TaoSecurity Blog

freebsd.png" align=left>I read a great article at ZDNet UK based on the May-June 2004 FreeBSD Status Report . Citing release engineer Scott Long, the article says he hopes FreeBSD 5.3 will arrive on the first of October, 2004. I like to see this sort of FreeBSD coverage in more mainstream publications, like last week's CNN article on open source. On a different note, visit the redesigned Sguil homepage . Scott Dexter did a really nice job, and we're looking for someone with suitable graphics-fu to redesign the Sguil logo. Please send any ideas to 'scottder at sguil dot net'.

Amazon.com just posted my five star review of Wi-Foo . The book's Web site is wi-foo.com . From the review: "'Wi-Foo' is the wireless book the security community needs. The book mixes theory, tools, and techniques in a manner helpful to those on the offensive or defensive side of the wireless equation. After reading 'Wi-Foo,' I'm glad I didn't try to cover similar topics in my 'Tao of Network Security Monitoring' -- these authors have written the definitive wireless 'hacking' text. Several aspects of 'Wi-Foo' make the book a winner. First, with the exception of crypto topics in chapters 11 and 12, they tend to defer to previously published works rather than rehash old topics. For example, rather than exhaustively explain 802.11i, they refer readers to 'Real 802.11 Security,' an excellent defense-oriented wireless book. 'Wi-Foo' also assumes readers are familiar with TCP/IP and system administration, leaving o

Critics of intrusion detection systems say signature-based IDSs are too easy to evade, bypass, or fool. This is true when the IDS only provides alert data to analysts. Alerts are the results of judgements made by the IDS developers, as encoded in the IDS' rules and logic. To deal with events that have no signatures, we can turn to other forms of network security monitoring data. Session data is a record of transactions between parties, typically storing source and destination IP addresses and ports, session start and end times, and counts of packets and bytes of data sent by source and destination. Session data is best captured for connection-oriented TCP traffic, but sessions can be emulated for connectionless protocols like UDP and ICMP in a request-response model. Session data is immune to encryption, because no payloads are captured. Session data is also not dependent on signatures, because every transaction is recorded. This "neutrality" makes session data an e

Amazon.com just posted my five star review of Hardening Windows Systems . From the review: "Roberta Bragg's _Hardening Windows Systems_ (HWS) is exactly the sort of book I expected from McGraw-Hill/Osborne's new 'Hardening' series. The publisher gained fame through its assessment-oriented 'Hacking Exposed' series, and now it advocates preventing intrusions via configuration instead of assessment. (Those familiar with my Network Security Monitoring theories will remember I believe 'prevention eventually fails,' but I still recommend doing everything possible to make the intruder's task difficult!) HWS is a Windows security tour-de-force, and I intend to recommend it often."

I just finishing reading the second edition of Know Your Enemy and wrote a review for Amazon.com . Unfortunately, Amazon.com is treating this completely new second edition as though it were the first edition . When I tried to post my review, I received this response: "Oops! Only one review per customer per product set is allowed. Your review was not accepted because we only allow each customer to write one review of each product set. An example of a product set is the collection of all editions of a book: hardcover, paperback, and audiobook. If you'd like, you can edit your existing review." I'm sure Amazon.com does this to prevent multiple reviews by the same person, but these are two completely different books. Amazon.com also harassed me to provide a real name to appear in my review. I had to tie this to a credit card. Aside from that aspect, I think this is a good idea. Review readers are supposed to believe the words of someone providing a "real nam

Today while perusing the SANS Incident Handler's Diary , I noticed the "Handler On Duty" was Tom Liston, and his Web site was listed as LaBrea Technologies . I remembered Tom from his July 2001 post to the intrusions@incidents.org mailing list. There he theorized on the idea for his LaBrea "tarpit," code to trap malware visiting non-existent local IPs using various TCP tricks. Fearing DMCA, Tom no longer hosts LaBrea at his site, but it's available in the FreeBSD ports tree as security/labrea , and elsewhere. A visit to LaBrea Technologies shows Tom is working on the "LaBrea Sentry IPS - Next Generation Intrusion Prevention System." From Tom's description: "LaBrea Sentry connects to the local network and monitors attempts to access unused IP addresses. Once such attempts are detected, the LaBrea Sentry creates virtual machines to emulate an active server on the unused IP address, executes countermeasures defined by the user, l

After installing a self-contained Sguil 0.5.0 installation on a new laptop, I updated my Sguil installation guide for Sguil 0.5.0. The new guide takes into account the merging of xscriptd's functions into sensor_agent.tcl and sguild. I also caught a problem with the databases/mysqltcl FreeBSD port. By default the Makefile requires mysql323-client as a dependency, but I recommend changing that to mysql40-client to keep all components running MySQL 4.0.20. Changes like these are the reason I didn't explain how to install Sguil in my book. As Sguil progresses towards a 1.0 release, a lot will change under the hood. The user interface and method of operation will remain stable, so I describe those features in my book.

My wife found a copy of my book left in our garage today by the UPS or Fedex delivery person! I'm very happy to see it in print. Four years ago Karen Gettman from Addison-Wesley approached me about writing a book. Initially I wanted to write "Intrusion Detection and Incident Response Illustrated," but I decided to wait until I felt I was ready. At Black Hat last year, I met my editor Jessica Goldstein from Addison-Wesley. I presented the proposal I had worked on all of the previous night. About a month later I signed a contract, and by March of this year submitted my draft of the text. Now, less than a year after that Black Hat meeting, I have a copy of my book in hand. Thank you to every who assisted -- you're all in the preface! Some of you will be getting review copies soon. I expect to see the book available from online booksellers next week, and in stores before the end of the month. Please send feedback to blog at taosecurity dot com. Update: I asked

Packet Storm posted word of a new release of Laurent Constanin's Netwox . I had never tried it before, but was aware of the project from articles like Linux Security and elsewhere. The Network Toolbox consists of three components: Netwib , a network library; Netwox , the collection of 150+ tools , and Netwag , a Tcl/Tk interface. Given that Sguil is also written in Tcl/Tk, I was interested in trying out this tool. If you just run Netwox, you'll be presented by a series of menus which help you select the proper command line switches to use various tools. In the following example I use the menus to eventually see how Netwox recognizes the NICs in my workstation: drury:/usr/local/src/netw-ib-ox-ag-5.19.0/src/netwag-src/src$ sudo netwox Netwox toolbox version 5.19.0. Netwib library version 5.19.0. ######################## MAIN MENU ######################### 0 - leave netwox 3 - search tools' title 4 - display help of one tool 5 - run a tool selecting p

Amazon.com just posted my four star review of Snort 2.1 . Several quotes from my review of Snort 2.0 appear in the new book, even though I also gave that first edition four stars. From the end of the review of the new edition: "I would enjoy seeing three improvements in the third edition. First, thoroughly scrub the book for old information. Watch out for people writing about 'Cerebus' or http_decode or offerings from Silicon Defense, whose Web site disappeared in early 2004. Second, tell people to read the excellent Snort manual before reading the book. There's no need to address topics well-covered in the manual, like all of the IP- and TCP-based rule options. Third, ditch the existing rules chapter in favor of two new ones, one explaining principles via existing rules, and one showing advanced rule development. I still recommend buying this book, but you might guide your reading choices by the comments in this review."

I've never explained how I like to keep Snort rules updated on my sensors. The tool of choice for automatic rule updates is Andreas Ostling's Oinkmaster , a Perl script. Here is a sample run. First I make a temporary directory to hold old Snort rules files, then download and extract the snapshot version of Oinkmaster. (Oinkmaster 1.0 was released in May, but the snapshot includes some improvements discussed in the oinkmaster-users mailing list .) [root@sensor root]# mkdir /tmp/oldrules [root@sensor root]# cd /usr/local/src [root@sensor src]# wget http://oinkmaster.sourceforge.net/oinkmaster-snapshot.tar.gz --15:05:14-- http://oinkmaster.sourceforge.net/oinkmaster-snapshot.tar.gz => `oinkmaster-snapshot.tar.gz' Resolving oinkmaster.sourceforge.net... done. Connecting to oinkmaster.sourceforge.net[66.35.250.209]:80... connected. HTTP request sent, awaiting response... 200 OK Length: 68,234 [application/x-tar] 100%[====================================>]

My publisher Addison-Wesley made a few more excerpts from my book The Tao of Network Security Monitoring: Beyond Intrusion Detection available online. The 48-page file bejtlich_chs.pdf contains chapter 2, "What is NSM?" and the previously announced chapter 10, "NSM with Sguil." You can also read Ron Gula 's foreword or peruse the 34-page index in .pdf form. Currently the Addison-Wesley site lists 16 July as the availability date for the book. Amazon.com shows 1 July, which is wrong, while Barnes and Noble shows 28 July. The actual release date should be sometime next week or the week after.

Amazon.com just posted my five star review of BSD Hacks . This is a great book and a must-buy for all BSD users. From the review: " BSD Hacks is the book I hoped to read. I've been using FreeBSD in production and test environments for about four years (since 4.1 REL), and I've played with OpenBSD and NetBSD for about a year each. I was looking for a book that would explore the nooks and crannies of BSD without covering the introductory issues often found elsewhere. By hack 10 I had already learned enough to justify purchasing BSD Hacks . Unless you're a member of the core team, you'll find enough tricks and tips to make BSD Hacks a welcome addition to your system administration library."

Lots has been happening in the Sguil world this past week. Bamm released Sguil 0.5.0 last week. The major development was the merging of xscriptd functionality into sguild. That's one less component to worry about. I also made some changes to the instructions for building IncrTcl in my Sguil installation guide , thanks to Mark Bergstrom. My guide still applies to Sguil 0.5.0, although the advice on xscriptd now belongs in the sguild configuration section. I'll produce a new guide for Sguil 0.5.1 when it arrives, as I hope to incorporate Snort 2.2.0 as well. After nearly four years of asking Bamm for feature requests in various apps he's written, I finally committed my own change to Sguil. I committed a change to sguil.tk and qrylib.tcl to support querying for events by source or destination port. Unfortunately I made a mistake merging my changes into the version I checked into CVS, and Bamm made a correction to sguil.tk shortly after my commit! I duplicated a

This isn't the most exciting topic, but I wanted to report another successful piece of hardware with FreeBSD. Earlier I wrote about the Adaptec DuoConnect PC Card adapter which provides my laptop with FireWire (but not USB 2.0, unfortunately). To add some external high-speed storage to my laptop, I bought a ByteCC 2.5 HDD enclosure with FireWire and USB 2.0 from XPCGear.com . I liked this model because I could buy an AC adapter with it. I could have drawn power from the laptop's single on-board USB 1.1 port, but I prefer to leave that free as the USB 2.0 ports on the Adaptec card don't work properly under FreeBSD. Here is how a 30 GB HDD appeared in dmesg output when plugged into the Adaptec adapter using FireWire: GEOM: create disk da0 dp=0xc3a81450 da0 at sbp0 bus 0 target 0 lun 0 da0: Fixed Direct Access SCSI-0 device da0: 50.000MB/s transfers, Tagged Queueing Enabled da0: 28615MB (58605120 512 byte sectors: 255H 63S/T 3648C) As this was a NTFS drive, I moun

Several months ago I asked the readership of the freebsd-hardware mailing list if anyone had experience with the Dell PowerEdge 750 1U server, especially its DELL CERC SATA 1.5/6ch RAID-0 (an Adaptec card) setup. Today we finally received a system on which I could test FreeBSD, so these are my results. I found I could not load FreeBSD 5.2.1 on the box. Although I was able to get through the boot procedure, FreeBSD did not see the hard drive. I decided to try the same snapshot of FreeBSD-CURRENT from 17 Jun 04 that worked on my Dell PowerEdge 2300. Thankfully the RAID-0 setup was recognized as a single 465 GB hard drive. It was device aacd0, indicating use of the aac driver. Once I saw this I checked the CVS files associated with the aac driver and saw no substantial changes to the code since my 17 Jun snapshot was taken. The installation proceeded normally until newfs started. At that point the system froze. I cycled through the virtual terminals and saw this message: E

I learned from this post that packages of OpenOffice.org 1.1.2 are available . I intend to upgrade via package since building OOo using the ports tree takes forever. I also learned a few lessons about document management this past weekend while creating slides for my USENIX talk . I found that I could create and save a presentation in .sxi format, only to have OOo not able to open it. I lost several hours worth of work due to this flaw. I was unable to open several .sxi files built with OOo 1.1.1 on FreeBSD, and was unable to get OOo 1.1.1 on Fedora Core 2 or OOo 1.1.2 on Windows 2000 to read the problematic .sxi either. I dealt with this in two ways. First, I chopped up my presentation into eight smaller files. This limited the damage in the event some slide became corrupt and prevented access to the rest of the presentation. Second, I saved every presentation in .sxi and .ppt formats. That way I could try opening the presentation in PowerPoint if OOo decided not to r