Wednesday, 28 February 2007

Sguil Client on Ubuntu

Inspired by an old post, John Curry, and David Bianco's NSM Wiki, I decided I would install the Sguil client on Ubuntu. It was really easy. First I edited the /etc/apt/sources.list file to include the "universe" package collections:

deb http://us.archive.ubuntu.com/ubuntu/ edgy universe
deb-src http://us.archive.ubuntu.com/ubuntu/ edgy universe

Next I updated the apt cache and added the libraries I needed.

richard@neely:~$ sudo apt-get update
...edited...
richard@neely:~$ sudo apt-get install tclx8.4 tcllib iwidgets4 wireshark
Reading package lists......

New Laptop Configuration

Last year I bought a Lenovo X60s laptop to serve as a portable VMware server for my classes. Recently my seven-year-old Thinkpad a20p has been giving me trouble, like losing half its RAM. When you only have 512 MB, that's a big deal. I decided that it was time to move operations to the newer laptop, even though the screen is smaller than I prefer for daily use. I figure I can get by with the smaller screen at least through the end of the year, when I hope to buy my next dream laptop.

I decided this was the time to try a new laptop configuration....

Security Awareness

Check it out. Scanit is on the news aga...

Monday, 26 February 2007

Don'ts for Cisco router p1

I just compiled a list of services I check when I audit a Cisco router. Of course there are lots more, but for now I will just provide the basics. Enjoy, and email me if there are any questions.

no cdp enable (Disables CDP. It is susceptible to spoofing and DoS. Need a proof of concept? Email me.)
no ip unreachables (Disables ICMP unreachable messages.)
no ip source-route (Disables source routing.)
no service finger (Disables the finger daemon on the router. Finger has always been a problem source; it lets attackers know who is logged in and provides...
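As an added example, not code from the original post, here is a small Python audit that checks a saved copy of show running-config for the four settings listed above: the two global commands (no ip source-route, no service finger) and the two per-interface commands (no cdp enable, no ip unreachables). The sample config, hostname, addresses, and interface names are constructed for illustration. One caveat a practitioner should keep in mind: show running-config lists only non-default settings, so a missing "no ..." line means the service is at its IOS default, and whether that default is on or off depends on the IOS release; confirm a flagged finding on the device before filing it.

```python
"""Audit a Cisco IOS running-config for the 'don'ts' listed in the post.

Added example, not the post's own code. SAMPLE_CONFIG is constructed;
the hostname, addresses and interface names are made up.
"""
import re

# Global commands that should appear in the running-config.
REQUIRED_GLOBAL = ("no ip source-route", "no service finger")
# Commands that should appear under every interface stanza.
REQUIRED_INTERFACE = ("no cdp enable", "no ip unreachables")

SAMPLE_CONFIG = """\
! constructed sample running-config
hostname edge-router
no ip source-route
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 no cdp enable
 no ip unreachables
!
interface FastEthernet0/1
 ip address 198.51.100.1 255.255.255.0
 no ip unreachables
!
line vty 0 4
 login
!
end
"""


def parse_config(text):
    """Split an IOS config into global commands and per-interface command lists.

    IOS indents sub-commands with a single space, so an unindented line ends
    the current stanza. Only 'interface ...' stanzas are collected; other
    stanzas (line vty, router ospf, ...) are ignored for this audit.
    """
    global_cmds = []
    interfaces = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):
            current = None
            m = re.match(r"interface\s+(\S+)", line)
            if m:
                current = m.group(1)
                interfaces[current] = []
            else:
                global_cmds.append(line.strip())
        elif current is not None:
            interfaces[current].append(line.strip())
    return global_cmds, interfaces


def audit(text):
    """Return findings as (scope, missing_command) tuples, global scope first."""
    global_cmds, interfaces = parse_config(text)
    findings = []
    for cmd in REQUIRED_GLOBAL:
        if cmd not in global_cmds:
            findings.append(("global", cmd))
    for name, cmds in interfaces.items():
        for cmd in REQUIRED_INTERFACE:
            if cmd not in cmds:
                findings.append((name, cmd))
    return findings


if __name__ == "__main__":
    for scope, cmd in audit(SAMPLE_CONFIG):
        print(f"{scope}: missing '{cmd}'")
```

On the sample config the audit reports two findings: the global configuration lacks no service finger, and FastEthernet0/1 still has CDP enabled. Note that no cdp enable is an interface-level command; the global equivalent, which turns CDP off on every interface at once, is no cdp run.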

Saturday, 24 February 2007

Cisco Street Commands p1

Basic Cisco IOS Router Management

To save the current running configuration to the startup configuration in NVRAM, issue

cisco#copy running-config startup-config

Alternatively, you can also issue

cisco#write memory

The router's configuration information is stored in a device called the nonvolatile RAM (NVRAM), and the IOS images are stored in a device called the flash. It's important to keep these names straight, because all flash memory is nonvolatile RAM, and most routers use flash technology for their NVRAM as well, so it's easy to get confused...

Friday, 23 February 2007

Cisco Headquarters

Cisco Headquarters. This blog will incorporate most of the core technologies and their respective IOS commands to get the job done. I dedicate this blog to anyone who never had a chance to go to university, yet is hardworking and continues to stri...

My First Post

My first official post. I am not going to write exploits or post vulnerabilities on this blog. Instead, I am going to post Cisco IOS commands that are frequently used to perform tasks. This will save network administrators the hassle of reading loads and loads of bulky documents. At times I will also post free books, and all of you can send a request to my email to receive a copy. I will try my best to keep this blog updated with new commands and topics. Feel free to give comments.

Let's take network security to the streets....

Thursday, 22 February 2007

Jose Nazario on Botnets

I recommend reading Black Hat: Botnets Go One-on-One by Kelly Jackson Higgins. She interviews Jose Nazario for a peek at findings from his talk at Black Hat DC next week. I won't be attending, although I plan to stop by Thursday evening to meet friends Erik Birkholz, Rohyt Belani, and any other ex-Foundstoners we can fi...

Tuesday, 20 February 2007

Snort DCE/RPC Vulnerability Thoughts

Yesterday Sourcefire posted a new advisory on a vulnerability in the DCE/RPC preprocessor introduced in Snort 2.6.1. The vulnerability exists in 2.6.1, 2.6.1.1, 2.6.1.2, and 2.7 beta 1. A look at the snort/src/dynamic-preprocessors/dcerpc/ directory of Snort CVS shows dcerpc.c and smb_andx_decode.c were modified three days ago to patch the vulnerability. You can check the diffs for dcerpc.c and smb_andx_decode.c to see how Sourcefire addressed the...

Monday, 19 February 2007

Bejtlich Teaching at Techno Security 2007

I've previously spoken at the Techno Security 2005 and Techno Security 2006 conferences. A visit to the Techno Security 2007 conference page shows I will be teaching TCP/IP Weapons School (Layers 2-3) at the 2007 event this summer. I'll be teaching 6 and 7 June at one of my favorite vacation spots, Myrtle Beach Marriott Resort at Grande Dunes. I'll also be speaking as part of the technical tracks on 5 June. If you'd like to register for TCP/IP Weapons School, please check out the details here and return the registration form (.pdf) to me as...

Friday, 16 February 2007

Combat Insider Threats with Nontechnical Means

I've written many posts on insider threats, like How Many Spies and Of Course Insiders Cause Fewer Security Incidents. Recently a former Coca-Cola employee was found guilty of trying to steal Coke's trade secrets, with an intent to sell them to Pepsi. According to this story, detection of the plot was decidedly non-technical:

In May, a letter appeared at Pepsi's New York headquarters offering to sell the trade secret. But that's how the beverage superpowers learned of common corporate priorities: Pepsi officials immediately notified Coke of the...

Shawn Carpenter Vindicated

Two years ago I posted Real Threat Reporting. My story discussed Shawn Carpenter, formerly an analyst at Sandia National Labs who discovered Titan Rain activity at his site. After bringing news of the intrusions to the FBI, Sandia fired him. According to these AP, ComputerWorld, and FCW stories, a New Mexico jury awarded Shawn "$35,661 for lost wages and benefits, $1,875 for counseling costs and $350,000 for emotional distress." The jury also awarded "$4.3 million in punitive damages" which makes "doing the right thing" a financially attractive...

Thursday, 15 February 2007

Open Source Winners

The chart comes from How To Tell The Open Source Winners From The Losers by InformationWeek's Charles Babcock. You can more or less skip the article, but the chart is interesting. I don't think it's absolutely necessary to have a benevolent dictator if you have a core team like FreeBSD does. In fact, projects with benevolent dictators suffer from a single point of failure that might only be addressed by a fork or replacement by another like-minded...

February 2007 (IN)SECURE Magazine

The February 2007 (.pdf) issue of (IN)SECURE Magazine is available. This is a great magazine. Interesting articles include an interview with security researcher/ninja Joanna Rutkowska, discussions of Vista and Office 2007, and a neat overview of security careers by Mike Murrary. (Note to Mike: I've never heard of Tim Keanini until now. No offense, but I don't think he's up there with Marcus Ranum or Ron Gul...

Tuesday, 13 February 2007

Binary Upgrade of FreeBSD 6.1 to 6.2

Last year I described performing a binary upgrade of FreeBSD 6.0 to 6.1. Today I tried a similar process for FreeBSD 6.1 to 6.2, using Colin Percival's instructions for 6.1 to 6.2-RC1.

shuttle01# mkdir /usr/upgrade
shuttle01# cd /usr/upgrade
shuttle01# fetch http://www.daemonology.net/freebsd-update/upgrade-to-6.2.tgz
upgrade-to-6.2.tgz 100% of 18 kB 120 kBps
shuttle01# tar -xzf upgrade-to-6.2.tgz
shuttle01# cd upgrade-to-6.2
shuttle01#...

Monday, 12 February 2007

Another Anti-Virus Problem

Here's more evidence if you need to make a case that blindly requiring anti-virus or other agents on all systems is neither cost-free nor automatically justified, as I mentioned late last year. As reported by SANS @RISK (link will work shortly):

Trend Micro Antivirus, a popular antivirus solution, contains a buffer overflow vulnerability when parsing executables compressed with the UPX executable compression program. A specially-crafted executable could trigger this buffer overflow and execute arbitrary code with SYSTEM/root privileges, allowing...

FISMA Redux

Late last year I mentioned I planned to read and review FISMA Certification & Accreditation Handbook by Laura Taylor. You know if I read a book on Cisco MARS on one leg of my last trip, I probably read a different book on the return leg. FISMA was that book. These comments are going to apply most directly to FISMA itself, based on what I learned reading Ms. Taylor's book. I'll save comments on the book itself for a later date.

Last year I...

Earth to MARS

Disclaimer: I'm going to single out a book by Cisco employees that talks about a Cisco product. I have no personal feelings about Cisco. I have friends there. I've done work for Cisco. Since I think Cisco is eventually going to own all network security functions in their switches, I may even work for Cisco one day. This post is for all product vendors who approach understanding and defending the network in the ways described here. Wherever...

Not Your Father's TCP/IP Stack

I sometimes hear of people talking about controlling TCP and UDP ports, as if that is the battleground for network access in 2007. Reality check -- that hasn't been true for years, unfortunately. Boy, I miss those days -- the days when defined applications used defined ports and blocking all but a few meant understanding the applications permitted in the enterprise. The Cisco IPJ article Boosting the SOA with XML Networking reminded me with this...

Thursday, 08 February 2007

I See You

In recent posts like Consider This Scenario, I posted information collected from my live network connection. I don't worry about exposing real data, as long as it belongs to my own network. I obviously don't expose client data!

Today I received a new alert from OSSEC:

OSSEC HIDS Notification.
2007 Feb 08 09:46:13
Received From: macmini->/var/log/auth.log
Rule: 5701 fired (level 12) -> "Possible attack on the ssh server (or version gathering)."
Portion of the log(s):

Feb 8 09:46:11 macmini sshd[21224]: Bad protocol version identification 'Yo....
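The log line behind OSSEC rule 5701 is sshd's "Bad protocol version identification" message, which OpenSSH logs when a client's first line is not an SSH version banner. As an added example, not OSSEC's own rule logic and not code from the original post, here is a Python detector that pulls those lines out of an auth.log stream, keeps the attacker-controlled banner strictly as data, labels it with a simple heuristic (an HTTP request on port 22 usually means a web scanner or proxy check rather than an SSH client), and counts events per source address so repeat offenders stand out. The log lines, addresses, and PIDs below are constructed; the "from ADDRESS" suffix with an optional "port N" is the OpenSSH log format this code assumes.

```python
"""Detect sshd 'Bad protocol version identification' events in auth.log lines.

Added example, not OSSEC's rule 5701 implementation. All sample log lines,
addresses and PIDs are constructed; the 'from ADDR [port N]' suffix is the
OpenSSH log format this code assumes.
"""
import re
from collections import Counter

# The quoted banner is whatever bytes the client sent first, so it is
# attacker-controlled: keep it as data, never pass it to a shell or eval().
BAD_BANNER = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"Bad protocol version identification '(?P<banner>.*?)'"
    r"(?: from (?P<src>\S+)(?: port \d+)?)?$"
)

# Constructed sample: one legitimate login mixed with three bad banners.
SAMPLE_AUTH_LOG = """\
Feb  8 09:46:11 macmini sshd[21301]: Bad protocol version identification 'hello' from 192.0.2.10
Feb  8 09:46:15 macmini sshd[21305]: Accepted publickey for richard from 198.51.100.7 port 50122 ssh2
Feb  8 09:47:02 macmini sshd[21318]: Bad protocol version identification 'GET / HTTP/1.0' from 192.0.2.10
Feb  8 09:48:30 macmini sshd[21327]: Bad protocol version identification 'HEAD / HTTP/1.1' from 203.0.113.5 port 41022
"""


def classify_banner(banner):
    """Heuristic label for what spoke to port 22. 'http-client' usually
    means a web vulnerability scanner or proxy check, not an SSH client."""
    if re.match(r"(GET|HEAD|POST|OPTIONS) \S+ HTTP/", banner):
        return "http-client"
    if banner == "":
        return "empty"  # client connected and sent only a newline
    return "other"


def parse_bad_banners(lines):
    """Return one dict per matching line; non-matching lines are ignored."""
    events = []
    for line in lines:
        m = BAD_BANNER.match(line.rstrip("\n"))
        if not m:
            continue
        events.append({
            "ts": m["ts"],
            "host": m["host"],
            "pid": int(m["pid"]),
            "banner": m["banner"],
            "kind": classify_banner(m["banner"]),
            # older sshd builds omit the source address; keep the event anyway
            "src": m["src"] or "unknown",
        })
    return events


def sources_over_threshold(events, threshold=2):
    """Source addresses with at least `threshold` bad banners."""
    counts = Counter(e["src"] for e in events)
    return {src: n for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = parse_bad_banners(SAMPLE_AUTH_LOG.splitlines())
    for e in found:
        print(f"{e['ts']} {e['src']:>15} {e['kind']:<12} {e['banner']!r}")
    for src, n in sources_over_threshold(found).items():
        print(f"repeat offender: {src} ({n} bad banners)")
```

On the sample, three of the four lines match, 192.0.2.10 is reported as a repeat offender, and the two HTTP requests are labelled http-client. The threshold is deliberately low because a single stray banner is common on any Internet-facing host; what you want to see is the same source coming back, which is also when the NSM session data the author prefers becomes worth pulling.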

Wednesday, 07 February 2007

Arbor Launches ATLAS

If you didn't see the announcement, you might like perusing Arbor Networks' new Active Threat Level Analysis System (ATLAS) Initiative, "a multi-stage project to develop the world's first globally scoped threat analysis network with the help of the service provider community." I'm not sure I totally agree with that description, but the range of data available looks interesting. I plan to mine some of my NSM session data based on information from ATLAS. I applaud Arbor for making this sort of information publicly and freely availab...

Tuesday, 06 February 2007

NoVA BUG Founded

If you visit www.novabug.org or novabug.blogspot.com, you'll see I just created the northern Virginia BSD users group.

Two years ago I expressed interest in helping with this organization, but someone else registered novabug.org and did nothing with the name or concept. Following in the modest success of NoVA Sec, I thought it was time to create a BSD users group for the technical professionals in this area. I'll be looking for an organization to...

Snort Report 3 Posted

My third Snort Report has been posted. Using the snort.conf file built in the second Snort Report, I show how Snort can detect suspicious activity without using any rules or dynamic preprocessors. Granted, the examples are somewhat limited, but you get the idea. The purpose of these articles is to develop an intuitive understanding of Snort's capabilities, starting with the basics and becoming more complicat...

Friday, 02 February 2007

Single-Digit Security Service Providers

Yesterday I learned that more friends of mine from Foundstone have departed to start their own companies. I could probably list a dozen such companies with whom I do work, from whom I get leads, or to whom I pass leads. It seems this is a really popular way for security specialists to do work they enjoy without the burden of corporate management.

I think clients like this approach because they always interact directly with the people doing the work. They can target specialists and only bring in the people they need. When I am hired for a project...

Consider This Scenario

The other day I posted I Am Not Anti-Log. I alluded to the fact that I am not a big log fan but I do see the value of logs. This post will give you an indication as to why I prefer network data to logs.

Yesterday morning I installed OSSEC on the one system I expose to the Internet. OSSEC is really amazing in the sense that you can install it and immediately it starts parsing system logs for interesting activity. The system on which I installed...

Thursday, 01 February 2007

TaoSecurity 2007 Training Schedule

I just posted the TaoSecurity 2007 Training Schedule on my company Web site. I didn't include all of the places I might be teaching this year. All of the public classes are tentative at this point, but I am working on securing hosting facilities. You'll notice I plan to conduct six public classes across the US, and I am appearing at a few overseas conferences too -- including a one-day public class in Sydney, Australia.

If you would like to support my bid to teach at Black Hat USA Training (28-21 July 2007) in Las Vegas, NV, please email Ping...

Enemy-Centric vs Population-Centric Security

Gunnar Peterson pointed me to a great blog post he wrote called Protect the Transaction. He quotes Dave Kilcullen's post Two Schools of Classical CounterInsurgency, which discusses the difference between "enemy-centric" and "population-centric" counter-insurgency operations.

I consider two responses to these posts. First, when monitoring, you can take a threat-centric or an asset-centric approach to monitoring insider threats. This is especially true when monitoring inside an organization. As I teach in my Network Security Operations class,...

Keith Jones on Forensics

Keith Jones, my friend from Jones, Rose, Dykstra and Associates and Real Digital Forensics coauthor wrote The Real World of Computer Forensics for CMP. It's a good read. Keith, Curtis (Rose) and I are discussing writing Real Digital Forensics 2, which will be fun to develop. We're considering writing a series of cases involving a single enterprise, but involving a wide variety of incident types and data sources. I don't see the book on shelves before 2008, though. It's a lot of work simply creating the evidence for analysis and inclusion...