09.08.09
Posted in Information, OpenSourceSoftware, Security, Sguil, Snort, daemonlogger, fpcgui at 6:13 pm by Edward Bjarte Fjellskål
I was at a seminar today, where one of the key focuses was full packet capture of network traffic.
It was rather strange to me that it seemed to be presented as something new, exciting and “must have”…
IDS/IPS without full packet capture is time consuming when you try to investigate an incident. All analysts know that, and there is nothing new about it. Richard Bejtlich has preached this for years (read The Tao of Network Security Monitoring: Beyond Intrusion Detection).
As a happy Sguil user, I always have full packet capture of my network traffic and can drill down into all the network data from an event. That means I save tons of time investigating events, and I can also tune down my false positives better. Most commercial vendors don’t integrate any “full packet capture appliances”, and don’t even support 3rd-party packet capture services. In my earlier days, I brought this up with, among others, IBM and Juniper, where they just looked strangely at me and replied more or less the same: “Full packet capture is just too much data to handle… you need big disks and lots of CPU/RAM… We are not sure how to integrate this…”
Well, there is a free and open source way to implement such a device. A standard Linux host with daemonlogger is one example. (There are other tools that also do packet capture, but daemonlogger aims purely at packet capture and nothing more, and does it the way I want it.)
Now that you can get 67 terabytes of storage for about $7,800 USD, storing your data should not be a problem.
You can split up Sguil to run different services on different hardware, so if you have a network tap that can mirror traffic to more than one device, you can run IDS on one server, pcap on another, network statistics on a third and asset detection on a fourth, for example. Basic overview of Sguil with all services running on one sensor:

If you want to, or need more juice from your Snort sensor etc., you can split it up so that one sensor takes the traffic from the X most used services and the other sensor takes the rest. Or even split it up more!
Since I started using the Sourcefire 3D system, I have planned to make a way for me to easily integrate my packet capture server with the Defense Center. My thoughts are on using Firefox with Greasemonkey and some Perl CGI on the pcap server to carve out the right portion of the pcaps. Capture has some nice ideas and I might reuse some code from there. If Sourcefire don’t beat me to it, I might have something of my own in the near future…
If you don’t capture packets today, you should look into a way of doing it. It saves you time, and it saves you lots of work. I would not be without mine.
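As an added example (not the blog's, Sguil's or daemonlogger's code), here is a small Python carver that does the drill-down step described above: given a Sguil-style event (5-tuple plus timestamp), it pulls that flow, both directions, out of a daemonlogger-style pcap file within a time window. The pcap reader/writer is minimal (classic little-endian format, Ethernet link type) and the capture it runs on is constructed inline.

```python
import struct
PCAP_MAGIC = 0xA1B2C3D4  # classic little-endian pcap, microsecond timestamps

def pcap_bytes(packets):
    """Serialize [(ts_sec, ts_usec, frame), ...] as a pcap file (linktype 1 = Ethernet)."""
    out = struct.pack('<IHHiIII', PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for sec, usec, frame in packets:
        out += struct.pack('<IIII', sec, usec, len(frame), len(frame)) + frame
    return out

def pcap_packets(blob):
    """Yield (ts_sec, ts_usec, frame) records from a pcap file image."""
    if struct.unpack_from('<I', blob)[0] != PCAP_MAGIC:
        raise ValueError('not a little-endian classic pcap')
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(blob):
        sec, usec, caplen, _ = struct.unpack_from('<IIII', blob, off)
        yield sec, usec, blob[off + 16:off + 16 + caplen]
        off += 16 + caplen

def five_tuple(frame):
    """(proto, src, sport, dst, dport) for an Ethernet/IPv4/TCP|UDP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b'\x08\x00':
        return None
    ihl, proto = (frame[14] & 0x0F) * 4, frame[23]
    if proto not in (6, 17) or len(frame) < 14 + ihl + 4:
        return None
    src, dst = ('.'.join(map(str, frame[i:i + 4])) for i in (26, 30))
    sport, dport = struct.unpack_from('!HH', frame, 14 + ihl)
    return proto, src, sport, dst, dport

def carve(blob, proto, src, sport, dst, dport, ev_sec, window=60):
    """Keep only the event's flow (both directions) within +/- window seconds of the alert."""
    want = {(proto, src, sport, dst, dport), (proto, dst, dport, src, sport)}
    hits = [(s, u, f) for s, u, f in pcap_packets(blob)
            if abs(s - ev_sec) <= window and five_tuple(f) in want]
    return pcap_bytes(hits), len(hits)

def tcp_frame(src, sport, dst, dport):
    """Constructed minimal Ethernet/IPv4/TCP SYN frame used for the sample capture."""
    ip4 = lambda a: bytes(int(o) for o in a.split('.'))
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 40, 0, 0, 64, 6, 0, ip4(src), ip4(dst))
    tcp = struct.pack('!HHIIBBHHH', sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)
    return b'\x00' * 12 + b'\x08\x00' + ip + tcp
# Constructed sample capture: the alerted flow, its reply, an unrelated flow, a stale packet.
SAMPLE = pcap_bytes([
    (1251800000, 0, tcp_frame('10.0.0.5', 40000, '192.0.2.10', 80)),
    (1251800001, 0, tcp_frame('192.0.2.10', 80, '10.0.0.5', 40000)),
    (1251800002, 0, tcp_frame('10.0.0.6', 40001, '192.0.2.10', 80)),
    (1251900000, 0, tcp_frame('10.0.0.5', 40000, '192.0.2.10', 80)),
])
```

On a real sensor the same filter would run over the daemonlogger file whose name covers the event time, and the carved bytes would be written out for Wireshark; the window matters because the sensor's and the IDS's clocks rarely agree to the second.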
09.07.09
Posted in Information, OpenSourceSoftware, Debian, Security at 4:00 pm by Edward Bjarte Fjellskål
After installing “[SECURITY] [DSA 1871-1] New wordpress packages fix several vulnerabilities” from the 23rd of August 2009, I quickly saw that there was something wrong in the logs:
PHP Fatal error: Call to undefined function absint() in /usr/share/wordpress/wp-includes/functions.php on line 2008.
I looked over the DSA and identified the fix for CVE-2008-4769 as the one that broke this. Then I emailed Steffen Joeris, who released the DSA, and notified him about my findings. Two hours later, Giuseppe Iuculano sent me an update, which I installed and confirmed worked, and for which I could not find any regressions.
I looked at CVE-2008-4769 and at the Secunia advisory, which claims that the vulnerability only works on the Windows platform. This probably explains why Debian waited so long to include the fix. The original CVE is from 2008-04-25, so this is old news, by the way…
From advisories:
“It was discovered that the get_category_template function is prone to a directory traversal vulnerability, which could lead to the execution of arbitrary code. This can be exploited to include arbitrary PHP files from local resources via directory traversal attacks. Successful exploitation allows execution of arbitrary PHP code, but requires privileges to store PHP files on an affected system and that WordPress is installed on a Windows platform.”
I have only registered generic attacks in the wild against the ‘cat’ parameter in my gamelinux.org and other web logs (dating back to Dec 2006). No requests seem to aim at exploiting this vulnerability specifically.
An example of a URL that was supposed to work (not confirmed):
http://www.gamelinux.org/?cat=1.php/../searchform?
The regression update to the DSA was released 4 days after the original DSA, by the way.
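As an added example, not from the post, here is a small Python check of the kind the author describes running over his web logs: it scans Apache-style access log lines for requests whose ‘cat’ parameter carries a traversal sequence or a .php reference (the pattern of the URL above), undoing repeated percent-encoding first. The log lines and addresses are constructed sample data.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample Apache combined-log lines (not real gamelinux.org traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [26/Aug/2009:10:01:02 +0200] "GET /?cat=1.php/../searchform? HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [26/Aug/2009:10:01:05 +0200] "GET /?cat=1 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.9 - - [26/Aug/2009:10:02:00 +0200] "GET /?cat=%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 404 221 "-" "curl/7.19"
198.51.100.9 - - [26/Aug/2009:10:02:30 +0200] "GET /wp-login.php HTTP/1.1" 200 1234 "-" "curl/7.19"
"""

# Client address, timestamp and request target from a combined-log line.
REQ_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"')

def decode_fully(value, rounds=3):
    """Undo repeated percent-encoding so %252e%252e does not slip past the check."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_cat(target):
    """Return the decoded 'cat' value if it carries traversal or a .php reference, else None."""
    query = urlsplit(target).query
    for key, raw in parse_qsl(query, keep_blank_values=True):
        if key != 'cat':
            continue
        value = decode_fully(raw)  # parse_qsl already decoded one layer
        if '../' in value or '..\\' in value or '.php' in value.lower():
            return value
    return None

def scan_log(text):
    """Return a list of (ip, timestamp, decoded cat value) for requests abusing 'cat'."""
    hits = []
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if not m:
            continue
        bad = suspicious_cat(m.group('target'))
        if bad is not None:
            hits.append((m.group('ip'), m.group('ts'), bad))
    return hits
```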
09.04.09
Posted in Information, OpenSourceSoftware, Debian at 8:00 am by Edward Bjarte Fjellskål
For 898,- NOK (right around £100) down at Clas Ohlson here in Norway, you get a nice little NAS server (AID 38-2447). Straight out of the box it’s a low-end NAS, but I bought it with the intention of installing a full-blown Linux distro on it. And so I did.

It took me about 30 minutes from when I started reading the howtos, downloading and preparing the image on the hard drive and flashing the initrd of the Dual NAS, until it was up and running.
My notes:
* When you connect to the telnet boot menu, ping the NAS in one console, and when it starts answering you have about one second to connect to it via telnet in another console.
* It needs a DHCP server to obtain an IP address after Debian is booted…
* The Debian Etch image from Felix Mellmann is rather old (21 Nov 2007), so you need to upgrade it (it contains weak SSH keys etc.).
* It seems that it will not work with Debian Lenny (complains about an old kernel).
If anyone has any insight into how to compile and install a newer working kernel for this hardware, I would be interested.
Also, a link to the original source of the kernel which comes by default with this NAS would be great (I saw it yesterday, but I can’t seem to find it again).
Meanwhile, I fully recommend this buy as a small, cheap home server.
09.02.09
Posted in Information, OpenSourceSoftware, Security at 10:50 am by Edward Bjarte Fjellskål
I was sent a link today which I found fun to read. It compares H1N1 (aka swine flu) to computer viruses.
Read the blog post here.
Slashdot here.
“It’s humbling that I could be killed by 3.2kbytes of genetic data. Then again, with 850 Mbytes of data in my genome, there’s bound to be an exploit or two.”
09.01.09
Posted in Information, Security at 2:06 pm by Edward Bjarte Fjellskål
Yesterday (Monday the 31st of August 2009) the Norwegian police presented their new and more user-friendly website.
It has been a big joke on the Internet today, and it seems like the developers have made lots of classic mistakes…
I won’t go into details, but here are some friendly URLs:
The cops used 28Mil NOK (about ~3 Mil Euros) on the new site
Cops Suck!
milw0rm
Oracle-Application-Server-10g/10.1.3.4.0 Oracle-HTTP-Server Server at pdm-oas03.osl.basefarm.net Port 7777
—
Update 1 September 21:30:
The police have taken down the links that I posted, so they no longer work.
(and I didn’t make screenshots :/)