Parsing Netflow using Kibana via Logstash to ElasticSearch

This blog entry shows how to easily insert flow data into an ElasticSearch instance using Logstash and view the data using Kibana. To keep the example simple, we will use the Kibana that is integrated into Logstash. We will not use …

Posted in network, software

Detecting Tor network traffic with YaF and Python

This entry continues a series of posts on identifying Tor network traffic and usage. The entry will demonstrate how to parse the output of YaF records via mediator using a Python script in order to determine if the SSL certificate …

Posted in network, security

Detecting Tor network traffic with SiLK

This entry continues a series of posts on identifying Tor network traffic and usage. This post is not to argue the merits of allowing Tor to run on a network. However, the entry will demonstrate how to create a set …

Posted in network, security

Detecting Tor traffic with Bro network traffic analyzer

This entry is a post in a series on identifying Tor (the onion router) network traffic and usage using the Bro network traffic analyzer. To learn more about both projects, please visit the aforementioned links. This post is not to …

Posted in network, security

Resizing Xen guest partition-based filesystems

This post assumes you are running the Xen hypervisor and are using a partition-based filesystem for the Xen guest you would like to resize. I have previously written on Installing Xen on CentOS 6 from source and another blog …

Posted in systems administration

Creating Debian guests on Xen using a partition-based filesystem

This guide describes how to create a filesystem and guest for the Xen hypervisor. This assumes you have a working Xen install with DomU. I have described setting up a Xen hypervisor from source in another post titled Installing …

Posted in systems administration

Installing Xen on CentOS 6 from source

I recently had a need to install the Xen hypervisor on CentOS, and most of the guides covered using the package maintainer's version. Further, RHEL distributions favor using KVM. I did come across HowTo: Install XEN Dom0 on CentOS 6 from …

Posted in systems administration

Passive DNS collection and analysis using YaF and Mediator

Passive DNS is a useful tool in any analyst team's toolbox. I have noted several public sensors here, but they only see data (queries and responses) that traverses their sensors. I have been working on setting up passive DNS using …

Posted in security

Online Information Security Analysis Tools and Resources

Here is a list of sites that analysts may find useful in their day-to-day analysis of indicators and threats. While verifying and searching for new sources, I came across Links and resources for malware samples and Free Online Tools for Looking …

Posted in security

Running Moloch

This is an overview of installing and running Moloch on a single host. After seeing the 2013 ShmooCon presentation, I have been looking forward to giving the tool a test-drive. Per the documentation, “Moloch is an open source large scale …

Posted in network, security

Increment IP packet timestamp

I recently had a need to specify and increment the IP timestamp values of packets in a PCAP. In this example, the starting second value is specified and we increment the microsecond value. This requires the use of Scapy. If …

Posted in network

Running SnortAD

I recently fired up a Snort Anomaly Detection instance provided by the SnortAD project and wanted to share my experience for those who might be interested in trying it on their network. SnortAD is the third generation anomaly detection preprocessor …

Posted in network, security

Mailing Lists

Here are a few technology and information security related mailing lists that I subscribe to, in no particular order. Leave a comment if you think I missed one. asterisk-users.lists.digium.com beginners.perl.org snort-users.lists.sourceforge.net nessus.list.nessus.org pauldotcom.mail.pauldotcom.com samurai-devel.lists.sourceforge.net ptk-forensics-mail.lists.sourceforge.net gcfa.lists.sans.org framework-hackers.spool.metasploit.com framework.spool.metasploit.com secureideas-base-user.lists.sourceforge.net python-list.python.org nexpose-users.lists.rapid7.com …

Posted in network, security

Podcasts

Here’s a list of information technology and security podcasts. Some are technical, others are higher level, so YMMV. Essentially a source of information to keep me up to date on what’s going on in the information technology realm. If you …

Posted in network, security

Decoding XOR payload using first few bytes as key

I recently came across the need to decode an exclusive or (XOR) payload. In my case, the key to de-obfuscating the traffic was the first three bytes of each packet's payload. While it is trivial to decode each payload, it …

Posted in network, security

World IPv6 Day

World IPv6 Day (June 8th 2012) is rapidly approaching. It is an exciting and scary reality. For my personal assets, there was a small investment on my part to get everything up to par. My internet provider Comcast is dual-stack …

Posted in network

How-to setup an Upside-Down-Ternet

In an effort to replicate the amusing idea of a transparent proxy that manipulates traffic in a fun way, found here and made even better with some great scripts that you can pull down from here, a Debian box was …

Posted in internet

Block Command and Control requests using ASA 5500

I recently came across a blog post demonstrating how to use the Emerging Threats rule sets in order to block malware calls to command and control (C&C) hosts. Using the script referenced in the blog post may work fine, but …

Posted in internet, security

Amazon S3 Server-Side Encryption using GSUtil

If you would like to enable server-side encryption, a relatively new feature, for your Amazon S3 data using GSUtil, then you need to specify the header value when pushing files to their cloud: $ gsutil -h "x-amz-server-side-encryption: AES256" cp …

Posted in security

Block IRC and other communications with McAfee VirusScan

After taking a peek at some McAfee logs, I decided to try mucking about with some of the Access Protection functionality, specifically IRC communication. I noticed there were a number of useful entries that could be sent to log or …

Posted in security