I dunno why on earth I have this blog.
Human Factor..
The talk that I’ve presented during Infosec.my technical forum this year is Network Security: 3 Key Elements where the key elements are process, technology and Human. I have the idea to give presentation on that topic based on my observation and experience in this field (OK not that long though). Most of our competitor emphasis on how advance their technology is when managing their clients network security. Well I am from the old school in this field where I believe technology is only to assists human in performing their tasks. From the email that I received this morning, I know how right I am in this matter..
Category = Firewall
Severity = Medium
Events = Blocked event
Source IP = Local ISP
Destination IP = Web Server
Destination port = 22, 443
Impact = NetBIOS sharing and possible information disclosure and loss of data
Raw log :
Firewall: Firewall device_id=Firewall [No Name]system-notification-xxxx(traffic): start_time=”today early in the morning” duration=0 policy_id=xx service=https proto=6 src zone=Untrust dst zone=DMZ action=Deny sent=0 rcvd=0 src=(Local ISP) dst=(Web Server)src_port=11866 dst_port=443 session_id=0
Firewall: Firewall device_id=Firewall [No Name]system-notification-xxxx(traffic): start_time=”Few minutes after the first log” duration=0 policy_id=xx service=https proto=6 src zone=Untrust dst zone=DMZ action=Deny sent=0 rcvd=0 src=(Local ISP) dst=(Web Server) src_port=12243 dst_port=443 session_id=0
Can you spot the mistakes? Do you think this event should be escalated? Be my guest to comment 
===============================================================
Update: Thanks for all of your comments.
Actually, this event should not reached the client. In other words, this is event does not require any escalation to be made. The firewall has done its job efficiently and port 22 (SSH) and 443 (HTTPS) has nothing to do with NetBIOS or any of its family. I guess the best comment is from ZiaSay’s (I know who you are hahaha)
———————————————————————————–
Apa la kowang merapu niiiii.. org tanya lain, lain plak kowang jawap yer… kang aku suruh “epul buka TOPENG” kang baru semua terkuzat..
Komen-komen anda semua boleh buat ramai “pecah kapla dan WET wooo uiiii dont make me honi laaa weii ” mehmehmeh..
ok lemme Ella_b0rit’s <– kena ado “aSS” sket
TuanRumah quote’s
“Can you spot the mistakes? Do you think this event should be escalated? Be my guest to comment”
ZiaSay’s
Category = Firewall <– Tak Mistake sbb dari fw event
Severity = “Medium” <– Sikit Mistake kot sbb event ni tak membawa apa-apa “kesan” pung sbb dah kena DENY la katakan.. mehmehmeh it should have been “LOW”.. anyway “wording Severity” tu ader dlm template kan.
Events = Blocked event <– Tak Mistake sbb dari fw rules
Source IP = Local ISP <– Tak Mistake sbb dari fw rules
Destination IP = Web Server <– Tak Mistake sbb dari fw rules
Destination port = 22 <– MISTAAAAAAAAAAAAAKE!!!!! SBBnya.. NTAH MANA-MANA DTG NTAH PORT NI!!!! WEIIIIIII TIDO KA!!! ITU “ssh” LAAAA ADER KER DARI DLM RAW-SYSLOG PAYLOAD TU EK 
YG AKU PERASAAN PAYLOAD TU SEMUA TUNJUK “https-443″ JERRR.. ISKKK…ISKKK
port = 443 <– Tak Mistake sbb dari fw rules
Impact = NetBIOS sharing and possible information disclosure and loss of data <– MISTAAAAAKEEEEEE.. HAHAHHAHAHAHAHA!!! APO KOJADAHNYA KOWANG BUAT KERJAAAA HAAAAAAA!!!!
AKU UMPAMAKAN “ORG” YG BUAT KERJA NI MCM :-
“BARU LEPAS CAPMELAN PASTU DIA TANYA DIRI DIA SENDIRI, HEHHH TADI AKU LUNCH-UP KER or AKU GI MAKAN EK???
PADAN LA IKAN BAKAR KAT KEDAI BASIKAL MOTEN BIKE ALI KOMPUETERRR TU VERY CHEAP-UP LERR…”"
BEST NYERRR!!! …DIA KATA”
HAHAHHAHAHAHA!!!! APOKOJADAHNYA netbios kena ngena gan https & ssh ni weiiii.. sakit “telo” aku gelak!!!!
MORAL OF THE STORY:
Kalau suka sgt guna mouse utk copy & paste pastu dan MALAS utk re-read or re-confirm or perasan “aku dah terrel” beginila jadi nya jon@@@@@@..
TuanRumah quote’s
“Do you think this event should be escalated?”
ZiaSay’s
HAHAHHAHA.. in da perst pelace i would say NO!!! and the one should be escalated and executed and should have been sent to ISA detention center was “mamat” yg buat anal_is_is dan JOKE of the year ni!!! hoiii kowang baru bgn tido kaaa atau mmg tgh tido masa buat kejadah ni..
adeh–adehhh..
ZiaSay’s.. Nyampah I..
You need a translator for this 
)
| Print article | This entry was posted by ayoi on November 3, 2008 at 2:01 pm, and is filed under Analyst Journal. Follow any responses to this post through RSS 2.0. You can skip to the end and leave a response. Pinging is currently not allowed. |
Rules for Dating My Daughters (in the future)
about 1 year ago - 6 comments
I’ve read this from this websites and as I am a father of two wonderful daughters, I think I might apply this set of rules as well RULE ONE If you pull into my driveway and honk you’d better be delivering a package, because you’re sure not picking anything up. RULE TWO You do not
Chill out ;)
about 1 year ago - No comments
It seems that my previous posting did offend some people. I want to take this opportunity to say sorry to whoever offended either directly or indirectly by that post and there are no malicious intentions in it. As most of the people in this particular industry I can call them as my friends and professional
If it was me…
about 1 year ago - 11 comments
As usual, Monday is a very bad day for me. Dun ask me why but perhaps I’m watching /reading too much Garfield and influenced by this fat lazy but adorable cat obsession on hating Mondays . So while doing my usual Monday activities (this of cause after reading my emails especially the ones in the
Perimeter defense is not enough
about 1 year ago - 1 comment
My friend’s gave a presentation on the mod_security usage last few weeks to a group of users from the government. In his presentation he gave a demo on how mod_security managed to prevent “blind sql injection” attacks on the application run on mod_security enabled web engine. He even received a thunderous applaud from the audience
In Between…
about 1 year ago - 1 comment
Well the time for me to spend on blogging is getting lesser (and lesser). To be honest, there are plenty of things that I want to blog about but either I’m consumed with the works or I do suffer some blogger’s block when sitting in front of my laptop. Anyway somehow I managed to drag
WebGoat: Exploit and Learn…
about 1 year ago - 1 comment
Dun know about you guys but during my time (not that long ago lah), the only avenues for me to test my newly acquired skills and tools (most of the time to test the tools and scripts -yeah I used to be a script kiddie ) are servers, websites, routers belong to other people. Ahh
Talk about Full Disclosure…
about 1 year ago - 4 comments
Ok, ok. This post is not a rebuttal, condemning or criticizing anyone. It is more on knowledge sharing for those who didn’t know or perhaps who didn’t get the clear picture on the topic Btw I hope this post will indicate where I do stand and the reason why on recently hotly debated matters with
After a While…
about 1 year ago - 2 comments
I am scheduled to conduct one knowledge sharing session within my department today but due to health reason, I decided to postpone it to next Friday. Yeah, recently I’ve encountered some problems with my health that also reminds me that I need to take it easy on myself. The burnout rate turnover is quite fast
It’s a Noble cause but still you need the consent…
about 1 year ago - 1 comment
It’s quite unusual for me to post anything on Monday nowadays. Perhaps because most of the time I’ve to attend meetings/discussions etc (update: Just finished one meeting ). Btw Monday also is the day when I spent most of my working time on reading news/articles/whitepapers and other stuff as well in order to get into
You are the Consultant..You should know…
about 1 year ago - 5 comments
To quote from Wikipedia ;P “A consultant (from the Latin consultare means “to discuss” from which we also derive words such as consul and counsel) is a professional who provides advice in a particular area of expertise such as accountancy, the environment, entertainment, technology, law (tax law, in particular), human resources, marketing, medicine, finance, economics,
about 1 year ago
Netbios?
https and its blocked? i dont know but it looks like a legit traffic for https and the scary firewall block it(correct me if i’m wrong, still learning here 
).
about 1 year ago
hmm shouldn’t be laa kot,the firewall has been wrongly configured…rasanyela:)
about 1 year ago
22 and 443 for Netbios? C’mon…
about 1 year ago
->session_id=0, that’s why it got blocked
about 1 year ago
this one shud not be escalated.the src comes from untrust zone,mmg patut pon kena deny/blok.always bear in mind whenever we notify client about any security alert/incident,it must be associated with solution/recommendation/eradiction/remedy on the addressed matter.so, from the case above, if we decided to sent notification email, what would be the recommendation?
faktor kemanusiaan ni…mebi the person is very exhausted at that time.
suggestion: have 2 or more ppl in the same team to review the email b4 sending it.
about 1 year ago
dier block coz kene mengene ngan state table (e.g. nmap -sA)..anything from the Internet can fall under untrust zone, up to the admin nk kasik service pe accessible from the Internet..
about 1 year ago
Salam all,
Apa la kowang merapu niiiii.. org tanya lain, lain plak kowang jawap yer… kang aku suruh “epul buka TOPENG” kang baru semua terkuzat..
Komen-komen anda semua boleh buat ramai “pecah kapla dan WET wooo uiiii dont make me honi laaa weii ” mehmehmeh..
ok lemme Ella_b0rit’s <– kena ado “aSS” sket
TuanRumah quote’s
“Can you spot the mistakes? Do you think this event should be escalated? Be my guest to comment”
ZiaSay’s
Category = Firewall <– Tak Mistake sbb dari fw event
Severity = “Medium” <– Sikit Mistake kot sbb event ni tak membawa apa-apa “kesan” pung sbb dah kena DENY la katakan.. mehmehmeh it should have been “LOW”.. anyway “wording Severity” tu ader dlm template kan.
Events = Blocked event <– Tak Mistake sbb dari fw rules
Source IP = Local ISP <– Tak Mistake sbb dari fw rules
Destination IP = Web Server <– Tak Mistake sbb dari fw rules
Destination port = 22 <– MISTAAAAAAAAAAAAAKE!!!!! SBBnya.. NTAH MANA-MANA DTG NTAH PORT NI!!!! WEIIIIIII TIDO KA!!! ITU “ssh” LAAAA ADER KER DARI DLM RAW-SYSLOG PAYLOAD TU EK
YG AKU PERASAAN PAYLOAD TU SEMUA TUNJUK “https-443″ JERRR.. ISKKK…ISKKK
port = 443 <– Tak Mistake sbb dari fw rules
Impact = NetBIOS sharing and possible information disclosure and loss of data <– MISTAAAAAKEEEEEE.. HAHAHHAHAHAHAHA!!! APO KOJADAHNYA KOWANG BUAT KERJAAAA HAAAAAAA!!!!
AKU UMPAMAKAN “ORG” YG BUAT KERJA NI MCM :-
“BARU LEPAS CAPMELAN PASTU DIA TANYA DIRI DIA SENDIRI, HEHHH TADI AKU LUNCH-UP KER or AKU GI MAKAN EK???
PADAN LA IKAN BAKAR KAT KEDAI BASIKAL MOTEN BIKE ALI KOMPUETERRR TU VERY CHEAP-UP LERR…”"
BEST NYERRR!!! …DIA KATA”
HAHAHHAHAHAHA!!!! APOKOJADAHNYA netbios kena ngena gan https & ssh ni weiiii.. sakit “telo” aku gelak!!!!
MORAL OF THE STORY:
Kalau suka sgt guna mouse utk copy & paste pastu dan MALAS utk re-read or re-confirm or perasan “aku dah terrel” beginila jadi nya jon@@@@@@..
TuanRumah quote’s
“Do you think this event should be escalated?”
ZiaSay’s
HAHAHHAHA.. in da perst pelace i would say NO!!! and the one should be escalated and executed and should have been sent to ISA detention center was “mamat” yg buat anal_is_is dan JOKE of the year ni!!! hoiii kowang baru bgn tido kaaa atau mmg tgh tido masa buat kejadah ni..
adeh–adehhh..
ZiaSay’s.. Nyampah I..
about 1 year ago
i thought nebios was 139? most probably this is a false alarm
about 1 year ago
FALSE ALARM???
ELLOOOOOOOO… ni bkn pasal false alarm or pasal untrust zone or pasal session_id=0 or pasal fw wrongly configured or pasal legitimate traffics and shits all!!!!!
Ni pasal TAK GETI BUAT KERJA LA!!! PERIOD! <– BKN DARAH tauuW..
Ni adalah KESILAPAN yg paling GEMPAK dalam dunia anal_is_is bagi mereka-mereka yg mengambil MUDAH kerjaya sbg Anal_Yst.. tu jer..
Apsal la kowang takbleh SPOT soalan dan kesilapan yg KETARA!!
Anyway.. i feel u ahmad_albab
ps: I wanna More mistake!!! argggg GCefffA
about 1 year ago
isk isk isk… ini laaa dunia mu… wa fenin++
dun understand at all..
about 1 year ago
aisey salah ye..takpela saya budak baru belajar.
Tq bro Ayoi n bro ZiaSay..
about 1 year ago
Atuk ZiaSays garang le, takut i… Atuk FFFiiiaaSays, ANALyst ni kene send ke Interanal Sex Act (ISA). Atuk FFFiiaaSays sure must be kinky one.
about 1 year ago
hahaha…i don’t deal with IDS/Firewall anymore hence the guess…tried hard to dig deep down my IDS brain…tx for the lesson though
about 1 year ago
hoshhh!!
ahmad_sembab I [a]iiiickkkk U arr bebeh!!!! #whoami
anton combonG!! nyampah i
say my name–say my name!! What’s my Name!!?
Hev phun g[a]uysssss!
about 1 year ago
ler..ko la ek. ingat sapa tadi. mana ada combong…bila mau kene sup kambing?