These are just words


Death Calling

posted Jan 20, 2017, 6:43 PM by Paul Halliday   [ updated Jan 21, 2017, 8:45 AM ]

It's Friday night and I am stressed. At work we are super close to a major product release but strangely enough that isn't even close to what is bothering me. The stress I am currently experiencing was in fact induced by an email that I received earlier this afternoon. It read like so:

Hi Paul,

As I mentioned on Twitter, your talk was accepted. Please sign and return the attached speaker's agreement.

Thanks.

Innocuous enough right? Most people would probably be delighted at this point. For me though, and since the evening before when I saw the direct message on Twitter, I have been in panic mode. Should I respond? Can I still back out?

Even as I type this I am trying to find the best way to articulate exactly why I am so terrified by this. In fact, I am hoping that by doing so I can begin to better understand myself. 

I go through this every time I make a talk submission, a process that occupies and hobbles my brain until the moment the conference is complete.

I think deep down I am hoping that some whizbang psychologist will come across this piece and say: Well, this is simple! You suffer from <this>; and then I will simply move on with my life, but I doubt it is going to be that simple.


Stop looking at me

I was strange long before this. To humor myself and my understanding of cognitive biases I will anchor us at a point in time where things were probably the most lucid. The most poignant memory I have of being completely terrified of people was shortly after my first job that required me to actually go to a bank and deposit a cheque. 

To date myself, the teller thought I looked like Mike D of the Beastie Boys. I was big into skateboarding at the time and my hair was a different colour every week; that fake blonde shade this time around. Not sure if this was a troll on her part or not (definitely not a term at this point) but for the sake of argument it likely was ;)

Anyway, typical bank style, there was this super long line that you had to slowly progress through before reaching the goal. As it turns out, I would rarely make it to the goal because as I slowly progressed through the line I was increasingly aware of every last person in the bank. Every person, every conversation they were having; it was overwhelming. As far as I could tell, they were all looking at and thinking about me.

Invariably I would leave; even if almost at the goal because I had become so incredibly anxious and embarrassed that I was certain that everyone there was looking at me as if I was about to Point Break. In hindsight the act of leaving was probably quite suspicious.

So many times I would and did just leave. Granted I was just in my early teens and no one was missing a meal, but still. The feeling was that strong that I just couldn't do it. No passing Go. No collecting $200.

This actually haunts me to this day. A flight for example is incredibly emotionally demanding. I am literally a sweating bag of nerves until I reach my destination. Security being the worst. I literally feel like I am about to be hauled away as I become hyper aware of a bead of sweat forming on my forehead as I am asked: Where are you headed today?

Fitting in

At some point in my life someone told me that the more you did something, the more natural it would seem. Are you afraid of people? Just put yourself front and center and this will fix everything! This is of course perfect advice for a normal human being. For me? Meh.

This will be my 10th talk. If these were weddings it would be the 10th time I have almost left someone at the altar. Up until the point that I start talking, I am ready to run. The day of, I am still quite ready to feign a catastrophe to get out of it.

It is this part that confused me the most. There has been no incremental ease in delivery. I will be equally as terrified this time as I was the first time. I will still look out at everyone in the audience anticipating and playing out their every thought, and if the doors are open trying to make sense of the conversations in the hall.

Why do I subject myself to this? Conference talks are the scariest thing I consciously pursue to try and make myself better. 

They are therapy, in some strange way that I am not certain I understand.

I just wanted to share that.

 

You can't go back, only forward.

posted Sep 1, 2016, 6:27 PM by Paul Halliday   [ updated Sep 2, 2016, 5:58 AM ]

tl;dr: I will no longer be developing squert. If you want a little history and the reason, read on.


A little over ten years ago I sent this message to the snort-users mailing list:


I initially built squert because I needed to get alert data into the hands of non-analysts so that they could identify infected clients and fix them. At the time I was responsible for the security of a semi-large and strangely complex network which I was going to do my best to try and protect. Unfortunately, few people shared this interest and I only had about $5 in my pocket.

The existing Intrusion Detection user interfaces available at the time were either unusable or designed and built for people that had a background in security; specifically, people with incident handling and response abilities and that knew how to deal with the alerts when they came rolling in. I had a handful of generalists that weren't particularly interested in having something else dumped on their plate.

I needed something that was unambiguous in its message (think traffic light) and that was easily accessible via software that everyone would very likely already have installed on their computer. With these requirements, no real plan and no formal knowledge of web applications I built a very rough but working prototype in a couple of weeks. Squert version 0.1.0 was born.




Beautiful, isn't it?

It didn't matter, we started finding bad stuff immediately and very slowly managed to clean up a very messy network. The biggest win though was that once you have a way to easily articulate a problem; once you have data about the problem and can display it simply, it's hard to ignore it any longer.

We finally had visibility into our environment and with this visibility came a requirement to react. The earlier versions were very simple but I was always looking for ways to make the traffic light better.


GEO

Geo was probably one of the first things I started playing with. The actual implementation was super ghetto; it consisted of a small TCL script that would query the RIRs, format the results and toss them into a DB so that I could perform joins on the data. I always wanted to improve this feature but never got a chance to return to it.



First attempt at GEO presentation



Toying around with a tag cloud type idea (click would filter by)



This was further refined with added functionality in later versions and ultimately fed back into several of the charts and views that you will see below (hover would show details, click would filter).




CHART JUNK


Concurrently with GEO I was always trying to display the data in as many different ways as possible. I tried a LOT of stuff. I played with so many different libs, chart types, different data, different aspects of the data, and composites, all to see what worked and what didn't.



I always loved this effect. It can be quickly processed. Not bad for a bunch of <tr><td>s.



I wasted too much time playing with link charts. It was a complete dead end for me. I could never come up with consistent enough results that gave me confidence in the story that the data was trying to tell.






The moment I saw a Sankey Diagram though, I had to have it!




In later versions I was trying to provide as much context as possible in a single view. I didn't want people to waste cycles on something when a secondary piece of information would have been enough for them to make a quick decision and move on.




The default aggregate alert view was a perfect example of this strategy. Each signature line contained numerous disparate pieces of data (some composites) with the hope of telling a story before actually looking into the alert's detail.




And when you finally did drill down into the alert you could get even more detail and a history.



This isn't a chart but I loved this feature. Once an object was flagged it was trivial to pick out in later views.




The last thing I was working on: integrating data from Bro so that you could pull in this extra source of data right under the event you were looking at.



SO WHY STOP?

When I initially built squert it was intended to be a tool for generalists. I didn't know what I was doing or how to write software, I was simply trying to solve an immediate problem I had. When the project ultimately landed in the Security Onion Linux distribution all of this changed. All of a sudden people actually started using it, something I had never anticipated.

Almost overnight, there was a user base (some of them analysts) and with this new user base came a quiet expectation that the tool needed to be more aligned with the analyst console Sguil. The complexity of this tool coincidentally happened to be the reason that I needed to create squert in the first place.   

The attention to the project and the feedback from people using it pushed me to want to make it the best tool that I could. I knew that there were people that were trying to defend networks that had no resources; people that relied on tools such as this because they really had no other options. People that were in the same position that I was when I started to Google: How do I make a web application? I couldn't pack it in just yet.

Unfortunately, maintaining an open source project is work. Even when I was committing somewhat consistently on the project I was doing so in tiny spurts whenever they were available. There was never a sit down, make a plan; OK, this is where we are going next! It was more like: I have an hour, what can I add that will make this view pop, how can I make this better. No plan. Just drive.

You can't go back, only forward. 

If I didn't subscribe to this there would have never been any feature adds, no toying with new ideas, no trying out some new whizbang lib. I would have simply spent all of those short spurts cleaning up bad code which I never really learned to write, when all I wanted to do was move forward. Well, that's just no fun :)

If you have been following along closely you may have picked out that I am passionate about this stuff. I like to help wherever I can and am willing to sacrifice my own time and effort to do so.

I have learned so much in the past year and now I want to go back. I want to fix all of the things that I know are wrong or could be done better but it is just too much. It would require a huge rewrite and I don't even use the tool anymore.


@bammv Thanks for putting up with all of my questions
@securityonion Thanks for complicating things ;)
@mephux Thanks for being a solid mentor

End tables

posted Sep 7, 2015, 2:18 PM by Paul Halliday   [ updated Sep 7, 2015, 2:23 PM ]

I had some offcuts of larch I was going to toss but as I looked at the pile I thought: I bet I could make something nice out of this. Always up for a challenge and knowing that I probably wouldn't be happy with anything I bought off the shelf, I accepted.

The wood itself was the carcass of a 6"x6" post that had spent the last 2 years outside behind the garage, exposed. I had already scavenged the best from it so what remained had lots of cracks, some dry rot, and a labyrinth of larvae burrows.

You can see the extensive damage in the tops that I am joining here:


Even with the glue there were enough cracks to warrant a little bit of reinforcement:




I opted for steel cross braces just to try something new. This will be the last time I will wear sneakers while doing this kind of work :/. It will heal.


I usually try to avoid building things that require jigs but because I went with a compound 10 degrees on the legs I needed to come up with something for the drill press. Simple enough, but I did need to pay attention because none of the legs are identical in width:


3 coats of polyurethane and some assembly gave me these:



I used a black tinted wood fill to accent the worm holes. Some of these went right through.



The wood had a lot of discrepancies which I tried to preserve as well as I could. I hate the silver hardware though, and it is quite visible even for an end table, so I think I will try to source out something to match the braces.



Concrete #2

posted May 25, 2015, 2:24 PM by Paul Halliday   [ updated May 25, 2015, 4:11 PM ]

I hate dusting. More generally, I hate when something is difficult to clean or maintain. This actually bothers me so much that I have no problem throwing perfectly good things away if they meet this criterion.

This is what my office looked like a few weeks ago:


What we see here are two Ikea desks that are confining, have very little usable desktop space, and are starting to show their age. Did I mention they are a pain to keep clean? (terrible finish for a desktop). Anyway, time for something new (don't worry, they were re-purposed).

My requirements for the replacement were pretty simple. I was looking for something that made the entire length of the room usable desk space and is durable and easy to keep clean. It just so happens that concrete is the perfect fit for this!



Building the form

After emptying the room I placed a 2x6 ledger board along the length of the wall. This is what the finished desktop will rest on so you want to make sure that you are using decent screws and hitting the studs as close to center as possible. After this was up I fastened a 2x4 the entire length, shooting long at the end so that I would have enough to complete the form. This is 3/4 inch down from the top of the ledger as this will support the plywood that will become the bottom of the form.



I ran a bead of silicone along the top of the 2x4 to keep the water in the form (and not make a huge mess). I used short screws sparingly to fasten the plywood because this is going to need to come apart easily when we are done. Notice that the top of the plywood is flush with the top of the ledger board.




The trough on the front is so that the finished product looks a little thicker than it really is. Regardless of whether you are going for this effect or not, you will still want to make it so that you can expose the face of the concrete early on so that you can clean it up before it sets (more on this later).




Once the form is done we need to add a grid of reinforcing bar (rebar). This is especially important for a piece as thin as this; it will crack and be significantly weaker without it.

When you are laying the grid out you want to pay particular attention to the exposed edges, making sure that the bar is centered within these areas. You can use wire to suspend it within the form or just rest it on small spacers (I just used washers). The 2x6 legs are sacrificial. They are friction fit to support the entire form while the concrete is poured and sets.




One last detail. This thing is going to be REAL heavy when it is done and the last thing we want is it coming away from the wall. To address this I drove lag bolts into the top of the ledger and into every stud along the length of the form. The small nails are there so that I can keep track of my depth as I do the initial screed.





Mixing and Pouring the Concrete

The total length for this project is a little under 13 feet with a depth of 30 inches. The finished surface will be 29 inches high and 1 5/8 inches thick. I am using 80 pound bags of high early cement, to which I added a charcoal dye to tone down the bright grey of typical bag mix. The finished product will weigh around 640 pounds.

NOTE: There is no turning back once you start mixing and pouring. You will be committed until you have screeded, troweled, and edged the piece. Also, if you are working on anything bigger than a few feet you will want a few people with you; especially if you are mixing by hand. If you have even a hint of the need for the washroom, take care of that before you start.

Also, watch your water. If you are mixing it yourself follow the instructions. You are not making soup, you want stiff oatmeal.

Lastly, knockouts. If you have anything with wires there is a good chance you will want some of these. Unlike other materials though, they are pretty tricky to add after the fact so you need to build them into your form. I just used oak dowel here and if you have it, you can wrap these in something compressible (sill gasket is perfect) to make them easier to remove when everything sets.




Once the form was filled I rapped the sides and bottom with a hammer for about 5 minutes. At this time I also used an edging tool to break the exposed edge.




That's it for now. This needs to rest for a while.




After about an hour I stripped the front of the form so that I could finish the edge. There is a good chance there will be some voids as can be seen below.




You can usually scrape enough slurry from the form piece that was removed to fill these. After filling these in I used the edging trowel to finish the face and round over the bottom edge. 




This was the first piece that I have done that was not going to be ground and polished with diamond pads. I was going for a very rustic look. 

Eliminating these steps doesn't necessarily get you off the labor hook though. I continued troweling the surface every few hours until the early hours of the next day. If I wasn't so exhausted I would have probably done a little more. I am happy with the results though.




Building the Legs

Nothing fancy here. Square tubing, a few small pieces of angle and jack post plates. They were 10 bucks apiece but saved me a lot of time cutting and drilling.




The only problem with the plates is they were stamped and raised in the center. These mag angles helped me lay them out.




Ready for paint. The small angle is there so that I can fasten them to the floor as well. I used 1/2 inch drive pins to fasten these to the underside of the desk and the floor.




Finished (almost)

After the concrete rested for 7 days I stripped the form and cleaned up any sharp edges with a sanding block. I then applied 2 coats of a penetrating sealer. After this dried for about 2 hours I applied 6 coats of a water based satin finish (30 minutes apart).

I trimmed out the ledger with clear pine that I painted to match the legs.



The books are temporary and will be replaced by a 12" deep maple plank that will run the entire length of the desktop (waiting on my mill guy). There will also be maple plank shelving hovering just below the bottom of the desktop to support laptops, and yes there will be cable management too :)

I will update this page once complete.



Focus on what you know

posted Mar 26, 2015, 3:17 PM by Paul Halliday   [ updated Mar 27, 2015, 6:44 AM ]

We had an incredible training exercise a couple of weeks ago that really left me thinking (explained shortly). To prepare for the exercise, we began by removing all of the big trucks from the station and then laid out a very simple, symmetric course comprised of 9 coiled up hoses of varying length and diameter, oriented like this:

      


Each coil of hose was spaced approximately 15 feet apart from the next and placed on top of each coil was either a 1/2" diameter piece of tubing about 4" long or a 1/2" diameter 90 degree elbow. 

The task was simple, navigate from hose to hose collecting each piece as you go and then once at the finish, assemble them to make a square. Easy enough huh? 

These were the conditions:

1) Full bunker gear. Gloves had to be fire (very thick) not utility and could not be removed during the exercise
2) BA (breathing apparatus) and helmet had to be worn. You were given a full tank
3) You were given a halligan tool (for search) and a radio (emergency phone a friend)
4) The mask was fitted with a blanking insert that completely obstructed the view
5) Finish in 7 minutes

Oh, I get it now. Blindfolded! 

The purpose of the pipe pieces was to add a component of stress to the event and test dexterity. As you were moving along, someone would ask: How many pieces do you have now?; and Where are you in the room?



There were quite a few people there that night so I got to spend a little bit of time observing (learning) before taking a crack at it myself. Before I get to that though I want to talk about why this exercise really had me thinking.

As most of you know, I read quite a bit and the content that interests me the most with regard to the fire service is the case studies associated with incidents. At one point in time I happened across this piece (thanks Lloyd):

"Three Firefighters Die in Pittsburgh House Fire"

As far as the title is concerned there is nothing out of the ordinary; a surprising number of firefighters die every year. What made this article in particular burn into my brain was this picture:


Even though I have read the report and have seen this picture a dozen times, I can't help but think, how on earth?!

That is a pretty tiny spot and it was not involved (albeit smoke filled). Simply knowing the typical width of a stair tread will quickly give you the rough dimensions of this place. It's tiny.

From the report:

All three firefighters died from asphyxiation, which involved both carbon monoxide inhalation and
oxygen deficiency. This occurred as a direct result of exhausting their air supplies and being unable
to find an exit from the family room. It is assumed, but it cannot be confirmed, that all three were
using their SCBAs, with facepieces in place, for the entire time they were inside the house until their
air supplies were depleted.
It is known that the three crew members from Engine 17 exhausted their air supplies and that their
vision was fully obscured by heavy smoke, at least during the period when they were running out of
air. The fire did not involve the room where they were found; after the fire there was only moderate
heat damage at the upper levels of the room and their protective clothing and equipment showed no
signs of damage or deterioration caused by exposure to the fire.

I encourage you to read the entire report.

Back to the present.

It was the third or fourth person that launched this report back into my consciousness. They started out like everyone else but missed the first landmark completely, performing a large arc to the left of it. They were SO close to finding it on a few occasions; just grazing it with their search tool but not registering it. When they finally found a hose coil it was the one in the centre of the room. In their mind, where were they? And where to next?

It was this that made me think not only of this report but also more generally, what if those coils were victims? (OK, perhaps too dark) Honestly though, watching the tip of the halligan just grazing the coil gave me goosebumps, because there was no doubt in my mind that this has happened numerous times before but not with a coil of hose.

As people went through the mock course these were the dominant themes (listed in order of frequency):

1) A single mistake quickly made your entire world fall apart
2) A single mistake quickly made your entire world fall apart but luck revived you (a good chance you missed a puzzle piece though)
3) You made it but it was sketchy at best
4) You took advantage of what you knew and worked the problem in reverse (more on this in a second)

It was ugly. People came close to running out of air. People misread landmarks (or didn't leverage them at all) and most took far too long.

The most interesting part though was how incorrectly I was initially reading things. The first person to go did very well up until point #7 but then things started to unravel. They got lost and ultimately tripped their low air alarm. It wasn't until observing a few more people that I finally got it.

I was comparing everyone to this landmark; point #7. It turns out that it had nothing to do with how far you made it, just whether or not you got lost and how you dealt with it when you did.

As for me? I took advantage of the room to orient me. Instead of swinging my halligan almost immediately (as most people did, which I think contributed to them going off course) I took long deliberate strides and only started swinging when I knew (well, thought I knew) that I should be right on top of one. I would then climb on top of the coil and rotate to what I thought was 90 degrees and then set out. I did this because I figured I would be going off course anyway so starting from the center would limit the deviation.

Once I made it to #5 I knew I was good. I went straight for the wall and moved along it. To go out from #6 to #7 I used the wall to square my launch, which helped me quickly find it. All I needed to do from here was make it back to the wall; even a huge error here wouldn't matter because I really couldn't miss the wall. Knowing that my next stop was almost in the corner of the room I headed to where I thought that might be. Once I found the corner I again knew exactly where I was. I then just followed the front wall of the room to the finish.

I did fumble quite a bit trying to put the puzzle together (damn gloves) even dropping it at one point. I got it though, and had plenty of air left :)

Adding heatmaps to drilldowns

posted Jan 25, 2015, 2:00 PM by Paul Halliday   [ updated Feb 5, 2015, 6:49 AM ]

I am playing with adding a simple weekly heatmap to the signature drilldowns in squert. It adds about a second to the original query so I will make it an option.


Autopilot

posted Jan 12, 2015, 2:04 PM by Paul Halliday

I am just jotting this down because I have been thinking about it quite a bit.

During training this weekend we spent the morning practicing water shuttles and then returned to the station just after noon to practice some mock rescues.

After suiting up and putting my pack on I turned on my air right away because I thought the setup was ready to go. It turns out that they were still preparing the scene and we had to wait. I left my air on. 

The exercise itself was a building collapse (no fire), so hands and knees crawling under rows of tables looking for victims. It was actually a pretty arduous crawl; long with a lot of obstacles. We finally found the victim that needed to be evacuated at the very end of the run (of course). She was unconscious (of course) so we decided the best option would be to drag her out the same crappy way we came in.

I removed the spectra straps I carry and looped them under her back and up through her arms. With one person controlling these and another her legs we could easily manoeuvre the body back through the obstacles and out. Unfortunately, after moving the body just a few feet a low air alarm went off.

The alarm was mine, of course; I had wasted a lot of air waiting. We were told that it would be borderline for me to get back even without hauling a body, so according to protocol I am now a victim with a higher priority. We leave her and get me out.

I outright objected to this; absurd, I said. We are right here! We are going back anyway, let's just see how we make out.

Sounds easy huh? Unfortunately:

1)  It's going to make the situation worse
2)  It's not my call to make and we don't have time to mull it over anyway

It took me a while to come to this conclusion and this is why practice is so important. Conditions deteriorate so rapidly in situations like this and if we stop to think, ponder or mull over anything we make the situation worse. We had found a victim, we had her strapped and ready to go. This is a better situation for them than before. 

It was time to get out of there as quickly as possible and send another team back in.

Bro Agent for Sguil - Now supports Intel.log

posted Oct 29, 2014, 11:06 AM by Paul Halliday   [ updated Jan 14, 2015, 5:42 AM ]

Intro

I created the Bro agent for Sguil so that I could insert certain events from Bro (the notice log) into my workflow and access them via squert. This puts these events in a nice spot for perusal, allows correlation with the other data sources I can access from the interface and also gives me the ability to pull a transcript if need be. 

The stock notice.log has been great as both a complementary piece and a standalone source; however, this week I started playing with the Bro Intel Framework and wow: opportunities galore!

Inspired by the release of Mandiant's APT28 report (INDICATORS!) and propelled by the help from the folks in #snort-gui, I managed to get things up and running. More importantly though, and the reason for this post, is that I also modified the Bro Agent so that it can work with both logs simultaneously.

Keep in mind, this isn't about logs but events. This agent is not supposed to be processing everything Bro is logging, it simply acts as a tripwire.


Setup

I am going to be very generic here and use a very simple (perhaps not the best) example: a domain blacklist. I will use the one from here: http://mirror1.malwaredomains.com/files/justdomains

This file contains a bunch of entries like:

38zu.cn
brenz.pl
gumblar.cn
blog-salopes.com
forum-cs.net76.net
iseyh.com


To use them with the Intel Framework, they need to be formatted like this:

#fields    indicator    indicator_type    meta.source    meta.do_notice
38zu.cn    Intel::DOMAIN    Malware Domains    F
brenz.pl    Intel::DOMAIN    Malware Domains    F

Note: meta.do_notice is set to false (F) because I don't need to see these in the notice log as well. The agent will skip Intel entries it finds in the notice.log so you don't get duplicates.

Very Important: field separators are a single tab, this rule applies in the header as well. Bro is very picky about this format (I wasted a lot of time figuring this out). If things aren't working, check your reporter.log.

To achieve the required format I just did this:

~$ fetch http://mirror1.malwaredomains.com/files/justdomains
~$ awk '{print $1"\011""Intel::DOMAIN""\011""Malware Domains""\011""F"}' justdomains > intel_domains.dat


Lastly, I just needed to add these lines to my local.bro:

# Intel Framework
@load frameworks/intel/seen
@load frameworks/intel/do_notice
redef Intel::read_files += { 
  "/usr/local/bro/share/bro/site/intel_domains.dat",
  "/usr/local/bro/share/bro/site/intel_emails.dat",
  "/usr/local/bro/share/bro/site/intel_apt28.dat",
  "/usr/local/bro/share/bro/site/intel_apt1-certs.dat",
  "/usr/local/bro/share/bro/site/intel_apt1-fqdn.dat",
  "/usr/local/bro/share/bro/site/intel_apt1-md5.dat"
};


Take a look here: http://blog.bro.org/2014/01/intelligence-data-and-bro_4980.html for more details on the Intel Framework, options and fields.
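As an added example (not code from this post or from the bro_agent project), here is a small POSIX shell script that does the same conversion as the awk one-liner above but also skips blank and comment lines, normalises case and line endings, and then checks the result for the single-tab rule the post warns about. The file names and the sample domains in it are constructed for the example.

```shell
#!/bin/sh
# Added example: build a Bro Intel Framework input file from a plain
# one-domain-per-line blacklist and verify its tab-separated layout.
# Not part of the original post or the bro_agent project.

# to_intel LISTFILE SOURCE
#   Prints an Intel Framework file on stdout. meta.do_notice is fixed to F,
#   as in the post, so hits land in intel.log and not again in notice.log.
to_intel() {
    # header: "#fields" plus the four column names, single tabs throughout
    printf '#fields\tindicator\tindicator_type\tmeta.source\tmeta.do_notice\n'
    # strip CRs (in case the list has Windows line endings), drop blank and
    # comment lines, keep only the first column and lower-case the domain
    tr -d '\r' < "$1" | awk -v src="$2" '
        /^[[:space:]]*#/ { next }
        NF == 0          { next }
        { printf "%s\tIntel::DOMAIN\t%s\tF\n", tolower($1), src }'
}

# count_bad_lines INTELFILE
#   Prints the number of lines Bro would choke on: a first line that is not
#   exactly "#fields" followed by four tab-separated names, or a data line
#   that does not have exactly four tab-separated fields. Space-separated
#   files (the mistake the post describes) show up here as all-bad.
count_bad_lines() {
    awk -F'\t' '
        NR == 1 { if ($1 != "#fields" || NF != 5) bad++; next }
        NF != 4 { bad++ }
        END     { print bad + 0 }' "$1"
}

# demo
#   Writes a constructed sample list (not a real feed), converts it and
#   prints the path of the resulting intel file. The caller removes the
#   temporary directory when done.
demo() {
    tmp=$(mktemp -d)
    # constructed input: mixed case, a blank line, a comment, a stray column
    printf 'Evil.example\n\n# comment line\nphish.example.net extra\n' \
        > "$tmp/justdomains"
    to_intel "$tmp/justdomains" "Malware Domains" > "$tmp/intel_domains.dat"
    echo "$tmp/intel_domains.dat"
}

# Usage: f=$(demo); count_bad_lines "$f"   (prints 0 for a clean file)
```

A non-zero count from `count_bad_lines` is the thing to check before restarting Bro, since a malformed file only shows up later as complaints in reporter.log.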


The Agent

You need a working Sguil and Bro install to use this agent. This is trivial to set up if you are running Security Onion.

Get the agent:

~$ git clone https://github.com/int13h/bro_agent

Configure the agent:

~$ cp bro_agent.conf.sample bro_agent.conf


Edit the settings in the conf file to match your Sguil setup; it is well documented. There are some other options in there as well if you wish to change the event priorities and classifications.

Lastly, fire it up:

~$ bro_agent.tcl -c bro_agent.conf -f "path_to_notice.log path_to_intel.log"



Results

Here we can see the events from both the intel and notice logs:



The payload looks like this:



And here's a transcript:



I think this is a great addition to the existing data; adding one more piece of context or perhaps even revealing gaps in coverage. I am pretty excited to start pouring more Intel into this and see what I can net.

Moving windows

posted Oct 1, 2014, 3:42 AM by Paul Halliday   [ updated Oct 7, 2014, 4:18 AM ]

This has been on my todo list for a while but I have been avoiding it like the plague because it was going to be a significant chore. Messing with the windows also means messing with drywall, crack-filling and siding.

When I added a loft over my kitchen I had no choice but to cut off the lower portion of the windows on the front of the house. I could have worked around this but the other option: a low ceiling in the kitchen, was even less appealing. They had to move.

Here I have already removed the existing headers and reframed the upper portion of the new opening. From here, it is just a matter of freeing the window from the structure, cutting out the sheeting above the window and framing in a little wall in the bottom void.


Now that looks better!


This side was easy because I could work from the inside and any mess would be easy to clean up. The other side was a little trickier because I needed to work from the outside.


The only thing left is to remove the remaining siding and cover everything in a waterproof membrane.



This side of the house faces south and I have always had water problems. Whenever there is a storm (especially during hurricane season) the rain isn't falling but blowing upwards with enough force to go up the siding at the overlaps. The waterproof membrane coupled with a steel panel siding product should eliminate this problem.

I will take another shot when the siding is complete.

Making lockpicks

posted Jul 6, 2014, 11:32 AM by Paul Halliday

Out of the blue a few weeks ago someone emailed me about this page and asked if I could reproduce the picks that are shown in the last image. I haven't made picks in quite some time and figured this was a perfect opportunity to see if I still could.

Turns out it wasn't much of a challenge at all. I spent more time looking for the stock and setting up the tools than I did actually making the picks. There was even enough scrap for a torque wrench :) 


As for the story behind these 2 designs: I have quite a few padlocks lying around and of the 10 or so different (random) pick designs I had made at the time, these were the most versatile. Through trial and error, they opened more locks, quicker. The top one will open most Master Locks with very little effort (usually 2 rocks in the keyway). The second one is handy for when middle pins set high.
