https://inliniac.net/blog/category/nsm/ Recent content in Nsm on Inliniac Hugo en Mon, 28 Jul 2014 19:09:07 +0000 https://inliniac.net/blog/2014/07/28/suricata-flow-logging/ Mon, 28 Jul 2014 19:09:07 +0000 https://inliniac.net/blog/2014/07/28/suricata-flow-logging/ <p>Pretty much from the start of the project, Suricata has been able to track flows. In Suricata the term &lsquo;flow&rsquo; means the bidirectional flow of packets with the same 5 tuple. Or 7 tuple when vlan tags are counted as well.</p> <p>Such a flow is created when the first packet comes in and is stored in the flow hash. Each new packet does a hash look-up and attaches the flow to the packet. Through the packet&rsquo;s flow reference we can access all that is stored in the flow: TCP session, flowbits, app layer state data, protocol info, etc.</p> https://inliniac.net/blog/2012/11/29/closing-in-on-suricata-1-4/ Thu, 29 Nov 2012 16:50:15 +0000 https://inliniac.net/blog/2012/11/29/closing-in-on-suricata-1-4/ <p><img src="https://inliniac.net/blog/blog/wp-content/uploads/2012/07/suricata2.png" alt="">I just made <a href="http://suricata-ids.org/2012/11/29/suricata-1-4rc1-available/">Suricata 1.4rc1</a> available with some pretty exciting features: unix socket mode and IP reputation.</p> <p><strong>Unix socket</strong></p> <p>First of all, <a href="https://home.regit.org/2012/09/a-new-unix-command-mode-in-suricata/">Eric Leblond&rsquo;s work</a> on the Unix socket was merged. The unix socket work consists of two parts. The unix socket protocol implementation and a new runmode.</p> <p>The protocol implementation is based on JSON messages over unix socket. Eric will be fully documenting it soon. Currently the commands are limited to shutting down and getting some basic stats. This part isn&rsquo;t very exciting yet, but the groundwork for many future extensions has been laid.</p> https://inliniac.net/blog/2012/02/22/recovering-the-emailusername-in-snorby/ Wed, 22 Feb 2012 15:16:46 +0000 https://inliniac.net/blog/2012/02/22/recovering-the-emailusername-in-snorby/ <p>I use a Snorby setup that comes with Security Onion. Recently I had changed the username, but I couldn&rsquo;t remember what I had set it to.</p> <p>To recover the username, we can look it up in the database, like this:</p> <p><code>mysql -uroot -B -e 'use snorby; select email from users;'</code></p> <p>Thanks to Doug Burks and Dustin Webber for helping me recover it.</p> https://inliniac.net/blog/2007/10/09/friendly-pcap-parsing/ Mon, 08 Oct 2007 22:47:28 +0000 https://inliniac.net/blog/2007/10/09/friendly-pcap-parsing/ <p>Over at his weblog <a href="http://node5.blogspot.com/">node5</a>, William Metcalf has written about a nice script he created for automagically extracting full content data for certain ip&rsquo;s and ip ranges from large amounts of pcap data. It will also create some nice output for the data. Check out his <a href="http://node5.blogspot.com/2007/08/parsep-extend-rangepl-your-friendly.html">post at node5</a> and the <a href="http://doc.bleedingthreats.net/bin/view/Main/PcapParser">script here at bleedingthreats</a>. Great to see you blogging Will! :)</p>