Showing posts from 2010

Whew, what a whirlwind

Talk about a busy end of the year: on top of doing my actual consulting gigs for customers, I am also doing the other full-time job I have as the Snort Community Manager. If you read my blog, you've known this.

So, what have I worked on so far?

* Snort Twitter account. Not really a lot of work here, other than getting Twitter to remove it from the parker's clutches and give it to us.
* Snort Blog. Getting this set up, with the DNS entries, blog posts, editing, writing, design, and even the banner image (thanks CC for that!) was about 3 weeks' worth of work. Check it out
* Snort Mailing list/Forum Consolidation. I thought it best to let the Community decide, so I made a non-scientific poll to choose between the forums, the mailing lists, or the penultimate solution, to merge the two. Thought of Google Groups for this. Google Groups allows you to post like a forum, and post like a mailing list, and Google Groups takes care of the arrangement, merging, and t…

Snort has a Twitter account

Another post for my Snort/IDS audience that reads my blog.

We managed to get hold of the "Snort" account on Twitter. Someone was simply squatting on the name, not using it, and Twitter has a way of petitioning to get hold of a name for a bunch of different reasons. So we got with Twitter and they freed up the @Snort Twitter name for us.

Using the @Snort Twitter account we'll post new news, upcoming items, blog posts, news about Snort and other interesting tidbits that may or may not be found anywhere else on

Check it out, follow us: Thanks!

Sorry for the lack of posts, I've been particularly busy.

Been pretty busy lately with my two full-time day jobs at Sourcefire. The good news is, if you are a Snort user, that I am working on a lot of things that will not only make our community better, but improve how Sourcefire interacts with that community and allow us to move forward in a more progressive manner.

Aside from Sourcefire/Snort stuff, the shop that is restoring my Mustang is almost done (I should get it back this week, and when I do, I'll post pics). I'm working on the shop's website too (as the old one needed some TLC). I got with the owner and we decided to redo the whole thing, so I am doing that in my spare time as well.

Thank you Squarespace!

Also working on another website that I am tightening up a bit (aside from tightening this one up a bit as well) for another company (a car alarm company) that I do a bit of consulting/marketing for. So, it feels like I am buried in HTML lately.

On top of all of that, my son is doing well, my daughter is awesome and my wife's Grand…

New Role at Sourcefire

This is just an announcement to let the users of our OpenSource products know that we have a new community manager here at Sourcefire.

Over the past year or so, Mike Guiterman, our former Community Manager, has taken on a different role within Sourcefire. In the meantime, I've been filling some of the void.

For those of you that weren't able to make the Snort Rally/Pig Roast this past Friday at Sourcefire HQ, I have been officially assigned the role of Sourcefire's OpenSource Community Manager.

I know many of you, but for those who I don't, I came from the OpenSource community, working for the government using Snort in actual deployments. I submit rules to the VRT, and was one of the original submitters to BleedingSnort (now Emerging Threats). I've worked with both the OpenSource community and with our Corporate customers since I came to Sourcefire, giving me first-hand knowledge of how the community plays a vital role in the direction, development, and QA of our product…

Security B-sides Delaware tickets are almost gone!

If you are in the area (or even if you aren't, I know of people traveling a pretty good distance to get here) and you haven't got your ticket for Bsides DE yet, you may want to get on it.

The first round of tickets is all gone, and there are only 40 left of the extension tickets.


I'm speaking at 1:00, right after lunch. See the speaker's schedule here. But anyway, if you haven't got your tickets yet, you might want to hurry up and grab them from here. Cost? Free.

Archiving Emails in, there's an app for that.

If you are using on OSX, this post is for you.

It's been well known to people that read my blog that I am an Inbox-Zero ninja, and generally pride myself on my ability to get through vast amounts of email quickly because of the system that I have refined over the past several years of experimenting.
Techniques in Archiving
One of the things about Inbox Zero is the ability to quickly move an email out of your "Inbox" and into another folder. If you sort the emails that come into your Inbox by topic or subject or whatever, different folders may do good things for you. For instance, I have a folder where all Snort-related email goes. The three Snort mailing lists go straight to my inbox, where I read most of them and then file them away using a keyboard shortcut. Other Snort-related mailing lists just go straight to this box, leaving me with only the important ones in my inbox.

Most listserver traffic of the 40 or so listservers that I belong to go straight to a "…

Snort Community Pig Roast

(If you read this on Twitter, please RT!)

Sourcefire is going to throw a community pig roast at our World Wide Headquarters on November 12, 2010. We'll have some talks by Marty Roesch (our fearless leader) and Matt Watchinski (our VRT fearless leader).

Date: Friday, November 12, 2010
Time: 12:00PM

Where: Sourcefire HQ
9770 Patuxent Woods Dr.
Columbia, MD 21046

The event is open to our community, and we'd like you to come on over and hang out!

Please RSVP at:

Notes syncing between and iPhone, finally

I've written several times over the years about the need for Notes to sync automatically between the iPhone and the Mac desktop application. Well, unbeknownst to me (because I stopped using Notes in because of the lack of this feature), in iOS 4.0 Apple has built this in.

I didn't test it right away when the release came out, and only just now realized that I haven't written about it either since they built this in. But it works.

If you have an IMAP account, you can go into your account settings on your iPhone and turn on "Notes" in that account's preferences. Mail will create a folder called "Notes" on the IMAP server, and your "Notes" on will be synced over the air with your iPhone.

I have my set up like this:

That way all my notes and to-dos stay intact in one account, and are not spread across different accounts. But there is more than one advantage to MobileMe for this particular feature. If you set it to Mo…


Facetime, Apple's new iPhone 4 to iPhone 4 video chat application, got a bit of an update on Tuesday of this week.

Jobs said it himself: the biggest thing that people wanted when Facetime was shown on the iPhone for the first time was the integration of the system into the Mac desktop. I talked about this back in this original post when the iPhone 4 came out. Finally, at Tuesday's speech, Jobs and Apple rolled out the Facetime client for the desktop.

It works.

You can call Mac to Mac using Facetime, you can also call Mac to iPhone or iPhone to Mac, and likewise with the iPod Touch. The resolution is good (it's scaled down a bit if you are used to iChat's resolution), audio is excellent, and it works flawlessly. In fact, when it came out, I was on a hotel network. I tried to initiate an iChat connection to my Dad, and we couldn't do it for lack of bandwidth; however, Facetime connected right away without a problem.

The only thing that I thought was a bit strange, and I know I'm not the onl…

The Mac App Store, why it's awesome.

On Tuesday this week, Steve Jobs got up in front of journalists and announced several things. I'd like to cover them all at once, but I realized the post was going to be way too long, so I thought I'd cover them in separate topics.
The Mac App Store
First let me talk about what I thought was the biggest announcement of the entire press conference: the Mac App Store.

Similar to the iOS App Store that you can find in iTunes, Apple will be rolling out a separate application onto the OSX platform where developers can upload their apps to Apple in order for them to be purchasable through the "one-click" easy access of this app.

Apple is taking the same 'cut' that it takes for the iTunes App Store, 70/30. 70% of the developer's revenue for selling an app goes to the developer, the other 30% goes to Apple to pay for the store, the hosting, the bandwidth, etc. Some developers will think that this is Apple gouging into their profits, and while true, they have to thi…

Ray Ozzie leaving post as Microsoft's chief software architect

Ray Ozzie is the gentleman that took Bill Gates's place after he retired from his day-to-day duties at Microsoft, and unfortunately, this kinda makes me feel more confident in the opinion I had when that event took place.

Microsoft is losing their spirit.

Let's face it, it's quite obvious now that Bill Gates was the driver behind the Microsoft brand and direction. This is the third notable post that is being vacated since Bill Gates left (the first being the designer behind the Zune interface, Robbie Bach, the second being CFO Chris Liddell), and yet, somehow, Ballmer stays in charge.

Don't get me wrong, Ballmer knows how to make money, which is why he's a good CEO, but in my opinion it doesn't feel like he is ushering in a strong "direction" for the company. But maybe I'm being a little critical, trying not to compare him to Steve Jobs; hate him or love him, Steve Jobs is a great CEO.

It just feels to me that Microsoft is playing the catchup game. …

MobileMe Calendar Comes out of Beta

Following up on this post that I wrote back in July, the MobileMe calendaring system has come out of Beta. This means that if you are using the MobileMe service and you are on Snow Leopard (or Leopard), your iCal calendar should automatically switch over to WebDAV, as will your iPhone's calendar if you are running 4.0.

The nicest part about the system is the ability to invite other people to events from your iPhone and iCal, as well as see their Free/Busy schedules.

Update: Apple's article on the subject.

I'm speaking at Security B-Sides Delaware

We have a lot going on in Delaware.  Tax-free shopping, we elect crazy people, and we have the Security B-sides Delaware event happening in November.

I was asked if I would submit a talk to the conference, and lo and behold, it was accepted. (Along with a bunch of other great presenters; check out the first round of CFP accepts here.) Hopefully lots of people will come. I actually have a confession to make: I've never actually been to a Security B-Sides, although, from watching Twitter, they are very popular.

Abstract of my talk:
Shining light into the "now what" arena of IDS and IPS tuning, I'll talk about what the next steps should be with the alerts, tuning, and maintenance of the ruleset and configuration deployed into an IDS or an IPS. General guidelines will be provided; however, all guidelines must be adapted to your specific environment.
I look forward to seeing many of you there, thanks for supporting B-Sides. Okay, back to making slides.

Security B-Si…

Snort 2.9.0 has been released

Now available from, Snort 2.9.0 and DAQ 0.2. I'll be writing some articles at some point to expand upon some of the functionality of Snort 2.9, but for now, know that there are some very nice new keywords in 2.9 and also an improved Stream model, as well as lots of improvements all over the place in the engine.

...and now some cut-and-paste from the release notes! Download it now!

[*] New Additions
* Feature rich IPS mode including improvements to Stream for inline deployments. Additionally a common active response API is used for all packet responses, including those from Stream, Respond, or React. A new response module, respond3, supports the syntax of both resp & resp2, including strafing for passive deployments. When Snort is deployed inline, a new preprocessor has been added to handle packet normalization to allow Snort to interpret a packet the same way as the receiving host.

* Use of a Data Acquisition API (DAQ) that supports m…

OpenFPC, in other words, Leon is a Ninja

I put this up basically to draw attention to this project. Leon (a fellow Sourcefire employee and Ninja over in the UK) can explain the project much better than I can, so I'll let him:

OpenFPC is a set of tools that combine to provide a lightweight full-packet network traffic recorder & buffering system. Its design goal is to allow non-expert users to deploy a distributed network traffic recorder on COTS hardware while integrating into existing alert and log management tools.
OpenFPC is described as lightweight because it follows a different design model to other FPC/Network traffic forensic tools that I have seen. It doesn't provide a user with the ability to trigger automatic events (IDS-like functions), or set watch events for anomalous traffic changes (NBA-like functions), as it is assumed external open source or commercial tools already provide this detection capability. OpenFPC fits in as a companion to provide extra (full packet/traffic stream) data as a bolt-on …

Let me tell you about my past two weeks

The past couple of weeks I've had the opportunity to do some really amazing work, something that most people, if they could do it, would understand a lot more of what goes on behind the veiled curtain.

The last two weeks I worked for Sourcefire's Vulnerability Research Team (VRT).

First I'd like to say that I've never worked with a more professional organization. Period. I came in to do some technical work with them, which consisted of analyzing hundreds of pcaps, tons of analysis, and as a result writing rules for those threats. We did kind of a tech-exchange type of thing.

Now, we weren't shooting in the dark (even though there is no overhead lighting in the VRT offices, and you have to watch out for getting hit in the head with a Nerf dart). The VRT doesn't take a random vulnerability or exploit found on or milw0rm or whatever and just bang out a rule for it. They do labor-intensive work.

For instance, I had to write a rule for a vulnerability in …

Verizon Rumored To Replace Google With Bing On All Android Devices

Yesterday, September 9th, Verizon gave a preview of their newest "Android" phone coming out for their network, Samsung's Galaxy S.

It has a 4-inch AMOLED screen, a 1 GHz Hummingbird processor, and the ability to become a hotspot. However, Verizon has ruined the phone, and may ruin every phone on their network from now on. Why?

The thing that makes Android great is its integration. Google built the OS, it's integrated into Google's infrastructure, and that's the way it works best. Just like the iPhone, which works best with Apple's infrastructure (MobileMe, iTunes, etc.).

Verizon has decided to cripple this phone: instead of tying it to Google, they have tied it to Bing. Bing Search, Bing Maps, and instead of Google's awesome navigation app, they have replaced it with Verizon's own Navigation app, which, btw, they cleverly charge you 10 bucks a month to use.

Bloatware: Blockbuster apps, Tetris apps that charge you money, etc.

To make it w…

The Heart of the Mustang is almost ready

351W Ford for my 1968 Mustang

Why I haven't written

I haven't been writing recently. Been kinda busy.

For those of you that haven't heard, my wife gave birth to our baby boy last Wednesday.

His name is Paul Esler.

Start with a cage containing five monkeys.

Start with a cage containing five monkeys.
Inside the cage, hang a banana on a string and place a set of stairs under it. Before long, a monkey will go to the stairs and start to climb towards the banana. As soon as he touches the stairs, spray all of the other monkeys with cold water. After a while, another monkey makes an attempt with the same result - all the other monkeys are sprayed with cold water. Pretty soon, when another monkey tries to climb the stairs, the other monkeys will try to prevent it.
Now, put away the cold water.
Remove one monkey from the cage and replace it with a new one. The new monkey sees the banana and wants to climb the stairs. To his surprise and horror, all of the other monkeys attack him. After another attempt and attack, he knows that if he tries to climb the stairs, he will be assaulted.
Next, remove another of the original five monkeys and replace it with a new one. The newcomer goes to the stairs and is attacked. The previous newcomer takes part i…

Security for the SMB makes sense, by Jason Brvenik

Security for the SMB makes sense.

I was off reading some older articles written on a couple of blogs that I follow, looking for something in particular. Well, I never did find what I was looking for (in regards to the article itself), but I did reread this post by Jason Brvenik over at

This is a great article in response to another article about why small businesses shouldn't invest in IPS (which is a crazy view). Jason really does a nice job of laying out the reasons why it's important. Definitely worth the read, or reread if you've seen it before.

Google Wave, it's dead. So sad.

In case you haven't heard.
So, on Google's "Official" Blog (which one, guys? You have so many!) they announced yesterday that they are pulling the plug on Google Wave.
So sad.
I think Wave had some really good potential, but I'll say it here, as I have said it since the beginning: Wave would never have caught on unless it replaced something else. Wave was pretty neat; it was like a Wiki, Google Docs, Gmail, Gtalk, and god-knows-what-else all rolled into one. It worked, it worked pretty well. But it didn't replace anything for anyone. It was an "and also" technology.
Let's Hope
Google rolls some of the technology they developed for Wave into the rest of their products.  For instance, simultaneous typing. That could be useful in Gmail and Gtalk.

I think the collaboration-on-documents idea was great. That would be most useful in a corporate setting. I would have loved to use it at Sourcefire.
Some of their design ideas were great. Look at the n…

Now that I have these IDS events, now what?

In my full-time job I work for Sourcefire, as a Sourcefire and Snort Professional Services Consultant. I deal with a different customer every week (sometimes every day), and with each customer comes a separate set of IDS events. Customers will often tell me "this network is unlike any you've ever seen before", and for the most part, they are right. While all networks consist of servers, desktops, switches, routers, firewalls, antivirus, and even IDSes, and are essentially the same in that respect, each of them poses its own unique setup and vulnerability attack-landscape. Each network is unique in this way; it doesn't matter if you have 300,000 users on your network or 10. All that does is make your life as a security person more difficult; this is essentially a number. That number may increase lots of things: people hired to handle them, number of sensors needed, the amount of bandwidth needed, etc.

So, in dealing with the hundreds, perhaps…

New Digg Interface Invites

I have a couple posts brewing in my head that I need to get down on paper, but in the meantime, I have 5 invites for the new interface if anyone wants them.

First five people to send me their email address get them.

Contrary to Recent Assertions - Snort 2.9 beta has been released, and it's awesome.

Snort 2.9 has been in the works internally for a while now, and the first beta release is out and ready for community feedback.
It's a big release with lots of enhancements, so here is the current list of things that need to be beta tested in Snort 2.9, and I'll expand upon them a bit:
* Feature rich IPS mode including improvements to Stream for inline deployments. A common active response API is used for all packet responses, including those from Stream, Respond, or React. A new response module, respond3, supports the syntax of both resp & resp2, including strafing for passive deployments. When Snort is deployed inline, a new preprocessor has been added to handle packet normalization to allow Snort to interpret a packet the same way as the receiving host.
This feature really does away with a lot of the old react/resp/reset code and unifies all that broken code under respond3. It also allows for RST and ICMP injection into a stream in IPS mode (more reliable than IDS), …

Project Razorback has been unleashed on the World

For several months, the Vulnerability Research Team (VRT) here at Sourcefire has been heads down coming up with a new framework for detection called Razorback, and now it's been unveiled to the world this morning.

It's being announced at Defcon this weekend by the VRT, so if you are at Defcon this week reading my posts: first, have a beer for me, as I am not there this year due to the impending birth of my child, and second, attend this talk. If no other talks are attended during your drunken hacking binge in Vegas, go to this talk.

What is Razorback?
In marketing speak: "Razorback is an Open-Source Framework for an intelligence driven security solution." Okay, okay, what does that mean?

Razorback is a system that detects and decodes, well, just about anything you need it to. Following that, it has the ability to block and alert on that activity. So, for example:

Obfuscated Javascript? Decoded, Blocked?
Bad PDFs? D…

Safari 5.0.1 Posted this morning

Back in June I wrote a post on a problem with Safari 5 creating a black background around certain objects when moved from one application to another, for instance when you attempt to use the "Mail this PDF" function from Preview. Well, this morning Apple released version 5.0.1 of Safari. This fixes the issue I described here, along with many others. As posted on Apple's website here, the following are the fixes:

More accurate Top Hit results in the Address Field
More accurate timing for CSS animations
Better stability when using the Safari Reader keyboard shortcut
Better stability when scrolling through MobileMe Mail
Fixes display of multipage articles from in Safari Reader
Fixes an issue that prevented Google Wave and other websites using JavaScript encryption libraries from working correctly on 32-bit systems
Fixes an issue that prevented Safari from launching on Leopard systems with network home directories
Fixes an issue that could cause borders on YouT…

Apple's New Products

Apple announced a few new products this morning on their online Store: a new iMac, a new Mac Pro, and a totally new product that I saw rumored a couple of weeks ago, called the Magic Trackpad.

For years I've had a Fingerworks iGesture pad; I've been using it off and on since about the 2001 timeframe. I found it to be the neatest and easiest way ever to navigate my computer's interface without the mouse. I'm a big proponent of the keyboard, and hate taking my hand off of the keyboard to mouse, but for some reason I found the iGesture Pad fun to use (especially for doing things like cut, copy, and paste). Fingerworks was founded in 1998 at the University of Delaware (a couple of miles from where I live) and produced keyboards, pads, and keypads, all to help with RSI and to introduce gesture-based navigation into the world. They weren't exclusively Mac based; in fact, they worked pretty well on Linux as well as, of course, on Windows. Which, back then, is what I used.

Apple boug…

Apple Stores are good to me

Yesterday my wife and I took a visit to the local Apple Store. My Time Capsule had died, and since it was one of the original models, it was under a replacement program. I took the Time Capsule back, they traded my broken one for a brand new one, and I was done.

My wife, however, was a different story. You may remember from a previous post of mine that my wife dropped her iPhone 4 while getting my daughter out of the car. Whoops. Cracked the back glass to shreds.

She was fairly upset, since she had had it about a week. Anyway, she went in, explained what she did to the Apple Genius dudes, and guess what?

They gave her a brand new phone.

/That's/ why I like Apple Stores.

Thanks to the Christiana Mall Apple Store Geniuses. You rule.

Reading Spam with Common Sense

Usually when I receive an email that looks like spam, I can just mash my "Send to Junk" keyboard shortcut and it goes away. But every once in a while there is a decent-looking spam that *might* be real. At first glance it won't have any images or be selling Viagra, or anything like that in it, and might just look real.

This is where the common-sense approach to reading email kicks in. Obviously this post is not for the expert; it's probably more for the occasional user, but maybe someone in between will find it useful.

Here's a spam I received this morning that prompted me to write this diary:

From: Comcast

"This is a courtesy reminder that your Comcast Billing Information needs to be verified.

In order to continue using comcast services,  click the link below, sign in and and follow the provided steps:

<Malicious Link was right here>

Comcast Billing Department"

So, let's look at this and see how easy this is to detect:

I'm not a Comcast custom…

iPhone 4. A review after practical use, part 2

Part 1 Linked here.
Buttons and other Cosmetics
The volume buttons, the lock button, and the silent/ringer switch all got the same industrial treatment the rest of the phone did. They work much better, have better tactile feedback and are much more defined, making it much easier to find one of these buttons in the depths of your pocket (like to turn the volume down on your ringer or something).

There is the single button on the front of the phone, the Home button, which they made a bit more "clicky", I would say. But the one thing about the design of the phone is, when you reach in your pocket to grab the phone and bring it out in one swift motion while mashing the Home button, you can't do it.

Since the 3GS had that rounded back, it was easy to feel where the backside was and hit the button. With the square design, it's hard to tell which side is the front and which is the back when it's in your pocket, unless you try and find the buttons on the side.

This isn't a b…

iPhone 4. A review after actual use.

Physical Design
Okay, much has been said about the physical design of this phone: its industrial features, its glass front and back, the stainless steel band around the side that doubles as an antenna, the dual cameras, and the LED flash. The buttons, the glass, the band, everything. It makes for a great design, and feels smaller and better in your hand than the 3GS. In fact, the 3GS feels fat, plastic, and bloated. I only see two problems with the design.

One, the front and back are both glass, meaning if you drop it, it might break. Even though Apple claims that the glass is harder than sapphire, if you drop the thing at the right angle, it will break. Ask my wife, who has already shattered the back of her phone after dropping it on the driveway. (Apple wants 199 dollars to replace the back, which is the cost of a new phone! Apple, have you lost your mind?)

Problem Two: it's slippery. If you place your phone on something smooth, say, like in my car, I have a center console. If…