Monday, October 31, 2011

Automated Teller Phone Phishing

Early this morning I was awakened by my ringing cell phone.  When I answered it, I was greeted by an automated teller stating that my Wells Fargo debit card had been disabled.  The cause was due to potentially fraud activity.  This of course was highly worrisome as I can now not use my non-existent Wells Fargo debit card.  Subsequently I hung up on the automated teller while swearing at it and throwing miscellaneous items around the bedroom.

This is all well and good until I received another call a bit over 10 hours later stating the same thing.  This time though, I decided to play along.  To play along, I had to enter a 1 to be immediately transferred to debit card security services.  Upon selecting one, the same automated teller stated that it would require four pieces of information from me to re-activate my card.  The first was the last four of my social, duly entered "6666".  The next was the full 16 digits of my card.. I could not get past this point as the automated teller was checking for at least basic validity of the card.  Note that I am prepared now though and have generated some bogus numbers that I will enter.  I'll also record and post said recording.

The automated teller clearly sounds like a generic asterisk type.  That said, I'm gonna actually try to post some more useful security and BSD stuff!

Monday, March 28, 2011

PulledPork 0.6.0 the Smoking Pig, He's on Fire!

It has been some time since I posted anything at all, I had considered adding "relevant".  But that's simply not true, since it's been dead air for a while.

Having said this, I am pleased to announce PulledPork V 0.6.0 - the Smoking Pig is finally released as of, well, right now!

This version represents a decent amount of time spent improving the core of the tool to enhance speed, a large number of feature enhancements and also not an insignificant number of bugfixes!  A few quick notes before I copy and paste the changelog notes; If you are changing rulestate by doing anything in the drop|enable|disable config files with the category, you will now need to prepend the category that you want to modify with ET- or VRT- (based on where the rules came from).  Another item of note is that multiple rulesets are now fully supported, thus no need to run two or more instances of PulledPork.  Lastly but certainly not least is the capability to ignore source files on a more granular level: (plaintext, preproc, shared object or global).

One more big feature enhancement that I would like to point out, is the capability to create a backup/archive of your existing rules files / config files / whatever else you want!  kthx, moving on...

Please be sure to read through the documentation THOROUGHLY, a couple of the above noted changes could affect your implementation and I don't want you to be terribly shocked by that.  Plus, the things that you will need to update are trivial!

The new PulledPork can be downloaded at the following location:
SHA1 Checksum: c4fdf58c716017a0ebad3c46f770fda54c8f23b2
MD5 Checksum: d65c4ef29956823a1a5a05921f219a29
Without further rambling on my part, the changelog notes:

v0.6.0 the Smoking Pig

New Features / changes:
  • Added -q command line switch to squelch everything except fatal errors
  • Code clean up for readability
  • Move debug output to allow for better debugging of actual variable values
  • Update config to allow for ssl from ET
  • Update config to allow for new snort rules gzip
  • Bug #55 - Create capability to ignore more granularly (plaintext, preproc, shared object or global).
  • Bug #50 - You can now create backups and archives of your existing config and rules files etc...
    • This adds the PM requirement of File::Find
  • Bug #56 - More verbose output when a flowbit is re-enabled (only when run with -v)
  • Bug #60 - added -E flag that will cause ONLY enabled rules to be written to output files
  • Bug #47 - added -R flag that will set the state of the rules specified in enablesid.conf back to their ORIGINAL state, as read from the source rules tarball.
  • Bug #63 - added sid MSG information to changelog output.
  • Added -k and -K options to allow for the writing of the original source file rather than one large output file.
  • Bug #66 - Prepend VRT rulesets with VRT- and ET rulesets with ET- to allow for paralell ruleset operations.  This also provides more granularity in that scenario wherein the user could set state in a VRT or ET category only by specifying VRT-category or ET-category in the sid state modification files.
  • Added support for 500 errors, specifying that users should update their root cert store!
Bug Fixes:
  • Bug #39 - updated to allow for use of username:pass@proxy.url
  • Bug #49 - fix for race condition not allowing HUP to work with -nTH switches specified
  • Bug #40 - allow so_rules to be handled when non VRT rulesets are downloaded
  • Bug #45 - create a blank so_stub rules file so that we don't get an error re: a blank file from snort when generating so_stubs! (only if the file does not already exist, and only if you are using SOs!)
  • Bug #46 - throw error if a config file that is specified does not exist   
  • Bug #42 - Added OpenSUSE-11-3 to list
  • Fixed race condition that did not properly handle certain spaces in flowbits set and isset values, resulting in unchecked flowbits etc...
  • Bug #51 - Increased timeout value to 60 seconds
  • Bug #53 - Fixed pcre issue that caused certain rules containing isset and set flobwits values to incorrectly be auto-enabled.
  • Bug #61 - Fixed so that .so rules are not touched!
  • Bug #67 - Fixed regex to allow for space between ( and msg.
  • Bug #71 - Flaw in if statement logic did not allow for proper multiline rule parsing
  • Undocumented ID - Flaw in changelog routine did not allow for proper writing of sid-msg or sid in "deleted rules" section of the changelog.
  • Bug #62 - Added check for amd64 string during arch detection!

Special Notes:
  • Bug #47 - This should be used by advanced users only, it can produce results that may not make sense to the typical user.  And frankly, I don't understand it ;-)
  • Bug #60 - This fix WILL cause inconsistency in your changelog, as when PP reads the old rules from the existing rules file, it will have only the enabled rules in it.. thus any rules that were not enabled in that file will show up as NEW rules in the changelog output, you have been warned, so no whining!
 That should just about cover it for now, as always, I want to also thank the community for their support and feedback!  If you have any questions, comments, concerns, or otherwise then please feel free to hit me up in #snort or #pulledpork on freenode.  You are also always welcome and encouraged to join the mailing list that can be found at  And of course you can also submit feedback / bugs / feature requests at


    Wednesday, December 8, 2010

    Snort on FreeBSD i386 the easy way!

    This is a quick posting to help you get Snort 2.9.0.x up and running on your FreeBSD!

    I can't make it much easier than this, I have created new ports for Snort and DAQ 0.4 (and subsequently packages) that you can install directly.  The ports are submitted so look for the following in your ports tree:

    updated: /usr/ports/security/snort
    new: /usr/ports/security/daq

    Components required:
    • Fresh FreeBSD Install
      • Miminal (i386)
    • Access to the internet from said BSD boxen
    • Basic knowledge of Snort

    Once you have the above handled, you can issue the following command:
    $ pkg_add -r

    Output from the command on a Freshly installed FreeBSD Mimimal system:
    $ pkg_add -r
    Fetching Done.
    Fetching Done.
    Fetching Done.
    Fetching Done.

    Some checksums for your reviewing pleasure:
    • MD5 (daq-0.4.tbz) = 249d2d79fc03eb2d4e2e133da505d146
    • MD5 (libdnet-1.11_3.tbz) = b861399b4710825419240a6443ec0eb9
    • MD5 (libpcap-1.1.1.tbz) = 678ec713419066c884ceda82ebcfe66f
    • MD5 (pcre-8.10.tbz) = 03cc8232b4ea9ecb968eb67211246f20

    • SHA256 (daq-0.4.tbz) = f8e60e09c0ab4acc1726f180b2e9d58c7f557b4736a3e53e137d8cb186d71984
    • SHA256 (libdnet-1.11_3.tbz) = 92f731313eea3867ab36ad789d938a66b83dda282e293a5a3d830f138c56b6f1
    • SHA256 (libpcap-1.1.1.tbz) = fe7991735055bb92bc38a2550d6428200eb7491e0152fa59d75db1569918c4a4
    • SHA256 (pcre-8.10.tbz) = e9517918174e4b569d9b4d1b3c902db529e0c3bd67a4a4ae7f1b830aac66e7b1
    The above packages were build with the following configuration options: --enable-dynamicplugin --enable-flexresp3 --enable-ipv6 --enable-gre --enable-targetbsed --enable-decoder-preprocessor-rules --enable-zlib --enable-reload --enable-active-response --enable-normalizer --enable-react --enable-perfprofiling

    I will likely be updating the ports / packages, so keep an eye out!


    Thursday, October 21, 2010

    Haz The Drowning Rat? - PulledPork 0.5.0 is now floating!

    This release of PulledPork (The Drowning Rat) represents quite a bit of development to include a number of community requested capabilities, change a few around, and repair some bugs!  Again, I would like to thank the community for their support, contribution and use of the PulledPork Snort rule management system.  The next section is an excerpt from the README.CHANGES and below there I may discuss some example use-cases and include some sample output.

    PulledPork Changelog


    New Features / changes:
    - Automatic VRT tarball name determination (based on local Snort Version)
    - Full support for ET Pro rulesets
    - Full support for new ET Download scheme
    - Issue #27 Modifysid capability
    - Capability to retrieve multiple rulesets in a single run
    - Issue #24 Added verbose output showing all requests, results and urls
    - Verbose output now shows percentage bar for downloads
    - Extra Verbose output now shows additional HTTP debug!
    - Set value in default.conf file to https for VRT downloads
    - Set UA Value to (PulledPork/X.X.X)
    - Capability to log critical information to syslog
    - Grabonly option, for those that only want to download the tarball(s)
    - Issue #34 Added the capability to specify the order of disable / enable / drop
        using the state_order configuration option in the master config file
    - Added a contrib directory
    - Added to contrib directory
        * converts oinkmaster config files to PP config files
        * Thx Russell Fulton!
    - Added README.CONTRIB to track contrib files (ohai manifest)
    - Perl Modue Requirement Changes (SEE SECTION BELOW)
    - Issue #38 Added capability to extract reference docs from tarball and
        store in a defined path, NOTE this dramatically increases PP runtime
        * runtime value is -r

    Bug Fixes:
    - Should now correctly use environmentally set proxy settings
        * Shout to pkthound for his work and contribution here!
    - Fixed case where rules with multiple flowbit (un)?set values would not
        properly populate all of the flowbit values into the rules hash
    - Bug #29 - fixed to allow for proper generation
    - Bug #28 - fixed numerous spellification issues
    - Bug #32 - fixed to allow for so stub generation in nodownload and !nodownload case

    Perl Module Requriement Changes:
    - LWP::Simple no longer
    - LWP::UserAgent now required
    - HTTP::Request now required
    - HTTP::Status now required
    - SYS::Syslog now required
    - Crypt::SSLeay now required
    - Carp now required

    As you can see, and as I had indicated, there are a number of significant improvements and fixes.  It is important to note that there are a number of changes, that include new and changed options, to the master config and the addition of the modifysid.conf file that allows you to modify rules based on regular expression matches etc...

    Of course we also now fully support (ET Pro and the new ET open) rules and the capability to download multiple rulesets in a single run, rather than multiple config files referencing other .rules files as local rules etc...

    One other seemingly insignificant change is the capability to change the order that the rules modification routines run, this means that you can more granularly control rule state.  The default processing order is (enable, drop, disable), this can now be changed though to allow for the disabling of all rules in a specific category (or however you would do it) and then selectively enabling rules out of that category, by simply changing the run order to disable,drop,enable.  Of course combining this with the pcre, category, modifysid etc.. capabilities gives you quite a bit of versatility.

    So, without further adeau, I give you:
          _____ ____
         `----,\    )
          `--==\\  /    PulledPork v0.5.0 The Drowning Rat
         .-~~~~-.Y|\\_  Copyright (C) 2009-2010 JJ Cummings
      @_/        /  66\_
        |    \   \   _(")
         \   /-| ||'--'  Rules give me wings!
          \_\  \_\\

    Checking latest MD5 for snortrules-snapshot-2861.tar.gz....
        They Match
    Prepping rules from snortrules-snapshot-2861.tar.gz for work....
    Checking latest MD5 for etpro.rules.tar.gz....
        They Match
    Prepping rules from etpro.rules.tar.gz for work....
    Checking latest MD5 for emerging.rules.tar.gz....
        They Match
    Prepping rules from emerging.rules.tar.gz for work....
    Reading rules...
    Reading rules...
    Activating security rulesets....
    Setting Flowbit State....
        Enabled 264 flowbits
        Enabled 29 flowbits
        Enabled 4 flowbits
        Enabled 2 flowbits
    Writing /home/jj/snort.rules....
    Writing /home/jj/
    Writing /home/jj/sid_changes.log....
    Rule Stats....
        Enabled Rules:----4506
        Dropped Rules:----0
        Disabled Rules:---17797
        Total Rules:------22303
    Please review /var/log/sid_changes.log for additional details
    Fly Piggy Fly!
    Bah, Paste chopped my flying pig up ;-)

    Get it here:
    pulledpork-0.5.0.tar.gz latest hashes:
    MD5SUM = 60c0abe78945876c643760b3bb2afdb6
    SHA256 = 9e69873d737e4fc8dfd9b3a98316e4ff41bd8c4accda72f18036b96568c48872


    Monday, October 4, 2010

    Snort 2.9.0 is teh outed, must haz bakon!!

    Snort 2.9.0 introduces:
    • Feature rich IPS mode including improvements to Stream for inline deployments. Additionally a common active response API is used for all packet responses, including those from Stream, Respond, or React. A new response module, respond3, supports the syntax of both resp & resp2, including strafing for passive deployments. When Snort is deployed inline, a new preprocessor has been added to handle packet normalization to allow Snort to interpret a packet the same way as the receiving host.
    • Use of a Data Acquisition API (DAQ) that supports many different packet access methods including libpcap, netfilterq, IPFW, and afpacket. For libpcap, version 1.0 or higher is now required. The DAQ library can be updated independently from Snort and is a separate module that Snort links. See README.daq for details on using Snort and the new DAQ./li>
    • Updates to HTTP Inspect to extract and log IP addresses from X-Forward-For and True-Client-IP header fields when Snort generates events on HTTP traffic.
    • A new rule option 'byte_extract' that allows extracted values to be used in subsequent rule options for isdataat, byte_test, byte_jump, and content distance/within/depth/offset.
    • Updates to SMTP preprocessor to support MIME attachment decoding across multiple packets.
    • Ability to "test" drop rules using Inline Test Mode. Snort will indicate a packet would have been dropped in the unified2 or console event log if policy mode was set to inline.
    • Two new rule options to support base64 decoding of certain pieces of data and inspection of the base64 data via subsequent rule options.
    • Updates to the Snort packet decoders for IPv6 for improvements to anomaly detection.
    • Added a new pattern matcher that supports Intel's Quick Assist Technology for improved performance on supported hardware platforms. Visit to find out more about Intel Quick Assist. The following document describes Snort's integration with the Quick Assist Technology:
    • Reference applications for reading unified2 output that handle all unified2 record formats used by Snort.
    Snort 2.9.0 is now available at Please see the Release Notes and ChangeLog for more details.