Wednesday, November 30, 2005

Why Duplicate Packets May Appear on SPAN Ports

I noticed a post to snort-users today asking if Snort had a problem with duplicate packets:

"We have a range of switches being used within our network for port monitoring, and a couple have had to be set up in such a way that you can end up seeing each packet TWICE on the snort interface. I've been told by our network engineers that this has to be the case in order for the IDS to see the networks it needs to on one card."

I think I know why this is happening. I cover this issue in day one of my Network Security Operations course.

Essentially, the admin who configures the SPAN session has to decide whether to copy traffic entering the monitored source ports (ingress), leaving them (egress), or both. If both directions are copied, a frame exchanged between two monitored hosts on the same switch is copied twice: once as it enters the sender's port and once as it leaves the receiver's port. That is why duplicates appear when intra-switch traffic is carried; a frame whose other end is an unmonitored uplink is copied only once.
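To make the two-copies mechanism concrete, here is a small switch model added for this post (not code from the original or from Snort); the port names, MAC addresses and frames are constructed. It mirrors the same three frames under rx-only, tx-only and both-directions SPAN, counts what the sensor receives, and shows the byte-identical deduplication a sensor can fall back on.

```python
"""Why a SPAN session that mirrors both directions duplicates intra-switch
frames: a small switch model. Added example, not code from the original post;
port names, MAC addresses and frames are constructed for illustration."""
from collections import Counter, deque
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    payload: bytes


@dataclass
class Switch:
    # Forwarding table: destination MAC -> port that reaches it (constructed).
    fdb: dict
    # SPAN source ports -> mirrored direction: "rx", "tx" or "both".
    span_sources: dict = field(default_factory=dict)
    # Frames copied to the SPAN destination port, i.e. what the sensor sees.
    span_copies: list = field(default_factory=list)

    def forward(self, in_port: str, frame: Frame) -> str:
        """Switch one frame, mirroring it on ingress and/or egress as configured."""
        if self.span_sources.get(in_port) in ("rx", "both"):
            self.span_copies.append(frame)      # copy taken as the frame enters in_port
        out_port = self.fdb[frame.dst_mac]      # unknown destinations are out of scope here
        if out_port != in_port and self.span_sources.get(out_port) in ("tx", "both"):
            self.span_copies.append(frame)      # second copy as the same frame leaves out_port
        return out_port


def span_copy_counts(direction: str, include_uplink: bool = False) -> dict:
    """Run three frames through a switch whose access ports (and optionally the
    uplink) are SPAN sources mirroring `direction`; return copies per frame."""
    sw = Switch(fdb={"aa": "fa0/1", "bb": "fa0/2", "dd": "gi0/1"})  # dd lives beyond the uplink
    sw.span_sources = {"fa0/1": direction, "fa0/2": direction}
    if include_uplink:
        sw.span_sources["gi0/1"] = direction
    traffic = [
        ("fa0/1", Frame("aa", "bb", b"intra-switch")),  # host to host on this switch
        ("fa0/1", Frame("aa", "dd", b"outbound")),      # host to the rest of the network
        ("gi0/1", Frame("dd", "aa", b"inbound")),       # rest of the network to host
    ]
    for in_port, frame in traffic:
        sw.forward(in_port, frame)
    seen = Counter(f.payload.decode() for f in sw.span_copies)
    return {name: seen.get(name, 0) for name in ("intra-switch", "outbound", "inbound")}


def dedup(frames, window: int = 8):
    """Sensor-side workaround: drop a frame byte-identical to one of the last
    `window` frames. This also drops genuine retransmissions that happen to be
    identical, so fixing the SPAN direction is the better cure."""
    recent = deque(maxlen=window)
    kept = []
    for f in frames:
        if f not in recent:
            kept.append(f)
        recent.append(f)
    return kept


if __name__ == "__main__":
    for mode in ("rx", "tx", "both"):
        print(f"{mode:>4} on access ports:        {span_copy_counts(mode)}")
        print(f"{mode:>4} on access ports+uplink: {span_copy_counts(mode, True)}")
```

Mirroring rx only on every port, the uplink included, delivers each frame exactly once, because a frame enters the switch through exactly one port; that is the configuration to ask for when one sensor card must see every network on the switch.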

Tuesday, November 29, 2005

Two New Pre-Reviews

Thank you to the publishers who sent two new books in the last few weeks. First is Phishing Exposed, by Lance James, published by Syngress. This looks like a great book. I loved Inside the Spam Cartel, so I have high hopes for this new book. The book appears to have plenty of technical details.

Next is Running IPv6 by Iljitsch van Beijnum, published by Apress. I liked his book BGP. I already read and reviewed IPv6 Network Administration from O'Reilly, which appears similar to this new book. I'll let you know how the two books differ after I read the latest title.

Monday, November 28, 2005

Bejtlich Teaching Next Week at USENIX LISA

Next week I will present three full-day tutorials at USENIX LISA 2005 in San Diego, CA, from 6-8 December 2005. I will teach network security monitoring, incident response, and forensics. I hope to attend a tutorial on Monday afternoon and several presentations on Friday as well. I'll be wearing TaoSecurity clothing, so please stop by to chat if you're nearby! I believe Addison-Wesley will also sponsor a book-signing, but I do not know when that will be.

Update: I just learned the book signing will take place in the Golden Ballroom from 5:30 to 6:30 p.m., Wednesday, 7 December.

SANS Replaces Several Threat References in Top 20

Last week I posted comments about several misuses of the word "threat" in the latest SANS twenty most critical Internet security vulnerabilities. After receiving an email from Alan Paller, I returned to the SANS site and saw many of my recommended changes were made. For example, you can now "Jump To Index of Top 20 Vulnerabilities", instead of "threats." I appreciate SANS taking my suggestions to heart.

Update: It's becoming clear where the confusion regarding "threat" vs "vulnerability" originates for the SANS Top 20. One of you pointed me towards the article Mac OS X Under Scrutiny. See how many misuses of the term threat you can find. Here's a freebie:

"SANS's Dhamankar stressed that the intent was not to call the Mac OS X operating system a threat, but to give Mac users a wake up call."

Saturday, November 26, 2005

Three Great Session Data Articles

I just happened upon three great articles by Michael W. Lucas on collecting and analyzing session data on FreeBSD. They are:

Michael introduces several techniques and tools not mentioned in my books, like softflowd, flowscan, CUFlow, and others. Nice work! (Incidentally, I am the USENIX instructor Michael references in his last article.) :)

Friday, November 25, 2005

NISCC Director Understands Real Threats

Roger Cummings, director of the UK's National Infrastructure Security Co-ordination Centre made interesting comments reported by

"Cummings said the most significant element in the malicious marketplace is foreign states, whose target is information. Next are criminals who are trying to compromise the CNI in order to sell information. Hackers motivated by kudos or money have 'a variable capability' when it comes to attacks... However, these pose a more serious threat than terrorists, who currently have a low capability."

The article continues:

"NISCC is working with its equivalents in the countries concerned to try to shut the attacks down, Cummings said. The agency cannot name the countries concerned as this may 'ruin diplomatic efforts to halt the attacks,' he added."

Imagine that -- he didn't say "holes in Internet Explorer," or "Windows RPC services." The director named parties with the capability and intentions to exploit vulnerabilities in assets.

A visit to the NISCC site shows separate threats and vulnerabilities pages. The threats page begins with these words:

"NISCC's key role is to minimise the risk of electronic attack to the CNI. This involves assessing 'threats' from a variety of sources including criminals, foreign intelligence services, terrorists or virus writers."

The vulnerabilities page begins with these words:

"NISCC undertakes research into computer vulnerabilities or 'weaknesses' and augments this with extensive intelligence to determine the extent of threats to the Critical National Infrastructure from hostile and malevolent elements.

Working with a number of partners, NISCC has had considerable success in identifying problems, and getting vendors to provide software 'patches', through a policy of 'responsible disclosure'."

So, here is another organization that understands the difference between threats and vulnerabilities.

Tenable and Nessus News

Federico Biancuzzi conducted an extensive interview with Tenable Network Security co-founder and Extrusion Detection contributor Ron Gula. He discusses Nessus 3, including features and licensing changes. Ron also mentions Nessus support services, training, certification, and books, which all sound cool to me.

Tuesday, November 22, 2005

The Good and the Bad About the New SANS Top 20

Back in January I noted that SANS was not using the terms "threat" and "vulnerability" properly in its call for help on the "twenty most critical Internet security vulnerabilities," represented by the logo at left.

You will remember that a threat is a party with the capabilities and intentions to exploit a vulnerability in an asset. A vulnerability is a weakness in an asset that could lead to exploitation. An intruder (the threat) exploits a hole (the vulnerability) in Microsoft IIS to gain remote control of a Web server. In other words, threats exploit vulnerabilities.

Today, version 6 of the Top 20 was released. I'll start with "the good." I believe the majority of the 2005 content is much better than the 2004 edition. The 2004 list, and previous lists, displayed 10 Windows vulnerabilities and 10 (often dubious) Unix vulnerabilities. The 2005 list, in contrast, displays the following vulnerabilities:

Top Vulnerabilities in Windows Systems

* W1. Windows Services
* W2. Internet Explorer
* W3. Windows Libraries
* W4. Microsoft Office and Outlook Express
* W5. Windows Configuration Weaknesses

Top Vulnerabilities in Cross-Platform Applications

* C1. Backup Software
* C2. Anti-virus Software
* C3. PHP-based Applications
* C4. Database Software
* C5. File Sharing Applications
* C6. DNS Software
* C7. Media Players
* C8. Instant Messaging Applications
* C9. Mozilla and Firefox Browsers
* C10. Other Cross-platform Applications

Top Vulnerabilities in UNIX Systems

* U1. UNIX Configuration Weaknesses
* U2. Mac OS X

Top Vulnerabilities in Networking Products

* N1. Cisco IOS and non-IOS Products
* N2. Juniper, CheckPoint and Symantec Products
* N3. Cisco Devices Configuration Weaknesses

Bravo. I think that is a significant step towards realizing the scope of the problem at hand. To be fair to Microsoft, I believe there could have been "Unix services" and "Unix libraries" sections. I applaud the addition of network products and other applications. Content-wise, this is a great resource.

Now, "the bad." The top of the page has this link: -----Jump To Index of Top 20 Threats -----. For Pete's sake, the title of the document is "The Twenty Most Critical Internet Security Vulnerabilities." These are not threats.

Let's see other terms in use:

In the introduction we see:

"In addition to Windows and UNIX categories, we have also included Cross-Platform Applications and Networking Products. The change reflects the dynamic nature of the evolving threat landscape."

I can accept this use of the term threat, if the intent is to refer to parties who exploit vulnerabilities.


"We will update the list and the instructions as more critical threats and more current or convenient methods of protection are identified, and we welcome your input along the way."

Here, threats should be "vulnerabilities".

Section C2:

"Compromising a gateway could potentially cause a much larger impact since the gateway is the outer layer of protection and the only protection for some threats in many small organizations."

This should either replace "threats" with "vulnerabilities", or "for some" with "from some".

Section C5:

"The main threats arising from P2P software are:"

I think threats should be "risks" here, although the list is a muddle of different issues.

Later in that section:

"The number of threats using P2P, IM, IRC, and CIFS within Symantec's top 50 malicious code reports has increased by 39% over the previous six-month period."

Here, I can accept the use of the term as long as the intent is to describe parties abusing P2P, IM, etc.

Section C8:

"These applications provide an increasing security threat to an organization. The major threats are the following:"

Here's a simple rule of thumb: applications can never be "threats." Again, I suggest replacing the second "threats" here with "risks".

One final note: I am not a lone voice speaking on this subject. The Financial Times, of all people, is linked from the SANS page with a story Hackers pose new threat to desktop software. That's the proper use of the term threat, since a hacker is a "party."

Security will not be taken seriously as a "profession" until its "thought leaders" use basic terms properly.

Monday, November 21, 2005

Demand for a BSD Associate Certification Guide

I have an idea for a new book. For the last year I have been part of the BSD Certification Group (BSDCG). I started out as a Group member, but moved to the Advisory Board when TaoSecurity business occupied too much of my time.

Last month the BSDCG published its BSD Associate Exam Objectives (.pdf). The document outlines all the skills a candidate for the BSD Associate cert is expected to have. However, no specifics are given. For example:

3.2.12 Change the encryption algorithm used to encrypt the password database.

Given a screenshot of a password database, the BSDA candidate should be able to recognize the encryption algorithm in use and how to select another algorithm. The candidate should also have a basic understanding of when to use DES, MD5 and Blowfish.

login.conf(5); auth.conf(5); passwd.conf(5); adduser.conf(5) and adduser(8)
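As an added example (not from the post or the BSDCG materials), here is that recognition step in code: it maps the password field of each master.passwd entry to the login.conf passwd_format name that produced it and flags accounts still on DES or with no password at all. The sample entries are constructed, and the hash strings only have the right shape; they are not hashes of any real password.

```python
"""Recognise the password hash format in FreeBSD master.passwd entries, the
skill BSDA objective 3.2.12 asks for. Added example, not from the post or the
BSDCG; the entries are constructed and the hash strings only have the right
shape, they are not hashes of any real password."""
import re

# Formats selectable through login.conf's passwd_format, with the crypt(3)
# string shapes that identify them.
FORMATS = [
    ("blf", re.compile(r"^\$2[abxy]?\$\d{2}\$[./A-Za-z0-9]{53}$")),  # Blowfish: $2a$<cost>$<22 salt><31 hash>
    ("md5", re.compile(r"^\$1\$[^$]{1,8}\$[./A-Za-z0-9]{22}$")),    # MD5: $1$<salt>$<22 hash>
    ("des", re.compile(r"^[./A-Za-z0-9]{13}$")),                     # DES: 2 salt + 11 hash chars, no prefix
]


def identify_hash(field):
    """Map one passwd field to a passwd_format name, or to 'empty' (no password),
    'locked' (the * / *LOCKED* convention) or 'unknown'."""
    if field == "":
        return "empty"
    if field.startswith("*"):
        return "locked"
    for name, pattern in FORMATS:
        if pattern.match(field):
            return name
    return "unknown"


def audit_master_passwd(text):
    """Return {user: format} for every entry; master.passwd has 10 colon-separated
    fields (name:passwd:uid:gid:class:change:expire:gecos:home:shell)."""
    report = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):   # comment lines exist only in this sample
            continue
        fields = line.split(":")
        if len(fields) != 10:
            raise ValueError(f"malformed master.passwd line: {line!r}")
        report[fields[0]] = identify_hash(fields[1])
    return report


def weak_accounts(report):
    """Accounts to migrate: DES caps passwords at 8 characters with a 12-bit
    salt, and an empty field means no password at all."""
    return sorted(user for user, fmt in report.items() if fmt in ("des", "empty"))


SAMPLE = """\
# name:passwd:uid:gid:class:change:expire:gecos:home:shell  (constructed)
root:$2a$04$QW4YB9WhP1ttO2oQoJL1OuU7b/4oA8C9rBjHyqvnMHEeMAYbnTqkW:0:0::0:0:Charlie &:/root:/bin/csh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
richard:$1$Xa3k9Lp0$uF7dQ2mN8bV1cZ5xK9rT0w:1001:1001::0:0:Richard:/home/richard:/bin/tcsh
legacy:ab8Z2kL9qRt.M:1002:1002::0:0:Legacy User:/home/legacy:/bin/sh
guest::1003:1003::0:0:No Password Set:/home/guest:/bin/sh
"""

if __name__ == "__main__":
    report = audit_master_passwd(SAMPLE)
    for user, fmt in report.items():
        print(f"{user:<8} {fmt}")
    print("migrate:", weak_accounts(report))
```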

I am considering writing a BSD Associate Certification Guide. The guide will cover all of the 7 domains on the cert:

1. Installing and Upgrading the OS and Software
2. Securing the OS
3. Files, Filesystems, and Disks
4. Users and Accounts Management
5. Basic System Administration
6. Network Administration
7. Basic Unix Skills

Half of the work is already done. I know everything that needs to be covered. What I need to do now is provide answers to the questions.

What do you think? Would you like a book that addresses all of the seven domains for all of the BSD operating systems covered by the cert (FreeBSD, NetBSD, OpenBSD, DragonFly BSD)?

Extrusion Detection Shipping

Good news -- several of you have reported receiving copies of my new book Extrusion Detection, ordered through regular online vendors. I'm happy to see finally listing the book as "Usually ships within 24 hours." It appears has a great deal, with free shipping and a $29.69 price.

If you have any suggested changes, please let me know within the next 10 days. I owe corrections to my publisher for the second printing on 2 December. Thank you!

Tethereal Ring Buffer Syntax Changes Again

It's tough to keep up with syntax changes in Tethereal. Only a few months ago I posted syntax to use Tethereal in ring buffer mode. I like ring buffer mode because it is a "fire and forget" solution for collecting full content data. You tell Tethereal how many files, and of what size, it should collect, and then the program just keeps logging as much as you specify.

Today when trying Tethereal 0.10.13, I discovered the syntax has changed again. First, the relevant man page excerpt:

-a  Specify a criterion that specifies when Tethereal is to stop writing to a capture file. The criterion is of the form test:value, where test is one of:

    duration:value  Stop writing to a capture file after value seconds have elapsed.

    filesize:value  Stop writing to a capture file after it reaches a size of value kilobytes (where a kilobyte is 1024 bytes). If this option is used together with the -b option, Ethereal will stop writing to the current capture file and switch to the next one if filesize is reached.

    files:value  Stop writing to capture files after value number of files were written.

-b  Cause Tethereal to run in "multiple files" mode. In "multiple files" mode, Tethereal will write to several capture files. When the first capture file fills up, Tethereal will switch writing to the next file and so on.

    The created filenames are based on the filename given with the -w flag, the number of the file and on the creation date and time, e.g. savefile_00001_20050604120117.pcap, savefile_00001_20050604120523.pcap, ...

    With the files option it's also possible to form a "ring buffer". This will fill up new files until the number of files specified, at which point Tethereal will discard the data in the first file and start writing to that file and so on. If the files option is not set, new files are filled up until one of the capture stop conditions match (or until the disk is full).

    The criterion is of the form key:value, where key is one of:

    duration:value  switch to the next file after value seconds have elapsed, even if the current file is not completely filled up.

    filesize:value  switch to the next file after it reaches a size of value kilobytes (where a kilobyte is 1024 bytes).

    files:value  begin again with the first file after value number of files were written (form a ring buffer).

Ok, so how do I use this? I create the following simple shell script:

#!/bin/sh
# Capture file size in KB; here is 1 GB
#FILESIZE=1000000
# Here is 100 MB
FILESIZE=100000

# Number of files to capture
FILENUMBER=5

# Interface to watch (the post does not name it; em0 is a placeholder)
INTERFACE=em0

/usr/X11R6/bin/tethereal -n -i $INTERFACE -s 1515 -q -a filesize:$FILESIZE -b files:$FILENUMBER \
  -w /nsm1/lpc/fullcontent.lpc

The preceding script tells Tethereal to collect five 100,000 KB files. When the fifth one reaches the 100 MB limit, Tethereal begins overwriting the first one. Check out these directory listings as time progresses. First, the initial capture file. Notice the naming convention Tethereal uses. (Note: 100,000 KB != 100 MB, but it's close enough for our purposes.)

sensor01:/nsm1/lpc# ls -alh
total 35780
drwxr-xr-x 2 root wheel 512B Nov 22 15:23 .
drwxr-xr-x 5 root wheel 512B Nov 22 15:00 ..
-rw------- 1 root wheel 35M Nov 22 15:24 fullcontent_00001_20051122152344.lpc

After a while, we have five files:

sensor01:/nsm1/lpc# ls -alh
total 483300
drwxr-xr-x 2 root wheel 512B Nov 22 15:24 .
drwxr-xr-x 5 root wheel 512B Nov 22 15:00 ..
-rw------- 1 root wheel 98M Nov 22 15:24 fullcontent_00001_20051122152344.lpc
-rw------- 1 root wheel 98M Nov 22 15:24 fullcontent_00002_20051122152407.lpc
-rw------- 1 root wheel 98M Nov 22 15:24 fullcontent_00003_20051122152419.lpc
-rw------- 1 root wheel 98M Nov 22 15:24 fullcontent_00004_20051122152430.lpc
-rw------- 1 root wheel 81M Nov 22 15:24 fullcontent_00005_20051122152441.lpc

When the fifth file is completed, the first is overwritten:

sensor01:/nsm1/lpc# ls -alh
total 409316
drwxr-xr-x 2 root wheel 512B Nov 22 15:24 .
drwxr-xr-x 5 root wheel 512B Nov 22 15:00 ..
-rw------- 1 root wheel 98M Nov 22 15:24 fullcontent_00002_20051122152407.lpc
-rw------- 1 root wheel 98M Nov 22 15:24 fullcontent_00003_20051122152419.lpc
-rw------- 1 root wheel 98M Nov 22 15:24 fullcontent_00004_20051122152430.lpc
-rw------- 1 root wheel 98M Nov 22 15:24 fullcontent_00005_20051122152441.lpc
-rw------- 1 root wheel 8.7M Nov 22 15:24 fullcontent_00006_20051122152453.lpc

This process continues until Tethereal is killed. It is a great full content data collection system.
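The listings above raise the two operational questions a ring buffer forces on you: which file holds a given moment, and how far back does the ring reach? Here is an added example (not code from the post or from Tethereal) that parses Tethereal's file naming convention and answers both, using the third listing above as its sample input.

```python
"""Answer two operational questions a Tethereal ring buffer raises: which file
holds a given moment, and how much history the ring keeps. Added example, not
code from the post or from Tethereal; it parses the prefix_NNNNN_YYYYMMDDhhmmss.ext
naming convention and uses the post's third directory listing as sample input."""
import re
from bisect import bisect_right
from datetime import datetime

NAME_RE = re.compile(r"^(?P<prefix>.+)_(?P<seq>\d{5})_(?P<stamp>\d{14})\.[^./]+$")

# Third `ls -alh` from the post: file 00001 has already been overwritten.
LISTING = """\
total 409316
drwxr-xr-x 2 root wheel 512B Nov 22 15:24 .
drwxr-xr-x 5 root wheel 512B Nov 22 15:00 ..
-rw------- 1 root wheel 98M Nov 22 15:24 fullcontent_00002_20051122152407.lpc
-rw------- 1 root wheel 98M Nov 22 15:24 fullcontent_00003_20051122152419.lpc
-rw------- 1 root wheel 98M Nov 22 15:24 fullcontent_00004_20051122152430.lpc
-rw------- 1 root wheel 98M Nov 22 15:24 fullcontent_00005_20051122152441.lpc
-rw------- 1 root wheel 8.7M Nov 22 15:24 fullcontent_00006_20051122152453.lpc
"""


def parse_capture_name(name):
    """Return (sequence number, creation time) for a ring-buffer file name, else None."""
    m = NAME_RE.match(name)
    if not m:
        return None
    return int(m["seq"]), datetime.strptime(m["stamp"], "%Y%m%d%H%M%S")


def ring_files(listing):
    """Capture files found in an `ls -al` listing, oldest first. The sequence number
    in the name orders them reliably; the mtime column only has minute resolution."""
    files = []
    for line in listing.splitlines():
        fields = line.split()
        parsed = parse_capture_name(fields[-1]) if fields else None
        if parsed:
            files.append(parsed)
    return sorted(files)


def _to_datetime(when):
    """Accept a datetime or a 14-digit YYYYMMDDhhmmss string like the one in file names."""
    return when if isinstance(when, datetime) else datetime.strptime(when, "%Y%m%d%H%M%S")


def file_for_time(files, when):
    """Sequence number of the file holding traffic captured at `when`. A file covers
    from its own creation until the next file's creation; the newest is still open.
    None means that moment is older than the ring and has been overwritten."""
    created = [t for _, t in files]
    idx = bisect_right(created, _to_datetime(when)) - 1
    return files[idx][0] if idx >= 0 else None


def retention_seconds(files, file_count):
    """Approximate history the ring keeps: mean rotation interval times the number
    of files kept by -b files:. Five 100 MB files rotating every 11-12 seconds, as
    in the post, retain under a minute of traffic at that rate."""
    stamps = [t for _, t in files]
    intervals = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
    if not intervals:
        return None
    return file_count * sum(intervals) / len(intervals)


if __name__ == "__main__":
    files = ring_files(LISTING)
    print("oldest file still present:", files[0][0])
    print("file holding 15:24:25:", file_for_time(files, "20051122152425"))
    print("retention with 5 files: %.1f s" % retention_seconds(files, 5))
```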

Friday, November 18, 2005

Security Awareness Training: A Waste of Time?

Extrusion Detection contributing author Rohyt Belani told me about his new SC Magazine article Changing End Users' Security Mindset. Here are some astonishing excerpts:

"[M]y company [Red Cliff Consulting] has conducted numerous social engineering exercises for Fortune 500 companies whose success relies heavily on the protection of intellectual property.

These exercises involved scripted telephone calls to the organizations' customer service departments and mass phishing emails targeting a randomly selected set of employees. The objective was to collect sensitive data; the results were astounding.

627 of the 1000 people targeted by 'spear phishing' emails (aimed at pilfering the employees' corporate VPN credentials) succumbed to the attack and only 4 of the 373 that did not respond reported the issue to information security staff.

It's not so much those statistics that made the results astounding; but the fact that all these organizations had recently conducted user awareness workshops that addressed the threats posed by social engineers."

Wow. Maybe their Human Firewall was down?

I crack myself up. Anyway, Rohyt mostly blames the staff who offer security awareness training:

"[T]he information security staff must assume the onus of taking the initiative of developing innovative user awareness programs that pique the employees' interest. The majority of the security awareness sessions I attended were unstimulating affairs couching the do's and don'ts of security."

I think it is time to face the fact that security awareness training is generally a waste of time. Trainers can stand on their heads and juggle flaming swords, and some attendees will take a nap. People who handle the most sensitive classified data in the world will happily click on the dancing donkey that appears in their inbox. All it takes to suffer an internal compromise is for one of Rohyt's 1000 respondents to provide their corporate VPN credentials.

In the remainder of Rohyt's article, he does provide good guidelines for improving the quality of security awareness training. However, there is no way to achieve 100% compliance with security policies and sound practices.

So what is my answer? The people with the best capability to address the problem must be given the authority and resources to do so. Those people are the information security staff. They should have the power to remove administrative accounts from normal desktop users. They should have the resources to deploy a proxy to filter and block malicious inbound and outbound traffic. Their concerns should not be sidelined in order to meet "business requirements."

Disagree with me? Well, there are many aspects of business that individual employees should care about. The quality of their work environment is important. I have worked in numerous buildings with asbestos and water problems (thanks .mil). Was it my job to become an environmental engineer? Corporate financial health is another important aspect of a business. Should employees receive accounting training?

Speaking of business concerns: am I the only person who is sick of hearing media pundits tell technical people we need to spend more time and effort understanding "the business?" There are only so many hours in the day. Who is supposed to understand the technical issues facing an organization if we are also tasked with making business decisions?

Why don't I read about business managers being advised to understand TCP/IP?

This is called division of labor, and it's what enables companies to scale to their present size. I am forced to perform business and technical functions by virtue of the size of my small company. As a person who enjoys technical issues, I am not pursuing business issues by choice!

What do you think?

Thursday, November 17, 2005

FCW Reports DoD to Hold Security Stand-Down

I read that DoD plans to hold a security stand-down on 29 November "to focus on information assurance and network security." Apparently United States Strategic Command, one of nine Unified Commands, issued the order. The news came from Air Force Lt. Gen. Charlie Croom, director of the Defense Information Systems Agency and commander of the Joint Task Force - Global Network Operations (JTF-GNO).

FCW says "some DOD officials are concerned about the amount of hardware and software manufactured overseas and whether they might incorporate malicious code. [Croom] said one way to fight the problem is to require companies to assure DOD that their products are safe and for the military to monitor them closely." (emphasis added)

I like the fact Lt Gen Croom understands the importance of monitoring.

A separate article conveys this story, indicating Lt Gen Croom is a fair guy:

"The first time Croom showed up for a meeting at DISA, someone announced his presence and everyone in the room snapped to attention, as they did with previous DISA commanders, a headquarters employee said.

Croom told everyone at the meeting that that was the first and last time anyone was to announce him and have everyone stand at attention."

That's amazing. I have seen commanders institute similar policies on operations floors, but generally you're expected to stand when the commander enters a meeting room.

The FCW article did not say much about what constitutes a network "stand-down," other than "changing passwords" and "conduct[ing] certain activities to strengthen and become more aware of network security." Can anyone elaborate on this? A department-wide password change sounds like an immense incident response action. I believe we instituted a similar action once when I was still in uniform.

Typically stand-downs are held in the flying community when an aircraft crashes due to a mechanical problem. The rest of the community wants to verify that their aircraft are not also afflicted. I believe the Titan Rain intrusions may be the "crash" that prompted this stand-down. FCW reports "Croom said DOD networks are being intruded on. 'The enemy is among us,' he said."

Wednesday, November 16, 2005

Thoughts on CMP Acquisition of Black Hat

I just learned that CMP Media, publishers of IT magazines like Network Computing and IT Architect (formerly Network Magazine) just acquired Jeff Moss' Black Hat, Inc. for $10 million. I'm amazed that Black Hat went for that much. The organization may offer consulting, but it's mainly known for its conferences. Those conferences rely on instructors, none of whom are obligated to speak (as far as I know). Without any intellectual property, substantial workforce, or product lines, I'd say Black Hat did pretty well for itself!

I did not realize until now that CMP also owns the Computer Security Institute, which runs its own security conferences. The CSI conference is a strange beast. I wouldn't consider William Safire to be a "security expert," but there he is appearing as a keynote CSI speaker. Perhaps Black Hat is supposed to pull in another sort of demographic, one without as much gray hair?

BSD Certification Group Solicits Donations

The BSD Certification Group is soliciting donations to offset the costs of creating the certification. The main expense is psychometric analysis of the proposed certification exam. This is fancy talk for ensuring the test assesses what the BSD Certification Group expects to measure. The BSDCG was incorporated as a non-profit corporation (a 501(c)(3) scientific and educational charitable organization) in the state of New Jersey, but the IRS has not validated their status yet.

Tuesday, November 15, 2005

Using Cache Snooping to Estimate Code Spread

I've stayed out of the whole Sony DRM affair because I felt Windows guru Mark Russinovich has forgotten more about Windows internals than I will ever know. I try to avoid commenting on issues out of my league, and Windows rootkits are generally not something I know how to analyze at the host level.

However, today I learned of a Wired story that incorporates new Dan Kaminsky research. Dan has provided a conservative estimate of the number of systems on which the Sony DRM software is installed, based on Luis Grangeia's cache snooping methodology.

Essentially Dan used his Deluvian Scanning Platform -- DoxPara Infrastructure Validation Project (DIVP) to ask name servers if they had cached results for the hosts associated with Sony's DRM. For example, in the following I query a name server to see if it knows how to resolve The key is to tell the name server not to perform recursion; if the name server can't answer my request on its own, it has to report the authoritative name servers for .net:

orr:/home/richard$ dig A +norecurse

; <<>> DiG 9.3.1 <<>> A +norecurse
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29658
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 14

; IN A

net. 44802 IN NS
net. 44802 IN NS
net. 44802 IN NS
net. 44802 IN NS
net. 44802 IN NS
net. 44802 IN NS
net. 44802 IN NS
net. 44802 IN NS
net. 44802 IN NS
net. 44802 IN NS
net. 44802 IN NS
net. 44802 IN NS

;; ADDITIONAL SECTION: 155541 IN A 159964 IN AAAA 2001:503:a83e::2:30 156332 IN A 159476 IN AAAA 2001:503:231d::2:30 156283 IN A 156283 IN A 156283 IN A 156283 IN A 156283 IN A 156283 IN A 156299 IN A 156299 IN A 156299 IN A 156299 IN A

;; Query time: 49 msec
;; WHEN: Tue Nov 15 16:12:49 2005
;; MSG SIZE rcvd: 503

As you can see, did not know how to resolve, so it gave the .net generic top level domain server list.

Next I ask to resolve, but I just use the host command and I allow to ask a name server that knows how to resolve

orr:/home/richard$ host
Using domain server:
Aliases: has address
Using domain server:

Using domain server:

I get a response -- is Now when I use dig again and specify no recursion, responds with the IP -- it has been cached.

orr:/home/richard$ dig A +norecurse

; <<>> DiG 9.3.1 <<>> A +norecurse
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42310
;; flags: qr ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

; IN A




;; Query time: 49 msec
;; WHEN: Tue Nov 15 16:13:20 2005
;; MSG SIZE rcvd: 131

Dan used this technique to ask as many name servers as possible to resolve, and When I asked the name server about, I got these results:

orr:/home/richard$ dig A +norecurse

; <<>> DiG 9.3.1 <<>> A +norecurse
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10447
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2

; IN A


;; ADDITIONAL SECTION: 155728 IN A 155944 IN A

;; Query time: 53 msec
;; WHEN: Tue Nov 15 16:29:38 2005
;; MSG SIZE rcvd: 125

This means some system has asked to resolve an unspecified host before I did. There is no result for, however. Compare that result with the following for

orr:/home/richard$ dig A +norecurse

; <<>> DiG 9.3.1 <<>> A +norecurse
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37716
;; flags: qr ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

; IN A



;; ADDITIONAL SECTION: 147104 IN A 147320 IN A

;; Query time: 53 msec
;; WHEN: Tue Nov 15 18:53:23 2005
;; MSG SIZE rcvd: 135

Notice the answer?

Next I try querying for, and we check the dig results again:

orr:/home/richard$ host
Using domain server:
Aliases: has address
Using domain server:

Using domain server:

orr:/home/richard$ dig A +norecurse

; <<>> DiG 9.3.1 <<>> A +norecurse
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 284
;; flags: qr ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

; IN A



;; ADDITIONAL SECTION: 146980 IN A 147196 IN A

;; Query time: 53 msec
;; WHEN: Tue Nov 15 18:55:26 2005
;; MSG SIZE rcvd: 141

The other two domains returned the gtld name servers. That means no one else asked about those domains or hostnames recently.
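Reading the three response shapes above by hand is error-prone, so here is a small classifier added for this post (not code from the post or from Dan's scanner) that parses dig output and reports what the resolver's cache revealed. The owner names and addresses in its sample transcripts are constructed, since the transcripts above lost theirs in extraction.

```python
"""Classify a +norecurse dig response the way the post reads them: the host is
cached, only the domain's delegation is cached, or nothing is (a bare referral to
the TLD servers). Added example, not code from the post or from Dan's scanner;
the sample transcripts are constructed."""
import re

FLAGS_RE = re.compile(
    r";; flags: (?P<flags>[^;]*); QUERY: \d+, ANSWER: (?P<answer>\d+), "
    r"AUTHORITY: (?P<authority>\d+), ADDITIONAL: \d+")


def parse_dig(text):
    """Extract flags, section counts, the question name and AUTHORITY owner names."""
    m = FLAGS_RE.search(text)
    if not m:
        raise ValueError("no dig header line found")
    result = {"flags": set(m["flags"].split()), "answer": int(m["answer"]),
              "authority": int(m["authority"]), "qname": None, "authority_owners": set()}
    section = None
    for line in text.splitlines():
        if line.startswith(";; ") and line.endswith(" SECTION:"):
            section = line[3:-9].strip().lower()      # question / answer / authority / additional
            continue
        if not line.strip() or line.startswith(";;"):
            continue
        if section == "question" and line.startswith(";"):
            result["qname"] = line[1:].split()[0].lower()
        elif section == "authority":
            result["authority_owners"].add(line.split()[0].lower())
    return result


def classify(text):
    """'authoritative': aa set, the server owns the zone, so this proves nothing about caching.
    'host-cached': an answer came back although recursion was refused.
    'delegation-cached': no answer, but AUTHORITY holds the domain's own NS set, so some
    client made this server look the domain up earlier.
    'nothing-cached': AUTHORITY holds only the TLD's NS set, no trace of the domain."""
    r = parse_dig(text)
    if "rd" in r["flags"]:
        raise ValueError("recursion was requested; rerun dig with +norecurse")
    if "aa" in r["flags"]:
        return "authoritative"
    if r["answer"] > 0:
        return "host-cached"
    qname = r["qname"]
    tld = qname.rstrip(".").rsplit(".", 1)[-1] + "."
    for owner in r["authority_owners"]:
        if owner != tld and (qname == owner or qname.endswith("." + owner)):
            return "delegation-cached"
    return "nothing-cached"


# Constructed transcripts with the three shapes seen above; www.example.net and
# 192.0.2.10 are documentation names/addresses, not the hosts the post queried.
NOTHING_CACHED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29658
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;www.example.net.               IN      A

;; AUTHORITY SECTION:
net.                    44802   IN      NS      a.gtld-servers.net.
net.                    44802   IN      NS      b.gtld-servers.net.
"""

DELEGATION_CACHED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10447
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;www.example.net.               IN      A

;; AUTHORITY SECTION:
example.net.            155728  IN      NS      ns1.example.net.
example.net.            155728  IN      NS      ns2.example.net.
"""

HOST_CACHED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42310
;; flags: qr ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;www.example.net.               IN      A

;; ANSWER SECTION:
www.example.net.        3600    IN      A       192.0.2.10

;; AUTHORITY SECTION:
example.net.            155728  IN      NS      ns1.example.net.
example.net.            155728  IN      NS      ns2.example.net.
"""
```

The ra flag in every response above is what makes the technique work: a server that answers recursive and cache queries only for its own clients (BIND's allow-recursion and allow-query-cache statements) does not reveal its cache to outsiders.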

Nice work Dan -- cool stuff.

Monday, November 14, 2005

Extrusion Detection Shipping at Barnes and Noble

I got two boxes of Extrusion Detection copies from my publisher today. Looking at, I see Barnes and Noble lists the book as "Usually ships within 24 hours." I would give B&N a try, or order directly from the publisher, if you really want a copy of the book quickly.

Alternatively, you might be able to win a copy in the monthly raffle held at my local ISSA NoVA chapter meeting. Last time I provided a copy of Real Digital Forensics and a Network Security Operations T-shirt. Tuesday (tomorrow) is the last day to RSVP for the Thursday meeting. Steve Crocker will talk about securing DNS at the Oracle building in Reston.

Sunday, November 13, 2005

Problems with FreeBSD 6.0 as VMware Workstation Guest

I've encountered a problem running FreeBSD 6.0 as a guest OS in VMware Workstation 5.0. I discovered the FreeBSD VM runs at half speed, such that 10 seconds of real time appears to be 5 or so seconds within the VM. I tried installing the vmware-guestd port but that had no effect, even though it is running in the VM.

After reading this post, I tried changing this sysctl:

gruden:/root# sysctl -a kern.timecounter.hardware
kern.timecounter.hardware: ACPI-fast
gruden:/root# sysctl kern.timecounter.hardware=TSC
kern.timecounter.hardware: ACPI-fast -> TSC

That had no effect. This is my freebsd.vmx file:

config.version = "8"
virtualHW.version = "4"
scsi0.present = "TRUE"
scsi0.virtualDev = "lsilogic"
memsize = "128"
ide0:0.present = "TRUE"
ide0:0.fileName = "FreeBSD-000003.vmdk"
ide1:0.present = "TRUE"
ide1:0.fileName = "auto detect"
ide1:0.deviceType = "cdrom-raw"
floppy0.fileName = "A:"
ethernet0.present = "TRUE"
usb.present = "FALSE"
sound.present = "FALSE"
sound.virtualDev = "es1371"
displayName = "freebsd6-0_a"
guestOS = "freebsd"
nvram = "freebsd.nvram"

sound.startConnected = "FALSE"

usb.generic.autoconnect = "FALSE"

floppy0.startConnected = "FALSE"

ide0:0.redo = ""
ethernet0.addressType = "generated"
uuid.location = "56 4d 1e 0b c0 77 f6 f2-55 f3 38 5f 3a 47 3e b3"
uuid.bios = "56 4d 1e 0b c0 77 f6 f2-55 f3 38 5f 3a 47 3e b3"
tools.remindInstall = "FALSE"
ethernet0.generatedAddress = "00:0c:29:47:3e:b3"
ethernet0.generatedAddressOffset = "0"

ide1:0.startConnected = "FALSE"

tools.syncTime = "TRUE"

Originally the file had the last variable appear thus:

tools.syncTime = "FALSE"

Either setting had no effect. The host OS is Windows Server 2003 Enterprise x64 Edition SP1. The weird part of this is that a FreeBSD 5.4 VM running within exactly the same parameters has no problem on this system. This does not appear to be an isolated problem.

Is anyone successfully running FreeBSD 6.0 within VMware Workstation?

Update: I just copied a complete clone of this VM to my Windows 2000 Professional laptop running the same version of VMware Workstation. (Yes, I have two licenses!) :) It made no difference. The 5.5 RC2, VMware Workstation 5.5.0 build-18007, was no better with FreeBSD 6.0 as far as time goes. However, the excessive beeping that I saw with FreeBSD 6.0 on VMware WS 5.0 was shortened considerably on WS 5.5.

I just posted this story as a question to the VMTN forums. I also posted to freebsd-emulation.

Saturday, November 12, 2005

Presentations on OpenBSD Ports and More

Joe Stevensen sent word of two new OpenBSD presentations. The first is OpenBSD Ports and Packages, by Marc Espie. He takes some shots at the other BSDs, including FreeBSD. He's wrong about Python being needed to update FreeBSD ports. An article I wrote for the February 2006 Sys Admin magazine on keeping FreeBSD up-to-date doesn't use any Python, but it does require Ruby and Perl.

I do agree with some of Marc's critique, however. It would be nice to have package update tools built into the base system. Perhaps they could be written in Perl to avoid adding Ruby? We are starting to see new ports tools developed outside of the base now being added to the base, with Colin Percival's portsnap now in FreeBSD 6.0. I expect to see this trend continue because Colin is a member of the FreeBSD project now. (He's the security officer.)

The second presentation is OpenBSD Networking Update by Henning Brauer. OpenBSD is doing some cool work with OpenBGPD and I see now that OpenOSPFD is planned as well.

Thursday, November 10, 2005

Sample Extrusion Detection Chapter Posted

My publisher just posted Chapter 4: Enterprise Network Instrumentation from my new book, Extrusion Detection: Security Monitoring for Internal Intrusions. The table of contents, preface, foreword by Marcus Ranum, and index are also all online. Marcus' foreword (.pdf) is different from most; he interviews me. For example:

"MJR: I’ve noticed you’re a fan of Bruce Lee! It’s interesting to me how a lot of us security guys find parallels between computer/network security and the martial arts/art of war. Remember Lee’s great “It’s like a finger pointing away to the moon” speech? What do you think would be the equivalent for a student of computer security? What do you think Bruce would tell us?

RB: I am indeed a fan of Bruce Lee, and I’ve practiced several martial arts... I advise that intruders should be viewed as smart (sometimes smarter than you) and unpredictable, and able to beat your defenses. Bruce would probably agree. He would train to be ready for whatever his opponent would deliver, and he would have techniques in place to deal with the consequences of not blocking an initial punch or kick. Rather than failing catastrophically when an opponent lands a blow, Bruce would take advantage of the attacker’s proximity to initiate a different sort of counterattack or improved defense."

The chapters are as follows:

  1. Network Security Monitoring Revisited

  2. Defensible Network Architecture

  3. Extrusion Detection Illustrated

  4. Enterprise Network Instrumentation

  5. Layer 3 Network Access Control

  6. Traffic Threat Assessment

  7. Network Incident Response

  8. Network Forensics

  9. Traffic Threat Assessment Case Study

  10. Malicious Bots

  • Epilogue

  • Appendix A: Collecting Session Data in an Emergency

  • Appendix B: Minimal Snort Installation Guide

  • Appendix C: Survey of Enumeration Methods

  • Appendix D: Open Source Host Enumeration

The book should begin shipping tomorrow. If you have any suggestions for errata, please send them to me via richard at taosecurity dot com. Thank you!

Deleting Hard Drives

Today the subject of deleting hard drives was raised in the #snort-gui IRC channel. jrk and geek00L mentioned using Darik's Boot and Nuke (DBAN), an open source (GPL) "self-contained boot floppy that securely wipes the hard disks of most computers."

I found DBAN very easy to use. It boasts some impressive features too.

When you boot from the floppy image or CD-ROM .iso you see this screen.

The About screen offers warnings and caveats.

I like the ability to boot using one of the available deletion methods.

I simply hit [enter], which started DBAN in interactive mode. Here you can set parameters for wiping the drive.

In the future I plan to carry a DBAN floppy with me to wipe hard drives prior to installing my own NSM software.

Tuesday, November 08, 2005

Powerful Laptop Recommendations?

I'm looking for a replacement for my aging, circa-2000 IBM Thinkpad a20p, pictured at right. I was wondering if you might have any recommendations? I plan to dual-boot Windows XP and FreeBSD 6.0 on this system. It needs to be powerful as I would like to use it for teaching classes as well. Here are the specs I had in mind:

  • Intel® Pentium® M Processor 760 [2.00GHz, 2MB L2 cache, 533MHz FSB]

  • 2 GB RAM

  • 60 GB+ 7200 RPM HDD

  • NVIDIA GeForce video, to take advantage of their FreeBSD drivers and avoid ATI

  • Gigabit NIC

  • 802.11b/g is nice, especially if disabled via external switch

  • Bluetooth -- not sure if I need it?

  • Under 7 lbs -- my current laptop is more like a ThinkBrick

  • At least a 14.1" screen; I don't care about widescreens

I like the features of the Toshiba Tecra M3, but the reviews are terrible. I really like the durability and keyboard of my Thinkpad and I worry what other vendors are going to provide. I appreciate your help.

Update: Thank you for all of your comments. I've decided to wait for the arrival of Windows Vista in Q306. By that time I expect to see Intel Virtualization Technology in 64 bit mobile CPUs like the Intel Merom, which will be very helpful for my classroom setup. There's an outside chance I would get a Mac running on Intel as well, if VMware was supported.

Congratulations to Feds

I'd like to congratulate the United States Attorney's Office, Central District of California for indicting a bot net controller. According to the press release and the indictment (.pdf), up to 400,000 victims were compromised. You can track the progress of this case through the Post Indictment Arraignment Calendar.

This is exactly the sort of work that needs to be done. Security professionals cannot win against intruders if only the "vulnerability" variable of the risk equation is addressed. We need law enforcement to reduce the "threat" variable as well. The suspect in this case is a 20-year-old living in California. This is the sort of perpetrator who can be deterred, unlike a foreign intelligence agent or member of organized crime. The more bot net operators who are put in jail, the fewer lower-end threats we will need to stop.

Monday, November 07, 2005

New Tip Posted

A short article I wrote titled Using attack responses to improve intrusion detection has just been posted. It's about watching outbound traffic to identify intrusions. From the article:

"Network-based IDSes are deployed to identify compromised targets, while network-based IPSes are deployed in an effort to prevent compromise. Both systems must be able to recognize malicious traffic to issue warnings or block offending packets.

IDSes, however, have the upper hand in identifying intrusions, because they have the luxury of generating an alert based on traffic from the attacker to the victim or from the victim to the client. In other words, an IDS can alert on either the inbound attack traffic or the outbound victim response.

But to prevent an intrusion, an IPS must deny incoming attack traffic. An IPS that only inspects outbound traffic allows a target to be compromised. An IPS that makes a block decision based on responses from the victim is an 'intrusion containment system,' not an IPS."

I've contacted the site editor to see if they can fix the corrupted Windows command prompt output.

Websense ToorCon Presentation

Thanks to a comment from Shahid for pointing me to the WebSense Security Labs presentation The Web Vector: Exploiting Human and Browser Vulnerabilities (.pdf). I think the most interesting part of the briefing is the introduction of Web-based bot net command and control. Because organizations are locking down outbound IRC, bot net controllers are using HTTP as a replacement protocol. If anyone has any experience with this sort of traffic, I would be interested in hearing from you.

Friday, November 04, 2005

Latest Book Arrives Soon

My third book, Extrusion Detection: Security Monitoring for Internal Intrusions, should appear on book shelves very soon. Addison-Wesley updated the publication date to reflect today (4 November 2005), a week earlier than the planned 11 November launch. I have not yet received a copy, and no preview chapters have been posted yet. I was assured that Chapter 4, Enterprise Network Instrumentation, would be made available in .pdf form at the publisher's Web site.

I looked at the Best Book Buys Top 100 List this evening and saw these results:

I don't understand these book rankings, which are listed "as of 28-Oct-2005". Here are the top 5 books:

  1. Wild at Heart: Discovering the Secret of a Man's Soul by John Eldredge

  2. The Complete Calvin and Hobbes by Bill Watterson

  3. Financial Accounting by Robert Libby

  4. The Game: Undercover In The Secret Society Of Pick-up Artists by Neil Strauss

  5. The World Is Flat: A Brief History Of The Twenty-first Century by Thomas L. Friedman

I could not imagine a more eclectic group of books! I guess having my three books in the rankings is better than not seeing them there. Incidentally, the list includes two other books to which I contributed; number 11 is Incident Response & Computer Forensics, 2nd Ed by Chris Prosise and Kevin Mandia, and number 18 is Hacking Exposed: Network Security Secrets and Solutions, 4th Ed by Stuart McClure, Joel Scambray, and George Kurtz.

I have ideas for another book which I plan to reveal soon. If anyone has feedback on any of my books or ideas for future work, please feel free to leave a comment or send me email. Thank you.

Sguil 0.6.0-RC2 Available

After much development, Sguil 0.6.0-RC2 is now available for download. Several new features appear in 0.6.0, including:

  • MySQL's MERGE storage engine is used. The MERGE storage engine, also known as the MRG_MyISAM engine, is a collection of identical MyISAM tables that can be used as one. All Snort alerts and SANCP session data are now stored in MERGE tables, resulting in better scalability and performance. Sguil author Bamm Visscher reports "I went from being able to keep ~6 million rows to >300 million rows."

  • All sensor communication is performed through sensor_agent.tcl. This appears to make Sguil one of the few programs that respects the new licensing of MySQL under the GPL.

  • Support for Snort's sfPortscan function has been added. Users no longer need to patch and use the portscan preprocessor.

  • Increased use of tabs for window management provides better access to new information like sensor status.

Barring unforeseen issues, Sguil 0.6.0-RC2 will be released soon as 0.6.0. If you'd like to test the RC2, please download it.

I plan to create a VM image using FreeBSD 6.0 RELEASE and Sguil 0.6.0, suitable for use in VMware Player.

FreeBSD 6.0 RELEASE Announced

FreeBSD 6.0 RELEASE has been officially announced. When I get a chance I intend to upgrade my 5.4 systems to 6.0 to take advantage of bpfstat on my sensors.

I should have a new article in the February 2006 issue of SysAdmin Magazine explaining the simplest way to keep the FreeBSD OS and applications up-to-date.

Network Forensics? Please.

Today I looked at the Interop New York 2005 Schedule and noticed an item called "Network Forensic Day" taught by Pine Mountain Group. I try to stay current with people and companies performing security work, but I had never heard of PMG. I looked at the description of the course, wondering if the "network" meant "enterprise," as in "how to use forensics in the enterprise." I think that is a misapplication of the term network in that context, but it's common enough. Alternatively, perhaps "network" meant "traffic," which is how I use the term.

When I mention "network forensics," I define it as the art of collecting, protecting, analyzing, and presenting network traffic to support remediation or prosecution. This is in line with the definition of forensics:

"1. The art or study of formal debate; argumentation.
2. The use of science and technology to investigate and establish facts in criminal or civil courts of law."

It turns out PMG's use of the term "Network Forensics" has nothing to do with any recognized application of the term. They say:

"Network Forensics is the study of the micro transactions of inter-network components, platforms and the applications that process on and across them.

By taking a forensic measurement of a micro transaction, quantifying the repeated dependency on the micro to that of the macro we can quantify the improvement for an end user that specific IT optimizations might provide. On the business process side, quantification of the cost of the macro transaction time spent by an end user can be quantified in annual cost or lost productivity associated with slow applications. Knowing optimization improvements and their associated costs allows a long term ROI to be considered. The result? Best bang for the buck optimization!

Come join PMG NetAnalyst in a day of cross technology, vendor independent network training with a twist: PMG will take you on a journey down several complex multi-vendor network environments where troubles abound. You will be taught how to use a well rounded 'bag of tools' to analyze and troubleshoot the issues as well as how applying best practices could have avoided these issues. Forensics Day will show you how to save money as well as improve performance and reliability by using 'brain cells' instead of budget to solve and even prevent problems."

Please. This is not "network forensics" by any stretch of the imagination. This is an attempt to add a sexy name to the otherwise boring ideas of network troubleshooting. The latest iteration and expansion of the concept uses the term Business Service Management, which I learned about recently through the 1 September 2005 Network Computing magazine.

I understand there are similar uses of the term "forensics" outside of the legal realm. However, "network forensics" has had a security association for years. I would like to see it stay that way to avoid further cluttering our professional landscape.

Network Computing Misses the Mark

I really enjoy reading the free IT magazine Network Computing. However, I believe comments by NWC authors in the last two issues demonstrate some fundamental misunderstandings of open source applications and system administration. These are not earth-shattering issues, but I thought I would share them with you.

First, the 27 October 2005 issue includes an article called Open-Source Security Technology Joins Endangered List. Here are excerpts:

"For many users and vendors, network security is dependent on a collection of open-source programs that provide key capabilities, sometimes as standalone tools and sometimes as the basis for commercial products. Last month, however, the open-source status of two of those key technologies--Snort and Nessus--became threatened....

The moral is that heavy reliance on open source carries risk, and that the greatest insurance policy for open-source technology is participation by a large number of users and developers. If you're thinking of using open source, keep a close eye on what happens to both Snort and Nessus."

I would argue that open source carries much less "risk" when compared to closed applications. The fact that the code is open is the "greatest insurance policy," not "participation by a large number of users and developers." If an open source program is no longer maintained, it can be assumed by another developer. Assuming the license is truly open, that new developer can resume the project, fork it, or rebuild from scratch using the original as inspiration.

For example, Linux guru Tim Lawless started the Saint Jude project to protect the integrity of the Linux kernel, but had to abandon coding it in 2002. Last week Rodrigo Rubira Branco took over maintainership and released a new version. BASE, the replacement for the Web-based alert browser ACID, is a second example. The new version of SPADE hosted by Bleeding Snort is a third example. None of this would be possible with so-called less "risky" closed programs.

The second example of Network Computing missing the mark appeared in the following letter and response:

"I have a question concerning an application one of my consultancy clients needs that's targeted for Microsoft Data Center Server 2003, a product used to manage DPM, on Unisys 3S7000. The systems integrator is saying that 'for performance reasons,' it plans to 'modify the operating system' for the application.

It's been a long time since I've heard of any vendor advocating modification of a native OS to boost performance or achieve goals not supported by the OS. I've been all over Microsoft's OEM partner site and haven't read anything about using Data Center Server as an OEM product. Not even its predecessor, Data Center Server 2000, was ever available as a shrinkwrapped product; you had to have Microsoft services to implement it.

Have you ever heard of any vendor wanting to tweak the Windows kernel in order to support its application? Sounds risky...

Don MacVittie replies: Larry, your instincts are dead-on. Even in the Linux world, tweaking the OS for the application layer is generally considered taboo. There's just too much that can go wrong.

Are you sure the vendor is talking about making code changes to the kernel? Maybe what it has in mind is custom drivers, which are more acceptable, or a custom build, which is relatively common for OEMs.

If the vendor really does want to modify the kernel, you should tell your client to run away from it as fast as it can. There are enough good products out there to handle high-volume backups and replication without having to resort to such a drastic measure."

Good grief. "Even in the Linux world, tweaking the OS for the application layer is generally considered taboo. There's just too much that can go wrong." Like what, better performance? I do not know if it is possible for end users to make any modifications to the Windows kernel, perhaps via a sysctl mechanism as found in BSD. I do not fault the NWC writer for advising users to stay away from Windows kernel tweaks.

Linux and BSD are completely different beasts. I find the power to alter the kernel to be an advantage, not voodoo. In production I make few kernel customizations on BSD not because I am scared and need to "run away." I only make the customizations with which I am familiar, like adding support for IPSec or NAT. If I encountered a problem that could be addressed by customizing the kernel, I would take full advantage of the control that an open source OS provides.

What are your thoughts on these issues?

Tuesday, November 01, 2005

Dealing with FreeBSD Port Options

Sometimes when you build a port in FreeBSD, you are confronted with a curses menu like the following. This example shows the menu that appears when you run 'make' as root in the /usr/ports/ftp/gftp directory. If you hit 'OK', then interrupt the port building process and run 'make' again, you will not see the menu:

orr:/usr/ports/ftp/gftp# make
(menu appears, hit 'OK'...)
===> WARNING: Vulnerability database out of date, checking anyway
===> Found saved configuration for gftp-2.0.18
===> Extracting for gftp-2.0.18
=> Checksum mismatch for gftp-2.0.18.tar.gz.
===> Refetch for 1 more times files: gftp-2.0.18.tar.gz
orr:/usr/ports/ftp/gftp# make
===> WARNING: Vulnerability database out of date, checking anyway
===> Found saved configuration for gftp-2.0.18
===> Extracting for gftp-2.0.18
=> Checksum mismatch for gftp-2.0.18.tar.gz.
===> Refetch for 1 more times files: gftp-2.0.18.tar.gz
===> WARNING: Vulnerability database out of date, checking anyway
===> Found saved configuration for gftp-2.0.18

What is happening? Where is the menu?

It turns out the menu process creates a file called 'options' in the /var/db/ports/PORTNAME directory. As long as that file exists, the ports system reuses the saved choices and skips the menu; that is what the "Found saved configuration" line above is telling you. For example:

orr:/var/db/ports/gftp$ ls -al
total 6
drwxr-xr-x 2 root wheel 512 Nov 1 15:00 .
drwxr-xr-x 3 root wheel 512 Nov 1 14:44 ..
-rw-r--r-- 1 root wheel 167 Nov 1 14:59 options
orr:/var/db/ports/gftp$ cat options
# This file is auto-generated by 'make config'.
# No user-servicable parts inside!
# Options for gftp-2.0.18

If you want to see the menu again on a subsequent run of 'make', just delete the options file. Alternatively, run 'make config' in the port directory, which is the target that generates the file in the first place, to bring up the menu directly and overwrite the saved choices.
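As an added example, not part of the original post, here is a small POSIX sh script that audits every saved options file under /var/db/ports and resets one port's options so the menu returns on the next 'make'. It assumes the 2005-era file layout, in which each menu choice is recorded as a WITH_NAME=true or WITHOUT_NAME=true line below the header shown above (the gftp listing above shows only the header). The function names and the ability to point at a different directory for testing are this example's own, not part of the ports system.

```shell
# Added example (not from the original post): audit and reset saved FreeBSD
# port option files. Assumption: each saved choice is a line of the form
# "WITH_NAME=true" or "WITHOUT_NAME=true" (the 2005-era OPTIONS layout).
# PORTSDB may be overridden so the functions can be exercised on a scratch tree.

PORTSDB="${PORTSDB:-/var/db/ports}"

# Print one "port option on|off" line per saved choice under the given DB root.
# Useful for confirming a security-relevant choice (e.g. SSL) across all ports.
port_options_report() {
    db="${1:-$PORTSDB}"
    for f in "$db"/*/options; do
        [ -f "$f" ] || continue
        port=$(basename "$(dirname "$f")")
        # Skip the auto-generated comment header; keep only WITH_/WITHOUT_ lines.
        grep -E '^WITH(OUT)?_[A-Za-z0-9_]+=' "$f" | while IFS='=' read -r key val; do
            case "$key" in
                WITHOUT_*) printf '%s %s off\n' "$port" "${key#WITHOUT_}" ;;
                WITH_*)    printf '%s %s on\n'  "$port" "${key#WITH_}" ;;
            esac
        done
    done
}

# Delete a port's saved options so the next 'make' shows the curses menu again.
# Returns 0 if a file was removed, 1 if the port had no saved options.
port_options_reset() {
    db="$1"
    port="$2"
    f="$db/$port/options"
    if [ -f "$f" ]; then
        rm -f "$f"
        return 0
    fi
    return 1
}

# Typical use on a real system (as root):
#   port_options_report            # list every saved choice
#   port_options_reset /var/db/ports gftp && (cd /usr/ports/ftp/gftp && make)
```

Run the report before a batch upgrade to see which choices will be reused silently; any port that is missing from the output has no saved file and will prompt.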

New FreeBSD Logo Announced

There you have it. That is the new FreeBSD logo. I think it is a mess. I cannot picture it being embroidered on a polo shirt. That is my basic test for a good logo. On the bright side, I hope to see Beastie disappear off the front of the FreeBSD Web site now.

BSD Certification Group Publishes Usage Survey Results

The BSD Certification Group has released the results of their usage survey here (.pdf). Here is a quick look at the numbers:

  • 77% report using FreeBSD

  • 33% report using OpenBSD

  • 16% report using NetBSD

  • 3% report using DragonFly BSD

  • 7% report "other"

On a related note, I have resigned my seat on the Certification Group and joined the Advisory Board due to time constraints caused by running TaoSecurity.