
Sunday, February 24, 2013

Recovering from Suricata Gone Wild

Recently I tried interacting with one of my lab Security Onion sensors running the Suricata IDS. I found the Sguil server was taking a really long time to offer services on port 7734 TCP. Since I hadn't worked with this lab system in a while, I guessed that there might be too many uncategorized events in the Sguil database. I dusted off an old blog post titled More Snort and Sguil Tuning from 2006 and took a look at the system.

First I stopped the NSM applications on the server.

sudo service nsm stop
Stopping: securityonion
  * stopping: sguil server                                [  OK  ]
Stopping: HIDS
  * stopping: ossec_agent (sguil)                         [  OK  ]
Stopping: Bro
stopping ds61so-eth1-1 ...
stopping proxy ...
stopping manager ...
Stopping: ds61so-eth1
  * stopping: netsniff-ng (full packet data)              [  OK  ]
  * stopping: pcap_agent (sguil)                          [  OK  ]
  * stopping: snort_agent (sguil)                         [  OK  ]
  * stopping: suricata (alert data)                       [  OK  ]
  * stopping: barnyard2 (spooler, unified2 format)        [  OK  ]
  * stopping: prads (sessions/assets)                     [  OK  ]
  * stopping: sancp_agent (sguil)                         [  OK  ]
  * stopping: pads_agent (sguil)                          [  OK  ]
  * stopping: argus                                       [  OK  ]
  * stopping: http_agent (sguil)                      

Next I ran a query to look for the top uncategorized events.

$ mysql -uroot
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 1639
Server version: 5.5.29-0ubuntu0.12.04.1 (Ubuntu)

Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> use securityonion_db;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed

mysql> SELECT COUNT(signature)as count, signature FROM event WHERE status=0 GROUP BY signature ORDER BY count DESC LIMIT 20;
+---------+----------------------------------------------------------------------------------+
| count   | signature                                                                        |
+---------+----------------------------------------------------------------------------------+
| 2299160 | SURICATA STREAM Packet with invalid ack                                          |
| 2298505 | SURICATA STREAM ESTABLISHED invalid ack                                          |
| 1777530 | SURICATA STREAM ESTABLISHED packet out of window                                 |
|   38700 | SURICATA STREAM ESTABLISHED retransmission packet before last ack                |
|   24181 | SURICATA STREAM TIMEWAIT ACK with wrong seq                                      |
|    5430 | ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management |
|    3160 | SURICATA STREAM Last ACK with wrong seq                                          |
|     753 | ET POLICY Dropbox.com Offsite File Backup in Use                                 |
|     637 | SURICATA HTTP unknown error                                                      |
|     626 | SURICATA STREAM SHUTDOWN RST invalid ack                                         |
|     505 | SURICATA STREAM FIN1 FIN with wrong seq                                          |
|     494 | SURICATA HTTP request field too long                                             |
|     448 | ET POLICY PE EXE or DLL Windows file download                                    |
|     315 | ET RBN Known Malvertiser IP (22)                                                 |
|     270 | ET POLICY iTunes User Agent                                                      |
|     266 | SURICATA STREAM CLOSEWAIT ACK out of window                                      |
|     237 | ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)                   |
|     219 | ET POLICY MOBILE Apple device leaking UDID from SpringBoard                      |
|     217 | SURICATA STREAM 3way handshake with ack in wrong dir                             |
|     151 | SURICATA STREAM FIN2 FIN with wrong seq                                          |
+---------+----------------------------------------------------------------------------------+
20 rows in set (15.24 sec)

Wow, that's a lot of SURICATA STREAM events. I need to categorize them as non-issues to recover the Sguil server.

mysql> UPDATE event SET status=1, last_modified='2013-02-24 16:26:00', last_uid='sguil' WHERE event.status=0 and event.signature LIKE 'SURICATA STREAM%';
Query OK, 6443375 rows affected, 65535 warnings (3 min 4.89 sec)
Rows matched: 6443375  Changed: 6443375  Warnings: 6443375

Let's see what the database thinks now.

mysql> SELECT COUNT(signature)as count, signature FROM event WHERE status=0 GROUP BY signature ORDER BY count DESC LIMIT 20;
+------+-----------------------------------------------------------------------------------------+
| cnt  | signature                                                                               |
+------+-----------------------------------------------------------------------------------------+
| 5430 | ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management        |
|  753 | ET POLICY Dropbox.com Offsite File Backup in Use                                        |
|  637 | SURICATA HTTP unknown error                                                             |
|  494 | SURICATA HTTP request field too long                                                    |
|  448 | ET POLICY PE EXE or DLL Windows file download                                           |
|  315 | ET RBN Known Malvertiser IP (22)                                                        |
|  270 | ET POLICY iTunes User Agent                                                             |
|  237 | ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)                          |
|  219 | ET POLICY MOBILE Apple device leaking UDID from SpringBoard                             |
|  133 | ET INFO PDF Using CCITTFax Filter                                                       |
|  106 | ET POLICY Pandora Usage                                                                 |
|   97 | ET CHAT Facebook Chat (buddy list)                                                      |
|   93 | ET POLICY MOBILE Apple device leaking UDID from SpringBoard via GET                     |
|   58 | ET POLICY Internal Host Retrieving External IP via whatismyip.com - Possible Infection  |
|   41 | PADS New Asset - ssl TLS 1.0 Client Hello                                               |
|   39 | SURICATA HTTP response header invalid                                                   |
|   39 | ET CURRENT_EVENTS Exploit Kit Delivering Compressed Flash Content to Client             |
|   36 | ET POLICY Python-urllib/ Suspicious User Agent                                          |
|   36 | ET MALWARE Possible Windows executable sent when remote host claims to send a Text File |
|   28 | ET POLICY Http Client Body contains pw= in cleartext                                    |
+------+-----------------------------------------------------------------------------------------+
20 rows in set (0.03 sec)

That's much better.

Before restarting the NSM services, I edit the autocat.conf file to add the following.

none||ANY||ANY||ANY||ANY||ANY||ANY||%%REGEXP%%^SURICATA STREAM||1

This will auto-categorize any SURICATA STREAM alerts as non-issues. I want to keep adding events to the database for testing purposes, but I don't want to see them in the console.
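The procedure above (count what is uncategorized, categorize the noise, then keep it out of the console with autocat) can be modelled offline. The following is an added example, not Sguil's own code: it parses an autocat.conf line of the form used above, applies it to a constructed batch of events, and reproduces the GROUP BY signature count. The field names (erase time, sensor, src/dst ip and port, proto, signature, status) are assumed from the header comment of Sguil's autocat.conf; the ANY / %%REGEXP%% / exact-match semantics are an assumption as well.

```python
import re

# Field layout assumed from the header comment of Sguil's autocat.conf
# (assumption: erase time, sensor, src ip/port, dst ip/port, proto, signature, status).
FIELDS = ("erase_time", "sensor", "src_ip", "src_port", "dst_ip", "dst_port",
          "proto", "signature", "status")
MATCH_FIELDS = FIELDS[1:-1]          # everything except erase_time and status
REGEXP_TAG = "%%REGEXP%%"
STATUS_UNCATEGORIZED = 0             # the real-time queue, i.e. WHERE status=0 above
STATUS_NO_ACTION = 1                 # what both the UPDATE and the autocat line assign


def parse_autocat_line(line):
    """Split one autocat.conf line on '||' into a rule dict."""
    parts = line.strip().split("||")
    if len(parts) != len(FIELDS):
        raise ValueError("expected %d fields, got %d" % (len(FIELDS), len(parts)))
    rule = dict(zip(FIELDS, parts))
    rule["status"] = int(rule["status"])
    return rule


def field_matches(pattern, value):
    """ANY matches everything; %%REGEXP%% prefixes a regex; otherwise exact match.
    Note the rule above anchors with ^ so only signatures that *start* with
    'SURICATA STREAM' are categorized; SURICATA HTTP events stay in the queue."""
    if pattern == "ANY":
        return True
    if pattern.startswith(REGEXP_TAG):
        return re.search(pattern[len(REGEXP_TAG):], str(value)) is not None
    return pattern == str(value)


def rule_matches(rule, event):
    return all(field_matches(rule[f], event[f]) for f in MATCH_FIELDS)


def apply_autocat(rules, events):
    """Return copies of events with status set by the first matching rule.
    Only uncategorized events are touched, mirroring the WHERE status=0 clause."""
    out = []
    for ev in events:
        ev = dict(ev)
        if ev["status"] == STATUS_UNCATEGORIZED:
            for rule in rules:
                if rule_matches(rule, ev):
                    ev["status"] = rule["status"]
                    break
        out.append(ev)
    return out


def uncategorized_counts(events):
    """Same aggregation as SELECT COUNT(signature) ... WHERE status=0 GROUP BY signature."""
    counts = {}
    for ev in events:
        if ev["status"] == STATUS_UNCATEGORIZED:
            counts[ev["signature"]] = counts.get(ev["signature"], 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def _event(sig, n):
    # Constructed sample events; signatures are taken from the query output above,
    # addresses and ports are made up.
    return [{"sensor": "ds61so-eth1", "src_ip": "10.0.0.5", "src_port": 51000 + i,
             "dst_ip": "10.0.0.9", "dst_port": 80, "proto": 6,
             "signature": sig, "status": STATUS_UNCATEGORIZED} for i in range(n)]


SAMPLE_EVENTS = (_event("SURICATA STREAM Packet with invalid ack", 4)
                 + _event("SURICATA STREAM ESTABLISHED invalid ack", 3)
                 + _event("SURICATA HTTP unknown error", 2)
                 + _event("ET POLICY Dropbox.com Offsite File Backup in Use", 1))

AUTOCAT_LINE = "none||ANY||ANY||ANY||ANY||ANY||ANY||%%REGEXP%%^SURICATA STREAM||1"


def demo():
    """Apply the autocat rule from the post and return what is still uncategorized."""
    rules = [parse_autocat_line(AUTOCAT_LINE)]
    return uncategorized_counts(apply_autocat(rules, SAMPLE_EVENTS))


if __name__ == "__main__":
    for count, sig in ((c, s) for s, c in demo()):
        print("%5d  %s" % (count, sig))
```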

Now I restart the NSM services.

sudo service nsm start
Starting: securityonion
  * starting: sguil server                                                                [  OK  ]
Starting: HIDS
  * starting: ossec_agent (sguil)                                                         [  OK  ]
Starting: Bro
starting manager ...
starting proxy ...
starting ds61so-eth1-1 ...
Starting: ds61so-eth1
  * starting: netsniff-ng (full packet data)                                              [  OK  ]
  * starting: pcap_agent (sguil)                                                          [  OK  ]
  * starting: snort_agent (sguil)                                                         [  OK  ]
  * starting: suricata (alert data)                                                       [  OK  ]
  * starting: barnyard2 (spooler, unified2 format)                                        [  OK  ]
  * starting: prads (sessions/assets)                                                     [  OK  ]
  * starting: pads_agent (sguil)                                                          [  OK  ]
  * starting: sancp_agent (sguil)                                                         [  OK  ]
  * starting: argus                                                                       [  OK  ]
  * starting: http_agent (sguil)                                                          [  OK  ]
  * disk space currently at 22%

I check to see if port 7734 TCP is listening.

sudo netstat -natup | grep 7734
tcp        0      0 0.0.0.0:7734            0.0.0.0:*               LISTEN      10729/tclsh

Now the Sguil server is listening. I can connect with a Sguil client, even the 64 bit Windows .exe that I just found this morning. Check it out at sourceforge.net/projects/sguil/

Wednesday, November 10, 2010

Two New Tools in Snort

No sooner do I get Snort 2.9.0.1 running than something breaks. However, thanks to Niels Horn I know a little more about two new tools included with Snort.

First is u2spewfoo, which reads Unified2 output files and outputs them as text.

[sguil@r200a /nsm/r200a]$ u2spewfoo snort.unified2.1289360307 | head -20

(Event)
sensor id: 0 event id: 1 event second: 1289360859 event microsecond: 881345
sig id: 2011032 gen id: 1 revision: 4 classification: 3
priority: 2 ip source: 192.168.2.107 ip destination: 172.16.2.1
src port: 44597 dest port: 3128 protocol: 6 impact_flag: 0 blocked: 0

Packet
sensor id: 0 event id: 1 event second: 1289360859
packet second: 1289360859 packet microsecond: 881345
linktype: 1 packet_length: 1168
00 15 17 0B | 7D 4C 00 13 | 10 65 2F AC | 08 00 45 00
04 82 C2 E3 | 40 00 3F 06 | 03 6E C0 A8 | 02 6B AC 10
02 01 AE 35 | 0C 38 73 6F | 02 7F 12 37 | D9 A8 80 18
03 EA 6D 85 | 00 00 01 01 | 08 0A 01 2A | 34 44 75 11
33 8C 41 46 | 69 72 73 74 | 25 32 43 25 | 32 30 49 25
32 30 74 65 | 73 74 65 64 | 25 32 30 6D | 79 25 32 30
6F 6C 64 25 | 32 30 73 63 | 72 69 70 74 | 73 25 32 30
6F 6E 25 32 | 30 46 72 65 | 65 42 53 44 | 25 32 30 37
2E 78 25 32 | 43 25 32 30 | 61 6E 64 25 | 32 30 6E 6F

I guess that's good for troubleshooting. It feels a little like 1999!

The second tool is u2boat, which transforms the pcap data in a Unified2 output file into a normal pcap file.

[sguil@r200a /nsm/r200a]$ u2boat snort.unified2.1289360307
Usage: u2boat [-t type]
[sguil@r200a /nsm/r200a]$ u2boat snort.unified2.1289360307 snort.unified2.1289360307.pcap
Defaulting to pcap output.
[sguil@r200a /nsm/r200a]$ file snort.unified2.1289360307.pcap
snort.unified2.1289360307.pcap: tcpdump capture file (little-endian)
- version 2.4 (Ethernet, capture length 65535)
[sguil@r200a /nsm/r200a]$ tcpdump -n -r snort.unified2.1289360307.pcap
reading from file snort.unified2.1289360307.pcap, link-type EN10MB (Ethernet)
22:47:39.881345 IP 192.168.2.107.44597 > 172.16.2.1.3128: Flags [P.],
ack 305650088, win 1002, options [nop,nop,TS val 19543108 ecr 1964061580], length 1102

So those are great, but unfortunately, unless I fix Barnyard2 or a fix is committed, Barnyard2 is going to die when it encounters record types from Snort that Barnyard2 doesn't recognize, e.g.:

r200a# barnyard2 -U -d /nsm/r200a -f snort.unified2 -c /usr/local/etc/nsm/barnyard2.conf
Running in Continuous mode

--== Initializing Barnyard2 ==--
Initializing Input Plugins!
Initializing Output Plugins!
Parsing config file "/usr/local/etc/nsm/barnyard2.conf"
Log directory = /var/log/barnyard2
sguil: sensor name = r200a
sguil: agent port = 7735
sguil: Connected to localhost on 7735.

--== Initialization Complete ==--

______ -*> Barnyard2 <*-
/ ,,_ \ Version 2.1.8 (Build 251)
|o" )~| By the SecurixLive.com Team: http://www.securixlive.com/about.php
+ '''' + (C) Copyright 2008-2010 SecurixLive.

Snort by Martin Roesch & The Snort Team: http://www.snort.org/team.html
(C) Copyright 1998-2007 Sourcefire Inc., et al.

Using waldo file '/nsm/r200a/waldo':
spool directory = /nsm/r200a
spool filebase = snort.unified2
time_stamp = 1289360307
record_idx = 4
Opened spool file '/nsm/r200a/snort.unified2.1289360307'
ERROR: Unknown record type read: 110
Fatal Error, Quitting..

The good news is the alerts will continue to be logged to disk, and can be processed once Barnyard2 can read them.
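The failure above is a parser that aborts on a record type it does not know. As an added example (not Snort's, u2spewfoo's or Barnyard2's code), the reader below walks a Unified2 stream using the type/length header every record carries, decodes the classic IPv4 event record (type 7) and packet record (type 2), and skips anything else, such as the type 110 extra-data record, by its length instead of quitting. The sample stream is constructed from the event and packet values u2spewfoo printed above; the record type numbers and field layouts are from Snort's Unified2_common.h, and the type 110 body is made up.

```python
import socket
import struct

# Record type numbers from Snort's Unified2_common.h.
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7
UNIFIED2_EXTRA_DATA = 110      # the "Unknown record type read: 110" that stopped Barnyard2

# Unified2IDSEvent: 11 x u32, 2 x u16, 4 x u8, all big-endian (52 bytes).
_EVENT_FMT = ">11I2H4B"
_EVENT_FIELDS = ("sensor_id", "event_id", "event_second", "event_microsecond",
                 "signature_id", "generator_id", "signature_revision",
                 "classification_id", "priority_id", "ip_source", "ip_destination",
                 "sport_itype", "dport_icode", "protocol", "impact_flag", "impact", "blocked")
# Serial_Unified2Packet header: 7 x u32 (28 bytes), followed by the packet bytes.
_PACKET_FMT = ">7I"
_PACKET_FIELDS = ("sensor_id", "event_id", "event_second", "packet_second",
                  "packet_microsecond", "linktype", "packet_length")


def _ip(n):
    return socket.inet_ntoa(struct.pack(">I", n))


def parse_unified2(data):
    """Walk a unified2 byte stream. Returns (records, skipped): records is a list of
    (type, dict) for the types decoded here; unknown types are recorded as
    (type, length) and skipped using the length header instead of aborting."""
    records, skipped, off = [], [], 0
    while off + 8 <= len(data):
        rtype, rlen = struct.unpack(">II", data[off:off + 8])
        body = data[off + 8:off + 8 + rlen]
        if len(body) < rlen:
            raise ValueError("truncated record at offset %d" % off)
        if rtype == UNIFIED2_IDS_EVENT and rlen >= struct.calcsize(_EVENT_FMT):
            rec = dict(zip(_EVENT_FIELDS, struct.unpack(_EVENT_FMT, body[:52])))
            rec["ip_source"] = _ip(rec["ip_source"])
            rec["ip_destination"] = _ip(rec["ip_destination"])
            records.append((rtype, rec))
        elif rtype == UNIFIED2_PACKET and rlen >= struct.calcsize(_PACKET_FMT):
            rec = dict(zip(_PACKET_FIELDS, struct.unpack(_PACKET_FMT, body[:28])))
            rec["packet_data"] = body[28:28 + rec["packet_length"]]
            records.append((rtype, rec))
        else:
            skipped.append((rtype, rlen))   # where Barnyard2 2.1.8 raised its fatal error
        off += 8 + rlen
    return records, skipped


def build_sample():
    """Constructed stream: the event and packet values u2spewfoo printed above,
    followed by a type-110 record with a made-up opaque body."""
    src = struct.unpack(">I", socket.inet_aton("192.168.2.107"))[0]
    dst = struct.unpack(">I", socket.inet_aton("172.16.2.1"))[0]
    event = struct.pack(_EVENT_FMT, 0, 1, 1289360859, 881345, 2011032, 1, 4, 3, 2,
                        src, dst, 44597, 3128, 6, 0, 0, 0)
    frame = bytes.fromhex("0015170B7D4C001310652FAC08004500"
                          "0482C2E340003F06036EC0A8026BAC10")   # first 32 bytes of the dump
    packet = struct.pack(_PACKET_FMT, 0, 1, 1289360859, 1289360859, 881345, 1,
                         len(frame)) + frame
    extra = b"\x00" * 12                                           # constructed, opaque
    return b"".join(struct.pack(">II", t, len(b)) + b
                    for t, b in ((UNIFIED2_IDS_EVENT, event), (UNIFIED2_PACKET, packet),
                                 (UNIFIED2_EXTRA_DATA, extra)))


if __name__ == "__main__":
    recs, skipped = parse_unified2(build_sample())
    for rtype, rec in recs:
        print(rtype, {k: v for k, v in rec.items() if k != "packet_data"})
    print("skipped unknown records:", skipped)
```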

Tuesday, November 09, 2010

Using Git with FreeBSD Sguil Scripts

Before today I never committed anything using Git. Previously I used CVS, but never got around to trying something more modern like SVN. However, I know several developers at work use Git, so I figured I would try committing my FreeBSD Sguil scripts (lame as they are) to Git at Sourceforge. This would allow me to keep track of changes and get the code out of my own repository for sharing and safekeeping.

I started by cleaning up the directory where I kept the scripts.

After following the instructions to enable Git, I took these actions.


richard@macmini:~/taosecurity_freebsd_sguil$ git init
Initialized empty Git repository in /home/richard/taosecurity_freebsd_sguil/.git/

richard@macmini:~/taosecurity_freebsd_sguil$ git config user.name "Richard Bejtlich"

richard@macmini:~/taosecurity_freebsd_sguil$ git config user.email \
"taosecurity@users.sourceforge.net"

richard@macmini:~/taosecurity_freebsd_sguil$ git remote add origin \
ssh://taosecurity@taosecurity.git.sourceforge.net/gitroot/taosecurity/taosecurity

richard@macmini:~/taosecurity_freebsd_sguil$ git config branch.master.remote origin

richard@macmini:~/taosecurity_freebsd_sguil$ git config branch.master.merge refs/head/master

richard@macmini:~/taosecurity_freebsd_sguil$ git push origin master

taosecurity@taosecurity.git.sourceforge.net's password:
error: src refspec master does not match any.
fatal: The remote end hung up unexpectedly
error: failed to push some refs to 'ssh://taosecurity@taosecurity.git.sourceforge.net/gitroot \
/taosecurity/taosecurity'

That was unfortunate. I didn't see that error in the Sourceforge guide, but after checking here I found that trying to add all the files might be the right step.


richard@macmini:~/taosecurity_freebsd_sguil$ git add *

richard@macmini:~/taosecurity_freebsd_sguil$ git commit -am "Message"

Created initial commit bd18669: Message
28 files changed, 1400 insertions(+), 0 deletions(-)
create mode 100755 README
create mode 100644 SguildLoaderd.tcl.patch
create mode 100644 SguildMysqlMerge.tcl.patch
create mode 100755 barnyard2
create mode 100644 barnyard2.conf
create mode 100644 barnyard2.conf.patch
create mode 100644 log_packets.sh.crontab
create mode 100644 log_packets.sh.patch
create mode 100644 pcap_agent.conf.patch
create mode 100755 prep_platform.sh
create mode 100644 rc-adds.txt
create mode 100755 rc-conf.sh
create mode 100755 sancp
create mode 100644 sancp.conf.patch
create mode 100644 sancp_agent.conf.patch
create mode 100644 sensor_agent.conf.patch
create mode 100755 sguil_database_install_pt1.sh
create mode 100755 sguil_database_install_pt2.sh
create mode 100755 sguil_sensor_install.sh
create mode 100755 sguil_sensor_install_patch.sh
create mode 100644 sguil_sensor_users.txt
create mode 100755 sguil_server_install.sh
create mode 100644 sguild.conf.patch
create mode 100755 sguild_adduser.sh
create mode 100755 snort
create mode 100644 snort.conf.patch
create mode 100644 snort_agent.conf.patch
create mode 100755 snort_src_install.sh

richard@macmini:~/taosecurity_freebsd_sguil$ git push origin master
taosecurity@taosecurity.git.sourceforge.net's password:

Counting objects: 30, done.
Compressing objects: 100% (29/29), done.
Writing objects: 100% (30/30), 17.31 KiB, done.
Total 30 (delta 4), reused 0 (delta 0)
To ssh://taosecurity@taosecurity.git.sourceforge.net/gitroot/taosecurity/taosecurity
* [new branch] master -> master

That did it. I found that if I didn't make a change but tried to note one, nothing happened (as expected).


richard@macmini:~/taosecurity_freebsd_sguil$ git commit -am "Commit scripts using Git"
# On branch master
nothing to commit (working directory clean)

richard@macmini:~/taosecurity_freebsd_sguil$ git push origin master
taosecurity@taosecurity.git.sourceforge.net's password:
Everything up-to-date

Next I made some fixes and committed those.

richard@macmini:~/taosecurity_freebsd_sguil$ vi README
richard@macmini:~/taosecurity_freebsd_sguil$ git commit -am "Modify README to reflect changing ExtNet."
Created commit 2ef21f3: Modify README to reflect changing ExtNet.
1 files changed, 3 insertions(+), 1 deletions(-)

richard@macmini:~/taosecurity_freebsd_sguil$ git push origin master
taosecurity@taosecurity.git.sourceforge.net's password:
Counting objects: 5, done.
Compressing objects: 100% (3/3), done.
Writing objects: 100% (3/3), 413 bytes, done.
Total 3 (delta 2), reused 0 (delta 0)
To ssh://taosecurity@taosecurity.git.sourceforge.net/gitroot/taosecurity/taosecurity
bd18669..2ef21f3 master -> master

Checking out files is pretty easy, assuming Git is installed.

richard@neely:~$ mkdir gittest

richard@neely:~$ cd gittest

richard@neely:~/gittest$ git clone git://taosecurity.git.sourceforge.net/gitroot/taosecurity/taosecurity

Initialized empty Git repository in /home/richard/gittest/taosecurity/.git/
remote: Counting objects: 30, done.
remote: Compressing objects: 100% (29/29), done.
remote: Total 30 (delta 4), reused 0 (delta 0)
Receiving objects: 100% (30/30), 17.25 KiB, done.
Resolving deltas: 100% (4/4), done.

richard@neely:~/gittest$ cd taosecurity

richard@neely:~/gittest/taosecurity$ ls

barnyard2 sguild_adduser.sh
barnyard2.conf sguil_database_install_pt1.sh
barnyard2.conf.patch sguil_database_install_pt2.sh
log_packets.sh.crontab sguild.conf.patch
log_packets.sh.patch SguildLoaderd.tcl.patch
pcap_agent.conf.patch SguildMysqlMerge.tcl.patch
prep_platform.sh sguil_sensor_install_patch.sh
rc-adds.txt sguil_sensor_install.sh
rc-conf.sh sguil_sensor_users.txt
README sguil_server_install.sh
sancp snort
sancp_agent.conf.patch snort_agent.conf.patch
sancp.conf.patch snort.conf.patch
sensor_agent.conf.patch snort_src_install.sh

So, now my scripts are available for me to add changes and for anyone who might be interested to retrieve them.

Updates to Sguil on FreeBSD Scripts

Early last year I posted Notes on Installing Sguil Using FreeBSD 7.1 Packages where I examined using the various FreeBSD ports for Sguil. In that post I showed that a lot of work was required to deploy Sguil, even if you used the ports or packages. Previously I've written about a set of scripts I maintain for deploying Sguil platforms in my lab. I decided to take a look at those scripts and update them for a modern environment, since a lot has happened in the almost two years since I last used the scripts.

First, I tested my old scripts on FreeBSD 7.x, and now 8.x is common. Second, Snort 2.9.0.1 is available, and with it the new DAQ mechanism for accessing network traffic. Third, Barnyard has been deprecated in favor of Barnyard2, thanks to the guys at the NSMNow project. There have been a lot of changes with rules and other areas. I also wanted to try running a 64 bit environment on a Dell R200 as my primary lab sensor. Finally, I decided to switch from using CVS at Sourceforge to Git at Sourceforge. I'll explain that in a separate post.

The end result of my work is available now at http://taosecurity.git.sourceforge.net. Please remember that these scripts are basically a way for me to document how I installed certain versions of various NSM applications on a specific FreeBSD platform. There's no error checking, and no support available. Basically, if you want to see how I deploy all of the non-client parts of Sguil on FreeBSD 8.1, feel free to check out the scripts.

One aspect of this that might be helpful is that by reading the scripts you can follow how to go from a basic FreeBSD installation to a completely functioning, all-in-one (minus the client) Sguil platform.

Friday, January 22, 2010

Sguil 0.7.0 on Ubuntu 9.10

Today I installed a Sguil client on a fresh installation of Ubuntu 9.10.

It was really easy with the exception of one issue I had to troubleshoot, explained below.

First notice that tcl8.4 and tk8.4 are already installed on Ubuntu 9.10.

richard@janney:~$ dpkg --list | grep -i tcl
ii tcl8.4 8.4.19-3
Tcl (the Tool Command Language) v8.4 - run-t
ii tk8.4 8.4.19-3
Tk toolkit for Tcl and X11, v8.4 - run-time
richard@janney:~$ sudo apt-get install tclx8.4 tcllib iwidgets4 tcl-tls
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
itcl3 itk3
Suggested packages:
itcl3-doc itk3-doc iwidgets4-doc tclx8.4-doc
The following NEW packages will be installed:
itcl3 itk3 iwidgets4 tcl-tls tcllib tclx8.4
0 upgraded, 6 newly installed, 0 to remove and 0 not upgraded.
Need to get 4,127kB of archives.
After this operation, 18.1MB of additional disk space will be used.
Do you want to continue [Y/n]? y
Get:1 http://us.archive.ubuntu.com karmic/universe itcl3 3.2.1-5 [99.4kB]
...truncated...

Next install wireshark via apt-get. I don't show that here.

The server I want to connect to is running Sguil 0.7.0, not the version currently in CVS. If you try connecting from a CVS client to a 0.7.0 server, the client will report an error like

error writing "sock6": connection reset by peer

On the server side you will see Sguil die on error:

pid(37598) Client Connect: 192.168.2.194 39901 sock15
pid(37598) Validating client access: 192.168.2.194
pid(37598) Valid client access: 192.168.2.194
pid(37598) Sending sock15: SGUIL-0.7.0 OPENSSL ENABLED
pid(37598) Client Command Received: VersionInfo {SGUIL-0.7.0 OPENSSL ENABLED}
pid(37598) ERROR: Client connect denied - mismatched versions
pid(37598) CLIENT VERSION: {SGUIL-0.7.0 OPENSSL ENABLED}
pid(37598) SERVER VERSION: SGUIL-0.7.0 OPENSSL ENABLED
Error: can not find channel named "sock15"
can not find channel named "sock15"
while executing
"close $socketID"
(procedure "ClientVersionCheck" line 11)
invoked from within
"ClientVersionCheck $socketID $data1 "
("VersionInfo" arm line 1)
invoked from within
"switch -exact $clientCmd {
DeleteEventID { $clientCmd $socketID $index1 $index2 }
DeleteEventIDList { $clientCmd $socketID $data1 }
..."
(procedure "ClientCmdRcvd" line 38)
invoked from within
"ClientCmdRcvd sock15"
SGUILD: killing child procs...
SGUILD: Exiting...

If you diff the sguil.tk from 0.7.0 against the sguil.tk from CVS, these differences explain what is happening:

richard@janney:~/sguil/client$ diff /home/richard/Downloads/sguil-0.7.0/client/sguil.tk sguil.tk
5c5
< # $Id: sguil.tk,v 1.249 2008/03/25 15:59:34 bamm Exp $ #
---
> # $Id: sguil.tk,v 1.254 2008/09/21 02:59:25 bamm Exp $ #
156,162d155
< # store $data in $origData because ctoken changes the var it is working on.
< #set origData $data
< #set serverCmd [ctoken data " "]
< #set data1 [string trimleft $data]
< # data1 has indices 1 on etc etc
< #set index1 [ctoken data " "]
< #set data2 [string trimleft $data]
203a197
> PassChange { $serverCmd [lindex $data 1] [lindex $data 2] }
235c229
< puts $socketID "VersionInfo $tmpVERSION"
---
> puts $socketID [list VersionInfo $tmpVERSION]
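Review bot: the `235c229` hunk is the one that produces the mismatch shown in the server log above: `puts $socketID [list VersionInfo $tmpVERSION]` sends the version string as a Tcl list element, so a value containing spaces arrives braced as `{SGUIL-0.7.0 OPENSSL ENABLED}` and the 0.7.0 server's comparison against the unbraced `SGUIL-0.7.0 OPENSSL ENABLED` fails. The server then calls `close $socketID` on a channel that is already gone (`ClientVersionCheck` line 11 in the trace) and the whole daemon exits, so on the server side the denial path should log and return rather than let a bad close take sguild down; a client version check should never be able to crash the server. The `203a197` hunk adds a `PassChange` arm that a 0.7.0 server has no handler for, so that command is CVS-only as well.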
...truncated...

Finally I like to edit my sguil.conf as shown to account for Wireshark's location and to reduce the number of panes from the default of 3 down to 1.

richard@janney:~/Downloads/sguil-0.7.0/client$ diff sguil.conf.orig sguil.conf
49c49
< set WIRESHARK_PATH /usr/sbin/wireshark
---
> set WIRESHARK_PATH /usr/bin/wireshark
73c73
< set RTPANES 3
---
> set RTPANES 1
78,80c78,80
< set RTPANE_PRIORITY(0) "1"
< set RTPANE_PRIORITY(1) "2 3"
< set RTPANE_PRIORITY(2) "4 5"
---
> set RTPANE_PRIORITY(0) "1 2 3 4 5"
> #set RTPANE_PRIORITY(1) "2 3"
> #set RTPANE_PRIORITY(2) "4 5"
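Review bot: the `78,80c78,80` hunk is what keeps `set RTPANES 1` consistent: the priorities that were split across panes 1 and 2 are folded into `RTPANE_PRIORITY(0) "1 2 3 4 5"`, and the old lines are commented out rather than deleted, so going back to three panes is a matter of uncommenting them. Lowering RTPANES without widening the pane-0 list would leave priorities 2 to 5 with no pane assigned, which is the check worth making whenever this setting is changed.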

At this point I can use the Sguil client.

Unfortunately I continue to have a problem with DNS resolution. (I reported one a while back.)

can't read "state(reply)": no such element in array
can't read "state(reply)": no such element in array
while executing
"binary scan $state(reply) SSSSSS mid hdr nQD nAN nNS nAR"
(procedure "Flags" line 13)
invoked from within
"Flags $token flags"
(procedure "dns::name" line 3)
invoked from within
"dns::name $tok"
(procedure "GetHostbyAddr" line 47)
invoked from within
"GetHostbyAddr $srcIP"
(procedure "ResolveHosts" line 23)
invoked from within
"ResolveHosts"
invoked from within
".eventPane.pane1.childsite.detailPane.pane0.childsite.detailTabs.canvas.notebook.
cs.page1.cs.ipDataFrame.dnsDataFrame.dnsActionFrame.dnsButton invoke"
("uplevel" body line 1)
invoked from within
"uplevel #0 [list $w $cmd]"
(procedure "tk::CheckRadioInvoke" line 3)
invoked from within
"tk::CheckRadioInvoke .eventPane.pane1.childsite.detailPane.pane0.childsite.detailTabs.canvas.notebook.
cs.page1.cs.ipDataFrame.dnsDataFrame.dnsActionFr..."
(command bound to event)

I noticed a similar error on the sguil-users mailing list and tried installing libudp-tcl, but I got the same error.

Wednesday, December 30, 2009

Difference Between Bejtlich Class and SANS Class

In a comment on my last post, Reminder: Bejtlich Teaching at Black Hat DC 2010, a reader asked:

I am trying to get my company sponsorship for your class at Black Hat. However, I was asked to justify between your class and SANS 503, Intrusion Detection In-Depth.

Would you be able to provide some advice?


That's a good question, but it's easy enough to answer. The overall point to keep in mind is that TCP/IP Weapons School 2.0 is a new class, and when I create a new class I design it to be different from everything that's currently on the market. It doesn't make sense to me to teach the same topics, or use the same teaching techniques, found in classes already being offered. Therefore, when I first taught TWS2 at Black Hat DC last year, I made sure it was unlike anything provided by SANS or other trainers.

Beyond being unique, here are some specific points to consider. I'm sure I'll get some howls of protest from the SANS folks, but they have their own platform to justify their approach. The two classes are very different, each with a unique focus. It's up to the student to decide what sort of material he or she wants to learn, in what environment, using whatever methods he or she prefers. I don't see anything specifically "wrong" with the SANS approach, but I maintain that a student will learn skills more appropriate for their environment in my class.

  • TWS2 is a case-driven, hands-on, lab-centric class. SANS is largely a slide-driven class.

    When you attend my class you get three handouts: 1) a workbook explaining how to analyze digital evidence; 2) a workbook with questions for 15 cases; and 3) a teacher's guide answering all of the questions for the 15 cases. There are no slides aside from a few housekeeping items and a diagram or two to explain how the class is set up.

    When you attend SANS you will receive several sets of slide decks that the instructor will show during the course of the class. You will also have labs, but they are not the focus of the class.

  • I designed TWS2 to meet the needs of a wide range of students, from beginners to advanced practitioners. TWS2 attendees typically finish 5-7 cases per class, with the remainder suitable for "homework." Students can work at their own pace, although we cover certain cases at checkpoints during the class. A few students have completed all 15 cases, and I often ask if those students are looking for a new opportunity with my team!

  • TWS2 is about investigating digital evidence, primarily in the form of network traffic, logs, and some memory captures. The focus is overwhelmingly on the content and not the container. SANS spends more time on the container and less on the content.

    For example, if you look at the SANS course overview, you'll see they spend the first three days on TCP/IP headers and analysis with Tcpdump. Again, there's nothing wrong with that, but I don't care so much about what bit in the TCP header corresponds to the RST flag. That was mildly interesting in the late 1990s when that part of the SANS course was written, but the content of a network conversation has been more important this decade. Therefore, my class focuses on what is being said and less on how it was transmitted.

  • TWS2 is not about Snort. While students do have access to a fully-functional Sguil instance with Snort alerts, SANCP session data, and full content libpcap network traffic, I do not spend time explaining how to write Snort rules. SANS spends at least one day talking about Snort.

  • TWS2 is not about SIM/SEM/SIEM. Any "correlation" between various forms of evidence takes place in the student's mind, or using the free Splunk instance containing the logs collected from each case. If you consider dumping evidence into a system like Splunk, and then querying that evidence, to be "correlation," then we have "correlation." (Please see Defining Security Event Correlation for my thoughts on that subject.) SANS spends two days on fairly simple open source options for "correlation" and "traffic analysis."

  • TWS2 cases cover a wide variety of activity, while SANS is narrowly focused on suspicious and malicious network traffic. I decided to write cases that cover many of the sorts of activities I expect an enterprise incident detector and responder to encounter during his or her professional duties.

    I also do not dictate any single approach to investigating each case. Just like real life, I want the student to produce an answer. I care less about how he or she analyzed the data to produce that answer, as long as the chain of reasoning is sound and the student can justify and repeat his or her methodology.


I hope that helps prospective students make a choice. I'll note that I don't send any of my analysts to the SANS "intrusion detection" class. We provide in-house training that includes my material but also focuses on the sorts of decision-making and evidence sources we find to be most effective in my company. Also please note this post concentrated on the differences between my class and the SANS "intrusion detection" class, and does not apply to other SANS classes.

Saturday, December 12, 2009

Keeping FreeBSD Up-to-Date in BSD Magazine

Keep your eyes open for the latest printed BSD Magazine, with my article Keeping FreeBSD Up-To-Date: OS Essentials. This article is something like 18 pages long, because at the last minute the publishers had several authors withdraw articles. The publishers decided to print the extended version of my article, so it's far longer than I expected! We're currently editing the companion piece on keeping FreeBSD applications up-to-date. I also expect to submit an article on running Sguil on FreeBSD 8.0 when I get a chance to test the latest version in my lab.

Tuesday, October 27, 2009

Wednesday is Last Day for Discounted SANS Registration

In my off time I'm still busy organizing the SANS WhatWorks in Incident Detection Summit 2009, taking place in Washington, DC on 9-10 Dec 09. The agenda page should be updated soon to feature all of the speakers and panel participants. Wednesday is the last day to register at the discounted rate.

I wrote the following to provide more information on the Summit and explain its purpose.

All of us want to spend our limited information technology and security funds on the people, products, and processes that make a difference. Does it make sense to commit money to projects when we don’t know their impact? I’m not talking about fuzzy “return on investment” (ROI) calculations or fabricated “risk” ratings. Don’t we all want to know how to find intruders, right now, and then concentrate on improvements that will make it more difficult for bad guys to disclose, degrade, or deny our data?

To answer this question, I’ve teamed with SANS to organize a unique event -- the SANS WhatWorks in Incident Detection Summit 2009, on 9-10 December 2009 in Washington, DC. My goal for this two-day, vendor-neutral, practitioner-focused Summit is to provide security operators with real-life guidance on how to discover intruders in the enterprise. This isn’t a conference on a specific commercial tool, or a series of death-by-slide presentations, or lectures by people disconnected from reality. I’ve reached out to the people I know on the front lines, who find intruders on a regular, daily basis. If you don’t think good guys know how to find bad guys, spend two days with people who go toe-to-toe with the worst intruders on the planet.

We’ll discuss topics like the following:

  • How do Computer Incident Response Teams and Managed Security Service Providers detect intrusions?

  • What network-centric and host-centric indicators yield the best results, and how do you collect and analyze them?

  • What open source tools are the best-kept secrets in the security community, and how can you put them to work immediately in your organization?

  • What sources of security intelligence data produce actionable indicators?

  • How can emerging disciplines such as proactive live response and volatile analysis find advanced persistent threats?


Here is a sample of the dozens of subject matter experts who will pack the schedule:

  • Michael Cloppert, senior technical member of Lockheed Martin's enterprise Computer Incident Response Team and frequent SANS Forensics blogger.

  • Michael Rash, Senior Security Architect for G2, Inc., author of Linux Firewalls and the psad, fwsnort, and fwknop security projects.

  • Matt Richard, Malicious Code Operations Lead for the Raytheon corporate Computer Emergency Response (RayCERT) Special Technologies and Analysis Team (STAT) program.

  • Martin Roesch, founder of Sourcefire and developer of Snort.

  • Bamm Visscher, Lead Information Security Incident Handler for the General Electric CIRT, and author of the open source Sguil suite.


Ron Gula is scheduled to do one keynote and I'm working on the second. We'll have guest moderators for some panels too, such as Mike Cloppert and Rocky DeStefano.

I look forward to seeing you at the conference!

Friday, October 09, 2009

NSM in Products

A blog reader recently asked:

I've been tasked with reevaluating our current NSM / SIEM implementation, and I see that you posted about a NetFlow book you are tech editing for Lucas.

My question is this: outside of Sguil, what do you prefer/recommend in the way of NSM products/solutions?

Our current NSM uses a modified version of NetFlow, and our Networking team also uses Cisco NetFlow elsewhere...

While I find it useful to collect header data, the current implementation lacks payload information. So while we may be able to turn back the clock to look at flows for a given duration, it's not always possible to see valuable contents...

Another wall I have hit with NetFlow is that the communication of the protocol takes place in somewhat of a half duplex manner (i.e., it is possible to receive the response flow before you receive the request flow), thus making it difficult to assure a particular direction without some processing...

I have yet to see a blog post covering any consolidated comparisons of solutions regarding NSM.

I do have your NSM book on order from Amazon today, if it already has the answers I'm looking for...

As always, thank you for your time Richard, I appreciate it greatly.


Thank you for the question. I don't recommend specific products, but I do recommend NSM data types. That way, you can ask the vendor which NSM data types they support, and then decide if their answer is 1) correct and 2) sufficient. For reference, the six NSM data types are:

  1. Alert: judgment made by a product ("Port scan!" or "Buffer overflow!"); either detect or block

  2. Statistical: high-level description of activity (protocol percentages, trending, etc.)

  3. Session: conversations between hosts ("A talked to B on Friday for 61 seconds sending 1234 bytes")

  4. Full Content: all packets on the wire

  5. Extracted Content: rebuild elements of a session and extract metadata

  6. Transaction: generate logs based on request-reply traffic (DNS, HTTP, etc.)

2018 note: in 2013 I added "metadata" as an NSM data type, such as WHOIS data about IP addresses or domain names observed in other NSM data. Also note that in the "Extracted Content" column below, Bro has supported file extraction since at least 2013 (possibly earlier).
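To make the differences between these data types concrete, here is an added example, written for this edit and not code from the original post or from any NSM tool. It starts from a handful of constructed "full content" packets (a DNS lookup and one short HTTP conversation, with only the first bytes of payload kept, as a sensor would for transaction logging) and derives session records in the style SANCP stores, a statistical byte-share summary, and a transaction log rebuilt from the HTTP request and reply headers. The addresses, ports and payloads are all made up.

```python
"""Added example, not from the original post: derive session, statistical
and transaction data from a few constructed "full content" packets."""
from collections import defaultdict

# Constructed packets (not a real capture):
# (time_seconds, src, sport, dst, dport, proto, bytes_on_wire, payload_head)
PACKETS = [
    (0.00, "10.1.1.5", 51000, "10.2.2.2", 53, "udp", 62, b""),
    (0.02, "10.2.2.2", 53, "10.1.1.5", 51000, "udp", 78, b""),
    (1.00, "10.1.1.5", 51001, "10.3.3.3", 80, "tcp", 74, b""),
    (1.01, "10.3.3.3", 80, "10.1.1.5", 51001, "tcp", 74, b""),
    (1.02, "10.1.1.5", 51001, "10.3.3.3", 80, "tcp", 66, b""),
    (1.05, "10.1.1.5", 51001, "10.3.3.3", 80, "tcp", 180,
     b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    (1.10, "10.3.3.3", 80, "10.1.1.5", 51001, "tcp", 1300,
     b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"),
    (62.00, "10.1.1.5", 51001, "10.3.3.3", 80, "tcp", 66, b""),
    (62.01, "10.3.3.3", 80, "10.1.1.5", 51001, "tcp", 66, b""),
]


def flow_key(pkt):
    """Direction-neutral key so both halves of a conversation land together."""
    _, src, sport, dst, dport, proto, _, _ = pkt
    a, b = (src, sport), (dst, dport)
    return (proto,) + (a + b if a <= b else b + a)


def sessions(packets):
    """Session data (type 3): one record per conversation, SANCP-style.
    The first packet seen defines the source (client) side."""
    flows = {}
    for pkt in sorted(packets, key=lambda p: p[0]):
        t, src, sport, dst, dport, proto, size, _ = pkt
        f = flows.get(flow_key(pkt))
        if f is None:
            f = flows[flow_key(pkt)] = {
                "proto": proto, "src": src, "sport": sport, "dst": dst,
                "dport": dport, "start": t, "end": t, "pkts": 0,
                "src_bytes": 0, "dst_bytes": 0}
        f["end"] = t
        f["pkts"] += 1
        if (src, sport) == (f["src"], f["sport"]):
            f["src_bytes"] += size
        else:
            f["dst_bytes"] += size
    for f in flows.values():
        f["duration"] = round(f["end"] - f["start"], 2)
    return list(flows.values())


def statistics(packets):
    """Statistical data (type 2): share of bytes per protocol, in percent."""
    total = sum(p[6] for p in packets)
    by_proto = defaultdict(int)
    for p in packets:
        by_proto[p[5]] += p[6]
    return {proto: round(100.0 * n / total, 1) for proto, n in by_proto.items()}


def http_transactions(packets):
    """Transaction data (type 6): request/reply log rebuilt from HTTP headers."""
    log, pending = [], {}
    for pkt in sorted(packets, key=lambda p: p[0]):
        payload = pkt[7]
        if not payload:
            continue
        head = payload.split(b"\r\n\r\n", 1)[0].decode("ascii", "replace")
        lines = head.split("\r\n")
        words = lines[0].split(" ")
        key = flow_key(pkt)
        if len(words) >= 3 and words[2].startswith("HTTP/"):
            # Request line: METHOD URI HTTP/x.y, followed by headers.
            host = next((l.split(":", 1)[1].strip() for l in lines[1:]
                         if l.lower().startswith("host:")), "")
            pending[key] = {"time": pkt[0], "client": pkt[1], "server": pkt[3],
                            "method": words[0], "uri": words[1], "host": host}
        elif words[0].startswith("HTTP/") and len(words) >= 2 and key in pending:
            # Status line: HTTP/x.y CODE REASON; pair it with the pending request.
            rec = pending.pop(key)
            rec["status"] = int(words[1])
            log.append(rec)
    return log


if __name__ == "__main__":
    for s in sessions(PACKETS):
        print("%(src)s:%(sport)d -> %(dst)s:%(dport)d %(proto)s "
              "%(duration)ss %(src_bytes)dB/%(dst_bytes)dB" % s)
    print(statistics(PACKETS))
    print(http_transactions(PACKETS))
```

The point the code makes is that session and statistical data are lossy summaries you can keep for a long time, while the transaction log depends on having had the payload at capture time: drop the payload, as the reader's NetFlow deployment does, and types 4 through 6 are gone for good.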

Looking at these six types, I can make the following general assessments of products. This is my opinion based on products I have encountered. If you find a product that performs better than the general categories I describe, excellent!


If you want to learn more about this, I'll be discussing it during my solo presentation at the 2009 Information Security Summit, October 29-30, 2009 at Corporate College East in Warrensville Heights, Ohio.

Wednesday, July 29, 2009

Notes from OISF Meeting in DC

This month I was pleased to attend a public meeting of the Open Information Security Foundation in Washington, DC. I got a chance to meet several people I have known for many years through their work with Snort, such as Matt Jonkman, Will Metcalf, Victor Julien, Frank Knobbe, and two guys from a federal agency who have extended Sguil way beyond what I knew anyone was doing! The group posted DC Brainstorming Meeting Notes, but I wanted to record a few thoughts here.

OISF is a US nonprofit, a 501(c)(3). Their goal is to produce a new network inspection and filtering engine (IDS/IPS) that will be released under GPLv2. They cannot and will not commercialize, sell, patent, copyright, or profit from the engine. Rather, others who participate in the OISF Consortium (listed on their Web site) are donating coders, equipment, and financial support in exchange for the ability to commercialize the engine.

OISF works with the Open Source Software Institute, famous for getting FIPS validation for OpenSSL -- something everybody wanted but no one wanted to fund alone. OISF is part of the DHS Homeland Open Security Technology (HOST) program. OISF has received legal guidance from the Software Freedom Law Center.

OISF has many goals for their engine, outlined in the notes I linked earlier. Most interesting is their goal for a production release by the end of this year. If they are to make this goal, I think the project needs to severely limit the requirements for the first release. I would focus on the following.

  • Developing the rules language.

  • Implementing IPv6.

  • Implementing multi-threading.


Those three tasks are monumental, but they would immediately differentiate OISF from other options. There is talk within the project of semi-Snort-compatible output, so you might send OISF data to a file in Snort Unified or Unified2 format to be read by Barnyard or Barnyard2.

If you want to know more about the project, the Mailing Lists are the best option. As it develops I will discuss it here.

Tuesday, July 14, 2009

White Hat Budgeting

After publishing Black Hat Budgeting last month, several readers asked me how to spend the same $1 million on defense. This is a more difficult question. As I wrote in the previous post, for $1 million per year an adversary could fund a Western-salaried black hat team that could penetrate and persist in roughly any target it chose to attack. That does not hold true for defense, i.e., for $1 million per year a defender could not fund a Western-salaried white hat team that could plan, resist, detect, and respond to any $1 million black hat team.

So, if you had $1 million to spend on defense, how could you spend it? I turned to my 2008 post Defensible Network Architecture 2.0 as a guide. One interesting aspect of the eight DNA 2.0 tenets is that half of them are IT responsibilities (or at least I would strongly argue they are): inventoried, claimed, minimized, current. All of that is just "good IT." Security can provide inputs, but IT should own those aspects. That leaves monitored, controlled, assessed, and measured.

With that said, let's allocate the funding. With such a small team we would expect people to move among the roles so they don't burn out, and so they can grow their capabilities.

  • Staff. Without people, this operation goes nowhere. We allocate $850,000 of our budget to salaries and benefits to hire the following people.


    • The team leader should have experience as an enterprise defender as a minimum. The leader can be very skilled in at least one speciality but should be familiar with all of the team's roles. The team leader needs a vision for the team while preserving business value. Because this team is so small the leader has to do strategic thinking and overall management, including the "measured" aspect of DNA 2.0. $120,000.

    • The incident response team is responsible for detecting and responding to intrusions. They perform the "monitored" aspect of DNA 2.0. We hire three people, one with Windows expertise, one with Unix expertise, and one with infrastructure expertise. $330,000.

    • The security operator is responsible for the "controlled" aspect of DNA 2.0. He or she seeks to minimize intrusions by deploying and operating countermeasures. This person is also a utility player who can learn other roles and consult as necessary. $80,000.

    • The threat operator performs an advanced security intelligence and analysis role. He or she should be able to reverse engineer malware while also paying attention to underground activities and applying that knowledge to all aspects of the team's work. $120,000.

    • The Red-Blue Team performs adversary simulation/penetration testing (red) and collaborative vulnerability assessment (blue) activities. With a team this size there is only room for two technicians. Red-Blue handles the "assessed" aspect of DNA 2.0. $80,000 for the blue, $120,000 for the red.

  • Technology. At this point we only have $150,000 left. We can spend $100,000 on technology. It should be clear that $100,000 isn't going to buy much in the way of commercial tools. In fact, the $1 million security operation is going to have to rely on several realities.


    • Built-in capabilities. This team is going to have to rely on capabilities built into the products deployed by other IT teams, like the computer and networking groups. This actually makes a good amount of sense. Is it really necessary to deploy another host firewall on Windows if you can use IPsec policies and/or Windows Firewall? With a budget that small, these are the uncomfortable choices to be made.

    • Open source software. The $1 million security team should deploy a lot of open source software. Sguil could be the NSM suite of choice, for example. By spending money on staff who know their way around open source tools, you can go very far using what can be downloaded for free. Let the staff contribute back to the community and it's a win-win situation.

    • Commodity hardware. You can't buy hardware for free, and those NSM sensors and other open source packages need to run on something. A decent amount of the budget will be spent on hardware.

    • Cloud hosting. The Cloud becomes an attractive place to store logs, do processing, and other activities that don't scale well or work well on commodity hardware. Security concerns are lessened when the alternative is no security services.

  • Miscellaneous. The last $50,000 could be spent on incidentals, training, team awards, travel, or whatever else the group might require to attract and retain talent.

Note I did not advocate outsourcing here. You spend too much money and probably won't receive value for it.

With such a small team, there is no concept of 24x7 support. 8x5 is the best you can get. The ability of the team to detect and respond to intrusions in a timely manner is going to decrease as the enterprise grows. A team of 8 security defenders will be strained once the company size exceeds 10,000 people, at the largest.

I am much less comfortable building out this team, compared to the Black Hat Budgeting exercise. There are way too many variables involved in defending any enterprise. Most companies really are unique. However, this is a good point to stop to see if anyone has comments on this approach.


Richard Bejtlich is teaching new classes in Las Vegas in 2009. Late Las Vegas registration ends 22 July.

Monday, July 13, 2009

FreeBSD Pf and Tftp-proxy

Several IP-enabled devices in the lab use TFTP to retrieve configuration files from various locations on the Internet. This pains me. You can probably imagine what these devices are. Unfortunately I don't control how these devices work.

I run Sguil at my lab gateway to the Internet. I watch traffic right before the gateway, before it is NAT'd. I really don't care what's on the other side. I mostly care what is leaving the network, so I concentrate my NSM activities there.

I noticed one of these TFTP-enabled devices trying to retrieve a file repeatedly. I looked closer at the traffic (thanks to Sguil I keep a record of traffic leaving for the Internet) and noticed I never saw any replies. Simultaneously I received an email from tech support for this device. They told me to unplug all Internet devices from my cable modem and plug the troublesome device into the cable modem overnight (!). My answer to that: "heck no."

I decided to run an experiment with a TFTP client inside the lab and a TFTP server on the Internet. By watching traffic on the internal and external sides of the gateway, I could see TFTP requests making it to the TFTP server on the Internet, and TFTP replies coming from the server back to the gateway. However, the TFTP replies never appeared on the internal side of the gateway.

I did some research and determined that FreeBSD's Pf firewall can't handle TFTP traffic by default. Here is why:

18:13:31.205435 IP my.public.ip.addr.64212 > tftp.server.public.ip.69: 17 RRQ "test.txt" octet
18:13:31.282363 IP tftp.server.public.ip.51186 > my.public.ip.addr.64212: UDP, length 29
18:13:31.284161 IP my.public.ip.addr.57880 > tftp.server.public.ip.51186: UDP, length 4

You see the TFTP request to port 69 UDP. The reply, however, comes from port 51186 UDP to port 64212 UDP. Pf keeps UDP state on the exact source and destination address/port pair, so the state entry created by packet 1 (destination port 69) does not match packet 2, and Pf has no way to know that packet 2 is associated with the TFTP request in packet 1.
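To make the state-matching problem concrete, here is an added example, written for this edit and not code from the post or from Pf, that models two UDP state tables in Python. The naive table keeps state on the exact address/port 4-tuple, as a default "keep state" rule does, so the DATA packet arriving from port 51186 is rejected. The TFTP-aware table, when it sees an RRQ or WRQ to port 69, records that this server may answer this client port from any source port, which is roughly the effect tftp-proxy achieves by inserting rules into its anchor. The packets are constructed to follow the tcpdump excerpt; the stray packet from 203.0.113.9 is made up to show that the expectation is bound to the server's address, not open to anyone.

```python
"""Added example, not from the original post: a toy model of UDP state
tracking showing why a plain stateful firewall drops TFTP replies."""

CLIENT = "my.public.ip.addr"
SERVER = "tftp.server.public.ip"
TFTP_PORT = 69

# Constructed packets: (src, sport, dst, dport, payload). Ports follow the
# tcpdump excerpt above; the stray packet from 203.0.113.9 is made up.
RRQ = (CLIENT, 64212, SERVER, TFTP_PORT, b"\x00\x01test.txt\x00octet\x00")  # opcode 1, RRQ
DATA1 = (SERVER, 51186, CLIENT, 64212, b"\x00\x03\x00\x01hello")            # opcode 3, DATA
ACK1 = (CLIENT, 64212, SERVER, 51186, b"\x00\x04\x00\x01")                  # opcode 4, ACK
STRAY = ("203.0.113.9", 51186, CLIENT, 64212, b"\x00\x03\x00\x01junk")      # unsolicited


class NaiveStatefulFirewall:
    """Keeps UDP state on the exact 4-tuple, like a default 'keep state' rule."""

    def __init__(self):
        self.states = set()  # (client_ip, client_port, server_ip, server_port)

    def outbound(self, pkt):
        src, sport, dst, dport, _ = pkt
        self.states.add((src, sport, dst, dport))
        return True

    def inbound(self, pkt):
        src, sport, dst, dport, _ = pkt
        # A reply only matches if it comes from the ip:port the request went to.
        return (dst, dport, src, sport) in self.states


class TftpAwareFirewall(NaiveStatefulFirewall):
    """On a TFTP RRQ/WRQ to port 69, expect the server to answer this client
    port from any source port (roughly what tftp-proxy arranges via its anchor)."""

    def __init__(self):
        super().__init__()
        self.expect = set()  # (server_ip, client_ip, client_port)

    def outbound(self, pkt):
        src, sport, dst, dport, payload = pkt
        if dport == TFTP_PORT and payload[:2] in (b"\x00\x01", b"\x00\x02"):
            self.expect.add((dst, src, sport))
        return super().outbound(pkt)

    def inbound(self, pkt):
        src, sport, dst, dport, _ = pkt
        if super().inbound(pkt):
            return True
        if (src, dst, dport) in self.expect:
            # Consume the expectation and pin the transfer to the server's
            # chosen port, so later DATA packets match the exact 4-tuple.
            self.expect.discard((src, dst, dport))
            self.states.add((dst, dport, src, sport))
            return True
        return False


def run(fw, exchange):
    """Apply a sequence of ("out"|"in", packet) to a firewall; return verdicts."""
    return [fw.outbound(p) if d == "out" else fw.inbound(p) for d, p in exchange]


EXCHANGE = [("out", RRQ), ("in", DATA1), ("out", ACK1), ("in", STRAY)]

if __name__ == "__main__":
    print("naive:", run(NaiveStatefulFirewall(), EXCHANGE))
    print("tftp-aware:", run(TftpAwareFirewall(), EXCHANGE))
```

Run it and the naive table passes the request and the ACK but drops the server's DATA, which is exactly the symptom seen on the internal side of the gateway; the TFTP-aware table passes the DATA and still drops the stray packet, because the expectation is keyed on the server's address and is consumed after one use.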

Fortunately, FreeBSD and other operating systems ship with tftp-proxy(8). I tried following the example in the man page, but I ended up adding the following to the configuration file /etc/pf.conf. $local192 is the LAN from which I expect to see TFTP requests.

no nat on $ext_if to port tftp

rdr-anchor "tftp-proxy/*"

rdr on $int_if proto udp from $local192 to port tftp -> \
$int_if port 6969

anchor "tftp-proxy/*"

I added the following to /etc/inetd.conf.

acmsoda dgram udp wait root /usr/libexec/tftp-proxy tftp-proxy -v

acmsoda is the name in /etc/services for port 6969.

I had to enable inetd in /etc/rc.conf.

inetd_enable="YES"
inetd_flags="-wW -C 60 -a 172.16.2.1"

Without the -a flag, inetd would bind the tftp-proxy listener to all interfaces, and I don't want that.

Now I was ready to reload Pf and restart inetd.

r200a:/root# pfctl -Fa -f /etc/pf.conf

r200a:/root# /etc/rc.d/inetd restart

I checked to ensure port 6969 UDP was listening.

r200a:/root# sockstat -4 | grep 6969
root inetd 161 5 udp4 172.16.2.1:6969 *:*

Now I was able to retrieve my test file via TFTP.

tftp> get test.txt
getting from tftp.server.public.ip:test.txt to test.txt [octet]
sent RRQ
received DATA
Received 25 bytes in 0.1 seconds [2000 bits/sec]

I wanted to note that the man page recommended this addition to inetd.conf:

inetd(8) must be configured to spawn the proxy on the port that packets
are being forwarded to by pf(4). An example inetd.conf(5) entry follows:

127.0.0.1:6969 dgram udp wait root \
/usr/libexec/tftp-proxy tftp-proxy

That didn't work for me; I saw this error in /var/log/messages.

Jul 13 17:11:56 r200a inetd[99738]: 127.0.0.1:6969/udp: unknown service

By specifying the port only and using -a to bind inetd where I needed it, I avoided this error. There's probably another way around this though.

The final step will be seeing this TFTP-enabled device updating itself during the next 24 hours.


Richard Bejtlich is teaching new classes in Las Vegas in 2009. Late Las Vegas registration ends 22 July.

Sunday, May 31, 2009

Information Security Incident Rating


I've been trying to describe to management how close various individual information assets (primarily computers -- desktops, laptops, etc.) are to the doomsday scenario of sensitive data exfiltrated by unauthorized parties. This isn't the only type of incident that worries me, but it's the one I decided to tackle first. I view this situation as a continuum, rather than a "risk" rating. I'm trying to summarize the state of affairs for an individual asset rather than "model risk."

In the far left column I've listed some terms that may be unfamiliar. The first three rows bear "Vuln" ratings. I list these because some of my businesses consider the discovery of a vulnerability in an asset to be an "incident" by itself. Traditional incident detectors and responders don't think this way, but I wanted to include this aspect of our problem set. For these first three rows, I consider these assets to exist without any discoverable or measurable adversary activity. In other words, assets of various levels of vulnerability are present, but no intruder is taking interest in them (as far as we can tell).

The next four rows (Cat 6, 3, 2, 1) should be familiar to those of you with military CIRT background. About 7 or 8 years ago I wrote this Category Descriptions document for Sguil. You'll remember Cat 6 as Reconnaissance, Cat 3 as Attempted Intrusion, Cat 2 as User Intrusion, and Cat 1 as Root/Admin Intrusion. I've mapped those "true incidents" here. These incidents indicate an intruder is taking interest in a system, to the degree that the intruder gains user or root level control of it. In the event the intruder doesn't need to gain control of the asset in order to steal data, you can simply jump to the appropriate description of the event in the final three rows.

The final three rows (Breach 3, 2, 1) are what you might consider "post exploitation" activities, or direct exploitation activities if no control of the asset is required in order to accomplish the adversary's data exfiltration mission. They loosely map to the reinforcement, consolidation, and pillage phases of compromise I outlined years ago. I've used the term "Breach" here to emphasize the seriousness of this aspect of an intrusion. (Gunter's recent post Botnet C&C Participation is a Corporate Data Breach reinforced my decision to use the term "breach" in situations like this.) Clearly Breach 3 is a severe problem. You might still be able to avoid catastrophe if you can contain the incident at this phase. However, intruders are likely to quickly move to Breach 2 and 1 phases, when it's Game Over.

If there has to be an "impact 0" rating, I would consider that to be the absence of an information asset, i.e., it doesn't exist. Any asset whatsoever has value, so I don't see a 0 value for any existing systems.

At the other end of the spectrum, if we have to "crank it to 11," I would consider an 11 to be publication of incident details in a widely-read public forum like a major newspaper or online news site.

I use the term "impact" in this sense: what is the negative impact of having the individual asset in the state described? In other words, the negative impact of having an asset with impact 1 is very low. We would all like to have assets that require an intruder to apply substantial effort to compromise the asset and exfiltrate sensitive data. At the other end of the spectrum we have the "game over" impact -- the intruder has exfiltrated sensitive data or is suspected of exfiltrating sensitive data based on volume, etc. Even if you can't tell exactly what an intruder exfiltrated, if you see several GBs of data leaving a system that houses or accesses sensitive data, you can be fairly confident the intruder grabbed it.

I listed some sample colors for those who understand the world in those terms.

I've reproduced the text below for future copying and pasting.

  1. Vuln 3 / Impact 1 / Intruder must apply substantial effort to compromise asset and exfiltrate sensitive data

  2. Vuln 2 / Impact 2 / Intruder must apply moderate effort to compromise asset and exfiltrate sensitive data

  3. Vuln 1 / Impact 3 / Intruder must apply little effort to compromise asset and exfiltrate sensitive data

  4. Cat 6 / Impact 4 / Intruder is conducting reconnaissance against asset with access to sensitive data

  5. Cat 3 / Impact 5 / Intruder is attempting to exploit asset with access to sensitive data

  6. Cat 2 / Impact 6 / Intruder has compromised asset with access to sensitive data but requires privilege escalation

  7. Cat 1 / Impact 7 / Intruder has compromised asset with ready access to sensitive data

  8. Breach 3 / Impact 8 / Intruder has established command and control channel from asset with ready access to sensitive data

  9. Breach 2 / Impact 9 / Intruder has exfiltrated nonsensitive data or data that will facilitate access to sensitive data

  10. Breach 1 / Impact 10 / Intruder has exfiltrated sensitive data or is suspected of exfiltrating sensitive data based on volume, etc.


What do you think of this rating system? I am curious to hear how others explain the seriousness of an incident to management.



Update: Since writing this post, I've realized it is more important to think of these events as intrusions. The word "incident" applies to a broader set of events, including DDoS, lost or stolen devices, and the like. My use of the word "intruder" throughout the post indicates my real intention.

Sunday, March 22, 2009

NSM on Cisco AXP?

Last year I wrote Run Apps on Cisco ISR Routers. That was two weeks after our April Fool's joke that the Sguil Project Was Acquired by Cisco.

I am wondering if any TaoSecurity Blog readers are using Cisco AXP in production? Looking at the data sheet for the modules, they appear too underpowered for NSM applications, especially at the price point Cisco is advertising.



Tuesday, February 03, 2009

Notes on Installing Sguil Using FreeBSD 7.1 Packages

It's been a while since I've looked at the Sguil ports for FreeBSD, so I decided to see how they work.

In this post I will talk about installing a Sguil sensor and server on a single FreeBSD 7.1 test VM using packages shipped with FreeBSD 7.1.

To start with, the system had no packages installed.

After running pkg_add -vr sguil-sensor, I watched what was added to the system. I'm only going to document that which I found interesting.

The sguil-sensor-0.7.0_2 package installed the following into /usr/local.

x bin/sguil-sensor/log_packets.sh
x bin/sguil-sensor/example_agent.tcl
x bin/sguil-sensor/pcap_agent.tcl
x bin/sguil-sensor/snort_agent.tcl
x etc/sguil-sensor/example_agent.conf-sample
x etc/sguil-sensor/pcap_agent.conf-sample
x etc/sguil-sensor/snort_agent.conf-sample
x etc/sguil-sensor/log_packets.conf-sample
x share/doc/sguil-sensor <- multiple files, omitted here
x etc/rc.d/example_agent
x etc/rc.d/pcap_agent
x etc/rc.d/snort_agent

Note that you have to copy

pcap_agent.conf-sample
log_packets.conf-sample
snort_agent.conf-sample

to

pcap_agent.conf
log_packets.conf
snort_agent.conf

and edit each, prior to starting

pcap_agent.tcl
log_packets.sh
snort_agent.tcl

via

rc.d/pcap_agent
cron
rc.d/snort_agent

Also, as noted in the configuration options, PADS and SANCP are not installed by default, so the package doesn't include them:

===> The following configuration options are available for sguil-sensor-0.7.0_2:
SANCP=off (default) "Include sancp sensor"
PADS=off (default) "Include pads sensor"
===> Use 'make config' to modify these settings


The snort-2.8.2.1_1 package installed the following.

x man/man8/snort.8.gz
x bin/snort
x etc/snort/classification.config-sample
x etc/snort/gen-msg.map-sample
x etc/snort/reference.config-sample
x etc/snort/sid-msg.map-sample
x etc/snort/snort.conf-sample
x etc/snort/threshold.conf-sample
x etc/snort/unicode.map-sample
x src/snort_dynamicsrc/bitop.h
x src/snort_dynamicsrc/debug.h
x src/snort_dynamicsrc/pcap_pkthdr32.h
x src/snort_dynamicsrc/preprocids.h
x src/snort_dynamicsrc/profiler.h
x src/snort_dynamicsrc/sf_dynamic_common.h
x src/snort_dynamicsrc/sf_dynamic_meta.h
x src/snort_dynamicsrc/sf_dynamic_preproc_lib.c
x src/snort_dynamicsrc/sf_dynamic_preproc_lib.h
x src/snort_dynamicsrc/sf_dynamic_preprocessor.h
x src/snort_dynamicsrc/sf_snort_packet.h
x src/snort_dynamicsrc/sf_snort_plugin_api.h
x src/snort_dynamicsrc/sfghash.h
x src/snort_dynamicsrc/sfhashfcn.h
x src/snort_dynamicsrc/sfsnort_dynamic_detection_lib.c
x src/snort_dynamicsrc/sfsnort_dynamic_detection_lib.h
x src/snort_dynamicsrc/str_search.h
x src/snort_dynamicsrc/stream_api.h
x lib/snort/dynamicengine/libsf_engine.so
x lib/snort/dynamicengine/libsf_engine.so.0
x lib/snort/dynamicengine/libsf_engine.la
x lib/snort/dynamicengine/libsf_engine.a
x lib/snort/dynamicrules/lib_sfdynamic_example_rule.so
x lib/snort/dynamicrules/lib_sfdynamic_example_rule.so.0
x lib/snort/dynamicrules/lib_sfdynamic_example_rule.la
x lib/snort/dynamicrules/lib_sfdynamic_example_rule.a
x lib/snort/dynamicpreprocessor/lib_sfdynamic_preprocessor_example.a
x lib/snort/dynamicpreprocessor/lib_sfdynamic_preprocessor_example.la
x lib/snort/dynamicpreprocessor/lib_sfdynamic_preprocessor_example.so
x lib/snort/dynamicpreprocessor/lib_sfdynamic_preprocessor_example.so.0
x lib/snort/dynamicpreprocessor/libsf_dcerpc_preproc.a
x lib/snort/dynamicpreprocessor/libsf_dcerpc_preproc.la
x lib/snort/dynamicpreprocessor/libsf_dcerpc_preproc.so
x lib/snort/dynamicpreprocessor/libsf_dcerpc_preproc.so.0
x lib/snort/dynamicpreprocessor/libsf_dns_preproc.a
x lib/snort/dynamicpreprocessor/libsf_dns_preproc.la
x lib/snort/dynamicpreprocessor/libsf_dns_preproc.so
x lib/snort/dynamicpreprocessor/libsf_dns_preproc.so.0
x lib/snort/dynamicpreprocessor/libsf_ftptelnet_preproc.a
x lib/snort/dynamicpreprocessor/libsf_ftptelnet_preproc.la
x lib/snort/dynamicpreprocessor/libsf_ftptelnet_preproc.so
x lib/snort/dynamicpreprocessor/libsf_ftptelnet_preproc.so.0
x lib/snort/dynamicpreprocessor/libsf_smtp_preproc.a
x lib/snort/dynamicpreprocessor/libsf_smtp_preproc.la
x lib/snort/dynamicpreprocessor/libsf_smtp_preproc.so
x lib/snort/dynamicpreprocessor/libsf_smtp_preproc.so.0
x lib/snort/dynamicpreprocessor/libsf_ssh_preproc.a
x lib/snort/dynamicpreprocessor/libsf_ssh_preproc.la
x lib/snort/dynamicpreprocessor/libsf_ssh_preproc.so
x lib/snort/dynamicpreprocessor/libsf_ssh_preproc.so.0
x lib/snort/dynamicpreprocessor/libsf_ssl_preproc.a
x lib/snort/dynamicpreprocessor/libsf_ssl_preproc.la
x lib/snort/dynamicpreprocessor/libsf_ssl_preproc.so
x lib/snort/dynamicpreprocessor/libsf_ssl_preproc.so.0
x share/examples/snort/classification.config-sample <- copied to classification.config
x share/examples/snort/create_db2
x share/examples/snort/create_mssql
x share/examples/snort/create_mysql
x share/examples/snort/create_oracle.sql
x share/examples/snort/create_postgresql
x share/examples/snort/gen-msg.map-sample <- copied to gen-msg.map
x share/examples/snort/reference.config-sample <- copied to reference.config
x share/examples/snort/sid-msg.map-sample <- copied to sid-msg.map
x share/examples/snort/snort.conf-sample <- copied to snort.conf
x share/examples/snort/threshold.conf-sample <- copied to threshold.conf
x share/examples/snort/unicode.map-sample <- copied to unicode.map
x share/doc/snort <- multiple files, omitted here
x etc/rc.d/snort

These are the configuration options for Snort.

===> The following configuration options are available for snort-2.8.2.2_2:
DYNAMIC=on (default) "Enable dynamic plugin support"
FLEXRESP=off (default) "Flexible response to events"
FLEXRESP2=off (default) "Flexible response to events (version 2)"
MYSQL=off (default) "Enable MySQL support"
ODBC=off (default) "Enable ODBC support"
POSTGRESQL=off (default) "Enable PostgreSQL support"
PRELUDE=off (default) "Enable Prelude NIDS integration"
PERPROFILE=off (default) "Enable Performance Profiling"
SNORTSAM=off (default) "Enable output plugin to SnortSam"
===> Use 'make config' to modify these settings

I'm glad dynamic plugin support is enabled, but disappointed to see performance profiling disabled. The --enable-timestats option isn't available via the port at all, apparently.

The FreeBSD port/package can't ship with rules, so you need to download your own rules from Sourcefire, along with any Emerging Threats rules you might want to enable. You then need to edit the snort.conf file to account for your HOME_NET and rule preferences.

The barnyard-sguil-0.2.0_5 package installed the following.

x bin/barnyard
x etc/barnyard.conf-sample <- copied to etc/barnyard.conf by the port
x share/doc/barnyard <- multiple files, omitted here
x etc/rc.d/barnyard

I noticed the barnyard.conf only contained

output sguil

Usually we need something like this:

output sguil: sensor_name sensornamegoeshere

When done, the following packages are installed:

tao# pkg_info
barnyard-sguil-0.2.0_5 An output system for Snort (patched for sguil)
mysql-client-5.0.67_1 Multithreaded SQL database (client)
pcre-7.7_1 Perl Compatible Regular Expressions library
sguil-sensor-0.7.0_2 Sguil is a network security monitoring program
snort-2.8.2.1_1 Lightweight network intrusion detection system
tcl-8.4.19,1 Tool Command Language
tclX-8.4_1 Extended TCL
tcltls-1.6 SSL extensions for TCL; dynamicly loadable

Because I want this test system to host the Sguil server too, I decided to move to that phase of the testing.

Before adding the sguil-server package, I needed to install MySQL server 5.0. This is due to the configuration options:

===> The following configuration options are available for sguil-server-0.7.0_2:
MYSQL50=off (default) "Install mysql50 server"
===> Use 'make config' to modify cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365se settings

I assume this is the case because the port maintainer prefers running MySQL on one system and the Sguil server on another.

Therefore, I install MySQL server 5.0 using pkg_add -vr mysql50-server.

Next I stopped MySQL via /usr/local/etc/rc.d/mysql stop. This is critical for the next step in the process.

I installed sguil-server next via pkg_add -vr sguil-server.

The sguil-server-0.7.0_2 package installed the following.

x bin/archive_sguildb.tcl
x bin/incident_report.tcl
x bin/sguild
x etc/sguil-server/autocat.conf-sample
x etc/sguil-server/sguild.access-sample
x etc/sguil-server/sguild.conf-sample
x etc/sguil-server/sguild.email-sample
x etc/sguil-server/sguild.queries-sample
x etc/sguil-server/sguild.reports-sample
x etc/sguil-server/sguild.users-sample
x lib/sguil-server/SguildAccess.tcl
x lib/sguil-server/SguildAutoCat.tcl
x lib/sguil-server/SguildClientCmdRcvd.tcl
x lib/sguil-server/SguildConnect.tcl
x lib/sguil-server/SguildCreateDB.tcl
x lib/sguil-server/SguildEmailEvent.tcl
x lib/sguil-server/SguildEvent.tcl
x lib/sguil-server/SguildGenericDB.tcl
x lib/sguil-server/SguildGenericEvent.tcl
x lib/sguil-server/SguildHealthChecks.tcl
x lib/sguil-server/SguildLoaderd.tcl
x lib/sguil-server/SguildMysqlMerge.tcl
x lib/sguil-server/SguildPadsLib.tcl
x lib/sguil-server/SguildQueryd.tcl
x lib/sguil-server/SguildReportBuilder.tcl
x lib/sguil-server/SguildSendComms.tcl
x lib/sguil-server/SguildSensorAgentComms.tcl
x lib/sguil-server/SguildSensorCmdRcvd.tcl
x lib/sguil-server/SguildTranscript.tcl
x lib/sguil-server/SguildUtils.tcl
x share/sguil-server/create_ruledb.sql
x share/sguil-server/create_sguildb.sql
x share/sguil-server/migrate_event.tcl
x share/sguil-server/migrate_sancp.tcl
x share/sguil-server/sancp_cleanup.tcl
x share/sguil-server/update_0.7.tcl
x share/sguil-server/update_sguildb_v5-v6.sql
x share/sguil-server/update_sguildb_v6-v7.sql
x share/sguil-server/update_sguildb_v7-v8.sql
x share/sguil-server/update_sguildb_v8-v9.sql
x share/sguil-server/update_sguildb_v9-v10.sql
x share/sguil-server/update_sguildb_v10-v11.sql
x share/sguil-server/update_sguildb_v11-v12.sql
x share/doc/sguil-server/CHANGES
x share/doc/sguil-server/FAQ
x share/doc/sguil-server/INSTALL
x share/doc/sguil-server/INSTALL.openbsd
x share/doc/sguil-server/LICENSE.QPL
x share/doc/sguil-server/OPENSSL.README
x share/doc/sguil-server/TODO
x share/doc/sguil-server/UPGRADE
x share/doc/sguil-server/USAGE
x share/doc/sguil-server/sguildb.dia
x etc/rc.d/sguild

What came next was very interesting. The port maintainer created a script to help set up the server. I'll show relevant excerpts.

Running pre-install for sguil-server-0.7.0_2..
This sguild install script creates a "turnkey" install
of sguild, including configuing the database and conf files
and user accounts so that sguild can be started immediately.

You may have already done all this (especially if this is an upgrade)
and may not be interested in iterating through cert creation and
everything else that the script does.

This portion of the script creates user and group accounts named "sguil".
Would you like to opt out of this portion of the install script
n
==> Pre-installation configuration of sguil-server-0.7.0_2
User 'sguil' create successfully.
sguil:*:1002:1002::0:0:User &:/home/sguil:/usr/sbin/nologin
...edited...
Running post-install for sguil-server-0.7.0_2..
This sguild install script creates a "turnkey" install
of sguild, including configuing the database and conf files
and user accounts so that sguild can be started immediately.

You may have already done all this (especially if this is an upgrade)
and may not be interested in iterating through cert creation and
everything else that the script does.

Would you like to opt out of the entire install script
and configure sguild manually yourself?
n
There are a few things that need to be done to complete the install.
First, you need to create certs so that the ssl connections between server and
sensors will work, you need to create the database, the account to access it and
the tables for the database and you need to create the directories where all the
data will be stored. (You will also need to edit the conf files for your setup.)


If you haven't already done this, I can do it for you now.
Would you like to create certs now? (y for yes, n for no)
y
Creating /usr/local/etc/sguil-server/certs ....
First we need to create a password-protected CA cert.

(The Common Name should be the FQHN of your squil server.)
Generating a 1024 bit RSA private key
.....++++++
.......................................++++++
writing new private key to 'privkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:VA
Locality Name (eg, city) []:M
Organization Name (eg, company) [Internet Widgits Pty Ltd]:T
Organizational Unit Name (eg, section) []:O
Common Name (eg, YOUR name) []:R
Email Address []:o

Please enter cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 following 'extra' attributes
to be sent with your certificate request
A challenge password []:sguil
An optional company name []:
Now we need to create cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 actual certificate for your server.
Signature ok
subject=/C=US/ST=VA/L=M/O=T/OU=O/CN=R/emailAddress=o
Getting CA Private Key
Enter pass phrase for privkey.pem:
Finally, we need to move the certs to the '/usr/local/etc/sguil-server/certs}' directory
and clean up the port directory as well.
mv: rename /a/ports/security/sguil-server/sguild.key to /usr/local/etc/sguil-server/certs/sguild.key:
No such file or directory
mv: rename /a/ports/security/sguil-server/sguild.pem to /usr/local/etc/sguil-server/certs/sguild.pem:
No such file or directory
rm: /a/ports/security/sguil-server/CA.pem: No such file or directory
rm: /a/ports/security/sguil-server/privkey.pem: No such file or directory
rm: /a/ports/security/sguil-server/sguild.req: No such file or directory
rm: /a/ports/security/sguil-server/file.sr1: No such file or directory

Those errors happen because the script was written with the assumption that it would be run from a ports installation, not a package installation. I emailed the ports maintainer to see if the problem can be fixed.

Is the installation of mysql brand new and unaltered?
By default, when mysql is installed, it creates five accounts.
None of those accounts are protected by passwords. That needs to be corrected.
The five accounts are:
root@localhost
root@127.0.0.1
root@tao.taosecurity.com
@localhost
@tao.taosecurity.com
I can remove all of the accounts except root@localhost (highly recommended)
and I can set the password for the root@localhost account. (If you get an error
don't worry about it. The account may not have been created to begin with.
Would you like me to do that now?
y
Enabling mysql in /etc/rc.conf and starting the server.....
It appears that mysql is already enabled!

The mysql pid is ....
Starting mysql.
Deleting users from mysql......
All done deleting.......
What would you like root@localhost's password to be?
root
Would you like to bind mysql to localhost so it only listens on that address?

y
The mysql pid is 1694.....
Stopping mysql.
Waiting for PIDS: 1694.
Starting mysql.
Would you like to create the database to store all nsm data?

y
NOTE: If you're upgrading, you do NOT want to do this! You want to upgrade.
./+INSTALL: cannot open /work/a/ports/security/sguil-server/work/sguil-0.7.0/server/sql_scripts/create_sguildb.sql:
No such file or directory

This error is similar to the previous error. I also emailed the port maintainer.

Would you like to create a user "sguild@localhost" for database access?

y
Please enter the password that you want to use for the sguild account.

sguil
Creating account for sguild with access to sguildb.....
Would you like to create the data directory and all its subdirectories?

y
What do you want the name of the main directory to be?
(Be sure to include the full path to the directory - e.g. /var/nsm)
/var/nsm
The main directory will be named '/var/nsm'.
Creating /var/nsm ....
Creating /var/nsm/archives ....
Creating /var/nsm/rules ....
Creating /var/nsm/load ....
Would you like to enable sguild in /etc/rc.conf?

y
iWriting to /etc/rc.conf....

If the sguild.conf file does not exist, I will create and edit it now.

Preparing to edit the sguild.conf file......
You still need to review all the conf files and configure sguil
per your desired setup before starting sguild. Refer to the port docs in
/usr/local/share/doc/sguil-server before proceeding.

Right now, all the conf files except sguild.conf are set to the defaults.
...edited...

That ends the need for user input. The final step advises the user on other required changes.

***********************************
* !!!!!!!!!!! WARNING !!!!!!!!!!! *
***********************************

PLEASE NOTE: If you are upgrading from a previous version,
read the UPGRADE doc (in /usr/local/share/doc/sguil-server) before proceeding!!!
Some noteworthy changes in version 0.7.0:
SSL is now required for server, sensor and client.
The sguild.conf and sguild.email files have changed.
You MUST run the upgrade_0.7.tcl script to clean up and
prepare the database before running the new version. BE SURE
TO BACK UP YOUR DATABASE BEFORE PROCEEDING!!!

If you had existing config files in /usr/local/etc/sguil-server
they were not overwritten. If this is a first time install, you
must copy the sample files to the corresponding conf file and
edit the various config files for your site. See the INSTALL
doc in /usr/local/share/doc/sguil-server for details. If this is an upgrade, replace
your existing conf file with the new one and edit accordingly.

The sql scripts for creating database tables were placed in
the /usr/local/share/sguil-server/ directory. PLEASE
NOTE: LOG_DIR is not set by this install. You MUST create the
correct LOG_DIRS and put a copy of the snort rules you use in
LOG_DIR/rules.

The sguild, archive_sguildb.tcl and incident_report.tcl scripts
were placed in /usr/local/bin/. The incident_report.tcl
script is from the contrib section. There is no documentation
and the script's variables must be edited before it is used.

A startup script, named sguild.sh was installed in
/usr/local/etc/rc.d/. To enable it, edit /etc/rc.conf
per the instructions in the script.

NOTE: Sguild now runs under the sguil user account not root!

At the end of the process the system had these packages installed.

tao# pkg_info
barnyard-sguil-0.2.0_5 An output system for Snort (patched for sguil)
mysql-client-5.0.67_1 Multithreaded SQL database (client)
mysql-server-5.0.67_1 Multithreaded SQL database (server)
mysqltcl-3.05 TCL module for accessing MySQL databases based on msqltcl
p0f-2.0.8 Passive OS fingerprinting tool
pcre-7.7_1 Perl Compatible Regular Expressions library
sguil-sensor-0.7.0_2 Sguil is a network security monitoring program
sguil-server-0.7.0_2 Sguil is a network security monitoring program
snort-2.8.2.1_1 Lightweight network intrusion detection system
tcl-8.4.19,1 Tool Command Language
tclX-8.4_1 Extended TCL
tcllib-1.10_1 A collection of utility modules for Tcl
tcltls-1.6 SSL extensions for TCL; dynamicly loadable
tcpflow-0.21_1 A tool for capturing data transmitted as part of TCP connec

If I wanted to go from here to actually run the Sguil server, I would have to manually create the database and certificates. Once the script is fixed I shouldn't have to do that.

The major configuration issue that remains is ensuring that data is being written to logical locations. This primarily means pcap data is stored in a partition that can accommodate it, and the database is located in a partition that can handle growing tables.
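A quick way to verify that point before the sensor starts filling disks, as an added shell example that is not from the original post, the Sguil port or NSMnow: it reports which filesystem backs each NSM data path and flags a path that shares the root filesystem or is already past a usage threshold. The paths (NSMnow's default /nsm/sensor_data from the prompts later in this page, and the Debian/Ubuntu MySQL datadir /var/lib/mysql) and the 80% threshold are assumptions; override them with the environment variables.

```shell
# Added example (not from the original post, the Sguil port or NSMnow).
# Assumed defaults: NSMnow's sensor data path and the Debian/Ubuntu MySQL datadir.
NSM_PCAP_DIR="${NSM_PCAP_DIR:-/nsm/sensor_data}"
NSM_DB_DIR="${NSM_DB_DIR:-/var/lib/mysql}"
NSM_DISK_WARN="${NSM_DISK_WARN:-80}"   # warn when the filesystem is this full (%)

# Pull "used percent" (column 5, e.g. "43%") and "mount point" (column 6)
# out of one POSIX `df -P` data line. Mount points containing spaces are not handled.
df_line_pct()   { printf '%s\n' "$1" | awk '{ sub(/%/, "", $5); print $5 }'; }
df_line_mount() { printf '%s\n' "$1" | awk '{ print $6 }'; }

# Classify one df -P data line against a threshold, without touching the disk:
#   full        - at or above the threshold
#   shared-root - lives on "/" and will compete with the OS for space
#   ok          - dedicated filesystem with room left
classify_df_line() {
    pct=$(df_line_pct "$1")
    mnt=$(df_line_mount "$1")
    [ "$pct" -ge "$2" ] && { echo full; return; }
    [ "$mnt" = "/" ] && { echo shared-root; return; }
    echo ok
}

# The df -P data line for the filesystem that would hold $1. Walks up to the
# nearest existing ancestor so the check works before the directory exists.
df_line_for() {
    p=$1
    while [ ! -e "$p" ] && [ "$p" != "/" ]; do
        p=$(dirname "$p")
    done
    df -P "$p" 2>/dev/null | awk 'NR == 2'
}

# Print "<path> <mount> <used%> <verdict>" for one NSM data path.
# Returns 1 when the verdict is anything other than "ok".
check_nsm_path() {
    line=$(df_line_for "$1")
    if [ -z "$line" ]; then
        echo "$1: cannot determine its filesystem" >&2
        return 1
    fi
    verdict=$(classify_df_line "$line" "$NSM_DISK_WARN")
    printf '%s %s %s%% %s\n' "$1" "$(df_line_mount "$line")" \
        "$(df_line_pct "$line")" "$verdict"
    [ "$verdict" = ok ]
}

# Check the pcap store and the database directory; exit non-zero if either
# needs attention, so this can run from a pre-start hook or a cron job.
main() {
    rc=0
    for d in "$NSM_PCAP_DIR" "$NSM_DB_DIR"; do
        check_nsm_path "$d" || rc=1
    done
    return $rc
}

main "$@"
```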

I think it should be clear at this point that the easiest way to try Sguil is to use NSMNow. I recommend that only for demo installations, although you can tweak the installation to put what you want in locations you like.


Richard Bejtlich is teaching new classes in DC and Europe in 2009. Register by 1 Jan and 1 Feb, respectively, for the best rates.

Monday, December 29, 2008

Installing Sguil Using NSMNow



In my post NSM-Friendly VMware Lab Setup I mentioned wanting to use NSMNow to install Sguil on Ubuntu 8.04 for student use in my next class. I had tried the Securix-NSM live CD but I had not tried installing Sguil using the same project's NSMNow scripts. I just did it:


root@twsu804:/usr/local/src# wget http://www.securixlive.com/download/nsmnow/NSMnow-1.1.1.tar.gz
--22:14:38-- http://www.securixlive.com/download/nsmnow/NSMnow-1.1.1.tar.gz
=> `NSMnow-1.1.1.tar.gz'
Resolving www.securixlive.com... 202.191.61.156
Connecting to www.securixlive.com|202.191.61.156|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 164,613 (161K) [application/x-gzip]

100%[====================================>] 164,613 53.85K/s

22:14:42 (53.80 KB/s) - `NSMnow-1.1.1.tar.gz' saved [164613/164613]

root@twsu804:/usr/local/src# tar -xzvf NSMnow-1.1.1.tar.gz
NSMnow-1.1.1/
NSMnow-1.1.1/NSMnow-core
NSMnow-1.1.1/RELEASE.NOTES
NSMnow-1.1.1/templates/
NSMnow-1.1.1/templates/lib/
NSMnow-1.1.1/templates/lib/lib-console-utils
NSMnow-1.1.1/templates/init/
NSMnow-1.1.1/templates/init/sancpd
NSMnow-1.1.1/templates/init/snortl-newday
NSMnow-1.1.1/templates/init/snortu
NSMnow-1.1.1/templates/init/pcap_agent
NSMnow-1.1.1/templates/init/barnyard2
NSMnow-1.1.1/templates/init/sguild
NSMnow-1.1.1/templates/init/snort_agent
NSMnow-1.1.1/templates/init/snortl
NSMnow-1.1.1/templates/init/sancp_agent
NSMnow-1.1.1/templates/rules/
NSMnow-1.1.1/templates/rules/pop3.rules
NSMnow-1.1.1/templates/rules/finger.rules
NSMnow-1.1.1/templates/rules/dos.rules
NSMnow-1.1.1/templates/rules/shellcode.rules
NSMnow-1.1.1/templates/rules/dns.rules
NSMnow-1.1.1/templates/rules/attack-responses.rules
NSMnow-1.1.1/templates/rules/local.rules
NSMnow-1.1.1/templates/rules/icmp-info.rules
NSMnow-1.1.1/templates/rules/policy.rules
NSMnow-1.1.1/templates/rules/web-cgi.rules
NSMnow-1.1.1/templates/rules/ddos.rules
NSMnow-1.1.1/templates/rules/mysql.rules
NSMnow-1.1.1/templates/rules/oracle.rules
NSMnow-1.1.1/templates/rules/other-ids.rules
NSMnow-1.1.1/templates/rules/icmp.rules
NSMnow-1.1.1/templates/rules/experimental.rules
NSMnow-1.1.1/templates/rules/chat.rules
NSMnow-1.1.1/templates/rules/info.rules
NSMnow-1.1.1/templates/rules/web-attacks.rules
NSMnow-1.1.1/templates/rules/nntp.rules
NSMnow-1.1.1/templates/rules/telnet.rules
NSMnow-1.1.1/templates/rules/scan.rules
NSMnow-1.1.1/templates/rules/rservices.rules
NSMnow-1.1.1/templates/rules/web-php.rules
NSMnow-1.1.1/templates/rules/bad-traffic.rules
NSMnow-1.1.1/templates/rules/snmp.rules
NSMnow-1.1.1/templates/rules/web-coldfusion.rules
NSMnow-1.1.1/templates/rules/tftp.rules
NSMnow-1.1.1/templates/rules/ftp.rules
NSMnow-1.1.1/templates/rules/misc.rules
NSMnow-1.1.1/templates/rules/multimedia.rules
NSMnow-1.1.1/templates/rules/web-frontpage.rules
NSMnow-1.1.1/templates/rules/imap.rules
NSMnow-1.1.1/templates/rules/porn.rules
NSMnow-1.1.1/templates/rules/web-client.rules
NSMnow-1.1.1/templates/rules/netbios.rules
NSMnow-1.1.1/templates/rules/p2p.rules
NSMnow-1.1.1/templates/rules/rpc.rules
NSMnow-1.1.1/templates/rules/web-misc.rules
NSMnow-1.1.1/templates/rules/backdoor.rules
NSMnow-1.1.1/templates/rules/pop2.rules
NSMnow-1.1.1/templates/rules/exploit.rules
NSMnow-1.1.1/templates/rules/sql.rules
NSMnow-1.1.1/templates/rules/virus.rules
NSMnow-1.1.1/templates/rules/x11.rules
NSMnow-1.1.1/templates/rules/smtp.rules
NSMnow-1.1.1/templates/rules/deleted.rules
NSMnow-1.1.1/templates/rules/web-iis.rules
NSMnow-1.1.1/LICENCE
NSMnow-1.1.1/NSMnow.conf
NSMnow-1.1.1/libs/
NSMnow-1.1.1/libs/barnyard2.pm
NSMnow-1.1.1/libs/utils.pm
NSMnow-1.1.1/libs/sguilsensor.pm
NSMnow-1.1.1/libs/sguilclient.pm
NSMnow-1.1.1/libs/utils.sh
NSMnow-1.1.1/libs/mysql.pm
NSMnow-1.1.1/libs/sguiltools.pm
NSMnow-1.1.1/libs/tcl.pm
NSMnow-1.1.1/libs/os.pm
NSMnow-1.1.1/libs/buildessential.pm
NSMnow-1.1.1/libs/sguilserver.pm
NSMnow-1.1.1/libs/os.sh
NSMnow-1.1.1/libs/snort.pm
NSMnow-1.1.1/libs/sancp.pm
NSMnow-1.1.1/README
NSMnow-1.1.1/INSTALL
NSMnow-1.1.1/NSMnow.log
NSMnow-1.1.1/run-init
NSMnow-1.1.1/NSMnow
NSMnow-1.1.1/README.apparmor
NSMnow-1.1.1/MANUAL

root@twsu804:/usr/local/src# cd NSMnow-1.1.1/

root@twsu804:/usr/local/src/NSMnow-1.1.1# ls
INSTALL MANUAL NSMnow-core README.apparmor templates
libs NSMnow NSMnow.log RELEASE.NOTES
LICENCE NSMnow.conf README run-init

root@twsu804:/usr/local/src/NSMnow-1.1.1# ./NSMnow -i

Allow pre-checks to install requisite packages [Y]:
[2008/12/29 22:18:05] #1 - Performing NSMnow pre-checks.
[2008/12/29 22:21:06] #1 - Pre-checks completed successully
[2008/12/29 22:21:06] #1 - Detected platform: UBUNTU
[2008/12/29 22:21:06] #1 - Action: Installing package(s).

Download Directory
Path where all downloaded files will be saved to
[./source]:

Source Directory
Path where all source tarballs will be extracted to
[./source]:

Sensor Name
A unique name given to deliniate sensors from one another
[sensor1]: twsu804a

Sensor Interface
Enter the interface that this sesnor will be monitoring
[eth0]: eth1

Configuration Path
Path to where all sensor related configuration files will be stored
[/etc/nsm]:

Sensor Data Path
Path to where all sensor captured information will be stored
[/nsm/sensor_data]:

Server Host
Hostname or IP of the server component that this sensor will connect to
[localhost]:

Server Name
A unique name given to deliniate servers from one another
[server1]:

Server Data Path
Path to where all server collected information will be stored
[/nsm/server_data]:

Server Database Name
Name of the sguil database which will store all sguil correlated information.
[sguildb]:

Server Database User
Name of the user who will have access rights to the sguil database.
[sguil]:

Server Database Password
Password of the user who will have access rights to the sguil database.
[password]: sguil

Client User
Name of the sguil client user who will have access the sguil server.
[sguil]:

Client Password
Password of the sguil client user who will have access to the sguil server.
[password]: sguil

Server Host
Hostname or IP of the server component that this client will connect to
[localhost]:
[2008/12/29 22:23:16] #1 - Installing package: mysql
[2008/12/29 22:23:16] #1 - Installing with: apt-get -y install mysql-server
[2008/12/29 22:28:22] #1 - Installing package: tcl
[2008/12/29 22:28:22] #1 - Installing with: apt-get -y install tcl8.3
itcl3 mysqltcl tcltls tcllib tcl8.3-dev iwidgets4 tclx8.4 itk3 tcl8.4 tk8.4
[2008/12/29 22:29:23] #1 - Installing package: buildessential
[2008/12/29 22:29:23] #1 - Installing with: apt-get -y install libpcre3-dev
libpcap0.8-dev build-essential
[2008/12/29 22:29:43] #1 - Installing package: snort
Download snort tarball? [Y]: y
[2008/12/29 22:39:37] #1 - Configuring with: ./configure --enable-perfprofiling
[2008/12/29 22:40:29] #1 - Compiling with: make
[2008/12/29 22:43:50] #1 - Installing with: make install
[2008/12/29 22:44:02] #1 - Installing package: barnyard2
Download barnyard2 tarball? [Y]: y
[2008/12/29 22:44:29] #1 - Configuring with: ./configure --with-tcl=/usr/lib/tcl8.3
[2008/12/29 22:44:54] #1 - Compiling with: make
[2008/12/29 22:45:10] #1 - Installing with: make install
[2008/12/29 22:45:10] #1 - Installing package: sancp
Download sancp tarball? [Y]: y
[2008/12/29 22:45:18] #1 - Compiling with: make linux
[2008/12/29 22:45:37] #1 - Installing with: cp sancp /usr/local/bin
[2008/12/29 22:45:37] #1 - Installing package: sguilsensor
Download sguil-sensor (sguil) package(s)? [Y]: y
[2008/12/29 22:46:09] #1 - Installing sguil-sensor binaries
[2008/12/29 22:46:10] #1 - Installing package: sguilclient
[2008/12/29 22:46:10] #1 - Installing sguil-client library files
[2008/12/29 22:46:10] #1 - Installing sguil-client binary
[2008/12/29 22:46:10] #1 - Installing package: sguilserver
[2008/12/29 22:46:10] #1 - Installing sguil-server library files
[2008/12/29 22:46:10] #1 - Installing sguil-server binary
[2008/12/29 22:46:10] #1 - Installing package: sguiltools
[2008/12/29 22:46:10] #1 - Installing with: apt-get -y install wireshark p0f tcpflow tcpdump
[2008/12/29 22:47:24] #1 - Configuring package: mysql
* Stopping MySQL database server mysqld [ OK ]
* Stopping MySQL database server mysqld [ OK ]
Reloading AppArmor profiles : done.
* Starting MySQL database server mysqld [ OK ]
* Checking for corrupt, not cleanly closed and upgrade needing tables.
[2008/12/29 22:48:07] #1 - Configuring package: tcl
[2008/12/29 22:48:10] #1 - Configuring package: buildessential
[2008/12/29 22:48:10] #1 - Configuring package: snort
[2008/12/29 22:48:10] #1 - Generating snort config file: /etc/nsm/twsu804a/snort.conf
[2008/12/29 22:48:11] #1 - Configuring package: barnyard2
[2008/12/29 22:48:11] #1 - Generating barnyard2 config file: /etc/nsm/twsu804a/barnyard2.conf
[2008/12/29 22:48:12] #1 - Configuring package: sancp
[2008/12/29 22:48:12] #1 - Generating sancp config file: /etc/nsm/twsu804a/sancp.conf
[2008/12/29 22:48:12] #1 - Configuring package: sguilsensor
[2008/12/29 22:48:12] #1 - Generating sensor agent config file(s)
[2008/12/29 22:48:12] #1 - Configuring package: sguilclient
[2008/12/29 22:48:12] #1 - Generating sguil-client config file: /etc/sguil/sguil.conf
[2008/12/29 22:48:12] #1 - Configuring package: sguilserver
[2008/12/29 22:48:12] #1 - Configuring AppArmor profile
[2008/12/29 22:48:12] #1 - Ensure you restart AppArmor to apply changes
[2008/12/29 22:48:12] #1 - Generating sguil-server config file: /etc/sguild/sguild.conf
[2008/12/29 22:48:13] #1 - Updating sguild init file: /etc/init.d/sguild
Copy default rules file(s)? [Y]: y
What Sensor name is to be associated with these rules [sensor1]: twsu804a
[2008/12/29 22:49:20] #1 - Creating the CA certificate
[2008/12/29 22:49:22] #1 - Creating certificate request for: server1
[2008/12/29 22:49:22] #1 - Signing server certificate for: server1
[2008/12/29 22:49:22] #1 - Adding client user "sguil" to sguil server ACL.
[2008/12/29 22:49:22] #1 - Creating database and initial user.

You will need the mysql root password.
Enter password:
[2008/12/29 22:49:29] #1 - Configuring package: sguiltools
[2008/12/29 22:49:29] #1 - Completed installing package(s) successfully.

NOTE: Snort can log in either UTC or the localtime, so firstly make sure that all machines
are synced together. Secondly, either set the timezone on all machines to UTC or set the
timezone on all machines to the same and remove the $UTC variable from the OPTIONS variable
in both /etc/init.d/snortu and /etc/init.d/snortl

I decided to comment out the $UTC variable in the two scripts. Then I started the programs.

root@twsu804:/usr/local/src/NSMnow-1.1.1# ./run-init start
Starting - sguil server (sguild) [ OK ]
Starting - sguil: sensor snort_agent (snort_agent) [ OK ]
Starting - sguil: sensor pcap_agent (pcap_agent) [ OK ]
Starting - sguil: sensor sancp_agent (sancp_agent) [ OK ]
Starting - snort: IDS mode, unified output (snort_unified) [ OK ]
* output in /nsm/sensor_data/twsu804a, /ssn_logs, /portscans
Starting - barnyard2 (barnyard2) [ OK ]
* created directory: /var/log/barnyard2
* created directory: /var/log/barnyard2/twsu804a
Starting - sancp: session logging (sancpd) [ OK ]
* output in /nsm/sensor_data/twsu804a/sancp
Starting - snort: logging mode (snort_packetlogging) [ OK ]
* output in /nsm/sensor_data/twsu804a/dailylogs/2008-12-30
* created directory: /nsm/sensor_data/twsu804a/dailylogs
* created directory: /nsm/sensor_data/twsu804a/dailylogs/2008-12-30
* disk space currently at 43%
root@twsu804:/usr/local/src/NSMnow-1.1.1#

At this point I could start a user terminal, type sguil.tk, and start using the Sguil console. The only real change I made was to alter the default fonts. I would probably consolidate the three panels into 1 as well.

Very impressive! Great work guys.
