Spsa upgrade script from 1.4 to 1.5

pbailey » 02 September 2010 » In Uncategorized » 1 Comment

With the new release of Spsa some technical questions have come up, for example how to upgrade to version 1.5 without reinstalling the complete system. Christopher gave me the hint to make a workaround for this problem: a small bash script upgrades Spsa to the latest version with minimal interaction.

NOTE: I'd advise trying it in a virtual test environment before doing any update on a production server.

At the point where postfix asks about the configuration, say "No configuration".

These are the steps to perform the upgrade:

Download and execute the script:

wget http://bailey.st/spsa/updatespsa1.4to1.5.sh

chmod +x updatespsa1.4to1.5.sh

./updatespsa1.4to1.5.sh

Welcome to the Spsa update script

this script will upgrade the Spsa version 1.4 to the 1.5.


Disclaimer
You use this script at your own risk. There are no warranties
or guarantees of functionality or safety implied or stated whatsoever.

Are you sure to continue?

Enter yes or no:

yes

Remove executables:
rails

in addition to the gem? [Yn]

When the update script is over please:

enter your gmail credential

vim /etc/postfix/sasl_passwd

[smtp.gmail.com]:587 you_username@gmail.com:you_password

run the script: /etc/postfix/re-hash.sh

and restart postfix with /etc/init.d/postfix restart

change your email credential in  Snorby > My Settings

To test the mail delivery run :
/var/Snorby/script/runner -e production “Event.run_daily_report”

In case of problems check your syslog with :

tail -f /var/log/syslog


Snorby-P.S.A 15 is out

pbailey » 30 August 2010 » In Uncategorized » No Comments

When I started the Spsa project I never thought of going beyond the 1.0 version; since then, feedback started to flow and new ideas came across my mind. I have to admit that version 1.0 was a bit buggy, but it helped to develop a workflow for the other releases. Receiving a feedback email is always a gratification for the time spent, and makes you feel that you're doing something worthwhile. Today I'm excited to announce the release of version 1.5; the main feature is email reporting support, where daily, weekly and monthly reports are sent via email upon completion. Other minor updates are the new snort start/stop script and snort 2.8.6.1-1.

In the upcoming months I will migrate from ubuntu 8.4 to ubuntu 10.4 and include PulledPork as the default rule manager.

Meanwhile, Dustin Weber is working on the new Snorby release (2.0), which might be ready around January 2011; if you wish to help please check here: www.lookycode.com

In the meantime please feel free to download and use the iso image and send your feedback.

http://bailey.st/blog/snorby-spsa/

PS: a special mention to Rob, who in the last week has provided lots of feedback and comments.

Anyway thanks to everyone !!!!!


Damn hackers

pbailey » 24 August 2010 » In Uncategorized » No Comments

The summer edition of "nothing will happen" is over. NWH is a series of meetings of hackers from all over former Yugoslavia. The gatherings are very informal and relaxed, no attendance fee is required, but the information that you receive/exchange is invaluable. High-level seminars on programming languages such as LISP and Python and the latest tricks about IPv6 and distributed computing are just an example. Again the summer edition was held in Split (Croatia) inside a student dormitory; the building is located right in front of the sea, so you could take a swim between coffee breaks. This year we had an additional event inside NWH, the Outlaws & Inlaws unconference. They explored the two sides of the free culture vs. piracy debate, and the upcoming challenge of a sustainable and equal technological development. Guests of the Outlaws & Inlaws were Bodó Balazs, Erdgeist, Benjamin Mako Hill, Jan Gerber, Paul Keller, Sebastian Lütgert, Alan Toner, and members of the Slovenian and Serbian pirate parties.

Despite the tight program and the temperature, I managed to give my speech, "The biggest hack of history (Defeating the (in)security of the military classified networks)", an analytic view of the latest leak of U.S. classified documents published by WikiLeaks. My analysis explored the weaknesses and the poor infosec culture of those in charge of protecting and monitoring military networks such as SIPRNet and JWICS. I was very impressed by the level of attention, nobody was on Twitter :-) ; this talk was also the chance to speak about Bradley Manning, the alleged leaker of the documents, and the worldwide support network. After the closing ceremony we ended up at a restaurant for dinner and, between a beer and a glass of wine, we discussed the winter edition of "nothing will happen". You are invited.

Photos by playahater and dubravka


security podcasts: the cyber jungle

pbailey » 04 August 2010 » In Uncategorized » No Comments

I'm a regular listener of podcasts, especially the ones related to information security and privacy protection. The Cyber Jungle is one of my favorites; the two radio hosts (Ira Victor and Samantha Stone) are doing an amazing job talking about and discussing the different cyber threats that can affect computers and personal data. Prominent figures from the infosec sector are often guests on the show, giving the latest updates on attacks and malware defence. After at least one year I can say that it is a very informative podcast and worth following. Remember, "every time you connect, it's a jungle."

Blog: https://datasecurityblog.wordpress.com/

Listen option: http://www.thecyberjungle.com/listen.php


wikileaks wardiary in the news

pbailey » 28 July 2010 » In Uncategorized » 1 Comment

Youtube: http://bit.ly/b0jLGS

AlJazeeraEnglish: Inside Story – War zones under the spotlight

GoogleNews: http://bit.ly/bxh1Eo
Twitter: http://bit.ly/99lE3X

http://wikileaks.org/wiki/Afghan_War_Diary,_2004-2010


the militarization of cyberspace

pbailey » 04 July 2010 » In Uncategorized » No Comments

Among the intelligence community and part of the infosec community the rumbling word is Cyber War; some of the most prominent cyber war mongers are arguing that the 2009 attack that targeted Google and at least 20 other major corporations can be considered the cyber 9/11. I'm hearing a lot of cyber war insanity, such as cyber war non-proliferation. Does it mean that some cyber command can send a drone and blow up my bedroom once they discover that I'm writing an exploit? Will it be illegal to install and use nmap? Will tools like Metasploit be considered weapons of mass destruction? The "Kill Switch" would give the US president the power to turn off the domestic internet; considering that the main root name servers are hosted inside the USA, what would be the consequences for worldwide internet traffic?

The sad truth is that this cyber hysteria will be used to lock down freedom on the internet and give the military unlimited power in the fifth domain.

Quoting Mr. Bruce Schneier, I advise everyone to Refuse to be Terrorized by such creepy and sensational news as this:

You achieve security only with real security !


Suricata 1.0.0 setup on Ubuntu 10.04

pbailey » 03 July 2010 » In Uncategorized » 2 Comments

A few days ago Suricata 1.0.0, the new open source intrusion detection system (IDS), was released. The main feature of this IDS is the multi-threaded engine; this is very useful when you have to monitor high speed links, since a multi-core monster machine lets you use all the cores available. Other IDSs use only a single core, with the risk of becoming ineffective by dropping packets due to CPU overload. Other features present in Suricata are: IP reputation, multi-packet matching and hardware acceleration support.

In this short How-To I'm going to cover an easy and effective way to compile and install Suricata on Ubuntu Server 10.04.

Add the suricata user and prepare the required folders:

useradd suricata -s /bin/false -c suricata_user
mkdir /etc/suricata
mkdir /var/log/suricata/
chown suricata.suricata /var/log/suricata/

Install the packages needed for compiling:

apt-get install libpcre3-dev libpcap-dev libyaml-dev zlib1g-dev libnet1 libnet1-dev libcap-ng-dev libhtp1 libnetfilter-queue-dev libnetfilter-queue1 libnfnetlink-dev libnfnetlink0 build-essential checkinstall

Get suricata and decompress:

cd /tmp/
wget http://openinfosecfoundation.org/download/suricata-1.0.0.tar.gz
tar xvfz suricata-1.0.0.tar.gz
cd suricata-1.0.0

Run ./configure --help to see all the build options.

This will build suricata with IPS capabilities:

./configure --enable-nfqueue

Suricata Configuration:
NFQueue support:          yes
IPFW support:             no
PF_RING support:          no
Prelude support:          no
Unit tests enabled:       no
Debug output enabled:     no
Debug validation enabled: no
CUDA enabled:             no
DAG enabled:              no
Profiling enabled:        no
GCC Protect enabled:      no
GCC march native enabled: yes
GCC Profile enabled:      no
Unified native time:      no
Non-bundled htp:          no

make

checkinstall

**********************************************************************

Done. The new package has been installed and saved to

/tmp/suricata-1.0.0/suricata_1.0.0-1_i386.deb

You can remove it from your system anytime using:

dpkg -r suricata

**********************************************************************

Install suricata with: dpkg -i suricata_1.0.0-1_i386.deb

Copy the configuration files:

cp classification.config suricata.yaml /etc/suricata/

Edit the configuration file suricata.yaml according to your needs. The file contains some main sections to be configured:

The logging section, where you define which kind of output is suitable: plain text, or unified2 alerts to be used with Barnyard2.
The network interface(s) on which you are running suricata: eth, wlan, br.
The rule-path, where suricata will look for the rules. In my case I'm sharing the same rules used by snort, /etc/snort/rules.
The HOME_NET, where you need to define the local addresses of your system/network.
The libhtp config, where it is possible to configure the web server variables.

To start suricata:

suricata -D -c /etc/suricata/suricata.yaml -s /etc/suricata/classification.config -i eth0

This is Suricata version 1.0.0
CPUs Summary:
CPUs online: 1
CPUs configured 1
Output module “AlertFastLog” registered.
Output module “AlertDebugLog” registered.
Output module “AlertUnifiedLog” registered.
Output module “AlertUnifiedAlert” registered.
Output module “Unified2Alert” registered.
Output module “LogHttpLog” registered.

You can tail the suricata log to check that it is working, and run Inundator to create some alerts. So far so good.

tail -f /var/log/suricata/fast.log

[1:2001219:18] ET SCAN Potential SSH Scan [**]
[Classification: Attempted Information Leak]
[Priority: 3] {6} 173.244.197.210:27041 -> victim_ip

[1:2002911:4] ET SCAN Potential VNC Scan 5900-5920
[**] [Classification: Attempted Information Leak]
[Priority: 3] {6} 173.244.197.210:27041 -> victim_ip

Thanks to all the Suricata developers for all the efforts placed to meet the 1st July deadline.


Inundator: anonymous IDS evasion

pbailey » 02 July 2010 » In Uncategorized » 3 Comments

Inundator is an IDS evasion tool that can generate an overwhelming number of false positives while you are performing the attack, in order to minimize the detection. One of the main features of Inundator is the possibility to send false attacks anonymously via a SOCKS proxy; the use of Tor is strongly recommended. Other features are multithreading, queue-driven operation and multiple-target support. The concept behind Inundator is to read the snort rules and generate packets or traffic from each rule previously parsed; the key to success is the IDS configuration on the target machine, since a good configuration will determine whether our false attacks are detected or not.

To get and install Inundator go to inundator.sourceforge.net

I tried Inundator against Suricata, and I was amazed to see the false positive attacks filling the Suricata IDS log.

Example:

inundator -r /etc/snort/rules -p localhost:9050 victim_ip

where -r is the path to the snort rules location,
-p is the SOCKS proxy configuration,
and the last argument is the victim IP.

On the suricata IDS sensor:

[1:2001219:18] ET SCAN Potential SSH Scan [**]
[Classification: Attempted Information Leak]
[Priority: 3] {6} 173.244.197.210:27041 -> victim_ip

[1:2002995:6] ET SCAN Rapid IMAPS Connections – Possible Brute Force Attack
[**] [Classification: Misc activity]
[Priority: 3] {6}  173.244.197.210:27041  -> victim_ip

[1:2002911:4] ET SCAN Potential VNC Scan 5900-5920
[**] [Classification: Attempted Information Leak]
[Priority: 3] {6} 173.244.197.210:27041 -> victim_ip

Just to double check that the attack was coming from a Tor exit node I searched for the IP 173.244.197.210 on this list.

It's not always a good idea to be quiet.
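Both the Suricata fast.log excerpt above and the Inundator run show one address triggering several unrelated signatures (SSH scan, IMAPS brute force, VNC scan) in quick succession. As an added example (mine, not from Suricata, Inundator or the original post), this parser reads the fast.log layout shown on this page and reports sources that trip an unusually wide spread of distinct rules, which is how an analyst can separate rule-set-walking noise from a single-purpose probe. The log lines are constructed in the page's format, and `parse_fast_log` and `noisy_sources` are my own names.

```python
import re
from collections import defaultdict

# Constructed sample lines in the layout shown on this page (no timestamp,
# protocol number in braces, destination written as victim_ip). The regex is
# applied with search(), so the timestamped form Suricata normally writes parses too.
SAMPLE_FAST_LOG = """\
[1:2001219:18] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 3] {6} 173.244.197.210:27041 -> victim_ip
[1:2002995:6] ET SCAN Rapid IMAPS Connections - Possible Brute Force Attack [**] [Classification: Misc activity] [Priority: 3] {6} 173.244.197.210:27041 -> victim_ip
[1:2002911:4] ET SCAN Potential VNC Scan 5900-5920 [**] [Classification: Attempted Information Leak] [Priority: 3] {6} 173.244.197.210:27041 -> victim_ip
[1:2001219:18] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 3] {6} 192.0.2.10:51234 -> victim_ip
"""

ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"\[Classification:\s*(?P<cls>[^\]]*)\]\s+\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+)"
)


def parse_fast_log(text):
    """Parse fast.log lines into dicts; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue
        alerts.append({
            "sid": int(m.group("sid")), "rev": int(m.group("rev")),
            "msg": m.group("msg"), "classification": m.group("cls"),
            "priority": int(m.group("prio")), "proto": m.group("proto"),
            "src": m.group("src"), "sport": int(m.group("sport")),
            "dst": m.group("dst"),
        })
    return alerts


def noisy_sources(alerts, min_distinct_sids=3):
    """Return {src: sorted sids} for sources tripping at least min_distinct_sids
    different signatures. A real probe usually matches one or two related rules;
    a flood tool walks the whole rule set from a single address."""
    sids_by_src = defaultdict(set)
    for a in alerts:
        sids_by_src[a["src"]].add(a["sid"])
    return {src: sorted(s) for src, s in sids_by_src.items()
            if len(s) >= min_distinct_sids}


if __name__ == "__main__":
    for src, sids in noisy_sources(parse_fast_log(SAMPLE_FAST_LOG)).items():
        print(f"{src}: {len(sids)} distinct signatures {sids}")
```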


Fast-Track 4.0 and Ubuntu 10.04

pbailey » 30 June 2010 » In Uncategorized » No Comments

Fast-Track is an automated penetration testing suite developed by David Kennedy. This security suite helps the penetration tester to identify and exploit servers using various techniques. Combining the power of the Metasploit Framework with the automation of the attacks, the whole pen test process becomes effective and time saving (where it's OK to finish under 3 minutes). When attempting to install Fast-Track 4.0 on Ubuntu 10.04 I came across a missing Python package issue: the package called pymills-3.4.tar.gz isn't available from the location configured in the setup file. The workaround is to comment out lines 80 and 81 of the setup.py file and download the pymills package manually. Here you can find the instructions to install Fast-Track 4.0 successfully.

apt-get install subversion
svn co http://svn.thepentest.com/fasttrack/
cd fasttrack/
python setup.py install

Would you like to attempt all dependancies, yes or no: yes

tar: pymills-3.4.tar.gz: Cannot open: No such file or directory
tar: Error is not recoverable: exiting now
tar: Child returned status 2
tar: Exiting with failure status due to previous errors
mv: cannot stat `pymills-3.4': No such file or directory
cd: 1: can't cd to pymills/

Comment out lines 80 and 81:

# subprocess.Popen('wget http://pypi.python.org/packages/source/p/pymills/pymills-3.4.tar.gz;tar -zxvf pymills-3.4.tar.gz;mv pymills-3.4 pymills;cd pymills/; python setup.py install', shell=True).wait()
# subprocess.Popen('rm -rf pymills; rm -rf pymills-3.4.tar.gz', shell=True).wait()
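Those two lines fetch pymills over plain HTTP and pipe whatever arrives straight through tar and `python setup.py install` with shell=True, so there is no point at which a swapped or corrupted archive would be noticed. As an added example (my code, not Fast-Track's or pymills' own), this is the check an installer can do instead: pin a SHA-256 of the expected tarball, refuse anything that does not match, and reject archive members that would write outside the target directory. The tarball, its hash and the names `verify_and_extract`, `make_tarball` and `demo` are constructed for the example; a real installer would ship the pinned hash next to the download URL.

```python
import hashlib
import io
import tarfile
import tempfile
from pathlib import PurePosixPath

def safe_members(tar):
    """Reject absolute paths, '..' components and links: the usual tar traversal tricks."""
    for m in tar.getmembers():
        p = PurePosixPath(m.name)
        if p.is_absolute() or ".." in p.parts or m.issym() or m.islnk():
            raise ValueError(f"unsafe tar member: {m.name}")
    return tar.getmembers()

def verify_and_extract(tar_bytes, expected_sha256, dest):
    """Extract only if the archive hashes to the pinned value; returns member names."""
    actual = hashlib.sha256(tar_bytes).hexdigest()
    if actual != expected_sha256.lower():
        raise ValueError(f"checksum mismatch: expected {expected_sha256}, got {actual}")
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tar:
        members = safe_members(tar)
        # Pythons that ship tarfile.data_filter re-check the same rules while extracting.
        extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(dest, members=members, **extra)
    return [m.name for m in members]

def make_tarball(files):
    """Build a .tar.gz in memory; used here only to construct the sample input."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()

def demo():
    """Pinned archive extracts; a tampered copy and a traversal member are refused."""
    good = make_tarball({"pymills-3.4/setup.py": b"print('constructed stand-in')\n"})
    pinned = hashlib.sha256(good).hexdigest()  # what an installer would ship next to the URL
    dest = tempfile.mkdtemp()
    out = {"extracted": verify_and_extract(good, pinned, dest)}
    try:
        verify_and_extract(good + b"\n", pinned, dest)  # one byte changed in transit
    except ValueError as e:
        out["tampered"] = str(e).split(":")[0]
    evil = make_tarball({"../outside.txt": b"x"})
    try:
        verify_and_extract(evil, hashlib.sha256(evil).hexdigest(), dest)
    except ValueError as e:
        out["traversal"] = str(e).split(":")[0]
    return out
```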

Download the missing package manually:

wget http://pypi.inqbus.de/pymills/pymills-3.4.tar.gz

Uncompress and install pymills:

tar xvfz pymills-3.4.tar.gz
mv pymills-3.4 pymills
cd pymills
python setup.py install

Processing dependencies for pymills==3.4
Finished processing dependencies for pymills==3.4

Now you can rerun the Fast-Track installation:

python setup.py install

Would you like to attempt all dependencies, yes or no: yes

***********************************************
******* Performing dependency checks… *******
***********************************************

*** FreeTDS and PYMMSQL are installed. (Check) ***
*** PExpect is installed. (Check) ***
*** ClientForm is installed. (Check) ***
*** Beautiful Soup is installed. (Check) ***
*** PyMills is installed. (Check) ***
Run Fast Track with:  python fast-track.py -i

and let's pop a box. Video: Fast-Track ShmooCon 2009
