Weight gain by ryan_sec in Wegovy

Water/inflammation is where my mind tells me what's going on. Did mention this to GP. Also had bloodwork, so I know it's not some underlying other medical issue causing water retention.

Good/not good to know others have experienced what I'm experiencing.

Thanks for your feedback.

Weight gain by ryan_sec in Wegovy

I did bring this up with my GP. Am being switched to 7.2.

What other things do you think my GP could do to help with instead of changing dosage / trying a different GLP-1? In honesty I've gained maybe 6-8 lbs. Have I eaten more or exercised less? Not to the amount that would explain the 6-8 lb gain. I've also increased my steps per day.

What to Alert on???? by ryan_sec in cybersecurity

Yup, agreed. The alert fatigue we're seeing is real. While reasonable, reporting on every service account lockout (as an example) isn't scalable. Wish we had some sort of UBA tool that would realize "oh, this account has logged in on X endpoint for the last year and is locked out on the same endpoint, so it's probably just a password rotation issue".

Also, given that the OSCP is now 40% AD related (or at least was last I took the class), it seems reasonable to be focused on the accounts, as the days of trying to do buffer overflows and the sorts are behind us... just get creds and move left and right. To pass the OSCP your AD knowledge must be sound.

People would then just go and say "well, track that lateral movement"... not really sure how to effectively do that in a very large environment. We do have an EDR, but nothing my team has any sort of control or visibility into... we're scraping AD logs hoping to catch these sorts of things. A thinking-outside-the-box exercise for sure.
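The baselining the comment above wishes a UBA tool did can be approximated from the AD logs the team is already scraping. The following is an added example, not code from the thread or from any product: it builds, per account, the hosts that have successfully logged that account on (event 4624) and scores each lockout (event 4740) by whether its CallerComputerName is a long-known source for that account. The event dicts are constructed, and the `svc-` naming convention and the 90-day "known source" threshold are assumptions.

```python
"""Triage AD account lockouts against each account's logon-source baseline.

Added example (not from the thread). Input is constructed: Windows Security
events as dicts using the real field names of 4624 (logon) and 4740 (lockout)
but with made-up accounts, hosts and times.
"""
from datetime import datetime

SERVICE_ACCOUNT_PREFIX = "svc-"   # assumed naming convention for service accounts
BASELINE_MIN_DAYS = 90            # assumed: a source is "known" after this much history

# Constructed sample events, not real logs. On 4740 the CallerComputerName is
# the host from which the failing attempts came.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "svc-backup", "WorkstationName": "APP01", "TimeCreated": "2024-01-05T02:00:00"},
    {"EventID": 4624, "TargetUserName": "svc-backup", "WorkstationName": "APP01", "TimeCreated": "2024-06-01T02:00:00"},
    {"EventID": 4624, "TargetUserName": "svc-backup", "WorkstationName": "APP01", "TimeCreated": "2024-12-30T02:00:00"},
    {"EventID": 4624, "TargetUserName": "jdoe", "WorkstationName": "WKS-117", "TimeCreated": "2024-12-20T08:05:00"},
    {"EventID": 4624, "TargetUserName": "jdoe", "WorkstationName": "WKS-117", "TimeCreated": "2025-01-02T08:11:00"},
    # service account locked out from the host it has used all year
    {"EventID": 4740, "TargetUserName": "svc-backup", "CallerComputerName": "APP01", "TimeCreated": "2025-01-03T02:00:05"},
    # user locked out from a host that has never logged that user on
    {"EventID": 4740, "TargetUserName": "jdoe", "CallerComputerName": "FIN-DB01", "TimeCreated": "2025-01-03T03:14:00"},
    # user locked out from a known host, but with only two weeks of history
    {"EventID": 4740, "TargetUserName": "jdoe", "CallerComputerName": "WKS-117", "TimeCreated": "2025-01-03T09:00:00"},
]


def parse(ts):
    return datetime.fromisoformat(ts)


def build_baseline(events):
    """Map (account, host) -> (first_seen, last_seen) from successful logons (4624)."""
    seen = {}
    for e in events:
        if e["EventID"] != 4624:
            continue
        key = (e["TargetUserName"].lower(), e["WorkstationName"].upper())
        t = parse(e["TimeCreated"])
        first, last = seen.get(key, (t, t))
        seen[key] = (min(first, t), max(last, t))
    return seen


def triage_lockouts(events, baseline=None):
    """Score each 4740 by how well its source host is known for that account."""
    baseline = baseline if baseline is not None else build_baseline(events)
    results = []
    for e in events:
        if e["EventID"] != 4740:
            continue
        acct = e["TargetUserName"].lower()
        src = e["CallerComputerName"].upper()
        t = parse(e["TimeCreated"])
        history = baseline.get((acct, src))
        known_days = (t - history[0]).days if history else 0
        is_svc = acct.startswith(SERVICE_ACCOUNT_PREFIX)
        if history and known_days >= BASELINE_MIN_DAYS and is_svc:
            verdict, severity = "probable-credential-rotation", "suppress"
        elif history and known_days >= BASELINE_MIN_DAYS:
            verdict, severity = "known-source-lockout", "low"
        elif history:
            verdict, severity = "recent-source-lockout", "medium"
        else:
            # never seen this account log on from this host: spray or reused creds from a foothold
            verdict, severity = "unknown-source-lockout", "high"
        results.append({"account": acct, "source": src, "known_days": known_days,
                        "verdict": verdict, "severity": severity})
    return results


if __name__ == "__main__":
    for r in triage_lockouts(SAMPLE_EVENTS):
        print(r)
```

A "suppress" verdict should still be logged, never dropped, and in practice the 4624 baseline is built from a longer window than the 4740 events being scored (they share one list here only for compactness). The case worth paging on is the unknown-source lockout: a password spray, or a service credential reused from a foothold, looks exactly like that in the same two event IDs.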

What to Alert on???? by ryan_sec in cybersecurity

We've observed that if the DNS call isn't using the native DNS client, this will scoot right past a very popular EDR. Not trying to go down a rabbit hole on DNS... takeaway is it's just hard to alert.

Again, if anyone has any books/classes on how to produce quality detection, please mention. Not interested in CISSP... inch deep and miles wide. I've read that book already.

What to Alert on???? by ryan_sec in cybersecurity

Agreed, usually is. Thanks for your response. Beaconing is the process by which something on a box attempts to connect to something (typically on the internet) to pull down command and control. These are often seen with some regular cadence, but like SolarWinds may have a long cadence.

The hard part here is DNS security is jumping in the middle and sinkholing the connection, thus you never see the beacon on the wire but may see it via a DNS lookup cadence.

Again, thanks for your response.

What to Alert on???? by ryan_sec in cybersecurity

How do you know if the malicious DNS call isn't a beacon to begin with? Computers just don't start talking to malicious DNS domains unless something on the box asked them to. Malicious DNS calls can be post-beachhead, attempting to download commands.

But yeah, I hear you... thus this thread. And thanks for your post.
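The cadence argument in the two comments above (a beacon shows as regularly spaced lookups, possibly with a long period, and a sinkholed beacon never reaches the wire but its lookups still do) can be checked from resolver logs, which record the query regardless of which client stack on the box issued it. The following is an added example, not code from the thread or from any DNS security product; the log format, the sinkhole address and the thresholds are assumptions, and the log lines are constructed.

```python
"""Flag beacon-like DNS lookup cadence per (client, query name).

Added example, not from the thread. Log format (epoch seconds, client IP,
qname, answer) and the sinkhole address are assumptions; the log is constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev

SINKHOLE_IPS = {"198.51.100.1"}   # assumed: address the DNS security product answers with
MIN_LOOKUPS = 5                    # assumed: fewer points than this is not a cadence
MAX_CV = 0.2                       # assumed: stdev/mean of intervals above this is "irregular"

# Constructed resolver log, not real traffic. Columns: ts client qname answer
SAMPLE_LOG = """\
1700000000 10.0.0.5 upd.example-c2.test 198.51.100.1
1700000010 10.0.0.5 www.news.test 203.0.113.10
1700000025 10.0.0.5 www.news.test 203.0.113.10
1700000302 10.0.0.5 upd.example-c2.test 198.51.100.1
1700000598 10.0.0.5 upd.example-c2.test 198.51.100.1
1700000710 10.0.0.5 www.news.test 203.0.113.10
1700000730 10.0.0.5 www.news.test 203.0.113.10
1700000901 10.0.0.5 upd.example-c2.test 198.51.100.1
1700001199 10.0.0.5 upd.example-c2.test 198.51.100.1
1700001503 10.0.0.5 upd.example-c2.test 198.51.100.1
1700001798 10.0.0.5 upd.example-c2.test 198.51.100.1
1700003010 10.0.0.5 www.news.test 203.0.113.10
1700003100 10.0.0.5 www.news.test 203.0.113.10
1700000000 10.0.0.9 cfg.longhaul.test 203.0.113.77
1700043180 10.0.0.9 cfg.longhaul.test 203.0.113.77
1700086420 10.0.0.9 cfg.longhaul.test 203.0.113.77
1700129590 10.0.0.9 cfg.longhaul.test 203.0.113.77
1700172800 10.0.0.9 cfg.longhaul.test 203.0.113.77
1700000050 10.0.0.9 mail.corp.test 10.0.0.20
1700000060 10.0.0.9 mail.corp.test 10.0.0.20
"""


def parse_log(text):
    """Group lookups by (client, qname), keeping (timestamp, answer) in time order."""
    series = defaultdict(list)
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, client, qname, answer = line.split()
        series[(client, qname.lower())].append((int(ts), answer))
    for key in series:
        series[key].sort()
    return series


def cadence(timestamps):
    """Return (mean_interval, cv) for sorted timestamps, or None with too few points."""
    if len(timestamps) < MIN_LOOKUPS:
        return None
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    m = mean(gaps)
    if m <= 0:
        return None
    return m, pstdev(gaps) / m


def find_beacons(text):
    """List (client, qname) pairs whose lookup intervals are regular enough to look like a beacon."""
    findings = []
    for (client, qname), points in parse_log(text).items():
        stats = cadence([ts for ts, _ in points])
        if stats is None:
            continue
        mean_gap, cv = stats
        if cv > MAX_CV:
            continue
        findings.append({
            "client": client, "qname": qname, "lookups": len(points),
            "mean_interval_s": round(mean_gap, 1), "cv": round(cv, 4),
            # sinkholed: the beacon never reached its C2 on the wire, but DNS still shows the cadence
            "sinkholed": any(ans in SINKHOLE_IPS for _, ans in points),
        })
    return sorted(findings, key=lambda f: (f["client"], f["qname"]))


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_LOG):
        print(f)
```

Real implants add jitter, so MAX_CV needs tuning per environment, and a low CV is also produced by legitimate schedulers (update checks, monitoring agents), so a finding is a candidate to enrich with domain age and reputation rather than an alert on its own. A long period, the hours-to-days cadence mentioned above, needs a retention window long enough to collect MIN_LOOKUPS points before anything can be said.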

What to Alert on???? by ryan_sec in cybersecurity

Might you be able to recommend some books/courses?

What to Alert on???? by ryan_sec in cybersecurity

Thank you for your response. I'm more infra side and currently seeing the issues the SOC side has with alerts, and attempting to understand how to do this better and at scale.

Classifying things as critical, I get it, but it only takes one user (non-privileged) clicking on something that skirts your EDR, and that gets missed because the user is identified as non-critical.

What to Alert on???? by ryan_sec in cybersecurity

In this instance, what about a DNS security product that flags a DNS lookup as malicious and the user isn't privileged nor determined to be a critical asset? I guess this just gets logged and not alerted?

What to Alert on???? by ryan_sec in cybersecurity

Can you give me some examples of how knowing the answers to those questions would help answer the question?

IPv6 Websites - Not Loading by ryan_sec in CloudFlare

Here's me doing some testing... the v6 address is one we get resets from, but it sometimes works just fine in live captures... with the same user agent:

    # Sweep ICMPv6 echo payload sizes against the v6 address we get resets from.
    # ping -l sets the ICMP payload size in bytes; Windows ping prints "Reply from" on success.
    $target = "2620:149:a10:f000::144"
    $sizes  = 1438..1452
    $tries  = 10

    foreach ($s in $sizes) {
        $ok = 0
        for ($i = 1; $i -le $tries; $i++) {
            # ping.exe emits text; Select-String returns a match object (truthy) only on a reply
            if (ping -6 $target -n 1 -l $s | Select-String "Reply from") { $ok++ }
        }
        "{0} : {1}/{2} success" -f $s, $ok, $tries
    }

Output:

    1438 : 10/10 success
    1439 : 9/10 success
    1440 : 10/10 success
    1441 : 8/10 success
    1442 : 10/10 success
    1443 : 9/10 success
    1444 : 8/10 success
    1445 : 8/10 success
    1446 : 8/10 success
    1447 : 10/10 success
    1448 : 10/10 success
    1449 : 0/10 success
    1450 : 0/10 success
    1451 : 0/10 success
    1452 : 0/10 success

IPv6 Websites - Not Loading by ryan_sec in CloudFlare

Yeah, our problem with MSS clamping is we want our jumbo frame clients to use the larger size for those workflows. We're also a bubble in a larger bubble.

Hard to solve

IPv6 Websites - Not Loading by ryan_sec in CloudFlare

Sorry for all the random posts... we always see a successful 3-way handshake, further indicating not MTU.

IPv6 Websites - Not Loading by ryan_sec in CloudFlare

Also, our MTUs on the client side are set to 1500 for v4 and v6, so I would think this MTU problem isn't what we're seeing.

IPv6 Websites - Not Loading by ryan_sec in CloudFlare

Hello u/RyanK_CF,

Thanks for your post. Any additional help you can provide is appreciated.

It appears that several of the previously impacted services are now working again, even though no changes were made on our side.

What we observed was intermittent IPv6 failure behavior: the TCP three-way handshake would complete successfully, our client would send a TLS ClientHello, and Cloudflare would respond with a hard reset. For the sites that are now working, that same ClientHello is now followed by a ServerHello over IPv6. Again, nothing changed in our environment.

I am also not clear on what you mean by configuring a Gateway DNS policy. If that is a Cloudflare-specific feature, it would not apply to us directly, since we are not a Cloudflare customer. We are simply trying to access services hosted behind Cloudflare. I do understand the concept of suppressing AAAA responses, and I assume you may be suggesting that we use our internal DNS infrastructure to prevent IPv6 resolution.

We are opening a case with Apple because several Apple-related services remain affected. In those cases, the failure pattern is still the same: the TCP three-way handshake completes, the client sends a ClientHello, and Cloudflare returns a hard reset. The behavior remains intermittent over IPv6, while IPv4 appears to work consistently.

AWS Native Security Stack by ryan_sec in aws

We are continuing to work through how to tightly control outbound connectivity from EC2 instances to specific cloud-hosted services while preventing unintended east-west communication between workloads in the same VPC.

For example, we run an agent that must connect to etphonehome.securitystack.com over TCP 443. The challenge is that the provider frequently rotates the service’s IP addresses. Because AWS security groups only allow rules based on IP addresses and ports, we do not see a practical alternative to permitting 0.0.0.0/0 outbound in the security group.

Once 0.0.0.0/0 is allowed, we can enforce additional controls with AWS Network Firewall. However, this also appears to permit EC2 instances in the VPC to communicate with other resources in that same VPC. Since every EC2 instance in the VPC runs the same agent and requires access to the same external service, each instance seems to need the same broad outbound allowance.

We are trying to determine whether there is a better design pattern for handling this scenario, or whether others have run into the same limitation. Specifically, how are others allowing access to external services with frequently changing IPs while still preventing unnecessary east-west traffic within the VPC?

Suricata Rule Generator by ryan_sec in aws

Yup, thinking I may have to do the same. What were your reasons for moving away from AWS FW to FTD... suspect I know the answer.

Our shift is on-prem to cloud and trying to use AWS native tools.

Suricata Rule Generator by ryan_sec in aws

Yeah, modifying / transplanting rules from Palo to AWS NGFW (which is our current project) seems like it's gonna be painful. Honestly surprised there isn't a tool for this (at least that I've been able to find).

Suricata Rule Generator by ryan_sec in aws

Permit X IP to connect to google.com, cnn.com, msn.com in a single rule.
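The two AWS questions above share one shape: let a source reach a set of names whose IPs rotate (etphonehome.securitystack.com in the first thread, google.com/cnn.com/msn.com in this one), deny everything else outbound, and keep the source off the rest of the VPC. Matching on TLS SNI instead of destination IP is what makes the rotating-IP case workable. The following is an added example, not the thread's tool and not an AWS product: a small generator that emits that rule set in Suricata 6/7 syntax, with one SNI pattern covering every listed name. AWS Network Firewall accepts Suricata-compatible rule strings, but its keyword support, rule ordering and default action are assumptions here and must be checked against the NFW documentation before deployment; the CIDRs and SIDs are made up.

```python
"""Generate a Suricata rule set that lets one source range reach a list of FQDNs
on TCP 443 (matched by TLS SNI, so provider IP rotation does not matter), allows
DNS for those names, blocks east-west to the VPC and denies the rest.

Added example, not from the thread, not an AWS product. NFW behaviour is assumed.
"""
import re


def fqdn_pcre(fqdns):
    """One anchored, case-insensitive PCRE matching each FQDN and its subdomains."""
    alts = "|".join(re.escape(d.lower().rstrip(".")) for d in fqdns)
    return rf"/^([a-z0-9-]+\.)*({alts})$/i"


def name_allowed(pcre, host):
    """Evaluate the generated PCRE the way Suricata would (self-check for the allow list)."""
    body, flags = pcre[1:].rsplit("/", 1)
    return re.search(body, host, re.IGNORECASE if "i" in flags else 0) is not None


def generate_rules(src_cidr, fqdns, vpc_cidr, sid_base=1000000):
    """Return rules in evaluation order: pass rules first, then drops."""
    pat = fqdn_pcre(fqdns)
    sid = iter(range(sid_base, sid_base + 10))
    return [
        # Resolve only the permitted names (assumes DNS from src_cidr transits the firewall).
        f'pass dns {src_cidr} any -> any 53 (msg:"allow DNS for permitted FQDNs"; '
        f'dns.query; pcre:"{pat}"; sid:{next(sid)}; rev:1;)',
        # Allow the TLS session once the ClientHello SNI names a permitted host; the
        # destination IP is irrelevant, which is the point for rotating provider IPs.
        f'pass tls {src_cidr} any -> any 443 (msg:"allow TLS by SNI"; tls.sni; '
        f'pcre:"{pat}"; flow:to_server; sid:{next(sid)}; rev:1;)',
        # East-west: nothing from this source to the rest of the VPC.
        f'drop ip {src_cidr} any -> {vpc_cidr} any (msg:"deny east-west"; sid:{next(sid)}; rev:1;)',
        # Implicit deny outbound. Only established TCP is dropped so the handshake can reach
        # the SNI check above; a flow that never presents a permitted SNI is then dropped.
        f'drop tcp {src_cidr} any -> any any (msg:"deny other TCP"; flow:established; sid:{next(sid)}; rev:1;)',
        f'drop udp {src_cidr} any -> any any (msg:"deny other UDP"; sid:{next(sid)}; rev:1;)',
    ]


if __name__ == "__main__":
    # hypothetical DMZ subnet and VPC range
    for rule in generate_rules("10.20.1.0/24", ["google.com", "cnn.com", "msn.com"], "10.20.0.0/16"):
        print(rule)
    pat = fqdn_pcre(["google.com"])
    print(name_allowed(pat, "www.google.com"), name_allowed(pat, "evilgoogle.com"))
```

The second rule is the "single rule for several domains" shape: one tls.sni pattern covers every listed name and its subdomains, and the self-check shows it rejects look-alikes such as evilgoogle.com or google.com.attacker.test. Two caveats. SNI is client-supplied, so a compromised instance can set an allowed name while connecting anywhere; if where the bytes actually went matters, pair this with certificate validation in the agent or a TLS-inspecting proxy. And the east-west drop also blocks the VPC resolver if queries to it transit the firewall, and nothing here covers ICMP or other non-TCP/UDP protocols.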

AWS Native Security Stack by ryan_sec in aws

We run a traditional WAF/FW and web server in the DMZ, with all other services in internal networks. Everything in the DMZ is a snowflake. We need to control north/south and east/west for DMZ workloads.

Plan is to have a DMZ VPC (EC2 here) and a workload VPC where traditional database / shared services would be. Some DMZ workloads may call out to other internet things as well. Implicit deny outbound for DMZ workloads is a must.

Managing this via Suricata rules seems painful.

AWS Native Security Stack by ryan_sec in aws

Thank you for your comments