Wednesday, 30 June 2004

Review of Network Security Hacks Posted

Amazon.com just posted my four star review of Network Security Hacks. My review probably sounds a little harsher than I intended, but I was worn down trying to get SPADE to integrate with a version of Snort newer than 2.0.5. The review mentions finding Spade 030125.1 on a Polish student's FTP site, which seems to be the only place it exists, aside from an old Archive.org copy. It seems the snort.conf v. 1.85 is the last to include SPADE directions...

Sunday, 27 June 2004

Review of Secure Architectures with OpenBSD

Amazon.com just posted my five star review of Secure Architectures with OpenBSD. From the review: "About a year ago I read and reviewed Michael Lucas' excellent "Absolute OpenBSD." That book covered OpenBSD 3.2 and the CURRENT of that time, pre-3.3. Palmer and Nazario's "Secure Architectures with OpenBSD" (SAWO) addresses OpenBSD 3.4, which at the time of writing is just behind the current release (3.5). Lucas' book is an excellent introduction...

Contribute Your dmesg Output

Do you run one of the BSDs? If so, consider sending the output of the dmesg command to the New York City BSD User's Group dmesg board. This is a great way to share information on supported hardware. I learned about this site through BSDNews.com. A response to that story mentioned this site which tracks SMP systems running FreeB...

Thursday, 24 June 2004

Interesting Email from Stephen Northcutt... or not?

If you're on a SANS mailing list you might have received the following email from "Stephen Northcutt." I haven't decided if it's true or not. I'm wondering why I would have received it, unless someone forged the message after acquiring a SANS email list? The alternative means Stephen Northcutt himself is making some odd claims... "From - Thu Jun 24 22:27:26 2004 X-UIDL: 40a19c3900000b29 X-Mozilla-Status: 0001 X-Mozilla-Status2: 00000000 Return-Path: ...edited... X-ClientAddr: 63.100.47.56 Received: from 63-100-47-56.sans.org (63-100-47-56.sans.org...

Burning DVDs in FreeBSD

Yesterday I reported my results burning CDs with FreeBSD. This morning I tried creating a DVD of the Fedora Core 2 distribution. After I downloaded the 4.1 GB .iso from a mirror, I used MD5 to verify the checksum matched. Since the .iso was ready to burn, I set up my Plextor burner. First I checked the media, which was Memorex 4X DVD-R 4.7GB (pictured at left, purchased at buy.com). I had already installed dvd+rw-tools, available in the ports...

Wednesday, 23 June 2004

Duplicating Data CDs with FreeBSD

I needed to become familiar with burning CDs on FreeBSD to support plans for live CD-based systems. I recently bought a Plextor PX-708UF DVD+-R/RW CD-R/RW drive and an Adaptec DuoConnect PC Card Adapter. I already reported on how these appear to FreeBSD. For testing purposes and to create my own media set, I duplicated the three CD-ROMs released as Fedora Core 2. To convert the CD-ROM into a .iso file for burning, I used this syntax: dd if=/dev/cd0...
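The two entries above (duplicating the Fedora CDs and burning the DVD image) share one workflow: image or download, check the MD5 against the published list, burn. The script below is an added example from the editor, not Richard's own commands or anything from the Fedora or dvd+rw-tools projects. The device names (/dev/cd0, cdrecord's dev=1,0,0), the speed, and the checksum-file name MD5SUM are assumptions standing in for whatever your own dmesg output and mirror actually show.

```shell
# Added example (technical editor's, not from the original post): image a data
# CD to an .iso, check the image against a published MD5 list, then burn it.
# Device names (/dev/cd0, cdrecord dev=1,0,0) and the file name MD5SUM are
# assumptions; substitute what dmesg and your mirror actually give you.

# Print the hex MD5 of a file.  FreeBSD ships md5(1); GNU userland has md5sum(1).
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# Pull the hash for file $2 out of checksum list $1.  Handles both the GNU
# "hash  filename" layout and the BSD "MD5 (filename) = hash" layout.
# Prints nothing if the file is not listed.
expected_md5() {
    awk -v f="$2" '
        $1 == "MD5" && $2 == ("(" f ")") { print $NF; exit }
        $2 == f                          { print $1;  exit }
    ' "$1"
}

# Compare an image against an expected hash.  Returns 0 on match, 1 on
# mismatch, 2 if no expected hash was supplied.  An empty expected value
# means the file was absent from the checksum list; that is never a pass.
verify_iso() {
    iso=$1
    expected=$2
    [ -n "$expected" ] || { echo "no checksum on file for $iso" >&2; return 2; }
    actual=$(md5_of "$iso") || return 2
    if [ "$actual" = "$expected" ]; then
        echo "OK   $iso"
        return 0
    fi
    echo "FAIL $iso: expected $expected, got $actual" >&2
    return 1
}

# Read a data CD into an .iso.  2048-byte blocks match the ISO 9660 sector
# size.  No conv=noerror,sync: a read error should abort rather than silently
# zero-pad the image, which would produce a file whose checksum never matches.
image_cd() {
    dd if="${2:-/dev/cd0}" of="$1" bs=2048
}

# Burn to CD-R with cdrecord.  CAM/USB drives such as cd0 are addressed by
# SCSI bus,target,lun; take yours from 'cdrecord -scanbus'.
burn_cd() {
    cdrecord -v dev="${2:-1,0,0}" speed="${3:-8}" -data "$1"
}

# Burn to DVD-R with growisofs (dvd+rw-tools).  -dvd-compat closes the disc
# for the widest reader compatibility.
burn_dvd() {
    growisofs -dvd-compat -Z "${2:-/dev/cd0}=$1"
}

# Typical flow for a downloaded distribution image (file names assumed):
#   expected=$(expected_md5 MD5SUM FC2-i386-disc1.iso)
#   verify_iso FC2-i386-disc1.iso "$expected" && burn_cd FC2-i386-disc1.iso
```

One caveat worth keeping in mind: a matching MD5 proves the download is the file the mirror intended to serve, not that the mirror is honest. If the checksum list sits on the same mirror as the .iso, an attacker who can replace one can replace both, so fetch the list from the project's primary site or a GPG-signed copy, and treat a file that is simply missing from the list as a failure, which is why verify_iso refuses an empty expected value.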

Fedora Core 2-based Soekris System Operational

I'm not a big Linux user, but a lot of people like Fedora Core. Using the same methodology I used with FreeBSD and OpenBSD, I just installed Fedora Core 2 on a spare HDD on my laptop, then transferred that HDD to the Soekris. Here are a few notes on peculiarities of Fedora. I chose a "custom installation," and selected "no packages." That still deployed about 562 MB of packages as part of the base OS installation. Thankfully only the first CD was needed. When I finished the installation, I rebooted the laptop to edit key files to allow serial...

Soekris-based FreeBSD System Operational

I'd like to report successful use of FreeBSD 5.2.1 RELEASE on the same Soekris Net4801 on which I previously installed OpenBSD. I followed the same methodology: install FreeBSD on a spare HDD on my laptop, then move the HDD to the Soekris. To send console messages to the serial line during the boot sequence, I followed the FreeBSD Handbook's advice:

echo -h > /boot.config

I tried to edit /etc/ttys to enable 19200 speed for ttyd0, but this did not work as I hoped. It seems the Soekris sends output to the serial line at 19200 prior to the FreeBSD...

Tuesday, 22 June 2004

Red Cliff Consulting, a Trusted Professional Services Firm

Today I spoke with Kevin Mandia, lead author of Incident Response and Computer Forensics, the best IR book available. When the first edition was published, Kevin was director of incident response and computer forensics at Foundstone. I met him in person at the first SANSFIRE conference in 2001. Kevin hired me to join Foundstone's IR team in early 2002, and I left the team in early 2004 a few months after he did. Kevin is now running Red Cliff Consulting, a professional services firm headquartered in Alexandria, VA. He describes his group...

Book Chapter on Sguil Available Online

My publisher Addison-Wesley authorized me to post chapter 10 of my book The Tao of Network Security Monitoring: Beyond Intrusion Detection online. It's available at the Sguil site in .pdf format. This chapter complements my Sguil installation guide, discussing why Bamm started the Sguil project and how it differs from other monitoring applications. My book will be on shelves in mid-July. If you'd like to attend live training on network security monitoring, sign up for my Network Security Monitoring with Open Source Tools class at USENIX Security...

Configuring RAID-0 with Vinum

I deployed a test platform as a network security monitoring sensor. It has two 4 GB HDDs. I wanted to create a /nsm partition that would span both drives, meaning it would occupy some of the first drive and all of the second drive. This was a proof of concept operation that could apply to systems with multiple, larger drives. I decided to use Greg Lehey's Vinum, and thanks to some helpful notes from Bamm Visscher and Dave Wheeler, got it set up...
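For readers who want to see what "span both drives" looks like in Vinum terms, here is an added illustration from the editor, not the configuration from the post. Device names (ad0s1h, ad1s1h) and subdisk sizes are assumptions; the only page facts used are two 4 GB disks and a volume that takes part of the first and all of the second.

```conf
# Added example (editor's illustration, not the original post's config file):
# a Vinum volume for /nsm built from one partition on each of two disks.
# Device names and sizes are assumptions.  Each partition must first be
# labelled with fstype "vinum" (disklabel -e ad0, disklabel -e ad1).
drive d0 device /dev/ad0s1h
drive d1 device /dev/ad1s1h

volume nsm
  # Concatenated plex: the volume simply continues from one subdisk onto the
  # next, so the subdisks may be unequal ("some of the first drive and all of
  # the second").
  plex org concat
    sd length 1500m drive d0
    sd length 3900m drive d1

  # RAID-0 alternative.  A striped plex needs equal-sized subdisks and gains
  # throughput by splitting each stripe across both spindles; uncomment this
  # plex and comment out the one above to use it instead.
  #plex org striped 512k
  #  sd length 1500m drive d0
  #  sd length 1500m drive d1
```

Load it with vinum create /etc/vinum.conf, then newfs /dev/vinum/nsm, add a /dev/vinum/nsm /nsm ufs rw 2 2 line to /etc/fstab, and set start_vinum="YES" in /etc/rc.conf so the volume comes up before the mounts. The practitioner's caveat for a sensor: neither organization has redundancy, so losing either disk loses all of /nsm. That is acceptable for a proof of concept, but on a production sensor the capture data is the evidence, so budget for mirroring or for shipping it off the box. Vinum was later superseded by gvinum in the 5.x series, with the same configuration grammar.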

Monday, 21 June 2004

2004 CSI/FBI Study Released

The 2004 CSI/FBI Study has been published. You have to fill in the CSI's form to access a download link. CSI has always honored their no-spam pledges, so I didn't mind signing my life away to obtain a copy. I'll post my thoughts after I read ...

Participate in The Uptime Project

Several months ago I joined The Uptime Project, a site run by Ola Eriksson. Ola and others provide clients which collect uptime statistics from a variety of operating systems. Ola added me to his crew after I donated shell accounts on HP-UX and AIX systems. We now have a working HP-UX uptime client, with an AIX version in the works. I have two hosts in the top 50, but I don't expect that to last long. If I can't move them while on UPS power when I rearrange my basement, I will drop out of the rankings. ...

Saturday, 19 June 2004

Network Monitoring Products Reviewed by NWC

A few years ago while consulting for Foundstone I was asked to name a product which would inspect traffic exiting the enterprise. The goal was to identify unauthorized transmission of sensitive documents or data. Aside from a customized signature-based approach, I could not think of any off-the-shelf product with this capability. After reading Monitoring Data Departures by Lori MacVittie in the 27 May 04 issue of NWC, I learned of Vontu's Vontu Protect 3. Some of its claims are amusing, like "No false positives — every incident reported is...

Soekris-based OpenBSD System Operational

Inspired by this article, I finally deployed my Soekris Net4801 small form factor system. I used a hard drive-based installation as I figured that would be the easiest way to experiment with OpenBSD and the Soekris. The installation was simple. First I swapped my main laptop HDD for an extra 3250 MB HDD to hold OpenBSD. Next I rebooted the laptop using the OpenBSD 3.5 installation CD, and installed OpenBSD. Here is my partition scheme:

$ df -h
Filesystem  Size  Used   Avail  Capacity  Mounted on
/dev/wd0a   125M  21.8M  97.8M  18%       /
/dev/wd0f...

Review of Security Sage's Guide to Hardening the Network Infrastructure Posted

Amazon.com just posted my three star review of Security Sage's Guide to Hardening the Network Infrastructure. From the review: "This is a tough review to write, since I worked with the lead authors and series editor at Foundstone, and I'm mentioned by name on p. 384. "Security Sage's Guide to Hardening the Network Infrastructure" (HTNI) is mainly a collection of advice given in other security books, packaged with brochure-like commercial product...

Friday, 18 June 2004

More Useful Package Management Tools

I stumbled across two useful FreeBSD package management tools yesterday. One is graphical and the other works via the command line. Both help administrators understand dependency issues when they might want to clean out unnecessary packages. Keep in mind that installing software via the FreeBSD ports tree results in the installation of a package, but not necessarily the creation of a package that can be moved among systems. That is why administrators...

Adventures with FreeBSD CURRENT

I decided to upgrade my Dell PowerEdge 2300 (dual PIII) system from FreeBSD 4 STABLE to FreeBSD 5.2.1 REL. Before installing the new OS, I tested the hardware for compatibility with the 5 tree by trying to boot the FreeSBIE live CD. That failed, so I next tried to boot the 5.2.1 installation CD. That also failed, hanging at this point:

SMP: AP CPU#1 launched!
Mounting root from ufs:/dev/md0
md0: Preloaded image 4423680 bytes at 0xc09e16d8

I tried...

Sunday, 13 June 2004

Cheap Domain Name Registration and Free Email Forwarding

Two years ago I registered the bejtlich.net and taosecurity.com domains through DomainDiscover. Since then I've used GoDaddy to register new domains like taosecurity.net and taosecurity.org (the latter after seeing that domain attributed to me in the new book Security Sage's Guide to Hardening the Network Infrastructure). I liked using DomainDiscover because they offered free email forwarding, but their $25 domain renewal fee seemed excessive. GoDaddy offers domain name transfers for $7.95, which is excellent, but no free email forwarding. I...

Review of Malware Posted

Months after I received a review copy of Ed Skoudis' Malware, I finally read and reviewed it. From the review: "One of the impressive aspects of this book is the degree to which it is "future-proofed." Ed looks at current threats like worms, viruses, trojans, and user- and kernel-mode rootkits, like any author might. He then takes malicious software to the next level, from the kernel to BIOS and finally to CPU microcode. These BIOS- and microcode-level...

Wednesday, 09 June 2004

Sguil 0.4.0, Snort 2.1.3, Barnyard 0.2.0 Installation Guide Published

I just published a new guide for installing Sguil 0.4.0 with Snort 2.1.3 and Barnyard 0.2.0. This guide contains sections for each Sguil component, namely the sensor, database, server, and client. The dependency listings should help users deploy Sguil in a distributed manner, rather than running all components on a single platform. Please email sguil at taosecurity dot com if you have any comments on this gui...

Monday, 07 June 2004

Review of Anti-Spam Tool Kit Posted

Amazon.com just published my four star review of Anti-Spam Tool Kit. From the review: "I've never been interested in viruses, worms, or spam. All three represent the lowest end of malware, with spam occupying a particularly disdainful place in the computer security hierarchy. I wasn't very excited when a review copy of "Anti-Spam Tool Kit" (ASTK) arrived in the mail, but I found myself drawn in by the value of the content and tools it described....

Friday, 04 June 2004

Report on Compatible Devices in FreeBSD

Sometimes it helps to know what hardware is compatible with non-Windows operating systems like FreeBSD. I wanted to buy a CompactFlash card and reader to work with my Soekris net4801 platform. I used the list at the flashdist site to guide my product purchase. I bought a SanDisk ImageMate 8 in 1 Reader/Writer, model SDDR-88-A15, pictured at above left. I also bought a 256 MB Type 1 CompactFlash card (product ID SDCFB-256-A10). Although the reader...

Thursday, 03 June 2004

Fixing Troublesome Port Upgrades

Today while trying to run portupgrade on my FreeBSD 5.2.1 REL system, I ran into this error:

drury# portupgrade -varp
---> Upgrade of devel/libbonobo started at: Thu, 03 Jun 2004 15:43:31 -0400
---> Upgrading 'libbonobo-2.6.0' to 'libbonobo-2.6.2' (devel/libbonobo)
---> Build of devel/libbonobo started at: Thu, 03 Jun 2004 15:43:31 -0400
---> Building '/usr/ports/devel/libbonobo'
===> Cleaning for libiconv-1.9.1_3
===> Cleaning for...

Review of Anti-Hacker Tool Kit, 2nd Ed Posted

Amazon.com just published my four star review of Anti-Hacker Tool Kit, 2nd Ed. From the review: "I reviewed the first edition "Anti-Hacker Tool Kit" (AHT:1E) in August 2002. This second edition (AHT:2E) follows only 18 months after the original was published. I don't believe enough time has passed to warrant an update, even though tools can evolve quickly. In certain aspects the book suffers from a lack of updates from AHT:1E author Keith Jones,...

Wednesday, 02 June 2004

Good News from Snort Land

I have two good pieces of news from the Snort development team. First, Snort 2.1.3 has been released. The big deal with this new release is multi event logging via event queue. This feature lets Snort generate multiple alerts per packet or stream, rather than alerting once and then moving on to the next packet or stream. It was introduced to address what H.D. Moore calls event masking. The second good piece of news is the appearance of Sguil in several publications and presentations. First, Marty Roesch's AUSCERT 2004 presentation (.pdf) includes...
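The event queue is driven by one snort.conf directive. The fragment below is an added example from the editor, not from the Snort team or the original post; the first line is the 2.1.3 default, and the alternative values are an assumption about what a monitoring-oriented sensor might prefer rather than a recommendation from the page.

```conf
# Added example (editor's, not from Snort or the original post): the
# event_queue directive behind Snort 2.1.3's multi-event logging.

# Shipped default: hold up to 8 events per packet or stream, log the top 3,
# ranked so that rules with longer content matches (the more specific ones)
# come first.  Anything below the cut-off is still masked.
config event_queue: max_queue 8 log 3 order_events content_length

# Alternative for an NSM sensor that wants every event a packet triggered,
# ranked by rule priority instead.  Only one event_queue line may be active,
# so this one is left commented out.
# config event_queue: max_queue 16 log 16 order_events priority
```

The trade-off is volume: with log raised to match max_queue a single noisy packet can produce a dozen alerts, so the analyst console (Sguil in Richard's case) and the database behind it need to be sized for it, and the ordering rule decides which alerts you see when you do have to cap the count.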

Review of Hacking Exposed: Windows 2003 Posted

Amazon.com just posted my four star review of Hacking Exposed: Windows Server 2003. From the review: "HE:W03 is still the best book available if you want to learn how to assess and compromise Windows servers using publicly available tools. It will not teach original exploitation techniques like coding exploits, although this is usually unnecessary when admins deploy stock servers with blank administrator passwords. The authors are experts when it...