Saturday, March 29, 2008

Pads: Nginx Sig

I read about misuse of nginx web/proxy server in Emerging Threats here. Jonkman has added the snort signature for it but I think I can write the Pads signature for it. After some testing it seems I have the signature written and works pretty well. Here it is -

www,v/Nginx/$1//,\x0d\x0aServer: nginx\/([\S]+)\x0d\x0a

I added this signature to pads-signature-list, then run Pads -

shell>sudo pads -i le0 -n 192.168.1.0/24 -c pads.conf
pads - Passive Asset Detection System
v1.2 - 06/17/05
Matt Shelton

[-] Filter: (null)
[-] Listening on interface eth1

[*] Asset Found: IP Address - 192.168.1.100 / MAC Address - 0:1B:77:5B:F4:3F
[*] Asset Found: Port - 80 / Host - 192.168.1.100 / Service - www / Application - nginx/0.5.26

It able to track the version of nginx that I run as well, this is pretty useful if you discover there's nginx server running in your network. One interesting thing I have figured is that nginx supports gzip encoding so you can't see the web contents in plain text and this maybe one of the reason why it is used by the blackhats.

Cheers (;])

Friday, March 28, 2008

Sancp: Pcap Index

We have been having discussion in #snort-gui regarding pcap indexing lately which will allow us to retrieve the network data based on the index quickly. I have learned about this feature during the use of time machine which will be integrated with Bro-IDS, I especially like their time machine framework which is illustrated here.

Sancp 1.6.2 beta has quite a few new features, one of them is actually in discussion I mentioned above - pcap index. We are actually looking forward for pcap index so that we can retrieve the pcap data based on index instead of doing it manually with tcpdump or other tools. Hopefully the future sguil will support this so we can just right click and obtain the pcap from sancp record.

I was not so sured how to do it with sancp when I took the first look at 1.6.2 beta, after emails exchange with my friend John, I finally have the idea of how to do it. Here's the simple howto -

shell>mkdir sancp-output

shell>echo "default index log" > sancp-pcapindex.conf

shell>echo "format index delimiter=| sancp_id output_filename start_pos stop_pos src_ip_dotted dst_ip_dotted ip_proto src_port dst_port" >> sancp-pcapindex.conf

shell>sancp -i eth0 -c sancp-pcapindex.conf -d sancp-output

The index file is created in sancp-output along with the pcap data. Basically the index file looks like this -

5177639571328195257|sancp-output/pcap.eth1.1205513154|24|114|
192.168.1.101|121.35.19.76|6|51570|80
5177639571328196206|sancp-output/pcap.eth1.1205513154|114|204|
192.168.1.101|86.1.191.36|6|50397|13322
5177639571328204971|sancp-output/pcap.eth1.1205513154|204|294|
192.168.1.101|219.77.117.51|6|35860|6881
5177639571328205574|sancp-output/pcap.eth1.1205513154|294|384|
192.168.1.101|219.90.206.228|6|53729|55265
5177639571328206646|sancp-output/pcap.eth1.1205513154|384|474|
192.168.1.101|76.122.33.223|6|45014|22100
5177639571328208237|sancp-output/pcap.eth1.1205513154|474|1984|
220.140.112.45|192.168.1.101|6|20315|60025
Output truncated ...

To extract the pcap based on its index, you can use getpcapfromsancpindex.pl which is also written by Jlcurry. Download it first -

shell>wget http://metre.net/file/getpcapfromsancpindex.pl

Now you can grep the index and extract its corresponded data by executing -

shell>fgrep "5177639571328208237|sancp-output/pcap.eth1.1205513154|474|
1984|220.140.112.45|192.168.1.101|6|20315|60025" sancp-output/index | ./getpcapfromsancpindex.pl 220-140-112-45


Lets examine the file -

shell>file 220-140-112-45
220-140-112-45: tcpdump capture file (little-endian) - version 2.4 (Ethernet, capture length 65535)

Read it with tcpdump -

shell>tcpdump -ttttnnr 220-140-112-45
reading from file 220-140-112-45, link-type EN10MB (Ethernet)
2008-03-15 00:45:54.396653 IP 220.140.112.45.20315 > 192.168.1.101.60025: . 4279573104:4279574532(1428) ack 1270973978 win 65535

John(Jlcurry) has put up his own note of how to use getpcapfromsancpindex.pl here -

http://metre.net/getpcapfromsancpindex.html

You can also read the interesting interview of me with John about Sancp here.

Enjoy (;])

FreeBSD: Updating ports with csup

I learned about csup during the development of HeX, thanks to chfl4gs_ for that. Now we no longer need to use cvsup to update the source or software packages as csup is the replacement of cvsup which is written in C. In fact, I feel that it is much faster after testing it.

To update the FreeBSD ports, I just need to do the following

shell>cp /usr/share/examples/cvsup/ports-supfile /usr

Edit the ports-supfile by adding the fastest mirror for you(remember nearest is not always the fastest), I choose Taiwan mirror here -

*default host=cvsup.tw.FreeBSD.org

Now run the csup to update the ports

shell>csup -L 2 /usr/ports-supfile

Once the update is done, you will read Finished successfully at the end of message.

Peace ;]

USM: Industry Talk

This Monday, I was glad to be able to present at University Science Malaysia. I always have good feeling when back to Penang and thanks everyone for coming. Our main audience is student so we try to present it in light manner.

I presented about -

- Dive Into Infosec Industry
- HeX System Introductory

And Mel(Spoonfork) presented

- Honeynet Foundation
- Malaysia Distributed Honeynet Project

Mel was with me and hopefully he enjoyed the trip to the North. Thanks to Sara as he linked us up with the USM. We also thank to CW(one of my friend) who has responsible for the arrangement here.

On the other hand, we just knew that this week is ICT week in USM.

Cheers ;]

Wednesday, March 26, 2008

Sguil 0.7.0 Unleashed

After longggggg period, finally Sguil 0.7.0 is here! Check it out at

- http://sguil.sourceforge.net/news.html

Thanks to the hard work of all the #snort-gui NSM gang!

Enjoy (;])

Sunday, March 23, 2008

Ubuntu: Unicornscan Installation

I hate to remember simple thing these days, and the only way to prevent myself to remember simple thing is to write it down so I can refer later. This is Unicornscan installation steps on Ubuntu 7.10, I hope it helps someone if he/she want to try out Unicornscan on Ubuntu. If you don't know what Unicornscan is, here's the description from the Unicorn site -

Unicornscan is a new information gathering and correlation engine built for and by members of the security research and testing communities. It was designed to provide an engine that is Scalable, Accurate, Flexible, and Efficient.

Lets start the installation -

shell>sudo apt-get install libpcap0.8-dev

shell>sudo apt-get install libgeoip-dev

shell>sudo apt-get install libltdl3-dev

shell>wget \
http://www.unicornscan.org/releases/unicornscan-0.4.7-2.tar.bz2

shell>tar xvjf unicornscan-0.4.7-2.tar.bz2

shell>cd unicornscan-0.4.7-2

shell>./configure --prefix=/usr/local/stow/unicornscan-0.4.7-2

shell>make

shell>sudo make install

Simple as it is, time to dive into Unicornscan. In fact they have blog now.

Peace ;]

SinFP: Reading the Signatures

I learned about SinFP from when I first read it in taosecurity blog here, then today I read that it is integrated into Nessus in tenable blog here. Therefore it raises my interest to look at it. Basically SinFP is available in HeX, instead of trying its features, I'm particularly curious about its signature database. I download the latest signature database from its home site -

shell>wget http://www.gomor.org/files/sinfp-latest.db

My habit is using file command to identify what file type it is before openning, and I'm surprised it is not in plain text format like other tools, it's the SQLite 3.x database file.

shell>file sinfp-latest.db
sinfp-latest.db: SQLite 3.x database

Now this is killing me, I'm worse than beginner and totally have no experience in SQLite. I go to its main site and figure there are many big companies using it and it tells how popular it is here. So I need to try it out, the manual really helps but I don't want to read it for casual use, so I need to write it down for my reference in my blog. Below are what I have gone through.

To show the current default setting value -

shell>sqlite3 sinfp-latest.db ".show"
echo: off
explain: off
headers: off
mode: list
nullvalue: ""
output: stdout
separator: "|"
width:

To list the name and file of the database -

shell>sqlite3 sinfp-latest.db ".databases"
seq name file
--- --------------- ----------------------------------------------------------
0 main /home/geek00l/Desktop/sinfp-latest.db

To show all the tables in the database -

shell>sqlite3 sinfp-latest.db ".table"
IpVersion OsVersionFamily PatternTcpOptions Vendor
Os PatternBinary PatternTcpWindow
OsVersion PatternTcpFlags Signature
OsVersionChildren PatternTcpMss SystemClass

Then select everything from the table Os, you can see what OS is available -

shell>sqlite3 sinfp-latest.db "select * from Os"
1|FreeBSD
2|Linux
3|NetBSD
4|OpenBSD
5|SunOS
6|Windows
7|IOS
Output truncated ...

You can also select everything from multiple tables at the same time with comma, I pipe it to less for navigation purpose -

shell>sqlite3 sinfp-latest.db "select * from Os ,OsVersionFamily, Vendor, PatternBinary, Signature;" | less

You can also dump the signature into raw file and examine it later since it is in plain text form, here I dump it to sinfp-raw.sig file -

shell>sqlite3 sinfp-latest.db "select * from signature" > sinfp-raw.sig

The sqlite3 command line is quite flexible, you can turn on or off its setting in command line directly, as I want to see the header(title of the column) and table in column form, I add -header and -column when running it, for the sql syntax, you can see I use limit 5, this is quite basic stuff for experience SQL database administrator -

shell>sqlite3 -header -column sinfp-latest.db "select * from Os limit 5"
idOs os
---------- ----------
1 FreeBSD
2 Linux
3 NetBSD
4 OpenBSD
5 SunOS

You can also turn it into CSV format using -separator ',' -

shell>sqlite3 -header -separator ',' sinfp-latest.db "select * from Os, Signature limit 5"
idOs,os,idSignature,trusted,idIpVersion,idSystemClass,idVendor,idOs,
idOsVersion,idOsVersionFamily,idP1PatternBinary,idP1PatternTcpFlags,
idP1PatternTcpWindow,idP1PatternTcpOptions,idP1PatternTcpMss,
idP2PatternBinary,idP2PatternTcpFlags,idP2PatternTcpWindow,
idP2PatternTcpOptions,idP2PatternTcpMss,idP3PatternBinary,
idP3PatternTcpFlags,idP3PatternTcpWindow,idP3PatternTcpOptions,
idP3PatternTcpMss
1,FreeBSD,1,1,2,1,1,1,1,1,1,1,1,1,1,1,1,1,2,1,2,2,2,3,2
1,FreeBSD,2,1,2,1,1,1,3,2,1,1,1,1,1,1,1,1,4,1,2,2,2,3,2
1,FreeBSD,3,1,2,2,1,2,5,3,3,1,3,1,1,3,1,4,5,1,2,2,2,3,2
1,FreeBSD,4,1,2,2,1,2,7,4,3,1,3,1,1,3,1,4,6,1,2,2,2,3,2
1,FreeBSD,5,1,2,1,1,3,9,5,3,1,5,1,3,3,1,5,7,3,4,2,2,3,2

If you want to learn how the data is inserted to the database, using .dump to dump them in SQL text format. I figure this is useful especially to beginner like me -

shell>sqlite3 sinfp-latest.db ".dump Os"

shell>sqlite3 sinfp-latest.db ".dump Signature"

Of course this is not something I'm really good at, but learning something new is always fun, I think if you are SQL database administrator or developer, you can take advantage of SQLite quickly. I learn MySQL while using Sguil and now I take a brief look at SQLite while trying out Sinfp, all I can say is you always learn something else.

Enjoy ;]

Thursday, March 20, 2008

raWPacket: More Papers

While discussing with Hol about fl0p, I came out the idea of writing this paper - Basic Fl0p Signature Writing Guide to compliment his paper which I will put up soon. If you don't know what is fl0p, check out its description from Michal Zalewski himself -

Fl0p is a passive L7 flow fingerprinter that does not examine packet payloads, only their relative sizes, the sequence of client-server traffic, and its timing. The tool can be thus used to peek into encrypted tunnels, automatically tell users from robots, and far more.

On the other hand, dakrone has also published his first paper - An Introduction To NSM Console. The paper will cover the underlying concept of NSM Console and its functionalities.

I hope all the raWPacket team members can contribute more papers so we have richer documentation to share with the world as we have benefit from others papers too.

Enjoy ;]

Wednesday, March 19, 2008

Argus 3: Tips & Tricks

I have labeled all my argus 3 blog post to make it easy for people who are interested in it. You can find them at -

http://geek00l.blogspot.com/search/label/Argus3

If you are using argus, and would like to know how to use certain client tools and you think it might be useful, feel free to email me as well and maybe I can put up the tips and tricks for it.

Peace ;]

Monday, March 17, 2008

HITB Conference and Training in Dubai

Again this time, me and mel(spoonfork) will be going to conduct Structured Network Threat Analysis and Forensics training in HITB Conference Dubai. The training is more of how you can perform packet examination, analysis and threat detection using various Open Source tools with effective methodologies, we are going to use HeX liveCD for the training if you ask me.

Besides I hope to meet speakers and UAE folks who are involved in network security operation, that's going to be fun.

I'm now thinking of developing another training contents, most properly about network flow analysis and how can you apply it in real world network deployment. What do you think?

Cheers ;]

Sunday, March 16, 2008

Argus 3: Audit Trail with HGWL

I have discussed about the Harimau Global Watchlist here, initially one of the reason Spoonfork developes HGWL is to put all the malicious IP addresses in one place so that it can be used with argus. In fact it can be used with any network flow technology but I'm going to show how you can use HGWL and argus 3 to perform trail auditing.

Obtaining the Harimau Global Watchlist -

shell>wget http://watchlist.security.org.my/all.txt

Generate IP addresses list from argus data(shit.arg3) -

shell>racluster -M rmon -m saddr -r shit.arg3 -s saddr - ip > IP.list

I use -M rmon to convert argus biflow data to uniflow, the source and destination doesn't matter now, with that I just need to specify it to show source address by using -s saddr and I will be able to obtain all the IP address. The -m saddr is used here to cluster source address field only so the same IP is only shown once.

Filtering out suspected IP addresses -

shell>for host in `cat IP.list`; \
do egrep $host all.txt >> Suspect.list; done

61.187.72.70, http://www.dshield.org/ipsascii.html, Dshield: Top IPs, dshield-top-ips, 2008/03/16 00:00:08
61.193.128.171, http://www.dshield.org/ipsascii.html, Dshield: Top IPs, dshield-top-ips, 2008/03/16 00:00:08
65.160.238.180, http://www.dshield.org/ipsascii.html, Dshield: Top IPs, dshield-top-ips, 2008/03/16 00:00:08
66.45.254.244, www.emergingthreats.net/rules/bleeding-rbn.rules, ET RBN Known Russian Business Network Monitored Domains (15), rbn, 2008/03/16 00:03:31
195.161.8.1,http://www.senderbase.org/home/detail_spam_source,senderbase-spam-source,2008/03/16 00:28:34
202.58.85.15, http://www.dshield.org/ipsascii.html, Dshield: Top IPs, dshield-top-ips, 2008/03/16 00:00:08
217.175.134.217, http://www.dshield.org/ipsascii.html, Dshield: Top IPs, dshield-top-ips, 2008/03/16 00:00:08
218.30.19.40, http://www.dshield.org/ipsascii.html, Dshield: Top IPs, dshield-top-ips, 2008/03/16 00:00:08
221.6.4.67, http://www.dshield.org/ipsascii.html, Dshield: Top IPs, dshield-top-ips, 2008/03/16 00:00:08
221.237.161.186, http://www.dshield.org/ipsascii.html, Dshield: Top IPs, dshield-top-ips, 2008/03/16 00:00:08

Most of the time we start doing audit trail when IDS is giving us pointer. Now we can start querying the IP addresses in Suspect.list from argus data when there's matching and tracing its network activities. For example -

shell>ra -nr data.arg3 - host 195.161.8.1
StartTime Flgs Proto SrcAddr Sport Dir DstAddr Dport TotPkts TotBytes State
13:00:58.918872 e tcp 195.161.8.1.10424 -> 192.168.42.109.25 16 1559 RST
13:00:59.275570 e tcp 192.168.42.109.28457 -> 195.161.8.1.113 1 60 REQ
13:02:03.314641 e d tcp 195.161.8.1.24113 -> 192.168.42.109.25 8 698 RST
13:02:03.815631 e tcp 192.168.42.109.28493 -> 195.161.8.1.113 1 60 REQ
Output truncated ....

End for this.

The new client tool - rastream is included in argus 3 lately as argus data stream block processor, I'm thinking of using it to perform HGWL matching operation automatically once the argus data is generated so that we can catch near real time suspected host to watch possible ongoing malicious actions, maybe I will discuss about rastream in future blog post.

Updates: My friend scholar01 has shown me useful trick, instead of using for host in `cat IP.list`; do egrep $host all.txt >> Suspect.list; done, it is better to use fgrep -f IP.list all.txt as fgrep has advance engine for matching static strings at once. Thanks.

Enjoy (;])

Wednesday, March 12, 2008

Message to network device vendors

These days command line interface(CLI) becomes not so popular to manage network devices such as routers, switches and etc anymore, the replacement is the "not so shiny" web graphical user interface(GUI).

Basically I have no complaint about the usability of web GUI, it provides really easy to use interface for new users and good kickstart to manage the network devices especially when you are not familiar with specific network devices, but I really have one rant here. There are many vendors producing web GUI that only works well on certain web browser especially Internet Explorer, and there's no access through CLI, this is annoying to network administrators that are using open source softwares.

To the vendors, if you can't produce the web GUI that works across multiple web browser platforms, then just give us CLI(ssh preferred) and we can work it out instead of seeing your ugly GUI which is non-productive.

Thanks ;]

Sunday, March 09, 2008

raWPacket: New Members

We are now welcome two new members joining raWPacket team. They are -

- Hol(Rob Floodeen)

- Saravanan

Hol is contributing few interesting papers which I will put it up in rawpacket site soon. Saravanan is the maintainer for our own version of fl0p and he will also involve in Ular FVS project which lead by Zarul.

On the other hand, Guti who is our web master since day 1, will be involving in honeynet and HeX sensor project.

Kudos (;])

Saturday, March 08, 2008

FreeBSD ldconfig

In orde to configure the shared library cache for ELF format on FreeBSD, you can add all the directories that contain the shared libraries to /etc/ld-elf.so.conf.

shell>cat /etc/ld-elf.so.conf
/lib
/usr/lib
/usr/lib/compat
/usr/local/lib
/usr/local/lib/compat
/usr/local/lib/compat/pkg
/usr/local/lib/graphviz
/usr/local/lib/mysql
/usr/local/lib/nss
/usr/local/lib/pth
/usr/local/share

Then run -

shell>ldconfig -elf /etc/ld-elf.so.conf

Now you can check the hints file -

shell>strings /var/run/ld-elf.so.hints
Ehnt
/lib:/usr/lib:/usr/lib/compat:/usr/local/lib:/usr/local/lib/compat:
/usr/local/lib/compat/pkg:/usr/local/lib/graphviz:
/usr/local/lib/mysql:/usr/local/lib/nss:
/usr/local/lib/pth:/usr/local/share


All of them are added now. If you have shared object missing or not found error when you launch certain application next time, please add the directories that containing its shared library in /etc/ld-elf.so.conf and follow the steps above will do.

Peace ;]

Friday, March 07, 2008

HeX BitTorrent

Enhanced is kind enough to put up HeX in his Security Torrent Depot which you can find at -

- http://www.redsphereglobal.com:88/

Instead of using http/ftp mirror, now you can download HeX using BitTorrent. If you want to contribute to HeX project, the easiest way is seeding ;).

Enjoy ;]


Sunday, March 02, 2008

Updates

Idle is bad for a blogger, here's the update for most of the things I have been following -

- FreeBSD 7 is released

- Wireshark 0.99.8 is released

- Ourmon 2.8 is released

You can find the FreeBSD 7 release note here and interesting interview here to study what are the features and fixes offered by them. For wireshark, read this one. I'm particularly interested in the ntar(next generation pcap) and rpcap support. Last but not least, check out the new features that are included in Ourmon 2.8 here! It is now supporting threads and people with multiple cpus(quad core!) most likely will benefit from it, I'm also looking into blacklisting feature and maybe it can integrate with our Harimau Watchlist.

I'm busy with my personal thingy so I won't be very active until mid of March, anyway with the release of FreeBSD 7, HeX 2.x engineering begins!

Cheers ;]