Tuesday, November 30

Sorry for the lack of posts, I've been particularly busy.

Been pretty busy lately with my two full-time day jobs at Sourcefire.  The good news is, if you are a Snort user, that I am working on a lot of things that will not only make our community better, but improve how Sourcefire interacts with that community and allow us to move forward in a more progressive manner.

Aside from Sourcefire/Snort stuff, the shop that is restoring my Mustang is almost done (I should get it back this week, and when I do, I'll post pics), and I'm working on the shop's website too (as the old one needed some TLC).  I got with the owner and we decided to redo the whole thing, so I am doing that in my spare time as well.

Thank you Squarespace!

I'm also tightening up another website for another company (a car alarm company) that I do a bit of consulting/marketing for.  So, it feels like I am buried in HTML lately.

On top of all of that, my son is doing well, my daughter is awesome and my wife's Grandmother died this past week, so we are all dealing with that as well.

Busy Busy Busy.  I've got a few posts lined up in the pipeline, not only for this blog but for another blog I am starting, so when that all comes together, stay tuned!

Tuesday, November 23

"So I have this IDS now what?" presentation at BSidesDE

Joel Esler, so I have this IDS now what BSidesDE1 on USTREAM. Conference.

Above is a link to my presentation from BSidesDelaware a couple weeks ago.  For some reason the audio and video are like 5 minutes off, but the presentation (for the most part) is intact.

Monday, November 15

New Role at Sourcefire

This is just an announcement to let the users of our OpenSource products know that we have a new community manager here at Sourcefire.

Over the past year or so, Mike Guiterman, our former Community Manager, has taken on a different role within Sourcefire.  In the meantime, I've been filling some of the void.

For those of you that weren't able to make the Snort Rally/Pig Roast this past Friday at Sourcefire HQ, I have been officially assigned the role of Sourcefire's OpenSource Community Manager.

I know many of you, but for those who I don't: I came from the OpenSource community, working for the government using Snort in actual deployments.  I submit rules to the VRT, and was one of the original submitters to BleedingSnort (now Emerging Threats).  I've worked with both the OpenSource community and with our corporate customers since I came to Sourcefire, giving me first-hand knowledge of how the community plays a vital role in the direction, development, and QA of our products.

I'll be focusing on product innovation in our OpenSource projects, as well as:

  • Communicating with the communities.

  • Being available to answer questions and receive comments.

  • Coordinating the release of OpenSource project software.

  • Providing whitepapers and instructional materials on our software.

  • Acting as the go-between for the OpenSource communities and Sourcefire software developers, including receiving OSS feature requests and bugs, entering these into our internal bug tracking system, and following up with the submitters.

  • Snort-Groups: standing these back up, both virtually and in person.

  • Speaking about our software at events and shows.

I have several projects in mind already, but the first thing is that I want to hear from you: suggestions, ideas, complaints, and compliments.

  • How we can make things better.

  • Problems with Snort, ClamAV, DaemonLogger, or Razorback

  • Features you'd like to see with these projects

  • What isn't working now?

  • What is working now!

  • How can we make bug tracking more efficient?

  • How can we make False positive submissions better?

  • What can we put out (in terms of training and whitepapers) for better understanding and results?

  • ???

Let me hear it.  Email me directly at  I want to be able to track your ideas so I can write you back when we make movement.

I'll summarize your submissions in a blog post in the future and let everyone know where we are at with the progress of these great ideas.

I'd like to thank people both internally at Sourcefire and the community for building the community into what it is today, and I look forward to a great future!  Also thanks to Mike Guiterman for his years of hard service working with our OpenSource communities.

For Razorback(tm) please continue to submit feature requests and any other Razorback items to the Razorback Trac at:

And for Nugget related items please use:

You can, of course, also use the mailing lists for Razorback and the Nugget Farm.

Tuesday, November 2

Security B-sides Delaware tickets are almost gone!

If you are in the area (or even if you aren't, I know of people traveling a pretty good distance to get here) and you haven't got your ticket for Bsides DE yet, you may want to get on it.

The first round of tickets is all gone, and there are only 40 of the extension tickets left.

I'm speaking at 1:00, right after lunch.  See the speaker's schedule here.  But anyway, if you haven't got your tickets yet, you might want to hurry up and grab them from here.  Cost?  Free.

Archiving Emails in, there's an app for that.

If you are using on OSX, this post is for you.

It's been well known to people that read my blog that I am an Inbox-Zero ninja, and generally pride myself on my ability to get through vast amounts of email quickly because of the system that I have refined over the past several years of experimenting.

Techniques in Archiving

One of the things about Inbox Zero is the ability to quickly move an email out of your "Inbox" and into another folder.  If you sort your emails that come into your Inbox by topic or subject or whatever, different folders may do good things for you.  For instance I have a folder where all Snort related email goes.  The three Snort mailing lists go straight to my inbox where I read most of them and then file them away using a keyboard shortcut.  Other Snort related mailing lists just go straight to this box, leaving me with only the important ones in my inbox.

Most traffic from the 40 or so listservers that I belong to goes straight to a "listserver" folder, where I can deal with it later.  You get my point.

But everything that I don't filter is in my inbox, which usually nets me about 200 emails a day that I need to deal with.  When I read an email, I have several possible outcomes.

  • Delete it

  • Archive it (if I need it later)

  • Respond to it (if it takes less than 2 minutes to accomplish this task)

  • Delegate it (if I am not the appropriate person to deal with "x" email)

  • Make a todo to deal with it later.

Delete it

Duh.  I don't do enough of this.

Archive it.

This is the meat of the post, and kind of the point of writing this article.  I am a firm believer in leaving your hands on the keyboard if possible.  Learning the keyboard shortcuts in your favorite app will not only save time, but it also keeps your hands where you need to be doing work: on the keyboard (instead of continually reaching for your mouse).  There are keyboard shortcuts for almost anything in OSX, and if you can't find one, or the menu command doesn't have a keyboard shortcut, you can make a keyboard shortcut to do what you want in Snow Leopard.  Heck, there are keyboard shortcuts in Gmail (learn 'em!).

Now, how do you do this in? Well, there is a little app called "Archive" that will allow you to do this.

Archive.  Archive allows you to do exactly that: archive the email that you are presently on.  It creates a folder in each of your email accounts named "Archive", and when you mash the shortcut in your inbox, it puts the email that you have highlighted in the appropriate Archive folder.  Simple, clean, done.

There is also Mail Act-On, which I've talked about before here.  It is a nice little app if you need to do more advanced things than Archive, but for 99% of you, check out Archive; it does what you need.

Respond to it

If I think it'll take less than 2 minutes to respond to the email that I am currently reading, I'll bang out a response.  I try not to bang out a "quick" response "just to keep the ball moving", as Kevin Rose says.  I try to write out a thorough response.  My point in doing this is to eliminate further email by providing any answers I can, and by asking the appropriate questions so that the response to my email contains exactly what I need it to, so that nobody wastes more time because I wasted theirs with a short, terse, banged-out email.

Delegate It.

Otherwise known as the "Forward" button.  I get a ton of email, not all of it appropriate for me to handle: some needs to go to our web team, some needs to go to our research team, but it comes to me, because I "handle" the email, as opposed to ignoring it.  I don't mind being the conduit through which people communicate; at least I know things are getting done, and I have a pulse on what is going on.

Todo It.

If the email contains an action that I need to perform, but I can't do it right now, I have a keyboard shortcut that allows me to highlight a section of text, mash the shortcut, and OmniFocus will grab the highlighted input that I selected and make a Todo out of it, along with a link in OmniFocus back to the email that generated it.  (This is called "Clipping" for you OmniFocus nerds; get ON IT.)  I quickly set a context (email) and a due date.  Then I go on to the next email.  Every day, I get to the bottom of the "Todo"s that are due that day, and that includes the thoughtful emails.

Matter of fact, writing this post about "Archive" was a Todo.

Let me go mark it done.

BTW -- Inbox Zero comes from Merlin Mann.  I'm not stealing his work.  It's insightful.  He rocks. and