christmas is in the bag

November 28th, 2007

This year, when my wife asked me what I wanted for Christmas, I exclaimed "Wii want to play!!"; and so began the quest for the ever elusive $249 Wii. We both thought it was going to be difficult, if not impossible... until I just randomly stopped by the ghettomart.


It just so happened that they had one! I bought it without even thinking. Karen was mad that I beat her at finding our prey, but she will forget about it over a game of Zelda.


CISSP practice test

November 27th, 2007

For anyone who is thinking about taking the CISSP (like me!), I found a nice site with a practice test for it. It actually doesn't suck, and so far it hasn't tried to con me into paying for anything... yet.

The free practice test is located here. Enjoy.

advanced tcpdump & berkeley packet filters

November 12th, 2007

Today, I would like to introduce you to some of tcpdump's advanced options. If you've ever used tcpdump, you've probably captured traffic off a network interface or examined the contents of an existing pcap file. In its most basic use (sudo tcpdump), all visible network traffic on the primary interface is dumped to stdout. While this makes a great screen saver, it's not very useful. This is the moment at which you begin reading the man page and discover Berkeley Packet Filters (BPF). A BPF expression can be as broad as # tcpdump 'port 80' or # tcpdump 'host and/or host', but there are times when a very specific level of detail is needed. This is where Berkeley Packet Filters become your best friend.


a day of upgrades

November 1st, 2007

Today is the day (since I'm off work) to upgrade my systems to OS X 10.5. I already did a fresh install on my desktop system and all went well there. Right now I am upgrading my mac mini, and I'm a little nervous, I will admit. The mac mini is the heart of my home theater system, so I can't afford to have it out of commission for very long.

What I am really interested in seeing, though, are the new features available in Front Row. As I said, the mac mini is the heart of my home theater, and I use Front Row almost daily. So I am really excited to see the revamped interface, which is supposed to look like the Apple TV interface. I am also excited to see these "new settings" that are available. I will try to put up a post about them tonight, after I finish the upgrades.

For now I will leave you with this… Time Remaining: About 7 minutes – WOOT!

snort decoder and preprocessor rules

October 30th, 2007

I have had an influx of people hitting my site, looking for info on preprocessor rules for Snort 2.8.0. In an earlier post, I made mention of them, but never followed up with any real info about how to implement these rules.

There are a few steps that one needs to perform to make use of the preprocessor and decoder rules in Snort, beginning with compiling support for them into the Snort binary.

When you compile (or recompile) the Snort binary, you will need to pass --enable-decoder-preprocessor-rules to configure in addition to any other options you normally use.

Once you have completed this process, the next step is to edit your snort.conf and add in the appropriate rule path variable.

include $RULE_PATH/preprocessor.rules
include $RULE_PATH/decoder.rules

You will most likely notice that I changed the variable name from $PREPROC_RULE_PATH to $RULE_PATH; not a real big deal. I changed the variable to $RULE_PATH because I include these rule sets in my normal rules directory, and this makes things a little easier to maintain.

The last step is to actually get the preprocessor.rules and decoder.rules files, which are included in the snort-2.8.0 tarball. They are located at snort-2.8.0/preproc_rules. All you need to do at this point is copy the two .rules files to wherever your $RULE_PATH variable points, verify permissions on those files (chown if needed) and restart snort.

If everything went as planned, you should see the following when you restart snort:

++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains…
6175 Snort rules read
5990 detection rules
53 decoder rules
132 preprocessor rules
6175 Option Chains linked into 291 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++
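The steps above (copy the two rule files from the unpacked tarball to the rules directory, add the include lines to snort.conf, check that snort's user can read the files) are easy to get slightly wrong on a re-run, so here is an added example script, not code from the original post or from the Snort project, that does them idempotently. The paths SNORT_SRC and RULE_DIR, the sample rule lines and the minimal snort.conf are all constructed for the demo; the rule syntax follows Snort 2.8's decoder/preprocessor rule format, but the sids and messages are illustrative. The count_rules helper gives you a number to compare against the "53 decoder rules" / "132 preprocessor rules" lines snort prints at startup.

```shell
#!/bin/sh
# Added example (not from the original post or the Snort project): stage the
# Snort 2.8.0 decoder and preprocessor rule files into the rules directory and
# wire the include lines into snort.conf. Assumptions: the tarball is unpacked
# at SNORT_SRC and $RULE_PATH in snort.conf points at RULE_DIR.

# add_include CONF LINE: append LINE to CONF unless it is already there, so the
# script can be re-run after an upgrade without duplicating includes.
add_include() {
    conf="$1"; line="$2"
    grep -qxF -- "$line" "$conf" && return 0
    printf '%s\n' "$line" >> "$conf"
}

# stage_rules SRC DEST: copy preprocessor.rules and decoder.rules from the
# unpacked tarball into DEST and make them readable; snort may drop privileges
# after startup, so the rule files must be readable by that unprivileged user.
stage_rules() {
    src="$1"; dest="$2"
    mkdir -p "$dest" || return 1
    for f in preprocessor.rules decoder.rules; do
        if [ ! -f "$src/preproc_rules/$f" ]; then
            echo "missing $src/preproc_rules/$f" >&2
            return 1
        fi
        cp "$src/preproc_rules/$f" "$dest/$f" && chmod 0644 "$dest/$f" || return 1
    done
}

# count_rules FILE: number of active rule lines (comments and blanks ignored),
# a quick sanity check against the "N decoder rules" line snort prints.
count_rules() {
    awk '!/^[[:space:]]*#/ && NF { n++ } END { print n + 0 }' "$1"
}

# count_includes CONF LINE: how many times LINE appears in CONF (expect 1).
count_includes() {
    grep -cxF -- "$2" "$1" || true
}

# run_demo: build a throwaway tree with constructed sample rule files and a
# minimal snort.conf, then run the three steps. Sets DEMO_CONF and DEMO_RULES.
run_demo() {
    DEMO_ROOT=$(mktemp -d) || return 1
    src="$DEMO_ROOT/snort-2.8.0"
    DEMO_RULES="$DEMO_ROOT/rules"
    DEMO_CONF="$DEMO_ROOT/snort.conf"
    mkdir -p "$src/preproc_rules"
    # Constructed sample files in the Snort 2.8 decoder/preprocessor rule format.
    cat > "$src/preproc_rules/decoder.rules" <<'EOF'
# constructed sample: one decoder rule
alert ( msg: "DECODE_NOT_IPV4_DGRAM"; sid: 1; gid: 116; rev: 1; metadata: rule-type decode; classtype: protocol-command-decode; )
EOF
    cat > "$src/preproc_rules/preprocessor.rules" <<'EOF'
# constructed sample: two preprocessor rules
alert ( msg: "FRAG3_IPOPTIONS"; sid: 1; gid: 123; rev: 1; metadata: rule-type preproc; classtype: protocol-command-decode; )
alert ( msg: "FRAG3_TEARDROP"; sid: 2; gid: 123; rev: 1; metadata: rule-type preproc; classtype: protocol-command-decode; )
EOF
    printf 'var RULE_PATH %s\ninclude $RULE_PATH/local.rules\n' "$DEMO_RULES" > "$DEMO_CONF"

    stage_rules "$src" "$DEMO_RULES" || return 1
    add_include "$DEMO_CONF" 'include $RULE_PATH/preprocessor.rules'
    add_include "$DEMO_CONF" 'include $RULE_PATH/decoder.rules'
    # A second call must be a no-op: the include line is not duplicated.
    add_include "$DEMO_CONF" 'include $RULE_PATH/decoder.rules'
}

run_demo && {
    echo "decoder rules staged:      $(count_rules "$DEMO_RULES/decoder.rules")"
    echo "preprocessor rules staged: $(count_rules "$DEMO_RULES/preprocessor.rules")"
    echo "--- $DEMO_CONF ---"
    cat "$DEMO_CONF"
}
```

Against a real install you would skip run_demo and call stage_rules with your unpacked tarball and rules directory, then add_include against your snort.conf; the demo only exists so the script does something observable offline.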

As always, have fun with it, and I hope you expand on it and learn more on your own!

super hot new banner

October 20th, 2007

My wife Karen kicks so much ass. She designed and created my new banner for me. I couldn’t ask for anything cooler if I tried. pheer.

home network upgrade

October 19th, 2007

I did a little ebaying today and purchased myself a new switch for the home network. I decided it was time to upgrade to a managed layer 2 switch. I will now be able to set up my monitoring gear properly and can retire the inline hub/tap. So what did I get? I picked up an Allied Telesyn AT8000S/16 for $68 with free shipping. woot.


Specs can be nit-picked over below …
