Site-to-Site Networking with ZeroTier
I have been experimenting with ZeroTier and wanted to share how I was able to set up site-to-site connectivity between a home network and AWS to avoid installing the ZT app on every system in my network. It is easier than you might think. This is a quick how-to on setting up site-to-site connectivity from a private network to a basic AWS VPC.
Prerequisites: A quick note for those not familiar with ZeroTier.
Use Kitchen-salt for testing
I have put off learning how test-kitchen works with salt formulas for a while, mainly due to the multi-step setup process that can be slightly confusing if you are not accustomed to working with developer tools day to day. It became clear, though, that learning this workflow would be really beneficial for developing salt-formulas and other projects because of the increased testing speed and the ability to quickly iterate changes without building bulky VM infrastructure.
Building a custom BRO IDS binary package
Basically, there are two ways to install BRO. One is to download the source and compile it for your machine. The other option is to install BRO from a package. Compiling from source is a great option, which allows for customization but can become problematic when deploying BRO on several sensors. To address this challenge, compiling BRO on a build machine, and distributing the resulting package to sensor nodes for installation, seems like a good idea.
Installing pf_ring
PF_RING is software that installs a network socket allowing for “High-speed packet capture, filtering and analysis” (https://www.ntop.org/products/packet-capture/pf_ring/). It is useful in applications where capturing a lot of network traffic is a requirement, such as Snort or BRO IPS/IDS deployments.
When possible, I use salt to manage pf_ring deployments but manual steps are condensed from the online documentation located at https://www.ntop.org/get-started/download/#PF_RING. For the purpose of this article, we will be installing the stable package on a CentOS 7 system from http://packages.
Set per Interface Promiscuous mode State Automatically
At some point while working on a Salt formula to deploy pfring, I got to a point where I wanted to set promiscuous mode on an interface automatically. I wasn’t exactly sure how to go about it on RHEL/CentOS 7. So many things have changed, so I set out to do a quick Google search. I found my Google-fu was not very strong and searched for several solutions.
There are many reasons why one may want to set up a home lab. For me, the reason is being able to mock up several different scenarios using different software stacks and play with hardware.
If you want to set up a lab like I have, it requires ESXi as the hypervisor on physical hardware. However, you can choose VirtualBox, VMware Workstation, XenServer, KVM or whatever hypervisor you wish to use.
Deploy Graylog using SaltStack and supporting formulas
I’ve written a formula for deploying Graylog with additional Salt formulas for Elasticsearch and MongoDB, which support a Graylog install. Currently, this has only been deployed on CentOS 7, so the Salt states are pretty specific to CentOS and RHEL-based distros. There are plans to expand support to Debian distros in the future, though.
Both the Elasticsearch and MongoDB formulas can be used on their own, while the Graylog formula can be used in conjunction with or deployed after the other requirements have been satisfied.
Content Packs for Graylog
Lately, I have been working with Graylog a lot, so I decided to update a few items on GitHub and update their entries on the Graylog marketplace website.
BRO content pack for Graylog
The BRO IDS content pack contains pipeline rules, a stream, a dashboard displaying interesting activity, and a syslog TCP input to capture and index BRO logs coming from a Security Onion sensor.
Fortinet content pack for Graylog
The Fortigate UTM content pack contains extractors, a stream, a dashboard displaying the last 24 hours of activity, and a syslog TCP input.
rsync is an awesome tool that I have used extensively. However, I think it is time to explore other tools that can replace some of what rsync has been doing for so many years. I’m not saying you should never use rsync. What I am saying is there are other options, and in some circumstances, rsync isn’t the default choice anymore (at least for me).
I went looking for an rsync replacement because I was seeing extremely slow transfer times when moving large data files.
Overview
As with any system running software, you are going to have to apply patches to it at some point, and VMware is no different. VMware recommends customers install all security patches to maximize the protection that VMware provides. For a list of all security patches, you can go here: https://my.vmware.com/group/vmware/patch#search. Log in with your myvmware credentials.
Once it has been determined patches are available for ESXi, download the offline bundle so they can be pushed out to each VMware host as needed.