Saturday, September 30, 2006

PgOSS Meetup - Continued

Thanks to surface for recording the talk in mp3 format so that we can share the PgOSS presentation with others. Here's the second presentation, done by Vicky -

For anyone who stays around Pulau Penang and would like to join us in the next meetup, you can find the information @t

By the way, I'm looking for anyone who would like to share their OSS experience and skills at the meetup. Please email me, I would like to hear from you. My email is the same as always, geek00L[at]

Enjoy :]

PgOSS Meetup

This is the first official meetup of the Penang Open Source Software Meetup; you can find the initial meetup announcement @t

The meetup is over. I know many of you were looking for me at the meetup since I'm one of the organizers, but I was not able to attend due to a personal issue. Fortunately aizat and surface were willing to help; aizat came down from Kuala Lumpur to Penang and I'm glad he made his way here :)

Anyway, thanks to everyone who came to the meetup, especially Dr. Dhanesh who helped organize it.

I hope we can organize the meetup again next month, and I'm looking forward to seeing everyone there if possible. For more information regarding the meetup, I think aizat and surface will blog the wrap-up.

This is not a hardcore OSS meetup, and the PgOSS guys have captured the scene to share; you can download it via

Have fun with OSS!!!!!

Cheers :]

P/S: For whoever thought I was coming, I was cheating with good intentions :P

Thursday, September 28, 2006

Snort and ModSec2Sguil

I know I haven't been posting on my blog for quite some time; there are lots of things on my mind that I have to get done. For snort lovers, snort 2.6.1 beta2 has been out for quite some time and I just noticed it. Lots of decoders were added to solve detection issues. I hope I can spare the time to test those preprocessors, but not right now; maybe next month or when snort 2.6.1 is released.

For Sguil lovers, check out -

Mod_Security logs can now be managed and analyzed through Sguil, thanks to Victorj who has written ModSec2Sguil. I hope it will be added as an extra feature of Sguil. This is good news for serious and heavy users of Mod_Security: you now have a central place to perform analysis on Mod_Security logs.

I will try my best to write more about NSM stuff when I have time; currently I'm still testing OpenBSD PF layer 2 filtering and hopefully I can blog about it when I have time.

Cheers :]

Saturday, September 23, 2006

HITB Conference 2006

Finally everything is over. I'm glad the training class went fine, the first time mel and I have conducted it together.

As for the Capture The Flag hacking competition: while it was not perfect, we all learnt something from the setup and improvements can be made in future. Thanks to all the CTF crew, the speakers who submitted the daemons, and the volunteers who did the cabling job.

I didn't have much time to get into any speaker's talk except Philippe Biondi's, since I use Scapy a lot, and his talk was really interesting, including the tricks and tips on toying with IPv6.

Finally, thanks to all the HITB members for making this conference successful.

Again, I'm glad to work with you guys - mel, takizo, rd, xwings, ditesh, adli, y0muds and some other cool guys. You all just r0x0r5!!!!!

Special thanks to mel for his clothes, and to takizo who offered me his place to stay while I was homeless..... and for his kindness in donating so much $$$$$ to NCC.

Cheers :]

Saturday, September 16, 2006

Short Note

On FreeBSD the per-user GTK 2 settings live in ~/.gtkrc-2.0 (per-user themes go under ~/.themes), while the global themes are in /usr/X11R6/share/themes. Change the theme as you wish, or download themes from wherever you like - gnome-look, kde-look, and so forth.

By the way, for users who are not using gnome or kde, if you want to change your gtk settings, try

Nice little tool indeed.

Anyway I will be heading to Kuala Lumpur for the HackInTheBox Conference; the geek party will be launched soon!!!!!

Enjoy :]

Monday, September 11, 2006

TCPstat: Detecting SYN DOS?

shell>tcpstat -i fxp0 -o "PPS\=%p\ TCP\=%T\n"
PPS=1505.20 TCP=6850
PPS=1642.80 TCP=7540
PPS=1492.60 TCP=7020
PPS=1565.20 TCP=7384
PPS=1500.00 TCP=6958
PPS=1649.80 TCP=7724
PPS=1622.80 TCP=7505
PPS=1653.20 TCP=7658
PPS=1791.40 TCP=8443

shell>tcpstat -i fxp0 -o "PPS\=%p\ TCP-SYN\=%T\n" -f "tcp[13]=2"
PPS=42.40 TCP-SYN=212
PPS=44.00 TCP-SYN=220
PPS=40.40 TCP-SYN=202
PPS=38.20 TCP-SYN=191
PPS=42.00 TCP-SYN=210
PPS=38.60 TCP-SYN=193
PPS=49.60 TCP-SYN=248
PPS=38.80 TCP-SYN=194
PPS=34.80 TCP-SYN=174

I'm running them in parallel; with the ratio of SYN packets to all TCP packets you can easily spot a SYN DoS. Just a mindless idea here :P
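The ratio idea above, turned into detection logic, as an added example that is not part of the original post. It parses the KEY=VAL lines that tcpstat's -o format produces (the two runs are paired by position, so they must be started together), builds a baseline SYN share from a few flood-free intervals, and alerts when the share jumps by a factor while the absolute SYN rate is also high, so a quiet link where a handful of SYNs make up a large share does not alert. The sample rows repeat the figures from the post plus two constructed flood intervals; the thresholds are assumptions to tune per link. One caveat on the filter itself: tcp[13]=2 matches only packets whose flag byte is exactly SYN, so a SYN carrying the ECN bits (ECE/CWR) is not counted; tcp[13] & 0x12 = 2 catches those as well.

```python
import re
from statistics import mean
from typing import Dict, List, Tuple

# Constructed sample output of two tcpstat runs taken in parallel (default 5-second
# intervals). ALL_TCP is the unfiltered run (%T = all TCP packets); SYN_ONLY is the
# run with -f "tcp[13]=2" (%T = packets with only the SYN flag set, %p = SYN/s).
# The first five rows repeat figures from the post; the last two are a constructed flood.
ALL_TCP = """\
PPS=1505.20 TCP=6850
PPS=1642.80 TCP=7540
PPS=1492.60 TCP=7020
PPS=1565.20 TCP=7384
PPS=1500.00 TCP=6958
PPS=3200.00 TCP=15410
PPS=4800.00 TCP=23800
"""

SYN_ONLY = """\
PPS=42.40 TCP-SYN=212
PPS=44.00 TCP-SYN=220
PPS=40.40 TCP-SYN=202
PPS=38.20 TCP-SYN=191
PPS=42.00 TCP-SYN=210
PPS=1650.00 TCP-SYN=8250
PPS=3300.00 TCP-SYN=16500
"""

FIELD = re.compile(r"([A-Za-z-]+)=([0-9.]+)")


def parse_tcpstat(text: str) -> List[Dict[str, float]]:
    """Turn 'KEY=VAL KEY=VAL' lines (any -o format built from such pairs) into dicts."""
    rows = []
    for line in text.splitlines():
        pairs = FIELD.findall(line)
        if pairs:
            rows.append({k: float(v) for k, v in pairs})
    return rows


def syn_ratios(all_text: str, syn_text: str) -> List[Tuple[float, float, float]]:
    """Per interval: (tcp packets, syn packets per second, syn/tcp ratio).
    Intervals are paired by position, so both tcpstat runs must start together."""
    out = []
    for a, s in zip(parse_tcpstat(all_text), parse_tcpstat(syn_text)):
        tcp, syn = a["TCP"], s["TCP-SYN"]
        out.append((tcp, s["PPS"], syn / tcp if tcp else 0.0))
    return out


def detect_syn_flood(all_text: str, syn_text: str, warmup: int = 5,
                     factor: float = 3.0, min_syn_rate: float = 200.0) -> List[int]:
    """Indices of intervals whose SYN share exceeds `factor` x the warmup baseline
    while the SYN rate also exceeds `min_syn_rate` packets/second. The warmup
    intervals are assumed to be flood-free (assumed thresholds, tune per link)."""
    rows = syn_ratios(all_text, syn_text)
    if len(rows) <= warmup:
        return []
    base = mean([r[2] for r in rows[:warmup]])
    return [i for i, (_, syn_rate, ratio) in enumerate(rows)
            if i >= warmup and ratio > factor * base and syn_rate >= min_syn_rate]


if __name__ == "__main__":
    for i, (tcp, syn_rate, ratio) in enumerate(syn_ratios(ALL_TCP, SYN_ONLY)):
        flag = "  <-- SYN flood?" if i in detect_syn_flood(ALL_TCP, SYN_ONLY) else ""
        print(f"interval {i}: tcp={int(tcp)} syn/s={syn_rate:.1f} share={ratio:.1%}{flag}")
```

With the post's figures the baseline SYN share is about 3%; the two constructed intervals sit above 50% at well over a thousand SYNs per second and are the only ones flagged. A real deployment would feed the two tcpstat pipes in continuously and keep a rolling baseline rather than a fixed warmup.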

Happy monitoring (:])

TCPstat - Report your NIC statistic

Just came across this network interface statistics reporting tool. While most tools just offer link accounting, this tool can do a protocol breakdown on the fly. The default mode of tcpstat reports, for each interval, the packet count (n), the average packet size and its standard deviation (in bytes), and the throughput in bits per second:

shell>tcpstat -i fxp0
Time:1157911172 n=7049 avg=607.08 stddev=659.37 bps=6846924.80
Time:1157911177 n=6614 avg=632.79 stddev=668.06 bps=6696438.40
Time:1157911182 n=7242 avg=648.16 stddev=677.81 bps=7510414.40
Time:1157911187 n=6533 avg=555.01 stddev=651.15 bps=5801387.20
Time:1157911192 n=1417 avg=588.38 stddev=659.08 bps=1333964.80

You can tweak the output format to display counts on a per-protocol basis:

shell>tcpstat -i fxp0 -o "TotalPackets\=%n\ ARP\=%A\ IP\=%I\ ICMP\=%C\ TCP\=%T\ UDP\=%U\n"
TotalPackets=6482 ARP=10 IP=6466 ICMP=37 TCP=5858 UDP=570
TotalPackets=5423 ARP=13 IP=5406 ICMP=33 TCP=4710 UDP=662
TotalPackets=6288 ARP=18 IP=6261 ICMP=36 TCP=5462 UDP=762
TotalPackets=6271 ARP=11 IP=6256 ICMP=37 TCP=5451 UDP=767
TotalPackets=6466 ARP=12 IP=6449 ICMP=34 TCP=5669 UDP=744
TotalPackets=6909 ARP=6 IP=6898 ICMP=42 TCP=6197 UDP=658
TotalPackets=6530 ARP=13 IP=6512 ICMP=43 TCP=5824 UDP=644
TotalPackets=6629 ARP=7 IP=6617 ICMP=42 TCP=5805 UDP=769
TotalPackets=7382 ARP=8 IP=7367 ICMP=44 TCP=6448 UDP=874
TotalPackets=5904 ARP=9 IP=5891 ICMP=42 TCP=5128 UDP=720
TotalPackets=5991 ARP=8 IP=5977 ICMP=35 TCP=5140 UDP=801
TotalPackets=5959 ARP=10 IP=5945 ICMP=41 TCP=5195 UDP=708
TotalPackets=5439 ARP=8 IP=5425 ICMP=34 TCP=4880 UDP=510

By the way, this tool supports BPF expression filtering, neat!

Enjoy ;]

TCPdstat Graphing & P0f 2 New Release

Just had an interesting read on graphing network statistics using tcpdstat. I think visualization sometimes helps in traffic analysis. Check it out @

By the way, for people who haven't noticed, P0f-2.0.8 is out. The tool has been rewritten and is better now; however, one has to relearn P0f signature writing since it is completely different now. Check out all the interesting features here -

Cheers :]

Friday, September 08, 2006

! Computer

Having been sticking with computers too much, I have come to realize I need sports. Apparently it is not healthy to sit in front of computers without experiencing other activities. Today I decided to go swimming, and yes, I have decided to do it maybe twice a week because it refreshes me, especially now that I'm kind of braindead. Sport helps, especially when you are stuck with computers too much.

By the way, I may buy a basketball as well; it's been a while since I played basketball and I need the sound - sop!

Let's kick ass without computing, cheers!!!!!

Thursday, September 07, 2006

OpenBSD 4.0 BPF

I read this in the OpenBSD -current (4.0) daily changelog .....

- Allow bpf(4) to ignore packets based on their direction.

I'm noting this down so that I can test it out when OpenBSD 4.0 is ready. Sounds like a useful feature for analysts.

Cheers :]

Friday, September 01, 2006

The Art Of Network Stegno Detection

When dealing with network covert channels, it is seriously hard to detect them using purely signature-based detection methodologies; you will come to realize that when you can't fingerprint it, you'll have to characterize it. What I mean by characterize is "To be a distinctive trait or mark of; distinguish" (definition from To be even clearer about how that can be done, think behavioural and statistical analysis. I came to this conclusion when I had almost finished reading the papers in the link below -

I mostly agree that covert channel detection can occur by luck when you are monitoring a large network. But in a small or medium network, you will have a higher chance of detecting covert channels if you implement the following -

- Tighten Network Access Control

- Client & Server Services Profiling

- Network Traffic Profiling

Most covert channels will try to act like normal legitimate traffic, or will be more of a protocol-over-protocol tunnel. It doesn't break the protocol, but it will introduce different behaviour in the protocol; the most obvious signs are long and continuous HTTP traffic, odd sequence number usage and so forth. Keep in mind that the attributes of protocol fields may change, and the connection states as well.

Tightening network access control reduces network noise; we are not using network access control to block covert channels (you can never block this type of stealthy connection that looks like a legitimate one).

Client service profiling defines what kind of services clients are allowed to use, such as http, https, pop3 and so on (outgoing). Server service profiling covers the services that are accessible to the world (incoming). Depending on your network environment, services profiling is a must for identifying covert channels, because a covert channel will mostly ride over the legitimate services (as I said, it bypasses network access control).

Network traffic profiling is the protocol breakdown and the usage of each protocol. This is mostly done with flow/session data collectors: they generate statistics on the network flows that let you identify the weird connections per protocol, and that is the lead into analysis of covert channels.

There's a little tool that demonstrates statistical covert channel detection, called tcpstatflow, written by fryxar; you can download it here -

While I couldn't get it to compile on FreeBSD, I had luck with Ubuntu. Here's what I did:

geek00l@hell:~/Desktop/Covert-Tools$ cd tcpstatflow/
geek00l@hell:~/Desktop/Covert-Tools/tcpstatflow$ make
geek00l@hell:~/Desktop/Covert-Tools/tcpstatflow$ ls
datalink.c datalink.o flow.c flow.o main.c main.o Makefile README tcpflow.h tcpip.c tcpip.o tcpstatflow util.c util.o
geek00l@hell:~/Desktop/Covert-Tools/tcpstatflow$ ./tcpstatflow
./tcpstatflow[29633]: no suitable device found
geek00l@hell:~/Desktop/Covert-Tools/tcpstatflow$ ./tcpstatflow -h
./tcpstatflow version 1.1 by Fryxar (thanks Jeremy Elson!)

usage: ./tcpstatflow [-hpvD] [-d debug_level] [-f tcptimeout]
[-i iface] [-t statistics_time] [-x bytes_threshold]
[-y time_threshold] [-z packets_threshold] [expression]

-d: debug level; default is 1
-D: start as daemon (log to syslog)
-h: print this help message
-i: network interface to listen
(type "ifconfig -a" for a list of interfaces)
-f: TCP timeout in seconds; default is 7200
-p: don't use promiscuous mode
-v: verbose operation equivalent to -d 10
-t: statistics time; default is 3600, use 0 to disable
-x: cummulative bytes in both senses threshold to report an alarm; default is 50000
-y: duration (in seconds) threshold to report an alarm; default is 86400
-z: cummulative packets in both senses threshold to report an alarm; default is 1000000
expression: tcpdump-like filtering expression

Running my own simple but fast ssh SOCKS proxy channel (dynamic port forwarding):

geek00l@hell:~/Desktop/Covert-Tools/hcovert-0.5$ ssh -ND 5555 root@ -p 2222

On the other hand, I also ran corkscrew, which allows tunneling ssh through the http proxy that I have set up on port 8080. You can install corkscrew using apt-get on Ubuntu and pkg_add on FreeBSD.

Now that I have the SOCKS proxy and ssh over the http proxy running, I also pointed my browser and other applications at the SOCKS proxy, and ran scp through the http proxy.

Here's the result from tcpstatflow:

geek00l@hell:~/Desktop/Covert-Tools/tcpstatflow$ sudo ./tcpstatflow -i eth0
./tcpstatflow[29651]: listening on eth0
Potencial tunnel => packets rx=1860 tx=1135, bytes rx=1808079 tx=50182, seconds=234
Stats= mallocs: 9, cleans: 8, reuses: 0, flows: 1, Packets: 4219 drops: 707 (16%)
Potencial tunnel => packets rx=3425 tx=4741, bytes rx=50023 tx=5204157, seconds=228

That's pretty neat, and I'm running tcpstatflow in default mode; you can tweak the thresholds when it comes to detecting different kinds of covert channels. You may think an icmp covert channel can bypass this tool, and that is true since it only handles tcp connections, but I believe an icmp covert channel can be restricted with your network access control (only allow icmp echo request and reply), and detecting an icmp covert channel can be done easily via its bytes transferred per flow once you have your flow collector in place.
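The profiling approach described earlier (client service profile plus per-flow statistics from a flow collector) and the threshold idea behind tcpstatflow and the icmp remark above, run over constructed flow records, as an added example that is not tcpstatflow's code or the post's own. The byte/duration/packet thresholds are tcpstatflow's -x/-y/-z defaults from its help text; the rule that the byte test must hold in both directions is my reading of the two alarms in the output above, where the smaller direction is just over 50000 bytes in each (a plain download is bulky one way only), not a verified description of tcpstatflow's source. The client port allow-list, the icmp bytes-per-packet limit and the flow records themselves are assumptions made up for the example; flows 1 and 2 reuse the byte counts from the two alarms. Also note the 16% drops in the tcpstatflow stats line: a sniffer that drops packets under-counts, so flow data exported by the router or a dedicated collector is the more reliable input for this kind of heuristic.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Flow:
    """One bidirectional flow as a flow/session collector would summarize it (constructed)."""
    src: str
    dst: str
    proto: str        # "tcp", "udp" or "icmp"
    dport: int        # 0 for icmp
    packets_rx: int
    packets_tx: int
    bytes_rx: int
    bytes_tx: int
    seconds: int


# Thresholds taken from tcpstatflow's -x / -y / -z defaults shown in its help text.
BYTES_THRESHOLD = 50_000
SECONDS_THRESHOLD = 86_400
PACKETS_THRESHOLD = 1_000_000

# Assumed client service profile: the outgoing services a desktop is allowed to use.
CLIENT_PROFILE = {"tcp": {22, 80, 110, 443}, "udp": {53, 123}}

# Assumed icmp profile: a plain ping echo is 84 bytes on the wire (20 IP + 8 ICMP + 56 data),
# so a flow averaging far more than that per packet is carrying something other than ping.
ICMP_MAX_BYTES_PER_PACKET = 128
ICMP_MAX_PACKETS = 200


def tcp_tunnel_reasons(f: Flow) -> List[str]:
    """Tunnel heuristics for tcp. The byte test requires bulk data in BOTH directions
    (assumed reading of tcpstatflow's alarms); a plain download is bulky one way only."""
    reasons = []
    if min(f.bytes_rx, f.bytes_tx) >= BYTES_THRESHOLD:
        reasons.append("bulk bytes in both directions")
    if f.seconds >= SECONDS_THRESHOLD:
        reasons.append("long-lived connection")
    if f.packets_rx + f.packets_tx >= PACKETS_THRESHOLD:
        reasons.append("packet count")
    return reasons


def icmp_tunnel_reasons(f: Flow) -> List[str]:
    """Bytes-per-flow view of icmp: oversized or sustained echo traffic is not ping."""
    reasons = []
    packets = f.packets_rx + f.packets_tx
    if packets and (f.bytes_rx + f.bytes_tx) / packets > ICMP_MAX_BYTES_PER_PACKET:
        reasons.append("oversized icmp payloads")
    if packets > ICMP_MAX_PACKETS:
        reasons.append("sustained icmp volume")
    return reasons


def profile_reasons(f: Flow) -> List[str]:
    """Client service profiling: outgoing flows to ports outside the allow-list."""
    allowed = CLIENT_PROFILE.get(f.proto)
    if allowed is not None and f.dport not in allowed:
        return [f"{f.proto}/{f.dport} outside client service profile"]
    return []


def analyse(flows: List[Flow]) -> Dict[int, List[str]]:
    """Map the index of each suspicious flow to the reasons it was flagged."""
    findings = {}
    for i, f in enumerate(flows):
        reasons = profile_reasons(f)
        if f.proto == "tcp":
            reasons += tcp_tunnel_reasons(f)
        elif f.proto == "icmp":
            reasons += icmp_tunnel_reasons(f)
        if reasons:
            findings[i] = reasons
    return findings


# Constructed flow records; flows 1 and 2 reuse the byte counts from the post's two alarms.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", "tcp", 443, 900, 400, 1_200_000, 30_000, 30),     # https download
    Flow("10.0.0.5", "198.51.100.7", "tcp", 2222, 1860, 1135, 1_808_079, 50_182, 234),  # ssh -D on 2222
    Flow("10.0.0.5", "10.0.0.1", "tcp", 8080, 3425, 4741, 50_023, 5_204_157, 228),       # ssh via http proxy
    Flow("10.0.0.5", "203.0.113.20", "tcp", 443, 600, 600, 2_000, 1_500, 90_000),        # day-long idle session
    Flow("10.0.0.5", "203.0.113.1", "icmp", 0, 10, 10, 840, 840, 10),                     # ordinary ping
    Flow("10.0.0.5", "198.51.100.9", "icmp", 0, 800, 800, 900_000, 120_000, 600),         # icmp tunnel
    Flow("10.0.0.5", "10.0.0.53", "udp", 53, 1, 1, 70, 160, 0),                           # dns lookup
]

if __name__ == "__main__":
    for i, reasons in analyse(SAMPLE_FLOWS).items():
        f = SAMPLE_FLOWS[i]
        print(f"flow {i} {f.src} -> {f.dst} {f.proto}/{f.dport}: {', '.join(reasons)}")
```

The https download and the ping pass untouched, while the two ssh tunnels are caught twice over (bulk traffic both ways, and a destination port the client profile does not allow), the day-long session trips the duration test, and the icmp tunnel stands out purely on bytes per packet. That overlap is the point of the post: access control and profiling narrow what the statistical tests have to look at.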

You may also check out one of the Sguil alliance, Victorj, using his mysql-fu to detect icmp tunnels via Sguil

I have mentioned that monitoring a large network can be a real headache for covert channel detection, but guess what? Try ourmon!

Now you know why NSM emphasizes statistical data as well!!!!!

Enjoy (:])