Showing posts from December, 2006

The Snort Top 10

I work with SNORT®..... constantly. It's my job to do so. I've been using Snort for many years, I teach classes on how to configure it, I teach classes on how to write Snort rules. I've been using Snort and setting up Sourcefire and Snort devices on hundreds of different networks for years on end now.

I am frequently asked questions; many of them are the same things over and over again, and I always see the same mistakes being made when setting it up. So, I've compiled a list of the top ten mistakes and commonly misconfigured or overlooked things when configuring everyone's favorite IDS.

None of these override the necessity to read the Snort manual, however. The manual supersedes all Snort books, because as great as these books are, they can't keep up with the pace at which Snort is updated. So here goes...

1. The Snort.conf file.
Almost all your options are set in this file. This file should be read line by line, from top to bottom, taking t…

Are CAC (Common Access Cards) worth it?

A buddy of mine, Richard Bejtlich, a known security blogger and consultant, had this article on his blog. I made a big long comment about it, displayed below and linked above.

--- begin ---

Yes. The CAC is used for signing on, email signing and encryption, web authentication, basically anything that can be done, or is done with a certificate.

It's only being used on NIPR (Unclassified) systems. It has a magnetic strip on the back that is blank and can be coded for swipe doors at whatever location you are currently working at (problem is, most DOD facilities have proximity cards).

Could this be implemented in a commercial setting? Yes. But at what cost? At what expense? What do you gain out of it? When I worked for DOD, all I got out of the deal was a headache... implementation, it became our ID, which only SOME people accepted (like, the gate guards on post wanted our driver's license sometimes -- grrrr), going to get a new one every three years, using it for sign-on, usin…

A Question for my readers

Please describe to me: at what point does security become an operational burden?

When too many passwords, authentication mechanisms, log-on tokens, segmentation, etc. mount up, at what point do you just say "hey, you know, this sucks!"?

Please leave comments.

Christmas, and the holiday spirit, and Internet security

Recently, while we've all been out shopping, paying attention to gifts, what we are going to get and what we aren't going to get, an attack has been going on. Apparently against my web server.

I review my weblogs (I review all my logs) on a weekly basis. Because really, what's the point in having logs if you're not going to look at them? A log that isn't looked at is a pointless log. You might as well shut off syslog if you aren't going to look at the logs. But I digress.

I review my weblogs. I have mod_security installed on my Apache web server here, so through my custom mod_security rules I am provided with an audit_log in my logging directory.

I usually get about 200 to 300 entries a week in that file. All denied.

Last week that number jumped to almost 9000. As of this morning (my logs roll over on Sunday), I had over 3000.

As I am on my blackberry I don't have a copy of the logs, so I'll post a sample entry later.

But the string I see a …

who makes up these rules?

On some flights, you can't have your phones with the wireless turned on.
Then some you can't have them on at all.
On ASA you can't fly with the window shades down, but on Delta you can.
Today we were told that laptop computers had to be completely off, and NOT in the standby mode.

Why can't we just have one set of rules? Everyone the same. The flight attendants all having the same info, so we don't have flight attendants just making stuff up arbitrarily?

FAA -- is this so hard?

0wned