Posts

Configuring a bridged promisc interface in Security Onion

A few months ago I configured an all-in-one (server and sensor) Security Onion VM on my ESXi box. It took a while, but I finally found a good box that I could use for a physical sensor. I bought this Barracuda ethernet TAP back around 2007-9, and while it worked great, after I moved to my house it has literally been collecting dust in my basement for years. Lucky for me, it still works! This is a non-aggregating TAP, which means I have two "output" cables coming from the TAP to my IDS. On the physical server, I installed Security Onion as a sensor only, and the TAP interfaces ended up being eth0 and eth2 (eth1 is the mgmt. interface). I quickly realized that I only knew how to bond two interfaces together on CentOS/RedHat. It took a few hours of googling and trial and error, but I finally got eth0 and eth2 bonded/bridged together. Aside from the ...

Writing and Debugging BurpSuite Extensions in Python

When I first started with Burp extensions over a year ago, I used the hiccup framework to develop my plugins. Hiccup had a way of monitoring my custom "plugin" for changes each time it performed an action. As a result, it appeared that any changes I made to a plugin took effect in Burp instantly. Well, when Burp Extender API 1.5 came out, while it greatly improved what could be done with Burp extensions, it also broke projects like Hiccup. Not wanting to be dependent on another non-PortSwigger API, I decided to spend whatever time I needed to learn how to interface with the Burp API directly. As I began, one frustrating thing I realized was that I had to reload my extension each time I made even the smallest change. This process takes some time, and because I am using Jython, it sucks some memory each time the extension is reloaded. I finally gave in and asked on the Burp S...

Re-launch - A focus on Web Application Pen Testing, Burp Extensions, etc

It has been quite a while since my last blog post here. Not that I have ever really blogged much, but in 2010 I officially switched from a world filled with enterprise firewalls and intrusion detection systems to one filled with Web Applications (and other types of applications). On one hand, for someone who likes to learn, Web Application Penetration Testing is perfect: there are so many languages, frameworks, best practices, and common mistakes to understand that, as a tester, you will never run out of things to learn. Of course, that also means that you will never come close to being able to learn it all. Left unmanaged, this can be a source of frustration and despair. The main point of this blog re-launch is that it has been far too long since I have written any code. I'd like to document the mistakes I make, and the lessons I am bound to learn, as I jump back into things. I mainly test applications from a Windows OS, so those thousands of hours of BASH scri...

Use dropbox to collect wedding photos (or any other group photos) with friends and family

After my wedding, I searched for hours trying to find the easiest way for all my friends and family to send me their digital photos. An FTP server would have worked, but would have been slightly more intimidating to the non-technical folk. I decided that a shared dropbox account was the perfect solution, and it worked out even better than I could have imagined. I received 1900 unique pictures in 2 weeks!! I created a new account, and sent the following email to everyone who attended: Thanks so much for making our special day an amazing one! Now that it is over we would love to get everyone's perspective. So, we would appreciate it if you could drop your photos in our dropbox (instructions below). This is an account that we will all share. This means that you can all check back in a week and download as many pictures as you like, and it also means that you can potentially delete all the pictures everyone else has uploaded… so be careful! How to upload pictures: Browse to this websit...

Mysql fix

I don't believe this post will be very useful to anyone else, but I want to record it anyway. I noticed a few weeks ago that my drupal installation was complaining that the watchdog table had crashed. With my limited understanding of mysql, I didn't even know that a table *could* crash. Everything else on the site looked fine to the anonymous user, so I just ignored it. That brings me to today. I found this interesting script online that will dump all of my mysql databases every hour to another file system. I figured I would give it a shot. I entered my root db password and the dst directory and let her rip. I got a few errors right away: [root@www storage]# mysql -backup.sh mysqldump : Error 1194: Table 'watchdog' is marked as crashed and should be repaired when dumping table `watchdog` at row: 283 mysqldump : Got error: 145: Table './drupal/watchdog' is marked as crashed and should be repaired when using LOCK TABLES mysqldump : Got error: 145: Table '....

Some snort login kung-fu...

I was recently playing around with my .bash_profile file looking for new ways to alert myself, as well as my team, to problems with production snorts. I ended up with two little tricks that I have found really useful and I figured I would share. For those that don't know, the .bash_profile file is an sh script that runs at user login. At a bare minimum it sets the user's PATH, but it can be used for a whole lot more. It's located in the root of the user's home directory. Ex: /home/snort/.bash_profile, or /root/.bash_profile. Before I go any further I will tell you that both of these tricks are obviously reactive in nature. They only let you know there is a problem the next time you log into the device. A more proactive solution would involve setting thresholds and sending emails to admins, but 1) there are already plenty of scripts that do that, and 2) that is not a luxury I have on my sensors. I have inbound ssh, outbound 80 for updates and outbound 443 for logging. Nevertheless, t...

MythTV Upgrade - Part 2

Configuring lirc (Remote control daemon): Getting the remote control to work has been on my to-do list for as long as I've been using MythTV. Early on I decided to go with a wireless mouse/keyboard combo instead. I have been using the Ione Scorpius P-20 for quite a while and it has served me well. Every 6 months or so I would try to get the remote working, and every time I would fail... until this weekend. I couldn't have done it without the following two sites: 1) http://www.mythtv.org/wiki/index.php/MCE_Remote 2) http://www.hauppauge.co.uk/board/showthread.php?t=8048 I have a Hauppauge PVR-150 Tuner card which came with the Remote and the IR receiver. I would say my biggest stumbling point along the way was that until this weekend I never knew exactly which remote I had. Apparently the PVR-150 has come with a whole bunch of different remotes over its lifetime. As it turns out, I have an MCE USB2, Version 2, Hauppauge PVR-Kit remote. How I was supposed to know that without luckily ...