Tuesday, September 22, 2009

Mac OSX: Sguil Client

My pal Spoonfork has written about how to get sguil client works on Mac OSX previously here, however some of readers reported it won't work on Mac OSX 10.5 or later as tclX is failed to compile. If you really want to get sguil client up and running on Mac OSX, here are the steps -

Download ActiveState TCL for Mac OSX platform from the link below, you can choose either version 8.4.x or 8.5.x as both work -

https://www.activestate.com/activetcl/downloads/

Then what you need to do is click click install, once you are done, obtain sguil client 0.7 from -

http://sourceforge.net/projects/sguil/files/

I choose sguil-client-0.7.0.tar.gz, follow the steps below once you have it downloaded -

shell>tar xvzf sguil-client-0.7.0.tar.gz

shell>cd sguil-0.7.0/client

shell>wish8.5 sguil.tk

You should be good going by now, enjoy playing with sguil client console! If you install Activetcl version 8.4.x, then just run wish8.4 sguil.tk instead.

Cheers (;])

Sunday, September 20, 2009

Mac OSX: Nmap 5.0

Many people write about Nmap 5.0 when it is released, here's how I get it work on Mac OSX. If you are installing Nmap 5.0 using MacPorts, then you won't be having zenmap in your pocket, you will only get ncat, ndiff and nmap. Therefore it is best if you can obtain the nmap installation package for OSX from Nmap website and follow the instruction here to get it installed.

Once you have the package installed, you may figure zenmap will not work properly even though you can run it. In fact you need the following software installed to satisfy the dependencies.

shell>sudo port install py25-gtk

shell>sudo port install py25-py2app-devel

It might take a while to get them compiled and installed as they require some of the libraries from X11 as well, if you can get through this stage, then you should be able to run zenmap now -

shell>open /Applications/Zenmap.app


Of course Nmap is rocking in da house -

shell>nmap -V

Nmap version 5.00 ( http://nmap.org )

Peace (;])

Tuesday, September 15, 2009

Mac OSX: NetGrok

I like security visualization tools, and it helps you to interpret computer events easily. Here's how I get NetGrok running in my apple laptop -

Download and install Jpcap -

shell>wget http://netresearch.ics.uci.edu/kfujii/jpcap/jpcap-0.7.tar.gz

shell>tar xvzf jpcap-0.7.tar.gz


shell>cd jpcap-0.7/src/c

shell>make


shell>cp libjpcap.jnilib /Library/Java/Extensions/


shell>cp ../../jpcap.jar /Library/Java/Extensions/


Download and run NetGrok

shell>wget http://netgrok.googlecode.com/files/netgrok20080928.zip

shell>unzip netgrok20080928.zip


shell>cd Netgrok


There's problem with the file groups.ini, you have to change this line

Private1=Wireless=192.168.0.0/16

To -

Private1-Wireless=192.168.0.0/16

Now you can run netgrok without problem -

shell>java -jar netgrok20080928.jar

Below are two screenshots I took -



You might want to check it out, it definitely supports pcap format file! For more information you can check out at NetGrok site.

Cheers (;])

Saturday, September 12, 2009

Argus 3: Situational Awareness(ratop)

You need to know the current state of the network, who is probing your network and services, who is consuming your bandwidth, what are the stuffs running in your network, the main question remains - How much you know about your network?

Then people talk about Situational Awareness, in fact Wikipedia has well-versed explanation about it where you can find here.

As network security operator, we look at Network Situational Awareness, in fact you can use Argus 3 for this purpose, I'm going to discuss about it here. There are few argus client tools that can be used for near Real Time Network Situational Awareness -

- ratop
- rasql/rasqlinsert
- ralabel

Ratop works just like top, it can connect to argus monitor and show network flow data in near real time view, it also offers vi-like feature, where you can use / to search for flows, and : as command mode to perform various actions such as network flow record filtering/sorting, flow record field reordering, or even extract flow record based on certain timespan in real time. To run ratop, you must have argus monitor running first -

shell>argus -mAJZRU 128 -P 561

Use ratop to connect to the argus monitor -

shell>ratop -S localhost:561

Here's the ratop screenshot -


To quit ratop, it is similar to exiting vi editor, just type :q and you will disconnect from argus monitor. You can see that ratop is very useful when comes to monitor your network in real time, while it doesn't offer you insightful information, it gives quick view of the layer2/3 network conversation. Other features such as sorting can be toggled on with :s, or filtering with :f.

This is considered part 1 which I have ratop covered, and for part 2 I'm going to discuss about rasql/rasqlinsert, then I will introduce ralabel in part 3. All of them are very effective tools for Network Situational Awareness.

Enjoy (:])

OpenDPI


I just came across this Open Source Deep Packet Inspection Engine, while I haven't tried it out, this project seems to be interesting. I just want to mention it in my blog so that I can search next time in case I forget -

http://opendpi.org/

You can check out it's manual and source code which is hosted at Google Code here.

Cheers (;])

Friday, September 11, 2009

Argus 3: OpenWRT Binary Blob

Here's the argus 3 binary blob that will work on OpenWRT KamiKaze 8.09(Linksys WRT54GL MIPS platform), if you are lazy to compile your own, and want to check it out, please do give it a try. Thanks to guti for hosting it -

http://gutizz.com/scripts/argusbinary/argus3-mips.tar.bz2

http://gutizz.com/scripts/argusbinary/argus3-mips.tar.bz2.md5.txt

All you need to do is download, verify, decompress, upload it to your OpenWRT, and run!

Enjoy (;])

Argus 3: Database Support

If you have followed argus mailing list, you should have known that Carter has implemented argus database client(rasql/rasqlinsert) to read/write/bla network flow records to database. I'm currently testing this feature and here's the preview for you -


Currently it seems to work on my testing machine. I will introduce more about the new argus client tools such as ralabel, rasql, rasqlinsert and etc in my coming posts.

Cheers (;])

Mac OSX: MYSQL Community Server

This is quick one to get Mysql Community Server running on OSX, download it from -

http://dev.mysql.com/downloads/mysql/5.1.html#macosx-dmg

Choose the dmg package which works for your platform and OSX version. In my case, I choose Mac OS X 10.5 (x86). So after you have it downloaded, it's all about click click install. Remember to install both Mysql server and its startup item package. You also need to copy the MySQL.prefPane to the right location so that it will show up in your System Preferences -

shell>sudo sudo cp -fR /Volumes/mysql-5.1.38-osx10.5-x86/MySQL.prefPane /Library/PreferencePanes/

To start Mysql server, run -

shell>sudo /Library/StartupItems/MySQLCOM/MySQLCOM start

To stop Mysql server, run -

shell>sudo /Library/StartupItems/MySQLCOM/MySQLCOM stop

To uninstall Mysql Community Server -

shell>sudo rm -rf /Library/StartupItems/MySQL*
shell>sudo rm -rf /Library/PreferencePanes/MySQL*
shell>sudo rm -rf /Library/Receipts/mysql-*
shell>sudo rm /usr/local/mysql
shell>sudo rm -rf /usr/local/mysql-*

And finally remove this line in /etc/hostconfig

MYSQLCOM=-YES-

All for now, I have been idle for a while and hopefully this is come back to be active me.

Cheers ;)