Friday, 28 May 2004

Plugins for Firebird

Don't care to see Macromedia Flash on Web sites while using Firefox? Try installing Flashblock. You can install the .xpi file as a user and have it work at sites like Tom's Hardware as soon as you restart Firefox.

Another cool plugin for Firebird (or Mozilla for that matter) is Live HTTP Headers. You can use this plugin to watch your browser's HTTP requests and the server's HTTP responses. To install this plugin, change the permissions on your...

Building Kernel and World on One System, Installing on Another

I'd read Tracking for Multiple Machines in the FreeBSD Handbook, which gives hints on building the FreeBSD userland, or "world," and kernel on one system and installing them on another system. You might do this because the target system is slow and your build machine is fast, or because you prefer to let production machines serve users rather than use CPU cycles rebuilding the world and kernel. Inspired by this post, I decided to try building the...

Tuesday, 25 May 2004

Tom's Hardware on NICs

Tom's Hardware wrote a good article titled Gigabit Ethernet: On-Board Chips Reviewed. It explains the importance of high bandwidth PCI buses. I recommend reading it, but keep in mind the following feedback I sent the site:

Hello,

I found your article "Gigabit Ethernet: On-Board Chips Reviewed" useful. I'm really glad to see someone authoritatively discuss NIC issues. However, I think you use some throughput terms in odd ways. I believe a few changes could make it easier for the reader to appreciate your analysis.

For example, here you say "133...

Sunday, 23 May 2004

Upgrading Cisco Router IOS

Today I upgraded the flash and system RAM in my Cisco 2651XM router. Before upgrading the router memory, I had this in place:

C2600 platform with 65536 Kbytes of main memory
16384K bytes of processor board System flash (Read/Write)

I bought 64 MB extra main memory and 16 MB extra flash memory. When I opened up the router, the insides looked like this diagram: I had a single 64 MB DRAM DIMM in the "Primary memory" slot with one free. I had no memory...

Friday, 21 May 2004

Thoughts on High Speed Network Monitoring

I've been following an interesting thread on snort-users about collecting alert data on high speed networks. Users are debating how much traffic Snort can handle. One way to at least start answering this question is to enable the performance monitor. Vjay Larosa's post was helpful, as it pointed me towards perfmon-graph. This Perl script works with Snort performance monitor output and RRDtool to produce graphs of Snort performance statistics....

Tuesday, 18 May 2004

Installing Open Source Software on AIX

Last year I wrote about installing open source software on two commercial UNIXes, Solaris and HP-UX. Today I want to document how to install a few software packages on another commercial UNIX -- AIX. First, I needed to get the ever popular wget onto the AIX 5.1 box to make retrieval of other software easier. I retrieved a wget package from UCLA's Public Domain Software Library for AIX using ftp. I then followed their instructions to extract and install the binary package:

# zcat wget.1.9.1.tar.Z | (cd /; tar xvpf -)
x ./usr/local/bin/wget, 619059...

Monday, 17 May 2004

Incident Handling (INCH) IETF Working Group

This weekend at BSDCan Michael Richardson mentioned a security-oriented IETF working group I'd never heard of before. It's called Incident Handling and its purpose is "to define a data format for exchanging security incident information used by a CSIRT." Also: "The working group has created four documents. A data model named the Incident Object Description Exchange Format (IODEF), and an associated implementation in an XML DTD, is the format defined for exchanging incident data. The IODEF conforms to a set of requirements for a Format for INcident...

Michael Boman Posts IDS, Snort, and Sguil Presentations

Sguil developer Michael Boman gave four presentations to the Linux Users Group Singapore this month. They discuss IDS, Snort, ACID, and Sguil. I recommend perusing them at boseco.com. These presentations are viewable online and are a good introduction for people trying to understand IDS from the ground up. I found the Snort presentation helpful for its concise Snort development timeli...

Great News from Mar-Apr 04 FreeBSD Status Report

The Mar-Apr 04 FreeBSD Status Report brings many glad tidings. The best in my opinion is word of a new version of Kirk McKusick's classic, called The Design and Implementation of the FreeBSD Operating System (here's the Amazon.com link). It doesn't get any better than this, folks. Kirk wrote the definitive BSD book, The Design and Implementation of the 4.4 BSD Operating System, in 1996. This long-awaited update is "based on FreeBSD 5.2 and the upcoming FreeBSD 5.3 releases... It is now in final production by Addison-Wesley...

Sunday, 16 May 2004

Thoughts on Cisco IOS

Yesterday I mentioned the report of the theft of Cisco's IOS. While I have no evidence to support this theory, I always assumed that various nefarious parties already had access to some or all of Cisco's previous IOS versions. While access to source code is not necessary to discover vulnerabilities, the allure of obtaining such a prize (for intellectual and competitive intelligence pursuits) made theft a likely scenario. The February report of the theft of Microsoft's source surely did not represent the first time unsavory parties had access...

Disabling Vulnerability Checks with Portaudit

Last month I described the security/portaudit tool, which checks for vulnerable ports and prevents their installation. Sometimes it's reasonable to install a port that has a vulnerability, if the risk is acceptable. For example, the databases/mysql-client port currently reports a security problem when I try to install it:

neely:/usr/ports/databases/mysql40-client$ make
===> mysql-client-4.0.18_1 has known vulnerabilities:
>> MySQL insecure...

Saturday, 15 May 2004

Cisco Source Code Publicly Reported as Stolen

I first read this on the NANOG list, but it appears to have been broken by BugTraq. According to this translation of the original Russian story: "As it became known to SecurityLab, the source code of operating system CISCO IOS 12.3, 12.3t, which is used in the majority of Cisco network devices has been stolen on May 13, 2004. The total volume of the stolen information represents about 800MB in an archive file." The Russian site shows "ipv6_discovery_test.c -- Neighbor Discovery unit tests" and "ipv6_tcp.c -- IP version 6 support functions for...

Live from BSDCan Day Two

Day two of the first ever BSDCan is over. This concludes the conference, which we believe was a great success. Dan Langille reported over 175 attendees and is making plans for a second conference next year. I started the day with Michael Richardson discussing libpcap 1.0. Michael described how the current libpcap file format, major version 2 minor version 4, will eventually become major version 3. The current format presents a header (pcap_file_header)...

Friday, 14 May 2004

Live from BSDCan

Day one of BSDCan today was great. I first attended Network Buffer Allocation in the FreeBSD Operating System by Bosko Milekic. He gave an overview of changes made in FreeBSD 5.x to improve TCP/IP performance, especially on SMP systems. I then heard conference organizer Dan Langille discuss Bacula, a backup solution I intend to try. After lunch I presented Network Security Monitoring with Sguil, which was fun. The last formal talk I saw was by...

Wednesday I reported the publication of an exploit for the FTP service used by the Sasser worm. Now there's a new worm called Dabber exploiting the same vulnerability in Sasser's FTP service. Read each link for LURHQ's analysis of each worm. If you've been seeing increased scans to ports 9898 and 5554 TCP, you'll know why after reading the advisories. Port 5554 TCP is the Sasser FTP server. Port 9898 is the Dabber back do...

Thursday, 13 May 2004

Windows Roadmap Article

I found this Neowin.net article to be a good summary of future Microsoft OS release plans. The key points I noted are:

Microsoft is adopting a "4 year release schedule for Windows Server then that would place Windows Server Longhorn in 2007 (4 years from Server 2003)"

"[W]e'll be seeing Windows Client Longhorn in 2006"

"Microsoft will release an update every 2 years after an initial major release which refreshes the Operating System with add-ons, security...

Amazon.com Posts Page for My Book

A visit to Amazon.com reveals a page for my book. Amazon.com reports the publication date as 14 July 2004. This is a little earlier than I expected, but everything remains on schedule. Perhaps my publisher built in a little time for problems, and thankfully we haven't had any major difficulties yet. You may notice the cover is similar to Secure Architectures with OpenBSD and the second edition of Know Your Enemy. All three books are part of...

Wednesday, 12 May 2004

Working with Debian Again

I'm taking another look at Debian, as I may need to run some software tied to Linux firewalling software not found on FreeBSD. I took advantage of a few good articles, including Introduction to Debian Software Package Management, the Apt How-To, Apt-Pinning for Beginners, and Using APT with more than 2 sources. Following their advice I created an /etc/apt/sources.list like this:

#Stable
deb http://ftp.us.debian.org/debian stable main non-free contrib
deb http://non-us.debian.org/debian-non-US stable/non-US main contrib non-free
#Testing
deb http://ftp.us.debian.org/debian...

Alleged Exploit for Sasser FTP Server Released

We've heard of intruders exploiting systems already infected by worms, but this is another way to take advantage of poorly deployed systems. A Romanian coder released sasserftpd.c recently. This code attacks the FTP server used by Sasser to propagate. The rogue Sasser FTP server listens on port 5554 TCP on versions a through d and port 1023 TCP on version e. The Romanian exploit attacks this FTP serv...

Speaking at BSDCan.org Friday

Dan Langille just added me to the schedule at BSDCan, the first BSD Canada conference. I'll be presenting Network Security Monitoring with Sguil on Friday at 2 pm. I plan to discuss many short case studies on using Sguil to detect and validate security incidents, followed by a short live demo of Sguil on FreeBSD. Come by and say hel...

Usability Tips for UNIX

I want to note a couple of helpful hints I stumbled across. First, I learned something new about the xterm program. I run FreeBSD on many systems and start X manually with 'startx'. One system has Windowmaker for a window manager. When I launch an xterm, the new instance doesn't read .profile. This means the prompt stays with the default, rather than changing to suit my needs. For example, my .profile has this entry to change the prompt:

PS1='`hostname...

Tuesday, 11 May 2004

Blastwave: Open Source Solaris Package Management System

I was looking to upgrade a few packages installed from Sunfreeware.com when I stumbled upon Blastwave.org. Blastwave.org is a "community software" (CSW) site which emulates the Debian apt-get system for installing Solaris packages. Once you install the pkg-get package, you can install Solaris software as easily as this:

pkg-get install mutt

Pkg-get installs the dependencies and the desired package. The executable's home is /opt/csw/bin, unlike /usr/local/bin for packages installed from Sunfreeware.com. Here is a comparison of how mutt, from...

Discussion of IPv6 Options on BSD

I'm interested in experimenting with IPv6 at some point. Since most of the operating systems I use in my lab have IPv6 stacks, I plan to run a native IPv6 VLAN internally. I'm also interested in connectivity to other IPv6-enabled sites. This OpenBSD Journal article offers a few options for people wanting to use IPv6 across the IPv4 Internet. I plan to try one of these solutions and post my results here in the futu...

Monday, 10 May 2004

Carter Bullard Releases Argus 2.0.6

Normally a change from a 2.0.5 to 2.0.6 release wouldn't be big news. That's not the case with Argus, however. 2.0.6 has been about a year in the making. Argus is the world's longest living open source session data collection program. It runs on most any UNIX distribution and appears in my book. Give it a t...

Thursday, 06 May 2004

TaoSecurity.com Moves to Niuhi

Visitors to www.taosecurity.com will notice they are no longer redirected to mywebpages.comcast.net/taosecurity. I've started hosting TaoSecurity.com at Niuhi.com, co-operated by a fellow security consultant. This move should only have positive effects. If you bookmarked the old Comcast site, please use www.taosecurity.c...

Tuesday, 04 May 2004

Upgrading Ruby

This morning when checking for updated applications I saw that lang/ruby18 was updated recently:

drury:# portversion -v | grep ruby
ruby-1.8.1_2 < needs updating (port has 1.8.1.2004.05.02)
ruby18-bdb1-0.2.2 = up-to-date with port

I remembered what trouble we had with Ruby and Portupgrade a few months ago, so I used Portupgrade to upgrade Ruby by itself:

drury# portupgrade -v ruby^M
---> Session started at: Tue, 04 May...

Monday, 03 May 2004

Review of Network Security Assessment Posted

Amazon.com just published my four star review of Network Security Assessment. From the review: "Network Security Assessment (NSA) is the latest in a long line of vulnerability assessment / penetration testing books, stretching back to Maximum Security in 1997 and Hacking Exposed shortly thereafter. NSA is also the second major security title from O'Reilly this year, soon to be followed by Network Security Hacks. NSA is a good book with some new...

Saturday, 01 May 2004

Review of Ethereal Packet Sniffing Posted

Amazon.com just posted my five star review of Ethereal Packet Sniffing. From the review: "Ethereal Packet Sniffing is the first book in Jay Beale's new Open Source Security Series with Syngress. It's a great book to lead the way. Ethereal is full of helpful tips and clear discussions that benefit newbies and wizards alike. I've been using Ethereal for around five years, and this book still taught me a few new tricks. The key to the new material...

Fixing Another Problem with Ports

Today while using portupgrade to update my ports tree, I ran into this problem. The process was trying to upgrade OpenMortal when it died:

---> Uninstallation of openmortal-0.6 ended at: Sat, 01 May 2004 18:26:13 -0400 (consumed 00:02:22)
---> Upgrade of games/openmortal ended at: Sat, 01 May 2004 18:26:13 -0400 (consumed 00:02:28)
[Updating the pkgdb in /var/db/pkg ... - 258 packages found(-1 +0) (...)
ruby18 in malloc(): error: allocation...

Packet Description Markup Language

While reviewing a new book on Ethereal, I learned about the Packet Details Markup Language (PDML). PDML is a way to express a packet in XML format. For example, here is an ICMP echo request:

tethereal -n -r snort.log.1082637820 -T pdml icmp
<?xml version="1.0"?>
<pdml version="0" creator="ethereal/0.10.3">
<packet>
<proto name="geninfo" pos="0" showname="General information" size="60">
<field name="num" pos="0" show="1" showname="Number" value="1" size="60"/>
<field name="len" pos="0" show="60" showname="Packet...