Dear Windows users…try Linux VM’s

I have been using this strategy for years and I am now finally ready to recommend this approach to security-conscious Windows users who have grown tired of dealing with a myriad of malware issues. Virtualization and Linux distros have finally reached the point that with a bit of reading and/or YouTube, creating a virtual machine (VM) isn’t that difficult. Modern x86 hardware should easily be able to handle the load to make it a pleasurable experience. I consider a Linux VM a viable tool for malware mitigation on a Windows host; an effective supplement to traditional signature-based detection mechanisms that are becoming increasingly ineffective in combating zero-day threats. Still, the majority of malware in the wild is designed to target the Windows OS. Using a VM as an additional layer of protection is an effective strategy against botnets, ransomware and other trojans that are increasing in sophistication and have caused massive headaches for Windows users in recent years. They are not going away anytime soon. The theft of personal information and extortion are important enough reasons for many to consider using Linux VMs, even with the inconvenience of having to manage a guest VM in order to do web-based activities. In doing so, you will drastically limit the scope of malware finding its way onto your Windows host machine through a range of well-crafted attack techniques.

Keep in mind there is no silver bullet to online security. Linux is certainly not immune to web-based threats, but is generally considered well protected by design against malware. There is no need to dig into the wallet. Virtualization software and Linux are available for free, so why not try it out? There will be a learning curve if these concepts are new, but think of it as a project and take a weekend to play around with it. You may come away with a further interest in Linux, all while increasing your security posture and awareness. Here are my recommendations based on getting up and running with ease of use in mind.

Virtualization software

VirtualBox – various network configurations (NAT, bridged, host-only), cloning and snapshot support.

Linux distro

MINT – has everything you would expect in a desktop OS with features that are Windows user friendly: Cinnamon Desktop Environment, VLC media player, Gufw – gui to manage firewall, ClamAV – if sharing files with Windows host, Browsers – Firefox (default) / Chromium – protect your browser of choice with security add-ons and extensions as discussed in “Security and the Browser“. Only install software from the official repositories.

Don’t forget to secure the Windows host operating system as much as possible. You may still want to reach out to the internet for Windows Updates, or if VirtualBox does not support your hardware (e.g. webcam). Tips: Host-based firewall – create restrictive rules for outbound traffic, Application Whitelisting using Software Restriction Policies (SRP) or AppLocker (only available in Windows Ultimate/Enterprise & Server editions). There are many guides and strategies available online. Here is an example of how SRP was used to block the infamous Cryptolocker ransomware. Continue using an antivirus/anti-malware solution on your Windows host – Avast provides a decent free package.

Additional Tips: VBox and MINT have awesome community forums where you can find your answer to just about anything. If you post a question, chances are it will be answered in the matter of hours if not sooner. Configure SSH on MINT and use WinSCP to securely transfer files between the host and VM.

pfSense config tips

pfSense 2.2 dropped last week and to pay homage, I’ve put together some configuration tips that I do immediately post install. Yes I am a biased pfSense user going on five years and haven’t looked back. When I look at some of the crappy home gear that comes with a hefty price tag and lack of advanced features in comparison to my pfSense UTM, I find myself saying, “It don’t make sense, if it ain’t pfSense!”

OpenDNS

  • Force DNS requests from local clients to use the DNS Forwarder or Resolver on pfSense for resolution. I chose to use OpenDNS servers based on their reliability and reputation for filtering out malicious domains. I recommend checking out Blocking DNS queries to external resolvers.
  • The OpenDNS server IPs are 208.67.222.222 & 208.67.220.220

[screenshot: OpenDNS DNS server settings in pfSense]

Firewalling Strategy

  • Employ egress filtering – Strive to allow only the minimum required outbound traffic. Allow what you know (e.g. web traffic on TCP 80 & 443, DNS queries on TCP/UDP 53), block the rest, and work through it by analyzing the firewall logs and fine tuning the rules making them as granular as possible.
  • Rulesets are evaluated from the top down on a first match basis. Check out the ‘Firewall Rule Basics‘ article for a quick overview.
  • Default deny – Most commercial routers come with default allow rules on the LAN – pfSense is no exception. The best approach is to disable or remove the “Default LAN > any” rule. Check out the ‘Example basic configuration’ article that gives a great understanding of how rules are setup.
  • Reduce log noise – Make sure your logs are not getting over-spammed with things such as NetBIOS broadcasts. Too much noise will overshadow the important messages that you want to see. Make sure to carefully analyze your logs and review the frequency. Get a thorough understanding of what is generating the logs, and only then decide if it is something that you deem safe to filter out.

pfBlockerNG (coming soon?) – Update: pfBlockerNG v1.0 has been released for 2.2, thanks to developer BBcan177. I’ve had a chance to play with it a bit. I’ve added some block lists from Emerging Threats and so far so good. I’m already seeing some activity being logged because of the rules.

  • pfBlocker was a must-have package for pfSense that could be used to block IP ranges of spammers, botnets and/or entire countries. It would have made this list, but the package is outdated and has some noted issues with pfSense 2.2. Development is under way for its replacement called pfBlockerNG. Keep a close eye on the forums for the latest news.

A special thanks to all the wonderful folks that contribute to the pfSense project. Your time and efforts are greatly admired and appreciated.

SecWorX – InfoSec Year In Review – 2014

Hi folks, I’ve compiled some of the more popular InfoSec stories and links on each topic – just a quick year in review summary for you. This year has been extremely eventful and there are no signs of slowing down as we enter 2015. Read it and weep, or, if you work in InfoSec, read and smile that you are still employed with plenty of work on the horizon🙂

Total PWNage

Sony Cyber Attack

The biggest, baddest and juiciest story of them all broke in late November and will continue to be a treasure trove well into 2015. This cyber attack was reminiscent of an old school cheesy hacker movie. Here is the image of what many Sony employees saw showing up on their screens. Gotta love the scary skull pic!

[image: GOP message displayed on Sony employees’ screens]

The FBI is pointing the proverbial finger at DPRK. I’m holding back judgment until the InfoSec community has had a chance to review the technical analysis. Seth Rogen is one person that must be pretty stoked about the Sony attack which was spun into an awesome promotional tool for “The Interview” movie going into the holiday season. I admit that I bought into the hype. My review…a few good laughs but far from a blockbuster!

The leak was BRUTAL!
– entire databases exfiltrated
– unpublished movie scripts
– contract negotiations
– data dump posted to torrent sites, pastebin and reddit (amongst others)
– full dump claimed to be 10s of Terabytes

Brian Krebs is covering this one pretty well!

Celebrity Nude Photo Leak

This story broke over Labour Day which must have set records for female A-lister search queries looking for a download link for the files. The series of nude pics for allegedly 101 celebs (names below) are making the rounds on file sharing sites, referred to as ‘The Fappening’. The attack was a garden-variety brute force attempt against iCloud accounts: a huge breach in privacy where the attacker was able to steal nude photos from right under the nose of these celebrities straight off the cloud. The photographs were then posted to online forums and soon spread like wildfire. Reports suggest the hack consists of the cumulative use of a Python script named “iBrute” that was posted on GitHub, along with a vulnerability found in the ‘Find my iPhone’ app. The vulnerability provided unlimited chances for an attacker to brute force the passwords due to the lack of rate limiting or account lockout.

The alleged list:
AJ Michalka, Alyson ‘Aly’ Michalka, Allegra Carpenter, Abigail Spencer, Alana Blanchard, Alexa Jane, Angelina McCoy, Anna O’Neill, Ashley Blankenship, Aubrey Plaza, Abigail ‘Abby’ Elliott, AnnaLynne McCord, Avril Lavigne, Amber Heard, Rebecca ‘Becca’ Tobin, Brie Larson, Brittany Booker, Candace Smith, Candice Swanepoel, Cara Delevingne, Carley Pope, Carmella Carcia, Carrie Michalka, Cat Deeley, Carly Foulkes, Chloe Dykstra, Clare Bowen, Dove Cameron, Elena Satine, Elle Evans, Ellenore Scott, Emily Browning, Emily DiDonato, Emily Ratjkowski, Erin Cummings, Erin Heatherton, Farrah Abraham, Gabrielle Union, Gabi Grecko, Hayden Panettiere, Hope Solo, Heather Marks, Hilary Duff, Jacqueline Dunford, Janelle Ginestra, Jennifer Lawrence, Jessiqa Pace, Jessica Dunford, Jessica Riccardi, Jesse Golden, JoJo, Joanna Krupa, Jennifer ‘Jenny’ McCarthy, Josie Loren, Joy Corrigan, Kaley Cuoco, Kaime O’Teter, Kate Upton, Kate Bosworth, Kelly Brook, Lauren ‘Keke’ Palmer, Kim Kardashian West, Kirsten Dunst, Krysten Ritter, Lake Bell, Laura Ramsey, Lea Michele, Leelee Sobieski, Leven Rambin, Lisa Kelly, Lisalla Montenegro, Lindsay Clubine, Lizzy Caplan, Mary-Kate Olsen, Mary Elizabeth Winstead, McKayla Maroney, Melissa Benoist, Meagan Good, Megan Boone, Michelle Keegan, Mikayla Pierce, Misty Treanor, Nina Stavris, Rachel Nichols, Rihanna, Sarah Shahi, Sahara Ray, Sarah Schneider, ScarJo, Selena Gomez, Shannon McNally, Tameka Jacobs, Teresa Palmer, Uldouz, Vanessa Hudgens, Victoria Justice, Wailana Geisen, Winona Ryder, Yvonne Strahovski, Alison Brie, Dave Franco.

User lessons
1. Use strong passwords and enable two-step verification.
2. Review the contents that are copied to the cloud. Delete backups or whatever else that you do not want on there.
Business lessons
1. Always implement a rate limiting/account lockout feature on web apps.
2. Bug Bounty programs are a good thing.

I’m still waiting for a story to break that points to Kim Kardashian as being the real hacker for this one! Wouldn’t that make the gossip mags a fortune in 2015?

Here are links to three good posts on the story.
Sources: Forbes – Link1, Link2; Mail Online – Link

Retail Card Breaches Cont’d

This type of attack came on the radar a year ago with the disastrous Target breach but was soon trumped by Home Depot resulting in the largest breach of its kind on record. Cyber criminals using custom-built malware that lingered on the network for approximately half a year (April to September) were able to steal card data and customer email addresses. The numbers speak for themselves:
– 56 Million customer credit/debit card accounts
– 53 Million customer email addresses

Krebs broke the story on Sep 2, 2014, and has done a fabulous job at posting detailed updates. Thanks again Brian!

Lesson learned: – Fear the phrase “PCI Compliant”!!!!

Bugs

Heartbleed and ShellShock

The two most popular bugs making the media rounds were tagged with the coolest monikers: Heartbleed & ShellShock.

Heartbleed is an OpenSSL bug disclosed in April, 2014 and hit the mainstream media with full force given the enormity of websites that use it. OpenSSL is the open-source implementation of SSL/TLS, used for communication security and privacy over the internet; for applications such as web, email, IM and some VPNs. Shall I now scream, “THIS IS IMPORTANT!”? Vulnerable versions of OpenSSL are open to data leakage by a coding flaw that allows for a buffer over-read by crafting a malformed heartbeat designed to access more data than what should be allowed. Major sites have since patched their servers, however rest assured there are many that still remain vulnerable.

The Sophos Naked Security news site posted my favorite technical article for Heartbleed.

Real World Example – Western University student charged with extracting data from the Canada Revenue Agency resulting in a major tax-time disruption
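To make the “buffer over-read” concrete, here is an added example (not OpenSSL’s code, and not from the original post) that simulates a heartbeat handler in Python. Process memory is stood in for by a byte string: the heartbeat record followed by a constructed secret. The vulnerable handler trusts the peer-supplied payload length; the patched handler applies the same bounds check the OpenSSL fix added (type + length + payload + padding must fit inside the received record). The secret value and the memory layout are assumptions for illustration.

```python
import struct

HB_REQUEST, HB_RESPONSE = 1, 2
PADDING = 16  # minimum padding a heartbeat message carries

# Constructed stand-in for whatever sat next to the record in process memory.
SECRET = b"session-cookie=CONSTRUCTED-SECRET"


def build_heartbeat(payload: bytes, claimed_len: int) -> bytes:
    """Heartbeat body: type(1) | payload_length(2, big-endian) | payload | padding.

    claimed_len is what the peer *says* the payload length is; a malformed
    request sets it far larger than len(payload)."""
    return struct.pack("!BH", HB_REQUEST, claimed_len) + payload + b"\x00" * PADDING


def vulnerable_handler(memory: bytes, record_len: int) -> bytes:
    """Pre-fix logic: copies payload_len bytes without comparing it to record_len,
    so the echo runs past the record into adjacent memory."""
    _, payload_len = struct.unpack("!BH", memory[:3])
    echoed = memory[3:3 + payload_len]
    return struct.pack("!BH", HB_RESPONSE, payload_len) + echoed + b"\x00" * PADDING


def patched_handler(memory: bytes, record_len: int):
    """Post-fix logic: discard the message if the claimed payload does not fit
    inside the record that was actually received."""
    _, payload_len = struct.unpack("!BH", memory[:3])
    if 1 + 2 + PADDING > record_len:            # record too short to be a heartbeat
        return None
    if 1 + 2 + payload_len + PADDING > record_len:  # claimed length exceeds the record
        return None
    return struct.pack("!BH", HB_RESPONSE, payload_len) + memory[3:3 + payload_len] + b"\x00" * PADDING


def simulate(payload: bytes, claimed_len: int) -> dict:
    """Run both handlers against the same simulated memory and report what leaked."""
    record = build_heartbeat(payload, claimed_len)
    memory = record + SECRET                     # the record sits just before the secret
    vuln = vulnerable_handler(memory, len(record))
    fixed = patched_handler(memory, len(record))
    return {
        "vulnerable_leaks": SECRET in vuln,
        "patched_dropped": fixed is None,
        "patched_leaks": fixed is not None and SECRET in fixed,
    }


if __name__ == "__main__":
    print("honest request :", simulate(b"hello", 5))
    print("malformed claim:", simulate(b"hello", 65535))
```

An honest request (claimed length equal to the real payload) is answered by both handlers; a request claiming 65535 bytes leaks the constructed secret from the vulnerable handler and is silently dropped by the patched one.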

ShellShock is a GNU Bash shell bug disclosed in September of 2014. The flaw dates back to versions of Bash from the early days circa 1989 through to v4.3. While still widely publicized, it did not seem to garner the same coverage in the mainstream media as did Heartbleed. ShellShock is a far more significant vulnerability with a National Vulnerability Database severity rating of 10/10. The sheer length of time of the bug’s existence leaves many lingering questions such as, who knew of this vulnerability and for how long? Bash is an enormously popular *nix shell and is the default shell on popular operating systems such as Linux and Mac OS X. The sheer footprint of Bash found on public web servers and on internet of things (IoT) devices running embedded Linux with Bash (e.g., home routers and NAS gear) is cause for great concern given the seemingly limitless attack possibilities. The ShellShock bug allows for remote arbitrary code execution via a specially crafted environment. Many companies have since patched their critical servers, but relaying this message to the consumer will prove difficult. Getting the average consumer to take action and patch devices that sit on the shelf would be hard even if a one-click update option was available. Any fix or workaround requiring more technical savvy will go well beyond the comfort level of many customers who purchase these solutions without even realizing the impact or ramifications of security vulnerabilities.

Check out these four great articles to further your understanding about this very serious vulnerability. Sources: US-Cert, CloudFlare, FireEye, Troy Hunt

Real World Example – Several botnets have been leveraging the ShellShock bug. Botnet agents have been found with port scanning, backdoor and DDoS capabilities. One of the first reported botnet attacks was a DDoS against Akamai and US DoD networks.
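Because the ShellShock payload travels in HTTP headers that a web server exports into Bash’s environment, the quickest retrospective check on a web server is to look for the Bash function-definition prefix in the access log. The following is an added example (not from the original post or any of the linked sources) that scans constructed Apache/nginx combined-format log lines; the IPs, timestamps and the placeholder probe text are made up for illustration. Note the caveat in the comments: the combined log format only records the request line, Referer and User-Agent, so probes in other headers need a WAF or packet capture to spot.

```python
import re
from collections import Counter
from urllib.parse import unquote

# The Bash function-definition prefix that the unpatched parser evaluated wherever it
# appeared in an environment variable's value; this is the token scanners sent.
FUNC_PREFIX_RE = re.compile(r"\(\s*\)\s*\{")

# Apache/nginx "combined" log format. Only the request line, Referer and User-Agent
# are logged, so a probe in any other header would not show up here.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)"$'
)

# Constructed sample lines (not real traffic): a normal visitor, a probe in the
# User-Agent, the same probe in the Referer, and a URL-encoded one in the query string.
SAMPLE_ACCESS_LOG = [
    '198.51.100.7 - - [25/Sep/2014:10:01:12 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 '
    '"-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.9 - - [25/Sep/2014:10:01:15 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 '
    '"-" "() { :;}; CONSTRUCTED-PAYLOAD"',
    '203.0.113.9 - - [25/Sep/2014:10:01:16 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 '
    '"() { :;}; CONSTRUCTED-PAYLOAD" "curl/7.38"',
    '192.0.2.4 - - [25/Sep/2014:10:02:01 +0000] '
    '"GET /index.html?q=%28%29%20%7B%20%3A%3B%7D%3B%20x HTTP/1.1" 404 0 "-" "Mozilla"',
]


def scan_access_log(lines):
    """Return (source_ip, field) for every logged field carrying the prefix.

    Fields are URL-decoded first so a percent-encoded "() {" is not missed."""
    findings = []
    for line in lines:
        m = COMBINED_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess
        for field in ("request", "referer", "user_agent"):
            if FUNC_PREFIX_RE.search(unquote(m.group(field))):
                findings.append((m.group("ip"), field))
    return findings


def sources_by_hit_count(findings):
    """Which sources probed most often; useful for blocking or further triage."""
    return Counter(ip for ip, _ in findings)


if __name__ == "__main__":
    hits = scan_access_log(SAMPLE_ACCESS_LOG)
    for ip, field in hits:
        print(f"{ip:<15} {field}")
    print(sources_by_hit_count(hits).most_common())
```

A 200 response to such a request does not by itself mean the box was vulnerable; correlate with whether the target path actually invoked a CGI script backed by Bash, and with outbound connections from the server around the same time, which is where the botnet agents described above show up.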

Operations

Dark Markets

Online marketplaces used for illegal activity are still active even with aggressive pursuit by law enforcement agencies worldwide. The infamous Silk Road is just one of many online underground markets that use the Tor network for anonymity and digital currencies such as Bitcoin to hide the money trail. Existing in what has been termed the ‘deep web’ or ‘darknet’, these sites have been used as a conduit for a wide range of illicit activities operating in a virtual black market. Investigations have uncovered illegal vices such as moving contraband, money laundering, stolen credit cards, false identification, weapons dealing and contract killing, all linking back to various dark market sites. A massive international investigation was launched targeting these sites called ‘Operation Onymous’. The crackdown involving the FBI, Homeland Security and Europol led to 17 arrests, asset seizures and took down many black market sites. There are still plenty of others that have managed to elude law enforcement and remain operational in the underground economy. The investigation has also caused a stir amongst Tor users, leaving them to question its actual strength at providing true anonymity.

Snowden Revelations 2014

Call him former government contractor, traitor, whistle-blower or patriot, but those in InfoSec call him, “the gift that keeps on giving”. Since Ed Snowden fled the USA, stopping in Hong Kong and eventually landing in Russia, he has released a treasure trove of documents on privacy and surveillance that has left audiences captivated. He even landed a feature interview from abroad that aired on CBS’s 60 Minutes. The revelations kept coming strong throughout 2014. Al Jazeera created an amazing interactive timeline. You can scroll over to the beginning of 2014 if you want a recap. The collection reveals the NSA’s true power and vast international spy grid. Other articles cover the various techniques used by agencies like the NSA and GCHQ for tracking and data collection. Articles on facial recognition technologies and quantum computing provide readers a window into the future.

All of these stories give credence to the fact that InfoSec has some big challenges ahead. I could continue writing until the clock strikes midnight in 2015, but I am on holidays after all so I’ll sum it all up in just four words; Nothing can be trusted!!!

Splunking pfSense

I’ve decided to switch to Splunk for my syslog parser. I was using Syslog Watcher, however I realized that I need something that I can customize to correctly parse the data coming from pfSense. The reason is the way pfSense generates the firewall events: the output is split into two lines instead of one, and this format causes a problem with many popular syslog & SIEM applications. Combining the lines into one is required if you want to do proper analytics & reporting. With just a few tweaks, Splunk handles the parsing the way I want it to.

I run Splunk 6.1 Enterprise on a CentOS server. The RPMs can be found on splunk.com.

Here is a link to a quick youtube video that gives a quick run through of the installation.
Installing Splunk 6 on Linux (CentOS, Red Hat).

A few commands and things to note:

Start/Stop/Restart Splunk

$SPLUNK_HOME/bin/splunk start <stop, restart>

Configure Splunk to start at boot time with a startup (init) script
$SPLUNK_HOME/bin/splunk enable boot-start

Web GUI
Splunk runs on default port 8000
http://yourhost:8000

How to configure Splunk to handle pfSense data
This is the really cool thing about Splunk. It is the ultimate SIEM application in terms of customization. There are two config files that give you the ability to parse the data and output it the way you want:

props.conf – allows Splunk to recognize the multi-line pfSense events as one.

transforms.conf – the parsing of the data received into the fields that you want to see.

Full credit goes to this blog for the awesome regex tailor-made to parse pfSense.
basementpctech.com

Splunk Configuration

  1. Check that pfSense is configured to send log messages to remote syslog server.
  2. From the Splunk Web GUI go to Settings – Data inputs – UDP.

This is where Splunk is configured to listen on UDP 514 (syslog). Here are my custom settings:

[screenshot: Splunk UDP data input settings]

  3. Now you can go to the App: Search & Reporting and you will see your indexed data. Click the Data Summary button and it will launch a window where you can view the various sources that Splunk is listening to.

[screenshot: Splunk Data Summary window]

  4. You can use the search field to customize your search. The results can be saved as a report, dashboard or alert. My query displays in table format showing the fields: _time, src_ip, src_port, dest_ip, dest_port, protocol, action.

[screenshot: Splunk search results in table format]

The result is pretty neat compared to reading the raw data format.
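The two-line problem described above, and the log-analysis habit recommended in the pfSense config tips (tune egress rules from the firewall logs, and identify what is generating noise before filtering it), can both be shown in a few lines of code. What follows is an added example, not the post’s Splunk configuration and not the basementpctech.com regex: a small Python parser that merges each header line with its continuation line into one event, then produces the counts an egress review needs. The sample lines are constructed to mimic the older tcpdump-style two-line pf syslog output and are not real logs; the interface names, addresses and rule numbers are assumptions.

```python
import re
from collections import Counter

# Constructed sample in the older two-line pf syslog style: a header line with the
# rule/action/interface, then a continuation line with the addresses. Not real logs.
SAMPLE_LOG = """\
Jan 10 11:36:02 pf: 00:00:00.000000 rule 3/0(match): block in on em1: (tos 0x0, ttl 128, id 4321, offset 0, flags [none], proto UDP (17), length 78)
Jan 10 11:36:02 pf:     192.168.1.10.137 > 192.168.1.255.137: [udp sum ok] UDP, length 50
Jan 10 11:36:05 pf: 00:00:00.000000 rule 7/0(match): block out on em0: (tos 0x0, ttl 63, id 9, offset 0, flags [DF], proto TCP (6), length 60)
Jan 10 11:36:05 pf:     192.168.1.20.51234 > 203.0.113.5.25: Flags [S], seq 1, win 65535, length 0
Jan 10 11:36:06 pf: 00:00:00.000000 rule 2/0(match): pass out on em0: (tos 0x0, ttl 63, id 10, offset 0, flags [DF], proto TCP (6), length 60)
Jan 10 11:36:06 pf:     192.168.1.20.51235 > 93.184.216.34.443: Flags [S], seq 1, win 65535, length 0
Jan 10 11:36:07 pf: 00:00:00.000000 rule 7/0(match): block out on em0: (tos 0x0, ttl 63, id 11, offset 0, flags [DF], proto UDP (17), length 60)
Jan 10 11:36:07 pf:     192.168.1.30.40000 > 198.51.100.9.53: 1234+ A? example.test. (30)
Jan 10 11:36:09 pf:     10.0.0.1.1 > 10.0.0.2.2: orphan continuation line without a header
"""

HEADER_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) pf: \S+ rule (?P<rule>\d+)/\d+\(match\): "
    r"(?P<action>block|pass) (?P<direction>in|out) on (?P<iface>\w+): .*proto (?P<proto>\w+)"
)
DETAIL_RE = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d pf:\s+(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):"
)


def parse_pf_log(text):
    """Merge each header line with the continuation line that follows it.

    A header with no matching detail line, or a detail line with no header, is
    dropped rather than turned into a half-populated event."""
    events, pending = [], None
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            pending = h.groupdict()  # hold the header until its detail line arrives
            continue
        d = DETAIL_RE.match(line)
        if d and pending:
            event = dict(pending, **d.groupdict())
            for key in ("rule", "sport", "dport"):
                event[key] = int(event[key])
            events.append(event)
        pending = None
    return events


def egress_review(events):
    """The two counts that drive rule tuning: which outbound traffic is being
    blocked (candidates for an explicit allow, or confirmation the rule works),
    and how much of the log is LAN broadcast noise such as NetBIOS to .255."""
    blocked_outbound = Counter(
        (e["proto"], e["dport"])
        for e in events
        if e["action"] == "block" and e["direction"] == "out"
    )
    broadcast_noise = sum(1 for e in events if e["dst"].endswith(".255"))
    return {"blocked_outbound": blocked_outbound, "broadcast_noise": broadcast_noise}


def as_table(events):
    """Rows in the same field order as the Splunk table query in the post."""
    cols = ("ts", "src", "sport", "dst", "dport", "proto", "action")
    return [[str(e[c]) for c in cols] for e in events]


if __name__ == "__main__":
    evs = parse_pf_log(SAMPLE_LOG)
    for row in as_table(evs):
        print("  ".join(row))
    print(egress_review(evs))
```

In the sample, the blocked UDP/53 event to an outside address is exactly what the “Blocking DNS queries to external resolvers” tip is meant to catch, and the single broadcast to 192.168.1.255 is the kind of entry worth understanding before deciding to filter it out of the log.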

Here are some helpful Splunk links for Search. I still have some playing around to do to create some nice visually appealing charts and reports. I plan on making some custom search queries to cover various time periods such as: 24hr, week, month and year, to make it easy to pull statistics and perform analytics.

  1. The Search Tutorial
  2. The Search Manual

Happy Splunking🙂

WiFi Security – Time to turn off WPS

I recently read some interesting slides posted online by Swiss security specialist Dominique Bongard regarding refined attacks against WiFi Protected Setup (WPS), reducing the length of time to crack a WiFi network’s WPA passphrase within seconds. It suddenly dawned on me that I probably forgot to disable this feature when I swapped out my old Linksys for a DLink Gateway around two years ago.

What is WPS?

  • It is a protocol aimed at easily connecting to WiFi networks
  • Gives the WPA passphrase to stations providing the right PIN
  • Two main modes: Push Button and 8 digit PIN code

Sure enough I logged on the D-Link Gateway interface and found that it was in fact enabled. Needless to say, I turned it off immediately as WPS has been found to be a troubled protocol dating back to when researcher Stefan Viehböck reported an implementation flaw that makes brute-force attacks against WPS feasible.

Wikipedia has a good summary

The vulnerability centers around the acknowledgement messages sent between the registrar and enrollee when attempting to validate a PIN. The PIN is an eight-digit number used to add new WPA enrollees to the network. Since the last digit is a checksum of the previous digits,[7] there are seven unknown digits in each PIN, yielding 10^7 = 10,000,000 possible combinations.

When an enrollee attempts to gain access using a PIN, the registrar reports the validity of the first and second halves of the PIN separately. Since the first half of the PIN consists of four digits (10,000 possibilities) and the second half has only three active digits (1000 possibilities), at most 11,000 guesses are needed before the PIN is recovered. This is a reduction by three orders of magnitude from the number of PINs that would have to be tested. As a result, an attack can be completed in under four hours (183 minutes to be precise). The ease or difficulty of exploiting this flaw is implementation-dependent, as Wi-Fi router manufacturers could defend against such attacks by slowing or disabling the WPS feature after several failed PIN validation attempts.[4]

Given the seriousness of the WPS vulnerability that leaves you open to brute-force attacks by anybody within the vicinity of your network, I was curious about the number of APs around me that have WPS enabled. I fired up Kali and performed a scan using the wash command:

[screenshot: wash scan output]

The results after a brief scan show that there are four machines within range that are vulnerable to “reaver” attacks. Reaver is an open-source tool specifically designed to exploit the WPS security flaw and is available in Kali Linux. As stated on the Google code site for reaver-wps:

On average Reaver will recover the target AP’s plain text WPA/WPA2 passphrase in 4-10 hours, depending on the AP. In practice, it will generally take half this time to guess the correct WPS pin and recover the passphrase.

Yikes! I strongly suggest to check your WiFi Gateway settings and turn off WPS. Here is a screen shot of where it is found on my DLink.

[screenshot: WPS setting on the D-Link gateway]

While you’re at it, double check your WiFi security level. The minimum security standard should be WPA with a strong passphrase known as the Pre-Shared Key (PSK).

Oh %*&#, I lost my USB stick!!!

I couldn’t help but recently overhear a conversation while enjoying an outing with my wife at a local café; a university professor was telling a colleague about the horror of losing her USB stick. Looking clearly distraught as she explained the story, I mused about what data could have been stored on the thumb drive: students’ marks, banking information, private photos and videos. The potential fallout is hard to ascertain. “What a nightmare!”, I said to myself as I contemplated whether or not to interject in the conversation. Luckily we ended up chatting and I got the chance to bring up encryption and the importance of protecting portable data. What I had to say clearly caught her attention and I would bet that going forward she will take whatever steps are necessary to avoid being in that situation again.

Encrypting data on flash drives should be a top priority if they are being used to store sensitive data, especially because of their propensity for physical loss due to small size and portability. Think about how easy it is to misplace, drop or simply leave behind. What about the minimal effort required for a thief to walk by and snatch one out of your device? With flash drives reaching terabyte capacity, people are storing more and more data on them without taking into consideration the impact if they were to fall into the wrong hands.

My recommendation is the wonderful freeware encryption utility called “TrueCrypt”. I know many have heard by now that the project abruptly ended in May 2014, but for the time being it remains my #1 choice for protecting my flash drive until there is a viable alternative. I realize the program’s SourceForge page recommends users to switch over to Microsoft’s proprietary BitLocker that only ships with the higher end Ultimate/Enterprise editions of the OS. I’m sorry, but this answer is not sufficient as BitLocker is only supported by Windows OS whereas TrueCrypt is cross-platform (Windows/Linux/OS X). I personally believe that the source code for encryption software should be publicly available for cryptanalysis as was the case with TrueCrypt. In fact, a professional security audit is under way called the Open Crypto Audit Project and so far has not found any evidence of backdoors or malicious code. The reason for the TrueCrypt developers suddenly dropping the project after 10 years is somewhat of a mystery. The bizarre message that appeared on the website stating that development ended after MS terminated support of Windows XP is very cryptic and has fanned the flames of conspiracy theorists worldwide. Many suggest that the developers simply decided to retire the project, but I have decided to keep an open mind because, as the revelations of NSA whistleblower Edward Snowden showed, anything is possible.

Well enough of my ranting…back to the solutions…

One of TrueCrypt’s many great features is OTFE (On-the-fly Encryption) also known as real-time encryption. The main advantage is transparency to the user, meaning that you do not have to re-encrypt the files you work with after you’re done using them. There is also a portable mode that will allow you to run the program directly from the USB device without the need for the program to be installed on the operating system as long as you have admin rights. The TrueCrypt v7.1a installation packages and instructions can still be found on the GRC’s TrueCrypt final release archive.

There is an alternate OTFE portable solution for USB flash drives called Rohos Mini Drive that deserves honorable mention. One of the features gives the ability to access the disk without the need for admin rights, however there are several limitations. Please refer to the website for more information.

Another solution is File/Folder Encryption. The disadvantage when compared to OTFE is that encryption is not done in real-time. You need to manually select the files that you want to encrypt and if there is sensitive data that is not part of your encrypted archive, it will be clearly readable by anybody with access to your flash drive. My recommendation for File/Folder encryption is 7Zip which also has a portable app that can be installed and run directly from the USB device without software or admin right dependencies.

The most expensive solution is Hardware-Based Encryption. These secure flash drives are widely available from many vendors, such as IronKey and Kingston. The advantages are that encryption is always active without software or driver dependencies and no learning curve. Encryption/Decryption operations are managed by a built-in chip on the flash drive. The downside is the elevated cost that can easily be 3 or 4 times that of a regular flash drive with similar capacity.

All of these solutions support the AES-256 cryptographic algorithm which is the government standard for encrypting highly sensitive classified information. What this basically means is that unless by chance your flash drive is found by some NSA cryptanalyst, your data should be safe from prying eyes. So if you really care about securing your portable data, go and try one of these great encryption solutions ASAP.

pfSense – Unified Threat Management Home Lab Project

…on why pfSense makes a lot of Sense: pfsense.org

  • Go far beyond the consumer grade WiFi gateway that sits on the shelf, collects dust and runs outdated firmware. No worries, you can make use of it as an AP.
  • Have an old PC lying around? Turn it into a pfSense box; It’s the green way of thinking.
  • Amazing Features: Stateful Firewall, Hardware Failover, Multi-WAN, Load Balancing, VPN, Dynamic DNS, Captive Portal, DHCP Server etc.
  • Additional 3rd Party Packages: Squid Proxy, Snort IDS/IPS, pfBlocker and more…..
  • I highly recommend purchasing a copy of “pfSense – The Definitive Guide”. A great read, props to Chris Buechler and Jim Pingle.
  • Great user community and support to help you when you find yourself banging your fist or head against your desk.

For InfoSec folks it is an awesome project to not only protect the home network but reap the benefits of learning about firewalls, networking, intrusion detection and traffic analysis. I’ve used multi-port NICs and a couple of switches for LAN segmentation so I can test malware and various security tools without disrupting my home network and facing the wrath of my wife for bringing down her Facebook session. “Sorry Honey!”

My current LAB design:

Hardware:

  • pfSense box: Lenovo M58P (SFF), 1TB HDD, 8GB RAM. 3 x LAN ports
  • D-Link DIR-628 WiFi
  • MikroTik RB250GS switch
  • Netgear GS108T switch
  • Custom PC: Asus Maximus V Gene, Core i5, 16GB RAM, 4 x HDD, 3 x LAN port, Host OS = Windows 7 + Mixed Windows/Linux VMs

Additional software:

  • Syslog Watcher – snmpsoft.com  – Syslog parsing and reporting – Running on Windows 7 Host PC
    Replaced with Splunk. See my post
  • Snorby – snorby.org – Snort NIPS monitoring and traffic analysis – Running on CentOS VM

Stay tuned for more…
