My request for the Sourcefire Snort Certified Professional courses/exam, that I posted about earlier, was finally approved, bathed in red tape and finally completed. I received my login information for the courses and certification exam (through vcampus.com). I nervously logged in expecting to see that the account had been created weeks ago, and that I was not going to get the full sixty days; but to my surprise, it was created today! I decided to setup my profile on the vcampus site first, and to my surprise you can change, every aspect of your account, including user name. Being as the original user name and password were sent to me clear text, being able to change them both securely, rocks.

I have not as of yet dived into the course material; I must admit, I’m a little nervous about it. This is the first certification test, that I feel like I am actually going to have to work for. So I am thankful to be able to get the full sixty day period to access the materials.

Extended personal spewing …

Today has been slow a slow day at work … so let’s learn about TCPTrack. What is TCPTrack? It can be defined as a passive network sniffer, that monitors an interface for network connections. More specifically it displays source and destination addresses and ports, connection state, idle time, and bandwidth usage, all in real time. Sure, that sounds a lot like netstat, until you get to the real time part. I love tcptrack for those situations where you are looking for a quick overview of current network connections, and don’t want to have to use something as robust as ntop.

On to the goodness ….

Sourcefire has released snort 2.8.0 as the new stable production release!! So many cool new features. I don’t have time to go into much of them in depth, but I have a little preview for you. If you would like to read the Change Log it is located here.

From: results [] prometric.com
Subject: Test Results
Date: September 21, 2007 11:42:41 AM CDT
To: tre [] trepullins.net

=============================================
Name: Tre Pullins
Name of candidates company (if provided):
Student ID:
Test Title: Ethical Hacking and Countermeasures (CEHv5)
Start time: 9/21/2007 10:20:48 AM (GMT-5:00) (cst)
End time: 9/21/2007 12:42:28 PM (GMT-5:00) (cst)
Passing Score: 70 / 100
Your Score: Pass (81 points)

In part 2 of a behind the scenes look at Sort, we shall begin by looking at barnyard. Barnyard can best be described as the middle man between Snort and it’s database. You are probably saying … Snort has native database support built in (if you compiled it as such), why do I need another application to handle this task?!

The answer is rather simple, alert queuing. In almost every production environment, the database for Snort alerts, are not stored locally on the Snort box. So, if there is a loss of transport, or hardware/database issues, what happens to Snort? It will just stop logging alerts, leaving you with no IDS data for the timespan of the outage. Forensically speaking, this is a horrendously bad idea. This is where barnyard will be your savior; as Snort logs alerts to the local unified files, barnyard will keep track of what has or has not been inserted into the database. Barnyard will continue to store alerts in its queue while checking for database availability, ultimately inserting the queued alerts when the correct resources are available.

Let’s get ready to barnyard it up: