Getting Snort PPS (Packet Per Second) versus Timestamp

November 24th, 2011, by Josh

This might be useful to someone: a simple bash script that outputs a CSV of human-readable times versus PPS. Both the PPS and the times are derived from Snort's /var/log/snort/snort.stats file, which is generated by enabling the performance monitor preprocessor.

#!/bin/bash
#
# josh@securemind.org

# get and process snort's own stats file
# field 1 is the unix timestamp, field 5 the kilo-packets per second;
# the sed drops the header line, comment lines, blank lines and stray whitespace
cut -d, -f 1 /var/log/snort/snort.stats | sed '1d;/^[#]/d;/^$/d;s/^[ ]*//;s/[ ]\+/,/g' > temp1.file
cut -d, -f 5 /var/log/snort/snort.stats | sed '1d;/^[#]/d;/^$/d;s/^[ ]*//;s/[ ]\+/,/g' > temp2.file

INPUT="temp1.file"

# this converts the unix timestamp to human readable and selects only the hh:mm:ss portion of it for printout
# (a +%H:%M:%S format is used instead of cutting on spaces, which breaks on single-digit days of the month)
: > temp3.file   # start from an empty file so a re-run does not append to stale data
while read -r line
  do
    date -d "@$line" +%H:%M:%S >> temp3.file
  done < "$INPUT"

# this sets up the final csv and gives it headers
echo "time, kilo-pps, pps" > snort-stats.csv

# this line takes the timestamps and the packet count and calculates a third column PPS and puts them into the csv
paste temp3.file temp2.file | sed 's/\t/,/g' | uniq | awk 'BEGIN {FS=OFS=","}{$3=$2*1000}1' >> snort-stats.csv

# clean up and get ready to start over
# rm -f out.* temp*.file
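The same transformation as the script above, written as an added Python example (not the original post's code): it selects the time and kilo-pps columns by the names in the stats header rather than by fixed position, formats the epoch time portably, and drops consecutive repeats the way the script's `uniq` does. The sample stats text and its column names are constructed for the example and assumed to match the perfmonitor layout.

```python
"""Convert a Snort perfmonitor stats file into a time,kilo-pps,pps CSV."""
import csv
import io
from datetime import datetime, timezone

# Constructed sample in the layout of snort.stats: a '#'-prefixed header naming
# each comma-separated column, then one row per sampling interval.  The column
# names are assumed; only "time" and the kilo-pps column are used below.
SAMPLE_STATS = """\
#time,pkt_drop_percent,wire_mbits_per_sec.realtime,alerts_per_second,kpackets_wire_per_sec.realtime
1322134200,0.000,12.345,0.100,1.250
1322134260,0.000,13.000,0.000,1.500
1322134260,0.000,13.000,0.000,1.500
1322134320,0.010,9.870,0.200,0.875
"""

TIME_COL = "time"
KPPS_COL = "kpackets_wire_per_sec.realtime"


def parse_stats(text):
    """Return (hh:mm:ss, kpps, pps) rows, skipping blank and '#' lines and
    exact consecutive repeats.  Times are rendered in UTC so the output does
    not depend on the host's timezone (the bash script uses local time)."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].lstrip("#").split(",")
    try:
        t_idx, k_idx = header.index(TIME_COL), header.index(KPPS_COL)
    except ValueError as exc:
        raise ValueError("stats header lacks expected column: %s" % exc)
    rows, previous = [], None
    for line in lines[1:]:
        if line.startswith("#"):
            continue
        fields = line.split(",")
        stamp = datetime.fromtimestamp(int(fields[t_idx]), tz=timezone.utc)
        kpps = float(fields[k_idx])
        row = (stamp.strftime("%H:%M:%S"), kpps, kpps * 1000)
        if row != previous:          # mirrors `uniq`: drop adjacent duplicates only
            rows.append(row)
        previous = row
    return rows


def to_csv(rows):
    """Serialise rows with the same header the bash script writes."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["time", "kilo-pps", "pps"])
    writer.writerows(rows)
    return buf.getvalue()
```

Replace `SAMPLE_STATS` with the contents of `/var/log/snort/snort.stats` to run it against a live file.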
Categories: Linux, Security

Prototype Shannon’s Entropy of Multiple Files

March 12th, 2011, by Josh

I'm working on a project where I need to calculate Shannon's entropy of multiple files. I thought I would share some proto-code (Python and Bash) that I threw together to get the job done; this is just alpha code at the moment. The end goal is to compare multiple files' similarity to gauge randomness or the lack thereof.

Straightforward: you'll need Python and a bash interpreter.

Calculate_Shannons_Entropy_v1_proof.tar.bz2
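An added Python example of the calculation the post describes (not the proto-code in the tarball above): Shannon entropy in bits per byte for each of several files, ranked so that high-entropy (compressed or encrypted-looking) content stands out from plain text. The sample inputs are constructed in memory; `entropy_of_file` is the helper you would point at real paths.

```python
"""Shannon entropy of byte strings and files, ranked for comparison."""
import math
from collections import Counter
from pathlib import Path


def shannon_entropy(data):
    """H = -sum(p_i * log2(p_i)) over the byte values present in `data`.
    Ranges from 0.0 (one repeated byte) to 8.0 (all 256 values equally likely)."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def entropy_of_file(path):
    """Entropy of a file on disk, read as raw bytes."""
    return shannon_entropy(Path(path).read_bytes())


def rank_by_entropy(blobs):
    """Return (name, entropy) pairs sorted highest first, so the files whose
    bytes look most random sit at the top of the listing."""
    scored = ((name, shannon_entropy(data)) for name, data in blobs.items())
    return sorted(scored, key=lambda item: item[1], reverse=True)


# Constructed inputs: a single repeated byte, English-like text, and every
# byte value an equal number of times (the theoretical 8 bits/byte maximum).
SAMPLE_FILES = {
    "zeros.bin": b"\x00" * 1024,
    "text.txt": b"the quick brown fox jumps over the lazy dog " * 20,
    "uniform.bin": bytes(range(256)) * 4,
}

if __name__ == "__main__":
    for name, h in rank_by_entropy(SAMPLE_FILES):
        print("%-12s %.3f bits/byte" % (name, h))
```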

Categories: Uncategorized

PPC Virtualization Support Question Response

February 17th, 2011, by Josh

In response to a question that was posed to me the other day, the following information is an excerpt from a report I prepared on PPC virtualization support.

To answer the question of whether or not KVM is supported by any PPC CPUs:

  • The current development work on KVM has been limited to the PowerPC 440 CPU. This CPU has no on-board facility for virtualization; they are using some emulation to allow PowerPC guests to run on the PowerPC host. I haven't seen any mention of cross-architecture virtualization. QEMU could of course accomplish this with its processor emulation mode, but at that point you would be using two layers of "soft" virtualization, which would not benefit performance in any way. At this time the development team specifically seems to be avoiding PowerPC systems that have an integrated hypervisor.
  • For the Xen hypervisor, their development process has enabled them to use the hypervisor on the PowerPC 970 CPU. This allows for high performance and minimal modification to the Linux operating system. The current support list for Xen PPC lists the PPC 970 CPU on the Maple PPC970 and IBM JS20/JS12 blades (with custom firmware). However, the last development efforts seem to have taken place back in 2007.
Categories: Linux

Virtualization, Utility Computing, Cloud Computing Perspective

January 13th, 2011, by Josh

I keep hearing net-admins, VM folks, and project managers misrepresent these terms (virtualization, utility computing, cloud computing) over and over again. So I thought I would provide not only my perspective but also the general consensus from the experts on the matter.

As we know, virtualization can be the emulation of hardware in software, but it goes further than that. It is not just the ability to be a "fake" machine that exists only as software; it can additionally be the emulation of any service, such as an operating system, kernel, or any other type of software whose input and output characteristics can be copied. Virtualization exists either on a single hardware platform or distributed across many machines.

Cloud computing is not virtualization; instead, a cloud is a complete service offering that exists on systems and networks outside of the end user's control. Confusion arises when people see a distributed VM infrastructure and think that it is a cloud. It is not: a cloud may consist of a virtualized infrastructure, but it doesn't necessarily have to.

A cloud must offer an administrative interface, a service or machine provisioning interface, and something for the end user. It's that last item that defines the type of cloud, e.g. Software as a Service (SaaS). But how does this differ from mainframe computing, one may ask? In short, in the case of a private cloud, it doesn't. However, if deployed as it was intended, by someone else and somewhere else, then the single characteristic that sets it apart from a mainframe is that it is not the user's (or the user's organization's) responsibility to maintain it.

So where does that leave utility computing? Simply put, utility computing is a business model for cloud computing where you pay to drink from the provider, no different than paying your electric provider for the number of kWh used. In a utility computing environment, CPU cycles and time are tracked and billed to the end user.

To sum it up:

  • You may have VMs, but that doesn't mean you have a cloud.
  • You may have a cloud, but that doesn't necessarily mean you have VMs.
  • You don't deploy clouds, you deploy services.
  • A service may consist of a VM, but doesn't have to.
  • If you are paying usage charges to a computing provider, then you're using utility computing.
  • If you are paying flat rates for service, then you're using cloud computing.
  • If you own the hardware and software and it's on your network, then it's a private cloud.
  • Private clouds are no different than mainframes by definition.

I know that many out there will argue these points, so for more information I point you (in no particular order) to the following resources:

http://www.accountingweb.com/item/107692

Presenting at SPIE Orlando 2011

January 5th, 2011, by Josh

I'll be presenting 3 papers at the SPIE conference on Defence, Security and Sensing this year, entitled:

  • A method of hardware support for high-speed data capture at 40 Gbps and beyond
  • An analysis of coupling attacks in high-speed fiber optic networks
  • Single-ended IP roaming solution for dynamic network reconstruction

The first two papers were written with Adam Pilbeam as part of our hobby work. The third is a company paper.

Hope to see a few familiar faces.

25 – 29 April 2011

Orlando World Center

Marriott Resort & Convention Center

Orlando, Florida, USA

Categories: PLONS, Security

Malware Research Relationship Fostering

August 11th, 2010, by Josh

I'm looking to foster relationships between the malware research and defence community and the company I work for. As such, I'm sharing my malware archive with those who are interested. So if you are interested, contact me on LinkedIn and I'll send you a list of what's in the master archive, and then we'll work out how to transfer it. Over a couple of years I've collected a massive amount of malware; these range from viruses, Trojans, bots, etc. In total there's 75+ GB of fun.

So contact me for more info.

Categories: Security
