wikileaks wardiary in the news
Youtube: http://bit.ly/b0jLGS
AlJazeeraEnglish Inside Story – War zones under the spotlight
GoogleNews: http://bit.ly/bxh1Eo
Twitter: http://bit.ly/99lE3X
Useful bits of information in an uncertain world.
Among the intelligence and part of the info-sec community the rumbling word is Cyber War; some of the most prominent cyber war mongers are arguing that the 2009 attack that targeted Google and at least 20 other major corporations can be considered the cyber 9/11. I'm hearing a lot about cyber war insanity, such as cyber war non-proliferation. Does it mean that some cyber command can send a drone and blow up my bedroom when they discover that I'm writing an exploit? Will it be illegal to install and use nmap? Will tools like Metasploit be considered weapons of mass destruction? The "Kill Switch" would give the US president the power to turn off the domestic internet; considering that the main root name servers are hosted inside the USA, what would be the consequences for worldwide internet traffic?
The sad truth is that this cyber hysteria will be used to lock down freedom on the internet and give the military unlimited power in the fifth domain.
Quoting Mr. Bruce Schneier, I advise everyone to Refuse to be Terrorized by creepy and sensational news such as this:
You achieve security only with real security!
A few days ago Suricata 1.0.0, the new open source intrusion detection system (IDS), was released. The main feature of this IDS is its multi-threaded engine, which is very useful when you have to monitor high-speed links: on a multi-core machine it lets you use all the available cores. Other IDSs use only a single core, with the risk of becoming ineffective by dropping packets when that core is overloaded. Other features present in Suricata are IP reputation, multi-packet matching and hardware acceleration support.
In this short how-to I'm going to cover an easy and effective way to compile and install Suricata on Ubuntu Server 10.04.
Add the suricata user and prepare the required folders:
useradd suricata -s /bin/false -c suricata_user
mkdir /etc/suricata
mkdir /var/log/suricata/
chown suricata:suricata /var/log/suricata/
Install the packages needed for compiling:
apt-get install libpcre3-dev libpcap-dev libyaml-dev zlib1g-dev libnet1 libnet1-dev libcap-ng-dev libhtp1 libnetfilter-queue-dev libnetfilter-queue1 libnfnetlink-dev libnfnetlink0 build-essential checkinstall
Get suricata and decompress:
cd /tmp/
wget http://openinfosecfoundation.org/download/suricata-1.0.0.tar.gz
tar xvfz suricata-1.0.0.tar.gz
cd suricata-1.0.0
Run ./configure --help to see all the build options.
This will build suricata with IPS (inline) capabilities via NFQUEUE, so the same binary can later be run against a Netfilter queue instead of a sniffing interface:
./configure --enable-nfqueue
Suricata Configuration:
NFQueue support: yes
IPFW support: no
PF_RING support: no
Prelude support: no
Unit tests enabled: no
Debug output enabled: no
Debug validation enabled: no
CUDA enabled: no
DAG enabled: no
Profiling enabled: no
GCC Protect enabled: no
GCC march native enabled: yes
GCC Profile enabled: no
Unified native time: no
Non-bundled htp: no
make
checkinstall
**********************************************************************
Done. The new package has been installed and saved to
/tmp/suricata-1.0.0/suricata_1.0.0-1_i386.deb
You can remove it from your system anytime using:
dpkg -r suricata
**********************************************************************
As the checkinstall output says, the package is already installed on this machine; to deploy the same build on another sensor, copy the .deb and install it with dpkg -i suricata_1.0.0-1_i386.deb
Copy the configuration files
cp classification.config suricata.yaml /etc/suricata/
Edit the configuration file suricata.yaml according to your needs. The main sections to configure are:
The outputs (logging) section, where you define which kind of output is suitable: plain text (fast.log) or unified2 alerts to be consumed by Barnyard2.
The network interface, where you define the interface(s) on which suricata listens: eth, wlan, br.
The rule path (default-rule-path), where suricata looks for the rules. In my case I'm sharing the same rules used by Snort, /etc/snort/rules.
HOME_NET (in the vars section), where you define the local addresses of your system/network. Rules that reference $HOME_NET and $EXTERNAL_NET only make sense if this is accurate, otherwise they miss traffic or misfire.
The libhtp section, where the HTTP parser can be tuned per web server.
The classification file is referenced from suricata.yaml (classification-file), so the daemon only needs the YAML file and the interface. To start suricata:
suricata -D -c /etc/suricata/suricata.yaml -i eth0
This is Suricata version 1.0.0
CPUs Summary:
CPUs online: 1
CPUs configured 1
Output module “AlertFastLog” registered.
Output module “AlertDebugLog” registered.
Output module “AlertUnifiedLog” registered.
Output module “AlertUnifiedAlert” registered.
Output module “Unified2Alert” registered.
Output module “LogHttpLog” registered.
You can tail the suricata log to check that it is working, and run Inundator to create some alerts. So far so good.
tail -f /var/log/suricata/fast.log
[1:2001219:18] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 3] {6} 173.244.197.210:27041 -> victim_ip
[1:2002911:4] ET SCAN Potential VNC Scan 5900-5920 [**] [Classification: Attempted Information Leak] [Priority: 3] {6} 173.244.197.210:27041 -> victim_ip
Thanks to all the Suricata developers for all the efforts placed to meet the 1st July deadline.
Inundator is an IDS evasion tool that generates an overwhelming number of false positives while you are performing the real attack, in order to minimize the chance that the real attack is noticed. One of the main features of Inundator is the possibility to send the false attacks anonymously via a SOCKS proxy; the use of Tor is strongly recommended. Because the traffic is relayed through a SOCKS proxy, it consists of real TCP connections whose source address is the proxy (the Tor exit node), not a spoofed one. Other features are multi-threading, queue-driven operation and multiple-target support. The concept behind Inundator is to read the Snort rules and generate packets or traffic from each parsed rule; the key to success is the IDS configuration on the target machine: a good configuration determines whether our false attacks are detected or not.
To get and install Inundator go to inundator.sourceforge.net
I tried Inundator against Suricata, and I was amazed to see the false-positive attacks filling the Suricata IDS log.
Example:
inundator -r /etc/snort/rules -p localhost:9050 victim_ip
where -r is the path to the Snort rules, -p is the SOCKS proxy to relay through (localhost:9050 is Tor's default SOCKS listener), and the last argument is the victim IP.
On the suricata IDS sensor:
[1:2001219:18] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 3] {6} 173.244.197.210:27041 -> victim_ip
[1:2002995:6] ET SCAN Rapid IMAPS Connections - Possible Brute Force Attack [**] [Classification: Misc activity] [Priority: 3] {6} 173.244.197.210:27041 -> victim_ip
[1:2002911:4] ET SCAN Potential VNC Scan 5900-5920 [**] [Classification: Attempted Information Leak] [Priority: 3] {6} 173.244.197.210:27041 -> victim_ip
Just to double check that the attack was coming from a Tor exit node, I searched the IP 173.244.197.210 on this list.
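The fast.log excerpts above are exactly what a defender has to work with when Inundator is running, so here is an added example, not code from the post nor from the Suricata or Inundator projects, of the other side of the game: a small Python parser for fast.log lines in the format shown, with a check that flags a single source tripping many unrelated signatures in a burst, the pattern a rule-driven noise generator leaves behind (a real scanner hits a few signatures many times; Inundator hits one signature per parsed rule). The sample log is constructed; the Tor exit address 173.244.197.210 and the three signature IDs come from the post, the other addresses, ports and timestamps are made up, and the thresholds are illustrative, not Suricata defaults.

```python
"""Parse Suricata fast.log alerts and flag sources whose alert spread looks
like an Inundator-style false-positive flood."""
import re
from collections import defaultdict

# One fast.log alert. Suricata 1.0 prefixes each line with a timestamp and
# "[**]"; the excerpt in the post omits that prefix, so both are optional.
# The protocol is printed numerically ({6} == TCP) in 1.0 and by name in later
# versions; the destination may or may not carry a port (the post uses the
# placeholder "victim_ip" with no port).
ALERT_RE = re.compile(
    r"^(?:(?P<ts>\S+)\s+)?(?:\[\*\*\]\s+)?"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"\[Classification:\s*(?P<classification>[^\]]*)\]\s+"
    r"\[Priority:\s*(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\S+?)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>\S+?)(?::(?P<dport>\d+))?\s*$"
)

PROTO_NAMES = {"1": "ICMP", "6": "TCP", "17": "UDP"}

# Constructed sample: five alerts from the Tor exit node named in the post
# across three distinct signatures, one alert from an unrelated address, and a
# non-alert line that the parser must skip. Timestamps, 192.0.2.x addresses and
# ports are invented.
SAMPLE_FAST_LOG = """\
07/02/2010-10:15:01.000000  [**] [1:2001219:18] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 3] {6} 173.244.197.210:27041 -> 192.0.2.50:22
07/02/2010-10:15:01.100000  [**] [1:2002995:6] ET SCAN Rapid IMAPS Connections - Possible Brute Force Attack [**] [Classification: Misc activity] [Priority: 3] {6} 173.244.197.210:27041 -> 192.0.2.50:993
07/02/2010-10:15:01.200000  [**] [1:2002911:4] ET SCAN Potential VNC Scan 5900-5920 [**] [Classification: Attempted Information Leak] [Priority: 3] {6} 173.244.197.210:27041 -> 192.0.2.50:5900
07/02/2010-10:15:01.300000  [**] [1:2001219:18] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 3] {6} 173.244.197.210:27041 -> 192.0.2.50:22
07/02/2010-10:15:01.400000  [**] [1:2002911:4] ET SCAN Potential VNC Scan 5900-5920 [**] [Classification: Attempted Information Leak] [Priority: 3] {6} 173.244.197.210:27041 -> 192.0.2.50:5901
[1:2001219:18] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 3] {6} 192.0.2.77:51000 -> victim_ip
This is Suricata version 1.0.0
"""


def parse_alert(line):
    """Return a dict for one alert line, or None if the line is not an alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    a = m.groupdict()
    a["sid"] = int(a["sid"])
    a["priority"] = int(a["priority"])
    a["proto"] = PROTO_NAMES.get(a["proto"], a["proto"])
    return a


def parse_fast_log(text):
    """Parse every alert line in a fast.log excerpt; other lines are skipped."""
    alerts = []
    for line in text.splitlines():
        a = parse_alert(line)
        if a:
            alerts.append(a)
    return alerts


def summarize_by_source(alerts):
    """Per source address: total alert count and the set of distinct SIDs."""
    summary = defaultdict(lambda: {"alerts": 0, "sids": set()})
    for a in alerts:
        s = summary[a["src"]]
        s["alerts"] += 1
        s["sids"].add(a["sid"])
    return dict(summary)


def flag_noisy_sources(alerts, min_alerts=10, min_distinct_sids=5):
    """Sources with both high volume and a wide spread of unrelated signatures.

    Inundator replays one synthetic hit per parsed Snort rule, so a single
    source (the SOCKS/Tor exit, since the traffic is not spoofed) fires many
    different SIDs in quick succession. Thresholds are illustrative."""
    return sorted(
        src for src, s in summarize_by_source(alerts).items()
        if s["alerts"] >= min_alerts and len(s["sids"]) >= min_distinct_sids
    )


def demo():
    """Run the pipeline over the constructed sample and return flagged sources."""
    alerts = parse_fast_log(SAMPLE_FAST_LOG)
    for src, s in sorted(summarize_by_source(alerts).items()):
        print(f"{src}: {s['alerts']} alerts, {len(s['sids'])} distinct SIDs")
    return flag_noisy_sources(alerts, min_alerts=5, min_distinct_sids=3)


if __name__ == "__main__":
    print("noisy sources:", demo())
```

In practice you would run this over a time window (tail -f fast.log piped in, or a rolling minute of alerts) rather than the whole file, and treat a flagged source as a reason to look harder at everything else in that window, not as a reason to suppress it: the flood is the cover, the real attack is what the author is hiding behind it.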
It is not always a good idea to be quiet.