29 March, 2013

CERT is hiring

The company I work for is hiring. For those that don't know, CERT is part of the Software Engineering Institute at Carnegie Mellon University. CERT was created in 1988 as part of the response to the Morris worm. You can find out more on CERT's "About Us" page.

If you are interested, please read more about our hiring process and browse some of the available positions. The positions are primarily in Pittsburgh with a few openings in Arlington, VA. The open positions cover network security analysis, security architecture, malware analysis, software development, vulnerability analysis, and more.

I consider our hiring process fairly grueling but also stimulating. It gives the prospective employee and prospective coworkers a good chance to really learn if the relationship will work. It is an opportunity not just for the candidate to get interviewed, but also for the candidate to interview those that already work at CERT.

One of the reasons we have so many vacant positions is that we try to maintain high standards when considering candidates. Most of our positions require a fair amount of experience and expertise. My colleagues are smart, diligent, and largely enthusiastic about their chosen professions. Don't get me wrong -- we still have bad days when we are less enthusiastic or unhappy about the state of information security, but this is a pretty cool place to work. We do a wide variety of both research and more operationally focused work, tackling a lot of big problems. We also get a fair amount of freedom to find interesting and challenging areas of work.

If I know you or know of your work, please contact me about using my name as a referral. A referral from a current CERT employee can be helpful when applying. The best way to contact me regarding a referral or to ask other questions is via email or LinkedIn. You can also post questions more publicly here on my blog if it seems appropriate. In the interest of disclosure, I have an interest in recruiting people that I will want to work with, but I could also potentially get a referral bonus if you list me when you apply.

11 March, 2013

Building an IR Team: Growth

This is a long overdue continuation of my posts regarding Building an Incident Response Team. I had a very rough outline of this post going all the way back to 2009! The good response I got on some of my previous posts on building IR teams made me come back and work on finishing the posts I had planned when I first started the series.

Previous posts:

I believe one of the hardest things to deal with when building a successful IR team is growth. If you build an IR team that is successful and gets management buy-in as a result, there is a good chance that responsibilities, the amount of work, the number of incidents detected, and the size of the team will all grow. This will invariably cause growing pains, setbacks, and reevaluation of procedures.

I honestly could go on and on about dealing with the growth of an IR team. There are so many things to consider that it is daunting to plan for growth ahead of time instead of just dealing with the hurdles as they come. However, if you have a team that is growing, it really helps to take a step back and plan for both immediate and long-term growth. It is so important that a fair amount of this post will reiterate what I have explicitly or implicitly said in some of my previous "Building an IR Team" posts.

There are a number of questions to keep in mind when an IR team grows. What are the additional duties causing the addition of positions? Are the additional positions adequate to cover the additional duties and responsibilities? If not, how can expectations be managed so superiors understand what is actually feasible? Are the duties just a higher volume of what the team is already responsible for, or are there new areas that will require different types of team members and different types of training? What works well now but may be problematic with a larger team? Do we need to restructure? How do we maintain the success that led to the IR team's growth? The last question is one of the most fundamental.

Relationships

At one point I worked on a team that, over the course of a few years, increased the number of personnel fourfold. This completely changed the dynamics of the team, from the lead all the way down to the most junior analyst. The more people you add, the more complex the relationships become. This applies not only to relationships within the team, but also to relationships with other parts of your organization and management.

With such growth, it became a lot more important to clearly define roles and responsibilities and the command structure, and to get management support for decisions.
  • Command structure: As the team grows, other groups in the company are less likely to know each person on the team. This means in a lot of cases it is helpful to have a few key people known to those other groups. These key people don't always have to be the ones to communicate with a specific group, but can be used as a fallback if the other group's first instinct is to be more adversarial with people they don't know.
  • Intra-team relationships: The more people you have, the more you have to keep an eye on the working relationships between members. When you have a team that numbers in the single digits, it is almost natural to know all the ins and outs of the working relationships, for example who complements each other and who can be a good mentor to more junior analysts. It takes more conscious effort to track as you increase the number of people. Not only that, it requires setting expectations more actively about what you expect of them.
  • Management support and inter-team relationships: As a team gets bigger, its profile is raised throughout the company. This can make dealing with other groups easier, more difficult, or most likely a little bit of both. As we all know, IR teams sometimes need to make decisions or do things that are not popular and that people outside the team view as irritating, to say the least. It is very important to have management support when you invariably have conflicts with those outside the IR team. It's also important to have a manager that knows when to tell you that you're being unreasonable and the outside groups have a reasonable concern or complaint.
This is by no means a complete list of things to consider. The bottom line is that a larger team makes both intra- and inter-team relationships more complex.

Other Growing Pains

The simplest example I have from the past regarding growing pains was when I was on a team that was not gaining new areas of responsibility but was switching to coverage 24 hours a day, seven days a week. As I covered in another blog post, it is important to come up with the proper organization and make sure every shift is productive. Increasing the number of hours of coverage also obviously means hiring new analysts, plus the possibility of shifting current analysts to drastically different schedules.

Restructuring can often cause conflicts beyond those involving work schedules. On a small team, most people gravitate to a niche and can often be allowed to work in it as long as they can also handle the more generalized response duties. In a larger team, it's much harder to let members naturally gravitate towards certain areas while maintaining the ability to get all the work done. It certainly is nice to keep everyone happy and specializing in the areas they are most interested in, but it's not always realistic. One way to help with this is to make sure you follow the advice for redundancy in the "Organization" post, plus allow members to rotate through different areas of specialty. This means they won't be stuck in one particular area, in addition to providing redundancy of skills.

Another issue is making sure you formalize reporting to some degree. In a team of a few people, it's readily apparent what each person is doing. When you have a score of people, you need to get both formal and informal reporting from shift leads, team leads, mentors, and even individual analysts to properly understand who is doing what, workloads, what is working well, and what is not working. Regardless, the structure of an IR team probably needs to be more formal when it is larger. Notice the "probably." I think it is safe to say there may be exceptions to all these points! The key is to find the proper balance that enables useful reporting while avoiding unneeded bureaucracy.

Hiring can also create growing pains. I must stress that you should do everything possible to maintain standards when hiring. That said, a bigger team can mean more room and opportunity for less experienced analysts. One weak link among five people is a much bigger deal than one weak link among 30, so a larger team can allow you to take a chance or two when hiring. I've always been an advocate of getting smart people that can learn and are legitimately interested in the field over those who have experience but less potential for growth, and a larger team can sometimes make this easier to justify.

Evaluation of Procedures and Operations

This advice really applies to all IR teams, but becomes more important with growth. Incident response procedures that work well in a small team may not work as well with a larger group. Even if your team has not grown, you may want to regularly reevaluate IR workflow, reporting, or just about any existing procedures and standards of operations. Sometimes it may mean more clearly codifying what were once informal standards, while other times it may mean completely rethinking how you operate because you have several tiers of analysts. Having good metrics so you can try to make reevaluation more objective and less subjective also helps. Unfortunately, metrics is a huge topic that I can't address in this post, but there are many sites, papers, books, and more to help anyone interested in the topic.

Standards for working with the field may also need to change. If you are in an enterprise where the IR team often is reaching out to "boots on the ground" like local system administrators or IT staff, there may need to be changes in areas of responsibility when the IR team is larger. I partially covered this when mentioning inter-team relationships. Even if your IR team is comfortable contacting those in the field directly, those managing the people in the field may want a more formal command structure so they can track requests and other communications from the IR team. Contacts in the field may also want their roles and responsibilities more formally or clearly defined. This is easier to work through when the IR team only has a few people, but once there are dozens it can cause problems if those in the field don't know upfront what the IR team expects and what qualifies as an unusual request from the IR team.

Training

A larger IR team means the company is spending a lot more money on the team and security in general. It also means you may have enough team members to form a class-sized group. Whether you use in-house training, outsource, or a combination, a larger team means you will need to think about more formal training where a large group is in a classroom environment. This doesn't mean one-on-one or one-on-few mentoring and training should go away, but you will need to adapt to training larger groups. You should also consider setting aside money specifically for training if that was not done previously.

Be Flexible

Note that this is all based on my experiences in the past 10 or more years, but it is just the tip of the iceberg. Different teams may have different issues to consider when growing. Depending on the specific IR team, none of what I wrote may apply directly. I think there are two overriding concerns when an IR team grows. One is to be flexible as the team grows so your organization can really see what works and what does not. Two is to plan for the growth instead of just letting it happen haphazardly. Some teams do quite well with very little change after they've grown, while some may need drastic changes just because of adding a few people or analyst turnover.

Other Resources

There are some resources available to help deal with creating IR teams, and much of what applies at creation of a team can apply to the growth of a team. When a team goes from a few people to 20-30 people, you essentially are destroying the old team and creating a new one. Most of the questions considered when creating an IR team can be asked once again and reevaluated as the team grows.

Richard Bejtlich has posted on his blog about many aspects of building and maintaining SOCs, and also mentioned that he will have a chapter in his new book titled "Network Security Monitoring Operations," focused on sharing "the author's experience building and leading a global Computer Incident Response Team (CIRT), such that readers can apply those lessons to their own operations." I presume anyone regularly reading my blog is already reading Taosecurity, and also anticipate that his new book will be quite useful.

I hope to have at least one more post in my "Building an IR Team" series. I may also have additional material, or collate and improve all my existing posts if I feel it is worthwhile.

01 March, 2013

Reflections on Over Five Years of Blogging

My first post to this blog was in September 2007. Professionally speaking, I have gone through major changes since then. I've changed employer, though amazingly enough in this line of work that happened only once during that time. I have also learned a lot and my duties have changed quite a bit.

Though I try to stay plugged in to incident response, NSM, and all those other operational bits I love, I am definitely a step back from directly responding to incidents compared to a lot of my previous experience. Another big change for me is that I no longer run a bunch of NSM sensors, though I still do that type of administration on my home network. On the other hand, one of the wonderful things about my current employer is that they allow us a lot of freedom to identify problems or challenges and then take them on without trying to pigeonhole us. I look forward to 2013 as a year in which I will continue being challenged by taking on some new projects of interest to me.

I've gotten a number of links and traffic bursts on some of my past blog posts, which is flattering. I don't particularly feel like a unique snowflake that should get a ton of web traffic and don't usually get a ton of traffic, but occasionally I will really hit the nail on the head with a technical post and get a lot of traffic and links from other bloggers. Unsurprisingly, many of my top posts are in the system administration category since the more security-focused posts probably have a narrower target audience.

I attended FloCon 2013 in January, which made me reflect on a couple of things. First, I am going to try to blog a little more often this year. It was very flattering to talk to people at the conference and have them say they have read my blog, or to find they were using content I had contributed to NSMWiki. When I started this blog, my two main goals were to provide references for myself and to make those references available to others in case they also found them useful. It is good to know that my blog and other public contributions have been useful to others. I would not be where I am without similar help from others, and I think that sharing of information, advice, experience, and debate is a great thing about much of the security community.

The second thing it drove home is that I need to end the semi-anonymous nature of this blog. At FloCon I found that I had coworkers following me on Twitter without even realizing it was me that they were following!

My previous employer knew about my blog and did not give me any grief whatsoever, but at the same time they were somewhat nervous about it. My current employer embraces public engagement to a much larger degree. Plenty of people already knew my name prior to this, and Richard Bejtlich even linked to my blog using my name at least once, but generally I did not promote myself as the author. It is time to change that.

15 June, 2012

CERT's FloCon 2013 CFP

CERT's FloCon 2013 CFP is posted.

It will be held in Albuquerque, New Mexico, on January 7–10, 2013.

I plan to attend.

08 June, 2012

Flame Round-up

Updated June 13 with a few more links.

I decided to write a short post with a Flame timeline, links to the related information, and a brief summary of the interesting information available at each link. I might update this post if I get comments with additional interesting links or if there are significant new developments. When possible, I'm trying to catalog technical discussion rather than news aimed at a general non-technical audience.

Note that many of the dates, on blog posts in particular, will reflect the last time the post was changed rather than the initial posting date. This can be a problem when relying on sites that do not show both a publication and a modification date for web publications. I will note when I know of discrepancies in dates.

2012 May 28:

Kaspersky Lab and ITU Research Reveals New Advanced Cyber Threat: Kaspersky Lab posts information about new malware dubbed Flame. They were investigating incidents related to something known as Wiper on behalf of the ITU and discovered Flame in the process. Kaspersky calls Flame a "super-cyberweapon" and says the primary purpose is cyber espionage. The end of the article includes a link to The Flame: Questions and Answers, a technical FAQ. Judging by the CrySyS report (below), Wiper and Flame could actually be one and the same.

Identification of New Targeted Attack: Dated the same day as the Kaspersky Lab post, the Iranian CERTCC (MAHER) posts information gleaned from an investigation into Flame. They include bullet points listing some of Flame's behaviors and capabilities.

  • Distribution via removable media
  • Distribution through local networks
  • Network sniffing, detecting network resources and collecting lists of vulnerable passwords
  • Scanning the disk of the infected system looking for specific extensions and contents
  • Creating series of user's screen captures when some specific processes or windows are active
  • Using the infected system's attached microphone to record the environment sounds
  • Transferring saved data to control servers
  • Using more than 10 domains as C&C servers
  • Establishment of secure connection with C&C servers through SSH and HTTPS protocols
  • Bypassing tens of known antiviruses, anti-malware and other security software
  • Capable of infecting Windows XP, Vista and 7 operating systems
  • Infecting large scale local networks
Both Kaspersky Lab and MAHER tie Flame to Stuxnet and Duqu. Kaspersky later referred to this post by MAHER as taking place on May 27 rather than the date listed on the page, which is May 28.

CrySyS Lab publishes the first version of its 64-page sKyWIper (Flame) technical report, updated to version 1.05 as of May 31. The report states that Flame may have been active for as long as five to eight years at the time of discovery. The report details modules, encryption, activation, propagation, component descriptions, C&C details, scripts, and evasion techniques.

2012 June 01:

OpenDNS provides a timeline of command and control domain registrations. Domains were registered and active as far back as 2008.

The New York Times publishes an article, Obama Ordered Wave of Cyberattacks Against Iran, detailing efforts directed first by the Bush administration and increased by the Obama administration to use cyberattacks to slow Iranian nuclear development. The article ties the attacks most directly to Stuxnet and was adapted from David E. Sanger's new book, Confront and Conceal: Obama's Secret Wars and Surprising Use of American Power.

2012 June 03:

Microsoft issues Security Advisory (2718704): Unauthorized Digital Certificates Could Allow Spoofing after revelations that Flame was using a cryptographic collision and terminal server licensing certificates to sign code, allowing spoofing of Windows Update. Microsoft issued an emergency patch that blacklisted the three intermediate certificate authorities.

2012 June 04:

ArsTechnica rounds up links, quotes, and information in "Flame" malware was signed by rogue Microsoft certificate. I will not repeat their work, but instead say that they did a good job providing information along with links to more detailed posts and articles from the various players that have been active in the dissemination of information about Flame.

Kaspersky Lab posts The Roof is on Fire: Tackling Flame's C&C Servers. The post includes a chart comparing Duqu and Flame command and control infrastructure, from choice of OS (CentOS for Duqu, Ubuntu for Flame) to number of known C&C domains (80+ for Flame), and more. They go into great detail about the C&C architecture, including the domains being purchased primarily through GoDaddy, the fake identities used for registration, the technical details of the C&C infrastructure, and a list showing the geographic distribution of infections. OpenDNS's timeline links to this post by Kaspersky Lab, so it was presumably posted around the same day, June 01, then updated later.

2012 June 05:

Bitdefender Labs details how Flame uses USB and old-fashioned sneakernet to move data off systems that are not connected to the Internet and onto systems that have previously connected to Flame's C&C servers. FLAME – The Story of Leaked Data Carried by Human Vector also mentions how Flame is different from much other malware, for instance very large file sizes and no anti-debugging or anti-reversing code.

2012 June 06:

Microsoft Security Research and Defense posts Flame malware collision attack explained. This goes into detail and is well worth reading. Notable is that Windows versions older than Vista would have been vulnerable without the MD5 collision, but newer versions required the collision attack.

ArsTechnica also posts on the subject and links to the same MS post among others in their Flame's "god mode cheat code" wielded to hijack Windows 7, Server 2008. Included is a link to a write-up about a theoretical MD5 collision attack dating back to 2007, which itself was an extension of work from 2004. In 2008, the attack went from theoretical to practical.

Symantec's blog post titled Flamer: Urgent Suicide details remaining Flame C&C servers sending a command to essentially uninstall from infected systems by deleting then overwriting Flame files with random data.

Related to the topic of cyber espionage but not dealing directly with Flame, Google announces that they will warn users of possible state-sponsored attacks.

2012 June 07:

Details start to emerge that Flame used a new collision attack. ArsTechnica posts Flame breakthrough shows Flame was designed by world-class scientists. Marc Stevens and B.M.M de Weger are quoted as saying that the collision attack was new.
“Flame uses a completely new variant of a ‘chosen prefix collision attack’ to impersonate a legitimate security update from Microsoft. The design of this new variant required world-class cryptanalysis,” says Marc Stevens. “It is very important to invest in cryptographic research, to continue to be ahead of these developments in practice.”
This adds to the ever-present but growing evidence regarding the type of resources needed for Flame.

2012 June 11:

Bitdefender Labs gets into some great detail on components within Flame, including comparisons to Stuxnet, in Stuxnet's Oldest Component Solves the Flamer Puzzle.
"As mentioned before, atmpsvcn.ocx was believed to belong to Stuxnet: more to the point, its MD5 hash (b4429d77586798064b56b0099f0ccd49) was detected in a Stuxnet dropper. This irrefutably places it as a Stuxnet component. It is common knowledge that Stuxnet used quite an array of droppers, and one of the oldest such droppers, dated from 2009, also contains the atmpsvcn.ocx component. Inside the dropper, we identified a resource encrypted using XOR 255 (0xFF) that is 520.192 bytes large and has the same hash: b65f8e25fb1f24ad166c24b69fa600a8.

This concludes the first part of the demonstration. There is no doubt about it being a Stuxnet component, but today’s demonstration will shed new light on how it fits in the Flamer puzzle."

04 June, 2012

A Practical Example of Non-technical Indicators and Incident Response

Once upon a time there was a network security analyst slash NSM engineer who, like any sane person, ran full packet capture, IDS/IPS, session capture, and passive fingerprinting inline at the ingress/egress of his home network. His setup was most similar to diagram two in IDS/IPS Placement on Home Network.

This security analyst was casually going about his business one day when he opened the basement door of his house and found a tennis ball wedged between the door frame and the storm door. “That’s odd!” he thought. “Who would do that?”

After removing the tennis ball, he thought, “Well, this storm door is really loud when it closes those last few inches. Maybe someone did it to quietly enter or exit the house.” It just so happens that the daughter of said analyst was in high school and her bedroom was down the hall from the basement door. He promptly entered her room and took a quick look around. Lo and behold, the screen from her window was under her bed and the window itself was unlocked. Since this room was on the ground floor, the analyst immediately had some good ideas about what was happening with the window and the basement door. Someone was sneaking in or out of the house!

The analyst confronted his teenage daughter when she got home from school and received denial after denial about any possible wrongdoing. The denials did not sound sincere.

Enter the network security monitoring. He stated, “I told you I would respect your privacy with your email and other electronic communications unless you gave me a reason not to. I consider you in violation of these Terms of Service and I’m going to see what you’ve been up to lately.”

At this point it was late in the evening and the analyst had to get up early for work. This was some years back when AIM was quite common, so he briefly used Sguil to look at recent sessions of AOL Instant Messenger traffic. He decided to get some sleep for work the next day and put off additional investigation. In the meantime, his daughter's privileges were highly restricted.

A day or two later, after trying to manually sift through some of the ASCII transcripts of the packet captures, the analyst quickly decided there was a better way. He whipped up a short shell script to loop through all the packet captures, run Dug Song’s msgsnarf, and pipe the output into an HTML file for later examination. This required a little tweaking to make the HTML easily readable, but it was fairly quick to write and test the script.
The next morning there were many hundreds of lines of AIM conversations to examine. He started working from the most recent and reading backwards. After a few minutes he quickly confirmed that his daughter had been sneaking out of the house to go to parties and get into other mischief.
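The loop described above, as an added example that is not the analyst's original script: it runs dsniff's msgsnarf over each capture file and assembles the decoded messages into one HTML report, escaping the chat text so that a message cannot inject markup into the page you later open in a browser. It assumes msgsnarf is installed and accepts -p <pcapfile>; the capture directory and the snort.log.* file pattern are placeholders for whatever the sensor writes.

```shell
#!/bin/sh
# Added example, not the original post's script: run msgsnarf over a
# directory of pcap files and collect the decoded IM lines into one HTML
# report, one section per capture file.
# Assumptions: msgsnarf (dsniff) is installed and supports "-p pcapfile";
# the capture directory and "snort.log.*" naming are placeholders.
set -u

# Escape &, <, > and " so a chat line can never inject markup into the report.
html_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' \
                           -e 's/>/\&gt;/g' -e 's/"/\&quot;/g'
}

# Render a block of msgsnarf output (one message per line) as an HTML
# section. Empty input yields no section, so captures with no IM traffic
# do not clutter the report.
render_section() {
    title="$1"
    body="$2"
    [ -n "$body" ] || return 0
    printf '<h2>%s</h2>\n<ol>\n' "$(html_escape "$title")"
    printf '%s\n' "$body" | while IFS= read -r line; do
        printf '<li>%s</li>\n' "$(html_escape "$line")"
    done
    printf '</ol>\n'
}

# Run msgsnarf on every capture in the directory and write the report.
build_report() {
    pcap_dir="$1"
    out="$2"
    {
        printf '<!DOCTYPE html>\n<html><head><meta charset="utf-8">\n'
        printf '<title>IM transcripts</title></head><body>\n'
        # Oldest capture first; read newest-first in the browser if preferred.
        for pcap in "$pcap_dir"/snort.log.*; do
            [ -f "$pcap" ] || continue
            msgs=$(msgsnarf -p "$pcap" 2>/dev/null)
            render_section "$(basename "$pcap")" "$msgs"
        done
        printf '</body></html>\n'
    } > "$out"
}

# Usage: ./im_report.sh /path/to/pcaps [output.html]
if [ "${1:-}" != "" ]; then
    build_report "$1" "${2:-im_transcripts.html}"
fi
```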

Another conversation with his daughter finally led to her confession, a long discussion, and suitable punishment. Despite the severity of her actions, the HTML file containing the chat transcripts also contained a few endearing nuggets.

Daughter: OMG they know everything!
Accomplice: what do u mean everything
Daughter: my dad can read all my chats
Daughter: he does computer security for [company redacted]
Daughter: he’s a computer genius
Daughter: DAD I’M INNOCENT!

Upon telling this story to a current colleague, he mentioned that the last few lines are the best father’s day gift the analyst would ever receive.

I think there are a few obvious lessons here that can translate to network monitoring.

First, the initial indicator of the problem was in the physical world. Network security monitoring or any other type of technical monitoring and prevention will fail. I have experienced many times when phone calls from users have been one of the earliest indicators of malicious activity. Particularly in the case of insider threats, it's important to note that many initial indicators of malicious activity are non-technical, like a person's behavior, personnel action, or in this case a physical indicator of a security problem.

Second, sometimes you need to be flexible to solve a problem quickly and with minimal effort. The analyst could have manually looked at the AIM traffic, but because he judged that the threat of another incident was already mitigated by talking to the daughter, digging up the traffic wasn’t urgent. Instead, the analyst decided to write the script that would pull all the traffic and convert it to a readable format. The analyst also had the luxury of knowing that all the packet captures would still be there since his home bandwidth at the time meant well more than 30 days of pcap storage.

Third, network monitoring is a means to an end. In this case, there was a security problem that could be addressed with the help of technical means. In many obvious cases you are trying to protect data. In other cases, you can be trying to protect people or things in the physical world that could be harmed if the wrong information is revealed. It is important to stay focused on what really matters and not get caught worrying about the wrong things because your instrumentation or technologies push you towards priorities that don’t make sense.

Last, attackers are not static. The daughter definitely learned the value of encryption and even using out-of-band communication in the form of SMS over the phone network if she did not want the network sensor recording her conversations in plain text. Technology advancement also makes attackers evolve, for instance with the move to Facebook chat or SMS from older forms of IM.

26 March, 2012

Updating to Snort 2.9.2 and Barnyard2

After fixing hardware problems that had my home network sensor out of commission for the better part of a year, I recently got the system inline again. Because the sensor had been down for so long, I was running a fairly old version of Snort, 2.9.0.3, along with barnyard 0.2.0. I decided the first thing I should do after updating the OS itself was update Snort and Barnyard.

I won't go through the process in detail since there are many resources online for installing and configuring Snort. The main thing I will point out is that you should always look in the docs/ directory for information on installing and upgrading. If you're updating from a previous version, pay particular attention to changes and new features. Another important thing to do is look closely at the snort.conf provided with a given version in etc/ since it will have a lot of information on defaults and configuration directives that may be required. These won't always be the same as previous versions. It's also important to update to the latest rule sets, check for new rules files, and do all the other normal tuning to make sure certain rules are turned off or on.

I had two main problems when I updated, one with Snort and one with Barnyard2. Since Snort is the main piece of the puzzle here, I updated it prior to Barnyard. After updating to Snort-2.9.2.1 and fixing the configuration, I was able to run Snort successfully using the options I normally had previously. However, as soon as I put the sensor back inline and Snort started processing packets, Snort would exit with an error.

Can't acquire (-1) - ipq_daq_acquire: ipq_read=-1 error Failed to receive netlink message!

A quick search revealed that I had to remove the ip_queue module. JJ Cummings on the #snort channel pointed out to me that NFQ is the more recent option than IPQ. I am using Slackware-current, so even though it is a maintained distribution it is also not surprising that I was using an older option. Slackware also did not have a couple of the required libraries to compile DAQ with support for NFQ, so I went to Slackbuilds.org to get the files allowing me to create Slackware packages for libnetfilter_queue and libnfnetlink.

Once I got the new packages installed, made sure the ip_queue module wasn't loaded, recompiled DAQ to support NFQ, and changed my Snort init to use --daq nfq, my inline Snort was working once again.

Next, I updated from Barnyard-0.2.0.

$ barnyard2 -V

  ______   -*> Barnyard2 <*-
 / ,,_  \  Version 2.1.10-beta2 (Build 266) TCL
 |o"  )~|  By Ian Firns (SecurixLive): http://www.securixlive.com/
 + '''' +  (C) Copyright 2008-2011 Ian Firns


Barnyard2 is needed to process Snort's newer output mode, unified2. My snort.conf changed from:

output log_unified: filename unified.log, limit 128

to:

output unified2: filename unified.log, limit 128

When I got Barnyard2 up and running, it was obviously not successfully processing the unified2 files from Snort. Barnyard2 kept repeating the following error as it tried to process the files.

WARNING: No function defined to read header.

I found a thread on the snort-users list that indicated Barnyard2 was getting a file type it wasn't expecting, which made sense considering the warning message. This issue gave me more problems than it should have and I eventually realized it was because of an error in my barnyard.conf file. The input is supposed to read "input unified2" but I had somehow managed to include a colon after "input". Once I fixed that line, Barnyard2 started working, with alerts being properly processed and showing up in Sguil once again.
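A pre-flight checker for the three snags described above (the leftover ip_queue module from the DAQ switch, the log_unified to unified2 output change, and the stray colon in the barnyard2 input line). It is an added example, not part of the original post or of the Snort or Barnyard2 projects; it takes whatever config paths you pass it, and the module listing is a /proc/modules-style file (pass /proc/modules on a live sensor).

```shell
#!/bin/sh
# Added example, not from the original post or the Snort/Barnyard2 projects:
# sanity checks for the three things that broke during this upgrade.
set -u

# Return 0 when ip_queue is not in a /proc/modules-style listing. The post
# needed the module unloaded before switching Snort to --daq nfq.
check_ip_queue_absent() {
    ! grep -qE '^ip_queue[[:space:]]' "$1"
}

# Return 0 when snort.conf writes unified2 rather than the old log_unified
# format that Barnyard2 cannot read.
check_snort_output() {
    conf="$1"
    if grep -qE '^[[:space:]]*output[[:space:]]+log_unified:' "$conf"; then
        echo "$conf: 'output log_unified' is the old format; use unified2" >&2
        return 1
    fi
    grep -qE '^[[:space:]]*output[[:space:]]+unified2:' "$conf" || {
        echo "$conf: no 'output unified2:' line found" >&2
        return 1
    }
}

# Return 0 when barnyard2.conf has exactly "input unified2". A stray colon
# ("input: unified2") leaves Barnyard2 without a reader, which surfaces as
# "WARNING: No function defined to read header."
check_barnyard_input() {
    conf="$1"
    line=$(grep -E '^[[:space:]]*input' "$conf" | head -n 1 \
           | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    case "$line" in
        "input unified2") return 0 ;;
        "input:"*)
            echo "$conf: 'input' must not be followed by a colon: $line" >&2
            return 1 ;;
        "")
            echo "$conf: no input directive found" >&2
            return 1 ;;
        *)
            echo "$conf: unexpected input directive: $line" >&2
            return 1 ;;
    esac
}

# Run all three checks and return non-zero if any of them fails.
# Usage: ./check_upgrade.sh snort.conf barnyard2.conf [modules-listing]
run_checks() {
    rc=0
    check_ip_queue_absent "${3:-/proc/modules}" \
        || { echo "ip_queue is still loaded; rmmod it before using --daq nfq" >&2; rc=1; }
    check_snort_output "$1" || rc=1
    check_barnyard_input "$2" || rc=1
    return "$rc"
}

if [ $# -ge 2 ]; then
    run_checks "$@"
fi
```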

The next update will be to go from Sguil-0.7.0 to Sguil-0.8.0.