Category: News

Introducing The Open Event Log Project

The Open Event Log (OEL) Project was conceived by Andrew Hay in May 2006 as a repository for system, server and application event logs to aid in incident response and forensic analysis. Many tools are now available to assist the analyst in interpreting event logs, but a better understanding of the logs themselves, along with samples, was lacking. Most vendors post their event log specifications, but it helps to have a central location that displays samples of these logs.

The ultimate goal of this site is to educate users on proper event log collection and analysis techniques, which goes hand in hand with our motto: “No log left behind!”

Please note that this site has no corporate backing, in order to remain as independent as possible.

Each device/application will display the following information to help the community:

  • Log Sample
  • Log Description
  • How To Enable Logging
  • Regular Expression Matching

An example of this format can be seen with the Juniper NetScreen entry here: http://www.openeventlog.com/index.php/Juniper_NetScreen
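To show how the four parts of an entry fit together in practice, here is an added example (not code or content from the OEL project, and not the Juniper NetScreen format): a constructed entry holding a log sample, a description and a regular expression with named groups, plus a parser that applies the regex to a handful of constructed syslog-style lines and reports anything it could not match. Unmatched lines are kept rather than silently dropped, because a parser that discards what it does not understand is exactly how logs get "left behind".

```python
import re
from typing import Optional

# A constructed OEL-style entry. The firewall log format below is invented
# for this example; it is not the Juniper NetScreen format or any real entry.
ENTRY = {
    "description": "Firewall connection record over syslog (constructed sample)",
    "sample": "Apr 24 10:15:32 fw01 fw: deny src=192.0.2.10 dst=198.51.100.5 proto=tcp dport=22",
    "regex": re.compile(
        r"^(?P<timestamp>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
        r"(?P<host>\S+) fw: (?P<action>allow|deny) "
        r"src=(?P<src>\d{1,3}(?:\.\d{1,3}){3}) "
        r"dst=(?P<dst>\d{1,3}(?:\.\d{1,3}){3}) "
        r"proto=(?P<proto>\w+) dport=(?P<dport>\d+)$"
    ),
}

# Constructed log lines, including one the entry's regex should not match.
LOG_LINES = [
    "Apr 24 10:15:32 fw01 fw: deny src=192.0.2.10 dst=198.51.100.5 proto=tcp dport=22",
    "Apr 24 10:15:33 fw01 fw: allow src=192.0.2.11 dst=198.51.100.5 proto=tcp dport=443",
    "Apr 24 10:15:34 fw01 fw: deny src=192.0.2.10 dst=198.51.100.6 proto=tcp dport=22",
    "Apr 24 10:15:35 fw01 fw: deny src=192.0.2.12 dst=198.51.100.5 proto=tcp dport=3389",
    "Apr 24 10:15:36 fw01 kernel: link up on eth0",
]


def parse_line(line: str, entry: dict = ENTRY) -> Optional[dict]:
    """Return the named fields if the line matches the entry's regex, else None."""
    m = entry["regex"].match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["dport"] = int(fields["dport"])
    return fields


def check_entry(entry: dict = ENTRY) -> bool:
    """Sanity check a contributor can run: the entry's own sample must match its regex."""
    return parse_line(entry["sample"], entry) is not None


def summarize(lines):
    """Count denied connections per destination port; keep unparsed lines for review."""
    denies = {}
    unparsed = []
    for line in lines:
        fields = parse_line(line)
        if fields is None:
            unparsed.append(line)
            continue
        if fields["action"] == "deny":
            denies[fields["dport"]] = denies.get(fields["dport"], 0) + 1
    return denies, unparsed


if __name__ == "__main__":
    print("entry self-check:", check_entry())
    denies, unparsed = summarize(LOG_LINES)
    print("denies per dport:", denies)
    print("unparsed lines:", unparsed)
```

The self-check in `check_entry` is the useful habit here: whenever a sample or regex on an entry is edited, confirm the two still agree before relying on the pattern in a collector.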

I’d appreciate any feedback you might have and invite you to contribute as much as possible.

SANS IP Packet Analysis Class in Fredericton, NB, Canada

On Tuesday, April 24th, 2007 I will be presenting the SANS SECURITY 452 StaySharp: IP Packet Analysis track here in Fredericton, New Brunswick, Canada.

Knowing how to decode network traffic with tools is a necessary skill for any serious network or information security administrator. Being able to decode the bits and bytes that represent our mission-critical networks gives you the skills to identify malicious activity, troubleshoot network failures, and analyze other desirable or undesirable network events.

This Stay Sharp class will give you the basic skills to decode network traffic with open-source tools available for Unix and Windows systems. You’ll be able to use these basic skills to analyze current or future network protocols and gain a better understanding of your network traffic.
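As an added illustration of the "bits and bytes" decoding the class is about (this is my example here, not course material), the following Python decodes the fixed IPv4 header from a constructed packet and recomputes the RFC 791 header checksum. The packet bytes are made up for this example; the second, tampered copy shows that a single changed byte (the TTL) is caught by the checksum, which is the kind of consistency check an analyst wants a decoder to make rather than trusting every field it reads.

```python
import struct
import ipaddress

PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

# Constructed IPv4 packet: 20-byte header (checksum 0x3247 precomputed for
# these fields) followed by a 20-byte zero payload. Not a captured packet.
SAMPLE_PACKET = bytes.fromhex(
    "4500 0028 1c46 4000 4006 3247 c000 020a c633 6405"
) + b"\x00" * 20

# Same packet with the TTL byte (offset 8) changed from 0x40 to 0x41 and the
# checksum left alone, so the checksum should no longer verify.
TAMPERED_PACKET = SAMPLE_PACKET[:8] + b"\x41" + SAMPLE_PACKET[9:]


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of the 16-bit words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_ipv4(packet: bytes) -> dict:
    """Decode the IPv4 header fields and report whether the checksum verifies."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the minimum IPv4 header")
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version = ver_ihl >> 4
    ihl = (ver_ihl & 0x0F) * 4  # header length in bytes, including options
    if version != 4:
        raise ValueError("not an IPv4 header (version %d)" % version)
    if ihl < 20 or ihl > len(packet):
        raise ValueError("invalid IHL %d for packet of %d bytes" % (ihl, len(packet)))
    header = packet[:ihl]
    # Recompute over the header with the checksum field itself zeroed.
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    return {
        "version": version,
        "ihl": ihl,
        "tos": tos,
        "total_length": total_len,
        "id": ident,
        "df": bool(flags_frag & 0x4000),
        "mf": bool(flags_frag & 0x2000),
        "frag_offset": (flags_frag & 0x1FFF) * 8,
        "ttl": ttl,
        "protocol": proto,
        "protocol_name": PROTOCOL_NAMES.get(proto, "other"),
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "checksum_ok": ipv4_checksum(zeroed) == csum,
        "payload": packet[ihl:total_len],
    }


if __name__ == "__main__":
    for name, pkt in (("sample", SAMPLE_PACKET), ("tampered", TAMPERED_PACKET)):
        d = decode_ipv4(pkt)
        print(name, d["src"], "->", d["dst"], d["protocol_name"],
              "ttl", d["ttl"], "checksum_ok", d["checksum_ok"])
```

Only the IP layer is decoded; the payload slice is returned untouched so a TCP or UDP decoder can be layered on top in the same style.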

Who should attend this course?

  • IDS, firewall, and network administrators looking to learn packet decoding skills
  • Analysts looking to learn new techniques in packet analysis
  • Network administrators and operations professionals seeking a deeper understanding of network analysis techniques

If you live in Fredericton, or the surrounding areas, and want to know more about this training session, then please take a look at the following links:

Also, if you’d like to learn more about the instructor (me) then please check out my About page and Resume. I look forward to seeing everyone there!

Hacker Breaks Into Website of Canadian Nuclear Agency

As reported by the Ottawa Citizen, and numerous other sources, a hacker attacked the Canadian Nuclear Safety Commission website, littering it with dozens of photographs of a nuclear explosion and raising concerns about the security of information held by the nuclear watchdog agency.

There is no excuse for any government funded agency in Canada to be susceptible to an attack of this nature. The Communications Security Establishment (CSE) offers training to all levels of government, certifies products, and also conducts research and development on behalf of the Government of Canada in fields related to communications security.

I’ve assisted the CSE during their evaluation of a product and they were very thorough in their evaluation process. Not only do they follow their defined test plan to ensure proper validation, they also create “free form” scenarios in an attempt to make the device do something unexpected, like removing key values from configuration files to see what happens.

This attack leads me to believe that the defacement of this website was due to a breakdown in process. The developers of the website, either internal developers or consultants, did not perform adequate validation of their code to ensure security. The project officer who signed off on the completion of the project should ultimately be held responsible for this breach. Part of their project goals should have been a complete inspection of the final product with respect to security using publicly available Government of Canada Publications published by the CSE.

I can’t help but think what a huge problem this breach would have been had this been anything more than a simple website defacement.
