Reading in serial port data using

Two articles were very helpful


Back on the #SQLSourceControl horse again. #ApexSQL

I originally had high hopes for using Redgate source control, but we hit some snags where it pretty much just stopped working… lame

Recently started playing with ApexSQL source control… so far, fingers crossed, it appears to be working.

More #Whitelisting fun

So one would think that you can just use


And you would be good…. well not really, you also want

C:\Program Files

Do the same for the x86 Directory….

Also, it doesn’t seem to like network drives in the whitelist; use the UNC path instead.

I don’t know how it plays with DFS

#Whitelist #Blacklist #Brownfish #Bluefish

So, no one likes getting malware. Am I right, or am I right?

So, after reading a whole bunch of posts about how to blacklist, I decided to try it.

Most places say you should blacklist like



The thing about this though is

Sure, it blocks .exe files from being executed in the root of AppData and in the first level of subfolders of AppData, but that’s it; it doesn’t block any deeper. It also only blocks .exe files, and there are certainly a lot of bad things that can run other than .exe.

So what is a person to do?

Well, if you blacklist


Guess what happens. The folder and all of its subfolders are blacklisted, and it blocks not just .exe files but everything on the Designated File Types list… a long list of executable code file types.

Where did this bad configuration come from? I don’t know, but it doesn’t seem like good advice.
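One way to audit a machine for the narrow rules described above, as an added example that is not from the original post. It assumes the rules are Windows Software Restriction Policies path rules stored under the `Safer\CodeIdentifiers` policy key; the function names are hypothetical and the sample rules are constructed to mirror the post's description.

```powershell
# Added example, not from the original post. Assumes SRP path rules under the Safer key.
$roots = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers',
         'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

function Test-ExtensionOnlyRule {
    # True when the last path segment is a file wildcard such as *.exe,
    # i.e. the rule covers one extension at one folder depth only.
    param([Parameter(Mandatory)][string]$RulePath)
    $leaf = ($RulePath.TrimEnd('\') -split '\\')[-1]
    return $leaf -match '^\*\.\w+$'
}

function Get-DisallowedPathRule {
    # Lists every Disallowed path rule, machine-wide and per-user.
    param([string[]]$Root = $roots)
    foreach ($r in $Root) {
        $paths = Join-Path $r '0\Paths'   # security level 0 = Disallowed
        if (-not (Test-Path -LiteralPath $paths)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $paths) {
            # Read the rule as written, without expanding %VARIABLES%.
            $opt = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames
            $raw = $key.GetValue('ItemData', $null, $opt)
            if (-not $raw) { continue }
            [pscustomobject]@{
                Hive          = $r.Substring(0, 4)
                Rule          = $raw
                ExtensionOnly = Test-ExtensionOnlyRule $raw
            }
        }
    }
}

# Constructed sample rules: classify them without touching the registry.
'%AppData%\*.exe', '%AppData%\*\*.exe', '%AppData%' | ForEach-Object {
    '{0,-20} ExtensionOnly={1}' -f $_, (Test-ExtensionOnlyRule $_)
}

# Live audit: Disallowed rules on this machine, then the Designated File Types
# list that a folder-level rule applies to.
Get-DisallowedPathRule | Format-Table -AutoSize
foreach ($r in $roots) {
    $p = Get-ItemProperty -LiteralPath $r -Name ExecutableTypes -ErrorAction SilentlyContinue
    if ($p.ExecutableTypes) {
        '{0} Designated File Types: {1}' -f $r.Substring(0, 4), ($p.ExecutableTypes -join ', ')
    }
}
```

Rules reported with `ExtensionOnly` set to True are the ones that leave deeper subfolders and other file types uncovered.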

But, after all that. I think what you really want to do anyways is white listing.

The best paper I have found on whitelisting is this NSA one.

#AlienVault #OSSIM getting buried by connect and disconnect messages

Solution is here

File to edit is /etc/ossim/agent/plugins/sonicwall.cfg

Add “exclude_sid=” (without quotes) to the sonicwall plugin config, followed by the SIDs that you don’t want to appear in AlienVault. It will nuke them at the agent level. Comma separated please, with no spaces between (e.g. exclude_sid=8698251,8699283). You can find the SID number in question by opening the event in the SIEM that you don’t want to keep and looking for (you guessed it) “Event Type ID”.

Hmm, but it doesn’t seem to be filtering yet… will have to keep stabbing.