Saturday, November 5


I'm basically putting this post up for Google to index it and maybe it'll help some people solve the problem in the future.

PortVar Lookup failed on '$FILE_DATA_PORTS'

If you came to this blog post by searching for the above error, or if you have the above error in Snort, you should read this post on the VRT blog that we wrote.  It'll help solve your problem:

There. Check that out.

Friday, November 4

Thursday, October 20

Wednesday, October 19

MacOSX Flashback Trojan is covered by ClamAV

So called because it looks like an Adobe Flash installer. There seems to be a ton of news around this Trojan on various Mac-related websites.

We wrote protection for this in ClamAV about 5 days ago.  I know a lot of Mac users run ClamAV, so I just thought I'd throw this out there.

Please leave comments below.

Apple - Remembering Steve Jobs

Apple - Remembering Steve Jobs:

One more thing...

Apple today put up a "Remembering Steve" site. Where you can basically go and read emails from the people that wrote in at

Nice tribute. Apparently today the Apple employees are attending a "remembrance" service for Steve. Apparently this won't be broadcast to the world. Too bad, I am sure many would have watched it.


E-mail improvements in iOS 5 - iPhone J.D.

E-mail improvements in iOS 5 - iPhone J.D.:

Sorry, a link to another interesting iOS 5 article. Sorry if I am not adding a bunch of color commentary to each of these articles. I am blogging them because I think they are of interest to the readers of my blog. (Which, according to the stats, most of you run OSX.)

I am sure some of my friends will accuse me of trying to draw hits to my blog instead of twittering about the article directly. Here's the truth to that: When I post to my blog, Twitter picks up the article and tweets it immediately. If I don't post to my blog and only to twitter, the readers of my blog through direct links and RSS feeds won't get the article.

So it's a loss either way. So I post on the blog, and it goes to both.

Anyway... read the article. ;)


My Dinner With Android - Four months with Android: reflections, grievances and some tenuous metaphors bundled up into a weighty tome

My Dinner With Android - Four months with Android: reflections, grievances and some tenuous metaphors bundled up into a weighty tome:

Interesting article, no matter if you are an Android user or an iOS user. He makes a couple of interesting points in the article. One being, you can't approach Android like you are using iOS, it just doesn't work like that. Vice versa as well.

I have a friend that has had an Android phone for awhile, and recently moved to the iPhone 4S. We were talking yesterday and he mentioned to me that it was very strange. I answered him saying that you can't approach iOS like you do with Android.

Another quote from the article that is pointed:

"Fans of Android, let’s not tiptoe around this: Android exists because it is a rip off of iOS. Sure, it has grown into its own in a lot of ways, but its roots are decidedly placed at the introduction of iOS in 2007. Consider the before and after that caused a stir last year. Things changed when the iPhone came out. Apple changed the mobile phone game, and Google did a one-eighty to realign with what they recognized to be a better direction."

Wednesday, October 5

Steve Jobs

Over the next few days, there will be countless specials, newscasts, and thrown-together documentaries about Steve Jobs and Apple.

Everyone will be focusing on his products. The iPod, iPhone, the personal computer, and the iPad. This was a part of his legacy, but not his genius.

His genius was how all the products worked together in a single coherent strategy (iCloud is a perfect example). Making everything work together seamlessly. Simply.

So that my two year old could operate it, as well as my 75 year old Dad.

You could interact with any of the products without an instruction book.

I think the best example of that is Siri. Being able to interact with your devices in a natural language way.

His genius was how everything was simple. The packaging, the website, the buying experience, the product, the operation, the genius bar. The way Apple itself functioned.

This was his genius. He was a visionary in the best way.

Call me a fanboy all you want.

He was smart. He demanded brilliance. He settled for nothing less than awesome.


Tuesday, October 4

Let's just assume this pcap is bad...mkay?

Alerts (, 4924362.pcap)
1:18347:3 BLACKLIST USER-AGENT known malicious user-agent string AutoIt Alerts: 4
1:19734:1 BLACKLIST DNS request for known malware domain Alerts: 2
1:16816:5 BOTNET-CNC known command and control channel traffic Alerts: 1
1:18762:1 BLACKLIST URI request for known malicious URI /blog.updata?v= - Win32-Agent-GRW Alerts: 1
1:17834:3 BLACKLIST DNS request for known malware domain Alerts: 1
1:16815:4 BOTNET-CNC known command and control channel traffic Alerts: 1


Friday, September 30

QR Codes Found Sending Users to Site Containing Android Trojan | threatpost

QR Codes Found Sending Users to Site Containing Android Trojan | threatpost:

It really sucks that Android is taking a beating on the malware front. I guess that's the difference between the walled garden (iPhone) approach and the "free for all" approach (Android).


Ninja Turtles: Hey Apple App reviewers, you let one slip through

App Store - Ninja Turtles

This is pretty funny, read the review on it. However, the funniest part to me is the background in the screenshots.

It's the original Contra.

Wednesday, September 14

IDC: Apple's iPad 2 took market share from Android tablets in Q2 2011

AppleInsider | IDC: Apple's iPad 2 took market share from Android tablets in Q2 2011

Dear IDC, your headline is wrong. You meant to say "Android tablets lost more ground to Apple's iPad 2"

You can't take market share away from someone when you already own the whole market.

Wednesday, August 24

Steve Jobs Resigns as CEO

Daring Fireball: Resigned:

I think the link above says exactly what I think about it.

We knew Steve was going to resign. Tim Cook has been running the company for awhile now in transition, and now the title has changed hands.

Steve is still there, the people he has put in place are still there, and his ideas are still there.

Just the titles changed.

Saturday, August 20

Microsoft courting webOS developers with free phones

AppleInsider | Microsoft courting webOS developers with free phones

Fantastic idea Microsoft:

"To Any Published WebOS Devs: We'll give you what you need to be successful on #WindowsPhone, phones, dev tools, and training, etc.," Watson wrote on Twitter.


Wednesday, August 17

iSec Partners' presentation on "Macs in the Age of APT"

Interesting slide deck here if you are interested in OSX vs. Windows security. I'd like to see Dino Dai Zovi's take on the slide deck.

Related: Dino's recent iOS 4 security evaluation slide and whitepaper (written in Pages ;)

1st Review of my Gfirst 2011 talk

Nice review of my Gfirst 2011 talk.

Chris Sanders » GFIRST 2011 Presentation Slides, Code, and Thoughts:

"This talk was presented by Joel Esler of Sourcefire. Joel is a really smart guy and a great presenter and he didn’t disappoint. My big take away from this one was his discussion of Razorback, which I really think is going to be one of the next big things in intrusion detection. I think a lot of the crowd missed the point on this. There were a lot of complaints because of the amount of legwork required to integrate the tool, but I think most of those people were overlooking the early stage the tool was in and the potential impact of the community released nuggets and detection plugins. I played with Razorback when it was first released and look forward to digging into it again once some of the setup and configuration pains are eased. I’ve already thought of quite a few nuggets that I could possibly write for it."
Thanks Chris!


Android isn't free, unless you are the end user.

Android isn't free.

Apparently Google has found out that a free OS isn't free.  It's going to cost you legal fees.  Being sued by everyone under the sun, Google has found itself in a sticky predicament, and has to defend itself with patents.  However, Apple still holds the patent on multitouch, so we'll have to see how that all works out.

So they bought Motorola Mobility.  Yes. That division of Motorola that almost shut down and is nearly bankrupt -- and they paid 12.5B for it.  Srsly.

Even Ballmer says Android isn't free.  Awhile ago.

Unless you are the end user, when you can download and compile Android "for free" for use on your phone.

Should be interesting.


Friday, July 29

What have I been up to?

Well, as promised, I haven't written a post in awhile.  I've been really really busy, so I'll give you a crash course on what I've been doing that's kept me busy, and thoughts about things that have come to market in the past month or so.

1)  My Mother passed away.  As anyone who has had this happen knows, it's a pretty hard time, emotionally, as well as just, all the stuff you have to do.  Writing your own mother's obituary isn't necessarily a good time.  Selecting what she's going to wear, the casket, ...  just a lot.  The people that have written me and talked to me face to face have been great and I thank you all very much.

2)  VRT.  April 1st I moved to the Vulnerability Research Team at Sourcefire.  I'm one of the many other analysts responsible for writing Snort (and now recently ClamAV!) rules to detect the known, and the unknown.  It's a difficult job, it's challenging, it's fun, and it's busy.  I currently have over 100 bugs in my queue.  Lots of bugs and research to do.  My current focus is Malware and some redesign efforts.  We're trying to make the Snort rules easier to manage and provide more intelligence to the end user as well as increase our coverage in a lot of areas.  Making our rules harder to bypass and more and more adaptable to today's client-based landscape.  Over the rest of 2011, the VRT ruleset is going to change, for the better, and significantly.  There's essentially going to be three steps to this, and I'll post about the changes soon over on the Snort Blog.

3)  Snort Community.  It's growing.  When I took over the job in October of last year, I thought the Snort community had reached critical mass.  Most open source projects that I've seen plateau after awhile.  When I was running the BASE project we got up to about 15k downloads a day, and that was our plateau.  But since I took over, I've started to keep a lot of metrics.  Metrics about email postings, forum postings, users, downloads, etc.  Lots of metrics.  They are all going up.  We're doing well.

4)  Snort.  It's changing and evolving.  We're rolling out 2.9.1 soon with some very significant changes (read about PAF!) in detection and the IP reputation preprocessor.  The changes we have planned for post 2.9.1 make Snort even faster (we are already hitting WAY over 20 G/sec in detection, and the next number we are aiming for is unheard of in our industry), and easier to deploy.  Changes in its detection will make it more accurate and significantly increase the effectiveness of our rules and keywords.

5)  ClamAV.  Also growing.  Now built into Immunet 3.0 (the company we acquired in December of last year) providing not only cloud based detection (so awesome), but also offline detection.  Immunet is growing very fast by the looks of our daily metrics which means ClamAV use is increasing as well.  OEM solutions that are building ClamAV are also growing, and now recently we are going to start accepting community virus detection as well.  This will grow our detection rate exponentially.

6)  OSX Lion.  It's out.  I'm using it (have been for about a month and a half).  It works great.  The only thing I don't like about it is the deletion of the scroll bar.  I don't mind it as much as my wife will (I haven't converted her yet).

7)  Defcon.  We'll (VRT) be there.  Look for us in pink.  For those of you that were able to get an invite to TheBarCon, we'll see you there.

I can't think of anything more right now, and am being summoned for dinner.  I'll write more when I have a chance. If you have any questions, leave a comment below.


Wednesday, July 27

Hackinations: 5 really good Lion tweaks | TUAW - The Unofficial Apple Weblog

Hackinations: 5 really good Lion tweaks | TUAW - The Unofficial Apple Weblog

I know I haven't written in awhile, I have a blog post planned in my head, just have been too busy to put it down on paper. But in the meantime, I saw this article and thought it was pretty good for you OSX readers that have upgraded to Lion.

Sunday, June 12

Mac OS X Lion beta reveals "Restart to Safari" browser-only mode

Mac OS X Lion beta reveals "Restart to Safari" browser-only mode

From Engadget.

As the article says, in OSX Lion there is apparently a way to reboot your machine into "browser only" mode. Could be useful in a couple of situations.

A) If you are going to leave your computer unattended, maybe at home, and you want to allow people to check their email.
B) Kiosk mode. Maybe a computer sitting in a public area?

I don't think they are going for a play against ChromeOS here as the article sort of implies. Either way, interesting.


Tuesday, May 31

Apple's "known bad" Xprotect file is now automatically updated

Very technical term I used there in the subject.. I know.

Apple just released Security Update 2011-003, in which they check for the MacDefender Malware, which I wrote about here.  But the most interesting part of the update is this paragraph:

File Quarantine
Available for:  Mac OS X v10.6.7, Mac OS X Server v10.6.7
Impact:  Automatically update the known malware definitions
Description:  The system will check daily for updates to the File Quarantine malware definition list. An opt-out capability is provided via the "Automatically update safe downloads list" checkbox in Security Preferences. Additional information is available in this Knowledge Base article:

Where apparently, Apple has built in an automatic updater to their anti-malware file, in its most basic form, giving Apple the ability to directly protect their OS against the newest Malware.

If you don't know what I am talking about when I say "anti-malware file"  I suggest you read this post as well.


Friday, May 27

Resolving Flowbit dependencies

I put this blog entry up over on the blog this morning.  Figured it might help people answer some questions.  Check it out.


Sunday, May 15

Speaking Engagements

This past week I was invited to come speak at ISOI9 in Sterling, VA.  The talk seemed to go over rather well, and while I didn't get a lot of questions in the presentation, I got a ton of questions afterwards out in the hall.

This coming week I'll be down at the Richmond Area Virginia Linux User Group.  The coordinators of the group were kind enough to invite me down to talk about Sourcefire and the OpenSource company that we are.

If you are in the Richmond, VA area, be sure and come out!

I have another speaking engagement in August as well, but I'll blog about that when it gets a bit closer to the time.

If you are interested in coming to the meeting this week, it's on Tuesday, May 17th at 6pm.

Register here:


Locking your screen on OSX

Friend of mine tipped me to this (thanks @englishlfc).  People have asked me in the past about this, basically, how to lock your screen (Start your screen saver) using a keyboard shortcut on OSX.

On Windows you can mash Windows-L and it will lock your screen.  Or Ctrl-alt-del, enter.  (God it pains me to watch people hit Ctrl-Alt-Del and then MOUSE to "Lock Screen"... GRR!!)

My solution in OSX has always been to set my bottom left corner of my screen to "activate screen saver".  Then I could just move my mouse to that corner, and voilà, locked screen.

But @englishlfc was looking to do the same thing with the keyboard, and there are a ton of ways of doing it in Applescript, but it's even easier with Automator.

So, go open Automator, and select new "Workflow".

You'll get a blank screen that looks like this:

Select "Utilities" on the left, and then find "Start Screen Saver" in the next column:

Drag "Start Screen Saver" over to the right:

That's it.  Save it as an "Application" in Documents or Applications.

Then go to System Preferences and set up a Keyboard Shortcut to activate that App:


I did it a bit differently.  I used Alfred's new "Global Keyboard Shortcut" functionality to activate the app.


Maybe this'll help someone.

Want to know how to do this in Applescript?


Wednesday, April 6

First 2011 Snort Webcast Registration is Open!

Just wanted to announce that Registration for the first 2011 Snort Webcast is now open at the following link:

Our Presenter is Nick Moore of Sourcefire and he'll be presenting the first of a two part series on simply getting started with Snort.  How to set it up, running, and working with traffic.

When you click on the above link, you will see a "Register" link on the left-hand side of the page.  Click that for pre-registration.

What does pre-registration get you?  Reminders.  You'll receive a reminder the 11th (Monday) and an hour before we begin so you'll be sure to remember to attend.

The registration form only asks for a couple things so we can remind you about the event.  Registering for the event does not mean that you will start to receive sales information, we're simply using the information for numbers (how many registered, how many attended) information.

Topic: Snort Webinar Training
Date and Time:
April 13, 2011 11:00 am, Eastern Daylight Time (New York, GMT-04:00)
Event number: 793 571 014


Friday, April 1

Time to move on to a new job.

For the past, almost 6 years, my employment at Sourcefire has been great.  I've worked in Professional Services, going around to over 150 customers, educating them on Sourcefire, the product, the GUI, detection, and all the awesome that is, but..... it's time for me to move on.

I accepted a position last October with Sourcefire, being in charge of OpenSource Community Management, in charge of coordinating the communities themselves and being the liaison between the communities and the company (Sourcefire) for all OpenSource products.  This has been great.

Well, I'm pleased to announce that, I am retaining this new role as I go, so I will still be the OpenSource Community Manager for Sourcefire.  

Where am I moving to?  A company you may have heard of:

That's right, I'm staying right here.  Effective today, I'm moving out of Sourcefire's Professional Services team and moving to the Vulnerability Research Team (VRT), the team at Sourcefire that is responsible for publishing detection for Snort, ClamAV, and Razorback.

My new role has me writing detection for Snort primarily, moving into writing detection for ClamAV and even vulnerability research down the road.

I'm pretty excited about this move, as you can probably tell, and look forward to working with my new team.  

P.S.  I know I write this on April 1, but it's not an April Fools joke ;)

Friday, March 25

To the Cloud! (with the blog)

Some of you may have noticed that my blog looks a bit different.  

I moved it from my own server and put it up on Google's Blogger hosting service.  I had it up on Blogger about a year ago, and in retrospect can't think of why I took it and put it on my own server.  Experimenting I guess.

In the meantime there are going to be a lot of 404 links for really long URLs and URLs that have strange characters in them.  They'll 404 themselves out of the search engines and be reindexed soon I hope, so I'm not too terribly concerned.

If you came to my blog on a search query (which about 50% of you do), and your search resulted in a 404, then take a look at the archives, or use the search box.


Wednesday, March 23

Suspicious Domains related to Japan Disaster

With every disaster that takes place, one of the things that I do is start to watch the domain names being registered on the internet in relation to the event.

For instance, "earthquake", "Tsunami", Haiti, Chile, and now, Japan.

We mourn for all of those that lost loved ones in each of the disasters, and I feel very sorry for those that have lost everything.  Homes, cars, valuable pictures of your loved ones, family history, and the families themselves.  I am quite sure there are examples where entire families may have been lost to this most recent tragedy.

It's despicable that a malicious person would register a domain, and set up a webpage to receive donations, only to keep the money themselves, or fund $bad_thing.  Absolutely disgusting.

I was taking a look through my list for this morning (I get a list every day), and looking at some of the examples.  A lot of the names you wouldn't even think, just by looking at it, that it would be bad.  Examples like "" and .org.  One might think that was a legitimate site.  A few more interesting ones, I'll leave the extension off of these:

  • "earthquakeandtsunamis"

  • "tsunamidanger"

  • "tsunamireliefforjapan"

  • "savejapanesepeople"

  • "rebuildjapan"

  • "japanemergency"

  • "japanliferescue"

  • "earthquakeeastjapan"

Now, I'm not implying that any of the above are bad or linked to the evil-doers. I'm saying that you need to use caution when donating and visiting these sites.  Not all humans are decent, wholesome, and good.  In fact, there are a large amount of people that aren't.  I know, surprise, surprise.

How many domains have I seen like this?  Hundreds.  Several.  Hundred.


I don't want to dissuade you from donating funds to the people of Japan.  They need your help.  They need it bad.  I've donated, and will donate more.  But ensure, when you are donating, you are donating to a reputable organization.  People flocked to help Haiti, I'm asking that we flock to help Japan too.  Just because they are not a 3rd world country, doesn't make them any less important.  Japan came to our rescue when Hurricane Katrina hit, donating millions and millions of man hours and dollars towards the tragedy.  Let's do the same for them.
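The daily review of newly registered names described in this post can be partly automated. The sketch below is an added example, not the author's tooling: the appeal-word list, the priority scheme and the sample feed (names from the list above under the reserved .example TLD, plus constructed entries) are assumptions. A hit only means the name deserves a manual look, not that the site is malicious.

```python
import re

# Event words come from the post; the appeal words are an assumed list.
EVENT_TERMS = ("earthquake", "tsunami", "haiti", "chile", "japan")
APPEAL_TERMS = ("relief", "donate", "donation", "rescue", "rebuild",
                "save", "help", "emergency", "fund")

# Digit-for-letter swaps that would otherwise hide a keyword (assumed set).
DIGIT_SWAPS = str.maketrans("013457", "oleast")

# Constructed feed: three names from the post's list with the reserved
# .example TLD appended, one constructed look-alike, two unrelated names.
SAMPLE_FEED = [
    "tsunamireliefforjapan.example",
    "rebuildjapan.example",
    "earthquakeeastjapan.example",
    "japan-3arthquake-d0nate.example",
    "cheap-widgets.example",
    "quarterly-report.example",
]


def normalize(domain):
    """Return the name without its last label, separators or digit swaps."""
    name = domain.strip().lower().rstrip(".")
    labels = name.split(".")
    # Drop only the final label; a leftover "co" from "co.jp" is harmless.
    body = "".join(labels[:-1]) if len(labels) > 1 else name
    body = re.sub(r"[^a-z0-9]", "", body)
    return body.translate(DIGIT_SWAPS)


def triage(domains):
    """Return (domain, event_hits, appeal_hits, priority) for review."""
    findings = []
    for domain in domains:
        body = normalize(domain)
        events = [term for term in EVENT_TERMS if term in body]
        if not events:
            continue  # not themed on a tracked event, skip it
        appeals = [term for term in APPEAL_TERMS if term in body]
        # An event word paired with a money/help appeal is reviewed first.
        priority = "high" if appeals else "low"
        findings.append((domain, events, appeals, priority))
    findings.sort(key=lambda f: (f[3] != "high", f[0]))
    return findings


if __name__ == "__main__":
    for domain, events, appeals, priority in triage(SAMPLE_FEED):
        print(f"{priority:<5} {domain:<34} event={events} appeal={appeals}")
```

Substring matching is deliberately loose, so expect false positives; the output is a queue for a person to check registration details and site content, not a blocklist.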

Sunday, February 27

Mac OS X Lion iChat supports Yahoo Messenger video and voice chat

As the title of the article states, Apple's OSX iChat client on OSX 7 Lion supports Yahoo Instant Messenger, adding to support for AIM, GChat, and standard Jabber.

This is a welcome addition and stands to keep chipping away at the other major Instant Messenger clients, but, why are there two separate video chat clients for the Mac? (Facetime, iChat)

It would seem to me that it would make more sense to combine these two.

  • Facetime traverses NAT (etc) better than iChat

  • Facetime uses less bandwidth

  • Facetime is now "HD" (as Apple calls it), leaving the "quality" issue behind (iChat's resolution was better than Facetime, as Facetime is faster on the network)

  • However, iChat does support up to 3 video calls at once (and like, 10 audio)

Anyway, I hope they fix this before OSX 7 is released finally.  I'd love to have one app that covered both IM and Mobile Video Chat.

Appleinsider has a great breakdown featuring some nice videos of OSX7 on their site here and here.  Check it out if you are an Apple user like me.

Other notable features of OSX7 I think:

  • No Front Row

  • Java runtime is not installed by default, it's a download now.

  • Rosetta support (so support for running PowerPC apps on Intel machines) is gone.  Meaning that Apps should be smaller in size.

  • Migration Assistant now supports helping Windows users move over to the Mac (smart)

  • OSX Lion was given to a few researchers for review, so they can beat it up.  Very nice work.  I hope Apple rewards the researchers in some way.

Thursday, February 3

Rude People

Okay, so there I am waiting in line, directly between two people, and I am sitting on my suitcase. The lady in front of me has a space between her and the person in front of her of about 4 feet. Plainly visible. No excuses.

So this guy decides to take it upon himself to try and cross the line, not in the big ass 4 foot space that everyone else crossing the line is passing through, but directly between me and the lady in front of me. Rudely.

He squeezes by in such a way where he bumps my suitcase, sending it, and me crashing to the floor where I wind up on my ass.

He starts to apologize profusely.

I get up, say nothing, and sit back down on my suitcase.

He proceeds to apologize again, he looks around, looks at his ticket, then walks BACK through the line, in the big ass 4 foot space.


Wednesday, January 12

H.264 is being dropped from Chrome

Chromium Blog: HTML Video Codec Support in Chrome.

Key sentence from above article:

"Though H.264 plays an important role in video, as our goal is to enable open innovation, support for the codec will be removed and our resources directed towards completely open codec technologies."

Key comment from Slashdot on above article:

"This serves two strategic purposes for Google. First, it advances a codec that’s de facto controlled by Google at the expense of a codec that is a legitimate open standard controlled by a multi-vendor governance process managed by reputable international standards bodies. (“Open source” != “open standard”.) And second, it will slow the transition to HTML5 and away from Flash by creating more confusion about which codec to use for HTML5 video, which benefits Google by hurting Apple (since Apple doesn’t want to support Flash), but also sucks for users."

Google, just when I started to like you again.  I turned away from you for about a year and a half because you pissed me off with the Buzz thing.  Now you go and do this.

One step forward, two steps back.

Tuesday, January 11

iPhone 4 goes to Verizon too.

Finally, after long last, the iPhone is coming to Verizon.

I probably could go on ad nauseam about the new iPhone, but I'll just cover the bullet points:

  • The antenna is redesigned, and as a result the buttons are moved slightly down on the left, so some cases may not fit.

  • CDMA, not LTE.  Which means you can't talk and surf at the same time. (Feature that I use a lot)

  • You can use the iPhone as a wifi hotspot (so like a mifi) for up to 5 devices.  Nice.

  • Coming February 10th for GA.  Advanced ordering for Verizon Customers on Feb 3.

  • Otherwise, it's the iPhone 4.

This will be nice.

Seven Cool Open Source Projects for Defenders

TaoSecurity: Seven Cool Open Source Projects for Defenders.

Richard Bejtlich wrote this good post over on his blog, a few good OpenSource tools to defend your networks with.  He talks about the newest updates with:

  • Ruminate IDS

  • Security Onion

  • Bro IDS

  • Suricata IDS

  • Snorby

  • OpenFPC

  • Polman

  • Snort

  • ClamAV

  • Razorback

Richard does pay me a kind compliment, so thank you Richard.  Take a look at his post and try some of the tools out.

Tuesday, January 4

A Year in Reflection

I am reading all these posts on reflection on 2010 and accomplishments for this year.

Yes, I accomplished a lot for this year.  Lots and Lots of work stuff.  But I accomplished one thing that eclipses all else.

I have a beautiful family with an awesome wife and two beautiful kids.

Happy New Year everyone.  Well wishes for 2011.