Showing posts from November, 2010

Trying Ubuntu 10.10 in AWS Free Usage Tier

After trying 60 Free Minutes with Ubuntu 10.10 in Amazon EC2 yesterday, I decided to take the next step and try the AWS Free Usage Tier. This blog post by Jay Andrew Allen titled Getting Started (for Free!) with Amazon Elastic Cloud Computing (EC2) helped me. One important caveat applies: this activity will not be completely free. The AMI I chose uses a 15 GB filesystem, and the terms of the free usage stipulate no more than a 10 GB filesystem. I'll pay $0.50 per month for the privilege of using a prebuilt Ubuntu AMI. Since I'm an AMI n00b, I decided to pay the $0.50. At some point when I am comfortable creating or trusting 10 GB AMIs, maybe I'll switch. First I visited and signed up for Amazon EC2. At Amazon Web Services Sign In, I chose "Identity Verification by Telephone." When I completed sign up I received three emails: 1) Amazon Virtual Private Cloud Sign-Up Confirmation; 2) Amazon Elastic Compute Cloud Sign-Up Conf

60 Free Minutes with Ubuntu 10.10 in Amazon EC2

I decided to try Ubuntu in the Cloud because 1) I had a few minutes this afternoon and 2) it's free. If you follow the directions on their Web site you'll have access to an Ubuntu 10.10 server for 60 minutes, hosted by Amazon Elastic Compute Cloud (Amazon EC2). It's really simple, so easy a caveman could do it. (Ouch.) First make sure you have a public-private SSH key pair.

richard@neely:~$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/richard/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/richard/.ssh/id_rsa.
Your public key has been saved in /home/richard/.ssh/
The key fingerprint is:
c6:e0:9c:84:74:3d:2d:09:b3:a2:e5:97:7b:63:59:da richard@neely
The key's randomart image is:
+--[ RSA 2048]----+
| . +o o |
| . o o= . |
| + + o |
| + = = |
| . . * S . |
| . o =

Stop Killing Innovation

I hear and read a lot about how IT is supposed to innovate to enable "the business." Anytime I see "IT" in one part of a sentence and "the business" in another, a little part of me dies. Somewhere there is a Nirvana where "thought leaders" understand that there is no business without IT, that IT is as much a part of the business as the sales person or factory worker or janitor, and that IT would be better off not constantly justifying its existence to "the business." But I digress. I want to address the "innovation" issue in this post. CIO magazine recently published an interview with Vinnie Mirchandani titled Taking Business Risks With Your IT Budget. I liked what Mr Mirchandani had to say, although I'm going to omit his multiple references to "cloud." Instead, consider how he sees innovation in IT: More [CIOs] want to be [innovators], but organizations don’t let them... In the 1980s, we talked about IT

The Problem Is with Gmail

In my last post I lamented a problem with Sendmail on FreeBSD. I was trying to troubleshoot a problem sending email from FreeBSD's periodic scripts to Gmail. I've determined that, as crazy as this sounds, Gmail is broken. (Some of you are probably not surprised. If you want to skip the drama and see the bottom line, scroll to the bottom of the post.) Let me start my case by showing network transcripts of one successful "periodic" email and one unsuccessful "periodic" email. I'm not going to change any email addresses in this post. The following email is delivered successfully. Computer sits behind NAT so the public IP is The entries prior to the SMTP transactions (e.g. and similar) were added by Tcpflow, which I used to render the transcript manually.

220 ESMTP my6si2476635qcb.101

FreeBSD Sendmail Problem

Thanks for the help with my script issue recently. I was wondering if anyone has seen this problem with Sendmail? I aliased root to "taosecurity at gmail dot com" as shown below. (I used the real email address on the computer.) This is a fresh install of FreeBSD 8.1. $ uname -a FreeBSD 8.1-RELEASE FreeBSD 8.1-RELEASE #0: \ Mon Jul 19 02:55:53 UTC 2010 \ i386 vm# diff -u /etc/aliases /etc/aliases.orig --- /etc/aliases 2010-11-18 10:30:37.000000000 -0500 +++ /etc/aliases.orig 2010-11-18 10:30:26.000000000 -0500 @@ -18,7 +18,6 @@ # root's email from here. # root: me@my.domain -root: taosecurity at gmail dot com # Basic system aliases -- these MUST be present MAILER-DAEMON: postmaster vm# newaliases /etc/mail/aliases: 28 aliases, longest 21 bytes, 300 bytes total My /etc/mail and /var/spool directories are pristine "from the factory" vm# ls -al /etc/mail total 300 drwxr-xr-
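Review bot: the diff is produced as `diff -u /etc/aliases /etc/aliases.orig`, with the modified file as the first operand, so the alias that was actually added (`-root: taosecurity at gmail dot com`) shows up with a `-` prefix as if it had been removed; running `diff -u /etc/aliases.orig /etc/aliases` would render it as the `+` line it really is and make the hunk easier to read. The `@@ -18,7 +18,6 @@` counts are consistent with that single-line difference, so nothing else in the file changed.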

Thanks for Help with Startup Scripts

Thanks to @sevanjaniyan and @cperciva for helping with my FreeBSD startup script issue. By removing the ${barnyard2_flags} argument from the command_args section I was able to start barnyard2 properly:

root 45842 54.9 0.5 18572 11116 ?? Ss 7:15PM 0:00.00 /usr/local/bin/barnyard2 -D -U -d /nsm/r200a -f snort.unified2 -c /usr/local/etc/nsm/barnyard2.conf

In other words, the script has this now:

. /etc/rc.subr
name="barnyard2"
load_rc_config $name
rcvar=`set_rcvar`
# set some defaults
: ${barnyard2_enable="NO"}
: ${barnyard2_conf="/usr/local/etc/barnyard2.conf"}
: ${barnyard2_flags="-D"}
command="/usr/local/bin/barnyard2"
command_args="-c ${barnyard2_conf}"
run_rc_command "$1"

I made changes to some other startup scripts and needed to commit them via Git. I did it this way.

richard@macmini:~/taosecurity_freebsd_sguil$ git status
# On branch master
# Changes to be committed:
# (use "git rese

Calling FreeBSD Startup Script Experts

Has anyone encountered this situation? I've found several startup scripts on FreeBSD that result in duplicate arguments passed during startup. For example:

vm# uname -a
FreeBSD 7.3-RELEASE FreeBSD 7.3-RELEASE #0: Sun Mar 21 06:15:01 UTC 2010 i386
vm# pkg_info
sancp-1.6.1_3 A network connection profiler
vm# cat /etc/rc.conf
# -- sysinstall generated deltas -- # Fri Nov 12 16:36:42 2010
# Created: Fri Nov 12 16:36:42 2010
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.
defaultrouter=""
hostname=""
ifconfig_em0="inet netmask"
sshd_enable="YES"
sancp_enable="YES"
sancp_interface="em0"
vm# cat /usr/local/etc/rc.d/sancp
#!/bin/sh
#
# PROVIDE

Two New Tools in Snort

No sooner do I get Snort running than something breaks. However, thanks to Niels Horn I know a little more about two new tools included with Snort. First is u2spewfoo, which reads Unified2 output files and outputs them as text.

[sguil@r200a /nsm/r200a]$ u2spewfoo snort.unified2.1289360307 | head -20
(Event)
sensor id: 0 event id: 1 event second: 1289360859 event microsecond: 881345
sig id: 2011032 gen id: 1 revision: 4 classification: 3
priority: 2 ip source: ip destination:
src port: 44597 dest port: 3128 protocol: 6 impact_flag: 0 blocked: 0

Packet
sensor id: 0 event id: 1 event second: 1289360859
packet second: 1289360859 packet microsecond: 881345
linktype: 1 packet_length: 1168
00 15 17 0B | 7D 4C 00 13 | 10 65 2F AC | 08 00 45 00
04 82 C2 E3 | 40 00 3F 06 | 03 6E C0 A8 | 02 6B AC 10
02 01 AE 35 | 0C 38 73 6F | 02 7F 12 37 | D9 A8 80 18
03 EA 6D 85 | 00 00 01 01 | 08 0A 01 2A | 34 44 75 11
33 8C 41 46 | 69 72 73 74 | 25 32 43 25

Using Git with FreeBSD Sguil Scripts

Before today I never committed anything using Git. Previously I used CVS, but never got around to trying something more modern like SVN. However, I know several developers at work use Git, so I figured I would try committing my FreeBSD Sguil scripts (lame as they are) to Git at Sourceforge. This would allow me to keep track of changes and get the code out of my own repository for sharing and safekeeping. I started by cleaning up the directory where I kept the scripts. After following the instructions to enable Git, I took these actions.

richard@macmini:~/taosecurity_freebsd_sguil$ git init
Initialized empty Git repository in /home/richard/taosecurity_freebsd_sguil/.git/
richard@macmini:~/taosecurity_freebsd_sguil$ git config "Richard Bejtlich"
richard@macmini:~/taosecurity_freebsd_sguil$ git config \
""
richard@macmini:~/taosecurity_freebsd_sguil$ git remote add origin \
ssh://taosecurity@taosecurit

Updates to Sguil on FreeBSD Scripts

Early last year I posted Notes on Installing Sguil Using FreeBSD 7.1 Packages where I examined using the various FreeBSD ports for Sguil. In that post I showed that a lot of work was required to deploy Sguil, even if you used the ports or packages. Previously I've written about a set of scripts I maintain for deploying Sguil platforms in my lab. I decided to take a look at those scripts and update them for a modern environment, since a lot has happened in the almost two years since I last used the scripts. First, I tested my old scripts on FreeBSD 7.x, and now 8.x is common. Second, Snort is available, and with it the new DAQ mechanism for accessing network traffic. Third, Barnyard has been deprecated in favor of Barnyard2, thanks to the guys at the NSMNow project. There have been a lot of changes with rules and other areas. I also wanted to try running a 64-bit environment on a Dell R200 as my primary lab sensor. Finally, I decided to switch from using CVS at So

Collage: Defeating Censorship [aka Security] with User-Generated Content

The Economist article Anti-censorship: Hidden truths; A new way of beating the web’s censors brought a system called "Collage" to my attention. Collage, a project by Sam Burnett, Nick Feamster, and Santosh Vempala, is described this way on its project site: We have developed Collage, which allows users to exchange messages through hidden channels in sites that host user-generated content. Collage has two components: a message vector layer for embedding content in cover traffic; and a rendezvous mechanism to allow parties to publish and retrieve messages in the cover traffic. Collage uses user-generated content (e.g., photo-sharing sites) as “drop sites” for hidden messages. To send a message, a user embeds it into cover traffic and posts the content on some site, where receivers retrieve this content using a sequence of tasks. Collage makes it difficult for a censor to monitor or block these messages by exploiting the sheer number of sites where users can exchange m