
to say so I'm gonna forget half of it but uh thanks everybody for coming thanks to the sponsors right here if you haven't entered the raffle yet there's a raffle out there I think you can win a GoPro or a Fitbit or both if it's your day there is a feedback form online so if you want to leave some feedback go online I think that's about it so let me introduce our next speaker Travis Smith he's from Tripwire and he's going to talk about Sweet Security thanks everybody so my name's Travis Smith I'm from Tripwire I'm on our security research team although I'll be talking about stuff completely not related to Tripwire so I'm glad that they gave me time to do
this today so let's just jump right into it cuz I think directly after me is lunch so so first off why I really got into the research around all of this the first step is Tripwire was acquired by Belden about a year ago a little over a year ago maybe and so they are heavily in the industrial space so they came to me and said you know what do what does Tripwire do that we can you know play into this market of the you know is it a good fit is it you know any additional stuff that we need to do and so I'm like all right well let me look into it the other part was I went home and you know
I'm looking at all these things that are on my network and you know are they safe are they secure you know is my you know can I install antivirus on my toothbrush or you know is my door lock safe from Shellshock right these are all questions that I had when I'm looking around and you know when I started getting into it I realized that you know there's so many things both that are applicable to both the Internet of Things world as well as the industrial world you know the ICS versus IoT and the big thing is is that these are either outdated systems you can't install patches patches aren't available you can't even install security tools most the
time and even if none of those are the case and they are up-to-date systems and you can install patches and you can install security products sometimes you can't or you don't want to you need uptime or you need to maintain operational stability in the environment and you just don't want to take that risk right so really this is all about protecting the unpatchable right so that's across all these environments and that's really what I want to get into today and that's what got me into network security monitoring and deploying a bunch of security tools on a very small form factor that can be used in either small environments like your home a small business or even you know
potentially up into larger environments so what I wanted to do is install this on like I said a Raspberry Pi I had one laying around had a model B+ and I really didn't want to take it off my network at home mainly because it was running what I saw a software called RaspberryPints which is a digital tap list for my kegerator and I just couldn't sacrifice the beer right so I bought a new one luckily last year I guess two years ago now the model B2 came out which has a lot better more processor more memory all that good stuff so there's really lightweight what you need the motherboard which is the Raspberry Pi 35
bucks a case a power adapter memory cards eight gigs is about all you need obviously more is better as I'm gonna get into later all said and done 50 60 bucks and you're good to go as far as hardware goes from the operating system standpoint there's a couple different options especially when you're looking at Raspberry Pi devices so what I use is Raspbian which is a Debian variant very similar to Debian if you're if you've ever used it before is a simple install ready to go NOOBS is another option that's New Out Of the Box Software there's essentially just an easy way to install the Raspbian gives you a guided tour all that kind of good
stuff really good for noobs right the other option is Ubuntu MATE I've never used this but it is Ubuntu so it's very Debian-ish like you could probably use it and another interesting one that I would like to play with eventually but definitely out of the scope of this project is Windows 10 right no way don't use it not because it's Windows you know have anything against Windows but a lot of the tools I'll be discussing today are Linux only pieces of software so you don't want to don't want to use it but if you are gonna use it go ahead so getting into it so the protection that I wanted to do is
network security monitoring the tool I used is Bro IDS there's a couple options don't get into that but when you're looking at these types of environments the attacks that are going against them they're all for the most part gonna be network based attacks right so the attacker needs to you know exploit you across the network obviously there are cases where they be not on the network and then if they are gonna actually exfiltrate data off of you right they're gonna probably get that across the network so there's you know data going across the wire that we can monitor so we can do packet captures and just monitor all these packet captures and look at them like we're looking at
right here but nobody wants to look at packet captures all day and monitor them so that's why I like Bro IDS what it does it sucks in the data it's an NSM IDS/IPS whatever you're gonna call it and does a full OSI layer inspection of all the traffic that goes across so it does typical IDS stuff you know looking for known exploits pulls out the relevant metadata from all of the packets so you get things like your DHCP traffic and HTTP traffic SSH SSL traffic so I can pull out certificates if you know it is actually in line and can do that type of stuff and then especially around the ICS and environments it does DNP3 and Modbus
supports a little bit lagging in those if you are from an ICS type environment but it is an option that's there and it does allow you to write your own rules for it so what they call Bro code you can be a programmer and write your own rules for it and I'll show you how to do that in a minute but so there's things the bottom two that I've listed there that you're in bold kind of see that the Intel and the notice log that's where all of the you know custom stuff that we're gonna be looking at some cool data that's in there so when you install it obviously there's just a few dependencies you want to install you
just download the source you configure it you can put it anywhere any directory you want and you do miss that one you do a make and you just wait and wait and wait and wait so the on the model B so the older one it took three hours for me to build this software the newer one is about 45 minutes so if you do this go out have some lunch have a beer have coffee and come back and then you know wait a little bit longer and then do the make install and you're good to go so once it's installed obviously we need to monitor the traffic right so the Raspberry Pi ships with just one
physical net card hard wired card so there's a couple different ways we can do it the first is set it up as a gateway the advantage there is you don't need to buy any additional hardware very simple to do do some configuration in the Raspberry Pi the downsides is one that it's not directly in line with your traffic so attackers can potentially bypass it if they know it's there they could just use the real gateway and avoid yours altogether the other is there's possible performance implications about using this in line right so it's a Raspberry Pi it's small it doesn't have a lot of processor power behind it I did run tests on my network at home so I
have all this set up at my house I did speed tests didn't notice any difference before after I have this in but if you're doing you know a lot of Netflix and a lot of downloading and a lot of streaming that might be an issue the other option is a SPAN or a mirror port right so if you have this at your home you probably don't again no additional hardware needed the attackers can't bypass it if you have it all set up correctly right because all of the traffic would be going out the SPAN port and the Raspberry Pi isn't in line so if you do have performance implications that's not gonna happen the downside right if we're you know
we're talking about us at home using it your network router probably doesn't have that feature enabled maybe it does then the final one is to set it up in line right the downside is you have to buy an additional network adapter for it right cuz it comes shipped with one does have 4 USB ports so you do have that option again the same performance possibility implications with it and that's about it so we have our device set up we have Bro installed and there's a really cool feature service that's available that we can do threat intelligence for free right so that's from Liam Randall and his Critical Stack company and they provide a service that
is a point-and-click integration with threat intelligence so you sign up and it's all free you go to their website I think it's intel.criticalstack.com and just choose which integrations you want so you can pull down things like Tor exit node IP addresses known command and control servers known phishing addresses and on phishing emails known there's a ton of them and then you just install your agent alongside of it and you're good to go so what does that look like so we just have an agent you install it the agent knows you just give it your API key it goes it pulls from over a hundred different threat feeds that are available and they have well over a
million different indicators of compromise that are in your environment and it converts it all of that into actual the Bro code that gets injected directly into Bro itself so very easy to get set up and be able to monitor any traffic on your environment all right very easy to do as of mid last year so I work very closely with them because they did not have an ARM-based agent for it and that's a lot of problems with installing some of these security tools on the Raspberry Pis they're all ARM based so they did release an ARM-based version for me it's on their website you just install it give it the API key that you get when you install and you're up
and running it does everything automatically in the background so highly recommend checking out that service so now that we have all of that data there we need to do something with it so what I like to use is a service called Logstash Logstash is an open source log management product that's from Elastic.co so it's part of what we call the ELK stack being E as Elasticsearch L as Logstash and K as Kibana and we're gonna use all three of those today so the first one is Logstash from a very high-level architectural viewpoint it's very complicated crazy right so you take a data input you do something with it on the filter plugin and then you send it
somewhere alright very novel concept so let's dig in and see kind of what that looks like you know under the hood so the three levels we have inputs filters and outputs so in the inputs we have I think now there's a well over 40 different types of inputs so if you're on the Raspberry Pi you can do things like local files set up a syslog collector if you do have other network devices you want to bring it into standard in if you want to just if you're debugging and troubleshooting and want to play around with it over the command line so take all that data in then it sends it to its filter plugin there's a ton of different plugins here
the ones we're gonna be using today are grok grok is going to be normalizing our messages so pulling out the who the what the when the where and the why all of those out of the message and then when we get things out of there we can add it to some of the other plugins so we're going to do some GeoIP stuff some translation which is really cool and some of the date filtering stuff that might not seem apparent if you're gonna set this up yourself then you can send it out somewhere so Elasticsearch is really what it's built for but it can do so much more right so if you can set up as
a syslog forwarder to just forward on the relevant information that you care about I have it set up to send me email alerts for some specific things and I'll show you in a second standard out does other relational databases PagerDuty if you're using that kind of thing so a lot of different integration points for Logstash so it's not a just one to one translation of what the filters we can use as many as we want so we can do you know multiple different inputs multiple different filters multiple different outputs doesn't matter handles it all really well so here's what we're gonna do like I said we're gonna utilize some custom patterns and that's really the
normalization engine of what it's pulling the relevant metadata out of the logs that we're looking at the grokking is the actual normalization of that we have some custom fields that can give us some more context around the data GeoIP some stuff and then do some date matching and translations for some additional threat intelligence so first step is installing the database so Elasticsearch is the database very easy to install this is the Debian package download it install it they had their Elastic.co conference last week and now they're on version 2.2 so I thank them for giving me a new version before my talk today but the previous versions you had to configure a cluster name in the elasticsearch YAML file
which is this in the /etc directory I don't believe you need to do that in version 2 to it 2.2 but if it's there you might want to change it otherwise by default it will go through and connect to other ones if there's no security in place so I did some you know setup on my network at work and was wondering why my brand-new Elasticsearch instance had a ton of data in it and since because they started talking to each other and I didn't set up any security the second component is Logstash again very easy just download the data unzip it and you can to see here as a sample configuration looking at just
one standard in one standard out problem is is that there's no FFI available for the ARM instance so we need to get around that to begin with so do that need ant to build it so you need to first get ant you need to get the FFI from GitHub links here go in there build it then copy the code to Logstash and from there packet it package it all up together rerun the command and you're good to go right so there's one little spiny small little detail that you need to watch out for if you can install Logstash on your Elasticsearch cluster final one is Kibana so Kibana is our visualization engine for the ELK stack
just download it unzip it run it and you have another error so we need another the Node.js for ARM so let's download it repackage it put it into your Kibana directory and you are good to go soon that's all done said and go we have a nice pretty Elasticsearch that we can start doing stuff with now the next step would be is we're going to dump a ton of data in there we can do index searching and things like that but we want to add some metadata and actually normalize the messages so here's a very simple command sorry Logstash configuration file so Logstash is controlled by a set of either one or many configuration files
so these can put you can put all of these in one directory and it will just suck them in and add them in alphabetical order right so you can have what I do when I have a highly complex Logstash configuration is I just put my input in one configuration file and its have zero underscore input my output as nine underscore output and then I do all of my filtering in excuse me anywhere between two and eight so here we're just looking at all of the logs in the Logstash directory so that would be you know star dot logs it does support asterisks and then outputting em to Elasticsearch and again we have our
cluster name down there if that is necessary for our environment so here's a sample normalization for an Apache access log so this is just taking in the message right so that's here on the left and trying to normalize it in this so it's taking something that looks like an IP and putting it into the client column and then taking something looks like a word putting into the method column so on and so forth and if it all matches then it's gonna pass it off to the output and outputs gonna put it wherever it needs to go not entirely useful when we're looking at Bro data so what we're gonna do is we are going to put all of
our normalization stuff in its own custom directory so we're gonna create a folder called custom patterns and then put all of our stuff in there so the configuration files I have is I have the full log normalization message one per line and then I give it a what I call a rule ID so in this case I'm gonna have a rule ID called two nine one zero zero nine and put my Bro code in there not Bro code normalization so here's what that looks like right so I have a rule called wrote rule and you know concatenates us here but this would all be one line saying two nine one zero zero nine space and then all of my message here so this
is pulling out things like start time UID source IPs destination IPs ports description seen where so this is gonna really depend on really what your normalizing so if this is Bro it's all comma separated so it's pretty relatively straightforward to normalize if you get into more complex log formats this can get a little bit tricky but here's an example of what it is and I have all this stuff available I'll give you a link in a minute so now that it's in there what I do is I wrap all of my configuration in if-else conditional statements so what I have here is a conditional statement saying if the message looks like my huge long regex
then go through and do my grokking if this looks confusing you don't know how this would work it's actually relatively simple so on the bottom down here we have the rule message okay and all I have to do is this take off the rule ID and then I remove all of the capture groups and then just put the regex up top so relatively simple you could do this with some scripting and it'll do all of your code very simple for you so now that we're here the reason that we do these if conditional statements is to do the use the add field functionality and there's a few reasons why I like to do this one is I
can add additional context drawing messages so right here I'm adding a device type action and status so these are the CEE common event enumeration I think that's right the stuff originally done by MITRE things like you know what a login or a logon or authenticated might be you can normalize it into one actions same thing around status it's kind of the core of what a log management product would do and the second component is doing the rule ID and the reason I do this is I can make Logstash be more performant for me so it's a top down normalization engine so it's going to match every single message from the top down until it finds a match so by
doing adding a rule ID to all of these messages I can continually run a query against my Elasticsearch database and see what the most commonly used normalization rules are and bubble those up to the top of my configuration engine so it doesn't have to do the computationally expensive regular expression across all of my logs so it makes for a happier Logstash so if we are doing IP addresses the geoip function in Logstash is really nice it allows you to just look up a GeoLite City database that would be local on the you know on our Raspberry Pi in this case and provide a set of coordinates to it so here I'm looking up a destination
IP address and if I find a match in my database it's gonna add all of these fields so longitude latitude city continent country postal code to a geoip destination target and this would be another field in my Elasticsearch database so Logstash does ship with one geoip field that you can use and I think this is called geoip so if you have multiple ones which most often more often than not you will have right we're gonna have source IPs or destination IPs proxy IPs you're gonna want to update your cluster so we need to add a new template to the Elasticsearch database to figure that out so the way we do that small so
there's a curl command that we can just actually get our template and here's what it outputs so I have to do is just remove some of the key fields so just remove the name logstash the order so if on the left you can see there's the geoip cluster on the right I changed that to geoip underscore DST for my destination geoip so we can add as many of these as we'd like so we can do things like geoip source or geoip proxy and you know you can do as many as you like and and just push it back there so then that's just another curl XPUT command and you just just do dash D and then add
that huge long string there so pretty straightforward and easy to do then the final one is something that might not really seem relevant when you're starting this up on yourself and that's doing the date matching functionality so if you're collecting data in real time this is an issue right so in a logging perspective we have two times we always have collect time and we always have event time right so there's usually other but those are the two main ones we always look at when we're talking about logs so if you're collecting in real time the collect time is usually the event time there are cases when the collect time is not the event time maybe you're
doing batch collection of files the file is only collecting every five minutes or in the case of Bro it's really nice about Bro is that you can feed it packet capture data so if you have an event that you are curious about you pack do the packet capture off and then you can take those pcaps offline and feed them into Bro right so without this date matching you would just get a huge spike of data as soon as you input the data but if you do this you can then match the time that's from the packet capture and then you get a nice histogram and the Elasticsearch and gives you count the time context around
there so nice little gotcha if you're doing any forensics data the last one is the translate plugin so this is the really fun plugin for me so what I do is a translation of field that I'm normalizing so in this case I'm normalizing a destination IP field and then looking up whatever I find there in a YAML file so I have a right here of an IP YAML file and I feed this with malicious IP addresses so if I see IP address one dot one dot one dot one and destination IP and I do see it in the IP YAML file I can then put a value inside the malicious IP field so what I do is I
just put the feet of the word yes in there so I can then do later queries to say is malicious IP equal yes and if that is the case then I know I have some type of security event that I want to take a look at so what goes in there what does it look like this is a dictionary hash so just some value : another value so IP addresses and file hashes so IP addresses file hashes websites email addresses so those are the four that I primarily use and just put the word yes next to it and I just put it into a malicious something field so that's a what Elastic.co calls a community maintained plugin so it doesn't
install by default so we can just do a quick install of it and it will install for us and then here's this kind of example of what it looks like and a couple different external sources that I use so one is a from Tor Project that is just a list of Tor IP addresses another one is a list of malicious known malicious IP addresses and we can just scrape that website pull down the list format it into our YAML file and we're good to go so Logstash will reingest that YAML file every 300 seconds every five minutes so if we can you know repopulate it more often than that we can set a parameter to shorten
that or if you don't you know if you do it less you can make it longer you'd be good to go so going back to here so I I populated on a virtual machine on my desktop and I had about roughly a million IOCs between IP addresses and file hashes and that's when Logstash completely fell over but I didn't have I didn't tune it I didn't you know mess up the JVM at all so it is possible if you have a lot more than that if you're doing a massive IOC database that you can tune the JVM or add more memory or add more processes things like that but on a Raspberry Pi I probably wouldn't
recommend putting a thousand or a million uh IOCs in there so one of the reasons why I do this one is I can search for it later another is I can get notified so I'm using here the email output plugin so not only is it outputting it to my Elasticsearch cluster I'm also getting notified so anytime at my home I typically don't do a lot of Tor networking at my house if any of my devices are connecting to a Tor network I can get an email automatically right so we can do things like known Tor IP addresses malicious IP addresses any file hashes and then just get very quick email notifications you
can kick off your thing so on the bottom you see here HTML body that's not a variable what that looks like is it's something like this very simple it can do HTML or just raw text I'm just set it up good to go gives me the information that I need immediately and we're good to go so here's the email alerts that I do set up automatically so I guess that Tor IP addresses is malicious IP addresses malicious file hashes so those are all things that are coming from my YAML files that I'm doing through the translations the Intel and the notice logs from Bro those are the things that are primarily fed by a
Critical Stack so if Critical Stack is telling me that something is bad I want to pay attention to that I also do some GeoIP emails there so things coming you know to or from China or Russia I don't generally don't do a lot of browsing of those services but obviously attribution is as easy as an IP address now so we can do that and then some device specific whitelisting so I did a I put all my machines in learn only mode and I just monitored the traffic for a few weeks and looked at what everything was communicating to so but you know my fridge or my TV or my thermostat generally only communicate to a very
small handful of IP addresses so if you know it's usually for updates or for control of the device you know when I'm out and about they typically don't change those IP addresses very often so if something is outside the norm of those I can set up alerts to see if you know something fishy is going on so here is what we're at we end up with so here's the Kibana dashboard from the Bro data fed with years and years and years of malicious pcap data so we can see interesting things like spikes in the histogram on the top pie charts which everybody loves it gives you some pretty cool context what I really love about
the Kibana interface is that it's very interactive and you can zoom in and out of the database to give you context so if you so on the left here I have the destination IP addresses or source IP addresses so these could be things like your internal devices and you know maybe you can click on you know the green one here that might be or you know your Xbox whatever and you can click on that and that'll reframe the entire dashboard and in the context of just that what you just clicked on so it gives you ability to zoom in or out and kind of see what's going on here is a feed of that same set of data except
with the context instead of show me all the data it's just saying show me everything that I know is malicious so as this is everything that went through my threat Intel feeds and got tagged as yes as malicious so I can do things like my geoip map the IP addresses to see where they're at see if they're coming you know from nefarious places online see which of my devices may be communicating there and you know potentially address that kind of type of information again just a bigger geoip map gives you a little bit of information on what you are seeing on your network so that's a lot of text and a lot of configuration it might be well
above your head it might be so easy to you're like I don't even want to do it I put all of the scripting on there on my GitHub page so I can go here I have scripts that will all you have to do is just give it your Critical Stack API key and it'll install Bro Critical Stack Elasticsearch Logstash Kibana and configure them all for you might take a little while but it will do it all for you so recommend doing that if you're interested in setting up this environment so here's what our environment looks like so we have our devices on the right thing you know all of our IoT devices or this could be
industrial devices your your enterprise network going through Bro and out to the Internet so Bro is fed by Critical Stack which is fed by other third party sources things like PhishTank OpenPhish Malc0de you know they have a ton of different ingest points output to Logstash and then we can set up our reporting a workflow off of that things like just output it directly to our Elasticsearch or actually set up alerts to our email phone PagerDuty and actually let us control our environment better than we could have before alright but that's not enough right I had to put a picture of Leonardo DiCaprio since he won last night so there's more that we
can do here right so this is very defensive and you know what's happening to me what you know but you know obviously we like to do a little bit more we might want to get a little bit more offensive on it alright so we can do things like set up our Raspberry Pi to do network scanning so I can just do very quick nmap scans across my entire network and see new things are that are going on there so what mine is doing is this every minute it's just doing a ping scan seeing what's on there and if anything is new it adds it to a SQLite database that I can use and
interact with later but then it just also emails me saying something is coming up here I kind of live in the country so this isn't a big deal for me but when I lived you know here in San Francisco years ago and I in a very popular populated apartment complex this is something I was very worried about somebody getting onto my network and and you know stealing my data right at least my bandwidth so again on the Sweet Security page on my GitHub page I have all of the ability to set up the nmap scan and do all of that so when I see new devices I can ingest it directly into OpenVAS which
also runs on the Raspberry Pi so we can just install the dependencies get up and running so the libraries the scanner the manager CLI stuff we'll need so we can interact with it programmatically as well as Greenbone so we can I like I'm a visual person so I like the you know the actual GUI it's not that difficult to do but there's scripts on the Sweet Security GitHub page if you want to install that as well one thing to note it works but it's very slow even on the new one it's it takes a while to do a scan of my environment so I think I have setup here right so what I do is I do a full and
fast scan of my entire network or sorry of any new devices and it takes a while it'll take on my network of well over an hour to finish any scans so if you are setting this up I would recommend probably deploying two Raspberry Pis do one for the Bro IDS stuff or another one for some more offensive stuff and will be a probably a bit more performant so when I see new devices I just get a quick email alert that's you have some just simple SMTP emailing from the Python scripts I have one there so there are some commercial options available that do a lot of the same things - you know some actual
vulnerability scanning and things like that Trend Micro has some medieval-looking routers that will do we call AiProtection at least what they call AiProtection which is a web service from Trend Micro so that just does something very simple like I visited website talks to their website is you know their service is the service safe yes it is you can go you know on the other side is this service safe you know it's not it's dangerous don't do that and they'll block it right so they do you know a huge list of things that they're you know looking for in their service they also have what they call Auto patching which is interesting so somebody attacks you they say you
know, over the network, and the router patches all vulnerabilities, which is amazing, that they can patch a vulnerability over the network, right? What that is doing is deep packet inspection, so they're just doing NSM, right? So it's the IDS service they have there, but the marketing people like to have fun, I guess. So these are the devices that you can install that on, a bunch of the RT-ACs. They are quite expensive unless you get down to the 56U, which doesn't really do a lot. So I mean, if you're looking at three, four hundred dollars to deploy one of these, and you could use Sweet Security for 65, it's a little bit more
financially better, at least for me it was. So there's some future work that goes here. Number one is Raspberry Pi released the Model 3 today, which is great timing. So that one's gonna have a 64-bit processor; it's ten times more performant, I believe they said. That also includes built-in Wi-Fi, so now you can have two network cards on there built in; you don't need additional pieces. So since it is 64-bit, I think they still don't release a 64-bit OS, I think they're still relying on a 32-bit, so all of the code should still work just fine. Once they go to 64 there might be issues, but we'll let future us figure that out. So I'm looking into how I can integrate
this with some of my third-party firewalls, so if I can communicate with my actual firewall, my home network, and say I'm seeing these types of threat intel, you know, and be proactive about it. So if I know that this malicious IP is bad, don't tell me that I went to it, you know, just block it for me. And, you know, it's potential we can do that with iptables on the Raspberry Pi itself, if it, you know, is inline instead of on a SPAN port, and just block the communication at that point. So it's interesting to go a little bit less proactive, or a little less reactive and more proactive, by the way around. The
other one is Security Onion. So Security Onion has a ton of cool tools that I haven't really had a chance to play around with on, you know, the ARM architecture of the Raspberry Pi, so I'm not even sure if they will install. So I'd be curious to know if any of you guys has done that. So they do a lot of the same things, like, you know, Bro and some of these other things: ELSA, Snort. I chose to go Bro over Snort for performance reasons. When Snort was installed on the Raspberry Pi it just completely knocked it over; I couldn't do anything on the Raspberry Pi after that. So Bro is a little bit more
performant. And then Kali Linux also installs on Raspberry Pis, which is interesting and fun at the same time. So they do have an image available you can download, install and deploy on a Raspberry Pi, so we might be able to leverage that in the future and be a little bit more offensive with our capabilities if somebody's coming onto our network. Yeah, so that's where we're at there. So that's kind of what I had for you, and I just wanted to, you know, this isn't the end of the discussion. I really want to know kind of what you guys think about, you know, how this would deploy in your networks or, you know, future work that you might want to see
around this environment, and that's what I have, so the floor is yours. [Applause] Yeah, I think we have a question down here. I may have missed it, but I didn't see how you were handling the problem of dots in Bro's logs and Elasticsearch's failure to report this since Elasticsearch 2.0, I think it was. The 2.2, well, I guess since 2, they don't deal well with dots in field names. I missed how you were, was that in your normalization code that you were getting rid of those in Bro? So this question's around Elasticsearch 2.0 and their ability to use fields, right? Is that, is
that, yeah? Yeah, yeah. All right, like I said, I haven't had a chance to play with 2.2. You know, obviously they just released 2.2 last week, so I haven't had a chance to play with it. The stuff that I'm using isn't using, you know, that type of functionality; it's using my own custom stuff that I define. So if there are issues with, you know, formatting and issues like that, we can easily work around it. It's not that big of a deal; it's just configuration at that point. Any other questions, comments, concerns? Yeah, let's talk after, I'll get that information. Okay, no more questions. Well, Travis, thanks for, that was a pretty sweet talk. On behalf of, thank you. You
can let us know if there's any malicious traffic once you put that on. I will. So if there's no more questions, thanks once again. that's all you guys get back too much