Sunday, January 30, 2011

Sniffing tools, and camera obscura

This Linux Journal article looks at the linux sniffing tools. It looks at the most common sniffing tool, tcpdump, but also has info on a few tools I wasn't familiar with like p0f, which attempts to do passive OS fingerprinting to see what versions of software are on your net and dsniff, which follows network traffic to look inside traffic like mail, web, etc. if you want to create your own wall of sheep.

And while I'm looking at security and unintended shared content, Schneier's blog has a post about unsecured webcams.

Wednesday, January 26, 2011

Some useful commands for the Juniper Netscreen CLI

"dbuf" is the debug output buffer. so "get dbuf str" will show you a stream of debug info, if you're doing a debug flow or something like that. If you need a bigger dbuf buffer, though, you can resize it with the command "set dbuf size ". The default is 32K, but you can make it bigger.

"get session" will show you all the sessions the netscreen is currently handling. For more or less detail, you have the following options:
dst-ip               destination ip address
dst-mac              destination mac address
dst-port             destination port number or range
id                   show sessions with id
ike-nat              show ike-nat ALG info
policy-id            policy id
protocol             protocol number or range
rm                   show sessions for resource management
service              show sessions with service type
src-ip               source ip address
src-mac              source mac address
src-port             source port number or range
tunnel               show tunnel sessions
vsd-id               get vsd-id specified sessions

So you can look at a specific session, or all sessions on a given port, or any number of other ways to drill down to the info you actually want.

Not listed in that set of options, however, is "info". "get session info" will give you the summary of session info that is the first two lines of the full 'get session' output. Useful if you just want to get an overview rather than the full firehose of sessions.

Sunday, January 23, 2011

Speaking of worms...

I made a post the other day about worms without mentioning Stuxnet, which may have hosed the nuclear processing going on in Iran. Current theory is that the worm was a joint US/Israel venture, but there are other theories out there.

There have certainly been other instances of computer worms endangering infrastructure both online and offline:
In 2003, the SQL Slammer worm caused network problems in an Ohio nuclear plant, although there was an analog backup for much of the functionality and furthermore the plant was offline.

Wednesday, January 19, 2011

worms! or, a note on computer security

It's been twenty five years since the release of @Brain, the first PC computer virus.

It wasn't until November of 1988 that the Morris worm[1] ran around the Internet and mucked things up, spurring the creation of CERT.

Trivia: The use of the term "worm" to refer to self-replicating computer worms comes from Brunner's excellent novel "The Shockwave Rider".

[1] When I first encountered the term "RTFM", it was shortly after the worm, and I assumed it meant "Robert T Fucking Morris", which led to a bit of confusion on my part.

Sunday, January 16, 2011

Weekend vacation

Regis is a big slacker who took another weekend off and didn't make a blog post.

Wednesday, January 12, 2011

My 802.1x problem

I straightened out the Windows side of my 802.1x issue (previously discussed here), but was still having problems on the switch side of things.

Basically, the switch would request authentication twice. Which is not just weird but wrong. After a bunch of back and forth with the excellent folks at Cisco tech support, I upgraded the code on the catalyst switch and the aberrant behavior stopped.

Serves me right for running 5 or 6 year old code. :)

Sunday, January 9, 2011


Thanks to metafilter, I found this set of pictures of a data center room from back in the day (late 1960's). It looks like many, if not most, of the computer operators (but not the programmers) were women. Some of that comes from the cultural categorization of that sort of computer operations work as 'clerical'.

I'd like to think that some of it goes back to a number of computer pioneers being women back when "computer" was a job title for a person, not the name of a machine. It looks like the folks are trying to get a documentary made about the women who did the initial programming on the ENIAC, and they're taking donations.

Women keep being part of tech and hacking and history and repeatedly forgotten. Every once in a while there's a spate of stories in media about "OH MY GOD! LOOK! WOMEN NERDS AND WOMEN HACKERS!" And every time, it seems like they're newly discovering it. We're here. We've always been here, and we're *still* here, not just newly arriving. But somehow, we're never quite remembered as having been there.

Never introduced, they never became a part of history. Forty years later, Kathy Kleiman was told that the women in pictures with ENIAC (1946) were "Refrigerator Ladies," models posed in front of the machine.

Back to the present and into the future... The CCC (that's chaos computer club not concourse computer center) is having their conference right now, which led to a wired article I just read about the Haecksen group of women hackers. Yay more women hackers! We're here -- still here, not just newly arrived.

Wednesday, January 5, 2011

Blocking skype with Cisco's NBAR has an old post on how to block skype on a Cisco Router. IOS 12.4(4)T and later include a classification for skype, so you can filter and block it using Cisco's Network Based Application Recognition (aka "NBAR")

The Cisco whitepaper on IOS Flexible Packet Matching and this thread in the Cisco support forums are both likely to be helpful.


About Me

My photo
Regis has worked as a network engineer since 1994 for small companies and for large companies.