Personal; wifey @ 14 Nov 2008 12:38 pm by ayoi
Starting from today until this coming Sunday, I’ll have to play wifey’s roles. Wifey is away as she’s participating in her company’s sports day held at Awana Kijal. Based on the information given by wifey, she will be representing her team in a volleyball match (and I would love to see that actually lol). Anyway, both of us had discussed this quite some time ago. I guess maybe wifey felt that it would be tough for me to handle the kids by myself, especially when I need to ensure that Adam and Ariff will be put to bed on time. Deep inside I have to admit that some of wifey’s concerns are true but I’ll try my best to prove her wrong.
Personal @ 23 Sep 2008 02:12 pm by ayoi
…Is not an easy task. Honest. Usually when we have this family outing to the shopping mall (for the time being only to Equene’s Jusco nearby), it would be like a caravan of circus (that’s my view), with the stroller and the twins’ traveller kit (basically a backpack containing their milk supply, their snacks, pampers, spare shirts and shorts for each of them and some other additional items). And yes, we will put Adam and Ariff in their stroller as I dun have any intention to carry them during the outings and neither does wifey.
General @ 17 Sep 2008 04:42 pm by ayoi
Well, one of my friends, geek00l, complimented the cuteness of my twins (such a flattering compliment, and on behalf of the twins I would like to say thanks) and suggested that I should take both of them out, perhaps during a gathering or something of the sort, which I think might be applicable in the near future. Both of them can walk, even though at a slow rate, but perhaps in a few months’ time the slowness problem will be over. Anyway, here are the pictures of both Adam and Ariff. To be honest, they are not exactly the same.
General @ 17 Sep 2008 01:17 pm by ayoi
What’s up? Well, during the Holy month, you might notice that I’m a lil bit lazy in posting new items. Perhaps lack of caffeine or glucose. Anyway, I think for the second half of Ramadhan, everything seems to be back to normal. Normal in the sense that I need to do some paperwork, some presentation slides and yeah, meetings as well (btw I do hate having meetings during Ramadhan tho.. Lol. As I try to preserve whatever energy I might have within my skinny frame figure).
Anyway for this week, I’ve received some good news/events and some bad news/events.
General @ 15 Sep 2008 05:56 pm by ayoi
Yeah, hopefully. After enduring the worst headache I ever had last Friday, everything seems to be back to normal during the weekend. Perhaps due to the visit of my parents (they never fail to visit my house during the weekends.. Maybe after Raya I need to start going back to Kuantan as well), maybe due to the news that a new babysitter finally arrived today, or maybe simply because I just had another dose of Panadol’s ActivFast and slept on it.
General @ 03 Sep 2008 01:52 pm by ayoi
Since last week, I’ve felt a lil bit demoralized in executing my daily tasks. Yeah, I know that I have a lot of things that need to be resolved or settled, but after performing some root cause analysis, deep inside I know I need to resolve THIS particular matter in order to eliminate this intentional state of laziness.
Well, I just received good advice from my immediate Boss today, which I will adhere to accordingly.
General @ 12 Aug 2008 06:51 pm by ayoi
Yeap, a lil bit busy this week. Hmm, let me tell you what really consumes most of my time both during working hours and at home. Maybe at the end it turns out that I am not that busy at all. But I do feel like I have a lot of things to do..
work and IT @ 11 Jul 2008 07:04 pm by ayoi
Don’t worry, it is not about my twin btw.
Can you spot the difference (especially in the sense of the traffic behavior) between these two packet capture files?
I use windump on my Windows XP machine, and the command I executed to produce these outputs is:
wd -Snnr packet_capture_file.pcap dst port 22
Packet Capture 1
20:25:00.696718 IP 192.168.4.128.1813 > 192.168.4.126.22: S 2151807408:2151807408(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,sackOK>
20:25:00.698859 IP 192.168.4.128.1813 > 192.168.4.126.22: . ack 1369704931 win 64000
20:25:00.751279 IP 192.168.4.128.1813 > 192.168.4.126.22: P 2151807409:2151807437(28) ack 1369704970 win 63980
20:25:00.760521 IP 192.168.4.128.1813 > 192.168.4.126.22: P 2151807437:2151807941(504) ack 1369705706 win 63612
20:25:00.760616 IP 192.168.4.128.1813 > 192.168.4.126.22: P 2151807941:2151807957(16) ack 1369705706 win 63612
20:25:00.900008 IP 192.168.4.128.1813 > 192.168.4.126.22: P 2151807957:2151808229(272) ack 1369705986 win 63472
20:25:01.094824 IP 192.168.4.128.1813 > 192.168.4.126.22: P 2151808229:2151808245(16) ack 1369706770 win 64000
20:25:01.095211 IP 192.168.4.128.1813 > 192.168.4.126.22: P 2151808245:2151808297(52) ack 1369706770 win 64000
20:25:01.211169 IP 192.168.4.128.1813 > 192.168.4.126.22: . ack 1369706822 win 63974
20:25:06.746347 IP 192.168.4.128.1813 > 192.168.4.126.22: P 2151808297:2151808365(68) ack 1369706822 win 63974
20:25:07.627074 IP 192.168.4.128.1813 > 192.168.4.126.22: P 2151808365:2151808465(100) ack 1369706890 win 63940
20:25:07.747682 IP 192.168.4.128.1813 > 192.168.4.126.22: . ack 1369706958 win 63906
20:25:09.354328 IP 192.168.4.128.1813 > 192.168.4.126.22: P 2151808465:2151808741(276) ack 1369706958 win 63906
20:25:09.361925 IP 192.168.4.128.1813 > 192.168.4.126.22: P 2151808741:2151808841(100) ack 1369707026 win 63872
20:25:09.559764 IP 192.168.4.128.1813 > 192.168.4.126.22: . ack 1369707094 win 63838
20:25:11.762118 IP 192.168.4.128.1813 > 192.168.4.126.22: P 2151808841:2151809117(276) ack 1369707094 win 63838
20:25:11.768410 IP 192.168.4.128.1813 > 192.168.4.126.22: P 2151809117:2151809217(100) ack 1369707162 win 63804
20:25:11.973704 IP 192.168.4.128.1813 > 192.168.4.126.22: . ack 1369707230 win 63770
20:25:13.357811 IP 192.168.4.128.1813 > 192.168.4.126.22: P 2151809217:2151809493(276) ack 1369707230 win 63770
20:25:13.365031 IP 192.168.4.128.1813 > 192.168.4.126.22: P 2151809493:2151809593(100) ack 1369707298 win 63736
20:25:13.482591 IP 192.168.4.128.1813 > 192.168.4.126.22: . ack 1369707366 win 63702
20:25:14.856313 IP 192.168.4.128.1813 > 192.168.4.126.22: F 2151809593:2151809593(0) ack 1369707366 win 63702
20:25:14.864991 IP 192.168.4.128.1813 > 192.168.4.126.22: . ack 1369707367 win 63702
Packet Capture 2
16:30:59.167586 IP 192.168.2.8.32862 > 192.168.2.9.22: S 1789751218:1789751218(0) win 5840 <mss 1460,sackOK,timestamp 25550657 0,nop,wscale 2>
16:30:59.168266 IP 192.168.2.8.32862 > 192.168.2.9.22: . ack 1673969780 win 1460 <nop,nop,timestamp 25550658 20899740>
16:30:59.194809 IP 192.168.2.8.32862 > 192.168.2.9.22: . ack 1673969800 win 1460 <nop,nop,timestamp 25550659 20899766>
16:30:59.194814 IP 192.168.2.8.32862 > 192.168.2.9.22: P 1789751219:1789751240(21) ack 1673969800 win 1460 <nop,nop,timestamp 25550659 20899766>
16:30:59.203125 IP 192.168.2.8.32862 > 192.168.2.9.22: P 1789751240:1789751392(152) ack 1673970440 win 1780 <nop,nop,timestamp 25550660 20899774>
16:30:59.210623 IP 192.168.2.8.32863 > 192.168.2.9.22: S 1783492046:1783492046(0) win 5840 <mss 1460,sackOK,timestamp 25550662 0,nop,wscale 2>
16:30:59.210642 IP 192.168.2.8.32864 > 192.168.2.9.22: S 1787890826:1787890826(0) win 5840 <mss 1460,sackOK,timestamp 25550663 0,nop,wscale 2>
16:30:59.210647 IP 192.168.2.8.32865 > 192.168.2.9.22: S 1788072431:1788072431(0) win 5840 <mss 1460,sackOK,timestamp 25550664 0,nop,wscale 2>
16:30:59.212077 IP 192.168.2.8.32863 > 192.168.2.9.22: . ack 1687906519 win 1460 <nop,nop,timestamp 25550665 20899783>
16:30:59.238583 IP 192.168.2.8.32864 > 192.168.2.9.22: . ack 1678854406 win 1460 <nop,nop,timestamp 25550665 20899784>
16:30:59.238588 IP 192.168.2.8.32865 > 192.168.2.9.22: . ack 1673861893 win 1460 <nop,nop,timestamp 25550665 20899784>
16:30:59.238592 IP 192.168.2.8.32863 > 192.168.2.9.22: . ack 1687906539 win 1460 <nop,nop,timestamp 25550666 20899810>
16:30:59.238596 IP 192.168.2.8.32863 > 192.168.2.9.22: P 1783492047:1783492068(21) ack 1687906539 win 1460 <nop,nop,timestamp 25550666 20899810>
16:30:59.238600 IP 192.168.2.8.32866 > 192.168.2.9.22: S 1780193083:1780193083(0) win 5840 <mss 1460,sackOK,timestamp 25550667 0,nop,wscale 2>
16:30:59.238604 IP 192.168.2.8.32867 > 192.168.2.9.22: S 1781912197:1781912197(0) win 5840 <mss 1460,sackOK,timestamp 25550668 0,nop,wscale 2>
16:30:59.280609 IP 192.168.2.8.32866 > 192.168.2.9.22: . ack 1685157275 win 1460 <nop,nop,timestamp 25550668 20899812>
16:30:59.280614 IP 192.168.2.8.32867 > 192.168.2.9.22: . ack 1686380212 win 1460 <nop,nop,timestamp 25550669 20899812>
16:30:59.280619 IP 192.168.2.8.32868 > 192.168.2.9.22: S 1786479460:1786479460(0) win 5840 <mss 1460,sackOK,timestamp 25550670 0,nop,wscale 2>
16:30:59.280623 IP 192.168.2.8.32862 > 192.168.2.9.22: P 1789751392:1789751536(144) ack 1673970440 win 1780 <nop,nop,timestamp 25550670 20899816>
16:30:59.280627 IP 192.168.2.8.32864 > 192.168.2.9.22: . ack 1678854426 win 1460 <nop,nop,timestamp 25550670 20899837>
16:30:59.280631 IP 192.168.2.8.32864 > 192.168.2.9.22: P 1787890827:1787890848(21) ack 1678854426 win 1460 <nop,nop,timestamp 25550670 20899837>
16:30:59.280635 IP 192.168.2.8.32865 > 192.168.2.9.22: . ack 1673861913 win 1460 <nop,nop,timestamp 25550671 20899851>
16:30:59.280639 IP 192.168.2.8.32865 > 192.168.2.9.22: P 1788072432:1788072453(21) ack 1673861913 win 1460 <nop,nop,timestamp 25550671 20899851>
16:30:59.280643 IP 192.168.2.8.32863 > 192.168.2.9.22: P 1783492068:1783492220(152) ack 1687907179 win 1780 <nop,nop,timestamp 25550671 20899849>
There are some significant differences between those two packet captures, and from the pattern itself we can probably identify what happened in trace 1 and trace 2.
So what do you think?
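One way to put a number on the comparison above, as an added example that is not part of the original post: it parses the windump text output and counts new connection attempts (bare SYNs) per source and destination inside a sliding window. The 1-second window and the threshold of 5 are assumed values chosen for illustration, and the sample lines are copied from the two traces above.

```python
import re
from collections import defaultdict

# windump/tcpdump "-S -nn" text line: time, src.port > dst.port: flags rest
LINE = re.compile(r"(\d+):(\d+):([\d.]+) IP ([\d.]+)\.(\d+) > ([\d.]+)\.(\d+): (\S+) (.*)")

def parse(line):
    m = LINE.match(line.strip())
    if not m:
        return None
    h, mi, s, src, sport, dst, dport, flags, rest = m.groups()
    return {"t": int(h) * 3600 + int(mi) * 60 + float(s), "src": src,
            "dst": dst, "dport": int(dport), "flags": flags, "rest": rest}

def syn_bursts(lines, window=1.0, threshold=5):
    """Map (src, dst, dport) -> peak number of bare SYNs in any `window` seconds."""
    syns = defaultdict(list)
    for p in filter(None, map(parse, lines)):
        if "S" in p["flags"] and " ack " not in p["rest"]:  # SYN without ACK
            syns[(p["src"], p["dst"], p["dport"])].append(p["t"])
    peaks = {}
    for key, times in syns.items():
        times.sort()
        lo = 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:   # slide the window start forward
                lo += 1
            peaks[key] = max(peaks.get(key, 0), hi - lo + 1)
    return {k: n for k, n in peaks.items() if n >= threshold}

# Sample lines copied from Packet Capture 1 and Packet Capture 2 on this page.
TRACE_1 = """\
20:25:00.696718 IP 192.168.4.128.1813 > 192.168.4.126.22: S 2151807408:2151807408(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,sackOK>
20:25:00.698859 IP 192.168.4.128.1813 > 192.168.4.126.22: . ack 1369704931 win 64000
20:25:00.751279 IP 192.168.4.128.1813 > 192.168.4.126.22: P 2151807409:2151807437(28) ack 1369704970 win 63980
""".splitlines()
TRACE_2 = """\
16:30:59.167586 IP 192.168.2.8.32862 > 192.168.2.9.22: S 1789751218:1789751218(0) win 5840 <mss 1460,sackOK,timestamp 25550657 0,nop,wscale 2>
16:30:59.168266 IP 192.168.2.8.32862 > 192.168.2.9.22: . ack 1673969780 win 1460 <nop,nop,timestamp 25550658 20899740>
16:30:59.210623 IP 192.168.2.8.32863 > 192.168.2.9.22: S 1783492046:1783492046(0) win 5840 <mss 1460,sackOK,timestamp 25550662 0,nop,wscale 2>
16:30:59.210642 IP 192.168.2.8.32864 > 192.168.2.9.22: S 1787890826:1787890826(0) win 5840 <mss 1460,sackOK,timestamp 25550663 0,nop,wscale 2>
16:30:59.210647 IP 192.168.2.8.32865 > 192.168.2.9.22: S 1788072431:1788072431(0) win 5840 <mss 1460,sackOK,timestamp 25550664 0,nop,wscale 2>
16:30:59.238600 IP 192.168.2.8.32866 > 192.168.2.9.22: S 1780193083:1780193083(0) win 5840 <mss 1460,sackOK,timestamp 25550667 0,nop,wscale 2>
16:30:59.238604 IP 192.168.2.8.32867 > 192.168.2.9.22: S 1781912197:1781912197(0) win 5840 <mss 1460,sackOK,timestamp 25550668 0,nop,wscale 2>
16:30:59.280619 IP 192.168.2.8.32868 > 192.168.2.9.22: S 1786479460:1786479460(0) win 5840 <mss 1460,sackOK,timestamp 25550670 0,nop,wscale 2>
""".splitlines()

if __name__ == "__main__":
    for name, trace in (("trace 1", TRACE_1), ("trace 2", TRACE_2)):
        print(name, syn_bursts(trace))
```

Timestamps in this output carry no date, so a capture that crosses midnight needs the date added before the window arithmetic is reliable.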
work and IT @ 18 Jun 2008 11:59 am by ayoi
I’m having less and less time to update my blog. Perhaps now I am beginning to assume the new post, which automatically requires me to pay attention to a few key areas that need to be addressed by the unit (and now I do really need assistance, which indirectly requires me to update my unit plan and indirectly update the staff requirements and whatnot). For the time being it would be good to have another clone of me doing other tasks as well, but alas that’s not possible because I dun want wifey to get confused later on. Another pair of hands? It’ll be weird and I do feel like a spider (and I DO NOT like spiders). So? Just do whatever I can one at a time or perhaps everything at the time (I wish).
Another thing is I can forget about continuing my office’s tasks at home, as I’ve tried many times (even during the weekends), but the twins are too naughty rite now and wifey needs as much help as possible from me.
What makes me so busy?
a). I need to complete the unit plan, by hook or by crook. At least it will be the master plan or the high level guidelines for the unit.
b). My immediate task now is to provide analysis guidelines for the SA. (I know I’ve posted about the guideline thingy before, but then the SA always has these excuses: “We did not have any proper instruction/flow/guidelines”. So cannot blame them also.)
c). Currently, to fill in my time while travelling in the LRT from and to the office, I’ve read this book. It is Assembly Language Step-by-Step by Jeff Duntemann. It is a nice book with good explanations, examples and analogies as well. The style is similar to that of my favourite author, Richard Bejtlich, and thankfully not as complex as my other favourite author, Tom Clancy. The purpose? Just to assist me in understanding this language, and perhaps I can pursue the malicious code analysis thingy later on. And no, I dun have any intention of writing exploits, not my strength btw. And I dun want to be another sk (he’s too good tho).
d). Currently I am just playing around with the SSH brute force packets and perhaps will try to implement any possible detection mechanism or rules for this type of attack. I’ve discovered a few key indicators when the brute force is launched from tools, like window size etc., but still need more packets and more analysis.
e). Preparing myself for the SANS GIAC Certified Incident Handler training and certification. Why GCIH and not GCIA? Because I will participate in the event held by sansasia, where they only offer GCIH and GCFA (GIAC Certified Forensic Analyst). So I chose GCIH and let my colleague take GCFA.
It will be held at Furama Riverfront Hotel, Singapore from 30th June until 5th July.
p/s: Thanks to wifey in advance for her sacrifice in taking care of our double whammy naughty twins while I’m not around to assist her.
So that’s all. Hopefully everything goes well and according to plan. Wish me luck eh?














