03.30.10
Posted in Information, OpenSourceSoftware, Security at 12:53 pm by Edward Bjarte Fjellskål
I just had to comment on this…
Read the advisory here.
My short comment: if you install any type of software, use any kind of mechanical device, or do anything in life, be sure to know what you are doing.
If you buy a car, and the car door is not locked when you are handed the keys, still lock the doors if you don’t want people to come into your car!
Snippets from the advisory:
“In order to completely protect against the vulnerability (in the short term), Nth Dimension recommend turning off the server and replacing it with another reverse proxy such as Squid.”
That would be like stepping out of a Ferrari and crawling into twelve old tractors… I don’t think people will do that, Mr. Brown…
“Should this not be possible, Nth Dimension would strongly recommend that users confirm that the master process is not listening on an external network interface.”
This is so much easier to do than migrating to Squid or the like, and it is the right thing to do if you are not in a trusted environment. Again, do lock your car door.
“In the latter case, users should confirm that only trusted users have SSH access to the system.”
As a rule of thumb: you should NEVER have untrusted users on your systems if you value the data on them or the data accessible from them.
There is tons of information on how to harden an Operating System (OS). One of the first and most common steps is to make sure the system does not listen on network ports that you don’t want it to. I feel that the advisory is bogus because it is a feature of Varnish.
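The “is the master process listening on an external interface?” check from the advisory boils down to reading the listening-socket table and flagging anything not bound to a loopback address. This is an added example (not from the post or from Varnish) that parses the output of `ss -ltn` on Linux; the listing embedded below is constructed, and the 6082 management port and the other ports in it are just sample values.

```python
"""Flag listening sockets bound to anything other than a loopback address by
parsing `ss -ltn` output (Linux).  Added example; the listing below is
constructed and the ports in it are sample values, not taken from the post."""
import ipaddress
import subprocess

# Constructed sample of `ss -ltn` output: one loopback-only IPv4 listener, one
# loopback-only IPv6 listener, and three listeners reachable from outside.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     127.0.0.1:6082       0.0.0.0:*
LISTEN  0       128     0.0.0.0:80           0.0.0.0:*
LISTEN  0       128     [::1]:3306           [::]:*
LISTEN  0       128     [::]:22              [::]:*
LISTEN  0       128     *:8080               *:*
"""


def split_local(field):
    """Split ss's "Local Address:Port" field into (address, port).
    IPv6 is printed as [addr]:port; wildcards appear as 0.0.0.0, [::] or *."""
    addr, _, port = field.rpartition(":")
    return addr.strip("[]"), int(port)


def is_loopback(addr):
    """True only for 127.0.0.0/8 and ::1; "*" and the zero addresses mean
    "every interface" and are therefore reachable from the network."""
    if addr == "*":
        return False
    return ipaddress.ip_address(addr).is_loopback


def external_listeners(ss_output):
    """Return [(address, port)] for every LISTEN socket not bound to loopback."""
    found = []
    for line in ss_output.splitlines()[1:]:  # first row is the column header
        cols = line.split()
        if len(cols) < 4 or cols[0] != "LISTEN":
            continue
        addr, port = split_local(cols[3])
        if not is_loopback(addr):
            found.append((addr, port))
    return found


def live_check():
    """Run ss on this host (Linux, iproute2 installed) and report the result."""
    out = subprocess.run(["ss", "-ltn"], capture_output=True,
                         text=True, check=True).stdout
    return external_listeners(out)


if __name__ == "__main__":
    for addr, port in external_listeners(SAMPLE_SS):
        print("reachable from the network: %s port %d" % (addr, port))
```

Run it as-is to see the three non-loopback listeners in the sample picked out (including the `[::]` and `*` wildcard forms, which a naive string comparison against `127.0.0.1` would miss); call `live_check()` to run the same logic against the real socket table, and compare what it reports with the services you actually intend to expose.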
The advisory should have been aimed at the distributions that have packages that don’t implement “non-clue friendly defaults”.
That said, there is nothing stopping me from sending out my passwords via email once I have installed a browser and I manage to log into my gmail account…
Subject: “Medium security hole in Mozilla Firefox”
Body: “I’ve identified a couple of security flaws affecting Mozilla Firefox (All versions) which may allow privilege escalation….”
“Grumpy day”
03.28.10
Posted in Information, OpenSourceSoftware, Linux Distributions, Debian, Ubuntu, Security, Sguil at 3:04 pm by Edward Bjarte Fjellskål
As Ubuntu 10.04 (Lucid Lynx) is the next LTS (Long Time Support) version of Ubuntu that is coming out soon (April 29, 2010), I have started to look at how sguil and my dot deb packages will work.
I installed Lucid Lynx yesterday and installed my server and sensor debs on it.
Some first notes:
* MySQL is not eating the create_sguildb.sql (just remove the comments)
* Lucid (and Karmic) does not ship with tclx8.3 (installing the Hardy version worked just fine; I filed a bug report with Ubuntu, hoping to get tclx8.3 into the final release…)
So, from my first tests, it seems to work fine!
I have yet to test the sguil-client on Lucid, and I also did not get to test with an extensive amount of traffic and operations on the Lucid test server.
So, looking promising.
03.24.10
Posted in Information, OpenSourceSoftware, Security, Snort, PRADS at 11:18 am by Edward Bjarte Fjellskål
It has been a long journey, but after about two years, I finally got a way to populate Snort’s host attribute table, automagically(tm)!
When I started this, my first option was to use nmap to scan the network to populate the information. This was scratched, as my goal was to be non-intrusive and always up to date (the minute a new host pops up, I want to know). Scanning 65535 ports times two for each of the hosts I’m monitoring is not an option either… I started to look at the Open Source tools out there to get the information from. As I was familiar with p0f and PADS, I saw that they could do the job, but they needed some band-aid to work together, and they were lacking active development… p0f has a DB patch/version, and I already had PADS hooked up in Sguil, so I had the info in a DB, but not in the way I wanted it. So I started out on a journey to merge the two projects, enhance them, and try to speed things up a bit.
The project is still in development, but the main parts are done. It is useful in the way that it will print out information about detected hosts, like this in verbose mode (And yes, it also does IPv6):
2a02:c0:1002:100:21d:72ff:fe92:728,[syn:S4:64:1:40:M1440,S,T,N,W7:Z],[Linux:2.6 (newer, 7) IPv6],[link:IPv6/IPIP],[uptime:2hrs],[distance:0]
2a02:c0:1002:10::2,[synack:5712:63:1:40:M1440,S,T,N,W7:ZAT],[Linux:2.6 (newer, 7) IPv6],[link:IPv6/IPIP],[uptime:4069hrs],[distance:1]
2a02:c0:1002:100:21d:72ff:fe92:728,[ack:45:64:1:*:N,N,T:ZAT],[Linux:2.6],[uptime:2hrs],[distance:0]
2a02:c0:1002:10::2,[service:OpenSSH 5.1p1 (Protocol 2.0):22:6],[distance:1]
2a02:c0:1002:10::2,[ack:45:63:1:*:N,N,T:ZAT],[Linux:2.6],[uptime:4069hrs],[distance:1]
2a02:c0:1002:100:21d:72ff:fe92:728,[client:OpenSSH 5.1p1 (Protocol 2.0):22:6],[distance:0]
At the moment, it also makes a file in your /tmp/ dir, /tmp/prads-asset.log, which presents the info in the following way:
2a02:c0:1002:100:21d:72ff:fe92:728,0,56268,6,SYN,[S4:64:1:40:M1440,S,T,N,W7:Z:Linux:2.6 (newer, 7) IPv6:link:IPv6/IPIP:uptime:2hrs],0,1269420770
2a02:c0:1002:10::2,0,22,6,SYNACK,[5712:63:1:40:M1440,S,T,N,W7:ZAT:Linux:2.6 (newer, 7) IPv6:link:IPv6/IPIP:uptime:4069hrs],1,1269420770
2a02:c0:1002:100:21d:72ff:fe92:728,0,56268,6,ACK,[45:64:1:*:N,N,T:ZAT:Linux:2.6:uptime:2hrs],0,1269420770
2a02:c0:1002:10::2,0,22,6,SERVER,[ssh:OpenSSH 5.1p1 (Protocol 2.0)],1,1269420770
2a02:c0:1002:10::2,0,22,6,ACK,[45:63:1:*:N,N,T:ZAT:Linux:2.6:uptime:4069hrs],1,1269420770
2a02:c0:1002:100:21d:72ff:fe92:728,0,22,6,CLIENT,[ssh:OpenSSH 5.1p1 (Protocol 2.0)],0,1269420770
Input from the community on how best to present the information/output for integration with other applications is welcome.
To try it out, this is what I believe is necessary to install on my Ubuntu machine to run it:
$ sudo aptitude install build-essential git-core libpcre3-dev libpcap0.8-dev
$ git clone http://github.com/gamelinux/prads.git
$ cd prads/src/ && make
$ # then to start it
$ sudo ./prads -i ethX -v
For populating the Snort host attribute table, there is a script in the tools dir, prads2snort.pl, which takes the prads-asset.log file and processes it.
Example:
$ perl prads2snort.pl -i prads-asset.log -o hosts_attribute.xml -v -f
The -v (verbose) mode prints out some details, which can be good to check to see if stuff seems to be detected correctly.
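To show what the conversion from the asset log above to the attribute table involves, here is an added example in Python (it is not prads2snort.pl from the PRADS tree). It parses the exact log lines quoted earlier in the post, keeps one OS guess and a list of services per host, and renders a host attribute table. Two things in it are inferred rather than documented on this page: the second column, which I treat as the VLAN tag, and the layout of the bracketed TCP-fingerprint field (six colon-separated fingerprint fields, then OS name, OS version, then key:value pairs such as link and uptime), which is what the sample lines show. The XML element names follow the Snort 2.x attribute-table schema as I recall it from the manual section the post points at; check the output against that section before loading it.

```python
"""Parse a PRADS asset log into per-host records and render a Snort host
attribute table.  Added example, not prads2snort.pl from the PRADS tree."""
import re
from collections import OrderedDict
from xml.sax.saxutils import escape

# The six lines quoted from /tmp/prads-asset.log in the post.
SAMPLE_LOG = """\
2a02:c0:1002:100:21d:72ff:fe92:728,0,56268,6,SYN,[S4:64:1:40:M1440,S,T,N,W7:Z:Linux:2.6 (newer, 7) IPv6:link:IPv6/IPIP:uptime:2hrs],0,1269420770
2a02:c0:1002:10::2,0,22,6,SYNACK,[5712:63:1:40:M1440,S,T,N,W7:ZAT:Linux:2.6 (newer, 7) IPv6:link:IPv6/IPIP:uptime:4069hrs],1,1269420770
2a02:c0:1002:100:21d:72ff:fe92:728,0,56268,6,ACK,[45:64:1:*:N,N,T:ZAT:Linux:2.6:uptime:2hrs],0,1269420770
2a02:c0:1002:10::2,0,22,6,SERVER,[ssh:OpenSSH 5.1p1 (Protocol 2.0)],1,1269420770
2a02:c0:1002:10::2,0,22,6,ACK,[45:63:1:*:N,N,T:ZAT:Linux:2.6:uptime:4069hrs],1,1269420770
2a02:c0:1002:100:21d:72ff:fe92:728,0,22,6,CLIENT,[ssh:OpenSSH 5.1p1 (Protocol 2.0)],0,1269420770
"""

# The bracketed detail field contains commas of its own (TCP options such as
# "M1440,S,T,N,W7"), so a plain split(",") breaks; anchor on the brackets.
# Second column is read as the VLAN tag (assumption; it is 0 in every sample).
LINE_RE = re.compile(
    r"^(?P<ip>[^,]+),(?P<vlan>\d+),(?P<port>\d+),(?P<proto>\d+),"
    r"(?P<kind>[A-Z]+),\[(?P<detail>.*)\],(?P<distance>\d+),(?P<ts>\d+)$")
IPPROTO = {6: "tcp", 17: "udp"}
OS_RANK = {"SYN": 2, "SYNACK": 2, "ACK": 1}  # SYN/SYNACK carry the fuller match


def parse_line(line):
    """Split one asset-log line into its fields; None for lines that don't fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("vlan", "port", "proto", "distance", "ts"):
        rec[key] = int(rec[key])
    return rec


def parse_os_detail(detail):
    """Return (os_name, os_version, extras) from a TCP-fingerprint detail.
    Layout inferred from the samples: six fingerprint fields, OS, version,
    then key:value pairs (link, uptime).  None if the field is too short."""
    parts = detail.split(":")
    if len(parts) < 8:
        return None
    return parts[6], parts[7], dict(zip(parts[8::2], parts[9::2]))


def build_hosts(log_text):
    """Aggregate log lines per IP: best OS guess, server and client entries."""
    hosts = OrderedDict()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        host = hosts.setdefault(rec["ip"], {"os": None, "os_rank": 0,
                                            "distance": rec["distance"],
                                            "services": [], "clients": []})
        kind = rec["kind"]
        if kind in OS_RANK:
            parsed = parse_os_detail(rec["detail"])
            if parsed and OS_RANK[kind] > host["os_rank"]:
                host["os"], host["os_rank"] = parsed[:2], OS_RANK[kind]
        elif kind in ("SERVER", "CLIENT"):
            service, _, banner = rec["detail"].partition(":")
            entry = (rec["port"], IPPROTO.get(rec["proto"], str(rec["proto"])),
                     service, banner)
            bucket = host["services" if kind == "SERVER" else "clients"]
            if entry not in bucket:  # the same service is logged repeatedly
                bucket.append(entry)
    return hosts


def _attr(tag, value, key="ATTRIBUTE_VALUE", indent=10):
    return "%s<%s><%s>%s</%s><CONFIDENCE>100</CONFIDENCE></%s>" % (
        " " * indent, tag, key, escape(str(value)), key, tag)


def to_snort_xml(hosts):
    """Render hosts as a Snort 2.x host attribute table (element layout as I
    recall it from the Snort manual; verify against your Snort version)."""
    os_ids = OrderedDict()
    for h in hosts.values():
        if h["os"]:
            os_ids.setdefault(h["os"][0], len(os_ids) + 1)
    out = ["<SNORT_ATTRIBUTES>", "  <ATTRIBUTE_MAP>"]
    out += ["    <ENTRY><ID>%d</ID><VALUE>%s</VALUE></ENTRY>" % (i, escape(n))
            for n, i in os_ids.items()]
    out += ["  </ATTRIBUTE_MAP>", "  <ATTRIBUTE_TABLE>"]
    for ip, h in hosts.items():
        out += ["    <HOST>", "      <IP>%s</IP>" % ip]
        if h["os"]:
            name, version = h["os"]
            out += ["      <OPERATING_SYSTEM>",
                    _attr("NAME", os_ids[name], "ATTRIBUTE_ID", 8),
                    _attr("VERSION", version, indent=8)]
            if name == "Linux":  # frag3/stream5 reassembly policy; only Linux mapped
                out += ["        <FRAG_POLICY>linux</FRAG_POLICY>",
                        "        <STREAM_POLICY>linux</STREAM_POLICY>"]
            out.append("      </OPERATING_SYSTEM>")
        if h["services"]:
            out.append("      <SERVICES>")
            for port, ipproto, service, banner in h["services"]:
                out += ["        <SERVICE>", _attr("PORT", port),
                        _attr("IPPROTO", ipproto), _attr("PROTOCOL", service),
                        _attr("APPLICATION", banner), "        </SERVICE>"]
            out.append("      </SERVICES>")
        out.append("    </HOST>")
    out += ["  </ATTRIBUTE_TABLE>", "</SNORT_ATTRIBUTES>"]
    return "\n".join(out)


if __name__ == "__main__":
    print(to_snort_xml(build_hosts(SAMPLE_LOG)))
```

On the six sample lines this yields two hosts, both Linux 2.6, with the sshd on port 22 of the second host recorded as a service; the CLIENT entry for the first host is kept separately so that it is not written out as a listening service. The SYN/SYNACK fingerprint is preferred over the ACK one because, as the sample shows, it carries the fuller OS match (“2.6 (newer, 7) IPv6” versus plain “2.6”).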
Snort supports reloading of the attribute table if you send it signal 30 (kill -30 <snort-pid>). This means that if you discover a difference in your host attribute table (say you got a new http service somewhere, or a host has changed OS), you can swap out the attribute file with a new updated one and tell snort to reload its attribute file without restarting snort! Darn cool if you ask me.
You can read more about Snort and its host attribute table here, and you can read about another tool called Hogger here. Also, you should read the Snort documentation section 2.7 (around page 104/105) “Host Attribute Table”.
I would once again like to thank Michal Zalewski and Matt Shelton for their work on p0f and pads. I would also like to thank Martin Roesch & The Snort Team (and all the contributors) for a great application and all the effort they have put into Snort and its surroundings. (Virtually giving you the prize for best Open Source security application 2000 - 2010!)
Attribute Table Loaded with 980 hosts
…
Attribute Table Reload Thread Starting…
Attribute Table Reload Thread Started, thread 363022672 (15333)
…
$ /bin/kill -30 15333
…
Swapping Attribute Tables.
…
$ /bin/kill 15333
…
===========================================
Attribute Table Stats:
Number Entries: 980
Table Reloaded: 1
===========================================
…
03.03.10
Posted in Information, OpenSourceSoftware, Linux Distributions, Ubuntu, Security, Sguil, PRADS, PADS at 12:02 pm by Edward Bjarte Fjellskål
On Saturday 18 Jun 2005, Matthew J. Shelton released PADS. PADS is a great tool, and the security industry really needs a good open source passive asset tool. But since 2005, PADS development has stopped, and there is no place to send new signatures or patches/bug reports to and hope that they will get added/fixed. Also, logically, there are no new features being added…
I have used PADS in my Sguil setup, but have seen that it lacks stuff that I wanted to have there, and also there have been some problems running PADS on newer operating systems. I have a copy of the pads-1.2-sguil-mods.tar.gz, and I added it to github yesterday, fixed some issues when writing data to the FIFO file for Sguil, and added some patches, among them vorant’s VLAN patch. I compiled it on Ubuntu Hardy and Jaunty (x86_64), and it has been running fine for 12+ hours.
If you try out my version of PADS and have issues, I will try to solve them. I see there are some, in stuff that I don’t use, and if I one day find the urge, I’ll fix them on my own.
I should probably also mention, shamelessly again, that there is a project that takes PADS to the next level and then some more….
You can read about PRADS here and what more it can do for you.