Tuesday, October 9, 2018

How Much Google Cloud Platform Charges on F1-Micro VM

I have been using GCP for my small blog site for a while. It has not been charged much, since the traffic is small, a couple of thousand visitors per day from around the world. The GCP credit still had more than $384 left 30 days before the trial period ended.

To better trace the charges, I decided to spin up another VM around 10PM Sep 28 2018 and track how much this minimum f1-micro (1 vCPU, 0.6 GB memory) VM is charged daily.

I chose Ubuntu 16.04 (Xenial Xerus) on f1-micro. The license is free for this OS. The only service enabled on this f1-micro VM is MySQL, used as the backend of my blog. The front end is another PHP/Apache VM hosted in another GCP account. I have hardened the firewall rules to allow only MySQL in from a specific IP.

Based on the GCP Always Free Usage Limits, I should be able to use the following services for free:
  • 1 f1-micro VM instance per month (US regions, excluding Northern Virginia).
  • 30 GB of Standard persistent disk storage per month.
  • 5 GB of snapshot storage per month.
  • 1 GB egress from North America to other destinations per month (excluding Australia and China).

1. First Two Days
Here are the charges for the first 32 hours, checked on Sep 30 2018:


Item (Compute Engine)                                   Usage           Cost before credit   Credit
Network Inter Zone Egress                               2.51 gibibyte   $0.03                -$0.03
Micro instance with burstable CPU running in Americas   32 hour         $0.02                -$0.02
Network Internet Egress from Americas to China          0 gibibyte      $0.00                -$0.00

Thursday, October 4, 2018

Gartner Magic Quadrant for Web Application Firewalls (2018,2017,2016)

A web application firewall (WAF) is an application firewall for HTTP applications. It applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as cross-site scripting (XSS) and SQL injection.

While proxies generally protect clients, WAFs protect servers. A WAF is deployed to protect a specific web application or set of web applications. A WAF can be considered a reverse proxy.

According to Gartner, by 2023, more than 30% of public-facing web applications will be protected by cloud web application and API protection (WAAP) services that combine distributed denial of service (DDoS) protection, bot mitigation, API protection, and WAFs. This is an increase from fewer than 10% today.


In August 2018, Gartner released its latest Magic Quadrant report for Web Application Firewalls. Only Imperva and Akamai are in the Leaders quadrant. F5 has been moved out of the Leaders quadrant into Challengers. Other vendors, such as Fortinet, Cloudflare, Barracuda and Citrix, have not changed much and remain in Challengers. Oracle and Radware are in the Visionaries quadrant.

Tuesday, October 2, 2018

Install T-Pot into Google Cloud Platform VM Instance

T-Pot is a honeypot platform built on Ubuntu with Docker technology. The latest version is 17.10 and the OS is Ubuntu 16.04. The minimum system requirement is at least 2 GB RAM and 40 GB disk space.

There are some other posts online showing how to install T-Pot into a cloud virtual machine instance. Unfortunately, I failed many times and got the error message 'could not find authorized_keys at .ssh folder'. Eventually I found the issue was with the user I was using. If I create a new user, add it to the sudo group, and install T-Pot after logging in as that new user, the installation process is quite smooth.

Here are all the steps I did. Hopefully it helps when you try this awesome honeypot.

1. Create a VM

2. Update your Ubuntu instance

$ sudo apt-get update
$ sudo apt-get upgrade
$ sudo apt-get dist-upgrade

Thursday, September 27, 2018

Cisco Web Security Appliance (WSA) S190 - Web GUI

Cisco® Web Security Appliance (WSA) offers malware protection, application visibility and control, acceptable use policy controls, insightful reporting and secure mobility to the enterprise network.

The Cisco WSA is a forward proxy that can be deployed in either Explicit mode (proxy automatic configuration [PAC] files, Web Proxy Auto-Discovery [WPAD], browser settings) or Transparent mode (Web Cache Communication Protocol [WCCP], Policy-Based Routing [PBR], load balancers). WCCP-compatible devices, such as Cisco Catalyst® 6000 Series Switches, Cisco ASR 1000 Series Aggregation Services Routers, Cisco Integrated Services Routers, and Cisco ASA 5500-X Series Next-Generation Firewalls, reroute web traffic to the Cisco WSA. The Cisco WSA can proxy HTTP, HTTPS, SOCKS, native FTP, and FTP over HTTP traffic to deliver additional capabilities such as data-loss prevention, mobile user security, and advanced visibility and control. Cisco provides hardware appliances (Cisco S690, Cisco S690X, Cisco S680, Cisco S390, Cisco S380, Cisco S190, Cisco S170) and virtual appliances WSAV (S000v, S100v, S300v) for different requirements. In this post, the S190 will be used to show how the web GUI looks.
The Cisco S190 appliance is typically installed as an additional layer in the network between clients and the Internet.

Cisco S190 specifications (SMB and Branch model):
  • Disk Space: 2x600 GB SAS
  • RAID Mirroring: Yes (RAID 1)
  • Memory: 8 GB, DDR4
  • CPU: 1 x 1.9 GHz, 6C

Depending on how you deploy the appliance, you may or may not need a Layer 4 (L4) switch or a WCCP router to direct client traffic to the appliance.
Deployment options include:

  • Transparent Proxy—Web proxy with an L4 switch 
  • Transparent Proxy—Web proxy with a WCCP router 
  • Explicit Forward Proxy—Connection to a network switch 
  • L4 Traffic Monitor—Ethernet tap (simplex or duplex)

Sysinternals Tool Sysmon Usage Tips and Tricks

Microsoft Sysinternals tool Sysmon is a service and device driver that, once installed on a system, logs indicators that can greatly help track malicious activity, in addition to helping with general troubleshooting.

Basic Sysmon Usage commands:

sysmon -i -accepteula [options]

  • Extracts binaries into %systemroot%
  • Registers event log manifest
  • Enables default configuration
Note: Once this command runs, the Sysmon service is installed, running, and logging to the Event log at Applications and Services Logs > Microsoft > Windows > Sysmon > Operational.

Viewing and updating configuration:
sysmon -c [options]

  • Updates take effect immediately
  • Options can be basic options or a configuration file
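Once Sysmon is installed and logging, the Operational log is where the indicators land. The following PowerShell is an added example, not code from this post or from Sysinternals: it reads recent Sysmon network connection events (Event ID 3) and maps each one back to the process image and user that made the connection. It assumes Sysmon is installed and that network connection logging was enabled in its configuration (it is off by default), and that it is run from an elevated PowerShell session; the function name Get-SysmonNetworkEvent is my own.

```powershell
# Added example: list recent Sysmon network connection events (Event ID 3)
# and map each one to the process image and user that made the connection.
# Assumes Sysmon is installed with network connection logging enabled
# (off by default) and that this runs in an elevated PowerShell session.

function Get-SysmonNetworkEvent {
    param(
        [int]$MaxEvents = 50
    )

    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Sysmon/Operational'
        Id      = 3   # NetworkConnect
    } -MaxEvents $MaxEvents -ErrorAction Stop

    foreach ($e in $events) {
        # Sysmon stores its fields in EventData as <Data Name="...">value</Data>
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        [pscustomobject]@{
            Time        = $e.TimeCreated
            Image       = $data['Image']
            User        = $data['User']
            Protocol    = $data['Protocol']
            Source      = '{0}:{1}' -f $data['SourceIp'], $data['SourcePort']
            Destination = '{0}:{1}' -f $data['DestinationIp'], $data['DestinationPort']
        }
    }
}

# Usage: connections grouped by process image, most active first
Get-SysmonNetworkEvent -MaxEvents 200 |
    Group-Object Image |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Grouping by image is a quick way to spot an unexpected process talking to the network. One caveat: Sysmon's network connection event covers TCP and UDP only, so ICMP traffic will not show up here and needs one of the other approaches described below.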

Wednesday, September 26, 2018

How to Find Out Windows Process Sending Traffic, Especially ICMP Packets

There are a number of different ways to find out which process is sending TCP/UDP traffic on a computer system, but not many for ICMP traffic.

Here is a summary of the ways to do it.

1. Install a local firewall

You could always try installing a firewall that blocks outgoing traffic, or use the Windows Firewall. When the traffic is generated, it can prompt you asking whether you want to allow it or not. In many cases, it will tell you which application is generating the traffic.