Monday, July 21, 2008

Unimas: Open Source Security Tools Talks

First of all, thanks for the invitation from Unimas, and to En. Ahmad who has put in the effort to make it happen. Mel and I will be going to University Malaysia Sarawak (Unimas) tomorrow to give talks about Open Source Security Tools and how they can be very useful in either a corporate or an educational environment.

If you are interested in the topic and you are currently studying at Unimas, feel free to join us!

Enjoy ;]

Tuesday, July 15, 2008

Ubuntu: Netdude Manual Installation

I use netdude for pcap file editing; it's simple and straightforward since it is GUI based. However, the Ubuntu package is rather old (0.3.x) and I need to use the latest version, so here's a quick way to get the latest version of netdude installed on Ubuntu 8.04.

Download the latest version of netdude, libpcapnav and libnetdude from here -

Then install all the necessary packages -

shell>sudo apt-get install stow

shell>sudo apt-get install build-essential

shell>sudo apt-get install libgtk1.2-dev

shell>sudo apt-get install libpcap0.7-dev

Decompress netdude, libpcapnav and libnetdude, and install them in this sequence: libpcapnav, then libnetdude, then netdude (each depends on the one before it). It should be pretty quick to get done.

Enjoy ;]

Sunday, July 13, 2008

EmergingBro: HowTo

First of all, make sure you have Bro installed on your machine, or you can download it at If you are using HeX, Bro is installed by default. Once installed, you may find the directory structure of Bro looks like this -

shell>ls -la
total 34
drwxr-xr-x 15 analyzt wheel 512 Jul 10 17:36 ./
drwxr-xr-x 3 root wheel 512 Jul 10 07:51 ../
drwxr-xr-x 2 analyzt wheel 512 Jul 10 07:51 archive/
drwxr-xr-x 2 analyzt wheel 512 Jul 10 17:35 bin/
drwxr-xr-x 2 analyzt wheel 512 Jul 10 17:39 etc/
drwxr-xr-x 2 analyzt wheel 512 Jul 10 17:35 include/
drwxr-xr-x 2 analyzt wheel 512 Jul 10 17:35 lib/
drwxr-xr-x 3 analyzt wheel 1024 Jul 10 18:01 logs/
drwxr-xr-x 3 analyzt wheel 512 Jul 10 17:36 perl/
drwxr-xr-x 3 analyzt wheel 5120 Jul 10 17:59 policy/
drwxr-xr-x 2 analyzt wheel 512 Jul 10 07:51 reports/
drwxr-xr-x 2 analyzt wheel 512 Jul 10 17:36 scripts/
drwxr-xr-x 4 analyzt wheel 512 Jul 10 07:51 share/
drwxr-xr-x 2 analyzt wheel 512 Jul 11 22:50 site/
drwxr-xr-x 2 analyzt wheel 512 Jul 10 07:51 var/

Please take note of a few important directories -

The policy directory contains all the policy and analysis scripts, with the file extension .bro.

The site directory contains site policy files which you can define or configure for a specific site.

The logs directory contains all the log files that are generated by Bro.

The etc directory contains the Bro configuration files for startup and Bro environment variable settings.

Obtain the latest signatures from Emerging Bro -

shell>cvs co emerging-bro

shell>cd emerging-bro

shell>ls -l
total 14
drwxr-xr-x 7 analyzt wheel 512 Jul 10 07:58 ./
drwxr-xr-x 4 analyzt wheel 512 Jul 10 07:55 ../
drwxr-xr-x 2 analyzt wheel 512 Jul 10 11:23 CVS/
drwxr-xr-x 3 analyzt wheel 512 Jul 10 07:58 CVSROOT/
drwxr-xr-x 3 analyzt wheel 1024 Jul 10 18:24 rules/
drwxr-xr-x 4 analyzt wheel 512 Jul 10 18:28 scripts/
drwxr-xr-x 17 analyzt wheel 512 Jul 10 11:23 sigs/

The sigs directory contains all the individual signatures, grouped by category.

The rules directory contains the main signature file for each category. For example, emerging-bro-malware.sig contains all the signatures for the MALWARE category.

The scripts directory contains all the policy and analysis scripts that are contributed by community members.

To perform a quick test, you can invoke the signature file directly from the command line -

Set Bro environment variables -

shell>. bro.cfg

Execute Bro -

shell>bro -s emerging-bro-all.sig -r whatever.pcap `hostname`

If you plan to run it long term, it's best to edit the file generated during make install-brolite. The file name starts with your hostname; for example, it is raWPacket.bro on the HeX liveCD since my hostname is raWPacket. Just change the following section in the file -

# To run signatures, uncomment the following line.
# @load brolite-sigs

@ifdef ( use_signatures )
# Load Bro signatures. This is the default file containing Bro
# signatures.
redef signature_files += "signatures";

To this -

@load brolite-sigs

redef signature_files += "emerging-bro-all.sig";

Please note that the other policy scripts, especially brolite.bro, must be loaded in order for the signatures to be invoked properly.

Enjoy ;]

Wednesday, July 09, 2008

DefCraft: Official Launching

After long consideration, I have decided to start a company that focuses on security research, development and consultancy. The company name is straightforward - Defensive Craft (DefCraft).

The company offers a wide range of consulting services in specific domains; here's the list -
  • Network and Web Application Security Assessment
  • Network Security Architecture Planning & Deployment
  • Network Security Monitoring Implementation
  • Network Security Architecture Auditing
  • Network Device Testing & Evaluation
  • Network Based Forensics
  • Network Profiling Operation
  • Incident Response & Handling
  • Digital Security Training
If you have any inquiries, please feel free to contact me.

Contact Number: 016 415 9873
Contact Email: defcraft at gmail dot com

For more information, you can check out at -

The company also has its own blog, where we will write about what we do behind the scenes in the lab -

On the other hand, I will still contribute my free time to the various open source projects I'm working on, since this is part of the company principles I'm emphasizing.

Saturday, July 05, 2008

Emerging Bro

I'm sure not many have heard of Bro compared to Snort in the NIDS arsenal. While the two apply different approaches to intrusion detection, they are the open source NIDS I like to use to complement each other in different setups and deployments.

I'm now working closely with Matt Jonkman from EmergingThreats (ET) to start a new project called Emerging-Bro. Basically, the project is about converting a set of the latest signatures from Snort to Bro so that Bro operators can take advantage of them. You can find more information in the announcement here -

If you are a Bro operator, you might question why I'm doing this, as Bro is more focused on policy and analysis script development to detect network events (be they normal or abnormal) instead of relying on signature matching in the byte stream. There are reasons why I'm doing this, and I'm going to explain them here -

Emerging-Bro will only focus on the latest or critical signatures from ET, so the project is basically more concerned with the latest/critical attacks: most networks are more vulnerable to newly discovered attacks than to old ones, so detecting and preventing them at the network boundary is more important. Currently there are about 100 of the latest signatures converted from ET to Emerging-Bro, and if you think a certain Snort signature should be included, please do let me know.

The signature set developed by EmergingThreats usually gives attackers a small time window and reduces the outbreak period significantly, hence you can be pretty quick in detecting the initial stage of new attacks. Bro operators can take advantage of this if they can spot the new attack in time and quickly develop a more complete detection scheme with Bro policy scripts.

Yes, according to Matt, there are requests for it; on and off there are people on the Bro mailing list asking about the availability of Bro signatures, so why not do it to help the community?

I think these give enough reasons for me to work on the project. But providing the latest signatures is not the end of Emerging-Bro. I greatly appreciate the help from Seth Hall, who stepped up to discuss the direction of the project with me, and we both agree that it should also be the platform for people to share or contribute their policy/analysis scripts. Currently he has his own development repository here and I will import it into Emerging-Bro.
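As an added example (not code from the Emerging-Bro project, nor from this post), here is a minimal Python sketch of the Snort-to-Bro conversion described above, which also produces a .sig block of the kind the HowTo post loads with bro -s: it maps the header and the content/flow/msg options of one constructed Snort rule onto a Bro 1.x signature block. The sample rule, its sid and the mapping choices are assumptions; Snort options such as pcre, depth/offset and flowbits, and the $HOME_NET/$EXTERNAL_NET variables, are deliberately not handled.

```python
import re

# Constructed Snort rule for the demo (not an Emerging Threats rule).
SAMPLE_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 80 '
               '(msg:"DEMO WEB traversal"; flow:to_server,established; '
               'content:"/admin/..|2F|"; nocase; sid:9000001; rev:1;)')

HEADER = re.compile(r'^\w+\s+(tcp|udp|icmp)\s+\S+\s+(\S+)\s+->\s+\S+\s+(\S+)\s*\((.*)\)\s*$')
FLEX_SPECIAL = set('.^$*+?()[]{}|\\/')   # special in Bro's flex-style regex syntax

def parse_options(body):
    """Split 'key:value; flag;' into a dict; value is '' for bare flags."""
    opts = {}
    for item in filter(None, (s.strip() for s in body.split(';'))):
        key, _, val = item.partition(':')          # assumes no escaped ';' in content
        opts[key.strip()] = val.strip().strip('"')  # last duplicate option wins
    return opts

def content_to_regex(content, nocase):
    """Render a Snort content string, |hex| runs included, as a regex body."""
    out = []
    for i, chunk in enumerate(content.split('|')):
        if i % 2:                                  # odd chunks sit between pipes: hex
            out.extend('\\x%02x' % int(h, 16) for h in chunk.split())
        else:
            for ch in chunk:
                if nocase and ch.isalpha():        # no (?i) in Bro 1.x: expand per letter
                    out.append('[%s%s]' % (ch.lower(), ch.upper()))
                else:
                    out.append('\\' + ch if ch in FLEX_SPECIAL else ch)
    return ''.join(out)

def snort_to_bro(rule):
    """Emit Bro .sig text for one Snort rule: proto, ports, content, flow and msg only."""
    m = HEADER.match(rule)                         # groups: proto, sport, dport, options
    if not m:
        raise ValueError('unsupported rule header: ' + rule)
    proto, sport, dport, body = m.groups()
    opts = parse_options(body)
    lines = ['signature sid-%s {' % opts.get('sid', 'unknown'), '  ip-proto == %s' % proto]
    for name, port in (('src-port', sport), ('dst-port', dport)):
        if port != 'any':
            lines.append('  %s == %s' % (name, port))
    if 'content' in opts:                          # leading .*: payload regexes are anchored
        lines.append('  payload /.*%s/' % content_to_regex(opts['content'], 'nocase' in opts))
    if proto == 'tcp' and 'to_server' in opts.get('flow', ''):
        lines.append('  tcp-state established,originator')
    lines.append('  event "%s"' % opts.get('msg', 'snort sid %s' % opts.get('sid')))
    lines.append('}')
    return '\n'.join(lines)
```

Every rule converted this way still needs a look by hand, since a Bro payload regex runs over the reassembled stream rather than a single packet, so a match may mean something different from the original Snort rule.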

For the moment, you can access and download all the signatures at -

Enough for now. This project is also part of the reason why I haven't been blogging much the last two weeks, as I have put my free time into it. I would like to thank Matt and Seth for the collaboration, and also the Bro developers for their endorsement!

Cheers (;])

Wednesday, July 02, 2008

Davix: Review

From Davix's main site -

DAVIX, a live CD for data analysis and visualization, brings the most important free tools for data processing and visualization to your desk. There's no hassle with installing an operating system or struggle to build the necessary tools to get started with visualization. You can completely dedicate your time to data analysis.

The statement above is definitely right about the Davix liveCD!!!!!

When people ask me which liveCD I use frequently, I always advocate these 3 -

1. HeX liveCD (Network Based Forensics)
2. BackTrack liveCD (Penetration Testing)
3. Helix liveCD (Digital Forensics)

I have mentioned many times that I prefer a liveCD which focuses on a specific domain and does it very well, and Davix is really one of those. Undoubtedly I would love to add Davix to my CD folder.

Before I start anything serious, let's view the screenshot after startup from the liveCD -

It's based on SLAX, and I guess most people know how good SLAX is after trying out BackTrack. DAVIX takes advantage of SLAX's modularity, stability and hardware support; I have tested it on my own hardware and it works pretty well.

If you are familiar with Linux desktop solutions, you will definitely recognize from the screenshot that it is using KDE. Though I'm not a fan of KDE, KDE is always simple and easy to use for general users. Much of the system configuration can be done via the GUI, so it saves a lot of hassle figuring out how to get the system working for you.

On top of that, DAVIX offers very informative resources to give users a great kickstart in learning data capturing, processing and visualization by providing a set of Firefox bookmark toolbars. You can easily access all the information required to study the topic, which reduces the time spent studying certain tools and learning visualization techniques, and it also saves you the hassle of googling. I like the idea of organizing the toolbars in Firefox.

On the other hand, DAVIX also comes with its own manual of about 108 pages, which you can access via KDE menu -> DAVIX -> DAVIX Manual. If you are serious about learning data visualization with DAVIX, I suggest you start with its manual instead of playing around with the desktop without knowing what to do. It contains the basic guide on how to use all the tools that are delivered in DAVIX, and the best part is that you can follow the manual and learn it practically with all the tools available in DAVIX.

There are 3 main categories listed in the KDE menu: Capture, Process, and Visualize. Capture contains tools for you to perform data logging, especially of network data. Process contains tools to perform data processing so that the processed output can be parsed by the visualization tools. Visualize mainly contains all the tools for you to visualize the data set by generating different kinds of images, diagrams or graphs. As I have mentioned, you can just learn all the tools shipped with DAVIX from the comprehensive manual itself.

So what are the tools shipped with DAVIX? There are way too many for me to cover here, but here are my favourites -

1. Rumint
2. Tnv
3. Afterglow
4. Inetvis
5. Etherape
6. Gnuplot
7. Rrdtools
8. Mrtg
9. Wireshark

This is more of a preference thing, as I have used those tools previously and am familiar with them; I will need to explore the potential of the other tools which I have never used before. If you want to learn how those tools work, you can refer to the DAVIX manual and then to the example data sets, which you can probably find in /usr/local/share/*. Different tools may support different kinds of data formats, so that may require some learning curve. But the real question lies in what kind of visualization techniques should be applied to the data set you have so that it makes the most sense.

After talking about all the good things, I still think there are a few things worth improving.

1. Log sample
As this is the liveCD for data analysis and visualization, besides the example data sets in /usr/local/share/*, it should provide a set of sample logs (apache, postfix, exim, proftpd, etc.). Demonstrating how to format them to feed those visualization tools would be great.

2. Fat taskbar
You may notice in the screenshot that the taskbar is quite big (a double taskbar). There's nothing wrong with this, but if I had to offer a liveCD for visualization purposes, I would prefer to have everything slicker to give more space for displaying the images I have generated from the data.

3. Unified keyboard shortcut
This is just my idea. When I work with images, I always like to zoom in and out. Zooming in allows you to focus on detail, while zooming out improves the macro view to understand the ratio or distribution of the data. I do know that different tools have always defined different keyboard shortcut layouts. If zoom (in/out) used the same set of shortcut keys across all the tools in DAVIX, that would be really great. I'm glad DAVIX offers gqview as the main application to display images, as that's my favourite one with its easy-to-use interface.

4. Installer
Currently it comes with the BackTrack Installer, which is quite experimental; it needs some work to get it installed. I have tested the installer and it works fine (if you know what you are doing). I'm looking forward to an easier installer in future.

By the way, one might ask why they should use DAVIX. Simple enough: take the old cliche "A Picture Is Worth A Thousand Words". Using the correct visualization techniques to process your thousand-line log files, to be honest, lets you do more with less; it saves your time and brain power to focus on something more important.

I guess I should end my review of DAVIX here. In case you are interested in trying out DAVIX -

DAVIX is also part of Raffael's upcoming book Applied Security Visualization, which will be published by Addison-Wesley.

Currently, DAVIX is only available to beta testers. To participate in testing, please contact jan.monsch at

Thanks to the DAVIX development team for allowing me to participate in beta testing; later is better than never. I do know developing a liveCD requires hard work if you want to build a solid one. Kudos!

Update Note:
DAVIX developer Jan P. Monsch has informed me that he has actually made the taskbar slicker in the new version of Davix. Thanks for taking my input positively.

Enjoy (;])

Tuesday, July 01, 2008

Snort 3.0 Beta

If you are interested in checking out what's offered by the latest Snort, now you have it. Kudos to the Snort development team!!!!!

I haven't tried that out personally yet, but you should!

Enjoy ;]