Announcement – I was Recently Published in an Ebook

I am pleased to announced that I was recently published in an ebook, “10 Experts on Active Threat Management”

threatmanagement #ebooks

Export flow logs to an Amazon S3 Bucket

I found the instructions on Amazon’s website to be useless.

This is what worked for me

Define some variables bucket=my-bucket region=us-east-1 log-group-name=primary-nat prefix=my-prefix taskname=my-task start-epoch=1516255200000 end-epoch=1516860000000 Create the bucket aws s3 mb s3://$bucket –region $region Create the Policy cat <<‘EOF’ > ./policy.json { “Version”: “2012-10-17”, “Statement”: [ { “Action”: “s3:GetBucketAcl”, “Effect”: “Allow”, “Resource”: “arn:aws:s3:::replace-bucket”, “Principal”: . . . → Read More: Export flow logs to an Amazon S3 Bucket

IIS7 SNI Rewrite – Howto


Windows XP Users with IE8 are unable to connect to your Server Name Indication (SNI) enabled Amazon CloudFront distribution.


Do not rewrite URLs to CloudFront if the user agent indicates a system that does not support SNI.

Example (IIS 7)

Be sure to have the URL Rewrite module installed

URL Rewrite rule precondition . . . → Read More: IIS7 SNI Rewrite – Howto

iis7 insert rewrite rule web.config

To insert a rewrite rule in to a web.config for deployment purposes you need to modify Web.Release.Config

Example <system.webServer> <rewrite xdt:Transform=”Insert”> <outboundRules> <rule name=”Add Cross Origin Access”> <match serverVariable=”RESPONSE_Access_Control_Allow_Origin” pattern=”.*” /> <conditions> <add input=”{REQUEST_URI}” pattern=”.*\.(ttf|otf|eot|woff|svg)\?*.*$” /> </conditions> <action type=”Rewrite” value=”*”/> </rule> </outboundRules> </rewrite> </system.webServer>

Cloudfront IIS7 CORS Fix


You keep getting Control Allow Origin errors on fonts that are pulling from your CloudFront CDN


You need to make changes at CloudFront and your IIS 7 Server

CloudFront Changes

Modify the origin behaviors:

Navigate to the CloudFront Distributions Panel Select your Distribution Click Behaviors Tab Select Behavior from list items Click Edit . . . → Read More: Cloudfront IIS7 CORS Fix

EC2 ELB Godaddy Cert

Adding Godaddy Cert to EC2 ELB Setup AWS Command Line Interface

Setup instructions are found here:

Define your files and run these commands: # define these crtdomain=”” crtchain=”gd_bundle.crt” echo “converting to pem format” openssl rsa -in ${crtdomain}.key -out aws-${crtdomain}.key openssl x509 -in ${crtdomain}.crt -out aws-${crtdomain}.crt -outform PEM echo “uploading certificate ${crtdomain} to Amazon” aws . . . → Read More: EC2 ELB Godaddy Cert

logstash filters for ssh attempts


Logstash filters for ssh brute for, sudo auth failures, or failed login attempts

Filters grok { type => “syslog” patterns_dir => [“/opt/logstash/patterns”] pattern => [ “%{SYSLOGLINE}” ] } grep { type => “syslog” drop => false match => [ “@message”, “([fF]ailed|[fF]ailure).*password|authentication.*failure|incorrect.password” ] add_tag => [ “auth_failure” ] } grep { type => “syslog” drop . . . → Read More: logstash filters for ssh attempts

Logstash Logrotate Howto


I was facing two problems with my Logstash setup

Logstash service constantly required manual restarts (no longer indexing, hanging process) Local log files were filling up my root partition Symptom

Logstash failed to:

Index events in the queue Trim its own logs =) Cause Indexing

I’m not sure why it was failing to index. . . . → Read More: Logstash Logrotate Howto

git copy remote branch

git copy remote branch

Copy remote master branch to remote QA branch in git git push origin –delete QA git push origin master:QA Copy remote master branch to remote production branch in git git push origin –delete production git push origin master:production