Fiber Economics — Dave Troy: Fueled By Randomness.
Darn good article by Dave Troy, a businessman out of Baltimore, MD. He explains Verizon and Comcast, the two biggest players in Internet access (in terms of "innovation"), and how Google's Fiber ambitions play into that.
Thanks @awilliams for the pointer to that one.
Wednesday, March 31
Tuesday, March 30
Seton Hill University to give all students an iPad
And so it begins... Seton Hill University to give all students an iPad.
This article from The Unofficial Apple Weblog, buried in my News Reader today, points out that Seton Hill University up in Pennsylvania, starting Fall 2010, is going to be issuing an iPad to every man, woman, and child who enrolls in the school.
So for those of you that read my blog and want to enroll in college at a "Catholic Liberal Arts University", here's your chance to get a free iPad.
How to specify a Snort Variable from the command line
So, my last post talked about how the -h command line tag in Snort doesn't actually specify HOME_NET like many people have thought. I have received about 30 emails asking "well then how do I do this! OMG!"
Fear not, there is a way to do this. So let's use the same testing criteria I did in my last post, same rule, same set up.
- var HOME_NET any
- var EXTERNAL_NET any
are specified in my snort.conf file.
Run Snort against the pcap and I get:
[**] [1:10000001:0] Alert! [**]
[Priority: 0]
03/29-16:57:47.361016 192.168.1.120:51968 -> 72.14.204.147:80
TCP TTL:64 TOS:0x0 ID:13360 IpLen:20 DgmLen:993 DF
***AP*** Seq: 0xC03BC58E  Ack: 0x8B9BF8F5  Win: 0x822B  TcpLen: 32
TCP Options (3) => NOP NOP TS: 63957188 2272801581
With the following rule:
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Alert!"; content:"/content"; sid:10000001;)
Same as before, so now let's use the -S command line tag. The -S tag, as stated in snort --help is:
-S <n=v> Set rules file variable n equal to value v
So let's do that.
Command line is now:
snort -c snort.conf -l . -r snort.log.1269894717 -k none -S HOME_NET=192.168.0.0/16
Run Snort against the pcap again:
[**] [1:10000001:0] Alert! [**]
[Priority: 0]
03/29-16:57:47.361016 192.168.1.120:51968 -> 72.14.204.147:80
TCP TTL:64 TOS:0x0 ID:13360 IpLen:20 DgmLen:993 DF
***AP*** Seq: 0xC03BC58E  Ack: 0x8B9BF8F5  Win: 0x822B  TcpLen: 32
TCP Options (3) => NOP NOP TS: 63957188 2272801581
Alert. Same as before. Okay, so now for the real test...
Reverse the direction of the HOME_NET:
snort -c snort.conf -l . -r snort.log.1269894717 -k none -S HOME_NET=72.14.0.0/16
No alert.
So, for those of you (hundreds of you?) that have been using -h to specify your HOME_NET on your command line, read my post from yesterday and found out that it doesn't work that way...
Try -S, it'll do what you want.
Monday, March 29
Snort -h doesn't do what you think it does.
I've seen a lot of traffic recently of people trying to use "-h" on the Snort command line to specify the variable $HOME_NET, and it's generated a lot of confusion as of late, so I thought I better write about it.
If you look in the manual, every time -h is used, it's used with a network range or an individual IP, it's also used together with -l, and it only appears with -vde (in other words, sniffer mode). It's never made clear exactly what -h actually does. Similarly, if you type:
snort --help
on the command line the -h tag says:
-h <hn>  Home network = <hn>
So one might think that passing -h on the command line sets the HOME_NET variable found in the snort.conf. Well, as you have probably guessed by now, this is not the case.
So here's the truth: -h actually has nothing to do with the HOME_NET as specified in the snort.conf file.
As we know,
var HOME_NET any
in the snort.conf file specifies which direction traffic should be examined in, in terms of the rules within the detection engine. Likewise,
var HOME_NET 192.168.0.0/16
in the snort.conf file is then filled in for all the rules that call $HOME_NET. This is not what -h does.
So, for example, the following rule:
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Alert!"; content:"/content"; sid:10000001;)
with the following in my snort.conf:
- var HOME_NET any
- var EXTERNAL_NET any
I get the following alert:
[**] [1:10000001:0] Alert! [**]
[Priority: 0]
03/29-16:57:47.361016 192.168.1.120:51968 -> 72.14.204.147:80
TCP TTL:64 TOS:0x0 ID:13360 IpLen:20 DgmLen:993 DF
***AP*** Seq: 0xC03BC58E  Ack: 0x8B9BF8F5  Win: 0x822B  TcpLen: 32
TCP Options (3) => NOP NOP TS: 63957188 2272801581
If I define HOME_NET in the snort.conf
- var HOME_NET 192.168.0.0/16
- var EXTERNAL_NET any
I still get the alert, okay.
[**] [1:10000001:0] Alert! [**]
[Priority: 0]
03/29-16:57:47.361016 192.168.1.120:51968 -> 72.14.204.147:80
TCP TTL:64 TOS:0x0 ID:13360 IpLen:20 DgmLen:993 DF
***AP*** Seq: 0xC03BC58E  Ack: 0x8B9BF8F5  Win: 0x822B  TcpLen: 32
TCP Options (3) => NOP NOP TS: 63957188 2272801581
If I define HOME_NET in the snort.conf as such:
- var HOME_NET 72.14.0.0/16
- var EXTERNAL_NET any
I don't get an alert, exactly as planned. Now I conduct the same test. Same rule, with
- var HOME_NET any
- var EXTERNAL_NET any
in my snort.conf, but this time I am going to specify 192.168.0.0/16 with the -h command line tag. The result:
[**] [1:10000001:0] Alert! [**]
[Priority: 0]
03/29-16:57:47.361016 192.168.1.120:51968 -> 72.14.204.147:80
TCP TTL:64 TOS:0x0 ID:13360 IpLen:20 DgmLen:993 DF
***AP*** Seq: 0xC03BC58E  Ack: 0x8B9BF8F5  Win: 0x822B  TcpLen: 32
TCP Options (3) => NOP NOP TS: 63957188 2272801581
Exactly as before.
Now, if I run -h with 72.14.0.0/16 at the command line, I get the following alert:
[**] [1:10000001:0] Alert! [**]
[Priority: 0]
03/29-16:57:47.361016 192.168.1.120:51968 -> 72.14.204.147:80
TCP TTL:64 TOS:0x0 ID:13360 IpLen:20 DgmLen:993 DF
***AP*** Seq: 0xC03BC58E  Ack: 0x8B9BF8F5  Win: 0x822B  TcpLen: 32
TCP Options (3) => NOP NOP TS: 63957188 2272801581
Where I should not have. So, no, it doesn't actually specify HOME_NET.
So if you are trying to specify HOME_NET, you need to do it in the snort.conf file.
-h, in fact (after checking with the development team and reading the code myself), corresponds to how packets are logged when using the old "log per directory" mode. However, this isn't very clear in the documentation or in the --help output, so I've asked the developers to make it a bit clearer what -h does, in the documentation as well as in the code. It's pretty much only useful for sniffer mode, not much for IDS mode.
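Here is the test matrix from this post and from the -S post above, replayed in a small model of how a rule header resolves $HOME_NET. This is an added illustration, not Snort's code: the snort.conf fragments, the rule header and the packet addresses are the ones from the posts, while the function names, and the choice to ignore -h when collecting variable overrides, are mine.

```python
"""Model of how a Snort rule header resolves $HOME_NET / $EXTERNAL_NET.

Illustration only (not Snort source): it reads 'var' lines as snort.conf
would, applies -S NAME=value overrides from the command line, and evaluates
the rule header's address/direction constraints against one packet.
"""
import ipaddress

# Rule header from the posts; msg/content/sid do not affect the direction
# question, so they are left out of the model.
RULE_HEADER = "alert tcp $HOME_NET any -> $EXTERNAL_NET any"

# Constructed snort.conf fragments mirroring the three settings tested above.
CONF_ANY = "var HOME_NET any\nvar EXTERNAL_NET any\n"
CONF_INSIDE = "var HOME_NET 192.168.0.0/16\nvar EXTERNAL_NET any\n"
CONF_REVERSED = "var HOME_NET 72.14.0.0/16\nvar EXTERNAL_NET any\n"

# Source and destination of the packet that produced the alert in the posts.
SRC_IP, DST_IP = "192.168.1.120", "72.14.204.147"


def parse_vars(conf_text):
    """Collect 'var NAME value' lines from a snort.conf fragment."""
    variables = {}
    for line in conf_text.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[0] == "var":
            variables[parts[1]] = parts[2].strip()
    return variables


def overrides_from_argv(argv):
    """Return the NAME=value strings given to -S.

    -h is deliberately not treated as a variable assignment: as the post
    shows, it does not set HOME_NET, so the model ignores it here."""
    overrides = []
    args = iter(argv)
    for arg in args:
        if arg == "-S":
            overrides.append(next(args))
        elif arg.startswith("-S") and len(arg) > 2:  # attached form: -SNAME=value
            overrides.append(arg[2:])
    return overrides


def apply_overrides(variables, overrides):
    """A -S assignment replaces whatever snort.conf defined for that name."""
    merged = dict(variables)
    for item in overrides:
        name, _, value = item.partition("=")
        merged[name] = value
    return merged


def ip_matches(ip, spec):
    """Does address ip satisfy a Snort address spec?

    Supports any, a.b.c.d, a.b.c.d/n, a [list,of,those], and '!' negation."""
    spec = spec.strip()
    if spec.startswith("!"):
        return not ip_matches(ip, spec[1:])
    if spec == "any":
        return True
    if spec.startswith("[") and spec.endswith("]"):
        return any(ip_matches(ip, part) for part in spec[1:-1].split(","))
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def header_matches(header, variables, src_ip, dst_ip):
    """Evaluate the address/direction part of a rule header for one packet.

    Ports are accepted as 'any' here; port logic is not what the posts test."""
    _action, _proto, src, _sport, arrow, dst, _dport = header.split()

    def resolve(token):
        return variables[token[1:]] if token.startswith("$") else token

    src_spec, dst_spec = resolve(src), resolve(dst)
    forward = ip_matches(src_ip, src_spec) and ip_matches(dst_ip, dst_spec)
    if arrow == "->":
        return forward
    if arrow == "<>":  # bidirectional: either orientation satisfies the header
        return forward or (ip_matches(dst_ip, src_spec) and ip_matches(src_ip, dst_spec))
    raise ValueError(f"unknown direction operator {arrow!r}")


def would_alert(conf_text, argv, src_ip=SRC_IP, dst_ip=DST_IP):
    """Replay one run: snort.conf contents plus the command-line arguments."""
    variables = apply_overrides(parse_vars(conf_text), overrides_from_argv(argv))
    return header_matches(RULE_HEADER, variables, src_ip, dst_ip)


if __name__ == "__main__":
    base = ["-c", "snort.conf", "-l", ".", "-r", "snort.log.1269894717", "-k", "none"]
    print("conf any/any:             ", would_alert(CONF_ANY, base))
    print("conf HOME_NET 192.168/16: ", would_alert(CONF_INSIDE, base))
    print("conf HOME_NET 72.14/16:   ", would_alert(CONF_REVERSED, base))
    print("-S HOME_NET=72.14.0.0/16: ", would_alert(CONF_ANY, base + ["-S", "HOME_NET=72.14.0.0/16"]))
    print("-h 72.14.0.0/16:          ", would_alert(CONF_ANY, base + ["-h", "72.14.0.0/16"]))
```

The last two lines of output reproduce the contrast from the posts: the -S run stops the alert, the -h run does not.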
Security Update 2010-002 / Mac OS X v10.6.3
About the security content of Security Update 2010-002 / Mac OS X v10.6.3.
Apple just posted 10.6.3 which included a ton of security updates in the following pieces of software, so go update:
- AppKit
- Application Firewall
- AFP Server
- Apache
- ClamAV
- CoreAudio
- CoreMedia
- CoreTypes
- CUPS
- curl
- Cyrus IMAP
- Cyrus SASL
- DesktopServices
- Disk Images
- Directory Services
- Dovecot
- Event Monitor
- FreeRADIUS
- FTP Server
- iChat Server
- ImageIO
- Image RAW
- Libsystem
- Mailman
- MySQL
- OS Services
- Password Services
- perl
- PHP
- Podcast Producer
- Preferences
- PS Normalizer
- QuickTime
- Ruby
- Server Admin
- SMB
- Tomcat
- unzip
- vim
- Wiki Server
- X11
- xar
Saturday, March 27
Day Two: No One Even Attempts Hacking Chrome at Pwn2Own Competition
Day Two: No One Even Attempts Hacking Chrome at Pwn2Own Competition - Google Chrome - Lifehacker.
Found this interesting. I didn't make it to CanSecWest this year, but several of my friends did go to this event/competition. While I did see that every other major browser was cracked on day one, (IE8, Firefox, and Safari) Chrome didn't even get tried, apparently.
While Chrome does use the Webkit (safari) engine, Chrome starts each browser tab in a separate process which is in a 'sandbox'.
On the usability side, I've been using Chrome on the Mac since they opened up the dev channel for it, and I really like it.
Friday, March 26
and then, there was rust
Got a call today from the shop that is tearing down the Mustang for the rebuild, asking me to stop by if I could and take a look; it seems that the rust on the front end was a little worse than they expected. I knew there was rust in there, but didn't know just how much...
So basically, we are going to replace from the driver's seat on forward. Frame, sidewalls, everything. Of course, I am getting stuck with the bill of people not doing it correctly to begin with, but, I suppose, that's the downfall of having a 42 year old car.
To look at the whole gallery of pictures I took today... Click here.
Stay tuned.
Thursday, March 25
Detecting suspicious account activity on your Gmail
Official Gmail Blog: Detecting suspicious account activity.
I found this article interesting. Google has implemented a kind of security feature in Gmail. What it looks like is that Google now keeps track of the IPs that you log into your Gmail account from (which they have done for a while now; check this out from back in 2008) and lets you know of any very strange deviations from your pattern.
The example they provide is this:
Google knows, in this example, that this person normally signs in from California in the USA, then suddenly in the middle of all the normal accesses, there is a login in Poland. Which is strange for the user, and you get this popup when you log into your gmail:
I think this is head and shoulders above what any of the other competitors are doing with their free online email solutions, and hopefully this will make strides to curbing some spam and illegal access of accounts.
No doubt that this had something to do with the illegal access of accounts from China during the whole "Google/Intel/insertothercompanieshere debacle". Glad to see Google doing things like this.
Wednesday, March 24
Mustang Status...
Had the car taken to the shop today. I've removed most of the engine, and am to the point where I can't do anything else with the tools that I have available to me. I don't know how to weld yet (I am learning, on the "job" training as it were), excuses, excuses, so anyway, to the shop the car went.
I guess I didn't get all the coolant out of the system when I was taking that portion apart.
This picture shows how much (well it kinda shows) I've stripped out of the car already.
I didn't take a picture with the hood up. Should have...
Of course I'll post pictures as it progresses.
What I'm putting into the car:
- 351W motor, custom built crate engine (400-450 hp) (on order)
- New front suspension
- New radiator and coolant system
- New 8in rear
- New spindles (4 lug to 5 lug)
- New Rims + Tires (obviously)
- New T-5 Transmission
Tuesday, March 23
Some notes on “making Snort go fast under Linux”
Work Together For The Benefit Of All ManKind… » Some notes on “making Snort go fast under Linux”.
Read the above link if you are interested in Snort. Author Edward Fjellskål does a nice job of explaining some really tricky details of Optimizing Snort. Including little tweaks about how to optimize the kernel.
Take a look, nice post Edward.
iPhone universal inbox?
Julio Rodriguez, a fellow Apple user wrote Steve Jobs an email thanking Apple for their great customer service, and proclaiming his "life-long" customer status.
However, the interesting part for me came in the second paragraph, where Julio asks Mr. Jobs:
I just have one question for you; will iPhone ever have a universal mailbox just like Mail has on my Mac? It would be so much easier and efficient
Steve Jobs answered back in his typically terse answer form:
Yep.
Sent from my iPad
For a screenshot of the email (including headers), check it out here.
Reader Question: Why is your Blog named Finshake?
Why is your Blog named Finshake? | Finshake.
I received a request about why my Blog is named Finshake. Read the above link for the reason.
Note: There is a search field on the right hand side of the blog. Check it out.
Indian military to weaponize world's hottest chili
My Way News - Indian military to weaponize world's hottest chili.
Read the above article. This is a great use for food as a weapon. Hurt? Yes. Lethal? Probably not. Immobilizing? Heck yes.
Sunday, March 21
Inbox Zero is fail? Wrong.
Alyssa Gregory, blogger at sitepoint, clearly doesn't get it.
It = Inbox Zero; she says it can't be done:
Merlin Mann, the de-facto creator of Inbox Zero offered a nice rebuttal, basically saying, "you clearly don't get it."
Then, Alyssa writes another post, basically saying "Uh, yeah, it still won't work."
Of course, this isn't my fight, it's Merlin's, however, as a devout follower of Inbox Zero, relying on it constantly as my day in and day out way of staying sane, I offered this rebuttal, which are basically my feelings about email. (Which I doubt she'll post, but whatever.) Here it is.
Merlin, you are still the man.
I believe you are still missing the point. The point of Inbox Zero is to become a "decider" and a "do-er" instead of an email processor. You receive email, you make a decision about its purpose: either A) respond right now if it takes less than 2 minutes, B) if it takes longer than two minutes, put it into a folder to reply to later, C) make a to-do to DO the thing that is in the email, and save the email, or D) delete it.
Is the email that is sitting in my inbox right now, that I am staring at, actionable? Do I need to physically do something with the information that is in front of me? Yes? Make a to-do to do it, then DO it. No? Either file it, or delete it.
Follow this process until you hit ZERO emails in your inbox.
Then CLOSE your email. CLOSE it. And go DO the things that you made to-dos to do.
Even if those to-dos involve answering the email that you put into a folder under "B", you need to DO them. Only check email about twice or three times a day, and you will be much more productive.
The point in Inbox zero is to process to ZERO, then CLOSE the inbox for the time being and GO CREATE. GO CREATE YOUR WORK BEING DONE.
Then, later, open it back up.
Thursday, March 18
Cybersecurity Bill Trims Presidents Power
Cybersecurity Bill Trims Presidents Power -- Cybersecurity -- InformationWeek.
"The Senate Wednesday re-introduced a cybersecurity bill it considered last year, minus a provision that would have allowed the president to shut down the Internet in the event of a major cyber attack.
The Cybersecurity Act, S. 773, co-sponsored by Senators Jay Rockefeller (D-W.Va.) and Olympia Snowe (R-Maine), is aimed at protecting critical U.S. network infrastructure against cybersecurity threats by fostering collaboration between the federal government and the private sectors that maintain that infrastructure."
Check this out, interesting.
Wednesday, March 17
Hey Microsoft, Don't F*ck Up Windows Phone 7
Hey Microsoft, Don't F*ck Up Windows Phone 7 - Windows phone 7 - Gizmodo.
A funny post over on Gizmodo detailing how, apparently, Microsoft has put out a couple changes to Windows Phone Mobile 7. (What is it with Microsoft and the number 7 all of the sudden? Unified messaging?)
Apparently Microsoft is going to do two things wrong:
- No multitasking
- No Copy and Paste
As for Multitasking, the iPhone doesn't have it "ish". (Mail and various other "Apple only" apps can run in the background). However, the rumor is that iPhone 4.0 will have multitasking. So Microsoft, instead of trying to get ahead of the curve, you are going to be at least 3 years behind in copying Apple? Seriously? Way to step up the innovation there guys.
Copy and Paste.. Well, the iPhone didn't have it until iPhone 3.0, and a shitton of people bought iPhones too. Not that many will buy Windows Mobile 7 devices, but still...
How can you not put copy and paste in it, when (as the author of the Gizmodo article says) the phone you are trying to compete with (the iPhone) already has it!?
Stellar, Microsoft, way to win. Whatever, I wouldn't buy it anyway.
Tuesday, March 16
Random Picture from the Internet
VRT: The New Disclosure Debate and the Evil Mr. Moore
VRT: The New Disclosure Debate and the Evil Mr. Moore.
I am not trying to get into the business of reblogging Sourcefire VRT's blog entries, but I blog things that I think are interesting, or that I think my readers will find interesting and hopefully debate. I think this is yet, ANOTHER insanely great article by Mr. Matt Olney. Please click the link above and read it!
Wednesday, March 10
Funny ‘Hacker’ Story
Funny ‘Hacker’ Story.
A funny story about a hacker named "bitchchecker", proving his mad skills by attacking someone on the Internet.
Using the IP: 127.0.0.1
Watch out for this guy.
Tuesday, March 9
VRT: APT: Should your panties be in a bunch, and how do you un-bunch them?
VRT: APT: Should your panties be in a bunch, and how do you un-bunch them?.
I don't know how to say it anymore than this:
Matt Olney wrote a damn, a DAMN good post about APT on the VRT blog, and if you read my blog, and you don't go over to the VRT blog and read that post.. Heck I don't care if you don't read another post by the VRT that they have written in the past (although, you SHOULD! They put a LOT of time into their posts!) you should read this one.
Matt, whom I play Xbox with nearly every night, talk to on a regular basis, and consider to be my friend.. I just wanted to let you know, seriously...
Damn fine job sir.
10 reasons to avoid talking on the phone
10 reasons to avoid talking on the phone - The Oatmeal.
This is an awesome comic, pretty much sums up talking on the phone correctly.
Click through, it's awesome.
Sunday, March 7
Sourcefire VRT Labs: MS to SID mappings
Sourcefire VRT Labs.
For those of you that are using Sourcefire VRT rules to protect your network with your Snort IDS/IPS installation (as you should!), there are mappings from MS vulnerability number to SID number. In the past, you either had to be a Sourcefire customer (we make this super easy in the Policy Editor GUI) or you had to be very patient and grep your way through the rules.
However, VRT put these mappings in a super easy to use interface at the link above. Check it out.
Update:
Nigel corrected me, these mappings have always been on Snort.org, VRT just moved the hosting. Duh.
Usability participants needed for Outlook:Mac
go ahead, mac my day : usability participants needed for Outlook:Mac study in March.
Blog entry from one of the developers that works on the Office:Mac suite at Redmond, asking for usability testing volunteers to test Outlook for the Mac (to be released this year, IIRC).
If you are in or near Mountain View, California, and you wish to participate, to be eligible you must:
- use a Mac for work purposes
- connect your Mac to an Exchange server
- use mail and calendar on your Exchange server several times per week
Tuesday, March 2
Offset, Depth, Distance, and Within
Without going off the deep-end here and discussing every single Snort rule keyword, I just wanted to touch on a few modifiers that people sometimes misunderstand. They aren't difficult, and hopefully after this explanation and a few examples, I can clear some of the air around these five modifiers.
The five modifiers that I am talking about are
In the above example, if I wanted to find the word "GET" (highlighted). I would write:
<Common Misconception>
Some tend to think that if they stack two contents next to each other, that Snort will look for those contents in the order they are provided. For example, if I were to write:
2.
Depth in the Snort manual is defined as:
I want to match on "GET" but ONLY if it occurs as the beginning of the packet. Notice when I was describing offset above I said that offset tells Snort where to start looking. Not where to stop. If I don't tell Snort where to stop using a content match, Snort will search the entire packet. If I want to tell Snort where to stop looking for a content match, I have to use something like depth. So for the above example, if I want to match on "GET" but only at the beginning of the data portion of the payload:
Distance is defined in the Snort manual as:
4.
Within in described in the Snort Manual as:
So, using the content matches we've built already:
5.
Finally, let me discuss "nocase";. nocase, or "No case" simply means, for the content match specified, do not pay attention to case sensitivity. "nocase" doesn't make the Snort engine work any harder in the grand scheme of things, and it's very handy for being able to make sure your rules do not get bypassed. Example? Let's say I wanted to match the above screenshot, no matter what. Well, if I was an attacker, and I came to your webserver trying to access your "downloads" directory, as the rule is written, I could pass my "GET" string as lowercase "get" or mixed case "GeT", and depending upon your webserver, it might accept it, and I have effectively bypassed your rule. The easiest thing to do with this type of evasion is to use a nocase; statement.
--
SNORT and Sourcefire are registered trademarks of Sourcefire, Inc.
The five modifiers that I am talking about are
Offset
Depth
Distance
Within
nocase
content
". The content keyword is one of the easiest pieces of the Snort rules language as all it does is look for a particular string. So for instance if I wanted to look for the word "joel" within a packet. A simple: content:"joel";
Would allow me to do that. The interesting part comes into play when you want to specify where inside of a particular packet you want the string "joel" to be looked for. If you are running just a plain content match with a simple string, and not specifying where in the packet to look for that string, your Snort instance will receive a ton of alerts, and then you, the analyst, are stuck looking through all of those alerts to try and pick out the alert that is needed. While a content match for "joel" might be pretty unique (that might not occur a lot on your network), but it will occur a bunch on mine. Offset
The offset keyword allows the rule writer to specify where to start searching for a pattern within a packet.So, given a certain packet, Offset tells the content match it's modifying where to start looking, given an offset from the beginning of the data payload of the packet.
In the above example, if I wanted to find the word "GET" (highlighted). I would write:
content:"GET"; offset:0;
Meaning, start at the beginning of the data payload of the packet (offset:0;) and find the word GET. Now, in this example, the word "GET" is at the very beginning of the packet making the search very easy. However, if I wanted to match on the word "downloads" that is found a bit later in the above screenshot, I could still start my content match at the beginning of the payload (offset:0;) but the content match would be more accurate and less computationally expensive if I were to make the offset more accurate. content:"downloads"; offset:13;
Would tell Snort to start looking for the word "downloads" at the 13th byte in the data portion of the packet. So, what if I chained these two together? content:"GET"; offset:0; content:"downloads"; offset:13;
In other words, start looking for "GET" at the beginning of the data payload of the packet, and start looking for the word "downloads" at the 13th byte of the packet. Now, why would I do this? This example tells Snort, after the first content match, go back to the beginning of the packet, move over 13 bytes and then start looking again for a second content match. There are several things wrong with this example, that I did on purpose. First off, if you are at the first content match in a Snort rule, or a content match you want to start at the beginning of the packet, you don't have to write "offset:0;". Any content match that doesn't have a modifier after it automatically starts at the beginning of the data payload portion of the packet by default. Offset:0; is implied for this type of match. Second, and a:<Common Misconception>
Some tend to think that if they stack two contents next to each other, that Snort will look for those contents in the order they are provided. For example, if I were to write:
content:"GET"; content:"downloads";
Some people generally think that in the above example the word "downloads" will have to occur after the word "GET" in the packet. This is wrong. If no modifiers to contents are specified, then the order of the matches within a given packet (or stream, for that matter) doesn't matter. "downloads" could be first, then "GET", and the rule will still fire. So, given the above example screenshot, if I wanted to force the word "downloads" to occur after the word "GET", I could use a distance modifier, which I will touch on a bit later.
2. Depth
Depth in the Snort manual is defined as:
The depth keyword allows the rule writer to specify how far into a packet Snort should search for the specified pattern from a given offset.
So, given the above example again: I want to match on "GET" but ONLY if it occurs at the beginning of the packet. Notice when I was describing offset above I said that offset tells Snort where to start looking, not where to stop. If I don't tell Snort where to stop a content match, Snort will search the entire packet. If I want to tell Snort where to stop looking for a content match, I have to use something like depth. So for the above example, if I want to match on "GET" but only at the beginning of the data portion of the payload:
content:"GET"; depth:3;
Notice some things:
- I didn't start with offset:0;. Remember, if I am beginning a content search at the beginning of the data payload of the packet, offset:0; is implied.
- Depth counts in positive integers. While offset starts counting at "0" bytes, depth counts in positive integers; "GET" is three bytes long, so my depth is "3".
- Depth starts counting from the offset point, not from the beginning of the packet. While, in the above "GET" example, the offset point IS the beginning of the packet, don't get confused by this.
- By telling Snort to only look in the first three bytes, if Snort is analyzing millions of 1500 byte packets, only matching on the first three bytes is a significant CPU saver.
- BTW -- Don't do the above example, as you will essentially match on every single GET request on your network, turning your IDS into a brick. This is just an example. Besides, this is what http_method is for, which I'll cover in a later blog post.
3. Distance
Distance is defined in the Snort manual as:
The distance keyword allows the rule writer to specify how far into a packet Snort should ignore before starting to search for the specified pattern relative to the end of the previous pattern match. (Emphasis added by me.)
Distance says to us, "okay, relative to the end of the previous content match, when should I start searching for the second content match?" So, bringing back my previous example:
content:"GET"; depth:3; content:"downloads";
If I were to do this:
content:"GET"; depth:3; content:"downloads"; distance:0;
That by itself would force the content match "downloads" to occur after the "GET" content match. It doesn't matter where (distance:0;), just as long as the pattern match is AFTER the first one. However, if I wanted to be more specific, and more specifically match on the screenshot that I provided above:
content:"GET"; depth:3; content:"downloads"; distance:10;
This says to the Snort engine, "match on GET in the first 3 bytes of the data payload of the packet, then move 10 bytes relative to the end of GET and start looking for "downloads"". Notice I said start looking. Not limited to. Kinda like putting an offset without a depth there... so we have within.
4. Within
Within is described in the Snort Manual as:
The within keyword is a content modifier that makes sure that at most N bytes are between pattern matches using the content keyword.
Within allows you to specify a range between content matches; it also allows you to tell a second (relative) content match where to stop.
So, using the content matches we've built already:
content:"GET"; depth:3; content:"downloads"; distance:10;
The only problem here is that "downloads" is being searched for in the entire packet, except for the first 13 bytes, essentially. How can we make "downloads" only be searched for at that specific spot? Within.
content:"GET"; depth:3; content:"downloads"; distance:10; within:9;
"Match on GET in the first 3 bytes of the data payload of the packet, then move 10 bytes relative to the end of GET and start looking for "downloads"; however, "downloads" must occur wholly within the next 9 bytes." Could I say "within:10;"? Yes, I could, and then "downloads" could be in its present position, or one byte later if there were another byte in front of the actual content match. Also notice that within, like depth, works in positive integers (distance starts counting at "1").
5. nocase
Finally, let me discuss "nocase;". nocase, or "no case", simply means: for the content match specified, do not pay attention to case sensitivity. "nocase" doesn't make the Snort engine work any harder in the grand scheme of things, and it's very handy for making sure your rules do not get bypassed. Example? Let's say I wanted to match the above screenshot, no matter what. Well, if I was an attacker, and I came to your webserver trying to access your "downloads" directory, as the rule is written, I could pass my "GET" string as lowercase "get" or mixed case "GeT", and depending upon your webserver, it might accept it, and I have effectively bypassed your rule. The easiest thing to do with this type of evasion is to use a nocase; statement.
content:"GET"; depth:3; nocase; content:"downloads"; distance:10; within:9; nocase;
So, I want you to notice a few things:
- We went from very generic to very specific; your use case will vary.
- Modifiers to contents come AFTER the content match. Not before; they won't work, don't try it.
- Offset goes with depth; distance goes with within. Don't mix them.
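To make the semantics above concrete (including the "order doesn't matter" misconception and the nocase evasion), here is an added Python emulator of these five modifiers. It is not from the original post or from Snort itself; the payload is constructed so that "downloads" begins at byte 13, matching the offset:13 / distance:10 / within:9 values used in the post.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample payload (TCP data portion only). "downloads" starts at
# byte 13, so the post's offset:13 / distance:10 / within:9 values line up.
PAYLOAD = b"GET /example/downloads/ HTTP/1.1\r\nHost: www.example.com\r\n\r\n"

@dataclass
class Content:
    pattern: bytes
    offset: int = 0                  # absolute: where to start (0 is implied)
    depth: Optional[int] = None      # absolute: search only this many bytes
    distance: Optional[int] = None   # relative: skip N bytes after last match
    within: Optional[int] = None     # relative: must end within N bytes
    nocase: bool = False             # case-insensitive compare

def rule_matches(payload: bytes, contents: List[Content]) -> bool:
    """Emulate Snort's content-modifier semantics; True if all contents hit."""
    cursor = 0  # end of the previous content match
    for c in contents:
        if c.distance is None and c.within is None:
            # Absolute match: restart from the payload start (+offset).
            start = c.offset
            end = start + c.depth if c.depth is not None else len(payload)
        else:
            # Relative match: measured from the end of the previous match.
            start = cursor + (c.distance or 0)
            end = start + c.within if c.within is not None else len(payload)
        hay, needle = payload[start:end], c.pattern
        if c.nocase:
            hay, needle = hay.lower(), needle.lower()
        hit = hay.find(needle)
        if hit < 0:
            return False
        cursor = start + hit + len(needle)
    return True

# The rules built up in the post, from generic to specific.
UNORDERED = [Content(b"GET"), Content(b"downloads")]
ORDERED = [Content(b"GET", depth=3), Content(b"downloads", distance=0)]
EXACT = [Content(b"GET", depth=3), Content(b"downloads", distance=10, within=9)]
EXACT_NOCASE = [Content(b"GET", depth=3, nocase=True),
                Content(b"downloads", distance=10, within=9, nocase=True)]

if __name__ == "__main__":
    print(rule_matches(PAYLOAD, UNORDERED), rule_matches(b"/downloads GET", UNORDERED))
    print(rule_matches(PAYLOAD, EXACT), rule_matches(b"GET /dl/downloads/", EXACT))
    print(rule_matches(b"get /example/downloads/", EXACT),
          rule_matches(b"get /example/downloads/", EXACT_NOCASE))
```

The first print shows the unmodified rule firing even when "downloads" precedes "GET"; the last shows the lowercase request slipping past the case-sensitive rule but not the nocase one.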
--
SNORT and Sourcefire are registered trademarks of Sourcefire, Inc.
Apple sues HTC for alleged infringement of 20 iPhone patents
AppleInsider | Apple sues HTC for alleged infringement of 20 iPhone patents.
...And so it begins... I was beginning to wonder when this was going to happen, of course, HTC, the makers of many phones, the most notable being the Google Nexus One, and the G1.
We'll have to wait and see how this one shakes out.
Monday, March 1
Plugins add grunt to Google’s Quick Search Box
Plugins add grunt to Google’s Quick Search Box « Hawk Wings.
If you are a user of Google's Quick Search Box (similar to QuickSilver), and is in active development, you can download and use these series of scripts in order to interact with the rest of your OS. (Things like sending a file through email in Mail.app).
Or, you can just stick with QuickSilver. It does all these things already.