G R A N T   S T A V E L Y

There was a table set out under a tree in front of the house, and a Democrat and a Republican were having tea at it: the Economy was sitting between them, fast asleep, and the other two were using it as a cushion, resting their elbows on it, and talking over its head. `Very uncomfortable for the Economy,’ thought Alice; `only, as it’s asleep, I suppose it doesn’t mind.’

The table was a large one, but the three were all crowded together at one corner of it: `No room! No room!’ they cried out when they saw Alice coming. `There’s PLENTY of room!’ said Alice indignantly, and she sat down in a large arm-chair at one end of the table.

`Have some wine,’ the Democrat said in an encouraging tone.

Alice looked all round the table, but there was nothing on it but tea. `I don’t see any wine,’ she remarked.

`There isn’t any,’ said the Democrat.

`Then it wasn’t very civil of you to offer it,’ said Alice angrily.

`It wasn’t very civil of you to sit down without being invited,’ said the Democrat.

`I didn’t know it was YOUR table,’ said Alice; `it’s laid for a great many more than three.’

`Your hair wants cutting,’ said the Republican. He had been looking at Alice for some time with great curiosity, and this was his first speech.

`You should learn not to make personal remarks,’ Alice said with some severity; `it’s very rude.’

The Republican opened his eyes very wide on hearing this; but all he SAID was, `Why is a raven like a writing-desk?’

`Come, we shall have some fun now!’ thought Alice. `I’m glad they’ve begun asking riddles.—I believe I can guess that,’ she added aloud.

`Do you mean that you think you can find out the answer to it?’ said the Democrat.

`Exactly so,’ said Alice.

`Then you should say what you mean,’ the Democrat went on.

`I do,’ Alice hastily replied; `at least—at least I mean what I say—that’s the same thing, you know.’

`Not the same thing a bit!’ said the Republican. `You might just as well say that “I see what I eat” is the same thing as “I eat what I see”!’

`You might just as well say,’ added the Democrat, `that “I like what I get” is the same thing as “I get what I like”!’

`You might just as well say,’ added the Economy, who seemed to be talking in its sleep, `that “I breathe when I sleep” is the same thing as “I sleep when I breathe”!’

`It IS the same thing with you,’ said the Republican, and here the conversation dropped, and the party sat silent for a minute, while Alice thought over all she could remember about ravens and writing-desks, which wasn’t much.

The Republican was the first to break the silence. `What day of the month is it?’ he said, turning to Alice: he had taken his watch out of his pocket, and was looking at it uneasily, shaking it every now and then, and holding it to his ear.

Alice considered a little, and then said `The fourth.’

`Two days wrong!’ sighed the Republican. `I told you butter wouldn’t suit the works!’ he added looking angrily at the Democrat.

`It was the BEST butter,’ the Democrat meekly replied.

`Yes, but some crumbs must have got in as well,’ the Republican grumbled: `you shouldn’t have put it in with the bread-knife.’

The Democrat took the watch and looked at it gloomily: then he dipped it into his cup of tea, and looked at it again: but he could think of nothing better to say than his first remark, `It was the BEST butter, you know.’

Alice had been looking over his shoulder with some curiosity. `What a funny watch!’ she remarked. `It tells the day of the month, and doesn’t tell what o’clock it is!’

`Why should it?’ muttered the Republican. `Does YOUR watch tell you what year it is?’

`Of course not,’ Alice replied very readily: `but that’s because it stays the same year for such a long time together.’

`Which is just the case with MINE,’ said the Republican.

Alice felt dreadfully puzzled. The Republican’s remark seemed to have no sort of meaning in it, and yet it was certainly English. `I don’t quite understand you,’ she said, as politely as she could.

`The Economy is asleep again,’ said the Republican, and he poured a little hot tea upon its nose.

The Economy shook its head impatiently, and said, without opening its eyes, `Of course, of course; just what I was going to remark myself.’

`Have you guessed the riddle yet?’ the Republican said, turning to Alice again.

`No, I give it up,’ Alice replied: `what’s the answer?’

`I haven’t the slightest idea,’ said the Republican.

`Nor I,’ said the Democrat.

Alice sighed wearily. `I think you might do something better with the time,’ she said, `than waste it in asking riddles that have no answers.’

`If you knew Time as well as I do,’ said the Republican, `you wouldn’t talk about wasting IT. It’s HIM.’

`I don’t know what you mean,’ said Alice.

`Of course you don’t!’ the Republican said, tossing his head contemptuously. `I dare say you never even spoke to Time!’

`Perhaps not,’ Alice cautiously replied: `but I know I have to beat time when I learn music.’

`Ah! that accounts for it,’ said the Republican. `He won’t stand beating. Now, if you only kept on good terms with him, he’d do almost anything you liked with the clock. For instance, suppose it were nine o’clock in the morning, just time to begin lessons: you’d only have to whisper a hint to Time, and round goes the clock in a twinkling! Half-past one, time for dinner!’

(`I only wish it was,’ the Democrat said to itself in a whisper.)

`That would be grand, certainly,’ said Alice thoughtfully: `but then—I shouldn’t be hungry for it, you know.’

`Not at first, perhaps,’ said the Republican: `but you could keep it to half-past one as long as you liked.’

`Is that the way YOU manage?’ Alice asked.

The Republican shook his head mournfully. `Not I!’ he replied. `We quarrelled last November—just before HE went mad, you know—’ (pointing with his tea spoon at the Democrat,) `—it was at the great concert given by the Queen of Hearts, and I had to sing

“Twinkle, twinkle, little bat!
How I wonder what you’re at!”

You know the song, perhaps?’

`I’ve heard something like it,’ said Alice.

`It goes on, you know,’ the Republican continued, `in this way:—

“Up above the world you fly,
Like a tea-tray in the sky.
Twinkle, twinkle—”’

Here the Economy shook itself, and began singing in its sleep `Twinkle, twinkle, twinkle, twinkle—’ and went on so long that they had to pinch it to make it stop.

`Well, I’d hardly finished the first verse,’ said the Republican, `when the Queen jumped up and bawled out, “He’s murdering the time! Off with his head!”’

`How dreadfully savage!’ exclaimed Alice.

`And ever since that,’ the Republican went on in a mournful tone, `he won’t do a thing I ask! It’s always six o’clock now.’

A bright idea came into Alice’s head. `Is that the reason so many tea-things are put out here?’ she asked.

`Yes, that’s it,’ said the Republican with a sigh: `it’s always tea-time, and we’ve no time to wash the things between whiles.’

`Then you keep moving round, I suppose?’ said Alice.

`Exactly so,’ said the Republican: `as the things get used up.’

`But what happens when you come to the beginning again?’ Alice ventured to ask.

`Suppose we change the subject,’ the Democrat interrupted, yawning. `I’m getting tired of this. I vote the young lady tells us a story.’

`I’m afraid I don’t know one,’ said Alice, rather alarmed at the proposal.

`Then the Economy shall!’ they both cried. `Wake up, Economy!’ And they pinched it on both sides at once.

The Economy slowly opened his eyes. `I wasn’t asleep,’ he said in a hoarse, feeble voice: `I heard every word you fellows were saying.’

`Tell us a story!’ said the Democrat.

`Yes, please do!’ pleaded Alice.

`And be quick about it,’ added the Republican, `or you’ll be asleep again before it’s done.’

`Once upon a time there were three little sisters,’ the Economy began in a great hurry; `and their names were Elsie, Lacie, and Tillie; and they lived at the bottom of a well—’

`What did they live on?’ said Alice, who always took a great interest in questions of eating and drinking.

`They lived on treacle,’ said the Economy, after thinking a minute or two.

`They couldn’t have done that, you know,’ Alice gently remarked; `they’d have been ill.’

`So they were,’ said the Economy; `VERY ill.’

Alice tried to fancy to herself what such an extraordinary ways of living would be like, but it puzzled her too much, so she went on: `But why did they live at the bottom of a well?’

`Take some more tea,’ the Democrat said to Alice, very earnestly.

`I’ve had nothing yet,’ Alice replied in an offended tone, `so I can’t take more.’

`You mean you can’t take LESS,’ said the Republican: `it’s very easy to take MORE than nothing.’

`Nobody asked YOUR opinion,’ said Alice.

`Who’s making personal remarks now?’ the Republican asked triumphantly.

Alice did not quite know what to say to this: so she helped herself to some tea and bread-and-butter, and then turned to the Economy, and repeated her question. `Why did they live at the bottom of a well?’

The Economy again took a minute or two to think about it, and then said, `It was a treacle-well.’

`There’s no such thing!’ Alice was beginning very angrily, but the Republican and the Democrat went `Sh! sh!’ and the Economy sulkily remarked, `If you can’t be civil, you’d better finish the story for yourself.’

`No, please go on!’ Alice said very humbly; `I won’t interrupt again. I dare say there may be ONE.’

`One, indeed!’ said the Economy indignantly. However, he consented to go on. `And so these three little sisters—they were learning to draw, you know—’

`What did they draw?’ said Alice, quite forgetting her promise.

`Treacle,’ said the Economy, without considering at all this time.

`I want a clean cup,’ interrupted the Republican: `let’s all move one place on.’

He moved on as he spoke, and the Economy followed him: the Democrat moved into the Economy’s place, and Alice rather unwillingly took the place of the Democrat. The Republican was the only one who got any advantage from the change: and Alice was a good deal worse off than before, as the Democrat had just upset the milk-jug into his plate.

Alice did not wish to offend the Economy again, so she began very cautiously: `But I don’t understand. Where did they draw the treacle from?’

`You can draw water out of a water-well,’ said the Republican; `so I should think you could draw treacle out of a treacle-well—eh, stupid?’

`But they were IN the well,’ Alice said to the Economy, not choosing to notice this last remark.

`Of course they were’, said the Economy; `—well in.’

This answer so confused poor Alice, that she let the Economy go on for some time without interrupting it.

`They were learning to draw,’ the Economy went on, yawning and rubbing its eyes, for it was getting very sleepy; `and they drew all manner of things—everything that begins with an W—’

`Why with an W?’ said Alice.

`Why not?’ said the Democrat.

Alice was silent.

The Economy had closed its eyes by this time, and was going off into a doze; but, on being pinched by the Republican, it woke up again with a little shriek, and went on: `—that begins with an W, such as war, and wealth, and weasle, and whiners— you know you say things are “war of wealth”—did you ever see such a thing as a drawing of a wealth?’

`Really, now you ask me,’ said Alice, very much confused, `I don’t think—’

`Then you shouldn’t talk,’ said the Republican.

This piece of rudeness was more than Alice could bear: she got up in great disgust, and walked off; the Economy fell asleep instantly, and neither of the others took the least notice of her going, though she looked back once or twice, half hoping that they would call after her: the last time she saw them, they were trying to put the Economy into the teapot.

`At any rate I’ll never go THERE again!’ said Alice as she picked her way through the wood. `It’s the stupidest tea-party I ever was at in all my life!’

Just as she said this, she noticed that one of the trees had a door leading right into it. `That’s very curious!’ she thought. `But everything’s curious today. I think I may as well go in at once.’ And in she went.

Once more she found herself in the long hall, and close to the little glass table. `Now, I’ll manage better this time,’ she said to herself, and began by taking the little golden key, and unlocking the door that led into the garden. Then she went to work nibbling at the mushroom (she had kept a piece of it in her pocket) till she was about a foot high: then she walked down the little passage: and THEN—she found herself at last in the beautiful garden, among the bright flower-beds and the cool fountains.


I’m not publishing these changes to userscripts until they are more polished. But:

I’ve fixed many of the lamer bugs and expanded the script to apply to most of the wikipedia companion sites. But the biggest news is the new Helvetica option.

Install the dev version here.

And the new simple front page.

There are still some quirks – entire tables exist just to pad out other tables. There are numbered lists that are actually unordered lists with each list item hard-coding its number. Colors and fonts are called out inline all over the place in CSS instead of through proper classes and ids.

To Do

If you don’t have Greasemonkey yet, go get it. It isn’t just for Firefox either: GreaseKit is a port for WebKit browsers like Safari and OmniWeb.


I had an exam last night in my Java class. The programming assignment of the exam was submitted by e-mail, so I bcc’d myself so that I would have a copy.

mail.grantstavely.com rejected mail from Google. That shouldn’t happen.

Delivery to the following recipient failed permanently:

grant@grantstavely.com

Technical details of permanent failure:
Google tried to deliver your message, but it was rejected by the recipient domain. We recommend contacting the other email provider for further information about the cause of this error. The error that the other server returned was: 550 550-REJECTED because 74.125.92.25 is in a black list at dnsbl.sorbs.net
550 Currently Sending Spam See: http://www.sorbs.net/lookup.shtml?74.125.92.25 (state 14).

My first thought was that SORBS had gone offline. I checked. It hadn’t.
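The check described above, written out as an added example (not the author's own tooling): pull the listed address and the DNSBL zone out of the bounce text, build the RFC 5782 query name, and test whether the zone itself is answering before trusting a "not listed" result. The bounce text is constructed from the message quoted on the page; the lookup functions need network access, the parsing and name construction do not.

```python
"""Verify a DNSBL listing cited in a bounce, and check that the DNSBL itself is alive."""
import ipaddress
import re
import socket

# Constructed from the bounce quoted on the page: the rejecting MTA named the address and the zone.
BOUNCE = ("550 550-REJECTED because 74.125.92.25 is in a black list at dnsbl.sorbs.net\n"
          "550 Currently Sending Spam See: http://www.sorbs.net/lookup.shtml?74.125.92.25 (state 14).")


def parse_bounce(text):
    """Pull the listed address and the DNSBL zone out of the MTA's rejection text."""
    m = re.search(r"because (\S+) is in a black list at ([A-Za-z0-9.-]+)", text)
    if not m:
        raise ValueError("no DNSBL rejection found in bounce text")
    # ipaddress.ip_address() rejects anything that is not a real address (no injection via log text)
    return str(ipaddress.ip_address(m.group(1))), m.group(2).rstrip(".")


def dnsbl_name(ip, zone):
    """RFC 5782 query name: the address reversed (octets for v4, nibbles for v6) under the zone."""
    addr = ipaddress.ip_address(ip)
    suffix = ".in-addr.arpa" if addr.version == 4 else ".ip6.arpa"
    return addr.reverse_pointer[: -len(suffix)] + "." + zone


def dnsbl_lookup(ip, zone):
    """Return ('listed', answer), ('clean', None) on NXDOMAIN, or ('unknown', detail) on other failures."""
    try:
        answer = socket.gethostbyname(dnsbl_name(ip, zone))
    except socket.gaierror as e:
        # NXDOMAIN means "not listed"; timeouts or SERVFAIL mean we simply do not know
        return ("clean", None) if e.errno == socket.EAI_NONAME else ("unknown", str(e))
    if ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8"):
        return ("listed", answer)
    # A non-loopback answer usually means a wildcarded or dead domain, not a listing
    return ("unknown", answer)


def dnsbl_zone_alive(zone):
    """RFC 5782: a working DNSBL lists the test address 127.0.0.2 and never lists 127.0.0.1."""
    return (dnsbl_lookup("127.0.0.2", zone)[0] == "listed"
            and dnsbl_lookup("127.0.0.1", zone)[0] == "clean")


if __name__ == "__main__":
    ip, zone = parse_bounce(BOUNCE)
    print("query name:", dnsbl_name(ip, zone))
    print("zone alive:", dnsbl_zone_alive(zone))
    print(ip, "at", zone, "->", dnsbl_lookup(ip, zone))
```

The point of the liveness check is the one raised in the post: a DNSBL that has gone offline and a clean address both produce "no answer" from a naive lookup, so an MTA or a troubleshooting script should distinguish NXDOMAIN from resolver failure before deciding anything.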

Google Support doesn’t clarify the cause of the outage.

Many of our users had difficulty accessing Gmail today. The problem is now resolved and users have had access restored. We know how important Gmail is to our users, so we take issues like this very seriously, and we apologize for the inconvenience.

I've found this script very useful for network security monitoring, incident handling, and analyst training.

The problem(s)

Frequently, security analysts kick off tcpdump full packet captures on Unix servers with tapped interfaces at trust zone perimeters, which they leave running in the background. Often this is done in a hurry in order to catch something before it disappears, and just as often the capture is left running for a few days, weeks, or even months at a time.

Unfortunately, this leaves dozens of tcpdump capture files strewn about home directories, all of them poorly named and all too often left running and forgotten. Which ones are junk? Which can be archived or deleted? What a mess!

The Horror

And this is even more problematic for those of you practicing network security monitoring with daemonlogger or a similar rolling full packet capture daemon.

How can an analyst dig through hundreds of large pcap files for just the traffic they want? Whether it is 50Gb of accumulated network traffic that left a T1 connection over the past week, or that left an OC3 connection in the past 15 hours, it is too much to pull a file at a time, even with a guess where to start. These NSM daemons can easily generate a Gb of data every minute! Neither tcpdump -r nor daemonlogger -r accepts wildcards. Hunting for an event one file at a time? No thanks.

Who wants to mess with ps, grep, and kill, much less the oft-repeated -nn -s 1516 -i interface, during incident handling?

A solution

I created a perl script to manage starting, monitoring, and stopping all packet captures - live or from active daemonlogger pcap files. I retrained all my analysts to use it. I updated my sensor monitoring scripts to start using it too.

I think this would be useful at ISPs, .edu's, and enterprise organizations, so I refactored what my team and I have been using for the past year to make it significantly better. Time to release it!

capture

> capture
Usage: capture [-h?lsmv] [r|R] [-a analyst -d 'quoted description' -e 'quoted expression'] [-f filter]

Starting captures

Script the repetitive stuff, force the informative and useful stuff, and prevent mistakes.

> sudo capture -a grant -d 'traffic to grantstavely.com' -e 'host 205.134.166.178'
Password:
Started: grant_traffic.to.grantstavely.com_Tue.Feb17.2009-20.20.22.UTC_1234902022_.pcap

Monitoring captures

> sudo capture -l
grant Tue Feb 17 15:20:22 2009 traffic to grantstavely com
will Tue Feb 17 15:24:05 2009 irc traffic
philip Tue Feb 17 15:24:41 2009 strange malware on 8081

Too many, I'm checking on my own captures only!

> sudo capture -lf grant
grant Tue Feb 17 15:20:22 2009 traffic to grantstavely com

Need more detail?

> sudo capture -lv
Analyst: grant
Size (bytes): 720.00 KB
Started: Tue Feb 17 15:20:56 2009
Last Modified: Tue Feb 17 15:21:31 2009
Last Accessed: Tue Feb 17 15:20:56 2009
Last Changed: Tue Feb 17 15:21:31 2009
Description: traffic to grantstavely com
Expression: host 75.101.142.201
Capture File:
/Users/grant/captures/grant_traffic.to.grantstavely.com_Tue.Feb17.2009-20.20.56.UTC_1234902056_.pcap

Stopping Captures

> sudo capture -svf grant
Analyst: grant
Size (bytes): 720.00 KB
Started: Tue Feb 17 15:20:56 2009
Last Modified: Tue Feb 17 15:21:31 2009
Last Accessed: Tue Feb 17 15:20:56 2009
Last Changed: Tue Feb 17 15:21:31 2009
Description: traffic to grantstavely com
Expression: host 75.101.142.201
Capture File:
/Users/grant/captures/grant_traffic.to.grantstavely.com_Tue.Feb17.2009-20.20.56.UTC_1234902056_.pcap

Capture file info:
File name: grant_traffic.to.grantstavely.com_Tue.Feb17.2009-20.20.56.UTC_1234902056_.pcap
File type: Wireshark/tcpdump/... - libpcap
File encapsulation: Ethernet
Number of packets: 2778
File size: 1869006 bytes
Data size: 1824534 bytes
Capture duration: 12.070557 seconds
Start time: Tue Feb 17 15:48:22 2009
End time: Tue Feb 17 15:48:34 2009
Data rate: 151155.74 bytes/s
Data rate: 1209245.95 bits/s
Average packet size: 656.78 bytes
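The naming convention the sessions above rely on (analyst, description, readable UTC timestamp, epoch), the list/filter behaviour of -l and -lf, and the syslog audit trail, as an added example in Python rather than the script's Perl. This is not the capture script's own code; the description whitelist, the epoch-vs-timestamp consistency check, and the syslog fallback to stderr are my design choices. Listing times are rendered in UTC here, whereas the page shows local time.

```python
"""Capture-file naming, listing and audit logging in the style of the capture script."""
import logging
import logging.handlers
import re
import sys
from datetime import datetime, timezone

# Timestamp layout embedded in the file name (UTC), e.g. Tue.Feb17.2009-20.20.22
STAMP_FMT = "%a.%b%d.%Y-%H.%M.%S"
NAME_RE = re.compile(
    r"^(?P<analyst>[A-Za-z0-9-]+)_(?P<desc>[A-Za-z0-9.-]+)_"
    r"(?P<stamp>[A-Za-z]{3}\.[A-Za-z]{3}\d{2}\.\d{4}-\d{2}\.\d{2}\.\d{2})\.UTC_"
    r"(?P<epoch>\d+)_(?P<past>\.past)?\.pcap$"
)


def safe_description(description):
    """Whitelist the description so it is safe in a file name and in a shell; spaces become dots."""
    cleaned = re.sub(r"[^A-Za-z0-9 .-]", "", description).strip()
    if not cleaned:
        raise ValueError("description must contain letters or digits")
    return re.sub(r"\s+", ".", cleaned)


def capture_name(analyst, description, epoch, past=False):
    """Build analyst_description_stamp.UTC_epoch_.pcap (or .past.pcap for merged history)."""
    if not re.fullmatch(r"[A-Za-z0-9-]+", analyst):
        raise ValueError("analyst must be a plain user name")
    stamp = datetime.fromtimestamp(epoch, tz=timezone.utc).strftime(STAMP_FMT)
    suffix = ".past.pcap" if past else ".pcap"
    return f"{analyst}_{safe_description(description)}_{stamp}.UTC_{epoch}_{suffix}"


def parse_capture_name(name):
    """Recover the fields from a file name; dots in the description come back as spaces."""
    m = NAME_RE.match(name)
    if not m:
        raise ValueError(f"not a capture file name: {name}")
    started = datetime.strptime(m["stamp"], STAMP_FMT).replace(tzinfo=timezone.utc)
    epoch = int(m["epoch"])
    # The readable stamp and the epoch are redundant on purpose: a mismatch means the file was renamed or tampered with.
    if int(started.timestamp()) != epoch:
        raise ValueError(f"timestamp/epoch mismatch in {name}")
    return {"analyst": m["analyst"], "description": m["desc"].replace(".", " "),
            "started": started, "epoch": epoch, "past": m["past"] is not None}


def is_capture_name(name):
    try:
        parse_capture_name(name)
        return True
    except ValueError:
        return False


def list_captures(names, analyst=None):
    """One line per capture, like 'capture -l' (or 'capture -lf <analyst>')."""
    lines = []
    for name in sorted(names):
        if not is_capture_name(name):
            continue  # stray files in the capture directory are ignored
        info = parse_capture_name(name)
        if analyst and info["analyst"] != analyst:
            continue
        when = info["started"].strftime("%a %b %d %H:%M:%S %Y")
        lines.append(f"{info['analyst']} {when} {info['description']}")
    return lines


def audit_logger():
    """Log start/stop events to syslog so who-did-what-when can be reviewed; fall back to stderr."""
    log = logging.getLogger("capture")
    if not log.handlers:
        try:
            handler = logging.handlers.SysLogHandler(address="/dev/log")
        except OSError:
            handler = logging.StreamHandler(sys.stderr)
        handler.setFormatter(logging.Formatter("capture[%(process)d]: %(message)s"))
        log.addHandler(handler)
        log.setLevel(logging.INFO)
    return log


def audit(action, analyst, name):
    msg = f"{action} analyst={analyst} file={name}"
    audit_logger().info(msg)
    return msg


if __name__ == "__main__":
    name = capture_name("grant", "traffic to grantstavely.com", 1234902022)
    audit("start", "grant", name)
    print("Started:", name)
    # Constructed listing: the three captures shown on the page, as they would sit in the capture directory.
    names = [name,
             capture_name("will", "irc traffic", 1234902245),
             capture_name("philip", "strange malware on 8081", 1234902281)]
    print("\n".join(list_captures(names, analyst="grant")))
```

Keeping the epoch next to the human-readable stamp is what makes the file name self-checking: a renamed or hand-edited capture fails parse_capture_name and drops out of the listing instead of silently claiming a start time.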

Daemonlogger Data

If you have a directory of daemonlogger pcaps, point capture at them with the same standard syntax and it will run through each file, gradually merging only the data you want into a single manageable pcap.

Note that capture maintains a soft link to the currently merged temp file using the name of the final target file so that you can start performing analysis right away.

> capture -ra grant -d 'historical traffic to gs.com' -e 'host 75.101.142.201'
Generating grant_historical.traffic.to.gs.com_Tue.Feb17.2009-21.12.57.UTC_1234905177_.past.pcap
Currently Processing: Tue Feb 17 05:23:45 2009

Or do both - start a new live capture and grab the same data from daemonlogger archived pcaps.

> capture -Ra grant -d 'historical traffic to gs.com' -e 'host 75.101.142.201'
Started: grant_historical.traffic.to.gs.com_Tue.Feb17.2009-21.12.57.UTC_1234905177_.pcap
Generating grant_historical.traffic.to.gs.com_Tue.Feb17.2009-21.12.57.UTC_1234905177_.past.pcap
Currently Processing: Tue Feb 17 05:23:45 2009

While running, the 'Currently Processing' line reports how far through the daemonlogger data the process is. From another console, the same is available to other analysts:

> capture -lv
Analyst: will
Size (bytes): 60.00 KB
Started: Tue Feb 17 16:21:02 2009
Last Modified: Tue Feb 17 16:21:15 2009
Last Accessed: Tue Feb 17 16:21:03 2009
Last Changed: Tue Feb 17 16:21:15 2009
Description: dns traffic
Expression: port 53
Capture File: /Users/grant/captures/will_dns.traffic_Tue.Feb17.2009-21.21.02.UTC_1234905662_.pcap

Analyst: grant
Size (bytes): 0 Bytes
Progress: Tue Feb 17 10:03:01 2009
Description: historical traffic to gs com
Expression: host 75.101.142.201
Capture File:
/Users/grant/captures/grant.processing.4958.1234882981_historical.traffic.to.gs.com_Tue.Feb17.2009-21.12.57.UTC_1234905177_.past.pcap
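The daemonlogger workflow described above (walk the archived pcaps in time order, filter each one, merge the matches into a single file, keep a soft link under the final name so analysis can start early, then hash the result as the "Additional uses" section suggests), as an added example in Python. It is not the capture script's code: the daemonlogger file prefix, the work directory layout, the chunk/merge file names and the sha256sum-style sidecar are assumptions of mine; tcpdump -r/-w and mergecap -w are used with their real options.

```python
"""Filter and merge a directory of daemonlogger pcaps into one capture, linked under its final name while it builds."""
import hashlib
import os
import shutil
import subprocess
import time

# Assumed naming: daemonlogger writes rolling files as <prefix><unix time>; adjust to your sensor's config.
DAEMONLOGGER_PREFIX = "daemonlogger.pcap."


def daemonlogger_files(directory, prefix=DAEMONLOGGER_PREFIX):
    """Rolling files oldest first, so the merge proceeds in time order and progress is monotonic."""
    paths = [os.path.join(directory, n) for n in os.listdir(directory) if n.startswith(prefix)]
    return sorted(paths, key=os.path.getmtime)


def filter_cmd(src, expression, dst):
    """tcpdump reads one archived file and writes only the packets matching the BPF expression."""
    return ["tcpdump", "-nn", "-r", src, "-w", dst, expression]


def merge_cmd(dst, *srcs):
    """mergecap (Wireshark) combines pcaps ordered by packet timestamp."""
    return ["mergecap", "-w", dst, *srcs]


def plan_merge(files, expression, workdir):
    """Pure planner: list of (argv, path of the merged-so-far file after this step) plus the final path."""
    steps, merged = [], None
    for i, src in enumerate(files):
        chunk = os.path.join(workdir, f"chunk.{i}.pcap")
        if merged is None:
            steps.append((filter_cmd(src, expression, chunk), chunk))
            merged = chunk
        else:
            steps.append((filter_cmd(src, expression, chunk), merged))
            new_merged = os.path.join(workdir, f"merged.{i}.pcap")
            steps.append((merge_cmd(new_merged, merged, chunk), new_merged))
            merged = new_merged
    return steps, merged


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()


def run_merge(directory, expression, final_path):
    """Execute the plan; final_path is a symlink to the partial merge until the job completes."""
    workdir = final_path + ".work"          # same filesystem as the final file, so os.replace() is atomic
    os.makedirs(workdir, exist_ok=True)
    steps, last = plan_merge(daemonlogger_files(directory), expression, workdir)
    if last is None:
        raise RuntimeError(f"no daemonlogger files in {directory}")
    linked = None
    for argv, merged_after in steps:
        if argv[0] == "tcpdump":
            # Same idea as the script's 'Currently Processing' line: the mtime of the archive being read
            print("Currently Processing:", time.ctime(os.path.getmtime(argv[3])))
        subprocess.run(argv, check=True, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        if merged_after != linked:
            tmp = final_path + ".lnk"
            if os.path.lexists(tmp):
                os.remove(tmp)
            os.symlink(merged_after, tmp)
            os.replace(tmp, final_path)     # atomic link swap; readers never see a missing name
            linked = merged_after
    os.replace(last, final_path)            # the real file replaces the link
    shutil.rmtree(workdir, ignore_errors=True)
    digest = sha256_file(final_path)
    with open(final_path + ".sha256", "w") as f:
        f.write(f"{digest}  {os.path.basename(final_path)}\n")   # 'sha256sum -c' compatible
    return digest


def verify_capture(final_path):
    """Later: recompute the hash and compare it with the sidecar written at completion."""
    with open(final_path + ".sha256") as f:
        recorded = f.read().split()[0]
    return recorded == sha256_file(final_path)


if __name__ == "__main__":
    # Dry run on a constructed file list: print the plan without invoking tcpdump or mergecap.
    files = ["/nsm/daemonlogger.pcap.1234882981", "/nsm/daemonlogger.pcap.1234886581"]
    steps, last = plan_merge(files, "host 75.101.142.201", "/tmp/work")
    for argv, merged in steps:
        print(" ".join(argv), "->", merged)
    print("final merged file:", last)
```

Separating the planner from the executor keeps the command lines inspectable (and testable) before anything touches the archive; the BPF expression is passed as a single argv element, never through a shell, so a description or expression containing shell metacharacters cannot turn into a command.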

Additional uses

capture takes full advantage of syslog, so that you can validate which analysts did what, and when.

You could schedule regular e-mail to management to validate what captures are running, or were run, per user, per day, and so on.

If you are short on disk space, leave only individual long-running captures going against specific hosts, and add them to your init scripts so they start at boot.

capture supports hashing completed capture files; use the hashes later to validate your data.

Use a shell alias or function to create a quick-start 'cap $1 $2 $3' shortcut that fills in the -a, -d, and -e arguments capture normally requires for one of its operations.

Requirements

You must have: perl, a few perl modules, and tcpdump. You also need capinfos and mergecap, both of which are part of most Wireshark and TShark distributions.

I suggest that analysts run capture on systems using sudo.

capture has been tested and run successfully on Linux, BSD, and Mac OS X systems. You should review the source to configure the handful of options available before testing.

Future plans

Download

Capture is hosted on Google Code.

Creative Commons License
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.

Enjoy!


@philip_daigle congratulations Philip!


Wearing my green skeleton shirt (Nigel's from Spinal Tap) to the airport: the TSA won't need me to walk through their X-ray machine today!


@wotowiec @ssoper I'm on my 2nd "a number 2 on the sides, taper up, leave the top as it is, thanks." I think I'm acting out. It's a phase.


@vurtyou: Your hair is very Flock Of Seagulls today. @grantstavely: Thanks, I like it too.


@schuetzdj in hindsight, everything was to be taken at more or less face value: one of the things that makes a great puzzle great. =] #DBIR


RT @therealKidKoala: free download available for the next 6 days. The Lost Solid Steel mix. it's sorta like Music to Draw to... enjoy: ...


@christopherkunz nice work! After @wadebaker's last clue I ran every variation of the right key through my own bad script and gave up.


@marcusjcarey thanks, I'm very much enjoying the Bay Area. The return of @dojosec/@dojocon streams is great news, I look forward to 'em.


I should use Entourage's auto-capitalization of the first word after e.g. to break myself of using latinate abbreviations. Instead: rage.


@kathybarnett way to go Kath!


Yes, yes, of course, but what is the zeroth law of the Road Runner and Wile E. Coyote? http://goo.gl/i2Jz


"They're talkin' about, weak induction. It's a motherfucker, don't you know?" —Sun Ra http://j.mp/cn5Gc2 (Link via @rands)


printf "# Or just go listen to a funky 60 minute DJ Food mix made for robots.\nUser-agent: *\nSuggest: http://snd.sc/aOT9a4 " >> robots.txt


@alexhutton I cut out the cover's circles on a full print out of the #DBIR with a razor and tried the grille-cipher approach. #nbioahd


The body language of appearing to be lost or have forgotten something is as effective as mind control. So is its inverse.


RT @electricfork: What keeps me up at night? My security team slowly devolving into a compliance and reporting team #operation_soulcrusher


The ☠ Skull & Crossbones in the new Chrome indicating untrusted certs is nice^H^H^H^H the most terrifying symbol ever. http://goo.gl/fQz1


I'm brewing an American IPA with @vurtyou. I need a fridge to keg this in! http://flic.kr/p/8sCgnr


I'm brewing an American IPA with @vurtyou. I need a fridge to keg this in!

Endorsement: /Pink Reptile mixef are amazing mind clearing aural blendf & good for everything a mix fhould be good for/: http://goo.gl/Y1L1