hrbrmstr 🇺🇦 🇬🇱 🇨🇦
LightNews LightNews
banner
hrbrmstr.mastodon.social.ap.brid.gy
hrbrmstr 🇺🇦 🇬🇱 🇨🇦
@hrbrmstr.mastodon.social.ap.brid.gy
410 followers 13 following 4.1K posts
Pampa • Don't look @ me…I do what he does—just slower. #rstats avuncular •👨‍🍳• ✝️ • 💤 • Varaforseti í Gögn Vísindi @ GreyNoise + Carnegie Mellon lecturer […]

🌉 bridged from ⁂ https://mastodon.social/@hrbrmstr, follow @ap.brid.gy to interact
Posts Replies Media Videos
hrbrmstr.mastodon.social.ap.brid.gy
Another one for the "Confuse @neurovagrant" AM ritual…

Meet AS35916 (MultaCOM).

CF says they're mostly bots. (TIL CF makes it ++easy to copy these section imgs, which makes me sad b/c I hate CF).

Was doing a semi-regular poke at untagged traffic (we will […]

[Original post on mastodon.social]
71% bot traffic graph destination port treemap
November 25, 2025 at 11:20 AM
hrbrmstr.mastodon.social.ap.brid.gy
Oh, it's just Tencent Global CDN Platform - EdgeONE constantly pinging the entire internet.
ACE ASN info multiple time series
November 23, 2025 at 3:57 PM
hrbrmstr.mastodon.social.ap.brid.gy
Let's rly try to help hrbrmstr go back to sleep by having him write a tediously long SQL query to see if we can possibly identify structure in the payloads: https://ray.so/99w1DqL

What? Doesn't everyone re-implement `file` magic ops in SQL?

So, even more […]

[Original post on mastodon.social]
top half of SQL at first url bottom half of SQL at first url table
November 23, 2025 at 9:52 AM
hrbrmstr.mastodon.social.ap.brid.gy
Some other WTHeck?s

- type 15, 17
- type 0 or 8 with non-zero codes
- type 3 with larger codes

These low-frequency weirdos can be C2 control messages, markers for session start/stop, or “probe” packets to see what the network allows.

Fun!

Let's take a […]

[Original post on mastodon.social]
sql @ first URL table
November 23, 2025 at 9:33 AM
hrbrmstr.mastodon.social.ap.brid.gy
First we need to squeeze as much juice from this lemon as possible: https://ray.so/jarK3Fr

The `sed` line is there b/c only monsters use dots in field names in SQL.

Now we'll import that into DuckDB and get some summary info: https://ray.so/sxFyZB8

Hoo boy […]

[Original post on mastodon.social]
bash cmds at first URL sql at second URL table output
November 23, 2025 at 9:16 AM
hrbrmstr.mastodon.social.ap.brid.gy
This is a good approximation of table schema for the Zeek conn.log: https://ray.so/UK27xKn

We then import the conn.log: https://ray.so/kGazZUF

Now, we need to run some basic stats on the data to find anomalies. We don't care about boring ICMP, and we'll […]

[Original post on mastodon.social]
schema source at the first URL import SQL from second URL stats SQL at third URL five abnormal ICMP patterns
November 23, 2025 at 8:54 AM
hrbrmstr.mastodon.social.ap.brid.gy
This is bonkers.

Legit MS Security Event logs. 🤔

I only sampled a few days, but it's been going like the Energizer bunny.

So, would love any ideas y'all have as threaded responses.

Why would an atttacker want to shunt these messages out (and why to one […]

[Original post on mastodon.social]
# A tibble: 37 × 3 src_ip wat n <chr> <chr> <int> 1 107.23.117.241 "An account was successfully logged on" 5615 2 107.23.117.241 "An account was logged off" 5111 3 107.23.117.241 "A handle to an object was requested" 4441 4 107.23.117.241 "Special privileges assigned to new logon" 1979 5 107.23.117.241 "An attempt was made to access an object" 790 6 107.23.117.241 "The handle to an object was closed" 663 7 107.23.117.241 "A Kerberos service ticket was requested" 646 8 107.23.117.241 "A Kerberos authentication ticket (TGT) was requested" 153 9 107.23.117.241 "A Kerberos service ticket was renewed" 83 10 107.23.117.241 "A privileged service was called" 59 11 107.23.117.241 "An operation was performed on an object" 12 12 107.23.117.241 "Kerberos pre-authentication failed" 9 13 107.23.117.241 "An operation was attempted on a privileged object" 4 timeline chart
November 22, 2025 at 12:05 PM
hrbrmstr.mastodon.social.ap.brid.gy
So, I had Ollama Qwen3 Coder 450b build a parser for them (yeah go ahead and judge me if it makes you feel smugly superior; idgaheck)

It took it like 5 seconds. It's Python b/c AI's aren't smart enough to use real programming languages.

https://ray.so/lKAJDpv

3/n
source code at the URL in the post
November 22, 2025 at 11:55 AM
hrbrmstr.mastodon.social.ap.brid.gy
Here's what that CSV looks like.

Odd.

*What are Windows Security Event Log entries doing in ICMP packets hitting the internets?*

2/n
odd CSV
November 22, 2025 at 11:50 AM
hrbrmstr.mastodon.social.ap.brid.gy
I have more like a "confuse @neurovagrant" thing today.

Was staring into the expanse that is the untagged sessions in our fleet and eventually plotted a course towards the ICMP system, which eventually led me to a planet that was beaconing with some oddly […]

[Original post on mastodon.social]
chart and table ```bash $ tshark -r sessions-2.pcap -Y icmp -T json -e frame.time -e ip.src -e data.data > odd.json ``` ```sql CREATE TABLE odd AS FROM read_json('odd.json'); COPY ( FROM ( FROM ( FROM ( FROM odd SELECT UNNEST(_source) ) SELECT UNNEST(layers) ) SELECT UNNEST("frame.time") ts, UNNEST("ip.src") ip, UNNEST("data.data") payload ) SELECT ts, ip, from_hex(payload) pay WHERE ts IS NOT NULL ) TO 'wat.csv'; ```
November 22, 2025 at 11:47 AM
hrbrmstr.mastodon.social.ap.brid.gy
Some turkey pot pie ahead of turkey week #nom
Turkey pot pie
November 21, 2025 at 10:55 PM
hrbrmstr.mastodon.social.ap.brid.gy
today's spate has some oddities.

that older spate is…super odd

Our tag matches very specifically to AppleBot (it's not easily spoofable UA-based).

I think Apple's AI team is letting Siri search on some inputs, which is a VERY BAD IDEA.

Def some mal-looking paths in the larger capture
/robots.txt / /%D 9%87%D9%85%DA%A9%D8%A 7%D8%B1%DB%8C/ /energy/341/sony-has-launched-an-electric-vehicle-team-to-explore-the-market/ / feed/ /wp-content/uploads/2021/01/mini_IDXTUBE-15-01-2021- 9. mp4_snapshot_00.05.722.jpg /owa/ /feed/ /manual /TOS.html /robots.txt /xe/7559904 /xe/8346193 /xe/9235984 /xe/9856523 /xe/12378142 /contact-us/ /sitemap.xml /xe/11516142 /xe/12031167 /xe/13931697 /login.action /sample-page/ /weblogin.htm /Main_Login.asp /xe/box/3272569 /author/jamesp/ /bbs/content.php /doc/page/login.asp /owa/auth/logon.aspx /wp-admin/install.php /WebInterface/login.html /featured-stories/page/2/ /static/styles/core-17a365.css /static/scripts/bundle-17a365.js /wpautoterms/terms-and-conditions/ /2017/06/american-student-otto-warmbier-freed-north-korea/ /2017/09/europes-tainted-eggs-scandal-spread-non-eu-countries/ /2025/03/27/%d0%bf%d1%80%d0%b8%d0%b2%d0%b5%d1%82-%d0%bc%d0%b8%d1%80/ /2017/06/couple-gives-birth-to-sextuplets-after-17-years-of-infertility/
November 21, 2025 at 7:27 PM
hrbrmstr.mastodon.social.ap.brid.gy
Apple be crawlin' fer somethin'

https://viz.greynoise.io/tags/applebot?days=90
time series
November 21, 2025 at 7:02 PM
hrbrmstr.mastodon.social.ap.brid.gy
I expected Bitcoin's sagging would have caused the malicious cryptominers to fade, but they just keep ramping up their quest for compute.
Three PHP time series GO UP!
November 21, 2025 at 6:43 PM
hrbrmstr.mastodon.social.ap.brid.gy
Show time for @greynoise @ #suricon2025 !
November 20, 2025 at 2:42 PM
hrbrmstr.mastodon.social.ap.brid.gy
This exchange from The Ramsey Show was shared privately and is too good not to share.

Filed under: "AI" is going GREAT!

(full exchange text in alt txt)
Dave: "So let me get this straight, Michael. You started Cursor three years ago." Michael: "Yes, Dave." Dave: "And you just raised $900 million." Michael: "Correct." Dave: "At a $9.9 billion valuation." Michael: "That's right." Dave: "You're doing over $500 million in ARR." Michael: "Yes." Dave: "Which means your revenue has been doubling every two months." Michael: "Pretty much." Dave: "And OpenAI tried to buy you." Michael: "They did." Dave: "But you said no." Michael: "We turned them down." Dave: "So they bought your competitor Windsurf for $3 billion instead." Michael: "That happened, yes." Dave: "The competitor doing $100 million ARR while you're at $500 million." Michael: "I'm aware of the math, Dave." Dave: "And you're still just a fork of VS Code." Michael: "Well, when you say it like that—" Dave: "So your entire $9.9 billion company depends on Microsoft not changing its API." Michael: "We prefer to call it 'strategic interdependence.'" Dave: "Okay. Thanks for calling in." THE VERY NEXT DAY: Dave: "Michael, you're calling back already?" Michael: "We just raised another round." Dave: "How much?" Michael: "$2.3 billion." Dave: "At what valuation?" Michael: "$29.3 billion." Dave: "You were at $9.9 billion yesterday." Michael: "Correct." Dave: "Did you stop being a fork of VS Code?" Michael: "No." Dave: "Did Microsoft give you permission to use their code?" Michael: "They haven't said no." Dave: "So you tripled your valuation in 24 hours and nothing fundamentally changed." Michael: "Our revenue is still doubling every two months." Dave: "You're still one API change away from bankruptcy." Michael: "Strategic interdependence, Dave." Dave: "We're done here, Michael. Stop calling.
November 19, 2025 at 7:42 PM
hrbrmstr.mastodon.social.ap.brid.gy
Rly excited abt the WebAssembly engine for @suricata

I know WASM is rapidly becoming as bad as Flash (as I predicted years ago) but done right, it is ~sandboxed, and this cld make running modules far less risky.

#suricon2025
10:45 - 11:15: Suricata Research: WebAssembly modules in Suricata Pierre Chifflier WebAssembly is a new type of code primarily intended for modern web browsers and designed to allow execution of foreign code in the target environment while providing performance and safety. It is not intended to be written by hand but is designed to be an effective compilation target for source languages like C, Rust, Typescript and even Python or Go. To execute WebAssembly modules, an application must provide an engine to run virtual machines and a set of APIs that modules are allowed to use to call functions provided by the application. In this presentation, we will: Present an experimentation of adding a WebAssembly engine to Suricata (available libraries, design choices, etc.) Present some example modules, the compilation process, and how to load them into the main application. Discuss the results in terms of performance and security, with a focus on parsing untrusted data and on the differences with the existing Rust code and LUA modules. This experimentation is a follow-up from previous work and brainstorm discussions, with updates. It is not really proposed for inclusion, but rather given as feedback from research work.
November 19, 2025 at 3:49 PM
hrbrmstr.mastodon.social.ap.brid.gy
Trying to multitask (badly) but we are seeing exploitation slings against Fortinet FortiWeb CVE-2025-64446 (Auth Bypass).

https://viz.greynoise.io/tags/fortinet-fortiweb-cve-2025-64446-authentication-bypass-attempt?days=10

Def an "initial access […]

[Original post on mastodon.social]
time series ip/ja4/asn
November 19, 2025 at 3:32 PM
hrbrmstr.mastodon.social.ap.brid.gy
Since I drove up to SuriCon, I brought the portable matcha kit. May not have to leave the venue at all.

Speaking of venue, it's kind of cool knowing this place is soon gonna be packed with folks who grok @suricata rules.
matcha kit conference venue
November 19, 2025 at 1:49 PM
hrbrmstr.mastodon.social.ap.brid.gy
Wow. MASSIVE Palo Login crawler spike.

Mostly Germany source networks with a smattering of Canada, Lithuania, U.S., and Finland sources.

target country networks are (exhaustive list) United States, Mexico, Pakistan, United Kingdom, and United Arab Emirates […]

[Original post on mastodon.social]
time series
November 19, 2025 at 1:52 AM
hrbrmstr.mastodon.social.ap.brid.gy
@jmeyer 🙂

if they aren't lying (BIG IF) then they deserve it for letting ~60K their IP space whack the internet back in august
time series
November 18, 2025 at 4:55 PM
hrbrmstr.mastodon.social.ap.brid.gy
BWHAHAHAHAHAHAHA

"configuration file too big"

BWHAHAHAHAHAHAHA
heatmap
November 18, 2025 at 4:39 PM
hrbrmstr.mastodon.social.ap.brid.gy
This is how Down Detector managed to stay/get back up

They turned off Cloudflare
fl=1167f37 h=downdetector.com ip=2603:3005:1507:5900: 15e:84fb: abf4: ce9d ts=1763479421.768 visit. _scheme=https uag=Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36 colo=BOS sliver=none http=http/2 loc=US tls=TLSV1.3 sni=plaintext warp=off gateway=off rbi=off kex=X25519MLKEM768
November 18, 2025 at 3:28 PM
hrbrmstr.mastodon.social.ap.brid.gy
The CF thing is (sadly) not having much of an impact on IPs from Cloudflare trying to do bad things on the internet.
time series
November 18, 2025 at 3:22 PM
hrbrmstr.mastodon.social.ap.brid.gy
Down, indeed!
heatmap
November 18, 2025 at 2:40 PM