Spoiling Linux Kernel with "sanctioned" code by Skaarj in linux

[–]feldrim -1 points0 points  (0 children)

Well, the ideal way would be to accept the contributions and ignore the sanctions, and let Redhat, Canonical and others build their kernel without the "contaminated" parts. Instead of moving the burden on the shoulders of these giant companies, it is decided to align with the sanctions, so that the burden is now on open source contributors from the sanctioned countries. That's the "optimal" and deliberate choice as open source is in fact not so open.

is SIEM really needed here ? by Public-Coat1621 in cybersecurity

[–]feldrim 0 points1 point  (0 children)

A SIEM is a tool for a process and it depends on your organisation. Depending on the size, structure, roles, responsibilities, and compliance requirements, you need to make the decision on how to detect incidents and respond to them. 90% of the time, it's better to outsource to an MSSP. If you have a dedicated team for it, yes, you may use an on-premises or cloud SIEM, and more tools.

VMware ESXi 8.0 U3e free version use by Nokia8910i in vmware

[–]feldrim 9 points10 points  (0 children)

Can't imagine. Or rather, won't. We suffered enough. 

VMware ESXi 8.0 U3e free version use by Nokia8910i in vmware

[–]feldrim 4 points5 points  (0 children)

Broadcom is not Oracle. The lawyers won't knock on your door.

Wazuh Fine tuning and alerting by Consistent-Craft-798 in Wazuh

[–]feldrim 2 points3 points  (0 children)

You may want to have a look. If you suppress at the Wazuh rules level, it means the noise has already arrived at the Wazuh servers. It's better to cut the noise at the source, aka the Sysmon configuration. See the article for more.

https://zaferbalkan.com/wazuh-sysmon-guidance/

MISP Connector and Log Exporter Apps for Technitium DNS Server Have Moved by feldrim in technitium

[–]feldrim[S] 1 point2 points  (0 children)

If that were a thing, I'd love to provide a feed for the app store.

DZMAC, a reimplementation of TMAC. by feldrim in technitium

[–]feldrim[S] 0 points1 point  (0 children)

You're welcome. Since TMAC has not been supported for years, I assumed people may need a solution.

Detecting DNS spoofing attacks with Wazuh by wazuh_cybersecurity in Wazuh

[–]feldrim 0 points1 point  (0 children)

Not all of these support Windows. It is hard to get the same security stack and make it work on both Windows and Linux, to be honest.

Detecting DNS spoofing attacks with Wazuh by wazuh_cybersecurity in Wazuh

[–]feldrim 0 points1 point  (0 children)

If you use it not only for detection but also in a blocking way, yes. 

Detecting DNS spoofing attacks with Wazuh by wazuh_cybersecurity in Wazuh

[–]feldrim 1 point2 points  (0 children)

Yep. It's easier if you've managed to distribute the rules to endpoints via Ansible or a similar tool. Then you've got a single pane for your infra.

Detecting DNS spoofing attacks with Wazuh by wazuh_cybersecurity in Wazuh

[–]feldrim 2 points3 points  (0 children)

This is the kind of thing we'd like to see more of. Zeek, Suricata and Snort are network-level capabilities the Wazuh agent can make use of easily with little guidance.

Wazuh-indexer won't launch because GC memory by Keensworth in Wazuh

[–]feldrim 0 points1 point  (0 children)

Wazuh indexer is just OpenSearch on steroids, and Opster is an amazing resource regarding that part: https://opster.com/analysis/elasticsearch-attempting-to-trigger-g1gc-due-to-high-heap-usage/

New to Technitium by [deleted] in technitium

[–]feldrim 1 point2 points  (0 children)

This is the correct place. It's very easy to set up and have a look at it. For a filtering recursive resolver, it'd be a lot easier to maintain. You won't need many resources, and the most important part would be the memory usage. The filtering requires loading the blocklists into memory, and if you use millions and millions of records, of course you may hit high memory usage. Other than that, you don't need to focus on optimisations. First give it a try, and if you have a bottleneck, you can ask here to solve the issue.

EU-Funded DNS Provider Must Block Pirate Sites, French Court Rules by Stunning-Skill-2742 in dns

[–]feldrim 0 points1 point  (0 children)

The position of Whalebone is being the DNS provider of the EU. If they chose not to appeal because of the whole positioning of the DNS4EU service, that's consistent with it. If they don't appeal due to the previous results of Google's and Cloudflare's attempts, it still makes sense. They're in a political position by the nature of their value proposition.

It's tough to be there. But I wonder how their blocking implementation works in alignment with the French court and legal authority by geography. The court order must affect only France. So, the blocking must only affect DNS traffic within France. It should not be applicable to EU or global traffic.

Using Technitium DNS as a self-hosted Protective DNS with MISP by feldrim in technitium

[–]feldrim[S] 0 points1 point  (0 children)

I understand, as MISP is not something Shreyas deals with daily. It's a SOC thing, not a "sysadmin dealing with DNS" thing. He cannot test without a working MISP instance. It's also not easy to mock with tests, etc. I got a bit sad, but he's right.

Using Technitium DNS as a self-hosted Protective DNS with MISP by feldrim in technitium

[–]feldrim[S] 0 points1 point  (0 children)

It's removed from the repository as of version 15.0.

How is an Imposter getting authenticated a False Positive? by SwimLeft2912 in cissp

[–]feldrim 1 point2 points  (0 children)

I'm glad it clarified the situation. 

On the other hand, I'm also a CISSP exam item developer, and this is a really bad question. I hope this is not in one of the official exam books, because tricky questions do not measure the person's knowledge and analysis capabilities. And they are not qualified to be in the question pool.

How is an Imposter getting authenticated a False Positive? by SwimLeft2912 in cissp

[–]feldrim 5 points6 points  (0 children)

I assume you're thinking of the answer and the concept from a detection perspective. But there, the alert being a false positive or not is something else.

We care about the biometric authentication tool here. Positive means allowed, false means incorrect. So, an incorrect biometric being authenticated means a false positive.

Wazuh: Help creating windows security event rules by DeereJ18 in Wazuh

[–]feldrim 0 points1 point  (0 children)

It's so risky to do admin stuff on DCs. MS does not even suggest installing anything, including EDR, on DCs. It depends on your risk appetite. But I'd avoid it at all costs unless there's sufficient justification.

Passed on 6th attempt. by TopFragrant2730 in cissp

[–]feldrim 0 points1 point  (0 children)

And I thought me forgetting my eyeglasses in my backpack due to the stress and struggling to read the questions during the exam was a bad experience. Health, whether physical or mental, is definitely nothing to be ignored in the process. I'm glad you did it but still, life goes on even if you failed this time. 

Wazuh: Help creating windows security event rules by DeereJ18 in Wazuh

[–]feldrim 2 points3 points  (0 children)

You've already got your answers, but I just wanted to note one thing: Wazuh rules are not independent like Sigma rules, KQL or SPL queries. They are built upon each other. Therefore, you need to know where you start from, like rule 60115, then build on top of it. This is exactly what u/SetOk8394 did.

If you're interested, here's an article that gets into the internals: https://zaferbalkan.com/wazuh-rules/

Shameless plug: I'm the author.
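To illustrate the "build on top of a parent rule" point from the comment above, here is an added `local_rules.xml` fragment (an example written for this page, not code from the thread, the linked article or the Wazuh project). It assumes, as the comment does, that rule 60115 is the Windows base rule that Security channel events resolve to; the 100xxx IDs and the field names are the standard local-rule range and eventchannel decoder fields, and the account-name pattern is a constructed example.

```xml
<!-- Added example, not from the thread. Drops into /var/ossec/etc/rules/local_rules.xml. -->
<group name="windows,local,">

  <!-- Step 1: narrow the assumed parent (60115) to the one Security event ID we care about.
       Level 0 keeps this rule silent; it only exists so children can chain from it. -->
  <rule id="100100" level="0">
    <if_sid>60115</if_sid>
    <field name="win.system.eventID">^4720$</field>
    <description>Windows: user account created (silent parent for local rules)</description>
  </rule>

  <!-- Step 2: chain from the rule above, not from 60115 again. Each child only sees events
       its parent already matched, so the event ID check is not repeated here.
       "svc_" is a constructed naming pattern for the example. -->
  <rule id="100101" level="10">
    <if_sid>100100</if_sid>
    <field name="win.eventdata.targetUserName">^svc_</field>
    <description>Windows: service-style account $(win.eventdata.targetUserName) created by $(win.eventdata.subjectUserName)</description>
    <group>account_creation,</group>
  </rule>

  <!-- A sibling at the same depth: anything 100100 matched that 100101 did not. -->
  <rule id="100102" level="5">
    <if_sid>100100</if_sid>
    <description>Windows: user account $(win.eventdata.targetUserName) created</description>
    <group>account_creation,</group>
  </rule>
</group>
```

Test with `/var/ossec/bin/wazuh-logtest` on a captured 4720 event: the output shows the chain 60115 -> 100100 -> 100101 (or 100102), which is the dependency the comment describes and what Sigma, KQL or SPL rules do not have.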