An alchemists view from the bar

Network Security Alchemy

Archive for March 2009

The home communications closet

with one comment

Because I am slowly ripping the house apart, it makes sense to add some CAT5e at the same time. Structured cables require a central location where you can patch them together, and at home I don’t want to dedicate a load of space to a server room. I spent some quality time with the hall cupboard and some MDF.


The "Before Shot"

The after shot

The "After shot"

I mounted the patch panel vertically so all the back-end CAT5 will be hidden. Power is fed to everything from behind the panel (held in with magnetic clips) to keep things tidy.


Written by leonward

March 17, 2009 at 10:10 am

Posted in Home Cinema

Tagged with ,

Geographic Representation of Intrusion Events

with 4 comments

Snort events and Google Earth Mashup. They say a picture is worth a thousand words, so I guess the below is all I need to show to explain.

SQL Worms represented in Google EarthSQL Worms represented in Google Earth

Firstly, karma goes to James Tucker for hacking together an early PoC.

I looked into hooking Google Earth into Sourcefire’s Defense Center about a year ago, but ran into issues with finding a good *free* geolocation perl module that I could use.  After a chat with Jim a few weeks back, he pointed me to Maxmind and provided a quick sample of plotting a Snorty pig.

I jumped right into making the integration glue for Sourcefire’s real-time event feed (EStreamer), making it plot the location of your current attacker as the events flood in.

The Good: It worked!

The Bad: It made dizzy!

The world would spin way too fast to keep up with all the nasty stuff out there.  I finally decided on a more mature approach of parsing either a snort alert file, or a Sourcefire CSV report.  This way the user gets more control of  the data being rendered.

To see a real example, download and take a look at the below KML file (open in Google Earth). I re-enabled SQL worm detection in my snort config on a publicly accessible device to find out what country is being the slowest to patch.  It provided an immediately interesting trend. Well done Europe and America for patching against a 8 year old problem,  shame on the rest of you!  Open the attached KML file in Google Earth to inspect in detail on your own local system.

Download SQL Worm KML file

Because Sourcefire 3D uses a advanced method of alert prioritization (impact flags), when used with a Sourcefire report you get an output like the below.

Impact Flag based events

Impact Flag based events

Update: The code can be downloaded from Jason’s blog on, it’s simple to use and get working, up but Ill knock up some instructions when I get a moment.


Written by leonward

March 15, 2009 at 11:37 am

Posted in Security, Sourcefire

Tagged with , ,

Top things not to do with a drill

leave a comment »

What starts with a drill and ends in a big fizz, buzz, spark, bang ouch?

Written by leonward

March 8, 2009 at 7:23 pm

Posted in Fail

Relocation, Relocation, Relocation

leave a comment »

Yes, it’s the third time I have had to relocate my blogroll, but I am a victim of technology beyond my control. So I for one welcome my new overlord, and hope that will be kind to my needs.

Old feeds have RewriteRule to the new location (I owe Apache another beer).


Written by leonward

March 8, 2009 at 12:30 pm

Posted in Uncategorized