Thursday, 30 September 2004

Understanding Tcpdump's -d Option

Have you ever used Tcpdump's -d option? The man page says: "-d Dump the compiled packet-matching code in a human readable form to standard output and stop." I've never used that option before, but I just saw a Tcpdump developer use it to confirm a Berkeley packet filter in this thread. The user in the thread is trying to see TCP or UDP packets with a source address of "centernet.jhuccp.org" (162.129.225.192). First he specifies an incorrect BPF filter, which the developer then corrects. This is mildly interesting, but the useful information...
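The reason -d earns its keep is that a filter expression can compile to something other than what you meant. The pcap-filter grammar gives "not" the highest precedence, but "and" and "or" share one precedence level and associate left to right, so "src host H and tcp or udp" compiles as "(src host H and tcp) or udp" and passes every UDP packet on the wire. The following is an added example, not code from the post, the thread, or Tcpdump itself: a small evaluator for a subset of the filter syntax (only "src host", "dst host", "tcp", "udp", "not", "and", "or" and parentheses) that applies those precedence rules to constructed packets so the difference is visible. The sample packets and the helper names are my own.

```python
"""Mini evaluator for a subset of pcap-filter (BPF) syntax (added example).

Models the precedence rule from the pcap-filter man page: 'not' binds
tightest; 'and' and 'or' have EQUAL precedence and associate left to
right. Supported primitives: 'src host A', 'dst host A', 'tcp', 'udp'.
"""
import re

_TOKEN = re.compile(r"\(|\)|[^\s()]+")


def tokenize(expr):
    return _TOKEN.findall(expr)


class _Parser:
    def __init__(self, tokens):
        self.toks = tokens
        self.pos = 0

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok

    def parse_expr(self):
        # 'and'/'or' share one level and are left-associative: A and B or C
        # becomes (A and B) or C, exactly as libpcap reads it.
        left = self.parse_unary()
        while self.peek() in ("and", "&&", "or", "||"):
            op = self.take()
            right = self.parse_unary()
            left = ("and" if op in ("and", "&&") else "or", left, right)
        return left

    def parse_unary(self):
        tok = self.peek()
        if tok in ("not", "!"):
            self.take()
            return ("not", self.parse_unary())
        if tok == "(":
            self.take()
            node = self.parse_expr()
            if self.take() != ")":
                raise ValueError("unbalanced parentheses")
            return node
        return self.parse_primitive()

    def parse_primitive(self):
        tok = self.take()
        if tok in ("tcp", "udp"):
            return ("proto", tok)
        if tok in ("src", "dst"):
            if self.take() != "host":
                raise ValueError("expected 'host' after %r" % tok)
            return (tok + "host", self.take())
        raise ValueError("unsupported primitive: %r" % tok)


def compile_filter(expr):
    p = _Parser(tokenize(expr))
    tree = p.parse_expr()
    if p.peek() is not None:
        raise ValueError("trailing tokens: %r" % p.toks[p.pos:])
    return tree


def matches(tree, pkt):
    kind = tree[0]
    if kind == "and":
        return matches(tree[1], pkt) and matches(tree[2], pkt)
    if kind == "or":
        return matches(tree[1], pkt) or matches(tree[2], pkt)
    if kind == "not":
        return not matches(tree[1], pkt)
    if kind == "proto":
        return pkt["proto"] == tree[1]
    if kind == "srchost":
        return pkt["src"] == tree[1]
    if kind == "dsthost":
        return pkt["dst"] == tree[1]
    raise ValueError(kind)


# Constructed sample traffic (not captured data).
PACKETS = [
    {"src": "162.129.225.192", "dst": "10.0.0.5", "proto": "tcp"},
    {"src": "162.129.225.192", "dst": "10.0.0.5", "proto": "udp"},
    {"src": "192.0.2.77", "dst": "10.0.0.5", "proto": "udp"},  # unrelated UDP
    {"src": "192.0.2.77", "dst": "10.0.0.5", "proto": "tcp"},  # unrelated TCP
]


def select(expr, packets=PACKETS):
    """Return the indices of the packets the filter expression would pass."""
    tree = compile_filter(expr)
    return [i for i, pkt in enumerate(packets) if matches(tree, pkt)]


if __name__ == "__main__":
    loose = "src host 162.129.225.192 and tcp or udp"
    strict = "src host 162.129.225.192 and (tcp or udp)"
    print(loose, "->", select(loose))    # [0, 1, 2]: the unrelated UDP packet leaks through
    print(strict, "->", select(strict))  # [0, 1]
```

With real Tcpdump the same check is `tcpdump -d 'src host 162.129.225.192 and (tcp or udp)'`; reading the emitted program is the only way to be sure which grouping libpcap applied, since both spellings are syntactically valid and neither prints a warning.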

Fedora Legacy Project Provides Updates for Old Red Hat Linux Versions

Are you still running Red Hat Linux 7.3 or 9.0? What about Fedora Core 1? If you want to keep those systems patched now that Red Hat has suspended support, consider the Fedora Legacy Project. I just read their advisory for Tcpdump, notifying users of updated libpcap and Tcpdump packages. (Note: The URLs in the advisory are funky. Visit http://download.fedoralegacy.org/redhat/9/updates/i386/ to access the RPMs for Red Hat Linux 9.0 directly.) I used their libpcap and Tcpdump RPMs to patch a system and had no proble...

Wednesday, 29 September 2004

FreeBSD 5.3 on the SlickNode PC

I previously reported my successful installation of FreeBSD on a Soekris net4801. While the Soekris is a really popular small form factor system, it lacks a fan to keep moving components (like laptop HDDs) cool. It's also not the sort of system you can use to replace a tower PC, since it doesn't have video output, a CD, or mouse and keyboard inputs. If you need the sort of functionality a true PC provides, but want small form factor, check out...

Open Source Operating Systems with Fall Release Dates

This fall will see the release of upgrades to several open source operating systems I use. First, FreeBSD 5.3 is currently scheduled to be released on 17 October. Over the weekend a sixth beta was cut and a seventh and final beta will be produced this weekend. The following week a release candidate (RC) will arrive. Although no second RC is planned, I expect to see one. The arrival of FreeBSD 5.3 RELEASE will mark the 5.x tree as STABLE. The...

Saturday, 25 September 2004

Further Musings on Digital Crime

Adam Shostack posted a response to my Thoughts on Digital Crime blog entry. Essentially he questions the "bandwidth" of the law enforcement organizations I listed, i.e., their ability to handle cases. The FBI CART Web page says "in 1999 the Unit conducted 2,400 examinations of computer evidence." At HTCIA I heard Mr. Kosiba state that thus far, in 2004, CART has worked 2,500 cases, which may involve more than one examination per case. The 50+ CART examiners and support personnel and 250 field examiners have processed 665 TB of data so far this...

Friday, 24 September 2004

"Certified" Digital Forensics Labs

One helpful speaker at the HTCIA conference was Timothy Kosiba of the FBI Computer Analysis and Response Team (CART). (Some people say "CART Team." These are probably the same people who say "NIC Card," forgetting "NIC" means "Network Interface Card.") Mr. Kosiba explained the rising importance of forensic lab accreditation by the American Society of Crime Laboratory Directors / Laboratory Accreditation Board (ASCLD/LAB). Apparently the CART parent organization, the FBI Lab, only attained ASCLD/LAB accreditation four years ago, in the wake...

Thoughts on Digital Crime

Last week I spoke at and attended the High Technology Crime Investigation Association International Conference and Expo 2004. The keynote speaker was US Attorney General John Ashcroft. Although I spent time furiously copying notes on his speech, the text is online. Not printed in that text was the AG's repeated theme: the US Department of Justice and Federal Bureau of Investigation are committed to "protecting lives and liberty." I thought this was a curious stance given the recent efforts to scale back the Patriot Act. The AG mentioned...

Vulnerability in Symantec Security Appliances

Speaking of attacking appliances, a Rigel Kent Security advisory claims: "Three high-risk vulnerabilities have been identified in the Symantec Enterprise Firewall products and two in the Gateway products. All are remotely exploitable and allow an attacker to perform a denial of service attack against the firewall, identify active services in the WAN interface and exploit the use of default community strings in the SNMP service to collect and alter the firewall or gateway's configuration. Moreover, the administrative interface for the firewall does...

Security Reports Everywhere

The latest Symantec Internet Security Threat Report (volume VI) was released this week, along with Six Secrets of Highly Secure Organizations by CIO, CSO, and PricewaterhouseCoopers. The Symantec report requires "registration," but in return you receive a hefty 50 pages or so of data (ignoring the blank pages, covers, etc.) Here are a few excerpts I found interesting: "Over the past six months, the average time between the announcement of a vulnerability and the appearance of associated exploit code was 5.8 days... This means that, on average,...

Thursday, 23 September 2004

Review of High-Tech Crimes Revealed Posted

Amazon.com just posted my four star review of High-Tech Crimes Revealed: Cyberwar Stories From The Digital Front. From the review: "Prior to 'High-Tech Crimes Revealed' (HTCR) I read and reviewed 'Stealing the Network: How to Own a Continent' (HTOAC). While HTOAC is fictional and written almost exclusively from the point of view of the 'hacker,' HTCR is mostly true and written from the law enforcement perspective. On the strength of the cases described...

Monday, 20 September 2004

Donate and Acquire Gmail Accounts

Do you have any Gmail invitations you don't need? Do you want a Gmail account? If the answer to either question is yes, visit isnoop.net. Their "Gmailomatic" site accepts invitations generated by clicking "Invite a friend to join Gmail!" from within your Gmail account. Send the invite to "gmail@isnoop.net" and the invitation will be made available for anyone who requests it through isnoop.net. I donated two invites a few minutes ago. Literally within seconds of seeing the donation count increase by two, both were snatched up by...

FreeBSD on Soekris

I've been reading David Courtney's Soekris guide. It's incredibly detailed and explains how to install FreeBSD 4.9 and FreeBSD 5.2.1 onto the Soekris net4801. I previously described my experiences with the Soekris, but David's document addresses issues I hadn't considered. For example, he discusses the Soekris BIOS and shows how to navigate it. His setup uses PXE and he installs the OS onto a 2.5 inch laptop hard drive rather than a CF ca...

Thursday, 16 September 2004

New SANS Practical Discusses Sguil

SANS' GIAC just published Sguil contributor Chris Reining's GCIA practical titled The State of Intrusion Detection (.pdf). This is not a follow-on to the 1999 CERT classic State of the Practice of Intrusion Detection Technologies. Rather, Chris describes the shortcomings of other technologies like ACID, and how to use Sguil to detect and respond to intrusions. I like seeing discussion of Sguil infiltrate the SANS Reading Room. Incidentally -- I haven't read all of Chris' paper with a critical eye yet, so I can't vouch for his conclusions right...

SNORT_2_3 CVS Branch and Other NSM Tools

The SNORT_2_3 branch was marked in CVS shortly after I first posted the snort-inline story. Release manager Jeremy Hewlett made the announcement. If you follow the instructions to check out Snort from CVS, be sure to use SNORT_2_3 for your tag and run 'autojunk.sh' before trying to run 'configure'. Remember this is not a new Snort release, only the appearance of new code in CVS. Along with Snort, there are new versions of passive fingerprinting tool p0f, and the passive asset detection system (PADS) availab...

Cisco Announces New Routers with Focus on Security

Two days ago Cisco announced a new set of Integrated Services Routers, including the 1800, 2800, and 3800 series. For historical comparison, the 2600 was announced in March 1998 and the last enhancements to that line, the 2600XM series and 2691, were announced in June 2002. The press release shows an interesting bias; emphasis is added: "Cisco Systems today announced a new line of integrated services routers, the industry's first routers to deliver secure, wire-speed data, voice, video and other advanced services to small and medium-sized businesses...

Excellent Windows Service Minimization Guide

In my last story I originally stated "With Windows, unless I deploy a host-based firewall, it is difficult if not impossible to disable unnecessary services." I based this assessment on previous experiences where it was difficult to get a "clean" netstat output (meaning no unnecessary listening services). Getting to this point, as described by books like Securing Windows NT/2000 Servers for the Internet, was difficult and in many cases left services...

Wednesday, 15 September 2004

My Opinion on Windows-Based Sensors

I'm slowly working through the last few days' developments while I attended my 10th reunion at the US Air Force Academy. I recently received the following email: "I have been reading your book on The Tao of NSM. I am an amateur but very interested in the subject. My only issue is that I am very uncomfortable with your bias against Windows and for the OpenSoftware. [sic] In our market, 95% of the desktops and 55% of the servers are Windows. We...

Review of Stealing the Network: How to Own a Continent Posted

Amazon.com just posted my four star review of Stealing the Network: How to Own a Continent. I really enjoyed reading this fictional yet technical work. From the review: "'Stealing the Network: How to Own a Continent' (STN:HTOAC) is a detailed look at the capabilities a structured threat could apply to the world's vulnerable digital infrastructures. Rather than hire a Beltway Bandit, I recommend those planning the digital defense of this nation...

Thursday, 09 September 2004

Snort-Inline Developments

I noticed a post to the snort-inline mailing list last week that announced a "changing maintainer and future plans." Snort-inline is a project which allows a Snort sensor positioned inline (as opposed to sniffing passively offline) to accept packets from IPTables and then make pass/drop decisions. William Metcalf is taking over as lead developer from Rob McMillen, although Rob will remain with the project along with newcomer Victor Julien. William claims "we have been very busy working on snort_inline and evaluating the snort_inline code that...

Tuesday, 07 September 2004

Question on NSM Methodology

I received the following question via email today: "I'm a huge fan of your newest book, and I read it cover-to-cover in a handful of evenings. However, I have a question about the approach you take for doing network monitoring. The average throughput of our Internet connection is around 5Mbits/sec sustained. I would love to implement Sguil as an interface to my IDS infrastructure (currently Acid and Snort on the network side), but I ran some numbers...

Monday, 06 September 2004

Early Look at FreeBSD Migration Guide

Bruce Mah is requesting comments on his FreeBSD Migration Guide. The guide explains the FreeBSD release process, new features in 5.3, and how to upgrade from 4.x to 5.3. Remember this is a draft, but if you have feedback join the thread on freebsd-curre...

TaoSecurity.Blogspot.com on BlogShares.com

Over the weekend I learned about BlogShares.com, a fantasy stock market for Blogs. It was originally created by Seyed Razavi, but he turned over management of the project late last year. I found out that TaoSecurity.Blogspot.com was listed on the BlogShares market, so I registered myself as the owner. I found out Barry Irwin, owner of lair.moira.org, holds 4000 shares of this blog, and I as the Blog owner was given 1000. I found out about Barry's site when researching the nVidia driver issue mentioned earlier. I haven't figured out Blogshares...

Nvidia Will Get My Vote

Last month Nvidia released FreeBSD drivers for their products. The README describes how to install and configure the drivers. Their forums offer advice for those having problems. Slashdot reported on this as well. If anyone can recommend a dual-DVI card that works with FreeBSD, please email me at richard at taosecurity dot c...

Sunday, 05 September 2004

The Macintosh of Vacuums

In the spirit of reporting on technology, I feel compelled to report on the latest gadget to enter my home -- the DCO7. What is it, you might ask? A miniature rocket? A new USB device? This, my friends, is the most amazing vacuum cleaner I have ever used. I call it the Macintosh of Vacuums due to its elegant engineering, thoughtful design, and superior performance. The product is made by Dyson, a British company founded by inventor James Dyson....

FreeBSD 5.3-BETA3 Available

FreeBSD 5.3-BETA3 is now available via FTP from sites like ftp10.freebsd.org/pub/FreeBSD/releases/i386/ISO-IMAGES/5.3/. I covered the release of BETA1 and BETA2 previously. If you'd like more information on changes to the network stack in 5.3, read Andre Oppermann's presentation (.pdf) from SUCON 04. The announcement mentions that the "MP-safe network stack is now enabled by default" and "X server configuration has been removed from sysinstall." There...

Saturday, 04 September 2004

Amazon Finally Discounts My Book

After more than a month of selling my book at cover price, Amazon.com is now selling The Tao of Network Security Monitoring: Beyond Intrusion Detection for $33.99, a 32% discount. The US-based site still doesn't show as much information as Amazon.ca, where the table of contents and preface are posted. Barnes and Noble has the book for $1 more, and Bookpool is still the best buy with a 45% discount and $27.25 price. The best place to get all of...

Friday, 03 September 2004

Netdude Continues to Amaze

Last week I posted a method to extract individual pcap files from a larger pcap file. Originally I thought it would be useful to have a tool which would extract all individual flows from a pcap file into pcap format. Note this is different from the capability offered by the excellent Tcpflow, which extracts the application data from all TCP flows. I thought the tool Netdude might have this capability when I saw its libnetdude plugin Flow Demultiplexer. I was familiar with plugins for Netdude, the graphical interface. Flow Demultiplexer is not...
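To make the distinction concrete: Tcpflow reassembles application data, whereas what I wanted keeps every packet in pcap format and only groups it by flow. Here is an added example of that second idea, written by me for this post; it is not Netdude, libnetdude's Flow Demultiplexer, Tcpflow, or any other tool mentioned above. It parses the classic libpcap file format with the standard library, keys packets by a direction-independent 5-tuple, and emits one complete pcap (global header plus records) per flow. It assumes a little-endian classic pcap with an Ethernet link layer carrying IPv4 TCP or UDP; IPv6, VLAN tags, IP fragments and pcapng are out of scope. The embedded sample capture is constructed, not real traffic.

```python
"""Split a classic pcap file into one pcap per bidirectional flow (added example).

Assumes little-endian classic pcap, Ethernet link type, IPv4 TCP/UDP.
Non-IP, IPv6 and other protocols are skipped; they are not written anywhere.
"""
import socket
import struct
import sys
from collections import OrderedDict

PCAP_MAGIC = 0xA1B2C3D4
GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, major, minor, tz, sigfigs, snaplen, linktype
PKT_HDR = struct.Struct("<IIII")        # ts_sec, ts_usec, incl_len, orig_len
LINKTYPE_ETHERNET = 1


def flow_key(frame):
    """Direction-independent (proto, (addr, port), (addr, port)) key, or None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # not IPv4 over Ethernet
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    if proto not in (6, 17) or len(frame) < 14 + ihl + 4:  # need TCP/UDP ports
        return None
    src = socket.inet_ntoa(frame[26:30])
    dst = socket.inet_ntoa(frame[30:34])
    sport, dport = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
    a, b = (src, sport), (dst, dport)
    if a > b:                 # canonical order so replies join the same flow
        a, b = b, a
    return (proto, a, b)


def read_pcap(data):
    """Yield raw records (packet header + frame bytes) from a pcap blob."""
    magic, _, _, _, _, _, linktype = GLOBAL_HDR.unpack_from(data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap file")
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type is supported")
    off = GLOBAL_HDR.size
    while off + PKT_HDR.size <= len(data):
        hdr = data[off:off + PKT_HDR.size]
        incl_len = PKT_HDR.unpack(hdr)[2]
        frame = data[off + PKT_HDR.size:off + PKT_HDR.size + incl_len]
        yield hdr + frame
        off += PKT_HDR.size + incl_len


def demux(data):
    """Map each flow key to a complete, stand-alone pcap file as bytes."""
    ghdr = data[:GLOBAL_HDR.size]
    flows = OrderedDict()
    for record in read_pcap(data):
        key = flow_key(record[PKT_HDR.size:])
        if key is None:
            continue
        flows.setdefault(key, bytearray(ghdr)).extend(record)
    return {k: bytes(v) for k, v in flows.items()}


def demux_counts(data):
    """Packets per flow, computed by re-parsing each emitted pcap."""
    return {k: sum(1 for _ in read_pcap(v)) for k, v in demux(data).items()}


# ---- constructed sample capture (not real traffic) ----
def _frame(src, dst, proto, sport, dport):
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    l4 = struct.pack("!HHI", sport, dport, 0)  # just enough header to carry ports
    return eth + ip + l4


def _pcap(frames):
    out = bytearray(GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
    for i, f in enumerate(frames):
        out += PKT_HDR.pack(1096329600 + i, 0, len(f), len(f)) + f
    return bytes(out)


SAMPLE = _pcap([
    _frame("10.0.0.1", "10.0.0.2", 6, 40000, 80),
    _frame("10.0.0.2", "10.0.0.1", 6, 80, 40000),   # reply: same flow
    _frame("10.0.0.1", "10.0.0.3", 17, 53000, 53),
    _frame("10.0.0.1", "10.0.0.2", 6, 40001, 80),   # new flow: new source port
])

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for i, (key, blob) in enumerate(demux(data).items()):
        proto, (a, ap), (b, bp) = key
        name = "flow%03d_p%d_%s-%d_%s-%d.pcap" % (i, proto, a, ap, b, bp)
        with open(name, "wb") as fh:
            fh.write(blob)
        print(name)
```

Run it with a capture path to write one file per flow into the current directory, or with no arguments to split the built-in sample. Each output is a valid pcap, so Tcpdump, Ethereal or Netdude can open any single flow directly, which is the property tcpflow's reassembled streams do not have.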

Wednesday, 01 September 2004

Review of IRC Hacks Posted

Amazon.com just posted my four star review of IRC Hacks. From the review: "'IRC Hacks' is not a more recent version of Alex Charalabidis's 'The Book of IRC.' Published by No Starch Press in 2000, 'The Book of IRC' focuses on more introductory material, and thoroughly covers the issues facing most IRC users. Unlike the older No Starch book, 'IRC Hacks' devotes over 200 pages to bot development. In other words, the 'IRC Hacks' authors concentrate...