Highlighter Super Users Series: Post 2

Back in November I published the first interview from the Highlighter™ Super Users blog series.
My goal with this series is to shed some light on all the great
things that can be achieved using this freeware tool. In part 2, I
interviewed toolsmith author and HolisticInfoSec.org
webmaster, Russ McRee.

Super User Interview #2: Russ McRee

Russ McRee is the author of ISSA Journal’s toolsmith series and runs
HolisticInfoSec.org. In October 2011 Russ contacted me to discuss
Highlighter in that month’s issue of the ISSA Journal, and later for
the nomination of Highlighter for the 2011 Toolsmith Tool of the
Year. As someone who has analyzed Highlighter’s effectiveness as
a forensics tool for his own articles, I asked him to answer a few
questions based on his experience with the freeware tool.

  1. Name

    Russ McRee
  2. Realm of work

    Security Analytics (security incident management, security
    monitoring, attack and penetration testing).
  3. How did you hear of Highlighter?

    I watch the websites and check for tool updates.
  4. Do you know of any other tools that do what Highlighter does?

    Log Parser, Log Parser Lizard, Log Parser Studio, Splunk
  5. How do you normally use Highlighter?

    I mainly use Highlighter for log analysis, forensic
    investigations, demonstrations and research (see http://www.youtube.com/watch?v=w0uOCOINrWY
    and https://www.sans.org/reading_room/whitepapers/logging/evil-lens-web-logs_33950).
  6. Can you describe one scenario in which Highlighter helped you
    find evil and/or solve crime?

    I had a recent mysterious case of core utility files and
    binaries gone missing from very important infrastructure
    management servers that initially looked malicious and
    intentional. Using Highlighter for analysis of Windows event logs
    led to the discovery of a sync job gone awry (misconfiguration) in
    the Application log via time stamp matching and keyword
    highlights.
  7. On a scale from 1 (worst) to 5 (best), how well does
    Highlighter address your use case(s)?

    4
  8. What is missing from Highlighter for your use case(s)?

    Word wrap option
  9. What is one Highlighter feature addition that would serve the
    Information Security community best?

    Potential DB support
  10. Are you aware of, or have you used, any of the following features:

    • Activity Over Time feature that lets you view log data as a
      function of Entries Per Day

      No, I was not aware.
    • Hotkeys feature

      Yes, I was aware of this feature.
    • Ability to change basic font settings for your output

      Yes, I was aware of this feature.
  11. Have you ever seen Highlighter used in such a way that your
    eyeballs melted from all the Awesome?

    My eyeballs melted from the awesome when I stuffed
    Highlighter with a 2.44GB Swatch log file during large file
    testing while writing October 2011’s toolsmith. It took a
    little time to load and format (to be expected), but it handled
    24,502,412 log entries admirably (no choking). I threw a query for
    a specific inode at it and Highlighter tagged 1930 hits across 25
    million+ lines in ten minutes.

Keep an eye out for
the final post in the Highlighter Super Users Series. If
you’re interested in sharing your own experiences with this tool,
please let me know by commenting below.
