Friday, September 28, 2018

Create a MySQL Computer Engine VM Instance Using Ubuntu in Google Cloud


1. Create Ubuntu VM Instance


Thursday, September 27, 2018

Cisco Web Security Appliance S190 - Web GUI

Cisco® Web Security Appliance (WSA) offers malware protection, application visibility and control, acceptable use policy controls, insightful reporting and secure mobility to enterprise network. 

The Cisco WSA is a forward proxy that can be deployed in either Explicit mode (proxy automatic configuration [PAC] files, Web Proxy Auto-Discovery [WPAD], browser settings) or Transparent mode (Web Cache Communication Protocol [WCCP], Policy-Based Routing [PBR], load balancers). WCCP-compatible devices, such as Cisco Catalyst® 6000 Series Switches, Cisco ASR 1000 Series Aggregation Services Routers, Cisco Integrated Services Routers, and Cisco ASA 5500-X Series Next-Generation Firewalls, reroute web traffic to the Cisco WSA. The Cisco WSA can proxy HTTP, HTTPS, SOCKS, native FTP, and FTP over HTTP traffic to deliver additional capabilities such as data-loss prevention, mobile user security, and advanced visibility and control. Cisco provides hardware appliances (Cisco S690, Cisco S690X, Cisco S680, Cisco S390, Cisco S380, Cisco S190, Cisco S170) and virtual appliances WSAV (S000v, S100v, S300v) for different requirements. In this post, S190 will be used to show the how web gui looks like.
The Cisco S190 appliance is typically installed as an additional layer in the network between clients and the Internet.


Model
Disk Space
RAID Mirroring
Memory
CPUs
SMB and Branch
S190
1.2TB
(2x600 GB SAS)
Yes (RAID 1)
8 GB, DDR4
1 x 1.9 Ghz, 6C


Depending on how you deploy the appliance, you may or may not need a Layer 4 (L4) switch or a WCCP router to direct client traffic to the appliance.
Deployment options include:

  • Transparent Proxy—Web proxy with an L4 switch 
  • Transparent Proxy—Web proxy with a WCCP router 
  • Explicit Forward Proxy—Connection to a network switch 
  • L4 Traffic Monitor—Ethernet tap (simplex or duplex)


Sysinternals Tool Sysmon Usage Tips and Tricks

Microsoft Sysinternals tool Sysmon is a service and device driver, that once installed on a system, logs indicators that can greatly help track malicious activity in addition to help with general troubleshooting.

Basic Sysmon Usage commands:

Installation:
sysmon -i -accepteula [options]

  • Extracts binaries into %systemroot%
  • Registers event log manifest
  • Enables default configuration
Note: Once this command runs, the Sysmon service is installed, running, and logging to the Event log at Applications and Service Logs > Microsoft > Windows > Sysmon > Operational. 

Viewing and updating configuration:
sysmon -c [options]

  • Updates take effect immediately
  • Options can be basic options or a configuration file

Wednesday, September 26, 2018

How to Find Out Windows Process Sending Traffic, Especially ICMP Packets

There are a number of different ways to find out which process is sending tcp / udp traffic in computer systems, but not much for icmp traffic.

Here is a summary for the ways to do it.

1. Install a local firewall

You could always try installing a firewall that blocks outgoing traffic or use the Windows Firewall. When the traffic is generated, it could prompt you asking whether you want to allow it or not. In many cases, it will tell you what application is generating the traffic.


Windows Command Line Remote Troubleshooting Tools

Here are some scripts and methods to do remote troubleshooting or running some commands in remote machines. I found they are very useful especially in a enterprise environment if you have your domain admin account.

Prerequisites to run remote commands

  • Install .NET Framework 4.5.2 from \\shareserver\it\$Install\Scripting prerequisites\NDP452-KB2901907-x86-x64-AllOS-ENU.exe
    • or from https://www.microsoft.com/en-ca/download/details.aspx?id=42642
  • Install Windows Management Framework 5.1:
    •  copy the folder \\shareserver\it\$Install\Scripting prerequisite\Windows Management Framework 5.1 to your C drive or download from https://docs.microsoft.com/en-us/powershell/wmf/5.1/install-configure
    •  Open PowerShell as an administrator, navigate into the directory on your C drive, and run the command
      • .\Install-Wmf.ps1
  • Install Microsoft Visual C++ 2017 redistributable from \\shareserver\it\$Install\Scripting prerequisite\VC_redist.x64.exe
    • Download from https://www.microsoft.com/en-us/download/details.aspx?id=52685
  • From a PowerShell prompt running as an administrator, run the command
    • Set-ExecutionPolicy Unrestricted -Force
  • From a PowerShell prompt running as an administrator, run the command
    • winrm quickconfig

Tuesday, September 25, 2018

ArcSight SIEM Logger

ArcSight Logger is one of products from Micro Focus SIEM platform. It  streams real-time data and categorizes them into specific logs and easily integrates with Security Operations. As a result, organizations of any size can use this high performance log data repository to aid in faster forensic analysis of IT operations, application development, and cyber security issues, and to simultaneously address multiple regulations.


Summary