Thursday, April 30

Email Signature Block Etiquette

I was involved in a discussion today about email signature blocks and how obnoxious some of them are. I saw one today with, literally, an entire page of certifications and stuff. I’ve written about this before, but it never hurts for a little refresher.


Although the people reading my blog shouldn’t have this problem and should already know how to write email signature blocks, right?


Let’s look at some best practices, and some other common stuff --


  1. Start your signature block with “-- ” (dash, dash, space). This allows email clients that parse emails correctly to collapse or grey out this area.
  2. 4 lines or less.
  3. Phone number, Primary, maybe fax (if you depend on the fax technology)
  4. No email address (If you are sending an email, what’s the point in having your email in your signature block? They already HAVE your email address!)
  5. Webpage (okay, this is fine, but keep it simple)
  6. No quotes. If I want a witty quote, I’ll go find one. Your email should tell me a lot about you, not the quote.
  7. Instant Messenger name (if you are the kind of person that would rather communicate via that medium, as opposed to phone).
  8. Disclaimer -- The jury is still out on this “Disclaimer, legal copy” nonsense. Has one of these ever been enforced in court? Not that I know of.
  9. Company Name -- Good idea to have
  10. Address? No. I can go look it up, or email you back to get it. 99% of the emails you send will not need the address. Besides, if I feel you’ll need my address, I’ll send it to you, along with a short URL of Google Maps on how to get here.
  11. Logo, multi colors, html, and various other nonsense? No.


Keep it simple. Signature block reads:


--

Joel Esler | Sourcefire | gtalk: jesler@sourcefire.com | | http://twitter.com/joelesler


Short, sweet, to the point. You know how to get hold of me via 4 mediums: Phone, IM, Twitter, and of course, Email.

Saturday, April 25

My Email set up

Earlier today, I found myself in a conversation on Twitter with my friend Bryan Liles about how I process email. He uses the Inbox Zero method, as do I, to a degree, so I thought I’d actually write a post.


The last time I talked about email, I believe I was still using Mail.app, which, of course, I still like because of its nice integration with other Apple apps. I have to admit, however, that I no longer use it.


I use Gmail, the web interface. That’s all I use. I mentioned before that I used to have about 10 email accounts, all for various reasons, none of which I could truly justify. None of them were hidden or anything, they were all some derivative of “eslerj” or “joelesler” or something. So I started consolidating.


Right now, all my personal email, (friends and family) use one address. All my list servers go to a second address, and of course, I have my work email.


I found logging into three different accounts to be very annoying, so I found out through playing around in the Gmail settings that you can enable your Gmail to be able to send email “on behalf” of other email accounts. So, for example, I set my “from” address to be any one of the three addresses, and when I hit “reply”, Gmail knows to reply from the proper account. (If you have it set up correctly.)


So, I took my other two accounts and forwarded them to the one. That way, I have one single account to check all my email from. Very nice.


So, onto the meat, how do I process email?


Like a lot of people I use Gmail’s filters and labels. Since I forward all my email into one account, I get anywhere between 600-1000 emails a day, so I needed an efficient way to handle this stuff automatically.


All listservers, when I receive an email from them, are tagged automatically with a label, based upon the list header. (I suggest you let Google filter this stuff for you, use the “Filter Messages like this” feature.)


Google will suggest what it thinks you should use as a filter, whether it be from a certain person, etc. For the listservers, it does a nice job of parsing headers. For example, the filter in my Gmail for emails sent to the Snort-Sigs list for http://www.snort.org is “list:"snort-sigs.lists.sourceforge.net"”.

I then let Gmail apply a label, and Skip the Inbox.

That way I don’t get bogged down in the listserver email when I am trying to do actual email processing. All listservers are set up like that (Except for my “Snort” based ones, I want those in my Inbox, so I can respond to people.) That eliminates about 400-800 emails from my daily processing. I take a look at all my listserver email about once a day, scan the subjects, and if I don’t see anything interesting, I mark them all as read and move on. (BTW -- so, if you want me to particularly look at your email if you post to a listserver, cc me! You’ll find out why in a sec ;)


BTW -- If you aren’t using these two features in Gmail, you are absolutely crazy.

The first option is Keyboard Shortcuts. Once you learn the keyboard shortcuts in Gmail, you FLY through your email so much faster.


The Personal Level Indicators place little arrows next to the emails that are sent only to you (“>>”) or sent to you along with someone else, for instance when you were cc’ed on an email (“>”).


Anyway --

So, when I read my email in my inbox, I use labels/filters to process the ones from my corporate domain “sourcefire.com” (and a couple of other domains) and label them a particular color. This allows me to quickly glance down a huge page of email and determine whether the emails with the “>>” arrows are from my company or not.


I process all the email in my inbox to “zero”, making “todo’s” (I use OmniFocus for this; learn your keyboard shortcuts!), responding quickly to those that need responding, and archiving the things I don’t want to respond to. I can burn through a couple hundred emails in a very short amount of time.


I also try to keep to the 5 sentences or less method of email if I can. I do make exceptions to this rule if I need to, (rarely), but I find that I don’t generally have a problem if I keep my emails quick, descriptive, and to the point.

Wednesday, April 8

Sourcefire's Exploit Development Class

First off, if you were to go look at this class on Sourcefire’s website, it states “Exploit Development Class for Snort Rule Writers”. We need to fix this. In the words of Lurene, “This class has nothing to do with Defense. At all. Ever.” The class should be more appropriately named, “Fundamentals of Exploit Development”, or “Writing Exploits, we’re going to hurt you”


So, let’s describe this class in two words or less:


Freakin Awesome.


Beginning on day one with a lot of terminology, introduction, and drinking from the firehose on assembly and gdb; by the end of the first day you are well versed in how to read assembly and pick it apart, and are even able to reverse simple programs. Your brain will hurt.


Day Two, more drinking from the firehose, more reversing, more assembly, more gdb, drawing stacks, and by the end of the second day, you are learning to control EIP, and doing it. Your Brain will hurt even more.


Day Three, you just sit all day and hack programs. From simple to intermediate, (you aren’t cracking Microsoft Office just yet ;), by the end of the day, you are using reverse shells and shellcode like nothing. Your Brain is now fried. Go drink beer. Seriously.


This was the best class I have ever taken in my life. Srsly.


You know those classes where you go and sit, and you could probably figure out 80% of it, and the other 20% of the class you pick up little tricks and tips on whatever you are learning? This is not one of those. If you know assembly, or have experience in reversing assembly, this is not the class for you (even though you will probably learn something). The class I took was taught by 4 of the Vulnerability Research Team members, people I am glad to call my friends.


So, my hat’s off to Lurene, Matt, Ryan, and Nigel, along with all the other members of the VRT that contributed, came out, and helped with the class. It was great, and I’d gladly take it again anytime.


The best part of the class, I thought, was during the class, on a separate projector, they fuzzed software and found some 0days. I don’t want to disclose which pieces of software were fuzzed, but let’s just say that they are pieces of software that people use everyday.


In one piece of software, over 200 crashes and bugs were caused. No word on how many were exploitable yet.


No, I will not tell you which piece of software it was either.

Friday, March 6

Why is your IDS outside your firewall?

Stop that. You’re doing it wrong.


This is a very puzzling situation that I run across quite often, more often than I should. I thought I’d bring up a few points on why I view IDSs outside of firewalls as a bad thing.


Allow me to play Devil’s Advocate here for a minute, present a few arguments, then allow me to rebut them. I am not insulting anyone that has their sensors outside the firewall. But I ask you to please reconsider. Here you go:




1. We place a sensor outside of our firewall to see what’s “out there in the wild”.


    First off, the Internet is not plugged into one big hub. Network traffic that is destined for somewhere else is not going to be seen by your network. Only networks that you advertise as yours will receive the traffic that you intend. Placing a sensor outside of a Firewall because you think you are going to see traffic “floating” by, is just plain wrong.


    Second of all, if you have a “Deny all, permit by exception” policy on your Firewall -- as you should -- only allowing things into the network that you explicitly want people to access remotely, you will only see UDP based attacks on the outside. So, you will simply pick up a lot more SQL Slammer attempts at your gateway. Confused? What do I mean?


    If you have a stateful Firewall denying access to your network, a valid 3-way handshake can only be completed with a host you EXPLICITLY allow access to from the outside, so you will never see any other TCP-based attacks. Your IDS will sit there and track SYN packets all day, attempting to track sessions, never receiving SYN-ACKs, and purging each session from the state table upon timeout. Maybe your Firewall will send an ICMP Admin Prohibited response if you have it configured to do so, however, most Firewalls simply drop silently. After all, why would you want the attacker that is coming after you to know you have a Firewall, and exactly what hop it is in the network?


    This is a waste of IDS resources, time, and money. (Time = money.)


2. “We put the IDS outside the firewall because if an attacker is going to attack our network, they are going to attack the firewall first.”


    (Yes, this is an actual quote. I do have permission to repeat it, as long as I don’t tell anyone who said it. Actually, the person who told me this was simply repeating what his network admin had told him.)


    If you told me that statement above, I would assume three things.


    First: The management interface to your Firewall is accessible from the Internet.


    Second: If it is, what is the condition of the rest of your network, because I can most likely attack it easier.


    Third: Obviously you are willing to sacrifice your IPS (by putting it outside). What is the difference between an IPS and a Firewall in this context?


    I say they are both security devices, and both are vital to the protection of the network. If I am an attacker, I am not going to attack your firewall. I am going to try and find a way THROUGH your firewall, install some kind of backdoor, then get in through that, or better yet, have the backdoor opened for me from the inside. You obviously have some ports open on your firewall, so I am going to go in through those first. I’d rather go after your SSH server, FTP server, HTTP server, hell, I’d rather attack your printer than go after your firewall. That is, of course, assuming your management interface isn’t sitting in the DMZ with a password of “password”.


3. It’s the only aggregation point we have where all the traffic comes together!


    Okay, fair enough, I’ll allow this argument. However, I am assuming then, that this is just a temporary solution until you can either afford to buy more sensors, or build more SNORT® boxes. It should only be a temporary solution and you should really concentrate hard on moving your IPS inside of your firewall, perhaps get traffic to the IPS/IDS with taps or multiple spans. Utilizing multiple detection engines on one machine is a good way to do that. A sensor sitting outside the firewall is never the solution, for two or three really good reasons I just talked about above.


    I am sure I can probably think of some more, but that’s enough for now.
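    To make the three points above concrete, here is an added example of mine (not from the post and not Snort code): a toy deny-all, permit-by-exception stateful firewall with a minimal session tracker on each side of it. It replays a constructed traffic mix and reports what each sensor had to keep state for. All hosts, ports and packets are constructed, and the tracker is a simplification, not Snort’s stream preprocessor.

```python
"""Added example (not from the post, not Snort code): toy stateful firewall with
a sensor on each side, replaying a constructed traffic mix. Hosts, ports and
packets are made up; the sensor is a minimal session tracker, not stream5."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str          # "tcp" or "udp"
    flags: str = ""     # TCP flags used here: "S", "SA", "A"
    payload: bytes = b""


WEB_SERVER = "192.0.2.10"       # constructed: the one host advertised to the outside
ALLOWED = {(WEB_SERVER, 80)}    # deny all, permit by exception


class Firewall:
    """Stateful: admit a new flow only on an exception; let replies out only for
    admitted flows; drop everything else silently (no RST, no ICMP prohibited)."""

    def __init__(self, allowed):
        self.allowed, self.flows = allowed, set()

    def inbound(self, pkt):
        key = (pkt.src, pkt.dst, pkt.sport, pkt.dport)
        if key in self.flows:
            return True
        if (pkt.proto == "udp" or pkt.flags == "S") and (pkt.dst, pkt.dport) in self.allowed:
            self.flows.add(key)
            return True
        return False

    def outbound(self, pkt):
        return (pkt.dst, pkt.src, pkt.dport, pkt.sport) in self.flows


@dataclass
class Sensor:
    """Minimal IDS-style tracker: what state does a sensor at this spot carry?"""
    name: str
    half_open: set = field(default_factory=set)   # SYN seen, no SYN-ACK yet
    established: set = field(default_factory=set)
    udp_packets: int = 0
    payload_bytes: int = 0                         # bytes it could actually inspect

    def observe(self, pkt):
        if pkt.proto == "udp":
            self.udp_packets += 1
            self.payload_bytes += len(pkt.payload)
            return
        # Key TCP packets by the client side so a SYN-ACK matches its SYN.
        if pkt.flags == "SA":
            key = (pkt.dst, pkt.src, pkt.dport, pkt.sport)
        else:
            key = (pkt.src, pkt.dst, pkt.sport, pkt.dport)
        if pkt.flags == "S":
            self.half_open.add(key)        # sits here until a timeout purges it
        elif pkt.flags == "SA" and key in self.half_open:
            self.half_open.discard(key)
            self.established.add(key)
        elif key in self.established:
            self.payload_bytes += len(pkt.payload)

    def stats(self):
        return {"half_open": len(self.half_open), "established": len(self.established),
                "udp_packets": self.udp_packets, "payload_bytes": self.payload_bytes}


def run_scenario():
    """Replay a constructed traffic mix; return per-sensor stats keyed by sensor name."""
    outside, inside, fw = Sensor("outside"), Sensor("inside"), Firewall(ALLOWED)

    def to_internet(pkt):
        inside.observe(pkt)
        if fw.outbound(pkt):
            outside.observe(pkt)

    def from_internet(pkt):
        outside.observe(pkt)                 # the outside sensor sees every arrival
        if not fw.inbound(pkt):
            return                           # dropped: the inside never sees it
        inside.observe(pkt)
        if pkt.proto == "tcp" and pkt.flags == "S":   # the server answers admitted SYNs
            to_internet(Packet(pkt.dst, pkt.src, pkt.dport, pkt.sport, "tcp", "SA"))

    attacker, client = "198.51.100.7", "203.0.113.5"   # constructed addresses
    # 1. SYN probes of five ports on the web server; only 80 is an exception.
    for i, port in enumerate((21, 22, 23, 80, 3389)):
        from_internet(Packet(attacker, WEB_SERVER, 40000 + i, port, "tcp", "S"))
    # 2. A constructed 376-byte UDP datagram to 1434 (the Slammer port): no exception, dropped.
    from_internet(Packet(attacker, WEB_SERVER, 1434, 1434, "udp", payload=b"\x04" + b"A" * 375))
    # 3. A legitimate client completes the handshake and sends a request.
    from_internet(Packet(client, WEB_SERVER, 51000, 80, "tcp", "S"))
    from_internet(Packet(client, WEB_SERVER, 51000, 80, "tcp", "A", b"GET / HTTP/1.0\r\n\r\n"))
    return {s.name: s.stats() for s in (outside, inside)}


if __name__ == "__main__":
    for name, stats in run_scenario().items():
        print(name, stats)
```

    Both sensors end up with the same two established sessions and the same inspectable HTTP request; the only things the outside sensor adds are four half-open sessions waiting for a timeout and one dropped datagram. That extra state, with no extra TCP attack content behind it, is the waste the post is talking about.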

    Monday, February 23

    Moving my network around

    Today I moved my network around, so just a quick article about why, or what was the point.


    It’s funny the little noises that irritate you. For me, there are a few: high-pitched whines, constant buzzing sounds, my wife clicking her nails together, and computer fans.


    In my office, I have a PowerMac (Dual Core, with Dual Fans), a Linux box that I do a lot of Snort Testing on, and a 1U server that is older than my daughter.


    The 1U was moved to the basement a long time ago, simply because the fans on the thing were so incredibly loud, you couldn’t sit in the same room as the machine. It was crazy. I can’t imagine a server room full of these things. The fan ran constantly too. Not when the processors got hot, but all the time. So very irritating! I moved this server to the basement by drilling a hole in the floor in my office and running a Cat 6 cable down there. Simple enough.


    That was about a year ago.


    As I’ve stated before on the blog, on Twitter, and God knows where else -- I’ve moved totally to using laptops as my primary machines now. I keep everything “in the cloud” except for things like Pictures (in iPhoto), Music (in iTunes), and random misc software.


    I use my iDisk for my document and file storage, and am starting to use Google Docs for collaboration on documents. I use Evernote for jotting down notes and keeping everything in one place. I use Google Mail for my email (eliminating the need for a local client), and I use Google Calendar for my calendaring (as opposed to iCal).


    So my needs for everyday computing are rather lightweight. Last week my company replaced my aging PowerBook G4 with a brand new MacBook Pro. I started to do the “laptop dance”, you know the one, where you transfer years and years of data that you have kept for God knows why over to your new computer. After about an hour of doing this, I decided that this was inefficient and stupid and stopped. Moved everything to things like iDisk and Evernote, and eliminated the need to have everything locally. (Technically I do have everything locally, it’s just synced for me.)


    I brought my new MBP into the office here at the house and stared at my PowerMac for awhile.


    My Powermac has served me well for years. It’s a Dual 2.0 PowerMac G5, liquid cooled, and has 4 Gigs of RAM in it. This thing is still pretty fast, and I bought it in 2004/5 ish timeframe. But what did I use it for?


    It’s sitting here connected to my 20in Apple Cinema Display -- which by the way, Apple stopped making recently -- keyboard and mouse connected to it. But how often do I use this thing? How about, almost never! I’d rather use my laptops, because then I can wander all over the house, go to Starbucks, Panera, whatever.


    So I thought for a while. I already have a Cat 6 cable running to the basement, what if I relocated all my computers, switches, and everything to the basement, and only keep my wireless access points (with their associated Ethernet cables plugged in) upstairs?


    So I moved everything. Powermac, Linux servers, switches, hubs (for testing), downstairs. I even moved my FiOS connection end point downstairs, (which required re-running the cable, etc.).


    All I have in my office now is my MBP, with the 20in Monitor attached to it, and I have my personal older model MBP sitting next to it. (It’s my “grab my computer and go to the bathroom for reading material” computer.)


    You can hear a pin drop in my office now, and it is much less distracting.


    I recommend, if you can relegate your computing devices out of your office, into another room, closet, floor, attic, or whatever, do it. It’s awesome.

    Saturday, February 14

    A tale of my mother-in-law's laptop

    So, yesterday, my mother in law moved into my house to stay with us for awhile. (Yes this is cool with me, it was actually my idea.. Anyway.)


    She handed me her laptop, a Sony Vaio (this thing is a freaking brick!) loaded with Windows XP. She always makes jokes about my network here at the house and about how “clean” it probably is (all Macs, security, etc.), so I went about cleaning it.


    First, I wanted to get the antivirus updates. She had a current Antivirus client (Symantec), it was the full suite, with the firewall and everything. So I updated that, took awhile as it hasn’t been updated in awhile.


    -- Sidebar --

    My mother-in-law has been on dialup in the neighborhood where she used to live for a long time. She doesn’t log in for long, just long enough to log into her AOL account, check her email, and do some light surfing (yes, AOL. Seriously.)


    So you can imagine, everything hasn’t been updated in a long time because of the speed of her connection, she doesn’t have the kind of time to sit there and let downloads download overnight.

    -- Back to my Story --


    The Antivirus ran, and asked me if I wanted to deal with the stuff in Quarantine. I looked at what it was: 3 instances of “Bloodhound.Exploit” in Temp Internet files. Okay, not a big deal, they’ve been quarantined for over a year, so I just deleted them. Hopefully that’s all it finds.


    So I started to download XP updates. This is really where I started to value my Macs. This machine was pre Service Pack 3, Windows XP. So you know the drill, get the updates up to date so you can download SP3, then download SP3, then install that, then update, update, update, update. I had to go to Windows Update at least 5 or 6 times. Office was actually updated, but the Windows OS updates were so far behind it took me 6 hours to get this thing updated.


    Now, I know when you build a fresh Mac install you have to do the same thing. But it only takes me about 20 minutes to do it, not 6 hours.


    I started telling my tale, as I was going, to my followers on Twitter. A lot of jokes were made, you know, about making the laptop a doorstop, or if I had a table with one short leg, go ahead and prop up the table with it.


    Other suggestions were made like, “load Ubuntu on it, tell your mother-in-law it’s the new version of XP”. I thought about it, but my mother-in-law is just one of those kinds of people who get comfortable with their computing experience, and you don’t want to upset that. She likes her XP and Microsoft Word, so I don’t want to mess with her right now; maybe she’ll get a Mac on her next computer buying experience.


    Anyway, it’s fully updated and working now, yes, it’s on my network, as much as I hate to admit it. (It’s the first Windows machine on my network in about 6 years.)


    Hopefully now, I can keep her patched and updated.


    Tuesday, January 27

    Let's be productive by minimizing clutter Part deux

    As usual, when you start dealing with one thing in your life, you tend to narrow in and focus on it. Which is great, however, what if you have several things to do in your life, as most of us do, how do we manage creativity and productivity?


    I find myself always on the quest for better productivity and better ways to perform things.


    One thing that I find to increase productivity and generally lower stress is to clear. I didn’t say Clean, I said clear.


    One of the basic things that is taught, on like Step 1, of Getting Things Done (GTD for those of you that love abbreviations) is to clear and empty. Take everything off your desk, empty your inbox, etc, and then perform actions on everything. Recently I wrote a blog post issuing my New Year’s Challenge to everyone about clearing off your desk and reducing clutter, paper, and digitizing everything you can. Because, you know, how easy is it for you to perform Boolean searches for post it notes?


    So here comes the second part of my challenge, assuming you have performed challenge one, clearing off of your desk and surrounding area, hopefully putting things away and digitizing as much as you can, step two has to do with your computer.


    Step Two:
    Desktop. Your Desktop. I want you to perform this in two steps. First step is to change your desktop background. Your kids and dog will understand, I am sure. Get rid of anything busy, photos, etc. What I want you to start off with is a black background. You can make one in Paint if you are using Windows; if you are using a Mac, I’ll let you get away with grey just to make life simple. (There is a grey solid color background built into OSX.) Linux users, since you have to compile your own fonts, I think you can figure out how to make your desktop black. BSD users too, since you guys actually have to build your keyboards out of small pieces of a Scrabble board and a leftover IBM keyboard without scissor keys....


    Rid your desktop of all icons. Okay, I’ll let you have one or two, maybe the trash can and the hard drive icon. For Windows users I’ll allow you, say, the Recycle Bin and My Computer, or whatever is on the Windows Desktop nowadays.


    Get rid of all your shortcuts (put them in the dock, or the quick launch section of your Task Bar), put your Shortcuts in a stack or something. Better yet, learn to use Butler or Quicksilver and do away with your Shortcuts all together.


    Take all your pictures on your desktop and put them in the Pictures folder
    Take all your Documents and put them in the Documents folder.


    No excuses. Black Background, no icons.


    Now, auto hide your Dock, or your Task bar. Get rid of it. You should have One icon maybe two, and no TaskBar/Dock.


    For extra credit, you mac users, feel free to use MenuShade to get rid of the Apple Menu (unless you actually use it for things like Google Notifier like I said in a previous post.)


    Okay, so now, I want you to work that way for a minimum of two weeks. Nothing on your Desk, nothing on your Desktop. If you have things like Firefox that dump your downloads on your Desktop, create a “Downloads” folder in your user profile and point Firefox there. Same thing with IE or whatever. OSX already has a Downloads folder; tell Firefox to go there.


    Two weeks. Make a conscious effort to keep things off your Desk and your Desktop for two weeks, until it becomes natural. Then give me feedback on how it’s working for you by posting in the comments.


    Yes. I do this.


    BTW -- This methodology of working does really well with an app like Spirited Away, which auto hides apps.


    I’ll explain why you are doing these exercises after my third and final exercise that I ask you to do. But for now, conduct one and two, and work with that for awhile.


    To be successful with the “clear Desk” thing, you have to have someplace for people to put things instead of “on your desk”. Try an inbox or a special place on your desk to set things, then train your co-workers, spouse, secretary, and dog to place things in this space.

    Friday, January 23

    iWork 2009 Trojan

    As I wrote on the Internet Storm Center:


    It's already pretty widely reported in the media, take for instance here and here.


    First reported by Intego, this trojan apparently is distributed by downloading Bittorrented copies of iWork 2009 from the Internet and installing them. The Trojan is installed as part of the software package, by, yup, you guessed it, you giving the software permissions to install by giving it your password.


    Apparently this backdoor opens a hole on your computer, reporting back to a central server in order to allow the attacker to connect and issue commands to your system.


    So, what can we learn from this?


    1) If you Bittorrent software you are supposed to buy, and break the law in doing so... you have to deal with the ramifications...


    2) Hey, you can download the Trial from Apple.com, and then buy it, and they give you a serial number! You don't even have to go to the store to get a boxed copy! You already spent the money and bought a Mac, you cheapskate, now if you want iWork, spend the 79 bucks and buy it like you are supposed to.

    Tuesday, January 20

    Snort is up and running, now what?

    I’m often asked to write a document about the after effects, the post marital bliss, as it were, of going through the steps of installing Snort as your IDS, and what to do next. So I’ve decided, at great request, to sit down and write a blog entry about the “next steps”.


    Now, let me be clear, any security device, yes, ALL of them, require tuning. If someone is out there saying “my device doesn’t require tuning”, not only are they wrong, but it’s an absolute falsehood. I don’t care if your system is being automatically tuned, it’s still being tuned. One device is not the end all-be all of security devices. Of course there are default settings that take into account the majority of networks out there, and yes, Snort has those. But each device you put on your network requires at least a small bit of tuning to adapt to your environment.


    So what do I like to do first?


    1. Variables -- Tune those variables. How you tune your Snort variables is up to you, but I always say at the very least, start off by tuning your HOME_NET variable. Punch into this variable the network ranges you’d like to protect. How you tune the rest of the variables is up to you, but a good place to start is with EXTERNAL_NET. How you tune this variable, I have a talk on that, which I am sure I will be giving soon, so stay tuned. I don’t want to put my bullet points out there before I start talking. By default EXTERNAL_NET is set to any, which is a fine start.
    2. Rulesets -- If you don’t have the awesome luxury of dealing with a Sourcefire device, which will give you the recommendations for your rules based upon what is actually on your network (We call this “RNA recommended rulesets”), you will have to do this manually. Sit down, simply at first, with the category names of the rules that you download from Snort.org and take inventory of your network from a Software and service based perspective. Are you running IMAP as a service on your network? No? Then shut the whole rule category off. Rinse and Repeat.
    3. Preprocessors -- Now, for proper elimination of alerts and tuning, these will take time, however, at the beginning, ask yourself two questions: 1) What is the majority operating system on my network, and 2) What is the majority webserver on my network. Take the answers to these two questions and tune things like your frag3, stream5, and http_inspect_server preprocessors.
    4. Restart Snort -- In the present version of Snort (2.x.x) you have to restart Snort for changes to take effect. After you have done all of the above steps, restart Snort.
    5. Suppression and Thresholding -- Now, for the lather, rinse, and repeat steps. Look at your alerts -- Do I need this alert? How is this alert going to help me do my job? Do I have any actionable information from this alert? I mean -- So you are getting SNMP alerts, so what? Do you care? ICMP alerts, do you care? What does someone on your network pinging do for your security? In some environments it might matter; in most, no. So your Solarwinds server is pinging lots of hosts on the network. So? That’s what it’s supposed to do, so take that IP and suppress alerts. That’s what suppression is. Don’t want something to alert at all going to a particular host? That’s a suppression. Don’t want something to alert “as much”? That’s a threshold. Set the ones you need. Restart Snort.
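    To show what the “do I care about this alert?” pass in step 5 looks like in practice, here is an added example of mine (not from this post and not part of Snort): it reads Snort 2.x alert_fast lines, counts each signature per source address, and prints candidate threshold.conf lines, a suppress for a single host that trips one signature over and over (the monitoring server pinging the LAN) and an event_filter rate limit for a signature that fires from many hosts. The alert lines, addresses, cutoffs and the gen_id/sig_id numbers in the sample are constructed for illustration.

```python
"""Added example (not from the post, not part of Snort): turn Snort 2.x
alert_fast output into candidate suppress / event_filter lines for step 5.
Alert lines, addresses, cutoffs and gen_id/sig_id numbers are constructed."""
import re
from collections import Counter, defaultdict

# alert_fast layout:
#   <ts>  [**] [gid:sid:rev] <msg> [**] [Classification: ..] [Priority: N] {PROTO} src[:port] -> dst[:port]
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?\s*$"
)


def parse_fast_alert(line):
    """Fields of one alert_fast line as a dict, or None if the line does not parse."""
    m = FAST_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["gid"], fields["sid"] = int(fields["gid"]), int(fields["sid"])
    return fields


# Constructed sample: a monitoring host (10.1.1.54) pinging the LAN, one stray
# ping from a workstation, SNMP polls from three hosts, and two outside hosts
# tripping a web rule. Sids are illustrative, not a claim about real rules.
SAMPLE_ALERTS = (
    [f"01/20-09:00:{i:02d}.000000  [**] [1:384:5] ICMP PING [**] "
     f"[Classification: Misc activity] [Priority: 3] {{ICMP}} 10.1.1.54 -> 10.1.1.{20 + i}"
     for i in range(6)]
    + ["01/20-09:01:00.000000  [**] [1:384:5] ICMP PING [**] "
       "[Classification: Misc activity] [Priority: 3] {ICMP} 10.1.1.77 -> 10.1.1.20"]
    + [f"01/20-09:02:{i:02d}.000000  [**] [1:1417:9] SNMP request udp [**] "
       f"[Classification: Attempted Information Leak] [Priority: 2] {{UDP}} "
       f"10.1.1.{54 + i % 3}:1025 -> 10.1.1.30:161" for i in range(6)]
    + [f"01/20-09:03:0{i}.000000  [**] [1:1000001:1] SAMPLE web probe [**] "
       f"[Classification: Web Application Attack] [Priority: 1] {{TCP}} "
       f"198.51.100.{7 + i}:4433 -> 10.1.1.80:80" for i in range(2)]
)


def count_by_sig_and_src(lines):
    """{(gid, sid, msg): Counter({src: n})} over every line that parses."""
    counts = defaultdict(Counter)
    for line in lines:
        a = parse_fast_alert(line)
        if a:
            counts[(a["gid"], a["sid"], a["msg"])][a["src"]] += 1
    return counts


def recommend_filters(lines, per_source_cutoff=5, many_sources=3):
    """Candidate threshold.conf lines (Snort 2.x syntax), each preceded by a
    '#' line saying why. Nothing is emitted for signatures that stay below the
    cutoffs: low counts from a few sources are the alerts worth reading."""
    recs = []
    for (gid, sid, msg), by_src in sorted(count_by_sig_and_src(lines).items()):
        total = sum(by_src.values())
        noisy = [(src, n) for src, n in by_src.most_common() if n >= per_source_cutoff]
        if noisy:
            # One host trips this signature over and over: silence that host for it.
            for src, n in noisy:
                recs.append(f"# {msg}: {n} of {total} alerts came from {src}")
                recs.append(f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {src}")
        elif len(by_src) >= many_sources and total >= per_source_cutoff:
            # Many hosts, none dominant: keep the alert but rate-limit it per source.
            recs.append(f"# {msg}: {total} alerts spread over {len(by_src)} sources")
            recs.append(f"event_filter gen_id {gid}, sig_id {sid}, type limit, "
                        f"track by_src, count 1, seconds 60")
    return recs


if __name__ == "__main__":
    print("\n".join(recommend_filters(SAMPLE_ALERTS)))
```

    The lines it prints belong in threshold.conf (which the stock snort.conf includes), followed by the restart from step 4. The script only proposes; the decision about whether an alert is actionable on your network stays with you, which is why the sample web probe, seen twice from two hosts, gets no line at all.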


    This is not intended to replace any tuning steps you’ve already done, this is not intended to be the end all-be all. This is intended to get you going after your install.


    For those of you using Sourcefire product, these steps are either non-existent or considerably easier for you. Some vendors will try and position their product against Snort (read: not Sourcefire) and call the comparison fair. Snort is an open source project; while many companies use Snort as the basis for their product, Sourcefire owns the technology and makes it considerably easier to use. That’s why Sourcefire was started. Marty had a vision of being able to make a complex engine like Snort very easy to configure, so he started Sourcefire -- and voilà.

    For further tuning steps (and there can be a lot of them, depending on your network), we have consulting services available. I can’t give all the answers away! ;)

    Thursday, January 8

    Desk Clearing Challenge

    Okay, here’s my Challenge for you all.


    Take your desk. Work, home, wherever it is.


    Take everything off it. Everything except your computer. (Mouse, keyboard, monitor, iPod/iPhone dock, and maybe some speakers can stay.) Everything else comes off. Put it in a pile on the floor or in your inbox or something. Not even Post-it Notes. If you are one of those people that puts Post-it Notes on your monitor or desk or something like that, take those off. Clean. Use the picture attached to this post as a reference for what it should look like.


    Now, let’s go through this stuff.


    Pile of stuff. Go piece by piece. Do you need to file it? Go file it. As a matter of fact, would you be better served by scanning whatever the piece of paper is and putting it into your computer?


    What do you take notes on? Paper? How about you try taking all your notes digitally. Use something like Evernote, or Notepad, or Wordpad. Doesn’t matter what it is, just get your notes digital. If you are using Mail.app, use the Notes. If you can use Evernote, use Evernote. Do you use Outlook? It has a notes feature as well. Give it a shot.


    All those Post-it Notes. Are they reminders? “Shut off the lights”. Try putting stuff like this on your calendar: “New Event -- Shut off the lights, set reminder, every day M-F 5 pm”. Are they phone numbers for people? Put them in the Address Book on your computer, in Outlook or whatever you use to manage your contacts. Are they serial numbers or helpful little jotdowns? Put them in a note and title it appropriately so you can find it again.


    What is left? Catalogues? Do you need them? Do you need all of them? Can you reduce costs by going with one vendor for your office supplies? Throw out the ones you don’t need or want anymore, then put the ones you want to keep on a bookshelf or in a desk drawer. Better yet -- can you throw them all away and manage the account online, ordering and everything? Try recycling those inch-thick catalogues.


    For those of you that have a laptop as your desktop machine, you have the ideal setup. You can take your desktop with you, all your notes, everything. Awesome. How can you make this work for you? Taking your laptop to meetings? Can you take notes on your phone/mobile device and then email the notes to yourself?


    If you have your own printer in your office and you have a bad habit of printing out lots of stuff, try shutting off the printer. Unplug it. Make it a chore for yourself to print something out. Avoid printing as much as you can.


    At the end of this exercise, your desk should look like the picture above, and you should have nothing on the floor.


    Are you one of those people that has one of those big flat desk calendars? Or a piece of glass with business cards stored underneath? Take those business cards and put them in your address book/contact list. How about that desk calendar? Can you use the calendar on your computer? In Outlook? iCal? Lightning? Google Calendar?


    Digitize yourself. Use things like Dropbox, LiveMesh, or iDisk to be able to get at all your things wherever you are.


    For the next step, get really down and dirty and do the same thing through your desk drawers. Good Luck. Let me know your results.


    By the way, yes, I’ve done this.


    Monday, December 22

    Immaculate Collection

    (Preface: I wrote this around January of 2007 and simply forgot about it. I wrote it around the time that Marty was writing these posts: here. Also when Richard was writing these posts here.)


    I started playing with Sguil again recently. For the benefit of those that don’t know, Sguil is a Snort-based “NSM” system. It uses Snort and some other tools brought together in one interface to provide better analysis and results. The main feature of Sguil is that it runs something like Tcpdump, Snort, or Daemonlogger in order to dump ALL traffic to disk.

    I bought my good friend Richard Bejtlich’s “The Tao of Network Security Monitoring” book earlier this year.


    Richard has the theory of: “collect all packets, because without all packets the total picture isn’t seen”. In principle, I agree. I used to use this methodology heavily in my last job, and it worked quite well at the time.


    He also goes on to say that while IDS “alerting” has its place, without “context” (the surrounding traffic on the network) the alert will make no sense. I don’t know if I rightly agree with that statement as a whole. Let me explain my different view of “context”.


    At my company, Sourcefire, we make a product called “RNA”, which stands for “Real-Time Network Awareness”. This product, coupled with our IPSs and Defense Center, makes an extremely powerful tool for analyzing “alert traffic”. Let me give you an example.


    Simple Example:

    A hacker attacks your network with an exploit against IIS servers. If any of you have ever seen something like this before in your analyst lives, you probably know that they will either 1) prescan your network for open http ports, or 2) just automate the attack so no prescan takes place, just the attack, very quickly.


    If you have plain vanilla Snort, you will get an alert for every one of these attempts. Using the “Collection” theory, we would also collect all traffic for these connections, and we are able to see which attacks got through the firewall, not which ones didn’t. You can even take this a step further and rebuild the session to see what took place (if anything). This is a lot of data. We’re talking about a pcap file that contains not only all these hundreds of potential connections, but every other connection that is taking place on the network at the same time.


    Now, there is nothing wrong with that if:

    A) You have the hard drive space.

    B) You have the time.

    C) Your machines doing the sniffing can keep up.

    D) You have the personnel to manage all the time, data, and storage.


    The problem with it is that at modern network speeds, and the speed at which a program would have to write this stuff to disk, something would give. Now I am not talking about your 500 Mbit/s networks. I’m talking about the majority of the networks that I deal with, which are >1 Gig/s. Whether it be the hard drive, memory, or whatever, something would buffer somewhere, and more than likely you are going to drop packets. Again, I’m not saying that this is totally a bad idea, I’m just bringing up the cons alongside the pros.


    But let’s look at it a different way. RNA profiles the hosts on your network, both pre-attack and during, in real time. RNA knows which machines are running IIS (if any) and which ones aren’t. So it already knows if you will be affected by the IIS exploit attempt.


    When these alerts come back to the DC (Defense Center), the DC correlates the RNA event with the Intrusion Sensor alert and the “fat rises to the top” as it were. The DC knows to say “Hey, this attack affects IIS version 5, and only version 5, on Windows...etc..” This is technology that Sourcefire has invented and patented.


    So instead of you now having to analyze hundreds of alerts and thousands of packets, it’s: hey, I only have “these two machines” over here running IIS, and the DC told me that I need to look at these alerts first. Are the other alerts still recorded? Yes, but now I know through the correlation which machines will receive a greater IMPACT from the attack: the two IIS machines. My other Apache boxes aren’t affected at all, so who really cares.


    Let’s take it a step further. Say the exploit was against IIS 5.0. Well, our two machines are running IIS 6.0. (I’m inferring patch level with this example.)


    So do we really care? Well, we might like to know: hey, there was an attempt, that’s great, but it doesn’t affect us, we’re not vulnerable to it, so lower the IMPACT and let’s move on to the next alert.


    If you were collecting packets using the “Immaculate Collection” theory, you’d have to analyze all these streams to make sure that each IIS/Apache/etc. box returned a 404 or whatever other error code.


    Could we do that with Snort? Yes, of course we could. But if RNA knows our network already, then is it important to us? Or is it just informational at this point?


    Take it a step further. Think about the exploits that affect browsers, mail clients, versions of SSH, telnet, snmp, etc. RNA already knows these services and applications on your network, before the attack even takes place.


    A single glance lets us look at these thousands of alerts and say: hey, these two machines are running IIS, but we’re not vulnerable to the attack. In a matter of seconds.
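The correlation the post describes, reduced to code as an added example (this is not Sourcefire’s RNA or Defense Center code): each alert is matched against a host profile and tagged with an impact level, so the IIS 5.0 box sorts to the top, the IIS 6.0 box is marked not vulnerable, and the Apache boxes drop to the bottom. The host profile, the rule-to-product mapping, the SID and all addresses are constructed for illustration.

```python
"""Rank IDS alerts by host impact using a passively built host profile."""

# Constructed host profile: what discovery learned about each IP
# (OS, and for each listening port the product and version).
HOSTS = {
    "10.0.0.10": {"os": "Windows 2000", "services": {80: ("IIS", "5.0")}},
    "10.0.0.11": {"os": "Windows 2003", "services": {80: ("IIS", "6.0")}},
    "10.0.0.12": {"os": "Linux", "services": {80: ("Apache", "2.2")}},
    "10.0.0.13": {"os": "Linux", "services": {22: ("OpenSSH", "4.7")}},
}

# Constructed rule metadata: which product and versions a rule's exploit affects.
RULES = {
    1001: {"msg": "WEB-IIS exploit attempt", "product": "IIS", "versions": {"5.0"}},
}

# Highest impact first; UNKNOWN still needs a human, so it outranks the known-safe cases.
LEVELS = ("VULNERABLE", "UNKNOWN", "NOT VULNERABLE", "NOT APPLICABLE")

def impact(sid, dst_ip, dst_port):
    """Classify one alert against the profile of the host it targeted."""
    rule = RULES[sid]
    host = HOSTS.get(dst_ip)
    if host is None:
        return "UNKNOWN"              # never profiled: cannot lower the impact
    svc = host["services"].get(dst_port)
    if svc is None or svc[0] != rule["product"]:
        return "NOT APPLICABLE"       # the Apache boxes (or nothing on that port)
    if svc[1] in rule["versions"]:
        return "VULNERABLE"           # IIS 5.0: look at this one first
    return "NOT VULNERABLE"           # IIS 6.0: attempt seen, but lower the impact

def triage(alerts):
    """alerts: (sid, src, dst, dst_port) tuples. Return (impact, sid, src, dst),
    highest impact first; ties keep arrival order."""
    ranked = [(impact(sid, dst, port), sid, src, dst) for sid, src, dst, port in alerts]
    ranked.sort(key=lambda r: LEVELS.index(r[0]))
    return ranked

# Constructed burst: one attacker sprays the IIS exploit at every web port it found,
# including a host the profile has never seen.
ALERTS = [(1001, "192.0.2.7", dst, 80)
          for dst in ("10.0.0.10", "10.0.0.11", "10.0.0.12", "10.0.0.13", "10.0.0.99")]

if __name__ == "__main__":
    for level, sid, src, dst in triage(ALERTS):
        print(f"{level:15} sid={sid} {src} -> {dst}")
```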


    If you’ve ever heard Marty Roesch speak, you’ll know that it is his belief that “Humans” basically can’t make the decisions for the IDS. Why don’t we let RNA tune it directly? But that’s for a totally different post, one that Marty has covered on his blog as well.


    Of course there are strong points to both sides of the discussion. Share your thoughts in the comments.







    ® Snort, Daemonlogger, RNA, Defense Center, and Sourcefire are all registered trademarks of Sourcefire, Inc.