Changing snort signatures with Oinkmaster

| Posted in Projects, Snort |

Unless I’m just not seeing it, there isn’t a way to differentiate alerts from drops with BASE for snort.  They all appear the same, and unless you know the sid or the .rules file, all the information looks the same.  To help alleviate this, and give users the ability to see rules that are dropping packets at a glance, I decided to task Oinkmaster.pl with this job.  Adding the phrase “DROPPED” to the end of the “msg:” section of the signature will make it appear that way in BASE and Aanval can now send an email whenever one of these rules is kicked off.
To do so simply add the following to your oinkmaster.conf file:

modifysid sid or rule "(.*msg:\s*".+?)"(\s*;.+;)" | "${1}, DROPPED"${2}"
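
To preview what that substitution does to a rule before putting it in oinkmaster.conf, here is an added Python sketch (not part of the original post and not Oinkmaster's own code) that applies the same regex to constructed sample rules. The sid-selection logic, the skipping of commented-out rules and the function name `tag_dropped` are assumptions of this sketch.

```python
import re

# The modifysid pattern and replacement from the line above, with Perl's
# ${1}/${2} written as Python's \g<1>/\g<2>.
PATTERN = re.compile(r'(.*msg:\s*".+?)"(\s*;.+;)')
REPLACEMENT = r'\g<1>, DROPPED"\g<2>'
SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')


def tag_dropped(rules_text, sids):
    """Append ', DROPPED' to the msg of each active rule whose sid is in `sids`.

    Hypothetical helper: it imitates picking rules by sid, skips
    commented-out rules, and never tags the same rule twice.
    """
    out = []
    for line in rules_text.splitlines():
        m = SID_RE.search(line)
        is_rule = m and not line.lstrip().startswith("#")
        if is_rule and int(m.group(1)) in sids and ', DROPPED"' not in line:
            line = PATTERN.sub(REPLACEMENT, line, count=1)
        out.append(line)
    return "\n".join(out)


# Constructed sample rules (not real signatures). The second one has
# escaped quotes inside msg to show the regex still finds the closing quote.
SAMPLE_RULES = '''\
drop tcp any any -> any 80 (msg:"EXAMPLE web probe"; content:"abc"; sid:1000001; rev:1;)
alert tcp any any -> any 25 (msg:"EXAMPLE smtp \\"odd\\" banner"; sid:1000002; rev:3;)
# alert tcp any any -> any 21 (msg:"EXAMPLE disabled rule"; sid:1000003; rev:1;)
'''

if __name__ == "__main__":
    print(tag_dropped(SAMPLE_RULES, {1000001, 1000002}))
```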

Removing Windows XP from a Windows 7 dual boot system

| Posted in Windows |

I’ve made the switch to Windows 7 on one of my machines.  It’s time to wrap my head around this new beast.  I installed Win7 x64 on a second hard drive and was dual booting the system for some of the tools I needed.

Now that Windows XP mode is up and running and documents were transferred, I decided it was time for XP to go, cutting the cord.  Unfortunately it’s not as easy as just removing the hard drive and calling it good, though the process isn’t all that hard. NOTE: Do at your own risk; I’m not responsible for damage.

  1. Start the machine in Windows XP
  2. Show hidden files and folders if they aren’t already and copy the “boot” folder and the bootmgr file to the Win7 drive.
  3. Shut the machine down, remove the XP drive and boot off the Win7 DVD
  4. Enter the System Recovery mode after the machine boots and click “Next” to enter the Recovery Toolbox
  5. Click “Command Prompt” and type:
      "bootrec /fixmbr"
      "bootrec /fixboot"
  6. Reboot into Windows 7 and open a command prompt. Run the following command to remove the second boot option:
      "BCDEdit /delete {ntldr} /f"

More information if you installed on a second partition can be found at: http://blogs.techrepublic.com.com/window-on-windows/?p=1751&tag=leftCol;post-1306

Snort and “--enable-reload”

| Posted in Projects, Snort |

One of my biggest peeves about Snort and running it inline is having to restart the Snort process to load new rules.  This had me worried with putting snort into production as it would make it awfully hard to tweak it while live.

Today I was browsing the Snort manual and found two short paragraphs relating to the “--enable-reload” option.  Wha?  Why didn’t I find this earlier?  After a quick recompile with the “--enable-reload” command.  What a life saver this will be when we go live!

After using that option, you can simply issue a “kill -SIGHUP pid” to have it reload without restarting!

Check out pg 107 of the Snort manual though, as some changes require a restart, so you’re not going to get off completely scot-free.

Snort 2.8.5.2 Inline + BASE on Ubuntu

| Posted in Projects, Snort |

Boy, when I started down the process of trying to get an IPS system set up, I had no idea what I was getting myself into.  I’m not much of a security guy or a Linux guy, but I thought I’d give it a go.  I followed many different guides that all worked great for me, and thank you to those who put the following guides together: http://ubuntuforums.org/showthread.php?t=919472,  http://www.openmaniak.com/inline.php,  http://forum.learnit.vn/showthread.php?p=7007

You can submit hatch info..

| Posted in Fishing, The Hatch, iPhone |

If you have information you’d like to share and include in The Hatch, please feel free to use the link at the top of the page titled “Submit Hatch Information”.  You will be presented with a form asking for the state, river name, bug, and months you’ll find the bug hatching. These updates will be included in periodic updates to the app.

Thanks everyone.

Lessons Learned In iPhone App Development

| Posted in Personal, The Hatch, iPhone |

After the purchase of a new MacBook Pro about a year ago, I thought you know what?  I’m going to try and develop an app.  I hadn’t seen anything related to fly fishing and thought maybe I could create an app that provides a hatch chart for rivers across the US!

Review of YouVersion.com

| Posted in Personal, Technology, iPhone |

YouVersion Reading Plans

Following along a previous post about reading and goals, especially the Bible, I happened across a website called http://www.youversion.com.  It’s essentially an online bible, journal, reading plans, and community based website, but I’d say one of the best features is the slew of mobile apps.

New The Hatch 2 feature….Sneak Peek

| Posted in Fishing, The Hatch, iPhone |

Working on a new feature as I can find the time.  I think you’ll all enjoy it.

The Hatch is available again!

| Posted in Fishing, The Hatch, iPhone |

Waiting for the new version has been like having to wait for the salmonflies on the Deschutes!  It’s finally here again and I’m really excited about the new release!  Make sure to check out the updated version of The Hatch 2 for your iPhone or iPod Touch!  Version 2.0.4 boasts a new logo and PICTURES, and lots of them!

You can find it over on iTunes: http://www.itunes.com/apps/thehatch

Make sure you check out the new website for the app over at http://www.thehatchapp.com

An update to the lite version will be coming shortly, so hang in there.

The Hatch will return shortly

| Posted in Fishing, The Hatch, iPhone |

Some of you may have noticed “The Hatch” isn’t on the app store right now, well, you’re right.  Unfortunately I had to pull it from the App Store due to an issue with the logo.  A new version has been submitted to Apple, and now it’s just the waiting game until it’s approved.

Sorry for the inconvenience, it should be resolved shortly.  I think most everyone will be very excited for the next version 2.0.4….can anyone say “pictures”?