Stephen Reese

Network Traffic Capture in Virtual Enviroments

2018-01-15T12:00:00-05:00

This post demonstrates how you mirror interfaces on a virtual private server (VPS) in a cloud environment, e.g. virtual machine (VM) on a hypervisor where you do not have access to network or virtualization infrastructure where a network TAP or SPAN port would be available. This technique is used to forward packets to a collection point for aggregation and/or analysis. A scenario may be monitoring network traffic for security threats with a central security stack running tools such a Snort, Suricata and/or Bro IDS. Example cloud providers are Linode, Digital Ocean and AWS.

While a single network interface will work and is used in our examples, the client node being monitored should have two network interfaces, one for production traffic and the second interface for sending traffic to your collection node, e.g. your cloud based security stack or where you want to store the packet captures. This is for performance reasons as you are essentially doubling the traffic on a single interface. You will need to be cognizant of the amount of data you are sending to your aggregation point (collection node) as it may become saturated as well if you send traffic from too many client nodes that exceed the collection node interface capacity. Sending traffic from 20 client nodes with 1Gbs interfaces to one capture node that has a 10Gbs will obviously drop packets depending on how much traffic is being forwarding from clients. Note that many providers do provide greater bandwidth internally, e.g. support 1Gbs public interfaces but 10+Gbs internally. Another mitigation would be shape the traffic using tc or something similar in order minimize this from the client nodes. You must also consider either encrypting the tunnel using IPSec or using a trusted transport network. We do not address the security or performance implications in this post but instead its implementation.

We will provide three examples using IPTables and two using tc (Traffic Control) over both VXLAN and GRE tunnels. The examples are performed on Ubuntu 16.04 hosts in AWS. From my experiments, I found VXLAN (example four) to be quite useful in that I did not have to specify remote endpoints on the collection node. This allows multiple clients to forward traffic over a multiple tunnels to one collection node interface which allows for easy capture and analysis. GRE tunnels are point-to-point which make capture and aggregation a difficult task for many client nodes which result in an interface per tunnel. If you are aware of a workaround for this, please let me know.

The first example is the easiest to configure but has a caveat that MAC addresses will appear from the client tunnel interface verse the actual source interface due to IPTables. This may be okay for one off usage but if using for a large deployment you will likely want the hardware address for performing analysis and traceability from the interface traffic is traversing verse having to track which virtual interface is associated with which client node.

Create VXLAN tunnel on collection node. VXLAN is used in this example but we will provide a second IPTables example where GRE is used

ip link add name vxlan42 type vxlan id 42 dev eth0 local 172.31.108.76 dstport 4789
ip address add 172.20.100.10/24 dev vxlan42
ip link set up vxlan42

Create VXLAN tunnel on client to collection node

ip link add name vxlan42 type vxlan id 42 dev eth0 local 172.31.102.153 remote 172.31.108.76 dstport 4789
ip address add 172.20.100.1/24 dev vxlan42
ip link set up vxlan42

Use IPTables on client node to forward traffic over tunnel to the collection node

iptables -I PREROUTING -t mangle -j TEE --gateway 172.20.100.10
iptables -I POSTROUTING -t mangle -j TEE --gateway 172.20.100.10
iptables -A POSTROUTING -t mangle -p tcp --tcp-flags SYN,RST SYN -o tun0 -j TCPMSS --clamp-mss-to-pmtu

On the collection node you will now see all the traffic traversing eth0 on the client node using a tool such as tcpdump, e.g. tcpdump -i tun0 -en. You can filter using IPTables on the client node in order to reduce traffic sent to collection node, e.g. only send traffic you care about storing or analyzing.

The second example uses gretap GRE tunnel but we have to establish a point-to-point link which requires multiple interfaces on the collection node if we want to support multiple client nodes. As you can imagine, if you had ten client nodes you were trying to capture from, you need to listen to ten interfaces, not a great solution for security monitoring. This solution allows us to maintain the MAC header over a GRE tunnel but in this example, we are still using IPTables to forward traffic over the tunnel therefore the MAC header is still associated with the tunnel verse actual interface as discussed in the first example.

Create GRE tunnel on collection node

ip link add tun0 type gretap local 172.31.108.76 remote 172.31.102.153
ip link set tun0 up
ip addr add 172.20.100.10/24 dev tun0

Create tunnel on client to collection node

ip link add tun0 type gretap local 172.31.102.153 remote 172.31.108.76
ip link set tun0 up
ip addr add 172.20.100.2/24 dev tun0

Use IPTables on client node to forward traffic over tunnel to the collection node

iptables -I PREROUTING -t mangle -j TEE --gateway 172.20.100.10
iptables -I POSTROUTING -t mangle -j TEE --gateway 172.20.100.10
iptables -A POSTROUTING -t mangle -p tcp --tcp-flags SYN,RST SYN -o tun0 -j TCPMSS --clamp-mss-to-pmtu

The third example uses an ip tunnel GRE point-to-point link which requires multiple interfaces on the collection node if we want to support multiple client nodes just as the case in the above gretap example. I am including this as some folks may not care about including the MAC header and the lack of it may provide a small performance improvement as the overall packet size is reduced.

Create GRE tunnel on collection node

modprobe ip_gre
lsmod | grep ip_gre
ip tunnel add tun0 mode gre local 172.31.108.76 remote 172.31.102.153 ttl 255
ip link set tun0 up
ip addr add 172.20.100.10/24 dev tun0

Create tunnel on client to collection node

modprobe ip_gre
lsmod | grep ip_gre
ip tunnel add tun0 mode gre local 172.31.102.153 remote 172.31.108.76 ttl 255
ip link set tun0 up
ip addr add 172.20.100.2/24 dev tun0

Use IPTables on client node to forward traffic over tunnel to the collection node

iptables -I PREROUTING -t mangle -j TEE --gateway 172.20.100.10
iptables -I POSTROUTING -t mangle -j TEE --gateway 172.20.100.10
iptables -A POSTROUTING -t mangle -p tcp --tcp-flags SYN,RST SYN -o tun0 -j TCPMSS --clamp-mss-to-pmtu

The fourth example uses tc in order to capture and forward traffic. tc offers a very rich set of tools for managing and manipulating the transmission of packets. We can forward packets or flows of our choice over the tunnel to the analysis node. In researching how to setup remote sensors in cloud computing environments, I learned that tc will not readily forward egress traffic over a tunnel interface. The solution is to forward the traffic we care about to our loopback adapter, then forward the ingress loopback traffic flow to the tunnel so we are then able to see the ingress and egress packets on our collection node. The use of tc allows us to maintain our original MAC header where as IPTables did not. For this example we start again using VXLAN which allows us to send multiple client tunnels to one interface on our collection node. A win for easily aggregating and analyzing traffic from multiple client nodes on one collection node.

Capture node

ip link add name vxlan42 type vxlan id 42 dev eth0 local 172.31.108.76 dstport 4789
ip address add 172.20.100.10/24 dev vxlan42
ip link set up vxlan42

Sending node

ip link add name vxlan42 type vxlan id 42 dev eth0 local 172.31.102.153 remote 172.31.108.76 dstport 4789
ip address add 172.20.100.2/24 dev vxlan42
ip link set up vxlan42

Send ingress traffic to tunnel

tc qdisc add dev eth0 ingress
tc filter add dev eth0 parent ffff: \
    protocol all \
    u32 match u8 0 0 \
    action mirred egress mirror dev vxlan42

Since loops are not hard to create in the egress qdiscs, we push to loopback and then the tunnel

tc qdisc add dev eth0 handle 1: root prio
tc filter add dev eth0 parent 1: \
    protocol all \
    u32 match u8 0 0 \
    action mirred egress mirror dev lo

Select all traffic

tc qdisc add dev lo ingress
tc filter add dev lo parent ffff: \
    protocol all u32 \
    match u8 0 0 \
    action mirred egress mirror dev vxlan42

Then drop VXLAN traffic so we do not see it again on the collection node

tc filter add dev lo parent ffff: \
   protocol ip u32 \
   match ip dst 172.31.108.76/32 \
   match ip dport 4789 0xffff \
   action drop

The fifth and last example uses gretap along with tc. This allows us to maintain the MAC header over a GRE tunnel but in this example, remember we are still using IPTables therefore the MAC header is still associated with the tunnel verse actual interface.

Create GRE tunnel on collection node

ip link add tun0 type gretap local 172.31.108.76 remote 172.31.102.153
ip link set tun0 up
ip addr add 172.20.100.10/24 dev tun0

Create tunnel on client to collection node

ip link add tun0 type gretap local 172.31.102.153 remote 172.31.108.76
ip link set tun0 up
ip addr add 172.20.100.2/24 dev tun0

Send ingress traffic to tunnel

tc qdisc add dev eth0 ingress
tc filter add dev eth0 parent ffff: \
    protocol all \
    u32 match u8 0 0 \
    action mirred egress mirror dev tun0

Since loops are not hard to create in the egress qdiscs, we push to loopback and then the tunnel

tc qdisc add dev eth0 handle 1: root prio
tc filter add dev eth0 parent 1: \
    protocol all \
    u32 match u8 0 0 \
    action mirred egress mirror dev lo

Select all traffic

tc qdisc add dev lo ingress
tc filter add dev lo parent ffff: \
    protocol all u32 \
    match u8 0 0 \
    action mirred egress mirror dev tun0

Then drop GRE traffic so we do not see it again on the collection node

 tc filter add dev lo parent ffff: \
    protocol ip u32 \
    match ip dst 172.31.108.76/32 \
    match ip protocol 0x2f 0xff \
    action drop

There you have it. Please leave a comment if you have any questions.

Network Traffic Capture on Linux using OpenvSwitch

2017-10-25T12:00:00-04:00

This post demonstrates how you can mirror interfaces on a Linux server in an environment where you may not have physical network taps or SPAN ports. We can use OpenvSwitch in order to forward traffic between nodes, even if we are not using virtualization. Each node being monitored needs two interfaces, one for production traffic and the other being an internal or mirrored interface where you send traffic to be aggregated and analyzed by your cloud based security stack. You will need to be cognizant of the amount of data you are sending to your aggregation point as it may become saturated if you send traffic from multiple nodes that exceeds the receiving nodes capacity.

On VM to have a monitored interface:

Ensure the host has two network interfaces and determine which one is production verse management. The management interface will be used to send traffic to your aggregation or collection node as previously described above. For this example, eth0 and eth1 are production and management respectively.

Install OpenvSwitch:

$ sudo apt-get install openvswitch-switch

Bring up the secondary interface, we will use this as the bridge interface, i.e. the interface that sends mirrored eth0 traffic:

$ sudo ifconfig eth1 172.31.3.110 netmask 255.255.240.0

Configure bridge and set remote IP to your collection node which is a different network (interface) then that which is being mirrored:

$ sudo ovs-vsctl add-br br0
$ sudo ovs-vsctl add-port br0 eth1
$ sudo ovs-vsctl add-port br0 gre0 -- set interface gre0 type=gre options:remote_ip=172.31.10.151 -- --id=@p get port gre0 -- --id=@m create mirror name=m0 select-all=true output-port=@p -- set bridge br0 mirrors=@m

The following steps will disconnect you from eth0 so may be ideal to connect to eth1 at this point or respectively your bridge interface. Null the network address to be mirrored and set the IP to that of the bridge interface as well as updating the gateway. We also assign the bridge interface to the MAC address of eth0 as some environments may not allow traffic to/from interfaces hardware addresses they do not know about.

$ sudo ifconfig br0 172.31.11.64 netmask 255.255.240.0 
$ sudo ifconfig eth0 0
$ sudo ifconfig br0 hw ether 0a:74:0c:89:fb:70
$ sudo route add default gw 172.31.0.1 br0

We can now view the mirrored traffic on the host defined at the remote IP, packets are encapsulated but you may see protocol unreachable ICMP messages. This is because br0 drops responses. The next step fixes this by completing/terminating the tunnel on the remote host which will unencapsulate the GRE tunnel. Here, we again use eth0 and eth1 as production and management networks but we do not have to. We could just have one interface that accepts traffic from the clients forwarding us their network traffic but if it becomes saturated it may be difficult to connect to the host.

$ sudo ifconfig eth1 172.20.1.7 netmask 255.255.255.240
$ sudo modprobe ip_gre
$ sudo lsmod | grep ip_gre
$ sudo ip tunnel add mon0 mode gre local 172.20.1.7 remote 
$ sudo ip addr add 1.1.1.1/30 dev mon0
$ sudo ip link set mon0 up

Now you can monitor interface mon0 using tools like tcpdump or simply capture network traffic for retroactive analysis.

If you need to, remove the bridge and port using the following commands:

$ sudo ovs-vsctl clear bridge br0 mirrors
$ sudo ovs-vsctl del-port br0 gre0

Benchmarking Websites with ab and tsung

2017-10-10T12:00:00-04:00

Everyone enjoys responsive websites and being that I host a few, look for ways to improve their speed. Previously, I was interested in, HTTP, HTTPS, and HTTP/WAF, I now primarily focus on HTTPS. Browsers and third-party online services may be used in order to benchmark page performance but began to look at other solutions. Two online services are Pingdom Website Speed Test and PageSpeed Insights.

The first tool I leveraged was Apache Bench, commonly known as ab. This allows me to run a quick test in order to determine the max requests per second (req/s). While fun, it is not a practical metric as there a a number of factors that must be considered when benchmarking a web-service and understanding where weaknesses may present themselves.

HTTPS requests with keep-alives, connection reuse provides significant speedup:

$ ab -k -n 60000 -c 100 -f TLS1.2 -H "Accept-Encoding: gzip,deflate" https://www.rsreese.com/web-stack/
This is ApacheBench, Version 2.3 <$Revision: 1757674 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/

Server Software:        nginx
Server Hostname:        www.rsreese.com
Server Port:            443
SSL/TLS Protocol:       TLSv1.2,ECDHE-RSA-AES256-GCM-SHA384,2048,256
TLS Server Name:        www.rsreese.com

Document Path:          /web-stack/
Document Length:        2575 bytes

Concurrency Level:      100
Time taken for tests:   7.124 seconds
Complete requests:      60000
Failed requests:        0
Keep-Alive requests:    59447
Total transferred:      220557235 bytes
HTML transferred:       154500000 bytes
Requests per second:    8422.57 [#/sec] (mean)
Time per request:       11.873 [ms] (mean)
Time per request:       0.119 [ms] (mean, across all concurrent requests)
Transfer rate:          30235.32 [Kbytes/sec] received

Connection Times (ms)
              min  mean[+/-sd] median   max
Connect:        0    1   8.0      0     172
Processing:     0   11   5.5     11      55
Waiting:        0   11   5.4     10      45
Total:          0   12  10.5     11     203

Percentage of the requests served within a certain time (ms)
  50%     11
  66%     13
  75%     15
  80%     16
  90%     18
  95%     21
  98%     26
  99%     28
 100%    203 (longest request)

While Apache Bench provides a quick analysis of some of our page speed, tsung is benchmark tool that can provide additional performance insights through its advanced configuration options. The configuration states that we are running tsung locally, the target host, the interval for this phase (yes, you can have more), user agent in which we have two with a ratio defined, and finally the session, which in this case will cause tsung to send as many requests as it can. Again, this is not realistic, just fun.

<?xml version="1.0"?><tsung loglevel="notice" version="1.0">
  <clients>
    <client host="localhost" use_controller_vm="true" maxusers="10000"/>
  </clients>
  <servers>
<server host="www.rsreese.com" port="443" type="ssl"/>
</servers>
  <load>
  <arrivalphase phase="1" duration="1" unit="minute">
     <users maxnumber="10000" interarrival="0.05" unit="second"/>
   </arrivalphase>
</load>
  <options>
   <option type="ts_http" name="user_agent">
    <user_agent probability="80">Mozilla/5.0 (Windows NT 6.1; rv:34.0) Gecko/20100101 Firefox/34.0</user_agent>
    <user_agent probability="20">Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36</user_agent>
   </option>
  </options>
 <sessions>
<session name="web-stack" probability="100" type="ts_http">
   <for from="1" to="10000" var="i">
    <request><http url="/web-stack/" version="1.1" method="GET"/></request>
   </for>
  </session>
 </sessions>
</tsung>

Run tsung and generate the reports. Optionaly, multiple reports can be combined. You may have to sudo depending your systems permissions.

$ tsung -f origin.xml start
$ cd results-directory
$ /usr/lib/tsung/bin/tsung_stats.pl
$ tsplot "HTTP" 20150418-1658/tsung.log "HTTPS" 20150418-1712/tsung.log -d combine2/

tsung provides useful reports and graphics. For the sake of brivety, I will not include the report but just a few charts.

With this baseline, you can tailor the tsung configuration to include phases of increasing user load along with multiple pages and actions. See the tsung documention for details and leave a comment below if you have any questions about this post.

Detecting Tor traffic with Bro network traffic analyzer

2016-01-16T12:00:00-05:00

This entry is a post in a series in order to identify Tor (the onion router) network traffic and usage using Bro Network Security Monitor. To learn more about both projects, please visit the aforementioned links. This post is not to argue the merits of allowing Tor to run on a network. Due to malware variants taking advantage of Tor for its botnet command and control (C2), I wanted to be able to effectively identify Tor usage in hopes of identifying hosts that may be using Tor for C2 purposes.

A method folks often use to identify communication with Tor relays is to compare the current list of known Tor servers with the traffic from their network. While this does work, some relays may host other legitimate services which could introduce false-positives. The goal was to find a method to augment the parsing network traffic for Tor server matches which is sometimes done retrospectively.

If we take a look at the Tor certificates, we see an interesting pattern for the Issuer and Subject ID form a pattern.

Using tshark, it the Issuer and Subject ID patterns are a little more apparent.

$ tshark -r tor.pcap -T fields -R "ssl.handshake.certificate" -e x509af.utcTime -e x509sat.uTF8String 
13-10-15 00:00:00 (UTC),14-02-11 23:59:59 (UTC) www.axslhtfqq.com,www.hkkch64skp7am.net
13-12-30 18:32:48 (UTC),14-12-30 18:32:48 (UTC) www.igdpzct5tauwgyqs.com,www.4tdznzbrfuv.net
13-10-04 00:00:00 (UTC),14-04-22 00:00:00 (UTC) www.3pxivyds.com,www.nolspqtib3ix.net
13-11-17 00:00:00 (UTC),14-06-22 00:00:00 (UTC) www.3pzqe4en5.com,www.glk3fwiz6.net
13-06-19 00:00:00 (UTC),14-04-20 00:00:00 (UTC) www.5orbut4ufhohm5rlj47.com,www.orutxjqwf.net
13-06-15 00:00:00 (UTC),14-02-04 00:00:00 (UTC) www.7wdf4rkj5mew.com,www.sd5mkmsmo.net
13-11-19 00:00:00 (UTC),14-02-05 23:59:59 (UTC) www.75ba5lymxpbhw3a2kb.com,www.rnspic4yus5crf6w.net
13-12-30 19:54:02 (UTC),14-12-30 19:54:02 (UTC) www.s5rc22gpzrwt4e.com,www.qzsg2ioaoplbs2gaha5.net
13-08-12 00:00:00 (UTC),14-04-16 23:59:59 (UTC) www.2fwld67ac2.com,www.6suxdq3miwwewq4.net
13-12-18 00:00:00 (UTC),14-02-14 23:59:59 (UTC) www.npmxal2ohuefme26yf.com,www.c7kriuquvh.net
13-10-18 00:00:00 (UTC),14-06-16 00:00:00 (UTC) www.s426lumoi7.com,www.ouzbot23a6lw3vvmszx.net
13-12-31 00:00:00 (UTC),14-02-01 23:59:59 (UTC) www.vywbff5wkza6npkd5l.com,www.ugdrrog5ro5wdfddj.net
13-11-27 00:00:00 (UTC),14-08-13 00:00:00 (UTC) www.ozsx22b4nda.com,www.lr7s5k3n6ber.net
13-03-31 00:00:00 (UTC),14-01-06 23:59:59 (UTC) www.plgx26wgyroot37x3ysj.com,www.xwx5gpj5t2msq3.net
13-12-18 00:00:00 (UTC),14-02-20 00:00:00 (UTC) www.gempmzrnwnk.com,www.6lrz7wtwprz.net
13-08-16 00:00:00 (UTC),14-01-26 23:59:59 (UTC) www.rxy4jiw4wk.com,www.g66mipkcyhjwumywk4h.net
13-12-30 19:07:41 (UTC),14-12-30 19:07:41 (UTC) www.o5qzqtbs.com,www.bnymkm3nk7jtz3.net
13-07-27 00:00:00 (UTC),14-01-18 00:00:00 (UTC) www.rtqtkopfct767ai.com,www.facp2b2y5wjffbo5ioy.net
13-09-09 00:00:00 (UTC),14-02-26 00:00:00 (UTC) www.lvv4l6sx3qafei2s5u.com,www.vznlngjz7a2fpg.net
13-12-21 00:00:00 (UTC),14-02-08 00:00:00 (UTC) www.mbrdx4tz2ob5wlvazlr.com,www.shxl35n3zt.net
13-12-12 00:00:00 (UTC),14-01-15 00:00:00 (UTC) www.4jvdpoo5wcklhd3usu.com,www.f4uxyorx2h.net
13-10-17 00:00:00 (UTC),14-05-05 00:00:00 (UTC) www.zcgg5yiwzajal4.com,www.55a4kx5jrqxezvk.net
13-05-18 00:00:00 (UTC),14-04-07 23:59:59 (UTC) www.3eexfeaw.com,www.iedhzej4tie4egm.net
13-12-23 00:00:00 (UTC),14-01-22 23:59:59 (UTC) www.5m6ywj2w7zs.com,www.iolbr3jbfs.net
13-03-09 00:00:00 (UTC),14-01-01 23:59:59 (UTC) www.hbwpqbx4zimtptui.com,www.77wneeix55t.net
13-12-26 00:00:00 (UTC),14-04-19 00:00:00 (UTC) www.pxznjv3t75.com,www.wuqq77l634eogfm.net
13-12-07 00:00:00 (UTC),14-03-17 23:59:59 (UTC) www.6pp7bfbdywvcaicqmfq.com,www.g6oa3qdobmdgl5tprm.net
13-12-30 19:42:49 (UTC),14-12-30 19:42:49 (UTC) www.twngp3xrqgo4p.com,www.znskvp5k5pns22y2.net
13-02-14 00:00:00 (UTC),14-01-14 00:00:00 (UTC) www.spx5a4e5eyhkdtpt2xj.com,www.6phyovjhggkfm.net

So with this knowledge I started looking to see if there were any current methods of identifying the anomalous certificate identifiers. Lucky for Bro users, Seth Hall created a detect-tor.bro script to do just that. I downloaded the latest Bro 2.4 source package and built it on my Ubuntu VM. I also pulled down the aforementioned detect-tor.bro script. I was greeted with a warning and did not see the expected logs:

$ sudo /usr/local/bro/bin/bro -r tor.pcap detect-tor.bro
warning in /usr/local/bro/share/bro/base/misc/find-checksum-offloading.bro, line 54: Your trace file likely has invalid TCP checksums, most likely from NIC checksum offloading.  By default, packets with invalid checksums are discarded by Bro unless using the -C command-line option or toggling the 'ignore_checksums' variable.  Alternatively, disable checksum offloading by the network adapter to ensure Bro analyzes the actual checksums that are transmitted.

This was quickly fixed by including the -C toggle in order to ignore checksums.

$ sudo /usr/local/bro/bin/bro -C -r tor.pcap detect-tor.bro

After parsing the Tor traffic collected via Wireshark or tcpdump, Bro should have generated some logs. At first glace, we see an alert from the detect-tor.bro script. While the event is pretty self explanatory, note the destination IP addresses are not included because Tor will usually have multiple servers, i.e. destination IP addresses.

$ more notice.log
#separator \x09
#set_separator  ,
#empty_field    (empty)
#unset_field    -
#path   notice
#open   2014-01-03-14-12-05
#fields ts      uid     id.orig_h       id.orig_p       id.resp_h       id.resp_p       fuid    file_mime_type  file_desc       proto   note    msg     sub     src  dst      p       n       peer_descr      actions suppress_for    dropped remote_location.country_code    remote_location.region  remote_location.city    remote_locatio
n.latitude      remote_location.longitude
#types  time    string  addr    port    addr    port    string  string  string  enum    enum    string  string  addr    addr    port    count   string  table[enum]  interval bool    string  string  string  double  double
1388434821.597322       -       -       -       -       -       -       -       -       -       DetectTor::Found        10.0.0.126 was found using Tor by connecting t
o servers with at least 10 unique weird certs   -       10.0.0.126      -       -       -       bro     Notice::ACTION_LOG      3600.000000     F       -       -    --       -
#close  2014-01-03-14-12-05

We can cut down column noise by specifying only what we want to see:

$ cat notice.log|/usr/local/bro/bin/bro-cut -c -d note msg src dst actions suppress_for dropped
#separator \x09
#set_separator  ,
#empty_field    (empty)
#unset_field    -
#path   notice
#open   2014-01-03-14-12-05
#fields note    msg     src     dst     actions suppress_for    dropped
#types  string  string  addr    addr    table[enum]     interval        bool
DetectTor::Found        10.0.0.126 was found using Tor by connecting to servers with at least 10 unique weird certs     10.0.0.126      -       Notice::ACTION_LOG   3600.000000      F

After seeing the alert in the notice.log, we look in the ssl.log file as well in order to determine what traffic caused the alert to fire.

$ more ssl.log
#separator \x09
#set_separator  ,
#empty_field    (empty)
#unset_field    -
#path   ssl
#open   2014-01-03-14-12-05
#fields ts      uid     id.orig_h       id.orig_p       id.resp_h       id.resp_p       version cipher  server_name     session_id      subject issuer_subject  not_va
lid_before      not_valid_after last_alert      client_subject  client_issuer_subject
#types  time    string  addr    port    addr    port    string  string  string  string  string  string  time    time    string  string  string
1388434821.514935       CwRHlF31djcMrO7Z98      10.0.0.126      51191   199.36.221.196  9001    TLSv10  TLS_DHE_RSA_WITH_AES_256_CBC_SHA        www.wplgkqpnteb.com  -CN=www.ri6ufvqioii5se5tzbgt.net CN=www.dyyp6enzivlm46.com       1388447336.000000       1419983336.000000       -       -       -
1388434821.482053       Ck1Mgy4ubChMFyneFc      10.0.0.126      38946   198.27.97.223   443     TLSv10  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA      www.p65b.com    -    CN=www.hkkch64skp7am.net CN=www.axslhtfqq.com    1381809600.000000       1392181199.000000       -       -       -
1388434821.533291       CZOEio3mxlQgpmVD2i      10.0.0.126      36715   149.9.0.60      9001    TLSv10  TLS_DHE_RSA_WITH_AES_256_CBC_SHA        www.dpvdl3n6yzwv.com -CN=www.anojueopqlpgsj.net       CN=www.u2rsltgpogir6t.com       1384405200.000000       1398830399.000000       -       -       -
1388434821.484476       CnU0VyJcJHaeCaxh8       10.0.0.126      49341   66.18.12.197    443     TLSv10  TLS_DHE_RSA_WITH_AES_256_CBC_SHA        www.6kyx72vjlrwxcmxnj4
we7n.com        -       CN=www.4tdznzbrfuv.net  CN=www.igdpzct5tauwgyqs.com     1388446368.000000       1419982368.000000       -       -       -
1388434821.484255       Cc00yR3kKWb2GstwXf      10.0.0.126      40742   64.62.249.222   443     TLSv10  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA      www.de5v2whiex3xxy.com
        -       CN=www.glk3fwiz6.net    CN=www.3pzqe4en5.com    1384664400.000000       1403409600.000000       -       -       -
1388434821.583284       CuVFNK14saFKjGVhfh      10.0.0.126      54393   50.115.122.68   9001    TLSv10  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA      www.ojj4rbje7z7.com  -CN=www.qexiojanju56.net CN=www.nnfslkrseh.com   1387342800.000000       1390280400.000000       -       -       -
1388434821.482585       CROLl5Vd0jUzvvwn        10.0.0.126      46797   212.83.140.45   443     TLSv10  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA      www.esd7jqvwpbwebf.com
        -       CN=www.nolspqtib3ix.net CN=www.3pxivyds.com     1380859200.000000       1398139200.000000       -       -       -
1388434821.597288       CXemGQ4G0PFf5DvUf       10.0.0.126      34887   72.52.91.30     5901    TLSv10  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA      www.igyewbs5.com     -CN=www.bnlln35al.net    CN=www.henq76fjat2ozl2537.com   1376020800.000000       1403841600.000000       -       -       -
1388434821.597322       CFrNiH22BOLl917zjl      10.0.0.126      56135   144.76.109.178  9081    TLSv10  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA      www.57xl.com    -    CN=www.3rvuayihf4t35h.net        CN=www.viw7rvktu36ov.com        1386651600.000000       1388811600.000000       -       -       -
1388434821.489984       CxEp7Xmn9AOlkxn0e       10.0.0.126      44997   31.7.186.228    443     TLSv10  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA      www.ewrk2xtmr.com    -CN=www.orutxjqwf.net    CN=www.5orbut4ufhohm5rlj47.com  1371614400.000000       1397966400.000000       -       -       -

Again, we can select the fields we want to see in order to minimize output.

$ cat ssl.log|/usr/local/bro/bin/bro-cut -c -d ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher server_name subject issuer_subject not_valid_before not_valid_after
#separator \x09
#set_separator  ,
#empty_field    (empty)
#unset_field    -
#path   ssl
#open   2014-01-03-14-12-05
#fields ts      uid     id.orig_h       id.orig_p       id.resp_h       id.resp_p       version cipher  server_name     subject issuer_subject  not_valid_before     not_valid_after
#types  string  string  addr    port    addr    port    string  string  string  string  string  time    string
2013-12-30T15:20:21-0500        CwRHlF31djcMrO7Z98      10.0.0.126      51191   199.36.221.196  9001    TLSv10  TLS_DHE_RSA_WITH_AES_256_CBC_SHA        www.wplgkqpnteb.com   CN=www.ri6ufvqioii5se5tzbgt.net CN=www.dyyp6enzivlm46.com       2013-12-30T18:48:56-0500        2014-12-30T18:48:56-0500
2013-12-30T15:20:21-0500        Ck1Mgy4ubChMFyneFc      10.0.0.126      38946   198.27.97.223   443     TLSv10  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA      www.p65b.com CN=www.hkkch64skp7am.net CN=www.axslhtfqq.com    2013-10-15T00:00:00-0400        2014-02-11T23:59:59-0500
2013-12-30T15:20:21-0500        CZOEio3mxlQgpmVD2i      10.0.0.126      36715   149.9.0.60      9001    TLSv10  TLS_DHE_RSA_WITH_AES_256_CBC_SHA        www.dpvdl3n6yzwv.com  CN=www.anojueopqlpgsj.net       CN=www.u2rsltgpogir6t.com       2013-11-14T00:00:00-0500        2014-04-29T23:59:59-0400
2013-12-30T15:20:21-0500        CnU0VyJcJHaeCaxh8       10.0.0.126      49341   66.18.12.197    443     TLSv10  TLS_DHE_RSA_WITH_AES_256_CBC_SHA        www.6kyx72vjlrwxcmxnj4we7n.com        CN=www.4tdznzbrfuv.net  CN=www.igdpzct5tauwgyqs.com     2013-12-30T18:32:48-0500        2014-12-30T18:32:48-0500
2013-12-30T15:20:21-0500        Cc00yR3kKWb2GstwXf      10.0.0.126      40742   64.62.249.222   443     TLSv10  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA      www.de5v2whiex3xxy.com        CN=www.glk3fwiz6.net    CN=www.3pzqe4en5.com    2013-11-17T00:00:00-0500        2014-06-22T00:00:00-0400
2013-12-30T15:20:21-0500        CuVFNK14saFKjGVhfh      10.0.0.126      54393   50.115.122.68   9001    TLSv10  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA      www.ojj4rbje7z7.com   CN=www.qexiojanju56.net CN=www.nnfslkrseh.com   2013-12-18T00:00:00-0500        2014-01-21T00:00:00-0500
2013-12-30T15:20:21-0500        CROLl5Vd0jUzvvwn        10.0.0.126      46797   212.83.140.45   443     TLSv10  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA      www.esd7jqvwpbwebf.com        CN=www.nolspqtib3ix.net CN=www.3pxivyds.com     2013-10-04T00:00:00-0400        2014-04-22T00:00:00-0400
2013-12-30T15:20:21-0500        CXemGQ4G0PFf5DvUf       10.0.0.126      34887   72.52.91.30     5901    TLSv10  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA      www.igyewbs5.com      CN=www.bnlln35al.net    CN=www.henq76fjat2ozl2537.com   2013-08-09T00:00:00-0400        2014-06-27T00:00:00-0400
2013-12-30T15:20:21-0500        CFrNiH22BOLl917zjl      10.0.0.126      56135   144.76.109.178  9081    TLSv10  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA      www.57xl.com CN=www.3rvuayihf4t35h.net        CN=www.viw7rvktu36ov.com        2013-12-10T00:00:00-0500        2014-01-04T00:00:00-0500
2013-12-30T15:20:21-0500        CxEp7Xmn9AOlkxn0e       10.0.0.126      44997   31.7.186.228    443     TLSv10  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA      www.ewrk2xtmr.com     CN=www.orutxjqwf.net    CN=www.5orbut4ufhohm5rlj47.com  2013-06-19T00:00:00-0400        2014-04-20T00:00:00-0400
2013-12-30T15:20:21-0500        CwzpD92UikR0USUErj      10.0.0.126      58912   91.121.113.70   9001    TLSv10  TLS_DHE_RSA_WITH_AES_256_CBC_SHA        www.dv2nzruzkuf2ncqzpxh5vpg.com       CN=www.an2nldahkafrkz6qx.net    CN=www.ejybbncghc3qjraztwpr.com 2013-12-30T19:35:37-0500        2014-12-30T19:35:37-0500
2013-12-30T15:20:21-0500        CqAdrg1JryZY3kTrZ5      10.0.0.126      46649   5.135.187.167   9001    TLSv10  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA      www.3h2eyn3jwsjkggg3.com      CN=www.mt5unawhy.net    CN=www.nexscb2bdms.com  2013-12-16T00:00:00-0500        2014-01-10T23:59:59-0500
2013-12-30T15:20:21-0500        CWYgR82bEI9IjcHp7a      10.0.0.126      37960   212.83.158.5    443     TLSv10  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA      www.w5wtl.comCN=www.6suxdq3miwwewq4.net       CN=www.2fwld67ac2.com   2013-08-12T00:00:00-0400        2014-04-16T23:59:59-0400
2013-12-30T15:20:21-0500        CpGUEo3d5jBpzI6L04      10.0.0.126      50935   212.83.158.50   443     TLSv10  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA      www.lm6zdbm5w2jd5wxtmsfpkn.com        CN=www.ouzbot23a6lw3vvmszx.net  CN=www.s426lumoi7.com   2013-10-18T00:00:00-0400        2014-06-16T00:00:00-0400
2013-12-30T15:20:21-0500        CYocU22O3RREM4dfnl      10.0.0.126      49609   88.159.20.120   443     TLSv10  TLS_DHE_RSA_WITH_AES_256_CBC_SHA        www.exr2poqlv774jn4ddyvf5vvv.com      CN=www.qzsg2ioaoplbs2gaha5.net  CN=www.s5rc22gpzrwt4e.com       2013-12-30T19:54:02-0500        2014-12-30T19:54:02-0500
2013-12-30T15:20:21-0500        CxG1gw2N7G5uvDpiD2      10.0.0.126      57656   95.211.225.167  443     TLSv10  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA      www.mwqdszwnojnepwmw4souyw.com        CN=www.rnspic4yus5crf6w.net     CN=www.75ba5lymxpbhw3a2kb.com   2013-11-19T00:00:00-0500        2014-02-05T23:59:59-0500
2013-12-30T15:20:21-0500        CcVZHF3a5TkT9byG2e      10.0.0.126      60680   80.100.45.156   443     TLSv10  TLS_DHE_RSA_WITH_AES_128_CBC_SHA        www.emqfcc55o7a4u4ecq3w63.com CN=www.c7kriuquvh.net   CN=www.npmxal2ohuefme26yf.com   2013-12-18T00:00:00-0500        2014-02-14T23:59:59-0500

Pretty straight forward process to identify Tor usage on a network. This could be coupled with matching the destination addresses with the Tor server list available servers or here in order to provide further validation of Tor traffic.

SiLK Network Traffic Analysis Visualization with R and Rayon

2015-11-07T12:00:00-05:00

In this post, the process for retroactively identifying and graphing a HTTPS DDoS of service condition is described. Why do we care about graphing, because it can be a great way to describe data to folks that may not be interested in looking at it in a tabular form, e.g. leadership. The specific example will use data collected from the server this blog is hosted on. If you are following along, this post assumes you have SiLK deployed in some manner and are collecting HTTP or similar traffic. Technically a DDoS condition did not occur (only two hosts were making a large number of requests) but blitz.io was used to exceed the network traffic this website typically experiences for sake of example. If a true DoS condition occurred, it would appear differently as the sensor is hosted on the same node therefore it would not record the surge in traffic. In order to record a true DoS, the sensor would ideally be placed upstream in the carrier or somewhere that exceeds the devices being monitored capacity. I would like to thank network defense analyst Geoffrey Sanders for providing R langauge as well as statistical recommendations in order to improve data analysis and graphical representations.

If we would like to retroactively search for anomaly in traffic volume, we can query a number of days and look for unusual spikes:

for DAY in {1..31}; do
    if [ ${DAY} -le 9 ]; then
        DAY=0${DAY}
    fi

    RESULT=$(rwfilter --start-date=2015/07/${DAY} --end-date=2015/07/${DAY} --dport=443 --pass=stdout --type=all|rwuniq --fields=dport,proto -
-values=records --no-col --no-final-del --no-title --packets=20-)

    echo "2015/07/${DAY}|${RESULT}" >> http.out

done

On the 21st, we see a large number of requests that significantly exceed other days:

2015/07/01|443|6|1443|33287
2015/07/02|443|6|1271|30583
2015/07/03|443|6|1776|32622
2015/07/04|443|6|1498|28316
2015/07/05|443|6|1124|34428
2015/07/06|443|6|1672|36113
2015/07/07|443|6|1298|31087
2015/07/08|443|6|1629|40990
2015/07/09|443|6|42005|750922
2015/07/10|443|6|1656|54450
2015/07/11|443|6|1464|40205
2015/07/12|443|6|1279|22251
2015/07/13|443|6|1884|40887
2015/07/14|443|6|1724|49821
2015/07/15|443|6|1635|37133
2015/07/16|443|6|1653|33433
2015/07/17|443|6|1695|37580
2015/07/18|443|6|1301|24899
2015/07/19|443|6|1445|29230
2015/07/20|443|6|1314|40543
2015/07/21|443|6|70533|817855
2015/07/22|443|6|1909|42257
2015/07/23|443|6|1462|47961
2015/07/24|443|6|1705|37581
2015/07/25|443|6|1150|27093
2015/07/26|443|6|1208|21267
2015/07/27|443|6|1597|32414
2015/07/28|443|6|1714|45208
2015/07/29|443|6|1702|35607
2015/07/30|443|6|1710|46748
2015/07/31|443|6|1514|47915

We can use a similar query broken down by hour for the questionable day:

for HOUR in {0..23}; do if [ ${HOUR} -le 9 ]; then
        HOUR=0${HOUR}
    fi

    RESULT=$(rwfilter --start-date=2015/07/21:${HOUR} --end-date=2015/07/21:${HOUR} --dport=443 --pass=stdout --type=all|rwuniq --fields=dport
,proto --values=records --no-col --no-final-del --no-title --packets=20-)

    echo "${HOUR}|${RESULT}" >> http-hour.out

done

The results from the hourly query clearly depict when the surge of HTTPS traffic volume occurred. From here, an analyst may run more specific queries to determine if it is indeed a distributed attack or sourced from only a few nodes.

00|443|6|72|1392
01|443|6|48|3203
02|443|6|151|2605
03|443|6|173|1612
04|443|6|125|2318
05|443|6|149|2622
06|443|6|72|1450
07|443|6|71|1294
08|443|6|73|1524
09|443|6|76|1881
10|443|6|67|1412
11|443|6|823|6720
12|443|6|60|1639
13|443|6|65|1511
14|443|6|72|2987
15|443|6|121|2061
16|443|6|69|2135
17|443|6|67562|722727
18|443|6|203|3222
19|443|6|112|4004
20|443|6|99|1526
21|443|6|122|44746
22|443|6|94|2129
23|443|6|54|1135

We can represent the tabular data from the daily and hourly queries using R Project and ggplot2. For the daily plot example, add a header day|dPort|protocol|Records|Packets to the dataset and run Rscript filename.r dataset.dat replacing the command directives with the script below and your dataset:

library(ggplot2)
library(reshape2)

options("scipen"=100, "digits"=4)
fname <- commandArgs(trailingOnly = TRUE)[1]
flowrecs <- read.table(fname, header = TRUE, sep = "|")
flowrecs$day <- as.Date(flowrecs$day, "%Y/%m/%d")
test_data_long <- melt(flowrecs, id.vars=c("day", "dPort", "protocol"))

flow.plot <- ggplot(data=test_data_long,
    aes(x=day, y=value, colour=variable)) 
    geom_line() + geom_point() + xlab("Day") + ylab("Flow Records with 20+ Packets") 
    ggtitle(paste("Flow Records by Destination Port"))

png("plot.png", width=1200, height=400)
plot(flow.plot)
dev.off()

Which should provide a graphical representation similar to:

Similarly, we can do the same thing with the hourly plot by specifying the correct header of hour|dPort|protocol|Records|Packets and rerunning Rscript in the same manner as the daily plot.

library(ggplot2)
library(reshape2)

options("scipen"=100, "digits"=4)
fname <- commandArgs(trailingOnly = TRUE)[1]
flowrecs <- read.table(fname, header = TRUE, sep = "|")
flowrecs$hour <- factor(flowrecs$hour, levels=unique(flowrecs$hour))
test_data_long <- melt(flowrecs, id.var=c("hour", "dPort", "protocol"))

flow.plot <- ggplot(data=test_data_long,
    aes(x=hour, y=value, colour=variable, group=variable)) + 
    geom_line() + geom_point() + xlab("Hour") + ylab("Flow Records with 20+ Packets") 
    ggtitle(paste("Flow Records by Destination Port"))

png("plot.png", width=1200, height=400)
plot(flow.plot)
dev.off()

This depicts the two large sets of requests we had in the single day:

We can use rwstats in order to take a look at our top talkers if we are aware of congestion or other signs that the uniformity of visitors has changed. This query is a little artificial though. It is very possible that the source attacks may come from hundreds or even thousands of bots or some reflection mechanism depending on the service. If that is the case, we may have to look at other tuples or the actual request in order to determine a similarity between the distributed attack sources.

$ rwfilter --start-date=2015/7/21 --end-date=2015/7/21 --dport=443 --pass=stdout --type=all|rwstats --fields=sip --count=10 --no-col --no-final-del
INPUT: 70533 Records for 551 Bins and 70533 Total Records
OUTPUT: Top 10 Bins by Records
sIP|Records|%Records|cumul_%
54.173.173.209|33704|47.784725|47.784725
54.86.98.210|33698|47.776218|95.560943
162.243.196.54|742|1.051990|96.612933
180.76.15.142|97|0.137524|96.750457
68.180.230.230|75|0.106333|96.856790
180.76.15.140|37|0.052458|96.909248
72.80.60.139|31|0.043951|96.953199
66.249.67.118|31|0.043951|96.997150
180.76.15.136|24|0.034027|97.031177
63.254.26.10|23|0.032609|97.063786

We can append rwresolve in order resolve a specific IP field. We see two Amazon hosts whom are likely the Blitz.io bots as they comprise 96% of the traffic for the defined time threshold:

$ rwfilter --start-date=2015/7/21 --end-date=2015/7/21 --dport=443 --pass=stdout --type=all|rwstats --fields=sip --count=10 --no-col --no-final-del|rwresolve --ip-fields=1
INPUT: 70533 Records for 551 Bins and 70533 Total Records
OUTPUT: Top 10 Bins by Records
sIP|Records|%Records|cumul_%
ec2-54-173-173-209.compute-1.amazonaws.com|33704|47.784725|47.784725
ec2-54-86-98-210.compute-1.amazonaws.com|33698|47.776218|95.560943
162.243.196.54|742|1.051990|96.612933
baiduspider-180-76-15-142.crawl.baidu.com|97|0.137524|96.750457
b115504.yse.yahoo.net|75|0.106333|96.856790
baiduspider-180-76-15-140.crawl.baidu.com|37|0.052458|96.909248
pool-72-80-60-139.nycmny.fios.verizon.net|31|0.043951|96.953199
crawl-66-249-67-118.googlebot.com|31|0.043951|96.997150
baiduspider-180-76-15-136.crawl.baidu.com|24|0.034027|97.031177
mail.oswaldcompanies.com|23|0.032609|97.063786

Both of the graphs above describe the anomalous traffic but our normal traffic is no longer clear. One way we can provide a more clarification is to use statistics in order to more effectively describe the data because of the significant outliers. In order to achieve this, we will first use a log function in order to describe the data volumes. We use the same scripts as earlier, but change y=value to y=log(value).

While using a log function provided an improvement, it may not provide an accurate representation of volume data types. Next, we will take a look at percentiles with R. Our data frame is composed of three days. The middle being the 21st which contains our fictitious DoS attack.

> mydata
      [,1]   [,2] [,3]
 [1,] 1252   1392 1551
 [2,] 1347   3203 1969
 [3,]  749   2605 1642
 [4,] 2232   1612 1432
 [5,]  707   2318 1531
 [6,]  552   2622 1175
 [7,] 1072   1450 1981
 [8,]  487   1294 1606
 [9,] 1448   1524  959
[10,]  867   1881 1763
[11,]  903   1412 1283
[12,]  911   6720 3055
[13,] 1125   1639 3609
[14,] 1511   1511 1977
[15,] 1792   2987 2476
[16,]  912   2061 1722
[17,] 1114   2135  655
[18,]  424 722727 1338
[19,] 3888   3222 4038
[20,] 3646   4004 1765
[21,] 9281   1526 1650
[22,] 1590  44746 1190
[23,] 1131   2129 1190
[24,] 1602   1135  700

Here is how we get to our graph in the R console:

mydata <- matrix(ncol=24, nrow=3)
mydata <- matrix(df$Packets, ncol=3, nrow=24)
dataout <- apply(mydata, 1, quantile, probs=c(0.05, 0.5, 0.90))
ylim=range(500,5000)
plot(seq(ncol(dataout)), dataout[1,], t="l", lty=2, ylim=ylim, main="Flow Percentiles", xlab="Hour", 
ylab="Packets") #5%
lines(seq(ncol(dataout)), dataout[2,], lty=1, lwd=2) #50%
lines(seq(ncol(dataout)), dataout[3,], lty=2, col=2)  #90%
legend("topleft", legend=rev(rownames(dataout)), lwd=c(1,2,1), col=c(2,1,1), lty=c(2,1,2))

The 90th percentile really stands out here but having to use y limit to see our lower percentiles prevents us from seeing the whole picture. Let us graph both again but splitting our lower and upper bounds.

mydata <- matrix(ncol=24, nrow=3)
mydata <- matrix(df$Packets, ncol=3, nrow=24)
dataout <- apply(mydata, 1, quantile, probs=c(0.01, 0.05, 0.5))
ylim=range(100,4200)
plot(seq(ncol(dataout)), dataout[1,], t="l", lty=2, ylim=ylim, main="Flow Percentiles", xlab="Hour", ylab="Packets") #1%
lines(seq(ncol(dataout)), dataout[2,], lty=1, lwd=2) #5%
lines(seq(ncol(dataout)), dataout[3,], lty=2, col=2)  #50%
legend("topleft", legend=rev(rownames(dataout)), lwd=c(1,2,1), col=c(2,1,1), lty=c(2,1,2))

mydata <- matrix(ncol=24, nrow=3)
mydata <- matrix(df$Packets, ncol=3, nrow=24)
dataout <- apply(mydata, 1, quantile, probs=c(0.90, 0.95))
ylim=range(dataout)
plot(seq(ncol(dataout)), dataout[1,], t="l", lty=2, ylim=ylim, main="Flow Percentiles", xlab="Hour", ylab="Packets") #90%
lines(seq(ncol(dataout)), dataout[2,], lty=1, lwd=2) #95%
legend("topleft", legend=rev(rownames(dataout)), lwd=c(1,2,1), col=c(2,1,1), lty=c(2,1,2))

This is a better analytical view. We can infer that if we see traffic at the 90 percentile, likely something is off. For the heck of it, let us see how the percentiles compare to the mean and median, the former not being necessary as we already included it in the percentile two examples above but nevertheless.

ylim=range(500,5000)
mydata <- matrix(ncol=24, nrow=3)
mydata <- matrix(df$Packets, ncol=3, nrow=24)
meandata <- apply(mydata, 1, mean)
mediandata <- apply(mydata, 1, median)
plot(meandata, t="l", lty=2, ylim=ylim, main="Flows", xlab="Hour", ylab="Packets")
lines(mediandata, lty=1, lwd=2)
legend("topleft", legend=c("Mean", "Median"), lwd=c(1,2), col=c(1,1), lty=c(2,1))

The tabular data outliers are obvious but we will graph it. Based on this, we could leverage around 5 to 10 percentile for normal traffic but much larger sampling would need to take place as we only used three days.

> meandata
 [1]   1398.333   2173.000   1665.333   1758.667   1518.667   1449.667
 [7]   1501.000   1129.000   1310.333   1503.667   1199.333   3562.000
[13]   2124.333   1666.333   2418.333   1565.000   1301.333 241496.333
[19]   3716.000   3138.333   4152.333  15842.000   1483.333   1145.667
> mediandata
 [1] 1392 1969 1642 1612 1531 1175 1450 1294 1448 1763 1283 3055 1639 1511 2476
[16] 1722 1114 1338 3888 3646 1650 1590 1190 1135

Last but not least, we are going to take a look at a tool the NetSA team has developed for graphically representing data named Rayon. I will provide a quick reference, but you can find more details here and here. As with R language, the outliers distort the graph so we use log functions for the second and third graphs in order to minimize the outlier effects. First, grab the data we are interested in:

$ rwfilter --start-date=2015/7/21 --end-date=2015/7/21 --dport=443 --proto=6 --type=inweb --pass=httpsin.bin
$ rwfilter --start-date=2015/7/21 --end-date=2015/7/21 --dport=443 --proto=6 --type=outweb --pass=httpsout.bin

Next, export the values we need, we provide a snippet of our data:

$ rwcount --bin-size=300 --no-titles --delimited httpsin.bin|awk -F\| '{printf("%s|%s|in\n", $1, $3)}' > 2-top.txt
--snip--
2015/07/21T00:00:00|5003.00|in
2015/07/21T00:05:00|16677.47|in
2015/07/21T00:10:00|4814.53|in
2015/07/21T00:15:00|4951.00|in
2015/07/21T00:20:00|1440.00|in
2015/07/21T00:25:00|10055.00|in
2015/07/21T00:30:00|5410.06|in
2015/07/21T00:35:00|1356.94|in
2015/07/21T00:40:00|4346.32|in
2015/07/21T00:45:00|10125.04|in
2015/07/21T00:50:00|7178.64|in
2015/07/21T00:55:00|16766.00|in
--snip--

$ rwcount --bin-size=300 --no-titles --delimited httpsout.bin|awk -F\| '{printf("%s|%s|out\n", $1, $3)}' > 2-btm.txt
--snip--
2015/07/21T00:00:00|60615.00|out
2015/07/21T00:05:00|317387.87|out
2015/07/21T00:10:00|214138.13|out
2015/07/21T00:15:00|60527.00|out
2015/07/21T00:20:00|3500.00|out
2015/07/21T00:25:00|76385.00|out
2015/07/21T00:30:00|77113.44|out
2015/07/21T00:35:00|32326.56|out
2015/07/21T00:40:00|39375.58|out
2015/07/21T00:45:00|96888.67|out
2015/07/21T00:50:00|30598.75|out
2015/07/21T00:55:00|313460.00|out
--snip--

We graph the values with rwtimeseries. As expected, the incoming traffic is less than the outgoing HTTPS response. We adjusted the scale of the second and third graph using log, and the last Rayon graph describes data between the 95 and 100 percentiles.

$ cat 2-top.txt 2-btm.txt | rytimeseries --style=filled_lines --output-path=2.png --top-filter="[2]==in" --bottom-filter="[2]==out" --top-column=1 --bottom-column=1 --annotate-max --value-tick-label-format=metric --value-units=B --title="Traffic to/from Web Servers" --value-scale=linear

$ cat 2-top.txt 2-btm.txt | rytimeseries --style=filled_lines --output-path=2.png --top-filter="[2]==in" --bottom-filter="[2]==out" --top-column=1 --bottom-column=1 --annotate-max --value-tick-label-format=metric --value-units=B --title="Traffic to/from Web Servers" --value-scale=log --`fix-scale-min=1

$ cat 2-top.txt 2-btm.txt | rytimeseries --style=filled_lines --output-path=2.png --top-filter="[2]==in" --bottom-filter="[2]==out" --top-column=1 --bottom-column=1 --annotate-max --value-tick-label-format=metric --value-units=B --title="Traffic to/from Web Servers" --value-scale=clog

$ cat 2-top.txt 2-btm.txt | rytimeseries --style=filled_lines --output-path=2.png --top-filter="[2]==in" --bottom-filter="[2]==out" --top-column=1 --bottom-column=1 --annotate-max --value-tick-label-format=metric --value-units=B --title="Traffic to/from Web Servers" --value-scale=linear --value-min-pct=90 --value-max-pct=95

There you go. A quick and dirty way to identify traffic surges to whatever services you have sitting behind your collector. Please leave any questions you have regarding this post below.

Online Information Security Analysis Tools and Resources

2015-10-18T12:00:00-04:00

A list of sites that analysts may find useful in their day-to-day analysis of indicators and threats. While verifying and searching for new sources, I came across Links and resources for malware samples, Malware Analysis and Incident Response Tools for the Frugal and Lazy, and Free Online Tools for Looking Up Potentially Malicious Websites which may also be helpful. Please let me know if you feel something is missing or broken by leaving a comment or contacting me.

IP/ISP/Domain, and WHOIS look-ups

https://www.robtex.com - IP/DNS/WHOIS look-ups
http://centralops.net/co/ - IP/DNS/WHOIS look-ups
http://www.yougetsignal.com/tools/web-sites-on-web-server/ - Reverse lookup
http://www.dshield.org/ipinfo.html?ip=8.8.8.8 - Internet Storm Center DShield
http://www.ipchecking.com - IP/DNS/WHO-IS GEOGRAPHIC IP look-up
http://www.isup.me - Check to see if site is up
https://isc.sans.edu/port.html?port=8080 - Port details and usage statistics
http://www.traceroute.org/#USA
https://www.net.princeton.edu/tools - Traceroute
http://www.projecthoneypot.org/list_of_ips.php - IPs obtained from honeypots
http://whois.arin.net - IP Whois lookup
http://whois.domaintools.com - Reverse Whois and Whois History
http://www.webconfs.com/domain-age.php - Domain age
http://www.dnsstuff.com - IP/DNS/WHO-IS look-ups
http://www.dnscolos.com/free-dns-report.html - DNS Report
https://dnshistory.org - The history of IP/DNS Records for domains
http://www.dnsdigger.com
http://www.bfk.de/bfk_dnslogger_en.html - Passive DNS
https://www.dnsdb.info - IP/DNS/Passive look-ups

IP and Domain analysis for malware or web-based threats

http://www.mcafee.com/us/threat-center.aspx - IP and Domain threat intel
http://www.siteadvisor.com/sites/rsreese.com - McAfee Site Advisor
https://safeweb.norton.com - Norton Safe Web
https://www.virustotal.com/#url - Analyzes suspicious files and URLs/detects malware
http://www.projecthoneypot.org/search_ip.php - Inspect an IP by Project Honey Pot
http://urlquery.net - Detailed information about actions a browser takes while visiting a site
http://www.dtrackr.com - Domain activity tracking
http://www.ipvoid.com - Scans an IP address against IP blacklists
http://www.urlvoid.com - Scans a domain address for its reputation
http://minotauranalysis.com - Check against secure DNS providers and determine whether they block/redirect a hostname
http://www.malwareurl.com/listing-urls.php - Scans a domain address for its reputation
https://sitecheck.sucuri.net - Check the site for malware, blacklisting status, and out-of-date software
http://www.avgthreatlabs.com/ww-en/website-safety-reportsk - Check the safety of a URL or web page by scanning it for threats
http://global.sitesafety.trendmicro.com - Latest tests indicate that this website contains no malicious software and shows no signs of fraud
http://urlblacklist.com/?sec=search - Find out if a URL is in the blacklist
http://www.senderbase.org - Cisco IP and domain blacklist check

Open-source Threat Reports, IP and Domain Blacklists

http://www.sophos.com/en-us/threat-center.aspx - Malware reports
http://www.symantec.com/security_response/ - Threats, risks, and vulnerabilities
http://www.spamhaus.org/lookup/ - Database of IPs reporting email spam abuse
http://hosts-file.net - Community managed host file to protect against malicious
http://www.phishtank.com - PhishTank
http://www.malwaredomainlist.com/mdl.php - Malicious domains/IPs and malware
http://malc0de.com/database/ - Database of malicious domains/IPs and malware
http://www.malwaregroup.com - Feed of malware reports from multiple sites
http://www.mywot.com - Tells you reputation of a website from public reports
http://www.malwaredomains.com - Malware Prevention through Domain Blocking
http://multirbl.valli.org - Free multiple DNSBL/RBL lookup and FCrDNS check tool
http://toolbar.netcraft.com/stats/countries - Phishiest hosting countries
http://www.dcwg.org/detect/ - Detect DNS Changer infection
http://stopmalvertising.com - Investigate distribution of malware exploits through online advertising networks

Malware Binary Analysis

https://www.virustotal.com/en/ - Analyze suspicious binaries
http://anubis.iseclab.org - ANUBIS ANalyzing Unknown BInarieS
http://wepawet.iseclab.org - Analyze Flash, JavaScript, and PDFs
http://jsunpack.jeek.org - JavaScript Unpacker/ Decode De-Obfuscated JavaScript
http://minotauranalysis.com - Hash value search
http://www.threatexpert.com/filescan.aspx - Analyze suspicious binaries
http://www.threattracksecurity.com/resources/sandbox-malware-analysis.aspx

Malware Samples

HTTP Agent sniffers, Decode De-Obfuscate JavaScript and Base 64

http://web-sniffer.net - Analysis of HTTP Request and Response Headers
http://builtwith.com - Determine services running on target
http://www.rexswain.com/httpview.html - See exactly what an HTTP request returns to your browser
http://gsitecrawler.com/tools/Server-Status.aspx Sever redirect checker
http://www.unmaskcontent.com - Unmask Content
http://www.yellowpipe.com/yis/tools/encrypter - encode/decode or encrypt/decrypt your documents in various formats such as: ASCSII, Binary, Base 64,HTML/text/JavaScript Escaping
http://scriptasylum.com/tutorials/encode-decode.html - HTML/text/JavaSript Escaping/Encoding Script
http://ln.hixie.ch/?start=1073090889&count=1 - Unicode decoder tools
http://www.crypo.com - Encode or Decode strings, email and other messages
http://spyonweb.com - Determine what sites are sharing Google analytic code
http://www.netdemon.net/decode.html - obfuscated URL Decoder

BotNet Tracking

http://botlab.org - Spam ranking, botnet & C2 tracking
https://palevotracker.abuse.ch - Palevo Tracker
https://zeustracker.abuse.ch - ZeuS Tracker
https://spyeyetracker.abuse.ch - SpyEye Tracker
http://atlas.arbor.net/summary/fastflux - ATLAS Summary Report
http://www.cert.pl/news/4711/langswitch_lang/en - ZeuS – P2P+DGA variant

Site History

https://archive.org - Wayback Machine Internet Archive
http://www.spiderfoot.net - Spider Indexing

Google Hacking

http://www.exploit-db.com/google-dorks/ - Google Hacking Database (GHDB) by HfC
http://ghh.sourceforge.net - Google Hack Honeynet
http://www.edge-security.com

Graphing Namebench Spreadsheet Data with R

2015-07-11T12:00:00-04:00

In the previous post, I described the process of benchmarking domain name servers for a website domain with a modified version of Namebench. Namebench generates graphs using the Google chart API. This left me wanting a little more therefore decided to explore the data using the R Project. This post makes the assumption you are using our data set in order to follow along or else YMMV.

First, remove trailing commas from each row:

$ sed 's/,[[:space:]]*$//' namebench_2015-07-14_1952.csv > data.csv

Next, we read in the data from the CSV file into the R buffer assuming you are already in the R console:

> data <- read.table(file="data.csv",header=TRUE,sep=",",row.names=NULL)

If you get errors about a line not having 9 elements, you likely had timeouts in your DNS queries. You can either re-run the test until you do not experience any timeouts or remove the Timeout error message lines. Something like grep -v Timeout data.csv >a.out and copy back to data.csv or whatever filename you would like to work with.

As an aside, we can also export our data back out:

> write.table(data, 'a.txt', col.names=NA)

Which results in:

"" "IP" "Name" "Test_Num" "Record" "Record_Type" "Duration" "TTL" "Answer_Count" "Response"
"1" "2600:3c01::a" "Linode 2 IPv6" 0 "www.rsreese.com." "A" 76.2228965759277 86400 1 "74.207.234.79"
"2" "2600:3c01::a" "Linode 2 IPv6" 0 "www.rsreese.com." "A" 73.7550258636475 86400 1 "74.207.234.79"
"3" "2600:3c01::a" "Linode 2 IPv6" 0 "www.rsreese.com." "A" 73.4801292419434 86400 1 "74.207.234.79"
"4" "2600:3c01::a" "Linode 2 IPv6" 0 "www.rsreese.com." "A" 76.7168998718262 86400 1 "74.207.234.79"
"5" "2600:3c01::a" "Linode 2 IPv6" 0 "www.rsreese.com." "A" 73.2970237731934 86400 1 "74.207.234.79"
"6" "2600:3c01::a" "Linode 2 IPv6" 0 "www.rsreese.com." "A" 73.3959674835205 86400 1 "74.207.234.79"
"7" "2600:3c01::a" "Linode 2 IPv6" 0 "www.rsreese.com." "A" 72.7560520172119 86400 1 "74.207.234.79"
"8" "2600:3c01::a" "Linode 2 IPv6" 0 "www.rsreese.com." "A" 76.8599510192871 86400 1 "74.207.234.79"
"9" "2600:3c01::a" "Linode 2 IPv6" 0 "www.rsreese.com." "A" 72.8960037231445 86400 1 "74.207.234.79"
"10" "2600:3c01::a" "Linode 2 IPv6" 0 "www.rsreese.com." "A" 74.0060806274414 86400 1 "74.207.234.79"
--snip--

Now that R has our data, we can take a quick look to ensure the columns make sense:

> options(width=150)
> head(data,n=10)
> head(data,n=10)
             IP          Name Test_Num           Record Record_Type Duration   TTL Answer_Count      Response
1  2600:3c01::a Linode 2 IPv6        0 www.rsreese.com.           A 76.22290 86400            1 74.207.234.79
2  2600:3c01::a Linode 2 IPv6        0 www.rsreese.com.           A 73.75503 86400            1 74.207.234.79
3  2600:3c01::a Linode 2 IPv6        0 www.rsreese.com.           A 73.48013 86400            1 74.207.234.79
4  2600:3c01::a Linode 2 IPv6        0 www.rsreese.com.           A 76.71690 86400            1 74.207.234.79
5  2600:3c01::a Linode 2 IPv6        0 www.rsreese.com.           A 73.29702 86400            1 74.207.234.79
6  2600:3c01::a Linode 2 IPv6        0 www.rsreese.com.           A 73.39597 86400            1 74.207.234.79
7  2600:3c01::a Linode 2 IPv6        0 www.rsreese.com.           A 72.75605 86400            1 74.207.234.79
8  2600:3c01::a Linode 2 IPv6        0 www.rsreese.com.           A 76.85995 86400            1 74.207.234.79
9  2600:3c01::a Linode 2 IPv6        0 www.rsreese.com.           A 72.89600 86400            1 74.207.234.79
10 2600:3c01::a Linode 2 IPv6        0 www.rsreese.com.           A 74.00608 86400            1 74.207.234.79
> summary(data$Duration)
   Min. 1st Qu.  Median    Mean 3rd Qu.    Max. 
  1.455   2.582   3.836  24.430  47.640 780.500

We can create an aggregated table of the data based on mean values:

> aggregate(data$Duration, by=list(data$Name), FUN=mean)
         Group.1         x
1        CF Erin  3.752344
2         CF Ram  6.141772
3           HE 1  2.563629
4           HE 2  2.494576
5      HE 2 IPv6  2.677688
6           HE 3  5.510935
7      HE 3 IPv6  3.057263
8           HE 4  2.982669
9      HE 4 IPv6  2.626012
10          HE 5  2.642891
11     HE 5 IPv6  2.736038
12      Linode 1 49.536158
13 Linode 1 IPv6 48.098648
14      Linode 2 75.840130
15 Linode 2 IPv6 76.885061
16      Linode 3 25.727819
17 Linode 3 IPv6 26.703984
18      Linode 4  8.020208
19 Linode 4 IPv6  7.908908
20      Linode 5 82.185041
21 Linode 5 IPv6 76.434550

Lets see how a boxplot looks. The graph is representative of the third command listed here, others are for reference/tinkering:

> plot(data$Duration ~ data$Name, horizontal=TRUE, par(las=1))
> boxplot(data$Duration ~ data$Name, horizontal=TRUE, par(las=1), col=rainbow(10))
> boxplot(data$Duration ~ data$Name, ylim=c(0,100), horizontal=TRUE, par(las=1), col=rainbow(10))

If we zoom in a little more, the distribution of the more responsive name servers becomes apparent. I believe this graph is the best representation of the fastest name servers in the dataset:

> boxplot(data$Duration ~ data$Name, ylim=c(0,10), horizontal=TRUE, par(las=1), col=rainbow(10))

Alternatively, we can plot using ggplot2 if available:

> library(ggplot2)
> ggplot(data=data, aes(x=Duration, y=Name, group=Name, colour=Name)) + geom_line() + geom_point()

Display horizontal bar graph. I did not do a great job with the axis labels here but you get the idea:

> agg <- aggregate(data$Duration, by=list(data$Name), FUN=mean)
> sorted <- agg[with(agg, order(x)), ]
> mymat <- t(sorted[-1])
> colnames(mymat) <- sorted[, 1]
> barplot(mymat, horiz=TRUE, col=c("blue"), las=1)

Finally, we will graph a group of values from the set and display them. We also limit the range so the graph is readable:

> plot(ecdf(data$Duration[data$Name=="Linode 1"]), xlim=c(45,55), ylim=c(0,1))

Please leave any questions you have regarding this post below.

Benchmarking Website Domain Name Servers

2015-06-14T12:00:00-04:00

This post evaluates a few methods to benchmark name servers that provide resolution of your websites domain name to its respective IP address. While DNS resolution for you domain is a small piece of the process for a user to retrieve a page, it is still important to provide the fastest experience possible, regardless of where they are connecting from. There are several methods to benchmark: from a dedicated host, or VPS or a last-mile end-point such as a residential connection. Dedicated host benchmark examples would include DNSPerf and TurboBytes Pulse. While the metrics provided by these assessments may be consistent, they may not necessarily represent realistic last-mile performance the end-user would typically experience. This is because these agents are typically on backbone internet connections that have peering agreements with very low latency providers. An exception to Pulse is some of the agents are hosted at locations that would be considered last-mile but at this time the results are averaged into the mean result.

DNSPerf:

TurboBytes Pulse:

Last-mile metrics provide us with an idea of what our site users first request for a DNS lookup will be. Specifically, a request for a record that is not cached by the system performing the lookup e.g. browser, OS, local network DNS forwarder, etc. Depending on the users geographic location and network connection (latency considerations), this could be the difference of several hundred milliseconds for an initial lookup. A few ways to examine last mile DNS are via browser, visitor analytics, or scripts. All have their pro and cons just as backbone tests do. Examples include:

Chrome Browser Console:

Pingdom:

WebPagetest:

Google Analytics:

The aforementioned tools provide some solid metrics but I wanted a way to assess my domains name servers with a large number of DNS requests from locations of my choosing. I modified Googles Namebench code available here to allow for on demand name server benchmarks of the specified domain(s) verse its original purpose of benchmarking name servers for general DNS lookups. Next I setup the zone I wanted to examine at other DNS providers, Hurricane Electric (HE) and CloudFlare (CF). While these two hosts are not authoritative for my domain, i.e. they are not the name servers registered with my domain registrar, they will still respond if I have setup DNS records. In this case I am testing www.rsreese.com from a Digital Ocean host. Again, this is not realistic as we are testing from a host on optimal network and route conditions but merely to show the output.

Fastest individual response (in milliseconds):
----------------------------------------------
HE 3             ## 1.45507
HE 5             ## 1.56093
HE 5 IPv6        ## 1.58811
HE 3 IPv6        ## 1.61195
HE 4             ## 1.62816
HE 2             ## 1.63388
HE 4 IPv6        ## 1.66416
HE 1             ## 1.66702
HE 2 IPv6        ## 1.70302
CF Ram           ## 1.98388
CF Erin          ## 1.98603
Linode 4         ### 4.05502
Linode 4 IPv6    ### 4.06694
Linode 3         ############### 19.89603
Linode 3 IPv6    ################ 21.06285
Linode 1 IPv6    ################################ 42.38200
Linode 1         ################################# 43.81895
Linode 5 IPv6    ################################################### 69.63682
Linode 2 IPv6    #################################################### 70.39404
Linode 2         ##################################################### 71.63501
Linode 5         ##################################################### 72.44182

Mean response (in milliseconds):
--------------------------------
HE 2             ## 2.49
HE 1             ## 2.56
HE 4 IPv6        ## 2.63
HE 5             ## 2.64
HE 2 IPv6        ## 2.68
HE 5 IPv6        ## 2.74
HE 4             ## 2.98
HE 3 IPv6        ## 3.06
CF Erin          ## 3.75
HE 3             ### 5.51
CF Ram           ### 6.14
Linode 4 IPv6    ########## 21.88
Linode 4         ########## 21.99
Linode 3         ############ 25.73
Linode 3 IPv6    ################## 40.60
Linode 1         ###################### 49.54
Linode 1 IPv6    ########################### 61.91
Linode 2         ################################# 75.84
Linode 2 IPv6    ####################################### 90.58
Linode 5 IPv6    ################################################### 117.52
Linode 5         ##################################################### 123.20

A similar test run from a residential internet connection providing more realistic metrics for a broadband connection:

Fastest individual response (in milliseconds):
----------------------------------------------
CF Erin          ######## 13.67188
CF Ram           ######## 13.88907
HE 1             ########### 18.39805
HE 5             ########### 18.72587
HE 2             ########### 18.76688
HE 4             ########### 18.77284
HE 3             ########### 18.92185
Linode 4         ############# 21.31605
Linode 3         ################# 28.21493
Linode 1         ############################ 48.61617
Linode 2         ################################################# 83.48799
Linode 5         ##################################################### 92.02409

Mean response (in milliseconds):
--------------------------------
HE 3             ############## 27.24
HE 4             ############## 27.68
HE 1             ############### 28.58
HE 5             ############### 28.58
HE 2             ############### 28.89
Linode 4         ################ 31.83
CF Erin          ################### 38.02
Linode 3         ########################## 51.06
CF Ram           ########################## 51.32
Linode 1         #################################### 71.66
Linode 5         ################################################### 102.22
Linode 2         ##################################################### 106.29

Based on the results that I tested from a number of locations, Hurricane Electric and Cloudflare were consistently faster than Linode, whom hosts my authoritative name servers, i.e. the servers that will respond if no one upstream has the answer cached. Lastly, the Namebench tool does have some built in graphing capability as shown below (not representative of the tabular data above):

If you find yourself wanting a little more in the way of graphs then what the Google chart API provides, Namebench provides us a handy spreadsheet that we can use for graphing in R which we demonstrate in the next blog post. Until then, please leave any questions you have regarding this post below or file an issue on the Github page relevant to the issue you are having with the customized Namebench tool.

Building Apache and ModSecurity from source

2015-02-27T08:00:00-05:00

This entry describes settting up ModSecurity on a node in order to protect a few WordPress sites I host. There are a slew of guides out there describing ModSecurity builds but I wanted to leverage the latest ModSecurity and Apache MPM Event packages which typically are not included in most Linux distribution repositories. We use a proxy node that passes requests to the backend (origin) server hosting the web application. You may just as easily build ModSecurity on the same host that is serving your content verse using a reverse proxy, i.e. there are a number of ways to architect the setup. In the figure below, a request is first received by the proxy with ModSecurity enabled, and then passed to the origin host serving the actual content if ModSecurity does not intervene. We use Debian but other distributions should be similar.

Install prerequisite packages:

$ sudo apt-get install gcc libpcre3-dev libxml2-dev libcurl4-gnutls-dev

Download, Build, and Install SSL (enable shared if on 64bit):

$ mkdir install
$ ./config shared --prefix=/root/openssl-1.0.2a/install/
$ make depend
$ make
$ make test
$ make install

Download latest Apache, APR, and APR Util packages. Extract APR and APR Util, copy both to Apache src directory, build and install Apache:

$ cp -R apr-util-1.5.4 httpd-2.4.12/srclib/apr-util/
$ cp -R apr-1.5.1 httpd-2.4.12/srclib/apr/
$ ./configure --with-included-apr --enable-ssl --enable-ssl-staticlib-deps --with-ssl=/root/openssl-1.0.2/install/ --enable-proxy --with-mpm=event
$ make
$ sudo make install

Download, Build and install ModSecurity (optionally install LUA if desired):

$ tar xzf modsecurity-2.9.0.tar.gz
$ cd modsecurity-2.9.0/
$ ./configure --with-apxs=/usr/local/apache2/bin/apxs --with-apr=/root/httpd-2.4.12/srclib/apr/ --with-apu=/root/httpd-2.4.12/srclib/apr-util/ --with-lua=/usr/lib/x86_64-linux-gnu/pkgconfig/
$ make
$ sudo make install

Grab a rule-set. You may also choose to use GIT to download.

$ wget https://github.com/SpiderLabs/owasp-modsecurity-crs/tarball/master
$ mv master master.tar.gz
$ cp -R SpiderLabs-owasp-modsecurity-crs-ebe8790/ /usr/local/apache2/conf/crs/
$ cd /usr/local/apache2/conf/crs/
$ mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
$ ln -s /usr/local/apache2/conf/crs/modsecurity_crs_10_setup.conf activated_rules/
$ for f in `ls base_rules/` ; do ln -s /usr/local/apache2/conf/crs/base_rules/$f activated_rules/$f ; done
$ for f in `ls optional_rules/` ; do ln -s /usr/local/apache2/conf/crs/optional_rules/$f activated_rules/$f ; done
$ mkdir /etc/modsec
$ cd
$ cp modsecurity-2.9.0/modsecurity.conf-recommended /etc/modsec/modsecurity.conf
$ cp modsecurity-2.9.0/unicode.mapping /etc/modsec/
$ vim /etc/modsec/whitelist.conf

Setup your Apache site, virtual host, or use proxy pass in order to fetch from a back-end origin node. Add ModSecurity directives to Apache conf file:

LoadModule unique_id_module modules/mod_unique_id.so
LoadModule security2_module modules/mod_security2.so
<IfModule security2_module>
Include /etc/modsec/modsecurity.conf
Include conf/crs/activated_rules/*.conf
Include /etc/modsec/whitelist.conf
SecRule ARGS "mod_security_test" "t:normalisePathWin,id:99999,severity:4,msg:'Drive Access'"
</IfModule>

Start Apache and test to validate rules are logging and optionally being enforced. You should see a 403 forbidden response meaning that the malicious requests were blocked. Now you can move to tuning the ruleset to your web application:

http://waf.rsreese.com/?test=mod_security_test

If something is not clear, leave a comment below.

Redirect HTTP to HTTPS using Varnish

2014-12-30T08:00:00-05:00

I recently enabled HTTPS on this site and wanted to use a 301 redirect in order to correctly re-route guests from HTTP to HTTPS (HTTP to SSL/TLS). I originally performed all of my rewrites in Apache which acts as my backend. While Apache handled the typical non-www to www redirects with ease, it created a redirect loop when attempting to redirect users from HTTP to HTTPS. I decided to let Varnish Cache 4 rather than the Apache backend handle the redirect.

The documentation on the on the Varnish site is for Varnish 3 which is not compatible for Varnish 4 as of this writing:

sub vcl_recv {
    if ( (req.http.host ~ "^(?i)somesite.org" || req.http.host ~ "^(?i)www.somesite.org")
         && req.http.X-Forwarded-Proto !~ "(?i)https") {
        set req.http.x-Redir-Url = "https://www.somesite.org" + req.url;
        error 750 req.http.x-Redir-Url;
    }
}

sub vcl_error {
    if (obj.status == 750) {
        set obj.http.Location = obj.response;
        set obj.status = 302;
        return (deliver);
    }

After some research, I found a redirect example that was similar to what I was trying to achieve in Varnish 4:

sub vcl_recv {
        if ( (req.http.host ~ "^(?i)www.domain.com" || req.http.host ~ "^(?i)domain.com") && req.http.X-Forwarded-Proto !~ "(?i)https") {
                return (synth(750, ""));
        }
}

sub vcl_synth {
    if (resp.status == 750) {
        set resp.status = 301;
        set resp.http.Location = "https://www.domain.com" + req.url;
        return(deliver);
    }
}

Now non-HTTPS requests to domains listed in the vcl_recv should redirect to the respective HTTPS version of your site.

Making WordPress Fast

2014-12-15T12:00:00-05:00

This site previously used WordPress as a CMS platform. Quite a bit of time was spent tuning in order to get page load times that were consistently less then 500ms although usually closer to 200 to 300ms. The WordPress site was able to burst to around to 2000 users per blitz.io although there was an error here or there. I speculate that is a limitation on the outgoing bandwidth of the VPS as the system resources appeared stable. The largest improvements were made by caching, Varnish prevented repeat Apache, PHP and MySQL requests. Real world saturation is a different scenario but not too bad when compared to a stock LAMP setup. A stock LAMP setup on my VPS would handle around 50 req/sec before services started to hang up. I have since migrated to a new platform but wanted to keep this around for reference.

Note that the process flow in the following diagram is approximate and does not necessarily accurate.

Hosted with Linode on a Xen Hypervisor.
Debian Linux Operating System
Apache MPM worker - Multi-Processing Module implementing a hybrid multi-threaded multi-process web server
Google PageSpeed Apache module backed by Memcached
PHP-FPM (FastCGI Process Manager)
Varnish Cache - a web application accelerator AKA a caching HTTP reverse proxy
Memcached memory object caching system
WordPress running 2010 template
Batcache plugin using Object Cache backed by Memcached

If you are looking for a solid do it yourself hosting provider, I recommend you checkout Linode and use my referral link if you sign up which helps support this site.

Parsing Microsoft DNS Server Logs

2014-12-14T12:00:00-05:00

This is a quick post about one of many ways you may want to parse Microsoft DNS server logs. I this case, I simply wanted to know the top talkers. We use shell and Python in this entry on a Linux host. We follow-up with an all inclusive Python script if you want to skip to the end.

Here is the example data or you can follow along with your own:

DNS Server log file creation at 6/15/2014 6:11:48 PM UTC
Log file wrap at 6/15/2014 5:00:23 PM

Message logging key (for packets - other items use a subset of these fields):
        Field #  Information         Values
        -------  -----------         ------
           1     Date^M
           2     Time^M
           3     Thread ID
           4     Context
           5     Internal packet identifier^M
           6     UDP/TCP indicator^M
           7     Send/Receive indicator^M
           8     Remote IP^M
           9     Xid (hex)^M
          10     Query/Response      R = Response^M
                                     blank = Query^M
          11     Opcode              Q = Standard Query^M
                                     N = Notify^M
                                     U = Update^M
                                     ? = Unknown^M
          12     [ Flags (hex)^M
          13     Flags (char codes)  A = Authoritative Answer^M
                                     T = Truncated Response^M
                                     D = Recursion Desired^M
                                     R = Recursion Available^M
          14     ResponseCode ]^M
          15     Question Type^M
          16     Question Name^M

20140816 16:08:57 588 PACKET  019B99F0 UDP Rcv 192.168.0.2 80fd   Q [0001   D   NOERROR] A     (3)www(1)l(6)google(3)com(0)

20140816 16:08:57 588 PACKET  019CEFF0 UDP Snd 192.168.0.2 622d   Q [0001   D   NOERROR] A     (3)www(1)l(6)google(3)com(0)

20140816 16:08:57 588 PACKET  01C61480 UDP Rcv 192.168.0.2 622d R Q [8081   DR  NOERROR] A     (3)www(1)l(6)google(3)com(0)

20140816 16:08:57 588 PACKET  01C61480 UDP Snd 192.168.0.2 80fd R Q [8081   DR  NOERROR] A     (3)www(1)l(6)google(3)com(0)

20140816 15:51:47 588 PACKET  02131B00 UDP Snd 192.168.0.2 1b77   Q [0001   D   NOERROR] A     (9)messaging(9)microsoft(3)com(0)

20140816 15:51:47 588 PACKET  0242BD70 UDP Rcv 192.168.0.2 1b77 R Q [8081   DR  NOERROR] A     (9)messaging(9)microsoft(3)com(0)

20140816 16:28:56 588 PACKET  02447E50 UDP Rcv 192.168.0.2 6a24   Q [0001   D   NOERROR] A     (10)akamaiedge(3)net(0)

20140816 16:28:56 588 PACKET  01E8B070 UDP Snd 192.168.0.2 f11d   Q [0001   D   NOERROR] A     (10)akamaiedge(3)net(0)

20140816 16:28:56 588 PACKET  01BDA5A0 UDP Rcv 192.168.0.2 f11d R Q [8081   DR  NOERROR] A     (10)akamaiedge(3)net(0)

20140816 16:28:56 588 PACKET  01BDA5A0 UDP Snd 192.168.0.2 6a24 R Q [8081   DR  NOERROR] A     (10)akamaiedge(3)net(0)

Since there is a header, cut the 28 header lines.

$ sed '1,29d' log

Convert log from Windows to Unix format to handle pesky line returns:

$ awk '{ sub("\r$", ""); print }' log > log.wintounix

Get rid of blank lines:

$ sed '/^$/d' log.wintounix > log.nolines

Python code we are going to use to parse the file we have cleaned up.

import re
from collections import Counter
with open('log.nolines') as f:
    c = Counter('.'.join(re.findall(r'(\w+\(\d+\))',line.split()[-1])[-2:]) for line in f)

for domain, count in c.most_common():
    print domain,count

Sort the values returned from the Python script above, modify the key as needed.

$ sort -t" " -k3 -n -r parsed > parsed.sorted

That was a lot of work to parse a file. Lets make it a little easier. Run the following with an input file: parseMSDNS.py log

#!/usr/bin/env python
import re
import sys
import fileinput
import operator
import time
ret = {}

filename = sys.argv[1]
myfile = open(filename,'r')

start_time = time.time()
with myfile as theFile:
    for line in theFile:
        # normalize newlines
        #line = line.replace('\r\n', '\n').line.replace('\r', '\n')
        # match pattern returns true of false
        match = re.search(r'Q \[.+\].+\(\d+\)([^\(]+)\(\d+\)([^\(]+)',line.strip())
        if match != None:
            # if a match, determine the value
            key = ' '.join(match.groups())
            # calculate the number of key
            if key not in ret.keys():
                ret[key] = 1
            else:
                ret[key] += 1

for k in sorted(ret.keys(), key=lambda k:ret[k], reverse=True):
    print "{:15} - {}".format(k, ret[k])

print time.time() - start_time, "seconds"

That should do it. Leave a comment if something is not working as expected.

Parsing Netflow using Kibana via Logstash to ElasticSearch

2014-03-18T02:40:00-04:00

This blog entry shows how to easily insert flow data into an ElasticSearch instance using Logstash and view the data using Kibana. To keep the example simple, we will use Kibana that is integrated in LogStash. We will not use the ElasticSearch that is bundled with LogStash. Instead, we will run latest stable version of ElasticSearch. Testing for this entry was done using Ubuntu 12.04 but most Linux or similar distributions should work fine.

First, I needed the ability to generate network flow. Softflowd provided a simple solution for my purposes. You skip the flow generation installation if you already have a v5 or v9 netflow source you could point to your LogStash instance. My testing was done with netflow version 9, but it appears the the LogStash netflow codec will also support 5. Softflowd required, byacc which you can get from here.

$ ./configure
$ make
$ sudo make install

Next, setup the netflow daemon that will create flow records from traffic on an interface that is designated. You can download the Softflowd source from here.

$ ./configure
$ make
$ sudo ./softflowd -i eth0 -n 127.0.0.1:12345 -v 9 -d

Before running ElasticSearch or LogStash, you will need Java. The latest 7.0 Java version should work just fine. You can confirm your Java version:

$ java -version

Before we run LogStash, grab the latest ElasticSearch version from the 0.90.x train. While ElasticSearch 1.x is out, I do not believe LogStash is yet compatible. If need be, you can edit the memory requirements in the following configuration file:

$ vim ./elasticsearch-0.90.12/bin/elasticsearch.in.sh

Next start the ElasticSearch instance:

$ sudo ./elasticsearch-0.90.12/bin/elasticsearch

Pull the latest LogStash JAR, before trying to run it, you will need a netflow configuration file. This configuration file says that we expect to receive network flow on UDP port 12345. Secondly, we output to STDOUT and the ElasticSearch entry, the former output is for testing.

input {
  udp {
    port => 12345
    codec => netflow
  }
}
output {
  stdout { }
  elasticsearch { host => "127.0.0.1" }
}

Next, we begin collecting netflow:

$ sudo java -jar ./Downloads/logstash-1.3.3-flatjar.jar agent -f logstash/netflow.conf -- &

After a minute or two, you should start seeing some entries via STDOUT in the terminal you started LogStash in. While you could start Kibana with the previous entry by adding the web toggle, I preferred separate instances for my evaluation:

$ sudo java -jar ./Downloads/logstash-1.3.3-flatjar.jar agent web -- &

Lastly, the fun part, you should be able to cruise over to either localhost or whatever IP address the systems as appending by port 9292 and starting tinkering:

http://127.0.0.1:9292

Here are three dashboards I quickly put together. Not only is Logstash a good way to quickly parse netflow, the dashboard shiny:

Leave a comment below if you have any questions.

Detecting Tor network traffic with YaF and Python

2014-02-19T03:36:00-05:00

This entry continues a series of posts on identifying Tor network traffic and usage. The entry will demonstrate how to parse the output of YaF records via mediator using a Python script in order to determine if the SSL certificate values match the pattern of Tor certificates. It is assumed you have downloaded, compiled and installed YaF, mediator, and libfixbuf. Please see prior posts on this topic or the respective documentation for installation help if needed.

We first generate the YaF records from the PCAP we acquired. You can grab the example PCAP from cloudshark.

$ yaf --in tor.pcap --out tor.yaf

Next, parse the YaF output using mediator to disk in a format that we can parse. Alternatively, we could output to MySQL verse flat text files.

$ yaf_file_mediator-1.1.0/yaf_file_mediator --input tor.yaf --output tor.txt
**** Total flow count is 29 ****
**** Stats Total Count is 1 ****

Using Python, we can parse the records for patterns that match Tor SSL certificates.

#!/usr/bin/python

import re
import sys

filename = sys.argv[1]
myfile = open(filename,'r')
sourceIP = 'Source IP:'
destIP = 'Destination IP:'
issuerID = 'Issuer ID:'
subjectID = 'Subject ID:'
for line in myfile.readlines():
    line = line.strip()
    if line.startswith(sourceIP):
        sourceIPline = line
    elif line.startswith(destIP):
        destIPline = line
    elif line and line.startswith(issuerID):
        issuerDomain = re.search(r'www.\w+.com', line)
    elif line and line.startswith(subjectID):
        subjectDomain = re.search(r'www.\w+.net', line)
        if issuerDomain and subjectDomain:
            print (sourceIPline)
            print (destIPline)
            print issuerDomain.group()
            print subjectDomain.group()
            print
myfile.close

The following is an example output from the example PCAP provided earlier in this post. The Python regular expression ignores other SSL certificate values as they traditionally do not match the pattern that Tor certificates use, the inclusion of a domain for the Issuer and Subject IDs. That said, false-positives could be introduced.

$ tor-ssl-parser.py tor.txt
Source IP: 10.0.0.126
Destination IP: 198.27.97.223
www.axslhtfqq.com
www.hkkch64skp7am.net

Source IP: 10.0.0.126
Destination IP: 96.127.153.58
www.rtqtkopfct767ai.com
www.facp2b2y5wjffbo5ioy.net

Source IP: 10.0.0.126
Destination IP: 192.151.147.5
www.5m6ywj2w7zs.com
www.iolbr3jbfs.net

Source IP: 10.0.0.126
Destination IP: 66.18.12.197
www.igdpzct5tauwgyqs.com
www.4tdznzbrfuv.net

Source IP: 10.0.0.126
Destination IP: 64.62.249.222
www.3pzqe4en5.com
www.glk3fwiz6.net

Source IP: 10.0.0.126
Destination IP: 212.83.158.173
www.lvv4l6sx3qafei2s5u.com
www.vznlngjz7a2fpg.net

Source IP: 10.0.0.126
Destination IP: 212.83.155.250
www.mbrdx4tz2ob5wlvazlr.com
www.shxl35n3zt.net

Source IP: 10.0.0.126
Destination IP: 212.83.140.45
www.3pxivyds.com
www.nolspqtib3ix.net

Source IP: 10.0.0.126
Destination IP: 212.83.158.50
www.s426lumoi7.com
www.ouzbot23a6lw3vvmszx.net

Source IP: 10.0.0.126
Destination IP: 212.83.158.40
www.3eexfeaw.com
www.iedhzej4tie4egm.net

Source IP: 10.0.0.126
Destination IP: 212.83.158.5
www.2fwld67ac2.com
www.6suxdq3miwwewq4.net

Source IP: 10.0.0.126
Destination IP: 31.7.186.228
www.5orbut4ufhohm5rlj47.com
www.orutxjqwf.net

Source IP: 10.0.0.126
Destination IP: 216.66.85.146
www.6pp7bfbdywvcaicqmfq.com
www.g6oa3qdobmdgl5tprm.net

Source IP: 10.0.0.126
Destination IP: 178.254.35.132
www.hbwpqbx4zimtptui.com
www.77wneeix55t.net

Source IP: 10.0.0.126
Destination IP: 188.40.98.96
www.ozsx22b4nda.com
www.lr7s5k3n6ber.net

Source IP: 10.0.0.126
Destination IP: 80.100.45.156
www.npmxal2ohuefme26yf.com
www.c7kriuquvh.net

Source IP: 10.0.0.126
Destination IP: 91.143.91.174
www.zcgg5yiwzajal4.com
www.55a4kx5jrqxezvk.net

Source IP: 10.0.0.126
Destination IP: 85.17.122.80
www.plgx26wgyroot37x3ysj.com
www.xwx5gpj5t2msq3.net

Source IP: 10.0.0.126
Destination IP: 88.159.20.120
www.s5rc22gpzrwt4e.com
www.qzsg2ioaoplbs2gaha5.net

Source IP: 10.0.0.126
Destination IP: 37.59.150.178
www.vywbff5wkza6npkd5l.com
www.ugdrrog5ro5wdfddj.net

Source IP: 10.0.0.126
Destination IP: 91.219.237.229
www.twngp3xrqgo4p.com
www.znskvp5k5pns22y2.net

Source IP: 10.0.0.126
Destination IP: 95.211.225.167
www.75ba5lymxpbhw3a2kb.com
www.rnspic4yus5crf6w.net

Source IP: 10.0.0.126
Destination IP: 82.96.35.7
www.spx5a4e5eyhkdtpt2xj.com
www.6phyovjhggkfm.net

Source IP: 10.0.0.126
Destination IP: 83.140.59.2
www.o5qzqtbs.com
www.bnymkm3nk7jtz3.net

Source IP: 10.0.0.126
Destination IP: 82.96.35.8
www.7wdf4rkj5mew.com
www.sd5mkmsmo.net

Source IP: 10.0.0.126
Destination IP: 93.180.156.45
www.rxy4jiw4wk.com
www.g66mipkcyhjwumywk4h.net

Source IP: 10.0.0.126
Destination IP: 81.218.109.195
www.gempmzrnwnk.com
www.6lrz7wtwprz.net

Source IP: 10.0.0.126
Destination IP: 31.172.30.4
www.4jvdpoo5wcklhd3usu.com
www.f4uxyorx2h.net

Source IP: 10.0.0.126
Destination IP: 50.7.194.122
www.pxznjv3t75.com
www.wuqq77l634eogfm.net

Please leave a comment if you have any questions.

Detecting Tor network traffic with SiLK

2014-01-09T04:33:00-05:00

This entry continues a series of posts on identifying Tor network traffic and usage. This post is not to argue the merits of allowing Tor to run on a network. However, the entry will demonstrate how to create a set of Tor server IP addresses to parse network flow using SiLK (System for Internet-Level Knowledge) in order to determine if the network flow is a match. It is assumed you have downloaded, compiled and installed SiLK, YaF, and libfixbuf. Please see prior posts on this topic or the respective documentation for installation help if needed.

We need to obtain the current list of Tor servers and place them in a file. We will then parse the destination IP addresses which will be placed into a SiLK set using the SiLK rwsetbuild command. Creating an IP set will allow us to use rwfilter to specify what IP addresses should match outgoing network traffic. A Perl script from here makes quick work of downloading the current Tor server list.

#!/usr/bin/perl
#
# Fetch the list of known Tor servers (from an existing Tor server) and
# display some of the basic info for each router.

use LWP::Simple;

# Hostname of an existing Tor router.  We use one of the directory authorities
# since that's pretty much what they're for.
$INITIAL_TOR_SERVER = "193.23.244.244";   # http://dannenberg.ccc.de/tor/status/all
$DIR_PORT = 80;

# Fetch the list of servers
$content = get("http://$INITIAL_TOR_SERVER:$DIR_PORT/tor/status/all");
@lines = split /\n/,$content;

foreach $router (@lines) {
    if($router =~ m/^r\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\S+)\s+(\d+)\s+(\d+)$/) {
        ($name, $address, $or_port, $directory_port, $update_time) =
            ($1, $5, $6, $7, $4);
        print "$name | $address | $or_port | $directory_port | $update_time\n";
    }
}

Now that we have the current Tor server list, we can parse the Tor IP addresses. While you can modify the Perl script to only display the Tor server IP addresses, I still like to sort and parse for unique addresses as there are could be duplicates. You could also specify what type of Tor IP addresses you would like, i.e. exit, active, etc. Further, it is not bad to have a reference to determine what ports are associated with which addresses. Useful for more advanced queries.

$ awk -F "|" '{ print $2 }' exit-addresses | awk '{sub(/^[ \t]+/, "")};1' |sort|uniq > tor.txt

We convert the file containing the Tor server IP addresses to a set using the following command:

$ rwsetbuild tor.txt tor-servers.set

Typically, network flow would have already been captured for retrospective analysis, but for example sake, we will use a packet capture which already contains Tor traffic. We first convert our captured traffic to a YaF formatted file. This example PCAP may be downloaded from CloudShark.

$ /usr/local/bin/yaf --in tor.pcap --out ~/tor.yaf --filter="port 443" --applabel --applabel-rules=/usr/local/etc/yafApplabelRules.conf --max-payload=4000 --plugin-name=/usr/local/lib/yaf/dpacketplugin.la --plugin-opts="443" --lock &

Next, we convert the YaF format file to an IPFIX formatted file.

$ rwipfix2silk --silk-output=tor.rw tor.yaf

This rwfilter query parses for the data we are looking for and places in a binary file. We can write to standard out but I usually end up running additional queries using tools such as rwcut and rwstats so it is much faster to work from the smaller binary file, verse running the original query again.

$ rwfilter --start-date=2013/12/30 --end-date=2013/12/30  --dipset=tor-servers.set --proto=0- --type=all --pass=tor2.bin tor.rw

We parse the SiLK records we are interested in seeing to standard out via the rwcut command. Note the use of the cut command to minimize the white-space prefixing the output.

$ rwcut tor2.bin|cut -c26-
           sIP|                                    dIP|sPort|dPort|pro|   packets|     bytes|   flags|                  sTime| duration|                  eTime|sen|
    10.0.0.126|                          198.27.97.223|38946|  443|  6|        30|      8497|FS PA   |2013/12/30T20:20:21.336|   76.182|2013/12/30T20:21:37.518| S0|
 198.27.97.223|                             10.0.0.126|  443|38946|  6|        32|     28802|FS PA   |2013/12/30T20:20:21.381|   76.137|2013/12/30T20:21:37.518| S0|
    10.0.0.126|                          96.127.153.58|42529|  443|  6|        27|      8341|FS PA   |2013/12/30T20:20:22.190|   75.341|2013/12/30T20:21:37.531| S0|
 96.127.153.58|                             10.0.0.126|  443|42529|  6|        30|     26678|FS PA   |2013/12/30T20:20:22.232|   75.299|2013/12/30T20:21:37.531| S0|
    10.0.0.126|                          192.151.147.5|44384|  443|  6|        14|      3502|FS PA   |2013/12/30T20:20:26.486|   71.052|2013/12/30T20:21:37.538| S0|
 192.151.147.5|                             10.0.0.126|  443|44384|  6|        14|      4819|FS PA   |2013/12/30T20:20:26.535|   71.003|2013/12/30T20:21:37.538| S0|
    10.0.0.126|                           66.18.12.197|49341|  443|  6|        28|      8475|FS PA   |2013/12/30T20:20:21.426|   76.125|2013/12/30T20:21:37.551| S0|
  66.18.12.197|                             10.0.0.126|  443|49341|  6|        29|     26805|FS PA   |2013/12/30T20:20:21.471|   76.080|2013/12/30T20:21:37.551| S0|
    10.0.0.126|                          64.62.249.222|40742|  443|  6|        30|      8159|FS PA   |2013/12/30T20:20:21.375|   76.208|2013/12/30T20:21:37.583| S0|
 64.62.249.222|                             10.0.0.126|  443|40742|  6|        32|     28493|FS PA   |2013/12/30T20:20:21.461|   76.122|2013/12/30T20:21:37.583| S0|
    10.0.0.126|                         212.83.158.173|40825|  443|  6|        28|      8394|FS PA   |2013/12/30T20:20:22.079|   75.506|2013/12/30T20:21:37.585| S0|
212.83.158.173|                             10.0.0.126|  443|40825|  6|        31|     28867|FS PA   |2013/12/30T20:20:22.180|   75.405|2013/12/30T20:21:37.585| S0|
    10.0.0.126|                         212.83.155.250|55603|  443|  6|        29|      8454|FS PA   |2013/12/30T20:20:22.196|   75.389|2013/12/30T20:21:37.585| S0|
212.83.155.250|                             10.0.0.126|  443|55603|  6|        31|     27840|FS PA   |2013/12/30T20:20:22.290|   75.295|2013/12/30T20:21:37.585| S0|
    10.0.0.126|                          212.83.140.45|46797|  443|  6|        29|      8455|FS PA   |2013/12/30T20:20:21.342|   76.245|2013/12/30T20:21:37.587| S0|
 212.83.140.45|                             10.0.0.126|  443|46797|  6|        30|     26648|FS PA   |2013/12/30T20:20:21.439|   76.148|2013/12/30T20:21:37.587| S0|
    10.0.0.126|                          212.83.158.50|50935|  443|  6|        31|      8567|FS PA   |2013/12/30T20:20:21.396|   76.191|2013/12/30T20:21:37.587| S0|
 212.83.158.50|                             10.0.0.126|  443|50935|  6|        30|     26145|FS PA   |2013/12/30T20:20:21.492|   76.095|2013/12/30T20:21:37.587| S0|
    10.0.0.126|                          212.83.158.40|33170|  443|  6|        29|      8459|FS PA   |2013/12/30T20:20:22.088|   75.506|2013/12/30T20:21:37.594| S0|
 212.83.158.40|                             10.0.0.126|  443|33170|  6|        33|     28930|FS PA   |2013/12/30T20:20:23.199|   74.395|2013/12/30T20:21:37.594| S0|
    10.0.0.126|                           212.83.158.5|37960|  443|  6|        27|      8342|FS PA   |2013/12/30T20:20:21.415|   76.187|2013/12/30T20:21:37.602| S0|
  212.83.158.5|                             10.0.0.126|  443|37960|  6|        32|     26758|FS PA   |2013/12/30T20:20:21.517|   76.085|2013/12/30T20:21:37.602| S0|
    10.0.0.126|                           31.7.186.228|44997|  443|  6|        26|      8294|FS PA   |2013/12/30T20:20:21.377|   76.227|2013/12/30T20:21:37.604| S0|
  31.7.186.228|                             10.0.0.126|  443|44997|  6|        34|     29440|FS PA   |2013/12/30T20:20:21.486|   76.118|2013/12/30T20:21:37.604| S0|
    10.0.0.126|                          216.66.85.146|50817|  443|  6|        15|      3379|FS PA   |2013/12/30T20:21:34.492|    3.114|2013/12/30T20:21:37.606| S0|
 216.66.85.146|                             10.0.0.126|  443|50817|  6|        15|      6866|FS PA   |2013/12/30T20:21:34.590|    3.016|2013/12/30T20:21:37.606| S0|
    10.0.0.126|                         178.254.35.132|50724|  443|  6|        20|      5347|FS PA   |2013/12/30T20:20:33.494|   64.117|2013/12/30T20:21:37.611| S0|
178.254.35.132|                             10.0.0.126|  443|50724|  6|        23|     16358|FS PA   |2013/12/30T20:20:33.595|   64.016|2013/12/30T20:21:37.611| S0|
    10.0.0.126|                           188.40.98.96|54796|  443|  6|        30|      8565|FS PA   |2013/12/30T20:20:21.380|   76.231|2013/12/30T20:21:37.611| S0|
  188.40.98.96|                             10.0.0.126|  443|54796|  6|        32|     27966|FS PA   |2013/12/30T20:20:21.494|   76.117|2013/12/30T20:21:37.611| S0|
    10.0.0.126|                          80.100.45.156|60680|  443|  6|        30|      8578|FS PA   |2013/12/30T20:20:21.386|   76.228|2013/12/30T20:21:37.614| S0|
 80.100.45.156|                             10.0.0.126|  443|60680|  6|        31|     28447|FS PA   |2013/12/30T20:20:21.496|   76.118|2013/12/30T20:21:37.614| S0|
    10.0.0.126|                          91.143.91.174|39275|  443|  6|        23|      8209|FS PA   |2013/12/30T20:20:22.185|   75.435|2013/12/30T20:21:37.620| S0|
 91.143.91.174|                             10.0.0.126|  443|39275|  6|        33|     28626|FS PA   |2013/12/30T20:20:22.312|   75.308|2013/12/30T20:21:37.620| S0|
    10.0.0.126|                           85.17.122.80|43989|  443|  6|        29|      8457|FS PA   |2013/12/30T20:20:21.418|   76.202|2013/12/30T20:21:37.620| S0|
  85.17.122.80|                             10.0.0.126|  443|43989|  6|        32|     28409|FS PA   |2013/12/30T20:20:21.539|   76.081|2013/12/30T20:21:37.620| S0|
    10.0.0.126|                          88.159.20.120|49609|  443|  6|        31|      8633|FS PA   |2013/12/30T20:20:21.412|   76.208|2013/12/30T20:21:37.620| S0|
 88.159.20.120|                             10.0.0.126|  443|49609|  6|        34|     29194|FS PA   |2013/12/30T20:20:21.513|   76.107|2013/12/30T20:21:37.620| S0|
    10.0.0.126|                          37.59.150.178|47658|  443|  6|        30|      8516|FS PA   |2013/12/30T20:20:21.399|   76.223|2013/12/30T20:21:37.622| S0|
 37.59.150.178|                             10.0.0.126|  443|47658|  6|        33|     29412|FS PA   |2013/12/30T20:20:21.513|   76.109|2013/12/30T20:21:37.622| S0|
    10.0.0.126|                         91.219.237.229|35498|  443|  6|        15|      3616|FS PA   |2013/12/30T20:21:34.489|    3.134|2013/12/30T20:21:37.623| S0|
91.219.237.229|                             10.0.0.126|  443|35498|  6|        14|      7664|FS PA   |2013/12/30T20:21:34.614|    3.009|2013/12/30T20:21:37.623| S0|
    10.0.0.126|                         95.211.225.167|57656|  443|  6|        27|      8359|FS PA   |2013/12/30T20:20:21.345|   76.280|2013/12/30T20:21:37.625| S0|
95.211.225.167|                             10.0.0.126|  443|57656|  6|        33|     27948|FS PA   |2013/12/30T20:20:21.475|   76.150|2013/12/30T20:21:37.625| S0|
    10.0.0.126|                             82.96.35.7|58655|  443|  6|        15|      3563|FS PA   |2013/12/30T20:21:34.486|    3.147|2013/12/30T20:21:37.633| S0|
    82.96.35.7|                             10.0.0.126|  443|58655|  6|        13|      7445|FS PA   |2013/12/30T20:21:34.629|    3.004|2013/12/30T20:21:37.633| S0|
    10.0.0.126|                            83.140.59.2|45720|  443|  6|        22|      8160|FS PA   |2013/12/30T20:20:21.745|   75.888|2013/12/30T20:21:37.633| S0|
   83.140.59.2|                             10.0.0.126|  443|45720|  6|        30|     27422|FS PA   |2013/12/30T20:20:21.887|   75.746|2013/12/30T20:21:37.633| S0|
    10.0.0.126|                             82.96.35.8|42995|  443|  6|        28|      8414|FS PA   |2013/12/30T20:20:21.339|   76.302|2013/12/30T20:21:37.641| S0|
    82.96.35.8|                             10.0.0.126|  443|42995|  6|        33|     28927|FS PA   |2013/12/30T20:20:21.479|   76.162|2013/12/30T20:21:37.641| S0|
    10.0.0.126|                          93.180.156.45|47282|  443|  6|        33|      8671|FS PA   |2013/12/30T20:20:21.421|   76.223|2013/12/30T20:21:37.644| S0|
 93.180.156.45|                             10.0.0.126|  443|47282|  6|        39|     31370|FS PA   |2013/12/30T20:20:21.562|   76.082|2013/12/30T20:21:37.644| S0|
    10.0.0.126|                         81.218.109.195|60000|  443|  6|        29|      8460|FS PA   |2013/12/30T20:20:21.383|   76.277|2013/12/30T20:21:37.660| S0|
81.218.109.195|                             10.0.0.126|  443|60000|  6|        32|     27852|FS PA   |2013/12/30T20:20:21.535|   76.125|2013/12/30T20:21:37.660| S0|
    10.0.0.126|                            31.172.30.4|35914|  443|  6|        36|      8922|FS PA   |2013/12/30T20:20:22.146|   75.538|2013/12/30T20:21:37.684| S0|
   31.172.30.4|                             10.0.0.126|  443|35914|  6|        34|     32082|FS PA   |2013/12/30T20:20:22.271|   75.413|2013/12/30T20:21:37.684| S0|
    10.0.0.126|                           50.7.194.122|38522|  443|  6|        20|      5384|FS PA   |2013/12/30T20:20:33.487|   64.202|2013/12/30T20:21:37.689| S0|
  50.7.194.122|                             10.0.0.126|  443|38522|  6|        17|      9223|FS PA   |2013/12/30T20:20:33.671|   64.018|2013/12/30T20:21:37.689| S0|

With the next query, we adjust the type of traffic we want to look at to only outgoing traffic to the Tor servers instead of the previously displayed bi-directional traffic.

$ rwfilter --dipset=tor-servers.set --proto=0- --type=out --pass=tor.bin tor.rw

Again, we parse the SiLK records. Again, note the use of the cut command to minimize the white-space prefix the first column of data. The reason for this is there are additional columns of data not displayed by default. Checkout the rwcut man page for other columns data that may be of interest.

$ rwcut tor.bin |cut -c30-
       sIP|                                    dIP|sPort|dPort|pro|   packets|     bytes|   flags|                  sTime| duration|                  eTime|sen|
10.0.0.126|                          198.27.97.223|38946|  443|  6|        30|      8497|FS PA   |2013/12/30T20:20:21.336|   76.182|2013/12/30T20:21:37.518| S0|
10.0.0.126|                          96.127.153.58|42529|  443|  6|        27|      8341|FS PA   |2013/12/30T20:20:22.190|   75.341|2013/12/30T20:21:37.531| S0|
10.0.0.126|                          192.151.147.5|44384|  443|  6|        14|      3502|FS PA   |2013/12/30T20:20:26.486|   71.052|2013/12/30T20:21:37.538| S0|
10.0.0.126|                           66.18.12.197|49341|  443|  6|        28|      8475|FS PA   |2013/12/30T20:20:21.426|   76.125|2013/12/30T20:21:37.551| S0|
10.0.0.126|                          64.62.249.222|40742|  443|  6|        30|      8159|FS PA   |2013/12/30T20:20:21.375|   76.208|2013/12/30T20:21:37.583| S0|
10.0.0.126|                         212.83.158.173|40825|  443|  6|        28|      8394|FS PA   |2013/12/30T20:20:22.079|   75.506|2013/12/30T20:21:37.585| S0|
10.0.0.126|                         212.83.155.250|55603|  443|  6|        29|      8454|FS PA   |2013/12/30T20:20:22.196|   75.389|2013/12/30T20:21:37.585| S0|
10.0.0.126|                          212.83.140.45|46797|  443|  6|        29|      8455|FS PA   |2013/12/30T20:20:21.342|   76.245|2013/12/30T20:21:37.587| S0|
10.0.0.126|                          212.83.158.50|50935|  443|  6|        31|      8567|FS PA   |2013/12/30T20:20:21.396|   76.191|2013/12/30T20:21:37.587| S0|
10.0.0.126|                          212.83.158.40|33170|  443|  6|        29|      8459|FS PA   |2013/12/30T20:20:22.088|   75.506|2013/12/30T20:21:37.594| S0|
10.0.0.126|                           212.83.158.5|37960|  443|  6|        27|      8342|FS PA   |2013/12/30T20:20:21.415|   76.187|2013/12/30T20:21:37.602| S0|
10.0.0.126|                           31.7.186.228|44997|  443|  6|        26|      8294|FS PA   |2013/12/30T20:20:21.377|   76.227|2013/12/30T20:21:37.604| S0|
10.0.0.126|                          216.66.85.146|50817|  443|  6|        15|      3379|FS PA   |2013/12/30T20:21:34.492|    3.114|2013/12/30T20:21:37.606| S0|
10.0.0.126|                         178.254.35.132|50724|  443|  6|        20|      5347|FS PA   |2013/12/30T20:20:33.494|   64.117|2013/12/30T20:21:37.611| S0|
10.0.0.126|                           188.40.98.96|54796|  443|  6|        30|      8565|FS PA   |2013/12/30T20:20:21.380|   76.231|2013/12/30T20:21:37.611| S0|
10.0.0.126|                          80.100.45.156|60680|  443|  6|        30|      8578|FS PA   |2013/12/30T20:20:21.386|   76.228|2013/12/30T20:21:37.614| S0|
10.0.0.126|                          91.143.91.174|39275|  443|  6|        23|      8209|FS PA   |2013/12/30T20:20:22.185|   75.435|2013/12/30T20:21:37.620| S0|
10.0.0.126|                           85.17.122.80|43989|  443|  6|        29|      8457|FS PA   |2013/12/30T20:20:21.418|   76.202|2013/12/30T20:21:37.620| S0|
10.0.0.126|                          88.159.20.120|49609|  443|  6|        31|      8633|FS PA   |2013/12/30T20:20:21.412|   76.208|2013/12/30T20:21:37.620| S0|
10.0.0.126|                          37.59.150.178|47658|  443|  6|        30|      8516|FS PA   |2013/12/30T20:20:21.399|   76.223|2013/12/30T20:21:37.622| S0|
10.0.0.126|                         91.219.237.229|35498|  443|  6|        15|      3616|FS PA   |2013/12/30T20:21:34.489|    3.134|2013/12/30T20:21:37.623| S0|
10.0.0.126|                         95.211.225.167|57656|  443|  6|        27|      8359|FS PA   |2013/12/30T20:20:21.345|   76.280|2013/12/30T20:21:37.625| S0|
10.0.0.126|                             82.96.35.7|58655|  443|  6|        15|      3563|FS PA   |2013/12/30T20:21:34.486|    3.147|2013/12/30T20:21:37.633| S0|
10.0.0.126|                            83.140.59.2|45720|  443|  6|        22|      8160|FS PA   |2013/12/30T20:20:21.745|   75.888|2013/12/30T20:21:37.633| S0|
10.0.0.126|                             82.96.35.8|42995|  443|  6|        28|      8414|FS PA   |2013/12/30T20:20:21.339|   76.302|2013/12/30T20:21:37.641| S0|
10.0.0.126|                          93.180.156.45|47282|  443|  6|        33|      8671|FS PA   |2013/12/30T20:20:21.421|   76.223|2013/12/30T20:21:37.644| S0|
10.0.0.126|                         81.218.109.195|60000|  443|  6|        29|      8460|FS PA   |2013/12/30T20:20:21.383|   76.277|2013/12/30T20:21:37.660| S0|
10.0.0.126|                            31.172.30.4|35914|  443|  6|        36|      8922|FS PA   |2013/12/30T20:20:22.146|   75.538|2013/12/30T20:21:37.684| S0|
10.0.0.126|                           50.7.194.122|38522|  443|  6|        20|      5384|FS PA   |2013/12/30T20:20:33.487|   64.202|2013/12/30T20:21:37.689| S0|

Lastly, we take a look at the reverse entries. As you can see, it is apparent that some of the hosts have Tor tertiary domain names which suggests that some of the flows may be destined for Tor servers.

$ rwcut tor.bin |rwresolve |cut -c30-
       sIP|                                    dIP|sPort|dPort|pro|   packets|     bytes|   flags|                  sTime| duration|                  eTime|sen|
10.0.0.126|198.27.97.223.vpsrealm.com|38946|  443|  6|        30|      8497|FS PA   |2013/12/30T20:20:21.336|   76.182|2013/12/30T20:21:37.518| S0|
10.0.0.126|xxviii.example.tld|42529|  443|  6|        27|      8341|FS PA   |2013/12/30T20:20:22.190|   75.341|2013/12/30T20:21:37.531| S0|
10.0.0.126|tor.koehn.com|44384|  443|  6|        14|      3502|FS PA   |2013/12/30T20:20:26.486|   71.052|2013/12/30T20:21:37.538| S0|
10.0.0.126|                           66.18.12.197|49341|  443|  6|        28|      8475|FS PA   |2013/12/30T20:20:21.426|   76.125|2013/12/30T20:21:37.551| S0|
10.0.0.126|hecustomer.10gigabitethernet8-1.core1.pao1.he.net|40742|  443|  6|        30|      8159|FS PA   |2013/12/30T20:20:21.375|   76.208|2013/12/30T20:21:37.583| S0|
10.0.0.126|n5.servbr.net|40825|  443|  6|        28|      8394|FS PA   |2013/12/30T20:20:22.079|   75.506|2013/12/30T20:21:37.585| S0|
10.0.0.126|n15.servbr.net|55603|  443|  6|        29|      8454|FS PA   |2013/12/30T20:20:22.196|   75.389|2013/12/30T20:21:37.585| S0|
10.0.0.126|212-83-140-45.rev.poneytelecom.eu|46797|  443|  6|        29|      8455|FS PA   |2013/12/30T20:20:21.342|   76.245|2013/12/30T20:21:37.587| S0|
10.0.0.126|n13.servbr.net|50935|  443|  6|        31|      8567|FS PA   |2013/12/30T20:20:21.396|   76.191|2013/12/30T20:21:37.587| S0|
10.0.0.126|n12.servbr.net|33170|  443|  6|        29|      8459|FS PA   |2013/12/30T20:20:22.088|   75.506|2013/12/30T20:21:37.594| S0|
10.0.0.126|n10.servbr.net|37960|  443|  6|        27|      8342|FS PA   |2013/12/30T20:20:21.415|   76.187|2013/12/30T20:21:37.602| S0|
10.0.0.126|                           31.7.186.228|44997|  443|  6|        26|      8294|FS PA   |2013/12/30T20:20:21.377|   76.227|2013/12/30T20:21:37.604| S0|
10.0.0.126|hecustomer.10gigabitethernet1-2.core1.ams1.he.net|50817|  443|  6|        15|      3379|FS PA   |2013/12/30T20:21:34.492|    3.114|2013/12/30T20:21:37.606| S0|
10.0.0.126|v37433.1blu.de|50724|  443|  6|        20|      5347|FS PA   |2013/12/30T20:20:33.494|   64.117|2013/12/30T20:21:37.611| S0|
10.0.0.126|static.188-40-98-96.clients.your-server.de|54796|  443|  6|        30|      8565|FS PA   |2013/12/30T20:20:21.380|   76.231|2013/12/30T20:21:37.611| S0|
10.0.0.126|a80-100-45-156.adsl.xs4all.nl|60680|  443|  6|        30|      8578|FS PA   |2013/12/30T20:20:21.386|   76.228|2013/12/30T20:21:37.614| S0|
10.0.0.126|91.143.91.174|39275|  443|  6|        23|      8209|FS PA   |2013/12/30T20:20:22.185|   75.435|2013/12/30T20:21:37.620| S0|
10.0.0.126|                           85.17.122.80|43989|  443|  6|        29|      8457|FS PA   |2013/12/30T20:20:21.418|   76.202|2013/12/30T20:21:37.620| S0|
10.0.0.126|120-20-159-88.business.edutel.nl|49609|  443|  6|        31|      8633|FS PA   |2013/12/30T20:20:21.412|   76.208|2013/12/30T20:21:37.620| S0|
10.0.0.126|37-59-150-178.static-ip.hostplanet.me|47658|  443|  6|        30|      8516|FS PA   |2013/12/30T20:20:21.399|   76.223|2013/12/30T20:21:37.622| S0|
10.0.0.126|sa0111.azar-a.net|35498|  443|  6|        15|      3616|FS PA   |2013/12/30T20:21:34.489|    3.134|2013/12/30T20:21:37.623| S0|
10.0.0.126|greendale.badexample.net|57656|  443|  6|        27|      8359|FS PA   |2013/12/30T20:20:21.345|   76.280|2013/12/30T20:21:37.625| S0|
10.0.0.126|luftgitarr.mooo.se|58655|  443|  6|        15|      3563|FS PA   |2013/12/30T20:21:34.486|    3.147|2013/12/30T20:21:37.633| S0|
10.0.0.126|kimya.mooo.se|45720|  443|  6|        22|      8160|FS PA   |2013/12/30T20:20:21.745|   75.888|2013/12/30T20:21:37.633| S0|
10.0.0.126|junis.mooo.se|42995|  443|  6|        28|      8414|FS PA   |2013/12/30T20:20:21.339|   76.302|2013/12/30T20:21:37.641| S0|
10.0.0.126|tor.b0red.de|47282|  443|  6|        33|      8671|FS PA   |2013/12/30T20:20:21.421|   76.223|2013/12/30T20:21:37.644| S0|
10.0.0.126|195.ab4.interhost.co.il|60000|  443|  6|        29|      8460|FS PA   |2013/12/30T20:20:21.383|   76.277|2013/12/30T20:21:37.660| S0|
10.0.0.126|tor21.anonymizer.ccc.de|35914|  443|  6|        36|      8922|FS PA   |2013/12/30T20:20:22.146|   75.538|2013/12/30T20:21:37.684| S0|
10.0.0.126|torsrvl.snydernet.net|38522|  443|  6|        20|      5384|FS PA   |2013/12/30T20:20:33.487|   64.202|2013/12/30T20:21:37.689| S0|

Or we can use the rwuniq command to list the unique destinations, again piping through rwresolve:

$ rwuniq --fields=2 --no-columns tor.bin |rwresolve
dIP|Records|
luftgitarr.mooo.se|1|
tor.b0red.de|1|
junis.mooo.se|1|
31.7.186.228|1|
tor21.anonymizer.ccc.de|1|
xxviii.example.tld|1|
tor.koehn.com|1|
n15.servbr.net|1|
a80-100-45-156.adsl.xs4all.nl|1|
n13.servbr.net|1|
120-20-159-88.business.edutel.nl|1|
91.143.91.174|1|
195.ab4.interhost.co.il|1|
37-59-150-178.static-ip.hostplanet.me|1|
sa0111.azar-a.net|1|
static.188-40-98-96.clients.your-server.de|1|
n5.servbr.net|1|
torsrvl.snydernet.net|1|
198.27.97.223.vpsrealm.com|1|
66.18.12.197|1|
v37433.1blu.de|1|
hecustomer.10gigabitethernet1-2.core1.ams1.he.net|1|
212-83-140-45.rev.poneytelecom.eu|1|
kimya.mooo.se|1|
85.17.122.80|1|
n12.servbr.net|1|
greendale.badexample.net|1|
n10.servbr.net|1|
hecustomer.10gigabitethernet8-1.core1.pao1.he.net|1|

In conclusion, using SiLK we can provide retrospective analysis to determine if traffic may be destined for Tor servers. While not a definitive method of detection as there could be false-positives due to hosting of legitimate services on Tor servers, it is a quick method to get some insight. As usual, please leave a comment below if you have any questions or comments.

Resizing Xen guest parition based filesystems

2013-07-03T14:27:00-04:00

This post assumes you are running the Xen hypervisor and are using a partitions based filesystems for you Xen guest you would like to re-size. I have previously written on Installing Xen on CentOS 6 from source and another blog entry that describes how to create partition based Xen guests on Creating Debian guests on Xen using partition based filesystem if you would like to see how to get started running Xen.

To resize, first shutdown the guest instance:

$ sudo xm shutdown Wheezy
$ sudo lvresize /dev/VolGroup00/Wheezy -L +10GB
Extending logical volume Wheezy to 20.00 GiB
Logical volume Wheezy successfully resized
$ sudo lvdisplay
--- Logical volume ---
LV Path                /dev/VolGroup00/Wheezy
LV Name                Wheezy
VG Name                VolGroup00
LV UUID                jQqEFZ-sd39-siY6-kqCZ-l8Lq-UWWk-3f4oh5
LV Write Access        read/write
LV Creation host, time host.localdomain, 2013-05-14 12:32:00 -0400
LV Status              available
# open                 0
LV Size                20.00 GiB
Current LE             5120
Segments               1
Allocation             inherit
Read ahead sectors     auto
- currently set to     256
Block device           253:0

I would first backup the partition that is going to be modified. This is going to sound weird; but this process uses fdisk to delete and recreate the partition.

List you partition:

$ sudo fdisk -l /dev/VolGroup00/Wheezy

Disk /dev/VolGroup00/Wheezy: 21.5 GB, 21474836480 bytes
255 heads, 63 sectors/track, 2610 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x00081c29

Device Boot      Start         End      Blocks   Id  System
/dev/VolGroup00/Wheezy1               1          63      498688   82  Linux swap / Solaris
Partition 1 does not end on cylinder boundary.
/dev/VolGroup00/Wheezy2              63        1306     9985024   83  Linux

When trying to directly re-size, an error occurs.

$ sudo resize2fs /dev/VolGroup00/Wheezy
resize2fs 1.41.12 (17-May-2010)
resize2fs: Bad magic number in super-block while trying to open /dev/VolGroup00/Wheezy
Couldn't find valid filesystem superblock.

We are now going to delete the partition, as warned before, make sure you have backups.

$ sudo fdisk /dev/VolGroup00/Wheezy

WARNING: DOS-compatible mode is deprecated. It's strongly recommended to
switch off the mode (command 'c') and change display units to
sectors (command 'u').

Command (m for help): p

Disk /dev/VolGroup00/Wheezy: 21.5 GB, 21474836480 bytes
255 heads, 63 sectors/track, 2610 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x00081c29

Device Boot      Start         End      Blocks   Id  System
/dev/VolGroup00/Wheezy1               1          63      498688   82  Linux swap / Solaris
Partition 1 does not end on cylinder boundary.
/dev/VolGroup00/Wheezy2              63        1306     9985024   83  Linux

Command (m for help): d
Partition number (1-4): 2

Command (m for help): p

Disk /dev/VolGroup00/Wheezy: 21.5 GB, 21474836480 bytes
255 heads, 63 sectors/track, 2610 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x00081c29

Device Boot      Start         End      Blocks   Id  System
/dev/VolGroup00/Wheezy1               1          63      498688   82  Linux swap / Solaris
Partition 1 does not end on cylinder boundary.

Recreate the partition with the new size.

Command (m for help): n
Command action
e   extended
p   primary partition (1-4)
p
Partition number (1-4): 2
First cylinder (63-2610, default 63):
Using default value 63
Last cylinder, +cylinders or +size{K,M,G} (63-2610, default 2610):
Using default value 2610

Command (m for help): p

Disk /dev/VolGroup00/Wheezy: 21.5 GB, 21474836480 bytes
255 heads, 63 sectors/track, 2610 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x00081c29

Device Boot      Start         End      Blocks   Id  System
/dev/VolGroup00/Wheezy1               1          63      498688   82  Linux swap / Solaris
Partition 1 does not end on cylinder boundary.
/dev/VolGroup00/Wheezy2              63        2610    20465113   83  Linux

Command (m for help): w
The partition table has been altered!

Calling ioctl() to re-read partition table.

WARNING: Re-reading the partition table failed with error 22: Invalid argument.
The kernel still uses the old table. The new table will be used at
the next reboot or after you run partprobe(8) or kpartx(8)
Syncing disks.

The follow command splits the partitions apart as using the simple Debian partitioning scheme may combine them.

$ sudo kpartx -a /dev/VolGroup00/Wheezy
$ cd /dev/mapper/
$ ls
control  VolGroup00-Wheezy  VolGroup00-Wheezy1  VolGroup00-Wheezy2

Next, check the filesystem for errors.

$ sudo e2fsck -f VolGroup00-Wheezy2
e2fsck 1.41.12 (17-May-2010)
Pass 1: Checking inodes, blocks, and sizes
Pass 2: Checking directory structure
Pass 3: Checking directory connectivity
Pass 4: Checking reference counts
Pass 5: Checking group summary information
VolGroup00-Wheezy2: 29159/624624 files (0.2% non-contiguous), 224352/2496256 blocks

We can now re-size the filesystem.

$ sudo resize2fs VolGroup00-Wheezy2
resize2fs 1.41.12 (17-May-2010)
Resizing the filesystem on VolGroup00-Wheezy2 to 5116278 (4k) blocks.
The filesystem on VolGroup00-Wheezy2 is now 5116278 blocks long.

Reattach the filesystems that were previously split.

$ sudo kpartx -d /dev/VolGroup00/Wheezy
$ ls
control  VolGroup00-Wheezy

A quick look at the logical volume and we can see we grew from 10 to 20 Gigabytes.

$ sudo lvscan
ACTIVE            '/dev/VolGroup00/Wheezy' [20.00 GiB] inherit

You should now be able to boot the guest using the larger file system.

To delete the guest filesystem:

sudo vgremove lvmxen
sudo pvremove /dev/sdb1
sudo parted /dev/sdb
(parted) rm 1
(parted) quit

Creating Debian guests on Xen using parition based filesystem

2013-06-29T17:47:00-04:00

This guide describes how to create a filesystem and guest for the Xen hypervisor. This assumes you have a working Xen install with Dom U. I have described setting up a Xen hypervisor from source in another posted titled Installing Xen on CentOS 6 from source.

Create a partition to store virtual machines on. We want to use a partition based verse file based file-system for our guests as the performance is much better.

$ sudo parted /dev/sdb
mklabel gpt
(parted) unit GB
(parted) mkpart VolGroup00 0GB 400GB
(parted) set 1 lvm on
(parted) quit
(parted) p
Model: DELL PERC 6/i (scsi)
Disk /dev/sdb: 3999GB
Sector size (logical/physical): 512B/512B
Partition Table: gpt
Number  Start   End    Size   File system  Name        Flags
1      1049kB  400GB  400GB               VolGroup00  lvm

Create a partition for the first virtual machine.

$ sudo pvcreate /dev/sdb1
$ sudo vgcreate VolGroup00 /dev/sdb1
$ sudo vgdisplay
--- Volume group ---
VG Name               VolGroup00
System ID
Format                lvm2
Metadata Areas        1
Metadata Sequence No  1
VG Access             read/write
VG Status             resizable
MAX LV                0
Cur LV                0
Open LV               0
Max PV                0
Cur PV                1
Act PV                1
VG Size               372.53 GiB
PE Size               4.00 MiB
Total PE              95367
Alloc PE / Size       0 / 0
Free  PE / Size       95367 / 372.53 GiB
VG UUID               hdCkfh-twnj-Nu2V-FsTe-RsQg-PzlE-5w4QGR

Create a logical volume for the virtual machine.

$ sudo lvcreate -L 10GB -n Wheezy VolGroup00
$ sudo lvdisplay
--- Logical volume ---
LV Path                /dev/VolGroup00/Wheezy
LV Name                Wheezy
VG Name                VolGroup00
LV UUID                jQqEFZ-sd39-siY6-kqCZ-l8Lq-UWWk-3f4oh5
LV Write Access        read/write
LV Creation host, time host.localdomain, 2013-05-14 12:32:00 -0400
LV Status              available
# open                 0
LV Size                10.00 GiB
Current LE             2560
Segments               1
Allocation             inherit
Read ahead sectors     auto
- currently set to     256
Block device           253:0

Get the latest Debian hd-media. Specify these parameters in the virtual machine configuration that will be used for the first start-up, i.e. the install of your guest. A second configuration will be used for booting the guest post-install.

kernel = "/scratch/debian/wheezy/vmlinuz"
ramdisk = "/scratch/debian/wheezy/initrd.gz"
extra = "debian-installer/exit/always_halt=true -- console=hvc0"
memory = 512
name = "Wheezy"
vif = ['bridge=br0']
disk = ['phy:/dev/VolGroup00/Wheezy,xvda,w']

Connect to the new guest with a console and perform the installation.

$ sudo xl create -c /etc/xen/install-debian.cfg

Start a guest without a console.

$ sudo xl create /etc/xen/debian.cfg

Leave the console.

$ "Ctrl+]"

List the instances.

$ sudo xl list
Name                                        ID   Mem VCPUs      State   Time(s)
Domain-0                                     0  2048     1     r-----    237.4
Wheezy                                      11   512     1     -b----      6.8

Connect to the console.

$ sudo xl console Wheezy

Leave the console.

$ "Ctrl+]"

If you have any questions or feel something is missing, leave a comment below.

Installing Xen on CentOS 6 from source

2013-06-29T17:33:00-04:00

I recently had a need to install Xen hypervisor on CentOS and most of the guides covered using the package maintainers version. Further, RHEL distributions favor using KVM. I did come across HowTo: Install XEN Dom0 on CentOS 6 from source but the domain was blocked (Google cache made quick work of getting around that issue) and there were a few steps that felt unclear. I took that guide and made a few changes which are reflected below. You may want to also reference the Xen Wiki CenOS 6.2, Xen 4.2.1, and Kernel version 3.9.2 were used in this example but newer and older versions should be similar.

First install dependencies:

yum groupinstall "Development Libraries"
yum groupinstall "Development Tools"
yum install transfig wget tar less texi2html libaio-devel dev86 glibc-devel e2fsprogs-devel gitk mkinitrd iasl xz-devel bzip2-devel
yum install pciutils-libs pciutils-devel SDL-devel libX11-devel gtk2-devel bridge-utils PyXML qemu-common qemu-img mercurial texinfo
yum install libidn-devel yajl yajl-devel ocaml ocaml-findlib ocaml-findlib-devel python-devel uuid-devel libuuid-devel openssl-devel
yum install glibc-devel.i686
yum install
libvirt python-virtinst

Download the latest Xen source package.

$ tar xzf xen-4.2.1.tar.gz
$ cd xen-4.2.1
$ ./configure
$ make xen && make tools && make stubdom
$ sudo make install xen
$ sudo make install xen-tools
$ sudo make install stubdom

Prevent the screen from powering off:

$ sudo sh -c "echo '/usr/bin/setterm -powersave off' >> /etc/rc.local"

Define the resources for domain 0:

$ sudo sh -c "echo 'xl sched-credit -d Domain-0 -w 512' >> /etc/xendom0caps"
$ sudo chmod +x /etc/xendom0caps

Start the services at boot:

sudo ln -s /etc/init.d/xendomains /etc/rc0.d/S10xendomains
sudo ln -s /etc/init.d/xendomains /etc/rc6.d/S10xendomains
sudo ln -s /etc/init.d/xendomains /etc/rc3.d/S98xendomains
sudo ln -s /etc/init.d/xencommons /etc/rc3.d/S98xencommons
sudo ln -s /etc/xendom0caps /etc/rc3.d/S97xendom0caps

Optionally for those that want to use the xm commands.

sudo ln -s /etc/init.d/xend /etc/rc3.d/S98xend

Make sure everything is going to start at the correct runlevel. Note that xend is optional

$ chkconfig --list |grep xen
xencommons      0:off   1:off   2:off   3:on    4:off   5:off   6:off
xend            0:off   1:off   2:off   3:on    4:off   5:off   6:off
xendomains      0:on    1:off   2:off   3:on    4:off   5:off   6:on

Make sure the weight is setup, this may vary depending your needs/resources available.

$ sudo xl sched-credit
Cpupool Pool-0: tslice=30ms ratelimit=1000us
Name                                ID Weight  Cap
Domain-0                             0    512    0
Wheezy                               3    256    0

Download the latest kernel version you would like to use and extract the contents of the archive. You can try pulling your configuration via “make oldconfig“, so your old settings are migrated and only new or changed options are presented to you to select. Then to make sure everything is ok, run “make menuconfig” or “make xconfig” to determine if the feature/module setting are appropriate for you. I left everything alone with the exception of enabling the Xen features as described below. make oldconfig is clever, it can do its job between different versions of kernel although just issuing a “make menuconfig” is probably also fine.

$ cd linux-3.9.2
$ make oldconfig
scripts/kconfig/conf --oldconfig Kconfig
#
# configuration written to .config
#

Alternatively just use the defaults and add the required Xen features:

$ cd linux-3.9.2
$ make menuconfig

Location:
-> Processor type and features
-> Paravirtualized guest support
Select all features.

Location:
-> Device Drivers
-> Block devices
Select the two features “Xen virtual block device support” and “Xen block-device backend driver”

Location:
-> Device Drivers
-> Xen driver support
Select all features.

Location:
-> Device Drivers
-> Network device support
Select the two features “Xen network device frontend driver” and “Xen backend network device”

Lastly, you can search using “/” when at the root menu to see what you have enabled:

Which will provide you a list of features that have been selected but it may be easier to grep through the .config as shown in the next command.

You can use “grep” to ensure you should have similar values for your Xen settings after running menu config.

$ grep XEN .config
CONFIG_XEN=y
CONFIG_XEN_DOM0=y
CONFIG_XEN_PRIVILEGED_GUEST=y
CONFIG_XEN_PVHVM=y
CONFIG_XEN_MAX_DOMAIN_MEMORY=500
CONFIG_XEN_SAVE_RESTORE=y
CONFIG_XEN_DEBUG_FS=y
CONFIG_PCI_XEN=y
CONFIG_XEN_PCIDEV_FRONTEND=y
CONFIG_XEN_BLKDEV_FRONTEND=y
CONFIG_XEN_BLKDEV_BACKEND=y
CONFIG_NETXEN_NIC=m
CONFIG_XEN_NETDEV_FRONTEND=y
CONFIG_XEN_NETDEV_BACKEND=y
CONFIG_INPUT_XEN_KBDDEV_FRONTEND=y
CONFIG_HVC_XEN=y
CONFIG_HVC_XEN_FRONTEND=y
# CONFIG_XEN_WDT is not set
CONFIG_XEN_FBDEV_FRONTEND=y
CONFIG_XEN_BALLOON=y
CONFIG_XEN_BALLOON_MEMORY_HOTPLUG=y
CONFIG_XEN_SCRUB_PAGES=y
CONFIG_XEN_DEV_EVTCHN=y
CONFIG_XEN_BACKEND=y
CONFIG_XENFS=y
CONFIG_XEN_COMPAT_XENFS=y
CONFIG_XEN_SYS_HYPERVISOR=y
CONFIG_XEN_XENBUS_FRONTEND=y
CONFIG_XEN_GNTDEV=y
CONFIG_XEN_GRANT_DEV_ALLOC=y
CONFIG_SWIOTLB_XEN=y
CONFIG_XEN_PCIDEV_BACKEND=y
CONFIG_XEN_PRIVCMD=y
CONFIG_XEN_ACPI_PROCESSOR=y
CONFIG_XEN_MCE_LOG=y
CONFIG_XEN_HAVE_PVMMU=y

If all of the Xen features are enabled, move on to compiling.

$ make bzImage
$ make modules
$ sudo make modules_install

Copy the images to the appropriate locations.

$ sudo cp -a arch/x86/boot/bzImage /boot/vmlinuz-3.9.2
$ sudo cp -a System.map /boot/System.map-3.9.2
$ sudo cp -a .config /boot/config-3.9.2
$ sudo depmod -a
$ sudo mkinitrd /boot/initrd.img-3.9.2 3.9.2

Add a grub entry to /etc/grub.conf, make sure it is the first entry but leave an existing distribution kernel entry to fall back to if there are problems:

title Xen 4.2.1 / Kernel 3.9.2
root (hd0,0)
kernel /xen.gz
module /vmlinuz-3.9.2
module /initrd.img-3.9.2

Reboot the system and you should be able to run the following command to verify that your efforts have paid off.

$ sudo xl list
Name                                        ID   Mem VCPUs      State   Time(s)
Domain-0                                     0  2048     1     r-----     941.4

Now you can move on to setting up a guest as described in Creating Debian guests on Xen using parition based filesystem.

If you are unable to reboot using your new kernel, revert back to a distro kernel and double check that you have done everything as described. If something is not clear or could be improved upon, let me know by leaving a comment below.

Passive DNS collection and analysis using YaF and Mediator

2013-05-20T11:12:00-04:00

Passive DNS is a useful tool for any analysts teams toolbox, I have noted several public sensors here but they only see data (queries and responses) that transverse their sensors. I have been working on setting up passive DNS using Yet another Flowmeter (YaF) and Mediator (YaF to MySQL) to fill the gap where third-party sensors may not be providing the coverage I would like. Passive DNS can provide tremendous insight and analytics upon DNS queries that users and/or malware may beperforming. A few items of interest:

Hostnames that have a large number of IP addresses associated with them in a short time period and they have only been visited by very few hosts host on the network.
Tertiary name usage associated with a specific domain?
When was the domain first resolved on the network and further, how often is it being resolved and by whom?
A recently accessed/registered domain with short time to live (TTLs) often associated with new IP addresses may indicate malicious activity, or a CDN.
Queries for TLDs that you typically do not interact with may be worth looking into.
Users using non-approved DNS servers

Passive DNS may be also helpful in tracking infections using Fast-fluxwhich make blocking the C2 difficult as the attackers will create algorithms to rotate the IP addresses and even the hostnames in the case of double-flux. (TorPig) The list goes on but in a nutshell, I wanted to be able to perform this activity without having to rely on having all of the DNS server logs in a centralized location, especially since users may reconfigure their DNS settings to use non-approved servers, e.g. BYOD.

This entry demonstrates how to build and setup YaF and Mediator both of which are available from the CERT NetSA site and should be considered complementary to the documentation the NetSA team have already provided for each of the respective tools. This setup was tested on CentOS 6.4 but most Linux distributions should work fine.

Have site reconfigure interfaces on all hosts. eth0 should be management interface and eth1 should be the tap OR whatever makes sense, this need to happen every time the host comes up, i.e.

sudo ifconfig eth1 up promisc

Ensure development libraries/dependencies are installed. Some may require enabling the optional software channel

sudo yum install glib2-devel lzo  gcc-c++ libpcap-devel pcre-devel

Install libfixbuf

cd libfixbuf-1.3.0
./configure
make
sudo make install

Install YaF

cd yaf-2.3.3
export PKG_CONFIG_PATH=/usr/local/lib/pkgconfig/
./configure --with-libpcap --enable-applabel --enable-plugins
make
sudo make install

Edit ld

sudo echo "/usr/local/lib" >> /etc/ld.so.conf
sudo /sbin/ldconfig
sudo /sbin/ldconfig -v | grep libzmq # should rebuild the cache including zmq too.

export PATH=$PATH:/usr/local/lib
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/lib

Configure cmake

cd cmake-2.8.10.2
./configure
gmake

Optionally, configure YaF to File output for testing purposes.

export PKG_CONFIG_PATH=/usr/local/lib/pkgconfig/
cd yaf_file_mediator-1.1.0/
./configure
../cmake-2.8.10.2/bin/cmake .
make

Configure YaF to MySQL

export PKG_CONFIG_PATH=/usr/local/lib/pkgconfig/
cd yaf_silk_mysql_mediator-1.4.0
../cmake-2.8.10.2/bin/cmake .
./configure --with-mysql
make

Next, populate create a database and respective tables:

./yafMySQL -o localhost -n username -p password -d eflows

Setup YaF to start capturing. Here we are only capture DNS traffic and rotating the files written to disk after 5 minutes. Originally set to 10 minutes but yaf_silk_mysql_mediator would segmentation fault because MySQL would close the connection before all of the data would insert. We have a continuous method that works a little better which we should a little later. We lock the file so that another process cannot take the file that is currently being written to.

sudo /usr/local/bin/yaf --live pcap --in eth1 --out /data/ipfix/ --rotate 600 --filter="port 53" --applabel --applabel-rules=/usr/local/etc/yafApplabelRules.conf --max-payload=1000 --plugin-name=/usr/local/lib/yaf/dpacketplugin.la --plugin-opts="53" --lock --become-user=nobody --become-group=nobody &

Testing the output of a YaF

yaf_file_mediator-1.1.0/yaf_file_mediator --input /data/ipfix/filename.yaf --output test.txt

After a few minutes, you should be able to parse the filename.yaf that was first written (in this case 5 minutes). The contents of test.txt should be similar to the following:

-------------------------------
Template ID is 45841
Application Label: 53
Source IP: 192.168.0.5
Destination IP: 8.8.8.8
Source Port: 53855
Dest Port: 53
Flow Attributes: 1
Rev Flow Attributes: 0
flowStartTime: 2013-04-24 23:53:43
flowEndTime: 2013-04-24 23:58:02
flowEndReason: 1
Protocol: 17
Octet Total Count: 120
Rev Octet count: 244
Packet Total Count: 2
Rev Packet Total Count: 2
DNS ID: 32852 Type: 28 RR Section: 0 TTL: 0 Query: www.google.com.
DNS ID: 32852 Type: 28 RR Section: 1 TTL: 204 RRName: www.google.com. AAAA: 2607:f8b0:400c:0c04::0069

-------------------------------
Template ID is 45841
Application Label: 53
Source IP: 192.168.0.5
Destination IP: 8.8.8.8
Source Port: 50845
Dest Port: 53
flowStartTime: 2013-04-24 23:58:02
flowEndTime: 2013-04-24 23:58:02
flowEndReason: 1
Protocol: 17
Octet Total Count: 60
Rev Octet count: 156
Packet Total Count: 1
Rev Packet Total Count: 1
DNS ID: 21141 Type: 1 RR Section: 0 TTL: 0 Query: www.google.com.
DNS ID: 21141 Type: 1 RR Section: 1 TTL: 208 RRName: www.google.com. A: 74.125.26.103
DNS ID: 21141 Type: 1 RR Section: 1 TTL: 208 RRName: www.google.com. A: 74.125.26.99
DNS ID: 21141 Type: 1 RR Section: 1 TTL: 208 RRName: www.google.com. A: 74.125.26.105
DNS ID: 21141 Type: 1 RR Section: 1 TTL: 208 RRName: www.google.com. A: 74.125.26.104
DNS ID: 21141 Type: 1 RR Section: 1 TTL: 208 RRName: www.google.com. A: 74.125.26.106
DNS ID: 21141 Type: 1 RR Section: 1 TTL: 208 RRName: www.google.com. A: 74.125.26.147

After you have confirmed that your YaF entries contain records, adda little automation. This will scoop up the files in the directory where the YaF files are being written, place them in the MySQL DBMS and delete the file. Note, if you start seeing “Segmentation Fault” then MySQL maybe closing the connection before all of the records from the YaF file could be written to the DBMS. You can try modifying MySQL parameters or reduce the the size of YaF files being written to disk in order to try mitigating this symptom if it occurs in your environment.

for i in $( ls /data/ipfix/*.yaf ); do /home/user/silk-installs/yaf_silk_mysql_mediator-1.4.0/yaf_silk_mysql_mediator --in-file $i --mysql-host localhost --name username --pass password --database eflows && sudo rm $i; done

Here is our first query, lets see who has recently made requests for www.google.com.

mysql> SELECT rrname,rrval,srcip4,dstip4,flowStartMilliseconds FROM dns d, flows f WHERE f.id = d.id AND rrname LIKE "www.google.com." GROUP by rrval ORDER BY f.id DESC LIMIT 50;
+-----------------+---------------------------+------------+-----------+-----------------------+
| rrname          | rrval                     | srcip4     | dstip4    | flowStartMilliseconds |
+-----------------+---------------------------+------------+-----------+-----------------------+
| www.google.com. | 2001:4860:4001:0802::1012 | 3232235525 | 134744072 | 2013-05-03 17:47:24   |
| www.google.com. | 2001:4860:4001:0801::1014 | 3232235525 | 134744072 | 2013-05-03 15:35:32   |
| www.google.com. | 2001:4860:4001:0802::1014 | 3232235525 | 134744072 | 2013-05-03 11:28:42   |
| www.google.com. | 2001:4860:4001:0801::1010 | 3232235525 | 134744072 | 2013-05-02 16:48:31   |
| www.google.com. | 2001:4860:4001:0802::1011 | 3232235525 | 134744072 | 2013-05-02 13:33:57   |
| www.google.com. | 2001:4860:4001:0803::1010 | 3232235525 | 134744072 | 2013-05-02 12:01:56   |
| www.google.com. | 2607:f8b0:4004:0801::1012 | 3232235525 | 134744072 | 2013-05-01 21:36:55   |
| www.google.com. | 2001:4860:4001:0802::1010 | 3232235525 | 134744072 | 2013-05-01 12:44:52   |
| www.google.com. | 74.125.239.80             | 3232235525 | 134744072 | 2013-05-01 10:45:04   |
| www.google.com. | 74.125.239.83             | 3232235525 | 134744072 | 2013-05-01 10:45:04   |
| www.google.com. | 74.125.239.82             | 3232235525 | 134744072 | 2013-05-01 10:45:04   |
| www.google.com. | 74.125.239.81             | 3232235525 | 134744072 | 2013-05-01 10:45:04   |
| www.google.com. | 74.125.239.84             | 3232235525 | 134744072 | 2013-05-01 10:45:04   |
| www.google.com. | 2607:f8b0:4004:0802::1010 | 3232235525 | 134744072 | 2013-04-29 19:54:00   |
| www.google.com. | 2607:f8b0:4005:0802::1010 | 3232235525 | 134744072 | 2013-04-28 15:52:00   |
| www.google.com. | 2607:f8b0:4004:0803::1013 | 3232235525 | 134744072 | 2013-04-28 15:05:53   |
| www.google.com. | 2607:f8b0:4005:0802::1011 | 3232235525 | 134744072 | 2013-04-27 14:45:35   |
| www.google.com. | 2607:f8b0:4004:0801::1013 | 3232235525 | 134744072 | 2013-04-26 18:53:45   |
| www.google.com. | 2607:f8b0:4005:0802::1012 | 3232235525 | 134744072 | 2013-04-26 13:55:51   |
| www.google.com. | 2607:f8b0:4005:0802::1013 | 3232235525 | 134744072 | 2013-04-26 12:35:18   |
| www.google.com. | 74.125.239.145            | 3232235525 | 134744072 | 2013-04-26 12:03:10   |
| www.google.com. | 74.125.239.148            | 3232235525 | 134744072 | 2013-04-26 12:03:10   |
| www.google.com. | 74.125.239.146            | 3232235525 | 134744072 | 2013-04-26 12:03:10   |
| www.google.com. | 74.125.239.147            | 3232235525 | 134744072 | 2013-04-26 12:03:10   |
| www.google.com. | 74.125.239.144            | 3232235525 | 134744072 | 2013-04-26 12:03:10   |
| www.google.com. | 2607:f8b0:4005:0802::1014 | 3232235525 | 134744072 | 2013-04-26 11:31:59   |
| www.google.com. | 74.125.228.112            | 3232235525 | 134744072 | 2013-04-25 16:25:39   |
| www.google.com. | 74.125.228.114            | 3232235525 | 134744072 | 2013-04-25 16:25:39   |
| www.google.com. | 74.125.228.113            | 3232235525 | 134744072 | 2013-04-25 16:25:39   |
| www.google.com. | 74.125.228.115            | 3232235525 | 134744072 | 2013-04-25 16:25:39   |
| www.google.com. | 74.125.228.116            | 3232235525 | 134744072 | 2013-04-25 16:25:39   |
| www.google.com. | 2607:f8b0:4004:0802::1012 | 3232235525 | 134744072 | 2013-04-25 11:29:45   |
| www.google.com. | 2607:f8b0:4004:0803::1014 | 3232235525 | 134744072 | 2013-04-24 20:33:42   |
| www.google.com. | 2607:f8b0:400e:0c04::006a | 3232235525 | 134744072 | 2013-04-24 18:04:19   |
| www.google.com. | 2607:f8b0:400e:0c02::006a | 3232235525 | 134744072 | 2013-04-24 15:26:22   |
| www.google.com. | 74.125.228.20             | 3232235525 | 134744072 | 2013-04-24 12:05:43   |
| www.google.com. | 74.125.228.16             | 3232235525 | 134744072 | 2013-04-24 12:05:43   |
| www.google.com. | 74.125.228.18             | 3232235525 | 134744072 | 2013-04-24 12:05:43   |
| www.google.com. | 74.125.228.19             | 3232235525 | 134744072 | 2013-04-24 12:05:43   |
| www.google.com. | 74.125.228.17             | 3232235525 | 134744072 | 2013-04-24 12:05:43   |
| www.google.com. | 2607:f8b0:4004:0801::1014 | 3232235525 | 134744072 | 2013-04-23 20:43:26   |
| www.google.com. | 74.125.228.50             | 3232235525 | 134744072 | 2013-04-23 20:38:43   |
| www.google.com. | 74.125.228.51             | 3232235525 | 134744072 | 2013-04-23 20:38:43   |
| www.google.com. | 74.125.228.52             | 3232235525 | 134744072 | 2013-04-23 20:38:43   |
| www.google.com. | 74.125.228.48             | 3232235525 | 134744072 | 2013-04-23 20:38:43   |
| www.google.com. | 74.125.228.49             | 3232235525 | 134744072 | 2013-04-23 20:38:43   |
| www.google.com. | 2607:f8b0:4004:0801::1011 | 3232235525 | 134744072 | 2013-04-23 18:38:52   |
| www.google.com. | 2607:f8b0:400e:0c01::0067 | 3232235525 | 134744072 | 2013-04-23 15:57:45   |
| www.google.com. | 2607:f8b0:4004:0801::1010 | 3232235525 | 134744072 | 2013-04-23 15:07:59   |
| www.google.com. | 2607:f8b0:400e:0c01::0069 | 3232235525 | 134744072 | 2013-04-23 12:30:28   |
+-----------------+---------------------------+------------+-----------+-----------------------+

Here is a similar query but we want to see any tertiary youtube.com domains and sort by the lookup returned.

mysql> SELECT qr,type,auth,nx,ttl,rrname,rrval from dns WHERE rrname LIKE "%.youtube.com." GROUP BY rrval LIMIT 50;
+------+------+------+------+------+--------------------------------+----------------+
| qr   | type | auth | nx   | ttl  | rrname                         | rrval          |
+------+------+------+------+------+--------------------------------+----------------+
|    0 |    1 |    0 |    0 |    0 | www.youtube.com.               |                |
|    1 |    1 |    0 |    0 |  300 | v17.lscache2.c.youtube.com.    | 12.216.80.12   |
|    1 |    1 |    0 |    0 | 1800 | r2.sn-5uu-vgqe.c.youtube.com.  | 12.216.80.13   |
|    1 |    1 |    0 |    0 | 1800 | r3.sn-5uu-vgqe.c.youtube.com.  | 12.216.80.14   |
|    1 |    1 |    0 |    0 | 1800 | r4.att-ord1.c.youtube.com.     | 12.216.80.15   |
|    1 |    1 |    0 |    0 | 1800 | r6.sn-5uu-vgqe.c.youtube.com.  | 12.216.80.17   |
|    1 |    1 |    0 |    0 | 1714 | r8.sn-5uu-vgqe.c.youtube.com.  | 12.216.80.19   |
|    1 |    1 |    0 |    0 | 1741 | r1.sn-5uu-vgql.c.youtube.com.  | 12.216.80.44   |
|    1 |    1 |    0 |    0 | 1800 | r2.sn-5uu-vgql.c.youtube.com.  | 12.216.80.45   |
|    1 |    1 |    0 |    0 | 1800 | r3.sn-5uu-vgql.c.youtube.com.  | 12.216.80.46   |
|    1 |    1 |    0 |    0 | 1279 | r4.sn-5uu-vgql.c.youtube.com.  | 12.216.80.47   |
|    1 |    1 |    0 |    0 | 1800 | r6.sn-5uu-vgql.c.youtube.com.  | 12.216.80.49   |
|    1 |    1 |    0 |    0 | 1800 | r7.sn-5uu-vgql.c.youtube.com.  | 12.216.80.50   |
|    1 |    1 |    0 |    0 | 1739 | r8.sn-5uu-vgql.c.youtube.com.  | 12.216.80.51   |
|    1 |    1 |    0 |    0 | 1800 | r12.sn-hp576nes.c.youtube.com. | 173.194.17.17  |
|    1 |    1 |    0 |    0 | 1800 | r20.sn-hp576nes.c.youtube.com. | 173.194.17.25  |
|    1 |    1 |    0 |    0 | 1800 | r6.sn-q4f7dnel.c.youtube.com.  | 173.194.24.11  |
|    1 |    1 |    0 |    0 | 1800 | r1.dfw06s08.c.youtube.com.     | 173.194.24.134 |
|    1 |    1 |    0 |    0 | 1800 | r15.sn-q4f7dn7r.c.youtube.com. | 173.194.24.148 |
|    1 |    1 |    0 |    0 | 1800 | r18.sn-hp576n7d.c.youtube.com. | 173.194.29.119 |
|    1 |    1 |    0 |    0 | 1800 | r9.sn-hp576n7z.c.youtube.com.  | 173.194.29.46  |
|    1 |    1 |    0 |    0 | 1800 | r5.sn-ab5e6ner.c.youtube.com.  | 173.194.31.10  |
|    1 |    1 |    0 |    0 | 1800 | r1.sn-ab5e6nle.c.youtube.com.  | 173.194.31.102 |
|    1 |    1 |    0 |    0 |  640 | r2.sn-ab5e6nle.c.youtube.com.  | 173.194.31.103 |
|    1 |    1 |    0 |    0 | 1800 | r3.sn-ab5e6nle.c.youtube.com.  | 173.194.31.104 |
|    1 |    1 |    0 |    0 | 1800 | r4.sn-ab5e6nle.c.youtube.com.  | 173.194.31.105 |
|    1 |    1 |    0 |    0 | 1800 | r5.sn-ab5e6nle.c.youtube.com.  | 173.194.31.106 |
|    1 |    1 |    0 |    0 | 1800 | r6.sn-ab5e6nle.c.youtube.com.  | 173.194.31.107 |
|    1 |    1 |    0 |    0 | 1800 | r7.sn-ab5e6nle.c.youtube.com.  | 173.194.31.108 |
|    1 |    1 |    0 |    0 | 1800 | r8.sn-ab5e6nle.c.youtube.com.  | 173.194.31.109 |
|    1 |    1 |    0 |    0 |  705 | r6.sn-ab5e6ner.c.youtube.com.  | 173.194.31.11  |
|    1 |    1 |    0 |    0 | 1800 | r9.sn-ab5e6nle.c.youtube.com.  | 173.194.31.110 |
|    1 |    1 |    0 |    0 | 1800 | r10.sn-ab5e6nle.c.youtube.com. | 173.194.31.111 |
|    1 |    1 |    0 |    0 |  292 | r11.sn-ab5e6nle.c.youtube.com. | 173.194.31.112 |
|    1 |    1 |    0 |    0 | 1800 | r12.sn-ab5e6nle.c.youtube.com. | 173.194.31.113 |
|    1 |    1 |    0 |    0 |  178 | r13.sn-ab5e6nle.c.youtube.com. | 173.194.31.114 |
|    1 |    1 |    0 |    0 | 1800 | r14.sn-ab5e6nle.c.youtube.com. | 173.194.31.115 |
|    1 |    1 |    0 |    0 | 1800 | r15.sn-ab5e6nle.c.youtube.com. | 173.194.31.116 |
|    1 |    1 |    0 |    0 | 1800 | r16.sn-ab5e6nle.c.youtube.com. | 173.194.31.117 |
|    1 |    1 |    0 |    0 | 1800 | r17.sn-ab5e6nle.c.youtube.com. | 173.194.31.118 |
|    1 |    1 |    0 |    0 | 1800 | r18.sn-ab5e6nle.c.youtube.com. | 173.194.31.119 |
|    1 |    1 |    0 |    0 | 1653 | r7.sn-ab5e6ner.c.youtube.com.  | 173.194.31.12  |
|    1 |    1 |    0 |    0 | 1800 | r19.sn-ab5e6nle.c.youtube.com. | 173.194.31.120 |
|    1 |    1 |    0 |    0 | 1800 | r20.sn-ab5e6nle.c.youtube.com. | 173.194.31.121 |
|    1 |    1 |    0 |    0 | 1800 | r8.sn-ab5e6ner.c.youtube.com.  | 173.194.31.13  |
|    1 |    1 |    0 |    0 |   81 | r1.sn-ab5e6nll.c.youtube.com.  | 173.194.31.134 |
|    1 |    1 |    0 |    0 | 1800 | r2.sn-ab5e6nll.c.youtube.com.  | 173.194.31.135 |
|    1 |    1 |    0 |    0 | 1800 | r3.sn-ab5e6nll.c.youtube.com.  | 173.194.31.136 |
|    1 |    1 |    0 |    0 | 1800 | r4.sn-ab5e6nll.c.youtube.com.  | 173.194.31.137 |
|    1 |    1 |    0 |    0 | 1800 | r5.lga15s22.c.youtube.com.     | 173.194.31.138 |
+------+------+------+------+------+--------------------------------+----------------+
50 rows in set (22.17 sec)

An alternative method is to write YaF records directly to mediator, and further the MySQL DBMS rather then writing files to disk although youcan still do this with the appropriate toggles. Here is example usage to start the processes:

$ ./silk-installs/yaf_silk_mysql_mediator-1.4.0/yaf_silk_mysql_mediator --in-host=127.0.0.1 --in-port=18000 --mysql-host=localhost --name=username --pass password --database eflows
$ sudo /usr/local/bin/yaf --live pcap --in eth1 --out 127.0.0.1 --ipfix-port=18000 --ipfix tcp --log=/var/log/yaf.log --filter="port 53" --applabel --applabel-rules=/usr/local/etc/yafApplabelRules.conf --max-payload=1000 --plugin-name=/usr/local/lib/yaf/dpacketplugin.la --plugin-opts="53" &

Ensure YaF and mediator are connected:

$ sudo netstat -tupan|grep yaf
tcp        0      0 127.0.0.1:18000             0.0.0.0:*                   LISTEN      6497/yaf_silk_mysql
tcp        0      0 127.0.0.1:47417             127.0.0.1:18000             ESTABLISHED 6513/yaf
tcp        0      0 127.0.0.1:18000             127.0.0.1:47417             ESTABLISHED 6497/yaf_silk_mysql

You may use the following MySQL query to see when the table was last updated to ensure records are being inserted on a regular basis:

mysql> SHOW TABLE STATUS in eflows;

After a few minutes of collection, query a domain that has been recently resolved and you should see it in the DBMS.

mysql> SELECT rrname,rrval from dns WHERE rrname LIKE "%rsreese.com." GROUP BY rrval LIMIT 10;
+--------------+--------------------------------+
| rrname       | rrval                          |
+--------------+--------------------------------+
| rsreese.com. |                                |
| rsreese.com. | 2600:3c02::f03c:91ff:fe96:f7bd |
| rsreese.com. | 74.207.234.79                  |
| rsreese.com. | ns1.linode.com.                |
| rsreese.com. | ns2.linode.com.                |
| rsreese.com. | ns3.linode.com.                |
| rsreese.com. | ns4.linode.com.                |
| rsreese.com. | ns5.linode.com.                |
+--------------+--------------------------------+
8 rows in set (18.26 sec)

There are a number of different fields available for query so I leave it to you to come up with whatever is most useful for you. Further, think of how you could write a shiny front-end for analysts to use rather then having to use the MySQL command line interface. Hope you found this useful and leave a comment if you did or have any questions.

Running Moloch

2013-03-16T18:19:00-04:00

This is an overview of installing and running Moloch on a single host. After seeing the 2013 ShmooCon presentation, I have been looking forward to giving the tool a test-drive. Per the documentation, “Moloch is a open source large scale IPv4 full PCAP capturing, indexing and database system”. It is fast and has a pretty nice interface to boot. Although it does not contain the same feature-set as some commercial over the shelf (COTS) products, I see Moloch fitting into a similar space where COTS products such might sit. When analysts are made aware of anomaly-based alerts from signature/misuse based intrusion detection systems (IDS), e.g. Snort, or anomalous activity from network flow, e.g. SiLK, the analyst can obtain packet capture (PCAP) for further investigation. The existing commercial tool suites are expensive PCAP indexing tools if that is all they are being used for, especially if you are locked into their storage mechanism. A budget conscious security operation center (SOC) can setup Moloch for a fraction of the maintenance cost of commercial offerings and instead use the funds for additional hardware (longer retention), maintenance, and even some Moloch development contribution.

Although the developers have provided a script to get Moloch going, I had a few hiccups so I figured I would document them in the event they help someone else out. I used a CentOS release 6.4 (Final) x86_64 base bare-metal install. I imagine you could run it in a virtual environment for testing purposes. After you get the operating system (OS) installed and patched, pull down the latest Oracle Java for your distribution. Untar the package and create a symbolic in a directory that Moloch will be able to find.

$ sudo cp -R jre1.7.0_17/ /usr/bin/
$ sudo  ln -s /usr/bin/jre1.7.0_17/bin/java /usr/bin/java

Next, pull down the latest moloch build. I just grabbed the ZIP but it is hosted on GitHub. You might want to take a look at the install script to see if everything is ideal for you. Run the easy installer which should pull down the prerequisites needed, build and install.

$ cd moloch-master/
$ sudo ./easybutton-singlehost.sh

If everything went smoothly, the script will try starting the three Moloch components being elasticsearch, capture, and viewer. The latter process did not start and this was probably for the better as I required me to take a closer look at what the install script was doing and the default configuration files (config.ini and elaseticsearch.yml). The configuration files are located in:

# ls -l /data/moloch/etc/
total 4680
-rw-r--r--. 1 root root    6766 Mar 14 17:21 config.ini
-rw-r--r--. 1 root root    6551 Mar 13 22:30 config.ini.template
-rw-r--r--. 1 root root   12545 Mar 14 22:54 elasticsearch.yml
-rw-r--r--. 1 root root 3360134 Mar  6 15:10 GeoIPASNum.dat
-rw-r--r--. 1 root root 1358092 Mar  5 21:48 GeoIP.dat
-rw-r--r--. 1 root root    1249 Mar 13 22:31 moloch.crt
-rw-r--r--. 1 root root    1029 Mar 13 22:31 moloch.csr
-rw-r--r--. 1 root root    1704 Mar 13 22:31 moloch.key
-rw-r--r--. 1 root root   10875 Mar 13 22:31 openssl.cnf
-rw-r--r--. 1 root root   10909 Mar 13 22:30 openssl.cnf.template

First, I had to sort out what was preventing the viewer from starting so I took a look at the viewer.log.

Mar 13 23:13:04 http.c:245 moloch_http_connect(): Connecting 0x7f6e0d19b010
Mar 13 23:13:04 http.c:276 moloch_http_connect(): 0x7f6e0d19b010: Error: Error connecting: Address family not supported by protocol
Couldn't connect to elastic search at 'localhost:9200'

Log files are located in:

# ls -l /data/moloch/logs/
total 6047776
-rw-r--r--. 1 root root 6180585472 Mar 15 23:44 capture.log
-rw-r--r--. 1 root root   12062720 Mar 14 17:22 capture.log.old
-rw-r--r--. 1 root root          0 Mar 13 22:31 Moloch_index_indexing_slowlog.log
-rw-r--r--. 1 root root          0 Mar 13 22:31 Moloch_index_search_slowlog.log
-rw-r--r--. 1 root root        163 Mar 15 20:00 Moloch.log
-rw-r--r--. 1 root root       2943 Mar 13 23:27 Moloch.log.2013-03-13
-rw-r--r--. 1 root root      35410 Mar 14 23:34 Moloch.log.2013-03-14
-rw-r--r--. 1 root root     208487 Mar 15 23:06 viewer.log
-rw-r--r--. 1 root root       1668 Mar 15 09:06 viewer.log.old

I had to change the directive in the config.ini from localhost to 127.0.0.1, otherwise the viewer would not connect to the elasticsearch instance in CentOS. Probably due to the initial IPv6 look-up, just a guess. Also added a Berkley packet filter (BPF) to prevent the capture and indexing of internal-to-internal traffic.

elasticsearch=127.0.0.1:9200
bpf=not src net (10.0.0.0/8) and dst net (10.0.0.0/8)

While I was adjusting the configuration, I decided to adjust the elasticsearch memory usage from what I originally specified in the installer script. You might want to take a look at their hardware requirements but I was able to run with a less powerful node:

$ sudo vim /data/moloch/bin/run_es.sh

ES_HEAP_SIZE=2G bin/elasticsearch -Des.config=${TDIR}/etc/elasticsearch.yml

The viewer would now start (the capture and viewer process were already running but had gracefully killed them). Here are the commands to start each process based on the default installation criteria.

$ sudo nohup /data/moloch/bin/run_es.sh
$ sudo nohup /data/moloch/bin/run_capture.sh &
$ sudo nohup /data/moloch/bin/run_viewer.sh &

Sessions page screen-shot after capturing some traffic, not including session listing:

Stats page screen-shot:

I noticed the mention of two plugins to keep tabs on the elasticsearch memory usage and to maintain session data. This is pretty important as I determined if you remove PCAP and the session data remained, think metadata, users that attempted to drill-down on the aforementioned session data for the missing PCAP would cause the viewer process to die. In my case, I setup Putty to tunnel my connection to the locally listening plug-in interfaces and delete the offending session data:

ElasticSearch maintenance screenshot located at http://127.0.0.1:9200/_plugin/head/ after tunneling via Putty. I was able to drop the session via this interface.

Node statistics screen-shot accessed at http://127.0.0.1:9200/_plugin/bigdesk/ after correctly configuring Putty. Note that we want to keep an eye on the heap memory to ensure it does not approach the maximum specified value. There are many more statistics not shown in this screen-shot.

Here is a Youtube video featuring Moloch in actions. As usual, if you have trouble installing or running Moloch, please leave a comment below, and do not forget to check out the Moloch FAQ.

Increment IP packet timestamp

2013-03-13T02:48:00-04:00

I recently had a need to specify and increment the IP timestamp values of packets in a PCAP. In this example, the starting second value is specified and we increment the microsecond value. This requires the use of Scapy. If you have any questions or recommendations for improvement, please leave a comment below.

#!/usr/bin/python
# Script to parse a PCAP and modify timestamps
# Requires Scapy
# 0.1 - 03012012
# Stephen Reese

from scapy.all import *
import sys

# Get input and output files from command line
if len(sys.argv) < 2:
        print "Usage: rewritetimestamp.py inputpcapfile"
        sys.exit(1)

# Assign variable names for input and output files
infile = sys.argv[1]

def process_packets():
    pkts = rdpcap(infile)
    cooked=[]
    timestamp = 1234567890.000000
    for p in pkts:
        p.time = timestamp
        timestamp += 0.000001
        pmod=p
        p.time
        cooked.append(pmod)

    wrpcap("out.pcap", cooked)

process_packets()

Running SnortAD

2013-01-10T03:00:00-05:00

I recently fired up a Snort Anomaly Detection instance provided by the SnortAD project and wanted to share my experience for those who might be interested in trying it on your network. SnortAD is the third generation anomaly detection preprocessor for Snort and is a little different than its predecessors but don’t take my word for it, check out their site.

First you need to create a log file based on your network, the log file will contain a profile of your network traffics characteristics. Although a log file has been provided with the SnortAD virtual machine (VM) that contains null entries it will not do you much good aside from alerting on everything. In order to characterize your network, you will need to create a log file with enough data to be statistically relevant. For the impatient, you can create a day or two worth of data and duplicate the data. Duplicating the data will have adverse effects though. Think about a university in which a majority of classes occur on Monday and Wednesday. If you only create a profile for Monday and duplicate it for the rest of the week, you can quickly understand how your results might be skewed.

To get going, use the snort.conf included on SnortAD VM and begin creating a log file but remember to backup or remove the original log file in the event you need it for reference. Also, always backup your configuration files before making changes for good measure.

Configure the snort.conf file to log. Something like the following should work fine:

preprocessor AnomalyDetection: LogPath /var/log/snort log time 60

Next, run Snort to generate log data. As mentioned, you should create enough data to make it statistically relevant. The evaluator script expects three weeks. As an alternate, you might be able to use tcpreplay to replay existing PCAP if you have enough data.

$ sudo /usr/local/bin/snort -c /etc/snort.conf -i eth0

You should start seeing messages to stdout that look like the following:

Loged transfer between 06-01-13 15:33:52 - 06-01-13 15:34:52
Loged transfer between 06-01-13 15:34:52 - 06-01-13 15:35:52

Now you should have a log with a number of entries saved in /var/log/snort. The profile generation script is next run. In this example we specify a week rather than opt for the three week default but again, YMMV and you made need to adjust these values. Also, make sure you check the help of the profile generator as there are other algorithms, five to be specific: Moving average (default), Naive method, Autoregressive time series model, Holt-Winters model, and HW model with Brutlag’s confidence band.

/usr/local/src/profilegenerator/ad_profilegenerator.r -m AVG --avg 'WEEKLY,1' -l Log_Data.txt -p profile.txt -e evaluator.txt -P pattern.txt

The previous command creates the profile.txt file which is a CSV file, i.e. you could respectively name it profile.csv. The CSV file will be used by your updated snort.conf file. In order to enable anomaly detection, we need to download or create a few Snort configuration files:

$ ls -l /etc/snort
total 4200
-rw-r--r--. 1 root root    3621 Jan  5 15:35 classification.config
-rw-r--r--. 1 root root   29596 Jan  5 15:35 gen-msg.map
-rw-r--r--. 1 root root    7897 Jan  5 15:35 preprocessor.rules
-rw-r--r--. 1 root root 1484013 Jan  5 15:35 profile.csv
-rw-r--r--. 1 root root     746 Jan  5 15:35 reference.config
-rw-r--r--. 1 root root 2696705 Jan  5 15:35 sid-msg.map
-rw-r--r--. 1 root root     255 Jan  5 15:35 snort.conf
-rw-r--r--. 1 root root    2556 Jan  5 15:35 threshold.conf
-rw-r--r--. 1 root root   53841 Jan  5 15:35 unicode.map

I found it simplest to pull down the latest Snort signature as they have the additional required files that are not included in the provide SnortAD build. You can pull down the needed preprocessor.rules from one of the authors bitbucket. The snort.conf was populated with the following contents:

include classification.config
include reference.config
include preprocessor.rules
preprocessor AnomalyDetection: ProfilePath /etc/snort/profile.csv LogPath /var/log/snort alert log time 60

If you have everything in the /etc/snort directory, you should be able to run Snort and see alerts when anomalies are detected:

$ sudo /usr/local/bin/snort -c /etc/snort/snort.conf -i eth0

Here are some sample alerts from some early testing. It will probably take some tuning to begin seeing useful alerts:

[**] [1000100:1000101:1] AD_UNUSUALLY_HIGH_TCP_TRAFFIC [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
01/06-20:59:04.308505 10.0.0.116 -> 8.8.8.8
ICMP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:84 DF
Type:8  Code:0  ID:30537   Seq:1  ECHO

[**] [1000100:1000107:1] AD_HIGH_LAN_TCP_TRAFFIC [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
01/06-20:59:04.308505 10.0.0.116 -> 8.8.8.8
ICMP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:84 DF
Type:8  Code:0  ID:30537   Seq:1  ECHO

[**] [1000100:1000108:1] AD_UNUSUALLY_LOW_UDP_TRAFFIC [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
01/06-20:59:04.308505 10.0.0.116 -> 8.8.8.8
ICMP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:84 DF
Type:8  Code:0  ID:30537   Seq:1  ECHO

[**] [1000100:1000114:1] AD_LOW_LAN_UDP_TRAFFIC [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
01/06-20:59:04.308505 10.0.0.116 -> 8.8.8.8
ICMP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:84 DF
Type:8  Code:0  ID:30537   Seq:1  ECHO

[**] [1000100:1000134:1] AD_LOW_ARP_REQUEST_NUMBER [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
01/06-20:59:04.308505 10.0.0.116 -> 8.8.8.8
ICMP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:84 DF
Type:8  Code:0  ID:30537   Seq:1  ECHO

[**] [1000100:1000138:1] AD_LOW_NOT_TCP_IP_TRAFFIC [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
01/06-20:59:04.308505 10.0.0.116 -> 8.8.8.8
ICMP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:84 DF
Type:8  Code:0  ID:30537   Seq:1  ECHO

[**] [1000100:1000140:1] AD_LOW_OVERALL_PACKET_NUMBER [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
01/06-20:59:04.308505 10.0.0.116 -> 8.8.8.8
ICMP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:84 DF
Type:8  Code:0  ID:30537   Seq:1  ECHO

If you have any questions, leave a comment and/or check out the authors Readme.txt for some additional usage insight.

Mailing Lists

2012-11-10T04:27:00-05:00

Here are a few technology and information security related mailing-lists that I subscribe to in no particular order. Leave a comment if you think I missed one.

asterisk-users.lists.digium.com
beginners.perl.org
snort-users.lists.sourceforge.net
nessus.list.nessus.org
pauldotcom.mail.pauldotcom.com
samurai-devel.lists.sourceforge.net
ptk-forensics-mail.lists.sourceforge.net
gcfa.lists.sans.org
framework-hackers.spool.metasploit.com
framework.spool.metasploit.com
secureideas-base-user.lists.sourceforge.net
python-list.python.org
nexpose-users.lists.rapid7.com
winquisitor-beta.googlegroups.com
securitybsides.googlegroups.com
datarecoverycertification.googlegroups.com
full-disclosure.lists.grok.org.uk
scap_interest.ietf.org
cipp.news.infracritical.com
scadasec.news.infracritical.com
debian-security-announce.lists.debian.org
bugtraq.list-id.securityfocus.com
ietf.ietf.org
dfir.lists.sans.org
webappsec.list-id.securityfocus.com
sleuthkit-users.lists.sourceforge.net
vol-users.volatilesystems.com
emerging-sigs.emergingthreats.net

Podcasts

2012-09-10T04:29:00-04:00

Here is a list of information technology and security podcasts. Some are technical, others are higher level so YMMV. A source of information to keep me up to date on what is going on in the information technology realm. If you think of something I have missed, leave a commment. Some of these may be explicit so please use discretion and they are in no particular order.

The CyberJungle
Tech Talk
The Digital Underground Podcast
The Linux Action Show! MP3
Packet Pushers Podcast
The Silver Bullet Security Podcast
Social-Engineer.Org PodCast
The Southern Fried Security Podcast
Internet Storm Center Threat Update
RB2
NPR Topics: Technology Podcast
Security Weekly
Sophos Podcasts
Risky Business
Eurotrash Security Podcast: Security with funny accents
SecuraBit
The Security Catalyst
CERT Podcast Series: Security for Business Leaders
My Hard Drive Died - w/Scott Moulton
OWASP Security Podcast
Crypto-Gram Security Podcast
Cisco TAC Security Podcast Series
Off The Hook: high-bitrate MP3 feed
An Information Security Place Podcast
Security Insider - Podcast Edition
Wall Street Journal Tech News Briefing
The 404 (MP3)
Click
Security.Exe powered by The CISO Group with Alan Shimel
FLOSS Weekly
The Stack Exchange Podcast
Down the Security Rabbithole
AuditCasts with David Hoelzer
CERIAS Security Seminar Podcast

Decoding XOR payload using first few bytes as key

2012-07-24T04:07:00-04:00

I recently came across the need to decode an exclusive or (XOR) payload. In my case, the key to de-obfuscating the traffic was the first three bytes of each packets payload. While it is trivial to decode each payload, it was not reasonable for a large number of packets.

For testing purposes, create a packet:

$ scapy
Welcome to Scapy (2.1.0)
>>> p = (IP(ttl=10)/TCP(sport=1024,dport=443,flags="S")/"   WHATSTHESECRET0000ABCD0000ABCD0000ABCD")
>>> wrpcap("p.pcap", p)
>>> quit()

Should see something similar to this:

04:29:31.255470 IP 127.0.0.1.1024 > 127.0.0.1.443: Flags [S], seq 0:41, win 8192, length 41
        0x0000:  4500 0051 0001 0000 0a06 b2a4 7f00 0001  E..Q............
        0x0010:  7f00 0001 0400 01bb 0000 0000 0000 0000  ................
        0x0020:  5002 2000 751d 0000 2020 2057 4841 5453  P...u......WHATS
        0x0030:  5448 4553 4543 5245 5430 3030 3041 4243  THESECRET0000ABC
        0x0040:  4430 3030 3041 4243 4430 3030 3041 4243  D0000ABCD0000ABC
        0x0050:  44                                       D

Next, the payload is XOR using the first three bytes of the payload for the entire payload. If you note the first tcpdump, the three bytes of the payload were left empty, here I am placing the key that will be used to XOR the rest of the payload within the first three bytes of the payload.

The payload has been obfuscated using the key ‘the’.

Next we can use the script below or here to decode all of the packets. The script is not intelligent enough to know which need to be de-obfuscated so it is best to probably filter these into a new PCAP. Secondly, the script requires Scapy to be installed.

#!/usr/bin/python
# Script to parse a PCAP and XOR data based on a byte offset
# Requires Scapy
# 0.1 - 07172012
# Default is two bytes, change at line 35
# Stephen Reese and Chris Gragsone
#
# todo: add two more args, offset length and static offset option

from scapy.all import *
import sys

# Get input and output files from command line
if len(sys.argv) < 2:
        print "Usage: decodexorpayload.py [input pcap file]"
        sys.exit(1)

# Assign variable names for input and output files
infile = sys.argv[1]

def many_byte_xor(buf, key):
    buf = bytearray(buf)
    key = bytearray(key)
    key_len = len(key)
    for i, bufbyte in enumerate(buf):
        buf[i] = bufbyte ^ key[i % key_len]
    return str(buf)

def process_packets():
    pkts = rdpcap(infile)
    cooked=[]
    for p in pkts:
        # You may have to adjust the payload depth here:
        # i.e. p.payload.payload.payload
        pkt_payload = str(p.payload.payload)
        pkt_offset = str(p.payload.payload)[:3]
        if pkt_payload and pkt_offset:
              pmod=p
              # You may have to adjust the payload depth here:
              p.payload.payload=many_byte_xor(pkt_payload, pkt_offset)
              cooked.append(pmod)

    wrpcap("dump.pcap", cooked)

process_packets()

After script completion, viewing the packet does indeed show the de-obfuscated packet:

reading from file dump.pcap, link-type RAW (Raw IP)
04:24:44.415262 IP 127.0.0.1.1024 > 127.0.0.1.443: Flags [S], seq 0:41, win 8192, length 41
        0x0000:  4500 0051 0001 0000 0a06 b2a4 7f00 0001  E..Q............
        0x0010:  7f00 0001 0400 01bb 0000 0000 0000 0000  ................
        0x0020:  5002 2000 751d 0000 0000 0057 4841 5453  P...u......WHATS
        0x0030:  5448 4553 4543 5245 5430 3030 3041 4243  THESECRET0000ABC
        0x0040:  4430 3030 3041 4243 4430 3030 3041 4243  D0000ABCD0000ABC
        0x0050:  44                                       D

There are a number of features that could be added and of course the code can probably be improved upon. Have some ideas? Leave a comment below.

World IPv6 Day

2012-06-07T01:29:00-04:00

World IPv6 Day on June 8th 2012 is rapidly approaching. It is an exciting and scary reality. For my personal assets, there was a small investment on my part to get everything up to par. My internet provider Comcast is dual-stack ready which is nice because I experienced some serious latency from time to time when using a tunnel-broker (note that other factors probably contributed). You can see more information about the Comcast IPv6 trial and preparation here. First, I had to invest in a new cable-modem as my old Motorola SB1000 was not up to the task. Comcast has created a hardware compatibility list. From the list I decided to go with the Motorola SB6121 as I have had pretty good success with their modems in the past. Secondly you need a device that is capable of filtering and distributing addresses to your internal devices. I am not going into details here, but a Cisco ASA5500 or a home-brew Linux device usually will work quite nicely. The most important part to read into is that you are also filtering v6 IP traffic along with the v4 so you do not have evil-doers sneaker-netting into your network. Your network devices will not hide behind network address translation (NAT). Lastly, keep the images, firmware, or distributions patched and monitor your traffic from time to time. Kind of like a cavity, you usually do not know you have one until it is too late.

My blog has also moved to a dual-stack (Linode awesome service and support) from a tunnel-broker! This was really straightforward to implement as Linode provides some great documentation in their library. As with any setup, you need to filter unwanted traffic from entering/exiting your node(s), Iptables makes quick work of this. In this scenario, I am going with a deny-by-default posture and log everything that is dropped. This is by no means definitive but just a place to get started.

*filter
# Drop everything
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]

# Allow the loopback
-A INPUT -i lo -j ACCEPT
-A INPUT -d ::1/128 ! -i lo -j REJECT --reject-with icmp6-port-unreachable

# All returning connections
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Let the web server respond
-A INPUT -p tcp --sport 1024:65535 --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --sport 1024:65535 --dport 443 -m state --state NEW -j ACCEPT

# All SSH session but limit attempt, also see fail2ban
-A INPUT -p tcp --sport 1024:65535 --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -m limit --limit 1/min --limit-burst 3 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -j DROP

# Allow ICMP but need to restrict based on type
-A INPUT -p ipv6-icmp -j ACCEPT

# Drop everything else and log it
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "ipv6 input denied: " --log-level 7

# Respective outbound rules
-A OUTPUT -p ipv6-icmp -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m limit --limit 3/min -j LOG --log-prefix "ipv6 output denied: " --log-level 7
COMMIT

How-to setup an Upside-Down-Ternet

2012-02-11T03:07:00-05:00

In an effort to replicate the amusing idea of a transparent proxy that manipulates traffic in a fun way found here and made even better with some great scripts that you can pull down from here. A Debian box was stood up with two network cards; one connects to the internal LAN and the other connected to an access-point which your guests connect to. I chose to post this how-to as the initial idea did not provide a complete reference on how to setup the needed components.

First, we are using an access-point we take care of the DHCP and DNS duties but the access-point or another host could perform these duties if they support said services. I choose to install the following DHCP service:

$ sudo apt-get install isc-dhcp-server

The following configuration provides the scope for the clients. We only define a scope for the client side which will use a 192.168.0.0 network for the example purposes.

$ grep ^[^#] /etc/dhcp/dhcpd.conf
ddns-update-style none;
default-lease-time 600;
max-lease-time 7200;
log-facility local7;
subnet 192.168.0.0 netmask 255.255.255.0 {
  range 192.168.0.100 192.168.0.200;
  option domain-name-servers 192.168.0.1;
  option domain-name "kittenwar.com";
  option routers 192.168.0.1;
  option broadcast-address 192.168.0.255;
  default-lease-time 600;
  max-lease-time 7200;
}

Secondly, the guests are going to need some resolution, rather than have their queries pass through the network, lets setup a simple resolver for them using BIND:

$ sudo apt-get install bind9

Setup some forwarders and the interface we want to listen on, for example sake, the same subnet servicing the clients:

$ grep ^[^#] /etc/bind/named.conf.options
options {
        directory "/var/cache/bind";
        version "tbd";
        forwarders { 8.8.8.8; 8.8.4.4; };
        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { none; };
        listen-on { 192.168.0.1; 127.0.0.1; };
};

Some of the fun scripts require a HTTP service to serve up flipped images and all sorts of other goodness so Apache and ImageMagick are needed:

$ sudo apt-get install apache2
$sudo apt-get -y install imagemagick

The last service is Squid caching proxy. Install version 3 was installed from the repositories:

$ sudo apt-get install squid3

Edit the Squid configuration, this is a default configuration but the acl for the clients has been enabled along with interception mode (read transparent) and finally call the script via url_rewrite_program:

$ grep ^[^#] /etc/squid3/squid.conf
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 3128 intercept
hierarchy_stoplist cgi-bin ?
coredump_dir /var/spool/squid3
url_rewrite_program /home/us3r/squidScripts/flipImages.pl
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

Execute the following to create some protection from the subnet being advertised and furthermore forces all of the web request to use the Squid cache. The rule-set is by no means perfect or definitive, feel free to tailor to your needs and provide feedback.

$ grep ^[^#] fw-script
PATH=/sbin
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
iptables --policy INPUT DROP
iptables --policy OUTPUT DROP
iptables --policy FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -i eth2 -p tcp --dport 3128 -j ACCEPT
iptables -A INPUT -i eth2 -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -i eth2 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i eth2 -p udp --dport 53 -j ACCEPT
iptables -A INPUT -i eth2 -p udp --dport 67 -j ACCEPT
iptables -A OUTPUT -o eth2 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 8000 -j ACCEPT
iptables -A INPUT -i eth1 -p udp --dport 68 -j ACCEPT
iptables -A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o eth1 -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -o eth1 -p udp --dport 67 -j ACCEPT
iptables -A OUTPUT -o eth1 -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -o eth1 -p udp --dport 443 -j ACCEPT
iptables -A OUTPUT -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I INPUT -j LOG --log-prefix "iptables denied: " --log-level 7
iptables -I OUTPUT -j LOG --log-prefix "iptables denied: " --log-level 7
iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.1:3128
iptables -t nat -A POSTROUTING -o eth2 -s 192.168.0.0/24 -d 192.168.0.1 -j SNAT --to 192.168.0.1
iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 80 -j REDIRECT --to-port 3128

You can down pull down a script from the Google code repository mentioned above which you have referenced in the Squid configuration. There are variables in the top of the scripts that you downloaded earlier. The variables need to be updated to reflect your system. A few Perl module prerequisites are also listed in the top of said scripts, access CPAN and install them:

$ sudo perl -MCPAN -e shell

After the required Perl modules are installed, you should be able to place a client on the guest network and they will retrieve sites, although it will not take long for to notice that in this case all of the images are inverted. Do not forget to checkout the other scripts.

Lots of fun! If I missed something or you have some feedback, use the comment form below.

Block Command and Control requests using ASA 5500

2011-12-10T02:26:00-05:00

I recently came across a blog post demonstrating how to use the Emerging Threats rule sets in order to block malware calls to command and control (C&C) hosts. Using the script referenced in the blog post may work fine, but I want to review and update when I feel like it via SSH. Per the Emerging Threats wiki these rules probably only need to be updated once a week but YMMV.

Setup the ASA (one time):

configure terminal 
access-list dynamic-filter_acl extended permit ip any any 
dynamic-filter enable interface outside classify-list dynamic-filter_acl 
dynamic-filter drop blacklist interface outside 
dynamic-filter blacklist

Download the C&C list from Emerging Threats:

$ wget http://rules.emergingthreats.net/fwrules/emerging-PIX-CC.rules

Convert the list to the required format:

$ sed 's/ET-drop/ET-cc/g' emerging-PIX-CC.rules | egrep "^access-list ET-cc deny"   
emerging-PIX-CC.rules | sed 's/access-list ET-cc deny ip/address/g;s/host //g;s/any   
/255.255.255.255/g' | awk '{print $1,$2,$3}' > emerging-PIX-CC.rules.asa

Paste the list using Putty or similar. At current there are around 3000 rules so it takes a minute:

configure terminal
no dynamic-filter blacklist
blacklist dynamic-filter blacklist
address x.x.x.x y.y.y.y

Finally, it is important to note that there could be performance implications with implementing too many rules. Be warned you may shun legitimate sites on shared hosting providers and the like.

Amazon S3 Server-Side Encryption using GSUtil

2011-10-29T14:39:00-04:00

If you would like to enable server-side encryption which is a relatively new feature for your Amazon S3 data using GSUtil then you need specify the header value when pushing files to their cloud.

$ gsutil -h "x-amz-server-side-encryption: AES256" cp /backups/files* s3://bucket

Note that server-side encryption protects your data at rest and that Amazon is managing the keys on your behalf by default, see post here. A better practice is to provide the encryption and decryption before and after you send and receive your data from S3.

Block IRC and other communications with McAfee VirusScan

2011-10-15T05:01:00-04:00

After seeing some suspicious activitiy in my McAfee antivirus logs, I learned the Access Protection functionality, specifically IRC communication setting may be able to thwart some of the aforementioned activity. There are a number of useful setting to log or even block attempts that are not enable by default. A test environment was setup using a IRC daemon on Remnux and a Nmap plug-in called irc-info.nse. An initial baseline scan/connect is made to confirm that the service residing in the virtual guest was working as advertised.

The host indeed had a IRC server running. We do not want our host communicating with IRC daemons so we can leverage McAfee to help us block the communication attempts. First, open up the Auto Protect settings in the VirusScan console.

Next, “Prevent IRC communication” was enabled. This hosts processesshould not be making outgoing requests. If there were such requests from a process it could be indicative of malicious software contacting a C&C.

Now the policy is being enforced, we again test the ability to connect the remote hosts IRC service.

Nmap is able to elicit responses from the host but is unable to complete a connection to interact with the IRC server. The last screen shot depicts log entries reporting, and a blocking and reporting entry.

Be cautious of shunning all processes for a specific check as some applications may inadvertently use a port that a malicious process would typically use. Instead, consider white-listing those or one selecting known evil.

Variance in rwfilter results from netflow v5 and YaF

2011-10-03T14:04:00-04:00

Looking over some netflow data I notice some variance between the two sensors. Sensor s0 is v5 netflow data from a Cisco switch, s1 is from a network tap listening between a Router on a Stick and said Cisco switch. The latter is a capture from YaF listening on a promiscuous network interface. I needed some data so a movie streaming took care of this for me. Here is the first difference between the two data sources.

$ rwfilter --start-date=$today --end-date=$today --proto=0-255 --pass=stdout --sensor=s0 | rwstats --protocol --top --count=5 --flows
INPUT: 675 Records for 1 Bin and 675 Total Records
OUTPUT: Top 5 Bins by Records
pro|   Records|  %Records|   cumul_%|
  6|       675|100.000000|100.000000|
$ rwfilter --start-date=$today --end-date=$today --proto=0-255 --pass=stdout --sensor=s1 | rwstats --protocol --top --count=5 --flows
INPUT: 2640 Records for 3 Bins and 2640 Total Records
OUTPUT: Top 5 Bins by Records
pro|   Records|  %Records|   cumul_%|
 17|      1927| 72.992424| 72.992424|
  6|       712| 26.969697| 99.962121|
  1|         1|  0.037879|100.000000|

The difference between the flow data here is the v5 data only shows TCP connections at this point where as the tap is seeing ICMP, TCP and UDP. The next set of queries are from a streaming movie which the output has been cut for brevity.

$ rwfilter --start-date=$today --end-date=$today --sensor=s0 --type=all --proto=1,6,17 --pass=stdout --daddress=172.16.0.10 | rwsort --fields=bytes | rwcut --fields=sip,sport,dip,dport,bytes
                           69.241.37.66|   80|                            172.16.0.10|65184|  57713601|
                           69.241.37.66|   80|                            172.16.0.10|65183|  58666986|
                           69.241.37.66|   80|                            172.16.0.10|65183| 146904926|
                           69.241.37.66|   80|                            172.16.0.10|65184| 153098218|

$ rwfilter --start-date=$today --end-date=$today --sensor=s1 --type=all --proto=1,6,17 --pass=stdout --daddress=172.16.0.10 | rwsort --fields=bytes | rwcut --fields=sip,sport,dip,dport,bytes
                           69.241.37.66|   80|                            172.16.0.10|65183| 110759034|
                           69.241.37.66|   80|                            172.16.0.10|65184| 111370758|
                           69.241.37.66|   80|                            172.16.0.10|65183| 148760315|
                           69.241.37.66|   80|                            172.16.0.10|65184| 150597449|

The item to note here is the v5 netflow is reporting more bytes than the network tap for similar source and IP addresses for the respective destination IP addresses. Same results with the next filter.

$ rwfilter --start-date=$today --end-date=$today --protocol=1,6,17 --sensor=s0 --type=all --pass=stdout --saddress=69.241.37.66 --daddress=172.16.0.10 | rwstats --count=10 --fields=sip,dip,scc,bytes,sport
INPUT: 4 Records for 4 Bins and 4 Total Records
OUTPUT: Top 10 Bins by Records
                                    sIP|                                    dIP|scc|     bytes|sPort|   Records|  %Records|   cumul_%|
                           69.241.37.66|                            172.16.0.10| us| 111370758|   80|         1| 25.000000| 25.000000|
                           69.241.37.66|                            172.16.0.10| us| 150597449|   80|         1| 25.000000| 50.000000|
                           69.241.37.66|                            172.16.0.10| us| 110759034|   80|         1| 25.000000| 75.000000|
                           69.241.37.66|                            172.16.0.10| us| 148760315|   80|         1| 25.000000|100.000000|
$ rwfilter --start-date=$today --end-date=$today --protocol=1,6,17 --sensor=s1 --type=all --pass=stdout --saddress=69.241.37.66 --daddress=172.16.0.10 | rwstats --count=10 --fields=sip,dip,scc,bytes,sport
INPUT: 4 Records for 4 Bins and 4 Total Records
OUTPUT: Top 10 Bins by Records
                                    sIP|                                    dIP|scc|     bytes|sPort|   Records|  %Records|   cumul_%|
                           69.241.37.66|                            172.16.0.10| us|  57713601|   80|         1| 25.000000| 25.000000|
                           69.241.37.66|                            172.16.0.10| us| 153098218|   80|         1| 25.000000| 50.000000|
                           69.241.37.66|                            172.16.0.10| us| 146904926|   80|         1| 25.000000| 75.000000|
                           69.241.37.66|                            172.16.0.10| us|  58666986|   80|         1| 25.000000|100.000000|

The output difference between the two sensors are minimal in most cases and a large portion could be due to traffic that the tap may have better insight to report though more analysis needs to be done using tcpdump or Wireshark. Nevertheless this should be considered when determine the senor requirements and the type of data that you would like to view reporting for. That said, any reporting is be better than none.

Configure YAF on Linux for NetFlow collection from a network tap or SPAN

2011-08-26T21:27:00-04:00

In a previous post SiLK was setup on a Debian host using NetFlow v5 from a Cisco switch. This worked well but I also have a network tap and said Cisco switch is capable of capturing data via SPAN port(s). This got me thinking about what difference I may see between the two NetFlow sources. This guide walks through setting up YAF on a Debian Linux host to receive data from a network tap or Switched Port Analyzer (SPAN) and converting it using Yet Another Flowmeter (YAF).

First, your host will need to obtain data from your network tap or SPAN port. I have two network interface cards in my box so I connected the non-management interface to the tap and started the interface without an IP in promiscuous mode. If you would like to use a SPAN port seek guidance here.

Note that this guide assumes that you already have compiled and successfully built SiLK. If not checkout this [post][].

You first need libfixbuf - IPFIX Protocol Library. Before building IPFIX will need glib2 and its respective development libraries, I did not have the latter so a little APT action takes care of that for me.

$ sudo apt-get install libglib2-dev

Building libfixbuf is straigtforward once the prerequetes are in place.

$ ./configure --prefix=/usr
$ make
$ make install

Next we are going to build YAF is Yet Another Flowmeter which has several prerequisites. libpcap needs to be installed along with its respective development libraries. I also installed the required PCRE required libraries for application labeling.

$ sudo apt-get install libpcap-dev
$ sudo apt-get install libpcre3-dev

Next we can build YAF.

$ ./configure --prefix=/usr --enable-applabel
$ make
$ sudo make install

Now that everything is ready to go we have a little housekeeping to do on the YAF configuration files. I placed the YAF configuration file in /etc/silk/yaf.conf. This file contains all of the setting such as which interface to listen on, IPFIX port, etc.

## ------------------------------------------------------------------------
## yaf.conf
## YAF daemon startup script configuration file
## ------------------------------------------------------------------------
## Copyright (C) 2007-2011 Carnegie Mellon University. All Rights Reserved.
## ------------------------------------------------------------------------
## Authors: Brian Trammell
## ------------------------------------------------------------------------
## GNU General Public License (GPL) Rights pursuant to Version 2, June 1991
## Government Purpose License Rights (GPLR) pursuant to DFARS 252.227-7013
## ------------------------------------------------------------------------

# Must be non-empty to start YAF
ENABLED=yes

##### Capture Options ##########################################################

# Live capture type. Must be pcap, or dag for Endace DAG if YAF was built
# with libdag.
YAF_CAP_TYPE=pcap

# Live capture interface name.
YAF_CAP_IF=eth0

##### Export Options ###########################################################

# IPFIX transport protocol to use for export. Must be one of tcp or udp, or
# sctp if fixbuf was built with SCTP support.
YAF_IPFIX_PROTO=tcp

# Hostname or IP address of IPFIX collector to export flows to.
YAF_IPFIX_HOST=localhost

# If present, connect to the IPFIX collector on the specified port.
# Defaults to port 4739, the IANA-assigned port for IPFIX
YAF_IPFIX_PORT=18000

##### Logging and State Options ################################################

# Path to state location directory; contains the log and pidfiles unless
# modified by the following configuration parameters.
# Defaults to ${prefix}/var.
#YAF_STATEDIR=

# Path to PID file for YAF. Defaults to YAF_STATEDIR/yaf.pid
#YAF_PIDFILE=

# File or syslog facility name for YAF logging. If file, must be an absolute
# path to a logfile. Defaults to YAF_STATEDIR/yaf.log
#YAF_LOG=

# File or syslog facility name for YAF airdaemon logging. If file, must be an
# absolute path to a logfile. Defaults to YAF_STATEDIR/airdaemon-yaf.log
#YAF_DAEMON_LOG=

##### Miscellaneous Options ####################################################

# If present, become the specified user after starting YAF
#YAF_USER=

# Additional flags to pass to the YAF process. Use --silk --ip4-only for
# export to SiLK rwflowpack or SiLK flowcap.
YAF_EXTRAFLAGS="--silk"

Made sure there was a sensor definition in the /netflow/silk.conf.

sensor 0 s0    "v5 netflow from router"
sensor 1 s1    "YAF converted from tap"

class all
    sensors s0 s1
end class

The /etc/silk/sensor.conf configuration file also need to be updated with the new sensor definition. In this case s1 is our tap.

probe s0 netflow-v5
    listen-on-port 9990
    protocol udp
    accept-from-host 172.16.0.1
end probe

sensor s0
    netflow-v5-probes s0
    internal-ipblocks 172.16.0.0/24
    external-ipblocks remainder
end sensor

probe s1 ipfix
    listen-on-port 18000
    protocol tcp
    accept-from-host 127.0.0.1
end probe

sensor s1
    ipfix-probes s1
    internal-ipblocks 172.16.0.0/24
    external-ipblocks remainder
end sensor

Lastly, start YAF assuming that you have rwflowpack running from the SiLK package per the previous [post][].

$ sudo yaf --silk --ipfix=tcp --live=pcap --in=eth0 --out=127.0.0.1 --ipfix-port=18000 &

You should now be capturing data and converting into a format that SiLK can process via YAF.

Configure SiLK on Linux for NetFlow collection from a Cisco router

2011-08-15T00:43:00-04:00

This guide walks through configuring SiLK from a source install on a Debian 6 host in order to collect NetFlow data from a Cisco router. The guides here and here written by CERT NetSA are quite good but lack some detail specific to the Debian distribution which required a bit of mucking about to get everything functioning correctly. This assumes that you have a Cisco router to send NetFlow data to a host on your network, in this case, a Debian host.

Installation:

First install a prerequisite.

$ sudo apt-get install libpcap-dev

Next untar and change into the SiLK directory. For Debian I found that using the /usr directory worked well. By default the configure script uses /usr/local in which it places the binaries, libraries, etc outside of Debians default paths.

$ ./configure --prefix=/usr --sysconfdir=/etc/silk --enable-data-rootdir=/netflow   
--enable-ipv6 --enable-output-compression

Your output should be something along the following:

    * Configured package:           SiLK 2.4.5
    * Host type:                    x86_64-unknown-linux-gnu
    * Source files ($top_srcdir):   .
    * Install directory:            /usr
    * Root of packed data tree:     /netflow
    * Packing logic:                via run-time plugin
    * Timezone support:             UTC
    * Default compression method:   SK_COMPMETHOD_ZLIB
    * IPv6 support:                 YES
    * IPFIX collection support:     YES (-pthread -lfixbuf -lgthread-2.0 -lrt -lglib-2.0)
    * Transport encryption support: NO (gnutls not found)
    * IPA support:                  NO
    * LIBPCAP support:              YES (-lpcap)
    * ADNS support:                 NO
    * Python support:               NO
    * Build analysis tools:         YES
    * Build packing tools:          YES
    * Compiler (CC):                gcc
    * Compiler flags (CFLAGS):      -I$(srcdir) -I$(top_builddir)/src/include -I$(top_srcdir)/src/include -DNDEBUG -O3 -fno-strict-aliasing -Wall -W -Wmissing-prototypes -Wformat=2 -Wdeclaration-after-statement -Wpointer-arith
    * Linker flags (LDFLAGS):
    * Libraries (LIBS):             -lz -ldl -lm

Lastly:

$ make
$ sudo make install

Configuration:

Example files are available in the tarball that you extracted. Modified versions or notes for Debian and similar architectures available below.

/netflow/silk.conf in your data directory, the default is /data but I used /netflow as you can see in the configure toggle above. The changes I made were to reduce the number of sensors.

# The syntactic format of this file
#    version 2 supports sensor descriptions, but otherwise identical to 1
version 2

sensor 0 s0    "Description for sensor S0"
sensor 1 s1

class all
    sensors s0 s1
end class

# Editing above this line is sufficient for sensor definition.

/etc/silk/sensor.conf is the definition for the data coming in from your Cisco router:

probe s0 netflow-v5
    listen-on-port 9990
    protocol udp
    accept-from-host 172.16.0.1
end probe

sensor s0
    netflow-v5-probes s0
    internal-ipblocks 172.16.0.0/24
    external-ipblocks remainder
end sensor

/etc/silk/rwflowpack.conf:

### Packer configuration file  -*- sh -*-
##
## The canonical pathname for this file is /usr/local/etc/rwflowpack.conf
##
## RCSIDENT("$SiLK: rwflowpack.conf.in 16306 2010-09-15 18:14:41Z mthomas $")
##
## This is a /bin/sh file that gets loaded by the init.d/rwflowpack
## wrapper script, and this file must follow /bin/sh syntax rules.

# Set to non-empty value to enable rwflowpack
ENABLED=yes

# These are convenience variables for setting other values in this
# configuration file; their use is not required.
statedirectory=/var/lib/rwflowpack

# If CREATE_DIRECTORIES is set to "yes", the directories named in this
# file will be created automatically if they do not already exist
CREATE_DIRECTORIES=yes

# Full path of the directory containing the "rwflowpack" program
BIN_DIR=/usr/sbin

# The full path to the sensor configuration file.  Used by
# --sensor-configuration.  YOU MUST PROVIDE THIS (the value is ignored
# when INPUT_MODE is "respool").
SENSOR_CONFIG=/etc/silk/sensor.conf

# The full path to the root of the tree under which the packed SiLK
# Flow files will be written.  Used by --root-directory.
DATA_ROOTDIR=/netflow

# The full path to the site configuration file.  Used by
# --site-config-file.  If not set, defaults to silk.conf in the
# ${DATA_ROOTDIR}.
SITE_CONFIG=/netflow/silk.conf

# Specify the path to the packing-logic plug-in that rwflowpack should
# load and use.  The plug-in provides functions that determine into
# which class and type each flow record will be categorized and the
# format of the files that rwflowpack will write.  When SiLK has been
# configured with hard-coded packing logic (i.e., when
# --enable-packing-logic was specified to the configure script), this
# value should be empty.  A default value for this switch may be
# specified in the ${SITE_CONFIG} site configuration file.  This value
# is ignored when INPUT_MODE is "respool".
PACKING_LOGIC=

# Data input mode.  Valid values are:
#  * "stream" mode to read from the network or from probes that have
#    poll-directories
#  * "fcfiles" to process flowcap files on the local disk
#  * "respool" to process SiLK flow files maintaining the sensor and
#    class/type values that already exist on those records.
INPUT_MODE=stream

# Directory in which to look for incoming flowcap files in "fcfiles"
# mode or for incoming SiLK files in "respool" mode
INCOMING_DIR=${statedirectory}/incoming

# Directory to move input files to after successful processing.  When
# in "stream" mode, these are the files passed to any probe with a
# poll-directory directive.  When in "fcfiles" mode, these are the
# flowcap files.  When in "respool" mode, these are the SiLK Flow
# files.  If not set, the input files are not archived but are deleted
# instead.
ARCHIVE_DIR=${statedirectory}/archive

# When using the ARCHIVE_DIR, normally files are stored in
# subdirectories of the ARCHIVE_DIR.  If this variable's value is 1,
# files are stored in ARCHIVE_DIR itself, not in subdirectories of it.
FLAT_ARCHIVE=0

# Directory to move an input file into if there is a problem opening
# the file.  If this value is not set, rwflowpack will exit when it
# encounters a problem file.  When in "fcfiles" mode, these are the
# flowcap files.  When in "stream" mode, these are the files passed to
# any probe with a poll-directory directive.
ERROR_DIR=  #${statedirectory}/error

# Data output mode.  Valid values are "local" and "remote".  "local"
# writes the hourly data files to the local disk.  "remote" creates
# small files (called incremental files) that must be processed by
# rwflowappend to create the hourly files.
OUTPUT_MODE=local

# Directory in which the incremental files are written when the
# OUTPUT_MODE is "remote".  Typically there is an rwsender deamon that
# polls this directory for new incremental files.
SENDER_DIR=${statedirectory}/sender-incoming

# Temporary directory in which to build incremental files prior to
# handing them to rwsender.  Used only when OUTPUT_MODE is "remote".
INCREMENTAL_DIR=${statedirectory}/incremental


# The type of compression to use for packed files.  Left empty, the
# value chosen at compilation time will be used.  Valid values are
# "best" and "none".  Other values are system-specific (the available
# values are listed in the description of the --compression-method
# switch in the output of rwflowpack --help).
COMPRESSION_TYPE=best

# Interval between attempts to check the INCOMING_DIR or
# poll-directory probe entries for new files, in seconds.  This may be
# left blank, and will default to 15.
POLLING_INTERVAL=

# Interval between periodic flushes of open SiLK Flow files to disk,
# in seconds.  This may be left blank, and will default to 120.
FLUSH_TIMEOUT=

# Maximum number of SiLK Flow files to have open for writing
# simultaneously.  This may be left blank, and will default to 64
FILE_CACHE_SIZE=

# Whether rwflowpack should use advisory write locks.  1=yes, 0=no.
# Set to zero if messages like "Cannot get a write lock on file"
# appear in rwflowpack's log file.
FILE_LOCKING=1

# Whether rwflowpack should include the input and output SNMP
# interfaces and the next-hop-ip in the output files.  1=yes, 0=no.
# The default is no, and these values are not stored to save disk
# space.  (The input and output fields contain VLAN tags when the
# sensor.conf file contains the attribute "interface-values vlan".)
PACK_INTERFACES=0


###

# The type of logging to use.  Valid values are "legacy" and "syslog".
LOG_TYPE=syslog

# The lowest level of logging to actually log.  Valid values are:
# emerg, alert, crit, err, warning, notice, info, debug
LOG_LEVEL=info

# The full path of the directory where the log files will be written
# when LOG_TYPE is "legacy".
LOG_DIR=/var/log

# The full path of the directory where the PID file will be written
PID_DIR=${LOG_DIR}

# The user this program runs as; root permission is required only when
# rwflowpack listens on a privileged port.
USER=root
#USER=`whoami`  # run as user invoking the script

# Extra options to pass to rwflowpack
EXTRA_OPTIONS=

/etc/init.d/rwflowback directory, the only change was to line 38 in order to change to the configuration specified in the configure statement.

SCRIPT_CONFIG_LOCATION="/etc/silk"

With everything installed in their respective locations it is time to move on to setting up the Cisco device.

Router(config)# ip cef 
Router(config)# ip flow-export source Loopback0 
Router(config)# ip flow-export version 5 
Router(config)# ip flow-export destination x.x.x.x 9990 
Router(config)# interface  f1/0 
Router(config-if)# ip flow ingress 
Router(config-if)# ip flow egress

I hope this helps. If you have any comments or questions, leave a comment below.

Setting Google Storage object ACL for authenticated downloads

2011-07-17T03:06:00-04:00

Google’s gsutil is a great tool for pushing, retrieving and setting permissions on objects uploaded to Google Storage. I was reviewing the documentation on the Sharing and Collaboration page, specifically the Authenticated Browser Download section and realized there were a couple of small mistakes, err typos. I wanted to give someone read privileges to an object via their email address. The correct format is posted in this Paste.

The EmailAddress tag needs to be closed and the Permission tags need to be moved outside of the Scope tag. With all of this said I later came across Access Control page which is documented correctly. Go figure.

Running NIX Retina and Nessus vulnerability scans with least privileges

2011-06-17T02:46:00-04:00

When you are running those vulnerability scans of Linux and UNIX hosts I hope that you are following best practices for keeping a host secure during the process. Both Retina and Nessus rely upon SSH in order to connect to a remote host and run a number of commands to compare the querys to their respective databases of known issues, vulns and configuration faults. Removing the directive in the sshd_config file to enable root login is definitely not best practice, and is borderline “hacking naked”. Lucky for us both Tenable and eEye have documented the methods for running scans with su or sudo (the latter preferred).

As the Retina publication states, you may want to limit the commands that the sudo user may run. To do this you can look at the Retina logs on your Windows client; or after a successful scan with take a peek at the NIX user history in order to determine what commands were run. This could also be useful for scripting up a self-scan for a host that may lack a SSH service. Another method may beside reviewing the scanners logs might be to check the history of the secure or messages log to determine what commands were run and successfully returned a response.

After determining what commands the host needs to correctly run a credentialed scan you can limit the users sudo privileges in the /etc/sudoers file. This allows users bob and alice to execut cmd0, cmd1 and cmdn, though disables su and the ability to change to a shell that may not log correctly.

Cmnd_Alias    SHELLS = /usr/bin/sh,  /usr/bin/csh,   
/usr/bin/ksh, /usr/local/bin/tcsh,   
/usr/bin/rsh, /usr/local/bin/zsh
Cmnd_Alias    RETINA = /usr/sbin/cmd0, /usr/sbin/cmd1, /usr/sbin/cmdn
User_Alias    RETINA_USERS = alice, bob
RETINA_USERS  ALL = !/usr/bin/su, !SHELLS, RETINA

As usual, YMMV so let me know if this is helpful or misinforming.

Use Facebook CDN to host website photo gallerys

2011-04-19T23:23:00-04:00

I was thinking about how to retrieve photos from Facebook photo gallery’s and came across a number of solutions. Most of the solutions were for blog or CMS and furthermore required caching your credentials in a database along with a few other hoops in order to access your albums and display them on a third party site. I thought this was a bit odd as if you want to share photos on your blog or site you should be able to just make the album public and use Facebooks API to connect since they are going to be public at that point. After poking around this ended up being much easier than expected and it works with Facebook Fan Pages which is where I think this would be most useful.

You need to create a Facebook application account which will provide you with your appId and secret.
Next you need to get the PHP SDK from GitHub. All you need is the facebook.php page but feel free to grab the ZIP and explore. There is an example to experiment with.
Lastly you can use the code provided on Google Code as a basic start to implementing a photo gallery on your site.

The code displays thumbnails, source images along with name’s (caption’s) below each image that have them and finally the source which you can use to derive other goodies that you might want to use in you gallery. Some examples are different size thumbnails, id, comments, etc.

*Note that the script does not parse double quotes in photo captions well at this point.

If you notice any issues, room for improvement or features feel free to leave a comment or post an issue over at the Google Code page.

Blocking evil with the Enhanced Mitigation Experience Toolkit EMET

2011-01-29T03:18:00-05:00

While experimenting with EMET I decided to put together a little presentation demonstrating how it can be used to prevent exploitation of a known threat to Acrobat Reader. The presentation first demonstrates the exploit using Metasploit, provides some high level analysis and then goes on to describe how EMET can mitigate the vulnerability. It may be a little choppy to follow so feel free to provide any constructive feedback. The presentation is available via PDF.

Pseudo Gmail address obfuscation

2011-01-10T02:35:00-05:00

I was hunting around for a way to create email aliases for mailing-lists and whatnot. It is a little disappointing to learn that there is not away to create true aliases with Google’s Gmail. You can create aliases if using Google’s hosted application service but I do not use this for my personal mail. Here are three interesting item’s I came across; Google’s mail servers ignore period’s for the username context, googlemail.com may be used instead of gmail.com and finally you can append notes after a plus symbol.

firstname.lastname@gmail.com may be written as first.name.last.name@gmail.com

firstname.lastname@gmail.com may be written as firstname.lastname@googlemail.com

firstname.lastname@gmail.com may be written as firstname.lastname+sometext@gmail.com

It’s not really obfuscation but it may help confuse someone not the wiser. Maybe one day Gmail will allow for true alias creation.

Insecure Library Loading Could Allow Remote Code Execution

2010-11-23T21:26:00-05:00

Note this is an older post that I am migrating from another blog I previously maintained.

Metasploit has already provide a nice write up of the pwning, I mean testing the vector http://blog.metasploit.com/2010/08/exploiting-dll-hijacking-flaws.html. It does involve a bit of prep work but I tested it on a fully patched Windows XP sp3 host and it does provide you with the same privileges as the user who executes the exploit remotely giving the attacker access to the system.

So we want to be concerned with how to prevent evil doers from exploiting this vector.

\1. Do not open any network shares or websites that you are unfamiliar with, furthermore avoid executing unknown files from either. 2. Decide which workaround you would like to use per http://www.microsoft.com/technet/security/advisory/2269637.mspx.

Workaround #1 Disabling and stopping the Webclient services is the easiest method to prevent the attack but may cause other problems.
Workaround #2 Blocking ports 139 and 445 may not be ideal to block due to file sharing and other problems that may arise.
Workaround #3 Download and install the tool from Microsoft that allows control of the DLL search path algorithm from http://support.microsoft.com/kb/2264107 for your specific Microsoft distribution, i.e. Windows XP. Modify the registry key that turns on, off or specifies the action per http://support.microsoft.com/kb/2264107 section “Example 1: How to disable loading DLLs from a WebDAV share for all applications that are installed on your local computer”.

Okay, so in short there are two ideal ways to disable to attack, disable the Webclient service or install the tool and modify the specific registry key.

Note many of us run docked and undocked, therefore we need to modify both controlset001 and controlset002 to cover both situations.

http://blog.metasploit.com/2010/08/exploiting-dll-hijacking-flaws.html

Keeping your hardware safe and avoiding the evil maid

2010-11-23T21:17:00-05:00

This installment is about keeping your notebook and other technology items safe. I was recently asked what the Defcon locks were for that I have been distributing with the new notebooks. I jokingly said to keep people from taking your monitor and chair from your desk while your on travel but there is a better reason I distribute them.

People assume having your hardware stolen is the ultimate way to compromise your data. An adversary that is smart enough will know better though. A system running TrueCrypt or similar encryption is a near impossible target if powered off while you are away but a system running encryption that powered on on, not so much. Passwords and keys to most encryption are stored in memory while the system is running. Recovering said keys is not an easy task but is possible. If you cannot break the habit of leaving your device on when not around or putting it standby because you cannot stand the boot up time then make sure you are using strong passwords that a difficult to guess to avoid giving the attacker the chance to use tools to capture memory and parse it for your super secret pass-phrase.

Even this has it’s downfalls though, there have been attacks that can thwart the password mechanism on a device and run an attack such as stealing the pass-phrase. An example is the Firewire attack which provides direct hardware access from some devices to your system. If the attacker can do this then it is game over for your data as they can use a tool to crack your system password. Fix, do not let an attacker walk away with your device still powered on, i.e. use a lock when at clients or at a hotel room.

The evil maid attack is often not thought of. You are supporting a remote client, come back to your room to check your mail and leave for dinner leaving your notebook. While gone the evil-doer aka evil maid visits your room to fluff your pillows and notices your notebook on the table. Whether it’s on or off a device that you probably won’t notice is plugged into your system and it records your pass-phrase when you type it in. The evil maid returns to then steal the notebook as they now have the passphrase to get your data. To avoid this one, pay attention to rogue devices plugged into your hardware. Sounds simple but who would check for a small USB device plugged into the back their host. Also use a lock to keep the evil-doer from stealing the hardware after obtaining the key after such an attack.

What am I trying to say here?

Use encryption, the performance hit is very small and the newest notebooks with the “i” series chipsets use hardware encryption.
Avoid leaving your device running if not around when at foreign locations, i.e. hotels, clients, etc…
Use a lock to attach the notebook to a desk, chair, whatever. I know these are not exactly Fort Knox but it is a deterrent.
Epoxy ports (warning this may not be an available option for a corporate assets). Yes this is extreme but why do you think some companies enforce this on their desktop systems and/or servers.

Creating VMware VMDK files from DD images using Live View

2010-11-07T01:18:00-05:00

While watching some Florida football today I decide to figure out how to mount/run a DD image in VMware Workstation. My image mounting skills were a little lacking so Google it was. I found a ton of great examples that seemed like they should work but the steps seemed a little incomplete. To further complicate the task was I was trying to run two partitions from the same disk.

The first method I found was to manually create the VMDK file from scratch. This seemed promising when I found [http://sanbarrow.com/vmdk/disktypes.html#partitionedDevice][] and even better an AppSpot application http://www.schatzforensic.com.au/2006/p2v/ to produce the configuration for me but determining the CHS values were not going very well with the images I was working with so I kept looking.

ProDiscover looked rather promising https://irhowto.wordpress.com/2010/07/05/booting-a-dd-image-with-vmware/ but the VMDK files generated for the images did not seem correct and sure enough the guest system would not fire.

Live View was the next tool to try. Initial attempts to use it on a Windows 7 x64 host failed so I moved the image and required tools to a Windows XP host. There are several prerequisites for Live View which it will prompt you for so heads up.

VMware Workstation or Server
Java or compatible JRE
Virtual Disk Development Kit (VDDK)
Live View

You will need to create a VMDK for each image that you want to use even if it is for the same VM guest. The coolest part of it all is that you can use the DD image in a read-only state and all write are saved to a separate state/snapshot file. Very nice as it keeps from trashing the original image.

How I got started in information technology

2010-08-17T14:29:00-04:00

Every once in a while someone asks me how I got started in working in the information technology realm. Usually someone that is not in the industry or they are interested in working with computers as a career and are not really sure where to start. I do not think I have been able to come up with a great answer but here is how it has worked for me thus far.

I have always had a mechanical inclination. I was one of those kids that would rather take apart their toys (read break) then play with them. I originally had a love affair with cars, especially engines. I would have one of my parent’s take me to the junk yard (before I could drive) just so I could pull old V8’s and bring them home to disassemble them. This was entertaining but then our family got a new computer. I had worked with friend’s computers but was careful not to break them as I knew their cost. You can imagine my dad’s face when he brought home our first computer and shortly thereafter I had the internals of it laid out across the floor. Lucky for me I somehow was able to put it back together and it still worked. I was hooked as there seemed like an endless amount of possibilities to keep me occupied.

I continued on my quest of learning more by installing other operating systems such as Redhat 6 besides the Windows 95 install as a dual boot installation. Not a very interesting feat now but at the time it was amazing for me. Fast forward a few years and I had gotten various jobs working for firms setting up and maintaining computer systems. I eventually got bit but the security bug while working at a university. I find the aspect of securing computer systems quite interesting as not only are you concerned with how information systems are implemented but also what vectors may be used to attack them and so much more. Enough about that here’s what I told the last person that was interested in getting into the technology scene. Opinions vary greatly here.

It depends upon what you see yourself doing in 10, 20 years from now. Computer Science (CS) degrees are great and they usually cover the spectrum when it comes to the world of computing. I was going to get a CS degree but was undecided the first two years and by the time I pulled it together I realized I would need two years of Calculus and Physics before most universities would even consider me for their programs. I instead went the Computer Information Science (CIS) route. This worked well for me as they are well recognized and the prerequisites were less demanding and time consuming.

Many universities now offer a number of programs such as Decision Information Science (DIS), this example focuses on more of the business perspective. I know one person whom has gone this route but they have done well. Most jobs will say they want a technology oriented degree though are not always specific. Regardless do your research. This ultimately depends upon what you expect to do and where you want to work. If you know the type of position you might see yourself in then look a position descriptions and figure out what the firms desire in that field. There are plenty of jobs out there but just more competition for them.

Due to competition in the market I would definitely recommend three things. One, if feasible, regardless of the bachelors program get a masters, these seems to open more doors and some schools have 3/2 programs that allow you to pretty much get a masters and bachelors at almost the same time. Two, get an internship and/or job working with computers, helpdesk at a university or work for a small company maintaining their network, etc. Besides education, experience is highly regarded in the industry regardless of your concentration and this will help you figure out what you want to do career wise. Three, look into certifications such as a CCNA, Security+, MCSA. Even entry level certifications may help get you in the door though this is debatable by some.

I will state that I know people that rely purely upon their experience and others that are more academically focused. I do not think there is a sure fire method but for me a combination of both has worked fairly well.

Finally migrated from Blogger to WordPress

2010-05-23T18:35:00-04:00

I haven’t posted in a while because Blogger finally did away with their FTP/SCP publishing ability meaning if I wanted to continue using Google’s Blogger platform I would have to allow them to host my content for me. I don’t mind this except there are small annoyances such as having to still use a third party host for files that are not part of a blog post. I have also never been a real fan of their themes. I’m not much of a designer when it comes to websites, my focus is usually on the technical operations and not making things aesthetically pleasing. WordPress has Blogger beat hands down in this department as there are thousands of freely available themes and plug-ins for their platform.

The flip-side is securing WordPress. There are countless known vulnerabilities to the WordPress platform. There are ways to stay on top of these. First use the general lock-down suggestions provided by WordPress and other sites. Secondly or maybe primarily, stay up on new releases that fix bugs and security vulnerabilities by subscribing to the mailing-list or keeping an eye on their blog. Overall I look forward to the new platform and hope you enjoy the content to come.

Redirect Blogger URL using Mod Rewrite and shell scripting fu

2010-02-13T01:07:00-05:00

Blogger is doing away with the option to host your blog via your own host and migrating everything to the cloud. I wanted to have the option to continue hosting my blog on my own server even though as of now I am still hosting with Blogger. The main concern I had was redirecting URLs that blogger had created to a new blogging platform such as WordPress. I looked around and found several methods here, here, and here for redirecting one URL to another. The two primary method were HTTP redirects by modifying the page header or Apaches [mod_rewrite][]. I like Apache so I opted for the latter.

I only had about 60 posts so creating a few mod_rewrite rules is not a big deal. There were a number bloggers had complaints about Blogger removing FTP/SFTP publishing capabilities and they were considering a migration away from Blogger. This got me thinking about how to help others in transferring thousands blog entries.

I decided to try to automate this process somewhat with a little scripting fu. This could be scripted into a single script and if there is enough interest, I will make it happen.

The first step is to import your Blogger posts into your WordPress database. Blogger can export its posts but WordPress does not have a native plug-in for importing the posts in the XML format that Blogger is capable of exporting. WordPress can however import posts and comments from a Blogger Blogspot hosted profile. Create a Blogspot host and import the posts that you have backed up from your main profiles XML file. Make sure to disable search engine indexing for the temporary site so that you do not hurt your SEO.

The second step is to import the posts into WordPress. This is relatively easy to do, basically login to your WordPress administrative tools and import the blogger posts from your Blogspot profile that you created in the first step. I tried using the recommended tools per WordPress and a third party tool but they did not work very well for me.

Now your WordPress install should have all of your content and comments and your WordPress install is working correctly. This tutorial also assumes you are using the following permalink format for your WordPress posts, if not you will have to adjust this tutorial to your liking:

/%year%/%monthnum%/%postname%/

You will notice that your URL conforms to the WordPress install and not to Bloggers. This means that when you migrate your DNS to point at your shiny WordPress install all of the links that users have bookmarked and the search engines have crawled will no longer be valid. Worse, this could hurt your search engine rankings as it will take time for search engines to realize the new content and during that time you will have duplicate content floating around. Not an ideal situation.

Third step is to determine all of the URLs that your Blogger account was using the XML file that you exported from your Blogger blogs profile. This will produce a file with your Blogger file names. It should be the same as the number of posts you have published on Blogger or in other words imported to WordPress. Note you will need to change the XML file name and domain name to match your settings:

# Produces blogger file names.
sed "s/\(href='[^']*'\)/\1\n/g" blog-02-04-2010.xml |   
grep "href='http://www.rsreese.com/20.*html'" |   
sed "s+.*href='http://www.domain.com/\(20[^']*\)'.*+\1+" |   
sort -ut/ -k3 | xargs -I{} basename {} | sort -u > /tmp/blogger.txt

Next you want to generate a similar listing from your WordPress install that is populated with all of your Blogger content. This involves logging into your MySQL install and exporting a little data.

mysql -u wordpress_user -p
mysql> USE wordpress_db;
mysql> SELECT post_name FROM wp_posts INTO OUTFILE '/tmp/wp.txt';

Next you want to ensure that your post line up from the two files. In my case I had some that were not sorted exactly right, this basically let me know how much manipulating I would have to do. Paste this into a file on your Linux and provide executable permissions such as ‘chmod +x filename’. Then run the file ‘/filename’. Note you will need to specify the paths to your wp.txt and blogger.txt in the small script.

paste blogger.txt wp.txt | while read Line
do set $Line
echo "This is from FileA: " $1
echo "This is from FileB: " $2
done

Lastly lets actually generate the mod_rewrite rules for Apache. Again when this runs the sort function may not match up the file names exactly right so you may have to do some manual manipulation.

paste blogger.txt wp.txt | while read Line
do set $Line
echo 'RewriteRule ^([0-9]{4})/([0-9]{1,2})/'$1'$ $1/$2/'$2'/ [NC,R=301,L]'
done

You probably want to redirect the output to a file so you can go in and fix the values that have not sorted correctly.

The last part of the configuration here is a section from my Apache configuration file. I have also included a little bit to redirect the feeds though for me this was not very important as I syndicate through FeedBurner allowing me to modify my feed without effect subscribers.

# This has two of my rewrite rules, I have many more but kept it brief for readability.
<Directory /var/www/apache2-default/wordpress/>
RewriteEngine OnRewriteBase /wordpress/
RewriteRule ^atom.xml$ feed/ [NC,R=301,L]
RewriteRule ^rss.xml$ feed/ [NC,R=301,L]
RewriteRule ^([0-9]{4})/([0-9]{1,2})/adding-character-to-line-using-perl.html$ $1/$2/adding-a-character-to-a-line-using-perl/ [NC,R=301,L]
RewriteRule ^([0-9]{4})/([0-9]{1,2})/authenicating-kerberos-against-active.html$ $1/$2/authenicating-kerberos-against-active-directory/ [NC,R=301,L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /wordpress/index.php [L]</Directory>

Finally you should test your setup to determine that all of the links redirect.

sed "s/\(href='[^']*'\)/\1\n/g" blog-02-07-2010.xml|   
grep "href='http://www.rsreese.com/20.*html'" |   
sed "s+.*href='\([^']*\)'.*+\1+" |   
sort -ut/ -k3 > /tmp/full_blogger_urls.txt

Next you can use wget to test the URLs to make sure they all redirect correctly.

wget -i /tmp/full_blogger_urls.txt

This tutorial is not an end all solution is not perfect by any means. It still requires some manipulation of data but if you have a large number of URLs to redirect then you may find it useful. Your mileage may vary though if you have problems or recommendations than drop a comment…

A few tools that may help rid of malware

2010-02-09T03:22:00-05:00

These tools may help rid a computer system of malware but be warned they can be very destructive to your system. In other words if you don’t know what you’re doing then backup what you can and take it to a professional.

Ad-Aware - This seems to be a popular click and point tool
Spybot - Search & Destroy - Same as above
RootkitRevealer - Older tool but still useful
GMER - Great manual tool but can cause more damage than good if you do not know what you are doing.
HijackThis - Similar to above, if you do not know what to remove manually then be careful as you could damage your system.
McAfee Labs Stinger - Detection tool from McAfee
Sophos Anti-Rootkit - Requires sign-up to download, annoying to say the least

Of course keep your current anti-spyware and virus installs and definitions up2date.

Setting up maildrop with Courier MTA

2010-02-08T05:05:00-05:00

Setting up maildrop with Courier MTA

Before I get into the maildrop here are a few notes to myself for setting up Courier.

Before running ./configure you should add ssl bin directory to your path
To receive local mail indifferent of caps touch {your/etc/courier/dir}locallowercase

Account postmaster@ HAS to be set up as well in the /usr/lib/courier/etc/aliases/system file

To tell courier about hosted domains,

add domain to, /etc/courier/hosteddomains

then,as root, run makehosteddomains

and to tell courier to accept esmtp connections for the domain

add domains to /etc/courier/esmtpacceptmailfor.dir/domains

then,as root, run makeacceptmailfor

Also, the email account postmaster@ HAS to be set up as well.

Here is the maildrop stuff:

Edit the “/usr/lib/courier/etc/maildroprc” to have “| /usr/lib/courier/bin/maildrop” as your delivery method
Create a “$HOME/.mailfilter” file to be read by maildrop, there is no need for the most part of a “.courier” since mail drop is already being used!
Make sure your “/usr/lib/courier/etc/maildroprc” doesn’t kill the install IE:

#attempt at a maildroprc file...  
if ( $SIZE < 26144 )  
{  
exception {  
xfilter "/usr/bin/spamassassin"  
}  
}  
if (/\^X-Spam-Flag: \*YES/)  
{  
exception {  
to "$HOME/Maildir/.Trash/"  
}  
}  
\#else  
\#{  
\# exception {  
\# to "$HOME/Maildir/"  
\# }  
\#}

The commented out part is no good since your “.mailfilter” will never be read so DON’T specifiy the default delivery since no matter what unless specified other wise by an exit command will courier deliver to the default “$HOME/Maildir” also goes for the .mailfilter, no matter where u send the mail to there is no need to send it to the default location unless you have some crazy kaos going on that is beyond my lame howto =)

\4. The contents of your “.mailfilter should be something like the following:

“| /usr/lib/courier/bin/mailbot -t autoresponse -s ‘AutoGoAwayMessage’ -A ‘From: test@prcdigital.com’ /usr/sbin/sendmail -f “

A “autoresponse” file should be created and placed in the same $HOME directory as the “.mailfilter” is located, though a universal file can be created from multiple users to access if desired.

\5. “chmod 600 .mailfilter autoresponse”

Also the same user:group that is owner of the Maildir should also own these two files so “chown user:group .mailfilter autoresponse”

or Once you get to maildrop, you don’t want to bounce it. Your best bet is to just drop it. Also, I would suggest using spamc/spamd if at all possible. This is what I would do:

  if ( $SIZE < 204800 )  {      exception {          xfilter "/usr/bin/spamc"      }  }

  if ((/^X-Spam-Flag: YES/))  {      if ((/^X-Spam-Level: \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*/))      {          echo "***** Dropping 15+ Spam *****"          EXITCODE = 0          exit      }      else      {          to "$HOME/Maildir/.Trash/"      }  }  to "$HOME/Maildir/"

You can get rid of the echo if you don’t want an entry in the log when it drops an email.

if ((/^X-Spam-Flag: YES/))

Why double parentheses? This is what I am using and it is not working, though it seemed to work until recently:

if (/^X-Spam-Level: *\*\*\*\*\*\*\*/){      exception {              to "/dev/null"      }}

Migrating from Blogger to WordPress

2010-02-04T01:06:00-05:00

Blogger is removing the functionality to host your own “Blogger” content by disabling the FTP/SFTP functionality from their system. I’m considering their hosting solution or migrating to a WordPress solution.

If I stick with Google’s Blogger hosting then bandwidth should not ever be an issue as they have a distributed computing system. The only downfall is that I’ll probably have to use a sub-domain to host any static files. If I move to hosting my own WordPress then I’ll probably have to increase my virtual host resources since PHP and MySQL will be required therefore using more system resources. This also increases my hosts vulnerability footprint. Not only am I essentially increasing adding two services but WordPress has had its fair share of security issues.

If you want to stick with Blogger the simple alternative is just to migrate to a hosted Blogspot and use custom domains. You can simply point your DNS host domain.com or sub.domain.com to Google’s DNS servers and within a short amount of time you will be up and running again. With this said there are a number of variables that come into play.

Google’s Blogspot does not support subfolders, one alternative is to use a URL redirection to point to the new host which means you will need to search around for the code to insert into the header of your template to accomplish this. Per the migration tool there is no sub-folder support.

domain.com/blog/ —> blog.domain.com

Since Google would hosting your blog there really isn’t a wonderful way to handle this as there is not a provision to use Mod_Rewrite or something similar though with the number of complaints Google has received on their blog they may implement a feature.

If you are considering hosting with another solution such as Wordpress then you have more options available to you depending on your hosting solution. Wordpress has an integrated import function to import other Blogging but you must first convert you existing hosted Blogger account to a Blogspot solution. Blogger does have an export function but it seems broken per these posts. Wordpress also has custom URL functionality so it would be easier to match the format that blogger was using especially if you can utilize Mod_Rewrite.

Personally, I’m still undecided…

God Mode - Give Windows users an easier way to destory their computers

2010-01-06T03:45:00-05:00

Windows 7 and Vista (latter can be buggy) has an interesting feature that allows quick access to allow kinds of administrative tools.

To create God Mode simply create a new folder on your desktop and name it the following:

GodMode.{ED7BA470-8E54-465E-825C-99712043E01C}

Now you will have a quicker way to change settings that will probably lead to the demise of your operating system. Have fun.

Google namebench helps find happy nameservers

2009-12-15T03:22:00-05:00

I was recently checking name servers that I was using to resolve hosts on a network. After using tools such as ping, traceroute, and dig I decided to search around and found Google has a new tool called namebench. Intrigued I decided to give it a shot. There is support for several platforms including Linux and Microsoft Windows. I pulled down a NIX copy and fired up the python script. By default in CLI the tool tests the top 10000 Alexa sites, as a note the GUI tool can test sites from your browsers cache. The tool compares your DNS hosts to several top resolvers around the net including their own. This was neat but I found the real usefulness was the ability to only specify the name servers you want to test. Very cool IMO.

$ ./namebench.py -O 68.87.73.242 68.87.68.162 68.87.74.162 8.8.8.8 8.8.4.4 208.67.220.220
namebench 1.0.5 - data/alexa-top-10000-global.txt (weighted) on 2009-12-14 22:09:40.248541
threads=40 tests=200 runs=1 timeout=2.0 health_timeout=4.0 servers=10
------------------------------------------------------------------------------
- Checking connection quality...
- Connection appears healthy (latency 55.15ms)
- Building initial DNS cache for 6 nameservers [40 threads]
- Waiting for health check threads for 6 servers: 0/6.6/6
.- 6 of 6 name servers are healthy
- Waiting for wildcard check threads: 1/6.....6/6
.- Waiting 4s for TTLs to decrement.
- Waiting for cache collusion threads: 0/30.30/30
30
Final list of nameservers considered:
------------------------------------------------------------------------------
68.87.68.162    68.87.68.162     48  ms |
208.67.220.220  208.67.220.220   59  ms | www.google.com. hijacked (google.navigation.opendns.com.), NXDOMAIN Hijacking
68.87.73.242    68.87.73.242     62  ms |
68.87.74.162    68.87.74.162     78  ms |
8.8.8.8         8.8.8.8          86  ms |
8.8.4.4         8.8.4.4          88  ms |

- Reading test data from data/alexa-top-10000-global.txt
- Benchmarking 6 server(s), run 1 of 1: 1/200.........10.........20.........30.........40.........50.........60.........70.........80.........90.........100.........110.........120.........130.........140.........150.........160.........170.........180.........190.........200/200
200
- Rendering template: ascii.tmpl
- Saving rendered ascii output
Fastest individual response (in milliseconds):
----------------------------------------------
68.87.68.162     ############################ 32.37295
68.87.73.242     ################################# 38.33604
208.67.220.220   ################################# 39.38794
68.87.74.162     ########################################## 49.34692
8.8.4.4          ##################################################### 63.43389
8.8.8.8          ##################################################### 63.49301

Mean response (in milliseconds):
--------------------------------
8.8.4.4          ########################## 67.35
68.87.73.242     ################################## 90.54
8.8.8.8          #################################### 95.24
68.87.68.162     #################################### 95.31
208.67.220.220   ######################################### 108.85
68.87.74.162     ##################################################### 142.74

Response Distribution Chart URL (200ms):
----------------------------------------
http://chart.apis.google.com/chart?cht=lxy&chs=720x410&chxt=x,y&chg=10,20&chxr=0,0,200|1,0,100&chd=t:0,20,20,20,21,21,21,24,27,49,59,67,116|0,1,12,40,57,63,69,73,77,80,84,87,91|0,16,17,17,18,19,25,26,29,35,39,51,77,95,102|0,1,14,28,48,53,56,60,65,69,72,76,80,83,87|0,19,20,20,20,21,21,23,24,26,36,56,69,90,112|0,1,8,30,45,50,54,61,64,70,73,77,80,84,87|0,25,25,25,26,27,45,46,49,51,57,71,77,91,116|0,1,5,33,39,47,50,54,58,62,65,69,73,77,80|0,32,32,32,33,33,34,34,35,38,48,53|0,1,7,28,55,65,80,88,91,95,98,100|0,32,32,32,33,33,34,34,34,37,41,50,63,78,126|0,1,7,28,44,54,66,70,74,77,81,85,89,92,96&chco=ff9900,1a00ff,80ff00,ff00e6,00e6ff,fae30a&chxt=x,y,x,y&chxl=2:||Duration+in+ms||3:||%25|&chdl=208.67.220.220|68.87.68.162|68.87.73.242|68.87.74.162|8.8.4.4|8.8.8.8

Response Distribution Chart URL (Full):
---------------------------------------
http://chart.apis.google.com/chart?cht=lxy&chs=720x410&chxt=x,y&chg=10,20&chxr=0,0,1333|1,0,100&chd=t:0,3,3,3,3,3,3,4,4,7,9,10,17,23,62,100|0,1,12,40,57,63,69,73,77,80,84,87,91,94,98,100|0,2,2,3,3,3,4,4,4,5,6,8,12,14,15,19,22,24,60|0,1,14,28,48,53,56,60,65,69,72,76,80,83,87,90,94,97,100|0,3,3,3,3,3,3,3,4,4,5,8,10,13,17,20,23,25,32|0,1,8,30,45,50,54,61,64,70,73,77,80,84,87,91,94,98,100|0,4,4,4,4,4,7,7,7,8,9,11,11,14,17,19,22,25,28,45,67|0,1,5,33,39,47,50,54,58,62,65,69,73,77,80,84,88,91,95,98,100|0,5,5,5,5,5,5,5,5,6,7,8|0,1,7,28,55,65,80,88,91,95,98,100|0,5,5,5,5,5,5,5,5,6,6,8,9,12,19,55,69|0,1,7,28,44,54,66,70,74,77,81,85,89,92,96,99,100&chco=ff9900,1a00ff,80ff00,ff00e6,00e6ff,fae30a&chxt=x,y,x,y&chxl=2:||Duration+in+ms||3:||%25|&chdl=208.67.220.220|68.87.68.162|68.87.73.242|68.87.74.162|8.8.4.4|8.8.8.8

Recommended configuration (fastest + nearest):
----------------------------------------------
nameserver 8.8.4.4         # 8.8.4.4
nameserver 68.87.68.162    # 68.87.68.162
nameserver 68.87.73.242    # 68.87.73.242

Problem with RAID volume larger then 2TB on Dell workstations

2009-10-21T14:35:00-04:00

I ran into a interesting issue this weekend. I was setting up a RAID volume on a Optiplex and Precision workstations, which have three 1.5 Terabyte (TB) drives. I tried creating a single large RAID 5 volume but the Intel Matrix storage manger (8.5.2) would not set the array to bootable. After much trial I found I could create smaller volume 160 Gigabyte (GB) for the system which was bootable and another utilizing the rest of the storage. My original plan was to create a large volume and partition it using the OS but this worked just as well, so instead I had two RAID 5 volumes. The only difference is the large volume is not bootable and requires the small one with the OS on it to first be mounted.

Python File Uploader

2009-10-17T14:21:00-04:00

I recently had a need to upload large files to a server via HTTP. Most of the solutions required tweaking the web server or PHP. Instead, I found a Python script that would write the data in chunks so it could handle large files. I modified the script to include a few additional features which include reporting a hash to the user, appending a date and revision to the file. I did my testing with Apache so your mileage may very with other httpd instances. The script is released under to GNUv3 so feel free to download a copy for your use or destruction. You can find the script at Github.

Trouble accessing Gmail or internal chat client

2009-09-10T01:58:00-04:00

I have been in a couple of places which I needed to access my email and chat so here is a little fix to get around DNS fixes that redirect hosts to the localhost.

Modify your hosts file to look like the following:

C:\Windows\System32\drivers\etc\hosts

127.0.0.1       localhost
74.125.79.17    mail.google.com
66.102.1.189    chatenabled.mail.google.com        #or 74.125.19.189 for non-Comcast.

# A friend recommended these, YMMV.
#209.85.135.17    mail.google.com
#72.14.204.189   chatenabled.mail.google.com
#72.14.204.189   talk.google.com
#72.14.204.189    talkx.l.google.com
#72.14.204.189    hostedtalkgadget.google.com
#72.14.204.189   talkgadget.google.com

This basically tell your system where these services are located instead of relying on a third party to instead let you know.

Facebook gets linked account support

2009-05-20T03:04:00-04:00

Now you can logon to your Facebook account through several providers such as Google, Myspace and OpenId which IMO is great (I’m lazy). Just go to Settings, Account Settings and Linked Accounts. You can even pick multiple providers. One cool part is my openID provider VeriSign can be setup to use two factor authentication to help provide a little more security amongst all of the chaos. See https://pip.verisignlabs.com

Update 1 - As of now Google as a Linked Account is not logging me in though pip.verisignlabs.com is still working well.

Update 2 - My Google account will log me into FaceBook once I have authenticated via Gmail.

Installing Sun Java on Debian Lenny

2009-05-15T15:04:00-04:00

The Sun Java JDK is available in the Debian Lenny non-free repository, therefore you must modify /etc/apt/sources.list:

$ sudo vi /etc/apt/sources.list

Add non-free to the Debian Lenny repositories:

deb http://mirrors.kernel.org/debian/ lenny main non-freedeb-src http://mirrors.kernel.org/debian/ lenny main non-free
deb http://security.debian.org/ lenny/updates main non-freedeb-src http://security.debian.org/ lenny/updates main non-free

Run

$ sudo apt-get update

Install the Java JDK as follows:

$ sudo apt-get install sun-java6-jdk

Make it available system wide:

$ sudo update-java-alternatives -s java-6-sun echo 'JAVA_HOME="/usr/lib/jvm/java-6-sun"' | tee -a /etc/environment

Debian Backup Script

2009-03-02T01:30:00-05:00

The script is located here. It can update the software repository, backup the file system, and send the backup to another machine via SSH. Feel free to try it out and let me know if you have any issues.

Shell script to update Debian system via APT.
Backup systems and send the backups to remote systems
MySQL backup
Encrypted backups available
System information like disc usage, network traffic
Log file output from syslog

A few simple computing tips

2009-02-10T01:46:00-05:00

Here’s a short list of safe computing tips that may help you stay safe.

\1. Passwords, use complex passwords and do not use the same password for MySpace/Facebook as you do for your banking website. This is an easy habit to get into so try to break the mold and use something complex that uses numbers, letters, and special characters.

\2. Encryption, this is a must for notebooks and other portable devices. Most individuals do not think about it until the worst happens but how bad would it suck to have your notebook or whatever stolen and then the thief happen to be intelligent enough to data mine through you drive to find credit card numbers or whatever other goodies they could use to steal your identity. There are some good free encryption software packages out there so do a little research.

\3. Avoid intercepted data. Most people do not think about how the data gets from their web browser to it’s destination but I can tell you a majority of the time your data that is trans-versing networks that you have no control over is probably unencrypted therefore not secure and up for being intercepted. Pay attention to what you say over instant messaging and other forms of communication as you would be very surprised as to whom might be listening and worse capturing your information.

\4. Backups, the medium in which your data resides on more then likely has a shelf life so a little thought in regards to backing up your data can go a long way if data becomes corrupt, drive failure, or by malicious means.

New RSS feed

2009-01-23T04:19:00-05:00

Tinkering as usual I was check out my FeedBurner feeds for accuracy since I have heard through the grapevine that a number of users are having problems with incorrect feed statistics when using FeedBurner. My statistics seem to be fine (not like anyone subscribes anyhow :-). It was interesting that Google has acquired FeedBurner and are planning on migrating the FB user base to Google though I have yet to receive any notification which was disappointing… The migration was painless enough and if you feel inclined my new feed is available at: http://feedproxy.google.com/rsreese.

TrueCrypt on my Dell notebook

2008-12-19T00:23:00-05:00

So I recently acquired a new notebook and I of course wanted the notebook to be secure. When I say secure I’m not just talking about preventing someone from exploiting the notebook from the wild but the problem of physical security with regards to someone stealing it. There are a number of commercial tools out there to provide whole disk encryption (WDE) but I really did not want to spend the money so I decided to get TrueCrypt a shot. I’ve been using it for sometime to encrypt data on a few backup drives I have but never a system drive. The process is completely painless. I decided to stick with the AES algorithm since it’s less hardware intense but be aware there are stronger encryption schemes available from the product. I also recommend making a backup disk and testing it! Secondly do NOT lose your key or you will not get into the system so it may be ideal to make backups and place them on another medium just in case…

At this point I’m rather happy with TrueCrypt the performance is great and how cool is it having the piece of mind that if someone decides to take your hardware, it is currently impossible for them to retrieve your data.

Using session-monitor to span ports as an aggregation tap

2008-10-17T20:13:00-04:00

Like most I do not have the funds to purchase a $1000 port aggregation tap for my IDS to monitor traffic so instead I just used a 2950 Cisco Switch:

!
interface FastEthernet0/1
switchport access vlan 100
duplex full
!
interface FastEthernet0/2
switchport access vlan 100
duplex full
!
interface FastEthernet0/3
!

so the first two ports are where the traffic comes in and back out to the destination device, the third will go to my network sensor. Next let us setup the port spanning.

!
monitor session 1 source interface Fa0/1
monitor session 1 destination interface Fa0/3

Note that you may check other options such as spanning multiple ports or even vlans.

Using metasploit to pwn MS06-067

2008-10-10T00:02:00-04:00

In a graduate course I was taking, our professor wanted us to tool around with the Metasploit project. This tool makes quick work of exploiting vulnerabilities. After the client takes the opens the link, I ran ‘ipconfig’ to ensure I had remote connectivity.

Here a shell that I ran ‘ipconfig’ on just to confirm the operation.

Erase slack space on Microsoft Vista

2008-10-03T04:34:00-04:00

A lot of information may be stored on a drives slack space. If you want to get rid of these artifacts then run the usual tools to clean up the system like ‘Disk Cleanup’, ‘Defrag’, etc.. and then run the following command.

C:\Users\Crypto>cipher.exe /w:C:  
To remove as much data as possible, please close all other applications while
running CIPHER /W.
Writing 0x00...................................................................................................
Writing 0xFF...................................................................................................
Writing Random Numbers.........................................................................................

Gentoo Linux auto update script

2008-09-08T04:14:00-04:00

A script that I had been using for sometime to update my Gentoo servers needed a few additions in my opinion. I spoke to the original developer of the script and he allowed me to make additions to the script and post them here on Google’s code hosting server. The following is a basic description of the script. So if you’re looking for something to update your Gentoo boxes then cruise over and pickup a copy.

“Shell script for Gentoo Linux to preform nightly system administration tasks from a cron job. This is reminiscent of OpenBSD’s /etc/daily, weekly, monthly scripts. Includes auto updating for Nikto, Snort sigs, and Nessus plugins. Also includes MySQL dump support, file system backups, and remote backups via SSH/rysnc.”

Mounting drives/volumes read-only in Microsoft Windows (Vista)

2008-08-05T21:35:00-04:00

I needed to analyze a drive for a company that suspects an ex-employee may have taken corporate material (training exercise or else I would use a hardware write blocker and follow a chain of custody). I do not have a write blocker and rather then fire up a copy of Helix or a similar tool a my spare machine (which is painfully slow) I would rather perform analysis on my workstation. Most of this information was derived from this post.

First step is to disable auto mounting of devices in Microsoft Vista by running ‘cmd’ in an administrative user context and then execute ‘mountvol /N’ to enable readonly mounting of newly attached drives and volumes.

Here is how to list the drives and volumes:

DISKPART> list disk
Disk ###  Status      Size     Free     Dyn  Gpt
--------  ----------  -------  -------  ---  ---
Disk 0    Online       233 GB      0 B
Disk 1    Online       932 GB      0 B        *
Disk 2    Online       932 GB      0 B        *
Disk 3    No Media        0 B      0 B
Disk 4    Online      3911 MB      0 B

DISKPART> list vol
Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
----------  ---  -----------  -----  ----------  -------  ---------  --------
Volume 0     E                       DVD-ROM         0 B  No Media
Volume 1     H   BLACK_DAHLI  UDF    DVD-ROM     3214 MB  Healthy
Volume 2     F   U3 System    CDFS   CD-ROM         8 MB  Healthy
Volume 3     C                NTFS   Partition    233 GB  Healthy    System
Volume 4     D   data         NTFS   Partition    931 GB  Healthy
Volume 5                             Partition    931 GB  Healthy
Volume 6     G                       Removable       0 B  No Media
Volume 7     I                FAT32  Removable   3911 MB  Healthy

So I decided to try a spare drive in the system and I found that when attempting to mount a TrueCrypt volume I got an error telling me that auto-mount is not support and I would have to re-enable it.

Continuing on my quest I was able to mount a spare hard drive volume read only, note you may also set the whole disk to read only.

DISKPART> select volume 5

Volume 5 is the selected volume.

DISKPART> att vol set readonly

Volume attributes set successfully.

DISKPART> detail vol

Disk ###  Status      Size     Free     Dyn  Gpt
--------  ----------  -------  -------  ---  ---
* Disk 2    Online       932 GB      0 B        *

Read-only              : Yes
Hidden                 : No
No Default Drive Letter: Yes
Shadow Copy            : No
Dismounted             : Yes
BitLocker Encrypted    : No

The next step will clear the read only status.

DISKPART> att vol clear readonly
Volume attributes cleared successfully.

Do not forget you may want to enable auto mounting again.

C:\Windows\system32>mountvol /N

A second and much easier alternative for USB devices is a small application that changes a registry entry called ThumbScrew. It alters a registry entry and though there is no guarantee that windows still will not access the drive it is a quick fix for this scenario. My plan is to use both methods. First disable the registry setting and then using drive part set the read only flag.

If you have any ideas about mounting drives in a Windows environment then please feel free to contact me and tell me about it.

Converting Microsoft OS to VMWare Guest

2008-07-30T01:03:00-04:00

A friend had two notebooks running Microsoft XP Home and Professional editions in which the notebooks were no longer functional but the hard drives were in good shape so I recommend running them in a VM guest. I knew I could use VMWare converter tool that was freely available and it supports converting from live hosts and images created from several software programs. I was disappointed to find that VMWares converter would not convert from Ghost enterprise (*.gho) images, but the latest version of Symantec Norton Ghost 14.0 would so I created images of the drives.

After the images were created I next fired up VMWares converter and let perform its magic.

This operation performed flawlessly. I ran both notebook images with two hitches, I had to reactivate both XP installations because running the guests inside VMWare workstation caused the operating system to assume it was running a different hardware but this wasn not a big deal. The second problem was trying to run the guest operating systems in VMWares free server product. I received an error message that the guest were created with more capabilities then what VMWare server could handle so the friend decided to purchase the workstation product in order to run the products.

Converting Microsoft Vista from one version to another

2008-07-19T04:37:00-04:00

A desktop that I had which was used for work recently would not activate because it required connectivity to the companies KMS server which I would connect to via VPN to complete but since I no longer work there that is out of the question. Since the Vista OS was an enterprise version I had no way to purchase a license for it. I did however have a Vista Business license that is legit so I wanted to migrate to it from the version of Vista Enterprise.

First make sure that everything near and dear is backed up in case something goes screwy.

Before inserting the Windows Vista CD
Go to, Start, Run: and type: regedit.exe
Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
Change the key : ProductName from “Windows Vista ™ Enterprise” to “Windows Vista ™ Business”
Change the key: EditionID from “Enterprise” to “Business”

Do not restart

Now insert Windows Vista CD and start upgrading (the option Upgrade will not be graded out anymore)

A copy of program/drivers had to be reinstalled but much easier solution for me then reinstalling everything which is usually a week long process it seems like now.

Domain registrars spamming sub-domains?

2008-07-03T02:31:00-04:00

In the process of setting up some virtual servers (slices) from www.slicehost.com I had to move the name servers around along with a migration to Google web apps. A user called complaining that they could not access the web-mail service. The user was trying to access www.mail.domain.com instead of mail.domain.com which a DNS record had yet to be setup for and we weren’t planning on it. To our surprise there was a page there though, a place holder with some nasty pop-ups. We immediately added a record for this entry to kill it but it makes me wonder how many other sub-domains have been compromised? The registrar was www.godaddy.com, we will be migrating to a new one very soon.

Encrypting a secondary drive (PGP or TrueCrypt)

2008-05-15T00:05:00-04:00

In this post I am going to share my experiences with encrypting a secondary drive in a Windows Vista environment.

The hardware is a Dell Optiplex core 2 duo. I will be encrypting a 1 terabyte Hitachi drive which I use primarily for storage.

The first piece of software I tried is PGP Desktop. When setting up the drives the first thing I noticed when partitioning them through windows is I have a choice of boot record formats. As of this post PGP Desktop did not even see a partition when a drive was initialized as GPT though it did not have a problem with the standard MBR type. I also attempted encrypting as a MBR type and then converting it to GPT. PGP Desktop removed its encryption status when I did this therefore I would not recommend trying that ;-). This concerned me since I am planning on implementing a raid solution and do not want to be limited to 2 terabytes by the drive table type. Regardless I went with the MBR style in order to allow PGP Desktop to play nicely. I imagine their product will support the newer format in the future. Encrypting a terabyte of data took all of the 12 hours for AES-256 which is what the tell-tell meter said it would. Once encrypted it acted just like a regular drive and upon restarting the Vista OS it prompted for a pass-phrase. Pretty simple and clean.

On a side note when I broke PGP desktop encryption on the drive I had to do the following to remove the bootguard since it resides on the boot drive:

Decrypting from a Command Line

From the command line, type pgpwde —decrypt —disk 0 (or the disk in question) —passphrase “enter passphrase here within double quotes” and press the enter key. The disk will then decrypt. The PGP Whole Disk status icon will be turning around in the system tray to show you decryption is in progress:
Once decryption is complete, see if the disk is still instrumented by bootguard by typing the —status command listed above. If the drive is not encrypted, the hard drive should boot normally. If the drive is still instrumented, but no highwater, proceed to the next steps.

Truecrypt was my next contestant. This appeals because of the great support that many open source solutions provide from the community. There are several algorithm options with TrueCrypt. I decide to go with the AES-Serpent combination but benchmark was a little off though. When creating the volume it also took around 10 hours for the terabyte volume averaging about 25 MB/s which means the AES solo algorithm probably would have taken half of the time.

I had some problems with the Truecrypt setup as well. The first round I was warned about existing partitions so I deleted everything and let TC encrypt the device (drive) instead of a partition which didn’t work so well. I learned it is recommended to encrypt a partition instead of the whole physical drive so I used the disk management snap-in via Vista’s Administrative Tools to first create the partition using the GPT style partition and let TrueCrypt format the drive using NTFS.

I have decided to stick with TrueCrypt over PGP Desktop because it’s free and it let me use the GPT style partitioning scheme. There are benefits to using PGP’s suite because it also includes email and instant messaging encryption tools amongst others but there is a fee for using the software beyond the demo period.

Force Outlook to open all email in plain text

2008-02-12T03:51:00-05:00

For reference.

Strip HTML email in Outlook into plain text Content: First, this is secure as many of the worms and bugs rely on HTML script code. One good example could be the needless advertisements or images sent inside spam (junk) emails. When you so much as view an email inside your email software, the senders webserver gets a timestamp of you having accessed the image. This of course does not happen with plain text, because there’s no image, so there is no inadvertent access?.

Second, it is also a bit faster to download and view email that doesn’t have all the unnecessary frills of HTML email (tables, bold, italics etc).

Start | Run | regedit Find this key: HKEY_CURRENT_USER\Software\Microsoft\Office\
10.0\Outlook\Options\Mail On the Edit menu, point to New, and then click DWord Value. With the new Dword value selected, type ReadAsPlain. Double-click the new value to open it. In the Value Data box, type 1, and then click OK. Click OK, and then quit Registry Editor. Just to be sure, close Outlook and restart it. From now on, all your HTML email messages will show up as simple text. After you turn on the Read as Plain Text? feature, users notice the following changes:

The changes are applied to the preview pane and open messages. Pictures become attachments to avoid loss. Digitally signed messages are not affected.

Disable fast user switching on Vista

2008-02-12T03:49:00-05:00

In Vista (unlike Windows XP), Fast User Switching works if you’re on a network domain. To turn off Fast User Switching, choose Start, type gpedit.msc in the Search box, and then press Enter. (If a security prompt appears, type an administrator password or confirm the action.) In the Group Policy Object Editor, choose

Local Computer Policy > Computer Configuration > Administrative Templates > System > Logon > enable Hide Entry Points for Fast User Switching > OK.

To find out who else is logged on to your computer: 1. Right-click an empty area of the taskbar and choose Task Manager. or Press Ctrl+Shift+Esc. 2. Click the Users tab to view users and their status

Kicking a user off a linux system

2008-02-12T03:46:00-05:00

This might break something the user is doing. You have been warned.

last -i1 baduser | awk '{print $3;exit}' | xargs -p --replace iptables -A INPUT -s {} -j drop if [ "`who | grep $1`" != "" ] ; then sid=`ps -jU $1 | awk '{print $3}' | tail -1`" kill -HUP $sid echo "$1 was logged in. Just booted $1 out." fi ps -u username | grep -v PID | awk '{print $1}' | xargs kill kill $(ps -u username | grep -v PID | awk '{print $1}')

Authenicating kerberos against active directory

2008-02-12T03:37:00-05:00

Your /etc/pam.d/system-auth is created with the command “authconfig” on a RHEL5 machine though you may have to manually edit it with other distributions:

#%PAM-1.0# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so like
auth nullokauth sufficient /lib/security/$ISA/pam_krb5.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so broken_shadow
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_krb5.so
account required /lib/security/$ISA/pam_permit.so
password requisite /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_krb5.so use_authtok
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
session optional /lib/security/$ISA/pam_krb5.so

Your /etc/krb5.conf should look something like this. Your system time must be accurate or else it will not work correctly.

[logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log[libdefaults] default_realm = AD.DOMAIN.EDUclockskew = 300 dns_lookup_realm = false dns_lookup_kdc = false ticket_lifetime = 24h forwardable = yes[realms]UFL.EDU = { kdc = DC01.AD.DOMAIN.EDU default_domain = DOMAIN.EDU }AD.DOMAIN.EDU = { kdc = ad.domain.edu admin_server = ad.domain.edu }[domain_realm] .domain.edu = DOMAIN.EDU domain.edu = DOMAIN.EDU[kdc] profile = /var/kerberos/krb5kdc/kdc.conf[appdefaults] pam = { debug = false ticket_lifetime = 36000 renew_lifetime = 36000 forwardable = true krb4_convert = false }

Next you need run kinit to make sure that you can contact the kerberos server, if it returns nothing then you should be good.

$ kinitPassword for rsreese@AD.DOMAIN.EDU: blahblah

Next setup two cron entries to keep the time up to date and kinit alive:
$ sudo crontab -e

0 23 * * 1,3,5 /usr/sbin/ntpdate time.nrc.ca0 */4 * * * kinit -R

The /etc/samba/smb.conf file needs to be setup.

# grep -Ev '#|;|^$' /etc/samba/smb.conf[global] workgroup = UFAD realm = AD.DOMAIN.EDU server string = SRVV-SERV hosts allow = 10.242. 10.228. load printers = no log file = /var/log/samba/%m.log max log size = 50 security = ads idmap uid = 10000 - 20000 idmap gid = 10000 - 20000winbind enum users=yeswinbind enum groups=yes template homedir = /home/%U template shell = /bin/bashclient use spnego = yes winbind use default domain = no encrypt passwords = yes smb passwd file = /etc/samba/smbpasswd socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 local master = no dns proxy = no[homes] comment = %U Home Directory browseable = no path = %H valid users = %U writable = yes create mode = 0664 directory mode = 0775[printers] comment = All Printers path = /var/spool/samba browseable = no guest ok = no writable = no printable = yes

Now add the computer object to the domain via the Active directory “Users and Computers”

You need to join the linux machine to the domain. First create an account on the domain for the machine as mentioned in the beginning or this will fail.
# net ads join -U administrator

SElinux needs to be told to let Samba play nicely
# setsebool -P samba_enable_home_dirs=1

\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~NOT NEEDED\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~
The /etc/ldap.conf looks like this:

host 10.241.28.100
base dc=domain,dc=edu
uri ldap://ad.domain.edu/
binddn rsreese@domain.edu
bindpw
scope sub
pam_filter objectclass=User
pam_login_attribute sAMAccountName
pam_lookup_policy yes
nss_base_passwd dc=edu?sub
nss_base_shadow dc=edu?sub
nss_base_group dc=edu?sub
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute shadowLastChange pwdLastSet
nss_map_objectclass posixGroup group
nss_map_attribute uniqueMember member
pam_login_attribute sAMAccountName
pam_filter objectclass=User
pam_password ad
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5

\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~NOT NEEDED\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~
Next I edit the /etc/nsswitch.conf to add ldap support:

passwd: files ldap
shadow: files
group: files ldap
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: files
publickey: nisplus
automount: files
aliases: files nisplus

Configuring sendmail to accept mail

2008-02-12T03:34:00-05:00

if you get ( doing a netstat -an more )

tcp 0 0 127.0.0.1:25 0.0.0.0:\* LISTEN

Then your sendmail server is configured to accept connections from localhost only.

To change this behavior, you need to edit /etc/mail/sendmail.mc. Find the line that starts with DAEMON_OPTIONS ( suggest vi +/DAEMON_OPTIONS sendmail.mc ) and edit the field Addr= to change it to your IP Address.

Then go down approx. 7 lines and comment out the line that reads:

FEATURE(\`accept\_unresolveable\_domains')dnl

Next, exit vi (or whatever editor you use) and do…

m4 /etc/mail/sendmail.mc \> /etc/sendmail.cf

Restart sendmail, and you should be able to receive mail from other mhosts

Edit group policy on remote computer

2008-02-12T03:32:00-05:00

Want to open up the MMC of a local Group Policy on a remote machine?

Simply go to Start Run and type:

gpedit.msc /gpcomputer: Computername

Running processes in the background on Linux

2008-02-12T03:30:00-05:00

If you just want your program to simply run in the background, launch it with a “&” at the end of the command from the shell. However, if it expects to use stdout, stdin, or stderr, it will stop — so these must all be redirected to files or pipes.

This will still leave it attached to the terminal and process group of the shell, however. Thus you will not be able to log out of the command prompt with the background jobs unless you detach them. To get around this you can use the “nohup” and/or “setsid” commands when launching it.

If you want your program to daemonize itself (rather than relying on the user to do it when invoking it), then you will have to read some unix programming books about the steps involved. For example, Perl’s Proc::Daemon does the following:

Fork a child and exit the parent process.
Become a session leader (which detaches the program from the controlling terminal).
Fork another child process and exit first child. This prevents the potential of acquiring a controlling terminal.
Change the current working directory to “/”.
Clear the file creation mask.
Close all open file descriptors.

Adding a character to a line using Perl

2008-02-04T06:46:00-05:00

perl -p -i -e 's/(.)$/$1$1/g' filename This changed my nonsense file: ghggk dethaks gjfkdld fyduftsdu flkgjd kflgjlk flkgjl f into a slightly different nonsense file: ghggkk dethakss gjfkdldd fyduftsduu flkgjd kflgjlk flkgjl ff

Getting Samba to play nicely with SELinux on RHEL

2008-02-04T06:31:00-05:00

This helpful bit was written by Don Meyer.

I am a little too stubborn for a quick fix like this, so I went the
route of adding the specific rules needed to allow SMB/Winbindd to
run without throwing AVC errors. I am doing this on RHEL4 boxes,
which install with SElinux enforcing targeted by default — this
allows me to leave SElinux active for its additional protections.

Doing it this way requires a little extra work, though…

First, you need to install the selinux-policy-targeted-sources
package, if not already installed.

When I build the RPMs from the source tarball, the first upgrade from
the default RHEL4 packages changes the tdb directory from
/var/cache/samba/ to /var/lib/samba/. This is accomplished by
creating /var/lib/samba/ — Naturally, this royally mucks up the
SElinux labelings/permissions. So, immediately after the first
upgrade from RHEL4 samba packages, (before starting either smb or
winbind) I need to do the following:

#chcon -Rt samba_var_t /var/lib/samba
#mkdir /var/lib/samba/winbindd_privileged/
#chcon -t winbind_var_run_t /var/lib/samba/winbindd_privileged/

Then, I drop the following file into the directory
/etc/selinux/targeted/src/policy/domains/misc/:

winbind_add.te:

allow winbind_t etc_runtime_t:file read;
allow winbind_t proc_t:file read;
allow winbind_t etc_t:file write;
allow winbind_t samba_etc_t:file write;
allow winbind_t initrc_t:process { signal signull };
allow winbind_t initrc_var_run_t:file { lock read };
allow winbind_t var_lib_t:dir { search getattr };
allow winbind_t var_lib_t:dir search;
allow winbind_t samba_log_t:dir { create setattr };
allow winbind_t unconfined_t:fifo_file read;
allow winbind_t var_lib_t:dir search;

This file is what I currently need to add to the default SElinux
configuration to get Samba 3.0.23pre1 to work. What is needed seems
to change with each new version of Samba… (The default SElinux
ruleset for 3.0.10-1.3E.6 can be found in
“/etc/selinux/targeted/src/policy/domains/program/winbind.te”.)

Finally, after this “extra” policy file is in place, you should chdir
to “/etc/selinux/targeted/src/policy/”, and run the following command:

#make load

After this, you should be able to start/restart the smb & winbind
services without complaints.

Now, some might ask “How do you derive these additional rules?”

On a clean install, I install the packages, make the necessary mods,
and then set SElinux to non-enforcing:

#setenforce 0

I then start “tail -f /var/log/messages > /tmp/samba_avc.log” in a
separate console.

Next, I start the smb & winbind services and get the running
properly. Running in non-enforcing mode allows all the error
messages to be generated in the logs, but the operations are allowed
to complete successfully. Once the services are running, I do a
couple user queries to prime the winbind system and have it sync with
the AD, etc. I then terminate the tail in the other console, and run
the following command:

#audit2allow -i /tmp/samba_avc.log

This outputs (to stdout) the additional rules necessary to allow all
of the operations that generated AVC error messages in the log
excerpt. This should be what is necessary to get everything running
— I copy these rules into the file I call winbind_add.te in
“/etc/selinux/targeted/src/domains/misc/”, and run the “make load”
command to force the system to reload the SElinux rules.

Finally, I can shut down the smb & winbind services, run “setenforce
1” to re-enable SElinux enforcing mode, and then restart smb &
winbind. If all goes well, this should not generate any AVC errors…

Remove index.php from wiki URL

2008-02-04T06:22:00-05:00

In httpd.conf:

Alias /wiki/index.php /home/rsreese/richardsreese/htdocs/w/index.php  
Alias /wiki /home/rsreese/richardsreese/htdocs/w/index.php

In Localsetting.php:

$wgScriptPath = "/w";  
$wgScript = "$wgScriptPath/index.php";  
$wgRedirectScript = "$wgScriptPath/redirect.php";

# For more information on customizing the URLs please see:  
# http://meta.wikimedia.org/wiki/Eliminating\_index.php\_from\_the\_url  
# If using PHP as a CGI module, the ?title= style usually must be used.  

#$wgArticlePath = "$wgScript/$1";  
$wgArticlePath = "/wiki/$1";

Courier Vacation Notice

2008-02-04T06:09:00-05:00

cc "| /usr/lib/courier/bin/mailbot -t autoresponse -s 'AutoAwayMessage' -A 'From: test@somedomain.com' /usr/sbin/sendmail -f ''"cc "!user@somedomain.edu"cc "./Maildir"
EXITCODE = 0
exit

Compare Directory Contents on Linux computer

2008-02-01T02:02:00-05:00

#/bin/bash
DIR_1=$1
DIR_2=$2

#check dir diffs

ls -1 $DIR_1 >/tmp/diff.1
ls -1 $DIR_2 >/tmp/diff.2

echo "Check Dir differences:"
diff /tmp/diff.1 /tmp/diff.2 && echo "Dir's have the same files"

#check files differences

echo "check files differences:"
for file in `cat /tmp/diff.1 /tmp/diff.2|uniq`; do
diff $DIR_1/$file $DIR_2/$file 2>/dev/null
done

rm /tmp/diff.1 /tmp/diff.2

NFS howto with static ports

2008-01-31T06:43:00-05:00

First I am going to edit the /etc/sysconfig/nfs to specify the ports I want to run on.

STATD_PORT=4000
STATD_OUTGOING_PORT=4004
LOCKD_TCPPORT=4001
LOCKD_UDPPORT=4001
MOUNTD_PORT=4002

Next I want to edit the /etc/hosts.allow to only allow specific hosts to access the resource.

nfs:192.168.1.

Finally lets allow some stuff to come in through our IP tables rules at /etc/sysconfig/iptables

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
#-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 137:139 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 4000:4004 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 55443 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT

Multi-Touch Techonolgy - The new interface of computing

2007-05-30T17:08:00-04:00

This video shows some of the capabilities of this system.

SQL injection attack on a PostgreSQL database (t_jiaozhu)

2007-03-28T15:22:00-04:00

A web server running Apache 2 and PostgreSQL was successfully compromised using a SQL injection vulnerability. I first noticed there was a new table in one of our PostgreSQL databases named ‘t_jiaozhu’.

public t\_jiaozhu table postgres

The table wasn not something that myself or our developer had created so I immediately went into WTF mode. First I googled for the term ‘t_jiazhu’ and found that there was only one English result that mentioned SQL injection attacks with the previously mentioned table name. At this point we searched the PostgreSQL log files but did not turn up much but with the advice of our local security engineer. We checked out the Apache web server log files and found the attack.

# grep t\_jiaozhu \*fred-access\_log:219.153.131.99 - - [25/Mar/2007:11:59:32 -0400] "HEAD /showemploymentopportunity.php?id=38;create%20table%20t\_jiaozhu(jiaozhu%20varchar(200)) HTTP/1.1" 200 - "-" "Mozilla/3.0 (compatible; Indy Library)"

The engineer also came up with a possibility that the IP in which the attack came from may have been a bot using an IDS.

“After the table was created, there were several hits from that IP that had the following user agent “Mozilla/3.0 (compatible; Indy Library)”. A little digging shows that it might be a Chinese spambot.”

Our developer quickly discovered that we were not checking variables that were being passed. A quick addition of code fixed the problem.

if (!is\_numeric($id))  
  $id = 0;

Running UAC and some other tricks to keep your computer running smoothly

2007-03-07T04:47:00-05:00

Most users I know run Microsoft products. A few of you may benefit from some basic tips to keep your computer out of BestBuy or your local computer vendor for repairs. The first and probably most important is also the most difficult to get people to abide by. Use UAC (user access controls). By default Windows XP uses the administrator account which is convenient when an operating system is first loaded but most users load all of their programs on a PC in just a short time. After you get everything installed run as a ‘user’ account and not an administrative context. This will prevent most spy ware and viruses from trashing your system. Even if you accidentally download some malware it will most likely at the worst trash the user profile but not the system which is a pretty easy fix.

Vista by default has UAC turned on. This is annoying at first but is a positive action by Microsoft in order to cut down on end-users trashing their systems. UAC may be disabled but I wouldn’t recommend it. A majority of computers that become compromised with spy ware is because malware or viruses entered through a profile that had administrative privileges and then self installed.

Antivirus must be installed. Most computers I come across don’t have it installed or it’s so out of date it might as well not be installed. It’s a small fee to pay or even free to avoid the headache of infecting your computer or worse other computers.

Scripting attacks may be prevented by staying out of crappy sites. One problem is some popular sites still seem to host ads from vendors that are known to install malware. Using a registry based block lists is a quick and free way to avoid these pitfalls.

Peer2Peer software is another way to trash a system. Installing poorly written software for the purpose of downloading music and whatnot is a pretty sure fire way to hose a system. While in college most of the computers I have seen that run poorly are because a Napster type of software was installed and some of the files downloaded from the network were virus ridden. The peer sharing software themselves sometimes have ad-ware built in for the purpose of bombarding your computer with trash. So the alternative sucks but pay for it using iTunes or something along those lines.

With regards to email, if it looks too good to be true then it probably is. Do not click on links or download images from it, just delete and/or report it as spam.

Running Terminal Server on Windows 2003 Server

2007-02-08T05:33:00-05:00

Vista has been a decent Operating System so far but there are still a large number of software vendors who were not prepared for the OS. A number of statistical software packages are at this point not supported so I decided to implement a Terminal Server for users to access. The terminal server is not being deployed only as a quick fix to manufacturers short comings in software development. I have made the server available on a VPN for users to work from home where they do not have access to applications that are usually required to run on a LAN. Maintenance, licensing, and performance are some of the other benefits.

The first trick to setting up the terminal server was licensing. Since we are not running a cluster of terminal servers the license model was simple. I was able to set the terminal server to be a license server for its self which saved me from having to setup another machine to be a license server. Next was a journey over to CDW in order to purchase some terminal server licenses. When setting up the server there are two license modes, per device and per user. I went with per user because I wanted several hundred users to be able to login without having several hundred licenses.

Next was to setup security on the server so that only the groups I wanted would be able to login. Group policies were also implemented so that folder redirection and additional security features could be employed. The users must login through a vpn from remote locations though with most of our users have fast Internet connections so the vpn didn not really cause additional latency. Documentation was the final product to be constructed. As with any documentation I have gotten feedback to help write enough information so that all of the users are able to be instructed how to connect to our server and run applications remotely.

Using Common Sense to Secure your Information

2006-12-20T05:53:00-05:00

Every day technology creates efficiency for millions of people. With all of the benefits that technology provides there are also many pitfalls that come with convenience. Online vendors make it easy for people to purchase goods at reasonable prices when compared to brick and mortar stores. There are many good companies to do business with but there are also a lot of shady vendors. There are some pretty easy ways to spot the malicious vendors.

A site that looks poorly designed can be a sign of a site that was put together with haste just to be taken down shortly after a few people are ripped off. Searching for reviews of the company that people have expressed there opinions similar to what eBay has in the form of feedback may help you decide. Also companies that are serious about business will no doubt have thoroughly thought about security and usually their reputation.

Do not use sites from SPAM or other illegitimate sources. Phishing sites are a sure fire way to have your identity stolen and you do not want that to happen. Make sure the site uses an SSL certificate in order to encrypt your information, this is a must have. Do not use the same password for your various logins at different sites. Use at least 8 characters if not more and make sure to include some random characters which make cracking a password much more difficult. Know that there are sites that you may login to that may not use SSL certificates so your password may be picked up using a traffic sniffer. Also wireless networks are an easy way to lose information. Be weary of people listening on the wire with traffic sniffers. Do not send important information via email and instant messengers since they are almost always sent in clear text. Review you credit at least once a year, you may not even know that you a victim of online or identity theft until it has already happened.

There are a number of resources online to help you from online fraud. A simple Google search can help you find these resources.

Microsoft Vista and Office 2007 Initial Review

2006-12-12T03:58:00-05:00

I recently got my hands on a copy of Microsoft’s latest offering in the form of desktop software, Vista and Office 2007. I have also acquired some new 64 bit Core 2 Duo Dell computers in order to test the new software for deployment though I have also been testing the new offerings on older hardware in order to determine which machines will need to be depreciated in the next year or two.

First I went ahead installed Office 2007 on my Windows XP desktop. As with most Office installs I was able to customize an install file so that I can skip on the license agreements, serial number and all of the other annoying stuff. I’m pretty impressed overall with the office install. The look of Office has been improved to use a ‘ribbon’ interface which is to improve productivity. Many users have already had issues using the “Office Button” which incorporates many of the functions that “file” button previously did. This is a common hang up with major releases from a software vendor; end-users will have to take time to become acclimated with the new functions. A trick feature I just picked up on recently was just hitting the “alt” key will highlight the shortcut’s to all of the current functions on the “ribbon” toolbar.

Vista was next on the list for testing. From the start I figured the install would be large since we had to rip the ISO image to a DVD. We started off with a 1.8 AMD with 512 MB of system memory. I knew running a video card with 64 MB of memory would limit the operating systems’ capability graphics wise but I needed a real world baseline in which Vista could run without aggrevating end-users with slowly responding applications. The install was very simple although I did provide a answer file so I wouldn’t have to bother with serial numbers and whatnot. Once Vista was up and running I was happy with the performance overall for the base install. Next I added a beta version of McAfee antivirus for Vista, Office 2007, and some statistical software such as SAS, Gams, Guass, and Limdep. The machine did slowdown somewhat mainly due to background services and the lack of memory didn’t help things much but this did give me a baseline for which machines would be able to handle Vista performance wise.

Next was the 64 bit Vista install on 2.4 GHz Core 2 Duo chips, 1 gigabyte of memory, and 512 MB of video memory. These machines are amazing, Vista of course allows for the full blown user interface including Aero which provides for some pretty cool eye candy. I was able to load this machine down and it wasn’t phased at all. For a $1000 dollars (not including monitor) these machines are going to be the way to go for user’s that want the full Vista experience.

The final test to make Vista useable was to add it to the domain. I was able to add the machines to the domain without a hiccup. Setting up Outlook with the Exchange server was even easier since it picked up the domain credentials from the currently logged in user. That is where the fun ended. Vista employs User Access Controls (UAC) so the domain policy’s made software installation rather annoying at least. The lab computers were even worse because we log users in as guests so profiles are not stored eating up drive space. Vista applies the group policies to all accounts, even accounts that are not on the domain so the only fix was to move a computer out of the organizational unit (OU) before installing software so the restrictions aren’t there and then moving it back in when done.

In summary I am impressed with Vista (with the right hardware) but have a lot of tooling to do in order to find all of the benefits. I figure a desktop computer with a 2 GHz processor, 512 Mb system memory, and 128 Mb video memory should be the baseline for us.

Copyrighted Music and Movies

2006-10-18T05:06:00-04:00

Ever since the Napster rise and fall there has been an on going debate in regards to copyrighted material being shared across networks with peer to peer (P2P) applications and popular social networking websites. I know from my school and work that technology exists that may analyze network traffic and determine what content travels through a connection. The content may be stopped if deemed a violation of copyrighted materials. For example, if a student is transferring a song or video from home to their email account so they may upload it to their Ipod. Corporate employees may be exempt from many of the free speech debates that arise. Universitys on the other hand, at least public universitys have large student bodies to please, and furthermore these students have rights. The technology can be very expensive if a third party is used to thwart sharing of copyrighted materials.

Another hot topic are the social networking sites such as myspace.com and youtube.com which contain quite a bit of copyrighted material. The content is placed on the sites and shared by the person users but ultimately the site is distributing the music. The music and videos help a lot of newer bands that are just starting gain popularity without spending tons of money on advertising. The same technology that may be used on college and corporate network may also be used on the networks that have web servers that distribute non-copyrighted material in order to find items that should not be shared.

A final interesting note for those who do not pay attention to the news (of any sort), google.compurchased youtube.com. This move for Google is a huge step since they spent 1.85 billion dollars on youTube which is already having issues due to the amount of copyrighted material that the artists are complaining about.

What is Web 2.0

2006-04-18T19:24:00-04:00

An article describing the slow migration to what some call Web 2.0

Botnets that make money but at whos expense

2006-03-22T19:08:00-05:00

Witlog claims he do not use his botnet for illegal purposes, only “for fun.” I found that claim pretty hard to believe given a) the income he could make installing ad-serving software on each computer under his control, combined with b) the risk he is taking of getting caught breaking into so many computers. The kid I wrote about in the Post magazine story on the connection between botnets and spyware was making $6,000 to $10,000 per month installing adware on a botnet half the size of the one Witlog claims to have.

New phishing techniques to fool online users

2006-02-14T07:04:00-05:00

People are becoming aware of the insecurities posed by online shopping, browsing, and even messaging. The days of email that are obviously spam due to misspelled words and links that contain ip addresses instead of dns names are moving to a new level. The following post describes the process in which a SSL certificate was used to trick users into entering confidential information, a tatic previously not used before.