PaulDotCom Security Weekly - Episode 27 - May 11, 2006
Live from the PaulDotCom Security Weekly Studio....
We had two special guests on the show, Kevin Amorin from Harvard and co-developer of Packet Fence, and Martin Mckeay of the Network Security Podcast.
This episode was also broadcast over SkypeCast, so look for us each week when we record. It will also be announced in our IRC chatroom #pauldotcom on Freenode (irc.freenode.net).
- Sponsored by Core Security, listen for the discount code at the end of the show
- Sponsored by Syngress, be the first to post the answer to the question at the end of the show and win a free book!
- Sponsored by The SANS Institute, listen to the discount code for SANSFIRE this summer for 5% off this conference
- Please go update our frapper map!
- Help us get a cool logo and slogan! Go to our contest page and read all about how you can win free Snort gear and a one-year subscription to VRT rules. Sponsored by Sourcefire
- Full Show Notes
Hosts: Larry Pesce, Paul Asadoorian, "Twitchy"
Email: psw@pauldotcom.com
Direct Audio Download
No video this week...

Comments
"SCORE! Get the lotion!" alerts on users surfing porn, appeared in snort 1.8.2 and can be found in the file classification.config.
Posted by: Stefan | May 12, 2006 10:23 AM
Small correction, kick-ass porn is the classification.
Posted by: Stefan | May 12, 2006 10:30 AM
The classification is "kickass-porn" and the file you would have to edit is "classification.config"
Site: http://www.gentoo.org/doc/en/security/security-handbook.xml?part=1&chap=13
Posted by: Dustin Dembrosky | May 12, 2006 10:52 AM
QOTW answer:
kickass-porn and classification.config.
Enjoy the lotion guys ;-)
Posted by: Leon | May 12, 2006 12:05 PM
config classification: kickass-porn,SCORE! Get the lotion!
The classification is porn and the config file to edit is:
classification.config
Info from http://www.gentoo.org/doc/en/security/security-handbook.xml?part=1&chap=13
really good doco from those gentoo folk
Posted by: pete | May 12, 2006 12:13 PM
Syngress QOTW
Part 1 - config classification: kickass-porn,SCORE! Get the lotion!,1
Part 2 - classification.config
-jhs
www.johnhsawyer.com
Posted by: John H. Sawyer | May 12, 2006 12:30 PM
Based on this: http://www.gentoo.org/doc/ro/security/shb-intrusion.xml?glang=ro the answer would be: kickass-porn, and the file you should edit is /etc/snort/classification.config
Posted by: Cd0MaN | May 12, 2006 12:55 PM
In older versions of Snort the classification is:
config classification: kickass-porn,SCORE! Get the lotion!,1
The file to edit to change this message to an office friendly message is
/etc/snort/classification.config
This answer was taken from:
http://www.gentoo.org/doc/en/security/security-handbook.xml?part=1&chap=13
Posted by: BJ Fentress | May 12, 2006 02:49 PM
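The answers above all point at the same three-field line in Snort's classification.config (shortname, short description, priority). As an added example, not from the show or from any commenter, here is a small Python script that parses lines in that format and rewrites only the description of a chosen classification, keeping the priority and every other line untouched. The config text embedded below is a constructed sample, not a real classification.config.

```python
"""Rewrite the description of one Snort classification without touching its priority."""
import re

# Snort classification.config line format (three comma-separated fields):
#   config classification: <shortname>,<short description>,<priority>
CLASS_RE = re.compile(r"^\s*config\s+classification:\s*([^,]+),(.*),(\d+)\s*$")

# Constructed sample of a classification.config fragment (not a real file).
SAMPLE_CONFIG = """\
# classification.config (constructed sample)
config classification: not-suspicious,Not Suspicious Traffic,3
config classification: kickass-porn,SCORE! Get the lotion!,1
config classification: policy-violation,Potential Corporate Privacy Violation,1
"""


def parse_classifications(text):
    """Return {shortname: (description, priority)} for every classification line.

    Comments, blank lines and anything that is not a classification line are skipped.
    """
    result = {}
    for line in text.splitlines():
        m = CLASS_RE.match(line)
        if m:
            name = m.group(1).strip()
            desc = m.group(2).strip()
            prio = int(m.group(3))
            result[name] = (desc, prio)
    return result


def rewrite_description(text, shortname, new_description):
    """Return the config text with the description of `shortname` replaced.

    Comments, blank lines, other classifications and the priority are preserved.
    A comma in the new description would break the three-field format, so refuse it.
    """
    if "," in new_description:
        raise ValueError("description must not contain a comma")
    out = []
    for line in text.splitlines(keepends=True):
        m = CLASS_RE.match(line)
        if m and m.group(1).strip() == shortname:
            # Rebuild the line with the original priority (third field) unchanged.
            line = f"config classification: {shortname},{new_description},{m.group(3)}\n"
        out.append(line)
    return "".join(out)


if __name__ == "__main__":
    before = parse_classifications(SAMPLE_CONFIG)["kickass-porn"]
    updated = rewrite_description(SAMPLE_CONFIG, "kickass-porn", "Adult content policy violation")
    after = parse_classifications(updated)["kickass-porn"]
    print("before:", before)
    print("after: ", after)
```

Pointing the script at a real file would mean reading /etc/snort/classification.config (the path several commenters mention), writing the result back, and restarting Snort so the new description shows up in alerts; the priority is kept on purpose, since that is what downstream alert handling usually keys on.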
The classification would be kickass-porn, and to change the message you would have to edit the classification.config file.
Posted by: Jason | May 12, 2006 03:38 PM
Just some feedback from a junior AV analyst :)
You were talking about web "hacking" tools, so here are a few which I've found useful in my prior life (when I was a web "security" man):
These two are Firefox addons:
http://livehttpheaders.mozdev.org/
https://addons.mozilla.org/firefox/966/
Now some standalone programs:
http://www.portswigger.net/suite/
http://www.parosproxy.org/index.shtml
And an informative page:
http://ha.ckers.org/xss.html
Also the guy over at MightySeek (http://www.mightyseek.com/) did a show about SQL injection which is kind of basic but should be a good primer for anyone interested in this stuff. Now regarding the "AV companies making viruses": I don't believe this to be true, because there is enough malware out there to keep us entertained for the next 100 years :). And yes, most of the malware is very primitive and is based on (stupid) tutorials found on the net.
Keep up the good work guys. Also if you have questions regarding the AV industry, don't hesitate to contact me (should point out though that I'm still a jr. analyst and possibly I don't have a deep insight in future trends, etc)
Posted by: Attila-Mihaly Balazs | May 13, 2006 10:10 AM
Hey guys! Great podcast as usual. If you still have your Stealing the Network books around, I believe that in the first book (how to own the box) there is an example of this type of attack, and includes some of Paul's favorite - Printer Hacking!. And the vulnerable system is in a university setting.
Have a good one!
Posted by: Steven Murawski | May 13, 2006 11:49 AM
Hey, you guys ever consider dialing down the bitrate on your podcasts? (Love the show BTW)
Posted by: Lee | May 16, 2006 04:02 PM