Wednesday, June 30, 2004

Review of Network Security Hacks Posted

Amazon.com just posted my four star review of Network Security Hacks. My review probably sounds a little harsher than I intended, but I was worn down trying to get SPADE to integrate with a version of Snort newer than 2.0.5. The review mentions finding Spade 030125.1 on a Polish student's FTP site, which seems to be the only place it exists, aside from an old Archive.org copy. It seems the snort.conf v. 1.85 is the last to include SPADE directions in its text, even though the contrib directory has a really old SPADE version (Spade-092200.1.tar.gz), from Sep 00. Anyway, from the review:

"'Network Security Hacks' (NSH) has something for nearly everyone, although it focuses squarely on Linux, BSD, and Windows, in that order of preference. Administrators for commercial UNIX variants (Solaris, AIX, HP-UX, etc.) should be able to apply much of the book's advice to their environments, but they are not the target audience. NSH is written for admins needing quick-start guides for common security tools, and in this respect it delivers."

Sunday, June 27, 2004

Review of Secure Architectures with OpenBSD

Amazon.com just posted my five star review of Secure Architectures with OpenBSD. From the review:

"About a year ago I read and reviewed Michael Lucas' excellent "Absolute OpenBSD." That book covered OpenBSD 3.2 and the CURRENT of that time, pre-3.3. Palmer and Nazario's "Secure Architectures with OpenBSD" (SAWO) addresses OpenBSD 3.4, which at the time of writing is just behind the current release (3.5). Lucas' book is an excellent introduction to OpenBSD by a relative outsider; SAWO is a more detailed discussion by insiders. Each has its strengths and I highly recommend both."

Contribute Your dmesg Output

Do you run one of the BSDs? If so, consider sending the output of the dmesg command to the New York City BSD User's Group dmesg board. This is a great way to share information on supported hardware. I learned about this site through BSDNews.com. A response to that story mentioned this site which tracks SMP systems running FreeBSD.

Thursday, June 24, 2004

Interesting Email from Stephen Northcutt... or not?

If you're on a SANS mailing list you might have received the following email from "Stephen Northcutt." I haven't decided if it's true or not. I'm wondering why I would have received it, unless someone forged the message after acquiring a SANS email list? The alternative means Stephen Northcutt himself is making some odd claims...

"From - Thu Jun 24 22:27:26 2004
X-UIDL: 40a19c3900000b29
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Return-Path:
...edited...
X-ClientAddr: 63.100.47.56
Received: from 63-100-47-56.sans.org (63-100-47-56.sans.org [63.100.47.56])
...edited...
Date: Fri, 25 Jun 2004 2:14:37 +0000
Message-Id: <2004062521561.QJA00262@stinger.sans.org>
From: Stephen Northcutt
Subject: Stephen Northcutt needs your help
Precedence: bulk
Errors-To:
Sender:
To: Richard Bejtlich (SD599258)
...edited...

Hello,

This note is intended for U.S. citizens and is a personal note from Stephen Northcutt. For the past few weeks CERT and SEI, DoD government funded organizations, have been purchasing google adwords so that when people search for "SANS Training" they see an advertisement for CERT/SEI's network manager course.

I have a couple of concerns about this. The first is trademark or brand related, when you search for SANS training, you should get SANS training. Other competing commercial training companies have also engaged in this behavior and when I have written them and asked if this how they want to be remembered by the security community, they have discontinued this practice. I wrote cert@cert.org a couple weeks ago and they continue this practice.

My second concern is that the government offering the course violates the spirit and letter of OMB A 76. "Two of the key principles of Circular A-76 has always been that "in the process of governing, the Government should not compete with its citizens" and that "a commercial activity is not a governmental function."
http://www.whitehouse.gov/omb/circulars/a076/comments/a76-289.pdf

The course:
http://www.sei.cmu.edu/products/courses/cert/infosec-net-mgrs.html

The funding:
http://www.sei.cmu.edu/about/about.html
http://www.cert.org/faq/cert_faq.html#A4

My third concern is the amount of tax we pay as citizens. The government is in the process of authorizing about 481 billion dollars for DoD spending. The Department of Defense clearly has too much money if they can afford to create training that mirrors material widely available from SANS, MISTI, CSI, Intense School and other training organizations. I believe the money spent on CERT, SEI and the Office of the Under Secretary of Defense for Acquisition, Technology, and Logistics should each be reduced by at least 10% immediately.

So I am asking for your help. If you agree with me please write your congress person and either use this note as a base or write your own. I would be honored if you would copy me, Stephen@sans.org. If you don't agree with me, or don't want to help me, that is fine, but before you send me a knee jerk email flame would you do three things. Look at your last paycheck stub and remind yourself how much tax you pay, second, consider the impact of the U.S. deficit (http://www.brillig.com/debt_clock/ ) and finally think about how you would feel if the government decided to compete in a disreputable manner with a course that took you months to write, SANS Security Leadership. After that, if you disagree with me, I would love to hear what you have to say. So please help me and write your congressman and tell them your home address, make sure they know you vote and you agree that the government has no business wasting taxpayer money competing with a course Stephen Northcutt does a better job of anyway.

To find your representative:
http://www.house.gov/writerep/

To find your congressional representative, the best link I could find is:
http://www.senate.gov/

Thank you for taking the time to help! Needless to say, I write this note as a private citizen and the author of SANS Security Leadership and am certain this note does not reflect the collective views and opinions of The SANS Institute.

Stephen Northcutt
Stephen@sans.org
(808) 823-1375"

This sounds like a hoax to me... can anyone confirm it? "...make sure they know you vote and you agree that the government has no business wasting taxpayer money competing with a course Stephen Northcutt does a better job of anyway." If this is a true statement by Stephen, I'd be surprised.

Burning DVDs in FreeBSD

Yesterday I reported my results burning CDs with FreeBSD. This morning I tried creating a DVD of the Fedora Core 2 distribution. After I downloaded the 4.1 GB .iso from a mirror, I used MD5 to verify the checksum matched. Since the .iso was ready to burn, I set up my Plextor burner.

First I checked the media, which was Memorex 4X DVD-R 4.7GB (pictured at left, purchased at buy.com). I had already installed dvd+rw-tools, available in the ports tree as sysutils/dvd+rw-tools. Using the dvd+rw-mediainfo command, I checked the DVD in the burner:

# dvd+rw-mediainfo /dev/cd0
INQUIRY: [PLEXTOR ][DVDR PX-708A ][1.06]
GET [CURRENT] CONFIGURATION:
Mounted Media: 11h, DVD-R Sequential
Media ID: ProdiscS03
Current Write Speed: 4.0x1385=5540KB/s
Write Speed #0: 4.0x1385=5540KB/s
Write Speed #1: 2.0x1385=2770KB/s
Write Speed #2: 1.0x1385=1385KB/s
GET [CURRENT] PERFORMANCE:
Write Performance: 4.0x1385=5540KB/s@[0 -> 2294911]
Speed Descriptor#0: 02/2298495 R@8.0x1385=11080KB/s W@4.0x1385=5540KB/s
Speed Descriptor#1: 02/2298495 R@8.0x1385=11080KB/s W@2.0x1385=2770KB/s
Speed Descriptor#2: 02/2298495 R@8.0x1385=11080KB/s W@1.0x1385=1385KB/s
READ DVD STRUCTURE[#10h]:
Media Book Type: 25h, DVD-R book [revision 5]
Legacy lead-out at: 2298496*2KB=4707319808
READ DVD STRUCTURE[#0h]:
Media Book Type: 25h, DVD-R book [revision 5]
Last border-out at: 0*2KB=0
READ DISC INFORMATION:
Disc status: blank
Number of Sessions: 1
State of Last Session: empty
Number of Tracks: 1
READ TRACK INFORMATION[#1]:
Track State: invisible incremental
Track Start Address: 0*2KB
Next Writable Address: 0*2KB
Free Blocks: 2297888*2KB
Track Size: 2297888*2KB

Everything looked ready to go, so I proceeded according to the directions in the FreeBSD Handbook:

# growisofs -dvd-compat -Z /dev/cd0=FC2-i386-DVD.iso
Executing 'builtin_dd if=FC2-i386-DVD.iso of=/dev/pass0 obs=32k seek=0'
/dev/pass0: "Current Write Speed" is 4.1x1385KBps.
0/4370640896 ( 0.0%) @0x, remaining ??:??
0/4370640896 ( 0.0%) @0x, remaining ??:??
8421376/4370640896 ( 0.2%) @1.8x, remaining 103:35
27066368/4370640896 ( 0.6%) @3.9x, remaining 40:07
45744128/4370640896 ( 1.0%) @3.9x, remaining 29:56
...edited...
4336517120/4370640896 (99.2%) @3.9x, remaining 0:06
4355194880/4370640896 (99.6%) @3.9x, remaining 0:02
builtin_dd: 2134112*2KB out @ average 3.9x1385KBps
/dev/pass0: flushing cache
/dev/pass0: updating RMA
/dev/pass0: closing disc

When I was done, I checked the media again:

# dvd+rw-mediainfo /dev/cd0
INQUIRY: [PLEXTOR ][DVDR PX-708A ][1.06]
GET [CURRENT] CONFIGURATION:
Mounted Media: 11h, DVD-R Sequential
Media ID: ProdiscS03
Current Write Speed: 4.0x1385=5540KB/s
Write Speed #0: 4.0x1385=5540KB/s
Write Speed #1: 2.0x1385=2770KB/s
Write Speed #2: 1.0x1385=1385KB/s
GET [CURRENT] PERFORMANCE:
Write Performance: 4.0x1385=5540KB/s@[0 -> 2294911]
Speed Descriptor#0: 02/2298495 R@8.0x1385=11080KB/s W@4.0x1385=5540KB/s
Speed Descriptor#1: 02/2298495 R@8.0x1385=11080KB/s W@2.0x1385=2770KB/s
Speed Descriptor#2: 02/2298495 R@8.0x1385=11080KB/s W@1.0x1385=1385KB/s
READ DVD STRUCTURE[#10h]:
Media Book Type: 25h, DVD-R book [revision 5]
Legacy lead-out at: 2298496*2KB=4707319808
READ DVD STRUCTURE[#0h]:
Media Book Type: 25h, DVD-R book [revision 5]
Last border-out at: 2134112*2KB=4370661376
READ DISC INFORMATION:
Disc status: complete
Number of Sessions: 1
State of Last Session: complete
Number of Tracks: 1
READ TRACK INFORMATION[#1]:
Track State: complete incremental
Track Start Address: 0*2KB
Free Blocks: 0*2KB
Track Size: 2134112*2KB
Last Recorded Address: 2134111*2KB
FABRICATED TOC:
Track#1 : 14@0
Track#AA : 14@2134112
Multi-session Info: #1@0

I then mounted the DVD:

# mount -t cd9660 /dev/cd0 /cdrom
# ls /cdrom
.discinfo RPM-GPG-KEY-fedora
Fedora RPM-GPG-KEY-fedora-rawhide
GPL RPM-GPG-KEY-fedora-test
README-Accessibility RPM-GPG-KEY-rawhide
README-en SRPMS
README-en.html TRANS.TBL
RELEASE-NOTES-en autorun
RELEASE-NOTES-en.html eula.txt
RPM-GPG-KEY images
RPM-GPG-KEY-beta isolinux

It worked. I also mounted the DVD as /dev/acd0 on my ThinkPad, which appears to dmesg as the following:

acd0: DVDROM at ata1-master UDMA33

I got this result by having 'hw.ata.atapi_dma=1' set in /boot/loader.conf. Without that setting, here is how the same drive appeared in dmesg:

acd0: DVDROM at ata1-master PIO4

For reference, here is atacontrol output for the laptop:

$ sudo atacontrol list
ATA channel 0:
Master: ad0 ATA/ATAPI rev 5
Slave: no device present
ATA channel 1:
Master: acd0 ATA/ATAPI rev 0
Slave: no device present

Having ATAPI DMA enabled helps with performance, according to this thread by someone having trouble burning with the same device I have. I believe that, because that poster is using an internal Plextor connected via ATA, he is in a different situation. I use a FireWire adapter on my laptop and desktop to connect my external Plextor drive.

Wednesday, June 23, 2004

Duplicating Data CDs with FreeBSD

I needed to become familiar with burning CDs on FreeBSD to support plans for live CD-based systems. I recently bought a Plextor PX-708UF DVD+-R/RW CD-R/RW drive and an Adaptec DuoConnect PC Card Adapter. I already reported on how these appear to FreeBSD.

For testing purposes and to create my own media set, I duplicated the three CD-ROMs released as Fedora Core 2. To convert the CD-ROM into a .iso file for burning, I used this syntax:

dd if=/dev/cd0 of=/var/iso/fedora_core_disc3.iso bs=2048

Here are a few notes on this command. /dev/cd0 is how my Plextor drive appears to FreeBSD. My laptop's native CD/DVD reader is /dev/acd0. I could not get this command to work without including 'bs=2048'. I learned why after reading a FreeBSD Diary entry:

"Data on CDs is written in blocks of 2 kB. By default dd reads 512 bytes at a time, and the CD driver doesn't support this. It would work if you use bs=2k."

When I tried dd without the bs=2048 argument, I got this error:

dd: /dev/acd0: Invalid argument

I also tried acquiring the .iso using my native CD/DVD reader. I got this error, although the .iso creation seemed to work ok:

acd0: FAILURE - READ_BIG status=51
sensekey=ILLEGAL REQUEST error=1

Others have reported this issue, and some suggested editing /boot/loader.conf accordingly:

hw.ata.atapi_dma=0

This didn't fix the issue for me, so I acquired the .iso using the Plextor. It produced no visible errors.

When the process was done I wanted to check if the resulting .iso matched the CD from which it was derived. From Kris Kennaway I learned this command to get a MD5 hash of the original CD:

dd if=/dev/cd0 bs=2048 | md5

I then compared that output with the result of running md5 on this .iso. If they matched, the copy was good. This was the case. However, the MD5 hashes did not match the versions available at the Fedora site. As I trust the source of these CDs, I assume the difference is a result of taking an original Red Hat .iso, burning it to CD, and then deriving an image of that CD in .iso format. Perhaps the block sizes did not match up exactly?
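One check that settles the question of whether a burned disc matches the .iso it came from, added here as an example and not part of the original post: hash only the bytes the ISO 9660 volume itself claims, instead of every sector the drive returns. A raw read of a burned disc can return more sectors than the .iso contained (writer and drive padding at the end of the track), and then md5 over the whole device differs even when the filesystem content is identical. The Primary Volume Descriptor at sector 16 records the volume size in logical blocks, so hashing exactly that many bytes from both the .iso and the disc compares like with like; if those two hashes still differ, the content really does differ. The Fedora discs are plain ISO 9660 images, so the PVD is present. The script name isomd5.py and the synthetic test image are assumptions of this example.

```python
"""Hash only the ISO 9660 volume, not every sector the disc returns.

Added example, not from the original post. The Primary Volume Descriptor
(sector 16) records the volume size in logical blocks, so hashing exactly
that many bytes from the .iso and from /dev/cd0 compares like with like,
regardless of any padding the writer or drive appended after the volume.
"""
import hashlib
import io
import struct
import sys

SECTOR = 2048          # ISO 9660 logical block size on CD/DVD media
PVD_SECTOR = 16        # first volume descriptor follows the 32 KiB system area
HEAD = (PVD_SECTOR + 1) * SECTOR


def iso9660_volume_bytes(head: bytes) -> int:
    """Size in bytes of the ISO 9660 volume described by the PVD in the first 17 sectors."""
    pvd = head[PVD_SECTOR * SECTOR:HEAD]
    if len(pvd) < SECTOR or pvd[0] != 1 or pvd[1:6] != b"CD001":
        raise ValueError("no ISO 9660 primary volume descriptor at sector 16")
    # Both-endian fields: little-endian copy first, big-endian copy second.
    blocks_le = struct.unpack("<I", pvd[80:84])[0]   # Volume Space Size
    blocks_be = struct.unpack(">I", pvd[84:88])[0]
    bsize_le = struct.unpack("<H", pvd[128:130])[0]  # Logical Block Size
    bsize_be = struct.unpack(">H", pvd[130:132])[0]
    if blocks_le != blocks_be or bsize_le != bsize_be:
        raise ValueError("corrupt PVD: both-endian copies disagree")
    return blocks_le * bsize_le


def iso9660_md5(stream) -> str:
    """MD5 over exactly the bytes the PVD claims, reading in sector-sized multiples.

    Works on a .iso file or on a raw device such as /dev/cd0 opened unbuffered."""
    head = stream.read(HEAD)
    size = iso9660_volume_bytes(head)
    if size < HEAD:
        raise ValueError("PVD claims a volume smaller than its own descriptors")
    digest = hashlib.md5(head)
    remaining = size - len(head)
    while remaining > 0:
        chunk = stream.read(min(remaining, 64 * SECTOR))
        if not chunk:
            raise ValueError(f"short read: volume claims {size} bytes")
        digest.update(chunk)
        remaining -= len(chunk)
    return digest.hexdigest()


def iso9660_md5_bytes(data: bytes) -> str:
    return iso9660_md5(io.BytesIO(data))


def plain_md5(data: bytes) -> str:
    """What 'dd if=/dev/cd0 bs=2048 | md5' computes: every sector the device returns."""
    return hashlib.md5(data).hexdigest()


def build_test_image(volume_blocks: int, pad_blocks: int) -> bytes:
    """Constructed sample, not a real Fedora disc: a minimal ISO 9660 image.

    Sectors 0-15 system area, 16 PVD, 17 descriptor set terminator, then filler
    sectors up to volume_blocks, followed by pad_blocks zero sectors standing in
    for the run-out padding a burner appends to the track."""
    pvd = bytearray(SECTOR)
    pvd[0], pvd[1:6], pvd[6] = 1, b"CD001", 1
    pvd[40:72] = b"FC2 TEST".ljust(32)                # volume identifier
    pvd[80:84] = struct.pack("<I", volume_blocks)
    pvd[84:88] = struct.pack(">I", volume_blocks)
    pvd[128:130] = struct.pack("<H", SECTOR)
    pvd[130:132] = struct.pack(">H", SECTOR)
    term = bytearray(SECTOR)
    term[0], term[1:6], term[6] = 255, b"CD001", 1
    filler = b"".join(bytes([i % 251]) * SECTOR for i in range(volume_blocks - 18))
    volume = bytes(16 * SECTOR) + bytes(pvd) + bytes(term) + filler
    return volume + bytes(pad_blocks * SECTOR)


if __name__ == "__main__":
    # Usage: python3 isomd5.py /dev/cd0   or   python3 isomd5.py FC2-disc3.iso
    with open(sys.argv[1], "rb", buffering=0) as f:
        print(iso9660_md5(f))
```

Run it once against the .iso and once against the device and compare the two digests; the device must be opened unbuffered so reads stay sector-aligned, which is why the script passes buffering=0.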

To burn the new .iso to CD-R, I had to install cdrecord, found in sysutils/cdrecord. The first task was to ensure cdrecord could find my drive:

# cdrecord -scanbus
Cdrecord 2.00.3 (i386-unknown-freebsd5.2.1) Copyright (C) 1995-2002 Jorg Schilling
Using libscg version 'schily-0.7'
scsibus0:
0,0,0 0) 'PLEXTOR ' 'DVDR PX-708A ' '1.06' Removable CD-ROM
0,1,0 1) *
0,2,0 2) *
0,3,0 3) *
0,4,0 4) *
0,5,0 5) *
0,6,0 6) *
0,7,0 7) *

Once I knew where to find the drive, I checked what options it supported:

# cdrecord -v dev=0,0,0 -checkdrive driveropts=help
Cdrecord 2.00.3 (i386-unknown-freebsd5.2.1) Copyright (C) 1995-2002 Jorg Schilling
TOC Type: 1 = CD-ROM
scsidev: '0,0,0'
scsibus: 0 target: 0 lun: 0
Using libscg version 'schily-0.7'
Driveropts: 'help'
atapi: 0
Device type : Removable CD-ROM
Version : 0
Response Format: 1
Vendor_info : 'PLEXTOR '
Identifikation : 'DVDR PX-708A '
Revision : '1.06'
Device seems to be: Generic mmc2 DVD-R/DVD-RW.
cdrecord: This version of cdrecord does not include DVD-R/DVD-RW support code.
cdrecord: If you need DVD-R/DVD-RW support, ask the Author for cdrecord-ProDVD.
Driver options:
burnfree Prepare writer to use BURN-Free technology
noburnfree Disable using BURN-Free technology
varirec=val Set VariRec Laserpower to -2, -1, 0, 1, 2
Only works for audio and if speed is set to 4

Now that I knew what options to use, I burned the .iso to the CD-R. You'll see I enabled 'burnfree,' defined in the man page as "Turn the support for Buffer Underrun Free writing on."

# cdrecord -v dev=0,0,0 speed=8 driveropts=burnfree -eject
-data /var/iso/fedora_core_2_disc3.iso
Cdrecord 2.00.3 (i386-unknown-freebsd5.2.1) Copyright (C) 1995-2002 Jorg Schilling
TOC Type: 1 = CD-ROM
scsidev: '0,0,0'
scsibus: 0 target: 0 lun: 0
Using libscg version 'schily-0.7'
Driveropts: 'burnfree'
atapi: 0
Device type : Removable CD-ROM
Version : 0
Response Format: 1
Vendor_info : 'PLEXTOR '
Identifikation : 'DVDR PX-708A '
Revision : '1.06'
Device seems to be: Generic mmc2 DVD-R/DVD-RW.
cdrecord: This version of cdrecord does not include DVD-R/DVD-RW support code.
cdrecord: If you need DVD-R/DVD-RW support, ask the Author for cdrecord-ProDVD.
Using generic SCSI-3/mmc CD-R driver (mmc_cdr).
Driver flags : MMC-3 SWABAUDIO BURNFREE VARIREC
Supported modes: TAO PACKET SAO SAO/R96P SAO/R96R RAW/R16 RAW/R96P RAW/R96R
Drive buf size : 1190112 = 1162 KB
FIFO size : 4194304 = 4096 KB
Track 01: data 637 MB
Total size: 732 MB (72:35.06) = 326630 sectors
Lout start: 732 MB (72:37/05) = 326630 sectors
Current Secsize: 2048
ATIP info from disk:
Indicated writing power: 5
Is not unrestricted
Is not erasable
Disk sub type: Medium Type A, high Beta category (A+) (3)
ATIP start of lead in: -11634 (97:26/66)
ATIP start of lead out: 359846 (79:59/71)
Disk type: Short strategy type (Phthalocyanine or similar)
Manuf. index: 3
Manufacturer: CMC Magnetics Corporation
Blocks total: 359846 Blocks current: 359846 Blocks remaining: 33216
Starting to write CD/DVD at speed 8 in real TAO mode for single session.
Last chance to quit, starting real write 0 seconds. Operation starts.
Waiting for reader process to fill input buffer ... input buffer ready.
BURN-Free is OFF.
Turning BURN-Free on
Performing OPC...
Starting new track at sector: 0
Track 01: 0 of 637 MB written.
...edited...
Track 01: Total bytes read/written: 668934144/668934144 (326628 sectors).
Writing time: 552.030s
Average write speed 8.0x.
Min drive buffer fill was 99%
Fixating...
Fixating time: 32.601s
cdrecord: fifo had 10537 puts and 10537 gets.
cdrecord: fifo was 0 times empty and 10463 times full, min fill was 90%.

At some point in the future I'll use the drive to create DVDs, and report how that turned out as well.

The fact that I burned these CDs isn't rocket science, but I wanted to show the gear I used in case other people are looking to buy CD/DVD burners for FreeBSD.

I used a few other resources when learning how to burn CDs, including the FreeBSD Handbook and CD Burning from the Command Line.

Fedora Core 2-based Soekris System Operational

I'm not a big Linux user, but a lot of people like Fedora Core. Using the same methodology I used with FreeBSD and OpenBSD, I just installed Fedora Core 2 on a spare HDD on my laptop, then transferred that HDD to the Soekris.

Here are a few notes on peculiarities of Fedora. I chose a "custom installation," and selected "no packages." That still deployed about 562 MB of packages as part of the base OS installation. Thankfully only the first CD was needed. When I finished the installation, I rebooted the laptop to edit key files to allow serial access. I made important changes to /etc/grub.conf, thanks to this Remote Serial Console HOWTO:

# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE: You have a /boot partition. This means that
# all kernel and initrd paths are relative to /boot/, eg.
# root (hd0,0)
# kernel /vmlinuz-version ro root=/dev/hda2
# initrd /initrd-version.img
#boot=/dev/hda
default=0
#timeout=10
#splashimage=(hd0,0)/grub/splash.xpm.gz
serial --unit=0 --speed=9600 --word=8 --parity=no --stop=1
terminal --timeout=10 serial console
title Fedora Core (2.6.5-1.358)
root (hd0,0)
kernel /vmlinuz-2.6.5-1.358 ro root=LABEL=/ console=tty0 console=ttyS0,9600n8
initrd /initrd-2.6.5-1.358.img

After editing /etc/grub.conf, I shut down the laptop and moved the HDD to the Soekris. When it booted, I didn't see the Grub menu as expected. I hit return a few times and then saw boot messages scroll by. Kudzu started, due to the hardware differences between my laptop and the Soekris. Although the screen wasn't as legible as I would have hoped, I could still make out the text and configuration options. I chose to deinstall the laptop hardware no longer present on the Soekris, like its NIC, sound card, and so on. Kudzu then asked to install the Soekris National Semiconductor DP83815 MacPhyter NICs and Compaq ZFMicro Chipset USB. Along the way it also asked if I approved of making changes to /etc/inittab and /etc/securetty. It appears to have made these changes:

/etc/inittab

co:2345:respawn:/sbin/agetty ttyS0 9600 vt100

/etc/securetty

ttyS0

The addition to /etc/inittab appears to enable the serial console. The addition to /etc/securetty allows root to log in over the serial console.

Unlike FreeBSD but like OpenBSD, it appears Fedora Core 2 does not recognize my Linksys USB200M 10/100 NIC. Here are the uname, netstat, and df outputs for reference. Note the filesystem layout is the result of "autopartition." I've never understood why Red Hat doesn't create separate partitions for /, /usr, /var, /tmp, and so on.

uname -a
Linux localhost.localdomain 2.6.5-1.358 #1 Sat May 8 09:04:50 EDT 2004 i586 i586 i386 GNU/Linux

netstat -natup
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:1024 0.0.0.0:* LISTEN 1652/rpc.statd
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1633/portmap
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1827/sendmail: acce
tcp 0 0 :::22 :::* LISTEN 1806/sshd
tcp 0 672 ::ffff:10.2.2.69:22 ::ffff:10.2.2:57811 ESTABLISHED 2160/0
udp 0 0 0.0.0.0:1024 0.0.0.0:* 1652/rpc.statd
udp 0 0 0.0.0.0:68 0.0.0.0:* 1179/dhclient
udp 0 0 0.0.0.0:980 0.0.0.0:* 1652/rpc.statd
udp 0 0 0.0.0.0:111 0.0.0.0:* 1633/portmap

df -h
Filesystem Size Used Avail Use% Mounted on
/dev/hda2 55G 548M 51G 2% /
/dev/hda1 99M 5.9M 88M 7% /boot
none 63M 0 63M 0% /dev/shm
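The netstat listing above is worth a second look from a security standpoint: the default install leaves portmap (111) and rpc.statd (1024, 980) bound to 0.0.0.0, which a single-purpose Soekris box has no reason to expose, while sendmail is correctly confined to 127.0.0.1. The following parser, added here as an example and not part of the original post, reads netstat -natup output and reports every socket reachable on all interfaces that is not on an allowlist. It runs over the listing copied from this post; the allowlist (sshd on tcp/22, dhclient on udp/68) is an assumption of the example.

```python
"""Flag services listening on every interface in 'netstat -natup' output.

Added example, not from the original post. TCP sockets count only in LISTEN
state; every bound UDP socket counts, since UDP has no listen state. Sockets
bound to 127.0.0.1 or a specific address are ignored.
"""
from typing import Iterable

WILDCARDS = {"0.0.0.0", "::", "*"}

# Copied from the netstat -natup listing in the post (not constructed).
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:1024 0.0.0.0:* LISTEN 1652/rpc.statd
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1633/portmap
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1827/sendmail: acce
tcp 0 0 :::22 :::* LISTEN 1806/sshd
tcp 0 672 ::ffff:10.2.2.69:22 ::ffff:10.2.2:57811 ESTABLISHED 2160/0
udp 0 0 0.0.0.0:1024 0.0.0.0:* 1652/rpc.statd
udp 0 0 0.0.0.0:68 0.0.0.0:* 1179/dhclient
udp 0 0 0.0.0.0:980 0.0.0.0:* 1652/rpc.statd
udp 0 0 0.0.0.0:111 0.0.0.0:* 1633/portmap
"""


def parse_sockets(text: str) -> list[dict]:
    """Parse netstat -natup lines into dicts; header and non-socket lines are skipped."""
    sockets = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or not fields[0].startswith(("tcp", "udp")):
            continue
        proto = fields[0].rstrip("6")                 # tcp6/udp6 on newer net-tools
        addr, _, port = fields[3].rpartition(":")     # last colon splits host from port
        if proto == "tcp":
            state, program = fields[5], " ".join(fields[6:])
        else:
            state, program = None, " ".join(fields[5:])   # UDP lines have no State column
        sockets.append({"proto": proto, "addr": addr, "port": int(port),
                        "state": state, "program": program})
    return sockets


def wildcard_listeners(text: str,
                       allowed: Iterable[tuple[str, int]] = ()) -> list[tuple[str, int, str]]:
    """Return sorted (proto, port, program) for sockets bound to all interfaces
    and not in the (proto, port) allowlist."""
    allowed = set(allowed)
    found = set()
    for s in parse_sockets(text):
        if s["addr"] not in WILDCARDS:
            continue
        if s["proto"] == "tcp" and s["state"] != "LISTEN":
            continue
        if (s["proto"], s["port"]) in allowed:
            continue
        found.add((s["proto"], s["port"], s["program"]))
    return sorted(found)


if __name__ == "__main__":
    import sys
    # Pipe real output in ('netstat -natup | python3 listeners.py') or run on the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NETSTAT
    for proto, port, prog in wildcard_listeners(text, allowed={("tcp", 22), ("udp", 68)}):
        print(f"{proto}/{port:<5} {prog}")
```

On the sample above it reports portmap on tcp and udp 111 and rpc.statd on tcp 1024, udp 1024 and udp 980; the fix on a box like this is to disable the portmap and nfslock services rather than to firewall them.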

Soekris-based FreeBSD System Operational

I'd like to report successful use of FreeBSD 5.2.1 RELEASE on the same Soekris Net4801 on which I previously installed OpenBSD. I followed the same methodology: install FreeBSD on a spare HDD on my laptop, then move the HDD to the Soekris.

To send console messages to the serial line during the boot sequence, I followed the FreeBSD Handbook's advice:

echo -h > /boot.config

I tried to edit /etc/ttys to enable 19200 speed for ttyd0, but this did not work as I hoped. It seems the Soekris sends output to the serial line at 19200 prior to the FreeBSD boot sequence. Then, despite my attempted settings of 19200 in /etc/ttys, the FreeBSD boot sequence sends output at 9600. Accordingly, my /etc/ttys file has this entry to enable the serial console:

ttyd0 "/usr/libexec/getty std.9600" cons25 on secure

Notice the use of cons25. This lets me use vi properly, for example. I think the kernel must be recompiled to support speeds higher than 9600, as suggested by this section from the FreeBSD Handbook:

18.6.5.1 Setting a Faster Serial Port Speed

"By default, the serial port settings are: 9600 baud, 8 bits, no parity, and 1 stop bit. If you wish to change the speed, you need to recompile at least the boot blocks. Add the following line to /etc/make.conf and compile new boot blocks:

BOOT_COMCONSOLE_SPEED=19200

If the serial console is configured in some other way than by booting with -h, or if the serial console used by the kernel is different from the one used by the boot blocks, then you must also add the following option to the kernel configuration file and compile a new kernel:

options CONSPEED=19200"


There is a sysctl variable, machdep.conspeed, which is set to 9600 by default. If changed to 19200 in /etc/sysctl.conf, the system will be available at 19200 once booted:

machdep.conspeed=19200

To set the speed by hand, issue this command:

sysctl machdep.conspeed=19200

FreeBSD sees the three NICs as sis devices, as does OpenBSD. Unlike OpenBSD, however, FreeBSD recognizes my Linksys USB200M 10/100 NIC, adding a fourth Ethernet interface if needed:

axe0: Linksys product 0x2226, rev 2.00/0.01, addr 2
axe0: Ethernet address: 00:10:60:25:a4:1a
miibus3: on axe0
rlphy0: on miibus3
rlphy0: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto

axe0: flags=8802 mtu 1500
ether 00:10:60:25:a4:1a
media: Ethernet autoselect (none)
status: no carrier

Multiple helpful pages discuss FreeBSD on the Soekris:

wiki.wirelessleiden.nl
www.rfc1149.net
www.xinu.nl
www.webweaving.org

Tuesday, June 22, 2004

Red Cliff Consulting, a Trusted Professional Services Firm

Today I spoke with Kevin Mandia, lead author of Incident Response and Computer Forensics, the best IR book available. When the first edition was published, Kevin was director of incident response and computer forensics at Foundstone. I met him in person at the first SANSFIRE conference in 2001. Kevin hired me to join Foundstone's IR team in early 2002, and I left the team in early 2004 a few months after he did.

Kevin is now running Red Cliff Consulting, a professional services firm headquartered in Alexandria, VA. He describes his group as "the experts that experts consult." I won't argue with that assessment. For example, Curtis Rose just joined Red Cliff, after working for years at Sytex. Curtis is one of the co-authors of the forthcoming book Real Digital Forensics, along with myself and Keith Jones.

Kevin will be speaking at Black Hat 2004 in Las Vegas in late July. He plans to discuss "the five things that are problematic in incident response." His public speaking engagements are always incredibly informative and entertaining. Before the Foundstone Christmas party in December 2002, the IR team discussed how funny it would be if Kevin described our team's work in Haiku form. Sure enough, our fearless leader delivered his entire talk in Haiku.

Kevin Mandia
Leading Foundstone's IR team
Puts bad guys in jail

In any case, if you need a group of trusted, experienced computer forensic consultants, check out Red Cliff's services.

Book Chapter on Sguil Available Online

My publisher Addison-Wesley authorized me to post chapter 10 of my book The Tao of Network Security Monitoring: Beyond Intrusion Detection online. It's available at the Sguil site in .pdf format. This chapter complements my Sguil installation guide, discussing why Bamm started the Sguil project and how it differs from other monitoring applications.

My book will be on shelves in mid-July. If you'd like to attend live training on network security monitoring, sign up for my Network Security Monitoring with Open Source Tools class at USENIX Security '04 in San Diego. The class will be held on Monday 9 August 2004, and early conference registration ends 16 July. I will give away a limited number of free copies of the book and hope to debut a FreeBSD-based live CD with NSM tools.

Configuring RAID-0 with Vinum

I deployed a test platform as a network security monitoring sensor. It has two 4 GB HDDs. I wanted to create a /nsm partition that would span both drives, meaning it would occupy some of the first drive and all of the second drive. This was a proof of concept operation that could apply to systems with multiple, larger drives.

I decided to use Greg Lehey's Vinum, and thanks to some helpful notes from Bamm Visscher and Dave Wheeler, got it set up in a RAID-0 configuration.

When I installed FreeBSD on the system, I created a 768 MB /nsm1 partition on the first drive ad0 and used the entire second drive (ad1) for /nsm2. Here is what df saw after installation. Notice I use the -m switch to show all values in MB.

bourque:/root# df -m
Filesystem 1M-blocks Used Avail Capacity Mounted on
/dev/ad0s1a 247 35 192 16% /
devfs 0 0 0 100% /dev
/dev/ad0s1e 739 0 679 0% /nsm1
/dev/ad1s1d 3977 0 3659 0% /nsm2
/dev/ad0s1g 263 0 242 0% /tmp
/dev/ad0s1d 1978 302 1517 17% /usr
/dev/ad0s1f 495 0 455 0% /var

Here is what bsdlabel saw for each drive:

bourque:/root# bsdlabel /dev/ad0s1
# /dev/ad0s1:
8 partitions:
# size offset fstype [fsize bsize bps/cpg]
a: 524288 0 4.2BSD 2048 16384 32776
b: 524288 524288 swap
c: 8421777 0 unused 0 0 # "raw" part, don't edit
d: 4194304 1048576 4.2BSD 2048 16384 28552
e: 1572864 5242880 4.2BSD 2048 16384 28552
f: 1048576 6815744 4.2BSD 2048 16384 8
g: 557457 7864320 4.2BSD 2048 16384 34848

bourque:/root# bsdlabel /dev/ad1s1
# /dev/ad1s1:
8 partitions:
# size offset fstype [fsize bsize bps/cpg]
c: 8418753 0 unused 0 0 # "raw" part, don't edit
d: 8418753 0 4.2BSD 2048 16384 28552

Before I could use vinum, I needed to edit the disk labels so /dev/ad0s1e and /dev/ad1s1d changed from fstype 4.2BSD to vinum.

After running 'bsdlabel -e /dev/ad0s1' and 'bsdlabel -e /dev/ad1s1' here is what the two disks looked like to bsdlabel:

bourque:/root# bsdlabel /dev/ad0s1
# /dev/ad0s1:
8 partitions:
# size offset fstype [fsize bsize bps/cpg]
a: 524288 0 4.2BSD 2048 16384 32776
b: 524288 524288 swap
c: 8421777 0 unused 0 0 # "raw" part, don't edit
d: 4194304 1048576 4.2BSD 2048 16384 28552
e: 1572864 5242880 vinum
f: 1048576 6815744 4.2BSD 2048 16384 8
g: 557457 7864320 4.2BSD 2048 16384 34848

bourque:/root# bsdlabel /dev/ad1s1
# /dev/ad1s1:
8 partitions:
# size offset fstype [fsize bsize bps/cpg]
c: 8418753 0 unused 0 0 # "raw" part, don't edit
d: 8418753 0 vinum

Next I created the following /etc/vinum.conf file. Notice for the drive sizes I used the values reported by 'df -m':

drive drive1 device /dev/ad0s1e
drive drive2 device /dev/ad1s1d
volume nsm
plex org concat
sd length 739m drive drive1
sd length 3977m drive drive2

After editing /etc/vinum.conf, I ran vinum to create the RAID-0 system:

bourque:/root# vinum create /etc/vinum.conf
2 drives:
D drive1 State: up /dev/ad0s1e A: 28/768 MB (3%)
D drive2 State: up /dev/ad1s1d A: 133/4110 MB (3%)

1 volumes:
V nsm State: up Plexes: 1 Size: 4716 MB

1 plexes:
P nsm.p0 C State: up Subdisks: 2 Size: 4716 MB

2 subdisks:
S nsm.p0.s0 State: up D: drive1 Size: 739 MB
S nsm.p0.s1 State: up D: drive2 Size: 3977 MB

That step created new devices for the vinum drive, as seen next:

bourque:/root# ls /dev/vinum/*
/dev/vinum/control /dev/vinum/controld /dev/vinum/nsm

/dev/vinum/plex:
nsm.p0

/dev/vinum/sd:
nsm.p0.s0 nsm.p0.s1

Now I needed to initialize the filesystem with newfs. The -U option enables soft updates:

bourque:/root# newfs -U /dev/vinum/nsm
/dev/vinum/nsm: 4716.0MB (9658368 sectors) block size 16384, fragment size 2048
using 26 cylinder groups of 183.77MB, 11761 blks, 23552 inodes.
with soft updates
super-block backups (for fsck -b #) at:
160, 376512, 752864, 1129216, 1505568, 1881920, 2258272, 2634624, 3010976,
3387328, 3763680, 4140032, 4516384, 4892736, 5269088, 5645440, 6021792,
6398144, 6774496, 7150848, 7527200, 7903552, 8279904, 8656256, 9032608,
9408960

When done I created a /nsm directory and mounted it:

bourque:/root# mkdir /nsm
bourque:/root# mount /dev/vinum/nsm
bourque:/root# df -h
Filesystem Size Used Avail Capacity Mounted on
/dev/ad0s1a 248M 36M 192M 16% /
devfs 1.0K 1.0K 0B 100% /dev
/dev/ad0s1e 739M 4.0K 680M 0% /nsm1
/dev/ad1s1d 3.9G 4.0K 3.6G 0% /nsm2
/dev/ad0s1g 263M 6.0K 242M 0% /tmp
/dev/ad0s1d 1.9G 303M 1.5G 17% /usr
/dev/ad0s1f 496M 370K 456M 0% /var
/dev/vinum/nsm 4.5G 4.0K 4.1G 0% /nsm

To enable this automatically, I added this line to /etc/fstab:

/dev/vinum/nsm /nsm ufs rw 2 2

In /boot/loader.conf, I added these entries:

vinum_load="YES"
vinum.autostart="YES"

The older method of adding 'start_vinum="YES"' in /etc/rc.conf is still supported, but the new method is preferred.

Monday, June 21, 2004

2004 CSI/FBI Study Released

The 2004 CSI/FBI Study has been published. You have to fill in the CSI's form to access a download link. CSI has always honored their no-spam pledges, so I didn't mind signing my life away to obtain a copy. I'll post my thoughts after I read it.

Participate in The Uptime Project

Several months ago I joined The Uptime Project, a site run by Ola Eriksson. Ola and others provide clients which collect uptime statistics from a variety of operating systems. Ola added me to his crew after I donated shell accounts on HP-UX and AIX systems. We now have a working HP-UX uptime client, with an AIX version in the works. I have two hosts in the top 50, but I don't expect that to last long. If I can't move them while on UPS power when I rearrange my basement, I will drop out of the rankings. :)

Saturday, June 19, 2004

Network Monitoring Products Reviewed by NWC

A few years ago while consulting for Foundstone I was asked to name a product which would inspect traffic exiting the enterprise. The goal was to identify unauthorized transmission of sensitive documents or data. Aside from a customized signature-based approach, I could not think of any off-the-shelf product with this capability. After reading Monitoring Data Departures by Lori MacVittie in the 27 May 04 issue of NWC, I learned of Vontu's Vontu Protect 3. Some of its claims are amusing, like "No false positives — every incident reported is a genuine policy violation." This is also true for signature-based intrusion detection systems, if one accepts (as I do) that an IDS which alerts based on a rule is merely doing what it was told to do. It's up to a decision maker to guide the policy that an administrator implements, and it's an analyst's responsibility to judge the likelihood that a given event represents a security incident. If Vontu would like me to take a look at their product, feel free to contact me at blog at taosecurity dot com.

Two weeks earlier, NWC's Well-Connected Awards were published, complete with the most disgusting cover I've ever seen on a technical magazine. That earned the print edition a place in my circular bin, but the security awards were interesting. The "Network Behavior Anomaly Detection" award went to Q1 Labs, whose QVision tool seems to have been renamed QRadar. NWC liked this network behavior visualization product better than similar offerings from Arbor Networks and Lancope. Anyone interested in having me do a technical review of your product, please email blog at taosecurity dot com.

Soekris-based OpenBSD System Operational

Inspired by this article, I finally deployed my Soekris Net4801 small form factor system. I used a hard drive-based installation as I figured that would be the easiest way to experiment with OpenBSD and the Soekris. The installation was simple. First I swapped my main laptop HDD for an extra 3250 MB HDD to hold OpenBSD. Next I rebooted the laptop using the OpenBSD 3.5 installation CD, and installed OpenBSD. Here is my partition scheme:

$ df -h
Filesystem Size Used Avail Capacity Mounted on
/dev/wd0a 125M 21.8M 97.8M 18% /
/dev/wd0f 156M 2.0K 148M 0% /tmp
/dev/wd0d 2.0G 169M 1.7G 9% /usr
/dev/wd0e 501M 6.9M 469M 1% /var

After reboot, I made these edits:

/etc/ttys

tty00 "/usr/libexec/getty std.19200" vt100 on secure

/etc/boot.conf

set tty com0
stty com0 19200

/etc/hostname.sis0

inet 172.27.20.13 255.255.255.0

/etc/mygate

172.27.20.1
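These four files are the only thing standing between you and a box with no keyboard, screen, or reachable network once the disk is moved into the Soekris: if the getty speed in /etc/ttys disagrees with the stty line in /etc/boot.conf you get garbage on the serial console, and if /etc/mygate is outside the subnet in /etc/hostname.sis0 the box never routes. The Python below is an added example, not part of the original post or of OpenBSD; it checks constructed copies of the four edits above for exactly those mistakes. It assumes tty00 is the /etc/ttys name for the com0 console (the case on OpenBSD/i386) and that the files use the simple one-line forms shown here.

```python
import ipaddress
import re
import shlex

# Constructed copies of the four edits above; a real check would read the
# files from the disk before it is moved into the Soekris.
SAMPLE_FILES = {
    "/etc/ttys": 'tty00 "/usr/libexec/getty std.19200" vt100 on secure\n',
    "/etc/boot.conf": "set tty com0\nstty com0 19200\n",
    "/etc/hostname.sis0": "inet 172.27.20.13 255.255.255.0\n",
    "/etc/mygate": "172.27.20.1\n",
}


def getty_speed(ttys_text, tty="tty00"):
    """Speed of the enabled getty on `tty` (the std.<speed> getty type), or None."""
    for line in ttys_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)  # keeps the quoted getty command as one field
        if len(fields) >= 4 and fields[0] == tty and fields[3] == "on":
            m = re.search(r"\bstd\.(\d+)\b", fields[1])
            return int(m.group(1)) if m else None
    return None


def boot_console(boot_conf_text):
    """(console device, speed) from the 'set tty' and 'stty' lines of /etc/boot.conf."""
    device, speeds = None, {}
    for line in boot_conf_text.splitlines():
        parts = line.split()
        if parts[:2] == ["set", "tty"] and len(parts) >= 3:
            device = parts[2]
        elif parts[:1] == ["stty"] and len(parts) >= 3 and parts[2].isdigit():
            speeds[parts[1]] = int(parts[2])
    return device, speeds.get(device)


def network_config(hostname_if_text, mygate_text):
    """(interface address with mask, default gateway) from hostname.if and mygate."""
    iface = None
    for line in hostname_if_text.splitlines():
        parts = line.split()
        if parts[:1] == ["inet"] and len(parts) >= 3:
            iface = ipaddress.IPv4Interface(f"{parts[1]}/{parts[2]}")
            break
    gateway = ipaddress.IPv4Address(mygate_text.split()[0])
    return iface, gateway


def check_headless_config(files, tty="tty00", console="com0"):
    """Return the problems found; an empty list means the box should come up reachable.

    Assumes `tty` is the /etc/ttys name of the `console` device (tty00 <-> com0)."""
    problems = []
    gspeed = getty_speed(files["/etc/ttys"], tty)
    bdev, bspeed = boot_console(files["/etc/boot.conf"])
    if gspeed is None:
        problems.append(f"{tty} has no enabled getty in /etc/ttys")
    if bdev != console:
        problems.append(f"/etc/boot.conf sets tty {bdev!r}, expected {console!r}")
    if gspeed is not None and bspeed is not None and gspeed != bspeed:
        problems.append(f"speed mismatch: getty {gspeed} vs boot.conf {bspeed}")
    iface, gateway = network_config(files["/etc/hostname.sis0"], files["/etc/mygate"])
    if iface is None:
        problems.append("no inet line in /etc/hostname.sis0")
    elif gateway not in iface.network:
        problems.append(f"gateway {gateway} is outside {iface.network}")
    elif gateway == iface.ip:
        problems.append("gateway equals the interface address")
    return problems


if __name__ == "__main__":
    for line in check_headless_config(SAMPLE_FILES) or ["console and network settings agree"]:
        print(line)
```

Run it against the real files (read each path in SAMPLE_FILES from the mounted disk) before the shutdown step; the same check applies to any headless install where the only way back in is the serial port.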

After these edits I shut down the system and installed the 3250 MB HDD in the Soekris. I put my original HDD back into my laptop, and connected a serial cable and null modem from the laptop to the Soekris. Before powering on the Soekris I connected to the serial console:

# tip -19200 com1
connected

When I plugged in the Soekris power, I saw these messages:

POST: 0123456789bcefghipajklnoq,,,tvwxy^[[2J
comBIOS ver. 1.24 20040312
Copyright (C) 2000-2004 Soekris Engineering.

net4801
CPU Geode 266 Mhz 0128 Mbyte Memory
Pri Mas IBM-DTCA-23240
LBA Xlt 788-128-63 3177 Mbyte

PXE-M00: BootManage UNDI, PXE-2.0 (build 082)

Slot Vend Dev ClassRev Cmd Stat CL LT HT Base1 Base2 Int
-------------------------------------------------------------------
0:00:0 1078 0001 06000000 0107 0280 00 00 00 00000000 00000000 00
0:06:0 100B 0020 02000000 0107 0290 00 3F 00 0000E101 A0000000 10
0:07:0 100B 0020 02000000 0107 0290 00 3F 00 0000E201 A0001000 10
0:08:0 100B 0020 02000000 0107 0290 00 3F 00 0000E301 A0002000 10
0:18:2 100B 0502 01018001 0005 0280 00 00 00 00000000 00000000 00
0:19:0 0E11 A0F8 0C031008 0117 0280 08 38 00 A0003000 00000000 11

Seconds to automatic boot. Press Ctrl-P for entering Monitor.
Using drive 0, partition 3.
Loading...
probing: pc0 com0 com1 pci mem[639K 127M a20=on]
disk: hd0+
> OpenBSD/i386 BOOT 2.06
switching console to com0
com0: changing speed to 19200 baud in 5 seconds, change your terminal to match
!
com0: 19200 baud
boot>
booting hd0a:/bsd:
entry point at 0x100120

[ using 404824 bytes of bsd ELF symbol table ]
Copyright (c) 1982, 1986, 1989, 1991, 1993
The Regents of the University of California. All rights reserved.
Copyright (c) 1995-2004 OpenBSD. All rights reserved. http://www.OpenBSD.org
OpenBSD 3.5 (GENERIC) #34: Mon Mar 29 12:24:55 MST 2004
deraadt@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Geode(TM) Integrated Processor by National Semi ("Geode by NSC" 586-class) 267 MHz
cpu0: FPU,TSC,MSR,CX8,CMOV,MMX
cpu0: TSC disabled
real mem = 133804032 (130668K)
avail mem = 117899264 (115136K)
using 1658 buffers containing 6791168 bytes (6632K) of memory
mainbus0 (root)
...truncated...

I now have a fully functional OpenBSD 3.5 system on the Soekris. That was fairly easy! Lots of sites describe how to install, augment, and use Soekris systems:

OpenBSD 3.5 on a Soekris Net4801
Netgate Soekris kits

Review of Security Sage's Guide to Hardening the Network Infrastructure Posted

Amazon.com just posted my three star review of Security Sage's Guide to Hardening the Network Infrastructure. From the review:

"This is a tough review to write, since I worked with the lead authors and series editor at Foundstone, and I'm mentioned by name on p. 384. "Security Sage's Guide to Hardening the Network Infrastructure" (HTNI) is mainly a collection of advice given in other security books, packaged with brochure-like commercial product descriptions. Much of the technical defensive recommendations lack the command-level syntax to put that advice into practical use. I was excited by the table of contents, but disappointed once I finished the book. I can't recommend HTNI unless your library doesn't already address essential networking and security techniques."

Friday, June 18, 2004

More Useful Package Management Tools

I stumbled across two useful FreeBSD package management tools yesterday. One is graphical and the other works via the command line. Both help administrators understand dependency issues when they might want to clean out unnecessary packages.

Keep in mind that installing software via the FreeBSD ports tree registers the result as an installed package, but does not necessarily create a package file that can be moved among systems. That is why administrators can install software with the ports tree and then use pkg_info, pkg_delete, and the other FreeBSD pkg tools to manipulate deployed applications.

The first tool is gpkgdep, in the ports tree as sysutils/gpkgdep, by Jack Slater. This is an older tool but it works fine on my FreeBSD 5.2.1 REL system. Gpkgdep has good online documentation, but I'll quickly describe its use via a few screenshots.



This screen shot shows the "Required Packages" tab. It shows all installed packages, not all of the packages which could be installed. (This differs from a tool like sysutils/pib, a Tcl/Tk tool which presents information found in the ports index.) At the top of the screen shot we see "nmap-3.5.0", with "pcre-4.5" indented below. This means pcre is a dependency of nmap, i.e., nmap needs pcre to run. If we wanted to remove pcre, it would prevent us from running nmap. Further down the list we see "p0f-2.0.3_1", which has no arrow to the left of its name nor anything listed below. This means p0f has no dependencies.



The next screen shot shows the "Dependent Packages" tab. This lists packages followed by their dependencies. In this view, we're looking at "pcre-4.5" at the top. Indented below it we see "ethereal-0.10.3" and "nmap-3.50". This means both ethereal and nmap depend upon pcre.



The final screen shot displays the "Remove Package Simulation." Here we can select packages and see their dependencies selected automatically. In this case "ethereal-0.10.3" is selected, and gpkgdep has dynamically selected Ethereal's dependencies; they are shown with slightly greyed-out boxes.

Turning to the command line environment we have sysutils/pkg_tree by Edwin Groothuis. This tool provides similar information in CLI form. To see Ethereal's dependencies, try this:

$ pkg_tree ethereal
ethereal-0.10.3
|\__ jpeg-6b_2
|\__ libiconv-1.9.1_3
|\__ python-2.3.4
|\__ png-1.2.5_5
|\__ pkgconfig-0.15.0_1
|\__ perl-5.6.1_15
|\__ pcre-4.5
|\__ expat-1.95.7
|\__ net-snmp-5.1.1_4
|\__ gettext-0.13.1_1
|\__ libxml2-2.6.9
|\__ freetype2-2.1.7_3
|\__ tiff-3.6.1_1
|\__ imake-4.3.0_2
|\__ fontconfig-2.2.2,1
|\__ XFree86-libraries-4.3.0_7
|\__ XFree86-fontEncodings-4.3.0
|\__ glib-2.4.1_1
|\__ libXft-2.1.6
|\__ shared-mime-info-0.14_2
|\__ hicolor-icon-theme-0.5
|\__ atk-1.6.1
|\__ adns-1.0_1
|\__ XFree86-fontScalable-4.3.0
|\__ pango-1.4.0_1
\__ gtk-2.4.1
tethereal-lite-0.10.3
|\__ pkgconfig-0.15.0_1
\__ glib-1.2.10_11

This shows all of the packages needed by Ethereal and also Tethereal. Nmap is simpler:

$ pkg_tree nmap
nmap-3.50
\__ pcre-4.5

If you want to see all of the dependencies for the listed packages, use the -v option:

$ pkg_tree -v ethereal
ethereal-0.10.3
|\__ jpeg-6b_2
|\__ libiconv-1.9.1_3
|\__ python-2.3.4
|\__ png-1.2.5_5
|\__ pkgconfig-0.15.0_1
|\__ perl-5.6.1_15
|\__ pcre-4.5
|\__ expat-1.95.7
|\__ net-snmp-5.1.1_4
| \__ perl-5.6.1_15
|\__ gettext-0.13.1_1
| |\__ libiconv-1.9.1_3
| \__ expat-1.95.7
|\__ libxml2-2.6.9
| |\__ python-2.3.4
| |\__ pkgconfig-0.15.0_1
| \__ libiconv-1.9.1_3
...truncated...

If you run this tool without any options, it queries the package database for every installed application.
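The question both tools answer is the one you ask before house cleaning: if I delete this, what else goes, and what is left behind that nothing needs any more? The Python below is an added example, not code from gpkgdep or pkg_tree; it parses a constructed excerpt in the pkg_tree -v layout shown above (the "\__" arrows and "| " columns encode the nesting) into a dependency graph, then reproduces gpkgdep's "Dependent Packages" view and its remove simulation, and adds the orphan calculation that neither tool prints directly. The excerpt is a subset of the tree above, not the full output.

```python
# Constructed excerpt in pkg_tree -v layout (a subset of the tree shown above).
SAMPLE_PKG_TREE = r"""
ethereal-0.10.3
|\__ pcre-4.5
|\__ net-snmp-5.1.1_4
| \__ perl-5.6.1_15
|\__ gettext-0.13.1_1
| |\__ libiconv-1.9.1_3
| \__ expat-1.95.7
\__ glib-2.4.1_1
nmap-3.50
\__ pcre-4.5
p0f-2.0.3_1
"""


def parse_pkg_tree(text):
    """Map each package to the set of packages it directly depends on.

    A line without the arrow names a package at the top of a tree; a line with
    the arrow is a dependency, and the width of the '| ' columns before the
    arrow gives its nesting depth."""
    graph, stack = {}, []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        idx = line.find("\\__")
        if idx < 0:                        # top of a tree
            name = line.strip()
            graph.setdefault(name, set())
            stack = [name]
            continue
        depth = 1 + len(line[:idx]) // 2   # "|" -> 1, "| |" or "| " -> 2, ...
        name = line[idx + 3:].strip()
        parent = stack[depth - 1]
        graph.setdefault(parent, set()).add(name)
        graph.setdefault(name, set())
        stack = stack[:depth] + [name]
    return graph


def dependents(graph, pkg):
    """Packages that directly require pkg (gpkgdep's 'Dependent Packages' view)."""
    return {p for p, deps in graph.items() if pkg in deps}


def leaf_packages(graph):
    """Installed packages nothing else requires: the only ones deletable on their own."""
    return {p for p in graph if not dependents(graph, p)}


def removal_set(graph, pkg):
    """Everything that goes if pkg is deleted: pkg plus its transitive dependents."""
    gone, todo = set(), [pkg]
    while todo:
        p = todo.pop()
        if p not in gone:
            gone.add(p)
            todo.extend(dependents(graph, p))
    return gone


def orphaned_by(graph, pkg):
    """Dependencies no remaining package needs once pkg and its dependents are
    gone; iterated until nothing new falls out (candidates for the next round)."""
    gone = removal_set(graph, pkg)
    needed_before = set().union(*graph.values())
    remaining = set(graph) - gone
    orphans = set()
    while True:
        needed_now = set()
        for p in remaining:
            needed_now |= graph[p]
        newly = {p for p in remaining if p in needed_before and p not in needed_now}
        if not newly:
            return orphans
        orphans |= newly
        remaining -= newly


if __name__ == "__main__":
    g = parse_pkg_tree(SAMPLE_PKG_TREE)
    print("needs pcre-4.5     :", sorted(dependents(g, "pcre-4.5")))
    print("deletable leaves   :", sorted(leaf_packages(g)))
    print("removing pcre takes:", sorted(removal_set(g, "pcre-4.5")))
    print("ethereal orphans   :", sorted(orphaned_by(g, "ethereal-0.10.3")))
```

Feed it `pkg_tree -v` output for the whole system (no package argument) and the orphan list is the set you can pkg_delete after removing a leaf without breaking anything still installed; pcre stays off that list here because nmap still needs it.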

Keep these tools in mind when you feel like doing some package house cleaning.

Adventures with FreeBSD CURRENT

I decided to upgrade my Dell PowerEdge 2300 (dual PIII) system from FreeBSD 4 STABLE to FreeBSD 5.2.1 REL. Before installing the new OS, I tested the hardware for compatibility with the 5 tree by trying to boot the FreeSBIE live CD. That failed, so I next tried to boot the 5.2.1 installation CD. That also failed, hanging at this point:

SMP: AP CPU#1 launched!
Mounting root from ufs:/dev/md0
md0: Preloaded image 4423680 bytes at 0xc09e16d8

I tried a few simple fixes, like booting without ACPI enabled via the boot menu. I also tried a trick at the boot prompt noted in a newsgroup posting, namely:

unset acpi_load
set hint.apic.0.disabled=1

Note the first step disables ACPI, or "Advanced Configuration and Power Management support" (also at www.acpi.info). The second step disables APIC, the "Advanced Programmable Interface Controller." This site explains the relationship between ACPI and APIC.

None of these steps worked, so I decided to try installing the latest FreeBSD CURRENT snapshot. I burned the normal installation CD-ROM for 5-CURRENT and found it would boot on my Dell. I then installed it, and saw this as the result:

-bash-2.05b$ uname -a
FreeBSD janney.taosecurity.com 5.2-CURRENT-20040617-JPSNAP
FreeBSD 5.2-CURRENT-20040617-JPSNAP #0:
Thu Jun 17 01:58:11 GMT 2004 root@ushi.jp.freebsd.org:/usr/obj/usr/src/sys/GENERIC i386

Don't be worried about the "jp". This isn't some sort of Japanese distro. The "jp" is a reference to who built it -- the Japanese FreeBSD project.

Keep in mind that running CURRENT may bring problems, as it's not as stable as RELEASE. I also noticed this in dmesg output:

WARNING: WITNESS option enabled, expect reduced performance.

According to the man pages, witness "keeps track of the locks acquired and released by each thread." This is a troubleshooting mechanism. I can rebuild the kernel without it, as I see how it was built in GENERIC:

-bash-2.05b$ grep -i witness /usr/src/sys/i386/conf/GENERIC
options WITNESS # Enable checks to detect deadlocks and cycles
options WITNESS_SKIPSPIN # Don't run witness on spinlocks for speed

Anyway, I was happy to get the 5 tree running on this system.

Sunday, June 13, 2004

Cheap Domain Name Registration and Free Email Forwarding

Two years ago I registered the bejtlich.net and taosecurity.com domains through DomainDiscover. Since then I've used GoDaddy to register new domains like taosecurity.net and taosecurity.org (the latter after seeing that domain attributed to me in the new book Security Sage's Guide to Hardening the Network Infrastructure). I liked using DomainDiscover because they offered free email forwarding, but their $25 domain renewal fee seemed excessive.

GoDaddy offers domain name transfers for $7.95, which is excellent, but no free email forwarding. I decided to use ZoneEdit to host DNS records for the bejtlich.net, taosecurity.org, and taosecurity.net domains. ZoneEdit offers free email forwarding when you set up DNS records. Essentially, once I transferred or already had domains registered with GoDaddy, I changed the GoDaddy WHOIS records to list name servers owned by ZoneEdit. For example, here is my WHOIS record for taosecurity.net:

orr:/home/richard$ whois taosecurity.net
Registrant:
Richard Bejtlich
7799 Leesburg Pike Ste 1100S
Falls Church, Virginia 22043
United States

Registered through: GoDaddy.com
Domain Name: TAOSECURITY.NET
Created on: 07-May-04
Expires on: 07-May-05
Last Updated on: 11-Jun-04
...edited...
Domain servers in listed order:
NS18.ZONEEDIT.COM
NS8.ZONEEDIT.COM

Using dig, we can see the DNS records for taosecurity.net:

orr:/home/richard$ dig @ns18.zoneedit.com taosecurity.net -t any

; <<>> DiG 8.3 <<>> @ns18.zoneedit.com taosecurity.net -t
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3126
;; flags: qr aa rd; QUERY: 1, ANSWER: 7, AUTHORITY: 2, ADDITIONAL: 0
;; QUERY SECTION:
;; taosecurity.net, type = ANY, class = IN

;; ANSWER SECTION:
taosecurity.net. 2H IN A 216.98.141.250
taosecurity.net. 2H IN A 207.234.129.65
taosecurity.net. 2H IN MX 0 mail3.zoneedit.com.
taosecurity.net. 2H IN MX 0 mail4.zoneedit.com.
taosecurity.net. 2H IN NS ns18.zoneedit.com.
taosecurity.net. 2H IN NS ns8.zoneedit.com.
taosecurity.net. 2H IN SOA ns18.zoneedit.com. soacontact.zoneedit.com. (
1087014650 ; serial
4H ; refresh
2H ; retry
1w4d ; expiry
2H ) ; minimum


;; AUTHORITY SECTION:
taosecurity.net. 2H IN NS ns18.zoneedit.com.
taosecurity.net. 2H IN NS ns8.zoneedit.com.

;; Total query time: 68 msec
;; FROM: orr.taosecurity.com to SERVER: 65.125.227.35
;; WHEN: Sun Jun 13 19:06:42 2004
;; MSG SIZE sent: 33 rcvd: 233

With mail3 and mail4.zoneedit.com handling email forwarding, I can send messages to richard@taosecurity.net anywhere I like. If I relied on GoDaddy's extra email forwarding service, I'd have to pay an extra $10 or similar per domain.

If you're transferring an existing domain, I recommend taking these steps:

0. Disable any "zone transfer denial" preferences at your registrar. This caught me and delayed the transfer process until I told DomainDiscover to allow transfers.
1. Create zone records at ZoneEdit.
2. Change the DNS server entries at the existing registrar to point to the ZoneEdit DNS servers.
3. Change the contact information at the existing registrar to point to an email account outside of the domain being transferred. A Gmail or Yahoo! email account is perfect for this purpose.
4. Create the email forwarding records at ZoneEdit.
5. Request a zone transfer through GoDaddy.
6. Follow through on the zone transfer messages sent to the contact email on file at the original registrar.
7. Eventually the new name server information will propagate through DNS and outside parties will be able to contact you again.
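Two things are worth confirming before calling step 7 done: the name servers the registrar publishes (the "Domain servers in listed order" block in the whois output above) must match the NS records the zone itself serves (the dig output above), otherwise the delegation is lame and resolvers will fail or, worse, follow stale servers; and the MX hosts should sit outside the domain, so mail keeps flowing while the delegation moves. The Python below is an added example, not ZoneEdit's or GoDaddy's tooling; it parses constructed copies of the whois and dig output shown above and reports both checks, plus whether the SOA's primary server is among the listed NS records. It assumes the dig 8.x text layout shown above (owner, TTL, class, type, rdata).

```python
# Constructed copies of the relevant parts of the whois and dig output above.
WHOIS_SAMPLE = """\
Domain Name: TAOSECURITY.NET
Domain servers in listed order:
NS18.ZONEEDIT.COM
NS8.ZONEEDIT.COM
"""

DIG_SAMPLE = """\
;; ANSWER SECTION:
taosecurity.net. 2H IN A 216.98.141.250
taosecurity.net. 2H IN A 207.234.129.65
taosecurity.net. 2H IN MX 0 mail3.zoneedit.com.
taosecurity.net. 2H IN MX 0 mail4.zoneedit.com.
taosecurity.net. 2H IN NS ns18.zoneedit.com.
taosecurity.net. 2H IN NS ns8.zoneedit.com.
taosecurity.net. 2H IN SOA ns18.zoneedit.com. soacontact.zoneedit.com. (
1087014650 ; serial
4H ; refresh
2H ; retry
1w4d ; expiry
2H ) ; minimum

;; AUTHORITY SECTION:
taosecurity.net. 2H IN NS ns18.zoneedit.com.
taosecurity.net. 2H IN NS ns8.zoneedit.com.
"""


def norm(host):
    """Canonical host form: lower case, no trailing dot, no stray whitespace."""
    return host.strip().rstrip(".").lower()


def registrar_nameservers(whois_text):
    """Name servers listed under 'Domain servers in listed order' in whois output."""
    servers, collecting = [], False
    for line in whois_text.splitlines():
        if line.strip().lower().startswith("domain servers in listed order"):
            collecting = True
            continue
        if collecting:
            if not line.strip():
                break
            servers.append(norm(line))
    return servers


def zone_records(dig_text):
    """(owner, type, rdata) tuples from the ANSWER SECTION of dig output only.

    SOA continuation lines and other sections are skipped."""
    records, in_answer = [], False
    for line in dig_text.splitlines():
        if line.startswith(";; ANSWER SECTION"):
            in_answer = True
            continue
        if line.startswith(";;"):
            in_answer = False
            continue
        parts = line.split()
        if in_answer and len(parts) >= 5 and parts[2] == "IN":
            records.append((norm(parts[0]), parts[3], " ".join(parts[4:])))
    return records


def check_delegation(whois_text, dig_text, zone):
    """Compare registrar NS data with the zone apex, and look at where mail goes."""
    zone = norm(zone)
    records = zone_records(dig_text)
    registrar = sorted(registrar_nameservers(whois_text))
    apex_ns = sorted(norm(rd) for owner, rtype, rd in records
                     if owner == zone and rtype == "NS")
    mx_hosts = [norm(rd.split()[1]) for owner, rtype, rd in records
                if owner == zone and rtype == "MX"]
    soa = [norm(rd.split()[0]) for owner, rtype, rd in records
           if owner == zone and rtype == "SOA"]
    return {
        "registrar_ns": registrar,
        "apex_ns": apex_ns,
        "delegation_consistent": registrar == apex_ns,
        "soa_primary_listed": bool(soa) and soa[0] in apex_ns,
        "mx_hosts": mx_hosts,
        "mail_handled_outside_zone": all(
            h != zone and not h.endswith("." + zone) for h in mx_hosts),
    }


if __name__ == "__main__":
    for key, value in check_delegation(WHOIS_SAMPLE, DIG_SAMPLE, "taosecurity.net").items():
        print(f"{key:26} {value}")
```

Re-run the whois and dig commands shown above a day or two after the transfer and feed the fresh output to check_delegation; a False under delegation_consistent means the old registrar's servers are still being advertised somewhere and outside parties may be reaching a zone you no longer control.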

As an added bonus, GoDaddy automatically performs a one year renewal for transferred domains. Since bejtlich.net was about to expire, I got a "free" renewal (although the transfer fee is basically the same as a new domain registration fee). If you're wondering how I handle email for taosecurity.com, I let the company hosting www.taosecurity.com, Niuhi.com, advertise MX records and run the domain's mail servers.

Of course, if I weren't a Comcast cable modem subscriber worried about seeing port 25 TCP blocked, I might operate my own email servers. I looked into DSL through SpeakEasy but only IDSL was available. Impressed by SpeakEasy's customer service and the prospect of static IPs, I readied myself for the high cost and low bandwidth. Eventually the IDSL plan fell through due to "no facilities available in the ILEC" -- after, of course, I had already bought an IDSL modem on eBay!

Review of Malware Posted

Months after I received a review copy of Ed Skoudis' Malware, I finally read and reviewed it. From the review:


"One of the impressive aspects of this book is the degree to which it is "future-proofed." Ed looks at current threats like worms, viruses, trojans, and user- and kernel-mode rootkits, like any author might. He then takes malicious software to the next level, from the kernel to BIOS and finally to CPU microcode. These BIOS- and microcode-level attacks are still largely theoretical (aside from BIOS-destroying code), at least as far as the public knows. When the world sees these threats emerge, "Malware" will be waiting to explain their capabilities."

I'd like to add a few Web sites to the many Ed mentions in his book. jesusmolina.com and microcodes.sf.net are good references for information on CPU microcode issues.

Wednesday, June 09, 2004

Sguil 0.4.0, Snort 2.1.3, Barnyard 0.2.0 Installation Guide Published

I just published a new guide for installing Sguil 0.4.0 with Snort 2.1.3 and Barnyard 0.2.0. This guide contains sections for each Sguil component, namely the sensor, database, server, and client. The dependency listings should help users deploy Sguil in a distributed manner, rather than running all components on a single platform. Please email sguil at taosecurity dot com if you have any comments on this guide.

Monday, June 07, 2004

Review of Anti-Spam Tool Kit Posted

Amazon.com just published my four star review of Anti-Spam Tool Kit. From the review:


"I've never been interested in viruses, worms, or spam. All three represent the lowest end of malware, with spam occupying a particularly disdainful place in the computer security hierarchy. I wasn't very excited when a review copy of "Anti-Spam Tool Kit" (ASTK) arrived in the mail, but I found myself drawn in by the value of the content and tools it described. I highly recommend anyone tasked with fighting spam read ASTK."

Update: Paul Wolfe sent a nice email regarding my review. If you have comments on ASTK, I recommend visiting the ASTK book site at www.vorpalmedia.com and telling him what you'd like to see in a second edition, or your comments on the first edition.

Friday, June 04, 2004

Report on Compatible Devices in FreeBSD

Sometimes it helps to know what hardware is compatible with non-Windows operating systems like FreeBSD. I wanted to buy a CompactFlash card and reader to work with my Soekris net4801 platform. I used the list at the flashdist site to guide my product purchase. I bought a SanDisk ImageMate 8 in 1 Reader/Writer, model SDDR-88-A15, pictured at above left. I also bought a 256 MB Type 1 CompactFlash card (product ID SDCFB-256-A10). Although the reader supports USB 2.0, my laptop natively only supports USB 1.1. I do own an Adaptec DuoConnect adapter, but only the FireWire port works. I have not had any luck with FreeBSD 5.2.1 REL and the ehci driver.

Here is what dmesg reports when I attach the CF reader (with CF card inserted) to the USB port on my laptop:
umass0: SanDisk ImageMate 8 in 1, rev 2.00/91.39, addr 2

GEOM: create disk da0 dp=0xc3a81450
da0 at umass-sim0 bus 0 target 0 lun 0
da0: Removable Direct Access SCSI-0 device
da0: 1.000MB/s transfers
da0: 245MB (501760 512 byte sectors: 64H 32S/T 245C)
GEOM: create disk da1 dp=0xc3ab2850
da1 at umass-sim0 bus 0 target 0 lun 1
da1: Removable Direct Access SCSI-0 device
da1: 1.000MB/s transfers
da1: Attempt to query device size failed: NOT READY, Medium not present
...truncated...

You see the CF card is present on device da0, but devices da1 and up aren't ready as there's nothing inserted in those slots.


Using the device for storage is simple:

orr:/home/richard$ sudo mount -t msdos /dev/da0s1 /floppy
orr:/home/richard$ ls /floppy/
orr:/home/richard$ df -h
Filesystem Size Used Avail Capacity Mounted on
/dev/ad0s2a 5.8G 3.3G 2.0G 62% /
devfs 1.0K 1.0K 0B 100% /dev
/dev/ad0s2d 1.9G 1.2G 589M 68% /home
/dev/ad0s2f 739M 17M 662M 3% /tmp
/dev/ad0s2e 4.4G 135M 3.9G 3% /var
linprocfs 4.0K 4.0K 0B 100% /usr/compat/linux/proc
neely:/usr/ports 12G 8.1G 2.5G 76% /usr/ports
/dev/da0s1 244M 8.0K 244M 0% /floppy

I tried the CF reader in a machine with ehci support compiled in to the kernel, since it has USB 2.0 ports built-in. I got errors saying "usb3: unrecoverable error, controller".
As I mentioned the Adaptec DuoConnect earlier, here is how it appears in dmesg when attached:

cardbus1: Resource not specified in CIS: id=10, size=800
cardbus1: Resource not specified in CIS: id=14, size=4000
fwohci0: mem 0x88000000-0x88003fff,0x88004000-0x880047ff irq 11 at device 0.0 on cardbus1
fwohci0: OHCI version 1.10 (ROM=1)
fwohci0: No. of Isochronous channel is 4.
fwohci0: EUI64 08:00:28:56:02:00:49:8a
fwohci0: Phy 1394a available S400, 3 ports.
fwohci0: Link S400, max_rec 2048 bytes.
firewire0: on fwohci0
fwe0: on firewire0
if_fwe0: Fake Ethernet address: 0a:00:28:00:49:8a
sbp0: on firewire0
fwohci0: Initiate bus reset
fwohci0: BUS reset
fwohci0: node_id=0xc000ffc0, gen=1, CYCLEMASTER mode
firewire0: 1 nodes, maxhop <= 0, cable IRM = 0 (me)
firewire0: bus manager 0 (me)
cardbus1: Resource not specified in CIS: id=10, size=1000
ohci0: mem 0x88000000-0x88000fff irq 11 at device 0.4 on cardbus1
usb1: OHCI version 0.0
usb1: unsupported OHCI revision
ohci0: USB init failed
device_probe_and_attach: ohci0 attach returned 5
cardbus1: Resource not specified in CIS: id=10, size=1000
ohci0: mem 0x88000000-0x88000fff irq 11 at device 0.5 on cardbus1
usb1: OHCI version 15.15, legacy support
usb1: unsupported OHCI revision
ohci0: USB init failed
device_probe_and_attach: ohci0 attach returned 5
cardbus1: Resource not specified in CIS: id=10, size=100
cardbus1: at device 0.6 (no driver attached)

Although USB 2.0 doesn't work with this adapter, FireWire appears to be supported. I'm not the only person who has experience with this NEC chipset and USB 2.0 (see this thread). I bought a Plextor 708UF external DVD burner, which offers USB 2.0 and FireWire support. Here is how it appears when connected to the Adaptec DuoConnect:

fwohci0: BUS reset
fwohci0: node_id=0xc000ffc1, gen=3, CYCLEMASTER mode
firewire0: 2 nodes, maxhop <= 1, cable IRM = 1 (me)
firewire0: bus manager 1 (me)
fwohci0: BUS reset
fwohci0: node_id=0xc000ffc1, gen=4, CYCLEMASTER mode
firewire0: 2 nodes, maxhop <= 1, cable IRM = 1 (me)
firewire0: bus manager 1 (me)
firewire0: New S400 device ID:00d0a910023005cd
GEOM: create disk cd0 dp=0xc4220e00
cd0 at sbp0 bus 0 target 0 lun 0
cd0: Removable CD-ROM SCSI-0 device
cd0: 50.000MB/s transfers
cd0: Attempt to query device size failed: NOT READY, Medium not present - tray closed

Notice the "1.06" in the output. That is the drive's firmware version. If I need to update it, I can use PXUpdate, as explained here.

Since this DuoConnect supports FireWire so well, maybe I should have bought a SanDisk Ultra Firewire ImageMate Reader (CDW sells them for $42). If I only wanted to use the CF card with my laptop, I could have also purchased a SanDisk PC Card Adapter.

I'm making this blog entry using a USB 200M 10/100 NIC. While I can't boot with it attached, once I insert it into my USB port it appears like this to dmesg:


axe0: Linksys product 0x2226, rev 2.00/0.01, addr 2
axe0: Ethernet address: 00:10:60:25:a4:1a
miibus1: on axe0
rlphy0: on miibus1
rlphy0: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto

It's easy to configure it:

orr:/home/richard$ sudo ifconfig axe0 inet 192.168.2.5 netmask 255.255.255.0 up
orr:/home/richard$ sudo route add default 192.168.2.1
add net default: gateway 192.168.2.1
orr:/home/richard$ ping www.google.com
PING www.google.akadns.net (216.239.39.104): 56 data bytes
64 bytes from 216.239.39.104: icmp_seq=0 ttl=240 time=23.568 ms
^C

Since USB 1.1 "Full speed" supports 12 Mbps, I can't make full utilization of a 100 Mbps link. Since this NIC connects to a wireless 802.11b bridge, which eventually connects to a cable modem, the NIC isn't the bottleneck. USB 2.0 "High speed" supports 480 Mbps, and IEEE 1394a ("FireWire 400") supports 400 Mbps.

Thursday, June 03, 2004

Fixing Troublesome Port Upgrades

Today while trying to run portupgrade on my FreeBSD 5.2.1 REL system, I ran into this error:

drury# portupgrade -varp

---> Upgrade of devel/libbonobo started at: Thu, 03 Jun 2004 15:43:31 -0400
---> Upgrading 'libbonobo-2.6.0' to 'libbonobo-2.6.2' (devel/libbonobo)
---> Build of devel/libbonobo started at: Thu, 03 Jun 2004 15:43:31 -0400
---> Building '/usr/ports/devel/libbonobo'
===> Cleaning for libiconv-1.9.1_3
===> Cleaning for ORBit2-2.10.2
...edited...
===> Configuring for libbonobo-2.6.2
checking for a BSD-compatible install... /usr/bin/install -c -o root -g wheel
checking whether build environment is sane... yes
checking for gawk... no
checking for mawk... no
checking for nawk... nawk
checking whether gmake sets $(MAKE)... yes
checking whether to enable maintainer-specific portions of Makefiles... no
checking for perl... /usr/bin/perl
configure: error: XML::Parser perl module is required for intltool
===> Script "configure" failed unexpectedly.
Please report the problem to gnome@FreeBSD.org [maintainer]
and attach
the "/usr/ports/devel/libbonobo/work/libbonobo-2.6.2/config.log" including
the output of the failure of your make command. Also, it might be
a good idea to provide an overview of all packages installed on your
system (e.g. an `ls /var/db/pkg`).
*** Error code 1

Stop in /usr/ports/devel/libbonobo.

I found a thread with a similar problem. I also found an error, so I tried the following solution. I told portupgrade to upgrade the p5-XML-Parser port, which intltool complained about above. By using the -f switch I forced the reinstallation of the p5-XML-Parser port, and the -r switch told portupgrade to upgrade ports depending on p5-XML-Parser. This resulted in reinstallation of intltool and

drury# portupgrade -r -f p5-XML-Parser
---> Reinstalling 'p5-XML-Parser-2.34_1' (textproc/p5-XML-Parser)
---> Building '/usr/ports/textproc/p5-XML-Parser'
===> Cleaning for perl-5.8.4
...edited...
tar: lib/perl5/site_perl/5.6.1/mach/XML/Parser/LWPExternEnt.pl:
Cannot stat: No such file or directory
tar: Error exit delayed from previous errors
pkg_create: make_dist: tar command failed with code 512
---> Uninstalling the old version
---> Deinstalling 'p5-XML-Parser-2.34_1'
pkg_delete: package 'p5-XML-Parser-2.34_1' is
required by these other packages and may not be deinstalled
(but I'll delete it anyway):
eel2-2.6.1
gedit2-2.6.1
gtksourceview-1.0.1
intltool-0.30_1
libbonoboui-2.6.1
libgnome-2.6.1.1
libgnomeui-2.6.1.1
scrollkeeper-0.3.14_1,1
pkg_delete: file '/usr/local/lib/perl5/5.6.1/man/man3/XML::Parser.3.gz'
doesn't
really exist
pkg_delete: file '/usr/local/lib/perl5/5.6.1/man/man3/XML::Parser::Expat.3.gz'
doesn't really exist
pkg_delete: file '/usr/local/lib/perl5/5.6.1/man/man3/XML::Parser::Style::Debug.
3.gz'
doesn't really exist
...edited...
Installing /usr/local/lib/perl5/5.8.4/man/man3/XML::Parser::Style::Stream.3
Writing /usr/local/lib/perl5/site_perl/5.8.4/mach/auto/XML/Parser/.packlist
===> Compressing manual pages for p5-XML-Parser-2.34_1
===> Registering installation for p5-XML-Parser-2.34_1
===> Cleaning for perl-5.8.4
===> Cleaning for expat-1.95.7
===> Cleaning for p5-XML-Parser-2.34_1
---> Cleaning out obsolete shared libraries
[Updating the pkgdb in /var/db/pkg ... - 196 packages found
(-0 +1) . done]
---> Reinstalling 'intltool-0.30_1' (textproc/intltool)
---> Building '/usr/ports/textproc/intltool'
===> Cleaning for libiconv-1.9.1_3
...truncated...

When this was done I upgraded libbonobo independently:

drury# portupgrade -v libbonobo
---> Session started at: Thu, 03 Jun 2004 16:31:27 -0400
---> Upgrade of devel/libbonobo started at: Thu, 03 Jun 2004 16:31:28 -0400
---> Upgrading 'libbonobo-2.6.0' to 'libbonobo-2.6.2' (devel/libbonobo)
---> Build of devel/libbonobo started at: Thu, 03 Jun 2004 16:31:28 -0400
---> Building '/usr/ports/devel/libbonobo'
===> Cleaning for libiconv-1.9.1_3
===> Cleaning for ORBit2-2.10.2
===> Cleaning for bison-1.75_2
===> Cleaning for gettext-0.13.1_1
===> Cleaning for glib-2.4.1_1
===> Cleaning for gmake-3.80_2
===> Cleaning for libIDL-0.8.3_2
===> Cleaning for m4-1.4_1
===> Cleaning for pkgconfig-0.15.0_1
===> Cleaning for popt-1.6.4_2
===> Cleaning for perl-5.8.4
===> Cleaning for python-2.3.4
===> Cleaning for intltool-0.30_1
===> Cleaning for libxml2-2.6.9
===> Cleaning for p5-XML-Parser-2.34_1
===> Cleaning for libbonobo-2.6.2
===> Extracting for libbonobo-2.6.2

That took care of the earlier problems and updated the port.

Review of Anti-Hacker Tool Kit, 2nd Ed Posted

Amazon.com just published my four star review of Anti-Hacker Tool Kit, 2nd Ed. From the review:


"I reviewed the first edition "Anti-Hacker Tool Kit" (AHT:1E) in August 2002. This second edition (AHT:2E) follows only 18 months after the original was published. I don't believe enough time has passed to warrant an update, even though tools can evolve quickly. In certain aspects the book suffers from a lack of updates from AHT:1E author Keith Jones, who found the publisher's demands onerous. Nevertheless, AHT:2E is a must-buy if you didn't read AHT:1E."

Wednesday, June 02, 2004

Good News from Snort Land

I have two good pieces of news from the Snort development team. First, Snort 2.1.3 has been released. The big deal with this new release is multi event logging via event queue. This feature lets Snort generate multiple alerts per packet or stream, rather than alerting once and then moving on to the next packet or stream. It was introduced to address what H.D. Moore calls event masking.
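Event masking is easy to see with a toy model. Before the event queue, Snort raised one alert per packet, so whichever rule happened to match first in the rule file was the only thing the analyst saw; a noisy low-severity rule listed early could hide a serious match on the same packet. The Python below is an added model, not Snort's code: three constructed rules with Snort-style priorities (1 is most severe) are run over one constructed HTTP request that trips all of them, once with first-match-only alerting and once with a queue that holds up to max_queue matches, orders them by priority, and logs the top few. The max_queue and log names follow the event queue's settings as I understand them; the queue logic is a simplification and does not reproduce Snort's internals.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    sid: int
    msg: str
    priority: int    # Snort convention: 1 is the most severe
    content: bytes   # a plain substring stands in for a content: match


# Constructed rules (not from any Snort ruleset): a noisy low-severity rule
# sits first in the file, ahead of the one an analyst actually needs to see.
RULES = [
    Rule(1000001, "POLICY plain-text credentials in URI", 3, b"user="),
    Rule(1000002, "EXPLOIT long URI overflow attempt", 1, b"A" * 64),
    Rule(1000003, "WEB-MISC suspicious User-Agent", 2, b"User-Agent: x"),
]

# Constructed request that matches all three rules at once.
SAMPLE_PAYLOAD = (b"GET /login?user=" + b"A" * 64
                  + b" HTTP/1.0\r\nUser-Agent: x\r\n\r\n")


def matching_rules(rules, payload):
    """Rules whose content appears in the payload, in rule-file order."""
    return [r for r in rules if r.content in payload]


def alert_first_match(rules, payload):
    """Pre-queue behaviour: one alert per packet, from whichever rule matched first."""
    return matching_rules(rules, payload)[:1]


def alert_event_queue(rules, payload, max_queue=8, log=3):
    """Event-queue model: hold up to max_queue matches, order them by priority
    (stable, so ties keep rule order) and log the top `log` of them."""
    queue = matching_rules(rules, payload)[:max_queue]
    queue.sort(key=lambda r: r.priority)
    return queue[:log]


def masked_events(rules, payload):
    """Matches more severe than the one first-match alerting reported for this packet."""
    shown = alert_first_match(rules, payload)
    if not shown:
        return []
    return [r for r in matching_rules(rules, payload) if r.priority < shown[0].priority]


if __name__ == "__main__":
    print("first match only   :", [r.msg for r in alert_first_match(RULES, SAMPLE_PAYLOAD)])
    print("event queue, log 3 :", [r.msg for r in alert_event_queue(RULES, SAMPLE_PAYLOAD)])
    print("masked by first match:", [r.sid for r in masked_events(RULES, SAMPLE_PAYLOAD)])
```

The point for a detection engineer is that under first-match alerting the EXPLOIT rule never reaches the console for this packet; with the queue, the same packet produces three events with the most severe first, and even log=1 surfaces the right one.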

The second good piece of news is the appearance of Sguil in several publications and presentations. First, Marty Roesch's AUSCERT 2004 presentation (.pdf) includes Sguil along with ACID as two consoles for Snort. Sguil also appears in two new books, Syngress' Snort 2.1 and O'Reilly's Network Security Hacks. Both books spend most of their time explaining how to install older versions of Sguil, but it's the thought that counts.

Now that Snort 2.1.3 has been released, I plan to upgrade my Sguil for FreeBSD installation guide to use the new Snort, plus Barnyard 0.2.0, Sguil 0.4.0, MySQL 4.0.20, and other updated supporting applications.

Review of Hacking Exposed: Windows 2003 Posted

Amazon.com just posted my four star review of Hacking Exposed: Windows Server 2003. From the review:


"HE:W03 is still the best book available if you want to learn how to assess and compromise Windows servers using publicly available tools. It will not teach original exploitation techniques like coding exploits, although this is usually unnecessary when admins deploy stock servers with blank administrator passwords. The authors are experts when it comes to performing pen tests of Windows targets, even though they are unapologetic Windows fans. (Page 195 bears the quote "command-line brain damage of Linux.") Their bias is also apparent as they question the applicability of the word "monopoly" to Microsoft (a legal fact); this isn't surprising given the authors' employers. Their bias also colors their judgment in the introduction, where they propose that security is a zero sum game between security and usability. Attitudes like that can no longer cover for Microsoft's security lapses."