Friday, March 31, 2006

March 2006 (IN)SECURE Magazine Posted

Issue 1.6 (March 2006) (.pdf) of (IN)SECURE Magazine is now available for download. This is a great online magazine that covers a wide variety of security topics. Consider submitting an article.

Controlling Bots with Steganography

My friend John Ward posted a discussion of controlling bots with steganography:

So basically, all this does is open a Bitmap file, decode the steganography message, and pass the resulting message to the protocol class for handling. More sophisticated techniques can be employed, and steganography has grown as a field, so different graphics formats, MP3 files, or even specially encoded HTML headers can contain the message.

This deviates from the traditional botnet where the client connects to an IRC channel or some other central media to receive commands in real time. In this method, the attacker loses real-time response and gains stealth. With a reasonable interval of time set for the clients, the attacker can have their nefarious commands executed in a short amount of time.

By combining this code with some disguised distribution method, let's say an image thumbnail browser for an online graphics catalog, the program can be distributed widely, and its online image grabbing behavior would never be suspect until the mass traffic adding to a DDOS attack came from the client machine. And even if it were, your normal Net-Sec analyst would only see an image file and have no clue that the image file contained a steganography-encoded message.


Neat idea John -- is anyone seeing this in the wild?
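
The mechanism John describes, as an added example that is not his code or this page's: a constructed 15x15 24-bit BMP (the gradient, the message 'sleep 300' and the toy handle_command dispatcher are all assumptions) carries a length-prefixed message in the least-significant bit of each colour byte, and extract() recovers it the way his client would before handing the text to a protocol handler. The cover and the marked file are the same size, have identical headers, and differ by at most one in a subset of colour bytes, which is exactly why inspecting the transiting file as an image reveals nothing.

```python
import struct

# Constructed 15x15 cover image (not from the post): a smooth BGR gradient.
WIDTH, HEIGHT = 15, 15
COVER_PIXELS = bytes((x * 13 + y * 7 + c * 31) & 0xFF
                     for y in range(HEIGHT) for x in range(WIDTH) for c in range(3))


def make_bmp(width, height, pixels):
    """Wrap raw bottom-up BGR triples in a 24-bit uncompressed BMP container."""
    row_bytes = width * 3
    pad = b"\0" * ((4 - row_bytes % 4) % 4)      # BMP rows are 4-byte aligned
    body = b"".join(pixels[y * row_bytes:(y + 1) * row_bytes] + pad
                    for y in range(height))
    info = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                       len(body), 2835, 2835, 0, 0)
    head = struct.pack("<2sIHHI", b"BM", 14 + 40 + len(body), 0, 0, 54)
    return head + info + body


def _colour_byte_offsets(bmp):
    """Offsets of every colour byte in a 24-bit BMP, skipping row padding."""
    (data_off,) = struct.unpack_from("<I", bmp, 10)
    width, height = struct.unpack_from("<ii", bmp, 18)
    (bpp,) = struct.unpack_from("<H", bmp, 28)
    if bpp != 24:
        raise ValueError("only 24-bit BMPs are handled")
    row_bytes = width * 3
    stride = (row_bytes + 3) & ~3
    return [data_off + y * stride + x
            for y in range(abs(height)) for x in range(row_bytes)]


def embed(bmp, message):
    """Copy `bmp`, writing a 4-byte length prefix plus `message` into the LSBs."""
    payload = struct.pack("<I", len(message)) + message
    offs = _colour_byte_offsets(bmp)
    if len(payload) * 8 > len(offs):
        raise ValueError("message does not fit in this image")
    out = bytearray(bmp)
    for i, off in enumerate(offs[:len(payload) * 8]):
        bit = (payload[i // 8] >> (7 - i % 8)) & 1      # MSB first within each byte
        out[off] = (out[off] & 0xFE) | bit
    return bytes(out)


def extract(bmp):
    """Read the length prefix, then the message, from the LSB plane.

    Returns None when the claimed length cannot fit, which is what an unmarked
    cover image usually yields: its LSBs decode to an arbitrary 32-bit number.
    """
    offs = _colour_byte_offsets(bmp)

    def read(start_bit, nbytes):
        out = bytearray()
        for i in range(start_bit, start_bit + nbytes * 8, 8):
            b = 0
            for off in offs[i:i + 8]:
                b = (b << 1) | (bmp[off] & 1)
            out.append(b)
        return bytes(out)

    if len(offs) < 32:
        return None
    (length,) = struct.unpack("<I", read(0, 4))
    if 32 + length * 8 > len(offs):
        return None
    return read(32, length)


def handle_command(message):
    """Toy stand-in (assumption) for the post's 'protocol class': split decoded
    text into a verb and its arguments; None for text that is not a command."""
    parts = message.decode("ascii", "replace").split()
    if not parts or not parts[0].isalpha():
        return None
    return parts[0].lower(), parts[1:]


def lsb_delta(cover, stego):
    """Count bytes that differ between cover and stego; each change is +/-1 in
    one colour byte, so the marked file is still a perfectly valid image."""
    return sum(1 for a, b in zip(cover, stego) if a != b)


if __name__ == "__main__":
    cover = make_bmp(WIDTH, HEIGHT, COVER_PIXELS)
    stego = embed(cover, b"sleep 300")
    print(extract(cover), extract(stego), handle_command(extract(stego)),
          lsb_delta(cover, stego), "bytes changed of", len(cover))
```

extract() on the unmarked cover returns None only because the bogus length read from its LSBs exceeds the image's capacity; a real client would want a magic marker or checksum rather than rely on that. Detecting this class of channel falls to LSB-plane statistics (chi-square or RS steganalysis) or to behaviour, the periodic image fetches themselves, not to payload signatures.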

Wednesday, March 29, 2006

Tom Gallagher Responds to Blog Post

Tom Gallagher, author of the forthcoming Hunting Security Bugs, sent the following in reply to my Microsoft Is Getting It post:


Hello Richard. Last weekend I read your blog about Microsoft BlueHat and our security books and thought you might be interested in some more information about these topics.

I joined the company almost 7 years ago. In that time, I've seen some major changes happen around how the company views security. As you are aware, the company didn't focus much on security back then. I was one of the few people at the company who did fulltime penetration testing. I worked on a small product team within Microsoft Office and was responsible for testing only it. Today things are very different. In Office's vision document for the release, the first tenet is about the importance of security. Unlike when I started, security is now the responsibility of everyone creating the software - not just the person writing the code, but also the people who design, test, and document it. Other products across the company do similar things. We're certainly not perfect, but are working harder and harder to get better.

As you noticed, we proactively try to learn about security issues from external researchers and bring them to Redmond to present to the product teams. The cool thing about this is it allows many people to get direct exposure to the information. For example, I can't justify sending everyone on my team to a security conference twice a year, but I can send them to BlueHat that often. We continue to send people to external conferences too. Since security is everyone's responsibility, people who don't work on security fulltime also attend BlueHat. It is unlikely that those people would attend external security conferences often.

I'm one of the authors of an upcoming MSPress title (Hunting Security Bugs). This book allows feature testers to understand how to find security bugs in their product. Writing Secure Code is for developers to understand how to create secure software; the testing book teaches testers how to ensure that by carefully probing for vulnerabilities. Both books cover a wide variety of topics. And of course testers aren't limited to the people who work on the team creating the software.


If you have any questions for Tom, please post them here.

Sunday, March 26, 2006

Review of Protect Your Windows Network Posted

Amazon.com just posted my five star review of Protect Your Windows Network by Jesper Johansson and Steve Riley. I loved this book. It's another must-read, but check out my comments. From the extensive review:

I received a copy of Protect Your Windows Network (PYWN) almost one year ago, and I immediately put it aside. I figured it was another "security configuration guide," with lots of descriptions of settings and other tweaks that makes for boring reading. Recently I decided to give PYWN another look, and I am exceedingly glad I did. PYWN is one of the best security books I have ever read, and that includes nearly 200 titles over the last six years. Incredibly, even non-Windows users will find plenty of sound advice for their enterprise. Although the book is highly opinionated (and at times perhaps not on my side of the issues) I strongly recommend reading PYWN.

Friday, March 24, 2006

FISMA Is a Joke

Thanks to SANS Newsbites I read the article FISMA Fizzles. I've written about FISMA before. The new article points me to a potential wise man who understands that FISMA is a joke: ex-Energy Department CIO Bruce Brody. This comment cut straight to the problem with FISMA:

OMB's FISMA implementation basically boils security down to paperwork exercises, and score card pressure ensures it stays that way. But that's not how cybersecurity works; it requires real-time monitoring, updating and patching, Brody says, which isn't necessarily reducible to a paper trail. (emphasis added)

Did I read "real-time monitoring"? Wow. Mr. Brody "gets it." Consider the alternative point of view:

FISMA has its defenders. An agency fully compliant with FISMA is a secure agency, says Scott Charbo, Homeland Security Department CIO. The law and cybersecurity are "the same thing in my mind," he says.

I see. Reading the DHS' grade history shows they have a perfect F record for the last three years. Just because DHS is in a sorry state and its scores are an F doesn't mean that an agency with straight A's is secure!

Let's get back to monitoring. Mr. Brody has correctly recognized that the absolute first priority for a security program is to figure out what is happening. If you have no idea what is happening in your enterprise, how can you expect to "secure" it? It doesn't even make sense to figure out what systems you have before you start monitoring. When you start watching traffic, intruders will show you your systems. The most vulnerable and/or interesting targets will get the most attention from the adversary, and you should address those first.

If you are a federal agency and you want to learn more about implementing monitoring, please contact me: richard at taosecurity dot com. I can teach you what to do, efficiently and cheaply. I may not be wearing my blue uniform any more, but I want to do my part. FISMA is not helping.

New Sguil VM Available for Testing

Using the scripts I described yesterday, I built a new Sguil VM. It is available here:

freebsd54-sguil-24mar06-pub1.tar.bz2 (310 MB)

SHA256 (freebsd54-sguil-24mar06-pub1.tar.bz2) =
a18bcd8114c4f40e43f777dc3f34ca917a44093e16f72a720f1ff6183e66f434

The VM is a bzip2-compressed tar archive; check the SHA256 above before extracting it. Windows users can extract it with bsdtar for Windows.

The OS is FreeBSD 5.4 with the latest security patches. Sguil 0.6.1 is set up with all components on the same system. This VM is similar to my two old VMs using FreeBSD 6.0 and Sguil 0.6.0p1.

I tried to address issues people discussed. I could not build the disks using SCSI because FreeBSD did not recognize them. I know the VM works in VMware Workstation and VMware Server Beta. I did not yet test it in VMware Player. VMware ESX Server probably doesn't work because it doesn't like IDE disks. This VM uses a 6 GB virtual disk. I gave the /nsm partition 2 GB space so you can try collecting more traffic.

I built the VM with two interfaces. As configured they are both bridging vmnet0 (the default interface). I personally change this before running the VM "in production," such that lnc0 bridges to a management interface (vmnet0 and eth0) and lnc1 bridges to a sniffing interface (vmnet2 and eth1). Yes, I am running this VM on Linux and VMware Server Beta.

Here are the accounts on the VM in (system) name: password; comment format. These are published defaults, so change every one of them before the VM touches a network you do not fully control.

  • (FreeBSD) sguil: sguil; not in wheel group

  • (FreeBSD) analyst: analyst; in wheel group

  • (FreeBSD) root: r00t

  • (MySQL) sguil: sguil

  • (MySQL) root: r00t

  • (Sguil) sguil: sguil


To get everything running:

  1. Boot the VM. Log in as user analyst. Run 'startx' to open an X session.

  2. Open an xterm. su - root. Run 'sancp_start.sh', 'snort_start.sh', '/usr/local/bin/log_packets.sh restart'.

  3. Open a second xterm. su - sguil. Run 'sguild_start.sh', 'sensor_agent_start.sh', 'barnyard_start.sh'.

  4. Open a third xterm. Run 'sguil_client_start.sh'.

  5. The Sguil client window will appear. Use server 'localhost', port '7734', user 'sguil', password 'sguil'.

  6. Select sensor 'taosecurity' when given the option.

  7. Congratulations. You are running Sguil!


When all components are running, 'sockstat -4' output will look something like this:

USER   COMMAND   PID  FD PROTO LOCAL ADDRESS    FOREIGN ADDRESS
sguil  barnyard  4502 11 tcp4  127.0.0.1:53438  127.0.0.1:7735
sguil  tclsh8.4  4464 3  tcp4  127.0.0.1:50811  127.0.0.1:7736
sguil  tclsh8.4  4464 4  tcp4  127.0.0.1:7735   *:*
sguil  tclsh8.4  4464 5  tcp4  127.0.0.1:7735   127.0.0.1:53438
sguil  tclsh8.4  4429 11 tcp4  *:7734           *:*
sguil  tclsh8.4  4429 12 tcp4  127.0.0.1:7736   *:*
sguil  tclsh8.4  4429 13 tcp4  127.0.0.1:7736   127.0.0.1:50811
mysql  mysqld    1845 10 tcp4  127.0.0.1:3306   *:*


The Sguil client connects to port 7734 TCP, where sguild is listening. Barnyard connects to port 7735 TCP, where sensor_agent.tcl listens. The sguild server listens on port 7736 TCP for connections from sensor_agent.tcl. MySQL listens on port 3306 TCP. Note that in this deployment everything is bound to localhost except sguild's client port: the *:7734 line shows it listening on every interface, while MySQL is confined to 127.0.0.1. I usually don't have port 7734 TCP listening on public IPs. I instead use SSH port forwarding to tunnel the client communications:

ssh -L 7734:localhost:7734 analyst@sensor_mgt_ip

When I start my client I then connect to localhost, port 7734.

The easiest way to test the whole setup is to netcat to port 22 TCP on a system watched by the sensor. Enter the text 'GOBBLES' when connected to port 22 TCP. There is a Snort rule that fires when Snort sees this text on port 22 TCP.

You should see an alert appear in the Sguil console.

If you have any questions, please post them here as comments. You may also get help by sending them via email to sguil-users at lists dot sourceforge dot net.

Bejtlich Quoted Regarding Check Point and Sourcefire

Joe Brockmeier from Newsforge interviewed me via phone today for his article Check Point withdraws from Sourcefire acquisition. I think Joe did a good job relaying my thoughts on the matter. He read my earlier post and decided to call.

Forensic Pre-Review

My friends at Sybex, a division of Wiley, sent me a review copy of EnCase Computer Forensics -- The Official EnCE: EnCase Certified Examiner Study Guide by Steve Bunting and William Wei. This looks like a good introductory book for Guidance Software's products, especially those that are host-based. I plan to read this book in tandem with Brian Carrier's File System Forensic Analysis.

Speaking of Guidance Software, I am speaking at their 2006 Computer and Enterprise Investigations Conference in Las Vegas on Thursday, 4 May 2006 from 1400-1530 on Network Forensics.

Check Point Acquisition of Sourcefire Cancelled

According to Sourcefire's press release:

Sourcefire, Inc., the world leader in intrusion prevention, today announced that, with the consent of the US government, Sourcefire and Check Point Software Technologies have opted to withdraw their merger filing with the Committee on Foreign Investment in the United States (CFIUS). Sourcefire will continue to operate as the industry's largest private Intrusion Prevention System (IPS) vendor.

According to Check Point's press release:

The companies have determined that it would be more effective to create a customer focused business partnership. "We've decided to pursue alternative ways for Check Point and Sourcefire to partner in order to bring to market the most comprehensive security solutions," said Gil Shwed, Check Point's CEO.

Check Point and Sourcefire will continue to create and distribute the best security solutions in their respective spaces. They will work together on formulating a partnership strategy moving forward and will keep customers and partners updated as new plans are developed.


Their FAQ says this:

Is the Sourcefire acquisition cancelled?

We can still pursue the acquisition but at this point we will explore other opportunities. We will also focus on running our business and delivering the best solutions for customers.


Wow, it's cancelled -- despite what Check Point says. I thought this deal would go through, albeit with restrictions.

Thursday, March 23, 2006

New Sguil Scripts and VM

I have not been happy with the performance of FreeBSD 6.0 under VMware Workstation or VMware Server Beta. I thought some workarounds helped, but that wasn't really the case.

Also, since releasing my original Sguil installation script, I've wanted to break it into scripts for the Sguil sensor, database, server, and client.

I decided today to kill two birds with one stone. First, I broke the master script into the following smaller scripts.

  • sguil_sensor_install.sh

  • sguil_sensor_install_patch.sh

  • sguil_database_install_pt1.sh

  • sguil_database_install_pt2.sh

  • sguil_server_install.sh

  • sguil_client_install.sh


All of them are available in this archive: sguil_install_scripts.tar.gz.

These are not pretty. There is no error checking. There is no interaction. You will have to make modifications to get them to work flawlessly in your environment.

Important: As written these scripts download packages for FreeBSD 5, not 6. You can modify this.

These will work best "out of the box" if you want to install all Sguil components on a single host. This is the case because I did not make any adjustments to have MySQL listen on a public interface, for example.

So what good are these? Well, you can now see exactly what software is required for each Sguil component. It's possible I may have erred on the side of including one too many packages for a certain component, but I believe this configuration will work. I did some testing to iron out bugs, but I can't guarantee success.

Using these scripts, I created a new Sguil 0.6.1 complete (sensor/database/server/client) VM on FreeBSD 5.4 RELEASE. The following shows how I invoked the scripts, and the adjustments I made to get the patches to work on this VM.

First I downloaded the script collection.

taosecurity:/root# fetch http://www.bejtlich.net/sguil_install_scripts.tar.gz
sguil_install_scripts.tar.gz 100% of 2552 B 1716 kBps
taosecurity:/root# tar -xzvf sguil_install_scripts.tar.gz
x scripts
x scripts/sguil_client_install.sh
x scripts/sguil_sensor_install.sh
x scripts/sguil_server_install.sh
x scripts/sguil_sensor_install_patch.sh
x scripts/sguil_database_install_pt2.sh
x scripts/sguil_database_install_pt1.sh
taosecurity:/root#
taosecurity:/root# cd scripts/
taosecurity:/root/scripts# ls
sguil_client_install.sh sguil_sensor_install.sh
sguil_database_install_pt1.sh sguil_sensor_install_patch.sh
sguil_database_install_pt2.sh sguil_server_install.sh
taosecurity:/root/scripts# chmod +x *.sh

Next I started with the sensor installation.

taosecurity:/root/scripts# ./sguil_sensor_install.sh
Starting Sguil sensor installation.
...edited...
Sguil server installation finished.

You must modify the following patches in /usr/local/etc/nsm
to match your environment.

sensor_agent.conf.patch
snort.conf.patch
barnyard.conf.patch
sancp.conf.patch
log_packets.sh.patch

When done, run sguil_sensor_install_patch.sh

Next, modify the start scripts to match your environment.

These are in the /home/sguil directory:

barnyard_start.sh sensor_agent_start.sh

You'll notice the end of the script suggests making changes to patches to match your environment. Here are the common changes:

  • sensor_agent.conf.patch: change hostname from 'gruden' to 'your_hostname'

  • snort.conf.patch: change 'var RULE_PATH /nsm/rules/gruden' to 'var RULE_PATH /nsm/rules/your_hostname'

  • barnyard.conf.patch: change hostname from 'gruden' to 'your_hostname'; change interface from 'lnc1' to whatever your system uses

  • sancp.conf.patch: probably no changes

  • log_packets.sh.patch: change hostname from 'gruden' to your_hostname; change interface from 'lnc1' to whatever your system uses


Once I made changes I needed, I ran sguil_sensor_install_patch.sh.

taosecurity:/root/scripts# ./sguil_sensor_install_patch.sh
Patching Sguil sensor configuration and logging scripts.

Hmm... Looks like a unified diff to me...
The text leading up to this was:
--------------------------
|--- sensor_agent.conf Wed Dec 28 14:57:30 2005
|+++ sensor_agent.conf.diff Wed Dec 28 14:58:33 2005
--------------------------
Patching file sensor_agent.conf using Plan A...
Hunk #1 succeeded at 13.
Hunk #2 succeeded at 22.
Hunk #3 succeeded at 55 (offset 6 lines).
done
Hmm... Looks like a unified diff to me...
The text leading up to this was:
--------------------------
|--- snort.conf Wed Dec 28 14:30:42 2005
|+++ snort.conf.diff Wed Dec 28 15:07:23 2005
--------------------------
Patching file snort.conf using Plan A...
Hunk #1 succeeded at 107.
Hunk #2 succeeded at 621.
done
Hmm... Looks like a unified diff to me...
The text leading up to this was:
--------------------------
|--- barnyard.conf Wed Dec 28 14:30:42 2005
|+++ barnyard.conf.diff Wed Dec 28 15:00:38 2005
--------------------------
Patching file barnyard.conf using Plan A...
Hunk #1 succeeded at 23.
Hunk #2 succeeded at 38.
Hunk #3 succeeded at 133.
done
Hmm... Looks like a unified diff to me...
The text leading up to this was:
--------------------------
|--- sancp.conf Wed Dec 28 14:30:42 2005
|+++ sancp.conf.diff Wed Dec 28 15:01:49 2005
--------------------------
Patching file sancp.conf using Plan A...
Hunk #1 succeeded at 45.
done
Hmm... Looks like a unified diff to me...
The text leading up to this was:
--------------------------
|--- log_packets.sh Wed Dec 28 20:11:54 2005
|+++ log_packets.sh.diff Wed Dec 28 20:12:39 2005
--------------------------
Patching file log_packets.sh using Plan A...
Hunk #1 succeeded at 28.
done

The sensor installation provides several start scripts that must also be adjusted for your environment:

  • /root/snort_start.sh: change 'gruden' to 'your_hostname' and 'lnc1' to your sniffing interface

  • /root/sancp_start.sh: change 'gruden' to 'your_hostname' and 'lnc1' to your sniffing interface

  • /home/sguil/barnyard_start.sh: change 'gruden' to 'your_hostname'


At this point I was ready to install the Sguil database. I broke this into two scripts because I needed a delay to ensure MySQL was running before taking certain actions.

taosecurity:/root/scripts# ./sguil_database_install_pt1.sh
Starting Sguil database installation, part 1.
...edited...
The latest information about MySQL is available on the web at
http://www.mysql.com
Support MySQL by buying support/licenses at https://order.mysql.com
Run sguil_database_install_pt2.sh after MySQL is running.
taosecurity:/root/scripts# Starting mysqld daemon with databases from /var/db/mysql
taosecurity:/root/scripts# sockstat -4 | grep 3306
mysql mysqld 1187 10 tcp4 *:3306 *:*

Now I start part 2 of the database installation after checking to be sure MySQL is listening on port 3306. Note that sockstat shows mysqld bound to *:3306 at this point, i.e. reachable from every interface. The script edits /etc/rc.conf so that MySQL listens only on localhost, port 3306. You can also do the following:

# mysqladmin -p shutdown
Enter password:

To restart the server:

mysqld_safe --bind-address=127.0.0.1 --user=mysql &



taosecurity:/root/scripts# ./sguil_database_install_pt2.sh
Starting Sguil client installation, part 2.

+-------------------+
| Tables_in_sguildb |
+-------------------+
| history |
| nessus |
| nessus_data |
| portscan |
| sensor |
| sessions |
| status |
| user_info |
| version |
+-------------------+
Sguil database installation complete.

The sensor and database are done. On to the Sguil server. You'll notice I install mysqltcl from the ports tree. I am no longer hosting a package for this. You'll also be prompted to enter a password for the Sguil client. This is proof that mysqltcl and sguild are working.

taosecurity:/root/scripts# ./sguil_server_install.sh
Starting Sguil server installation.
...edited...
=> Attempting to fetch from http://www.xdobry.de/mysqltcl/.
mysqltcl-3.01.tar.gz 100% of 164 kB 62 kBps
===> Extracting for mysqltcl-3.01
=> MD5 Checksum OK for mysqltcl-3.01.tar.gz.
===> Patching for mysqltcl-3.01
===> Applying FreeBSD patches for mysqltcl-3.01
===> mysqltcl-3.01 depends on shared library: tcl84 - found
===> mysqltcl-3.01 depends on shared library: mysqlclient.15 - found
===> Configuring for mysqltcl-3.01
===> Building for mysqltcl-3.01
...edited...
Create a Sguil client user password when prompted.
Please enter a passwd for sguil:
Retype passwd:
User 'sguil' added successfully
SGUILD: Exiting...
Sguil server installation finished.

You must modify /usr/local/etc/nsm/sguild.conf.patch
to match your environment.

When done, apply it:

patch -p0 < sguild.conf.patch

As the end of the script notes, you should patch /usr/local/etc/nsm/sguild.conf. The /usr/local/etc/nsm/sguild.conf.patch by default should work as is for those with a local installation.

taosecurity:/root/scripts# cd /usr/local/etc/nsm/
taosecurity:/usr/local/etc/nsm# patch -p0 < sguild.conf.patch
Hmm... Looks like a unified diff to me...
The text leading up to this was:
--------------------------
|--- sguild.conf Wed Dec 28 16:29:21 2005
|+++ sguild.conf.diff Wed Dec 28 16:30:34 2005
--------------------------
Patching file sguild.conf using Plan A...
Hunk #1 succeeded at 1.
Hunk #2 succeeded at 30.
Hunk #3 succeeded at 42.
Hunk #4 succeeded at 71.
done

At last we are ready to install the client. It's fairly simple.

taosecurity:/root/scripts# ./sguil_client_install.sh
Starting Sguil client installation.
...edited...
Sguil client installation finished.

I'd like to share a few words on requirements for running these scripts.

  • Make sure you have users sguil and analyst on the system.

  • With FreeBSD 5.4, I applied the User installation. I manually extracted the ports tree by downloading it from ftp://ftp.freebsd.org/pub/FreeBSD/ports/ports-current/ports.tar.gz and extracting it in /usr. I did that because the ports tree on the CD is 10 months old.

  • If you create a system with DHCP, make sure you have an entry in /etc/hosts for 127.0.0.1 and the name of your sensor, like 'taosecurity taosecurity.taosecurity.com'.


Here are the open ports on a system where all components are running. I omit sshd.

taosecurity:/home/analyst$ sockstat -4 | grep -v sshd
USER   COMMAND   PID FD PROTO LOCAL ADDRESS    FOREIGN ADDRESS
sguil  barnyard  717 12 tcp4  127.0.0.1:51062  127.0.0.1:7735
sguil  tclsh8.4  701 3  tcp4  127.0.0.1:53610  127.0.0.1:7736
sguil  tclsh8.4  701 4  tcp4  127.0.0.1:7735   *:*
sguil  tclsh8.4  701 6  tcp4  127.0.0.1:7735   127.0.0.1:51062
sguil  tclsh8.4  672 12 tcp4  *:7734           *:*
sguil  tclsh8.4  672 13 tcp4  127.0.0.1:7736   *:*
sguil  tclsh8.4  672 14 tcp4  127.0.0.1:7736   127.0.0.1:53610
mysql  mysqld    505 10 tcp4  127.0.0.1:3306   *:*
root   sendmail  430 3  tcp4  127.0.0.1:25     *:*
root   syslogd   315 6  udp4  *:514            *:*
root   dhclient  247 4  udp4  *:68             *:*
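
A quick check for the two sockstat listings on this page (the one in the New Sguil VM post above and the one just shown), added here as my own example rather than anything from Sguil: parse the output, keep sockets with no peer, and report those bound to something other than 127.0.0.1. The port roles come from the text; the sample input is the listing just above, so the code runs offline, and passing 'live' on the command line runs it against the local host's sockstat instead.

```python
import subprocess
import sys

# Port roles as described in the text; anything else is "not a Sguil port".
SGUIL_PORTS = {7734: "sguild: client", 7735: "sensor_agent: barnyard",
               7736: "sguild: sensor_agent", 3306: "MySQL"}

# The listing shown above, copied from the page (sshd omitted there too).
SAMPLE = """\
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
sguil barnyard 717 12 tcp4 127.0.0.1:51062 127.0.0.1:7735
sguil tclsh8.4 701 3 tcp4 127.0.0.1:53610 127.0.0.1:7736
sguil tclsh8.4 701 4 tcp4 127.0.0.1:7735 *:*
sguil tclsh8.4 701 6 tcp4 127.0.0.1:7735 127.0.0.1:51062
sguil tclsh8.4 672 12 tcp4 *:7734 *:*
sguil tclsh8.4 672 13 tcp4 127.0.0.1:7736 *:*
sguil tclsh8.4 672 14 tcp4 127.0.0.1:7736 127.0.0.1:53610
mysql mysqld 505 10 tcp4 127.0.0.1:3306 *:*
root sendmail 430 3 tcp4 127.0.0.1:25 *:*
root syslogd 315 6 udp4 *:514 *:*
root dhclient 247 4 udp4 *:68 *:*
"""


def parse_sockstat(text):
    """Turn `sockstat -4` lines into dicts; skips the header and odd lines."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 7 or f[0] == "USER":
            continue
        user, cmd, pid, fd, proto, local, foreign = f
        addr, port = local.rsplit(":", 1)
        rows.append({"user": user, "cmd": cmd, "pid": int(pid), "proto": proto,
                     "addr": addr, "port": int(port), "foreign": foreign})
    return rows


def listening(rows):
    """Sockets with no peer: TCP listeners and bound UDP sockets."""
    return [r for r in rows if r["foreign"] == "*:*"]


def exposed(rows):
    """Listening sockets not bound to 127.0.0.1, i.e. reachable off-box."""
    return [r for r in listening(rows) if r["addr"] != "127.0.0.1"]


def report(text):
    """One line per exposed socket, naming the Sguil role if the port has one."""
    return [f"{r['proto']} {r['addr']}:{r['port']} {r['cmd']} "
            f"({SGUIL_PORTS.get(r['port'], 'not a Sguil port')})"
            for r in exposed(parse_sockstat(text))]


if __name__ == "__main__":
    # No argument: run on the page's listing. "live": run on this host.
    if len(sys.argv) > 1 and sys.argv[1] == "live":
        text = subprocess.run(["sockstat", "-4"], capture_output=True,
                              text=True).stdout
    else:
        text = SAMPLE
    print("\n".join(report(text)) or "nothing listening beyond loopback")
```

On this listing the only Sguil component reachable off-box is sguild's client port, 7734, which is what the SSH tunnel is for. The other two hits are not Sguil's: syslogd binds *:514 under FreeBSD's default syslogd_flags="-s" (it stops opening the socket only with -ss), and dhclient's *:68 is inherent to DHCP.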

I plan to post the new VM when I get a chance.

Promiscuous Mode on Linux VMware Server Beta

I've been writing about deploying VMware Server Beta on Debian. Today I tried my Sguil VM and found I could not sniff all traffic on lnc1. I could only see broadcast traffic (ARP, DHCP, etc.). That indicated lnc1 was not seeing the physical interface in promiscuous mode.

I have the lnc1 interface corresponding to /dev/vmnet2, which is bridged to eth1 on the Linux host. After checking to be sure eth1 was up and could see all traffic as I expected, I couldn't think of a reason why lnc1 wouldn't see the same. I did not have this problem on Windows when I wrote about it.

Luckily I found this GSX document which said:

GSX Server does not allow the virtual Ethernet adapter to go into promiscuous mode unless the user running GSX Server has permission to make that setting. This follows the standard Linux practice that only root can put a network interface into promiscuous mode.

Well, I have the VMware Server components running as root.

If you want all users to be able to set the virtual Ethernet adapter (/dev/vmnet0 in our example) to promiscuous mode, you can simply run the following command on the host operating system as root.

chmod a+rw /dev/vmnet0

That sounded promising. I looked at my /dev/vmnet* first:

donato:/dev# ls -al vmnet*
crw------- 1 root root 119, 0 Mar 23 08:21 vmnet0
crw------- 1 root root 119, 1 Mar 23 08:21 vmnet1
crw------- 1 root root 119, 2 Mar 23 08:22 vmnet2
crw------- 1 root root 119, 3 Mar 23 08:21 vmnet3
crw------- 1 root root 119, 4 Mar 23 08:21 vmnet4
crw------- 1 root root 119, 5 Mar 23 08:21 vmnet5
crw------- 1 root root 119, 6 Mar 23 08:21 vmnet6
crw------- 1 root root 119, 7 Mar 23 08:21 vmnet7
crw------- 1 root root 119, 8 Mar 23 08:21 vmnet8
crw------- 1 root root 119, 9 Mar 23 08:21 vmnet9

Following the article's advice:

donato:/dev# chmod a+rw /dev/vmnet2
donato:/dev# ls -al vmnet*
crw------- 1 root root 119, 0 Mar 23 08:21 vmnet0
crw------- 1 root root 119, 1 Mar 23 08:21 vmnet1
crw-rw-rw- 1 root root 119, 2 Mar 23 08:22 vmnet2
crw------- 1 root root 119, 3 Mar 23 08:21 vmnet3
crw------- 1 root root 119, 4 Mar 23 08:21 vmnet4
crw------- 1 root root 119, 5 Mar 23 08:21 vmnet5
crw------- 1 root root 119, 6 Mar 23 08:21 vmnet6
crw------- 1 root root 119, 7 Mar 23 08:21 vmnet7
crw------- 1 root root 119, 8 Mar 23 08:21 vmnet8
crw------- 1 root root 119, 9 Mar 23 08:21 vmnet9

Success. Now I can sniff all traffic in promiscuous mode on lnc1. Note what a+rw grants, though: any local user on the host can now open /dev/vmnet2 and so read, and inject, every frame on the eth1 bridge. On a multi-user host, give the device node a group and grant rw to that group rather than to everyone.

Reprinting BSD History

William and Lynne Jolitz issued a press release announcing the reprinting of their 1991-1992 series of articles Porting UNIX to the 386. From the press release: "The series covered all aspects of the project, from its inception in mid-1989 as a personal project done under the auspices of the University of California at Berkeley to its first complete operational open source release on March 17th, 1992 of 386BSD Release 0.0 -- 386BSD releases are officially 14 years old today [17 March]."

Anyone interested in Unix and BSD history will like these articles. Thus far two are online, with more to come.

Wednesday, March 22, 2006

Short Note Regarding VMware Server Beta and VMware Server Console

Yesterday I posted experiences with VMware Server Beta. I repeated the installation process on a normal Intel laptop running Debian and I had no problems, save one. When I tried to connect to the VMware Server using the VMware Server Console (running on Windows 2000), I could never see the VM screen appear. The VM seemed to be running fine, but I had the same problem as described in this forum thread. Luckily, the fix in the thread worked for me too; I set the permissions on the .vmx file to 755 and I was able to see the VM screen in VMware Server Console.

The only unfortunate aspect of the endeavor was the limitations of my hardware. Although everything runs, a 366 MHz PII laptop with 287 MB (?) RAM does not a good VMware Server make.

Also: /usr/lib/vmware-mui/apache/bin/apachectl controls VMware's httpd server.

Another note: I had to rerun vmware-config.pl to change networking options. When I did that, I lost httpd. To restore it, I had to run vmware-config-mui.pl.

Tuesday, March 21, 2006

VMware Server Beta on Debian Status Report

I previously reported running FreeBSD 6.0 on my Hacom Lex Twister VIA 1 GHz Nehemiah. Today I decided to install Debian on it. I will warn you now that the majority of this post is documentation for my own reference, and the hope it might help someone else. If you're looking for short, pithy security insights, today is not your day.

I used a USB-connected external CD burner as my installation source. The Hacom is very temperamental with it. I had to disable all booting sources except the USB-CD. Next I booted the Hacom with the USB-CD off. Once I got an error from the BIOS about a lack of bootable devices, I turned on the USB-CD and tried booting again.

Installing Debian on the Hacom was fairly painless. I did not add any packages with aptitude during the installation. That meant the following packages were installed.

hacom:~# dpkg --list
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Installed/Config-files/Unpacked/Failed-config/Half-installed
|/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad)
||/ Name Version Description
+++-==============-==============-============================================
ii adduser 3.63 Add and remove users and groups
ii apt 0.5.28.6 Advanced front-end for dpkg
ii apt-utils 0.5.28.6 APT utility programs
ii aptitude 0.2.15.9-2 terminal-based apt frontend
ii at 3.1.8-11 Delayed job execution and batch processing
ii base-config 2.53.10 Debian base system configurator
ii base-files 3.1.2 Debian base system miscellaneous files
ii base-passwd 3.5.9 Debian base system master password and group
ii bash 2.05b-26 The GNU Bourne Again SHell
ii bsdmainutils 6.0.17 collection of more utilities from FreeBSD
ii bsdutils 2.12p-4sarge1 Basic utilities from 4.4BSD-Lite
ii console-common 0.7.49 Basic infrastructure for text console config
ii console-data 2002.12.04dbs- Keymaps, fonts, charset maps, fallback table
ii console-tools 0.2.3dbs-56 Linux console and font utilities
ii coreutils 5.2.1-2 The GNU core utilities
ii cpio 2.5-1.3 GNU cpio -- a program to manage archives of
ii cramfsprogs 1.1-6 Tools for CramFs (Compressed ROM File System
ii cron 3.0pl1-86 management of regular background processing
ii dash 0.5.2-5 The Debian Almquist Shell
ii debconf 1.4.30.13 Debian configuration management system
ii debconf-i18n 1.4.30.13 full internationalization support for debcon
ii debianutils 2.8.4 Miscellaneous utilities specific to Debian
ii dhcp-client 2.0pl5-19.1 DHCP Client
ii diff 2.8.1-11 File comparison utilities
ii discover1 1.7.7 hardware identification system
ii discover1-data 1.2005.01.08 hardware lists for libdiscover1
ii dpkg 1.10.28 Package maintenance system for Debian
ii dselect 1.10.28 a user tool to manage Debian packages
ii e2fslibs 1.37-2sarge1 ext2 filesystem libraries
ii e2fsprogs 1.37-2sarge1 ext2 file system utilities and libraries
ii ed 0.2-20 The classic unix line editor
ii eject 2.0.13deb-8sar ejects CDs and operates CD-Changers under Li
ii exim4 4.50-8 metapackage to ease exim MTA (v4) installati
ii exim4-base 4.50-8 support files for all exim MTA (v4) packages
ii exim4-config 4.50-8 configuration for the exim MTA (v4)
ii exim4-daemon-l 4.50-8 lightweight exim MTA (v4) daemon
ii fdutils 5.4-20040228-1 Linux floppy utilities
ii findutils 4.1.20-6 utilities for finding files--find, xargs, an
ii gcc-3.3-base 3.3.5-13 The GNU Compiler Collection (base package)
ii gettext-base 0.14.4-2 GNU Internationalization utilities for the b
ii grep 2.5.1.ds1-4 GNU grep, egrep and fgrep
ii groff-base 1.18.1.1-7 GNU troff text-formatting system (base syste
ii grub 0.95+cvs200406 GRand Unified Bootloader
ii gzip 1.3.5-10sarge1 The GNU compression utility
ii hostname 2.13 A utility to set/show the host name or domai
ii hotplug 0.0.20040329-2 Linux Hotplug Scripts
ii ifupdown 0.6.7 high level tools to configure network interf
ii info 4.7-2.2 Standalone GNU Info documentation browser
ii initrd-tools 0.1.81.1 tools to create initrd image for prepackaged
ii initscripts 2.86.ds1-1 Standard scripts needed for booting and shut
ii ipchains 1.3.10-15 Network firewalling for Linux 2.2.x
ii iptables 1.2.11-10 Linux kernel 2.4+ iptables administration to
ii iputils-ping 20020927-2 Tools to test the reachability of network ho
ii kernel-image-2 2.4.27-10sarge Linux kernel image for version 2.4.27 on 386
ii kernel-pcmcia- 2.4.27-10sarge Mainstream PCMCIA modules 2.4.27 on 386
ii klogd 1.4.1-17 Kernel Logging Daemon
ii libacl1 2.2.23-1 Access control list shared library
ii libattr1 2.4.16-1 Extended attribute shared library
ii libblkid1 1.37-2sarge1 block device id library
ii libc6 2.3.2.ds1-22 GNU C Library: Shared libraries and Timezone
ii libcap1 1.10-14 support for getting/setting POSIX.1e capabil
ii libcomerr2 1.37-2sarge1 common error description library
ii libconsole 0.2.3dbs-56 Shared libraries for Linux console and font
ii libdb1-compat 2.1.3-7 The Berkeley database routines [glibc 2.0/2.
ii libdb3 3.2.9-22 Berkeley v3 Database Libraries [runtime]
ii libdb4.2 4.2.52-18 Berkeley v4.2 Database Libraries [runtime]
ii libdiscover1 1.7.7 hardware identification library
ii libgcc1 3.4.3-13 GCC support library
ii libgcrypt11 1.2.0-11.1 LGPL Crypto library - runtime library
ii libgdbm3 1.8.3-2 GNU dbm database routines (runtime version)
ii libgnutls11 1.0.16-13.1 GNU TLS library - runtime library
ii libgpg-error0 1.0-1 library for common error values and messages
ii liblocale-gett 1.01-17 Using libc functions for internationalizatio
ii liblockfile1 1.06 NFS-safe locking library, includes dotlockfi
ii liblzo1 1.08-1.2 A real-time data compression library
ii libncurses5 5.4-4 Shared libraries for terminal handling
ii libnewt0.51 0.51.6-20 Not Erik's Windowing Toolkit - text mode win
ii libopencdk8 0.5.5-10 Open Crypto Development Kit (OpenCDK) (runti
ii libpam-modules 0.76-22 Pluggable Authentication Modules for PAM
ii libpam-runtime 0.76-22 Runtime support for the PAM library
ii libpam0g 0.76-22 Pluggable Authentication Modules library
ii libpcap0.7 0.7.2-7 System interface for user-level packet captu
ii libpcre3 4.5-1.2sarge1 Perl 5 Compatible Regular Expression Library
ii libpopt0 1.7-5 lib for parsing cmdline parameters
ii libsigc++-1.2- 1.2.5-4 type-safe Signal Framework for C++ - runtime
ii libss2 1.37-2sarge1 command-line interface parsing library
ii libssl0.9.7 0.9.7e-3sarge1 SSL shared libraries
ii libstdc++5 3.3.5-13 The GNU Standard C++ Library v3
ii libtasn1-2 0.2.10-3 Manage ASN.1 structures (runtime)
ii libtext-charwi 0.04-1 get display widths of characters on the term
ii libtext-iconv- 1.2-3 Convert between character sets in Perl
ii libtext-wrapi1 0.06-1 internationalized substitute of Text::Wrap
ii libtextwrap1 0.1-1 text-wrapping library with i18n - runtime
ii libusb-0.1-4 0.1.10a-9.sarg userspace USB programming library
ii libuuid1 1.37-2sarge1 universally unique id library
ii libwrap0 7.6.dbs-8 Wietse Venema's TCP wrappers library
ii locales 2.3.2.ds1-22 GNU C Library: National Language (locale) da
ii login 4.0.3-31sarge5 system login tools
ii logrotate 3.7-5 Log rotation utility
ii mailx 8.1.2-0.200405 A simple mail user agent
ii makedev 2.3.1-77 creates device files in /dev
ii man-db 2.4.2-21 The on-line manual pager
ii manpages 1.70-1 Manual pages about using a GNU/Linux system
ii mawk 1.3.3-11 a pattern scanning and text processing langu
ii modutils 2.4.26-1.2 Linux module utilities
ii mount 2.12p-4sarge1 Tools for mounting and manipulating filesyst
ii nano 1.2.4-5 free Pico clone with some new features
ii ncurses-base 5.4-4 Descriptions of common terminal types
ii ncurses-bin 5.4-4 Terminal-related programs and man pages
ii net-tools 1.60-10 The NET-3 networking toolkit
ii netbase 4.21 Basic TCP/IP networking system
ii netkit-inetd 0.10-10 The Internet Superserver
ii nvi 1.79-22 4.4BSD re-implementation of vi
ii passwd 4.0.3-31sarge5 change and administer password and group dat
ii pciutils 2.1.11-15 Linux PCI Utilities
ii pcmcia-cs 3.2.5-10 PCMCIA Card Services for Linux
ii perl-base 5.8.4-8 The Pathologically Eclectic Rubbish Lister
ii ppp 2.4.3-20050321 Point-to-Point Protocol (PPP) daemon
ii pppconfig 2.3.11 A text menu based utility for configuring pp
ii pppoe 3.5-4 PPP over Ethernet driver
ii pppoeconf 1.7 configures PPPoE/ADSL connections
ii procps 3.2.1-2 The /proc file system utilities
ii psmisc 21.5-1 Utilities that use the proc filesystem
ii sed 4.1.2-8 The GNU sed stream editor
ii slang1a-utf8 1.4.9dbs-8 The S-Lang programming library with utf8 sup
ii sysklogd 1.4.1-17 System Logging Daemon
ii sysv-rc 2.86.ds1-1 Standard boot mechanism using symlinks in /e
ii sysvinit 2.86.ds1-1 System-V like init
ii tar 1.14-2 GNU tar
ii tasksel 2.24 Tool for selecting tasks for installation on
ii tcpd 7.6.dbs-8 Wietse Venema's TCP wrapper utilities
ii telnet 0.17-29 The telnet client
ii usbutils 0.70-8 USB console utilities
ii util-linux 2.12p-4sarge1 Miscellaneous system utilities
ii wget 1.9.1-12 retrieves files from the web
ii whiptail 0.51.6-20 Displays user-friendly dialog boxes from she
ii zlib1g 1.2.2-4.sarge. compression library - runtime

That's pretty sparse. No SSH, no FTP client!

Here's my partitioning scheme:

hacom:~# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/hda1 250M 52M 186M 22% /
tmpfs 245M 0 245M 0% /dev/shm
/dev/hda3 4.6G 33M 4.4G 1% /home
/dev/hda8 361M 8.1M 334M 3% /tmp
/dev/hda5 4.6G 122M 4.3G 3% /usr
/dev/hda6 2.8G 77M 2.6G 3% /var
/dev/hda4 216G 33M 205G 1% /vmware

The first package I added was SSH:

hacom:~# apt-get install ssh

After answering some sensible curses-based questions, I had SSH listening on port 22.

At this point I'm going to post my dmesg output here for those of you who want to know how the internals are recognized.

Linux version 2.4.27-2-386 (horms@tabatha.lab.ultramonkey.org)
(gcc version 3.3.5 (Debian 1:3.3.5-13)) #1 Wed Aug 17 09:33:35 UTC 2005
BIOS-provided physical RAM map:
BIOS-e820: 0000000000000000 - 000000000009fc00 (usable)
BIOS-e820: 000000000009fc00 - 00000000000a0000 (reserved)
BIOS-e820: 00000000000f0000 - 0000000000100000 (reserved)
BIOS-e820: 0000000000100000 - 000000001eff0000 (usable)
BIOS-e820: 000000001eff0000 - 000000001eff3000 (ACPI NVS)
BIOS-e820: 000000001eff3000 - 000000001f000000 (ACPI data)
BIOS-e820: 00000000ffff0000 - 0000000100000000 (reserved)
495MB LOWMEM available.
On node 0 totalpages: 126960
zone(0): 4096 pages.
zone(1): 122864 pages.
zone(2): 0 pages.
ACPI: RSDP (v000 CLE266 ) @ 0x000f69b0
ACPI: RSDT (v001 CLE266 AWRDACPI 0x42302e31 AWRD 0x00000000) @ 0x1eff3000
ACPI: FADT (v001 CLE266 AWRDACPI 0x42302e31 AWRD 0x00000000) @ 0x1eff3040
ACPI: DSDT (v001 CLE266 AWRDACPI 0x00001000 MSFT 0x0100000e) @ 0x00000000
Kernel command line: root=/dev/hda1 ro
No local APIC present or hardware disabled
Initializing CPU#0
Detected 1002.300 MHz processor.
Console: colour VGA+ 80x25
Calibrating delay loop... 1998.84 BogoMIPS
Memory: 496364k/507840k available (1069k kernel code, 11088k reserved, 459k data, 96k init, 0k highmem)
Dentry cache hash table entries: 65536 (order: 7, 524288 bytes)
Inode cache hash table entries: 32768 (order: 6, 262144 bytes)
Mount cache hash table entries: 512 (order: 0, 4096 bytes)
Buffer cache hash table entries: 32768 (order: 5, 131072 bytes)
Page-cache hash table entries: 131072 (order: 7, 524288 bytes)
CPU: L1 I Cache: 64K (32 bytes/line), D cache 64K (32 bytes/line)
CPU: L2 Cache: 64K (32 bytes/line)
CPU: After generic, caps: 0381b83f 00000000 00000000 00000000
CPU: Common caps: 0381b83f 00000000 00000000 00000000
CPU: Centaur VIA Nehemiah stepping 08
Enabling fast FPU save and restore... done.
Enabling unmasked SIMD FPU exception support... done.
Checking 'hlt' instruction... OK.
Checking for popad bug... OK.
POSIX conformance testing by UNIFIX
ACPI: Subsystem revision 20040326
ACPI: Interpreter disabled.
PCI: PCI BIOS revision 2.10 entry at 0xfb400, last bus=3
PCI: Using configuration type 1
PCI: Probing PCI hardware
PCI: ACPI tables contain no PCI IRQ routing entries
PCI: Probing PCI hardware (bus 00)
PCI: Using IRQ router VIA [1106/3177] at 00:11.0
Linux NET4.0 for Linux 2.4
Based upon Swansea University Computer Society NET3.039
Initializing RT netlink socket
Starting kswapd
VFS: Disk quotas vdquot_6.5.1
devfs: v1.12c (20020818) Richard Gooch (rgooch@atnf.csiro.au)
devfs: boot_options: 0x0
pty: 256 Unix98 ptys configured
Serial driver version 5.05c (2001-07-08) with HUB-6 MANY_PORTS MULTIPORT SHARE_IRQ SERIAL_PCI enabled
ttyS00 at 0x03f8 (irq = 4) is a 16550A
COMX: driver version 0.85 (C) 1995-1999 ITConsult-Pro Co.
RAMDISK driver initialized: 16 RAM disks of 8192K size 1024 blocksize
Initializing Cryptographic API
NET4: Linux TCP/IP 1.0 for NET4.0
IP: routing cache hash table of 4096 buckets, 32Kbytes
TCP: Hash tables configured (established 32768 bind 65536)
Linux IP multicast router 0.06 plus PIM-SM
RAMDISK: cramfs filesystem found at block 0
RAMDISK: Loading 3692 blocks [1 disk] into ram disk... done.
Freeing initrd memory: 3692k freed
VFS: Mounted root (cramfs filesystem).
Freeing unused kernel memory: 96k freed
NET4: Unix domain sockets 1.0/SMP for Linux NET4.0.
Uniform Multi-Platform E-IDE driver Revision: 7.00beta4-2.4
ide: Assuming 33MHz system bus speed for PIO modes; override with idebus=xx
ide: late registration of driver.
VP_IDE: IDE controller at PCI slot 00:11.1
VP_IDE: chipset revision 6
VP_IDE: not 100% native mode: will probe irqs later
ide: Assuming 33MHz system bus speed for PIO modes; override with idebus=xx
VP_IDE: VIA vt8235 (rev 00) IDE UDMA133 controller on pci00:11.1
ide0: BM-DMA at 0xee00-0xee07, BIOS settings: hda:DMA, hdb:pio
ide1: BM-DMA at 0xee08-0xee0f, BIOS settings: hdc:pio, hdd:pio
hda: WDC WD2500SB-01KBC0, ATA DISK drive
blk: queue df825b60, I/O limit 4095Mb (mask 0xffffffff)
ide0 at 0x1f0-0x1f7,0x3f6 on irq 14
hda: attached ide-disk driver.
hda: 488397168 sectors (250059 MB) w/8192KiB Cache, CHS=30401/255/63, UDMA(33)
Partition check:
/dev/ide/host0/bus0/target0/lun0: p1 p2 < p5 p6 p7 p8 > p3 p4
Journalled Block Device driver loaded
kjournald starting. Commit interval 5 seconds
EXT3-fs: mounted filesystem with ordered data mode.
Adding Swap: 1502036k swap-space (priority -1)
EXT3 FS 2.4-0.9.19, 19 August 2002 on ide0(3,1), internal journal
SCSI subsystem driver Revision: 1.00
kjournald starting. Commit interval 5 seconds
EXT3 FS 2.4-0.9.19, 19 August 2002 on ide0(3,3), internal journal
EXT3-fs: mounted filesystem with ordered data mode.
kjournald starting. Commit interval 5 seconds
EXT3 FS 2.4-0.9.19, 19 August 2002 on ide0(3,8), internal journal
EXT3-fs: mounted filesystem with ordered data mode.
kjournald starting. Commit interval 5 seconds
EXT3 FS 2.4-0.9.19, 19 August 2002 on ide0(3,5), internal journal
EXT3-fs: mounted filesystem with ordered data mode.
kjournald starting. Commit interval 5 seconds
EXT3 FS 2.4-0.9.19, 19 August 2002 on ide0(3,6), internal journal
EXT3-fs: mounted filesystem with ordered data mode.
kjournald starting. Commit interval 5 seconds
EXT3 FS 2.4-0.9.19, 19 August 2002 on ide0(3,4), internal journal
EXT3-fs: mounted filesystem with ordered data mode.
Linux Kernel Card Services 3.1.22
options: [pci] [cardbus] [pm]
PCI: Found IRQ 11 for device 00:0c.0
PCI: Sharing IRQ 11 with 00:08.0
PCI: Sharing IRQ 11 with 00:10.0
PCI: Found IRQ 5 for device 00:0c.1
PCI: Sharing IRQ 5 with 00:09.0
PCI: Sharing IRQ 5 with 00:10.1
Yenta ISA IRQ mask 0x0008, PCI irq 11
Socket status: 30000006
Yenta ISA IRQ mask 0x0008, PCI irq 5
Socket status: 30000006
irda_init()
Intel(R) PRO/1000 Network Driver - version 5.2.52-k3
Copyright (c) 1999-2004 Intel Corporation.
PCI: Found IRQ 11 for device 00:08.0
PCI: Sharing IRQ 11 with 00:0c.0
PCI: Sharing IRQ 11 with 00:10.0
e1000: eth0: e1000_probe: Intel(R) PRO/1000 Network Connection
PCI: Found IRQ 5 for device 00:09.0
PCI: Sharing IRQ 5 with 00:0c.1
PCI: Sharing IRQ 5 with 00:10.1
e1000: eth1: e1000_probe: Intel(R) PRO/1000 Network Connection
PCI: Found IRQ 10 for device 00:0a.0
PCI: Sharing IRQ 10 with 00:10.2
PCI: Sharing IRQ 10 with 00:11.5
e1000: eth2: e1000_probe: Intel(R) PRO/1000 Network Connection
Via 686a/8233/8235 audio driver 1.9.1-ac3
PCI: Found IRQ 10 for device 00:11.5
PCI: Sharing IRQ 10 with 00:0a.0
PCI: Sharing IRQ 10 with 00:10.2
via82cxxx: Six channel audio available
PCI: Setting latency timer of device 00:11.5 to 64
ac97_codec: AC97 Audio codec, id: VIA97 (Unknown)
via82cxxx: board #1 at 0xEF00, IRQ 10
usb.c: registered new driver usbdevfs
usb.c: registered new driver hub
usb-uhci.c: $Revision: 1.275 $ time 09:50:48 Aug 17 2005
usb-uhci.c: High bandwidth mode enabled
PCI: Found IRQ 11 for device 00:10.0
PCI: Sharing IRQ 11 with 00:08.0
PCI: Sharing IRQ 11 with 00:0c.0
usb-uhci.c: USB UHCI at I/O 0xeb00, IRQ 11
usb-uhci.c: Detected 2 ports
usb.c: new USB bus registered, assigned bus number 1
hub.c: USB hub found
hub.c: 2 ports detected
PCI: Found IRQ 5 for device 00:10.1
PCI: Sharing IRQ 5 with 00:09.0
PCI: Sharing IRQ 5 with 00:0c.1
usb-uhci.c: USB UHCI at I/O 0xec00, IRQ 5
usb-uhci.c: Detected 2 ports
usb.c: new USB bus registered, assigned bus number 2
hub.c: USB hub found
hub.c: 2 ports detected
PCI: Found IRQ 10 for device 00:10.2
PCI: Sharing IRQ 10 with 00:0a.0
PCI: Sharing IRQ 10 with 00:11.5
usb-uhci.c: USB UHCI at I/O 0xed00, IRQ 10
usb-uhci.c: Detected 2 ports
usb.c: new USB bus registered, assigned bus number 3
hub.c: USB hub found
hub.c: 2 ports detected
usb-uhci.c: v1.275:USB Universal Host Controller Interface driver
PCI: Found IRQ 7 for device 00:10.3
ehci_hcd 00:10.3: VIA Technologies, Inc. USB 2.0
ehci_hcd 00:10.3: irq 7, pci mem df9f5000
usb.c: new USB bus registered, assigned bus number 4
ehci_hcd 00:10.3: USB 2.0 enabled, EHCI 1.00, driver 2003-Dec-29/2.4
hub.c: USB hub found
hub.c: 6 ports detected
irda_init()
uhci.c: USB Universal Host Controller Interface driver v1.1
pci_hotplug: PCI Hot Plug PCI Core version: 0.5
shpchp: acpi_shpchprm:get_device PCI ROOT HID fail=0x1001
pci_hotplug: PCI Hot Plug PCI Core version: 0.5
pciehp: acpi_pciehprm:get_device PCI ROOT HID fail=0x1001
e1000: eth0: e1000_watchdog: NIC Link is Up 100 Mbps Full Duplex
Real Time Clock Driver v1.10f
cs: IO port probe 0x0100-0x04ff: excluding 0x170-0x177 0x370-0x377 0x4d0-0x4d7
cs: IO port probe 0x0800-0x08ff: clean.
cs: IO port probe 0x0c00-0x0cff: clean.
cs: IO port probe 0x0a00-0x0aff: clean.

With that out of the way, we can talk about why I'm installing Debian on this box. I'd like to run VMware Server Beta on it. Sure, Debian is not an officially supported platform, but I read this post from a few days ago and thought "this can work."

The original post that gave me hope to run VMware Server Beta on Debian mentioned the requirement to add several packages. I added the following. Note that I use the correct package names, while the post does not.

hacom:~# apt-get install kernel-source-2.4.27
hacom:~# apt-get install kernel-headers-2.4.27-2-386
hacom:~# apt-get install build-essential

With these packages installed, I set up the kernel files as outlined in the post.

hacom:/usr/src# bzip2 -d kernel-source-2.4.27.tar.bz2
hacom:/usr/src# tar -xf kernel-source-2.4.27.tar
hacom:/usr/src# ln -s kernel-source-2.4.27 linux
hacom:/usr/src# mv /usr/src/kernel-source-2.4.27/include /usr/src/kernel-source-2.4.27/include.orig
hacom:/usr/src# ln -s /usr/src/kernel-headers-2.4.27-2-386/include /usr/src/kernel-source-2.4.27/include

Now I was ready to extract the VMware archives and try installing them.

hacom:/tmp# cd /usr/local/src
hacom:/usr/local/src# ls
VMware-mui-e.x.p-22088.tar.gz VMware-server-e.x.p-22088.tar.gz
hacom:/usr/local/src# tar -xzf VMware-server-e.x.p-22088.tar.gz
hacom:/usr/local/src# cd vmware-server-distrib/
hacom:/usr/local/src/vmware-server-distrib# ls
FILES bin doc etc installer lib man sbin vmware-install.pl
hacom:/usr/local/src/vmware-server-distrib# ./vmware-install.pl
Creating a new installer database using the tar3 format.

Installing the content of the package.

In which directory do you want to install the binary files?
[/usr/bin]

What is the directory that contains the init directories (rc0.d/ to rc6.d/)?
[/etc]

What is the directory that contains the init scripts?
[/etc/init.d]

In which directory do you want to install the daemon files?
[/usr/sbin]

In which directory do you want to install the library files?
[/usr/lib/vmware]

The path "/usr/lib/vmware" does not exist currently. This program is going to
create it, including needed parent directories. Is this what you want? [yes]

In which directory do you want to install the manual files?
[/usr/share/man]

In which directory do you want to install the documentation files?
[/usr/share/doc/vmware]

The path "/usr/share/doc/vmware" does not exist currently. This program is going
to create it, including needed parent directories. Is this what you want?
[yes]

The installation of VMware Server e.x.p build-22088 for Linux completed
successfully. You can decide to remove this software from your system at any
time by invoking the following command: "/usr/bin/vmware-uninstall.pl".

Before running VMware Server for the first time, you need to configure it by
invoking the following command: "/usr/bin/vmware-config.pl". Do you want this
program to invoke the command for you now? [yes]

The correct version of one or more libraries needed to run VMware Server may be
missing. This is the output of ldd /usr/bin/vmware:
libm.so.6 => /lib/libm.so.6 (0x4001a000)
libdl.so.2 => /lib/libdl.so.2 (0x4003c000)
libpthread.so.0 => /lib/libpthread.so.0 (0x4003f000)
libX11.so.6 => not found
libXtst.so.6 => not found
libXext.so.6 => not found
libXt.so.6 => not found
libICE.so.6 => not found
libSM.so.6 => not found
libXrender.so.1 => not found
libz.so.1 => /usr/lib/libz.so.1 (0x40092000)
libc.so.6 => /lib/libc.so.6 (0x400a4000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)

This program cannot tell for sure, but you may need to upgrade libc5 to glibc
before you can run VMware Server.

Hit enter to continue.

At this point I knew I had a problem. I didn't like seeing all of those "not found" messages, so I aborted and added the necessary packages.

hacom:~# apt-get install libx11-6
hacom:~# apt-get install libxtst6
hacom:~# apt-get install libxt6
hacom:~# apt-get install libxrender1

When I later ran into trouble starting the Web-based interface to the server, I realized I needed to add these packages too:

hacom:~# apt-get install libdb2
hacom:~# apt-get install libxi6

Now I was ready to try installing VMware Server again.

hacom:/usr/local/src/vmware-server-distrib# ./vmware-install.pl

Installing the content of the package.

In which directory do you want to install the binary files?
[/usr/bin]

What is the directory that contains the init directories (rc0.d/ to rc6.d/)?
[/etc]

What is the directory that contains the init scripts?
[/etc/init.d]

In which directory do you want to install the daemon files?
[/usr/sbin]

In which directory do you want to install the library files?
[/usr/lib/vmware]

The path "/usr/lib/vmware" does not exist currently. This program is going to
create it, including needed parent directories. Is this what you want? [yes]

In which directory do you want to install the manual files?
[/usr/share/man]

In which directory do you want to install the documentation files?
[/usr/share/doc/vmware]

The path "/usr/share/doc/vmware" does not exist currently. This program is going
to create it, including needed parent directories. Is this what you want?
[yes]

The installation of VMware Server e.x.p build-22088 for Linux completed
successfully. You can decide to remove this software from your system at any
time by invoking the following command: "/usr/bin/vmware-uninstall.pl".

Before running VMware Server for the first time, you need to configure it by
invoking the following command: "/usr/bin/vmware-config.pl". Do you want this
program to invoke the command for you now? [yes]

Making sure services for VMware Server are stopped.

Stopping VMware services:
Virtual machine monitor done
Bridged networking on /dev/vmnet0 done
DHCP server on /dev/vmnet1 done
Host-only networking on /dev/vmnet1 done
Bridged networking on /dev/vmnet2 done
Bridged networking on /dev/vmnet3 done
DHCP server on /dev/vmnet8 done
NAT service on /dev/vmnet8 done
Host-only networking on /dev/vmnet8 done
Virtual ethernet done

You must read and accept the End User License Agreement to continue.
Press enter to display it.
...omitted...
Do you accept? (yes/no) yes

Thank you.

Configuring fallback GTK+ 2.4 libraries.

In which directory do you want to install the mime type icons?
[/usr/share/icons]

The path "/usr/share/icons" does not exist currently. This program is going to
create it, including needed parent directories. Is this what you want? [yes]

What directory contains your desktop menu entry files? These files have a
.desktop file extension. [/usr/share/applications]

In which directory do you want to install the application's icon?
[/usr/share/pixmaps]

Trying to find a suitable vmmon module for your running kernel.

None of the pre-built vmmon modules for VMware Server is suitable for your
running kernel. Do you want this program to try to build the vmmon module for
your system (you need to have a C compiler installed on your system)? [yes]

Using compiler "/usr/bin/gcc". Use environment variable CC to override.

What is the location of the directory of C header files that match your running
kernel? [/lib/modules/2.4.27-2-386/build/include]

Extracting the sources of the vmmon module.

Building the vmmon module.

Using standalone build system.
make: Entering directory `/tmp/vmware-config0/vmmon-only'
make[1]: Entering directory `/tmp/vmware-config0/vmmon-only'
make[2]: Entering directory `/tmp/vmware-config0/vmmon-only/driver-2.4.27-2-386'
make[2]: Leaving directory `/tmp/vmware-config0/vmmon-only/driver-2.4.27-2-386'
make[2]: Entering directory `/tmp/vmware-config0/vmmon-only/driver-2.4.27-2-386'
make[2]: Leaving directory `/tmp/vmware-config0/vmmon-only/driver-2.4.27-2-386'
make[1]: Leaving directory `/tmp/vmware-config0/vmmon-only'
make: Leaving directory `/tmp/vmware-config0/vmmon-only'
The module loads perfectly in the running kernel.

You have already setup networking.

Would you like to skip networking setup and keep your old settings as they are?
(yes/no) [yes]

I'm cheating here because I don't have output from my first run, where I set up networking. All I originally did was set up eth0 as a bridge for vmnet0. I set up eth1 as a bridge for vmnet2, and I also bridged eth2.

Extracting the sources of the vmnet module.

Building the vmnet module.

Using standalone build system.
make: Entering directory `/tmp/vmware-config0/vmnet-only'
make: Leaving directory `/tmp/vmware-config0/vmnet-only'
The module loads perfectly in the running kernel.

/etc/init.d/httpd.vmware: line 120: status: command not found
Please specify a port for remote console connections to use [902]

Restarting internet superserver: inetd.
Configuring the VMware VmPerl Scripting API.

Building the VMware VmPerl Scripting API.

Using compiler "/usr/bin/gcc". Use environment variable CC to override.

Installing the VMware VmPerl Scripting API.

The installation of the VMware VmPerl Scripting API succeeded.

Do you want this program to set up permissions for your registered virtual
machines? This will be done by setting new permissions on all files found in
the "/etc/vmware/vm-list" file. [no]

Generating SSL Server Certificate

In which directory do you want to keep your virtual machine files?
[/vmware]

Do you want to enter a serial number now? (yes/no/help) [no]

Starting VMware services:
Virtual machine monitor done
Virtual ethernet done
Bridged networking on /dev/vmnet0 done
Host-only networking on /dev/vmnet1 (background) done
Bridged networking on /dev/vmnet2 done
Bridged networking on /dev/vmnet3 done
Host-only networking on /dev/vmnet8 (background) done
NAT service on /dev/vmnet8 done
Starting VMware virtual machines... done

The configuration of VMware Server e.x.p build-22088 for Linux for this running
kernel completed successfully.

Now I was ready to set up the VMware Management Interface.

hacom:/usr/local/src/vmware-server-distrib# cd ..
hacom:/usr/local/src# ls
VMware-mui-e.x.p-22088.tar.gz VMware-server-e.x.p-22088.tar.gz vmware-mui-distrib vmware-server-distrib
hacom:/usr/local/src# cd vmware-mui-distrib/
hacom:/usr/local/src/vmware-mui-distrib# ls
bin console-distrib doc etc mui vmware-install.pl
hacom:/usr/local/src/vmware-mui-distrib# ./vmware-install.pl
A previous installation of VMware software has been detected.

The previous installation was made by the tar installer (version 3).

Keeping the tar3 installer database format.

Uninstalling the tar installation of VMware Management Interface.

Shutting down http.vmware: done

This program previously created the directory /var/log/vmware-mui, and was about
to remove it. Since there are files in that directory that this program did not
create, it will not be removed.

The removal of VMware Management Interface e.x.p build-22088 for Linux completed
successfully. Thank you for having tried this software.

You must read and accept the End User License Agreement to continue.
Press enter to display it.
...omitted...
Do you accept? (yes/no) yes

Thank you.

Installing the content of the package.

In which directory do you want to install the binary files?
[/usr/bin]

What is the directory that contains the init directories (rc0.d/ to rc6.d/)?
[/etc]

What is the directory that contains the init scripts?
[/etc/init.d]

In which directory do you want to install the VMware Management Interface files?
[/usr/lib/vmware-mui]

The path "/usr/lib/vmware-mui" does not exist currently. This program is going
to create it, including needed parent directories. Is this what you want?
[yes]

In which directory would you like to install the documentation files?
[/usr/lib/vmware-mui/doc]

The path "/usr/lib/vmware-mui/doc" does not exist currently. This program is
going to create it, including needed parent directories. Is this what you want?
[yes]

The installation of VMware Management Interface e.x.p build-22088 for Linux
completed successfully. You can decide to remove this software from your system
at any time by invoking the following command:
"/usr/bin/vmware-uninstall-mui.pl".

Before running VMware Management Interface for the first time, you need to
configure it by invoking the following command: "/usr/bin/vmware-config-mui.pl".
Do you want this program to invoke the command for you now? [yes]

Configuring httpd.conf to run Apache as:
User: www-data and Group: nogroup

Set the number of minutes before a http session times out. (This is the length
of time before someone connecting to VMware Management Interface will be logged
out) [60]

Generating SSL Server Certificate

Starting httpd.vmware: done

Installation of VMware Management Interface was successful

The configuration of VMware Management Interface completed successfully.

Now I had the VMware components running:

hacom:~# netstat -natup
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:902 0.0.0.0:* LISTEN 3192/inetd
tcp 0 0 0.0.0.0:8333 0.0.0.0:* LISTEN 1528/httpd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1443/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1409/exim4
tcp 0 0 0.0.0.0:8222 0.0.0.0:* LISTEN 1528/httpd
tcp 0 300 192.168.2.18:22 192.168.2.5:1957 ESTABLISHED 2580/sshd: richard

hacom:~# ps -ef | grep vm
www-data 1528 1 0 13:52 ? 00:00:02 /usr/lib/vmware-mui/apache/bin/httpd
-DSSL -DSSL_ONLY -DGSX -d /usr/lib/vmware-mui/apache
root 3322 1 0 15:05 pts/0 00:00:00 /usr/bin/vmnet-bridge
-d /var/run/vmnet-bridge-0.pid /dev/vmnet0 eth0
root 3330 1 0 15:05 pts/0 00:00:00 /usr/bin/vmnet-bridge
-d /var/run/vmnet-bridge-2.pid /dev/vmnet2 eth1
root 3334 1 0 15:05 pts/0 00:00:00 /usr/bin/vmnet-bridge
-d /var/run/vmnet-bridge-3.pid /dev/vmnet3 eth2
root 3342 1 0 15:05 ? 00:00:00 /usr/bin/vmnet-natd
-d /var/run/vmnet-natd-8.pid -m /var/run/vmnet-natd-8.mac
-c /etc/vmware/vmnet8/nat/nat.conf
root 3348 1 1 15:05 ? 00:00:02 /usr/sbin/vmware-serverd -s -d
root 3413 1 0 15:05 pts/0 00:00:00 /usr/bin/vmnet-netifup
-d /var/run/vmnet-netifup-vmnet1.pid /dev/vmnet1 vmnet1
root 3421 1 0 15:05 pts/0 00:00:00 /usr/bin/vmnet-netifup
-d /var/run/vmnet-netifup-vmnet8.pid /dev/vmnet8 vmnet8
root 3437 1 0 15:05 ? 00:00:00 /usr/bin/vmnet-dhcpd
-cf /etc/vmware/vmnet1/dhcpd/dhcpd.conf -lf /etc/vmware/vmnet1/dhcpd/dhcpd.leases
-pf /var/run/vmnet-dhcpd-vmnet1.pid vmnet1
root 3439 1 0 15:05 ? 00:00:00 /usr/bin/vmnet-dhcpd
-cf /etc/vmware/vmnet8/dhcpd/dhcpd.conf -lf /etc/vmware/vmnet8/dhcpd/dhcpd.leases
-pf /var/run/vmnet-dhcpd-vmnet8.pid vmnet8
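A quick exposure check over the netstat listing above, added here as an example (not code from the post): it separates the services bound to every interface (0.0.0.0) from the loopback-only ones, which is the first thing to look at once new daemons such as the management interface on 8222/8333 and the console port 902 appear. The sample input is constructed from the post's own netstat -natup output.

```shell
#!/bin/sh
# Split the LISTEN sockets in "netstat -natup" output by bind address.
# Added example, not code from the post; input format is netstat -natup.

# Constructed sample, copied from the listing in the post.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:902 0.0.0.0:* LISTEN 3192/inetd
tcp 0 0 0.0.0.0:8333 0.0.0.0:* LISTEN 1528/httpd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1443/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1409/exim4
tcp 0 0 0.0.0.0:8222 0.0.0.0:* LISTEN 1528/httpd
tcp 0 300 192.168.2.18:22 192.168.2.5:1957 ESTABLISHED 2580/sshd: richard'

# listeners_on ADDR: read netstat output on stdin and print "port program"
# for every TCP socket in LISTEN state whose local address is ADDR,
# sorted numerically by port. Header and ESTABLISHED lines are skipped.
listeners_on() {
    awk -v want="$1" '
        $1 == "tcp" && $6 == "LISTEN" {
            split($4, a, ":")          # "0.0.0.0:902" -> a[1]=addr, a[2]=port
            if (a[1] == want) print a[2], $7
        }' | sort -n
}

# Services reachable from any interface: the ones worth filtering or binding
# to a specific address.
exposed_listeners() {
    listeners_on 0.0.0.0
}

# Services reachable only from the host itself.
loopback_listeners() {
    listeners_on 127.0.0.1
}

# Run both views over the constructed sample.
demo() {
    echo "exposed on all interfaces:"
    printf '%s\n' "$SAMPLE_NETSTAT" | exposed_listeners
    echo "loopback only:"
    printf '%s\n' "$SAMPLE_NETSTAT" | loopback_listeners
}
```

On a live host, pipe `netstat -natup` into `exposed_listeners` instead of the sample.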

When I tried to start a VM, however, I saw the following in /var/log/vmware/vmware-serverd.log:

Mar 21 12:14:37: app| Attempting to launch vmx : /vmware/sguil0-6-0p1_freebsd6-0_1024mb/FreeBSD.vmx
Mar 21 12:14:38: app| New connection on socket server-vmxvmdb from host
localhost (ip address: local) , user: root
Mar 21 12:14:38: app| Connection from : /vmware/sguil0-6-0p1_freebsd6-0_1024mb/FreeBSD.vmx
Mar 21 12:14:38: app| Setting up autoDetect info.
Mar 21 12:14:38: app| VMServerdConnect: connecting to /vmware/sguil0-6-0p1_freebsd6-0_1024mb/FreeBSD.vmx
Mar 21 12:14:38: app| VMControl: Unexpected response from vmware-authd
(Error connecting to /usr/lib/vmware/bin/vmware-vmx process.)
Mar 21 12:14:38: app| vmserverd: Could not connect to virtual machine
/vmware/sguil0-6-0p1_freebsd6-0_1024mb/FreeBSD.vmx:
Unexpected response from vmware-authd:
Error connecting to /usr/lib/vmware/bin/vmware-vmx process.
Mar 21 12:14:38: app| Failed to connect to vm:
/vmware/sguil0-6-0p1_freebsd6-0_1024mb/FreeBSD.vmx
Mar 21 12:14:38: app| VmsdCmd Command error: Operation failed to change
the VM to the expected power state

Oh for Pete's sake. What could be wrong?

I looked closer at the logs and saw this:

Mar 21 12:07:45: app| HOSTINFO: Unknown CPU vendor "CentaurHauls" seen.
Mar 21 12:07:45: app| Failed to get information about CPUs.

In dmesg output I saw something similar:

/dev/vmmon[3301]: VMMON CPUID: Unrecognized CPU

This gave me enough for a better search in the VMware forums, where I found this post. Basically, VMware Server does not run on the Nehemiah CPU in the Hacom.

Here's my /proc/cpuinfo:

hacom:/var/log/vmware# cat /proc/cpuinfo
processor : 0
vendor_id : CentaurHauls
cpu family : 6
model : 9
model name : VIA Nehemiah
stepping : 8
cpu MHz : 1002.300
cache size : 64 KB
fdiv_bug : no
hlt_bug : no
f00f_bug : no
coma_bug : no
fpu : yes
fpu_exception : yes
cpuid level : 1
wp : yes
flags : fpu vme de pse tsc msr sep mtrr pge cmov pat mmx fxsr sse xstore
bogomips : 1998.84

At this point my project is stalled. I don't see a workaround. Maybe the final version will run on this box.
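The two failures in this post, the X libraries that ldd reported as "not found" and the vmmon rejection of the "CentaurHauls" vendor string, can both be caught before vmware-config.pl is run. The following pre-flight check is an added example, not code from the post or from VMware; the list of accepted vendor strings (GenuineIntel, AuthenticAMD) is an assumption, and the sample ldd and cpuinfo text is constructed from the post's own output.

```shell
#!/bin/sh
# Pre-flight check for the two problems hit in the post: shared libraries
# that ldd reports as "not found", and a CPU vendor string vmmon may not
# recognise. Added example; not code from the post or from VMware.

# Constructed sample: excerpt of the ldd output the installer printed.
SAMPLE_LDD='libm.so.6 => /lib/libm.so.6 (0x4001a000)
libX11.so.6 => not found
libXtst.so.6 => not found
libz.so.1 => /usr/lib/libz.so.1 (0x40092000)'

# Constructed sample: excerpt of the post's /proc/cpuinfo (tab-separated).
SAMPLE_CPUINFO="$(printf 'processor\t: 0\nvendor_id\t: CentaurHauls\nmodel name\t: VIA Nehemiah\n')"

# Print the sonames ldd reports as "not found", one per line (ldd output on stdin).
missing_libs() {
    awk '$2 == "=>" && $3 == "not" && $4 == "found" { print $1 }'
}

# Print the vendor_id value from /proc/cpuinfo-style text on stdin.
cpu_vendor() {
    awk -F': *' '/^vendor_id/ { print $2; exit }'
}

# Return 0 for the vendor strings assumed here to be accepted by vmmon
# (assumption, not a VMware statement); 1 for anything else, such as the
# "CentaurHauls" string from the post's Nehemiah box.
vendor_supported() {
    case "$1" in
        GenuineIntel|AuthenticAMD) return 0 ;;
        *) return 1 ;;
    esac
}

# preflight BINARY [CPUINFO_FILE]: print findings and return the number of
# problems found, so a return of 0 means both checks passed.
preflight() {
    bin="$1"
    cpuinfo="${2:-/proc/cpuinfo}"
    problems=0
    missing=$(ldd "$bin" 2>/dev/null | missing_libs)
    if [ -n "$missing" ]; then
        printf 'missing shared libraries for %s:\n%s\n' "$bin" "$missing"
        problems=$((problems + 1))
    fi
    vendor=$(cpu_vendor < "$cpuinfo")
    if ! vendor_supported "$vendor"; then
        printf 'unrecognised CPU vendor: %s\n' "$vendor"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Run both checks over the constructed samples; prints two missing libraries
# and flags the CentaurHauls vendor.
demo() {
    printf '%s\n' "$SAMPLE_LDD" | missing_libs
    v=$(printf '%s\n' "$SAMPLE_CPUINFO" | cpu_vendor)
    vendor_supported "$v" || printf 'unrecognised CPU vendor: %s\n' "$v"
}
```

On the real host, `preflight /usr/bin/vmware` runs the same checks against the installed binary and the live /proc/cpuinfo.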

Monday, March 20, 2006

Bejtlich/Bianco ShmooCon Video Online

If you didn't want to buy the ShmooCon DVD of my Sguil talk from ShmooCon 2006, you can now download the video in .mp4 format. It's about 84 MB, and when I grabbed it the download was fairly quick.

Flyer for Only Public NSO Class in 2006 Posted

I've posted the flyer and registration form (.pdf) for my only public Network Security Operations class in 2006. It will take place 13-16 June 2006 in Fairfax, Virginia.

If you refresh your browser or clear your cache you'll notice the new banner for the class at the top of the blog. All you RSS and Atom readers are missing out!

For more details, please see the flyer and this blog post. There are only 20 seats. 2 are filled by the agency hosting the class, and the rest are filling. Please contact me soon, especially if you want to save money on registration! Thank you.

Sunday, March 19, 2006

Review of Silence on the Wire Posted

Amazon.com just posted my four star review of Silence on the Wire by Michal Zalewski. I liked this book, although reading it was not as pleasant as I expected. From the review:

I received Silence on the Wire (SOTW) almost one year ago. When I first tried reading the book, I couldn't get past Ch 1. In fact, I didn't try reading anything for three months, hoping I could re-engage SOTW. Eventually I put SOTW aside and read other books, only to return to SOTW this week. I'm glad I gave SOTW a second chance. There's plenty to like in this book if you look for the details that interest you.

Friday, March 17, 2006

Review of Perfect Passwords Posted

Amazon.com just posted my four star review of Perfect Passwords. This brings my dozen-Syngress-book reading drive to an end. Note that I read the first several books on flights over the Atlantic or waiting in airports. That gave me a jump on the reviews. From the review:

I never thought I would find a whole book about passwords to be interesting, but I really like Mark Burnett's Perfect Passwords. This short book (134 pages without the appendices, which can be ignored) is remarkably informative. I recommend anyone developing password policies or security awareness training reading Perfect Passwords.

Four Pre-Reviews

My friends at Pearson sent me four new books from their various imprints. The first is Penetration Testing and Network Defense by Andrew Whitaker and Daniel Newman. This book has received high marks at Amazon.com and it seems more coherent than a similar book I just reviewed. This is my first Cisco Press security book. The last Cisco Press book I reviewed was Cisco Router Firewall Security.

Next is VPNs Illustrated: Tunnels, VPNs, and IPsec by Jon C. Snader. This book is unique in that it looks and communicates like Richard Stevens' TCP/IP Illustrated, Volume 1: The Protocols. I wanted to read this book after seeing the diagrams, code snippets, and Tcpdump traces. I've also never found a really satisfying analysis of IPsec, which is covered by this book. The Amazon.com reviews are mixed, but I am hopeful.

The next book is High-Assurance Design: Architecting Secure and Reliable Enterprise Applications by Clifford J. Berg. This is a book of design principles and patterns to build high-assurance applications. I like books on security engineering, and I plan to read this book in concert with Security Patterns: Integrating Security and Systems Engineering.

Last but definitely not least is the new edition of Counter Hack Reloaded: A Step-by-Step Guide to Computer Attacks and Effective Defenses, 2nd Ed by Ed Skoudis with Tom Liston. I loved the first edition of this book, which was on my list of favorite 10 books from the past 10 years. This is the perfect book for anyone starting an information security career, because it covers all of the significant technical issues that a security operator should know.

Thinking about Ed's book made me consider the following point. To the degree that the CISSP has any value at all, it should be a management-oriented certification focusing on broad security themes. As I wrote previously, I believe the CISSP should be based on NIST SP 800-27, Rev. A (.pdf), Engineering Principles for Information Technology Security (A Baseline for Achieving Security).

If someone wanted to build a real technical information security certification, they should base it on Counter Hack.

On a related note, someone asked me recently if my first book was "CISSP compliant". After calming myself, I replied that the CISSP should be compliant with best practices -- best practices should not "comply" with the CISSP. That sort of question reveals the problem with teaching and learning "for the test," instead of teaching and learning the best material. I am not opposed to teaching and learning for the test if the test is sound. Unfortunately, as I've written before, I think the CISSP test is utterly worthless.

Thursday, March 16, 2006

Microsoft is Getting It

I learned through Slashdot that Microsoft held its third Blue Hat Security Briefings. They also have a Blue Hat Blog. Reading this article, and considering that this is the third Blue Hat, it sounds to me like Microsoft is taking security seriously. It's been over four years since Bill Gates issued his famous security memo. What's happened since then?


With Blue Hat, Microsoft is listening to the top public security researchers who are breaking Windows. Halvar Flake at Black Hat Federal 2006 says it is getting tougher to find vulnerabilities in Windows. I reported that a talk I saw on Vista at RSA 2006 impressed me. The company is incorporating good security practices like least privilege and privilege separation, already found in Unix OSes and tools. Microsoft is publishing books like Writing Secure Code, 2nd Ed, Hunting Security Bugs, and The Security Development Lifecycle. The company has a group which has the power to stop shipment of software due to security concerns, and it has exercised that power already.

All of these factors are going to make a difference when Vista is released. I plan to buy a new laptop running Vista (and dual-booting FreeBSD) when the new OS is available. I am optimistic, but we'll have to see what sorts of security advisories Microsoft releases once Vista ships.

I believe that threats are going to shift their attention to the infrastructure surrounding Microsoft. We've already seen that with attacks on applications. The next target will be network infrastructure, especially so-called embedded devices and appliances. These products suffer the sorts of vulnerabilities seen in Microsoft products of the past. I saw Barnaby Jack's latest presentation and his compromise of an embedded consumer grade router scared the heck out of me.

Stay tuned.

Review of Penetration Tester's Open Source Toolkit Posted

Amazon.com just published my three star review of Penetration Tester's Open Source Toolkit. From the review:

I am not sure why Penetration Tester's Open Source Toolkit (PTOST) was published. If you have no other security assessment books, you may find PTOST helpful. Otherwise, I don't believe this book offers enough value to justify purchasing it. Other books -- some published by Syngress -- cover some of the same ideas, and 5 of PTOST's chapters are published in other books anyway.

Marty Roesch Speaking Tour

I just signed up to see Marty Roesch from Sourcefire speak on Wednesday 29 March 2006 in Washington, DC. The topic is Redefining Federal Network Security - Protecting Against Threats, from All Vectors, at All Times. That sounds ambitious. Marty might be coming to a city near you -- check the calendar and register. If you're going to attend the DC event, say hello -- I'll be wearing a TaoSecurity polo.

Argus 3.0 Will Be Released Soon

I found a sign of the Apocalypse while reading the Argus mailing list. Long-time blog readers should know that Argus is a stand-alone NSM session data program that I profiled in Tao. The relevant message by Argus developer Carter Bullard is here. In brief, Carter will be releasing a beta of Argus 3.0 "in 2-3 weeks".

This is an incredible development. The last publicly posted Argus version is available at ftp://ftp.qosient.com/dev/argus-2.0/. The server and client programs are argus-2.0.6.fixes.1 and argus-clients-2.0.6.fixes.1, respectively. These files are almost two years old, and Argus mailing list users recommend adding patches that are only available on the mailing list!

For the sake of proper version management alone, I can't wait to see Argus 3.0 released. Carter reports that Argus 3.0 "adds IPv6 support, better encapsulation parsing, 64-bit support, Cygwin support and 64 bit counters, as well as a hundred thousand little nits and small changes that will probably drive everyone crazy." Unfortunately, Argus 3.0 "has the same SASL problems as argus-2.0." (I'm not familiar with this issue.)

When I get to try Argus 3.0 BETA, I will report my findings.

Wednesday, March 15, 2006

Review of Nessus, Snort, and Ethereal Power Tools Posted

Amazon.com just posted my four star review of the fourth book in Jay Beale's Open Source Security Series, Nessus, Snort, and Ethereal Power Tools. From the review:

I've read and reviewed the three previous books in Jay Beale's Open Source Security Series -- Snort 2.1, Nessus Network Auditing, and Ethereal Packet Sniffing. I liked all three of those books, and I'm glad to say that this fourth book -- Nessus, Snort, and Ethereal Power Tools (NSAEPT) -- is a worthy continuation of Jay's series. NSAEPT is a unique resource for anyone who wants to extend Nessus, Snort, and Ethereal. The book could save programmers hours of work, and it should be the first step for those looking to contribute to the development of all three projects.

Update: Andrew Williams from Syngress provided this feedback concerning the problems with FI and FL characters being mangled. Those who register can download a PDF of the book.

This PDF fixes the code problems you referenced. Readers can register and download the completed, fixed PDF from our Web site at www.syngress.com/solutions.

I'm hoping as many readers as possible take advantage of this. It was incredibly frustrating for us to have this problem introduced during pre-press.

Review of Securing IM and P2P Applications for the Enterprise Posted

Amazon.com just posted my four star review of Securing IM and P2P Applications for the Enterprise. From the review:

I had high hopes for Securing IM and P2P Applications for the Enterprise (SIAPAFTE), and thankfully this book delivers. SIAPAFTE is a modern, well-written, thorough guide to instant messaging (IM), peer-to-peer (P2P), and Internet Relay Chat (IRC) networks and related security issues. I recommend all network and security administrators read this book.

Monday, March 13, 2006

Review of Sarbanes-Oxley IT Compliance Using COBIT and Open Source Tools Posted

Amazon.com just posted my four star review of Sarbanes-Oxley IT Compliance Using COBIT and Open Source Tools. From the review:

I read Sarbanes-Oxley IT Compliance Using COBIT and Open Source Tools (SOICUCAOST) to learn more about compliance issues. I am a security engineer who thankfully has not had to suffer through a SOX audit. I am glad I read SOICUCAOST, however. The book is clear, well-written, and makes innovative use of a live CD. While the book is not the answer to SOX compliance (no book is), small-to-medium-sized businesses will find SOICUCAOST a valuable guide.

Bejtlich Teaching NSM at USENIX 2006 in Boston

If you'd like to see me teach material related to my first book, please register for USENIX 2006 (the Annual Technical Conference). I'll be presenting Network Security Monitoring with Open Source Tools all day on Friday, 2 June 2006 in Boston, MA.

I'll probably fly in the previous day, then attend Gerald Carter's half-day presentation Ethereal and the Art of Debugging Networks. I may stay for Dan Geer's class on Saturday -- Measuring Security.

Seats are filling for my only public Network Security Operations class in Fairfax, VA, 13-16 June 2006. Contact me via email (richard at taosecurity dot com) before 1 April to get the best rate!

Review of Security Log Management Posted

Amazon.com just posted my three star review of Security Log Management. From the review:

When I received a review copy of Security Log Management (SLM) last month, I was eager to read it. I saw two very powerful but seldom discussed tools -- Argus and Bro -- mentioned in the table of contents. This indicated some original thinking, which I appreciate. Unfortunately, SLM did not live up to my expectations. When you strip out the pages of scripts and code and the three reprinted chapters, you're left with a series of examples of output from the author's deployment of several tools. Aside from a few examples mentioned in this review, I don't think readers will learn much from SLM.

Sunday, March 12, 2006

Two Pre-Reviews

Two new books arrived at TaoSecurity last week. The first is Software Security: Building Security In by Gary McGraw. This book is available alone or in a boxed set with Exploiting Software and Building Secure Software. I've read the second book, so I may try to read Software Security right away. The new book is the third in the Addison-Wesley Software Security Series.

At RSA in February Gary told me he wanted Building Secure Software to begin that series, but instead it ended up in the Addison-Wesley Professional Computing Series. The other book in the Software Security Series is Rootkits, a book I'm waiting to read. I'd like a little more programming knowledge before trying that one. The second book added to my reading queue is Anti-Hacker Toolkit, 3rd Ed. I reviewed the 2nd Ed in June 2004 and the 1st Ed in August 2002. I sat down with the 2nd and 3rd editions and did a cursory examination of changes. The major difference is a new chapter, 26, on reverse engineering binaries. Aside from that, the 3rd Ed is structurally identical to the 2nd Ed. A few tools have been added and some have been deleted. Co-authors Chris Davis, Aaron Philipp, and David Cowen have stepped in to help lead author Mike Shema, although material from original authors Keith Jones and Brad Johnson is still present. (Mike Shema is the third original author, meaning he, Keith, and Brad wrote the 1st Ed.)

I have a feeling that my recommendation for the 3rd Ed will be the same as for the 2nd Ed -- if you don't have a copy, get one. Security pros should know how to use most if not all of the tools in Anti-Hacker Toolkit. Employers -- asking about tools in this book is a great way to start a dialogue with candidate employees. If you have the 2nd or even the 1st Ed, however, you probably won't be able to financially justify the upgrade.

Review of Skype Me! Posted

Amazon.com just posted my five star review of Skype Me!. From the review:

Skype Me! is the perfect introduction to Skype for users of all skill levels. It could serve as an example of how to write a product-centric book that delivers real value. The text is well written, clear, and focused. The material becomes progressively complex as the reader moves from learning about Skype, to installing it, to using it, to extending it into areas I hadn't previously considered. Anyone who wants to get the most out of Skype should read Skype Me!

Sound Familiar?

I found the following quote in this story about problems at the CIA:

"[Y]ou're getting into the problem of very junior, inexperienced people, which a lot of veteran CIA people feel now is part of the problem. Porter Goss has to double the number of operational people in an environment where there are no mentors. Who's going to train these people?"

This reminded me of the problems in information technology. There is far too much infrastructure being operated by far too many inexperienced people who have no mentors.

Review of InfoSec Career Hacking Posted

Amazon.com just posted my two star review of InfoSec Career Hacking. This write-up is for those of you who say I don't write enough negative reviews. I was particularly upset to see 3 of the book's 12 chapters are reprints. This is a disturbing trend. Syngress is using chapters from older books as filler for new titles that can't stand on their own. From the review:

InfoSec Career Hacking (ICH) is a confused, directionless book. It's a collection of contributions by various authors, three of which were previously published. The main text never states the goal of the text, so I turned to the description on the back cover: "A technical guide to landing (and keeping) a job in the information security field... If you want to refine those skills to land a top InfoSec job and employer-funded trip to Vegas next year, you've come to the right place." It sounds like ICH wants to be a sort of employment guide for "hackers," but it ends up as a muddle of some useful original material and recycled chapters from older Syngress titles.