Friday, October 07, 2011

Book Review: Practical Packet Analysis, 2nd Ed

Book Review: Practical Packet Analysis, 2nd Edition
Author: Chris Sanders
Published By: no starch press
ISBN: 978-1-59327-266-1


Practical Packet Analysis: Using Wireshark to Solve Real-World Network Problems

"It's easy enough to install Wireshark and begin capturing packets off the wire--or from the air. But how do you interpret those packets once you've captured them? And how can those packets help you to better understand what's going on under the hood of your network? Practical Packet Analysis shows how to use Wireshark to capture and then analyze packets as you take an indepth look at real-world packet analysis and network troubleshooting. The way the pros do it."

I was asked to review this book a while ago, and only recently, with a few long business trips, did I get the time to read it.

Packet analysis, and getting down to the real under-the-bonnet workings of how devices communicate, has always been of interest to me. And I suppose everyone knows one of the best free tools for doing this is Wireshark.

Chris Sanders has updated this second edition with new content, and starts right at the beginner's level: what packet analysis is, how to capture traffic in various scenarios, and how to use Wireshark to then analyze that data. The book is almost a beginner's course in Wireshark in itself.

It's nowhere near as detailed as a book from Bejtlich or Chappell, but if you are a beginner and want to learn how to use Wireshark, how to create filters, merge captures, follow TCP streams, and bring up statistics on the conversations happening in the network, then you will get something from the book.

In addition to going over the Wireshark interface, Sanders also takes the reader through the basics of many protocols, and produces captures to back up the theory of each, which can all be downloaded from the no starch website.

There are also small sections on packet analysis for security and wireless, to get you started on your quest for knowledge in these areas.

Overall, I enjoyed the book, and if you are not looking to jump in at the deep end, but want to learn something new about Wireshark and how common protocols work, then this book is for you.
Sunday, September 04, 2011

Cisco MARS 6.1.3 Released

If you are still using MARS, you will be pleased to hear Cisco released MARS version 6.1.3 a couple of weeks ago.

No new features, which is not surprising given it is end of sale, but a few bugs have been fixed.

Some signature updates, as in the table below, but you may also notice some devices are now over a year out of date!

New Features
This release contains no new features. It is a release dedicated to issue resolution.

Changes and Enhancements
All changes made in this release are related to the issues listed in Caveats.

You can read the release notes HERE.

Tuesday, June 28, 2011

Beyond the Cisco MARS End of Sale Date.

I note, via the number of emails and blog visitors, that the search for Cisco MARS replacements is starting to hot up now that the End-of-Sale date has officially passed.

That said, I have had a few emails recently telling me that their local partner is offering them a good deal on a new MARS appliance!

So have you started your replacement search?

Wednesday, April 13, 2011

Guest Post: How to Replace a SIEM?

How to Replace a SIEM
by Dr. Anton Chuvakin
Ouch! That “Venus” SIEM appliance that we got with the routers has finally croaked. That piece of PHP brilliance that the pre-pre-previous security engineer wrote has been buried under a thick pile of XML. That managed SIEM provider has annoyed us one last time.

What do the above situations have in common? The unfortunate time to replace your SIEM has come. What to expect, apart from copious amounts of pain? This post will shed some light on this conundrum, based on the author’s experiences.

First, it goes without saying that it is better to choose the right SIEM the first time (e.g. see “On Choosing SIEM” and other posts mentioned below) than to migrate from a SIEM that has been collecting logs (and dust) for a few years. However, you might not have any say in the matter – you might have inherited it, your “evil boss” might have procured the previous SIEM without asking you, or you might have built it yourself after a particularly bad hangover… Also, your organization might have simply outgrown the SIEM, or your early-generation SIEM vendor has not kept up with innovation in the space. In any case, you have a SIEM and you need a new one.

Let’s look at the good side of the situation:

  • It is very likely that you learned some super-valuable lessons from your previous SIEM experience (other people have to hire consultants to get to those lessons) and now can avoid the common purchasing process pitfalls (some discussed here, BTW)
  • You have much more confidence while discussing confusing SIEM features with vendors – speaking from your previous SIEM experience (this alone will make your new SIEM purchase process much less painful)
  • You have some semblance of the logging policy across the systems that log into SIEM – that puts you ahead of those organizations who are just getting their first SIEM or log management tool
  • It is possible that you built some operational procedures around SIEM (such as for PCI DSS log review or other purposes) and those would be handy for a new SIEM as well
  • If you have to write an RFP (as I discuss here), the chances are that your new RFP would be MUCH better and more likely to result in a good vendor short list
  • Treat this situation as positive, think “I now know more than 90% of people buying a SIEM, thus my new SIEM project will be a success”

A few things to avoid and pay attention to:
  • Suppress that “I’d buy anything but this crap” mentality – think “what problems will a new SIEM solve or solve better?”
  • Avoid taking shortcuts (such as not doing a PoC); you are more knowledgeable, but not prescient…

What might a migration process look like? This assumes that you have already selected a new product, tested it in the lab and are ready for production deployment.
  • Prepare to run both products for some time – this might range from a few weeks to months
  • Draft the new SIEM vendor to help you migrate the data; after all, they are getting the prize 
  • Potentially, be prepared to keep the old SIEM running (without paying for the support contract, of course) or at least keep the old data backups – this becomes important if complete data migration is impossible due to architecture differences between the new and old SIEMs. Ideally, your log management tool will hold raw log backups and so keeping the old SIEM in operation won’t be needed.
  • One of the biggest migration efforts will be migrating SIEM content: reports, rules, views, alerts, etc. As we all know, such content is not really portable across SIEMs and you should be prepared to simply recreate all the custom content AND all the default content that you used in the old SIEM and that the new SIEM might lack.

By the way, I have seen more than a few organizations start from an open source SIEM or home-grown log management tool, learn all the lessons they can without paying any license fees – and then migrate to a commercial SIEM tool. Their projects are successful more often than pure “buy commercial SIEM on day 1” projects, and this might be a model to follow (I once called this the “build then buy” approach).

Dr. Anton Chuvakin

Sunday, March 06, 2011

AD: 10 Reasons for Migrating from MARS to AccelOps

Sponsor Advertisement

AccelOps, the integrated datacenter and cloud monitoring company, today announced a Competitive Upgrade Package with “10 Reasons for Migrating from CS-MARS to AccelOps” exclusively for Cisco CS-MARS security appliance customers and resellers. This is in response to market demand from the current CS-MARS user community and resellers seeking a migration path following the recent End-of-Life of CS-MARS.

The company's new executive brief, "10 Reasons for Migrating from CS-MARS to AccelOps", outlines the many advantages available to CS-MARS clients that migrate to AccelOps' fully integrated datacenter and cloud monitoring platform.

Friday, March 04, 2011

Cisco MARS 6.1.2 Released

Looks like Cisco released MARS 6.1.2 towards the end of February.

Obviously no new features, but there are signature updates and a couple of fixes.

New Features
This release contains no new features. It is a release dedicated to issue resolution.

You can read the release notes HERE.

Monday, February 21, 2011

February Update

With the Cisco MARS End of Life dates having finally been announced at the end of last year, I am starting to see more enquiries to the blog about replacement products.

So I have lined up some new content for the blog, including some great guest articles, and I am still looking for more.