Posts

Showing posts with the label virtualization

Troubleshooting NSM Virtualization Problems with Linux and VirtualBox

I spent a chunk of the day troubleshooting a network security monitoring (NSM) problem. I thought I would share the problem and my investigation in the hopes that it might help others. The specifics are probably less important than the general approach. It began with ja3. You may know ja3 as a set of Zeek scripts developed by the Salesforce engineering team to profile client and server TLS parameters. I was reviewing Zeek logs captured by my Corelight appliance and by one of my lab sensors running Security Onion. I had coverage of the same endpoint in both sensors. I noticed that the SO Zeek logs did not have ja3 hashes in the ssl.log entries. Both sensors did have ja3s hashes. My first thought was that SO was misconfigured somehow to not record ja3 hashes. I quickly dismissed that, because it made no sense. Besides, verifying that intuition required me to start troubleshooting near the top of the software stack. I decided to start at the bottom, or close to the bottom. I ha...

Fixing Virtualbox RDP Server with DetectionLab

Yesterday I posted about DetectionLab, but noted that I was having trouble with the RDP servers offered by Virtualbox. If you remember, DetectionLab builds four virtual machines:

root@LAPTOP-HT4TGVCP C:\Users\root> "c:\Program Files\Oracle\VirtualBox\VBoxManage" list runningvms
"logger" {3da9fffb-4b02-4e57-a592-dd2322f14245}
"dc.windomain.local" {ef32d493-845c-45dc-aff7-3a86d9c590cd}
"wef.windomain.local" {7cd008b7-c6e0-421d-9655-8f92ec98d9d7}
"win10.windomain.local" {acf413fb-6358-44df-ab9f-cc7767ed32bd}

I was having a problem with two of the VMs sharing the same port for the RDP server offered by Virtualbox. This meant I could not access one of them. (Below, port 5932 has the conflict.)

root@LAPTOP-HT4TGVCP C:\Users\root\git\detectionlab\DetectionLab\Vagrant> "c:\Program Files\Oracle\VirtualBox\VBoxManage" showvminfo logger | findstr /I vrde | findstr /I address
VRDE:                        enabled (Ad...

Trying DetectionLab

Many security professionals run personal labs. Trying to create an environment that includes fairly modern Windows systems can be a challenge. In the age of "infrastructure as code," there should be a simpler way to deploy systems in a repeatable, virtualized way -- right? Enter DetectionLab, a project by Chris Long. Briefly, Chris built a project that uses Packer and Vagrant to create an instrumented lab environment. Chris explained the project in late 2017 in a Medium post, which I recommend reading. I can't even begin to describe all the functionality packed into this project. So much of it is new, but this is a great way to learn about it. In this post, I would like to show how I got a version of DetectionLab running. My build environment included a modern laptop with 16 GB RAM and Windows 10 Professional. I had already installed Virtualbox 6.0 with the appropriate VirtualBox Extension Pack. I had also enabled the native OpenSSH server and performed all...