Loading in 2 Seconds...
Loading in 2 Seconds...
STIF [Security Tools Integration Framework] STIF-WARE EVOLUTION Fyodor Yarochkin Meder Kydyraliev email@example.com firstname.lastname@example.org. HackInTheBox, Kuala Lumpur - 2005. http://o0o.nu/. Agenda (best question gets an “Industry Slave” HITB T-shirt). Introduction to STIF-ware concepts
[Security Tools Integration Framework]
Fyodor Yarochkin Meder Kydyraliev
HackInTheBox, Kuala Lumpur - 2005
Security Tools Integration Framework (STIF) is aimed to provide a unified environment and data exchange platform for automated security assessments in heterogeneous environments.
In simple words it is a platform for “hacking” automation, where STIF emulates the “brain” of a security analyst to perform repetitive tasks.
Typical scenario for security analyst
Want to see what happened to Joe the analyst after one month?
Look what repetitive and boring “hacking” has done to him…
Why not let machine do the boring part???
Of course, you can ...
Scanners vs. STIF
STIF is designed to solve the problems outlined earlier, by introducing the common format for data representation and by providing a platform for data exchange among tools.
First generation STIF provides:
STIF Features (continued)
Data representation unification
STIF encapsulates data in a set of XML messages (STIF-Message)
Input data, provided in XML format, converted by Exec module into the form, which could be understood by the tool
The results of tools execution are converted to STIF and are fed back into the Inference Engine.
<Port number="80" state="open" protocol="tcp">
Apache/1.3.27 (Unix) PHP/4.3.1
Data Publishing facility
Publishing in STIF environment means providing the Publisher with newly arrived facts (STIF-Messages from tools).
STIF is able to execute several data/fact publishing modules simultaneously (e.g. database publishing, IRC publishing).
STIF comes with SQL publishing module, which can publish/store data received from tools in a form of a STIF-Message, in databases of arbitrary scheme.
INSERT INTO ip_address VALUES(NULL,'%h');
SELECT id FROM ip_address WHEREip_address='%h';
INSERT INTO port VALUES(NULL, $1, '%n', '%P', '%S', '%p', '%a'); </query>
STIF supports command input over IRC and can publish new facts to an IRC channel or using private messages.
Other software tools can act as STIF “nodes” embedding the IRC importer/publisher functionality
Your favorite tools integration to support STIF?
Integration using STIF Generic2STIF Converter
Define rules in parser.xml:
<Group name="target address">
<Regex name="address" required="true">
.*ports on .*\(([\d\.]+)\):.+
<Group name="port" generate="port">
<Regex name="portNumber" required="true">
How can you help?
First generation STIF Demonstation
Questions (remember we give out T-shirt for best question)?