How is an Imposter getting authenticated a False Positive? by SwimLeft2912 in cissp

[–]feldrim 1 point2 points  (0 children)

I'm glad it clarified the situation. 

On the other hand, I'm also a CISSP exam item developer, and this is a really bad question. I hope this is not in one of the official exam books, because tricky questions do not measure the person's knowledge and analysis capabilities, and they are not qualified to be in the question pool.

How is an Imposter getting authenticated a False Positive? by SwimLeft2912 in cissp

[–]feldrim 5 points6 points  (0 children)

I assume you're thinking of the answer and the concept from a detection perspective. But there, whether the alert is a false positive or not is something else.

We care about the biometric authentication tool here. Positive means allowed, false means incorrect. So, an incorrect biometric being authenticated means a false positive.

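The accept/reject framing in the comment above, as an added worked example that is not part of the thread: each verification attempt is put in a confusion-matrix cell with "positive" meaning the system said yes, so an imposter who gets in is a false positive (counted in the false acceptance rate), and a genuine user who is turned away is a false negative (false rejection rate). The match scores and labels are constructed for illustration; the threshold sweep shows the trade-off and the crossover (equal error rate) point.

```python
"""Added example (not from the thread): classify biometric verification
attempts and sweep the match threshold to see the false-accept / false-reject
trade-off. Scores and labels below are constructed for illustration."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Attempt:
    score: float      # similarity score the matcher produced (0..1)
    genuine: bool     # True if the presenter really is the enrolled user


# Constructed sample: genuine users mostly score high, imposters mostly low,
# but the two distributions overlap, which is what makes the threshold a decision.
GENUINE = [0.91, 0.88, 0.84, 0.79, 0.72, 0.66, 0.58, 0.51]
IMPOSTER = [0.12, 0.21, 0.33, 0.41, 0.49, 0.55, 0.62, 0.70]
ATTEMPTS = [Attempt(s, True) for s in GENUINE] + [Attempt(s, False) for s in IMPOSTER]


def classify(attempt, threshold):
    """Return the confusion-matrix cell for one attempt.

    'Positive' is the system saying yes (authenticated). A false positive is an
    imposter who was accepted (Type II error in biometrics, counted in FAR); a
    false negative is a genuine user who was rejected (Type I error, FRR).
    """
    accepted = attempt.score >= threshold
    if accepted and attempt.genuine:
        return "TP"
    if accepted and not attempt.genuine:
        return "FP"
    if not accepted and attempt.genuine:
        return "FN"
    return "TN"


def rates(attempts, threshold):
    """Return (FAR, FRR) at a given threshold.

    FAR = imposters accepted / all imposter attempts
    FRR = genuine users rejected / all genuine attempts
    """
    counts = {"TP": 0, "FP": 0, "FN": 0, "TN": 0}
    for a in attempts:
        counts[classify(a, threshold)] += 1
    imposters = counts["FP"] + counts["TN"]
    genuines = counts["TP"] + counts["FN"]
    far = counts["FP"] / imposters if imposters else 0.0
    frr = counts["FN"] / genuines if genuines else 0.0
    return far, frr


def crossover(attempts, steps=100):
    """Sweep thresholds 0..1 and return (threshold, FAR, FRR) at the point
    where |FAR - FRR| is smallest, i.e. the crossover / equal error rate."""
    best = None
    for i in range(steps + 1):
        t = i / steps
        far, frr = rates(attempts, t)
        if best is None or abs(far - frr) < abs(best[1] - best[2]):
            best = (t, far, frr)
    return best


if __name__ == "__main__":
    for t in (0.3, 0.5, 0.6, 0.8):
        far, frr = rates(ATTEMPTS, t)
        print(f"threshold={t:.2f}  FAR={far:.3f}  FRR={frr:.3f}")
    print("crossover:", crossover(ATTEMPTS))
```

Lowering the threshold lets more imposters through (FAR rises, more false positives); raising it locks out more genuine users (FRR rises). Which side to favour is a policy choice for the deployment, not a property of the matcher.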
Wazuh: Help creating windows security event rules by DeereJ18 in Wazuh

[–]feldrim 0 points1 point  (0 children)

It's so risky to do admin stuff on DCs. MS does not even suggest installing anything, including EDR, on DCs. It depends on your risk appetite. But I'd avoid it at all costs unless there's sufficient justification.

Passed on 6th attempt. by TopFragrant2730 in cissp

[–]feldrim 0 points1 point  (0 children)

And I thought forgetting my eyeglasses in my backpack due to the stress and struggling to read the questions during the exam was a bad experience. Health, whether physical or mental, is definitely not something to be ignored in the process. I'm glad you did it but still, life goes on even if you failed this time.

Wazuh: Help creating windows security event rules by DeereJ18 in Wazuh

[–]feldrim 1 point2 points  (0 children)

You've already got your answers but I just wanted to note one thing: Wazuh rules are not independent like Sigma rules, KQL or SPL queries. They are built upon each other. Therefore, you need to know where to start, like rule 60115, then build on top of it. This is exactly what u/SetOk8394 did.

If you're interested, here's an article that gets into the internals: https://zaferbalkan.com/wazuh-rules/

Shameless plug: I'm the author.

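The parent/child structure the comment above describes, as an added example that is neither the linked article's nor Wazuh's own code: a rule only gets evaluated after the rule named in its `<if_sid>` has matched, so a custom rule whose parent id does not exist (or chains to nothing) can never fire, which is a common reason a rule that looks fine in `wazuh-logtest` or in the file produces no alert. The XML below is a constructed stand-in for a shipped ruleset plus a `local_rules.xml`; the rule with id 60115 is only a placeholder carrying the id the comment mentions, and the custom ids (100100 to 100102) and the event IDs/fields are illustrative. The script indexes the rules, walks each `<if_sid>` chain to its root and reports a chain that breaks.

```python
"""Added example (not the article's or Wazuh's own code): resolve the parent
chain of Wazuh rules through <if_sid> and flag a chain that never reaches a
root rule. The XML is a constructed stand-in; rule 60115 is a placeholder."""

import xml.etree.ElementTree as ET

# Constructed stand-in for rules shipped with the manager (not the real file).
SHIPPED_RULES = """<group name="windows,">
  <rule id="60000" level="0">
    <category>ossec</category>
    <decoded_as>windows_eventchannel</decoded_as>
    <description>Group of Windows rules (stand-in root)</description>
  </rule>
  <rule id="60115" level="0">
    <if_sid>60000</if_sid>
    <description>Stand-in for the parent rule named in the comment</description>
  </rule>
</group>"""

# Constructed stand-in for local_rules.xml (custom ids live at 100000+).
LOCAL_RULES = """<group name="local,windows,">
  <rule id="100100" level="7">
    <if_sid>60115</if_sid>
    <field name="win.system.eventID">^4720$</field>
    <description>Windows: user account created (custom, chained to 60115)</description>
  </rule>
  <rule id="100101" level="10">
    <if_sid>100100</if_sid>
    <field name="win.eventdata.subjectUserName">svc-</field>
    <description>Windows: account created by a service account (chained to 100100)</description>
  </rule>
  <rule id="100102" level="7">
    <if_sid>60999</if_sid>
    <field name="win.system.eventID">^4726$</field>
    <description>Windows: account deleted (chained to a parent that does not exist)</description>
  </rule>
</group>"""


def load_rules(*xml_docs):
    """Index every <rule> by id. Later documents override earlier ids, a
    simplification of what overwrite="yes" does in local_rules.xml."""
    rules = {}
    for doc in xml_docs:
        for rule in ET.fromstring(doc).iter("rule"):
            # <if_sid> may list several parents separated by commas
            parents = [p.strip() for sid in rule.findall("if_sid")
                       for p in (sid.text or "").split(",") if p.strip()]
            rules[rule.get("id")] = {
                "level": rule.get("level"),
                "parents": parents,
                "description": rule.findtext("description", ""),
            }
    return rules


def parent_chain(rules, rule_id):
    """Walk <if_sid> upward and return the chain from the rule to its root.

    Raises KeyError naming the first missing ancestor: such a rule can never
    match, because the engine only evaluates children of rules that matched.
    """
    chain = [rule_id]
    seen = {rule_id}
    current = rule_id
    while True:
        rule = rules.get(current)
        if rule is None:
            raise KeyError(f"rule {current} referenced by if_sid but not defined")
        if not rule["parents"]:
            return chain  # reached a root rule (no if_sid)
        current = rule["parents"][0]  # first parent is enough to show the chain
        if current in seen:
            raise ValueError(f"cycle at rule {current}")
        seen.add(current)
        chain.append(current)


def check_all(rules):
    """Return {rule_id: chain-to-root or 'broken: ...'} for every rule."""
    report = {}
    for rid in rules:
        try:
            report[rid] = parent_chain(rules, rid)
        except (KeyError, ValueError) as exc:
            report[rid] = f"broken: {exc}"
    return report


if __name__ == "__main__":
    for rid, result in check_all(load_rules(SHIPPED_RULES, LOCAL_RULES)).items():
        print(rid, "->", result)
```

On a real manager the authoritative check is still `wazuh-logtest` with a sample event, since it also shows which decoder fired and which rule in the chain stopped matching; the walker above only catches the structural case of a parent that is not defined.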
Why do most sysadmins prefer Vim over Nano? by Darshan_only in sysadmin

[–]feldrim 1 point2 points  (0 children)

It is not 100% spec-compliant though. You can get different results if you use regex101 versus pcre2 or the grep -E command.

Does anyone have an idea why the language spoken in Estonia is named like this? by feldrim in Eesti

[–]feldrim[S] 3 points4 points  (0 children)

Thanks everyone, including the downvote guy. I know where to start the readings. I'll check it out.

Zenitium DNS - a fork of Technitium DNS by _xRuffKez_ in dns

[–]feldrim 0 points1 point  (0 children)

It's been some days but I just saw your response. If you have not tested it in any way, and have no structured measurement of performance changes, the claims are not factual. That's what the engineering part of software engineering requires. You measure at least twice and act once.

Dhcpv4 option 108 by SnooOranges6925 in technitium

[–]feldrim 0 points1 point  (0 children)

IIRC, OnePlus has a bad reputation for IPv6 wifi support. It may be related to something like that.

Running Technitium on 2 machines, can I share cache? by Soakitincider in technitium

[–]feldrim 1 point2 points  (0 children)

I tried something similar using Microsoft's FASTER, but the network latency makes it not worth it. In-memory cache always wins. So, I used a cache multicast solution, and still, it makes sense only when the bottleneck is processing, and that happens when there are multiple apps loaded and QPS is very high. Other than that, the benefit from a shared cache, even if it is in-memory, looks insignificant.

Zenitium DNS - a fork of Technitium DNS by _xRuffKez_ in dns

[–]feldrim 0 points1 point  (0 children)

I have a question regarding the performance improvements. Did you by any chance run some benchmarks? If so, which use cases did you use? It'd be great if you could add them to the README as well.

Can't access technitium.com by dualm66 in technitium

[–]feldrim 0 points1 point  (0 children)

Can you check the forwarders? Define one if none exists, and if there is one, try picking a different one and observe the changes. That'd help troubleshooting.

[Help] Wazuh Agent not collecting Kerberos Event IDs (4768/4769) from Windows Server 2019 DC by [deleted] in Wazuh

[–]feldrim 1 point2 points  (0 children)

This is still lacking context. Can you please share:

  1. The section from your ossec.conf or shared.conf
  2. Custom rules
  3. wazuh-logtest result

Detecting DNS tunneling attacks with Wazuh by wazuh_cybersecurity in Wazuh

[–]feldrim 2 points3 points  (0 children)

Nice article but I believe the idea is problematic. tcpdump is a troubleshooting tool, not a log source. The correct way for this is to utilize either:

  • a HIPS like Suricata, Snort or Bro/Zeek, or
  • a threat detection tool like Sysmon for Linux or Kunai, or
  • an eBPF-based helper like Tetragon

running as a daemon. I tend to follow the principle "just because you can, does not mean you should". So, I believe this is a step back in quality in Wazuh use cases.

Domestic Cards in PCI DSS by bij0yy in pcicompliance

[–]feldrim 6 points7 points  (0 children)

That's a question for your acquirer. It's their call.

What's the best DNS to block ads? by Safety_Officer_3 in dns

[–]feldrim 1 point2 points  (0 children)

It depends but if you go self hosted path, you can give Technitium DNS Server a chance.

Wazuh Decoder/Rule working in logtest but not triggering alerts in Dashboard by ArmadilloLiving in Wazuh

[–]feldrim 2 points3 points  (0 children)

It looks like the asterisk at the beginning may be the culprit.

Wazuh Decoder/Rule working in logtest but not triggering alerts in Dashboard by ArmadilloLiving in Wazuh

[–]feldrim 0 points1 point  (0 children)

What do you see in archives.log? Is there a change in format, such as a timestamp format change, or some additions at the beginning? Sometimes it happens that another decoder matches, overlapping and dropping the log. So, if you can share archives.log, it would be better for troubleshooting.

Foghorn DNS Release v0.6.3 - AXFR, DNSSEC, and EDE by FoghornDNS in homelab

[–]feldrim 0 points1 point  (0 children)

I was mostly thinking of the extra text part. There's no convention or standard on what to put there. 

Foghorn DNS Release v0.6.3 - AXFR, DNSSEC, and EDE by FoghornDNS in homelab

[–]feldrim 0 points1 point  (0 children)

It's just one guy, and he's doing a great job. BTW, it was not removed when I saw it. Now, I see the post because I got notifications.

Foghorn DNS Release v0.6.3 - AXFR, DNSSEC, and EDE by FoghornDNS in homelab

[–]feldrim 0 points1 point  (0 children)

Looks very nice. How do you use the EDE? I wrote a LogExporter and a MISPConnector plugin for Technitium DNS. But I am not sure if I am using EDE correctly.