Jan 28, 2011
New Critical Bug In All Current Windows Versions
New Critical Bug In All Current Windows Versions: "Trailrunner7 writes 'Microsoft is warning its users about a dangerous flaw in the way that Windows handles certain MHTML operations, which could allow an attacker to run code on vulnerable machines. The bug affects all of the current versions of Windows, from XP up through Windows 7 and Windows Server 2008. Microsoft issued an advisory about the MHTML vulnerability, which has been discussed among security researchers in recent days. There is some exploit code available for the bug, as well. In addition to the advisory, Microsoft has released a FixIt tool, which helps mitigate attacks against the vulnerability in Windows.'"
Jan 25, 2011
Best Terminal App, EVAR!
This has to be the best terminal application ever. I don't think I will ever license it either. The picture degradation makes it sooo much more bettuh!
Cathode - Vintage Terminal Emulator
Jan 24, 2011
Apple hires former NSA, Navy analyst as security czar
Apple hires former NSA, Navy analyst as security czar: "In response to calls for increased security from enterprise clients, Apple has hired cybersecurity expert and author David Rice as its director of global security, a new report claims."
Jan 7, 2011
Splunk GEOIP Lookup
Here's a great Splunk feature. Using this query you can see what countries are hammering your boxes and make nice graphs for the boss.
sourcetype="linux_secure" name="Failed Password" | lookup geoip clientip as src_ip | timechart useother=false limit=5 count by client_country
You can easily swap client_country for src_ip in the "by" clause to see the individual source addresses and start dropping the ban-hammer as well.
Jan 6, 2011
Useful Splunk Queries
So we finally have a working, reliable installation of Splunk on site and I am starting to build some useful queries. There is so much information available that it's almost too hard to write a reliable query that returns the information you need (without false positives).
sourcetype="WinEventLog:Security" User Name: "CategoryString=Logon/Logoff" User_Name="administrator" | chart count(eval(Type="Failure Audit")) as "Login Failures" by src_ip
This will give you a nice chart showing a count of Administrator logon failures by source IP.
If you find yourself getting data that you aren't sure is real or should be ignored, I find the best way to be sure is to verify with a known failure or reproduction of the issue to be tracked. In this case, I simply attempted to log in with a bad password and my attempt showed up after a refresh.
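To show what the two Splunk pipelines above actually compute (the GEOIP post's "count by client_country" with "limit=5 useother=false", and this post's count of failed logons for one account "by src_ip"), here is an added Python example that reproduces the same steps over a handful of sshd log lines. It is not code from the original posts or from Splunk; the log lines, the GEOIP table and the probe address are constructed for the example, and the function names are my own.

```python
import re
from collections import Counter

# Constructed sample sshd lines in the syslog format that Splunk's
# linux_secure sourcetype ingests (RFC 5737 documentation addresses).
SAMPLE_SECURE_LOG = """\
Jan  7 10:01:12 web1 sshd[2101]: Failed password for root from 203.0.113.10 port 51022 ssh2
Jan  7 10:01:15 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.10 port 51023 ssh2
Jan  7 10:02:40 web1 sshd[2133]: Accepted password for deploy from 192.0.2.5 port 40111 ssh2
Jan  7 10:03:01 web1 sshd[2140]: Failed password for root from 198.51.100.7 port 33001 ssh2
Jan  7 10:03:05 web1 sshd[2140]: Failed password for root from 198.51.100.7 port 33002 ssh2
Jan  7 10:03:09 web1 sshd[2140]: Failed password for root from 198.51.100.7 port 33003 ssh2
Jan  7 10:04:20 web1 sshd[2150]: Failed password for invalid user oracle from 203.0.113.44 port 60010 ssh2
Jan  7 10:05:00 web1 sshd[2160]: Failed password for root from 192.0.2.99 port 22222 ssh2
"""

# Constructed stand-in for the "geoip" lookup table (clientip -> client_country).
GEOIP_LOOKUP = {
    "203.0.113.10": "Country A",
    "203.0.113.44": "Country A",
    "198.51.100.7": "Country B",
    "192.0.2.99": "Country C",
}

FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src_ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_failed_passwords(log_text):
    """Keep only 'Failed password' lines (the name="Failed Password" filter)
    and extract the user and source IP from each."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            events.append({"user": m.group("user"), "src_ip": m.group("src_ip")})
    return events


def enrich_with_country(events, lookup):
    """Emulate '| lookup geoip clientip as src_ip': add client_country,
    or 'unknown' when the address is not in the table."""
    return [dict(e, client_country=lookup.get(e["src_ip"], "unknown")) for e in events]


def count_by(events, field, user=None):
    """Emulate '... count by <field>', optionally restricted to one account
    (the Windows query's User_Name="administrator" filter)."""
    counts = Counter()
    for e in events:
        if user is None or e["user"] == user:
            counts[e[field]] += 1
    return counts


def top_n(counts, limit=5, useother=False):
    """Emulate chart/timechart 'limit=N useother=...': keep the N largest
    buckets and fold the remainder into OTHER only when asked to."""
    ranked = counts.most_common()
    head, tail = ranked[:limit], ranked[limit:]
    if useother and tail:
        head.append(("OTHER", sum(n for _, n in tail)))
    return head


def verify_with_known_failure(log_text, probe_ip="192.0.2.250"):
    """The sanity check from the post: inject one failure you know about and
    confirm the count for that source goes up by exactly one."""
    probe = f"Jan  7 10:09:00 web1 sshd[2199]: Failed password for root from {probe_ip} port 40000 ssh2\n"
    before = count_by(parse_failed_passwords(log_text), "src_ip")
    after = count_by(parse_failed_passwords(log_text + probe), "src_ip")
    return after[probe_ip] == before[probe_ip] + 1


if __name__ == "__main__":
    failed = parse_failed_passwords(SAMPLE_SECURE_LOG)
    by_country = count_by(enrich_with_country(failed, GEOIP_LOOKUP), "client_country")
    print("failures by country:", top_n(by_country, limit=5, useother=False))
    print("root failures by src_ip:", top_n(count_by(failed, "src_ip", user="root")))
    print("probe surfaced:", verify_with_known_failure(SAMPLE_SECURE_LOG))
```

The "Accepted password" line is dropped by the filter, which is the point of the name="Failed Password" term in the Splunk query: without it the chart would count successful logons too. With useother=false the chart silently hides everything past the top five, so when you use the src_ip variant to decide who to block, run it once with useother=true as well so you can see how much traffic the cut-off is hiding.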