Thursday, June 28, 2007

Wireshark and Firewall Rules

One of the infrastructure folks where I work showed me a nifty feature in Wireshark I'd never noticed before. Click on any captured packet, and go to Analyze, Firewall ACL Rules. A dialog box will pop up showing you the syntax to write a rule denying or accepting the packet by IP, MAC, port or combination thereof depending on what device you choose. Supported is Cisco IOS, iptables, ipfirewall, Windows firewall, and pf (BSD's Packet Filter firewall). Very nice.
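To show what the dialog is doing under the hood, here is a small rule generator written for this post (it is not Wireshark's code): given the fields of one packet, it emits a deny or accept rule in iptables, pf, ipfw (ipfirewall) and Cisco IOS syntax, matching either on address or on protocol/port the way the dialog's drop-down lets you choose. The sample packet is constructed; the Windows Firewall `netsh` syntax is left out.

```python
"""Generate firewall rules from one packet's fields, in the spirit of
Wireshark's Analyze > Firewall ACL Rules dialog.  Added example code, not
part of Wireshark.  Inbound rules match on the packet's source address or
destination port; outbound rules match on its destination address or port."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str        # "tcp" or "udp"
    src_port: int
    dst_port: int


def _validate(pkt: Packet) -> None:
    # Refuse anything that is not a clean address/port so we never emit a
    # rule built from garbage (e.g. a malformed capture field).
    ipaddress.IPv4Address(pkt.src_ip)
    ipaddress.IPv4Address(pkt.dst_ip)
    if pkt.proto not in ("tcp", "udp"):
        raise ValueError("proto must be tcp or udp")
    for port in (pkt.src_port, pkt.dst_port):
        if not 0 <= port <= 65535:
            raise ValueError("port out of range")


def ip_rules(pkt: Packet, deny: bool = True, inbound: bool = True) -> dict:
    """Rules keyed by device, matching on the packet's IP address only."""
    _validate(pkt)
    ip = pkt.src_ip if inbound else pkt.dst_ip
    dirn = "in" if inbound else "out"
    return {
        "iptables": "iptables -A %s -%s %s/32 -j %s" % (
            "INPUT" if inbound else "OUTPUT", "s" if inbound else "d", ip,
            "DROP" if deny else "ACCEPT"),
        "pf": "%s %s quick from %s to %s" % (
            "block" if deny else "pass", dirn,
            ip if inbound else "any", "any" if inbound else ip),
        "ipfw": "ipfw add %s ip from %s to %s %s" % (
            "deny" if deny else "allow",
            ip if inbound else "any", "any" if inbound else ip, dirn),
        # A standard IOS ACL (1-99) can only match the source address, so
        # the outbound case needs an extended ACL (100-199).
        "ios": ("access-list 10 %s host %s" % ("deny" if deny else "permit", ip)
                if inbound else
                "access-list 101 %s ip any host %s" % (
                    "deny" if deny else "permit", ip)),
    }


def port_rules(pkt: Packet, deny: bool = True, inbound: bool = True) -> dict:
    """Rules keyed by device, matching on protocol and destination port."""
    _validate(pkt)
    dirn = "in" if inbound else "out"
    return {
        "iptables": "iptables -A %s -p %s --dport %d -j %s" % (
            "INPUT" if inbound else "OUTPUT", pkt.proto, pkt.dst_port,
            "DROP" if deny else "ACCEPT"),
        "pf": "%s %s quick proto %s from any to any port %d" % (
            "block" if deny else "pass", dirn, pkt.proto, pkt.dst_port),
        "ipfw": "ipfw add %s %s from any to any %d %s" % (
            "deny" if deny else "allow", pkt.proto, pkt.dst_port, dirn),
        "ios": "access-list 101 %s %s any any eq %d" % (
            "deny" if deny else "permit", pkt.proto, pkt.dst_port),
    }


if __name__ == "__main__":
    # Constructed sample: an SMB connection attempt from a documentation address.
    sample = Packet("198.51.100.7", "192.0.2.10", "tcp", 51234, 445)
    for device, rule in ip_rules(sample).items():
        print("%-9s %s" % (device, rule))
    for device, rule in port_rules(sample).items():
        print("%-9s %s" % (device, rule))
```

The generated lines are starting points, not drop-in policy: the iptables rule is appended to the end of the chain, the pf rule uses `quick` so it wins over later rules, and the IOS ACL still has to be applied to an interface with `ip access-group`.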

Wednesday, June 27, 2007

Internet Storm Center

One of my favorite places to check each morning is the Internet Storm Center, run by SANS. A handler is on duty at all times, keeping track of emerging trends, new malware and outbreaks, or, when things are slow, just interesting things in network security. Often a handler will share the methodology they used to analyze an incident or reverse engineer a piece of malware. Browsing back through the archives is a great learning experience in itself. I usually print out the better analysis pieces for a little light reading at lunch!

Monday, June 25, 2007


A good weekend for me is one that doesn't require me to stop what I'm doing and run home to check on some event an IDS or logger is reporting. I'll be remoted in sometime, that's a given; it's just nice to be able to choose when that happens. Of course, there are also the installs/upgrades/fixes/tweaks that happen regularly. If you're part of a small network security team, or maybe you ARE the team, ever notice how much of your time is taken up with sysadmin duties? Installing, patching, upgrading, and it always seems like something's on the fritz.
Makes for busy days when EOIs (events of interest) are on the uptick and you need to dig deep.
Oh, well... that's the part they REALLY pay you for, whether they're aware of it or not. Let a few go unnoticed and an incident happen, and all of a sudden they are acutely aware of it again. =-)

Friday, June 22, 2007

Fake Adobe Shockwave Download site

The Internet Storm Center is reporting that a reader discovered a fake Adobe Shockwave website, serving up a Trojan, that has a very low detection rate on VirusTotal.
Details here:


I'll be attending SANSFIRE the last week of July, third year running for that venue. I've attended SANS conferences in New York and San Francisco as well, but really like the D.C.-based SANSFIRE best. The mix of military, business and federal government folks (a lot of them with three-letter acronyms behind their names) makes for a very interesting atmosphere. SANS always has their best instructors and classes there, as well as a ton of SANS@Night classes, Birds of a Feather roundtables, and Lunch and Learn sessions with vendors (a good way to score a free lunch and see a demo of some nifty new product).

Thursday, June 21, 2007


Welcome to my Network Security blog. I'll be discussing news in the information security world, new trends, products I've come across, and any tips that are hopefully worth sharing.