Friday, 30 July 2004

FreeBSD 5.3 Arrives in October?

I read a great article at ZDNet UK based on the May-June 2004 FreeBSD Status Report. Citing release engineer Scott Long, the article says he hopes FreeBSD 5.3 will arrive on the first of October, 2004. I like to see this sort of FreeBSD coverage in more mainstream publications, like last week's CNN article on open source. On a different note, visit the redesigned Sguil homepage. Scott Dexter did a really nice job, and we're looking for someone with suitable graphics-fu to redesign the Sguil logo. Please send any ideas...

Thursday, 29 July 2004

Review of Wi-Foo: The Secrets of Wireless Hacking Posted

Amazon.com just posted my five star review of Wi-Foo. The book's Web site is wi-foo.com. From the review: "'Wi-Foo' is the wireless book the security community needs. The book mixes theory, tools, and techniques in a manner helpful to those on the offensive or defensive side of the wireless equation. After reading 'Wi-Foo,' I'm glad I didn't try to cover similar topics in my 'Tao of Network Security Monitoring' -- these authors have written the...

Tuesday, 27 July 2004

Using Session Data to Scope Events Without Signatures

Critics of intrusion detection systems say signature-based IDSs are too easy to evade, bypass, or fool. This is true when the IDS only provides alert data to analysts. Alerts are the results of judgements made by the IDS developers, as encoded in the IDS' rules and logic. To deal with events that have no signatures, we can turn to other forms of network security monitoring data. Session data is a record of transactions between parties, typically storing source and destination IP addresses and ports, session start and end times, and counts of...

Saturday, 24 July 2004

Review of Hardening Windows Systems Posted

Amazon.com just posted my five star review of Hardening Windows Systems. From the review: "Roberta Bragg's _Hardening Windows Systems_ (HWS) is exactly the sort of book I expected from McGraw-Hill/Osborne's new 'Hardening' series. The publisher gained fame through its assessment-oriented 'Hacking Exposed' series, and now it advocates preventing intrusions via configuration instead of assessment. (Those familiar with my Network Security Monitoring...

Review of Know Your Enemy: 2nd Ed Exclusively at TaoSecurity

I just finished reading the second edition of Know Your Enemy and wrote a review for Amazon.com. Unfortunately, Amazon.com is treating this completely new second edition as though it were the first edition. When I tried to post my review, I received this response: "Oops! Only one review per customer per product set is allowed. Your review was not accepted because we only allow each customer to write one review of each product set. An example...

Friday, 23 July 2004

A Different Take on Intrusion Prevention Systems

Today while perusing the SANS Incident Handler's Diary, I noticed the "Handler On Duty" was Tom Liston, and his Web site was listed as LaBrea Technologies. I remembered Tom from his July 2001 post to the intrusions@incidents.org mailing list. There he theorized on the idea for his LaBrea "tarpit," code to trap malware visiting non-existent local IPs using various TCP tricks. Fearing DMCA, Tom no longer hosts LaBrea at his site, but it's available in the FreeBSD ports tree as security/labrea, and elsewhere. A visit to LaBrea Technologies...

Thursday, 22 July 2004

Install Guide for Sguil 0.5.0 Posted

After installing a self-contained Sguil 0.5.0 installation on a new laptop, I updated my Sguil installation guide for Sguil 0.5.0. The new guide takes into account the merging of xscriptd's functions into sensor_agent.tcl and sguild. I also caught a problem with the databases/mysqltcl FreeBSD port. By default the Makefile requires mysql323-client as a dependency, but I recommend changing that to mysql40-client to keep all components running MySQL 4.0.20. Changes like these are the reason I didn't explain how to install Sguil in my book. As...

Friday, 16 July 2004

The Tao of NSM Is Published!

My wife found a copy of my book left in our garage today by the UPS or Fedex delivery person! I'm very happy to see it in print. Four years ago Karen Gettman from Addison-Wesley approached me about writing a book. Initially I wanted to write "Intrusion Detection and Incident Response Illustrated," but I decided to wait until I felt I was ready. At Black Hat last year, I met my editor Jessica Goldstein from Addison-Wesley. I presented the proposal...

Netwox, the Network Toolbox

Packet Storm posted word of a new release of Laurent Constantin's Netwox. I had never tried it before, but was aware of the project from articles at Linux Security and elsewhere. The Network Toolbox consists of three components: Netwib, a network library; Netwox, the collection of 150+ tools; and Netwag, a Tcl/Tk interface. Given that Sguil is also written in Tcl/Tk, I was interested in trying out this tool. If you just run Netwox, you'll be presented with a series of menus which help you select the proper command line switches to use various...

Monday, 12 July 2004

Review of Snort 2.1 Posted

Amazon.com just posted my four star review of Snort 2.1. Several quotes from my review of Snort 2.0 appear in the new book, even though I also gave that first edition four stars. From the end of the review of the new edition: "I would enjoy seeing three improvements in the third edition. First, thoroughly scrub the book for old information. Watch out for people writing about 'Cerebus' or http_decode or offerings from Silicon Defense, whose Web...

Sunday, 11 July 2004

Using Oinkmaster to Update Snort Rules

I've never explained how I like to keep Snort rules updated on my sensors. The tool of choice for automatic rule updates is Andreas Ostling's Oinkmaster, a Perl script. Here is a sample run. First I make a temporary directory to hold old Snort rules files, then download and extract the snapshot version of Oinkmaster. (Oinkmaster 1.0 was released in May, but the snapshot includes some improvements discussed in the oinkmaster-users mailing list.)

[root@sensor root]# mkdir /tmp/oldrules
[root@sensor root]# cd /usr/local/src
[root@sensor src]# wget...

Saturday, 10 July 2004

Another Chapter, Plus Foreword and Index from Book Posted

My publisher Addison-Wesley made a few more excerpts from my book The Tao of Network Security Monitoring: Beyond Intrusion Detection available online. The 48-page file bejtlich_chs.pdf contains chapter 2, "What is NSM?" and the previously announced chapter 10, "NSM with Sguil." You can also read Ron Gula's foreword or peruse the 34-page index in .pdf form. Currently the Addison-Wesley site lists 16 July as the availability date for the book. Amazon.com shows 1 July, which is wrong, while Barnes and Noble shows 28 July. The actual release date...

Friday, 09 July 2004

Review of BSD Hacks Posted

Amazon.com just posted my five star review of BSD Hacks. This is a great book and a must-buy for all BSD users. From the review: "BSD Hacks is the book I hoped to read. I've been using FreeBSD in production and test environments for about four years (since 4.1 REL), and I've played with OpenBSD and NetBSD for about a year each. I was looking for a book that would explore the nooks and crannies of BSD without covering the introductory issues often...

Thursday, 08 July 2004

Sguil Development Issues

Lots has been happening in the Sguil world this past week. Bamm released Sguil 0.5.0 last week. The major development was the merging of xscriptd functionality into sguild. That's one less component to worry about. I also made some changes to the instructions for building IncrTcl in my Sguil installation guide, thanks to Mark Bergstrom. My guide still applies to Sguil 0.5.0, although the advice on xscriptd now belongs in the sguild configuration section. I'll produce a new guide for Sguil 0.5.1 when it arrives, as I hope to incorporate Snort...

Wednesday, 07 July 2004

External 2.5 Hard Drive Enclosure

This isn't the most exciting topic, but I wanted to report another successful piece of hardware with FreeBSD. Earlier I wrote about the Adaptec DuoConnect PC Card adapter which provides my laptop with FireWire (but not USB 2.0, unfortunately). To add some external high-speed storage to my laptop, I bought a ByteCC 2.5 HDD enclosure with FireWire and USB 2.0 from XPCGear.com. I liked this model because I could buy an AC adapter with it. I could have drawn power from the laptop's single on-board USB 1.1 port, but I prefer to leave that free...

Tuesday, 06 July 2004

FreeBSD on the Dell PowerEdge 750

Several months ago I asked the readership of the freebsd-hardware mailing list if anyone had experience with the Dell PowerEdge 750 1U server, especially its DELL CERC SATA 1.5/6ch RAID-0 (an Adaptec card) setup. Today we finally received a system on which I could test FreeBSD, so these are my results. I found I could not load FreeBSD 5.2.1 on the box. Although I was able to get through the boot procedure, FreeBSD did not see the hard drive. I...

OpenOffice.org 1.1.2 Packages Available for FreeBSD

I learned from this post that packages of OpenOffice.org 1.1.2 are available. I intend to upgrade via package since building OOo using the ports tree takes forever. I also learned a few lessons about document management this past weekend while creating slides for my USENIX talk. I found that I could create and save a presentation in .sxi format, only to find OOo unable to open it again. I lost several hours worth of work due to this flaw. I was...