
Subject: Tools

New SEI CERT Tool Extracts Artifacts from Free Text for Incident Report Analysis

• CERT/CC Blog
Matthew Sisk

This post is co-authored with Sam Perl. The CERT Division of the Software Engineering Institute (SEI) at Carnegie Mellon University recently released the Cyobstract Python library as an open source tool. You can use it to quickly and efficiently extract artifacts from free text in a single report, from a collection of incident reports, from threat assessment summaries, or any other textual source....

Announcing CERT Tapioca 2.0 for Network Traffic Analysis

• CERT/CC Blog
Will Dormann

A few years ago, I announced the release of CERT Tapioca for MITM Analysis. This virtual machine was created for the purpose of analyzing Android applications to find apps that don't validate SSL certificates. Since the original release of Tapioca, we have received a request to make it easier to use and add some additional features. The new version of CERT Tapioca improves on the original in multiple ways in that it offers the following:...

Visualizing CERT BFF String Minimization

• CERT/CC Blog
Will Dormann

I've been working on a presentation called CERT BFF - From Start to PoC. In the process of preparing my material, I realized that a visualization could help people understand what happens during the BFF string minimization process....

YAF App Label Signature Context with Analysis Pipeline

• CERT/CC Blog
Angela Horneman

In my last post, I presented how to create a YAF application label signature rule that corresponds to a text-based Snort-type rule. In this post, I discuss methods for using Analysis Pipeline to provide context to those signatures. The context for signatures can take many forms. Some context can be derived from the individual flows that match the signatures. This information is easy to obtain from either SiLK or another traffic analysis tool--just look at...

Making YAF App Labels from Text-Based Snort Rules

• CERT/CC Blog
Angela Horneman

Ever want to use a Snort-like rule with SiLK or Analysis Pipeline to find text within packets? Timur Snoke and I were recently discussing how we could do this and realized that while neither SiLK nor Analysis Pipeline themselves do packet inspection, YAF can be used to create an application label that can be used in analyses in both SiLK and Pipeline (field 29, application). This post outlines the steps required and provides an example....

Baseline Network Flow Examples

• CERT/CC Blog
Angela Horneman

Hi. This is Angela Horneman of the SEI's Situational Awareness team. I've generated service specific network flows to use as baseline examples for network analysis and am sharing them since others may find them helpful. We have been looking at implementing Network Profiling in Analysis Pipeline to automatically generate lists of active servers and to alert when new IPs start acting as servers. As part of this initiative, we started looking at alternatives to using...

A Subversive Use of SiLK

• CERT/CC Blog
Leigh Metcalf

Hi, this is Leigh Metcalf. In this blog post I talk about a subversive use of SiLK, the open-source tool suite designed by the CERT/CC team at the SEI, available on the CERT website. This post is a technical walk through of how to use the SiLK tools to support analysis in interesting ways you may not have thought of....

Announcing CERT Tapioca for MITM Analysis

• CERT/CC Blog
Will Dormann

Hi folks, it's Will. Recently I have been investigating man-in-the-middle (MITM) techniques for analyzing network traffic generated by an application. In particular, I'm looking at web (HTTP and HTTPS) traffic. There are plenty of MITM proxies, such as ZAP, Burp, Fiddler, mitmproxy, and others. But what I wanted was a transparent network-layer proxy, rather than an application-layer one. After a bit of trial-and-error investigation, I found a software combination that works well for this purpose....

10 Years of FloCon

• CERT/CC Blog
George Jones

Hi, this is George Jones. I was conference chair of the 10th annual FloCon Conference, which was held in Charleston, South Carolina, January 13-16, 2014. Check out the FloCon proceedings to learn about the work presented, and consider participating in future FloCons....

Hacking the CERT FOE

• CERT/CC Blog
Will Dormann

Hey folks, it's Will. Every now and then I encounter an app that doesn't play well with FOE. You don't have to throw your hands up in defeat, though. Because FOE (and BFF) are written in Python, it's pretty easy to modify them to do what you like....

BFF 2.7 on OS X Mavericks

• CERT/CC Blog
Will Dormann

Hi folks, it's Will. Apple has released OS X Mavericks. Because BFF 2.7 was released before Mavericks, BFF doesn't work right out of the box. But it's actually quite simple to get it working....

Attaching the Rocket to the Chainsaw - Behind the Scenes of BFF and FOE's Crash Recycler

• CERT/CC Blog
Allen Householder

Hi folks, Allen Householder here. As Will Dormann's earlier post mentioned, we have recently released the CERT Basic Fuzzing Framework (BFF) v2.7 and the CERT Failure Observation Engine (FOE) v2.1. To me, one of the most interesting additions was the crash recycling feature. In this post, I will take a closer look at this feature and explain why I think it's so interesting....

One Weird Trick for Finding More Crashes

• CERT/CC Blog
Will Dormann

Hi folks. It's Will Dormann from the CERT Vulnerability Analysis team. Today we're announcing the release of updates to both of our fuzzing tools, the CERT Basic Fuzzing Framework (BFF) version 2.7 and the CERT Failure Observation Engine (FOE) version 2.1. In this blog entry I will describe some of the major changes with these tools....

A Look Inside CERT Fuzzing Tools

• CERT/CC Blog
Allen Householder

Hi, this is Allen Householder of the CERT Vulnerability Analysis team. If you've been following this blog for a while, you are probably familiar with our fuzzing tools: Dranzer, the CERT Basic Fuzzing Framework (BFF), and the CERT Failure Observation Engine (FOE). While creating tools that can find and analyze vulnerabilities makes up a significant portion of our work in the CERT Vulnerability Analysis team, our focus is on developing and communicating the knowledge we've...

Updates to CERT Fuzzing Tools (BFF 2.6 & FOE 2.0.1)

• CERT/CC Blog
Allen Householder

Hi everybody. Allen Householder from the CERT Vulnerability Analysis team here, back with another installment of "What's new in CERT's fuzzing frameworks?" Today we're announcing the release of updates of both our fuzzing tools, the CERT Basic Fuzzing Framework (BFF) version 2.6 and the CERT Failure Observation Engine (FOE) version 2.0.1. The remainder of this post describes the changes in more detail....

CERT Failure Observation Engine 2.0 Released

• CERT/CC Blog
Allen Householder

Hi folks, Allen Householder from the CERT Vulnerability Analysis team here. Back in April, we released version 1.0 of the CERT Failure Observation Engine (FOE), our fuzzing framework for Windows. Today we're announcing the release of FOE version 2.0. (Here's the download.) Although it has only been a few months since we announced FOE 1.0, our development cycle is such that FOE 2.0 actually reflects nearly a year of additional improvements over the 1.0 release....

CERT Basic Fuzzing Framework 2.5 Released

• CERT/CC Blog
Allen Householder

Hi folks, Allen Householder here. In addition to the recent introduction of our new Failure Observation Engine (FOE) fuzzing framework for Windows and Linux Triage Tools, we have updated the CERT Basic Fuzzing Framework (BFF) to version 2.5. This post highlights the significant changes....

CERT Failure Observation Engine 1.0 Released

• CERT/CC Blog
Allen Householder

In May 2010, CERT released the Basic Fuzzing Framework, a Linux-based file fuzzer. We released BFF with the intent to increase awareness and adoption of automated, negative software testing. An often-requested feature is that BFF support the Microsoft Windows platform. To this end, we have worked to create a Windows analog to the BFF: the Failure Observation Engine (FOE). Through our internal testing, we've been able to help identify, coordinate, and fix exploitable vulnerabilities in...

Announcing the CERT Basic Fuzzing Framework 2.0

• CERT/CC Blog
Allen Householder

Version 2.0 of the CERT Basic Fuzzing Framework (BFF) made its debut on Valentine's Day at the 2011 CERT Vendor Meeting in San Francisco. This new edition has a lot of cool features that we'll be describing in more detail in future posts, but we wanted to let you know that it's available so that you can download and try it....

CERT Basic Fuzzing Framework

• CERT/CC Blog
Will Dormann

Hi folks. I've been involved in a fuzzing effort at CERT. One of the ways that I've been able to discover vulnerabilities is through "dumb" or mutational fuzzing. We have developed a framework for performing automated dumb fuzzing. Today we are releasing a simplified version of automated dumb fuzzing, called the Basic Fuzzing Framework (BFF)....

Release of Dranzer ActiveX Fuzzing Tool

• CERT/CC Blog
Will Dormann

Hi, it's Will. As previously mentioned, we have been investigating and discovering ActiveX vulnerabilities over the past few years. Today we released the Dranzer tool that we have developed to test ActiveX controls. We've been using the Dranzer ActiveX fuzz testing tool for over three years, and we've found a large number of vulnerabilities with it. I've tagged a few of the US-CERT Vulnerability notes with the "Dranzer" keyword to show the sort of vulnerabilities...
