View Ron Dilley's profile on LinkedIn

Please donate if you find the tools, scripts and info useful.

BTC: 1GwYToq2AuUWUfJJ7NeCpksfjMth7bw7Tu
LTC: LKh99yzPeXZ7jQgvGgRhkTGReN4TRK4C6p

Project Name

Project Details Last Updated

Log Pseudo Indexer (logpi)

Logpi is a very small and fast indexing utility that creates indexes for a subset of data including IPv4/v6 and MAC addresses in arbitrary text data. The pseudo indexes can be used to reference and recall log data quickly. This is useful for security practitioners that need to search through text log data more than once. 2018-12-10

Wirespy Daemon (wsd)

Wirespy is a lightweight packet sniffer and metadata logger. It supports live network monitoring and off-line PCAP file processing including TCP flow reassembly. This tool can give you firewall log like fidelity on any point on your network where you choose to tap. I use it to extend the duration of network visibility on my network recorders. 2018-01-03

Directory Tree Differ (difftree)

dt is short for difftree and it is a fast directory comparison tool.  It is a command-line utility to compare two or more directories.  It detects changes in file metadata including size, ownership, permissions, etc.  This is very handy during a security incident when time is of the essence. 2017-12-27

Log Templater: Converts logs to templates for anomaly detection (tmpltr)

Templater is a small and fast log processor that provides simple artificial ignorance capabilities. You use the tool to process past log data and store templates that represent normal log line structures. You then run the tool against current or target logs and all normal patterns are automatically ignored.


SSH Canary (sshcanary)

I got tired of getting ssh bruteforced without any idea of what the bad guys were trying to do. So I lifted Pete Morris's sshpot code and enhanced to meet my needs. A couple of interesting features that sshcaray has include the ability to extract additional interesting info from the ssh connection and allows you to tell the client that the authentication was successful (just to see what happens next). 2017-06-14

PDF Forensic Parser (pdfcarve)

A buddy of mine came to me with a problem one day. He had a PDF that he knew was malicious, but had no way of reviewing.  When he attempted to open it in a VM, the viewer just crashed without any errors.  On a victim machine, the Adobe Reader would execute the malware and the system would get compromised.  I spend a bit a time searching the Internet looking for a tool that could parse the file and found nothing that would handle to clearly malformed and dangerous file.  So, I downloaded the PDF specification and opened the file in a hex editor and started carving it up.  After a few hours, I found the problem and carved out the malicious JavaScript.  He was elated when I sent him what I had found and promptly sent me ten more malicious PDF files.  Being the lazy UNIX administrator that I am, I codified my manual process in a tool called pdfcarve.  It makes as few assumptions about the format of the PDF as possible and verbosely displays all of the objects. 2016-03-27

Passive Proxy Daemon: Reads web traffic and generates squid proxy logs (pproxyd)

This tool reads pcap format files or reads packets directly from the network, assembles web based traffic and generates squid proxy style logs. Logs are sent to standard out while in interactive mode and via syslog when running as a daemon. The log format is similar to native squid v1.1/2.x format.


Quickparser: Converts Netscreen/Juniper firewall logs from syslog to psuedo-XML (quickparser)

A co-conspirator and I have been building some log analysis tools.  To feed data to the tools, we needed to convert log files into a psuedo XML format.  I built a couple of regex log parsers in perl but they were very slow.  We have spent some time talking about other ways of parsing logs and I canabalized a log compression tool that I had built using regexless parsing and found out that it is pretty fast.  By fast I am talking 2.6M lines per minute on a single processor 2.5GHz PC running linux and 950K lines per minute on a SunBlade 2000 with 1GHz processors.


BaraCUDA: Multiple GPU password cracker

Also known as Nightingale, this CUDA based password cracker supports mutliple GPUs and currently supports NTLM, MD4, MD5 and WINCRYPT hashes.  Crypt(3) MD5 and RAR v3 are in the works. 2010-06-02

Log Store: Fast and efficient text log storage tool (logstore)

One of the offshoots of my regexless log parser (quickparser) is a tool that provides high speed compression that is I/O vs. CPU bound.  It also allows for fast keyword searching due to the parsing method used.  It is much faster than bzip2 and faster than gzip while providing considerably better compression ratios.  The down side is that it is tailored for compressing text based log data.  I use it on logs that are generated by syslog compatible software. 2010-05-31

DNS Spy: The passive DNS monitor (pdnsd)

In my never ending quest to find a better way to detect bad programs and people, I am working with a small group of guys to build a system that monitors DNS traffic for anomalous and known to be evil patterns. As long as the bad guys use the network and stay away from static IP addresses, they must leave tracks in DNS. 2010-05-31

The Wiretappers Toolkit (twt)

A friend of mine and I are working on a web based tool that records all network traffic and allows an investigator to slice out network traffic based on search criteria like source/destination IP address, e-mail address and regex string searches.  It is very simple, but gets the job done. 2010-05-31

Portable Incident Response & Assesment Tool (PiRAT)

I just upgraded from a Nokia N800 to a N810 and it is time to rebuild my tool chain again.  I was very happy with the way that PIRAT v0.1 turned out, I will be opening up PiRAT v0.2 for the N810 in the near future.  PiRAT still offers a port of all of my InfoSec related tools to this ultra-small computing platform.  There is a pretty well put together development environment and a strong open source development community branded as Maemo. 2008-12-02

Volumes Monitoring Daemon (vmd)

I wrongly assumed that it would be simple to find an intellectual property (IP) leakage monitoring tool for removable media on OS/X.  It is unfortunate that the abundance of this type of tool on Windows has not rubbed off on Mac.  That said, I hacked together a volume monitoring daemon (vmd) to provide logging of file activity on removable devices on systems running OS/X.  It is the poor mans solution to the problem.  It uses syslog, so it is possible to have all of your Mac's point to a central syslog server and gain arms length auditing of removable media across all of your OS/X based systems with this little daemon.  A word of caution, I used the fsevents functionality of  10.4 and 10.5 which is not a standard hook for applications.  So don't be surprised if this stops working in a future version of OS/X.

The following is a quick install guide for non-*nix folks.  This configuration will have the removable media activity logged to /var/log/secure.log on the local system.  It is a simple thing to change the configuration to point to a centralized logging server and have all systems log to it.

To install (as root):

1. Get the tools

Download the vmd binary for 10.5 (MD5 = ddc147333246d13c08ffa4c2bc9de1ca)
Download the startup script
Download the StartupParameters.plist file

2. Update syslog

NOTE: The <tab>s (\t) are important.

echo "daemon.*\t\t\t/var/log/secure.log" >> /etc/syslog.conf
kill -HUP `cat /var/run/`

3. Copy vmd

mkdir -p /usr/local/bin
cp vmd /usr/local/bin
chmod 755 /usr/local/bin/vmd

4. Setup vmd to start automatically

mkdir -p /usr/local/bin
cp StartupParameters.plist /Library/StartupItems/vmd
chmod 644 /Library/StartupItems/vmd/StartupParameters.plist
cp /Library/StartupItems/vmd/vmd
chmod 755 /Library/StartupItems/vmd/vmd

Passive Syslog Monitoring Daemon (psmd)

This tool allows you to monitor syslog traffic on a segment of the network without having any control over the source or the syslog server that receives the data.  This is very hand in a DMZ environment.  You can use psmd as a syslog replacement allowing all of your DMZ clients to forward their messages to a non-existent IP address in the DMZ.  You can black-hole the syslog data and still record it all without exposing where your syslog server is or punching a hole in your firewalls.  Lastly, you can use psmd to relay traffic.  This works really well when trying to split in a commercial log analysis appliance that expects all devices to forward traffic directly to the appliance.  You can keep your syslog infrastructure just the way it is, add psmd and forward all sniffed logs to the appliance.  Psmd will even rewrite the source addresses of the traffic to make the log analysis appliance happy. 2008-01-24

The DARPA Grand Challenge

I was lucky enough to get the opportunity to join SciAutonics for the 2005 DARPA Grand Challenge.  Our design was approved and we were off to the races (after a couple of cullings).  It was quite an adventure and provided me an opportunity to work with some very smart people.  I worked on the computer platforms, software architecture and the lidar drivers. We received a bit of press while we worked on the 2005 challenge including a piece in one of the local newspapersThe 2007 Urban Grand Challenge is coming up quick, wish us all luck as we try once again to get into the race.  We have managed it twice before!

And for the third time, we have made it into the semi-finals!  Go SciAutonics!!!

RASCAL at work

Wire Spy Daemon (wsd)

This tool is one of my current "under construction" projects.  The tool allows you to monitor a network segment over long periods of time (like 90 days+) and while it is running, it builds ACLs for the traffic that is seen.  This is a great way to impliment ACLs on a wire where you don't know what is passing across it and you don't want to take the chance of breaking some important traffic while you move from ANY->ANY Allow to something less. 2007-07-21

SMB Crawler (smbcd)

Ever want to know what files were accessible across your entire network but had no idea how to find them?  Try using a search engine only to find out that there was not enough disk space on your box to store all the search date?  I had that exact problem, so I build a crawler that stores limited meta data about files while searching huge amounts of data.  All searches happen as the data is crawled removing the need to large amounts of disk space to store search data. 2006-10-26

TCP Stream Carver (tcpcarve)

While bolting together The Wiretappers Toolkit it became obvious that tcpflow was not cutting it.  TWT needed a sniffer/TCP flow reassembler that was easy to graft into the TWT framework.  That said, I started to convert wsd into a TCP flow assembler and archiver. 2006-10-25

Please report issues to

Last Updated: 2018-12-10 @ 11:20pm