AWS Monitoring with IFTTT

AWS Monitoring with IFTTT

Performance monitoring is two-fold. There is proactive performance monitoring and reactive investigation. The majority of my posts and case studies reflect the latter. This post is more related to the former. Services on premise typically rely on SLAs, NetFlow, scripts, synthetic transactions and more to provide monitoring and alerting. While some of this is possible in the cloud to keep track of specific pieces, you first need a good foundation by knowing if the underlying technology by your cloud provider is operating as expected. In this example, I will walk through setting up an alert to monitor individual Amazon Web Services and send a notification using an IFTTT applet.   Create the Applet Before creating an applet/recipe, you might want to see if one is already available with the functionality you need in IFTTT's discover section. If one isn't available, you can create one following their instructions here. I will skip the step by step that they provided, and demonstrate how you might...
Read More

Case of an FQDN Issue

The phrase, "I can't access my shared drive" was intermittent, but becoming common for a remote location connected via an MPLS circuit. Without hesitation the finger was pointed at the network and my phone rang. People connect to shared drives everyday, but it is one of those things they take for granted. Behind the scenes there are many layers of technology, protocols, and devices working together to make those connections happen. I can’t count the number of ways to hinder performance of a network share or prevent it from working altogether. *SPOILER* If you’re like me and you like to know the big picture first, the problem in this case was DNS. Read on for the details, or just know a great test is to place a ‘.’ at the end of your DNS path. To kick things off I asked for a screen shot of the error. This is what I received: Obviously, this was not very helpful (are error messages ever?)....
Read More
AWS Cloud Practitioner

AWS Cloud Practitioner

My career has recently shifted directions. While I still have a passion for network performance and the apps that run on the network, my focus will be directed towards the cloud and the future of application performance. More specifically, I will be specializing in AWS technologies. To start that journey, I achieved the AWS Cloud Practitioner certification. I felt this certification was another test that was well done. It was a good entry level test, but still reinforced the knowledge Amazon feels you need. It has a good blend of introductory content and challenging material. I was able to achieve it with two weeks of evening study. If you'd like to pursue it as well, here are the resources I recommend: Amazon's training Amazon Whitepapers A Cloud Guru ...
Read More

Synchronize Wireshark Profiles

As mentioned in this post, you can create and share custom profiles. However, that is not the extent of profile management. Another great way to utilize these files is to synchronize Wireshark profiles between systems. In this day and age you probably have more than one computer (laptop, VM, home desktop??). Also, if you’re like me you probably have Wireshark installed on anything you can get your hands on! It can be a bit of a pain to keep your favorite Wireshark settings such as protocol options, coloring rules, and saved display filters up to date with each Wireshark installation. Using Dropbox (or a similar service) you can easily keep your Wireshark profiles in sync on all computers. All that is required is another quick and easy modification and a shared storage location; whether it be a local storage drive or cloud storage. The pertinent folders are shared in the previously linked post as well as in the Wireshark documentation....
Read More
Share Wireshark Profiles

Share Wireshark Profiles

As mentioned in this post, Wireshark is easy to customize and even provides the ability to share custom profiles. Just about everything that can be modified can be shared. I outlined several of those items in the linked post. Wireshark uses files to store the config items located in a couple of key places. The ones I have shared below are all contained in the "Personal configuration" directory. To get sharing right away follow these steps: Open the "Help" menu Click the "About Wireshark" option Select the "Folders" tab Find the folder that contains the file(s) you want to change Copy or share that folder Place the respective folder(s) or file(s) into the same directory on the other install The next time you open Wireshark you'll have access to the new profiles Shared Profiles Here is my...
Read More
Wireshark Profiles

Wireshark Profiles

  One of the great things about Wireshark is the completely customizable interface. Users can change the layout, column settings, protocol decode options, add/remove buttons, change colors, add/remove filters, and more. There is a lot of documentation on how to even write new protocol dissectors. Due to its open source nature and the active development community, one can modify the code and/or participate in its official development. What this means is no two instances of a Wireshark install have to be the same. Analysts can mold the tool into exactly what they need for their particular job. This is all done through the use of profiles.   In fact, a single install can have multiple profiles. This is useful to tailor different profiles to specific protocols or troubleshooting scenarios. For example, one profile could be used for troubleshooting web traffic and another could be used for diagnosing wireless issues. I currently have about 10 profiles ranging from a minimalist view to one specifically for...
Read More

Problems After Updates?

One of the most common problems any IT admin faces is a software update. While software updates are generally considered a good thing, because they patch security flaws, fix bugs, try to improve performance, and more, they are also a common source of problems. Every admin knows to be ready for calls after a scheduled maintenance window. This issue was no different.   A ticket came in stating users could not access a web app through the backend system after an upgrade to Java 1.7. The server, java, and app logs all looked ok and appeared to be running properly. Also, interestingly, the web app worked when accessed directly from a web browser. This sounded like a perfect opportunity for a quick packet capture and analysis. Here is what was produced:     *Note: In order to maintain the SSL session info I could not anonymize this, so I'm just using a screen shot instead of sharing the capture on CloudShark.   I've done quite a few...
Read More

Using Fiddler to Fix Issues

I've helped many users who say Fiddler has "fixed" their issue. Unfortunately, this is a bit deceptive. Fiddler is an excellent debugging tool for web apps, but it does not permanently resolve problems. What it does do is act as a proxy with its own connection settings. This allows it to act as a "man in the middle" and even decrypt the traffic to provide better more insight into application behavior. Sometimes, this is just enough to correct the underlying problem and give the illusion that all is well. This can be very frustrating when trying to find and debug the problem! I have personally seen Fiddler "help" with the following: Proxy issues TLS versioning SSL cert problems Telerik themselves have a great post on this here outlining the technical details and corrective actions. If you do any sort of debugging with Fiddler it's worth a read. Side Note: If you help end users, but...
Read More

Case of the Large Header

Just because you can do something doesn't always mean you should. One such example of this is using large HTTP headers. While the HTTP specification itself doesn't set boundaries, most web servers have default limits around 8 KB. Other devices in the path such as firewalls/WAFs, proxies, and load balancers also have similar limits.   Problem The application testers were receiving a reset error. Their application and web server logs did not show any problems.   Analysis The first question asked was, "If the web server isn't sending the reset error, what is?" In this case we found there were several devices in the path including a domain firewall and a load balancer. The firewall admin saw two-way traffic hitting an accept rule and passing through. That left the load balancer. The load balancer admin confirmed via a packet capture that it was, in fact, sending a reset near the end of the TCP stream. Why would the load balancer send a reset? A load balancer does exactly that....balances...
Read More

Packet Threat Analysis

Everyone needs to do some housekeeping at different points, and I figured it was time I did some a basic security sweep of my setup. To get started, I performed a quick packet capture on the very server that hosts this blog. I decided to give one of CloudShark's newer and more distinct features a spin with my recently created account; their Threat Assessment tool. I thought it would be interesting to pit this against PacketTotal as well. These are both great tools with similar, but also different purposes. At the time, I had SSH and web ports open along with a few other unused ports for various common services. The only true security measure in place was a few basic iptables rules.   CloudShark What I Liked: Up front, quick severity level rating dashboard Brief descriptions of issues which helps puts everything in laymen's terms World map view Privacy settings ...
Read More