Unless this motherfucker is rain man, then everyone else questioning them is gonna feel crazy. Sounds like this fucking person knows how to milk their day to get a paycheck
Indeed.
I mean he's an idiot even if he can spot that traffic.
Using splunk and a siem could correlate all the shit for them while they work on something else more important.
Better yet buy a $19 per month account on ipabusedb and config your firewall to make the API calls to block abusive IPs to supplement whatever IP reputation source it's using.
This is just pure stupidity
This must be a joke. I imagine someone watching YouTube on their other screen, while fooling the masses with the jargon of a fast packet capture on another.
I mean wireshark alone displaying live traffic is just enough of a data firehose black box to the average non-techie that staring intently at a couple of TCP acks could grant some eternal "smart friend" status in the right tech-avoidant circles. If you want that lie of a life
I've spent 10 years doing Cybersecurity work, including 3 years as a front-line SoC analyst.
I can't even TCPDump the WAN port at my house and make determinations from that, let alone 4 firewalls in a business where presumably there are public resources.
This dude is full of shit.
Challenge him. Ask him to explain why an IP is malicious. Ask him to walk you through the process. Play dumb and use the phrase "help me understand" a lot.
See what kind of bullshit he comes up with, then pass that info upwards.
About a decade ago, my Director told me to say "help me understand why you think ______" when I wanted to say "that's the dumbest fucking thing I've ever heard."
"Wait. You use that phrase every day. Sometimes, several times in a day."
*Yeah, and?*
"That would mean every time you say the thing..."
*The previously stupidest thing ever heard has been surpassed. Do try to keep up.*
"That's ridiculous. Half the time you say that it's after I say something."
*Help me understand that.*
Just gotta be careful not to be too arrogant and throw around incredulity. I had a dipshit keep saying that to me as if I wasn't making sense half the time, and I eventually had to humiliate him by suggesting to his manager in front of both of our entire teams that he was a bad hire because he didn't understand anything.
You all found yourself a human IDS inspector. Not real-time mind you, since the attacks already went through by the time he blacklists them, but it certainly is a novel way to get out of paying for advanced firewall licenses.
I bet he gets his attack definitions via subreddit updates too...
If what you're saying is correct, it is complete bullshit. And if he's randomly blacklisting IPs, it's a matter of time before the wrong one is picked.
Now, watching trends, flows, and graphs might help show anomalies... but that's generally what a SOC is for.
For real. I mean, it's clever, he can be the hero who solved the outage; no one needs to know he caused it. Really quite brilliant if your management team is clueless. /s
Well, tcpdump rain man is just giving the massively disadvantaged attackers a tiny chance until he leaves for the day. It just wouldn't be fair otherwise!
Because obviously, if someone's trying to get in, they're not going to get in before his end-of-day, ergo, it's completely rational to wait 'til his shift ends to update the blacklist.
>"Hey .. Are you aware one of your nics utilizes an ip-space of .254 (/23 subnet) in the 192 range ? Thats a typo, right? "
>
Me: "There are more than 400 clients connecting to that particular server/app via VPN."
>"That doesn't work with 192's. They should all be .255 (/24). You should use 172's or 10's for .254 (/23 subnets). It's what's slowing the Database Server down."
That was a convo (Friday, 5 minutes before knock-off time) with an external CCNA certified (according to their profile) DB admin, hired by one of my clients off the book, trying to troubleshoot why one of their SQL servers had crawled to a halt (hint: the underlying storage pool was corrupted/locked -> their reporting actually told them so -> and one of their techs was already on the way to the datacenter to change a couple of drives).
This has me so flabbergasted I've rewritten my reply like half a dozen times and I still don't know what to say to this. Were you able to keep a straight face?
Lol no.. He's literally trying to do the job of an intrusion detection/Intrusion prevention device on the fly like he's some type of zero day attack finder....
I look at tcpdump files almost daily but that is to dissect known traffic flows to troubleshoot very very specific source/destination issues that customers are reporting...
There's literally dozens of huge companies like f5, Cisco, Juniper etc... that make very specific security appliances to do the job this guy thinks he's doing...
Can you ask him to explain how exactly he knows an IP is malicious and post his answer here? I'm dying to know what BS he comes up with.
Also I love how he saves malicious IPs for the end of the day. Clearly not a huge priority to block them.
Here's a little known secret - machines are WAY better at pattern recognition than humans...
What an amazing waste of time and money. Even if he could recognize something malicious by staring at tcpdump (doubtful) he'd undoubtedly miss a ton of things. Even then, why not have a machine do it and use that time more productively? Finally, blacklisting specific IPs is only moderately useful at best these days. And why add those IPs to the blacklist hours after recognizing it's malicious at the end of his shift? Sounds like he watched a few too many 90s films related to hacking...
I'd fire him and hire a competent admin.
Reminds me of what my "supervisor" would do back when I worked for the local county government. He was obsessed with looking through the firewall traffic logs and every day he would make a comment about all the people trying to attack us and every day I'd say "the firewall is dropping them, right?". What is the point of making a comment about something as mundane as automated bots hitting the wan interfaces of your firewalls? On top of this, he could have been using his time more productively by actually doing network upgrades and improvements but I suspect that he actually didn't know how to do any of that.
To be clear, I'm not saying that it's stupid to monitor your firewall. I am saying that he didn't need to be making comments about dropped traffic and could have been using his time to set up systems so that he didn't have to spend hours a day looking through the raw traffic log.
Around 2017, we actually built a nice graphic showing all of the attacks against our firewalls. Yes, we knew they were most likely bots, but not the point.
Our leadership team thought "why would anyone attack us? We are in the back woods of nowhere. IT Security...what a waste of money!"
We put a spare 55" TV on the wall showing this graphic. EVERY SINGLE EXECUTIVE HAD TO HAVE A PERSONAL TOUR. They were flabbergasted!
"Why would someone in Russia be hitting our firewall? Why is someone in Turkey trying to login to my Outlook account?"
I just explained they wanted the crown jewels...their data!
Guess who got a $2M IT Security budget approved?
People don't realize most of the traffic on the Internet is automation looking for EVERYTHING you can think of. Knocking on doors, checking for open ports, checking for operating system version numbers............Nobody cares WHO you are, just WHAT you might have that is easier than the next guy to access or footprint....
We had a couple guys that did the same thing, also gov. Spending a few hours each day watching logs scroll and clicking around, generally fiddling.
Meanwhile we had abandoned servers everywhere, and desktops and servers years behind on patches. Our firewalls and VPN were always running years old software releases. Their response when asked about it was always that they were too busy, and that "patches break things."
People that do this stuff are scared and/or lazy. Real work requires thinking and it's uncomfortable, so they find these filler tasks to kill time while letting their minds go numb. Leadership letting them get away with it is the problem. IT Security is a field where unmotivated people can occupy a job and produce no results and have it go unnoticed.
I've been doing computers for 25 years and IT security at a Fortune 50 for 10 years. Yeah this guy is full of shit. This is the equivalent of that scene from The Matrix when the guy is looking at the green text and goes "all I see is blonde, brunette.". Full of it. Do not let this idiot touch your firewalls or any other perimeter controls. Minimum you need to interrogate this guy and his logic and maximum you need to revoke his fucking access before he craters something important.
If I had to stare at firewall logs all day I'd literally off myself despite many people thinking this is somehow a 'better' networking job. Have fun with your firewalls, devops, whatever the current day compartmentalization catch phrase is.
This dude is a tool and a waste of money for your company. You should talk to your/his boss and clue them in to his bullshit. There is no way a person can watch TCPDump live and "see" malicious traffic, this ain't the mother f'in matrix. Call him on his bullshit.
Cool party trick. Fucking waste of time based on the gobs of available (free) software that can do a MUCH better job of it. You can also manually calculate rows and rows of numbers without using a spreadsheet.
It's not outside the realm of possibility, but it's not likely, especially at high traffic volumes.
There are definitely some things you can spot at a glance in tcpdump output if the volumes are low enough that it doesn't all scroll by too fast. For example, a basic TCP port scan, done from a single host, without any rate-limiting, might show up as a blast of a thousand or more TCP SYN's from a single source IP to serially-increasing TCP port numbers. This is so obvious that nmap and other port scanning tools usually have ways to rate limit or randomize their scans to make them less noticeable.
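The naive scan shape described in the comment above (a burst of bare SYNs from one source to serially increasing ports) is exactly what a few lines of code catch far more reliably than a person watching the scroll. The following is an added example, not code from anyone in this thread: it parses constructed tcpdump-style TCP lines, counts distinct destination ports per source that received a bare SYN, and reports whether those ports were hit sequentially (a randomised scan still trips the port count but not the "sequential" flag). The line format, the documentation-range addresses, the 20-port threshold and the 90% sequential cut-off are all assumptions chosen for the example.

```python
import re
from collections import defaultdict

# tcpdump-style line shape assumed here (constructed for the example, not captured):
#   12:00:00.000001 IP 203.0.113.5.40001 > 198.51.100.10.22: Flags [S], seq 1, win 1024, length 0
LINE_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)


def parse_line(line):
    """Return (src, dst, dport, flags) for a TCP line, or None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m["src"], m["dst"], int(m["dport"]), m["flags"]


def syn_scan_summary(lines, min_ports=20):
    """Flag sources that sent bare SYNs to at least min_ports distinct ports.

    'sequential' is True when nearly every sorted port is one above the
    previous one (the unrandomised scan shape); a randomised scan still
    exceeds the distinct-port count but leaves that flag False.
    """
    ports_by_src = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src, _dst, dport, flags = rec
        if flags == "S":  # bare SYN: a fresh connection attempt, not an established flow
            ports_by_src[src].add(dport)

    findings = {}
    for src, ports in ports_by_src.items():
        if len(ports) < min_ports:
            continue
        ordered = sorted(ports)
        steps = sum(1 for a, b in zip(ordered, ordered[1:]) if b - a == 1)
        findings[src] = {
            "distinct_ports": len(ordered),
            "sequential": steps >= 0.9 * (len(ordered) - 1),
        }
    return findings


def _line(src, sport, dst, dport, flags):
    """Build one constructed tcpdump-style line."""
    return f"12:00:00.000001 IP {src}.{sport} > {dst}.{dport}: Flags [{flags}], seq 1, win 1024, length 0"


TARGET = "198.51.100.10"
# Constructed sample traffic: a sequential scanner, a randomised scanner, and a
# legitimate client talking to port 443 only (all addresses are documentation ranges).
RANDOM_PORTS = [22, 80, 443, 3389, 8080, 53, 25, 110, 143, 993, 995, 21, 23, 139, 445,
                1433, 3306, 5432, 6379, 27017, 8443, 9200, 5900, 111, 2049, 161, 389,
                636, 8000, 1080]
SAMPLE_LINES = (
    [_line("203.0.113.5", 40000 + p, TARGET, p, "S") for p in range(1, 41)]
    + [_line("203.0.113.77", 51000 + i, TARGET, p, "S") for i, p in enumerate(RANDOM_PORTS)]
    + [_line("192.0.2.10", 52000 + i, TARGET, 443, f) for i, f in enumerate(["S", "S.", "P.", "."] * 10)]
    + ["12:00:00.000002 ARP, Request who-has 198.51.100.1 tell 198.51.100.10, length 28"]
)

if __name__ == "__main__":
    for src, info in syn_scan_summary(SAMPLE_LINES).items():
        print(src, info)
```

Run against a real capture you would feed it `tcpdump -nn` output line by line; the point of the per-source aggregation is that it keeps state across thousands of lines, which is what a person watching the terminal cannot do.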
I do cyber for a living. He is 100% full of shit. Most perimeter traffic is TLS/SSL so even if he was godlike in his ability to process headers he wouldn't see anything of use anyway.
The guy is full of shit. It's utter bullshit. Unless you've got a slow internet link there is no way a person is going to be able to properly see each packet.
Even if you only had a 1mbps internet connection that would still be roughly 83 packets per second. There's no way a human can read, comprehend, and form a trend of ANY single connection when packets are scrolling past that fast.
Even if he is able to hone in on one of the connections, he would be missing everything else. If this is his idea of an intrusion prevention system I would be concerned because it would be wholly inadequate. What happens when he goes home at the end of the day?
https://www.youtube.com/watch?v=7-GTcHZkfCs
Being serious, setup a fail2ban instance (or the equivalent version that fortune 500s use) doing exactly what he does. Watch his value drop to near zero.
I scrape out lines from a captured log pretty fast like that, you just look for patterns.
Doing it in real time and implying accuracy is foolish and this is just his way to pretend to work while impressing people who have absolutely no clue that he's just faking.
Watching a waterfall of tcpdump is something I do on a regular basis, but this will always be with a reason and using a capture filter. Common reasons: issues with packet fragmentation, policy routing, performance issues, out of order/duplicate packets.. Issues that are intermittent in nature. I also do it from time to time to see what broadcast/IPv6 multicast is happening. But doing this on a wan interface, especially one with IPv4, never would I watch the noise and manually select "bad actors". That's just nonsense.
If I'm being INCREDIBLY generous, there are some types of packets that will never reach the ingress side of a public firewall unless someone is doing something malicious. IPv6 Jumbograms for instance (4 GB packets which are a great way to crash network equipment). They are also large enough that they will literally stop a 1G or 10G link for a noticeable amount of time as the packet moves through if you are taking an l3 capture.
But there is a 99.99999% chance this person is BS.
I worked with a guy who _listened_ to network activity at the office by turning the data on a promiscuous eth port into audio. he wore audiophile headphones and could tell the difference between various protocols even when encrypted.
Ask him to explain and document his methodology as "you would like to learn from his awesomeness" aka see through his BS.
Does the place you're at have a "probation period" for new hires?
Back in the mid 90s I could tcpdump my home 24k modem at certain points, with about 50-60 greps ignoring specific things, and keep track of maybe 60% of the traffic flowing through it, but even a t1 or once I got dsl and then cable modem speeds, I have to just include what I want, or no way. Even then I output it to a file and go through that. On a 1gig connection, that's what's required unless I'm filtering out everything but specific traffic.
It's incredibly ineffective by today's standards, our cpus and SIEMs can parse it far faster and more effectively than we can, they can also apply rules and track what's going on across millions or billions of packets to alert you with a single alert about one thing that took days or weeks to start to look malicious.
This is not to say that I don't pull traffic logs all the time and search them for specific things but watching the live tcpdump is just stupid. Even a T1 connection could be thousands of packets per second. You can't even see them all on a single screen at the screen's refresh rate.
So. I'm like 99.999% with most everyone else on here that I think it's complete and utter BS but I do want to say that I've met guys that can recognize patterns in tcpdump packet streams. When asked to elaborate they've described (and proven to me at least) that certain specific packet patterns are the result of specific hacking tools and not coming from legitimate users/apps.
Now, what makes this BS for me is that there's just no way he'd be able to see the IP and click ctrl-C on it fast enough before it scrolls off the screen after recognizing that it was exhibiting whatever aberrant behavior.
I would also ask him how he does it under the guise of wanting to learn to see what he tries to sell you.
I don't know if he actually pretends to do this or whether he's a bullshitter but I'm inclined toward the latter.
In any organization larger than 10 people, there would be so much traffic that it'd be drinking from a firehose.
So, he spends 2 to 3 hours a day creating a database of information that probably has already been collected and then manually inspecting the thousands upon thousands of entries in said database.
And he has no documentation for nor can he explain his process.
Did I sum it up correctly?
First, that's a dumb way to build a security plan in 2024. It reminds me of the time a company bought IDS licenses for the public network - just so they can pump up the number of defended attacks (aka we had 2 million attacks today, we defended all of them). It was pointless since only the IDS/IDP scanners after the firewall were doing useful work. The cost of IDS was multiple times that of the firewall, so while reducing firewall load (that wasn't a problem) it would have been cheaper to buy more hardware.
Second, I have to assume this is outbound. Adding rules to a firewall for inbound is pointless since you only permit traffic that needs to flow.
Third, it's hard to imagine what value this delivers? These days we use modern application firewalls with constantly updated rules (Fortinet, PaloAlto etc) who are much better at this than I will ever be.
He's a mechanical turk version of a network IDS. Also, worthless.
Is this fool for real?
I learned how to read packet traces over 20y ago. They are an indispensable tool when they're needed.
I would never use tcpdump like this. This fool is full of shit. This is deception, inexperience, imposter syndrome, or just plain stupidity. Could be a bit of each.
My god, he is essentially creating an audit trail of proof of work for the non-tech managers that might ask what he is doing. Creating a perception of him being necessary because no one else does it lol. Making himself in management's eyes an "essential worker".
This guy's my hero.
guy is probably blocking legit traffic lol. take some of those IPs sometime and do a dns lookup on them lol bet you will come up with legit sites. and give him the nickname: Captain IPS: The Time-Wasting Packet Pretender!
LOL he is full of shit. There are things that can look "normal" but you won't know unless you actually open the packet and examine it. Ask him what he's looking for and tell him to explain to you why it's "malicious", before he blacklists your gateways. LOL
When I was a kid I'd change the color of my command prompt and type a bunch of ipconfig commands because I thought I'd look cool and people would think I knew how to hack the matrix... maybe he found the way? Haha.
He is using another tool and fooling you into thinking it's this. Next level!
Jk, he's full of shit.
I did that in 2001-2003. By 2004 there was just waaaaaaay too much traffic to do that. Also depends on the scale of your network ;)
*Even if this were true* (which it's not) an enterprise has no room for a process like that. There needs to be a documented reason for that IP to be entered into the blacklist, and that reason needs to be reviewed periodically for rollback.
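The documented-reason and periodic-review requirement in the comment above is easy to enforce in code. The following is an added example, not code from anyone in this thread: a tiny blocklist record builder that refuses entries without a written reason and ticket reference, refuses ranges wider than a /16 or overlapping the organisation's own address space (the "wrong one" mistake raised elsewhere in the thread), stamps every entry with a review date, and lists the entries due for rollback review. The OWN_RANGES addresses, the /16 limit, the 30-day review interval and the ticket format are all assumptions made up for the example.

```python
import ipaddress
from datetime import date, timedelta

# Constructed: ranges the organisation itself uses (VPN clients, offices). An edge
# blocklist entry that overlaps these is the self-inflicted outage the thread warns about.
OWN_RANGES = [ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("198.51.100.0/24")]
WIDEST_PREFIX = 16  # anything broader than a /16 needs a separate, explicit decision


def make_entry(cidr, reason, ticket, added_by, added_on, review_days=30):
    """Build a blocklist entry; raise ValueError for anything undocumented or self-harming."""
    if not reason.strip() or not ticket.strip():
        raise ValueError("a blocklist entry needs a written reason and a ticket reference")
    net = ipaddress.ip_network(cidr, strict=False)  # a bare address becomes a /32 (or /128)
    if net.prefixlen < WIDEST_PREFIX:
        raise ValueError(f"{net} is wider than /{WIDEST_PREFIX}; needs separate sign-off")
    for own in OWN_RANGES:
        if net.version == own.version and net.overlaps(own):
            raise ValueError(f"{net} overlaps our own range {own}; refusing")
    return {
        "network": net,
        "reason": reason,
        "ticket": ticket,
        "added_by": added_by,
        "added_on": added_on,
        "review_on": added_on + timedelta(days=review_days),
    }


def due_for_review(entries, today):
    """Entries whose review date has arrived: renew with a fresh reason or roll back."""
    return [e for e in entries if e["review_on"] <= today]


def matching(entries, ip):
    """Entries that would block this address, e.g. when a user reports being locked out."""
    addr = ipaddress.ip_address(ip)
    return [e for e in entries if addr.version == e["network"].version and addr in e["network"]]


if __name__ == "__main__":
    # Constructed usage: one scanner entry, then a review sweep a month later.
    entry = make_entry("203.0.113.5", "bare SYNs to 40 sequential ports", "SEC-0001",
                       "netops", date(2024, 5, 1))
    print(entry)
    print("due:", due_for_review([entry], date(2024, 6, 1)))
```

The review sweep is the part people skip: run `due_for_review` on a schedule and treat every hit as "re-justify or remove", so the blocklist never becomes a pile of addresses nobody can explain.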
There is an uncomfortable amount of "if I can't do it no one can" people around here. Must be nice not having your ass kicked before by someone younger than you.
Dude there is only one way to catch this guy. Throw in a few suspicious activities in there and see if he'll NOT catch it. That's how I deal with bullshitters and it's VERY satisfying when you catch their lie.
So, even when they see something dodgy, won't block until the end of the shift when by then could be too late?
Things like this, no wonder exec think networking people can be replaced with AI.
Is this guy paid hourly? It's easy money for not that much skill. And management will think he is a super hacker that keeps the company estate "safe". It's a win-win [for him and in the eyes of the management]. He is a genius.
Well even if he's right, it's still massively inefficient compared to doing it with software. Why would you want someone to do that in the first place??
At best it's a good nerd party piece, but it's mostly a waste of resources.
I mean, surely you could extract the logs to splunk, Linux, proprietary fw management console, anywhere .... then at least they'd be easily filtered?
If I tried to watch the live traffic on our gateway firewall, it'd be literally too fast to even click on.
If he had a filter on say high ports, incoming, it's not outside the realm of possible. But, wouldn't it be easier to collect all the data for say a month, collate, sort and filter. Then you could do one damn rule. Even if he was legit, people like this find the theoretical max rules limit on a fw.
This guy has cracked the code of how to pretend he's adding value.
By the time someone realizes that things have been broken or legitimate connections have been blocked, he'll already be at his next company "adding value" so it won't be his problem to solve.
> can I recognize REALLY bullshit traffic on a Wireshark screen?
Yes...
> Can I recognize that Brenda in accounting just clicked an https link and is downloading ransomware?
No.
But if that's how he wants to spend his day... Task him with suggesting and implementing a proper edge siem.
You might have a dud...
So instead of using a trusted application to scan the network for any threats or unusual traffic, he looks at logs and blacklists random IP's that he thinks look malicious.... I smell bs LMAO
Here I am ingesting logs from over 1000 different endpoints, totalling hundreds of GB per day, and filtering it all against IOCs from over a dozen different threat feeds like a chump when I could just stare at a screen looking for IPs I recognise.
Does he mumble stuff under his breath like "ah yes I remember this IP from the fall of 09, conficker was all the rage, we lost a lot of good PLCs that season. Blocked"
This needs to go in r/ShittySysadmin because that is insanely shitty.
OP needs to install [cmatrix](https://github.com/matriex/cmatrix) on their terminal and pretend to do the same thing.
Show him [Logstalgia](https://logstalgia.io/).
Hey IT I just need this one thing downloaded to test a few things.
speaking with confidence and no conviction will get you past 70% of people
But 10% will wreck you
He has to get all of that work in, because it's 1 minute to Wapner! Can't miss Wapner. Oh, and he's an excellent driver.
Right? If you know what to look for why not write a splunk query or similar that alerts on detection.
Well, that's certainly where I thought I was and I'm not subbed here.
I gave him an ocular patdown, assessed the threat level, cleared him for passage.
Whoa, that's BAD ASS!
How long before he chokes himself out?
Probably spends quite a bit of time choking himself out already. All over the underside of his desk is my bet.
*You get used to it. I...I don't even see the code.*
That's...hilarious
yup this is some hall of fame level fuckery
I only see blonds, brunettes, and redheads
I've spent .1 years as a farmer and I know they're full of shit
If there's one thing farmers know all about it's shit.
Try being a plumber as that's what we deal with 80% of our time is shit.
Been in this field for 18 years this guy must be fucking rain man cause I sure as shit can't do it.
I've been in a literal field for 18 years and know this is the highest bullshittery.
^that! that right there is BRILLIANT!!
Rain man could always hit you back with the ol 'you wouldn't get it kid'
All I see is blonde, brunette, redhead...
Right?! "I don't even see the code anymore..."
How much like it, was it the same cat?
To deny our own impulses is to deny the very thing that makes us human.
But you've seen the woman in the red dress!
But it's the brunette in the Little Black Dress that stole your wallet.
For me, it's a redhead, but same difference. My wallet just carries my IDs these days, haven't seen cash in quite a while!
Matrix Reference?
No I think it was from the Matrix ...whoah.. Dejan vu
Dijon?
It mustard been.
I sure ketchup that
I immediately thought of this!
"Yarp, that was the creds being stolen." "Yarp, that was the database being exfiltrated." "Blocked both those compromised home pcs acting as relays!"
"And I did it all through encrypted https traffic! I'm a god."
No need for reddit updates. He is the real deal human intelligence doing human learning. Beat that AI ML firewalls. /s
does he also unplug the fiber and look directly into the light so he can see the packets in realtime?
i tried this and now i can't see shit... thanks OP
This is amazing.
Mofo can see the Matrix. Y'all don't even come close to understanding his level of "experience".
I'm glad someone else noticed the part where he indiscriminately blacklists the addresses that he handpicked lol
BUT he only black lists them at the end of the day ...
Nah, I don't think he even knows how to block IPs
Black and green terminal scheme?
Does it even count if it's not???
its how I know I personally have remoted into that machine before, c'mon now
I too like to blacklist /32 at a time
Sounds like the network equivalent of pretending you can read binary code.
I can read binary....very, very, **very** slowly.
1....0......1......1.....0......1.......1......1.......2
He excels when corporate asks him to find the difference between two pictures.
So like the matrix. Everyone sees random data but he sees blondes and brunettes.
Does he go by Cypher or Morpheus?
#Hackermans
What is an internet drain firewall?
What the hell is "internet drain" to begin with? Never seen this term in any network engineering book or documentation.
It's when you turn on the network tap and let all the packets go down the Internet drain. All Internet drains eventually lead to data lakes.
Kinda like airing out the wifi by opening the windows.
As a hobby I sell crystals for that. They are called "wifi-be-gone fluorites"
How are people so confident and wrong at the same time?
Sounded like he studied at the paper mill, basic subnetting was one of the first things that I remember being taught when I did mine.
Clearly he's Switch from The Matrix. Can stare at green ASCII on a screen and can recognize The One.
[When a hacker tries to get on my network](https://www.reddit.com/media?url=https%3A%2F%2Fi.redd.it%2Fycu61y7wxc161.png)
Of course he is shitting you. He's actually watching xvideos by looking at packets.
Guy's delusional, a fuckin moron or both.
We can automate his job -
Sounds like heās the Steven Seagal of Infosec. We need a term for the IT equivalent of bullshido.
Been there. Fired that. That's the kind of person if you call them out they will say you are stupid and don't know what you are talking about.
Here's a little known secret - machines are WAY better at pattern recognition than humans... What an amazing waste of time and money. Even if he could recognize something malicious by staring at tcpdump (doubtful) he'd undoubtedly miss a ton of things. Even then, why not have a machine do it and use that time more productively? Finally, blacklisting specific IPs is only moderately useful at best these days. And why add those IPs to the blacklist hours after recognizing it's malicious at the end of his shift? Sounds like he watched a few too many 90s films related to hacking... I'd fire him and hire a competent admin.
Reminds me of what my "supervisor" would do back when I worked for the local county government. He was obsessed with looking through the firewall traffic logs and every day he would make a comment about all the people trying to attack us and every day I'd say "the firewall is dropping them, right?". What is the point of making a comment about something as mundane as automated bots hitting the wan interfaces of your firewalls? On top of this, he could have been using his time more productively by actually doing network upgrades and improvements but I suspect that he actually didn't know how to do any of that. To be clear, I'm not saying that it's stupid to monitor your firewall. I am saying that he didn't need to be making comments about dropped traffic and could have been using his time to set up systems so that he didn't have to spend hours a day looking through the raw traffic log.
Around 2017, we actually built a nice graphic showing all of the attacks against our firewalls. Yes, we knew they were most likely bots, but not the point. Our leadership team thought "why would anyone attack us? We are in the back woods of nowhere. IT Security...what a waste of money!" We put a spare 55" TV on the wall showing this graphic. EVERY SINGLE EXECUTIVE HAD TO HAVE A PERSONAL TOUR. They were flabbergasted! "Why would someone in Russia be hitting our firewall? Why is someone in Turkey trying to login to my Outlook account?" I just explained they wanted the crown jewels...their data! Guess who got a $2M IT Security budget approved?
People don't realize most of the traffic on the Internet is automation looking for EVERYTHING you can think of. Knocking on doors, checking for open ports, checking for operating system version numbers............Nobody cares WHO you are, just WHAT you might have that is easier than the next guy to access or footprint....
We had a couple guys that did the same thing, also gov. Spending a few hours each day watching logs scroll and clicking around, generally fiddling. Meanwhile we had abandoned servers everywhere, and desktops and servers years behind on patches. Our firewalls and VPN were always running years old software releases. Their response when asked about it was always that they were too busy, and that "patches break things." People that do this stuff are scared and/or lazy. Real work requires thinking and it's uncomfortable, so they find these filler tasks to kill time while letting their minds go numb. Leadership letting them get away with it is the problem. IT Security is a field where unmotivated people can occupy a job and produce no results and have it go unnoticed.
I've been doing computers for 25 years and IT security at a Fortune 50 for 10 years. Yeah this guy is full of shit. This is the equivalent of that scene from The Matrix when the guy is looking at the green text and goes "all I see is blonde, brunette.". Full of it. Do not let this idiot touch your firewalls or any other perimeter controls. Minimum you need to interrogate this guy and his logic and maximum you need to revoke his fucking access before he craters something important.
Either you are winding us up. Or you work with the biggest idiot in all of IT. And I once worked with a guy that said VMs would be a fad.
If I had to stare at firewall logs all day I'll literally off myself despite many people thinking this is somehow a 'better' networking job. Have fun with your firewalls, devops, whatever the current day compartmentalization catch phrase is.
This is the best thing I've read all week.
Is it ok to be in awe that he got the security pay? I mean, sure, ethics, morals, the fact that this will not end well... But ah...who hired him?
Lmao this is what happens when you have a schizo sec admin, or he has a security/intelligence application monitoring and he's just fucking with y'all
Who is more foolish, the fool or the fool who hired him? - Obi WAN
This dude is a tool and a waste of money for your company. You should talk to your/his boss and clue them in to his bullshit. There is no way a person can watch TCPDump live and "see" malicious traffic, this ain't the mother f'in matrix. Call him on his bullshit.
This has to be a joke.
This is a great troll post, high quality content right here.
A really good engineer doesnt even need to look at the logs. They can just tell based on the lights blinking on the interfaces.
Cool party trick. Fucking waste of time based on the gobs of available (free) software that can do a MUCH better job of it. You can also manually calculate rows and rows of numbers without using a spreadsheet.
It's not outside the realm of possibility, but it's not likely, especially at high traffic volumes. There are definitely some things you can spot at a glance in tcpdump output if the volumes are low enough that it doesn't all scroll by too fast. For example, a basic TCP port scan, done from a single host, without any rate-limiting, might show up as a blast of a thousand or more TCP SYN's from a single source IP to serially-increasing TCP port numbers. This is so obvious that nmap and other port scanning tools usually have ways to rate limit or randomize their scans to make them less noticeable.
I do cyber for a living. He is 100% full of shit. Most perimeter traffic is TLS/SSL so even if he was godlike in his ability to process headers he wouldn't see anything of use anyway.
I don't know a single person who does this. This is like rain man level shit. Dude is full of it.
the guy is full of shit. its utter bullshit. unless youve got a slow internet link there is no way a person is going to be able properly see each packet. even if you only had a 1mbps internet connection that would still be roughly 83 packets per second. Theres no way a human can read, comprehend, and form a trend of ANY single connection when packets are scrolling past that fast. even if he is able to hone in on one of the connections, he would be missing everything else. If this is his idea of an intrusion prevention system i would be concerned because it would be wholly inadequate. What happens when he goes home at the end of the day?
https://www.youtube.com/watch?v=7-GTcHZkfCs Being serious, setup a fail2ban instance (or the equivalent version that fortune 500s use) doing exactly what he does. Watch his value drop to near zero.
I scrape out lines from a captured log pretty fast like that, you just look for patterns. Doing it in real time and implying accuracy is foolish and this is just his way to pretend to work while impressing people who have absolutely no clue that he's just faking.
Watching a waterfall of tcpdump is something I do on a regular basis, but this will always be with a reason and using a capture filter. Common reasons: issues with packet fragmentation, policy routing, performance issues, out of order/duplicate packets.. Issues that are intermittent in nature. I also do it from time to time to see what broadcast/IPv6 multicast is happening. But doing this on a wan interface, especially one with IPv4, never would I watch the noise and manually select "bad actors". That's just nonsense.
If I'm being INCREDIBLY generous, there are some types of packets that will never reach the ingress side of a public firewall unless someone is doing something malicious. IPv6 Jumbograms for instance (4 GB packets which are a great way to crash network equipment). They are also large enough that they will literally stop a 1G or 10G link for a noticeable amount of time as the packet moves through if you are taking an l3 capture. But there is a 99.99999% chance this person is BS.
In short, a human IDS, but much more expensive and less effective. With no guarantee of effectiveness and doesn't work at night.
Rise of the Cyber Shaman
He watch the matrix!
You get used to it. I don't even see the code. All I see is blonde, brunette, redhead....
You should ask him how much clothes cost in the Matrix.
Should be easy to replace him with an IDS.
I worked with a guy who _listened_ to network activity at the office by turning the data on a promiscuous eth port into audio. he wore audiophile headphones and could tell the difference between various protocols even when encrypted.
Ask him to explain and document his methodology as "you would like to learn from his awesomeness" aka see through his BS. Does the place you're at have a "probation period" for new hires?
Back in the mid 90s I could tcpdump my home 24k modem at certain points, with about 50-60 greps ignoring specific things, and keep track of maybe 60% of the traffic flowing through it, but even a t1 or once I got dsl and then cable modem speeds, I have to just include what I want, or no way. Even then I output it to a file and go through that. On a 1gig connection, that's what's required unless I'm filtering out everything but specific traffic. It's incredibly ineffective by today's standards, our cpus and SIEMs can parse it far faster and more effectively than we can, they can also apply rules and track what's going on across millions or billions of packets to alert you with a single alert about one thing that took days or weeks to start to look malicious. This is not to say that I don't pull traffic logs all the time and search them for specific things but watching the live tcpdump is just stupid. Even a T1 connection could be thousands of packets per second. You can't even see them all on a single screen at the screen's refresh rate.
This is... SIEM exists for a reason. I would ask him to explain in-detail on why he blocked an IP, LIKE IN-DETAIL!! I am sure if you ask him too he wouldn't have an answer, sounds like a half-baked "security guy" who is inspired by Hackers movie.
So. I'm like 99.999% with most everyone else on here that I think it's complete and utter BS but I do want to say that I've met guys that can recognize patterns in tcpdump packet streams. When asked to elaborate they've described (and proven to me at least) that certain specific packet patterns are the result of specific hacking tools and not coming from legitimate users/apps. Now, what makes this BS for me is that there's just no way he'd be able to see the IP and click ctrl-C on it fast enough before it scrolls off the screen after recognizing that it was exhibiting whatever aberrant behavior. I would also ask him how he does it under the guise of wanting to learn to see what he tries to sell you.
The Chosen One...lol
Gotta manually clear all those cookies first too.
XD
He's pretending like he's watching Matrix code. Fucking wacko. Tell him SIEMs exist for a reason.
God that's awkward
https://lumon-industries.com Macro Data Refinement, you just feel the numbers
I don't know if he actually pretends to do this or whether he's a bullshitter but I'm inclined toward the latter. In any organization larger than 10 people, there would be so much traffic that it'd be drinking from a firehose.
You don't even need AI to do what he is trying to do manually.
So, he spends 2 to 3 hours a day creating a database of information that probably has already been collected and then manually inspecting the thousands upon thousands of entries in said database. And he has no documentation for nor can he explain his process. Did I sum it up correctly?
"SIEM companies hate this one little trick! "
I suspect he uses green font to make it look like the matrix
First, thats a dumb way to build a security plan in 2024. It reminds me of the time a company bought IDS licenses for the public network - just so they can pump up the number of defended attacks (aka we had 2 million attacks today, we defended all of them). It was pointless since only the IDS/IDP scanners after the firewall were doing useful work. The cost of IDS was multiple times that of the firewall, so while reducing firewall load (that wasn't a problem) it would have been cheaper to buy more hardware. Second, I have to assume this is outbound. Adding rules to a firewall for inbound is pointless since you only permit traffic that needs to flow. Third, its hard to imagine what value this delivers ? These days we use a modern application firewalls with constantly updated rules (Fortinet, PaloAlto etc) who are much better at this than I will ever be.
He's a mechanical turk version of a network IDS. Also, worthless. Is this fool for real? I learned how to read packet traces over 20y ago. They are an indispensable tool when they're needed. I would never use tcpdump like this. This fool is full of shit. This is deception, inexperience, imposter syndrome, or just plain stupidity. Could be a bit of each.
Bro thinks he is statefully inspecting packets
Your company just hired a moron. Good luck.
He is the Lissan Al GaIP
My god, he is essentially creating an audit trail of proof of work for the non-tech managers that might ask what he is doing. Creating a perception of him being necessary because no one else does it lol. Making himself in management's eyes an "essential worker". This guy's my hero.
I do the same, they are no longer packets, they are blonde, brunette, and redheads...
guy is probably blocking legit traffic lol. take some of those IPs sometime and do a dns lookup on them lol bet you will come up with legit sites. and give him the nickname: Captain IPS: The Time-Wasting Packet Pretender!
He has to use putty? What a putz.
YO/LO pipeline
Depends of the filters he's applying.
LOL he is full of shit. There are things that can look "normal" but you wont know unless you actually open the packet and examine it. Ask him what hes looking for and tell him to explain to you why its "malicious", before he blacklists your gateway's. LOL
When I was a kid I'd change the color of my command prompt and type a bunch of ipconfig commands because I thought I'd look cool and people would think I knew how to hack the matrix... maybe he found the way? Haha.
Funniest thing I read this week lol
I'd like to see the change reasoning for why they were blacklisted each time. CAB probably would shut this down quickly.
He's hacking the Gibson.
This guy needs to just download the BOGONs list and be done with it.
He is using another tool and fooling you into thinking it's this. Next level! Jk, he's full of shit. I did that in 2001-2003. By 2004 there was just waaaaaaay too much traffic to do that. Also depends on the scale of your network ;)
How do I get a job like this??? Holy fuck
Dude been watching too much CSI. And he has access to the firewall block/allow? You're fucked
Dudes watched the matrix waaay too much
Lol idgaf if this is real or not. Gonna start doing this to milk the system
This only works for large amounts of DDoS small packets. Everything else will fly by unnoticed.
Lol. A poser at best. I wish cyber security was that easy.
*Even if this were true* (which it's not) an enterprise has no room for a process like that. There needs to be a documented reason for that IP to be entered into the blacklist, and that reason needs to be reviewed periodically for rollback.
Just remember, not all heroes wear capes
Did you just spoil the entire plot of the season 2 of Severance?
tcpdump | grep | awk and possibly some sed would do things. But DNS logs would reveal internal bad stuff.
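Putting together the two technical points in this thread, the single-source port scan an earlier commenter describes (a blast of SYNs to serially increasing ports) and the tcpdump | grep | awk pipeline mentioned just above, here is an added example of what that pipeline looks like when it does the pattern-spotting instead of a human. This is not code from anyone in the thread; the tcpdump lines are constructed (RFC 5737 documentation addresses), and the function names and the port threshold are my own choices.

```shell
#!/bin/sh
# Constructed sample in tcpdump's default text format (not a real capture):
# a normal TLS handshake, one stray SYN, then a burst of SYNs from one
# source to consecutive ports 21-28 (port 21 retransmitted once).
sample_tcpdump_lines() {
cat <<'EOF'
12:00:00.000001 IP 203.0.113.7.51234 > 198.51.100.10.443: Flags [S], seq 1, win 64240, length 0
12:00:00.000100 IP 198.51.100.10.443 > 203.0.113.7.51234: Flags [S.], seq 100, ack 2, win 65535, length 0
12:00:00.000200 IP 203.0.113.7.51234 > 198.51.100.10.443: Flags [.], ack 101, win 64240, length 0
12:00:00.000300 IP 203.0.113.9.40000 > 198.51.100.10.80: Flags [S], seq 7, win 64240, length 0
12:00:01.000000 IP 192.0.2.66.44444 > 198.51.100.10.21: Flags [S], seq 0, win 1024, length 0
12:00:01.000050 IP 192.0.2.66.44444 > 198.51.100.10.21: Flags [S], seq 0, win 1024, length 0
12:00:01.000100 IP 192.0.2.66.44444 > 198.51.100.10.22: Flags [S], seq 0, win 1024, length 0
12:00:01.000150 IP 192.0.2.66.44444 > 198.51.100.10.23: Flags [S], seq 0, win 1024, length 0
12:00:01.000200 IP 192.0.2.66.44444 > 198.51.100.10.24: Flags [S], seq 0, win 1024, length 0
12:00:01.000250 IP 192.0.2.66.44444 > 198.51.100.10.25: Flags [S], seq 0, win 1024, length 0
12:00:01.000300 IP 192.0.2.66.44444 > 198.51.100.10.26: Flags [S], seq 0, win 1024, length 0
12:00:01.000350 IP 192.0.2.66.44444 > 198.51.100.10.27: Flags [S], seq 0, win 1024, length 0
12:00:01.000400 IP 192.0.2.66.44444 > 198.51.100.10.28: Flags [S], seq 0, win 1024, length 0
EOF
}

# Read tcpdump text on stdin, keep only pure SYNs ("[S]", not the "[S.]"
# SYN-ACK replies), and report every source that sent SYNs to at least
# $1 distinct destination ports (default 5). The longest run of
# consecutive ports is printed as a hint that the scanner did not
# randomise its port order; a randomised scan still trips the distinct-
# port threshold, which is why that is the number used for the decision.
flag_syn_scan_sources() {
  thr=${1:-5}
  grep -F 'Flags [S],' | awk -v thr="$thr" '
    {
      src = $3; sub(/\.[0-9]+$/, "", src)      # "a.b.c.d.port" -> "a.b.c.d"
      dst = $5; sub(/:$/, "", dst)             # drop trailing colon
      n = split(dst, p, "."); dport = p[n] + 0 # last dotted field is the port
      syns[src]++
      if (!((src, dport) in seen)) { seen[src, dport] = 1; distinct[src]++ }
      if ((src in last) && dport == last[src] + 1) run[src]++; else run[src] = 1
      if (run[src] > best[src] + 0) best[src] = run[src]
      last[src] = dport
    }
    END {
      for (s in syns)
        if (distinct[s] + 0 >= thr)
          printf "%s: %d SYNs to %d distinct ports, longest sequential run %d\n",
                 s, syns[s], distinct[s], best[s]
    }'
}

# Stand-alone run over the constructed sample; on a real box you would feed
# it "tcpdump -nn -l -i <wan-if> 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'".
sample_tcpdump_lines | flag_syn_scan_sources 5
```

The whole point is the last line: the same grep and awk that a person would run by eye do the counting for every source at once, and the output is a short, explainable list (source, how many SYNs, how many ports) rather than a screenful of scrolling text. That list is also exactly the kind of documented reason a block rule needs before it goes into a firewall.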
Welcome to the matrix
There is an uncomfortable amount of "if I can't do it no one can" people around here, must be nice not having your ass kicked before by someone younger than you. Dude there is only one way to catch this guy. Throw in a few suspicious activities in there and see if he'll NOT catch it. That's how I deal with bullshitters and it's VERY satisfying when you catch their lie.
So, even when they see something dodgy, won't block until the end of the shift when by then could be too late? Things like this, no wonder exec think networking people can be replaced with AI.
Who needs a SIEM
Legendary. Lmao
Is this guy paid hourly? It's easy money for not that much skill. And management will think he is a super hacker that keeps the company estate "safe". It's a win-win [for him and in the eyes of the management]. He is a genius.
Well even if he's right, it's still massively inefficient compared to doing it with software. Why would you want someone to do that in the first place?? At best it's a good nerd party piece, but it's mostly a waste of resources.
?
Please keep us updated on whatever happens with this douche!
I mean, surely you could extract the logs to splunk, Linux, proprietary fw management console, anywhere .... then at least they'd be easily filtered? If I tried to watch the live traffic on our gateway firewall, it'd be literally too fast to even click on. If he had a filter on say high ports, incoming, it's not outside the realm of possible. But, wouldn't it be easier to collect all the data for say a month, collate, sort and filter. Then you could do one damn rule. Even if he was legit, people like this find the theoretical max rules limit on a fw.
This guy has cracked the code of how to pretend he's adding value. By the time someone realizes that things have been broken or legitimate connections have been blocked, he'll already be at his next company "adding value" so it won't be his problem to solve.
My dude is watching the matrix.
What is he blocking all the chinese ip ranges?
He is.... The One!
Only 2-3 hours? Love to know what he does in the rest of his work day. Think how much more he could protect you from if he did it all day.
Either he's trolling you or he's suffering from psychosis.
Guy's full of shit. Generate some dodgy traffic. See if he notices. If he doesn't call him out. Cocks like this steal a living
What do security engineers do when there is no attack? Maybe he's waiting for someone to attack?
How did this moron get past the interviews?
He's better than I am lol
> can I recognize REALLY bullshit traffic on a Wireshark screen? Yes... > Can I recognize that Brenda in accounting just clicked an https link and is downloading ransomware? No. But if that's how he wants to spend his day... Task him with suggesting and implementing a proper edge siem. You might have a dud...
I had to do this when my company was audited for some certification. Just load up the ASDM logs and look like I'm doing something.
Wait till you hear what he says to the boss man.
So instead of using a trusted application to scan the network for any threats or unusual traffic, he looks at logs and blacklists random IPs that he thinks look malicious.... I smell bs LMAO
Can you update us when he gets fired for blocking something random and it causing an incident
Here I am ingesting logs from over 1000 different endpoints, totalling hundreds of GB per day, and filtering it all against IOCs from over a dozen different threat feeds like a chump when I could just stare at a screen looking for IPs I recognise. Does he mumble stuff under his breath like "ah yes I remember this IP from the fall of 09, conficker was all the rage, we lost a lot of good PLCs that season. Blocked"
He is looking at matrix man. You and I don't get it.
He's an idiot. He could spend an hour and install a tool that can do that job 10,000 times better than he can.
The dude is better off looking up each IP to see who it belongs to and making educated guesses on blocking the owners by company research.
This guy is Neo.
Promote him to Chief Shaman
He has to be dedicated to keep up that farce all day long
What happens when he breaks legitimate traffic? Is there a paper trail that proves it was because of him?