Monday, May 26, 2008

Training: Practical Network Flow Analysis

This time, spoonfork and I will bring you our new and upcoming training, which is -

Understanding Network Conversations:
Practical Network Flow Analysis


Here's the description of our training -

Network flow data represents a summary of the conversation between two endpoints. It provides valuable information to assist the investigation and analysis of network and security issues. Unlike deep packet inspection, flow data does not rely on packet payloads. Instead the analyst relies on information gathered from packet headers and their associated metrics. This gives the analyst a neutral view of network traffic by tracking network sessions between multiple endpoints simultaneously. In addition, having network flow data provides better visibility of network events without the need to perform payload analysis.

With the implementation and deployment of network flow technologies, an analyst can discover different types and classes of network activity, whether normal or abnormal. In this training we will show you how to interpret network flow data and perform practical network flow analysis.

While high-level theory explanations are extremely useful, hands-on exercises are even better. Each chapter is accompanied by practical hands-on exercises such as exporting network flow data from Unix- and Cisco-based routers, performing simple operations such as IP accounting and network baselining, and identifying different kinds of network anomalies and attacks.

Who should attend?

Network Security Analyst
Network Administrator
ISP Network Architect
System Administrator

Bonus

+ First 10 registrants get a free seat for the HITB Conference Kuala Lumpur in October 2008

+ Human Resources Development Fund (HRDF) claimable

For more information, check it out at -

http://training.hitb.org/flowanalysis/

Cheers (;])

Friday, May 23, 2008

HeX: Handbook

While we are in active development of HeX 2.0, we are starting a side project mainly for documentation purposes. We call it the HeX Handbook; the link is here -

https://trac.security.org.my/hex/wiki/HeXHandbook

Currently there's nothing there yet, but I will import all the contents from my incomplete Network Security Analyst Handbook, and I'm now trying to design the standard template so that whoever wants to contribute can follow it.

If you are using HeX and you know a different way of doing analysis using the tools in HeX, we would like to hear from you. By the way, if you are good at language translation, please let me know.

Thanks to scholar, who always gives me very fruitful input!

Cheers (;])

Como: Installation on Ubuntu

I found this by chance while searching for a tool that can convert pcap format to NetFlow v5 format. Its name is Como, a project developed by Intel people. If you want to know more about Como, check out their publications here -

http://como.sourceforge.net/publications.php

Here's the quick way to get it installed on Ubuntu -

shell>sudo apt-get install cmake

shell>wget \
http://como.sourceforge.net/download/como-1.5.tar.gz

shell>tar xvzf como-1.5.tar.gz

shell>mkdir build-como

shell>cd build-como/

shell>cmake -DCMAKE_INSTALL_PREFIX=/usr/local/stow/como-1.5 ../como-1.5

shell>make

shell>sudo make install

Once you have it installed, you can run it via the command line interface, but make sure you have configured its paths and modules. The configuration file is como.conf, which can be found under the directory /usr/local/stow/como-1.5/etc/como; you can also enable modules at run time. Here are the available modules -

shell>ls -la /usr/local/stow/como-1.5/libexec/como-1.0/
total 596
drwxr-xr-x 2 root root 4096 2008-05-23 10:34 .
drwxr-xr-x 3 root root 4096 2008-05-23 10:34 ..
-rw-r--r-- 1 root root 21281 2008-05-23 10:34 apps.so
-rw-r--r-- 1 root root 18778 2008-05-23 10:34 assoc.so
-rw-r--r-- 1 root root 23131 2008-05-23 10:34 autofocus.so
-rw-r--r-- 1 root root 15151 2008-05-23 10:34 dhcp.so
-rw-r--r-- 1 root root 21425 2008-05-23 10:34 ethtypes.so
-rw-r--r-- 1 root root 25640 2008-05-23 10:34 ewma.so
-rw-r--r-- 1 root root 16434 2008-05-23 10:34 flowcount.so
-rw-r--r-- 1 root root 27356 2008-05-23 10:34 flow-reassembly.so
-rw-r--r-- 1 root root 16169 2008-05-23 10:34 frames.so
-rw-r--r-- 1 root root 20629 2008-05-23 10:34 hwtm.so
-rw-r--r-- 1 root root 14416 2008-05-23 10:34 ipssi.so
-rw-r--r-- 1 root root 14736 2008-05-23 10:34 macssi.so
-rw-r--r-- 1 root root 13290 2008-05-23 10:34 nfexlist.so
-rw-r--r-- 1 root root 16080 2008-05-23 10:34 pattern-search.so
-rw-r--r-- 1 root root 20117 2008-05-23 10:34 protocol.so
-rw-r--r-- 1 root root 27098 2008-05-23 10:34 scanner-detector.so
-rw-r--r-- 1 root root 17405 2008-05-23 10:34 ssid.so
-rw-r--r-- 1 root root 21645 2008-05-23 10:34 superaddr.so
-rw-r--r-- 1 root root 25659 2008-05-23 10:34 topaddr.so
-rw-r--r-- 1 root root 25433 2008-05-23 10:34 tophwaddr.so
-rw-r--r-- 1 root root 21516 2008-05-23 10:34 topports.so
-rw-r--r-- 1 root root 15122 2008-05-23 10:34 trace.so
-rw-r--r-- 1 root root 19080 2008-05-23 10:34 traffic.so
-rw-r--r-- 1 root root 27192 2008-05-23 10:34 tuple.so
-rw-r--r-- 1 root root 20970 2008-05-23 10:34 unknown-ports.so
-rw-r--r-- 1 root root 39547 2008-05-23 10:34 worm-signature.so

To enable any module at run time, you can just execute -

shell>/usr/local/stow/como-1.5/bin/como topports

It also provides HTTP access to the data, but I keep getting the error below while connecting to http://localhost:44444 -

Module "" not found in the current configuration

I believe I have the modules configured properly but I can't get rid of the error. Anyway, that's all for Como; I will write more about it after some testing.
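The training description above says flow data is a summary of a conversation built from headers only, and this post went looking for a pcap-to-NetFlow v5 converter. The Python below, added here as an example and not part of Como or of the original post, shows both ends of that in one place: it reads a libpcap file, never looks past the transport header, aggregates packets into unidirectional 5-tuple flows with packet/byte counts, first/last times and OR'ed TCP flags, and packs the result as a NetFlow v5 datagram that a collector could decode. The capture, addresses, ports and MAC addresses are all constructed for the example.

```python
# Added example (not Como's code): pcap -> 5-tuple flows -> NetFlow v5 datagram; stdlib only, constructed capture.
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
NF5_HEADER = "!HHIIIIBBH"                # 24-byte v5 header
NF5_RECORD = "!4s4s4sHHIIIIHHBBBBHHBBH"  # 48-byte v5 flow record

def _ipv4_frame(src, dst, proto, l4_header, payload):
    """Ethernet II + IPv4 header; checksums stay zero because we only parse, never send."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4_header) + len(payload), 0, 0x4000,
                     64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return bytes.fromhex("001122334455" "66778899aabb" "0800") + ip + l4_header + payload

def udp_frame(src, sport, dst, dport, payload):
    return _ipv4_frame(src, dst, 17, struct.pack("!HHHH", sport, dport, 8 + len(payload), 0), payload)

def tcp_frame(src, sport, dst, dport, flags, payload):
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 65535, 0, 0)
    return _ipv4_frame(src, dst, 6, tcp, payload)

def build_pcap(records):
    """(timestamp, frame) pairs -> libpcap file bytes (little-endian, microsecond stamps)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, frame in records:
        sec = int(ts)
        out += struct.pack("<IIII", sec, int(round((ts - sec) * 1e6)), len(frame), len(frame)) + frame
    return out

def iter_pcap(data):
    """Yield (timestamp, frame) from libpcap bytes, honouring the byte order the magic implies."""
    endian = {PCAP_MAGIC: "<", 0xD4C3B2A1: ">"}.get(struct.unpack_from("<I", data, 0)[0])
    if endian is None or struct.unpack_from(endian + "I", data, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("not a libpcap file with Ethernet frames")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack_from(endian + "IIII", data, off)
        yield sec + usec / 1e6, data[off + 16:off + 16 + incl]
        off += 16 + incl

def parse_frame(frame):
    """Header-only view (src, dst, sport, dport, proto, ip_len, tcp_flags); None unless IPv4 TCP/UDP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    l4, proto = 14 + (frame[14] & 0x0F) * 4, frame[23]
    if proto not in (6, 17) or len(frame) < l4 + 4:
        return None
    sport, dport = struct.unpack_from("!HH", frame, l4)
    flags = frame[l4 + 13] if proto == 6 and len(frame) > l4 + 13 else 0
    return (socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34]), sport, dport, proto,
            struct.unpack_from("!H", frame, 16)[0], flags)

def aggregate_flows(pcap_bytes):
    """Unidirectional flows keyed by (src, dst, sport, dport, proto); payloads are never inspected."""
    flows = {}
    for ts, frame in iter_pcap(pcap_bytes):
        parsed = parse_frame(frame)
        if parsed:
            src, dst, sport, dport, proto, ip_len, flags = parsed
            f = flows.setdefault((src, dst, sport, dport, proto),
                                 {"packets": 0, "bytes": 0, "first": ts, "last": ts, "tcp_flags": 0})
            f["packets"] += 1
            f["bytes"] += ip_len
            f["first"], f["last"] = min(f["first"], ts), max(f["last"], ts)
            f["tcp_flags"] |= flags
    return flows

def netflow_v5_datagram(flows, base_ts, sequence=0):
    """Pack up to 30 flows (the v5 limit) into one datagram; First/Last are ms since base_ts."""
    keys = list(flows)[:30]
    ms = lambda t: int(round((t - base_ts) * 1000))
    now = max([flows[k]["last"] for k in keys] + [base_ts])
    out = struct.pack(NF5_HEADER, 5, len(keys), ms(now), int(now), int((now % 1) * 1e9), sequence, 0, 0, 0)
    for src, dst, sport, dport, proto in keys:
        f = flows[(src, dst, sport, dport, proto)]
        out += struct.pack(NF5_RECORD, socket.inet_aton(src), socket.inet_aton(dst), b"\0" * 4, 0, 0,
                           f["packets"], f["bytes"], ms(f["first"]), ms(f["last"]),
                           sport, dport, 0, f["tcp_flags"], proto, 0, 0, 0, 0, 0, 0)
    return out

def parse_netflow_v5(datagram):
    """Decode an export datagram into dicts, i.e. what a collector would see."""
    version, count = struct.unpack_from("!HH", datagram, 0)
    if version != 5 or len(datagram) != 24 + 48 * count:
        raise ValueError("malformed NetFlow v5 datagram")
    recs = [struct.unpack_from(NF5_RECORD, datagram, 24 + 48 * i) for i in range(count)]
    return [{"src": socket.inet_ntoa(r[0]), "dst": socket.inet_ntoa(r[1]), "packets": r[5], "bytes": r[6],
             "sport": r[9], "dport": r[10], "tcp_flags": r[12], "proto": r[13]} for r in recs]

SAMPLE_PCAP = build_pcap([  # constructed: one DNS exchange plus the start of one HTTP connection
    (1000.000, udp_frame("192.168.1.10", 40000, "192.168.1.1", 53, b"q" * 30)),
    (1000.010, udp_frame("192.168.1.1", 53, "192.168.1.10", 40000, b"r" * 60)),
    (1000.100, tcp_frame("192.168.1.10", 51000, "10.0.0.5", 80, 0x02, b"")),   # SYN
    (1000.150, tcp_frame("10.0.0.5", 80, "192.168.1.10", 51000, 0x12, b"")),   # SYN/ACK
    (1000.200, tcp_frame("192.168.1.10", 51000, "10.0.0.5", 80, 0x10, b"")),   # ACK
    (1000.300, tcp_frame("192.168.1.10", 51000, "10.0.0.5", 80, 0x18, b"GET / HTTP/1.0\r\n\r\n")),
])

if __name__ == "__main__":
    for key, f in aggregate_flows(SAMPLE_PCAP).items():
        print(key, f)
```

Two points worth noticing when reading the output: the HTTP request and its reply land in two separate unidirectional records (that is how v5 works, and a client such as argus stitches them back into a conversation), and the OR'ed TCP flags field is what lets an analyst tell a completed handshake from a flood of lone SYNs without ever having seen a payload byte.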

Peace ;]

Tuesday, May 20, 2008

Argus 3 Release

This is nothing new: argus 3 is finally released after a long testing period. Thanks to everyone who was involved in the argus 3 development and testing cycle, especially Carter. You can download it at -

- http://qosient.com/argus/downloads.htm

If you are using FreeBSD, the good news is that the argus 3 port is available now, and you can check out the information about it here -

- http://www.freshports.org/net-mgmt/argus3/
- http://www.freshports.org/net-mgmt/argus3-clients/

I will try out the argus 3 ports on FreeBSD and see how it goes. Have fun!

Enjoy ;]

HeX: Hardware Compatibility List

We started this list a while ago; if you have tried out HeX and the basic parts work properly, please update the list or at least email me about it.

https://trac.security.org.my/hex/wiki/Hardwares

So what are the basic things that must work in order to be included in the list? Here you go -

- boot properly
- display properly
- ethernet adapter is supported

Please help out to improve the list, thanks!

Cheers ;]

Sunday, May 11, 2008

SecurityDistro: Interview

Thanks to Dakrone, who submitted HeX to SecurityDistro without my knowing. Interestingly, Josh from SecurityDistro then sent me the interview questions via email, and here's the interview result -

http://securitydistro.com/articles/407/Interview-with-CS-Lee-creator-of-HeX.php

Thanks to Josh for his kindness and the free promotion from SecurityDistro.

I would like to thank all the team members for the progressive HeX development; it feels great to have you guys working together with me.

Cheers ;]

Network Flow Analysis: The Tools

I need to keep track of all the network flow analysis tools and study their offerings. This link contains many tools which may be useful for that purpose -

http://www.switch.ch/network/projects/completed/TF-NGN/floma/software.html

Enjoy ;]

Blog: Quick Update

I haven't been updating my blog lately, so here's a quick update.

- I'm not in the mood for blogging, but for learning.

- I'm preparing myself for many things now, which I can't tell yet.

- I'm learning network protocols that I'm not familiar with.

- I'm learning the advanced usage of Wireshark, and I'm glad the presentation slides of Sharkfest are available online here.

- I will spend 2 months of my free time on non-tech stuff soon, which means I will still be online but more for casual browsing, email checking and light reading. I need to be more focused!

- I will still blog even though the mood is not with me.

Cheers ;]

Thursday, May 01, 2008

CERT: Vulnerability Analysis Blog

CERT has launched its Vulnerability Analysis Blog which you can find at -

http://www.cert.org/blogs/vuls/

Another useful resource for security professionals.

Cheers ;]

Wednesday, April 30, 2008

Dnstop: Statistical Tool for DNS Traffic

I learned about dnstop when reading Roland's presentation slides, thanks to his comment on my blog.

You can find his presentation at -

http://homepage.mac.com/roland.dobbins/FileSharing5


The presentation title is Listening to the Network: Utilizing Telemetry to Detect and Classify Network Traffic. I enjoyed reading it, as I learned a new trick or two from his presentation. One of the tools he mentioned in the presentation is dnstop, and since it is available in either the Ubuntu package repository or the FreeBSD ports, I decided to try it out.

Just like the top command on Unix-based systems, it can run as a real-time monitor for your DNS traffic by listening to a network device, or it can do post-processing by reading a pcap file. The command options for dnstop are pretty straightforward and you can find them in man dnstop. It also provides a set of run-time options to show different results from the statistical analysis output. To perform real-time monitoring of DNS traffic, you can listen to the device -

shell>sudo dnstop -4 lnc0

It looks pretty straightforward; you can also read a pcap file by specifying it -

shell>dnstop -4 -b ip -l 9 testing.pcap
Queries: 1005 new, 34812 total                    Wed Apr 30 18:10:46 2008

Sources            Count      %
-------------- --------- ------
192.168.42.149      3644   10.5
192.168.42.56       1965    5.6
192.168.42.33       1791    5.1
192.168.42.78       1790    5.1
192.168.42.163      1530    4.4
.....

I truncated the output here. Then, if you press 1, it will show the first level query names -

Queries: 44 new, 34856 total                      Wed Apr 30 18:11:55 2008

Query Name       Count      %
------------ --------- ------
com              13200   37.9
in-addr.arpa      8843   25.4
my                5950   17.1
org               3145    9.0
net               2630    7.5
biz                223    0.6
de                  92    0.3
.....

If you press 3, it shows the third level query names -

Queries: 0 new, 34856 total                       Wed Apr 30 18:13:10 2008

Query Name                        Count      %
----------------------------- --------- ------
waumail.com                        2805    8.0
208.218.in-addr.arpa               1883    5.4
excitedd.com.my                    1388    4.0
sharishit.com.my                   1112    3.2
sbl-xbl.spamhaus.org                938    2.7
.....

If you press !, it will show the sources that are performing the first level queries -

Queries: 0 new, 34856 total                       Wed Apr 30 18:15:14 2008

Source         Query Name       Count      %
-------------- ------------ --------- ------
192.168.42.149 in-addr.arpa      3007    8.6
192.168.42.78  in-addr.arpa      1009    2.9
192.168.42.56  in-addr.arpa       845    2.4
192.168.60.253 com                833    2.4
192.168.125.201 my                697    2.0
.....

There are many other options which you can figure out yourself, and this is a really great tool for DNS traffic analysis. For more information, see its home page -
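To make the "level N" tables above concrete, here is a small Python version of the same statistics, written for this post as an illustration and not taken from dnstop. It models dnstop's level-N view simply as "keep the last N labels of the query name" (level 1 gives the TLD, level 2 the registered domain), counts queries by source, by level-N name and by (source, name) pair, and renders them in the same fixed-width layout. The query records are constructed; none of the names or addresses come from a real capture.

```python
# Added example (not dnstop's code): dnstop-style tables over constructed (source, qname) records.
from collections import Counter

SAMPLE_QUERIES = [  # constructed, not from a real capture
    ("192.168.42.149", "149.42.168.192.in-addr.arpa"),
    ("192.168.42.149", "56.42.168.192.in-addr.arpa"),
    ("192.168.42.149", "mail.example.com"),
    ("192.168.42.56", "www.example.com"),
    ("192.168.42.56", "1.0.0.10.sbl-xbl.spamhaus.org"),   # DNSBL lookup pattern
    ("192.168.60.253", "www.example.org"),
    ("192.168.60.253", "example.com"),
    ("192.168.125.201", "www.example.com.my"),
]

def level_name(qname, level):
    """Keep only the trailing `level` labels: level 1 -> TLD, level 2 -> registered domain, ..."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-level:])

def table(keys):
    """Count the keys and return [(key, count, percent)] sorted by count, highest first."""
    counts = Counter(keys)
    total = sum(counts.values())
    return [(k, n, round(100.0 * n / total, 1)) for k, n in counts.most_common()]

def sources(queries):
    return table(src for src, _ in queries)

def query_names(queries, level):
    return table(level_name(q, level) for _, q in queries)

def sources_by_name(queries, level):
    """Which client asks for which level-N name; the view dnstop shows on '!'."""
    return table((src, level_name(q, level)) for src, q in queries)

def render(title, rows, key_width=30):
    """Fixed-width text table in the style of dnstop's screen."""
    lines = [f"{title:<{key_width}} {'Count':>9} {'%':>6}",
             f"{'-' * key_width} {'-' * 9} {'-' * 6}"]
    for key, n, pct in rows:
        label = "  ".join(key) if isinstance(key, tuple) else key
        lines.append(f"{label:<{key_width}} {n:>9} {pct:>6.1f}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(render("Sources", sources(SAMPLE_QUERIES)))
    print(render("Query Name (level 1)", query_names(SAMPLE_QUERIES, 1)))
    print(render("Query Name (level 2)", query_names(SAMPLE_QUERIES, 2)))
    print(render("Source  Query Name", sources_by_name(SAMPLE_QUERIES, 1), key_width=40))
```

The (source, name) view is the one that pays off for an analyst: a single host accounting for most of the in-addr.arpa or DNSBL lookups usually turns out to be a mail or log server doing reverse lookups, which is normal, whereas a workstation doing the same is worth a closer look.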

http://dns.measurement-factory.com/tools/dnstop/


Btw, I like the use of the word 'telemetry' here. Enjoy some DNS voodoo .....

Cheers (;])

Thinking: Enumerating Goodness & Security Through Obscurity

I read about this and this.

Enumerating Goodness has its own weakness though: mimicry attacks that look legit will create false negatives and be categorized as goodness.

Security through obscurity is not a great idea, and to certain people it sounds dumb: if the application/software that you are trying to protect is vulnerable, it will eventually be exploited. However, it does assist the defensive side, because it helps protect against automated tools and also requires the offensive side to perform more steps to achieve what they are trying to do, and this leaves more footprints to be examined and traced by the defensive side. It can be considered an early warning of its kind if you know how to make use of it.

This is just my personal thought; feel free to discuss the topic. There's no perfect model or principle.

Monday, April 28, 2008

Export Cisco NetFlow in Single Screenshot

I've been digging into network flow analysis for a while. The single screenshot below shows how to export Cisco NetFlow version 5 to the flow monitor at 172.16.1.55, simple and straightforward. The router model is Cisco 7200 series.
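The screenshot itself is not on this page, so here is the classic IOS configuration for the same task, written as an added example and not copied from the post's screenshot. The collector address 172.16.1.55 and version 5 come from the post; the collector port 9996, Loopback0 as the export source and the FastEthernet0/0 and 0/1 interface names are assumptions.

```text
! Added example, not the post's screenshot: classic NetFlow v5 export on Cisco IOS.
! Assumptions: collector port 9996, Loopback0 as export source, FastEthernet0/0
! and 0/1 as the interfaces carrying the traffic of interest.
ip flow-export version 5
ip flow-export destination 172.16.1.55 9996
ip flow-export source Loopback0
!
interface FastEthernet0/0
 ip route-cache flow
!
interface FastEthernet0/1
 ip route-cache flow
!
! Verify on the router:
!   show ip cache flow      (flows currently in the cache)
!   show ip flow export     (destination, version, datagrams sent, errors)
```

`ip route-cache flow` accounts only for packets entering an interface, so enable it on every interface whose traffic should be visible (or on both sides of a link to see both directions of a conversation). The export itself is plain UDP with no authentication or encryption, so the collector should be reached over a management path and should accept datagrams only from the expected exporter source addresses.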


Note to myself.

Cheers ;]