SANS Retraining

Just spreading the word!

This is a fantastic opportunity.

For anyone who wants to get into security and is able to pass the assessments needed to qualify, this will give you a good grounding and set you on the path to a fun career.

I very much enjoy working in security; there is so much to constantly learn, but this is what makes the whole experience fun.

RSA Rules Rig Exploit Kit

The last few days I have seen Rig Exploit Kit traffic on the networks I look after. FireEye has been doing a decent job of picking up the traffic.

There has been a good article written by the SANS Storm Centre that does a far better job than I can of explaining and analysing the traffic.

So there is quite a simple rule that can be written in RSA to identify this type of traffic.

Your rule can be set up as follows:

query contains 'PrfJxzFGMSUb'

The string has been present in the traffic I have seen on the networks I look after and in various pcaps available. If you look at the strings closely you will see there are several parts of the query that appear to be in common.
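As an added example (not from the original post), here is the same condition applied offline in Python to a few constructed proxy log lines. The RSA `query` meta key corresponds to the part of the URL after the `?`, so the indicator is tested only against that component; the log line format and the hostnames are assumptions.

```python
from urllib.parse import urlsplit

# Indicator string taken from the rule above; the RSA rule tests it against
# the 'query' meta key, i.e. the part of the URL after '?'.
RIG_QUERY_INDICATOR = "PrfJxzFGMSUb"

# Constructed sample proxy log lines (not real traffic), assumed format:
# "<timestamp> <client-ip> <method> <url>"
SAMPLE_PROXY_LOG = """\
2017-03-01T10:01:02Z 10.0.0.5 GET http://www.example.com/index.html
2017-03-01T10:01:05Z 10.0.0.5 GET http://hypothetical-landing.example/?PrfJxzFGMSUb=abc&x=1
2017-03-01T10:01:09Z 10.0.0.7 GET http://www.example.com/PrfJxzFGMSUb/page.html
2017-03-01T10:01:12Z 10.0.0.9 POST http://hypothetical-gate.example/go?id=9&k=zzPrfJxzFGMSUbzz
"""


def query_contains(url: str, needle: str) -> bool:
    """Mirror the RSA condition `query contains '<needle>'`: only the query component is tested,
    so the indicator appearing in the path (third sample line) does not match."""
    return needle in urlsplit(url).query


def find_rig_hits(log_text: str, needle: str = RIG_QUERY_INDICATOR) -> list:
    """Return (timestamp, client_ip, url) for every line whose URL query contains the indicator."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip empty or malformed lines
        timestamp, client_ip, _method, url = parts[:4]
        if query_contains(url, needle):
            hits.append((timestamp, client_ip, url))
    return hits


if __name__ == "__main__":
    for ts, ip, url in find_rig_hits(SAMPLE_PROXY_LOG):
        print(f"{ts} {ip} matched Rig EK query indicator: {url}")
```

Running it flags the second and fourth sample lines only; the third line carries the string in the path, which the `query` condition deliberately ignores.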

So far I have had great success with this effective but simple rule.

Happy Hunting.

In with the New

A site revival…Again.

So over the years I’ve had this domain name and have used it as some type of blog, with no real structure or thought as to what I am using it for. However, one thing it has been is beneficial: I’ve helped myself and others at some point with posts or updates on issues and bugs that I have come across.

So I’m going to carry that on, but now in a slightly different direction, in the wonderful and ever changing world of Security.

I’m currently studying for the SANS 503 GCIA and SANS 401 GSEC certifications, and will be taking the 503 exam early next year. Part of this blog will help me reinforce my knowledge, as I have discovered that we can generally understand things reasonably well in our own heads; however, when we have to explain or talk about what we believe we understand to others, we soon realise that we do not know the subject as well as we thought!

Anyhow, I’ve made myself get this update out there, and will be making changes and adding more content going forward; hopefully this will be of some use to others as time goes by. It’s 5:30am and I have not slept yet…my sleep pattern is currently messed up, no fun!