Showing posts from April, 2004

Review of MySQL Tutorial Posted

I just posted my five star review of MySQL Tutorial. From the review: "MySQL is the database used by many commercial and open source security products. Although the user is often 'shielded' from interacting with the database directly, it's important and sometimes crucial to know basic MySQL administration. MySQL Tutorial is the perfect companion to any security tool which depends on a MySQL database. For example, no one seriously expects to collect large amounts of data with Sguil and Snort unless a MySQL or similar database is working in the background. MySQL Tutorial gives the right details on the right subjects for those running integrated MySQL databases." This book has a cover price of $29.99. It is refreshing to see a 267 page book priced appropriately, especially since you can get it for less than $20 at .

Sguil 0.4.0 Released

Bamm released Sguil 0.4.0 yesterday. The changes are worth reading, but the major addition is the option to replace stream4 keepstats output with John Curry's open source SANCP (Security Analyst Network Connection Profiler) session data. SANCP is much more robust as it can track TCP, UDP, and ICMP, whereas stream4 only watched TCP. In this respect SANCP is like Argus. You can also tell the Sguil components a specified IP address to which they should bind. This facilitates the deployment of Sguil components in FreeBSD jails.

Fixing a Problematic Port

While trying to upgrade installed ports on a FreeBSD 4.9 STABLE machine, I encountered a problem with x11-fonts/libXft:

[Updating the pkgdb in /var/db/pkg ... - 125 packages found (-1 +0) (...) done]
--->  Installing the new version via the port
===>  Installing for libXft-2.1.6
===>   libXft-2.1.6 depends on shared library: fontconfig.1 - found
===>   libXft-2.1.6 depends on shared library: X11.6 - found
===>   Generating temporary packing list
===>  Checking if x11-fonts/libXft already installed
===>   An older version of x11-fonts/libXft is already installed (Xft-2.1.2_1)
      You may wish to ``make deinstall'' and install this port again
      by ``make reinstall'' to upgrade it properly.
      If you really wish to overwrite the old port of x11-fonts/libXft
      without deleting it first, set the variable "FORCE_PKG_REGISTER"
      in your environment or the "make install" command line.
*** Error code 1

Stop in /usr/port

Review of WarDriving Posted

It's been a long time since my last book review, but I've been busy finishing and copyediting my own book. Thankfully the long flights to and from Vancouver for CanSecWest gave me some reading time. I spent part of that time with WarDriving, which I gave three stars. From the review: "If you want to learn how to wardrive using Kismet or NetStumbler (and variants), WarDriving is for you. The book does a good job debunking certain myths, such as the prevalence of 'warchalking' or the widespread use of 'Pringles can antennas.' I found the practical advice, like disabling the TCP/IP stack on Windows prior to wardriving, especially helpful. The authors constantly advocate a professional mindset towards wardriving and do not suggest unethical use of insecure wireless networks."

Comments on TCP Reset Worries

I attended Paul Watson's talk at CanSecWest this week on "Slipping in the Window" (.ppt slides, .doc paper). Paul was inspired by last year's Black Hat 2003 Las Vegas talk "BGP Vulnerability Testing" by Matthew Franz & Sean Convery (.pdf original talk). I attended that presentation as well, and found Matt and Sean's conclusion to be accurate: why bother with lower layer attacks when you can own the router? In other words, so many routers are misconfigured, it's not necessary to resort to spoofing or other elaborate games to disrupt global routing. Paul decided to focus on the likelihood of successful reset attacks against routers speaking BGP. He found that Matt and Sean's estimates for the time needed to guess the right TCP sequence number to reset a TCP connection were overstated. Matt and Sean did not take into account TCP receive windows, meaning a reset with a sequence number within the window would be accepted by the target

Lightning Talk is a Go at CanSecWest

I just finished delivering my lightning talk at the CanSecWest conference in beautiful Vancouver, BC. I spoke for five minutes on Sguil. My slightly updated slides are available in .pdf form here.

How to Renew DHCP IP Address with Cisco Router?

If anyone can help me with this, I would appreciate it. I can't figure out how to have my Cisco router renew its DHCP lease with my cable ISP. I appear not to be the only person with this problem. I don't have any ACLs which would deny DHCP traffic, either. This is the portion of my router config where I set up DHCP on the external interface:

interface FastEthernet0/0
 ip address dhcp
 ip access-group 101 in
 ip nat outside
 ip route-cache flow
 duplex auto
 speed auto
 no cdp enable

Eventually my lease expires and I have to disable DHCP on fa0/0 because I can't reach the Internet:

gill#conf term
Enter configuration commands, one per line.  End with CNTL/Z.
gill(config)#int fa0/0
gill(config-if)#no ip address dhcp

Upon issuing these commands my router releases its IP address, as seen with Tcpdump:

17:51:51.097987 > xid:0x2570 C: ether 0:c:ce:4e:53:a0 vend-rfc1048 DHCP:RELEASE SID: CID:"cisco-0

Calculating Security ROI Is a Waste of Time

I was pleased to read Infosec Economics by Lawrence Gordon and Robert Richardson in the 1 Apr 04 issue of Network Computing magazine. This duo says: "ROI (or bang for the buck) can't be applied perfectly to information security because often the return on information security purchases and deployments is intangible. Sure, companies invest in some solutions that offer benefits beyond security--faster network throughput in a new router that supports VPNs, for example--and they can calculate the ROI of these indirect benefits. But security requires factoring in the expectation of loss." I've been lucky to have never been tasked with calculating security's "return on investment," because I would have told my supervisor the answer is zero. There is no return to be made on security, because security is a loss avoidance and loss mitigation measure. Security is a way to deal with risk, which is the probability of loss. (I dealt with these definitions in O

Tips on Network Hardware from Snort-Inline Mailing List

I'm trying to figure out if it's possible to build a FreeBSD-based filtering bridge running Snort-inline. I submitted this question to see if anyone has FreeBSD and Snort-inline working. I just got this response from Alex Dupre: "The bridge doesn't support the divert socket and will not support it. We are working on a different approach to use snort in inline mode on a bridge, but there isn't an ETA (surely not soon)." While perusing the snort-inline-users mailing list I found this thread. It pointed me to makers of interesting network equipment. Emerging Technologies makes multi-port failover cards like the 2 port NIC pictured above. Shore Microsystems also makes failover devices, except these are independent appliances like the SM-2500. I have no personal experience with these devices, but the posters in the snort-inline list seemed to like them. I note them here as a reference in the event I may need a similar product in the future. I'm c

Interface Bonding on FreeBSD

The question of how to combine traffic seen by two physical network interfaces into a single virtual interface is popular on the various IDS lists I watch. Below is the script I use to create a ngeth0 interface using the FreeBSD ng_ether netgraph node:

bourque:/$ cat /usr/local/etc/rc.d/
#!/bin/sh -x
# sf2 and sf3 are real interfaces which receive tap outputs; ngeth0 is created by ngctl
# ng_ether must be loaded so netgraph can "see" the real interfaces sf2 and sf3
kldload ng_ether
# bring up the real interfaces
ifconfig sf2 promisc -arp up
ifconfig sf3 promisc -arp up
# create ngeth0 and bind sf2 and sf3 to it
ngctl mkpeer . eiface hook ether
ngctl mkpeer ngeth0: one2many lower one
ngctl connect sf2: ngeth0:lower lower many0
ngctl connect sf3: ngeth0:lower lower many1
# bring up ngeth0 for sniffing duties
ifconfig ngeth0 -arp up

Linux has a channel bonding page at Sourceforge. I devote an entire chapter of my book on how to get access to traffic on the wire, wit

Earthlink Study Measures Spyware Infections

NWFusion informed me of an interesting press release. Earthlink reported the results of their customers running Webroot's Spy Audit program. This is a Windows executable which a user must download and run. Earthlink offers their own download, elsypaudit-i386-windows-all-2004., which may be the same program, although the file sizes are fairly different. Looking through strings output, I found a reference to , which appears to be the results page once a scan is done. I usually use Spybot Search & Destroy on Windows PCs used by friends and family. I also used the Microsoft Update CD-ROM on systems with only dial-up modems. The Earthlink study found an average of 28 instances of spyware per audited host. They also found over 184,000 installations of "system monitors," which Earthlink defines as programs that "can capture virtually everything you do on your computer, from keys

Using Portaudit to Improve FreeBSD Security

I've started using the security/portaudit port to check the security status of FreeBSD's applications, so I thought I'd document my findings. Portaudit uses the Vulnerability and eXposure Markup Language, "an XML application for documenting security issues in a software package collection" like the FreeBSD ports system. You can browse the FreeBSD or OpenBSD VuXML pages to see vulnerabilities recorded since the VuXML project began in late 2003. Using the VuXML database is as simple as installing the Portaudit port. Be sure to have an up-to-date ports tree (perhaps by using net/cvsup as documented here). Install Portaudit, and then run it as shown to check installed packages for problems. The -F flag tells Portaudit to fetch a new copy of the vulnerability database, while -a says check all installed ports/packages.

moog:/root# portaudit -F -a
>> Attempting to fetch from
new database in
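To show what the check behind portaudit -a actually does, here is a Python example I added for this page; it is not portaudit's code and the VuXML document, package names, versions and vid values in it are constructed placeholders. It parses a VuXML fragment (vuln/affects/package/name plus lt, le, gt, ge, eq range bounds, the real schema's structure), then matches a list of installed package names of the pkg_info form name-version against the affected ranges. The version comparison is a simplified stand-in for the rules pkg_version(1) uses.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample VuXML document; the vids and packages are placeholders,
# not entries from the real FreeBSD vuln.xml.
SAMPLE_VUXML = """<?xml version="1.0" encoding="utf-8"?>
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="00000000-0000-0000-0000-000000000001">
    <topic>examplepkg -- buffer overflow in request parser</topic>
    <affects>
      <package>
        <name>examplepkg</name>
        <range><lt>1.4.2_1</lt></range>
      </package>
    </affects>
  </vuln>
  <vuln vid="00000000-0000-0000-0000-000000000002">
    <topic>otherpkg -- denial of service</topic>
    <affects>
      <package>
        <name>otherpkg</name>
        <range><ge>2.0</ge><lt>2.0.3</lt></range>
      </package>
    </affects>
  </vuln>
</vuxml>
"""

NS = {"v": "http://www.vuxml.org/apps/vuxml-1"}


def parse_version(version):
    """Turn a FreeBSD-style package version into a comparable tuple.

    Simplified: dotted numbers, an optional _N port revision and ,N epoch
    (e.g. "1.4.2_1,1"). pkg_version(1) has further rules (letters, "pl")
    that this stand-in does not implement.
    """
    epoch = 0
    if "," in version:
        version, e = version.split(",", 1)
        epoch = int(e)
    revision = 0
    if "_" in version:
        version, r = version.split("_", 1)
        revision = int(r)
    numbers = tuple(int(p) for p in re.findall(r"\d+", version))
    return (epoch, numbers, revision)


OPS = {
    "lt": lambda a, b: a < b,
    "le": lambda a, b: a <= b,
    "gt": lambda a, b: a > b,
    "ge": lambda a, b: a >= b,
    "eq": lambda a, b: a == b,
}


def in_range(version, range_elem):
    """True when every bound inside a <range> element holds for version."""
    v = parse_version(version)
    for bound in range_elem:
        tag = bound.tag.split("}")[-1]  # drop the XML namespace prefix
        if not OPS[tag](v, parse_version(bound.text.strip())):
            return False
    return True


def split_pkg(pkgname):
    """'examplepkg-1.4.2' -> ('examplepkg', '1.4.2'); the version follows the last '-'."""
    name, _, version = pkgname.rpartition("-")
    return name, version


def audit(installed, vuxml_text=SAMPLE_VUXML):
    """Return {installed package: [vids]} for packages falling in an affected range."""
    root = ET.fromstring(vuxml_text)
    findings = {}
    for vuln in root.findall("v:vuln", NS):
        vid = vuln.get("vid")
        for pkg in vuln.findall("v:affects/v:package", NS):
            name = pkg.findtext("v:name", namespaces=NS)
            for pkgname in installed:
                iname, iver = split_pkg(pkgname)
                if iname != name:
                    continue
                if any(in_range(iver, r) for r in pkg.findall("v:range", NS)):
                    findings.setdefault(pkgname, []).append(vid)
    return findings


if __name__ == "__main__":
    # Constructed list standing in for pkg_info output
    installed = ["examplepkg-1.4.2", "otherpkg-2.0.3", "otherpkg-2.0.1_2", "unrelated-0.1"]
    for pkg, vids in audit(installed).items():
        print(f"Affected package: {pkg}")
        for vid in vids:
            print(f"  vulnerability id: {vid}")
```

Note the second package: otherpkg-2.0.3 is not reported because the range is ge 2.0 and lt 2.0.3, while otherpkg-2.0.1_2 is, since the port revision suffix still sorts below 2.0.3. Getting that boundary right is the whole job of a tool like portaudit, which is why the real comparison logic is more involved than the stand-in here.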

MetaCoretex Simplifies Database Testing

If Metasploit weren't enough, I learned of MetaCoretex recently. It's a vulnerability scanning framework currently implemented for database assessment. It's written in Java, so be sure to have the JDK already installed. After downloading and extracting the archive, the only change I made was to modify the last line of the script to know where to find Java on my FreeBSD system:

/usr/local/jdk1.4.2/jre/bin/java -cp ${CP} com.securitycentric.metacoretex.Init &

Execute the script, and MetaCoretex will launch an easy-to-use Java GUI. I plan to take a closer look at MetaCoretex once Visigoth pushes out a new release. Since I can remind him every day at work, hopefully we'll see 0.9 soon. :) Visigoth presented MetaCoretex at a meeting of the DC Security Geeks. After the meeting the publisher of the Security Technique online journal requested prospective writers submit stories to his site.

Metasploit Framework in Action

You may have seen the Slashdot article on the Metasploit Project. From the project's Web site: "The Metasploit Framework is an advanced open-source platform for developing, testing, and using exploit code. This release includes 18 exploits and 27 payloads; many of these exploits are either the only ones publicly available or just much more reliable than anything else out there. The Framework will run on any modern system that has a working Perl interpreter." I gave the project a try. First I read the Crash Course user's guide, which told me to install p5-ReadLine-Gnu. I did so using the FreeBSD ports tree:

orr:/usr/ports/devel/p5-ReadLine-Gnu# make install
===>  Vulnerability check disabled, database not found
>> Term-ReadLine-Gnu-1.14.tar.gz doesn't seem to exist in /usr/ports/distfiles/.
>> Attempting to fetch from
Receiving Term-ReadLine-Gnu-1.14.tar.gz (65140 bytes): 100%
...truncated...

On

Flyer for Tao of NSM Book Posted

My publisher sent me a .pdf flyer for my book. I also created a books page with an abbreviated Tao of NSM table of contents listed. Right now I'm in the copyedit phase. The publisher sends me chapters marked up in Microsoft Word and I make changes or comments as needed. I wrote most of the book in , but the publisher is more comfortable using Microsoft Office. I just learned I was accepted to speak at USENIX Security 04 in San Diego on 9 August. I will be teaching a class on network security monitoring based on my book.

Building and Deploying FreeBSD Packages

FreeBSD documentation is excellent, but I haven't found information on strategies for enterprise system administration duties. For example, what is the best way to deploy and upgrade software on multiple machines? Slashdot recently discussed building from source vs packages, but this topic doesn't get much public discussion. Most documentation talks about installing ports or packages from the perspective of a single machine. There's little or no material aside from newsgroup postings on ways to be more efficient. It makes more sense to me to designate the most powerful system at hand as a "package builder." Sys admins build their own packages from source on this machine and then deploy them on workstations and other servers. For example, I use my Shuttle SB52G2, named 'neely', as a package builder. It runs FreeBSD 5.2.1, like most of the systems in my lab. Right now I'm building the newest OpenOffice port from source. It was recently updat

Network Computing Misses the Mark

Network Computing profiled the Net Optics 10/100BaseT Port Aggregator Tap. This device is unique in that it combines the two transmit lines from ports A and B into a single output, adding memory to buffer bursts exceeding 100 Mbps. I was glad to see this product receive attention in Network Computing, but I think the reviewer missed the mark. I was especially disappointed to read this comment:

"...the unit is cost-effective only if you
» need to multiplex a full-duplex network onto a half-duplex connection,
» expect short traffic bursts above 100 percent utilization or
» can't risk a down link from a loss of power on the tap.
If none of these conditions apply, you're better off buying a switch with a mirror port off eBay for about $300."

Does this author seriously recommend enterprise customers buy equipment from eBay? I'm a big eBay fan, having bought many servers from eBay for my home network. I wouldn't recommend doing the same at work. Furthermore,