<?xml version="1.0"?>
<rss version="2.0">
  <channel>
    <title>Advogato blog for aturner</title>
    <link>http://www.advogato.org/person/aturner/</link>
    <description>Advogato blog for aturner</description>
    <language>en-us</language>
    <generator>mod_virgule</generator>
    <pubDate>Tue, 18 Jun 2013 23:04:45 GMT</pubDate>
    <item>
      <pubDate>Tue, 3 Dec 2002 00:23:33 GMT</pubDate>
      <title>3 Dec 2002</title>
      <link>http://www.advogato.org/person/aturner/diary.html?start=10</link>
      <guid>http://www.advogato.org/person/aturner/diary.html?start=10</guid>
      <description>Hmmm.... haven't written anything in a while.  Good news is
that tcpreplay is still being actively developed.  1.3-beta6
was just released and adds a lot of cool features and fixes
a ton of nasty bugs.

&lt;p&gt; Anyways, the curses based interactive mode has been put on
the backburner until Matt and I can hack out a pcap editing
library.</description>
    </item>
    <item>
      <pubDate>Fri, 15 Mar 2002 19:29:19 GMT</pubDate>
      <title>15 Mar 2002</title>
      <link>http://www.advogato.org/person/aturner/diary.html?start=9</link>
      <guid>http://www.advogato.org/person/aturner/diary.html?start=9</guid>
      <description>Well lots of things have happened.  Looks like after about
four months, tcpreplay will finally be released in a few
weeks.  This is a really big thing as I've basically had to
put further development on hold until the 1.1 release is out
the door.

&lt;p&gt; I'm also looking into adding a massive new feature- a curses
based interactive mode.  Not sure how big of a project this
is going to turn out to be, but it's looking to be the most
complex bit of C code I've ever written by far.

&lt;p&gt; I've also bought a Tivo (one of the AT&amp;amp;T models) and I must
say I love the thing.  Went out and got myself a 120GB
harddisk for it and now I've got 197hrs of capacity... no
idea what I'll do with all that time though :-)</description>
    </item>
    <item>
      <pubDate>Tue, 11 Dec 2001 18:20:03 GMT</pubDate>
      <title>11 Dec 2001</title>
      <link>http://www.advogato.org/person/aturner/diary.html?start=8</link>
      <guid>http://www.advogato.org/person/aturner/diary.html?start=8</guid>
      <description>Well I finally gave up on tsearch.  Turns out it is horribly
broken if you want to update entries in the tree, so finally
I gave up.  I found libredblack on freshmeat, and haven't
looked back since.

&lt;p&gt; Anyways, tcpprep development is moving along.  Hopefully I
should be able to release something in the next week or so,
depending on how much free time I find.</description>
    </item>
    <item>
      <pubDate>Thu, 6 Dec 2001 18:41:44 GMT</pubDate>
      <title>6 Dec 2001</title>
      <link>http://www.advogato.org/person/aturner/diary.html?start=7</link>
      <guid>http://www.advogato.org/person/aturner/diary.html?start=7</guid>
      <description>Grrrrr.... I wish I could tar and feather the person who
wrote the GNU tsearch manpage.  If you're going to include a
source code example, could you at least make sure that it works?

&lt;p&gt; For those of you not aware, tsearch has a simple program
which inserts 12 random numbers into a tree and prints them
out.  Only that because of a bug, it only prints out 6 of them.

&lt;p&gt; I'll admit that I'm no C wiz, I couldn't even figure out
what was wrong with the code (a friend of mine pointed out
that they delete the root node after processing the left
side of the tree, preventing further processing).  

&lt;p&gt; Anyways, now that I know that the tsearch functions aren't
horribly broken, I can continue working on my code.  Yippie!</description>
    </item>
    <item>
      <pubDate>Tue, 4 Dec 2001 17:45:51 GMT</pubDate>
      <title>4 Dec 2001</title>
      <link>http://www.advogato.org/person/aturner/diary.html?start=6</link>
      <guid>http://www.advogato.org/person/aturner/diary.html?start=6</guid>
      <description>Woo hoo!  My latest patch for tcpreplay is done which
implements a pre-processor (tcpprep) and cache function
which dramatically improves performance for dual-nic use. 
Actually,  performance seems to match single-nic use which
was the goal.

&lt;p&gt; I'm actually pretty stoked about the cache file too- it's
super small.  For a 900MB tcpdump file, the cache file was
only 74K.

&lt;p&gt; Anyways, hopefully I can get Matt to include this into the
official distribution soon.  My next feature enhancement
will be to build some intelligence into tcpprep so it can
figure out the server network vs the clients.  Should prove
useful for replaying in dual-nic mode unknown captures.

&lt;p&gt; Anyways, for those of you who actually read this and care,
here's the link to the patches: &lt;a
href="http://synfin.net/aturner/tcpreplay/"&gt;http://synfin.net/aturner/tcpreplay/&lt;/a&gt;</description>
    </item>
    <item>
      <pubDate>Fri, 30 Nov 2001 00:23:56 GMT</pubDate>
      <title>30 Nov 2001</title>
      <link>http://www.advogato.org/person/aturner/diary.html?start=5</link>
      <guid>http://www.advogato.org/person/aturner/diary.html?start=5</guid>
      <description>Well I've figured out how I'm going to implement a
performance fix for my new version of tcpreplay.  Hopefully
have that ready sometime next week.

&lt;p&gt; I've also spent about 20 hours looking at Snort signatures
this week.  The web signatures (mostly) to be exact. 
Honestly, the more I read them, the more I've come to
realize a simple fact:

&lt;p&gt; &lt;b&gt;99.9% of Snort signatures are pure crap.&lt;/b&gt;

&lt;p&gt; Out of the 700 signatures I've read, they will either
generate false positives like mad (Snort rarely looks for
the attack, generally just the CGI/ASP/whatever that is
vulnerable.  So even if it is a perfectly valid request,
you'll get an alarm.)

&lt;p&gt; And the few times they do look for the attack, either their
test is horribly broken or it's so easy to avoid (don't put
the cgi parameter next to the ?) that the signature will
only pick up script kiddies and morons.

&lt;p&gt; Honestly, I've been running snort for over a year now, and
always thought it was a bit overzealous in reporting
attacks, and now I know why.  IMHO, the only reason to keep
snort on my disk is because in sniffer mode, it has a nicer
output than tcpdump.  Oh well...</description>
    </item>
    <item>
      <pubDate>Thu, 22 Nov 2001 06:42:21 GMT</pubDate>
      <title>22 Nov 2001</title>
      <link>http://www.advogato.org/person/aturner/diary.html?start=4</link>
      <guid>http://www.advogato.org/person/aturner/diary.html?start=4</guid>
      <description>Wow, what a crazy series of events lately.

&lt;p&gt; First, on the tcpreplay front, it looks like Anzen is not
only still alive and kicking, but they're going to be
releasing a new version of tcpreplay.  I'm working with them
now to see if it makes sense to integrate my patches in with
their new code.

&lt;p&gt; Work lately has been well.... interesting.  Interesting as
in the old Chinese curse that says, "May you live in
interesting times."  Anyways, I'm now in engineering (yeah!)
so hopefully I can put the recent political back-stabbing
behind me.</description>
    </item>
    <item>
      <pubDate>Tue, 20 Nov 2001 07:01:49 GMT</pubDate>
      <title>20 Nov 2001</title>
      <link>http://www.advogato.org/person/aturner/diary.html?start=3</link>
      <guid>http://www.advogato.org/person/aturner/diary.html?start=3</guid>
      <description>Well I heard back from Matt.  Sounds like he's not actively
maintaining tcpreplay anymore and it doesn't look like NFR
purchased the copyright or other intellectual property
surrounding the nidsbench research.

&lt;p&gt; I've decided to ask Matt if he's interested in taking an
active maintainership role in the app, before I do anything.
 If Matt decides he's not interested, then I'll take over
and merge my patches into the "new official tree".

&lt;p&gt; In the corporate world, things changed rather quickly for
me.  Last Friday I was told it would take weeks or even a
month before I moved over to engineering.  Today, as I was
walking out to my car, my boss informed me that they've
decided to accelerate the transition, and I'll be out of
marketing by the end of the week.  All I can say is _wow_. 
Of course saying a week and it actually taking a week are
two different things, but things are looking pretty good.</description>
    </item>
    <item>
      <pubDate>Mon, 19 Nov 2001 06:34:53 GMT</pubDate>
      <title>19 Nov 2001</title>
      <link>http://www.advogato.org/person/aturner/diary.html?start=2</link>
      <guid>http://www.advogato.org/person/aturner/diary.html?start=2</guid>
      <description>Right now I'm trying to track down Matt Undy of Anzen
Computing (recently bought by NFR) to see about my patches
to tcpreplay.  His email isn't bouncing, but I'm not getting
a reply from him either.  Not really sure what to make of
it.  Hopefully I'll hear from him on Monday.

&lt;p&gt; Also, looks like there's a good chance that a lot of code
and documentation that I wrote for my company will be
released to the public under the GPL or similar license. 
Not sure yet of how I'm going to release it yet... some of
it is extremely complicated and prolly really isn't fully
ready for public release, but honestly I don't see any
chance of me continuing any work on it in the future since
the company has dramatically changed directions.  However,
there are some good docs on hardening Linux and Solaris that
are pretty comprehensive.

&lt;p&gt; And speaking of work, I've finally gotten so sick of the
horrible sludge they call coffee at work that I picked up a
grinder, french press, and a pound of Pete's French Roast
for the office. Yes, I'm a freak, but by god, I need good
java in the morning and the crap we've got just doesn't cut it.

&lt;p&gt; On a personal note, I ended up getting the PS2 on Friday. 
Yet another way for me to waste time I really don't have,
but at least I'm having fun doing it.

&lt;p&gt; Ended up getting GT3 (PS2 combo pack), SpyHunter (ok, could
have better gfx, and what is up with the 2 player mode??),
Tekken Tag Tourney (nice gfx, really
smooth, and just plain fun), Grand Theft Auto 3 (great game,
really unique, good gfx considering, and just plain fun),
Metal Gear Solid 2 (again, great gfx, and fun), and Devil
May Cry (good gfx, and lots of fun).  Yes, I spent a LOT of
$$$, but I'm worth it. :)

&lt;p&gt; One thing that did suck rocks was the Topmax Diablos
controller I picked up for $10.  Feels cheap in my hands,
and the buttons are horrible.  Should've known.  I'll pick
up a Sony controller when I return this one.</description>
    </item>
    <item>
      <pubDate>Fri, 16 Nov 2001 17:58:42 GMT</pubDate>
      <title>16 Nov 2001</title>
      <link>http://www.advogato.org/person/aturner/diary.html?start=1</link>
      <guid>http://www.advogato.org/person/aturner/diary.html?start=1</guid>
      <description>Well it looks like there's a good chance that I'll be moving
out of the marketing (yes, I said the M-word) department and
into engineering.  Thank god.  I'm tired of writing
whitepapers that are so full of marketing that they're grey.
 To actually be allowed to hack Perl and C on the company
dime would be like manna from heaven.

&lt;p&gt; Of course, working for a small company, one might think
changing departments is a relatively easy thing to do, but
nooooo....  got to deal with departmental head counts and
stuff like that.  I guess nobody told them that my pay check
comes out of the same place regardless of what department
I'm in.

&lt;p&gt; On a lighter note, I didn't get the PS2 last night.  I
wasn't going to have time to play on it last night anyways,
so what was the point of spending $500 for the console and a
few games if all I have time for is looking at the pretty
box?  Of course today is a different story....</description>
    </item>
  </channel>
</rss>
