Archive - Mar 2006


March 22nd

Run multiple snort daemons in one engine

In snortcenter 2, it says "Once Sensor Agent can handle multiple snort daemons if the system has multiple network interfaces". If you need to run multiple daemons in one engine on one interface, you seem to be out of luck.

The snortcenter agent will use the parameters passed by curl from snortcenter to construct two files, one for the config and another for the command line options. These two files need to be different for different daemons. After reviewing the source code, I found there is one parameter passed to the snortcenter agent called r_option, which is taken from the tag after -R in the sensor's command line options. The -R tag is used by snort to create a distinct PID file, and this tag after -R is also used by the snortcenter agent to construct those two file names.

So the way to run multiple snort daemons in one engine on one interface is:

  1. Use different sensor names for different daemons.
  2. Use "-R tag" at the end of the command line options when defining the sensor in snortcenter.

One use for this is to run multiple daemons for multiple policy sets. For example, one daemon checks policy violations while the other checks intrusion signatures on valid traffic.
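As an added example that is not from the post or from snortcenter, here is a small POSIX shell helper that builds the command lines for two snort daemons on the same interface, each with its own config file, log directory and -R tag, so the PID files and the agent-generated files do not collide. The snort options used (-D, -c, -i, -l, -R) are standard Snort 2.x options; the interface name, config paths, log directories and tags are constructed values for illustration.

```shell
#!/bin/sh
# Build the snort command line for one daemon.
# Refuses an empty tag: without a distinct -R tag, two daemons on the
# same interface would end up sharing PID file and agent file names.
# Usage: snort_cmd <iface> <config> <logdir> <tag>
snort_cmd() {
    iface=$1; config=$2; logdir=$3; tag=$4
    if [ -z "$tag" ]; then
        echo "snort_cmd: -R tag must not be empty" >&2
        return 1
    fi
    printf 'snort -D -i %s -c %s -l %s -R %s\n' "$iface" "$config" "$logdir" "$tag"
}

# Constructed example: two policy sets on eth0 (paths are assumptions).
# One daemon for policy violations, one for intrusion signatures.
policy_cmd() { snort_cmd eth0 /etc/snort/policy.conf /var/log/snort/policy policy; }
ids_cmd()    { snort_cmd eth0 /etc/snort/ids.conf    /var/log/snort/ids    ids; }

# Sanity check before launching: the two daemons must carry different tags.
tags_differ() {
    a=$(policy_cmd | sed 's/.* -R //')
    b=$(ids_cmd | sed 's/.* -R //')
    [ -n "$a" ] && [ -n "$b" ] && [ "$a" != "$b" ]
}

# Launch both daemons only if the tags are distinct (run as root on the sensor).
launch_both() {
    tags_differ || { echo "refusing to start: duplicate -R tags" >&2; return 1; }
    eval "$(policy_cmd)" && eval "$(ids_cmd)"
}
```

The same tag you pass to -R here is what you append to the sensor's command line options in snortcenter, so the agent derives distinct file names for each sensor definition.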

A security risk management tool from Skybox

I came across the Skybox Risk Management suite, which can integrate network/firewall/servers into one view to analyze overall security. It can help you put together regulation/standard requirements, vulnerabilities, network security, etc. Here is the snippet:

Skybox's award-winning product, Skybox View™, creates a virtual Integrated Security Model (ISM) in order to understand IT network security risks, control dependencies and proposed changes within the context of your overall network design.

This virtual model can be safely attacked, changed, and analyzed for the purpose of improving the security profile of the network as well as verifying security control compliance with defined policies.

The result is a more secure network, operational efficiency and reduced IT workload. This is achieved through continuous evaluation of an organization's network security risk and connectivity profile.

March 12th

Travel to Orlando Disney World

Today we started our bus tour with TourEast to Orlando Disney World. I decided on the bus tour just because it's much cheaper during March break and I want to check out more places, as it's my first time in the USA.
The bus went through the Peace Bridge US customs, then took highways 90-79-19-77.

Along HW19, there are at least 2 Peking buffets. We had dinner at the one in Beckley. The food was good.

Overnight stay at around 11:30 PM at a Comfort Inn. It's in Jonesville, North Carolina, and it has free wireless Internet access; I tried it and the connectivity is good.

I can get my BlackBerry connected almost everywhere. Noticed the provider is changing from time to time. They are Cingular, AT&T, 1-80?? etc.

What a long trip. Tired, and I will sure have a good sleep.

March 10th

Use PEBuilder to build a live WinXP CD

It's called "Bart's Preinstalled Environment (BartPE) bootable live windows CD/DVD", but it's actually a tool to create a live CD out of your Windows XP installation files. The native NTFS support and live CD approach make it the best candidate for virus cleaning, rescuing files, etc.
The basic live system it creates is a little bit too simple, but the tool gives you the power to add applications to this live CD via plugins, so it's really up to you to extend the usage of your live CD.

There are a lot of plugin repositories available, with applications from hard disk partitioning to wireless hacking. So you can create an Anti-Virus/Spyware rescue CD as well as a network security CD.
I created one live XP with Firefox, explor2fs and PuTTY. Good enough for my daily work.

Tip: You need to enable "RpcSS needs to launch DComLaunch Service first - SP2 only" in the plugins, otherwise disk management will not work.

March 8th

Nortel VPN Client Split Tunneling Control

Disabling split tunneling works.

Noticed that the client changed the routing table, so I tried to break it by modifying the routing table. I can manipulate the routing table without being noticed by the client software, but cannot establish communication to other destinations. The sniffer data proved that UDP packets were sent out but not ICMP/TCP. I can see returning UDP data packets but cannot see them from the application on the host. It's possible that the VPN client software also implemented filtering in the stack, in addition to the routing change, for split tunneling control.

March 7th

Microsoft VPC Config file for virtual machine

The VMC file is an XML file that contains all the config info. I noticed this while trying to figure out why the shared folder was not working, then found out you have to set up the folder share while the VM is running. :-)

What a mistake I made.

BTW, my colleague just showed me how to use a VPN to get around the split tunneling control on one physical machine. He uses a VM to connect to the VPN that has split tunneling control, so he can still use the host machine to do things as he wants. He can also transfer files between his host and the machines in the tunnel using the folder sharing provided by VPC. Smart. This reminds me that I have done a similar thing before with another VPN client software.