
Monitoring Pastebin.com Overview

  • Writer: Pavan Raja
  • Apr 8, 2025

Summary:

This document outlines a Perl script named `pastemon.pl`, developed to monitor Pastebin content and detect potentially leaked data such as passwords or emails posted on the site. The script feeds a SIEM (Security Information and Event Management) system through ArcSight infrastructure for continuous monitoring. Key features include automated detection using regular expressions (regex), daemon functionality for 24/7 operation, and logging of findings via Syslog messages. Options cover regex patterns, syslog facility levels, case sensitivity settings, debug mode, and CEF event transmission to specified destinations. The script requires a Linux machine equipped with Perl and internet access. Pastemon has evolved through user feedback and suggestions: it now allows custom rule definition for filtering false positives, saves matched paste data, and adds email alert functionality. Proposed future enhancements include real-time monitoring capabilities and the exclusion of specific words to reduce false positive matches.

Details:

This article is about monitoring pastebin.com within a SIEM (Security Information and Event Management) system. Pastebin.com is a website where users can post text for sharing, and those posts often contain sensitive information like passwords or emails. The author discusses how to automatically detect potentially leaked data from this site using a Perl script called pastemon.pl, which they developed further by adding daemon functionality and the ability to log findings into a Syslog message. These messages can be processed in an ArcSight infrastructure for SIEM monitoring. Requirements include a Linux machine with a Perl interpreter and internet access.

The script monitors newly uploaded pasties on pastebin.com and searches them for interesting content using regular expressions. It can generate CEF events, perform case-insensitive searches, and has several optional parameters such as debug mode, the facility for syslog, a regex configuration file, and a destination IP or FQDN for CEF events. It sends the information to a local Syslog daemon or to the configured CEF destination if enabled. Useful regular expressions are provided for common targets such as company domains, email addresses, names, IP addresses, credit cards, and other specific data patterns. The output can be easily processed in an ArcSight infrastructure by configuring SmartConnectors and UDP CEF receivers.

The comments are a series of messages exchanged between different individuals discussing and using "pastemon" to monitor Pastebin.com for leaked information that could be useful in OSINT (Open Source Intelligence) monitoring. The users exchange tips, troubleshoot issues they encounter while running the script through proxies, and provide feedback on the functionality of the tool. Some key points from this conversation include:

  • Users discussing whether non-Roman characters like Umlauts or Cyrillic letters can be supported by the script when processing regular expressions.

  • A suggestion to check if Tor support is available for the script, as it's noted in the todo list of one user (Xavier).

  • Information about changes in the source code of Pastebin.com, which affected how pasties could be fetched from the site due to a change in the archive URL structure.

  • Users sharing their experiences with running the script behind proxies and suggesting modifications to handle such environments better.

  • Feedback on the tool's behavior when using debug mode and issues related to logging (which were not properly captured under certain conditions).

The text discusses a script created by Xavier for monitoring Pastebin content and forwarding it as CEF events to a SIEM (Security Information and Event Management) tool like ArcSight. The script has evolved through several versions, each addressing user feedback and suggestions. Key improvements include the ability to define custom rules for filtering out false positives and saving matched paste data in a specified directory for later review. User comments highlight preferences such as configuring the PID file location, adding email alert functionality, and extending the script's usefulness by storing matches if not already implemented. The discussion also includes suggestions from users about improving the tool further, like excluding specific words to avoid false positives and ensuring real-time monitoring capabilities are added.
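The matching and forwarding steps described above, as an added Python sketch (not code from pastemon.pl or its author). The rule names, the example.com domain, the sample pastes and the CEF vendor/product strings are constructed assumptions; the per-rule exclusion pattern is one way to implement the proposed false-positive filter.

```python
import re

# Constructed rules: name -> (match regex, exclusion regex or None).
# "example.com" stands in for a monitored company domain (assumption).
RULES = {
    "company-email": (r"[\w.+-]+@example\.com\b", None),
    "password-dump": (r"\bpassw(or)?d\s*[:=]\s*\S+", r"\b(changeme|placeholder)\b"),
}

# Constructed sample pastes (URL -> body); not real Pastebin content.
SAMPLE_PASTES = {
    "https://paste.example/a1": "alice@example.com password: hunter2\nbob@example.com",
    "https://paste.example/b2": "config template\npassword = changeme\n",
}

def compile_rules(rules, ignore_case=True):
    flags = re.IGNORECASE if ignore_case else 0
    return {name: (re.compile(rx, flags), re.compile(ex, flags) if ex else None)
            for name, (rx, ex) in rules.items()}

def match_paste(text, compiled):
    """Return {rule: match count}; a rule is dropped if its exclusion regex hits."""
    hits = {}
    for name, (rx, ex) in compiled.items():
        count = sum(1 for _ in rx.finditer(text))
        if count and not (ex and ex.search(text)):
            hits[name] = count
    return hits

def cef_header(value):
    # CEF header fields: escape backslash first, then pipe.
    return str(value).replace("\\", "\\\\").replace("|", "\\|")

def cef_ext(value):
    # CEF extension values: escape backslash and '=', encode newlines as \n.
    return str(value).replace("\\", "\\\\").replace("=", "\\=").replace("\n", "\\n")

def to_cef(paste_url, rule, count, severity=5):
    """Build one CEF:0 line; vendor, product and version are placeholders."""
    fields = ("CEF:0", "ExampleVendor", "paste-monitor", "1.0", rule,
              "Suspicious paste detected", severity)
    ext = {"request": paste_url, "cs1Label": "MatchedRule", "cs1": rule, "cnt": count}
    return ("|".join(cef_header(f) for f in fields) + "|"
            + " ".join(f"{k}={cef_ext(v)}" for k, v in ext.items()))

def scan(pastes, rules=RULES, ignore_case=True):
    compiled = compile_rules(rules, ignore_case)
    return [to_cef(url, rule, n) for url, text in pastes.items()
            for rule, n in match_paste(text, compiled).items()]
```

The second sample paste matches the password rule but is suppressed by its exclusion pattern, so `scan(SAMPLE_PASTES)` yields two events, both for the first paste.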

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If you have any comments or feedback, kindly leave a message and it will be responded to.
