An alchemists view from the bar

Network Security Alchemy

Posts Tagged ‘Sourcefire

Planing for infosecurity 2010 (London) – VRT Workshop

leave a comment »

It’s that time of year again. Infosecurity Europe is upon us. If you’re going to be there and have a strong interest in the inner-works of intrusion prevention engines, have I got a treat for you lucky lucky people 🙂

Sourceifre’s own Lurene Grenier (@pusscat) and Matthew Olney (@kpyke) are running a workshop!

Here’s the official blurb

Sourcefire VRT Workshop
Register here
– 11:00 – 12:00, Wednesday 28th April 2010 –  Mayfair Room, Earls Court.
The VRT team will demonstrate the power and flexibility of the engine by unveiling a new multi-faceted, scalable detection methodology targeted at addressing the most difficult detection problems facing security professionals today.

So if that gets your interest going, make sure you register here.

As a bonus for you all, Sourcefire are also running an “Intelligent Network Security” Workshop.

Sourcefire Intelligent Network Security Workshop
Register here | 15:00 – 16:00am, Wednesday 28th April 2010 | Mayfair Room, Earls Court
In the age of the advanced persistent threat of cloud computing and of new economic realities, how can companies ensure their networks are monitored and protected securely and cost-effectively? Find out how Sourcefire, the leader in context-aware Intrusion Prevention Systems has addressed the limitations of current generation IPS to provide true intelligent network security solutions.

And I’ll be stuck on the Sourcefire stand for most of the three days, pop buy if you want to say “oh hai”.



Written by leonward

April 1, 2010 at 9:13 am

Posted in Sourcefire

Tagged with , ,

Network Security Bloggers meet, London 30/March/2009

leave a comment »

I’m attending a network security Blogger meeting on the 30/March/2010 in a pub just off Oxford St, London. It’s kindly hosted by Sourcefire but don’t expect any sales people in attendance! It will be an informal event with drinks, nibbles, and networking (read free beer). Hopefully we’ll discuss what’s hot (or not) right now, share some ideas, and provide inspiration for a post or two.

If you’re a network security blogger and want to meet others like you in person, let me know and ill try to get you on the guest list!


Written by leonward

March 18, 2010 at 12:09 pm

Posted in Uncategorized

Tagged with ,

Geographic Representation of Intrusion Events

with 4 comments

Snort events and Google Earth Mashup. They say a picture is worth a thousand words, so I guess the below is all I need to show to explain.

SQL Worms represented in Google EarthSQL Worms represented in Google Earth

Firstly, karma goes to James Tucker for hacking together an early PoC.

I looked into hooking Google Earth into Sourcefire’s Defense Center about a year ago, but ran into issues with finding a good *free* geolocation perl module that I could use.  After a chat with Jim a few weeks back, he pointed me to Maxmind and provided a quick sample of plotting a Snorty pig.

I jumped right into making the integration glue for Sourcefire’s real-time event feed (EStreamer), making it plot the location of your current attacker as the events flood in.

The Good: It worked!

The Bad: It made dizzy!

The world would spin way too fast to keep up with all the nasty stuff out there.  I finally decided on a more mature approach of parsing either a snort alert file, or a Sourcefire CSV report.  This way the user gets more control of  the data being rendered.

To see a real example, download and take a look at the below KML file (open in Google Earth). I re-enabled SQL worm detection in my snort config on a publicly accessible device to find out what country is being the slowest to patch.  It provided an immediately interesting trend. Well done Europe and America for patching against a 8 year old problem,  shame on the rest of you!  Open the attached KML file in Google Earth to inspect in detail on your own local system.

Download SQL Worm KML file

Because Sourcefire 3D uses a advanced method of alert prioritization (impact flags), when used with a Sourcefire report you get an output like the below.

Impact Flag based events

Impact Flag based events

Update: The code can be downloaded from Jason’s blog on, it’s simple to use and get working, up but Ill knock up some instructions when I get a moment.


Written by leonward

March 15, 2009 at 11:37 am

Posted in Security, Sourcefire

Tagged with , ,