Tuesday, April 09, 2013

Fsnoop - monitor file operations


Fsnoop is a tool to monitor file operations on GNU/Linux systems. Its primary purpose is to detect bad temporary file usage and, therefore, file race condition vulnerabilities.

   $ ./fsnoop --help
   fsnoop monitors file operations by using the Inotify mechanism.
   Usage: fsnoop [OPTIONS] [DIR1[,DIR2,...]] [-- COMMAND]
     -d            Run as a daemon
     -fd           Open file descriptors when it's possible
     -k            Send SIGSTOP signal to the running process (COMMAND)
     -o filename   Output is redirected to a specific file
     -r            Monitor directory contents recursively
     -t            Prefix each line with the time of day
   If no DIR is specified, default writable directories such as /tmp,
   /var/tmp, /dev/shm, etc. are monitored.
   If COMMAND is specified, it will monitor activities during the process


On events, it displays lines as shown below:
   [C] -rw------- 1 root root 0     Tue May  8 22:17:10 2012 /var/tmp/test
   [M] -rw-r--r-- 1 root root 0     Tue May  8 22:17:10 2012 /var/tmp/test
   [U] -rw-r--r-- 1 root root 1741  Tue May  8 22:17:27 2012 /var/tmp/test
   [M] -rwxrwxrwx 1 root root 1741  Tue May  8 22:17:27 2012 /var/tmp/test
   [D] F /var/tmp/test
An event begins with an action character (placed between brackets):
  • 'C' for Create;
  • 'M' for Modify (means that metadata changed, e.g. permissions, timestamps, link count, UID, GID, etc.);
  • 'U' for Update (means that file content was modified);
  • 'D' for Delete.
It is followed by output similar to that of the "ls -l" command, or by a shortened form (when fsnoop was unable to stat() the file). In the shortened form, only the file type is displayed ('F' for file and 'D' for directory).
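As an added example (not code from fsnoop or from this post), the following Python script parses event lines in the two layouts shown above, the long "ls -l"-style record and the shortened form, and then flags the temp-file patterns fsnoop is meant to surface: a privileged process creating files in a shared directory, a file becoming world-writable, and create-then-delete pairs whose lifetime is the window a race would have to hit. The sample log is constructed from the lines on this page with a "-t" time prefix added; SHARED_DIRS and the finding heuristics are the example's own assumptions, not fsnoop behaviour.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Directories fsnoop watches by default (from its --help text); the tool
# itself only reports events, the "shared directory" heuristic is ours.
SHARED_DIRS = ("/tmp", "/var/tmp", "/dev/shm")

# Both regexes follow the line layouts shown in the fsnoop output above:
# an optional "(HH:MM:SS) " prefix from -t, the "[C|M|U|D]" action, then
# either an "ls -l"-style record or the shortened "F|D path" form.
_HEAD = r"^(?:\((?P<time>\d{2}:\d{2}:\d{2})\)\s+)?\[(?P<action>[CMUD])\]\s+"
LONG_RE = re.compile(
    _HEAD
    + r"(?P<mode>[-dlpscb][rwxsStT-]{9})\s+(?P<links>\d+)\s+"
    + r"(?P<user>\S+)\s+(?P<group>\S+)\s+(?P<size>\d+)\s+"
    + r"(?P<mtime>\w{3}\s+\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+\d{4})\s+"
    + r"(?P<path>\S.*?)(?:\s+\(opened fd=(?P<fd>\d+)\))?$"
)
SHORT_RE = re.compile(_HEAD + r"(?P<ftype>[FD])\s+(?P<path>\S.*)$")


@dataclass
class Event:
    action: str            # C, M, U or D
    path: str
    time: Optional[str]    # HH:MM:SS when -t was used
    mode: Optional[str]    # "-rw-r--r--" etc.; None for shortened lines
    user: Optional[str]
    size: Optional[int]
    fd: Optional[int]      # descriptor fsnoop kept open with -fd, if shown


def parse_line(line: str) -> Optional[Event]:
    """Parse one fsnoop output line; returns None for non-event lines."""
    line = line.strip()
    m = LONG_RE.match(line)
    if m:
        return Event(m["action"], m["path"], m["time"], m["mode"], m["user"],
                     int(m["size"]), int(m["fd"]) if m["fd"] else None)
    m = SHORT_RE.match(line)
    if m:
        return Event(m["action"], m["path"], m["time"], None, None, None, None)
    return None  # "Starting fsnoop ...", "[+] monitor ..." banners, etc.


def parse_log(text: str) -> List[Event]:
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e]


def in_shared_dir(path: str) -> bool:
    return any(path.startswith(d + "/") for d in SHARED_DIRS)


def _seconds(hms: str) -> int:
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


def analyze(events: List[Event]) -> List[str]:
    """Flag the temporary-file patterns worth a second look."""
    findings: List[str] = []
    created: Dict[str, Event] = {}
    for e in events:
        if e.action == "C":
            created[e.path] = e
            if e.user == "root" and in_shared_dir(e.path):
                findings.append(f"root created {e.path} in a shared directory")
        elif e.action == "M" and e.mode and e.mode[8] == "w":
            # index 8 of "-rwxrwxrwx" is the "others write" bit
            findings.append(f"{e.path} became world-writable ({e.mode})")
        elif e.action == "D" and e.path in created:
            c = created.pop(e.path)
            life = ""
            if c.time and e.time:
                life = f" after {_seconds(e.time) - _seconds(c.time)}s"
            findings.append(f"{e.path} created then deleted{life}")
    return findings


# Constructed sample: the event lines shown on this page, with a -t prefix.
SAMPLE_LOG = """\
Starting fsnoop version 2.0
[+] monitor /var/tmp
(22:17:10) [C] -rw------- 1 root root 0     Tue May  8 22:17:10 2012 /var/tmp/test
(22:17:10) [M] -rw-r--r-- 1 root root 0     Tue May  8 22:17:10 2012 /var/tmp/test
(22:17:27) [U] -rw-r--r-- 1 root root 1741  Tue May  8 22:17:27 2012 /var/tmp/test
(22:17:27) [M] -rwxrwxrwx 1 root root 1741  Tue May  8 22:17:27 2012 /var/tmp/test
(22:17:40) [D] F /var/tmp/test
(22:18:01) [C] -rw-r--r-- 1 root root 0  Tue May  8 22:18:01 2012 /var/tmp/temp.2oPahVp (opened fd=5)
"""

if __name__ == "__main__":
    for finding in analyze(parse_log(SAMPLE_LOG)):
        print(finding)
```

Run against a real fsnoop log, a create-then-delete pair a few milliseconds apart in /tmp by a root-owned process is exactly the kind of record worth tracing back to the program that produced it.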

Some examples

To monitor activities in the "/etc" and "/tmp" directories:
   # ./fsnoop /etc,/tmp
   Starting fsnoop version 2.0
   [+] monitor /etc
   [+] monitor /tmp
To run Fsnoop as a daemon in order to monitor the "/var/tmp" directory and record activities in the "/root/fsnoop.log" file:
   # ./fsnoop -d -t -o /root/fsnoop.log /var/tmp
   Starting fsnoop version 2.0 
The log will look like this:
   # cat /root/fsnoop.log
   [+] monitor /var/tmp
   (20:10:00) [C] -rw-r--r-- 1 root root 0  Mon Jul  9 20:10:00 2012 /var/tmp/blurb-lock
   (20:10:00) [M] -rw-r--r-- 1 root root 0  Mon Jul  9 20:10:00 2012 /var/tmp/blurb-lock
   (20:13:02) [D] F /var/tmp/blurb-lock
To monitor file activities only for the lifetime of a process:
   $ ./fsnoop /tmp -- Xorg -ac :1
   Starting fsnoop version 2.0
   [+] monitor /tmp
To send the SIGSTOP signal to a process right after an event occurs:
   $ ./fsnoop -k /tmp/.tX1-lock -- Xorg -ac :1
   [C] F /tmp/.tX0-lock
   *** PID 30342 stopped, type [Enter] to resume execution:
   *** PID 30342 resumed ...
To read the content of a file that has been erased:
   $ ./fsnoop -fd /var/tmp
   [+] monitor /var/tmp
   [+] As then "-fd" option is being used, you can launch new shell by
       using "ctrl-c" and disclose file descriptors content.
   [C] -rw-r--r-- 1 root root 0  Tue Jan  1 21:39:55 2013 /var/tmp/temp.2oPahVp (opened fd=5)
   [U] -rw-r--r-- 1 root root 13  Tue Jan  1 21:40:37 2013 /var/tmp/temp.2oPahVp
   [D] F /var/tmp/temp.2oPahVp
   Here are opened file descriptors.  You can display their contents by
   using the "cat" command.  For example, to display fd #4 use: "cat <&4"
   lrwx------ 1 vladz vladz 64  1 janv. 21:43 0 -> /dev/pts/3
   lr-x------ 1 vladz vladz 64  1 janv. 21:43 5 -> /var/tmp/temp.2oPahVp (deleted)
   fsnoop$ cat <&5
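The "-fd" trick relies on a POSIX rule rather than anything fsnoop-specific: unlink() removes the directory entry, but the inode and its data survive until the last open descriptor is closed, which is why the shell above can still run "cat <&5". The following Python snippet is an added example, not part of fsnoop, that demonstrates the same behaviour on a constructed throw-away file; the /proc/self/fd lookup is Linux-only and returns None elsewhere.

```python
import os
import tempfile
from typing import Optional


def _proc_fd_target(fd: int) -> Optional[str]:
    """Return the /proc/self/fd/N link target (Linux only), else None.
    This is the "5 -> /var/tmp/... (deleted)" listing fsnoop prints."""
    try:
        return os.readlink(f"/proc/self/fd/{fd}")
    except OSError:
        return None


def read_after_unlink(content: bytes) -> dict:
    """Write `content` to a fresh temp file, unlink the path while the
    descriptor stays open, then read the data back through that descriptor.
    Returns the bytes read, whether the path still exists, and the
    /proc link target if available."""
    # Constructed input: a throw-away file in this process's temp directory,
    # not one of the paths shown in the fsnoop output above.
    fd, path = tempfile.mkstemp(prefix="fsnoop-demo-")
    try:
        os.write(fd, content)
        os.unlink(path)                            # directory entry is gone
        result = {
            "path_exists": os.path.exists(path),   # False: no name points here
            "proc_link": _proc_fd_target(fd),      # "... (deleted)" on Linux
        }
        os.lseek(fd, 0, os.SEEK_SET)
        result["data"] = os.read(fd, len(content) + 1)  # inode still readable
        return result
    finally:
        os.close(fd)                               # now the data is released


if __name__ == "__main__":
    print(read_after_unlink(b"secret temp data\n"))
```

This is also why a program that writes sensitive data to a temporary file and then unlinks it has not removed the data from anyone who already holds a descriptor on it.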
To monitor directories recursively:
If /tmp is being monitored and someone runs:
   $ mkdir -p /tmp/a/b/c/d/e/f
   $ touch /tmp/a/b/c/d/e/f/a
the event is caught:
   $ ./fsnoop -r /tmp
   [+] monitor /tmp
   [C] -rw-r--r-- 1 vladz vladz 0  Thu Jan 24 13:10:30 2013 /tmp/a/b/c/d/e/f/a


Thanks to Larry Cashdollar for testing the tool and bringing new ideas.

Workshop Proposal Submission Deadline ( Security Focus )

Workshop Proposal Submission Deadline: April 15, 2013
Paper Submission Deadline: June 1, 2013
Washington D.C. USA, September 8-14, 2013.

1. 2013 ASE/IEEE International Conference on Big Data
2. 2013 ASE/IEEE International Conference on Social Computing
3. 2013 ASE/IEEE International Conference on Economic Computing
4. 2013 ASE/IEEE International Conference on Biomedical Computing
5. 2013 ASE/IEEE International Conference on Privacy, Security, Risk and Trust

EC-Council Conference & Events

Thank you so much for your participation in EC-Council's certification programs! We are proud to officially announce our 2012 Schedule of Events! EC-Council events are designed to provide you with the best speakers, cutting edge topics, beginning through advanced hacking courses and of course a ton of Continuing Education credits!

If you haven't already registered, don't hesitate as 2013 will offer more events in more locations than any previous year in EC-Council history!

See you there,  
Eric Lopez, Senior Director, Conference & Events


TakeDownCon St. Louis 
Hosted by EC-Council and one of our top partners, Parameter Security, this two-day conference will feature a split agenda of Security Briefs followed by "Deep Dive" Hacking Clinics! [Advanced hacking courses such as
"Advanced Mobile Hacking Forensics," will be offered Pre-Conference & include access to the main event!]

St. Louis CISO Summit
Strictly for top Information Security executives, apply to attend this prestigious, invite-only event for a mix of keynotes, panel discussions, networking, and live demos covering the most pressing and relevant IS issues.

Rocket City TakeDownCon 
Hosted by EC-Council and one of our top partners, Dynetics, this two-day conference will feature a day of Defensive Briefs and a day of Offensive Briefs! [Advanced hacking courses such as "Advanced Metasploit Hacking," will be offered Pre-Conference & include access to the main event!]

Hacker Halted
Mark your calendars and check back at this website because in staying with our theme, "The Hacker Code; Angels vs Demons," we will be running a massive scavenger hunt with our vendors, a hacking contest and an onsite treasure hunt which will qualify you to enter into a drawing for the largest CASH giveaway Hacker Halted has ever offered! This year will also host the Global Cyberlympics, Global CISO Forum, and onsite hacking challenge and over 50 amazing presenters, and as always, the best Advanced Hacker courses in the industry!

Global CISO Forum
The biggest CISO conference of the year - don't miss this executive-level, invite-only event including high-level information security program management, networking, and demonstrations. 

Global CyberLympics
The EC-Council Foundation is proud to announce that the Cyberlympics freshman year was a huge success with over 400 teams competing from 52 countries! 2013 is already shaping up to be bigger and more exciting than we have previously thought possible. We will begin our first of three regional "Elimination" rounds in July so if you think you have some hacking skills and can compete with last year's Reigning champions, Deloitte's HHCK.ers from the Netherlands, sign up now to get registered! 

Bitmessage - encrypted messaging

Bitmessage is a P2P communications protocol used to send encrypted messages to another person or to many subscribers. It is decentralized and trustless, meaning that you do not inherently need to trust any entity such as a root certificate authority.

It uses strong authentication, which means that the sender of a message cannot be spoofed, and it aims to hide "non-content" data, such as the sender and receiver of messages, from passive eavesdroppers like those running warrantless wiretapping programs.

An open source client is freely available under the very liberal MIT license. For screenshots and a description of the client, see this CryptoJunky article: "Setting Up and Using Bitmessage".

Download: https://bitmessage.org/wiki/Main_Page