Wednesday, August 30, 2017

Building a SOC

I gave a talk last Friday at the last Ruxmon before the hiatus for Ruxcon on building a SOC. The slide deck should be up here: Now the map is not the territory, and the slide deck is not the talk (in some ways it's more useful). There are links to a lot of things you should be familiar with as well as three slides of some of the books it's worth investing some time in.

An interesting point is that I was suggesting Apache Metron was worth attendees' time checking out, and it would appear Telstra agrees, as the SOCs they've opened in Sydney and Melbourne are running Metron.

Based on the OpenSOC project created at Cisco, Metron entered the Apache Incubator program in December 2015, had its first release in April 2016, and became a top-level project earlier this year (April 2017).

Go here to check it out:

Monday, December 05, 2016

Legacy post rescued from Drafts: Troubleshooting Check Point VPNs

Was working with a customer's outsourcing provider to establish a set of meshed VPNs. Both the outsourcer and the customer have complex Network environments, requiring double-NAT'ing either side of the VPN, so when things didn't work, we settled down for some troubleshooting.

First the VPN wasn't coming up at all...bread-and-butter, usually routing between the endpoints (assuming your auth and communities are right). This was a little bit more interesting as it turned out the outsourcer had two firewall clusters on the same external segment, and when they looked at the logs, the inbound IKE traffic was hitting the wrong cluster. Simple enough, routing on their border router, right? Turns out wrong - the routing table was fine. The necessary clue was provided when network support at the outsourcer said "the VRRP address of this cluster is...". Turned out that the clusters shared the same VRID (Virtual Router ID - VRRP is RFC 3768, now obsoleted by Version 3 for IPv4 and IPv6 in RFC 5798), which meant that they shared the same virtual router MAC address, which is how traffic that was routed correctly was ending up on the wrong firewall. The outsourcer changed one of their VRIDs, and we were good to go!

Well, not quite...the VPN now came up and the firewalls at both ends logged the customer's traffic, however the customer couldn't connect to the web app. Turned out the SYN was going out, no SYN-ACK coming back! Outsourcer checked their side and the SYN-ACK was getting back to the firewall. Had them do an "fw monitor -p all" and the packet was reaching the encrypt chain. However we never saw any traffic at the customer end. Further inspection showed that there were never any Phase 2 renegotiations from the outsourcer's end either. When we did the tcpdumps at our end, it was

...transmission interrupted...

Monday, October 27, 2014


I wrote a Gold Paper for my GCFA, the cert corresponding to the SANS Institute FOR508 Advanced Forensics course,which may be found at the following link:
It's also in the SANS Reading Room in the forensics section, linked:

In short the paper describes automating the evidence processing phase of a DFIR investigation, using Jenkins to control the automation and storing the results in an ELK (Elasticsearch-Logstash-Kibana) stack for visualisation. A lightweight DFIR case manager is also provided.

The software can be found at:

A list of current open issues (bugs and enhancement requests) is at:

Bug reports and requests for enhancement will be accepted with gratitude!

Thursday, January 09, 2014

Post-processing AWS CLI output with jq

I've been using the AWS CLI to dump information out of AWS for some time now, but just started using jq to post-process the JSON format the AWS CLI produces. Here is (I think) a useful one-liner (it assumes you're using Tags, and have a useful tag with Key "Name"; it also assumes you're using VPCs, but of course you're using VPCs):
aws ec2 describe-instances | jq '.Reservations[].Instances[]| .InstanceId, .VpcId, .SubnetId, .InstanceType, .NetworkInterfaces[].PrivateIpAddress, (.Tags[]|select(.Key == "Name").Value), .SecurityGroups'
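The same field selection as the jq one-liner, written in Python as an added example (not from the original post). It works on a constructed, trimmed describe-instances response embedded inline, and it also covers the case the one-liner does not: an instance with no Name tag (or no Tags at all), which makes `.Tags[]` fail in jq rather than emit a blank.

```python
import json

# Constructed sample, shaped like "aws ec2 describe-instances" output
# (not real AWS data). The second instance deliberately has no Tags key.
SAMPLE = json.loads("""
{"Reservations": [{"Instances": [
  {"InstanceId": "i-0aaa", "VpcId": "vpc-1", "SubnetId": "subnet-1",
   "InstanceType": "t2.micro",
   "NetworkInterfaces": [{"PrivateIpAddress": "10.0.1.10"}],
   "Tags": [{"Key": "Name", "Value": "web-1"}],
   "SecurityGroups": [{"GroupId": "sg-1", "GroupName": "web"}]},
  {"InstanceId": "i-0bbb", "VpcId": "vpc-1", "SubnetId": "subnet-2",
   "InstanceType": "m4.large",
   "NetworkInterfaces": [{"PrivateIpAddress": "10.0.2.10"},
                         {"PrivateIpAddress": "10.0.2.11"}],
   "SecurityGroups": [{"GroupId": "sg-2", "GroupName": "db"}]}
]}]}
""")


def summarise_instances(resp):
    """Flatten describe-instances output to the fields of the jq one-liner.

    Returns one dict per instance. Missing Tags or a missing Name tag yield a
    placeholder instead of an error, so untagged hosts still show up in review.
    """
    rows = []
    for reservation in resp.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            tags = {t["Key"]: t["Value"] for t in inst.get("Tags", [])}
            rows.append({
                "InstanceId": inst["InstanceId"],
                "VpcId": inst.get("VpcId"),
                "SubnetId": inst.get("SubnetId"),
                "InstanceType": inst["InstanceType"],
                "PrivateIps": [ni["PrivateIpAddress"]
                               for ni in inst.get("NetworkInterfaces", [])],
                "Name": tags.get("Name", "<untagged>"),
                "SecurityGroups": [sg["GroupId"]
                                   for sg in inst.get("SecurityGroups", [])],
            })
    return rows


if __name__ == "__main__":
    for row in summarise_instances(SAMPLE):
        print(row)
```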

Tuesday, March 10, 2009

Strategic partnerships with vendors - possible?

I was having a discussion at a client recently where the topic of "strategic partnerships" with vendors came up.

Given that one definition of strategic is "planned to achieve an advantage", I agree that partnerships can be strategic...just not for the customer.

See, paying someone to think for you is one thing...allowing someone whose job it is to sell you stuff to do your thinking for you is, in my opinion, a totally different thing and somewhat akin to setting the fox to guard the henhouse.

Anyone got any good counter-examples?

Thursday, September 28, 2006

Checkpoint FW-1 log exporting

The thing I didn't mention that you quickly find out when importing Checkpoint logs into a database is that Checkpoint have a non-fixed format for exporting logs - only those fields that have values appear in the export, and as for the order of those fields - I'm pretty certain it depends on the phase of the moon ;-) I'll post the little script that gets around that with some Perl later - it's quite simple, but not everyone who might need to load FW-1 logs into a database wants to learn Perl (or any scripting/text-processing language) in order to do so.
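An added example (Python rather than Perl, and not the script mentioned in the post) of the normalisation step described above: records whose fields appear in varying order, with absent fields omitted, are mapped onto a fixed column list so they can be bulk-loaded into a database. The "field: value;" record layout of the sample lines is an assumption modelled on text log output and the lines themselves are constructed.

```python
import csv
import io

# Fixed column order for the database table, whatever order the export used.
COLUMNS = ["date", "time", "action", "orig", "i/f_name", "rule",
           "src", "dst", "proto", "service", "s_port"]

# Constructed sample records (assumed "field: value;" layout). Field order and
# presence differ from line to line, which is the problem being solved.
SAMPLE_LINES = [
    "date: 28Sep2006; time: 10:01:02; action: drop; orig: fw-ext; i/f_name: eth0; "
    "rule: 12; src: 192.0.2.10; dst: 198.51.100.5; proto: udp; service: 137; s_port: 1034;",
    "time: 10:01:03; date: 28Sep2006; src: 192.0.2.11; dst: 198.51.100.5; "
    "proto: tcp; service: 80; action: accept; orig: fw-ext; rule: 3;",
    "action: drop; src: 192.0.2.12; dst: 198.51.100.9; proto: icmp; "
    "date: 28Sep2006; time: 10:01:04; orig: fw-int; i/f_name: eth1; rule: 12;",
]


def parse_record(line):
    """Split one 'key: value;' record into a dict, keeping any unknown keys."""
    fields = {}
    for pair in line.split(";"):
        pair = pair.strip()
        if not pair:
            continue
        # partition on the first ':' only, so values like "10:01:02" survive
        key, sep, value = pair.partition(":")
        if not sep:
            continue  # fragment without a key/value shape; ignore it
        fields[key.strip()] = value.strip()
    return fields


def normalise(lines, columns=COLUMNS):
    """Return one list per record in fixed column order; missing fields are ''."""
    return [[parse_record(line).get(col, "") for col in columns] for line in lines]


def to_csv(lines, columns=COLUMNS):
    """Render the normalised rows as CSV with a header, ready for a bulk load."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(columns)
    writer.writerows(normalise(lines, columns))
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(SAMPLE_LINES))
```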

Volumes of Network metadata

So I'm doing a firewall ruleset review for a customer and decide to create a toy database just to play around with some queries on the logs...~55 million rows and 19G later...this is why people who ask for full event correlation usually don't know what they're asking for. The volumes of data involved are large. And I'm not talking about session captures above. That's just "this ip address tried talking to this ip address on this udp port and was dropped on this interface of this firewall at this time"...On the plus side, iPods are now up to 80G!
