Sunday, January 29, 2006

Truman - Malware Analysis Network

Truman can be used to build a "sandnet", a tool for analyzing malware in an environment that is isolated, yet provides a virtual internet for the malware to interact with. That is what is stated on its main site, and I'm pretty interested in this tool, especially as someone who has deployed mwcollect and nepenthes to collect malware. Truman seems to suit the need to analyze the malware and worms that get collected: mwcollect and nepenthes automatically collect malware and worms spreading across the internet, and Truman provides the sandnet to analyze their behaviour. I think they play well together as a complete suite to fill the needs of a security analyst or malware researcher.

Enjoy :]

Friday, January 27, 2006

Writing PF and Snort rules - Syntax Identical?

Writing firewall and IDS rules is now part of my job; I have to write them whenever there's a need. Before I used OpenBSD, about three years back, I was using Red Hat Linux 6.0/7.2, and I tried to finish the ipchains/iptables documentation and did, but I found myself with a kind of short memory: I couldn't remember how to write a proper firewall rule without referring to the documentation or manual. iptables is considered solid, but the rule-writing part seems cryptic, and that's one of the main reasons tools like Firewall Builder and the like are getting popular: they simplify the user's or admin's job of getting the firewalling done, so they no longer need to learn iptables the hard way. I do know people who are iptables hardcore, but remember that it takes longer to learn than it should. No offense to any firewalling technology, but I guess lots of people agree with me.

I use Linux, yet I tried out OpenBSD, which was 3.5 at the time, and I managed to learn it quickly, especially the configuration of apache, ftpd and other services. However, my main purpose for using OpenBSD was running a security device, since OpenBSD itself is secure by default. Since OpenBSD offers its own firewall, called PF, I started learning it by reading the manual and the documentation on openbsd.org, quickly googling and learning how other people put their rules together. PF turned out to be much simpler and easier to understand; I'm now able to write a PF rules file without much reference to its manual and documentation, and it's more fun as well, since loading PF rules gives me less of a headache.

Last year I started writing Snort rules after joining a new company. I had used Snort for two years before that but never wrote any rules until last year, when I had to. At first it looked complicated, but after a while you feel comfortable: the tricky part is how to write rules that detect the intrusion precisely, not the syntax.

Apparently both PF firewall rules and Snort IDS rules are very human readable, and you can quickly understand what a rule does. Then I found out why I could adapt so quickly to writing Snort rules: it is actually almost identical to writing PF rules. Let's take a look at the structure of both.

Below is the syntax of a PF rule (see pf.conf(5); the direction keyword in/out follows the action, and from/to separates the two endpoints):


(pf action) [in|out] [log] [quick] [on interface] [af] [proto protocol] [from src_addr [port src_port]] [to dst_addr [port dst_port]] [flags tcp_flags] [state]

And here is the syntax of a Snort rule (a header of seven required fields, followed by the options in parentheses):

(snort action) (protocol) (src_addr) (src_port) (direction) (dst_addr) (dst_port) (msg:"PF Snort l33t"; optional classtype; optional snort ID (sid); optional revision (rev) number;)

The parts they share are the action, the protocol, the source address and port, the direction (PF's from/to, Snort's ->) and the destination address and port. If you read them side by side you'll find the two are almost the same, with few differences. Don't you think this is cool? I have killed two birds with one stone: PF made Snort easy going for me (:])
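To make the comparison concrete, here is an added example (not code from the original post) that parses a PF rule and a Snort rule into the same (protocol, source, source port, destination, destination port) shape and writes the Snort rule that matches the traffic a PF rule blocks. It covers only the subset of both grammars shown above: PF's in/out, log, quick, interface, flags and state keywords and Snort's option block are accepted but are not part of the tuple, and macro names such as $EXT are kept as literal strings.

```python
"""Added example: the same five-tuple pulled out of a PF rule and a Snort rule.

Not from the original post. Handles the subset of both grammars shown in the
post; PF-only keywords (in/out, log, quick, on iface, flags, keep state) and
Snort's option block are accepted but not modelled in the tuple.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class FiveTuple:
    proto: str   # "ip" when PF gives no proto; Snort spells that "ip" as well
    src: str
    sport: str   # "any" when unspecified
    dst: str
    dport: str


PF_ACTIONS = ("pass", "block", "match")
SNORT_ACTIONS = ("alert", "log", "pass", "drop", "reject", "sdrop")
PF_MODIFIERS = ("in", "out", "log", "quick")   # no counterpart in a Snort header


def _pf_endpoint(tokens, i):
    """Parse 'addr [port p]' starting at tokens[i]; return (addr, port, next i)."""
    addr, i, port = tokens[i], i + 1, "any"
    if i < len(tokens) and tokens[i] == "port":
        port, i = tokens[i + 1], i + 2
    return addr, port, i


def parse_pf(rule):
    """'block in quick on pcn0 proto tcp from 10.1.1.5 to 192.168.0.170 port 22'
    -> ('block', FiveTuple('tcp', '10.1.1.5', 'any', '192.168.0.170', '22'))"""
    tokens = rule.split()
    action = tokens[0]
    if action not in PF_ACTIONS:
        raise ValueError("not a PF filter rule: %r" % rule)
    i = 1
    while i < len(tokens) and tokens[i] in PF_MODIFIERS:
        i += 1
    if i < len(tokens) and tokens[i] == "on":                # interface
        i += 2
    if i < len(tokens) and tokens[i] in ("inet", "inet6"):   # address family
        i += 1
    proto = "ip"
    if i < len(tokens) and tokens[i] == "proto":
        proto, i = tokens[i + 1], i + 2
    src = sport = dst = dport = "any"
    if i < len(tokens) and tokens[i] == "all":               # 'all' == from any to any
        i += 1
    if i < len(tokens) and tokens[i] == "from":
        src, sport, i = _pf_endpoint(tokens, i + 1)
    if i < len(tokens) and tokens[i] == "to":
        dst, dport, i = _pf_endpoint(tokens, i + 1)
    # whatever remains (flags S/SA, keep state, ...) is PF-only and ignored here
    return action, FiveTuple(proto, src, sport, dst, dport)


SNORT_HEADER = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")
SNORT_OPTION = re.compile(r'(\w+)\s*(?::\s*("[^"]*"|[^;]*))?\s*;')


def parse_snort(rule):
    """'alert tcp 10.1.1.5 any -> 192.168.0.170 22 (msg:"x"; sid:1; rev:1;)'
    -> ('alert', FiveTuple(...), {'msg': 'x', 'sid': '1', 'rev': '1'})"""
    m = SNORT_HEADER.match(rule.strip())
    if not m or m.group("action") not in SNORT_ACTIONS:
        raise ValueError("not a Snort rule: %r" % rule)
    opts = {k: v.strip().strip('"') for k, v in SNORT_OPTION.findall(m.group("opts"))}
    tup = FiveTuple(m.group("proto"), m.group("src"), m.group("sport"),
                    m.group("dst"), m.group("dport"))
    return m.group("action"), tup, opts


def pf_to_snort(pf_rule, msg, sid, rev=1):
    """Write the Snort rule that fires on the same traffic a PF rule blocks.
    A PF 'block' becomes 'alert'; any other PF action becomes a Snort 'pass'."""
    action, t = parse_pf(pf_rule)
    snort_action = "alert" if action == "block" else "pass"
    return '%s %s %s %s -> %s %s (msg:"%s"; sid:%d; rev:%d;)' % (
        snort_action, t.proto, t.src, t.sport, t.dst, t.dport, msg, sid, rev)


if __name__ == "__main__":
    pf = "block in quick on pcn0 proto tcp from 10.1.1.5 to 192.168.0.170 port 22"
    sn = 'alert tcp 10.1.1.5 any -> 192.168.0.170 22 (msg:"PF Snort l33t"; sid:1000001; rev:1;)'
    print(parse_pf(pf)[1] == parse_snort(sn)[1])   # same five-tuple
    print(pf_to_snort(pf, "PF Snort l33t", 1000001))
```

The one thing the tuple cannot carry is PF's in/out: that is the direction relative to the interface, while Snort's -> is the direction between the two endpoints, which PF expresses with from/to.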


What a Coincidence !!!!!

Before I go offline from the Matrix: Happy Chinese New Year to everybody and to all people around the world. Peace.

Bro-IDS - Installation Experience

I'm always fascinated by intrusion detection system technologies, and there's one IDS I have wanted to try for a long time but haven't had time to play with. I recall trying to install Bro-IDS on OpenBSD 3.6 and having problems with it. Now I'm back to retry it on OpenBSD -current. Surprisingly, I had no problem getting it installed at all; here's how I did it, which is straightforward. You need gmake and bison to compile it.

shell>pkg_add ${PKG_PATH}gmake-3.80p1.tgz ${PKG_PATH}bison-2.1p0.tgz

shell>cd /usr/local/src

shell>wget ftp://bro-ids.org/bro-0.9-stable.tar.gz

shell>tar xvzf bro-0.9-stable.tar.gz

shell>cd bro-0.9a11

shell>./configure --prefix=/usr/local/stow/bro-0.9a11

shell>gmake && gmake install

Then, to simplify the management of software updates, I again use stow:

shell>cd /usr/local/stow

shell>stow bro-0.9a11

It automatically places all the symlinks into the proper directories, which eases your work the next time you need to update.

The installation part is done; the tricky part will be the configuration and understanding how Bro-IDS works. RTFM time again.

Till next time ..... :]

Thursday, January 26, 2006

Mytop - Top of Mysql

Mytop is a console-based (non-GUI) tool for monitoring the threads and overall performance of a MySQL 3.22.x, 3.23.x and 4.x server. That is what its site states; however, I have tried it on MySQL 5.0.18 and it works without any issue. With mytop, monitoring a MySQL server is a lot easier. After installing it from the OpenBSD package, I just ran it and it works :]

shell>mytop --password=Ilovesguil

(A password given on the command line is visible to every user on the box through ps(1); mytop also reads it from the pass= line of ~/.mytop, which is the better place for it.)

Here's the screenshot of mytop .....


It shows the process info and who is currently logged in to the database.

Snort2c + Expiretable

I have mentioned snort2c previously in this post. A few things I would like to point out: snort should be compiled with flexresp in order to perform active response against the threat. Another thing I would like to share is expiretable, which is used to remove entries from the pf table named on its command line. Again, what is snort2c? snort2c monitors snort's alert file using a kqueue filter and blocks any attacker IP that is not in the whitelist file. It uses a persist table and a block in rule that blocks any access against our network.

So it's all about the pf table now. Since snort2c doesn't have a feature that automatically flushes the table's entries (it is on snort2c's todo list), expiretable is what we need. Since it is in the OpenBSD -current ports, I can just install it from the latest packages.

shell>export PKG_PATH=ftp://ftp.openbsd.org/pub/OpenBSD/snapshots/packages/i386/

shell>pkg_add ${PKG_PATH}expiretable-0.5.tgz

Then I quickly added the snort2c table to /etc/pf.conf:

EXT=pcn0

scrub all

table <snort2c> persist

pass in on $EXT from any to $EXT keep state

block in quick on $EXT from <snort2c>

Now we can actually specify the age at which a table entry gets flushed. It's useful because we don't have to remove the blocked IP addresses from the table by hand; they are flushed automatically after a certain period, which saves the job of manually removing IPs from the table or flushing the whole table. One thing to keep in mind: adding an address to the table only affects new connections. A connection that already has a state entry from the pass rule keeps passing until its state expires or you kill it with pfctl -k.

With expiretable installed, I just need to run it as a cron job:

shell>crontab -e

Add this line at the end of the file.

*/5 * * * * /usr/local/sbin/expiretable -t 1800 snort2c

So expiretable will run every 5 minutes and flush snort2c table entries that are older than 30 minutes (-t takes seconds). expiretable-0.6 is out, and you may try it if you feel adventurous.
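The two pieces of policy above (snort2c: alert source not in the whitelist, add it to the table; expiretable -t 1800: drop entries older than 30 minutes) are small enough to model end to end. The following is an added example, not snort2c's or expiretable's own code: it parses Snort "fast" alert lines, keeps a dictionary standing in for the <snort2c> pf table, and expires entries on an injected clock so the 30-minute behaviour can be checked without waiting. The alert lines, sids and addresses at the bottom are constructed for the example.

```python
"""Added example, not snort2c's or expiretable's own code: the policy the two
tools implement, as a small in-memory model. feed() does snort2c's job on one
Snort 'fast' alert line; expire() does expiretable -t TTL's job. The alerts at
the bottom are constructed samples and the clock is injected for testing.
"""
import ipaddress
import re
import time

# Snort -A fast line:
#   date  [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"^\d\d/\d\d-\d\d:\d\d:\d\d\.\d+\s+\[\*\*\]\s+\[\d+:(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?\s*$")


class BlockTable:
    """Model of the <snort2c> pf table: attacker address -> time it was added."""

    def __init__(self, whitelist, ttl=1800, now=time.time):
        self.whitelist = [ipaddress.ip_network(w, strict=False) for w in whitelist]
        self.ttl = ttl
        self.now = now
        self.entries = {}

    def is_whitelisted(self, addr):
        a = ipaddress.ip_address(addr)
        return any(a in net for net in self.whitelist)

    def feed(self, line):
        """One alert line in; the address now blocked (new or repeat), or None."""
        m = ALERT_RE.match(line)
        if m is None:
            return None                      # not an alert line; ignored
        src = m.group("src")
        if self.is_whitelisted(src):
            return None                      # never block ourselves, the gateway, DNS, ...
        # pf keeps the original timestamp when an address is added again,
        # so a repeat alert does not extend the block
        self.entries.setdefault(src, self.now())
        return src

    def expire(self):
        """Remove entries older than ttl seconds; return the addresses removed."""
        cutoff = self.now() - self.ttl
        gone = sorted(a for a, t in self.entries.items() if t <= cutoff)
        for a in gone:
            del self.entries[a]
        return gone

    def blocked(self):
        return sorted(self.entries)


# Constructed sample alerts (sids and addresses are made up for this example)
SAMPLE_ALERTS = [
    '01/27-10:15:22.123456  [**] [1:1000001:1] LOCAL SSH brute force [**] '
    '[Classification: Attempted Administrator Privilege Gain] [Priority: 1] '
    '{TCP} 10.1.1.5:4444 -> 192.168.0.170:22',
    '01/27-10:15:23.000001  [**] [1:1000002:1] LOCAL ICMP sweep [**] '
    '[Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.1 -> 192.168.0.170',
    'not an alert line at all',
    '01/27-10:25:22.500000  [**] [1:1000001:1] LOCAL SSH brute force [**] '
    '[Classification: Attempted Administrator Privilege Gain] [Priority: 1] '
    '{TCP} 10.1.1.6:5555 -> 192.168.0.170:22',
]


def run_sample(ttl=1800):
    """Replay SAMPLE_ALERTS ten minutes apart on a fake clock, then run one
    expiry pass when the first entry is exactly ttl seconds old.
    Returns (blocked before expiry, expired, blocked after expiry)."""
    clock = [0.0]
    # 192.168.0.0/24 is our own net, 10.0.0.1 the gateway: never block them
    table = BlockTable(["192.168.0.0/24", "10.0.0.1"], ttl=ttl, now=lambda: clock[0])
    for i, line in enumerate(SAMPLE_ALERTS):
        clock[0] = i * 600.0
        table.feed(line)
    before = table.blocked()
    clock[0] = float(ttl)
    expired = table.expire()
    return before, expired, table.blocked()


if __name__ == "__main__":
    print(run_sample())
```

The whitelist is not a convenience: an attacker who can spoof a source address can make the sensor block whatever address he puts on a packet that trips a UDP or ICMP signature, so every address the sensor host depends on (its own interfaces, the default gateway, the resolvers, the Sguil server) belongs in it.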

Have fun with IPS :]

Tuesday, January 24, 2006

OpenBSD pktstat

I recently found an interesting tool in the OpenBSD ports for monitoring a network interface: pktstat. The pktstat program displays a real-time summary of packet activity on an interface. Maybe you are thinking of tools like ifstat and the like, but pktstat has its own interesting features not offered by other tools. Let's check it out.

After finishing the installation via package, I quickly ran pktstat on my NIC, pcn1. By default pktstat shows bits-per-second statistics for the interface. However, you can force it to show bytes per second by running

shell>pktstat -B -i pcn1

or showing packets per second

shell>pktstat -p -i pcn1

I can show total traffic on the fly by using the -T switch,

shell>pktstat -T -i pcn1


One interesting feature of pktstat is that you can separate the network flows to see the total statistics of each connection clearly via the -c switch; otherwise it shows the streams of both sides on a single line.

shell>pktstat -B -c -i pcn1


Another thing I like about it is the bpf filter: you can specify one to suit your needs and watch just the connection statistics you want. I just run

shell>pktstat -i pcn1 tcp


To view only udp connection statistics,

shell>pktstat -i pcn1 udp


I feel pktstat is a pretty neat tool for monitoring a network interface; you can actually use it effectively to spot a DoS attack or maybe a network compromise. A few interesting things you can do, such as showing the flows from and to the network 192.168.0.0/24 with the command

shell>pktstat -B -n -i pcn1 net 192.168.0.0/24

as well as showing the hosts that send TCP packets with only the SYN flag set (tcp[13] is the flags byte, and 2 is SYN without ACK, i.e. new connection attempts); the filter is quoted so the shell leaves the brackets alone:

shell>pktstat -c -i pcn1 'tcp[13]==2'

The best part is that it is flexible and you can toggle modes, e.g. pressing the T key to get into total mode, and so on. Changing mode on the fly is good because you don't have to retype the command to get the output you want. You can play with the abbreviation patterns for further combining of flows. The abbreviation file is given with the -A switch on the command line, and below is an example abbreviation file that I have taken from the man page:

dns @ udp *:domain <-> *
dns @ udp * <-> *:domain
irc @ udp 192.168.0.81:6666 <-> *

www @ tcp 192.168.0.23:80 <-> *

The last one I added myself, and I guess it's not hard to figure out how to write the abbreviation file. By default pktstat reads ~/.pktstatrc, or the file given in /etc/pktstatrc. You can suppress it with the -A none option.

Monitoring with pktstat on the fly (:])

Monday, January 23, 2006

CNY is around .....

Since Chinese New Year is around the corner, I have been really busy getting things in order; while trying to get work done, I have to prepare and buy this and that (ding ding dong dong) for the sake of CNY. Time doesn't seem to be enough at the moment, or should I say it's never enough.

God should give us 48 hours a day :P

Friday, January 20, 2006

Adding Sguil startup on B00T

I have just added startup of the Sguil components on boot in /etc/rc.local, so that you won't need to run those 6 scripts in ~ anymore. However, I have only put it into my documentation instead of syncing it into the VMware image, since uploading is slow over here for a roughly 100MB file. I blog it here instead for anyone interested. Just open /etc/rc.local and append the lines below at the end of the file.

if [ -x /usr/local/bin/sancp ]; then
echo -n " sancp"; /usr/local/bin/sancp -d /nsm/snort_data/pcn1/sancp -i pcn1 -u sguil -g sguil -c /etc/sguil/sancp.conf -D > /var/log/sancp.log
fi

if [ -x /usr/local/bin/snort ]; then
echo -n " snort"; /usr/local/bin/snort -u sguil -g sguil -c /etc/sguil/snortrules-pcn1/snort.conf -l /nsm/snort_data/pcn1 -m 122 -A none -i pcn1 -D
fi

if [ -x /usr/local/bin/tclsh ]; then
echo -n " sguild"; /usr/local/stow/sguil-0.6.0p1/server/sguild -c /etc/sguild/sguild.conf -u /etc/sguild/sguild.users -A /etc/sguild/sguild.access -D
fi

if [ -x /usr/local/bin/tclsh ]; then
echo -n " sensor_agent"; /usr/local/stow/sguil-0.6.0p1/sensor/sensor_agent.tcl -c /etc/sguil/sensor_agent-pcn1.conf -D
fi

if [ -x /usr/local/bin/barnyard ]; then
echo -n " barnyard"; /usr/local/bin/barnyard -c /etc/sguil/barnyard-pcn1.conf -d /nsm/snort_data/pcn1 -g /nsm/sguild_data/rules/pcn1/gen-msg.map -s /nsm/sguild_data/rules/pcn1/sid-msg.map -f snort.log -w /nsm/snort_data/pcn1/waldo.file -D
fi

You will have to edit line number 3 of /usr/local/stow/sguil-0.6.0p1/server/sguild and /usr/local/stow/sguil-0.6.0p1/sensor/sensor_agent.tcl, because /etc/rc.local runs with the system PATH, which does not include /usr/local/bin where tclsh lives. Just change it from

exec tclsh "$0" "$@"

to

exec /usr/local/bin/tclsh "$0" "$@"

Now all the Sguil components will start up properly in order, and you can connect to the Sguil server with the client directly after a reboot.

Cheers ( :])

Generating html report with Sguil

There's a Tcl script added to Sguil that isn't much used yet: incident_report.tcl. It resides in /usr/local/stow/sguil-0.6.0p1/server/contrib if you use my Sguil VMware image. This script really fills the gap in Sguil where you couldn't generate a nice report for the incidents. Using incident_report.tcl, you can generate the report just by running the command below.

shell>/usr/local/stow/sguil-0.6.0p1/server/contrib/incident_report.tcl --outfile IR_report.html

With that I have generated IR_report.html, and this is good, since I guess most companies require you to send or submit reports on the work you perform. You can generate the HTML report for a given start and end date as well; the other options you can set I leave for you to figure out.

Enjoy the screenshots :]


Thursday, January 19, 2006

Sguil On OpenBSD Current tested

I have tested Sguil-0.6.0p1 on OpenBSD -current; everything seems to go smoothly and the mysqltcl crash is gone. Thanks to the MySQL 5 port, which has really made deploying Sguil on OpenBSD easier. One thing I noticed, though, is that tcpdump can't be run as a normal user and requires root privilege; even after I changed the owner of the tcpdump binary to another user, I still couldn't run it as that user, only as root. To work around this without changing the owner of the binary in /usr/sbin, I decided to install tcpdump-3.8.3 instead of using the native OpenBSD tcpdump. It works, and I can now run tcpdump as any user, at least to read and write pcap files.

Anyway, here are a few corrections for the OpenBSD Sguil VMware image, for anyone who tries it.

- Barnyard points to the wrong directory for sid-msg.map and gen-msg.map; this causes the snort rules not to display in the Sguil analyst console when you click Show Rules. It should point to /nsm/sguild_data/rules/pcn1 instead of /usr/local/snortrules-pcn1, since /usr/local/snortrules-pcn1 is for the sensor and /nsm/sguild_data/rules/pcn1 is where sguild reads the rules to display.

- Tcpflow is not installed, so transcripts can't be generated. If you have an internet connection, installing it takes just a moment.

shell>PKG_PATH=ftp://ftp.openbsd.org/pub/OpenBSD/3.8/packages/i386/
shell>export PKG_PATH
shell>pkg_add ${PKG_PATH}tcpflow-0.21.tgz

Please do give feedback if you find anything wrong or not working in the VMware image. Enjoy :]

I have heard about the Anonymous Live CD based on OpenBSD, Kaos. Do you think it would be cool to have a Sguil Live CD based on OpenBSD that lets you mount /nsm on a hard drive, maybe?

Wednesday, January 18, 2006

Mysql-5.0.18 In Da House

Previously I installed MySQL 5 from source for my Sguil build; however, MySQL 5.0.18 is now in the OpenBSD -current ports. Thanks to Brad[at]openbsd.org, who updated it. This will ease my deployment of MySQL 5 on OpenBSD.

You can install it via the -current port or check out the cvsweb here.

Enjoy!!!!!

Splitvt - Two shells in a window

I have just come across an old tool called splitvt; it splits a window into two shells when you run a command with it, so I think it's best for ssh'ing to my Sguil VMware image, since I need two logins at the same time. Then I can su - sguil in the second shell of the window and run the scripts. It's much faster and easier. Since splitvt is in packages, I just installed the package and ran

shell>splitvt ssh 192.168.0.170 -l root

And I have a screen like the one below, and I can easily run the scripts in both shells.


Small tool always helps :]

Tuesday, January 17, 2006

100th post - OpenBSD Sguil VMimage released

Celebrating my 100th post on the blog with the release of the OpenBSD Sguil VMware image; you can just download it from here and load it into VMware Player now. This release ships without the Sguil client installed, since I don't want to add X to it. It's about 410MB, and after compressing it with tar and gzip it is around 105MB. I will start testing Hanashi's InstantNSM and try to release a CentOS Sguil VM image as soon as I have time. Below is the info for the OpenBSD Sguil VMware image.

Basic Info (all of these are lab defaults; change every one of them before the image sees anything other than an isolated network)

System User

Username: root
password: r00t

Username: sguil
password: sguilNSM

Mysql Database

Username: root
password: r00t

Username: sguil
password: sguil

Sguild client User

Username: sguil
password: sguil

Sguil server - pcn0[192.168.0.170]
Sguil sensor - pcn1[192.168.0.171]

/etc/sguild - sguil server configuration
autocat.conf
sguild.access
sguild.conf
sguild.email
sguild.queries
sguild.reports
sguild.users

/etc/sguil - sguil sensor configuration
barnyard-pcn1.conf
sancp.conf
sensor_agent-pcn1.conf
snortrules-pcn1 - directory storing the sensor's snort rules and config

/nsm - stores all NSM data
/nsm/mysql - stores the NSM MySQL database
/nsm/sguild_data - stores Sguil server data, including archive and rules
/nsm/snort_data - stores intrusion, portscan and session data

To change your Network configuration

Changing the NIC config (/etc/hostname.$NIC stores the NIC config)

shell>echo "inet 192.168.0.x 255.255.255.0 NONE" > /etc/hostname.pcn0

shell>echo "inet 192.168.0.x 255.255.255.0 NONE" > /etc/hostname.pcn1

Changing the default router IP (/etc/mygate stores the default gateway IP)

shell>echo "192.168.0.1" > /etc/mygate

Changing DNS info (/etc/resolv.conf, similar to Linux)

shell>echo "nameserver 1.2.3.4" > /etc/resolv.conf

shell>echo "nameserver 5.6.7.8" >> /etc/resolv.conf


To reset your network config without rebooting the OS

shell>sh /etc/netstart

You will have to run the Sguil server, sensor agent, barnyard, sancp, snort and mysql by hand; just run the scripts in /root and /home/sguil. There are six scripts in total, and you have to run them in order.

Login as root,

shell>./mysql_start.sh

shell>./snort_start.sh

shell>./sancp_start.sh

Log in as user sguil in another screen

shell>./sguild_start.sh

shell>./sensor_agent_start.sh

shell>./barnyard_start.sh

That's all. If you have any doubts about the Sguil VM, I welcome any question and feedback. But NO SPAM, please!!!!! Hopefully I will be able to continue this blog with more effort and improvements, and to the benefit of others.

Cheers and Enjoy (:])

Saturday, January 14, 2006

OpenBSD Sguil Installation Script

I have just finished my Sguil installation script for OpenBSD. It automates the whole installation process when you run it; I have uploaded it here, and you'll find the script is named SguilOBSD_install.sh. However, you still have to configure Sguil manually; I wish I had time to automate the Sguil configuration as well. Just a reminder that the Sguil client installation script, sguilclient_OBSD.sh, is not compatible with SguilOBSD_install.sh; you should install them on different machines, since it's not a good idea to run the Sguil client on the same machine anyway.

I have also uploaded the patched barnyard and the patched sancp to the same location; I call them barnyard-0.2.0-patched.tar.gz and sancp-1.6.1-patched.tar.gz. If you are using my installation script and want to patch barnyard and sancp yourself, you have to tweak the script, since it fetches these two files from my central source location. I have also created tclx8.4.tar.gz and uploaded it to the same location, since I don't want to install bzip2 on my system (to keep the package installation minimal) and tclx only distributes its files with bzip2 compression.

I have also fixed the minor errors in my installation guide.

I'm kind of tired now after working on the OpenBSD Sguil stuff; however, it was worth spending the time on, and I hope you find it useful.

(:])

Vmware FreeBSD Sguil

This is a late post, since most people out there should already know this; however, I mention it here for the sake of Richard. Instead of connecting to the Sguil demo server, if you really want to try it out and learn how Sguil works, you now have a Sguil VMware image available here. Sguil is deployed on the FreeBSD platform and works properly. I insist I will try Richard's installation script as well as InstantNSM's installation script once I have time in hand.

Scottder has put up my Sguil on OpenBSD guide at this location; thanks again to all the sguil lamerz, and enjoy yourselves at ShmooCon if you are there.

By the way, I'm writing a Sguil installation script for Sguil on OpenBSD to ease the deployment.

Cheers and peace :]

Friday, January 13, 2006

Sguil-0.6.0p1 On OpenBSD Installation Guide

Coincidentally, just one year after the release of the previous Sguil-0.5.3 installation guide, I have the second one finished, based on Sguil-0.6.0p1. I have uploaded it to http://www.dissectible.org/anonymous/Sguil_OBSD; please do give feedback if you try it so that I can improve it from time to time. I decided to release it in text, AbiWord, OpenOffice Writer and PDF format; don't ask me why AbiWord format, but I used it to write this documentation.

If you are preparing to deploy Sguil-0.6.0p1 on OpenBSD 3.8, I have uploaded all the sources needed for the deployment to http://www.dissectible.org/anonymous/Sguil_OBSD/source. It will serve as a central location to ease your deployment.

Enjoy(:])

OpenBSD Sguil-0.6.0p1

I have installed Sguil-0.6.0p1 on OpenBSD 3.8 with MySQL 5. It's a painful process that I have gone through, but it is finally finished. The documentation on how it can be done is being cleaned up; again, I will upload it to dissectible.org as soon as it's done. Stay tuned :].

Below is the screenshot of my OpenBSD Sguil.


Tiring ................zzzZZZZzzzzZ...

Tuesday, January 10, 2006

OpenBSD Snort-ClamAV

There's one project in Bleedingsnort that I would like to try out - Snort-ClamAV. With the ClamAV preprocessor it can scan the data stream travelling across the wire for viruses. Maybe it is not as useful as it seems, since nowadays most hosts have personal antivirus software deployed, however it would notify and may drop the viruses/worms before they reach your client hosts in the network. Here's how I got Snort-ClamAV to work on OpenBSD current.

Installing ClamAV-0.87.1 from source

shell>groupadd clamav

shell>useradd -g clamav -d /home/clamav -s /bin/false -c "Clam Antivirus" clamav

shell>cd /usr/local/src

shell>wget http://jaist.dl.sourceforge.net/sourceforge/clamav/clamav-0.87.1.tar.gz

shell>tar xzf clamav-0.87.1.tar.gz

shell>cd clamav-0.87.1

shell>./configure --prefix=/usr/local/clamav --sysconfdir=/usr/local/clamav/etc --disable-pthreads --disable-clamuko

shell>make && make install

Installing Snort-ClamAV preprocessor

shell>cd /usr/local/src

shell>wget http://www.bleedingsnort.com/cgi-bin/viewcvs.cgi/root.tar.gz?root=Snort-Clamav&view=tar

shell>wget http://www.snort.org/dl/current/snort-2.4.3.tar.gz

shell>tar xzf snort-2.4.3.tar.gz

shell>tar xzf root.tar.gz

shell>cp /usr/local/src/Snort-Clamav/snort-clamav/snort-2.4.3-clamonly.diff /usr/local/src/

shell>patch -p0 < snort-2.4.3-clamonly.diff

shell>cd snort-2.4.3

shell>cp ./m4/libprelude.m4 /usr/local/share/aclocal/

shell>export AUTOCONF_VERSION=2.59

shell>export AUTOMAKE_VERSION=1.9

shell>autoreconf -f

shell>./configure --enable-clamav --with-clamav-includes=/usr/local/include --with-clamav-defdir=/var/clamav --prefix=/usr/local/snort-clamav

shell>make && make install

You should add the ClamAV preprocessor before the http_inspect preprocessor in the Snort configuration file. I have renamed my Snort configuration to snort_clamav.conf to reflect the changes.

Just add the line below, which will inspect all the network streams that flow to client hosts:

preprocessor clamav: ports all, toclientonly, dbdir /var/clamav, file-descriptor-mode
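Because Snort runs preprocessors in configuration order, the placement of that line matters. The following Python is an added check written for this post (it is not code from the Snort or Snort-ClamAV projects): it reads a snort.conf, reports whether the clamav preprocessor precedes http_inspect, and inserts or moves the line when it does not. The snort.conf excerpt it uses is constructed; the preprocessor names in it are only there to exercise the ordering logic.

```python
"""Preprocessor ordering check for a Snort 2.4 configuration (added example,
not code from the Snort or Snort-ClamAV projects)."""
import re

# The line the post adds to snort_clamav.conf.
CLAMAV_LINE = ("preprocessor clamav: ports all, toclientonly, "
               "dbdir /var/clamav, file-descriptor-mode")

PREPROC_RE = re.compile(r"^\s*preprocessor\s+([A-Za-z0-9_]+)")
CLAMAV_RE = re.compile(r"^\s*preprocessor\s+clamav\b")
HTTP_INSPECT_RE = re.compile(r"^\s*preprocessor\s+http_inspect\b")

# Constructed snort.conf excerpt (not a real file); only the preprocessor
# names and their order matter here.
SAMPLE_CONF = """\
# constructed snort.conf excerpt
var HOME_NET 192.168.0.0/24
preprocessor flow: stats_interval 0 hash 2
preprocessor frag2
preprocessor stream4: disable_evasion_alerts
preprocessor stream4_reassemble
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default profile all ports { 80 8080 }
"""


def preprocessor_order(conf_text):
    """Names of the preprocessors in the order Snort will run them
    (configuration order); comment and blank lines are ignored."""
    return [m[1] for m in map(PREPROC_RE.match, conf_text.splitlines()) if m]


def clamav_before_http_inspect(conf_text):
    """True only if a clamav line exists and precedes http_inspect."""
    order = preprocessor_order(conf_text)
    if "clamav" not in order:
        return False
    if "http_inspect" not in order:
        return True
    return order.index("clamav") < order.index("http_inspect")


def ensure_clamav_preprocessor(conf_text, clamav_line=CLAMAV_LINE):
    """Return conf_text with exactly one clamav preprocessor line placed
    directly before the http_inspect line. An existing clamav line (with its
    own options) is kept and moved rather than replaced; when there is no
    http_inspect line the clamav line is appended at the end."""
    lines = conf_text.splitlines()
    existing = [l for l in lines if CLAMAV_RE.match(l)]
    line_to_place = existing[0] if existing else clamav_line
    kept = [l for l in lines if not CLAMAV_RE.match(l)]
    for i, l in enumerate(kept):
        if HTTP_INSPECT_RE.match(l):
            kept.insert(i, line_to_place)
            break
    else:
        kept.append(line_to_place)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    print("ok" if clamav_before_http_inspect(SAMPLE_CONF)
          else "clamav missing or misplaced")
    print(ensure_clamav_preprocessor(SAMPLE_CONF))
```

Running it on the constructed excerpt reports the clamav line as missing, and the fixed text has it immediately ahead of http_inspect; running the fixer a second time changes nothing, so it can sit in a deployment script safely.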

You can start running Snort now:

shell>/usr/local/snort-clamav/bin/snort -c /usr/local/src/snort-2.4.3/etc/snort_clamav.conf -l /usr/local/src/snort-2.4.3/snort_log

If you get an error saying the clamav preprocessor was not found, it is most probably because you did not run autoreconf -f or did not pass --enable-clamav when compiling Snort-ClamAV.

Hopefully this helps people who want to get Snort-ClamAV working on OpenBSD ;-)

OpenBSD Snortalog

I'm pretty sure most of you find that Snort is not well supported under OpenBSD; what I mean by not well supported is that there is always a lack of documentation on how to run Snort or Snort-related tools on the OpenBSD platform. Here I will share with OpenBSD and Snort users how I got Snortalog working on OpenBSD.

What is Snortalog anyway? Snortalog is a tool written in Perl that is used to analyze log files; it provides comprehensive and complete support when it comes to analyzing Snort logs and firewall logs as well, and currently it supports a wide range of firewall logs including Checkpoint firewall, ipfw, iptables, pf, etc. Since it uses Perl Tk to build its GUI, which is similar to the Oinkmaster GUI, I'm pretty happy as the GUI should run out of the box. Anyway, you can still run Snortalog from the command line interface. To get Snortalog working,

Install the dependencies needed for Snortalog to work properly.

shell>pkg_add ${PKG_PATH}gd-2.0.33p2.tgz

shell>pkg_add ${PKG_PATH}p5-GD-Graph-1.43.tgz

shell>pkg_add ${PKG_PATH}p5-GD-TextUtil-0.86.tgz

shell>pkg_add ${PKG_PATH}htmldoc-1.8.23.tgz

Since HTML-HTMLDoc is not available via the OpenBSD ports/packages, I just download it.

shell>wget http://cpan.mirror.solnet.ch/modules/by-module/HTML/HTML-HTMLDoc-0.10.tar.gz

In order to run Snortalog in GUI mode it requires Perl Tk, however I get an error if I install p5-Tk from ports, when I run

shell>./snortalog.pl -x
unknown option "accelerator" at /usr/local/libdata/perl5/site_perl/i386-openbsd/Tk.pm 247.
at /usr/local/libdata/perl5/site_perl/i386-openbsd/Tk/Menu/Item line 47

Since I'm not a Perl expert, I just download the Perl Tk from a CPAN mirror site to install it from source.

shell>wget http://cpan.mirror.solnet.ch/modules/by-module/Tk/Tk800.025.tar.gz

shell>tar xvzf Tk800.025.tar.gz

shell>cd Tk800.025

shell>perl Makefile.PL

shell>make && make install

To configure the rules path in snortalog.pl, just edit the line below in snortalog.pl:

$rules_file = "/usr/local/src/snort-2.4.3/rules"; $RULES = 1; # Path to find Rules file

Generate the rule ID reference for Snortalog:

shell>cat /usr/local/src/snort-2.4.3/rules/*.rules | ./snortalog.pl -genref ruleID.ref

You are pretty much done with the Snortalog configuration and you can just launch the Snortalog GUI with the command below:

shell>./snortalog.pl -x

The Snortalog GUI, where you can generate a report based on a variety of options.

This is the ASCII report generated by loading a Snort alert file.

-Snortalog HTML report-

Report showing distribution of attack methods ...

I'm pretty satisfied with Snortalog and it really suits my needs when it comes to analyzing firewall and IDS logs.

Cheers!

Saturday, January 07, 2006

Why Network Security Monitoring[NSM]?

If you are a Snort user and you like to stay on the cutting edge, bleeding-snort is what you should try. Bleeding-snort offers the latest Snort rules against the exploits/intrusions detected to date. It is a double-edged sword: at the same time as it delivers the latest Snort ruleset, it also gives you false positives, since the ruleset is not tested heavily during an outbreak period. However, we would rather get false positives than miss the detection of attacks when the risk is out there somewhere, since disabling a Snort rule never requires a rocket scientist :P. Another thing I like about bleeding-snort is that it offers a few interesting Snort-related projects which you can play around with and implement depending on your network architecture and needs.

Okay, back to bleeding-snort rules testing. I downloaded the latest bleeding-snort rules from here, untarred them into the rules directory, and quickly added them to snort.conf. Since my intention is testing the WMF exploits, I decided to run Metasploit's msfweb to upload the exploit to port 8080. Then on the Snort sensor host, I just ran the command below:

shell>/usr/local/bin/snort -c /usr/local/src/snort-2.4.3/etc/snort.conf -l /usr/local/src/snort-2.4.3/snort_log -D

On the other hand, I just use tcpdump to capture full content traffic:

shell>tcpdump -qeXX -tttt -n -s 1550 -w /nsm/full_trace.pcap &

Then I tail the alert log to view attacks in real time:

shell>tail -f /usr/local/src/snort-2.4.3/snort_log/alert

Msfweb is running and waiting for connections to http://192.168.0.233:8080, and you may notice session 1 started ... someone was exploited!!!

There are connections from the victims; the first connection is not gzip-encoded, the rest are gzip-encoded.

Just click on session 1 and you are already in the vulnerable host; let's run ipconfig /all ...

Checking the services in the system ...

Back to the sensor running Snort with the bleeding-snort rules loaded: I smelled something bad when I tailed the alert file, then I loaded the fishy pcap file that it captured in /usr/local/src/snort-2.4.3/snort_log into Ethereal. Apparently it is just showing the single packet that successfully exploited the vulnerable victim, which is not gzip-encoded, from when I tried to run wget http://192.168.0.233:8080; for the rest of it I just connected to http://192.168.0.233:8080 with different kinds of web browsers, including lynx, as the victims.

You should see the matching Snort rule with the SID of 2002742 and the payload in Ethereal. However, do you really see the whole session where the bad guys executed commands in your vulnerable host? That's where full content traffic data comes in handy when performing network forensics.

Immediately I load the tcpdump log - full_trace.pcap - into Ethereal. Since the Snort rule detected that the src IP is 192.168.0.233 and the destination IP is 192.168.0.50 (refer to screenshot 5), I can easily query it with the expression ip.addr eq 192.168.0.233 and ip.addr eq 192.168.0.50 to trace the session between these two hosts.

Do you see something similar in the data payload compared to the third screenshot ...

When I follow the TCP stream to generate the transcript, everything is pretty obvious. You should understand perfectly what is happening and be planning countermeasures now.
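Both the Snortalog report in the earlier post (the distribution of attack methods) and the pivot just described (from a Snort alert to the matching conversation in full_trace.pcap) come down to reading the alert file and extracting a few fields. The Python below is an added example written for this page, not Snortalog's or Snort's own code: it parses a constructed Snort full-format alert file, counts alerts per SID the way Snortalog's distribution report does, and derives for each source/destination pair both the Ethereal display filter used above and the equivalent tcpdump BPF filter for carving the conversation out of the capture. The alert records, hosts, ports and rule messages are made up; SID 2002742 is reused only as the number this post mentions, and its real rule message is not reproduced.

```python
"""Snortalog-style summary of a Snort "full" alert file plus the pivot to
full-content capture (added example; not Snortalog's or Snort's own code)."""
import re
from collections import Counter

# Constructed sample alert file in Snort's "full" format. Hosts, ports,
# timestamps and rule messages are made up; SID 2002742 is just the number
# the post mentions (its real msg text is not reproduced here).
SAMPLE_ALERTS = """\
[**] [1:2002742:3] BLEEDING-EDGE EXPLOIT WMF (constructed msg) [**]
[Classification: Attempted User Privilege Gain] [Priority: 1]
01/07-12:34:56.123456 192.168.0.233:8080 -> 192.168.0.50:1040
TCP TTL:64 TOS:0x0 ID:4321 IpLen:20 DgmLen:1500 DF
***AP*** Seq: 0x1A2B3C4D  Ack: 0x5E6F7081  Win: 0x4000  TcpLen: 20

[**] [1:2002742:3] BLEEDING-EDGE EXPLOIT WMF (constructed msg) [**]
[Classification: Attempted User Privilege Gain] [Priority: 1]
01/07-12:35:10.000001 192.168.0.233:8080 -> 192.168.0.51:1041
TCP TTL:64 TOS:0x0 ID:4322 IpLen:20 DgmLen:1500 DF
***AP*** Seq: 0x1A2B3C4E  Ack: 0x5E6F7082  Win: 0x4000  TcpLen: 20

[**] [1:1000001:1] LOCAL ICMP echo request (constructed msg) [**]
[Classification: Misc activity] [Priority: 3]
01/07-12:36:00.000002 192.168.0.77 -> 192.168.0.50
ICMP TTL:128 TOS:0x0 ID:1 IpLen:20 DgmLen:60
Type:8  Code:0  ID:512   Seq:1  ECHO
"""

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*) \[\*\*\]$")
CLASS_RE = re.compile(r"^\[Classification: (.*?)\] \[Priority: (\d+)\]$")
ADDR_RE = re.compile(
    r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) "
    r"(\d+(?:\.\d+){3})(?::(\d+))? -> (\d+(?:\.\d+){3})(?::(\d+))?$"
)
PROTO_RE = re.compile(r"^(TCP|UDP|ICMP) TTL:")


def parse_alerts(text):
    """One dict per alert record. Records are separated by blank lines; each
    line is matched on its own, so a record without a Classification line
    (a rule with no classtype) still parses."""
    alerts = []
    for record in re.split(r"\n\s*\n", text.strip()):
        alert = {}
        for line in record.splitlines():
            if m := HEADER_RE.match(line):
                alert.update(gid=int(m[1]), sid=int(m[2]), rev=int(m[3]), msg=m[4])
            elif m := CLASS_RE.match(line):
                alert.update(classification=m[1], priority=int(m[2]))
            elif m := ADDR_RE.match(line):
                alert.update(time=m[1], src=m[2], sport=int(m[3]) if m[3] else None,
                             dst=m[4], dport=int(m[5]) if m[5] else None)
            elif m := PROTO_RE.match(line):
                alert["proto"] = m[1]
        if "sid" in alert and "src" in alert:   # skip truncated records
            alerts.append(alert)
    return alerts


def attack_distribution(alerts):
    """Snortalog-style 'distribution of attack methods': alerts per
    (sid, msg), most frequent first."""
    counts = Counter((a["sid"], a["msg"]) for a in alerts)
    return [(sid, msg, n) for (sid, msg), n in counts.most_common()]


def pivot_filters(alert):
    """Expressions that pull the whole conversation behind one alert out of
    the full-content capture: the Ethereal/Wireshark display filter the post
    uses, and a tcpdump BPF filter for the same host pair."""
    a, b = alert["src"], alert["dst"]
    return {"ethereal": f"ip.addr eq {a} and ip.addr eq {b}",
            "bpf": f"host {a} and host {b}"}


def report(text):
    """Text report: distribution table, then one pivot line per host pair."""
    alerts = parse_alerts(text)
    lines = ["SID      COUNT  MSG"]
    for sid, msg, n in attack_distribution(alerts):
        lines.append(f"{sid:<8} {n:>5}  {msg}")
    seen = set()
    for a in alerts:
        pair = frozenset((a["src"], a["dst"]))
        if pair not in seen:
            seen.add(pair)
            lines.append(f"pivot {a['src']} <-> {a['dst']}: "
                         f"{pivot_filters(a)['ethereal']}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_ALERTS)))
```

On the constructed input the report shows SID 2002742 twice and the local rule once, followed by three host-pair pivot lines; pointing parse_alerts at the real alert file from the snort_log directory gives the same kind of table, and the "bpf" expression can be handed straight to tcpdump -r full_trace.pcap to extract one conversation for the transcript.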

Apparently we can always do more with less; the whole process requires more effort and lacks efficiency. That's where Network Security Monitoring (NSM) comes into place: if you have the NSM model deployed, it wouldn't be that hard to perform incident response and handling or even network forensics. That's why NSM requires the interaction of a security analyst.

Network Security Monitoring (NSM) is a model that does not rely totally on the capabilities of an Intrusion Detection System but is a complete framework that utilizes the capabilities of the security analyst; it is a must for the security analyst to fully understand what is happening in the network as well as to perform network forensics and investigation properly.

Get yourself dirty with NSM now (:])

Thursday, January 05, 2006

~OpenBSD Colorful Shell~

Previously I have shown how you are able to have a colorful shell on FreeBSD, and now I have it on OpenBSD. You can easily configure it by installing gnuls from ports/packages; after you have installed it, just add a one-liner to ~/.profile or ~/.bashrc, depending on which shell you are using.

shell>echo "alias ls='gls --color'" >> ~/.profile

or

shell>echo "alias ls='gls --color'" >> ~/.bashrc

Then you are done.

Everyone loves color :)

OpenBSD Oinkmaster-Gui

Today I downloaded Oinkmaster to my OpenBSD machine and found that it offers a GUI. After reading the README, I felt like trying it, and once I ran oinkgui.pl under the /usr/local/src/oinkmaster-1.2/contrib directory I got an error that Perl Tk was not found. Fortunately Perl Tk is available via /usr/ports/x11/p5-Tk; I quickly ran make install and was able to run oinkgui.pl without problem :]

You will have to configure the paths manually; this should be easily done.

Snort rules updated successfully. One thing I like about it is that you can just click on the Save current settings button and it will save the configuration to /root/.oinkguirc automatically.

Oink....oink......oinK.........

OpenBSD ClamAV

When I checked the ClamAV site today, it seems there is already a signature for the WMF exploits. I quickly installed it through the OpenBSD port and would like to give it a try, since I'm thinking of trying the Snort+ClamAV that is available in bleeding as well.

Installing ClamAV via ports:

shell>cd /usr/ports/security/clamav; make install

It will add a user _clamav automatically; then you have to configure clamd.conf and freshclam.conf manually. Just copy the default ones to /etc.

shell>cp /usr/local/share/examples/clamav/clamd.conf /etc

shell>cp /usr/local/share/examples/clamav/freshclam.conf /etc

You should be able to figure out how to configure it properly with this doc.

After you have configured it, I suggest you run freshclam to update the signature database first, since you don't have main.cvd and daily.cvd initially.

I quickly scanned /root/WMF using clamscan, and apparently it works perfectly. You may see the result below.


Why use a commercial AV when there's an effective and cool one available??!!!

Wednesday, January 04, 2006

Opera Browser - Saving the 0 days

The current hottest security topic would be the Windows Metafile exploit; it is still considered a 0-day since Microsoft hasn't released any patches until the 10th of January. Consider all the Windows users in the danger zone now, especially those users who totally have no idea and lack awareness.

HD Moore has released the exploit and I think it's worth giving it a try. I know there are people saying HD Moore is totally irresponsible and not supposed to release it. However, the name says it all - Metasploit, it just does it right :P.

Surprisingly I am able to use Metasploit on OpenBSD without any problem: just download the latest Metasploit snapshot and untar it, and everything works properly. I just launched the web-based Metasploit - msfweb - and there will be port 55555 listening on localhost. Then I connect to http://127.0.0.1:55555, choose the Windows Metafile exploit, and upload the exploit code to localhost port 8080.

Msf Web launching .....

There are connections from victims .....

Since my IP is 192.168.0.233 on the evil host running Metasploit, on the victim host I just use my Mozilla Firefox browser to connect to http://192.168.0.233:8080. You may see the funny strings in the browser, and it is executed without prompting any message. I have tried using Internet Explorer and apparently I get the same result as with the Firefox browser.

However, when I use the Opera browser to connect to http://192.168.0.233:8080, it prompts you with a message asking whether you want to save or open the WMF file; this seems safer for novice users since the file name is weird as well, ain't it :]

It warns that the file is executable and that you may save the file first before using it; this is apparently useful since you can scan it with your antivirus later, if you have one.

There are unofficial patches available out there, but normally users or corporations just choose to wait for the official patch from Microsoft. As a security or system administrator, you should send out a notice to all the users to notify them, since there will be worms in the wild before the patch arrives.

Tuesday, January 03, 2006

OpenBSD OpenOffice-2.0

Finally I have OpenOffice 2.0 working on OpenBSD. Nothing impressive, but I'm happy with it since I can use OpenBSD as my workstation when everything I need is there, and OO is one of those things. You can find how to install OpenOffice on OpenBSD here. Below are the three screenshots that I have; I'm currently running OpenBSD Current.

OpenOffice 2.0 launching ...

OpenOffice Presentation


You may need to install the Java Runtime Environment (JRE) or else it will keep saying it can't find the JRE. You can install it via /usr/ports/devel/jdk/1.4; remember, don't install 1.5 since it doesn't have the plugin for Firefox, which you need. You may have to download the JDK source manually and put it in /usr/ports/distfiles/. You can refer to /usr/ports/devel/jdk/1.4/distinfo to know what you should download manually.

After finishing the installation of the JDK, you have to configure the JRE for OO manually: launch soffice and go to Tools->Options->Java, check Use a Java runtime environment, then Add /usr/local/jdk-1.4.2/jre, and you are done after restarting soffice.

Enjoy :]