
Zero Slides @ IrissCon

So if you're unlucky enough to follow me on Twitter, you'll have seen that I had a conundrum with my presentation at IrissCon :)

After a little work yesterday morning, during IrissCon, I tweaked the presentation and reduced the number of slides and successfully tested my "Security Onion in EC2" demo over the hotel wifi. I even managed to show a few others what I was going to do and received good feedback :) To add to my preparation, during lunch I hooked up my laptop to the main screen in the conference and everything looked sweet, even the "live" demo (@BrianHonan took some nice pictures also).

I was so relaxed this year in comparison to previous years (I only had a 30 minute talk to do, right). Looking at Jason and the Honeyn3t lads (organisers of the CTF this year), I recognised the bloodshot eyes and I could see the amount of stunning work that they had done (the world map of domination was simply awesome). My relaxation was commented upon by several folk so I must've been a right pain last year, sorry!!!

After lunch I ended up in the second room, where the Iriss CTF was going on. I went to check out some of the nmap scans of Team404 and ended up stealing a chair and a laptop. Looking at the World Map being dominated by the Bitbucket crew, I sat down to give some help and ended up taking control of 3 boxes and was on two of them for 2 hours but got very few points due to missing newline characters and the restrictions of DOS :( It was a lot of fun (getting on, getting kicked off by another team) though, so a BIG thank you to Team404 and the Honey3t guys for allowing me to sit down and have fun (much more fun sitting on the other side of the table)!!!!!! As a result of this though, I missed all the early afternoon talks, including Marcus Ranum's talk........doh :( I actually missed most talks due to talking to folk outside in the hallways, preparing for my own talk and spending time in the CTF room, but I had a great time chatting and learning. I caught a fair bit of Mick Moran's talk and it was pretty powerful stuff!

I did get to see @EoinKeary's slides around how we're doing web applications wrong and I was gutted I missed his talk (but I did get a personal walk-through). It looked excellent, especially the Kinder Eggs slide :)

Anyway, onto the main point of this blog post: my MacBook Pro died a very public death as I plugged the VGA cable into it to start my presentation, and it did this flashing performance as it moved from blue to white to black and back to white. Half of me was thinking -

"Really? Seriously, what is this sh*t? Murphy's Law :("

whilst the other (geek) half thought

"This is actually quite cool, I didn't know a Mac could do a BSOD :)"

Thankfully, I had actually prepared, gone over my presentation several times, and I like to think I knew what I was talking about (thanks to @bobdob and @rtby for the prep presentation). As a result, I presented on

"Peeling your Network Layers with Security Onion"

with no slides, no notes and no props. It appears that I've received good feedback, folks said nice things about the presentation and I had questions from the floor and afterwards some personal questions. If you saw the presentation and want to see the slides to help decipher what I was waffling on about, check them out here.

Security Onion is an awesome tool and I like to think I did it justice. I plan on trying to help Doug et al on the project as much as I can - I want to add some CLI options to the setup script and seriously look at implementing a "Chef" solution for MongoDB.

Remember Security Onion -
  • is a great way to see what's actually going on in your network
  • provides a clarity that many commercial solutions cannot
  • is an awesome solution, not only as an NSM server/sensor but also as a stunningly loaded analyst workstation
  • has a tonne of tools - frameworks, network IDS, host IDS, network forensics tools, nice GUIs, asset management, the awesome Sguil and many more
  • comes with everything compiled and ready-to-go (ever tried to compile Sguil from scratch?)
  • has a very active mailing list with great support
  • still lets you get commercial support for your Snort rules and signatures to keep your rules completely up-to-date
  • provides context so YOU actually KNOW what is going on in your network and what happened before or after
  • enables a WINDOWS ADMIN to set up a sensor in less than 10 minutes
  • is FREE, yes FREE :)

By the way, the good news is that the MacBook is back on the road to recovery and working. @Jayester advised me to back up immediately whilst @BaconZombie offered 50 euro for the Mac :)

Well done to "Brian Honan" on another excellent edition of IrissCon, all credit should go to Brian for such amazing hard work. I must apologise to Brian for my laptop screw-up though :(

--

P.S. I took the title of this blog post from a tweet by Marcus Viertel here.

P.P.S. As an FYI, next week, along with @securityninja and @marcwickenden, I'm hosting a slimmed-down version of HackEire @ Realex, which will be cool and exciting. Sign up here!!!!
