Wednesday, April 23, 2014

Argus 3: Debug & Testing

If you are testing argus 3, the best way is always to compile the argus source with debug mode on -

Argus -
shell>tar xvzf argus-3.0.7.5.tar.gz
shell>cd argus-3.0.7.5
shell>touch .devel .debug
shell>./configure --prefix=/usr/local/stow/argus-3.0.7.5
shell>make && sudo make install

Argus Clients -
shell>tar xvzf argus-clients-3.0.7.25.tar.gz
shell>cd argus-clients-3.0.7.25
shell>touch .devel .debug
shell>./configure --prefix=/usr/local/stow/argusc-3.0.7.25
shell>make && sudo make install

If argus or its client suite fails to run or behaves wrongly, you can just run them with -D followed by a level from 1 to 5, depending on how much debug information you want. I'm just writing this as a note to myself, and hopefully it helps others who are using argus as well.

Cheers ;]

Sunday, April 20, 2014

Ubuntu Linux: Argus 3 Installation

If you want to test the latest version of argus with all the features enabled on Ubuntu Linux, here's the fastest way; just follow the steps below -

I use stow to manage the argus source builds -

shell>sudo apt-get install stow
shell>sudo mkdir /usr/local/stow

Install mysql server -

shell>sudo apt-get install mysql-server

Install software dependencies for argus clients -

shell>sudo apt-get install flex bison libpcap-dev libmysqlclient-dev libncurses5-dev libreadline-dev libgeoip-dev libpcre3-dev

Now download argus and its client suite -

shell>wget http://qosient.com/argus/dev/argus-3.0.7.5.tar.gz
shell>wget http://qosient.com/argus/dev/argus-clients-3.0.7.23.tar.gz

Install argus -

shell>tar xvzf argus-3.0.7.5.tar.gz
shell>cd argus-3.0.7.5
shell>./configure --prefix=/usr/local/stow/argus-3.0.7.5
shell>make && sudo make install

Install argus client -

shell>tar xvzf argus-clients-3.0.7.23.tar.gz
shell>cd argus-clients-3.0.7.23
shell>./configure --with-libpcre --prefix=/usr/local/stow/argusc-3.0.7.23
shell>make && sudo make install

Now you can use stow to link them into the default PATH (/usr/local/sbin and /usr/local/bin) so that you don't need to give the full path when running argus -

shell>cd /usr/local/stow
shell>sudo stow argus-3.0.7.5
shell>sudo stow argusc-3.0.7.23

Done, and you can start testing argus for fun!
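As an added example (not code from either argus post), here is a small POSIX shell script that wraps the build steps of this post and of the debug-build post above into one function: it derives the stow package name the way the posts do (argus-clients becomes argusc), enables the debug build with .devel/.debug when asked, passes --with-libpcre to the clients, installs under the stow root and stows the result. STOW_ROOT, ARGUS_TARBALL and ARGUS_DEBUG are names I chose for it.

```shell
#!/bin/sh
# Added helper, not from the original posts: build an argus or argus-clients
# tarball under the stow root and link it in.
# Usage: ARGUS_TARBALL=argus-clients-3.0.7.23.tar.gz ARGUS_DEBUG=1 sh build-argus.sh
set -eu

STOW_ROOT="${STOW_ROOT:-/usr/local/stow}"

# stow_pkg_name TARBALL: directory name used under the stow root, e.g.
#   argus-3.0.7.5.tar.gz          -> argus-3.0.7.5
#   argus-clients-3.0.7.23.tar.gz -> argusc-3.0.7.23
stow_pkg_name() {
    name="${1##*/}"
    name="${name%.tar.gz}"
    case "$name" in
        argus-clients-*) printf 'argusc-%s\n' "${name#argus-clients-}" ;;
        *)               printf '%s\n' "$name" ;;
    esac
}

# configure_flags TARBALL: the client suite gets --with-libpcre, as in the post.
configure_flags() {
    case "${1##*/}" in
        argus-clients-*) printf -- '--with-libpcre\n' ;;
        *)               printf '\n' ;;
    esac
}

# argus_build TARBALL [DEBUG]: unpack, optionally enable the debug build
# (.devel and .debug marker files), configure with a stow prefix, install, stow.
argus_build() {
    tarball="$1"; debug="${2:-0}"
    srcdir="${tarball##*/}"; srcdir="${srcdir%.tar.gz}"
    pkg="$(stow_pkg_name "$tarball")"
    tar xzf "$tarball"
    ( cd "$srcdir"
      if [ "$debug" = 1 ]; then touch .devel .debug; fi
      ./configure $(configure_flags "$tarball") --prefix="$STOW_ROOT/$pkg"
      make
      sudo make install )
    ( cd "$STOW_ROOT" && sudo stow "$pkg" )
}

if [ -n "${ARGUS_TARBALL:-}" ]; then
    argus_build "$ARGUS_TARBALL" "${ARGUS_DEBUG:-0}"
fi
```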

Tuesday, April 08, 2014

Kali/Backbox Linux: Alfa AWUS036H

After migrating from Backtrack to Kali Linux, I encountered a problem with WLAN cracking using the Alfa AWUS036H wireless adapter. The initial problem was

shell>airodump-ng wlan0
ioctl(SIOCSIWMODE) failed: Device or resource busy

ARP linktype is set to 1 (Ethernet) - expected ARPHRD_IEEE80211,
ARPHRD_IEEE80211_FULL or ARPHRD_IEEE80211_PRISM instead.  Make
sure RFMON is enabled: run 'airmon-ng start wlan0 <#>'
Sysfs injection support was not found either.

So it states that I should run airmon-ng -

shell>airmon-ng start wlan0

Found 3 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!
-e
PID    Name
2625    dhclient
2722    NetworkManager
2971    wpa_supplicant


Interface    Chipset        Driver

mon0        Realtek RTL8187L    rtl8187 - [phy0]
wlan0        Realtek RTL8187L    rtl8187 - [phy0]
                (monitor mode enabled on mon0)

We used to be able to run airodump-ng on wlan0 when using Backtrack, but that's no longer the case here; what you need to do is run airodump-ng on the mon0 pseudo-interface instead -

shell>airodump-ng mon0

Now everything looks good, but there's a minor bug where the channel shows as -1; to get everything running smoothly without the error, I run the following command instead -

shell>airodump-ng --ignore-negative-one mon0

Now you can perform the WLAN cracking routine (aireplay-ng and aircrack-ng for packet injection and cracking), but remember to run the aircrack-ng suite with the argument --ignore-negative-one and everything will be fine.

Cheers (;])

p/s: If you are using another Linux distribution, Backbox, the same applies to it as well.

Sunday, March 02, 2014

Interesting Rootkit: Uroburos

My friend ebf0 has shared with me this interesting analysis report from the GData Security Lab; you can find the report here -

https://public.gdatasoftware.com/Web/Content/INT/Blog/2014/02_2014/documents/GData_Uroburos_RedPaper_EN_v1.pdf

To understand where the name "Uroburos" comes from, we should refer to

http://en.wikipedia.org/wiki/Ouroboros

It doesn't matter which party it comes from; we all know intelligence gathering is always there, and by the time we know about it, it seems miles too late. The Internet security community needs to work harder together to uncover these things as soon as possible.

Cheers (;])

Monday, February 24, 2014

The Practice Of Network Security Monitoring

The year 2014 will most probably be a refreshing year for me; everything is new all over again, and what I should do next is important.

NSM has been a big part of my career and I'm back to the roots, and I would like to discuss/share anything regarding this huge topic. The first thing I will most probably do is grab the book written by my friend Richard, The Practice Of NSM. Thank you for your effort in writing this book; it is really tough to stay focused and finish a book, especially for a busy person like you.

The second thing to do would be reviewing the new versions of existing tools, and also the new tools that kicked in without me noticing - Netsniff-ng, Snort, Suricata, Bro-ids, Argus, NetworkMiner, SIFT and many more, you name it.

The third thing to do is sharing: to share what I have found and learned in the world of IT security.

Monday, August 12, 2013

Port Span: Packet duplication

I have stumbled across this issue multiple times lately, especially when trying to span multiple source ports, and there are a couple of solutions worth looking at -

http://blogs.cisco.com/security/span-packet-duplication-problem-and-solution/

http://myoss.belgoline.com/despan

I think the packet duplication issue should be eliminated using a hardware-based (built-in) solution, where the switch itself is able to eliminate it. While it may add workload to the network switch, it makes real-time monitoring more accurate and possible, especially since tools such as snort/bro are not going to identify duplicate packets.
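As an added illustration (not taken from either linked article), here is a POSIX shell/awk filter that applies the basic de-duplication idea to a constructed packet summary: a record is dropped when an identical src/dst/protocol/IP-ID/length tuple was already seen within a short time window, while the same IP ID recurring seconds later is kept, since IP IDs are reused legitimately. The sample lines and the despan/despan_count names are mine.

```shell
#!/bin/sh
# Constructed sample of packet summaries as a SPAN session might deliver them,
# one line per packet: epoch_us src dst proto ipid len.  Lines 2 and 4 are the
# duplicates produced by spanning both ends of a conversation; line 6 reuses
# IP ID 4711 two seconds later and is a genuine new packet.
SPAN_SAMPLE='1000000 10.0.0.5 10.0.0.9 tcp 4711 60
1000045 10.0.0.5 10.0.0.9 tcp 4711 60
1000300 10.0.0.9 10.0.0.5 tcp 9001 60
1000310 10.0.0.9 10.0.0.5 tcp 9001 60
1500000 10.0.0.5 10.0.0.9 tcp 4712 1500
3000000 10.0.0.5 10.0.0.9 tcp 4711 60'

# despan WINDOW_US: read packet lines on stdin and print only the first copy of
# any src/dst/proto/ipid/len tuple seen within WINDOW_US microseconds.
# Keying on IP ID plus length is a heuristic; a real filter would hash more
# of the packet, but the window is what separates duplicates from ID reuse.
despan() {
    awk -v win="$1" '{
        key = $2 FS $3 FS $4 FS $5 FS $6
        if ((key in last) && ($1 - last[key]) <= win) next
        last[key] = $1
        print
    }'
}

# despan_count WINDOW_US: number of packets that survive the filter on the sample.
despan_count() {
    printf '%s\n' "$SPAN_SAMPLE" | despan "$1" | wc -l | tr -d ' '
}
```

With a 1 ms window the two SPAN duplicates are removed and the IP ID reuse survives; with a zero window nothing is dropped, which is the behaviour a sensor sees today.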

Sunday, July 15, 2012

HeX 3: On the way

We are in the development of HeX 3, and this is for real. HeX 3 will be based on FreeBSD 9, and we are looking to create more FreeBSD ports for network security tools. Most of the existing tools compile successfully on FreeBSD 9, and we will provide two platforms this time, either i386 or x64.

We would like to list all the new network security tools that are going to be included in HeX 3; currently I have 3 in mind -

- NetworkMiner
- Prads
- PassiveDNS
- Pcapfix

Thanks to Erik (NetworkMiner developer) for sending the installation guide to me, that saves me work ;)

Here's the screenshot of NetworkMiner running on the upcoming HeX 3 -


If you are aware of any network security tools (especially for packet analysis) and would like us to add them to HeX 3, kindly let me know.

Cheers (;])