Skip to main content


Showing posts from March, 2010

The Geek/Nerd/Dork/Dweeb Venn Diagram

Seton Hill University to give all students an iPad

And so it begins... Seton Hill University to give all students an iPad.

This article from The Unofficial Apple Weblog, buried in my News Reader today, points out that the Seton Hill University up in Pennsylvania, starting Fall 2010 is going to be issuing an iPad to every man, woman, and child who enrolls into school.

So for those of you that read my blog and want to enroll in college at a "Catholic Liberal Arts University", here's your chance to get a free iPad.

How to specify a Snort Variable from the command line

So, my last post talked about how the -h command line tag in Snort doesn't actually specify HOME_NET like many people have thought.  I have received about 30 emails asking "well then how do I do this! OMG!"

Fear not, there is a way to do this.  So let's use the same testing criteria I did in my last post, same rule, same set up.

var HOME_NET any

Are specified in my snort.conf file

Run Snort against the pcap and I get:

[**] [1:10000001:0] Alert! [**]
[Priority: 0]
03/29-16:57:47.361016 ->
TCP TTL:64 TOS:0x0 ID:13360 IpLen:20 DgmLen:993 DF
***AP*** Seq: 0xC03BC58E  Ack: 0x8B9BF8F5  Win: 0x822B  TcpLen: 32
TCP Options (3) => NOP NOP TS: 63957188 2272801581
With the following rule:

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Alert!"; content:"/content"; sid:10000001;)
Same as before, so now let's use the -S command line tag.  The -S tag, as stated in snort --help is:

-S <n=v>   Set r…

Snort -h doesn't do what you think it does.

I've seen a lot of traffic recently of people trying to use "-h" on the Snort command line to specify the variable $HOME_NET, and it's generated a lot of confusion as of late, so I thought I better write about it.

If you look in the manual, every time -h is used, it's used with a network range, or an individual IP, and it's also used with -l, also only used with -vde (otherwise sniffer mode). It's not ever made clear exactly what -h actually does. Similarly if you type:

snort --help

on the command line the -h tag says:
-h Home network =
So, one might think that by doing a -h on the command line, it specifies the HOME_NET variable found in the snort.conf on the command line. Well, as you probably have guessed by now, this is not the case.

So here's the truth: -h actually has nothing to do with the HOME_NET as specified in the snort.conf file.

As we know,
var HOME_NET any
Will specify which direction traffic should be examined in terms of the rules with…

Security Update 2010-002 / Mac OS X v10.6.3

About the security content of Security Update 2010-002 / Mac OS X v10.6.3.

Apple just posted 10.6.3 which included a ton of security updates in the following pieces of software, so go update:

Application Firewall
AFP Server
Cyrus IMAP
Cyrus SASL
Disk Images
Directory Services
Event Monitor
FTP Server
iChat Server
Image RAW
OS Services
Password Services
Podcast Producer
PS Normalizer
Server Admin
Wiki Server

Day Two: No One Even Attempts Hacking Chrome at Pwn2Own Competition

Day Two: No One Even Attempts Hacking Chrome at Pwn2Own Competition - Google Chrome - Lifehacker.

Found this interesting.  I didn't make it to CanSecWest this year, but several of my friends did go to this event/competition.  While I did see that every other major browser was cracked on day one, (IE8, Firefox, and Safari) Chrome didn't even get  tried, apparently.

While Chrome does use the Webkit (safari) engine, Chrome starts each browser tab in a separate process which is in a 'sandbox'.

On the usability side, I've been using Chrome on the Mac since they opened up the dev channel for it, and I really like it.

and then, there was rust

Got a call today from the shop that is tearing down the Mustang for the rebuild, asking me to stop by if I could and take a look, it seems that the rust on the front end was a little worst than they expected.  I knew there was rust in there, but didn't know just how much...

So basically, we are going to replace from the driver's seat on forward.  Frame, sidewalls, everything.  Of course, I am getting stuck with the bill of people not doing it correctly to begin with, but, I suppose, that's the downfall of having a 42 year old car.

To look at the whole gallery of pictures I took today... Click here.

Stay tuned.

Detecting suspicious account activity on your Gmail

Official Gmail Blog: Detecting suspicious account activity.

I found this article interesting.  Google has implemented a kind of security feature in Gmail.  What it looks like, is now Google keeps track of the IPs that you log into your Gmail account from (which they  have for awhile now, check this out from back in 2008) and let's you know of any very strange deviations in pattern.

The example they provide is this:

Google knows, in this example, that this person normally signs in from California in the USA, then suddenly in the middle of all the normal accesses, there is a login in Poland.  Which is strange for the user, and you get this popup when you log into your gmail:

I think this is head and shoulders above what any of the other competitors are doing with their free online email solutions, and hopefully this will make strides to curbing some spam and illegal access of accounts.

No doubt that this had something to do with the illegal access of accounts from China during the whole

Mustang Status...

Had the car taken to the shop today.  I've removed most of the engine, and am to the point where I can't do anything else with the tools that I have available to me.  I don't know how to weld yet (I am learning, on the "job" training as it were), excuses, excuses, so anyway, to the shop the car went.

I guess I didn't get all the coolant out of the system when I was taking that portion apart.

This picture shows how much (well it kinda shows) I've stripped out of the car already.

I didn't take a picture with the hood up.  Should have...
Of course I'll post pictures along it's progress.
What I'm putting into the car:

351W motor, custom built crate engine (400-450 hp) (on order)
New front suspension
New radiator and coolant system
New 8in rear
New spindles (4 lug to 5 lug)
New Rims + Tires (obviously)
New T-5 Transmission

Some notes on “making Snort go fast under Linux”

Work Together For The Benefit Of All ManKind… » Some notes on “making Snort go fast under Linux”.

Read the above link if you are interested in Snort.  Author Edward Fjellskål does a nice job of explaining some really tricky details of Optimizing Snort.  Including little tweaks about how to optimize the kernel.

Take a look, nice post Edward.

iPhone universal inbox?

Julio Rodriguez, a fellow Apple user wrote Steve Jobs an email thanking Apple for their great customer service, and proclaiming his "life-long" customer status.

However, the interesting part for me came in the second paragraph where Julio ask Mr. Jobs:
I just have one question for you; will iPhone ever have a universal mailbox just like Mail has on my Mac?  It would be so much easier and efficient
Steve Jobs answered back in his typically terse answer form:

Sent from my iPad
For a screenshot of the email (including headers), check it out here.

Inbox Zero is fail? Wrong.

Alyssa Gregory, blogger at sitepoint, clearly doesn't get it.

It = Inbox Zero, she says it can't be done.:

Merlin Mann, the de-facto creator of Inbox Zero offered a nice rebuttal, basically saying, "you clearly don't get it."

Then, Alyssa writes another post, basically saying "Uh, yeah, it still won't work."

Of course, this isn't my fight, it's Merlin's, however, as a devout follower of Inbox Zero, relying on it constantly as my day in and day out way of staying sane, I offered this rebuttal, which are basically my feelings about email.  (Which I doubt she'll post, but whatever.)  Here it is.

Merlin, you are still the man.
I believe you are still missing the point. The point in Inbox Zero is to become a “decider” and a “do-er” instead of an email processor. You receive email, you make a decision about it’s purpose, either A) Respond right now if it takes less than 2 minutes, B) If it takes longer than two minutes, Put it into a folder to r…

Cybersecurity Bill Trims Presidents Power

Cybersecurity Bill Trims Presidents Power -- Cybersecurity -- InformationWeek.

"The Senate Wednesday re-introduced a cybersecurity bill it considered last year, minus a provision that would have allowed the president to shut down the Internet in the event of a major cyber attack.
The Cybersecurity Act, S. 773, co-sponsored by Senators Jay Rockefeller (D-W.Va.) and Olympia Snowe (R-Maine), is aimed at protecting critical U.S. network infrastructure against cybersecurity threats by fostering collaboration between the federal government and the private sectors that maintain that infrastructure."
Check this out, interesting.

Hey Microsoft, Don't F*ck Up Windows Phone 7

Hey Microsoft, Don't F*ck Up Windows Phone 7 - Windows phone 7 - Gizmodo.

A funny post over on Gizmodo detailing how, apparently, Microsoft has put out a couple changes to Windows Phone Mobile 7. (What is it with Microsoft and the number 7 all of the sudden?  Unified messaging?)

Apparently Microsoft is going to do two things wrong..

No multitasking
No Copy and Paste

As for Multitasking, the iPhone doesn't have it "ish".  (Mail and various other "Apple only" apps can run in the background).   However, the rumor is that iPhone 4.0 will have multitasking.  So Microsoft, instead of trying to get ahead of the curve, you are going to be at least 3 years behind in copying Apple?  Seriously?  Way to step up the innovation there guys.

Copy and Paste..  Well, the iPhone didn't have it until iPhone 3.0, and a shitton of people bought iPhones too.  Not that many will buy Windows Mobile 7 devices, but still...

How can you not put copy and paste in it, when (as the author o…

Random Picture from the Internet

Don't know where the above picture came from (I received it via email), but.. Wow. That's a lot of Cash. This was probably a drug seizure or something like that.

VRT: The New Disclosure Debate and the Evil Mr. Moore

VRT: The New Disclosure Debate and the Evil Mr. Moore.

I am not trying to get into the business of reblogging Sourcefire VRT's blog entries, but I blog things that I think are interesting, or that I think my readers will find interesting and hopefully debate.  I think this is yet, ANOTHER insanely great article by Mr. Matt Olney.  Please click the link above and read it!

VRT: APT: Should your panties be in a bunch, and how do you un-bunch them?

VRT: APT: Should your panties be in a bunch, and how do you un-bunch them?.

I don't know how to say it anymore than this:

Matt Olney wrote a damn, a DAMN good post about APT on the VRT blog, and if you read my blog, and you don't go over to the VRT blog and read that post..  Heck I don't care if you don't read another post by the VRT that they have written in the past (although, you SHOULD!  They put a LOT of time into their posts!) you should read this one.

Matt, whom I play Xbox with nearly every night, talk to on a regular basis, and consider to be my friend..  I just wanted to let you know, seriously...

Damn fine job sir.

Sourcefire VRT Labs: MS to SID mappings

Sourcefire VRT Labs.

For those of you that are using Sourcefire VRT rules to protect your network with your Snort IDS/IPS installation, (as you should!).  There are mappings from MS vulnerability number to SID number, in the past, you either had to be a Sourcefire customer (we make this super easy in the Policy Editor GUI) or you had to be very patient and grep your way through the rules.

However, VRT put these mappings in a super easy to use interface at the link above.  Check it out.


Nigel corrected me, these mappings have always been on, VRT just moved the hosting.  Duh.

Usability participants needed for Outlook:Mac

go ahead, mac my day : usability participants needed for Outlook:Mac study in March.

Blog entry from one of the developers that works on the Office:Mac suite at Redmond, asking for usability testing volunteers to test Outlook for the Mac.  (To be released this year IIRC.

If you are in or near Mountain View, California, and you wish to participate, you need to be eligible by:

use a Mac for work purposes
connect your Mac to an Exchange server
use mail and calendar on your Exchange server several times per week

Offset, Depth, Distance, and Within

Without going off the deep-end here and discussing every single Snort rule keyword, I just wanted to touch on a few modifiers that people sometimes misunderstand.  They aren't difficult, and hopefully after this explanation and a few examples, I can clear some of the air around these five modifiers.

The five modifiers that I am talking about are
OffsetDepthDistanceWithinnocaseThese five modifiers are not keywords of themselves, but rather they apply as modifiers to another keyword.  That keyword is "content". The content keyword is one of the easiest pieces of the Snort rules language as all it does is look for a particular string.  So for instance if I wanted to look for the word "joel" within a packet.  A simple:
content:"joel";Would allow me to do that.  The interesting part comes into play when you want to specify where inside of a particular packet you want the string "joel" to be looked for.  If you are running just a plain content ma…

Plugins add grunt to Google’s Quick Search Box

Plugins add grunt to Google’s Quick Search Box « Hawk Wings.

If you are a user of Google's Quick Search Box (similar to QuickSilver), and is in active development, you can download and use these series of scripts in order to interact with the rest of your OS.  (Things like sending a file through email in

Or, you can just stick with QuickSilver.  It does all these things already.