Thursday, November 18, 2010

The Problem Is with Gmail

In my last post I lamented a problem with Sendmail on FreeBSD. I was trying to troubleshoot a problem sending email from FreeBSD's periodic scripts to Gmail. I've determined that, as crazy as this sounds, Gmail is broken. (Some of you are probably not surprised. If you want to skip cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 drama and see cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 bottom line, scroll to cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 bottom of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 post.)

Let me start my case by showing network transcripts of one successful "periodic" email and one unsuccessful "periodic" email. I'm not going to change any email addresses in this post.

The following email is delivered successfully. Computer vm.taosecurity.com sits behind NAT so cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 public IP is 73.128.35.11. The entries prior to cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 SMTP transactions (e.g. 074.125.091.027.00025-073.128.035.011.57184: and similar) were added by Tcpflow, which I used to render cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 transcript manually.

074.125.091.027.00025-073.128.035.011.57184: 220 mx.google.com ESMTP my6si2476635qcb.101

073.128.035.011.57184-074.125.091.027.00025: EHLO vm.taosecurity.com

074.125.091.027.00025-073.128.035.011.57184: 250-mx.google.com at your service, [73.128.35.11]
250-SIZE 35651584
250-8BITMIME
250-ENHANCEDSTATUSCODES
250 PIPELINING

073.128.035.011.57184-074.125.091.027.00025: MAIL From: SIZE=917

074.125.091.027.00025-073.128.035.011.57184: 250 2.1.0 OK my6si2476635qcb.101

073.128.035.011.57184-074.125.091.027.00025: RCPT To:
DATA

074.125.091.027.00025-073.128.035.011.57184: 250 2.1.5 OK my6si2476635qcb.101
354 Go ahead my6si2476635qcb.101

073.128.035.011.57184-074.125.091.027.00025: Received: from vm.taosecurity.com (localhost [127.0.0.1])
.by vm.taosecurity.com (8.14.4/8.14.4) with ESMTP id oAJ66xa2021306
.for ; Fri, 19 Nov 2010 01:06:59 -0500 (EST)
.(envelope-from analyst@vm.taosecurity.com)
Received: (from root@localhost)
.by vm.taosecurity.com (8.14.4/8.14.4/Submit) id oAJ66xF4021296
.for root; Fri, 19 Nov 2010 01:06:59 -0500 (EST)
.(envelope-from analyst)
Date: Fri, 19 Nov 2010 01:06:59 -0500 (EST)
From: analyst
Message-Id: <201011190606.oAJ66xF4021296@vm.taosecurity.com>
To: root@vm.taosecurity.com
Subject: vm.taosecurity.com security run output

Checking setuid files and devices:

Checking for uids of 0:
root 0
toor 0

Checking for passwordless accounts:

Checking login.conf permissions:

vm.taosecurity.com login failures:

vm.taosecurity.com refused connections:

-- End of security output --

073.128.035.011.57184-074.125.091.027.00025: .

074.125.091.027.00025-073.128.035.011.57184: 250 2.0.0 OK 1290128829 my6si2476635qcb.101

073.128.035.011.57184-074.125.091.027.00025: QUIT

074.125.091.027.00025-073.128.035.011.57184: 221 2.0.0 closing connection my6si2476635qcb.101

The following email fails to be delivered. Computer r200b has cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 public IP address 73.128.35.11 as shown. Again cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 lines are prepended by Tcpflow headers.

074.125.091.027.00025-073.128.035.011.19228: 220 mx.google.com ESMTP f23si2500736qcq.34

073.128.035.011.19228-074.125.091.027.00025: EHLO r200b.taosecurity.com

074.125.091.027.00025-073.128.035.011.19228: 250-mx.google.com at your service, [73.128.35.11]
250-SIZE 35651584
250-8BITMIME
250-ENHANCEDSTATUSCODES
250 PIPELINING

073.128.035.011.19228-074.125.091.027.00025: MAIL From: SIZE=1658

074.125.091.027.00025-073.128.035.011.19228: 250 2.1.0 OK f23si2500736qcq.34

073.128.035.011.19228-074.125.091.027.00025: RCPT To:
DATA

074.125.091.027.00025-073.128.035.011.19228: 250 2.1.5 OK f23si2500736qcq.34
354 Go ahead f23si2500736qcq.34

073.128.035.011.19228-074.125.091.027.00025: Received: from r200b.taosecurity.com (localhost [127.0.0.1])
.by r200b.taosecurity.com (8.14.4/8.14.4) with ESMTP id oAJ17UwM063291
.for ; Thu, 18 Nov 2010 20:07:30 -0500 (EST)
.(envelope-from richard@r200b.taosecurity.com)
Received: (from root@localhost)
.by r200b.taosecurity.com (8.14.4/8.14.4/Submit) id oAJ17UKs063248
.for root; Thu, 18 Nov 2010 20:07:30 -0500 (EST)
.(envelope-from richard)
Date: Thu, 18 Nov 2010 20:07:30 -0500 (EST)
From: Richard Bejtlich
Message-Id: <201011190107.oAJ17UKs063248@r200b.taosecurity.com>
To: root@r200b.taosecurity.com
Subject: r200b.taosecurity.com security run output

Checking setuid files and devices:

Checking for uids of 0:

root 0
toor 0

Checking for passwordless accounts:

Checking login.conf permissions:

r200b.taosecurity.com kernel log messages:
+++ /tmp/security.QW4ZT9Yc.2010-11-18 20:07:29.000000000 -0500

+bge0: promiscuous mode enabled
+bge0: promiscuous mode disabled
+bge0: promiscuous mode enabled
+bge0: promiscuous mode disabled
+bge0: promiscuous mode enabled
+bge0: promiscuous mode disabled
+bge0: promiscuous mode enabled

r200b.taosecurity.com login failures:

Nov 17 07:51:58 r200b sshd[53170]: error: connect_to 73.128.35.11 port 80: failed.
Nov 17 07:52:02 r200b sshd[53170]: error: connect_to 73.128.35.11 port 80: failed.

r200b.taosecurity.com refused connections:

Checking for a current audit database:

Database created: Thu Nov 18 19:05:00 EST 2010

Checking for packages with security vulnerabilities:

0 problem(s) in your installed packages found.

-- End of security output --

073.128.035.011.19228-074.125.091.027.00025: .

074.125.091.027.00025-073.128.035.011.19228: 550-5.7.1 [73.128.35.11] The IP you're using to send mail is not authorized to
550-5.7.1 send email directly to our servers. Please use cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 SMTP relay at your
550-5.7.1 service provider instead. Learn more at
550 5.7.1 http://mail.google.com/support/bin/answer.py?answer=10336 f23si2500736qcq.34

073.128.035.011.19228-074.125.091.027.00025: QUIT

Darn. As you can see, Gmail claims "The IP you're using to send mail is not authorized to send email directly to our servers." Is that true? Didn't I just send email from cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 same IP address, as far as Gmail was concerned?

There is basically no difference between cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365se emails, ocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r than cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 contents of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 security reports in each. (Hint, hint.)

I can prove cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Gmail error message is bogus.

Let's start by showing both computers can send email to Gmail. If I don't send email using cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 periodic scripts, I can send email to Gmail from both systems successfully.

First, cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 message from host vm succeeds (and I saw it in my Inbox).

vm# mail -v -s "From vm" taosecurity@gmail.com
Test from vm.
.
EOT
taosecurity@gmail.com... Connecting to [127.0.0.1] via relay...
220 vm.taosecurity.com ESMTP Sendmail 8.14.4/8.14.4; Fri, 19 Nov 2010 01:31:20 -0500 (EST)
>>> EHLO vm.taosecurity.com
250-vm.taosecurity.com Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-DELIVERBY
250 HELP
>>> MAIL From: SIZE=58
250 2.1.0 ... Sender ok
>>> RCPT To:
>>> DATA
250 2.1.5 ... Recipient ok
354 Enter mail, end with "." on a line by itself
>>> .
250 2.0.0 oAJ6VKaj021400 Message accepted for delivery
taosecurity@gmail.com... Sent (oAJ6VKaj021400 Message accepted for delivery)
Closing connection to [127.0.0.1]
>>> QUIT
221 2.0.0 vm.taosecurity.com closing connection

vm# grep oAJ6VKaj021400 /var/log/maillog

Nov 19 01:31:20 vm sm-mta[21400]: oAJ6VKaj021400: from=,
size=393, class=0, nrcpts=1, msgid=<201011190631.oAJ6VKlp021399@vm.taosecurity.com>,
proto=ESMTP, daemon=Daemon0, relay=localhost [127.0.0.1]

Nov 19 01:31:20 vm sendmail[21399]: oAJ6VKlp021399: to=taosecurity@gmail.com, ctladdr=analyst
(1001/1001), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30058, relay=[127.0.0.1]
[127.0.0.1], dsn=2.0.0, stat=Sent (oAJ6VKaj021400 Message accepted for delivery)

Nov 19 01:31:21 vm sm-mta[21402]: oAJ6VKaj021400: to=,
ctladdr= (1001/1001), delay=00:00:01, xdelay=00:00:01,
mailer=esmtp, pri=30393, relay=gmail-smtp-in.l.google.com. [74.125.91.27], dsn=2.0.0, stat=Sent
(OK 1290130290 g35si2521350qcs.118)

Second, cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 message from r200b succeeds (and I saw it in my Inbox).

r200b:/root# mail -v -s "From r200b" taosecurity@gmail.com
Test from r200b.
.
EOT
taosecurity@gmail.com... Connecting to [127.0.0.1] via relay...
220 r200b.taosecurity.com ESMTP Sendmail 8.14.4/8.14.4; Thu, 18 Nov 2010 20:31:01 -0500 (EST)
>>> EHLO r200b.taosecurity.com
250-r200b.taosecurity.com Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-DELIVERBY
250 HELP
>>> MAIL From: SIZE=64
250 2.1.0 ... Sender ok
>>> RCPT To:
>>> DATA
250 2.1.5 ... Recipient ok
354 Enter mail, end with "." on a line by itself
>>> .
250 2.0.0 oAJ1V1Xx063384 Message accepted for delivery
taosecurity@gmail.com... Sent (oAJ1V1Xx063384 Message accepted for delivery)
Closing connection to [127.0.0.1]
>>> QUIT
221 2.0.0 r200b.taosecurity.com closing connection

r200b:/root# grep oAJ1V1Xx063384 /var/log/maillog

Nov 18 20:31:01 r200b sm-mta[63384]: oAJ1V1Xx063384: from=<
richard@r200b.taosecurity.com>, size=417, class=0, nrcpts=1, msgid=<
201011190131.oAJ1V1SP063383@r200b.taosecurity.com>, proto=ESMTP, daemon=Daemon0,
relay=localhost [127.0.0.1]

Nov 18 20:31:01 r200b sendmail[63383]: oAJ1V1SP063383: to=taosecurity@gmail.com, ctladdr=richard
(1001/1001), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30064, relay=[127.0.0.1]
[127.0.0.1], dsn=2.0.0, stat=Sent (oAJ1V1Xx063384 Message accepted for delivery)

Nov 18 20:31:02 r200b sm-mta[63386]: oAJ1V1Xx063384: to=,
ctladdr= (1001/1001), delay=00:00:01, xdelay=00:00:01,
mailer=esmtp, pri=30417, relay=gmail-smtp-in.l.google.com. [74.125.91.27], dsn=2.0.0, stat=Sent
(OK 1290130252 m5si2493978qcu.183)

As you can see, both computers, vm and r200b, can send email fine to Gmail.

Now this will blow your mind. What happens when I manually send an email with cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 content of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 periodic email that Gmail refused to accept from r200b?

Let's send it from vm, which so far has had no trouble talking to Gmail under any circumstances, whecá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r sending manual email or its own periodic output.

vm# mail -v -s "From vm, fake periodic output for blog" taosecurity@gmail.com
Checking setuid files and devices:

Checking for uids of 0:
root 0
toor 0

Checking for passwordless accounts:

Checking login.conf permissions:

r200b.taosecurity.com kernel log messages:
+++ /tmp/security.QW4ZT9Yc.2010-11-18 20:07:29.000000000 -0500
+bge0: promiscuous mode enabled
+bge0: promiscuous mode disabled
+bge0: promiscuous mode enabled
+bge0: promiscuous mode disabled
+bge0: promiscuous mode enabled
+bge0: promiscuous mode disabled
+bge0: promiscuous mode enabled

r200b.taosecurity.com login failures:
Nov 17 07:51:58 r200b sshd[53170]: error: connect_to 73.128.35.11 port 80: failed.
Nov 17 07:52:02 r200b sshd[53170]: error: connect_to 73.128.35.11 port 80: failed.

r200b.taosecurity.com refused connections:

Checking for a current audit database:

Database created: Thu Nov 18 19:05:00 EST 2010

Checking for packages with security vulnerabilities:

0 problem(s) in your installed packages found.

-- End of security output --
.
EOT
taosecurity@gmail.com... Connecting to [127.0.0.1] via relay...
220 vm.taosecurity.com ESMTP Sendmail 8.14.4/8.14.4; Fri, 19 Nov 2010 02:03:17 -0500 (EST)
>>> EHLO vm.taosecurity.com
250-vm.taosecurity.com Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-DELIVERBY
250 HELP
>>> MAIL From: SIZE=1026
250 2.1.0 ... Sender ok
>>> RCPT To:
>>> DATA
250 2.1.5 ... Recipient ok
354 Enter mail, end with "." on a line by itself
>>> .
250 2.0.0 oAJ73HIk021517 Message accepted for delivery
taosecurity@gmail.com... Sent (oAJ73HIk021517 Message accepted for delivery)
Closing connection to [127.0.0.1]
>>> QUIT
221 2.0.0 vm.taosecurity.com closing connection

vm# grep oAJ73HIk021517 /var/log/maillog

Nov 19 02:03:17 vm sm-mta[21517]: oAJ73HIk021517: from=,
size=1361, class=0, nrcpts=1, msgid=<201011190703.oAJ73G8n021516@vm.taosecurity.com>,
proto=ESMTP, daemon=Daemon0, relay=localhost [127.0.0.1]

Nov 19 02:03:17 vm sendmail[21516]: oAJ73G8n021516: to=taosecurity@gmail.com, ctladdr=analyst
(1001/1001), delay=00:00:01, xdelay=00:00:00, mailer=relay, pri=31026, relay=[127.0.0.1]
[127.0.0.1], dsn=2.0.0, stat=Sent (oAJ73HIk021517 Message accepted for delivery)

Nov 19 02:03:18 vm sm-mta[21519]: oAJ73HIk021517: to=,
ctladdr= (1001/1001), delay=00:00:01, xdelay=00:00:01,
mailer=esmtp, pri=31361, relay=gmail-smtp-in.l.google.com. [74.125.91.27], dsn=5.0.0,
stat=Service unavailable

Nov 19 02:03:18 vm sm-mta[21519]: oAJ73HIk021517: oAJ73IIk021519: DSN: Service unavailable

What's up with that, Gmail? If I sniff cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 traffic I can see Gmail refuse it again:

074.125.091.027.00025-073.128.035.011.58727: 220 mx.google.com ESMTP o12si2579217qcs.143

073.128.035.011.58727-074.125.091.027.00025: EHLO vm.taosecurity.com

074.125.091.027.00025-073.128.035.011.58727: 250-mx.google.com at your service, [73.128.35.11]
250-SIZE 35651584
250-8BITMIME
250-ENHANCEDSTATUSCODES
250 PIPELINING

073.128.035.011.58727-074.125.091.027.00025: MAIL From: SIZE=1361

073.128.035.011.58727-074.125.091.027.00025: MAIL From: SIZE=1361

074.125.091.027.00025-073.128.035.011.58727: 250 2.1.0 OK o12si2579217qcs.143

073.128.035.011.58727-074.125.091.027.00025: RCPT To:
DATA

074.125.091.027.00025-073.128.035.011.58727: 250 2.1.5 OK o12si2579217qcs.143
354 Go ahead o12si2579217qcs.143

073.128.035.011.58727-074.125.091.027.00025: Received: from vm.taosecurity.com (localhost [127.0.0.1])
.by vm.taosecurity.com (8.14.4/8.14.4) with ESMTP id oAJ73HIk021517
.for ; Fri, 19 Nov 2010 02:03:17 -0500 (EST)
.(envelope-from analyst@vm.taosecurity.com)
Received: (from root@localhost)
.by vm.taosecurity.com (8.14.4/8.14.4/Submit) id oAJ73G8n021516
.for taosecurity@gmail.com; Fri, 19 Nov 2010 02:03:16 -0500 (EST)
.(envelope-from analyst)
Date: Fri, 19 Nov 2010 02:03:16 -0500 (EST)
From: analyst
Message-Id: <201011190703.oAJ73G8n021516@vm.taosecurity.com>
To: taosecurity@gmail.com
Subject: From vm, fake periodic output for blog

Checking setuid files and devices:

Checking for uids of 0:
root 0
toor 0

Checking for passwordless accounts:

Checking login.conf permissions:

r200b.taosecurity.com kernel log messages:
+++ /tmp/security.QW4ZT9Yc.2010-11-18 20:07:29.000000000 -0500
+bge0: promiscuous mode enabled
+bge0: promiscuous mode disabled
+bge0: promiscuous mode enabled
+bge0: promiscuous mode disabled
+bge0: promiscuous mode enabled
+bge0: promiscuous mode disabled
+bge0: promiscuous mode enabled

r200b.taosecurity.com login failures:
Nov 17 07:51:58 r200b sshd[53170]: error: connect_to 73.128.35.11 port 80: failed.
Nov 17 07:52:02 r200b sshd[53170]: error: connect_to 73.128.35.11 port 80: failed.

r200b.taosecurity.com refused connections

Checking for a current audit database:

Database created: Thu Nov 18 19:05:00 EST 2010

Checking for packages with security vulnerabilities:

0 problem(s) in your installed packages found.

-- End of security output --

073.128.035.011.58727-074.125.091.027.00025: .

074.125.091.027.00025-073.128.035.011.58727: 550-5.7.1 [73.128.35.11] The IP you're using to send mail is not authorized to
550-5.7.1 send email directly to our servers. Please use cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 SMTP relay at your
550-5.7.1 service provider instead. Learn more at
550 5.7.1 http://mail.google.com/support/bin/answer.py?answer=10336 o12si2579217qcs.143

073.128.035.011.58727-074.125.091.027.00025: QUIT

The transcript ends with cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 bogus "The IP you're using to send mail is not authorized to send email directly to our servers." message. So what's cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 bottom line?

Gmail appears to be filtering email based on content, providing a bogus "The IP you're using to send mail is not authorized to send email directly to our servers." message.

Does anyone have anocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r explanation? I would love to hear it. Thank you.

Incidentally, I am considering workarounds that WOULD use my ISP's SMTP server and hopefully avoid this problem. Also, I don't expect to see this issue using cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Gmail Web interface. It must be a filter Gmail applies when users talk to cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365ir SMTP servers directly.

FreeBSD Sendmail Problem

Thanks for cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 help with my script issue recently. I was wondering if anyone has seen this problem with Sendmail? I aliased root to "taosecurity at gmail dot com" as shown below. (I used cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 real email address on cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 computer.) This is a fresh install of FreeBSD 8.1.

$ uname -a
FreeBSD vm.taosecurity.com 8.1-RELEASE FreeBSD 8.1-RELEASE #0: \
Mon Jul 19 02:55:53 UTC 2010 \
root@almeida.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386

vm# diff -u /etc/aliases /etc/aliases.orig
--- /etc/aliases 2010-11-18 10:30:37.000000000 -0500
+++ /etc/aliases.orig 2010-11-18 10:30:26.000000000 -0500
@@ -18,7 +18,6 @@
# root's email from here.

# root: me@my.domain
-root: taosecurity at gmail dot com

# Basic system aliases -- cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365se MUST be present
MAILER-DAEMON: postmaster
vm# newaliases
/etc/mail/aliases: 28 aliases, longest 21 bytes, 300 bytes total

My /etc/mail and /var/spool directories are pristine from cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 factory"

vm# ls -al /etc/mail
total 300
drwxr-xr-x 2 root wheel 512 Oct 31 11:28 .
drwxr-xr-x 20 root wheel 2048 Nov 18 10:30 ..
-rw-r--r-- 1 root wheel 6818 Jul 18 22:25 Makefile
-rw-r--r-- 1 root wheel 2905 Jul 18 22:25 README
-rw-r--r-- 1 root wheel 634 Jul 18 22:25 access.sample
-rw-r--r-- 1 root wheel 1695 Nov 18 10:30 aliases
-rw-r----- 1 root wheel 65536 Nov 18 10:30 aliases.db
-rw-r--r-- 1 root wheel 58276 Jul 18 22:25 freebsd.cf
-rw-r--r-- 1 root wheel 4118 Jul 18 22:25 freebsd.mc
-r--r--r-- 1 root wheel 40751 Jul 18 22:25 freebsd.submit.cf
-r--r--r-- 1 root wheel 901 Jul 18 22:25 freebsd.submit.mc
-r--r--r-- 1 root wheel 5657 Jul 18 22:25 helpfile
-rw-r--r-- 1 root wheel 409 Jul 18 22:25 mailer.conf
-rw-r--r-- 1 root wheel 253 Jul 18 22:25 mailertable.sample
-rw-r--r-- 1 root wheel 58276 Jul 18 22:25 sendmail.cf
-r--r--r-- 1 root wheel 40751 Jul 18 22:25 submit.cf
-rw-r--r-- 1 root wheel 582 Jul 18 22:25 virtusertable.sample

vm# ls -al /var/spool
total 16
drwxr-xr-x 8 root wheel 512 Jul 18 22:23 .
drwxr-xr-x 23 root wheel 512 Nov 12 11:45 ..
drwxrwx--- 2 smmsp smmsp 512 Nov 18 10:00 clientmqueue
drwxrwxr-x 2 uucp dialer 512 Nov 12 16:45 lock
drwxr-xr-x 2 root daemon 512 Jul 18 22:23 lpd
drwxr-xr-x 2 root daemon 512 Nov 18 10:31 mqueue
drwx------ 2 root daemon 512 Jul 18 22:23 opielocks
drwxr-xr-x 3 root daemon 512 Jul 18 22:23 output

I can send email when testing as root (email addr "obfuscated"):

vm# date | sendmail -v -Am postmaster
postmaster... aliased to root
root... aliased to taosecurity at gmail dot com
taosecurity at gmail dot com... Connecting to gmail-smtp-in.l.google.com. via esmtp...
220 mx.google.com ESMTP n10si1312258qcu.1
>>> EHLO vm.taosecurity.com
250-mx.google.com at your service, [98.218.35.11]
250-SIZE 35651584
250-8BITMIME
250-ENHANCEDSTATUSCODES
250 PIPELINING
>>> MAIL From: SIZE=29
250 2.1.0 OK n10si1312258qcu.1
>>> RCPT To:
>>> DATA
250 2.1.5 OK n10si1312258qcu.1
354 Go ahead n10si1312258qcu.1
>>> .
250 2.0.0 OK 1290094272 n10si1312258qcu.1
taosecurity at gmail dot com... Sent (OK 1290094272 n10si1312258qcu.1)
Closing connection to gmail-smtp-in.l.google.com.
>>> QUIT
221 2.0.0 closing connection n10si1312258qcu.1

That worked. However, I cannot send email as a user:

$ date | sendmail -v -Am postmaster
postmaster... aliased to root
root... aliased to taosecurity at gmail.com
collect: Cannot write ./dfoAIFVDIG019327 (bfcommit, uid=1001, gid=25): Permission denied
queueup: cannot create queue file ./qfoAIFVDIG019327, euid=1001, fd=-1, fp=0x0: Permission denied

Behavior is cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 same on FreeBSD 7.3 with a fresh install.

I did a ton of research and usually found references to incorrect permissions, etc. In fact, in this post I got cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 idea to check directories using mtree:

r200a# mtree -p /var -e -U -f /etc/mtree/BSD.var.dist
run changed
permissions expected 0755 found 0777 modified
r200a# mtree -p /var -e -U -f /etc/mtree/BSD.sendmail.dist
./var missing (created)
./var/spool missing (created)
./var/spool/clientmqueue missing (created)

Computer r200a was anocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r FreeBSD system where I tried to fix this problem. However, cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365se changes made no difference.

Any ideas? Thank you.

Update: The reason I investigated this activity was I found errors like this in /var/log/messages on anocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r FreeBSD system, r200b:

Nov 13 03:01:11 r200b sm-mta[40505]: oAD81AUR040505: Losing ./qfoAD81AUR040505: savemail panic
Nov 13 03:01:11 r200b sm-mta[40505]: oAD81AUR040505: SYSERR(root): savemail: cannot save rejected email anywhere

As you can see, whatever was trying to send email using sm-mta was failing.

Sunday, November 14, 2010

Thanks for Help with Startup Scripts

Thanks to @sevanjaniyan and @cperciva for helping with my FreeBSD startup script issue. By removing cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 ${barnyard2_flags} argument from cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 command_args section I was able to start barnyard2 properly:

root 45842 54.9 0.5 18572 11116 ?? Ss 7:15PM 0:00.00
/usr/local/bin/barnyard2 -D -U -d /nsm/r200a -f snort.unified2
-c /usr/local/etc/nsm/barnyard2.conf

In ocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r words, cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 script has this now:

. /etc/rc.subr

name="barnyard2"
load_rc_config $name
rcvar=`set_rcvar`
# set some defaults
: ${barnyard2_enable="NO"}
: ${barnyard2_conf="/usr/local/etc/barnyard2.conf"}
: ${barnyard2_flags="-D"}

command="/usr/local/bin/barnyard2"
command_args="-c ${barnyard2_conf}"

run_rc_command "$1"

I made changes to some ocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r startup scripts and needed to commit cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365m via Git. I did it this way.

richard@macmini:~/taosecurity_freebsd_sguil$ git status
# On branch master
# Changes to be committed:
# (use "git reset HEAD ..." to unstage)
#
# new file: pcap_agent
# new file: sancp_agent
# new file: sguild
# new file: snort_agent
#

richard@macmini:~/taosecurity_freebsd_sguil$ git add pcap_agent sancp_agent sguild snort_agent

richard@macmini:~/taosecurity_freebsd_sguil$ git commit -am "Added new startup scripts."
Created commit 296687e: Added new startup scripts.
4 files changed, 145 insertions(+), 0 deletions(-)
create mode 100755 pcap_agent
create mode 100755 sancp_agent
create mode 100755 sguild
create mode 100755 snort_agent

richard@macmini:~/taosecurity_freebsd_sguil$ git push origin master
taosecurity@taosecurity.git.sourceforge.net's password:
Counting objects: 7, done.
Compressing objects: 100% (6/6), done.
Writing objects: 100% (6/6), 1.89 KiB, done.
Total 6 (delta 3), reused 0 (delta 0)
To ssh://taosecurity@taosecurity.git.sourceforge.net/gitroot/taosecurity/taosecurity
9cad54a..296687e master -> master

Thanks again for your help!

Now I'm watching commits to https://github.com/firnsy/barnyard2 to see if Barnyard2 is updated to work with cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 new Snort event types that kills it.

Saturday, November 13, 2010

Calling FreeBSD Startup Script Experts

Has anyone encountered this situation? I've found several startup scripts on FreeBSD that result in duplicate arguments passed during startup. For example:

vm# uname -a
FreeBSD vm.taosecurity.com 7.3-RELEASE FreeBSD 7.3-RELEASE #0:
Sun Mar 21 06:15:01 UTC 2010
root@walker.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386

vm# pkg_info
sancp-1.6.1_3 A network connection profiler

vm# cat /etc/rc.conf

# -- sysinstall generated deltas -- # Fri Nov 12 16:36:42 2010
# Created: Fri Nov 12 16:36:42 2010
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 overrides from /etc/defaults/rc.conf.
defaultrouter="10.10.1.1"
hostname="vm.taosecurity.com"
ifconfig_em0="inet 10.10.1.13 netmask 255.255.255.0"
sshd_enable="YES"
sancp_enable="YES"
sancp_interface="em0"

vm# cat /usr/local/etc/rc.d/sancp
#!/bin/sh
#

# PROVIDE: sancp
# REQUIRE: DAEMON
# BEFORE: LOGIN
# KEYWORD: shutdown

# Add cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 following lines to /etc/rc.conf to enable sancp:
# sancp_enable (bool): Set to YES to enable sancp
# Default: NO
# sancp_flags (str): Extra flags passed to sancp
# Default: -D
# sancp_conf (str): Sancp configuration file
# Default: /usr/local/etc/sancp.conf
# sancp_interface (str): Default: none - MUST BE SET
#
...edited, all comments...

. /etc/rc.subr

name="sancp"
rcvar=`set_rcvar`

command="/usr/local/bin/sancp"

start_precmd=start_precmd

start_precmd()
{
if [ -z "${sancp_interface}" ]; cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365n
err 1 "sancp_interface must set."
fi
}

# set some defaults
load_rc_config $name

: ${sancp_enable="NO"}
: ${sancp_flags="-D"}
: ${sancp_conf="/usr/local/etc/sancp.conf"}
: ${sancp_interface=""}

command_args="${sancp_flags} -c ${sancp_conf} -i ${sancp_interface}"

run_rc_command "$1"

Now look what happens when I start sancp:

vm# /usr/local/etc/rc.d/sancp start
Starting sancp.
(4287) sancp daemonized successfully!

vm# ps -auxww | grep sancp
root 4287 0.0 0.9 4420 2264 ?? Ss 9:53PM 0:00.00
/usr/local/bin/sancp -D -D -c /usr/local/etc/sancp.conf -i em0

That's right, TWO instances of "-D".

I think it has something to do with this, extracted from sh -x output when starting cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 script anocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r time:


+ _rc_conf_loaded=true
+ [ -f /etc/rc.conf.d/sancp ]
+ : YES
+ : -D
+ : /usr/local/etc/sancp.conf
+ : em0
+ command_args=-D -c /usr/local/etc/sancp.conf -i em0
+ run_rc_command start
+ _return=0
+ rc_arg=start
+ [ -z sancp ]
+ shift 1
+ rc_extra_args=
+ _rc_prefix=
+ eval _override_command=$sancp_program
+ _override_command=
+ command=/usr/local/bin/sancp
+ _keywords=start stop restart rcvar
+ rc_pid=
+ _pidcmd=
+ _procname=/usr/local/bin/sancp
+ [ -n /usr/local/bin/sancp ]
+ [ -n ]
+ _pidcmd=rc_pid=$(check_process /usr/local/bin/sancp )
+ [ -n rc_pid=$(check_process /usr/local/bin/sancp ) ]
+ _keywords=start stop restart rcvar status poll
+ [ -z start ]
+ [ -n ]
+ eval rc_flags=$sancp_flags
+ rc_flags=-D
...edited...
+ echo Starting sancp.
Starting sancp.
+ [ -n ]
+ _doit=/usr/local/bin/sancp -D -D -c /usr/local/etc/sancp.conf -i em0
+ [ -n ]
+ [ -n ]
+ _run_rc_doit /usr/local/bin/sancp -D -D -c /usr/local/etc/sancp.conf -i em0
+ debug run_rc_command: doit: /usr/local/bin/sancp -D -D -c /usr/local/etc/sancp.conf -i em0
+ eval /usr/local/bin/sancp -D -D -c /usr/local/etc/sancp.conf -i em0
+ /usr/local/bin/sancp -D -D -c /usr/local/etc/sancp.conf -i em0
(4075) sancp daemonized successfully!

That "rc_flags=-D" looks suspicious to me.

So what, two instances of -D, you might think. The problem is with more complicated scripts I'm seeing lots of command line arguments duplicated. It's not "clean" and I want to know what this is happening.

Incidentally, I get similar behavior on FreeBSD 8.1. I tried 7.3 here to see if cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365re was a difference.

Any ideas? I've been looking at /etc/rc.subr to see if I can figure out how _run_rc_doit gets built.

For reference, cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 /usr/local/etc/sancp.conf file is stock:

vm# grep -v ^# /usr/local/etc/sancp.conf

# snort pcap filter format # description
var ip 8 # ecá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r proto 0x0800 # ip traffic
var arp 1544 # ecá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r proto 0x0806 # arp traffic
var loopback 144 # ecá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r proto 0x9000 # Loopback: used to test ecá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365rnet interfaces
var 802.3 1024 # ecá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r proto 0x0004 # IEEE 802.3 traffic

var pixfw1 10.10.10.1
var pixfw2 10.10.10.2
var webserver1 10.10.11.24
var webserver2 10.10.11.25
var webserver3 10.10.11.26
var dnsserver1 10.10.11.27
var dnsserver2 10.10.11.28
var mailserver1 10.10.11.29
var mailserver2 10.10.11.30
var proxyserver 10.10.11.30
var ntpserver 210.121.2.64

var icmp 1
var tcp 6
var udp 17

var http 80
var https 443
var ssh 22
var telnet 23
var irc_ports 6665-6667
var dns 53
var highports 1024-65535

known_ports tcp http,https,ssh,telnet,irc_ports,dns
known_ports udp dns

default realtime=log

default stats=log

default pcap=log

default limit=0

default timeout=120

default tcplag=0 # after a tcp connection would normally be considered closed

default rid=0

default status=0

default node=2

default strip-80211=enable

ip any any icmp any any, realtime=pass, pcap=pass, status=1, rid=23, timeout=1500 # test rule

arp any any any any any, ignore # ignore arp traffic
loopback any any any any any, ignore # ignore local ecá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365rnet loopback test packets
802.3 any any any any any, ignore # ignore IEEE 802.3 traffic on cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 switch

ip pixfw1 pixfw2 105 0 0, pcap pass, realtime=pass, status=100, rid=1 #2003-12-14 18:21:53

ip pixfw1 ntpserver 17 123 123, realtime=pass, status=200, rid=2 #2003-12-14 18:21:53
ip pixfw2 ntpserver 17 123 123, realtime=pass, status=200, rid=3 #2003-12-14 18:21:53

ip pixfw2 any tcp highports 80, realtime=pass, status=201, rid=4 #2003-12-14 18:21:53
ip pixfw2 any udp highports 443, realtime=pass, status=202, rid=6 #2003-12-14 18:21:53
ip pixfw2 any udp highports 53, realtime=pass, status=203, rid=5 #2003-12-14 18:21:53

ip proxyserver any tcp highports any, realtime=pass, status=299, rid=8 #2003-12-14 18:21:53

ip any webserver1 6 any 80, realtime=pass, status=301, rid=9 #2003-12-14 19:19:27
ip any webserver1 6 any 443, realtime=pass, status=302, rid=10 #2003-12-14 19:19:27

ip any webserver2 6 any 80, realtime=pass, status=301, rid=11 #2003-12-14 19:19:27
ip any webserver2 6 any 443, realtime=pass, status=302, rid=12 #2003-12-14 19:19:27

ip any webserver3 6 any 80, realtime=pass, status=301, rid=13 #2003-12-14 19:19:27
ip any webserver3 6 any 443, realtime=pass, status=302, rid=14 #2003-12-14 19:19:27

ip any dnsserver1 17 any 53, realtime=pass, status=303, rid=15 #2003-12-14 19:19:27
ip any dnsserver2 17 any 53, realtime=pass, status=303, rid=16 #2003-12-14 19:19:27

ip any mailserver1 6 any 25, realtime=pass, status=304, rid=17 #2003-12-14 19:19:27
ip mailserver1 any 6 any 25, realtime=pass, status=204, rid=18 #2003-12-14 19:19:27

ip any mailserver2 6 any 25, realtime=pass, status=304, rid=19 #2003-12-14 19:19:27
ip mailserver2 any 6 any 25, realtime=pass, status=204, rid=20 #2003-12-14 19:19:27


Wednesday, November 10, 2010

Two New Tools in Snort

No sooner do I get Snort 2.9.0.1 running than something breaks. However, thanks to Niels Horn I know a little more about two new tools included with Snort.

First is u2spewfoo, which reads Unified2 output files and outputs cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365m as text.

[sguil@r200a /nsm/r200a]$ u2spewfoo snort.unified2.1289360307 | head -20

(Event)
sensor id: 0 event id: 1 event second: 1289360859 event microsecond: 881345
sig id: 2011032 gen id: 1 revision: 4 classification: 3
priority: 2 ip source: 192.168.2.107 ip destination: 172.16.2.1
src port: 44597 dest port: 3128 protocol: 6 impact_flag: 0 blocked: 0

Packet
sensor id: 0 event id: 1 event second: 1289360859
packet second: 1289360859 packet microsecond: 881345
linktype: 1 packet_length: 1168
00 15 17 0B | 7D 4C 00 13 | 10 65 2F AC | 08 00 45 00
04 82 C2 E3 | 40 00 3F 06 | 03 6E C0 A8 | 02 6B AC 10
02 01 AE 35 | 0C 38 73 6F | 02 7F 12 37 | D9 A8 80 18
03 EA 6D 85 | 00 00 01 01 | 08 0A 01 2A | 34 44 75 11
33 8C 41 46 | 69 72 73 74 | 25 32 43 25 | 32 30 49 25
32 30 74 65 | 73 74 65 64 | 25 32 30 6D | 79 25 32 30
6F 6C 64 25 | 32 30 73 63 | 72 69 70 74 | 73 25 32 30
6F 6E 25 32 | 30 46 72 65 | 65 42 53 44 | 25 32 30 37
2E 78 25 32 | 43 25 32 30 | 61 6E 64 25 | 32 30 6E 6F

I guess that's good for troubleshooting. It feels a little like 1999!

The second tool is u2boat, which transforms cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 pcap data in a Unified2 output file into a normal pcap file.

[sguil@r200a /nsm/r200a]$ u2boat snort.unified2.1289360307
Usage: u2boat [-t type]
[sguil@r200a /nsm/r200a]$ u2boat snort.unified2.1289360307 snort.unified2.1289360307.pcap
Defaulting to pcap output.
[sguil@r200a /nsm/r200a]$ file snort.unified2.1289360307.pcap
snort.unified2.1289360307.pcap: tcpdump capture file (little-endian)
- version 2.4 (Ecá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365rnet, capture length 65535)
[sguil@r200a /nsm/r200a]$ tcpdump -n -r snort.unified2.1289360307.pcap
reading from file snort.unified2.1289360307.pcap, link-type EN10MB (Ecá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365rnet)
22:47:39.881345 IP 192.168.2.107.44597 > 172.16.2.1.3128: Flags [P.],
ack 305650088, win 1002, options [nop,nop,TS val 19543108 ecr 1964061580], length 1102

So those are great, but fortunately unless I fix Barnyard2 or a fix is committed, Barnyard2 is going to die when it encounters record types from Snort that Barnyard2 doesn't recognize, e.g.:

r200a# barnyard2 -U -d /nsm/r200a -f snort.unified2 -c /usr/local/etc/nsm/barnyard2.conf
Running in Continuous mode

--== Initializing Barnyard2 ==--
Initializing Input Plugins!
Initializing Output Plugins!
Parsing config file "/usr/local/etc/nsm/barnyard2.conf"
Log directory = /var/log/barnyard2
sguil: sensor name = r200a
sguil: agent port = 7735
sguil: Connected to localhost on 7735.

--== Initialization Complete ==--

______ -*> Barnyard2 <*-
/ ,,_ \ Version 2.1.8 (Build 251)
|o" )~| By cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 SecurixLive.com Team: http://www.securixlive.com/about.php
+ '''' + (C) Copyright 2008-2010 SecurixLive.

Snort by Martin Roesch & The Snort Team: http://www.snort.org/team.html
(C) Copyright 1998-2007 Sourcefire Inc., et al.

Using waldo file '/nsm/r200a/waldo':
spool directory = /nsm/r200a
spool filebase = snort.unified2
time_stamp = 1289360307
record_idx = 4
Opened spool file '/nsm/r200a/snort.unified2.1289360307'
ERROR: Unknown record type read: 110
Fatal Error, Quitting..

The good news is cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 alerts will continue to be logged to disk, and can be processed once Barnyard2 can read cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365m.

Tuesday, November 09, 2010

Using Git with FreeBSD Sguil Scripts

Before today I never committed anything using Git. Previously I used CVS, but never got around to trying something more modern like SVN. However, I know several developers at work use Git, so I figured I would try committing my FreeBSD Sguil scripts (lame as cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y are) to Git at Sourceforge. This would allow me to keep track of changes and get cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 code out of my own repository for sharing and safekeeping.

I started by cleaning up cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 directory where I kept cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 scripts.

After following cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 instructions to enable Git, I took cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365se actions.


richard@macmini:~/taosecurity_freebsd_sguil$ git init
Initialized empty Git repository in /home/richard/taosecurity_freebsd_sguil/.git/

richard@macmini:~/taosecurity_freebsd_sguil$ git config user.name "Richard Bejtlich"

richard@macmini:~/taosecurity_freebsd_sguil$ git config user.email \
"taosecurity@users.sourceforge.net"

richard@macmini:~/taosecurity_freebsd_sguil$ git remote add origin \
ssh://taosecurity@taosecurity.git.sourceforge.net/gitroot/taosecurity/taosecurity

richard@macmini:~/taosecurity_freebsd_sguil$ git config branch.master.remote origin

richard@macmini:~/taosecurity_freebsd_sguil$ git config branch.master.merge refs/head/master

richard@macmini:~/taosecurity_freebsd_sguil$ git push origin master

taosecurity@taosecurity.git.sourceforge.net's password:
error: src refspec master does not match any.
fatal: The remote end hung up unexpectedly
error: failed to push some refs to 'ssh://taosecurity@taosecurity.git.sourceforge.net/gitroot \
/taosecurity/taosecurity'

That was unfortunate. I didn't see that error in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Sourceforge guide, but after checking here I found that trying to add all cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 files might be cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 right step.


richard@macmini:~/taosecurity_freebsd_sguil$ git add *

richard@macmini:~/taosecurity_freebsd_sguil$ git commit -am "Message"

Created initial commit bd18669: Message
28 files changed, 1400 insertions(+), 0 deletions(-)
create mode 100755 README
create mode 100644 SguildLoaderd.tcl.patch
create mode 100644 SguildMysqlMerge.tcl.patch
create mode 100755 barnyard2
create mode 100644 barnyard2.conf
create mode 100644 barnyard2.conf.patch
create mode 100644 log_packets.sh.crontab
create mode 100644 log_packets.sh.patch
create mode 100644 pcap_agent.conf.patch
create mode 100755 prep_platform.sh
create mode 100644 rc-adds.txt
create mode 100755 rc-conf.sh
create mode 100755 sancp
create mode 100644 sancp.conf.patch
create mode 100644 sancp_agent.conf.patch
create mode 100644 sensor_agent.conf.patch
create mode 100755 sguil_database_install_pt1.sh
create mode 100755 sguil_database_install_pt2.sh
create mode 100755 sguil_sensor_install.sh
create mode 100755 sguil_sensor_install_patch.sh
create mode 100644 sguil_sensor_users.txt
create mode 100755 sguil_server_install.sh
create mode 100644 sguild.conf.patch
create mode 100755 sguild_adduser.sh
create mode 100755 snort
create mode 100644 snort.conf.patch
create mode 100644 snort_agent.conf.patch
create mode 100755 snort_src_install.sh

richard@macmini:~/taosecurity_freebsd_sguil$ git push origin master
taosecurity@taosecurity.git.sourceforge.net's password:

Counting objects: 30, done.
Compressing objects: 100% (29/29), done.
Writing objects: 100% (30/30), 17.31 KiB, done.
Total 30 (delta 4), reused 0 (delta 0)
To ssh://taosecurity@taosecurity.git.sourceforge.net/gitroot/taosecurity/taosecurity
* [new branch] master -> master

That did it. I found that if I didn't make a change but tried to note one, nothing happened (as expected).


richard@macmini:~/taosecurity_freebsd_sguil$ git commit -am "Commit scripts using Git"
# On branch master
nothing to commit (working directory clean)

richard@macmini:~/taosecurity_freebsd_sguil$ git push origin
mastertaosecurity@taosecurity.git.sourceforge.net's password:
Everything up-to-date

Next I made some fixes and committed those.

richard@macmini:~/taosecurity_freebsd_sguil$ vi README
richard@macmini:~/taosecurity_freebsd_sguil$ git commit -am "Modify README to reflect changing ExtNet."
Created commit 2ef21f3: Modify README to reflect changing ExtNet.
1 files changed, 3 insertions(+), 1 deletions(-)

richard@macmini:~/taosecurity_freebsd_sguil$ git push origin mastertaosecurity@taosecurity.git.sourceforge.net's password:
Counting objects: 5, done.
Compressing objects: 100% (3/3), done.
Writing objects: 100% (3/3), 413 bytes, done.
Total 3 (delta 2), reused 0 (delta 0)
To ssh://taosecurity@taosecurity.git.sourceforge.net/gitroot/taosecurity/taosecurity
bd18669..2ef21f3 master -> master

Checking out files is pretty easy, assuming Git is installed.

richard@neely:~$ mkdir gittest

richard@neely:~$ cd gittest

richard@neely:~/gittest$ git clone git://taosecurity.git.sourceforge.net/gitroot/taosecurity/taosecurity

Initialized empty Git repository in /home/richard/gittest/taosecurity/.git/
remote: Counting objects: 30, done.
remote: Compressing objects: 100% (29/29), done.
remote: Total 30 (delta 4), reused 0 (delta 0)
Receiving objects: 100% (30/30), 17.25 KiB, done.
Resolving deltas: 100% (4/4), done.

richard@neely:~/gittest$ cd taosecurity

richard@neely:~/gittest/taosecurity$ ls

barnyard2 sguild_adduser.sh
barnyard2.conf sguil_database_install_pt1.sh
barnyard2.conf.patch sguil_database_install_pt2.sh
log_packets.sh.crontab sguild.conf.patch
log_packets.sh.patch SguildLoaderd.tcl.patch
pcap_agent.conf.patch SguildMysqlMerge.tcl.patch
prep_platform.sh sguil_sensor_install_patch.sh
rc-adds.txt sguil_sensor_install.sh
rc-conf.sh sguil_sensor_users.txt
README sguil_server_install.sh
sancp snort
sancp_agent.conf.patch snort_agent.conf.patch
sancp.conf.patch snort.conf.patch
sensor_agent.conf.patch snort_src_install.sh

So, now my scripts are available for me to add changes and for anyone who might be interested to retrieve cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365m.

Updates to Sguil on FreeBSD Scripts

Early last year I posted Notes on Installing Sguil Using FreeBSD 7.1 Packages where I examined using cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 various FreeBSD ports for Sguil. In that post I showed that a lot of work was required to deploy Sguil, even if you used cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 ports or packages. Previously I've written about a set of scripts I maintain for deploying Sguil platforms in my lab. I decided to take a look at those scripts and update cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365m for a modern environment, since a lot has happened in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 almost two years since I last used cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 scripts.

First, I tested my old scripts on FreeBSD 7.x, and now 8.x is common. Second, Snort 2.9.0.1 is available, and with it cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 new DAQ mechanism for accessing network traffic. Third, Barnyard has been deprecated in favor of Barnyard2, thanks to cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 guys at cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 NSMNow project. There have been a lot of changes with rules and ocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r areas. I also wanted to try running a 64 bit environment on a Dell R200 as my primary lab sensor. Finally, I decided to switch from using CVS at Sourceforge to Git at Sourceforge. I'll explain that in a separate post.

The end result of my work is available now at http://taosecurity.git.sourceforge.net. Please remember that cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365se scripts are basically a way for me to document how I installed certain versions of various NSM applications on a specific FreeBSD platform. There's no error checking, and no support available. Basically, if you want to see how I deploy all of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 non-client parts of Sguil on FreeBSD 8.1, feel free to check out cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 scripts.

One aspect of this that might be helpful is that by reading cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 scripts you can follow how to go from a basic FreeBSD installation to a completely functioning, all-in-one (minus cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 client) Sguil platform.