Projects

2024-11-12

Here are some of the projects that I’ve enjoyed creating or contributing to. I like keeping track of projects like these to record my progression over time.

archbloom

archbloom is a library written in C that provides a set of probabilistic data structures and related algorithms.

ssh-honeypot

ssh-honeypot is a fake Secure Shell service that logs the credentials and IP address of failed login attempts. This is written in C and uses libssh.

I no longer use this, but at one point had about a dozen instances of this running on the internet, gathering statistics about botnets that abused the SSH protocol.

I have some ideas for new features that I’d like to implement when I get some time, but for now this project is abandoned.

greylost

greylost sniffs DNS traffic and determines if a DNS query is uncommon or matches known malicious hosts.

It was designed to use few resources and be reasonably fast; it achieves this with bloom filters.

This software has been used in production to successfully detect malware and unauthorized activity.

dmfrbloom

dmfrbloom is a bloom filter implementation for Python. It is available via PyPI and can be installed with pip.

pip3 install dmfrbloom

It also provides “time-decaying” bloom filters, which allow entries to expire after a period of time.
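The following is an added illustration of the two ideas above, the time-decaying bloom filter from dmfrbloom and the "is this DNS query uncommon or on a blocklist" check that greylost performs. It is not code from either project: the filter implementation, the blocklist contents, and the DNS events it processes are all constructed here for the example. Rather than a single bit per slot, each slot stores the time it was last set, so an item counts as "probably seen" only if every slot it hashes to was touched within the last ttl seconds.

```python
import hashlib
import time
from typing import Callable, List, Tuple


class TimeDecayingBloomFilter:
    """Bloom filter whose entries expire after `ttl` seconds.

    Hypothetical implementation written for this example (not dmfrbloom's).
    Each slot holds the timestamp of its most recent set instead of a bit.
    """

    def __init__(self, size: int, hashes: int, ttl: float,
                 clock: Callable[[], float] = time.monotonic):
        self.size = size
        self.hashes = hashes
        self.ttl = ttl
        self.clock = clock            # injectable so tests can control time
        self.slots = [float("-inf")] * size   # -inf == never set

    def _indexes(self, item: str) -> List[int]:
        # Kirsch-Mitzenmacher double hashing: k indexes from two 64-bit halves
        # of one SHA-256 digest. h2 is forced odd so the stride never collapses.
        digest = hashlib.sha256(item.encode("utf-8")).digest()
        h1 = int.from_bytes(digest[:8], "big")
        h2 = int.from_bytes(digest[8:16], "big") | 1
        return [(h1 + i * h2) % self.size for i in range(self.hashes)]

    def add(self, item: str) -> None:
        now = self.clock()
        for idx in self._indexes(item):
            self.slots[idx] = now

    def __contains__(self, item: str) -> bool:
        # Present only if every slot was set more recently than the cutoff;
        # an expired or never-set slot makes the answer "not seen recently".
        cutoff = self.clock() - self.ttl
        return all(self.slots[idx] > cutoff for idx in self._indexes(item))


# Constructed sample blocklist (not a real indicator).
MALICIOUS_HOSTS = {"bad.example.net"}

# Constructed DNS query events: (timestamp in seconds, queried name).
SAMPLE_EVENTS: List[Tuple[float, str]] = [
    (100.0, "www.example.com"),   # first sighting
    (105.0, "www.example.com"),   # seen 5 s ago -> common
    (110.0, "bad.example.net"),   # on the blocklist -> malicious
    (200.0, "www.example.com"),   # last seen 95 s ago, ttl is 60 s -> uncommon again
]


def triage_queries(events: List[Tuple[float, str]], size: int = 4096,
                   hashes: int = 4, ttl: float = 60.0) -> List[Tuple[float, str, str]]:
    """Label each query 'malicious', 'common' or 'uncommon'.

    A name is 'common' when the decaying filter has probably seen it within
    the last `ttl` seconds; otherwise it is 'uncommon'. Blocklist hits win.
    The event timestamps drive the filter's clock so the run is deterministic.
    """
    clock = {"now": 0.0}
    seen = TimeDecayingBloomFilter(size, hashes, ttl, clock=lambda: clock["now"])
    findings = []
    for ts, qname in events:
        clock["now"] = ts
        if qname in MALICIOUS_HOSTS:
            verdict = "malicious"
        elif qname in seen:
            verdict = "common"
        else:
            verdict = "uncommon"
        findings.append((ts, qname, verdict))
        seen.add(qname)       # refresh the sighting regardless of verdict
    return findings


if __name__ == "__main__":
    for ts, qname, verdict in triage_queries(SAMPLE_EVENTS):
        print(f"{ts:7.1f}  {verdict:9s}  {qname}")
```

The filter is deliberately small here; in practice the slot count and hash count are sized from the expected number of distinct names and the false-positive rate you can tolerate, and a false positive only ever turns an "uncommon" verdict into "common", never the reverse.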

yararules

These are miscellaneous YARA rules I have developed.

noawareness

noawareness is a Linux process monitor which utilizes netlink process events. It logs data in JSON to be easily ingested into tools such as Elasticsearch or Splunk.

I developed this to use at attack/defend CTFs because I couldn’t find a suitable solution to log process-related events that could be rapidly deployed and work on any Linux distribution. It seemed like no matter which tool I tried, none “just worked”. Every solution seemed to mostly work, but had some gotcha or quirk that caused it not to work uniformly across the board.
