Friday, 28 November 2003

Snort Add-Ons

Over the last few days I've reviewed several add-ons for Snort. First, everyone using Snort knows about Barnyard. Barnyard processes the output from the spo_unified plugin, which Marty first described in June 2001. spo_unified creates two log files. To paraphrase Marty, the alert file contains event data (generator, sid, rev, classification, priority, event_reference), timestamp, source IP, destination IP, source port, destination port, protocol, and TCP flags (if applicable). The log file contains the event data, flags that indicate the...

Voice-Based Fraud Detection

The Register reports on the latest in fraud detection: "Online insurer Esure is to use technology that recognises when a speaker is under stress in a bid to detect fraud. The company hopes using voice risk analysis (VRA) technology will speed genuine claims, cut fraud and make its claims process more efficient... VRA - which identifies micro changes in the voice that can occur when a speaker is showing higher levels of stress - will be used by esure from 4 December. The company is keen to emphasise that the technology is a 'stress detector' not...

Thursday, 27 November 2003

According to Reuters, a 38-year-old Home Depot worker was arrested for stealing laptops from Wells Fargo. From the article: "Police recovered the equipment at Krastof's home, along with equipment used for scanning identity cards and checks, he said. 'He is a low-level ID theft kind of guy,' White said of Krastof. Krastof told police that he did not know that sensitive data was on the computer, according to [policeman] White. Wells Fargo will be able to keep the $100,000 reward it had offered in the case, since the arrest was made from regular...

Wednesday, 26 November 2003

Ron Gula Replies to Information Security Review of NeVO

You may have read the fairly critical Information Security review of NeVO by Tenable Security. CTO Ron Gula posted a response to the focus-ids group which makes for good reading: "Since NeVO is on 'all' of the time and it matches for specific vulnerabilities, that means that the vulnerability and IDS correlation which occurs at the Lightning Console is that much more accurate. Our concern at Tenable is that doing correlation based on 'old' vulnerability data (like on a month old Nessus scan) or 'relevant' vulnerability data (like all of the IIS...

Monday, 24 November 2003

Tepatche - Automatic OpenBSD System Patcher

I continue to watch for tools to keep BSD systems up-to-date. I learned of a new application for OpenBSD called Tepatche. The author wrote this article for next month's Sys Admin magazine. He also mentions the openbechede package management project. Incidentally, Colin Percival reports he's attained the $1000 mark needed to buy a new box to provide freebsd-update binary updates. Hopefully we'll see them available for the 5.X tree soon. While poking around Amazon.com I found a new BSD book will be published in the spring: FreeBSD and OpenBSD...

Wells Fargo Offers $100,000 For Info Leading to Conviction of Laptop Thief

ZDNet reports the following: "Wells Fargo said on Friday it had offered a $100,000 reward for information leading to the arrest and conviction of the burglar who stole a bank consultant's computer that had sensitive customer information on it. The computer was one of several stolen earlier this month from the office of an analyst for the bank in Concord, California, the bank...

Finding the Name of FreeBSD Packages to Install

I usually install FreeBSD applications using the ports system, but I wanted to know how to use the package collection as well. I wondered how to quickly locate the name and URL of a package so I could pass them as a parameter to pkg_add -r. Using this command FreeBSD fetches the package specified and installs any dependencies automatically. I found the answer at the FreeBSD Ports Changes page. Here you can query for a package (or port) by name,...

Friday, 21 November 2003

Tim O'Reilly on Computer Books

Tim O'Reilly of O'Reilly publishing answered questions on the economics of writing on computer topics. I found this excerpt interesting: "Your choice of publisher helps [a book be successful]. The clearest lesson from Bookscan (to refer to the data that started this thread) is that the market is consolidating. Fully 80 percent of the market shown by Bookscan (about 65-70 percent of U.S. domestic retail sales, including online accounts) is owned by Pearson, Wiley, O'Reilly, and Microsoft Press, in that order. If you add Osborne and Sybex, you get...

Wednesday, 19 November 2003

Other Tidbits on SSH, IRC, and other Topics

I needed to bounce through a couple systems while working on a hostile classroom network this week. I found this book excerpt which explains how to chain SSH connections. I started using the EPIC IRC client on FreeBSD and I wanted to use a customization script. I remembered using Splitfire and found it to be useful. In #snort-gui we've been using Pastebot to provide chunks of text via HTTP rather than IRC on homefries. Rob Lee's incident-response.org domain registration apparently expired and was scooped by someone else. You can access Rob's...

PostgreSQL 7.4 Released. Watch Out For MySQL "Gotchas"

PostgreSQL 7.4 was released this week. We use MySQL in the Sguil project but we used PostgreSQL with older NSM tools. I learned about this MySQL "gotchas" site showing odd MySQL behavior. This could prompt a war between the MySQL and PostgreSQL communities. Speaking of wars, I ran across a site which claims to benchmark various UNIX operating systems. The results caused a crazy thread among OpenBSD use...

What Makes For Credible Certifications?

Peter Stephenson contributed to a SC Magazine article that featured criteria for credible certifications. I found his comments worthwhile: "The major question to be asked about certifications and their value is: 'Where does the cert come from and what are its objectives?' A good industry certification will have several recognizable components if it is to be credible: It is based upon an accepted common body of knowledge that is well understood, published and consistent with the objectives of the community applying it. It requires ongoing training...

Tuesday, 18 November 2003

Network Security Monitoring Saves My Bacon

Long-time readers of this blog know I subscribe to a security theory called network security monitoring. Two of NSM's principles are "some intruders are smarter than you" and "intruders are unpredictable." Believing these principles changes the way defenders look at watching their networks. If you assume a smart, unpredictable enemy, you have to take as many defensive actions as possible in the remote hope of catching a bad guy. This morning I...

Saturday, 15 November 2003

TruSecure: "k3wl," Like "Hackweiser and G-force Pakistan"

The BBC wrote an article about the threat intelligence group, "codename IS/Recon (Information Security Reconnaissance)." They're TruSecure's "moles" -- people who befriend the "underground" and acquire information on their intentions and capabilities. The national intelligence community calls that "human intelligence," or HUMINT. The article claims TruSecure "currently tracks more than 11,000 individuals in about 900 different hacking groups and gangs." It also states they collect "200 gigabytes of information a day," which "has enabled the...

Friday, 14 November 2003

Mapping the Internet on a Dare

Slashdot reported on the Opte Project. It's a single guy who's mapping the Internet using code he wrote. Commercial companies like Lumeta provide much more enhanced functionality, but this is still a cool hack. The Slashdot thread features commentary by Hal Burch and Fyodor, and a useful summary of similar projects. The image at left is supposedly "1/5 of the Internet," but as one Slashdot reader mentioned, it looks a lot like a brain! Given Google has replaced the brain of many people, I imagine this image is appropriate. ...

Trying Fedora Core 1

Today I installed Fedora Core Release 1 in a VMWare session on my laptop. I was unable to install using the CD-ROMs I burned and got the same error as described in this thread. I ended up installing the OS using the three .iso files on my laptop hard drive. I installed a default desktop into a 4 GB partition. Here are the daemons listening, the filesystem stats, and the uname output:

[root@localhost root]# netstat -natup
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp...

Let Freedom Ring...Not

The so-called "hacker" who "defaced" aljazeera.net was sentenced yesterday to 1000 hours of community service and a $2000 fine, according to stories by aljazeera.net and Reuters. The intruder, a "Web designer," "posed as an Al Jazeera employee," presumably to Verisign, the registry for the .net domain. This far more informative article has technical details on the "hack." Apparently the perpetrator convinced Verisign to change its listing for aljazeera.net's domain servers to a system controlled by the intruder. The DoJ reports the perp also...

Stephen Northcutt Hints at New 2004 SANS Courses

I received an email from Stephen Northcutt discussing various SANS initiatives. I found the last paragraph interesting. As this was a mass-mailing I'd like to share what he said: "We do have other tracks in development; if the writers and researchers stay on track, in the second half of 04 we hope to complete a track on content and email security and a six day legal track designed primarily for attorneys. We have an advanced windows operations and advanced windows audit track in the works. On the unix side of the house we are working on a Linux,...

Thursday, 13 November 2003

While reading this OSNews thread on FreeBSD, I learned of the portsman tool. It's a curses-based front end to the FreeBSD ports tree. It offers similar functionality to portupgrade but through a menu system. I found it interesting that it was hosted at berlios and not at SourceForge like most open source projects. One adjustment I made to use portsman was to change the default TERM value from 'xterm' to 'xterm-color' so I could see the menu better...

Wednesday, 12 November 2003

21st Century Pilotless Airwolf Stolen

OK, it's obviously not Airwolf. According to this Israeli newspaper the Steadicopter was recently stolen a few days after the completion of its test program and final test flights. According to the article: "Steadicopter CEO Tuvia Scgl told 'Globes' today that he had no doubt that industrial espionage was behind the theft. "We're convinced that the thief was working for our competitors, because he went directly to the helicopter's location, and...

Criminals Extort Companies With DoS Attacks

I learned at Slashdot of an article at Financial Times about criminals extorting companies by subjecting them to denial of service attacks. From the article: "More than a dozen offshore gambling sites serving the US market were hit by the so-called Distributed Denial of Service attacks and extortion demands in September and the tactic is now spreading. Sites have been asked to pay up to $50,000 to ensure they are free from attacks for a year. Police are urging any victims not to give in to blackmail and report the crime." This is a lot easier...

New Sguil 0.3.0 Install Doc for FreeBSD 4.9 REL

I just published a new installation guide for Sguil 0.3.0. Sguil is an interface to Snort which operates using Network Security Monitoring principles. This means it is dedicated to answering the "now what?" question that faces analysts who receive IDS alerts. Sguil provides alert, session, and full content data with a minimum of mouse clicks, window changes, and keystrokes. Users not familiar with FreeBSD should have no problems following the instructions. I provide dozens of screen shots and step-by-step comments to get the OS and all needed...

Tuesday, 11 November 2003

More BSD Stuff

I found a new FreeBSD-based bootable CD-ROM firewall called NetBoz. I haven't tried it yet, but someone put a lot of thought into the logo! I'm often asked why I like FreeBSD. I think FreeBSD's ports tree is the best of the three BSDs, with over 9000 applications available. FreeBSD offers the FreshPorts site to track updates and changes to ports. OpenBSD has http://ports.puffy.nu/, openbsd.hstd.net and bsdcoders.org. This post puts the OpenBSD port count at over 2000 as of May 2003. OpenBSD's "higher standards" keep the count down compared...

The Game of 'Life' in PostScript

Do you know the game of "Life"? The game was created by mathematician John Conway and described in this 1970 Scientific American article. Based on a small set of rules, the game looks at the initial configuration of a set of counters (representing "organisms") and moves them forward through time. Certain arrangements result in life, while others perish. The coolest implementation of this game is one in PostScript. Remember PostScript is a programming...

SilentPCReview.com Provides Info on Quiet PCs

I'm thinking of building my own firewall appliance. It would be nice to have a "quiet" PC. I found SilentPCReview.com offers reviews, forums, and news on the quiet PC sce...

Sunday, 09 November 2003

My C-64 Rides Again

Thanks to a RR-Net kit, my Commodore 64 is now on the Internet. I browsed taosecurity.com using the Contiki Web browser and I served Web pages using the Contiki Web server. It's slow, but really amazing to think a machine that hasn't been used in 13 years is now on the Internet! There's also a version of VNC which I haven't tried yet. I still need to try downloading software and getting it to the C-64. The RR-Net package arrived...

Friday, 07 November 2003

Using fastest_cvsup and freebsd-update Tools

While reading an OSNews thread on FreeBSD 4.9, I heard of a tool called fastest_cvsup. You use it in conjunction with cvsup on FreeBSD, NetBSD, and OpenBSD to find the "fastest" source distribution site. I use it in a shell script to update one of my boxes like this:

#!/bin/sh
# Ports updater by Richard Bejtlich
# 0925 07 Nov 03
SERVER=`fastest_cvsup -q -c us`
echo "cvsup -g -L 2 -h $SERVER /usr/local/etc/ports-supfile"
cvsup -g -L 2 -h $SERVER /usr/local/etc/ports-supfile
echo...

Thursday, 06 November 2003

Testers for DRAFT Sguil on FreeBSD Installation Guide Needed

I announced the availability of Sguil 0.3.0, so I've been working on a new installation guide. I'm not a big Linux fan so I've been wanting to move my document to reflect FreeBSD. Today I completed the install guide and posted it at http://taosecurity.com/install_freebsd_4-9-REL_DRAFT.zip. If you're so inclined, download the installation doc and try it out. I used FreeBSD 4.9 RELEASE only to have access to that distro's ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-4.9-release/ packages. These are the same as would be found on the...

Wednesday, 05 November 2003

Snort 2.0.3 Released

Yesterday Marty released Snort version 2.0.3, which contains a few bug fixes. Last week Bamm announced the release of Sguil version 0.3.0. I still need to update the documentation. I had already planned a FreeBSD-only installation guide, even before all the turmoil with Red Hat Linux. I hope to have the guide done by next week. A few weeks ago a good thread on snort-users discussed hardware for Snort and ways to avoid dropping packe...

Do You Bluejack?

Here's a great example of creative minds taking advantage of new technology. Those crafty, meddling kids in the United Kingdom have popularized a way to send text messages to unsuspecting owners of Bluetooth-enabled phones and PDAs. The BluejackQ (or "Bluejack You") site, apparently run by a 13-year-old English girl, has all the details. Her site has been hammered recently by visitors, but she reports it's weathered the storm. Netcraft reports she's running Apache on Linux, so good for her! A poorly edited but technically informative Slashdot...

Tuesday, 04 November 2003

Wireless IDS "All the Rage"

Researching my book I came across this fairly informative article on wireless IDS. It's useful as it spells out three ways to accomplish the task. The article publisher, Unstrung, has written about Joshua Wright's attacks on LEAP, the vendor's response, and wireless IDS servic...

Security Hole in Ethereal; Upgrade Now

The Ethereal project makes the finest open source protocol analyzer available. Yesterday they announced a vulnerability affecting at least Ethereal 0.9.15. They recommend upgrading to 0.9.16 right away. From the advisory:

Description: Potential security issues have been discovered in the following protocol dissectors: An improperly formatted GTP MSISDN string could cause a buffer overflow. A malformed ISAKMP or MEGACO packet could make Ethereal or Tethereal crash. The SOCKS dissector was susceptible to a heap overflow.

Impact:...

Monday, 03 November 2003

I read today on Slashdot that Red Hat will discontinue maintenance and errata support for all versions of Red Hat Linux through 9.0 by 30 April 2004, and produce no other products in that line. Everyone looking for a "free" version of "Red Hat" will have to check out their Fedora Project as Red Hat now focuses on its Red Hat Enterprise Linux line. Those wishing to try the "Fedora Core" are directed to a download page mentioning the Red Hat beta OS severn. Looking at the Fedora release schedule, the Fedora offering is called cambridge and was...

Sunday, 02 November 2003

Threat Matrix Chart Clarifies Definition of "Threat"

I ran across this chart at the Kentucky government security page, of all places. They must have reproduced it from a Department of Homeland Security briefing. It shows the five components used to judge a threat: existence, capability, history, intentions, and targeting. My earlier definition focuses on capability and intentions, as I believe existence is taken for granted once you begin a threat assessment. You can easily wrap history into intentions....

FreeBSD 5.2 RELEASE Due 2 Dec

I read the new FreeBSD release schedule today and learned FreeBSD 5.2 is due 2 Dec 03, with FreeBSD 5.3 scheduled for 29 Mar 04. FreeBSD 5.2 will still be a "new technology" release, and 5.3 will be the first release to be considered "stable." Currently, FreeBSD 4.9 is the newest "stable" release. I also learned that Robert Watson, one of the brains behind FreeBSD, has posted a Web-browsable interface to BSD and Linux source code. Do you want...

Last Thursday DeMarc announced its acquisition of the Sentaurus IDS from Silicon Defense. In June I listed various companies selling Snort-based IDS appliances. It looks like Silicon Defense's support for its Windows version of Snort continues at WinSnort.com. This appears to be different from the binaries available at Snort.org. (I didn't check the WinSnort version because downloads there require registration.) DeMarc was famous for its GUI for Snort alerts, which no longer appears as a Snort add-on. However, it's now called PureSecure Personal...

Saturday, 01 November 2003

Reviews of C Primer Plus, 4th Ed, The Myth of Homeland Security, and Beyond Fear Posted

Amazon.com just published three new reviews. First, from the five star review of C Primer Plus, 4th Ed by Stephen Prata: "Stephen Prata's C Primer Plus, 4th Ed (CPP4E) is an excellent book. I took a close look at the competition and even started reading O'Reilly's Practical C Programming before realizing CPP4E was the book for me. I had no C programming background, but had the knowledge of C-64 BASIC, Pascal, and other languages shared by many kids...