Wednesday, October 11, 2006

Fedora Core 5 (FC5) and VMWare Server

This tripped me up a bit, so I figured I'd document my solution. After installing VMware Server on FC5, you need to run /usr/bin/vmware-config.pl. A few questions down, it asks you to help it compile a "suitable vmmon module for your running kernel", but the default location it offers for the kernel headers is the wrong directory structure. To get past this step, I had to do the following:

yum install kernel-devel

or if you are running an SMP kernel:

yum install kernel-smp-devel

and then point the vmware-config.pl script to:

/lib/modules/[your kernel version here]/build/include/linux

where [your kernel version here] is the output of:

uname -r

As an example, at the time I write this, the directory would be:

/lib/modules/2.6.17-1.2187_FC5smp/build/include/linux
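As an added example (not part of the original post), this shell helper works out the header path for a kernel release, picks the matching -devel package, and verifies that the headers are actually installed before you sit down with vmware-config.pl. MODULES_ROOT is an assumed override that only exists so the checks can be run against a test directory tree; the version.h check is my own sanity test, not something the VMware script documents.

```shell
#!/bin/sh
# Added example, not from the original post: find the FC5 kernel headers that
# vmware-config.pl asks for and check that the right kernel-devel is installed.
# MODULES_ROOT is an assumed override so the checks can run against a test tree.
MODULES_ROOT="${MODULES_ROOT:-/lib/modules}"

# Pick the -devel package matching a kernel release string (smp kernels end in "smp").
devel_package_for() {
    case "$1" in
        *smp) echo kernel-smp-devel ;;
        *)    echo kernel-devel ;;
    esac
}

# The include directory to give vmware-config.pl for a kernel release.
build_include_dir() {
    echo "$MODULES_ROOT/$1/build/include/linux"
}

# Return 0 if headers for the given kernel release are present: the build
# link must resolve to a directory and linux/version.h must exist under it.
headers_present() {
    dir=$(build_include_dir "$1")
    [ -d "$dir" ] && [ -f "$dir/version.h" ]
}

# Report the path to use for the running kernel (or a release passed as $1),
# or tell the operator which package is missing.
check_running_kernel() {
    rel="${1:-$(uname -r)}"
    if headers_present "$rel"; then
        echo "headers found: $(build_include_dir "$rel")"
    else
        echo "headers missing for $rel; run: yum install $(devel_package_for "$rel")" >&2
        return 1
    fi
}
```

Source the file and call check_running_kernel with no arguments to test the kernel you are actually running.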

HTH.

Wednesday, October 04, 2006

Sguil and Tcl_FinalizeNotifier: notifier pipe not initialized

If you are trying to get Sguil working, and you run into the error:

Tcl_FinalizeNotifier: notifier pipe not initialized

then it's likely you have a threads-enabled Tcl installed. Recompile Tcl without threads enabled, and the error should go away upon restart. This affects at least the sensor agent and the sguild server.

In the client, this also shows up under the sensor status tab as the sensor agent being connected to the server while barnyard (the BY column) is not, and no events appearing.

On an RPM-based system, grab the source rpm (src.rpm; tcl-8.4.13-1.1.src.rpm as of this writing).

1. Install it with:

# rpm -ivh tcl-8.4.13-1.1.src.rpm
1:tcl warning: user brewbuilder does not exist - using root
warning: group brewbuilder does not exist - using root
warning: user brewbuilder does not exist - using root
warning: group brewbuilder does not exist - using root
warning: user brewbuilder does not exist - using root
warning: group brewbuilder does not exist - using root
warning: user brewbuilder does not exist - using root
warning: group brewbuilder does not exist - using root
warning: user brewbuilder does not exist - using root
warning: group brewbuilder does not exist - using root
warning: user brewbuilder does not exist - using root
warning: group brewbuilder does not exist - using root
warning: user brewbuilder does not exist - using root
warning: group brewbuilder does not exist - using root
warning: user brewbuilder does not exist - using root
warning: group brewbuilder does not exist - using root
########################################### [100%]

which will place a number of files in /usr/src/redhat/* (the user and group warnings are safe to ignore).

2. Next, edit the spec file, which is /usr/src/redhat/SPECS/tcl.spec.
In the %build section, remove:

--enable-threads

from the line:

%configure --enable-threads

Optionally, edit the line:

Release: 1.1

to be:

Release: 1.1nothreads

to make it easier to remember that the tcl package has threading disabled.

Save your changes to the file.

3. Next, rebuild the rpm:

# rpmbuild -ba tcl.spec
Executing(%prep): /bin/sh -e /var/tmp/rpm-tmp.45757
+ umask 022
+ cd /usr/src/redhat/BUILD
+ cd /usr/src/redhat/BUILD
+ /bin/mkdir -p tcl-8.4.13
+ cd tcl-8.4.13
+ /bin/gzip -dc /usr/src/redhat/SOURCES/tcl8.4.13-src.tar.gz
+ tar -xf -
+ STATUS=0
+ '[' 0 -ne 0 ']'

[snip]

Wrote: /usr/src/redhat/SRPMS/tcl-8.4.13-1.1nothreads.src.rpm
Wrote: /usr/src/redhat/RPMS/i386/tcl-8.4.13-1.1nothreads.i386.rpm
Wrote: /usr/src/redhat/RPMS/i386/tcl-devel-8.4.13-1.1nothreads.i386.rpm
Wrote: /usr/src/redhat/RPMS/i386/tcl-html-8.4.13-1.1nothreads.i386.rpm
Executing(%clean): /bin/sh -e /var/tmp/rpm-tmp.72451
+ umask 022
+ cd /usr/src/redhat/BUILD
+ cd tcl-8.4.13
+ rm -rf /var/tmp/tcl-8.4.13-1.1nothreads-root
+ exit 0

(if you get rpmbuild: command not found, then you need to run:

yum install rpm-build

to install the rpmbuild binary and supporting files)

4. Replace the current tcl with your new threads-disabled version:

# rpm -Uvh --force /usr/src/redhat/RPMS/i386/tcl-8.4.13-1.1nothreads.i386.rpm
Preparing... ########################################### [100%]
1:tcl ########################################### [100%]
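As an added example (not part of the original post), this script does the spec-file edit from step 2 non-interactively and checks the result, so the rebuild in step 3 can't silently pick up a threaded configure line. The sample spec it writes is a constructed fragment, not the real Fedora tcl.spec, and the tclsh_is_threaded helper is my own check using tcl_platform(threaded), which a threaded 8.4 build sets.

```shell
#!/bin/sh
# Added example, not from the original post: strip --enable-threads from a
# Tcl spec file, tag the Release, and verify the edit before running rpmbuild.

# Write a constructed, minimal spec fragment (not the real tcl.spec) to $1.
make_sample_spec() {
    cat > "$1" <<'EOF'
Name: tcl
Version: 8.4.13
Release: 1.1
%build
%configure --enable-threads
make %{?_smp_mflags}
EOF
}

# Drop --enable-threads from the %configure line and append "nothreads" to
# the numeric part of Release (so "1.1%{?dist}" becomes "1.1nothreads%{?dist}").
# Writes to a temp file then renames, so it works without GNU sed -i.
disable_threads_in_spec() {
    spec="$1"
    sed \
        -e 's/^\(%configure.*\) --enable-threads\(.*\)$/\1\2/' \
        -e 's/^\(Release:[[:space:]]*[0-9.]*\)/\1nothreads/' \
        "$spec" > "$spec.tmp" && mv "$spec.tmp" "$spec"
}

# Return 0 only if no --enable-threads remains anywhere in the spec.
spec_is_threadless() {
    ! grep -q -- '--enable-threads' "$1"
}

# Return 0 if the installed tclsh was built with threads (the cause of the
# Tcl_FinalizeNotifier error); use this to confirm the replacement worked.
tclsh_is_threaded() {
    [ "$(echo 'puts [info exists tcl_platform(threaded)]' | tclsh)" = 1 ]
}
```

After disable_threads_in_spec /usr/src/redhat/SPECS/tcl.spec, continue with rpmbuild -ba tcl.spec as in step 3, and run tclsh_is_threaded again after step 4 to confirm it now fails.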

Enjoy.

Monday, October 02, 2006

Network Security Monitoring isn't just IDS ...

While listening in on one of my favorite IRC channels, one of the members of the channel got some IDS alerts indicating that one of his client's machines was scanning a university network. Typically this type of thing happens when a machine is successfully cracked, and then the cracker or worm turns around and starts scanning for more machines to crack. However, in this instance, the scans he was seeing were too random, too "all over the board." Now, if he had been using only an IDS, he wouldn't have had much further he could go, but he also had raw packet captures that provided him history, which is the point of my diatribe here. He loaded up the captures and looked for activity prior to the time his IDS started to generate alerts. Lo and behold, the same machine had visited a website at the same university that the scans were targeting. Loading up the website provided the answer to the mystery.

The website was the website for a "Network Security" class, and the attacking machine had downloaded the second homework assignment PDF. That PDF had instructed the students to use the tool NetBrute to scan the class server. Ignoring the questionable nature of this assignment*, because the analyst had the historical packet captures in addition to the IDS, it was reasonably safe to say that this was a benign incident.

* On to the questionable nature of the assignment: teachers, never unleash your students on a production network. There is so much potential for lawsuits or even jail time. Create a lab network, disconnected from everything, and only allow the students to use the tools on that.

** The same PDF that directed the students to scan the university site ALSO directed the students to scan a webserver belonging to Yahoo!. I'm amazed the teacher is still employed.
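As an added example (not part of the original post), here is the pivot described above done over session records rather than raw packets: given the time of the first alert, the alerting host, and the target network, pull out what that host did with the network beforehand and summarise the destination ports. The session log is constructed sample data in a sancp-like layout (start time, src, sport, dst, dport, proto) with documentation addresses; 203.0.113.0/24 stands in for the university network.

```shell
#!/bin/sh
# Added example, not from the original post: look at a host's session history
# before its first IDS alert, the way the analyst in the post used his captures.

# Constructed sample data (sancp-style): start src sport dst dport proto.
# 192.0.2.10 is the client that later alerted; 203.0.113.0/24 is the "university".
SAMPLE_SESSIONS='2006-10-01T09:55:12 192.0.2.10 40112 198.51.100.5 443 6
2006-10-01T10:02:41 192.0.2.10 40377 203.0.113.7 80 6
2006-10-01T10:03:15 192.0.2.10 40378 203.0.113.7 80 6
2006-10-01T10:20:03 192.0.2.10 40510 203.0.113.21 22 6
2006-10-01T10:20:03 192.0.2.10 40511 203.0.113.22 22 6
2006-10-01T10:20:04 192.0.2.10 40512 203.0.113.23 22 6'

# Print sessions on stdin from SRC to hosts under DST_PREFIX (e.g. "203.0.113.")
# that started strictly before ALERT_TIME. ISO timestamps compare as strings.
sessions_before_alert() {
    alert="$1"; src="$2"; prefix="$3"
    awk -v alert="$alert" -v src="$src" -v prefix="$prefix" '
        $1 < alert && $2 == src && index($4, prefix) == 1 { print }'
}

# Count destination ports in that prior history, most frequent first.
# A couple of web hits to one host reads very differently from hundreds of
# connections walking sequential addresses, which is what the alerts showed.
prior_port_summary() {
    sessions_before_alert "$@" | awk '{ n[$5]++ }
        END { for (p in n) print n[p], p }' | sort -rn
}
```

Run it as printf '%s\n' "$SAMPLE_SESSIONS" | prior_port_summary 2006-10-01T10:20:03 192.0.2.10 203.0.113. to see only the two web sessions that preceded the scan alerts.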