Information Security Incident Handling short course

Nowadays is almost impossible not to learn something in an easy way. Globalization of content and information (evidently through internet) has skyrocketed the learning and educational possibilities worldwide. I took advantage of this mostly through tutorials, guides and free online applications such as Codeacademy, Blogger, WordPress. Only recently (several months ago) I became aware of the MOOC phenomenom (massive open online courses). Continue reading “Information Security Incident Handling short course”

Offline analysis in Security Onion

I’ve mentioned in a previous posts about how useful is Security Onion as it is, but for different reasons one might have to tweat it in order to suit his needs. In my case, I had the problem of big drop rates on network packets from Snort and BRO in a temporary production deployment. Since I couldn’t rely on the BRO and Snort logs I would have to generate them again. The good thing was that netsniff-ng had an almost 0 drop rate and I could use the PCAP files for offline analysis. Continue reading “Offline analysis in Security Onion”

Snort alerts – passing through the Onion

Snort is a pretty interesting piece of software, with multiple features. Understanding the Snort architecture might help better understand this post. It is also the de-facto standard when it comes to IDS and the default sensor used in Security Onion. The present article will present the overview of how Snort and additional programs are being used in Security Onion. The purpose of Snort in Security Onion is to provide IDS data which will be analyzed by the user in one of the user-interfaces available in the operating system. The following is also an example of a network security monitoring system. Continue reading “Snort alerts – passing through the Onion”

How ELSA works

ELSA stands for Enterprise Log Search and Archive. It’s a really powerful syslog framework built on Syslog-NG, MySQL, and Sphinx full-text search. It’s one of the main tools that I’m relying on when using Security Onion. On a previous post I’ve put some words on the big picture in Security Onion , but in the present one I’m going to focus on details related to how ELSA works in Security Onion. The main reason for this article is to understand the differences between standard ELSA and Security Onion ELSA, where people (including me) might get confused with file paths and configuration details. Continue reading “How ELSA works”

Security Onion – from traffic to analyst

In the past months I’ve been using Security Onion in relation to one of my school projects and lately to my internship. Security Onion has a lot of useful programs, on which you could literally spend days to configure to work properly on the same server. The fact that it just works, does not save you the headaches of figuring out how it works and tweaking it to suit your needs. (but it saved me from a lot of headaches caused by other issues). Continue reading “Security Onion – from traffic to analyst”

Getting rid of spam

Everybody using a PC and the internet has a slight idea of what spam is. If not, you could check out the explanation on Webopedia. In short it is (almost) any form of unsolicited email that gets into our mailbox, generally advertising products. Spamming is a great example on how you can take advantage of the human nature. When spam is being sent it’s usually targeted for the masses – in the “male” case, a lot of this spam is intended for viagra or other similar products. Whereas in the female case, a lot of this spam is intended for breast implants and such. Not to mention financial scams, like Nigerian 419 or bank phishing, where the altruist sentiment is being triggered or just the worrying feeling that something might be wrong with you bank account gets people to hand out their credentials without even suspecting.

Continue reading “Getting rid of spam”

Intercepting and modifying HTTP uploads

Sniffing traffic is relatively easy enough. You just fire Wireshark up and look at the packets. Intercepting traffic and modifying it in real time is something that caught my attention, especially from an average user perspective. When you cannot trust users on your network of properly handling data in relation with filesharing services/cloud services, or you just want an easy way for them to upload encrypted data instead of plain-text, modifying their traffic on the fly is the way to go. Continue reading “Intercepting and modifying HTTP uploads”

Hospital Wifi security review

I managed to land in Denmarks second largest hospital, the Odense University Hospital (refered as OUH in danish). Since i’ve been informed that i will have to stay here for several days, i began to accomodate myself (networking wise as in doing my first wifi security review). There is only one free network available for patient/guest access, and several other for staff usage. Most users wouldn’t be interested in the deeper information about the networks, but i was so i started digging a bit into it. Brace yourself, it’s a long one. Continue reading “Hospital Wifi security review”