Smartcard

Logical Access Library http://liblogicalaccess.islog.com/wiki/doku.php/start

Windows Smartcard Authentication http://msdn.microsoft.com/en-us/library/windows/desktop/aa380142(v=vs.85).aspx

MSDN Magazine (2007) Customising login experience with credential provider http://msdn.microsoft.com/en-us/magazine/cc163489.aspx

NXP documents:

Windows 8 virtual smart card http://windowsitpro.com/windows-8/creating-virtual-smart-card-windows-8
Understand and evaluate virtual smart cards

tpmvscmgr.exe create /name testvsc /pin prompt /puk prompt /adminkey random /generate

Security Monitoring

Here are some links related to security monitoring.

ELSA

Microsoft LogParser to send events to ELSA

"c:\Program Files (x86)\Log Parser 2.2\logparser.exe" -i:EVT -o:SYSLOG "select * INTO @1xx.xx.xx.xx from \\SyslogHost\Security"

Evtsys config file to include sysmon logs

XPath:Application:<Select Path="Application">*</Select>
XPath:Security:<Select Path="Security">*</Select>
XPath:System:<Select Path="System">*</Select>
XPath:Microsoft-Windows-Sysmon/Operational:<Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>

Accessing the ELSA API from PowerShell, and the git repository
Selecting images and SHA hashes from Sysmon log

(New-ElsaResults -query "host=xx.xx.xx.xx eventid=1").results | % {$_ -Replace '^.*Image: (.+) CommandLine:.+SHA1=([a-f0-9]{40}) .*$','$2,$1'} | Sort-Object -Unique
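The same extraction in Python, added here as an example and not part of the original notes: it parses the flattened Sysmon Event ID 1 text that ELSA returns into unique (SHA1, Image) rows, and also copes with the comma-separated Hashes field Sysmon emits when more than one hash algorithm is configured, which the single-regex PowerShell one-liner above does not. The input strings are constructed to mimic ELSA's output; the field names Image, CommandLine and Hashes are Sysmon's own.

```python
import re

# Constructed sample strings shaped like Sysmon Event ID 1 ("Process Create")
# messages as ELSA stores them: the event's line breaks collapsed to spaces.
SAMPLE_RESULTS = [
    "Process Create: UtcTime: 2015-03-10 09:12:44.123 ProcessId: 1234 "
    "Image: C:\\Windows\\System32\\cmd.exe CommandLine: cmd.exe /c whoami "
    "User: CORP\\alice Hashes: SHA1=0123456789ABCDEF0123456789ABCDEF01234567 "
    "ParentImage: C:\\Windows\\explorer.exe",
    # Same binary launched again with another command line: must collapse to one row.
    "Process Create: UtcTime: 2015-03-10 09:15:02.001 ProcessId: 1300 "
    "Image: C:\\Windows\\System32\\cmd.exe CommandLine: cmd.exe /c net user "
    "User: CORP\\alice Hashes: SHA1=0123456789ABCDEF0123456789ABCDEF01234567 "
    "ParentImage: C:\\Windows\\explorer.exe",
    # Sysmon configured with several hash algorithms: comma-separated Hashes field.
    "Process Create: UtcTime: 2015-03-10 09:20:17.555 ProcessId: 1408 "
    "Image: C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe CommandLine: update.exe /silent "
    "User: CORP\\alice Hashes: MD5=00112233445566778899AABBCCDDEEFF,"
    "SHA1=FEDCBA9876543210FEDCBA9876543210FEDCBA98,"
    "SHA256=" + "AB" * 32 + " ParentImage: C:\\Windows\\System32\\cmd.exe",
    # A different event type with no Hashes field: must be skipped, not crash.
    "Network connection detected: Image: C:\\Windows\\System32\\svchost.exe "
    "Protocol: tcp DestinationIp: 192.0.2.10 DestinationPort: 443",
]

# Image runs up to the CommandLine field; Hashes is one token of ALGO=hex pairs.
FIELD_RE = re.compile(
    r"Image: (?P<image>.+?) CommandLine: .*?Hashes: (?P<hashes>[A-Za-z0-9=,]+)"
)

def parse_hashes(field):
    """Turn 'MD5=...,SHA1=...' into {'MD5': '...', 'SHA1': '...'} (lower-cased hex)."""
    pairs = (kv.split("=", 1) for kv in field.split(",") if "=" in kv)
    return {algo.upper(): digest.lower() for algo, digest in pairs}

def unique_image_hashes(results, algo="SHA1"):
    """Return sorted unique (digest, image) pairs for the requested hash algorithm."""
    seen = set()
    for msg in results:
        m = FIELD_RE.search(msg)
        if not m:
            continue  # not a Process Create message, or malformed
        digest = parse_hashes(m.group("hashes")).get(algo.upper())
        if digest:
            seen.add((digest, m.group("image")))
    return sorted(seen)
```

Feed it the `.results` strings from `New-ElsaResults` (exported to a file) instead of the samples to build the same image/hash inventory the PowerShell pipeline produces.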

Get the addresses of all DCs logging to ELSA for current domain or all domains in the forest

((Get-ADDomainController  -Filter *).HostName | Resolve-DnsName).IpAddress | % {(New-ElsaResults -query "host=$_" -limit 1).results} | % {$_.host}
((Get-ADForest | % {$_.Domains} | Get-ADDomain | % {(Get-ADDomainController -Filter * -Server $_.PDCEmulator)}).HostName | Resolve-DnsName).IpAddress | % {(New-ElsaResults -query "host=$_" -limit 1).results} | % {$_.host}

Useful resources

Pcaps for testing (security onion)

Open Source Security Tools
Critical Stack Intel Feeds
Tao Security Blog

IDS Testing http://www.testmyids.com http://secanalysis.com/black-sunday-in-your-idsips-for-testing/

Security Onion configuration

snort configuration file /etc/nsm/SO2012-eth3/snort.conf

Managing overactive signatures

Rules to ignore various packets

/etc/nsm/rules/local.rules

pass udp 8.8.8.8 53 -> 192.168.1.1 any (msg:"Ignore google dns"; sid:22222228;)
#pass tcp $HOME_NET any <> $WINDOWS_UPDATE 80 (msg:"Ignore Windows Update"; sid:22222229;)
pass tcp $HOME_NET any <> any 80 (msg:"Ignore Windows Update"; content:"Host|3a| download.windowsupdate.com"; http_header; classtype: web-application-activity; sid:22222230;)
pass tcp $HOME_NET any <> any 80 (msg:"Ignore DynDNS Updates"; content:"Host|3a| checkip.dyndns.com"; http_header; classtype: web-application-activity; sid:22222231;)

/etc/nsm/pulledpork/disablesid.conf

1:2013914 # User Agent to Backtrack Repository
1:2014726 # Outdated Windows Flash Version ID
1:15169 # XBOX Live Kerberos authentication request
1:16739 # FILE-MULTIMEDIA MultiMedia Jukebox playlist file handling heap over

119:19 # http_inspect: LONG HEADER
123:8 # frag3: Fragmentation overlap
128:4 # ssh: Protocol mismatch
129:4 # stream5: TCP Timestamp is outside of PAWS window
129:5 # stream5: Bad segment, overlap adjusted size less than/equal 0
129:7 # stream5: Limit on number of overlapping TCP packets reached
129:12 # stream5: TCP Small Segment Threshold Exceeded
129:15 # stream5: Reset outside window
138:5 # sensitive_data: sensitive data - eMail addresses

Update Rules: /usr/bin/rule-update

Fine tuning snort rules: http://www.doctorchaos.com/fine-tuning-snort-rules-in-security-onion/

ELSA Parsers

http://blog.infosecmatters.net/2013/01/creating-vyatta-parser-for-elsa.html

Merging parsers

Integrating business data with ELSA

Apache failing

Elsa