I recently had a need to specify and increment the IP timestamp values of packets in a PCAP. In this example, the starting second value is specified and we increment the microsecond value. This requires the use of Scapy. If you have any questions or recommendations for improvement, please leave …
I recently fired up a Snort Anomaly Detection instance provided by the SnortAD project and wanted to share my experience for those who might be interested in trying it on your network. SnortAD is the third generation anomaly detection preprocessor for Snort and is a little different than its predecessors …
Here are a few technology and information security related mailing-lists that I subscribe to in no particular order. Leave a comment if you think I missed one. asterisk-users.lists.digium.com beginners.perl.org snort-users.lists.sourceforge.net nessus.list.nessus.org pauldotcom.mail.pauldotcom.com samurai-devel.lists.sourceforge.net …
Here is a list of information technology and security podcasts. Some are technical, others are higher level so YMMV. A source of information to keep me up to date on what is going on in the information technology realm. If you think of something I have missed, leave a commment …
I recently came across the need to decode an exclusive or (XOR) payload. In my case, the key to de-obfuscating the traffic was the first three bytes of each packets payload. While it is trivial to decode each payload, it was not reasonable for a large number of packets. For …
World IPv6 Day on June 8th 2012 is rapidly approaching. It is an exciting and scary reality. For my personal assets, there was a small investment on my part to get everything up to par. My internet provider Comcast is dual-stack ready which is nice because I experienced some serious …
In an effort to replicate the amusing idea of a transparent proxy that manipulates traffic in a fun way found here and made even better with some great scripts that you can pull down from here. A Debian box was stood up with two network cards; one connects to the …
I recently came across a blog post demonstrating how to use the Emerging Threats rule sets in order to block malware calls to command and control (C&C) hosts. Using the script referenced in the blog post may work fine, but I want to review and update when I feel …
If you would like to enable server-side encryption which is a relatively new feature for your Amazon S3 data using GSUtil then you need specify the header value when pushing files to their cloud. $ gsutil -h "x-amz-server-side-encryption: AES256" cp /backups/files* s3://bucket Note that server-side encryption protects your data …
After seeing some suspicious activitiy in my McAfee antivirus logs, I learned the Access Protection functionality, specifically IRC communication setting may be able to thwart some of the aforementioned activity. There are a number of useful setting to log or even block attempts that are not enable by default. A …
Looking over some netflow data I notice some variance between the two sensors. Sensor s0 is v5 netflow data from a Cisco switch, s1 is from a network tap listening between a Router on a Stick and said Cisco switch. The latter is a capture from YaF listening on a …
In a previous post SiLK was setup on a Debian host using NetFlow v5 from a Cisco switch. This worked well but I also have a network tap and said Cisco switch is capable of capturing data via SPAN port(s). This got me thinking about what difference I may …
This guide walks through configuring SiLK from a source install on a Debian 6 host in order to collect NetFlow data from a Cisco router. The guides here and here written by CERT NetSA are quite good but lack some detail specific to the Debian distribution which required a bit …
Google’s gsutil is a great tool for pushing, retrieving and setting permissions on objects uploaded to Google Storage. I was reviewing the documentation on the Sharing and Collaboration page, specifically the Authenticated Browser Download section and realized there were a couple of small mistakes, err typos. I wanted to …
When you are running those vulnerability scans of Linux and UNIX hosts I hope that you are following best practices for keeping a host secure during the process. Both Retina and Nessus rely upon SSH in order to connect to a remote host and run a number of commands to …
I was thinking about how to retrieve photos from Facebook photo gallery’s and came across a number of solutions. Most of the solutions were for blog or CMS and furthermore required caching your credentials in a database along with a few other hoops in order to access your albums …
While experimenting with EMET I decided to put together a little presentation demonstrating how it can be used to prevent exploitation of a known threat to Acrobat Reader. The presentation first demonstrates the exploit using Metasploit, provides some high level analysis and then goes on to describe how EMET can …
I was hunting around for a way to create email aliases for mailing-lists and whatnot. It is a little disappointing to learn that there is not away to create true aliases with Google’s Gmail. You can create aliases if using Google’s hosted application service but I do not …
Note this is an older post that I am migrating from another blog I previously maintained. Metasploit has already provide a nice write up of the pwning, I mean testing the vector http://blog.metasploit.com/2010/08/exploiting-dll-hijacking-flaws.html. It does involve a bit of prep work but I …
This installment is about keeping your notebook and other technology items safe. I was recently asked what the Defcon locks were for that I have been distributing with the new notebooks. I jokingly said to keep people from taking your monitor and chair from your desk while your on travel …