Jan 2, 2016 · 5 minute read
programming, community
This was an idea for a blog post around 1.5 years ago when the OSSEC team started the great refactor, but sadly I did nothing with it till now. OSSEC build that always worked, but made me mad: OSSEC has been using a cross-platform build script written in sh for ages. This system had worked for ages and worked everyplace most of the time. See, that was the problem: changes to the script were very error prone and always on systems we did not have access to test on (I am looking at you, AIX and HPUX).
Dec 31, 2015 · 3 minute read
site
Overview of my move to GitHub and Cloudflare from my old setup.
Jan 10, 2010 · 2 minute read
security, networking, programming
Following the Juniper kernel flaw posts, we received a number of inquiries regarding how
to determine the option value to use; however, we were somewhat reluctant to provide
that level of detail. Now that [exploit code has been published](http://evilrouters.net/2010/01/09/junos-psn-2010-01-623-exploit/)
elsewhere, there is little reason not to answer this question.
Jan 7, 2010 · 4 minute read
security
A report has been received from Juniper at 4:25pm under bulletin PSN-2010-01-623 that a
crafted, malformed TCP option in the TCP header of a packet will cause the JUNOS kernel
to core (crash). In other words, the kernel on the network device (gateway router) will
crash and reboot if a packet containing this crafted option is received on a listening
TCP port. The JUNOS firewall filter is unable to filter a TCP packet with this issue.
Juniper states that this issue was identified during investigation of a vendor
interoperability issue.
Jan 7, 2010 · 11 minute read
security
We have noted some interesting responses since our post yesterday detailing the information in Juniper bulletin PSN-2010-01-623 and our thoughts on its somewhat understated effect. Since our post yesterday, the bulletin has been updated, becoming more specific about the versions affected (basically excluding JUNOS version 10.x and versions no longer supported by Juniper). We’ve been quoted here and there saying that the potential worst-case scenario with this flaw could have been widespread Internet outages (not an overstatement, in our opinion), and that such a simple attack that escapes filtering and can reboot high-end routers is a big deal.
Oct 5, 2009 · 8 minute read
ossec, programming
In working with OSSEC agentless for some time now I have come across some limitations in the implementation that I felt needed to be addressed. As OSSEC agentless is designed to perform syscheck functions on remote hosts, more general features are hard (if not impossible) to write into a script. Currently in OSSEC, agentless scripts are limited to the following commands:

| Command | Description |
|---------|-------------|
| INFO | The string following INFO will be logged to /var/ossec/logs/ossec.log by OSSEC for debugging. |
Oct 3, 2009 · 15 minute read
ossec
In my last OSSEC post,
[OSSEC: Agentless to save the day](/archives/2009/11/ossec-agentless-to-save-the-day/),
I went over how to set up agentless monitoring using the built-in scripts. With
this post I am going to get into the details of how to modify the OSSEC-supplied
scripts to do your bidding.
Oct 2, 2009 · 8 minute read
ossec
> Lois, Clark Kent may seem like just a mild-mannered reporter, but listen, not only does he know how to treat his editor-in-chief with the proper respect, not only does he have a snappy, punchy prose style, but he is, in my forty years in this business, the fastest typist I’ve ever seen.
>
> Perry White

Michael Starks from Immutable Security published the “Week of OSSEC” all last week (find their links at the end of the article), and it was a great set of posts.
Aug 25, 2009 · 7 minute read
security
Yesterday we spent some time speculating on how phishing attacks like
the one afflicting Twitter on Wednesday of this week are seeded. How are
the original direct messages sent out that kick off the first stolen
credentials, the next set of direct messages, and so on in the loop? We
were hoping, but not counting on, that Twitter might address
this in their blog. Taking a page from Google or Microsoft, an up-front
and transparent approach to security seems to be the direction of
major players in the online space. Twitter may consider embracing this
approach, given its rampant rise in popularity and thus its existence at the
edge of malicious customized attacks from bad actors, as it likely has a
lot of data that would benefit the information assurance community.
Aug 15, 2009 · 15 minute read
networking, security
I attended [SC World Congress](http://www.scmagazineus.com/SC-World-Congress-2009/section/886/)
in New York this week and a keynote from Cisco caught my attention: _Securing
the Cloud: Building the Borderless Network_. I became fixated on the words
used over and over by [Joel McFarland](http://www.scmagazineus.com/Joel-McFarland-senior-manager-Product-Management-Security-Technology-Group-Cisco-Systems/article/149536/).
Borderless this, borderless that, borderless everything. This campaign started
to bother me, as this was a security conference and a network company was
pushing the idea of fewer borders. It seemed off, wrong, and incomplete to me.
Aug 15, 2009 · 26 minute read
networking
Breaking up your network *"is good,"* we all know this, and VLANs have
traditionally been used to segment a network to help with maintenance,
management, and security; but they are not the only game in town and are often the
wrong place to break your network into smaller and more efficient pieces. VPN
Routing and Forwarding (VRF) can do the same for layer 3 infrastructure that
VLANs do for layer 2. By allowing you to create and manage separate routing
tables within a single physical router, they truly bring virtualization and
segmentation to all points on your network. As with any technology that adds
layers, complexity can become a problem, but you already know this.
Mar 16, 2009 · 2 minute read
networking
The [Bluecoat SGOS](http://www.bluecoat.com/products/sg) can do a fair amount
of stuff, just like any web proxy should, but my favorite is to
[RickRoll](http://en.wikipedia.org/wiki/Rickrolling) the whole
company. (_People spend too much time on YouTube as it is._)