with death there is life

• May 29, 2008

I was sad to give up the box that hosted my Active Directory servers, but now I have the hardware to implement OSSIM. I hope it's as good as the screenshots suggest, or as good as the pfSense project. This will be the first published project on the new wiki.

wiki

• May 29, 2008

Most of the content on this site will be on the wiki.

Topics so far are:

-  events – sorted by vendor, product, then event name – with real-world notes and links to other posted write-ups.

-  tools and syntax – like it says

-  project list – notes from builds I have run

Any more ideas would be great.

network update day today

• May 28, 2008

Updated the NAS – new firmware, and the USB hookup works! Now I can back up the NAS over USB instead of from another PC with a USB drive.

Updated my WAP to the new version of Tomato – since I only run it as a WAP there is not much to notice.

No update for pfSense – 1.3 should be out soon. I wish they would borrow their traffic graphs from Tomato!

Killed both domain controllers (needed the hardware, very sad!) and the WSUS server, so I had to go around and configure the XP clients to auto-update (will have a very nice box for logs now, though!).

SANS – what to do

• May 28, 2008

Just found out that I get to attend SANS Chicago this year, 560 or 610, life is full of tough choices.

getting sysadmins involved

• May 28, 2008

At work I sometimes feel as if the sysadmins think we are out to get them, and to turn them in for finding vulns or infected systems. Part of this may be due to the fact that we only show up when something goes wrong. What if they had a more active role in log management? Some ways to improve this that do not involve high-level management sign-offs (or at least only an initial sign-off):

- Security team (or internal SOC) builds large syslog server, might even be a few for different types of logs.

- Sysadmins can register and add details of their systems: IP, hostname, contact info, function (services that should be running). With this data an asset list could be built and used together with firewall and IDS data.

- Security team builds a front end for sysadmins to see all of their logs and filter on a few fields, nothing big, or it would be hard on resources.

- Since the security team now has many local logs for select systems, word may get around that their security issues are handled faster and with more detail than those of systems that did not sign up.

- Security team has a better view of activity on network without having to do the legwork of getting the logs.
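The pieces above (central syslog, a sysadmin-maintained asset registry, a small filtering front end) fit together in a few dozen lines. The following is an added example written for this post, not code from the original; the asset entries, syslog lines, hostnames and contact names are all constructed, and the BSD-style syslog regex is an assumption about the log format the central server would receive. It parses each line, looks up the sending host in the registry to attach the owner and expected services, supports the "filter on a few fields" front end, and flags two things the registry makes visible: a log source nobody registered, and a service running on a host whose owner never listed it.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed asset registry: the details a sysadmin would enter on the
# registration page (hostname -> IP, contact, services that should be running).
ASSETS = {
    "web01": {"ip": "10.0.0.5", "contact": "alice", "services": {"sshd", "httpd"}},
    "db01":  {"ip": "10.0.0.6", "contact": "bob",   "services": {"sshd", "postgres"}},
}

# Constructed BSD-style syslog lines as they would arrive at the central server.
SAMPLE_LOGS = """\
May 28 10:01:02 web01 sshd[1234]: Accepted publickey for deploy from 10.0.0.50 port 51234 ssh2
May 28 10:02:15 db01 postgres[2222]: LOG:  database system is ready to accept connections
May 28 10:03:40 db01 vsftpd[3333]: CONNECT: Client "10.0.0.99"
May 28 10:04:01 unknown07 cron[444]: (root) CMD (run-parts /etc/cron.hourly)
""".splitlines()

# Assumed format: "<Mon dd HH:MM:SS> <host> <program>[pid]: <message>".
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)


@dataclass
class Record:
    ts: str
    host: str
    prog: str
    msg: str
    contact: Optional[str] = None     # filled in from the asset registry
    ip: Optional[str] = None
    flags: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Record]:
    """Parse one syslog line; return None for lines that do not match."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    return Record(m["ts"], m["host"], m["prog"], m["msg"])


def enrich(rec: Record, assets: dict) -> Record:
    """Attach registry data to a record and flag what the registry reveals."""
    asset = assets.get(rec.host)
    if asset is None:
        # A host sending logs that no sysadmin has claimed.
        rec.flags.append("unregistered host")
        return rec
    rec.contact = asset["contact"]
    rec.ip = asset["ip"]
    if rec.prog not in asset["services"]:
        # A service the owner never listed as expected on this host.
        rec.flags.append("unexpected service")
    return rec


def filter_logs(lines, assets, host=None, prog=None, contact=None) -> List[Record]:
    """The 'front end': parse, enrich, and filter on a few fields only."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        enrich(rec, assets)
        if host and rec.host != host:
            continue
        if prog and rec.prog != prog:
            continue
        if contact and rec.contact != contact:
            continue
        out.append(rec)
    return out


def find_anomalies(lines, assets):
    """(host, program, reason) for every flag raised during enrichment."""
    return [(r.host, r.prog, f) for r in filter_logs(lines, assets) for f in r.flags]


if __name__ == "__main__":
    for rec in filter_logs(SAMPLE_LOGS, ASSETS, contact="bob"):
        print(f"{rec.ts} {rec.host} ({rec.ip}, owner {rec.contact}) {rec.prog}: {rec.msg}")
    for host, prog, reason in find_anomalies(SAMPLE_LOGS, ASSETS):
        print(f"ANOMALY {host} {prog}: {reason}")
```

The owner lookup is what turns a log server into something sysadmins want to use: filtering by contact gives each admin exactly their own machines, and the two flags are the first "more detail" the security team can hand back without doing any legwork.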

A new home

• May 28, 2008

As I have more and more trouble with my hosting company, I find myself doing more of their troubleshooting than working on security projects. I think I might stick with services such as this one for the blog and host the wiki at my house, where I can control the server. Worst case, I create more traffic for my sensors!