December 8, 2005

Reverse SSH Tunnel

Category: UNIX Security — Raffael Marty @ 6:19 pm

Something that comes in handy all the time (as proven today when someone asked me about how to do it), is how to setup a reverse SSH tunnel. (Especially when you need to access your work computer from home.) Well, my SSH page explains the procedure.

December 7, 2005

Commen Event Format / Standard

Category: Log Analysis — Raffael Marty @ 12:51 pm

There is an interesting thread on the log-analysis mailinglist about regex-less parsing of messages. The problem is a very old one. Every device out there is logging in some strange way, making it incredibly time-consuming for event consumers (such as ArcSight), to parse the messages and normalize them.
There have been attempts to standardize events, such as IDMEF, which tried to tackle IDS messages. It’s kind of sad, but there is not a single IDS that I know of, which really uses this event exchange format. A lot of IDSs support it, but it’s not their main transport. Then there are tons of other attempts from BEEP to RDEP to SDEE and alike. They are all nice, but guys, we need something that is

  • easy to implement,
  • scales to high event rates,
  • is extensible to support not just security devices (for sure not just IDSs),
  • and is MACHINE READABLE (not human readable) [when are you people going to realize that logs are not read by humans anymore, but by machines?].
  • All the past attempts of standardizing event formats are not enough, now Microsoft comes out with yet another event logging format. I have to admit, I only quickly glanced over it, but it’s XML again. That’s just SLOW! Huge overhead!
    Also, why do people always define the transport when they are trying to standardize log messages? Leave the transport to the devices. They will figure that one out. In the worst case, people can just use syslog which is widely deployed and has it’s problems. But you know what? At least the burden of complying with the standard is incredibly low. Just send a syslog message. Even I can do that. If you asked me to implement BEEP, I don’t think I would even start thinking about complying with the standard…

    Sorry for the long post and rant, but this is just a bit frustrating …

    December 6, 2005


    Category: Uncategorized — Raffael Marty @ 11:32 pm

    I guess by now everyone knows scapy. At this point this is more a way for me to remember this tool.

    Scapy is an interactive packet manipulation program written in Python.

    Adding Random Data To Files

    Category: VI — Raffael Marty @ 1:30 am

    I find myself adding data to files that need to be randomized. Well, just call awk from within vi and use the rand() function

    :%!awk ‘BEGIN {srand()}; {if (int(rand()*4)==2) {printf(“\%s,S\n”,$0)} else print $0;}’

    Maybe even a bit more comfortable AND this only adds to the lines if they don’t use SA, S or F

    :%!awk ‘BEGIN {srand()} \!/(SA|S|F)$/ {if (int(rand()*4)==2) {sub(/$/,”FA”);}};{print}’

    Adding Text To Special Lines

    Category: VI — Raffael Marty @ 1:22 am

    I need to remember this one:

    :g/some text/s/$/,more_data

    This will add another column of data to all the lines with “some text”. Simple but useful.

    December 4, 2005

    Python For Beginners and for me

    Category: Programming — Raffael Marty @ 9:00 pm

    The RedHat Magazine had a nice Introduction to Python. Cool example that uses pyGTK!

    Visualization Tools

    Category: Visualization — Raffael Marty @ 8:52 pm

    I just tryed a mutli-dimensional data visualization tool. Took me a bit to get the Java OpenGL running and just to find that it’s not _that_ cool. Oh well, here it is: xmdv.

    Visualization of Security Data

    Category: Visualization — Raffael Marty @ 7:27 pm

    I am looking for tools that people are using to visualize security data. I assume everyone is using afterglow, but what other tools are you using?

    Credit Card Numbers on Receipts

    Category: Uncategorized — Raffael Marty @ 7:25 pm

    Have you ever noticed that some restaurant or retail stores put the entire freaking credit card number on the receipt. I got quite upset and found this very interesting California Civil Code. Number 1747.9 stating that there shall not be more than 5 numbers on the receipt. I will start complaining. You should too!