Friday, January 26, 2007

Testing Snort 2.7.0 Beta 1

After reading the news on the Snort website, I grab the latest beta version, Snort 2.7.0 beta1.

Then I build the RPM packages from it using the following command:

$ rpmbuild --with mysql -ta snort-2.7.0.beta1.tar.gz

Next, I install it on my system:

# rpm -Fvh rpms/RPMS/i586/snort-2.7.0.beta1-1.i586.rpm \
rpms/RPMS/i586/snort-mysql-2.7.0.beta1-1.i586.rpm

Preparing... ########################################### [100%]
1:snort warning: /etc/snort/sid-msg.map created as /etc/snort/sid-msg.map.rpmnew
warning: /etc/snort/snort.conf created as /etc/snort/snort.conf.rpmnew
########################################### [ 50%]
2:snort-mysql ########################################### [100%]

I rename the existing conf file and the new one:

# cd /etc/snort/
# mv snort.conf snort.conf.old
# mv snort.conf.rpmnew snort.conf

I run a self-test of the new Snort:

# snort -T -c /etc/snort/snort.conf
Running in Test mode with config file: /etc/snort/snort.conf
Running in IDS mode

--== Initializing Snort ==--
Initializing Output Plugins!
Var 'any_ADDRESS' defined, value len = 15 chars, value = 0.0.0.0/0.0.0.0
Var 'lo_ADDRESS' defined, value len = 19 chars, value = 127.0.0.0/255.0.0.0
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /etc/snort/snort.conf

...

--== Initialization Complete ==--

,,_ -*> Snort! <*-
o" )~ Version 2.7.0.beta1 (Build 7) i386
'''' By Martin Roesch & The Snort Team: http://www.snort.org/team.html
(C) Copyright 1998-2006 Sourcefire Inc., et al.

Rules Engine: SF_SNORT_DETECTION_ENGINE Version 1.6
Preprocessor Object: SF_SSH Version 1.0
Preprocessor Object: SF_SMTP Version 1.0
Preprocessor Object: SF_DNS Version 1.0
Preprocessor Object: SF_FTPTELNET Version 1.0
Preprocessor Object: SF_DCERPC Version 1.0

Snort sucessfully loaded all rules and checked all rule chains!
Frag3 statistics:
Total Fragments: 0
Frags Reassembled: 0
Discards: 0
Memory Faults: 0
Timeouts: 0
Overlaps: 0
Anomalies: 0
Alerts: 0
FragTrackers Added: 0
FragTrackers Dumped: 0
FragTrackers Auto Freed: 0
Frag Nodes Inserted: 0
Frag Nodes Deleted: 0
===============================================================================
Final Flow Statistics
,----[ FLOWCACHE STATS ]----------
Memcap: 10485760 Overhead Bytes 16400 used(%0.156403)/blocks (16400/1)
Overhead blocks: 1 Could Hold: (0)
IPV4 count: 0 frees: 0
low_time: 0, high_time: 0, diff: 0h:00:00s
finds: 0 reversed: 0(%0.000000)
find_success: 0 find_fail: 0
percent_success: (%0.000000) new_flows: 0
Snort exiting

I hope I have spare time to test the new processor.

Testing Snort 2.6.x

I download the latest Snort tarball, then create the Snort RPMs:

$ rpmbuild -tb snort-2.6.x.tar.gz --with mysql
...
Wrote: /home/tedi/rpms/RPMS/i586/snort-2.6.x-1.i586.rpm
Wrote: /home/tedi/rpms/RPMS/i586/snort-mysql-2.6.x-1.i586.rpm
...

Next, I registered with the Snort community to be able to download the Snort rules.

Then I extract the rules and move all of the files in the rules/ directory to the /etc/snort/rules directory:

# mv rules/* /etc/snort/rules/

# mv /etc/snort/rules/sid-msg.map /etc/snort/

I found out that there are two snort.conf files: the first one from the RPM package and the other one from the rules tarball. I want to check what the differences between them are:

$ diff /etc/snort/snort.conf /etc/snort/rules/snort.conf

2c2
< # http://www.snort.org Snort 2.6.0 config file
---
> # http://www.snort.org Snort current Ruleset
5c5
< # $Id$
---
> # $Id: snort.conf,v 1.167 2006/06/09 15:14:08 mwatchinski Exp $
111c111
<> var RULE_PATH ../rules
182c182
<> dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
192c192
<> dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
852c852
<> # include $RULE_PATH/virus.rules
855a856
> # include $RULE_PATH/spyware-put.rules

Most of the differences are related to paths. The last difference is very interesting: the new snort.conf comments out virus.rules and spyware-put.rules.
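The config comparison above, and the .rpmnew handling in the 2.7.0 post before it, come down to one question: which rule files does the new snort.conf leave commented out, and did the old one enable them? Here is an added example script (not from the original post or the Snort project) that answers that for any two snort.conf files by scanning their include $RULE_PATH/ lines. The two configs written by demo() are constructed fragments that only mimic the diff above; they are not the real files from the post.

```shell
#!/bin/sh
# Added example, not code from the original post or the Snort project:
# report every rule file that the NEW snort.conf includes only as a
# comment, and say how the OLD snort.conf treated the same rule file.
# Needs only POSIX sh, grep, sed and sort.

# disabled_rules FILE -> rule files FILE includes only as "# include" lines
disabled_rules() {
    grep -E '^[[:space:]]*#[[:space:]]*include[[:space:]]+\$RULE_PATH/' "$1" \
        | sed 's/.*\$RULE_PATH\///; s/[[:space:]].*$//' \
        | sort -u
}

# include_state FILE RULEFILE -> enabled | disabled | absent
include_state() {
    file=$1
    rule=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for the regex
    if grep -Eq "^[[:space:]]*include[[:space:]]+\\\$RULE_PATH/$rule([[:space:]]|\$)" "$file"; then
        echo enabled
    elif grep -Eq "^[[:space:]]*#[[:space:]]*include[[:space:]]+\\\$RULE_PATH/$rule([[:space:]]|\$)" "$file"; then
        echo disabled
    else
        echo absent
    fi
}

# compare_rule_includes OLD NEW -> one "<rulefile> <state in OLD>" line per
# rule file that NEW leaves commented out
compare_rule_includes() {
    old=$1; new=$2
    disabled_rules "$new" | while read -r rule; do
        echo "$rule $(include_state "$old" "$rule")"
    done
}

# demo -> runs the comparison on two constructed snort.conf fragments
# (made up for this example; they only mimic the diff in the post)
demo() {
    dir=$(mktemp -d)
    cat > "$dir/snort.conf.old" <<'EOF'
var RULE_PATH ../rules
include $RULE_PATH/local.rules
include $RULE_PATH/virus.rules
include $RULE_PATH/web-attacks.rules
EOF
    cat > "$dir/snort.conf.new" <<'EOF'
var RULE_PATH /etc/snort/rules
include $RULE_PATH/local.rules
# include $RULE_PATH/virus.rules
include $RULE_PATH/web-attacks.rules
# include $RULE_PATH/spyware-put.rules
EOF
    compare_rule_includes "$dir/snort.conf.old" "$dir/snort.conf.new"
    rm -rf "$dir"
}

demo
```

Run against real files with compare_rule_includes /etc/snort/snort.conf.old /etc/snort/snort.conf; a rule file reported as "enabled" is coverage you had before the upgrade and silently lose if you just swap in the .rpmnew file, so check each one before running snort -T.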

Then I test my Snort configuration:

# snort -T -c /etc/snort/snort.conf
Running in Test mode with config file: /etc/snort/snort.conf
Running in IDS mode

--== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /etc/snort/snort.conf

...

--== Initialization Complete ==--

,,_ -*> Snort! <*-
o" )~ Version 2.6.0 (Build 59) i386
'''' By Martin Roesch & The Snort Team: http://www.snort.org/team.html
(C) Copyright 1998-2006 Sourcefire Inc., et al.

Rules Engine: SF_SNORT_DETECTION_ENGINE Version 1.5
Preprocessor Object: SF_SMTP Version 1.0
Preprocessor Object: SF_FTPTELNET Version 1.0

Snort sucessfully loaded all rules and checked all rule chains!
Frag3 statistics:
Total Fragments: 0
Frags Reassembled: 0
Discards: 0
Memory Faults: 0
Timeouts: 0
Overlaps: 0
Anomalies: 0
Alerts: 0
FragTrackers Added: 0
FragTrackers Dumped: 0
FragTrackers Auto Freed: 0
Frag Nodes Inserted: 0
Frag Nodes Deleted: 0
===============================================================================
Final Flow Statistics
,----[ FLOWCACHE STATS ]----------
Memcap: 10485760 Overhead Bytes 16400 used(%0.156403)/blocks (16400/1)
Overhead blocks: 1 Could Hold: (0)
IPV4 count: 0 frees: 0
low_time: 0, high_time: 0, diff: 0h:00:00s
finds: 0 reversed: 0(%0.000000)
find_success: 0 find_fail: 0
percent_success: (%0.000000) new_flows: 0
Snort exiting

Monday, January 22, 2007

SQL in Chocolate Cover

I got the following picture from Jeremiah Grossman's blog.


I highlighted the SQL code for your easy reading. :D

Link : Beyond The CPU: Cheating Hardware Based RAM Forensics

Joanna Rutkowska posted a blog about "Beyond The CPU: Cheating Hardware Based RAM Forensics".

Here is the main point of the blog :

The whole idea behind hardware based RAM acquisition is that the process of reading the memory is using Direct Memory Access (DMA) to read the physical memory. DMA, as the name suggests, does not involve CPU in the process of accessing memory. So, it seems to be a very reliable way for reading the physical memory…

But it is not! At least in some cases...
I look forward to reading her presentation about this after the BlackHat DC conference.

Blog's Template Updated

Finally, after a long and hot discussion with my friend (Ai_Zeus), I got the blog layout the way I wanted. Now in the archives, we can see how many posts are available.

Getting this layout is very easy: just update your blog template to the latest version. Last time, I forgot to update it when I updated my blog site. :D

Enjoy the new template and please don't hesitate to give me suggestions.

PS :
I still need to figure out how to put other features on the new layout. (done)

Friday, January 19, 2007

Nessus 3.0.5

Tenable Network Security has released Nessus version 3.0.5. It fixes several "features" of the 3.0.4 version. The fixes include:

  • Faster startup time, especially on laptops
  • Improved the performance of the SYN port scanner
  • Fixed a memory leak in the Mac OS X client
  • Vista compatibility improved
  • Various minor bugs fixed in the NASL engine
  • Better chasing of zombie processes
You can read more about this on the Tenable blog.

0trace : A Tool to Trace Behind The Firewall

Michal Zalewski has just released a new security tool called 0trace. Here is a brief description of it:

This tool enables the user to perform hop enumeration ("traceroute") within an established TCP connection, such as a HTTP or SMTP session.

This is opposed to sending stray packets, as traceroute-type tools usually do.

Here is the benefit of the mechanism 0trace uses: "such traffic is happily allowed through by many stateful firewalls and other defenses without further inspection (since it is related to an entry in the connection table)".

But it also has limitations. According to the announcement information, the tool will not produce interesting results in the following situations:

  • Target's firewall drops all outgoing ICMP messages,
  • Target's firewall does TTL or full-packet rewriting,
  • There's an application layer proxy / load balancer in the way (Akamai, in-house LBs, etc),
  • There's no notable layer 3 infrastructure behind the firewall.
You can get more information about this from the LWN article.

Monday, January 15, 2007

Disable Preferences Menu in Ampache 3.3.2.1

A friend of mine (you know who you are :D) asked me how to disable the preferences menu in Ampache 3.3.2.1. I thought this would be easy; there should be a configuration option that we can turn on or off for this item. Unfortunately, I was wrong. There is no configuration option for that.

Then I download the Ampache tarball and look through it. I am very eager to solve this problem, because it will also refresh my rusty PHP programming skills. In the first round, I couldn't find where Ampache stores the preferences menu. The programming style is quite hard to understand; maybe that's because I haven't done any PHP programming for years. :D

Next, I use "grep" to search for the word "preferences" in the whole Ampache package:

grep -r "preferences.php" *

I check the results one by one. One result turns the light on: templates/sidebar.inc.php.

I open that file (sidebar.inc.php) and read the code. It is the correct one.

My first plan was to disable all references to "preferences.php", which was very easy to do.

But later I thought, wouldn't it be better if I only disabled "preferences" for ordinary users?

So I create this simple patch.

To apply this patch, put the patch file in the ampache/templates directory. Here is the listing on my system (in the ampache/templates directory):

...
$ ll sidebar.*
-rw-r--r-- 1 tedi users 1010 2007-01-15 23:14 sidebar.inc.patch
-rw-r--r-- 1 tedi users 8800 2007-01-15 23:11 sidebar.inc.php
...

Then type the following command (make sure you are in the templates directory):

$ patch -p0 < sidebar.inc.patch
patching file sidebar.inc.php

Here are some screenshots after applying the patch. I log in as "user" and as "admin". You should see the differences. :D

Friday, January 12, 2007

Compile Atheros Driver in OpenSUSE 10.x

I just bought an Atheros-based card, a NetGear WPN511. For this card, I can use madwifi as the driver.

The madwifi site also provides RPMs for OpenSUSE, but I sometimes like to compile software myself so I can adjust it to my needs.

Without further ado, here are the steps to compile the driver:

- extract the tarball:

$ tar xvjpf madwifi-0.9.2.1.tar.bz2

- build the driver:

$ cd madwifi-0.9.2.1/
$ make
Checking requirements... ok.
Checking kernel configuration... ok.
make -C /lib/modules/2.6.16.13-4-default/build SUBDIRS=/home/tedi/madwifi-0.9.2.1 modules
make[1]: Entering directory `/usr/src/linux-2.6.16.13-4-obj/i386/default'
make -C ../../../linux-2.6.16.13-4 O=../linux-2.6.16.13-4-obj/i386/default modules
CC [M] /home/tedi/madwifi-0.9.2.1/ath/ah_osdep.o
HOSTCC /home/tedi/madwifi-0.9.2.1/ath/uudecode
UUDECODE /home/tedi/madwifi-0.9.2.1/ath/i386-elf.hal.o
CC [M] /home/tedi/madwifi-0.9.2.1/ath/if_ath.o
CC [M] /home/tedi/madwifi-0.9.2.1/ath/if_ath_pci.o
LD [M] /home/tedi/madwifi-0.9.2.1/ath/ath_pci.o
LD [M] /home/tedi/madwifi-0.9.2.1/ath/ath_hal.o
CC [M] /home/tedi/madwifi-0.9.2.1/ath_rate/sample/sample.o
LD [M] /home/tedi/madwifi-0.9.2.1/ath_rate/sample/ath_rate_sample.o
CC [M] /home/tedi/madwifi-0.9.2.1/net80211/if_media.o
CC [M] /home/tedi/madwifi-0.9.2.1/net80211/ieee80211.o
CC [M] /home/tedi/madwifi-0.9.2.1/net80211/ieee80211_beacon.o
CC [M] /home/tedi/madwifi-0.9.2.1/net80211/ieee80211_crypto.o
CC [M] /home/tedi/madwifi-0.9.2.1/net80211/ieee80211_crypto_none.o
CC [M] /home/tedi/madwifi-0.9.2.1/net80211/ieee80211_input.o
CC [M] /home/tedi/madwifi-0.9.2.1/net80211/ieee80211_node.o
CC [M] /home/tedi/madwifi-0.9.2.1/net80211/ieee80211_output.o
CC [M] /home/tedi/madwifi-0.9.2.1/net80211/ieee80211_power.o
CC [M] /home/tedi/madwifi-0.9.2.1/net80211/ieee80211_proto.o
CC [M] /home/tedi/madwifi-0.9.2.1/net80211/ieee80211_scan.o
CC [M] /home/tedi/madwifi-0.9.2.1/net80211/ieee80211_wireless.o
CC [M] /home/tedi/madwifi-0.9.2.1/net80211/ieee80211_linux.o
CC [M] /home/tedi/madwifi-0.9.2.1/net80211/ieee80211_monitor.o
CC [M] /home/tedi/madwifi-0.9.2.1/net80211/ieee80211_acl.o
CC [M] /home/tedi/madwifi-0.9.2.1/net80211/ieee80211_crypto_ccmp.o
CC [M] /home/tedi/madwifi-0.9.2.1/net80211/ieee80211_scan_ap.o
CC [M] /home/tedi/madwifi-0.9.2.1/net80211/ieee80211_scan_sta.o
CC [M] /home/tedi/madwifi-0.9.2.1/net80211/ieee80211_crypto_tkip.o
CC [M] /home/tedi/madwifi-0.9.2.1/net80211/ieee80211_crypto_wep.o
CC [M] /home/tedi/madwifi-0.9.2.1/net80211/ieee80211_xauth.o
LD [M] /home/tedi/madwifi-0.9.2.1/net80211/wlan.o
LD [M] /home/tedi/madwifi-0.9.2.1/net80211/wlan_wep.o
LD [M] /home/tedi/madwifi-0.9.2.1/net80211/wlan_tkip.o
LD [M] /home/tedi/madwifi-0.9.2.1/net80211/wlan_ccmp.o
LD [M] /home/tedi/madwifi-0.9.2.1/net80211/wlan_acl.o
LD [M] /home/tedi/madwifi-0.9.2.1/net80211/wlan_xauth.o
LD [M] /home/tedi/madwifi-0.9.2.1/net80211/wlan_scan_sta.o
LD [M] /home/tedi/madwifi-0.9.2.1/net80211/wlan_scan_ap.o
Building modules, stage 2.
MODPOST
CC /home/tedi/madwifi-0.9.2.1/ath/ath_hal.mod.o
LD [M] /home/tedi/madwifi-0.9.2.1/ath/ath_hal.ko
CC /home/tedi/madwifi-0.9.2.1/ath/ath_pci.mod.o
LD [M] /home/tedi/madwifi-0.9.2.1/ath/ath_pci.ko
CC /home/tedi/madwifi-0.9.2.1/ath_rate/sample/ath_rate_sample.mod.o
LD [M] /home/tedi/madwifi-0.9.2.1/ath_rate/sample/ath_rate_sample.ko
CC /home/tedi/madwifi-0.9.2.1/net80211/wlan.mod.o
LD [M] /home/tedi/madwifi-0.9.2.1/net80211/wlan.ko
CC /home/tedi/madwifi-0.9.2.1/net80211/wlan_acl.mod.o
LD [M] /home/tedi/madwifi-0.9.2.1/net80211/wlan_acl.ko
CC /home/tedi/madwifi-0.9.2.1/net80211/wlan_ccmp.mod.o
LD [M] /home/tedi/madwifi-0.9.2.1/net80211/wlan_ccmp.ko
CC /home/tedi/madwifi-0.9.2.1/net80211/wlan_scan_ap.mod.o
LD [M] /home/tedi/madwifi-0.9.2.1/net80211/wlan_scan_ap.ko
CC /home/tedi/madwifi-0.9.2.1/net80211/wlan_scan_sta.mod.o
LD [M] /home/tedi/madwifi-0.9.2.1/net80211/wlan_scan_sta.ko
CC /home/tedi/madwifi-0.9.2.1/net80211/wlan_tkip.mod.o
LD [M] /home/tedi/madwifi-0.9.2.1/net80211/wlan_tkip.ko
CC /home/tedi/madwifi-0.9.2.1/net80211/wlan_wep.mod.o
LD [M] /home/tedi/madwifi-0.9.2.1/net80211/wlan_wep.ko
CC /home/tedi/madwifi-0.9.2.1/net80211/wlan_xauth.mod.o
LD [M] /home/tedi/madwifi-0.9.2.1/net80211/wlan_xauth.ko
make[1]: Leaving directory `/usr/src/linux-2.6.16.13-4-obj/i386/default'
make -C ./tools all || exit 1
make[1]: Entering directory `/home/tedi/madwifi-0.9.2.1/tools'
gcc -o athstats -g -O2 -Wall -include ../include/compat.h -I. -I../hal -I.. -I../ath athstats.c
gcc -o 80211stats -g -O2 -Wall -include ../include/compat.h -I. -I../hal -I.. 80211stats.c
gcc -o athkey -g -O2 -Wall -include ../include/compat.h -I. -I../hal -I.. athkey.c
gcc -o athchans -g -O2 -Wall -include ../include/compat.h -I. -I../hal -I.. athchans.c
gcc -o athctrl -g -O2 -Wall -include ../include/compat.h -I. -I../hal -I.. athctrl.c
gcc -o athdebug -g -O2 -Wall -include ../include/compat.h -I. -I../hal -I.. athdebug.c
gcc -o 80211debug -g -O2 -Wall -include ../include/compat.h -I. -I../hal -I.. 80211debug.c
gcc -o wlanconfig -g -O2 -Wall -include ../include/compat.h -I. -I../hal -I.. wlanconfig.c
make[1]: Leaving directory `/home/tedi/madwifi-0.9.2.1/tools'

After that I install the driver on the system using "make install".

Then I put the card in the PCMCIA slot and run "dmesg":

ath_hal: module not supported by Novell, setting U taint flag.
ath_hal: 0.9.17.2 (AR5210, AR5211, AR5212, RF5111, RF5112, RF2413, RF5413)
wlan: module not supported by Novell, setting U taint flag.
wlan: 0.8.4.2 (0.9.2.1)
ath_rate_sample: module not supported by Novell, setting U taint flag.
ath_rate_sample: 1.2 (0.9.2.1)
ath_pci: module not supported by Novell, setting U taint flag.
ath_pci: 0.9.4.5 (0.9.2.1)
PCI: Enabling device 0000:03:00.0 (0000 -> 0002)
ACPI: PCI Interrupt 0000:03:00.0[A] -> Link [C0C4] -> GSI 10 (level, low) -> IRQ 10
wifi0: 11b rates: 1Mbps 2Mbps 5.5Mbps 11Mbps
wifi0: 11g rates: 1Mbps 2Mbps 5.5Mbps 11Mbps 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps
wifi0: turboG rates: 6Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps
wifi0: H/W encryption support: WEP AES AES_CCM TKIP
wifi0: mac 7.9 phy 4.5 radio 5.6
wifi0: Use hw queue 1 for WME_AC_BE traffic
wifi0: Use hw queue 0 for WME_AC_BK traffic
wifi0: Use hw queue 2 for WME_AC_VI traffic
wifi0: Use hw queue 3 for WME_AC_VO traffic
wifi0: Use hw queue 8 for CAB traffic
wifi0: Use hw queue 9 for beacons
wlan_scan_sta: module not supported by Novell, setting U taint flag.
wifi0: Atheros 5212: mem=0x38000000, irq=10

From the information above, I know that my wifi card is detected and the driver is working.
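Reading dmesg by eye works for one card. The added example below (not from the original post or the madwifi project) does the same checks from a saved dmesg capture: which madwifi modules loaded with which version, which ones made the kernel set the U (unsupported, out-of-tree module) taint flag, and whether the wifi0 probe line appeared. sample_dmesg() embeds the lines from the output above as constructed input so the script runs offline; in practice you would pipe dmesg into driver_check instead.

```shell
#!/bin/sh
# Added example, not code from the original post or the madwifi project.
# Parses dmesg text on stdin for the madwifi module loads, the "U taint"
# warnings SUSE kernels print for out-of-tree modules, and the wifi0 probe.
# Needs only POSIX sh and awk.

# wifi_modules : prints "<module> <version>" for each module version line
wifi_modules() {
    awk '/^(ath_hal|ath_pci|ath_rate_sample|wlan|wlan_scan_sta): [0-9]/ {
            sub(":", "", $1); print $1, $2
         }'
}

# tainting_modules : prints each module the kernel marked as unsupported
tainting_modules() {
    awk '/setting U taint flag/ { sub(":", "", $1); print $1 }'
}

# wifi_interface : prints "<iface> Atheros <chip> irq=<n>" from the probe line
wifi_interface() {
    awk '/^wifi[0-9]+: Atheros [0-9]+: / {
            sub(":", "", $1); sub(":", "", $3); print $1, $2, $3, $5
         }'
}

# count : number of lines on stdin (avoids wc's leading spaces on some systems)
count() { awk 'END { print NR }'; }

# sample_dmesg : constructed input copied from the dmesg lines shown above
sample_dmesg() {
cat <<'EOF'
ath_hal: module not supported by Novell, setting U taint flag.
ath_hal: 0.9.17.2 (AR5210, AR5211, AR5212, RF5111, RF5112, RF2413, RF5413)
wlan: module not supported by Novell, setting U taint flag.
wlan: 0.8.4.2 (0.9.2.1)
ath_rate_sample: module not supported by Novell, setting U taint flag.
ath_rate_sample: 1.2 (0.9.2.1)
ath_pci: module not supported by Novell, setting U taint flag.
ath_pci: 0.9.4.5 (0.9.2.1)
PCI: Enabling device 0000:03:00.0 (0000 -> 0002)
wifi0: H/W encryption support: WEP AES AES_CCM TKIP
wlan_scan_sta: module not supported by Novell, setting U taint flag.
wifi0: Atheros 5212: mem=0x38000000, irq=10
EOF
}

# driver_check : reads dmesg text on stdin, prints a short report, and
# returns 0 when the wifi probe line is present, 1 otherwise
driver_check() {
    log=$(cat)
    iface=$(printf '%s\n' "$log" | wifi_interface)
    taint=$(printf '%s\n' "$log" | tainting_modules | count)
    printf 'modules:\n%s\n' "$(printf '%s\n' "$log" | wifi_modules)"
    printf 'unsupported (tainting) modules: %s\n' "$taint"
    if [ -n "$iface" ]; then
        printf 'detected: %s\n' "$iface"
        return 0
    fi
    printf 'no wifi interface probed\n'
    return 1
}

sample_dmesg | driver_check
```

The taint count is worth keeping in your notes: every module listed there is code the distribution did not build or sign, so it is exactly what you want to recognise later when a kernel oops or a support request mentions a tainted kernel.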

In the next post, I will describe some simple wireless activities.

Thursday, January 11, 2007

Running IE on Linux

If you have time to spare, you may want to look at the IEs4Linux site.

You may ask, what is IEs4Linux? Here is the answer I took from the webpage:

IEs4Linux is the simpler way to have Microsoft Internet Explorer running on Linux (or any OS running Wine).

No clicks needed. No boring setup processes. No Wine complications. Just one easy script and you'll get three IE versions to test your Sites. And it's free and open source.

The stable version only supports IE 5, 5.5, and 6. If you want to try IE 7, you may want to take a look at the WebExpose article "Internet Explorer 7 On Linux" first. IE7 is only supported in the IEs4Linux beta version, so beware.

If you have tried it, please let me know, because I don't think I will be running IE on Linux in the near future. I'd better stick with other browsers. :D

Friday, January 05, 2007

UXSS in Adobe Acrobat Reader Plugin

At the beginning of the new year, I am surprised by the disclosure of multiple vulnerabilities in the Adobe Acrobat Reader plugin.

These vulnerabilities can cause the following:

  • Universal CSRF / session riding (tested on Mozilla Firefox, Internet Explorer, Opera + Acrobat Reader plugin)
  • UXSS in #FDF, #XML and #XFDF (tested on Mozilla Firefox + Acrobat Reader plugin)
  • Possible Remote Code Execution (tested on Mozilla Firefox + Acrobat Reader plugin)
  • Denial of Service (tested on Internet Explorer + Acrobat Reader plugin)
To avoid scary things, I use FoxitReader to read PDFs and I also installed the PDFDownload plugin for Firefox.

Here are several resources if you want to know more about this:

Thursday, January 04, 2007

Happy New Year 2007

I just want to say "Happy New Year 2007" to you, my kind readers.

Let's hope this new year brings us more happiness, more joy and more health.

Have a wonderful new year.

PS :
I will be blogging again after I have solved several problems. :D