Writing Snort Rules Correctly

Let me start off by saying I'm not bashing the writer of this article, and I'm trying not to be super critical.  I don't want to discourage this person from writing articles about Snort rules.  It's great when people in the Snort community step up and explain some simple things out there.  There are mistakes; it comes with the territory.  If you choose to be one of the people that tries to write Snort rules, you also choose to be someone who wants to learn how to do it better.  That's why I'm writing this blog post: not to bash the writer, but to teach.

I noticed this post today over at the "Tao of Signature Writing" blog, and to be honest I glanced over most of it figuring it was a rehash of things I've already read or things that have already been written from countless people about "Here's how you write Snort rules!".  I scrolled down quickly skimming, not reading at all really, and noticed this part:
Page for my Mustang

Someone wrote me on Twitter and asked if I had a webpage about my 1968 Mustang, and I said I didn't, although it was a good idea for those that are interested.  So I made a quick page here on my website that I will keep updated with its progress.

Why buying a DVD sucks

I don't pirate movies, I buy movies from iTunes, which skips all the nonsense illustrated above and just gives you the movie.  Which, really, is all we want anyway, right?

Stop Google Buzz From Showing the World Your Contacts

Stop Google Buzz From Showing the World Your Contacts - google buzz - Lifehacker.

If you are a person who values their privacy and wants to secure your Google Buzz contacts, i.e. not show everyone in the world who is in your contact book, follow the directions above.

I've done this, just for good citizen's sake, as well as manually blocked some people that I don't trust.  Keep on top of this stuff, people!  As online communities become more ubiquitous, the more you reveal, the more risk you take on.

Tuning Snort with Host Attribute Tables - CSO Online - Security and Risk

Tuning Snort with Host Attribute Tables - CSO Online - Security and Risk.

Here is an article I wrote for CSO magazine, thought the readers of my blog might like to check it out as well.

I was asked to write a fairly technical article for CSO magazine about Snort, the problem is, which part of Snort do you write the article for?  An article about Snort can be very technical or not so technical.  One of the advantages of having Open-Source software.

In any case, enjoy.

Will Hack For SUSHI » MiFi Config Hack

Will Hack For SUSHI » MiFi Config Hack.

A post by friend and colleague at SANS Joshua Wright.  Joshua is one of the guys I know who is really proficient at hacking wireless: Bluetooth, wifi, etc.  He does some really wonderful work at that, and he's fantastic at it.

This post is about him hacking his MiFi (Verizon).  He has two posts on the subject you should check out if you have a MiFi.

Fun with Firewall Logs

So, after my post about's network...  Here's another quiz for you.

Feb 15 09:16:39 localhost kernel: IN=eth0 OUT= MAC=00:03:47:f1:52:0d:00:18:01:b6:c1:4d:08:00 SRC= DST=192.168.x.x LEN=72 TOS=0x00 PREC=0x00 TTL=45 ID=32394 DF PROTO=TCP SPT=52764 DPT=22 WINDOW=46 RES=0x00 ACK PSH FIN URGP=0
Help Desk sign I wish I had sometimes

Help Desk sign I wish I had sometimes - The Posterior of Randal Schwartz.

Hey,, what are you doing?

So, in the spirit of another post I put up recently, I am monitoring my firewall logs for anything strange and I keep seeing this:
Feb  8 14:47:55 localhost kernel: IN=eth0 OUT= SRC= DST=192.168.x.x LEN=455 TOS=0x00 PREC=0x00 TTL=49 ID=33745 DF PROTO=TCP SPT=80 DPT=58709 WINDOW=54 RES=0x00 ACK PSH URGP=0
The Source is, the DST is my webserver, but take a look at the Ports.  SRC port 80?  DPT 58709?  Anyone else see anything like this?  This is being denied at my firewall because of my ESTABLISHED,RELATED line.  So, the connection was not made from here.  It's initiated from the outside.

What's going on over there at
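Both of the firewall quiz lines above are in the standard iptables/netfilter `LOG` target format, and the reasoning in this post (a TCP segment with ACK/PSH set, arriving from a server port, that the ESTABLISHED,RELATED rule has no state for) can be mechanised. The following parser and classifier are an added example written for this page, not code from the original posts; the three sample lines are constructed, with placeholder documentation-range IP addresses where the posts elide the real ones, and the labels (`unsolicited-reply-from-service-port` and so on) are names chosen here, not iptables terminology.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample lines in iptables LOG format. The first two mirror the
# quiz lines in the posts; the third is a plain SYN for contrast. Addresses
# are placeholders (the posts themselves redact them).
SAMPLE_LOG = """\
Feb 15 09:16:39 localhost kernel: IN=eth0 OUT= MAC=00:03:47:f1:52:0d:00:18:01:b6:c1:4d:08:00 SRC=203.0.113.10 DST=192.168.1.5 LEN=72 TOS=0x00 PREC=0x00 TTL=45 ID=32394 DF PROTO=TCP SPT=52764 DPT=22 WINDOW=46 RES=0x00 ACK PSH FIN URGP=0
Feb  8 14:47:55 localhost kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.168.1.5 LEN=455 TOS=0x00 PREC=0x00 TTL=49 ID=33745 DF PROTO=TCP SPT=80 DPT=58709 WINDOW=54 RES=0x00 ACK PSH URGP=0
Feb  8 14:48:01 localhost kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.168.1.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# TCP flag tokens that the LOG target prints as bare words (no '=').
TCP_FLAGS = {"SYN", "ACK", "PSH", "FIN", "RST", "URG"}


def parse_iptables_line(line: str) -> Dict[str, object]:
    """Split one kernel LOG line into KEY=VALUE fields plus a set of TCP flags.

    Everything before 'kernel: ' is the syslog prefix (timestamp and host);
    the remainder is a sequence of KEY=VALUE tokens and bare flag words
    such as DF, ACK, PSH, FIN.
    """
    prefix, _, body = line.partition("kernel: ")
    fields: Dict[str, object] = {"timestamp": prefix[:15]}  # e.g. 'Feb  8 14:47:55'
    bare = set()
    for tok in body.split():
        if "=" in tok:
            key, value = tok.split("=", 1)   # MAC= values contain ':' but no '='
            fields[key] = value
        else:
            bare.add(tok)
    fields["flags"] = bare & TCP_FLAGS
    fields["df"] = "DF" in bare               # Don't-Fragment bit
    return fields


def classify(rec: Dict[str, object]) -> str:
    """Label a dropped packet following the reasoning in the post.

    - SYN alone: a fresh connection attempt, the normal thing to see dropped.
    - ACK without SYN: a segment the firewall holds no state for, so it is not
      a reply to anything this host initiated. When it also comes *from* a
      well-known service port (e.g. SPT=80) it looks like an unsolicited server
      reply: backscatter from spoofed traffic, or a stray segment from a
      connection the firewall has already forgotten.
    """
    if rec.get("PROTO") != "TCP":
        return "non-tcp"
    flags = rec["flags"]
    if flags == {"SYN"}:
        return "new-connection-attempt"
    if "ACK" in flags and "SYN" not in flags:
        if int(rec["SPT"]) < 1024:
            return "unsolicited-reply-from-service-port"
        return "stateless-ack-no-session"
    return "other"


def summarize(log_text: str) -> List[Tuple[str, str, str, str]]:
    """Return (SRC, SPT, DPT, label) for every LOG line in the text."""
    out = []
    for line in log_text.splitlines():
        if "kernel: " not in line or " PROTO=" not in line:
            continue                          # skip non-netfilter kernel messages
        rec = parse_iptables_line(line)
        out.append((rec["SRC"], rec["SPT"], rec["DPT"], classify(rec)))
    return out


if __name__ == "__main__":
    for src, spt, dpt, label in summarize(SAMPLE_LOG):
        print(f"{src}:{spt} -> :{dpt}  {label}")
```

Run against a real `/var/log/messages` or `journalctl -k` dump, the `unsolicited-reply-from-service-port` bucket is the one worth eyeballing: a steady trickle from many sources is typically backscatter from someone else's spoofed SYN flood, while a single remote host repeating it is worth a closer look at your own outbound sessions to that host.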

WP Greet Box is back

I took away the WP Greet Box for awhile based on the fact that I didn't really have it configured optimally.  I wanted the Greet Box (which is a little pop up widget that says "Hello, welcome to the site, you can subscribe here" -- pretty much) because several of the themes I have been partial to had no obvious way to subscribe via RSS.  I've fixed that now with, as the blog will advertise that it has a feed in the URL bar now (for most modern browsers), also with a link over in the sidebar that points you to the feed.  But I wanted a little something, non-intrusive, that pointed to the RSS feed when you came from certain sites (Digg, StumbleUpon, things like that).  So it's there again, but only if you get directed from certain webpages to my site.  Which, actually, is the majority of the hits I receive.  Basically it's just an experiment.  Bear with me.

If Email Signatures Were Honest

If you never knew it occurred, did it occur in the first place?

In my To-Do list, I have a section for Blog topics that I think of in $random_place and I want to jot down for brainstorming later. This topic has been on my to-do list for about a year.

I was standing on a stage giving a speech at a military base, in about 2004.  The people I was giving a speech to were about 200-250 different "network" and "Systems" administrators from all over this military base in tons of different units.  In this audience I had military, civilian, and contractor.  I was asked to give a speech to the system administrators because some of them didn't see the value in security in their systems.  It was an afterthought and people weren't terribly excited about having to follow $regulation that ensured proper lock down of various controls in the operating system and network.

Review: Jawbone ICON Bluetooth Headset

I am not trying to jump on you like a bully and pummel you with reviews for a few posts recently, but I feel, as a geek, I have the need to tell my other geeky friends if something sucks, or if something is good. That way, not everyone spends money on things that are complete pieces of crap.

For those of you seeking a Bluetooth headset, you may want to look no further than the Jawbone ICON headset. Little bit of background before I proceed.

Review: Capitol Hilton, Washington, D.C.

This week I had to come down to Washington, DC to work with a customer.  Now, I've been to loads and loads of hotels, and most of the big ones in Washington, DC.  This week I decided to stay at the Capitol Hilton.  It's about three blocks north of the White House.

So, being the traveler I am, I have been a Diamond member with Hilton for the past three years, which is the highest you can get as a "premier traveler" with Hilton Rewards.  I'm not saying that to brag, I'm saying that to illustrate a point.  As a Diamond member, you automatically get certain things: free gym access, free breakfast, free newspapers, and free room upgrades, just to name a few.

So, you might call me spoiled, but whatever; I'm not trying to act that way, I'm giving a review.

Steve Jobs: The Rolling Stone Interview : Rolling Stone

Steve Jobs: The Rolling Stone Interview : Rolling Stone.

This is an older interview (2003) with Steve Jobs.  This is shortly after the iTunes rollout on Windows, iPods were just taking off, before the iPhone, before the App Store, before the iPad.

This is an interesting interview and you can see where Apple was at the time as far as Steve's thinking was concerned, and how that thinking has come to shape Apple.

Great Anti-Email post

Jeff Atwood, blogger and coder over at Coding Horror, one of the many blogs I read, had this post up sometime last year, and I thought it was such a good post that I've recommended it to a couple friends, but I realized I never actually blogged it.

Jeff discusses a similar topic to what I've discussed in the past.  Checking email less often, shutting your email off for periods of time, turn off the "new message" ding.   All great points.

Go check out his post here.  Jeff, great job!

YouTube in html5, enable it now

I received this link on one of my mailing lists and thought it was the greatest thing since sliced bread.  Following up on my "Flash is dead" post, you can enable to work in HTML5.

Go to: and you can "opt-in".  I assume it places a cookie in your browser so that every time you try and view a video, the video plays in html5 instead of flash.  My browser doesn't run at 100% CPU or anything.  It's awesome.  Go do it now, help kill flash.

Google to kill off IE6 support in 2010

In a big move by Google I just received an email letting me know that Google will be phasing out support for IE6 in Google Apps in 2010.
"In order to continue to improve our products and deliver more sophisticated features and performance, we are harnessing some of the latest improvements in web browser technology. This includes faster JavaScript processing and new standards like HTML5. As a result, over the course of 2010, we will be phasing out support for Microsoft Internet Explorer 6.0 as well as other older browsers that are not supported by their own manufacturers."
I think this is a phenomenal move by a company as big as Google to say "not anymore". I wish other companies would take such a firm stance against my other pet peeves. You know, ActiveX, Flash, and Silverlight.

Snort Ruleset tuning, by the VRT

A while back here on this blog I wrote about PulledPork 0.3.4 being released and about the VRT making the "Connectivity, Balanced, and Security over Connectivity" policies.  Also about how you can use PulledPork to automate the updating of your open source Snort rules to take advantage of these recommendations.

Around the same time VRT put a post up entitled the "VRT Guide to IDS Ruleset Tuning".  It was a good post, and I didn't really highlight it.  They post some really great examples towards the bottom of the post.  If you run a Snort installation and you've read some of my posts about Snort tuning and "I've installed Snort, now what", this is a good read as well.

Check it out here.