Information, tools and how-to's for the new intrusion analyst. Mentoring by blogging.
Thursday, June 28, 2007
Wireshark and Firewall Rules
One of the infrastructure folks where I work showed me a nifty feature in Wireshark I'd never noticed before. Click on any captured packet, and go to Analyze, Firewall ACL Rules. A dialog box will pop up showing you the syntax to write a rule denying or accepting the packet by IP, MAC, port or a combination thereof, depending on what device you choose. Supported are Cisco IOS, iptables, ipfirewall, Windows firewall, and pf (BSD's Packet Filter firewall). Very nice.
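To show what that dialog is doing under the hood, here is an added example (my own code, not Wireshark's) that takes the 5-tuple of one captured packet and emits a deny or accept rule in three of the dialects the feature supports: iptables, pf and Cisco IOS extended ACLs. The packet values are constructed sample data from documentation address ranges, and the "ip", "port" and "tuple" modes mirror the dialog's choice of matching by address, by port, or by the whole combination. The ipfirewall and Windows firewall dialects are left out here.

```python
"""Generate firewall rules from one packet's 5-tuple, in the spirit of
Wireshark's Analyze > Firewall ACL Rules dialog (added example, not Wireshark code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str        # "tcp" or "udp"
    src_port: int
    dst_port: int


MODES = ("ip", "port", "tuple")


def _check_mode(mode):
    if mode not in MODES:
        raise ValueError(f"unknown mode {mode!r}, expected one of {MODES}")


def iptables_rule(pkt, mode="tuple", deny=True):
    """Rule for the INPUT chain; DROP discards silently, ACCEPT lets it through."""
    _check_mode(mode)
    target = "DROP" if deny else "ACCEPT"
    if mode == "ip":
        match = f"-s {pkt.src_ip}"
    elif mode == "port":
        match = f"-p {pkt.proto} --dport {pkt.dst_port}"
    else:
        match = (f"-p {pkt.proto} -s {pkt.src_ip} --sport {pkt.src_port} "
                 f"-d {pkt.dst_ip} --dport {pkt.dst_port}")
    return f"iptables -A INPUT {match} -j {target}"


def pf_rule(pkt, mode="tuple", deny=True):
    """pf rule for inbound traffic; 'quick' stops evaluation at the first match."""
    _check_mode(mode)
    action = "block" if deny else "pass"
    if mode == "ip":
        match = f"from {pkt.src_ip} to any"
    elif mode == "port":
        match = f"proto {pkt.proto} from any to any port {pkt.dst_port}"
    else:
        match = (f"proto {pkt.proto} from {pkt.src_ip} port {pkt.src_port} "
                 f"to {pkt.dst_ip} port {pkt.dst_port}")
    return f"{action} in quick {match}"


def cisco_ios_rule(pkt, mode="tuple", deny=True, acl=100):
    """Cisco IOS extended ACL entry (numbered 100-199); 'host' is a /32 match."""
    _check_mode(mode)
    action = "deny" if deny else "permit"
    if mode == "ip":
        match = f"ip host {pkt.src_ip} any"
    elif mode == "port":
        match = f"{pkt.proto} any any eq {pkt.dst_port}"
    else:
        match = (f"{pkt.proto} host {pkt.src_ip} eq {pkt.src_port} "
                 f"host {pkt.dst_ip} eq {pkt.dst_port}")
    return f"access-list {acl} {action} {match}"


def all_rules(pkt, mode="tuple", deny=True):
    """One rule per supported dialect, keyed by dialect name."""
    return {
        "iptables": iptables_rule(pkt, mode, deny),
        "pf": pf_rule(pkt, mode, deny),
        "cisco_ios": cisco_ios_rule(pkt, mode, deny),
    }


# Constructed sample packet: a client on a documentation range hitting port 80.
SAMPLE_PACKET = Packet("198.51.100.23", "192.0.2.10", "tcp", 51234, 80)

if __name__ == "__main__":
    for mode in MODES:
        print(f"--- match by {mode} ---")
        for name, rule in all_rules(SAMPLE_PACKET, mode).items():
            print(f"{name:10s} {rule}")
```

The "tuple" form is the most specific and the least likely to block anything but the offending flow, which is usually what you want when you are reacting to a single packet in a capture; the "ip" form is the blunt instrument for a known-bad source.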
Wednesday, June 27, 2007
Internet Storm Center
One of my favorite places to check each morning is the Internet Storm Center, run by SANS (isc.sans.org). A handler is on duty at all times, keeping track of emerging trends, new malware and outbreaks, or, when things are slow, just interesting things in network security. Often a handler will share the methodology they used to analyze an incident or reverse engineer a piece of malware. Browsing back through the archives is a great learning experience in itself. I usually print out the better analysis pieces for a little light reading at lunch!
Monday, June 25, 2007
Weekends
A good weekend for me is one that doesn't require me to stop what I'm doing and run home to check on some event an IDS or logger is reporting. I'll be remoted in at some point, that's a given; it's just nice to be able to choose when that happens. Of course, there are also the installs/upgrades/fixes/tweaks that happen regularly. If you're part of a small network security team, or maybe you ARE the team, ever notice how much of your time is taken up with sysadmin duties? Installing, patching, upgrading, and it always seems like something's on the fritz.
Makes for busy days when EOIs are on the uptick and you need to dig deep.
Oh, well... that's the part they REALLY pay you for, whether they're aware of it or not. Let a few go unnoticed and an incident happen, and all of a sudden they are acutely aware of it again. =-)
Friday, June 22, 2007
Fake Adobe Shockwave Download site
The Internet Storm Center (isc.sans.org) is reporting that a reader discovered a fake Adobe Shockwave website, serving up a Trojan, that has a very low detection rate on VirusTotal.
Details here: http://isc.sans.org/diary.html?storyid=3024
SANSFIRE 2007
I'll be attending SANSFIRE the last week of July, third year running for that venue. I've attended SANS conferences in New York and San Francisco as well, but really like the D.C.-based SANSFIRE best. The mix of military, business and federal government folks (a lot of them with three-letter acronyms behind their names) makes for a very interesting atmosphere. SANS always has their best instructors and classes there, as well as a ton of SANS@Night classes, Birds of a Feather roundtables, and Lunch and Learn sessions with vendors (a good way to score a free lunch and see a demo of some nifty new product).
Thursday, June 21, 2007
Welcome
Welcome to my Network Security blog. I'll be discussing news in the information security world, new trends, products I've come across, and any tips that are hopefully worth sharing.