
Showing posts from April, 2010

Snort 2.8.6 segfaults

Putting this post up for the people who will Google the error.
If you get an error that looks something like this when you start Snort after upgrading to 2.8.6 from 2.8.5.3 (or whatever):
"segfault at 0 ip b7955947 sp bfa35d70 error 4 in libsf_engine.so.0.0.0[b7953000+8000]"

It means you are running 2.8.5.3 SO rules with the 2.8.6 engine. The precompiled SO rules are built against a specific engine, so you need the 2.8.6 SO rules to run with the 2.8.6 engine.

You can get the rules here: http://www.snort.org/snort-rules

Make sure you read this post too: http://blog.joelesler.net/2010/04/new-vrt-rulepack-changes.html
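A quick way to catch the mismatch before Snort dies is to compare the engine version against the version directory the precompiled SO rules live in. The script below is an added example, not from the original post or from the Snort project; it assumes the VRT tarball layout so_rules/precompiled/<distro>/<arch>/<engine version>/*.so, and that `snort -V` prints a line such as "   Version 2.8.6 (Build 38)". The sample tree it builds is constructed for the demonstration.

```python
"""Added example, not from the original post: check that a precompiled
so_rules tree was built for the Snort engine you are about to start.

Assumptions: the VRT tarball layout
so_rules/precompiled/<distro>/<arch>/<engine version>/*.so and a
`snort -V` banner containing a line such as "   Version 2.8.6 (Build 38)".
"""
import os
import re
import subprocess
import tempfile

VERSION_RE = re.compile(r"Version\s+(\d+(?:\.\d+)+)")


def engine_version_from_banner(banner):
    """Pull e.g. '2.8.6' out of the text printed by `snort -V`; None if absent."""
    match = VERSION_RE.search(banner)
    return match.group(1) if match else None


def running_engine_version(snort="snort"):
    """Run `snort -V` and parse the banner (read both streams; Snort 2.8 logs to stderr)."""
    proc = subprocess.run([snort, "-V"], capture_output=True, text=True)
    return engine_version_from_banner(proc.stdout + proc.stderr)


def so_rules_versions(precompiled_dir):
    """Map each engine version found under precompiled/ to its .so files.

    The version is the name of the directory that directly holds the .so files.
    """
    found = {}
    for root, _dirs, files in os.walk(precompiled_dir):
        shared_objects = [f for f in files if f.endswith(".so")]
        if shared_objects:
            version = os.path.basename(root)
            found.setdefault(version, []).extend(
                os.path.join(root, f) for f in shared_objects)
    return found


def check_so_rules(engine_version, precompiled_dir):
    """Return (ok, message); ok is False when nothing was built for engine_version."""
    found = so_rules_versions(precompiled_dir)
    if engine_version in found:
        return True, "%d SO rules built for %s" % (len(found[engine_version]), engine_version)
    if not found:
        return False, "no precompiled SO rules found under %s" % precompiled_dir
    return False, "SO rules built for %s but the engine is %s: expect the libsf_engine.so segfault" % (
        ", ".join(sorted(found)), engine_version)


def build_sample_tree(version, base=None):
    """Constructed sample tree (not a real rule tarball) for trying the check offline."""
    base = base or tempfile.mkdtemp(prefix="so_rules_")
    path = os.path.join(base, "Ubuntu-8.04", "i386", version)
    os.makedirs(path, exist_ok=True)
    open(os.path.join(path, "web-activex.so"), "wb").close()
    return base


if __name__ == "__main__":
    banner = "   Version 2.8.6 (Build 38)\n"  # stand-in for the output of `snort -V`
    engine = engine_version_from_banner(banner)
    stale = build_sample_tree("2.8.5.3")  # rules left over from the old install
    for tree in (stale, build_sample_tree("2.8.6")):
        print(check_so_rules(engine, tree))
```

On a real box replace the banner stand-in with `running_engine_version()` and point `check_so_rules` at your so_rules/precompiled directory; a False result is the same condition that produces the segfault above.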

Fun with profile_rules

I received a rule in my inbox today from StillSecure, and to be honest there wasn't anything wrong with it, but here was the rule:
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ATTACKS HP Digital Imaging ActiveX Control CLSID Access Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"697F5209-0494-11D6-A2B0-0060B0FBD872"; nocase; distance:0; content:"Save"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*697F5209-0494-11D6-A2B0-0060B0FBD872/si";classtype:attempted-user; reference:url,exploit-db.com/exploits/12367;sid:2012881; rev:1;)
So I started thinking about that pcre.  That's a pretty intensive pcre, and what does it do for us?  Checks order and formatting?  Okay.  I can see that, but as an experiment, I wanted to see how much faster that rule would run if you ran it natively in pure content matches.

I wrote the following:
alert tcp $EXTERNAL_NET $HT…
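To actually measure the difference between the pcre version and a pure-content version, Snort's rule profiler has to be switched on. The snort.conf fragment below is an added example, not from the post, and does not reproduce the rewritten rule; it assumes a Snort built with --enable-perfprofiling, without which the option is not available.

```conf
# Added example (not from the post): per-rule profiling in snort.conf.
# Requires Snort built with --enable-perfprofiling.
# print N   -> show the N most expensive rules (or "all")
# sort      -> checks, matches, nomatches, avg_ticks, avg_ticks_per_match,
#              avg_ticks_per_nomatch or total_ticks
config profile_rules: print 10, sort avg_ticks
```

Run the original rule and the content-only version against the same pcap (snort -c snort.conf -r capture.pcap) and compare the Checks, Matches, Microsecs and Avg/Check columns Snort prints at exit; the pcre's cost shows up in Avg/Check on packets that contain "clsid" but never reach the final pattern.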

Reinventing the Mainframe

From IRC today, my friend kraigus said this:
"I don't find it interesting that we're reinventing mainframes; I find it depressing and shittacular that we're just reinventing them, we're reinventing them _poorly_"

The conversation was about data centers and virtualization of machines.

Don't know why, I just liked this statement.
(Reprinted with Kraigus's permission)

PulledPork v0.4.1 released!

New Features/changes:

- Flowbit tracking! This means that when a specific base ruleset is specified (security etc.), flowbit rules are no longer all enabled wholesale; instead all flowbits are tracked, so that only the rules needed to set the flowbits other enabled rules check on get enabled.

- Adjusted pulledpork.conf to account for new snort rules tarball naming and packing scheme, post Snort 2.8.6 release.

- Added option to specify all rule modification files in the master pulledpork.conf file - feature request 19.

- Added capability to specify base ruleset (see README.RULESETS) in master pulledpork.conf file.

- Handle preprocessor and sensitive-information rulesets

Bug Fixes:

- 18 - non-rule lines containing the string sid:xxxx were being populated into the rule data structure; added an extra check to ensure that this does not occur

- Cleaned up href pointers, for syntactical purposes only...

- Modified master config to allow for better readability on smaller console based systems

- Error output was not always returning full error

Be sure and…
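What the flowbit-tracking feature above has to do, in concrete terms: an enabled rule that checks flowbits:isset on a bit can never fire if every rule that sets that bit was disabled by the policy, so those setters must be switched back on, transitively. The script below is an added example of that dependency check, not PulledPork's own code; the ruleset, sids and flowbit names are constructed for the demonstration, and a non-rule comment containing sid: is included to show the kind of line bug 18 was about.

```python
"""Added example, not PulledPork's own code: the flowbit dependency check
the 0.4.1 release note describes, run on a constructed ruleset.

Rules the base ruleset turned off are commented out with '#'. Any enabled
rule that does flowbits:isset (or isnotset) on a bit nobody sets cannot
work, so the disabled rules that set that bit are turned back on, repeating
until nothing changes, because a setter may itself depend on another bit.
All sids and flowbit names below are made up.
"""
import re

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
FLOWBITS_RE = re.compile(r"flowbits\s*:\s*([a-z]+)\s*(?:,\s*([^;]+))?;")
ACTIONS = ("alert", "log", "pass", "drop", "reject", "sdrop")

SAMPLE_RULES = """\
# Constructed sample ruleset for this example; sids and flowbit names are made up.
# A note that mentions sid:999999 but is not a rule and must be ignored.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"EXAMPLE FTP login"; flow:to_server,established; content:"PASS "; flowbits:set,ftp.login; flowbits:noalert; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"EXAMPLE FTP SITE EXEC after login"; flow:to_server,established; flowbits:isset,ftp.login; content:"SITE EXEC"; sid:1000002; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"EXAMPLE FTP binary mode"; flow:to_server,established; flowbits:isset,ftp.login; content:"TYPE I"; flowbits:set,ftp.binary; flowbits:noalert; sid:1000003; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"EXAMPLE SMB tree connect"; flow:to_server,established; flowbits:isset,smb.negotiate; content:"|FF|SMB|75|"; flowbits:set,smb.tree; flowbits:noalert; sid:1000004; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"EXAMPLE SMB negotiate"; flow:to_server,established; content:"|FF|SMB|72|"; flowbits:set,smb.negotiate; flowbits:noalert; sid:1000005; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"EXAMPLE SMB write after tree connect"; flow:to_server,established; flowbits:isset,smb.tree; content:"|FF|SMB|2F|"; sid:1000006; rev:1;)
"""


def parse_rules(text):
    """Return one dict per rule line: sid, enabled, flowbits it sets, flowbits it checks."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        enabled = not line.startswith("#")
        body = line.lstrip("# ")
        # Only real rule lines count; a comment that merely mentions sid:NNN is skipped.
        if not body.startswith(ACTIONS):
            continue
        sid = SID_RE.search(body)
        if not sid:
            continue
        sets, checks = set(), set()
        for op, name in FLOWBITS_RE.findall(body):
            if op in ("set", "toggle") and name:
                sets.add(name.strip())
            elif op in ("isset", "isnotset") and name:
                checks.add(name.strip())
        rules.append({"sid": int(sid.group(1)), "enabled": enabled,
                      "sets": sets, "checks": checks, "text": body})
    return rules


def enable_required_flowbits(rules):
    """Enable disabled setters of every flowbit an enabled rule checks; return the sids turned on."""
    turned_on = []
    while True:
        needed = set()
        for rule in rules:
            if rule["enabled"]:
                needed |= rule["checks"]
        missing = [r for r in rules if not r["enabled"] and r["sets"] & needed]
        if not missing:
            return sorted(turned_on)
        for rule in missing:
            rule["enabled"] = True
            turned_on.append(rule["sid"])


def render(rules):
    """Write the ruleset back out with '# ' in front of the rules that stay disabled."""
    return "\n".join(("" if r["enabled"] else "# ") + r["text"] for r in rules)


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    print("enabled to satisfy flowbits:", enable_required_flowbits(rules))
    print(render(rules))
```

Sid 1000003 sets a bit no enabled rule checks, so it stays off; 1000005 is enabled only because 1000004, itself enabled for 1000006, checks smb.negotiate. That second step is why the loop runs to a fixpoint rather than making one pass.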

New VRT Rulepack changes

There has been a lot of confusion between the rule update packs.  Some people would see "snortrules-snapshot-CURRENT_s.tar.gz" or "snortrules-snapshot-2.8_s.tar.gz" in the rulepack name and not know which one to use, or which version of rulepack to use with which version of Snort, so hopefully this change eliminates that confusion.  The Snort RulePacks are now specific to the version released.

What does that mean for you?

If you are using 2.8.5.3 and are updating to 2.8.6 (recommended)

You need to go into oinkmaster / pulledpork / wget / whatever updater you are using and change the name of the rulepack you are grabbing to the one specific to your environment.  So if you are moving to 2.8.6, you not only need to update Snort to 2.8.6, you also need to change your rulepack name to:

snortrules-snapshot-2860.tar.gz

If you are using 2.8.5.3, and are NOT planning to update to 2.8.6 at this time

You STILL n…

Snort 2.8.6 is released!

[*] New Additions
* HTTP Inspect now splits requests into 5 components: Method, URI, Header (non-cookie), Cookies, Body.  Content and PCRE rule options can now search one or more of these buffers.

  HTTP server-specific configurations to normalize the HTTP header and/or cookies have been added.

  Support for gzip decompression across multiple packets.

* Added a Sensitive Data preprocessor, which performs detection of Personally Identifiable Information (PII).  A new rule option is available to define new PII.  See README.sensitive_data and the Snort Manual for configuration details.

* Added a new pattern matcher and related configurations.  The new pattern matcher is optimized to use less memory and perform at AC speed.

[*] Improvements
* Addressed problem to resolve output obfuscation affecting packets when Snort is inline.

* Preprocessors with memcap settings can now be configured in a "disabled" state.  This allows you to configure that memcap globally, but only enable the preprocessor in …
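To show what the first two additions look like in use, here is a snort.conf fragment with two rules. It is an added example and not part of the Snort 2.8.6 release notes; the ports, threshold, sids and classtypes are illustrative choices, and the rules are not from the VRT ruleset.

```conf
# Added example, not from the Snort 2.8.6 release notes: a snort.conf
# fragment plus two rules using the additions listed above.
# Ports, thresholds, sids and classtypes are illustrative choices.

# Split HTTP into the new buffers and normalize headers/cookies;
# enable_cookie is what actually populates the cookie buffer.
preprocessor http_inspect_server: server default profile all ports { 80 8080 } \
    enable_cookie normalize_headers normalize_cookies

# Sensitive Data preprocessor; mask_output blanks the matched PII in alerts and logs.
preprocessor sensitive_data: alert_threshold 25 mask_output

# Content restricted to the Cookie and Header buffers: "role=admin" has to be in
# the cookie itself, not in the URI or body, so cookie forgery attempts do not
# hide behind a noisy payload.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"EXAMPLE admin cookie presented from outside"; flow:to_server,established; content:"role=admin"; http_cookie; content:"X-Forwarded-For|3A|"; http_header; classtype:policy-violation; sid:1000001; rev:1;)

# sd_pattern: alert when two or more credit card numbers (Luhn-checked by the
# preprocessor) appear in one packet or reassembled stream leaving the network.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE credit card numbers leaving"; sd_pattern:2,credit_card; classtype:sdf; sid:1000002; rev:1;)
```

The http_cookie and http_header modifiers only work when the request went through HTTP Inspect, so the rule must stay on $HTTP_PORTS that the http_inspect_server line covers; the sd_pattern rule needs the sensitive_data preprocessor line or Snort refuses the rule at start-up.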

Backpacks are not people too!

Videos of Sourcefire, by TheAcademyPro

YouTube - SourcefireInc's Channel.

TheAcademyPro does some wonderful videos for us showing some of the aspects of the Sourcefire interface, working with Virtual Machines, just showing how easy it is to navigate around the Sourcefire interface.  If you read my blog and you are a Sourcefire customer, or just a plain Snort user who is interested to see how things work within Sourcefire, check out these videos.

There are a ton of videos in there, how to manage policy, make remediation alerts, etc.  Covering a bunch of different aspects of the Sourcefire interface.  Check it out!

How to make Mail.app go faster

For those of you that use Mail.app for a Mail client on your Mac..  This is one way to speed it up.

Go open your AppleScript Editor and paste this in there:

-- Quit Mail so nothing is writing to the index while sqlite3 works on it
tell application "Mail" to quit

-- Size of the Envelope Index before compaction
set sizeBefore to do shell script "ls -lah ~/Library/Mail | grep -E 'Envelope Index$' | awk {'print $5'}"

-- VACUUM rebuilds the SQLite file and reclaims the space left by deleted mail
do shell script "/usr/bin/sqlite3 ~/Library/Mail/'Envelope Index' vacuum"

-- Size after compaction
set sizeAfter to do shell script "ls -lah ~/Library/Mail | grep -E 'Envelope Index$' | awk {'print $5'}"

display dialog ("Mail index before: " & sizeBefore & return & "Mail index after: " & sizeAfter & return & return & "Enjoy the new speed!")

tell application "Mail" to activate


This script came from here.  However, if you copy and paste it from that website you have to correct all the quotes and single ticks in the whole script.  Hopefully my above paste makes it better.

For background on wh…

Steve Jobs gets a bad rap

I believe Steve Jobs gets a bad rap. Not about being secretive, or being a totalitarian in his management techniques (which, by the way, appear to work, did you see their Q2 numbers?).

But I think he gets a bad rap in his parking.

Yes, his parking.

If you read Mac Gadget blogs, Apple centric webpages, you see things like this.



You would simply think that Steve Jobs goes around parking in handicapped spaces all day.  Totally untrue.  The other day, when I was, ironically, parked in the same space as the red car in the above picture, I saw this and took a picture.



See?  He doesn't always park in a handicapped spot!  Now, the lack of license plate?  That's a different story.

;)

7 Things I'd Love to Change About Meetings | Wise Bread

7 Things I'd Love to Change About Meetings | Wise Bread.

A great article over on Wise Bread consisting of 7 things that they wish they could change about meetings.



Beware of "Posting Meetings"
Abolish Monday Meetings
Finish With A Review of Actions Captured
Make All Meetings "Standing" Meetings
State The Purpose Of Every Meeting At The Start
Bring Back Transit Time!
If You Must Meet, Meet on Tuesday at 3pm

Click through at the above link to read the expansion on these points.

Non-Apple’s Mistake

Loper OS » Non-Apple’s Mistake.

I don't know the guy that wrote this, but I think it speaks volumes.

Apple has a monopoly, it has a monopoly on good products. Apple has the best products because everyone else sucks. Not because Apple is great. It's because the products from everyone else are horrible.

Good article here please click the above link and read.

What is a desktop? What is a server?

See the subject?

Posting this for a discussion on the blog, I was involved in this debate earlier today.  Didn't really participate, I thought it would be a good topic for discussion.

Please leave comments in the comments section below.  What do you define as a desktop, what do you define as a server?

iPad review

My mother in law, whose extent of using the Internet is asking where the big blue "E" is, sat down with my iPad and within five minutes of using it knew how, and was determined that she wanted one. (That is to say that technology is not really her thing; she's a very smart woman.)

My three year old daughter, who has prior computing experience on my iPhone, used my iPad for shy of about 3 seconds and was watching videos and playing games on it.

My wife, who also has an iPhone, works on Windows and Macs everyday started using it right away.

Reminded me of that Staples commercial. "That was easy".

I swore to myself that I would approach this device (writing this blog post on it, on the virtual keyboard too) with an open and objective mind, not to be an Apple fanboy, and really use nothing but this device for, say a week, and really give it a good review. I figure the only way to give a good review about this device is to do just that, and see, once and for all, if you r…

Note To Thieves: People You Rob Use Craigslist Too

A story about a man who, much to his dismay, had his home broken into and several items stolen.  However, he was smart enough to look for his items on Craigslist, and found his computer.

He is still looking for other items, but since he reported the man he got his computer back from, I have a feeling that the rest will turn up soon as well.

At least the thieves didn't wipe his hard drive.

Note To Thieves: People You Rob Use Craigslist Too - Houston Music - Rocks Off.

Google services on the iPad and tablet computers

Google today rolled out their new version of the Gmail web interface specifically for the iPad.  Looks pretty nice.

Nice side by side pane view, similar to the native iPad Mail app.
Read the post below:


Official Google Mobile Blog: Google services on the iPad and tablet computers.

AT&T has some shady billingness going on.

At my company we use a service named "Webex" to do remote presentations and conferencing.  So here you are, you join a Webex session on your iPhone.   See Cisco (the makers of Webex) made an iPhone app where you can view presentations and participate in an online presentation right on the Phone!  It's great!    You sign into a webex, and the webex app says "Hey, you want me to dial the conf number for you", Why sure!  You can dial the number, and then I can pop back over to the webex app!? Phenomenal.  Great technology, great to see it.
So it kicks you over to the Call screen where it proceeds to dial 8664693239 ,,<confcode>,,<attendee id>#  (commas are pauses in the Phone world)
The way Cisco sends the number to the call app inserts that space after the actual phone number, which makes the Phone app format the number as an international one.
So, the iPhone appears to dial the number as +8664693239.  You know what +86 is as a co…

Found footage: the first guy in the iPad line at 5th Avenue Apple Store

Someone should tell this guy that he could have ordered it and had it delivered straight to his house.  Just a thought.
httpv://www.youtube.com/watch?v=B4B3IjHP05o


Found footage: the first guy in the iPad line at 5th Avenue Apple Store.

OAuth access to IMAP/SMTP in Gmail

...another entry from Google on the "Openness" aspect of their solution.  They have implemented OAuth for IMAP/SMTP in Gmail.  So instead of having to hand a 3rd party website your username and password, you can use OAuth to authorize that 3rd party website to access the information in Gmail, and revoke that one site's access later without changing your password.  Nice approach there, I think.

Google Code Blog: OAuth access to IMAP/SMTP in Gmail.

Yale Daily News - ITS delays switch to Gmail

Many universities and businesses have switched to Gmail as an email processing, cloud based platform.  I like a lot of the features of Gmail, ease of access, simple interface.  But I'm not a fan of several things as well.

Yale was thinking about moving to Google Apps as a platform, and said that "everyone was so caught up in wondering how we can do it, and forgot to ask should we do it."

Interesting article.

Yale Daily News - ITS delays switch to Gmail.

Apples iPad: The Mothership Prepares for Launch

Stephen Fry comes to us from time.com regaling us with his tale of his recent visit to 1 Infinite Loop.  Stephen Fry is a great writer and tells a story about how he met and interviewed Phil Schiller, Eddy Cue, and Steve Jobs.  Then he tells us about his instant love for the iPad.

Many articles have been published about the iPad this morning that came up in my RSS reader.  I read Walt Mossberg's, I read Andy Ihnatko's.  Stephen Fry's didn't just tell a tale about the iPad, it told a tale about the design of it, the use of it, and the love affair he now has with it.

I have pre-ordered one, as I unabashedly like Apple products and clearly see a potential for this device (and as of this morning it has left China).  I'll be posting my own review of the device here for family, friends, and blog readers alike.

I have several family members waiting patiently to see what I think of it before they buy.

Check it out at the link below:

Apples iPad: The Mothership Prepares for Launc…