Quick and dirty Snort log analyzers (sed, awk, uniq, sort, etc. may be just as good at massaging the output):
Monthly Archives: January 2004
GIAC GCFW practical posted
SANS GIAC has posted my GCFW certification status as #459 and my practical. It expires January 31, 2008… I wonder wth I’ll be doing then?
Incident Handling Guide from NIST
In reading the recently released Computer Security Incident Handling Guide from NIST I was informed that incidents against critical infrastructure can be reported to the National Infrastructure Protection Center which is part of the Department of Homeland Security. They have a handy form for submitting incident details at http://www.nipc.gov/incident/cirr.htm. Why is that page not HTTPS by default?
Creating network diagrams on linux
Historically I have used Xfig to draw network diagrams. It is quite an old vector drawing program but gets the job done well. Most recently I used it to draw the network diagram in my SANS GCFW paper. I’m currently working on my SANS GCIA and want to draw a diagram that contains network device icons (I had used mainly rectangle shapes to symbolize machines in my GCFW paper) for a slightly more polished look. In searching for *nix programs for network topology maps I ran into the article Creating Network Diagrams, which compares four programs: Dia, Tgif, Tkined, and Xfig. The author rated the default Xfig library fairly well, and upon further investigation of the other programs, Xfig contained the most mature icon sets for everything I was looking for.
How to replay 802.11 packet captures
There was a recent thread on the pen-test list about replaying 802.11 (rfmon) pcaps with tcpreplay. The problem encountered is that tcpreplay wants an 802.3 Ethernet header (1.5beta6 lets you “fake it” with the -2 flag, which synthesizes an Ethernet header, but the pcap then has to start at the IP header). A poster to the list cobbled together wifi2eth.c as a solution.
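The conversion the thread is about, as an added example that is not the poster's wifi2eth.c and not code from the original post: a small Python converter that reads an rfmon capture (DLT_IEEE802_11, or DLT_IEEE802_11_RADIO with its radiotap header stripped), maps each unencrypted 802.11 data frame's addresses and LLC/SNAP ethertype onto an Ethernet II header, and writes a DLT_EN10MB pcap that tcpreplay can use without the -2 workaround. Management, control, null-data and protected (WEP/WPA) frames carry no readable LLC/SNAP payload and are dropped with a count, so the caller can see how much of the capture survived. The sample capture built by `build_sample_pcap` is constructed for illustration, not real traffic, and the function names are my own.

```python
import struct

# pcap link-layer types (values from the libpcap DLT list)
DLT_EN10MB = 1              # plain Ethernet, what tcpreplay expects
DLT_IEEE802_11 = 105        # raw 802.11 frames, a typical rfmon capture
DLT_IEEE802_11_RADIO = 127  # 802.11 frames preceded by a radiotap header

LLC_SNAP_PREFIX = b"\xaa\xaa\x03"  # DSAP, SSAP, control bytes of an LLC/SNAP header


def parse_pcap(data):
    """Split a classic pcap file into (byte_order, snaplen, linktype, records)."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic == 0xA1B2C3D4:
        bo = "<"
    elif magic == 0xD4C3B2A1:
        bo = ">"
    else:
        raise ValueError("not a classic pcap file")
    _maj, _min, _zone, _sig, snaplen, linktype = struct.unpack_from(bo + "HHiIII", data, 4)
    records, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig = struct.unpack_from(bo + "IIII", data, off)
        off += 16
        records.append((ts_sec, ts_usec, data[off:off + incl_len]))
        off += incl_len
    return bo, snaplen, linktype, records


def wifi_frame_to_ethernet(frame, linktype):
    """Return an Ethernet II frame for an 802.11 data frame, or None if it cannot be mapped."""
    if linktype == DLT_IEEE802_11_RADIO:
        if len(frame) < 4:
            return None
        (rt_len,) = struct.unpack_from("<H", frame, 2)  # radiotap it_len is little-endian
        frame = frame[rt_len:]
    elif linktype != DLT_IEEE802_11:
        raise ValueError("unsupported link type %d" % linktype)
    if len(frame) < 24:
        return None
    fc0, fc1 = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    if ftype != 2 or subtype & 0x4:   # only data frames have a payload; "null" subtypes have none
        return None
    if fc1 & 0x40:                    # Protected bit: body is ciphertext, no LLC/SNAP to read
        return None
    to_ds, from_ds = bool(fc1 & 0x01), bool(fc1 & 0x02)
    hdr_len = 24
    if to_ds and from_ds:             # WDS frame: a 4th address follows sequence control
        hdr_len += 6
    if subtype & 0x8:                 # QoS data: 2-byte QoS control field
        hdr_len += 2
    if len(frame) < hdr_len + 8:
        return None
    a1, a2, a3, a4 = frame[4:10], frame[10:16], frame[16:22], frame[24:30]
    # Which address is DA/SA depends on the ToDS/FromDS bits (802.11 address table)
    if to_ds and from_ds:
        dst, src = a3, a4
    elif to_ds:
        dst, src = a3, a2
    elif from_ds:
        dst, src = a1, a3
    else:
        dst, src = a1, a2
    body = frame[hdr_len:]            # note: a trailing FCS, if captured, is not stripped here
    if body[:3] != LLC_SNAP_PREFIX:
        return None
    ethertype = body[6:8]             # SNAP: 3-byte OUI then the 2-byte protocol id / ethertype
    return dst + src + ethertype + body[8:]


def convert_pcap(data):
    """Rewrite an rfmon pcap as DLT_EN10MB; returns (pcap_bytes, converted, dropped)."""
    _bo, snaplen, linktype, records = parse_pcap(data)
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, DLT_EN10MB)
    converted = dropped = 0
    for ts_sec, ts_usec, frame in records:
        eth = wifi_frame_to_ethernet(frame, linktype)
        if eth is None:
            dropped += 1
            continue
        out += struct.pack("<IIII", ts_sec, ts_usec, len(eth), len(eth)) + eth
        converted += 1
    return out, converted, dropped


def build_sample_pcap():
    """Constructed capture for testing: one AP-to-station data frame plus one beacon."""
    sta, bssid, src = (bytes.fromhex(h) for h in ("020000000001", "020000000002", "020000000003"))
    payload = bytes.fromhex("4500001c00010000400100000a0000010a000002") + b"\x00" * 8  # IPv4 stub
    data_frame = (bytes([0x08, 0x02]) + b"\x00\x00"      # FC: type=data, subtype=0; flags: FromDS
                  + sta + bssid + src + b"\x10\x00"        # addr1=DA, addr2=BSSID, addr3=SA, seq ctrl
                  + b"\xaa\xaa\x03\x00\x00\x00\x08\x00"    # LLC/SNAP carrying ethertype 0x0800
                  + payload)
    beacon = bytes([0x80, 0x00]) + b"\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00" + b"\x00" * 12
    pcap = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_IEEE802_11)
    for i, frame in enumerate((data_frame, beacon)):
        pcap += struct.pack("<IIII", 1073000000 + i, 0, len(frame), len(frame)) + frame
    return pcap


if __name__ == "__main__":
    out, ok, bad = convert_pcap(build_sample_pcap())
    print("converted %d frame(s), dropped %d" % (ok, bad))
```

To convert a real file, read it with `open(path, "rb").read()`, pass the bytes to `convert_pcap`, and write the first element of the result to a new file. Prism-header captures (DLT 119) are not handled; the dropped count is worth checking before replaying, since a capture of a WEP or WPA network will convert to almost nothing.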
Snort perfmonitor statistics
Snort perfmonitor stats graphed using RRDTool and a Perl script.
Humor: Microsoft’s representation of a hacker
Website of Snort developers
I ran across a website, http://www.idsresearch.org, created by two Sourcefire employees / Snort developers for their IDS research and code. The site is a little sparse at the moment…