Showing posts with label Linux. Show all posts

Friday, November 4

Yield Thought, this guy swapped his MacBook for an iPad+Linode

Yield Thought, I swapped my MacBook for an iPad+Linode:

This guy is nuts. I could never do this, even though 99% of my work is done via screen at work as well.

Interesting though.

(whoops)

Wednesday, February 17

Tuning Snort with Host Attribute Tables - CSO Online - Security and Risk

Tuning Snort with Host Attribute Tables - CSO Online - Security and Risk.

Here is an article I wrote for CSO magazine, thought the readers of my blog might like to check it out as well.

I was asked to write a fairly technical article for CSO magazine about Snort. The problem is, which part of Snort do you write the article about?  An article about Snort can be very technical or not so technical.  That range is one of the advantages of having open-source software.

In any case, enjoy.

Sunday, January 31

Flash, time for you to die

I've been reading a lot of hubbub about the new Apple iPad not having the capability of displaying Flash.  Of course!  It stands to reason that it can't: it has the same OS as the iPhone, which also can't display Flash.  Which leads me to think, why do we need Flash?

Answer is, we don't.  Not anymore.  90% of Flash usage is for audio or video on the Internet, and HTML5 can handle <audio> and <video> tags.  It can do Canvas.  (Oh, and a TON more; I'm just illustrating a point.)  Some of the major browsers have adopted most of these technologies.  WebKit (invented by Apple; it powers Safari and Google Chrome, amongst others) and Presto (the rendering engine that powers Opera) have supported more of them than the other two majors, Gecko (the engine that powers Firefox and all of its kin) and Trident (the engine that powers Internet Explorer).  The last is the worst adopter.  Surprisingly.

I read somewhere (I can't find it now) that most browser crashes come from plugins: Flash, Java, etc.  Why can't we eliminate these plugins and go with the native protocols?  That's what HTML5 is attempting to do for the most part, and I, for one, am glad for it.

Apple has always been about killing off technologies and moving on to what is on the horizon (killing off serial and going for USB, killing off diskettes and going to CD, killing off CDs (MacBook Air), moving more wireless (AirPort), killing off DisplayPort, HDMI, DVI and VGA and going with Mini DisplayPort).  They have never been afraid to just "move on" to the new thing.

I believe they said to Flash, "die, HTML5 is here."  Then they turned to web developers and said "fix your stuff".  How did they do that?  Rolled out the iPhone, which has now become the largest mobile browsing platform on the planet.  Slowly but surely, what's happening?  Websites are moving away from Flash.

Unless, you know, of course, you are a band or a restaurant.  (Seriously?  What is with bands and restaurants and your use of Flash?)

I don't even need to get into the security issues of Adobe's Flash.  Look, there is one small part of Adobe working on Flash.  The entire internet is working on HTML5.

Flash (and Silverlight) is dead.  Get over it.

--

100% of the statistics in this post are made up.  ;)

Wednesday, December 30

SSH keys, my how I hate you sometimes.

So, earlier today I was setting up some SSH keys to be able to connect back and forth between various machines in my network.  Seems like a normal thing for a guy with a bunch of Unix machines around the house to do, right?  Well, apparently it was more painful than I thought.

I had:
PubkeyAuthentication yes

I had the permissions right on all the files, on both the client and the server (yes, I checked this, and that).

So, here I am racking my brain: "why isn't this working", darn it, what am I overlooking?  So I IM'ed a friend of mine, Richard Harman, who is the master of a bunch of things, one of them being Linuxy, Unixy stuff.  At this point I'm at my wits' end, still trying to figure it out.

Richard connects up to my computer, and he has the same problem (can't connect via SSH key), so it's obviously a server problem.

We started daemons in debug mode and looked at RPM packages (this particular server was running Fedora 10); heck, I was even looking at SELinux bugs as the culprit.  Nothing.

We noticed one line in particular that was bothering us: every time someone tried to connect, the SERVER's sshd debug output showed it trying to access /root/.ssh/authorized_keys, no matter which user was logging in.  Obviously, this isn't right.  I tested this by moving my authorized_keys file into /root/.ssh and it worked right away.

After poking around a bit, Richard found the problem:
AuthorizedKeysFile     ~/.ssh/authorized_keys

Because when sshd starts up, the "~/" in sshd_config was being expanded to the home directory, and since sshd starts as root, the ONLY directory it was going to look in was /root/.ssh/authorized_keys.

Richard changed this to:
AuthorizedKeysFile      .ssh/authorized_keys

It worked and life is fine now.  Two characters.  TWO.  (That I didn't put there, or at least don't remember putting there.)

Thanks Richard.
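As an added example (not code from the original post), here is a small Python script that checks an sshd_config for the AuthorizedKeysFile form that bit the server above, and that also verifies the permission bits sshd enforces with StrictModes, the other usual reason a key "just doesn't work". The config excerpts, user names and temporary home directories are all constructed inline. Whether a tilde works in AuthorizedKeysFile depends on the sshd version; this lint follows the post's finding and flags it in favour of the relative form that fixed things.

```python
"""Added example, not code from the original post: lint an sshd_config for the
AuthorizedKeysFile form that broke the server above, and check the permission
bits sshd's StrictModes insists on.  All inputs are constructed samples."""
import os
import stat
import tempfile

# Constructed samples: the directive the post found, and the fix Richard made.
BROKEN_SSHD_CONFIG = """# constructed sshd_config excerpt
PubkeyAuthentication yes
AuthorizedKeysFile     ~/.ssh/authorized_keys
"""
FIXED_SSHD_CONFIG = """# constructed sshd_config excerpt
PubkeyAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys
"""


def authorized_keys_files(config_text):
    """Return the AuthorizedKeysFile paths in effect for this config text.

    sshd keywords are case-insensitive, 'keyword value' and 'keyword=value'
    are both accepted, and the first occurrence of a keyword wins.  An unset
    directive is treated here as the relative default .ssh/authorized_keys.
    """
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ").split()
        if parts[0].lower() == "authorizedkeysfile":
            return parts[1:]
    return [".ssh/authorized_keys"]


def resolve_for_user(path, home):
    """Path sshd opens for a user whose home directory is `home`: absolute
    paths are used as-is and relative paths are joined to that user's home.
    A tilde entry returns None: on the post's Fedora 10 box it ended up under
    /root for every user, so this lint refuses to guess."""
    if path.startswith("~"):
        return None
    return path if os.path.isabs(path) else os.path.join(home, path)


def lint_authorized_keys_file(config_text):
    """Return a list of findings; an empty list means the directive is fine."""
    findings = []
    for p in authorized_keys_files(config_text):
        if resolve_for_user(p, "/home/example") is None:  # hypothetical home, only for the check
            relative = p.lstrip("~").lstrip("/")
            findings.append(f"AuthorizedKeysFile {p!r}: use the relative form "
                            f"{relative!r} so sshd resolves it per user")
    return findings


def strict_modes_problems(home):
    """Mimic the check sshd performs with StrictModes on: the home directory,
    ~/.ssh and ~/.ssh/authorized_keys must not be group- or world-writable,
    otherwise sshd refuses the key ("bad ownership or modes" in the auth log).
    Returns the offending paths."""
    bad = []
    for rel in ("", ".ssh", os.path.join(".ssh", "authorized_keys")):
        path = os.path.join(home, rel)
        if os.path.exists(path) and os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            bad.append(path)
    return bad


def build_demo_home(root, name, ssh_mode, key_mode):
    """Constructed fixture: a fake home directory with chosen permission bits."""
    home = os.path.join(root, name)
    os.makedirs(os.path.join(home, ".ssh"))
    os.chmod(home, 0o755)
    os.chmod(os.path.join(home, ".ssh"), ssh_mode)
    key = os.path.join(home, ".ssh", "authorized_keys")
    with open(key, "w") as fh:
        fh.write("# constructed placeholder; a real file holds public keys\n")
    os.chmod(key, key_mode)
    return home


def demo():
    """Run both checks against the constructed samples; returns a dict."""
    with tempfile.TemporaryDirectory() as root:
        tidy = build_demo_home(root, "alice", 0o700, 0o600)
        sloppy = build_demo_home(root, "bob", 0o775, 0o664)
        return {
            "broken_findings": lint_authorized_keys_file(BROKEN_SSHD_CONFIG),
            "fixed_findings": lint_authorized_keys_file(FIXED_SSHD_CONFIG),
            "tidy_perms": strict_modes_problems(tidy),
            "sloppy_perms": [os.path.relpath(p, sloppy) for p in strict_modes_problems(sloppy)],
        }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

On a real box you would feed `lint_authorized_keys_file` the contents of /etc/ssh/sshd_config and `strict_modes_problems` the real home directory; both checks are read-only, so they are safe to run on a server you are troubleshooting.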

Thursday, December 24

Bottom Posting

Recently I was chastised for bottom posting on a mailing list, so I thought I'd write a few words about it.

I bottom-post (or inline post) mostly because I like the email to be a message. You read a message or a letter from top to bottom, from left to right. It wasn't until email clients started top posting (looking at you, Outlook/Lotus Notes) that email was written in the top-posting format, forcing you to read an email backwards.

So I looked it up, basically looking at two different information stores.

Wikipedia -- http://en.wikipedia.org/wiki/Posting_style
RFC1855 -- http://www.ietf.org/rfc/rfc1855.txt

These two places define how to write email and how email should be written, on mailing lists, newsgroups, or any other email transaction.

The particular part to pay attention to is in RFC1855 --

"- If you are sending a reply to a message or a posting be sure you
summarize the original at the top of the message, or include just
enough text of the original to give a context. This will make
sure readers understand when they start to read your response.
Since NetNews, especially, is proliferated by distributing the
postings from one host to another, it is possible to see a
response to a message before seeing the original. Giving context
helps everyone. But do not include the entire original!"

Summarize the email at the top, and post below it. In other words, bottom-posting is the correct way to write email, as per RFC.

Friday, December 11

New Blog for your enjoyment

Friend of mine, Mike Mishou, started a new blog over at http://mishou.org.  So far he has some great posts, and I envision him to continue having great posts.  Head on over to Mike's website and check it out.



Thursday, November 19

Fedora 12 allows installation of software without root privs

I posted this on the ISC this morning as well, but I wanted to post it here too.

A "bug" filed back in November against the latest Fedora release (12) indicates that, through the GUI, desktop users of a Fedora system are able to install signed packages without root privileges or root authentication.  Yes, you just read that correctly.  (I'll give you a second to re-read that sentence so I don't have to retype it.)  Yes, "it's a feature, not a bug".
In all my travels I've only run across one company, ever, that has Fedora rolled out as an enterprise operating system on every desktop.  But what kind of security implications does this have?  I obviously don't have to explain why this is (or may be) a bad idea to the readers of the ISC, as we are all security-minded people.
Now, the restrictions.  This change does not affect yum on the command line; it only affects installing things through the GUI.  (Not that that helps any, as most users will be running the GUI anyway.)  You can also disable it.
Create a file in:
/var/lib/polkit-1/localauthority/20-org.d  (you can name the file anything you want)
and include the following:

[NoUsersInstallAnythingWithoutPassword]
Identity=unix-user:someone;unix-user:someone_else
Action=org.freedesktop.packagekit.*
ResultAny=auth_admin
ResultInactive=auth_admin
ResultActive=auth_admin

(The above came from the release notes for Fedora 12, found here.)
I also found this as a solution:
pklalockdown --lockdown org.freedesktop.packagekit.package-install
Currently in the bug there is some debate about whether they should revert this feature, so this may be just temporary.
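One thing to check after dropping in a file like the one above is whether it actually covers the users you care about: the snippet only names specific identities, so anyone not listed keeps the password-less default. As an added example (not from the post, the Fedora release notes, or polkit itself), here is a Python lint that reads polkit Local Authority files and reports, for a given user, the Result that applies to the PackageKit install action. The files and user names are constructed samples; polkit's Local Authority only reads files with the .pkla suffix, so the samples use it, and the "last matching entry wins" precedence rule is an assumption to verify against pklocalauthority(8) for your polkit version.

```python
"""Added example, not from the post, Fedora, or polkit: a lint that reads
polkit Local Authority .pkla files like the one above and reports whether the
PackageKit install action still requires an administrator password for a
given user.  All files and user names are constructed samples."""
import configparser
import fnmatch
import os
import tempfile

# The post's snippet; "someone" and "someone_else" are placeholder user names.
LOCKDOWN_PKLA = """[NoUsersInstallAnythingWithoutPassword]
Identity=unix-user:someone;unix-user:someone_else
Action=org.freedesktop.packagekit.*
ResultAny=auth_admin
ResultInactive=auth_admin
ResultActive=auth_admin
"""

# Constructed variant covering every user, which the post's list of names does not.
EVERYONE_PKLA = """[EveryoneNeedsAPasswordToInstall]
Identity=unix-user:*
Action=org.freedesktop.packagekit.package-install
ResultAny=auth_admin
ResultInactive=auth_admin
ResultActive=auth_admin
"""

# The action named by the pklalockdown command in the post.
INSTALL_ACTION = "org.freedesktop.packagekit.package-install"


def parse_pkla(text):
    """Yield (identities, action globs, results) for each section of a .pkla file."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # .pkla keys are case-sensitive; keep them as written
    cp.read_string(text)
    for name in cp.sections():
        section = cp[name]
        yield (
            [i.strip() for i in section.get("Identity", "").split(";") if i.strip()],
            [a.strip() for a in section.get("Action", "").split(";") if a.strip()],
            {k: section[k] for k in ("ResultAny", "ResultInactive", "ResultActive") if k in section},
        )


def identity_matches(identities, user, groups):
    """unix-user:NAME / unix-group:NAME entries, plus the unix-user:* wildcard."""
    mine = {f"unix-user:{user}"} | {f"unix-group:{g}" for g in groups}
    return "unix-user:*" in identities or bool(mine.intersection(identities))


def effective_result(pkla_dir, user, groups, action, session="Active"):
    """Scan *.pkla files in lexical order and return the Result that applies.

    Assumption made here: when several entries match, the last one wins.
    None means no entry covers this user and action, so polkit falls back to
    the action's own default, which on Fedora 12 is what lets the install
    through without a password.
    """
    result = None
    for name in sorted(os.listdir(pkla_dir)):
        if not name.endswith(".pkla"):   # the Local Authority only reads .pkla files
            continue
        with open(os.path.join(pkla_dir, name)) as fh:
            text = fh.read()
        for identities, globs, results in parse_pkla(text):
            if not identity_matches(identities, user, groups):
                continue
            if not any(fnmatch.fnmatchcase(action, g) for g in globs):
                continue
            result = results.get("Result" + session, results.get("ResultAny", result))
    return result


def demo():
    """Constructed fixture: the post's file alone, then with the wildcard file added."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "10-lockdown.pkla"), "w") as fh:
            fh.write(LOCKDOWN_PKLA)
        out = {
            "someone": effective_result(d, "someone", ["wheel"], INSTALL_ACTION),
            "carol_post_only": effective_result(d, "carol", [], INSTALL_ACTION),
        }
        with open(os.path.join(d, "20-everyone.pkla"), "w") as fh:
            fh.write(EVERYONE_PKLA)
        out["carol_with_wildcard"] = effective_result(d, "carol", [], INSTALL_ACTION)
        return out


if __name__ == "__main__":
    for who, verdict in demo().items():
        print(f"{who}: {verdict or 'not covered (distribution default applies)'}")
```

Point the function at the real /var/lib/polkit-1/localauthority/20-org.d directory and iterate over the user names from /etc/passwd to get a per-user answer for the whole machine; a None for any desktop user means the lockdown has a hole.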



Tuesday, August 18

Rambling on Productivity and Email (Part Two)

Managing To-Dos
As promised, here is the follow-up to my previous blog post here.

I stated that I try to manage things through ToDo lists. When I read an email that I need to take action on, I make a ToDo out of it. Simple to complex, I make a ToDo out of it. Not just emails, either: if I am in a meeting and I hear an "action item" for me, I knock that out. If I get a shopping list from my wife, I put that in my ToDo list as well.

There are several tools that I have evaluated and used over the years; let me go over a few of these and see if any of them help you. The one that works for me may not be the one that works for you. You have to figure it out for yourself. Make the ToDo list work for you, not you working for your ToDo list. If you find yourself spending most of your time in your ToDo list "managing it" (prioritizing, categorizing, contexting...), you are doing it wrong. Managing your ToDos should not be a ToDo in itself.



Google Tasks is a built in Task manager into the Gmail interface. It is accessible on the left hand side of your Gmail interface near the labels. (Look for the obvious word "Tasks"). I like this method, it's keyboard accessible, works great, and is accessible from the web.

However, there are two reasons I don't use Google Tasks. First is templates. If I want to make a standard "group" of tasks, say 10 things that I must do with each client, I want to be able to template these 10 things, copy the template and use it over and over for each client. The second reason is that, for some reason, right now Google for Domains doesn't support an iPhone version of Tasks. This sucks. It works in regular Gmail, but not in Google for Domains, yet. If you have the luxury of using Gmail for your primary email, I'd suggest checking out Google Tasks. Learn the keyboard shortcuts for it, and you'll whiz through it. Best feature? Being able to create a ToDo related to an email (so you can go to the ToDo and get back to the exact email). Shift-t.



All three of these are web-based services that you can use for ToDos. I tried several of these; however, most of them require an extra step, or an extra website to log in to and maintain. To me, that's not reducing the amount of work I have to do, that's increasing it. I shouldn't have to increase the number of things I have to do in order to manage a ToDo list. Each of these has its own merits. I think Remember the Milk is the most extensible (meaning it has an iPhone app as well). GTDAgenda was fairly nice. In the interest of full disclosure, I was asked to evaluate GTDAgenda and received a free account. I used it very little because of the above reasons. Backpack is overkill. It's like a Wiki, on crack.



Or OmniOutliner.

This is what I use. It's an OS X-only application, but it allows several things that I find vital. The only thing I don't like about it is that it's a separate app on my system (as opposed to Gmail Tasks, which is built in). If I have an email (or damn near anything on my computer), I can highlight it with my mouse and mash a keyboard shortcut (which is customizable), and Omnifocus takes what I have highlighted and makes it a Todo. This is the best.

I am able to assign contexts and projects to everything, assign due dates, make reoccurring tasks... etc.

It also allows me to use templates, as I discussed in Number 1. I can set up a series of tasks, then copy the series of tasks by right clicking and saying "Duplicate".

It allows me to sync between my computer and my iPhone. The way this takes place is, Omnifocus takes its DB and puts it up on MobileMe's iDisk. The iPhone, with its accompanying app, then syncs with the DB up on the iDisk. Not a big deal, but it can be a pain to have to keep two in sync. I'd rather just use Google Tasks.

Pain in the butt part? It's expensive. Stupid expensive. It's 79 dollars for the OSX app, and it's another 19.99 for the iPhone app. I think this is bull.



This is another program similar to Omnifocus. Simpler to use (a less complex interface), but also, it's 49.95 for the app, plus another 9.99 for the iPhone version. It syncs, but not with MobileMe. The computer that has the desktop app must be on the same Wifi network in order to sync. That's fairly annoying.



This is a shell script, basically, that allows you to manage ToDos in a simple fashion from the command line. You can barely do contexts and project tagging, and you can't do subordinate projects or anything like that. It's a pretty cool little tool if you are one of those people who likes to manage everything you possibly can from a command line. I have several friends like that, and I like to be like that too, but this program just doesn't have enough of the features I need.


6) Tasks in your email client

Outlook, Thunderbird (with addons), and Mail each have their own ToDo system.

A) Outlook works like this. You can drag an email over to the right pane (in Office 2007), or you can drag an email down to the "tasks" icon in the left pane at the bottom of the screen. The problem with either of these solutions is, if you move the mail out of the inbox and into a PST, poof. The ToDo is gone. Seems counterintuitive to me. Anyway...

B) Thunderbird has various plugins for Managing Todos. I didn't put many man hours into investigating the use of the ToDo system within Thunderbird, because I didn't use Thunderbird for more than about five minutes.

C) Mail.app -- This is the only mail program on OS X that has a ToDo system worth a crap. But even it has its own problems.

You can create a Todo based off an email: highlight the text you want and tap the "Todo" button, and Mail will create a Todo based on the email. This Todo is stored in a central DB that is shared between Mail.app and iCal. The problem is, as of right now, there is no way to get those ToDos onto your iPhone. Come on, Apple. Plus, Mail.app is dog slow when dealing with 200,000 emails. (And Gmail's IMAP implementation sucks.)

So, currently I am using Omnifocus until the second best (Google Tasks) comes along. At which point I will probably abandon Omnifocus; even if Google Tasks doesn't allow me to template, I will gladly ditch Omnifocus for a less "sync-y", built-in, cloud-managed task manager. I paid the full retail price for both of the Omnifocus apps, basically totaling about 100 dollars for two apps... to manage Todos. (Seriously, Omni Group. The pricing?) It's a good pair of programs, but it's a bit overweight and expensive for what its use is.

After my Todos get into my Omnifocus program, I arrange them in two methods.

1) Project

2) Context

If the Todo is work related, I put it under "Work". If the Todo is home related (ex. Get new lightbulb for Microwave), I put it under home. Context is the "Where" portion of the todo.

So if I need to email Dave about that thing we were working on, the Project will be "Work" but the Context will be "Email".

That way, if I have a few minutes, I can take a look at my Todo list under the context "Email" or "Phone" or something, and knock a few of them out. This allows me to fit in ToDos that I have time for. Which will bring me to my next post on productivity, using my Calendar. But that's for another day.


Monday, February 23

Moving my network around

Today I moved my network around, so just a quick article about why, or what was the point.


It’s funny, the little noises that irritate you. For me, there are a few: high-pitched whines, buzzing sounds that are constant, when my wife clicks her nails together, and computer fans.


In my office, I have a PowerMac (Dual Core, with Dual Fans), a Linux box that I do a lot of Snort Testing on, and a 1U server that is older than my daughter.


The 1U was moved to the basement a long time ago, simply because the fans on the thing were so incredibly loud, you couldn’t sit in the same room as the machine. It was crazy. I can’t imagine a server room full of these things. The fan ran constantly too. Not when the processors got hot, but all the time. So very irritating! I moved this server to the basement by drilling a hole in the floor in my office and running a Cat 6 cable down there. Simple enough.


That was about a year ago.


As I’ve stated before on the blog, on Twitter, and God knows where else -- I’ve moved totally to using laptops as my primary machines now. I keep everything “in the cloud” except for things like pictures (in iPhoto), music (in iTunes), and random misc software.


I use my iDisk for my document and file storage, and am starting to use Google Docs for collaboration on documents. I use Evernote for jotting down notes and keeping everything in one place. I use Google Mail for my email (eliminating the need for a local client), and I use Google Calendar for my calendaring (as opposed to iCal).


So my needs for everyday computing are rather lightweight. Last week my company replaced my aging PowerBook G4 with a brand new MacBook Pro. I started to do the “laptop dance”, you know the one, where you transfer years and years of data that you have kept for God knows why over to your new computer. After about an hour of doing this, I decided that this was inefficient and stupid and stopped. Moved everything to things like iDisk and Evernote, and eliminated the need to have everything locally. (Technically I do have everything locally, it’s just synced for me.)


I brought my new MBP into the office here at the house and stared at my PowerMac for awhile.


My PowerMac has served me well for years. It’s a Dual 2.0 PowerMac G5, liquid cooled, with 4 Gigs of RAM in it. This thing is still pretty fast, and I bought it in the 2004/5-ish timeframe. But what did I use it for?


It’s sitting here connected to my 20in Apple Cinema Display -- which by the way, Apple stopped making recently -- keyboard and mouse connected to it. But how often do I use this thing? How about, almost never! I’d rather use my laptops, because then I can wander all over the house, go to Starbucks, Panera, whatever.


So I thought for a while. I already have a Cat 6 cable running to the basement, what if I relocated all my computers, switches, and everything to the basement, and only keep my wireless access points (with their associated Ethernet cables plugged in) upstairs?


So I moved everything. Powermac, Linux servers, switches, hubs (for testing), downstairs. I even moved my FiOS connection end point downstairs, (which required re-running the cable, etc.).


All I have in my office now is my MBP, with the 20in Monitor attached to it, and I have my personal older model MBP sitting next to it. (It’s my “grab my computer and go to the bathroom for reading material” computer.)


You can hear a pin drop in my office now, and it is much less distracting.


I recommend, if you can relegate your computing devices out of your office, into another room, closet, floor, attic, or whatever, do it. It’s awesome.

Tuesday, June 17

Firefox 3 today

Today is Firefox 3 Tuesday.  So this is just a reminder to go download it today!


Saturday, June 7

Big posts of the week


Why no 10?  Because number 1 was just the direct "/" link.


Thursday, May 15

Debian ftw?

So, all you Debian users, your ssh is ftl.

All the other security blogs are covering it at this point (so I won't, much); however, it is of high concern, so hopefully you are regenerating, or have regenerated, all your ssh/ssl keys by now.

We will probably move the ISC to Yellow at some point today to raise awareness.


Tuesday, February 26

Random IDS musings

I've seen a lot of traffic lately on the snort-users list about how to clean out a database periodically, and it got me thinking.

The gist of the story is that people want to clean out the events from their DB on a periodic basis: 1 month, 2 months, whatever. I look at it like this, then: why are there events in your database that are that old?

If you have events in your IDS DB, you should look at them. That's the reason you have an IDS/IPS: to review the events (and in the case of IPS, prevent the attacks) and make sure the evil hax0rs are not getting you. If you have events in your current DB that are a month old, that tells me one of two things:
A) You don't care about your alerts.
B) You have too many alerts, and you don't have a system.

So let me help you get a system.

Make an archive DB (for the people using BASE, this is pretty simple). Now you have two DBs: one current, and one archive.

1) Events come in from Snort via barnyard into your current DB.
2) You review these events. Any events that you skip over, take note of them. Do you need this alert? Is it applicable to your network? Do you KNOW if it's applicable to your network?
3) Any events that you take a look at: did it actually affect your network, or was it someone banging on the door (a script kiddie)? If it was a script kiddie, what are you going to do about it? Block them at your firewall? Send their ISP a cease and desist letter? If you are going to do nothing, then DELETE THE ALERT. Why keep it? You aren't going to do anything about it, so who cares?
4) Now, say when you are reviewing alerts you come across something you need to investigate. Good. Take note of it and come back later. Leave it in your current DB and get through the rest of your alerts.
5) Through your alerts? Good. Come back to the ones you still have in your current DB. Do you need to take further action on these guys? Yes? Investigation time? Okay, then you need to save the alert, so move it to your archive DB. When you are done with your investigation in your archive DB, then delete the alert.

Basically my point here is, don't keep alerts for no reason. Now, let's go back to #2.
For instance, if you are running web-php rules but aren't running any web servers with PHP on them, do you need the rules? Don't subscribe to the philosophy of "if the IDS isn't alerting, then how do I know it's working?" If you want to make sure your IDS is working, then write some kind of script to email you the statistics from the Snort process, or something, to make sure it's analyzing traffic. If you ALWAYS skip over a particular event, then WHY are you making your IDS run the rule? Shut it off!
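The five steps above and the "always skipped means turn the rule off" point are easy to show end to end. As an added example (not code from the post, from BASE, or from Snort), here is a Python model of the two-database workflow using two in-memory SQLite databases: events land in the current DB, the review pass records a disposition per event, investigations move to the archive, everything else is deleted, and the signatures you kept skipping come back as rule-tuning candidates. The table layout is a simplified stand-in for the real Snort/BASE schema, and the alerts, signature names and addresses are constructed.

```python
"""Added example, not code from the post, BASE, or Snort: the two-database
alert workflow described above, modelled with two in-memory SQLite databases
and a constructed batch of alerts.  The table is a simplified stand-in for
the real Snort/BASE schema."""
import sqlite3
from collections import Counter

SCHEMA = """
CREATE TABLE event (
    cid         INTEGER PRIMARY KEY,
    timestamp   TEXT NOT NULL,
    sig_name    TEXT NOT NULL,
    src_ip      TEXT NOT NULL,
    dst_ip      TEXT NOT NULL,
    disposition TEXT NOT NULL DEFAULT 'new'
);
"""

# Constructed sample alerts against the small network sketched in the post.
SAMPLE_EVENTS = [
    ("2008-02-20 09:00:00", "WEB-PHP remote file include", "203.0.113.5", "192.0.2.10"),
    ("2008-02-20 09:01:00", "WEB-PHP remote file include", "203.0.113.5", "192.0.2.11"),
    ("2008-02-20 09:05:00", "ICMP PING NMAP", "203.0.113.9", "192.0.2.10"),
    ("2008-02-21 14:00:00", "SSH brute force attempt", "198.51.100.7", "192.0.2.12"),
    ("2008-02-22 03:10:00", "WEB-PHP remote file include", "203.0.113.5", "192.0.2.12"),
    ("2008-01-05 11:00:00", "ICMP PING NMAP", "203.0.113.9", "192.0.2.11"),
]


def new_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def ingest(current, events):
    """Step 1: events arrive from the sensor (barnyard, in the post) in the current DB."""
    current.executemany(
        "INSERT INTO event (timestamp, sig_name, src_ip, dst_ip) VALUES (?, ?, ?, ?)", events)
    current.commit()


def review(current, decisions):
    """Steps 2-4: the analyst's pass over every 'new' event.

    `decisions` maps a signature name to one of
      'skip'        - you keep skipping it (step 2: is this rule even relevant?)
      'noise'       - looked at it, nothing to do about it (step 3: delete it)
      'investigate' - needs follow-up (step 4: leave it, come back later)
    A signature with no decision is treated as 'investigate' so nothing is
    dropped unseen.  Returns a Counter of skipped signatures.
    """
    skipped = Counter()
    rows = current.execute("SELECT cid, sig_name FROM event WHERE disposition = 'new'").fetchall()
    for cid, sig in rows:
        verdict = decisions.get(sig, "investigate")
        if verdict == "skip":
            skipped[sig] += 1
        current.execute("UPDATE event SET disposition = ? WHERE cid = ?", (verdict, cid))
    current.commit()
    return skipped


def finish_review(current, archive):
    """Step 5: investigations move to the archive DB; everything else is deleted.
    Returns (archived, deleted) counts."""
    rows = current.execute("SELECT timestamp, sig_name, src_ip, dst_ip FROM event "
                           "WHERE disposition = 'investigate'").fetchall()
    archive.executemany("INSERT INTO event (timestamp, sig_name, src_ip, dst_ip, disposition) "
                        "VALUES (?, ?, ?, ?, 'investigate')", rows)
    archive.commit()
    deleted = current.execute("DELETE FROM event WHERE disposition IN ('skip', 'noise')").rowcount
    current.execute("DELETE FROM event WHERE disposition = 'investigate'")
    current.commit()
    return len(rows), deleted


def tuning_candidates(skipped, min_hits=2):
    """Signatures you always skip are rules to consider switching off (the #2 point)."""
    return sorted(sig for sig, n in skipped.items() if n >= min_hits)


def stale_events(db, now, max_age_days=30):
    """The smell the post opens with: anything still in the current DB older
    than max_age_days has simply never been reviewed."""
    return db.execute("SELECT cid, timestamp, sig_name FROM event "
                      "WHERE julianday(?) - julianday(timestamp) > ?", (now, max_age_days)).fetchall()


def demo():
    """Run the whole cycle on the constructed alerts; returns the counts for checking."""
    current, archive = new_db(), new_db()
    ingest(current, SAMPLE_EVENTS)
    stale = stale_events(current, "2008-02-26 00:00:00")   # the January event
    skipped = review(current, {
        "WEB-PHP remote file include": "skip",   # no PHP web servers here (step 2)
        "ICMP PING NMAP": "noise",               # door-knocking, nothing to do (step 3)
        "SSH brute force attempt": "investigate",
    })
    archived, deleted = finish_review(current, archive)
    return {
        "stale_before_review": len(stale),
        "archived": archived,
        "deleted": deleted,
        "left_in_current": current.execute("SELECT COUNT(*) FROM event").fetchone()[0],
        "tuning_candidates": tuning_candidates(skipped),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `stale_events` query is the one worth scheduling: if it ever returns rows, the review loop has stalled, which is the real problem behind the "how do I purge old events" question.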

Let's take a look at a network. A small one: one BSD box, 2 OS X boxes, 2 Windows boxes, and 1 Linux box. Now, in your network these may be thousands of machines on tons of subnets. The network size doesn't matter; you can take the same philosophy.

Your frag3 and stream5 preprocessors need to be tuned to those OSes. Done? OK.

Now, take your network and look at it. What services are you running, what versions of those services? What OSes? What vulnerabilities are present on your network? Now, figure those things out and turn off the rules in Snort you don't need.

Now, this is where you say to me that this is a pain in the butt, and Snort has tens of thousands of rules, with more coming out each month, blah blah, etc. etc.

Well, that's where Sourcefire comes in. We have things like RNA, we have things like Adaptive IPS/IDS that will do all that FOR YOU, leaving you with the relevant alerts, things you HAVE to look at! But rather than this turning into a sales pitch, I am simply trying to get you to think about how to work with your data. Do you need to keep all that data? or can you fine tune it?

Tuesday, February 19

Snort Drinking Game by Erek Adams

Today I went looking for the "Snort Drinking Game", a joke made by Erek Adams, who, unfortunately for all those involved with Snort and for his family and friends, passed away last October. So, in honor of Erek, I repost HIS drinking game here. I did NOT make it; this is EREK's. However, the game is getting a bit hard to find (I was only able to find it via the WayBack Machine), now that Erek's servers are gone.

So, in honor of him:

Welcome to the Snort-Users Drinking Game!
version 1.00
By Erek Adams
The most current version of this can be found at
http://www.theadamsfamily.net/~erek/snort/drinking_game.txt . Please send
suggestions/updates to erek@theadamsfamily.net.

-----
WARNING: Excessive use of alcohol can be dangerous to your health. Please
play this game sensibly. If you start to feel ill or sick, stop playing!
Alcohol poisoning is not fun, and you can kill yourself!

Please be sensible! This is for _fun_ only!!

And if you don't like alcohol, please use your beverage of choice!
-----

Instructions: Don't read your snort-users email for a month. Or failing
that, you could use the archives. Start with the first email message for the
month. Read it. If an item from the following lists is in the email, take
the penalty drink. If not, go onto the next message. Repeat until you can't
read anymore, or have an empty bottle. ;-)

Please note: These are cumulative! Be careful, as you could have SIX+ drinks
from one email!

Let's Begin!!

Take one drink if.....

The question is answered in the documentation.
The question is answered in the FAQ.
The writer doesn't know how to use Google.
The reply is "RTFM"
The reply is "It's in the FAQ"
Writer is using Red Hat's broken pcap.
"Why aren't portscans showing up in ACID?"
"Why is snort not reporting dropped packets the right way on Linux?"
Marty complains about Red Hat's brokeness.
Writer is using "Linux 8" or "Linux 9".
Writer has a .sig over 4 lines.
Writer posts a packet capture with the IP's XXX'ed out, but still leaves
them in the hex decode below.
The drinking game starts its own thread.

Take two drinks if.....

Writer obviously has _never_ read any docs.
Writer obviously doesn't know how to compile.
"How can I auto update the rules?"
Writer asks "Where is signature XX?" and that's already in the rules.
Writer says "It's broken." and includes _nothing useful_ about the
setup.
Someone replies to a digest mode email, and includes the whole digest.
A virus scanner kicks email back to the list.
Writer's .sig contains a "The contents of this email.." style disclaimer.
Post contains a "Stupid Management Tricks" story.
Message says "Please unsubscribe me from this list."
Message is _entirely_ blank.
Confirmation/signup email gets sent to the entire list.
Someone posts a non RFC-1918 IP and remarks that "it's not being used
by anyone."
Someone replies to a message and has more 'header cruft' in their message
than content--Thank you Lotus Notes....
You post a message to the list and get a "I am out of the office
message...."
If you realize that _YOU_ were the reason another penalty drink was
added to the Drinking Game.
You hit "Reply to All" instead of "Reply" and you start your response
with the words "Hey Sexy!"
Writer says "I've searched Google and can't find the answer." and the
answer is in the first 10 results.

Take three drinks if.....

The message has "Whitehats.com is down" or "Where's another
Whitehats?"
Someone wants the file vision18.conf.gz.
"Can snort email me alerts?"
"Can snort page me with alerts?"
Writer is using an old version (non-current release) of snort.
Writer becomes offended at "Kickass P0rn."
Writer becomes offended at comments in source code.
Writer isn't even sure what snort does.
Writer starts an OS Holy War.
Someone posts in HTML-ized email.
Poster's .sig or disclaimer is longer than the reply.
Writer has no clue that http://www.snort.org/ exists.
Someone has to correct your drink totals for a penalty.
Someone posts their IP asking for a portscan.
Writer obviously thinks that Red Hat == Linux.
Writer places the question and or email in the subject and leaves the
body of the email blank.
You move your mailserver from coast to coast w/o a temp box setup and
your bounces get you unsubscribed from the snort-users list. *sigh*
You post more than one message to the list and get back a "I am out of
the office..." message for _each_ post you made.
You have a broken vacation message that responds to each post made
to a mailing list.
You realize that you just posted a "Hey Sexy!" response to a worldwide
mailing list.... From your _work_ email address.

And the Big Penalty Drink:

If you realize you are drinking to your own post, DOUBLE the penalty.
IOW, if you posted an HTML-ized email, take six (yes, 6) drinks.

So, in honor of him I've found it and placed it here, plus we've updated it:

http://blog.joelesler.net/the-snort-drinking-game