Friday, November 28, 2003

Snort Add-Ons

Over the last few days I've reviewed several add-ons for Snort. First, everyone using Snort knows about Barnyard. Barnyard processes the output from the spo_unified plugin, which Marty first described in June 2001. spo_unified creates two log files.

To paraphrase Marty, the alert file contains event data (generator, sid, rev, classification, priority, event_reference), timestamp, source IP, destination IP, source port, destination port, protocol, and TCP flags (if applicable). The log file contains the event data, flags that indicate the nature of the stored packet (reassembled fragment, etc.) and the raw binary packet.

Barnyard reads unified output and sends the results to other plugins. In most cases those are database plugins.

MudPit is an alternative to Barnyard. MudPit was written to overcome the fact that receiving either alert or log data alone can be insufficient to validate an event, while receiving both simultaneously is wasteful.
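As an added illustration of the alert/log split described above (this is my example, not code from Snort, Barnyard or MudPit), the script below writes and reads two streams shaped like the ones spo_unified produces and then consumes them the way Barnyard does: every event goes to each registered output plugin, and the raw packet is pulled from the log stream by event id only when a plugin asks for it, which is the selective behaviour MudPit was written for. The record layouts, the flag value and the sample events are assumptions modeled on the field lists in this post, not Snort's real on-disk structs (see spo_unified.c for those).

```python
import socket
import struct

# Assumed record layouts, modeled on the field lists in the post. They are
# NOT Snort's real spo_unified structs; the point is the alert/log split.
#   alert: generator, sid, rev, classification, priority, event_id,
#          event_reference, ts_sec, ts_usec, sip, dip, sport, dport,
#          protocol, tcp_flags      (little-endian, fixed width)
ALERT_FMT = "<11I2H2I"
ALERT_SIZE = struct.calcsize(ALERT_FMT)
#   log:   event_id, packet flags (reassembled etc.), caplen, then caplen bytes
LOG_HDR_FMT = "<3I"
LOG_HDR_SIZE = struct.calcsize(LOG_HDR_FMT)
LOGFLAG_REASSEMBLED = 0x1          # assumed flag value

ALERT_FIELDS = ("generator", "sid", "rev", "classification", "priority",
                "event_id", "event_reference", "ts_sec", "ts_usec")

def pack_alert(ev):
    ip = lambda a: int.from_bytes(socket.inet_aton(a), "big")
    return struct.pack(ALERT_FMT, *[ev[k] for k in ALERT_FIELDS],
                       ip(ev["src"]), ip(ev["dst"]), ev["sport"], ev["dport"],
                       ev["proto"], ev["tcp_flags"])

def pack_log(event_id, pkt_flags, packet):
    return struct.pack(LOG_HDR_FMT, event_id, pkt_flags, len(packet)) + packet

def iter_alerts(buf):
    """Yield alert dicts; a partial trailing record (writer mid-flush) is skipped."""
    off = 0
    while off + ALERT_SIZE <= len(buf):
        f = struct.unpack_from(ALERT_FMT, buf, off)
        off += ALERT_SIZE
        ev = dict(zip(ALERT_FIELDS, f[:9]))
        ev["src"] = socket.inet_ntoa(f[9].to_bytes(4, "big"))
        ev["dst"] = socket.inet_ntoa(f[10].to_bytes(4, "big"))
        ev["sport"], ev["dport"], ev["proto"], ev["tcp_flags"] = f[11:]
        yield ev

def index_log(buf):
    """Map event_id -> (pkt_flags, packet); stop at a truncated record."""
    idx, off = {}, 0
    while off + LOG_HDR_SIZE <= len(buf):
        event_id, pkt_flags, caplen = struct.unpack_from(LOG_HDR_FMT, buf, off)
        off += LOG_HDR_SIZE
        if off + caplen > len(buf):
            break
        idx[event_id] = (pkt_flags, bytes(buf[off:off + caplen]))
        off += caplen
    return idx

class Spooler:
    """Barnyard-style: walk the alert stream, hand each event to every output
    plugin, and fetch the raw packet from the log stream only on request."""
    def __init__(self, alert_buf, log_buf):
        self.alerts = list(iter_alerts(alert_buf))
        self.log = index_log(log_buf)
        self.plugins = []

    def register(self, plugin):
        self.plugins.append(plugin)

    def packet_for(self, event_id):
        rec = self.log.get(event_id)
        return rec[1] if rec else None

    def run(self):
        for ev in self.alerts:
            fetch = lambda eid=ev["event_id"]: self.packet_for(eid)
            for plugin in self.plugins:
                plugin(ev, fetch)
        return len(self.alerts)

# Constructed sample data: two events, with their packets in the log stream.
SAMPLE_EVENTS = [
    dict(generator=1, sid=1000001, rev=1, classification=3, priority=2,
         event_id=7, event_reference=7, ts_sec=1069167816, ts_usec=0,
         src="10.0.0.5", dst="10.0.0.25", sport=50396, dport=25, proto=6, tcp_flags=0x18),
    dict(generator=1, sid=1000002, rev=2, classification=1, priority=1,
         event_id=8, event_reference=8, ts_sec=1069167817, ts_usec=500,
         src="10.0.0.9", dst="10.0.0.25", sport=4444, dport=80, proto=6, tcp_flags=0x02),
]
ALERT_STREAM = b"".join(pack_alert(e) for e in SAMPLE_EVENTS)
LOG_STREAM = (pack_log(7, 0, b"MAIL From:<nobody@example.invalid>\r\n")
              + pack_log(8, LOGFLAG_REASSEMBLED, b"GET / HTTP/1.0\r\n"))

def collect(alert_buf=ALERT_STREAM, log_buf=LOG_STREAM):
    """One alert-only consumer (the common database case) and one that pulls
    the packet only for priority-1 events, the selective use MudPit aimed at."""
    seen, packets = [], {}
    def alert_only(ev, _fetch):
        seen.append((ev["sid"], ev["src"], ev["dport"]))
    def priority_one_with_packet(ev, fetch):
        if ev["priority"] == 1:
            packets[ev["event_id"]] = fetch()
    sp = Spooler(alert_buf, log_buf)
    sp.register(alert_only)
    sp.register(priority_one_with_packet)
    sp.run()
    return seen, packets

if __name__ == "__main__":
    print(collect())
```

Both readers stop cleanly at a short tail rather than raising, because a spooler that follows a file Snort is still writing will regularly see a half-flushed record.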

At the Sguil project we use our own version of unified output with a modified Barnyard process and new database schema.

Dragos Ruiu wrote Cerebus to read unified output and display the results in a text-based GUI.

I learned today via this post of the Fast LOgging Project for Snort (Freshmeat site). FLoP doesn't use unified logging at all. It sends Snort output via UNIX domain sockets.

On a slightly different note, I've noticed a few more ambitious projects. For several years CERT has maintained the AirCERT project as a means to share alert data among sensors. I read about the Open Source Security Information Management (OSSIM), Monitoring, Intrusion Detection, Administration System (MIDAS), and Crusoe IDS (announced here) projects, which each bring together data from multiple tools to improve event detection. This is different from Sguil's approach, where we let Snort provide alert data and we provide context using sessions, full content, and eventually statistical data. I know of at least one vendor, Endace, who sells a product featuring data from multiple open source tools.

Voice-Based Fraud Detection

The Register reports on the latest in fraud detection:

"Online insurer Esure is to use technology that recognises when a speaker is under stress in a bid to detect fraud. The company hopes using voice risk analysis (VRA) technology will speed genuine claims, cut fraud and make its claims process more efficient... VRA - which identifies micro changes in the voice that can occur when a speaker is showing higher levels of stress - will be used by esure from 4 December.

The company is keen to emphasise that the technology is a 'stress detector' not a lie detector. When a speaker experiences stress when answering a question or recounting an exaggerated or false statement, the frequency of their voice changes, according to studies originally conducted in Israel. It is this factor that VRA registers and assesses. The system compares responses to particular questions with baseline responses, answers to simple questions that can only be answered truthfully."

Let's consider this for a moment. Say I suffer a car accident. I am going to be very stressed. If I were calling to report the accident, will I trip "VRA"? Of course my voice pattern will differ from earlier calls made to check my deductible or get a new statement mailed. Here's a case where false positives will result in Esure losing business. Still, fraud reduction is a worthy goal.

Thursday, November 27, 2003

According to Reuters, a 38 year old Home Depot worker was arrested for stealing laptops from Wells Fargo. From the article:

"Police recovered the equipment at Krastof's home, along with equipment used for scanning identity cards and checks, he said. 'He is a low-level ID theft kind of guy,' White said of Krastof. Krastof told police that he did not know that sensitive data was on the computer, according to [policeman] White.

Wells Fargo will be able to keep the $100,000 reward it had offered in the case, since the arrest was made from regular police work and not a tip, White said.

Investigators traced the computer to Krastof when he logged onto his own America Online account at home through one of the stolen computers, White said. That enabled authorities to connect the computer's Internet Protocol address, a number that identifies a computer on the Internet, to Krastof's home address through his AOL account, White said."

The article glosses over an important point: how was the stolen computer identified? Wells Fargo may have deployed one of the "Lojack for laptops" solutions discussed recently by SC Magazine, which send a beacon announcing their presence. Also, why would Krastof say "he did not know that sensitive data was on the computer" when he's an identity thief?

Update: This Slashdot thread alerted me to a second story whose AOL usage description is different:

"A break in the case came in recent days when Krastof plugged one of the computers into a wall socket and turned it on. 'He logged onto an (America Online) account that was registered on that computer and we traced it back to his phone number and address,'' White said."

Aha. The original article said "Krastof... logged onto his own America Online account." Obviously if he logged in using the AOL account native to the laptop, AOL could watch for those logins and report them to law enforcement. Case closed. I gave the "analyst" too much credit for thinking "phone home" software might have been used.

Wednesday, November 26, 2003

Ron Gula Replies to Information Security Review of NeVO

You may have read the fairly critical Information Security review of NeVO by Tenable Security. CTO Ron Gula posted a response to the focus-ids group which makes for good reading:

"Since NeVO is on 'all' of the time and it matches for specific vulnerabilities, that means that the vulnerability and IDS correlation which occurs at the Lightning Console is that much more accurate. Our concern at Tenable is that doing correlation based on 'old' vulnerability data (like on a month old Nessus scan) or 'relevant' vulnerability data (like all of the IIS security holes) can produce false correlations."

Monday, November 24, 2003

Tepatche - Automatic OpenBSD System Patcher

I continue to watch for tools to keep BSD systems up-to-date. I learned of a new application for OpenBSD called Tepatche. The author wrote this article for next month's Sys Admin magazine. He also mentions the openbechede package management project.

Incidentally, Colin Percival reports he's attained the $1000 mark needed to buy a new box to provide freebsd-update binary updates. Hopefully we'll see them available for the 5.X tree soon.

While poking around I found a new BSD book will be published in the spring: FreeBSD and OpenBSD Security Solutions.

Wells Fargo Offers $100,000 For Info Leading to Conviction of Laptop Thief

ZDNet reports the following:

"Wells Fargo said on Friday it had offered a $100,000 reward for information leading to the arrest and conviction of the burglar who stole a bank consultant's computer that had sensitive customer information on it. The computer was one of several stolen earlier this month from the office of an analyst for the bank in Concord, California, the bank said. The stolen PC contained names, addresses, bank account numbers and social security numbers for customers who had taken out personal lines of credit that are used for consumer loans and overdraft protection, according to Wells Fargo. No passwords or personal identification numbers were among the stolen data and no other Wells Fargo customers were affected, the bank said... The bank alerted affected customers this week [and] was also monitoring customer accounts, changing account numbers and paying for a year's subscription to a credit monitoring service."

This tells me that the "bank consultant's computer" didn't employ encryption to protect the customer data. It may have taken the physical theft of a computer to stress the importance of California's new privacy laws.

Finding the Name of FreeBSD Packages to Install

I usually install FreeBSD applications using the ports system, but I wanted to know how to use the package collection as well. I wondered how to quickly locate the name and URL of a package so I could pass them as a parameter to pkg_add -r. Using this command FreeBSD fetches the package specified and installs any dependencies automatically.

I found the answer at the FreeBSD Ports Changes page. Here you can query for a package (or port) by name, and more importantly, specify which distribution you want. For example, if you wanted to install Nessus, you could choose from:

  • FreeBSD 4.9 RELEASE: packages created when 4.9 REL was announced

  • FreeBSD 4.x STABLE: the most up-to-date packages built for FreeBSD 4-stable

  • FreeBSD 5.1 RELEASE: packages created when 5.1 REL was announced

  • FreeBSD 5.x CURRENT: the most up-to-date packages built for FreeBSD 5-current

Let's say I wanted to install Nessus. What do these packages look like for the i386 architecture?

Essentially you have to recognize what version of FreeBSD you're running, and then select the appropriate package. Let's say I'm maintaining a FreeBSD 4.9 RELEASE system and want to install Nessus as if the package was installed from the 4.9 REL CD-ROM. In that case I'd choose the nessus-2.0.7.tgz package for FreeBSD 4.9 RELEASE. I use this option when I create installation instructions for Sguil, to simulate building a server using only the CD-ROM packages.

Most people want to run the newest edition of any application. If I wanted the latest and greatest version of Nessus on my 4.9 RELEASE system 'janney', I'd install nessus-2.0.8a.tgz. The second option looks like this:

janney# pkg_add -r
packages-4-stable/All/nessus-2.0.8a.tgz... Done.
packages-4-stable/All/nessus-libraries-2.0.8a.tgz... Done.
packages-4-stable/All/nessus-libnasl-2.0.8a.tgz... Done.

To simulate installing Nessus as a package on a FreeBSD 5.1 RELEASE system 'moog' from a 5.1 REL CD-ROM, I'd add the old nessus-2.0.5_1.tbz package. To get the very latest version of Nessus on a FreeBSD 5.1 system I'd add nessus-2.0.8a.tbz. The second option looks like this:

moog# pkg_add -r
packages-current/All/nessus-devel-2.0.8a.tbz... Done.
packages-current/All/nessus-libraries-devel-2.0.8a.tbz... Done.
packages-current/All/nessus-libnasl-devel-2.0.8a.tbz... Done.

Notice the different package compression schemes -- .tgz for the 4.9 system and .tbz for the 5.1 system. Also see that I passed the entire package URL as an argument to 'pkg_add -r'. The '-r' switch tells pkg_add the package is "remote." For each installation I chose "" rather than simply "". This made pkg_add use one of the mirror sites rather than pound the main FTP server.

In each case I got the appropriate URL from the FreeBSD Ports Changes page. What if I didn't specify the URL, but only the package name?

On a FreeBSD 4.9 system, this happens:

bourque# pkg_add -r nessus
packages-4.9-release/Latest/nessus.tgz... Done.
packages-4.9-release/All/nessus-libraries-2.0.7.tgz... Done.
packages-4.9-release/All/nessus-libnasl-2.0.7.tgz... Done.

On a FreeBSD 5.1 system, this happens:

moog# pkg_add -r nessus
packages-5.1-release/Latest/nessus.tbz... Done.
packages-5.1-release/All/nessus-libraries-2.0.5_1.tbz... Done.
packages-5.1-release/All/nessus-libnasl-2.0.5_1.tbz... Done.

Notice in each case the packages built for the RELEASE are installed by default. There is probably a way to change this behavior to automatically retrieve the latest edition, but I haven't found it yet.
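As an added example (mine, not from the original post or from FreeBSD), the helper below encodes the naming scheme shown in the sessions above: the tree directory (packages-4.9-release, packages-4-stable, packages-current), the Latest/ symlink that a bare package name resolves to versus the exact file under All/, and the .tgz/.tbz suffix that changes between 4.x and 5.x. It also builds the value for pkg_add(1)'s PACKAGESITE environment variable, which redirects a bare 'pkg_add -r name' to a tree other than the release default. The ftp.freebsd.org base URL is an assumption; the mirror used in the post did not survive extraction, so pass base= for your own.

```python
import platform
import re

# Assumption: the stock ftp.freebsd.org layout. Pass base= to use a mirror.
DEFAULT_BASE = "ftp://ftp.freebsd.org/pub/FreeBSD/ports"

def parse_release(uname_r):
    """'4.9-RELEASE' -> ('4', '4.9', 'RELEASE'); also accepts 4.9-STABLE, 5.1-CURRENT."""
    m = re.match(r"^(\d+)\.(\d+)-([A-Z]+)", uname_r)
    if not m:
        raise ValueError("unrecognised FreeBSD release string: %r" % uname_r)
    major, minor, branch = m.groups()
    return major, "%s.%s" % (major, minor), branch

def package_tree(uname_r, tree):
    """Directory under ports/<arch>/ for the chosen tree:
    'release' -> packages built when that release shipped (packages-4.9-release),
    'stable'  -> newest packages on the branch (packages-4-stable),
    'current' -> packages-current (the 5.x development branch at the time)."""
    major, version, _branch = parse_release(uname_r)
    if tree == "release":
        return "packages-%s-release" % version
    if tree == "stable":
        return "packages-%s-stable" % major
    if tree == "current":
        return "packages-current"
    raise ValueError("tree must be 'release', 'stable' or 'current'")

def package_suffix(uname_r):
    """4.x packages are gzip tarballs (.tgz); 5.x switched to bzip2 (.tbz)."""
    major = parse_release(uname_r)[0]
    return "tbz" if int(major) >= 5 else "tgz"

def package_url(uname_r, arch, tree, name, version=None, base=DEFAULT_BASE):
    """The URL pkg_add -r would fetch. Without a version the Latest/ symlink is
    used (what a bare 'pkg_add -r nessus' resolves to); with a version, the
    exact file under All/."""
    d, suf = package_tree(uname_r, tree), package_suffix(uname_r)
    if version is None:
        return "%s/%s/%s/Latest/%s.%s" % (base, arch, d, name, suf)
    return "%s/%s/%s/All/%s-%s.%s" % (base, arch, d, name, version, suf)

def packagesite(uname_r, arch, tree, base=DEFAULT_BASE):
    """Value for pkg_add(1)'s PACKAGESITE variable, which makes a bare
    'pkg_add -r name' fetch from this tree instead of the release default."""
    return "%s/%s/%s/Latest/" % (base, arch, package_tree(uname_r, tree))

if __name__ == "__main__":
    # On a FreeBSD host use its own release and arch; elsewhere show the
    # two systems from the post.
    if platform.system() == "FreeBSD":
        hosts = [(platform.release(), platform.machine())]
    else:
        hosts = [("4.9-RELEASE", "i386"), ("5.1-RELEASE", "i386")]
    for rel, arch in hosts:
        newest = "stable" if rel.startswith("4") else "current"
        print("# %s/%s" % (rel, arch))
        print("pkg_add -r %s" % package_url(rel, arch, "release", "nessus"))
        print("export PACKAGESITE=%s" % packagesite(rel, arch, newest))
```

Pinning a version with All/ is what you want in a reproducible install guide; Latest/ is a moving target and a mirror can serve a different file a day later.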

Here's another example. I chose this one so you could see how the package installation process solves dependency issues. Here I install darkstat, a lightweight alternative to ntop.

bourque# pkg_add -r
packages-4-stable/All/darkstat-2.6.tgz... Done.
packages-4-stable/All/libiconv-1.9.1_3.tgz... Done.
packages-4-stable/All/gettext-0.12.1.tgz... Done.

Keep in mind that package installation bypasses all of the benefits of installing the source code through the ports system.

If you want to install a slew of packages at the same time, check out POPS: "Package Of the PackageS" for FreeBSD. This is a ~600 MB CD-ROM .iso with various packages selected by the POPS creator. He likens POPS to a "Linux distribution" in the sense that most FreeBSD installations are fairly minimal.

On a related note, the other king of software installation, Debian, released 3.0r2 last week. The Slashdot thread was informative. I learned of useful sites like and, as well as tools like apt-secure and aptitude.

Friday, November 21, 2003

Tim O'Reilly on Computer Books

Tim O'Reilly of O'Reilly publishing answered questions on the economics of writing on computer topics. I found this excerpt interesting:

"Your choice of publisher helps [a book be successful]. The clearest lesson from Bookscan (to refer to the data that started this thread) is that the market is consolidating. Fully 80 percent of the market shown by Bookscan (about 65-70 percent of U.S. domestic retail sales, including online accounts) is owned by Pearson, Wiley, O'Reilly, and Microsoft Press, in that order. If you add Osborne and Sybex, you get to 90 percent. (Pearson is a conglomerate owning many individual imprints--AW, PH, Peachpit, Sams, New Riders, Brady, Cisco Press, Adobe Press, Macromedia Press, etc.--so the market looks more diverse than it actually is.) Having been a small publisher who worked my way up over many years, I won't say it [success of a book sold by a small publisher] can't be done. But I think it's a lot harder than it was in the '80s and '90s. In short, being part of an established series at an established publishing house is, unfortunately, very important."

I'm glad my publisher is Pearson's Addison-Wesley!

Wednesday, November 19, 2003

Other Tidbits on SSH, IRC, and other Topics

I needed to bounce through a couple systems while working on a hostile classroom network this week. I found this book excerpt which explains how to chain SSH connections.

I started using the EPIC IRC client on FreeBSD and I wanted to use a customization script. I remembered using Splitfire and found it to be useful. In #snort-gui we've been using Pastebot to provide chunks of text via HTTP rather than IRC on homefries.

Rob Lee's domain registration apparently expired and was scooped by someone else. You can access Rob's site via IP address at

Anyone using Secure Instant Messaging Protocol?

Jamil Farshchi published this article on wireless IDS.

PostgreSQL 7.4 Released. Watch Out For MySQL "Gotchas"

PostgreSQL 7.4 was released this week. We use MySQL in the Sguil project but we used PostgreSQL with older NSM tools. I learned about this MySQL "gotchas" site showing odd MySQL behavior. This could prompt a war between the MySQL and PostgreSQL communities.

Speaking of wars, I ran across a site which claims to benchmark various UNIX operating systems. The results caused a crazy thread among OpenBSD users.

What Makes For Credible Certifications?

Peter Stephenson contributed to a SC Magazine article that featured criteria for credible certifications. I found his comments worthwhile:

"The major question to be asked about certifications and their value is: 'Where does the cert come from and what are its objectives?'

A good industry certification will have several recognizable components if it is to be credible:

  • It is based upon an accepted common body of knowledge that is well understood, published and consistent with the objectives of the community applying it.

  • It requires ongoing training and updating on new developments in the field.

  • There is an examination (the exception is grandfathering, where extensive experience may be substituted).

  • Experience is required.

  • Grandfathering is limited to a brief period at the time of the founding of the certification.

  • It is recognised in the applicable field.

  • It is provided by an organization or association operating in the interests of the community, usually non-profit, not a training company open to independent peer review.

There are credible certifications that are not money-grabs. However, as with anything that promises to improve the acquirer’s status, it is always a case of 'buyer beware.'"

Peter Stephenson is the executive director of the International Institute for Digital Forensic Studies. His organization's new Certified Information Forensics Investigator Certification (CIFI) follows these guidelines.

On a related note, Peter Denning wrote an article (.pdf) two years ago where he defined a profession as having four components:

  1. A durable domain of human concerns

  2. A codified body of principles (conceptual knowledge)

  3. A codified body of practices (embodied knowledge including competence)

  4. Standards for competence, ethics and practice

Tuesday, November 18, 2003

Network Security Monitoring Saves My Bacon

Long-time readers of this blog know I subscribe to a security theory called network security monitoring. Two of NSM's principles are "some intruders are smarter than you" and "intruders are unpredictable." Believing these principles changes the way defenders look at watching their networks. If you assume a smart, unpredictable enemy, you have to take as many defensive actions as possible in the remote hope of catching a bad guy.

This morning I tested these principles not against an intruder, but against a piece of software that took an unexpected action. I was looking for an IRC proxy and found the Night-light IRC proxy. I installed it through the FreeBSD ports system without a problem. I then checked my sockstat output to see what was listening. I found the following unexpected entry:

root getty 534 0 tcp4 censored:50396

This looks like my system just connected to on port 25 TCP. I did an nslookup on the destination IP and got these results:

moog# nslookup


So apparently my box spoke to I assumed this was a mail server for the domain, but I checked this with nslookup:

-bash-2.05b$ nslookup
Default Server:
> set type=mx
Non-authoritative answer:
        preference = 5, mail exchanger =

Authoritative answers can be found from:
        nameserver =
        nameserver =
        nameserver =
        internet address =
        internet address =
        internet address =

Note I could have connected to port 25 on directly. However, one of the NSM principles is to never touch the source of suspicious activity, to avoid notifying the intruder of your investigation.

I also looked at the output of the installation and saw this:

Sending compilation report to

The ircproxy has compiled successfully. To install it type 'make install',
if you choose the root option, remember to 'su root' first.

So, the question is "Now what?" The event didn't trigger any Snort alerts. After all, this is probably just my system sending email. But what did the email contain? Did this new application mail the contents of my password file to the developer? Can I trust this developer?

There are two ways to proceed. A host-based approach involves checking the system hosting the new application for odd activity. This includes checking the source code of the application for the routines that created the socket with

A network-based -- or NSM -- approach involves checking alert, session, full content, and statistical data for clues. Luckily I had tcpdump data available, so I rebuilt the session and found the following:

moog# tcpflow -c -r snoop.lpc
220 ESMTP Sendmail 8.12.6/8.12.6;
Tue, 18 Nov 2003 16:43:36 +0100 (CET)
Hello [censored], pleased to meet you
250 HELP
MAIL From: SIZE=11475
553 5.1.8 ...
Domain of sender address
does not exist
221 2.0.0 closing connection

The email was never sent. rejected the attempt because it didn't recognize the sender. While this doesn't tell me exactly what the email would have contained, I know I did not leak any data as a result of this incident.
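To make the "did anything actually leave?" judgement above repeatable, here is an added example (mine, not from the post and not part of tcpflow) that walks a reconstructed SMTP session line by line and reports how far the transaction got. A 5xx reply to MAIL FROM, as above, means no message content ever crossed the wire; a 354 reply to DATA means it did, whatever the server said afterwards. The two transcripts are constructed: the first mimics the 553 rejection shown above, the second is what an accepted compilation report would look like. It assumes client commands and server replies appear as separate lines, as tcpflow -c prints them.

```python
import re

# Reply codes per RFC 2821: 2xx/3xx positive, 4xx temporary, 5xx permanent failure.
REPLY_RE = re.compile(r"^(\d{3})([ -])(.*)$")
SIZE_RE = re.compile(r"SIZE=(\d+)", re.IGNORECASE)

def analyze_smtp(transcript):
    """Walk one client/server session and say whether message content left the host."""
    state = {"phase": "connect", "outcome": "unknown", "size": None,
             "recipients": [], "last_reply": None, "data_bytes": 0}
    in_data = False
    pending = None                  # client command waiting for its reply
    for raw in transcript.splitlines():
        line = raw.rstrip("\r")
        if in_data:                 # message body: everything up to the lone "."
            if line == ".":
                in_data = False
                pending = "DATA-END"
            else:
                state["data_bytes"] += len(line) + 2   # count CRLF as on the wire
            continue
        m = REPLY_RE.match(line)
        if m:
            code, cont, text = int(m.group(1)), m.group(2), m.group(3)
            if cont == "-":
                continue            # multi-line reply, wait for the final line
            state["last_reply"] = "%d %s" % (code, text)
            if pending == "MAIL" and code // 100 == 2:
                state["phase"] = "mail"
            elif pending == "RCPT" and code // 100 == 2:
                state["phase"] = "rcpt"
            elif pending == "DATA" and code == 354:
                state["phase"] = "data"          # content starts flowing here
                in_data = True
            elif pending == "DATA-END" and code // 100 == 2:
                state["phase"] = state["outcome"] = "accepted"
            elif pending in ("MAIL", "RCPT", "DATA", "DATA-END") and code >= 400:
                state["outcome"] = "rejected-at-%s" % pending.lower()
            pending = None
            continue
        verb = line.split(" ", 1)[0].upper().rstrip(":")
        if verb == "MAIL":
            pending = "MAIL"
            s = SIZE_RE.search(line)
            state["size"] = int(s.group(1)) if s else None
        elif verb == "RCPT":
            pending = "RCPT"
            state["recipients"].append(line.split(":", 1)[1].strip() if ":" in line else line)
        elif verb == "DATA":
            pending = "DATA"
        elif verb == "QUIT":
            pending = "QUIT"
    if state["outcome"] == "unknown":
        state["outcome"] = "no-message-transferred"
    # Content crossed the wire if we ever got past DATA, even if rejected later.
    state["leaked_content"] = state["phase"] in ("data", "accepted")
    return state

# Constructed transcripts (not the post's real traffic).
REJECTED_SESSION = "\r\n".join([
    "220 mail.example.invalid ESMTP Sendmail 8.12.6/8.12.6; Tue, 18 Nov 2003 16:43:36 +0100 (CET)",
    "EHLO moog.example.invalid",
    "250-mail.example.invalid Hello [192.0.2.10], pleased to meet you",
    "250 HELP",
    "MAIL From:<build@moog.example.invalid> SIZE=11475",
    "553 5.1.8 <build@moog.example.invalid>... Domain of sender address build@moog.example.invalid does not exist",
    "QUIT",
    "221 2.0.0 mail.example.invalid closing connection",
])
ACCEPTED_SESSION = "\r\n".join([
    "220 mail.example.invalid ESMTP",
    "EHLO moog.example.invalid",
    "250 mail.example.invalid",
    "MAIL From:<build@moog.example.invalid> SIZE=64",
    "250 2.1.0 Sender ok",
    "RCPT To:<dev@example.invalid>",
    "250 2.1.5 Recipient ok",
    "DATA",
    "354 Enter mail, end with \".\" on a line by itself",
    "Subject: compilation report",
    "",
    "root:*:0:0:Charlie &:/root:/bin/csh",
    ".",
    "250 2.0.0 hAIFhaRL001234 Message accepted for delivery",
    "QUIT",
    "221 2.0.0 closing connection",
])

if __name__ == "__main__":
    for name, session in (("rejected", REJECTED_SESSION), ("accepted", ACCEPTED_SESSION)):
        print(name, analyze_smtp(session))
```

The SIZE= value the client declared is worth keeping even for the rejected case: 11475 bytes is far more than a one-line "it compiled" note, which is a reason to read the source before trusting the next build.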

Saturday, November 15, 2003

TruSecure: "k3wl ," Like "Hackweiser and G-force Pakistan"

The BBC wrote an article about the threat intelligence group, "codename IS/Recon (Information Security Reconnaissance)." They're TruSecure's "moles" -- people who befriend the "underground" and acquire information on their intentions and capabilities. The national intelligence community calls that "human intelligence," or HUMINT.

The article claims TruSecure "currently tracks more than 11,000 individuals in about 900 different hacking groups and gangs." It also states they collect "200 gigabytes of information a day," which "has enabled the team to help out with 54 investigations by law enforcement agencies. IS/Recon gave the FBI over 200 documents about the Melissa virus author after they were asked to get closer to suspects."

Friday, November 14, 2003

Mapping the Internet on a Dare

Slashdot reported on the Opte Project. It's a single guy who's mapping the Internet using code he wrote. Commercial companies like Lumeta provide much more enhanced functionality, but this is still a cool hack.

The Slashdot thread features commentary by Hal Burch and Fyodor, and a useful summary of similar projects. The image at left is supposedly "1/5 of the Internet," but as one Slashdot reader mentioned, it looks a lot like a brain! Given Google has replaced the brain of many people, I imagine this image is appropriate. :)

Trying Fedora Core 1

Today I installed Fedora Core Release 1 in a VMWare session on my laptop. I was unable to install using the CD-ROMs I burned and got the same error as described in this thread. I ended up installing the OS using the three .iso files on my laptop hard drive. I installed a default desktop into a 4 GB partition. Here are the daemons listening, the filesystem stats, and the uname output:

[root@localhost root]# netstat -natup
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address   Foreign Address  State      PID/Program name
tcp        0      0*        LISTEN     1665/rpc.statd
tcp        0      0*        LISTEN     1830/xinetd
tcp        0      0*        LISTEN     1645/portmap
tcp        0      0*        LISTEN     1814/sshd
tcp        0      0*        LISTEN     1777/cupsd
tcp        0      0*        LISTEN     1851/sendmail: acce
tcp        1      0    CLOSE_WAIT 2103/eggcups
udp        0      0*                   1665/rpc.statd
udp        0      0*                   1665/rpc.statd
udp        0      0*                   1645/portmap
udp        0      0*                   1777/cupsd

[root@localhost root]# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/sda2             3.6G  1.9G  1.6G  54% /
/dev/sda1              99M  6.3M   88M   7% /boot
none                   62M     0   62M   0% /dev/shm

[root@localhost root]# uname -a
Linux localhost.localdomain 2.4.22-1.2115.nptl #1 Wed Oct 29 15:42:51 EST 2003 i686 i686 i386 GNU/Linux

The coolest thing in my opinion was trying the yum (Yellow dog Updater, Modified) program. When was down this afternoon I followed these instructions to add a backup source for yum. I then used yum to add nmap. It worked like a charm:
[root@localhost root]# yum install nmap
Gathering header information file(s) from server(s)
Server: Fedora Core 1 - i386 - Base
Server: Fedora Core 1 -- Fedora US mirror
Server: Fedroa Linux (stable) for Fedora Core 1 -- Fedora US mirror
Server: Fedora Core 1 updates -- Fedora US mirror
Server: Fedora Core 1 - i386 - Released Updates
Finding updated packages
Downloading needed headers
Resolving dependencies
Dependencies resolved
I will do the following:
[install: nmap 2:3.48-1.i386]
Is this ok [y/N]: y
Getting nmap-3.48-1.i386.rpm
nmap-3.48-1.i386.rpm      100% |=========================| 368 kB    00:02
Running test transaction:
Test transaction complete, Success!
nmap 100 % done 1/1
Installed:  nmap 2:3.48-1.i386
Transaction(s) Complete

Unfortunately, since no package of ettercap was available, I couldn't try adding it. I then gave up2date a try. I used it to update packages on the system.
[root@localhost root]# up2date-nox -u
Fetching package list for channel: fedora-core-1...
Fetching package list for channel: updates-released...
Fetching Obsoletes list for channel: fedora-core-1...
Fetching Obsoletes list for channel: updates-released...
Fetching rpm headers...

Name                                    Version        Rel
glibc                                   2.3.2          101.1               i686
glibc-common                            2.3.2          101.1               i386
nscd                                    2.3.2          101.1               i386

Testing package set / solving RPM inter-dependencies...
glibc-2.3.2-101.1.i686.rpm: ########################## Done.
glibc-common-2.3.2-101.1.i3 ########################## Done.
nscd-2.3.2-101.1.i386.rpm:  ########################## Done.
Preparing              ########################################### [100%]
   1:glibc-common           ########################################### [100%]
   2:glibc                  ########################################### [100%]
Stopping sshd:[  OK  ]
Starting sshd:[  OK  ]
   3:nscd                   ########################################### [100%]
[root@localhost root]#

up2date worked well too. I think I could like this distro.

I got an email from Red Hat explaining the new status of their products. From the email:

"Get Enterprise Linux in three ways:

--> Enterprise Linux WS: for desktop/client systems.
Starting at $179
--> Enterprise Linux ES: for small/mid-range servers.
Starting at $349
--> Enterprise Linux AS: for high-end and mission-critical systems.
Starting at $1499

>>compare all three:$LDAJPSNNAOmLYvAK7ybs-q/utbn2"

Wow, those prices are amazing! I'll be interested to see who adopts this product.

Let Freedom Ring...Not

The so-called "hacker" who "defaced" was sentenced yesterday to 1000 hours of community service and a $2000 fine, according to stories by and Reuters.

The intruder, a "Web designer," "posed as an Al Jazeera employee," presumably to Verisign, the registry for the .net domain.

This far more informative article has technical details on the "hack." Apparently the perpetrator convinced Verisign to change its listing for's domain servers to a system controlled by the intruder.

The DoJ reports the perp also "re-routed all e-mail traffic to an account he had created on MSN Hotmail using the name of the Al Jazeera systems administrator." was also hit by denial of service attacks during the second Gulf War.

Stephen Northcutt Hints at New 2004 SANS Courses

I received an email from Stephen Northcutt discussing various SANS initiatives. I found the last paragraph interesting. As this was a mass-mailing I'd like to share what he said:

"We do have other tracks in development. If the writers and researchers stay on track, in the second half of '04 we hope to complete a track on content and email security and a six-day legal track designed primarily for attorneys. We have an advanced Windows operations and advanced Windows audit track in the works. On the UNIX side of the house we are working on a Linux, Apache, MySQL, and Perl course designed to help you field and maintain a secure working Internet e-commerce presence. Finally, we have started development on Oracle security. Creating a six-day track is a huge amount of work; if you are an expert in any of these topics, there may be a spot for you on the development team. If you think you might be interested, drop me a line,

Warm Regards,
Stephen Northcutt"

SANS already has 12 tracks and it's good to see they are considering others.

Thursday, November 13, 2003

While reading this OSNews thread on FreeBSD, I learned of the portsman tool. It's a curses-based front end to the FreeBSD ports tree. It offers similar functionality to portupgrade but through a menu system. I found it interesting that it was hosted at berlios and not at SourceForge like most open source projects.

One adjustment I made to use portsman was to change the default TERM value from 'xterm' to 'xterm-color' so I could see the menu better in an SSH session using root's default csh (actually tcsh) shell. Just edit the TERM setting in root's .cshrc and then execute 'source .cshrc' to pick up the change. To change TERM only for the current session, execute

setenv TERM xterm-color

It's different for sh or bash. There, run

TERM=xterm-color; export TERM

Wednesday, November 12, 2003

21st Century Pilotless Airwolf Stolen

OK, it's obviously not Airwolf. According to this Israeli newspaper the Steadicopter was recently stolen a few days after the completion of its test program and final test flights. According to the article:

"Steadicopter CEO Tuvia Scgl told 'Globes' today that he had no doubt that industrial espionage was behind the theft. "We're convinced that the thief was working for our competitors, because he went directly to the helicopter's location, and broke only the guardrails to that room.

'The helicopter is unique. No other company in the world has succeeded in operating such a flying machine, capable of independent flying without remote control. Many companies have tried, but none of their tests worked.'"

Criminals Extort Companies With DoS Attacks

I learned at Slashdot of an article at Financial Times about criminals extorting companies by subjecting them to denial of service attacks. From the article:

"More than a dozen offshore gambling sites serving the US market were hit by the so-called Distributed Denial of Service attacks and extortion demands in September and the tactic is now spreading. Sites have been asked to pay up to $50,000 to ensure they are free from attacks for a year. Police are urging any victims not to give in to blackmail and report the crime."

This is a lot easier than breaking into a victim and extorting them for theft of credit cards or intellectual property. Just have your home users and university machines blast away at a victim and collect the cash.

New Sguil 0.3.0 Install Doc for FreeBSD 4.9 REL

I just published a new installation guide for Sguil 0.3.0. Sguil is an interface to Snort which operates using Network Security Monitoring principles. This means it is dedicated to answering the "now what?" question that faces analysts who receive IDS alerts. Sguil provides alert, session, and full content data with a minimum of mouse clicks, window changes, and keystrokes.

Users not familiar with FreeBSD should have no problems following the instructions. I provide dozens of screen shots and step-by-step comments to get the OS and all needed applications installed.

The document is available in .pdf form here (.pdf).

The new guide uses FreeBSD 4.9 RELEASE as the server platform and Windows 2000 or XP as the analyst workstation.

Please send comments on the guide to sguil at taosecurity dot com. I plan to incorporate as many suggestions for improvement as humanly possible.

Update: I'm collaborating with Soup4You2 from BSDHound on an expanded document.

Tuesday, November 11, 2003

More BSD Stuff

I found a new FreeBSD-based bootable CD-ROM firewall called NetBoz. I haven't tried it yet, but someone put a lot of thought into the logo!

I'm often asked why I like FreeBSD. I think FreeBSD's ports tree is the best of the three BSDs, with over 9000 applications available. FreeBSD offers the FreshPorts site to track updates and changes to ports. OpenBSD has, and This post puts the OpenBSD port count at over 2000 as of May 2003. OpenBSD's "higher standards" keep the count down compared to FreeBSD. NetBSD offers over 3000 packages and a new Web interface to them.

The Game of 'Life' in PostScript

Do you know the game of "Life"? The game was created by mathematician John Conway and described in this 1970 Scientific American article. Based on a small set of rules, the game looks at the initial configuration of a set of counters (representing "organisms") and moves them forward through time. Certain arrangements result in life, while others perish. The coolest implementation of this game is one in PostScript. Remember PostScript is a programming language, although it's mainly used to format documents. There's a Java version and another here.

Provides Info on Quiet PCs

I'm thinking of building my own firewall appliance. It would be nice to have a "quiet" PC. I found offers reviews, forums, and news on the quiet PC scene.

Sunday, November 09, 2003

My C-64 Rides Again

Thanks to an RR-Net kit, my Commodore 64 is now on the Internet. I browsed using the Contiki Web browser and I served Web pages using the Contiki Web server. It's slow, but really amazing to think a machine that hasn't been used in 13 years is now on the Internet! There's also a version of VNC which I haven't tried yet.

I still need to try downloading software and getting it to the C-64. The RR-Net package arrived with a 5 1/4 floppy containing Contiki.

Update: The Web server doesn't seem too stable. Twice I've left the box running in the basement only to find Contiki exited several hours later. Oh well, that's why I run FreeBSD.

Friday, November 07, 2003

Using fastest_cvsup and freebsd-update Tools

While reading an OSNews thread on FreeBSD 4.9, I heard of a tool called fastest_cvsup. You use it in conjunction with cvsup on FreeBSD, NetBSD, and OpenBSD to find the "fastest" source distribution site. I use it in a shell script to update one of my boxes like this:

#!/bin/sh
# Ports updater by Richard Bejtlich
# 0925 07 Nov 03

# Ask fastest_cvsup for the quickest US mirror; it prints the hostname.
SERVER=`fastest_cvsup -q -c us`

# Pull the latest ports tree from that mirror.
echo "cvsup -g -L 2 -h $SERVER /usr/local/etc/ports-supfile"
cvsup -g -L 2 -h $SERVER /usr/local/etc/ports-supfile

# Rebuild the ports INDEX, then the portsdb that portupgrade reads.
echo "cd /usr/ports; make index"
cd /usr/ports
make index

echo "portsdb -u"
portsdb -u

# Check and fix the installed-package database.
echo "cd /var/db"
cd /var/db

echo "pkgdb -F"
pkgdb -F

# Show which installed ports are out of date, then upgrade them all,
# preferring packages (-P), including dependents and dependencies (-r -R),
# verbosely (-v).
echo "portversion -v"
portversion -v

echo "portupgrade -PrRva"
portupgrade -PrRva

echo "Done updating ports tree at `/bin/date`."

I changed my portsdb instruction after reading this thread. This article and this thread have tips too.
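One thing the updater above does not do is check its own steps: if fastest_cvsup prints nothing (or something odd), cvsup is handed an empty or unvalidated host name, and if cvsup or make index fails, portupgrade -a still runs against a stale tree. The script below is an added example, not the script from this post or anything shipped with fastest_cvsup or portupgrade. It assumes that fastest_cvsup prints a single hostname on stdout and that cvsup-master.freebsd.org is an acceptable fallback mirror; the helper names (valid_host, pick_server, run_step, update_ports) and the RUN_PORTS_UPDATE switch are my own.

```shell
#!/bin/sh
# Added example (not the post's script): the same ports update with the
# checks the original skips. Assumptions, not facts from the post:
# fastest_cvsup prints one hostname on stdout, and cvsup-master.freebsd.org
# is an acceptable fallback mirror. Helper names are hypothetical.

FALLBACK_SERVER="cvsup-master.freebsd.org"    # assumption: fallback mirror
SUPFILE="/usr/local/etc/ports-supfile"         # same supfile as the original

# valid_host: accept only a plausible hostname (letters, digits, dots and
# hyphens; not empty, no whitespace, no leading hyphen or dot, no trailing
# dot). The mirror name ends up on a root-run command line, so do not pass
# arbitrary text through.
valid_host() {
    case "$1" in
        ''|*[!A-Za-z0-9.-]*|-*|.*|*.) return 1 ;;
        *) return 0 ;;
    esac
}

# pick_server: take the first whitespace-separated token of the candidate
# output (normally from fastest_cvsup), validate it, and echo the host to
# use. Returns 1 when it had to fall back, so the caller can log that.
pick_server() {
    set -f            # no pathname expansion while splitting the candidate
    set -- $1
    set +f
    candidate=${1:-}
    if valid_host "$candidate"; then
        printf '%s\n' "$candidate"
        return 0
    fi
    printf '%s\n' "$FALLBACK_SERVER"
    return 1
}

# run_step: echo the command, as the original script does, then run it and
# stop the whole update on failure. A failed cvsup followed by
# portupgrade -a would otherwise upgrade against a stale or half-fetched tree.
run_step() {
    echo "$*"
    "$@" || { echo "step failed: $*" >&2; exit 1; }
}

# update_ports: the original steps, in the original order, with the checks.
update_ports() {
    SERVER=$(pick_server "$(fastest_cvsup -q -c us 2>/dev/null)") ||
        echo "fastest_cvsup gave no usable host; using $SERVER" >&2
    run_step cvsup -g -L 2 -h "$SERVER" "$SUPFILE"
    cd /usr/ports || exit 1
    run_step make index
    run_step portsdb -u
    run_step pkgdb -F
    run_step portversion -v
    run_step portupgrade -PrRva
    echo "Done updating ports tree at `/bin/date`."
}

# Only run the update when explicitly asked, so the file can also be sourced
# for its functions (for example to exercise pick_server without touching
# the system): RUN_PORTS_UPDATE=yes sh update-ports.sh
if [ "${RUN_PORTS_UPDATE:-no}" = yes ]; then
    update_ports
fi
```

The validation is deliberately strict: a hostname that fails it costs you one cvsup run against the fallback mirror, while an unvalidated string on a root-run command line could cost a lot more. run_step exits on the first failure rather than pressing on, so portupgrade only ever sees a tree whose fetch and INDEX rebuild both succeeded.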

I also gave freebsd-update a try. It's a way to perform binary updates on FreeBSD systems that have not rebuilt the 'world' after installing a fresh RELEASE. I used freebsd-update on a 4.8 RELEASE system using these commands:

pkg_add -r

cp /usr/local/etc/freebsd-update.conf.sample /usr/local/etc/freebsd-update.conf

mkdir /usr/local/freebsd-update

freebsd-update -v fetch

freebsd-update -v install

freebsd-update warned me "Don't forget to rebuild any statically linked ports to use the updated libraries after you install them." Colin gave me some background on this:

"Most applications from the ports tree (and packages) are dynamically linked, but a few aren't. On my system, the only static binaries I have installed from the ports tree are bash and m3build. If you have portupgrade installed, the following script will locate any static binaries which might be out of date and run portupgrade interactively to rebuild them." Note this script needs backslashes at the end of lines 2-5 (Blogger tends to remove them):

#!/bin/sh
find /usr/local -type f -perm +111 ! -newer \
/usr/lib/`ls -art /usr/lib | tail -1` -print0 | \
xargs -0 file | grep "statically linked" | cut -f 1 -d ':' | \
xargs pkg_which | grep -v '^\?$' | sort -u | \
while read x; do portupgrade -fi $x < /dev/tty; done

Colin continues: "Unfortunately, there isn't any easy way to determine if packages distributed from have been rebuilt with new libraries; in general, it's better to install the ports tree (and keep it up to date by using cvsup) and build everything locally."

Right now the freebsd-update maintainer, Colin Percival, only has the resources to provide binary updates for FreeBSD 4.7, 4.8, and 4.9. He's accepting donations via PayPal so he can support the 5.x tree. As of this morning he's got pledges and donations of $915, so I sent him $20 to show my support. Please consider matching my donation to get Colin above the $1000 level, where he'll build a new system to provide binary updates for the 5.x tree. Thank you!

This is an amazing tool. It only took minutes rather than the hours it might take to do everything from source. The major drawback is that it only supports the GENERIC kernel. This is fine for a project like the Sguil on FreeBSD appliance for which I wrote the documentation. However, people with multi-processor systems who need to add SMP support by rebuilding their kernel cannot use the current version of freebsd-update. When FreeBSD 5.2 is released, this will not be a problem. Colin told me "FreeBSD 5.2 is going to be an ideal target for FreeBSD Update, in fact, since the 'SMP problem' will be gone -- jhb committed code to -CURRENT a few days ago which eliminates the uniprocessor/multiprocessor distinction for kernels, so having more than one processor will no longer require that the kernel be recompiled."

One more tip: if you want to create a package when installing a port, use 'make package' after 'make'. If you want to create the associated dependencies when creating a package, use 'make package-recursive'.

Thursday, November 06, 2003

Testers for DRAFT Sguil on FreeBSD Installation Guide Needed

I announced the availability of Sguil 0.3.0, so I've been working on a new installation guide. I'm not a big Linux fan so I've been wanting to move my document to reflect FreeBSD. Today I completed the install guide and posted it at If you're so inclined, download the installation doc and try it out.

I used FreeBSD 4.9 RELEASE only to have access to that distro's packages. These are the same as would be found on the 4.9 CD-ROM. The only package I used from the section was OpenSSL, as version 0.9.7c was the latest. It appeared in the stable tree as

The reason I used the packages and not the ports tree was ease of installation. It can take quite a while to build some ports from source, so I opted for package installations for everything except Sguil, Snort, and Barnyard. The guide uses Snort 2.0.3 which was just released. Thankfully everything worked out fine.

I appreciate any comments people might have on the doc. I'd like to declare the guide "FINAL" by Monday.

Wednesday, November 05, 2003

Snort 2.0.3 Released

Yesterday Marty released Snort version 2.0.3, which contains a few bug fixes. Last week Bamm announced the release of Sguil version 0.3.0. I still need to update the documentation. I had already planned a FreeBSD-only installation guide, even before all the turmoil with Red Hat Linux. I hope to have the guide done by next week.

A few weeks ago a good thread on snort-users discussed hardware for Snort and ways to avoid dropping packets.

Do You Bluejack?

Here's a great example of creative minds taking advantage of new technology. Those crafty, meddling kids in the United Kingdom have popularized a way to send text messages to unsuspecting owners of Bluetooth-enabled phones and PDAs. The BluejackQ (or "Bluejack You") site, apparently run by a 13 year old English girl, has all the details. Her site has been hammered recently by visitors, but she reports it's weathered the storm. Netcraft reports she's running Apache on Linux, so good for her!

A poorly edited but technically informative Slashdot post describes the underlying mechanics of the system used to send messages. As another Slashdot poster mentions, Bluetooth isn't like the Internet. If you get an unsolicited Bluetooth message, turn around. The sender can't be more than a few dozen yards away!

Tuesday, November 04, 2003

Wireless IDS "All the Rage"

Researching my book I came across this fairly informative article on wireless IDS. It's useful as it spells out three ways to accomplish the task. The article publisher, Unstrung, has written about Joshua Wright's attacks on LEAP, the vendor's response, and wireless IDS services.

Security Hole in Ethereal; Upgrade Now

The Ethereal project makes the finest open source protocol analyzer available. Yesterday they announced a vulnerability affecting at least Ethereal 0.9.15. They recommend upgrading to 0.9.16 right away. From the advisory:

Potential security issues have been discovered in the following protocol dissectors:

  • An improperly formatted GTP MSISDN string could cause a buffer overflow.
  • A malformed ISAKMP or MEGACO packet could make Ethereal or Tethereal crash.
  • The SOCKS dissector was susceptible to a heap overflow.

It may be possible to make Ethereal crash or run arbitrary code by injecting a purposefully malformed packet onto the wire, or by convincing someone to read a malformed packet trace file.

Upgrade to 0.9.16.

If you are running a version prior to 0.9.16 and you cannot upgrade, you can disable the GTP, ISAKMP, MEGACO, and SOCKS protocol dissectors by selecting Edit->Protocols... and deselecting them from the list.

Beyond the security fixes, you've got to see the new toolbar! Wow, Ethereal is looking good.

Monday, November 03, 2003

I read today on Slashdot that Red Hat will discontinue maintenance and errata support for all versions of Red Hat Linux through 9.0 by 30 April 2004, and produce no other products in that line. Everyone looking for a "free" version of "Red Hat" will have to check out their Fedora Project as Red Hat now focuses on its Red Hat Enterprise Linux line.

Those wishing to try the "Fedora Core" are directed to a download page mentioning the Red Hat beta OS severn. Looking at the Fedora release schedule, the Fedora offering is called cambridge and was due today. It has been delayed and will be released "as soon as possible."

I haven't yet seen a "Red Hat is Dead" post like the "BSD is dead" posts left by Slashdot trolls, so I made the observation myself.

NewsForge has more details on this story. I found their mention of the 10 major Linux distros at Distrowatch interesting. How can anyone say the BSD world is fragmented when there are 10 "major" Linux distros?

Sunday, November 02, 2003

Threat Matrix Chart Clarifies Definition of "Threat"

I ran across this chart at the Kentucky government security page, of all places. They must have reproduced it from a Department of Homeland Security briefing. It shows the five components used to judge a threat: existence, capability, history, intentions, and targeting. My earlier definition focuses on capability and intentions, as I believe existence is taken for granted once you begin a threat assessment. You can easily wrap history into intentions. Targeting is a "special form" of intentions, meaning current intelligence suggesting plans for imminent attack against specific targets. As an enemy meets more of the criteria, the threat rating increases from "low" to "severe."

Update: A blog visitor asked if publication of this chart was a sarcastic move. While I don't think this matrix represents the ultimate in threat assessment, I reproduced it here to show some of the elements used to assess threats. They include the five components mentioned earlier. The choice of words "severe, high," etc., doesn't fit with any threat model I've used in the military. We had THREATCONs which used words like "normal, alpha, bravo," etc. THREATCONs became Terrorist Force Protection Conditions (FPCON) in 2001.

I'm looking forward to the first Cyber Threat Matrix by Echo CCT.

FreeBSD 5.2 RELEASE Due 2 Dec

I read the new FreeBSD release schedule today and learned FreeBSD 5.2 is due 2 Dec 03, with FreeBSD 5.3 scheduled for 29 Mar 04. FreeBSD 5.2 will still be a "new technology" release, and 5.3 will be the first release to be considered "stable." Currently, FreeBSD 4.9 is the newest "stable" release.

I also learned that Robert Watson, one of the brains behind FreeBSD, has posted a Web-browsable interface to BSD and Linux source code. Do you want to see sys/net/bpf_filter.c? Look here for FreeBSD 5.1 or here for FreeBSD 4.9.

Here's if_wi.c, the driver for Prism wireless cards. According to this post it has had problems due to bugs in the card's firmware. Here's a how-to for flashing Prism cards; more info here. Those with Orinoco cards can find firmware here.

Are you interested in knowing the status of ports in FreeBSD? Visit Mark Linimon's Package building logs and errors for the bento cluster. You can get all sorts of reports such as querying for one port of interest, like bro or nmap.

Update: This reports a 16 Dec release for 5.2.

Last Thursday DeMarc announced its acquisition of the Sentaurus IDS from Silicon Defense. In June I listed various companies selling Snort-based IDS appliances. It looks like Silicon Defense's support for its Windows version of Snort continues at This appears to be different from the binaries available at (I didn't check the WinSnort version because downloads there require registration.) DeMarc was famous for its GUI for Snort alerts, which no longer appears as a Snort add-on. However, it's now called PureSecure Personal and is free for "home use." Downloading it requires registration.

Saturday, November 01, 2003

Reviews of C Primer Plus, 4th Ed, The Myth of Homeland Security, and Beyond Fear Posted

 just published three new reviews. First, from the five star review of C Primer Plus, 4th Ed by Stephen Prata:

"Stephen Prata's C Primer Plus, 4th Ed (CPP4E) is an excellent book. I took a close look at the competition and even started reading O'Reilly's Practical C Programming before realizing CPP4E was the book for me. I had no C programming background, but had the knowledge of C-64 BASIC, Pascal, and other languages shared by many kids born in the 1970s. If you're looking for a well-conceived introduction to C, Prata's book is for you."

I plan to read books on secure coding and socket programming next, as these are my real interests. I also have books on C++, Java, and C# waiting. I'm reading these to gain familiarity with these languages for purposes of security, not contributing code to FreeBSD (yet).

Next are two more controversial reviews. Although I gave each book four stars, I make specific critiques of each book. From my four star review of The Myth of Homeland Security by Marcus Ranum:

"Let's set the record straight. This book is a 231 page political rant, regardless of the author's claim on p. 31 to be 'nonideological.' I have the slightly odd benefit of reading this book with a master's degree in public policy on the wall, but I work as a hands-on, FreeBSD-running computer security consultant. I imagine many readers are also members of the technical community, yet are unaware of books addressing similar topics. "The Myth of Homeland Security" cannot compare to a serious book like James Q. Wilson's Bureaucracy: What Government Agencies Do and Why They Do It. I'll tell you why and conclude with my rationale for 4 stars, nonetheless...

So why do I give The Myth 4 stars? At least somebody is raising important issues. Ranum may be the crazy guy yelling crude remarks at a quiet moment during a political rally, but thank goodness he's there. It's great to see someone realize what a mess our appropriations process has become, and decide to join the fray. Political scientists spend their entire lives chipping away at the same problems. Welcome to the party, Mr. Ranum, and thanks for your work. "

Finally, from my four star review of Beyond Fear by Bruce Schneier:

"Beyond Fear is a good book, but don't turn to it for proper definitions of security terms. Steer clear of this book's misuse of the words 'threat' and 'risk.' While I appreciate Schneier's overall discussion of security issues, I expect a book aimed at the layman to be more accurate...

I loved Secrets and Lies, and every time I see the author speak I learn something new. Am I off base with this review? You be the judge. I still gave it 4 stars, since the book's vignettes are informative and its scope impressive. Given the large number of reviewers I expected someone to challenge the author's terminology. Yes, this is semantics, but shouldn't a book by an expert set the record straight? I don't think my expectations are unrealistic, either; Schneier is a previously published 'thought leader,' and he deserves to be held to the highest possible standards."

Reading the full text of each review, especially those on Ranum and Schneier, will make these points clearer. As of the time of writing this report, has published an incorrectly edited version of the Schneier review missing the word "a" in the first sentence. I expect that to be fixed soon.

I'm sure I'm opening myself up to criticism by publishing these reviews, especially for Schneier's book. All the other reviews rave about it, so anything less than five stars will single me out. Nevertheless, I believe it's important to take a close look at Schneier's work in the interest of improving whatever comes next. Since so many people in the community pay attention to what he says, I want to make sure his message is clear.