Interesting title, don't you think? But, it is accurate if you think about it. HIDS, or Host Intrusion Detection System/Software, and NIDS, Network Intrusion Detection System/Software, though having the same core purpose (that being Intrusion Detection) are such very different creatures. HIDS looks at events as they relate to the host, or occur on the host. NIDS looks at events as they relate to network traffic.
Example: HIDS will see the syslog events where someone tried logging in via ssh, and is pretty positive that these events occurred. Very fact based, not very subtle. NIDS sees the ssh traffic, and probably wouldn't trigger an event unless the ssh packets are not rfc compliant or an attack pattern is detected in the packets themselves. If NIDS does trigger an event, the event would be somewhat vague and non-committal, and you (the IDS engineer/analyst) would have to do some interpretation and correlation. Note the subtle differences in how each approaches and implements their solutions to the same problem; that being intrusion detection.
I'll leave it up to you, the reader, to decide which variant of IDS fits which gender. It's safer that way...less chance of offending someone's (so-called) politically correct sensibilities. Me personally....I'm a HIDS.
Quite often it can be difficult correlating events from HIDS and NIDS (e.g. He said..., She said...”), let alone other event sources (which we won't go into for this brief discussion). Since HIDS and NIDS look at intrusion detection differently, they are bound to talk about (log) events differently and use differing lingo. You need someone to act as a go-between, and interpreter who understands both languages (HIDS and NIDS), and can make sense out each input (logs) as well as provide an accurate “big picture” of your environment (depending on how many logging sources you have of course). OSSEC-HIDS fits that role quite well. It understands NIDS events, HIDS events, firewall events, and so much more. It's the relationship counselor of intrusion detection. *smile*
Anyone who knows me, knows that somehow I'll find a way to wriggle OSSEC-HIDS into most any conversation. It's one of my favorite open source projects. Perhaps I am somewhat biased in my opinions regarding OSSEC-HIDS, but what I said about it is essentially accurate, though understates the features it brings to any environment. OSSEC is more than an IDS relationship counselor, but it handles that task quite nicely if you ask me.
Tuesday, July 17, 2007
Tuesday, July 10, 2007
Nothing is going to change until I become President of the U.S.
I've often said that nothing is ever going to get fixed, until I am elected President of the United States. Considering the dire straits my country is in (government leadership-wise), I've gotten a bit more curious about what it takes to be able to run for President. So, what are the requirements to become President of the United States?
Answer: The United States Constitution outlines the requirements for President in Article 2. This article of the U.S. Constitution also outlines the powers of the President and Executive branch of government.
Answer: The United States Constitution outlines the requirements for President in Article 2. This article of the U.S. Constitution also outlines the powers of the President and Executive branch of government.
Section 1 of Article 2 of the U.S. Constitution states that a President must:
- Must be a natural born citizen of the United States.
- Must be at least 35 years old.
- Must have lived in the United States for at least 14 years.
Hmmm....well, let's see if I qualify. Yep, I am a natural born citizen of the United States. Yes, sadly enough I am over 35 years of age (though not by much!). And yes, I have lived in the United States for at least 14 years (I've lived in the U.S. my entire life...all 39 years.)
So I guess I do meet the minimum requirements to run for the office of President of the United States. Now all I need is some folks to vote for me. :)
Monday, June 4, 2007
CTF 07 Qualification round has begun.....and ended.
Well, I had intended to blog while the CTF qualification round/weekend was going on. But you see how well that plan worked out. CTF07 quals started Friday (June 1st) night at 10pm eastern (8pm mountain), and ended Sunday (June 3rd) at 10pm eastern (8pm mountain). Our team, “our wives are pissed”, initially ended up in 11th place. Though not bad considering over 200 teams registered for the event, but only the top 7 teams qualify to compete in the actual Capture The Flag competition at DefCon.
About 10:30pm (mountain) Sunday night (right after the quals ended), Syndrowm sent me a text message saying that we were in (we qualified for CTF)! So I ran downstairs (I was upstairs reading) to my laptop to check on the mud, and on irc, to see what the heck happened. Turns out that two of the teams that qualified couldn’t make it or just decided not to compete, so that freed up two slots and put us into 9th place; still not enough to get us “To The Show”. Then we found out that two other teams that had qualified were actually “ghost teams” for other team(s) that had qualified, so they dropped the two ghost teams, which put us in 7th place....enough to qualify us for CTF!
Note: This year’s qualification round was a stone cold bitch. Mad props go out to the folks that put it all together, Kenshoto. I seem to recall many threats of kicking Invisigoth in the shins for *insert category*/*insert question value*. ☺ It was incredibly fun, and incredibly challenging.
Link to the results page: http://www.kenshoto.com/ctf07/quals_final.html
I have a lot of studying and trial/error to do before the actual competition. Time to start hackin’ up my lab network!
About 10:30pm (mountain) Sunday night (right after the quals ended), Syndrowm sent me a text message saying that we were in (we qualified for CTF)! So I ran downstairs (I was upstairs reading) to my laptop to check on the mud, and on irc, to see what the heck happened. Turns out that two of the teams that qualified couldn’t make it or just decided not to compete, so that freed up two slots and put us into 9th place; still not enough to get us “To The Show”. Then we found out that two other teams that had qualified were actually “ghost teams” for other team(s) that had qualified, so they dropped the two ghost teams, which put us in 7th place....enough to qualify us for CTF!
Note: This year’s qualification round was a stone cold bitch. Mad props go out to the folks that put it all together, Kenshoto. I seem to recall many threats of kicking Invisigoth in the shins for *insert category*/*insert question value*. ☺ It was incredibly fun, and incredibly challenging.
Link to the results page: http://www.kenshoto.com/ctf07/quals_final.html
I have a lot of studying and trial/error to do before the actual competition. Time to start hackin’ up my lab network!
Thursday, May 31, 2007
Is Christianity turning into a cult?
That was a thought that came to me this morning as I was reading more news about the Christian fundamentalists' latest fads (things to protest). When I posed that question to my friend Evan, he said "_turning_?.....it started as a cult." And I'm leaning towards agreeing with him.
If Christianity is a cult, and it bears all the signs of being one, then how does it get away with the bad things they do in "God's name" or because "God spoke to them." Didn't they used to lock people in a mental hospital if they said they talked to God? Now they elect those people president (GW Bush said that God talked to him)!
The religious right (not right as in correct, but right as in the opposite of left) has taken over our government. That much is obvious by how much power the Christian fundamentalists have within the upper echelons of the Executive branch. Jerry Falwell was consulted (before he died obviously, but you never know with this administration) on appointees for the Supreme Court. It's been reported that, just on the White House staff, there are over 150 graduates from Pat Robertson's Regent University (aka "a televangelists diploma mill" - Bill Mahr). In fact, Regent claims that over 1/6th of it's graduates are working for the government.
What happened to separation of Church and State? That ideal is no more.....now they are one entity. For every action, there is an equal and opposite reaction; and the action of Christianity infiltrating our government has caused the reaction of the government removing more and more of our civil liberties.
I'll get off of my soap box for now. I didn't really get into the Christianity as a cult bit as detailed as I would like, but I don't have time to write it all up right now. Additionally, I wanted to talk a bit about Al Sharpton, his bigotry, and double-standards, but that would get me entirely too irritated. :) Maybe next I'll talk about the Denver Metro area cops, and their double-standards. Yet another very irritating subject! Have you heard of the book "7 Habits of Highly Effective People"? Well, I wanted to write a book called "7 Habits of Highly Irritated People". :)
If Christianity is a cult, and it bears all the signs of being one, then how does it get away with the bad things they do in "God's name" or because "God spoke to them." Didn't they used to lock people in a mental hospital if they said they talked to God? Now they elect those people president (GW Bush said that God talked to him)!
The religious right (not right as in correct, but right as in the opposite of left) has taken over our government. That much is obvious by how much power the Christian fundamentalists have within the upper echelons of the Executive branch. Jerry Falwell was consulted (before he died obviously, but you never know with this administration) on appointees for the Supreme Court. It's been reported that, just on the White House staff, there are over 150 graduates from Pat Robertson's Regent University (aka "a televangelists diploma mill" - Bill Mahr). In fact, Regent claims that over 1/6th of it's graduates are working for the government.
What happened to separation of Church and State? That ideal is no more.....now they are one entity. For every action, there is an equal and opposite reaction; and the action of Christianity infiltrating our government has caused the reaction of the government removing more and more of our civil liberties.
I'll get off of my soap box for now. I didn't really get into the Christianity as a cult bit as detailed as I would like, but I don't have time to write it all up right now. Additionally, I wanted to talk a bit about Al Sharpton, his bigotry, and double-standards, but that would get me entirely too irritated. :) Maybe next I'll talk about the Denver Metro area cops, and their double-standards. Yet another very irritating subject! Have you heard of the book "7 Habits of Highly Effective People"? Well, I wanted to write a book called "7 Habits of Highly Irritated People". :)
Tuesday, May 29, 2007
Headlines - Storm in Denver Metro Area Hinders CTF Prep!
Ya gotta love Colorado. Just when I was sitting down to access an image we have running of the CTF 05 system, ready to practice more on reversing those services, and a fairly intense storm hits here in Denver. First indication I had that the storm was getting worse was when I lost satellite signal for my TV. No great loss, since there is only crap, and more crap to choose from on daytime television; and I could watch what I had saved in the “Now Playing” area. Something for background noise while coding n whatnot.
Then I lost my Internet connection (DSL). I went down to the “wiring closet” and saw that the DSL modem/router had lost connection to the CO (central office), but it re-established connection while I stood there. Thinking the problem had resolved itself, I went back upstairs to get back to work, but I was still unable to connect to any resources on the Internet! So I restarted everything, all network devices and computers in question. Just to see if that clears the problem.
Time to get back to basics, I broke out ping and traceroute. ☺ I tested connectivity to my router, and had no problems, no drops, excellent ping times (of course...it’s a LAN connection). But when I tested connectivity to my gateway (ISP’s router), the problem becomes apparent:
--- ip.addr.removed ping statistics ---
876 packets transmitted, 733 packets received, 16% packet loss
round-trip min/avg/max/stddev = 36.014/45.059/276.710/25.305 ms
*sarcasm* Awesome...and intermittent problem. My favorite! */sarcasm*
I went back down to the wiring closet to check out the DSL modem, and lo and behold it had lost connection to the C.O. It resync’d while I stood there (again), and a few minutes later the process repeated. *BOING* There goes the Internet connection. Kinda difficult to maintain an ssh connection or three when your Internet bounces like that!
I’ll be back later, hopefully the Internet connection and satellite connections return to stability. Unlike the rest of the household. LOL
##### UPDATE #####
5:30pm: Internet and satellite TV back. w00t.
Then I lost my Internet connection (DSL). I went down to the “wiring closet” and saw that the DSL modem/router had lost connection to the CO (central office), but it re-established connection while I stood there. Thinking the problem had resolved itself, I went back upstairs to get back to work, but I was still unable to connect to any resources on the Internet! So I restarted everything, all network devices and computers in question. Just to see if that clears the problem.
Time to get back to basics, I broke out ping and traceroute. ☺ I tested connectivity to my router, and had no problems, no drops, excellent ping times (of course...it’s a LAN connection). But when I tested connectivity to my gateway (ISP’s router), the problem becomes apparent:
--- ip.addr.removed ping statistics ---
876 packets transmitted, 733 packets received, 16% packet loss
round-trip min/avg/max/stddev = 36.014/45.059/276.710/25.305 ms
*sarcasm* Awesome...and intermittent problem. My favorite! */sarcasm*
I went back down to the wiring closet to check out the DSL modem, and lo and behold it had lost connection to the C.O. It resync’d while I stood there (again), and a few minutes later the process repeated. *BOING* There goes the Internet connection. Kinda difficult to maintain an ssh connection or three when your Internet bounces like that!
I’ll be back later, hopefully the Internet connection and satellite connections return to stability. Unlike the rest of the household. LOL
##### UPDATE #####
5:30pm: Internet and satellite TV back. w00t.
Monday, April 30, 2007
I finally gave in...
...and bought a Nintendo Wii. All I can say so far is WOW. Awesome interface. Actually it’s very easy to use and navigate through the Wii menus and the games themselves. When I bought the Wii, I also purchased Tiger Woods 07. I’ve been a big fan of that line of games (the Tiger Woods golf series) for a few years now; I started with Tiger Woods 2004 for the Xbox, and have gotten the game each year/release every since. The game is so precise that it actually helped improve my own golf game!
More to come later.
More to come later.
Wednesday, April 18, 2007
Twitter no more (not like I did much twittering anyway)
I officially closed my Twitter account. I gave it a go, and decided that wasn’t the way for me (twittering). To be honest, it was very fething boring (if you didn’t catch the Gaunt’s Ghosts reference, you can go here and here for a bit of an explanation).
That leads into my latest (past year or so) favorite reading topic: Warhammer 40,000. I don’t play the game, but I read the novels. The universe is very different in Warhammer 40k. It’s the 41st millennium, and an Emperor has risen to unite mankind, leading from Holy Terra (Earth). I read stories about Gaunt’s Ghosts, Space Wolves, UltraMarines, Imperial Fists, the Eldar, Chaos and demons...everything in the Warhammer 40,000 (40k) universe. Currently I’m reading Flight of the Eisenstein from the Horus Heresy series (this is the 4th book in the series). This is during the 31st millennium, during the Great Crusade after the Emperor of Mankind elevated the primarch Horus to Warmaster, and the Emperor returned to Terra (Earth) to start overseeing the vast empire he has built/conquered. There’s much more to it than that, but I leave it to you (the reader) to do the follow up reading if you are interested.
Well, that’s it for now. Funny how the post started with me closing my Twitter account, and ending with a brief discussion of Warhammer 40k. Ya gotta love ADD, easily distractable. Ooo....Shiny!
*and off I go to some other random task/topic*
That leads into my latest (past year or so) favorite reading topic: Warhammer 40,000. I don’t play the game, but I read the novels. The universe is very different in Warhammer 40k. It’s the 41st millennium, and an Emperor has risen to unite mankind, leading from Holy Terra (Earth). I read stories about Gaunt’s Ghosts, Space Wolves, UltraMarines, Imperial Fists, the Eldar, Chaos and demons...everything in the Warhammer 40,000 (40k) universe. Currently I’m reading Flight of the Eisenstein from the Horus Heresy series (this is the 4th book in the series). This is during the 31st millennium, during the Great Crusade after the Emperor of Mankind elevated the primarch Horus to Warmaster, and the Emperor returned to Terra (Earth) to start overseeing the vast empire he has built/conquered. There’s much more to it than that, but I leave it to you (the reader) to do the follow up reading if you are interested.
Well, that’s it for now. Funny how the post started with me closing my Twitter account, and ending with a brief discussion of Warhammer 40k. Ya gotta love ADD, easily distractable. Ooo....Shiny!
*and off I go to some other random task/topic*
blogger blogger blogger blogger
Dunno why I typed that. Sounded fun to say out loud though.
This is kinda my first foray into blogging. My friend Evan started blogging, but he puts useful information up on his blog. So he kinda motivated me to start (blogging).
As far as format goes, this blog will not be strictly technical info, nor will it just be random ranting by me; it will be a combination of the two....and then some.
“How often will your blog be updated?“ you ask....good question. Answer is: random and sporadic. I have no plans to commit to daily blog updates, nor do I plan to go silent for months. It all depends on my attention span. hahaha
This is kinda my first foray into blogging. My friend Evan started blogging, but he puts useful information up on his blog. So he kinda motivated me to start (blogging).
As far as format goes, this blog will not be strictly technical info, nor will it just be random ranting by me; it will be a combination of the two....and then some.
“How often will your blog be updated?“ you ask....good question. Answer is: random and sporadic. I have no plans to commit to daily blog updates, nor do I plan to go silent for months. It all depends on my attention span. hahaha
Subscribe to:
Posts (Atom)