Tuesday, October 11, 2011

If you need to practice your Cisco routing fu, the Hacking Cisco Blog (link) is amazing. It has more than 156 practice labs, including network diagrams and solutions. Have fun!
Here are some search tips for Sguil IDS alert searches (each is the WHERE clause of a Sguil event query):

  • Search for all events that have a destination IP of 192.168.99.1
WHERE event.timestamp > '2011-08-19' AND event.dst_ip = INET_ATON('192.168.99.1')

  • Search for a specific Snort SID
WHERE event.timestamp > '2011-08-19' AND event.signature_id = 2003422

  • Search for a signature ID (650: SHELLCODE x86 setuid 0) with a destination IP of 192.168.99.1
WHERE event.timestamp > '2011-09-19' AND event.signature_id = 650 AND event.dst_ip = INET_ATON('192.168.99.1')
Note that event.dst_ip is stored as an integer: INET_ATON('192.168.99.1') is 192*256^3 + 168*256^2 + 99*256 + 1 = 3232260865, so that literal value works in place of the INET_ATON() call.
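To show what those clauses resolve to, here is an added Python helper (not from the original post and not part of Sguil) that computes the INET_ATON integer for an address and assembles the WHERE clauses above from validated inputs; the function names are my own.

```python
import ipaddress
import re
from typing import Optional


def inet_aton(ip: str) -> int:
    """Return the integer MySQL's INET_ATON() yields for an IPv4 address.

    Sguil stores event.src_ip / event.dst_ip as this unsigned 32-bit value,
    i.e. 192*256**3 + 168*256**2 + 99*256 + 1 for 192.168.99.1.
    Raises ValueError on anything that is not a dotted-quad IPv4 address.
    """
    return int(ipaddress.IPv4Address(ip))


def inet_ntoa(value: int) -> str:
    """Inverse of inet_aton, like MySQL's INET_NTOA()."""
    return str(ipaddress.IPv4Address(value))


def sguil_where(since: str, sid: Optional[int] = None,
                dst_ip: Optional[str] = None) -> str:
    """Build a Sguil event WHERE clause like the ones above (hypothetical helper).

    The date must be YYYY-MM-DD, the SID is coerced to an int and the IP is
    converted to its INET_ATON integer, so nothing user-supplied is ever
    spliced into the clause as free text.
    """
    if not re.fullmatch(r"\d{4}-\d{2}-\d{2}", since):
        raise ValueError(f"bad date: {since!r}")
    clauses = [f"event.timestamp > '{since}'"]
    if sid is not None:
        clauses.append(f"event.signature_id = {int(sid)}")
    if dst_ip is not None:
        clauses.append(f"event.dst_ip = {inet_aton(dst_ip)}")
    return "WHERE " + " AND ".join(clauses)


if __name__ == "__main__":
    print(inet_aton("192.168.99.1"))  # 3232260865
    print(sguil_where("2011-09-19", sid=650, dst_ip="192.168.99.1"))
```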

Monday, April 04, 2011

I had the chance to participate in HackUS 2011. This was my first time at HackUS and let me tell you it was well worth it! There were a lot of challenges (too many for my level of experience). See here for details of the event. One thing I learned is that preparation makes all the difference. Before attending the competition I made sure that the following were in working condition:
  • My MacBook Pro
  • Windows VM with OllyDbg and IDA Pro
  • BackTrack VM
  • WebScarab OS X installation
  • Spare laptop with VMware Player
  • Cisco 2950 switch
  • Alfa Network b/g USB adapter
  • (Power bar, network cables, etc.)
I took a bit of time to learn new tools before going to the competition:
  • Started reading Hacking: The Art of Exploitation, 2nd Edition
  • WebScarab YouTube video
  • Played a bit with GDB
  • Loaded a small binary in IDA Pro to see what it looks like
With those tools and that new knowledge, I drove my car for 2 hours in light snow to the HackUS event. My goal was to learn, have fun and capture some flags ;-)

I had no team so I was matched with other people. Our team was called « The Others ». I met nice and skilled people. I was the only one with little experience on the team (2 other competitions).

The challenges I enjoyed the most were the forensics, Hack the Human and the BGP Network challenges. I also liked the Firewall challenge but it was released at the end of the competition so I did not have a lot of time to play with it.

What I learned:
  • Invest time in protecting your environment.
  • Make sure that all your team members know what they have to do when time is very short on a challenge.
  • Follow the IRC channel for hints and challenge updates (use SSL).
  • Have a share for the team so all info can be centralized and shared quickly.
  • If you are sure you have the right answer for your challenge and the solution is not working, try another tool. There was a bug in WebScarab. (Lost 30 minutes.)
  • Bring a manageable switch that can do a « span port » ;-)
  • Don't be afraid to ask questions of the challenge designers.
  • When doing social engineering, don't spend too much time looking at the same place. Look around as much as you can. Don't take things for granted, i.e. check if doors are locked, verify trash carefully, ask others if they have technology in their pockets, etc.
  • At least 4 hours of sleep per day.
  • Beer in reasonable quantities (a team of three took 21 in 30 minutes or so).

What I plan to do in preparation for the next competition (Hackfest 2011):
  1. Read at least half of The Art of Exploitation, 2nd Edition (40 hours)
  2. Spend at least 20 hours playing with Scapy (spoofing source IPs and more)
  3. Learn enough Snort-fu to be able to send RST packets when certain signatures are hit (drop stuff that can hurt your environment) (5 hours)
  4. Build a system that can crack passwords (laptop or desktop) (10 hours + $$$)
  5. Dedicate 2 hours a month to hacking (work on Hackfest 2010 challenges/solutions)
  6. Learn as much as I can
Extra hardware to bring:
  • Third PC to capture network traffic and run password cracking tools
  • Big external drive for network captures and data sharing (500 GB+)
  • An external monitor for the IRC feed
  • Good wireless antenna
  • Good books that can help during the competition

The next planned competition is Hackfest 2011 at the beginning of November. I would like to take the opportunity to thank my girlfriend and my kids for letting me attend this competition.

Wednesday, May 09, 2007

If you need to browse Microsoft Windows WMI classes, Microsoft has published a very nice tool to do so called Scriptomatic. It is really helpful when you need to view a WMI class structure, and it can also help when troubleshooting installation issues. It is a nice tool to have in one's bag. It can be found at this location.

Monday, May 07, 2007


While browsing the Web, I came across a really good editor, Notepad++. It supports many features, including Perl, VB and PHP code. Give it a try when you have time. BTW, it is a Windows editor. It works well on Vista.

Tuesday, August 22, 2006

It is possible to receive an error in syslog when you start Snort 2.6:

'Not Using PCAP_FRAMES'

This message can be ignored if you don't have any performance issues. If you run Snort on a slow machine, have a lot of packets to analyze or see packets being dropped, follow this post.

Monday, August 21, 2006

Snort 2.6 does not compile correctly on Fedora Core 5.

Here is what you have to do to compile it:
./configure --with-mysql --enable-dynamicplugin
make
make check
libtool --finish /usr/local/lib/snort_dynamicpreprocessor
make install

Taken from this post

Monday, February 13, 2006

To connect to my Cisco 2900 switch from my Solaris 10 server I used:
$ tip hardwire