Fri, 06 Jun 2008
gltail
Just discovered gltail the other day; here's how I got it working for me on Gentoo (mostly so I don't forget!).
Links:
Homepage: http://www.fudgie.org/
Code: http://rubyforge.org/projects/gltail/
sudo emerge -av ruby
sudo emerge -av freeglut
sudo gem install -y ruby-opengl --version 0.40.1
sudo gem install -y net-ssh-1.1.4 gltail-0.1.6.gem
I wrote an ASA parser that's available here: http://gltail.rubyforge.org/svn/trunk/lib/gl_tail/parsers/asafwsm.rb (or whenever that's rolled up into the release).
Posted at: Fri, 06 Jun 2008 | category: /itsec
Wed, 28 May 2008
long race=good
It's interesting that no one is pointing out the fact that a long race for a Democratic candidate is good for the Democrats. <theory> Local elections ride along with the national primaries. So when Dems get out the vote for Obama/Hillary, they also vote for Democratic mayors, secretaries of state, etc. </theory>
So somehow the media was able to figure out this relationship when the gay rights issues brought out the conservative vote and maybe tipped blue states red, but now they've forgotten these relationships?
Posted at: Wed, 28 May 2008 | category: /politics
modrewrite
Got sick of seeing proxy attempts in my logs so I send 'em to disney
<Directory /var/www>
    # rewrite attackers
    RewriteEngine On
    RewriteCond %{REQUEST_URI} ^.*isp_verify.* [NC,OR]
    RewriteCond %{REQUEST_URI} ^.*azenv.php.* [NC,OR]
    RewriteCond %{REQUEST_URI} ^.*yahoo.com.* [NC,OR]
    RewriteCond %{REQUEST_URI} ^.*proxy.* [NC,OR]
    RewriteCond %{REQUEST_URI} ^.*google.com.* [NC,OR]
    RewriteCond %{REQUEST_URI} ^.*myadmin.* [NC]
    # the capture group is what $1 refers to; without it $1 is always empty
    RewriteRule ^(.*) http://www.disney.com/$1 [R,L]
</Directory>
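Before switching a chain like this on, it helps to run the same conditions over real request paths from the site. The following is an added Python check, not part of the original post: it compiles the block's patterns the way mod_rewrite evaluates them (case-insensitive because of [NC], OR-ed together) and reports which conditions each constructed sample path trips, including two ordinary pages the unanchored 'proxy' and 'myadmin' patterns would also redirect.

```python
import re

# The RewriteCond patterns from the <Directory> block above; [NC] makes them
# case-insensitive, and the chain is OR-ed, so any single match fires the rule.
REWRITE_CONDS = [r"^.*isp_verify.*", r"^.*azenv.php.*", r"^.*yahoo.com.*",
                 r"^.*proxy.*", r"^.*google.com.*", r"^.*myadmin.*"]
_CONDS = [re.compile(p, re.IGNORECASE) for p in REWRITE_CONDS]


def matching_conds(uri: str) -> list:
    """Patterns that fire for this REQUEST_URI; an empty list means the request passes."""
    return [p.pattern for p in _CONDS if p.match(uri)]


def audit(uris) -> dict:
    """Map each URI to the conditions it trips, so the rule set can be checked
    against real paths from the site before it goes live."""
    return {u: matching_conds(u) for u in uris}


# Constructed request paths (not from any real log): the first three are what the
# block is aimed at; the next two are ordinary pages that the unanchored 'proxy'
# and 'myadmin' conditions would also send to disney.com.
SAMPLE_URIS = ["/AZENV.PHP", "/isp_verify.php", "/http://www.google.com/search",
               "/blog/2008/05/squid-proxy-howto.html", "/docs/myadmin-guide.html",
               "/index.html"]

if __name__ == "__main__":
    for uri, conds in audit(SAMPLE_URIS).items():
        print(f"{uri:45s} -> {', '.join(conds) or 'passes'}")
```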
I've seen some folks that send 'em to fbi.gov. Wonder if they check their logs?
Posted at: Wed, 28 May 2008 | category: /itsec
Wed, 16 Apr 2008
winevtsysparse
Here is a script to parse your Windows event logs.
Caveats:
they come to you through syslog (evtsys from Purdue, or be prepared to alter the positions of the date/servername/syslog severity and entry)
you're using unix and can tail the syslog files, piping them through this script like so:
tail -q -f /mnt/syslog/domaincontrollerlog.txt | winevtsysparse
I use remark to filter out the cruft like so:
tail -q -f /mnt/syslog/domaincontrollerlog.txt | remark /usr/share/regex-markup/winevtlog | winevtsysparse
where the winevtlog file has entries for things I don't care about like:
#windows event descriptions to ignore:
/Successful Network Logon/ skip
/Service Ticket Request/ skip
/User Logoff/ skip
/Authentication Ticket Request/ skip
/Logon attempt by/ skip
/Privileged object operation/ skip
/Special privileges assigned to new logon/ skip
/Service Ticket Renewed/ skip
/Object Operation/ skip
/Computer Account Changed/ skip
/Set ACLs of members in administrators groups/ skip
/Logon Failure.*An error occurred during logon/ skip
/The master browser has received a server announcement/ skip
Hope it's of use to ya.
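For anyone without remark installed, here is an added Python example (not the post's winevtsysparse script) that does the same two stages in one place: it applies the skip list above, then splits what survives into date, server, source, event ID, severity and text. The evtsys-via-syslog line layout it parses is an assumption, as are the sample lines, which are constructed rather than taken from a real domain controller.

```python
import re
import sys

# The regex-markup 'winevtlog' skip list from the post: a line matching any of
# these is cruft and is dropped before parsing.
SKIP = [re.compile(p) for p in (
    r"Successful Network Logon", r"Service Ticket Request", r"User Logoff",
    r"Authentication Ticket Request", r"Logon attempt by",
    r"Privileged object operation", r"Special privileges assigned to new logon",
    r"Service Ticket Renewed", r"Object Operation", r"Computer Account Changed",
    r"Set ACLs of members in administrators groups",
    r"Logon Failure.*An error occurred during logon",
    r"The master browser has received a server announcement",
)]

# Assumed evtsys-via-syslog layout; adjust the groups if your relay differs, as the
# post warns: "<Mon> <dd> <hh:mm:ss> <server> <source>: <event id>: <severity> <text>"
LINE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) ([^:]+): (\d+): (\S+) (.*)$")


def parse_line(line: str):
    """Split one syslog line into its fields, or return None if it does not fit."""
    m = LINE.match(line.rstrip("\n"))
    if not m:
        return None
    ts, host, source, event_id, severity, text = m.groups()
    return {"time": ts, "host": host, "source": source,
            "id": int(event_id), "severity": severity, "text": text}


def winevtsysparse(lines) -> list:
    """Drop lines matching the skip list, parse the rest, return the kept records."""
    kept = (parse_line(l) for l in lines if not any(p.search(l) for p in SKIP))
    return [rec for rec in kept if rec]


# Constructed sample lines (not a real log): the first and third are noise per the
# skip list; the bad-password failure and the account creation are kept.
SAMPLE = [
    "Apr 16 10:02:11 dc01 Security: 540: AUDIT_SUCCESS Successful Network Logon: User Name: jdoe",
    "Apr 16 10:02:12 dc01 Security: 529: AUDIT_FAILURE Logon Failure: Reason: Unknown user name or bad password User Name: admin",
    "Apr 16 10:02:13 dc02 Security: 529: AUDIT_FAILURE Logon Failure: Reason: An error occurred during logon User Name: svc",
    "Apr 16 10:02:14 dc01 Security: 624: AUDIT_SUCCESS User Account Created: New Account Name: tempuser",
]

if __name__ == "__main__":
    for rec in winevtsysparse(sys.stdin):
        print(f"{rec['time']} {rec['host']} {rec['id']} {rec['severity']} {rec['text']}")
```

Pipe it in where remark and winevtsysparse sit in the command above (tail -q -f file | python3 thisscript.py).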
Posted at: Wed, 16 Apr 2008 | category: /itsec
ipsinline
A simple utility to grab the IP addresses from stdin and spit them out by number, and optionally resolve the DNS name.
Handy for adding to a command line when whittling down data from a firewall, syslog, etc.
examples:
tail -f firewallsyslogfilename | ipsinline --dns    # will print and resolve all IPs it finds in those lines
head -n 10 somefilewithipsinit | ipsinline --head 1 --dns    # will print and resolve only the first IP found in each line
You can get it here
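As an added example (not the ipsinline script itself), here is a Python re-implementation of the behaviour described above: pull dotted quads out of each stdin line with an octet range check, honour --head N, and with --dns reverse-resolve each one, falling back to the bare address when there is no PTR. The resolver is injectable so the sample run is offline; the firewall lines are constructed, not real traffic.

```python
import re
import socket
import sys
from typing import Callable, Iterable, Optional

# A dotted quad that is not part of a longer run such as "1.2.3.4.5" (which would
# otherwise yield bogus addresses); the 0-255 octet range is checked separately.
_IPV4 = re.compile(r"(?<!\d)(?<!\d\.)(\d{1,3}(?:\.\d{1,3}){3})(?!\.?\d)")
_PTR: Callable[[str], str] = lambda a: socket.gethostbyaddr(a)[0]


def extract_ips(line: str, head: Optional[int] = None) -> list:
    """IPv4 addresses found in `line`, in order; `head` mirrors --head N."""
    ips = [m for m in _IPV4.findall(line)
           if all(int(octet) <= 255 for octet in m.split("."))]
    return ips[:head] if head else ips


def resolve(ip: str, lookup: Callable[[str], str] = _PTR) -> str:
    """Reverse-resolve one address (--dns); no PTR means the address is returned as-is."""
    try:
        return lookup(ip)
    except OSError:          # socket.herror / socket.gaierror are OSError subclasses
        return ip


def ipsinline(lines: Iterable[str], head: Optional[int] = None, dns: bool = False,
              lookup: Callable[[str], str] = _PTR) -> list:
    """One row per address found: "<ip>", or "<ip>\t<name>" when dns is set."""
    rows = []
    for line in lines:
        for ip in extract_ips(line, head):
            rows.append(f"{ip}\t{resolve(ip, lookup)}" if dns else ip)
    return rows


# Constructed firewall syslog lines (not real traffic) to run the filter over.
SAMPLE_LINES = [
    "Apr 16 10:02:11 fw %ASA-4-106023: Deny tcp src outside:203.0.113.7/4431 dst inside:10.0.0.5/80",
    "Apr 16 10:02:12 fw %ASA-6-302013: Built inbound TCP connection for outside:198.51.100.9/53122 to inside:10.0.0.5/443",
    "Apr 16 10:02:13 fw image 1.2.3.4.5 loaded, no addresses in this line",
]

if __name__ == "__main__":
    argv = sys.argv[1:]
    head = int(argv[argv.index("--head") + 1]) if "--head" in argv else None
    for row in ipsinline(sys.stdin, head=head, dns="--dns" in argv):
        print(row)
```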
Posted at: Wed, 16 Apr 2008 | category: /itsec
Domain controllers in realtime
Yeah, I'm a geek and I blog about tools. Here's the list of my favs for watching logs in realtime:
Lately I've been working up a script to parse (in realtime) Windows syslog entries sent via evtsys from Purdue that I'll post here when it's stable.
Should be dandy for watching domain controllers in your enterprise.
Posted at: Wed, 16 Apr 2008 | category: /itsec
yim2text
Instant messaging is everywhere. Yahoo IM often logs its messages locally on the hard disk of the computer used when sending the message. The log files are 'encrypted' using a simple XOR. yim2text is a Python script to decode these files and show you the chat logs. Download it here
Posted at: Wed, 16 Apr 2008 | category: /itsec
Fix a corrupt event log
When performing forensics on a machine it's often best to pull the plug rather than perform a normal shutdown. On Windows boxes this can corrupt the event log. To fix this, I once got some good advice from Lance Mueller of Guidance Software:
Here are simple instructions for repairing a "corrupted" (reportedly corrupted) event log. This works with all three common event logs (app, sec, sys). Copy out the event log and use your favorite hex editor:
1. Do a search for \x11\x11\x11\x11\x22\x22\x22\x22
2. Skip 20 from the beginning of the found text (\x11\x11...etc)
3. Copy the next 8 bytes and paste at the beginning of the file, starting at offset 20
4. Goto offset 36 and change value to "8"
5. Save the file
6. Open with Windows Event Viewer (eventvwr.exe)
Worked like a charm for me. I'm posting this here mostly so I don't have to track it down again next time I need it!
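The hex-editor steps above are mechanical enough to script, which matters when there are several logs to repair. This is an added Python version (not from the post or from Guidance Software) that applies steps 1 to 4 to a copied .evt image in memory and refuses to touch a file where the marker cannot be found; build_sample_evt() is a constructed stand-in for a dirty log, not a real event log, and its header layout and values are assumptions for the demonstration.

```python
import struct
import sys

# The marker the recipe searches for: the start of the EVT "end of file" record.
EOF_MAGIC = b"\x11\x11\x11\x11\x22\x22\x22\x22"
HEADER_LEN = 48   # the fixed header that holds the fields the recipe rewrites


def repair_evt(data: bytes) -> bytes:
    """Apply the hex-editor steps to an EVT image held in memory.

    Returns the repaired bytes. Raises ValueError if the marker is missing or the
    file is too short, so a caller never writes back a half-patched log.
    """
    if len(data) < HEADER_LEN:
        raise ValueError("too short to carry an EVT header")
    pos = data.find(EOF_MAGIC)                    # step 1: search for the marker
    if pos < 0 or pos + 28 > len(data):
        raise ValueError("EOF record not found; not a repairable EVT image")
    buf = bytearray(data)
    buf[20:28] = data[pos + 20:pos + 28]          # steps 2-3: skip 20, copy 8 bytes to offset 20
    buf[36:40] = struct.pack("<I", 8)             # step 4: the 4-byte value at offset 36 becomes 8
    return bytes(buf)                             # step 5 (save) is the caller's; step 6 is eventvwr


def build_sample_evt() -> bytes:
    """Constructed stand-in for a log from a pulled plug (not a real file): the
    header bytes 20-27 are stale zeros and offset 36 holds 1, while the EOF record
    at the end carries the values the recipe copies back (0x70 and 0x2A here)."""
    header = struct.pack("<I4s10I", 0x30, b"LfLe", 1, 1, 0x30, 0, 0, 0,
                         0x80000, 1, 0, 0x30)
    body = b"\x00" * 0x40                         # stand-in for the event records
    eof = struct.pack("<10I", 0x28, 0x11111111, 0x22222222, 0x33333333, 0x44444444,
                      0x30, 0x70, 0x2A, 0x01, 0x28)
    return header + body + eof


if __name__ == "__main__":
    # usage: repair_evt.py <copied.evt> <repaired.evt>   (never edit the original)
    with open(sys.argv[1], "rb") as src, open(sys.argv[2], "wb") as dst:
        dst.write(repair_evt(src.read()))
```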
Posted at: Wed, 16 Apr 2008 | category: /itsec