# Network Traffic Capture in Virtual Environments
This post demonstrates how to mirror interfaces on a virtual private server (VPS) in a cloud environment, e.g. a virtual machine (VM) on a hypervisor where you …
Technical notes
Security engineering notes, network defense walkthroughs, and practical technical references.
This post demonstrates how you can mirror interfaces on a Linux server in an environment where you may not have physical network taps or SPAN ports. We can u…
Everyone enjoys responsive websites, and since I host a few, I look for ways to improve their speed. Previously, I was interested in HTTP, HTTPS, and HTTP…
This entry is a post in a series in order to identify Tor (the onion router) network traffic and usage using Bro Network Security Monitor. To learn more abou…
In this post, the process for retroactively identifying and graphing an HTTPS DDoS condition is described. Why do we care about graphing? Because i…
A list of sites that analysts may find useful in their day-to-day analysis of indicators and threats. While verifying and searching for new sources, I came a…
In the previous post, I described the process of benchmarking domain name servers for a website domain with a modified version of Namebench. Namebench genera…
This post evaluates a few methods to benchmark name servers that provide resolution of your website's domain name to its respective IP address. While DNS reso…
This entry describes setting up ModSecurity on a node in order to protect a few WordPress sites I host. There are a slew of guides out there describing ModS…
I recently enabled HTTPS on this site and wanted to use a 301 redirect in order to correctly re-route guests from HTTP to HTTPS (HTTP to SSL/TLS). I original…
This site previously used WordPress as a CMS platform. Quite a bit of time was spent tuning in order to get page load times that were consistently less than …
This is a quick post about one of many ways you may want to parse Microsoft DNS server logs. In this case, I simply wanted to know the top talkers. We use she…
This blog entry shows how to easily insert flow data into an ElasticSearch instance using Logstash and view the data using Kibana. To keep the example simple…
This entry continues a series of posts on identifying Tor network traffic and usage. The entry will demonstrate how to parse the output of YaF records via me…
This entry continues a series of posts on identifying Tor network traffic and usage. This post is not to argue the merits of allowing Tor to run on a network…
This post assumes you are running the Xen hypervisor and are using a partition-based filesystem for the Xen guest you would like to re-size. I have previou…
This guide describes how to create a filesystem and guest for the Xen hypervisor. This assumes you have a working Xen install with Dom U. I have described se…
I recently had a need to install the Xen hypervisor on CentOS, and most of the guides covered using the package maintainer's version. Further, RHEL distributions f…
Passive DNS is a useful tool for any analyst team's toolbox. I have noted several public sensors here, but they only see data (queries and responses) that tra…
This is an overview of installing and running Moloch on a single host. After seeing the 2013 ShmooCon presentation, I have been looking forward to giving the…
I recently had a need to specify and increment the IP timestamp values of packets in a PCAP. In this example, the starting second value is specified and we i…
I recently fired up a Snort Anomaly Detection instance provided by the SnortAD project and wanted to share my experience for those who might be interested in…
Here are a few technology and information security related mailing-lists that I subscribe to in no particular order. Leave a comment if you think I missed on…
Here is a list of information technology and security podcasts. Some are technical, others are higher level so YMMV. A source of information to keep me up to…
I recently came across the need to decode an exclusive or (XOR) payload. In my case, the key to de-obfuscating the traffic was the first three bytes of each …
World IPv6 Day on June 8th 2012 is rapidly approaching. It is an exciting …
In an effort to replicate the amusing idea of a transparent proxy that manipulates traffic in a fun way found here and made even better with some great scrip…
I recently came across a blog post demonstrating how to use the Emerging Threats rule sets in order to block malware calls to command and control (C&C) hosts…
If you would like to enable server-side encryption, a relatively new feature, for your Amazon S3 data using GSUtil, then you need to specify the header va…
After seeing some suspicious activity in my McAfee antivirus logs, I learned the Access Protection functionality, specifically the IRC communication setting, may…
Looking over some NetFlow data I noticed some variance between the two sensors. Sensor s0 is v5 NetFlow data from a Cisco switch; s1 is from a network tap lis…
In a previous post SiLK was setup on a Debian host using NetFlow v5 from a Cisco switch. This worked well but I also have a network tap and said Cisco switch…
This guide walks through configuring SiLK from a source install on a Debian 6 host in order to collect NetFlow data from a Cisco router. The guides here and …
Google's gsutil is a great tool for pushing, retrieving and setting permissions on objects uploaded to Google Storage. I was reviewing the documentation on t…
When you are running those vulnerability scans of Linux and UNIX hosts I hope that you are following best practices for keeping a host secure during the proc…
I was thinking about how to retrieve photos from Facebook photo galleries and came across a number of solutions. Most of the solutions were for blog or CMS a…
While experimenting with EMET I decided to put together a little presentation demonstrating how it can be used to prevent exploitation of a known threat to A…
I was hunting around for a way to create email aliases for mailing-lists and whatnot. It is a little disappointing to learn that there is not a way to create …
Note this is an older post that I am migrating from another blog I previously maintained. Metasploit has already provide a nice write up of the pwning, I mea…
This installment is about keeping your notebook and other technology items safe. I was recently asked what the Defcon locks were for that I have been distrib…
While watching some Florida football today I decided to figure out how to mount/run a DD image in VMware Workstation. My image mounting skills were a little l…
Every once in a while someone asks me how I got started in working in the information technology realm. Usually someone that is not in the industry or they a…
I haven't posted in a while because Blogger finally did away with their FTP/SCP publishing ability meaning if I wanted to continue using Google's Blogger pla…
Blogger is doing away with the option to host your blog via your own host and migrating everything to the cloud. I wanted to have the option to continue host…
These tools may help rid a computer system of malware but be warned they can be very destructive to your system. In other words if you don't know what you're…
Setting up maildrop with Courier MTA. Before I get into maildrop, here are a few notes to myself for setting up Courier. Before running ./configure you sho…
Blogger is removing the functionality to host your own "Blogger" content by disabling the FTP/SFTP functionality from their system. I'm considering their hos…
Windows 7 and Vista (the latter can be buggy) have an interesting feature that allows quick access to all kinds of administrative tools. To create God Mode simp…
I was recently checking name servers that I was using to resolve hosts on a network. After using tools such as ping, traceroute, and dig I decided to search …
I ran into an interesting issue this weekend. I was setting up a RAID volume on Optiplex and Precision workstations, which have three 1.5 Terabyte (TB) driv…
I recently had a need to upload large files to a server via HTTP. Most of the solutions required tweaking the web server or PHP. Instead, I found a Python sc…
I have been in a couple of places which I needed to access my email and chat so here is a little fix to get around DNS fixes that redirect hosts to the local…
Now you can logon to your Facebook account through several providers such as Google, Myspace and OpenId which IMO is great (I'm lazy). Just go to Settings, A…
The Sun Java JDK is available in the Debian Lenny non-free repository, therefore you must modify /etc/apt/sources.list: ~~~~ $ sudo vi /etc/apt/sources.list …
The script is located here. It can update the software repository, backup the file system, and send the backup to another machine via SSH. Feel free to try i…
Here's a short list of safe computing tips that may help you stay safe. 1. Passwords: use complex passwords and do not use the same password for MySpace/Fac…
So I recently acquired a new notebook and I of course wanted the notebook to be secure. When I say secure I'm not just talking about preventing someone from …
Like most I do not have the funds to purchase a $1000 port aggregation tap for my IDS to monitor traffic so instead I just used a 2950 Cisco Switch: ~~~~ ! i…
In a graduate course I was taking, our professor wanted us to tool around with the Metasploit project. This tool makes quick work of exploiting vulnerabiliti…
A lot of information may be stored in a drive's slack space. If you want to get rid of these artifacts then run the usual tools to clean up the system like 'D…
A script that I had been using for some time to update my Gentoo servers needed a few additions in my opinion. I spoke to the original developer of the script…
I needed to analyze a drive for a company that suspects an ex-employee may have taken corporate material (training exercise or else I would use a hardware wr…
A friend had two notebooks running Microsoft XP Home and Professional editions in which the notebooks were no longer functional but the hard drives were in g…
A desktop that I had which was used for work recently would not activate because it required connectivity to the company's KMS server, which I would connect t…
In the process of setting up some virtual servers (slices) from www.slicehost.com I had to move the name servers around along with a migration to Google web …
In this post I am going to share my experiences with encrypting a secondary drive in a Windows Vista environment. The hardware is a Dell Optiplex core 2 duo.…
For reference: strip HTML email in Outlook into plain text. First, this is secure as many of the worms and bugs rely on HTML script code. One good ex…
In Vista (unlike Windows XP), Fast User Switching works if you’re on a network domain. To turn off Fast User Switching, choose Start, type gpedit.msc in the …
This might break something the user is doing. You have been warned. ~~~~ last -i1 baduser | awk '{print $3;exit}' | xargs -p --replace iptables -A INPUT -s {…
Your /etc/pam.d/system-auth is created with the command "authconfig" on a RHEL5 machine though you may have to manually edit it with other distributions: ~~~…
If you get (doing a netstat -an more) then your sendmail server is configured to accept connections from localhost only. To change this behavior, you need …
Want to open up the MMC of a local Group Policy on a remote machine? Simply go to Start, Run and type: ~~~~ gpedit.msc /gpcomputer: Computername ~~~~
If you just want your program to simply run in the background, launch it with a "&" at the end of the command from the shell. However, if it expects to use s…
This helpful bit was written by Don Meyer. I am a little too stubborn for a quick fix like this, so I went the route of adding the specific rules needed to a…
In httpd.conf: ~~~~ Alias /wiki/index.php /home/rsreese/richardsreese/htdocs/w/index.php Alias /wiki /home/rsreese/richardsreese/htdocs/w/index.php ~~~~ In L…
~~~~ cc "| /usr/lib/courier/bin/mailbot -t autoresponse -s 'AutoAwayMessage' -A 'From: test@somedomain.com' /usr/sbin/sendmail -f ''"cc "!user@somedomain.edu…
First I am going to edit the /etc/sysconfig/nfs to specify the ports I want to run on. ~~~~ STATDPORT=4000 STATDOUTGOINGPORT=4004 LOCKDTCPPORT=4001 LOCKDUDPP…
This video shows some of the capabilities of this system.
A web server running Apache 2 and PostgreSQL was successfully compromised using a SQL injection vulnerability. I first noticed there was a new table in one o…
Most users I know run Microsoft products. A few of you may benefit from some basic tips to keep your computer out of BestBuy or your local computer vendor fo…
Vista has been a decent Operating System so far but there are still a large number of software vendors who were not prepared for the OS. A number of statisti…
Every day technology creates efficiency for millions of people. With all of the benefits that technology provides there are also many pitfalls that come with…
I recently got my hands on a copy of Microsoft’s latest offering in the form of desktop software, Vista and Office 2007. I have also acquired some new 64 bit…
Ever since the Napster rise and fall there has been an ongoing debate in regards to copyrighted material being shared across networks with peer to peer (P2P…
An article describing the slow migration to what some call Web 2.0 article: http://www.oreillynet.com/pub/a/oreilly/tim/news/2005/09/30/what-is-web-20.html?p…
Witlog claims he does not use his botnet for illegal purposes, only "for fun." I found that claim pretty hard to believe given a) the income he could make inst…
People are becoming aware of the insecurities posed by online shopping, browsing, and even messaging. The days of email that are obviously spam due to misspe…