Friday, March 27, 2009

Unofficial Snort 2.8.3.x patch for GCC 4.3.x build errors

I have noticed a number of reports in the community of build failures when compiling Snort 2.8.3.x with GCC 4.3.x. Specifically, you may see output like the following:

In function ‘open’,
inlined from ‘server_stats_save’ at server_stats.c:349:
/usr/include/bits/fcntl2.h:51: error: call to ‘__open_missing_mode’ declared with attribute error: open with O_CREAT in second argument needs 3 arguments
make[5]: *** [server_stats.o] Error 1
make[5]: Leaving directory `~/snort-2.8.3.1/src/preprocessors/flow/portscan'
make[4]: *** [all-recursive] Error 1
make[4]: Leaving directory `~/snort-2.8.3.1/src/preprocessors/flow'
make[3]: *** [all-recursive] Error 1
make[3]: Leaving directory `~/snort-2.8.3.1/src/preprocessors'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `~/snort-2.8.3.1/src'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `~/snort-2.8.3.1'
make: *** [all] Error 2
If you are receiving the error above, the fix is simple. The open() call at line 349 of src/preprocessors/flow/portscan/server_stats.c passes O_CREAT without the third (mode) argument; older toolchains let that through and the newly created file gets whatever value happens to follow in the argument list as its permission bits, whereas GCC 4.3 with glibc's fortified headers (the bits/fcntl2.h in the error) rejects it at compile time. Supplying the mode argument makes it build again. Yes, the patch is below:

If you don't know how to apply a patch to the file, I suggest using Google to figure it out ;-)

Click me for the patch
MD5
SHA256
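As an added illustration of my own (this is not Snort code and not the patch linked above), here is the shape of a correct three-argument open() with O_CREAT, plus a check of the permission bits the file actually ends up with. The /tmp path, the 0600 mode and the "scans=42" blob are my choices for the example.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Write a small stats blob to `path`, creating the file if it does not exist.
 * When O_CREAT is set, the third argument to open() is mandatory: it is the
 * permission mode for a newly created file (filtered through the umask).
 * A two-argument open(path, O_WRONLY|O_CREAT) compiles on older toolchains,
 * but the mode is then whatever sits in the next vararg slot, i.e. garbage;
 * GCC 4.3 with _FORTIFY_SOURCE turns that into the compile error quoted in
 * the post. Owner-only 0600 is a sensible default for IDS state files. */
int save_stats(const char *path, const char *blob, mode_t mode)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, mode);
    if (fd < 0)
        return -1;
    size_t len = strlen(blob);
    ssize_t n = write(fd, blob, len);
    if (n < 0 || (size_t)n != len) {
        close(fd);
        return -1;
    }
    return close(fd) == 0 ? 0 : -1;
}

/* Permission bits (rwx for owner/group/other) of an existing file, or -1. */
int perm_bits(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (int)(st.st_mode & 0777);
}

/* Example path unique to this process (assumption: /tmp is writable). */
const char *example_path(void)
{
    static char buf[64];
    snprintf(buf, sizeof buf, "/tmp/stats_example.%ld", (long)getpid());
    return buf;
}

int main(void)
{
    const char *p = example_path();
    if (save_stats(p, "scans=42\n", 0600) != 0) {
        perror("save_stats");
        return 1;
    }
    printf("%s created with mode %04o\n", p, perm_bits(p));
    unlink(p);
    return 0;
}
```

Note that O_CREAT only applies the mode when the file is actually created; an existing file keeps whatever bits it already had, so if you care about the permissions of a file another process may have created first, check them explicitly as perm_bits() does.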

Cheers,
JJC

Monday, March 23, 2009

InProtect 1.00.0 Beta_2 VMWare Image

Given recent developments that the team has made on the InProtect project and the many emails that I see floating about on the lists, I decided to create a VMware image of an "almost" fully functioning InProtect installation. I say "almost" because, of course, like the LiveUSB that I released some time ago, I can't put the latest version of Nessus on the VM due to licensing restrictions imposed by Tenable. Note that I did not include greatly detailed instructions on the use of InProtect, I may do this later but haven't the time right now.

Please try to remember that this is a BETA, and as such may not be fully functional. If you find bugs or the like, please feel free to file them at the SourceForge site or hit us up!

So, the quick and dirty of it: go to the Nessus website and download the latest Nessus tarball, upload it to the VM (scp), install it (pkg_add), start it, register it, and then run the /opt/Inprotect/sbin/updateplugins_1.00.pl script. For everything to match up, create a user "inprotect" with password "inprotect" in your Nessus daemon. Once you have completed those steps you should be able to scan. Note that if you want to scan outside of the VM you will need to change the VM's network interface to bridged mode; since the image ships with the default credentials listed further down, change those passwords before you expose it to anything other than a host-only network. The interface is set for DHCP and everything will start up fine with any address you assign it or that it receives.


You will also need to put the JpGraph library in /opt/Inprotect/html if you want the nifty graphs to work, but I'll probably speak more to this in an upcoming post.

I essentially used the install script to install into /opt/Inprotect on, you guessed it, FreeBSD 7.1R, but of course had to make a few minor adjustments (it's not always 100% out of the gate) to get everything working together. That being said, you can probably do the same on your own distro.

Some important info that you will (or may) need, in the form username/password/medium:

inprotect/inprotect/shell
root/root/console
root/root/mysql
admin/password/inprotect web interface

phpMyAdmin is installed: http://ipofyourvm/phpmyadmin/ for your mysqling pleasure.

To access InProtect simply browse to the ip of your VM: http://ipofyourvm

If you want nmap, build it from ports: /usr/ports/security/nmap

Get the VMWare Image Here
MD5
SHA256

Cheers,
JJC

Wednesday, March 18, 2009

PHPIDS Phase 1.1

I have been reviewing PHPIDS for some time now and have come to the conclusion that, while a novel idea, it is simply overkill and extra rubbish to include in your PHP code. I also have some ideas surrounding evasion techniques. Don't get me wrong: I think that in the right place (i.e. a server on which you cannot load a real IDS/IPS such as mod_security) it is better than nothing. I will place one caveat on that though: I am not 100% sure what it does to the load capacity of (or how much it increases the load on) an existing site. I'll be conducting some extensive load testing on it over the next week or so and posting those results.

JJC

twitter

I have been having some fun on Twitter lately (instead of evaluating security foo, hah!); I have been on it for some time but had not really been using it. If you want to join in the fun, I am enhancedx.

Obviously the whole Web 2.0 movement introduces all new concerns surrounding security, especially as related to the physical security of one's person. Specifically I am talking about social networking apps like Twitter, Loopt and the like. These are fun to play with and to share your daily travels and ramblings with people, but if the user does not pay attention they can also lead people directly to you. Of course, I am sure that EVERYONE is well versed in the features of these apps and therefore only shares their location when they want to, right? Of course people don't reuse the same password for multiple accounts and don't ever have their identity stolen either, so what am I worrying about, sheesh!

Cheers,
JJC

Wednesday, March 11, 2009

openpacket.org

I recently took over managing and maintaining OpenPacket.org from Richard Bejtlich of TaoSecurity. I would like to extend my thanks to Richard for his time and efforts in getting OpenPacket.org off the ground.

The mission of OpenPacket.org is to provide quality network traffic traces to researchers, analysts, and other members of the digital security community. One of the most difficult problems facing researchers, analysts, and others is understanding traffic carried by networks. At present there is no central repository of traces from which a student of network traffic could draw samples. OpenPacket.org provides one possible solution to this problem.

Analysts looking for network traffic of a particular type can visit OpenPacket.org, query the capture repository for matching traces, and download those packets in their original format (e.g., libpcap). The analyst can then process and analyze that traffic using tools of their choice, such as tcpdump, Snort, Wireshark (formerly Ethereal), and so on.

Analysts who collect their own traffic will be able to submit it to the OpenPacket.org database after they register.

Anonymous users can download any trace that's published. Only registered users can upload. This system provides a level of accountability for trace uploads.

Our moderators review each submitted trace to ensure it does not contain sensitive information that should not be posted publicly. Besides appearing on the site, once a trace has been published you can receive notice of it via this published trace RSS feed.

If you have any doubt regarding the publication of a trace, do not try to submit it. When moderators are unsure of the nature of a trace, we will reject it. OpenPacket.org is not a vehicle for publishing enterprise data as contained in network traffic.
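As an added example of my own (not OpenPacket.org code, and not a substitute for moderator review), here is the kind of pre-submission check I would run over a trace before uploading it: it parses a classic pcap file with only the Python standard library, lists every IPv4 host the trace names, and flags TCP payloads that carry cleartext-credential markers. The two-packet capture embedded in SAMPLE_PCAP is constructed for the example, and the CREDENTIAL_MARKERS list is my own short starting point.

```python
import ipaddress
import struct

# --- Constructed sample capture (not a real trace) ----------------------------

def _ipv4_tcp_frame(src, dst, sport, dport, payload):
    """Ethernet + IPv4 + TCP frame with zeroed checksums (enough for parsing)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload

def build_pcap(frames):
    """Classic little-endian pcap (magic 0xa1b2c3d4, linktype 1 = Ethernet)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1_000_000 + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)

SAMPLE_PCAP = build_pcap([
    _ipv4_tcp_frame("10.0.0.5", "192.0.2.80", 40001, 80,
                    b"GET /admin HTTP/1.1\r\nHost: intranet\r\n"
                    b"Authorization: Basic YWRtaW46cGFzc3dvcmQ=\r\n\r\n"),
    _ipv4_tcp_frame("10.0.0.9", "10.0.0.5", 22, 50000, b"SSH-2.0-OpenSSH_5.1\r\n"),
])

# --- Parsing --------------------------------------------------------------------

def iter_packets(data):
    """Yield raw frames from a classic pcap file; both byte orders handled."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == 0xA1B2C3D4:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    if struct.unpack_from(end + "I", data, 20)[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack_from(end + "IIII", data, off)[2]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len

def decode_ipv4(frame):
    """Return (src, dst, proto, tcp_payload) for an IPv4-over-Ethernet frame."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    src = str(ipaddress.IPv4Address(frame[26:30]))
    dst = str(ipaddress.IPv4Address(frame[30:34]))
    payload = b""
    tcp = 14 + ihl
    if proto == 6 and len(frame) >= tcp + 20:
        payload = frame[tcp + (frame[tcp + 12] >> 4) * 4:]
    return src, dst, proto, payload

# --- Review ---------------------------------------------------------------------

# Cleartext-credential markers to look for (my own short list; extend it).
CREDENTIAL_MARKERS = (b"Authorization: Basic", b"Authorization: Bearer",
                      b"PASS ", b"password=", b"Cookie:")

def review_trace(data):
    """Inventory every IPv4 host in the trace and flag credential-looking payloads."""
    hosts = set()
    findings = []
    for n, frame in enumerate(iter_packets(data), 1):
        decoded = decode_ipv4(frame)
        if decoded is None:
            continue
        src, dst, _proto, payload = decoded
        hosts.update((src, dst))
        for marker in CREDENTIAL_MARKERS:
            if marker in payload:
                findings.append((n, src, dst, marker.decode()))
    return {"hosts": sorted(hosts), "findings": findings}

if __name__ == "__main__":
    report = review_trace(SAMPLE_PCAP)
    print("hosts in trace:", ", ".join(report["hosts"]))
    for n, src, dst, marker in report["findings"]:
        print(f"packet {n}: {src} -> {dst} contains '{marker}'; do not submit as-is")
```

The host inventory matters as much as the credential hits: a trace full of your own internal addressing, hostnames and user agents identifies an enterprise even when no password is in it, which is exactly the "enterprise data as contained in network traffic" the policy above excludes. A clean report from a script like this is a reason to look harder, not a reason to skip the doubt test.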

In the upcoming months you will see significant changes and improvements to the OpenPacket.org site. Many of these changes come from user feedback, so please keep it coming and stay tuned as updates are released!

JJC