Monday, November 26, 2007

MyOSS: December Meetup

Yeah, we are going to have the local meetup again in December. More information can be found at -

http://foss.org.my/projects/meetups/december-2007/december-2007-meetup/view

For whoever came to the November Meetup for the crap presented by me and chfl4gs_, all I can say is thanks for coming, your presence is much appreciated.

Hopefully the meetup is gaining momentum again!!!!!

Enjoy :]

Youtube is down?

Before I head to sleep, I was thinking of checking if there's an additional video for today's news (hint, hint), but I got this -


It seems that the youtube servers are still running but returning service unavailable. Does anyone have any idea? By the way, time to sleep, it's 2am here.

Peace ;]

Sunday, November 25, 2007

Resources about Data Visualization

I think it is great to share what I have come across and learned along the way. Here are 3 interesting resources about data visualization with great information.

- Infovis

- Vizsec

- Secviz

If you like data visualization (human beings tend to watch rather than read), you should find them fruitful.

Enjoy ;]

Regex Learning Tool: Kregexpeditor

I previously introduced an application that helps you learn regular expressions, which you can find here. Here's another similar application called kregexpeditor.


Referring to the screenshot above, you may see a lot of symbols in the toolbar below the title bar. Each of them represents a certain type of regular expression element; you can point at them and read the description of each symbol. To choose one, left click on it, then left click again on the grey pane below the toolbar to add it to the regular expression you want to build. For example, click on the Beginning of line symbol and then left click on the grey pane, and you will see the regex inserted into the ASCII syntax as ^.

Some of the symbols in the grey pane can be edited by right clicking and choosing Edit, so this is very flexible when you want to modify it to fit your needs. You may also notice that the second row of the toolbar is quite useful when you want to copy, paste and save the regex you have built.

To make sure the regex matches what you want, just type whatever characters or digits into the big white pane on the right. Once it matches, the text is shown in red instead of black (shown in the screenshot), so you can make sure the regex works as expected.

Anyway I think this is a great tool to learn how regex works in a practical way, together with the cheat sheet that I have blogged about previously here. Before I forget, you can get kregexpeditor easily with apt-get on Ubuntu.

Enjoy ;]

Saturday, November 24, 2007

The Art Of Statistic & Probability

I came across this site when googling for network packet sampling, and one of the papers is about Sampling For Passive Internet Measurement.

I started to love Statistics and Probability after I came across network statistics and flow analysis (thanks to NSM), and I seem to have become addicted to it now. However my lack of knowledge in math always pushes me back and I need to spend time to understand them. Anyway this is not what I want to talk about here; it's more about Project Euclid. I especially like their mission statement.

Project Euclid's mission is to advance scholarly communication in the field of theoretical and applied mathematics and statistics. Project Euclid is designed to address the unique needs of low-cost independent and society journals. Through a collaborative partnership arrangement, these publishers join forces and participate in an online presence with advanced functionality, without sacrificing their intellectual or economic independence or commitment to low subscription prices. Full-text searching, reference linking, interoperability through the Open Archives Initiative, and long-term retention of data are all important components of the project.

The end result is a vibrant online information community for independent and society journals. This will assure that mathematics and statistics will continue to benefit from a healthy balance of commercial enterprises, scholarly societies, and independent publishers.

This is cool, I'm about to download some of the papers and study them. If you are into this field, let me know what you think about it.

Besides this, thanks to kaeru who has lent me his math books.

Cheers ;]

HeX: The BackPort and Honeysnap Inclusion

I have gotten a few requests about adding honeysnap to the HeX liveCD. As you and I know, HeX can be run as a liveCD or installed to the hard drive, but most people just run it as a liveCD unless they need to do heavyweight network data analysis. Now you can install the packages (we call them back ports, as those packages are meant for HeX 2.0 [the next major version], but anyone who uses 1.x can still have access to the tools that are not included by default). You can find the back ports at -

http://rawpacket.org/hex/packages

Thanks to dakrone, our new developer, who has spent his precious time creating the honeysnap and its related packages; you can find his post about honeysnap here. Here I will show you the remote installation of honeysnap and its related packages in a few steps, just check out the screenshot as I'm too lazy to copy and paste from the terminal. Click ->


Thanks to the honeynet community and the developers of honeysnap. Honeysnap is in fact a very nifty tool for performing post processing on pcap data, and we are proud that our liveCD includes it now.

Enjoy ;]

Bogus, Suspicious .....

I read about this and it raised my curiosity. However, to me most of the statements are more speculation. I'm not interested in giving thought to the story itself because I'm not into it; I'm more into digging into information gathering. This paragraph caught my eye -

The tainted portable hard disc uploads any information saved on the computer automatically and without the owner's knowledge to www.nice8.org and www.we168.org, the bureau said.

Let's have fun with it -
shell>whois nice8.org

Domain ID:D145807509-LROR
Domain Name:NICE8.ORG
Created On:11-May-2007 07:20:24 UTC
Last Updated On:27-Sep-2007 05:57:07 UTC
Expiration Date:11-May-2008 07:20:24 UTC
Sponsoring Registrar:Xin Net Technology Corporation (R118-LROR)
Status:OK
Registrant ID:JHV8DUH7W9TIL
Registrant Name:ga ga
Registrant Organization:gaga
Registrant Street1:gagaga
Registrant Street2:
Registrant Street3:
Registrant City:gaga
Registrant State/Province:Beijing
Registrant Postal Code:126631
Registrant Country:CN
Registrant Phone:+86.2164729393
Registrant Phone Ext.:
Registrant FAX:+86.2164660456
Registrant FAX Ext.:
Registrant Email:safsafsa@ca.ca
Admin ID:JHV8DUHMSOOFB
Admin Name:ga ga
Admin Organization:gaga
Admin Street1:gagaga
Admin Street2:
Admin Street3:
Admin City:gaga
Admin State/Province:Beijing
Admin Postal Code:126631
Admin Country:CN
Admin Phone:+86.68492333
Admin Phone Ext.:
Admin FAX:+86.4660456
Admin FAX Ext.:
Admin Email:safsafsa@ca.ca
Tech ID:JHV8DUHO9XXZP
Tech Name:ga ga
Tech Organization:gaga
Tech Street1:gagaga
Tech Street2:
Tech Street3:
Tech City:gaga
Tech State/Province:Beijing
Tech Postal Code:126631
Tech Country:CN
Tech Phone:+86.68492333
Tech Phone Ext.:
Tech FAX:+86.4660456
Tech FAX Ext.:
Tech Email:safsafsa@ca.ca
Name Server:NS2.XINNETDNS.COM
Name Server:NS2.XINNET.CN

shell>whois we168.org

Domain ID:D148394330-LROR
Domain Name:WE168.ORG
Created On:02-Jul-2007 14:22:33 UTC
Last Updated On:01-Sep-2007 03:53:20 UTC
Expiration Date:02-Jul-2008 14:22:33 UTC
Sponsoring Registrar:Xin Net Technology Corporation (R118-LROR)
Status:OK
Registrant ID:JKK2LGJNFSTQQ
Registrant Name:yon gge
Registrant Organization:yongge
Registrant Street1:yongge
Registrant Street2:
Registrant Street3:
Registrant City:yongge
Registrant State/Province:Beijing
Registrant Postal Code:123000
Registrant Country:CN
Registrant Phone:+86.2164729393
Registrant Phone Ext.:
Registrant FAX:+86.2164660456
Registrant FAX Ext.:
Registrant Email:wwwgmmcc@126.com
Admin ID:JKK2LGK6TE4Y5
Admin Name:yon gge
Admin Organization:yongge
Admin Street1:yongge
Admin Street2:
Admin Street3:
Admin City:yongge
Admin State/Province:Beijing
Admin Postal Code:123000
Admin Country:CN
Admin Phone:+86.68492333
Admin Phone Ext.:
Admin FAX:+86.4660456
Admin FAX Ext.:
Admin Email:wwwgmmcc@126.com
Tech ID:JKK2LGK8GMNXM
Tech Name:yon gge
Tech Organization:yongge
Tech Street1:yongge
Tech Street2:
Tech Street3:
Tech City:yongge
Tech State/Province:Beijing
Tech Postal Code:123000
Tech Country:CN
Tech Phone:+86.68492333
Tech Phone Ext.:
Tech FAX:+86.4660456
Tech FAX Ext.:
Tech Email:wwwgmmcc@126.com
Name Server:NS2.XINNETDNS.COM
Name Server:NS2.XINNET.CN

If you look at the bold fonts, both entries have many similarities and are pretty much identical, especially if you compare them side by side. I'm still wondering if they will be taken down. By the way, check out the Beijing Postal Code here or here. Of course I haven't really verified the information on those sites, but that's interesting.
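Comparing two records by eye is fine for two domains, but the same pivot (which registration fields two domains share) is easier to repeat in code. The Python below is an added example, not something from the original post: it parses the "Key:Value" whois output into a dictionary, drops the fields that are unique per domain by construction, and reports what both records have in common. The whois text is excerpted from the two records above; the choice of fields to ignore is my own.

```python
from collections import defaultdict

# Excerpts of the two whois records shown above (trimmed to the fields used here).
NICE8_WHOIS = """\
Domain Name:NICE8.ORG
Created On:11-May-2007 07:20:24 UTC
Sponsoring Registrar:Xin Net Technology Corporation (R118-LROR)
Status:OK
Registrant Name:ga ga
Registrant Organization:gaga
Registrant State/Province:Beijing
Registrant Postal Code:126631
Registrant Country:CN
Registrant Phone:+86.2164729393
Registrant FAX:+86.2164660456
Registrant Email:safsafsa@ca.ca
Admin Phone:+86.68492333
Admin FAX:+86.4660456
Name Server:NS2.XINNETDNS.COM
Name Server:NS2.XINNET.CN
"""

WE168_WHOIS = """\
Domain Name:WE168.ORG
Created On:02-Jul-2007 14:22:33 UTC
Sponsoring Registrar:Xin Net Technology Corporation (R118-LROR)
Status:OK
Registrant Name:yon gge
Registrant Organization:yongge
Registrant State/Province:Beijing
Registrant Postal Code:123000
Registrant Country:CN
Registrant Phone:+86.2164729393
Registrant FAX:+86.2164660456
Registrant Email:wwwgmmcc@126.com
Admin Phone:+86.68492333
Admin FAX:+86.4660456
Name Server:NS2.XINNETDNS.COM
Name Server:NS2.XINNET.CN
"""

# Fields that are unique per domain by construction, or carry no attribution signal
# (my own list, adjust as needed).
NOISE_FIELDS = {"Domain ID", "Domain Name", "Created On", "Last Updated On",
                "Expiration Date", "Status"}


def parse_whois(text):
    """Turn 'Key:Value' lines into {key: [values]}; repeated keys (Name Server) keep every value."""
    record = defaultdict(list)
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if value:  # empty fields such as Street2 or Phone Ext. carry no information
            record[key].append(value)
    return dict(record)


def shared_fields(rec_a, rec_b, noise=NOISE_FIELDS):
    """Return the fields whose values are identical in both records, minus the noise fields."""
    return {key: values for key, values in rec_a.items()
            if key not in noise and rec_b.get(key) == values}


if __name__ == "__main__":
    common = shared_fields(parse_whois(NICE8_WHOIS), parse_whois(WE168_WHOIS))
    for key, values in sorted(common.items()):
        print("%-28s %s" % (key, ", ".join(values)))
```

Run as-is it lists the registrar, the Beijing state field, the registrant phone and fax, the admin phone and fax, and both name servers as shared, while the names, organizations, postal codes and e-mail addresses (which differ) stay out of the report. Phone and fax numbers are the values worth pivoting on in a larger set, since the names here are obviously filler.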

Peace ;]

Friday, November 23, 2007

TCP/IP Perversion

I came across this blog post from Tyler Reguly about TCP/IP Perversion, presented by Rares Stefan at SecTor 2007. I can't find any presentation slides that are publicly available, so I don't really know much about it, but it looks very interesting to me because it might give NSM a hard time as it offers a false sense of data (this is more than evasion; this is really unpredictable). I may be kidding, but you can check out the post here -

http://www.computerdefense.org/?p=417

Would someone mind enlightening me about this?

Thanks to Tyler Reguly for summarizing the presentation and posting it up. I'm pretty eager to know more about it.

Cheers ;]

Thursday, November 22, 2007

Mix Post But Helpful

I'm trying to move to using VMware Server instead of VMware Workstation now. The installation process is pretty straightforward on Ubuntu 7.10, but I encountered an issue when trying to load the virtual appliance that I had created using VMware Workstation because of an incompatibility problem. I found the solution in this post -

http://communities.vmware.com/message/297502#297502

On the other hand, I found a great tip on creating a FreeBSD application package from its port. I used to use the make package command to create FreeBSD packages, but I think you should check out this one too -

http://forums.bsdnexus.com/viewtopic.php?id=861


Another great post I want to share here is about the network tap. Many people (management suckos) don't believe this, but let's listen to the expert here. This is exactly the "fail-open" that you need.

http://taosecurity.blogspot.com/2007/11/tap-vs-lightning-strike.html

That's about it; hopefully the posts that helped me help you too.

Peace ;]

HeX: Welcome New Team Members

This is great news, at least for the development of the HeX liveCD. We are pleased to welcome Matthew Lee Hinman (Dakrone) and JJ Cummings (Enhanced) to the development of the HeX liveCD.

For your information, both of them have been very supportive and helpful throughout the development of the HeX liveCD. JJ Cummings is also the co-developer of the Inprotect project and a long-time HeX liveCD mirror provider for the US, while Matthew Lee Hinman just joined us recently but is already helping to fix bugs, create ports and contribute analysis scripts which will be imported into HeX soon.

Hopefully with more developers now, we can have next shiny version of HeX liveCD -> 2.0!!!!!

Thanks (;])

Wednesday, November 21, 2007

Ubuntu: Rumint

I plan to buy the book Security Data Visualization, written by Greg Conti. I'm not much into the visualization field, so I guess it might be good for me to learn more about it with the help of this book. If you are asking for more, you can find other resources/books recommended by Greg here.

Greg Conti has also written a tool called rumint (room-int) to visualize network packets. Its main supported platform is Windows, but no worry, we have wine to run rumint. Assuming you have wine installed in the first place, here's how I got rumint running on Ubuntu 7.10.

shell>wget http://www.rumint.org/software/rumint/rumint_v.214.zip

shell>unzip rumint_v.214.zip

shell>cd rumint_2.14_distro/

shell>wine ./setup.exe

You need winpcap if you want to do real time processing of the network packets seen by your network interfaces; however, I couldn't get it working even with winpcap installed successfully. But you can still load pcap data into rumint. To launch rumint, just run -

shell>cd ~/.wine/drive_c/"Program Files"/rumint; wine ./rumint_214.exe

Here's the screenshot -



In order to load the pcap data, just click on File -> Load PCAP Dataset, choose the data you want to load, then click on the Play button. You can also tune the settings of its filters based on color or ports under Toolbars -> Filters. Once you have clicked on the Play button, it will start replaying the packets, and there are 7 supported view formats such as Text Rainfall, Byte Frequency, Parallel Plot, etc. Check out the next two screenshots below.



Here we have more views! I like the Parallel Plot and Detail views. You can also pause, stop or fast forward the replay of the pcap data.



Currently you can only do post processing of pcap data when using wine, since there's an issue with winpcap. But it's good enough when you want to perform packet visualization analysis. To get a good understanding of the visualization techniques offered by rumint, check out the link below.

http://www.rumint.org/software/rumint/rumint_overview.pdf

Hopefully this post gives you a quick glance at what rumint offers and raises your interest in the security data visualization field.

Enjoy (;])

Tuesday, November 20, 2007

PADS: Signature Contribution

Thanks to Kinstonian, who has sent me PADS signatures which I would like to post here. Credit goes to him, and I will add the signatures to the upcoming HeX 1.0.2, only committing them to the PADS development source tree once they are tested. Here are the words from Kinstonian -

I've revised the signatures somewhat. I searched google images for Windows command prompts and the updated windows shell signature should detect Windows 2000, XP, 2003 and 2008 command prompts. I've tested it with netcat and it works.

ftp,v/Serv-U FTP Server/$1//,220-{0,1} {0,1}Serv-U FTP Server (v\d\.\d+) for WinSock ready

windowsshell,v/Windows $1Command Prompt//$2/,Microsoft Windows (.*)\[(.+)\]

I'd like to write more signatures, but I'd like to refresh my regex knowledge first and would need to find the time. However, I'll email you with any other signatures I write in the future.

So there are two signatures submitted by Kinstonian: one for the Serv-U FTP server and the other for the Windows command prompt. If you are running either of them, feel free to test the signatures.
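To test the two signatures without a live Serv-U or Windows box, here is a small Python matcher, added here and not part of the post or of PADS itself. It splits a signature line into service, the v/vendor/version/info/ block and the regex (my reading of the format; the real PADS parser may split the line differently, so treat that as an assumption), runs the regex over a banner, and fills in the $1/$2 placeholders from the capture groups. The banners are constructed for the test, not captured from real hosts.

```python
import re

# The two signatures posted above, verbatim.
SIGNATURES = [
    r"ftp,v/Serv-U FTP Server/$1//,220-{0,1} {0,1}Serv-U FTP Server (v\d\.\d+) for WinSock ready",
    r"windowsshell,v/Windows $1Command Prompt//$2/,Microsoft Windows (.*)\[(.+)\]",
]

# Constructed banners to exercise the signatures (not captured from real hosts).
SAMPLE_BANNERS = [
    "220 Serv-U FTP Server v6.4 for WinSock ready...",
    "Microsoft Windows XP [Version 5.1.2600]\r\n(C) Copyright 1985-2001 Microsoft Corp.\r\n",
    "220 ProFTPD 1.3.0 Server ready.",
]


def parse_signature(line):
    """Split 'service,v/vendor/version/info/,regex' into its parts.

    Assumption: the version block always has the v/.../.../.../ shape and is followed by a
    comma; everything after that comma is the regex, which may itself contain commas
    (as the {0,1} quantifiers in the Serv-U signature do).
    """
    service, _, rest = line.partition(",")
    if not rest.startswith("v/"):
        raise ValueError("unsupported version block in signature: %r" % line)
    vendor, version, info, tail = rest[2:].split("/", 3)
    if not tail.startswith(","):
        raise ValueError("malformed signature: %r" % line)
    return {"service": service, "vendor": vendor, "version": version,
            "info": info, "regex": re.compile(tail[1:])}


def expand(template, groups):
    """Replace $1, $2, ... with the matching capture groups; missing groups become ''."""
    def sub(m):
        idx = int(m.group(1)) - 1
        return groups[idx] if idx < len(groups) and groups[idx] is not None else ""
    return re.sub(r"\$(\d+)", sub, template)


def identify(banner, signatures):
    """Return (service, vendor, version, info) for the first signature that matches, else None."""
    for sig in signatures:
        m = sig["regex"].search(banner)
        if m:
            g = m.groups()
            return (sig["service"], expand(sig["vendor"], g),
                    expand(sig["version"], g), expand(sig["info"], g))
    return None


PARSED = [parse_signature(s) for s in SIGNATURES]

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(repr(banner[:40]), "->", identify(banner, PARSED))
```

The Windows signature's first group captures "XP " including the trailing space, which is why the vendor template reads "Windows $1Command Prompt" with no space before "Command"; the second group becomes the info field ("Version 5.1.2600"). A banner neither signature knows, like the ProFTPD line, returns None.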

Thanks Kinstonian, we need more contributors like you.

Enjoy ;]

Now this is really bleeding .....

This is a late post about the founder and admin of Bleeding Edge Threats, Matt Jonkman, leaving Bleeding Threats, which he announced here. If you don't know what Bleeding Edge Threats is, check it out here.

First of all, I would like to thank Jonkman for his long-time efforts to keep snort rules and other security related projects on the sharp edge. And I hope for the best for what he means by "something new" in the future.

Now the question is, can we really call it Bleeding Edge anymore? I'm pretty curious what Sensory Networks will come out with for the best of this project.

Anyway the good news is, Jonkman will still be with us no matter what, because snort is the only thing he knows how to do.

Cheers ;]

TCPDUMP VS SNOOP Cheat Sheet

I like the idea of having a cheat sheet in your pocket where you can learn things quickly, and in the meantime it also serves as a quick reference. I have spent some time creating this TCPDUMP VS SNOOP cheat sheet and I think it's good to share it with the world.

http://rawpacket.org/anonymous/papers/tcpdumpVSsnoop-cheatsheet.pdf


The cheat sheet is not only about the comparison of these two tools but also provides some usage tips. If you think there's any technical error in the cheat sheet, feel free to correct me. Following my previous post here, I think this is great for people who want to learn snoop from a tcpdump background, and the same applies the other way round.

Cheers (;])

Monday, November 19, 2007

SunOS: Snoopy Dog

When performing network traffic sniffing, capturing or inspection, we all usually use the sniffer called tcpdump (to me sniffer is not the correct term, but let's ignore that here). Sun has developed their own sniffer, which is called snoop. I think snoop is useful for people who run SunOS based servers when it comes to network traffic debugging. Anyway I'm trying all of this on Nexenta OS, which I came across lately, and hopefully this blog post is useful to myself if I need to perform reactive Network Security Monitoring operations on SunOS in future.

Before I do anything with snoop, I check out the man page -

shell>man snoop

If you can't find the man page for the command you want to use, you can try this too -

shell>info snoop

Snoop also has primitive support for filter expressions; it is pretty similar to bpf filtering, although I haven't really looked into it much. Just like tcpdump -d, snoop has -C to print the code generated from the filter expression, for either the kernel packet filter or snoop's own filter. For example -

shell>sudo snoop -C ip
Kernel Filter:
0: PUSHWORD 6
1: PUSHLIT EQ
2: 129 (0x0081)
3: BRFL
4: 3 (0x0003)
5: LOAD_OFFSET
6: 2 (0x0002)
7: POP
8: PUSHWORD 6
9: PUSHLIT EQ
10: 8 (0x0008)

I didn't really dig into it much to understand the code, like I did for tcpdump -d here.

By default snoop will capture the whole packet unless you specify the snap length with -s (same as tcpdump). There's a very good tip on using the -s option in the man page which I would like to show here, as it can be useful for tcpdump users too -

-s snaplen

Truncate each packet after snaplen bytes. Usually the whole packet
is captured. This option is useful if only certain packet header
information is required. The packet truncation is done within the
kernel giving better utilization of the streams packet buffer. This
means less chance of dropped packets due to buffer overflow during
periods of high traffic. It also saves disk space when capturing
large traces to a capture file. To capture only IP headers (no
options) use a snaplen of 34. For UDP use 42, and for TCP use 54.
You can capture RPC headers with a snaplen of 80 bytes. NFS headers
can be captured in 120 bytes.

That's really neat -

- Ethernet Header (14) + IP Header without options (20) = 34

- Ethernet Header (14) + IP Header without options (20) + UDP Header (8) = 42

- Ethernet Header (14) + IP Header without options (20) + TCP Header without options (20) = 54

To make sure we are only capturing IP headers without options, we can also make use of a filter such as -

ip[0] & 0x0F = 5

The netstat -i output tells me I can log via my network interface ae0; here's what I do with snoop to log the network packets to a file -

shell>sudo snoop -q -r -d ae0 -o testing.snp

By default it will print the count of packets seen by your network interface; with -q (quiet mode) it won't. You can also specify -D in case you want to monitor the count of packets dropped during the capture period, which is extremely useful to make sure you don't miss any packets. The -r option is just like -n in tcpdump, to avoid address resolution, while the -o option writes the output to a file, just like -w in tcpdump.

After logging to the file, I check the file format -

shell>file testing.snp
testing.snp: Snoop capture file - version 2 (Ethernet)
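The "version 2" that file(1) reports is the snoop capture format from RFC 1761: an 8-byte "snoop" magic, a version and datalink word, then one record per packet with original length, included length, record length, a cumulative drop counter (the same number -D reports), a timestamp and the frame, padded to a 4-byte boundary. The Python below is an added example, not code from the post or from Sun: it writes a constructed capture, reads it back, and for each Ethernet/IPv4 frame works out how many bytes a -s snaplen must keep to hold the Ethernet, IP and L4 headers, which reproduces the 34/42/54 arithmetic above but reads the real IHL (the same nibble the filter ip[0] & 0x0F = 5 tests) and the TCP data offset, so options make the number grow instead of being silently cut off. The frames and the drop counts are constructed for the test.

```python
import struct

SNOOP_MAGIC = b"snoop\x00\x00\x00"   # RFC 1761 identification pattern
SNOOP_VERSION = 2                     # what file(1) shows as "version 2"
DL_ETHERNET = 4                       # RFC 1761 datalink type code for Ethernet


def build_snoop(frames, drops_per_frame):
    """Build a constructed snoop file from raw Ethernet frames (test data, not a real capture)."""
    out = bytearray(SNOOP_MAGIC + struct.pack(">II", SNOOP_VERSION, DL_ETHERNET))
    drops = 0
    for i, frame in enumerate(frames):
        drops += drops_per_frame[i]              # the file stores a cumulative drop count
        pad = (-len(frame)) % 4                  # records are padded to 4-byte boundaries
        rec_len = 24 + len(frame) + pad
        out += struct.pack(">IIIIII", len(frame), len(frame), rec_len, drops, 1195000000 + i, 0)
        out += frame + b"\x00" * pad
    return bytes(out)


def parse_snoop(data):
    """Parse an RFC 1761 snoop file into (datalink type, list of packet records)."""
    if data[:8] != SNOOP_MAGIC:
        raise ValueError("not a snoop capture file")
    version, datalink = struct.unpack(">II", data[8:16])
    if version != SNOOP_VERSION:
        raise ValueError("unsupported snoop version %d" % version)
    records, off = [], 16
    while off + 24 <= len(data):
        orig_len, incl_len, rec_len, drops, sec, usec = struct.unpack(">IIIIII", data[off:off + 24])
        records.append({"orig_len": orig_len, "drops": drops, "time": sec + usec / 1e6,
                        "frame": data[off + 24:off + 24 + incl_len]})
        off += rec_len
    return datalink, records


def min_snaplen(frame):
    """(bytes needed for Ethernet + IP + L4 headers, whether IP options are present)."""
    if frame[12:14] != b"\x08\x00":               # not IPv4: nothing to say
        return None, False
    ihl = (frame[14] & 0x0F) * 4                   # header length in bytes, 20 without options
    proto = frame[23]                              # IP protocol byte
    l4 = 14 + ihl
    if proto == 6:                                 # TCP: data offset is the upper nibble of byte 12
        l4_len = (frame[l4 + 12] >> 4) * 4
    elif proto == 17:                              # UDP header is always 8 bytes
        l4_len = 8
    else:
        l4_len = 0                                 # only count the IP header for other protocols
    return 14 + ihl + l4_len, ihl != 20


def make_frame(proto, ihl_words=5, tcp_doff=5):
    """Constructed Ethernet/IPv4 frame with the given header lengths (payload omitted)."""
    eth = b"\x00\x50\x56\xf8\x6c\x66" + b"\x00\x0c\x29\x99\x4f\x2b" + b"\x08\x00"
    ip = bytes([0x40 | ihl_words, 0x00]) + b"\x00\x28\x8e\x9d\x40\x00\xff" + bytes([proto])
    ip += b"\x00\x00" + bytes([172, 16, 47, 133]) + bytes([172, 16, 47, 2])
    ip += b"\x00" * (4 * (ihl_words - 5))         # zero-filled IP options, if any
    if proto == 6:
        l4 = b"\x00\x35\x80\x00" + b"\x00" * 8 + bytes([tcp_doff << 4, 0x02]) + b"\x00" * 6
        l4 += b"\x00" * (4 * (tcp_doff - 5))      # zero-filled TCP options, if any
    elif proto == 17:
        l4 = b"\x00\x35\x80\x00\x00\x08\x00\x00"
    else:
        l4 = b"\x08\x00\x00\x00\x00\x00\x00\x00"  # ICMP echo request header
    return eth + ip + l4


def capture_report(data):
    """Per-packet (min_snaplen, has_ip_options) plus the final cumulative drop counter."""
    _, records = parse_snoop(data)
    rows = [min_snaplen(r["frame"]) for r in records]
    return rows, (records[-1]["drops"] if records else 0)


SAMPLE_CAPTURE = build_snoop(
    [make_frame(17), make_frame(6), make_frame(6, ihl_words=6, tcp_doff=8), make_frame(1)],
    drops_per_frame=[0, 0, 3, 0])

if __name__ == "__main__":
    rows, drops = capture_report(SAMPLE_CAPTURE)
    for i, (snap, opts) in enumerate(rows, 1):
        print("packet %d: keep %s bytes%s" % (i, snap, " (IP options present)" if opts else ""))
    print("packets dropped by the kernel during capture:", drops)
```

For the four constructed frames the report gives 42 (UDP), 54 (TCP), 70 (TCP with 4 bytes of IP options and 12 bytes of TCP options) and 34 (ICMP, IP header only), and a drop counter of 3 from the last record. The same function over a real testing.snp tells you whether a snaplen of 54 would have truncated any TCP options in that capture.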

You can read it with -

shell>snoop -t a -r -i testing.snp
1 0.00000 172.16.47.133 -> 172.16.47.2 DNS C _nfsv4idmapdomain.localdomain. Internet TXT ?
2 0.06758 172.16.47.2 -> 172.16.47.133 DNS R Error: 3(Name Error)
3 0.00047 172.16.47.133 -> 172.16.47.2 DNS C _nfsv4idmapdomain. Internet TXT ?

I like -t a, which prints the absolute time, similar to tcpdump -tttt. The -i option is just like the -r option in tcpdump, to read the packet dump. You may notice the number of each packet shown in the snoop output too, and you can jump to a certain packet with the -p option. For example -

shell>snoop -t a -r -p 2 -i testing.snp
2 11:44:3.12067 172.16.47.2 -> 172.16.47.133 DNS R Error: 3(Name Error)

Or you can specify a range; to jump to the packets within the 10-20 range, just specify -p 10,20.

You can also print a summary line with the -V option, which summarizes the packet in human readable output -

shell>sudo snoop -t a -d ae0 -V

Using device ae0 (promiscuous mode)
________________________________
10:44:44.86678 nexenta -> 192.168.1.124 ETHER Type=0800 (IP), size=98 bytes
10:44:44.86678 nexenta -> 192.168.1.124 IP D=192.168.1.124 S=172.16.47.133 LEN=84, ID=24675, TOS=0x0, TTL=255
10:44:44.86678 nexenta -> 192.168.1.124 ICMP Echo request (ID: 8040 Sequence number: 0)
________________________________
10:44:44.86682 192.168.1.124 -> nexenta ETHER Type=0800 (IP), size=98 bytes
10:44:44.86682 192.168.1.124 -> nexenta IP D=172.16.47.133 S=192.168.1.124 LEN=84, ID=11586, TOS=0x0, TTL=128
10:44:44.86682 192.168.1.124 -> nexenta ICMP Echo reply (ID: 8040 Sequence number: 0)

If you want the packet printed in side by side hexadecimal and ascii output, like -XX in tcpdump, you just need to specify -x 0 in snoop. Here's an example command you can use -

shell>snoop -x 0 -t a -r -i testing.snp
15 11:01:37.34663 172.16.47.133 -> 172.16.47.2 ICMP Destination unreachable (UDP port 34901 unreachable)

0: 0050 56f8 6c66 000c 2999 4f2b 0800 4500 .PV.lf..).O+..E.
16: 0070 8e9d 4000 ff01 3647 ac10 2f85 ac10 .p..@...6G../...
32: 2f02 0303 0c7b 0000 0000 4500 00af 2f13 /....{....E.../.
48: 0000 8011 5483 ac10 2f02 ac10 2f85 0035 ....T.../.../..5
64: 8855 009b 69cb fb53 8180 0001 0001 0002 .U..i..S........
80: 0002 0231 3202 3432 0237 3503 3230 3207 ...12.42.75.202.
96: 696e 2d61 6464 7204 6172 7061 0000 0c00 in-addr.arpa....
112: 01c0 0c00 0c00 0100 000b ff00 1807 ..............


If you want the output to look like tshark, which prints each protocol header in detail, you can use -v. The example output for a single packet is shown below -

shell>snoop -v -t a -r -i testing.snp
ETHER: ----- Ether Header -----
ETHER:
ETHER: Packet 1 arrived at 11:01:25.14378
ETHER: Packet size = 98 bytes
ETHER: Destination = 0:50:56:f8:6c:66,
ETHER: Source = 0:c:29:99:4f:2b,
ETHER: Ethertype = 0800 (IP)
ETHER:
IP: ----- IP Header -----
IP:
IP: Version = 4
IP: Header length = 20 bytes
IP: Type of service = 0x00
IP: xxx. .... = 0 (precedence)
IP: ...0 .... = normal delay
IP: .... 0... = normal throughput
IP: .... .0.. = normal reliability
IP: .... ..0. = not ECN capable transport
IP: .... ...0 = no ECN congestion experienced
IP: Total length = 84 bytes
IP: Identification = 36451
IP: Flags = 0x0
IP: .0.. .... = may fragment
IP: ..0. .... = last fragment
IP: Fragment offset = 0 bytes
IP: Time to live = 255 seconds/hops
IP: Protocol = 1 (ICMP)
IP: Header checksum = 5d58
IP: Source address = 172.16.47.133, 172.16.47.133
IP: Destination address = 202.75.42.12, 202.75.42.12
IP: No options
IP:
ICMP: ----- ICMP Header -----
ICMP:
ICMP: Type = 8 (Echo request)
ICMP: Code = 0 (ID: 8122 Sequence number: 0)
ICMP: Checksum = 3bf2
ICMP:

I think that's all for the snoopy dog. In fact this post is more about tcpdump vs snoop, but I think both are great, so no fight between them. If any of you have better knowledge of using snoop, please do share, as I still consider myself a newbie in utilizing it practically.

Enjoy (;])

Sunday, November 18, 2007

Regular Expressions: Another good resource

This is a great reference for people who want to learn about regular expressions, feel free to check it out -

http://www.ilovejackdaniels.com/cheat-sheets/regular-expressions-cheat-sheet/

Thanks to Dave, who created the regex cheat sheet with straightforward explanations.

Cheers ;]


Packets -> Flows -> CSV -> Graph

The Comma-Separated Values (CSV) file format is widely used and can easily be parsed by lots of graphing tools. Here's a simple trick to generate CSV data from a packet dump (pcap) with the use of the upcoming argus 3 and a pipe.

Say I downloaded the slammer.pcap that is available at the wireshark sample capture wiki -

http://wiki.wireshark.org/SampleCaptures

shell>argus -w - -r slammer.pcap | \
ra -nnr - -c ',' -s saddr daddr dport - ip

213.76.212.22,65.165.167.86,1434

There's only one flow, but you get the idea of how to generate CSV output from a packet dump (pcap). The next thing to do is to generate the graph; I won't show it here, but you are free to use any application such as OpenOffice Spreadsheet, afterglow, etc. for that purpose.

The good thing about argus is that it provides a wide range of useful flow metrics, so you can actually generate a rich set of data for graphing purposes.
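Between the ra output and the graphing tool there is usually one aggregation step, and that is where the security signal appears. The Python below is an added example, not part of the post or of argus: it reads CSV lines in the saddr,daddr,dport shape the ra command above produces, counts flows per destination port, and computes the fan-out (distinct destinations per source), which is the metric that makes a scanning worm like slammer stand out on a graph. It then writes the summaries back out as CSV for a spreadsheet or afterglow. The first sample line is the real flow from the post; the remaining lines are constructed.

```python
import csv
from collections import Counter, defaultdict
from io import StringIO

# Constructed flow records in the shape produced by
#   ra -nnr - -c ',' -s saddr daddr dport - ip
# The first line is the one real flow from the post; the rest are made up.
SAMPLE_CSV = """\
213.76.212.22,65.165.167.86,1434
213.76.212.22,65.165.167.87,1434
213.76.212.22,10.0.0.5,1434
10.0.0.9,10.0.0.5,80
10.0.0.9,10.0.0.5,443
10.0.0.11,10.0.0.5,80
"""

FIELDS = ("saddr", "daddr", "dport")   # must match the -s field list given to ra


def read_flows(text):
    """Parse ra's CSV output into a list of dicts keyed by the -s field names."""
    return [dict(zip(FIELDS, row)) for row in csv.reader(StringIO(text)) if row]


def flows_per_dport(flows):
    """Flow count per destination port: the input for a simple bar chart."""
    return Counter(f["dport"] for f in flows)


def fan_out(flows):
    """Distinct destination hosts contacted by each source address.

    One source touching many destinations on the same port is the scan/worm
    pattern; a client talking to a handful of servers has a low fan-out.
    """
    targets = defaultdict(set)
    for f in flows:
        targets[f["saddr"]].add(f["daddr"])
    return {src: len(dsts) for src, dsts in targets.items()}


def to_csv(counts, header):
    """Render a {key: count} mapping as CSV, biggest counts first, for the graphing tool."""
    out = StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(header)
    for key, value in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])):
        writer.writerow([key, value])
    return out.getvalue()


if __name__ == "__main__":
    flows = read_flows(SAMPLE_CSV)
    print(to_csv(flows_per_dport(flows), ["dport", "flows"]))
    print(to_csv(fan_out(flows), ["saddr", "distinct_daddr"]))
```

With a real capture you would pipe the ra output into this script instead of embedding it; adding more fields to -s (bytes, packets, duration) only requires extending FIELDS in the same order.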

Enjoy (;])

Hub Seeker

Yeah, I'm looking for an ethernet hub. It is pretty hard to find a network hub in Malaysia now, and I know there are many companies that just throw them away or put their old network hubs in the store room to collect dust, because network switches are cheap and better and network hubs are obsolete from their point of view.

This is not a joke: if your company has unused network hubs lying around producing no value at all, I would like to give them life in my research lab, especially if you are a local company, since shipping is really expensive.

If you feel that you can help me, drop me an email. Thanks!

Cheers ;]

InfoSec Technical Forum

CyberSecurity Malaysia (previously known as MyCERT/NISER) will organize the event; you can find the details at -

http://www.cybersecurity.org.my/infosec-my/itinenary.html

The topics sound interesting, but I'm not too sure whether it is more business or technical oriented. As far as I know Malaysia used to have technical events, but they are business oriented most of the time, which I avoid participating in.

Anyway I might be going there to meet my friends.

Peace ;]

Ubuntu: msttcorefonts problem fixed

This is just for my own notes, as I had a problem installing msttcorefonts on Ubuntu Linux, but anyway it is fixed. The problem was due to a wrong setting in the proxy, which you can find under System -> Preferences -> Network Proxy. If you encounter a similar problem when installing other stuff, this post may give a hint on how to fix it as well. I have been lazy to post this up, but anyway here you go -

I encountered the problem below when installing msttcorefonts, and I tried various ways to fix it (e.g. remove or fix with the dpkg tool) but no luck. Here's the error I got when I was trying apt-get remove --purge msttcorefonts -

Blablabla .....
dpkg: error processing msttcorefonts (--purge):
subprocess pre-removal script returned error exit status 1

These fonts were provided by Microsoft "in the interest of cross-
platform compatibility". This is no longer the case, but they are
still available from third parties.

You are free to download these fonts and use them for your own use,
but you may not redistribute them in modified form, including changes
to the file name or packaging format.

Error parsing proxy URL http://:8080/: Invalid host name.
Error parsing proxy URL http://:8080/: Invalid host name.
Error parsing proxy URL http://:8080/: Invalid host name.
Error parsing proxy URL http://:8080/: Invalid host name.
Error parsing proxy URL http://:8080/: Invalid host name.
Error parsing proxy URL http://:8080/: Invalid host name.
Error parsing proxy URL http://:8080/: Invalid host name.
Error parsing proxy URL http://:8080/: Invalid host name.
Error parsing proxy URL http://:8080/: Invalid host name.
Error parsing proxy URL http://:8080/: Invalid host name.
Error parsing proxy URL http://:8080/: Invalid host name.
Error parsing proxy URL http://:8080/: Invalid host name.
Error parsing proxy URL http://:8080/: Invalid host name.
andale32.exe: No such file or directory

All done, errors in processing 1 file(s)
dpkg: error while cleaning up:
subprocess post-installation script returned error exit status 1
Errors were encountered while processing:
msttcorefonts
E: Sub-process /usr/bin/dpkg returned an error code (1)

I tried to search the Ubuntu forums but no luck, and finally I figured out I could fix it by commenting out these two lines in /var/lib/dpkg/info/msttcorefonts.postinst -

# db_get msttcorefonts/http_proxy
# http_proxy=$RET

Now I can do

shell>sudo apt-get remove --purge msttcorefonts

Problem fixed. Now you need to get your proxy setting right, or just remove it to use a direct connection, and reinstall msttcorefonts.

Cheers ;]

Thursday, November 15, 2007

MyOSS November Meetup

After an idle period, MyOSS Meetup is rebooted on 22nd November. chfl4gs_ and I will represent the HeX development team and give a talk about our Open Source project titled "HeX liveCD Development & Showcase". More information about the meetup can be found here.

For your information, MyOSS Meetup is the local monthly FOSS event, so feel free to join us!

Enjoy ;]

Wednesday, November 14, 2007

MyOSS: Basketball


It's been a long time since I played basketball, and now we are going to have a basketball game tomorrow, November 15th. All myossers are welcome to join us! The details of the event can be found in the link below -

http://foss.org.my/projects/recreation/basketball-november-2007

Enjoy ;]

Monday, November 12, 2007

This site is dead forever?


If you can't even protect the little site, how can you protect your people?

Big disappointment!

Peace ;]

Sunday, November 11, 2007

HeX &

Yes, I'm not familiar with silktools, but I added it to the HeX liveCD. The reason is that silktools comes with very comprehensive documentation and I believe I might try it out someday. I know some of you may find the silktools toolset missing from the HeX menu; that's because I don't really use it practically and I'm not too sure about its placement in the menu.

Anyway I just figured out that some of the applications bundled with silktools (such as rwptoflow) are broken due to the absence of the lzo2 library, so I think we need to fix this.

On the other hand, thanks to the report from dakrone, chfl4gs_ has fixed the dual display devices problem so that X is probed properly.

A couple of minor changes: the font setting for the sguil client is now predefined, so you won't get the ugly font any more, and we have also set Mozilla Firefox as the default browser without requiring any user interaction. Thanks to Victorj for this.

We are not going to release anything yet, as we are still waiting for more bug reports, so feel free to send them in. By the way, if you have any opinion or suggestion for HeX liveCD development, you are welcome, as we are moving to HeX 2.0 development soon.

Anyway, I'm pretty glad for the progress of HeX so far and some other projects undergoing .....

Enjoy (;])

OpenBSD 4.2: Sguil Setup

Just in case you haven't noticed, my friend nikns has updated the NSM wiki about the Sguil setup on OpenBSD 4.2. Good job nikns; I will use the guide to build the virtual appliance. By the way, I'm really looking forward to the upcoming Sguil 0.7. Here's the link -

http://www.vorant.com/nsmwiki/Setup_a_Sguil_framework_using_ports_under_OpenBSD


Enjoy ;]

Friday, November 09, 2007

Ubuntu: Qemulator

Last time when I used qemu on FreeBSD, I used the GUI frontend for qemu called qemu launcher; however, it turned out that qemu launcher is not good enough in my point of view, and I have found another GUI frontend for qemu in the Ubuntu software repo which is called Qemulator. Let's check it out -

For whoever is allergic to the command line interface or doesn't know how to read a man page, you can launch qemulator and configure everything you need in the graphical environment. After that, you can right click on any virtual machine you have set up in the My Machines tab and choose Show Commandline, which looks exactly like the screenshot above. To tune the settings of each virtual machine, click on the show settings button down there.

Once you click on the show settings button, you get many sub tabs for configuring almost everything, such as the boot options, emulated hardware, networking and so forth. It shouldn't be hard to configure with all those options available; you just need to point and click.

Here you can see I clicked on User mode in the Network tab; you can also change the Hostname in the same tab if you want.

In the Main tab, I chose cdrom as the first boot option, because I plan to boot up my HeX liveCD for packetysis (don't mind my own word). Now everything is set up, just click on the green button with the arrow.

Here you go, the shiny HeX booting up. Maybe I should change that daemon to a monkey someday.

Cheers ;]

Thursday, November 08, 2007

Happy Deepavali

To all my friends especially those in #myoss and Mr. Saravanan, Happy Deepavali!

To find out what Deepavali is about, read this.

Enjoy ;]

Monday, November 05, 2007

NexentaOS: Gnu OpenSolaris

I'm not a big fan of Sun Solaris, but I wouldn't mind giving it a try again after Solaris 9. Thanks to Sun for making OpenSolaris available (I know this is nothing new); I chose to try out NexentaOS, which you can find here -

http://www.gnusolaris.org/gswiki/Nexenta_OS

You are required to register before downloading the installation iso; I quickly completed the registration and jumped to the download section, and thanks to a fast internet connection I was able to download it within 20 minutes.

Surprisingly, it is pretty easy to get the NexentaOS desktop installed; GNOME appears to be the default desktop of choice. Interestingly, NexentaOS is not using the standard Sun Solaris package management tools but the Debian apt style of software management. You can find the apt repositories for NexentaOS at -

http://www.gnusolaris.org/gswiki/APTMirrors

Just add any of them to /etc/apt/sources.list and run sudo apt-get update, and that will do; Debian/Ubuntu users will find this familiar. So far I haven't really looked at the exciting features such as dtrace and zfs in NexentaOS, though I have FreeBSD 7.0 Beta 1.5 installed for zfs testing; I'm looking forward to trying them out when I have time.

Anyway, here's the screenie of NexentaOS; it looks pretty Ubuntu-ish -


Oops, I may need to try out the Solaris default sniffer too - the snoopy dog!

Cheers ;]

OpenBSD 4.2: ISO Ready

Don't be confused, I'm not distributing any unofficial OpenBSD iso, and I don't need to!

I used to create the OpenBSD iso myself because there was no official iso from the OpenBSD team; you can find how I did it here. But with the arrival of OpenBSD 4.2, you no longer need to use mkisofs or mkhybrid to create the iso from the files you download from any of the OpenBSD download mirrors. I was stupid enough to download everything from here -

ftp://ftp.openbsd.org/pub/OpenBSD/4.2/i386

I couldn't find cdrom42.fs in this release, so I can't create my own iso. In fact, what you actually need now is install42.iso; just burn it to a CD and you are ready to install OpenBSD 4.2.
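Before burning an image pulled from a mirror, checking it against the checksum list in the same directory catches a truncated or altered download. The following is an added example of such a check, not code from the OpenBSD project or from this post; it assumes a checksum list in the BSD "SHA256 (file) = hex" layout (the post does not say which checksum files the 4.2 directory carries), and the stand-in files and digests it builds in setup_demo are constructed.

```shell
#!/bin/sh
# Added example, not from the OpenBSD project: verify a downloaded install
# image against a checksum list before burning it. Assumes the list uses
# the BSD "SHA256 (file) = hex" layout.

# sha256_of FILE: print the hex SHA-256 of FILE using whichever tool exists
# (sha256sum on Linux, shasum on BSD/macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# expected_sha256 LIST NAME: print the digest recorded for NAME in LIST,
# or nothing if NAME has no entry.
expected_sha256() {
    awk -v name="$2" '$1 == "SHA256" && $2 == "(" name ")" { print $4 }' "$1"
}

# verify_image IMAGE LIST: 0 if IMAGE matches its entry, 1 on mismatch,
# 2 when LIST has no entry for it (an unlisted file is not "verified").
verify_image() {
    name=$(basename "$1")
    want=$(expected_sha256 "$2" "$name")
    if [ -z "$want" ]; then
        echo "no entry for $name in $2" >&2
        return 2
    fi
    have=$(sha256_of "$1")
    if [ "$have" = "$want" ]; then
        echo "OK: $name"
        return 0
    fi
    echo "MISMATCH: $name (got $have, expected $want)" >&2
    return 1
}

# setup_demo: build a constructed download directory (tiny stand-in files,
# not real images) and print its path. The listed digest is the SHA-256 of
# the six bytes "hello\n"; tampered.iso is listed with that digest but has
# different content, and unlisted.iso has no entry at all.
setup_demo() {
    d=$(mktemp -d)
    printf 'hello\n' > "$d/install42.iso"
    printf 'hellp\n' > "$d/tampered.iso"
    printf 'x\n' > "$d/unlisted.iso"
    cat > "$d/SHA256" <<EOF
SHA256 (install42.iso) = 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
SHA256 (tampered.iso) = 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
EOF
    echo "$d"
}

# Usage: ./verify-iso.sh install42.iso SHA256
if [ "$#" -eq 2 ]; then
    verify_image "$1" "$2"
fi
```

The three distinct exit codes matter: a script that treats "no entry in the list" the same as "matches" would happily pass a file that was never covered by the checksum list in the first place.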

It's time to install the fresh puffy!

Enjoy ;]

Sunday, November 04, 2007

OpenBSD 4.2 Release


Yes, this is another big release of OpenBSD; kudos to the OpenBSD team again for making this happen. You can find the release information at -

http://openbsd.org/42.html


Side note: maybe it's time to create another sguil virtual appliance based on OpenBSD 4.2; let's see.

Enjoy ;]

Friday, November 02, 2007

Russ Toolsmith

Russ McRee has published the article "Auditing Network Activity Using Argus" for the toolsmith column in the November ISSA Journal; you can grab the article at -

http://holisticinfosec.org/toolsmith/docs/november2007.pdf

Thanks for the acknowledgment from Russ, especially as he has also mentioned the HeX liveCD and the argus paper that I have written. He has also mentioned the NSM wiki, which you shouldn't miss if you are an NSM practitioner.

NSM is getting hot!!!!!

Cheers ;]