
Showing posts from 2010

wget, reverse web cache testing

This is a highly specialized note, but it might be helpful as a test idea for more general use cases. I have a Blue Coat web proxy serving as a reverse proxy for some images on our web site. A Citrix NetScaler sits in front of the Blue Coats and distributes the load across them. We use QRadar as our SIEM, and this is how I test one of the Blue Coats using "live" data.

Start by getting a CSV text file of successful requests from QRadar (i.e. run a search and export the raw events as CSV). Transform the log into generic URLs:

    sed -e 's/^.*PROXIED //' 2010-05-26-data_export.csv | awk '{ print $7 "://" $8 ":" $9$10 }' | grep "^http" > /tmp/1

Use the computed URLs and run them against the Blue Coat:

    for LINE in `cat /tmp/1`; do http_proxy=http://BLUECOAT001:80 wget "$LINE"; done

Run the same list against the comparative Blue Coat:

    for LINE in `cat /tmp/1`; do http_proxy=http://BLUECOAT002:80 wget "$LINE"; done

Compare the
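The same procedure as a single script, added here as an example and not the post's own code: it extracts the URLs with the post's sed/awk field positions, de-duplicates them (the post's loops replay every repeat), fetches each URL through a named proxy with a timeout and records the HTTP status instead of saving the bodies, so the two result files can be diffed directly. The sample log lines, the field layout outside columns 7 to 10, and the proxy names are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not the post's script): proxy-log lines -> URL list -> replay
# through two reverse proxies -> diffable "status url" files.
# Assumption: after "PROXIED " the log has scheme in $7, host in $8, port in $9
# and path in $10, as in the post's awk.  Everything else below is constructed.

# Constructed sample export; only fields 7-10 after PROXIED matter to the pipeline.
SAMPLE_LOG='May 26 10:01:02 proxy01 bluecoat: PROXIED 2010-05-26 10:01:02 200 TCP_HIT GET 5123 http www.example.com 80 /images/logo.png
May 26 10:01:03 proxy01 bluecoat: PROXIED 2010-05-26 10:01:03 200 TCP_HIT GET 5123 http www.example.com 80 /images/logo.png
May 26 10:01:04 proxy01 bluecoat: PROXIED 2010-05-26 10:01:04 304 TCP_MISS GET 0 http img.example.com 8080 /banner.gif
May 26 10:01:05 proxy01 bluecoat: PROXIED 2010-05-26 10:01:05 403 TCP_DENIED GET 0 - - - -'

# Stdin: raw log lines.  Stdout: unique URLs in first-seen order.
# grep drops records with no URL (denied requests log "-" in the scheme field).
extract_urls() {
  sed -e 's/^.*PROXIED //' \
    | awk '{ print $7 "://" $8 ":" $9 $10 }' \
    | grep '^http' \
    | awk '!seen[$0]++'
}

# $1 = proxy host:port, $2 = result file.  Stdin: URL list.
# Writes "<status> <url>" per line; 000 means no HTTP response at all.
# -S prints the response headers even with -q; the body goes to /dev/null.
replay() {
  proxy=$1; out=$2
  : > "$out"
  while IFS= read -r url; do
    status=$(http_proxy="http://$proxy" wget -q -S -O /dev/null -t 1 --timeout=10 "$url" 2>&1 \
               | awk '/^  HTTP\//{ s = $2 } END { printf "%03d", s + 0 }')
    printf '%s %s\n' "$status" "$url" >> "$out"
  done
}

demo_urls() { printf '%s\n' "$SAMPLE_LOG" | extract_urls; }

# Against real proxies (network required):
#   extract_urls < 2010-05-26-data_export.csv > /tmp/urls
#   replay BLUECOAT001:80 /tmp/bc1.txt < /tmp/urls
#   replay BLUECOAT002:80 /tmp/bc2.txt < /tmp/urls
#   diff /tmp/bc1.txt /tmp/bc2.txt    # every line is a status difference to investigate
```

Recording only the status keeps the comparison honest: a `diff` of downloaded files would flag every image whose `Last-Modified` differed, while a status diff points straight at the proxy that is denying or failing a request the other one serves.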

Checkpoint debug command

Here is a neat little debug command for Check Point:

    fw ctl zdebug drop | grep -w '10\.1\.1\.1'

It streams every packet the kernel drops, with the module and reason, filtered down to the host you care about. Two things to remember: an unanchored grep 10.1.1.1 also matches 10.1.1.10 through 10.1.1.19 and 110.1.1.1 (hence -w and the escaped dots), and zdebug is kernel debugging with a small ring buffer, so on a busy gateway run it only for as long as you need and stop it with Ctrl-C, which resets the debug flags.

PERL and Anonymous Hashes and Debugging

PERL has a seemingly infinite number of modules out there. One that I find extremely helpful, and which I just happened to stumble upon, is Data::Dumper. Anyone who has used Perl references and anonymous hashes knows how tough debugging can be. But Data::Dumper is so cool. Just use the module, hand the top-level reference to Dumper and print the result to see the whole tree:

    #!/usr/bin/perl
    use Data::Dumper;
    use warnings;
    use diagnostics;
    use strict;

    my ($nextline,$HOST,$COMPONENT,$RESTOFLINE,$PHASE,$INTERVAL,$FLOWS,$OVERFLOW);
    my ($masterHash);
    $masterHash = {};
    while ( defined($nextline = <STDIN>) )
    {
            chomp ($nextline);
            if ( $nextline =~ m/^[A-Za-z]+\s+\d+\s+\d+:\d+:\d+\s+([A-Za-z0-9_]+)\s+\[\d+\]\s+([A-Za-z0-9_]+):(.*)$/ )
            {
                    $HOST = $1;
                    $COMPONENT = $2;
                    $RESTOFLINE = $3;
                    $HOST = lc($HOST);
                    $COMPONENT = lc($COMPONENT);
                    if ( $RESTOFLINE =~ m/\s+\[\w+\]\s+\[\d+\]\s+([0-9])\s+:

Cookies, wget, & firefox

Modern Firefox versions store cookies in an SQLite database, which makes them hard to extract. There is an add-on that allows you to export, but that is overkill for me, since all I wanted to do was download a file using wget. Awesomely, the man page showed a really easy way to do this quickly. View your cookies through Firefox's normal Preferences->Privacy->Cookies. The name listed on the right is the Name. Click on each name and note the Value. Put those together to get a command line that works:

    wget --no-cookies --header "Cookie: <NAME>=<VALUE>" https://example.com/dir/file1

Voila. One thing to keep in mind: a session cookie on the command line ends up in your shell history and is visible to anyone on the box who can run ps, so for a cookie you care about, clear the history entry afterwards or read the cookie from a file instead.
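A file-based alternative to the --header trick, added here as an example and not from the post: it writes the cookie in the Netscape cookies.txt format that wget's --load-cookies reads, with owner-only permissions, so the token never appears on a command line. The domain, path, cookie name and value used below are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the post): keep the session cookie in a cookie jar
# that wget reads with --load-cookies instead of passing it via --header, where
# it lands in shell history and in `ps` output for every user on the machine.
# Domain, path, names and values below are constructed for illustration.

# Emit one cookie in the Netscape cookies.txt format (tab-separated):
#   domain  include_subdomains  path  secure  expiry  name  value
# $1 = domain (leading dot = also sent to subdomains), $2 = path,
# $3 = TRUE to send only over HTTPS, $4 = name, $5 = value.
# Expiry 2147483647 (max 32-bit time) keeps the entry valid; wget skips expired ones.
cookie_line() {
  domain=$1; path=$2; secure=$3; name=$4; value=$5
  case $domain in
    .*) subdomains=TRUE ;;
    *)  subdomains=FALSE ;;
  esac
  printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\n' "$domain" "$subdomains" "$path" "$secure" 2147483647 "$name" "$value"
}

# $1 = jar path; then groups of five: domain path secure name value.
# Runs in a subshell so the restrictive umask does not leak to the caller.
make_jar() {
  jar=$1; shift
  (
    umask 077                          # the jar holds a session token: owner-readable only
    printf '# Netscape HTTP Cookie File\n' > "$jar"
    while [ $# -ge 5 ]; do
      cookie_line "$1" "$2" "$3" "$4" "$5" >> "$jar"
      shift 5
    done
  )
}

# Usage:
#   make_jar "$HOME/.wget-jar" .example.com / TRUE SESSIONID abc123
#   wget --load-cookies "$HOME/.wget-jar" https://example.com/dir/file1
#   rm -f "$HOME/.wget-jar"
```

Setting the secure flag to TRUE matters for the https:// download in the post: wget will then refuse to send the cookie if a redirect ever drops the connection to plain http://.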

Finding RPMs from a particular day

I ran into a problem where a vendor wanted to know all of the patches that were installed via RPM on their appliance on a given day. RPM stores that info, but I didn't know how to access it easily. There is probably an easier way to do this, but I put the following command line together and it seems to work:

    rpm -qai | egrep -3 "Mon 20 Sep|Tue 21 Sep" | egrep "^Name|^Install Date" | sed -e 's/Relocations:.*$//' | sed -e 's/Build Host.*$//' | sed -e 's/   */ /g' | perl -e 'while (defined($line1 = <STDIN>)) { $line2 = <STDIN>; chomp ($line1); chomp ($line2); print "$line1\t\t$line2\n"; }' | sort

Fun times.
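The easier way the post suspects exists is rpm's query format, which returns the install time and package name directly and avoids the context-line juggling of -qai plus egrep -3. The script below is an added example, not the post's code: rpm_installtimes runs the real query, installed_between filters the output to an epoch window, and installed_on wraps that for a calendar day. The sample_rpm_output data is constructed so the filter can be exercised on a machine without rpm.

```shell
#!/bin/sh
# Added example (not the post's pipeline): query rpm for install time and package
# in one shot and filter by date.  Package names in sample_rpm_output are made up.

# Real query: "<epoch seconds>\t<name-version-release.arch>" per installed package.
rpm_installtimes() {
  rpm -qa --qf '%{INSTALLTIME}\t%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n'
}

# Constructed stand-in for rpm_installtimes so the filter can run offline.
#   1284958800 = 2010-09-20 05:00:00 UTC   1285045200 = 2010-09-21 05:00:00 UTC
#   1262304000 = 2010-01-01 00:00:00 UTC (outside the window)
sample_rpm_output() {
  printf '%s\t%s\n' \
    1284958800 foo-1.0-1.noarch \
    1284962400 bar-2.3-4.x86_64 \
    1285045200 baz-0.9-1.noarch \
    1262304000 old-1.0-1.noarch
}

# $1, $2 = inclusive epoch bounds.  Stdin: epoch<TAB>package.  Stdout: packages, oldest first.
installed_between() {
  awk -F'\t' -v lo="$1" -v hi="$2" '$1 >= lo && $1 <= hi' | sort -n | cut -f2
}

# $1 = YYYY-MM-DD, interpreted in the local timezone (needs GNU date -d).
installed_on() {
  start=$(date -d "$1 00:00:00" +%s) || return 1
  end=$(date -d "$1 23:59:59" +%s) || return 1
  rpm_installtimes | installed_between "$start" "$end"
}

# Usage on a real host:  installed_on 2010-09-20; installed_on 2010-09-21
```

Working in epoch seconds also sidesteps the locale problem of grepping "Mon 20 Sep": the human-readable date rpm -qai prints changes with LANG, the integer does not.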

poor man's winblows cygwin sshd

Stuck with winblows on the desktop.  Downloaded an ISO from a vendor and needed to copy to an appliance.  But security is tight except for stuff initiated from the appliance.  Quickest solution was to run SSHD under cygwin: ssh-keygen -t rsa -f /etc/ssh_host_rsa_key ssh-keygen -t dsa -f /etc/ssh_host_dsa_key vi /etc/defaults/etc/sshd_config --- sshd_config.orig    2010-09-02 13:30:23.690702700 -0500 +++ sshd_config 2010-09-02 13:24:02.021270400 -0500 @@ -94,6 +94,7 @@  #TCPKeepAlive yes  #UseLogin no  #UsePrivilegeSeparation yes +UsePrivilegeSeparation no  #PermitUserEnvironment no  #Compression delayed  #ClientAliveInterval 0 /usr/sbin/sshd -f /etc/defaults/etc/sshd_config -d
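Review bot: the one changed line, +UsePrivilegeSeparation no, turns off sshd's privilege separation, so the network-facing pre-authentication code runs with the daemon's full privileges instead of in an unprivileged child, and nothing in the hunk records why that is needed here (on Cygwin typically because the sshd privilege-separation account has not been created) or that it is meant to be temporary. Add a comment line above it saying so, and since the surrounding commands start sshd with -d (a single foreground session), also note that the setting and the freshly generated host keys should be removed once the ISO has been copied.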

Fun with Fedora

I've been working for a little over 2 years now at a company that is a Microsoft sycophant. When it doesn't use Microsoft, it uses the biggest, least agile vendor it can find. I didn't realize how much working with Microsoft killed my interest in computers. In the past few weeks I've been working on upgrading and redesigning my home systems. I had a fairly archaic Fedora Core 9 home server which I rarely used except to run Alpine on (to report my spam easily). I've decided it is time to go massively virtual. I built a new VirtualBox virtual machine on my laptop. I migrated the FC9 box from a standalone server to the VM (not that hard really, just some dump/restore actions and voila). The new task is to create a new FC13 box as the host OS and build a couple of VMs under it with different functions. I should be able to upgrade the host OS and guest OSs on different schedules, and that should make keeping up with updates and new releases easier, since I

Cygwin + syslog-ng

Until I can get a real workstation at work and get off this winblows, Cygwin is my friend. I am working on some OO programming in PERL and really need to be able to log syslog messages locally. After installing syslog-ng, I couldn't figure out how to run it, till I stumbled on a page that mentioned the syslog-ng-config command. Initially I had some problems because the /etc/passwd and /etc/group files were not world readable (I don't know if that is a side effect of the Legato restore of my laptop or just the default behavior); however, a quick

    chmod a+r /etc/passwd /etc/group

seemed to help. (Cygwin's /etc/passwd carries no password hashes, so world-readable is its normal state rather than a weakening.) Running syslog-ng-config yielded this output:

    > syslog-ng-config
    Creating default /etc/syslog-ng.conf file
    Warning: The syslogd service is already installed.  You can not run both,
    syslogd and syslog-ng in parallel.
    Do you want to deinstall the syslogd service in favor of syslog-ng? (yes/no) yes
    Warning: The following function requires administrator privileg

PERL Array count on Array Reference

PERL has a lot of cool built-in operators to find things like the number of elements in an array ($#array) which are very straightforward when using basic data types. With C I never had a problem with the indirection associated with pointers and dereferencing. Of course, being the pedantic guy I am, I always used parentheses to excess. Anyway, I was working on some code to retrieve a set of fields from an Omnibus database, and the database function returns a reference to an array of arrays. I only expect one row coming back, but I needed a quick way to tell that. With a little experimentation I found it was:

    $#$resultsPTR

Remember that $# gives the last index, not the count, so a single row yields 0. Sure it is easy now, but I had to run through a few iterations to figure out just what $# wanted to see. Here is a larger code chunk to put things in perspective, hopefully sanitized enough to be public:

    #!/usr/bin/perl
    #
    # $Id$
    #
    use strict;
    use warnings;
    use diagnostics;
    use POSIX ":sys_wait_h";
    use lib "/packages";
    require &

PERL and IPC with one-way pipes

I have a project to which I really need to add some parallelism to increase its speed. I poked around on perl.org and managed to cobble together this little bit of code to show how the children work. The parent reaps them non-blocking with waitpid (hence the POSIX :sys_wait_h import for WNOHANG).

    #!/usr/bin/perl
    #
    # $Id$
    #
    use strict;
    use warnings;
    use diagnostics;
    use POSIX ":sys_wait_h";

    sub main ()
    {
        my ($CHILDNUM);
        my ($childFhPTR,$FHx, $cPID);
        my ($sleeptime,$keepgoing,$nextkid,$linenum,$nextline);
        foreach $CHILDNUM ( 0,1,2,3,4 )
        {
            if ( !defined($cPID = open ($FHx, "-|")) )
            {
                die "can not spawn child for some reason maybe ($!)";
            }
            if ( $cPID == 0 )    # child
            {
                $sleeptime = int(rand(25));
                print STDOUT "I am child ($$) with CHILDNUM ($CHILDNUM) and will be sleeping for ($sleeptime) seconds\n";
                sleep $sleeptime;
                print STDOUT "This is chil

Linux Malware?? Windows and Linux are now equal in security!!!!!!

http://www.zdnet.com/blog/bott/linux-infection-proves-windows-malware-monopoly-is-over/2206?tag=content;feature-roto

That is right. This ZDNet guy has once and for all proved that M$ is just as secure as Linux. That's right, you read it here, and I completely agree. I mean, everyone knows that the 3rd party package in question is a fundamental piece of Linux. That this freeware IRC server could be compromised 8 months ago and then installed on a Linux box just shows that software can be modified to have a back door. And clearly this is the same thing as the vendor-provided web browser in Microsoft being poorly designed and integrated into the OS in such a tight-knit fashion that simple web surfing exploits own the machine. Now that I know this, I'll be stopping by Best Buy on the way home to purchase Windows 7 to replace my Linux installations and finally have the kind of security that I've always dreamed of.

Double underline misspellings in Firefox

Stolen from: http://lifehacker.com/5557424/make-misspellings-stand-out-even-more-in-firefoxs-spell-check?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+lifehacker%2Ffull+%28Lifehacker%29

1. Enter about:config in the Firefox address bar. If it pops up an alert, tell it that you know what you're doing and proceed.
2. Search for ui.SpellCheckerUnderlineStyle. If you find anything, skip to step 5.
3. If your system is like mine, you found nothing. That means you have to add this configuration value. Right-click the main portion of the window and select New > Integer.
4. Now, enter ui.SpellCheckerUnderlineStyle to create a setting by this name.
5. Now you can set the value of this setting to one of several options: 0 for no highlighting, 1 for a dotted line, 2 for long dots, 3 for a single straight line, 4 for a double underline (like you see above – that's my pick), and 5 for a squiggly line, which is the default.

Cool. The double line real

Linux: locate, filenames with apostrophe, and xargs

I'm working on building my new Fedora 13 laptop (Studio XPS 16, which is awesomely fast). Anyway, I'm trying to de-duplicate a lot of files that I have spread across my old Fedora server and Mac Mini. The worst offenders are my MP3 files that I've downloaded and in many cases imported into iTunes. So I've been using locate and xargs to compare file sizes and make sure I have 1 good copy of every MP3. Many songs have special punctuation like "'" in them, which causes xargs problems. But since I'm using locate and not find, I had to replace newlines with NUL (\0) myself. Here's a quick little hack for that:

    locate -i "ring of fire" | perl -e 'while (<STDIN>) { chomp $_; print $_ . "\0" }' | xargs -0 -I {} ls -l {}

Fedora 13, Gnome, and Window Focus

Newer versions of Gnome seem to lack a quick link to window control, namely window focus. Blame too many years of twm and X11, because I love the focus to follow the mouse. I even run xmouse or whatever under winblows. In Fedora 13, I installed gconf-editor with yum and then ran the utility. Under /apps/metacity/general there is an option for focus_mode. Setting it to "mouse" makes the world just a little bit happier.

Whoo-hoo New Laptop

I am finally going to upgrade my trusty Dell Inspiron 8200 laptop. I bought it back in 2002 or 2003, and thanks to maximizing the RAM and Linux I've been able to use it for years. I'm going to miss the 15" 1600x1200 screen that it had. Thanks to HD TV, high-resolution screens are a thing of the past, and getting high resolution on a small (~15") screen is all but impossible (HDTV Ruined LCDs). However, I did manage to find the Dell Studio XPS 16 with 1920x1080 resolution. Ordered components for the new laptop:

    1  224-6716  Studio XPS 16 Notebook
    1  317-2361  Intel Core i7 720QM 1.6GHz (2.8 GHz Turbo Mode, 6MB Cache)
    1  317-2366  8GB, DDR3, 1333MHz 2 Dimm
    1  320-8330  15.6 inch Wide Screen 16:9 1080p Full HD WLED LCD, W/2.0 MP, XPS 1645
    1  421-1010  Dell Webcam Central v1.4
    1  421-0188  Facial Recognition
    1  320-8350  ATI Mobility RADEON HD 4670 1GB
    1  330-5460  DELL RESOURCE DVD,BACK-UP,XPS 1645
    1  341-8989  500GB 7200RPM Free Fall Sensor Seagate Hard Drive
    1  320-8351  O

subversion and revision tags, first pass

Always being a wanna-be programmer, I'm only now learning development tools. Subversion is cool in itself, but when I was just starting with it a few months ago I wasn't googling tags correctly and only found parts about how CVS tags didn't work. Inspired today, I decided to search again and found the right information this time. For me a compressed tag with date, revision number, and ID is good enough. So all I had to do to get this working was to add a line in my PERL script under a comment:

    $Id$

and then change the svn property for the affected files with:

    svn propset svn:keywords Id lib/*

Now when I commit files, they automatically get updated with the latest tag. There are other more useful settings, but this was my little discovery for today. Since I'm forced to work under winblows, and that means I have to use Cygwin to be productive at all, I haven't explored how to make this the default yet.

Decoding a bad attachment -- base64

The team captain for one of my hockey teams sent out the playoff schedule. Unfortunately, whatever method he used to forward the message attached the original message in raw mbox format. Because it contained an attached M$ Word document, it arrived in my Gmail inbox as a base64 MIME part and Google didn't parse the attachment. Luckily, openssl has base64 decoding built in, and with a little massaging I was able to decode the playoff schedule. First, save the raw attachment. Delete all the lines before the actual base64 code. Delete all of the lines after the base64 code. Hint: don't even save the base64 header information. Next, tell openssl to decode that file:

    openssl base64 -d -in srcfile -out sched.doc
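The hand-trimming step can be automated: a MIME part's base64 body starts after the blank line that ends its headers and stops at the next boundary line. The script below is an added example, not the post's procedure; it extracts that body from a saved message and decodes it, and it handles the case the plain openssl base64 -d command trips over, a body that has been re-flowed onto one long line. The sample message, boundary string and attachment contents are constructed.

```shell
#!/bin/sh
# Added example (not from the post): pull the base64 body of an attachment out
# of a raw mbox/MIME message and decode it, instead of deleting header lines by
# hand.  The message, boundary and attachment text below are constructed.

SAMPLE_MBOX='From captain@example.com Tue May 11 21:03:12 2010
From: captain@example.com
Subject: Fwd: playoff schedule
Content-Type: multipart/mixed; boundary="part-boundary-01"

--part-boundary-01
Content-Type: text/plain

Schedule attached.
--part-boundary-01
Content-Type: application/msword; name="sched.doc"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="sched.doc"

UGxheW9mZiBzY2hlZHVsZTogR2FtZSAxIEZyaWRheSA3cG0K
--part-boundary-01--'

# Stdin: raw message.  Stdout: the base64 lines of the first part whose headers
# declare Content-Transfer-Encoding: base64 (matched case-insensitively).
extract_b64_part() {
  awk '
    tolower($0) ~ /^content-transfer-encoding:[ \t]*base64/ { inhdr = 1; next }
    inhdr && /^[ \t]*$/ { inhdr = 0; inbody = 1; next }   # blank line ends the part headers
    inbody && /^--/     { exit }                           # next MIME boundary ends the body
    inbody              { print }
  '
}

# Stdin: base64 text, any line length, LF or CRLF.  Stdout: decoded bytes.
# openssl base64 -d expects MIME-style short lines and produces nothing for a
# long single line, so strip all line breaks and decode with -A; fall back to
# coreutils base64 where openssl is absent.
decode_b64() {
  if command -v openssl >/dev/null 2>&1; then
    tr -d '\r\n' | openssl base64 -d -A
  else
    tr -d '\r\n' | base64 -d
  fi
}

demo_decode() { printf '%s\n' "$SAMPLE_MBOX" | extract_b64_part | decode_b64; }

# Usage on a saved message:
#   extract_b64_part < raw.mbox | decode_b64 > sched.doc
#   file sched.doc        # confirm it really is a Word file before opening it
```

The final check is worth keeping: a forwarded "Word document" that arrives as an opaque base64 blob is exactly what a malicious attachment looks like too, and `file` costs nothing.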

syslog-ng on cygwin

I am developing some PERL scripts for OMNIbus/Netcool at work. Because my company restricts freedom and discourages innovation, we are stuck on Microsoft. Luckily they haven't locked us down to the point where we can not install new software. So I've become a big fan of Cygwin. I've never used heroin, but I suspect my use of Cygwin is much like an addict's use of methadone. It keeps me alive, just barely. Anyway, this piece of knowledge was not the most straightforward piece to find, or I'm just an idiot (not that those are mutually exclusive). However, on the winblows box, syslog-ng runs under Cygwin and even sets itself up as a service, which is cool. Side note: if you want to upgrade Cygwin and are getting file-in-use problems and are running syslog-ng, you probably need to shut down the service during upgrades. Anyway, marking and statistics messages in /var/log/messages on winblows are pointless and just consume disk space. Normal google searching didn't

Fonts in M$ Outlook

I always have a heck of a time getting M$ to do what I want. I guess because I am not a "defaults" kind of person. Black text on a white background is gross. Anyway, Word has always had a WordPerfect setting where I can get white text on a blue background. Not as nice as a black background, but better than white. Unfortunately, many people send HTML emails, and when replying I have to edit in HTML mode to preserve any kind of useful chain. Up until today I've had a problem that eluded me. Many times my initial typing would all be hidden because (I assume) the text color matched the background color. Now, this only happened with HTML replies. I had to highlight my text and click the Text Color (Auto) button to correct it. The solution was not straightforward to me, but I found it today: (in Outlook) Tools->Options->Mail Format->Fonts. These fonts are used and override (or interfere with) the blue background/white text global option. Also, changed the "

xargs always confuses me

I have always had the hardest time working with xargs. I usually end up with a bash for loop and some backticks instead. But it really is cleaner to be able to pipe from the generating command. I had a situation recently where I had added some code to a PERL script that I was trying to understand. I added some File::Temp code to dump incoming variables and the current environment. I just used /tmp as my template directory since it was always guaranteed to be there and I didn't want to have even more code to create and maintain a new sub-directory. Wow, that is lazy. (One caveat: the environment of a CGI script can carry cookies, authorization headers and other request data, so dumps like these deserve a review and a delete once the debugging is done.) Anyway, I ended up with a bunch of /tmp/?????????? files, so I needed a quick way to grab all my files from /tmp and move them to a sub-directory for review. xargs was the perfect solution here, AND (drum roll) I actually got it to do what I needed it to do:

    cd /tmp
    mkdir /tmp/1
    fgrep -l dudeatwork.cgi ?????????? | xargs -I {} mv {} 1

which looks at all the files with 10 character names, look

Google Reader and OPML

I am a big fan of indeed.com and its job search aggregation functions. I usually keep RSS links in my Google Reader profile. I like to search based on geography, and I use a number of keyword searches. Once you get to more than a couple of job links, updating them can be a bit tedious. But luckily Google has a nice way to import and export through OPML formatted files. I am no expert on OPML, but using an export of my current RSS feeds I was able to piece together a quick and dirty little PERL script to generate a batch of updated RSS feeds. This script is really basic, I just hard coded the input strings and locations, but for 5 minutes it did the job fine. I merged the output of this script into the OPML file downloaded from Google Reader and then reimported it. Due to how the blog interprets stuff, I had to add some backslashes, which need to be removed before this will actually work. Basically you need to s/<\\/

    --------CODE BEGIN-----
    #!/usr/bin/perl -w
    my @SearchStrin