Monday, July 21, 2008

Unimas: Open Source Security Tools Talks


First of all, thanks to Unimas for the invitation, and to En. Ahmad who put in the effort to make it happen. Mel and I will be going to University Malaysia Sarawak (Unimas) tomorrow to give talks about Open Source Security Tools and how they can be very useful in either a corporate or an educational environment.

If you are interested in the topic and you are currently studying at Unimas, feel free to join us!

Enjoy ;]

Tuesday, July 15, 2008

Ubuntu: Netdude Manual Installation

I use netdude for pcap file editing; it's simple and straightforward since it is GUI based. However, the Ubuntu package is rather old (0.3.x) and I need the latest version, so here's a quick way to get the latest version of netdude installed on Ubuntu 8.04.

Download the latest versions of netdude, libpcapnav and libnetdude from here -

http://netdude.sourceforge.net/download.html

Then install all the necessary packages -

shell>sudo apt-get install stow

shell>sudo apt-get install build-essential

shell>sudo apt-get install libgtk1.2-dev

shell>sudo apt-get install libpcap0.7-dev

Decompress netdude, libpcapnav and libnetdude, and install them in this order - libpcapnav, libnetdude and then netdude. It should be pretty quick to get it done.

Enjoy ;]

Sunday, July 13, 2008

EmergingBro: HowTo

First of all, make sure you have Bro installed on your machine; you can download it at http://bro-ids.org. If you are using HeX, Bro is installed by default. Once installed, you may find that the directory structure of Bro looks like this -

shell>ls -la
total 34
drwxr-xr-x 15 analyzt wheel 512 Jul 10 17:36 ./
drwxr-xr-x 3 root wheel 512 Jul 10 07:51 ../
drwxr-xr-x 2 analyzt wheel 512 Jul 10 07:51 archive/
drwxr-xr-x 2 analyzt wheel 512 Jul 10 17:35 bin/
drwxr-xr-x 2 analyzt wheel 512 Jul 10 17:39 etc/
drwxr-xr-x 2 analyzt wheel 512 Jul 10 17:35 include/
drwxr-xr-x 2 analyzt wheel 512 Jul 10 17:35 lib/
drwxr-xr-x 3 analyzt wheel 1024 Jul 10 18:01 logs/
drwxr-xr-x 3 analyzt wheel 512 Jul 10 17:36 perl/
drwxr-xr-x 3 analyzt wheel 5120 Jul 10 17:59 policy/
drwxr-xr-x 2 analyzt wheel 512 Jul 10 07:51 reports/
drwxr-xr-x 2 analyzt wheel 512 Jul 10 17:36 scripts/
drwxr-xr-x 4 analyzt wheel 512 Jul 10 07:51 share/
drwxr-xr-x 2 analyzt wheel 512 Jul 11 22:50 site/
drwxr-xr-x 2 analyzt wheel 512 Jul 10 07:51 var/

Please take note of a few important directories -

policy directory contains all the policy and analysis scripts, which have the file extension .bro.

site directory contains the site policy files, which you can define or configure for a specific site.

logs directory contains all the log files that are generated by Bro.

etc directory contains the Bro configuration files for start-up and Bro environment variable settings.

Obtain the latest signatures from Emerging Bro -

shell>cvs -d:pserver:anonymous@cvs.emergingthreats.net:/cvsroot/bro co emerging-bro

shell>cd emerging-bro

shell>ls -l
total 14
drwxr-xr-x 7 analyzt wheel 512 Jul 10 07:58 ./
drwxr-xr-x 4 analyzt wheel 512 Jul 10 07:55 ../
drwxr-xr-x 2 analyzt wheel 512 Jul 10 11:23 CVS/
drwxr-xr-x 3 analyzt wheel 512 Jul 10 07:58 CVSROOT/
drwxr-xr-x 3 analyzt wheel 1024 Jul 10 18:24 rules/
drwxr-xr-x 4 analyzt wheel 512 Jul 10 18:28 scripts/
drwxr-xr-x 17 analyzt wheel 512 Jul 10 11:23 sigs/

sigs directory contains all the individual signatures, grouped by category.

rules directory contains the main signature file for each category. For example, emerging-bro-malware.sig contains all the signatures for the MALWARE category.

scripts directory contains all the policy and analysis scripts that are contributed by community members.

To perform a quick test, you can invoke the signature file using the command line option -

Set the Bro environment variables -

shell>. bro.cfg

Execute Bro -

shell>bro -s emerging-bro-all.sig -r whatever.pcap `hostname`

If you plan to run it in the long term, it's best to edit the file generated during make install-brolite. The file name starts with your hostname; for example it is raWPacket.bro in the HeX liveCD since my hostname is raWPacket. Just edit the following section in the file -

-----------------------------------------------------------------------
# To run signatures, uncomment the following line.
# @load brolite-sigs

@ifdef ( use_signatures )
# Load Bro signatures. This is the default file containing Bro
# signatures.
redef signature_files += "signatures";
@endif
-----------------------------------------------------------------------

To this -

@load brolite-sigs

redef signature_files += "emerging-bro-all.sig";

Please do note that the other policy scripts, especially brolite.bro, must be loaded in order for signatures to be invoked properly.
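Since Emerging-Bro is about turning Snort signatures into Bro ones, here is an added example (my own illustration, not the Emerging-Bro project's converter) that rewrites a small subset of Snort rule syntax into the Bro signature format that the configuration above loads. The rule it converts is constructed; the marker header, message and sid are placeholders, not ET rule content. Only msg, content/nocase, flow, literal ports and CIDRs are carried over; other options are reported as dropped so the result can be reviewed by hand.

```python
import re

# Snort option keywords the converter understands. Any other keyword
# (distance, within, pcre, byte_test, ...) is reported as dropped so the
# reader knows the Bro signature is looser than the rule it came from.
HANDLED = {"msg", "content", "nocase", "flow", "sid", "rev", "classtype", "reference"}
REGEX_META = set('.*+?()[]{}|^$\\/"')
_HEADER = re.compile(
    r"^alert\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$", re.S)
_CIDR = re.compile(r"^\d{1,3}(\.\d{1,3}){3}(/\d{1,2})?$")

# Constructed rule for the demonstration: the header name, message and sid
# are placeholders, not content of any ET rule.
EXAMPLE_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"CONSTRUCTED example HTTP '
    'request with marker header"; flow:established,to_server; '
    'content:"X-Example-Marker|3a 20|"; nocase; content:"probe"; distance:0; '
    'classtype:bad-unknown; sid:9000001; rev:1;)'
)


def split_options(body):
    """Split the rule body into (keyword, value) pairs. Bare modifiers such
    as nocase get value None; semicolons inside quoted strings are kept."""
    opts = []
    for part in re.findall(r'(?:[^;"]|"(?:[^"\\]|\\.)*")+', body):
        part = part.strip()
        if part:
            key, sep, val = part.partition(":")
            opts.append((key.strip(), val.strip().strip('"') if sep else None))
    return opts


def content_to_regex(content, nocase=False):
    """Turn a Snort content string into a flex-style regex fragment for a Bro
    payload condition: |xx yy| hex runs become \\xNN escapes, regex
    metacharacters are escaped, and with nocase every letter becomes a
    two-member character class (no case-insensitive flag is assumed)."""
    out = []
    for i, chunk in enumerate(content.split("|")):
        if i % 2:  # odd chunks sit between pipes and hold hex bytes
            out.extend("\\x%02x" % int(b, 16) for b in chunk.split())
            continue
        for ch in re.sub(r"\\(.)", r"\1", chunk):  # undo Snort's \; \" \\ escapes
            if nocase and ch.isalpha():
                out.append("[%s%s]" % (ch.lower(), ch.upper()))
            elif ch in REGEX_META:
                out.append("\\" + ch)
            else:
                out.append(ch)
    return "".join(out)


def snort_to_bro(rule):
    """Return (bro_signature_text, dropped_keywords) for one Snort alert rule."""
    m = _HEADER.match(rule.strip())
    if not m:
        raise ValueError("only single 'alert <proto> ... (...)' rules are handled")
    proto, src, sport, _direction, dst, dport, body = m.groups()
    proto = proto.lower()
    conds = ["ip-proto == %s" % proto]
    # Literal ports and CIDRs carry over. Snort variables ($HOME_NET,
    # $HTTP_PORTS) have no counterpart in the signature language, so they are
    # left out and must be handled by Bro policy instead.
    for cond, value in (("src-ip", src), ("src-port", sport), ("dst-ip", dst), ("dst-port", dport)):
        if (cond.endswith("-ip") and _CIDR.match(value)) or (cond.endswith("-port") and value.isdigit()):
            conds.append("%s == %s" % (cond, value))
    opts = split_options(body)
    msg, sid, payload, dropped = "unnamed", "0", [], []
    for i, (key, val) in enumerate(opts):
        if key == "msg":
            msg = val
        elif key == "sid":
            sid = val
        elif key == "flow" and proto == "tcp":
            # to_server is the originator side of the connection, to_client the responder side
            state = ["established"] if "established" in val else []
            if "to_server" in val:
                state.append("originator")
            if "to_client" in val:
                state.append("responder")
            if state:
                conds.append("tcp-state " + ",".join(state))
        elif key == "content":
            # nocase modifies the content it follows, so look ahead up to the next content
            rest = [k for k, _ in opts[i + 1:]]
            upto = rest.index("content") if "content" in rest else len(rest)
            payload.append(content_to_regex(val, nocase="nocase" in rest[:upto]))
        elif key not in HANDLED:
            dropped.append(key)
    if payload:
        # Bro matches the payload regex from the start of the payload, hence the
        # leading .*; successive contents are joined with .* (order kept,
        # distance/within not modelled).
        conds.append("payload /.*%s/" % ".*".join(payload))
    conds.append('event "%s"' % msg)
    text = "signature sid-%s {\n%s\n}\n" % (sid, "\n".join("  " + c for c in conds))
    return text, dropped


if __name__ == "__main__":
    text, dropped = snort_to_bro(EXAMPLE_RULE)
    print(text)
    if dropped:
        print("# dropped Snort options, review by hand: " + ", ".join(dropped))
```

Run it and paste the printed signature into a .sig file referenced by signature_files; the dropped list tells you which Snort constraints (here distance) the Bro version no longer enforces, so the converted signature can fire more often than the original rule.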

Enjoy ;]

Wednesday, July 09, 2008

DefCraft: Official Launching

After long consideration, I have decided to start a company that focuses on security research, development and consultancy. The company name is straightforward - Defensive Craft (DefCraft).

The company offers a wide range of consulting services in specific domains; here's the list -
  • Network and Web Application Security Assessment
  • Network Security Architecture Planning & Deployment
  • Network Security Monitoring Implementation
  • Network Security Architecture Auditing
  • Network Device Testing & Evaluation
  • Network Based Forensics
  • Network Profiling Operation
  • Incident Response & Handling
  • Digital Security Training
If you have any inquiries, please feel free to contact me.

Contact Number: 016 415 9873
Contact Email: defcraft at gmail dot com

For more information, you can check out -

http://www.defcraft.net

The company has its own blog too, where we will blog about what we do behind the lab -

http://blog.defcraft.net

On the other hand, I will still contribute my free time to the various open source projects that I'm working on, since this is part of the company principles I'm emphasizing.

Saturday, July 05, 2008

Emerging Bro

I'm sure not many have heard of Bro compared to Snort in the NIDS arsenal. While both actually apply different approaches to intrusion detection, they are the Open Source NIDS I like to use to complement each other in different setups and deployments.

I'm now working closely with Matt Jonkman from EmergingThreats (ET) to start a new project called Emerging-Bro. Basically, the project is about converting the set of latest signatures from Snort to Bro so that Bro operators can take advantage of them. You can find more information in the announcement here -

http://www.emergingthreats.net/content/view/80/1/

If you are a Bro operator, you might ask why I'm doing this, as Bro is more focused on policy and analysis script development to detect network events (be they normal or abnormal) instead of relying on signature matching in the byte stream. There are reasons why I'm doing this, and I'm going to explain them here -

Edge
Emerging-Bro will only focus on the latest or critical signatures from ET, therefore the project is more concerned with the latest/critical attacks, because most networks are more vulnerable to newly discovered attacks than to old ones, and detecting and preventing them at the network boundary is much more important. Currently there are about 100 of the latest signatures converted from ET to Emerging-Bro, and if you think a certain Snort signature should be included, please do let me know.

Leverage
The signature set that is developed by EmergingThreats usually gives attackers a small time window and reduces the outbreak period significantly, hence you can be pretty quick in detecting the initial stage of new attacks. Bro operators can take advantage of this if they can monitor the new attack in time and quickly develop a more complete detection scheme with Bro policy scripts.

Requests
Yes, according to Matt, there are requests for it; on and off there are people on the Bro mailing list asking about the availability of Bro signatures, so why not do it to help the community?

I think these give enough reasons for me to work on the project. But providing the latest signatures is not the end of Emerging-Bro. I greatly appreciate the help from Seth Hall for stepping up and discussing the direction of the project with me, and we both agree that it should be the platform for people to share or contribute their policy/analysis scripts as well. Currently he has his own development repository here and I will import them to Emerging-Bro.

For the moment, you can access and download all the signatures at -

http://www.emergingthreats.net/bro/

Enough for now. This project is also part of the reason why I haven't been blogging much for the last two weeks, as I have devoted my free time to it. I would like to thank Matt and Seth for the collaboration work, and also the Bro developers for their endorsement!

Cheers (;])

Wednesday, July 02, 2008

Davix: Review

From Davix's main site -

DAVIX, a live CD for data analysis and visualization, brings the most important free tools for data processing and visualization to your desk. There's no hassle with installing an operating system or struggle to build the necessary tools to get started with visualization. You can completely dedicate your time to data analysis.

The statement above is definitely right about the DAVIX liveCD!!!!!

When people ask me which liveCDs I use frequently, I always advocate these 3 -

1. HeX liveCD (Network Based Forensics)
2. BackTrack liveCD (Penetration Testing)
3. Helix liveCD (Digital Forensics)

I have mentioned many times that I prefer liveCDs which focus very well on a specific domain, and DAVIX is really one of those. Undoubtedly I would love to include DAVIX in my CD folder.

Before I start anything serious, let's view the screenshot after startup from the liveCD -


It's based on SLAX, and I guess most people know how good SLAX is after trying out BackTrack. DAVIX takes advantage of SLAX's modularity, stability and hardware support; I have tested it with my own hardware and it works pretty well.

If you are familiar with Linux desktop solutions, you will definitely recognize from the screenshot that it is using KDE. Though I'm not a fan of KDE, KDE is always simple and easy to use for general users. Much of the system configuration can be done via the GUI, so it saves a lot of hassle figuring out how to get the system working for you.

On top of that, DAVIX offers very informative resources for users to get a great kickstart in learning data capturing, processing and visualization by providing a set of Firefox bookmark toolbars. You can easily access all the information required to study the topic, which reduces the time spent studying certain tools and learning visualization techniques, and it also saves you from the googling hassle. I like the idea of the toolbar organization in Firefox.

On the other hand, DAVIX also comes with its own manual, which is about 108 pages; you can access it via KDE menu -> DAVIX -> DAVIX Manual. If you are serious about learning data visualization with DAVIX, I suggest you start with its manual instead of playing around with the desktop without knowing what to do. It contains the basic guide on how to use all the tools that are delivered in DAVIX, and the best part is that you can follow the manual and learn it practically with all the tools available in DAVIX.

There are 3 main categories listed in the KDE menu: Capture, Process, and Visualize. Capture contains tools for you to perform data logging, especially of network data. Process contains tools to perform data processing so that the processed output can be parsed by the visualization tools. Visualize mainly contains all the tools for you to visualize the data set by generating different kinds of images, diagrams or graphs. As I have mentioned, you can just learn all the tools shipped by DAVIX with the comprehensive manual itself.

So what are the tools shipped with DAVIX? There are way too many for me to cover here, however here are my favourites -

1. Rumint
2. Tnv
3. Afterglow
4. Inetvis
5. Etherape
6. Gnuplot
7. Rrdtools
8. Mrtg
9. Wireshark

This is more of a preference thing, as I have used those tools previously and am familiar with them; I will need to explore the potential of the other tools which I have never used before. If you want to learn how those tools work, you can actually refer to the DAVIX manual, and then refer to the example data sets which you can find in /usr/local/share/*. Different tools may support different kinds of data formats, so that may require some learning curve. But the real question lies in what kind of visualization technique should be applied to the data set you have so that it makes the most sense.

After talking about all the good things, I still think there are a few things worth improving.

1. Log sample
As this is the liveCD for data analysis and visualization, besides the example data sets it has in /usr/local/share/*, it should provide a set of sample logs (apache, postfix, exim, proftpd and so on). Then demonstrating how to format them to feed those visualization tools would be great.

2. Fat taskbar
You may notice in the screenshot that the taskbar is quite big (a double taskbar). There is nothing wrong with this, but if I had to offer a liveCD for visualization purposes, I would prefer to have everything slicker to give more space to display the images that I have generated from the data.

3. Unified keyboard shortcut
This is just my idea. When I work with images, I always like to zoom in and out. Zooming in allows you to focus on detail; zooming out, on the other hand, can improve the macro view to understand the ratio or distribution of data. I do know different tools have always defined different keyboard shortcut layouts. If zoom (in/out) used the same set of shortcut keys across all the tools in DAVIX, that would be really great. I'm glad DAVIX offers gqview as the main application to display images, as that's my favorite one with its easy-to-use interface.

4. Installer
Currently it comes with the BackTrack Installer, which is quite experimental; it needs some work to get it installed. I have tested the installer and it works fine (if you know what you are doing). I'm looking forward to an easy installer in future.

By the way, one might ask why one should use DAVIX. Simple enough: take the old cliche "A Picture Is Worth A Thousand Words". Using the correct visualization techniques to process your thousand-line log files, to be honest, lets you do more with less; it saves your time and brain power to focus on something more important.

Guess I should end my review about DAVIX here. In case you are interested in trying out DAVIX -

DAVIX is also part of Raffael's upcoming book Applied Security Visualization, which will be published by Addison-Wesley.

Currently, DAVIX is only available to beta testers. To participate in testing, please contact jan.monsch at iplosion.com.

Thanks to the DAVIX development team for allowing me to participate in beta testing; later is better than never. I do know developing a liveCD requires hard work if you want to build a solid one, kudos!

Update Note:
DAVIX developer Jan P. Monsch has informed me that he has actually made the taskbar slicker now in the new version of DAVIX; thanks for taking my input positively.

Enjoy (;])

Tuesday, July 01, 2008

Snort 3.0 Beta

If you are interested in checking out what's offered by the latest Snort, now you have it. Kudos to the Snort development team!!!!!

http://www.snort.org/dl/snortsp/

I haven't tried it out personally yet, but you should!

Enjoy ;]

Tuesday, June 24, 2008

Earthquake? or Storm .....

The terrible disaster .....



The beijing.exe is actually the Storm variant. I thought they were only making use of festivals; it seems they don't let a single chance go by, even using a disaster (popularity counts). That's going too far from humanity.

If you run it, it's really a disaster!

Peace :[

Sunday, June 22, 2008

For Real?

It's year 2008 now, but .....

ZzZzzzz .....

Peace ;]

Friday, June 20, 2008

Good Read on Bro's Signature Engine

The ICIR blog is always informative, and I'm quite pleased with the latest post about Bro's Signature Engine.

I just learned a few things that I didn't know from the post, and it appears that Bro uses flex's regular expression syntax. It is important to understand which condition to use when writing a signature.

Otherwise, take a good read of Things To Keep In Mind When Writing Signatures; that section is particularly useful if you are interested in writing Bro sigs.

Peace ;]

Wednesday, June 18, 2008

Forensics Tools

I have to do some forensics work, and the tools below are very handy -

http://www.afflib.org/

http://www.pyflag.net/cgi-bin/moin.cgi


http://ftimes.sourceforge.net/FTimes/

http://p2pmarshal.atc-nycorp.com/

Cheers ;]

M$: Server Hardening & Auditing

Don't laugh, sometimes you have to deal with this whether you like it or not.

I'm looking for tools to perform M$ Windows Server Hardening & Auditing. I know Microsoft Baseline Security Analyzer and IIS Lockdown, but are there other tools you use to assist you in Hardening & Auditing operations, such as hardening registry keys, auditing Active Directory and so forth?

If your job is managing an M$ Server Farm, how do you perform your task to make sure all servers have the same set of configuration and policy, and that they are all monitored properly?

I would like to hear from you; recommend me good tools and methods of doing these. There's no real secure OS, there's only a capable or bullshit sysadmin!

Wake up sysadmin, system security is part of your job .....

Enjoy ;]

Tuesday, June 17, 2008

HeX 021: Learning PCRE and its performance

PCRE stands for Perl Compatible Regular Expressions; it is mainly used for pattern matching. If you want to learn more about PCRE, take a good read of its manual pages -

shell>man pcre

shell>man pcrematching

shell>man pcrepartial

shell>man pcrepattern

shell>man pcreperform

So why do you need to learn regular expressions (regex)? Here's the answer -

http://geek00l.blogspot.com/2006/12/regex-magic-for-netsexcanalyst.html

Next, look at the tool that comes with pcre - pcretest. As the name implies, you can use pcretest to test your regex. Let's go -

shell>pcretest --help
Usage:     pcretest [options] [<input file> [<output file>]]

Input and output default to stdin and stdout.
This version of pcretest is not linked with readline().

Options:
  -b       show compiled code (bytecode)
  -C       show PCRE compile-time options and exit
  -d       debug: show compiled code and information (-b and -i)
  -dfa     force DFA matching for all subjects
  -help    show usage information
  -i       show information about compiled patterns
  -m       output memory used information
  -o <n>   set size of offsets vector to <n>
  -p       use POSIX interface
  -q       quiet: do not output PCRE version number at start
  -S <n>   set stack size to <n> megabytes
  -s       output store (memory) used information
  -t       time compilation and execution
  -t <n>   time compilation and execution, repeating <n> times
  -tm      time execution (matching) only
  -tm <n>  time execution (matching) only, repeating <n> times

If you have already read the man pages above, you should be able to understand some of the options. I normally use the option -C to check the compile-time options first -

shell>pcretest -C
PCRE version 7.7 2008-05-07
Compiled with
UTF-8 support
Unicode properties support
Newline sequence is LF
\R matches all Unicode newlines
Internal link size = 2
POSIX malloc threshold = 10
Default match limit = 10000000
Default recursion depth limit = 10000000
Match recursion uses stack

Another option I usually use is -t to measure the compilation and execution time of a particular regex I write.

shell>pcretest -t
PCRE version 7.7 2008-05-07

re>

So you may see the prompt go into interactive mode - re>. It is for you to define your regex; bear in mind that your regex must use forward slashes as the delimiter, for example -

re>/[a-z0-9]+/

This means your regex is [a-z0-9]+. Once you press enter you will see this -

Compile time 0.0028 milliseconds
data>

You may notice the compile time for this regex is 0.0028 milliseconds. Now try to put in any data to see if it matches the regex,

data>ABC

Once you hit enter, you will see this -

Execute time 0.0008 milliseconds
No match

The execution time is 0.0008 milliseconds and there's no match. Let's change the data -

data> abc
Execute time 0.0004 milliseconds
0: abc

We can now see the execution time is 0.0004 milliseconds and the data matches the regex.

You can also measure the compile time of multiple regexes on the fly by defining them in a file instead of using interactive mode. For example, I write the lines below to a file - pcre-testing.txt

/\d{,10000}/

/([a-z0-9]+)?/i

Do remember that if you want to test multiple regexes at once, you have to separate them with a blank line; you can't do it like this, as it will incur errors -

/\d{,10000}/
/([a-z0-9]+)?/i

Now we can run this -

shell>pcretest -t pcre-testing.txt
PCRE version 7.7 2008-05-07

/\d{,10000}/
Compile time 0.0032 milliseconds

/([a-z0-9]+)?/i
Compile time 0.0054 milliseconds
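To get the same compile/execute timing from a script, here is an added example (not from the original post) that uses Python's re module, which like PCRE is a backtracking matcher. It times the post's /[a-z0-9]+/ against "ABC" and "abc" in pcretest's layout, and then shows the caveat the pcreperform man page warns about: a nested quantifier on a subject that almost matches makes execution time explode, while an un-nested regex for the same strings stays flat. Patterns and subjects are constructed, and the milliseconds it prints will not equal pcretest's.

```python
import re
import time


def time_pattern(pattern, subject, repeats=1000, flags=0):
    """Compile `pattern`, run it against `subject` `repeats` times and return
    the compile time, the per-run execute time (both in milliseconds, like
    pcretest -t) and the matched text, or None where pcretest prints No match."""
    re.purge()  # empty the module's pattern cache so the compile is really timed
    t0 = time.perf_counter()
    compiled = re.compile(pattern, flags)
    compile_ms = (time.perf_counter() - t0) * 1000.0

    t0 = time.perf_counter()
    for _ in range(repeats):
        m = compiled.search(subject)  # unanchored search, as pcre_exec does
    exec_ms = (time.perf_counter() - t0) * 1000.0 / repeats

    return {"compile_ms": compile_ms, "exec_ms": exec_ms,
            "match": m.group(0) if m else None}


def compare_nested_quantifier(n=16):
    """The pcreperform caveat: ^(a+)+$ on "aaaa...a!" cannot match, and the
    nested quantifier makes the engine try every way of splitting the run of
    a's before giving up (exponential in n). ^a+$ accepts the same strings but
    fails after one pass. Returns both timings for a constructed subject."""
    subject = "a" * n + "!"  # constructed: nearly matches, then fails at "!"
    return {"nested": time_pattern(r"^(a+)+$", subject, repeats=1),
            "flat": time_pattern(r"^a+$", subject, repeats=1)}


def report(label, result):
    """Print one result in the layout pcretest uses."""
    print(label)
    print("Compile time %.4f milliseconds" % result["compile_ms"])
    print("Execute time %.4f milliseconds" % result["exec_ms"])
    print("No match" if result["match"] is None else "0: " + result["match"])
    print()


if __name__ == "__main__":
    # The post's own regex and subjects.
    report("/[a-z0-9]+/ on ABC", time_pattern(r"[a-z0-9]+", "ABC"))
    report("/[a-z0-9]+/ on abc", time_pattern(r"[a-z0-9]+", "abc"))
    # The backtracking caveat: same language, very different cost to reject.
    both = compare_nested_quantifier()
    report("/^(a+)+$/ on a*16 + !", both["nested"])
    report("/^a+$/ on a*16 + !", both["flat"])
```

For IDS signatures this is the number that matters: a regex that takes microseconds to accept can take seconds to reject the wrong input, and a sensor spends most of its time rejecting, so time the non-matching cases too.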

There are other options that you may want to try out, but I think I have given you enough of a guide to carry on. You may be interested in reading some of my related posts here -

http://geek00l.blogspot.com/2007/11/regex-learning-tool-kregexpeditor.html

http://geek00l.blogspot.com/2007/07/visualregexp-nice-regex-learning-tool.html

I advocate pcretest because it comes with pcre and is available in HeX, and you can evaluate the performance of a regex quickly.

Enjoy (;])

Wednesday, June 11, 2008

HeX 2.0: Sneak Peek

We bring you the HeX 2.0 quick preview (it's really just a view)!!!!!

FreeBSD 7.0-STABLE, is it real?

Sguil Client 0.7 is here!

Where's the monkey, morphing into lobster?

Stop snorting, oink oink!!!!!

Don't you think it is sexy when the shark is on the wire?

Ask for more? Be patient!!!!!

Cheers (;])

Monday, June 09, 2008

MSN IM -> Blogspot -> Pr0ning

I came across this seductive message, and it contains a link that I couldn't resist clicking, since it was sent by horny ladies; the link must be legitimate -

http://cux7850mdmk.blogspot.com

Once you click on it, that blog will bring you to another site, which is -

http://66.111.45.170/cams/1/

You can see below what is loaded when you go to the blog that is set up for malicious purposes -

The cut-down, zoomed-in version -

<META http-equiv="refresh" content="0;URL=http://66.111.45.170/cams/1/">

I manually checked http://66.111.45.170/cams, and you might enjoy the screenshot -


Let's see what is in http://66.111.45.170/cams/1/; the content location is actually at -

http://66.111.45.170/cams/1/index.htm

And the index.htm contains -

<meta http-equiv="refresh" content="0; URL=http://www.xxxblackbook.com/?s=register&r=lc129795">

Now you should be happy to land at this page, so let's register as a member.


It's rather easy to get someone to click on a "legitimate-looking" link this way compared to email spam these days. We see the use of meta http-equiv="refresh", and you can find information about it here -

http://www.html-reference.com/META_httpequiv_refresh.htm
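As an added example (not part of the original post), the script below follows a chain of meta http-equiv="refresh" hops offline, so an analyst can see where a "legitimate-looking" link finally lands without loading any of the pages in a browser. The pages are constructed stand-ins for the hops above, served from a dict instead of the network; hostnames and the affiliate id are placeholders. It stops on a landing page (no refresh), a loop, an unfetchable URL or the hop limit, and resolves relative targets against the page they came from.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin


def parse_refresh_content(content):
    """Parse the content attribute of a refresh meta tag: 'N; URL=target'.
    'URL=' is optional and case-insensitive, the target may be quoted.
    Returns (delay_seconds, target) or None if no target is given."""
    head, sep, rest = content.partition(";")
    if not sep:
        return None
    try:
        delay = int(head.strip() or 0)
    except ValueError:
        return None
    rest = rest.strip()
    if rest[:4].lower() == "url=":
        rest = rest[4:].strip()
    rest = rest.strip("'\"")
    return (delay, rest) if rest else None


class MetaRefreshParser(HTMLParser):
    """Records the first <meta http-equiv="refresh"> target in a document."""

    def __init__(self):
        super().__init__()
        self.delay = None
        self.target = None

    def handle_starttag(self, tag, attrs):
        if tag != "meta" or self.target is not None:
            return
        attrs = {k.lower(): (v or "") for k, v in attrs}
        if attrs.get("http-equiv", "").lower() != "refresh":
            return
        parsed = parse_refresh_content(attrs.get("content", ""))
        if parsed:
            self.delay, self.target = parsed


def follow_refresh_chain(start, fetch, max_hops=10):
    """Follow meta refreshes from `start`. `fetch(url)` returns the page's
    HTML or None. Returns (urls_visited, status) with status one of
    'landed' (page without a refresh), 'loop', 'max_hops' or 'unfetched'."""
    chain, seen, url = [start], {start}, start
    for _ in range(max_hops):
        html = fetch(url)
        if html is None:
            return chain, "unfetched"
        p = MetaRefreshParser()
        p.feed(html)
        if p.target is None:
            return chain, "landed"
        url = urljoin(url, p.target)  # refresh targets may be relative
        chain.append(url)
        if url in seen:
            return chain, "loop"
        seen.add(url)
    return chain, "max_hops"


# Constructed pages standing in for the hop sequence in the post: a blog page
# whose only job is to bounce, an intermediate redirector and the landing
# page. Hostnames and the affiliate id are placeholders.
PAGES = {
    "http://blog.example/post": (
        '<html><head><META http-equiv="refresh" '
        'content="0;URL=http://redirector.example/cams/1/"></head>'
        "<body>nothing to see</body></html>"
    ),
    "http://redirector.example/cams/1/": (
        '<meta http-equiv="refresh" '
        'content="0; URL=http://landing.example/?s=register&amp;r=AFFILIATE_ID">'
    ),
    "http://landing.example/?s=register&r=AFFILIATE_ID": "<html><body>landing page</body></html>",
}

# Constructed two-page loop, to exercise the loop guard.
LOOP_PAGES = {
    "http://a.example/": '<meta http-equiv="refresh" content="0;url=/b">',
    "http://a.example/b": '<meta http-equiv="refresh" content="0;url=http://a.example/">',
}


if __name__ == "__main__":
    chain, status = follow_refresh_chain("http://blog.example/post", PAGES.get)
    for i, hop in enumerate(chain):
        print("%d: %s" % (i, hop))
    print("status:", status)
```

With real captures, `fetch` would return saved page bodies keyed by URL (from a proxy log or a sandbox), which keeps the analyst's machine from ever requesting the landing page.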

During a discussion at freenode #rawpacket, my friend scholar pointed me to related information here -

http://spamtrackers.eu/wiki/index.php?title=Blogspot

Enjoy ;]

Sunday, June 01, 2008

Network Flow: Uni-Directional VS Bi-Directional

If you are working on network flow research, you should have heard about Uni-Directional and Bi-Directional Network Flow. I will try to explain what they are here. Let's take a quick look at what a network flow is first -

A Network Flow is the sequence of packets (or a single packet) that belongs to a certain network session (conversation) between two endpoints, but delimited by the settings of the flow generation tool. To cut it short, it provides network traffic summarization by metering or accounting certain attributes of the network session.

The endpoints here are defined as below -

Layer 2 Endpoint - Source Mac Address | Destination Mac Address
Layer 3 Endpoint - Source IP Address | Destination IP Address
Layer 4 Endpoint - Source Port | Destination Port

Before we dive into understanding UniFlow and BiFlow, let's look at the definitions of Uni and Bi here -

http://www.yourdictionary.com/uni-prefix

http://www.yourdictionary.com/bi-prefix

Uni - one; having or consisting of one only; regarded as a single entity

Bi - using two or both; joining two, combining or involving two

In the context of Uni/Bi-Directional Flow, Uni means single, Bi means both. Now, let's make it clearer.

Uni-Directional = Single Directional

Bi-Directional = Both Directional

I put up the illustration in the diagrams below.

Uni-Directional Flow


Bi-Directional Flow

Now I will give a simple example: host A sends 90 bytes to host B and host B replies with 120 bytes. Here's the output -

Uni-Directional Network Flow
Srcaddr   Direction   Dstaddr   Total Bytes
Host A    ->          Host B    90
Host B    ->          Host A    120

Bi-Directional Network Flow
Srcaddr   Direction   Dstaddr   Total Bytes   Src Bytes   Dst Bytes
Host A    <->         Host B    210           90          120

The Srcaddr and Dstaddr are the endpoints here. In a Uni-Directional Flow, you only see the total bytes sent by Host A (an attribute of Host A) but nothing about Host B in the first flow record. Then the next record shows Host B sending 120 bytes to Host A (an attribute of Host B). The total bytes are accounted from a single endpoint (either Host A or B) only. But in a BiFlow, you can see that Host A sends 90 bytes (Source Bytes) and Host B replies with 120 bytes (Destination Bytes). The total bytes are the accumulation of source and destination bytes. To summarize them -

Uni-Directional Network Flow Model - One direction at a time; every flow record contains the attributes of a single endpoint only.

Bi-Directional Network Flow Model - Both directions at a time; every flow record contains the attributes of both endpoints.

Theory is tough sometimes, here's a practical sample -

Cisco NetFlow uses the Uni-Directional model for flow generation

Argus uses the Bi-Directional model for flow generation

To draw a good picture of Uni-Directional and Bi-Directional Network Flow, it's best to compare them.

1. Network Flow data which is generated by Argus 3 natively
2. Network Flow data which is generated by Cisco NetFlow version 5

The flow records below are generated from the same network session. You can examine them closely by clicking on them.

Cisco NetFlow(UniFlow):


Argus(BiFlow):


Flow record property:
SrcAddr = Source Address
Sport = Source Port
Dir = Direction
DstAddr = Destination Address
Dport = Destination Port
SrcPkts = Source Packets
DstPkts = Destination Packets
TotPkts = Total Packets
SrcBytes = Source Bytes
DstBytes = Destination Bytes
TotBytes = Total Bytes

Sometimes I like to think that UniFlow is stateless and BiFlow is stateful.

I will continue writing this Network Flow series, and I hope you enjoy it. Stay tuned for the next one - Traffic Matrix. And of course the HeX 021 series too.

Argus 3 Tip:
You can convert Argus BiFlow to UniFlow by using the -M rmon option.

Peace (;])

Friday, May 30, 2008

Network Flow: TopN

There are a lot of questions popping up on and off on the argus mailing list regarding how to generate TopN output from argus data, but frequently you may find the questions are too rough to give a complete answer.

I'm going to discuss TopN this time. TopN is a technique that is widely used in many industries; what is it for?

TopN is used to retrieve the first N records from the data based on a certain object and ordered by one of its properties. Since I'm talking about Network Flow, I would like to make the example using it.

Data: Network Flow Record
Object: Protocol, Network, IP(host), Port, etc
Object Property: Packet Count, Byte Count, etc

Bear in mind that I'm avoiding the use of Flow terminology in favour of layman's terms so that this example can be understood easily.

If you want to use the TopN technique to generate information from the network flow data, first you need to know what you are looking for. Let's go with a simple one -

I want to find out Top 5 IP ordered by Total Packet Count

Total Packets Per IP (host) = (packets sent + packets received) Per IP (host)

Now you run the argus client commands to parse the data and generate exactly the result, which looks like this -

shell>racluster -M rmon -m saddr -nr testing.arg3 -w - | \
rasort -m pkts -w - | \
ra -L0 -N 5 -s saddr pkts

SrcAddr TotPkts
172.16.1.108 993
193.231.236.41 824
211.185.125.124 178
172.16.1.103 56
211.180.229.190 36

The command above generates the Top 5 IPs ordered by Packet Count. Don't ask me about the command line; it looks complicated for now but that's not my point here, look at the output instead. Host 172.16.1.108 sends or receives 993 packets, followed by 193.231.236.41 and so forth.

Now if you want to locate the Top 5 IPs ordered by Byte Count, you can just run -

shell>racluster -M rmon -m saddr -nr testing.arg3 -w - | \
rasort -m bytes -w - | \
ra -L0 -N 5 -s saddr bytes

SrcAddr TotBytes
172.16.1.108 599949
193.231.236.41 579050
211.185.125.124 18901
172.16.1.103 4964
216.168.224.69 3458

If you want to use TopN, you should draft out the TopN output you are looking for. I have seen questions like this -

1. Which is the most active network?
2. Who is the most active sender?
3. Who is the most active receiver (got ddos?)

Or worse,

How can I find out the top talkers?

These kinds of questions are too loose; you should at least specify the property, such as the most active sender ordered by packet count, or the most active network ordered by byte count and so forth. You have to bear in mind that packet count and byte count do not go in line: you can have one host sending many small packets which won't hit the TopN byte count at all.

With this kind of idea in mind, you can build a list of TopN queries which can draw you a good picture of network activeness to solve different issues.
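As an added example (my own code, not argus client output), the script below models both the Uni/Bi-Directional flow records from the Network Flow post and the TopN queries from this one: it folds constructed uni-directional records into bi-directional ones, splits those back into one record per endpoint in the spirit of the -M rmon tip, and then computes Top 5 hosts by packet count and by byte count. The records are constructed with documentation address ranges, and the data set is chosen so that the two orderings differ, which is the point made above about packets and bytes not going in line.

```python
# Constructed uni-directional records, one per direction with counters for
# that direction only (what a NetFlow v5 exporter hands over).
UNI_RECORDS = [
    # The Network Flow post's example: host A sends 90 bytes to B, B replies with 120.
    {"proto": "tcp", "saddr": "192.0.2.10", "sport": 40000, "daddr": "192.0.2.20", "dport": 80, "pkts": 1, "bytes": 90},
    {"proto": "tcp", "saddr": "192.0.2.20", "sport": 80, "daddr": "192.0.2.10", "dport": 40000, "pkts": 1, "bytes": 120},
    # Many small packets (DNS-like chatter) ...
    {"proto": "udp", "saddr": "192.0.2.10", "sport": 40001, "daddr": "192.0.2.53", "dport": 53, "pkts": 200, "bytes": 12000},
    {"proto": "udp", "saddr": "192.0.2.53", "sport": 53, "daddr": "192.0.2.10", "dport": 40001, "pkts": 200, "bytes": 24000},
    # ... versus few large packets (a download).
    {"proto": "tcp", "saddr": "192.0.2.30", "sport": 50123, "daddr": "192.0.2.20", "dport": 80, "pkts": 20, "bytes": 1500},
    {"proto": "tcp", "saddr": "192.0.2.20", "sport": 80, "daddr": "192.0.2.30", "dport": 50123, "pkts": 30, "bytes": 42000},
]


def uni_to_bi(uni_records):
    """Fold uni-directional records into bi-directional ones. The first record
    seen for a 5-tuple fixes the flow's source (the initiator); a record with
    the reversed 5-tuple is folded in as the destination side. Repeated
    records for the same direction (several export intervals) accumulate."""
    flows = {}
    for r in uni_records:
        fwd = (r["proto"], r["saddr"], r["sport"], r["daddr"], r["dport"])
        rev = (r["proto"], r["daddr"], r["dport"], r["saddr"], r["sport"])
        if fwd in flows:
            key, side = fwd, "s"
        elif rev in flows:
            key, side = rev, "d"
        else:
            flows[fwd] = {"proto": r["proto"], "saddr": r["saddr"], "sport": r["sport"],
                          "daddr": r["daddr"], "dport": r["dport"],
                          "spkts": 0, "dpkts": 0, "sbytes": 0, "dbytes": 0}
            key, side = fwd, "s"
        flows[key][side + "pkts"] += r["pkts"]
        flows[key][side + "bytes"] += r["bytes"]
    return list(flows.values())


def bi_to_rmon(bi_records):
    """Model of the -M rmon tip: each bi-directional record becomes two
    records, one per endpoint, so every host appears once as saddr with the
    packets/bytes it sent (s*) and received (d*) in that flow."""
    out = []
    for f in bi_records:
        out.append(dict(f))
        out.append({"proto": f["proto"], "saddr": f["daddr"], "sport": f["dport"],
                    "daddr": f["saddr"], "dport": f["sport"],
                    "spkts": f["dpkts"], "dpkts": f["spkts"],
                    "sbytes": f["dbytes"], "dbytes": f["sbytes"]})
    return out


def topn_hosts(rmon_records, prop, n=5):
    """TopN: aggregate rmon records by saddr, order by the host's total
    (sent + received) of `prop` ("pkts" or "bytes"), return the first n as
    (host, total). Ties are broken by address so the order is stable."""
    totals = {}
    for r in rmon_records:
        totals[r["saddr"]] = totals.get(r["saddr"], 0) + r["s" + prop] + r["d" + prop]
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def print_table(rows, header):
    print("  ".join("%-14s" % h for h in header))
    for row in rows:
        print("  ".join("%-14s" % v for v in row))


if __name__ == "__main__":
    bi = uni_to_bi(UNI_RECORDS)
    print_table([(f["saddr"], "<->", f["daddr"], f["spkts"] + f["dpkts"],
                  f["sbytes"] + f["dbytes"], f["sbytes"], f["dbytes"]) for f in bi],
                ["SrcAddr", "Dir", "DstAddr", "TotPkts", "TotBytes", "SrcBytes", "DstBytes"])
    rmon = bi_to_rmon(bi)
    print("\nTop 5 hosts by packet count")
    print_table(topn_hosts(rmon, "pkts"), ["SrcAddr", "TotPkts"])
    print("\nTop 5 hosts by byte count (note the different order)")
    print_table(topn_hosts(rmon, "bytes"), ["SrcAddr", "TotBytes"])
```

With this data 192.0.2.10 tops the packet list (402 packets) while 192.0.2.20 tops the byte list (43710 bytes); the same host ranks third and fourth respectively in the other list, which is exactly why a TopN question must name the property it is ordered by.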

For the next round, I will introduce Traffic Matrix, stay tuned!

Enjoy (;])

Thursday, May 29, 2008

Laptop: Alternatives For Security Road Warrior

Which laptop model are you using? This is my question today. I have been looking for a laptop of choice for myself; as a security road warrior, I prefer it to be -

1. Lightweight (small/medium size and compact)

2. Black and solid look

3. Minimum 150G of disk and 4G of RAM

4. Great keyboard touch and build (old ThinkPad?)

5. 12-14 inch display

6. Good battery life

7. FreeBSD/Linux compatible, or I will use VMware/VirtualBox

Currently there are 3 laptop models I have in mind -

1. Macbook Black

2. Thinkpad T61

3. Dell Xps m1330

What do you think, and what's your favorite laptop if you work in the security industry and you need to travel frequently? I'm looking forward to any good suggestions and sharing. Thanks!

Peace ;]

Wednesday, May 28, 2008

HeX 021 Series

I will start this HeX Zero To One (021) Series in my blog while HeX 2.0 is in active development, and all of it will be imported into the HeX Handbook. In future, my posts with the title prefix HeX 021: belong to the series.

Enjoy ;]

HeX: From Zero To One

These days, I have encountered questions like these,

1. How can I be an efficient network security analyst?

2. Is there a quick path or shortcut to be one?

3. I'm just a system administrator/programmer and don't know crap about security; I'm interested in it but don't know where to start?

4. There are so many resources on the internet; what's the specific knowledge required to be a network security analyst so that I can focus more on particular subjects?

If you are a student, or just starting to work as a network security analyst, I hope this post will shed some light for you -

I would like to point out 3 posts that I have written -

http://geek00l.blogspot.com/2008/05/hex-handbook.html

http://geek00l.blogspot.com/2007/07/hex-livecd-analogy.html

http://geek00l.blogspot.com/2007/03/netsecanalyst-handbook.html

The HeX System that we are developing is the key to answering almost all your questions, but you might not know where to look if I throw the HeX liveCD at you without giving you hints or tips. The HeX Handbook, which is derived from my own Network Security Analyst Handbook, is actually designed to lead you down the right path.

If you read my post about HeX liveCD analogy, I mentioned this -

The HeX liveCD can only take you up to this part (see below) -

Obtain Network Based Data -> Utilizing NSM Based Tools -> Generate Output

The rest depends on how well the analyst is able to perform it -

Output Interpretation -> Output Analysis -> Output Summarization -> Report

Clearly enough, HeX itself can't do everything for you; you have to help yourself starting from the Output Interpretation process.

If you apply reverse thinking, what are the obstacles you have encountered during Output Interpretation? You have used the tools to generate the output for you, for example snort, bro-ids or even simple tcpdump. Apparently, if you find you can't understand that output, you can't interpret it correctly. Now the important question is "Why can't you understand that output?" There are a few answers to it -

1. You may not have enough network protocol knowledge.

2. You may not be familiar with the tools, because different tools tend to generate output in different ways or with different results.

3. You may not have kept yourself up to date with current security trends (follow bugtraq, cve and so forth)

4. You are being lazy

Now I flash back again to my Network Security Analyst Handbook post, where I put the book into four sections -

Sec 1 - Net Sec Analyst: The RoadMap
Sec 2 - Net Sec Analyst: The Workflows
Sec 3 - Net Sec Analyst: The Tools
Sec 4 - Net Sec Analyst: The Case Study

For Section 1 and Section 2, I have elaborated them as -

Network Security Analyst: The RoadMap
What are the good foundations and technical knowledge that should be acquired to become a good network security analyst? I hope The RoadMap can answer questions like that; until now I haven't seen any books discussing this topic yet.

Network Security Analyst: The WorkFlows
What are the methodologies and mechanisms that are used by network security analysts to handle their tasks? The routine daily tasks, the automated and manual processes of performing analysis, situation handling and so forth.
This is more about how to think or work like a network security analyst. I will try to standardize the common workflows, but you are free to extend them in your own way.

If you have gone through Sections 1 and 2, you should be able to do this -

Output Interpretation -> Output Analysis -> Output Summarization -> Report

Unfortunately we don't offer these in HeX version 1.x, but this is going to change; we are currently working on integrating the things that are discussed in Sections 1 and 2 into HeX version 2.x, which will be released sometime around June. As Section 3 is already integrated into HeX, you should be able to complete Sections 1-3 with HeX; all you need is discipline!

This is not a myth; the HeX Handbook will guide you to complete Sections 1-3 using the HeX System itself, you don't need more.

For Section 4, I already have other plans and maybe you can see them in HeX 3.x, who knows.

If you want to learn to be a competent network security analyst, you can start with HeX. It will take you from 0 to 1.

Now I'm starting to think that universities should offer this kind of course for students. As far as I know, countries like the Philippines have universities offering malware analysis courses, and therefore you can see a lot of them working in the AntiVirus industry. If our country wants to produce competent network security analysts, they should offer security related courses in university, not wait until students are out of school and busy with work.

Enjoy ;]