Finally I setup my home IDS: Snort & Snorby on top. The goal: to see what is going on in my Internet traffic, is there anything interesting. Also Snort output will be collected by home Splunk instance. The screenshot below shows only test events, nothing serious 🙂 I used this guide: Home IDS with Snort … Read more
Send your name to Mars
ArcSight Smart Connectors has a very useful feature: it is possible to set up a filter to filter out unwanted events and don’t send them to a destination (ESM ArcSight, Logger, etc). It works very well at the ESM ArcSight – you just need to open connector’s properties, select the “Filter” tab and create a … Read more
Today I would like to share a recipe how to utilize WSDL (SOAP) in a Python SUDS script behind the HTTPS proxy. It may be useful for getting some commercial feeds on a server sitting behind the corporate firewall. First of all, I find out the Python SUDS are very convenient. You can download it … Read more
Here is a workaround for the issue with mounting a CIFS share (Windows 2008 R2 Server) at a Logger. I followed usual procedure to configure a remote file system at a Logger. All required parameters for CIFS share were specified: Surprisingly it did not work: I carefully checked parameters, login credentials – everything was correct. … Read more
Here I put some technical details about RedKit Java exploit. I will use real sample of captured network traffic. The analysis was done using the following tools: CuckooBox 0.6, Java Decompiler GUI, Wireshark. Don’t follow any URLs in this post! They may still contain the malware. OK, now step 1: a victim visits an infected … Read more
Mauritania hacker (AnonGhost) hacked Facebook. Cool! PasteBin Facebook:
Recently I find out a situation when some device puts time stamps using the GMT time zone. It could be easily fixed by changing connector settings. But here is a problem again – settings are global, so it will fix time stamps for this device and will broke time stamps for all other device. The only … Read more
Introduction I attended many sessions at the “HP Protect 2012” conference last September and one of them – the “Plug it in!” by Doron Keller (HP/ArcSight) was very interesting for me. As a former software developer, I always like any possibilities of enriching features of an existing product by writing few lines of code. Furthermore … Read more
The “Replay” (also known as Test Alert) agent at the ESM ArcSight – is a very powerful tool for developing and debugging rules. You don’t need to wait until a real (and probably rare!) event will be received by the ESM Manager only to check that the rule produced incorrect result. Of course a test … Read more