Saturday, September 30, 2006

PgOSS Meetup - Continued

Thanks to surface for recording the talk in mp3 format so that we can share the PgOSS presentation with others. Here's the second presentation, done by Vicky -

http://mysurface.no-ip.org/download/02vick.mp3

And for anyone who stays around Pulau Penang and would like to join us in the next meetup, you can find the information at

http://foss.org.my/projects/meetups/2006-09/pgoss/

By the way, I'm looking for anyone who would like to share their OSS experience and skills at the meetup; please email me, I would like to hear from you. My email is the same as always: geek00L[at]gmail.com.

Enjoy :]

PgOSS Meetup

This is the first official meetup of the Penang Open Source Software Meetup; you can find the initial meetup announcement at

http://my.opera.com/mysurface/blog/show.dml/484686

http://aizatto.com/blog/archives/180

The meetup is over. I know many of you were looking for me at the meetup since I'm one of the organizers; however, I was not able to attend the meetup due to some personal issues. Fortunately there were aizat and surface who were willing to help; aizat came down from Kuala Lumpur to Penang and I'm glad that he made his way here :)

Anyway, thanks to everyone who came to the meetup, especially Dr. Dhanesh who helped organize the meetup.

I hope that we can organize the meetup again next month, and I look forward to seeing everyone at the meetup if possible. For more information regarding the meetup, I think aizat and surface will blog the wrap-up.

This is not a hardcore OSS meetup, and the PgOSS guys have captured the scene to share; you can download it via

http://mysurface.no-ip.org/download/01aizat.mp3

Have fun with OSS!!!!!

Cheers :]

P/S: For whoever thought I was coming, I was cheating with good intentions :P

Thursday, September 28, 2006

Snort and ModSec2Sguil

I know I haven't been posting on my blog for quite some time; there are lots of things on my mind that I have to get done. However, for those who are snort lovers, snort 2.6.1 beta2 has been out for quite some time, and I just noticed it. Lots of decoders have been added to solve the detection issue. I hope I can spare some time to test those preprocessors, but this is not the case right now; maybe next month or when snort 2.6.1 is released.

For Sguil Lovers, check out -

http://www.inliniac.net/blog/?p=43


Mod_Security logs can now be managed and analyzed through Sguil, thanks to Victorj who has written ModSec2Sguil. I hope it will be added as an extra feature of Sguil. This is good news for serious and heavy users of Mod_Security: you can now have a centralized place to perform analysis on Mod_Sec logs.

I will try my best to write more about NSM stuff when I have time; currently I'm still testing OpenBSD PF layer 2 filtering, and hopefully I can blog about it when I have time.

Cheers :]

Saturday, September 23, 2006

HITB Conference 2006

Finally everything is over. I'm glad that the training class went fine, for the first time mel and I conducted it together.

For the Capture The Flag hacking competition: while it is not perfect, we all learnt something from the setup and improvements can be made in future. Thanks to all the CTF crews, the speakers who submitted the daemons, as well as the volunteers who did the cabling job.

I didn't have much time to get into any speaker's talk except Philippe Biondi's, since I use Scapy a lot, and his talk was really interesting, including the tricks and tips on toying with IPv6.

Finally, thanks to all the HITB members for making this conference successful.

Again, I'm glad to work with you guys - mel, takizo, rd, xwings, ditesh, adli, y0muds and some other cool guys. You all just r0x0r5!!!!!

Special thanks to mel for his clothes, to takizo who offered me his place to stay while I'm homeless..... and for his kindness in donating so much $$$$$ to NCC.

Cheers :]

Saturday, September 16, 2006

Short Note

On FreeBSD the per-user gtk theme is located at ~/.gtk-2.0, but the global one is at /usr/X11R6/share/themes. Change the theme as you wish, or you can download themes from whatever -look site - gnome-look, kde-look, and so forth.

By the way, for users who are not using gnome or kde, if you want to change your gtk settings, try

http://plasmasturm.org/code/gtk-chtheme/


Nice little tool indeed.

Anyway, I will be heading to Kuala Lumpur for the HackInTheBox Conference; the geek party will be launched soon!!!!!

Enjoy :]

Monday, September 11, 2006

TCPstat: Detecting SYN DOS?

shell>tcpstat -i fxp0 -o "PPS\=%p\ TCP\=%T\n"
PPS=1505.20 TCP=6850
PPS=1642.80 TCP=7540
PPS=1492.60 TCP=7020
PPS=1565.20 TCP=7384
PPS=1500.00 TCP=6958
PPS=1649.80 TCP=7724
PPS=1622.80 TCP=7505
PPS=1653.20 TCP=7658
PPS=1791.40 TCP=8443

shell>tcpstat -i fxp0 -o "PPS\=%p\ TCP-SYN\=%T\n" -f "tcp[13]=2"
PPS=42.40 TCP-SYN=212
PPS=44.00 TCP-SYN=220
PPS=40.40 TCP-SYN=202
PPS=38.20 TCP-SYN=191
PPS=42.00 TCP-SYN=210
PPS=38.60 TCP-SYN=193
PPS=49.60 TCP-SYN=248
PPS=38.80 TCP-SYN=194
PPS=34.80 TCP-SYN=174

I'm running them in parallel; from the ratio of SYN packets to all TCP packets per interval (here roughly 200 out of 7000, about 3%) you can easily spot a SYN DoS, since a flood drives that share up sharply while the total barely moves. Note that tcp[13]=2 matches only segments whose flags byte is exactly SYN, so SYN/ACK replies are excluded, but so are SYNs carrying the ECN bits; the filter "tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn" catches those too. Just a mindless idea here :P

Happy monitoring (:])

TCPstat - Report your NIC statistic

Just came across this network interface statistics reporting tool; while most such tools only offer link accounting, this tool can do a protocol breakdown on the fly. The default mode of tcpstat reports

shell>tcpstat -i fxp0
Time:1157911172 n=7049 avg=607.08 stddev=659.37 bps=6846924.80
Time:1157911177 n=6614 avg=632.79 stddev=668.06 bps=6696438.40
Time:1157911182 n=7242 avg=648.16 stddev=677.81 bps=7510414.40
Time:1157911187 n=6533 avg=555.01 stddev=651.15 bps=5801387.20
Time:1157911192 n=1417 avg=588.38 stddev=659.08 bps=1333964.80

You can tweak the output format to display counts on a per-protocol basis,

shell>tcpstat -i fxp0 -o "TotalPackets\=%n\ ARP\=%A\ IP\=%I\ ICMP\=%C\ TCP\=%T\ UDP\=%U\n"
TotalPackets=6482 ARP=10 IP=6466 ICMP=37 TCP=5858 UDP=570
TotalPackets=5423 ARP=13 IP=5406 ICMP=33 TCP=4710 UDP=662
TotalPackets=6288 ARP=18 IP=6261 ICMP=36 TCP=5462 UDP=762
TotalPackets=6271 ARP=11 IP=6256 ICMP=37 TCP=5451 UDP=767
TotalPackets=6466 ARP=12 IP=6449 ICMP=34 TCP=5669 UDP=744
TotalPackets=6909 ARP=6 IP=6898 ICMP=42 TCP=6197 UDP=658
TotalPackets=6530 ARP=13 IP=6512 ICMP=43 TCP=5824 UDP=644
TotalPackets=6629 ARP=7 IP=6617 ICMP=42 TCP=5805 UDP=769
TotalPackets=7382 ARP=8 IP=7367 ICMP=44 TCP=6448 UDP=874
TotalPackets=5904 ARP=9 IP=5891 ICMP=42 TCP=5128 UDP=720
TotalPackets=5991 ARP=8 IP=5977 ICMP=35 TCP=5140 UDP=801
TotalPackets=5959 ARP=10 IP=5945 ICMP=41 TCP=5195 UDP=708
TotalPackets=5439 ARP=8 IP=5425 ICMP=34 TCP=4880 UDP=510

By the way, this tool supports BPF expression filtering, neat!
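Here is an added example, not code from the original post or from the tcpstat project, that turns the two ideas above into a small script: it parses tcpstat's key=value output lines, computes the share of each protocol from a breakdown line, and pairs a filtered SYN run with an unfiltered run to compute the per-interval SYN share and flag intervals that jump far above the median. The sample lines are constructed in the shape of the output above (the third SYN interval is a made-up flood); pairing the two runs by line order assumes both tcpstat processes were started together with the same interval, and the 5x factor is an assumption to tune per link.

```python
"""Added example: parse tcpstat key=value output and compute SYN/TCP ratios."""
import re
from statistics import median
from typing import Dict, List

# Constructed sample lines in the shape of the tcpstat -o output above
# (not captured from a real interface); the third SYN interval is a
# made-up flood so that the check below has something to flag.
TOTAL_LINES = """\
PPS=1505.20 TCP=6850
PPS=1642.80 TCP=7540
PPS=1492.60 TCP=7020
PPS=1565.20 TCP=7384
"""
SYN_LINES = """\
PPS=42.40 TCP-SYN=212
PPS=44.00 TCP-SYN=220
PPS=1380.00 TCP-SYN=6900
PPS=38.20 TCP-SYN=191
"""
BREAKDOWN_LINE = "TotalPackets=6482 ARP=10 IP=6466 ICMP=37 TCP=5858 UDP=570"

FIELD_RE = re.compile(r"([A-Za-z-]+)=([0-9.]+)")


def parse_tcpstat(text: str) -> List[Dict[str, float]]:
    """Turn each non-empty tcpstat output line into a {field: value} dict."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            rows.append({k: float(v) for k, v in FIELD_RE.findall(line)})
    return rows


def protocol_shares(line: str) -> Dict[str, float]:
    """Fraction of TotalPackets attributed to each protocol counter on the line."""
    row = parse_tcpstat(line)[0]
    total = row.pop("TotalPackets")
    return {proto: count / total for proto, count in row.items()}


def syn_ratios(total_text: str, syn_text: str) -> List[float]:
    """Per-interval SYN share, pairing the two runs by interval order.

    Assumes both tcpstat processes were started together with the same
    interval, so line i of each run describes the same time window.
    """
    totals = parse_tcpstat(total_text)
    syns = parse_tcpstat(syn_text)
    ratios = []
    for t, s in zip(totals, syns):
        ratios.append(s["TCP-SYN"] / t["TCP"] if t["TCP"] else 0.0)
    return ratios


def flag_syn_flood(ratios: List[float], factor: float = 5.0) -> List[int]:
    """Indexes of intervals whose SYN share is >= factor x the median share.

    The median is the baseline; factor is an assumption to tune per link.
    """
    baseline = median(ratios)
    return [i for i, r in enumerate(ratios) if r >= factor * baseline]


if __name__ == "__main__":
    ratios = syn_ratios(TOTAL_LINES, SYN_LINES)
    for i, r in enumerate(ratios):
        print(f"interval {i}: SYN share {r:.1%}")
    print("flagged intervals:", flag_syn_flood(ratios))
    print("protocol shares:", protocol_shares(BREAKDOWN_LINE))
```

The median only works as a baseline while most intervals in the window are quiet; during a sustained flood it drifts upward, so in practice take the baseline from a known-quiet period and keep it fixed.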

Enjoy ;]

TCPdstat Graphing & P0f 2 New Release

Just had some interesting reading on graphing network statistics using tcpdstat. I think visualization sometimes helps in traffic analysis. Check it out at

http://ilopez.com/?postid=166

By the way, for people who haven't noticed, p0f 2.0.8 is out; the tool has been rewritten and is better now, however one has to relearn p0f signature writing since it is completely different now. Check out all the interesting features here -

http://lcamtuf.coredump.cx/p0f/README


Cheers :]

Friday, September 08, 2006

! Computer

Having stuck with computers too much, I have come to realize I need sports. Apparently it is not healthy to sit in front of computers without experiencing other activities. Today I decided to go swimming, and yes, I've decided to do it maybe twice a week because it refreshes me, especially now that I'm kind of braindead. Sport helps, especially when you are stuck with computers too much.

By the way, I may buy a basketball as well; it's been a while since I played basketball and I need the sound - sop!

Let's kick ass without computing, cheers!!!!!

Thursday, September 07, 2006

OpenBSD 4.0 BPF

I read this in the OpenBSD Current (4.0) daily changelog .....

- Allow bpf(4) to ignore packets based on their direction.

I'm noting this down so that I will test it out when OpenBSD 4.0 is ready. Sounds like a useful feature for analysts.

Cheers :]

Friday, September 01, 2006

The Art Of Network Stegno Detection

Dealing with network covert channels, you will find them seriously hard to detect using purely signature-based detection methodologies; you will come to realize that when you can't fingerprint it, you'll have to characterize it. What I mean by characterize is "To be a distinctive trait or mark of; distinguish" (definition from thefreedictionary.com). To be even clearer about how it can be done, think behavioural and statistical analysis. I came to this conclusion when I had almost finished reading the papers at the link below -

http://www.gray-world.net/papers.shtml

I mostly agree that covert channel detection can only happen by luck when you are monitoring a large network. But in a small or medium network, you will have a higher chance of detecting covert channels if you implement the following -

- Tighten Network Access Control

- Client & Server Services Profiling

- Network Traffic Profiling

Most covert channels will try to act like normal legitimate traffic, or they will be more of a protocol-over-protocol tunnel. It doesn't break the protocol; however, it will introduce different behaviour in the protocol. The most obvious signs are long and continuous http traffic, odd sequence number usage and so forth. Keep in mind that the attributes of protocol fields may change, and the connection states as well.

Tightening network access control reduces network noise; we are not using network access control to block covert channels, as you can never block this type of stealthy connection that looks like a legitimate one.

Client service profiling defines what kind of services clients are allowed to use, such as http, https, pop3 and so on (outgoing). Server service profiling should be the services that are accessible to the world (incoming). Depending on your network environment, service profiling is a must for identifying covert channels, because a covert channel will mostly ride over the legitimate services (as I said, it bypasses network access control).

Network traffic profiling is the protocol breakdown and the usage of each protocol. This is mostly done using flow/session data collectors, which generate statistics of the network flows that allow you to identify the weird connections by protocol; this is the lead into the analysis of covert channels.

There's a little tool to demonstrate statistical covert channel detection called tcpstatflow, written by fryxar; you can download it here -

http://www.geocities.com/fryxar/

While I couldn't get it to compile on FreeBSD, I had luck with Ubuntu. Here's what I have done

geek00l@hell:~/Desktop/Covert-Tools$ cd tcpstatflow/
geek00l@hell:~/Desktop/Covert-Tools/tcpstatflow$ make
geek00l@hell:~/Desktop/Covert-Tools/tcpstatflow$ ls
datalink.c datalink.o flow.c flow.o main.c main.o Makefile README tcpflow.h tcpip.c tcpip.o tcpstatflow util.c util.o
geek00l@hell:~/Desktop/Covert-Tools/tcpstatflow$ ./tcpstatflow
./tcpstatflow[29633]: no suitable device found
geek00l@hell:~/Desktop/Covert-Tools/tcpstatflow$ ./tcpstatflow -h
./tcpstatflow version 1.1 by Fryxar (thanks Jeremy Elson!)

usage: ./tcpstatflow [-hpvD] [-d debug_level] [-f tcptimeout]
[-i iface] [-t statistics_time] [-x bytes_threshold]
[-y time_threshold] [-z packets_threshold] [expression]

-d: debug level; default is 1
-D: start as daemon (log to syslog)
-h: print this help message
-i: network interface to listen
(type "ifconfig -a" for a list of interfaces)
-f: TCP timeout in seconds; default is 7200
-p: don't use promiscuous mode
-v: verbose operation equivalent to -d 10
-t: statistics time; default is 3600, use 0 to disable
-x: cummulative bytes in both senses threshold to report an alarm; default is 50000
-y: duration (in seconds) threshold to report an alarm; default is 86400
-z: cummulative packets in both senses threshold to report an alarm; default is 1000000
expression: tcpdump-like filtering expression

Running my own simple but fast ssh SOCKS proxy channel (dynamic port forwarding)

geek00l@hell:~/Desktop/Covert-Tools/hcovert-0.5$ ssh -ND 5555 root@1.2.3.4 -p 2222

On the other hand, I also run corkscrew, which allows tunneling ssh through an http proxy that I have set up at 1.2.3.4 port 8080. You can install corkscrew using apt-get on Ubuntu and pkg_add on FreeBSD.

Now that I have the SOCKS proxy and ssh-over-http-proxy running, I also point my browser and other applications at the SOCKS proxy, and run scp through the http proxy.

Here's the result from tcpstatflow,

geek00l@hell:~/Desktop/Covert-Tools/tcpstatflow$ sudo ./tcpstatflow -i eth0
Password:
./tcpstatflow[29651]: listening on eth0
Potencial tunnel = 10.0.0.10:2302->1.2.3.4:2222: packets rx=1860 tx=1135, bytes rx=1808079 tx=50182, seconds=234
Stats= mallocs: 9, cleans: 8, reuses: 0, flows: 1, Packets: 4219 drops: 707 (16%)
Potencial tunnel = 10.0.0.10:2496->1.2.3.4:8080: packets rx=3425 tx=4741, bytes rx=50023 tx=5204157, seconds=228

That's pretty neat, but I'm running tcpstatflow in default mode; you can tweak the thresholds when it comes to detecting different kinds of covert channels. Note that the three default thresholds are cumulative over the life of a flow, so a slow, low-volume tunnel only trips the duration threshold after a full day; lower -y if you want earlier warning. While you may think that an icmp covert channel can bypass this tool, that is true, since it only handles tcp connections, but I believe an icmp covert channel can be restricted with your network access control (only allow icmp echo request and reply), and detection of icmp covert channels can easily be done via bytes transferred per flow once you have your flow collector in place.
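The following is an added example, not code from the original post or from tcpstatflow, showing how the service profiling and flow statistics described above combine into a few checks over flow records. The flow records are constructed (the first two mirror the tcpstatflow alarms above, the last two are made-up ordinary web fetches); the three thresholds are tcpstatflow's defaults as printed by its -h output, and the "alarm when any threshold is reached" rule is an assumption read off the output above, where both flagged flows exceed only the byte threshold. The allowed client port set and the long-lived-upload cut-offs are assumptions to tune against your own traffic profile.

```python
"""Added example: statistical checks over flow records for potential tunnels."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    pkts_rx: int
    pkts_tx: int
    bytes_rx: int
    bytes_tx: int
    seconds: int

    def key(self) -> str:
        return f"{self.src}:{self.sport}->{self.dst}:{self.dport}"


# Constructed flow records: the first two mirror the tcpstatflow alarms above,
# the last two are made-up ordinary web fetches.
FLOWS = [
    Flow("10.0.0.10", 2302, "1.2.3.4", 2222, 1860, 1135, 1808079, 50182, 234),
    Flow("10.0.0.10", 2496, "1.2.3.4", 8080, 3425, 4741, 50023, 5204157, 228),
    Flow("10.0.0.10", 2510, "192.0.2.5", 80, 40, 25, 30000, 2100, 3),
    Flow("10.0.0.10", 2530, "192.0.2.9", 443, 15, 12, 9000, 1500, 2),
]

# Client service profile (assumption): outbound services clients may use.
ALLOWED_CLIENT_PORTS = {80, 443, 110, 8080}

# tcpstatflow defaults as printed by its -h output (-x, -y, -z).
BYTES_THRESHOLD = 50000
TIME_THRESHOLD = 86400
PACKETS_THRESHOLD = 1000000


def service_profile_violation(f: Flow) -> bool:
    """Destination port is outside the client service profile."""
    return f.dport not in ALLOWED_CLIENT_PORTS


def threshold_alarm(f: Flow, x: int = BYTES_THRESHOLD, y: int = TIME_THRESHOLD,
                    z: int = PACKETS_THRESHOLD) -> bool:
    """Alarm when any cumulative threshold is reached.

    'Any' is an assumption read off the tcpstatflow output above: both
    flagged flows exceed only the byte threshold, not duration or packets.
    """
    return (f.bytes_rx + f.bytes_tx >= x or f.seconds >= y
            or f.pkts_rx + f.pkts_tx >= z)


def http_upload_anomaly(f: Flow, min_seconds: int = 60,
                        upload_ratio: float = 4.0) -> bool:
    """Long-lived web flow that mostly uploads: browsers normally download.

    Both cut-offs are assumptions to tune against your own traffic profile.
    """
    if f.dport not in (80, 8080) or f.seconds < min_seconds:
        return False
    return f.bytes_tx >= upload_ratio * max(f.bytes_rx, 1)


def classify(flows: List[Flow]) -> Dict[str, List[str]]:
    """Map each suspicious flow to the list of checks it tripped."""
    findings: Dict[str, List[str]] = {}
    for f in flows:
        reasons = []
        if service_profile_violation(f):
            reasons.append("service-profile")
        if threshold_alarm(f):
            reasons.append("threshold")
        if http_upload_anomaly(f):
            reasons.append("http-upload")
        if reasons:
            findings[f.key()] = reasons
    return findings


if __name__ == "__main__":
    for key, reasons in classify(FLOWS).items():
        print(f"Potential tunnel {key}: {', '.join(reasons)}")
```

The interesting point is that the scp-over-http-proxy flow is allowed by the service profile, so it only stands out through its statistics: a flow to a web port that lasts minutes and sends a hundred times more than it receives. That is the behavioural characterization the post argues for; the thresholds are a starting point, not a rule to trust as-is.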

You may check out one of the Sguil alliance, Victorj, using his mysql-fu to detect icmp tunnels via Sguil

http://www.inliniac.net/blog/?p=24

http://www.inliniac.net/blog/?p=27

I have mentioned that monitoring a large network can be a real headache for covert channel detection, but guess what? Try ourmon!

Now you know why NSM emphasizes statistical data as well!!!!!

Enjoy (:])