When {Puffy} Meets ^RedDevil^ (blog by C.S.Lee)<br />
<br />
<b>Interesting Projects</b> (2015-06-20)<br />
I'm keeping this list of tools here as an online bookmark -<br />
<br />
<a href="https://github.com/automayt/FlowPlotter">https://github.com/automayt/FlowPlotter</a><br />
<br />
<a href="http://threatstream.github.io/mhn/">http://threatstream.github.io/mhn/</a><br />
<br />
<a href="https://github.com/stratosphereips/StratosphereTestingFramework">https://github.com/stratosphereips/StratosphereTestingFramework</a><br />
<br />
The list will grow from time to time so that I don't need to spawn another post.<br />
<br />
<b>Cheers ;)</b><br />
<br />
<b>The Regex Goodies</b> (2015-06-20)<br />
I came across this post and think it's very useful: a lot of teaching points for people who love regular expressions.<br />
<br />
<a href="https://www.loggly.com/blog/regexes-the-bad-better-best/">https://www.loggly.com/blog/regexes-the-bad-better-best/</a><br />
<br />
Enjoy the read, cheers ;)<br />
<br />
<b>Oniguruma Regular Expression</b> (2015-06-19)<br />
For the regex geeks -<br />
<br />
http://www.geocities.jp/kosako3/oniguruma/doc/RE.txt<br />
<br />
Good reference!<br />
<br />
<b>Acrobat JavaScript API Reference</b> (2015-06-12)<br />
This is a very complete reference from Adobe; keep it handy for when you analyse PDF files with embedded JavaScript.<br />
<br />
<a href="http://www.adobe.com/content/dam/Adobe/en/devnet/acrobat/pdfs/js_api_reference.pdf">http://www.adobe.com/content/dam/Adobe/en/devnet/acrobat/pdfs/js_api_reference.pdf</a><br />
<br />
<b>Cheers (;])</b><br />
<br />
<b>PPP Reference</b> (2014-04-25)<br />
I found this while wandering around the Internet and think it's worth sharing with packet monkeys: a very good, straightforward reference for anyone who wants to learn about the Point-to-Point Protocol -<br />
<br />
<a href="http://www.eit.lth.se/ppplab/PPPdocs/ppp-quick-ref.pdf">http://www.eit.lth.se/ppplab/PPPdocs/ppp-quick-ref.pdf</a><br />
<br />
Check it out if you are interested.<br />
<br />
<b>Argus 3: Debug & Testing</b> (2014-04-23)<br />
If you are testing argus 3, the best way is to compile the argus source with debug mode on, by creating the <b>.devel</b> and <b>.debug</b> marker files before running configure -<br />
<br />
Argus -<br />
<b>shell>tar xvzf argus-3.0.7.5.tar.gz</b><br />
<b>shell>cd argus-3.0.7.5</b><br />
<b>shell>touch .devel .debug</b><br />
<b>shell>./configure --prefix=/usr/local/stow/argus-3.0.7.5</b><br />
<b>shell>make && sudo make install</b><br />
<br />
Argus Clients -<br />
<b>shell>tar xvzf argus-clients-3.0.7.25.tar.gz</b><br />
<b>shell>cd argus-clients-3.0.7.25</b><br />
<b>shell>touch .devel .debug</b><br />
<b>shell>./configure --prefix=/usr/local/stow/argusc-3.0.7.25</b><br />
<b>shell>make && sudo make install</b><br />
<br />
If argus or any of the client programs fails to run or misbehaves, run it with -D followed by a level from 1 to 5, depending on how much debug output you want. I'm just writing this as a note to myself, and hopefully it helps others who are using argus as well.<br />
<br />
<b>Cheers ;]</b><br />
<br />
<b>Ubuntu Linux: Argus 3 Installation</b> (2014-04-20)<br />
If you want to test the latest version of argus with all the features enabled on Ubuntu Linux, here's the fastest way; just follow the steps below -<br />
<br />
I use stow to manage the argus installs, so each build lives under its own prefix -<br />
<br />
<b>shell>sudo apt-get install stow</b><br />
<b>shell>sudo mkdir /usr/local/stow</b><br />
<br />
Install mysql server -<br />
<br />
<b>shell>sudo apt-get install mysql-server</b><br />
<br />
Install software dependencies for argus clients -<br />
<br />
<b>shell>sudo apt-get install flex bison libpcap-dev libmysqlclient-dev libncurses5-dev libreadline-dev libgeoip-dev libpcre3-dev</b><br />
<br />
Now download argus and its client suite -<br />
<br />
<b>shell>wget http://qosient.com/argus/dev/argus-3.0.7.5.tar.gz</b><br />
<b>shell>wget http://qosient.com/argus/dev/argus-clients-3.0.7.23.tar.gz</b><br />
<br />
Install argus -<br />
<br />
<b>shell>tar xvzf argus-3.0.7.5.tar.gz</b><br />
<b>shell>cd argus-3.0.7.5</b><br />
<b>shell>./configure --prefix=/usr/local/stow/argus-3.0.7.5</b><br />
<b>shell>make && sudo make install</b><br />
<br />
Install the argus clients -<br />
<br />
<b>shell>tar xvzf argus-clients-3.0.7.23.tar.gz</b><br />
<b>shell>cd argus-clients-3.0.7.23</b><br />
<b>shell>./configure --with-libpcre --prefix=/usr/local/stow/argusc-3.0.7.23</b><br />
<b>shell>make && sudo make install</b><br />
<br />
Now use stow to symlink them into the default PATH (/usr/local/sbin and /usr/local/bin), so that you don't need the full path when running argus -<br />
<br />
<b>shell>cd /usr/local/stow</b><br />
<b>shell>sudo stow argus-3.0.7.5</b><br />
<b>shell>sudo stow argusc-3.0.7.23</b><br />
<br />
Done, and you can start testing argus for fun!<br />
<br />
<b>Kali/Backbox Linux: Alfa AWUS036H</b> (2014-04-08)<br />
After migrating from Backtrack to <a href="http://www.kali.org/" target="_blank">Kali</a> Linux, I ran into a problem with WLAN cracking using the Alfa AWUS036H wireless adapter. The initial problem was -<br />
<br />
<b>shell>airodump-ng wlan0</b><br />
ioctl(SIOCSIWMODE) failed: Device or resource busy<br />
<br />
ARP linktype is set to 1 (Ethernet) - expected ARPHRD_IEEE80211,<br />
ARPHRD_IEEE80211_FULL or ARPHRD_IEEE80211_PRISM instead. Make<br />
sure RFMON is enabled: run 'airmon-ng start wlan0 <#>'<br />
Sysfs injection support was not found either.<br />
<br />
So it states that I should run airmon-ng -<br />
<br />
<b>shell>airmon-ng start wlan0</b><br />
<br />
Found 3 processes that could cause trouble.<br />
If airodump-ng, aireplay-ng or airtun-ng stops working after<br />
a short period of time, you may want to kill (some of) them!<br />
-e <br />
PID Name<br />
2625 dhclient<br />
2722 NetworkManager<br />
2971 wpa_supplicant<br />
<br />
<br />
Interface Chipset Driver<br />
<br />
mon0 Realtek RTL8187L rtl8187 - [phy0]<br />
wlan0 Realtek RTL8187L rtl8187 - [phy0]<br />
(monitor mode enabled on mon0)<br />
<br />
On Backtrack we used to be able to run airodump-ng directly on wlan0; that's no longer the case here. Run airodump-ng on the mon0 monitor interface that airmon-ng created instead -<br />
<br />
<b>shell>airodump-ng mon0</b><br />
<br />
Now everything looks good, except for a minor bug where the channel is reported as -1. To get everything running without that error, I run the following instead -<br />
<br />
<b>shell>airodump-ng --ignore-negative-one mon0</b><br />
<br />
Now you can run the usual WLAN cracking routine (aireplay-ng for packet injection, aircrack-ng for cracking), but remember to pass --ignore-negative-one to the tools that talk to the interface (airodump-ng and aireplay-ng; aircrack-ng itself works on the capture file and doesn't need it) and everything will be fine.<br />
<br />
<b>Cheers (;])</b><br />
<br />
p/s: The same applies if you are using another Linux distribution, <a href="http://www.backbox.org/" target="_blank">Backbox</a>.<br />
<br />
<b>Interesting Rootkit: Uroburos</b> (2014-03-02)<br />
My friend <a href="http://www.gamelinux.org/" target="_blank">ebf0</a> shared this interesting analysis report from G Data SecurityLabs with me; you can find the report here -<br />
<br />
<a href="https://public.gdatasoftware.com/Web/Content/INT/Blog/2014/02_2014/documents/GData_Uroburos_RedPaper_EN_v1.pdf">https://public.gdatasoftware.com/Web/Content/INT/Blog/2014/02_2014/documents/GData_Uroburos_RedPaper_EN_v1.pdf</a><br />
<br />
To understand where the name "Uroburos" comes from, see<br />
<a href="http://en.wikipedia.org/wiki/Ouroboros">http://en.wikipedia.org/wiki/Ouroboros</a><br />
<br />
No matter which party it comes from, we all know intelligence gathering is always going on, and by the time we find out it's usually far too late. The Internet security community needs to work harder, together, to uncover such things as early as possible.<br />
<br />
<b>Cheers (;])</b><br />
<br />
<b>The Practice Of Network Security Monitoring</b> (2014-02-24)<br />
2014 will most probably be a refreshing year for me; everything feels new all over again, and what I do next matters.<br />
<br />
NSM has been a big part of my career and I'm back to my roots, so I would like to discuss and share anything regarding this huge topic. The first thing I'll probably do is grab the book written by my friend Richard, <a href="http://www.nostarch.com/nsm" target="_blank">The Practice Of NSM</a>. Thank you for the effort you put into writing it; staying focused and finishing a book is really tough, especially for someone as busy as you.<br />
<br />
The second thing would be reviewing new versions of existing tools, and new tools that arrived without me noticing - <a href="http://netsniff-ng.org/" target="_blank">Netsniff-ng</a>, <a href="http://snort.org/" target="_blank">Snort</a>, <a href="http://suricata-ids.org/" target="_blank">Suricata</a>, <a href="http://bro-ids.org/" target="_blank">Bro-ids</a>, <a href="http://qosient.com/argus/" target="_blank">Argus</a>, <a href="http://www.netresec.com/" target="_blank">NetworkMiner</a>, <a href="http://digital-forensics.sans.org/community/downloads" target="_blank">SIFT</a> and many more, you name it.<br />
<br />
The third thing is sharing: sharing what I have found and learned in the world of IT security.<br />
<br />
<b>Port Span: Packet duplication</b> (2013-08-12)<br />
I have stumbled across this issue multiple times lately, especially when spanning multiple source ports (a packet that enters on one monitored port and leaves on another is copied once on ingress and once on egress), and there are a couple of solutions worth looking at -<br />
<br />
<a href="http://blogs.cisco.com/security/span-packet-duplication-problem-and-solution/">http://blogs.cisco.com/security/span-packet-duplication-problem-and-solution/</a><br />
<br />
<a href="http://myoss.belgoline.com/despan">http://myoss.belgoline.com/despan</a><br />
<br />
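As an added example (not from the post, nor from the despan tool linked above), here is the deduplication idea applied with awk to tshark field output, so you can see what such a filter has to decide. It assumes the span capture was exported with <b>tshark -r span.pcap -T fields -E separator=, -e frame.number -e frame.time_epoch -e ip.src -e ip.dst -e ip.id -e ip.len -e tcp.seq</b>; two frames with the same IP source, destination, ID, total length and TCP sequence number arriving within a short window are taken to be the two SPAN copies of one packet, and only the first is kept. The sample rows are constructed for this example, not taken from a real capture.<br />
<br />
```shell
#!/bin/sh
# despan-lite: drop SPAN duplicates from tshark field output.
# Assumed input, one frame per line, comma separated:
#   frame.number,frame.time_epoch,ip.src,ip.dst,ip.id,ip.len,tcp.seq
# as produced by:
#   tshark -r span.pcap -T fields -E separator=, -e frame.number \
#     -e frame.time_epoch -e ip.src -e ip.dst -e ip.id -e ip.len -e tcp.seq
LC_ALL=C; export LC_ALL

# Constructed sample: frames 2 and 4 are the SPAN copies of frames 1 and 3
# (identical headers, a few microseconds apart); frame 6 reuses IP ID 4660
# thirty seconds later and must NOT be dropped.
SAMPLE='1,1376280000.000100,192.168.0.2,187.45.241.156,4660,60,0
2,1376280000.000120,192.168.0.2,187.45.241.156,4660,60,0
3,1376280000.000900,187.45.241.156,192.168.0.2,31000,60,0
4,1376280000.000930,187.45.241.156,192.168.0.2,31000,60,0
5,1376280000.002000,192.168.0.2,187.45.241.156,4661,52,1
6,1376280030.000000,192.168.0.2,187.45.241.156,4660,60,0'

# despan [window_seconds]: reads rows on stdin and prints the rows that
# survive.  A row is a duplicate when a row with the same header key was
# seen less than the window (default 0.1 s) ago.  Non-IP frames (empty
# ip.src, e.g. ARP) pass through untouched.
despan() {
  awk -F, -v win="${1:-0.1}" '
    $3 == "" { print; next }
    {
      key = $3 "|" $4 "|" $5 "|" $6 "|" $7
      t = $2 + 0
      if ((key in last) && (t - last[key]) < win) next
      last[key] = t
      print
    }'
}

# Surviving frame numbers of the sample, space separated (used by the demo).
surviving_frames() {
  printf '%s\n' "$SAMPLE" | despan "$@" | cut -d, -f1 | paste -s -d ' ' -
}

# Demo on the constructed sample; on a real capture pipe the tshark output
# into despan instead:  tshark ... | sh despan-lite.sh
echo "surviving frames: $(surviving_frames)"
```
The window is the important knob: too short and copies the switch delivered a few milliseconds apart both survive; too long and a legitimate later packet that happens to reuse the same IP ID (frame 6 above, 30 seconds later) is thrown away. Keying on header fields rather than hashing the whole frame is cheap, but it will also merge a retransmission if the sending stack reused the IP ID; a hash over the full IP packet is the stricter choice when that matters.<br />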
I think packet duplication should be eliminated in hardware, built into the switch itself. That adds some load to the switch, but it makes real-time monitoring accurate and feasible, especially since tools such as Snort and Bro do not identify duplicate packets (to them a duplicated TCP segment looks like a retransmission).<br />
<br />
<b>HeX 3: On the way</b> (2012-07-15)<br />
We are developing HeX 3, and this time it's for real. HeX 3 will be based on FreeBSD 9, and we are looking to create more FreeBSD ports for network security tools. Most of the existing tools compile successfully on FreeBSD 9, and we will provide two platforms this time, i386 and x64 (amd64).<br />
<br />
We would like to list all the new network security tools that are going to be included in HeX 3; currently I have four in mind -<br />
<br />
- <a href="http://www.netresec.com/?page=NetworkMiner" target="_blank">NetworkMiner</a><br />
- <a href="https://github.com/gamelinux/prads" target="_blank">Prads</a><br />
- <a href="https://github.com/gamelinux/passivedns" target="_blank">PassiveDNS</a><br />
- <a href="http://f00l.de/pcapfix/" target="_blank">Pcapfix</a><br />
<br />
Thanks to Erik (the NetworkMiner developer) for sending me the installation guide; that saved me some work ;)<br />
<br />
Here's a screenshot of NetworkMiner running on the upcoming HeX 3 -<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/--2JsDHfQEzw/UALUfJYQf5I/AAAAAAAAAo4/zB7-8gBt6uM/s1600/HeX-NetworMiner.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="296" src="http://4.bp.blogspot.com/--2JsDHfQEzw/UALUfJYQf5I/AAAAAAAAAo4/zB7-8gBt6uM/s400/HeX-NetworMiner.jpg" width="400" /></a></div>
<br />
If you know of any network security tools (especially for packet analysis) that you would like us to add to HeX 3, kindly let me know.<br />
<br />
<b>Cheers (;])</b><br />
<br />
<b>FreeBSD: Netmap</b> (2012-07-12)<br />
High-speed networking and big data are related; both were developed to meet the demands applications place on systems today. We see a lot of work on Linux for high-speed networking (10G and up) but not so much on the BSD side. I wrote about <a href="http://code.google.com/p/ringmap/" target="_blank">FreeBSD ringmap</a> in a previous post, and Robert Watson has implemented <a href="http://www.seccuris.com/documents/whitepapers/20070517-devsummit-zerocopybpf.pdf" target="_blank">zero-copy BPF buffers</a> for FreeBSD. Thanks to friends in #snort-gui, I just found <a href="http://info.iet.unipi.it/~luigi/netmap/" target="_blank">netmap</a>, which is going to be part of FreeBSD 10. It looks promising, and thanks to Luigi and his team for their effort to improve the performance of the network stack.<br />
<br />
Right now there's not much to test netmap with, but if you want to try it out you can download the images from the netmap website and play with them, or install FreeBSD CURRENT from a snapshot image, which you can find here - <a href="http://pub.allbsd.org/FreeBSD-snapshots/">http://pub.allbsd.org/FreeBSD-snapshots/</a><br />
<br />
Here are the few steps I took after FreeBSD CURRENT was installed (build the netmap kernel module, load it, and confirm the device node and the kernel messages) -<br />
<br />
<b>shell>cd /usr/src/sys/modules/netmap</b><br />
<b>shell>make</b><br />
<b>shell>kldload ./netmap.ko</b><br />
<b>shell>kldstat</b><br />
<b>shell>ls -la /dev/netmap</b><br />
<b>shell>dmesg</b><br />
<br />
Everything is in place, but you need the user-space tools to exercise it, so download -<br />
<br />
<a href="http://info.iet.unipi.it/~luigi/netmap/20120608-netmap.tgz">http://info.iet.unipi.it/~luigi/netmap/20120608-netmap.tgz</a><br />
<br />
After untarring it, you can start playing with pkt-gen and the other binaries provided in there. Netmap is still under development and testing; hopefully once it reaches a stable stage we will see many network security monitoring tools ported to it, since it will be native to FreeBSD. For the details, check out the presentation slides and other information on the netmap website.<br />
<br />
<b>Cheers ;]</b><br />
<br />
<b>Flocon 2012: Argus Training Slide</b> (2012-07-12)<br />
If you are looking for detailed information about the latest argus development and features, look no further -<br />
<br />
<a href="http://www.qosient.com/argus/presentations/Argus.FloCon.2012.Tutorial.pdf">http://www.qosient.com/argus/presentations/Argus.FloCon.2012.Tutorial.pdf</a>
<br />
<br />
The slides were made by Carter and contain a lot of information about argus, a state-of-the-art flow analysis tool. Though I'm a long-time argus user, I still learned something new from them.<br />
<br />
<b>Cheers (;])</b><br />
<br />
<b>Inter VM NSM</b> (2012-06-21)<br />
Cloud is everywhere now. I have been playing with Open vSwitch for a while, and it looks like a critical piece for providing network security monitoring in virtualized environments. If you want to know more about Open vSwitch, see the website below -<br />
<br />
<a href="http://openvswitch.org/">http://openvswitch.org</a><br />
<br />
Open vSwitch is not just a virtual switch; it offers network traffic monitoring features such as SPAN, RSPAN, NetFlow and sFlow. I have tried out many of them and they are useful, depending on your monitoring needs.<br />
<br />
Traditional network traffic monitoring is not going to help here: you can't simply deploy a network tap or physical port mirroring to monitor traffic inside a cloud server farm. You can still see the virtual machines talking to the outside world, but not the conversations between virtual machines on the same host, for example when vm1 scans the other virtual machines on the same cloud server, because that traffic never leaves the hypervisor's virtual switch.<br />
<br />
More thought needs to go into cloud network security monitoring, since cloud is becoming a trend and is widely used in the enterprise; I have encountered a couple of cases where performing forensics was much harder in the cloud.<br />
<br />
Open vSwitch looks promising; hopefully its inclusion in the Linux 3.3 kernel will make it more popular and widely used.<br />
<br />
<a href="http://blog.sflow.com/2012/03/linux-33-released.html">http://blog.sflow.com/2012/03/linux-33-released.html</a>
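<br />
<br />
As an added example, not from the post nor from the Open vSwitch project, here is a small sh wrapper that turns the monitoring features mentioned above into commands: it mirrors every packet switched on a bridge to a sensor port (SPAN), and points the bridge's NetFlow and sFlow exporters at a collector, which is how a sensor VM gets to see the VM-to-VM traffic a physical tap never does. The ovs-vsctl invocations follow the forms documented in the ovs-vsctl manual page; the bridge and port names, the collector addresses and the DRY_RUN switch (which prints the commands instead of running them, so the script can be reviewed and tested without a running switch) are this example's own assumptions.<br />
<br />
```shell
#!/bin/sh
# Inter-VM visibility with Open vSwitch: mirror a bridge to a sensor port and
# export flow records.  Bridge/port names and collector addresses are example
# assumptions.  Set DRY_RUN=1 to print the ovs-vsctl commands instead of
# running them (for review, and for running this script on a host without OVS).
set -eu

ovs() {
  if [ "${DRY_RUN:-0}" = 1 ]; then
    echo "ovs-vsctl $*"
  else
    ovs-vsctl "$@"
  fi
}

# SPAN: copy every packet switched on $bridge to $sensor_port, the vNIC of the
# sensor VM (or the host-side tap your IDS listens on).  One ovs-vsctl
# transaction: look up the port's UUID as @p, create the Mirror row as @m,
# attach it to the bridge.
mirror_bridge_to_sensor() {
  bridge=$1; sensor_port=$2
  ovs -- set Bridge "$bridge" mirrors=@m \
      -- --id=@p get Port "$sensor_port" \
      -- --id=@m create Mirror name="span-$sensor_port" select-all=true output-port=@p
}

# Remove all mirrors from the bridge (e.g. once the investigation is over).
unmirror_bridge() {
  ovs clear Bridge "$1" mirrors
}

# NetFlow export of every flow the bridge switches, VM-to-VM ones included.
export_netflow() {
  bridge=$1; collector=$2
  ovs -- set Bridge "$bridge" netflow=@nf \
      -- --id=@nf create NetFlow targets="\"$collector\"" active-timeout=30
}

# sFlow: 1-in-64 packet samples plus interface counters every 10 s.
export_sflow() {
  bridge=$1; agent_if=$2; collector=$3
  ovs -- --id=@sf create sFlow agent="$agent_if" target="\"$collector\"" \
           header=128 sampling=64 polling=10 \
      -- set Bridge "$bridge" sflow=@sf
}

# Example run: mirror br0 to the sensor VM's port and export flows to
# 10.0.0.10.  Only executed under DRY_RUN=1 here; with a real switch, call the
# functions directly.
if [ "${DRY_RUN:-0}" = 1 ]; then
  mirror_bridge_to_sensor br0 vnet-sensor
  export_netflow br0 10.0.0.10:2055
  export_sflow br0 eth0 10.0.0.10:6343
fi
```
Two practical caveats: select-all=true makes the switch copy every packet on the bridge, which doubles its work on a busy host, so for a targeted investigation prefer select-src-port/select-dst-port on the VM ports of interest, or sFlow sampling; and give the sensor VM's vNIC no IP address on that bridge, so the sensor only listens and its own traffic does not show up in the mirror.<br />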
<br />
<br />
<b>Cheers ;]</b><br />
<br />
<b>FreeBSD 9.0 Release is OUT!</b> (2012-01-14)<br />
If you haven't noticed yet, FreeBSD 9.0-RELEASE is out; grab it while it's still hot. The announcement can be found at<br />
<br />
<a href="http://www.freebsd.org/releases/9.0R/announce.html">http://www.freebsd.org/releases/9.0R/announce.html</a>
<br />
<br />
You can check out the release note at -<br />
<br />
<a href="http://www.freebsd.org/releases/9.0R/relnotes.html">http://www.freebsd.org/releases/9.0R/relnotes.html</a>
<br />
<br />
I'm glad to see the driver improvements for network adapters, especially Intel-based cards, and that netgraph's ng_netflow now supports NetFlow v9 export. Another interesting feature is usbdump, which captures the traffic on a USB controller. As always, ipfw is improved in almost every FreeBSD release, just like pf in OpenBSD. The FreeBSD team has also made a lot of file system improvements, and finally we get a new installer ;)<br />
<br />
With FreeBSD 9.0-RELEASE officially out, it's time to work on HeX 3!<br />
<br />
<b>Cheers ;]</b><br />
<br />
<br />
<b>Argus 3: Some hardly used scripts</b> (2012-01-11)<br />
A couple of Perl scripts come with <a href="http://www.qosient.com/argus/" target="_blank">argus</a> 3 (in the argus-clients distribution) to process argus data; in case you haven't used them, do try them out. I will just show the output of those scripts -<br />
<br />
<b>shell>perl ./raips -r ~/pcap-repo/anubis.arg3</b><br />
187.45.196.28<br />
187.45.241.156<br />
192.168.0.1<br />
192.168.0.2<br />
<br />
raips prints every unique IP address seen in the argus data.<br />
<br />
<b>shell>perl ./rahosts -r ~/pcap-repo/anubis.arg3</b><br />
192.168.0.2: (3) 187.45.196.28, 187.45.241.156, 192.168.0.1<br />
<br />
rahosts generates a host report: for each host that initiates connections (transmitter), the count and list of destination hosts it talked to (receivers). A transmitter with a long array of addresses in the same network is the signature of network scanning or worm outbreak activity.<br />
<br />
<b>shell>perl ./raports -r ~/pcap-repo/anubis.arg3</b><br />
187.45.241.156 tcp: (1) 80<br />
192.168.0.1 udp: (1) 53<br />
187.45.196.28 tcp: (1) 1433<br />
<br />
raports generates the port report, but only for the server side, i.e. the ports on each destination host that were contacted by any host.<br />
<br />
If you are not satisfied with the output of those scripts, you are free to modify them to fit your needs; Carter is basically just demonstrating what you can do with argus data and a little scripting.<br />
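<br />
As an added example (not the argus scripts themselves), here are the same three reports rebuilt with ra(1) and awk, so you can see exactly what raips, rahosts and raports compute. It assumes the flows were dumped as comma-separated saddr,daddr,proto,dport columns with <b>ra -r anubis.arg3 -s saddr daddr proto dport -c ,</b> (a title line starting with SrcAddr is skipped if present); the sample rows are constructed for the example rather than taken from the anubis.arg3 file in the post.<br />
<br />
```shell
#!/bin/sh
# raips / rahosts / raports rebuilt with awk over plain ra(1) output.
# Assumed input, one flow per line:  saddr,daddr,proto,dport  as produced by
#   ra -r anubis.arg3 -s saddr daddr proto dport -c ,
LC_ALL=C; export LC_ALL

# Constructed sample flows (not the post's real anubis.arg3 data).
SAMPLE_FLOWS='192.168.0.2,192.168.0.1,udp,53
192.168.0.2,187.45.241.156,tcp,80
192.168.0.2,187.45.196.28,tcp,1433
192.168.0.2,187.45.241.156,tcp,80
192.168.0.3,192.168.0.2,tcp,445'

# Drop an optional ra title line and keep only tcp/udp flows that have a port.
flows() {
  awk -F, '$1 != "SrcAddr" && ($3 == "tcp" || $3 == "udp") && $4 != ""'
}

# raips: every distinct address, whether it appeared as source or destination.
raips() {
  flows | awk -F, '{ print $1; print $2 }' | sort -u
}

# rahosts: per transmitter, how many distinct receivers it talked to, and which.
# A transmitter with a long receiver list inside one subnet is the scanning /
# worm-outbreak pattern the post describes.
rahosts() {
  flows | awk -F, '{ print $1 "," $2 }' | sort -u \
    | awk -F, '{ n[$1]++; r[$1] = (n[$1] > 1) ? r[$1] ", " $2 : $2 }
               END { for (s in n) printf "%s: (%d) %s\n", s, n[s], r[s] }' \
    | sort
}

# raports: per receiver and protocol, the distinct destination ports contacted
# (server side only, like the original script); ports sorted numerically.
raports() {
  flows | awk -F, '{ print $2 "," $3 "," $4 }' | sort -t, -k1,1 -k2,2 -k3,3n -u \
    | awk -F, '{ k = $1 " " $2; n[k]++; p[k] = (n[k] > 1) ? p[k] ", " $3 : $3 }
               END { for (k in n) printf "%s: (%d) %s\n", k, n[k], p[k] }' \
    | sort
}

# Demo on the constructed sample.  On real data, pipe ra into a function:
#   ra -r anubis.arg3 -s saddr daddr proto dport -c , | rahosts
for report in raips rahosts raports; do
  echo "== $report"
  printf '%s\n' "$SAMPLE_FLOWS" | $report
done
```
The scripts' real value is the per-transmitter fan-out in rahosts: on a normal client a receiver list has a handful of entries, while a scanner or worm shows one source with dozens of receivers in a single /24, which is quick to spot with <b>rahosts | sort -t'(' -k2 -rn</b> on a large file.<br />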
<br />
<b>Cheers (;])</b><br />
<br />
<b>Large Scale Pcap Analysis</b> (2012-01-11)<br />
Storage is no longer much of an issue for packet capture, with terabytes becoming commonplace, and many network analysis tools are gearing toward large-scale pcap analysis. Bro has extended its functionality with <a href="http://tracker.bro-ids.org/time-machine/" target="_blank">Time Machine</a> on commodity hardware to capture and analyse network data, and now I've just read about people at RIPE NCC doing it with Apache Hadoop -<br />
<br />
<a href="https://labs.ripe.net/Members/wnagele/large-scale-pcap-data-analysis-using-apache-hadoop">https://labs.ripe.net/Members/wnagele/large-scale-pcap-data-analysis-using-apache-hadoop</a>
<br />
<br />
As we know, <a href="http://pcapr.net/home" target="_blank">pcapr</a> is also using cloud technology to share and analyse pcap data for the Internet community.<br />
<br />
<b>Enjoy ;]</b><br />
<br />
<b>Picviz on Windows</b> (2012-01-09)<br />
I never knew that someone had ported <a href="http://www.picviz.com/" target="_blank">picviz</a> to Windows until I was working on picviz and googling for information; you can find it here if you are interested -<br />
<br />
<a href="http://berise.blogspot.com/2011/01/picviz-for-win32-port.html">http://berise.blogspot.com/2011/01/picviz-for-win32-port.html</a>
<br />
<br />
Open source really opens up many unknown possibilities ...<br />
<br />
<b>Cheers ;]</b><br />
<br />
<br />
<b>Digital Forensics Tools For Linux</b> (2011-12-18)<br />
If you use the Fedora Linux distribution for forensics work, you may want to look into this -<br />
<br />
<a href="http://www.cert.org/forensics/tools/">http://www.cert.org/forensics/tools/</a>
<br />
<br />
CERT also provides a VMware forensics appliance, which you can find at the link above.<br />
<br />
<b>Enjoy ;]</b><br />
<br />
<b>Re-look: Security Operation Tools</b> (2011-12-18)<br />
I haven't kept track of my favourite tools for a while, and it's time to pay attention to them again -<br />
<br />
- <a href="http://bro-ids.org/">Bro-ids</a><br />
- <a href="http://www.splunk.com/">Splunk</a><br />
- <a href="http://www.openinfosecfoundation.org/index.php/downloads">Suricata</a><br />
- <a href="http://www.qosient.com/argus/">Argus</a><br />
- <a href="http://www.ntop.org/">Ntop</a><br />
<br />
All of them have new versions released, and it seems there are numerous changes worth a re-look ;)<br />
<br />
<b>High Tech Fix For "Nokia N900: All telephony functions are disabled" issue</b> (2011-12-16)<br />
Last week, my Nokia N900 phone suddenly popped up with the message -<br />
<br />
<b>All telephony functions, including emergency calls, are disabled due to communication error. To recover, you might have to reboot the device</b><br />
<br />
You will see something like a SIM card icon on the top panel when this message appears.<br />
<br />
Awesome: I couldn't make or receive calls after this message was shown. I rebooted my phone and it worked again ... until this week, when the phone died; I couldn't use it as a phone, only as a small tablet. Maybe I should google to see if there's any solution, and here's what I found -<br />
<br />
<a href="http://discussions.europe.nokia.com/t5/Maemo-and-MeeGo-Devices/N900-All-telephony-functions-are-disabled-and-No-IMEI/td-p/915441">http://discussions.europe.nokia.com/t5/Maemo-and-MeeGo-Devices/N900-All-telephony-functions-are-disabled-and-No-IMEI/td-p/915441</a><br />
<br />
<a href="http://talk.maemo.org/showthread.php?t=60881">http://talk.maemo.org/showthread.php?t=60881</a><br />
<br />
Basically the solution is to claim the warranty and have Nokia replace the phone. What if you are out of warranty, like me? Nokia has no answer for that; thank you Nokia ;)<br />
<br />
I was thinking "SIM card icon and communication error": maybe it is a SIM card slot issue? I don't know, but here's what I tried -<br />
<br />
0. Switch off the N900<br />
1. Open up the N900 case at the back (battery compartment)<br />
2. Take out the battery<br />
3. Take the SIM card out of the slot and clean it<br />
4. Put the SIM card back in the slot<br />
5. Tighten the slot<br />
6. Take some toilet paper; yes, I say toilet paper because it was on my desk when I was trying to fix this<br />
7. Tear the toilet paper and make it thicker by layering it<br />
8. Make the toilet paper roughly the same size (square) as the SIM card slot<br />
9. Put the toilet paper on top of the SIM card slot and push it in a bit<br />
10. Put the battery back and press it in a little hard; the toilet paper will be underneath<br />
11. Close the case<br />
12. Switch on your phone<br />
<br />
The phone works automagically, don't ask me why; it's really a <b>high tech fix</b> if you ever encounter this issue.<br />
<br />
Have fun with the N900 again; by the way, not much fun since there aren't many apps for it (thank you Nokia), BUT it works as a PHONE again!<br />
<br />
<b>Cheers ;]</b><br />
<br />
p/s: By the way, let me know if this solves your problem, I would like to hear about it!<br />
<br />
<b>Time to Kill Bill</b> (2011-12-09)<br />
For all Malaysian IT people, do read this and spread the word: it's time to kill Bill. What Bill? The Computing Professionals Bill 2011!<br />
<div>
<br /></div>
<div>
<a href="http://www.scribd.com/doc/75107593/CPB2011-Draft">http://www.scribd.com/doc/75107593/CPB2011-Draft</a></div>
<div>
<br /></div>
<div>
Do read it in detail! It is currently in the drafting process; thanks to my best pal Mel for sharing this nonsense bill. By the way, if you are on Facebook, support this - </div>
<div>
<br /></div>
<div>
<a href="https://www.facebook.com/pages/Malaysians-Against-Board-of-Computing-Professionals-Bill/289002177811647">https://www.facebook.com/pages/Malaysians-Against-Board-of-Computing-Professionals-Bill/289002177811647</a></div>
<div>
<br /></div>
<div>
I will keep updating this post as the matter progresses; voice your opinion on CPB2011 while you can, in the document below -</div>
<div>
<br /></div>
<div>
<a href="https://docs.google.com/document/d/14E05jHZKQA0y6rP07n2PYtR4obBLEpiiK7OO1iQQ0PA/edit?hl=en_US">https://docs.google.com/document/d/14E05jHZKQA0y6rP07n2PYtR4obBLEpiiK7OO1iQQ0PA/edit?hl=en_US</a></div>
<div>
<br /></div>
<div>
MOSTI has put up its latest working draft, which you can find here -</div>
<div>
<br /></div>
<div>
<a href="http://www.mosti.gov.my/mosti/images/stories/pdf/2011/ruu_bcpm_v17.pdf?PHPSESSID=b5a0a3c0faa9f630065896d7694435a1">http://www.mosti.gov.my/mosti/images/stories/pdf/2011/ruu_bcpm_v17.pdf?PHPSESSID=b5a0a3c0faa9f630065896d7694435a1</a></div>
<div>
<br /></div>
<div>
Please review it and make your voice loud and clear! </div>
<div>
<br /></div>
<div>
Some opinions from individuals who work in the IT industry ;)</div>
<div>
<br /></div>
<div>
<a href="http://www.youtube.com/watch?v=lCDHiWh6Ky4&feature=channel_video_title">http://www.youtube.com/watch?v=lCDHiWh6Ky4&feature=channel_video_title</a></div>
<div>
<br /></div>
<div>
Petition!</div>
<div>
<br /></div>
<div>
<a href="https://www.change.org/petitions/mosti-stop-computing-professionals-bill-2011-cpb2011">https://www.change.org/petitions/mosti-stop-computing-professionals-bill-2011-cpb2011</a></div>
<div>
<br /></div>
<div>
Follow the Tweets regarding <b>CPB2011 </b></div>
<div>
<br /></div>
<div>
<a href="https://twitter.com/#!/search?q=%23CPB2011">https://twitter.com/#!/search?q=%23CPB2011</a></div>
<div>
<br /></div>
<div>
Flip-flop, uncertainty?</div>
<div>
<br /></div>
<div>
<a href="http://www.themalaysianinsider.com/malaysia/article/it-bill-may-be-dumped-says-mosti/">http://www.themalaysianinsider.com/malaysia/article/it-bill-may-be-dumped-says-mosti/</a></div>
<div>
<br /></div>
<div>
Criteria for getting yourself certified?</div>
<div>
<br /></div>
<div>
<a href="http://www.mncc.com.my/members.htm">http://www.mncc.com.my/members.htm</a></div>
<div>
<br /></div>
<div>
Mosti is just facilitator?</div>
<div>
<br /></div>
<div>
<a href="http://www.lowyat.net/v2/index.php?option=com_content&task=view&id=5849&Itemid=1">http://www.lowyat.net/v2/index.php?option=com_content&task=view&id=5849&Itemid=1</a></div>
<div>
<br /></div>
<div>
Role model of CPB 2011, seriously?</div>
<div>
<br /></div>
<div>
<a href="http://allafrica.com/stories/201107061218.html">http://allafrica.com/stories/201107061218.html</a></div>
<div>
<br /></div>
<div>
Interview of the Malaysian Deputy Minister of Science, Technology and Innovation, Datuk Fadillah Yusof, by Astro Awani, if you know the Malay language -</div>
<div>
<br /></div>
<div>
<a href="https://www.facebook.com/photo.php?v=10150460323294820&set=vb.11726505964&type=2&permPage=1">https://www.facebook.com/photo.php?v=10150460323294820&set=vb.11726505964&type=2&permPage=1</a></div>
<div>
<br /></div>
<div>
From Tony Pua, Member of Parliament -</div>
<div>
<br /></div>
<div>
<a href="http://www.youtube.com/watch?v=6ilM5bKokkw&feature=youtu.be">http://www.youtube.com/watch?v=6ilM5bKokkw&feature=youtu.be</a><br />
<br />
While they couldn't define CNII properly during the open meeting, now they want to include more sectors in this undefined crap? Seriously, if the government sector has failed to deliver security all these years, does that mean <a href="http://www.mampu.gov.my/web/guest/prisma">PRISMA</a>, which our government initiated to protect government ICT agencies, is a big failure (so much money wasted, and now this)? By the way, if you read the last few paragraphs carefully, you will notice "<b>What we can do at CyberSecurity Malaysia is to continue to provide more training and capability building in cyber security, says CyberSecurity Malaysia Chief Executive Officer (CEO) Lt Col Prof Datuk Husin Jazri.</b>"<br />
<br />
<b>To me, that basically sounds like if this bill is passed, he can make big money by selling training and certification programs; now we know who is really pushing this AGENDA at the back ;)</b><br />
<br />
<a href="http://thestar.com.my/news/story.asp?file=%2F2011%2F12%2F18%2Fnation%2F10119744&sec=nation">http://thestar.com.my/news/story.asp?file=%2F2011%2F12%2F18%2Fnation%2F10119744&sec=nation</a><br />
<br />
Discussion about CPB 2011 on BFM radio station -<br />
<br />
<a href="http://bfm.my/geeksquawks_ep53.html">http://bfm.my/geeksquawks_ep53.html</a>
<br />
<br />
TeAM (The Technopreneurs Association of Malaysia) objects to CPB 2011 -<br />
<br />
<a href="http://techcentral.my/news/story.aspx?file=/2011/12/14/it_news/20111214141030&sec=IT_News">http://techcentral.my/news/story.aspx?file=/2011/12/14/it_news/20111214141030&sec=IT_News</a>
<br />
<br />
Speak out loud, geeks!<br />
<br />
<a href="http://thestar.com.my/news/story.asp?file=%2F2011%2F12%2F18%2Fnation%2F10105092&sec=nation">http://thestar.com.my/news/story.asp?file=%2F2011%2F12%2F18%2Fnation%2F10105092&sec=nation</a>
</div>
<div>
<br /></div>
<div>
No cheers this time, F it!</div>
<div>
<br /></div>C.S.Leehttp://www.blogger.com/profile/10778262436985693992noreply@blogger.com2tag:blogger.com,1999:blog-12783726.post-32784547029704648032011-12-06T13:21:00.003+08:002011-12-06T13:43:17.379+08:00Intel X520<div>I want this for my Christmas present ;]</div><div><br /></div><a href="http://www.intel.com/content/www/us/en/network-adapters/gigabit-network-adapters/ethernet-x520.html">http://www.intel.com/content/www/us/en/network-adapters/gigabit-network-adapters/ethernet-x520.html</a><div><br /></div><div>I never thought a 10G network adapter could get this cheap; I really need to get one for development and testing!</div>C.S.Leehttp://www.blogger.com/profile/10778262436985693992noreply@blogger.com2tag:blogger.com,1999:blog-12783726.post-77383188539225027062011-12-05T22:15:00.004+08:002011-12-05T22:22:04.999+08:00Virtual PF_Ring<div>The Ntop development team has always developed high-performance packet capture solutions, and this is one I would like to take a look at -</div><div><br /></div><a href="http://www.ntop.org/products/pf_ring/vpf_ring/">http://www.ntop.org/products/pf_ring/vpf_ring/</a><div><br /></div><div>Virtual PF_RING can only be used with KVM; with it, many copy operations are bypassed and packets can be captured at line rate. I think I will test it on my Linux box and see how it goes. By the way, you need to donate to obtain it.</div><div><br /></div><div>Cheers ;]</div>C.S.Leehttp://www.blogger.com/profile/10778262436985693992noreply@blogger.com0