Sunday, July 15, 2012

HeX 3: On the way

We are developing HeX 3, and this is for real. HeX 3 will be based on FreeBSD 9, and we are looking to create more FreeBSD ports for network security tools. Most of the existing tools compile successfully on FreeBSD 9, and we will provide two platforms this time, either i386 or x64.

We would like to list all the new network security tools that are going to be included in HeX 3; currently I have 3 in mind -

- NetworkMiner
- Prads
- PassiveDNS
- Pcapfix

Thanks to Erik (NetworkMiner developer) for sending the installation guide to me; that saves my work ;)

Here's the screenshot of NetworkMiner running on upcoming HeX 3 -


If you are aware of any network security tools (especially for packet analysis) that you would like us to add to HeX 3, kindly let me know.

Cheers (;])

Thursday, July 12, 2012

FreeBSD: Netmap

High-speed networking and big data are related terms; both were developed to meet the application demands of today. We always see a lot of work on Linux regarding high-speed networking (10G and up) but not so much on the BSD side. I reported on FreeBSD ringmap in my previous blog post, and Robert Watson has also implemented zero-copy BPF buffers for FreeBSD. Thanks to the friends in #snort-gui, I just found netmap, which is going to be part of FreeBSD 10. It seems promising to me, and thanks to Luigi and his team for their effort to improve the performance of the network stack.

Right now there's not much we can do to test netmap; however, if you want to try it out, you can download the images from the netmap website and play around with them, or install FreeBSD Current using the snapshot image, which you can find here - http://pub.allbsd.org/FreeBSD-snapshots/

Here are a few steps I did after FreeBSD Current was installed -

shell>cd /usr/src/sys/modules/netmap
shell>make
shell>kldload ./netmap.ko
shell>kldstat
shell>ls -la /dev/netmap
shell>dmesg

Everything is there, but you need to play around with it, so download -

http://info.iet.unipi.it/~luigi/netmap/20120608-netmap.tgz

After untarring it, you can start playing around with pkt-gen and the other binaries provided in there. Currently netmap is still under development and testing; hopefully, when it reaches a stable stage, we will see a lot of network security monitoring tools ported to work with netmap, since it will be native to the FreeBSD system. For most of the details, do check out the presentation slides and other information on the netmap website.

Cheers ;]

Flocon 2012: Argus Training Slide

If you are looking for detailed information about the latest argus development and offerings, look no further -

http://www.qosient.com/argus/presentations/Argus.FloCon.2012.Tutorial.pdf

The slides were made by Carter and contain a lot of information on the state-of-the-art flow analysis tool, argus. Though a long-time argus user, I still learned something new from the slides.

Cheers (;])

Thursday, June 21, 2012

Inter VM NSM

Cloud is everywhere now, and I have been playing with OpenVSwitch for a while; it looks like a critical solution for providing network security monitoring to virtualization technology. If you want to know more about OpenVSwitch, information can be found on the website below -

http://openvswitch.org

OpenVSwitch is not just a virtual switch; it offers many network traffic monitoring features such as SPAN, RSPAN, NetFlow and sFlow. I have tried out many features in OpenVSwitch, and they are useful depending on your monitoring needs.

Traditional network traffic monitoring is not going to help here: you can't simply deploy a network tap or port mirroring to monitor the traffic in cloud server farms. Of course you can still monitor the virtual machines when they talk to the outside world, but you can't really see the conversations between virtual machines, for example when vm1 performs network scanning against other virtual machines on the same cloud server.

More thought needs to be put into cloud network security monitoring, since the cloud has become a trend and is widely used in the enterprise world; I have encountered a couple of occasions where performing forensic operations was much harder in the cloud.

OpenVSwitch seems promising; hopefully, with its inclusion in the Linux 3.3 kernel, it will become more popular and widely used.

http://blog.sflow.com/2012/03/linux-33-released.html
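As an added example (not from the original post or the Open vSwitch project), here is how the SPAN and sFlow features mentioned above can be applied to the inter-VM problem: mirror a VM's port onto a port where an NSM sensor listens, and export sFlow from the bridge. The bridge (br0), VM port (vnet1), sensor port (nsm0) and collector address are assumed names; each function returns the ovs-vsctl argv so it can be inspected before it is run.

```python
"""Mirror a VM port to an NSM sensor port and enable sFlow via ovs-vsctl.

Added example, not the original post's or Open vSwitch's own code.
Assumed names: bridge br0, VM port vnet1, sensor port nsm0, collector 10.0.0.10.
"""
import shlex
import shutil
import subprocess


def mirror_argv(bridge, vm_port, sensor_port):
    """One ovs-vsctl transaction: SPAN-style mirror of vm_port onto sensor_port.

    select-src-port and select-dst-port both point at the VM port, so frames
    the VM sends and frames it receives (including its scans of neighbouring
    VMs on the same bridge) are copied to the sensor port."""
    return ["ovs-vsctl",
            "--", "set", "Bridge", bridge, "mirrors=@m",
            "--", "--id=@src", "get", "Port", vm_port,
            "--", "--id=@out", "get", "Port", sensor_port,
            "--", "--id=@m", "create", "Mirror", f"name=nsm-{vm_port}",
            "select-src-port=@src", "select-dst-port=@src", "output-port=@out"]


def sflow_argv(bridge, collector, sampling=64, polling=10):
    """Attach an sFlow exporter to the bridge: 1-in-`sampling` packet samples
    plus interface counters every `polling` seconds, sent to collector:6343.
    ovs-vsctl requires the literal quotes around the target because of the colon."""
    return ["ovs-vsctl",
            "--", "--id=@s", "create", "sFlow", f"agent={bridge}",
            f'target="{collector}:6343"', "header=128",
            f"sampling={sampling}", f"polling={polling}",
            "--", "set", "Bridge", bridge, "sflow=@s"]


def run_transaction(argv, dry_run=False):
    """Run the transaction, or only print it (shell-quoted) when dry_run is set
    or ovs-vsctl is not installed on this host."""
    if dry_run or shutil.which("ovs-vsctl") is None:
        print("would run:", shlex.join(argv))
        return None
    return subprocess.run(argv, check=True).returncode


if __name__ == "__main__":
    run_transaction(mirror_argv("br0", "vnet1", "nsm0"), dry_run=True)
    run_transaction(sflow_argv("br0", "10.0.0.10"), dry_run=True)
```

The sensor VM attached to nsm0 then sees the mirrored inter-VM traffic exactly as it would from a physical SPAN port.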

Cheers ;]

Saturday, January 14, 2012

FreeBSD 9.0 Release is OUT!

If you haven't noticed yet, FreeBSD 9.0 Release is out; grab it while it is still hot. The announcement can be found at -

http://www.freebsd.org/releases/9.0R/announce.html

You can check out the release notes at -

http://www.freebsd.org/releases/9.0R/relnotes.html

I'm glad to see the driver improvements for network adapters, especially Intel-based cards, and that the netgraph ng_netflow node supports NetFlow v9 export. Another interesting feature is usbdump, which can be used to dump packets on a USB controller. As always, ipfw is improved in almost every FreeBSD release, just like pf in OpenBSD. The FreeBSD team has also made a lot of file-system improvements. Finally we see a new installer for FreeBSD ;)

With FreeBSD 9.0 Release officially out, it's time to work on HeX 3!

Cheers ;]


Wednesday, January 11, 2012

Argus 3: Some hardly used scripts

There are a couple of Perl scripts that come with argus 3 for processing argus data; in case you haven't used them, do try them out. I will just show the results generated by those scripts -

shell>perl ./raips -r ~/pcap-repo/anubis.arg3
187.45.196.28
187.45.241.156
192.168.0.1
192.168.0.2

Raips will generate all the unique IP addresses seen in the argus data.

shell>perl ./rahosts -r ~/pcap-repo/anubis.arg3
192.168.0.2: (3) 187.45.196.28, 187.45.241.156, 192.168.0.1

Rahosts will generate a host report, telling you the hosts that initiate network connections (transmitters) and the destination hosts that are probed (receivers); you may get an array of IP addresses in the same network if it is network scanning or worm outbreak activity.

shell>perl ./raports -r ~/pcap-repo/anubis.arg3
187.45.241.156 tcp: (1) 80
192.168.0.1 udp: (1) 53
187.45.196.28 tcp: (1) 1433

Raports will generate the port report, but only for the server side, meaning the ports that are probed by any host.

If you are not satisfied with the results generated by those scripts, you are free to modify them to fit your needs; basically Carter is just demonstrating what you can do with argus data using some scripting capabilities.
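In that spirit, here is an added example (my own, not one of the argus scripts) that rebuilds the three reports above from flow records, so you have a starting point to extend. It assumes the input is comma-separated `saddr,daddr,proto,dport` lines, as you would get from a hypothetical `ra -r anubis.arg3 -c , -s saddr daddr proto dport`; the sample flows are constructed to reproduce the output shown above.

```python
from collections import defaultdict

# Constructed sample; assumed `ra -c , -s saddr daddr proto dport` output (saddr,daddr,proto,dport).
SAMPLE_FLOWS = """\
192.168.0.2,192.168.0.1,udp,53
192.168.0.2,187.45.196.28,tcp,1433
192.168.0.2,187.45.241.156,tcp,80
192.168.0.2,187.45.196.28,tcp,1433
"""

def parse_flows(text):
    """Turn the CSV lines into (saddr, daddr, proto, dport) tuples, skipping blanks/comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        saddr, daddr, proto, dport = line.split(",")[:4]
        flows.append((saddr, daddr, proto.lower(), int(dport)))
    return flows

def ip_key(ip):
    """Sort dotted quads numerically rather than as strings."""
    return tuple(int(octet) for octet in ip.split("."))

def raips(flows):
    """Like raips: every unique IP seen as source or destination."""
    return sorted({f[0] for f in flows} | {f[1] for f in flows}, key=ip_key)

def rahosts(flows):
    """Like rahosts: transmitter -> receivers it initiated connections to, as report lines."""
    hosts = defaultdict(set)
    for saddr, daddr, _, _ in flows:
        hosts[saddr].add(daddr)
    return [f"{tx}: ({len(rx)}) {', '.join(sorted(rx, key=ip_key))}"
            for tx, rx in sorted(hosts.items(), key=lambda kv: ip_key(kv[0]))]

def raports(flows):
    """Like raports: server-side (destination) ports contacted, per host and protocol."""
    ports = defaultdict(set)
    for _, daddr, proto, dport in flows:
        ports[(daddr, proto)].add(dport)
    return [f"{host} {proto}: ({len(p)}) {', '.join(map(str, sorted(p)))}"
            for (host, proto), p in sorted(ports.items(), key=lambda kv: (ip_key(kv[0][0]), kv[0][1]))]

if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for report in (raips(flows), rahosts(flows), raports(flows)):
        print("\n".join(report))
```

Adding a count of flows per receiver to rahosts, or a client-side port report, is a few lines on top of this.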

Cheers (;])

Large Scale Pcap Analysis

It seems that storage is not much of an issue when it comes to packet capture anymore; terabytes are becoming common everywhere, and many network analysis tools seem to be gearing toward large-scale pcap data analysis. Bro-IDS has extended its functionality by using lots of commodity hardware and TimeMachine to capture and analyze network data, and now I have just read about people at RIPE NCC doing this using Apache Hadoop -

https://labs.ripe.net/Members/wnagele/large-scale-pcap-data-analysis-using-apache-hadoop

As we know, pcapr is also making use of cloud technology to share and analyze pcap data for the internet community.

Enjoy ;]

Monday, January 09, 2012

Picviz on Windows

I never knew that someone had actually ported picviz to the Windows platform a while ago until I was working on picviz stuff and googling for information; you can find it here if you are interested -

http://berise.blogspot.com/2011/01/picviz-for-win32-port.html

Open source really opens up many unknown possibilities ...

Cheers ;]