Wednesday, August 27, 2014

Decompress gzip’d HTTP data from Wireshark in Windows (No Linux required)

Here’s the alert with gzip’d data (look at the Content-Encoding header):

1. Pull the packets into Wireshark from the IDS:

2. Extract the zip file and open it in Wireshark.

3. Right click the first packet and choose the Follow Stream option:

4. Choose the server side of the conversation from the drop down:

5. Click Save As, give it a filename (like data.txt.gz).

6. Go to the directory where you saved the file, and open it with Notepad++ or a similar program.

7. Delete the server header and the blank lines under it, leaving only the compressed content.

8. After saving the file and closing it, right click the file and from the 7-Zip context menu, choose Extract Here. (If you get a “file is broken” error, continue anyway.)

9. Open up the now decompressed file and begin analyzing.
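The same recovery done in code, as an added example that is not part of the original post: it cuts the saved server-side stream at the blank line (step 7), gunzips the body (step 8) and keeps whatever prefix decodes when the capture ended mid-transfer (the “file is broken” case). It also handles a chunked response, which the post's manual steps do not cover; the sample response is constructed, not from a real capture.

```python
import gzip
import zlib

# Constructed sample: a server-side HTTP response as Wireshark's Follow
# Stream "Save As" writes it (status line, headers, blank line, gzip body).
# truncate= drops trailing bytes to mimic a capture that ended early.
def build_sample(body: bytes, truncate: int = 0) -> bytes:
    gz = gzip.compress(body)
    head = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
            b"Content-Encoding: gzip\r\nContent-Length: %d\r\n\r\n" % len(gz))
    return head + (gz[:-truncate] if truncate else gz)

def split_response(raw: bytes):
    """Step 7 in code: split the saved stream at the first blank line into
    a lower-cased header dict and the raw (still compressed) body bytes."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:                          # tolerate bare-LF line endings
        head, _, body = raw.partition(b"\n\n")
    headers = {}
    for line in head.splitlines()[1:]:   # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return headers, body

def dechunk(body: bytes) -> bytes:
    """Reassemble a Transfer-Encoding: chunked body (hex size, CRLF, data, CRLF)."""
    out = bytearray()
    while body:
        size_line, _, body = body.partition(b"\r\n")
        size = int(size_line.split(b";")[0] or b"0", 16)
        if size == 0:                    # terminating zero-length chunk
            break
        out += body[:size]
        body = body[size + 2:]           # skip the data and its trailing CRLF
    return bytes(out)

def decompress_body(headers: dict, body: bytes):
    """Steps 8-9 in code: gunzip the body. Returns (data, complete); a
    truncated stream still yields the decodable prefix with complete=False."""
    if headers.get("transfer-encoding", "").lower() == "chunked":
        body = dechunk(body)
    if headers.get("content-encoding", "").lower() != "gzip":
        return body, True
    d = zlib.decompressobj(16 + zlib.MAX_WBITS)   # 16+ selects the gzip wrapper
    data = d.decompress(body) + d.flush()         # no exception on short input
    return data, d.eof                            # eof only if the trailer arrived
```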

Thursday, August 21, 2014

DerbyCon 4.0 - Family Rootz

I meant to post a reminder to get your DerbyCon tickets sooner rather than later a while back, and just didn't get around to it. If you didn't get yours by now, the con is sold out. Training is sold out as well.

Rooms at the Hyatt, gone. MIGHT be some left at the Marriott; if you have ticks and no room yet, better jump on it or you'll be sleeping in the RV of Doom. =-) There's also a Hampton Inn a couple blocks away. It's September in Louisville; it'll be a nice walk.

Dave and crew MAY release a small number of additional tickets right before the conference starts, so slap a monitor on the tickets page or check the Twitter feed if you got locked out.

If you have tickets, see you in Louisville.

Thursday, August 7, 2014

Free Cyber Security training

If you know of someone who might be interested in making network security a career, SANS is offering free online training, called CyberAces, starting September 1st. It's totally free, and you need not even register unless you'd like to take the quizzes to check on your progress. You can find out more and sign up, if you wish, at this link:

