Logical Access Library

Windows Smartcard Authentication

MSDN Magazine (2007) Customising login experience with credential provider

NXP documents:

Windows 8 virtual smart card
Understand and evaluate virtual smart cards

tpmvscmgr.exe create /name testvsc /pin prompt /puk prompt /adminkey random /generate

Security Monitoring

Here are some links related to security monitoring.


Microsoft LogParser to send events to ELSA

"c:\Program Files (x86)\Log Parser 2.2\logparser.exe" -i:EVT -o:SYSLOG "select * INTO @1xx.xx.xx.xx from \\SyslogHost\Security"

Evtsys config file to include sysmon logs

XPath:Application:<Select Path="Application">*</Select>
XPath:Security:<Select Path="Security">*</Select>
XPath:System:<Select Path="System">*</Select>
XPath:Microsoft-Windows-Sysmon/Operational:<Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>

Accessing the ELSA API from PowerShell, and the git repository
Selecting images and SHA hashes from Sysmon log

(New-ElsaResults -query "host=xx.xx.xx.xx eventid=1").results | % {$_ -Replace '^.*Image: (.+) CommandLine:.+SHA1=([a-f0-9]{40}) .*$','$2,$1'} | Sort-Object -Unique
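The same extraction as the PowerShell one-liner above, written as an added Python example (not from the page or the ELSA project) that parses flattened Sysmon Event ID 1 message text, deduplicates (hash, image) pairs, and, going a step further than the one-liner, lets you pick MD5, SHA256 or IMPHASH when Sysmon is configured to log more than one algorithm; the sample messages, paths and hash values are constructed.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Constructed sample records in the one-line form the one-liner's regex
# expects (Sysmon Event ID 1 fields joined by spaces). Hashes are placeholders.
SAMPLE_RESULTS = [
    "Process Create: ProcessId: 1234 Image: C:\\Windows\\System32\\cmd.exe "
    "CommandLine: cmd.exe /c whoami User: LAB\\alice "
    "Hashes: SHA1=" + "a" * 40 + ",MD5=" + "c" * 32 + " ParentProcessId: 1",
    # Same binary launched again: must collapse to one entry.
    "Process Create: ProcessId: 5678 Image: C:\\Windows\\System32\\cmd.exe "
    "CommandLine: cmd.exe /c ipconfig User: LAB\\alice "
    "Hashes: SHA1=" + "a" * 40 + ",MD5=" + "c" * 32 + " ParentProcessId: 1",
    # Path with spaces and upper-case hex, as Sysmon emits it.
    "Process Create: ProcessId: 9012 Image: C:\\Program Files\\Tool\\tool.exe "
    "CommandLine: \"C:\\Program Files\\Tool\\tool.exe\" --run User: LAB\\bob "
    "Hashes: SHA1=" + "B" * 40 + ",SHA256=" + "e" * 64 + " ParentProcessId: 1",
    # Sensor configured for MD5 only: skipped when SHA1 is requested.
    "Process Create: ProcessId: 3456 Image: C:\\Windows\\System32\\notepad.exe "
    "CommandLine: notepad.exe User: LAB\\bob "
    "Hashes: MD5=" + "d" * 32 + " ParentProcessId: 1",
]

# Non-greedy so an image path containing spaces stops at the CommandLine field.
IMAGE_RE = re.compile(r"Image: (?P<image>.+?) CommandLine: ")
# One or more ALGO=hex pairs separated by commas (SHA1, MD5, SHA256, IMPHASH).
HASHES_RE = re.compile(r"Hashes: (?P<hashes>(?:[A-Z0-9]+=[0-9A-Fa-f]+,?)+)")


def parse_hashes(field: str) -> Dict[str, str]:
    """Turn 'SHA1=..,MD5=..' into {'SHA1': '..', 'MD5': '..'} with lower-case hex."""
    pairs = (p.split("=", 1) for p in field.split(",") if p)
    return {algo: value.lower() for algo, value in pairs}


def extract_image_hashes(messages: Iterable[str], algo: str = "SHA1") -> List[Tuple[str, str]]:
    """Return sorted unique (hash, image) pairs for the requested algorithm."""
    seen = set()
    for msg in messages:
        img, hashes = IMAGE_RE.search(msg), HASHES_RE.search(msg)
        if not img or not hashes:
            continue  # not a Process Create record, or malformed
        parsed = parse_hashes(hashes.group("hashes"))
        if algo in parsed:
            seen.add((parsed[algo], img.group("image")))
    return sorted(seen)


if __name__ == "__main__":
    for sha1, image in extract_image_hashes(SAMPLE_RESULTS):
        print(f"{sha1},{image}")
```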

Get the addresses of all DCs logging to ELSA for current domain or all domains in the forest

((Get-ADDomainController  -Filter *).HostName | Resolve-DnsName).IpAddress | % {(New-ElsaResults -query "host=$_" -limit 1).results} | % {$}
((Get-ADForest | % {$_.Domains} | Get-ADDomain | % {(Get-ADDomainController -Filter * -Server $_.PDCEmulator)}).HostName | Resolve-DnsName).IpAddress | % {(New-ElsaResults -query "host=$_" -limit 1).results} | % {$}

Useful resources

Pcaps for testing (security onion)

Open Source Security Tools
Critical Stack Intel Feeds
Tao Security Blog

IDS Testing

Security Onion configuration

snort configuration file /etc/nsm/SO2012-eth3/snort.conf

Managing overactive signatures

Rules to ignore various packets


pass udp 53 -> any (msg:"Ignore google dns"; sid:22222228;)
#pass tcp $HOME_NET any <> $WINDOWS_UPDATE 80 (msg:"Ignore Windows Update"; sid:
pass tcp $HOME_NET any <> any 80 (msg:"Ignore Windows Update"; content:"Host|3a|"; http_header; classtype: web-application-activity;
pass tcp $HOME_NET any <> any 80 (msg:"Ignore DynDNS Updates"; content:"Host|3a|"; http_header; classtype: web-application-activity; sid:2222


1:2013914 # User Agent to Backtrack Repository
1:2014726 # Outdated Windows Flash Version ID
1:15169 # XBOX Live Kerberos authentication request
1:16739 # FILE-MULTIMEDIA MultiMedia Jukebox playlist file handling heap over

119:19 # http_inspect: LONG HEADER
123:8 # frag3: Fragmentation overlap
128:4 # ssh: Protocol mismatch
129:4 # stream5: TCP Timestamp is outside of PAWS window
129:5 # stream5: Bad segment, overlap adjusted size less than/equal 0
129:7 # stream5: Limit on number of overlapping TCP packets reached
129:12 # stream5: TCP Small Segment Threshold Exceeded
129:15 # stream5: Reset outside window
138:5 # sensitive_data: sensitive data - eMail addresses

Update Rules: /usr/bin/rule-update

Fine tuning snort rules:

ELSA Parsers

Merging parsers

Integrating business data with ELSA

Apache failing