Wednesday, February 21, 2007

Applications Font

When I first installed ktorrent and keepassx on my laptop, the fonts seemed very small. I tried to figure out where to change the font but was unable to find any solid solution except this -

http://www.digikam.org/?q=node/160

However, once I had changed the font type and size using kcontrol, the change only applied to ktorrent; keepassx was still using a very small font that hurts my eyes. Since most KDE-based apps are written with the Qt toolkit, I decided to type qt at the shell and hit tab to see if any application was available to change Qt settings. I found there is qtconfig and decided to run it -

shell>qtconfig


In fact qtconfig is the GUI configuration tool for Qt. I changed the font type and size again, and on running keepassx again the font had changed according to the configuration I applied. I'm not a KDE user, but since I use some KDE-based applications I think this is a good trick to share. For users who want to change their GTK application attributes, you can try out gtk-chtheme.

Peace ;]

Gentoo Truecrypt

I would like to encrypt my usb pen drive, not because I'm paranoid but because a usb pen drive is small and it is very easy to forget to bring it along somewhere and lose it. I decided to use truecrypt so that it is accessible on both Windows and Unix platforms. In fact getting truecrypt to work on Gentoo is pretty straightforward.

Installing truecrypt -

shell>emerge -v truecrypt


Load it as kernel module at boot -

shell>echo "truecrypt" | sudo tee -a /etc/modules.autoload.d/kernel-2.6

shell>sudo modprobe truecrypt

When I plugged in my usb pen drive, I checked the dmesg output -

usb 1-3: new high speed USB device using ehci_hcd and address 5
usb 1-3: configuration #1 chosen from 1 choice
scsi2 : SCSI emulation for USB Mass Storage devices
usb-storage: device found at 5
usb-storage: waiting for device to settle before scanning
scsi 2:0:0:0: Direct-Access USB DISK Pro PMAP PQ: 0 ANSI: 0 CCS
SCSI device sdb: 4012032 512-byte hdwr sectors (2054 MB)
sdb: Write Protect is off
sdb: Mode Sense: 23 00 00 00
sdb: assuming drive cache: write through
SCSI device sdb: 4012032 512-byte hdwr sectors (2054 MB)
sdb: Write Protect is off
sdb: Mode Sense: 23 00 00 00
sdb: assuming drive cache: write through
sdb: sdb1
sd 2:0:0:0: Attached scsi removable disk sdb
sd 2:0:0:0: Attached scsi generic sg1 type 0
usb-storage: device scan complete

Creating truecrypt volume for the whole usb pen drive -

shell>sudo truecrypt --type normal -c /dev/sdb1
Filesystem:
1) FAT
2) None
Select [1]:

Hash algorithm:
1) RIPEMD-160
2) SHA-1
3) Whirlpool
Select [1]:

Encryption algorithm:
1) AES
2) Blowfish
3) CAST5
4) Serpent
5) Triple DES
6) Twofish
7) AES-Twofish
8) AES-Twofish-Serpent
9) Serpent-AES
10) Serpent-Twofish-AES
11) Twofish-Serpent
Select [1]: Blowfish

Enter password for new volume '/dev/sdb1':
Re-enter password:
Passwords do not match.

Enter password for new volume '/dev/sdb1':
Re-enter password:
Enter keyfile path [none]:

TrueCrypt will now collect random data.

Is your mouse connected directly to computer where TrueCrypt is running? [Y/n]: Y

Please move the mouse randomly until the required amount of data is captured...
Mouse data captured: 100%

Done: 1957.09 MB Speed: 3.27 MB/s Left: 0:00:00
Volume created.

Or you can just run this command to create the volume without interaction, choose the encryption method you want to use -

shell>sudo truecrypt --type normal --encryption Blowfish --hash RIPEMD-160 --filesystem FAT -c /dev/sdb1

After you have created the truecrypt volume, unmount all mapped truecrypt volumes and mount it to the directory you want -

shell>sudo truecrypt -d

shell>sudo mkdir /mnt/tc-usbmini

shell>sudo truecrypt -u /dev/sdb1 /mnt/tc-usbmini


Done. Now the data on the usb drive won't be revealed to average people who have taken or stolen it.

Enjoy (;])

Sunday, February 18, 2007

Decoding JS

I haven't done anything on decoding JavaScript heavily yet, and this link appears to be very interesting and helpful to me.

http://isc.sans.org/diary.html?storyid=2268


If anyone knows other methods, it would be good to share them out loud.

Cheers ;]

Gentoo: Mounting UFS2

The other day I had a problem mounting my USB pendrive and had no time to check and fix it. I decided to take a look today. I plugged in my new USB pendrive and ran dmesg -

usb 1-3: new high speed USB device using ehci_hcd and address 4
usb 1-3: configuration #1 chosen from 1 choice
scsi2 : SCSI emulation for USB Mass Storage devices
usb-storage: device found at 4
usb-storage: waiting for device to settle before scanning
scsi 2:0:0:0: Direct-Access USB DISK Pro PMAP PQ: 0 ANSI: 0 CCS
SCSI device sdb: 4012032 512-byte hdwr sectors (2054 MB)
sdb: Write Protect is off
sdb: Mode Sense: 23 00 00 00
sdb: assuming drive cache: write through
SCSI device sdb: 4012032 512-byte hdwr sectors (2054 MB)
sdb: Write Protect is off
sdb: Mode Sense: 23 00 00 00
sdb: assuming drive cache: write through
sdb: sdb1
sd 2:0:0:0: Attached scsi removable disk sdb
sd 2:0:0:0: Attached scsi generic sg1 type 0
usb-storage: device scan complete
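Both the truecrypt post above and this one start by reading dmesg to find out which device node the pen drive got, and the truecrypt step that follows (`truecrypt -c /dev/sdb1`) overwrites whatever partition it is pointed at, so getting the node right is the one check that matters. The following parser is an added example, not code from the post: it reads the kernel's `SCSI device ...`, `Write Protect`, partition and `Attached scsi ... disk` lines into a small record per disk and lists the partitions that sit on a removable, writable disk. The sample dmesg text is constructed from the output shown above; the function names are mine.

```python
import re

# Constructed sample, modelled on the dmesg output shown in the post above.
SAMPLE_DMESG = """\
usb 1-3: new high speed USB device using ehci_hcd and address 4
usb 1-3: configuration #1 chosen from 1 choice
scsi2 : SCSI emulation for USB Mass Storage devices
usb-storage: device found at 4
usb-storage: waiting for device to settle before scanning
scsi 2:0:0:0: Direct-Access USB DISK Pro PMAP PQ: 0 ANSI: 0 CCS
SCSI device sdb: 4012032 512-byte hdwr sectors (2054 MB)
sdb: Write Protect is off
sdb: Mode Sense: 23 00 00 00
sdb: assuming drive cache: write through
sdb: sdb1
sd 2:0:0:0: Attached scsi removable disk sdb
sd 2:0:0:0: Attached scsi generic sg1 type 0
usb-storage: device scan complete
"""

# One regex per message type the kernel's sd driver prints for a new disk.
DEVICE_RE = re.compile(r"^SCSI device (sd[a-z]+): (\d+) (\d+)-byte hdwr sectors")
WP_RE = re.compile(r"^(sd[a-z]+): Write Protect is (on|off)$")
PART_RE = re.compile(r"^(sd[a-z]+):((?: \1\d+)+)$")          # "sdb: sdb1 sdb2"
ATTACH_RE = re.compile(r"^sd \S+: Attached scsi (removable )?disk (sd[a-z]+)$")


def _disk(disks, name):
    """Get or create the record for one whole-disk node such as 'sdb'."""
    return disks.setdefault(name, {
        "name": name, "sectors": None, "sector_bytes": None, "size_mb": None,
        "write_protect": None, "partitions": [], "removable": None,
    })


def parse_dmesg_disks(text):
    """Return {'sdb': {...}, ...} describing every SCSI disk announced in text."""
    disks = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = DEVICE_RE.match(line)
        if m:
            d = _disk(disks, m.group(1))
            d["sectors"], d["sector_bytes"] = int(m.group(2)), int(m.group(3))
            # The kernel's "(2054 MB)" figure is decimal megabytes, truncated.
            d["size_mb"] = d["sectors"] * d["sector_bytes"] // 1_000_000
            continue
        m = WP_RE.match(line)
        if m:
            _disk(disks, m.group(1))["write_protect"] = (m.group(2) == "on")
            continue
        m = PART_RE.match(line)
        if m:
            _disk(disks, m.group(1))["partitions"] = m.group(2).split()
            continue
        m = ATTACH_RE.match(line)
        if m:
            _disk(disks, m.group(2))["removable"] = m.group(1) is not None
    return disks


def removable_partitions(text):
    """Device nodes on removable, writable disks: the only sane targets for a
    whole-partition 'truecrypt -c', which destroys whatever is on them."""
    nodes = []
    for d in parse_dmesg_disks(text).values():
        if d["removable"] and d["write_protect"] is False:
            nodes.extend("/dev/" + p for p in d["partitions"])
    return nodes


if __name__ == "__main__":
    for d in parse_dmesg_disks(SAMPLE_DMESG).values():
        print(d)
    print("candidates:", removable_partitions(SAMPLE_DMESG))
```

On a live box the text would come from `dmesg` (or `dmesg | tail`) instead of the constructed sample; a fixed disk like sda never shows up in `removable_partitions`, because the kernel announces it with `Attached scsi disk` rather than `Attached scsi removable disk`.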

Since I have formatted it to UFS2 file system, I need to mount it with the command line below -

shell>mount -t ufs /dev/sdb1 /mnt/usbmini


It seems that I couldn't mount it properly; checking dmesg again, I got this -

ufs was compiled with read-only support, can't be mounted as read-write
You didn't specify the type of your ufs filesystem

mount -t ufs -o ufstype=sun|sunx86|44bsd|ufs2|5xbsd|old|hp|nextstep|nextstep-cd|openstep ...

>>>WARNING<<< Wrong ufstype may corrupt your filesystem, default is ufstype=old

So I specified the ufstype this time -

shell>mount -t ufs -o ufstype=ufs2 /dev/sdb1 /mnt/usbmini

It failed again and I got the dmesg below -

ufs_read_super: bad magic number
ufs was compiled with read-only support, can't be mounted as read-write

Thus I tried with -

shell>mount -t ufs -o ufstype=ufs2,ro /dev/sdb1 /mnt/usbmini


Now it can be mounted successfully, but read-only; however I want to be able to read and write the file system. The message says ufs was compiled with read-only support in the kernel, so what I can do now is check my kernel config -

shell>egrep -i 'ufs' /usr/src/linux-2.6.19-gentoo-r5/.config
CONFIG_UFS_FS=y
# CONFIG_UFS_FS_WRITE is not set
# CONFIG_UFS_DEBUG is not set


There it is, I just need to modify the value for CONFIG_UFS_FS_WRITE -

CONFIG_UFS_FS_WRITE=y
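The egrep above is the whole diagnosis: `CONFIG_UFS_FS=y` means the driver is built in, and `# CONFIG_UFS_FS_WRITE is not set` is exactly the case the kernel reports as "compiled with read-only support". The following is an added example, not code from the post, that parses a `.config` the way the kernel writes it (`CONFIG_X=y`, `CONFIG_X=m`, quoted strings, and the `# CONFIG_X is not set` comment form), tells you whether a ufs mount can be read-write, read-only or nothing at all, and flips the option the same way the post does by hand. The sample config is constructed from the three lines shown above plus a couple of unrelated options; the function names are mine.

```python
import re

# Constructed sample: the three lines egrep printed in the post, plus a few
# unrelated lines so the parser has to skip comments and other options.
SAMPLE_CONFIG = """\
#
# Automatically generated make config: don't edit
#
CONFIG_EXT3_FS=y
CONFIG_UFS_FS=y
# CONFIG_UFS_FS_WRITE is not set
# CONFIG_UFS_DEBUG is not set
CONFIG_NLS_DEFAULT="iso8859-1"
"""

SET_RE = re.compile(r"^(CONFIG_[A-Za-z0-9_]+)=(.*)$")
UNSET_RE = re.compile(r"^# (CONFIG_[A-Za-z0-9_]+) is not set$")


def parse_kconfig(text):
    """Map option name -> value ('y', 'm', a quoted string, ...) or None when
    the .config records it as 'is not set'. Other comment lines are ignored."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = SET_RE.match(line)
        if m:
            opts[m.group(1)] = m.group(2)
            continue
        m = UNSET_RE.match(line)
        if m:
            opts[m.group(1)] = None
    return opts


def ufs_mount_support(text, fs_opt="CONFIG_UFS_FS", write_opt="CONFIG_UFS_FS_WRITE"):
    """'rw', 'ro' or 'none': what a 'mount -t ufs' can hope for on this kernel.
    The driver may be built in ('y') or a module ('m'); the write option is a
    plain bool, so only 'y' counts."""
    opts = parse_kconfig(text)
    if opts.get(fs_opt) not in ("y", "m"):
        return "none"
    return "rw" if opts.get(write_opt) == "y" else "ro"


def set_option(text, name, value):
    """Return text with option `name` set to `value`, replacing either the
    'is not set' comment or an existing assignment; append it if absent."""
    lines = text.splitlines()
    target = f"{name}={value}"
    found = False
    for i, line in enumerate(lines):
        s = line.strip()
        if s == f"# {name} is not set" or s.startswith(f"{name}="):
            lines[i] = target
            found = True
    if not found:
        lines.append(target)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print("before:", ufs_mount_support(SAMPLE_CONFIG))
    fixed = set_option(SAMPLE_CONFIG, "CONFIG_UFS_FS_WRITE", "y")
    print("after: ", ufs_mount_support(fixed))
```

Feed it the real file (`/usr/src/linux/.config`) instead of the sample and the "before" answer is what the post's failed mount was telling you; the "after" answer only becomes true once the kernel has actually been rebuilt and booted, which is the step the post goes on to do.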

Recompiling the kernel can be done in a glance -

shell>make && make modules_install && make install

Reboot the Operating System and try again -

shell>mount -t ufs -o ufstype=ufs2 /dev/sdb1 /mnt/usbmini


Checking the mount status -

shell>mount | grep sdb1
/dev/sdb1 on /home/geek00l/mnt/usb-mini type ufs (rw,ufstype=ufs2)

Hopefully you have fun; actually I'm testing this in case I need to perform forensics on a BSD operating system.

Enjoy (;])

Saturday, February 17, 2007

Gentoo Openntpd Client Setup

I prefer to use OpenNTPD to synchronize my time; it is very easy to set up indeed. Here's how I got it to work in just a few steps.

Installing openntpd -

shell>emerge -v openntpd


Adding two lines to /etc/ntpd.conf -

shell>echo "server ntp.jaring.my" >> /etc/ntpd.conf


shell>echo "server ntp1b.jaring.my" >> /etc/ntpd.conf


Then just start it up -

shell>sudo /etc/init.d/ntpd start


Remember to change this entry in the file /etc/conf.d/clock from

CLOCK="UTC"

to

CLOCK="local"

Done. That's pretty quick, and normally you just need to change the ntp server to your preferred one.

Enjoy :]

Friday, February 16, 2007

Gentoo is NOW

I'm switching to Gentoo Linux, but only on my workstation (laptop). I had never thought that I would be using Gentoo, but things happened: I was unable to get FreeBSD 6.2 installed on my lappy, thus I'm switching to Linux; interestingly, I was unable to boot into Ubuntu as well when using the installation CD. After all that I decided to give Gentoo a try and the installation was done without much issue. It seems that Gentoo is very flexible and suits my needs. However I will still be using BSD for my router and server when possible. Here's my first screenshot of my Gentoo analyzt workstation.


Seriously I need to thank Mel because he has offered lots of help in the process of learning Gentoo. I'm very satisfied with this distro at the moment, and application maintenance can be done easily once one understands how Gentoo portage works. Switching from BSD to Linux now, I will start to test Linux L7-Filter, ipp2p, snort-inline and other network security applications.

Now I guess Red Devil, Puffy and Gentoo are meeting each other, what should I say?

~When BSD meets Linux~

Cheers ;]

Wednesday, February 14, 2007

Windows Vista?

I'm switching my laptop Operating System; yes, it's not Windows Vista anyway. However, here I would like to show you the upcoming greatest OS -

http://pacificprince.googlepages.com/

Please READ the description carefully!!!!!

With the specific hardware requirements, the most low end is great for -

Booting the Operating System, without running applications or games.

Do you call this GREAT?????

I've been idle for quite some time; I will be writing more posts when I have time. By the way, Happy Chinese New Year and Holidays to everyone around the world.

Enjoy :]

Tuesday, February 06, 2007

Sancp Insight

Security Analyst Network Connection Profiler (SANCP) is a network tool designed for network traffic profiling, trail auditing, and historical analysis, with the capability to collect statistical/flow/pcap data. For further information regarding sancp, check out its main site -

http://www.metre.net/sancp.html

Many of us never heard of Sancp until we came across Sguil, where Sancp is integrated to feed the flow/session data. I was also one of those until I found out that there are actually lots of interesting features and functions in Sancp.

Thanks to John Curry, who spared his precious time discussing sancp with me. The conversation went like an interview and gave some insights about sancp; I have permission to post it to my blog and share it with everyone -

geek00l> hey
jlcurry> hey geek00l I want to say thanks for your comment last week about graphviz
jlcurry> i've been playing around with connection stats
jlcurry> it's not really good for lots of connections - but works nice to show a snapshot of current activity
jlcurry> the images get pretty insanely large
geek00l> :)
geek00l> jlcurry, :)
jlcurry> anyway, I wasn't sure if you had worked with it in that way much
geek00l> jlcurry, actually i was playing a lot with sancp tuning
jlcurry> sweet
jlcurry> I'm gonna blog about what I do with it
geek00l> jlcurry, do u have rss
jlcurry> I have nothing yet
jlcurry> I'm going to setup a blogger.com account
geek00l> that's great
geek00l> jlcurry, i remember you said that sancp will see the first packet and putting the source ip as the host that starting the connection
geek00l> jlcurry, and in the sancp config, how to improve its direction sensitiveness
geek00l> jlcurry, i read the defining the services port
jlcurry> back
jlcurry> are those questions?
jlcurry> I hope things are working as I explained ;)
jlcurry> I believe you are referring to the 'know_ports' option
jlcurry> err 'known_ports'
* jlcurry goes to look it up
geek00l> yeah
geek00l> i'm referring to that
jlcurry> you can do something like: known_ports 6 8734, 22, 25, 80, 443, 53, 993, 933, 8734, 110
jlcurry> var tcp 6
jlcurry> known_ports tcp 8734, 22, 25, 80, 443, 53, 993, 933, 8734, 110
jlcurry> that is usually easier to read
geek00l> jlcurry, yes, but i wanna know how it improves the direction guessing
jlcurry> oh, well - in the case of UDP - it will swap the dest and source of the connection if the source port is in the known_ports 17 list
jlcurry> oh, well - in the case of TCP - it gets complicated
jlcurry> in the case of TCP - it will swap the dest and source of the connection if the source port is in the known_ports 6 list AND the first packet is NOT in the known_ports list.
jlcurry> basically when sancp is uncertain about the direction of a TCP connection, it consults the known_ports 6 list
geek00l> jlcurry, so if the port is defined in the known ports, so it won't be the one that starting the connection instead it is the one that receiving the packet first when sancp is uncertain about it?
jlcurry> sometime sancp gets a TCP packet mid-session- if it happens to come from the destination - since this is the first packet sancp sees, it will assume it is from the source
jlcurry> in such a case, no tcpflags are present that can help deduce the direction
geek00l> jlcurry, no tcpflags?
jlcurry> my bad, - without a 'SYN', or 'SYN+ACK' tcpflag combination - sancp must rely on the first packet - or secondly on the known_ports matching on the 'dest port' (in the packet received).
geek00l> read you now
geek00l> jlcurry, have you done performance benchmarking on sancp regarding its pcap logging
jlcurry> unfortunately no, any ideas on how you would do this reliably?
geek00l> jlcurry, not yet, but i'm interested in this - bytes of pcap data to collect per connection
geek00l> jlcurry, i think it is great feature to reduce the full content data
jlcurry> fyi - the alpha version supports logging the first X bytes of payload data from the source and dest separately to stats (in filtered ascii or hex notation)
jlcurry> those will be a fun fields to work with
geek00l> jlcurry, interesting
geek00l> jlcurry, the first X bytes of payload separately, i thought it is defined to log how many bytes per connection
jlcurry> geek00l, this feature is memory hungry - pcap limit affects pcap logging - sample_src_ascii (for example) is a stats output field (so packet data payload can go to stats output)
jlcurry> pcap limit is separate from the sampling that I am referring to now
geek00l> jlcurry, same with bro-ids time machine, it is mem hungry :)
jlcurry> you can control how much data is sample from each end
jlcurry> this helps collect things like URI's which occur early in the packet and don
jlcurry> don't require pcap (necessarily) to confirm nature
jlcurry> I really don't like talking - I usually find faults in my statements (i.e. most browsers send more than one request per connection, some attacks do the same, some attacks start with a normal request)
geek00l> jlcurry, just to confirm with you, if i just want to log the first X bytes of payload data, pcap limit is the one i need to tune?
jlcurry> yes this is correct for logging data to pcap
jlcurry> SANCP will still count statistics on all packets
geek00l> jlcurry, what's the recommended range for pcap limit
geek00l> jlcurry, yup, that's to reduce full content data while retain the session/flow data
jlcurry> I use full content logging - and yes I use the pcap limit to reduce pcap files I want to archive a little longer - but I don't need the wasted data (i.e. 1500bytes of the FTP binary is fine for me)
geek00l> jlcurry, thanks
geek00l> jlcurry, can i post our conversation to my blog?
jlcurry> geek00l you're welcome
jlcurry> yes
geek00l> cool :)

I have edited the conversation so that it looks cleaner while retaining the content. I hope this dialog can give you some insights about sancp; feel free to download, install and play with it now.
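The part of the conversation that matters most for anyone reading sancp session records is the direction logic: which endpoint sancp records as the source when it did not see the handshake. The following is an added example written from John's description above, not sancp's own code: it applies the precedence he gives (TCP SYN or SYN+ACK decide outright; otherwise, and for UDP, the `known_ports` list for that protocol decides whether the endpoints are swapped). The TCP `known_ports` list is the one quoted in the chat; the UDP list, the `Packet` class, the function names and the sample packets are my own constructions, and the mid-session TCP rule ("swap when the source port is known and the destination port is not") is my reading of his wording.

```python
from dataclasses import dataclass

TCP, UDP = 6, 17        # IP protocol numbers, as in 'known_ports 6' / 'known_ports 17'
SYN, ACK = 0x02, 0x10   # TCP flag bits

# Constructed known_ports table. The TCP list is the one from the conversation
# ("known_ports tcp 8734, 22, 25, 80, 443, 53, 993, 933, 8734, 110"); the UDP
# list is an assumption, the post gives none.
KNOWN_PORTS = {
    TCP: {8734, 22, 25, 80, 443, 53, 993, 933, 110},
    UDP: {53, 123},
}


@dataclass(frozen=True)
class Packet:
    proto: int
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    tcp_flags: int = 0


def guess_direction(first, known_ports=KNOWN_PORTS):
    """Decide who initiated a connection from the first packet sancp sees.

    Returns (initiator_ip, initiator_port, responder_ip, responder_port, reason).
    Precedence follows the chat: TCP SYN / SYN+ACK settle it outright; without
    them (a mid-session packet) or for UDP, the known_ports list is consulted
    and the endpoints are swapped when the sender looks like the service side.
    """
    as_seen = (first.src_ip, first.src_port, first.dst_ip, first.dst_port)
    swapped = (first.dst_ip, first.dst_port, first.src_ip, first.src_port)
    known = known_ports.get(first.proto, set())

    if first.proto == TCP:
        syn, ack = bool(first.tcp_flags & SYN), bool(first.tcp_flags & ACK)
        if syn and not ack:
            return as_seen + ("TCP SYN: sender opened the connection",)
        if syn and ack:
            return swapped + ("TCP SYN+ACK: sender is answering, so it is the responder",)
        # Mid-session: no flag evidence, fall back to known_ports 6. Swap only
        # when the source port is a known service port and the destination
        # port is not (my reading of "AND the first packet is NOT in the list").
        if first.src_port in known and first.dst_port not in known:
            return swapped + ("TCP mid-session: src port is a known service port",)
        return as_seen + ("TCP mid-session: no evidence, sender assumed initiator",)

    if first.proto == UDP:
        if first.src_port in known:
            return swapped + ("UDP: src port is a known service port",)
        return as_seen + ("UDP: sender assumed initiator",)

    return as_seen + ("other protocol: sender assumed initiator",)


# Constructed packets: a web session seen from its start, the same session
# first seen mid-stream from the server side (no SYN in sight), and a DNS reply.
CLIENT_SYN = Packet(TCP, "10.0.0.5", 51234, "192.0.2.10", 80, tcp_flags=SYN)
SERVER_SYNACK = Packet(TCP, "192.0.2.10", 80, "10.0.0.5", 51234, tcp_flags=SYN | ACK)
SERVER_MIDSESSION = Packet(TCP, "192.0.2.10", 80, "10.0.0.5", 51234, tcp_flags=ACK)
DNS_REPLY = Packet(UDP, "192.0.2.53", 53, "10.0.0.5", 40000)

if __name__ == "__main__":
    for pkt in (CLIENT_SYN, SERVER_SYNACK, SERVER_MIDSESSION, DNS_REPLY):
        ini_ip, ini_port, res_ip, res_port, why = guess_direction(pkt)
        print(f"{ini_ip}:{ini_port} -> {res_ip}:{res_port}  ({why})")
```

The cases worth trying are the ones John warns about: a mid-session packet whose source port is not in the list is recorded as seen, so a sensor started while long-lived sessions are running will show some of them backwards, and a packet between two known ports (22 to 80, say) is never swapped. Tuning `known_ports` to the services actually on your network is what reduces those flips.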

Thanks again, John!

Cheers ;]

Monday, February 05, 2007

Red Alerts



The image above shows my home OpenBSD router that has been serving me for years. However the network interfaces are now in the process of degradation (LED in red). I still don't have many network issues yet (it's not heavily used anyway), so I plan to buy new network cards as replacements in case it goes down one day.

That seriously explains why we need sensor stuff.

Peace ;]

Thursday, February 01, 2007

FreeBSD Snort-2.7 Beta1

If you want to try out Snort 2.7 Beta 1 on FreeBSD 6.2, here's the straightforward installation process -

shell>pkg_add -vr libdnet

shell>pkg_add -vr libnet10

shell>./configure --enable-stream4udp \
--enable-dynamicplugin --enable-timestats \
--enable-perfprofiling --enable-flexresp2 \
--enable-react --enable-gre \
--prefix=/usr/local/stow/snort-2.7b1 \
--with-dnet-includes=/usr/local/include \
--with-dnet-libraries=/usr/local/lib


shell>make && make install

As usual I install all testing applications under /usr/local/stow so that I can make use of stow for software management. The demo server will run the snort beta for testing purposes.

Peace ;]