When {Puffy} Meets ^RedDevil^

FreeBSD 9.0 Release is OUT!

noreply@blogger.com (C.S.Lee) — Fri, 13 Jan 2012 09:20:35 PST

If you haven't noticed yet, FreeBSD 9.0 Release is out, grab it while it is still hot. The announcement can be found at

http://www.freebsd.org/releases/9.0R/announce.html

You can check out the release note at -

http://www.freebsd.org/releases/9.0R/relnotes.html

I'm glad to see the driver improvement for network adapters especially intel based cards, and the netgraph ng_netflow supports NetFlow V9 export. Another interesting feature is usbdump which can be used to dump packets over usb controller. As always ipfw is improved in almost every FreeBSD release just like pf in OpenBSD. The FreeBSD team has also made a lot of improvement on file system wise. Finally we see new installer for FreeBSD ;)

With FreeBSD 9.0 Release is officially out, time to work on HeX 3!

Cheers ;]

Argus 3: Some hardly used scripts

noreply@blogger.com (C.S.Lee) — Wed, 11 Jan 2012 04:25:31 PST

There are couple of perl scripts come with argus 3 to process argus data, in case you haven't used them, do try them out, I will just show the result generated by those scripts -

shell>perl ./raips -r ~/pcap-repo/anubis.arg3
187.45.196.28
187.45.241.156
192.168.0.1
192.168.0.2

Raips will generate all unique IP addresses that are seen in the argus data.

shell>perl ./rahosts -r ~/pcap-repo/anubis.arg3
192.168.0.2: (3) 187.45.196.28, 187.45.241.156, 192.168.0.1

Rahosts will generate host report, and telling you the hosts that initiate network connection(transmitter) and also destination hosts that are probed(receiver), you may get an array of IP addresses in the same network if it is network scanning or worm outbreak activity.

shell>perl ./raports -r ~/pcap-repo/anubis.arg3
187.45.241.156 tcp: (1) 80
192.168.0.1 udp: (1) 53
187.45.196.28 tcp: (1) 1433

Raports will generate the port report, however only on server side, which means those ports that are probed by any host.

If you are not satisfied with the result generated by those scripts, you are free to modify them to fit your needs, basically Carter is just demonstrating what you can do with argus data using some scripting capabilities.

Cheers (;])

Large Scale Pcap Analysis

noreply@blogger.com (C.S.Lee) — Tue, 10 Jan 2012 21:43:16 PST

It seems that the storage is not much an issue when comes to packet capture anymore, looking at terabytes become general everywhere, and many network analysis tools seem to gear toward large scale pcap data analysis, bro-ids has extended their functionality by using tons of community hardware and timemachine to capture and analyze network data, and now I just come to read about people in RIPE NCC are doing this using apache hadoop -

https://labs.ripe.net/Members/wnagele/large-scale-pcap-data-analysis-using-apache-hadoop

As we know as well, pcapr is also making use of cloud technology to share and analyze pcap data for internet community.

Enjoy ;]

Picviz on Windows

noreply@blogger.com (C.S.Lee) — Mon, 09 Jan 2012 06:40:38 PST

I never know that someone has actually ported picviz to Windows OS platform for a while until I'm working on picviz stuffs and googling some information, you can find here if you are interested -

http://berise.blogspot.com/2011/01/picviz-for-win32-port.html

Open source really opens up many unknown possibilities ...

Cheers ;]

Digital Forensics Tools For Linux

noreply@blogger.com (C.S.Lee) — Sun, 18 Dec 2011 02:44:51 PST

If you are using Fedora Linux Distro to perform Forensics works, you may want to look into this -

http://www.cert.org/forensics/tools/

CERT also provides vmware forensics appliance where you find at the link above.

Enjoy ;]

Re-look: Security Operation Tools

noreply@blogger.com (C.S.Lee) — Sat, 17 Dec 2011 22:18:47 PST

I haven't kept track of my favorite tools for awhile, and it's time to pay attention to them again -

- Bro-ids
- Splunk
- Suricata
- Argus
- Ntop

All of them have new version released and it seems there are numerous changes that worth re-look into ;)

High Tech Fix For "Nokia N900: All telephony functions are disabled" issue

noreply@blogger.com (C.S.Lee) — Thu, 15 Dec 2011 20:59:56 PST

Last week, my Nokia N900 phone suddenly popped up with the message -

All telephony functions, including emergency calls, are disabled due to communication error. To recover, you might have to reboot the device

You will see something like a sim card icon on the top panel when this message appears.

Awesome, it seems I couldn't make or receive call after this message is shown, I rebooted my phone and it works again ... until this week, the phone is dead, I can't use it as a phone but small tablet. Maybe I should try google to see if there's any solution and here's what I have found -

http://discussions.europe.nokia.com/t5/Maemo-and-MeeGo-Devices/N900-All-telephony-functions-are-disabled-and-No-IMEI/td-p/915441

http://talk.maemo.org/showthread.php?t=60881

Basically the solution is to claim the warranty and Nokia replaces a new one for you, what if you are out of warranty, just someone like me? Nokia has no answer for that, thank you Nokia ;)

I was thinking "Sim card icon and communication error", maybe it is sim card slot issue? I don't know, but here's what I try -

0. Switch off N900

1. Open up N900 case at the back(battery part)

2. Take out battery

3. Take out sim card from the slot, clean it

4. Put the sim card back to the slot

5. Tighten the slot

6. Take the toilet paper, yes I say toilet paper because it was on my desk when I was trying to fix this

7. Try to tear the toilet paper and make it thicker by layering them

8. Make the toilet paper slightly same size(square) as the sim card slot

9. Put the toilet paper on top of the sim card slot and push in a bit

10. Put back your battery and press it little hard, the toilet paper will be underneath

11. Close the case

12. Switch on your phone

The phone works automagically, don't ask me why, it's really high tech fix if you ever encounter this issue.

Have fun with N900 again, by the way no fun since not much apps for it(Thank you Nokia), BUT it works as PHONE again!

Cheers ;]

p/s: By the way let me know if this solves your problem, I would like to hear about it!

Time to Kill Bill

noreply@blogger.com (C.S.Lee) — Sat, 17 Dec 2011 18:36:07 PST

For all Malaysia IT people, do read this and spread out the words, it's time to kill Bill, what Bill? Computing Professionals Bill 2011!

http://www.scribd.com/doc/75107593/CPB2011-Draft

Do read it in detail! Currently it is in drafting processing, thanks to my best pal - Mel to share this nonsense bill. By the way, if you have facebook, support this -

https://www.facebook.com/pages/Malaysians-Against-Board-of-Computing-Professionals-Bill/289002177811647

I will constantly update this post if there's any progress regarding the matter, voice out while you can regarding CPB2011 to the document below -

https://docs.google.com/document/d/14E05jHZKQA0y6rP07n2PYtR4obBLEpiiK7OO1iQQ0PA/edit?hl=en_US

Mosti has put up their latest working draft which you can find here -

http://www.mosti.gov.my/mosti/images/stories/pdf/2011/ruu_bcpm_v17.pdf?PHPSESSID=b5a0a3c0faa9f630065896d7694435a1

Please review it and make your voice loud and clear!

Some opinions from the individual who works in IT industry ;)

http://www.youtube.com/watch?v=lCDHiWh6Ky4&feature=channel_video_title

Petition!

https://www.change.org/petitions/mosti-stop-computing-professionals-bill-2011-cpb2011

Follow the Tweets regarding CPB2011

https://twitter.com/#!/search?q=%23CPB2011

Flip-flop, uncertainty?

http://www.themalaysianinsider.com/malaysia/article/it-bill-may-be-dumped-says-mosti/

Makes yourself certified criteria?

http://www.mncc.com.my/members.htm

Mosti is just facilitator?

http://www.lowyat.net/v2/index.php?option=com_content&task=view&id=5849&Itemid=1

Role model of CPB 2011, seriously?

http://allafrica.com/stories/201107061218.html

Interview of Malaysia Deputy Minister Of Science, Technology And Innovation, Datuk Fadillah Yusoft by Astro Awani, if only you know Malay Language -

https://www.facebook.com/photo.php?v=10150460323294820&set=vb.11726505964&type=2&permPage=1

From Tony Pua, member of Parliament -

http://www.youtube.com/watch?v=6ilM5bKokkw&feature=youtu.be

While they can't define what is CNII properly during open meeting, now they want to include more sectors in this undefined crap? Seriously if the government sector has failed to deliver security all these years, that means PRISMA that was initiated to protect government ICT agency by our government is a big failure(so much money wasted and now this)? By the way if you read carefully at the last few paragraphs, you will notice "What we can do at CyberSecurity Malaysia is to continue to provide more training and capability building in cyber security, says CyberSecurity malaysia Chieft Executive Officer(CEO) Lt Col Prof Datuk Husin Jazri."

To me, that basically sounds like if this bill is passed, he can make big money by selling training and certification program, now we know who is really pushing this AGENDA at the back ;)

http://thestar.com.my/news/story.asp?file=%2F2011%2F12%2F18%2Fnation%2F10119744&sec=nation

Discussion about CPB 2011 on BFM radio station -

http://bfm.my/geeksquawks_ep53.html

The TeAM(The Technopreneuers Association Of Malaysia) objects to CPB 2011 -

http://techcentral.my/news/story.aspx?file=/2011/12/14/it_news/20111214141030&sec=IT_News

Speak out loud, geeks!

http://thestar.com.my/news/story.asp?file=%2F2011%2F12%2F18%2Fnation%2F10105092&sec=nation

No cheers this time, F it!

Intel X520

noreply@blogger.com (C.S.Lee) — Mon, 05 Dec 2011 21:43:17 PST

I want this for my Christmas present ;]

http://www.intel.com/content/www/us/en/network-adapters/gigabit-network-adapters/ethernet-x520.html

I never thought 10G network adapter can go very cheap, really need to get one for development and testing!

Virtual PF_Ring

noreply@blogger.com (C.S.Lee) — Mon, 05 Dec 2011 06:22:04 PST

Ntop development team has always developed high performance packet capture solutions that I would like to take a look into it -

http://www.ntop.org/products/pf_ring/vpf_ring/

Virtual PF_RING can only be used with KVM, with this it will bypass many copy operations and capture packets in line rate. I think I will test it on my Linux box and see how it goes. By the way you need to donate to obtain it.

Cheers ;]

RIP - Dennis Ritchie

noreply@blogger.com (C.S.Lee) — Sun, 16 Oct 2011 06:07:02 PDT

Sorry for the belated one.

Nothing much I can say but truly from my heart - Rest In Peace, Mr. Dennis Ritchie.

FreeBSD: Ringmap Quick Testing

noreply@blogger.com (C.S.Lee) — Wed, 12 Jan 2011 20:22:07 PST

I have mentioned about FreeBSD ringmap here, and now I will share how I get ringmap installed quickly. As the developer of ringmap(Alex) has ported it to FreeBSD stable, here's what you can do -

Download FreeBSD 8.1 stable iso -

shell>wget -c ftp://ftp.jp.freebsd.org/pub/FreeBSD/snapshots/201011/FreeBSD-8.1-STABLE-201011-i386-disc1.iso

Install FreeBSD 8.1 stable on VirtualBox using the iso(Standard Install and make sure you include the source), you can do this quickly without issue if you are familiar with FreeBSD installation. The reason why I choose VirtualBox because VirtualBox can virtualize the following six types of networking hardware:

- AMD PCNet PCI II (Am79C970A)
- AMD PCNet FAST III (Am79C973, the default)
- Intel PRO/1000 MT Desktop (82540OEM)
- Intel PRO/1000 T Server (82543GC)
- Intel PRO/1000 MT Server (82545EM)
- Paravirtualized network adapter (virtio-net)

The ringmap implementation supports Intel 8254x network cards which you can find in the list above, therefore it's the ideal VM solution to use. Make sure you use any of the Intel 8254x in the list.

After I have FreeBSD stable installed on VirtualBox, then proceed to recompile the kernel without device em.

shell>cd /usr/src/sys/i386/conf
shell>mkdir /root/kernels
shell>cp GENERIC /root/kernels/RINGMAP
shell>ln -s /root/kernels/RINGMAP

Edit /root/kernels/RINGMAP by commenting out this line

# device em # Intel PRO/1000 Gigabit Ethernet Family

To recompile and install the custom kernel -

shell>cd /usr/src
shell>make buildkernel KERNCONF=RINGMAP
shell>make installkernel KERNCONF=RINGMAP

It will take a while and once you got it done, reboot the system. After the system is up, add these two lines to /etc/make.conf(if the file not exists, you can just create it) -

EM_RINGMAP=yes
LIBPCAP_RINGMAP=yes

Download ringmap source and install -

shell>fetch http://ringmap.googlecode.com/files/ringmap_freebsd_8.1_1.1.0.bz2
shell>tar xvjf ringmap_freebsd_8.1_1.1.0.bz2
shell>cd FreeBSD_8/scripts
shell>chmod 755 *
shell>./build_ringmap.sh

To enable the ringmap -

shell>./set_ringmap.sh

To make sure you can run any packet capture tool, you need to turn on monitor mode for the network interface -

shell>ifconfig em0 monitor up

For quick testing just run tcpdump and listen to em0 interface -

shell>tcpdump -ttttnni em0

That's all for ringmap testing, I haven't done any benchmarking yet until I get the real hardware for testing but you definitely can find more information about ringmap in its own page here -

http://code.google.com/p/ringmap/

Cheers (;])

Ubuntu: Daemonlogger

noreply@blogger.com (C.S.Lee) — Wed, 12 Jan 2011 03:43:48 PST

To install daemonlogger on Ubuntu 10.10, you can follow me here -

Install all the required dependencies -

shell>sudo apt-get install libpcap-dev libdumbnet1 libdumbnet-dev

As the libdnet files are renamed to dumb names, we need to create soft link for them so that daemonlogger can find them, otherwise you can install libdnet from source which I want to avoid here -

shell>cd /usr/lib

shell>sudo ln -s libdumbnet.a libdnet.a

shell>sudo ln -s libdumbnet.so libdnet.so

shell>sudo ln -s libdumbnet.so.1.0.1 libdnet.so.1.0.1

shell>sudo ln -s libdumbnet.so.1 libdnet.so.1

shell>sudo ln -s libdumbnet.la libdnet.la

shell>cd /usr/include/

shell>sudo ln -s dumbnet.h dnet.h

Install daemonlogger -

shell>wget -c http://www.snort.org/users/roesch/code/daemonlogger-1.2.1.tar.gz

shell>tar xvzf daemonlogger-1.2.1.tar.gz

shell>cd daemonlogger-1.2.1

shell>./configure

shell>make

shell>sudo make install

There you go, now you have daemologger installed on Ubuntu and ready to capture packets.

Enjoy (;])

Happy New Year 2011

noreply@blogger.com (C.S.Lee) — Fri, 31 Dec 2010 18:51:00 PST

Good bye 2010, and here comes 2011!

Happy new year everyone, and hopefully myself will be more active in blogging this year!

Cheers & Enjoy (;])

FreeBSD: High Performance Packet Capture

noreply@blogger.com (C.S.Lee) — Thu, 23 Dec 2010 23:38:20 PST

I'm not sure how many of you have heard about this project, however I found FreeBSD ringmap implementation when I was googling and it seems to be interesting to me, I suggest you visit the link and read up the documentation/presentation.

I'm going to try it out whenever possible, right now it is ported to FreeBSD 8.1 stable, you can actually download the source code and test it out yourself.

http://code.google.com/p/ringmap/

You can also find a lot of information about high performance packet capture from the link below as well, I usually use the setting that is recommended over there for my FreeBSD sensor setup.

http://www.net.t-labs.tu-berlin.de/research/hppc/

By the way, FreeBSD already has zero copy bpf implemented, thanks to Robert Watson for that since he has done a lot of background works on it. To know more about zero copy bpf you can check the presentation slide here -

http://www.watson.org/~robert/freebsd/2007asiabsdcon/20070309-devsummit-zerocopybpf.pdf

Cheers (;])

FreeBSD: Virtual Network Switch

noreply@blogger.com (C.S.Lee) — Thu, 23 Dec 2010 23:19:42 PST

In the previous post, I have mentioned about I'm going to cover Open vSwitch and Vde implementation. However I think it is also interesting to cover how you can setup virtual switch with FreeBSD native system. As we all know bridging is actually software switching, therefore we can make use of bridge interface to achieve this. I will explain the 6 ports virtual network switch setup that is illustrated in the diagram below -

shell>ifconfig bridge0 create

shell>ifconfig tap0 create

shell>ifconfig tap1 create

shell>ifconfig tap2 create

shell>ifconfig tap3 create

shell>ifconfig tap4 create

shell>ifconfig tap5 create

shell>ifconfig bridge0 addm tap0 addm tap1 addm tap3 addm tap4 addm tap5 up

By now you have exact setup like what is shown in the diagram above, to make it permanent/persistent you need to add the following lines to /etc/rc.conf -

cloned_interfaces="bridge0 tap0 tap1 tap2 tap3 tap4 tap5"
ifconfig_bridge0="addm tap0 addm tap1 addm tap2 addm tap3 addm tap4 addm tap5 up"

Also add the following lines to /etc/sysctl.conf -

net.link.tap.up_on_open=1
net.link.tap.user_open=1

Once you have everything done, you can check if it is setup properly -

shell>ifconfig bridge0
bridge0: flags=8843 metric 0 mtu 1500
ether 0e:a5:28:73:f9:3b
id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
member: tap5 flags=143
ifmaxaddr 0 port 9 priority 128 path cost 2000000
member: tap4 flags=143
ifmaxaddr 0 port 8 priority 128 path cost 2000000
member: tap3 flags=143
ifmaxaddr 0 port 7 priority 128 path cost 2000000
member: tap2 flags=143
ifmaxaddr 0 port 6 priority 128 path cost 2000000
member: tap1 flags=143
ifmaxaddr 0 port 5 priority 128 path cost 2000000
member: tap0 flags=143
ifmaxaddr 0 port 4 priority 128 path cost 2000000

To undo everything, just run

shell>ifconfig bridge0 deletem tap0 deletem tap1 deletem tap2 deletem tap3 deletem tap4 deletem tap5

shell>ifconfig tap0 destroy

shell>ifconfig tap1 destroy

shell>ifconfig tap2 destroy

shell>ifconfig tap3 destroy

shell>ifconfig tap4 destroy

shell>ifconfig tap5 destroy

The setup is complete, in the next blog post, I will talk about how you can setup similar virtual switch using FreeBSD ng_bridge implementation. Plus releasing the FreeBSD VM for you to try out the setup yourself.

Enjoy (;])

Virtual Network Switch

noreply@blogger.com (C.S.Lee) — Fri, 17 Dec 2010 02:26:44 PST

Many people have talked about hypervisor, and playing around with virtual machines. There are many solutions available today, either open source or commercial one. We have VMware, Xen, Virtualbox, Qemu, KVM, Parallel, Virtual PC, and others that I may not know.

What I would like to discuss here is virtual network switching, many of us have used a piece of hardware call network switch, which allows the end point to talk to each other. For the hardware network switch, we have many companies that are producing it, for example Cisco, Juniper, 3Com, DLink, NetGear and etc.

The virtual machine lives inside single operating system, which means we can have many virtual machines running inside a piece of hardware, so with virtual network switch we also can run many network switches inside a piece of hardware, and using them to connect virtual machines, and get them to talk to each other.

However, how many solutions are there for virtual network switch? As far as I know, not many. Cisco has produced one which is called Cisco Nexus 1000 Series. If you do know any other commercial solution, please comment.

How about open source solution for that? Yes, here are two that I found very interesting, again if you know any other open source solution, please let me know.

- Open vSwitch
- Vde

This is just simple writeup for what I'm going to cover in the future which I will discuss about how you can setup virtual network switch, and leverage on them. Most of my posts will be discussing about both Open vSwitch and Vde while Virtualbox and Qemu will be used to connect to the switch.

Enjoy (;])

Virtualization Insanity

noreply@blogger.com (C.S.Lee) — Wed, 15 Dec 2010 21:29:04 PST

I have been poking around with virtualization technologies, and this is one of the screenshot I have taken when multiple qemu vm talking to multiple virtualbox vm.

I will cover a lot about this topic soon, for my own note, and also for sharing purpose.

Cheers ;]

4REN6 VM Mirror

noreply@blogger.com (C.S.Lee) — Wed, 15 Dec 2010 05:13:07 PST

Thanks to Digital Forensics Framework(DFF) team to provide mirror for 4REN6 vm where you can find here -

http://ftp.digital-forensic.org/mirror/4ren6.radiobandit.org/

I'm still looking for more download mirrors, please let me know if you can host it.

Enjoy ;]

Cloud Technology

noreply@blogger.com (C.S.Lee) — Wed, 15 Dec 2010 03:07:03 PST

I need to tag this post as it contains the list of Cloud solutions so I can check them out whenever necessary -

http://slash4.de/tutorials/Cloud_computing_technologies_overview_and_comparison

Cheers ;]

Virtualization tools

noreply@blogger.com (C.S.Lee) — Tue, 14 Dec 2010 03:40:37 PST

I mentioned about ovftool in my previous post, and I also found xenconvert here -

http://www.citrix.com/lang/English/lp/lp_1688624.asp

By the way another fun tool to mention is imvirt which you can find here -

http://micky.ibh.net/~liske/imvirt.html

Enjoy ;]

Good Reference For Linux /dev

noreply@blogger.com (C.S.Lee) — Tue, 14 Dec 2010 03:37:05 PST

I came across this link while playing around with tun/tap device in Linux, and it's worth sharing -

http://www.lanana.org/docs/device-list/devices-2.6+.txt

You can use mknod to play around with the /dev on Linux, for tun/tap you can use tunctl or openvpn to create them.

Enjoy ;]

sFlow Resources

noreply@blogger.com (C.S.Lee) — Tue, 14 Dec 2010 01:21:55 PST

I need to keep track of what I have read and tested, currently I'm looking into sFlow stuffs for network visibility. If you are interested about sFlow as well, feel free to check out the links below -

http://www.ietf.org/rfc/rfc3176.txt

http://www.sflow.org/SFLOW-DATAGRAM5.txt

http://www.juniper.net/techpubs/en_US/junos9.3/topics/example/sflow-configuring-ex-series.html

If you have more sFlow stuffs to share, feel free to comment.

Cheers ;]

VMware ovftool

noreply@blogger.com (C.S.Lee) — Wed, 08 Dec 2010 07:11:08 PST

I just found out this tool and want to keep track of it, it's best to just post in my blog so that I can search through it next time, basically it is a command-line utility that allows you to import and export OVF packages to and from a wide variety of VMware platform products.

http://www.vmware.com/support/developer/ovf/

Cheers ;]

4REN6 VM Download

noreply@blogger.com (C.S.Lee) — Tue, 30 Nov 2010 07:58:59 PST

Finally ...

Thanks to Niresh for hosting 4REN6 VM. Now you can download the VM via

http://4ren6.radiobandit.org/

If you would like to help out by hosting the VM for download, please let me know. I will update the VM once Ubuntu releases version 10.10. If you try out the VM and have any feature request, feel free to email me.

Cheers ;]