Thursday, July 31, 2003

Installing Sguil in Red Hat 7.3

I just completed and uploaded a new installation guide .pdf for version 0.2.5 of Sguil. I included a new complete archive which provides everything you need to get Sguil running on a Red Hat 7.3 system. I also learned of this article posted on 29 July about installing Sguil on FreeBSD. I hope to incorporate this into the main Sguil guide once I try it out for myself. That was preceded by this BSDVault post.

Friday, July 25, 2003

Eagle Scout Security Project

An Eagle Scout candidate's service project is being used to assist security measures at Chicago's O'Hare airport:

"[T]he homemade devices in use at O'Hare, and similar ones elsewhere, are an optional, preliminary step to let passengers know whether their shoes will trigger alarms if they don't remove them and send them through the X-ray machines before walking through checkpoints... Inside each box is a wand, or small metal detector, held up with bungee cords. The box sounds an alarm if there's a violation. "

Thursday, July 24, 2003

Review of Linux on the Mainframe Posted

just published my 4 star review of Linux on the Mainframe. From the review:

"Server consolidation" is the latest buzzword for downsized IT staffs. Many believe this means reducing the number of Windows servers running on Intel hardware. "Linux on the Mainframe," (LOTM) written by experts from IBM, offer an alternative: virtualization on the IBM zSeries and S/390 mainframes. Virtualization is the process of running dozens or hundreds of operating system "images," each of which thinks it is running on dedicated hardware. LOTM explains the improvements in reliability, availability, and serviceability from implementing this sort of system.

Wednesday, July 23, 2003

Criminals Keylogging Kiosks

Beware using public Internet kiosks. CNN warns of a criminal who collected usernames and passwords at Kinko's stores:

"For more than a year, unbeknownst to people who used Internet terminals at Kinko's stores in New York, Juju Jiang was recording what they typed, paying particular attention to their passwords. Jiang had secretly installed, in at least 14 Kinko's copy shops, software that logs individual keystrokes. He captured more than 450 user names and passwords, and used them to access and open bank accounts online."

Tuesday, July 22, 2003

Teaching Foundstone Classes at Black Hat

Attending Black Hat next week? I will be teaching the first day of Foundstone's Ultimate Hacking Expert class at Black Hat Training in Las Vegas on Mon 28 Jul 03. Stop by and say hi. I'll be there both days but very busy on Monday.

Evolution of Intrusion Detection Systems

I recently referenced this article on The Evolution of Intrusion Detection Systems by Paul Innella. It links to historical papers dating back to the 1980s and gives a foundation for the modern systems in use today.

VMWare Webinars

I use VMWare for a variety of testing and research reasons. We used VMWare in Lenny Zeltser's class, mentioned below. I noticed VMWare offers webinars, which introduce clients to their products. Numerous VMWare newsgroups are archived at Google.

Cisco IOS Vulnerability

The Full-Disclosure mailing list has been a good source of information about the recent Cisco IOS vulnerability. This post links to working exploit code and shows how it works with sample data from a router.

CERT®-Certified Computer Security Incident Handler

CERT announced a new CERT®-Certified Computer Security Incident Handler certification. A combination of coursework at CERT, a college course, three years' experience, a letter of recommendation, and passing a test results in earning the cert.

Saturday, July 19, 2003

Lenny Zeltser's Reverse Engineering Malware

I just finished day two of Lenny Zeltser's Reverse Engineering Malware course at SANSFIRE 2003. The class was excellent, with hands-on use of trial versions of IDA Pro to disassemble and Ollydbg to debug a bot (download -- beware!). The course combined passive analysis of the binary with active analysis of its behavior and its posture in memory.


As a network security monitoring analyst, I'm always looking for better ways to inspect network traffic.

I recently learned of a product by Palisade Systems called PacketHound which "is a network appliance that allows system administrators to block, monitor, log, or throttle LAN access to an expansive list of unproductive or potentially dangerous protocols and applications." I'm happy to see that "PacketHound is an Intel-based PC appliance running FreeBSD and containing one or more 10/100 or Gigabit Ethernet NICs." (FreeBSD is my favorite OS, and is popular in many network inspection appliances.)

The best selling point of PacketHound is its inspection method: "PacketHound passively scans TCP packets for the characteristics that match the protocols it is designed to monitor and block. Conventional approaches to monitoring and blocking rely on blocking TCP ports -- for example, Gnutella typically uses port number 6346 -- so a firewall would block Gnutella by shutting off access to port 6346. Unfortunately, this approach works only with unsophisticated users and applications; more sophisticated users and newer applications can easily switch to other ports and thereby bypass the firewall. PacketHound, on the other hand, uses the fundamental characteristics of the protocol itself in addition to relying on default port blocking and, as a result, is immensely more difficult to bypass." I imagine this sort of inspection could be done with Snort if it were given signatures and told to watch all ports. However, the chances of false alarms could be high.
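The difference between blocking port 6346 and matching the protocol itself can be shown in a few lines. This is an added example, not code from PacketHound or Snort; the flows, signature table and function names are constructed for illustration. It also shows the false-alarm problem with an unanchored content match on all ports.

```python
# Added example: port-based vs. payload-based protocol identification.
# Every flow below is constructed sample data, not captured traffic.
from dataclasses import dataclass

GNUTELLA_PORT = 6346  # default Gnutella port cited in the text

# Byte prefixes a client sends first; matched only at offset 0 of the stream.
SIGNATURES = {
    "gnutella": (b"GNUTELLA CONNECT/",),
    "http": (b"GET ", b"POST ", b"HEAD "),
    "ssh": (b"SSH-",),
}


@dataclass
class Flow:
    name: str
    dst_port: int
    client_payload: bytes  # reassembled client-to-server bytes


def port_rule_hits(flow):
    """Firewall-style check: only the destination port is considered."""
    return flow.dst_port == GNUTELLA_PORT


def classify_payload(flow):
    """Identify the protocol from its opening bytes, whatever the port."""
    for proto, prefixes in SIGNATURES.items():
        if flow.client_payload.startswith(prefixes):
            return proto
    return "unknown"


def substring_rule_hits(flow):
    """Unanchored content match on all ports: simple, but alarm-prone."""
    return b"GNUTELLA" in flow.client_payload


SAMPLE_FLOWS = [
    Flow("default port", 6346, b"GNUTELLA CONNECT/0.6\r\nUser-Agent: demo\r\n\r\n"),
    Flow("moved to 80", 80, b"GNUTELLA CONNECT/0.6\r\nUser-Agent: demo\r\n\r\n"),
    Flow("web post", 80, b"POST /forum HTTP/1.0\r\n\r\nq=block+GNUTELLA+CONNECT"),
    Flow("ssh on 6346", 6346, b"SSH-2.0-demo\r\n"),
]


def evaluate(flows):
    """Return {flow name: (port rule, substring rule, payload protocol)}."""
    return {
        f.name: (port_rule_hits(f), substring_rule_hits(f), classify_payload(f))
        for f in flows
    }


if __name__ == "__main__":
    for name, result in evaluate(SAMPLE_FLOWS).items():
        print(f"{name:14} port={result[0]!s:5} substr={result[1]!s:5} proto={result[2]}")
```

The port rule misses the session moved to port 80 and flags unrelated SSH traffic on 6346, while the unanchored substring match fires on a web form that merely mentions Gnutella.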

Another network product, this from Vericept, looks promising. Vericept View for Privacy Protection comes in forms for financial services and health care providers. According to Network Computing, "Vericept's Intelligent Early Warning (VIEW) for Privacy Protection helps financial services organizations comply with the Gramm-Leach-Bliley Act. Using Vericept's linguistic and mathematical analysis of all TCP/IP network traffic, VIEW monitors all communications, including Internet, intranet, e-mail, IM, chat P2P, FTP, telnet and bulletin board postings, for inadvertent or malicious leaks of nonpublic personal information, such as credit card or social security numbers, account balances and payment or credit history. VIEW is designed to run on Vericept security appliances installed on a 10Base-T/100Base-T or Gigabit network." If indeed some intelligent algorithms are in play here, and not simple string or regular expression matching, this could be helpful to detect all sorts of abuse.

Friday, July 18, 2003

Sguil 0.2.5 on Windows

Want to become an "F8 monkey?" My friend Bamm Visscher released sguil 0.2.5 yesterday. Sguil is an interface to the Snort intrusion detection engine. By combining Snort with other code, it brings Snort closer to being an implementation of "network security monitoring," and not simply "intrusion detection."

Bamm has made a demo Sguil server available. Here's a step-by-step guide to installing the Sguil client on Windows, so you can access the Sguil server at Bamm's office.

1. Download and install the latest version of ActiveTCL. Below you see I downloaded the ActiveTCL Windows package. I installed it in "C:\Program Files\tcl".

2. Next, download the archive from Sourceforge:

3. Extract the contents of the .zip file. I extracted mine to "C:\Program Files\sguil". Once on your hard drive, edit the sguil.conf file located in the "C:\Program Files\sguil\sguil-0.2.5\client\" directory. Make the change as highlighted below to set your Sguil server to Bamm's office machine at

4. Now you need to associate the Tcl application with the Tcl interpreter. This will allow you to double-click on the file in "C:\Program Files\sguil\sguil-0.2.5\client\" and launch the application. In the Windows Explorer, right-click on and select properties:

5. You will see a button which says "Change". This allows you to associate the file with a new application. The screen shot shows mine associated with WordPad. We want to change that, so find the associated title "Wish Application" and click "Ok" to associate .tk files with "Wish":

6. When you're done, will be associated with "Wish":

7. That's it! Double-click on "" in the "C:\Program Files\sguil\sguil-0.2.5\client\" directory and you will be prompted for a username and password. Enter the name by which you want to be identified and any password you want:

8. You will be prompted to choose a sensor. Click the 'reset' button (that's the sensor name) and then 'Start SGUIL'.

9. You should see a screen like the one below appear. If so, you're using Sguil!

10. This sensor is not monitoring the external interface of the network, so if you portscan or otherwise attack, it will not register on the Sguil interface. You can investigate the test alerts, though. For example, you can run a query on the source IP of the entry highlighted below by right-clicking on it:

Here are the results:

11. If you want to chat with other people using Sguil, select the "User Messages" tab and enter messages in the MSG: field. To see who is using Sguil, type 'who':

If you have questions, the Sguil authors hang out in #snort-gui on Enjoy!

Thursday, July 17, 2003

Reviews of Intrusion Detection with SNORT, Intrusion Detection with Snort, and UNIX Shell Programming, 3rd Ed Posted

just published my reviews of two new Snort books. I gave Intrusion Detection with SNORT: Advanced IDS Techniques Using SNORT, Apache, MySQL, PHP, and ACID three stars:

"Intrusion Detection with Snort: Advanced IDS, etc." (IDWS) was the second of this year's intrusion detection books I've reviewed. The first was Tim Crothers' "Implementing Intrusion Detection Systems" (4 stars). I was disappointed by IDWS, since I have a high opinion of Prentice Hall and the new "Bruce Perens' Open Source Series." (I'm looking forward to the book on CIFS, for example.) IDWS read poorly and doesn't deliver as much useful content as the competing Syngress book "Snort 2.0."

I gave the much better Snort 2.0 four stars. This book will appeal more to programmers than to casual Snort users:

"Snort 2.0" offers content not found in other books on Snort, such as Tim Crothers' more generic "Implementing IDS" (4 stars) and Rafeeq Rehman's "Intrusion Detection with Snort." (3 stars) I've read the best IDS books, and used IDS technology, since 1998, and "Snort 2.0" is the first to give real insight into an IDS' inner workings. Thanks to the technical knowledge of the author team, "Snort 2.0" earns the reader's appreciation by explaining how and why the open source Snort IDS works its magic.

I realized I never mentioned when published my four star review of UNIX Shell Programming, 3rd Ed. This was significant as it was my 100th technically-oriented book review. I've submitted reviews for eight other items, like a pack of CD-Rs, or books and videos on non-computer subjects like hockey or kenpo. So, although as of today I have 110 "reviews," only 102 are associated in some way with security or technology.

Tuesday, July 15, 2003

Code Red Two Years Old Today

Two years ago today I posted the first public warning and sighting of the Code Red worm. My analyst LeRoy Crooks detected it on the afternoon of Friday 13 Jul 01, and brought it to my attention. I posted my message on 15 Jul 01 and the worm hit full force on 19 Jul 01.

In happier news, according to Netcraft, "nearly 2 Million Active Sites [run] FreeBSD. . . Indeed it is the only other operating system [besides Windows and Linux] that is gaining, rather than losing share of the active sites found by the Web Server Survey."

Saturday, July 12, 2003


Microsoft released MS03-024: Buffer Overrun in Windows Could Lead to Data Corruption (817606). From the technical details, "By sending a specially crafted SMB packet request, an attacker could cause a buffer overrun to occur. If exploited, this could lead to data corruption, system failure, or—in the worst case—it could allow an attacker to run the code of their choice. An attacker would need a valid user account and would need to be authenticated by the server to exploit this flaw." I wonder if this is one of the vulnerabilities mentioned by Jeremy Allison of the Samba team on Slashdot last April?

Friday, July 11, 2003

The Design and Implementation of the FreeBSD Operating System

After perusing The Design and Implementation of the 4.4 BSD Operating System (Addison-Wesley, 1996) in the bookstore recently, I asked Kirk McKusick if he was working on a new edition of the book. He graciously replied:

We have just started working on a new edition of the 4.4BSD book to be called ``The Design and Implementation of the FreeBSD Operating System''. It will be based on the 5.X version of FreeBSD. It is to be published by Addison-Wesley and we hope to have it out in mid to late 2004.

I am really excited by this development. Several cool FreeBSD books have been published recently, like Absolute BSD and The Embedded FreeBSD Cookbook. I can't wait to read the new McKusick book -- maybe by next year I'll be ready for it!

Hackers Hijack PC's for Sex Sites

Slashdot informed me of a New York Times article (free registration required) titled Hackers Hijack PC's for Sex Sites. Don't miss this post which offers some technical details which appear reasonable.

Thursday, July 10, 2003

Bonding Tap Outputs

While perusing the Focus-IDS mailing list I read this great thread on the use of taps for IDS, started in Dec 2001. (Did you know TAP means Test Administrative Port?) The question of how to combine the two output streams from a tap became an issue. "Real" taps like the Finisar UTP IL/1 below or the TopLayer Fast Ethernet Copper Tap have two inputs and two outputs:

With two outputs, how do you recombine the streams? Several posts mentioned the "THG", which refers to Finisar's (formerly Shomiti) Ten Hundred Gigabit system, as a means to combine the two streams sent out from tap ports A and B. Intrusion, Inc., makes a tap with a single output:

There's a problem with this setup. If the sum of the streams collected from the two inputs exceeds the capacity of the single output, packets are dropped. Whoops!

TopLayer's IDS Balancer was also mentioned as a way to aggregate streams, but I'm not convinced it's appropriate for the stream reassembly problem. This post claims:

"the core technology we use on the ASICs firstly track and follow "conversations" (flows, sessions call it what you will) - so in essence we have a "state table" (of sorts) which sees the first packet in a stream and sends it to Monitor Group 1 - any subsequent packet in the conversation (regardless of input port) is then sent to the same port (we do this on a mapping of IP to MAC plus a few other things). The next conversation is then sent to the 2nd Monitor port and so forth. So in terms of re-assembly - are we (at this level) truly re-assembling ??"

Usually the TopLayer product is used to distribute bandwidth amongst multiple intrusion detection systems. For example, one IDS watches all Web traffic, while another watches everything else.
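The conversation tracking described in the quoted post can be modeled with a small state table. This is an added example, not TopLayer's implementation: the direction-independent 5-tuple key and all names are assumptions (the post says the real mapping uses "IP to MAC plus a few other things"), and the packets are constructed. It shows packets arriving from tap outputs A and B for one conversation reaching the same monitor port.

```python
# Added example: conversation-based distribution of tap traffic to monitor
# ports. The 5-tuple key is an assumption; packets are constructed samples.
from collections import namedtuple

Packet = namedtuple("Packet", "tap_port src sport dst dport proto")


def flow_key(pkt):
    """Direction-independent key: both halves of a conversation match."""
    a, b = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
    return (pkt.proto,) + (a + b if a <= b else b + a)


class FlowBalancer:
    def __init__(self, monitor_ports):
        self.monitor_ports = list(monitor_ports)
        self.table = {}      # flow key -> assigned monitor port
        self.next_index = 0  # round-robin cursor for new conversations

    def forward(self, pkt):
        """Return the monitor port for this packet, assigning one if new."""
        key = flow_key(pkt)
        if key not in self.table:
            self.table[key] = self.monitor_ports[self.next_index]
            self.next_index = (self.next_index + 1) % len(self.monitor_ports)
        return self.table[key]


SAMPLE_PACKETS = [
    Packet("A", "10.0.0.5", 1025, "192.0.2.10", 80, "tcp"),  # client SYN
    Packet("B", "192.0.2.10", 80, "10.0.0.5", 1025, "tcp"),  # server reply
    Packet("A", "10.0.0.6", 1026, "192.0.2.10", 25, "tcp"),  # second conversation
    Packet("B", "192.0.2.10", 25, "10.0.0.6", 1026, "tcp"),  # its reply
    Packet("A", "10.0.0.5", 1025, "192.0.2.10", 80, "tcp"),  # first one again
]


def distribute(packets, monitor_ports=("mon1", "mon2")):
    """Run packets through a fresh balancer; return the port chosen for each."""
    balancer = FlowBalancer(monitor_ports)
    return [balancer.forward(p) for p in packets]


if __name__ == "__main__":
    for pkt, port in zip(SAMPLE_PACKETS, distribute(SAMPLE_PACKETS)):
        print(f"tap {pkt.tap_port}: {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  => {port}")
```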

Robert Graham mentioned software implementations which see two NICs on the monitoring platform as a single virtual NIC. This is the method I documented for FreeBSD in this post, although vendors like Znyx offer some support for combining interfaces on non-Windows operating systems. Calvin Gorriaran told me OpenBSD's pf can be used to bridge the two interfaces listening for tap inputs. His method:

Create "/etc/bridgename.bridge0" with

add fxp0 add fxp1 -learn fxp0 -learn fxp1 -discover fxp0 -discover fxp1 -stp fxp0 -stp fxp1 link0 link1 rulefile /etc/bpf.conf up

Then in /etc/bpf.conf..

# bridge0 ruleset

block in on fxp0

block out on fxp0

block in on fxp1

block out on fxp1

Make sure both interfaces are up and reboot.

Greg Shipley weighed in with some of the nicest ASCII art on taps I've seen. :)

Windows Rootkits

Windows rootkits are all the rage these days. SecurityFocus offered this article last March. Today I learned of the yyt_hac rootkit. Greg Hoglund runs Hacker Defender, HE4Hook, NT Rootkit, and AFX Rootkit exist too.

Firewall on a Token USB-based NIC

I'm constantly on hostile networks, and I'm considering buying a Linksys USBVPN1 "firewall on a token" USB-based NIC. I don't trust software-based firewalls on Windows boxes, so I think this device might be useful.

Honeynet Project Paper on Credit Card Fraud

The Honeynet Project just posted a fascinating paper on credit card fraud via IRC. Lance mentioned this in his recent SANS webcast. Given the date of the "assessment" is 6 Jun, and the paper was released yesterday, it's possible he informed law enforcement and gave them time to exploit the Project's findings before going public.

Wednesday, July 09, 2003

Johnny Long and More

For the latest in the security world... check out, especially the googledorks site. U Illinois published a guide to reverse engineering software. Microsoft published Incident Response: Managing Security at Microsoft. I found Brian Carrier's Sleuth Kit Informer, a monthly newsletter on his forensic tools, informative. I was happy to see the good guys grab the domain, and received my first email screened by the Active Spam Killer. I was sad to read this dissertation on modelling critical infrastructure could be a "security threat." Fellow Foundstoner Dave Wong informed me of some cool wireless sites, including Hyperlink Tech, Demarc Tech, Socket Communications, and Cantenna.

More NSM Notes

I continue to explore ways to do network security monitoring. I've seen a few interesting posts in the TCPTrace archives, and and read references to the application monitor Zabbix, the graphical monitor Moodss, the Network Management Information System, and Big Brother mods. I'm giving up on using RMON2 and NetScout as I can't duplicate a production environment using low-cost used equipment. I might give LanStat a try.

Thoughts on New Lab

I'm building a new test lab. To start, I needed a lot of Cat 5 cables of specific lengths and colors.'s handy order form lets you specify just what you need, and their customer service is excellent. Next I wanted a new FreeBSD network management station, so I bought a used Dell Poweredge 2300. For experience with commercial UNIX boxes, I acquired (all used) a Sun Ultra 30 (AnswerBook; I needed a floppy and video adapter), a 7043-150 IBM RS/6000 Model 150 (hardware info) to run AIX 5L Version 5.2 (good AIX site, patches, and support for open source software), and an HP Visualize B2000 to run HP-UX 11i (software news, informal HP box timeline, floppy woes). (Linux is an option too! I feared I needed an adapter like this for HP's EVC-enabled DVI connector, but didn't need one.) Resellers include NORCO, Southwest Computer Solutions, AnySystem, and Elarasys. Video standards helped me know I could connect, using adapters, to my PC monitor. I hope to run Windows Server 2003 on a Dell OptiPlex GX100, but may need more memory. I think my DSL line will have a Speedstream 5871 router.

Cisco Logging Network

I recently bought a Cisco 2651XM router (docs) and a Cisco Catalyst 2950T-24 switch (docs) from Black Hat Networks of Arlington, VA. I'd like to administer them and centralize logging without using the main data-carrying network. I looked at Cisco's Cabling Guide for Console and AUX Ports and considered administering the devices via serial cable to the console ports and sending the logs via other interfaces. (An explanation of the difference between console and AUX is here. Question 137 in the Cisco FAQ is helpful.)

The 24 port switch has plenty of extra interfaces to use, so I think I can dedicate one port to a separate "logging network." The router doesn't have an extra interface, but it does have its AUX port. Cisco offers this Connecting a SLIP/PPP Device to a Router's AUX Port PDF. A Google search found this post, which considered doing something similar, with log messages sent to a printer. (Even printers can be attacked.) Other posts (here and here) mentioned Kermit to log data, via a null modem and PPP session (mentioned here). I think this article on building a FreeBSD-based console server, with conserver and an EasyIO PCI serial card (vendor, or similar products) is the way to go, with PPP conf files available. (For an alternative, this thread debates the merits of setting up a parallel port point-to-point connection.)

Some people take the serial port to a whole new level. A serial sniffer exists. With PC Weasel 2000, which allows BIOS access via serial port: is a great site for information on logging.

Thursday, July 03, 2003

Cables for Gigabit

I was wondering if I would need a special cable, perhaps Cat 5e or 6, to operate at gigabit speeds when connecting the gigabit ports of my monitoring platform and switch. It turns out that Cat 5 happily supports gigabit speeds. This article provides a useful summary.

Wednesday, July 02, 2003

Top Three Advances in Honeynet Technology

I just listened to today's Top Three Advances in Honeynet Technology. Lance Spitzner was interesting as always. He announced a 3 minute video (45 MB) describing the Honeynet Project. It's fun watching "Sonja Johnson" and her DefCon shirt run around until she's captured in a corporate data center.

Two FreeBSD Interfaces on the Same Subnet

I'm testing a new Intel PRO 1000 MT gigabit NIC on a FreeBSD 5.0 REL box. The box already has a separate NIC with a 192.168.1.x address. I wanted the gigabit NIC to also have a 192.168.1.x address. However, when bringing up a second interface on the same subnet as an existing interface, you have to tell FreeBSD which interface to use for broadcasts. In other words, the second interface can't have the default netmask for the subnet. This was confirmed in this helpful post.

To bring up the first (primary) interface:

ifconfig ed1 netmask up

To bring up the second interface:

ifconfig em0 netmask up

Now both work properly.

"Super Zonda" Spammers

Slashdot featured a BBC story on the "Super Zonda" spammers. I modded up this post because it gives technical details missing or misleading in the original article.

Tuesday, July 01, 2003

California Disclosure Law

The Register reminded me that California's new security disclosure law became effective today. If you store data from customers in California, watch out. Here's an AP story, and here's a CNN story on a nationwide bill introduced last week. Managers understand the need for physical security, to lock doors and windows and install monitoring cameras. When will digital security be truly appreciated, with people, processes, and products allocated appropriately? Maybe when they're charged "up to $5,000 per violation, or up to $25,000 each day." Ouch.

Understanding DVD Storage

I'm looking for ways to archive entire 9.1 GB hard drives to DVD media. I've seen advertisements for 9.4 GB media. First, I learned the "GB" in "9.4 GB" doesn't really mean the "gigabyte" we grew up knowing. We learned in math or science class that a kilobyte wasn't 1000 bytes. It was (note the "was" -- I'll explain below) 2^10, or 1024^1, or 1024 bytes. A megabyte was 2^20, or 1024^2, or 1,048,576 bytes. A gigabyte was 2^30, or 1024^3, or 1,073,741,824 bytes.

According to the NIST Reference on Constants, Units, and Uncertainty, these definitions have changed:

  • kilobyte = 1000 bytes

  • megabyte = 1,000,000 bytes

  • gigabyte = 1,000,000,000 bytes

We have new terminology for the "prefixes of old":

  • kibibyte (kiB) = 1024 bytes

  • mebibyte (MiB) = 1,048,576 bytes

  • gibibyte (GiB) = 1,073,741,824 bytes

For example, discs advertised to be 4.7 GB are actually 4.7 billion bytes, or 4.37 "old GB." (Hard drive manufacturers pull the same trick, with "9.1 GB drives" reporting around 8.68 "old GB.") So, a 9.4 GB DVD really holds 8.75 "old GB" of data, which is bigger than a "9.1 GB" hard drive that really holds 8.68 "old GB".

I guess it's easiest to accept that any modern usage of the terms KB, MB, and GB denotes powers of 10 and not powers of 2, so a "new GB" is a billion bytes -- end of story. Here's a nice summary.

Back to DVDs! Unfortunately, 9.4 GB DVD media are dual-sided, single-layer. That means they must be manually flipped over, because they're essentially two DVD-5 discs glued together. Here's a diagram, courtesy of this site:

What about movie DVDs, which are reported to hold "8.5 GB" (really 8.5 billion bytes or 7.95 "old GB")? Most movie DVDs meet the DVD-9 specification, which is a single-sided, dual-layer disc:

Recognize that you have to be in the DVD manufacturing business to create DVD-9 discs, as consumer-grade DVD burners can't write dual-layer, single-sided media (and it's not for sale to most of us). So, until that changes, I'm restricted to reading and writing in single-sided, 4.37 GB chunks. Some DVD burners, like these from LaCie or Panasonic, advertise writing 9.4 GB media, but that's still to double-sided discs. Keep an eye on the list or DVDRHelp.

While researching for ways to archive a 730 MB hard drive, I learned 800 MB CD-Rs exist, but I guess your burner needs to recognize it.