Showing posts from June, 2004

Review of Network Security Hacks Posted

I just posted my four-star review of Network Security Hacks. My review probably sounds a little harsher than I intended, but I was worn down trying to get SPADE to integrate with a version of Snort newer than 2.0.5. The review mentions finding Spade 030125.1 on a Polish student's FTP site, which seems to be the only place it exists, aside from an old copy. It seems the snort.conf v. 1.85 is the last to include SPADE directions in its text, even though the contrib directory has a really old SPADE version (Spade-092200.1.tar.gz), from Sep 00. Anyway, from the review: "'Network Security Hacks' (NSH) has something for nearly everyone, although it focuses squarely on Linux, BSD, and Windows, in that order of preference. Administrators for commercial UNIX variants (Solaris, AIX, HP-UX, etc.) should be able to apply much of the book's advice to their environments, but they are not the target audience. NSH is written for admins needing quic

Review of Secure Architectures with OpenBSD

I just posted my five-star review of Secure Architectures with OpenBSD. From the review: "About a year ago I read and reviewed Michael Lucas' excellent "Absolute OpenBSD." That book covered OpenBSD 3.2 and the CURRENT of that time, pre-3.3. Palmer and Nazario's "Secure Architectures with OpenBSD" (SAWO) addresses OpenBSD 3.4, which at the time of writing is just behind the current release (3.5). Lucas' book is an excellent introduction to OpenBSD by a relative outsider; SAWO is a more detailed discussion by insiders. Each has its strengths and I highly recommend both."

Contribute Your dmesg Output

Do you run one of the BSDs? If so, consider sending the output of the dmesg command to the New York City BSD User's Group dmesg board. This is a great way to share information on supported hardware. I learned about this site through . A response to that story mentioned this site which tracks SMP systems running FreeBSD.

Interesting Email from Stephen Northcutt... or not?

If you're on a SANS mailing list you might have received the following email from "Stephen Northcutt." I haven't decided if it's true or not. I'm wondering why I would have received it, unless someone forged the message after acquiring a SANS email list? The alternative means Stephen Northcutt himself is making some odd claims...

"From - Thu Jun 24 22:27:26 2004
X-UIDL: 40a19c3900000b29
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Return-Path: ...edited...
X-ClientAddr:
Received: from ( []) ...edited...
Date: Fri, 25 Jun 2004 2:14:37 +0000
Message-Id: <>
From: Stephen Northcutt
Subject: Stephen Northcutt needs your help
Precedence: bulk
Errors-To:
Sender:
To: Richard Bejtlich (SD599258) ...edited...

Hello, This note is intended for U.S. citizens and is a personal note from Stephen Northcutt. For the past few weeks CERT and SE

Burning DVDs in FreeBSD

Yesterday I reported my results burning CDs with FreeBSD. This morning I tried creating a DVD of the Fedora Core 2 distribution. After I downloaded the 4.1 GB .iso from a mirror, I used MD5 to verify the checksum matched. Since the .iso was ready to burn, I set up my Plextor burner. First I checked the media, which was Memorex 4X DVD-R 4.7GB (pictured at left, purchased at ). I had already installed dvd+rw-tools, available in the ports tree as sysutils/dvd+rw-tools. Using the dvd+rw-mediainfo command, I checked the DVD in the burner:

# dvd+rw-mediainfo /dev/cd0
INQUIRY: [PLEXTOR ][DVDR PX-708A ][1.06]
GET [CURRENT] CONFIGURATION:
 Mounted Media: 11h, DVD-R Sequential
 Media ID: ProdiscS03
 Current Write Speed: 4.0x1385=5540KB/s
 Write Speed #0: 4.0x1385=5540KB/s
 Write Speed #1: 2.0x1385=2770KB/s
 Write Speed #2: 1.0x1385=1385KB/s
GET [CURRENT] PERFORMANCE:
 Write Performance: 4.0x1385=5540KB/s@[0 ->

Duplicating Data CDs with FreeBSD

I needed to become familiar with burning CDs on FreeBSD to support plans for live CD-based systems. I recently bought a Plextor PX-708UF DVD+-R/RW CD-R/RW drive and an Adaptec DuoConnect PC Card Adapter. I already reported on how these appear to FreeBSD. For testing purposes and to create my own media set, I duplicated the three CD-ROMs released as Fedora Core 2. To convert the CD-ROM into a .iso file for burning, I used this syntax:

dd if=/dev/cd0 of=/var/iso/fedora_core_disc3.iso bs=2048

Here are a few notes on this command. /dev/cd0 is how my Plextor drive appears to FreeBSD. My laptop's native CD/DVD reader is /dev/acd0. I could not get this command to work without including 'bs=2048'. I learned why after reading a FreeBSD Diary entry: "Data on CDs is written in blocks of 2 kB. By default dd reads 512 bytes at a time, and the CD driver doesn't support this. It would work if you use bs=2k." When I tried dd without the bs=2048 argument, I got t

Fedora Core 2-based Soekris System Operational

I'm not a big Linux user, but a lot of people like Fedora Core. Using the same methodology I used with FreeBSD and OpenBSD, I just installed Fedora Core 2 on a spare HDD on my laptop, then transferred that HDD to the Soekris. Here are a few notes on peculiarities of Fedora. I chose a "custom installation," and selected "no packages." That still deployed about 562 MB of packages as part of the base OS installation. Thankfully only the first CD was needed. When I finished the installation, I rebooted the laptop to edit key files to allow serial access. I made important changes to /etc/grub.conf, thanks to this Remote Serial Console HOWTO:

# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE: You have a /boot partition. This means that
# all kernel and initrd paths are relative to /boot/, eg.
# root (hd0,0)
# kernel /vmlinuz-version ro root=/dev/hda2
#

Soekris-based FreeBSD System Operational

I'd like to report successful use of FreeBSD 5.2.1 RELEASE on the same Soekris Net4801 on which I previously installed OpenBSD. I followed the same methodology: install FreeBSD on a spare HDD on my laptop, then move the HDD to the Soekris. To send console messages to the serial line during the boot sequence, I followed the FreeBSD Handbook's advice:

echo -h > /boot.config

I tried to edit /etc/ttys to enable 19200 speed for ttyd0, but this did not work as I hoped. It seems the Soekris sends output to the serial line at 19200 prior to the FreeBSD boot sequence. Then, despite my attempted settings of 19200 in /etc/ttys, the FreeBSD boot sequence sends output at 9200. Accordingly, my /etc/ttys file has this entry to enable the serial console:

ttyd0 "/usr/libexec/getty std.9600" cons25 on secure

Notice the use of cons25. This lets me use vi properly, for example. I think the kernel must be recompiled to support speeds higher than 9600, as suggested by

Red Cliff Consulting, a Trusted Professional Services Firm

Today I spoke with Kevin Mandia, lead author of Incident Response and Computer Forensics, the best IR book available. When the first edition was published, Kevin was director of incident response and computer forensics at Foundstone. I met him in person at the first SANSFIRE conference in 2001. Kevin hired me to join Foundstone's IR team in early 2002, and I left the team in early 2004 a few months after he did. Kevin is now running Red Cliff Consulting, a professional services firm headquartered in Alexandria, VA. He describes his group as "the experts that experts consult." I won't argue with that assessment. For example, Curtis Rose just joined Red Cliff, after working for years at Sytex. Curtis is one of the co-authors of the forthcoming book Real Digital Forensics, along with myself and Keith Jones. Kevin will be speaking at Black Hat 2004 in Las Vegas in late July. He plans to discuss "the five things that are problematic in incident re

Book Chapter on Sguil Available Online

My publisher Addison-Wesley authorized me to post chapter 10 of my book The Tao of Network Security Monitoring: Beyond Intrusion Detection online. It's available at the Sguil site in .pdf format. This chapter complements my Sguil installation guide, discussing why Bamm started the Sguil project and how it differs from other monitoring applications. My book will be on shelves in mid-July. If you'd like to attend live training on network security monitoring, sign up for my Network Security Monitoring with Open Source Tools class at USENIX Security '04 in San Diego. The class will be held on Monday 9 August 2004, and early conference registration ends 16 July. I will give away a limited number of free copies of the book and hope to debut a FreeBSD-based live CD with NSM tools.

Configuring RAID-0 with Vinum

I deployed a test platform as a network security monitoring sensor. It has two 4 GB HDDs. I wanted to create a /nsm partition that would span both drives, meaning it would occupy some of the first drive and all of the second drive. This was a proof of concept operation that could apply to systems with multiple, larger drives. I decided to use Greg Lehey's Vinum, and thanks to some helpful notes from Bamm Visscher and Dave Wheeler, got it set up in a RAID-0 configuration. When I installed FreeBSD on the system, I created a 768 MB /nsm1 partition on the first drive ad0 and used the entire second drive (ad1) for /nsm2. Here is what df saw after installation. Notice I use the -m switch to show all values in MB.

bourque:/root# df -m
Filesystem 1M-blocks Used Avail Capacity Mounted on
/dev/ad0s1a 247 35 192 16% /
devfs 0 0 0 100% /dev
/dev/ad0s1e 739 0 679 0% /nsm1
/dev/ad1s1d 3977 0 3659 0% /nsm2
/dev/ad

2004 CSI/FBI Study Released

The 2004 CSI/FBI Study has been published. You have to fill in the CSI's form to access a download link. CSI has always honored their no-spam pledges, so I didn't mind signing my life away to obtain a copy. I'll post my thoughts after I read it.

Participate in The Uptime Project

Several months ago I joined The Uptime Project, a site run by Ola Eriksson. Ola and others provide clients which collect uptime statistics from a variety of operating systems. Ola added me to his crew after I donated shell accounts on HP-UX and AIX systems. We now have a working HP-UX uptime client, with an AIX version in the works. I have two hosts in the top 50, but I don't expect that to last long. If I can't move them while on UPS power when I rearrange my basement, I will drop out of the rankings. :)

Network Monitoring Products Reviewed by NWC

A few years ago while consulting for Foundstone I was asked to name a product which would inspect traffic exiting the enterprise. The goal was to identify unauthorized transmission of sensitive documents or data. Aside from a customized signature-based approach, I could not think of any off-the-shelf product with this capability. After reading Monitoring Data Departures by Lori MacVittie in the 27 May 04 issue of NWC, I learned of Vontu's Vontu Protect 3. Some of its claims are amusing, like "No false positives — every incident reported is a genuine policy violation." This is also true for signature-based intrusion detection systems, if one accepts (as I do) that an IDS which alerts based on a rule is merely doing what it was told to do. It's up to a decision maker to guide the policy that an administrator implements, and it's an analyst's responsibility to judge the likelihood that a given event represents a security incident. If Vontu would like

Soekris-based OpenBSD System Operational

Inspired by this article, I finally deployed my Soekris Net4801 small form factor system. I used a hard drive-based installation as I figured that would be the easiest way to experiment with OpenBSD and the Soekris. The installation was simple. First I swapped my main laptop HDD for an extra 3250 MB HDD to hold OpenBSD. Next I rebooted the laptop using the OpenBSD 3.5 installation CD, and installed OpenBSD. Here is my partition scheme:

$ df -h
Filesystem Size Used Avail Capacity Mounted on
/dev/wd0a 125M 21.8M 97.8M 18% /
/dev/wd0f 156M 2.0K 148M 0% /tmp
/dev/wd0d 2.0G 169M 1.7G 9% /usr
/dev/wd0e 501M 6.9M 469M 1% /var

After reboot, I made these edits:

/etc/ttys
tty00 "/usr/libexec/getty std.19200" vt100 on secure

/etc/boot.conf
set tty com0
stty com0 19200

/etc/hostname.sis0
inet

/etc/mygate

After these edits I shut down the system and installed the 3250

Review of Security Sage's Guide to Hardening the Network Infrastructure Posted

I just posted my three-star review of Security Sage's Guide to Hardening the Network Infrastructure. From the review: "This is a tough review to write, since I worked with the lead authors and series editor at Foundstone, and I'm mentioned by name on p. 384. "Security Sage's Guide to Hardening the Network Infrastructure" (HTNI) is mainly a collection of advice given in other security books, packaged with brochure-like commercial product descriptions. Much of the technical defensive recommendations lack the command-level syntax to put that advice into practical use. I was excited by the table of contents, but disappointed once I finished the book. I can't recommend HTNI unless your library doesn't already address essential networking and security techniques."

More Useful Package Management Tools

I stumbled across two useful FreeBSD package management tools yesterday. One is graphical and the other works via the command line. Both help administrators understand dependency issues when they might want to clean out unnecessary packages. Keep in mind that installing software via the FreeBSD ports tree results in the installation of a package, but not necessarily the creation of a package that can be moved among systems. That is why administrators can install software with the ports tree and then use the FreeBSD pkg_info, pkg_delete, and other pkg tools to manipulate deployed applications. The first tool is gpkgdep, in the ports tree as sysutils/gpkgdep, by Jack Slater. This is an older tool but it works fine on my FreeBSD 5.2.1 REL system. Gpkgdep has good online documentation, but I'll quickly describe its use via a few screenshots. This screen shot shows the "Required Packages" tab. It shows all installed packages, not all of the packages which could be i

Adventures with FreeBSD CURRENT

I decided to upgrade my Dell PowerEdge 2300 (dual PIII) system from FreeBSD 4 STABLE to FreeBSD 5.2.1 REL. Before installing the new OS, I tested the hardware for compatibility with the 5 tree by trying to boot the FreeSBIE live CD. That failed, so I next tried to boot the 5.2.1 installation CD. That also failed, hanging at this point:

SMP: AP CPU#1 launched!
Mounting root from ufs:/dev/md0
md0: Preloaded image 4423680 bytes at 0xc09e16d8

I tried a few simple fixes, like booting without ACPI enabled via the boot menu. I also tried a trick at the boot prompt noted in a newsgroup posting, namely:

unset acpi_load
set hint.apic.0.disabled=1

Note the first step disables ACPI, or "Advanced Configuration and Power Management support" (also at ). The second step disables APIC, the "Advanced Programmable Interface Controller." This site explains the relationship between ACPI and APIC. None of these steps worked, so I decided to try installing the lat

Cheap Domain Name Registration and Free Email Forwarding

Two years ago I registered the and domains through DomainDiscover. Since then I've used GoDaddy to register new domains like and (the latter after seeing that domain attributed to me in the new book Security Sage's Guide to Hardening the Network Infrastructure). I liked using DomainDiscover because they offered free email forwarding, but their $25 domain renewal fee seemed excessive. GoDaddy offers domain name transfers for $7.95, which is excellent, but no free email forwarding. I decided to use ZoneEdit to host DNS records for the,, and domains. ZoneEdit offers free email forwarding when you set up DNS records. Essentially, once I transferred or already had domains registered with GoDaddy, I changed the GoDaddy WHOIS records to list name servers owned by ZoneEdit. For example, here is my WHOIS record for

orr:/home/richard$ whois

Review of Malware Posted

Months after I received a review copy of Ed Skoudis' Malware, I finally read and reviewed it. From the review: "One of the impressive aspects of this book is the degree to which it is "future-proofed." Ed looks at current threats like worms, viruses, trojans, and user- and kernel-mode rootkits, like any author might. He then takes malicious software to the next level, from the kernel to BIOS and finally to CPU microcode. These BIOS- and microcode-level attacks are still largely theoretical (aside from BIOS-destroying code), at least as far as the public knows. When the world sees these threats emerge, "Malware" will be waiting to explain their capabilities." I'd like to add a few Web sites to the many Ed mentions in his book. and are good references for information on CPU microcode issues.

Sguil 0.4.0, Snort 2.1.3, Barnyard 0.2.0 Installation Guide Published

I just published a new guide for installing Sguil 0.4.0 with Snort 2.1.3 and Barnyard 0.2.0. This guide contains sections for each Sguil component, namely the sensor, database, server, and client. The dependency listings should help users deploy Sguil in a distributed manner, rather than running all components on a single platform. Please email sguil at taosecurity dot com if you have any comments on this guide.

Review of Anti-Spam Tool Kit Posted

I just published my four-star review of Anti-Spam Tool Kit. From the review: "I've never been interested in viruses, worms, or spam. All three represent the lowest end of malware, with spam occupying a particularly disdainful place in the computer security hierarchy. I wasn't very excited when a review copy of "Anti-Spam Tool Kit" (ASTK) arrived in the mail, but I found myself drawn in by the value of the content and tools it described. I highly recommend anyone tasked with fighting spam read ASTK." Update: Paul Wolfe sent a nice email regarding my review. I recommend if you have comments on ASTK you visit the ASTK book site at . Tell him what you'd like to see in a second edition or comments on the first edition.

Report on Compatible Devices in FreeBSD

Sometimes it helps to know what hardware is compatible with non-Windows operating systems like FreeBSD. I wanted to buy a CompactFlash card and reader to work with my Soekris net4801 platform. I used the list at the flashdist site to guide my product purchase. I bought a SanDisk ImageMate 8 in 1 Reader/Writer, model SDDR-88-A15, pictured above left. I also bought a 256 MB Type 1 CompactFlash card (product ID SDCFB-256-A10). Although the reader supports USB 2.0, my laptop natively only supports USB 1.1. I do own an Adaptec DuoConnect adapter, but only the FireWire port works. I have not had any luck with FreeBSD 5.2.1 REL and the ehci driver. Here is what dmesg reports when I attach the CF reader (with CF card inserted) to the USB port on my laptop:

umass0: SanDisk ImageMate 8 in 1, rev 2.00/91.39, addr 2
GEOM: create disk da0 dp=0xc3a81450
da0 at umass-sim0 bus 0 target 0 lun 0
da0: Removable Direct Access SCSI-0 device
da0: 1.000MB/s transfers
da0: 245MB (501760

Fixing Troublesome Port Upgrades

Today while trying to run portupgrade on my FreeBSD 5.2.1 REL system, I ran into this error:

drury# portupgrade -varp
---> Upgrade of devel/libbonobo started at: Thu, 03 Jun 2004 15:43:31 -0400
---> Upgrading 'libbonobo-2.6.0' to 'libbonobo-2.6.2' (devel/libbonobo)
---> Build of devel/libbonobo started at: Thu, 03 Jun 2004 15:43:31 -0400
---> Building '/usr/ports/devel/libbonobo'
===> Cleaning for libiconv-1.9.1_3
===> Cleaning for ORBit2-2.10.2
...edited...
===> Configuring for libbonobo-2.6.2
checking for a BSD-compatible install... /usr/bin/install -c -o root -g wheel
checking whether build environment is sane... yes
checking for gawk... no
checking for mawk... no
checking for nawk... nawk
checking whether gmake sets $(MAKE)... yes
checking whether to enable maintainer-specific portions of Makefiles... no
checking for perl... /usr/bin/perl
configure: error: XML::Parser perl module is required for intltool
===> Script "conf

Review of Anti-Hacker Tool Kit, 2nd Ed Posted

I just published my four-star review of Anti-Hacker Tool Kit, 2nd Ed. From the review: "I reviewed the first edition "Anti-Hacker Tool Kit" (AHT:1E) in August 2002. This second edition (AHT:2E) follows only 18 months after the original was published. I don't believe enough time has passed to warrant an update, even though tools can evolve quickly. In certain aspects the book suffers from a lack of updates from AHT:1E author Keith Jones, who found the publisher's demands onerous. Nevertheless, AHT:2E is a must-buy if you didn't read AHT:1E."

Good News from Snort Land

I have two good pieces of news from the Snort development team. First, Snort 2.1.3 has been released. The big deal with this new release is multi event logging via event queue. This feature lets Snort generate multiple alerts per packet or stream, rather than alerting once and then moving on to the next packet or stream. It was introduced to address what H.D. Moore calls event masking. The second good piece of news is the appearance of Sguil in several publications and presentations. First, Marty Roesch's AUSCERT 204 presentation (.pdf) includes Sguil along with ACID as two consoles for Snort. Sguil also appears in two new books, Syngress' Snort 2.1 and O'Reilly's Network Security Hacks. Both books spend most of their time explaining how to install older versions of Sguil, but it's the thought that counts. Now that Snort 2.1.3 has been released, I plan to upgrade my Sguil for FreeBSD installation guide to use the new Snort, plus Barnyard 0.2.0, S

Review of Hacking Exposed: Windows 2003 Posted

I just posted my four-star review of Hacking Exposed: Windows Server 2003. From the review: "HE:W03 is still the best book available if you want to learn how to assess and compromise Windows servers using publicly available tools. It will not teach original exploitation techniques like coding exploits, although this is usually unnecessary when admins deploy stock servers with blank administrator passwords. The authors are experts when it comes to performing pen tests of Windows targets, even though they are unapologetic Windows fans. (Page 195 bears the quote "command-line brain damage of Linux.") Their bias is also apparent as they question the applicability of the word "monopoly" to Microsoft (a legal fact); this isn't surprising given the authors' employers. Their bias also colors their judgment in the introduction, where they propose that security is a zero sum game between security and usability. Attitudes like that can no longer cover