<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0"><channel><title>George Starcher - Latest Comments</title><link xmlns="http://www.w3.org/2005/Atom" rel="http://api.friendfeed.com/2008/03#sup" href="http://disqus.com/sup/all.sup#forumcomments-6e1482a2" type="application/json"/><link>http://georgestarcher.disqus.com/</link><description></description><language>en</language><lastBuildDate>Wed, 02 Dec 2009 16:05:33 -0000</lastBuildDate><item><title>Re: Tutorial - Quartz Composer and Image Units in Xcode</title><link>https://www.georgestarcher.com/?p=254#comment-24630464</link><description>Most likely a hidden character when you cut and pasted. That happens.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">georgestarcher</dc:creator><pubDate>Wed, 02 Dec 2009 16:05:33 -0000</pubDate></item><item><title>Re: Tutorial - Quartz Composer and Image Units in Xcode</title><link>https://www.georgestarcher.com/?p=254#comment-24421750</link><description>If my first post appears, I reloaded the example and this time got everything to pass syntax. Don't know what the error was, but no intervention needed.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Graham Harrison</dc:creator><pubDate>Tue, 01 Dec 2009 04:03:09 -0000</pubDate></item><item><title>Re: Tutorial - Quartz Composer and Image Units in Xcode</title><link>https://www.georgestarcher.com/?p=254#comment-24412331</link><description>I didn't discover this until after I had upgraded to Snow Leopard and, consequently, Xcode 3.2. It was obvious from the beginning that things had changed, minor layout and renames for instance. But on page 5, copying your code brought up everything as being a syntax error.&lt;br&gt;&lt;br&gt;Judicious pruning of multiple double-quotes has fixed most of it, but nothing I have tried will stop it from rejecting the very first line - Kernel vec4 ….&lt;br&gt;&lt;br&gt;I am very new to this, and with little Xcode or Mac coding either, so I don't have a lot of arrows in my quiver. 
I was so pleased to find that such a tutorial existed and to be stopped in my tracks so early is a huge disappointment. If you have had a chance to look at 3.2 I would appreciate a hand.&lt;br&gt;&lt;br&gt;Thanks&lt;br&gt;Graham</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Graham Harrison</dc:creator><pubDate>Tue, 01 Dec 2009 00:09:10 -0000</pubDate></item><item><title>Re: Building a logging VM &#8211; syslog-ng and Splunk</title><link>https://www.georgestarcher.com/?p=269#comment-23276513</link><description>Hi Simon,&lt;br&gt;&lt;br&gt;I knew about the WMI. But in some scenarios folks might not want to get into admin-level credentials, and using Snare to send via syslog eliminates that. Plus it further controls what is sent and thus how much data is indexed by Splunk.&lt;br&gt;&lt;br&gt;I still think using syslog-ng is useful since it can rewrite messages before they get indexed by Splunk and forward to SQL. After someone gets comfortable with Splunk I can see digging into the routing and forwarding syslog native to it for more options.&lt;br&gt;&lt;br&gt;Thanks for the feedback. I really made this to help folks completely unfamiliar with logging have a starting point on both syslog-ng and Splunk. Plus target a simple solution for smaller shops.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">georgestarcher</dc:creator><pubDate>Mon, 16 Nov 2009 20:00:08 -0000</pubDate></item><item><title>Re: Building a logging VM &#8211; syslog-ng and Splunk</title><link>https://www.georgestarcher.com/?p=269#comment-23273430</link><description>George -&lt;br&gt;&lt;br&gt;Simon from Splunk here. Just wanted to clarify a few points. The first is that Splunk can in fact index Windows Event Logs and any sort of "perfmon" metrics via WMI out of the box and very easily. Splunk can also index and "tail" a Windows Registry but that requires Splunk to be running on the box itself.&lt;br&gt;&lt;br&gt;Second, regarding syslog-ng. 
Splunk can pretty much do everything you describe. Splunk can obviously index syslog directly on UDP/514. It can also send syslog back out to other systems if you wanted to. See: &lt;a href="http://www.splunk.com/base/Documentation/4.0.6/Admin/ForwardtosyslogorHTTP" rel="nofollow"&gt;http://www.splunk.com/base/Documentation/4.0.6/...&lt;/a&gt;&lt;br&gt;&lt;br&gt;Splunk can also route data in other formats to other kinds of systems/apps based on pretty much anything in the data. You specify the "sourcetype" and its routing parameters and voila! Check out: &lt;a href="http://www.splunk.com/base/Documentation/4.0.6/Admin/Routedatatodifferentplacesbasedoncontent" rel="nofollow"&gt;http://www.splunk.com/base/Documentation/4.0.6/...&lt;/a&gt;&lt;br&gt;&lt;br&gt;Combining this with Splunk deployment server (centralized config manager) would probably simplify your deployment by leaps and bounds. Remember that our licensing is based on how much data you index in a 24-hour period. We don't count servers, agents, data sources, etc. This is just about leveraging Splunk out-of-the-box awesomeness! ;)&lt;br&gt;&lt;br&gt;Hope this helps.&lt;br&gt;Simon</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">shelston</dc:creator><pubDate>Mon, 16 Nov 2009 19:47:57 -0000</pubDate></item><item><title>Re: Building a logging VM &#8211; syslog-ng and Splunk</title><link>https://www.georgestarcher.com/?p=269#comment-22957784</link><description>I mainly wanted the syslog-ng for the rewriting to compensate on forwarded syslog events where you cannot run by policy, or get to work, the spoof-based forwarding. However, the advantage to hitting it first is the filtering and other log destination options you have should you suddenly want to do that. It becomes just changing syslog-ng config files instead of having to redo all your forwarding setup to wedge it in later. So yeah, Splunk itself can receive all those events on any ports you define. 
But you won't get the extra routing, filtering and relogging with precision.&lt;br&gt;&lt;br&gt;I do actually have Snort with Splunk on the same box. Then I just make that Splunk forward, but not index, to my real Splunk VM I want to do my searches at.&lt;br&gt;&lt;br&gt;In the end you can get way more complex later. But I wanted a nice solid getting-started framework for anyone else fighting the learning curve. From here we can get into forwarding logs from Macs, forwarding Snort via a second Splunk install, etc.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">georgestarcher</dc:creator><pubDate>Fri, 13 Nov 2009 18:55:16 -0000</pubDate></item><item><title>Re: Building a logging VM &#8211; syslog-ng and Splunk</title><link>https://www.georgestarcher.com/?p=269#comment-22957051</link><description>Excellent documentation! So I assume the goal of this configuration was to be able to forward events via syslog or Snare from the remote servers rather than installing Splunk in forwarding mode?&lt;br&gt;&lt;br&gt;Have you run into any limitations by taking this approach vs. Splunk as a forwarder?</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">twitter-28397821</dc:creator><pubDate>Fri, 13 Nov 2009 18:35:49 -0000</pubDate></item><item><title>Re: crowbarDMG - Version 1.0</title><link>https://www.georgestarcher.com/?p=228#comment-22702436</link><description>Dictionaries in a security tool sense are simply text files with one word per line. You can google "password word lists" for example. You can also see another post I made on using an Automator workflow to create a dictionary from various files. 
&lt;a href="https://www.georgestarcher.com/?p=260" rel="nofollow"&gt;https://www.georgestarcher.com/?p=260&lt;/a&gt;&lt;br&gt;&lt;br&gt;The crowbar apps are looking for .txt .pwd or no extension, but all must be plain text files with one password per line.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">georgestarcher</dc:creator><pubDate>Wed, 11 Nov 2009 06:19:11 -0000</pubDate></item><item><title>Re: crowbarDMG - Version 1.0</title><link>https://www.georgestarcher.com/?p=228#comment-22654871</link><description>I cannot seam to get crowbar to open any of the dictionaries on my mac.  Also what is the known extension for the password file?</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">williamroney</dc:creator><pubDate>Tue, 10 Nov 2009 21:01:46 -0000</pubDate></item><item><title>Re: What RSA can learn from Sector and Louisville Infosec</title><link>https://www.georgestarcher.com/?p=265#comment-19719922</link><description>Groovy, I'm hoping next year we get the bigger venue so we can have more people there. :)</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">irongeek_adc</dc:creator><pubDate>Fri, 09 Oct 2009 22:20:59 -0000</pubDate></item><item><title>Re: What RSA can learn from Sector and Louisville Infosec</title><link>https://www.georgestarcher.com/?p=265#comment-19719735</link><description>I love the produced keynote too.  I was thinking more in the following day keynotes.  If they even spotlighted one of our real folks each year that would make a big difference.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">georgestarcher</dc:creator><pubDate>Fri, 09 Oct 2009 22:15:02 -0000</pubDate></item><item><title>Re: What RSA can learn from Sector and Louisville Infosec</title><link>https://www.georgestarcher.com/?p=265#comment-19719702</link><description>No problem man.  You deserve it.  Also, the conference was outstanding. 
I am already telling people I know they need to go next year.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">georgestarcher</dc:creator><pubDate>Fri, 09 Oct 2009 22:14:07 -0000</pubDate></item><item><title>Re: What RSA can learn from Sector and Louisville Infosec</title><link>https://www.georgestarcher.com/?p=265#comment-19719648</link><description>Glad you could make it out to our conference. :) Thanks for helping me get my butt to Defcon, by the way.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">irongeek_adc</dc:creator><pubDate>Fri, 09 Oct 2009 22:12:10 -0000</pubDate></item><item><title>Re: What RSA can learn from Sector and Louisville Infosec</title><link>https://www.georgestarcher.com/?p=265#comment-19709825</link><description>George,&lt;br&gt;&lt;br&gt;Thank you for the kind words about the Louisville InfoSec Conference. I am glad you enjoyed it! We really worked hard to bring in quality speakers. We hope to have video up soon of the presentations on the conference web site.&lt;br&gt;&lt;br&gt;Brian Blankenship&lt;br&gt;Conference Chair</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Brian Blankenship</dc:creator><pubDate>Fri, 09 Oct 2009 20:09:19 -0000</pubDate></item><item><title>Re: What RSA can learn from Sector and Louisville Infosec</title><link>https://www.georgestarcher.com/?p=265#comment-19674865</link><description>Bravo to your blog!&lt;br&gt;&lt;br&gt;I have to say that the RSA keynote spectacle is pretty amazing. Note I said amazing... not really valuable. I find the keynotes at RSA to be more entertainment value rather than informative/take-away type sessions. 
I agree that it would be lovely to see some of the more 'practical' information security speakers headline at RSA, but I do love that we get to enjoy them in the sessions where the setting is much more intimate.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">twitter-15033971</dc:creator><pubDate>Fri, 09 Oct 2009 11:07:13 -0000</pubDate></item><item><title>Re: Wireshark + OSX Leopard</title><link>https://www.georgestarcher.com/?p=248#comment-15250478</link><description>Sorry, but I deleted the blog post you're referencing.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">josh Fuller</dc:creator><pubDate>Sun, 23 Aug 2009 00:21:35 -0000</pubDate></item><item><title>Re: Tutorial - Quartz Composer and Image Units in Xcode</title><link>https://www.georgestarcher.com/?p=254#comment-13756693</link><description>I can't seem to access the tutorial. Are there any mirrors I can try?</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Name</dc:creator><pubDate>Fri, 31 Jul 2009 16:38:42 -0000</pubDate></item><item><title>Re: Tutorial - Quartz Composer and Image Units in Xcode</title><link>https://www.georgestarcher.com/?p=254#comment-12814001</link><description>Core Image filters can also be applied by CoreImageTool!&lt;br&gt;&lt;br&gt;&lt;a href="http://codesnippets.joyent.com/posts/show/1731" rel="nofollow"&gt;http://codesnippets.joyent.com/posts/show/1731&lt;/a&gt;&lt;br&gt;&lt;br&gt;Thanks for the tutorial!</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">jeff</dc:creator><pubDate>Fri, 17 Jul 2009 10:54:43 -0000</pubDate></item><item><title>Re: crowbar and PGP Virtual Disk</title><link>https://www.georgestarcher.com/?p=245#comment-12519289</link><description>To follow up, Rich took my previous PGP Virtual Disk shell script and replaced the key command line with the line he provided above. He had also fed the script a dictionary file made of the permutations of what he felt his passphrase was. 
It worked like a champ. Since then I have also compiled a local copy of crowbar using that command and it works great. I will release a public version once I can come up with a way to select in the GUI the connected disks for attack. That is a LOT harder than you think it would be. Just ask any Mac developer about I/O Kit and watch them run away screaming.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">georgestarcher</dc:creator><pubDate>Sat, 11 Jul 2009 21:59:35 -0000</pubDate></item><item><title>Re: crowbar and PGP Virtual Disk</title><link>https://www.georgestarcher.com/?p=245#comment-12310648</link><description>Hello!!&lt;br&gt;Would it be possible to also allow the command to run on an encrypted volume??&lt;br&gt;&lt;br&gt;The mounting command is...&lt;br&gt;&lt;br&gt;pgpwde --decrypt --passphrase &amp;lt;passphrase&amp;gt; --disk &amp;lt;n&amp;gt;&lt;br&gt;&lt;br&gt;That would be awesome!&lt;br&gt;Thanks :)</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Rich</dc:creator><pubDate>Wed, 08 Jul 2009 09:48:41 -0000</pubDate></item><item><title>Re: crowbarDMG - Version 1.0</title><link>https://www.georgestarcher.com/?p=228#comment-11998587</link><description>crowbar just takes a text file dictionary file and runs through it. If you make your own file, one "word" per line, made of the combinations of the words you know, then yes, I imagine it would work through that fairly quickly.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">georgestarcher</dc:creator><pubDate>Wed, 01 Jul 2009 18:20:34 -0000</pubDate></item><item><title>Re: crowbarDMG - Version 1.0</title><link>https://www.georgestarcher.com/?p=228#comment-11978644</link><description>I know the number of words and what 3 of the words are. 
Will that help reduce the amount of time?</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">venanzio</dc:creator><pubDate>Wed, 01 Jul 2009 10:48:35 -0000</pubDate></item><item><title>Re: Mac and Sleuthkit</title><link>https://www.georgestarcher.com/?p=240#comment-10571567</link><description>Yeah, it is very typical for ports or things in repositories, even in Linux for apt-get or other package managers, to be a little behind. Sometimes a LOT behind. In those cases you need to build it yourself by downloading the source. This post was really about just getting it up and running quickly to start learning the tools in general.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">georgestarcher</dc:creator><pubDate>Sat, 06 Jun 2009 17:38:58 -0000</pubDate></item><item><title>Re: Mac and Sleuthkit</title><link>https://www.georgestarcher.com/?p=240#comment-10559267</link><description>I was actually looking to install Sleuthkit on Mac, but the MacPorts version seems outdated. It's Sleuthkit version 2.09; currently Sleuthkit is at 3.01.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Jimmy</dc:creator><pubDate>Sat, 06 Jun 2009 04:12:21 -0000</pubDate></item><item><title>Re: Mac Forensics - Did he roll the clock back?</title><link>https://www.georgestarcher.com/?p=242#comment-7902624</link><description>Nice job... It goes to show that you should double/triple check your email and attachments before you send them off!! I am sure the student learned his lesson! Black Bag Forensics has a tool that will pull all available metadata as well that includes the inode number.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Paul</dc:creator><pubDate>Mon, 06 Apr 2009 10:00:31 -0000</pubDate></item></channel></rss>