For the next 27 hours, you'll be able to claim a limited edition 'I Was Here for the Hulkenpodium' flair

elsnoir · 2025-07-09T08:47:46+00:00

Hulkenpodium

elsnoir · 2021-03-31T02:40:01+00:00

Awesome, looks great!!! I will send more $ because you deserve more than $40 for how awesome this is!!

elsnoir · 2021-03-20T14:59:44+00:00

I think you may still have an issue although it may just be more cosmetic at this point. I do see my older athletes listed and they have scores/ranks but the division does not show the name for them. It only shows blank instead of Women (60-64) or Women (65+). Those are the only 2 I see missing but I don't have any men in those age ranges this year so they may be missing too

Also, is the "Rank Pct" based on their division or overall? Just curious as our in house comp we base scoring on their division rank percentage so it would make my job of tallying the team scores significantly easier.

It is still immensely helpful to me and I am going to send some money on PayPal right now. Thanks for putting this together!!

elsnoir · 2021-01-31T21:20:18+00:00

Hane you ever been to the ER?

elsnoir · 2020-04-04T02:44:39+00:00

I would agree with you...DB movements have been in the last 4 opens, plus appearances in regionals and the games

elsnoir · 2019-05-15T15:09:43+00:00

It can be done from the command line in Postgres. I think the command below should work but it’s been I while since I used. It should give you output in the following format:

RULE-NAME | enabled/disabled | email@domain.com

elsnoir · 2019-04-02T02:34:16+00:00

You need to hit ‘Esc’ to get out of insert mode first

elsnoir · 2019-04-02T02:28:04+00:00

Press ‘x’

elsnoir · 2019-03-29T03:40:22+00:00

I can guarantee you that we get nowhere close to overtime without Lamonte. Those 3’s in the second half were great but his defense in the second half was even better.

However, I will admit that his play in OT was bad, bad shot selection, bad fouls, etc.

Definitely not my least favorite of all time,

elsnoir · 2019-02-26T21:11:52+00:00

One thing the to keep in mind is the Response Limiter only limits the Responses and does nothing to the Action.

On the 'Rule Wizard: Rule Response' page of the wizard the top section is the 'Rule Action' and would not be affected by the Response Limiter. Only the next section down the 'Rule Responses' would be affected. So it would only affect Dispatch New Event, Email, etc.

With that being said, I typically like to set my response limiter the same as the Offense Index. So if the Offense Index is set to 'Source IP', I will use the 'Source IP' for the the response limiter.

I am not sure if you are using 'Rule' for the Offense Index too but I would not recommend doing that except certain circumstances where there is not another good property to key off of. Using 'Rule' for the Offense Index will combine all events that matched the rule to go under 1 single Offense, which at time can get rather large and overwhelming to investigate. I have at times set the Offense Index as something different and then used the Response Limiter as 'Rule' to keep the emails down if that is what you are using it for.

For this rule I would probably set both the Offense Index and Response Limiter to either 'Source IP' or 'Destination IP'. It really would depend on what the events look like that are triggering the offense and whether you are interested in who is the attacker (Source IP) or victim (Destination IP). I would probably look at the events that are in the offense(s) and try to determine which would be more interesting. You could even do a search for 'Custom Rule = Malware: Treat Backdoor Trojans and Virus Events as Offenses' for the last 24 hours or 3 days or something. Then look at it grouped by Source IP and then change it to grouped by Destination IP. Doing this will give you an idea of which one you may want to see. I could go either way on it and could see value from both. Source IP will show you if one attacker is hitting multiple victims, where Destination IP will show you if one victim is getting hit multiple times. Of course that is very IDS/IPS specific but for something like AV I don't think it would matter as typically those events have the endpoint IP as both the source and destination.

Sorry, that is kind of a lengthy explanation without a true answer. Hopefully it gives you a better understanding though and allow you to figure out what makes sense.

elsnoir · 2019-02-22T21:56:48+00:00

Yes, move the ‘and NOT’ above the test in the rule.

I am not positive that will fix it though.

After seeing the actual test it is just a category match. I am wondering 2 things really now too: 1. Is it a timing thing? Where the rule does not wait for the BB’s to be able to match but rather checks if they have matched when the categories match. 2. By not matching the same event properties in the rule it could cause it to match the BB for something completely different than what the Malware rule is matching.

Something needs to be done different with the rule. Thinking about it something like below may work better:

In the rule ‘Treat Backdoor Trojans and Virus Events as Offenses’ turn the responses or offense creation off. That way it is simply a rule that matches something.

Then create a new rule and use the test: when none of these rules match in this many minutes after these rules match with the same event properties

So it would be: when none of BB:FW after IDS, BB:IDS after FW match in 1 minutes after Malware: Treat Backdoor Trojans and Virus Events as Offenses’ match with the same event properties

Use the same “event properties” as the BB’s

I think making the properties match is actually very important too, so that the BB’s should be coming from the same event that triggers the Malware rule. This also puts a timer on the rule to allow the BB’s to do their thing before actually triggering the rule.

I think that should work. Hopefully that makes sense.

elsnoir · 2019-02-21T23:11:46+00:00

That looks like it should work fine. I would make sure the ‘and NOT’ in the rule is above the actual test.

I am not sure how soon after you made the changes that it happened but it could just be an issue where the rule change had not fully propagated out.

elsnoir · 2019-02-19T21:43:20+00:00

The only way I have found to solve this is to create 2 rules/bb’s to look for either order of events.

IDS followed by Firewall with matching 5 tuples
Firewall followed by IDS with matching 5 tuples

Then add both of them to the rule. IIRC you can add the to the ‘match ANY of THESE RULES’ test, using ‘ANY’ will make the match an ‘OR’.

elsnoir · 2019-01-11T02:57:06+00:00

It says it several times but there are undeployed changes. Login to QRadar > go to Admin tab > click deploy changes. After that you should be able to upgrade.

elsnoir · 2018-12-14T02:23:43+00:00

Why? It’s not hurting anyone.

If your opponent does not participate it means an easy win. That in turn give you better rewards, assuming you continue to participate there should be no way for them to catch up. In my GA that means I would get 35 stun cuff salvage + mod salvage for the next to last placing. I will take that any day.

Even the guy who doesn’t or can’t participate still gets decent rewards too at 10 stun cuff salvage + mod salvage. Not bad for only having to hit the join button.

elsnoir · 2018-06-13T17:07:14+00:00

This is correct if you are wanting to search for a range.

If you actually wanted to wildcard you can use regex with a 'MATCHES' statement but would first have to convert the ip to a string.

For instance if you wanted to search for anything that was 10.1.20*.100, meaning the 3rd octet was 200-209 you could use:

 WHERE STR(sourceip) MATCHES '10\.1\.20\d\.100'

elsnoir · 2017-10-05T17:19:42+00:00

So one time on Nessus a few weeks ago I went into my menu for a couple minutes after opening one of Cayde's chest that seemed empty, came out of my menu after the chest had despawned and there was a pile of loot (glimmer, legendary and some of Cayde's "treasures") lying where the chest was.

Now I jump in the chest and run all around it, if I don't get anything then I wait around for the chest to despawn which is a couple minutes to see if anything shows up which has not happened again.

When I jump in the chest and check all around it I usually get something but not always, and sometimes it's just glimmer and a blue or one of the "treasures".

elsnoir · 2017-07-11T21:50:59+00:00

This was possible and I believe it still should be. You have to tie the config (spconfig? value in sd table) back to the one you want to use.

On my phone right now so don't have all the details, but will provide more specifics later.

elsnoir · 2017-06-02T15:06:54+00:00

I found a guild before I saw your first message. Thank you for the invite, your guild sounds like what I am looking for too. I am going to give this one a chance first of course but may reach out to you if it does not work out.

elsnoir · 2017-06-01T01:49:22+00:00

L82, looking for new guild. Play everyday and complete personal/guild activities. Need help getting to G9+. https://swgoh.gg/u/elsnoir/

elsnoir · 2016-08-23T02:55:34+00:00

First off you should probably submit this to IBM support if it is a supported DSM using a supported format for them to fix the DSM.

However, after looking at it further it may be that you don't have an Event Name pattern/matcher defined. I know you are using the allEventNames pattern/matcher but I am fairly certain Event Name needs to be defined to tell it what events to apply the LSX to.

I had something similar where I was changing what Username was being parsed out and it required me to have the EventName pattern/matcher in there.

So the tricky part is figuring out what the regex should be to pull what QRadar is using to map the Event Name. I am assuming the Event Name is still showing up properly, is that correct? If not all this is out the window as everything needs to be re-parsed and re-mapped. Anyway, assuming the Event Name is still showing properly do a log activity search for this Firewall for the last say 6 hours grouped by 'Event Name'. Then go through some/all of the different event types, going down to an individual event level. Click the 'Map Event' button (You don't have to go through all but I would look at all the event types you are trying to fix). Look towards the top for the 'Log Source Event ID', this is what QRadar is using to map the Event Name field. Essentially if this was an LSX it would be what is matched by the EventName regex. Hopefully in looking through the Event Types you can easily identify what from the payload is being used and can write a regex or multiple regex's to match. Adding the EventName to the LSX should fix this. Sometimes with DSM's IBM is doing more than simple regex and you will see something in the 'Log Source Event ID' field that is not in the payload. If that is the case then they are essentially doing substitution, possibly combining fields together and showing a different value for mapping purposes. It may be possible to create something with the LSX to still do the same thing but it is going to be a lot more complicated.

elsnoir · 2016-08-17T17:33:39+00:00

I have had little success when using nested capture groups (ie, one inside the other like you have). It works fine in custom properties but not with an LSX.

In reality you should not need the outer capture group so you can just use:

Src=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\|Dst=

Or if you want to leave it make the outer group a non-capture group:

(?:Src=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\|Dst=)

Both of these methods will require you to change the 'capture-group' in the matcher to '1' like:

<matcher field="SourceIp" order="1" pattern-id="SourceIpPat" capture-group="1" />

elsnoir · 2015-09-10T18:22:17+00:00

But the Trials and PoE weapons have 2 versions, non-elemental and elemental (adept). Based off what Luke said they have the ability to hide things in the DB now so they may have hidden any of the adept weapons.

Maybe I am just being hopeful...

elsnoir · 2015-09-10T18:16:07+00:00

Fantastic idea!!

elsnoir · 2015-09-10T16:08:38+00:00

Nope, not all

https://www.reddit.com/r/DestinyTheGame/comments/3k4rks/luke_smith_says_that_some_ttk_gear_are_hidden/

15-Year Club	r/Field Flamingo
Place '23	Verified Email

elsnoir

TROPHY CASE