Mathieu Dessus

Personal page

Latest articles

Book: Implementing Splunk

The book Implementing Splunk: Big Data Reporting and Development for Operational Intelligence, written by Vincent Bumgarner and for which I was a reviewer (yes, it's an unashamed advertisement), is now available.

Event interoperability: current and emerging standards

Each application, OS, network and security device has its own way of logging events, and so far there is no widely adopted standard that allows all logs to be easily integrated into a SIEM solution. Here are the main standards and their key points: IDMEF: The IDMEF standard, mainly focused on IDS, is now almost dead. CEF (Common Event Format): The Common Event...

Splunk 5 released

The latest version of Splunk (5.0) is now out, with some nice improvements: The most visibly missing feature for users (customers?) was PDF report generation: Splunk is now able to generate PDF reports natively (including for scheduled reports). You can forget the crappy PDF report app. Report acceleration (similar to ArcSight trends), which allows fast reports...

Quick tip: Run splunk as non-root user (but still receive syslog)

In a non-distributed architecture (your indexer is also the host receiving the events), you might want to keep Splunk running as a non-privileged user but still receive syslog from remote hosts. You have (mainly) two solutions: set up your favorite syslog daemon (syslog-ng or rsyslogd) to listen on port 514, and then configure Splunk to read...

What’s new in Splunk 4.3

Splunk 4.3 has been out for a few days, and this new release contains some nice improvements: Sparklines (like in BlueCoat): * | chart sparkline count by host gives the following result: Flash is replaced by HTML5 (for recent browsers; Flash is still used for old browsers), but the behaviour of flashtimeline or reports is kept unchanged. Allows mobile device...

ArcSight Logger 5.2 available

ArcSight recently presented the new version of the Logger. Some of the new features are: distributed reports over multiple Loggers; user-configurable dashboards; event summary (overview); live event viewer; LDAP and AD directory integration; dedup and transaction search commands; SNMP polling support. I've been waiting for some of these features for a long time (except...

Log management solutions: storage and integrity

The main log management solutions available on the market have different features and different ways of handling the data. This article focuses on how ArcSight Logger, LogLogic and Splunk handle archives, and on what integrity features they offer. How do the different log management solutions handle data archiving? ArcSight allocates...

Virtual keyboard and false sense of security

The Juniper SSL VPN solution (Secure Access) is undoubtedly the most advanced on the market today, and I've always been satisfied with it. However, a few days ago, one of my customers showed me his SSL VPN, for which he had enabled the "virtual keyboard". I've never been really convinced by the security level added by virtual keyboards. Even if it prevents...

URL obfuscation and ‘numerical encoding‘

As reported by Kaspersky, most browsers (and proxies?) support URLs with IP addresses in formats other than decimal, which can be a good way to bypass network security: http://0x42.0x66.0x0d.0x63/ http://0x42660d63/ http://1113984355/ http://00000102.00000146.00000015.00000143/ The URLs above work with both Firefox and Chrome.

Imperva WAF detection for Wafw00f

You will find below a patch for WAFW00F (a tool used to fingerprint Web Application Firewalls) that allows it to identify the Imperva SecureSphere WAF. One characteristic of Imperva is that it responds with an HTTP/1.0 message, even if the request is made in HTTP/1.1. The other WAFs I've worked with do not have the same behaviour (but there may be a few false positives). This...
