Comments
-
I've said it before: I've been really impressed by the quantity and quality of the contributions here.
-
You won't have to wait long, Part III is up now! Deep Packet Analysis - What's in a Name (service)?
-
Hi! I won't get into my whole Blade Runner "I've seen things you people wouldn't believe.." speech, but I stand by it. But granted, as a point of clarity I should have said "allowing port 80 without any other mitigating controls, etc." and been a bit less alarmist. I'm kinda building up to DPI as a control, so please…
-
Thanks! Reading that comment made my day! Off-topic a bit, but many are predicting the death of the CLI, driven by improved APIs, automation and SDN in general. But thinking about it, these old-school skills are going to be more relevant than ever. Can you just imagine the holy mother of bob screw-ups we're going to get with…
-
Yes, I'd say that was a pretty good explanation. There are some vendors that have SIEM-like features on-box, but inevitably they are going to be in a trade-off of SIEM features vs. performance vs. cost.
-
Thanks, I hope so too!
-
It never occurred to me to be honest, but taking a quick look at the documentation from WinPcap (emphasis mine): "WinPcap receives and sends the packets independently from the host protocols, like TCP-IP. This means that it isn't able to block, filter or manipulate the traffic generated by other programs on the same…
-
Um, no thanks
-
Umm, there are ways of doing this, but certainly it's not easy. Maybe a topic for another post, if not here then somewhere else.
-
Thanks! Yeah, processor architectures are a really interesting topic I'd love to spend a bunch of time researching and writing about the relative merits. It does seem to swing back and forth as to which is the highest performance. At the moment, I would say that for brute force, ASICs have it right now, but Intel have…
-
Thanks!
-
After that, I had to go and find the original speech, worth sharing I think
-
Ouch; I thought that TTL of 65 seconds was a bit odd; I knew the DNS TTL was there, but I guess I was looking in the wrong place. I'll fix this, with credit to you.
-
No worries, been a pleasure!
-
Real world? Such as? Everything I talk about here is currently being implemented across many Firewall/NetSec vendors, it's just that I can't really get into the nuts and bolts of it in this context. If I write something else somewhere (as part of my day job) I'll share with the group!
-
Yeah, me too, I did have to double check a few things for this and the next article! The other thing of course is that tcpdump is still being maintained; I discovered something from the man page wouldn't work because my geriatric SAN was using a *really* outdated build.
-
Um, did I spell "Library" with one "r" again?
-
Thanks for that, I wasn't aware of that tool, but having just checked it's not on two out of three Linux boxes I use for testing, but of course, it can be easily installed.
-
Thank you for reading!
-
Hi! Given how well the Security focus has been received on this blog, I'm tempted to abandon my original intention and just focus on that. However, I don't want anyone to miss out, so if you have an opinion on what you'd like to see me write about next, please vote in the poll; it closes in 3 days so be quick!
-
Yup, I'm coming to that (eventually!)
-
Yeah, if you are going to have ANY hope of performing effective/meaningful DLP then yes, you need to be doing SSL inspection as a matter of course.
-
Hi, although I've only played with a SIEM a bit (logs, yawn!), I believe that "anomaly detection" is quite different in the context of Firewall DPI. As I understand it, SIEM systems are looking for unusual traffic flows or volumes that deviate from the "norm", the definition of "norm" being built up over a period of time…
-
Ta! There are plenty of really excellent tools out there these days, and to be honest I use Wireshark more than anything, but no matter how great your lighter is, sometimes all you have is a couple of twigs.
-
Yeah, that's certainly my point; in most cases it's easier to light a fire with matches, but sometimes all you have is a couple of sticks.
-
Thanks
-
Thanks!
-
I considered introducing the -X switch as part of this post, but I struggled to find anything useful that the standard decoders with either -v or -vv wouldn't tell you. The -A switch will at least show you any human-readable parts easily; I've found that if I'm worrying about what's going on in hex, then it's time to open…
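Picking up the -X versus -A point in the reply above, here is an added illustration (not code from the original post, and not tcpdump itself): a small Python rendering of the two output styles over a hand-built IPv4/TCP packet, so the difference can be seen without a live capture. The packet bytes, addresses and HTTP request are constructed for the example and the checksums are zero placeholders; the formatting follows tcpdump's -X layout (offset, 2-byte hex groups, ASCII column) and -A's rule of dropping a CR that precedes an LF and dotting out other non-printables, but it is a model of that output, not the real decoder.

```python
"""Added example: model tcpdump -X (hex + ASCII) and -A (ASCII only) output
for a raw IPv4/TCP packet (no link-layer header).  Not part of the original
post; the packet below is constructed, not captured."""

# Constructed packet: IPv4 + TCP header + a short HTTP request.
# Field values are hand-built; header/TCP checksums are 0x0000 placeholders.
SAMPLE_PACKET = bytes.fromhex(
    "45000043"      # IPv4, IHL 5, TOS 0, total length 67
    "00014000"      # ID 1, flags DF, fragment offset 0
    "40060000"      # TTL 64, protocol 6 (TCP), checksum placeholder
    "c0a80101"      # src 192.168.1.1 (constructed)
    "5db8d822"      # dst 93.184.216.34 (constructed)
    "c0000050"      # sport 49152, dport 80
    "00000001"      # sequence number
    "00000000"      # acknowledgement number
    "50180200"      # data offset 5, flags PSH|ACK, window 512
    "00000000"      # checksum placeholder, urgent pointer
) + b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"


def tcp_payload(pkt: bytes) -> bytes:
    """Strip the IPv4 and TCP headers (honouring IHL and data offset)."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6:
        raise ValueError("not a TCP packet")
    data_off = (pkt[ihl + 12] >> 4) * 4
    return pkt[ihl + data_off:]


def hex_ascii_dump(data: bytes, width: int = 16) -> str:
    """Render like tcpdump -X: 0xNNNN offset, 2-byte hex words, ASCII column.
    Non-printable bytes show as '.' in the ASCII column."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        words = [chunk[i:i + 2].hex() for i in range(0, len(chunk), 2)]
        hex_part = " ".join(words).ljust(width // 2 * 5 - 1)
        ascii_part = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"0x{off:04x}:  {hex_part}  {ascii_part}")
    return "\n".join(lines)


def ascii_dump(data: bytes) -> str:
    """Render like tcpdump -A: printable bytes, tab and LF pass through; a CR
    immediately before an LF is dropped; everything else becomes '.'."""
    out = []
    for i, b in enumerate(data):
        if b == 0x0D:
            if i + 1 < len(data) and data[i + 1] == 0x0A:
                continue            # CRLF -> LF, as tcpdump does
            out.append(".")
        elif b in (0x09, 0x0A) or 32 <= b < 127:
            out.append(chr(b))
        else:
            out.append(".")
    return "".join(out)


if __name__ == "__main__":
    print("-X style (whole packet):")
    print(hex_ascii_dump(SAMPLE_PACKET))
    print("\n-A style (whole packet; headers dot out, payload reads):")
    print(ascii_dump(SAMPLE_PACKET))
    print("\n-A style (payload only):")
    print(ascii_dump(tcp_payload(SAMPLE_PACKET)))
```

Running it makes the author's point visible: the -A rendering of the 40 header bytes is almost all dots, with only the request line readable, while the -X rendering exposes the same header fields (TTL 0x40, protocol 0x06, ports 0xc000 and 0x0050) that -v/-vv would already have decoded for you.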
-
Ha; as you can maybe tell, this was a real-world scenario that I've seen. It was only by looking deep into the packet flow that we understood what was going on.
-
Ha ha! Looks like we've discovered two BOFHs here then! I think it does depend on what kind of Org you are talking about, but IMHO social media does have a place, but it is easily abused. The way to deal with it is carrot + stick. Employees should be encouraged to use social media, but they must have appropriate training…