So I was mentioning to a co-worker the good ol' "system in the bricked up janitor closet" case and he mentioned that "Yeah, it was a server." That took me aback. In talking with him this happened in 2006, so I'm not sure if it's the same thing. Either it is the same incident, which means I know which university this was at (which happens to be my alma mater), or there are at least 2 incidents with physical plant bricking up a janitor closet with a system inside.

Nov 14, 2014 23:42

flosofl posted: poo poo like this and the AD story earlier are why packet captures are your best friend.

Seriously, I don't know what I'd do without tcpdump. If you know how to use tcpdump and strace, then you can diagnose pretty much any "something's just not working" issue on a Linux system.

Nov 15, 2014 06:07

dennyk posted: Seriously, I don't know what I'd do without tcpdump. If you know how to use tcpdump and strace, then you can diagnose pretty much any "something's just not working" issue on a Linux system.

For sure. If things get escalated to us as "our poo poo is fine, it has to be your stuff", we get our customer's network staff on the line and we have a big packet capture party. After we make sure NTP is working properly on all the network equipment (boy, was THAT a lesson learned).

Nov 15, 2014 06:24

dennyk posted: Seriously, I don't know what I'd do without tcpdump. If you know how to use tcpdump and strace, then you can diagnose pretty much any "something's just not working" issue on a Linux system.

Add ltrace. And systemtap. But tcpdumping LDAP is kind of a waste of time in general...

Nov 15, 2014 06:31

Lightning Jim posted: So I was mentioning to a co-worker the good ol' "system in the bricked up janitor closet" case and he mentioned that "Yeah, it was a server." That took me aback. In talking with him this happened in 2006, so I'm not sure if it's the same thing. Either it is the same incident, which means I know which university this was at (which happens to be my alma mater), or there are at least 2 incidents with physical plant bricking up a janitor closet with a system inside.

Mine was a desktop where the person wanted a silent computer.

Nov 15, 2014 07:00

Client: Hi, our vendor recently installed new equipment at Warehouse1, but we are unable to contact it. Can you investigate? MAC is abcd.1234.abcd
Us: We've checked all the switches at Warehouse1 but have not been able to find the specified MAC address. Could you please trace the connection and tell us where it is connected?
Client: Uh, like we said, the vendor recently installed it. We don't know where it is connected.
Us: OK. Well, we don't see it anywhere. Without someone physically tracing the cable, we can't provide any further information or help.
Client: Well when I spoke with Other_Client_Tech he said you guys saw the MAC in VLAN 20.
Us: Nobody here has ever confirmed seeing this MAC. Furthermore, VLAN 20 does not exist at Warehouse1.
Client: How can we restore service to VLAN 20?

Nov 15, 2014 10:53

I just noticed another great thing with our ticketing system. You can send email from it. This isn't the great thing, the great thing is the shortcut to open/close the email window: alt gr + e. Guess how you make the € symbol. And then go ahead and guess how fun it is when you need to write the € symbol in notepad and copy/paste it into every email.

I pray to god whatever poo poo system this crap is hosted on burns down to the ground because I loving can not deal with this anymore. I am actually considering just going back to work in a grocery store or something, because between the ticketing system working against you every goddamn step of the way and the customers screaming about things way outside my control this just isn't worth it.

Also, we're supposed to keep the customer on the line throughout the whole process of ordering service for them for some insane reason. I can get all the information I need to send service in about 5 minutes (80% of the time at least); ordering the service can take 10-20 minutes after that. How pissed off would you be when you're calling just to order a new hdd, when you know it's dead because you've tested it in 5 different computers and it doesn't get detected, and you give someone all the info they need and then you have to sit and wait for 10 minutes because ???

Think I might go back to school.

Nov 15, 2014 13:02

organburner posted: And then go ahead and guess how fun it is when you need to write the € symbol in notepad and copy/paste it into every email.

Nov 15, 2014 14:07

internet jerk posted: Why? Arcsight is pretty great if you're feeding it good content.

Oh wow, other companies use Arcsight? Our setup is pretty amazing - one console, a pile of loggers & connectors, everything from the corporation feeding through one place. Last time I checked, about a year ago, it handled ~40 billion events per day. You see, we get paid for each device that feeds logs through it, so it's getting everything - domain controllers, workstations, you name it. It takes around four hours to load 1 hour's worth of filtered events. Thousands of cases have been raised in its internal system - of course for anyone to investigate them they have to go through about 4 other systems as well. I'm pretty sure due to the sheer volume, an actual security event has never been detected. Oh, and one person does the case logging / monitoring. 5 or 6 people hold it together, and add more devices.

Nov 15, 2014 15:29

One of our (small) clients is seeing change rates of several gigs per hour on their SBS server, which is killing offsite replication for us. Anyone know of a free tool to track which data is being changed and by what?

Nov 15, 2014 18:56

They probably have a crypto virus. Good luck.

Nov 15, 2014 19:02

iRend posted: Oh wow, other companies use Arcsight?

That sounds awful, and while I'm certainly no ArcSight pro I know enough to understand you get out of it what you put in. If you don't have rules, filters, and a network model etc set up to actually make use of correlation then it's basically a waste of your time and money as any sort of security analysis solution. ArcSight is like ze best SIEM available and tons of companies and gov agencies are balls deep in it. Where I work we're even having HP's SIOC bros build out content for us since we don't currently have a dedicated content dude; based off whatever use cases we've deemed Things We're Interested In Right Now. If something pops up in an active channel or a dashboard it's something that in theory we want to investigate.

Sounds like you dudes are crushing its will to live with overworked connectors pumping infinite logs, continuously evaluating queries from uncorrelated data, partial matches to rules or just no rules for correlating, who knows whatever else? Basically it doesn't sound like any content or tuning / baselining has been done? Purely guessing - the entire point of the SIEM is to sculpt the mountain of varying levels of priority rated data into an actionable event by an analyst or engineer. If you just wanted to search straight log data from a device wouldn't it be quicker to do that by logging into the logger appliance(s)?

Wait - how does "being paid per device feeding logs" work?

Nov 15, 2014 19:52

organburner posted: Also, we're supposed to keep the customer on the line throughout the whole process of ordering service for them for some insane reason. I can get all the information I need to send service in about 5 minutes (80% of the time at least); ordering the service can take 10-20 minutes after that.

Last time I spoke with Dell about a DOA monitor, I felt he was really slow. I started out explaining I had tried several computers, several VGA cables and a DisplayPort cable, 100% sure it is the screen, as everything else works. When he asks me to try another cable, I start to wonder if he is incompetent or what. Then when he out of nowhere asks me if I am satisfied with the support I get and if I have any other Dell products I might need help with, before I have even given him my address, I ask if he is on a script. He confirms, and I feel so sorry for him. Must be humiliating having to do what he did. Phone call lasted 30 minutes, with half of it no one saying anything.

Nov 15, 2014 22:03

internet jerk posted: That sounds awful, and while I'm certainly no ArcSight pro I know enough to understand you get out of it what you put in. If you don't have rules, filters, and a network model etc set up to actually make use of correlation then it's basically a waste of your time and money as any sort of security analysis solution.

Client says "we will pay you a certain amount of money for every device that has logs processed". They also don't care about quality, just quantity. They want cases raised, not useful stuff. I mean after all, if you're not seeing tickets come out of your multimillion dollar solution it's not worth anything, right? Cue 50 "Ping detected" cases per day. Also I'm 90% sure nobody knows how to create correlations. The people who did left the company. Another fun thing: we have to retain all the logs infinitely. As a wild guess, it's processing logs from about 12000 things. Also there's no fun thing like an MDL or DNS - mostly the only info that comes through on the loggers/consoles is an IP, maybe if you're lucky a hostname.

Nov 16, 2014 00:44

iRend posted: Client says "we will pay you a certain amount of money for every device that has logs processed".

ZoneAlarm... enterprise edition?

Nov 16, 2014 17:31

Happiness Commando posted: One of our (small) clients is seeing change rates of several gigs per hour on their SBS server, which is killing offsite replication for us. Anyone know of a free tool to track which data is being changed and by what?

I think Process Explorer and/or Resource Monitor may be able to tell you which process is writing that much.

Nov 16, 2014 23:30

I have a ticket to get a list of department membership from a list of usernames. Luckily for me the users' OU is their department. Unluckily for me I apparently can't Powershell for poo poo. Can someone please tell me what I'm doing wrong in the following script? code:
code:
I've been wondering if I'm using the $Variable wrong, should I use Where-Object instead, or.. something else?

Crowley fucked around with this message at 10:33 on Nov 17, 2014

Nov 17, 2014 08:27

flosofl posted: poo poo like this and the AD story earlier are why packet captures are your best friend.

...Not to say I haven't done that in the past, but now all the people I could admit that to in the networking unit have left because of our horrible infrastructure management, leaving behind a bunch of incompetents who would probably just get pissed at me for trying to tell them how to do their job.

Crowley posted: I have a ticket to get a list of department membership from a list of usernames. Luckily for me the users' OU is their department. Unluckily for me I apparently can't Powershell for poo poo.

Nov 17, 2014 08:53

The AD commands for PS won't accept NT account names in the Domain\accountname form, you have to either get the account SID and look that up, or chop off the domain from the NT account name and perhaps add that manually as another search criteria. Additionally, I'm not sure if Get-ADOrganizationalUnit is the right command to use. I think you'll have better success with Get-ADUser to look up each user, and then pull out the OU from the DN with a regex or something stupid like that. (I can't find any commands or properties that let me navigate up the directory tree, from an object to the containing object.)

Nov 17, 2014 09:41

Knormal posted: Me either, and I hate the language and its stupid syntax, but what happens if you remove the variable from the equation and just run "get-ADOrganizationalUnit -LDAPFilter '(name=DOMAIN\userinitials1)'"? My first thought is the script is working, but the search is just coming up empty. Does your "Name" field really match "DOMAIN\userinitials"? I really like the way you're working with objects. Grab the output from one command and send it directly into the next one, and the language will just handle it.

Turns out Get-ADOrganizationalUnit didn't work with DOMAIN\Username. Quite embarrassing I didn't test that in the first place.

nielsm posted: Additionally, I'm not sure if Get-ADOrganizationalUnit is the right command to use. I think you'll have better success with Get-ADUser to look up each user, and then pull out the OU from the DN with a regex or something stupid like that. (I can't find any commands or properties that let me navigate up the directory tree, from an object to the containing object.)

Get-ADUser seems to be the way to go for me - I just need to truncate $BrugerID since the "Identity" will only accept a username. More fiddling ahead. ..at least it's a learning experience.

Nov 17, 2014 11:10

Crowley posted: Get-ADUser seems to be the way to go for me - I just need to truncate $BrugerID since the "Identity" will only accept a username. More fiddling ahead.

code:

Nov 17, 2014 12:16

Earl of Lavender posted: Regarding truncation: Regex with the Replace operator, perhaps? code:

I didn't know you could do that though, so I have something to work on there.

Nov 17, 2014 13:45

Crowley posted:
Maybe code:

Nov 17, 2014 19:38

sloshmonger posted: Maybe code:

Also change the single quotes in get-ADOrganizationalUnit -LDAPFilter '(name=$BrugerID)' to double quotes.

Nov 17, 2014 19:42

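Pulling the thread's advice together (nielsm: look each user up with Get-ADUser and take the OU out of the DN with a regex; Earl of Lavender: truncate the DOMAIN\ prefix with the -replace operator; sloshmonger: single quotes don't expand $BrugerID), here is an added example of the whole procedure. It is not code anyone posted in the thread; Get-OuFromDistinguishedName and Get-UserDepartment are names chosen here, the sample DNs at the bottom are constructed, and it assumes the ActiveDirectory module is loaded for Get-ADUser and the thread's convention that a user's immediate parent OU is their department.

```powershell
# Added example, not from the thread: resolve "DOMAIN\user" entries to the OU that
# holds the account. Assumes the ActiveDirectory module (Get-ADUser) is available.

function Get-OuFromDistinguishedName {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # A DN reads leaf-first, e.g. "CN=Jane Doe,OU=Finance,OU=Users,DC=example,DC=com".
    # Skip the CN (which may contain escaped commas such as "Doe\, John") and take the
    # value of the first OU that follows it. $Matches is PowerShell's -match result.
    if ($DistinguishedName -match '^CN=(?:[^,\\]|\\.)*,OU=([^,]+)') {
        return $Matches[1]
    }
    return $null   # account sits in a container (e.g. CN=Users), not in an OU
}

function Get-UserDepartment {
    param([Parameter(Mandatory)][string[]]$Account)
    foreach ($entry in $Account) {
        # Get-ADUser -Identity wants a sAMAccountName (or SID/DN/GUID), not "DOMAIN\name",
        # so drop everything up to and including the backslash.
        $sam = $entry -replace '^.*\\', ''
        try {
            $user = Get-ADUser -Identity $sam -ErrorAction Stop
            [pscustomobject]@{
                Account    = $entry
                Department = Get-OuFromDistinguishedName $user.DistinguishedName
            }
        } catch {
            # Keep going on unknown accounts; the ticket wants a list, not a crash.
            [pscustomobject]@{ Account = $entry; Department = "NOT FOUND: $($_.Exception.Message)" }
        }
    }
}

# Offline check of the DN parsing with constructed DNs (no domain needed):
$sampleDns = @(
    'CN=Jane Doe,OU=Finance,OU=Users,DC=example,DC=com',   # -> Finance
    'CN=Doe\, John,OU=Logistics,DC=example,DC=com',        # -> Logistics (escaped comma in CN)
    'CN=svc-backup,CN=Users,DC=example,DC=com'             # -> (null), lives in a container
)
$sampleDns | ForEach-Object { '{0} -> {1}' -f $_, (Get-OuFromDistinguishedName $_) }

# Against a real domain, feeding the ticket's list (one DOMAIN\user per line):
# Get-Content .\users.txt | ForEach-Object { Get-UserDepartment $_ } |
#     Export-Csv .\departments.csv -NoTypeInformation
```

The bottom block runs without a domain, so the regex can be checked before the real lookups. If you prefer an LDAP filter over -Identity, sloshmonger's point applies: the filter string has to be double-quoted, `"(sAMAccountName=$sam)"`, or `$sam` is passed to the directory literally.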
An even better way to do this is with the Quest AD Powershell cmdlets. Dell made this REALLY GODDAMN HARD TO FIND since they bought out quest and want to push you toward buying an ActiveRoles server, but they're still available and still free: https://software.dell.com/registert/71110 You don't need the ActiveRoles server to use these; you just install and then add something like code:
Then, all you have to do is something like code:
potato of destiny fucked around with this message at 00:10 on Nov 18, 2014

Nov 17, 2014 20:26

If you have a weird object in .NET chances are you can stick a .ToString() after it to convert to a string.

Nov 18, 2014 00:23

potato of destiny posted: An even better way to do this is with the Quest AD Powershell cmdlets. Dell made this REALLY GODDAMN HARD TO FIND since they bought out quest and want to push you toward buying an ActiveRoles server, but they're still available and still free:

Nov 18, 2014 00:27

organburner posted: I just noticed another great thing with our ticketing system.

Of course this will require you learning to switch your " and @ but that's no problem, right?

Nov 18, 2014 01:34

A ticket came in from the incredibly passive-aggressive "junior manager" of our department (loving everyone and their uncle is a manager, this guy is a 24 year old spoiled brat who manages nobody, mainly handles the department budget): please have Drone contact me. What kind of sane person opens a ticket to have me contact them about a non-IT issue instead of just... emailing me directly, or calling me?

Nov 18, 2014 08:27

Drone posted: A ticket came in from the incredibly passive-aggressive "junior manager" of our department (loving everyone and their uncle is a manager, this guy is a 24 year old spoiled brat who manages nobody, mainly handles the department budget): please have Drone contact me.

Oh please tell me he really used the word "drone."

Nov 18, 2014 08:38

Arquinsiel posted: Switch keyboard layout to Irish and ctrl + alt + 4 will sort that out for you.

Actually in regular US international the Euro sign is altgr + 5, so no Irish needed.

Nov 18, 2014 09:07

Che Delilas posted: Oh please tell me he really used the word "drone."

Nope, real name. Dude sits like 20 meters from me, too.

Nov 18, 2014 10:50

spankmeister posted: altgr

Why am I having a hard time trying to figure out what this is?

Nov 18, 2014 15:05

Trastion posted: Why am I having a hard time trying to figure out what this is?

Because a lot of keyboards no longer label the right 'ALT' key as 'ALT-GR' (maybe it is to save ink?)

Nov 18, 2014 15:13

spog posted: Because a lot of keyboards no longer label the right 'ALT' key as 'ALT-GR'

European keyboards do.

Nov 18, 2014 15:24

nielsm posted: European keyboards do.

Some do, some don't. I just checked the first 4 keyboards on Argos.co.uk - half had them, half didn't (including an official MS one).

Nov 18, 2014 15:48

Trastion posted: Why am I having a hard time trying to figure out what this is?

Yeah, it's right alt like already mentioned, and I also just noticed that the keyboards at work don't have the GR either. So yeah, right alt + 5 when you use US international gives you €.

Nov 18, 2014 17:21

Webform ticket came in today:

quote: Comments: i want to get back to oogle

Nov 18, 2014 17:44

I'm not gonna change my keyboard layout just so I can write €'s in my emails without the window disappearing. Also, a while ago we complained that getting bonuses was next to impossible (need to have near enough perfect scores on our reviews consistently and pretty much never take any breaks for any reason ever) They changed the bonus system. Now you need to have the same stats as before to get it. Oh, also, the whole department needs to have the same stats, otherwise you get no bonus at all no matter how good your stats are.

Nov 18, 2014 18:06

Cisco is doing the free Meraki AP for attending a webinar thing again. Last year it was the MR16, I don't know what it will be this year. https://meraki.cisco.com/freeap is the website for those interested.

Nov 18, 2014 18:27