Saturday, April 28, 2007

Deleting zer0 size files & Renaming files with '-' prefix

I didn't notice that the partition on my research honeypot had filled up while it was collecting malware, so it generated a lot of malware files with 0 size because there was no room to write them. Since all of them are collected under /var/nepenthes/binaries, I just execute the command below to delete all the files with 0 size -

shell>cd /var/nepenthes/binaries

shell>find ./ -type f -size 0 -exec rm -rf '{}' \; -print

Then I list all the files again -

shell>ls -la
total 808
drwxr-xr-x 2 root wheel 3584 May 4 19:49 .
drwxr-xr-x 7 root wheel 512 Jan 28 22:46 ..
-rw-r--r-- 1 root wheel 48808 Jan 29 20:31 06b6cd8fc0333df6a96a66910f0a285d
-rw-r--r-- 1 root wheel 8192 Jan 29 23:43 314b889b16b11886656c901656ffa847
-rw-r--r-- 1 root wheel 8192 Feb 1 20:05 579ab2f7e55c8ddc074603b82bb73ee4
-rw-r--r-- 1 root wheel 64464 May 4 19:49 6df903d10f7ad3ad688d90dba9380d3c
-rw-r--r-- 1 root wheel 58325 Jan 29 17:28 703a8118b285f85622db82e7350c16da
-rw-r--r-- 1 root wheel 40884 May 4 19:46 706e697ed520cc32027a525a645be1dd
-rw-r--r-- 1 root wheel 8192 Feb 1 05:54 a2628d55e482fac6448801187c0ce836
-rw-r--r-- 1 root wheel 158720 Jan 29 19:42 a4ed429c882f382b994b0860c5a9ced2
-rw-r--r-- 1 root wheel 8192 Feb 2 11:52 bc6595eff1398227ab0d4aa13acc20f4

I think I will need to write a script to automate the process by moving all the files under this directory to another partition when the /var partition is full; otherwise I will have to do it manually, which wastes my time.

Sometimes it is fun to poke at shell commands, especially the tricky cases. To rename all the files in the directory whose names start with '-' so that the leading '-' is discarded, you can try the command below.

shell>for i in -*; do [ -e "$i" ] || continue; \
mv -- "$i" "${i#-}"; done

I was asked how to do this and think the commands crafted above should do the job. Have fun.
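Both chores from this post, as an added shell example that is not the author's command: the zero-byte removal and the '-' prefix rename, written so that names containing spaces or more than one dash come through intact. The file names and the temporary directory are constructed for the demo; the md5-style names only mimic the listing above.

```sh
#!/bin/sh
# Added example, not from the original post. Cleans a nepenthes-style binaries
# directory in two steps: drop zero-byte files, then strip one leading '-'
# from file names. Quoting and 'mv --' keep odd names (spaces, several dashes,
# a leading dash) from being split into words or read as options.

# Delete every regular file of size 0 below directory $1 and print its name.
# find hands the names to rm directly, so no word splitting ever happens.
delete_empty_files() {
    find "$1" -type f -size 0 -print -exec rm -f -- '{}' +
}

# Rename every entry of directory $1 whose name starts with '-' by removing
# that first '-'. '--' ends option parsing so "-foo" is a file, not a flag.
strip_dash_prefix() {
    dir=$1
    for path in "$dir"/-*; do
        [ -e "$path" ] || continue        # glob matched nothing: skip the literal pattern
        name=${path##*/}                   # basename
        mv -- "$path" "$dir/${name#-}"     # ${name#-} drops exactly one leading dash
    done
}

# Run both steps on a constructed sample directory and return the surviving
# names, sorted and space separated, for inspection.
demo_cleanup() {
    work=$(mktemp -d)
    printf 'MZ' > "$work/06b6cd8fc0333df6a96a66910f0a285d"   # non-empty: kept
    : > "$work/00000000000000000000000000000000"              # zero bytes: removed
    printf 'x' > "$work/-a-b-c"                                 # renamed to a-b-c
    printf 'x' > "$work/-with space"                            # renamed to 'with space'
    delete_empty_files "$work" >/dev/null
    strip_dash_prefix "$work"
    (cd "$work" && ls -A | sort | paste -s -d ' ')
    rm -rf "$work"
}

demo_cleanup
```

The original ls | awk | cut pipeline breaks on exactly the names the demo constructs: a name with a space is split into two words, and "-a-b-c" loses everything after its second dash because cut -f 2 keeps only one field.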

Peace ;]

Friday, April 27, 2007

TCPdump: Privilege Dropping & Passive OS Fingerprinting

I never really noticed this until today. I think OpenBSD has made a lot of modifications to tcpdump, and privilege dropping is just one of the features; you can check out all the OpenBSD change logs to date here -

If you navigate the changes from release to release and search for the tcpdump keyword, you will find what was improved and fixed.

Another interesting feature is that passive operating system fingerprinting is built into pf and tcpdump (for both IPv4 and IPv6); you can turn it on with the -o option in tcpdump -

shell>tcpdump -o -nni em0
01:57:33.265112 > S (src OS: unknown) 1591369098:1591369098(0) win 5840 (DF)
01:57:38.819585 > S (src OS: Windows XP SP1, Windows 2000 SP4) 2701955957:2701955957(0) win 65535 (DF)
01:57:41.343984 > S (src OS: Windows XP SP1, Windows 2000 SP4) 360732020:360732020(0) win 65535 (DF)
01:57:44.057512 > S (src OS: Windows XP SP1, Windows 2000 SP4) 645056554:645056554(0) win 65535 (DF)
01:57:44.342456 > S (src OS: Windows XP SP1, Windows 2000 SP4) 360732020:360732020(0) win 65535 (DF)
01:57:44.438020 > S (src OS: Windows XP SP1, Windows 2000 SP4) 416546610:416546610(0) win 65535 (DF)
01:58:03.762505 > S (src OS: Windows 2000 RFC1323, Windows XP RFC1323) 478012651:478012651(0) win 65535 (DF)

It makes use of the p0f database but only performs fingerprinting on TCP packets with the SYN flag set (p0f itself is more powerful, as it also works with packets carrying other flags). Anyway, tcpdump should give you a quick glance at the remote operating system that is probing you.
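As an added example that is not part of the original post, a small shell helper that summarises what tcpdump -o reports: it pulls the OS guess and the advertised window out of each SYN line and counts how often each pair occurs, which is what you would want when skimming a day of probes. The sample lines copy the output printed above; the parsing assumes the single-line format shown there.

```sh
#!/bin/sh
# Added example, not from the original post. Summarise the 'src OS' guesses
# that OpenBSD's 'tcpdump -o' prints for SYN packets. Everything between
# "(src OS: " and the closing ")" is the guess, so labels that contain commas
# ("Windows XP SP1, Windows 2000 SP4") are kept whole. The sample copies the
# lines shown in the post (addresses were absent there as well).

SAMPLE_SYNS='01:57:33.265112 > S (src OS: unknown) 1591369098:1591369098(0) win 5840 (DF)
01:57:38.819585 > S (src OS: Windows XP SP1, Windows 2000 SP4) 2701955957:2701955957(0) win 65535 (DF)
01:57:41.343984 > S (src OS: Windows XP SP1, Windows 2000 SP4) 360732020:360732020(0) win 65535 (DF)
01:57:44.057512 > S (src OS: Windows XP SP1, Windows 2000 SP4) 645056554:645056554(0) win 65535 (DF)
01:58:03.762505 > S (src OS: Windows 2000 RFC1323, Windows XP RFC1323) 478012651:478012651(0) win 65535 (DF)'

# Read tcpdump -o output on stdin; write "count|os guess|window", most
# frequent first. Lines without a "(src OS: ...)" field are skipped.
summarise_syn_os() {
    sed -n 's/^.*(src OS: \([^)]*\)).* win \([0-9]*\).*$/\1|\2/p' \
        | sort | uniq -c | sort -rn \
        | awk '{ c = $1; sub(/^ *[0-9]+ /, ""); print c "|" $0 }'
}

# Convenience wrappers over the constructed sample.
top_syn_os() {                 # the single most common (guess, window) pair
    printf '%s\n' "$SAMPLE_SYNS" | summarise_syn_os | head -n 1
}
distinct_syn_os() {            # how many distinct pairs were seen
    printf '%s\n' "$SAMPLE_SYNS" | summarise_syn_os | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_SYNS" | summarise_syn_os
```

Feed it a live capture with tcpdump -o -nn -l ... | summarise_syn_os; the window is kept beside the guess because two hosts that share a label but differ in window size are worth a second look.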

Kudos to the OpenBSD team for it. By the way, I bet you all can't wait for this -

Peace ;]

Thursday, April 26, 2007

Open Source Compatible Handheld Device

I haven't bought any handheld device (mobile phones not counted). Interestingly, my friend sent me this link, and I'm starting to think maybe I need one of these toys -

If you know of any reference regarding handheld devices that are OSS compatible, please let me know. Thanks.

Cheers ;]

Saturday, April 21, 2007

NetSecAnalyst: The Handbook

Yeah, there are people asking me about the progress of my book - Network Security Analyst: The Handbook.

My initial idea was to include all my blog posts about the usage of network security tools and package them into the book, but I realized that this wouldn't make a good book for a Network Security Analyst. I have had more thoughts about the book lately, hence I can't ship it sooner. There are four primary sections in the book which I think are very important for the network security analyst wannabe -

Network Security Analyst: The RoadMap
What are the good foundations and technical knowledge that should be acquired to become a good network security analyst? I hope The RoadMap can answer questions like that; until now I haven't seen any books discussing this topic.

Network Security Analyst: The WorkFlows
What are the methodologies and mechanisms used by a network security analyst to handle their tasks? The routine daily tasks, the automated and manual processes of performing analysis, situation handling and so forth.

This is more about how to think or work like a network security analyst. I will try to standardize the common workflows, but you are free to extend them your own way.

Network Security Analyst: The Tools
What are the tools commonly used by a Network Security Analyst, and how are they used? I believe this part should demonstrate the usage of NSM-based tools. One should understand that this is not the real meat of network security analysis; it is more of a helper section showing various examples of using network security tools. This section will be updated regularly as I import it from my blog and modify it to be more organized and readable. I suggest you read this book to get yourself ready when it comes to using most of the network security tools -

I truly believe that learning to use the tools by itself won't make you a good analyst; the right thing to do is to study how to interpret the results generated by the tools. This is not always emphasized, but I think most analysts will agree with me.

Network Security Analyst: The Case Study
How does a Network Security Analyst handle (intrusion/extrusion) incidents in the real world?

This will load up a few incident scenarios and show how a Network Security Analyst starts the analysis process, from examination, escalation and confirmation through to decision making. This will make a good round-up of what has been studied in the previous three sections, applying it to real-world scenarios. One of the sites I suggest you look at is -

There are many challenges offered by the honeynet community; knowledge sharing is always interesting.

I think this is the final layout for my handbook; hopefully I won't dream up any new ideas for the book again -

Sec 1 - Net Sec Analyst: The RoadMap
Sec 2 - Net Sec Analyst: The Workflows
Sec 3 - Net Sec Analyst: The Tools
Sec 4 - Net Sec Analyst: The Case Study

All the sections are actually correlated. Everyone is welcome to give me suggestions and input; what do you think? I don't have the skill to write, but no one can stop me from writing anyway.

P/S: For the book, ayoi will be one of the contributors. I would love to spare my time to develop a Network Security Analyst LiveCD (we call it the raWPacket LiveCD) using freesbie and ship it together with the release of the book, but time is always a constraint. However, I'm glad that I have chfl4gs with me now in developing the LiveCD. Stay tuned!!!!!

Btw, I'm looking for a non-paid editor (this is a free ebook) as my English isn't good. If you would like to help, please let me know.

Peace (;])

Argus: Passive FTP Data Channel Extraction

When dealing with passive FTP instead of active FTP, I used to examine the network traffic manually, especially to reconstruct all the data channels, since passive FTP dynamically uses ephemeral ports (usually ports > 1024) at both the client and server end, unlike active FTP, where a fixed port (20) is used on the server side. After looking into how passive FTP actually works (over both IPv4 and IPv6, and across FTP server implementations), I decided to write a bash shell script to extract all the passive FTP data channels for an FTP flow from argus data. If you have read my paper on using argus for botnet detection, you will know this shell script again makes use of the argus client tool ragrep to extract all the necessary flows and their associated data channels. Here's the interesting result when I execute my script -

IPv4 Illustration
Input your argus data file, specify absolute path!
Please specify source and destination IP and source PORT to locate associated passive ftp data channel .....
1. Source IP
2. Destination IP
3. Source Port

Passive FTP Data Channel

Gotcha, here are the FTP data channels announced by the FTP server for the client to connect to - 61703 and 64897.

IPv6 Illustration
Input your argus data file, specify absolute path!
Please specify source and destination IP and source PORT to locate associated passive ftp data channel .....
1. Source IP
2. Destination IP
3. Source Port

Passive FTP Data Channel

It works on FTP over IPv6 too; the FTP data channels are 64534, 60801 and 60199.

You can now run the argus client tool (ra) to locate all the passive FTP flows by filtering on those ports. Though I have only tested this script on FreeBSD and Gentoo Linux, it should work flawlessly on other *nix platforms as long as you have the bash shell and the argus clients installed. Again, this demonstrates an interesting example of using the argus client tools.
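The port arithmetic that such a script relies on, as an added shell example that is not the author's script (argus and ragrep are not needed to run it): a PASV reply (227) carries the address and port as six decimal bytes, with port = p1*256 + p2; an EPSV reply (229), which is what FTP over IPv6 uses, carries the port alone between '|' delimiters. The control-channel lines are constructed so that they yield the ports reported above, and the filter builder assumes the tcpdump-style expression syntax that ra accepts after '-', as in the ragraph command elsewhere on this page.

```sh
#!/bin/sh
# Added example, not the author's script. Recover passive-FTP data ports from
# the server's control-channel replies, then build an ra filter for them.
#   227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)   -> port = p1*256 + p2  (RFC 959)
#   229 Entering Extended Passive Mode (|||port|)  -> port as written       (RFC 2428)
# The reply lines below are constructed; the resulting ports match the post.

SAMPLE_CONTROL_V4='220 ftp.example.test FTP server ready
227 Entering Passive Mode (192,0,2,10,241,7).
150 Opening BINARY mode data connection.
226 Transfer complete.
227 Entering Passive Mode (192,0,2,10,253,129).
226 Transfer complete.'

SAMPLE_CONTROL_V6='229 Entering Extended Passive Mode (|||64534|)
226 Transfer complete.
229 Entering Extended Passive Mode (|||60801|)
226 Transfer complete.
229 Entering Extended Passive Mode (|||60199|)
226 Transfer complete.'

# Read control-channel replies on stdin; print one announced data port per line.
passive_data_ports() {
    awk '
        /^227 / && match($0, /\([0-9]+,[0-9]+,[0-9]+,[0-9]+,[0-9]+,[0-9]+\)/) {
            split(substr($0, RSTART + 1, RLENGTH - 2), f, ",")   # h1..h4, p1, p2
            print f[5] * 256 + f[6]
        }
        /^229 / && match($0, /\(\|\|\|[0-9]+\|\)/) {
            print substr($0, RSTART + 4, RLENGTH - 6)           # digits between ||| and |
        }
    '
}

# Turn the ports on stdin into a tcpdump-style filter for ra, e.g.
#   ra -r ftp.arg - tcp and ( port 61703 or port 64897 )
# Fails (exit 1) when no port was found, so a caller never filters on nothing.
ra_port_filter() {
    awk '{ expr = expr (NR > 1 ? " or " : "") "port " $0 }
         END { if (NR == 0) exit 1; print "tcp and ( " expr " )" }'
}

v4_ports()  { printf '%s\n' "$SAMPLE_CONTROL_V4" | passive_data_ports | paste -s -d ' '; }
v6_ports()  { printf '%s\n' "$SAMPLE_CONTROL_V6" | passive_data_ports | paste -s -d ' '; }
v4_filter() { printf '%s\n' "$SAMPLE_CONTROL_V4" | passive_data_ports | ra_port_filter; }

v4_ports
v6_ports
v4_filter
```

On a real command line the parentheses in the generated filter must be quoted or escaped from the shell. Matching on the reply code at the start of the line matters: a PORT command from the client also carries six comma-separated numbers, and only the server's 227/229 replies name the passive data channel.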

Thanks to Richard for the IPv6 pcap file that he sent me; otherwise I wouldn't have been able to examine FTP over IPv6 lately.

I plan to include this script in the LiveCD that we (chfl4gs and I) are actively developing; if any of you are interested in having fun with the script, feel free to let me know.

Enjoy (;])

Yes, I advocate open source. I support anyone who really wants to push open source stuff. But I'm not doing enough, as I'm not involved in open source development or the coding part. But do you really need to be an almighty programmer to be involved in the open source movement? I bet not; there are many ways to promote open source. I believe every little piece of support and effort is important, whether you are testing the software, submitting bugs, writing documentation, etc.

My friend surface took a different approach: he decided to promote open source usage by example, and now it seems the site is growing and there are many very useful tips and tricks. You can check it out at -

I'm surprised when I see this site too -

Well done, surface! May the force be with you!!!!!

Cheers ;]

Thursday, April 19, 2007

Argus: Practical BotNet Detection

I use argus for my daily tasks. As I mentioned, the argus client tools are easy to use but hard to master, and it is trivial to work with them sometimes. However, I believe experience makes you wiser when dealing with complex tools. I really appreciate Hanashi's work on BIRT for sguil report generation; while Hanashi is working on sancp session data, I'm looking more into argus flow data. Here's a very short paper that I have written on using the argus client tools (ragrep and radump) to perform botnet detection.

The reason I don't want to post this on the blog is that it may look cluttered. I welcome any feedback and ideas about this short paper.

Enjoy ;]

Tuesday, April 17, 2007

FreeBSD: Ourmon 2.7

I'm looking into ourmon as it seems to be a very powerful tool for building a network baseline, anomaly detection and so forth. I found that there's an ourmon port available on FreeBSD, at version 2.5; after looking around with Google, I got to know that the ourmon developers have updated the ourmon port for FreeBSD to version 2.7. Since I don't want to touch anything in the ports tree, as I'm using a release for the moment and I'm lazy, I decided to download the port manually; you can find it here -

To download it -

shell>mkdir /usr/ports/net-mgmt/ourmon27

shell>cd /usr/ports/net-mgmt/ourmon27

shell>wget -r -nH -nd -np

shell>rm -rf index.*

I have put everything under /usr/ports/net-mgmt/ourmon27, and run -

shell>make install

Everything is built properly, and it comes to this configuration part -

Next we determine the ourmon config/filter file to use. By default, we use the local /usr/local/mrourmon/etc/ourmon.conf to provide input filters to ourmon.
WARNING: you should read/edit/understand ourmon.conf!
Do you want to use another ourmon.conf file in some other directory than /usr/local/mrourmon/etc? [n]

Next we suggest one modification to the ourmon.conf file.

If this is a default install, you should change the following config directive:

topn_syn_homeip network/netmask

and set it to your home network and mask (A.B.C.D/maskbits style)
Do you want to change the topn_syn home network address? [y] y
note: the home net address may be a subnet or host address (/32).
enter a home net address and mask. []

Do you want to install the ourmon startup script in the ourmon bin? [y]
WARNING: the default for the interface may not be what you want.
WARNING: use #ifconfig -a to determine interfaces.
Please enter the input interface name to sniff from: [xl0]
input interface is xl0

Please enter directory for probe output files (mon.lite, etc.): [/usr/local/mrourmon/tmp]
probe output directory name is: /usr/local/mrourmon/tmp

Creating bin/ driver for startup of ourmon. placed in ourmon bin for ourmon front-end/probe startup
./ start

copy the startup script (bin/ to /usr/local/etc/rc.d for boot startup? [y] y
ourmon front-end install complete
ourmon front-end build worked

You should now run /usr/local/mrourmon/bin/ to start ourmon

e.g., # /usr/local/mrourmon/bin/ start

You can use stop to stop ourmon

part 2: install the back-end,, etc. (web part)? [y]
Back-end configuration phase started ######################################
We need a local web directory for generated web output.
hint: the webpath given here is a guess: give the CORRECT base web directory with /ourmon at the end
enter absolute web server web path directory: [/usr/local/www/data/ourmon]
your output web path is: /usr/local/www/data/ourmon

Do you want to create the web directory for ourmon?
HINT: good idea if it doesn't exist. [y]
cp bard/* /usr/local/www/data/ourmon/bard
cp /usr/local/mrourmon/bin
cp ombatch*.pl /usr/local/mrourmon/bin
cp /usr/local/mrourmon/bin
cp /usr/local/mrourmon/bin
chmod +x /usr/local/mrourmon/bin/*.sh
chmod +x /usr/local/mrourmon/bin/*.pl

INFO only: also setting up logging directory (if needed)
creating log rrddata tmp dirs in /usr/local/mrourmon
hit CR to continue:

If different, enter front-end output file directory absolute path: [/usr/local/mrourmon/tmp]
probe output file path (back-end input/s) is /usr/local/mrourmon/tmp

Now we copy supplied .html files to the web directory for later editing
do you want to copy base web files to the web directory? [y]

INFO only: setting up local rrdbase directory at /usr/local/mrourmon/rrddata
your runtime rrds get stored in this directory, along with the rrd error log file
if you create new BPF filters, check rrdbase/ourmon.log for errors.
hit CR to continue:

We need a UDP weight threshold for UDP scan alerts
what should the weight be (default is given): [10000000]

Install backend crontab commands in /etc/crontab (default answer y)?: [y]

ourmon system config complete
see INSTALL for post-config sanity checking
Ourmon is installed in /usr/local

For the FreeBSD port, we assume


is the base directory, although that can be overridden with the port Makefile.

Read the INSTALL file in the ourmon base directory.

If you want to uninstall ourmon, read "uninstall.txt" in the base directory.

Be sure and inspect and modify the basic config file, at /usr/local/mrourmon/etc/ourmon.conf. In particular set the notion of topn_syn home IP in the config file


to your home subnet and netmask. If you are installing
ourmon to watch a host you can put in a slash 32
address like

After setting the config file up properly, in order to start the front-end probe process, named "ourmon", you must cd to the base directory and run the ourmon probe from the start shellscript.

# cd /usr/local/mrourmon/bin
# ./ start

===> Registering installation for ourmon-2.7

shell>pkg_info | grep ourmon
ourmon-2.7 A libpcap-based network monitoring and anomaly detection sy

shell>cd /usr/local/mrourmon/bin

shell>./ start
net.bpf.bufsize: 4096 -> 8388608
net.bpf.maxbufsize: 524288 -> 8388608
warning: ourmon: xl0: no IPv4 address assigned

shell>ps auxww | grep ourmon
root 12359 0.0 0.4 1708 976 ?? Is 6:25PM 0:00.01 /bin/sh -c /usr/local/mrourmon/bin/
root 12361 0.0 0.4 1716 988 ?? S 6:25PM 0:00.02 /bin/sh /usr/local/mrourmon/bin/
root 12411 0.0 3.0 16088 7620 p6 S 6:25PM 0:00.06 /usr/local/mrourmon/bin/ourmon -a 30 -s 256 -f /usr/local/mrourmon/etc/ourmon.conf -i xl0 -D /usr/local/mrourmon/tmp

Now I have ourmon running. This is a pretty simple setup, as I didn't even look at the web setup; I'm looking forward to tuning the BPF and other related configurations when I have time to look into it.

In fact, one of the good reasons I am looking at ourmon is that I want to compare ourmon and argus, as both are open source, and maybe I'll be able to construct a similar idea using argus instead, since I currently use it heavily. Seriously, I would love it if someone who has good experience with Arbor and other commercial products for network flow analysis could tell me more about them, since I have had no chance to use them.

Anyway, I plan to buy this book, as it's the only book that introduces ourmon -

Thanks to Kamal, who pointed me to this entry in wormblog, which looks interesting too -

Cheers (;])

Monday, April 16, 2007

Ragraph - DNS Graph

This is for my own notes, as I can't really remember everything in argus. It is definitely a beast, as it needs some tinkering to fully understand how it works and get the output you need. Anyway, I'm blogging it here in case someone is interested.

Ragraph is one of the argus clients for creating graphs out of argus data. In fact, argus comes with a lot of very powerful client tools; all of them are easy to use but hard to master. The 'hard to master' part really kills a lot of people, including me.

Here are the graphs showing DNS traffic, for both source and destination bytes. You may notice that changing the time mode makes a huge difference. The first graph, with -M 1s, shows the data per second and therefore looks more detailed; the second graph is generated using -M 1m, which is 1 minute, and therefore looks coarser, as each point spans 1 minute of data. I first saw this kind of graph on the argus site and didn't really understand it until I tried it myself.

shell>ragraph bytes -M 1s -fill -stack -r argus-test.arg - udp and port 53

shell>ragraph bytes -M 1m -fill -stack -r argus-test.arg - udp and port 53

I used -fill so that it won't fill the color of the data area; this makes it look like a line graph, and I prefer it displayed that way.

Enjoy ;]

Saturday, April 14, 2007

Windows - Sec & User Tools

There are a few tools that I would like to try out, but they are only available on the Windows platform. I guess I need to install Windows in VMware for testing. I haven't really touched anything on Windows lately except for Windows Server 2003. Anyway, here is the list of tools that seem interesting to me -

- Winfingerprint

- Showtraf

- Proconvert

- Dataecho

- Liveview

- Sipp

- DaD

- Inferno

- Pedorosa

- Console

- Launchy

- VirtualWin

- EmergeDesktop

- Mewa

I'm not promoting Windows here, but most of these tools are freely available and open source, and it does no harm to try them out. Anyway, if you have experience with any of these tools, I would like to hear some feedback from you, as I'm in a lazy mood to try them out.

Cheers ;]

Thursday, April 12, 2007

NSM - The History

Yes, this is not what I wrote; in fact I have stolen the post from

Read it up ->>>>>

I would love to know the background of the technology that I live with all the time. I bet you will find it informative and understand more about Network Security Monitoring.

Enjoy ;]

Wednesday, April 11, 2007

Welcome to Malaysia Botnets

Thanks to my friend who sent me this link; it is about a survey done by Symantec Malaysia. It states that 96% of the computers are zombies. I'm wondering whether they are trying to generate fear so that more people will buy their anti-virus solution, or whether this is true. I'm probably happy to see we are in the top 7 of the list, since that really shows the Malaysia Can spirit.

Another interesting result from them is that 84 percent of emails from Malaysia are classified as spam. I'm really curious how they are able to identify this portion, as there's no perfect solution to identify or classify email with unsolicited intentions. Plus, they are actually setting up decoy emails (honeypot-like) for this kind of identification, which I don't think can be very accurate.

"This and the high number of zombie machines in Malaysia is tarnishing the country's image". This is way too much emphasis; they are placing a big blame on the users, and most of the users don't even know what is happening out there. They are just using the internet for surfing, doing some transactions and so forth.

"It said copies of pirated software sometimes contained trojans and other hidden malicious programs, and these are surreptitiously planted into computer systems when users installed the software". This is not the case, in my opinion. Most users in Malaysia are using pirated software, which leads to more vulnerabilities in the application software and the operating systems themselves, since they can't patch them, as they are not using the licensed or commercial version. That's what most malicious attackers target over the networks, instead of just distributing malware via the software/pirated CDs that people buy, which is more of a blind attack.

"An antivirus program is not enough, said Symantec. Users need a security solution that combines antivirus, firewall and intrusion detection capabilities". Okay, it is still back to the marketing sense; I expected that. But the truth is that users are still vulnerable even with all those solutions in use; malicious attackers are way smarter at bypassing most of them. You are trying to reduce the risk for users, however that won't work once the internet browsers themselves become victims as well. Combined with some social engineering tricks, users tend to be fooled without knowing it. And some of them just get caught from USB thumb drives.

"Computer users should also be careful about disclosing confidential, personal or financial information online unless they know that the request for such is legitimate, cautioned Symantec". I doubt users will listen to this; it reminds me of the presentation from Mikko - education usually won't work.

Enough ranting for now; thanks to Symantec for doing this kind of survey.

Enjoy ;]

Snort 3.0 Pre Alpha

Marty has recently released the snort 3.0 pre-alpha version. I'm curious to see what has been implemented in it so far; it should be worth spending some time looking into it. Getting snort 3.0 installed on FreeBSD is kind of quick.

Getting all the dependencies -

shell>pkg_add -vr libdnet

shell>pkg_add -vr lua51

Download snort 3.0 and install -


shell>tar xvzf snort-03.0.0.a1.4.tar.gz

shell>cd snort-03.0.0.a1.4

shell>./configure --prefix=/usr/local/stow/snort-03a14

shell>make && make install

Then copy the configuration files to the prefix directory manually -

shell>cp -fR etc /usr/local/stow/snort-03a14

Running snort -

shell>cd /usr/local/stow/snort-03a14/bin

[*] DAQ Modules Loaded...
[*] Loading decoder modules
[+] Loaded ethernet
[+] Loaded null
[+] Loaded arp
[+] Loaded ip
[+] Loaded tcp
[+] Loaded udp
[+] Loaded icmp
[+] Loaded icmp6
[+] Loaded gre
[+] Loaded mpls
[+] Loaded 8021q
[+] Loaded ipv6
[+] Loaded ppp
[+] Loaded pppoe
[+] Loaded raw
[*] Decoder initialized...
[*] Flow manager initialized...
[*] Data source subsystem loaded
[*] Engine manager initialized
[*] Loading command interface
[!] Loading sfips command metatable
[!] Loading data source command metatable
[!] Loading engine command metatable
,,_ -*> Snort! <*-
o" )~ Version 03.0.0.a1.4 (Build 7) [PRE-ALPHA]
'''' By Martin Roesch & The Snort Team:
(C) Copyright 2006 Sourcefire Inc.

Load its configuration file and you will get the snort CLI -

> dofile("../etc/snort.lua")


Looking for help with the operation of the snort 3 system?

[*] SFIPS Commands:
set_log_level( [debug|info|notice|warn|error|critical] )

Shut it down gracefully

snort> sfips.shutdown()

I suggest you check out the other useful functions at -

There will be some significant changes in snort 3.0 compared to 2.x, thus it's good to get your hands dirty with it early. The Lua scripting language seems interesting to learn.

Happy snorting! Oink oink ...

Cheers (;])

Thursday, April 05, 2007


Finally HITB SEC CONF 2007 in Dubai is over .....

I haven't had time to update my blog till today. For the first two days before the conference, I was running a training with mel in Dubai; interestingly, I had a mixed crowd in my training class. I met guys from the US Army and they are really cool folks, and most of the people in the class are involved in the network security field, which made it easier to run and get everyone involved.

Anyway, the training was over, and the first day of conference topics covered various kinds of areas. The keynote speech from Mikko (F-Secure) was decent; he demonstrated F-Secure technology and how online criminals can operate via different kinds of technologies and tricks. I haven't really gotten into all the other talks, but they should be interesting to listen to; I plan to download the presentation videos instead and watch them when I'm free. Anyway, we had the Capture The Flag game going on simultaneously; there are 7 levels in total in the game, and unfortunately no one cracked level 0 at first, but we think this is kind of fun. The game has nothing to do with network hacking but more with reverse engineering and looking for bugs in applications (buffer/heap overflow, format strings and so forth); all the binaries will soon be published and anyone is welcome to have fun with them.

The second day of the conference started with the keynote speech from Lance Spitzner (if you don't know this guy, apparently you are not in the information security world); he talked about honeypot technology. Another talk that I listened to was Kernel Hacking: If I really know I can hack, from the Hc2c guys. Rodrigo Rubira Branco and Domingo Montanaro are really cool folks, and both of them talked about Kernel IDS stuff; I got the chance to talk with them and they are pretty interested in our CTF game as well. I'm looking forward to going to HC2Conference in Brazil if possible.

The CTF game ended without winners, as no one broke 4 levels in the game; however, I guess this was a good learning experience for everyone. Thanks to all the participants, and hopefully they had fun. Credits go to Mel, xWings and Rd for making the game happen.

While Rd couldn't make it to Dubai, we all love you!

Kudos to all the HITB crew for making the event successful again.

Cheers ;]