SYNful Packet

Community SANS Security 401: Security Essentials Bootcamp Style in Boulder, Colorado - Discount Code!

2009-09-02T12:45:00.010-06:00

http://www.sans.org/boulder09_cs/description.php?tid=672

I will be teaching (!) SANS Security 401 in Boulder, Colorado this Oct. 19 - 24th, 2009. This is a great "intro" class for folks starting out in computer and network security. The course covers the most common issues facing computer security professionals today. It's both broad and deep in it's scope of information. The course is broken out into the following daily topics:

Day 1: Networking Concepts
Day 2: Defense In-Depth
Day 3: Internet Security Technologies
Day 4: Secure Communications
Day 5: Windows Security
Day 6: Linux Security

Follow the links above for more detail on the topics covered for each day.

I'm working on getting some guest speakers for the lunch breaks covering more advanced topics. If you know of any folks local to the Boulder area that would be interesting to hear from, let me know!

Discount Code: If you use the discount code COINS-RF when registering, you'll get a 10% discount off the price of the course. Need a bigger discount? Contact me at rfifarek at sans DOT org for more information.

Department of Defense employees and contractors: Please note that the Security 401 SANS Security Essentials course prepares you to pass the GSEC and S+ certifications. These are two of the certifications which meet the requirements listed in DoD directive 8570.1 for IAT Level II employees and contractors. For details, click on http://www.giac.org/info/41124.

-R

WIP: Steps to Grow Physical Volume on LVM on Virtual Machine

2009-07-28T13:05:00.006-06:00

This is a work in progress, expect the post to change, perhaps drastically. This isn't the "simplest" way to do this, you could do this all online, but this allowed us to maintain consistency in setup across multiple physical and virtual machines.

Skeleton outline:

- Snapshot and shutdown the VM (bummer)
- Within VMware Infrastructure Client, extend the disk allocation for the VM
- Power on the VM
- Check that the disk size change is seen by the VM: run dmesg or fdisk -l
- fdisk the disk
- within fdisk, delete the physical partition that you wish to extend, then recreate the physical partition with the same options except extend the size to use the newly added free disk space
- write out the changes to disk and exit
- reboot the VM
- run pvdisplay
- run pvresize on the newly extended partition
- verify that the resize worked by comparing pvdisplay output
- verify that the new "Free PE" has increased with vgdisplay
- use lvcreate (-n LVNAME -L SIZE VolumeGroup) or lvextend to allocate new space

Voila!

Penetration Test Tip: Add already guessed or cracked passwords to wordlist

2009-06-25T15:13:00.006-06:00

When doing a penetration test, password attacks, while they lack the "sex appeal" of using the latest exploits in Metasploit to 0wn a b0x3r, are still disturbingly effective. Additionally, those same passwords are likely to be used on other machines, whether they be initial passwords for new/unused accounts or the same individual uses the same password on different systems.

Either way, once you guess a password (using enum.exe or the like) or crack a password from an encrypted hash (using John the Ripper or the like), add that password to the beginning of the master wordlist or dictionary list that you will use for the remainder of the penetration test, so that password is checked earlier rather than later.

Want to learn more? Check out:
SANS Security 560: Network Penetration Testing and Ethical Hacking

or

SANS Security 504: Hacker Techniques, Exploits and Incident Handling

-R

SANS Rocky Mountain 2009, July 7-13, in Denver, Colorado

2009-06-19T13:14:00.000-06:00

SANS returns to the Mile High City for SANS Rocky Mountain 2009, July 7-13, in Denver, Colorado! Now more than ever, hands-on experience will set you apart from others in the field, so don't miss this opportunity to register today for the best hands-on computer security training money can buy!

We're offering these popular SANS courses emphasizing penetration testing, computer forensics, and certifications for managers and technical staff alike:

* Security 401: SANS Security Essentials Bootcamp Style (GSEC meets DoD8570 IAT II)
* Security 560: Network Penetration Testing and Ethical Hacking (GPEN)
* Management 512: SANS Security Leadership Essentials For Managers with Knowledge Compression(TM) (GSLC certification meets DoD 8570 IAM I, II, III)
* Management 414: SANS® +S™ Training Program for the CISSP® Certification Exam (CISSP cert meets DoD8570 IAM II, III)
* Security 617: Wireless Ethical Hacking, Penetration Testing, and Defense (GAWN)

Firefox and Java for Mac OS X 10.5 Update 4 Issues and Work Around

2009-06-19T13:06:00.003-06:00

The most recent Java update for OS X 10.5 caused some of our Java web apps to break, here's what my coworker came up with for a work around:

Open Finder > Applications > Utilities> Java Preferences.

On the General tab, in each of the 2 windows (Java Applet Plugin & Java
Applications) drag Java SE 6 to the top of the list and then close the
window.

For Firefox:

In the menu bar select Firefox > Preferences.

Click on the Applications tab. Find Java Web Start file in the list
under Content Type.

To the right in the Action collumn click on the drop down and select Use
other....

Navigate to /System/Library/CoreServices/Java Web Start and click open.

Close the Preferences window.

Click on the Link to open you SANS@Home session.

When the window opens asking to open the file click on the drop down
menu and select other and navigate to /System/Library/CoreServices/Java
Web Start and click open.

IT Security Training: SANS Security 560 - Network Penetration Testing and Ethical Hacking, Denver, CO - starting Apr. 14, 2009

2009-03-30T07:49:00.004-06:00

I am running a Mentor class of SANS Security 560 - Network Penetration Testing and Ethical Hacking here in Denver, starting April 14, 2009. To sign up, login to your portal account at http://portal.sans.org, then navigate to:

http://www.sans.org/mentor/details.php?nid=14819

for more details and to register. As a favor to me, if you do register, please enter MENTOR RECRUIT in the comments section. That way, SANS knows I marketed my own class :)

Hope to see you there!

-Rich

OpenBSD pfsync protocol change between 4.3 and 4.4

2009-01-20T13:41:00.005-07:00

This doesn't appear to be well advertised, but there are some protocol changes in pfsync between OpenBSD 4.3 and 4.4 that make them not able to talk to each other.

https://kerneltrap.org/mailarchive/openbsd-misc/2008/12/4/4311914

If you're doing staggered upgrades of firewalls like I did, this might burn you.

"Low Tech Hacking"

2009-01-05T09:32:00.005-07:00

At times, I've been known to rage against "authority" figures and rules, generally minor stuff like speeding, etc. Somewhat related, I enjoy discovering or hearing/reading of others discovering ways of defeating high-tech devices, particularly when the means of defeat is a notably low tech method.

Not to rant too much, but speed/stop light cameras serve only to produce revenue for the city/county/state entitity, they don't save lives in any fashion. I've always been curious about means of defeating the cameras, with super-reflective license plate spray or similar. This one is certainly high on my list of cleverly low tech:

http://gizmodo.com/5069422/the-muppets-animal-caught-speeding-driving-police-crazy

Genius.

OpenVPN chroot and crl.pem

2008-11-24T09:31:00.003-07:00

At my job, we've been debugging a really annoying/frustrating issue where OpenVPN refused to read the crl.pem in the chroot directory:

openvpn[32275]: 192.168.1.24:2420 CRL: cannot read: crl.pem: Permission denied (errno=13)

OpenVPN would drop permissions after the chroot to nobody, but even with full read access permissions on the file and SELinux turned off, this error still occurred. Turns out, the chroot directory had 700 permissions:

drwx------ 4 root root 4096 Aug 29 19:49 /etc/openvpn/chroot

Changing these permissions to 755 (or ownership to nobody) fixed the issue.

Hope this helps.

SANS 2009 in Orlando, Florida March 2-9

2008-11-20T11:06:00.002-07:00

In much the same fashion as Las Vegas in Jan., I expect to be at the SANS conference in Orlando early Mar. Drop me a note if you will be attending, and let's meet up.

Join us once again in the Magic Kingdom for SANS 2009, March 2-9, where
you can receive the best in network and computer security training!
There is a great need for people with deep, technical skills in network
security in today's world. At SANS 2009, you can gain the training that
will ensure that you have those skills.

Timing is great. Flights to Orlando are typically inexpensive, and SANS
has discounted rates on hotel rooms. Register by January 21 to get a
$350 tuition discount. Start making your travel plans now!

SANS top-rated instructors, the 'Voices That Matter,' will be on hand
at this outstanding annual event. Choose from 35 courses that are packed
with immediately-useful techniques and tools! See our Event-At-A-Glance
page (http://www.sans.org/info/35639) for a complete list of courses
including several that are in alignment with DoD Directive 8570
requirements for Baseline IA Certifications. For more information see
http://www.sans.org/info/35644.

"SANS courses are hands-down the best security courses in the
industry." - Scott Hilts, Bruce Power

"SANS offers the real world experience that other training venues
can't." - Tom Boyd, Medco

"Thorough and current material, great presentation, real world
examples." - Jason White, University of Maryland

No SANS national event would be complete without our SANS@Night Series
featuring presentations on the most current topics in information
security by some of the best speakers in the industry.

Part of the package, as always, is an extensive Vendor Tools Expo &
Reception where you'll see live demonstrations of cutting-edge
technologies. Numerous SANS Lunch & Learn presentations and Cocktail
Briefs will help you find the right mix of tools and solutions for your
company's unique challenges.

At SANS 2009, you'll learn more than you can imagine and have countless
opportunities to expand your network of security experts and friends.
There's fun for the entire family, too, as this event takes place right
on the Disney property, minutes from EPCOT and Disney-MGM studios.
(http://www.disneyworld.com) This year, SANS 2009 coincides with ESPN
Weekend, which will feature live ESPN telecasts, motorcades, interview
sessions with famous athletes, and an interactive sports zone.

SANS has arranged discounted room rates at Walt Disney World Swan and
Dolphin Resorts which includes high-speed Internet access in your room.
Make your reservations now as this special deal is based on space
availability. (http://www.sans.org/info/35634)

Now is the best time to invest in your own deep, technical skills - an
investment that helps to ensure your future in uncertain times! So,
register today for SANS 2009. I look forward to sharing both the magic
of Disney and SANS training with you in Orlando!
(http://www.sans.org/info/35629)

Computer Security Training: SANS Security 504 Training in Denver, Colorado

2008-11-19T13:24:00.006-07:00

I'm running a local mentor class of SANS Security 504, starting on Jan. 15th, here's the info (take note of the Apple promotion):

SANS is bringing Security 504: SANS Hacker Techniques, Exploits and
Incident Handling to your local community in our popular Mentor hands-on
format! Beginning on January 15, SANS Mentor Richard Fifarek will be
leading this class in Denver, Colorado. For complete course details,
please click on http://www.sans.org/info/34234.

SANS END OF YEAR APPLE GIFT CARD PROMOTION: For a limited time SANS is
offering a $200 Apple gift card for registering and paying for this
class prior to December 31. Looking to try the new iPhone? Here is your
chance! Simply enter the word "Apple" in the comments box on the second
registration screen and make payment by December 31 to receive a $200
Apple gift card.

Why Choose the Mentor Program?

The Mentor Program, http://www.sans.org/info/34239, consists of small,
locally run, 10 week classes utilizing the same great SANS courseware
presented at the larger conferences. This unique program opens SANS
training up to students with family or work commitments necessitating a
more flexible option. Mentored students report several major benefits
of this format including: cost savings, time to digest the material,
convenient evening classes, small groups, a Mentor "coach", and
community networking.

COST SAVINGS: Is the slowing economy resulting in reduced training
budgets? With the SANS Mentor program, you save 25% off the regular
SANS tuition fee with the ability to save even more with group discounts
(see below). No need to spend money on travel and living expenses or
spend a week away from the family.

PACED STUDY: Take 10 weeks to work through and understand
the material. Past students report that the slower pace allows them to
absorb and apply the information. Each session provides you the
opportunity to apply the materials the next day when you return to the
office!

EVENING CLASSES: The Mentor program provides a method for learning the
SANS materials and working towards a GIAC certification without taking
time off from work.

COMMUNITY NETWORKING: The Mentor program allows you to work with local
security professionals in an open discussion format. This community
networking has been identified by students as a major benefit of the
Mentor program.

One recent Mentor student commented, "I thought that the class was
great. I would consider taking another SANS Mentor Program class. It
was much more convenient than traveling and I had the ability to review
material at my own pace." Clint Barnett - Computer & Information
Security Forensics Examiner

A SANS Institute course delivered locally in Denver, Colorado, by an
experienced SANS Mentor who will lead you over a comfortable and
convenient schedule, saving you money, while giving you the opportunity
to network with local security professionals. What a great
combination!! Plus SANS promises you will be able to use what you learn
in the classroom as soon as you return to the office.

TUITION DISCOUNTS!
SANS offers group registration discounts for 2 or more students who
register from the same organization. To obtain the Group Discount
fee and Registration Code offered for this course, contact Miranda
Ruddick at mentor@sans.org PRIOR to registering, and provide the
names and e-mail addresses of all the students registering within
your organization.

Does this sound like the kind of training that would help
you be more effective in your job? Then register today at
http://www.sans.org/info/34234 and see for yourself the excellent
value of SANS training and GIAC certification!

If you have any questions about this course offering, please contact
mentor@sans.org.

Metasploit Anti-Forensics Project (MAFIA) - Slacker.exe

2008-11-19T11:20:00.010-07:00

One of the tools in the Metasploit arsenal is slacker.exe, which allows an attacker to hide data in the slack space of NTFS. Recently, I've been playing with this scary awesome tool, and wanted to share what I found:

When a file system allocates space for a file, it allocates that space in a predetermined size data container, referred to as “blocks on Linux/Unix systems, and clusters on Windows systems.” (http://www.wikistc.org/wiki/Slack_space_data) As a file is written, blocks or clusters will be allocated to store the contents of the file, and each block or cluster will either be completely full or partially full. However, the size of most files will not be an even multiple of the block or cluster size. For example, a 1KB file is created and written to a file system with a 4KB block or cluster size. The file system can not allocate anything less than 4KB, thus when the file is written, 3KBs of the block or cluster is left unused. This unused space is referred to as slack space. Since this slack space is allocated but unused, it presents an appealing target for attackers to hide data.

As part of the Metasploit Anti-Forensic Investigation Arsenal (MAFIA), the Slacker tool is the first “tool that allows you to hide files within the slack space of the NTFS file system.” (http://www.metasploit.net/research/projects/antiforensics/) Slacker is a command line tool, here’s the help menu:

To hide a file with slacker.exe, one must choose a directory structure within which to select files to hide the data in ( {path} ), how deep to descend into the directory tree ( {levels} ), a file to store metadata for tracking information ( {metadata} ), a password to encrypt the metadata file ( {password} ), and options for how slack space is selected, data is obfuscated or not, and if you wish to use a file as an XOR key. For the purposes of the following example, the file to be stored in slack space was Salary.xls, a directory containing JPEG image files was used as slack space files (C:\Demo), a high resolution JPEG was used as the metadata file (C:\image.jpg), and the password used was “hide”:

To reverse the process, point slacker.exe at the metadata image file (in this case, C:\image.jpg) and supply the password and a filename for the extracted data:

Md5sum shows the extracted file and the original to be identical:

Looking at one of the files that were used for slack space to store the data and the original file, md5sum shows them to appear as identical as well:

which is the expected behavior, since slacker.exe will reset the file pointer to the original location after it completes it’s work. The same applies to the metadata file:

The only attribute that noticeably changes on either the slack space file or the metadata file is the “Date Modified” attribute, which can be reverted back using another tool in the MAFIA toolkit, timestomp.exe, discussed later. The data stored in the slack space files is unencrypted, but the metadata file information is stored in the slack space encrypted, thus preventing a forensic analysis from easily locating and retrieving the list of files that slacker.exe wrote the data out to. Without a tool that can read raw disk sectors, this type of data hiding would be easily missed, and with such a tool, tedious and very time consuming to locate.

Computer Security Training in Las Vegas, NV

2008-11-19T10:55:00.006-07:00

I'm scheduled to be in Las Vegas, NV this coming Jan. for SANS Security West, January 24 - February 1. If any of you reading this will be there, give me a shout, and let's meet up!

SANS is offering it's usual collection of top notch training classes:

- SEC401: SANS Security Essentials Bootcamp Style
- SEC504: Hacker Techniques, Exploits and Incident Handling
- SEC508: Computer Forensics, Investigation, and Response
- SEC560: Network Penetration Testing and Ethical Hacking
- MGT512: SANS Security Leadership Essentials for Managers with Knowledge Compression(tm)
- SEC501: Advanced Security Essentials -- Enclave Defender - NEW
- MGT414: SANS(r) +S(tm) Training Program for the CISSP(r) Certification Exam
- SEC502: Perimeter Protection In-Depth
- SEC503: Intrusion Detection In--Depth
- LEG523: Legal Issues in Information Technology and Information Security

They also have a great lineup of evening talks for attendees:

- Hot Trends 2009-2010 - Stephen Northcutt
- Crypto: The Pain Killer of Choice - Eric Cole
- Client Side Attacks: Forget 0-day, time for 0-exploit - Kevin Johnson
- Electronic Records Out of Control - Ben Wright
- State of the Hack: The Chinese Threat - Rob Lee

Hope to see you there!

Sguil RPMS and YUM Repository

2008-03-07T08:57:00.006-07:00

In an effort to improve the install process for Sguil, I've created and maintain a Sguil YUM repository for RHEL/CentOS 4/5 systems at:

http://synfulpacket.net/sguil (Sguil version 0.6.1)

or

http://synfulpacket.net/sguilcvs (Sguil version 0.7.0)

From the readme:

This is a *beta* Sguil 0.7.0 repo, so use at your own risk. It's intended to
work on CentOS 4 and 5.

In order to use this yum repo, you'll need to do the following:

1. Create a yum.conf entry. For CentOS 4+, create /etc/yum.repos.d/synful-sguilcvs.repo
with the following contents:
------------------ Below this line ------------------------

[sguil]
name=Sguil Repo at synfulpacket.net
baseurl=http://synfulpacket.net/sguilcvs/$releasever
gpgcheck=0

------------------ Above this line ------------------------

$releasever will expand to 5Client on RHEL5 Desktop installs,
I've placed a symlink to allow those installs to work.

2. Add the following line to CentOS - Extras:

exclude=libnet*

Now you should be able to run:

yum -y install sguil-server
yum -y install sguil-sensor
yum -y install sguil-client

and have the neccessary software download and installed.

Please report ANY issues to rfifarek *AT* synfulpacket *DOT* net, as this is completely
maintained by me.

Enjoy.

Richard H. Fifarek
rfifarek *AT* synfulpacket *DOT* net

In order to use the Sguil 0.6.1 repository, replace sguilcvs with sguil.

Thanks!

OpenBSD carp incorrect hash

2007-10-11T07:57:00.000-06:00

It's been a long time since I've posted anything here, and to you loyal readers (ha!), I apologize. I took on a new job in June, and have been spending all my energy building a new corporate data center essentially from scratch. It's a valuable experience, but time consuming. I really haven't done much true security work.

One project that I've been involved in was building a pair of redundant OpenBSD (4.1, 4.2) firewalls for the network. We ran into an interesting issue with CARP. Each firewall was complaining that the other was sending CARP packets that were corrupted, generating a log error of:

carp0: incorrect hash

On firewall1, our /etc/hostname.carp0 looked like:

inet 10.1.1.1 255.255.255.0 10.1.1.255 vhid 1 pass FunkyPassword advskew 1
inet alias 10.1.1.2 255.255.255.255
inet alias 10.1.1.3 255.255.255.255
inet alias 10.1.1.4 255.255.255.255
inet alias 10.1.1.5 255.255.255.255
inet alias 10.1.1.6 255.255.255.255

On firewall2, our /etc/hostname.carp0 looked like:

inet 10.1.1.1 255.255.255.0 10.1.1.255 vhid 1 pass FunkyPassword advskew 2
inet alias 10.1.1.2 netmask 255.255.255.255
inet alias 10.1.1.3 netmask 255.255.255.255
inet alias 10.1.1.4 netmask 255.255.255.255
inet alias 10.1.1.5 netmask 255.255.255.255
inet alias 10.1.1.6 netmask 255.255.255.255

In the manner in which I presented it here, the error should jump out almost immediately, however we were focused on the carp interface line (the first one), not on the aliases. Turns out that CARP packet hashes are based on ALL the uncommented information in /etc/hostname.carp0. The only difference should be the advskew value.

As always, the moral of the story, typos/details matter.

Hope this helps others not waste their time like I did :)

Rich

kernel + PF_RING rpm

2007-04-04T15:37:00.000-06:00

This is an update to my original post regarding PF_RING and how to build it. In this post, I'll be walking through just the steps of building the PF_RING kernel patch, and then building kernel RPMS with the added patch. This will simplify the process if you wish to use PF_RING on many sensors. Obviously, compiling on every machine is a waste of time and really not scalable. This post will duplicate some of the information from the original.

My work is on RedHat Enterprise 4, so if you are using a different distro, your mileage may vary, however, it shouldn't be drastically different.

UPDATE: Here's a Debian Sarge oriented howto:
http://bjou.homeunix.net/blog/2006/12/advanced-packet-capturing-howto-pf_ring-napi-and-extended-libpcap-on-debian-sarge/

There are 2 Fedora Core (4 and 5) instruction pages at:

http://wiki.ntop.org/mediawiki/index.php/Installing_PF_RING_and_nProbe_on_Fedora_Core_4_%28FC4%29

and

http://wiki.ntop.org/mediawiki/index.php/Installing_on_Fedora_Core_5_%28FC5%29

that these are based upon, and (hopefully) expand upon. Thanks to the authors of those.

Before beginning, make sure that your system is fully up to date with patches. These instructions presume that you have at least 2+ GBs of free disk space, primarily in /usr/src.

1. Software packages needed (in addition to a minimal install on RHEL):

glibc-kernheaders
autoconf
automake
bison
flex
cvs
gcc
gcc-c++
libtool
tcl (note this version is compiled without threading, so good for Sguil)
tcl-devel
tclx
rpm-build
redhat-rpm-config
openssl-devel
pcre-devel
ncurses-devel

On a registered RHEL, you'd run the command:

up2date -f install [package_name]

to download package_name and required dependencies, and install them.

* Note: not all of these are necessary for just PF_RING, however, are needed for other things like Snort, Sguil, barnyard, www.metre.net/sancp.html">SANCP, etc.

2. Remove software:

At a bare minimum, the following software packages need to be removed:
libpcap
ppp *
rp-pppoe *
wvdial *

The command to do this is:

rpm -e

* relies on libpcap. If needed, will need to be recompiled with the new libpcap that we'll compile and install later.

3. Install the kernel src.rpm of the latest kernel (on RHEL, kernel-2.6.9-42.0.10.EL.src.rpm at the time of this writing).

For RHEL 4, the file will be located ftp.redhat.com. For example, to get the latest kernel for RHEL as of today, you'd run the command:

wget ftp://ftp.redhat.com:/pub/redhat/linux/updates/enterprise/4XX/en/os/SRPMS/kernel-2.6.9-42.0.10.EL.src.rpm

where XX is the type of RHEL 4 you're running: Desktop (uhh, desktop), WS (workstation), ES (enterprise server), or AS (advanced server). If you don't know, run the command:

[root@hostname ~]# cat /etc/redhat-release
Red Hat Enterprise Linux WS release 4 (Nahant Update 4)

In this case, this machine was a workstation, so use WS.

Now install the kernel with the command:

rpm -ivh kernel-2.6.9-42.0.10.EL.src.rpm

This will place the vanilla 2.6.9 kernel src, RedHat's patches, spec file, etc. into /usr/src/redhat/{SOURCES,SPECS}.

4. Prep the kernel for the PF_RING patches.

Now we need to prep the kernel. First, change to the appropiate directory:

cd /usr/src/redhat/SPECS

Then run the command:

rpmbuild -bp --target $(arch) kernel-2.6.spec

If this works, you should see something similar to the following:

Building target platforms: i686
Building for target i686
Executing(%prep): /bin/sh -e /var/tmp/rpm-tmp.7797
+ umask 022
+ cd /usr/src/redhat/BUILD
+ LANG=C
+ export LANG
+ unset DISPLAY
+ cd /usr/src/redhat/BUILD
+ rm -rf kernel-2.6.9
+ /bin/mkdir -p kernel-2.6.9
+ cd kernel-2.6.9
+ /usr/bin/bzip2 -dc /usr/src/redhat/SOURCES/linux-2.6.9.tar.bz2
+ tar -xf -
+ STATUS=0
+ '[' 0 -ne 0 ']'
++ /usr/bin/id -u
+ '[' 0 = 0 ']'
+ /bin/chown -Rhf root .
++ /usr/bin/id -u
+ '[' 0 = 0 ']'
+ /bin/chgrp -Rhf root .
+ /bin/chmod -Rf a+rX,u+w,g-w,o-w .
+ cd linux-2.6.9
+ echo 'Patch #3 (patch-2.6.9-ac11.bz2):'
Patch #3 (patch-2.6.9-ac11.bz2):
+ /usr/bin/bzip2 -d
+ patch -p1 -s
[snip]
removed `./net/xfrm/xfrm_state.c.orig'
removed `./net/socket.c.orig'
removed `./net/netlink/af_netlink.c.orig'
removed `./net/ipv6/ip6_output.c.orig'
removed `./net/ipv6/addrconf.c.orig'
removed `./net/ipv6/netfilter/ip6_tables.c.orig'
removed `./net/bluetooth/af_bluetooth.c.orig'
removed `./net/8021q/vlan.c.orig'
removed `./net/sched/sch_api.c.orig'
+ find . -name '*~' -exec rm -fv '{}' ';'
+ exit 0

This applies all of the various patches (nearly 1000) to the vanilla kernel tree that RedHat applies to it's kernels.

Now we need to create a symlink to that patched kernel source to /usr/src with the command:

ln -s /usr/src/redhat/BUILD/kernel-2.6.X/linux-2.6.X /usr/src/linux

where X is the subversion. In this case, for RHEL 4, X = 9.

5. Download and build the PF_RING patch for your kernel.

Now we need to get the PF_RING patches downloaded and built for our kernel. PF_RING is currently only available via CVS. To do this, run the following:

cd /usr/src
CVSROOT=:pserver:anonymous@cvs.ntop.org:/export/home/ntop;export CVSROOT
mkdir pf_ring && cd pf_ring
cvs login

which should produce the following output:

Logging in to :pserver:anonymous@cvs.ntop.org:2401/export/home/ntop
CVS password:

At the prompt, type "ntop" (no quotes), and hit Enter. (Note: ntop will not appear on the screen.) Next type the following:

cvs checkout PF_RING

which, if it works, should produce something simliar to the following:

cvs checkout: Updating PF_RING
U PF_RING/README
U PF_RING/mkpatch.sh
cvs checkout: Updating PF_RING/kernel
U PF_RING/kernel/README
cvs checkout: Updating PF_RING/kernel/include
cvs checkout: Updating PF_RING/kernel/include/linux
U PF_RING/kernel/include/linux/ring.h
cvs checkout: Updating PF_RING/kernel/include/net
U PF_RING/kernel/include/net/PATCH-to-sock.h
cvs checkout: Updating PF_RING/kernel/net
U PF_RING/kernel/net/PATCH-to-Config.in
U PF_RING/kernel/net/PATCH-to-netsyms.c
cvs checkout: Updating PF_RING/kernel/net/core
U PF_RING/kernel/net/core/PATCH-1-to-dev.c
U PF_RING/kernel/net/core/PATCH-2-to-dev.c
U PF_RING/kernel/net/core/PATCH-3-to-dev.c
cvs checkout: Updating PF_RING/kernel/net/ring
U PF_RING/kernel/net/ring/Config.in
U PF_RING/kernel/net/ring/Kconfig
U PF_RING/kernel/net/ring/Makefile
U PF_RING/kernel/net/ring/Makefile-2.4.X
U PF_RING/kernel/net/ring/Makefile-2.6.X
U PF_RING/kernel/net/ring/ring_packet.c
cvs checkout: Updating PF_RING/userland
cvs checkout: Updating PF_RING/userland/libpcap-0.9.4-ring
U PF_RING/userland/libpcap-0.9.4-ring/README
U PF_RING/userland/libpcap-0.9.4-ring/pcap-int.h
U PF_RING/userland/libpcap-0.9.4-ring/pcap-linux.c
cvs checkout: Updating PF_RING/userland/libpfring
U PF_RING/userland/libpfring/Makefile
U PF_RING/userland/libpfring/pfcount.c
U PF_RING/userland/libpfring/pfring.c
U PF_RING/userland/libpfring/pfring.h
cvs checkout: Updating PF_RING/userland/pcount
U PF_RING/userland/pcount/Makefile
U PF_RING/userland/pcount/pcount.c

The current version of PF_RING comes with a script that creates a patch specific to your kernel. Now we'll get things in order to run that script with the following commands:

cd /usr/src/pf_ring/PF_RING
mkdir workspace
cd workspace
cd /usr/src/redhat/BUILD/kernel-2.6.X/linux-2.6.X
tar -czf /usr/src/pf_ring/PF_RING/linux-2.6.X.tar.gz linux-2.6.X
cd /usr/src/pf_ring/PF_RING

where X = 9 for RHEL4 (broken record).

Now edit the file mkpatch.sh, and adjust the following variables to match your environment:

SUBLEVEL=${SUBLEVEL:-18.1}

EXTRAVERSION=${EXTRAVERSION:--i686-smp-$PATCH}

For example, on RHEL 4, you'd change to the variables to:

SUBLEVEL=${SUBLEVEL:-9}

EXTRAVERSION=${EXTRAVERSION:--42.0.10.ELsmp-$PATCH}

Save your changes, and run the script:

sh ./mkpatch.sh

If all goes well, the output should look similar to the following:

Creating patch for Linux kernel linux-2.6.9 ...
Edit this file (mkpatch.sh) for a different kernel version
Kernel build area is /usr/src/pf_ring/PF_RING/workspace
rm: cannot remove `/usr/src/pf_ring/PF_RING/workspace/ring3': No such file or directory
Creating link to /usr/src/pf_ring/PF_RING in /usr/src/pf_ring/PF_RING/workspace called ring3
Found linux-2.6.9.tar.gz in source directory /usr/src/pf_ring/PF_RING/workspace
Untarring Linux sources (read-only tree) in /usr/src/pf_ring/PF_RING/workspace/linux-2.6.9
Cloning Linux sources (read-write tree) in /usr/src/pf_ring/PF_RING/workspace
Patching Linux sources ...
1. Install additional file include/linux/ring.h with definitions
for packet ring.
done
2. Install the ring sources under the kernel tree.
Installing kernel ring sources in
linux-2.6.9-42.0.3.ELsmp-ring3/net/ring ... done
3. Patch net/core/dev.c ...
Patch #1 (define ring_handler)
Patch #2 (modify function netif_rx and netif_receive_skb)
Patch #3 (modify dev_queue_xmit, found in PATCH-3-to-dev.c)
... done
4. Patching file net/Makefile ... done
5. Copy net/ring/Kconfig to linux-2.6.9-42.0.3.ELsmp-ring3/net/ring/Kconfig done
6. Patching file net/Kconfig ... done
diff --unified --recursive --new-file linux-2.6.9 linux-2.6.9-42.0.3.ELsmp-ring3 > linux-2.6.9-42.0.3.ELsmp-ring3.patch
Making Linux patch file. This could take some time, please wait ... done
Your patch file is now in /usr/src/pf_ring/PF_RING/workspace/linux-2.6.9-42.0.3.ELsmp-ring3.patch.gz

6. Apply the patch and build the kernel.

To setup the patch to be applied during the kernel RPM build, do the following:

gunzip /usr/src/pf_ring/PF_RING/workspace/linux-2.6.*patch.gz
cp /usr/src/pf_ring/PF_RING/workspace/linux-2.6.*patch /usr/src/redhat/SOURCES
cd /usr/src/redhat/SPECS

In the /usr/src/redhat/SPECS directory, there should be a kernel-2.6.spec file, apply the following patch to that file (adjust as you desire, but this works for me):


--- kernel-2.6.spec     2007-04-04 23:42:58.000000000 +0100
+++ kernel-2.6.spec.new 2007-04-04 18:18:37.000000000 +0100
@@ -22,7 +22,7 @@
# that the kernel isn't the stock distribution kernel, for example by
# adding some text to the end of the version number.
#
-%define release 42.0.10.EL
+%define release 42.0.10.EL.ring3
%define sublevel 9
%define kversion 2.6.%{sublevel}
%define rpmversion 2.6.%{sublevel}
@@ -699,6 +699,7 @@
Patch1333: linux-2.6.9-net-sctp-shutdown.patch
Patch1334: linux-2.6.9-net-sctp-receive-buffer.patch
Patch1335: linux-2.6.9-net-sctp.patch
+Patch1336: linux-2.6.9-42.0.10.ELsmp-ring3.patch

# NIC driver updates
Patch1350: linux-2.6.9-net-b44-4g4g.patch
@@ -2376,6 +2377,8 @@
%patch1334 -p1
# various sctp fixes
%patch1335 -p1
+# ring3
+%patch1336 -p1

# NIC driver fixes.
# Fix problems with b44 & 4g/4g

Exit and save the spec file. Change the directory:

cd /usr/src/redhat/SOURCES

and edit the following files:

kernel-2.6.9-i686.config
kernel-2.6.9-i686-hugemem.config
kernel-2.6.9-i686-smp.config

to include the following:

CONFIG_RING=m

similar to the following:

CONFIG_UNIX=y
CONFIG_NET_KEY=m
CONFIG_RING=m
CONFIG_INET=y
CONFIG_INET_TUNNEL=m

Run the following to compile the kernel, and build the RPMs:

rpmbuild -ba --target i686 /usr/src/redhat/SPECS/kernel-2.6.spec

If all goes well, you'll have RPMs in /usr/src/redhat/RPMS/i686 similar to:

kernel-2.6.9-42.0.10.EL.ring3.i686.rpm
kernel-debuginfo-2.6.9-42.0.10.EL.ring3.i686.rpm
kernel-devel-2.6.9-42.0.10.EL.ring3.i686.rpm
kernel-hugemem-2.6.9-42.0.10.EL.ring3.i686.rpm
kernel-hugemem-devel-2.6.9-42.0.10.EL.ring3.i686.rpm
kernel-smp-2.6.9-42.0.10.EL.ring3.i686.rpm
kernel-smp-devel-2.6.9-42.0.10.EL.ring3.i686.rpm

Install these RPMs as per usual, and reboot.

Enjoy.

FTP PORT command

2007-03-21T13:09:00.000-06:00

Where I work, we maintain a popular FTP site that serves up Terabytes of weather and climate research datasets. Obviously, this particular server is a Tier 1 service for IT, so I pay close attention to security issues with this machine.

Since it's running an FTP daemon, any number of FTP exploits or abuses are attempted on it, one in particular (an oldie but goodie) is the "FTP PORT Bounce attack". My IDS triggers on this with regularity, and on occasion I double check to make sure that the server isn't vulnerable to it.

Understanding the attack first requires understanding what the FTP PORT command does. In the FTP world, the PORT command isn't as common as it was previously since most sites have migrated away from "active" FTP to "passive" FTP. The PORT command was a standard part of an active FTP session, and while we encourage passive FTP, we still see active sessions being used legitimately. During an Active FTP session, when data is being sent over the data channel (not the command channel), the server initiates the connection to the client on the port number specified. The PORT command's syntax is:

PORT X1,X2,X3,X4,P1,P2

where X1, X2, X3, X4 are the IP address and P1, P2 are translated into a port number by multiplying P1 by 256 and then adding the resulting number to P2. So, for example, a packet capture that contains the following:

PORT 172,16,4,128,16,155

is trying to setup an active FTP session to 172.16.4.128 on port 4251 ((16*256) + 155).

There are a number of ways that this can be abused. Earlier versions of FTP server software didn't check the IP address supplied to make sure that it matched the IP address that it was sent from. This allowed the following to be accomplished:

- port scanning
An attacker can use a vulnerable FTP server to do port scanning for them. By specifying the IP address of the victim and stepping through the port numbers that the attacker is curious about, the FTP server can be used to port scan a victim with the added advantage of the scan appearing to come from the FTP server, not the attacker.

- bypass firewalls
Because the connection is initiated by the FTP server and not the attacker, packet filter devices maybe configured to allow traffic to traverse the firewall if the connection comes from a "trusted host" such as the FTP server.

Enjoy.

OT: A car guy that hates buying cars

2007-03-09T15:48:00.000-07:00

I'm a bit of a sports car nut, much to the chagrin of my beautiful, wonderful, loving wife (hi honey!). Cars, to her, are expensive, horrible investments that are scary necessities of life, and fast cars are the worst of the bunch. Ok, so she might be right, but she's missing one key element. The right car on the right road can be SO much fun.

We are looking to replace our boring, underpowered, really reliable Honda Civic. Since we live in Colorado, we both agreed that our next car has to have all-wheel drive, manual and be a 4 door sedan. 4-door sedans are a dime a dozen, but all-wheel drive is more "exclusive". That's where I stepped in and ruined it all. I want something that I ENJOY driving, a 4-door all-wheel drive sports sedan. Well, that knocked the potential contenders down quite a bit. Since I was allowed my requirement, to be fair, my wife was now given the opportunity to add hers, if she had one. She responds with "It has to be more luxurious than the Civic. It has to have leather interior, heated seats ... you know, luxury." Oh hell, we are SCREWED.

So, what we're left with (that we have any chance of affording) falls into either a family sedan or upscale sedan category, depending on who you talk to. The contenders are:
Audi A4 2.0T Quattro
BMW 328xi
Lexus IS250
MazdaSpeed6
Mercedes-Benz C-Class
Subaru Legacy 2.5GT Limited
Subaru WRX STi Limited
Volkswagen Passat
Volvo S60 R

The Lexus, Volkswagen, and the Volvo don't have the combination of performance and handling that I require, and the MazdaSpeed6 and MB C-Class are notably less reliable than average. The WRX STi is a brute, so much so that it would probably give my wife a heart attack, and not to mention, the Limited version is quite difficult to find, leaving:

Audi A4 2.0T Quattro
BMW 328xi
Subaru Legacy 2.5GT Limited

The Subaru is the bang-for-buck winner, hands down, and has a lot of aftermarket upgrade appeal. The BMW is a true drivers car, with a silky smooth inline-6, great handling and feel, but ouch, you pay for it. The A4's new 2.0T engine has solved some of the issues with the turbo lag of the original 1.8T, but it's still the weakest of the bunch.

Where's that winning lottery ticket when I need it?

Cheers.

Re: Security Mentoring

2007-03-01T09:08:00.000-07:00

Richard Bejtlich of TaoSecurity posted a response to this post, all of which got me thinking about how I got where I am today in my career, and how I expect to continue "forward".

To sum it up, I know I am where I am today because of two things:

- I continue to learn about my job (currently IT Security)
- Listening to people further along in their careers than I

Longer version:

#1: Life-long learning.
It's a cliche, I know, but it's a cliche because it's true. I spend many hours reading documentation, white papers, email discussion lists, etc. about the topics that pertain to my career and interests. I do my best to "teach myself" about new (or old) things that I feel I need and want to learn, and a very important part of this learning is breaking things, and learning how to fix them (all hail Google). I know there is a taboo about making mistakes, but honestly I'm a better employee because I make mistakes and learn from them, not because I avoid them by avoiding work. Regardless, continuing to stay "in learning mode" has been, by far, the most important and beneficial thing I have done to advance my career. Bar none.

#2: Pay attention to those around you, and the steps they took in their career paths.
People generally like to talk about themselves and their accomplishments, it's in our nature (why do you think I'm writing this? ;) ). In most situations, you are going to have someone you work for (read, "the boss" but it could also be anyone you consider a mentor), and in some situations you will have someone less senior working with you or possibly directly for you. Assuming you haven't reached what you consider is the pinnacle of your career (and only you can decide that), the position that you work for would be a next logical step in your career. Ask your boss about their career path to get a sense of what steps that person took to get there, but just as important, what steps they didn't take. Listen to what he or she says, but also listen to what they don't say. You can glean interesting, and potentially valuable, information from them. Not all bosses are equal, though, so learn to pick out the good bits from the bad.

"Deep thoughts, by Rich Fifarek"

3Ware disk copying

2007-03-01T08:38:00.000-07:00

I use a number of systems with 3Ware IDE RAID cards. Recently, we had a drive start giving us fits on one of the 3Ware cards. I'm not entirely convinced that the problem was the drive (I'm starting to think it was the power supply or long shot, motherboard), but in the process I discovered that if the drive is still readable, you can do a "dd" from the drive in the array to a new drive, and once complete, the 3Ware card will recognize the new drive as if it were the old drive. Since this was a 1TB RAID0 array, that was a nice option to have rather than rebuild the array from scratch and lose the data on there. Granted, it's RAID0 so the data wasn't critical, but it was nice to get it back nonetheless.

To do this, boot a live Linux CD distro, like Knoppix with the old drive plugged in as the Primary IDE Master and the new drive plugged in as the Secondary IDE Master, run the following:

dd if=/dev/hda of=/dev/hdc

as root. This process will take hours typically, so be patient. If you'd like to track it's progress, suspend the dd process (ctrl-Z), and then tell it resume running in the background (type bg, and then hit enter). Run the command "pidof dd" to get the PID of the dd process. To monitor the process of the disk copy, run "kill -USR1 [PID]", where [PID] is the number returned by "pidof dd".

Once complete, place the new drive in the 3Ware system, and it should show up as part of the original array.

Enjoy.

What's an IT Security person's "perfect" setup?

2007-02-16T10:01:00.000-07:00

Recently, I've been thinking about what would be an ideal "setup" for my position as an IT security person. I deal with a lot of sensitive information, both regarding people that I work with and about the systems that I'm responsible for securing.

What I mean when I say setup, is the equipment that I use to do my job. For example, I have to print out patch level reports for the rest of the team so that they can "go forth and patch". Problem is that the traffic between my scanning machine and the printer is unencrypted. If someone were already into our system, they could potentially grab a nice concise list of our vulnerabilities off the wire as my print job passes by. NOT GOOD. Stuff like that.

So here's an off the top of my head start:

- Multiple OS Desktop(s)
There are numerous ways to accomplish this, starting with 1 physical machine for each needed OS, up to a Virtual Machine for each OS. Typically, the general consensus is that you'll need a MS Windows instance and some UNIX or UNIX-like OS (Linux, *BSD, or Mac OS X) instance, to get good coverage for the various tools of the trade.

- Backups
Since this desktop machine will contain sensitive material, the backups should be performed encrypted, and ideally, separate from the standard backup system.

- Decent network printer
This is a tricky one because most IT budgets don't have room for a nice (for n values of nice) printer dedicated to one person, they are typically a shared resource. Most folks won't need color, so you can save by going with a black and white printer, however, it needs to be reasonably quick (say, 30 ppm), duplex capable (try not to kill a tree a day), reasonable cost per page, and durable.

- Office space
A security persons work space should ideally be a single occupant office, with a restricted (ideally documented and access logged) set of people that have access to the office. You can really get picky and require that janitorial staff are escorted by authorized individuals.

- Shredder, burn bin, or documentation destruction
Some form of documentation destruction should be employed, dictated in some sense by the sensitivity of information printed.

- Management Network
Ideally, this would be physically separate from your production network, and not only involve dedicated network security devices (IDS sensors and servers, firewalls), but also network infrastructure devices (routers, switches, bridges). Budgets and designs restrictions may limit one's ability truly achieve this, but the closer you can get, the better.

Issues to consider:
- Internet access for the desktop
You generally wouldn't want to allow internet access out from the management network, but the security person will need Internet access to do research pertinent to his or her job.

I'll update this post as I think of more. Please post any ideas you might have in the comments, or email me at rfifarek at gmail.com.

Enjoy.

Sguil Yum Repository

2007-02-14T14:33:00.000-07:00

As some of you (may) know, I've been working on creating a Sguil YUM repository, currently aimed at CentOS 4.X (which should work with RHEL 4.X). The end goal is to have a repository that you could point YUM at, and then execute:

yum install sguil-server

or

yum install sguil-sensor

where sguil-server and sguil-sensor are meta packages that pull down all the necessary binary packages needed to install a Sguil server or sensor. These package lists and versions are taken from InstantNSM.

It's not finished yet, but Real Soon Now (tm). I'll post updates as they come.

Solaris 10/11 Telnet Exploit

2007-02-12T10:16:00.000-07:00

I'm not going to repeat what others have already said regarding the telnet+login vulnerability, other than:

If you are running telnet, and it's internet facing, then you have much more fundamental network security problems to workout.

Solaris 10 - First Try

2007-02-09T07:23:00.000-07:00

I've been trying to install Solaris 10 yesterday and today, and have run into a nasty endless loop.

At work, we have a fairly large installation of Solaris 8. Our plans were to slowly replace our Solaris 8 SPARC machines with RedHat Linux Intel machines, with a target date of Oct. 2010. However, as time progresses these Solaris 8 machines are becoming more and more difficult to support software wise with regard to network integration. So, we're evaluating Solaris 10 as a stop gap upgrade.

Solaris 8 has given us problems in the past with package (and subsequent patch) dependencies, and our solution has been to "install everything", for better or worse. So, I did the same for Solaris 10, including the Solaris Validation packages. The initial install (from DVD) went smoothly, and rebooted off the hard drive just fine. It then brought up a secondary install step, where it asked for Solaris 10 software 5 CD/DVD. I popped the DVD in, hit Ok, and it promptly spit it out. Ok, given that it was the Validation software, which I likely didn't need, I told it to skip the software install. It continued forward, and asked me to Reboot the machine. I clicked on Reboot Now, and then ... nothing. Clicked again, nothing. Ok, I opened up a Terminal window, and typed reboot at the prompt, which worked. The machine rebooted, and launched the software installer again. Wash, rinse, repeat.

So, my next step was to download the ISO for CD 5 (wasn't that supposed to be part of the DVD????), and burn that. Well, this time it accepted the CD 5, and installed the software, so I figured I was in the clear. Reboot Now button still didn't work. Rebooted via the command line, and was promptly asked to install the software I had just installed. Lovely. Tried various tricks, but to no avail. So, this morning, I gave up, and started from scratch, however, this time I didn't select the Validation Packages. This will inevitably come back to bite me at the most inopportune time somewhere in the future when I've forgotten about Validation Packages and endless install+reboot loops (what is this, Windows?).

Long story short, removing the extra Validation packages from the install list solved this problem, and the machine booted properly.

It's interesting that they call the GNOME desktop environment, the Java Desktop.

Enjoy.

To Encrypt or Not to Encrypt

2007-02-01T14:19:00.000-07:00

Most computer folks would agree, encryption is a good thing, and for the most part, so would I. However, the point where it becomes harder to justify is when there is an IDS in the mix. There are things that you can do to "get around" the problem, but no matter how you look at it, encryption makes IDS harder to do.

As I mentioned in a previous post, one of the things I use my IDS for is to monitor software that reports it's version number over the network in some fashion. All I do is look for a particular combination of destination port, and a string within that packet, and I can pick out what version of software a machine is reporting. Very effective in catching out of date software that was missed in the last round of upgrades.

Once you add encryption to this, it becomes significantly more difficult to do this type of monitoring, along with numerous others. What happens when a Trojan bot connects to IRC using SSL? I can no longer see the commands that were issued to the bot, but seeing encrypted IRC traffic still tells me that something. Same thing with HTTPS, however, HTTPS traffic isn't likely to be considered unusual.

Food for thought.

Enjoy.

Dual Boot FreeBSD 6.2 and Linux (CentOS 4.4)

2007-02-01T12:27:00.000-07:00

I've been building some machines for testing various network foo, and found that this would a good opportunity to try FreeBSD again. I've been heavily into Linux lately, mainly due to job requirements, but I don't want my *BSD skills to horribly stagnate (shocking coming from a gov't employee, I know), and this seemed like a good time. Since I can't get completely away from Linux, I wanted this machine to be dual boot.

The first obstacle was installation. FreeBSD still uses, by default, an ncurses-based menu driven install, although I understand there is a GUI install system being developed. No problem, as I'm just as comfortable on the command line as I am with a graphical interface. Installing CentOS 4.4 has the option of a text menu install, but it defaults to a graphical install (my biggest annoyance with RH/Fedora/CentOS install (anaconda?) is that it picks the strangest hard disk layouts if you don't specify exactly what you want, and sometimes it even screws that up). The difference in install methods speaks to how Linux is trying to be everything to everybody, whereas FreeBSD is comfortable sticking to it's roots. Personally, I'm on the fence as to whether either camp has it "right." Both installs went smooth.

I installed FreeBSD first, giving it the first half of the hard drive (1 partition, with 5 slices within that partition), and CentOS the last half of the disk with 3 partitions. Given the maturity and open source nature of both of these operating systems, I was surprised that CentOS didn't recognize that FreeBSD was installed, and offer to add it to the GRUB boot menu like it would have done if it detected MS Windows something or other. Silly. Reminds me of Mom yelling at us as a kid, "Now children, stop fighting and play nice."

Anyway, the fix to that was (thankfully) fairly simple because GRUB is such a well designed boot loader. After installing CentOS, it left itself as the only option, so I boot into that, and edit /etc/grub.conf (symlink to /boot/grub/grub.conf), and add the following (YMMV, primarily with regard to partition numbers, etc.):

title FreeBSD 6.2
root (hd0,0,a)
kernel /boot/loader

and upon the next boot, FreeBSD 6.2 will be a boot option. Selecting it from the list allowed it to boot normally.

Enjoy.

Solaris 10 Ping-of-Death

2007-01-31T17:16:00.000-07:00

Once again, proof that "oldie-but-goodie" attacks (to quote Ed Skoudis) are still prevalent, and, scarier yet, still EFFECTIVE, ISC announced that there is a Ping-of-Death attack that will cause a kernel panic on Solaris 10. As of right now, there's not much info, you can read more over at ISC.

The obvious mitigation is to filter ping (ICMP echo-request) at your border router/firewall. There isn't much need to allow ping into your network.

Enjoy.

Netscreen VIP ("Service not supported for this VIP")

2007-01-31T16:52:00.000-07:00

While setting up a Netscreen 5GT, I ran into a bit of a perplexing issue.

Some background:

I was setting up the 5GT to do interface NAT from the Trust interface to the Untrust interface, with one caveat. I wanted to be able to Ssh from the Untrust interface to a machine on the Trust interface. Simple VIP (Virtual IP) right? Yes and no. In this case, since I had only 1 IP to play with on the Untrust interface, I setup the VIP on the Untrust IP itself.

The problem: when trying to create a VIP service (Network -> Interface -> Edit -> VIP/VIP Services, click on New VIP Service) with the Ssh port (22) on the same IP as the Untrust interface, it balks with the error message: "Service (port=22) not supported for this vip 192.168.1.1". WTF?

Turns out, that even though the Ssh management wasn't enabled on the Untrust interface, it still had the port reserved, such that I couldn't create a VIP service on that port. In order to get this to work, I had to change the Ssh port on the management (still disabled mind you) settings to 2222, so that I could then create the VIP service. To do this, in the WebUI, click on Configuration -> Admin -> Management, and change the Ssh port. If you wish to serve port 80 in a similar fashion, you'll need to change the HTTP port as well.

UPDATE: A reader (wow, someone actually reads this mindless drivel!) pointed out that this alone doesn't fix the problem, as you also need to create a policy rule that allows the Ssh traffic to pass through. In the WebUI, click on Policies. Set the drop down boxes at the top of the page to:

From: Untrust To: Trust

and click on New (in the right hand corner). Name the Policy something meaningful, and set the Source address to (ideally) a list of subnets to allow access from. Set the destination address to the VIP interface that you created (for me VIP::1), set the Service to SSH, and make sure the Action is set to Permit. Adjust other settings as necessary for your environment.

Enjoy.

Using IDS to monitor versions

2006-12-13T11:18:00.000-07:00

This probably isn't a new idea per se, but I've started experimenting with using our network IDS to monitor patchlevels on certain applications. The "low hanging fruit" in my case happens to be Thunderbird, which advertises it's version number in every email sent by it in the User Agent field. So, I write a Snort rule to flag versions that are less that the one I want (currently 1.5.0.8), and generate an alert.

Social Engineering and IDS Evasion

2006-12-06T09:27:00.000-07:00

This isn't IDS evasion in the truest sense, however, more of a social engineering trick that dawned on me that relates to IDS. This would only work in a small number of cases, but worth noting nonetheless.

I run a few Snort sensors, and like any "good IDS analyst" (tm), in addition to piping the packets through Snort, I also save the raw packet captures to disk. This is quite useful when trying to determine whether the alert is a false positive, giving the alert context, etc.

Now, as you can imagine, these files get large fast, and if I had to find three packets out of a 50GB packet capture, it would not be a quick endeavor. The typical solution is to rotate after a specified amount of time, and most docs give you examples rotating every 30 mins., depending on your average traffic, with a cron job.

Out of habit, most folks would use :00 and :30 as the times to rotate. Now, a clever individual might realize that this creates some opportunities:

- a brief period of time where packets aren't being captured (between shutdown and startup of the packet capture process)
- with proper timing of the attack, the packets would span 2 capture files. An analyst might not realize this, and thus not get the whole picture of the attack that generated the alert when plowing through raw packets.

The above opportunities could be used in combination with other tricks to further disguise an attack.

Some off the top of my head mitigations:
- run the cron job at unusual times (obscurity)
- create a script that randomizes the start/stop time (obscurity)
- start a new capture 1 min. before shutting down the old capture

Food for thought. Enjoy.

Rich

PF_RING and Snort

2006-11-14T07:13:00.000-07:00

In the hopes of minimizing packet loss on my Snort IDS sensors, I've been experimenting with the PF_RING Linux kernel patches. My initial results have been impressive as both sensors report 0% packet loss (I'm of course presuming it isn't a blatant lie :-) ). I'll try to document my experiences here.

UPDATE: An anonymous commenter (thanks!) noted that PF_RING doesn't report lost packets through libpcap (as Snort expects), but rather through files in /proc/net/pf_ring. I'm still working out the details on how to use that information effectively.

My work is on RedHat Enterprise 4, so if you are using a different distro, your mileage may vary, however, it shouldn't be drastically different.

UPDATE: Here's a Debian Sarge oriented howto:
http://bjou.homeunix.net/blog/2006/12/advanced-packet-capturing-howto-pf_ring-napi-and-extended-libpcap-on-debian-sarge/

There are 2 Fedora Core (4 and 5) instruction pages at:

http://wiki.ntop.org/mediawiki/index.php/Installing_PF_RING_and_nProbe_on_Fedora_Core_4_%28FC4%29

and

http://wiki.ntop.org/mediawiki/index.php/Installing_on_Fedora_Core_5_%28FC5%29

that these are based upon, and (hopefully) expand upon. Thanks to the authors of those.

Before beginning, make sure that your system is fully up to date with patches. These instructions presume that you have at least 2+ GBs of free disk space, primarily in /usr/src.

1. Software packages needed (in addition to a minimal install on RHEL):

glibc-kernheaders
autoconf
automake
bison
flex
cvs
gcc
gcc-c++
libtool
tcl (note this version is compiled without threading, so good for Sguil)
tcl-devel
tclx
rpm-build
redhat-rpm-config
openssl-devel
pcre-devel
ncurses-devel

On a registered RHEL, you'd run the command:

up2date -f install [package_name]

to download package_name and required dependancies, and install them.

* Note: not all of these are neccessary for just PF_RING, however, are needed for other things like Snort, Sguil, barnyard, sancp, etc.

2. Remove software:

At a bare minimum, the following software packages need to be removed:
libpcap
ppp *
rp-pppoe *
wvdial *

The command to do this is:

rpm -e

* relies on libpcap. If needed, will need to be recompiled with the new libpcap that we'll compile and install later.

3. Install the kernel src.rpm of the latest kernel (on RHEL, kernel-2.6.9-42.0.3.EL.src.rpm at the time of this writing).

For RHEL 4, the file will be located ftp.redhat.com. For example, to get the latest kernel for RHEL as of today, you'd run the command:

wget ftp://ftp.redhat.com:/pub/redhat/linux/updates/enterprise/4XX/en/os/SRPMS/kernel-2.6.9-42.0.3.EL.src.rpm

where XX is the type of RHEL 4 you're running: Desktop (uhh, desktop), WS (workstation), ES (enterprise server), or AS (advanced server). If you don't know, run the command:

[root@hostname ~]# cat /etc/redhat-release
Red Hat Enterprise Linux WS release 4 (Nahant Update 4)

In this case, this machine was a workstation, so use WS.

Now install the kernel with the command:

rpm -ivh kernel-2.6.9-42.0.3.EL.src.rpm

This will place the vanilla 2.6.9 kernel src, RedHat's patches, spec file, etc. into /usr/src/redhat/{SOURCES,SPECS}.

4. Prep the kernel for the PF_RING patches.

Now we need to prep the kernel. First, change to the appropiate directory:

cd /usr/src/redhat/SPECS

Then run the command:

rpmbuild -bp --target $(arch) kernel-2.6.spec

If this works, you should see something similar to the following:

Building target platforms: i686
Building for target i686
Executing(%prep): /bin/sh -e /var/tmp/rpm-tmp.7797
+ umask 022
+ cd /usr/src/redhat/BUILD
+ LANG=C
+ export LANG
+ unset DISPLAY
+ cd /usr/src/redhat/BUILD
+ rm -rf kernel-2.6.9
+ /bin/mkdir -p kernel-2.6.9
+ cd kernel-2.6.9
+ /usr/bin/bzip2 -dc /usr/src/redhat/SOURCES/linux-2.6.9.tar.bz2
+ tar -xf -
+ STATUS=0
+ '[' 0 -ne 0 ']'
++ /usr/bin/id -u
+ '[' 0 = 0 ']'
+ /bin/chown -Rhf root .
++ /usr/bin/id -u
+ '[' 0 = 0 ']'
+ /bin/chgrp -Rhf root .
+ /bin/chmod -Rf a+rX,u+w,g-w,o-w .
+ cd linux-2.6.9
+ echo 'Patch #3 (patch-2.6.9-ac11.bz2):'
Patch #3 (patch-2.6.9-ac11.bz2):
+ /usr/bin/bzip2 -d
+ patch -p1 -s
[snip]
removed `./net/xfrm/xfrm_state.c.orig'
removed `./net/socket.c.orig'
removed `./net/netlink/af_netlink.c.orig'
removed `./net/ipv6/ip6_output.c.orig'
removed `./net/ipv6/addrconf.c.orig'
removed `./net/ipv6/netfilter/ip6_tables.c.orig'
removed `./net/bluetooth/af_bluetooth.c.orig'
removed `./net/8021q/vlan.c.orig'
removed `./net/sched/sch_api.c.orig'
+ find . -name '*~' -exec rm -fv '{}' ';'
+ exit 0

This applies all of the various patches (nearly 1000) that RedHat applies to it's kernels.

Now we need to copy that patched kernel source to /usr/src with the command:

cp -a /usr/src/redhat/BUILD/kernel-2.6.X/linux-2.6.X /usr/src

where X is the subversion. In this case, for RHEL 4, X = 9.

Now, create a symlink from the actual kernel to the generic linux:

cd /usr/src
ln -s ./linux-2.6.X linux

where X is the subversion. Again, in this case, for RHEL 4, X = 9.

5. Download and build the PF_RING patch for your kernel.

Now we need to get the PF_RING patches downloaded and built for our kernel. PF_RING is currently only available via CVS. To do this, run the following:

cd /usr/src
CVSROOT=:pserver:anonymous@cvs.ntop.org:/export/home/ntop;export CVSROOT
mkdir pf_ring && cd pf_ring
cvs login

which should produce the following output:

Logging in to :pserver:anonymous@cvs.ntop.org:2401/export/home/ntop
CVS password:

At the prompt, type "ntop" (no quotes), and hit Enter. (Note: ntop will not appear on the screen.) Next type the following:

cvs checkout PF_RING

which, if it works, should produce something simliar to the following:

cvs checkout: Updating PF_RING
U PF_RING/README
U PF_RING/mkpatch.sh
cvs checkout: Updating PF_RING/kernel
U PF_RING/kernel/README
cvs checkout: Updating PF_RING/kernel/include
cvs checkout: Updating PF_RING/kernel/include/linux
U PF_RING/kernel/include/linux/ring.h
cvs checkout: Updating PF_RING/kernel/include/net
U PF_RING/kernel/include/net/PATCH-to-sock.h
cvs checkout: Updating PF_RING/kernel/net
U PF_RING/kernel/net/PATCH-to-Config.in
U PF_RING/kernel/net/PATCH-to-netsyms.c
cvs checkout: Updating PF_RING/kernel/net/core
U PF_RING/kernel/net/core/PATCH-1-to-dev.c
U PF_RING/kernel/net/core/PATCH-2-to-dev.c
U PF_RING/kernel/net/core/PATCH-3-to-dev.c
cvs checkout: Updating PF_RING/kernel/net/ring
U PF_RING/kernel/net/ring/Config.in
U PF_RING/kernel/net/ring/Kconfig
U PF_RING/kernel/net/ring/Makefile
U PF_RING/kernel/net/ring/Makefile-2.4.X
U PF_RING/kernel/net/ring/Makefile-2.6.X
U PF_RING/kernel/net/ring/ring_packet.c
cvs checkout: Updating PF_RING/userland
cvs checkout: Updating PF_RING/userland/libpcap-0.9.4-ring
U PF_RING/userland/libpcap-0.9.4-ring/README
U PF_RING/userland/libpcap-0.9.4-ring/pcap-int.h
U PF_RING/userland/libpcap-0.9.4-ring/pcap-linux.c
cvs checkout: Updating PF_RING/userland/libpfring
U PF_RING/userland/libpfring/Makefile
U PF_RING/userland/libpfring/pfcount.c
U PF_RING/userland/libpfring/pfring.c
U PF_RING/userland/libpfring/pfring.h
cvs checkout: Updating PF_RING/userland/pcount
U PF_RING/userland/pcount/Makefile
U PF_RING/userland/pcount/pcount.c

The current version of PF_RING comes with a script that creates a patch specific to your kernel. Now we'll get things in order to run that script with the following commands:

cd /usr/src/pf_ring/PF_RING
mkdir workspace
cd workspace
cp /usr/src/redhat/SOURCES/linux-2.6.9.tar.bz2 .
bunzip2 linux-2.6.9.tar.bz2
gzip linux-2.6.9.tar
cd ..

Now edit the file mkpatch.sh, and adjust the following variables to match your environment:

SUBLEVEL=${SUBLEVEL:-18.1}

EXTRAVERSION=${EXTRAVERSION:--i686-smp-$PATCH}

For example, on RHEL 4, you'd change to the variables to:

SUBLEVEL=${SUBLEVEL:-9}

EXTRAVERSION=${EXTRAVERSION:--42.0.3.ELsmp-$PATCH}

Save your changes, and run the script:

sh ./mkpatch.sh

If all goes well, the output should look similar to the following:

Creating patch for Linux kernel linux-2.6.9 ...
Edit this file (mkpatch.sh) for a different kernel version
Kernel build area is /usr/src/pf_ring/PF_RING/workspace
rm: cannot remove `/usr/src/pf_ring/PF_RING/workspace/ring3': No such file or directory
Creating link to /usr/src/pf_ring/PF_RING in /usr/src/pf_ring/PF_RING/workspace called ring3
Found linux-2.6.9.tar.gz in source directory /usr/src/pf_ring/PF_RING/workspace
Untarring Linux sources (read-only tree) in /usr/src/pf_ring/PF_RING/workspace/linux-2.6.9
Cloning Linux sources (read-write tree) in /usr/src/pf_ring/PF_RING/workspace
Patching Linux sources ...
1. Install additional file include/linux/ring.h with definitions
for packet ring.
done
2. Install the ring sources under the kernel tree.
Installing kernel ring sources in
linux-2.6.9-42.0.3.ELsmp-ring3/net/ring ... done
3. Patch net/core/dev.c ...
Patch #1 (define ring_handler)
Patch #2 (modify function netif_rx and netif_receive_skb)
Patch #3 (modify dev_queue_xmit, found in PATCH-3-to-dev.c)
... done
4. Patching file net/Makefile ... done
5. Copy net/ring/Kconfig to linux-2.6.9-42.0.3.ELsmp-ring3/net/ring/Kconfig done
6. Patching file net/Kconfig ... done
diff --unified --recursive --new-file linux-2.6.9 linux-2.6.9-42.0.3.ELsmp-ring3 > linux-2.6.9-42.0.3.ELsmp-ring3.patch
Making Linux patch file. This could take some time, please wait ... done
Your patch file is now in /usr/src/pf_ring/PF_RING/workspace/linux-2.6.9-42.0.3.ELsmp-ring3.patch.gz

6. Apply the patch and build the kernel.

To apply the patch, run the following:

cd /usr/src
zcat /usr/src/pf_ring/PF_RING/workspace/linux-2.6.*patch.gz | patch --dry-run -p0

If the last command doesn't report any errors, then run the following:

zcat /usr/src/pf_ring/PF_RING/workspace/linux-2.6.*patch.gz | patch -p0

The output should look similar to:

patching file linux-2.6.9/include/linux/ring.h
patching file linux-2.6.9/net/core/dev.c
Hunk #2 succeeded at 1302 (offset -56 lines).
Hunk #3 succeeded at 1519 with fuzz 2 (offset -60 lines).
Hunk #4 succeeded at 1738 with fuzz 2 (offset -43 lines).
patching file linux-2.6.9/net/core/dev.c.ORG
patching file linux-2.6.9/net/Kconfig
patching file linux-2.6.9/net/Makefile
Hunk #1 succeeded at 41 (offset 1 line).
patching file linux-2.6.9/net/Makefile.ORG
patching file linux-2.6.9/net/ring/Kconfig
patching file linux-2.6.9/net/ring/Makefile
patching file linux-2.6.9/net/ring/ring_packet.c

Next, run the following:

cd /usr/src/linux
make menuconfig

When the configuration menu appears, change the following:

Processor type and features -> High Memory Support -> 64GB
Device Drivers -> Networking Support -> Networking Options -> PF_RING (module)

Exit and save the configuration. Now, run the following to compile the kernel:

make
make modules
make modules_install
make install

UPDATE: If the first command 'make' fails with:


net/ring/ring_packet.c:15:26: linux/config.h: No such file or directory

then, as documented here, edit the file net/ring/ring_packet.c, and replace:


#include

with


#include

This sequence of commands will take a long time to complete, which is normal.

The command "make install" will place the new kernel in /boot, typically with a -prep tag:

[root@idsext ~]# ls -l /boot/*prep*
-rw-r--r-- 1 root root 492685 Nov 18 17:52 /boot/initrd-2.6.9-prep.img
-rw-r--r-- 1 root root 750587 Nov 18 17:52 /boot/System.map-2.6.9-prep
-rw-r--r-- 1 root root 1509678 Nov 18 17:52 /boot/vmlinuz-2.6.9-prep

as well as add an entry to /etc/grub.conf:

title Linux (2.6.9-prep)
root (hd0,0)
kernel /vmlinuz-2.6.9-prep ro root=/dev/md1
initrd /initrd-2.6.9-prep.img

Now, reboot the machine into the new kernel. NOTE: Do NOT remove older kernels until you are positive this one works. In fact, probably best to leave the old kernel there, so up2date doesn't get confused.

7. Compile libpfring, and test that the module works.

First off, start with doing the following:

cp /usr/src/linux/include/linux/ring.h /usr/include/linux

which will add the neccessary header file, ring.h, to the standard include directory.

Next, run the following:

cd /usr/src/pf_ring/PF_RING/userland/libpfring
make

If all goes well, you should see something similar to:

gcc -g -c -I/lib/modules/2.6.9-prep/source/include pfcount.c
gcc -g -c -I/lib/modules/2.6.9-prep/source/include pfring.c
ar rc libpfring.a pfring.o
ranlib libpfring.a
gcc -g pfcount.o pfring.o -o pfcount

Now, we are going to generate a .so from these files, by running the following:

gcc -shared -Wl,-soname -Wl,libpfring.so.0.9.4 -o libpfring.so.0.9.4 *.o -lc

Now, we copy the files we just created to a common system directory:

cp libpfring.a libpfring.so.0.9.4 /usr/local/lib
cp pfring.h /usr/local/include

Next, we need to add /usr/local/lib to the list of directories the dynamic loader will search:

echo "/usr/local/lib" >> /etc/ld.so.conf
ldconfig

To check that the dynamic loader sees the libraries, run the following:

ldconfig -v |grep pfring

which should produce the following output:

libpfring.so.0.9.4 -> libpfring.so.0.9.4

Now, to test the ring module we added to the kernel earlier, run the following:

./pfcount -v -i [interface]

where [interface] is the interface that you will be monitoring traffic on (and hopefully has traffic on it already, otherwise, this test won't be very interesting). For example, that interface for me is eth1, so I would type:

./pfcount -v -i eth1

and the output should look something similar to:

14:23:04.794105 [00:30:48:2B:EF:76 -> 00:07:E9:47:DD:5F] [192.168.36.39 -> 192.168.156.118] [caplen=66][len=66]
14:23:04.794162 [00:07:E9:47:DD:5F -> 00:30:48:2B:EF:76] [192.168.156.118 -> 192.168.36.39] [caplen=226][len=226]
14:23:04.794252 [00:07:E9:47:DD:5F -> 00:30:48:2B:EF:76] [192.168.156.118 -> 192.168.36.39] [caplen=338][len=338]
14:23:04.794341 [00:07:E9:47:DD:5F -> 00:30:48:2B:EF:76] [192.168.156.118 -> 192.168.36.39] [caplen=226][len=226]
14:23:04.794426 [00:07:E9:47:DD:5F -> 00:30:48:2B:EF:76] [192.168.156.118 -> 192.168.36.39] [caplen=226][len=226]
14:23:04.794514 [00:07:E9:47:DD:5F -> 00:30:48:2B:EF:76] [192.168.156.118 -> 192.168.36.39] [caplen=226][len=226]
14:23:04.794597 [00:07:E9:47:DD:5F -> 00:30:48:2B:EF:76] [192.168.156.118 -> 192.168.36.39] [caplen=226][len=226]
14:23:04.794680 [00:07:E9:47:DD:5F -> 00:30:48:2B:EF:76] [192.168.156.118 -> 192.168.36.39] [caplen=226][len=226]
14:23:04.794767 [00:07:E9:47:DD:5F -> 00:30:48:2B:EF:76] [192.168.156.118 -> 192.168.36.39] [caplen=226][len=226]
14:23:04.794849 [00:07:E9:47:DD:5F -> 00:30:48:2B:EF:76] [192.168.156.118 -> 192.168.36.39] [caplen=226][len=226]
14:23:04.794932 [00:07:E9:47:DD:5F -> 00:30:48:2B:EF:76] [192.168.156.118 -> 192.168.36.39] [caplen=226][len=226]
14:23:04.794995 [00:30:48:2B:EF:76 -> 00:07:E9:47:DD:5F] [192.168.36.39 -> 192.168.156.118] [caplen=66][len=66]
14:23:04.795030 [00:07:E9:47:DD:5F -> 00:30:48:2B:EF:76] [192.168.156.118 -> 192.168.36.39] [caplen=226][len=226]
14:23:04.795101 [00:07:E9:47:DD:5F -> 00:30:48:2B:EF:76] [192.168.156.118 -> 192.168.36.39] [caplen=226][len=226]
14:23:04.795355 [00:07:E9:47:DD:5F -> 00:30:48:2B:EF:76] [192.168.156.118 -> 192.168.36.39] [caplen=146][len=146]

Hit ctrl-C, and the last few lines of the output should give you summary similar to:

=========================
Absolute Stats: [3672 pkts rcvd][47 pkts dropped]
Total Pkts=3625/Dropped=1.3 %
3672 pkts [4116.2 pkt/sec] - 871764 bytes [7.82 Mbit/sec]
=========================
Actual Stats: 3672 pkts [1599568.0 ms][2.3 pkt/sec]
=========================

Now, run the following:

dmesg

and the last few lines of output should look similar to the following:

RING: succesfully allocated 128 KB [tot_mem=26509372][order=5]
RING: allocated 80 slots [slot_len=1618][tot_mem=131072]
device eth1 entered promiscuous mode

which is a good indication that the kernel module is working.

8. Next step is to build libpcap to use the PF_RING interface to the kernel.

First, run the following:

cd /usr/src/pf_ring/PF_RING/userland/
ls |grep pcap

The output should be something similar to:

libpcap-0.9.4-ring

which indicates that this version of PF_RING was built to work with a patched version of libpcap-0.9.4, so we need to download that version.

The simplest way to download that version is to run the following:

wget http://www.tcpdump.org/release/libpcap-0.9.4.tar.gz

which should produce output similar to:

--14:37:06-- http://www.tcpdump.org/release/libpcap-0.9.4.tar.gz
=> `libpcap-0.9.4.tar.gz'
Resolving www.tcpdump.org... 205.150.200.214
Connecting to www.tcpdump.org|205.150.200.214|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 425,887 (416K) [application/x-tar]

100%[===================================================>] 425,887 78.37K/s ETA 00:00

14:37:15 (79.23 KB/s) - `libpcap-0.9.4.tar.gz' saved [425887/425887]

If the above command doesn't work, you'll need to download it by hand. I'll leave that as an exercise for the reader to figure out.

Now, unpack the gzip'd tarball:

tar -zxvf libpcap-0.9.4.tar.gz

which should produce output similar to:

libpcap-0.9.4/./
libpcap-0.9.4/./ChmodBPF/
libpcap-0.9.4/./ChmodBPF/ChmodBPF
libpcap-0.9.4/./ChmodBPF/StartupParameters.plist
libpcap-0.9.4/./.cvsignore
libpcap-0.9.4/./CHANGES
libpcap-0.9.4/./CREDITS
libpcap-0.9.4/./FILES
libpcap-0.9.4/./INSTALL.txt
libpcap-0.9.4/./LICENSE
libpcap-0.9.4/./Makefile.in
libpcap-0.9.4/./README
[snip]
libpcap-0.9.4/./msdos/readme.dos
libpcap-0.9.4/./packaging/
libpcap-0.9.4/./packaging/pcap.spec
libpcap-0.9.4/./packaging/pcap.spec.in

Now, do the following:

cd libpcap-0.9.4
mv pcap-int.h pcap-int.h.orig
mv pcap-linux.c pcap-linux.c.orig
cp ../libpcap-0.9.4-ring/pcap* .
./configure CPPFLAGS="-I/usr/local/include" LDFLAGS="-L/usr/local/lib" CFLAGS="-D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64"

If the ./configure command completes without any errors, run the following:

make && gcc -shared -Wl,-soname -Wl,libpcap.so.`cat VERSION` -o libpcap.so.`cat VERSION` *.o -lc

If the above commands complete successfully, you should see something similar to:

gcc -O2 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -I. -DHAVE_CONFIG_H -D_U_="__attribute__((unused))" -c ./pcap-linux.c
gcc -O2 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -I. -DHAVE_CONFIG_H -D_U_="__attribute__((unused))" -c ./fad-getad.c
sed -e 's/.*/static const char pcap_version_string[] = "libpcap version &";/' ./VERSION > version.h
gcc -O2 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -I. -DHAVE_CONFIG_H -D_U_="__attribute__((unused))" -c ./pcap.c
gcc -O2 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -I. -DHAVE_CONFIG_H -D_U_="__attribute__((unused))" -c ./inet.c
gcc -O2 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -I. -DHAVE_CONFIG_H -D_U_="__attribute__((unused))" -c ./gencode.c
gcc -O2 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -I. -DHAVE_CONFIG_H -D_U_="__attribute__((unused))" -c ./optimize.c
gcc -O2 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -I. -DHAVE_CONFIG_H -D_U_="__attribute__((unused))" -c ./nametoaddr.c
gcc -O2 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -I. -DHAVE_CONFIG_H -D_U_="__attribute__((unused))" -c ./etherent.c
gcc -O2 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -I. -DHAVE_CONFIG_H -D_U_="__attribute__((unused))" -c ./savefile.c
rm -f bpf_filter.c
ln -s ./bpf/net/bpf_filter.c bpf_filter.c
gcc -O2 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -I. -DHAVE_CONFIG_H -D_U_="__attribute__((unused))" -c bpf_filter.c
gcc -O2 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -I. -DHAVE_CONFIG_H -D_U_="__attribute__((unused))" -c ./bpf_image.c
gcc -O2 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -I. -DHAVE_CONFIG_H -D_U_="__attribute__((unused))" -c ./bpf_dump.c
flex -Ppcap_ -t scanner.l > $$.scanner.c; mv $$.scanner.c scanner.c
bison -y -p pcap_ -d grammar.y
mv y.tab.c grammar.c
mv y.tab.h tokdefs.h
gcc -O2 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -I. -DHAVE_CONFIG_H -D_U_="__attribute__((unused))" -c scanner.c
gcc -O2 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -I. -DHAVE_CONFIG_H -D_U_="__attribute__((unused))" -Dyylval=pcap_lval -c grammar.c
sed -e 's/.*/char pcap_version[] = "&";/' ./VERSION > version.c
gcc -O2 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -I. -DHAVE_CONFIG_H -D_U_="__attribute__((unused))" -c version.c
ar rc libpcap.a pcap-linux.o fad-getad.o pcap.o inet.o gencode.o optimize.o nametoaddr.o etherent.o savefile.o bpf_filter.o bpf_image.o bpf_dump.o scanner.o grammar.o version.o
ranlib libpcap.a

Now, run the following:

make install && cp libpcap.so.0.9.4 /usr/local/lib

Next, make sure the dynamic loader sees this new library:

ldconfig -v |grep pcap

the output should look similar to:

libpcap.so.0.9.4 -> libpcap.so.0.9.4

9. Now, we build Snort 2.4.5 using the new libpcap and libpfring.

First, download snort-2.4.5:

cd /usr/src
wget http://www.snort.org/dl/old/snort-2.4.5.tar.gz

Now, unpack the gzip'd tarball:

tar -zxvf snort-2.4.5.tar.gz && cd snort-2.4.5

Next, use ./configure to setup the compile:

./configure --enable-timestats --enable-perfmonitor --enable-linux-smp-stats CPPFLAGS="-I/usr/local/include" LDFLAGS="-L/usr/local/lib -lpfring -lpcap"

The output should look similar to:

checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
checking whether to enable maintainer-specific portions of Makefiles... no
[snip]
config.status: creating m4/Makefile
config.status: creating etc/Makefile
config.status: creating templates/Makefile
config.status: creating src/win32/Makefile
config.status: creating config.h
config.status: executing depfiles commands

Now, run the following:

make && make install

If the above command completes successfully, then the command:

ldd /usr/local/bin/snort

should produce output similar to:

libpfring.so.0.9.4 => /usr/local/lib/libpfring.so.0.9.4 (0x00143000)
libpcap.so.0.9.4 => /usr/local/lib/libpcap.so.0.9.4 (0x00725000)
libpcre.so.0 => /lib/libpcre.so.0 (0x00760000)
libm.so.6 => /lib/tls/libm.so.6 (0x00111000)
libnsl.so.1 => /lib/libnsl.so.1 (0x007f2000)
libc.so.6 => /lib/tls/libc.so.6 (0x00147000)
/lib/ld-linux.so.2 (0x00615000)

where the line containing libpfring and libpcap are of particular importance.

At this point, you have a version of snort that will use the PF_RING ring module in the kernel. Congrats.

Some things of note:
- the ring module has some load options that affect it's behavior. You'll need to tweak these to your environment, however, most folks will want to add the following to the end of /etc/modprobe.conf:

options ring transparent_mode=0 bucket_len=1600

- if you disable transparent_mode (as I have with transparent_mode=0), do not run a program that uses the PF_RING interface (Snort, tcpdump, pfcount, etc.) on the management interface by accident, as you will lose connectivity to the machine.

Enjoy.

Fedora Core 5 (FC5) and VMWare Server

2006-10-11T07:54:00.000-06:00

This tripped me up a bit, so I figured I'd document my solution. After installing VMWare server on FC5, you need to run /usr/bin/vmware-config.pl. A few questions down, it asks you to help it compile a "suitable vmmon module for your running kernel", but it is looking in the wrong directory structure. To get past this step, I had to do the following:

yum install kernel-devel

or if you are running an SMP kernel:

yum install kernel-smp-devel

and then point the vmware-config.pl script to:

/lib/modules/[your kernel version here]/build/include/linux

where [your kernel version here] is the output of:

uname -r

As an example, at the time I write this, the directory would be:

/lib/modules/2.6.17-1.2187_FC5smp/build/include/linux

HTH.

Sguil and Tcl_FinalizeNotifier: notifier pipe not initialized

2006-10-04T14:40:00.000-06:00

If you are trying to get Sguil working, and you run into the error:

Tcl_FinalizeNotifier: notifier pipe not initialized

then it's likely you have a threads enabled Tcl installed. Recompile Tcl without threads enabled, and the error should go away upon restart. This will at least impact both the sensor agent and the sguild server.

This also manifests itself within the client as showing, under the sensor status tab, that the sensor agent is connected to the server, but barnyard (BY column) is not, and there are no events appearing.

On an RPM based system, grab the source rpm (src.rpm, tcl-8.4.13-1.1.src.rpm as of this writing).

1. Install it with:

# rpm -ivh tcl-8.4.13-1.1.src.rpm
1:tcl warning: user brewbuilder does not exist - using root
warning: group brewbuilder does not exist - using root
warning: user brewbuilder does not exist - using root
warning: group brewbuilder does not exist - using root
warning: user brewbuilder does not exist - using root
warning: group brewbuilder does not exist - using root
warning: user brewbuilder does not exist - using root
warning: group brewbuilder does not exist - using root
warning: user brewbuilder does not exist - using root
warning: group brewbuilder does not exist - using root
warning: user brewbuilder does not exist - using root
warning: group brewbuilder does not exist - using root
warning: user brewbuilder does not exist - using root
warning: group brewbuilder does not exist - using root
warning: user brewbuilder does not exist - using root
warning: group brewbuilder does not exist - using root
########################################### [100%]

which will place a number of files in /usr/src/redhat/* (the user and group warnings are safe to ignore).

2. Next, edit the spec file, which is /usr/src/redhat/SPECS/tcl.spec.
In the %build section, remove:

--enable-threads

from the line:

%configure --enable-threads

Optionally, edit the line:

Release: 1.1

to be:

Release: 1.1nothreads

to make it easier to remember that the tcl package has threading disabled.

Save your changes to the file.

3. Next, rebuild the rpm:

# rpmbuild -ba tcl.spec
Executing(%prep): /bin/sh -e /var/tmp/rpm-tmp.45757
+ umask 022
+ cd /usr/src/redhat/BUILD
+ cd /usr/src/redhat/BUILD
+ /bin/mkdir -p tcl-8.4.13
+ cd tcl-8.4.13
+ /bin/gzip -dc /usr/src/redhat/SOURCES/tcl8.4.13-src.tar.gz
+ tar -xf -
+ STATUS=0
+ '[' 0 -ne 0 ']'

[snip]

Wrote: /usr/src/redhat/SRPMS/tcl-8.4.13-1.1nothreads.src.rpm
Wrote: /usr/src/redhat/RPMS/i386/tcl-8.4.13-1.1nothreads.i386.rpm
Wrote: /usr/src/redhat/RPMS/i386/tcl-devel-8.4.13-1.1nothreads.i386.rpm
Wrote: /usr/src/redhat/RPMS/i386/tcl-html-8.4.13-1.1nothreads.i386.rpm
Executing(%clean): /bin/sh -e /var/tmp/rpm-tmp.72451
+ umask 022
+ cd /usr/src/redhat/BUILD
+ cd tcl-8.4.13
+ rm -rf /var/tmp/tcl-8.4.13-1.1nothreads-root
+ exit 0

(if you get rpmbuild: command not found, then you need to run:

yum install rpm-build

to install the rpmbuild binary and supporting files)

4. Replace the current tcl with your new threads-disabled version:

# rpm -Uvh --force /usr/src/redhat/RPMS/i386/tcl-8.4.13-1.1nothreads.i386.rpm
Preparing... ########################################### [100%]
1:tcl ########################################### [100%]

Enjoy.

Network Security Monitoring isn't just IDS ...

2006-10-02T20:55:00.000-06:00

While listening in on one of my favorite IRC channels, one of the members of the channel got some IDS alerts that indicated that one of his client's machines was scanning a university network. Typically this type of thing happens when a machine is successfully cracked, then the cracker or worm turns around and starts scanning for more machines to crack. However, in this instance, the scans that he was seeing were too random, too "all over the board." Now, if he were using only an IDS, he wouldn't have much further he could go, but he also had raw packet captures that provided him history, which is the point of my diatribe here. He loaded up the captures, and looked for activity prior to the time when his IDS started to generate alerts. Lo and behold, the same machine had visited a website at the same university that the scans were targeted at. Loading up the website provided the answer to the mystery.

The website was the website for a "Network Security" class, and the attacking machine had downloaded the 2nd homework assignment PDF. That PDF had instructed the students to use the tool NetBrute to scan the class server. Ignoring the questionable nature of this assignment*, since the analyst had the historical packet captures in addition to the IDS, it was reasonably safe to say that this was a benign incident.

* On to the questionable nature of the assignment: teachers, never unleash your students on a production network. There is so much potential for lawsuits or even jail time. Create a lab network, disconnected from everything, and only allow the students to use the tools on that.

** The same PDF that directed the students to scan the university site ALSO directed the students to scan a webserver belonging to Yahoo!. I'm amazed the teacher is still employed.

"Personal" Firewalls

2006-09-21T08:22:00.000-06:00

I just received (i before e, except after c) a new laptop at work, and due to software requirements, I still need to keep Windows XP on the machine, otherwise it would be wiped and replaced with Linux or *BSD. (In this instance, I'll use Knoppix to resize the NTFS partition with (aptly named) ntfsresize to free up space for Fedora Core 5 for dual booting.)

The first task with this type of OS is to download a personal firewall (personal is a misnomer, it should be host-based) such that I can connect to the network and download updates for Windows. I've typically used ZoneAlarm, but I've been looking for an excuse to try others, and this seems like a good one.

At first glance, I'm very excited about Core Force, a host-based IPS/IDS with firewalling capability (using OpenBSD's pf firewall package ported to Windows). Best of all, it's freely licensed using the Apache license.

http://force.coresecurity.com/

The other product I intend to try is:

http://www.personalfirewall.comodo.com/

I'll post updates as I get more familiar with these products.

Vulnerability Management

2006-09-19T10:37:00.000-06:00

I'm subscribed to numerous mailling lists from SANS, and this morning this little tidbit came across the @RISK list (full email here):

"For everyone who has ever tried to reduce vulnerabilities, and found it
very hard, today is a very good day.  NIST just announced (this morning)
that it is launching a cooperative effort involving NSA, DoD/DISA, DHS,
and the Center for Internet Security, with the help of security and
software vendors, to radically upgrade vulnerability management. The
program will bring automation and standardization to vulnerability
management, and it is real.  Within a few months, you should expect to
see new procurement language that can be used by any organization buying
software or system or system integration, that will require the vendors
and contractors to deliver systems and software compatible with the new
automated vulnerability management program.  SANS will do a free webcast
on it shortly to give you more details."

I'm pleased to hear this, as I think it has great potential. However, with every U.S. government program I reserve judgement until I see the results, as they often have good ideas or plans, but horrible implementation. A good example is FISMA, which gives government agencies scores based NOT on how they secure their infrastructure, but on how well they document it. In other words, they spend more time documenting than fixing the problems they've documented.

I know, because I do IT security work for the government. I spend up to 4 months a year focused on documentation and reporting, and I'm lucky in that I'm responsible for a "small" system, approx. 350 devices.

Inaugural post! RedHat IA64 "mixed-mode" RPMs

2006-09-19T08:58:00.000-06:00

With RedHat Enterprise on Itanium (IA64), you can run both 64-bit and 32-bit applications. However, the way in which RedHat handles this is not particularly intuitive, and can cause problems/confusion with the RPM database.

For instance:

[root@ia64 root]# rpm -q zlib
zlib-1.1.4-8.1
zlib-1.1.4-8.1

You may be wondering why there are two zlib packages listed in the rpm database, and you'd be right to do so. On i386 RedHat, finding a package listed twice in the database typically means that something went wrong with installing the update package, causing the rpm transaction to quit before removing the old database entry. However, in this case, that isn't what's happening; note that the version numbers are identical.

This is how RedHat handles having both 64-bit and 32-bit versions of the files. For 64-bit applications and libraries, it uses the RedHat standard directory structure. For the 64-bit version of zlib, the package installs the following:

[root@ia64 root]# rpm -ql zlib-1.1.4.ia64
/usr/lib/libz.so.1
/usr/lib/libz.so.1.1.4
/usr/share/doc/zlib-1.1.4
/usr/share/doc/zlib-1.1.4/README

However, for the 32-bit version of zlib, the results are slightly different:

[root@ap1 root]# rpm -ql zlib-1.1.4.i386
/emul/ia32-linux/usr/lib/libz.so.1
/emul/ia32-linux/usr/lib/libz.so.1.1.4
/usr/share/doc/zlib-1.1.4
/usr/share/doc/zlib-1.1.4/README

Note the leading /emul/ia32-linux (emul short for emulation). Thankfully, within /emul/ia32-linux, RedHat duplicates the standard directory structure, so things are where you expect them to be.

To verify:

[root@ap1 root]# file /usr/lib/libz.so.1.1.4 /emul/ia32-linux/usr/lib/libz.so.1.1.4
/usr/lib/libz.so.1.1.4: ELF 64-bit LSB shared object, IA-64, version 1 (SYSV), stripped
/emul/ia32-linux/usr/lib/libz.so.1.1.4: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), stripped

When installing packages, be careful to remember this oddity, because RedHat Enterprise v. 3 tools aren't kind enough to say something, they will default to installing 64-bit versions. While this isn't often a problem, there are instances when you want both versions. To make sure that you get the 32-bit version, pass the --arch= flag to up2date:

up2date --arch=i386 -i zlib

Enjoy.