TaoSecurity Blog

Happy birthday TaoSecurity Blog, born on this day in 2003! The best way to digest the key lessons from this site is to browse my four volume Best of TaoSecurity Blog book series , published in 2020. It's available in print as seen here, or as a properly formatted HTML-based digital book -- none of that PDF-based fixed format nonsense. Each book is a theme-centric collection of posts with new commentary for each entry. Some of what I wrote stood the test of time, and some did not. See what you think. Or, just scroll backwards through this site. Thank you to Blogspot and Google for hosting this blog for the last 22 years! This is post number 3,086 by the way.

Probably once a week, I see posts like this in the r/Ubiquiti subreddit. Ubiquiti makes network gear that includes an "IDS/IPS" feature. I own some older Ubiquiti gear so I am familiar with the product. When you enable this feature, you get alerts like this one, posted by a Redditor: This is everything you get from Ubiquiti.   The Redditor is concerned that their system may be trying to compromise someone on the Internet. This is my answer to how to handle these alerts.   == This is another example of this sort of alert being almost worthless for most users. The key is trying to understand what COULD have caused the alert to trigger. CVEs, whatever, are irrelevant at this point. Here is one way to get SOME idea of what is happening. Go to https://rules.emergingthreats.net/open/suricata-7.0.3/rules/ Download the file that is named as the first part of the alert. Here that is EXPLOIT. https://rules.emergingthreats.net/open/suricata-7.0.3/rules/emerging-exploit.rules Find the r...

On this day in 2004, Addison-Wesley/Pearson published my first book, The Tao of Network Security Monitoring: Beyond Intrusion Detection . This post from 2017 explains the differences between my first four books and why I wrote Tao .  Today, I'm always thrilled when I hear that someone found my books useful.  I am done writing books on security, but I believe the core tactics and strategies in all my books are still relevant. I'm not sure that's a good thing, though. I would have liked to not need the tactics and strategies in my book anymore. "The Cloud," along with so many other developments and approaches, was supposed to have saved us by now. Consider this statement from a report describing CISA’s red team against a fed agency:  “[A]ttempts to capture forensic data via packet captures occurred directly on the compromised Solaris and Windows hosts, where the red team observed the data being collected and therefore had the opportunity to disrupt collection, tam...

When I was a sophomore in high school, from 1987 to 1988, my friend Paul and I had Commodore C64 computers. There was a new graphical user interface called GEOS that had transformed the way we interacted with our computers. We used the C64 to play games but also write papers for school. One day Paul called me. He was clearly troubled. He had somehow dragged his newly completed term paper into the trash bin instead of the printer. If I recall correctly, back then they were right next to each other (although the screen shot above shows them separate).  Paul asked if I knew any tricks that could retrieve his paper. There was no undelete function in GEOS. I subscribed to a magazine called Compute's Gazette, for Commodore owners. I remembered seeing an article in the magazine that included code for undeleting files dropped in the GEOS "Waste Basket." All I had to do was type it in by hand, save it to a 5 1/4 inch floppy, drive to Paul's house, and see if the program would ...

  In the fall of 1998 I joined the AFCERT. I became acquainted with the amazing book TCP/IP Illustrated, Volume 1: The Protocols  by W. Richard Stevens. About a year later I exchanged emails with Mr. Stevens. Here is the last exchange, as forwarded from my AFCERT email address to my home email. From "Capt Richard Bejtlich - Real Time Chief" Mon Sep  6 18:27:35 1999 X-Mozilla-Keys:                                                                                  Received: from kinda.csap.af.mil (kinda.csap.af.mil [192.203.2.250])           by mw4.texas.net (2.4/2.4) with SMTP   id RAA22116 for <bejtlich@texas.net>; Mon, 6 Sep 1999 17:27:38 -0500 (CDT) Received: by kinda.csap.af.mil (Smail3.1.29.1 #7) id m11O7Ee-000NcwC; Mon, 6 Sep 99...

This is unusual. I found this "skills and interest radar" diagram I created in July 2005. It looks like my attempt to capture and prioritize technical interests. At the time I was about to start consulting on my own, IIRC.

  I wrote this on 7 December 2018 but never published it until today. The following are the "key network questions" which "would answer many key questions about [a] network, without having to access a third party log repository. This data is derived from mining Zeek log data as it is created, rather than storing and querying Zeek logs in a third party repository." This is how I was thinking about Zeek data in the second half of 2018. 1. What networking technologies are in use, over user-specified intervals?    1. Enumerate non-IP protocols (IPv6, unusual Ethertypes)    2. Enumerate IPv4 and IPv6 protocols (TCP, UDP, ICMP, etc.)    3. What is the local IP network topology/addressing scheme? 2. What systems are providing core services to the network, over user-specified intervals?    1. DHCP    2. DNS    3. NTP    4. Domain Controller    5. File sharing    6. Default gateway (via DHCP inspection...