Monday, 29 March 2004

OpenBSD Funding Highlights Open Source Development Issues

In mid-March the OpenBSD Journal featured a story on funding OpenBSD SMP development. I found it interesting to get a glimpse into the workings of the open source community when it comes to making important advances in operating systems. The story was really a post of a message Theo made to a mailing list, but the commentary was interesting. It reminded me of the donations to Colin Percival's Freebsd-update proje...

New Utilities for Investigating Systems

I've come across a few interesting utilities that deserve a look. PyFlag is a Web-based forensic analysis suite written in Python. It's a complete rewrite of the original FLAG tool. Microsoft released portrptr.exe recently. Port Reporter runs as a service on Windows 2000/XP/2003 systems, logging sockets used to the c:\winnt\system32\logfiles\portreporter directory. Here are sample records:

04/3/29,9:38:18,TCP,21,10.10.10.3,24898,192.168.50.2
04/3/29,9:38:25,TCP,1163,10.10.10.3,,0.0.0.0
04/3/29,9:38:25,TCP,1163,10.10.10.3,24899,192.168.50.2
04/3/29,9:38:50,TCP,1166,10.10.10.3,24900,192.168.50.2
04/3/29,9:38:55,TCP,1167,10.10.10.3,24901,192.168.50.2

The...
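As an added example (not from the post and not part of Microsoft's tool), here is a small parser that reads the records quoted above and summarizes which sockets were logged with a remote peer and which were not. The column meanings (date, time, protocol, local port, local IP, remote port, remote IP) are assumed from the sample rather than taken from the Port Reporter documentation.

```python
"""Parse Port Reporter style records and summarize sockets per local port.
Column meanings are assumed from the sample on the page, not from the
Port Reporter documentation."""
import csv
from collections import Counter
from io import StringIO

# Constructed sample: the five records quoted in the post, one per line.
SAMPLE_LOG = """\
04/3/29,9:38:18,TCP,21,10.10.10.3,24898,192.168.50.2
04/3/29,9:38:25,TCP,1163,10.10.10.3,,0.0.0.0
04/3/29,9:38:25,TCP,1163,10.10.10.3,24899,192.168.50.2
04/3/29,9:38:50,TCP,1166,10.10.10.3,24900,192.168.50.2
04/3/29,9:38:55,TCP,1167,10.10.10.3,24901,192.168.50.2
"""

FIELDS = ("date", "time", "proto", "lport", "lip", "rport", "rip")


def parse_records(text):
    """Return one dict per record. rport is None when the field is empty,
    i.e. the socket had no remote peer at the moment it was logged."""
    records = []
    for row in csv.reader(StringIO(text)):
        if len(row) != len(FIELDS):
            continue  # skip truncated or malformed lines
        rec = dict(zip(FIELDS, row))
        rec["lport"] = int(rec["lport"])
        rec["rport"] = int(rec["rport"]) if rec["rport"] else None
        records.append(rec)
    return records


def summarize(records):
    """Count sockets per local port, split by whether a remote peer was recorded."""
    peered = Counter(r["lport"] for r in records if r["rport"] is not None)
    unpeered = Counter(r["lport"] for r in records if r["rport"] is None)
    return peered, unpeered


def remote_peers(records):
    """Distinct remote addresses seen, excluding the 0.0.0.0 placeholder."""
    return sorted({r["rip"] for r in records if r["rip"] != "0.0.0.0"})


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    peered, unpeered = summarize(recs)
    for port in sorted(set(peered) | set(unpeered)):
        print(f"local port {port}: {peered[port]} with peer, {unpeered[port]} without")
    print("remote peers:", remote_peers(recs))
```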

Online Debian Book

I decided to move my old Pentium 90 from Red Hat 6.2 to Debian. I installed 3.0r2 using the 2.2 kernel boot floppies. The P90 doesn't support booting from the blazingly fast 2X speed Sony CD-ROM, which also requires the CDU31A driver. I couldn't find support for this driver in the 2.4 kernel boot floppies. I also had to load the 8390 and smc-ultra kernel modules to support a Linksys ISA NIC. Along the way I found The Debian Universe, which "aims to become a complete guide to installing, managing and running Debian GNU/Linux." This is great...

Friday, 26 March 2004

Draft Cover Art for my Book

I received draft cover art for my upcoming book The Tao of Network Security Monitoring: Beyond Intrusion Detection. That's a praying mantis on the cover. I first studied a form of praying mantis kung fu ten years ago in the town where I grew up. The school is still going strong as the Michael Macaris Kung Fu Academy in Billerica, Massachuset...

Wednesday, 24 March 2004

The Applicability of Corporate Fraud to Digital Security

I've been on the lookout for Corporate Fraud: Case Studies in Detection and Prevention by John D. O'Gara. I thought it might contain insights useful for intrusion detection. Looking at the sample excerpt (.pdf), it seems more suited to corporate types. However, I found this statement to be fascinating: "Effective prevention depends on the probability of detection and prosecution more than on any other single factor, because management fraud typically involves override rather than taking advantage of control weaknesses." This ties in to my idea...

Friday, 19 March 2004

New Sguil Installation Guide Released

I just released a new Sguil install guide using Sguil 0.3.1, FreeBSD 5.2.1 REL, Snort 2.1.1, Barnyard 0.2beta2, MySQL 4.0.18, and other updates. It's available in text form at http://sguil.sourceforge.net/downloads/sguil_guide_0-3-1_02.txt. The packages for FreeBSD 5.2.1 mentioned in the guide are available at sguil_0-3-1_f5-2-1_pkg.tar.gz (24 MB). I wanted to get this out to accompany the article in Sys Admin magazine. The new guide is a text version, which I felt was more appropriate for the Sguil user community. I composed the guide in vi,...

Wednesday, 17 March 2004

TheJemReport.com Publishes Benchmarking Results

TheJemReport.com published several good articles on FreeBSD recently. I was impressed by the author's attention to detail for each report, but I am not in a position to try to confirm or refute his claims. With a three-word summary, they are:

Hardware Benchmarking with FreeBSD; be very thorough
Scheduler Performance: ULE vs. 4BSD; 4BSD is faster
The 64-bit Question: AMD64 vs. i386; Athlon usually w...

Snort_Inline: Snort-based "Intrusion Prevention"

The Snort_inline project released a version compatible with Snort 2.1.1 this week. Snort_inline works with firewall software on the same host to drop packets matching Snort signatures. Apparently there is experimental support for running Snort_inline on FreeBSD using divert(4) and ipfw(8). Just the other day I read a news posting on the snort_inline mailing group archives, but today the archive is gone. I subscribed to the mailing list just now and plan to ask what's happened. Update: The archive is back and here is the post of inte...

Weekly FreeBSD cvs-src Summaries

Want to know more about FreeBSD development? Don't want to subscribe to the freebsd-current mailing list, or search the archives? If the answer to either question is yes, visit Mark's weekly FreeBSD cvs-src summaries. Mark Johnston was inspired by this thread to post his first summary in late January. Mark reads emails on commits to cvs-src and summarizes what he believes is important. Some of what he writes brings obscure topics to the FreeBSD...

Latest Fedora News

I just received the latest Red Hat email newsletter, which contained this news on Fedora: "Fedora, the community-supported Linux distribution project sponsored by Red Hat, has been making great progress as of late. Fedora Core 2, Test 2 is expected to be released in early April and the finished Fedora Core 2 distribution should be available in May. FC2 is the industry's first Linux distribution based on the Linux 2.6 kernel, and supports 32-bit x86 and 64-bit x86-64 systems. It also includes Security Enhanced Linux (SELinux) technology, which was...

Saturday, 13 March 2004

ICSA Labs Announces Security Device Event Exchange (SDEE)

Sebastien Tricaud's post to Focus-IDS informed me of the Security Device Event Exchange (SDEE), an IDS alert format and transport protocol specification. ICSA's Intrusion Detection Systems Consortium (IDSC) devised the SDEE specification. The IDSC consists of Cisco, Fortinet, Infosec Technologies, ISS, SecureWorks, Sourcefire, Symantec, and Tripwire. TruSecure, owner of ICSA Labs, published a press release which says in part: "IDSC members Jeff Platzer and Mike Hall of Cisco Systems, Robert Graham of ISS, Marty Roesch of Sourcefire and Marcus...

Slyck is the Place to Understand Peer-to-Peer

Earlier today I reported on law enforcement's desire to wiretap all sorts of communications. While doing research I discovered an incredible resource for peer-to-peer users called Slyck.com. Slyck does an excellent job categorizing and explaining a dozen individual file sharing methods, then offers information on programs implementing each method. This is a great resource for anyone trying to understand file sharing protocols they might see on their networ...

Incredibly Misleading Article Corrected by Commenters

An OSViews.com report, Thank Apple for FreeBSD, is one of the most inaccurate articles I've ever read. I don't recommend spending time on the article itself, but I do believe readers' reactions to the article are noteworthy. People often claim Apple's Mac OS X is somehow "built on" FreeBSD or is "FreeBSD underneath." Several of the people who commented on the OSViews story give true insight, especially this response. I find it ironic that the OSViews tag line is "Why should seasoned journalists have all the fun?" Simple -- they tend to avoid...

Excellent Coverage of Wiretapping Issues at News.com

News.com published an article titled FBI adds to wiretap wish list yesterday. This is the latest of many excellent News.com articles on wiretapping issues in the United States. News.com summarizes a "joint petition for expedited rulemaking" (.pdf) submitted to the Federal Communications Commission by the US Dept. of Justice, FBI, and Drug Enforcement Agency. The Feds are asking the FCC to expand the scope of the Communications Assistance for Law Enforcement Act, or CALEA. CALEA requires telecommunications carriers to allow law enforcement "to...

Wednesday, 10 March 2004

NSM Article in April Sys Admin Magazine

The April 2004 issue of Sys Admin magazine features an article I wrote titled "Integrating the Network Security Monitoring Model." Sys Admin summarizes it by saying: "This article examines intrusion detection through an operational model called network security monitoring (NSM). Bejtlich explains NSM theory and introduces several tools to integrate NSM concepts into existing systems." I imagine the April issue will be on newsstands within the next...

Department of Health and Human Services Security Incident World Record

FCW reports the Department of Health and Human Services recorded "348.9 million [security] incidents" in 2003. In contrast, the Department of Housing and Urban Development reported a "single information security incident" last year. It sounds like DHHS reported every packet dropped by their firewalls. That's about 11 "incidents" per second. I can't imagine the sort of manager who let an outrageous figure like this leave his or her de...

Sunday, 07 March 2004

Andrew Baker Announces New Barnyard Beta

Andrew Baker announced a new beta version of Barnyard today on the Snort-users mailing list. This is an important event because Andrew has integrated support for Sguil. op_sguil.c and op_sguil.h are now in the Barnyard CVS repository. This move reduces the amount of patching needed to get Sguil working with Snort and Barnya...

Saturday, 06 March 2004

Article on Cfengine

I'm researching issues relating to administering dozens or hundreds of similarly configured FreeBSD systems. I think I will try to use Cfengine to enforce configuration management. Kirk Bauer just wrote a Linux Journal article on Cfengine, which appears in the ports tree as sysutils/cfengine2. I'm looking at using Nagios to gather system status and Samhain for file integrity. I'll probably centralize log collection with syslog-ng. I'd like to use binary updates installed from my own update server. I may place various server applications...

Security Articles in Newest Cisco Packet Magazine

The first quarter 2004 issue of Cisco's Packet magazine is all about security. The Locking Down IOS article mentions enhancements in IOS 12.3T. The "T" means this IOS release is from the "advanced technology" "software train," from which the 12.4 mainline train will be released. For me the most interesting addition is IP Traffic Export. This feature tells the router to export selected traffic out a LAN or VLAN interface, where a monitoring platform...

Portupgrade Errors

It's been a while since I upgraded my ports tree, and I ran into errors when I upgraded the tree using portupgrade today. Here's some of what I saw:

! net/p5-Socket6 (p5-Socket6-0.14) (uninstall error)
! lang/python (python-2.3.3_1) (uninstall error)
! security/p5-Digest (p5-Digest-1.05) (uninstall error)
---> Session ended at: Sat, 06 Mar 2004 15:03:40 -0500 (consumed 01:25:26)
portsclean -CDD
/usr/local/sbin/portsclean:35:in...

US Frequency Allocation Chart Available

My local amateur radio club informed me that the US Frequency Allocation Chart for 2003 could be ordered from the US government printing office Web site for $4.25. This is an impressive wall chart showing frequencies allocated by the FCC. I ordered one for my office. There are .pdf versions available as well. The one-page graphical version is just barely legible, depending on the quality of your printer. The "text" version is 88 pages, but all...

Browsing Ports with Pib

Pib is another useful package management tool. It's a Tcl/Tk-based browser which shows information on ports and their installation status. The following is the Ports INDEX browser window. This screen shot shows the security/openssh-askpass port. We see it is installed because the green "install" keyword is lit. Ports that are not installed do not show "clean". Pib is useful because one can quickly browse the ports tree, select a port, and read...

Removing Packages with pkg_cutleaves

You may have read Dru Lavigne's article on Cleaning and Customizing Your Ports. She mentioned using portsclean to remove working directories and distfiles with 'portsclean -CDD':

orr:/root# portsclean -CDD
Cleaning out /usr/ports/*/*/work...
Delete /usr/ports/sysutils/gkrellm2/work
Delete /usr/ports/net/netmap/work
Delete /usr/ports/graphics/graphviz/work
done.
Detecting unreferenced distfiles...
Delete /usr/ports/distfiles/graphviz-1.10.tar.gz
Delete /usr/ports/distfiles/legacy_132beta4_src.tar.gz
Delete...

Wednesday, 03 March 2004

Shoki News

I have not yet tried the Shoki open source intrusion detection system, but I have been in contact with its author, Stephen Berry. I asked if he planned to augment Shoki to allow logging to a flat text file, and Stephen added the feature in the latest interim release of shoki (shoki-0.3.0.1078134186). I also asked him about forthcoming releases: "All of the interim releases are the result of me merging the stuff in my development tree with the stuff in my release tree. Once that's all done (Real Soon Now), I'll release that as the `official' 0.3.0...

Monday, 01 March 2004

FreeSBIE Project Releases FreeSBIE-1.0

Last month I wrote about the FreeSBIE live CD-ROM FreeBSD distribution. The team just released FreeSBIE-1.0 for download. The announcement describes the project and the package list details all the goodies in the .iso image. This version is based on FreeBSD 5.2.1 RELEASE. Update: This Slashdot post on FreeSBIE brought several other cool projects to my attention, including LiveBSD and BSDeviant, along with general sites like LiveCDNews. I also...