Every now and then it's good to get back to one's geek roots and learn a new technology or two. I've been spending my Christmas and New Year's break learning two new controls. First, I've been playing with Sguil, a console-based system for Network Security Monitoring, a concept that security professional Richard Bejtlich is a big supporter of. Richard has a tremendous amount of experience in this field, so I really respect his opinion. What I like about this tool is that it works on the assumption that alerts from IDS solutions such as Snort are only an indication that something is wrong. Sguil bundles the rest of the tools necessary to quickly dig into the details of specific alerts, including session analysis and pcap analysis. This allows you to learn more about events and truly confirm what happened. Version 0.7 is due out in February and I look forward to playing with this updated tool. One big downside is that the installation and configuration process is very time consuming and complicated. However, the new version appears to address these issues. I applaud the team's Open Source efforts.
The second tool I'm working on is SELinux, primarily on Red Hat Linux / Fedora and derivatives. SELinux is an extremely powerful and flexible Mandatory Access Control solution, similar to tools such as systrace but much more flexible and complex. I am extremely excited about SELinux in that it is a control designed to protect against unknown vulnerabilities, personally one of my biggest concerns. It operates under the concept of least privilege. Learning SELinux is almost like learning a programming language. There are a variety of GUI-based tools to help, but I prefer the command line. Often servers do not have a GUI installed, and the command line also gives you a better understanding of what is happening.

In the coming weeks I'll share with you my thoughts and experiences with these tools.