Friday, 30 April 2004

Review of MySQL Tutorial Posted

Amazon.com just posted my five star review of MySQL Tutorial. From the review: "MySQL is the database used by many commercial and open source security products. Although the user is often 'shielded' from interacting with the database directly, it's important and sometimes crucial to know basic MySQL administration. MySQL Tutorial is the perfect companion to any security tool which depends on a MySQL database. For example, no one seriously expects...

Thursday, 29 April 2004

Sguil 0.4.0 Released

Bamm released Sguil 0.4.0 yesterday. The changes are worth reading, but the major addition is the option to replace stream4 keepstats output with John Curry's open source SANCP (Security Analyst Network Connection Profiler) session data. SANCP is much more robust as it can track TCP, UDP, and ICMP, whereas stream4 only watched TCP. In this respect SANCP is like Argus. You can also tell the Sguil components a specified IP address to which they should bind. This facilitates the deployment of Sguil components in FreeBSD jai...

Tuesday, 27 April 2004

Fixing a Problematic Port

While trying to upgrade installed ports on a FreeBSD 4.9 STABLE machine, I encountered a problem with x11-fonts/libXft:

[Updating the pkgdb in /var/db/pkg ... - 125 packages found (-1 +0) (...) done]
---> Installing the new version via the port
===> Installing for libXft-2.1.6
===> libXft-2.1.6 depends on shared library: fontconfig.1 - found
===> libXft-2.1.6 depends on shared library: X11.6 - found
===> Generating temporary packing...

Review of WarDriving Posted

It's been a long time since my last book review, but I've been busy finishing and copyediting my own book. Thankfully the long flights to and from Vancouver for CanSecWest gave me some reading time. I spent part of that time with WarDriving, which I gave three stars. From the review: "If you want to learn how to wardrive using Kismet or NetStumbler (and variants), WarDriving is for you. The book does a good job debunking certain myths, such as...

Saturday, 24 April 2004

Comments on TCP Reset Worries

I attended Paul Watson's talk at CanSecWest this week on "Slipping in the Window" (.ppt slides, .doc paper). Paul was inspired by last year's Black Hat 2003 Las Vegas talk "BGP Vulnerability Testing" by Matthew Franz & Sean Convery (.pdf original talk). I attended that presentation as well, and found Matt and Sean's conclusion to be accurate: why bother with lower layer attacks when you can own the router? In other words, so many routers are misconfigured, it's not necessary to resort to spoofing or other elaborate games to disrupt global...

Thursday, 22 April 2004

Lightning Talk is a Go at CanSecWest

I just finished delivering my lightning talk at the CanSecWest conference in beautiful Vancouver, BC. I spoke for five minutes on Sguil. My slightly updated slides are available in .pdf form he...

Sunday, 18 April 2004

How to Renew DHCP IP Address with Cisco Router?

If anyone can help me with this, I would appreciate it. I can't figure out how to have my Cisco router renew its DHCP lease with my cable ISP. I appear to not be the only person with this problem. I don't have any ACLs which would deny DHCP traffic, either. This is the portion of my router config where I set up DHCP on the external interface:

interface FastEthernet0/0
 ip address dhcp
 ip access-group 101 in
 ip nat outside
 ip route-cache flow
 duplex auto
 speed auto
 no cdp enable

Eventually my lease expires and I have to disable DHCP on fa0/0 because...

Calculating Security ROI Is a Waste of Time

I was pleased to read Infosec Economics by Lawrence Gordon and Robert Richardson in the 1 Apr 04 issue of Network Computing magazine. This duo says: "ROI (or bang for the buck) can't be applied perfectly to information security because often the return on information security purchases and deployments is intangible. Sure, companies invest in some solutions that offer benefits beyond security--faster network throughput in a new router that supports...

Friday, 16 April 2004

Tips on Network Hardware from Snort-Inline Mailing List

I'm trying to figure out if it's possible to build a FreeBSD-based filtering bridge running Snort-inline. I submitted this question to see if anyone has FreeBSD and Snort-inline working. I just got this response from Alex Dupre: "The bridge doesn't support the divert socket and will not support it. We are working on a different approach to use snort in inline mode on a bridge, but there isn't an ETA (surely not soon)." While perusing the snort-inline-users mailing list I found this thread. It pointed me to makers of interesting network equipment....

Interface Bonding on FreeBSD

The question of how to combine traffic seen by two physical network interfaces into a single virtual interface is popular on the various IDS lists I watch. Below is the script I use to create a ngeth0 interface using the FreeBSD ng_eth netgraph node:

bourque:/$ cat /usr/local/etc/rc.d/001.bond.sh
#!/bin/sh -x
# sf2 and sf3 are real interfaces which receive tap outputs; ngeth0 is created by ngctl
# ng_ether must be loaded so netgraph can "see" the real...

Earthlink Study Measures Spyware Infections

NWFusion informed me of an interesting Earthlink.net press release. Earthlink reported the results of their customers running Webroot's Spy Audit program. This is a Windows executable which a user must download and run. Earthlink offers their own download, elsypaudit-i386-windows-all-2004.0.133.0.0.10.exe, which may be the same program, although the file sizes are fairly different. Looking through strings output, I found a reference to http://spyauditresults.earthlink.net/index.php, which appears to be the results page once a scan is done. ...

Thursday, 15 April 2004

Using Portaudit to Improve FreeBSD Security

I've started using the security/portaudit port to check the security status of FreeBSD's applications, so I thought I'd document my findings. Portaudit uses the Vulnerability and eXposure Markup Language, "an XML application for documenting security issues in a software package collection" like the FreeBSD ports system. You can browse the FreeBSD or OpenBSD VuXML pages to see vulnerabilities recorded since the VuXML project began in late 2003. Using...

Monday, 12 April 2004

MetaCoretex Simplifies Database Testing

If Metasploit weren't enough, I learned of MetaCoretex recently. It's a vulnerability scanning framework currently implemented for database assessment. It's written in Java, so be sure to have the JDK already installed. After downloading and extracting the archive, the only change I made was to modify the last line of the mctx.sh script to know where to find Java on my FreeBSD system:

/usr/local/jdk1.4.2/jre/bin/java -cp ${CP} com.securitycentric.metacoretex.Init &

Execute the mctx.sh script, and MetaCoretex will launch an easy-to-use Java...

Metasploit Framework in Action

You may have seen the Slashdot article on the Metasploit Project. From the project's Web site: "The Metasploit Framework is an advanced open-source platform for developing, testing, and using exploit code. This release includes 18 exploits and 27 payloads; many of these exploits are either the only ones publicly available or just much more reliable than anything else out there. The Framework will run on any modern system that has a working Perl interpreter." I gave the project a try. First I read the Crash Course user's guide, which told me to...

Monday, 05 April 2004

Flyer for Tao of NSM Book Posted

My publisher sent me a .pdf flyer for my book. I also created a books page with an abbreviated Tao of NSM table of contents listed. Right now I'm in the copyedit phase. The publisher sends me chapters marked up in Microsoft Word and I make changes or comments as needed. I wrote most of the book in OpenOffice.org, but the publisher is more comfortable using Microsoft Office. I just learned I was accepted to speak at USENIX Security 04 in San Diego on 9 August. I will be teaching a class on network security monitoring based on my bo...

Sunday, 04 April 2004

Building and Deploying FreeBSD Packages

FreeBSD documentation is excellent, but I haven't found information on strategies for enterprise system administration duties. For example, what is the best way to deploy and upgrade software on multiple machines? Slashdot recently discussed building from source vs. packages, but this topic doesn't get much public discussion. Most documentation talks about installing ports or packages from the perspective of a single machine. There's little or...

Saturday, 03 April 2004

Network Computing Misses the Mark

Network Computing profiled the Net Optics 10/100BaseT Port Aggregator Tap. This device is unique in that it combines the two transmit lines from ports A and B into a single output, adding memory to buffer bursts exceeding 100 Mbps. I was glad to see this product receive attention in Network Computing, but I think the reviewer missed the mark. I was especially disappointed to read this comment: "...the unit is cost-effective only if you
» need to multiplex a full-duplex network onto a half-duplex connection,
» expect short traffic bursts above...