Investigative Leads for Network Security Monitoring

When I worked incident response for Foundstone, my boss Kevin Mandia taught me about "investigative leads." This is a Bureau/law enforcement term for items which are recognized as important in a report but require additional scrutiny. I have several network security monitoring investigative leads which I have not yet had time to follow. I list them here in the event one or more of my readers have checked them out:

  • In November Dave Aitel of Immunity, Inc. posted an announcement of his company's CANVAS Reference Implementation (CRI). CANVAS is a penetration testing toolkit consisting of private exploits written by Immunity, Inc. The CRI is a subset of CANVAS, available for free under NDA, aimed at those wishing to test IDS and layer 7 firewalls (aka "IPS"). I plan to try this out soon, but don't expect public results due to the NDA.

  • There's an extended focus-ids thread discussing the need for packet capture and the problems of doing so in high bandwidth environments. Anyone who has seen my Wish List will notice I am researching hardware-based approaches to the problem, like network processors, FPGAs, and microcontrollers.

  • A friend pointed me to l7-filter, an "Application Layer Packet Classifier for Linux." This looks really cool. Along with the upcoming release of Snort 2.3 with integrated inline capabilities, I'm being forced to deploy one or more Linux boxes to try these features. If l7-filter is able to profile traffic running on arbitrary ports, it will give open-source-bound NSM analysts a powerful new capability.

  • If you have trouble justifying your monitoring duties, you'll face less resistance if you share Wanted: Chief Espionage Officer with the doubting parties. I have yet to read all of this article, but it's a detailed look at (illegal) corporate intelligence gathering.

Regarding the third point -- would anyone care to suggest a Linux distro for my snort-inline and l7-filter projects? I'm going to be running on minimal hardware without X. I'm leaning toward Debian or Slackware and away from Fedora Core, Mandrake, and Gentoo. I'd like a Linux distro that uses the kernel as-is, or as much as possible. Is there such a thing? Coming from BSD-land, I'm not current on the Linux scene. Thank you.


gabe anzelini said…
For a BSD user, I would say that gentoo is the most BSD-like. However, on minimal hardware and since you just want to set something up (quick?) to test this out, I would say debian. It is what I use when I need to get a box and running quickly.
Jacek said…
My vote goes to Debian.
One Guy Nick said…
I am posting this from a gentoo box. I run O*Bsd and FreeBSD on servers in the house. If you desire a stripped down linux system much like you get with a standard bsd install...stick with gentoo. Check out to see what the community is like. I have been a long time unix guy and for me gentoo makes me feel comfy. Hope this helps!
jeraklo said…
For BSD-style OS paradigm use Gentoo, altough it can take few hours to setup average box (by default, it forces you to compile a kernel). Gentoo curently has more than 8300 BSD-style ports.

For classical GNU/Linux binary package based distro go with Debian but beware of manualy installing software that is not supported by project.

Of course you can have vanilla kernel on both of these distros.

My vote goes to Gentoo.
Anonymous said…
Slackware ships a clean kernel from, they don't add patches to it like most vendors do. It's uses BSD style start up init scripts instead of the System V style that most other Linux distro's use. The packagemanagement is quite minimal, compared to freebsd.

It runs on minimal hardware.

So i suggest Slackware. :-)
Anonymous said…
Debian is a good choice, however if you need something even more minimalistic I've used leaf (particularly Bering-uClibc) to build a couple of firewalls/routers and it works nice. Leaf is as minimalistic as you can get without actually building your own distro from scratch.
raz0rsharp said…
I'd go with Slackware, and if you feel really ambitious you could do a linux-from-scratch or customized knoppix. Of course this is just my own opinion -- I just installed my firewall / gateway and put fedora core 1 on it (mainly cause I already had the cds downloaded and burned).

Good luck.
Scott said…
Richard, I have some experience with Debian if you want some help, tap me in #snort-gui
Anonymous said…
I've been running Debilian for a few years now and I'm finally fed up with it. I switched my desktop over to Gentoo and I'm reasonably happy with it.
"Debian Stable" is often mangled to "Debilian Stale" and at least the "Stale" part is true. Debian Stable often lacks new software so one ends up either creating a Debian package for it or manually installing the .tgz - which in itself is an Abomination™ against the packaging effort and concept.
I haven't tried Slackware, but I'd shy away from RedHat and SuSE as well. My preferred distro of the year seems to be Gentoo.

cheers, Axel (
AUGURY said…
I've been building snort sensors based on corelinux from It's based on the 2.4.18 kernel and almost nothing installed on it. You get the bare minimums and build from the ground up. It has absolutely no servers running by default so an nmap scan shows nothing. It takes a little more time to setup than common distros but once you get the commands down you can build a sensor within 3 hours, totally configed; and it uses the unaltered kernel image from BTW Loved the "Tao of Network Security Monitoring," It was a smooth enjoyable read.
Ryan said…
There is nothing from keeping you from using a stock linux kernel on Gentoo. emerge development-sources to get the latest 2.6 kernel.
This comment has been removed by a blog administrator.
Anonymous said…
This comment has been removed by a blog administrator.
Anonymous said…
This comment has been removed by a blog administrator.

Popular posts from this blog

Five Reasons I Want China Running Its Own Software

Cybersecurity Domains Mind Map

A Brief History of the Internet in Northern Virginia