Skip navigation

Author Archives: hrbrmstr

Don't look at me…I do what he does — just slower. #rstats avuncular • ?Resistance Fighter • Cook • Christian • [Master] Chef des Données de Sécurité @ @rapid7

EUVD API NPM And Go Packages + Nicer Docs

ENISA published docs for their European Vulnerability Database (EUVD) — https://euvd.enisa.europa.eu/apidoc.

I’ve got an easier-on-the-eyes version that supports light/dark mode and includes sample API JSON results at https://rud.is/euvd-api/. The Quarto markdown source for it can be found at https://rud.is/euvd-api/euvd-api.qmd.

I need to make an MCP (Model Context Protocol) server for the API, but not everyone wants an MCP server, so there’s a TypeScript NPM package for it — https://www.npmjs.com/package/@hrbrmstr/euvd (source: https://codeberg.org/hrbrmstr/euvd-ts). This comes with the added benefit of making it easier/cleaner to build an MCP server. Friends don’t let friends make icky Python-based MCP servers.

I also need to integrate it into pipeline stuff at $WORK, so there’s also a Golang API wrapper & CLI @ https://codeberg.org/hrbrmstr/euvd.

READMEs in both repos have all the details.

Suriest: Suricata Rule Validation As A (REST) Service

Meet Suriest — a new REST API service for validating Suricata rules, designed to be run by organizations to streamline rule validation workflows. Suriest supports Suricata 6.0 and later and offers features like secure configuration, S3-compatible storage for logging validation attempts, and a simple HTTP API to validate rules programmatically. While the project is intended for deployment within your own environment, there’s a live instance already available for immediate use at https://sigchk.hrbrmstr.app/validate-rule. You can test it easily with a curl command like:

curl --silent --request POST --url https://sigchk.hrbrmstr.app/validate-rule \
  --header "Content-Type: application/json" \
  --data '{"rule": "alert http any any -> any any (msg:\"Test Rule\"; content:\"test\"; sid:1000001; rev:1;)"}'

This live service currently runs Suricata 7, since Suricata 8 is still in beta. For full details on setup, configuration options (including S3 logging), and API usage, check out the README in the repository at https://codeberg.org/hrbrmstr/suriest. Suriest offers a practical, scalable solution for Suricata rule validation that integrates well into security operations and development pipelines.

New CISA KEV MCP Server

MCP servers let you wire up external services/APIs in a standard way for LLM/GPT tool-calling and other forms of automation.

I made a basic, but fairly comprehensive CISA KEV MCP server that I go into the details a bit more of here.

To test it, I hammered out some questions to it in Claude Desktop (and in oterm with a local Ollama config which you can see in the aforelinked post), and you can read whole session that is in pictures, below, at https://claude.ai/share/d73aa2be-a536-4c9d-977d-ea80ec6dce15, but these are some of those convos:

RSAC 2025 Sets A Dangerous Precedent for Cybersecurity Leadership

(I posted this on LI, but I like to own my content, so am also posting here.)

The cybersecurity community deserves better than what we’re witnessing at RSAC 2025, today.

While Kristi Noem delivers today’s keynote, the absence of traditional cybersecurity leaders from agencies like NSA and CISA speaks volumes about shifting priorities in our field. This contrast becomes even more troubling when viewed alongside recent developments with Chris Krebs. The former CISA director — widely respected for his defense of election security — has faced unprecedented retaliation: security clearances revoked, his employer SentinelOne effectively blacklisted, and federal investigations directed into his tenure for simply upholding the integrity of our democratic systems.

Meanwhile, Secretary Noem — who has publicly committed to “reining in” CISA’s disinformation efforts and called its election integrity work “shocking” — receives our industry’s most prestigious speaking platform. Her tenure at DHS has featured more political theater than substantive cybersecurity leadership — or just leadership in general — prioritizing spectacle over the technical expertise and collaborative approach our field demands.

RSAC has always represented rigorous, forward-thinking discussion about defending critical infrastructure and fostering trust in technology. By elevating political figures who undermine the very principles our community stands for — while one of our most principled voices faces silencing — we’re accepting a dangerous new standard.

The cybersecurity field requires leaders who value expertise, accountability, and the defense of democratic norms. We must ask ourselves: what message are we sending about our professional values when we applaud those who work to dismantle the very protections we’ve built?

Every individual involved with RSAC who had a part to play in this decision should be deeply, deeply ashamed of themselves.

New geolocus-cli For ONYPHE’s Geolocus Database

ONYPHE has made available a free API and free MMDB download of their new Geolocus database. It provided IP address metadata in the form of:

{
    "abuse":
    [
        "amzn-noc-contact@amazon.com",
        "aws-routing-poc@amazon.com",
        "aws-rpki-routing-poc@amazon.com",
        "trustandsafety@support.aws.com"
    ],
    "asn": "AS14618",
    "continent": "NA",
    "continentname": "North America",
    "country": "US",
    "countryname": "United States",
    "domain":
    [
        "amazon.com",
        "amazonaws.com",
        "aws.com"
    ],
    "ip": "3.215.138.152",
    "isineu": 0,
    "latitude": "37.09024",
    "location": "37.09024,-95.712891",
    "longitude": "-95.712891",
    "netname": "AMAZON-IAD",
    "organization": "Amazon Data Services NoVa",
    "physical_asn": "AS14618",
    "physical_continent": "NA",
    "physical_continentname": "North America",
    "physical_country": "US",
    "physical_countryname": "United States",
    "physical_isineu": 0,
    "physical_latitude": "37.09024",
    "physical_location": "37.09024,-95.712891",
    "physical_longitude": "-95.712891",
    "physical_organization": "Amazon.com, Inc.",
    "physical_subnet": "3.208.0.0/12",
    "physical_timezone": "America/Chicago",
    "subnet": "3.208.0.0/12",
    "timezone": "America/Chicago"
}

Since it’s way more efficient to use the MMDB file than the API, I built a cross-platform CLI tool for it: https://codeberg.org/hrbrmstr/geolocus-cli.

also with binary releases: https://codeberg.org/hrbrmstr/geolocus-cli/releases

Code is also available via Tangled Knot: https://tangled.sh/@hrbrmstr.dev/geolocus-cli

Usage:

# Download the latest Geolocus database
geolocus-cli download

# Look up IPs from a file
geolocus-cli lookup -i ips.txt -o results.json

# Process IPs from stdin and output to stdout
cat ips.txt | geolocus-cli lookup

# Output in CSV format
geolocus-cli lookup -i ips.txt -f csv -o results.csv

# Output in JSONL format (one JSON object per line)
geolocus-cli lookup -i ips.txt -f jsonl -o results.jsonl

# Disable session caching
geolocus-cli lookup -i ips.txt --no-cache

CLI options:

Commands:
  download    Download a fresh copy of the geolocus.mmdb database
  lookup      Lookup and enrich IP addresses from a file or stdin

Options:
  -h, --help              Show help information
  -i, --input <file>      Input file containing IP addresses (one per line)
  -o, --output <file>     Output file for results (defaults to stdout)
  -f, --format <format>   Output format: json, csv, or jsonl (default: json)
  --no-cache              Disable IP caching for the current session

Trump’s Retaliation Against Chris Krebs — and the Cybersecurity Industry’s Deafening Silence

Chris Krebs, the former director of the Cybersecurity and Infrastructure Security Agency (CISA), was fired by Donald Trump in 2020 for publicly affirming that the presidential election was secure and free from widespread fraud. Fast-forward to April 2025: Trump, now back in the White House, issued an executive order revoking Krebs’ security clearances and ordering a federal investigation into his conduct, specifically targeting both Krebs and his employer, SentinelOne. The order also suspended clearances for other SentinelOne employees and threatened the company’s ability to do business with the government.

Krebs responded by resigning from SentinelOne to fight the administration’s campaign against him, stating, “This is a fight for democracy, freedom of expression, and the rule of law. I’m ready to give it my all”. SentinelOne’s stock dropped, and the chilling effect on the broader cybersecurity sector was immediate and palpable.

The Industry’s Response: Silence, Not Solidarity

Despite Krebs’ reputation for professionalism and integrity, the cybersecurity industry has, with rare exceptions, responded with silence. Reuters reached out to 33 major cybersecurity firms and three industry groups—only one responded with a comment. Industry leaders, major vendors, and conference organizers have largely avoided public statements. Even companies with direct ties to Krebs, such as Microsoft and CrowdStrike, declined to comment.

This silence is not just disappointing—it’s dangerous. The executive order against Krebs is not merely a personal vendetta; it is a test of constitutional norms and the independence of the cybersecurity profession. By targeting Krebs for telling the truth, the administration is sending a message: dissent—especially when it contradicts the preferred political narrative—will be punished. The industry’s lack of response is, in effect, complicity.

Why This Matters

  • Chilling Effect: If a high-profile, well-respected figure like Krebs can be targeted for doing his job, no one in the industry is safe. The message is clear: toe the line or risk your career and your company’s future.
  • Erosion of Trust: Cybersecurity is built on trust and integrity. If practitioners cannot speak the truth without fear of retaliation, the entire profession is undermined.
  • Precedent for Authoritarianism: The use of executive power to punish private citizens and companies for protected speech is a hallmark of authoritarianism. The industry’s silence enables further overreach.

What Every RSA Attendee Should Do

RSA Conference 2025’s theme is “Many Voices. One Community.” But a community that stays silent in the face of injustice is not united—it is complicit. Every attendee, whether you’re a practitioner, vendor, or “A-lister,” has a responsibility to meet this moment.

When you visit vendor booths or encounter cybersecurity leaders and influencers at RSA, ask them:

  • What are you and your company doing to publicly support Chris Krebs and SentinelOne?
  • How are you defending the principles of free speech and professional integrity in cybersecurity?
  • Are you willing to risk contracts, revenue, or reputation to stand up for what’s right?
  • What concrete actions will you take to ensure that truth-telling cybersecurity professionals are protected, not punished?

Don’t let them dodge. Don’t accept platitudes.

If you’re a vendor or a leader: issue a public statement. Sign an open letter. Organize a session or a panel on defending professional independence. Use your platform—on stage, on social media, in the press—to call out this abuse of power.

If you’re an attendee: demand answers. Refuse to let silence be the industry’s answer to authoritarian overreach.

Remember: Silence is not safety. Silence is capitulation. If the cybersecurity community cannot defend its own when the truth is under attack, then what exactly are we protecting?

This is your moment. Don’t waste it.

American [Cyber] Sigh

A long, long time ago
I can still remember
How those CVEs would make me smile
And I knew if I had my chance
To patch a vuln or take a stance
Maybe we’d be secure for a while

But April ides made me shiver
With each leaked memo and press release delivered
Bad news on the doorstep
Couldn’t take one more step

I can’t remember if I sighed
When I read about the program’s demise
But something broke me deep inside
The day the CVE died

So bye, bye, MITRE’s CVE pie
Checked the vuln feed in my Feely
But the Feedly ran dry
And them good old nerds were drinking whiskey and rye
Singin’, “This’ll be the day that I sigh
This’ll be the day that I sigh”

Did you write the book of flaws
And do you have faith in CISA’s cause
As the budget fails you so?
Do you believe in NVD
Can it save our infosec sanity
Now that MITRE’s left out in the cold?

Well, I know you’re chasing vulns with me
Saw your commits in the CVE tree
We both diffed those exploit clues
Man, I miss those vuln ID blues

I was a lonely analyst on the hunt
With a zero-day and a coffee cup
But I knew I was out of luck
The day the CVE died

I started singing
Bye, bye, MITRE’s CVE pie
Checked the vuln feed in my Feely
But the Feedly ran dry
And them good old nerds were drinking whiskey and rye
Singin’, “This’ll be the day that I sigh
This’ll be the day that I sigh”

Now for twenty-five years we’ve been on our own
But the funding’s gone, the seeds are sown
That’s not how it used to be
When MITRE sang for DHS
And catalogued every software mess
In a voice that came from you and me

Oh, and while the vendors looked around
The hackers stole the thorny crown
No verdict was returned
And the vuln world, it just burned
And while defenders read advisories
The attackers practiced in the dark
And we sang dirges in the park
The day the CVE died

We were singing
Bye, bye, MITRE’s CVE pie
Checked the vuln feed in my Feely
But the Feedly ran dry
And them good old nerds were drinking whiskey and rye
Singin’, “This’ll be the day that I sigh
This’ll be the day that I sigh”

Helter skelter before the summer swelter
The KEV flew off with no shelter
Zero-days high and falling fast
It landed foul on the grass
The vendors tried for a forward pass
With MITRE on the sidelines in a cast

Now the half-time air was sweet perfume
While the Red Team played a marching tune
We all got up to dance
Oh, but we never got the chance
‘Cause the vendors tried to take the field
The bug bounty band refused to yield
Do you recall what was revealed
The day the CVE died?

We started singing
Bye, bye, MITRE’s CVE pie
Checked the vuln feed in my Feely
But the Feedly ran dry
And them good old nerds were drinking whiskey and rye
Singin’, “This’ll be the day that I sigh

Oh, and there we were all in one place
A generation lost in cyberspace
With no time left to start again
So come on: Jack be nimble, Jack be quick
Jack Flash sat on a candlestick
‘Cause fire is the hacker’s only friend

Oh, and as I watched it on the stage
My hands were clenched in fists of rage
No angel born in hell
Could break that budget spell
And as the flames climbed high into the night
To light the sacrificial rite
I saw Musk laughing with delight
The day the CVE died

He was singing
Bye, bye, MITRE’s CVE pie
Checked the vuln feed in my Feely
But the Feedly ran dry
And them good old nerds were drinking whiskey and rye
Singin’, “This’ll be the day that I sigh

I met a dev who sang the blues
And I asked her for some happy news
But she just smiled and turned away
I went down to the sacred store
Where I’d checked for CVEs before
But the sysadmin said the feeds wouldn’t play

And in the streets, the hackers screamed
The CISOs cried, and the devs all dreamed
But not a word was spoken
The patching chain was broken
And the three things I admire most:
The patch, the fix, and the vuln disclosure post
They caught the last train for the coast
The day the CVE died

And they were singing
Bye, bye, MITRE’s CVE pie
Drove my vuln feed to the levee
But the levee ran dry
And them good old nerds were drinking whiskey and rye
Singin’, “This’ll be the day that I sigh
This’ll be the day that I sigh”

I told you so…

Just putting a marker out there, that I’m either fundamentally wrong, or we all are f’d this week.

If the latter: I told you so.