Showing posts with label irc. Show all posts

Saturday, February 16

Snort Hints

I recently received a question via the blog email. It read:

"I'm a new Snort user in an IDS class and I'm getting the following error message about my bad traffic rule. However, if I comment out this rule it still appears in every successive rule. I have also opened the bad traffic rule file and I see no "!any" syntax. Can you give some more advice?

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
ERROR: c:\snort\rules/bad-traffic.rules(27) => !any is not allowed
Fatal Error, Quitting..
C:\Snort\bin>

Additionally, I get this error message if I'm trying to run a custom rule named testing.rule:

ERROR: Unable to open rules file:
c:\snort\rules/TESTING.rules or C:\snort\etc\c:\snort\rules/TESTING.rules
Fatal Error, Quittting...
Any advice here also?"


Now, this looks like two separate problems. Let's look at the first one.

The (27) in the error message tells you exactly which line of the file the error is on. You can jump straight to it in vi by starting it like this: "vi +27 bad-traffic.rules". This opens bad-traffic.rules at exactly line 27. So I asked the guy, "What is line 27?"

"alert tcp $EXTERNAL_NET any <> $HOME_NET 0 (msg:"BAD-TRAFFIC tcp port 0 traffic"; flow:stateless; classtype:misc-activity; sid:524; rev:8;)"

Okay, so the error is "!any is not allowed". The only "any" in that rule is the source port after $EXTERNAL_NET, and it isn't negated, so the "!any" has to be coming out of a variable. That tells me something is screwed up in snort.conf. So I asked how the variables were configured.

"var HOME_NET 192.168.0.0/24
var HOME_NET any
var EXTERNAL_NET !$HOME_NET"


That was the answer I got. What happens here is that Snort reads the variables in snort.conf from top to bottom, and a later definition of a variable replaces the earlier one, so the HOME_NET that survives is "any". EXTERNAL_NET is then defined as !$HOME_NET, which expands to "!any", and that is exactly what Snort refuses to accept. After expansion the header of the rule winds up being:

"alert tcp !any any <> any 0" See how that doesn't work? The fix is to delete the second HOME_NET line (or set HOME_NET to the real network), so that EXTERNAL_NET expands to !192.168.0.0/24 instead.

Now, for the second question..

Looks like a simple mismatch between the RULE_PATH variable and where the rule file actually is. By default RULE_PATH is "../rules", relative to the directory snort.conf lives in; the error message shows Snort trying the path as given and then the same path relative to C:\snort\etc, and finding nothing either way. So you either have to set RULE_PATH to the correct directory, or put your rules in the directory RULE_PATH points to. Also compare the file name in your include line with the file on disk: the error is looking for TESTING.rules, while the file was described as testing.rule, and a missing "s" in the extension is enough to produce exactly this error.

I posted these hints and this email with permission from the guy who wrote the question in to me, with the promise that I remove his name. No problem. Thanks.

If you have questions, feel free to write me. However, as I will tell you in #snort on IRC and in the forums, we are not here to help you do your homework. Every year at the same time we start getting a ton of really basic questions from users in IRC and on the Snort-Users list. There has to be a class at a university out there somewhere that is giving assignments.

Last year we got a classic one on the snort-users list. It was a direct copy and paste of the assignment asking us to answer his questions for him.

I'm definitely not saying that this guy who wrote me is in a class like that, since this kind of question happens all the time; it just happens to be that time of year.

Thursday, January 24

Getting Things Done (GTD), Mutt, and Vim

I've Googled about 100 articles in the past couple of days detailing how people best use Mutt to implement their theory of how GTD works for them. I found a lot of good articles, but many implemented a lot of scripts and extra headers, and tagging... yuck. Way too much!

The point of GTD is to make the world, and your email in particular, work for you, not you work for it. I don't want to manually edit an "X-" header every time I want to tag an email with "Defer" or "Reply". I want to hit a one or two keystroke combination and be done with it.
The major point of GTD is to navigate through life easier, not to have a lot of things pending in your mind. Get it out of your mind and onto paper (or whatever) and be done with thinking about it. Just have it in a trusted bucket where you can store stuff.

So I have a different theory. First off, let me preface this by saying that I do not keep my To-Do list and "Next Actions" list in Mutt. I use a Vim outline. This is an excellent way for me to keep up on how things are going with my actions simply by looking at them. I know what needs to be done next, I know what things I am waiting on, all at a glance. This is how I envisioned it.

My contexts are simple:

@home -- All the tasks that could be done at home, Cleaning the Garage, organizing the basement, getting the taxes together, being an awesome dad. You get the picture.


@work -- All the tasks that could be (should be, have to be) accomplished at work. Doing Timesheets, filing bug reports, answering email, talking with a coworker about a project.


@waiting -- Stuff I am waiting on someone else for. Do I need to ping them? No, but I regularly review my @waiting list to make sure that people get back to me on items, and if they don't then I make a next action item to ping them back in @work or @home.


@someday -- Someday/Maybe. All the things I'd like to accomplish someday. Clean out my closet, finish that Snort paper I've been working on.


@review -- Weekly/Daily tasks. This is usually the first thing I check: things I need to do "today". If I need to do something on a particular day, I'll make an appointment in iCal to do it. Nothing goes on the calendar unless it WILL get done that day. The calendar is sacred territory. Then I make a reminder in iCal to alert me. For things I need to accomplish that are next action items in @home or @work, I'll simply say "check @work" in my @review list. Simple.


@phone -- Phone calls I need to make. These can be done anywhere.  Whenever I have a chance to do them, I'll make a couple phone calls.  Things rarely go in there because I basically loathe talking on the phone. I'd rather do everything through IRC, IM, or email. I keep records of stuff this way.

That's it. Under a context, a project is indented one level, and its next action items are indented under the project. For example:
@home
  Clean Garage
    -- Go to Lowe's
    -- Buy Shelves
    -- Assemble Shelves
    -- Make time to clean Garage
    -- Clean Garage

Simple enough. One indent is a project; anything indented under the project is a next action item. Each next action starts with a two-character marker, "--" being the plain one. Let me define my markers.

-- To do.
++ Cancelled.
\- Done
-> Deferred or assigned to someone else
?- Waiting on this.

That's it. No need to get tricky. Now I can easily glance at my list and tell what needs to be done, what has been done, and what I am waiting on.

KISS principle. Keep It Simple Stupid!

Now, for the other part: email, mutt (or muttng, which I use) and how I have it implemented.

Before I started the GTD philosophy, I used the folder method. You know the one: "All email from Sourcefire goes in the Sourcefire folder." "All email from the snort-users list goes in the snort-users folder." What do you wind up with? A hundred folders! This isn't the most efficient way to do anything. So I had to get away from that. I started thinking, what is the most efficient way of sorting email? I got hold of a friend of mine, Emory, and asked him what he did (he's a big GTD guy as well), and he gave me a couple of thoughts. So I took his ideas, combined them with a couple of my own, and here we are.

I made 4 folders.
_Read -- Emails I have read.
_Reply -- Emails I need to reply to, but it will take me over 2 minutes to do so. (GTD's philosophy is, if it takes >2 minutes to do something, you need to allot some time to do it. If it takes <2>

_Waiting -- Emails that I am waiting on someone else to get back to me about the contents on.

_Defer -- Emails that I assigned to someone else but I need to stay in on until completion (things rarely go here).

I have another folder called "lists" that I already had. Under the folder lists I had about 20 subfolders for all the list servers I subscribe to. This was too much for easy sorting.

First thing I did was move all the email from all the subfolders under "lists" and put it in "lists" itself. Of course, I wound up with about 13,000 emails in there, but who cares? It's all in context and it will make more sense in a second.
Second thing I did was change all my procmail recipes (or rules) to dump everything straight into "lists" instead of into subfolders of it.
Third thing I did was get rid of all the auto-processing rules that sorted email by sender. I had rules that put anything from sourcefire.com into a folder called sourcefire, and anything from apple.com or mac.com into apple. Too much. Put it all in the inbox. Pretty simple so far.

The next thing I did, since I am going to have more email coming into my inbox now, was to find a way to easily process it. I wanted to be able to read an email, mark it, and know exactly where it is. "Hey, that email from Billy-bob, is it in sourcefire? Is it in snort-users? In defer? Where the hell did I put that?" Spotlight on the Mac makes this very nice; however, I am using mutt. So I needed a better way. Finally I came up with my answer: macros. I wanted to be able to mash a key or two and have my email sort automatically after I get done reading it. So I made some muttng macros.
macro index,pager \e1 "<copy-message>=_Read\ny<delete-message>" "Save Message to _Read"
macro index,pager \e2 "<copy-message>=_Reply\ny<delete-message>" "Save Message to _Reply"
macro index,pager \e3 "<copy-message>=_Waiting\ny<delete-message>" "Save Message to _Waiting"
macro index,pager \e4 "<copy-message>=_Defer\ny<delete-message>" "Save Message to _Defer"
macro index,pager \e5 "<copy-message>=lists\ny<delete-message>" "Save Message to lists"
macro index,pager \e6 "<copy-message>=spam\ny<delete-message>" "Move Message to spam"

Now, when I mash "Esc 1" the email is copied to _Read and marked for deletion in the Inbox. No selecting the folder, no hitting "yes", no hitting enter. I just mash Esc-1. Done.
Same thing with 2, 3, 4, 5, and 6. I don't have to change headers or anything. They are sorted by folder, and I don't have to worry about it. I use the sidebar patch (built into muttng) to see how many emails I have in each folder at a glance. If you use mutt and you don't use the sidebar, I suggest a look. Very handy.

That's it. In my sidebar I have 6 folders. Now my workflow is simple.

Email comes in: do I need to respond, or assign it to someone else? Yes or no? If yes, will the response take longer than two minutes? If yes, file to _Reply; if no, respond. If I do not need to respond, file to _Read. If I need to assign it to someone else, forward it. If I need to track it, the email goes to _Defer until tracking is done, then it goes to _Read.

All listserv traffic goes to lists. I check this a couple times a day just to skim through.

The spam folder is for spam (duh). And I get a LOT of spam. Fortunately for me, I have built some really bullet-proof spam rules in procmail and they do 95% of the sorting for me. However, every once in a while a real email will get sent to spam (empty subjects, people who write in all caps, people who send me subjects in all caps, or a whole bunch of "!!!!!").

The only other folder that is automatically filed is a folder called "big". All emails with attachments over 3 MB in size go to this folder. This rarely happens, and 100% of the time people will ask me "Hey, I just sent you an email with a bunch of pictures in it, did you get it?" I'll go check big. Done.

I think this system will work for me. Let me know if any of it works out for you.


Getting Things Done (GTD), Mutt, and Vim

I've Googled about 100 articles in the past couple of days detailing how people best use Mutt to implement their theory of how GTD works for them. I found a lot of good articles, but many implemented a lot of scripts and extra headers, and tagging... yuck. Way too much!


The point of GTD is to make the world, and your email in particular, work for you, not you work for it. I don't want to manually edit an "X-" header every time I want to tag an email with "Defer" or "Reply". I want to hit a one or two keystroke combination and be done with it.
The major point of GTD is to navigate through life easier, not to have a lot of things pending in your mind. Get it out of your mind and onto paper (or whatever) and be done with thinking about it. Just have it in a trusted bucket where you can store stuff.

So I have a different theory. First off, let me preface this by saying that I do not keep my To-Do list and "Next Actions" list in Mutt. I use a Vim outline. This is an excellent way for me to keep up on how things are going with my actions simply by looking at them. I know what needs to be done next, I know what things I am waiting on, all at a glance. This is how I envisioned it.

My contexts are simple:

@home -- All the tasks that could be done at home, Cleaning the Garage, organizing the basement, getting the taxes together, being an awesome dad. You get the picture.

@work -- All the tasks that could be (should be, have to be) accomplished at work. Doing Timesheets, filing bug reports, answering email, talking with a coworker about a project.

@waiting -- Stuff I am waiting on someone else for. Do I need to ping them? No, but I regularly review my @waiting list to make sure that people get back to me on items, and if they don't then I make a next action item to ping them back in @work or @home.

@someday -- Someday/Maybe. All the things I'd like to accomplish someday. Clean out my closet, finish that Snort paper I've been working on.

@review -- Weekly/Daily tasks. This is usually the first thing I check: things I need to do "today". If I need to do something on a particular day, I'll make an appointment in iCal to do it. Nothing goes on the calendar unless it WILL get done that day. The calendar is sacred territory. Then I make a reminder in iCal to alert me. For things I need to accomplish that are next action items in @home or @work, I'll simply say "check @work" in my @review list. Simple.

@phone -- Phone calls I need to make. These can be done anywhere.  Whenever I have a chance to do them, I'll make a couple phone calls.  Things rarely go in there because I basically loathe talking on the phone. I'd rather do everything through IRC, IM, or email. I keep records of stuff this way.

That's it. Under a context, a project is indented one level, and its next action items are indented under the project. For example:
@home
  Clean Garage
    -- Go to Lowe's
    -- Buy Shelves
    -- Assemble Shelves
    -- Make time to clean Garage
    -- Clean Garage

Simple enough. One indent is a project; anything indented under the project is a next action item. Each next action starts with a two-character marker, "--" being the plain one. Let me define my markers.

-- To do.
++ Cancelled.
\- Done
-> Deferred or assigned to someone else
?- Waiting on this.

That's it. No need to get tricky. Now I can easily glance at my list and tell what needs to be done, what has been done, and what I am waiting on.

KISS principle. Keep It Simple Stupid!
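The outline format above (contexts, projects, and next actions with a two-character status marker) is simple enough to parse mechanically, which is handy for the @review pass. The script below is an added example, not the author's own tooling: it parses an outline in this format and reports the open next actions per context plus every item that is waiting on someone else. The function names and the sample outline are constructed for illustration; indentation is accepted but not required, because the markers carry the meaning.

```python
"""Parser for the Vim outline format described above: a context line
starts with '@', a project is the line under it, and each next action
under a project starts with one of the five status markers.

This is an added example, not the author's own tooling; the sample
outline below is constructed for illustration."""

STATUS = {'--': 'todo', '++': 'cancelled', r'\-': 'done',
          '->': 'deferred', '?-': 'waiting'}


def parse_outline(text):
    """Return {context: {project: [(status, action), ...]}}."""
    outline, context, project = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith('@'):                 # new context, e.g. @work
            context, project = line.split()[0], None
            outline.setdefault(context, {})
        elif line[:2] in STATUS:                 # next action with a marker
            if project is None:
                raise ValueError(f'action outside a project: {line!r}')
            outline[context][project].append((STATUS[line[:2]], line[2:].strip()))
        else:                                    # anything else is a project
            if context is None:
                raise ValueError(f'project outside a context: {line!r}')
            project = line
            outline[context].setdefault(project, [])
    return outline


def review(outline):
    """What the @review pass needs at a glance: open next actions per
    context, and every item still waiting on someone else."""
    open_counts, waiting = {}, []
    for context, projects in outline.items():
        open_counts[context] = 0
        for project, actions in projects.items():
            for status, action in actions:
                if status == 'todo':
                    open_counts[context] += 1
                elif status == 'waiting':
                    waiting.append((context, project, action))
    return open_counts, waiting


# Constructed sample outline in the format from the post.
SAMPLE = r"""
@home
  Clean Garage
    \- Go to Lowe's
    \- Buy Shelves
    -- Assemble Shelves
    -- Clean Garage
@work
  Snort paper
    ?- Comments back from the reviewer
    -- Write the preprocessor section
    ++ Old outline
"""

if __name__ == '__main__':
    counts, waiting = review(parse_outline(SAMPLE))
    print(counts)    # {'@home': 2, '@work': 1}
    print(waiting)   # [('@work', 'Snort paper', 'Comments back from the reviewer')]
```

Feed it the text of your own outline file and the two values it returns are the "what is open" and "who do I need to chase" lists in one go; because it keys on the markers rather than indentation, a line whose marker you mistyped shows up as a bogus project, which is an easy way to catch formatting slips.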

Now, for the other part: email, mutt (or muttng, which I use) and how I have it implemented.

Before I started the GTD philosophy, I used the folder method. You know the one: "All email from Sourcefire goes in the Sourcefire folder." "All email from the snort-users list goes in the snort-users folder." What do you wind up with? A hundred folders! This isn't the most efficient way to do anything. So I had to get away from that. I started thinking, what is the most efficient way of sorting email? I got hold of a friend of mine, Emory, and asked him what he did (he's a big GTD guy as well), and he gave me a couple of thoughts. So I took his ideas, combined them with a couple of my own, and here we are.

I made 3 folders.
Archive -- Emails I have read.
Listservs -- Emails from Listservers, I don't read these as often and all the listserv traffic is put into this folder on the server.

Waiting -- Emails that I am waiting on someone else to get back to me about the contents on.

First thing I did was move all the email from all the lists into "Listservs". Of course, I wound up with about 13,000 emails in there, but who cares? It's all in context and it will make more sense in a second.

Second thing I did was change all my procmail recipes (or rules) to dump everything straight into "Listservs" instead of into subfolders of "lists".
Third thing I did was get rid of all the auto-processing rules that sorted email by sender. I had rules that put anything from sourcefire.com into a folder called sourcefire, and anything from apple.com or mac.com into apple. Too much. Put it all in the inbox. Pretty simple so far.

The next thing I did, since I am going to have more email coming into my inbox now, was to find a way to easily process it. I wanted to be able to read an email, mark it, and know exactly where it is. "Hey, that email from Billy-bob, is it in sourcefire? Is it in snort-users? In defer? Where the hell did I put that?" Spotlight on the Mac makes this very nice; however, I am using mutt. So I needed a better way. Finally I came up with my answer: macros. I wanted to be able to mash a key or two and have my email sort automatically after I get done reading it. So I made some muttng macros.
macro index,pager \e1 "<copy-message>=Archive\ny<delete-message>" "Save Message to Archive"
macro index,pager \e2 "<copy-message>=Listservs\ny<delete-message>" "Save Message to Listservs"
macro index,pager \e3 "<copy-message>=Waiting\ny<delete-message>" "Save Message to Waiting"


Now, when I mash "Esc 1" the email is copied to Archive and marked for deletion in the Inbox. No selecting the folder, no hitting "yes", no hitting enter. I just mash Esc-1. Done.

Same thing with 2 and 3. I don't have to change headers or anything. They are sorted by folder, and I don't have to worry about it. I use the sidebar patch (built into muttng) to see how many emails I have in each folder at a glance. If you use mutt and you don't use the sidebar, I suggest a look. Very handy.

That's it. In my sidebar I have 6 folders. Now my workflow is simple.

Email comes in: do I need to respond, or assign it to someone else? Yes or no? If yes, will the response take longer than two minutes? If yes, file to Archive; if no, respond. If I do not need to respond, file to Archive. If I need to assign it to someone else, forward it. If I need to track it, the email goes to Archive and I create a todo in OmniFocus to track it until tracking is done, then it stays in Archive.

All listserv traffic goes to listservs. I check this a couple times a day just to skim through.

The spam folder is for spam (duh). And I get a LOT of spam. Fortunately for me, I have built some really bullet-proof spam rules in procmail and they do 95% of the sorting for me. However, every once in a while a real email will get sent to spam (empty subjects, people who write in all caps, people who send me subjects in all caps, or a whole bunch of "!!!!!").

I think this system will work for me. Let me know if any of it works out for you.


Tuesday, January 22

Mailing lists and "Botnets: How they are getting better"

I am subscribed to a couple dozen security type mailing lists. It's one of the best ways of sharing information. A small list:

Incident list (although, i think this one is dead)
fedtalk (An Apple list for people that work for .gov/.mil)
53L (An army.mil list for people in the computer profession)
botnet list
(various internal Sourcefire lists)

Now, I am a member on several more, however, those I am not at liberty to discuss... so anyway, moving on.

I got an email on one of my lists today detailing a web-gui for managing a botnet. Yes, seriously. You can go to this website (I am assuming it's hacked as well) login to this website and manage your botnets point & click style!

Remember the days when you could manage your botnets via IRC? Well, if you want to do things the old school way, fine. But we are Web 2.0 now!

This website is great: it allows you to log in, select which targets you want to DDoS (or run other commands as well), and even lets you pick which bots you want to use to perform the attack! (All of them? Bots that have a ping time < X?) How handy is this?

In the new age of managing your bots. For fun and profit. Welcome.


Wednesday, December 19

Mac versus Windows vulnerability stats for 2007

byte_bucket over in the #pauldotcom IRC channel turned me onto this article, simply because I am a self-proclaimed Apple fanboy. Sounds good, I don't mind; I like it when people point me to articles. I read a lot of news during the day, but sometimes I don't get to see all the news articles.
Anyway, George Ou writes on zdnet.com an article comparing the number of vulnerabilities for XP, Vista, and OSX. At first glance we look at this column comparison and say "holy crap, OSX had a hell of a lot more vulnerabilities than Vista and XP combined!"



True. Now, in my usual Microsoft punditry and OSX defender stance, let me point out the less obvious about these three operating systems.

1) OSX hasn't had to deal with a bunch of hackers before; now that it's being increasingly targeted, especially QuickTime, Apple is dealing with it.
2) XP and Vista are closed platforms. OSX, save for Apple's internal binaries, is pretty much open. You can see how it all works.
3) and probably the most critical, OSX is built on, and contains, a TON of open source software: CUPS, Apache, PCRE, MySQL, the list goes on and on and on.

So not only does Apple have to patch their own stuff, but they also have to wait for the open source community to patch, then take the community's patch, tie it into their products, test, test, test, test and test, then release their own patch. Makes sense so far, right? OSX Server even contains software owned by my company, Sourcefire: OSX Server ships ClamAV.

Are there more vulnerabilities in OSX than there are in Windows? Yes. But you are comparing apples (no pun intended, okay, well, slightly) and oranges. Windows has 94% market share! Just one vulnerability for Windows has the potential to cause a lot more damage than 30 vulnerabilities for OSX.

Then you have to look at the security models of the two. On OSX, most everything runs in "userland", as the logged-in user. In Windows, applications and services run at a lot of different privilege levels: SYSTEM, administrator, user, etc.

One thing I don't like about Leopard is the same thing I didn't like about Tiger: the firewall. There is no "DENY ALL". There is a "deny all, um.. except the stuff that would break OSX". Which is fine, as long as there aren't any vulnerabilities in the things that are let through, like mDNSResponder (UDP port 5353). But there have been remote vulns in mDNSResponder! The other thing I don't like about the Leopard firewall? It's OFF by default. Granted, there is only one port open by default on OSX (5353), as opposed to Windows, where there are at least three.

So, yes, OSX has more vulnerabilities than Windows, but does it matter?

UPDATE: From the comments: iamnowonmai says "I would like to see a list of all the vulnerabilities in the third-party software that people commonly use on XP. Since Acrobat is not a part of the OS, it doesn't count? Or Word? Outlook? And at least the third-party software gets updated on a Mac. How many fools are out there still using Acrobat version 4?"

Brings up a good point. Microsoft doesn't have to patch all the "other" software on a Windows system. Apple does. Apple includes a lot of software to make their user experience better and more seamless, where Windows relies on 3rd party developers for this. Say what you will, but these are things you need to take into account when you read this article.

Monday, November 5

Google Phone, Apple Stock, and other Random Blatherings

Today’s news has just been a buzz with Google’s announcement of their “gphone”. Wait...

Google’s phone is NOT a PHONE! It’s Open Software, FOR phones. Google isn’t making a phone (yet), and no products have been announced. So at this point, this is ‘releaseware’. Other phone companies (Motorola, Sony, Nokia, and the like) have to want to put Google’s software on their phones. Will they do that? When they have a significant investment in their own OS’es on their phones now? Time will tell.

Apple’s Stock Price --

I can’t complain. Every time Apple’s stock price levels out and doesn’t go anywhere for a while, they introduce something new: iPhone, iPod Nano, iPod Touch, 3rd quarter earnings, new laptops... just keep on going, Apple, keep on going.

Trolls--
I’ve noticed as of late a lot of trolls in some IRC channels that I am in. Why would you come into a product channel and say “your product sucks because ”? Do I jump into the #windows channel and say “Control Panel sucks, therefore the whole OS sucks!”? No, because that’s called “trolling”! Why would you pop into one of my channels, where clearly there are a lot of people that know more about the product than you, and say something insane like “You can’t achieve >1 Gig speeds with your product!”?

Sorry, just needed to vent.

For those reading this blog looking for Leopard feedback, here you go. I like it. There are only a couple of things I can’t get to work: Back to My Mac for one (probably because of some firewall setting I have), local LAN browsing doesn’t always work, and my laptop battery life really, really sucks now. I can drain my whole laptop battery in about 10 minutes. Something isn’t right.

I really like Time Machine, it’s great. I like a lot of their new features, even though, I admit, Leopard could have used a bit more testing before release.

Hopefully they release a fix-it pack soon. But I still like it!

Tuesday, May 8

The Snort Book

Finally got my copies of my book today from the publisher. (Only took them a month!) There are a lot of comments I could make about the book, positive and negative, but overall it’s a great resource. In particular the preprocessors chapter (I know, I wrote it) has some good tuning steps and hints that you won’t find elsewhere.

Some chapters are better than others. Some chapters have errors in them (even mine! I mean, really, who begins a TCP conversation with a FIN, ACK? I swear, it was correct in the proof copy!)

I mention Stream5 in my chapter at one point, saying that we ‘took a peek at it’, even though I didn’t discuss it at all. At the time of writing Stream5 wasn’t out yet, so I couldn’t really put much in there about it since it was still in beta. I originally had some material in there about UDP session tracking being in Stream5, but I took it out. That’s why I “refer” back to it later.

I edited/rewrote another chapter in the book (which shall remain unknown for now), but none of my edits got into the book. When I asked the publisher why, it turns out the publisher for this particular book quit in the middle of the book’s publication, so a lot of edits didn’t get in there. Hm... That sucks. Maybe they’ll do a second edition to add that stuff in.

I really like the book overall, and I really liked the writing experience; however, next time, if asked to write a book, or if I write my own book, I’d like more control over it. Our editors did a GREAT job with the task that was set before them. I wrote my chapter on my laptop on flights and in hotels. I always got interesting looks when people would look over on a plane and see me just going to TOWN on the keyboard. (You know how some people just work on Excel spreadsheets and what not; it’s always interesting to see people going nuts on their keyboard.)

Go buy the book. You’ll learn a lot. I promise. If you read the book, a lot of the most common questions are answered. If that doesn’t work, then pop into #snort on irc.freenode.net and ask your question, or pop onto the snort-users mailing list. Chances are your question has not only been asked already, but we’ll get you the answer right away. See you online!

Addendum --

It was pointed out in a blog comment here that my title was neither “Director” nor did I “develop” an IDS at my last job. (As listed in my bio.) Both true. I’ll admit it. The commenter even went so far as to call me a LIAR. (Yes all in caps). Let me correct/clarify. As I most definitely didn’t mean to ‘lie’.

There was no such thing as “Director” in my last job. My title was “Section Manager”. Originally the title given to me was “Section Lead”; however, in the politics that ensued after I was ‘promoted’ to the position, it was pointed out to me that “Lead” was reserved for Government employees. I was a contractor. When I sent my bio to a couple of people to proofread, I also sent it to the publisher because of a deadline we had to meet. When the people I sent it to for proofreading pointed out “Director”, I said ‘ah yes’ and emailed the publisher with the correction. Why did I write it in there? In my present job, the equivalent title for the position would have been Director. No one knows what ‘Section Manager’ is. It’s not a real title. ‘Manager’ is a real title; ‘Section Manager’ is one of those made-up Government titles. What were my responsibilities? I attended a weekly ‘managers’ meeting, and compiled a weekly report of what the guys who ‘worked’ for me did. First of all, the guys that worked for me were on a different contract, so I couldn’t tell them what to do anyway. You didn’t get into our section unless you didn’t need to be managed. (You had to be self-sustaining.) So the title really meant nothing. Second of all, no one had one boss. On one project, a friend named Jamey was the lead; for the section, I was the lead; but then my contract lead (Joe) was my boss and wrote my reviews, except he didn’t give me my jobs, another person named Harry did that; his title was “Lead Contractor”, and he was everyone’s boss, and everyone reported to him directly. Then on top of all that, our Government rep at the office was our boss as well and she was over everyone. After I left, it just got worse with one more layer of boss in the middle there somewhere. As I said, the title didn’t mean much.

That’s what causes people to get other jobs. Some of the best employees I know have left that place because of all the politics.


As to the second point: developing an IDS. I did NOT develop an IDS. I DID develop an IDS system of tools that worked together (yes, of course, with some assistance from a couple of friends, mainly on the db side) for passive OS fingerprinting, full traffic capture, and then, yes, the IDS, which was Snort. I developed how the tools worked together, and automated all the pieces and parts to keep them all up and running on the multiple sensors I had. When I was asked to help develop the system that is currently in place on a much, much larger scale at a sister office, I did. That system is still in place today exactly how I designed it (at the sister office).

The system I developed at my home office has been dismantled and pieced apart, and not all the pieces of it are running anymore, mainly because no one knew how it all worked after I left. Why? I am not sure. It was all documented. The best comparison I can make for the system I built is Sguil, except without the tcl/tk front end.

Did I write ‘Director’? Yes. I sure did. To make myself look better and over-inflated and to lie? No, that was not the intention. The intention was to convert my ‘made up’ title into a commercial equivalent. When it was pointed out to me, I did make the correction, and the correction wasn’t published. (add that to the list of things that didn’t get corrected)

Now, the thing that concerns me is that only a few people knew the exact nature of my title while I was at the RCERT, and of those people, only a couple would be rude enough to try and bust me out publicly. On my own blog, no less. All of those people, both the people I think it is and the rest of the people at the RCERT, have my email address and could have written me an email telling me the deal. Everyone has my email address. Hell, it’s on the front page of this blog.

I didn’t appreciate it. Even though you were correct, it was rude.

Thursday, December 28

The Snort Top 10

I work with Snort® constantly. It's my job to do so. I've been using Snort for many years, I teach classes on how to configure it, and I teach classes on how to write Snort rules. I've been setting up Sourcefire and Snort devices on hundreds of different networks for years on end now.
 
I am frequently asked questions, many of them the same things over and over again, and I always see the same mistakes being made when setting it up. So, I've compiled a list of the top ten mistakes and commonly misconfigured or overlooked things when configuring everyone's favorite IDS.
 
None of these override the necessity to read the Snort manual, however. The manual supersedes all Snort books, because as great as these books are, they can't keep up with the pace at which Snort is updated. So here goes...
 
1. The Snort.conf file.
Almost all your options are set in this file. It should be read line by line, from top to bottom, taking the time to fully understand what each configuration option does. 90% of all the questions I get can be answered by just reviewing the comments in the snort.conf file.
 
2. Variables.
At the very top of the snort.conf file there are variables to be set. The very least of which is "HOME_NET". HOME_NET should ALWAYS be configured. Depending on the placement of your IDS, your HOME_NET is loosely interpreted as "whatever the Snort box is protecting". For instance, on my network, it's 192.168.1.0/24. The whole network is controlled by my router, and no other IP addresses should be on the network unless they are in this range. If I *had* other IPs pop up on my network, I would definitely not want them treated as mine! Common settings for HOME_NET may be your whole internal network range, such as the RFC 1918 addresses. Depending upon the placement of your sensor (such as at your border) you may want to have your public IP address space in your HOME_NET as well. Remember that only CIDR notation is accepted in a variable, either a single block or a bracketed, comma-separated list of blocks such as [192.168.1.0/24,10.0.0.0/8]. 192.168.1.1:254 won't work, and neither will 192.168.1.1-254. Only 192.168.1.0/24 will.

Another big thing to note is your setting for EXTERNAL_NET. By default, EXTERNAL_NET is set to "any", and "any" includes your HOME_NET. In order to make Snort treat traffic that is NOT in your HOME_NET as external, you can set your EXTERNAL_NET to "!$HOME_NET". One caveat: Snort reads variables top to bottom, the last definition of a name wins, and the negation of "any" is not allowed, so if HOME_NET is still "any" (or gets redefined to "any" further down) EXTERNAL_NET has to stay "any" or Snort will refuse to start. Which setting applies to you is dependent upon the placement of your sensor.
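As an added illustration (my code, not part of the original post and not Snort's own code), the script below resolves var and ipvar lines the way Snort reads them, last definition wins, expands $NAME references, and flags the two mistakes described above: address ranges that are not CIDR, and an EXTERNAL_NET that ends up as "!any". It goes slightly beyond the text in also accepting the newer ipvar keyword and bracketed CIDR lists. The snort.conf excerpt it checks is constructed for the example.

```python
"""Resolve Snort 2.x 'var'/'ipvar' definitions the way the engine reads them
(top to bottom, last definition wins), expand $NAME references, and flag the
two mistakes described in the text: address ranges that are not CIDR, and an
EXTERNAL_NET that ends up as '!any'.  Added example, not Snort's own code;
SAMPLE_CONF is a constructed snort.conf excerpt."""
import ipaddress
import re

# Constructed excerpt.  HOME_NET is redefined to 'any' lower down, which is
# exactly what turns '!$HOME_NET' into the illegal '!any'.
SAMPLE_CONF = """\
# network variables
var HOME_NET [192.168.1.0/24,10.0.0.0/8]
var HOME_NET any
var EXTERNAL_NET !$HOME_NET
var DNS_SERVERS 192.168.1.1-254
ipvar HTTP_SERVERS $HOME_NET
portvar HTTP_PORTS 80
"""

VAR_RE = re.compile(r"^\s*(?:var|ipvar)\s+(\w+)\s+(\S+)")


def parse_vars(conf_text):
    """Return {name: raw_value}; a later definition replaces an earlier one."""
    vars_ = {}
    for line in conf_text.splitlines():
        m = VAR_RE.match(line)
        if m:
            vars_[m.group(1)] = m.group(2)
    return vars_


def expand(value, vars_, depth=0):
    """Substitute $NAME references recursively, as Snort does at load time."""
    if depth > 10:
        raise ValueError("variable reference loop")

    def sub(m):
        name = m.group(1)
        if name not in vars_:
            raise ValueError(f"undefined variable ${name}")
        return expand(vars_[name], vars_, depth + 1)

    return re.sub(r"\$(\w+)", sub, value)


def check_ip_var(name, value):
    """Return a list of problems with one fully expanded IP variable."""
    if value.replace(" ", "") == "!any":
        return [f"{name}: '!any' is not allowed"]
    problems = []
    # Accept a single block or a bracketed comma-separated list; each element
    # may carry a leading '!' and must be 'any' or a CIDR block.
    for elem in value.strip("[]").split(","):
        target = elem.lstrip("!")
        if target == "any":
            continue
        try:
            ipaddress.ip_network(target, strict=False)
        except ValueError:
            problems.append(f"{name}: '{elem}' is not CIDR notation")
    return problems


def audit(conf_text):
    """Parse, expand and check every IP variable; returns (vars, problems)."""
    vars_ = parse_vars(conf_text)
    problems = []
    for name, raw in vars_.items():
        problems.extend(check_ip_var(name, expand(raw, vars_)))
    return vars_, problems


if __name__ == "__main__":
    resolved, issues = audit(SAMPLE_CONF)
    for name in resolved:
        print(f"{name} = {expand(resolved[name], resolved)}")
    for issue in issues:
        print("ERROR:", issue)
```

Run against the sample, it reports that EXTERNAL_NET resolves to "!any" and that DNS_SERVERS uses a range instead of CIDR; the portvar line is ignored because it is not an IP variable.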
 
3. Frag3 preprocessor.
Snort is able to avoid many different types of evasions. One of the big ones that people think they can slip past any IDS is IP fragmentation: using malicious overlapping and underlapping fragments to sneak the payload past your IDSs while still having it reassembled correctly on the target.
 
Okay.. I realized I may have just thrown a big ball at you... Let's back up.
 
IP fragmentation is when Packet A on Network A is too big for the MTU of Network B. So the router on the Network A side splits Packet A into Packet A.1, A.2, A.3, and so on, so the pieces fit onto Network B. However, these smaller packets aren't put back together until they reach the final destination IP. Still with me so far, right? Cool...
 
The problem with that is, different operating systems put fragmented packets back together differently, particularly when fragments overlap: which fragment's data wins depends on the operating system. (And you thought they were all the same!) Well, the problem with IDSs is, they have absolutely no idea what operating systems they are protecting. Frag3 allows you to tell it, by binding a reassembly policy to the networks running each OS. Now, without writing a book about the subject, you need to go into the docs/ directory that is enclosed with your Snort tarball and read the README on frag3. (As well as the accompanying section in the Snort manual.)
 
However, in order to FULLY understand what I am talking about, go read the whitepaper written by Judy Novak. (You have to register to download it) She's one of the authors of the SANS 503 IDS course, one of the designers behind frag3, and currently a Vulnerability Research Team (VRT) employee at Sourcefire.
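To make the evasion concrete, here is an added example (my code, not frag3's and not from the original post) that reassembles one constructed fragment train under two of frag3's target policies, "first" and "last". Frag3 also knows bsd, bsd-right, linux, windows and solaris policies, selected with a line like `preprocessor frag3_engine: policy <name> bind_to <net>`; which real operating systems behave like which policy is left to Judy Novak's paper. The point is simply that the same fragments produce two different payloads, so an IDS reassembling with the wrong policy inspects something the target never sees.

```python
"""Reassemble overlapping IP fragments under two of frag3's target policies
('first' and 'last') to show why one fragment train can yield two payloads.
Added example, not frag3 code; the fragment train is constructed and the
mapping of policies to operating systems is deliberately left out."""

# Each fragment: (offset_in_bytes, payload), listed in arrival order.  Real
# fragments carry offsets in 8-byte units; plain byte offsets are used here so
# the overlap is easy to read.  Fragments 2 and 3 both claim bytes 8-15 and
# carry different data there.
FRAGMENTS = [
    (0, b"GET /ind"),   # bytes 0-7
    (8, b"ex.html "),   # bytes 8-15, arrives first for this range
    (8, b"ex.php? "),   # bytes 8-15 again, overlapping, different data
    (16, b"HTTP/1.0"),  # bytes 16-23
]


def reassemble(fragments, policy):
    """Return the datagram payload a host using `policy` would see.

    'first': data already received wins; later overlapping data is dropped.
    'last' : later-arriving data overwrites what is already there.
    """
    if policy not in ("first", "last"):
        raise ValueError(f"unsupported policy {policy!r}")
    total = max(off + len(p) for off, p in fragments)
    buf = bytearray(total)
    seen = bytearray(total)            # 1 where a byte has been filled in
    for off, payload in fragments:     # arrival order matters
        for i, byte in enumerate(payload):
            pos = off + i
            if seen[pos] and policy == "first":
                continue               # keep the earlier byte
            buf[pos] = byte
            seen[pos] = 1
    return bytes(buf)


def evasion_possible(fragments):
    """True when the supported policies disagree on the reassembled payload,
    i.e. an IDS using the wrong policy for the target inspects a different
    request than the host actually receives."""
    views = {p: reassemble(fragments, p) for p in ("first", "last")}
    return len(set(views.values())) > 1


if __name__ == "__main__":
    for policy in ("first", "last"):
        print(f"{policy:>5}: {reassemble(FRAGMENTS, policy)!r}")
    print("evasion possible:", evasion_possible(FRAGMENTS))
```

A "first" host reads the request as /index.html while a "last" host reads /index.php?; a signature written for one of them is blind on a sensor that reassembles like the other, which is what the frag3 bind_to configuration is there to prevent.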
 
4. HTTP Inspection preprocessor.
The most misunderstood preprocessor there is. This preprocessor analyzes, normalizes, and alerts on HTTP traffic. The thing to remember is, it's SERVER based. It's meant to analyze traffic coming inbound to your HTTP SERVERS. It basically has two kinds of settings: the "global default" server profile, which you should match to the majority of your web servers, and per-server entries. For instance, are most of your web servers IIS, on port 80? Then the default profile should say so. If only some of your web servers are not IIS, or only some of them are not on port 80, then those need to be specified INDIVIDUALLY, by IP! Does that mean you will have to create a separate line for each of your "non-standard" web servers? Yes! That's the way it's SUPPOSED to work!
 
5. Portscan preprocessor.
Also a very misunderstood piece of code. You need to read the README for the "sfportscan" preprocessor in the docs/ directory. There is no better explanation of how to configure this preprocessor.
 
6. The rest of the preprocessors, to include the new "dynamic" preprocessors.
All of the preprocessors have configuration lines. Each needs to be configured for the networks you are protecting with Snort. Review the documentation for each of them extensively. All the documentation is well written, and is written with the user in mind.
 
7. Rules.
The rules in Snort are key. At the bottom of the snort.conf you will see a bunch of "include" lines, "include $RULE_PATH/web-iis.rules" for example. This line will call the rules file web-iis.rules and load it at runtime. A lot of people ask "what is the best ruleset to run?" Well, by far the first and foremost ruleset to run is the VRT ruleset, available after registration here. However, does this mean that you need to run every rule in that ruleset? NO! Take a look at the categories: pop3.rules, imap.rules, oracle.rules, web-coldfusion.rules, pop2.rules, mysql.rules, etc. Do you run these services on your network? Do you run pop3? Do you run pop2? Do you run imap? No? Then turn the rule category off! There is no sense in running rules that have no application to your network. All you are doing is potentially creating more work for yourself through false positives, as well as making the Snort engine work harder than it needs to.
 
"But I hear there are other rulesets besides the VRT set!" YES! There are. There are basically two: the BleedingThreats set available at www.bleedingthreats.com and the Community ruleset. Each of these rulesets is contributed to regularly by YOU, the Snort community, and each has its own pros and cons. Should you run all three rulesets? Sure! However, you need to go through each rule file and turn off what you are not interested in or what does not apply to your network. For example, do you have Veritas on your network? No? Then go into exploit.rules and shut off the Veritas rules.
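The two pruning steps above, dropping whole categories from snort.conf and commenting out individual rules inside a category, are what tools like Oinkmaster automate. As an added example (my code, not Oinkmaster's, Snort's or the original post's), here is a small version of both: it parses rule lines for their sid and msg, comments out rules whose msg matches a pattern or whose sid is listed, and comments out include lines for categories you do not run. The rules and the snort.conf excerpt are constructed for the example and use sids in the local range (1000000 and up), not real VRT sids.

```python
"""Disable Snort rules by category (comment out 'include' lines) or
individually (comment out rules by msg pattern or sid), the two tuning steps
the text recommends.  Added example, not Oinkmaster or Snort code; the rules
and conf excerpt are constructed and use local-range sids (>= 1000000)."""
import re

# Constructed stand-in for exploit.rules.  Last rule is already disabled.
SAMPLE_RULES = """\
# exploit.rules (constructed sample)
alert tcp $EXTERNAL_NET any -> $HOME_NET 10000 (msg:"EXPLOIT Veritas sample overflow attempt"; flow:to_server,established; content:"|41 41 41 41|"; classtype:attempted-admin; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 6101 (msg:"EXPLOIT Veritas sample agent request"; flow:to_server,established; content:"VERITAS"; classtype:attempted-admin; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"EXPLOIT sample ftp command overflow"; flow:to_server,established; content:"SITE"; classtype:attempted-admin; sid:1000003; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"EXPLOIT sample already disabled"; sid:1000004; rev:1;)
"""

# Constructed snort.conf tail with its include lines.
SAMPLE_CONF = """\
include $RULE_PATH/web-iis.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/exploit.rules
"""

RULE_START = re.compile(r"^\s*(alert|log|pass|drop|reject|sdrop)\s")
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
MSG_RE = re.compile(r'msg:\s*"([^"]*)"')
INCLUDE_RE = re.compile(r"^\s*include\s+\$RULE_PATH/(\w[\w-]*)\.rules")


def parse_rule(line):
    """Return (sid, msg) for an active rule line, or None for anything else
    (blank lines, comments, already-disabled rules)."""
    if not RULE_START.match(line):
        return None
    sid, msg = SID_RE.search(line), MSG_RE.search(line)
    if not sid or not msg:
        raise ValueError(f"rule without sid or msg: {line[:60]}...")
    return int(sid.group(1)), msg.group(1)


def disable_rules(rules_text, msg_pattern=None, sids=()):
    """Comment out active rules whose msg matches `msg_pattern` or whose sid
    is in `sids`.  Returns (new_text, list_of_disabled_sids)."""
    pat = re.compile(msg_pattern) if msg_pattern else None
    out, disabled = [], []
    for line in rules_text.splitlines():
        parsed = parse_rule(line)
        if parsed:
            sid, msg = parsed
            if sid in sids or (pat and pat.search(msg)):
                out.append("# " + line)
                disabled.append(sid)
                continue
        out.append(line)
    return "\n".join(out) + "\n", disabled


def disable_categories(conf_text, categories):
    """Comment out 'include $RULE_PATH/<category>.rules' for unused services."""
    out = []
    for line in conf_text.splitlines():
        m = INCLUDE_RE.match(line)
        out.append("# " + line if m and m.group(1) in categories else line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    rules, gone = disable_rules(SAMPLE_RULES, msg_pattern=r"Veritas")
    print("disabled sids:", gone)
    print(rules)
    print(disable_categories(SAMPLE_CONF, {"pop2", "pop3", "imap"}))
```

Re-running the same pattern after a rule update re-disables the Veritas rules without touching the rest, which is the habit that keeps a tuned ruleset tuned.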
 
8. Output.
Snort can output to syslog, to pcap format (default), to a database, or lastly, to unified. The "official" recommendation is unified. The unified file format is the fastest output format coming out of the back end of Snort, especially compared to outputting to a database! When Snort has to output to a database directly, it has to perform an INSERT into the db; doing so is CPU intensive and happens inline, so every slow INSERT is time the engine isn't inspecting packets. Do you want your IDS to be an IDS? Or a database insertion tool? So use unified! The problem with unified is, you need something that reads the unified file format and outputs it into the db or tcpdump file format you want....
 
9. Barnyard (or FLoP)
Barnyard reads the unified file format and inserts what it finds into a db, or outputs it into tcpdump file format. FLoP is another tool that also reads Snort's output (albeit by a different method) and does what you want with it. Both are excellent tools; check them both out and use the one that's appropriate for you.
 
10. Rule updates.
However you choose to update your rules is up to you, but I recommend Oinkmaster. Nice Perl proggie to keep your rules up to date. Just don't forget to register on Snort.org and get your oinkcode if you wish to download the VRT registered-user set.
 
Notice that I didn't put a recommendation for any type of Snort log reviewing tool. BASE, Sguil, Placid, etc. all have their merits, and you will want to check out the one that is most appropriate to your situation. However, I do have one recommendation that I will make here... and it's turning into more of a "RULE" now. Do NOT use ACID. Don't get me wrong, ACID was great for its day; however, with 200+ bug fixes and feature implementations, and the fact that ACID hasn't been updated in... going on 4 years now... go with BASE if all you are looking for is an alert browser. BASE works with your existing ACID db, and is very easy to upgrade to.
 
So there you go. I hope this helps a bit to get you started down the correct path of tuning Snort. Don't forget to hit the mailing list archives, post to the mailing lists with any questions, look for your local Snort User Group, visit the Snort Forums, or even write into us here at the ISC (several of us use Snort constantly, not just me).. or drop into irc.freenode.net into #snort and say hello! Thanks!
 
Stay tuned for another article on Snort in the future.. If you have suggestions about what I should write about as far as Snort goes, feel free to write in!
 
/** Joel Esler **/
 
Sourcefire and Snort are registered trademarks of Sourcefire.

Tuesday, September 19

0-day

Okay. I've been receiving emails like mad through isc.sans.org internal lists, full-disclosure, security, irc, jabber rooms I'm in, blah blah...

About all these "0-days" in MS Windows. (As if we were surprised!?) I am just ranting to the point of... I am REALLY getting tired of hearing "0-day" every three seconds; frankly, it's getting annoying.

Please, security professionals, I know that 0-day gets your boss's attention, because 0-day has gone from a 'hax0r' term to freaking marketing. Bleh. Marketing. (Yes, I know it has a purpose... I just don't like it sometimes.)

So... security guys... let's develop a new term. 0-day is dead.

P.S. It's pronounced "ZERO-DAY" not "O-day" like in the "O-jays". get it right.

Wednesday, June 21

denyhosts is in python.. but it still works

For a while now I've been running a nice program by the name of 'denyhosts'. For those of you that have a server somewhere on the internet with port 22 open, you know what I am talking about when I say 'see all those brute-force SSH attacks?!'.

People use the brute force ssh method to try and gain access to your machine. I did it once, just to see what would happen, on a honeypot, and they put an irc controlling bot on there. ghey.

denyhosts works by monitoring your /var/log/secure (or whatever file it is on your OS; it's /var/log/secure on mine, running Fedora on this box) for two kinds of brute-force attempts: against accounts that don't exist, and against the root account.

The root account gets ONE bad try (you can set these thresholds in /usr/local/denyhosts/denyhosts.cfg); after that one bad try you are added to the /etc/hosts.deny file and are forever ignored. Unknown accounts, by default, get 5 bad tries (well, I thought that was too much, so I changed that a bit).

After they are added to /etc/hosts.deny, you can either configure 'denyhosts' to block them for all tcp_wrappers services ("ALL: ") or, by default, just sshd ("sshd: "). It can also (not by default; you have to turn it on) sync with a central denyhosts server, uploading your entries and downloading everyone else's for inclusion in your /etc/hosts.deny, so you deny the hosts that others have reported as well. I have this option enabled, and now with:

# wc -l /etc/hosts.deny
2380 /etc/hosts.deny

2380 lines (figure some of that is commenting, so maybe 2300+ hosts) are denied here. (That's a lot of hosts.)

You can also have it purge old hosts. After 'x' number of days (again, set in the cfg file) it will expire the old host. If they come back, they'll be re-added.
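The logic described above, per-source failure counts with a threshold of one for root and five for nonexistent accounts, hosts.deny entries for the offenders, and a purge window, is small enough to show end to end. The script below is an added example (my code, not DenyHosts' and not from the original post) run over a constructed /var/log/secure excerpt; the log lines, the "today" date and the sample hosts.deny ages are all made up for the example.

```python
"""DenyHosts-style brute-force detection over sshd log lines, with the two
thresholds the text describes (root: 1 failure, nonexistent accounts: 5),
hosts.deny rendering and a purge window.  Added example, not DenyHosts' code;
SAMPLE_LOG, SAMPLE_ENTRIES and TODAY are constructed."""
import re
from datetime import datetime, timedelta

# Constructed /var/log/secure excerpt in sshd's syslog format.  The first host
# tries five nonexistent accounts, the second hits root once, the third tries
# one nonexistent account and stays under the threshold.
SAMPLE_LOG = """\
Jun 20 19:50:01 host sshd[4101]: Failed password for invalid user admin from 58.6.117.217 port 40112 ssh2
Jun 20 19:50:03 host sshd[4101]: Failed password for invalid user test from 58.6.117.217 port 40113 ssh2
Jun 20 19:50:05 host sshd[4101]: Failed password for invalid user guest from 58.6.117.217 port 40114 ssh2
Jun 20 19:50:07 host sshd[4101]: Failed password for invalid user oracle from 58.6.117.217 port 40115 ssh2
Jun 20 19:50:09 host sshd[4101]: Failed password for invalid user web from 58.6.117.217 port 40116 ssh2
Jun 20 19:51:10 host sshd[4120]: Failed password for root from 203.0.113.9 port 51000 ssh2
Jun 20 19:52:00 host sshd[4130]: Failed password for invalid user bob from 198.51.100.7 port 2222 ssh2
Jun 20 19:53:00 host sshd[4131]: Accepted publickey for joel from 192.168.1.20 port 50000 ssh2
"""

FAILED_RE = re.compile(
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)

DENY_THRESHOLD_ROOT = 1      # one failure against root is enough
DENY_THRESHOLD_INVALID = 5   # nonexistent accounts get five tries

TODAY = datetime(2006, 6, 20)
SAMPLE_ENTRIES = {           # ip -> date it was added to hosts.deny (constructed)
    "58.6.117.217": TODAY - timedelta(days=30),
    "203.0.113.9": TODAY - timedelta(days=1),
}


def offenders(log_text):
    """Return {ip: reason} for every source that crossed a threshold."""
    root_fails, invalid_fails = {}, {}
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue                       # accepted logins and other noise
        ip = m.group("ip")
        if m.group("user") == "root":
            root_fails[ip] = root_fails.get(ip, 0) + 1
        elif m.group("invalid"):
            invalid_fails[ip] = invalid_fails.get(ip, 0) + 1
    denied = {}
    for ip, n in root_fails.items():
        if n >= DENY_THRESHOLD_ROOT:
            denied[ip] = f"{n} failure(s) against root"
    for ip, n in invalid_fails.items():
        if n >= DENY_THRESHOLD_INVALID and ip not in denied:
            denied[ip] = f"{n} failures against nonexistent accounts"
    return denied


def hosts_deny_lines(denied, service="sshd"):
    """Render tcp_wrappers entries; service='ALL' denies every wrapped service."""
    return [f"{service}: {ip}" for ip in sorted(denied)]


def purge(entries, today, max_age_days):
    """Drop entries older than max_age_days.  A host that comes back is simply
    re-added the next time it crosses a threshold."""
    cutoff = today - timedelta(days=max_age_days)
    return {ip: added for ip, added in entries.items() if added >= cutoff}


if __name__ == "__main__":
    denied = offenders(SAMPLE_LOG)
    for ip, why in denied.items():
        print(f"{ip}: {why}")
    print("\n".join(hosts_deny_lines(denied)))
    print("after purge:", sorted(purge(SAMPLE_ENTRIES, TODAY, 7)))
```

Against the sample, the host with five invalid-user failures and the host with a single root failure are denied, while the host with one invalid-user attempt is left alone; the purge keeps only the entry added within the last week.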

It will also send you an email, to whatever account you want it to, to tell you that someone has made an attempt against your machine and has therefore been denied. For example, last night I received this email:

From: DenyHosts
To: root@localhost.localdomain
Subject: DenyHosts Report
Date: Tue, 20 Jun 2006 19:51:18 -0400

Added the following hosts to /etc/hosts.deny:

58.6.117.217 (dsl-58-6-117-217.qld.westnet.com.au)


This system seems to work pretty well. Give it a shot.

Tuesday, March 21

Monday, July 11

PowerMac G5 Review

Okay, I've had my PowerMac for about 2 weeks now, and I thought I'd go ahead and write my opinion.

First, let me give you a rundown on the product I own:

PowerMac PPC Dual 2.0 G5 Processors (64 bit processors)
512 MB of RAM
9650 AGP ATI Video Card
Sony DVD RW (Writes DVD's and CD's)
Dual Firewire, Triple USB 2.0
Mac OS X 10.4.1 Tiger


So, it's a pretty high speed machine.

First things first.. This thing is fast. This is easily the fastest computer I have ever used. When I click on something, it appears. The only thing that takes a bit of a minute to start is "America's Army" (The Game).. but.. it's a 3-D Game!!

Okay..

MOUSE:
I ditched the Apple single button mouse. That thing stinks. It's touch sensitive, you can't rest your hand on it, it will click. Kinda stinks. So I had a spare USB logitech mouse sitting around here, plugged it into the back of the Apple Keyboard and it worked immediately.

KEYBOARD:
It's the typical Mac keyboard that comes with every Tower Mac. It's a bit weird to type on, as the keys are soft. It's rather uncomfortable as well, but then again, I'm about full-blown carpal tunnel too. So I really need to think about getting one of those high speed Ergonomic keyboards.

MONITOR:
I had an 18" MAG Innovision display. It's VGA, and the Mac by nature is DVI. But Apple gives you a nice converter. Doesn't matter, I still want the Apple Display, it's HD, and DVI. That's so nice.

Video Card:
I opted for the 9650 with 256 MB of RAM. It's a fast card... but I mainly bought it because it has two DVI outs. (This is the card you have to have to run the 30-inch display.) But I'll never get the 30-inch display unless they come down off their price a bit. Otherwise I'm quite happy with the 20-inch monitor I want to get.

Networking:
I plugged it in, it immediately had an IP, and I could go to "Network" and view all the other Windows and Mac machines I have on my network. It was nice.

iPhoto: Works great. I continue to add my photos in there.
iTunes: I just copied my Tunes from my iBook on over, work great.
Dashboard: Pretty cool!
Spotlight: This WILL revolutionize how we use our computers. Smart Folders too. That's nice.

I used my .mac account to sync everything between the iBook and the PowerMac, works great.

Installs:
I installed my Tools for managing my UPS (came with the UPS), works.
Adium (Multi-IM'ing Program)
Bittorrent (So I could download America's Army)
Fink & Fink Commander
MacTheRipper (DVD Ripper)
X-Chat Aqua (IRC program)
Windows Media Player
Transparent Dock

Sunday, June 12

OS X for x86 already in the wild? - Engadget - www.engadget.com

OS X for x86 already in the wild? - Engadget - www.engadget.com: "....in the wild on P2P and IRC networks. Supposedly it can be installed on just about any PC box, and Rosetta and the iLife suite are fully operational..."


Where's the torrent for that?