Derek Thomas

  • Registered on: 08/10/2009
  • Last connection: 05/25/2011

Projects

Activity

Reported issues: 0

05/25/2011

02:44 PM SimWitty Water Cooler: RE: How Open Source Projects Can Prepare Students for Better Careers
I think that SimWitty has a good track record for their interns that have gone through the program. I wonder if we could get SimWitty involved with the Summer of Code program?

12/03/2010

04:08 AM SimWitty Water Cooler: RE: SIEM Best Practices
Here are my notes from another SANS webcast https://www.sans.org/webcasts/detecting-advanced-threats-malware-siem-93643 h1. Detecting Advanced Threats and Malware with SIEM SIEM is log data collection, aggregation, normalization, retention, ...
03:02 AM SimWitty Water Cooler: SIEM Best Practices
I watched a great SANS webcast called Operationalizing Security - Making the top 10 SIEM best practices work; Metrics, Processes and Technologies. This webcast will be very insightful for any SimWitty members. SimWitty does address most of these...

07/25/2010

01:27 PM SimWitty Dev - SimWitty IDS: IDS evasion
Here is another IDS evasion technique: http://www.packetstan.com/2010/07/linux-2426-kernel-off-by-one-tcp.html Basically it uses invalid timestamps that are accepted by Linux. A malicious packet could be fragmented with invalid timestamps, th...
01:21 PM SimWitty Water Cooler: RE: Sagan: An open-source event correlation system
SAGAN looks very cool. We have all the events and a database already so I think we need to examine the rules that it uses. I wonder if we could integrate the SAGAN rule set somehow.

06/10/2010

03:14 AM SimWitty Dev - SimWitty Port Scanner: Probe Response
The portscanner code has been updated. The responses to the TCP Syn probes are now captured, and if the Syn-Ack field is present in the TCP packet then a "port open" message is displayed. !Capture.PNG!

06/07/2010

03:29 PM SimWitty Dev - SimWitty Port Scanner: PortScanner Update
Wolf found the problem with the portscanner. The TCP Checksum was bad and one line of code fixed the problem. We have a good handle on incorporating the capture portion that will receive and analyze the responses to our probes. I hope to have t...

06/04/2010

01:10 AM SimWitty Dev - SimWitty Port Scanner: RE: PortScanner Prototype
The source code is found in the Repository in the Sandbox. The source and destination IPs are hardcoded, so you will have to modify their values for your network. Make sure you are referencing packetdotnet.dll found in the repository in the depende...

06/03/2010

12:18 PM SimWitty Dev - SimWitty Port Scanner: PortScanner Prototype
I'm making progress on the prototype Port Scanner. Right now it currently sends out the SYN packet to the well known ports 0-1023. The packets are not triggering the expected SYN-ACK response which is a problem, but one that should be easily fix...

05/03/2010

01:07 PM SimWitty Water Cooler: RE: Simmy the Whitehat Worm
Looks good guys, great job!
