Stephen Reese

Network Traffic Capture on Linux using OpenvSwitch

This post demonstrates how you can mirror interfaces on a Linux server in an environment where you may not have physical network taps or SPAN ports. We can use OpenvSwitch in order to forward traffic between nodes, even if we are not using virtualization. Each node being monitored needs two …

Benchmarking Websites with ab and tsung

Everyone enjoys responsive websites and being that I host a few, look for ways to improve their speed. Previously, I was interested in, HTTP, HTTPS, and HTTP/WAF, I now primarily focus on HTTPS. Browsers and third-party online services may be used in order to benchmark page performance but began …

Detecting Tor traffic with Bro network traffic analyzer

This entry is a post in a series in order to identify Tor (the onion router) network traffic and usage using Bro Network Security Monitor. To learn more about both projects, please visit the aforementioned links. This post is not to argue the merits of allowing Tor to run on …

SiLK Network Traffic Analysis Visualization with R and Rayon

In this post, the process for retroactively identifying and graphing a HTTPS DDoS of service condition is described. Why do we care about graphing, because it can be a great way to describe data to folks that may not be interested in looking at it in a tabular form, e …

Online Information Security Analysis Tools and Resources

A list of sites that analysts may find useful in their day-to-day analysis of indicators and threats. While verifying and searching for new sources, I came across Links and resources for malware samples, Malware Analysis and Incident Response Tools for the Frugal and Lazy, and Free Online Tools for Looking …

Graphing Namebench Spreadsheet Data with R

In the previous post, I described the process of benchmarking domain name servers for a website domain with a modified version of Namebench. Namebench generates graphs using the Google chart API. This left me wanting a little more therefore decided to explore the data using the R Project. This post …

Benchmarking Website Domain Name Servers

This post evaluates a few methods to benchmark name servers that provide resolution of your websites domain name to its respective IP address. While DNS resolution for you domain is a small piece of the process for a user to retrieve a page, it is still important to provide the …

Building Apache and ModSecurity from source

This entry describes settting up ModSecurity on a node in order to protect a few WordPress sites I host. There are a slew of guides out there describing ModSecurity builds but I wanted to leverage the latest ModSecurity and Apache MPM Event packages which typically are not included in most …

Redirect HTTP to HTTPS using Varnish

I recently enabled HTTPS on this site and wanted to use a 301 redirect in order to correctly re-route guests from HTTP to HTTPS (HTTP to SSL/TLS). I originally performed all of my rewrites in Apache which acts as my backend. While Apache handled the typical non-www to www …

Making WordPress Fast

This site previously used WordPress as a CMS platform. Quite a bit of time was spent tuning in order to get page load times that were consistently less then 500ms although usually closer to 200 to 300ms. The WordPress site was able to burst to around to 2000 users per …

Parsing Microsoft DNS Server Logs

This is a quick post about one of many ways you may want to parse Microsoft DNS server logs. I this case, I simply wanted to know the top talkers. We use shell and Python in this entry on a Linux host. We follow-up with an all inclusive Python script …

Parsing Netflow using Kibana via Logstash to ElasticSearch

This blog entry shows how to easily insert flow data into an ElasticSearch instance using Logstash and view the data using Kibana. To keep the example simple, we will use Kibana that is integrated in LogStash. We will not use the ElasticSearch that is bundled with LogStash. Instead, we will …

Detecting Tor network traffic with YaF and Python

This entry continues a series of posts on identifying Tor network traffic and usage. The entry will demonstrate how to parse the output of YaF records via mediator using a Python script in order to determine if the SSL certificate values match the pattern of Tor certificates. It is assumed …

Detecting Tor network traffic with SiLK

This entry continues a series of posts on identifying Tor network traffic and usage. This post is not to argue the merits of allowing Tor to run on a network. However, the entry will demonstrate how to create a set of Tor server IP addresses to parse network flow using …

Resizing Xen guest parition based filesystems

This post assumes you are running the Xen hypervisor and are using a partitions based filesystems for you Xen guest you would like to re-size. I have previously written on Installing Xen on CentOS 6 from source and another blog entry that describes how to create partition based Xen guests …

Creating Debian guests on Xen using parition based filesystem

This guide describes how to create a filesystem and guest for the Xen hypervisor. This assumes you have a working Xen install with Dom U. I have described setting up a Xen hypervisor from source in another posted titled Installing Xen on CentOS 6 from source. Create a partition to …

Installing Xen on CentOS 6 from source

I recently had a need to install Xen hypervisor on CentOS and most of the guides covered using the package maintainers version. Further, RHEL distributions favor using KVM. I did come across HowTo: Install XEN Dom0 on CentOS 6 from source but the domain was blocked (Google cache made quick …

Passive DNS collection and analysis using YaF and Mediator

Passive DNS is a useful tool for any analysts teams toolbox, I have noted several public sensors here but they only see data (queries and responses) that transverse their sensors. I have been working on setting up passive DNS using Yet another Flowmeter (YaF) and Mediator (YaF to MySQL) to …

Running Moloch

This is an overview of installing and running Moloch on a single host. After seeing the 2013 ShmooCon presentation, I have been looking forward to giving the tool a test-drive. Per the documentation, “Moloch is a open source large scale IPv4 full PCAP capturing, indexing and database system”. It is …

Increment IP packet timestamp

I recently had a need to specify and increment the IP timestamp values of packets in a PCAP. In this example, the starting second value is specified and we increment the microsecond value. This requires the use of Scapy. If you have any questions or recommendations for improvement, please leave …