Showing posts from June, 2005

Feds Adopt IPv6 by June 2008?

I read OMB: IPv6 by June 2008 today, which says: "The federal government will transition to IP Version 6 (IPv6) by June 2008, said Karen Evans, the Office of Management and Budget’s administrator of e-government and information technology. 'Once the network backbones are ready, the applications and other elements will follow,' she said today while testifying before the House Government Reform Committee." Riiight. Be prepared to see this slip to, oh, maybe never. The Federal government is also supposed to be securing its systems, and its report card is still lousy. Agencies have also known since Homeland Security Presidential Directive 12 (Aug 04) that they needed to implement smart cards, but problems are anticipated in meeting the deadlines. Marcus Ranum pointed me towards a talk by Bill Cheswick (.ppt) on IPv6 transition realities. It mentions several problems that might prevent IPv6 adoption, like unreasonable demands on routers, hosts which can pick a new

Bleeding Snort Spyware Listening Post Initial Results

I mentioned a few new projects at Bleeding Snort two weeks ago. Some initial results of the Spyware Listening Post are posted . Check it out -- it's about one page of information.

Nvu 1.0 Released

Anyone who's visited or has probably stared in awe at the wonder of the Web composition skills inherent in each site. No? Well, I think they are an improvement over the 1996-era, made-with-vi HTML I created by hand. I used a program called Nvu (pronounced "N-view") to lay out the tables for each site. Yesterday Nvu 1.0 was released, and today the www/nvu FreeBSD port was updated. I found Nvu doesn't produce perfect HTML, so I might use a program like Tidy to clean up the pages. The latest version of Tidy is also in the ports tree as www/tidy-devel . One day I will hire a Web developer to create modern Web pages for each site.

"IDS Is Dead" Prophet Misunderstands "Sniffing"

Many of you will remember two years ago quotes by Gartner analyst John Pescatore, such as this in Infoworld : "We think IDS is dead. It’s failed to provide enterprise value," Pescatore says. Now this security expert has written more words of wisdom is response to an apparent increase in reconnaissance for port 445 TCP. In More Port 445 Activity Could Mean Security Trouble , Pescatore writes: "An apparent increase in scanning activity may signal an impending malicious-code attack exploiting a critical Windows vulnerability." Fair enough -- but check out this gem from the next page: "The apparent increase in 'sniffing' on Port 445 is a serious concern for enterprise security managers, because it may indicate an impending mass malicious-code attack." Since when is remote reconnaissance considered "sniffing"? Sniffing is a term reserved for inspecting traffic either on the wire or passed via RF. The word implies having a degree of access

Initial Thoughts on Visible Ops

I just finished listening to a Webcast offered by Tripwire titled Security Compliance: Revving Up for Regs with a Unified Strategy . To be honest, I don't think the presenters used their time appropriately, and I think the material was not conveyed very well. I listened, however, because I have learned of a book by Tripwire co-founder Gene Kim called Visible Ops . Visible Ops is a four-step methodology to implement the IT Infrastructure Library (ITIL). Tripwire describes ITIL as a framework "for assuring effective, verifiable, repeatable IT change and system configuration management processes." The Visible Ops four step process is: Electrify the fence and modify first response. Catch & release and find fragile artifacts. Establish repeatable builds. Establish a repeatable build library. This Computerworld rticle from last year provides a good explanation and introduction to these ideas. The Visible Ops authors donated the results of their research to the Info


I already published the IPFW rules I'm using to defend my sensors, so I figured I would add the IPFW rules I'm using on my VPN concentrator / firewall / gateway (CFG). I relied on the FreeBSD Handbook examples heavily, as the placement of certain sections is crucial when the CFG is also NAT box. In these rules, interface xl0 is the interface facing the "Internet" while fxp0 faces a private internal network. Host bourque is a remote sensor with IP Since this entire setup exists in a lab, the addresses are considered "public" addresses. #!/bin/sh pub="xl0" pri="fxp0" cmd="ipfw -q add " ks="keep-state" skip="skipto 500" vpncfg_ip="" bourque_ip="" nameserver="" ok_tcp_out="22,80" ok_udp_out="53,123" ipfw -q -f flush $cmd 002 allow all from any to any via $pri $cmd 003 allow all from any to any via

Forwarding Nameserver with BIND 9

I know all of the djbdns fans will attack me, but I set up a forwarding nameserver with the built-in BIND 9.3.1 version packaged with FreeBSD 5.4. I did give djbdns the old college try using the ports tree, but I had trouble getting daemontools and scvscan working in the time I allotted for the project. I was able to get BIND working strictly as a forwarding server using the following steps. First I created a rndc.key file using rndc-confgen. janney:/etc/namedb# rndc-confgen -a wrote key file "/etc/namedb/rndc.key" I created a /etc/named/rndc.conf file and copied the contents of /etc/namedb/rndc.key into rndc.conf, along with the entries shown below: options { default-server localhost; default-key "rndc-key"; }; server localhost { key "rndc-key"; }; key "rndc-key" { algorithm hmac-md5; secret "OBSCURED"; }; I then modified /etc/namedb/named.conf in the following ways. listen-o

Portsnap and Squid

At BSDCan this year I listed to Kris Kennaway describe the FreeBSD package cluster (.pdf). He said he uses a caching Web proxy to optimize retrieval of source code when building packages. This makes an incredible amount of sense. Why download the same archive repeatedly from a remote site when you can download it once, and transparently let other clients retrieve the archive from the Web cache? I decided I needed to emulate this sort of environment for several of my FreeBSD systems. I use Colin Percival's excellent portsnap to keep my FreeBSD ports tree up-to-date. If one of my systems retrieves the necessary updates through a Web cache, the other systems can get the same files from the Web cache. That saves Colin bandwidth and me time. I set up Squid using the www/squid port. The only changes I made to the /usr/local/etc/squid/squid.conf file are listed below. http_port icp_port 0 acl our_networks src http_access allow our_

Simple IPFW Rules to Defend Sensors

I'm considered deploying the following rule set on a new batch of network security monitoring sensors running the FreeBSD IPFW firewall. I'm running the IPSec tunnel scenario I outlined earlier to carry packets between the sensor and a VPN concentrator / firewall / gateway (VPN CFG) running FreeBSD. My goal is to limit who the sensor can talk to, and to limit who the sensor accepts connections from. In this case, I'm telling the sensor to speak only with the VPN CFG and a specified DNS server. I leave the option of adding additional permitted systems, such as a trusted host that is allowed to SSH directly to the sensor for maintenance purposes. Here is the rule set I plan to run on the sensors. is the sensor management IP. is the VPN CFG management IP. is the nameserver. #!/bin/sh int="fxp0" cmd="ipfw -q add " mgt_ip="" vpncfg_ip="" nameserver=""

Nessus Registered Feed for Consultants

Yesterday I described my experience registering with Tenable Network Security to access their Registered Feed. I said "security consultants using Nessus must pay an annual $1200 fee to access the Direct Fee. Free use of the Tenable plugins is only allowed on one's own network." This first part was correct, but the second part was not. It turns out that Tenable approves use of the Registered Feed (with the seven day plugin lag) if the consultant signs Tenable's commercial agreement . I downloaded, signed, and faxed the document to Tenable. I just received back a copy signed by Tenable. This means I can now use the Registered Feed plugins to scan networks I do not own. If I want the most current plugins (without the seven day lag) I should still sign up for a Direct Feed and pay $1,200 per year. My original interest in using Nessus involved quick assessments as part of incident response remediation activities. The Registered Feed is sufficient in my mind for t

Trying Nessus Registered Feed

I described installing Nessus earlier , and last year I talked about the new Nessus license system. Since I was installing Nessus on a server strictly for scanning my own lab network, I decided to see what was involved with obtaining the Tenable Security Registered Feed. When I first installed Nessus, I received this warning: Loading the plugins... 204 (out of 2225) ------------------------------------------------------------------------------ You are running a version of Nessus which is not configured to receive a full plugin feed. As a result, your security audits might produce incomplete results. To obtain a full plugin feed, you need to register your Nessus scanner at the following URL : I manually checked the contents of the /usr/local/lib/nessus/plugins directory just after installing the security/nessus-plugins FreeBSD package to count the number of NASL scripts. There were indeed 2225. Next I ran /usr/local/sbin/nessus-update

Trying Snort VRT Rules and Oinkmaster

Last week I finally registered with to gain access to the rules created by the Sourcefire VRT . The process was really simple, especially now that security/oinkmaster is in the FreeBSD ports tree. I describe the experience from the perspective of running Sguil , but the general concepts apply to anyone using Snort. After registering with, logging in, and clicking the "Get Code" button at the bottom of the User Preferences page, I added the code to my oinkmaster.conf file. url = snortrules-snapshot-2.3.tar.gz Then I ran Oinkmaster in the /nsm/rules/testing directory on my Sguild server. allison:/root# oinkmaster -v -o /nsm/rules/testing Loading /usr/local/etc/oinkmaster.conf Adding file to ignore list: local.rules. Adding file to ignore list: deleted.rules. Adding file to ignore list: snort.conf. Found gzip binary in /usr/bin Found tar binary in /usr/bin Downloading file from http://www.snort

Nessus on FreeBSD

I'm rebuilding my laptop, and I needed to install Nessus . I prefer to install FreeBSD applications using pre-built packages whenever possible. I tried adding the nessus-2.2.4_1.tbz package but got this error when I started the nessus client. Ooops ... This nessus version has no gui support. You need to give nessus the arguments SERVER PORT LOGIN TRG RESULT as explained in more detail using the --help option. The package built by the FreeBSD cluster does not include GTK . If the system on which the package is built does not have GTK installed, Nessus will only support the CLI. GTK is not listed as a build or run dependency: janney:/usr/ports/security/nessus$ make pretty-print-build-depends-list This port requires package(s) "" to build. janney:/usr/ports/security/nessus$ make pretty-print-run-depends-list This port requires package(s) "" to run. Here is an example of a port that has build and run dependencies: janney:/usr/ports/security/nessus$ cd .

Three Pre-Reviews

I promise to start reading and reviewing books again, once my independent work schedule permits it. Until then, I would like to let you know about three new books I received. The first is one I specifically requested, and I think it is important reading for anyone developing security and networking appliances. Network Systems Design Using Network Processors: Intel 2XXX Version by Douglas E. Comer , published by Prentice Hall, looks like the definitive work on the Intel IXP2xxx network processor. Computer professionals will see fewer security and networking appliances built on commodity platforms as network processors and related hardware offload certain fuctions. I also received Windows Server 2003 Security: A Technical Reference by Roberta Bragg, published by Addison-Wesley. This is a really hefty book that appears to exceed the material in her earlier Hardening Windows Systems . I guarantee I will not read this book cover-to-cover (it's 1176 pages!) but it should be

Thoughts on Security Degrees

Since our CISSP discussion has been thought-provoking, I imagine this might be interesting too. Last night I taught a lesson on network security monitoring to a graduate level forensics class at George Washington University . Earlier this week my friend Kevin Mandia asked me to step in when he was unavailable to teach. I spent 2 1/2 hours describing NSM theory, techniques, and tools, and concluded with a Sguil demo. I do not have any formal degree involving computer security. I have considered pursuing an advanced degree. It would be incredible to work with Vern Paxson , for example. I am not sure how useful another degree would be for me, at this point. Computer security practitioners are often self-taught. This morning while perusing The Economist I came across the ultimate story of a successful self-taught technician. Those in the medical community may know the story that "Professor Christiaan Barnard performed the first human heart transplant." I learned in T


I read a short article by Kate Palmer in Foreign Policy magazine about evading country-imposed Internet filters. Ms. Palmer writes: "According to the OpenNet Initiative (ONI), a research organization devoted to tracking blocked Web sites, black market access to filtered pages in Saudi Arabia runs anywhere from $26 to $67 per Web site." Good grief! Can't these people get a shell account with OpenSSH and proxy their Web requests? I see a market opportunity here.

CardSystems Breach Follow-up

Anyone looking for additional details on the CardSystems Solutions intrusion may find Bruce Schneier's blog good reading. He notes that CardSystems was apparently not in compliance with Payment Card Industry (PCI) security guidelines, although on National Public Radio CardSystems' CEO said his company was in compliance. Phil Hollows has written multiple blog entries on the breach, one which correctly points out that compliance with an audit does not equal security.

Thesis Cites Tao

I was happy to hear that Bjarte Malmedal's thesis for his Master of Science in Information Security cites network security monitoring theory from my first book The Tao of Network Security Monitoring: Beyond Intrusion Detection . Bjarte cites my work to justify why a single packet inspection and collection tool or system does not sufficiently provide security awareness. His thesis, Using Netflows for Slow Port Scan Detection , argues that Argus session records can be used to detect stealthy reconnaissance. (Thanks to Jeffrey 'jf' Lim for correcting my earlier version of this story.) This is not particularly new, as Tom Ptacek points out. I think my first book makes the same point. I just thought it was cool to see my work cited elsewhere. :)

Bleeding Snort Starts snort.conf Collection

I read an announcement yesterday that the Bleeding Snort project has started recommending snort.conf files. I posted the following comment at Bleeding Snort: Hello, I think this sample snort.conf project is a great idea. One concern I have is the general reliance on output_database to insert Snort alerts into databases. output log_unified and output alert_unified have been available for around four years, but many snort.conf files and configuration guides still insist on using output database. For example, the snort.conf addition that I recommend in my Sguil installation guide uses output log_unified: filename snort.log, limit 128 Not using Barnyard can be a real performance killer. If the Snort process and the database are on separate systems, especially across Internet space, Snort will definitely drop packets as it tries to insert alerts. Thank you, Richard I do not understand why people insist on deploying Snort without Barnyard , FLoP , the recently resurrected Mudpit , or an

Marcus Ranum Interview at SecurityFocus

I'd like to thank Federico Biancuzzi for interviewing Marcus Ranum at SecurityFocus . The interview is brilliant in my opinion. Unfortunately, I learned of the interview by an ignorant Slashdot story that completely missed the points Marcus makes in the article. Can anyone recommend an alternative to Slashdot that has a lower number of idiotic stories, but still keeps up with technology current events? Anyway, here is my favorite excerpt: "Do you see any new, interesting, or promising path for network security? Nope! I see very little that's new and even less that's interesting. The truth is that most of the problems in network security were fairly well-understood by the late 1980's. What's happening is that the same ideas keep cropping up over and over again in different forms. For example, how many times are we going to re-invent the idea of signature-based detection? Anti-virus, Intrusion detection, Intrusion Prevention, Deep Packet Inspection - they al

(IN)SECURE Magazine Online

Mirko Zorz of Help Net Security was kind enough to notify me of his organization's new online magazine, (IN)SECURE . Based on perusing the first two issues, this looks like a fairly professional-quality magazine. I found a mix of strategic and technical advice in both issues, with short book reviews, software deployment discussions, configuration guidance, and other security information. Check it out -- it's free!

CISSP: Any Value?

A few of you wrote me about this post by Thomas Ptacek in response to my recent CISSP exam post. Tom has one of the best minds in the security business, and I value his opinions. Here are my thoughts on the CISSP and an answer to Tom's blog. (I did not realize Tom has despised the CISSP for so long!) On page 406 of my first book I wrote: "I believe the most valuable certification is the Certified Information Systems Security Professional (CISSP). I don't endorse the CISSP certification as a way to measure managerial skills, and in no way does it pretend to reflect technical competence. Rather, the essential but overlooked feature of the CISSP certification is its Code of Ethics... This Code of Ethics distinguishes the CISSP from most other certifications. It moves security professionals who hold CISSP certification closer to attaining the true status of 'professionals.'" In my book I compared the CISSP Code of Ethics to the National Society of Professio

CardSystems Solutions Intrusion Exposes 40 Million Credit Cards

I am stunned by the scale of this story, and I expect to hear it get worse. Yesterday MasterCard International issued a statement that said "MasterCard International reported today that it is notifying its member financial institutions of a breach of payment card data, which potentially exposed more than 40 million cards of all brands to fraud, of which approximately 13.9 million are MasterCard-branded cards. MasterCard International's team of security experts identified that the breach occurred at Tuscon-based CardSystems Solutions, Inc., a third-party processor of payment card data." This AP story mentions "the security breach involves a computer virus that captured customer data for the purpose of fraud" and MasterCard "did not know how a virus-like computer script that captured customer data got into CardSystems' network, which MasterCard said was infiltrated by an unauthorized individual." The same AP story reports that CardSystems did not

(ISC)2 Affiliated Local Interest Groups

As soon as I complained about the ISC2 CISSP survey yesterday, I received an email from (ISC)2 about their new Affiliated Local Interest Group pilot program. Mark Wilson, president of my local ISSA-NoVA chapter, mentioned that our group will be one of the few invited to the ALIG program. We have yet to know what this really means, but I will keep you informed.

Encrypted Laptop Hard Drives

Yesterday someone asked me what I thought about encrypted laptop hard drives. I believe he was referring to this recent Seagate press release . The new Seagate Momentus Full Disk Encryption (FDE) product should ship this winter and will provide OS-independent disk encryption. This Extreme Tech article references technology by 4c Entity to encrypt the drive.

(ISC)2 Conducting CISSP Exam Survey

Last month I reported a friend's experiences with the CISSP exam. This week I received an email from (ISC)2 regarding a survey of the CISSP exam. It reads in part: "(ISC)2 would like to extend to you the opportunity to provide key input into the content of the CISSP® examination. With assistance from Schroeder Measurement Technologies, Inc., (ISC)2’s services entity,(ISC)2 is conducting a CISSP job analysis study through an online survey. The purpose of the job analysis study is to ensure the currency of future CISSP examinations. As a CISSP certificate holder, we are asking you to participate in the survey. *Your responses are valued and essential*. We ask that you set aside 20 to 30 minutes of your time no later than Thursday, July 14, 2005 to complete the online survey." Once I started taking the survey, I saw these guidelines. "A comprehensive list of important job tasks performed by an Information Systems Security Professional is presented on the following

Gartner Survey Ranks Threats

I found the article Corporates focus on basics for IT security defences by John Leyden to be interesting. He reports on a survey presented by Gartner at their recent IT Security Summit. Gartner's survey found that IT staff ranked threats as follows: 1. Viruses and Worms 2. Outside Hacking or Cracking 3. Identity Theft and Phishing 4. Spyware 5. Denial of Service 6. Spam 7. Wireless and Mobile Device Viruses 8. Insider Threats 9. Zero Day Threats 10. Social Engineering 11. Cyber-Terrorism I am disappointed to see social engineering ranked so low. I am glad cyber-terrorism is dead last. I am surprised to see outside hacking ranked so high, even though I agree it should be a top three priority. Here is the list I would create (if I had to call these "threats;" many of these are not "threats." I rank these "problems" or issues using a mixture of likelihood and damage inflicted. I do not agree with all the categories

FreeBSD Post-Installation Tasks

Last night I installed FreeBSD 5.4 on my Dell PowerEdge 2300 server. Immediately following the installation, these are the tasks I performed. These are the same post-installation tasks I perform, in the same order, on every FreeBSD system I build. 1. When I install FreeBSD, I create a user and give him the /bin/sh shell. I used Linux before I used FreeBSD, and I remain more familiar with bash . Therefore, I install the most recent package available. I do this using the PACKAGESITE environment variable. Notice how pkg_add satisfies dependencies automatically. $ su - Password: janney# setenv PACKAGESITE janney# pkg_add -r bash Fetching Latest/bash.tbz... Done. Fetching All/libiconv-1.9.2_1.tbz... Done. Fetching Al

Bleeding Snort Innovations

Several interesting projects are taking shape at Bleeding Snort , described as "the aggregation point for Snort signatures and research." The spyware Blackhole DNS project collects domain names identified with spyware and provides a hosts file pointing to localhost for each. Matt Jonkman now wants to extend the idea to create the Spyware Listening Post . Rather than have a domain like point to localhost (, the Spyware Listening Post proposes resolving the host to an IP address operated by the SLP project. The SLP will measure the requests to gather intelligence on spyware. This is an interesting idea and I look forward to seeing how it develops. Bleeding Snort also houses the Snort Test Suite . Nothing appears to have been released, but it would be cool to see them coordinate with Turbo Snort Rules . Finally, I found a funny thread in the bleeding-sigs mailing list. Essentially a commercial vendor complained about a change in the Bl

OpenSolaris Lives

The OpenSolaris Project is alive. Ashlee Vance provides the most intelligent summary of the project that I've read. Something cool you can do immediately is browse the source using a Web front-end to CVS. This is really useful if you want to understand how the OS is assembled. A common criticism of this release is the lack of a downloadable .iso or similar distribution. You must start with Solaris Express: Community Release , Build 16 or newer, then follow the release notes . This is not as user-friendly as the new Fedora Core 4 release announced today. (Note on the announcement -- those Fedora/Red Hat people are so witty!) I plan to try each once I get some free time.

HTTP Request Smuggling

You may have seen this on Slashdot , but Garth Somerville sent me this link to a paper titled HTTP Request Smuggling (HRS) by Watchfire . You may remember Watchfire as the company that bought Web application security vendor Sanctum. Essentially HRS relies on sending conflicting values or malformed input in HTTP headers. Just as we saw years ago with IDSs, bad results happen when one product interprets commands on way and another product sees the world in a different way. I was pleased to see the Squid proxy server already addressed any problems back in April in two advisories . The answer is strict HTTP parsing, but rest assured many products will continue to let malformed protocols pass. This is another case where a small set of commands or input should be allowed, and everything else should be denied. The Intrusion Prevention System (IPS) model of "deny some, allow everything else" will fail here.

Comments on Israeli Intellectual Property Theft Stories

Thanks to Jason Anderson of Lancope for making me aware of a large case of intellectual property theft in Israel. This 29 May story explains how Israeli programmer Michael Haephrati was hired to create Trojan Horses for private investigation companies. Those PI firms then deployed the programs to target companies via "email attachments." The PIs sold what they found to competitors of the targets. For more details, I recommend Richard Steinnon 's blog. I found a detail in this story very interesting: "The Trojan sent images and documents to FTP servers in Israel, Germany and the US, court documents reveal." Regular blog readers know what that means. Any victim company practicing Network Security Monitoring could have complete records of the FTP traffic that carried documents or files stolen by the Trojan Horses. NSM practitioners would know when the activity started, what systems were victims, and when the last outbound connection took place. Dependi

Bejtlich at Techo Security Conference

If you're in Myrtle Beach, SC for the 2005 Techno Security Conference , stop by and say hello. I should be at the 3:00 pm Monday book signing, and I will be speaking on behalf of Tenable Security at 7:00 pm Monday. I hope to squeeze in a Monday afternoon visit to managed security vendor LURHQ while I am here as well. This is my first Techno Security Conference, but I don't plan to see any talks other than those by Ron Gula and Marcus Ranum tomorrow morning. The conference organizers told me this is the 7th such event, and they have over 1,000 attendees. The vendor exhibits and program seems very host-based forensics-centric. It seems that every associates the word "forensics" with host-based evidence, with few exceptions. I am sensitive to this situation as I devote several chapters in my new book Extrusion Detection to network-centric incident response and forensics. I intend for these chapters to supplement existing excellent works that take a traditional

Multiple New Pre-Reviews

I've been too busy to read as I transition to being an independent consultant. Once I have a few business and related issues on track, I will begin scheduling time for reading again. I have a huge reading list as usual. A few books not on the list, but which merit attention, include the following. Last month one of the books I pre-reviewed was a Windows title by O'Reilly. Here is another: Learning Windows Server 2003 by Jonathan Hassell . This book looks like it will help me with the Windows Server 2003 Trial Software I mentioned last month. Jonathan's book looks very thorough and I hope to get to it in a reasonable amount of time. O'Reilly sent me 802.11 Wireless Networks: The Definitive Guide, 2nd Ed by Matthew Gast . Given by the quality and quantity of Matthew's wireless blogging for O'Reilly, I think this book should be great. It even covers 802.11X, which is supported through hostapd and wpa_supplicant on FreeBSD 6.0. Syngress sent Net

Article on IPS Evaluations

Thanks to Ronaldo Vasconcellos for pointing me towards What to ask when evaluating intrusion prevention systems . This is an interview with Bob Walder of the NSS Group . I agree with the conclusion of the article: "I can't stress enough the need for a thorough bake-off in your own network. It's likely to be very different from a test lab environment and may throw up some very interesting challenges for the vendors." I provided inputs to an IPS test done by a partner company. I would be happy to conduct thorough IDS, IPS, or firewall testing for your environment too! Send an email to richard at taosecurity dot com if you are interested.

FreeBSD Ports Tree Breaks 13,000 Ports, and Other FreeBSD News

This week the FreeBSD ports tree broke the 13,000 mark. The tree has added about 2000 ports per year for the past four years. This graph shows the number of ports added per year since 1995. Just last six months ago I blogged about passing the 12,000 mark. For those of you not familiar with the FreeBSD ports tree, it's a set of files and directories bundled with FreeBSD that allows easy software installation from source code. The ports tree is a wrapper of sorts, built by FreeBSD users, that makes any necessary tweaks or modifications needed to get source code to compile and install on FreeBSD. The ports tree also automatically resolves dependencies, and can be kept up-to-date very well. For those not wishing to install from source, packages are available. I almost use packages exclusively on my laptop, for example. Speaking of the ports tree, there are several notable additions. First is John Curry 's SANCP , usually bundled with Sguil . SANCP is a session data probe wh

Testing New Rules with

On Sunday I wrote about . Today I saw a post to snort-users asking if anyone had rules to detect W32.Mytob.DL@mm . One response recommended checking Bleeding Snort new rules . Looking there I found WORM_Mytob rules in a Web-browsable CVS format. Very nice. I read the first rule and decided to see what had to say. I submitted the first rule after removing the classtype field, as TSR doesn't support it. Here was the response after a few minutes of waiting. This looks like a good rule from a speed perspective; it is slightly faster than the average RME for most of the stock Snort rule sets. VigilantMinds Customer Security Systems Manager Brian Dinello sent an email in response to my first story on TSR. As I learn what I can share about upcoming project developments, I will post word here.

DIY Security with Open Source

This morning I received word of a new SANS Webcast titled What Works in Intrusion Detection Systems . The introductory paragraph for the announcement starts with these two sentences: "The days of do-it-yourself security using free software have passed. There is broad understanding among CIOs and CISOs that an effective cyber security program cannot be implemented without commercial technology and services." As you might expect I strongly disagree with this claim. I was disappointed to see these sentiments expressed in an announcement about IDS sponsored by Sourcefire ! The introduction appears to be standard SANS boilerplate, however. You can see the same paragraph in the SANS What Works in Intrusion Prevention: Using Multi-Function Low-Cost Appliances and What Works in Business Transaction Integrity Monitoring announcements, among others. I find it sad that SANS would advocate this anti-open source stance. I never saw SANS teach commercial products at my first SANS

Test Your Snort Rules at

I missed the announcement in the Bleeding Snort forums last month of , a project supported by security vendor VigilantMinds . The idea is to submit a custom rule to see how it stacks up against other Snort rules in terms of " Relative Measure of Efficiency ". Looking at the chart below, you see various RMEs for different Snort rule sets. The important port is to notice how a rule like this BACKDOOR WinCrash 1.0 Server Active is considered "very slow" (probably due to PCRE matches), with a RME over 4 on Snort 2.2.0, compared to something like (IPS) ::MS-SQL Worm propagation attempt , with a RME around 1.4 on Snort 2.2.0. There's also a performance Wiki with speed tips. I think sites like this are a great idea and I thank VigilantMinds for helping Snort users understand the speed effects of the rules they write. I don't really care how accurate it is at this point -- it's great just to know that a rule you write is much slow

New Launched

Here's a quick note for anyone who cares -- content no longer at has been modified and moved to . There's kinks to iron out at both sites, but I should have those fixed during the next week.

Counterfeiters Kill Subway Stamps

I had no idea losers were selling Subway stamps on eBay or just plain counterfeiting them. Now Subway will end the program . This is a good example of reacting to a changing threat environment. When the stamp program was started in the 1980s, I imagine the majority of the users were honest and the technology to mass-produce look-alike stamps wasn't accessible to most people. Throw in high-quality printers and unscrupulous employees who steal and sell stamps, and we end up with the current situation. Perhaps Subway will institute some sort of electronic rewards card to replace the stamp system?