Anyways, the curses-based interactive mode has been put on the back burner until Matt and I can hack out a pcap editing library.
I'm also looking into adding a massive new feature: a curses-based interactive mode. Not sure how big of a project this is going to turn out to be, but it's looking to be the most complex bit of C code I've ever written, by far.
I've also bought a Tivo (one of the AT&T models) and I must say I love the thing. Went out and got myself a 120GB hard disk for it and now I've got 197 hrs of capacity... no idea what I'll do with all that time though :-)
Anyways, tcpprep development is moving along. Hopefully I should be able to release something in the next week or so, depending on how much free time I find.
For those of you not aware, tsearch has a simple program which inserts 12 random numbers into a tree and prints them out. Except that, because of a bug, it only prints out 6 of them.
I'll admit that I'm no C wiz, I couldn't even figure out what was wrong with the code (a friend of mine pointed out that they delete the root node after processing the left side of the tree, preventing further processing).
Anyways, now that I know that the tsearch functions aren't horribly broken, I can continue working on my code. Yippie!
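Since the tsearch discussion above hinges on when a node may be deleted, here is an added example (my code, not the author's patches and not the sample program he refers to): it inserts 12 keys with tsearch(), walks the tree with twalk() to count the keys a print loop would see, and only then tears the tree down with tdelete(). Deleting from inside the twalk() callback is what the bug described above does; this version defers deletion until the walk has finished. The 12 sample keys are constructed for illustration.

```c
/* Added example: correct tsearch()/twalk()/tdelete() sequencing.
 * Not the author's code and not the tsearch sample program. */
#define _XOPEN_SOURCE 700
#include <search.h>
#include <stdio.h>
#include <stdlib.h>

static int compare_ints(const void *a, const void *b)
{
    int x = *(const int *)a, y = *(const int *)b;
    return (x > y) - (x < y);
}

/* twalk() passes no user pointer, so the callback counts into a static. */
static size_t visited;

/* Called by twalk() for every node. In-order output means acting on the
 * single 'leaf' visit or the 'postorder' visit of an inner node; nothing
 * is deleted here, which is the point. */
static void count_key(const void *nodep, VISIT which, int depth)
{
    (void)depth;
    if (which == postorder || which == leaf) {
        const int *key = *(const int *const *)nodep;
        (void)key;            /* a real program would printf("%d\n", *key) */
        visited++;
    }
}

/* Insert keys[0..n) and return the number of distinct keys now in the tree.
 * tsearch() returns the existing node for a duplicate instead of adding one. */
size_t build_tree(void **rootp, const int *keys, size_t n)
{
    size_t distinct = 0;
    for (size_t i = 0; i < n; i++) {
        int *copy = malloc(sizeof *copy);
        if (!copy) abort();
        *copy = keys[i];
        void *node = tsearch(copy, rootp, compare_ints);
        if (!node) abort();
        if (*(int **)node == copy)
            distinct++;
        else
            free(copy);       /* duplicate: the tree kept its original key */
    }
    return distinct;
}

/* Walk the whole tree and report how many keys a print loop would emit. */
size_t count_tree(void *root)
{
    visited = 0;
    twalk(root, count_key);
    return visited;
}

/* Tear the tree down after the walk, never during it: delete whichever key
 * is at the root, repeat until empty. Returns the number of deletions. */
size_t destroy_tree(void **rootp)
{
    size_t deleted = 0;
    while (*rootp) {
        int *key = *(int **)*rootp;
        tdelete(key, rootp, compare_ints);
        free(key);
        deleted++;
    }
    return deleted;
}

/* Build, walk and destroy in sequence; return the key count all three steps
 * agree on, or (size_t)-1 if the walk or the teardown lost or gained a key. */
size_t round_trip(const int *keys, size_t n)
{
    void *root = NULL;
    size_t distinct = build_tree(&root, keys, n);
    size_t seen = count_tree(root);
    size_t deleted = destroy_tree(&root);
    if (seen != distinct || deleted != distinct || root != NULL)
        return (size_t)-1;
    return distinct;
}

/* Constructed sample input: 12 distinct keys, and a set with duplicates. */
const int sample_keys[12] = {42, 7, 99, 3, 58, 17, 81, 23, 64, 11, 36, 90};
const int dup_keys[4] = {5, 5, 9, 5};

int main(void)
{
    printf("12 distinct keys: walk saw %zu\n", round_trip(sample_keys, 12));
    printf("4 keys, 2 distinct: walk saw %zu\n", round_trip(dup_keys, 4));
    return 0;
}
```

The count returned by round_trip() is what the sample program should have printed: all 12 keys, because no node disappears while twalk() is still traversing.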
I'm actually pretty stoked about the cache file too: it's super small. For a 900MB tcpdump file, the cache file was only 74K.
Anyways, hopefully I can get Matt to include this in the official distribution soon. My next feature enhancement will be to build some intelligence into tcpprep so it can figure out the server network vs. the clients. Should prove useful for replaying unknown captures in dual-NIC mode.
Anyways, for those of you who actually read this and care, here's the link to the patches: http://synfin.net/aturner/tcpreplay/
I've also spent about 20 hours looking at Snort signatures this week. The web signatures (mostly), to be exact. Honestly, the more I read them, the more I've come to realize a simple fact:
99.9% of Snort signatures are pure crap.
Out of the 700 signatures I've read, they will either generate false positives like mad (Snort rarely looks for the attack, generally just for the CGI/ASP/whatever that is vulnerable, so even if it is a perfectly valid request, you'll get an alarm),
or, the few times they do look for the attack, either their test is horribly broken or it's so easy to avoid (don't put the CGI parameter next to the ?) that the signature will only pick up script kiddies and morons.
Honestly, I've been running Snort for over a year now, and always thought it was a bit overzealous in reporting attacks, and now I know why. IMHO, the only reason to keep Snort on my disk is because in sniffer mode, it has a nicer output than tcpdump. Oh well...
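To make the two complaints above concrete, here is an added example (my code, not the author's and not Snort's matching engine; the script name, parameter name and request lines are constructed for illustration). It models three ways a web signature can be written: matching the vulnerable script name alone, matching the script with the parameter glued to the "?", and parsing the query string so the parameter is found wherever it sits.

```c
/* Added example: three matching strategies for a hypothetical CGI rule.
 * Not the author's code and not Snort's own matcher. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define VULN_SCRIPT "/cgi-bin/vuln.cgi"   /* hypothetical script name */
#define VULN_PARAM  "cmd"                 /* hypothetical parameter   */

/* Strategy 1: fire on the script name alone. Any request for the script,
 * including a perfectly valid one, raises an alarm. */
bool script_only_match(const char *request_line)
{
    return strstr(request_line, VULN_SCRIPT) != NULL;
}

/* Strategy 2: fire on the script with the parameter right after the '?'.
 * Moving the parameter anywhere else in the query string evades it. */
bool naive_param_match(const char *request_line)
{
    return strstr(request_line, VULN_SCRIPT "?" VULN_PARAM "=") != NULL;
}

/* Return the request target (second token of "GET <target> HTTP/1.x"). */
static const char *request_target(const char *request_line, size_t *len)
{
    const char *sp = strchr(request_line, ' ');
    if (!sp)
        return NULL;
    const char *start = sp + 1;
    const char *end = strchr(start, ' ');
    *len = end ? (size_t)(end - start) : strlen(start);
    return start;
}

/* Strategy 3: same script, then walk every "k=v" of the query string so the
 * parameter matches in any position. A request for the script that never
 * supplies the parameter does not match. */
bool param_match(const char *request_line)
{
    size_t tlen;
    const char *target = request_target(request_line, &tlen);
    if (!target)
        return false;
    size_t slen = strlen(VULN_SCRIPT);
    if (tlen <= slen || strncmp(target, VULN_SCRIPT, slen) != 0 || target[slen] != '?')
        return false;
    const char *q = target + slen + 1, *qend = target + tlen;
    size_t plen = strlen(VULN_PARAM);
    while (q < qend) {
        const char *amp = memchr(q, '&', (size_t)(qend - q));
        const char *pend = amp ? amp : qend;
        const char *eq = memchr(q, '=', (size_t)(pend - q));
        size_t klen = eq ? (size_t)(eq - q) : (size_t)(pend - q);
        if (klen == plen && strncmp(q, VULN_PARAM, plen) == 0)
            return true;
        q = pend + 1;
    }
    return false;
}

/* Constructed request lines: the textbook attack, the same attack with the
 * parameter moved, and a benign request for the same script. */
const char *const kiddie_request  = "GET /cgi-bin/vuln.cgi?cmd=id HTTP/1.0";
const char *const evasive_request = "GET /cgi-bin/vuln.cgi?x=1&cmd=id HTTP/1.0";
const char *const benign_request  = "GET /cgi-bin/vuln.cgi?page=help HTTP/1.0";

int main(void)
{
    const char *const reqs[] = {kiddie_request, evasive_request, benign_request};
    for (size_t i = 0; i < 3; i++)
        printf("script_only=%d naive_param=%d param=%d  %s\n",
               script_only_match(reqs[i]), naive_param_match(reqs[i]),
               param_match(reqs[i]), reqs[i]);
    return 0;
}
```

Running it shows the trade-off the entry describes: the script-only rule alarms on the benign request, the naive rule misses the reordered attack, and only the query-aware check fires on both attack variants and stays quiet on the benign one.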
First, on the tcpreplay front, it looks like Anzen is not only still alive and kicking, but they're going to be releasing a new version of tcpreplay. I'm working with them now to see if it makes sense to integrate my patches in with their new code.
Work lately has been well.... interesting. Interesting as in the old Chinese curse that says, "May you live in interesting times." Anyways, I'm now in engineering (yeah!) so hopefully I can put the recent political back-stabbing behind me.
I've decided to ask Matt if he's interested in taking an active maintainership role in the app, before I do anything. If Matt decides he's not interested, then I'll take over and merge my patches into the "new official tree".
In the corporate world, things changed rather quickly for me. Last Friday I was told it would take weeks or even a month before I moved over to engineering. Today, as I was walking out to my car, my boss informed me that they've decided to accelerate the transition, and I'll be out of marketing by the end of the week. All I can say is _wow_. Of course saying a week and it actually taking a week are two different things, but things are looking pretty good.
Also, looks like there's a good chance that a lot of code and documentation that I wrote for my company will be released to the public under the GPL or a similar license. Not sure yet how I'm going to release it... some of it is extremely complicated and probably really isn't fully ready for public release, but honestly I don't see any chance of me continuing any work on it in the future since the company has dramatically changed directions. However, there are some good docs on hardening Linux and Solaris that are pretty comprehensive.
And speaking of work, I've finally gotten so sick of the horrible sludge they call coffee at work that I picked up a grinder, french press, and a pound of Pete's French Roast for the office. Yes, I'm a freak, but by god, I need good java in the morning and the crap we've got just doesn't cut it.
On a personal note, I ended up getting the PS2 on Friday. Yet another way for me to waste time I really don't have, but at least I'm having fun doing it.
Ended up getting GT3 (PS2 combo pack), SpyHunter (ok, could have better gfx, and what is up with the 2 player mode??), Tekken Tag Tourney (nice gfx, really smooth, and just plain fun), Grand Theft Auto 3 (great game, really unique, good gfx considering, and just plain fun), Metal Gear Solid 2 (again, great gfx, and fun), and Devil May Cry (good gfx, and lots of fun). Yes, I spent a LOT of $$$, but I'm worth it. :)
One thing that did suck rocks was the Topmax Diablos controller I picked up for $10. Feels cheap in my hands, and the buttons are horrible. Should've known. I'll pick up a Sony controller when I return this one.
Of course, working for a small company, one might think changing departments is a relatively easy thing to do, but nooooo.... got to deal with departmental head counts and stuff like that. I guess nobody told them that my pay check comes out of the same place regardless of what department I'm in.
On a lighter note, I didn't get the PS2 last night. I wasn't going to have time to play on it last night anyways, so what was the point of spending $500 for the console and a few games if all I have time for is looking at the pretty box? Of course today is a different story....