
Monday, April 08, 2019

Troubleshooting NSM Virtualization Problems with Linux and VirtualBox

I spent a chunk of the day troubleshooting a network security monitoring (NSM) problem. I thought I would share the problem and my investigation in the hopes that it might help others. The specifics are probably less important than the general approach.

It began with ja3. You may know ja3 as a set of Zeek scripts developed by the Salesforce engineering team to profile client and server TLS parameters.

I was reviewing Zeek logs captured by my Corelight appliance and by one of my lab sensors running Security Onion. I had coverage of the same endpoint in both sensors.

I noticed that the SO Zeek logs did not have ja3 hashes in the ssl.log entries. Both sensors did have ja3s hashes. My first thought was that SO was misconfigured somehow to not record ja3 hashes. I quickly dismissed that, because it made no sense. Besides, verifying that intuition required me to start troubleshooting near the top of the software stack.

I decided to start at the bottom, or close to the bottom. I had a sinking suspicion that, for some reason, Zeek was only seeing traffic sent from remote systems, and not traffic originating from my network. That would account for the creation of ja3s hashes, for traffic sent by remote systems, but not ja3 hashes, as Zeek was not seeing traffic sent by local clients.

I was running SO in VirtualBox 6.0.4 on Ubuntu 18.04. I started sniffing TCP network traffic on the SO monitoring interface using Tcpdump. As I feared, it didn't look right. I ran a new capture with filters for ICMP and a remote IP address. On another system I tried pinging the remote IP address. Sure enough, I only saw ICMP echo replies, and no ICMP echoes. Oddly, I also saw doubles and triples of some of the ICMP echo replies. That worried me, because unpredictable behavior like that could indicate some sort of software problem.

My next step was to "get under" the VM guest and determine if the VM host could see traffic properly. I ran Tcpdump on the Ubuntu 18.04 host on the monitoring interface and repeated my ICMP tests. It saw everything properly. That meant I did not need to bother checking the switch span port that was feeding traffic to the VirtualBox system.

It seemed I had a problem somewhere between the VM host and guest. On the same VM host I was also running an instance of RockNSM. I ran my ICMP tests on the RockNSM VM and, sadly, I got the same one-sided traffic as seen on SO.

Now I was worried. If the problem had only been present in SO, then I could fix SO. If the problem was present in both SO and RockNSM, then the problem had to be with VirtualBox -- and I might not be able to fix it.

I reviewed my configurations in VirtualBox, ensuring that the "Promiscuous Mode" under the Advanced options was set to "Allow All". At this point I worried that there was a bug in VirtualBox. I did some Google searches and reviewed some forum posts, but I did not see anyone reporting issues with sniffing traffic inside VMs. Still, my use case might have been weird enough to not have been reported.

I decided to try a different approach. I wondered if running VirtualBox with elevated privileges might make a difference. I did not want to take ownership of my user VMs, so I decided to install a new VM and run it with elevated privileges.

Let me stop here to note that I am breaking one of the rules of troubleshooting. I'm introducing two new variables, when I should have introduced only one. I should have built a new VM but run it with the same user privileges with which I was running the existing VMs.

I decided to install a minimal edition of Ubuntu 9, with VirtualBox running via sudo. When I started the VM and sniffed traffic on the monitoring port, lo and behold, my ICMP tests revealed both sides of the traffic as I had hoped. Unfortunately, from this I erroneously concluded that running VirtualBox with elevated privileges was the answer to my problems.

I took ownership of the SO VM in my elevated VirtualBox session, started it, and performed my ICMP tests. Womp womp. Still broken.

I realized I needed to separate the two variables that I had entangled, so I stopped VirtualBox, and changed ownership of the Debian 9 VM to my user account. I then ran VirtualBox with user privileges, started the Debian 9 VM, and ran my ICMP tests. Success again! Apparently elevated privileges had nothing to do with my problem.

By now I was glad I had not posted anything to any user forums describing my problem and asking for help. There was something about the monitoring interface configurations in both SO and RockNSM that resulted in the inability to see both sides of traffic (and avoid weird doubles and triples).

I started my SO VM again and looked at the script that configured the interfaces. I commented out all the entries below the management interface as shown below.

$ cat /etc/network/interfaces

# This configuration was created by the Security Onion setup script.
#
# The original network interface configuration file was backed up to:
# /etc/network/interfaces.bak.
#
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# loopback network interface
auto lo
iface lo inet loopback

# Management network interface
auto enp0s3
iface enp0s3 inet static
  address 192.168.40.76
  gateway 192.168.40.1
  netmask 255.255.255.0
  dns-nameservers 192.168.40.1
  dns-domain localdomain

#auto enp0s8
#iface enp0s8 inet manual
#  up ip link set $IFACE promisc on arp off up
#  down ip link set $IFACE promisc off down
#  post-up ethtool -G $IFACE rx 4096; for i in rx tx sg tso ufo gso gro lro; do ethtool -K $IFACE $i off; done
#  post-up echo 1 > /proc/sys/net/ipv6/conf/$IFACE/disable_ipv6

#auto enp0s9
#iface enp0s9 inet manual
#  up ip link set $IFACE promisc on arp off up
#  down ip link set $IFACE promisc off down
#  post-up ethtool -G $IFACE rx 4096; for i in rx tx sg tso ufo gso gro lro; do ethtool -K $IFACE $i off; done
#  post-up echo 1 > /proc/sys/net/ipv6/conf/$IFACE/disable_ipv6

I rebooted the system and brought the enp0s8 interface up manually using this command:

$ sudo ip link set enp0s8 promisc on arp off up

Fingers crossed, I ran my ICMP sniffing tests, and voila, I saw what I needed -- traffic in both directions, without doubles or triples no less.

So, there appears to be some sort of problem with the way SO and RockNSM set parameters for their monitoring interfaces, at least as far as they interact with VirtualBox 6.0.4 on Ubuntu 18.04. You can see in the network script that SO disables a bunch of NIC options. I imagine one or more of them is the culprit, but I didn't have time to work through them individually.

I tried taking a look at the network script in RockNSM, but it runs CentOS, and I'll be darned if I can't figure out where to look. I'm sure it's there somewhere, but I didn't have the time to figure out where.

The moral of the story is that I should have immediately checked after installation that both SO and RockNSM were seeing both sides of the traffic I expected them to see. I had taken that for granted for many previous deployments, but something broke recently and I don't know exactly what. My workaround will hopefully hold for now, but I need to take a closer look at the NIC options because I may have introduced another fault.
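The post-install check described in this paragraph, written out as an added example that is not from the original post: a POSIX shell function that reads `tcpdump -n` output for an ICMP test and reports whether both echo requests and echo replies were seen and whether any frame was duplicated, which is exactly the one-sided and doubled symptom described above. The sample tcpdump lines and the addresses in them are constructed for this example; the interface name enp0s8 in the usage comment is the post's own.

```shell
#!/bin/sh
# Added example: verify that an NSM monitoring interface sees both directions
# of an ICMP test and does not deliver duplicate frames.
#
# Real usage on the sensor (needs root; addresses are placeholders):
#   sudo tcpdump -l -nn -i enp0s8 -c 20 icmp and host 203.0.113.10 | check_visibility
# while another host pings 203.0.113.10.

# Constructed sample output (not a capture from the post): replies only, with a
# duplicated frame, i.e. the broken VirtualBox case.
SAMPLE_ONE_SIDED='12:00:01.000100 IP 203.0.113.10 > 192.168.40.50: ICMP echo reply, id 1, seq 1, length 64
12:00:01.000100 IP 203.0.113.10 > 192.168.40.50: ICMP echo reply, id 1, seq 1, length 64
12:00:02.000200 IP 203.0.113.10 > 192.168.40.50: ICMP echo reply, id 1, seq 2, length 64'

# Constructed sample output: both directions, no duplicates, i.e. the healthy case.
SAMPLE_OK='12:00:01.000000 IP 192.168.40.50 > 203.0.113.10: ICMP echo request, id 1, seq 1, length 64
12:00:01.000100 IP 203.0.113.10 > 192.168.40.50: ICMP echo reply, id 1, seq 1, length 64
12:00:02.000000 IP 192.168.40.50 > 203.0.113.10: ICMP echo request, id 1, seq 2, length 64
12:00:02.000200 IP 203.0.113.10 > 192.168.40.50: ICMP echo reply, id 1, seq 2, length 64'

# Constructed sample output: both directions, but one reply seen twice.
SAMPLE_DUPS='12:00:01.000000 IP 192.168.40.50 > 203.0.113.10: ICMP echo request, id 1, seq 1, length 64
12:00:01.000100 IP 203.0.113.10 > 192.168.40.50: ICMP echo reply, id 1, seq 1, length 64
12:00:01.000100 IP 203.0.113.10 > 192.168.40.50: ICMP echo reply, id 1, seq 1, length 64'

# Reads tcpdump lines on stdin, prints a summary and a verdict.
# Exit status: 0 = both directions seen and no duplicates,
#              1 = one-sided capture (requests or replies missing),
#              2 = both directions seen but duplicated frames present.
check_visibility() {
    awk '
        /ICMP echo request/ { req++ }
        /ICMP echo reply/   { rep++ }
        { if (seen[$0]++) dup++ }       # identical line seen before: a duplicate
        END {
            printf "echo requests=%d replies=%d duplicate lines=%d\n", req, rep, dup
            if (req == 0 || rep == 0) { print "VERDICT: one-sided capture"; exit 1 }
            if (dup > 0)              { print "VERDICT: duplicated frames";  exit 2 }
            print "VERDICT: ok"
        }'
}

# Demonstration on the constructed samples when run as a script.
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_OK"        | check_visibility
    printf '%s\n' "$SAMPLE_ONE_SIDED" | check_visibility
    printf '%s\n' "$SAMPLE_DUPS"      | check_visibility
fi
```

The duplicate test keys on the whole line, so it only catches frames that tcpdump prints identically (same timestamp to the microsecond, same id and seq); that is what the doubled replies in this post look like, and it keeps the check free of any dependency beyond awk.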

A second moral is to be careful of changing two or more variables when troubleshooting. When you do that you might fix a problem, but not know what change fixed the issue.

Saturday, January 25, 2014

Suricata 2.0beta2 as IPS on Ubuntu 12.04

Today I decided to install Suricata, the open source intrusion detection and prevention engine from the Open Information Security Foundation (OISF), as an IPS.

I've been running Suricata in IDS mode through Security Onion on and off for several years, but I never tried Suricata as an IPS.

I decided I wanted to run Suricata as a bridging IPS, such that it did not route traffic. In other words, I could place a Suricata IPS between, say, a router and a firewall, or between a router and a host, and neither endpoint would know the IPS was present.

Looking at available documentation across the Web, I did not see specific mention of this exact configuration. It's entirely possible I missed something useful, but most people running Linux as a bridge weren't using Suricata.

Those running Linux as a bridge sometimes enabled an IP address for the bridge, which is something I didn't want to do. (True bridges should be invisible to endpoints.)

Of course, to administer the bridge system itself, you ensure the box has a third interface and you assign that interface a management IP address.

I also noticed those using Suricata as an IPS tended to configure it as a router, giving IP addresses to the internal and external interfaces. I wanted an invisible bridge, not a router.

The hardware I used for the bridge was a 2003-era Shuttle small form factor system with 512 MB RAM, two NICs (eth0 and eth1), and a wireless NIC (wlan0). I installed Ubuntu Server 12.04.3 LTS. I tried installing the 64 bit version but realized the box was too old for 64 bit. Once I tried a 32 bit installation I was working in no time.

The first step I took was to create the bridge. I wanted to deploy the system between a router and an endpoint with IP address 192.168.2.142, like this:

router <-> eth0/Linux bridge/eth1 <-> 192.168.2.142

These are the commands to create the bridge. This how-to was useful.

$ sudo apt-get install bridge-utils
$ sudo brctl addbr br0
$ sudo brctl addif br0 eth0
$ sudo brctl addif br0 eth1
$ sudo ifconfig eth0 0.0.0.0
$ sudo ifconfig eth1 0.0.0.0
$ sudo ifconfig br0 up

With the bridge working, I could reach 192.168.2.142, the endpoint host, through the Ubuntu Linux bridge system. If I wanted to, I could watch traffic with Tcpdump on br0, eth0, or eth1.

Next I needed to install Suricata. I decided to use the beta packages published by OISF as described here. I also had to install python-software-properties as shown in order to have add-apt-repository available.

$ sudo apt-get install python-software-properties

$ sudo add-apt-repository ppa:oisf/suricata-beta
You are about to add the following PPA to your system:
 Suricata IDS/IPS/NSM beta packages

http://www.openinfosecfoundation.org/
http://planet.suricata-ids.org/
http://suricata-ids.org/

Suricata IDS/IPS/NSM - Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine.

Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF).
 Suricata is developed by the OISF, its supporting vendors and the community.

This engine is not intended to just replace or emulate the existing tools in the industry, but will bring new ideas
 and technologies to the field.

This new Engine supports:

Multi-Threading - provides for extremely fast and flexible operation on multicore systems.
File Extraction, MD5 matching - over 4000 types of file recognition/extraction transmitted live over the wire.
TLS/SSL certificate matching/logging
Automatic Protocol Detection (IPv4/6, TCP, UDP, ICMP, HTTP, TLS, FTP, SMB )
Gzip Decompression
Fast IP Matching
Hardware acceleration on CUDA and GPU cards

and many more great features -
http://suricata-ids.org/features/all-features/
 More info: https://launchpad.net/~oisf/+archive/suricata-beta
Press [ENTER] to continue or ctrl-c to cancel adding it

gpg: keyring `/tmp/tmpqk6Ubk/secring.gpg' created
gpg: keyring `/tmp/tmpqk6Ubk/pubring.gpg' created
gpg: requesting key 66EB736F from hkp server keyserver.ubuntu.com
gpg: /tmp/tmpqk6Ubk/trustdb.gpg: trustdb created
gpg: key 66EB736F: public key "Launchpad PPA for Peter Manev" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
OK

$ sudo apt-get update
Now I was ready to install Suricata and Htp, a dependency.
$ sudo apt-get install suricata htp
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  libhtp1 libnet1 libnetfilter-queue1 libnspr4 libnss3 libyaml-0-2
The following NEW packages will be installed:
  htp libhtp1 libnet1 libnetfilter-queue1 libnspr4 libnss3 libyaml-0-2
  suricata
0 upgraded, 8 newly installed, 0 to remove and 0 not upgraded.
Need to get 2,510 kB of archives.
After this operation, 8,394 kB of additional disk space will be used.
Do you want to continue [Y/n]?
...snip...
With this process done I added rules from Emerging Threats. I found Samiux's blog post helpful.
$ cd /etc/suricata
$ sudo wget https://rules.emergingthreatspro.com/open/suricata/emerging.rules.tar.gz
$ sudo tar -xzf emerging.rules.tar.gz
$ sudo mkdir /var/log/suricata
$ sudo touch /etc/suricata/threshold.config

Now I had to edit /etc/suricata/suricata.yaml. The following diff shows the changes I made to the original file.

$ diff -u /etc/suricata/suricata.yaml.orig /etc/suricata/suricata.yaml
--- /etc/suricata/suricata.yaml.orig    2014-01-25 21:39:57.542801685 -0500
+++ /etc/suricata/suricata.yaml 2014-01-25 21:41:31.530801055 -0500
@@ -46,7 +46,7 @@

 # Default pid file.
 # Will use this file if no --pidfile in command options.
-#pid-file: /var/run/suricata.pid
+pid-file: /var/run/suricata.pid

 # Daemon working directory
 # Suricata will change directory to this one if provided
@@ -208,7 +208,7 @@

   # a line based information for dropped packets in IPS mode
   - drop:
-      enabled: no
+      enabled: yes
       filename: drop.log
       append: yes
       #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
@@ -337,7 +337,7 @@

 # You can specify a threshold config file by setting "threshold-file"
 # to the path of the threshold config file:
-# threshold-file: /etc/suricata/threshold.config
+threshold-file: /etc/suricata/threshold.config

 # The detection engine builds internal groups of signatures. The engine
 # allow us to specify the profile to use for them, to manage memory on an
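Review bot: threshold-file now points at /etc/suricata/threshold.config, which the `sudo touch` step earlier in the post created as an empty file; an empty threshold file loads fine, but a one-line comment in it (or next to this setting) saying it is a deliberate placeholder would save the next reader from assuming the thresholds were lost.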
@@ -373,7 +373,7 @@
   - inspection-recursion-limit: 3000
   # When rule-reload is enabled, sending a USR2 signal to the Suricata process
   # will trigger a live rule reload. Experimental feature, use with care.
-  #- rule-reload: true
+  - rule-reload: true
   # If set to yes, the loading of signatures will be made after the capture
   # is started. This will limit the downtime in IPS mode.
   #- delayed-detect: yes
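Review bot: rule-reload is switched on here although the comment two lines above it flags the feature as experimental ("use with care"), while delayed-detect, whose own comment says it limits downtime in IPS mode, the mode this configuration is being built for, stays commented out; consider enabling `- delayed-detect: yes` alongside it, or leaving rule-reload off until the IPS setup is stable.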
Next I added the following test rule to /etc/suricata/rules/drop.rules. The file location is arbitrary. I wrote a simple rule to alert on ICMP traffic from a test system, 192.168.2.126. All of the following is one line. I just broke it for readability.
alert icmp 192.168.2.126 any -> any any (msg:"ALERT test ICMP ping from 192.168.2.106";
 icode:0; itype:8; classtype:trojan-activity; sid:99999998; rev:1;)

Notice I have no iptables rules loaded at this point:

$ sudo iptables -vnL
Chain INPUT (policy ACCEPT 5 packets, 392 bytes)
 pkts bytes target     prot opt in     out     source               destination 

Chain FORWARD (policy ACCEPT 4 packets, 240 bytes)
 pkts bytes target     prot opt in     out     source               destination 

Chain OUTPUT (policy ACCEPT 4 packets, 496 bytes)
 pkts bytes target     prot opt in     out     source               destination

Now I was ready to see if Suricata would at least see and alert on traffic matching my ICMP test rule. First I started Suricata and told it to watch br0, the bridge interface.

$ sudo suricata -c /etc/suricata/suricata.yaml -i br0

25/1/2014 -- 22:44:13 -  - This is Suricata version 2.0beta2 RELEASE
25/1/2014 -- 22:44:16 -  - [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /etc/suricata/rules/emerging-icmp.rules
25/1/2014 -- 22:44:33 -  - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file /etc/suricata/rules/dns-events.rules: No such file or directory.
25/1/2014 -- 22:44:51 -  - [ERRCODE: SC_ERR_PCAP_CREATE(21)] - Using Pcap capture with GRO or LRO activated can lead to capture problems.
25/1/2014 -- 22:44:51 -  - all 2 packet processing threads, 3 management threads initialized, engine started.
I don't care about the Warning or Error notices here. I could fix those but they are not germane to demonstrating the main point of this post.

On a separate system, 192.168.2.126, I pinged 192.168.2.142.

$ ping -c 2 192.168.2.142
PING 192.168.2.142 (192.168.2.142) 56(84) bytes of data.
64 bytes from 192.168.2.142: icmp_req=1 ttl=64 time=5.29 ms
64 bytes from 192.168.2.142: icmp_req=2 ttl=64 time=4.03 ms

--- 192.168.2.142 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 4.030/4.663/5.297/0.637 ms
Then I checked my Suricata logs:
$ ls -al /var/log/suricata/
total 88
drwxr-xr-x  3 root root  4096 Jan 25 22:50 .
drwxr-xr-x 11 root root  4096 Jan 25 21:38 ..
-rw-r--r--  1 root root     0 Jan 25 22:15 drop.log
-rw-r--r--  1 root root   392 Jan 25 22:50 fast.log
-rw-r--r--  1 root root     0 Jan 25 21:42 http.log
-rw-r--r--  1 root root 66008 Jan 25 22:50 stats.log
drwxr-xr-x  2 root root  4096 Jan 25 22:15 .tmp
-rw-r--r--  1 root root   388 Jan 25 22:50 unified2.alert.1390708237

$ cat /var/log/suricata/fast.log
01/25/2014-22:50:40.510124  [**] [1:99999998:1] ALERT test ICMP ping from 192.168.2.106 [**] [Classification: A Network Trojan was detected] [Priority: 1] {ICMP} 192.168.2.126:8 -> 192.168.2.142:0
01/25/2014-22:50:41.510464  [**] [1:99999998:1] ALERT test ICMP ping from 192.168.2.106 [**] [Classification: A Network Trojan was detected] [Priority: 1] {ICMP} 192.168.2.126:8 -> 192.168.2.142:0
That worked as expected. I got alerts on the ICMP traffic matching the test ALERT rule.

Now it was time to drop traffic!

I added a new rule to drop.rules, again broken only for readability here:

drop icmp 192.168.2.126 any -> any any (msg:"DROP test ICMP ping from 192.168.2.106";
 icode:0; itype:8; classtype:trojan-activity; sid:99999999; rev:1;)
I also disabled the previous ALERT rule by commenting it out.

Next I added iptables rules for the FORWARD chain, for traffic traversing the bridge. This documentation was helpful.

$ sudo iptables -I FORWARD -j NFQUEUE

$ sudo iptables -vnL
Chain INPUT (policy ACCEPT 32 packets, 2752 bytes)
 pkts bytes target     prot opt in     out     source               destination 

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 
    0     0 NFQUEUE    all  --  *      *       0.0.0.0/0            0.0.0.0/0            NFQUEUE num 0

Chain OUTPUT (policy ACCEPT 25 packets, 2600 bytes)
 pkts bytes target     prot opt in     out     source               destination 
Finally I restarted Suricata, this time telling it to use queue 0, where NFQUEUE was waiting for packets for Suricata.
$ sudo suricata -c /etc/suricata/suricata.yaml -q 0
25/1/2014 -- 22:54:49 -  - This is Suricata version 2.0beta2 RELEASE
25/1/2014 -- 22:54:52 -  - [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /etc/suricata/rules/emerging-icmp.rules
25/1/2014 -- 22:55:08 -  - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file /etc/suricata/rules/dns-events.rules: No such file or directory.
25/1/2014 -- 22:55:26 -  - all 3 packet processing threads, 3 management threads initialized, engine started.
With Suricata running in IPS mode, I tried pinging 192.168.2.142 from 192.168.2.126 as I did earlier.
$ ping -c 2 192.168.2.142
PING 192.168.2.142 (192.168.2.142) 56(84) bytes of data.

--- 192.168.2.142 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1006ms
Nothing got through! I confirmed that I could ping the same box from another source IP address. In other words, only ICMP from 192.168.2.126 was blocked. Now check the Suricata logs:
$ ls -al /var/log/suricata/
total 152
drwxr-xr-x  3 root root   4096 Jan 25 22:57 .
drwxr-xr-x 11 root root   4096 Jan 25 21:38 ..
-rw-r--r--  1 root root    294 Jan 25 22:57 drop.log
-rw-r--r--  1 root root    798 Jan 25 22:57 fast.log
-rw-r--r--  1 root root      0 Jan 25 21:42 http.log
-rw-r--r--  1 root root 125812 Jan 25 22:57 stats.log
drwxr-xr-x  2 root root   4096 Jan 25 22:15 .tmp
-rw-r--r--  1 root root    388 Jan 25 22:50 unified2.alert.1390708237
-rw-r--r--  1 root root      0 Jan 25 22:55 unified2.alert.1390708526
-rw-r--r--  1 root root    360 Jan 25 22:57 unified2.alert.1390708633

$ cat drop.log
01/25/2014-22:57:17.031400: IN= OUT= SRC=192.168.2.126 DST=192.168.2.142 LEN=84 TOS=0x00 TTL=64 ID=36055 PROTO=ICMP TYPE=8 CODE=0 ID=59729 SEQ=256
01/25/2014-22:57:18.038179: IN= OUT= SRC=192.168.2.126 DST=192.168.2.142 LEN=84 TOS=0x00 TTL=64 ID=36056 PROTO=ICMP TYPE=8 CODE=0 ID=59729 SEQ=512
Cool, those are our dropped ICMP packets. Checking fast.log we'll see the original two ALERT test messages, but check out the new DROP test messages too:
$ cat /var/log/suricata/fast.log
01/25/2014-22:50:40.510124  [**] [1:99999998:1] ALERT test ICMP ping from 192.168.2.106 [**] [Classification: A Network Trojan was detected] [Priority: 1] {ICMP} 192.168.2.126:8 -> 192.168.2.142:0
01/25/2014-22:50:41.510464  [**] [1:99999998:1] ALERT test ICMP ping from 192.168.2.106 [**] [Classification: A Network Trojan was detected] [Priority: 1] {ICMP} 192.168.2.126:8 -> 192.168.2.142:0
01/25/2014-22:57:17.031400  [Drop] [**] [1:99999999:1] DROP test ICMP ping from 192.168.2.106 [**] [Classification: A Network Trojan was detected] [Priority: 1] {ICMP} 192.168.2.126:8 -> 192.168.2.142:0
01/25/2014-22:57:18.038179  [Drop] [**] [1:99999999:1] DROP test ICMP ping from 192.168.2.106 [**] [Classification: A Network Trojan was detected] [Priority: 1] {ICMP} 192.168.2.126:8 -> 192.168.2.142:0
So that's it.

Note that with this configuration, if you stop Suricata then the host it's "protecting" is totally unreachable. You can restore connectivity by flushing the iptables rules via this command:

$ sudo iptables -F
Now the endpoint is reachable while Suricata is not running. To re-enable the IPS, you have to set up the NFQUEUE via iptables again as shown previously.
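The bridge, NFQUEUE and Suricata steps above, collected into one script as an added example that is not from the original post and is not Suricata's own tooling. It reuses the same brctl, ifconfig, iptables and suricata commands and adds the piece the note above calls for: an EXIT trap that removes the NFQUEUE rule when Suricata stops, so the protected host does not go dark. The `run` helper and the DRY_RUN switch are my additions so the commands can be reviewed without root; the interface names eth0/eth1, the bridge br0, queue 0 and the config path are the post's own.

```shell
#!/bin/sh
# Added example: bring up a transparent Linux bridge and run Suricata inline
# on NFQUEUE, restoring connectivity automatically when Suricata exits.
#
# Usage (as root):  ./bridge-ips.sh bridge   # one-time bridge setup
#                   ./bridge-ips.sh ips      # insert NFQUEUE rule, run Suricata, remove rule on exit
#                   ./bridge-ips.sh off      # remove the NFQUEUE rule by hand
# Set DRY_RUN=1 to print the commands instead of executing them.

BR="${BR:-br0}"                                   # bridge name from the post
NICS="${NICS:-eth0 eth1}"                         # bridge member ports from the post
QUEUE="${QUEUE:-0}"                               # NFQUEUE number Suricata listens on
SURICATA_CFG="${SURICATA_CFG:-/etc/suricata/suricata.yaml}"

# Execute a command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Same bridge recipe as the post: no IP address on the members or the bridge,
# so neither endpoint can tell the IPS is there.
bridge_up() {
    run brctl addbr "$BR"
    for nic in $NICS; do
        run brctl addif "$BR" "$nic"
        run ifconfig "$nic" 0.0.0.0           # member port carries no IP address
    done
    run ifconfig "$BR" up                     # the bridge itself gets no IP either
}

# Send forwarded (bridged) traffic to NFQUEUE so Suricata can verdict it.
nfq_on() {
    run iptables -I FORWARD -j NFQUEUE --queue-num "$QUEUE"
}

# Remove only our rule (the post used `iptables -F`, which flushes everything).
nfq_off() {
    run iptables -D FORWARD -j NFQUEUE --queue-num "$QUEUE"
}

# Insert the rule, run Suricata in the foreground, and take the rule out again
# however Suricata ends (normal exit, Ctrl-C, or a crash), so the protected
# host is reachable again instead of being silently cut off.
run_ips() {
    nfq_on
    trap 'nfq_off' EXIT INT TERM
    run suricata -c "$SURICATA_CFG" -q "$QUEUE"
}

case "${1:-}" in
    bridge) bridge_up ;;
    ips)    run_ips ;;
    off)    nfq_off ;;
    *)      : ;;   # no argument (or sourced): only define the functions
esac
```

Removing the rule on exit trades fail-closed for fail-open: while Suricata is down the endpoint is reachable but uninspected, which is the behaviour the post restores by hand with `iptables -F`. If fail-closed is the requirement, drop the trap and keep the NFQUEUE rule in place.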

Following these directions you have the foundation for building a bridged IPS using Suricata on Ubuntu Server 12.04. The next step would be to fix the configuration issues causing the start-up error messages, make the bridge, firewall, and Suricata components available at start-up, and then build your own set of DROP rules. There are probably also optimizations for PF_RING and other performance features. Good luck!

Do you run Suricata as an IPS? How do you do it? Have you tried the new 2.x beta?

Friday, January 22, 2010

Sguil 0.7.0 on Ubuntu 9.10

Today I installed a Sguil client on a fresh installation of Ubuntu 9.10.

It was really easy with the exception of one issue I had to troubleshoot, explained below.

First, notice that tcl8.4 and tk8.4 are already installed on Ubuntu 9.10.

richard@janney:~$ dpkg --list | grep -i tcl
ii tcl8.4 8.4.19-3
Tcl (the Tool Command Language) v8.4 - run-t
ii tk8.4 8.4.19-3
Tk toolkit for Tcl and X11, v8.4 - run-time
richard@janney:~$ sudo apt-get install tclx8.4 tcllib iwidgets4 tcl-tls
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
itcl3 itk3
Suggested packages:
itcl3-doc itk3-doc iwidgets4-doc tclx8.4-doc
The following NEW packages will be installed:
itcl3 itk3 iwidgets4 tcl-tls tcllib tclx8.4
0 upgraded, 6 newly installed, 0 to remove and 0 not upgraded.
Need to get 4,127kB of archives.
After this operation, 18.1MB of additional disk space will be used.
Do you want to continue [Y/n]? y
Get:1 http://us.archive.ubuntu.com karmic/universe itcl3 3.2.1-5 [99.4kB]
...truncated...

Next install wireshark via apt-get. I don't show that here.

The server I want to connect to is running Sguil 0.7.0, not the version currently in CVS. If you try connecting from a CVS client to a 0.7.0 server, the client will report an error like

error writing "sock6": connection reset by peer

On the server side you will see Sguil die on error:

pid(37598) Client Connect: 192.168.2.194 39901 sock15
pid(37598) Validating client access: 192.168.2.194
pid(37598) Valid client access: 192.168.2.194
pid(37598) Sending sock15: SGUIL-0.7.0 OPENSSL ENABLED
pid(37598) Client Command Received: VersionInfo {SGUIL-0.7.0 OPENSSL ENABLED}
pid(37598) ERROR: Client connect denied - mismatched versions
pid(37598) CLIENT VERSION: {SGUIL-0.7.0 OPENSSL ENABLED}
pid(37598) SERVER VERSION: SGUIL-0.7.0 OPENSSL ENABLED
Error: can not find channel named "sock15"
can not find channel named "sock15"
while executing
"close $socketID"
(procedure "ClientVersionCheck" line 11)
invoked from within
"ClientVersionCheck $socketID $data1 "
("VersionInfo" arm line 1)
invoked from within
"switch -exact $clientCmd {
DeleteEventID { $clientCmd $socketID $index1 $index2 }
DeleteEventIDList { $clientCmd $socketID $data1 }
..."
(procedure "ClientCmdRcvd" line 38)
invoked from within
"ClientCmdRcvd sock15"
SGUILD: killing child procs...
SGUILD: Exiting...

If you diff the sguil.tk from 0.7.0 against sguil.tk from CVS, these differences explain what is happening:

richard@janney:~/sguil/client$ diff /home/richard/Downloads/sguil-0.7.0/client/sguil.tk sguil.tk
5c5
< # $Id: sguil.tk,v 1.249 2008/03/25 15:59:34 bamm Exp $ #
---
> # $Id: sguil.tk,v 1.254 2008/09/21 02:59:25 bamm Exp $ #
156,162d155
< # store $data in $origData because ctoken changes the var it is working on.
< #set origData $data
< #set serverCmd [ctoken data " "]
< #set data1 [string trimleft $data]
< # data1 has indices 1 on etc etc
< #set index1 [ctoken data " "]
< #set data2 [string trimleft $data]
203a197
> PassChange { $serverCmd [lindex $data 1] [lindex $data 2] }
235c229
< puts $socketID "VersionInfo $tmpVERSION"
---
> puts $socketID [list VersionInfo $tmpVERSION]
...truncated...
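Review bot: the 235c229 hunk is the root cause of the version error logged above. `puts $socketID [list VersionInfo $tmpVERSION]` sends the version as a Tcl list element, so a value containing spaces arrives wrapped in braces; that is exactly the `CLIENT VERSION: {SGUIL-0.7.0 OPENSSL ENABLED}` the 0.7.0 server prints next to its unbraced `SERVER VERSION: SGUIL-0.7.0 OPENSSL ENABLED` before rejecting the client as mismatched, even though the version strings are identical. The CVS server side presumably parses the command as a list, so the change is consistent within CVS; the practical fix is to run a client and server from the same release, not to patch this one line. The 156,162d155 hunk only removes commented-out code and needs no action.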

Finally, I like to edit my sguil.conf as shown to account for Wireshark's location and to reduce the number of panes from the default of 3 down to 1.

richard@janney:~/Downloads/sguil-0.7.0/client$ diff sguil.conf.orig sguil.conf
49c49
< set WIRESHARK_PATH /usr/sbin/wireshark
---
> set WIRESHARK_PATH /usr/bin/wireshark
73c73
< set RTPANES 3
---
> set RTPANES 1
78,80c78,80
< set RTPANE_PRIORITY(0) "1"
< set RTPANE_PRIORITY(1) "2 3"
< set RTPANE_PRIORITY(2) "4 5"
---
> set RTPANE_PRIORITY(0) "1 2 3 4 5"
> #set RTPANE_PRIORITY(1) "2 3"
> #set RTPANE_PRIORITY(2) "4 5"
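Review bot: the 78,80c78,80 hunk is consistent with the `RTPANES 1` change above it: all five priorities from the three original lines are folded into pane 0, and the two remaining entries are commented out rather than deleted, which keeps the original three-pane layout recoverable. A one-line comment above the block saying the commented entries only apply when RTPANES is set back to 3 would save the next reader from uncommenting them on their own.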

At this point I can use the Sguil client.

Unfortunately I continue to have a problem with DNS resolution. (I reported one a while back.)

can't read "state(reply)": no such element in array
can't read "state(reply)": no such element in array
while executing
"binary scan $state(reply) SSSSSS mid hdr nQD nAN nNS nAR"
(procedure "Flags" line 13)
invoked from within
"Flags $token flags"
(procedure "dns::name" line 3)
invoked from within
"dns::name $tok"
(procedure "GetHostbyAddr" line 47)
invoked from within
"GetHostbyAddr $srcIP"
(procedure "ResolveHosts" line 23)
invoked from within
"ResolveHosts"
invoked from within
".eventPane.pane1.childsite.detailPane.pane0.childsite.detailTabs.canvas.notebook.
cs.page1.cs.ipDataFrame.dnsDataFrame.dnsActionFrame.dnsButton invoke"
("uplevel" body line 1)
invoked from within
"uplevel #0 [list $w $cmd]"
(procedure "tk::CheckRadioInvoke" line 3)
invoked from within
"tk::CheckRadioInvoke .eventPane.pane1.childsite.detailPane.pane0.childsite.detailTabs.canvas.notebook.
cs.page1.cs.ipDataFrame.dnsDataFrame.dnsActionFr..."
(command bound to event)

I noticed a similar error on the sguil-users mailing list and tried installing libudp-tcl, but I got the same error.

Wednesday, April 11, 2007

Burning CDs on Ubuntu

Sometimes this blog is just a place for me to take notes on tasks I want to repeat in the future, like burning CDs. In this case I'm running Ubuntu and using the new portable Sony DRX-S50U Multi-Format DVD Burner I bought to accompany my Thinkpad x60s on the road.

First, I created an .iso of the files I wanted on the CD-R.

richard@neely:/var/tmp$ mkisofs -J -R -o /data/shmoocon2007hack.iso shmoocon2007/
INFO: UTF-8 character encoding detected by locale settings.
Assuming UTF-8 encoded filenames on source filesystem,
use -input-charset to override.
Using shmoo000.pca;1 for /shmoocon_hack_rd2_timeadj.pcap (shmoocon_hack_rd1_timeadj.pcap)
1.68% done, estimate finish Wed Apr 11 21:23:45 2007
...truncated...

Second, I asked cdrecord to find the burner.

richard@neely:/var/tmp$ sudo cdrecord -scanbus
Cdrecord-Clone 2.01.01a03 (i686-pc-linux-gnu) Copyright (C) 1995-2005 Joerg Schilling
NOTE: this version of cdrecord is an inofficial (modified) release of cdrecord
and thus may have bugs that are not present in the original version.
Please send bug reports and support requests to .
The original author should not be bothered with problems of this version.

cdrecord: Warning: Running on Linux-2.6.17-11-generic
cdrecord: There are unsettled issues with Linux-2.5 and newer.
cdrecord: If you have unexpected problems, please try Linux-2.4 or Solaris.
Linux sg driver version: 3.5.33
Using libscg version 'debian-0.8debian2'.
cdrecord: Warning: using inofficial version of libscg (debian-0.8debian2 '@(#)scsitransp.c
1.91 04/06/17 Copyright 1988,1995,2000-2004 J. Schilling').
scsibus0:
0,0,0 0) 'ATA ' 'TOSHIBA MK6032GS' 'AS31' Disk
0,1,0 1) *
0,2,0 2) *
0,3,0 3) *
0,4,0 4) *
0,5,0 5) *
0,6,0 6) *
0,7,0 7) *
scsibus4:
4,0,0 400) 'Optiarc ' 'DVD RW AD-7540A ' '1.D0' Removable CD-ROM
4,1,0 401) *
4,2,0 402) *
4,3,0 403) *
4,4,0 404) *
4,5,0 405) *
4,6,0 406) *
4,7,0 407) *

Third, I burned them to the CD-R.

richard@neely:/var/tmp$ sudo cdrecord -v dev=4,0,0 driveropts=burnfree -eject
-data /data/shmoocon2007hack.iso
cdrecord: No write mode specified.
cdrecord: Asuming -tao mode.
cdrecord: Future versions of cdrecord may have different drive dependent defaults.
cdrecord: Continuing in 5 seconds...
Cdrecord-Clone 2.01.01a03 (i686-pc-linux-gnu) Copyright (C) 1995-2005 Joerg Schilling
NOTE: this version of cdrecord is an inofficial (modified) release of cdrecord
and thus may have bugs that are not present in the original version.
Please send bug reports and support requests to .
The original author should not be bothered with problems of this version.

cdrecord: Warning: Running on Linux-2.6.17-11-generic
cdrecord: There are unsettled issues with Linux-2.5 and newer.
cdrecord: If you have unexpected problems, please try Linux-2.4 or Solaris.
TOC Type: 1 = CD-ROM
scsidev: '4,0,0'
scsibus: 4 target: 0 lun: 0
Linux sg driver version: 3.5.33
Using libscg version 'debian-0.8debian2'.
cdrecord: Warning: using inofficial version of libscg (debian-0.8debian2 '@(#)scsitransp.c
1.91 04/06/17 Copyright 1988,1995,2000-2004 J. Schilling').
Driveropts: 'burnfree'
SCSI buffer size: 64512
atapi: 1
Device type : Removable CD-ROM
Version : 0
Response Format: 2
Capabilities :
Vendor_info : 'Optiarc '
Identifikation : 'DVD RW AD-7540A '
Revision : '1.D0'
Device seems to be: Generic mmc2 DVD-R/DVD-RW.
Current: 0x0009
Profile: 0x002B
Profile: 0x001B
Profile: 0x001A
Profile: 0x0016
Profile: 0x0015
Profile: 0x0014
Profile: 0x0013
Profile: 0x0012
Profile: 0x0011
Profile: 0x0010
Profile: 0x000A
Profile: 0x0009 (current)
Profile: 0x0008 (current)
Profile: 0x0002
cdrecord: This version of cdrecord does not include DVD-R/DVD-RW support code.
cdrecord: See /usr/share/doc/cdrecord/README.DVD.Debian for details on DVD support.
Using generic SCSI-3/mmc CD-R/CD-RW driver (mmc_cdr).
Driver flags : MMC-3 SWABAUDIO BURNFREE
Supported modes: TAO PACKET SAO SAO/R96R RAW/R96R
Drive buf size : 890880 = 870 KB
FIFO size : 4194304 = 4096 KB
Track 01: data 583 MB
Total size: 670 MB (66:23.13) = 298735 sectors
Lout start: 670 MB (66:25/10) = 298735 sectors
Current Secsize: 2048
ATIP info from disk:
Indicated writing power: 5
Is not unrestricted
Is not erasable
Disk sub type: Medium Type A, high Beta category (A+) (3)
ATIP start of lead in: -11634 (97:26/66)
ATIP start of lead out: 359846 (79:59/71)
Disk type: Short strategy type (Phthalocyanine or similar)
Manuf. index: 3
Manufacturer: CMC Magnetics Corporation
Blocks total: 359846 Blocks current: 359846 Blocks remaining: 61111
Starting to write CD/DVD at speed 24 in real TAO mode for single session.
Last chance to quit, starting real write 0 seconds. Operation starts.
Waiting for reader process to fill input buffer ... input buffer ready.
BURN-Free is ON.
Performing OPC...
Starting new track at sector: 0
Track 01: 583 of 583 MB written (fifo 100%) [buf 100%] 8.3x.
Track 01: Total bytes read/written: 611805184/611805184 (298733 sectors).
Writing time: 523.078s
Average write speed 7.8x.
Min drive buffer fill was 100%
Fixating...
Fixating time: 42.065s
BURN-Free was never needed.
cdrecord: fifo had 9637 puts and 9637 gets.
cdrecord: fifo was 0 times empty and 9555 times full, min fill was 79%.

Last, I checked the files on the CD.

richard@neely:/var/tmp$ ls -alh /media/cdrom0/
total 584M
drwxr-xr-x 2 richard richard 2.0K 2007-03-26 16:27 .
drwxr-xr-x 6 root root 1.0K 2007-04-05 15:33 ..
-rw-r--r-- 1 richard richard 149M 2007-03-26 16:19 shmoocon_hack_rd1_timeadj.pcap
-rw-r--r-- 1 richard richard 435M 2007-03-26 16:27 shmoocon_hack_rd2_timeadj.pcap

Looks good!

Thursday, March 29, 2007

VMware Server 1.0.2 on Ubuntu 6.10

Previously I documented installing VMware Workstation 6 Beta on my Thinkpad x60s. I decided to uninstall Workstation and install VMware Server 1.0.2. I should have used the vmware-uninstall.pl script, but even without using it directly I managed to remove the old Workstation installation without real trouble.

Running Server on Ubuntu 6.10 (desktop) required me to add a few packages. I found Martti Kuparinen's installation guide very helpful. I had to add the following packages to ensure a smooth Server installation.

sudo apt-get install xinetd
sudo apt-get install libX11-dev
sudo apt-get install xlibs-dev

I did not have to install linux-kernel-headers.

I was really impressed that Martti provided a patch for two scripts that did not work correctly out of the box. When I applied the patch I was able to start VMware's Web server and access it via my browser.

richard@neely:/tmp$ wget http://users.piuha.net/martti/comp/ubuntu/httpd.vmware.diff
--13:52:24-- http://users.piuha.net/martti/comp/ubuntu/httpd.vmware.diff
=> `httpd.vmware.diff'
Resolving users.piuha.net... 193.234.218.130
Connecting to users.piuha.net|193.234.218.130|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2,973 (2.9K) [text/plain]

100%[====================================>] 2,973 --.--K/s

13:52:25 (1.81 MB/s) - `httpd.vmware.diff' saved [2973/2973]

richard@neely:/tmp$ cd /
richard@neely:/$ sudo patch -b -p0 < /tmp/httpd.vmware.diff
Password:
patching file /etc/init.d/httpd.vmware
patching file /usr/lib/vmware-mui/src/lib/httpd.vmware
richard@neely:/$ sudo netstat -natup | grep vm
tcp 0 0 0.0.0.0:8333 0.0.0.0:* LISTEN 5205/httpd.vmware
tcp 0 0 0.0.0.0:8222 0.0.0.0:* LISTEN 5205/httpd.vmware

Thanks to this guide, I made this addition to /etc/xinetd.d/vmware-authd so the VMware console on port 902 TCP didn't listen on all interfaces:

bind = 127.0.0.1

To prevent the Web server from starting at boot and potentially listening on a hostile network, I removed the x bit from the script in /etc/init.d so it would not be started at boot. I can start it manually.

richard@neely:~$ sudo chmod -x /etc/init.d/httpd.vmware
richard@neely:~$ sudo sh /etc/init.d/httpd.vmware start
Starting httpd.vmware: done
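The `bind = 127.0.0.1` change and the disabled init script both serve one goal: not offering services on interfaces you do not control. The Python below is an added example, not code from the post or from VMware. It parses `netstat -natup` output and reports every TCP or UDP socket bound to a non-loopback address, so the check the post does by eye with `grep vm` can be repeated after each change and across all services, not just VMware's. The sample output is constructed for the example: the two httpd.vmware lines reproduce the post's own netstat lines, while xinetd on 127.0.0.1:902 (what the bind change is meant to produce), sshd, dhclient, dnsmasq and the firefox connection are made up to exercise the parser.

```python
import subprocess  # only used by live_exposed_listeners()

# Constructed sample in `netstat -natup` format. The two httpd.vmware lines
# are the post's own output; every other line is made up for this example.
NETSTAT_SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:8333            0.0.0.0:*               LISTEN      5205/httpd.vmware
tcp        0      0 0.0.0.0:8222            0.0.0.0:*               LISTEN      5205/httpd.vmware
tcp        0      0 127.0.0.1:902           0.0.0.0:*               LISTEN      4711/xinetd
tcp        0      0 192.168.2.8:45678       192.168.2.1:443         ESTABLISHED 5300/firefox-bin
tcp6       0      0 :::22                   :::*                    LISTEN      3210/sshd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           2999/dhclient
udp        0      0 127.0.0.1:53            0.0.0.0:*                           3001/dnsmasq
"""

LOOPBACK = {"127.0.0.1", "::1"}


def split_host_port(addr):
    """'0.0.0.0:8333' -> ('0.0.0.0', '8333'); ':::22' -> ('::', '22')."""
    host, _, port = addr.rpartition(":")
    return host, port


def parse_netstat(text):
    """Turn `netstat -natup` rows into dicts; header and blank lines are skipped."""
    sockets = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith(("tcp", "udp")):
            continue
        proto, local, foreign = fields[0], fields[3], fields[4]
        if proto.startswith("tcp"):
            # TCP rows carry a State column before PID/Program; UDP rows do not
            state = fields[5]
            owner = fields[6] if len(fields) > 6 else "-"
        else:
            state = ""
            owner = fields[5]
        host, port = split_host_port(local)
        sockets.append({"proto": proto, "host": host, "port": port,
                        "foreign": foreign, "state": state, "owner": owner})
    return sockets


def is_listener(sock):
    """A TCP socket in LISTEN, or a UDP socket with no fixed peer, accepts traffic."""
    if sock["proto"].startswith("tcp"):
        return sock["state"] == "LISTEN"
    return sock["foreign"].endswith(":*")


def exposed_listeners(text):
    """Listeners bound to anything other than a loopback address, sorted by port."""
    found = [s for s in parse_netstat(text)
             if is_listener(s) and s["host"] not in LOOPBACK]
    return sorted(found, key=lambda s: (int(s["port"]), s["proto"]))


def live_exposed_listeners():
    """Same check against the running host (the PID/Program column needs root)."""
    out = subprocess.run(["netstat", "-natup"], capture_output=True, text=True, check=True).stdout
    return exposed_listeners(out)


if __name__ == "__main__":
    for s in exposed_listeners(NETSTAT_SAMPLE):
        print("%-5s %s:%s  %s" % (s["proto"], s["host"], s["port"], s["owner"]))
```

Wildcard binds (0.0.0.0 and ::) are reported alongside binds to a specific interface address, because either one is reachable from the network; a result that shows only sshd and dhclient is the state the post is working toward.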

While installing the packages I noticed the suggestion to run apt-get autoremove, so I did so once everything was installed.

richard@neely:~$ sudo apt-get autoremove
Password:
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
libnl1-pre6 network-manager libnm-util0 dhcdbd
The following packages will be REMOVED:
dhcdbd libnl1-pre6 libnm-util0 network-manager
0 upgraded, 0 newly installed, 4 to remove and 0 not upgraded.
Need to get 0B of archives.
After unpacking 1217kB disk space will be freed.
Do you want to continue [Y/n]? y
(Reading database ... 115360 files and directories currently installed.)
Removing network-manager ...
* Stopping NetworkManager daemon [ ok ]
* Stopping NetworkManager dispatcher [ ok ]
Removing dhcdbd ...
Removing libnl1-pre6 ...
Removing libnm-util0 ...

I have VMware Server running well on Ubuntu now.

Friday, March 23, 2007

Wireless Ubuntu on Thinkpad x60s

I'm used to doing everything manually when running wireless FreeBSD on older laptops. Running Ubuntu has shielded me from some of the command-line configuration I used to perform on FreeBSD. Linux uses different commands for certain tasks. My new laptop also has a different chipset from my old laptop, so I wanted to see if I could get Kismet working on it.

If I want to find wireless networks via the command line, I use this command.

richard@neely:~$ sudo iwlist eth1 scan
eth1 Scan completed :
Cell 01 - Address: 00:13:10:65:2F:AD
ESSID:"shaolin"
Protocol:IEEE 802.11bg
Mode:Master
Channel:1
Encryption key:on
Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 6 Mb/s; 9 Mb/s
11 Mb/s; 12 Mb/s; 18 Mb/s; 24 Mb/s; 36 Mb/s
48 Mb/s; 54 Mb/s
Quality=76/100 Signal level=-58 dBm Noise level=-58 dBm
Extra: Last beacon: 68ms ago
...truncated...

If I want to associate with that WAP using WEP I use this command.

richard@neely:~$ sudo iwconfig eth1 essid shaolin channel 1 key KEYDIGITS

I am associated now.

richard@neely:~$ iwconfig eth1
eth1 IEEE 802.11g ESSID:"shaolin"
Mode:Managed Frequency:2.412 GHz Access Point: 00:13:10:65:2F:AD
Bit Rate:54 Mb/s Tx-Power:15 dBm
Retry limit:15 RTS thr:off Fragment thr:off
Power Management:off
Link Quality=76/100 Signal level=-58 dBm Noise level=-59 dBm
Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0
Tx excessive retries:0 Invalid misc:2909 Missed beacon:0

I can grab an IP via DHCP.

richard@neely:~$ sudo dhclient eth1
Internet Systems Consortium DHCP Client V3.0.4
Copyright 2004-2006 Internet Systems Consortium.
All rights reserved.
For info, please visit http://www.isc.org/sw/dhcp/

Listening on LPF/eth1/00:13:02:4c:30:2d
Sending on LPF/eth1/00:13:02:4c:30:2d
Sending on Socket/fallback
DHCPDISCOVER on eth1 to 255.255.255.255 port 67 interval 8
DHCPOFFER from 192.168.2.1
DHCPREQUEST on eth1 to 255.255.255.255 port 67
DHCPACK from 192.168.2.1
bound to 192.168.2.103 -- renewal in 42728 seconds.

Here is ifconfig output.

richard@neely:~$ ifconfig eth1
eth1 Link encap:Ethernet HWaddr 00:13:02:4C:30:2D
inet addr:192.168.2.103 Bcast:192.168.2.255 Mask:255.255.255.0
inet6 addr: fe80::213:2ff:fe4c:302d/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:4984 errors:19 dropped:2928 overruns:0 frame:0
TX packets:239 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:5491350 (5.2 MiB) TX bytes:188020 (183.6 KiB)
Interrupt:74 Base address:0xc000 Memory:edf00000-edf00fff

I can check my gateway.

richard@neely:~$ netstat -nr -4
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
172.16.250.0 0.0.0.0 255.255.255.0 U 0 0 0 vmnet8
172.16.207.0 0.0.0.0 255.255.255.0 U 0 0 0 vmnet1
0.0.0.0 192.168.2.1 0.0.0.0 UG 0 0 0 eth1

I can change my IP from DHCP to static.

richard@neely:~$ sudo killall dhclient
richard@neely:~$ sudo ifconfig eth1 inet 192.168.2.8 netmask 255.255.255.0 up
richard@neely:~$ ifconfig eth1
eth1 Link encap:Ethernet HWaddr 00:13:02:4C:30:2D
inet addr:192.168.2.8 Bcast:192.168.2.255 Mask:255.255.255.0
inet6 addr: fe80::213:2ff:fe4c:302d/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:5625 errors:20 dropped:2929 overruns:0 frame:0
TX packets:245 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:5492954 (5.2 MiB) TX bytes:192494 (187.9 KiB)
Interrupt:74 Base address:0xc000 Memory:edf00000-edf00fff
richard@neely:~$ sudo route add default gw 192.168.2.1
richard@neely:~$ netstat -nr -4
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
172.16.250.0 0.0.0.0 255.255.255.0 U 0 0 0 vmnet8
172.16.207.0 0.0.0.0 255.255.255.0 U 0 0 0 vmnet1
0.0.0.0 192.168.2.1 0.0.0.0 UG 0 0 0 eth1

Here are the changes I made to enable Kismet after checking my wireless card.

richard@neely:~$ sudo lshw -businfo | grep eth1
pci@03:00.0 eth1 network PRO/Wireless 3945ABG Network Connection

richard@neely:~$ diff -u /etc/kismet/kismet.conf.orig /etc/kismet/kismet.conf
--- /etc/kismet/kismet.conf.orig 2007-03-23 09:53:28.000000000 -0400
+++ /etc/kismet/kismet.conf 2007-03-23 09:56:00.000000000 -0400
@@ -7,10 +7,10 @@
version=2005.06.R1

# Name of server (Purely for organizational purposes)
-servername=Kismet
+servername=neely

# User to setid to (should be your normal user)
-#suiduser=your_user_here
+suiduser=richard

# Sources are defined as:
# source=sourcetype,interface,name[,initialchannel]
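
Review bot: of the two changes in this hunk only `+suiduser=richard` has a security effect, and it deserves a note explaining that it was deliberately uncommented from the `#suiduser=your_user_here` placeholder: per the config's own comment it is the user Kismet switches to after start-up, which is what keeps the long-running capture process from staying fully privileged. `+servername=neely` is cosmetic and can be described as such.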
@@ -19,7 +19,7 @@
# The initial channel is optional, if hopping is not enabled it can be used
# to set the channel the interface listens on.
# YOU MUST CHANGE THIS TO BE THE SOURCE YOU WANT TO USE
-source=none,none,addme
+source=ipw3945,eth1,addme
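
Review bot: `+source=ipw3945,eth1,addme` keeps the placeholder name `addme` from the template line it replaces. The third field is the source's display name (see the `source=sourcetype,interface,name[,initialchannel]` comment in the previous hunk), so give it something descriptive such as `ipw3945-eth1`; it costs nothing and avoids a meaningless label once a second source is added.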

Kismet works fine. While it is running, eth1 is in monitor mode.

richard@neely:~$ iwconfig eth1
eth1 unassociated ESSID:"shaolin"
Mode:Monitor Frequency=2.412 GHz Access Point: 00:13:10:65:2F:AD
Bit Rate:0 kb/s Tx-Power:16 dBm
Retry limit:15 RTS thr:off Fragment thr:off
Power Management:off
Link Quality:0 Signal level:0 Noise level:0
Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0

When Kismet exits I'm able to cleanly use my original connection.

Wednesday, March 21, 2007

Wine on Ubuntu

I'm finding more reasons to like running Ubuntu on the desktop. Two of my favorite Windows applications are MWSnap (a simple screen capture tool) and Irfanview (a simple image viewer and editor). (Gimp fans, please spare me your comments. I can't stand that program. It's a bulldozer when all I need is a garden shovel.)

I poked around looking for native Linux programs that might suit my needs, but then I thought "What about using Wine to run the Windows binaries on Linux?" I'd never used Wine before, but it was only an 'apt-get install wine' away from appearing on my Ubuntu laptop.

I first tried Irfanview, but I ran into the same issues as described here. After creating /home/richard/wine and putting mfc42.dll there with installation binaries for Irfanview and MWSnap, I was able to run Wine in that directory and install both programs.

Wine ended up creating the following directory structure.

richard@neely:~/.wine/drive_c/Program Files$ ls -al
total 5
drwxr-xr-x 5 richard richard 1024 2007-03-21 11:46 .
drwxr-xr-x 4 richard richard 1024 2007-03-21 11:42 ..
drwxr-xr-x 2 richard richard 1024 2007-03-21 11:42 Common Files
drwxr-xr-x 5 richard richard 1024 2007-03-21 11:43 IrfanView
drwxr-xr-x 3 richard richard 1024 2007-03-21 11:46 MWSnap

Running each program requires something like this:

richard@neely:~$ wine .wine/drive_c/Program\ Files/IrfanView/i_view32.exe
richard@neely:~$ wine .wine/drive_c/Program\ Files/MWSnap/MWSnap.exe

Overall I am really pleased to see this working so well.