Network Intrusion detection systems have been around for decades. However, going from intrusion detection to intrusion prevention can be scary because false positives can break production systems. In this writeup, I describe how I was able to deploy Palo Alto Networks’ threat prevention in blocking mode in an enterprise environment to help us move our network security closer to zero-trust. I am also publishing the Python script used to make the bulk firewall changes and create the spreadsheet for analyzing threat alerts.

SSL inspection is an amazing technology for empowering network defenders. However, because it can potentially break every single HTTPS connection in your network it’s important to deploy it carefully to avoid major outages. This writeup aims to give a basic overview of SSL inspection and how to deploy it in an enterprise environment to help avoid some of those issues. What is SSL and how does it work? Internet traffic goes through many devices before it reaches its destination.

One of our systems was having a problem that the SNMP health monitoring was unreliable. The vendor blamed it on the SNMP process using too much memory, causing either the system to run out of memory or restart the process. One of the vendor’s articles stated that the system uses Net-SNMP as the SNMP agent. That led me to a question: Could I find and fix the Net-SNMP bugs that were causing problems for us?

One of the more common challenges in the world of incident response is the multitude of tools in an analyst’s toolbox. Pivoting from one tool to another is often slow, with much copy-pasting between their interfaces. For example, when you’re analyzing a website, you might want to check its reputation on Google Safe Browsing or scan it with SSL Labs. Or when examining traffic to a host, you might want to run ping or traceroute to it.

I recently received an email that I needed to schedule an appointment on a website. However, when I attempted to visit the page, Chrome displayed a nasty error message: I had never encountered an ERR_HTTP2_INADEQUATE_TRANSPORT_SECURITY error before and since googling it resulted in all pages that didn’t explain the issue, my next step was obvious: Analyze the traffic with Wireshark! Analyzing the TCP session in Wireshark To prepare for the analysis, I configured my browser to store TLS secrets and Wireshark to read them, so I’d be able to view the plaintext traffic.

I’ve wanted to play with WinAFL since it was released. Here’s how I used WinAFL to fuzz IrfanView v4.57 and find several bugs. Background Fuzzing is testing software for bugs by sending invalid, unexpected, or random data as inputs to a computer program. WinAFL is a fuzzer for Windows which can take a corpus of input files, track which code is executed, and generate new inputs to execute new execution paths.

A common task in incident response is to work backwards from a web request to determine the actions that led to the web request being made. For example, when a user visits a malicious web page, did they reach it from a Google search? A phishing link? Or from somewhere else? To aid in this analysis, I developed a new Wireshark feature called HTTP Request Sequences. HTTP Request Sequences uses HTTP’s Referer and Location headers to graph a PCAP’s HTTP requests as a tree.

This post will go over how I created AppArmor profiles for two of the most well-known programs in the aircrack-ng suite of tools, aircrack-ng and airodump-ng . Installing AppArmor AppArmor is installed by default on Ubuntu. What we’ll need is the apparmor-utils package, which contains the utilities to simplify creating new AppArmor policies. Installing that is as easy as running: sudo apt-get install apparmor-utils Creating your first profile  aircrack-ng We could start with an empty profile, and then refining that until it works.

It’s a beautiful summer day, your daughter just graduated high school, she’s all ready for college and you did your part too – you filed your FAFSA and you’re all excited and supportive about her going to college. And then you get the letter in the mail. Your “Expected Family Contribution” is $30,000 and so she isn’t eligible for any financial aid. But how can you afford to spend $30,000 a year on college when you only make $80,000 and still have three other kids at home?

I thought it would be wise to digitize my family’s collection of home videos stored on VHS. The first step was to try to research existing tools. I had gotten tvtime to display the video, but unfortunately, numerous threads (link) mentioned that there was no way to record from tvtime, and running a screen capture utility would be extremely inefficient. xawtv was mentioned in a few places (link), but it maxed at 384×288 and only supported AVI output, with minimal configuration available.