Let me start off by saying I’m not bashing the writer of this article, and I’m trying not to be super critical. I don’t want to discourage this person from writing articles about Snort rules. It’s great when people in the Snort community step up and explain some simple things out there. There are mistakes, [...]
Tuning Snort with Host Attribute Tables – CSO Online – Security and Risk.
Here is an article I wrote for CSO magazine, thought the readers of my blog might like to check it out as well.
I was asked to write a fairly technical article for CSO magazine about Snort, the problem is, which part of Snort [...]
So, after my post about ask.com’s network… Here’s another quiz for you.
Feb 15 09:16:39 localhost kernel: IN=eth0 OUT= MAC=00:03:47:f1:52:0d:00:18:01:b6:c1:4d:08:00 SRC=121.242.15.135 DST=192.168.x.x LEN=72 TOS=0x00 PREC=0x00 TTL=45 ID=32394 DF PROTO=TCP SPT=52764 DPT=22 WINDOW=46 RES=0x00 ACK PSH FIN URGP=0
What kind of fun is that!
So, in the spirit of another post I put up recently, I am monitoring my firewall logs for anything strange and I keep seeing this:
Feb 8 14:47:55 localhost kernel: IN=eth0 OUT= SRC=66.235.120.71 DST=192.168.x.x LEN=455 TOS=0x00 PREC=0x00 TTL=49 ID=33745 DF PROTO=TCP SPT=80 DPT=58709 WINDOW=54 RES=0x00 ACK PSH URGP=0
The Source is Ask.com, the DST is my webserver, [...]
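Both quizzes above hinge on reading the TCP flag bits and port pair out of a netfilter LOG line. The parser below is an added example, not code from the original posts: it splits the kernel's key=value fields, collects the bare flag tokens (ACK, PSH, FIN, ...) and applies a few standard classifications (null scan, Xmas scan, SYN+FIN, mid-stream segment, low source port toward an ephemeral destination port). The two log lines embedded as input are constructed copies of the ones quoted above; the tag names and heuristics are this example's own, not a netfilter or Snort convention.

```python
import re
from typing import Dict, List

# Constructed sample input, modelled on the two netfilter LOG lines quoted in the
# posts above (the 192.168.x.x destination is the blog's own redaction).
SAMPLE_LOG = (
    "Feb 15 09:16:39 localhost kernel: IN=eth0 OUT= "
    "MAC=00:03:47:f1:52:0d:00:18:01:b6:c1:4d:08:00 SRC=121.242.15.135 DST=192.168.x.x "
    "LEN=72 TOS=0x00 PREC=0x00 TTL=45 ID=32394 DF PROTO=TCP SPT=52764 DPT=22 "
    "WINDOW=46 RES=0x00 ACK PSH FIN URGP=0\n"
    "Feb 8 14:47:55 localhost kernel: IN=eth0 OUT= SRC=66.235.120.71 DST=192.168.x.x "
    "LEN=455 TOS=0x00 PREC=0x00 TTL=49 ID=33745 DF PROTO=TCP SPT=80 DPT=58709 "
    "WINDOW=54 RES=0x00 ACK PSH URGP=0\n"
)

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")          # IN=eth0, OUT= (empty), SPT=80 ...
INT_FIELDS = ("LEN", "TTL", "ID", "SPT", "DPT", "WINDOW")


def parse_iptables_line(line: str) -> Dict[str, object]:
    """Parse one netfilter LOG line into a dict of fields plus a 'flags' set."""
    _, _, body = line.partition("kernel: ")
    fields: Dict[str, object] = dict(KV_RE.findall(body))
    tokens = body.split()
    # Flag bits and DF are emitted as bare words, not key=value pairs.
    fields["flags"] = {t for t in tokens if t in TCP_FLAGS}
    fields["DF"] = "DF" in tokens
    for key in INT_FIELDS:
        if key in fields:
            fields[key] = int(fields[key])
    return fields


def classify(pkt: Dict[str, object]) -> List[str]:
    """Tag a parsed TCP packet with the observations a log reviewer would want.

    The tag names are this example's own; the heuristics are the usual ones.
    """
    tags: List[str] = []
    if pkt.get("PROTO") != "TCP":
        return tags
    f = pkt["flags"]
    if not f:
        tags.append("null-scan")                       # no flags at all
    if {"FIN", "PSH", "URG"} <= f and not f & {"SYN", "ACK"}:
        tags.append("xmas-scan")
    if "SYN" in f and f & {"FIN", "RST"}:
        tags.append("invalid-flag-combo")              # never legitimate
    if "SYN" in f and "ACK" not in f:
        tags.append("new-connection-attempt")
    if "ACK" in f and "SYN" not in f:
        tags.append("mid-stream")                      # not the start of a session
        if "FIN" in f:
            tags.append("close-segment")               # FIN+ACK: the peer is tearing down
        if pkt["SPT"] < 1024 <= pkt["DPT"]:
            tags.append("likely-reply-to-outbound")    # e.g. SPT=80 -> our ephemeral port
    return tags


def analyze(log: str) -> List[Dict[str, object]]:
    """Parse and classify every kernel LOG line in a block of syslog text."""
    results = []
    for line in log.splitlines():
        if "kernel:" not in line:
            continue
        pkt = parse_iptables_line(line)
        results.append({
            "src": pkt["SRC"], "spt": pkt["SPT"], "dpt": pkt["DPT"],
            "flags": sorted(pkt["flags"]), "tags": classify(pkt),
        })
    return results


if __name__ == "__main__":
    for r in analyze(SAMPLE_LOG):
        print(f"{r['src']}:{r['spt']} -> :{r['dpt']} {r['flags']} {r['tags']}")
```

Run against the two constructed lines, the first packet (ACK PSH FIN to port 22) comes out as a mid-stream closing segment rather than a new connection attempt, and the second (SPT=80 toward a high port) as a mid-stream segment whose port pair is what a reply to an outbound web request looks like. Whether either packet should have reached the LOG rule at all depends on the firewall's state rules, which a single line cannot tell you.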
In my To-Do list, I have a section for Blog topics that I think of in $random_place and I want to jot down for brainstorming later. This topic has been on my to-do list for about a year.
I was standing on a stage giving a speech at a military base, in about 2004. The people [...]
This week, we at Sourcefire had our annual Sales Kickoff meeting. Basically a good look backwards at 2009, and what we did right and wrong, a look ahead and goals for 2010.
Obviously most of what we talked about is corporate confidential, but I think we all left with a good idea about where [...]
Over the past couple days I’ve been reporting over on the Internet Storm Center about the number of domains that have been registered (either legitimately for good use, or for malicious use) concerning the Haitian Earthquake disaster. Read the original article here.
Like I said in that article, we’re assuming that these domains are being registered [...]
Today, I posted an article on the Internet Storm Center about the fact that sometimes domains are parked and used for malicious use when a disaster occurs.
Domains like haitiearthquake2010 and haitiearthquakerelief and various names like that.
Well, because this is of such a large concern, I was contacted by no less than 5 news [...]
Read the below on Google Reader, figured it was easy enough to write some SNORT® rules for:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"VIRUS W32/Xpaj Botnet infection"; flow:to_server,established; uricontent:"up.php"; content:"a=g2"; rev:1; sid:1000000;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"VIRUS W32/Xpaj Botnet Infection"; flow:to_server,established; uricontent:"stamm/"; content:"stamm.dat"; depth:0; within:9; rev:1; sid:1000001;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [...]
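The second rule above only fires when "stamm.dat" sits inside a nine-byte window immediately after the "stamm/" URI match, which is what within:9 with a nine-byte pattern means. To make that concrete, here is an added example, not code from the original post: a toy Snort-style matcher in Python that parses the two complete rules quoted above and evaluates their content and uricontent options, with offset/depth (absolute) and distance/within (relative to the end of the previous match, with backtracking over earlier occurrences), against constructed HTTP requests. It is a simplified model and the following are its own assumptions, not Snort behaviour verified here: it works on str rather than bytes, uricontent searches the raw URI in the request line rather than Snort's normalized URI buffer, depth:0 is treated as "no limit", absolute modifiers on a content that also carries a relative one are ignored, and the rule header, flow, nocase and hex patterns are not handled.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional, Tuple

# The two complete rules posted above, with curly quotes replaced by ASCII quotes.
RULES = [
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"VIRUS W32/Xpaj Botnet infection"; '
    'flow:to_server,established; uricontent:"up.php"; content:"a=g2"; rev:1; sid:1000000;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"VIRUS W32/Xpaj Botnet Infection"; '
    'flow:to_server,established; uricontent:"stamm/"; content:"stamm.dat"; depth:0; within:9; rev:1; sid:1000001;)',
]

# Constructed requests: two shaped to hit the rules, two near misses.
REQ_XPAJ_1 = "POST /up.php HTTP/1.1\r\nHost: example.invalid\r\nContent-Length: 4\r\n\r\na=g2"
REQ_XPAJ_2 = "GET /stamm/stamm.dat HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
REQ_BENIGN_1 = "GET /blog/up.php?a=g3 HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
REQ_BENIGN_2 = "GET /stamm/x/stamm.dat HTTP/1.1\r\nHost: example.invalid\r\n\r\n"

OPT_RE = re.compile(r'(\w+)(?::("[^"]*"|[^;]*))?;')   # key:value; or bare key;


@dataclass
class Content:
    pattern: str
    in_uri: bool                       # uricontent vs content
    offset: int = 0
    depth: int = 0                     # 0 treated as "no limit" (model assumption)
    distance: Optional[int] = None
    within: Optional[int] = None

    @property
    def relative(self) -> bool:
        return self.distance is not None or self.within is not None


@dataclass
class Rule:
    sid: int
    msg: str
    contents: List[Content]


def parse_rule(text: str) -> Rule:
    """Pull the content/uricontent chain and sid/msg out of a rule's option body."""
    body = text[text.index("(") + 1 : text.rindex(")")]
    contents: List[Content] = []
    meta: Dict[str, str] = {}
    for key, val in OPT_RE.findall(body):
        val = val.strip()
        if val.startswith('"') and val.endswith('"'):
            val = val[1:-1]
        if key in ("content", "uricontent"):
            contents.append(Content(pattern=val, in_uri=(key == "uricontent")))
        elif key in ("offset", "depth", "distance", "within"):
            setattr(contents[-1], key, int(val))      # modifier binds to the preceding content
        else:
            meta[key] = val                           # flow, rev, msg, sid ...
    return Rule(sid=int(meta["sid"]), msg=meta.get("msg", ""), contents=contents)


def uri_span(request: str) -> Tuple[int, int]:
    """Offsets of the request-target in the request line (model of the URI buffer)."""
    line_end = request.find("\r\n")
    line_end = len(request) if line_end == -1 else line_end
    first = request.find(" ")
    if first == -1 or first > line_end:
        return (0, 0)
    second = request.find(" ", first + 1)
    if second == -1 or second > line_end:
        second = line_end
    return (first + 1, second)


def candidate_ends(c: Content, request: str, uspan: Tuple[int, int], cursor: int) -> Iterator[int]:
    """Yield the end offset of every occurrence of c.pattern allowed by its modifiers."""
    lo, hi = uspan if c.in_uri else (0, len(request))
    if c.relative:                                    # window starts at the previous match end
        start = cursor + (c.distance or 0)
        stop = start + c.within if c.within is not None else hi
    else:                                             # window measured from buffer start
        start = lo + c.offset
        stop = start + c.depth if c.depth else hi
    lo, hi = max(lo, start), min(hi, stop)
    pos = request.find(c.pattern, lo)
    while pos != -1 and pos + len(c.pattern) <= hi:   # whole pattern must fit in the window
        yield pos + len(c.pattern)
        pos = request.find(c.pattern, pos + 1)


def rule_matches(rule: Rule, request: str) -> bool:
    """Evaluate the content chain with backtracking over earlier occurrences."""
    uspan = uri_span(request)

    def step(i: int, cursor: int) -> bool:
        if i == len(rule.contents):
            return True
        return any(step(i + 1, end) for end in candidate_ends(rule.contents[i], request, uspan, cursor))

    return step(0, 0)


PARSED_RULES = [parse_rule(r) for r in RULES]


def fired_sids(request: str) -> List[int]:
    """SIDs of the parsed rules whose content chain matches the request."""
    return [r.sid for r in PARSED_RULES if rule_matches(r, request)]


if __name__ == "__main__":
    for name, req in [("xpaj_1", REQ_XPAJ_1), ("xpaj_2", REQ_XPAJ_2),
                      ("benign_1", REQ_BENIGN_1), ("benign_2", REQ_BENIGN_2)]:
        print(name, fired_sids(req))
```

The near misses show why the modifiers matter: /blog/up.php?a=g3 satisfies the uricontent but not the content, and /stamm/x/stamm.dat satisfies both patterns individually yet fails because "stamm.dat" ends outside the nine-byte window that within:9 opens after "stamm/". Writing a rule this tight is exactly the "rules because you have to" discipline the next post argues for; every modifier you drop widens what the rule will fire on.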
In my job, I see a lot of Snort rules being thrown around for this, that, and the other thing. The thing I try to emphasize is not to write rules for rules' sake. Don't write rules just because you can. Write rules because you have to.
So recently an exploit for Microsoft [...]