

Showing posts from 2011


I'm basically putting this post up for Google to index it and maybe it'll help some people solve the problem in the future.

PortVar Lookup failed on '$FILE_DATA_PORTS'

If you came to this blog post by searching for the above error, or if you have the above error in Snort, you should read this post on the VRT blog that we wrote.  It'll help solve your problem:

There. Check that out.

MacOSX Flashback Trojan is covered by ClamAV

So called because it masquerades as an Adobe Flash installer. There is a ton of news about this Trojan on various Mac-related websites.

We wrote protection for this in ClamAV about 5 days ago.  I know a lot of Mac users run ClamAV, so I just thought I'd throw this out there.

Please leave comments below.

Apple - Remembering Steve Jobs


One more thing...
Apple today put up a "Remembering Steve" site, where you can go and read emails from the people that wrote in at
Nice tribute. Apparently today the Apple employees are attending a "remembrance" service for Steve, which won't be broadcast to the world. Too bad, I am sure many would have watched it.


E-mail improvements in iOS 5 - iPhone J.D.


Sorry, a link to another interesting iOS 5 article. Sorry if I am not adding a bunch of color commentary to each of these articles. I am blogging them because I think they are of interest to the readers of my blog. (Most of you, according to the stats, run OSX.)
I am sure some of my friends will accuse me of trying to draw hits to my blog instead of twittering about the article directly. Here's the truth to that: When I post to my blog, Twitter picks up the article and tweets it immediately. If I don't post to my blog and only to twitter, the readers of my blog through direct links and RSS feeds won't get the article.
So it's a loss either way. So I post on the blog, and it goes to both.
Anyway... read the article. ;)


My Dinner With Android - Four months with Android: reflections, grievances and some tenuous metaphors bundled up into a weighty tome


Interesting article, no matter if you are an Android user or an iOS user. He makes a couple of interesting points in the article. One being that you can't approach Android like you are using iOS; it just doesn't work like that. Vice versa as well.
I have a friend that has had an Android phone for awhile, and recently moved to the iPhone 4S. We were talking yesterday and he mentioned to me that it was very strange. I answered him saying that you can't approach iOS like you do with Android.
Another quote from the article that is pointed:
"Fans of Android, let’s not tiptoe around this: Android exists because it is a rip off of iOS. Sure, it has grown into its own in a lot of ways, but its roots are decidedly placed at the introduction of iOS in 2007. Consider the before and after that caused a stir last year. Things changed when the iPhone cam…

Bad-Lip Reading

Tremendous work.

More here


Steve Jobs

Over the next few days, there will be countless specials, newscasts, and thrown-together documentaries about Steve Jobs and Apple.

Everyone will be focusing on his products. The iPod, iPhone, the personal computer, and the iPad. This was a part of his legacy, but not his genius.

His genius was how all the products worked together in a single coherent strategy (iCloud is a perfect example). Making everything work together seamlessly. Simply.

So that my two-year-old could operate it, as well as my 75-year-old Dad.

You could interact with any of the products without an instruction book.

I think the best example of that is Siri. Being able to interact with your devices in a natural language way.

His genius was how everything was simple. The packaging, the website, the buying experience, the product, the operation, the genius bar. The way Apple itself functioned.

This was his genius. He was a visionary in the best way.

Call me a fanboy all you want.

He was smart. He demande…

Let's just assume this pcap is bad...mkay?

Alerts (, 4924362.pcap)
1:18347:3 BLACKLIST USER-AGENT known malicious user-agent string AutoIt Alerts: 4
1:19734:1 BLACKLIST DNS request for known malware domain Alerts: 2
1:16816:5 BOTNET-CNC known command and control channel traffic Alerts: 1
1:18762:1 BLACKLIST URI request for known malicious URI /blog.updata?v= - Win32-Agent-GRW Alerts: 1
1:17834:3 BLACKLIST DNS request for known malware domain Alerts: 1
1:16815:4 BOTNET-CNC known command and control channel traffic Alerts: 1
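A summary like the one above (rule ID, message, alert count) is what you get by tallying Snort's alert_fast output per gid:sid:rev. The block below is an added example, not code from the original post or from Snort itself: it parses a handful of constructed alert_fast lines (the timestamps, rule IDs and hosts in the sample are made up for the example; the hosts are documentation addresses) and prints the per-rule counts in the same layout. Lines that are not alerts are skipped, and the message shown for a rule is the one from the first alert seen for that rule.

```python
import re
from collections import Counter

# Snort "alert_fast" format, one alert per line:
#   <timestamp>  [**] [gid:sid:rev] <message> [**] [Classification: ...] [Priority: N] {proto} src:port -> dst:port
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
)


def parse_fast_alert(line):
    """Return ("gid:sid:rev", message) for one alert_fast line, or None if the line is not an alert."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    rule_id = "%s:%s:%s" % (m.group("gid"), m.group("sid"), m.group("rev"))
    return rule_id, m.group("msg")


def summarize_alerts(lines):
    """Count alerts per rule.

    Returns a list of (rule_id, message, count), most frequent rule first;
    ties are broken by gid, then sid, then rev so the output is deterministic.
    """
    counts = Counter()
    messages = {}
    for line in lines:
        parsed = parse_fast_alert(line)
        if parsed is None:
            continue  # not an alert line (e.g. blank line or other output)
        rule_id, msg = parsed
        counts[rule_id] += 1
        messages.setdefault(rule_id, msg)  # keep the message from the first hit

    def sort_key(item):
        rule_id, count = item
        gid, sid, rev = (int(x) for x in rule_id.split(":"))
        return (-count, gid, sid, rev)

    return [(rid, messages[rid], n) for rid, n in sorted(counts.items(), key=sort_key)]


def format_summary(summary):
    """Render the summary in the same 'gid:sid:rev message Alerts: N' layout as the post."""
    return "\n".join("%s %s Alerts: %d" % (rid, msg, n) for rid, msg, n in summary)


# Constructed sample alert_fast lines for the example (not taken from the pcap above).
SAMPLE_ALERTS = """\
10/13-14:22:01.100000  [**] [1:18347:3] BLACKLIST USER-AGENT known malicious user-agent string AutoIt [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.0.2.10:49152 -> 203.0.113.7:80
10/13-14:22:01.200000  [**] [1:19734:1] BLACKLIST DNS request for known malware domain [**] [Classification: A Network Trojan was detected] [Priority: 1] {UDP} 192.0.2.10:53123 -> 192.0.2.1:53
10/13-14:22:02.300000  [**] [1:18347:3] BLACKLIST USER-AGENT known malicious user-agent string AutoIt [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.0.2.10:49153 -> 203.0.113.7:80
10/13-14:22:03.400000  [**] [1:16816:5] BOTNET-CNC known command and control channel traffic [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.0.2.10:49154 -> 203.0.113.9:8080
this line is not an alert and is skipped
10/13-14:22:04.500000  [**] [1:19734:1] BLACKLIST DNS request for known malware domain [**] [Classification: A Network Trojan was detected] [Priority: 1] {UDP} 192.0.2.10:53124 -> 192.0.2.1:53
"""

if __name__ == "__main__":
    # Typical use: snort -r 4924362.pcap -c snort.conf -A fast, then feed the alert file in.
    print(format_summary(summarize_alerts(SAMPLE_ALERTS.splitlines())))
```

With the sample input this prints the AutoIt user-agent rule and the malware-domain DNS rule with two hits each, followed by the BOTNET-CNC rule with one. Counting hits per rule is a quick triage step; whether the pcap is actually "bad" still comes down to which rules fired, not how many times.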


Steve Jobs Resigns as CEO

Daring Fireball: Resigned:
I think the link above says exactly what I think about it.
We knew Steve was going to resign. Tim Cook has been running the company for a while now in transition, and now the title has changed hands.
Steve is still there, the people he has put in place are still there, and his ideas are still there.
Just the titles changed.

iSec Partners' presentation on "Macs in the Age of APT"

Interesting slide deck here if you are interested in OSX vs. Windows security. I'd like to see Dino Dai Zovi's take on the slide deck.

Related: Dino's recent iOS 4 security evaluation slides and whitepaper (written in Pages ;)

1st Review of my Gfirst 2011 talk

Nice review of my Gfirst 2011 talk.
Chris Sanders » GFIRST 2011 Presentation Slides, Code, and Thoughts:
"This talk was presented by Joel Esler of Sourcefire. Joel is a really smart guy and a great presenter and he didn’t disappoint. My big take away from this one was his discussion of Razorback, which I really think is going to be one of the next big things in intrusion detection. I think a lot of the crowd missed the point on this. There were a lot of complaints because of the amount of legwork required to integrate the tool, but I think most of those people were overlooking the early stage the tool was in and the potential impact of the community released nuggets and detection plugins. I played with Razorback when it was first released and look forward to digging into it again once some of the setup and configuration pains are eased. I’ve already thought of quite a few nuggets that I could possibly write for it."

Thanks Chris!


Android isn't free, unless you are the end user.

Android isn't free.

Apparently Google has found out that a free OS isn't free.  It's going to cost you legal fees.  Being sued by everyone under the sun, Google has found itself in a sticky predicament, and has to defend itself with patents.  However, Apple still holds the patent on multitouch, so we'll have to see how that all works out.

So they bought Motorola Mobility.  Yes. That division of Motorola that almost shut down and is nearly bankrupt -- and they paid 12.5B for it.  Srsly.

Even Ballmer said Android isn't free, a while ago.

Unless you are the end user, when you can download and compile Android "for free" for use on your phone.

Should be interesting.


What have I been up to?

Well, as promised, I haven't written a post in a while.  I've been really, really busy, so I'll give you a crash course on what I've been doing that's kept me busy, and thoughts about things that have come to market in the past month or so.

1)  My Mother passed away.  As anyone who has had this happen knows, it's a pretty hard time, emotionally, as well as just, all the stuff you have to do.  Writing your own mother's obituary isn't necessarily a good time.  Selecting what she's going to wear, the casket, ...  just a lot.  The people that have written me and talked to me face to face have been great and I thank you all very much.

2)  VRT.  April 1st I moved to the Vulnerability Research Team at Sourcefire.  I'm one of the many other analysts responsible for writing Snort (and now recently ClamAV!) rules to detect the known, and the unknown.  It's a difficult job, it's challenging, it's fun, and it's busy.  I currently have over 100 bug…

Apple iCloud: How vs What

A well-written piece by Jean-Louis Gassée.
Bit of background for those of you that don't remember: Back in 1985 Steve Jobs was in a fight with John Sculley, Apple's then-CEO. (This was shortly after the Macintosh, Steve Jobs's baby, came to market.) At the end of this power struggle Sculley relieved Jobs of his duties as the head of the Macintosh Division, and Jobs sold all his stock in Apple (save for one share) and left the company, eventually buying Pixar and starting NeXT Computer.
Well, after Steve Jobs left, Sculley appointed Jean-Louis Gassée to head the Macintosh division. Just an interesting tidbit there.
There are a couple of tidbits that I thought were very good in this article, namely the points that I've been struggling with a bit, so I'll outline those.
Google Docs -- Everything is stored in the cloud, accessible via the browser, and you can work on a single docum…

Mac OS X Lion beta reveals "Restart to Safari" browser-only mode

From Engadget.
As the article says, in OSX Lion there is apparently a way to reboot your machine into "browser only" mode. Could be useful in a couple of situations.
A) If you are going to leave your computer unattended, maybe at home, and you want to allow people to check their email. B) Kiosk mode. Maybe a computer sitting in a public area?
I don't think they are going for a play against ChromeOS here as the article sort of implies. Either way, interesting.

Apple's "known bad" Xprotect file is now automatically updated

Very technical term I used there in the subject.. I know.

Apple just released Security Update 2011-003, in which they check for the MacDefender malware, which I wrote about here.  But the most interesting part of the update is this paragraph:

File Quarantine
Available for:  Mac OS X v10.6.7, Mac OS X Server v10.6.7
Impact:  Automatically update the known malware definitions
Description:  The system will check daily for updates to the File Quarantine malware definition list. An opt-out capability is provided via the "Automatically update safe downloads list" checkbox in Security Preferences. Additional information is available in this Knowledge Base article.

So apparently Apple has built an automatic updater into their anti-malware file; in its most basic form, this gives Apple the ability to directly protect their OS against the newest malware.

If you don't know what I am talking about when I say "anti-malware file"  I su…

Speaking Engagements

This past week I was invited to come speak at ISOI9 in Sterling, VA.  The talk seemed to go over rather well, and while I didn't get a lot of questions in the presentation, I got a ton of questions afterwards out in the hall.

This coming week I'll be down at the Richmond Area Virginia Linux User Group.  The coordinators of the group were kind enough to invite me down to talk about Sourcefire and the OpenSource company that we are.

If you are in the Richmond, VA area, be sure to come out!

I have another speaking engagement in August as well, but I'll blog about that when it gets a bit closer to the time.

If you are interested in coming to the meeting this week, it's on Tuesday, May 17th at 6pm.

Register here:


Locking your screen on OSX

A friend of mine tipped me to this (thanks @englishlfc).  People have asked me in the past how to lock your screen (start your screen saver) using a keyboard shortcut on OSX.

On Windows you can mash Windows-L and it will lock your screen.  Or Ctrl-Alt-Del, Enter.  (God it pains me to watch people hit Ctrl-Alt-Del and then MOUSE to "Lock Screen"... GRR!!)

My solution in OSX has always been to set the bottom left corner of my screen to "activate screen saver".  Then I could just move my mouse to that corner, and voilà, locked screen.  (Starting the screen saver only locks the screen if "Require password after sleep or screen saver begins" is turned on in the Security preference pane; without that, the screen saver dismisses on the next keystroke.)

But @englishlfc was looking to do the same thing with the keyboard, and there are a ton of ways of doing it in AppleScript, but it's even easier with Automator.

So, go open Automator, and select new "Workflow".

You'll get a blank screen that looks like this:

Select "Utilities on the left, and then find "Start Screen Saver" in the next column:

Drag "Start Screen Saver" over to the…

First 2011 Snort Webcast Registration is Open!

Just wanted to announce that Registration for the first 2011 Snort Webcast is now open at the following link:

Our presenter is Nick Moore of Sourcefire and he'll be presenting the first of a two-part series on getting started with Snort: how to set it up, get it running, and work with traffic.

When you click on the above link, you will see a "Register" link on the left-hand side of the page.  Click that for pre-registration.

What does pre-registration get you?  Reminders.  You'll receive a reminder the 11th (Monday) and an hour before we begin so you'll be sure to remember to attend.

The registration form only asks for a couple of things so we can remind you about the event.  Registering for the event does not mean that you will start to receive sales information; we're simply using the information for numbers (how many registered, how many attended).

Topic: Snort Webinar Tr…

Time to move on to a new job.

For the past almost six years, my employment at Sourcefire has been great.  I've worked in Professional Services, going around to over 150 customers, educating them on Sourcefire, the product, the GUI, detection, and all the awesome that is, but..... it's time for me to move on.
I accepted a position last October with Sourcefire, being in charge of OpenSource Community Management, in charge of coordinating the communities themselves and being the liaison between the communities and the company (Sourcefire) for all OpenSource products.  This has been great.
Well, I'm pleased to announce that, I am retaining this new role as I go, so I will still be the OpenSource Community Manager for Sourcefire.  
Where am I moving to?  A company you may have heard of: Sourcefire.
That's right, I'm staying right here.  Effective today, I'm moving out of Sourcefire's Professional Services team and moving to the Vulnerability Research Team (VRT), the team at Sourcefire that is resp…

To the Cloud! (with the blog)

Some of you may have noticed that my blog looks a bit different.  
I moved it from my own server and put it up on Google's Blogger hosting service.  I had it up on Blogger about a year ago, and in retrospect can't think of why I took it and put it on my own server.  Experimenting I guess.
In the meantime there are going to be a lot of 404 links for really long URLs and URLs that have strange characters in them.  They'll 404 themselves out of the search engines and be reindexed soon I hope, so I'm not too terribly concerned.  
If you came to my blog on a search query (which about 50% of you do), and your search resulted in a 404, then take a look at the archives, or use the search box.

Suspicious Domains related to Japan Disaster

With every disaster that takes place, one of the things that I do is start to watch the domain names being registered on the internet in relation to the event.

For instance, "earthquake", "Tsunami", Haiti, Chile, and now, Japan.

We mourn for all of those that lost loved ones in each of the disasters, and I feel very sorry for those that have lost everything.  Homes, cars, valuable pictures of your loved ones, family history, and the families themselves.  I am quite sure there are examples where entire families may have been lost to this most recent tragedy.

It's despicable that a malicious person would register a domain, and set up a webpage to receive donations, only to keep the money themselves, or fund $bad_thing.  Absolutely disgusting.

I was taking a look through my list for this morning (I get a list every day), and looking at some of the examples.  A lot of the names you wouldn't even think, just by looking it, that it would be bad.  Examples like "redc…

Mac OS X Lion iChat supports Yahoo Messenger video and voice chat

As the article title states, Apple's iChat client on OS X 10.7 Lion supports Yahoo Instant Messenger, adding to support for AIM, GChat, and standard Jabber.

This is a welcome addition and stands to keep chipping away at the other major Instant Messenger clients, but why are there two separate video chat clients for the Mac? (FaceTime, iChat)

It would seem to me that it would make more sense to combine these two.

FaceTime traverses NAT (etc.) better than iChat
FaceTime uses less bandwidth
FaceTime is now "HD" (as Apple calls it), leaving the "quality" issue behind (iChat's resolution was better than FaceTime, as FaceTime is faster on the network)
However, iChat does support up to 3 video calls at once (and like, 10 audio)

Anyway, I hope they fix this before OS X 10.7 is finally released.  I'd love to have one app that covered both IM and mobile video chat.

Appleinsider has a great breakdown featuring some nice videos of OSX7 on their site here and here.  C…

Rude People

Okay, so there I am waiting in line, directly between two people, and I am sitting on my suitcase. The lady in front of me has a space between her and the person in front of her of about 4 feet. Plainly visible. No excuses.

So this guy decides to take it upon himself to try and cross the line, not in the big ass 4 foot space that everyone else crossing the line is passing through, but directly between me and the lady in front of me. Rudely.

He squeezes by in such a way where he bumps my suitcase, sending it, and me crashing to the floor where I wind up on my ass.

He starts to apologize profusely.

I get up, say nothing, and sit back down on my suitcase.

He proceeds to apologize again, he looks around, looks at his ticket, then walks BACK through the line, in the big ass 4 foot space.


H.264 is being dropped from Chrome

Chromium Blog: HTML Video Codec Support in Chrome.

Key sentence from above article:

"Though H.264 plays an important role in video, as our goal is to enable open innovation, support for the codec will be removed and our resources directed towards completely open codec technologies."

Key comment from Slashdot on above article:

"This serves two strategic purposes for Google. First, it advances a codec that’s de facto controlled by Google at the expense of a codec that is a legitimate open standard controlled by a multi-vendor governance process managed by reputable international standards bodies. (“Open source” != “open standard”.) And second, it will slow the transition to HTML5 and away from Flash by creating more confusion about which codec to use for HTML5 video, which benefits Google by hurting Apple (since Apple doesn’t want to support Flash), but also sucks for users."

Google, just when I started to like you again.  I turned away from you for about a year and a hal…

iPhone 4 goes to Verizon too.

Finally, after long last, the iPhone is coming to Verizon.

I probably could go on ad nauseam about the new iPhone, but I'll just cover the bullet points:

The antenna is redesigned, and as a result the buttons are moved slightly down on the left, so some cases may not fit.
CDMA, not LTE.  Which means you can't talk and surf at the same time. (Feature that I use a lot)
You can use the iPhone as a wifi hotspot (so like a mifi) for up to 5 devices.  Nice.
Coming February 10th for GA.  Advanced ordering for Verizon Customers on Feb 3.
Otherwise, it's the iPhone 4.

This will be nice.

Seven Cool Open Source Projects for Defenders

TaoSecurity: Seven Cool Open Source Projects for Defenders.

Richard Bejtlich wrote this good post over on his blog, a few good OpenSource tools to defend your networks with.  He talks about the newest updates with:

Ruminate IDS
Security Onion
Suricata IDS

Richard does pay me a kind compliment, so thank you Richard.  Take a look at his post and try some of the tools out.

A Year in Reflection

I am reading all these posts on reflection on 2010 and accomplishments for this year.

Yes, I accomplished a lot for this year.  Lots and Lots of work stuff.  But I accomplished one thing that eclipses all else.

I have a beautiful family with an awesome wife and two beautiful kids.

Happy New Year everyone.  Well wishes for 2011.