Showing posts with label sguil. Show all posts

Monday, December 29, 2008

NSM-Friendly VMWare Lab Setup

I'm working on labs for my all-new TCP/IP Weapons School 2.0 class (early registration ends Wednesday). Almost the whole class is labs; I'll have between 10 and 12 scenarios for students to investigate.

As you might imagine, network traffic will play a key role. I wanted to set up a VM running Ubuntu that could watch traffic involving other VMs. (Why not FreeBSD? Ubuntu is easier for students to use, and NSMnow makes it easy to get Sguil running. FreeBSD has also never seemed to run well in VMs due to some weird timing issues that have never been resolved.)

The problem, as I noted in Using VMware for Network Security Monitoring last year, is that modern versions of VMware Server (I run 1.0.8 now) act as switches and not hubs. That means each VM is connected to a virtual switch that only delivers frames addressed to that VM (plus broadcasts and multicasts), so every VM is effectively sheltered from the other VMs' traffic. This is good for performance but bad for my monitoring needs.

Monitoring on the VMware server itself is not an option. Although the server can see the traffic, I want to distribute to the students a VM that has been running and capturing the traffic using Sguil and other tools as necessary.

Incidentally, here are two options for sniffing on the VMware server itself, for reference. VMware mentions its vmnet-sniffer, a console-output application with basically no features, intended only for troubleshooting:

richard@neely:~$ sudo vmnet-sniffer -e /dev/vmnet1

len 98 src 00:0c:29:7f:d6:a1 dst 00:0c:29:0a:0f:c1 IP src 10.1.1.3
dst 10.1.1.4 ICMP ping request - len=64 type=8
00:0c:29:7f:d6:a1 08 00 88 e6 c0 17 00 01 ae 85 59 49 b5 2e 07 00 08
09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f
20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 34 35 36
37

len 98 src 00:0c:29:0a:0f:c1 dst 00:0c:29:7f:d6:a1 IP src 10.1.1.4
dst 10.1.1.3 ICMP ping reply

You could just as easily run Tcpdump or any other sniffer of your choice:

richard@neely:~$ sudo tcpdump -n -i vmnet1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vmnet1, link-type EN10MB (Ethernet), capture size 96 bytes
20:41:51.272555 IP 10.1.1.3 > 10.1.1.4: ICMP echo request, id 49175, seq 1, length 64
20:41:51.273469 IP 10.1.1.4 > 10.1.1.3: ICMP echo reply, id 49175, seq 1, length 64

One note: vmnet-sniffer can watch /dev/vmnet0 even though vmnet0 is not listed by ifconfig. vmnet0 is the bridged network, so with Tcpdump you simply watch the physical interface it is bridged to (e.g., eth0) directly.

What to do? I decided that I could deploy the NSM sensor VM as a gateway, and put any hosts which I want to monitor as legs on that gateway. Consider this three-host scenario:

  1. NSM sensor VM / gateway with 1) eth0 as 172.16.99.3, default gateway 172.16.99.2, the VMware NAT /dev/vmnet8 gateway; 2) eth1 as 192.168.230.3, on an arbitrary subnet; and 3) eth2 as 10.1.1.3, on another arbitrary subnet

  2. Windows victim with interface 192.168.230.4, default gateway 192.168.230.3

  3. Linux attacker with interface 10.1.1.4, default gateway 10.1.1.3


I configured the NSM sensor to be a gateway, and told it to NAT connections outbound to the VMware server NAT interface:

root@tws-u804:~# echo "1" > /proc/sys/net/ipv4/ip_forward
root@tws-u804:~# iptables -t nat -A POSTROUTING -s 192.168.230.0/24 -o eth0 -j MASQUERADE
root@tws-u804:~# iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -o eth0 -j MASQUERADE

Why this "second" level of NAT via MASQUERADE? It turns out that if you send traffic from, say, 10.1.1.4 through a gateway that doesn't NAT, when that gateway forwards the traffic with source IP 10.1.1.4 to the NAT interface on the VMware server, the VMware server doesn't know how to handle the replies. I saw the traffic exit properly (i.e., it was NATed out), but when the reply arrived the VMware server didn't know how to return it to 10.1.1.4: the VMware NAT service only knows its own 172.16.99.0/24 subnet and has no route for 10.1.1.0/24 back through 172.16.99.3. With this "second" NAT on the NSM sensor / gateway, the VMware server sees the gateway's own address as the source of all traffic, so the hosts can reach the Internet.

With this setup I can now monitor traffic from 10.1.1.4 to 192.168.230.4, because the traffic is routed through the NSM sensor / gateway. Two practical notes: the echo into /proc/sys/net/ipv4/ip_forward does not survive a reboot (set net.ipv4.ip_forward = 1 in /etc/sysctl.conf as well), and the sensor should sniff eth1 and eth2 rather than eth0, because on eth0 the inside addresses have already been rewritten by MASQUERADE.
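The gateway configuration above, collected into a script, as an added example that is not part of the original post. It does what the three commands do but is safe to re-run (each rule is only added if an identical one is not already present, which assumes an iptables new enough to support -C), restricts forwarding to the monitored legs, and has a dry-run mode that prints the commands instead of executing them. The interface name and subnets default to the ones in the post and can be overridden through the environment.

```shell
#!/bin/sh
# Added example, not from the original post: make the NSM sensor VM the NAT
# gateway for its monitored legs, idempotently and with a dry-run mode.
# Assumptions (not stated on the page): OUT_IF/INSIDE_NETS default to the
# post's values; iptables supports -C (1.4.11+); run as root unless DRY_RUN=1.

OUT_IF="${OUT_IF:-eth0}"
INSIDE_NETS="${INSIDE_NETS:-192.168.230.0/24 10.1.1.0/24}"
DRY_RUN="${DRY_RUN:-0}"

# Print the command instead of running it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Enable forwarding now. Like the echo into /proc this is not persistent;
# also put net.ipv4.ip_forward = 1 in /etc/sysctl.conf.
enable_forwarding() {
    run sysctl -w net.ipv4.ip_forward=1
}

# Append a rule to table/chain unless an identical rule already exists, so
# re-running the script does not stack duplicates.
add_rule() {
    table="$1"; chain="$2"; shift 2
    if [ "$DRY_RUN" != "1" ] && iptables -t "$table" -C "$chain" "$@" 2>/dev/null; then
        return 0
    fi
    run iptables -t "$table" -A "$chain" "$@"
}

setup_gateway() {
    enable_forwarding
    for net in $INSIDE_NETS; do
        # The "second" NAT the post describes, one rule per monitored leg.
        add_rule nat POSTROUTING -s "$net" -o "$OUT_IF" -j MASQUERADE
        # Only route for the legs we are watching.
        add_rule filter FORWARD -s "$net" -j ACCEPT
    done
    add_rule filter FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -P FORWARD DROP
}

# Usage: DRY_RUN=1 sh nsm-gateway.sh apply   (print the commands)
#        sudo sh nsm-gateway.sh apply         (apply them)
# Then sniff the inside legs (tcpdump -n -i eth1, tcpdump -n -i eth2), not
# eth0, where the inside addresses have already been rewritten by MASQUERADE.
if [ "${1:-}" = "apply" ]; then
    setup_gateway
fi
```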

This seems kludgy, and I wish there were a way to just configure VMware Server to act like a hub and have all hosts see all traffic. If anyone knows how to do that, please let me know.


Richard Bejtlich is teaching new classes in DC and Europe in 2009. Register by 1 Jan and 1 Feb, respectively, for cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 best rates.

Thursday, December 04, 2008

BPF for IP or VLAN Traffic

Four years ago I did a second post on Understanding Tcpdump's -d Option, showing how you can use the -d option to understand how Berkeley Packet Filter syntax works.

Recently my colleagues and I encountered a problem where we were monitoring traffic on a tap, but the traffic was a mix of frames with and without 802.1Q VLAN tags. We wanted to create a BPF that would catch IP traffic whether or not it carried a VLAN tag. It turns out there is a difference between these two BPFs:

ip or vlan

is not cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 same as

vlan or ip

The first accomplishes our goal, but the second does not. The reason is a documented libpcap rule: the first vlan keyword in an expression shifts the decoding offsets for everything after it by the 4-byte size of the 802.1Q tag, on the assumption that the rest of the expression is being tested against a tagged frame.

To understand why, I used Tcpdump's -d option.

$ tcpdump -d -n -r sample.pcap ip or vlan
reading from file sample.pcap, link-type EN10MB (Ethernet)
(000) ldh [12]
(001) jeq #0x800 jt 3 jf 2
(002) jeq #0x8100 jt 3 jf 4
(003) ret #65535
(004) ret #0

That looks right. Load the half word at offset 12. If it's the IP Ethertype, you get the whole packet. If it's not IP, go to the next instruction. If it's an 802.1Q VLAN tag, again you get the whole packet. Otherwise, return nothing.

This is the other option.

$ tcpdump -d -n -r sample.pcap vlan or ip
reading from file sample.pcap, link-type EN10MB (Ethernet)
(000) ldh [12]
(001) jeq #0x8100 jt 4 jf 2
(002) ldh [16]
(003) jeq #0x800 jt 4 jf 5
(004) ret #65535
(005) ret #0

That doesn't work. Load the half word at offset 12. If it's an 802.1Q VLAN tag, you get the whole packet. If it's not an 802.1Q VLAN tag, load the half word at offset 16, which is where the Ethertype would sit if the frame were tagged. If that half word is an IP Ethertype you get the whole packet; otherwise, return nothing. On an untagged IP frame, though, offset 16 is the total-length field of the IPv4 header, not an Ethertype, so the test fails (barring the coincidence of a datagram exactly 2048 bytes, 0x0800, long) and every untagged IP packet is dropped.
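To make the difference concrete, here is an added example that is not part of the original post: a tiny interpreter for just the three BPF instructions the two listings above use (ldh, jeq, ret), run over constructed Ethernet frames. The frames, MAC addresses, and VLAN ID are made up; the two programs are transcribed from the tcpdump -d output. It also includes the coincidence case, an untagged IPv4 datagram whose total length is exactly 0x0800, which "vlan or ip" accepts for the wrong reason.

```python
"""Added example, not part of the original post: a minimal interpreter for the
two BPF programs tcpdump -d printed above, run over constructed Ethernet
frames, showing why "ip or vlan" keeps untagged IP and "vlan or ip" drops it.
Only ldh, jeq and ret are implemented; the frames are constructed, not captured."""
import struct

ETH_P_IP = 0x0800
ETH_P_ARP = 0x0806
ETH_P_8021Q = 0x8100

# The two programs, transcribed from the tcpdump -d listings as
# (opcode, operand, jump-if-true, jump-if-false).
IP_OR_VLAN = [
    ("ldh", 12, None, None),
    ("jeq", ETH_P_IP, 3, 2),
    ("jeq", ETH_P_8021Q, 3, 4),
    ("ret", 65535, None, None),
    ("ret", 0, None, None),
]
VLAN_OR_IP = [
    ("ldh", 12, None, None),
    ("jeq", ETH_P_8021Q, 4, 2),
    ("ldh", 16, None, None),   # offset 12 shifted by the 4-byte 802.1Q tag
    ("jeq", ETH_P_IP, 4, 5),
    ("ret", 65535, None, None),
    ("ret", 0, None, None),
]


def run_bpf(program, frame):
    """Run a BPF program over one frame; return the byte count to keep (0 = drop)."""
    acc = 0
    pc = 0
    while True:
        op, k, jt, jf = program[pc]
        if op == "ldh":
            if k + 2 > len(frame):
                return 0   # a load past the end of the packet rejects it
            acc = struct.unpack_from("!H", frame, k)[0]
            pc += 1
        elif op == "jeq":
            pc = jt if acc == k else jf
        elif op == "ret":
            return k
        else:
            raise ValueError("unsupported opcode %r" % op)


def ether_frame(ethertype, payload, vlan_id=None):
    """Build an Ethernet II frame, optionally with an 802.1Q tag before the type."""
    hdr = bytes.fromhex("000c290a0fc1") + bytes.fromhex("000c297fd6a1")  # dst, src (made up)
    if vlan_id is not None:
        hdr += struct.pack("!HH", ETH_P_8021Q, vlan_id & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


def ipv4_payload(total_length):
    """Minimal 20-byte IPv4 header; only version/IHL and total length matter here."""
    return struct.pack("!BBH", 0x45, 0, total_length) + b"\x00" * 16


def classify(frame):
    """Return whether each of the two filters would keep the frame."""
    return {
        "ip or vlan": run_bpf(IP_OR_VLAN, frame) > 0,
        "vlan or ip": run_bpf(VLAN_OR_IP, frame) > 0,
    }


# Constructed sample frames (not captured traffic).
SAMPLES = {
    "untagged IP": ether_frame(ETH_P_IP, ipv4_payload(84)),
    "802.1Q-tagged IP": ether_frame(ETH_P_IP, ipv4_payload(84), vlan_id=99),
    "untagged ARP": ether_frame(ETH_P_ARP, b"\x00" * 28),
    # Untagged IP whose total-length field happens to be 0x0800: the
    # "vlan or ip" program reads that field at offset 16 and accepts it.
    "untagged IP, length 2048": ether_frame(ETH_P_IP, ipv4_payload(0x0800)),
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print("%-26s %s" % (name, classify(frame)))
```

Running it shows "ip or vlan" keeping both IP frames and rejecting ARP, while "vlan or ip" rejects the untagged IP frame and accepts the 2048-byte one only because its length field masquerades as an Ethertype.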

For an example of how you would combine a host and port filter with this syntax, see the following:

tcpdump -n -r ip.pcap \(ip and host 1.2.3.4 and port 80\) or \(vlan and host 1.2.3.4 and port 80\)

You might see this new option appear in Sguil CVS soon.



Monday, November 10, 2008

Securix-NSM 1.0 Released

Yesterday I read A successor is born... Securix-NSM 1.0. Securix-NSM is a Debian-based live CD that is the fastest way I've ever seen for a new user to try Sguil. All you have to do is download the 280 MB .iso, boot it, and follow the quick start documentation.

Those steps are basically:

  1. Open a terminal.

  2. Execute 'sudo nsm start'.

  3. Double-click on the Sguil client icon.

  4. Log into Sguil.



To test Sguil, I executed 'apt-get install lynx' then visited www.testmyids.com. In the screenshot you'll see the default Sguil installation generated two alerts. I was able to generate a transcript and launch Wireshark. However, SANCP session records did not appear to be inserted into the database although SANCP was running.

I suggest trying Securix-NSM if you'd like to try using Sguil but have no experience setting it up.

Friday, May 16, 2008

Answering Reader Questions

Thanks to the patient readers who submitted questions while I've been on the road for work. I'd like to post a few questions here, along with my answers. Identities of those asking questions have been preserved unless noted otherwise, as is my policy.

How does something like Sguil relate to something like OSSIM? I find that I would love to use Sguil for analysis, but it doesn’t deal with HIDS, and I feel if I run both on the same network, I am overlapping a bit of things, as well as using a bit of resources redundantly?

I see Sguil and OSSIM as different products. Sguil is primarily (and currently) an analyst console for network security monitoring. OSSIM (from what I have seen, and from what I have heard speaking directly with developers) is more of an interface to a variety of open source tools. That sounds similar but it is somewhat different. I don't see a reason why you have to choose between the two.

I think it is important to realize that although OSSIM has the term "SIM" in the name, it's really not a SIM. Most people consider a SIM to be a system that interprets logs from a variety of sources, correlates or otherwise analyzes them, and presents more intelligence information to the analyst. OSSIM doesn't really accept that much from other log sources; it relies on output from other open source tools. I am sure I am going to hear from a bunch of satisfied OSSIM users who claim I am ignorant, but my group decided not to use OSSIM because it was less SIM than we needed and too much portal to open source applications. If you want that, it's still helpful.

In your book you stated that Sguil is really used for real-time monitoring, but what happens when you are a small company and don’t employ 24x7 staff? Does the analyst come in the next morning and work through alerts that came through the previous evening?

That is one model. In another model, you set Sguil to auto-categorize all alerts, and then query for something of interest. Sguil was originally built for a 24x7 SOC environment, but you don't necessarily have to use it that way.

I have been [in a new job as an analyst at an] MSSP for 3 weeks and have formed an opinion that slightly mirrors your points about MSSPs being ticket-shops; in my opinion, an MSSP, and specifically the division that I am in, is like a glorified and/or specialized help/service desk. We get tickets, we fix things, we close tickets, repeat, etc. This is like a help desk except instead of dealing with, say, desktops and servers, we are dealing with firewalls and IDSs.

I had a conversation with a friend who helped land me the job this afternoon and one of the things that he pointed out to me was that I would have to get used to the fact that our customers (government and commercial) are not interested in situational awareness or tactical traffic analyses, or NSM in general. In fact, to my company NSM is a product by [insert vendor name here]. :)

This is funny, but true. Please don't get the impression that I am complaining; I willingly chose to work for this company and am happy to have the opportunity to learn new technologies (different firewalls, different IDSs) from a different perspective and within many disparate networks. It's just that I have come to the conclusion that all Information Security is NOT Information Warfare and am not sure how to cope with this. I am a packet-head and an analyst at heart, but as I have been told, our customers do not place the same premium on understanding their traffic that I do, nor does my company by extension, because it is not a salable service.


Wow, doesn't that question just punch you in the gut? I feel your pain. MSSPs exist to make money, and differentiation by the real issue -- detecting and ejecting intruders -- doesn't appear on the balance sheet. If anyone disagrees, re-read MSSPs: What Really Matters and read near the bottom: As Bamm Visscher asks, "Is your MSSP just a 'Security Device Management Provider'?" (SDMP?)

I have anecdotal evidence from a variety of sources that many companies are taking in-house some of the security services they previously outsourced. Some are doing so because they are getting little to no value for their MSSP dollar. Others realize that almost all of the MSSPs are just SDMPs, and the customer demands someone who has a better chance of understanding their business and actually improving security. Those who retain MSSPs are usually checking PCI or other regulatory boxes or not clued in to the fact that most MSSPs are terrible. A very small minority is happy with their MSSP, and I can probably name the company or two providing the service. (Please don't ask for their names.) Some customers are hoping everything ends up in the cloud anyway, so security becomes someone else's problem! (Sorry!)

To specifically address your concerns -- I would do the best you can with your situation, but if you decide you really aren't happy, I would look for alternatives. Either find an MSSP that operates how you would like it to, or find a company or agency with a good in-house operation. Now that you've seen how a ticket shop operates it's easy to identify one in the future.

Do you know if there has been any progress with FreeBSD 7.0 in coupling up Snort inline with a bridge-mode FreeBSD machine? I think that this would be a match made in heaven. The last time I did research on this, it wasn't yet possible because the kernel can't handle divert sockets.

Sorry, I have not tried this recently.

Are you handling AV issues? I wanted to know if you had tied that into your IR plan and any lessons learned you might be able to share. Right now our AV is handled by the systems team, but when they get an alert, "IF" they look at it, they typically re-run a scan or maybe some spyware tools and call it good: no traffic monitoring, no application baselining. Typically my team will come along after the fact, when we see traffic that falls out of spec, and question what's happened recently on the box.

I have lobbied to now pull this into my team (Network Ops and Security), increase headcount, and I have an idea on how to handle it but wanted to see if you've already dealt with it.


Great question. Ideally antivirus is integrated into an overall Security Operations Center, since AV is both a detection and containment mechanism. However, AV often seems to be run by separate groups (a dedicated AV team, or the end user desktop team, or another batch of people). I recommend integrating access to the AV console into your own processes. Either formally establish a process to involve your incident responders when notified by the AV team of a situation they realize is problematic, or offer support when you observe troublesome behavior on the AV console. Preferably the AV team escalates suspected compromises to the IRT, but you may have to be a little more aggressive if you want to compensate for lack of cooperation between the teams.

Thursday, April 24, 2008

First Issue of BSD Magazine Released

I received a copy of the new BSD Magazine yesterday by air mail from Poland, and I have to say it looks pretty cool. It contains an article I wrote explaining how to install Sguil 0.7.0 on FreeBSD 7.0. At the time I used a CVS version of Sguil and FreeBSD 7.0-BETA4, but the article is still relevant.

One caution: I discovered a bug in MySQL, which I logged as Optimizer does table scan for select count(*) w/5.1.22, .23, not 5.0.51, 5.1.11. You will encounter this bug if you follow the instructions in my magazine article. The work-around is to use MySQL 5.0.51a instead of 5.1.22, as shown in the magazine.

Dru Lavigne does a nice job detailing the magazine's table of contents.

Monday, April 14, 2008

Run Apps on Cisco ISR Routers

Earlier this month we joked that the Sguil project was acquired by Cisco, such that Sguil would be integrated into Cisco platforms. Cisco routers already run Tcl, but now thanks to Cisco's new Application eXtension Platform, other possibilities are developing. According to Optimize Branch Footprint with Application Integration, Cisco says:

  • Linux-based integration environment with downloadable Software Development Kit (SDK)

  • Multiple applications support with the ability to segment and guarantee CPU, memory, and disk resources

  • Certified libraries to implement C, Python, Perl, and Java applications

  • Supported by Cisco 1841, 2800, and 3800 Series Integrated Services Routers


Sun used to say The Network is the Computer. Cisco now states The Network as a Platform. In other words, why deploy another server or appliance if you can just run it on your Cisco router?

I am unsure how this will play out. I figure Cisco just wanted to add to the confusion caused by virtualization with their own take on consolidating platforms. At some point I see one giant box (labelled Skynet probably) with a massive antenna to which we all connect our dumb terminals via wireless.

I'd like to get a Cisco 2800 series ISR router to try this out... donations are welcome. :)

Tuesday, April 01, 2008

Sguil Project Acquired by Cisco

Three years ago I posted Cisco Routers Run Tcl; I had no idea where that development could lead. Last month when I posted Sguil 0.7.0 Released, I wanted to say more about the release, but I couldn't -- until now. I am happy to report the following.

Cisco Announces Agreement to Acquire Sguil™ Open Source Security Monitoring Project

Acquisition Furthers Cisco’s Vision for Integrated Security Products

SAN JOSE, Calif., and LONGMONT, Colo., April 1st, 2008 – Cisco and the Sguil™ project today announced an agreement for Cisco to acquire the Sguil™ project, a leading Open Source network security solution. With hundreds of installations world-wide, Sguil™ is the de facto reference implementation for the Network Security Monitoring (NSM) model. Sguil™-based NSM will enable Cisco’s customer base to more efficiently collect and analyze security-related information as it traverses their enterprise networks. This acquisition will help Cisco to cement its reputation as a leader in the Open Source movement while at the same time furthering its long-held vision of integrating security into the network infrastructure.

Under terms of the transaction, Cisco has acquired the Sguil™ project and related trademarks, as well as the copyrights held by the five principal members of the Sguil™ team, including project founder Robert "Bamm" Visscher. Cisco will assume control of the open source Sguil™ project including the Sguil.net domain, web site and web site content and the Sguil™ Sourceforge project page. In addition, the Sguil™ team will remain dedicated to the project as Cisco employees, continuing their management of the project on a day-to-day basis.

To date, Sguil™ has been developed primarily in the Tcl scripting language, support for which is already present inside many of Cisco’s routers and switches. The new product, to be known as “Cisco Embedded Monitoring Solution (CEMS)”, will be made available first in Cisco’s carrier-grade products in 3Q08, with support being phased into the rest of the Cisco product line by 4Q09. Linksys-branded devices will follow thereafter, though the exact deployment schedule has yet to be announced.

“We’re extremely pleased to announce this deal,” said Cisco’s Chief Security Product Manager Cletus F. Simmons. “For some time, our customers have told us that our existing security monitoring products did not extend far enough into their network infrastructure layer. Not only was it sometimes difficult to intercept and monitor the traffic, but there were often political problems at the customer site with deploying our Intrusion Detection Systems, as management had heard several years ago that they were ‘dead’. Now, with Sguil™ integrated into all their network devices, they’ll have no choice!”

Although the financial details of the agreement have not been announced, Sguil™ developer Robert Visscher will become the new VP of Cisco Rapid Analysis Products for Security. “This deal means a lot to the Sguil™ project and to me personally,” Visscher explains. “Previously, we had to be content with simply being the best technical solution to enable intrusion analysts to collect and analyze large amounts of data in an extraordinarily efficient manner. But now, we’ll have the additional advantage of the world’s largest manufacturer of networking gear shoving it down their customers’ throats! We will no longer have to concern ourselves with mere technical excellence. Instead, I can worry more about which tropical island to visit next, and which flavor daiquiri to order. You know, the important things.”

About Cisco Systems

Cisco, (NASDAQ: CSCO), is the worldwide leader in networking that transforms how people connect, communicate and collaborate. Information about Cisco can be found at http://www.cisco.com. For ongoing news, please go to http://newsroom.cisco.com.

About Sguil™

Sguil™ is the leading Network Security Monitoring (NSM) framework. It is built for network security analysts by network security analysts. Sguil’s main component is an intuitive GUI that provides access to a wide variety of security related information, including real-time IDS alerts, network session database and full packet captures. Sguil™ was written by Robert “Bamm” Visscher, who was apparently too cheap to buy a book on Java or C.


I can't wait to see how well Sguil performs on Cisco routers. Stay tuned!

Sunday, March 30, 2008

Wireshark 1.0.0 Released

I'd like to congratulate the Wireshark team for releasing Wireshark 1.0.0. As the news item says, it's been nearly 10 years in the making. I started using Ethereal in 1999 at the AFCERT with data collected from our ASIM sensors.

It's a great time for network security monitoring right now! With Sguil 0.7.0 released there's a lot of attention from high level players. It's cool.

Wednesday, March 26, 2008

Sguil 0.7.0 Released

...and there was much rejoicing. Sguil 0.7.0 is now available for download. Sguil is an open source interface to statistical, alert, session, and full content data written by Bamm Visscher. A great way to quickly see the differences between 0.6.1 and 0.7.0 is to visit the NSM Wiki Sguil Overview and check out the diagrams near the bottom of the page. I've been using Sguil 0.7.0 from CVS for several weeks in production and it's working well. I plan to create a new virtual machine with Sguil 0.7.0 on FreeBSD 7.0. Shortly you will be able to buy a copy of the new BSD Magazine featuring my article Sguil 0.7.0 on FreeBSD 7.0 also. Check out the release announcement for more details.

Friday, March 07, 2008

Common Interface to Packets

Recently a blog reader asked me an interesting question. He wanted to know if it would be possible to replace the variety of network traffic inspection and analysis products with a single box running multiple applications. He was interested in some sort of common interface to packets that could perform the collection function and make traffic available to other products.

There are several ways to look at this issue. First, one can do that already using a commodity hardware platform. It is possible to run multiple traffic inspection applications against a single interface now, but one has to be careful as the number of applications increases. We use this approach with Sguil, where Snort listens to generate alerts, SANCP listens to create session records, Daemonlogger listens to log full content data, PADS listens to generate host records, and so on.

Second, one could buy a fairly open packet capture box and create virtual interfaces which provide a traffic stream to applications. Options which come to mind include Solera Networks capture appliances and Endace Ninja platforms. These typically run Linux and act as a high-end option for packet capture.

Third, one could think of a network tap (like a Net Optics regeneration tap or a Gigamon GigaVUE) as that common interface to packet data. The tap collects traffic and then sends it to multiple products. This is a very common scenario for a simple reason: few vendors are willing to accept the decisions made by another vendor regarding packet capture. Everyone wants to collect data themselves, using their own NICs, or drivers, or libraries. That's perfectly understandable but it makes it tough for users who end up managing so many separate boxes.

What do you think?

Monday, December 31, 2007

Sguil Status

One of you wrote recently to ask about the status of the open source Network Security Monitoring suite called Sguil. You noticed the last release of Sguil (0.6.1) occurred in February 2006. I can assure you Sguil is not dead. In fact, just last week I wrote an article for a new BSD magazine about installing the sensor and server components of Sguil 0.7.0 (from CVS) on FreeBSD 7.0.

To keep up with development read the sguil-devel mailing list and visit #snort-gui on irc.freenode.net.

I expect to see Sguil 0.7.0 released before 13 February 2008 to avoid hitting the two year mark.

Friday, November 23, 2007

MPAA University Toolkit Phone Home

This is a follow-up to my story Examining the MPAA University Toolkit.

After reading the hysteria posted on the Slashdot story MPAA College Toolkit Raises Privacy, Security Concerns, I thought I would take a look at traffic leaving the box. Aside from traffic generated by the auto-start of Firefox, the only interesting event was the following. I captured it with my gateway Sguil sensor.

Sensor Name: hacom
Timestamp: 2007-11-23 21:27:04
Connection ID: .hacom_5136150487897024842
Src IP: 69.255.105.234 (c-69-255-105-234.hsd1.va.comcast.net)
Dst IP: 66.252.137.155 (Unknown)
Src Port: 39532
Dst Port: 80
OS Fingerprint: 69.255.105.234:39532 - UNKNOWN
[S4:61:1:60:M1460,S,T,N,W4:.:?:?] (up: 3 hrs)
OS Fingerprint: -> 66.252.137.155:80 (link: ethernet/modem)

SRC: GET /version.txt HTTP/1.1
SRC: Accept-Encoding: identity
SRC: Host: universitytoolkit.com
SRC: Connection: close
SRC: User-Agent: Python-urllib/2.5
SRC:
SRC:
DST: HTTP/1.1 200 OK
DST: Date: Fri, 23 Nov 2007 21:27:31 GMT
DST: Server: Apache/2.0.52 (Red Hat)
DST: Last-Modified: Fri, 12 Oct 2007 14:14:45 GMT
DST: ETag: "4f4002-7-57333f40"
DST: Accept-Ranges: bytes
DST: Content-Length: 7
DST: Connection: close
DST: Content-Type: text/plain; charset=UTF-8
DST:
DST: 1.2-RC3

That's it.

Examining cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 MPAA University Toolkit

I learned about the MPAA University Toolkit at Brian Krebs' always-excellent SecurityFix blog. If you want to know more about the user experience, please check out that post. Here I take a look at the monitoring software, focusing on Snort, operating on this application.

I downloaded the 534 MB peerwatch-1.2-RC5.iso and started it in a VMware Server session. I used ctrl-c and then 'sudo bash' to exit from the initial script presented within X, set a root password, then used 'apt-get ssh install' to install OpenSSH and thus enable root access. From this point forward I accessed the system using OpenSSH remotely to facilitate copying information into this blog post.

First, this looks like Ubuntu (Xubuntu, if you really care) Feisty Fawn, or 7.04.

root@ubuntu:~# uname -a
Linux ubuntu 2.6.20-15-generic #2 SMP Sun Apr 15 07:36:31 UTC 2007
i686 GNU/Linux

I was most interested in learning about Snort on this toolkit. I saw this version installed.

root@ubuntu:~# snort -V

,,_ -*> Snort! <*-
o" )~ Version 2.3.3 (Build 14)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/team.html
(C) Copyright 1998-2004 Sourcefire Inc., et al.

Wow, that's old. It's probably patched, based on the changelog. This is Snort installed via the Debian/Ubuntu package:

root@ubuntu:~# dpkg --list | grep snort
rc snort 2.3.3-9
Flexible Network Intrusion Detection System
ii snort-common 2.3.3-9
Flexible Network Intrusion Detection System
ii snort-mysql 2.3.3-9
Flexible Network Intrusion Detection System
ii snort-rules-default 2.3.3-9
Flexible Network Intrusion Detection System

Let's see what the snort.conf looks like.

root@ubuntu:/etc/snort# cat snort.conf
var HOME_NET any
var EXTERNAL_NET !$HOME_NET
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET

var HTTP_PORTS 80

var RULE_PATH /etc/snort/rules

preprocessor flow: stats_interval 0 hash 2
preprocessor frag2
preprocessor stream4: disable_evasion_alerts detect_scans
preprocessor stream4_reassemble

# preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt 10000

# (#DBSTART#)
output database: log, mysql, user=snort password=snort dbname=snort host=localhost
# (#DBEND#)

include classification.config
include reference.config

config flowbits_size: 256

include $RULE_PATH/bleeding-p2p.rules
include $RULE_PATH/local-ftp.rules
include $RULE_PATH/local-http.rules
include $RULE_PATH/local-smb.rules
include $RULE_PATH/p2p.rules

include threshold.conf

Excellent, another Snort installation where Snort is logging directly to a MySQL database. That must be the default provided by Debian/Ubuntu. Ouch. Thresholding and suppression are also enabled but the entire contents are commented out in the threshold.conf file.

Let's get a look at those rules.

bleeding-p2p.rules looks like an old copy of the bleeding-p2p.rules, perhaps from mid-year? I think there are 38 rules.

p2p.rules is a really old rule set:

# $Id: p2p.rules,v 1.17.2.1 2004/10/13 20:25:57 bmc Exp $

You may recognize these and the other Snort-distributed rules as being those that accompanied Snort 2.3.3, which pre-dates the new license for Snort rules.

local-ftp.rules is the first rule set written by whoever assembled this toolkit.

# cat local-ftp.rules
# 1 000 500 - 1 000 699

# active
alert tcp any 20 -> any any (msg: "FTP Download - MPEG Movie File - B2"; \
content: "|00 00 01 B2|"; depth: 6; rawbytes; \
sid: 1000501; rev: 1; \
)

alert tcp any 20 -> any any (msg: "FTP Download - MPEG Movie File - B3"; \
content: "|00 00 01 B3|"; depth: 6; rawbytes; \
sid: 1000502; rev: 1; \
)

alert tcp any 20 -> any any (msg: "FTP Download - MPEG Movie File - BA"; \
content: "|00 00 01 BA|"; depth: 6; rawbytes; \
sid: 1000503; rev: 1; \
)

alert tcp any 20 -> any any (msg: "FTP Download - MPEG Movie File - BB"; \
content: "|00 00 01 BB|"; depth: 6; rawbytes; \
sid: 1000504; rev: 1; \
)

alert tcp any 20 -> any any (msg: "FTP Download - MPEG-4 Video File"; \
content: "|00 00 00 18 66 74 79 70 6D 70 34|"; depth: 15; rawbytes; \
sid: 1000505; rev: 1; \
)

alert tcp any 20 -> any any (msg: "FTP Download - Quicktime Movie File - MOOV"; \
content: "|6D 6F 6F 76|"; depth: 10; rawbytes; \
sid: 1000506; rev: 1; \
)

alert tcp any 20 -> any any (msg: "FTP Download - Quicktime Movie File - MDAT"; \
content: "|6D 64 61 74|"; depth: 10; rawbytes; \
sid: 1000507; rev: 1; \
)

alert tcp any 20 -> any any (msg: "FTP Download - Audio Video Interleave (AVI) File - AVI"; \
content: "|41 56 49 20|"; depth: 6; rawbytes; \
sid: 1000508; rev: 1; \
)

alert tcp any 20 -> any any (msg: "FTP Download - Audio Video Interleave (AVI) File - RIFF"; \
content: "|52 49 46 46|"; depth: 6; rawbytes; \
sid: 1000509; rev: 1; \
)

alert tcp any 20 -> any any (msg: "FTP Download - Real Media File"; \
content: "|2E 52 4D 46|"; depth: 6; rawbytes; \
sid: 1000510; rev: 1; \
)

alert tcp any 20 -> any any (msg: "FTP Download - Windows Media File"; \
content: "|30 26 B2 75 8E 66 CF 11 A6 D9 00 AA 00 62 CE 6C|"; depth: 20; rawbytes; \
sid: 1000511; rev: 1; \
)

# passive
alert tcp any 1024: -> any 1024: (msg: "FTP PASV Download - MPEG Movie File - B2"; \
content: "|00 00 01 B2|"; depth: 6; rawbytes; \
sid: 1000512; rev: 1; \
)

alert tcp any 1024: -> any 1024: (msg: "FTP PASV Download - MPEG Movie File - B3"; \
content: "|00 00 01 B3|"; depth: 6; rawbytes; \
sid: 1000513; rev: 1; \
)

alert tcp any 1024: -> any 1024: (msg: "FTP PASV Download - MPEG Movie File - BA"; \
content: "|00 00 01 BA|"; depth: 6; rawbytes; \
sid: 1000514; rev: 1; \
)

alert tcp any 1024: -> any 1024: (msg: "FTP PASV Download - MPEG Movie File - BB"; \
content: "|00 00 01 BB|"; depth: 6; rawbytes; \
sid: 1000515; rev: 1; \
)

alert tcp any 1024: -> any 1024: (msg: "FTP PASV Download - MPEG-4 Video File"; \
content: "|00 00 00 18 66 74 79 70 6D 70 34|"; depth: 15; rawbytes; \
sid: 1000516; rev: 1; \
)

alert tcp any 1024: -> any 1024: (msg: "FTP PASV Download - Quicktime Movie File - MOOV"; \
content: "|6D 6F 6F 76|"; depth: 10; rawbytes; \
sid: 1000517; rev: 1; \
)

alert tcp any 1024: -> any 1024: (msg: "FTP PASV Download - Quicktime Movie File - MDAT"; \
content: "|6D 64 61 74|"; depth: 10; rawbytes; \
sid: 1000518; rev: 1; \
)

alert tcp any 1024: -> any 1024: (msg: "FTP PASV Download - Audio Video Interleave (AVI) File - AVI"; \
content: "|41 56 49 20|"; depth: 6; rawbytes; \
sid: 1000519; rev: 1; \
)

alert tcp any 1024: -> any 1024: (msg: "FTP PASV Download - Audio Video Interleave (AVI) File - RIFF"; \
content: "|52 49 46 46|"; depth: 6; rawbytes; \
sid: 1000520; rev: 1; \
)

alert tcp any 1024: -> any 1024: (msg: "FTP PASV Download - Real Media File"; \
content: "|2E 52 4D 46|"; depth: 6; rawbytes; \
sid: 1000521; rev: 1; \
)

alert tcp any 1024: -> any 1024: (msg: "FTP PASV Download - Windows Media File"; \
content: "|30 26 B2 75 8E 66 CF 11 A6 D9 00 AA 00 62 CE 6C|"; depth: 20; rawbytes; \
sid: 1000522; rev: 1; \
)

Anyone who has written Snort rules is probably going to question the false positive rate on this rule set, especially the "tcp any 1024: -> any 1024:" group. These are straight content matches, and the smaller strings like "|2E 52 4D 46|" are probably going to fire quite a bit on unintended traffic.

Here is local-http.rules.

root@ubuntu:/etc/snort/rules# cat local-http.rules
# 1 000 100 - 1 000 299

alert tcp any 80 -> any any (msg: "HTTP Download > 100M - MPEG Movie File - B2"; \
flow: established,from_server; \
content: "HTTP"; depth: 5; nocase; \
content: "200"; within: 8; \
content: "Content-Length\: "; within: 300; nocase; \
pcre: "/^[0-9]{9,}\r\n/R"; \
content: "|0d 0a 0d 0a|"; within: 100; \
content: "|00 00 01 B2|"; within: 6; \
sid: 1000101; rev: 1; \
)

alert tcp any 80 -> any any (msg: "HTTP Download > 100M - MPEG Movie File - B3"; \
flow: established,from_server; \
content: "HTTP"; depth: 5; nocase; \
content: "200"; within: 8; \
content: "Content-Length\: "; within: 300; nocase; \
pcre: "/^[0-9]{9,}\r\n/R"; \
content: "|0d 0a 0d 0a|"; within: 100; \
content: "|00 00 01 B3|"; within: 6; \
sid: 1000102; rev: 1; \
)

alert tcp any 80 -> any any (msg: "HTTP Download > 100M - MPEG Movie File - BA"; \
flow: established,from_server; \
content: "HTTP"; depth: 5; nocase; \
content: "200"; within: 8; \
content: "Content-Length\: "; within: 300; nocase; \
pcre: "/^[0-9]{9,}\r\n/R"; \
content: "|0d 0a 0d 0a|"; within: 100; \
content: "|00 00 01 BA|"; within: 6; \
sid: 1000103; rev: 1; \
)

alert tcp any 80 -> any any (msg: "HTTP Download > 100M - MPEG Movie File - BB"; \
flow: established,from_server; \
content: "HTTP"; depth: 5; nocase; \
content: "200"; within: 8; \
content: "Content-Length\: "; within: 300; nocase; \
pcre: "/^[0-9]{9,}\r\n/R"; \
content: "|0d 0a 0d 0a|"; within: 100; \
content: "|00 00 01 BB|"; within: 6; \
sid: 1000104; rev: 1; \
)

alert tcp any 80 -> any any (msg: "HTTP Download > 100M - MPEG-4 Video File"; \
flow: established,from_server; \
content: "HTTP"; depth: 5; nocase; \
content: "200"; within: 8; \
content: "Content-Length\: "; within: 300; nocase; \
pcre: "/^[0-9]{9,}\r\n/R"; \
content: "|0d 0a 0d 0a|"; within: 100; \
content: "|00 00 00 18 66 74 79 70 6D 70 34|"; within: 15; \
sid: 1000105; rev: 1; \
)

alert tcp any 80 -> any any (msg: "HTTP Download > 100M - Quicktime Movie File - MOOV"; \
flow: established,from_server; \
content: "HTTP"; depth: 5; nocase; \
content: "200"; within: 8; \
content: "Content-Length\: "; within: 300; nocase; \
pcre: "/^[0-9]{9,}\r\n/R"; \
content: "|0d 0a 0d 0a|"; within: 100; \
content: "|6D 6F 6F 76|"; within: 10; \
sid: 1000106; rev: 1; \
)
alert tcp any 80 -> any any (msg: "HTTP Download > 100M - Quicktime Movie File - MDAT"; \
flow: established,from_server; \
content: "HTTP"; depth: 5; nocase; \
content: "200"; within: 8; \
content: "Content-Length\: "; within: 300; nocase; \
pcre: "/^[0-9]{9,}\r\n/R"; \
content: "|0d 0a 0d 0a|"; within: 100; \
content: "|6D 64 61 74|"; within: 10; \
sid: 1000107; rev: 1; \
)

alert tcp any 80 -> any any (msg: "HTTP Download > 100M - Audio Video Interleave (AVI) File - AVI"; \
flow: established,from_server; \
content: "HTTP"; depth: 5; nocase; \
content: "200"; within: 8; \
content: "Content-Length\: "; within: 300; nocase; \
pcre: "/^[0-9]{9,}\r\n/R"; \
content: "|0d 0a 0d 0a|"; within: 100; \
content: "|41 56 49 20|"; within: 6; \
sid: 1000108; rev: 1; \
)

alert tcp any 80 -> any any (msg: "HTTP Download > 100M - Audio Video Interleave (AVI) File - RIFF"; \
flow: established,from_server; \
content: "HTTP"; depth: 5; nocase; \
content: "200"; within: 8; \
content: "Content-Length\: "; within: 300; nocase; \
pcre: "/^[0-9]{9,}\r\n/R"; \
content: "|0d 0a 0d 0a|"; within: 100; \
content: "|52 49 46 46|"; within: 6; \
sid: 1000109; rev: 1; \
)

alert tcp any 80 -> any any (msg: "HTTP Download > 100M - Real Media File"; \
flow: established,from_server; \
content: "HTTP"; depth: 5; nocase; \
content: "200"; within: 8; \
content: "Content-Length\: "; within: 300; nocase; \
pcre: "/^[0-9]{9,}\r\n/R"; \
content: "|0d 0a 0d 0a|"; within: 100; \
content: "|2E 52 4D 46|"; within: 6; \
sid: 1000110; rev: 1; \
)

alert tcp any 80 -> any any (msg: "HTTP Download > 100M - Windows Media File"; \
flow: established,from_server; \
content: "HTTP"; depth: 5; nocase; \
content: "200"; within: 8; \
content: "Content-Length\: "; within: 300; nocase; \
pcre: "/^[0-9]{9,}\r\n/R"; \
content: "|0d 0a 0d 0a|"; within: 100; \
content: "|30 26 B2 75 8E 66 CF 11 A6 D9 00 AA 00 62 CE 6C|"; within: 20; \
sid: 1000111; rev: 1; \
)

That's 11 rules. There are 22 more. The middle 11 have port 80 replaced by 3128. The final 11 have port 8080. What does that tell you? It means that you can avoid being detected by these rules if the remote Web server runs on a port other than 80, 3128, or 8080. Note also that the original snort.conf doesn't enable the http_inspect or http_inspect_server preprocessors. These rules are more raw content matches, although their specificity will reduce the number of times they fire. They also introduce more evasion options.

Finally, let's check out local-smb.rules.

root@ubuntu:/etc/snort/rules# cat local-smb.rules
# 1 000 300 - 1 000 499

alert tcp any 445 -> any any (msg: "SMB-445 Download > 100M - MPEG Movie File - B2"; \
flow: established,from_server; \
content: "SMB|2E|"; offset: 5; within: 4; nocase; \
content: "|00 00 01 B2|"; distance: 54; within: 4; \
sid: 1000301; rev: 1; \
)

alert tcp any 445 -> any any (msg: "SMB-445 Download > 100M - MPEG Movie File - B3"; \
flow: established,from_server; \
content: "SMB|2E|"; offset: 5; within: 4; nocase; \
content: "|00 00 01 B3|"; distance: 54; within: 4; \
sid: 1000302; rev: 1; \
)

alert tcp any 445 -> any any (msg: "SMB-445 Download > 100M - MPEG Movie File - BA"; \
flow: established,from_server; \
content: "SMB|2E|"; offset: 5; within: 4; nocase; \
content: "|00 00 01 BA|"; distance: 54; within: 4; \
sid: 1000303; rev: 1; \
)

alert tcp any 445 -> any any (msg: "SMB-445 Download > 100M - MPEG Movie File - BB"; \
flow: established,from_server; \
content: "SMB|2E|"; offset: 5; within: 4; nocase; \
content: "|00 00 01 BB|"; distance: 54; within: 4; \
sid: 1000304; rev: 1; \
)

alert tcp any 445 -> any any (msg: "SMB-445 Download > 100M - MPEG-4 Video File"; \
flow: established,from_server; \
content: "SMB|2E|"; offset: 5; within: 4; nocase; \
content: "|00 00 00 18 66 74 79 70 6D 70 34|"; distance: 54; within: 15; \
sid: 1000305; rev: 1; \
)

alert tcp any 445 -> any any (msg: "SMB-445 Download > 100M - Quicktime Movie File - MOOV"; \
flow: established,from_server; \
content: "SMB|2E|"; offset: 5; within: 4; nocase; \
content: "MOOV"; distance: 54; within: 8; nocase; \
sid: 1000306; rev: 1; \
)

alert tcp any 445 -> any any (msg: "SMB-445 Download > 100M - Quicktime Movie File - MDAT"; \
flow: established,from_server; \
content: "SMB|2E|"; offset: 5; within: 4; nocase; \
content: "MDAT"; distance: 54; within: 4; nocase; \
sid: 1000307; rev: 1; \
)

alert tcp any 445 -> any any (msg: "SMB-445 Download > 100M - Audio Video Interleave (AVI) File - AVI"; \
flow: established,from_server; \
content: "SMB|2E|"; offset: 5; within: 4; nocase; \
content: "AVI_"; distance: 54; within: 4; nocase; \
sid: 1000308; rev: 1; \
)

alert tcp any 445 -> any any (msg: "SMB-445 Download > 100M - Audio Video Interleave (AVI) File - RIFF"; \
flow: established,from_server; \
content: "SMB|2E|"; offset: 5; within: 4; nocase; \
content: "RIFF"; distance: 54; within: 4; nocase; \
sid: 1000309; rev: 1; \
)

alert tcp any 445 -> any any (msg: "SMB-445 Download > 100M - Real Media File"; \
flow: established,from_server; \
content: "SMB|2E|"; offset: 5; within: 4; nocase; \
content: "|2E 52 4D 46|"; distance: 54; within: 4; \
sid: 1000310; rev: 1; \
)

alert tcp any 445 -> any any (msg: "SMB-445 Download > 100M - Windows Media File"; \
flow: established,from_server; \
content: "SMB|2E|"; offset: 5; within: 4; nocase; \
content: "|30 26 B2 75 8E 66 CF 11 A6 D9 00 AA 00 62 CE 6C|"; distance: 54; within: 16; \
sid: 1000311; rev: 1; \
)

Notice all the port 445 instances? You can evade these if your SMB session uses port 139 TCP.

I thought it might be fun to test these rules. I decided to download a 108 MB .avi file to the toolkit host itself and see if it would be observed.

file robert-morris.avi
robert-morris.avi: RIFF (little-endian) data, AVI, 640 x 480, 30.00 fps,
video: Motion JPEG, audio: uncompressed PCM (mono, 11024 Hz)

Hmm, no alerts. I have Sguil running on my gateway. Let's see what the start of a transcript for this session looks like.

Sensor Name: hacom
Timestamp: 2007-11-23 21:32:47
Connection ID: .hacom_5136151961070210685
Src IP: 69.255.105.234 (c-69-255-105-234.hsd1.va.comcast.net)
Dst IP: 164.106.251.250 (Unknown)
Src Port: 58172
Dst Port: 80
OS Fingerprint: 69.255.105.234:58172 - UNKNOWN
[S4:61:1:60:M1460,S,T,N,W4:.:?:?] (up: 3 hrs)
OS Fingerprint: -> 164.106.251.250:80 (link: ethernet/modem)

SRC: GET /docs/netsec/robert-morris.avi HTTP/1.0
SRC: User-Agent: Wget/1.10.2
SRC: Accept: */*
SRC: Host: 164.106.251.250
SRC: Connection: Keep-Alive
SRC:
SRC:
DST: HTTP/1.1 200 OK
DST: Date: Fri, 23 Nov 2007 21:38:16 GMT
DST: Server: Apache/2.0.52 (Red Hat)
DST: Last-Modified: Tue, 23 Aug 2005 21:46:31 GMT
DST: ETag: "37804f-6bfad96-ba9f7bc0"
DST: Accept-Ranges: bytes
DST: Content-Length: 113225110
DST: Connection: close
DST: Content-Type: video/x-msvideo
DST:
DST:
DST: RIFF....AVI LISTF...hdrlavih8...5...D.&......................I..
LISTt...strlstrh8...vidsmjpg............5...@B...........I...'..............
strf(...(...............MJPG....................LIST\...strlstrh8...auds....
.................+......\
DST: ..+...'..............strf.........+...+......IDIT....
FRI JUL 29 15:54:43 2005
DST: .LIST....INFOISFT....CanonMVI02..JUNK~...

After the HTTP response you see the download begin for the .avi. Presumably this would match this rule?

"HTTP Download > 100M - Audio Video Interleave (AVI) File - RIFF"

Let's look at the two most important packets in the full content pcap file.

16:32:47.335530 IP 164.106.251.250.80 > 69.255.105.234.58172:
P 1:268(267) ack 133 win 1716
0x0000: 4520 013f e980 4000 3006 0fca a46a fbfa E..?..@.0....j..
0x0010: 45ff 69ea 0050 e33c f12d d653 a3ca 374e E.i..P.<.-.S..7N
0x0020: 8018 06b4 ce3b 0000 0101 080a 80f7 4ef2 .....;........N.
0x0030: 0013 7372 4854 5450 2f31 2e31 2032 3030 ..srHTTP/1.1.200
0x0040: 204f 4b0d 0a44 6174 653a 2046 7269 2c20 .OK..Date:.Fri,.
0x0050: 3233 204e 6f76 2032 3030 3720 3231 3a33 23.Nov.2007.21:3
0x0060: 383a 3136 2047 4d54 0d0a 5365 7276 6572 8:16.GMT..Server
0x0070: 3a20 4170 6163 6865 2f32 2e30 2e35 3220 :.Apache/2.0.52.
0x0080: 2852 6564 2048 6174 290d 0a4c 6173 742d (Red.Hat)..Last-
0x0090: 4d6f 6469 6669 6564 3a20 5475 652c 2032 Modified:.Tue,.2
0x00a0: 3320 4175 6720 3230 3035 2032 313a 3436 3.Aug.2005.21:46
0x00b0: 3a33 3120 474d 540d 0a45 5461 673a 2022 :31.GMT..ETag:."
0x00c0: 3337 3830 3466 2d36 6266 6164 3936 2d62 37804f-6bfad96-b
0x00d0: 6139 6637 6263 3022 0d0a 4163 6365 7074 a9f7bc0"..Accept
0x00e0: 2d52 616e 6765 733a 2062 7974 6573 0d0a -Ranges:.bytes..
0x00f0: 436f 6e74 656e 742d 4c65 6e67 7468 3a20 Content-Length:.
0x0100: 3131 3332 3235 3131 300d 0a43 6f6e 6e65 113225110..Conne
0x0110: 6374 696f 6e3a 2063 6c6f 7365 0d0a 436f ction:.close..Co
0x0120: 6e74 656e 742d 5479 7065 3a20 7669 6465 ntent-Type:.vide
0x0130: 6f2f 782d 6d73 7669 6465 6f0d 0a0d 0a o/x-msvideo....
16:32:47.336654 IP 164.106.251.250.80 > 69.255.105.234.58172:
. 268:1636(1368) ack 133 win 1716 <nop,nop,timestamp 2163691250 1274738>
0x0000: 4520 058c e982 4000 3006 0b7b a46a fbfa E.....@.0..{.j..
0x0010: 45ff 69ea 0050 e33c f12d d75e a3ca 374e E.i..P.<.-.^..7N
0x0020: 8010 06b4 b5f8 0000 0101 080a 80f7 4ef2 ..............N.
0x0030: 0013 7372 5249 4646 8ead bf06 4156 4920 ..srRIFF....AVI.
0x0040: 4c49 5354 4601 0000 6864 726c 6176 6968 LISTF...hdrlavih
0x0050: 3800 0000 3582 0000 44d0 2600 0000 0000 8...5...D.&.....
0x0060: 1000 0100 0e07 0000 0000 0000 0200 0000 ................
0x0070: c649 0100 8002 0000 e001 0000 0000 0000 .I..............
0x0080: 0000 0000 0000 0000 0000 0000 4c49 5354 ............LIST
0x0090: 7400 0000 7374 726c 7374 7268 3800 0000 t...strlstrh8...
0x00a0: 7669 6473 6d6a 7067 0000 0000 0000 0000 vidsmjpg........
0x00b0: 0000 0000 3582 0000 4042 0f00 0000 0000 ....5...@B......
0x00c0: 0e07 0000 c649 0100 1027 0000 0000 0000 .....I...'......
0x00d0: 0000 0000 8002 e001 7374 7266 2800 0000 ........strf(...
0x00e0: 2800 0000 8002 0000 e001 0000 0100 1800 (...............
0x00f0: 4d4a 5047 0010 0e00 0000 0000 0000 0000 MJPG............
0x0100: 0000 0000 0000 0000 4c49 5354 5c00 0000 ........LIST\...
0x0110: 7374 726c 7374 7268 3800 0000 6175 6473 strlstrh8...auds
0x0120: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0130: 0100 0000 102b 0000 0000 0000 5c20 0a00 .....+......\...
0x0140: 102b 0000 1027 0000 0100 0000 0000 0000 .+...'..........
0x0150: 0000 0000 7374 7266 1000 0000 0100 0100 ....strf........
0x0160: 102b 0000 102b 0000 0100 0800 4944 4954 .+...+......IDIT
0x0170: 1a00 0000 4652 4920 4a55 4c20 3239 2031 ....FRI.JUL.29.1
0x0180: 353a 3534 3a34 3320 3230 3035 0a00 4c49 5:54:43.2005..LI
0x0190: 5354 1800 0000 494e 464f 4953 4654 0c00 ST....INFOISFT..
0x01a0: 0000 4361 6e6f 6e4d 5649 3032 0000 4a55 ..CanonMVI02..JU
0x01b0: 4e4b 7e06 0000 0000 0000 0000 0000 0000 NK~.............
...truncated...

Do you see it? The HTTP response code and the Content-Length statement appear in the first packet. The .avi begins in the second packet with RIFF. Snort doesn't fire an alert because all of the matches needed for the rule are not present in a single packet, and nothing in this snort.conf stitches the two together for it: stream4_reassemble is loaded with its defaults, which in Snort 2.x reassemble only the client-to-server direction, so the server's response is inspected one segment at a time.
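To make that failure mode concrete, here is an added Python illustration, not the toolkit's code and not Snort's matcher. It re-implements the ordered content chain of sid 1000109 from local-http.rules with just enough of Snort's depth/within/pcre-R semantics to follow it, and runs it over two constructed segments modelled on the transcript above: the response headers in one, the first bytes of the AVI in the next. The function names, the sample bytes and the simplified matching rules are my assumptions.

```python
import re


def _within(payload, cursor, pattern, n, nocase=False):
    """Snort 'within:n' relative to the end of the previous match: the whole
    pattern must lie inside the n bytes after `cursor`.  Returns the new
    cursor (end of this match) or None when the pattern is not there."""
    window = payload[cursor:cursor + n]
    if nocase:
        window, pattern = window.lower(), pattern.lower()
    idx = window.find(pattern)
    if idx < 0:
        return None
    return cursor + idx + len(pattern)


def rule_1000109(payload):
    r"""Evaluate the content chain of sid 1000109 against one buffer.

    Mirrors the rule's option lines, in order:
      content:"HTTP"; depth:5; nocase;
      content:"200"; within:8;
      content:"Content-Length\: "; within:300; nocase;
      pcre:"/^[0-9]{9,}\r\n/R";          (nine or more digits: >= 100,000,000 bytes)
      content:"|0d 0a 0d 0a|"; within:100;
      content:"|52 49 46 46|"; within:6;  ("RIFF")
    Returns True only when every step matches inside the same buffer, which
    is why a header/body split across two segments defeats the rule.
    """
    # content:"HTTP"; depth:5; nocase  -> look only in the first 5 bytes
    idx = payload[:5].lower().find(b"http")
    if idx < 0:
        return False
    cursor = idx + 4

    for pattern, n, nocase in ((b"200", 8, False),
                               (b"Content-Length: ", 300, True)):
        cursor = _within(payload, cursor, pattern, n, nocase)
        if cursor is None:
            return False

    # pcre with the R modifier: anchored at the cursor, not at the buffer start
    m = re.match(rb"[0-9]{9,}\r\n", payload[cursor:])
    if not m:
        return False
    cursor += m.end()

    for pattern, n in ((b"\r\n\r\n", 100), (b"RIFF", 6)):
        cursor = _within(payload, cursor, pattern, n)
        if cursor is None:
            return False
    return True


def sample_packets(content_length=113225110):
    """Constructed segments modelled on the transcript: the server's response
    headers in one, the start of the AVI (RIFF....AVI LIST...) in the next."""
    headers = (
        "HTTP/1.1 200 OK\r\n"
        "Date: Fri, 23 Nov 2007 21:38:16 GMT\r\n"
        "Server: Apache/2.0.52 (Red Hat)\r\n"
        "Accept-Ranges: bytes\r\n"
        f"Content-Length: {content_length}\r\n"
        "Connection: close\r\n"
        "Content-Type: video/x-msvideo\r\n"
        "\r\n"
    ).encode()
    body = b"RIFF\x8e\xad\xbf\x06AVI LISTF\x01\x00\x00hdrlavih" + b"\x00" * 24
    return headers, body


def per_packet_vs_stream(packets):
    """Per-segment verdicts (what an unreassembled sensor sees) next to the
    verdict on the concatenated stream (what reassembly would give it)."""
    return [rule_1000109(p) for p in packets], rule_1000109(b"".join(packets))


if __name__ == "__main__":
    hdr, body = sample_packets()
    print(per_packet_vs_stream([hdr, body]))
```

Run stand-alone it prints `([False, False], True)`: neither segment satisfies the chain on its own, but the concatenated stream does, which is exactly the gap the capture above fell into. The same function shows that a Content-Length of fewer than nine digits never fires, which is how the "> 100M" in the rule's message is actually enforced.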

Technically, there's not much to worry about here -- at least not yet. I do worry about putting monitoring tools in the hands of people who don't know what they're doing and seeing them act on misconceptions. It's also important to identify the fact that this activity could violate wiretap and privacy laws.

Wednesday, November 14, 2007

Analyzing Protocol Hopping Covert Channel Tool

I enjoy analyzing covert channels, although my skills are far inferior to someone like Steven Murdoch. However, today via Packetstorm I learned of Protocol Hopping Covert Channel Tool by Steffen Wendzel. He wrote a text file describing his thoughts behind the tool called Protocol Hopping Covert Channels. Quoting the paper:

This paper describes a new way to implement covert channels. This is done by changing the protocol of the tunnel while the tunnel exists and even change the protocol on a randomized way without restarting the tunnel or reconnecting to the tunnel. A simple proof of concept tool called 'phcct' (protocol hopping covert channel tool) also known as 'takushi' (what is japanese for taxi) is available on my website http://www.doomed-reality.org. phcct implements only one (the easiest) version of such a randomized protocol hopping covert channel.

As soon as I read this I thought "this is so different from normal traffic, it will be easy to identify." I know that is true for manual inspection of traffic. I am not sure how automated tools would deal with it. The paper continues:

Do not forget the reason why doing this: It is to be stealth [sic]. Even if _one_ of the protocols you are using is recorded, the monitoring system will not collect ALL packets of ALL protocols in a network. This simply is a too huge amount of data. And yes, it makes the forensic analysis of network traffic much harder if there are multiple protocols used for a covert channel.

Apparently the author does not know about NSM or Sguil. Assuming you are performing this protocol hopping from a host on an enterprise network to a host on the Internet, an NSM sensor monitoring your Internet gateway will see and record this traffic.

I decided to give the author's proof of concept tool, phcct, a try. I compiled it statically on my Ubuntu laptop.

$ gcc -O -o phcct_s -fstack-protector-all -W -Wall -Wshadow -g
-ggdb *.c -lpthread -static

Next I copied the binary to a VM running Ubuntu 7.10 as a live CD/.iso. I used this static version because I noticed the Ubuntu live CD did not have the required libraries to compile from source, but run as a statically compiled binary it worked fine.

Now I started phcct on each workstation and hit return once each side was running. My laptop is neely, 192.168.2.101.

root@neely:~/phcct# ./phcct_s -a 192.168.2.115
starting phcct (a.k.a. takushi) ...
please press return if the peer is setup up.
connecting ...
connected via http
connected via ftp-data
connected via plain proto
waiting for local connection on port 9999 ...

My VM is ubuntu, 192.168.2.115.

root@ubuntu:/home/analyst# ./phcct_s -a 192.168.2.101
starting phcct (a.k.a. takushi) ...
please press return if the peer is setup up.
connecting ...
connected via http
connected via ftp-data
connected via plain proto
waiting for local connection on port 9999 ...

Once each side of the tunnel was activated, I used Netcat on each system to connect to port 9999 on localhost. First, neely:

richard@neely:~$ nc -v localhost 9999
localhost [127.0.0.1] 9999 (?) open

Second, ubuntu:

analyst@ubuntu:~$ nc -v localhost 9999
localhost [127.0.0.1] 9999 (?) open

Now I was ready to send traffic. For example, I typed this on neely:

This is traffic from neely to ubuntu.

and it appeared on ubuntu:

This is traffic from neely to ubuntu.

Then I did the reverse. I repeated this cycle four times, for a total of five exchanges or ten total messages. When done I exited each Netcat session.

During this process I captured the traffic using Tshark. You can download it here.

I prefer to start the analysis by looking at session data. Here is what Argus 2.x thought of the traffic.

$ ra -nn -L0 -A -r ph.1.arg -s saddr daddr sport dport proto pkts bytes
SrcAddr DstAddr Sport Dport Type SrcPkt DstPkt SAppBytes DAppBytes
192.168.2.115 192.168.2.101.43598 2510 tcp 6 4 96 0
192.168.2.115 192.168.2.101.43198 80 tcp 5 3 281 0
192.168.2.115 192.168.2.101.52158 20 tcp 6 4 96 0
192.168.2.101 192.168.2.115.49586 80 tcp 4 4 281 0
192.168.2.101 192.168.2.115.45106 20 tcp 3 3 0 0
192.168.2.101 192.168.2.115.50200 2510 tcp 7 7 192 0

You can see the tool using destination ports 2510, 80 and 20. There are six sessions although one of them is empty. The five active sessions correspond to our five conversations.

Let's look at the traffic on each using Tcpflow. In the ls output I omit the first few fields for space purposes.

taosecurity:/home/analyst$ tcpflow -r ph.1.lpc
taosecurity:/home/analyst$ ls -al 192*
281 Nov 14 13:59 192.168.002.101.49586-192.168.002.115.00080
192 Nov 14 13:59 192.168.002.101.50200-192.168.002.115.02510
281 Nov 14 13:59 192.168.002.115.43198-192.168.002.101.00080
96 Nov 14 13:59 192.168.002.115.43598-192.168.002.101.02510
96 Nov 14 13:59 192.168.002.115.52158-192.168.002.101.00020

Notice the file sizes match the byte counts seen above. Here are the contents of each. Note the use of cat -tev to

taosecurity:/home/analyst$ cat -tev 192.168.002.101.49586-192.168.002.115.00080
GET / HTTP/1.1^M$
Host: google.de^M$
User-Agent: Mozilla/5.0^M$
Accept: text/xml^M$
Accept-Language: en-us;q=0.5,en;q=0.3^M$
Accept-Encoding: gzip,deflate^M$
Accept-Charset: ISO-8859-1,utf-8^M$
Keep-Alive: 300^M$
Connection: keep-alive^M$
Cookie: GPC=2FW=0:This is traffic from neely to ubuntu.$
^M$
^M$
taosecurity:/home/analyst$ cat -tev 192.168.002.101.50200-192.168.002.115.02510
^A^B^C0 FW=0:This is traffic from neely to ubuntu.$
^A^B^C1 FW=0:This is traffic from neely to ubuntu.$
^A^B^C3 FW=0:This is traffic from neely to ubuntu.$
^A^B^C4 FW=0:This is traffic from neely to ubuntu.$

taosecurity:/home/analyst$ cat -tev 192.168.002.115.43198-192.168.002.101.00080
GET / HTTP/1.1^M$
Host: google.de^M$
User-Agent: Mozilla/5.0^M$
Accept: text/xml^M$
Accept-Language: en-us;q=0.5,en;q=0.3^M$
Accept-Encoding: gzip,deflate^M$
Accept-Charset: ISO-8859-1,utf-8^M$
Keep-Alive: 300^M$
Connection: keep-alive^M$
Cookie: GPC=4FW=0:This is traffic from ubuntu to neely.$
^M$
^M$

taosecurity:/home/analyst$ cat -tev 192.168.002.115.43598-192.168.002.101.02510
^A^B^C0 FW=0:This is traffic from ubuntu to neely.$
^A^B^C1 FW=0:This is traffic from ubuntu to neely.$

taosecurity:/home/analyst$ cat -tev 192.168.002.115.52158-192.168.002.101.00020
^A^B^C2 FW=0:This is traffic from ubuntu to neely.$
^A^B^C3 FW=0:This is traffic from ubuntu to neely.$

At the end of the day we have messages exchanged using one real protocol (HTTP, with payload in the cookie field) and two pseudo-protocols (raw traffic on port 2510 TCP and attempted simulated FTP data traffic). The FTP data traffic isn't simulated properly because the SYN segments go to port 20 TCP.

$ tcpdump -n -t -r ph.1.lpc port 20
reading from file ph.1.lpc, link-type EN10MB (Ethernet)
IP 192.168.2.115.52158 > 192.168.2.101.20:
S 2100176842:2100176842(0) win 5840
IP 192.168.2.101.20 > 192.168.2.115.52158:
S 3955486862:3955486862(0) ack 2100176843 win 5792
IP 192.168.2.115.52158 > 192.168.2.101.20: . ack 1 win 183

IP 192.168.2.101.45106 > 192.168.2.115.20:
S 3970907263:3970907263(0) win 5840
IP 192.168.2.115.20 > 192.168.2.101.45106:
S 671130558:671130558(0) ack 3970907264
IP 192.168.2.101.45106 > 192.168.2.115.20: . ack 1 win 1460
IP 192.168.2.115.52158 > 192.168.2.101.20: P 1:49(48) ack 1 win 183
IP 192.168.2.101.20 > 192.168.2.115.52158: . ack 49 win 1448
IP 192.168.2.115.52158 > 192.168.2.101.20: P 49:97(48) ack 1 win 183
IP 192.168.2.101.20 > 192.168.2.115.52158: . ack 97 win 1448
IP 192.168.2.115.52158 > 192.168.2.101.20: F 97:97(0) ack 1 win 183
IP 192.168.2.115.20 > 192.168.2.101.45106: F 1:1(0) ack 1 win 181
IP 192.168.2.101.45106 > 192.168.2.115.20: F 1:1(0) ack 2 win 1460
IP 192.168.2.101.20 > 192.168.2.115.52158: F 1:1(0) ack 98 win 1448
IP 192.168.2.115.20 > 192.168.2.101.45106: . ack 2 win 181
IP 192.168.2.115.52158 > 192.168.2.101.20: . ack 2 win 183

Real active FTP data traffic comes from port 20 TCP.

Can this technique be improved? Sure. Is it tough to analyze? Possibly. If you use a packet-by-packet approach, you can see what's happening. For example, here are a few packets containing payloads. Notice the use of the Tshark display filter using the -R switch.

richard@neely:~$ tshark -r ph.1.lpc -x -R 'tcp.len >= 20'
19 62.570303 192.168.2.101 50200 192.168.2.115 2510 TCP 50200 > 2510
[PSH, ACK] Seq=1 Ack=1 Win=5840 Len=48 TSV=4768072 TSER=3038481

0000 00 13 02 4c 30 2d 00 13 02 4c 30 2d 08 00 45 00 ...L0-...L0-..E.
0010 00 64 24 88 40 00 40 06 8f e3 c0 a8 02 65 c0 a8 .d$.@.@......e..
0020 02 73 c4 18 09 ce eb e8 a2 75 28 9d e1 d0 80 18 .s.......u(.....
0030 05 b4 e3 5b 00 00 01 01 08 0a 00 48 c1 48 00 2e ...[.......H.H..
0040 5d 11 01 02 03 30 20 46 57 3d 30 3a 54 68 69 73 ]....0 FW=0:This
0050 20 69 73 20 74 72 61 66 66 69 63 20 66 72 6f 6d is traffic from
0060 20 6e 65 65 6c 79 20 74 6f 20 75 62 75 6e 74 75 neely to ubuntu
0070 2e 0a ..

21 70.543503 192.168.2.115 43598 192.168.2.101 2510 TCP 43598 > 2510
[PSH, ACK] Seq=1 Ack=1 Win=5856 Len=48 TSV=3055661 TSER=4752430

0000 00 13 02 4c 30 2d 00 13 02 4c 30 2d 08 00 45 00 ...L0-...L0-..E.
0010 00 64 13 0f 40 00 40 06 a1 5c c0 a8 02 73 c0 a8 .d..@.@..\...s..
0020 02 65 aa 4e 09 ce 7d 50 49 4a eb ba 86 09 80 18 .e.N..}PIJ......
0030 00 b7 70 7a 00 00 01 01 08 0a 00 2e a0 2d 00 48 ..pz.........-.H
0040 84 2e 01 02 03 30 20 46 57 3d 30 3a 54 68 69 73 .....0 FW=0:This
0050 20 69 73 20 74 72 61 66 66 69 63 20 66 72 6f 6d is traffic from
0060 20 75 62 75 6e 74 75 20 74 6f 20 6e 65 65 6c 79 ubuntu to neely
0070 2e 0a ..

23 84.876175 192.168.2.101 50200 192.168.2.115 2510 TCP 50200 > 2510
[PSH, ACK] Seq=49 Ack=1 Win=5840 Len=48 TSV=4773648 TSER=3053597

0000 00 13 02 4c 30 2d 00 13 02 4c 30 2d 08 00 45 00 ...L0-...L0-..E.
0010 00 64 24 89 40 00 40 06 8f e2 c0 a8 02 65 c0 a8 .d$.@.@......e..
0020 02 73 c4 18 09 ce eb e8 a2 a5 28 9d e1 d0 80 18 .s........(.....
0030 05 b4 92 56 00 00 01 01 08 0a 00 48 d7 10 00 2e ...V.......H....
0040 98 1d 01 02 03 31 20 46 57 3d 30 3a 54 68 69 73 .....1 FW=0:This
0050 20 69 73 20 74 72 61 66 66 69 63 20 66 72 6f 6d is traffic from
0060 20 6e 65 65 6c 79 20 74 6f 20 75 62 75 6e 74 75 neely to ubuntu
0070 2e 0a ..

25 88.388511 192.168.2.115 43598 192.168.2.101 2510 TCP 43598 > 2510
[PSH, ACK] Seq=49 Ack=1 Win=5856 Len=48 TSV=3060172 TSER=4770065

0000 00 13 02 4c 30 2d 00 13 02 4c 30 2d 08 00 45 00 ...L0-...L0-..E.
0010 00 64 13 10 40 00 40 06 a1 5b c0 a8 02 73 c0 a8 .d..@.@..[...s..
0020 02 65 aa 4e 09 ce 7d 50 49 7a eb ba 86 09 80 18 .e.N..}PIz......
0030 00 b7 19 c7 00 00 01 01 08 0a 00 2e b1 cc 00 48 ...............H
0040 c9 11 01 02 03 31 20 46 57 3d 30 3a 54 68 69 73 .....1 FW=0:This
0050 20 69 73 20 74 72 61 66 66 69 63 20 66 72 6f 6d is traffic from
0060 20 75 62 75 6e 74 75 20 74 6f 20 6e 65 65 6c 79 ubuntu to neely
0070 2e 0a ..

27 97.214303 192.168.2.101 49586 192.168.2.115 80 HTTP GET / HTTP/1.1

0000 00 13 02 4c 30 2d 00 13 02 4c 30 2d 08 00 45 00 ...L0-...L0-..E.
0010 01 4d e2 06 40 00 40 06 d1 7b c0 a8 02 65 c0 a8 .M..@.@..{...e..
0020 02 73 c1 b2 00 50 ec 6f 64 f6 27 b7 a8 06 80 18 .s...P.od.'.....
0030 05 b4 16 d2 00 00 01 01 08 0a 00 48 e3 1d 00 2e ...........H....
0040 5d 0f 47 45 54 20 2f 20 48 54 54 50 2f 31 2e 31 ].GET / HTTP/1.1
0050 0d 0a 48 6f 73 74 3a 20 67 6f 6f 67 6c 65 2e 64 ..Host: google.d
0060 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d e..User-Agent: M
0070 6f 7a 69 6c 6c 61 2f 35 2e 30 0d 0a 41 63 63 65 ozilla/5.0..Acce
0080 70 74 3a 20 74 65 78 74 2f 78 6d 6c 0d 0a 41 63 pt: text/xml..Ac
0090 63 65 70 74 2d 4c 61 6e 67 75 61 67 65 3a 20 65 cept-Language: e
00a0 6e 2d 75 73 3b 71 3d 30 2e 35 2c 65 6e 3b 71 3d n-us;q=0.5,en;q=
00b0 30 2e 33 0d 0a 41 63 63 65 70 74 2d 45 6e 63 6f 0.3..Accept-Enco
00c0 64 69 6e 67 3a 20 67 7a 69 70 2c 64 65 66 6c 61 ding: gzip,defla
00d0 74 65 0d 0a 41 63 63 65 70 74 2d 43 68 61 72 73 te..Accept-Chars
00e0 65 74 3a 20 49 53 4f 2d 38 38 35 39 2d 31 2c 75 et: ISO-8859-1,u
00f0 74 66 2d 38 0d 0a 4b 65 65 70 2d 41 6c 69 76 65 tf-8..Keep-Alive
0100 3a 20 33 30 30 0d 0a 43 6f 6e 6e 65 63 74 69 6f : 300..Connectio
0110 6e 3a 20 6b 65 65 70 2d 61 6c 69 76 65 0d 0a 43 n: keep-alive..C
0120 6f 6f 6b 69 65 3a 20 47 50 43 3d 32 46 57 3d 30 ookie: GPC=2FW=0
0130 3a 54 68 69 73 20 69 73 20 74 72 61 66 66 69 63 :This is traffic
0140 20 66 72 6f 6d 20 6e 65 65 6c 79 20 74 6f 20 75 from neely to u
0150 62 75 6e 74 75 2e 0a 0d 0a 0d 0a buntu......
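The session, stream and packet steps above can be automated. The following Python is an added example, not code from this post or from phcct: it rebuilds the ten messages from constructed copies of the tcpflow streams shown above, flags the cookie-smuggled payload and the wrong-way port 20 connection, and correlates identical message text across destination ports between the same host pair. The framing patterns it matches are only what the output above showed.

```python
"""Correlate phcct-style protocol-hopping sessions from reassembled streams.

Added example, not code from the original post or from phcct. The sample
streams are constructed from the tcpflow and tcpdump output in the post.
"""
import re
from collections import defaultdict

# Constructed sample streams: (src_ip, src_port, dst_ip, dst_port, client
# payload), one per client-to-server tcpflow file shown in the post.
FLOWS = [
    ("192.168.2.101", 49586, "192.168.2.115", 80,
     b"GET / HTTP/1.1\r\nHost: google.de\r\nUser-Agent: Mozilla/5.0\r\n"
     b"Cookie: GPC=2FW=0:This is traffic from neely to ubuntu.\n\r\n\r\n"),
    ("192.168.2.101", 50200, "192.168.2.115", 2510,
     b"\x01\x02\x030 FW=0:This is traffic from neely to ubuntu.\n"
     b"\x01\x02\x031 FW=0:This is traffic from neely to ubuntu.\n"
     b"\x01\x02\x033 FW=0:This is traffic from neely to ubuntu.\n"
     b"\x01\x02\x034 FW=0:This is traffic from neely to ubuntu.\n"),
    ("192.168.2.115", 43198, "192.168.2.101", 80,
     b"GET / HTTP/1.1\r\nHost: google.de\r\n"
     b"Cookie: GPC=4FW=0:This is traffic from ubuntu to neely.\n\r\n\r\n"),
    ("192.168.2.115", 43598, "192.168.2.101", 2510,
     b"\x01\x02\x030 FW=0:This is traffic from ubuntu to neely.\n"
     b"\x01\x02\x031 FW=0:This is traffic from ubuntu to neely.\n"),
    ("192.168.2.115", 52158, "192.168.2.101", 20,
     b"\x01\x02\x032 FW=0:This is traffic from ubuntu to neely.\n"
     b"\x01\x02\x033 FW=0:This is traffic from ubuntu to neely.\n"),
]

# Framing seen in the post: \x01\x02\x03<seq> FW=0:<text> on the raw and
# fake ftp-data sessions, Cookie: GPC=<seq>FW=0:<text> on the HTTP session.
RAW_FRAME = re.compile(rb"\x01\x02\x03(\d+) FW=0:(.*)")
COOKIE_FRAME = re.compile(rb"Cookie: GPC=(\d+)FW=0:(.*)")


def extract_messages(payload):
    """Return [(seq, text)] for every phcct-framed message in one stream."""
    found = []
    for line in payload.split(b"\n"):
        m = RAW_FRAME.match(line) or COOKIE_FRAME.match(line)
        if m:
            found.append((int(m.group(1)),
                          m.group(2).rstrip(b"\r").decode("latin-1")))
    return found


def cookie_violates_rfc6265(payload):
    """True if any Cookie value in an HTTP request carries whitespace or a
    control byte; RFC 6265 cookie-octets exclude both, so a value such as
    the post's 'GPC=2FW=0:This is traffic ...' stands out."""
    for line in payload.split(b"\r\n"):
        if not line.lower().startswith(b"cookie:"):
            continue
        for pair in line[len(b"cookie:"):].split(b";"):
            _name, _, value = pair.strip().partition(b"=")
            if re.search(rb"[\x00-\x20\x7f]", value):
                return True
    return False


def wrong_way_ftp_data(flow):
    """Active FTP data comes FROM port 20; a client connecting TO 20 is odd."""
    _src, sport, _dst, dport, _payload = flow
    return dport == 20 and sport != 20


def correlate(flows):
    """Map (src, dst, text) -> (sorted dst ports, sorted seqs). The same text
    on several ports between one host pair is the protocol-hopping signature."""
    ports = defaultdict(set)
    seqs = defaultdict(list)
    for src, _sport, dst, dport, payload in flows:
        for seq, text in extract_messages(payload):
            ports[(src, dst, text)].add(dport)
            seqs[(src, dst, text)].append(seq)
    return {key: (sorted(ports[key]), sorted(seqs[key])) for key in ports}


def report(flows):
    """One human-readable string per anomaly found in the streams."""
    lines = []
    for flow in flows:
        if wrong_way_ftp_data(flow):
            lines.append(f"{flow[0]}:{flow[1]} -> {flow[2]}:20 connects TO "
                         "port 20; real active FTP data comes FROM port 20")
        if flow[3] == 80 and cookie_violates_rfc6265(flow[4]):
            lines.append(f"{flow[0]}:{flow[1]} -> {flow[2]}:80 Cookie value "
                         "contains whitespace/control bytes (smuggled data?)")
    for (src, dst, text), (dports, seqs) in correlate(flows).items():
        if len(dports) > 1:
            lines.append(f"{src} -> {dst}: '{text}' seen on ports {dports}, "
                         f"seqs {seqs}: one channel hopping across protocols")
    return lines


if __name__ == "__main__":
    for finding in report(FLOWS):
        print(finding)
```

Run against real tcpflow output, the same correlation step is what turns five unrelated-looking sessions into one conversation with sequence numbers 0 through 4 in each direction.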

This tool demonstrates the importance of a few NSM concepts. First, intruders are unpredictable. (Remember I use the term "intruder" to mean anyone doing something you don't like on your network, i.e., any policy violator.) Second, by collecting everything and investigating once you have indicators, you can find activity not observed by existing inspection and blocking systems. Third, there is no substitute for full content. Statistics are nice, sessions are better, but only full content reveals what's really happening. Even session tools can be fooled or misguided, or at least have their output subject to misinterpretation.

I expect to see additional iterations of this tool and technique.

Saturday, November 03, 2007

Russ McRee on Argus and NSM

Russ McRee followed his excellent discussion of NSM and Sguil in the October InfoSecMag with a new article called Argus – Auditing network activity (.pdf), published in the November 2007 ISSA Journal. It's another great read.

Monday, October 01, 2007

NSM and Sguil in October InfoSecMag

I just noticed that Russ McRee published an article on Network Security Monitoring and Sguil by discussing Knoppix-NSM in the October 2007 Information Security Magazine titled Putting Snort to Work. I really enjoy Russ' Toolsmith articles in the ISSA Journal.

Tuesday, July 24, 2007

Recent CVS Changes

This is a note for myself, so if you're looking for uber-security insights today, please skip this post. If you do stick with me and you can suggest ways to do this better, please share your comments.

Earlier this year I posted TaoSecurity CVS at Sourceforge and Committing Changes to CVS. Since posting my Sguil on FreeBSD scripts at TaoSecurity Sourceforge I needed to make a few changes. The system hosting my original files suffered a lightning strike, so I decided to retrieve the files from CVS and make changes.

Checking out the scripts can be done anonymously without a password. (Note there are some artificial line breaks in these and other lines.)

$ cvs -d:pserver:anonymous@taosecurity.cvs.sourceforge.net:/cvsroot/taosecurity
login
Logging in to :pserver:anonymous@taosecurity.cvs.sourceforge.net:2401
/cvsroot/taosecurity
CVS password:
$ cvs -d:pserver:anonymous@taosecurity.cvs.sourceforge.net:/cvsroot/taosecurity
co -P taosecurity_sguil_scripts
cvs checkout: Updating taosecurity_sguil_scripts
U taosecurity_sguil_scripts/README
...truncated...

When I checked out these files they had headers like this:

# $Id: README,v 1.2 2007/03/22 18:40:25 taosecurity Exp $ #

These headers are added by lines like this from the original files:

# $Id$ #

In order to turn these newly checked-out files into files that would have the proper headers, I replaced these specific lines in each file with the tag # $Id$ #.

I added several files to the scripts, but for purposes of documentation I'll show how I added one -- sguild_start.sh. I had to connect via SSH to do this.

$ export CVS_RSH=ssh
$ cvs -d:ext:user@taosecurity.cvs.sf.net:/cvsroot/taosecurity
add sguild_start.sh
user@taosecurity.cvs.sf.net's password:
cvs add: scheduling file `sguild_start.sh' for addition
cvs add: use 'cvs commit' to add this file permanently

$ cvs -d:ext:user@taosecurity.cvs.sf.net:/cvsroot/taosecurity
commit sguild_start.sh
user@taosecurity.cvs.sf.net's password:
RCS file: /cvsroot/taosecurity/taosecurity_sguil_scripts/sguild_start.sh,v
done
Checking in sguild_start.sh;
/cvsroot/taosecurity/taosecurity_sguil_scripts/sguild_start.sh,v <-- sguild_start.sh
initial revision: 1.1
done

I think I could have set a CVSROOT variable instead of specifying everything on the command line, perhaps like:

$ export CVSROOT=:ext:user@taosecurity.cvs.sf.net:/cvsroot/taosecurity

With that set, I could omit the -d switch entirely.

When I add or commit files I could add a -m "Comment" line to describe the change.

Currently my scripts assume installation using FreeBSD 6.2, using the packages in the packages-6.2-release directory. The only exception is the package for tcltls because it was not shipped with 6.2.

Friday, June 15, 2007

DHS Einstein Demonstrates Value of Session Data

If you're looking for case studies to show management to justify collecting session data, check out Einstein keeps an eye on agency networks. I've known about this program for several years but waited until a high-profile story like this to mention it in my blog. Basically:

Since 2004, Einstein has monitored participating agencies’ network gateways for traffic patterns that indicate the presence of computer worms or other unwanted traffic. By collecting traffic information summaries at agency gateways, Einstein gives US-CERT analysts and participating agencies a big-picture view of bad activity on federal networks.

US-CERT’s security analysts use Einstein data to correlate cross-agency security incidents. Participating agencies can go to a secure Web portal to view their own network gateway data.

Einstein doesn’t eliminate the need for intrusion-detection systems on agencies’ networks, said Mike Witt, deputy director of US-CERT. But the 24-hour monitoring program does give individual agencies a view of activity in other parts of the federal network infrastructure that could affect their own networks...

Ten agencies participate in Einstein, and four or five others have indicated they plan to join by the end of the year. Witt said DHS officials hope to have most Cabinet-level agencies in the program by the end of 2008. DHS will try to expand participation to more of the midsize and small federal agencies later, he said.

“Einstein is not mandatory, so we have to do a sales job with agencies,” Witt said. Witt wouldn’t name the agencies that have signed up. In a public presentation last year, however, a DHS official identified eight participants. They were DHS, DOT, the departments of State, Treasury and Education, the Federal Trade Commission, the Securities and Exchange Commission, and the U.S. Agency for International Development. The Justice Department has since joined the program.


This is just the sort of project I'd like to roll out at my new job, possibly combining Argus with ArgusEye, or maybe just Sguil without Snort. The idea is to be an internal security awareness provider for business units, offering them better insights into their network activity while using that data to monitor for attacks and respond to incidents more effectively.

After a pilot program to demonstrate the value of the approach, I would consider more robust options like an internally-developed product or a commercial option. I know of at least one large customer of mine who read my first book and built their own session and full content capture appliance for about $50,000, rated up to OC-48 for full content collection.

Note that Einstein is session data only, and from what I hear some people find its capabilities and data format lacking -- hence the desire to run something else, pairing session data with full content. Session data is very helpful but never sufficient for real investigations.

Sunday, May 27, 2007

Bejtlich Teaching Network Security Operations in Chicago

I am happy to announce that I will be teaching a three day edition of my Network Security Operations training class in Chicago, IL on 27-29 August 2007. This is a public class, although I will be speaking at the 30 August meeting of the Chicago Electronic Crimes Task Force. Please register here. The early discount applies to registrations before midnight 27 July. ISSA members get an additional discount on top of the early registration discount.

Network Security Operations addresses the following topics:

  • Network Security Monitoring


    • NSM theory

    • Building and deploying NSM sensors

    • Accessing wired and wireless traffic

    • Full content tools: Tcpdump, Ethereal/Tethereal, Snort as packet logger, Daemonlogger

    • Additional data analysis tools: Tcpreplay, Tcpflow, Ngrep, Netdude

    • Session data tools: Cisco NetFlow, Fprobe, Flow-tools, Argus, SANCP

    • Statistical data tools: Ipcad, Trafshow, Tcpdstat, Cisco accounting records

    • Sguil (sguil.sf.net)

    • Case studies, personal war stories, and attendee participation


  • Network Incident Response


    • Simple steps to take now that make incident response easier later

    • Characteristics of intruders, such as their motivation, skill levels, and techniques

    • Common ways intruders are detected, and reasons they are often initially missed

    • Improved ways to detect intruders based on network security monitoring principles

    • First response actions and related best practices

    • Secure communications among IR team members, and consequences of negligence

    • Approaches to remediation when facing a high-end attacker

    • Short, medium, and long-term verification of the remediation plan to keep the intruder out


  • Network Forensics


    • Collecting network traffic as evidence

    • Protecting and preserving traffic from tampering, either by careless helpers or the intruder himself

    • Analyzing network evidence using a variety of open source tools, based on network security monitoring (NSM) principles

    • Presenting findings to lay persons, such as management, juries, or judges

    • Defending the conclusions reached during an investigation, even in the face of adversarial defense attorneys or skeptical business leaders



This is only one of two Network Security Operations courses left for 2007. Please consider attending this class if you want to understand how to detect, inspect, and eject network intruders.

Bejtlich Teaching Network Security Operations in Cincinnati

I am happy to announce that I will be teaching a three day edition of my Network Security Operations training class in Cincinnati, OH on 21-23 August 2007. The Cincinnati ISSA chapter is hosting the class. Please register here. The early discount applies to registrations before 20 July. ISSA members get an additional discount on top of the early registration discount.

Network Security Operations addresses the following topics:

  • Network Security Monitoring


    • NSM theory

    • Building and deploying NSM sensors

    • Accessing wired and wireless traffic

    • Full content tools: Tcpdump, Ethereal/Tethereal, Snort as packet logger, Daemonlogger

    • Additional data analysis tools: Tcpreplay, Tcpflow, Ngrep, Netdude

    • Session data tools: Cisco NetFlow, Fprobe, Flow-tools, Argus, SANCP

    • Statistical data tools: Ipcad, Trafshow, Tcpdstat, Cisco accounting records

    • Sguil (sguil.sf.net)

    • Case studies, personal war stories, and attendee participation


  • Network Incident Response


    • Simple steps to take now that make incident response easier later

    • Characteristics of intruders, such as their motivation, skill levels, and techniques

    • Common ways intruders are detected, and reasons they are often initially missed

    • Improved ways to detect intruders based on network security monitoring principles

    • First response actions and related best practices

    • Secure communications among IR team members, and consequences of negligence

    • Approaches to remediation when facing a high-end attacker

    • Short, medium, and long-term verification of the remediation plan to keep the intruder out


  • Network Forensics


    • Collecting network traffic as evidence

    • Protecting and preserving traffic from tampering, either by careless helpers or the intruder himself

    • Analyzing network evidence using a variety of open source tools, based on network security monitoring (NSM) principles

    • Presenting findings to lay persons, such as management, juries, or judges

    • Defending the conclusions reached during an investigation, even in the face of adversarial defense attorneys or skeptical business leaders



This is only one of two Network Security Operations courses left for 2007. Please consider attending this class if you want to understand how to detect, inspect, and eject network intruders.