December 8, 2005

Reverse SSH Tunnel

Category: UNIX Security — Raffael Marty @ 6:19 pm

Something that comes in handy all the time (as proven today when someone asked me about how to do it) is how to set up a reverse SSH tunnel. (Especially when you need to access your work computer from home.) Well, my SSH page explains the procedure.

December 7, 2005

Common Event Format / Standard

Category: Log Analysis — Raffael Marty @ 12:51 pm

There is an interesting thread on the log-analysis mailing list about regex-less parsing of messages. The problem is a very old one. Every device out there logs in some strange way of its own, making it incredibly time-consuming for event consumers (such as ArcSight) to parse the messages and normalize them.
There have been attempts to standardize events, such as IDMEF, which tried to tackle IDS messages. It’s kind of sad, but there is not a single IDS that I know of which really uses this event exchange format. A lot of IDSs support it, but it’s not their main transport. Then there are tons of other attempts, from BEEP to RDEP to SDEE and the like. They are all nice, but guys, we need something that is:

  • easy to implement,
  • scales to high event rates,
  • is extensible to support not just security devices (for sure not just IDSs),
  • and is MACHINE READABLE (not human readable) [when are you people going to realize that logs are not read by humans anymore, but by machines?].

As if all the past attempts at standardizing event formats were not enough, now Microsoft comes out with yet another event logging format. I have to admit, I only quickly glanced over it, but it’s XML again. That’s just SLOW! Huge overhead!

Also, why do people always define the transport when they are trying to standardize log messages? Leave the transport to the devices. They will figure that one out. In the worst case, people can just use syslog, which is widely deployed and has its problems. But you know what? At least the burden of complying with the standard is incredibly low. Just send a syslog message. Even I can do that. If you asked me to implement BEEP, I don’t think I would even start thinking about complying with the standard…

Sorry for the long post and rant, but this is just a bit frustrating…

December 6, 2005

Scapy

Category: Uncategorized — Raffael Marty @ 11:32 pm

I guess by now everyone knows scapy. At this point this is more a way for me to remember this tool.

Scapy is an interactive packet manipulation program written in Python.

Adding Random Data To Files

Category: VI — Raffael Marty @ 1:30 am

I find myself adding data to files that need to be randomized. Well, just call awk from within vi and use the rand() function:

:%!awk 'BEGIN {srand()}; {if (int(rand()*4)==2) {printf("\%s,S\n",$0)} else print $0;}'

Maybe even a bit more comfortable, AND this one only adds to the lines that don’t already end in SA, S or F:

:%!awk 'BEGIN {srand()} \!/(SA|S|F)$/ {if (int(rand()*4)==2) {sub(/$/,"FA");}};{print}'

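The same filter as a stand-alone script, added here as an example and not part of the original post: run from the shell instead of vi’s :%! line, the % and ! no longer need backslash-escaping (vi would otherwise expand them to the current filename and the previous command). The seed argument, the ",FA" tag with its comma separator and the sample records are my own choices.

```shell
#!/bin/sh
# Added example (not from the original post): the post's second awk filter,
# run from a shell script rather than vi's ":%!" line. Outside vi no "\%"
# or "\!" escaping is needed, and the seed is passed in so a run is
# reproducible with a given awk (different awks have different rand() streams).
#
# random_tag SEED SKIP_REGEX TAG   (reads stdin, writes stdout)
random_tag() {
  awk -v seed="$1" -v skip="$2" -v tag="$3" '
    BEGIN { srand(seed) }
    # lines that already end in one of the flags pass through untouched
    $0 ~ skip { print; next }
    # about one in four of the remaining lines gets the tag appended
    int(rand() * 4) == 2 { $0 = $0 tag }
    { print }
  '
}

# Constructed sample input: "src,dst[,flags]" records, some already flagged.
sample() {
  printf '%s\n' \
    '10.0.0.1,10.0.0.2,S' \
    '10.0.0.3,10.0.0.4' \
    '10.0.0.5,10.0.0.6,SA' \
    '10.0.0.7,10.0.0.8' \
    '10.0.0.9,10.0.0.10,F' \
    '10.0.0.11,10.0.0.12'
}

# Invariants that hold for any seed and any awk: stripping the tag again gives
# the input back, and no already-flagged line received a tag.
roundtrips() {
  [ "$(sample | random_tag "$1" '(SA|S|F)$' ',FA' | sed 's/,FA$//')" = "$(sample)" ]
}
flagged_untouched() {
  n=$(sample | random_tag "$1" '(SA|S|F)$' ',FA' | grep -cE '(SA|S|F),FA$' || true)
  [ "$n" -eq 0 ]
}
# How many lines were tagged in this run (0..3 for the sample above).
tagged_count() {
  sample | random_tag "$1" '(SA|S|F)$' ',FA' | grep -c ',FA$' || true
}

sample | random_tag "${1:-42}" '(SA|S|F)$' ',FA'
```
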
Adding Text To Special Lines

Category: VI — Raffael Marty @ 1:22 am

I need to remember this one:

:g/some text/s/$/,more_data

This will add another column of data to all the lines with “some text”. Simple but useful.

December 4, 2005

Python For Beginners and for me

Category: Programming — Raffael Marty @ 9:00 pm

The RedHat Magazine had a nice Introduction to Python. Cool example that uses pyGTK!

Visualization Tools

Category: Visualization — Raffael Marty @ 8:52 pm

I just tried a multi-dimensional data visualization tool. Took me a bit to get the Java OpenGL running, only to find that it’s not _that_ cool. Oh well, here it is: xmdv.

Visualization of Security Data

Category: Visualization — Raffael Marty @ 7:27 pm

I am looking for tools that people are using to visualize security data. I assume everyone is using afterglow, but what other tools are you using?

Credit Card Numbers on Receipts

Category: Uncategorized — Raffael Marty @ 7:25 pm

Have you ever noticed that some restaurants or retail stores put the entire freaking credit card number on the receipt? I got quite upset and found this very interesting California Civil Code, number 1747.9, stating that there shall not be more than 5 numbers on the receipt. I will start complaining. You should too!