#Network Traffic Capture in Virtual Enviroments
This post demonstrates howto mirror interfaces on a virtual private server (VPS) in a cloud environment, e.g. virtual machine (VM) on a hypervisor where you …
Technical notes
Articles
Security engineering notes, network defense walkthroughs, and practical technical references.
#Network Traffic Capture on Linux using OpenvSwitch
This post demonstrates how you can mirror interfaces on a Linux server in an environment where you may not have physical network taps or SPAN ports. We can u…
#Benchmarking Websites with ab and tsung
Everyone enjoys responsive websites and being that I host a few, look for ways to improve their speed. Previously, I was interested in, HTTP, HTTPS, and HTTP…
#Detecting Tor traffic with Bro network traffic analyzer
This entry is a post in a series in order to identify Tor (the onion router) network traffic and usage using Bro Network Security Monitor. To learn more abou…
#SiLK Network Traffic Analysis Visualization with R and Rayon
In this post, the process for retroactively identifying and graphing a HTTPS DDoS of service condition is described. Why do we care about graphing, because i…
#Online Information Security Analysis Tools and Resources
A list of sites that analysts may find useful in their day-to-day analysis of indicators and threats. While verifying and searching for new sources, I came a…
#Graphing Namebench Spreadsheet Data with R
In the previous post, I described the process of benchmarking domain name servers for a website domain with a modified version of Namebench. Namebench genera…
#Benchmarking Website Domain Name Servers
This post evaluates a few methods to benchmark name servers that provide resolution of your websites domain name to its respective IP address. While DNS reso…
#Building Apache and ModSecurity from source
This entry describes settting up ModSecurity on a node in order to protect a few WordPress sites I host. There are a slew of guides out there describing ModS…
#Redirect HTTP to HTTPS using Varnish
I recently enabled HTTPS on this site and wanted to use a 301 redirect in order to correctly re-route guests from HTTP to HTTPS (HTTP to SSL/TLS). I original…
#Making WordPress Fast
This site previously used WordPress as a CMS platform. Quite a bit of time was spent tuning in order to get page load times that were consistently less then …
#Parsing Microsoft DNS Server Logs
This is a quick post about one of many ways you may want to parse Microsoft DNS server logs. I this case, I simply wanted to know the top talkers. We use she…
#Parsing Netflow using Kibana via Logstash to ElasticSearch
This blog entry shows how to easily insert flow data into an ElasticSearch instance using Logstash and view the data using Kibana. To keep the example simple…
#Detecting Tor network traffic with YaF and Python
This entry continues a series of posts on identifying Tor network traffic and usage. The entry will demonstrate how to parse the output of YaF records via me…
#Detecting Tor network traffic with SiLK
This entry continues a series of posts on identifying Tor network traffic and usage. This post is not to argue the merits of allowing Tor to run on a network…
#Resizing Xen guest parition based filesystems
This post assumes you are running the Xen hypervisor and are using a partitions based filesystems for you Xen guest you would like to re-size. I have previou…
#Creating Debian guests on Xen using parition based filesystem
This guide describes how to create a filesystem and guest for the Xen hypervisor. This assumes you have a working Xen install with Dom U. I have described se…
#Installing Xen on CentOS 6 from source
I recently had a need to install Xen hypervisor on CentOS and most of the guides covered using the package maintainers version. Further, RHEL distributions f…
#Passive DNS collection and analysis using YaF and Mediator
Passive DNS is a useful tool for any analysts teams toolbox, I have noted several public sensors here but they only see data (queries and responses) that tra…
#Running Moloch
This is an overview of installing and running Moloch on a single host. After seeing the 2013 ShmooCon presentation, I have been looking forward to giving the…
#Increment IP packet timestamp
I recently had a need to specify and increment the IP timestamp values of packets in a PCAP. In this example, the starting second value is specified and we i…
#Running SnortAD
I recently fired up a Snort Anomaly Detection instance provided by the SnortAD project and wanted to share my experience for those who might be interested in…
#Mailing Lists
Here are a few technology and information security related mailing-lists that I subscribe to in no particular order. Leave a comment if you think I missed on…
#Podcasts
Here is a list of information technology and security podcasts. Some are technical, others are higher level so YMMV. A source of information to keep me up to…
#Decoding XOR payload using first few bytes as key
I recently came across the need to decode an exclusive or (XOR) payload. In my case, the key to de-obfuscating the traffic was the first three bytes of each …
#World IPv6 Day
<img src="/assets/IPv6-wordmark-256-trans.png" style="float:right; padding:10px;" /World IPv6 Day on June 8th 2012 is rapidly approaching. It is an exciting …
#How-to setup an Upside-Down-Ternet
In an effort to replicate the amusing idea of a transparent proxy that manipulates traffic in a fun way found here and made even better with some great scrip…
#Block Command and Control requests using ASA 5500
I recently came across a blog post demonstrating how to use the Emerging Threats rule sets in order to block malware calls to command and control (C&C) hosts…
#Amazon S3 Server-Side Encryption using GSUtil
If you would like to enable server-side encryption which is a relatively new feature for your Amazon S3 data using GSUtil then you need specify the header va…
#Block IRC and other communications with McAfee VirusScan
After seeing some suspicious activitiy in my McAfee antivirus logs, I learned the Access Protection functionality, specifically IRC communication setting may…
#Variance in rwfilter results from netflow v5 and YaF
Looking over some netflow data I notice some variance between the two sensors. Sensor s0 is v5 netflow data from a Cisco switch, s1 is from a network tap lis…
#Configure YAF on Linux for NetFlow collection from a network tap or SPAN
In a previous post SiLK was setup on a Debian host using NetFlow v5 from a Cisco switch. This worked well but I also have a network tap and said Cisco switch…
#Configure SiLK on Linux for NetFlow collection from a Cisco router
This guide walks through configuring SiLK from a source install on a Debian 6 host in order to collect NetFlow data from a Cisco router. The guides here and …
#Setting Google Storage object ACL for authenticated downloads
Google's gsutil is a great tool for pushing, retrieving and setting permissions on objects uploaded to Google Storage. I was reviewing the documentation on t…
#Running NIX Retina and Nessus vulnerability scans with least privileges
When you are running those vulnerability scans of Linux and UNIX hosts I hope that you are following best practices for keeping a host secure during the proc…
#Use Facebook CDN to host website photo gallerys
I was thinking about how to retrieve photos from Facebook photo gallery's and came across a number of solutions. Most of the solutions were for blog or CMS a…
#Blocking evil with the Enhanced Mitigation Experience Toolkit EMET
While experimenting with EMET I decided to put together a little presentation demonstrating how it can be used to prevent exploitation of a known threat to A…
#Pseudo Gmail address obfuscation
I was hunting around for a way to create email aliases for mailing-lists and whatnot. It is a little disappointing to learn that there is not away to create …
#Insecure Library Loading Could Allow Remote Code Execution
Note this is an older post that I am migrating from another blog I previously maintained. Metasploit has already provide a nice write up of the pwning, I mea…
#Keeping your hardware safe and avoiding the evil maid
This installment is about keeping your notebook and other technology items safe. I was recently asked what the Defcon locks were for that I have been distrib…
#Creating VMware VMDK files from DD images using Live View
While watching some Florida football today I decide to figure out how to mount/run a DD image in VMware Workstation. My image mounting skills were a little l…
#How I got started in information technology
Every once in a while someone asks me how I got started in working in the information technology realm. Usually someone that is not in the industry or they a…
#Finally migrated from Blogger to WordPress
I haven't posted in a while because Blogger finally did away with their FTP/SCP publishing ability meaning if I wanted to continue using Google's Blogger pla…
#Redirect Blogger URL using Mod Rewrite and shell scripting fu
Blogger is doing away with the option to host your blog via your own host and migrating everything to the cloud. I wanted to have the option to continue host…
#A few tools that may help rid of malware
These tools may help rid a computer system of malware but be warned they can be very destructive to your system. In other words if you don't know what you're…
#Setting up maildrop with Courier MTA
Setting up maildrop with Courier MTA Before I get into the maildrop here are a few notes to myself for setting up Courier. Before running ./configure you sho…
#Migrating from Blogger to WordPress
Blogger is removing the functionality to host your own "Blogger" content by disabling the FTP/SFTP functionality from their system. I'm considering their hos…
#God Mode - Give Windows users an easier way to destory their computers
Windows 7 and Vista (latter can be buggy) has an interesting feature that allows quick access to allow kinds of administrative tools. To create God Mode simp…
#Google namebench helps find happy nameservers
I was recently checking name servers that I was using to resolve hosts on a network. After using tools such as ping, traceroute, and dig I decided to search …
#Problem with RAID volume larger then 2TB on Dell workstations
I ran into a interesting issue this weekend. I was setting up a RAID volume on a Optiplex and Precision workstations, which have three 1.5 Terabyte (TB) driv…
#Python File Uploader
I recently had a need to upload large files to a server via HTTP. Most of the solutions required tweaking the web server or PHP. Instead, I found a Python sc…
#Trouble accessing Gmail or internal chat client
I have been in a couple of places which I needed to access my email and chat so here is a little fix to get around DNS fixes that redirect hosts to the local…
#Facebook gets linked account support
Now you can logon to your Facebook account through several providers such as Google, Myspace and OpenId which IMO is great (I'm lazy). Just go to Settings, A…
#Installing Sun Java on Debian Lenny
The Sun Java JDK is available in the Debian Lenny non-free repository, therefore you must modify /etc/apt/sources.list: ~~~~ $ sudo vi /etc/apt/sources.list …
#Debian Backup Script
The script is located here. It can update the software repository, backup the file system, and send the backup to another machine via SSH. Feel free to try i…
#A few simple computing tips
Here's a short list of safe computing tips that may help you stay safe. \1. Passwords, use complex passwords and do not use the same password for MySpace/Fac…
#TrueCrypt on my Dell notebook
So I recently acquired a new notebook and I of course wanted the notebook to be secure. When I say secure I'm not just talking about preventing someone from …
#Using session-monitor to span ports as an aggregation tap
Like most I do not have the funds to purchase a $1000 port aggregation tap for my IDS to monitor traffic so instead I just used a 2950 Cisco Switch: ~~~~ ! i…
#Using metasploit to pwn MS06-067
In a graduate course I was taking, our professor wanted us to tool around with the Metasploit project. This tool makes quick work of exploiting vulnerabiliti…
#Erase slack space on Microsoft Vista
A lot of information may be stored on a drives slack space. If you want to get rid of these artifacts then run the usual tools to clean up the system like 'D…
#Gentoo Linux auto update script
A script that I had been using for sometime to update my Gentoo servers needed a few additions in my opinion. I spoke to the original developer of the script…
#Mounting drives/volumes read-only in Microsoft Windows (Vista)
I needed to analyze a drive for a company that suspects an ex-employee may have taken corporate material (training exercise or else I would use a hardware wr…
#Converting Microsoft OS to VMWare Guest
A friend had two notebooks running Microsoft XP Home and Professional editions in which the notebooks were no longer functional but the hard drives were in g…
#Converting Microsoft Vista from one version to another
A desktop that I had which was used for work recently would not activate because it required connectivity to the companies KMS server which I would connect t…
#Domain registrars spamming sub-domains?
In the process of setting up some virtual servers (slices) from www.slicehost.com I had to move the name servers around along with a migration to Google web …
#Encrypting a secondary drive (PGP or TrueCrypt)
In this post I am going to share my experiences with encrypting a secondary drive in a Windows Vista environment. The hardware is a Dell Optiplex core 2 duo.…
#Force Outlook to open all email in plain text
For reference. Strip HTML email in Outlook into plain text Content: First, this is secure as many of the worms and bugs rely on HTML script code. One good ex…
#Disable fast user switching on Vista
In Vista (unlike Windows XP), Fast User Switching works if you’re on a network domain. To turn off Fast User Switching, choose Start, type gpedit.msc in the …
#Kicking a user off a linux system
This might break something the user is doing. You have been warned. ~~~~ last -i1 baduser | awk '{print $3;exit}' | xargs -p --replace iptables -A INPUT -s {…
#Authenicating kerberos against active directory
Your /etc/pam.d/system-auth is created with the command "authconfig" on a RHEL5 machine though you may have to manually edit it with other distributions: ~~~…
#Configuring sendmail to accept mail
if you get ( doing a netstat -an more ) Then your sendmail server is configured to accept connections from localhost only. To change this behavior, you need …
#Edit group policy on remote computer
Want to open up the MMC of a local Group Policy on a remote machine? Simply go to Start Run and type: ~~~~ gpedit.msc /gpcomputer: Computername ~~~~
#Running processes in the background on Linux
If you just want your program to simply run in the background, launch it with a "&" at the end of the command from the shell. However, if it expects to use s…
#Adding a character to a line using Perl
#Getting Samba to play nicely with SELinux on RHEL
This helpful bit was written by Don Meyer. I am a little too stubborn for a quick fix like this, so I went the route of adding the specific rules needed to a…
#Remove index.php from wiki URL
In httpd.conf: ~~~~ Alias /wiki/index.php /home/rsreese/richardsreese/htdocs/w/index.php Alias /wiki /home/rsreese/richardsreese/htdocs/w/index.php ~~~~ In L…
#Courier Vacation Notice
~~~~ cc "| /usr/lib/courier/bin/mailbot -t autoresponse -s 'AutoAwayMessage' -A 'From: test@somedomain.com' /usr/sbin/sendmail -f ''"cc "!user@somedomain.edu…
#Compare Directory Contents on Linux computer
#NFS howto with static ports
First I am going to edit the /etc/sysconfig/nfs to specify the ports I want to run on. ~~~~ STATDPORT=4000 STATDOUTGOINGPORT=4004 LOCKDTCPPORT=4001 LOCKDUDPP…
#Multi-Touch Techonolgy - The new interface of computing
This video shows some of the capabilities of this system. <object width="416" height="342" classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="htt…
#SQL injection attack on a PostgreSQL database (t_jiaozhu)
A web server running Apache 2 and PostgreSQL was successfully compromised using a SQL injection vulnerability. I first noticed there was a new table in one o…
#Running UAC and some other tricks to keep your computer running smoothly
Most users I know run Microsoft products. A few of you may benefit from some basic tips to keep your computer out of BestBuy or your local computer vendor fo…
#Running Terminal Server on Windows 2003 Server
Vista has been a decent Operating System so far but there are still a large number of software vendors who were not prepared for the OS. A number of statisti…
#Using Common Sense to Secure your Information
Every day technology creates efficiency for millions of people. With all of the benefits that technology provides there are also many pitfalls that come with…
#Microsoft Vista and Office 2007 Initial Review
I recently got my hands on a copy of Microsoft’s latest offering in the form of desktop software, Vista and Office 2007. I have also acquired some new 64 bit…
#Copyrighted Music and Movies
Ever since the Napster rise and fall there has been an on going debate in regards to copyrighted material being shared across networks with peer to peer (P2P…
#What is Web 2.0
An article describing the slow migration to what some call Web 2.0 article: http://www.oreillynet.com/pub/a/oreilly/tim/news/2005/09/30/what-is-web-20.html?p…
#Botnets that make money but at whos expense
Witlog claims he do not use his botnet for illegal purposes, only "for fun." I found that claim pretty hard to believe given a) the income he could make inst…
#New phishing techniques to fool online users
People are becoming aware of the insecurities posed by online shopping, browsing, and even messaging. The days of email that are obviously spam due to misspe…