Two articles were very helpful
http://sourceforge.net/projects/vbserialcomport/files/
I originally had high hopes for using Redgate source control, but we hit some snags where it pretty much just stopped working.... lame
Recently started playing with ApexSQL source control… so far, fingers crossed, it appears to be working.
So one would think that you could just whitelist the registry path
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%
and you would be good.... well, not really: you also want the literal path
C:\Program Files
Do the same for the x86 directory....
Also, it doesn't seem to like network drives (mapped drive letters) in the whitelist; use the UNC path instead....
I don’t know how it plays with DFS
So, no-one likes getting malware. Am I right, or am I right.
So, after reading a whole bunch of posts about how to blacklist, I decided to try it.
Most places say you should blacklist something like
%AppData%\*.exe
%AppData%\*\*.exe
The thing about this, though, is that it only blocks .exe files in the root of AppData and in its immediate subfolders; it doesn't block anything deeper. It also only blocks .exe files, and there are certainly a lot of bad things that can happen other than .exe.
So what is a person to do?
Well, if you blacklist
%AppData%
guess what happens: the folder and all its subfolders are blacklisted, and not just .exe files but everything on the Designated File Types list... a long list of executable code file types....
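To make the depth and file-type difference between the three rules concrete, here is an added example (not code from the original post, and not Microsoft's SRP implementation): a small Python model of how SRP path rules match. It assumes a constructed %AppData% value, a constructed subset of the Designated File Types list, and the documented SRP behaviour that a folder rule covers everything beneath it while * and ? only match within a single path component. The same matcher also runs a default-deny whitelist for Program Files and Windows, which is the configuration the post ends up recommending.

```python
import fnmatch
import ntpath

# Constructed subset of the SRP "Designated File Types" list; the real list is longer.
DESIGNATED_FILE_TYPES = {"exe", "com", "bat", "cmd", "vbs", "js", "msi", "scr", "hta", "lnk", "pif"}

# Constructed environment used to expand %AppData%-style variables in rules.
ENV = {"AppData": r"C:\Users\alice\AppData\Roaming"}


def expand(path):
    out = path
    for name, value in ENV.items():
        out = out.replace(f"%{name}%", value)
    return out


def normalize(path):
    # Case-insensitive, expanded, without a trailing backslash.
    return expand(path).rstrip("\\").lower()


def split_parts(path):
    return normalize(path).split("\\")


def rule_matches(rule, file_path):
    """Model of one SRP path rule.

    - Without wildcards the rule names a file or a folder; a folder rule covers
      every file beneath it at any depth (prefix match on path components).
    - '*' and '?' match inside a single path component only, so
      '%AppData%\\*.exe' never reaches into subfolders.
    """
    rule_parts = split_parts(rule)
    file_parts = split_parts(file_path)
    if not any(ch in rule for ch in "*?"):
        return file_parts[: len(rule_parts)] == rule_parts
    if len(rule_parts) != len(file_parts):
        return False
    return all(fnmatch.fnmatchcase(f, r) for f, r in zip(file_parts, rule_parts))


def is_designated(file_path):
    ext = ntpath.splitext(file_path)[1].lstrip(".").lower()
    return ext in DESIGNATED_FILE_TYPES


def decide(file_path, rules, default):
    """rules: list of (path_rule, level) with level 'Disallowed' or 'Unrestricted'.

    Files outside the designated types are not subject to path rules at all.
    Among matching rules the most specific (longest expanded path) wins, and on a
    tie the more restrictive level wins, mirroring SRP's precedence for path rules.
    """
    if not is_designated(file_path):
        return "Unrestricted"
    matches = [(len(normalize(r)), level) for r, level in rules if rule_matches(r, file_path)]
    if not matches:
        return default
    best = max(matches, key=lambda m: (m[0], m[1] == "Disallowed"))
    return best[1]


# The three configurations discussed in the post.
BLACKLIST_SHALLOW = [(r"%AppData%\*.exe", "Disallowed"), (r"%AppData%\*\*.exe", "Disallowed")]
BLACKLIST_FOLDER = [(r"%AppData%", "Disallowed")]
WHITELIST = [
    (r"C:\Program Files", "Unrestricted"),
    (r"C:\Program Files (x86)", "Unrestricted"),
    (r"C:\Windows", "Unrestricted"),
]

# Constructed sample paths: nothing here refers to real files.
SAMPLES = [
    r"%AppData%\dropper.exe",
    r"%AppData%\vendor\dropper.exe",
    r"%AppData%\vendor\cache\deep\dropper.exe",
    r"%AppData%\invoice.vbs",
    r"%AppData%\notes.txt",
    r"C:\Program Files\Vendor\app.exe",
    r"C:\Users\alice\Downloads\setup.msi",
]


def evaluate(rules, default):
    """Return {sample_path: decision} for one rule set and default level."""
    return {p: decide(p, rules, default) for p in SAMPLES}


if __name__ == "__main__":
    for name, rules, default in [
        ("shallow blacklist", BLACKLIST_SHALLOW, "Unrestricted"),
        ("folder blacklist", BLACKLIST_FOLDER, "Unrestricted"),
        ("whitelist (default Disallowed)", WHITELIST, "Disallowed"),
    ]:
        print(f"== {name}")
        for path, verdict in evaluate(rules, default).items():
            print(f"  {verdict:13} {path}")
```

Running it shows the post's point directly: the two wildcard rules leave the deeper dropper.exe and the .vbs file Unrestricted, the bare %AppData% rule blocks all four AppData executables (but still lets notes.txt through, since .txt is not a designated type), and the whitelist with a Disallowed default blocks everything that is not under an allowed folder, including the Downloads .msi.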
Where did this bad configuration come from? I don’t know, but it doesn’t seem like good advice.
But, after all that, I think what you really want to do anyway is whitelisting.
The best paper I have found on whitelisting is this NSA one.
https://www.nsa.gov/ia/_files/os/win2k/application_whitelisting_using_srp.pdf
Solution is here
https://www.alienvault.com/forums/discussion/1211/sonicwall-ossim-how
File to edit is /etc/ossim/agent/plugins/sonicwall.cfg
add “exclude_sid=” (without quotes) to the sonicwall plugin config and add the SIDs that you don’t want to appear in AlienVault. It will nuke them at the agent level. Comma separated please, with no spaces between (ex. exclude_sid=8698251,8699283). You can find the SID number in question by opening the event in the SIEM that you don’t want to keep and looking for (you guessed it) “Event Type ID”.
hmm, but it doesn’t seem to be filtering yet.... will have to keep stabbing
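Since the directive is easy to mistype (the forum answer insists on no spaces), here is an added example, not the ossim-agent's own code, that parses exclude_sid from a constructed plugin config fragment, flags tokens that are not bare digit runs, and drops matching events the way the agent-level filter is described to. The [config] section name and the other keys in the fragment are assumptions for illustration; the SID values are the ones quoted in the post.

```python
import configparser
import re

# Constructed fragment of a plugin config; section and key names other than
# exclude_sid are illustrative, not copied from the real sonicwall.cfg.
SAMPLE_CFG = """\
[config]
type=detector
enable=yes
exclude_sid=8698251,8699283
"""

# Same fragment with the mistake the forum answer warns about: a space after the comma.
BAD_CFG = SAMPLE_CFG.replace("8698251,8699283", "8698251, 8699283")


def parse_exclude_sid(cfg_text, section="config"):
    """Return (set_of_sids, list_of_problems).

    Tokens are accepted only if they are a pure run of digits, so a stray space
    or non-numeric value is reported instead of silently becoming a SID that
    never matches anything.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(cfg_text)
    raw = cp.get(section, "exclude_sid", fallback="")
    sids, problems = set(), []
    if not raw:
        return sids, problems
    for token in raw.split(","):
        if re.fullmatch(r"\d+", token):
            sids.add(int(token))
        else:
            problems.append(f"malformed exclude_sid token {token!r}: expected digits only, no spaces")
    return sids, problems


# Constructed events as the agent would see them after the plugin's log regex;
# "sid" stands for the Event Type ID shown in the SIEM. Messages are made up.
SAMPLE_EVENTS = [
    {"sid": 8698251, "msg": "constructed event A"},
    {"sid": 1, "msg": "constructed event B"},
    {"sid": 8699283, "msg": "constructed event C"},
    {"sid": 537, "msg": "constructed event D"},
]


def filter_events(events, excluded):
    """Drop events whose SID is in the exclusion set, keeping order."""
    return [e for e in events if e["sid"] not in excluded]


def remaining_sids(cfg_text, events=SAMPLE_EVENTS):
    """Convenience: SIDs that would still reach the SIEM under this config."""
    sids, _ = parse_exclude_sid(cfg_text)
    return [e["sid"] for e in filter_events(events, sids)]


if __name__ == "__main__":
    for label, cfg in [("good", SAMPLE_CFG), ("bad", BAD_CFG)]:
        sids, problems = parse_exclude_sid(cfg)
        print(f"{label}: excluded={sorted(sids)} problems={problems}")
        print(f"  events still forwarded: {remaining_sids(cfg)}")
```

With the well-formed line both quoted SIDs are dropped and only events 1 and 537 are forwarded; with the space after the comma only the first SID parses, the second is reported as malformed, and event 8699283 keeps coming through, which is the kind of silent partial failure worth checking for before blaming the plugin.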