Saturday, October 27, 2007

HeX: Virtual Appliances Offering

To make sure HeX is in good shape, we have tested it on various applications that offer virtualization. Here is the list; the screenies speak for themselves -

HeX on VMware Player

HeX on VMware Fusion

HeX on Parallels

HeX on Qemu

HeX on VirtualBox

We are proud to release the HeX virtual appliance for different flavors of virtualization software. Most people prefer to try or test things before a real deployment, and I think that by offering different types of HeX virtual appliance (VMware, VirtualBox, Qemu, Parallels), people can easily load them into their preferred application. This virtual appliance is based on HeX 1.0.1 with the default installation set (sudo installer). We have tested it on all of them, and it boots from zero to a fully loaded fluxbox in less than a minute with 256MB of RAM. All of the virtual appliances can be found at -

- http://bsd.ipv6.la/hex-images

For direct download, the links below will do -

- HeX VMware Virtual Appliance
- MD5 Hash
- SHA256 Hash

- HeX VirtualBox Virtual Appliance
- MD5 Hash
- SHA256 Hash

- HeX Qemu Virtual Appliance
- MD5 Hash
- SHA256 Hash

- HeX Parallels Virtual Appliance
- MD5 Hash
- SHA256 Hash

Enjoy (;])

Friday, October 26, 2007

HeX 1.0.1 Release

Yes, we thought we could stop the development of HeX after 1.0R, but we were wrong: we encountered a boot issue with HeX on certain hardware and also on VMware when mounting the CD. chfl4gs_ and I tried to track down the problem, and it seems to be caused by the data that needs to be copied from the CD to memory in order to mount it using mfs (the /var filesystem, which is about 32Mb). This I/O process caused the liveCD to fail to boot properly on certain machines, and we finally found a workaround.

Another problem we encountered was msfweb not loading properly. After trying out ntop and darkstat, we found that even with JavaScript enabled in the Firefox browser, it still didn't show the graphs, so we tried deleting ~/.mozilla/firefox and using the global Firefox configuration instead. That solved the msfweb problem too (in fact it was caused by browser oddness).

With all the problems solved, we are shamelessly releasing HeX 1.0.1, which is shinier: boot-up performance is much improved, and most of the hardcore issues we couldn't fix are most probably gone now. Please try out the new release and, as usual, if you have a problem, make use of the HeX trac, the mailing list, or join the rawpacket IRC channel on freenode. Anyway, here are the download links -

- HeX 1.0.1 Release ISO

- HeX 1.0.1 Release MD5

- HeX 1.0.1 Release SHA256
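The ISO above and the virtual appliances in the next post each come with an MD5 and a SHA256 file, and the check worth running before booting any of them is to recompute the digest locally and compare it with the published value (prefer the SHA256 one; MD5 is only a transfer-error check). The script below is an added example, not part of HeX or rawpacket.org. It assumes the digest tools are GNU md5sum/sha256sum, BSD md5/sha256 or openssl, and the image name and hash-file layouts used in the demonstration are constructed.

```shell
#!/bin/sh
# Added example (not from the HeX project): verify a downloaded image against
# its published .md5 / .sha256 file before booting it.

# digest ALGO FILE -> lowercase hex digest of FILE; probes the GNU, BSD and
# openssl tools in turn because FreeBSD and Linux ship different names.
digest() {
    alg=$1; f=$2
    case $alg in
        md5)    tool=md5sum;    bsd=md5 ;;
        sha256) tool=sha256sum; bsd=sha256 ;;
        *) echo "unsupported algorithm: $alg" >&2; return 2 ;;
    esac
    if command -v "$tool" >/dev/null 2>&1; then
        out=$("$tool" "$f") || return 1
        out=${out%% *}                      # GNU prints "hash  file"
    elif command -v "$bsd" >/dev/null 2>&1; then
        out=$("$bsd" -q "$f") || return 1   # BSD -q prints only the hash
    else
        out=$(openssl dgst -"$alg" "$f") || return 1
        out=${out##* }                      # openssl prints "ALG(file)= hash"
    fi
    printf '%s\n' "$out" | tr 'A-F' 'a-f'
}

# expected_digest ALGO HASHFILE -> first hex token of the right length in the
# published hash file, whatever its layout ("hash  name" or "MD5 (name) = hash").
expected_digest() {
    case $1 in md5) n=32 ;; sha256) n=64 ;; *) return 2 ;; esac
    tr -cs '0-9A-Fa-f' '\n' < "$2" |
        awk -v n="$n" 'length($0) == n { print tolower($0); exit }'
}

# verify_image ALGO IMAGE HASHFILE -> 0 when the digests match, 1 otherwise.
verify_image() {
    alg=$1; img=$2; hashfile=$3
    want=$(expected_digest "$alg" "$hashfile") || return 2
    have=$(digest "$alg" "$img") || return 2
    if [ -n "$want" ] && [ "$want" = "$have" ]; then
        printf '%s: %s OK\n' "$img" "$alg"
        return 0
    fi
    printf '%s: %s MISMATCH (expected %s, got %s)\n' "$img" "$alg" "$want" "$have" >&2
    return 1
}

# Demonstration on a constructed file (not a real HeX image): the two digests
# below are the standard MD5 and SHA-256 test vectors for the bytes "abc".
tmp=$(mktemp -d) || exit 1
printf 'abc' > "$tmp/hex-demo.iso"
printf 'MD5 (hex-demo.iso) = 900150983cd24fb0d6963f7d28e17f72\n' > "$tmp/hex-demo.iso.md5"
printf 'ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  hex-demo.iso\n' \
    > "$tmp/hex-demo.iso.sha256"
verify_image md5    "$tmp/hex-demo.iso" "$tmp/hex-demo.iso.md5"
verify_image sha256 "$tmp/hex-demo.iso" "$tmp/hex-demo.iso.sha256"
rm -rf "$tmp"
```

Run it as `sh verify.sh`; for a real download, call `verify_image sha256 hex-i386-1.0.1.iso hex-i386-1.0.1.iso.sha256` (file names assumed) and refuse to boot the image on anything but `OK`.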

Enjoy (;])

HeX: Trac & Wiki

Thanks to spoonfork, we now have the trac and wiki -

https://trac.security.org.my/hex/wiki


With that we can manage the HeX project efficiently. If you have any tips or tricks you want to share, just let me know and I will put them in the wiki. For bug management, use trac.

Users need to register in order to report bugs; sorry for the hassle, but we are not spam lovers.

Peace ;]

Thursday, October 25, 2007

HeX: Using Darkstat & Ntop

If you are using HeX, you can track your network statistics easily with darkstat and ntop, and here I will show you the simple way of doing it. Both darkstat and ntop are accessible through the right-click menu -> NSM-Toolkit -> Session -> Darkstat or Ntop.

It is pretty straightforward to get darkstat running -

shell>sudo darkstat -i lnc0 -b 127.0.0.1 -p 5555

To run ntop -

Set the admin password so that you can access the web interface -

shell>sudo ntop -u nobody --set-admin-password=whatever

shell>sudo chmod 777 /var/db/ntop

To make it start on boot, I add this to /etc/rc.conf -

ntop_enable="YES"
ntop_flags="-i lnc0 -w 127.0.0.1:3000 -d --use-syslog=daemon"

Then I start it -

shell>/usr/local/etc/rc.d/ntop start

Now you can access the web gui by typing this in your browser -

Darkstat
http://127.0.0.1:5555

Ntop
http://127.0.0.1:3000

If you are opening this via localhost, you may find that Firefox won't display the graphs properly even with JavaScript enabled. Here's a simple trick to fix it; just do -

shell>rm -rf ~/.mozilla/firefox

Restart your firefox and you are done.
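Both recipes above pin the web GUI to 127.0.0.1 (darkstat with `-b`, ntop with `-w addr:port`), which is what keeps the traffic statistics of the monitored segment off the network; a bare port such as `-w 3000` would listen on every address. As an added example, not part of HeX, here is a POSIX sh checker that pulls `ntop_flags` out of an rc.conf-style file and reports whether the `-w` or `-b` argument is a loopback address. The rc.conf fragments are constructed, and the parser only handles the double-quoted `var="value"` form the recipe uses.

```shell
#!/bin/sh
# Added example (not part of HeX): confirm that ntop and darkstat listeners
# configured as in the recipe are bound to loopback only.

# rc_value FILE VAR -> the value of VAR="..." in an rc.conf-style file
# (last assignment wins, double quotes stripped).
rc_value() {
    awk -F= -v var="$2" '
        { sub(/^[ \t]+/, "") }
        $1 == var { v = substr($0, index($0, "=") + 1); gsub(/^[" ]+|[" ]+$/, "", v); last = v }
        END { print last }' "$1"
}

# opt_value FLAGS OPT -> the word following OPT in a flag string, or status 1
opt_value() {
    prev=
    for w in $1; do                       # unquoted on purpose: split on spaces
        if [ "$prev" = "$2" ]; then printf '%s\n' "$w"; return 0; fi
        prev=$w
    done
    return 1
}

# is_loopback ADDR[:PORT] -> 0 for 127.x.x.x or localhost; a bare port number
# (ntop's "-w 3000") or any other address counts as network-reachable.
is_loopback() {
    host=${1%:*}                          # drop a trailing :port
    case $host in
        127.*|localhost) return 0 ;;
        *) return 1 ;;
    esac
}

# check_bind NAME FLAGS OPT -> 0 if OPT's argument in FLAGS is a loopback address
check_bind() {
    name=$1; opt=$3
    addr=$(opt_value "$2" "$opt") || {
        printf '%s: no %s flag, listener is not pinned to loopback\n' "$name" "$opt"
        return 1
    }
    if is_loopback "$addr"; then
        printf '%s: listener bound to %s (loopback only)\n' "$name" "$addr"
        return 0
    fi
    printf '%s: listener bound to %s (reachable from the network)\n' "$name" "$addr"
    return 1
}

# Demonstration on constructed rc.conf fragments: the recipe's setting and a
# weakened variant that only gives ntop a port.
tmp=$(mktemp -d) || exit 1
cat > "$tmp/rc.conf.good" <<'EOF'
ntop_enable="YES"
ntop_flags="-i lnc0 -w 127.0.0.1:3000 -d --use-syslog=daemon"
EOF
cat > "$tmp/rc.conf.bad" <<'EOF'
ntop_enable="YES"
ntop_flags="-i lnc0 -w 3000 -d --use-syslog=daemon"
EOF
check_bind ntop     "$(rc_value "$tmp/rc.conf.good" ntop_flags)" -w
check_bind ntop     "$(rc_value "$tmp/rc.conf.bad"  ntop_flags)" -w || true   # expected to fail
check_bind darkstat "-i lnc0 -b 127.0.0.1 -p 5555" -b
rm -rf "$tmp"
```

On a HeX box the real check is `check_bind ntop "$(rc_value /etc/rc.conf ntop_flags)" -w`; a non-zero exit means the GUI is answering on more than the loopback interface.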

Some screenies below -








I will continue to write tips and tricks for the HeX liveCD. If there is any network security monitoring tool listed in the menu that you want to use but don't know how, feel free to email me and I will post a write-up. In fact I'm thinking of doing screencast tutorials; let me know what you guys think about that.

Enjoy (;])

Thursday, October 18, 2007

HeX liveCD: 1.0 Release

After six months of heavy development, the HeX development team is proud to present the first and foremost Network Security Monitoring & Network Based Forensics centric liveCD - HeX version 1.0 Release.

- Big Shout to chfl4gs_, thanks for everything
- Shout to pauls, thanks for all the ports
- Shout to guti, our web master
- Shout to vickz, our graphic designer
- Shout to tenner, thanks for your Fluxbox styles
- Shout to enhancer, mirror mirror on the net
- Shout to hol, thanks for the writeup editing
- Shout to spoonfork, thanks for your input
- Shout to whoever uses it, and thanks for the feedback/suggestions

Great work by all the members of the team, and thanks for the feedback. In line with the 1.0 Release, we have also printed a total of 50 CD labels (15 peace monkey and 35 fierce monkey) to be distributed. Here are the samples -

We will stop the development of HeX after the 1.0 release, and only release bug-fix versions if any major bug is found. We need some rest now; the next development cycle will start again after FreeBSD 7.0 is released. We are currently planning the next project, which will be announced soon.

For more details, check out its own page here -

http://www.rawpacket.org/projects/hex-livecd/version-10-release


May the force be with you!

Enjoy (;])

Tuesday, October 16, 2007

PADS: Call For Testing

If you are using PADS, we would like you to test 2 patches which are available at SourceForge. My friend David Bianco has been running PADS with his own patches, which fix the daemon mode bugs and add VLAN support. You can find the patches under his InstantNSM project here -

http://instantnsm.cvs.sourceforge.net/instantnsm/instantnsm/instantnsm/patches/


On the other hand, David has also added VLAN support to tcpflow. If any of you are interested, feel free to test it out and send the feedback to me.

Thanks.

Peace ;]

Sunday, October 14, 2007

Happy Festival & Holidays

To my muslim friends, Selamat Hari Raya Aidilfitri.

To my non-muslim friends, Selamat Bercuti.

Check out the wiki if you don't know what I mean.

Enjoy ;]

Thursday, October 11, 2007

PADS: About Signatures Writing

I have written a short write-up at security.org.my about how to write PADS signatures from scratch; it has nothing to do with the regex matching but more to do with obtaining the correct data you need in order to proceed.

Lets go ->

http://security.org.my/index.php?/archives/PADS-Efficient-Signature-Writing.html

Enjoy ;]

Wednesday, October 10, 2007

HeX liveCD: Packet Trace File Conversion

I have spent some time analyzing the packet trace files that are freely available on the Wireshark wiki and packet-level.com using the HeX liveCD. While having great fun with the packet traces, I encountered this -

shell>tshark -nr tcpshake.cap
1 0.000000 130.57.20.10 -> 130.57.20.1 TCP 1026 > 524 [SYN] Seq=0 Len=0 MSS=1460
2 0.004942 130.57.20.1 -> 130.57.20.10 TCP 524 > 1026 [SYN, ACK] Seq=0 Ack=1 Win=32768 Len=0 MSS=1460
3 0.005894 130.57.20.10 -> 130.57.20.1 TCP 1026 > 524 [ACK] Seq=1 Ack=1 Win=8760 Len=0

I wanted to compare the output of tshark and tcpdump, so I ran -

shell>tcpdump -ttttnnr tcpshake.cap
tcpdump: bad dump file format

Fine, let's check what it is -

shell>file tcpshake.cap
tcpshake.cap: NetXRay capture file - version 002.001 (Ethernet)

It seems the Wireshark suite supports the NetXRay file format,

shell>man wireshark
Output truncated .....
Wireshark can read / import the following file formats:
* Cinco Networks NetXRay captures
Output truncated .....

Maybe I can convert it using editcap? Right-click to launch the HeX main menu -> Pcap-Editor -> Editcap. To convert it from NetXRay capture format to libpcap format, I ran -

shell>editcap -F libpcap tcpshake.cap tcpshake.pcap

shell>tcpdump -ttttnnr tcpshake.pcap
reading from file tcpshake.pcap, link-type EN10MB (Ethernet)
1999-11-08 06:31:23.090125 IP 130.57.20.10.1026 > 130.57.20.1.524: S 12952:12952(0) win 8192
1999-11-08 06:31:23.095067 IP 130.57.20.1.524 > 130.57.20.10.1026: S 2744080:2744080(0) ack 12953 win 32768
1999-11-08 06:31:23.096019 IP 130.57.20.10.1026 > 130.57.20.1.524: . ack 1 win 8760

That's great.
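The `file` check above is what separates a NetXRay trace from a libpcap one, and it is cheap to script so that a batch of downloaded traces is classified before any of them is handed to tcpdump. As an added example, not from Wireshark or HeX, the POSIX sh function below classifies a trace by its leading bytes (the libpcap magic 0xa1b2c3d4 in either byte order, its nanosecond-timestamp variant 0xa1b23c4d, the pcapng section header 0x0a0d0d0a, and the "XCP\0" plus version string that file(1) reports for NetXRay) and only calls editcap when a conversion is actually needed. The sample headers are constructed 8- to 11-byte stubs, not real captures.

```shell
#!/bin/sh
# Added example (not part of HeX or Wireshark): identify a trace file's format
# from its magic bytes and convert to libpcap only when necessary.

# capture_format FILE -> one-line description of the format, or "unknown"
capture_format() {
    # first 8 bytes as lowercase hex, e.g. "d4c3b2a102000400" for libpcap
    hdr=$(dd if="$1" bs=8 count=1 2>/dev/null | od -An -v -tx1 | tr -d ' \n')
    case $hdr in
        d4c3b2a1*) echo "libpcap (little-endian, microsecond timestamps)" ;;
        a1b2c3d4*) echo "libpcap (big-endian, microsecond timestamps)" ;;
        4d3cb2a1*) echo "libpcap (little-endian, nanosecond timestamps)" ;;
        a1b23c4d*) echo "libpcap (big-endian, nanosecond timestamps)" ;;
        0a0d0d0a*) echo "pcapng" ;;
        58435000*)                      # "XCP\0", version string at offset 4
            version=$(dd if="$1" bs=1 skip=4 count=7 2>/dev/null | tr -cd '0-9.')
            echo "NetXRay/Sniffer capture, version $version" ;;
        *) echo "unknown" ;;
    esac
}

# ensure_libpcap IN OUT -> writes a libpcap copy of IN to OUT, running editcap
# (from the Wireshark suite, as in the post) only for non-libpcap inputs.
ensure_libpcap() {
    case $(capture_format "$1") in
        libpcap*) cp "$1" "$2" ;;
        unknown)
            echo "refusing to convert $1: unrecognised format" >&2
            return 1 ;;
        *)
            command -v editcap >/dev/null 2>&1 || { echo "editcap not installed" >&2; return 1; }
            editcap -F libpcap "$1" "$2" ;;
    esac
}

# Demonstration on constructed header stubs (not real captures).
tmp=$(mktemp -d) || exit 1
printf '\324\303\262\241\002\000\004\000' > "$tmp/le.pcap"       # d4 c3 b2 a1 02 00 04 00
printf '\012\015\015\012\034\000\000\000' > "$tmp/trace.pcapng"  # 0a 0d 0d 0a ...
printf 'XCP\000002.001'                   > "$tmp/tcpshake.cap"  # NetXRay, version 002.001
for f in le.pcap trace.pcapng tcpshake.cap; do
    printf '%s: %s\n' "$f" "$(capture_format "$tmp/$f")"
done
rm -rf "$tmp"
```

With real files, `ensure_libpcap tcpshake.cap tcpshake.pcap` reproduces the editcap step from the post, while an already-libpcap input is copied untouched and an unrecognised file is refused rather than fed to editcap blindly.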

I found that if you prefer a GUI, you can use the freeware ProConvert, which supports more capture formats. With wine, I have successfully installed it on Ubuntu 7.04. Here's the screenshot -


I compared both files converted by the different tools with the diff command and they seem to have no differences; both have the same file size as well.

shell>ls -la tcpshake_cap.dmp tcpshake.pcap
-rw-r--r-- 1 geek00l geek00l 252 2007-10-10 14:41 tcpshake_cap.dmp
-rw-r--r-- 1 geek00l geek00l 252 2007-10-10 15:00 tcpshake.pcap

I haven't tried wine on HeX (FreeBSD); maybe it's about time to do that too.

Enjoy (;])

Tuesday, October 09, 2007

Finally ..... Fluxbox 1.0 Stable Release

After a marathon of development, Fluxbox has finally reached the great milestone - 1.0 Stable Release. While I'm not involved in Fluxbox development, I'm a long-time user of it, and our HeX liveCD even uses it as the default window manager for its simplicity and clean style. You can find the latest changelog here.

If you are new to Fluxbox, no worries, as the Fluxbox community has set up a very useful wiki for you.

Anyway, greetings to the Fluxbox development team!!!!!

RealTime Log Visualization

Visualization is getting popular these days; I came across this site -

http://www.fudgie.org/

This is much easier to read/watch .....

Enjoy ;]

Monday, October 08, 2007

PADS: The Future

As PADS is now integrated into Sguil, I would assume its usage will increase. PADS passively identifies the network assets running on your network and further assists in network asset profiling. However, the main developer of PADS (Matt Shelton) is no longer actively maintaining it. Together with David Bianco, we have taken the initiative to maintain PADS, but this is more of an NSM community effort than something we do solely ourselves. If you are using PADS, feel free to do the following -

- bug report

- send us patches

- test our patches

- contribute PADS signatures

Matt Shelton has delegated admin access to the PADS source tree to us; however, we will take careful steps to test all patches and signatures further before committing them.

Cheers ;]

Sunday, October 07, 2007

Hub, Span or Tap

I must say I enjoyed reading these because they are well explained; you should read them if you are currently in the implementation and deployment stage of network security monitoring -

http://www.lovemytool.com/blog/2007/08/span-ports-or-t.html

http://www.lovemytool.com/blog/2007/09/aggregation-tap.html

I enjoy reading the other posts as well, since I can learn about some commercial products that I haven't used before. Progressive learning is always good .....

Peace ;]

HeX liveCD: The Graphic Designer

We have assigned Vickson as our main graphic designer because we all like his sense of art and ability to craft. He set up his own blog discussing art and design quite some time ago, which I think is worth mentioning; check out the link -

http://vickz.com

Hereby I would like to thank him for his contribution to the HeX liveCD. We all appreciate it!

Cheers ;]

The light & easy

Today is Sunday, so let's share something light and easy. Here's the list of software I use lately on my Ubuntu desktop -

- Pcmanfm

- Tracker

- Deluge

- Miro

Pcmanfm is another nifty file manager, Tracker is a great indexing and searching tool, Deluge is better than any other BitTorrent client out there, and Miro is the video player you want. No sneak peeks here, because you can find them on their respective sites.

Enjoy ;]

Saturday, October 06, 2007

Bro - Tips & Tricks

I figured out a simple way to find all the tips and tricks about Bro-NIDS written by me and spoonfork. Check them out here -

- My blog

- Malaysia Network Security Blog

Other than ours, you will be able to find all the good things in the Bro wiki.

Enjoy ;]

Digital Forensics Research Workshop

I'm always interested in digital forensics technology, while I'm not really in that field. I just learned about this site when googling around, and it's good to share with everyone -

http://www.dfrws.org/index.shtml

From the site -

DFRWS is dedicated to the sharing of knowledge and ideas about digital forensics research.

This is what we really need, the knowledge sharing!

Friday, October 05, 2007

HeXtra Changes

Along with the upcoming release of the HeX liveCD, there will be a couple of changes in HeXtra. Thanks to Paulh, most of the tools packaged in HeXtra 1.0 Beta are already ported to the FreeBSD ports system. Therefore we will only distribute HeXtra 1.0R with the following -

- latest sguil client in cvs

- snort configuration files and signatures

- latest argus 3

I have received a few requests about adding honeysnap to the HeX liveCD. If any of you would like to port it to FreeBSD for the sake of HeX, please feel free to contact me.

Wednesday, October 03, 2007

Sguil: Minor DB Issue

I remember having this problem previously, and it forced me to create the sguil sensor name without "-" to resolve it. I hadn't taken note of this, but today when I read this information in the Knoppix-NSM FAQ, they have a clear answer, so I think it's good to take note of it. From the link -

http://www.securixlive.com/knoppix-nsm/faq.php

Sensor is running but no data in sguil console?

If you have used the - (minus/dash) character in your sensor name then this could be the cause. When a new sensor is created, new tables, based on the sensor name, are also created for storing data. MySQL does not allow you access to tables that have the - character in the name. Change the sensor name and this should fix the problem.

It's a minor issue, seriously. But it can crack your head sometimes to figure it out.

Peace ;]

Tuesday, October 02, 2007

HeX liveCD: Pre 1.0R

Nothing much is happening, but we are making progress bit by bit. We are currently testing the private version of HeX to make sure everything in HeX works properly.

As of today, we decided to release the last build of HeX before the major version 1.0 Release. Feel free to join our mailing list, as the initial announcement is there.

Here's the announcement from chfl4gs -

geek00L and I are proud to present the latest build of Hex for group peer review. My apologies for not making this post possible earlier, so that circulation of versions of Hex wouldn't be merely between the two of us.

Here you can grab the iso for testing.

http://bsd.ipv6.la/hex-i386-1.0RC2-20071002.iso
http://bsd.ipv6.la/hex-i386-1.0RC2-20071002.iso.md5
http://bsd.ipv6.la/hex-i386-1.0RC2-20071002.iso.sha256

Some of the known issues, i.e. msfweb shows "Application Error" without error: RubyOnRails related memory handling issue. msfweb runs fine if you allocate more memory. 256MB on qemu is not sufficient for msfweb.

This version is a major bug fix release and we plan to go for 1.0-R if everything else is stable and functional. As usual, feedback, both good and bad, is most welcome. Please post to this group if you have any questions/bug reports/fixes to share.

Thank You.

Yes, most of the bugs that we found and reported are fixed, and we even tested all the Network Security Monitoring based tools and it went well.

One of the scripts I have added is NBF-Offline.sh, which you can find under the ~/rp-NSM directory; it is a Network Based Forensics automation script to assist analysts in performing network data carving. Most of the stuff in HeXtra is already merged into it as well, except argus 3 and NSM-Offline.sh, which we have thought of adding to 1.0R.

To summarize the objective of our liveCD: we are actually trying to develop the first and foremost Network Security Monitoring & Network Based Forensics centric liveCD. Therefore we welcome all practitioners to try it out!!!!!

Enjoy ;]