Security - The Global Perspective

Automated Teller Phone Phishing

2011-10-31T19:30:00.000-04:00

Early this morning I was awakened by my ringing cell phone. When I answered it, I was greeted by an automated teller stating that my Wells Fargo debit card had been disabled. The cause was due to potentially fraud activity. This of course was highly worrisome as I can now not use my non-existent Wells Fargo debit card. Subsequently I hung up on the automated teller while swearing at it and throwing miscellaneous items around the bedroom.

This is all well and good until I received another call a bit over 10 hours later stating the same thing. This time though, I decided to play along. To play along, I had to enter a 1 to be immediately transferred to debit card security services. Upon selecting one, the same automated teller stated that it would require four pieces of information from me to re-activate my card. The first was the last four of my social, duly entered "6666". The next was the full 16 digits of my card.. I could not get past this point as the automated teller was checking for at least basic validity of the card. Note that I am prepared now though and have generated some bogus numbers that I will enter. I'll also record and post said recording.

The automated teller clearly sounds like a generic asterisk type. That said, I'm gonna actually try to post some more useful security and BSD stuff!

PulledPork 0.6.0 the Smoking Pig, He's on Fire!

2011-03-28T19:45:00.004-04:00

It has been some time since I posted anything at all, I had considered adding "relevant". But that's simply not true, since it's been dead air for a while.

Having said this, I am pleased to announce PulledPork V 0.6.0 - the Smoking Pig is finally released as of, well, right now!

This version represents a decent amount of time spent improving the core of the tool to enhance speed, a large number of feature enhancements and also not an insignificant number of bugfixes! A few quick notes before I copy and paste the changelog notes; If you are changing rulestate by doing anything in the drop|enable|disable config files with the category, you will now need to prepend the category that you want to modify with ET- or VRT- (based on where the rules came from). Another item of note is that multiple rulesets are now fully supported, thus no need to run two or more instances of PulledPork. Lastly but certainly not least is the capability to ignore source files on a more granular level: (plaintext, preproc, shared object or global).

One more big feature enhancement that I would like to point out, is the capability to create a backup/archive of your existing rules files / config files / whatever else you want! kthx, moving on...

Please be sure to read through the documentation THOROUGHLY, a couple of the above noted changes could affect your implementation and I don't want you to be terribly shocked by that. Plus, the things that you will need to update are trivial!

The new PulledPork can be downloaded at the following location:
http://pulledpork.googlecode.com/files/pulledpork-0.6.0.tar.gz
SHA1 Checksum: c4fdf58c716017a0ebad3c46f770fda54c8f23b2
MD5 Checksum: d65c4ef29956823a1a5a05921f219a29
Without further rambling on my part, the changelog notes:

v0.6.0 the Smoking Pig

New Features / changes:

Added -q command line switch to squelch everything except fatal errors
Code clean up for readability
Move debug output to allow for better debugging of actual variable values
Update config to allow for ssl from ET
Update config to allow for new snort rules gzip
Bug #55 - Create capability to ignore more granularly (plaintext, preproc, shared object or global).
Bug #50 - You can now create backups and archives of your existing config and rules files etc...

This adds the PM requirement of File::Find

Bug #56 - More verbose output when a flowbit is re-enabled (only when run with -v)
Bug #60 - added -E flag that will cause ONLY enabled rules to be written to output files
Bug #47 - added -R flag that will set the state of the rules specified in enablesid.conf back to their ORIGINAL state, as read from the source rules tarball.
Bug #63 - added sid MSG information to changelog output.
Added -k and -K options to allow for the writing of the original source file rather than one large output file.
Bug #66 - Prepend VRT rulesets with VRT- and ET rulesets with ET- to allow for paralell ruleset operations. This also provides more granularity in that scenario wherein the user could set state in a VRT or ET category only by specifying VRT-category or ET-category in the sid state modification files.
Added support for 500 errors, specifying that users should update their root cert store!

Bug Fixes:

Bug #39 - updated to allow for use of username:pass@proxy.url
Bug #49 - fix for race condition not allowing HUP to work with -nTH switches specified
Bug #40 - allow so_rules to be handled when non VRT rulesets are downloaded
Bug #45 - create a blank so_stub rules file so that we don't get an error re: a blank file from snort when generating so_stubs! (only if the file does not already exist, and only if you are using SOs!)
Bug #46 - throw error if a config file that is specified does not exist
Bug #42 - Added OpenSUSE-11-3 to list
Fixed race condition that did not properly handle certain spaces in flowbits set and isset values, resulting in unchecked flowbits etc...
Bug #51 - Increased timeout value to 60 seconds
Bug #53 - Fixed pcre issue that caused certain rules containing isset and set flobwits values to incorrectly be auto-enabled.
Bug #61 - Fixed so that .so rules are not touched!
Bug #67 - Fixed regex to allow for space between ( and msg.
Bug #71 - Flaw in if statement logic did not allow for proper multiline rule parsing
Undocumented ID - Flaw in changelog routine did not allow for proper writing of sid-msg or sid in "deleted rules" section of the changelog.
Bug #62 - Added check for amd64 string during arch detection!

Special Notes:

Bug #47 - This should be used by advanced users only, it can produce results that may not make sense to the typical user. And frankly, I don't understand it ;-)
Bug #60 - This fix WILL cause inconsistency in your changelog, as when PP reads the old rules from the existing rules file, it will have only the enabled rules in it.. thus any rules that were not enabled in that file will show up as NEW rules in the changelog output, you have been warned, so no whining!

That should just about cover it for now, as always, I want to also thank the community for their support and feedback! If you have any questions, comments, concerns, or otherwise then please feel free to hit me up in #snort or #pulledpork on freenode. You are also always welcome and encouraged to join the mailing list that can be found at http://groups.google.com/group/pulledpork-users/. And of course you can also submit feedback / bugs / feature requests at http://pulledpork.googlecode.com.

Regards,
JJC

Snort 2.9.0.2 on FreeBSD i386 the easy way!

2010-12-08T18:19:00.003-05:00

This is a quick posting to help you get Snort 2.9.0.x up and running on your FreeBSD!

I can't make it much easier than this, I have created new ports for Snort 2.9.0.2 and DAQ 0.4 (and subsequently packages) that you can install directly. The ports are submitted so look for the following in your ports tree:

updated: /usr/ports/security/snort
new: /usr/ports/security/daq

Components required:

Fresh FreeBSD Install

Miminal (i386)

Access to the internet from said BSD boxen
Basic knowledge of Snort

Once you have the above handled, you can issue the following command:

$ pkg_add -r http://www.rootedyour.com/enhanced/snort/snort-2.9.0.2.tbz

Output from the command on a Freshly installed FreeBSD Mimimal system:

$ pkg_add -r http://www.rootedyour.com/enhanced/snort/snort-2.9.0.2.tbz

Fetching http://www.rootedyour.com/enhanced/snort/snort-2.9.0.2.tbz... Done.

Fetching http://www.rootedyour.com/enhanced/All/libpcap-1.1.1.tbz... Done.

Fetching http://www.rootedyour.com/enhanced/All/libdnet-1.11_3.tbz... Done.

Fetching http://www.rootedyour.com/enhanced/All/daq-0.4.tbz... Done.

Some checksums for your reviewing pleasure:

MD5 (daq-0.4.tbz) = 249d2d79fc03eb2d4e2e133da505d146
MD5 (libdnet-1.11_3.tbz) = b861399b4710825419240a6443ec0eb9
MD5 (libpcap-1.1.1.tbz) = 678ec713419066c884ceda82ebcfe66f
MD5 (pcre-8.10.tbz) = 03cc8232b4ea9ecb968eb67211246f20
SHA256 (daq-0.4.tbz) = f8e60e09c0ab4acc1726f180b2e9d58c7f557b4736a3e53e137d8cb186d71984
SHA256 (libdnet-1.11_3.tbz) = 92f731313eea3867ab36ad789d938a66b83dda282e293a5a3d830f138c56b6f1
SHA256 (libpcap-1.1.1.tbz) = fe7991735055bb92bc38a2550d6428200eb7491e0152fa59d75db1569918c4a4
SHA256 (pcre-8.10.tbz) = e9517918174e4b569d9b4d1b3c902db529e0c3bd67a4a4ae7f1b830aac66e7b1

The above packages were build with the following configuration options: --enable-dynamicplugin --enable-flexresp3 --enable-ipv6 --enable-gre --enable-targetbsed --enable-decoder-preprocessor-rules --enable-zlib --enable-reload --enable-active-response --enable-normalizer --enable-react --enable-perfprofiling

I will likely be updating the ports / packages, so keep an eye out!

JJC

Haz The Drowning Rat? - PulledPork 0.5.0 is now floating!

2010-10-21T15:31:00.000-04:00

This release of PulledPork (The Drowning Rat) represents quite a bit of development to include a number of community requested capabilities, change a few around, and repair some bugs! Again, I would like to thank the community for their support, contribution and use of the PulledPork Snort rule management system. The next section is an excerpt from the README.CHANGES and below there I may discuss some example use-cases and include some sample output.

PulledPork Changelog

v0.5.0

New Features / changes:
- Automatic VRT tarball name determination (based on local Snort Version)
- Full support for ET Pro rulesets
- Full support for new ET Download scheme
- Issue #27 Modifysid capability
- Capability to retrieve multiple rulesets in a single run
- Issue #24 Added verbose output showing all requests, results and urls
- Verbose output now shows percentage bar for downloads
- Extra Verbose output now shows additional HTTP debug!
- Set value in default.conf file to https for VRT downloads
- Set UA Value to (PulledPork/X.X.X)
- Capability to log critical information to syslog
- Grabonly option, for those that only want to download the tarball(s)
- Issue #34 Added the capability to specify the order of disable / enable / drop
    using the state_order configuration option in the master config file
- Added a contrib directory
- Added oink-conv.pl to contrib directory
    * converts oinkmaster config files to PP config files
    * Thx Russell Fulton!
- Added README.CONTRIB to track contrib files (ohai manifest)
- Perl Modue Requirement Changes (SEE SECTION BELOW)
- Issue #38 Added capability to extract reference docs from tarball and
    store in a defined path, NOTE this dramatically increases PP runtime
    * runtime value is -r

Bug Fixes:
- Should now correctly use environmentally set proxy settings
    * Shout to pkthound for his work and contribution here!
- Fixed case where rules with multiple flowbit (un)?set values would not
    properly populate all of the flowbit values into the rules hash
- Bug #29 - fixed to allow for proper sid-msg.map generation
- Bug #28 - fixed numerous spellification issues
- Bug #32 - fixed to allow for so stub generation in nodownload and !nodownload case

Perl Module Requriement Changes:
- LWP::Simple no longer
- LWP::UserAgent now required
- HTTP::Request now required
- HTTP::Status now required
- SYS::Syslog now required
- Crypt::SSLeay now required
- Carp now required

As you can see, and as I had indicated, there are a number of significant improvements and fixes. It is important to note that there are a number of changes, that include new and changed options, to the master config and the addition of the modifysid.conf file that allows you to modify rules based on regular expression matches etc...

Of course we also now fully support (ET Pro and the new ET open) rules and the capability to download multiple rulesets in a single run, rather than multiple config files referencing other .rules files as local rules etc...

One other seemingly insignificant change is the capability to change the order that the rules modification routines run, this means that you can more granularly control rule state. The default processing order is (enable, drop, disable), this can now be changed though to allow for the disabling of all rules in a specific category (or however you would do it) and then selectively enabling rules out of that category, by simply changing the run order to disable,drop,enable. Of course combining this with the pcre, category, modifysid etc.. capabilities gives you quite a bit of versatility.

So, without further adeau, I give you:

    http://code.google.com/p/pulledpork/
      _____ ____
     `----,\    )
      `--==\\ /    PulledPork v0.5.0 The Drowning Rat
       `--==\\/
     .-~~~~-.Y|\\_ Copyright (C) 2009-2010 JJ Cummings
@_/        / 66\_ cummingsj@gmail.com
    |    \   \   _(")
     \   /-| ||'--' Rules give me wings!
      \_\ \_\\
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Checking latest MD5 for snortrules-snapshot-2861.tar.gz....
    They Match
    Done!
Prepping rules from snortrules-snapshot-2861.tar.gz for work....
    Done!
Checking latest MD5 for etpro.rules.tar.gz....
    They Match
    Done!
Prepping rules from etpro.rules.tar.gz for work....
    Done!
Checking latest MD5 for emerging.rules.tar.gz....
    They Match
    Done!
Prepping rules from emerging.rules.tar.gz for work....
    Done!
Reading rules...
Reading rules...
Activating security rulesets....
    Done
Setting Flowbit State....
    Enabled 264 flowbits
    Enabled 29 flowbits
    Enabled 4 flowbits
    Enabled 2 flowbits
    Done
Writing /home/jj/snort.rules....
    Done
Generating sid-msg.map....
    Done
Writing /home/jj/sid-msg.map....
    Done
Writing /home/jj/sid_changes.log....
    Done
Rule Stats....
    New:-------0
    Deleted:---0
    Enabled Rules:----4506
    Dropped Rules:----0
    Disabled Rules:---17797
    Total Rules:------22303
    Done
Please review /var/log/sid_changes.log for additional details
Fly Piggy Fly!

Bah, Paste chopped my flying pig up ;-)

Get it here:

pulledpork-0.5.0.tar.gz latest hashes:
MD5SUM = 60c0abe78945876c643760b3bb2afdb6
SHA256 = 9e69873d737e4fc8dfd9b3a98316e4ff41bd8c4accda72f18036b96568c48872

Cheers,

JJC

Snort 2.9.0 is teh outed, must haz bakon!!

2010-10-04T20:30:00.000-04:00

Snort 2.9.0 introduces:

Feature rich IPS mode including improvements to Stream for inline deployments. Additionally a common active response API is used for all packet responses, including those from Stream, Respond, or React. A new response module, respond3, supports the syntax of both resp & resp2, including strafing for passive deployments. When Snort is deployed inline, a new preprocessor has been added to handle packet normalization to allow Snort to interpret a packet the same way as the receiving host.
Use of a Data Acquisition API (DAQ) that supports many different packet access methods including libpcap, netfilterq, IPFW, and afpacket. For libpcap, version 1.0 or higher is now required. The DAQ library can be updated independently from Snort and is a separate module that Snort links. See README.daq for details on using Snort and the new DAQ./li>
Updates to HTTP Inspect to extract and log IP addresses from X-Forward-For and True-Client-IP header fields when Snort generates events on HTTP traffic.
A new rule option 'byte_extract' that allows extracted values to be used in subsequent rule options for isdataat, byte_test, byte_jump, and content distance/within/depth/offset.
Updates to SMTP preprocessor to support MIME attachment decoding across multiple packets.
Ability to "test" drop rules using Inline Test Mode. Snort will indicate a packet would have been dropped in the unified2 or console event log if policy mode was set to inline.
Two new rule options to support base64 decoding of certain pieces of data and inspection of the base64 data via subsequent rule options.
Updates to the Snort packet decoders for IPv6 for improvements to anomaly detection.
Added a new pattern matcher that supports Intel's Quick Assist Technology for improved performance on supported hardware platforms. Visit http://www.intel.com to find out more about Intel Quick Assist. The following document describes Snort's integration with the Quick Assist Technology: http://download.intel.com/embedded/applications/networksecurity/324029.pdf.
Reference applications for reading unified2 output that handle all unified2 record formats used by Snort.

Snort 2.9.0 is now available at http://www.snort.org/snort-downloads. Please see the Release Notes and ChangeLog for more details.

The Pig Doktah is Born! - A Snort Performance Monitor Interpretation Tool

2010-09-08T10:59:00.002-04:00

After receiving a variety of feedback via email, irc, twitter and even some comments on this blog, I have decided to start an updated and maintained project to parse, display, and ultimately make configuration / tuning suggestions based on the snort performance monitor output. As you may have guessed by now, this tool is called the Pig Doktah and can be found at http://thepigdoktah.googlecode.com. The current version reads snort performance monitor output and stores in a hash for quick access, sorting etc...

I am still quite interested in what specific metrics people are most interested, so please don't hesitate to hit me up via comment on this blog, irc (freenode - #snort), email, or twitter.

During the development, and for the foreseeable future, I will have the latest version of the code sending output to this location on an hourly basis: http://rootedyour.com/enhanced/pminfo.htm

Sample output:

-= Tha Pig Doktah 0.1 Dev =-
Copyright (C) 2010 JJ Cummings

Report Info:
   Processed: /var/tmp/snortstat
   First Entry: Wed Sep 1 11:34:05 2010
   Last Entry: Wed Sep 8 09:00:17 2010
   Time Span: 6 days, 21 hours, 26 minutes and 12 seconds

Wirespeed:
   High: 10.613 Mbits/Sec | Sat Sep 4 07:59:48 2010
   Low: 0.006 Mbits/Sec | Sat Sep 4 07:12:47 2010
   Avg: 1.953 Mbits/Sec

% Packet Loss:
   High: 10.504% | Sat Sep 4 03:00:00 2010
   Low: 0.000% | Wed Sep 8 08:41:27 2010
   Avg: 1.002%

Additional Info:
   Avg Pkt Size: 803.413 bytes
   Avg Syns/Sec: 0.181
   Avg SynAcks/Sec: 0.124
   Avg Alerts/Sec: 0.001
   Avg Current Cached Sessions: 6671.668

Raw Values:
   alerts avg = 0.001
   alerts high = 0.032
   alerts high_date = Wed Sep 1 12:32:57 2010
   alerts low = 0.000
   alerts low_date = Wed Sep 8 09:00:17 2010
   attrib_hosts_current avg = 0.000
   attrib_hosts_current high = 0.000
   attrib_hosts_current high_date = Wed Sep 8 09:00:17 2010
   attrib_hosts_current low = 0.000
   attrib_hosts_current low_date = Wed Sep 8 09:00:17 2010
   attrib_reloads avg = 0.000
   attrib_reloads high = 0
   attrib_reloads high_date = Wed Sep 8 09:00:17 2010
   attrib_reloads low = 0
   attrib_reloads low_date = Wed Sep 8 09:00:17 2010
   bytes_applayer avg = 0.252
   bytes_applayer high = 1.352
   bytes_applayer high_date = Sat Sep 4 07:59:48 2010
   bytes_applayer low = 0.006
   bytes_applayer low_date = Tue Sep 7 09:13:56 2010
   bytes_ipfrag avg = 0.000
   bytes_ipfrag high = 0
   bytes_ipfrag high_date = Wed Sep 8 09:00:17 2010
   bytes_ipfrag low = 0
   bytes_ipfrag low_date = Wed Sep 8 09:00:17 2010
   bytes_ipreass avg = 2279.291
   bytes_ipreass high = 3660
   bytes_ipreass high_date = Thu Sep 2 13:47:36 2010
   bytes_ipreass low = 368
   bytes_ipreass low_date = Thu Sep 2 10:22:15 2010
   bytes_tcprebuilt avg = 892.669
   bytes_tcprebuilt high = 1458
   bytes_tcprebuilt high_date = Sun Sep 5 15:19:06 2010
   bytes_tcprebuilt low = 136
   bytes_tcprebuilt low_date = Sat Sep 4 00:58:27 2010
   cpu1_idle avg = 95.767
   cpu1_idle high = 99.977
   cpu1_idle high_date = Sat Sep 4 00:58:27 2010
   cpu1_idle low = 69.943
   cpu1_idle low_date = Tue Sep 7 06:20:11 2010
   cpu1_sys avg = 0.051
   cpu1_sys high = 0.287
   cpu1_sys high_date = Sat Sep 4 07:59:48 2010
   cpu1_sys low = 0.000
   cpu1_sys low_date = Wed Sep 8 08:07:19 2010
   cpu1_user avg = 4.183
   cpu1_user high = 29.860
   cpu1_user high_date = Tue Sep 7 06:20:11 2010
   cpu1_user low = 0.023
   cpu1_user low_date = Sat Sep 4 00:58:27 2010
   cpu_count avg = 1.000
   cpu_count high = 1
   cpu_count high_date = Wed Sep 8 09:00:17 2010
   cpu_count low = 1
   cpu_count low_date = Wed Sep 8 09:00:17 2010
   drops avg = 1.002
   drops high = 10.504
   drops high_date = Sat Sep 4 03:00:00 2010
   drops low = 0.000
   drops low_date = Wed Sep 8 08:41:27 2010
   filtered_tcp avg = 3790.598
   filtered_tcp high = 45608
   filtered_tcp high_date = Tue Sep 7 09:24:12 2010
   filtered_tcp low = 85
   filtered_tcp low_date = Wed Sep 1 11:50:25 2010
   filtered_udp avg = 3790.598
   filtered_udp high = 45608
   filtered_udp high_date = Tue Sep 7 09:24:12 2010
   filtered_udp low = 85
   filtered_udp low_date = Wed Sep 1 11:50:25 2010
   frag_auto avg = 0.000
   frag_auto high = 0.000
   frag_auto high_date = Wed Sep 8 09:00:17 2010
   frag_auto low = 0.000
   frag_auto low_date = Wed Sep 8 09:00:17 2010
   frag_complete avg = 0.000
   frag_complete high = 0.000
   frag_complete high_date = Wed Sep 8 09:00:17 2010
   frag_complete low = 0.000
   frag_complete low_date = Wed Sep 8 09:00:17 2010
   frag_current avg = 0.000
   frag_current high = 0
   frag_current high_date = Wed Sep 8 09:00:17 2010
   frag_current low = 0
   frag_current low_date = Wed Sep 8 09:00:17 2010
   frag_delete avg = 0.000
   frag_delete high = 0.000
   frag_delete high_date = Wed Sep 8 09:00:17 2010
   frag_delete low = 0.000
   frag_delete low_date = Wed Sep 8 09:00:17 2010
   frag_faults avg = 0.000
   frag_faults high = 0
   frag_faults high_date = Wed Sep 8 09:00:17 2010
   frag_faults low = 0
   frag_faults low_date = Wed Sep 8 09:00:17 2010
   frag_flushes avg = 0.000
   frag_flushes high = 0.000
   frag_flushes high_date = Wed Sep 8 09:00:17 2010
   frag_flushes low = 0.000
   frag_flushes low_date = Wed Sep 8 09:00:17 2010
   frag_insert avg = 0.000
   frag_insert high = 0.000
   frag_insert high_date = Wed Sep 8 09:00:17 2010
   frag_insert low = 0.000
   frag_insert low_date = Wed Sep 8 09:00:17 2010
   frag_max avg = 0.000
   frag_max high = 0
   frag_max high_date = Wed Sep 8 09:00:17 2010
   frag_max low = 0
   frag_max low_date = Wed Sep 8 09:00:17 2010
   frag_new avg = 0.000
   frag_new high = 0.000
   frag_new high_date = Wed Sep 8 09:00:17 2010
   frag_new low = 0.000
   frag_new low_date = Wed Sep 8 09:00:17 2010
   frag_timeout avg = 0.000
   frag_timeout high = 0
   frag_timeout high_date = Wed Sep 8 09:00:17 2010
   frag_timeout low = 0
   frag_timeout low_date = Wed Sep 8 09:00:17 2010
   kpkts_applayer avg = 121425.178
   kpkts_applayer high = 444882
   kpkts_applayer high_date = Thu Sep 2 22:42:20 2010
   kpkts_applayer low = 5738
   kpkts_applayer low_date = Wed Sep 1 18:55:09 2010
   kpkts_ipfrag avg = 0.000
   kpkts_ipfrag high = 0.000
   kpkts_ipfrag high_date = Wed Sep 8 09:00:17 2010
   kpkts_ipfrag low = 0.000
   kpkts_ipfrag low_date = Wed Sep 8 09:00:17 2010
   kpkts_ipreass avg = 0.022
   kpkts_ipreass high = 0.366
   kpkts_ipreass high_date = Tue Sep 7 06:20:11 2010
   kpkts_ipreass low = 0.000
   kpkts_ipreass low_date = Wed Sep 8 08:31:29 2010
   kpkts_iptcprebuilt avg = 0.273
   kpkts_iptcprebuilt high = 1.646
   kpkts_iptcprebuilt high_date = Thu Sep 2 22:42:20 2010
   kpkts_iptcprebuilt low = 0.006
   kpkts_iptcprebuilt low_date = Tue Sep 7 09:13:56 2010
   kpkts_wire avg = 0.252
   kpkts_wire high = 1.352
   kpkts_wire high_date = Sat Sep 4 07:59:48 2010
   kpkts_wire low = 0.006
   kpkts_wire low_date = Tue Sep 7 09:13:56 2010
   mbits_applayer avg = 803.413
   mbits_applayer high = 1009
   mbits_applayer high_date = Sat Sep 4 08:09:48 2010
   mbits_applayer low = 120
   mbits_applayer low_date = Mon Sep 6 05:52:07 2010
   mbits_ipfrag avg = 2.434
   mbits_ipfrag high = 17.685
   mbits_ipfrag high_date = Tue Sep 7 06:20:11 2010
   mbits_ipfrag low = 0.007
   mbits_ipfrag low_date = Mon Sep 6 17:12:03 2010
   mbits_ipreass avg = 0.000
   mbits_ipreass high = 0.000
   mbits_ipreass high_date = Wed Sep 8 09:00:17 2010
   mbits_ipreass low = 0.000
   mbits_ipreass low_date = Wed Sep 8 09:00:17 2010
   mbits_tcprebuilt avg = 0.482
   mbits_tcprebuilt high = 8.324
   mbits_tcprebuilt high_date = Tue Sep 7 06:20:11 2010
   mbits_tcprebuilt low = 0.000
   mbits_tcprebuilt low_date = Tue Sep 7 01:11:34 2010
   mbps_snort avg = 0.000
   mbps_snort high = 0
   mbps_snort high_date = Wed Sep 8 09:00:17 2010
   mbps_snort low = 0
   mbps_snort low_date = Wed Sep 8 09:00:17 2010
   mbps_wire avg = 1.953
   mbps_wire high = 10.613
   mbps_wire high_date = Sat Sep 4 07:59:48 2010
   mbps_wire low = 0.006
   mbps_wire low_date = Sat Sep 4 07:12:47 2010
   patmatch avg = 320.575
   patmatch high = 556.312
   patmatch high_date = Sun Sep 5 19:37:37 2010
   patmatch low = 2.946
   patmatch low_date = Wed Sep 8 07:11:52 2010
   pktbytes avg = 803.413
   pktbytes high = 1009
   pktbytes high_date = Sat Sep 4 08:09:48 2010
   pktbytes low = 120
   pktbytes low_date = Mon Sep 6 05:52:07 2010
   pkts_blocked avg = 0.229
   pkts_blocked high = 14.322
   pkts_blocked high_date = Sun Sep 5 20:50:12 2010
   pkts_blocked low = 0.109
   pkts_blocked low_date = Sat Sep 4 01:34:34 2010
   pkts_dropped avg = 0.000
   pkts_dropped high = 0
   pkts_dropped high_date = Wed Sep 8 09:00:17 2010
   pkts_dropped low = 0
   pkts_dropped low_date = Wed Sep 8 09:00:17 2010
   pkts_dropped_percentage avg = 0.172
   pkts_dropped_percentage high = 9.096
   pkts_dropped_percentage high_date = Sun Sep 5 20:50:12 2010
   pkts_dropped_percentage low = 0.003
   pkts_dropped_percentage low_date = Wed Sep 1 11:50:25 2010
   pkts_total avg = 2106.252
   pkts_total high = 38320
   pkts_total high_date = Thu Sep 2 22:42:20 2010
   pkts_total low = 0
   pkts_total low_date = Wed Sep 8 08:41:27 2010
   sessions_close avg = 0.000
   sessions_close high = 0.000
   sessions_close high_date = Wed Sep 8 09:00:17 2010
   sessions_close low = 0.000
   sessions_close low_date = Wed Sep 8 09:00:17 2010
   sessions_closed avg = 1024.846
   sessions_closed high = 2980
   sessions_closed high_date = Mon Sep 6 12:37:55 2010
   sessions_closed low = 2
   sessions_closed low_date = Wed Sep 1 11:34:05 2010
   sessions_cur avg = 6671.668
   sessions_cur high = 8173
   sessions_cur high_date = Sun Sep 5 21:10:31 2010
   sessions_cur low = 51
   sessions_cur low_date = Wed Sep 1 11:34:05 2010
   sessions_del avg = 0.177
   sessions_del high = 3.055
   sessions_del high_date = Mon Sep 6 05:52:07 2010
   sessions_del low = 0.000
   sessions_del low_date = Sun Sep 5 19:53:29 2010
   sessions_dropped avg = 0.001
   sessions_dropped high = 0.006
   sessions_dropped high_date = Wed Sep 1 11:50:25 2010
   sessions_dropped low = 0.000
   sessions_dropped low_date = Wed Sep 8 09:00:17 2010
   sessions_est avg = 0.376
   sessions_est high = 11.686
   sessions_est high_date = Sun Sep 5 20:50:12 2010
   sessions_est low = 0.003
   sessions_est low_date = Wed Sep 1 11:50:25 2010
   sessions_init avg = 0.001
   sessions_init high = 0.174
   sessions_init high_date = Tue Sep 7 18:18:34 2010
   sessions_init low = 0.000
   sessions_init low_date = Wed Sep 8 08:46:27 2010
   sessions_max avg = 0.000
   sessions_max high = 0.000
   sessions_max high_date = Wed Sep 8 09:00:17 2010
   sessions_max low = 0.000
   sessions_max low_date = Wed Sep 8 09:00:17 2010
   sessions_midstream avg = 6703.818
   sessions_midstream high = 8175
   sessions_midstream high_date = Sun Sep 5 21:03:29 2010
   sessions_midstream low = 51
   sessions_midstream low_date = Wed Sep 1 11:34:05 2010
   sessions_new avg = 0.165
   sessions_new high = 3.062
   sessions_new high_date = Mon Sep 6 05:52:07 2010
   sessions_new low = 0.016
   sessions_new low_date = Fri Sep 3 20:12:36 2010
   sessions_pruned avg = 579.871
   sessions_pruned high = 953
   sessions_pruned high_date = Sun Sep 5 08:30:47 2010
   sessions_pruned low = 3
   sessions_pruned low_date = Wed Sep 1 11:50:25 2010
   sessions_timedout avg = 5066.950
   sessions_timedout high = 7586
   sessions_timedout high_date = Sun Sep 5 21:22:42 2010
   sessions_timedout low = 31
   sessions_timedout low_date = Wed Sep 1 11:34:05 2010
   sessions_udp_cachedSsns_sec avg = 0.000
   sessions_udp_cachedSsns_sec high = 0
   sessions_udp_cachedSsns_sec high_date = Wed Sep 8 09:00:17 2010
   sessions_udp_cachedSsns_sec low = 0
   sessions_udp_cachedSsns_sec low_date = Wed Sep 8 09:00:17 2010
   sessions_udp_cached_current avg = 0.000
   sessions_udp_cached_current high = 0.000
   sessions_udp_cached_current high_date = Wed Sep 8 09:00:17 2010
   sessions_udp_cached_current low = 0.000
   sessions_udp_cached_current low_date = Wed Sep 8 09:00:17 2010
   sessions_udp_cached_max avg = 0.000
   sessions_udp_cached_max high = 0
   sessions_udp_cached_max high_date = Wed Sep 8 09:00:17 2010
   sessions_udp_cached_max low = 0
   sessions_udp_cached_max low_date = Wed Sep 8 09:00:17 2010
   sessions_udp_cached_sec avg = 0.000
   sessions_udp_cached_sec high = 0
   sessions_udp_cached_sec high_date = Wed Sep 8 09:00:17 2010
   sessions_udp_cached_sec low = 0
   sessions_udp_cached_sec low_date = Wed Sep 8 09:00:17 2010
   stream_fault avg = 13.182
   stream_fault high = 59
   stream_fault high_date = Wed Sep 8 05:04:52 2010
   stream_fault low = 0
   stream_fault low_date = Wed Sep 8 00:51:37 2010
   stream_flush avg = 21.526
   stream_flush high = 365.535
   stream_flush high_date = Tue Sep 7 06:20:11 2010
   stream_flush low = 0.013
   stream_flush low_date = Thu Sep 2 05:44:59 2010
   stream_timeout avg = 239.842
   stream_timeout high = 3578
   stream_timeout high_date = Sun Sep 5 20:50:12 2010
   stream_timeout low = 1
   stream_timeout low_date = Wed Sep 1 11:50:25 2010
   synacks avg = 0.124
   synacks high = 2.771
   synacks high_date = Mon Sep 6 12:42:56 2010
   synacks low = 0.006
   synacks low_date = Sat Sep 4 00:58:27 2010
   syns avg = 0.181
   syns high = 6.072
   syns high_date = Mon Sep 6 05:52:07 2010
   syns low = 0.019
   syns low_date = Fri Sep 3 20:12:36 2010

Snort Performance Stats Tool Info

2010-09-01T19:11:00.009-04:00

I have noticed that there are not a ton of tools out there (definitely not many currently maintained) that can be used to parse the information from the snort performance monitor. As such, I am considering writing one and wanted to see what the interest would be. If there is indeed interest, then I would also like to know what format(s) and types of information would be most useful to the community. Of course I know what will be useful to myself, and will likely be writing about that in the near future. For now, here is some sample output from a quick perl parser that I wrote today.

$ ./pminfo.pl /var/tmp/snortstat

-= Tha Pig Doktah 0.1 Dev =-
Copyright (C) 2010 JJ Cummings

Report Info:
   Processed: /var/tmp/snortstat
   First Entry: Wed Sep 1 11:34:05 2010
   Last Entry: Wed Sep 1 22:27:47 2010
   Time Span: 0 days, 10 hours, 53 minutes and 42 seconds

Wirespeed:
   High: 6.683 Mbits/Sec | Wed Sep 1 12:54:00 2010
   Low: 0.007 Mbits/Sec | Wed Sep 1 18:14:18 2010
   Avg: 0.276 Mbits/Sec

% Packet Loss:
   High: 3.817% | Wed Sep 1 20:13:39 2010
   Low: 0.000% | Wed Sep 1 22:22:47 2010
   Avg: 0.095%

Additional Info:
   Avg Pkt Size: 363 bytes
   Avg Syns/Sec: 0.153
   Avg SynAcks/Sec: 0.105
   Avg Alerts/Sec: 0.001
   Avg Current Cached Sessions: 2326

Obviously this is was only as a quick test and does not include all of the important pieces of data. Please feel free to hit me up in #snort (on freenode), twitter, email(if'n you knows it), or post a comment here.

Cheers,
JJC

PulledPork 0.4.2 501 error when downloading rules

2010-07-01T13:50:00.000-04:00

This issue most typically stems from a missing Perl Module that is required to communicate via SSL using LWP::Simple. This required Perl Module is Crypt::SSLeay and is not included in the LWP::Simple redistributed package from the Ubuntu 8.x repositories, and will typically fail to install via CPAN on many Ubuntu server installations. As such you simply need to do the following (on Ubuntu, since this is the only place I have seen it broken):

sudo apt-get install libcrypt-ssleay-perl

Of course if you are not running Ubuntu then you will need to use CPAN or find whatever repackaged garbage that your distro is using to distribute this ;-).

One other cause could be that your root certificates are outdated, so if you have the aforementioned PM installed and are still receiving a 501.. this is likely the cause... google how to update your root certificates for your distro! Again, for the sake of completeness, this is how you do it on Ubuntu:

sudo apt-get install ca-certificates
sudo update-ca-certificates

I have also added this to the PP FAQ.

Cheers,
JJC

PulledPork 0.4.2 - get it while it's hawt!

2010-06-29T17:12:00.006-04:00

This release represents a number of significant enhancements and features (all listed below). Probably the most important to note are the changes from a delimeter of | to : when modifying rule state. We also now automatically determine snort version and OS arch. One of the most useful features, IMHO, is the pcre: rule state modification capability.. see the rule modification configs for more details... but let's say that I wanted to disable ALL MSXX rules because I run a strictly *nix environment... simply place something like pcre:MS\d{2}-\d+ into the disablesid.conf and use that file by specifying -i.

As noted below, there are MANY other changes, fixes, and additions so please don't hesitate to ask questions in irc (freenode #pulledpork) or on the mailing list.

get it here -> http://code.google.com/p/pulledpork

v0.4.2

New Features / changes:

Capability to modify rules by category (See README.CATEGORIES)
Capability to modify rules using regular expressions (pcre:) - See sid modification configs
Capability to use regular expressions in specific rule modifications - See sid modification configs
Changed the | delimiter for cve,bugtraq etc to :
Added README.CATEGORIES
Added README.SHAREDOBJECTS
Follow flowbit chains
Moved README files to doc
Automatically determine arch
Automatically determine Snort Version
Added some verbiage surrounding HUP vs Restart vs When/where/who and how
Added support for new snort.org download scheme of http://snort.org/reg-rules...

Bug Fixes:

Certain rules specific GID values were not being properly parsed by the modifysid sub.
Bug #20 fixed, ranges are no longer off by +1 additional rule being enabled
Enhancement request #21, added more descript information to dropsid.conf and to README
Fixed flaw that caused certain flowbits to not be set (when GID boundaries were crossed and multiple keys were checked)
Enhancement request #22 updated the master config file to contain all of the currently available precompiled SO rules
Remove risky system calls, use handles instead

pulledpork-0.4.2.tar.gz latest hashes:
MD5SUM = d11b9d884f940a0df293718a4d4b3913
SHA256 = 3491b8c3c99c621cfd6467da2c43866f33ede1d096538e4a497cdf52b49ad677

Cheers,
JJC

PulledPork 0.4.1, I see your sensitive data!

2010-04-26T20:14:00.000-04:00

In conjunction with the Snort 2.8.6 release and the new Snort Rules tarball format, pulledpork 0.4.1 is now released! As noted below, there are a number of changes and fixes. When updating your pulledpork, please be sure to use the latest master configuration file that is included in the release tarball and read through it thoroughly.

Notable changes include the tarball filename change, preprocessor rules and sensitive data rules. Note that pulledpork 0.4.0 will still work with 2.8.6 but will not properly make use of the new rules that I just listed and that you will need to change the rules tarball name for VRT releases. Please also note that if you use pulledpork 0.4.1 and are still using Snort 2.8.5.3 that you need to make some changes in the "ignore" variable section of the pulledpork.conf file.

New Features/changes:

Flowbit tracking! - This means that all flowbits are not enabled when a specific base ruleset is specified (security etc...) but rather all flowbits are now tracked, allowing for only those that are required to be enabled.

Adjusted pulledpork.conf to account for new snort rules tarball naming and packing scheme, post Snort 2.8.6 release.

Added option to specify all rule modification files in the master pulledpork.conf file - feature request 19.

Added capability to specify base ruleset (see README.RULESETS) in master pulledpork.conf file.

Handle preprocessor and sensitive-information rulesets

Bug Fixes:

18 - non-rule lines containing the string sid:xxxx were being populated into the rule data structure, added an extra check to ensure that this does not occur

Cleaned up href pointers, syntactical purposes only...

Modified master config to allow for better readability on smaller console based systems

Error output was not always returning full error, fixed this

Thanks to the community for continued support and feedback!

Cheers,
JJC

Snort 2.8.6 Release is OUT, WGET it nao! kthx!

2010-04-26T14:25:00.000-04:00

That's right, the new Snort 2.8.6 Release is out, get it at snort.org!

Release Notes:

2010-04-22 - Snort 2.8.6

[*] New Additions
   * HTTP Inspect now splits requests into 5 components -
     Method, URI, Header (non-cookie), Cookies, Body.
     Content and PCRE rule options can now search one or more of these buffers.

     HTTP server-specific configurations to normalize the HTTP header and/or
     cookies have been added.

     Support gzip decompression across multiple packets.

   * Added a Sensitive Data preprocessor, which performs detection of
     Personally Identifiable Information (PII). A new rule option is available
     to define new PII. See README.sensitive_data and the Snort Manual
     for configuration details.

   * Added a new pattern matcher and related configurations. The new pattern
     matcher is optimized to use less memory and perform at AC speed.

[*] Improvements
   * Addressed problem to resolve output obfuscation affecting packets
     when Snort is inline.

   * Preprocessors with memcap settings can now be configured in a "disabled"
     state. This allows you to configure that memcap globally, but only enable
     the preprocessor in targeted configurations.

Pulling Pork with the Drunken Leprechaun (PP 0.4.0)

2010-03-26T12:41:00.002-04:00

PulledPork 0.4.0 (Drunken Leprechaun) is officially released and can be downloaded here -> pulledpork-0.4.0.tar.gz

This version constitutes a major rewrite of the rule reading, modification and writing system to improve speed, future module addition, supportability, and of course reliability. Incidentally, the codename was partially chosen due to a majority of the rewrites being finished on St. Patrick's Day.

One specific change to note is the use of Archive::Tar, this makes PulledPork more system independent. As such though, you will need to install Archive::Tar if you do not have it currently installed, you can do so using CPAN, please see the PulledPork FAQ for further information.

New Features/changes:

Enablesid (-e enablesid.conf)
Moved all .conf files under etc/
Ability to define sid ranges in any of the sid modification .conf files
Ability to specify references in any of the sid modification .conf files
Ability to ignore entire rule categories (i.e. not include them)
Specify locally stored rules files that need their meta data included in sid-msg.map
All rulestate modifications, comparisons etc.. are now handled in-memory
Rewrite of sid-msg.map generation code to allow for all proper character reading and addition to sid-msg.map
No longer reliant on tar binary, now using Archive::Tar
Ability to specify your arch for so_rules
Added significant amounts of debug output when an error is detected
Rules are now written to only two distinct files
Cleaned up changelog and added more information to it

Bug Fixes:

Properly account for whitespace in non-standard rulesets such as ET
Cleaned up and improved the changelog to display new / deleted sids and rule totals
Certian conditions caused the md5 check to fail even when valid - This was primarily an ET issue, but did manifest on VRT rulesets also
Many small fixes that were not tracked well :-P
Do not overwrite local.rules, but still include in sid-msg.map generation

A little more detail about some of the new key features, note that there are more.. please read through all of the conf files and README thoroughly:

Initially you may not notice a significant performance increase, unless you already have a large count of disable or drop sids specified in your configuration because this is where the major improvement was made. I can't help how slow your internet connection is and thusly how long it takes you to download the tarball itself ;-).

One key change that you will note is that all rules are now written to only two distinct files.. one for GID:1 rules and one for GID:3 rules. The logic behind this is simple; if a new rule category comes out (a new or different .rules file within the VRT or ET tarball) then it will automatically be included in your snort.conf as you will have only one or both of the aforementioned GID:1 or GID:3 rules files included . Please note these changes in the rule_path and sostub_path within the pulledpork.conf file.

Somewhat hand-in-hand with the previous change is the addition of the ignore variable within the pulledpork.conf file.. this specifies what categories/rule files that you want excluded from your configuration. By default these are deleted, experimental, and local.

If you have a local.rules file or other already locally existing rules files, you can specify them with the local_rules variable, doing so will tell pulledpork to read these rules and populate their meta data into the sid-msg.map.

Enablesid - This was a widely requested feature, the capability to enable specific sids etc.

Sid modification ranges - This stemmed from one of the enablesid requests (an option to enable ALL sids) and my interpretation of what I thought would be more useful. This feature gives you the capability to specify a range of sids in any of the sid state modification configuration files in the format of GID:SID-GID:SID. Please see the individual configuration files for additional information.

Reference modification - This was another community request and allows the user to specify any reference within a rule and perform an operation on that rule (disable, enable, drop...). The formatting is simple, the user specifies, in one of the sid state modification configuration files, the reference information such as cve|XXX-XXXX,MSXX-XXXX. Please see the individual configuration files for additional information.

Excerpt from an example configuration file:

# example of enabling ranges and references!

# you should be specific when enabling a range of rules.. don't just put an extremely high number

# this would be at the cost of speed and memory usage.

1:1101,1:800,1:1200-1:2000,cve|1999-0499,bugtraq|22026,MS09-004

Excerpt from new changelog format:

-=Begin Changes Logged for Tue Mar 23 19:15:02 2010 GMT=-

New Rules

1:16492

1:16493

1:16494

1:16495

1:16496

1:16497

1:16498

1:16499

1:16500

Set Policy: security

Rule Totals

New:-------9

Deleted:---0

Enabled:---5378

Dropped:---0

Disabled:--3606

Total:-----8984

-=End Changes Logged for Tue Mar 23 19:15:02 2010 GMT=-

You will want to take the paths out of your old pulledpork.conf and use the new pulledpork.conf, since there are so many new features and variables pulledpork will not function without the updated pulledpork.conf file. All of the other sid modification conf files remain unchanged, however.

Please be sure that you read the README and all configuration files thoroughly as there are many changes.

JJC

Hogging the Snort Host Attribute Table

2010-02-25T12:56:00.013-05:00

Hogger is a new Snort supportive tool written in Perl, by Parker Crook, that allows you to create a Host Attribute Table from an nmap scan. But first, a little primer; A feature within Snort that has received some traction lately is that of the --enable-targetbased configuration option. This allows you to specify a Host Attribute Table that contains critical information about what your network host topology is (i.e. OS, services etc..). Using this information, snort can then properly reassemble fragments, track streams and a number of other things. All of these items are covered in Joel Esler's recent CSO article that can be found at This URL. This is an excellent article that covers what Host Attribute Tables are and how to use them, so please read the article for a better understanding!

Now that you know all about the Host Attribute Table, let's jump into the purpose and use of hogger. As mentioned previously, hogger was written by Parker Crook to create a Host Attribute Table using the resulting output of an nmap scan. Without further adieu, let's walk through the usage of hogger!

Requirements:

Perl
XML::Writer (perl module)
Nmap
Hogger

Steps:

Install XML::Writer
Get hogger
Install Nmap
Run Nmap with correct options
Run hogger against Nmap output file
Start your snorting!

1: Installing XML::Writer

$perl -MCPAN -e shell
cpan[1]> install XML::Writer

2: Get Hogger

$wget http://hogger.googlecode.com/files/hogger.tar.gz
$tar xvfz hogger.tar.gz

3: Install Nmap

Use whatever tool that your distribution / OS uses to install Nmap, or get the source from nmap.org and build it yourself!

4: Run Nmap

$mkdir ~/hogger/nmap
$cd ~/hogger/nmap
$nmap -sV -T4 -oN scan.nmap 192.168.1.0/24
Starting Nmap 5.21 ( http://nmap.org ) at 2010-02-25 18:46 UTC
..output suppressed...

5: Run hogger (against scan.nmap)

$cd ~/hogger
$./hogger.pl -c nmap/hostmap.csv -n nmap/scan.nmap -x nmap/host_attrib_table.xml

6: Start your snorting - At this point you can take the newly created host_attrib_table.xml file and place the path to it in your snort.conf, assuming your built snort with the correct option:

attribute_table filename /path/to/host_attrib_table.xml

Now that we have all of this running, let's examine some of the options that are currently available in hogger and dissect our hogger run: "./hogger.pl -c nmap/hostmap.csv -n nmap/scan.nmap -x nmap/host_attrib_table.xml".

Hogger help output:

Usage: ./hogger.pl [-r? -help] -n -c -x

Options:

-c Where the human-readable/modifiable csv file containing host information lives.

-n Where the nmap file containing host information lives.

-r Process the csv file and output to xml for snort, but do not read an nmap file.

-x Where you want to create the host_attribute table.xml (Overwrites existing files)

-help/? Print this information

Starting with the -c flag, this is a file that will be created by hogger if it does not exist, and is simply a csv file that you can modify (for those hosts that nmap either misses or is not as accurate as you would like). A few sample entries in the file (hostmap.csv) that we created in the above test run:

192.168.1.1, Linux, 23|tcp|telnet 53|tcp|domain 443|tcp|ssl/http
192.168.1.2, Linux, 23|tcp|telnet 53|tcp|domain 443|tcp|ssl/http
192.168.1.7, FreeBSD, 22|tcp|ssh 53|tcp|domain 80|tcp|http 3000|tcp|http 3128|tcp|http-proxy 3306|tcp|mysql 5000|tcp|http-proxy 8443|tcp|http

Next we see the -n flag, this is the flag that specifies where the nmap output file (that we previously created using the nmap -oN scan.nmap option). This is the file that hogger reads to create entries in the -c .

The -r flag is fairly straightforward and specifies that you ONLY want to read the csv file specified with the -c flag value.

The final flag that we will discuss is the -x flag, this is a required flag and tells hogger where you want the resulting output (the Host Attribute Table) to be placed. Examples from the output, matching those noted in the -c flag information above:

<SNORT_ATTRIBUTES>
<ATTRIBUTE_TABLE>
<HOST IP="192.168.1.1">
<OPERATING_SYSTEM>
<NAME ATTRIBUTE_VALUE="Linux" CONFIDENCE="90"></NAME>
<FRAG_POLICY>Linux</FRAG_POLICY>
<STREAM_POLICY>linux</STREAM_POLICY>
</OPERATING_SYSTEM>
<SERVICES>
<SERVICE>
<PORT ATTRIBUTE_VALUE=" 23" CONFIDENCE="100"></PORT>
<IPPROTO ATTRIBUTE_VALUE="tcp" CONFIDENCE="100"></IPPROTO>
<PROTOCOL ATTRIBUTE_VALUE="telnet 53" CONFIDENCE="95"></PROTOCOL>
</SERVICE>
</SERVICES>
</HOST>
<HOST IP="192.168.1.2">
<OPERATING_SYSTEM>
<NAME ATTRIBUTE_VALUE="Linux" CONFIDENCE="90"></NAME>
<FRAG_POLICY>Linux</FRAG_POLICY>
<STREAM_POLICY>linux</STREAM_POLICY>
</OPERATING_SYSTEM>
<SERVICES>
<SERVICE>
<PORT ATTRIBUTE_VALUE=" 23" CONFIDENCE="100"></PORT>
<IPPROTO ATTRIBUTE_VALUE="tcp" CONFIDENCE="100"></IPPROTO>
<PROTOCOL ATTRIBUTE_VALUE="telnet 53" CONFIDENCE="95"></PROTOCOL>
</SERVICE>
</SERVICES>
</HOST>
<HOST IP="192.168.1.7">
<OPERATING_SYSTEM>
<NAME ATTRIBUTE_VALUE="FreeBSD" CONFIDENCE="90"></NAME>
<FRAG_POLICY>BSD</FRAG_POLICY>
<STREAM_POLICY>bsd</STREAM_POLICY>
</OPERATING_SYSTEM>
<SERVICES>
<SERVICE>
<PORT ATTRIBUTE_VALUE=" 22" CONFIDENCE="100"></PORT>
<IPPROTO ATTRIBUTE_VALUE="tcp" CONFIDENCE="100"></IPPROTO>
<PROTOCOL ATTRIBUTE_VALUE="ssh 53" CONFIDENCE="95"></PROTOCOL>
</SERVICE>
</SERVICES>
</HOST>

Having said all of this, I am not going to go into detail about the flags used during the Nmap scan, suffice it to say that those are the suggested flags and that the -oN is required to produce the output file for hogger to read.

Overall I think that the concept behind hogger is excellent and that it should provide useful aide to all you snort heads out there! This tool gets a thumbs up from me and should be one that you put into your snort bag of tricks and is also one that I am planning on contributing to.

Cheers,

JJC

Writing Snort Rules Correctly (via Joel Esler)

2010-02-23T10:41:00.005-05:00

Joel Esler recently published an article entitled "Writing Snort Rules Correctly". I certainly suggest having a read through of this ,as it discusses a number of the finer points (including PCRE) when writing a snort rule using a previously published example rule. Joel dissects the rule, pointing out the good and bad while making note of better methods.

Just a short post, but I thought it worth posting to bring more attention to the aforementioned article by Joel Esler.

JJC

ET Rules and /\s?/

2010-01-12T18:12:00.003-05:00

It was recently brought to my attention that many of the rules within the various Emerging Threats ruleset have a whitespace after value definitions such as flowbits:set and msg:"\s?". Unfortunately I did not notice this within the ET rulesets.

PulledPork was originally written to handle VRT rulesets from snort.org (none have this formatting flaw) and as such I had not accounted for it, as mentioned previously. The fix is a simple regex modification to the PulledPork code, you can get the patch here: http://pulledpork.googlecode.com/files/pp_304_whitespace.patch and apply it to pulledpork.pl.

For those that might ask the question "what if there are multiple whitespaces, ala \s*" this is NOT the case, I spoke with rotorhead from the ET team and all ET rules are normalized to atleast remove multiple whitespace chars.

This fix has already been checked into svn but I will not be re-releasing 0.3.4 to account for this.. but will likely be generating daily snapshots in the near future.

Cheers,
JJC

Time to own your rules - PulledPork 0.3.4 Released!

2010-01-11T15:34:00.010-05:00

After what seems like forever since I have made a post about anything, I am pleased to announce the general availability of the latest version of PulledPork! This new version (v0.3.4) has a significant number of bugfixes for a variety of OS/distributions in addition to the numerous feature enhancements noted below.

I would like to thank all of the individuals that provided beta testing assistance and valuable feedback. I would also like to thank all of the users that have adopted PulledPork and sent in comments / feature requests. PulledPork certainly would not be where it is without your support and contributions!

Now that we are through the mushy stuff, on to the features!

VRT Rulesets! - Support metadata based VRT recommended rulesets - The short of it is that you can now specify a default pre-defined ruleset, yes.. this ruleset was designed by the VRT! The individual pre-defined rulesets that can be specified are fairly straightforward:

Connectivity - You run a lot of real time applications (VOIP, financial transactions, etc), and don't want to run any rules that could affect the current performance of your sensor. The rules in this category make snort happy, additionally this category focuses on the high profile most likely to affect the largest number of people type of vulnerabilities.

Balanced - You are normal, you run normal stuff and you want normal security protections. This is the best policy to start from if you are new, old, or just plain average. If you don't have any special requirements for super high speeds or super secure networks, start here.

Security - You don't care about dropping your bosses email, everything in your environment is tightly regulated and you don't tolerate people stepping outside of your security policy. This policy hates on IM, P2P, vulnerabilities, malware, web apps that cause productivity loss, remote access, and just about anything not related to getting work done. If you run your network with an iron fist, start here!

Changelog - This feature allows you to specify that you want a changelog (any rule that has any change in it from your previous ruleset, i.e. disabled, enabled, modified etc..) maintained for any and all changes, in a specified log file.

Inline Drops - This feature allows you to specify what SIDs you want to be set to drop, for those running an inline setup!

Multiline Rules - Added full support for parsing of multiline rules.

Enhancements - Many minor enhancements made to the debugging output, speed enhancements, code cleanup, error handling etc...

There are quite a few runtime options and configuration options, please be sure to read through the README files thoroughly, also please be sure to use the latest pulledpork.conf that is included in the tarball! That's about it for now, please feel free to participate by asking questions on the mail list at http://groups.google.com/group/pulledpork-users/ or on freenode in #snort or #pulledpork

One final note, all of the release tarballs will now be named as pulledpork-X.X.X.tar.gz to help out with those maintaining packages and ports, thanks!

Download the tarball here pulledpork-0.3.4.tar.gz
MD5SUM = 034f90a2555c5f82e760b0ce68489ad2
SHA256 = 8b775e6476d653733f3d29ea9c962a76feaf148f3204a90fd47c646802448b80

Cheers,
JJC

Pulledpork v0.2.5 - Released

2009-10-14T10:29:00.004-04:00

A new and updated version of pulledpork is out, this version adds functionality and also addresses a number of previously reported bugs, a few simple examples:

Improved and cleaned up code for efficiency and speed
Do not overwrite local.rules on run
Do not attempt to copy . and .. as rules files
Much more...

The primary feature that has been added allows for the capability to download rules from sites other than snort.org (VRT). Any url can be specified to download a rules tarball from, however md5 hash verification will only work when VRT or ET locations are specified. If a different location (i.e. a local redistribution point) is specified, please be sure to specify the -d (do not verify md5) option. Please see the README and pulledpork.conf files for more information on usage of new and existing options and features.

New option runtime flag:

-u Where do you want me to pull the rules tarball from

(ET, Snort.org, see pulledpork config base_url option for value ideas)

A new tarball containing all of the new features will be published today at http://code.google.com/p/pulledpork/downloads/list

Snort 2.8.5 at snort.org... get it while it's hot!

2009-09-16T16:16:00.001-04:00

Snort 2.8.5 is teh outed, get it or DIAF!

Snort 2.8.5 introduces:

- Ability to specify multiple configurations (snort.conf and everything
it includes), bound either by Vlan ID or IP Address. This allows you
to run one instance of Snort with multiple snort.conf files, rather
than having separate processes. See README.multipleconfigs for
details.

- Continued inspection of traffic while reloading a configuration.
Add --enable-reload option to your configure script prior to building.
See README.reload for details.

- Rate Based Attack Prevention for Connection Attempts, Concurrent
Connections, and improved rule/event filtering. See README.filters
for details.

- SSH preprocessor

- Performance improvements in various places

Please see the Release Notes and ChangeLog for more details.

http://www.snort.org/downloads

kthyx

JJC

pulledpork google group

2009-07-16T20:57:00.003-04:00

Not that anyone actually needs help, but if you want a different place where you can share comments, thought, desired features or complaints, I have created a google group for pulled pork:

=> http://groups.google.com/group/pulledpork-users

Cheers,
JJC

pulledpork 0.2.2 and new features

2009-07-16T20:38:00.002-04:00

Get it while it's hot @here!

I have received a few requests to build support into pulledpork for the restarting of processes (i.e. snort after downloading new rules or modifying the ruleset using disablesid). In response to this, it is done ^-^. You will note in the pulledpork.conf file that there is a new option at the bottom called pid_path. Simply list the path to your pid files (/var/run/snort_intx.pid,/path/to/another/pid.pid) etc... and specify -H at runtime.. you will be magically pleased (assuming you run pulledpork under a context that has permissions to restart said PID).

I also added a second option "-n" that will allow you to make modifications to the disablesid.conf file and re-execute pulledpork without attempting to download the current ruleset or md5 again (ala tuning exercises...).

Please see the included README for additional info and general guidelines on usage... below is some sample output.

./pulledpork.pl -c ../pulledpork.conf -i disablesid.conf -THn
Prepping files for work....
Done!
Copying rules files....
Done!
Disabling your chosen SID's....
Disabled 1 rules in /usr/local/etc/snort/rules/web-iis.rules
Disabled 2 rules in /usr/local/etc/snort/rules/backdoor.rules
Disabled 1 rules in /usr/local/etc/snort/rules/rpc.rules
Disabled 1 rules in /usr/local/etc/snort/rules/exploit.rules
Done
HangUP Time....
Done!
Fly Piggy Fly!

That's all for now, enjoy!

JJC

Snorby for Snort, a Recipe with Barnyard2 and Unified2

2009-07-15T12:15:00.021-04:00

Snorby, an all new frontend (yes, it's still Beta) for snort has recently emerged. As such I decided that I would take a look and give my thoughts as well as a quick recipe to get it running fairly quickly using barnyard2. During my testing of Snorby, I talked with the creator (mephux) about his plans for Snorby and also worked through a couple of bugs, that he jumped on right away.

Note: This posting details how to get Snorby working with apache and passenger, NOT Webrick.. if you want that please read the details of how to do so at the Snorby site.

Recipe Components:

FreeBSD 8.0R
apache22
ruby-gems
ruby-iconv
prawn (gem)
rake (gem)
mysql (gem)
rails (gem)
passenger (formerly modrails)
mysql
snort
barnyard2
git

Ok, let's get the dependencies and such out of the way. I am making several assumptions in writing this... the least of which is that you know how to use google if you can't figure something out... also that you already have the base of some of these items installed (ala, FreeBSD, apache, snort). If not, I have previous posts that discuss the setup of said items, and I am again going to drop the google bomb!

We need ruby-gems to get passenger running and ultimately Snorby:

$ cd /usr/ports/devel/git/ && sudo make install clean
...I deselect all of the options, I just want regular old git for this exercise
...output suppressed
$ cd /usr/ports/devel/ruby-gems/ && sudo make install clean
...output suppressed
$ sudo gem install prawn --no-rdoc --no-ri
...output suppressed
$ sudo gem install rake --no-rdoc --no-ri
...output suppressed
$ sudo gem install rails --no-rdoc --no-ri
...output suppressed
$ sudo gem install mysql --no-rdoc --no-ri
...output suppressed
$ sudo gem install passenger --no-rdoc --no-ri
...output suppressed
$ sudo passenger-install-apache2-module
...run through the setup and perform the steps that are noted to activate the passenger capabilities with apache.. ala vi httpd.conf and add the 3 lines that you are told to.
$ cd /usr/local/www/ && sudo git clone git://github.com/mephux/Snorby.git
...output suppressed/usr/ports/converters/ruby-iconv
$ cd /usr/ports/converters/ruby-iconv && sudo make install clean

At this point you are ready to modify your database and email configuration for Snorby. If you have not done so, you should create a snort database (I have called mine snort and created a user "snorby" with password "snorby".. ok that's not really the password but for this writeup it is! This user has full access (not grant) to the snort database. I have also created the apt tables in this database using the create_mysql sql that is included in both Snorby and Snort!

$ sudo cp /usr/local/www/Snorby/config/database.yml.example /usr/local/www/Snorby/config/database.yml
$ sudo cp /usr/local/www/Snorby/config/email.yml.example /usr/local/www/Snorby/config/email.yml

Now choose your preferred editor and modify the /usr/local/www/Snorby/config/database.yml file.. we are only concerned with the production info... you can also modify the email.yml but don't have to for our current purposes.

Install additional gem requirements and setup Snorby to run!

$ cd /usr/local/www/Snorby && sudo rake gems:install
...output suppressed
$ cd /usr/local/www/Snorby && sudo rake snorby:setup RAILS_ENV=production
...output suppressed

At this point you are ready to tell apache all about Snorby, so lets modify our vhost or apache config again. Simply add the following under the vhost of your choice, you need to be sure that RewriteEngine On and RewriteOptions inherit are specified in this vhost (or in scope of your config):

DocumentRoot /usr/local/www/Snorby/public

RailsBaseURI /

<directory "/usr/local/www/Snorby/public">
AllowOverride All
Order deny,allow
Allow from all
</directory>

Once this is complete, restart apache and you will get the login for Snorby when you browse to that vhost. The default username is snorby and password is admin.

We are now ready to modify our snort config to output unified2, modify your snort.conf and comment out your old output plugins or simply replace them with the following:

output unified2: filename snortunified2.log, limit 128

Note that unified2 contains all log and alert data, so no longer do you need two files! And now it's time for barnyard2. Go ahead and fetch the latest version from securixlive.com, configure with "--with-mysql" option. Once that is done copy the barnyard.conf to /usr/local/etc/snort/ and let's go ahead and edit that file, putting in the mysql information that you used with Snorby earlier and making sure that we have our input specified as unified2. You should go through and make sure that all of the paths to the map and ref files are specified correctly. Once that's done, you are ready to fire it up!

sudo barnyard2 -c /usr/local/etc/snort/barnyard2.conf -d /var/log/snort -f snortunified2.log -w /var/log/snort/barnyard2.waldo -D

You should now be receiving events in the snort mysql database and seeing them in Snorby.

Please note that there are a number of security considerations that I did not take into account (ala running all this stuff under root) so please take that into consideration.

Overall, I give Snorby a good rating, it certainly has lots of eye candy at this point. Mephux promises that much of the functionality that everyone wants is coming shortly... I would say that Snorby has a good start and promises to be a decent usable frontend for viewing snort events. Is it a sguil, certainly not... but it does look like it will be a decent alternative to BASE.

Cheers,
JJC

PayPal shuts Hackers for Chartity down?

2009-07-15T12:11:00.002-04:00

Yesterday, paypal froze the assets of hackersforcharity.org down, please read more here and spread the word of the evils ;-)

"I had a subscription system running under WP-MEMBER for about a year before that software flaked out on me. Multiple domains caused problems that were irreconcilable. I had donations for our work in Africa coming in (not through wp-member) and a few hundred subscribers to Informer through wp-member. All said, when I switched to Suma, I had 10,000$US in my personal paypal account. That was my family’s support money as well as money for our food program in Kenya."

http://www.hackersforcharity.org/259/paypal-shuts-us-down/

I thought about writing a long rant today, but simply don't have the energy... please read the above link for rant material.

JJC

BASE / ACID outdated reference links - a fix

2009-06-25T15:26:00.007-04:00

Recently, with changes to the snort.org site, the Snort mailing lists have been quite inundated with questions about the link to the SID reference and how it is no more. As a partial means of compensating for this and to help the community, we have recently added an up-to-date tool at rootedyour.com that will allow for you to once again have a valid snort reference link.

In BASE, simply locate the following section of your base_conf.php:

/* Signature references */
$external_sig_link = array('bugtraq' => array('http://www.securityfocus.com/bid/', ''),
'snort' => array('http://www.snort.org/pub-bin/sigs.cgi?sid=', ''),
'cve' => array('http://cve.mitre.org/cgi-bin/cvename.cgi?name=', ''),
'arachnids' => array('http://www.whitehats.com/info/ids', ''),
'mcafee' => array('http://vil.nai.com/vil/content/v_', '.htm'),
'icat' => array('http://icat.nist.gov/icat.cfm?cvename=CAN-', ''),
'nessus' => array('http://www.nessus.org/plugins/index.php?view=single&id=', ''),
'url' => array('http://', ''),
'local' => array('signatures/', '.txt'));

and modify the 'snort' line to match:

'snort' => array('http://www.rootedyour.com/snortsid?sid=', ''),

Once this is done, you are all set, the snort documentation link will now take you to rootedyour.com and display the info for that SID.

Obviously if you want to do this in other applications, simply point them to http://www.rootedyour.com/snortsid?sid=xxxxx where xxxxx is the SID that you want to know about. ex: http://rootedyour.com/snortsid?sid=234

Cheers,
JJC

Fly Clear, Sensitive Data Disposal Concerns

2009-06-23T11:41:00.004-04:00

Early today, the company that produces the Clear Pass announced via press release and on their website that they were shutting down operations effective at 23:00 on June 22.

Noted on their website:
Spokespeople at various Clear equipped airports said that qualified clear users would be allowed to pass through the "premium" lanes at said airports.

Of course, to me, this leaves a big question out there: WHAT IS GOING TO HAPPEN WITH THE BIOMETRIC DATA? I mean, these guys collected BIOMETRIC and more info (retinal scans, complete fingerprint sets, background information, credit information etc...) and what is going to happen to this data? Will it be sold off to the highest bidder, handed over to one of the many alphabet soup government agencies, placed into a dumpster by an angry employee or what? That is of course the only question that I have. If you were one of the many that signed up, you had the option to opt in or out of their program that shared the biometric information with the feds, but what now? My largest concern is of course the first and thirt item that I listed. What do you think?

Cheers,
JJC

pulledpork included in Security Onion LiveCD

2009-06-16T13:07:00.003-04:00

Today, Doug Burks (the creator of the Security Onion LiveCD) announced the release of the latest rev of this tool. Included in this tool are "you guessed it" pulledpork and a number of other useful tools to the sekuritah professional :-)

Read more here => http://securityonion.blogspot.com/2009/06/security-onion-livecd-20090613.html

I would like to extend a thanks to Doug for his work on this tool and the inclusion of pulledpork and the other tools. While I have not yet had the opportunity to download and try out this LiveCD, I will be doing so soon.

Cheers,
JJC

How to block robots.. before they hit robots.txt - ala: mod_security

2009-06-05T19:04:00.007-04:00

As many of you know, robots (in their many forms) can be quite pesky when it comes to crawling your site, indexing things that you don't want indexed. Yes, there is the standard of putting a robots.txt in your webroot, but that is often not highly effective. This is due to a number of facts... the least of which is not that robots tend to be poorly written to begin with and thus simply ignore the robots.txt anyway.

This comes up because a friend of mine that runs a big e-com site recently asked me.. "J, how can I block everything from these robots, I simply don't want them crawling our site." My typical response to this was "you know that you will then block these search engines and keep them from indexing your site"... to whit "yes, none of our sales are organic, they all come from referring partners and affiliate programs".... That's all that I needed to know... as long as it doesn't break anything that they need heh.

After puting some thought into it, and deciding that there was no really easy way to do this on a firewall, I decided that the best way to do it was to create some mod_security rules that looked for known robots and returned a 404 whenever any such monster hit the site. This made the most sense because they are running an Apache reverse proxy in front of their web application servers with mod_security (and some other fun).

A quick search on the internet found the robotstxt.org site that contained a listing (http://www.robotstxt.org/db/all.txt) of quite a few common robots. Looking through this file, all that I really cared about was the robots-useragent value. As such, I quickly whipped up the following perl that automaticaly creates a file named modsecurity_crs_36_all_robots.conf. Simply place this file in the apt path (for me /usr/local/etc/apache/Includes/mod_security2/) and restart your apache... voila.. now only (for the most part) users can browse your webserver. I'll not get into other complex setups, but you could do this on a per directory level also, from your httpd.conf, and mimic robots.txt (except the robots can't ignore the 404 muahahaha).

#####################Begin Perl#######################

#!/usr/bin/perl

##
## Quick little routine to pull the user-agent string out of the
## all.txt file from the robots project, with the intention of creating
## regular expression block rules so that they can no longer crawl
## against the rules!
## Copyright JJ Cummings 2009
## cummingsj@gmail.com
##

use strict;
use warnings;
use File::Path;

my ($line,$orig);
my $c = 1000000;
my $file = "all.txt";
my $write = "modsecurity_crs_36_all_robots.conf";
open (DATA,"<$file");
my @lines = ;
close (DATA);

open (WRITE,">$write");
print WRITE "#\n#\tQuick list of known robots that are parsable via http://www.robotstxt.org/db/all.txt\n";
print WRITE "#\tgenerated by robots.pl written by JJ Cummings \n\n";
foreach $line(@lines){
if ($line=~/robot-useragent:/i){
$line=~s/robot-useragent://;
$line=~s/^\s+//;
$line=~s/\s+$//;
$orig=$line;
$line=~s/\//\\\//g;
#$line=~s/\s/\\ /g;
$line=~s/\./\\\./g;
$line=~s/\!/\\\!/g;
$line=~s/\?/\\\?/g;
$line=~s/\$/\\\$/g;
$line=~s/\+/\\\+/g;
$line=~s/\|/\\\|/g;
$line=~s/\{/\\\{/g;
$line=~s/\}/\\\}/g;
$line=~s/$/\\\(/g;
$line=~s/$/\\\)/g;
$line=~s/\*/\\\*/g;
$line=~s/X/\./g;
$line=lc($line);
chomp($line);
if (($line ne "") && ($line !~ "no") && ($line !~ /none/i)) {
$c++;
$orig=~s/'//g;
$orig=~s/`//g;
chomp($orig);
print WRITE "SecRule REQUEST_HEADERS:User-Agent \"$line\" \\\n";
print WRITE "\t\"phase:2,t:none,t:lowercase,deny,log,auditlog,status:404,msg:'Automated Web Crawler Block Activity',id:'$c',tag:'AUTOMATION/BOTS',severity:'2'\"\n";
}
}
}
close (WRITE);
$c=$c-1000000;
print "$c total robots\n";

#####################End Perl#######################

To use the above, you have to save the all.txt file to the same directory as the perl.. and of course have +w permissions so that the perl can create the apt new file. This is a pretty basic routine... I wrote it in about 5 minutes (with a few extra minutes for tweaking of the ruleset format output (displayed below). So please, feel free to modify / enhance / whatever to fit your own needs as best you deem. **yes, I did shrink it so that it would format correctly here**

#####################Begin Example Output#######################

SecRule REQUEST_HEADERS:User-Agent "abcdatos botlink\/1\.0\.2 $test links$" \
"phase:2,t:none,t:lowercase,deny,log,auditlog,status:404,msg:'Automated Web Crawler Block Activity',id:'1000001',tag:'AUTOMATION/BOTS',severity:'2'"
SecRule REQUEST_HEADERS:User-Agent "'ahoy\! the homepage finder'" \
"phase:2,t:none,t:lowercase,deny,log,auditlog,status:404,msg:'Automated Web Crawler Block Activity',id:'1000002',tag:'AUTOMATION/BOTS',severity:'2'"
SecRule REQUEST_HEADERS:User-Agent "alkalinebot" \
"phase:2,t:none,t:lowercase,deny,log,auditlog,status:404,msg:'Automated Web Crawler Block Activity',id:'1000003',tag:'AUTOMATION/BOTS',severity:'2'"
SecRule REQUEST_HEADERS:User-Agent "anthillv1\.1" \
"phase:2,t:none,t:lowercase,deny,log,auditlog,status:404,msg:'Automated Web Crawler Block Activity',id:'1000004',tag:'AUTOMATION/BOTS',severity:'2'"
SecRule REQUEST_HEADERS:User-Agent "appie\/1\.1" \
"phase:2,t:none,t:lowercase,deny,log,auditlog,status:404,msg:'Automated Web Crawler Block Activity',id:'1000005',tag:'AUTOMATION/BOTS',severity:'2'"

#####################End Example Output#######################

And that folks, is how you destroy robots that you don't like.. you can modify the error that returns to fit whatever suits you best.. 403, 404.....

Cheers,
JJC

pulledpork tarball

2009-06-03T16:25:00.001-04:00

It's up... get it while it's hot -> http://code.google.com/p/pulledpork/downloads/list

Cheers,
JJC

v0.2 Beta 1 is the outed! -> pulledpork that is <-

2009-06-02T19:54:00.008-04:00

As the title indicates, the first beta for v0.2 of pulledpork has just been checked in to the pulledpork svn..

A shortlist of the current featuresets below

Release 0.1:

First Beta Release
Downloads latest rules file
Verifies MD5 of local rules file
If MD5 has not changed from snort.org.. doesn't fetch files again
handle both rules and so_rules
Capability to generate stub files

Release 0.2:

Rule modification, i.e. disabling of specific rules within rule sets (also for GID 3 rules)
Outputs changes in rules files if any rules have been added / modified
Compares new rules files with current rule sets

So, as you can see above I have added quite a bit of code and functionality to pulled pork. The disablesid function should be pretty robust (perhaps I'll add some additional error handling), but for the most part it should rock and roll!

I'll likely be adding a modifysid section to mirror what oinkmaster does with their modifysid function.. but that's probably still a few weeks out.

Having said all of this, please download, test and post any bugs/issues that you find on the google code page for pulledpork or catch me in #snort on freenode.

And now, the gratuatis screenshot ;-)

Cheers,
JJC

PulledPork Checkin

2009-06-01T15:18:00.003-04:00

Quick update today with big enhancements coming this week in the bbq pulledpork arena! (hopefully).

This past Friday I checked in some code for PulledPork that allows for the handling of any format contents of md5 file from the snort.org servers.. we won't be foiled again ;-)

Get your great tasting pulledpork here => http://code.google.com/p/pulledpork

Cheers,
JJC

Pimping Tha All New Snort.org

2009-05-28T10:32:00.003-04:00

The home of Snort, snort.org received a facelift last night! The site has been largely static and unchanged for some time now.

A shortlist of the new features on the new snort.org that should make life easier for all:

• New navigation
• Improved account management
• New user forums
• Persistent link panel
• Improved VRT subscription management

What this does NOT mean is that your tools that automatically fetch snort rules tarballs will be broken... everything is still 100% functional and up in that area.

Having said all of this, please check out the new snort.org for yourself!

I extend a hearty good job to the entire snort.org team for their efforts in this, it looks and functions excellently!

Cheers,
JJC

Baconator Renamed => Pulled_Pork

2009-05-26T15:48:00.003-04:00

So, for some "mostly obvious reasons" I have renamed the Baconator project to Pulled_Pork. This was for a variety of reasons and if you really want to know I'll explain it.. Just drop by #snort on freenode... suffice it to say that this new name is more fitting. Please also note the google code location has changed from /p/baconator to /p/pulledpork. I did note on the baconator page that this change has occured.

The new location => http://code.google.com/p/pulledpork/

As always, thanks for the support and please fetch the latest version to do some testing for me!

Cheers,
JJC

Baconator 0.1 Beta 2 (try me)

2009-05-18T21:34:00.004-04:00

I have completed the 0.1 Beta 2 of Baconator and believe it to be fairly stable and user friendly! Please give it a roll (it's not in a tarball yet, so you will have to check it out as noted below) and let me know if you experience any issues or have any updates / features that you would like to see.

The timeline:
Release 0.1:(This is complete)

First Beta Release
Downloads latest rules file
Verifies MD5 of local rules file
If MD5 has not changed from snort.org.. doesn't fetch files again
handle both rules and so_rules
Capability to generate stub files

Release 0.2:(I have started to work on this piece, probably finished in a few more weeks)

Rule modification, i.e. disabling of specific rules within rule sets
Capability to compile so_rules from source
Outputs changes in rules files if any rules have been added / modified
Compares new rules files with current rule sets
Option to use Emerging-Threats rules in addition to snort.org rules
Option to define custom URL to fetch rules tarballs from
Automated retrieval of certain variables (Distro, Snort Version.. etc)

Next Release...

TBD by community needs / requests

Visit the google code site for info on how to check out the code etc..

http://code.google.com/p/baconator/

Cheers,
JJC

N.J. accidentally reveals personal data of 28K unemployed residents

2009-05-18T20:34:00.004-04:00

Article here => http://www.nj.com/news/index.ssf/2009/05/3k_unemployed_nj_residents_may.html

Somehow these statements make it ok? => "This is a fluke," department spokesman Kevin Smith said. "This was just a clerical error."

Right, it's just a clerical error that affects 28,000 individuals lol. I'll grant them that it's not as major as many other items that have occurred.. but they seem to not take it seriously is my short and sweet point!

Yes, they (as I have stated in the past) like all other agencies have a standard => http://www.state.nj.us/it/ps/p7cir.html, but evidently as long as "It's just a clerical error" again, it's ok.

Anyway, just wanted to start the week off on a small soap box ;-)

Cheers,
JJC

Snort 2.8.5 at snort.org... get it while it's hot!

2009-05-14T10:48:00.000-04:00

A beta version of Snort 2.8.5 is now available on snort.org, at
http://www.snort.org/dl/

Snort 2.8.5 introduces:

- Ability to specify multiple configurations (snort.conf and everything
it includes), bound either by Vlan ID or IP Address. This allows you
to run one instance of Snort with multiple snort.conf, rather than
having separate processes.

- Continued inspection of traffic while reloading a configuration.
Add --enable-reload option to your configure script prior to building.

- Rate Based Attack prevention for Connection Attempts, Concurrent
Connections, and improved rule/event filtering. See README.filters
for details.

- SSH preprocessor (no longer experimental)

- Performance improvements in various places

Please see the Release Notes and ChangeLog for more details.

Please submit bugs, questions, and feedback to snort-beta@sourcefire.com.

DC Agency Accidentally Emails PII about College Financial Aide Applicants <= WHAT?

2009-05-13T17:06:00.003-04:00

Yes, the headline is indeed true. Yet another in a seemingly endless series of silly (stupid) mistakes made by individuals that lead to significant data leakage.

The Article:
D.C. Agency Accidentally E-Mails Personal Data About College Financial Aid Applicants

How many times is this going to happen before people begin to take things as simple as user education / training, as related to security, seriously? Having worked for a variety of branches within the federal government, I can tell you that they do have some fairly basic protocols in-place that allow for basic online (depending on the agency/organization either annual, semi-annual etc...) instruction and in the same session, testing. This then creates a nifty little certificate that you can hang in your little cubicle and is tracked by the CSO (or equivalent thereof) to provide for proof that said Agency/organization is meeting with their requirements.

Evidently though, the "don't email sensitive rubbish out" section was missing in the OSSE's online curriculum?

You tell me...
JJC

Baconator - Shared Object Snort Rule Management!

2009-04-21T22:17:00.005-04:00

Recently while taking a plane ride from one lovely airport to another and doing some snort shared object rule development, I realized that I did not have a clean and easy way of fetching the latest snort rule tarball.

Don't get me wrong and misinterpret this post, I love Oinkmaster and have been a user of it for many a year!

Now, having said that... Oinkmaster does have it's shortcomings (for me anyway); the least of which is certainly not the fact that it currently does NOT handle shared object rules. With the release of Snort 2.8.4 and it's awesome new dcerpc2 preprocessor... the use of so_rules will most likely be much more prevalent.. and as such, with threats like Conficker and it's varients out there, I needed a way to handle this.

I did consider modifying Oinkmaster to fit my needs, but when I started writing the code at 30,000 feet... I didn't have the Oinkmaster codebase with me.

As a direct result of this thought and the lack of codebase on the plane... I started Baconator. Baconator is a Snort rule management tool that also handles so_rules, the creation of stub files from said so_rules, complete file validation (via MD5) against current VRT releases. It also does much more... or, will anyway.

I'll be posting more about Baconator as I complete the code. For now, if you want to try it out (it's not yet complete) you can checkout the code from the svn repo at http://code.google.com/p/baconator/.

The current code will fetch the latest ruleset from snort.org (ultimately I'll probably build the functionality in to fetch from ET). If you have an existing copy of the rules tarball from snort.org it will fetch the latest rule tarball md5 from snort.org and compare so that it doesn't re-fetch the same tarball again. It then performs the various extraction routines as defined in the conf file or at runtime and puts the files where you tell it to.. the rules files that is!

More info can be found on the google code page for Baconator. I'll also be updating that site regularly with updates to the timeline, current svn etc...

Cheers,
JJC

Can Haz Snort 2.8.4!

2009-04-07T17:20:00.001-04:00

With the new release of snort 2.8.4 you will need to upgrade immediately from whatever version you are on. If you do not upgrade, your sensorfail will be epic when you try to run any updated rules. This is due to the new DCERPC preprocessor and all new rules being built to use this new functionality.

Snort 2.8.4 is now available on snort.org, at http://www.snort.org/dl/

Snort 2.8.4 introduces:

- A revised DCE/RPC preprocessor with more rule options

With the new DCE/RPC preprocessor, there will be a number of updates
to the rules. Please be sure to update your rules to the latest
when that package is available (next few days).

- Support for IPv6 in Frag3 and all application preprocessors

- Improved target-based support in preprocessors

- Option to automatically pre-filter traffic that is not inspected in
order to improve performance

- Several other improvements and fixes

Please see the release notes and changelog for more details.

Cheers,
JJC

Snort 3.0 Beta 3!

2009-04-05T20:46:00.007-04:00

This last Thursday, Martin Roesch published a new blog entry discussing the Snort 3.0 architecture and some testing that has been conducted and has yet to be conducted. Definitely a good read and example of how software should be optimized and developed to work with current architectures and feature-sets!

Find this here: http://securitysauce.blogspot.com/2009/04/snort-30-beta-3-released.html

Cheers,
JJC

Unofficial Snort 2.8.3.x patch for GCC 4.3.x build errors

2009-03-27T18:48:00.003-04:00

Noted some issues lately in the community with build issues when building snort 2.8.3.x using GCC 4.3.x. Specifically you may receive output as follows:

In function ‘open’,
inlined from ‘server_stats_save’ at server_stats.c:349:
/usr/include/bits/fcntl2.h:51: error: call to ‘__open_missing_mode’ declared with attribute error: open with O_CREAT in second argument needs 3 arguments
make[5]: *** [server_stats.o] Error 1
make[5]: Leaving directory `~/snort-2.8.3.1/src/preprocessors/flow/portscan'
make[4]: *** [all-recursive] Error 1
make[4]: Leaving directory `~/snort-2.8.3.1/src/preprocessors/flow'
make[3]: *** [all-recursive] Error 1
make[3]: Leaving directory `~/snort-2.8.3.1/src/preprocessors'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `~/snort-2.8.3.1/src'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `~/snort-2.8.3.1'
make: *** [all] Error 2

If you are receiving the aforementioned error on build, it's likely a simple fix that you can apply to src/preprocessors/flow/portscan/server_stats.c... yes, the patch is below:

if you don't know how to patch the file, I suggest using google to figure it out ;-)

Click me for the patch
MD5
SHA256

Cheers,
JJC

InProtect 1.00.0 Beta_2 VMWare Image

2009-03-23T18:48:00.008-04:00

Given recent developments that the team has made on the InProtect project and the many emails that I see floating about on the lists, I decided to create a VMware image of an "almost" fully functioning InProtect installation. I say "almost" because, of course, like the LiveUSB that I released some time ago, I can't put the latest version of Nessus on the VM due to licensing restrictions imposed by Tenable. Note that I did not include greatly detailed instructions on the use of InProtect, I may do this later but haven't the time right now.

Please try to remember that this is a BETA, and as such may not be fully functional... if you find bugs or the like, please feel free to file them at the sf site or hit us up !

So, the quick and dirty of it is that all you will need to do is go to the Nessus website and download the latest Nessus tarball from them, upload it to the VM (scp), install it (pkg_add), start it, register it and run the /opt/Inprotect/sbin/updateplugins_1.00.pl script! Whew, that was one long runon sentence!. For everything to match up, create a user "inprotect" with password "inprotect" in your Nessus daemon. Once you have completed the aforementioned steps, you are all set and should be able to scan, note that if you want to scan outside of the VM, you will need to modify the configuration of the interface to be bridged etc... The interface is set for DHCP and everything will startup just fine with any address that you assign it or that it receives.

You will also need to throw the jpgraph stuff in /opt/Inprotect/html if you want the nifty graphs to work... but I'll probably speak more to this in an upcoming post.

I essentially used the install script to install in /opt/Inprotect on, you guessed it, FreeBSD 7.1R but of course had to make a few minor adjustments (it's not always 100% out of the gate) to get everything working together. That being said, you can probably do the same on your own distro.

some important info that you will (or may) need, i.e. username/password/medium

inprotect/inprotect/shell
root/root/console
root/root/mysql
admin/password/inprotect web interface

phpMyAdmin is installed: http://ipofyourvm/phpmyadmin/ for your mysqling pleasure.

To access InProtect simply browse to the ip of your VM: http://ipofyourvm

If you want nmap, build it from ports: /usr/ports/security/nmap

Get the VMWare Image Here
MD5
SHA256

Cheers,
JJC

PHPIDS Phase 1.1

2009-03-18T20:08:00.003-04:00

I have been reviewing PHPIDS for some time now, and have come to the conclusion that while a novel idea... it is simply overkill and extra rubbish to include in your php code. I also have some ideas surrounding evasion techniques.... Don't get me wrong, I think that in the right place (i.e. a server that you can not load a real IDS/IPS such as mod_security on) it is better than nothing. I will place one caveat on that though, I am not 100% sure what it does to load capacity (or increasing the load of) and existing site. I'll be conducting some extensive load testing on it over the next week or so and posting those results.

JJC

twitter

2009-03-18T19:59:00.005-04:00

I have been having some fun on twitter lately (instead of evaluating security foo hah!), though I have been on it for some time and not really using it. If you want to join into the fun, I am enhancedx.

Obviously the whole web2.0 movement introduces all new concerns surrounding security, especially as related to physical security of ones person. Specifically I am talking about social networking apps like twitter, loopt and the like. These are fun to play with and share your daily travels / ramblings with people, but if the user does not pay attention, they can also lead people directly to you. Of course, I am sure that EVERYONE is well versed it the features of these apps and therefore only shares their location when they want to, right? Of course people don't reuse the same password for multiple accounts and don't have their identity stolen ever either.. so what am I worrying about, sheesh!

Cheers,
JJC

openpacket.org

2009-03-11T17:44:00.004-04:00

I recently took over managing and maintaining OpenPacket.org from Richard Bejtlich of TaoSecurity. I would like to extend my thanks to Richard for his time and efforts in getting OpenPacket.org off the ground.

The mission of OpenPacket.org is to provide quality network traffic traces to researchers, analysts, and other members of the digital security community. One of the most difficult problems facing researchers, analysts, and others is understanding traffic carried by networks. At present there is no central repository of traces from which a student of network traffic could draw samples. OpenPacket.org provides one possible solution to this problem.

Analysts looking for network traffic of a particular type can visit OpenPacket.org, query the OpenPacket.org capture repo for matching traces, and download those packets in their original format (e.g., Libpcap, etc.). The analyst will be able to process and analyze that traffic using tools of their choice, like Tcpdump, Snort, Ethereal, and so on.

Analysts who collect their own traffic will be able to submit it to the OpenPacket.org database after they register.

Anonymous users can download any trace that's published. Only registered users can upload. This system provides a level of accountability for trace uploads.

Our moderators will review the trace to ensure it does not contain any sensitive information that should not be posted publicly. Besides appearing on the site, once a trace has been published you can receive notice of it via this published trace RSS feed.

If you have any doubt regarding the publication of a trace, do not try to submit it. When moderators are unsure of the nature of a trace, we will reject it. OpenPacket.org is not a vehicle for publishing enterprise data as contained in network traffic.

In the upcoming months you will see significant changes and improvements to the OpenPacket.org site. Many of these suggestions are the result of user feedback, so please keep it coming and stay tuned as updates are released!

JJC

New IDS/IPS technologies

2009-01-15T14:05:00.002-05:00

Recently while parusing the intertubes I ran across a new IDS/IPS technology (PHPIDS) "http://www.php-ids.org". This is an interesting and simple concept that can add an additional layer of security to your web application(s). This being said, I am not sure that I would run it solely, but I will be testing it over the week and posting the results subsequently.

HeX 2.0 USB RC1 (4G)

2008-11-27T21:56:00.004-05:00

Happy Thanksgiving, my gift to you.. HeX 2.0 LiveUSB RC1 (the 4G version)

Yes, I know, I can hardly believe what I am typing! I finally got it finished and uploaded. As noted above this is the 4G version... I am working on a 2G but it might now be squeezable into that small of a space.. so more to come! This 4G version has a decent amount of workable space so that you can store items etc...

You can obtain the image at the following US site, will be publishing to the site and full mirror list shortly.

Also, remember that to write the image, you simply use dd to the thumb drive itself (not a partition/slice/etc). i.e. on OSX if you have only that USB device connected that you want to write to: "dd bs=2048 if=/path/to/hex-i386-2.0-USB-4G.img.gz of=/dev/rdisk1" (you may need to run under sudo...)

Note this is a 1.4G file, I will also be publishing this to the Security Torrent Depot shortly!

http://us.rawpacket.org/image/hex-i386-2.0-USB-4G.img.gz
http://us.rawpacket.org/image/hex-i386-2.0-USB-4G.img.gz.md5
http://us.rawpacket.org/image/hex-i386-2.0-USB-4G.img.gz.sha256

Cheers,
JJC

HeX 2.0R Released!

2008-10-06T16:18:00.002-04:00

After much adeau, HeX 2.0R is out... the improvements are numerous and include:

1. FreeBSD 7 Stable
2. Unionfs
3. NSM Console updates
4. Tons of analysis alias and scripts
5. Tons of NSM tools' signatures
6. Firefox - Useful websites bookmark
7. Liferea - Security rss feeds

For more info: http://us.rawpacket.org

Thanks to the rest of the HeX team for diligent and hard work on this.... more to come!

J

Slack @$$?

2008-09-16T23:58:00.001-04:00

I apologize for my seemingly slacke-***edness of late... I have been extraordinarily busy performing some work for a new security firm and thus unavailable to post here. I do have quite a bit of material that I will be posting in the upcoming months and weeks so stay tuned, things are about to get exciting :-).

Also, as a side note, please pay close attention to the openpacket.org site, as we will be making some major changes shortly.

Cheers,
JJC

How are your "Debian" SSL certs doing

2008-05-16T16:39:00.003-04:00

Last night, while interviewing with Paul and Larry on the pauldotcom.com podcast, I had an interesting thought whilst bashing Debian and the latest OpenSSL party that they have created.

How many root Certificate Authorities run debian and generate signed ssl keys?

Obviously the implications on this are substantial.. I get in the middle of an affected ecom server/application and grab credit card numbers and identity info for a day or so.. then meander on my way. Alarming because of course it does not produce any real auditable trail for analysts to follow... I mean, there was no real break in as with TJX or Advance Auto....

So, the moral of this story is that you need to check with your CA and see if they issued you any certs/keys from any affected systems. If that is the case then they of course need to re-issue a known good cert/key to you.

I *hope* but doubt that it will happen, that any affected CA would notify their customer base if they had issued anything from an affected system.

Cheers,
JJC

"Block the Bad" OSS IPS with Content Filtration and Transparent Proxy Acceleration pt 1.

2008-04-13T21:58:00.009-04:00

In this two part series I will discuss and demonstrate the creation of an inline security and content filtration system built on FreeBSD 7.0R. What is a security and content filtration system you might ask? Simply put it is a system that has the capabilities of an IPS with the included benefit of advanced content filtration (things like blacklists, page content scoring "keywords etc", greylists, whitelists and so on...).

This first part, entitled "block the bad" will deal with the IPS aspect of the system that includes some new "or newly revisited" ways of utilizing snortsam with barnyard rather than directly patching snort. This is good for a variety of reasons that include the capability to keep your snort version updated without having to continually re-patch it for snortsam, and not having to load snort down with more work than what it was intended "SNIFFING J00r PAket F00".

Some things in the below documented barnyard snortsam plugin have been hacked together, and I am sure that more capable individuals "rotorhead, Obiwan..." will write a non-hacked-together plugin in the near future. But this will get you up and rolling for now.

A few assumptions are made before we get started... the first is that you have already built snort (2.8.1 is the latest as of the time I wrote this), and if not that you can follow the directions to do so on a previous posting of mine. The second assumes if you want to see output such as BASE, you read and followed that entire posting. The third assumption is that you know how to modify your kernel options and ultimately make and install a new kernel. The fourth and final assumption is that if any of the previous assumptions are not true, you know how to use google.

Now, to the heart of the subject at hand, we will be using the following for the remainder of the excercise:

Snort 2.8.1 (see above)
barnyard 0.20.0 (with a modified snortsam plugin)
snortsam 2.52
ipf
ipfw (this will come into play in the next part re: content filtering, but can also be used to block by entire source or destination *not protocol/port* hence ipf)

So, for our first step (since we have snort built/running) let's get our barnyard patched so that we have the snortsam plugin. If you previously built barnyard and still have all of the source, that's great... but remember to make clean before we do anything. For my purposes I'll be demonstrating with a freshly downloaded barnyard. You will need autotools "cd /usr/ports/devel/autotools/ && make install clean" to finish the patch work.

[jj@Azazel /usr/home/jj]$ wget http://www.snort.org/dl/barnyard/barnyard-0.2.0.tar.gz

2008-04-13 18:14:39 (537 KB/s) - `barnyard-0.2.0.tar.gz' saved [161543/161543]

[jj@Azazel /usr/home/jj]$ tar xvfz barnyard-0.2.0.tar.gz
x barnyard-0.2.0/

[jj@Azazel /usr/home/jj]$ wget http://www.snortsam.net/files/barnyard-plugin/barnyard-snortsam-patch.gz

2008-04-13 18:16:37 (148 KB/s) - `barnyard-snortsam-patch.gz' saved [27149/27149]

[jj@Azazel /usr/home/jj]$ gunzip barnyard-snortsam-patch.gz
[jj@Azazel /usr/home/jj]$ cd barnyard-0.2.0
[jj@Azazel /usr/home/jj/barnyard-0.2.0]$ patch -p1 < ../barnyard-snortsam-patch
Hmm... Looks like a unified diff to me...
...
Hunk #1 succeeded at 1.
Hunk #2 succeeded at 33.
Hunk #3 succeeded at 54.
...
done
[jj@Azazel /usr/home/jj/barnyard-0.2.0]$ ./autojunk.sh
configure.in:147: warning: underquoted definition of SN_CHECK_DECL
configure.in:147: run info '(automake)Extending aclocal'
configure.in:147: or see http://sources.redhat.com/automake/automake.html#Extending-aclocal
autoheader-2.61: WARNING: Using auxiliary files such as `acconfig.h', `config.h.bot'
autoheader-2.61: WARNING: and `config.h.top', to define templates for `config.h.in'
autoheader-2.61: WARNING: is deprecated and discouraged.
autoheader-2.61:
autoheader-2.61: WARNING: Using the third argument of `AC_DEFINE' and
autoheader-2.61: WARNING: `AC_DEFINE_UNQUOTED' allows one to define a template without
autoheader-2.61: WARNING: `acconfig.h':
autoheader-2.61:
autoheader-2.61: WARNING: AC_DEFINE([NEED_FUNC_MAIN], 1,
autoheader-2.61: [Define if a function `main' is needed.])
autoheader-2.61:
autoheader-2.61: WARNING: More sophisticated templates can also be produced, see the
autoheader-2.61: WARNING: documentation.
[jj@Azazel /usr/home/jj/barnyard-0.2.0]$

Now that we have the main part of the patch completed we need to make a few quick modifications to "src/output-plugins/op_alert_fwsam.c" so that it handles the barnyard output properly and loads the sid-msg.map file via a hard coded path (line 191). I threw a patch out there so that you don't need to do this manually, located here: http://www.redsphereglobal.com/data/tools/security/patches/barnyard-snortsam-hack.gz.

[jj@Azazel /usr/home/jj]$ wget http://www.redsphereglobal.com/data/tools/security/patches/barnyard-snortsam-hack.gz

2008-04-13 18:52:54 (1.15 MB/s) - `barnyard-snortsam-hack.gz' saved [641/641]

[jj@Azazel /usr/home/jj]$ gunzip barnyard-snortsam-hack.gz
[jj@Azazel /usr/home/jj]$ cd barnyard-0.2.0
[jj@Azazel /usr/home/jj/barnyard-0.2.0]$ patch -p1 < ../barnyard-snortsam-hack Hmm... Looks like a unified diff to me... The text leading up to this was: ...
Patching file src/output-plugins/op_alert_fwsam.c using Plan A...
Hunk #1 succeeded at 188.
Hunk #2 succeeded at 815.
done
[jj@Azazel /usr/home/jj/barnyard-0.2.0]$

This patch or "hack" has assumed that the location of your sid-msg.map is at /usr/local/etc/snort/sid-msg.map if this is not the case, you will need to edit /src/output-plugins/op_alert_fwsam.c around line 191 and specify the correct path. At this point you can configure barnyard and build as you normally would.

[jj@Azazel /usr/home/jj/barnyard-0.2.0]$./configure --enable-mysql
[jj@Azazel /usr/home/jj/barnyard-0.2.0]$make
[jj@Azazel /usr/home/jj/barnyard-0.2.0]$sudo make install

Your barnyard is now ready and we will cover the config file and startup after we get ipf and snortsam up and running.

The next step is to add the following to our Kernel so that we have ipf and ipfw enabled and running by default at boot.

# IPFW support

options IPFIREWALL #Enable IPFW directly in the kernel
options IPFIREWALL_FORWARD #Enable the Ip Forwarding function of IPFW
options IPFIREWALL_VERBOSE
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPDIVERT #allow this host to divert packets to/through different ints and routes

# IPF Support - default is to accept
options IPFILTER
options IPFILTER_LOG

Once these have been added please build your kernel, install and reboot. At this point we are ready to fetch and make snortsam.

[jj@Azazel /usr/home/jj]$ wget http://www.snortsam.net/files/snortsam/snortsam-src-2.52.tar.gz

2008-04-13 19:17:28 (497 KB/s) - `snortsam-src-2.52.tar.gz' saved [1075606/1075606]

[jj@Azazel /usr/home/jj]$ tar xvfz snortsam-src-2.52.tar.gz
x snortsam
[jj@Azazel /usr/home/jj]$ cd snortsam
[jj@Azazel /usr/home/jj/snortsam]$ sh ./makesnortsam.sh
-------------------------------------------------------------------------------
Building SnortSam (release)
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
Building SnortSam (debug)
-------------------------------------------------------------------------------
Done.
[jj@Azazel /usr/home/jj/snortsam]$sudo cp snortsam* /usr/local/bin/

That's it for the snortsam build, now we are ready to configure everything and fire it up for a test! The first thing that we will configure is our snortsam. There is a good amount of documentation under snortsam/docs/README.conf that covers basic configuration. For our purposes we will create the file /etc/snortsam.conf and place the following in it.

defaultkey secrets
port 6783
accept 192.168.1.0/24
keyinterval 30 minutes
ipf bge0

This configuration specifies a default key of "secrets" and that the snortsam daemon should listen on port 6783 for connectoins from the 192.168.1.0/24 network. The configuration also specifies that the connection between the client (barnyard) and snortsam daemon will be rekeyed every 30 minutes and that ipf will be used on bge0 locally.

On to the barnyard configuration, this file will be barnyard-snortsam.conf located at /usr/local/etc/. The only line that needs to be in this file is the one that calls the snortsam plugin for barnyard and specifies the host:port/password

output alert_fwsam: 192.168.1.7:6783/secrets

The barnyard snortsam plugin uses a sid-block.map file to define what sids will be blocked, how they will be blocked and for how long they will be blocked. The format is quite simple "sid: where[option],duration;" and to test we will put the file at /usr/local/etc/snort/sid-block.map with the following entry

9999999: src[conn], 15 seconds;

I chose sid 9999999 so that I could create a custom rule in my local.rules to test my configuration.

alert icmp any any -> 1.2.3.4 any (msg:"test"; sid:9999999;)

Assuming you were able to add that rule, we are now at the point to fire things up and give it a good old fashioned roll (all in debugging verbose mode of course)!

Restart your snort so that it sees the new SID if you have not done so... -HUP FTW!@!!
Start snortsam (must be as root right now to have access to ipf)

[jj@Azazel /usr/home/jj]$ sudo snortsam-debug

Start barnyard with the new config file (even if you have a previosly running barnyard from the previous security appliance article... this will run at the same time, we have specified a new waldo file and pid file). Note that the following is ALL ONE LINE... no line breaks or crs! Note that this uses the snort.alert and not the snort.log just like the syslog facility.

[jj@Azazel /usr/home/jj]$ sudo /usr/local/bin/barnyard -c /usr/local/etc/barnyard-snortsam.conf -g /usr/local/etc/snort/gen-msg.map -s /usr/local/etc/snort/sid-msg.map -d /var/log/snort/ -f snort.alert -w /var/log/snort/barnyard-snortsam.waldo -p /usr/local/etc/snort/classification.config -X /var/barnyard-snortsam.pid -vvv

After starting barnyard you should see the following debug output from your snortsam-debug:

Debug: Connection from: 192.168.1.7.
Debug: Received Packet: CHECKIN
Debug: Snort SeqNo: cbb9
Debug: Mgmt SeqNo : 7000
Debug: Status : 1
Debug: Version : 14

Now that everything is up and running we can test. The best way to test all aspects is to point a separate system at the IP of this box (default router/gateway) or on my system as evident by the above config "192.168.1.7" and ping 1.2.3.4 with that separate system. The ipfw options that we previously set in the kernel will allow this host to simply route the traffic to the proper destination. You should see debug output from your snortsam-debug as such:

Blocking host 192.168.1.43 in connection 192.168.1.43->1.2.3.4:0 (icmp) for 60 seconds (Sig_ID: 9999999).
Debug: [ipf][28201600] Plugin Blocking...
Debug: [ipf][28201600] command /bin/echo "@1 block in log level local7.info quick on bge0 proto 1 from 192.168.1.43/32 to 1.2.3.4/32"|/sbin/ipf -f -

We can see from the output that it is blocking the source address of 192.168.1.43 and proto 1 (ICMP) only. This means that this host can still browse the internet and do everything (other than send icmp to 1.2.3.4 for 60 seconds), this is a function of the [conn] option in the sid-block.map file.

Wonderful, we now have a functioning version of snortsam running off of the snort output and not snort directly. This means that we can upgrade / change our snort instance itself and not have to re-patch and mess with that... (this of course assumes that the version you use can output unified so that your patched version of barnyard can read it). The final step in this process is to add the sids that you want to block to the sid-msg.map file. I have modified the create-sidmap.pl file to create a sid-block.map compatible output by reading all of the .rules files in a directory and dumping "sid: src[conn], 30min;" output. This output blocks the service by source that the alert was generated from for 30 minutes. The file can be obtained at http://www.redsphereglobal.com/data/tools/security/patches/create-sidblock.pl.gz. Usage is simple and as follows (again, note that it's one line):

[root@Azazel /home/jj]# ./create-sidblock.pl /usr/local/etc/snort/rules/ > /usr/local/etc/snort/sid-block.map
[root@Azazel /home/jj]# tail -n 3 /usr/local/etc/snort/sid-block.map
2500000: src[conn],30min;
2510000: src[conn],30min;
9999999: src[conn],30min;

I suggest that you not put ALL sids in this file, but rather take a subset from rules files that you know are bad news. To do this simply copy the .rules files into a directory of your choice and run the script against that directory (note that the sid-block.map must always live in /usr/local/etc/snort at this time). Other suggestions include daemonizing your barnyard instance (-D) rather than -vvv. The rest you can figure out.

The next part of this series will cover adding content filtration and a transparent squid instance into the mix on this box.

Cheers,
JJC

Cisco Acquires Sguil!

2008-04-01T09:20:00.005-04:00

In many of my past writings I have mentioned using Sguil and have been an avid user of the solution. On that front, I would like to extend my congratulations to the core members of the team for their great success! It will be exciting to see it running on IOS!

Cisco Announces Agreement to Acquire Sguil™ Open Source Security Monitoring Project

Acquisition Furthers Cisco’s Vision for Integrated Security Products

SAN JOSE, Calif., and LONGMONT, Color., April 1st, 2008 – Cisco and the Sguil™ project today announced an agreement for Cisco to acquire the Sguil™ project, a leading Open Source network security solution. With hundreds of installations world-wide, Sguil™ is the de facto reference implementation for the Network Security Monitoring (NSM) model. Sguil™-based NSM will enable Cisco’s customer base to more efficiently collect and analyze security-related information as it traverses their enterprise networks. This acquisition will help Cisco to cement its reputation as a leader in the Open Source movement while at the same time furthering its long-held vision of integrating security into the network infrastructure.

Under terms of the transaction, Cisco has acquired the Sguil™ project and related trademarks, as well as the copyrights held by the five principal members of the Sguil™ team, including project founder Robert "Bamm" Visscher. Cisco will assume control of the open source Sguil™ project including the Sguil.net domain, web site and web site content and the Sguil™ Sourceforge project page. In addition, the Sguil™ team will remain dedicated to the project as Cisco employees, continuing their management of the project on a day-to-day basis.

To date, Sguil™ has been developed primarily in the Tcl scripting language, support for which is already present inside many of Cisco’s routers and switches. The new product, to be known as “Cisco Embedded Monitoring Solution (CEMS)”, will be made available first in Cisco’s carrier-grade products in 3Q08, with support being phased into the rest of the Cisco product line by 4Q09. Linksys-branded device will follow thereafter, though the exact deployment schedule has yet to be announced.

“We’re extremely pleased to announce this deal,” said Cisco’s Chief Security Product Manager Cletus F. Simmons. “For some time, our customers have told us that our existing security monitoring products did not extend far enough into their network infrastructure layer. Not only was it sometimes difficult to intercept and monitor the traffic, but there were often political problems at the customer site with deploying our Intrusion Detection Systems, as management had heard several years ago that they ere ‘dead’. Now, with Sguil™ integrated into all their network devices, they’ll have no choice!”

Although the financial details of the agreement have not been announced, Sguil™ developer Robert Visscher will become the new VP of Cisco Rapid Analysis Products for Security. “This deal means a lot to the Sguil™ project and to me personally,” Visscher explains. “Previously, we had to be content with simply being the best technical solution to enable intrusion analysts to collect and analyze large amounts of data in an extraordinarily efficient manner. But now, we’ll have the additional advantage of the world’s largest manufacturer of networking gear shoving it down their customers’ throats! We will no longer have to concern ourselves with mere technical excellence. Instead, I can worry more about which tropical island to visit next, and which flavor daiquiri to order. You know, the important things.”

About Cisco Systems

Cisco, (NASDAQ: CSCO), is the worldwide leader in networking that transforms how people connect, communicate and collaborate. Information about Cisco can be found at http://www.cisco.com. For ongoing news, please go to http://newsroom.cisco.com.

About Sguil™

Sguil™ is the leading Network Security Monitoring (NSM) framework. It is built for network security analysts by network security analysts. Sguil’s main component is an intuitive GUI that provides access to a wide variety of security related information, including real-time IDS alerts, network session database and full packet captures. Sguil™ was written by Robert “Bamm” Visscher, who was apparently too cheap to buy a book on Java or C.

Again, congrats to the team... if you get a chance, please stop in at #snort-gui on freenode and say hi / congratulate the team.

Cheers,
JJC

Oh noes, can't has document drops!!

2008-03-28T22:13:00.003-04:00

It's not much for me to post, but I can't stop laughing!

dakrone++

http://writequit.org/blog/?p=158

Kthxbye,
JJC

pauldotcommunity.blogspot.com

2008-03-19T14:15:00.003-04:00

I will be contributing to the pauldotcommunity blog site moving forward. You will find posts in both this blog and global-security. Hopefully we will be able to publish some useful information in at least one of these locations :-P

Cheers,
JJC

FreeBSD USB Booting Issues (BTX)

2008-03-19T09:04:00.003-04:00

Since we have been building LiveUSB tools that were based on FreeBSD there has historically been an issue with several makes of laptop/hardware on boot. This problem has manifested in many ways but always yields the same result; a non-working LiveUSB tool for the system owner. This problem had to do with the BTX Loader not playing well with the specific hardware in question and not loading/running properly via USB.

The good news is that recently a patch was released that should rectify this issue! I will be applying this patch to all FreeBSD based LiveUSB releases going forward. Thanks for all of the community feedback and support on all of this.

For those that may be curious, here is the patch: http://people.freebsd.org/~jhb/patches/btx_real.patch. Moving forward (post 7.0R) all releases will be patched from the freebsd folks direclty.

Cheers,
JJC

HeX 1.0.3 LiveUSB Final (Bug Fixes)

2008-03-17T17:21:00.004-04:00

I just finished the bugfix version of the HeX 1.0.3 Live (CNY Release) image.

You can get it (in torrent form) from the Security Torrent Depot at http://www.redsphereglobal.com:88/torrent.html?info_hash=77f31dbc8d641500530760e62f17d1a08e433b96 or you can get it from the below direct download site.

USA Site
MD5 (HeX-i386-1.0.3-final-usb.img.gz) = 5fb1498b3437fada0b38602324d8f5e0

Usage instructions are simple:

dd if=/path/to/HeX-i386-1.0.3-final-usb.img of=/path/to/usbstick/device bs=1M

Look for the new HeX 2.0 to be out soon, all based on FreeBSD 7.0R!

Note that some usb sticks will be smaller than others (even if it's "2G") and that even if you write it and dd produces an error saying that not enough space is available... this is OK and your HeX LiveUSB will still work fine.

Cheers,
JJC

Security Torrents

2008-02-29T10:06:00.003-05:00

To fill the need to host and download multiple large security related torrents, I have put a tracker online at http://www.redsphereglobal.com:88. You will primarily find items on this site in the following categories:

Toolkits
Anything that I or various other contributing members find useful, relevant or fun with respect to security. Current items that will go into this category are the various HeX (all) releases and InProtect LiveUSB releases.

Distros
Any custom distributions that have been designed to fit security needs and/or perform specific tasks.

Packet-Captures
Any large packet captures or trace files that are obviously not going to fit on the www.openpacket.org site. There is one up there now, it is the malicious traffic that Richard Bejlich captured at the 2007 Shmoocon. This torrent was created and added by giovani...so a shout out goes to him!

Having said all of that, we will (as with all trackers) need seeders. So if you have a little extra bandwidth and/or want to contribute in any way please let us know!

Cheers,
JJC

FreeBSD 7.0 Released

2008-02-29T09:51:00.004-05:00

I am pleased to announce (a few days late) that FreeBSD 7.0R has been released as of Feb 27, 2008! More info here on the release.

You might (I hope not) wonder why this is exciting? Really, aside from the dramatic and significant enhancements to the overall functionality and stability of the operating system, it means that several OSS projects will be moving forward with new development work based on the 7.0 Release. Specifically, we will now begin work on HeX 2.0 with new nifty features to suit your packet loving needs! I also suspect that we will see some additional traction from the freesbie folks.

Further, I will be releasing a new version of the InProtect LiveUSB that will be based on FreeBSD 7.0 Release as soon as the build finishes!

Shmoocon 4 in review

2008-02-20T10:25:00.006-05:00

For those that have not attended or are not familiar with shmoocon, it's an annual hacker con. The event is held in Washington DC and additional event info can be found on their site at http://shmoocon.org.

Tickets are released on a timed basis and come in three classes... the early bird ticket for $75, the normal ticket for $150, and the I pissed around and didn't get a less expensive ticket for $300. When I say "timed basis", they have specific dates and times that they will make a certain number of each ticket class available. Needless to say, on the ticket release dates the shmoo ticketing server was quite loaded but luckily I was able to obtain one of the early bird special tickets.

Day One:

The con kicked off on Friday Feb-15 with a single track of talks. I missed the first few talks (schedule here) and caught a little more than the last half. Unfortunately I don't really recall the first talks, so they must not have been altogether that interesting for me. I primarily payed attention to the last three talks:

Hacking the Samurai Spirit - Isaac Mathis
New Countermeasures to the Bump Key Attack - Deviant Ollam
Keynote Address - J. Alex Halderman

Hacking the Samurai Spirit:

The premise of this talk was to discuss the current cultural differences, history and mindset of the Japanese as related to Information Security. While this talk was humerus I did not find it terribly technically relevant. The speaker seemed to more be giving a history of security related events over the past 60 years in Japan, though there were some good and interesting points in the end that did relate to Information Security. Specifically, the speaker detailed how there are several scams occurring concerning the uneducated internet user in Japan. A simple example of this type of scam would be a pr0n site that requires the user to click on an I Agree, Enter type link prior to gaining access to the goods. Once this action has been completed, the user is then told that they have just agreed to paying X amount of money to access the site and that if they do not pay said money they will be sued. The people in Japan are afraid of reprise of any type and typically will pay this immediately. So overall I would rate this talk somewhere in the middle due to it's humerus nature.

New Countermeasures to the Bump Key Attack

Having just sat through the history lesson re: Japan, I was certainly ready for something different and more exciting. New Countermeasures to the Bump Key Attack certainly delivered this for me. I (as many in the security community) have been aware for years about the gross weaknesses that exist in the physical lock world. Thanks to the consistent pounding and education of the world by people such as Deviant Ollam. This talk covered the basics of lock-picking using bump keys and modified bump keys then detailed how may lock manufacturers are dealing with this issue. The media for the presentation itself was well done and clear, further the presenter did a great job at getting the point across.

A challenge was also issued during this talk, the title "Gringo Warrior". The setting for Gringo Warrior is simple, you are a Gringo that got a little blitzed in Tijuana and woke up in a Mexican jail cell with no recollection of the night before. In walks the corrupt policia and tells you that you have to pay a fine, the cost of that fine is whatever money you have in your bank account. He tells you that he will leave you for an hour to consider this. Luckily while they were emptying your pockets they missed your lock-picking tools. Your challenge is to pick the handcuffs that you are in, pick the cell door, disable the cell guard and pick a lock cabinet that has your passport in it. At this point, you have a choice; you must either pick the front door lock to leave, or you can pick an additional locked door in the cabinet to obtain a handgun and shoot out a surveillance camera to sneak out a window. This was a timed event, the event winner took under a minute:30 to complete the entire course and received a social engineering kit (hardhat and several vendor specific polos)!

Keynote

This talk was concerning the new electronic voting systems and their MANY security flaws. It was both interesting and somewhat technical but more detailing the process that they took to obtain their first voting machine to test (somewhat clandestine in nature and humerus). The short of it is, as we all now know, that these devices have historically been easily compromised both electronically and physically. One key point of humor is that diebold (the primary manufacturer) had a high resolution picture of the actual keys used to access the IO ports of the system on their website, from this picture they were able to successfully create a working keyset.

Day Two and Three:

I am bundling these days together and only writing about the talks that I found interesting for the remainder of this posting.

VoIP Penetration Testing: Lessons Learned -John Kindervag and Jason Ostrom
Got Citrix? Hack It! - Shanit Gupta
Advanced Protocol Fuzzing - What We Learned when Bringing Layer2 Logic to "SPIKE Land" - Enno Rey and Daniel Mende

VoIP Penetration Testing

This talk primarly dealt with using the voiphopper tool to jump onto voice vlans and conduct your activities as needed there. The fun part would be to jump onto the voice vlan and do a little fuzzing using spike or the like ;-). Overall a fairly interesting talk and there were demonstrations that made it a bit more exciting.

Got Citrix? Hack It!

I found this talk to be fairly basic, but that said quite technically relevant. I think that we often do not consider the most simple way to get into something and that is why this was a good talk. The premise of this was hacking Citrix and primarily focused on using the Kiosk mode. The speaker pointed out that often while the kiosk has a limited set of initial applications available to be run, or force-ran that they hotkeys are still often active. Examples include cntl+n to open a new Internet Explorer Browser instance that now has the address bar in it, you can therefore browse wherever you want and grab a payload to further break into your mom's kiosk. Other examples are cntl+h (history) cntl + F1 (shortcut for cntl+alt+del) and so on.

Advanced Protocol Fuzzing

Probably the best talk of the con in my opinion, this talk focused on the steps that some German researches took to fuzz several layer 2 protocols. They worked though creating the protocol definitions in SPIKE and Sulley and their various reverse engineering processes from various sources including Wireshark. This talk also included a live demo of crashing a medium sized Cisco Cat using LLDP fuzzing techniques.

All the other talks...

I am sure that there were several other good talks, unfortunately due to the nature of three being scheduled at the same time, I was not able to see everything. Shmoocon does post videos of the talks on their site, so keep an eye out. Unfortunately I did attend several talks that were presented by fairly well known people, and I believe that this was the only reason that these talks were approved as they contained really no new or relevant information.

Overall I would rate shmoocon as a good time with decent material and good speakers. I mean, for $75 I can't complain, I certainly feel like I got my moneys worth. Perhaps next year or at an upcoming con I will present on HeX with the team, so keep an eye out!

Cheers,
JJC

InProtect LiveUSB 0.80.3 Beta!

2008-02-19T21:48:00.004-05:00

Though the InProtect project has not made a large number of public postings lately (beta releases and the like...) we have been quite busy. We will soon be releasing a tarball of the latest 0.80.3RC1. That is not, however, the purpose of this article but rather I am releasing a liveUSB image that is an entirely self-contained and functioning installation of InProtect on a FreeBSD 6.3-Current system.

I came up with the idea to create the InProtect LiveUSB when someone requested that I build one for another project that I am an active member of (HeX). Unfortunately it has taken me several months to get the time put together to actually build this tool. Having said that, I am quite pleased with the outcome and functionality of the tool. Placing this tool onto a USB thumb drive gives the user extreme versatility from the perspective of security. Obviously the nature of a USB thumb drive is not terribly secure; we can put them in our pocket and have them fall out in a parking lot where anyone could conceivably pick it up and snag the data off of it and multiple other scenarios. I am more talking about the security of the location or client that may have a sensitive environment with sensitive data and the like. In this scenario the USB device could be taken in and left with the organization, post scan, that has such sensitive data. Again though, the primary purpose of this build is to allow for a solid demo of the InProtect system.

As I said earlier, the system was built using FreeBSD 6.3-Current, ontop of this I built fluxbox (and several applications such as firefox), mysql51, apache22, php5 and several perl modules that are InProtect dependencies. I manually configured all of the components to work with InProtect, the installer currently does not work on freebsd though I am in the process of building a port. In-short, and as stated earlier, this is a fully functional InProtect scanner with a few things that need to be completed by the end-user; Nessus 3.0.x install and jpgraph for php5 install.

The Nessus and jpgraph items are not included in this image due to their licensing restrictions (not GPL). It is for this reason they must be manually installed.

First you will need to download the InProtect LiveUSB 0.80.3 image here:

http://www.redsphereglobal.com/data/tools/security/live/inprotect-i386-0.80.3-beta.usb.img.gz
MD5 (inprotect-i386-0.80.3-beta.usb.img.gz) = 605a5b20d754ea7e6305922695f301ba
SHA256 (inprotect-i386-0.80.3-beta.usb.img.gz) = 1d562d17db0ef4e3afefcca18fd40932b7faecdddd673910c3ad11a4aab4434b

After obtaining the image and gunzipping it you will want to use dd to write it to a 2G or larger USB thumb drive. NOTE that you want to write it to the device itself and NOT to a specific partition on the device. Also, if you didn't figure it out... this will overwrite anything that you may currently have on your thumb drive.

dd if=/path/to/foo/inprotect-i386-0.80.3-beta.usb.img of=/dev/da0 bs=1M

Your output file path may be different than /dev/da0 (this is mine on a freebsd boxen). The key is that you are writing directly to the device address and NOT to a partition, that will NOT work. Assuming that you have a thumb drive and computer capable of USB2.0 this process should take around 10 minutes to write all of the data.

At this point you should be able to boot from your new shiny LiveUSB thumbdrive. The initial login details are simple (these ARE case sensitive so pay attention!):

Username: InProtect
Password: inprotect

Once logged in type startx to get into fluxbox. From here, if you are not familiar suggest playing around just a little bit. A few tips, this isn't windoze, you access the main menuwith fluxbox, I by right clicking anywhere on the desktop. The image to the right shows the menu of the InProtect LiveUSB. The highlighted option will take you to the Nessus and jpgraph installation instructions.

Even before you install Nessus or jpgraph you will be able to login to the local instance of InProtect by selecting the InProtect menu option as displayed below. Once you have selected the InProtect menu item, you will be able to use admin / admin for the login and password to access the local instance of InProtect.

Note that until you install Nessus you will not be able to run any scans.

In this image I have already created a default scan zone and default scanner so that once Nessus is installed and the Nessus user created, as noted in the instructions contained on the image, the system is fully functional and scans can be immediately created and executed.

As always please feel free to contact me or leave any comments, criticisms, suggestions or otherwise that you might have.

Cheers,
JJC

HeX 1.0.3 LiveUSB (CNY Release)

2008-02-15T11:06:00.002-05:00

After much adeau, here it is! Instructions for usage are quite simple, dd it to your usb thumb drive (the drive, not a partition or it will NOT work). This image includes all of the same features as our mainline HeX 1.0.3 release but is on USB not CD, the filesystem is therefore also writable. You will need a minimum of a 2G Thumb Drive or Memory Stick to write this. I say "Memory Stick" because I have heard rumor of some people using SD rather than USB Thumb Drives to use this tool.

So for example on my freebsd system I would dd as follows:

dd if=/path/to/foo/hex-i386-1.0.3.usb.img of=/dev/da0 bs=1M

command is simple... if is the Input File, output is the Output File (in this case it is the da0 device) and bs=1M is setting the block size to 1mb - this helps to speed up the write process.

Downloads:
USA Site (521MB)
USA MD5 Verification
USA SHA256 Verification

Malaysia Mirrors to be populated soon, I'll post them when they are.

Cheers,
JJC

Shmoocon Starts Tomorrow

2008-02-14T11:05:00.004-05:00

I trust that we are all prepared for absurdities and enjoyable semi-sober technical security banter? In any event, shmoocon DC 2008 starts tomorrow afternoon and I look forward to seeing you there. You can find the schedule on the shmoocon site itself.

I wanted to comment that if you do not currently have a ticket, there are several for sale on Ebay:

I suspect that there may even be some hockers outside ;-)

Cheers,
JJC

HeX 1.0.3, the CNY Release

2008-02-14T10:52:00.003-05:00

I am pleased to announce the release of HeX 1.0.3, release info is below. Thanks to the entire development team for their dedication and hard work. This release has been dubbed the CNY, or Chinese New Year release.

With the recent release of FreeBSD 7.0 RC2, we anticipate an actual 7.0 release in the near future. When the Release version of 7.0 becomes available we will begin working on the new HeX 2.0 project.

Get HeX 1.0.3 Here:
US Mirrors:
https://secure.redsphereglobal.com/data/tools/security/live/hex-i386-1.0.3.iso
https://secure.redsphereglobal.com/data/tools/security/live/hex-i386-1.0.3.iso.md5
https://secure.redsphereglobal.com/data/tools/security/live/hex-i386-1.0.3.iso.sha256

Malaysia Mirrors:
http://bsd.ipv6.la/hex-i386-1.0.3.iso
http://bsd.ipv6.la/hex-i386-1.0.3.iso.md5
http://bsd.ipv6.la/hex-i386-1.0.3.iso.sha256

Fixed:
- pkg_info works after installation
- ping works without sudo
- procfs is correctly mounted on /proc at boot

Upgraded:
1. NSM Console 0.6-DEVEL
Features:
- 'dump' command added, you can now dump packet payloads into a binary
file for later analysis
- Significant speedups in the harimau module and 'checkip' command if
wget is installed
- tcpxtract configuration file changed to extract more types of files
- Added foremost module
- Added clamscan module (Thanks JohnQPublic)
- Argus and tcptrace have reverse dns turned off by default now, it
was causing the module to hang for extremely large pcap files. Can be
switched on by changed the module options
- rot13 encoding and decoding added :)
Bugfixes:
- alias command
- urlescape (en|de)coding
- file existence check
- many other things
All the other enhancements, bugfixes and additions since the 0.2
release (there have been many!)

New Application Packages:
- xplot
- uni2ascii
- vnc
- vsftpd
- samplicator
- sflowtool
- pmacct
- ming
- ploticus
- tcpick
- bvi
- elinks
- feh
- tftpgrab
- arpwatch

Misc:
- New wallpapers with different color schemes

The LiveUSB image will be out shortly, it is undergoing a quick regression test currently.

Cheers,
JJC

Column Update - Global Security

2008-02-04T11:13:00.000-05:00

I apologize for my lax postings lately but have been largely unavailable to write due to several family matters that required travel and immediate attention.

Note that we are now back on-track for continued analysis of security tools and how-to direction, possibly even some rants and noob bashing ;-).

Cheers,
JJC

HeX and NSM-Console Writeup in ISSA Journal

2008-02-04T10:56:00.000-05:00

Russ McRee has written a nice piece about the HeX Live project and the included NSM-Console in his 'toolsmith' section of the ISSA Journal. This 3.5 page writeup has clearly captured our intent behind HeX and the NSM-Console created by Mathew Lee Hinman.

If you are not an ISSA subscriber, you can access the writeup at Russ McRee's column or here in the form of pdf.

I would like to thank the community for their continued support and feedback on this project.

Cheers,
JJC

How do I know if my Snort implementation is working?

2008-01-10T12:12:00.000-05:00

How do I test Snort? How do I know if Snort is sniffing packets? How do I know if Snort is running properly? How do I generate a test alert with Snort? Recently, and over the years, I have regularly seen people join the #snort channel on freenode and post these very questions to the snort mailing lists. Perhaps this little article will index properly in the search engines and end their questions, this is of course assuming that they know how to use a search engine ;-).

There are really several ways of testing snort, some much more complex than others. Probably the most simple way is to define a custom rule that you can easily produce the traffic to trigger the alert. This can be done by creating a simple rule that looks for traffic of a certain type, to a certain address or many other ways but for the purposes of this article we will be looking for traffic to a certain address (as this tends to be the most easily produced). We begin by creating a custom rule either in a new rules file or by adding the rule into an existing rules file. To simplify this you can download the rule from the url below:

https://secure.redsphereglobal.com/data/tools/security/snort/rules/snort-test.rules

Once you have downloaded this rule file and added it to your snort.conf so that Snort has loaded it, simply generate traffic from the monitored network to one or more of the following hosts: 121.175.169.102,193.71.199.6,200.123.165.130. This traffic can be of almost any type. I will typically browse via browser or telnet to a standard IRC port (at the time that I wrote this, these hosts were on the known C&C list) such as 6666, 6667 ....

Once this is done you will see the alerts being generated by snort (assuming that everything is configured properly).

As a second method, you can attempt to generate traffic that an existing snort rule can detect and alert on. To do this, I suggest using a tool such as Metasploit to generate actual attack traffic. You will want to test it against a host that you own, I certainly am not advocating attacking someones network with Metasploit from your network, this host should either be intended to be a test host, and/ or be immune to the attack. A simple example would be to enable the web-iis.rules from snort.org and launch an attack against one of your patched webservers from metasploit in an attempt to exploit MS01-23 using the Metasploit Framework Exploit. This will in-turn generate the WEB-IIS ISAPI .printer access alert to fire.

Either of those two methods should allow you to test your Snort installation, there are some other tcpreplay type tools that you can generate traffic from some signatures with, but by and large they are not effective tests.

Regards,
JJC

HeX Virtual Appliance Image: 1.0.2R

2008-01-10T12:05:00.000-05:00

While I have not yet had time to create images for multiple Virtualization technologies, I did finish the image for VMware. Please obtain it at the below URL.

This image is 825M in size and will decompress to a 3G VM.

https://secure.redsphereglobal.com/data/tools/security/live/HeX_1.0.2_VMware.tar.gz
https://secure.redsphereglobal.com/data/tools/security/live/HeX_1.0.2_VMware.tar.gz.md5
https://secure.redsphereglobal.com/data/tools/security/live/HeX_1.0.2_VMware.tar.gz.sha256

Enjoy,
JJC

HeX 1.0.2 LiveUSB Update

2008-01-08T00:03:00.000-05:00

Unfortunately, the previous HeX 1.0.2 LiveUSB image was not the proper release, thanks to those that pointed this out. This has since been remediated, the original links are still valid, I will re-post here for your downloading pleasure.

For additional information on the project, please read my earlier post at: http://global-security.blogspot.com/2008/01/hex-102r-liveusb-release.html

https://secure.redsphereglobal.com/data/tools/security/live/HeX-i386-1.0.2.img.gz
https://secure.redsphereglobal.com/data/tools/security/live/HeX-i386-1.0.2.img.gz.md5
https://secure.redsphereglobal.com/data/tools/security/live/HeX-i386-1.0.2.img.gz.sha256

Cheers,
JJC

Screencast: An Introduction to NSM-Console

2008-01-07T09:01:00.000-05:00

Dakrone has created a useful screencast of his new tool, read / see more on his blog

http://thnetos.wordpress.com/2008/01/05/screencast-an-introduction-to-nsm-console/

Cheers,
JJC

HeX 1.0.2R LiveUSB Release

2008-01-07T08:29:00.000-05:00

As I have been away on holiday, I have been unable to release the next iteration of the HeX LiveUSB tool. Let this post serve to remediate that (albeit a bit late). Without further adeau, the download is located at the following URLs:

https://secure.redsphereglobal.com/data/tools/security/live/HeX-i386-1.0.2.img.gz
https://secure.redsphereglobal.com/data/tools/security/live/HeX-i386-1.0.2.img.gz.md5
https://secure.redsphereglobal.com/data/tools/security/live/HeX-i386-1.0.2.img.gz.sha256

For those that are not familiar with the HeX project, please read further at rawpacket.org. The LiveUSB project is a subset of the overall HeX project and adds a bit of functionality to suit your portable packet monkeying needs. Essentially it gives you a slightly larger (and writable) filesystem to do with what you please; i.e. update signatures, modify configurations, store data and the like.

To use the LiveUSB; simply download decompress and dd onto your device (example on fbsd: dd if=/path/to/HeX-i386-1.0.2.img of=/dev/da0 bs=1M). Note that for speed purposes it is important to increase your default block size in fbsd, the value of 1M takes about 200 seconds for my system to write the entire 2G image.

This release contains the NSM Console as described below.

Matthew(Dakrone) is the main developer of NSM Console, here’s the short description about it -

NSM Console (Network Security Monitoring Console) is a framework for performing analysis on packet capture files. It implements a modular structure to allow for an analyst to quickly write modules of their own without any programming language experience which means you can quickly integrate all the other NSM based tools to it. Using these modules a large amount of pcap analysis can be performed quickly using a set of global (as well as per-module) options. NSM Console also aims to be simple to run and easy to understand without lots of learning time.

If you want more information about what it is (and what it does), check out this introductory post -

http://thnetos.wordpress.com/2007/11/27/nsm-console-a-framework-for-running-things/

You can access NSM Console by clicking the menu -> NSM-Tools -> NSM Console

There are also several bug fixes in this release, as well as new nifty wallpapers (for the holiday season hah).

http://www.rawpacket.org/projects/hex/artwork

1. unicornscan run time error
2. svn run time error
3. lsof run time error
4. firefox startup issue
5. pidgin and liferea dbus issue
6. CDROM-Mount.sh syntax error
7. script command issue
8. ping setuid issue

Other known major or minor issues in the Base System are fixed, thanks to chfl4gs_.

Cheers,
JJC

Happy New Year!

2008-01-04T17:11:00.000-05:00

Greetings all, and Happy New Year!

I have been traveling for roughly the past three weeks and have therefore been unable to publish any updates to this site. Rest assured though that I have some good new material for the 2008 security and noob thrashing season ;-)

That said, I trust that everyone had a fantastic holiday and New Year celebration! I want to thank you all for the support and feedback that I continually receive.

Regards,
JJC

Ubuntu Bashing Continued

2007-12-18T19:58:00.001-05:00

It has been a while since I upgraded and subsequently wrote about my experience of upgrading Ubuntu 7.04 to Ubuntu 7.10. I gave Ubuntu 7.10 the good old college try, but have to report that I am now back to my FreeBSD Laptop.

The primary issues that I had with Ubuntu 7.10 had to deal with wireless networking. The connection speed would never exceed 23mbps and even when the driver stated that it was connected at 23mbps I could not achieve throughput of more than 5mbps, even with the laptop sitting 5' from the AP. The second, and most irritating, issue with the wireless networking setup of Ubuntu 7.10 was the consistent disconnects and intermittent reconnects. Often it would not reconnect and I would have to reboot and piss with it for 30 minutes before it would inexplicably reconnect. Of course this started to remind me of M$ reboots and I had to immediately remediate the situation with ufs and FreeBSD!

At first I thought that this was potentially related to the Broadcom 43XX chipset in the test laptop. I then tested with different Intel (non proprietary) wireless cards and different APs. An additional reason that I tested with different access points was due to the range limitation that I was experiencing with Ubuntu 7.10. I was only able to get to roughly 30' from the AP before I would lose signal.

The combination of these three wireless issues, in addition to the upgrade pain, led me to flatten the system and slap FreeBSD 6.2 REL onto it. That said, I am now back into my comfort zone of *BSD. I will also say that I have loaded the Broadcom 43xx windows driver using ndis and that I now have full 54mbps connectivity and a range of greater than 50' from the same APs that I had less than 30' with Ubuntu 7.10.

So, to conclude and finish this mild rant, I think that the new Ubuntu 7.10 is a decent distro overall "for the click brigade" but I also think that more time should have been put into the guts as opposed to the shininess of the whole thing. Of course, if you read some of my previous postings about the shininess setup issues that I experienced out of the box with Ubuntu 7.10....then perhaps they should have put more time into that as well.

Previous articles:
Ubuntu 7.04 to 7.10 Upgrade Notes Pt. 1
Ubuntu Upgrade to 7.10 Strike 2
Ubuntu Upgrade....or not (with compiz)

Cheers,
JJC

InProtect Update...

2007-12-13T14:24:00.000-05:00

And a few operational notes....

We are working hard to get out the next RC for your scanning pleasure. In the meantime, please continue the use and bug reporting, it's been great thus far!

Now, as to a big bug and how to properly handle it. In previous versions of InProtect you were able to control the number of scans with the max_scans value in the Nessus Servers configuration dialogue. Unfortunately with the modification of the nessus_run.pl script to streamline the scanning process, the max_scans variable does not properly control the actual scans being processed by the scanner. A simple example is as follows;

Lets say you schedule a scan with 60 hosts (IP Addresses) to be scanned and have limited in the Nessus Scanner Max_Scans setting a maximum of 10 concurrent scans on said server. When this scheduled scan starts to run it will start out with 10 scans, once those begin to complete it will immediately say that it's running 20 scans then 30 and so on.

To remediate this issue, you need to do a couple of things...first lets go ahead and kill our sched.pl process so that we can clean up the database (if you still show multiple scans running and none are actually running "ps -auxxx | grep nessus"). Once this is complete, go ahead and look in your Inprotect database under the nessus_scan table for any record with a value of 'R' in the status field ( select * from nessus_scan where status='R';". If you find that you do have records with 'R' as their status, you need to set them as 'C' "UPDATE`inprotect`.`nessus_scan` SET `status` = 'C' WHERE `status` = 'R' ; ", you will also need to reset the current_scans value in the nessus_servers table "UPDATE `inprotect`.`nessus_servers` SET `current_scans` = '0';". After completing these steps you can now start your sched.pl up again. As another note, you may want to set all of the status values to 'C' just to clean up that table, once you restart sched.pl it will clean out all of the 'C' status scans and set their main schedule back to a scheduled status.

Now that we have cleaned up the remnants of the aforementioned bug, lets go ahead and talk about the current workaround. This workaround is fairly straightforward and consists of two simple modifications to your scan profile and your nessus server settings. First, let's get into the InProtect GUI and select Settings -> Nessus Servers -> Edit, at this point we will be modifying the value for Max number of hosts to scan and setting it to an extremely high number such as 10000 or more.

The next part of this workaround is to define the maximum hosts that will be scanned in the actual scan profile. This will tell the nessusd server itself how many scans that it is allowed to run at the same time. Select Settings -> Nessus Scan Profiles -> Edit your existing default profile -> Preferences, under the serverprefs section are the options max_checks and max_hosts. The max_checks value defines the number of test to be run concurrently against a single hosts and the max_hosts defines the maximum concurrent number of hosts that the nessusd server will scan. As you can see by the below image, I have set my default values to 4 checks and 10 hosts.

Regards,
JJC

managing snort rulesets cont...

2007-12-10T21:22:00.000-05:00

I need to amend my previous posting about the usage of Oinkmaster to automate and manage your Snort rules. I had added in the simple script a command that updates the sid-msg.map in a fairly unclean way. There is, infact, included within the /contrib of Oinkmaster a nifty little script called create-sidmap.pl. This script reads all of the rules from the rules path that you specify and generates sid-msg.map output that can be redirected into a clean sid-msg.map file.

The location in my original posting that should be changed is highlighted here:

secure2# vi /usr/local/bin/autooinkall.sh
#! /bin/sh
#
# simple script to run oinkmaster and obtain bleeding threat updates
# in addition to the regular snort.org updates
#
/usr/local/bin/oinkmaster -o /usr/local/etc/snort/rules/
/usr/local/bin/oinkmaster -C /usr/local/etc/oinkmaster-bleeding.conf -o /usr/local/etc/snort/rules/
cat /usr/local/etc/snort/rules/bleeding-sid-msg.map >> /usr/local/etc/snort/rules/sid-msg.map
/bin/kill -HUP `cat /var/run/snort_em1.pid`
/bin/kill -HUP `cat /var/run/by.pid`

This should be changed to /path/to/your/create-sidmap.pl /path/to/rules/ > /usr/local/etc/snort/rules/sid-msg.map so that the whole thing looks like the following:

secure2# vi /usr/local/bin/autooinkall.sh
#! /bin/sh
#
# simple script to run oinkmaster and obtain bleeding threat updates
# in addition to the regular snort.org updates
#
/usr/local/bin/oinkmaster -o /usr/local/etc/snort/rules/
/usr/local/bin/oinkmaster -C /usr/local/etc/oinkmaster-bleeding.conf -o /usr/local/etc/snort/rules/
/usr/lobal/bin/create-sidmap.pl /usr/local/etc/snort/rules > /usr/local/etc/snort/rules/sid-msg.map
/bin/kill -HUP `cat /var/run/snort_em1.pid`
/bin/kill -HUP `cat /var/run/by.pid`

Regards,
JJC

HeX 1.0.1R LiveUSB Image

2007-12-03T10:41:00.000-05:00

After receiving numerous requests to create a HeX Live USB Key Image, I have completed it. This image includes all of the standard tools that you will find on HeX and is writable; so you can update things (signatures etc), make changes and so on.

To use this tool, simply download it from the below location, decompress it and use dd to place it onto your USB Key. If you are not familiar with the dd syntax it's quite simple really; dd if=/path/to/extracted/hex-i386-1.0.1.usb.img of=/dev/da0 (your USB device). Note, that you should not dd this to a mounted partition, it will not work. You need to dd onto a USB Key that you don't mind losing the data on, because this will overwrite everything on that key. You can create a small partition after the dd (this of course assumes that you know how to do this, leaving the existing partition in-place) and have that to write data to etc...

This image does require a minimum 2G key (actually uses 1.75G), and has no minimum memory requirements (other than standard fbsd and X requirements).

https://secure.redsphereglobal.com/data/tools/security/live/hex-i386-1.0.1.usb.img.gz
http://secure.redsphereglobal.com:8080/data/tools/security/live/hex-i386-1.0.1.usb.img.gz
MD5 (hex-i386-1.0.1.usb.img.gz) = cd7489ba0a2a1fe824d286c72eee6842
SHA256 (hex-i386-1.0.1.usb.img.gz) = ffbb428145e0184d3848e45afee0d10ba41a4d9177688db10befc943dd4058f5

Please test this out and let me know how it works for you, or let the entire team at rawpacket.org know.

Regards,
JJC

beta.openpacket.org updates

2007-11-26T16:36:00.000-05:00

Several updates have been made to the http://beta.openpacket.org:8080 site, please stop by and help us continue to test the site.

Cheers,
JJC

InProtect Beta 0.80.2

2007-11-26T15:39:00.000-05:00

In the interest of continuing a good thing (although this post is a bit late), we have released a new bugfix version of InProtect 0.80.x. This version is 0.80.2 and can be found at our sourceforge download location.

We hope to have an official release out on or about the new year and are working hard to meet this deadline. I would like to thank all of the users for their feedback and continued support of this project. It is always refreshing and energizing when there is good positive community usage and feedback!

As always, I invite you to join us in freenode or arcnet in #inprotect to tell us about your experiences, issues, bugs and the like.

Regards,
JJC

FreeBSD jabberd port mysql bug

2007-11-26T15:05:00.000-05:00

As a quick post (esp since I have not been posting much lately) I recently ran into another issue with jabberd on freebsd. I say another, if you will remember a previous post concerning sasl - http://global-security.blogspot.com/2007/08/pidgin-on-linux-w-jabberd2-on.html.

This has more to do with cleaning up some of the errors that seem to exist in the mysql schema. Specifically, if you install jabberd2 from the ports tree "/usr/ports/net-im/jabberd" and configure it to use mysql as it's storage engine, you will receive several errors in your stdout our log files (depending on your configuration). These errors are generated when a users status changes, i.e. login, logout, away etc... I have included a quick snapshot of the errors below.

Nov 26 14:48:48 secure2 jabberd/sm[1629]: mysql: sql delete failed: Table 'jabberd2.status' doesn't exist
Nov 26 14:50:26 secure2 jabberd/sm[1629]: mysql: sql delete failed: Unknown column 'collection-owner' in 'where clause'
Nov 26 14:51:10 secure2 jabberd/sm[1629]: mysql: sql select failed: Unknown column 'object-sequence' in 'order clause'
Nov 26 14:51:10 secure2 jabberd/sm[1629]: mysql: sql insert failed: Unknown column 'status' in 'field list'
Nov 26 14:52:17 secure2 jabberd/sm[1629]: mysql: sql insert failed: Unknown column 'show' in 'field list'
Nov 26 14:52:58 secure2 jabberd/sm[1629]: mysql: sql insert failed: Unknown column 'last-login' in 'field list'
Nov 26 14:55:46 secure2 jabberd/sm[1629]: mysql: sql insert failed: Unknown column 'last-logout' in 'field list'
Nov 26 14:59:46 secure2 jabberd/c2s[1631]: [7] [192.168.1.2, port=3746] disconnect jid=user@test.com/Home, packets: 15
Nov 26 14:59:46 secure2 jabberd/sm[1629]: session ended: jid=user@test.com/Home
Nov 26 15:00:05 secure2 jabberd/c2s[1631]: [7] [192.168.1.2, port=3932] connect
Nov 26 15:00:05 secure2 jabberd/c2s[1631]: [7] SASL authentication succeeded: mechanism=DIGEST-MD5; authzid=user@test.com
Nov 26 15:00:05 secure2 jabberd/c2s[1631]: [7] bound: jid=user@test.com/Home
Nov 26 15:00:05 secure2 jabberd/c2s[1631]: [7] requesting session: jid=user@test.com/Home
Nov 26 15:00:05 secure2 jabberd/sm[1629]: session started: jid=user@test.com/Home

To remediate this, simply run the following against your jabberd2 mysql database:

CREATE TABLE `status` (
`collection-owner` varchar(256),
`object-sequence` bigint,
`status` text NOT NULL,
`show` text,
`last-login` int DEFAULT '0',
`last-logout` int DEFAULT '0',
PRIMARY KEY (`collection-owner`));

This will get ya going, I'm not gonna go into what's wrong with the script that is included in the jabberd2 install, I think that it's pretty straight forward.

Also note, I will try to post more regularly now but it's been a hectic few weeks for me (new job, family visiting etc...)

Cheers,
JJC

InProtect 0.80.1 Beta

2007-11-12T23:08:00.000-05:00

Fixed a few of the issues that everyone was experiencing... also updated the following:

clean install - fixed bad syntax issues
clean install - set proper version in db
clean install - changed admin to Admin in user group data (Admin is the original user for conformity)
upgrade - set proper version in db
upgrade - changed admin to Admin in user group data (Admin is the original installed user and this setting must match the current user so that proper access is given to Admin)

Also added note that Admin password is "admin" in INSTALL, this is changed as of versions 0.80.x

new tarball can be found here:

https://secure.redsphereglobal.com/data/tools/inprotect/inprotect-0.80.1.tar.gz
https://secure.redsphereglobal.com/data/tools/inprotect/inprotect-0.80.1.tar.gz.md5
https://secure.redsphereglobal.com/data/tools/inprotect/inprotect-0.80.1.tar.gz.sha256

We should have the sourceforge project site updated with this tarball at some point tomorrow. I will also be following up with upgrade instructions tomorrow, as the current instructions do not include details of upgrading to 0.80.x.

Cheers,
JJC

InProtect 0.80.0 Beta fixed clean install sql

2007-11-12T17:36:00.000-05:00

My apologies for the issues that people have been experiencing with the new Beta of InProtect, but please remember that this is the purpose of a beta.

I appreciate all of the feedback in IRC and comments on this blog. Below is the URL to a version of InProtect with a cleaned up clean install sql script. Note that you may still have issues with the actual install script (not the .sql) and I am working on that right now, hopefully will have that out shortly for you.

InProtect 0.80.0 Beta **FIXED**
MD5
SHA256

Regards,
JJC

InProtect 0.80.0 Beta Released!

2007-11-08T21:13:00.000-05:00

So we have *finally* managed to get the 0.80.0 Beta out the door, unfortunately the new packaged does not include any of the new info for the install or upgrade (there are twelve of us working on this). I'll be covering some of these topics in follow up articles over the next day or so.

Get the InProtect 0.80.0 Beta Here!

For now, let's talk about some of the major changes that we have incorporated into this version.

Gui:

Completely revamped menu system, access control driven.
User customizable dashboard.
Html and PDF report formats match.
Exportable xls reports.
Cleaned up excessive and unneeded sql queries to enhance speed.
Role-Based permissions.
Exception list for hosts.
Host specific lookup capabilities.
Cleaner interface.

Database:

All passwords are encrypted using user definable cryptographic standards such as blowfish.
Sensitive data is encrypted.
Database structure modified to allow for role-based permissions.
Database structure modified to enhance and improve large query response (including indexing).

Engine:

Max server scans are now run in a single session rather than multiple individual sessions, this reduces the load on both the nessus scanner and the InProtect console server.
Encryption and decryption functions added for sensitive data.
Multiple unneeded queries removed to enhance performance.
Query function creation and destruction cleaned up to enhance performance.

That is basically a quick run-through of the new features (there are more.. but these are the big ones IMHO). There are a few additional perl libraries that are not yet mentioned in the documentation contained in the 0.80.0 tarball but are required in addition too those mentioned in the documentation, I'll list them here for you.

New Perl libraries:

Crypt::CBC
MIME::Base64
IO::Socket
POSIX
Socket

This should be some good info to get you started for now, but as I said earlier, I will be posting some additional information (detailed info) for new installs and upgrades over the next few days. I will also try to update the official wiki and FAQ with these instructions.

So, for now feel free to download and play with it, let me know what you think, I can usually be found in #inprotect on freenode.

Cheers,
JJC

MySpace accont pwnage!

2007-11-05T13:36:00.000-05:00

As the title indicates and as I have wanted to write about for some time now, ever since I noticed that the MySpace login page is not protected by any type of encryption, this posting is about sniffing MySpace passwords off of your network...

To test this theory, and have a little fun, I used snort to sniff some packets off of a ToR (The Onion Router) system that I built specifically for this purpose. The results below are fairly self-evident, though the names, dates, and locations have been changed to protect the guilty ^_^. As we can see from the below highlighted output, the username is j00r_myspace_pwned@hotmail.com and their password is password12345. I am both surprised and not surprised to see this on the internet today.

POST /index.cfm?fuseaction=login.process HTTP/1.1
Host: secure.myspace.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.8) Gecko/20071008 Firefox/2.0.0.8
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://www.myspace.com/
Cookie: MSCulture=IP=10.10.10.10&IPCulture=en-US&PreferredCulture=en-US&Country=US&timeZone=0&ForcedExpiration=633298319485005304&USRLOC=QXJlYUNvZGU9MjA3JkNpdHk9Q2FtZGVuJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT01MDAmTGF0aXR1ZGU9NDQuMjI1MyZMb25naXR1ZGU9LTY5LjA5MjMmUG9zdGFsQ29kZT0mUmVnaW9uTmFtZT1NRQ%3D%3D; SessionDDF1=933aa40e14c3e8ee00fd99a3ab029eea43bb704eb259248a

Content-Type: application/x-www-form-urlencoded
Content-Length: 586

__VIEWSTATE=%2FwEPDwUKMTI3ODg2ODMzM2QYAQUeX19Db250cm9sc1JlcXV
pcmVQb3N0QmFja0tleV9fFgIFMGN0bDAwJE1haW4kU3BsYXNoRGlzcGxheSRjdGw
wMCRSZW1lbWJlcl9DaGVja2JveAUwY3RsMDAkTWFpbiRTcGxhc2hEaXNwbGF5JG
N0bDAwJExvZ2luX0ltYWdlQnV0dG9u&NextPage=&ctl00%24Main%24Splash
Display%24ctl00%24Email_Textbox=j00r_myspace_pwned%40hotmail.com
&ctl00%24Main%24SplashDisplay%24ctl00%24Password_Textbox=password12345&ctl00%24Main%24SplashDisplay
%24ctl00%24Login_ImageButton.x=26&ctl00%24Main%24SplashDisplay%24ctl00%24Login_ImageButton.y=14&ctl00%24
Main%24SplashDisplay%24ctl00%24nexturl=&ctl00%24Main%24SplashDisplay%24ctl00%24apikey=
HTTP/1.1 302 Found
Cache-Control: private
Content-Length: 214
Content-Type: text/html; charset=utf-8
Location: http://login.myspace.com/index.cfm?fuseaction=ad&MyToken=2d99f690-abae-4839-97dd-64b48d1edd52
Server: Microsoft-IIS/6.0
X-AspNet-Version: 2.0.50727
Set-Cookie: MYUSERINFO=; domain=.myspace.com; expires=Wed, 19-Jan-2005 08:28:17 GMT; path=/
Set-Cookie: MYUSERINFO=; domain=myspace.com; expires=Wed, 19-Jan-2005 08:28:17 GMT; path=/
Set-Cookie: USER=; domain=.myspace.com; expires=Wed, 19-Jan-2005 08:28:17 GMT; path=/
Set-Cookie: USER=; domain=myspace.com; expires=Wed, 19-Jan-2005 08:28:17 GMT; path=/
Set-Cookie: MYUSERINFO=MIICtQYKKwYBBAGCN1gDlqCCAqUwggKhBgorBgEEAYI3WAMBoIICkTCCAo0CAwIAAQICZgMCAgDABAjl8wldaxuF7AQQzm1U8TfL0hIgLZm%2f%2baYNBwSCAmDFTCkutM5yyyvSN8vTANn5kgTYOPD3DWWxRcRQEx2ehj0nYpz3kqS0jJaAnb1PD7auiaNq8XMaipcAFbJbzntSKmLEwK7H%2brQknmAbEpo4YP3ofM9GcZb5ZYWzN2hj%2bclZDsJ4M%2fEPlqDElkLW7cWbUGcP2KMMcd%2bxJDxL3tcHHNaZymfryqMHpEibZtUEs%2bvHjbbQ8pcVNm%2bFyfO8yfnIJ20BCwebS7ZiseN0D0I8yWuZRwULf
7HTAYB8jdhQyx49ULlkCUT4DL0iORqNL8Q3CvSdRwS7zT7cyBNC%2fg6%2b0Hy1D4NGHQcSzIXJ2tGg2%2bz5kCDPrARZVK5qgsSbI90ouN5LKu4kPLDd7w9%2fHtsFo%2ft%2bP4h4k%2fMq57s%2fuPPkM4J4h7ewHwEIVzv4lnk39l7QTthhroMwi9Qn196c%2fDNByifjkOAocz09n%2fB4t%2bzycg7B8VyIlY1P%2f29syvz%2ft5NbkbyYbAu6Sfz0%2biNM%2fjuqEFHAY1dGU6W%2btR8GD%2bGvsWttdb8kPXKL4x6HpIr1QyGIwk0SZEDr2oMzZjcQegezv3loAV9JivU8HmYaaibwLMJUVIPv6uvvr1slqJ%2f7dmG6hjFeEDjb4uEvrYfZrV0R75JQPd3W6MXjciL%2bRW3YDuK
XGghi9I70PnpFuWeEkzE11U2IkyX3jb6GP4uOAl4KEZtQoF8LSsezdXPjlBP%2f1Q0upnPXJTzy0RNTfZZ0bdOuqnC13%2fNXIL96aZKgo0KVILrKN7E2uJYGkavoYyeK7Efolb%2f%2fgLSrX%2bUoicGc2oLceCWhrVxXdZAVt%2b0c7YNUTQ%3d%3d; domain=.myspace.com; path=/; HttpOnly
Set-Cookie: MSCulture=IP=10.10.10.10&IPCulture=en-US&PreferredCulture=en-US&Country=US&timeZone=0&ForcedExpiration=633298319485005304&USRLOC=QXJlYUNvZGU9MjA3JkNpdHk9Q2FtZGVuJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT01MDAmTGF0aXR1ZGU9NDQuMjI1MyZMb25naXR1ZGU9LTY5LjA5MjMmUG9zdGFsQ29kZT0mUmVnaW9uTmFtZT1NRQ==; domain=.myspace.com; expires=Mon, 12-Nov-2007 12:00:36 GMT; path=/
Set-Cookie: LASTUSERCLICK=%7bts+'2007-11-05+04%3a00%3a36'%7d; domain=.myspace.com; path=/
Set-Cookie: GADC=EUD=0:0:YTVkMTA4OTQ5ZDg5ZWI0OekNaTFtgDI_S7P6H2jrQzkk4nPuDPBbmATsWT8Cbo-Vd3Hgs227A2MQcf3dzClR3nwSH5PPEg8uiygF6KzHRgPJYhvfCX0YsIcKZKOEwjO3; domain=.myspace.com; expires=Fri, 05-Nov-2027 11:00:36 GMT; path=/
Set-Cookie: SplashDisplayName=j00r_myspace_pwned; domain=.myspace.com; path=/
Set-Cookie: D
ERDB=ZG9tYWluPS5teXNwYWNlLmNvbSZ0bGQ9Y29tJnNtb2tlcj0yJnNleHByZWY9MSZ1dHlwZT0yJnJlbGlnaW9uaWQ9MCZyZWdpb249MjAmcG9zdGFsY29kZT0wNDU3MiZtYXJpdGFsc3RhdHVzPU0maW5jb21laWQ9MCZoZWlnaHQ9MTcxJmdlbmRlcj1NJmZyaWVuZHM9MSZldGhuaWNpZD04JmFnZT0zMCZib2R5dHlwZWlkPTYmY2hpbGRyZW5pZD00JmNvdW50cnk9VVMmZGF0aW5nPTAmZHJpbmtlcj0xJmVkdWNhdGlvbmlkPTEmcmVsYXRpb25zaGlwcz0wJm5ldHdvcmtpbmc9MCZkaXNwbGF5bmFtZT1KZXJlbXkmZnJpZW5kaWRfaW50PTE0MzE0MDkxNyZpcGFkZHJlc3M9JzY
5LjM5LjExMC4yNycmc2NobD0wJnNjaGw9MCZzY2hsPTAmZ3JwPTAmZ3JwPTAmZ3JwPTAmY3VsdHVzZXJwcmVmPTEwMzM=; domain=.myspace.com; path=/
Set-Cookie: MSCulture=IP=10.10.10.10&IPCulture=en-US&PreferredCulture=en-US&Country=US&timeZone=0&ForcedExpiration=633298319485005304&USRLOC=QXJlYUNvZGU9MjA3JkNpdHk9Q2FtZGVuJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT01MDAmTGF0aXR1ZGU9NDQuMjI1MyZMb25naXR1ZGU9LTY5LjA5MjMmUG9zdGFsQ29kZT0mUmVnaW9uTmFtZT1NRQ==; domain=.myspace.com; expires=Mon, 12-Nov-2007 12:00:36 GMT; path=/
Set-Cookie: Login=; domain=.myspace.com; path=/
X-Server: ce28ca171d6578a0dad1823b61ec8978cabea8d4955341dd
Date: Mon, 05 Nov 2007 12:00:36 GMT

I am surprised because I know that MySpace receives a large amount of traffic and has quite the large user base, I would therefore think that they would provide SSL/TLS transport as a minimum to protect the authentication information of their user base. But I am also not surprised by the fact that this is yet another blaring sign pointing to the fact that many organizations, engineers and so on do not take security seriously, nor do they develop with security as even so much as an afterthought.

I also find it quite humorous that they actually have "Safety Tips" on their site. Probably the most humerus of which is their sixth tip on that page: "Don’t get hooked by a phishing scam. Phishing is a method used by fraudsters to try to get your personal information, such as your username and password, by pretending to be a site you trust. Click here to learn more." I suppose that they are right though...I mean, why submit your information to a phishing site/scam when they can just sniff your traffic and own your account!

Of course gaining access to the users account is only the beginning, this opens up the door to a whole realm of possibilities, given the fact that *most* users will use the exact same password for all of their accounts. Or they will at least use a basic derrivation of that password, an example would be adding a different number to the end in each instance i.e. password1, password2, password3. Compromising the email account associated with the MySpace account also makes it extremely easy to gain additional information about an individual and ultimately be able to steal various types of sensitive information or even to further breach their resources (corporate accounts and the like).

With the use of ToR and various anonymizers growing every day, and the level of expertise / knowledge of the basic ToR user not being that of a security minded individual, it is surprisingly easy to grab a number of MySpace user accounts in short-order. During my testing period (roughly two weeks) of running a ToR server and sniffing for the magic MySpace packet, I was able to build a database of over 20 accounts and their associated passwords. Conceivably I could create a network of ToR servers and be able to easily own accounts at a fairly rapid rate.

All of this said, I strongly urge MySpace to purchase an SSL cert or two and use them, if nothing more than for the login process "This is what google does with gmail, a user browses to http://gmail.google.com and to logon is redirected to the https:// site, after authentication they are directed back to the http:// site".

For fun, I have included below a snort rule that should catch the magic MySpace packet ;-), this is from bleedingthreats.net.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY Myspace Login Attempt"; flow:established,to_server; content:"login.myspace.com"; uricontent:"/index.cfm?fuseaction=login"; classtype:policy-violation; sid:2002872; rev:2;)

I would like to thank Jeff for sending me some of his pcap data for analysis!

Cheers,
JJC

Coming Soon - InProtect 0.80.0 Beta

2007-11-04T21:52:00.000-05:00

I am excited to announce that we are on track for a beta/alpha release of InProtect 0.80.0 this coming week. You will see a great deal of enhancements in this version, including cleaner reports and graphs, user customizable dashboard, more efficient scan scheduler and controller...and much more!

I have included a "teaser" screenshot below. Note that the latest code is always available from the InProtect Sourceforge SVN repo (but that should be considered "alpha" only)...since we are consistently making changes, fixes, tests and updates...

I am also entertaining the idea of replacing / augmenting the nmap functionality with unicornscan (sice unicorns are fast! <3 Unicorns), let me know what your thoughts / concerns / comments are.

Cheers,
JJC

Nessus 3.06 on Ubuntu 7.10 _Gutsy Gibbon_

2007-10-31T21:41:00.000-04:00

Post upgrading to Gutsy Gibbon on one of my test systems I needed to install an application that I regularly use (Nessus). To install this I downloaded the standard Nessus 3.0.6 deb package from nessus.org and attempted install via the package manager. The installation attempt produced the following Error: Dependency is not satisfied: libssl0.9.7. Normally I wouldn't write about this, but given the fact that I noticed several locations on the internet (various forums and blogs) about this issue being unresolved for many users I figured I would post what worked for me.

The first thing that I did was install libssl-dev "sudo apt-get install libssl-dev". After installing libssl-dev I again attempted to install the Nessus 3.0.6 deb package and received the same error " Error: Dependency is not satisfied: libssl0.9.7". My next step was to download libssl0.9.7_0.9.7g-5ubuntu1.1_i386.deb directly from packages.ubuntu.com and install this deb package. That's what did the trick, Nessus is now up and running and everyone (me) is happy.

Cheers,
JJC

HeX-VA (Virtual Security Appliance)

2007-10-29T10:02:00.001-04:00

I am pleased to announce the release of the HeX Virtual Appliance!

To facilitate quick and easy use of the tools that are built into the HeX Live CD, we have installed the Live CD on four Virtual Machines to create four Security Virtual Appliance Images. These images are intended to aide in the rapid deployment and usability of the HeX Live Toolkit and we are dubbing it HeX-VA. The images are designed for use with Parallels, Qemu, VMware and Virtualbox virtualization technologies. If you have any problems using these images or have any suggestions, please feel free to contact us or stop by #rawpacket on freenode.

Thanks to geek00l for the screenshots and continued hard work on this project! I have included the US Mirrors below for your downloading pleasure. If you are not US based, there are other Malaysian mirrors listed on the official rawpacket.org site under the Virtual Appliance project section.

HeX-Paralleles | md5 | sha256
HeX-Qemu | md5 | sha256
HeX-VMware | md5 |sha256
HeX-Virtualbox | md5 |sha256

I'll be posting some detailed directions shortly on the usage of NTop and some specifics on tuning it for your environment (by request).

Cheers,
JJC

Screenshots of various HeX-VAs:

HeX 1.0.1 Release (Bug Fixes)

2007-10-26T14:30:00.000-04:00

So, due to several flaws that people were experiencing with HeX 1.0R we are releasing an updated version (1.0.1). The fixes in this version include increased bootup speed; during the extraction and loading of the data into mfs /var, the IO process of several different system types was causing an apparent system hang, this has been resolved.

Another major issue that was occurring was with the msfweb not loading properly or not functioning when loaded. It turns out that this was actually a firefox related issue; deleting ~/.mozill/firefox and using the global Firefox configuration fixed the problem (note that this also fixed javascript issues in ntop and darkstat).

As geek00l says, we are "shamelessly" releasing this fixed version. As always please give it a roll and let us know if you experience any issues. You can report bugs using our Trac interface, the Mailing List or via IRC in #rawpacket on freenode.

Download URLs:

Cheers,
JJC

Openpacket.org Beta

2007-10-23T12:01:00.000-04:00

The openpacket.org beta site is live (and has been for a while, but I did not think to post about it) :-\

This site is the brainchild of Richard Bejtlich who announced the beta at http://openpacket.blogspot.com. Please swing by and drop some pcap data or just some comments / requests.

The site is located at http://beta.openpacket.org:8080

Cheers,
JJC

InProtect, on track for alpha release

2007-10-22T11:40:00.000-04:00

...We hope to have an alpha/beta release of the upcoming InProtect 0.80.0 within two weeks.

Good positive progress has been made tuning all of the elements of the engine itself for improved performance in lowering the overall load of the scheduling engine itself. We are currently working on migration scripts for users using both the 0.22.5 and 0.22.5JC versions.

You will see some big database changes and enhancements to the GUI in the form of role-based permissions, a per-user customizable dashboard at login, cleaned up table indexes and optimized queries and much much more.

Cheers,
JJC

Ubuntu Upgrade...or not (with compiz)

2007-10-20T19:52:00.000-04:00

Perhaps it was a lack of patience on my part, or poor forward planning on Ubuntu's part, but I could no longer continue to attempt upgrading after what was likely the 30th failed attempt. As a result of this upgrade attempt outcome I decided to backup the /home/* directories and perform a clean install.

As one would expect the standard install succeeded with no problem. The expected options were available from custom partitioning to setting initial user and permissions during the installation. The only real issue that I had was with the "seamless" compiz implementation that I had heard so much about.

For this installation I used an HP laptop that I have, this laptop contains an ATI X series video card and therefore supports 3D acceleration. I was disappointed that the compiz (3D) desktop acceleration did not work out of the box, so here is what I did to make it work: Initially I simply tried to enable Extra effects after enabling the proprietary video card. This only produced the error "Composite extension not found"...after enabling in xorg.conf (as described below) I received the fairly generic error "Unable to enable visual effects" or similar... So here are my steps to enable compiz on Ubuntu 7.10 with ATI drivers (what worked for me)

Enable all of the repos that have proprietary software and the like System -> Administration -> Software Sources.
Enable the proprietary video card driver from the Restricted Drivers Manager.
Make sure composite extensions are enabled : vi /etc/X11/xorg.conf

Section "Extensions"
Option "Composite" "1"
EndSection

Install xserver-xgl "sudo apt-get install xserver-xgl
Install compizconfig-settings-manager "sudo apt-get install compizconfig-settings-manager" *this is not a requirement but gives you a level of customization that is nice.
Restart X
Try it out System -> Preferences -> Appearance -> Visual Affects (select what you want here...I used Extra then Custom from the last apt-get install)

Everything else worked nicely, enabled the proprietary fwcutter for my wireless card and it worked, no more mucking with it as in previous versions, very nice!

All in all, I give this version a Thumbs Up despite the upgrade mess, seems more stable so far and clean.

Hope this helps someone out :-)

Cheers,
JJC

Ubuntu Upgrade to 7.10 Strike 2

2007-10-19T22:12:00.000-04:00

As I write this, I have attempted roughly 10 "upgrades" via the Update Manager with the same result each time as displayed below.

Obviously this is producing some anxiety on my behalf, as I am anxious to upgrade. That said, I fear that the upgrade process, much like previous upgrade processes from the Ubuntu folks, is a complete joke.

In preparation for the joke to be a fact, I kicked off the download and noted again that the servers are getting hammered... bitTorrent anyone?

Cheers,
JJC

Ubuntu 7.04 to 7.10 Upgrade Notes pt 1

2007-10-18T23:22:00.000-04:00

Time to see if the Ubuntu folks have cleaned up their upgrade process. Previous upgrade attempts have been painful to say the least (this means pre-7.10).

I kicked the process off at about 21:30 EST by updating my existing 7.04 installation with all of the latest package updates as noted in the Ubuntu upgrade process documentation. The update went smoothly with the simple exception that a boatload of other users must be doing the same thing and loading up the repos. I did have to restart the updates a few times to get all files to download (again, likely related to repo overload, considering the fact that I regularly update my Ubuntu systems and this is not a normal occurrence). It should be noted that the Upgrade to 7.10 option was available prior to updating my packages, but IAW the upgrade documentation I performed the package update first.

The first thing we do after making sure all packages are updated is click on the Upgrade button to kick off the 7.04 to 7.10 upgrade process and again click Upgrade in the release notes. This kicked off the upgrade process and started to download the Upgrade Tool (again a little slow...likely load related). Once the Upgrade Tool finished downloading and kicked off, more downloading and waiting as the Upgrade Tool runs through upgrade preparations, software channel modifications, fetching upgrades, installing upgrades, clean up and system restart.

This is where the trouble began, again I suspect due to load on the distribution servers. After waiting for about an hour on file 50 of 56, I canceled the process and started again in the hopes that it would jumpstart the download. Unfortunately this did not work, so I left it to fetch overnight, and woke up to the screenshot to the right.

With all of the excitement and everyone else attempting to update and upgrade at the same time, I'll be intermittently trying to complete my upgrade over the next week in the hopes that it will complete. That being said, I have spoken with a few of my associates that were able to fetch all of the upgrade files (~6 hours of downloading at painfully slow rates) and they had their upgrade fail roughly halfway through the process, thereby rendering their system useless and forcing a clean install of 7.10.

The same associate of mine "giovani" also suggested using bittorrent for the mass distribution medium, to alleviate some of the pain that we are all feeling with the seemingly overloaded repos. Something definitely needs to be done, bittorrent or otherwise, to clean up these load produced upgrade and update failures.

More to follow...

Cheers,
JJC

Optimizing MySQL on FreeBSD part 1

2007-10-18T15:37:00.000-04:00

I have written a few other times at a few separate locations about tuning MySQL in the past, so I'm going to attempt and write a bit of updated material and keep it all in one place, this blog. I will be following up in the next few months concerning additional tuning steps that can be taken.

Recently while browsing the interweb, I came across a nifty little perl script written by Major Hayden of rackspace.com.

I put a copy of this perl script here for ease of downloading and use. To get it, simply download -> extract it -> make executable. Of course you need perl installed to use it...

Some examples of output that I received when I ran the script ./mysqltuner.pl on one of my higher transaction test servers:

General recommendations:
Reduce your overall MySQL memory footprint for system stability
Enable the slow query log to troubleshoot bad queries
Reduce or eliminate persistent connections to reduce connection usage
Adjust your join queries to always utilize indexes
Variables to increase:
*** MySQL's maximum memory usage exceeds your installed memory ***
*** Add more RAM before increasing any MySQL buffer variables ***
max_connections (> 125)
key_buffer_size (> 11.1G)
query_cache_size (> 256M)
join_buffer_size (> 1024.0M, or always use indexes with joins)
Variables to decrease:
wait_timeout (<>

I modified most of the variables in question in my /etc/my.cnf and restarted mysqld and let it run for a few days. I then ran the script again and got the following output:

./mysqltuner.pl
MySQL High-Performance Tuner - Major Hayden
Bug reports, feature requests, and downloads at mysqltuner.com
Run with '--help' for additional options and output filtering
Please enter your MySQL login: root
Please enter your MySQL password:
[OK] Currently running supported MySQL version 5.0.41-log
-------- General Statistics --------------------------------------------------
[--] Up for: 6d 5h 5m 20s (8M q [16.393 qps], 139K conn, TX: 2G, RX: 4G)
[--] Reads / Writes: 65% / 35%
[!!] Maximum possible memory usage: 442.7G (1341% of installed RAM)
[OK] Slow queries: 0%
[OK] Highest usage of available connections: 49%
[OK] Key buffer size / total MyISAM indexes: 12.0G/11.1G
[OK] Key buffer hit rate: 99.8%
[OK] Query cache efficiency: 31.5%
[OK] Query cache prunes per day: 0
[OK] Sorts requiring temporary tables: 0%
[!!] Joins performed without indexes: 2838670
[OK] Temporary tables created on disk: 0%
[OK] Thread cache hit rate: 99%
[OK] Table cache hit rate: 78%
[OK] Open file limit used: 13%
[OK] Table locks acquired immediately: 99%
-------- Recommendations -----------------------------------------------------
General recommendations:
Reduce your overall MySQL memory footprint for system stability
Enable the slow query log to troubleshoot bad queries
Adjust your join queries to always utilize indexes
Variables to increase:
*** MySQL's maximum memory usage exceeds your installed memory ***
*** Add more RAM before increasing any MySQL buffer variables ***
join_buffer_size (> 1.5G, or always use indexes with joins)

All in all, this is a highly useful script to get some quick stats and easy adjustment variables to help tune your MySQL server. I should also note that this is not specific to FreeBSD, but I happen to be a FreeBSD junkie and this this was all tested on a FreeBSD 6.2 Rel box.

Cheers,
JJC

Canonical releases Ubuntu 7.10

2007-10-18T11:32:00.000-04:00

Canonical Ltd. released the latest version (7.10) of the Ubuntu Server, Desktop, Kubuntu and Edubuntu Editions today. You can get more information about these releases and download them at the official Ubuntu site.

The Ubuntu developers have also created an upgrade path for users that are currently on the 7.04 ("Feisty Fawn") release. As stated on their website, the migration is as simple as insuring that all updates have been applied to your Feisty Fawn installation then opening System -> Administration -> Update Manager -> Select Upgrade (you may need to check for new updates). At this point you simply follow the on-screen instructions.

I will be testing this process tonight on my HP laptop and posting my results when complete.

Cheers,
JJC

HeX Live 1.0 Release

2007-10-18T09:49:00.000-04:00

After 6 months of heavy development and debugging I am pleased to announce the release of the HeX Live CD 1.0 Release. What is HeX Live? HeX Live is the worlds first and foremost Network Security Monitoring & Network Based Forensics liveCD. The intent is to provide a wide array of highly usable tools in a pre-packaged format that the analyst can use to investigate and monitor real-time network activity, whether security related or in the course of reviewing traffic to determine bandwidth over utilization sources and so on...

This will be the final major release of HeX LiveCD until the release of FreeBSD 7.0 Rel, this is of course pending no major bugs are located in HeX 1.0R. If there are any major bugs found, then a bug-fixed HeX will be released prior to FreeBSD 7.0 Rel.\\

For a detailed list of what applications can be found on HeX Live 1.0R check out the actual project at rawpacket.org.

I have also included in this posting the CD covers that were created by vickz, fantastic work man! You can download the HeX LiveCD 1.0R from the following locations:

US Server (East Coast) | MD5 | SHA256 | User Guide
Malaysia Server | MD5 | SHA256 | User Guide

I will try to get some decent screenshots posted soon so that everyone can see just how slick the HeX LiveCD 1.0R really is. I would also suggest that you download it and play with it. There are a good number of tools on here for packet monkeys of all ages and skill to have a good old time!

I'll leave it at that for now, and again would like to thank the community for their support and feedback throughout the development process of this tool.

Shout to Geek00l for organizing everything and kicking some a$$!
Shout to ch4flgs_ and zarul for everything!
Shout to all others involved in this project (esp for putting up with me)

Cheers,
JJC

Loose lips sink ships!

2007-10-10T12:57:00.000-04:00

During recent interweb browsing and reading I came across the following and have to comment, it's been in the news lately but this just brought it up again for me; http://www.nysun.com/article/64163.

WASHINGTON — Al Qaeda's Internet communications system has suddenly gone dark to American intelligence after the leak of Osama bin Laden's September 11 speech inadvertently disclosed the fact that we had penetrated the enemy's system.

The intelligence blunder started with what appeared at the time as an American intelligence victory, namely that the federal government had intercepted, a full four days before it was to be aired, a video of Osama bin Laden's first appearance in three years in a video address marking the sixth anniversary of the attacks of September 11, 2001. On the morning of September 7, the Web site of ABC News posted excerpts from the speech.

But the disclosure from ABC and later other news organizations tipped off Qaeda's internal security division that the organization's Internet communications system, known among American intelligence analysts as Obelisk, was compromised. This network of Web sites serves not only as the distribution system for the videos produced by Al Qaeda's production company, As-Sahab, but also as the equivalent of a corporate intranet, dealing with such mundane matters as expense reporting and clerical memos to mid- and lower-level Qaeda operatives throughout the world.

Has the media lost all of their capability to make good discretionary decisions? Further, typically they have subject-matter experts, one would think that such experts would know better. But I suppose that it is all about the ratings and making that next buck!

While intranets are usually based on servers in a discrete physical location, Obelisk is a series of sites all over the Web, often with fake names, in some cases sites that are not even known by their proprietors to have been hacked by Al Qaeda.

Similar to a botnet etc... effectively a chain of pwned servers. This is certainly not a new concept and usage of such a concept in conjunction with services such as ToR (The Onion Router) would make tracking Obelisk users virtually impossible.

One intelligence officer who requested anonymity said in an interview last week that the intelligence community watched in real time the shutdown of the Obelisk system. America's Obelisk watchers even saw the order to shut down the system delivered from Qaeda's internal security to a team of technical workers in Malaysia. That was the last internal message America's intelligence community saw. "We saw the whole thing shut down because of this leak," the official said. "We lost an important keyhole into the enemy."

We most certainly did lose an important keyhole, ya think? If a keyhole is what you would call it. The intel received from such a source could easily help thwart future planned terrorist and military actions etc...

By Friday evening, one of the key sets of sites in the Obelisk network, the Ekhlaas forum, was back on line. The Ekhlaas forum is a password-protected message board used by Qaeda for recruitment, propaganda dissemination, and as one of the entrance ways into Obelisk for those operatives whose user names are granted permission. Many of the other Obelisk sites are now offline and presumably moved to new secret locations on the World Wide Web.

The founder of a Web site known as clandestineradio.com, Nick Grace, tracked the shutdown of Qaeda's Obelisk system in real time. "It was both unprecedented and chilling from the perspective of a Web techie. The discipline and coordination to take the entire system down involving multiple Web servers, hundreds of user names and passwords, is an astounding feat, especially that it was done within minutes," Mr. Grace said yesterday.

I agree with Mr. Grace, to an extent, it would be a feat indeed if individual personnel were involved. I think that it's also plausible to think that this network operated much like a botnet. From that perspective there could have been a simple command or series of commands that initiated the automatic shutdown or action to be taken in the event of a security breach.

The head of the SITE Intelligence Group, an organization that monitors Jihadi Web sites and provides information to subscribers, Rita Katz, said she personally provided the video on September 7 to the deputy director of the National Counterterrorism Center, Michael Leiter.

Ms. Katz yesterday said, "We shared a copy of the transcript and the video with the U.S. government, to Michael Leiter, with the request specifically that it was important to keep the subject secret. Then the video was leaked out. An investigation into who downloaded the video from our server indicated that several computers with IP addresses were registered to government agencies."

Yesterday a spokesman for the National Counterterrorism Center, Carl Kropf, denied the accusation that it was responsible for the leak. "That's just absolutely wrong. The allegation and the accusation that we did that is unfounded," he said. The spokesman for the director of national intelligence, Ross Feinstein, yesterday also denied the leak allegation. "The intelligence community and the ODNI senior leadership did not leak this video to the media," he said.

Ms. Katz said, "The government leak damaged our investigation into Al Qaeda's network. Techniques and sources that took years to develop became ineffective. As a result of the leak Al Qaeda changed their methods." Ms. Katz said she also lost potential revenue.

A former counterterrorism official, Roger Cressey, said, "If any of this was leaked for any reasons, especially political, that is just unconscionable." Mr. Cressey added that the work that was lost by burrowing into Qaeda's Internet system was far more valuable than any benefit that was gained by short-circuiting Osama bin Laden's video to the public.

I personally think that it's more than unconscionable, I dare say it's borderline treason!

While Al Qaeda still uses human couriers to move its most important messages between senior leaders and what is known as a Hawala network of lenders throughout the world to move interest-free money, more and more of the organization's communication happens in cyber space.

"While the traditional courier based networks can offer security and anonymity, the same can be had on the Internet. It is clear in recent years if you look at their information operations and explosion of Al Qaeda related Web sites and Web activities, the Internet has taken a primary role in their communications both externally and internally," Mr. Grace said.

Cheers,
JJC

HeX Live Pending Release

2007-10-09T16:27:00.000-04:00

For all of you anxious packet monkeys out there, the HeX LiveCD 1.0R will soon be available. We are running through extensive tests and bug fixing excersizes right now, but anticipate releasing this new version within the next week. I'll post an update once released, as well as the standard US mirrors.

This project has also been gaining a good amount of momentum and continued community support. I would like to thank all involved, esp geek00l and chfl4gs_ (the core founders)!

If you want some additional information concerning this project, please check out www.rawpacket.org!

Cheers,
JJC

InProtect Wiki and Update

2007-10-09T16:04:00.000-04:00

The project continues to gain speed and support from the community (thanks again everyone!). The core team is currently meeting every other Sunday, in the secret InProtect cave, to hash out the roadmap and future plans. Unfortunately I was not in town for the most recent meeting and away from the interweb and therefore did not make the meeting.

However I still have some updates that I can post;
The InProtect Wiki is now online and we will be working hard to keep it updated with the latest goodies, FAQ, etc...! http://inprotect.wiki.sourceforge.net, please check it out and let us know what we can do to improve it or what you would like to see added.

I continue to get visitors to #inprotect on irc.freenode.net and appreciate all of the continued feedback.

We anticipate having the CVS -to- SVN conversion done shortly and subsequently publishing an Alpha release of the new version. We will also be updating the InProtect home page with meeting notes, roadmap and so on, in the near future!

Cheers,
JJC

FIXED::[Bug 1641] NessusClient 3.0.0 Beta 4 Crash on Server Connect

2007-10-01T11:39:00.000-04:00

I must say that I am quite pleased with Renaud Deraison of nessus.org for his rapid response and remediation of the bug that I discovered last week (NessusClient 3.0.0 Beta 4 Bug). There was an uninitialized pointer when a class was created from an XML file (rather than dynamically), which in turn created a bad memory access and therefore crashed the client.

Nessus.org has posted a fixed version, Beta 5 of the 3.0.0 NessusClient at their typical download location: http://www.nessus.org/download/.

I would also like to add to my previous posting about the feature set of the NessusClient and it's inability to export to XML (this is still true) but can be worked around (too a degree anyway). When you scan a host and if you chose to save the session, upon exiting the NessusClient, it creates a .nessus file which is pure XML (albeit it's a different XML format than the CLI xml), and which contains much more information about the scan than the other formats (it contains all the scan results, the policies, the targets associated to each scan, etc...

Thx again Renaud!

Cheers,
JJC

HeX Live Update

2007-09-28T10:49:00.000-04:00

Excerpt from geek00l:

For all the HeX liveCD users out there, we have been developing this liveCD for quite sometimes and I have received some positive and negative comments and various inputs from the users, therefore instead of me receiving the email and redirect to other co-developers, I decide to create the mailing list for the HeX liveCD so that it will has life of its own ;P

There you go -

http://groups.google.com/group/HeX-liveCD?hl=en

Since this is public group and mainly used for mailing list management, I decided to use google group as it is convenience and easy. Therefore feel free to join us!!!!!

On the other hand, you can visit us at Freenode #rawpacket. Most of us are slacking there.

I would also like to thank everyone for their feedback and support of this project, one small step at a time. As to some additional information, there has been some discussion surrounding the creation of a VM image / Virtual Appliance that would embody the HeX Live CD capabilities and give the network analyst a broad set of tools. I'll post updated about this as they are available.

Cheers,
JJC

Security - The Global Perspective

Automated Teller Phone Phishing

PulledPork 0.6.0 the Smoking Pig, He's on Fire!

Snort 2.9.0.2 on FreeBSD i386 the easy way!

Haz The Drowning Rat? - PulledPork 0.5.0 is now floating!

Snort 2.9.0 is teh outed, must haz bakon!!

The Pig Doktah is Born! - A Snort Performance Monitor Interpretation Tool

Snort Performance Stats Tool Info

PulledPork 0.4.2 501 error when downloading rules

PulledPork 0.4.2 - get it while it's hawt!

PulledPork 0.4.1, I see your sensitive data!

Snort 2.8.6 Release is OUT, WGET it nao! kthx!

Pulling Pork with the Drunken Leprechaun (PP 0.4.0)

Hogging the Snort Host Attribute Table

Writing Snort Rules Correctly (via Joel Esler)

ET Rules and /\s?/

Time to own your rules - PulledPork 0.3.4 Released!

Pulledpork v0.2.5 - Released

Snort 2.8.5 at snort.org... get it while it's hot!

pulledpork google group

pulledpork 0.2.2 and new features

Snorby for Snort, a Recipe with Barnyard2 and Unified2

PayPal shuts Hackers for Chartity down?

BASE / ACID outdated reference links - a fix

Fly Clear, Sensitive Data Disposal Concerns

pulledpork included in Security Onion LiveCD

How to block robots.. before they hit robots.txt - ala: mod_security

pulledpork tarball

v0.2 Beta 1 is the outed! -> pulledpork that is <-

PulledPork Checkin

Pimping Tha All New Snort.org

Baconator Renamed => Pulled_Pork

Baconator 0.1 Beta 2 (try me)

N.J. accidentally reveals personal data of 28K unemployed residents

Snort 2.8.5 at snort.org... get it while it's hot!

DC Agency Accidentally Emails PII about College Financial Aide Applicants <= WHAT?

Baconator - Shared Object Snort Rule Management!

Can Haz Snort 2.8.4!

Snort 3.0 Beta 3!

Unofficial Snort 2.8.3.x patch for GCC 4.3.x build errors

InProtect 1.00.0 Beta_2 VMWare Image

PHPIDS Phase 1.1

twitter

openpacket.org

New IDS/IPS technologies

HeX 2.0 USB RC1 (4G)

HeX 2.0R Released!

Slack @$$?

How are your "Debian" SSL certs doing

"Block the Bad" OSS IPS with Content Filtration and Transparent Proxy Acceleration pt 1.

Cisco Acquires Sguil!

Oh noes, can't has document drops!!

pauldotcommunity.blogspot.com

FreeBSD USB Booting Issues (BTX)

HeX 1.0.3 LiveUSB Final (Bug Fixes)

Security Torrents

FreeBSD 7.0 Released

Shmoocon 4 in review

InProtect LiveUSB 0.80.3 Beta!

HeX 1.0.3 LiveUSB (CNY Release)

Shmoocon Starts Tomorrow

HeX 1.0.3, the CNY Release

Column Update - Global Security

HeX and NSM-Console Writeup in ISSA Journal

How do I know if my Snort implementation is working?

HeX Virtual Appliance Image: 1.0.2R

HeX 1.0.2 LiveUSB Update

Screencast: An Introduction to NSM-Console

HeX 1.0.2R LiveUSB Release

Happy New Year!

Ubuntu Bashing Continued

InProtect Update...

managing snort rulesets cont...

HeX 1.0.1R LiveUSB Image

beta.openpacket.org updates

InProtect Beta 0.80.2

FreeBSD jabberd port mysql bug

InProtect 0.80.1 Beta

InProtect 0.80.0 Beta *fixed clean install sql*

InProtect 0.80.0 Beta Released!

InProtect 0.80.0 Beta fixed clean install sql