Sans Retraining

Just spreading the word!

This is a fantastic opportunity.

For anyone wanting to get into security who is able to pass the assessments needed to qualify, this will give you a good grounding and set you on the path to a fun career.

I very much enjoy working in security; there is so much to constantly learn, but this is what makes the whole experience fun.

RSA Rules Rig Exploit Kit

The last few days I have seen Rig Exploit Kit traffic on the networks I look after. FireEye has been doing a decent job at picking up the traffic.

There has been a good article written by the SANS Storm Centre that does a far better job than I could of explaining and analyzing the traffic.

So there is quite a simple rule that can be written in RSA to identify this type of traffic.

Your rule can be set up as follows:

query contains 'PrfJxzFGMSUb'

The string has been present in the traffic I have seen on the networks I look after and in various pcaps available. If you look at the strings closely you will see there are several parts of the query that appear to be in common.

So far I have had great success with this effective but simple rule.

Happy Hunting.

RSA Rules MySQL exploit attempt CVE 2016 6662

This rule was written to help identify any exploit attempts against the recently found MySQL vulnerability.

So I have created a rule that contains the following.

MySQL exploit attempt CVE-2016-6662

query contains 'unhex' || query contains '67656e6572616c5f6c6f675f66696c65' || query contains '2e636e66' || query contains '6e6d616c6c6f635f6c6962' || query contains 'global_log_dir' || query contains 'nmalloc_lib' || extension = 'cnf'

I looked at the Snort rules from the Emerging Threats ruleset and looked for the relevant content that could be used to search on in RSA, and this is what I came up with.

This has generated a few false positives based on the hex values, but so far I’m happy with what it has been identifying.
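As an added example (not part of the original post or of RSA), the following Python replays the logic of the rule above over a few constructed query strings: it checks each query in plain text and also decodes any hex runs, since the hex values in the rule are simply the hex encodings of the same plaintext indicators (which is what unhex() would restore). The benign SHOW VARIABLES sample shows the kind of false positive a plain "contains" rule produces.

```python
import re

# Plaintext indicators taken from the rule; the rule's hex values are the
# hex encodings of these same strings.
INDICATORS = ["general_log_file", ".cnf", "nmalloc_lib", "global_log_dir"]

# A run of 8+ hex digits is worth trying to decode (assumption: shorter runs
# are too common in ordinary identifiers to be useful).
HEX_RUN = re.compile(r"[0-9a-fA-F]{8,}")

def decoded_views(query: str) -> list:
    """Return the query itself plus every hex run that decodes to ASCII."""
    views = [query.lower()]
    for run in HEX_RUN.findall(query):
        if len(run) % 2:          # odd length cannot be whole bytes
            continue
        try:
            views.append(bytes.fromhex(run).decode("ascii").lower())
        except (ValueError, UnicodeDecodeError):
            continue              # not printable text, e.g. a real hash
    return views

def matches_rule(query: str) -> list:
    """Indicators that fire for this query, in plain or hex-encoded form."""
    hits = set()
    for view in decoded_views(query):
        for indicator in INDICATORS:
            if indicator in view:
                hits.add(indicator)
    return sorted(hits)

# Constructed sample queries: one hex-encoded, one plain text from a benign
# admin command (a false positive), one unrelated hex literal (no match).
SAMPLES = [
    "SELECT unhex('67656e6572616c5f6c6f675f66696c65')",
    "SHOW VARIABLES LIKE 'general_log_file'",
    "SELECT id FROM t WHERE h = 'deadbeefcafe'",
]

if __name__ == "__main__":
    for q in SAMPLES:
        print(matches_rule(q) or "-", "<-", q)
```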

Sans 503 Certified!

In what feels like a long time coming, I passed the SANS 503 exam today. One thing I learned is that my index could have been better. How I set it up and thought it would help me was not really the case. I started off really well, being able to find and rely upon my index to help me out in the areas where I needed to check my books, just to confirm my answers. 30 questions in I’m at 96%, so far so good. 90 questions in, 84% – still good at this point; more than half way, I’m feeling confident and have about 2 hours left.

Then I seemed to have several questions based on information I could not find in my index, and on areas that are weaker for me, like DNS. My impression was that as soon as it discovered a weaker area, you would be asked several questions in this area – at least that is how it felt.

If I had studied for other SANS exams before this one, I would have been able to create a better index and no doubt scored a better mark. All things considered, this is my first certification in many years and I’m happy that I have passed with 77%; not the score I was aiming for, but towards the end all I wanted to do was finish those questions and get out of there.

I have the 401 exam booked for 4 weeks’ time, so I now need to create my index for this one. With it being an easier exam content-wise, and with the experience gained from this one, I should hopefully be able to score very well.

Time will tell.

SANS 503 Certification Time – or so I hope!

Tomorrow I have my SANS 503 exam. I’ve prepared as best I can, but feel I could do better. My original goal was to attempt to achieve more than 90%; however, I do not feel that this is attainable anymore. I’m confident I will pass, but not achieve my initial goal.

I took a test exam today so I would be in the right frame of mind and could get some last-minute revision on the areas that need strengthening. I scored 80%, so I am now going to focus on those that let me down, and hopefully it goes well.

What I have realised is that I spent the last couple of months indexing the books, and found that I hardly used them at all. The most important thing for me was my cheat sheets for the headers. These are invaluable and I can very much recommend them. I need to make a Snort cheat sheet for the configuration side of things; I’m more than happy with the rules, but I was thrown off when I was asked configuration questions, so that is what I am doing this evening!

On a few other occasions I did reference the book, re-read a section and then answered the question, only to still get it wrong. I guess the moral is that you need to know the content, rather than rely on the book to give you the answer.

This is my first SANS exam, and it’s invaluable lessons learned for future exams. I have the 401 scheduled for a month’s time, and at the very least I can take what I have learned from this index and use it for my next one.

Anyhow, back to the last few steps of preparation!

IP Header

I’m putting up this update in order to help myself reinforce my knowledge by writing about the subject; hopefully I will gain a greater understanding!

No doubt you will have come across this image of the IP header. I find it the easiest one to read, as it breaks up and explains the header fields quite nicely.

So before we can analyze and understand the information in the IP header, we need to know what these fields are or represent.

Protocol Version (4 bits) – This is the first field in the IP header and tells us which version of the protocol is being used. Predominantly you will see the value 4 in this field, which tells us that we are using IPv4.

Header Length (4 bits) – The length of the IP header, in 32-bit words. This again has a “normal” value of 5; however, if any IP options are present this value will be larger, as the IP header length will then exceed the standard 20 bytes. The largest the header can be is (15 * 32) 480 bits or 60 bytes, and the minimum is (5 * 32) 160 bits, i.e. (5 * 4) 20 bytes.

Type of Service or ECN (8 bits) – This field is rarely populated, and requires the routers along the path to support the same functionality for these services to take effect.

Total Length (16 bits) – The total length of the IP datagram (header plus data) in bytes. As the header length field gives the length of the header and this field gives the total length, we can calculate both the length of the data and where it starts. The maximum size an IP datagram can be is 65535 bytes.

Identification (16 bits) – Used to uniquely identify IP datagrams. This value is incremented every time an IP datagram is sent from the source to the destination, and it is used for the reassembly of fragmented IP datagrams.

Flags (3 bits) – The first bit is reserved. The next bit is DF – Don’t Fragment: when this flag is set the IP datagram is never fragmented, and if the need to fragment the datagram arises it is dropped instead.

The third bit is MF – More Fragments: if this is set it means that further fragments make up the IP datagram. On the last fragment of a datagram this bit is clear, which is what marks it as the final fragment.

Fragment Offset (13 bits) – If the IP datagram has been fragmented, this field contains the offset (in 8-byte units) of this fragment from the start of the original datagram; it is used for the reassembly of the fragmented IP datagrams.

Time to Live (8 bits) – The number of hops the IP datagram will pass through before being discarded. The initial value is usually dependent on the originating OS; as the packet traverses each “hop” the TTL value is decreased by one until it reaches its final destination, and if the value reaches zero the packet is discarded.

Protocol (8 bits) – This identifies the transport layer protocol that handed the data to the IP layer.

Header Checksum (16 bits) – This value is calculated using an algorithm covering all the fields in the header. The value is calculated and stored in the header when the IP datagram is sent from the source to the destination. At the destination the checksum is calculated again and verified against the checksum in the header. If the two values match, the header has not been corrupted in transit!

Source and Destination IP (32 bits each) – These hold the source and destination IP addresses.

Options – If any IP options are present they are carried in this field.

Data – Finally we have the data field.
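To put the fields above into practice, here is an added example (not code from the original post): Python that builds a constructed 20-byte IPv4 header plus a few bytes of payload, then parses it back field by field, verifies the header checksum the way the destination host does, and derives the data length from Total Length minus Header Length. The addresses, identification value and payload are made up for the sample.

```python
import struct

# Constructed sample values (not from any real capture).
PROTO_NAMES = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP"}
IPV4_FMT = "!BBHHHBBH4s4s"   # the 20-byte fixed header, network byte order

def ip_checksum(header: bytes) -> int:
    """RFC 791 checksum: one's-complement of the one's-complement sum of
    the header's 16-bit words. Run over a header that already contains its
    checksum, a valid header yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_sample() -> bytes:
    """20-byte header (IHL=5, no options), DF set, TCP, 4 bytes of payload."""
    ver_ihl = (4 << 4) | 5
    flags_frag = (0b010 << 13) | 0          # reserved=0, DF=1, MF=0, offset 0
    payload = b"\xde\xad\xbe\xef"
    hdr = struct.pack(IPV4_FMT, ver_ihl, 0, 20 + len(payload), 0x1C46,
                      flags_frag, 64, 6, 0,          # checksum 0 while computing
                      bytes([192, 168, 1, 10]), bytes([10, 0, 0, 5]))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload

def parse_ipv4(pkt: bytes) -> dict:
    """Decode the header fields described above and check the checksum."""
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, csum, src, dst) = struct.unpack(IPV4_FMT, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4              # header length in bytes
    return {
        "version": ver_ihl >> 4,
        "header_len": ihl,
        "total_len": total_len,
        "id": ident,
        "df": bool(flags_frag & 0x4000),
        "mf": bool(flags_frag & 0x2000),
        "frag_offset": (flags_frag & 0x1FFF) * 8,   # 13 bits, 8-byte units
        "ttl": ttl,
        "protocol": PROTO_NAMES.get(proto, str(proto)),
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
        "checksum_ok": ip_checksum(pkt[:ihl]) == 0,  # covers options too
        "data_len": total_len - ihl,
    }
```

Running parse_ipv4(build_sample()) reports a 20-byte header, a 24-byte datagram, TTL 64, protocol TCP and a valid checksum; flipping any header byte makes checksum_ok False.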

IP Header Fundamentals

The IP protocol is one of the main protocols in the TCP/IP stack. All TCP, UDP, ICMP and IGMP data travels over the network in the form of IP datagrams.

The application layer sends the data (to be transferred to the remote destination) to the transport layer. The transport layer puts its header at the beginning and sends the complete packet (TCP-header + app-data) to the IP layer. The IP layer prepends its header to the data received from TCP (TCP = TCP-header + app-data).

So now we have an IP datagram which is IP-header + TCP-header + app-data.

The IP datagram is then passed to the Ethernet layer, which adds its own header to the IP datagram and then transmits it over the network.

On the destination host, the same process happens except in reverse, as the packet goes back through the stack to the application layer, each of the headers from the previous layer is removed.

Sounds a bit confusing? In short, each layer adds its own header; hopefully a diagram will clear up any issues.


Now that we hopefully have a basic understanding, I will add in an example which will put some of this knowledge into practice.

Nine Inch Nails and Gary Numan

I’m currently studying for the SANS 503 certification and have my exam coming up shortly. It has made me realise that I have never been an academic type! I really do find the studying or reading through text books laborious. So I will get there…eventually.

I’m more of a hands-on guy; give me a task or something to figure out and I will happily go off and do it without any kind of instructions. I will figure it out myself or use some type of resource (Google) to find partial answers and put the rest together in my head; this is how I finally worked out how to teach myself.

Studying is not for me.  So I need something to break up the monotony of study.  So I have to take frequent breaks, and listen to some music.

I’ve always been partial to Nine Inch Nails and can relate to so many of the songs. It’s pretty amazing: they have been around since I was like 12 or so and are still going strong today, making music that I still like and can relate to.

Amazing song and performance!

Hex and Binary

I intend to build up this guide into a series of more complex “lessons” so eventually we can read packets as they are on the wire and you will be able to interpret what you are seeing without too much difficulty.

Time to start with the basics. In order to understand and read packets, we need to know the fundamentals. How do computers and networks communicate? Essentially by binary and hexadecimal: a series of zeros and ones, and the numbers 0 to 9 with the letters A to F.

When I was taught this in school, some 20-ish years ago, I honestly found it a bit complicated, but looking back it was only complicated due to the way it was taught. Hopefully this methodology is simple for you to understand.

Counting in binary is not too difficult, the values can only be a 0 or a 1, an off or on value.  However what the off or on values represent is the important ‘bit’.

You essentially have 8 bits in a byte and this makes binary reasonably straightforward. For counting I find it best to create a quick table; this allows me to count visually, rather than attempting to work out everything in my head.


Individual Goals

These past few weeks or so I’ve been taking a long hard look at myself and what I have accomplished and achieved so far. I’ve come to the conclusion that, even though I would consider myself reasonably happy with where I am at (professionally), I could be doing so much more.

I enjoy the career path I chose to follow, and I would say that I am pretty good at it, simply because of the very fact that I enjoy it and see it as more than just a job that pays the bills. However, with that said, I do not believe I have done as much as I could and should be doing to help myself. Whereas up until this point I thought I was doing a good job in that area, I came to the conclusion that I can be doing so much more, and this is only going to exponentially increase my knowledge and growth rate, if I follow a few simple steps!

Step one is to read, and read a lot of books. So I am going to make the effort to read a hell of a lot more books; in the last week alone I have read 3 books, well 2 and a half, as I am still reading the 3rd.

Spam Nation by Brian Krebs – This was a good read and very interesting, about the spam emails that we all receive and hate. What I really enjoyed about it is the fact that I can relate to and recall seeing all those damn emails in my inbox, as I still have my old ntlworld email address, which is around 15 years old and still receives a crazy amount of spam!

The Dark Net by Jamie Bartlett – I started off the first several chapters and was enjoying this book; however, the last half of the book was not about the dark net at all. It covered areas such as how people make money from cam websites and the like, not really interesting and a bit misleading, but overall a decent read.

We Are Anonymous by Parmy Olson – I am several chapters into this book and I’m really enjoying it so far, a good bit of insight into the Anonymous group, how they started and what they stand up for.

I’m now at the point where I am making a far greater effort to educate myself and have fun doing it. I have grand plans for myself in the immediate future; it currently feels that I do not have enough time to implement these changes in my life, but I just know I will get there, and turn this site into something which will hopefully be beneficial to others!

In with the New

A site revival…Again.

So over the years I’ve had this domain name and have used it as some type of blog, with no real structure or thought as to what I am using it for. However, one thing it has been is beneficial: I’ve helped myself and others at some point with posts or updates on issues and bugs that I have come across.

So I’m going to carry that on, but now in a slightly different direction, in the wonderful and ever changing world of Security.

I’m currently studying for the SANS 503 GCIA and SANS 401 GSEC certifications, and will be taking the 503 exam early next year. Part of this blog will help me reinforce my knowledge, as I have discovered that we can generally understand things reasonably well in our own head, but when we have to explain or talk about what we believe we understand to others, we soon realise that we do not know the subject as well as we thought!

Anyhow, I’ve made myself get this update out there, and will be making changes and adding more content going forward; hopefully this will be of some use to others as time goes by. It’s 5:30am and I have not slept yet…my sleep pattern is currently messed up, no fun!