
Friday, June 25, 2010

Dealing with Security Instrumentation Failures

I noticed three interesting blog posts that address security instrumentation failures.

First, security software developer Charles Smutz posted Flushing Out Leaky Taps:

How many packets does your tapping infrastructure drop before ever reaching your network monitoring devices? How do you know?

I’ve seen too many environments where tapping problems have caused network monitoring tools to provide incorrect or incomplete results. Often these issues last for months or years without being discovered, if ever...

One thing to keep in mind when worrying about loss due to tapping is that you should probably solve, or at least quantify, any packet loss inside your network monitoring devices before you worry about packet loss in the taps. You need to have strong confidence in the accuracy of your network monitoring devices before you use data from them to debug loss by your taps. Remember, in most network monitoring systems there are multiple places where packet loss is reported...

I’m not going to discuss in detail the many things that can go wrong in getting packets from your network to a network monitoring tool... I will focus largely on the resulting symptoms and how to detect, and to some degree, quantify them. I’m going to focus on two very common cases: low volume packet loss and unidirectional (simplex) visibility.


Read Charles' post to learn ways he deals with these issues.

Next I'd like to point to this post by the West Point Information Technology Operations Center on Misconfiguration Issue of NSA SPAN Port:

Thanks to the input we have already received on the 2009 CDX dataset, we have identified an issue in the way the NSA switch was configured. Specifically, we believe the span port from which our capture node was placed was configured for unidirectional listening. This resulted in our capture node only "hearing" received traffic from the red cell.

Doh. This is a good reminder to test your captures, as Charles recommends!
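Both problems quoted above, low-volume packet loss upstream of the sensor and simplex (one-way) visibility from a misconfigured SPAN port, leave fingerprints in the capture itself. The following is an added example, not code from either post: a standard-library Python audit that parses a classic libpcap file, groups TCP packets into bidirectional flows, flags flows where only one side was ever seen, and counts packets in which a peer acknowledges bytes the sensor never saw (the "ACKed unseen segment" symptom of a leaky tap). The capture it runs on is constructed inline; addresses, ports and sequence numbers are made up.

```python
import struct
from collections import defaultdict

ETH_IPV4 = 0x0800
TCP_FIN, TCP_SYN, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x08, 0x10


def parse_pcap(data):
    """Yield raw frames from a classic libpcap byte string (either byte order)."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet (DLT_EN10MB) captures are handled here")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def parse_tcp(frame):
    """Return (src, dst, seq, ack, flags, payload_len) for IPv4/TCP frames, else None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_IPV4:
        return None
    ip = frame[14:]
    ihl, total_len, proto = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0], ip[9]
    if proto != 6:
        return None
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:total_len]
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    payload_len = len(tcp) - (off_flags >> 12) * 4
    return f"{src}:{sport}", f"{dst}:{dport}", seq, ack, off_flags & 0x1FF, payload_len


def audit_flows(pcap_bytes):
    """Per bidirectional TCP flow: was only one side seen, and were unseen bytes ACKed?
    Sequence-number wraparound is ignored, which is fine for short captures."""
    flows = defaultdict(lambda: {"pkts": defaultdict(int), "seq_end": {}, "acked_unseen": 0})
    for frame in parse_pcap(pcap_bytes):
        pkt = parse_tcp(frame)
        if pkt is None:
            continue
        src, dst, seq, ack, flags, plen = pkt
        f = flows[tuple(sorted((src, dst)))]
        f["pkts"][src] += 1
        # Highest sequence number this endpoint has sent; SYN and FIN each consume one.
        end = seq + plen + bool(flags & TCP_SYN) + bool(flags & TCP_FIN)
        f["seq_end"][src] = max(f["seq_end"].get(src, 0), end)
        # The peer acknowledges a byte we never saw on the wire: something between the
        # network and the sensor (tap, SPAN, NIC ring) dropped a segment in that direction.
        if flags & TCP_ACK and dst in f["seq_end"] and ack > f["seq_end"][dst]:
            f["acked_unseen"] += 1
    return {key: {"simplex": len(f["pkts"]) == 1,
                  "acked_unseen": f["acked_unseen"],
                  "packets": dict(f["pkts"])} for key, f in flows.items()}


def build_frame(src, sport, dst, dport, seq, ack, flags, payload=b""):
    """Construct an Ethernet/IPv4/TCP frame; checksums stay zero, which parsing ignores."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 65535, 0, 0)
    tcp += payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split("."))) + tcp
    return b"\x00" * 12 + struct.pack("!H", ETH_IPV4) + ip


def build_pcap(frames):
    """Wrap frames in a little-endian libpcap file header and per-packet headers."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, fr in enumerate(frames):
        out.append(struct.pack("<IIII", i, 0, len(fr), len(fr)) + fr)
    return b"".join(out)


# Constructed sample capture (not a real trace); hosts A/B and C/D are made up.
A, B, C, D = "10.0.0.5", "10.0.0.80", "10.0.0.9", "10.0.0.80"
SAMPLE_PCAP = build_pcap([
    # Flow 1: both directions visible, but the tap dropped A's second 100-byte request,
    # so B's final ACK (1201) exceeds the last byte we saw A send (1101).
    build_frame(A, 40000, B, 80, 1000, 0, TCP_SYN),
    build_frame(B, 80, A, 40000, 5000, 1001, TCP_SYN | TCP_ACK),
    build_frame(A, 40000, B, 80, 1001, 5001, TCP_ACK | TCP_PSH, b"X" * 100),
    build_frame(B, 80, A, 40000, 5001, 1201, TCP_ACK),
    # Flow 2: simplex visibility; only C's side of the conversation reaches the sensor.
    build_frame(C, 51000, D, 443, 7000, 0, TCP_SYN),
    build_frame(C, 51000, D, 443, 7001, 9001, TCP_ACK | TCP_PSH, b"Y" * 50),
])

if __name__ == "__main__":
    for key, finding in audit_flows(SAMPLE_PCAP).items():
        print(key, finding)
```

Run it against a real capture by replacing SAMPLE_PCAP with the bytes of a pcap taken from the sensor; a high share of simplex flows points at the SPAN or tap, while ACKed-unseen counts on otherwise duplex flows point at drops somewhere on the path to the sensor.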

Finally, Alec Waters discusses weaknesses in SIEMs in his post Si(EM)lent Witness:

[H]ow can we convince someone that the evidence we are presenting is a true and accurate account of a given event, especially in the case where there is little or no evidence from other sources...

[D]idn’t I say that vendors went to great lengths to prevent tampering? They do, but these measures only protect the information on the device already. What if I can contaminate the evidence before it’s under the SIEM’s protection?

The bulk of the information received by an SIEM box comes over UDP, so it’s reasonably easy to spoof a sender’s IP address; this is usually the sole means at the SIEM’s disposal to determine the origin of the message. Also, the messages themselves (syslog, SNMP trap, netflow, etc.) have very little provenance – there’s little or no sender authentication or integrity checking.

Both of these mean it’s comparatively straightforward for an attacker to send, for example, a syslog message that appears to have come from a legitimate server when it’s actually come from somewhere else.

In short, we can’t be certain where the messages came from or that their content is genuine.


Read Alec's post for additional thoughts on the validity of messages sent to SIEMs.
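Since the UDP source address is, as Alec notes, usually the only origin information a SIEM has for a syslog message, one cheap consistency check a collector can run is to compare that address with the hostname the message claims and with an inventory of where each host should log from. The following is an added example, not code from Alec's post or from any SIEM product: it parses RFC 3164-style lines, classifies each datagram, and also flags hostnames that arrive from more than one source address, the trace a spoofed message leaves. The inventory and the sample batch are constructed; a "consistent" verdict only means the unauthenticated fields agree, not that the message is genuine.

```python
import re
from collections import defaultdict

# RFC 3164 style line: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[pid]: message
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:\[ ]+)(\[\d+\])?: ?(?P<msg>.*)$"
)

# Constructed inventory: the one address each logging host is expected to send from.
INVENTORY = {"web01": "10.1.1.10", "db01": "10.1.1.20", "fw01": "10.1.1.1"}


def check_message(src_ip, raw, inventory=INVENTORY):
    """Classify one datagram given the UDP source address the collector recorded.
    'consistent' means the source agrees with inventory; it cannot prove the
    address was not spoofed, since plain syslog carries no sender authentication."""
    m = SYSLOG_RE.match(raw)
    if not m:
        return {"verdict": "unparseable", "src_ip": src_ip, "raw": raw}
    host, pri = m.group("host"), int(m.group("pri"))
    expected = inventory.get(host)
    if expected is None:
        verdict = "unknown-host"
    elif expected != src_ip:
        verdict = "source-mismatch"
    else:
        verdict = "consistent"
    return {"verdict": verdict, "host": host, "src_ip": src_ip, "expected": expected,
            "facility": pri >> 3, "severity": pri & 7, "tag": m.group("tag"),
            "msg": m.group("msg")}


def audit_batch(records, inventory=INVENTORY):
    """Check every (src_ip, raw) pair and report hostnames seen from several sources."""
    results = [check_message(ip, raw, inventory) for ip, raw in records]
    sources = defaultdict(set)
    for r in results:
        if "host" in r:
            sources[r["host"]].add(r["src_ip"])
    multi = {h: sorted(ips) for h, ips in sources.items() if len(ips) > 1}
    return results, multi


# Constructed sample batch: (UDP source address recorded by the collector, datagram).
SAMPLE = [
    ("10.1.1.10", "<38>Jun 25 09:14:02 web01 sshd[2210]: Accepted publickey for ops"),
    ("10.1.1.20", "<86>Jun 25 09:14:05 db01 su: session opened for user root"),
    ("10.1.1.99", "<38>Jun 25 09:14:07 web01 sshd[2211]: Accepted password for root"),
    ("10.1.1.1", "<30>Jun 25 09:14:09 fw01 kernel: DROP IN=eth0 SRC=203.0.113.7"),
    ("10.1.1.50", "<13>Jun 25 09:14:11 lab07 root: test message"),
    ("10.1.1.10", "garbage that is not syslog"),
]

if __name__ == "__main__":
    results, multi = audit_batch(SAMPLE)
    for r in results:
        print(r["verdict"], r.get("host"), r["src_ip"])
    print("hosts seen from several sources:", multi)
```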

Saturday, May 08, 2010

Papers Not PowerPoint, Plus Tips for Improvement

Recently I railed against PowerPoint. In this post I'd like to congratulate Black Hat and some of their Briefings speakers for submitting white papers, not just PowerPoint presentations.

This evening while cleaning out a tmp directory I noticed a copy of a white paper by IBM's Tom Cross from Black Hat DC 2010 titled Exploiting Lawful Intercept to Wiretap the Internet. The paper describes Tom's analysis of Cisco's implementation of CALEA for law enforcement-directed wiretaps. The paper is 18 pages, but the last 3 are basically citations. It's a great piece of work which I wish I had read earlier.

For me, this paper emphasized how much of a failure it is to try to deliver complicated information in PowerPoint form. I got more out of taking 20 minutes to read Tom's 15 pages of material than I could have trying to make sense out of his 41 slides. Tom is a good writer whose paper delivers solid arguments. Rather than just praise the paper and slam the PowerPoint, I'd like to show how Tom did use PowerPoint well so that I keep these ideas in mind when I need to brief audiences.

A speaker I listened to earlier this week said you can't expect an audience to take away more than one point from any slide, so why bother? In fact, if you adapt the ideas of the great Tufte, you should use PowerPoint only as a delivery mechanism for charts, diagrams, and other visuals.

Using this approach, the figure at right which appears in Tom's PowerPoint deck for Black Hat is just the kind of material that should appear in a PowerPoint presentation. You could imagine this diagram being in a handout given to the audience, but during the briefing Tom would no doubt want to point towards specific elements of the diagram while the audience watched. This justifies displaying the figure via PowerPoint, because it is the most effective medium for communicating the information.

I think the SNMP MIB extract displayed at left, also from Tom's PowerPoint, is justified as appearing in a slide. Tom isn't asking the audience to pay attention to every line on the slide, like someone might expect an audience to do with a slide full of bullets. Rather, Tom has highlighted two important excerpts, showing them as proof that within this MIB there are two elements which expose information to attackers. This information could also appear on a handout given to the audience. However, here I like seeing the information to prove Tom's point. It's almost like a "technical figure" for me.

On a related point, I did not see any PowerPoint posted for HD Moore's talk Metasploit and Money. However, HD posted a great 9 page white paper, which is archived. I think I already mentioned via Twitter that I enjoyed this paper, and I wonder if no slides were presented?

To summarize, if you're presenting complicated material, slides are generally not an effective delivery mechanism. At best they can supplement a briefing by being a vehicle for displaying figures or other visuals, but bullets are generally a waste of time. For details why, please see my posts on PowerPoint.

Monday, December 29, 2008

Installing Sguil Using NSMNow



In my post NSM-Friendly VMware Lab Setup I mentioned wanting to use NSMNow to install Sguil on Ubuntu 8.04 for student use in my next class. I had tried the Securix-NSM live CD but I had not tried installing Sguil using the same project's NSMNow scripts. I just did it:


root@twsu804:/usr/local/src# wget http://www.securixlive.com/download/nsmnow/NSMnow-1.1.1.tar.gz
--22:14:38-- http://www.securixlive.com/download/nsmnow/NSMnow-1.1.1.tar.gz
=> `NSMnow-1.1.1.tar.gz'
Resolving www.securixlive.com... 202.191.61.156
Connecting to www.securixlive.com|202.191.61.156|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 164,613 (161K) [application/x-gzip]

100%[====================================>] 164,613 53.85K/s

22:14:42 (53.80 KB/s) - `NSMnow-1.1.1.tar.gz' saved [164613/164613]

root@twsu804:/usr/local/src# tar -xzvf NSMnow-1.1.1.tar.gz
NSMnow-1.1.1/
NSMnow-1.1.1/NSMnow-core
NSMnow-1.1.1/RELEASE.NOTES
NSMnow-1.1.1/templates/
NSMnow-1.1.1/templates/lib/
NSMnow-1.1.1/templates/lib/lib-console-utils
NSMnow-1.1.1/templates/init/
NSMnow-1.1.1/templates/init/sancpd
NSMnow-1.1.1/templates/init/snortl-newday
NSMnow-1.1.1/templates/init/snortu
NSMnow-1.1.1/templates/init/pcap_agent
NSMnow-1.1.1/templates/init/barnyard2
NSMnow-1.1.1/templates/init/sguild
NSMnow-1.1.1/templates/init/snort_agent
NSMnow-1.1.1/templates/init/snortl
NSMnow-1.1.1/templates/init/sancp_agent
NSMnow-1.1.1/templates/rules/
NSMnow-1.1.1/templates/rules/pop3.rules
NSMnow-1.1.1/templates/rules/finger.rules
NSMnow-1.1.1/templates/rules/dos.rules
NSMnow-1.1.1/templates/rules/shellcode.rules
NSMnow-1.1.1/templates/rules/dns.rules
NSMnow-1.1.1/templates/rules/attack-responses.rules
NSMnow-1.1.1/templates/rules/local.rules
NSMnow-1.1.1/templates/rules/icmp-info.rules
NSMnow-1.1.1/templates/rules/policy.rules
NSMnow-1.1.1/templates/rules/web-cgi.rules
NSMnow-1.1.1/templates/rules/ddos.rules
NSMnow-1.1.1/templates/rules/mysql.rules
NSMnow-1.1.1/templates/rules/oracle.rules
NSMnow-1.1.1/templates/rules/other-ids.rules
NSMnow-1.1.1/templates/rules/icmp.rules
NSMnow-1.1.1/templates/rules/experimental.rules
NSMnow-1.1.1/templates/rules/chat.rules
NSMnow-1.1.1/templates/rules/info.rules
NSMnow-1.1.1/templates/rules/web-attacks.rules
NSMnow-1.1.1/templates/rules/nntp.rules
NSMnow-1.1.1/templates/rules/telnet.rules
NSMnow-1.1.1/templates/rules/scan.rules
NSMnow-1.1.1/templates/rules/rservices.rules
NSMnow-1.1.1/templates/rules/web-php.rules
NSMnow-1.1.1/templates/rules/bad-traffic.rules
NSMnow-1.1.1/templates/rules/snmp.rules
NSMnow-1.1.1/templates/rules/web-coldfusion.rules
NSMnow-1.1.1/templates/rules/tftp.rules
NSMnow-1.1.1/templates/rules/ftp.rules
NSMnow-1.1.1/templates/rules/misc.rules
NSMnow-1.1.1/templates/rules/multimedia.rules
NSMnow-1.1.1/templates/rules/web-frontpage.rules
NSMnow-1.1.1/templates/rules/imap.rules
NSMnow-1.1.1/templates/rules/porn.rules
NSMnow-1.1.1/templates/rules/web-client.rules
NSMnow-1.1.1/templates/rules/netbios.rules
NSMnow-1.1.1/templates/rules/p2p.rules
NSMnow-1.1.1/templates/rules/rpc.rules
NSMnow-1.1.1/templates/rules/web-misc.rules
NSMnow-1.1.1/templates/rules/backdoor.rules
NSMnow-1.1.1/templates/rules/pop2.rules
NSMnow-1.1.1/templates/rules/exploit.rules
NSMnow-1.1.1/templates/rules/sql.rules
NSMnow-1.1.1/templates/rules/virus.rules
NSMnow-1.1.1/templates/rules/x11.rules
NSMnow-1.1.1/templates/rules/smtp.rules
NSMnow-1.1.1/templates/rules/deleted.rules
NSMnow-1.1.1/templates/rules/web-iis.rules
NSMnow-1.1.1/LICENCE
NSMnow-1.1.1/NSMnow.conf
NSMnow-1.1.1/libs/
NSMnow-1.1.1/libs/barnyard2.pm
NSMnow-1.1.1/libs/utils.pm
NSMnow-1.1.1/libs/sguilsensor.pm
NSMnow-1.1.1/libs/sguilclient.pm
NSMnow-1.1.1/libs/utils.sh
NSMnow-1.1.1/libs/mysql.pm
NSMnow-1.1.1/libs/sguiltools.pm
NSMnow-1.1.1/libs/tcl.pm
NSMnow-1.1.1/libs/os.pm
NSMnow-1.1.1/libs/buildessential.pm
NSMnow-1.1.1/libs/sguilserver.pm
NSMnow-1.1.1/libs/os.sh
NSMnow-1.1.1/libs/snort.pm
NSMnow-1.1.1/libs/sancp.pm
NSMnow-1.1.1/README
NSMnow-1.1.1/INSTALL
NSMnow-1.1.1/NSMnow.log
NSMnow-1.1.1/run-init
NSMnow-1.1.1/NSMnow
NSMnow-1.1.1/README.apparmor
NSMnow-1.1.1/MANUAL

root@twsu804:/usr/local/src# cd NSMnow-1.1.1/

root@twsu804:/usr/local/src/NSMnow-1.1.1# ls
INSTALL MANUAL NSMnow-core README.apparmor templates
libs NSMnow NSMnow.log RELEASE.NOTES
LICENCE NSMnow.conf README run-init

root@twsu804:/usr/local/src/NSMnow-1.1.1# ./NSMnow -i

Allow pre-checks to install requisite packages [Y]:
[2008/12/29 22:18:05] #1 - Performing NSMnow pre-checks.
[2008/12/29 22:21:06] #1 - Pre-checks completed successully
[2008/12/29 22:21:06] #1 - Detected platform: UBUNTU
[2008/12/29 22:21:06] #1 - Action: Installing package(s).

Download Directory
Path where all downloaded files will be saved to
[./source]:

Source Directory
Path where all source tarballs will be extracted to
[./source]:

Sensor Name
A unique name given to deliniate sensors from one another
[sensor1]: twsu804a

Sensor Interface
Enter the interface that this sesnor will be monitoring
[eth0]: eth1

Configuration Path
Path to where all sensor related configuration files will be stored
[/etc/nsm]:

Sensor Data Path
Path to where all sensor captured information will be stored
[/nsm/sensor_data]:

Server Host
Hostname or IP of the server component that this sensor will connect to
[localhost]:

Server Name
A unique name given to deliniate servers from one another
[server1]:

Server Data Path
Path to where all server collected information will be stored
[/nsm/server_data]:

Server Database Name
Name of the sguil database which will store all sguil correlated information.
[sguildb]:

Server Database User
Name of the user who will have access rights to the sguil database.
[sguil]:

Server Database Password
Password of the user who will have access rights to the sguil database.
[password]: sguil

Client User
Name of the sguil client user who will have access the sguil server.
[sguil]:

Client Password
Password of the sguil client user who will have access to the sguil server.
[password]: sguil

Server Host
Hostname or IP of the server component that this client will connect to
[localhost]:
[2008/12/29 22:23:16] #1 - Installing package: mysql
[2008/12/29 22:23:16] #1 - Installing with: apt-get -y install mysql-server
[2008/12/29 22:28:22] #1 - Installing package: tcl
[2008/12/29 22:28:22] #1 - Installing with: apt-get -y install tcl8.3
itcl3 mysqltcl tcltls tcllib tcl8.3-dev iwidgets4 tclx8.4 itk3 tcl8.4 tk8.4
[2008/12/29 22:29:23] #1 - Installing package: buildessential
[2008/12/29 22:29:23] #1 - Installing with: apt-get -y install libpcre3-dev
libpcap0.8-dev build-essential
[2008/12/29 22:29:43] #1 - Installing package: snort
Download snort tarball? [Y]: y
[2008/12/29 22:39:37] #1 - Configuring with: ./configure --enable-perfprofiling
[2008/12/29 22:40:29] #1 - Compiling with: make
[2008/12/29 22:43:50] #1 - Installing with: make install
[2008/12/29 22:44:02] #1 - Installing package: barnyard2
Download barnyard2 tarball? [Y]: y
[2008/12/29 22:44:29] #1 - Configuring with: ./configure --with-tcl=/usr/lib/tcl8.3
[2008/12/29 22:44:54] #1 - Compiling with: make
[2008/12/29 22:45:10] #1 - Installing with: make install
[2008/12/29 22:45:10] #1 - Installing package: sancp
Download sancp tarball? [Y]: y
[2008/12/29 22:45:18] #1 - Compiling with: make linux
[2008/12/29 22:45:37] #1 - Installing with: cp sancp /usr/local/bin
[2008/12/29 22:45:37] #1 - Installing package: sguilsensor
Download sguil-sensor (sguil) package(s)? [Y]: y
[2008/12/29 22:46:09] #1 - Installing sguil-sensor binaries
[2008/12/29 22:46:10] #1 - Installing package: sguilclient
[2008/12/29 22:46:10] #1 - Installing sguil-client library files
[2008/12/29 22:46:10] #1 - Installing sguil-client binary
[2008/12/29 22:46:10] #1 - Installing package: sguilserver
[2008/12/29 22:46:10] #1 - Installing sguil-server library files
[2008/12/29 22:46:10] #1 - Installing sguil-server binary
[2008/12/29 22:46:10] #1 - Installing package: sguiltools
[2008/12/29 22:46:10] #1 - Installing with: apt-get -y install wireshark p0f tcpflow tcpdump
[2008/12/29 22:47:24] #1 - Configuring package: mysql
* Stopping MySQL database server mysqld [ OK ]
* Stopping MySQL database server mysqld [ OK ]
Reloading AppArmor profiles : done.
* Starting MySQL database server mysqld [ OK ]
* Checking for corrupt, not cleanly closed and upgrade needing tables.
[2008/12/29 22:48:07] #1 - Configuring package: tcl
[2008/12/29 22:48:10] #1 - Configuring package: buildessential
[2008/12/29 22:48:10] #1 - Configuring package: snort
[2008/12/29 22:48:10] #1 - Generating snort config file: /etc/nsm/twsu804a/snort.conf
[2008/12/29 22:48:11] #1 - Configuring package: barnyard2
[2008/12/29 22:48:11] #1 - Generating barnyard2 config file: /etc/nsm/twsu804a/barnyard2.conf
[2008/12/29 22:48:12] #1 - Configuring package: sancp
[2008/12/29 22:48:12] #1 - Generating sancp config file: /etc/nsm/twsu804a/sancp.conf
[2008/12/29 22:48:12] #1 - Configuring package: sguilsensor
[2008/12/29 22:48:12] #1 - Generating sensor agent config file(s)
[2008/12/29 22:48:12] #1 - Configuring package: sguilclient
[2008/12/29 22:48:12] #1 - Generating sguil-client config file: /etc/sguil/sguil.conf
[2008/12/29 22:48:12] #1 - Configuring package: sguilserver
[2008/12/29 22:48:12] #1 - Configuring AppArmor profile
[2008/12/29 22:48:12] #1 - Ensure you restart AppArmor to apply changes
[2008/12/29 22:48:12] #1 - Generating sguil-server config file: /etc/sguild/sguild.conf
[2008/12/29 22:48:13] #1 - Updating sguild init file: /etc/init.d/sguild
Copy default rules file(s)? [Y]: y
What Sensor name is to be associated with these rules [sensor1]: twsu804a
[2008/12/29 22:49:20] #1 - Creating the CA certificate
[2008/12/29 22:49:22] #1 - Creating certificate request for: server1
[2008/12/29 22:49:22] #1 - Signing server certificate for: server1
[2008/12/29 22:49:22] #1 - Adding client user "sguil" to sguil server ACL.
[2008/12/29 22:49:22] #1 - Creating database and initial user.

You will need the mysql root password.
Enter password:
[2008/12/29 22:49:29] #1 - Configuring package: sguiltools
[2008/12/29 22:49:29] #1 - Completed installing package(s) successfully.

NOTE: Snort can log in either UTC or the localtime, so firstly make sure that all machines
are synced together.Secondly, either set the timezone on all machines to UTC or set the
timezone on all machines to the same andremove the $UTC variable from the OPTIONS variable
in both /etc/init.d/snortu and /etc/init.d/snortl

I decided to comment out the $UTC variable in the two scripts. Then I started the programs.

root@twsu804:/usr/local/src/NSMnow-1.1.1# ./run-init start
Starting - sguil server (sguild) [ OK ]
Starting - sguil: sensor snort_agent (snort_agent) [ OK ]
Starting - sguil: sensor pcap_agent (pcap_agent) [ OK ]
Starting - sguil: sensor sancp_agent (sancp_agent) [ OK ]
Starting - snort: IDS mode, unified output (snort_unified) [ OK ]
* output in /nsm/sensor_data/twsu804a, /ssn_logs, /portscans
Starting - barnyard2 (barnyard2) [ OK ]
* created directory: /var/log/barnyard2
* created directory: /var/log/barnyard2/twsu804a
Starting - sancp: session logging (sancpd) [ OK ]
* output in /nsm/sensor_data/twsu804a/sancp
Starting - snort: logging mode (snort_packetlogging) [ OK ]
* output in /nsm/sensor_data/twsu804a/dailylogs/2008-12-30
* created directory: /nsm/sensor_data/twsu804a/dailylogs
* created directory: /nsm/sensor_data/twsu804a/dailylogs/2008-12-30
* disk space currently at 43%
root@twsu804:/usr/local/src/NSMnow-1.1.1#

At this point I could start a user terminal, type sguil.tk, and start using the Sguil console. The only real change I made was to alter the default fonts. I would probably consolidate the three panels into 1 as well.

Very impressive! Great work guys.


Richard Bejtlich is teaching new classes in DC and Europe in 2009. Register by 1 Jan and 1 Feb, respectively, for the best rates.

Friday, July 25, 2008

DNS and the Cyber TARDIS Problem

It's been 16 days since I responded to public notification of DNS problems in Thoughts on Latest Kaminsky DNS Issue, and 4 days since Halvar Flake's post On Dan's request for "no speculation please". Apparently the tubes are still working, since I presume you're reading this post via the Internet and not carrier pigeon. It's still been a remarkable period, characterized by the acronym in the title of this post.

I'm not referring to the TARDIS of Doctor Who, although the centrality of "Time" is the reason I used the TARDIS theme. I mean Time and Relative Data in Security. Time and Relative Data were the key issues in the DNS issue. Who knew more about the problem, and when? Halvar understood this in his post, when he estimated that a savvy attacker would need 1/4 the time of a normal security person to understand the nature of the DNS problem, given the same starting point.

Since Halvar's speculation, Matasano's confirmation, Metasploit's weaponization, and Dan's elaboration, there's been a flurry of offensive and defensive activity. It reminds me somewhat of Y2k: am I still able to use the Internet because DNS administrators have been patching, or are not enough bad guys trying to bother me? It would be nice to see some academics query whatever data (hint) they can find on recent DNS activity to produce some practical research, rather than trying to decipher five year old worm data or yet another port scan. According to this Arbor Networks Blog post by Jose Nazario, his group might have some data to share soon.

I'd like to highlight some of my favorite thoughts from the past few days. I liked FX's post Perception of Vulnerabilities:

The Kaminsky DNS attack is definitively regarded as the most important vulnerability this year. This, I find highly interesting, as we have seen two other gigantic security failures already in 2008. Debian's NRNG (non-random number generator) is most certainly one of them. But honestly, raise your hands if you have even noticed SNMPv3... SNMPv3 is used to manage routers - the routers that forward all your traffic around the world, including your DNS queries. Managing a router means being able to configure it; a.k.a. super user access. Attackers who can configure a router in your path can redirect everything, without you knowing, not just traffic that relies on name resolution.

The weaponization discussion has been great. On one side are people like Hoff and Rich Mogull, who believe the Metasploit team was wrong to weaponize the exploit. I place myself on the other side. I agree with a lot of Andre Gironda's argument in comments on Rich Mogull's post. I think it's important to be able to test if your DNS implementation is vulnerable, as noted by Ron Gula in But I patched our DNS servers ....

With the growing importance of the cloud, and the customer's increasing reliance on software he/she doesn't control, are we to be satisfied with promises of applied patches, or even the effectiveness of said patches? If you always believe your vendor (i.e., you're naive), answer yes. If you trust but verify, answer no -- and start testing. Metasploit (exercised via a pre-existing, contractual agreement that permits such customer testing) is one way to see if your vendor really is as safe as it claims to be.

People who care about reality -- facts on the ground -- care about testing. Such people also care about monitoring. Prior to Halvar's speculation, probably the best place to try to figure out how to detect what "might" be coming was the Daily Dave mailing list. Since Halvar's post, there's been a lot of monitoring discussions on Emerging-Threats. Monitoring types have been trying to work around implementation challenges in popular tools like Snort, with alternatives like Bro getting more attention. Some historical articles on DNS intricacies have helped people understand DNS better, now that we know exactly what to observe.

I believe the actions of the past week have been for the better. Sure, the bad guys have a tool now, but as Druid noted in the Metasploit blog:

I was personally aware of multiple exploits in various levels of development before, during, and after HD and I wrote ours, so we felt at this point publishing working exploit code was fair game.

Poke around for five minutes and you'll find other implementations of exploit code beyond Metasploit anyway, never mind the private ones.

Public speculation followed by weaponization has elevated the issue for those who had to produce "proof" in order to justify patching, as well as helping level the knowledge field. Those of you who object have got to understand this point: real bad guys always win in the Time and Relative Data arena. Their paid job is to find ways to exploit targets. They have the time and knowledge to identify vulnerabilities in DNS regardless of what Dan Kaminsky says or doesn't say. I know whole teams of people who avoid the most elite public conferences because they don't learn anything new.

Defensive-minded security person -- how do you spend your time? Are you like me, balancing operations, planning, meetings, family, and so on, across thousands of systems, with hundreds of classes of vulnerabilities, and nowhere near enough time or resources to mitigate them? Do you know as much about the latest attacks and defenses as the people who discover and exploit them, for a living? Probably not.

Even assuming such adversaries do not know about the DNS problem prior to Dan's disclosure, as soon as they acquire the scent that problems exist (and especially if patches are released), they point their collective noses at the newest victim and tear into it. Halvar's N/4 estimate was very conservative, although he recognized real bad guys probably work a lot faster than that.

I think Dave Aitel put it best:

The motto of the week is that you can't hint at bugs or people will just find them. Either full disclosure or no-disclosure wins, because there's no point doing anything else.

Friday, July 18, 2008

Vulnerabilities in Perspective

It's been nine days since Dan Kaminsky publicized his DNS discovery. Since then, we've seen a Blackberry vulnerability which can be exploited by a malicious .pdf, a Linux kernel flaw which can be remotely exploited to gain root access, Kris Kaspersky promising to present Remote Code Execution Through Intel CPU Bugs this fall, and David Litchfield reporting "a flaw that, when exploited, allows an unauthenticated attacker on the Internet to gain full control of a backend Oracle database server via the front end web server." That sounds like a pretty bad week!

It's bad if you think of R only in terms of V and forget about T and A. What do I mean? Remember the simplistic risk equation, which says Risk = Vulnerability X Threat X Asset value. Those vulnerabilities are all fairly big V's, some bigger than others depending on the intruder's goal. However, R depends on the values of T and A. If there's no T, then R is zero.

Verizon Business understood this in their post DNS Vulnerability Is Important, but There’s No Reason to Panic:

Cache poisoning attacks are almost as old as the DNS system itself. Enterprises already protect and monitor their DNS systems to prevent and detect cache-poisoning attacks. There has been no increase in reports of cache poisoning attacks and no reports of attacks on this specific vulnerability...

The Internet is not at risk. Even if we started seeing attacks immediately, the reader, Verizon Business, and security and network professionals the world-over exist to make systems work and beat the outlaws. We’re problem-solvers. If, or when, this becomes a practical versus theoretical problem, we’ll put our heads together and solve it. We shouldn’t lose our heads now.

However, this doesn’t mean we discount the potential severity of this vulnerability. We just believe it deserves a place on our To-Do lists. We do not, at this point, need to work nights and weekends, skip meals or break dates any more than we already do. And while important, this isn’t enough of an excuse to escape next Monday’s budget meeting.

It also doesn’t mean we believe someone would be silly to have already patched and to be very concerned about this issue. Every enterprise must make their own risk management decisions. This is our recommendation to our customers. In February of 2002, we advised customers to fix their SNMP instances due to the BER issue discovered by Oulu University, but there have been no widespread attacks on those vulnerabilities for nearly six years now. We were overly cautious. We also said the Debian RNG issue was unlikely to be the target of near-term attacks and recommended routine maintenance or 90 days to update. So far, it appears we are right on target.

There has been no increase in reports of cache poisoning attempts, and none that try to exploit this vulnerability. As such, the threat and the risk are unchanged.


I think the mention of the 2002 SNMP fiasco is spot on. A lot of us had to deal with people running around thinking the end of the world had arrived because everything runs SNMP, and everything is vulnerable. It turns out hardly anything happened at all, and we were watching for it.

Halvar Flake was also right when he said:

I personally think we've seen much worse problems than this in living memory. I'd argue that the Debian Debacle was an order of magnitude (or two) worse, and I'd argue that OpenSSH bugs a few years back were worse.

Looking ahead, I thought this comment on the Kaspersky CPU attacks was interesting: CPU Bug Attacks: Are they really necessary?:

But every year, at every security conference, there are really interesting presentations and a lot of experienced people talking about theoretically serious threats. But this doesn't necessarily mean that an exposed PoC will become a serious threat in the wild. Many of these PoCs require high levels of skill (which most malware authors do not have) to actually make them work in other contexts.

And, I feel sorry to say this, but being in the security industry my thoughts are: do malware writers really need to develop highly complex stuff to get millions of PCs infected? The answer is most likely not.


I think that insight applies to the current DNS problems. Are those seeking to exploit vulnerable machines so desperate that they need to leverage this new DNS technique (whatever it is)? Probably not.

At the end of the day, those of us working in production networks have to make choices about how we prioritize our actions. Evidence-based decision-making is superior to reacting to the latest sensationalist news story. If our monitoring efforts demonstrate the prevalence of one attack vector over another, and our systems are vulnerable, and those systems are very valuable, then we can make decisions about what gets patched or mitigated first.

Friday, November 23, 2007

Examining cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 MPAA University Toolkit

I learned about the MPAA University Toolkit at Brian Krebs' always-excellent SecurityFix blog. If you want to know more about the user experience, please check out that post. Here I take a look at the monitoring software, focusing on Snort, operating on this application.

I downloaded the 534 MB peerwatch-1.2-RC5.iso and started it in a VMware Server session. I used ctrl-c and then 'sudo bash' to exit from the initial script presented within X, set a root password, then used 'apt-get ssh install' to install OpenSSH and thus enable root access. From this point forward I accessed the system using OpenSSH remotely to facilitate copying information into this blog post.

First, this looks like Ubuntu (Xubuntu, if you really care) Feisty Fawn, or 7.04.

root@ubuntu:~# uname -a
Linux ubuntu 2.6.20-15-generic #2 SMP Sun Apr 15 07:36:31 UTC 2007
i686 GNU/Linux

I was most interested in learning about Snort on this toolkit. I saw this version installed.

root@ubuntu:~# snort -V

,,_ -*> Snort! <*-
o" )~ Version 2.3.3 (Build 14)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/team.html
(C) Copyright 1998-2004 Sourcefire Inc., et al.

Wow, that's old. It's probably patched based on the changelog. This is Snort installed via Debian/Ubuntu package:

root@ubuntu:~# dpkg --list | grep snort
rc snort 2.3.3-9
Flexible Network Intrusion Detection System
ii snort-common 2.3.3-9
Flexible Network Intrusion Detection System
ii snort-mysql 2.3.3-9
Flexible Network Intrusion Detection System
ii snort-rules-default 2.3.3-9
Flexible Network Intrusion Detection System

Let's see what the snort.conf looks like.

root@ubuntu:/etc/snort# cat snort.conf
var HOME_NET any
var EXTERNAL_NET !$HOME_NET
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET

var HTTP_PORTS 80

var RULE_PATH /etc/snort/rules

preprocessor flow: stats_interval 0 hash 2
preprocessor frag2
preprocessor stream4: disable_evasion_alerts detect_scans
preprocessor stream4_reassemble

# preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt 10000

# (#DBSTART#)
output database: log, mysql, user=snort password=snort dbname=snort host=localhost
# (#DBEND#)

include classification.config
include reference.config

config flowbits_size: 256

include $RULE_PATH/bleeding-p2p.rules
include $RULE_PATH/local-ftp.rules
include $RULE_PATH/local-http.rules
include $RULE_PATH/local-smb.rules
include $RULE_PATH/p2p.rules

include threshold.conf

Excellent, another Snort installation where Snort is logging directly to a MySQL database. That must be the default provided by Debian/Ubuntu. Ouch. Thresholding and suppression are also enabled but the entire contents are commented out in the threshold.conf file.

Let's get a look at those rules.

bleeding-p2p.rules looks like an old copy of the bleeding-p2p.rules, perhaps from mid-year? I think there are 38 rules.

p2p.rules is a really old rule set:

# $Id: p2p.rules,v 1.17.2.1 2004/10/13 20:25:57 bmc Exp $

You may recognize these and the other Snort-distributed rules as being those that accompanied Snort 2.3.3, which pre-dates the new license for Snort rules.

local-ftp.rules is the first rule set written by whomever assembled this toolkit.

# cat local-ftp.rules
# 1 000 500 - 1 000 699

# active
alert tcp any 20 -> any any (msg: "FTP Download - MPEG Movie File - B2"; \
content: "|00 00 01 B2|"; depth: 6; rawbytes; \
sid: 1000501; rev: 1; \
)

alert tcp any 20 -> any any (msg: "FTP Download - MPEG Movie File - B3"; \
content: "|00 00 01 B3|"; depth: 6; rawbytes; \
sid: 1000502; rev: 1; \
)

alert tcp any 20 -> any any (msg: "FTP Download - MPEG Movie File - BA"; \
content: "|00 00 01 BA|"; depth: 6; rawbytes; \
sid: 1000503; rev: 1; \
)

alert tcp any 20 -> any any (msg: "FTP Download - MPEG Movie File - BB"; \
content: "|00 00 01 BB|"; depth: 6; rawbytes; \
sid: 1000504; rev: 1; \
)

alert tcp any 20 -> any any (msg: "FTP Download - MPEG-4 Video File"; \
content: "|00 00 00 18 66 74 79 70 6D 70 34|"; depth: 15; rawbytes; \
sid: 1000505; rev: 1; \
)

alert tcp any 20 -> any any (msg: "FTP Download - Quicktime Movie File - MOOV"; \
content: "|6D 6F 6F 76|"; depth: 10; rawbytes; \
sid: 1000506; rev: 1; \
)

alert tcp any 20 -> any any (msg: "FTP Download - Quicktime Movie File - MDAT"; \
content: "|6D 64 61 74|"; depth: 10; rawbytes; \
sid: 1000507; rev: 1; \
)

alert tcp any 20 -> any any (msg: "FTP Download - Audio Video Interleave (AVI) File - AVI"; \
content: "|41 56 49 20|"; depth: 6; rawbytes; \
sid: 1000508; rev: 1; \
)

alert tcp any 20 -> any any (msg: "FTP Download - Audio Video Interleave (AVI) File - RIFF"; \
content: "|52 49 46 46|"; depth: 6; rawbytes; \
sid: 1000509; rev: 1; \
)

alert tcp any 20 -> any any (msg: "FTP Download - Real Media File"; \
content: "|2E 52 4D 46|"; depth: 6; rawbytes; \
sid: 1000510; rev: 1; \
)

alert tcp any 20 -> any any (msg: "FTP Download - Windows Media File"; \
content: "|30 26 B2 75 8E 66 CF 11 A6 D9 00 AA 00 62 CE 6C|"; depth: 20; rawbytes; \
sid: 1000511; rev: 1; \
)

# passive
alert tcp any 1024: -> any 1024: (msg: "FTP PASV Download - MPEG Movie File - B2"; \
content: "|00 00 01 B2|"; depth: 6; rawbytes; \
sid: 1000512; rev: 1; \
)

alert tcp any 1024: -> any 1024: (msg: "FTP PASV Download - MPEG Movie File - B3"; \
content: "|00 00 01 B3|"; depth: 6; rawbytes; \
sid: 1000513; rev: 1; \
)

alert tcp any 1024: -> any 1024: (msg: "FTP PASV Download - MPEG Movie File - BA"; \
content: "|00 00 01 BA|"; depth: 6; rawbytes; \
sid: 1000514; rev: 1; \
)

alert tcp any 1024: -> any 1024: (msg: "FTP PASV Download - MPEG Movie File - BB"; \
content: "|00 00 01 BB|"; depth: 6; rawbytes; \
sid: 1000515; rev: 1; \
)

alert tcp any 1024: -> any 1024: (msg: "FTP PASV Download - MPEG-4 Video File"; \
content: "|00 00 00 18 66 74 79 70 6D 70 34|"; depth: 15; rawbytes; \
sid: 1000516; rev: 1; \
)

alert tcp any 1024: -> any 1024: (msg: "FTP PASV Download - Quicktime Movie File - MOOV"; \
content: "|6D 6F 6F 76|"; depth: 10; rawbytes; \
sid: 1000517; rev: 1; \
)

alert tcp any 1024: -> any 1024: (msg: "FTP PASV Download - Quicktime Movie File - MDAT"; \
content: "|6D 64 61 74|"; depth: 10; rawbytes; \
sid: 1000518; rev: 1; \
)

alert tcp any 1024: -> any 1024: (msg: "FTP PASV Download - Audio Video Interleave (AVI) File - AVI"; \
content: "|41 56 49 20|"; depth: 6; rawbytes; \
sid: 1000519; rev: 1; \
)

alert tcp any 1024: -> any 1024: (msg: "FTP PASV Download - Audio Video Interleave (AVI) File - RIFF"; \
content: "|52 49 46 46|"; depth: 6; rawbytes; \
sid: 1000520; rev: 1; \
)

alert tcp any 1024: -> any 1024: (msg: "FTP PASV Download - Real Media File"; \
content: "|2E 52 4D 46|"; depth: 6; rawbytes; \
sid: 1000521; rev: 1; \
)

alert tcp any 1024: -> any 1024: (msg: "FTP PASV Download - Windows Media File"; \
content: "|30 26 B2 75 8E 66 CF 11 A6 D9 00 AA 00 62 CE 6C|"; depth: 20; rawbytes; \
sid: 1000522; rev: 1; \
)

Anyone who has written Snort rules is probably going to question the false positive rate on this rule set, especially the "tcp any 1024: -> any 1024:" group. These are straight content matches, and the smaller strings like "|2E 52 4D 46|" are probably going to fire quite a bit on unintended traffic.

Here is local-http.rules.

root@ubuntu:/etc/snort/rules# cat local-http.rules
# 1 000 100 - 1 000 299

alert tcp any 80 -> any any (msg: "HTTP Download > 100M - MPEG Movie File - B2"; \
flow: established,from_server; \
content: "HTTP"; depth: 5; nocase; \
content: "200"; within: 8; \
content: "Content-Length\: "; within: 300; nocase; \
pcre: "/^[0-9]{9,}\r\n/R"; \
content: "|0d 0a 0d 0a|"; within: 100; \
content: "|00 00 01 B2|"; within: 6; \
sid: 1000101; rev: 1; \
)

alert tcp any 80 -> any any (msg: "HTTP Download > 100M - MPEG Movie File - B3"; \
flow: established,from_server; \
content: "HTTP"; depth: 5; nocase; \
content: "200"; within: 8; \
content: "Content-Length\: "; within: 300; nocase; \
pcre: "/^[0-9]{9,}\r\n/R"; \
content: "|0d 0a 0d 0a|"; within: 100; \
content: "|00 00 01 B3|"; within: 6; \
sid: 1000102; rev: 1; \
)

alert tcp any 80 -> any any (msg: "HTTP Download > 100M - MPEG Movie File - BA"; \
flow: established,from_server; \
content: "HTTP"; depth: 5; nocase; \
content: "200"; within: 8; \
content: "Content-Length\: "; within: 300; nocase; \
pcre: "/^[0-9]{9,}\r\n/R"; \
content: "|0d 0a 0d 0a|"; within: 100; \
content: "|00 00 01 BA|"; within: 6; \
sid: 1000103; rev: 1; \
)

alert tcp any 80 -> any any (msg: "HTTP Download > 100M - MPEG Movie File - BB"; \
flow: established,from_server; \
content: "HTTP"; depth: 5; nocase; \
content: "200"; within: 8; \
content: "Content-Length\: "; within: 300; nocase; \
pcre: "/^[0-9]{9,}\r\n/R"; \
content: "|0d 0a 0d 0a|"; within: 100; \
content: "|00 00 01 BB|"; within: 6; \
sid: 1000104; rev: 1; \
)

alert tcp any 80 -> any any (msg: "HTTP Download > 100M - MPEG-4 Video File"; \
flow: established,from_server; \
content: "HTTP"; depth: 5; nocase; \
content: "200"; within: 8; \
content: "Content-Length\: "; within: 300; nocase; \
pcre: "/^[0-9]{9,}\r\n/R"; \
content: "|0d 0a 0d 0a|"; within: 100; \
content: "|00 00 00 18 66 74 79 70 6D 70 34|"; within: 15; \
sid: 1000105; rev: 1; \
)

alert tcp any 80 -> any any (msg: "HTTP Download > 100M - Quicktime Movie File - MOOV"; \
flow: established,from_server; \
content: "HTTP"; depth: 5; nocase; \
content: "200"; within: 8; \
content: "Content-Length\: "; within: 300; nocase; \
pcre: "/^[0-9]{9,}\r\n/R"; \
content: "|0d 0a 0d 0a|"; within: 100; \
content: "|6D 6F 6F 76|"; within: 10; \
sid: 1000106; rev: 1; \
)
alert tcp any 80 -> any any (msg: "HTTP Download > 100M - Quicktime Movie File - MDAT"; \
flow: established,from_server; \
content: "HTTP"; depth: 5; nocase; \
content: "200"; within: 8; \
content: "Content-Length\: "; within: 300; nocase; \
pcre: "/^[0-9]{9,}\r\n/R"; \
content: "|0d 0a 0d 0a|"; within: 100; \
content: "|6D 64 61 74|"; within: 10; \
sid: 1000107; rev: 1; \
)

alert tcp any 80 -> any any (msg: "HTTP Download > 100M - Audio Video Interleave (AVI) File - AVI"; \
flow: established,from_server; \
content: "HTTP"; depth: 5; nocase; \
content: "200"; within: 8; \
content: "Content-Length\: "; within: 300; nocase; \
pcre: "/^[0-9]{9,}\r\n/R"; \
content: "|0d 0a 0d 0a|"; within: 100; \
content: "|41 56 49 20|"; within: 6; \
sid: 1000108; rev: 1; \
)

alert tcp any 80 -> any any (msg: "HTTP Download > 100M - Audio Video Interleave (AVI) File - RIFF"; \
flow: established,from_server; \
content: "HTTP"; depth: 5; nocase; \
content: "200"; within: 8; \
content: "Content-Length\: "; within: 300; nocase; \
pcre: "/^[0-9]{9,}\r\n/R"; \
content: "|0d 0a 0d 0a|"; within: 100; \
content: "|52 49 46 46|"; within: 6; \
sid: 1000109; rev: 1; \
)

alert tcp any 80 -> any any (msg: "HTTP Download > 100M - Real Media File"; \
flow: established,from_server; \
content: "HTTP"; depth: 5; nocase; \
content: "200"; within: 8; \
content: "Content-Length\: "; within: 300; nocase; \
pcre: "/^[0-9]{9,}\r\n/R"; \
content: "|0d 0a 0d 0a|"; within: 100; \
content: "|2E 52 4D 46|"; within: 6; \
sid: 1000110; rev: 1; \
)

alert tcp any 80 -> any any (msg: "HTTP Download > 100M - Windows Media File"; \
flow: established,from_server; \
content: "HTTP"; depth: 5; nocase; \
content: "200"; within: 8; \
content: "Content-Length\: "; within: 300; nocase; \
pcre: "/^[0-9]{9,}\r\n/R"; \
content: "|0d 0a 0d 0a|"; within: 100; \
content: "|30 26 B2 75 8E 66 CF 11 A6 D9 00 AA 00 62 CE 6C|"; within: 20; \
sid: 1000111; rev: 1; \
)

That's 11 rules. There are 22 more. The middle 11 have port 80 replaced by 3128. The final 11 have port 8080. What does that tell you? It means that you can avoid being detected by these rules if the remote Web server runs on a port other than 80, 3128, or 8080. Note also that the original snort.conf doesn't enable the http_inspect or http_inspect_server preprocessors. These rules are more raw content matches, although their specificity will reduce the number of times they fire. They also introduce more evasion options.

Finally, let's check out local-smb.rules.

root@ubuntu:/etc/snort/rules# cat local-smb.rules
# 1 000 300 - 1 000 499

alert tcp any 445 -> any any (msg: "SMB-445 Download > 100M - MPEG Movie File - B2"; \
flow: established,from_server; \
content: "SMB|2E|"; offset: 5; within: 4; nocase; \
content: "|00 00 01 B2|"; distance: 54; within: 4; \
sid: 1000301; rev: 1; \
)

alert tcp any 445 -> any any (msg: "SMB-445 Download > 100M - MPEG Movie File - B3"; \
flow: established,from_server; \
content: "SMB|2E|"; offset: 5; within: 4; nocase; \
content: "|00 00 01 B3|"; distance: 54; within: 4; \
sid: 1000302; rev: 1; \
)

alert tcp any 445 -> any any (msg: "SMB-445 Download > 100M - MPEG Movie File - BA"; \
flow: established,from_server; \
content: "SMB|2E|"; offset: 5; within: 4; nocase; \
content: "|00 00 01 BA|"; distance: 54; within: 4; \
sid: 1000303; rev: 1; \
)

alert tcp any 445 -> any any (msg: "SMB-445 Download > 100M - MPEG Movie File - BB"; \
flow: established,from_server; \
content: "SMB|2E|"; offset: 5; within: 4; nocase; \
content: "|00 00 01 BB|"; distance: 54; within: 4; \
sid: 1000304; rev: 1; \
)

alert tcp any 445 -> any any (msg: "SMB-445 Download > 100M - MPEG-4 Video File"; \
flow: established,from_server; \
content: "SMB|2E|"; offset: 5; within: 4; nocase; \
content: "|00 00 00 18 66 74 79 70 6D 70 34|"; distance: 54; within: 15; \
sid: 1000305; rev: 1; \
)

alert tcp any 445 -> any any (msg: "SMB-445 Download > 100M - Quicktime Movie File - MOOV"; \
flow: established,from_server; \
content: "SMB|2E|"; offset: 5; within: 4; nocase; \
content: "MOOV"; distance: 54; within: 8; nocase; \
sid: 1000306; rev: 1; \
)

alert tcp any 445 -> any any (msg: "SMB-445 Download > 100M - Quicktime Movie File - MDAT"; \
flow: established,from_server; \
content: "SMB|2E|"; offset: 5; within: 4; nocase; \
content: "MDAT"; distance: 54; within: 4; nocase; \
sid: 1000307; rev: 1; \
)

alert tcp any 445 -> any any (msg: "SMB-445 Download > 100M - Audio Video Interleave (AVI) File - AVI"; \
flow: established,from_server; \
content: "SMB|2E|"; offset: 5; within: 4; nocase; \
content: "AVI_"; distance: 54; within: 4; nocase; \
sid: 1000308; rev: 1; \
)

alert tcp any 445 -> any any (msg: "SMB-445 Download > 100M - Audio Video Interleave (AVI) File - RIFF"; \
flow: established,from_server; \
content: "SMB|2E|"; offset: 5; within: 4; nocase; \
content: "RIFF"; distance: 54; within: 4; nocase; \
sid: 1000309; rev: 1; \
)

alert tcp any 445 -> any any (msg: "SMB-445 Download > 100M - Real Media File"; \
flow: established,from_server; \
content: "SMB|2E|"; offset: 5; within: 4; nocase; \
content: "|2E 52 4D 46|"; distance: 54; within: 4; \
sid: 1000310; rev: 1; \
)

alert tcp any 445 -> any any (msg: "SMB-445 Download > 100M - Windows Media File"; \
flow: established,from_server; \
content: "SMB|2E|"; offset: 5; within: 4; nocase; \
content: "|30 26 B2 75 8E 66 CF 11 A6 D9 00 AA 00 62 CE 6C|"; distance: 54; within: 16; \
sid: 1000311; rev: 1; \
)

Notice all the port 445 instances? You can evade these if your SMB session uses port 139 TCP.

I thought it might be fun to test these rules. I decided to download a 108 MB .avi file to the toolkit host itself and see if it would be observed.

file robert-morris.avi
robert-morris.avi: RIFF (little-endian) data, AVI, 640 x 480, 30.00 fps,
video: Motion JPEG, audio: uncompressed PCM (mono, 11024 Hz)

Hmm, no alerts. I have Sguil running on my gateway. Let's see what the start of a transcript for this session looks like.

Sensor Name: hacom
Timestamp: 2007-11-23 21:32:47
Connection ID: .hacom_5136151961070210685
Src IP: 69.255.105.234 (c-69-255-105-234.hsd1.va.comcast.net)
Dst IP: 164.106.251.250 (Unknown)
Src Port: 58172
Dst Port: 80
OS Fingerprint: 69.255.105.234:58172 - UNKNOWN
[S4:61:1:60:M1460,S,T,N,W4:.:?:?] (up: 3 hrs)
OS Fingerprint: -> 164.106.251.250:80 (link: ethernet/modem)

SRC: GET /docs/netsec/robert-morris.avi HTTP/1.0
SRC: User-Agent: Wget/1.10.2
SRC: Accept: */*
SRC: Host: 164.106.251.250
SRC: Connection: Keep-Alive
SRC:
SRC:
DST: HTTP/1.1 200 OK
DST: Date: Fri, 23 Nov 2007 21:38:16 GMT
DST: Server: Apache/2.0.52 (Red Hat)
DST: Last-Modified: Tue, 23 Aug 2005 21:46:31 GMT
DST: ETag: "37804f-6bfad96-ba9f7bc0"
DST: Accept-Ranges: bytes
DST: Content-Length: 113225110
DST: Connection: close
DST: Content-Type: video/x-msvideo
DST:
DST:
DST: RIFF....AVI LISTF...hdrlavih8...5...D.&......................I..
LISTt...strlstrh8...vidsmjpg............5...@B...........I...'..............
strf(...(...............MJPG....................LIST\...strlstrh8...auds....
.................+......\
DST: ..+...'..............strf.........+...+......IDIT....
FRI JUL 29 15:54:43 2005
DST: .LIST....INFOISFT....CanonMVI02..JUNK~...

After the HTTP response you see the download begin for the .avi. Presumably this would match this rule?

"HTTP Download > 100M - Audio Video Interleave (AVI) File - RIFF"

Let's look at the two most important packets in the full content pcap file.

16:32:47.335530 IP 164.106.251.250.80 > 69.255.105.234.58172:
P 1:268(267) ack 133 win 1716
0x0000: 4520 013f e980 4000 3006 0fca a46a fbfa E..?..@.0....j..
0x0010: 45ff 69ea 0050 e33c f12d d653 a3ca 374e E.i..P.<.-.S..7N
0x0020: 8018 06b4 ce3b 0000 0101 080a 80f7 4ef2 .....;........N.
0x0030: 0013 7372 4854 5450 2f31 2e31 2032 3030 ..srHTTP/1.1.200
0x0040: 204f 4b0d 0a44 6174 653a 2046 7269 2c20 .OK..Date:.Fri,.
0x0050: 3233 204e 6f76 2032 3030 3720 3231 3a33 23.Nov.2007.21:3
0x0060: 383a 3136 2047 4d54 0d0a 5365 7276 6572 8:16.GMT..Server
0x0070: 3a20 4170 6163 6865 2f32 2e30 2e35 3220 :.Apache/2.0.52.
0x0080: 2852 6564 2048 6174 290d 0a4c 6173 742d (Red.Hat)..Last-
0x0090: 4d6f 6469 6669 6564 3a20 5475 652c 2032 Modified:.Tue,.2
0x00a0: 3320 4175 6720 3230 3035 2032 313a 3436 3.Aug.2005.21:46
0x00b0: 3a33 3120 474d 540d 0a45 5461 673a 2022 :31.GMT..ETag:."
0x00c0: 3337 3830 3466 2d36 6266 6164 3936 2d62 37804f-6bfad96-b
0x00d0: 6139 6637 6263 3022 0d0a 4163 6365 7074 a9f7bc0"..Accept
0x00e0: 2d52 616e 6765 733a 2062 7974 6573 0d0a -Ranges:.bytes..
0x00f0: 436f 6e74 656e 742d 4c65 6e67 7468 3a20 Content-Length:.
0x0100: 3131 3332 3235 3131 300d 0a43 6f6e 6e65 113225110..Conne
0x0110: 6374 696f 6e3a 2063 6c6f 7365 0d0a 436f ction:.close..Co
0x0120: 6e74 656e 742d 5479 7065 3a20 7669 6465 ntent-Type:.vide
0x0130: 6f2f 782d 6d73 7669 6465 6f0d 0a0d 0a o/x-msvideo....
16:32:47.336654 IP 164.106.251.250.80 > 69.255.105.234.58172:
. 268:1636(1368) ack 133 win 1716 <nop,nop,timestamp 2163691250 1274738>
0x0000: 4520 058c e982 4000 3006 0b7b a46a fbfa E.....@.0..{.j..
0x0010: 45ff 69ea 0050 e33c f12d d75e a3ca 374e E.i..P.<.-.^..7N
0x0020: 8010 06b4 b5f8 0000 0101 080a 80f7 4ef2 ..............N.
0x0030: 0013 7372 5249 4646 8ead bf06 4156 4920 ..srRIFF....AVI.
0x0040: 4c49 5354 4601 0000 6864 726c 6176 6968 LISTF...hdrlavih
0x0050: 3800 0000 3582 0000 44d0 2600 0000 0000 8...5...D.&.....
0x0060: 1000 0100 0e07 0000 0000 0000 0200 0000 ................
0x0070: c649 0100 8002 0000 e001 0000 0000 0000 .I..............
0x0080: 0000 0000 0000 0000 0000 0000 4c49 5354 ............LIST
0x0090: 7400 0000 7374 726c 7374 7268 3800 0000 t...strlstrh8...
0x00a0: 7669 6473 6d6a 7067 0000 0000 0000 0000 vidsmjpg........
0x00b0: 0000 0000 3582 0000 4042 0f00 0000 0000 ....5...@B......
0x00c0: 0e07 0000 c649 0100 1027 0000 0000 0000 .....I...'......
0x00d0: 0000 0000 8002 e001 7374 7266 2800 0000 ........strf(...
0x00e0: 2800 0000 8002 0000 e001 0000 0100 1800 (...............
0x00f0: 4d4a 5047 0010 0e00 0000 0000 0000 0000 MJPG............
0x0100: 0000 0000 0000 0000 4c49 5354 5c00 0000 ........LIST\...
0x0110: 7374 726c 7374 7268 3800 0000 6175 6473 strlstrh8...auds
0x0120: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0130: 0100 0000 102b 0000 0000 0000 5c20 0a00 .....+......\...
0x0140: 102b 0000 1027 0000 0100 0000 0000 0000 .+...'..........
0x0150: 0000 0000 7374 7266 1000 0000 0100 0100 ....strf........
0x0160: 102b 0000 102b 0000 0100 0800 4944 4954 .+...+......IDIT
0x0170: 1a00 0000 4652 4920 4a55 4c20 3239 2031 ....FRI.JUL.29.1
0x0180: 353a 3534 3a34 3320 3230 3035 0a00 4c49 5:54:43.2005..LI
0x0190: 5354 1800 0000 494e 464f 4953 4654 0c00 ST....INFOISFT..
0x01a0: 0000 4361 6e6f 6e4d 5649 3032 0000 4a55 ..CanonMVI02..JU
0x01b0: 4e4b 7e06 0000 0000 0000 0000 0000 0000 NK~.............
...truncated...

Do you see it? The HTTP response code and the Content-Length statement appear in the first packet. The .avi begins in the second packet with RIFF. Snort doesn't fire an alert because all of the matches needed for the rule are not present in a single packet.
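To make the failure mode concrete, here is an added Python example; it is not code from the original post and not a Snort component. It transcribes the two payloads from the hex dump above (the second truncated to the 12-byte RIFF chunk header the signature needs), runs the rule's two content checks once per packet and once against the reassembled server-to-client stream, and adds a consistency check the dump itself supports: the little-endian size field after "RIFF" (0x06bfad8e = 113225102) equals Content-Length minus the 8-byte chunk header. Reading "> 100M" as a 100 MiB threshold is an assumption.

```python
# Added example, not code from the original post: why a rule whose content
# matches are split across two TCP segments fails per packet and succeeds on
# the reassembled stream. Payloads are transcribed from the hex dump above.
import re
import struct

# Packet 1 payload (267 bytes, matching "1:268(267)"): the HTTP response headers.
PKT1 = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Fri, 23 Nov 2007 21:38:16 GMT\r\n"
    b"Server: Apache/2.0.52 (Red Hat)\r\n"
    b"Last-Modified: Tue, 23 Aug 2005 21:46:31 GMT\r\n"
    b'ETag: "37804f-6bfad96-ba9f7bc0"\r\n'
    b"Accept-Ranges: bytes\r\n"
    b"Content-Length: 113225110\r\n"
    b"Connection: close\r\n"
    b"Content-Type: video/x-msvideo\r\n"
    b"\r\n"
)

# Packet 2 payload, truncated (constructed truncation): only the 12-byte RIFF
# chunk header "RIFF" <size, little-endian> "AVI " from the start of the dump;
# the remaining 1356 bytes of the segment are not needed for the match.
PKT2 = bytes.fromhex("52494646" "8eadbf06" "41564920")

# Assumption: the "> 100M" in the rule name means a Content-Length above 100 MiB.
SIZE_THRESHOLD = 100 * 1024 * 1024

CONTENT_LENGTH_RE = re.compile(rb"\r\nContent-Length:[ \t]*(\d+)\r\n")


def http_200_large(buf):
    """Match half 1: a 200 OK whose Content-Length exceeds the threshold."""
    if not buf.startswith(b"HTTP/1.1 200"):
        return False
    m = CONTENT_LENGTH_RE.search(buf)
    return m is not None and int(m.group(1)) > SIZE_THRESHOLD


def riff_avi(buf):
    """Match half 2: a RIFF chunk whose form type (bytes 8..11) is 'AVI '."""
    i = buf.find(b"RIFF")
    return i != -1 and buf[i + 8:i + 12] == b"AVI "


def per_packet_match(packets):
    """A signature evaluated one segment at a time needs both halves in one payload."""
    return any(http_200_large(p) and riff_avi(p) for p in packets)


def split_http(stream):
    """Split a server-to-client stream into (headers, body) at the blank line."""
    end = stream.find(b"\r\n\r\n")
    if end == -1:
        return None, None
    return stream[:end + 4], stream[end + 4:]


def stream_match(packets):
    """The same two checks on the reassembled stream: headers first, then body."""
    headers, body = split_http(b"".join(packets))
    return headers is not None and http_200_large(headers) and riff_avi(body)


def riff_size_consistent(packets):
    """Sanity check the dump supports: the RIFF size field (bytes 4..7,
    little-endian) covers everything after the 8-byte chunk header, so it
    must equal Content-Length - 8 when the whole file is the HTTP body."""
    headers, body = split_http(b"".join(packets))
    declared = int(CONTENT_LENGTH_RE.search(headers).group(1))
    riff_len = struct.unpack_from("<I", body, 4)[0]
    return riff_len + 8 == declared


if __name__ == "__main__":
    pkts = [PKT1, PKT2]
    print("per-packet match:", per_packet_match(pkts))                # False
    print("stream match:", stream_match(pkts))                        # True
    print("RIFF size == Content-Length - 8:", riff_size_consistent(pkts))  # True
```

The practitioner's takeaway is that a download signature whose headers and first body bytes can land in different segments only behaves as its name suggests when the sensor matches on the reassembled stream, or ties the two halves together on the flow (Snort's flowbits are one way to do that); evaluated per packet it silently misses the transfer, exactly as seen above.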

Technically, there's not much to worry about here -- at least not yet. I do worry about putting monitoring tools in the hands of people who don't know what they're doing and seeing them act on misconceptions. It's also important to recognize that this activity could violate wiretap and privacy laws.

Wednesday, September 12, 2007

NSA IAM and IEM Summary

Two years ago I wrote Thoughts on NSA IAM Course. That post is still in the top ten Google search results for NSA IAM, which is sad because that means there isn't much about the program online. IAM stands for INFOSEC Assessment Methodology. (Ugh, I hate "INFOSEC".)

The only real material about IAM (beyond the public slides used to teach the classes) appears in Security Assessment: Case Studies for Implementing the NSA IAM by Russ Rogers, Greg Miles, Ed Fuller, Ted Dykstra. The Syngress sample chapter nicely summarizes the IAM purpose and compares it to alternatives.

The National Security Agency (NSA) Information Security (INFOSEC) Assessment Methodology (IAM) is a detailed and systematic method for examining security vulnerabilities from an organizational perspective as opposed to only a technical perspective. Often overlooked are the processes, procedures, documentation, and informal activities that directly impact an organization’s overall security posture but that might not necessarily be technical in nature. The IAM was developed by experienced NSA and commercial INFOSEC assessors and has been in practice within the U.S. government since 1997. It was made available commercially in 2001.

NSA developed the IAM to give organizations that provide INFOSEC assessments a repeatable framework for conducting organizational types of assessments as well as provide assessment consumers appropriate information on what to look for in an assessment provider. The IAM is also intended to raise awareness of the need for organizational types of assessment versus the purely technical type of assessment. In addition to assisting the government and private sectors, an important result of supplying baseline standards for INFOSEC assessments is fostering a commitment to improve an organization’s security posture.


The following chart from the sample chapter explains how NSA differentiates security activities:



So what are the general steps proposed by NSA IAM? There are three general phases:

  1. Pre-Assessment


    • Determine and manage the customer’s expectations

    • Gain an understanding of the organization’s information criticality

    • Determine customer’s goals and objectives

    • Determine the system boundaries

    • Coordinate with customer

    • Request documentation


  2. On-Site Assessment


    • Conduct opening meeting

    • Gather and validate system information (via interview, system demonstration, and document review)

    • Analyze assessment information

    • Develop initial recommendations

    • Present out-brief


  3. Post-Assessment


    • Additional review of documentation

    • Additional expertise (get help understanding what you learned)

    • Report coordination (and writing)



NSA IAM emphasizes creating a Technical Assessment Plan (TAP) which includes the following:

  • Point of Contact

  • Mission

  • Organizational Information Criticality

  • System Information Criticality

  • Customer Concerns and Constraints

  • System Configuration

  • Interviews

  • Documents

  • Timeline of Events


In brief, the NSA IAM is a giant interview, demonstration, and documentation review that precedes any kind of technical review. The IAM spends a good chunk of time determining Organizational Information Criticality and System Information Criticality via brainstorming and customer interviews. The idea is to narrow the scope of the assessment to something that customers care about. IAM (and IEM) sources clearly point out that their methodologies are not audits, inspections, or risk assessments. One of the course slides provides this (sort of) summary:



That's the IAM. What is the IEM [INFOSEC Evaluation Methodology]? Again, the best resource is a Syngress book -- Network Security Evaluation Using the NSA IEM by Russ Rogers, Ed Fuller, Greg Miles, Matthew Hoagberg, Travis Schack, Chuck Little, Ted Dykstra, and Bryan Cunningham. Quoting from the first chapter:

The IEM is a follow-on methodology to the NSA IAM. It provides the technical evaluation processes that were intentionally missing from the IAM. The IEM is a hands-on methodology, meaning you'll be actively interacting with the customer's technical environment. As such, the NSA intended for the IAM and IEM processes to work hand in hand...

Whereas the IAM provides us with an understanding of organizational security as it relates to policies and procedures, the IEM offers a comprehensive look into the actual technical security at the organization.


The IEM is divided into phases as well:

  1. Pre-Evaluation Phase


    • Pull information from IAM Pre-Assessment

    • Coordination with the customer to determine acceptable Rules of Engagement (ROE)

    • Give the team an understanding of the perceived system components

    • Define customer expectations

    • Define customer constraints or concerns

    • Legal Requirements

    • Develop the Technical Evaluation Plan (TEP)


  2. On-Site Evaluation Phases


    • Evaluation In-Brief

    • Tool Introduction and System Evaluation


      • Port Scanning

      • SNMP Scanning

      • Enumeration & Banner Grabbing

      • Wireless Enumeration

      • Vulnerability Scanning

      • Host Evaluation

      • Network Device Analysis

      • Password Compliance Testing

      • Application Specific Scanning

      • Network Sniffing


    • Evaluation Out Brief


  3. Post Evaluation Phase


    • Analyze the evaluation raw data

    • Conduct additional vulnerability research

    • If necessary, seek additional expertise

    • Develop recommendations

    • Coordinate final report authoring with team members

    • Deliver final report to customer



Like the IAM's TAP, the IEM directs creation of a Technical Evaluation Plan, or TEP:
  1. Points of Contact

  2. Methodology Overview


    • Purpose of the IEM

    • Description of the IEM

    • Evaluation Tools to Be Used


  3. Criticality Information (Organizational Criticality Matrices and System Criticality Information)

  4. Detailed Network Information

  5. Customer Concerns

  6. Customer Constraints

  7. Rules of Engagement

  8. Coordination Agreements


    • Level of Detail of Recommendations

    • List of Agreed-On Deliverables

    • The Coordination Agreements Section: A Catchall


  9. Letter of Authorization

  10. Timeline of Events


There's more to the IEM but those are the parts I want to have available for personal reference.

The following shows how the IAM and IEM can work together.



Is this rocket science? Of course not. Are the 10 "evaluation" activities naive and incomplete? Yes. The idea is you can build on this sort of methodology with your own approaches. I actually liked the IAM class and the structure of the IEM TEP, but I found the IEM class itself laughable.

If you want more details on really conducting evaluations, then a review of the latest Open Source Security Testing Methodology Manual (OSSTMM) is probably worthwhile.

Monday, August 06, 2007

Black Hat Final Thoughts

Based on my summaries of the talks I saw on days one and two of Black Hat USA 2007, some of you have called me "depressed" or "negative." I call it realistic and largely historic. Nothing I described was brand new the day I saw it. Most if not all of what I saw was already discussed in public forums or private groups. Sometimes it takes a live explanation by a real expert to synthesize and demonstrate the technique to make it come to life and help attendees connect the dots. This was certainly the case for me and I expect other people too.

I've spent almost my whole career watching defenses fail and then trying to contain and remove the mess. The fact that nothing has reduced my workload during the last decade indicates our approach to this problem is not working. I attend Black Hat so I can get semi-clued-in to attack techniques, and I recommend everyone else who cares about how they are already being abused attend or ask someone who attended to summarize what he or she learned.

The fact that you do not know you are being compromised does not mean it is not happening. This is a fundamental problem with digital security. Consider the analog world.

  • If a house is robbed by amateurs while the owner is away, upon return even the most ignorant person will likely notice the breach.

  • If a house is bugged by professionals while the owner is away, upon return even the most vigilant person will likely miss the breach.


Consider the digital equivalent.

  • If a digital asset is compromised by amateurs while the owner is away, upon return the ignorant person will definitely not notice the breach, and a vigilant person might notice the breach.

  • If a digital asset is compromised by professionals while the owner is away, upon return even the most vigilant person will be hard pressed to notice the breach. Everyone else is hopeless.


The key element in these observations is vigilance. I liked Tate Hansen's post Attackers will win so what can you do? because it alludes to this thought. Here are my three recommendations.

  1. Monitor everything you can, within the bounds of legal, political, and technical means. The absolute first priority for any digital security operation is to know what is happening. Bruce Schneier was so right in 2001 when he wrote Monitoring First. If you think I am hopeless but you believe in Bruce, then read what he wrote. It's as relevant today as ever.

    Monitoring is to the digital world as accounting is to the financial world. How can any company expect to stay in business if it's bleeding money? Similarly, how can any enterprise preserve confidentiality, integrity, and availability of digital assets if the state of those assets is unknown?

    When I talk of monitoring, keep in mind three data sources; these are terms I'm using from here forward.

    • First order monitoring observes the attack as it happens. It's difficult if not impossible to accomplish this. Because you can't stop what you can't see, preventing intrusions is increasingly impossible for all or most cases.

    • Second order monitoring observes continuation of the incident. These are signs following compromise, like installation and use of a back door, command-and-control, exfiltration of data, and the like. This is difficult to detect but potentially not as difficult as the first order case.

    • Third order monitoring observes consequences of the incident. This includes discovery of your company's IPs in botnet command-and-control channels or Web sites, finding sensitive company documents on p2p networks, the release by your competitor of a new product based on your design, and related events. These are easier to detect but usually difficult to tie to a specific incident.


    My final comment on monitoring is this: monitoring helps prioritize resources. If you instrument your platforms, OS, applications, and data, you can see how they are being abused. Then you direct resources to mitigate the most pressing problems.

    Consider the 2002 CERT advisory on SNMP vulnerabilities. At the time it looked like the end of the world because everyone was vulnerable. My clients basically didn't care, because I was watching for any SNMP traffic to or from their sites. Guess what -- I hardly saw anything (and SNMP is easy to see, if you're wondering). Because I didn't see recon or exploitation, I advised my clients to concentrate on problems I did see being probed or attacked.

    It's the same situation a battlefield commander faces. Without on-scene situational awareness, how do you know if you need to reinforce your flank or commit your reserves to defending the center? If you have no clue and you guess wrong, you lose. Let's manage by fact instead of belief if we want to win.

  2. Force vendors to ship feature-disabled applications by default. I don't want my Flash viewer to initiate sockets to hosts on my internal network. Alternatively, let my security team, IT department, or PC vendor decide how my machine should be configured, then let me make changes if I decide I do want Flash to initiate connections. Let's face it: the Web browser is the new operating system. Securing the OS is great but it's all about the features and configuration of your Web browser and its embedded rich media content rendering applications. Reducing our application exposure will limit the risk.

  3. Force our governments to focus on the threat. Techies like technical solutions. This is not working. We have to take the fight to the enemy by removing the threat, not countering their tools.

    We cannot code, block, or patch our way out of this situation. We have to deter, investigate, apprehend, prosecute, and incarcerate threats. It's the only approach that has ever had a chance to work in the real world. As the digital world continues to resemble and in some ways surpass the analog world, why do we think we are smart enough to reject 3,000 years of human history and rely on technical means to solve this problem?

    If you don't believe me, please read my next post.
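As an added example of the triage in recommendation 1 (not code from the original post, and not the author's own tooling), the script below takes session records of the kind a sensor keeps, counts which sources query SNMP agents on how many hosts, sets aside the known management station, and reports anything external or sweeping several targets. The site range, the manager address and the session records are all constructed for the example.

```python
# Added example, not code from the original post: rank SNMP activity seen in
# session records so the response to an SNMP advisory is driven by what the
# sensor observes rather than by the advisory's severity. All data constructed.
from collections import defaultdict
import ipaddress

SNMP_QUERY_PORT = 161          # agent side: GET/GETNEXT/SET requests
SNMP_TRAP_PORT = 162           # manager side: traps and informs
SITE = ipaddress.ip_network("10.0.0.0/8")   # assumed monitored address range
KNOWN_MANAGERS = {"10.0.0.5"}               # assumed legitimate NMS host(s)

# Constructed session records in the shape a sensor's session log keeps:
# (src, sport, dst, dport, proto, packets).
SESSIONS = [
    ("10.0.0.5", 40001, "10.0.1.1", 161, "udp", 4),        # NMS polls router
    ("10.0.0.5", 40002, "10.0.1.2", 161, "udp", 4),        # NMS polls switch
    ("10.0.1.1", 161, "10.0.0.5", 162, "udp", 1),          # trap back to NMS
    ("198.51.100.7", 53121, "10.0.1.1", 161, "udp", 1),    # external sweep ...
    ("198.51.100.7", 53122, "10.0.1.2", 161, "udp", 1),
    ("198.51.100.7", 53123, "10.0.1.3", 161, "udp", 1),
    ("198.51.100.7", 53124, "10.0.1.4", 161, "udp", 1),
    ("10.0.2.9", 51000, "93.184.216.34", 80, "tcp", 12),   # unrelated web
    ("10.0.3.3", 55555, "10.0.1.1", 161, "udp", 2),        # one-off internal query
]


def snmp_sessions(sessions):
    """Every UDP session with SNMP on either end (queries or traps)."""
    return [s for s in sessions
            if s[4] == "udp" and {s[1], s[3]} & {SNMP_QUERY_PORT, SNMP_TRAP_PORT}]


def query_targets(sessions):
    """Per source, the set of distinct hosts it sent SNMP queries to (dport 161).
    Traps (dport 162) are agent-initiated and are deliberately not counted."""
    targets = defaultdict(set)
    for src, _sport, dst, dport, proto, _pkts in sessions:
        if proto == "udp" and dport == SNMP_QUERY_PORT:
            targets[src].add(dst)
    return targets


def snmp_recon(sessions, min_targets=3):
    """Sources worth a look: not a known manager, and either outside the site
    (any SNMP to or from the Internet is unexpected) or querying at least
    min_targets distinct hosts (a horizontal sweep). Returns sorted tuples
    (src, number_of_targets, 'external'|'internal')."""
    flagged = []
    for src, dsts in query_targets(sessions).items():
        if src in KNOWN_MANAGERS:
            continue
        external = ipaddress.ip_address(src) not in SITE
        if external or len(dsts) >= min_targets:
            flagged.append((src, len(dsts), "external" if external else "internal"))
    return sorted(flagged)


if __name__ == "__main__":
    print(len(snmp_sessions(SESSIONS)), "SNMP sessions")        # 8
    for src, n, where in snmp_recon(SESSIONS):
        print(f"{src:16} queried {n} hosts ({where})")          # 198.51.100.7 queried 4 hosts (external)
```

Run against real session data, an empty result is the evidence behind "I hardly saw anything"; a non-empty one names the sources to chase before patching everything at once. Lowering min_targets trades fewer misses for more internal one-off queries to review.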

Tuesday, January 16, 2007

Comments on ISSA Journal Article

It's been 2 1/2 years since my first book was published, although I've been writing and speaking about Network Security Monitoring (NSM) for at least five years. I'm starting to see other people cite my works, which is neat. It also means people are starting to criticize what I wrote, so I need to elaborate on some ideas.

The December 2006 ISSA Journal includes an article by Robert Graham titled Detection Isn’t Optional: Monitoring-in-depth. (No, it's not the Robert Graham of Black Ice/ISS fame. This is a different person.)

The implication of this article is that NSM is insufficient because it does not integrate SNMP data, event logs, and other sources. I do not disagree with this assessment. The reason I focus on NSM is that I start from the premise of self-reliance. In many enterprises, the security team does not have access to SNMP data from infrastructure devices. That belongs to the networking team. They also might not have access to event logs, since those are owned by system administrators. In these situations, security analysts are left analyzing whatever data they can collect independently -- hence NSM.

Granted, the NSM definition I proposed is far too wide to apply strictly to traffic-centric monitoring. As I wrote previously I'm going to revise the NSM definition prior to writing a second edition of Tao. I think it makes sense to think of monitoring within this skeleton framework:

  • Enterprise Monitoring


    • Performance Monitoring

    • Fault Monitoring

    • Security Monitoring


      • Network- (i.e., traffic) centric

      • Infrastructure-centric

      • Host-centric

      • Application-centric


    • Compliance Monitoring



Here you see that I consider NSM to be a single part of the security aspect of enterprise situational awareness. NSM is not the be-all, end-all approach to solving enterprise problems. If I had tried to tackle this entire issue my first book could have been 2400 pages instead of 800. If you've read my blog for a while you'll remember seeing me review books on Nagios and host integrity monitoring and also commenting on SNMP. I do all this because I recognize the value of these other data sources.

Wednesday, October 04, 2006

Notes on Net Optics Think Tank

Last week I attended and spoke at cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 latest Net Optics Think Tank. I've presented for Net Optics twice before, but this was cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 first event held in norcá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365rn Virginia.

The first half of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 event consisted of two briefings. The first discussed tap technology. This was supposed to be a basic introduction but I learned quite a bit, especially with regards to fiber optics. Specifically, I learned of some cases where customers reverse cables when plugging in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365ir taps, cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365reby causing lots of tough-to-troubleshoot problems. Furcá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365rmore, as customers move from Gigabit over fiber to 10 Gigabit over fiber, cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y are encountering cabling issues. Gigabit is much more forgiving than 10 Gig. At 10 Gig, you apparently have to pay close attention to cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 specifications, such as core size.

I learned that Net Optics is considering ways to "tag" or "label" packets collected by cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365ir link aggregator taps. When discussing matrix switches, it occurred to me that those devices are a great way to implement on-demand monitoring while keeping true to cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 tenets of Visiblel Ops. Racá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r than monkeying around with a switch SPAN port, risking making a problematic change, you tell cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 matrix switch which port you want to monitor. The switch is never touched.

The same idea applies to bypass switches. Net Optics (and cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365ir customers) basically convinced me that it's a bad idea to ship an appliance with a bypass switch embedded as a NIC in a security appliance. It's far better (if you have cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 rack space) to have a separate bypass switch. This allows you to completely power down and remove cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 "inline" security appliance with no effect on cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 network. This isn't possible with an integrated bypass NIC. The second briefing covered cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Net Optics iTap product line, which I covered several months ago. Dennis Carpio (pictured at left) gave that briefing. Basically Net Optics is moving this "intelligent Tap" functionality into all of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365ir products. I told cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365m I would like to see cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 tap inspect and classify cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 traffic it sees, namely by doing port independent protocol identification. I would also like to see cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 iTaps support 802.1X, IPv6, SNMPv3, and a HTTPS Web interface.

The iTap might also support filtering at cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 monitoring ports. This would reduce cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 load of a sensor on cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 tap. For example, you could tell cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 iTap not to pass ARP or non-IP traffic to cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 sensor. Besides continuing to add features to taps without adding cost, Net Optics is also reducing cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365ir size. They will be able to fit six taps into 1U. They're also moving to replacing fixed ports with SFPs.

During cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 second half of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 day Net Optics shared ideas for future products. I'll keep this to myself, since this was not exactly meant for broadcast on cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Internet. Basically, if you have a network traffic access requirement you're trying to meet, get in contact with me. I can put you in touch with cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 right people at Net Optics and cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y will be able to meet your demands. I am not getting any kind of referral fee -- I just trust cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 people at this company to do cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 right thing.

Expect to see more reporting on their gear as I get demo products to test.

Monday, September 25, 2006

Review of The TCP/IP Guide Posted

Amazon.com just posted my 4 star review of The TCP/IP Guide. From the review:

Right away I must state that I did not read "The TCP/IP Guide" (TTG) cover-to-cover. I doubt anyone will, which raises interesting issues. This review is based on the sections I did read and my comparisons with other protocol books.

Protocol books should be divided into two eras. The first is the "Stevens era" meaning those written around the time Richard Stevens' "TCP/IP Illustrated, Vol 1: The Protocols" was published. For six years (1994-2000) Stevens' book was clearly the best protocol book, and it taught legions of networking pros TCP/IP. The second is the "modern era," beginning in 2000 and continuing to today. TTG fits in this group.

I question the approach taken by TTG. The book contains extremely basic information (what is networking, why use layers, what is a protocol, etc.) and extremely obscure information (PPP Link Control Protocol Frame Types and Fields, SNMPv2 PDU Error Status Field Values, Interpretation of Standard Telnet NVT ASCII Control Codes, etc.). If TTG were an introductory book, it wouldn't need the obscure material. If TTG were a reference, it wouldn't need the introductory material.


At 1616 pages and nearly 5 pounds, we should be dropping these books out of B-2s!

Monday, September 04, 2006

MIB Browser

While reading a book on Nagios, I learned of net-mgmt/mbrowse, pictured above. It's not fancy -- just a graphical SNMP v1 MIB browser.

Saturday, September 02, 2006

Working SNMP v3 Trap Using Net-SNMP Tools 5.1.2

I managed to get an SNMP v3 trap to work when sending the trap with Debian.

This is important because it confirms a bug was introduced into snmptrap somewhere in the 5.2.x line of Net-SNMP tools.

The version of snmptrap installed by Debian stable is 5.1.2. Here is what I set up.

The Debian host is macmini. I created /etc/snmp/snmpd.conf with the following.

createUser doit MD5 doitpassword DES doitpassword

When I ran snmpd, I saw the user created along with the engine ID for this host.

macmini:~# snmpd -f -Lo -Dusm
usmUser: created a new user doit at 80 00 07 E5 80 54 D7 15 E8 44 FA 12 65
Warning: no access control information configured.
It's unlikely this agent can serve any useful purpose in this state.
Run "snmpconf -g basic_setup" to help you configure the snmpd.conf file for this agent.
NET-SNMP version 5.1.2

This step also created /var/lib/snmp/snmpd.conf with the following:

usmUser 1 3 0x800007e58054d715e844fa1265 0x646f697400 0x646f697400 NULL .1.3.6.1.6.3.10.1.1.2
0x7118d87274c4aa4e22c27c003bf92add .1.3.6.1.6.3.10.1.2.2 0x7118d87274c4aa4e22c27c003bf92add ""
engineBoots 1
oldEngineID 0x800007e58054d715e844fa1265

0x800007e58054d715e844fa1265 is my engine ID. I need this when I set up snmptrapd.conf on hacom, which simulates an NMS using snmptrapd.

On hacom I create /usr/local/etc/snmp/snmptrapd.conf with the following:

createUser -e 0x800007e58054d715e844fa1265 doit MD5 doitpassword DES doitpassword

Next I start snmptrapd on hacom.

hacom:/root# snmptrapd -f -Lo -Dusm
usmUser: created a new user doit at 80 00 07 E5 80 54 D7 15 E8 44 FA 12 65
2006-09-02 19:25:10 NET-SNMP version 5.2.2 Started.

Finally I can send a trap from macmini to hacom.

richard@macmini:~$ snmptrap -Ddumph_send,dumpv_send,usm -v 3
-e 0x800007e58054d715e844fa1265
-u doit -a MD5 -A doitpassword -l authNoPriv 192.168.2.18 ''
SNMPv2-SMI::enterprises.3.1
dumph_send: SNMPv3 Message
dumph_send: PDU-TRAP2
dumph_send: VarBind
dumph_send: Value ObjID: SNMPv2-SMI::enterprises.3.1
dumph_send: Name ObjID: SNMPv2-MIB::snmpTrapOID.0
dumph_send: VarBind
dumph_send: Value UInteger: 637099911 (0x25F95F87)
dumph_send: Name ObjID: SNMPv2-MIB::sysUpTime.0
dumph_send: error index Integer: 0 (0x00)
dumph_send: error status Integer: 0 (0x00)
dumph_send: request_id Integer: 209733159 (0xC804627)
dumph_send: ScopedPdu
dumph_send: contextName String: [NULL]
dumph_send: contextEngineID String: ...å.J4..Dú.Z
dumph_send: msgSecurityModel Integer: 3 (0x03)
dumph_send: msgFlags String: .
dumph_send: msgMaxSize Integer: 65507 (0xFFE3)
dumph_send: msgID Integer: 29075524 (0x1BBA844)
dumph_send: SNMP Version Number Integer: 3 (0x03)
dumph_send: SM msgSecurityParameters
usm: USM processing has begun (offset 76)
usm: getting user doit
dumph_send: msgPrivacyParameters String: [NULL]
dumph_send: msgAuthenticationParameters String: ............
dumph_send: msgUserName String: doit
dumph_send: msgAuthoritativeEngineTime Integer: 637099911 (0x25F95F87)
dumph_send: msgAuthoritativeEngineBoots Integer: 1 (0x01)
dumph_send: msgAuthoritativeEngineID String: ...å.T×.èDú.e
usm: USM processing completed.

Here is what snmptrapd saw.

usm: USM processing begun...
usm: Verification succeeded.
usm: USM processing completed.
2006-09-02 19:26:50 macmini.taosecurity.com [UDP: [192.168.2.12]:34061]:
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (637099911) 73 days, 17:43:19.11
SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.3.1

Here is the packet that was sent.

Simple Network Management Protocol
msgVersion: snmpv3 (3)
msgGlobalData
msgID: 29075524
msgMaxSize: 65507
msgFlags: 01
.... .0.. = Reportable: Not set
.... ..0. = Encrypted: Not set
.... ...1 = Authenticated: Set
msgSecurityModel: USM (3)
msgAuthoritativeEngineID: 800007E58054D715E844FA1265
1... .... = Engine ID Conformance: RFC3411 (SNMPv3)
Engine Enterprise ID: U.C. Davis, ECE Dept. Tom (2021)
Engine ID Format: Reserved/Enterprise-specific (128): UCD-SNMP Random
Engine ID Data: 54D715E8
Engine ID Data: Creation Time: Sep 26, 2023 11:35:32
msgAuthoritativeEngineBoots: 1
msgAuthoritativeEngineTime: 637099911
msgUserName: doit
msgAuthenticationParameters: 90E951108773145325537BF0
msgData: plaintext (0)
plaintext
contextEngineID: 800007E5804A34181044FA135A
data: sNMPv2-Trap (7)
sNMPv2-Trap
request-id: 209733159
error-status: noError (0)
error-index: 0
variable-bindings: 2 items
Item
name: 1.3.6.1.2.1.1.3.0 (SNMPv2-MIB::sysUpTime.0)
valueType: value (0)
value: simple (4294967295)
value: simple (4294967295)
application-wide: timeticks-value (3)
timeticks-value: 637099911
Item
name: 1.3.6.1.6.3.1.1.4.1.0 (SNMPv2-MIB::snmpTrapOID.0)
valueType: value (0)
value: simple (4294967295)
simple: objectID-value (2)
Value: OID: SNMPv2-SMI::enterprises.3.1

0000 00 40 48 b1 5c db 00 14 51 17 6a b2 08 00 45 00 .@H.\...Q.j...E.
0010 00 b3 00 00 40 00 40 11 b4 cb c0 a8 02 0c c0 a8 ....@.@.........
0020 02 12 85 0d 00 a2 00 9f de 3d 30 81 94 02 01 03 .........=0.....
0030 30 11 02 04 01 bb a8 44 02 03 00 ff e3 04 01 01 0......D........
0040 02 01 03 04 30 30 2e 04 0d 80 00 07 e5 80 54 d7 ....00........T.
0050 15 e8 44 fa 12 65 02 01 01 02 04 25 f9 5f 87 04 ..D..e.....%._..
0060 04 64 6f 69 74 04 0c 90 e9 51 10 87 73 14 53 25 .doit....Q..s.S%
0070 53 7b f0 04 00 30 4a 04 0d 80 00 07 e5 80 4a 34 S{...0J.......J4
0080 18 10 44 fa 13 5a 04 00 a7 37 02 04 0c 80 46 27 ..D..Z...7....F'
0090 02 01 00 02 01 00 30 29 30 10 06 08 2b 06 01 02 ......0)0...+...
00a0 01 01 03 00 43 04 25 f9 5f 87 30 15 06 0a 2b 06 ....C.%._.0...+.
00b0 01 06 03 01 01 04 01 00 06 07 2b 06 01 04 01 03 ..........+.....
00c0 01 .

If I want to send the trap encrypted, I do the following.

richard@macmini:~$ snmptrap -Ddumph_send,dumpv_send,usm -v 3
-e 0x800007e58054d715e844fa1265
-u doit -a MD5 -A doitpassword -x DES -X doitpassword -l authPriv 192.168.2.18 ''
SNMPv2-SMI::enterprises.3.1
dumph_send: SNMPv3 Message
dumph_send: PDU-TRAP2
dumph_send: VarBind
dumph_send: Value ObjID: SNMPv2-SMI::enterprises.3.1
dumph_send: Name ObjID: SNMPv2-MIB::snmpTrapOID.0
dumph_send: VarBind
dumph_send: Value UInteger: 637119304 (0x25F9AB48)
dumph_send: Name ObjID: SNMPv2-MIB::sysUpTime.0
dumph_send: error index Integer: 0 (0x00)
dumph_send: error status Integer: 0 (0x00)
dumph_send: request_id Integer: 472573359 (0x1C2AE5AF)
dumph_send: ScopedPdu
dumph_send: contextName String: [NULL]
dumph_send: contextEngineID String: ...å.ox¿9Dú..
dumph_send: msgSecurityModel Integer: 3 (0x03)
dumph_send: msgFlags String: .
dumph_send: msgMaxSize Integer: 65507 (0xFFE3)
dumph_send: msgID Integer: 56841470 (0x36354FE)
dumph_send: SNMP Version Number Integer: 3 (0x03)
dumph_send: SM msgSecurityParameters
usm: USM processing has begun (offset 76)
usm: getting user doit
String: æ/Øá:ë......⡯Qlpª.z.u.Á?ó8t5b_$V.Rq.ð³¥3..¦ºIÏnÇ.
?.¥ó·}Û?».c.YPü÷Ã_I®èö.Î...§m
usm: Encryption successful.
dumph_send: msgPrivacyParameters String: ....ÜF..
dumph_send: msgAuthenticationParameters String: ............
dumph_send: msgUserName String: doit
dumph_send: msgAuthoritativeEngineTime Integer: 637119304 (0x25F9AB48)
dumph_send: msgAuthoritativeEngineBoots Integer: 1 (0x01)
dumph_send: msgAuthoritativeEngineID String: ...å.T×.èDú.e
usm: USM processing completed.

Here is what snmptrapd sees.

2006-09-02 19:30:05 macmini.taosecurity.com [UDP: [192.168.2.12]:34061]:
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (637119304) 73 days, 17:46:33.04
SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.3.1

Here is what the trace looks like.

Simple Network Management Protocol
msgVersion: snmpv3 (3)
msgGlobalData
msgID: 56841470
msgMaxSize: 65507
msgFlags: 03
.... .0.. = Reportable: Not set
.... ..1. = Encrypted: Set
.... ...1 = Authenticated: Set
msgSecurityModel: USM (3)
msgAuthoritativeEngineID: 800007E58054D715E844FA1265
1... .... = Engine ID Conformance: RFC3411 (SNMPv3)
Engine Enterprise ID: U.C. Davis, ECE Dept. Tom (2021)
Engine ID Format: Reserved/Enterprise-specific (128): UCD-SNMP Random
Engine ID Data: 54D715E8
Engine ID Data: Creation Time: Sep 26, 2023 11:35:32
msgAuthoritativeEngineBoots: 1
msgAuthoritativeEngineTime: 637119304
msgUserName: doit
msgAuthenticationParameters: 2BBB80DD5668B46281AFDF39
msgPrivacyParameters: 00000001DC469993
msgData: encryptedPDU (1)
encryptedPDU: E62FD8E13AEB7F088B0B111EE2A1AF516C70AA177A9E759C...

0000 00 40 48 b1 5c db 00 14 51 17 6a b2 08 00 45 00 .@H.\...Q.j...E.
0010 00 c1 00 00 40 00 40 11 b4 bd c0 a8 02 0c c0 a8 ....@.@.........
0020 02 12 85 0d 00 a2 00 ad 40 32 30 81 a2 02 01 03 ........@20.....
0030 30 11 02 04 03 63 54 fe 02 03 00 ff e3 04 01 03 0....cT.........
0040 02 01 03 04 38 30 36 04 0d 80 00 07 e5 80 54 d7 ....806.......T.
0050 15 e8 44 fa 12 65 02 01 01 02 04 25 f9 ab 48 04 ..D..e.....%..H.
0060 04 64 6f 69 74 04 0c 2b bb 80 dd 56 68 b4 62 81 .doit..+...Vh.b.
0070 af df 39 04 08 00 00 00 01 dc 46 99 93 04 50 e6 ..9.......F...P.
0080 2f d8 e1 3a eb 7f 08 8b 0b 11 1e e2 a1 af 51 6c /..:..........Ql
0090 70 aa 17 7a 9e 75 9c c1 3f f3 38 74 35 62 5f 24 p..z.u..?.8t5b_$
00a0 56 8a 52 71 01 f0 b3 a5 33 91 14 a6 ba 49 cf 6e V.Rq....3....I.n
00b0 c7 1e 3f 7f a5 f3 b7 7d db 3f bb 18 63 7f 59 50 ..?....}.?..c.YP
00c0 fc f7 c3 5f 49 ae e8 f6 1a ce 14 13 1e a7 6d ..._I.........m
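
The two traces above make the security difference between authNoPriv and authPriv visible: the first trap carries a plaintext ScopedPDU with sysUpTime and snmpTrapOID readable, the second carries an encryptedPDU. Here is an added example, not from this post or from Net-SNMP, that walks the SNMPv3 message header of each capture and reports what the USM flags and the msgData tag say; it assumes the hex strings are the UDP payloads transcribed from the dumps above, cut right after the msgData tag.

```python
# Constructed sample input: the UDP payload of each captured trap, cut after the msgData tag.
AUTH_NO_PRIV_HEX = (
    "30 81 94 02 01 03 30 11 02 04 01 bb a8 44 02 03 00 ff e3 04 01 01 02 01 03 04"
    " 30 30 2e 04 0d 80 00 07 e5 80 54 d7 15 e8 44 fa 12 65 02 01 01 02 04 25 f9 5f"
    " 87 04 04 64 6f 69 74 04 0c 90 e9 51 10 87 73 14 53 25 53 7b f0 04 00 30 4a")
AUTH_PRIV_HEX = (
    "30 81 a2 02 01 03 30 11 02 04 03 63 54 fe 02 03 00 ff e3 04 01 03 02 01 03 04"
    " 38 30 36 04 0d 80 00 07 e5 80 54 d7 15 e8 44 fa 12 65 02 01 01 02 04 25 f9 ab 48 04 04 64"
    " 6f 69 74 04 0c 2b bb 80 dd 56 68 b4 62 81 af df 39 04 08 00 00 00 01 dc 46 99 93 04 50")

def read_header(buf, pos):
    """BER tag and length at pos -> (tag, length, offset of the value)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low seven bits count the length octets that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, length, pos

def fields_of(seq):
    """Children of a constructed value as (tag, value) pairs; a truncated last child is tolerated."""
    out, pos = [], 0
    while pos < len(seq):
        tag, length, start = read_header(seq, pos)
        out.append((tag, seq[start:start + length]))
        pos = start + length
    return out

def parse_snmpv3_header(hexdump):
    """Decode SNMPv3Message framing (RFC 3412) and the USM parameters inside it (RFC 3414)."""
    buf = bytes.fromhex(hexdump)
    _, _, pos = read_header(buf, 0)                       # outer SEQUENCE
    (_, _ver), (_, gdata), (_, secp), (data_tag, _) = fields_of(buf[pos:])[:4]
    msg_id, _max_size, flags, _model = [v for _, v in fields_of(gdata)]
    usm = fields_of(fields_of(secp)[0][1])               # OCTET STRING wraps UsmSecurityParameters
    engine_id, boots, etime, user, auth_p, priv_p = [v for _, v in usm]
    return {
        "msg_id": int.from_bytes(msg_id, "big"),
        "authenticated": bool(flags[0] & 0x01),           # authFlag
        "encrypted_flag": bool(flags[0] & 0x02),          # privFlag
        "engine_id": engine_id.hex(),
        "engine_boots": int.from_bytes(boots, "big"),
        "engine_time": int.from_bytes(etime, "big"),
        "user": user.decode("ascii"),                     # cleartext even with authPriv
        "priv_param_bytes": len(priv_p),                  # 8-byte DES salt when encrypting
        "pdu_encrypted_on_wire": data_tag == 0x04,        # 0x30 = plaintext ScopedPDU
    }

def trap_leaks_varbinds(hexdump):  # True when the varbinds cross the wire readable
    h = parse_snmpv3_header(hexdump)
    return not (h["encrypted_flag"] and h["pdu_encrypted_on_wire"])
```

Note that the user name and engine ID are readable in both captures; authPriv protects the ScopedPDU, not the USM header.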

I am so glad I can get this to work. Everyone recommends using SNMP v3 but it's frustrating to figure it out when facing a bug in snmptrapd. Net-SNMP tools are really powerful, though.

The next challenge is figuring out the access control model in Net-SNMP 5.3.x. Apparently it's different from 5.2.x.

When 5.2.4 is released I plan to test out snmptrap on FreeBSD as well.