tag:blogger.com,1999:blog-54433439318116412982011-07-08T03:09:55.943-07:00My disjointed thoughts on NSM and InfosecWill Metcalfhttp://www.blogger.com/profile/01336462559928749756noreply@blogger.comBlogger241100tag:blogger.com,1999:blog-5443343931811641298.post-17212242706724293312011-01-15T04:53:00.000-08:002011-01-15T06:41:13.979-08:00So <a href="http://www.microsoft.com/downloads/en/details.aspx?FamilyID=c6f0a6ee-05ac-4eb6-acd0-362559fd2f04">EMET</a> is an awesome tool, it really is. If you are floating about the Internet on a Windows machine I highly recommend it. Sure your AV software may have some similar features but the protections will probably not be as robust and/or you may not have as granular control over protections. I will include a couple of links to good articles I've found regarding configuring EMET below.<br /><br /><ol><li><a href="http://blogs.technet.com/b/srd/archive/2010/09/10/use-emet-2-0-to-block-the-adobe-0-day-exploit.aspx">Article on protection against an Adobe 0-day. Note: the problem is in a dll so the steps outlined here need to be applied to any application that loads the vulnerable dll </a></li><li><a href="http://rationallyparanoid.com/articles/microsoft-emet-2.html">Rationally Paranoid write-up on EMET.</a></li><li><a href="http://securehomenetwork.blogspot.com/2010/10/use-emet-on-windows-machines.html">James Mcquaid write-up on EMET.</a><br /></li></ol><br />One annoying thing about the command line configuration tool EMET_conf.exe is that it doesn't support file globs. So I whipped up the following batch file in a couple of minutes to deal with this. Hopefully it will save you a couple of minutes when adding executables to EMET for compatibility testing your applications. It would be nice to be able to toggle EMET options via cli as well.. Perhaps I will work on this next.<br /><blockquote><p><span style="font-size:78%;"><br /></span><span style="font-size:85%;"><span style="font-size:78%;">@echo off<br />SETLOCAL EnableDelayedExpansion EnableExtensions<br /><br />rem - change this to the path of your emet_conf executable.<br />SET EMETCMD="%PROGRAMFILES%\emet\emet_conf.exe"<br /><br />if "%1" == "" goto error_missing_action<br />if %2 == "" goto error_missing_glob<br /><br />if "%1" == "add" goto emet_add<br />if "%1" == "delete" goto emet_delete<br />echo.<br />rem - add the user_supplied glob to emet<br />:emet_add<br />echo going to add files matching glob %2 to emet<br />@echo on<br />for /f "tokens=*" %%i in ('dir /s/b/p %2') do %EMETCMD% --add "%%i"<br />@echo off<br />goto end<br /><br />rem - delete the user_supplied glob to emet<br />:emet_delete<br />echo going to delete files matching glob %2 to emet<br />@echo on<br />for /f "tokens=*" %%i in ('dir /s/b/p %2') do %EMETCMD% --delete "%%i"<br />@echo off<br />goto end<br /><br />rem - user must specify add or delete as action<br />:error_missing_action<br />echo missing action argument you must specify add or delete!<br />echo usage emet_glob.bat adddelete "%PROGRAMFILES%\adobe\*.exe"<br />goto end<br /><br />rem - user must specify a second argument of a base path to recursively search for files to add<br />:error_missing_glob<br />echo missing action argument you must specify add or delete!<br />echo "usage emet_glob.bat adddelete "%PROGRAMFILES%\adobe\*.exe"<br />goto end<br /><br />:end<br />echo.<br />echo Done.</span><br /></span><span style="font-size:85%;"><br /></span></p></blockquote><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5443343931811641298-1721224270672429331?l=node5.blogspot.com' alt='' /></div>Will Metcalfhttp://www.blogger.com/profile/01336462559928749756noreply@blogger.com0tag:blogger.com,1999:blog-5443343931811641298.post-65727605181072115832010-04-19T12:28:00.000-07:002010-04-19T12:31:11.502-07:00The release notes below say it all ;-)...<br /><br /><span style="font-size:85%;">The OISF development team is proud to introduce the 3rd beta release of<br />Suricata, the Open Source Intrusion Detection and Prevention engine. The<br />first release candidate is currently scheduled for early May, but check<br />https://redmine.openinfosecfoundation.org/projects/roadmap/suricata for<br />the up to date schedule!<br /><br />Get the new release here:<br />http://www.openinfosecfoundation.org/download/suricata-0.8.2.tar.gz<br /><br />New features<br /><br />- Support for the following keywords: detection_filter, http_client_body<br />- The HTTP parser can now set server personalities<br />- threshold.config support<br />- The experimental CUDA code now also works on x86_64<br />- IP address only rules for IPv6 are now supported as well<br />- Suricata can now write a pid file (pass --pidfile <file>)<br />- A fuzzer script was added to the code base<br />- Policy lookup for defrag module<br /><br />Improvements<br /><br />- Much better average and worstcase performance in the detection engine<br />- Memory footprint was reduced<br />- More validation at signature loading stage<br />- Libnet 1.1 is now optional<br />- Negated uricontent and http_cookie matching is now supported<br />- Lots of fixes of issues found by Valgrind's DRD, CLANG and Parfait.<br />- Threads are named now in "top" (Linux only atm).<br />- Unified1 file handling is improved<br /><br />Bugs fixed<br /><br />Many :)<br />Several segmentation faults, upgrading is highly recommended.<br /><br />See<br />https://redmine.openinfosecfoundation.org/projects/suricata/issues?fixed_version_id=6&amp;set_filter=1&amp;status_id=c<br /><br />Known issues &amp; missing features<br /><br />We have made significant progress towards reaching our first full<br />(non-beta) release of Suricata. Your feedback is always important to us<br />and we appreciate your time and effort. As always, we are doing our<br />best to make you aware of continuing development and items within the<br />engine that are not yet complete. With this in mind, please notice the<br />list we have included of known items we are working on.<br /><br />- Using the http_cookie keyword seems to cause a match on all packets.<br />- Currently we dont' support the dce option for byte_test and byte_jump.<br />- Stream reassembly is currently only performed for app-layer code.<br />- Inconsistent time stamps in http log file due to handling &amp; updating<br />of the http state.<br />- DCE/RPC over udp is not currently supported.<br />- dce_stub_data does not respect relative modifiers.<br />- Engine does not work properly on big endian platforms.<br />- Time based stats are not calculated correctly.<br /><br />See https://redmine.openinfosecfoundation.org/projects/suricata/issues<br />for an up to date list and to report new issues.</file></span><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5443343931811641298-6572760518107211583?l=node5.blogspot.com' alt='' /></div>Will Metcalfhttp://www.blogger.com/profile/01336462559928749756noreply@blogger.com0tag:blogger.com,1999:blog-5443343931811641298.post-68175664612695394252010-04-09T13:07:00.000-07:002010-04-10T08:37:27.945-07:00 <title></title> <style type="text/css"> <!-- @page { margin: 0.79in } P { margin-bottom: 0.08in } A:link { so-language: zxx } --> </style> <p style="margin-bottom: 0in;"><span style="color: rgb(0, 0, 0);"><span style="font-size:85%;">If you checkout the latest version of the suricata from it's git repo, now included is a new qa/ directory. In this directory there now lives a perl script I created called wirefuzz.pl that is a suricata specific re-implementation of the wireshark fuzzing technique described <a href="http://wiki.wireshark.org/FuzzTesting">here</a>. The script can also be used as a shortcut to running the engine through valgrind tools etc.</span></span><span style="font-size:85%;"> <br /> <br /></span><span style="color: rgb(0, 0, 0);"><span style="font-size:85%;">In it's simplest "set it and forget it form" you can leave it running and it will loop through the pcaps provided continuing to mutate them with whatever error ratio you provide, i.e. if you pass -e=0.02 there is a 2% chance that each byte will be modified in one of four different ways. It will continue to loop until a invalid exit value is detected, at which point it will try to find the a core dump, parse it and save the output to a file for further inspection.</span></span><span style="font-size:85%;"> <br /> <br /></span><span style="color: rgb(0, 0, 0);"><span style="font-size:85%;">We have found this technique to be a very effective way of discovering bugs. We have multiple instances of this script running 24/7 using an extensive collection of pcaps as ammunition. With that said we will never be able to account for the "uniqueness" that exists in real-world environments both large and small. </span></span><span style="font-size:85%;"> <br /> <br /></span><span style="color: rgb(0, 0, 0);"><span style="font-size:85%;">if you want to help the project please don't hesitate to checkout the latest version of the repo and point the fuzzer at perhaps your rotating packet capture, or a sample of your network traffic. <br /></span></span></p><p style="margin-bottom: 0in;"><span style="color: rgb(0, 0, 0);"><span style="font-size:85%;">If you have any questions please don't hesitate to ask on the oisf-users mailing list, which you can subscribe to <a href="http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users">here</a>, or you can leave a comment and I will try to respond. Ladies and gentlemen start your fuzzers!</span></span><span style="font-size:85%;"> <br /> <br /></span><span style="font-weight: bold; color: rgb(0, 0, 0);"><span style="font-size:85%;">To check the latest development version of suricata:</span></span><span style="font-size:85%;"> <br /> <br /></span><span style="color: rgb(0, 0, 0);"><span style="font-size:85%;">git clone </span></span><a href="git://phalanx.openinfosecfoundation.org/oisf.git"><span style="color: rgb(0, 0, 0);"><span style="text-decoration: none;"><span style="font-size:85%;">git://phalanx.openinfosecfoundation.org/oisf.git</span></span></span></a></p><p style="margin-bottom: 0in; font-weight: bold;"><span style="font-size:85%;">The script relies on a couple of perl modules Capture::Tiny and Devel::GDB. Here are a couple of tips on getting them installed:</span></p> <br /><span style="font-size:85%;">Ubuntu 9.10 <br />sudo apt-get install libdevel-gdb-perl libcapture-tiny-perl <br /> <br />RedHatES/CentOS 5 <br />yum -y install cpanspec perl-Module-Build <br />cpanspec --packager OISF -v -s --follow Capture::Tiny <br />cpanspec --packager OISF -v -s --follow Devel::GDB <br />rpmbuild --rebuild *.src.rpm <br />rpm -ivh /usr/src/redhat/RPMS/noarch/perl-Devel-GDB*.rpm <br />rpm -ivh /usr/src/redhat/RPMS/noarch/perl-Capture-Tiny*.rpm <br /> <br />Fedora Core 12 <br />yum -y install perl-Capture-Tiny perl-Devel-GDB <br /> <br />Other debain based versions, try the Ubunutu instructions if this doesn't work try the following. <br />sudo apt-get install dh-make-perl <br />mkdir fuzzmodules &amp;&amp; cd fuzzmodules <br />dh-make-perl --cpan Devel-GDB --build <br />dh-make-perl --cpan Capture-Tiny --build <br />sudo dpkg -i *.deb</span><p style="margin-bottom: 0in;"><span style="font-weight: bold; color: rgb(0, 0, 0);"><span style="font-size:85%;">Output from wirefuzz.pl -h</span></span><span style="font-weight: bold;font-size:85%;" >: <br /></span><span style="color: rgb(192, 192, 192);"><span style="font-size:85%;"> <br /></span></span><span style="color: rgb(0, 0, 0);"><span style="font-size:85%;">-h or help <(this output)></span></span><span style="color: rgb(192, 192, 192);"><span style="font-size:85%;"> <br /></span></span><span style="color: rgb(0, 0, 0);"><span style="font-size:85%;">-r=<(filemask for pcaps to read)></span></span><span style="color: rgb(192, 192, 192);"><span style="font-size:85%;"> <br /></span></span><span style="color: rgb(0, 0, 0);"><span style="font-size:85%;">-n=<(optional) number of iterations or if not specified will run until error></span></span><span style="color: rgb(192, 192, 192);"><span style="font-size:85%;"> <br /></span></span><span style="color: rgb(0, 0, 0);"><span style="font-size:85%;">-s=<(optional) path to ids rules file will be passed as -s to suricata></span></span><span style="color: rgb(192, 192, 192);"><span style="font-size:85%;"> <br /></span></span><span style="color: rgb(0, 0, 0);"><span style="font-size:85%;">-e=<(optional) editcap error ratio to introduce if not specified will not fuzz. Valid range for this is 0.00 - 1.0></span></span><span style="color: rgb(192, 192, 192);"><span style="font-size:85%;"> <br /></span></span><span style="color: rgb(0, 0, 0);"><span style="font-size:85%;">-p=<(path to the suricata bin)></span></span><span style="color: rgb(192, 192, 192);"><span style="font-size:85%;"> <br /></span></span><span style="color: rgb(0, 0, 0);"><span style="font-size:85%;">-l=<(optional) log dir for output if not specified will use current directory.></span></span><span style="color: rgb(192, 192, 192);"><span style="font-size:85%;"> <br /></span></span><span style="color: rgb(0, 0, 0);"><span style="font-size:85%;">-v=<(optional) (memcheck|drd|helgrind|callgrind) will run the command through one of the specified valgrind tools.></span></span><span style="color: rgb(192, 192, 192);"><span style="font-size:85%;"> <br /></span></span><span style="color: rgb(0, 0, 0);"><span style="font-size:85%;">-y <(shuffle the array, this is useful if running multiple instances of this script.)></span></span><span style="color: rgb(192, 192, 192);"><span style="font-size:85%;"> <br /> <br /></span></span><span style="color: rgb(0, 0, 0);"><span style="font-size:85%;">Example usage:</span></span><span style="color: rgb(192, 192, 192);"><span style="font-size:85%;"> <br /></span></span><span style="color: rgb(0, 0, 0);"><span style="font-size:85%;">First thing to do is download and build suricata from git with -O0 so vars don't get optimized out. See the example below:</span></span><span style="color: rgb(192, 192, 192);"><span style="font-size:85%;"> <br /></span></span><span style="color: rgb(0, 0, 0);"><span style="font-size:85%;">git clone git://phalanx.openinfosecfoundation.org/oisf.git suricatafuzz1 &amp;&amp; cd suricatafuzz1 &amp;&amp; ./autogen.sh &amp;&amp; CFLAGS="-g -O0" ./configure &amp;&amp; make</span></span><span style="color: rgb(192, 192, 192);"><span style="font-size:85%;"> <br /> <br /></span></span><span style="color: rgb(0, 0, 0);"><span style="font-size:85%;">Second thing to do is to edit suricata.yaml to fit your environment.</span></span><span style="color: rgb(192, 192, 192);"><span style="font-size:85%;"> <br /> <br /></span></span><span style="color: rgb(0, 0, 0);"><span style="font-size:85%;">Third go ahead and run the script.</span></span><span style="color: rgb(192, 192, 192);"><span style="font-size:85%;"> <br /> <br /></span></span><span style="color: rgb(0, 0, 0);"><span style="font-size:85%;">In the example below the script will loop forever until an error is encountered will behave in the following way.</span></span><span style="color: rgb(192, 192, 192);"><span style="font-size:85%;"> <br /></span></span><span style="color: rgb(0, 0, 0);"><span style="font-size:85%;">1.-r Process all pcaps in subdirectories of /home/somepath/pcaps/</span></span><span style="color: rgb(192, 192, 192);"><span style="font-size:85%;"> <br /></span></span><span style="color: rgb(0, 0, 0);"><span style="font-size:85%;">2.-s Tell suricata to use the rules file /home/somepath/current-all.rules</span></span><span style="color: rgb(192, 192, 192);"><span style="font-size:85%;"> <br /></span></span><span style="color: rgb(0, 0, 0);"><span style="font-size:85%;">3.-y Shuffle the array of pcaps this is useful if running multiple instances of this script.</span></span><span style="color: rgb(192, 192, 192);"><span style="font-size:85%;"> <br /></span></span><span style="color: rgb(0, 0, 0);"><span style="font-size:85%;">4.-c Tell suricata to use the suricata.yaml in the current dir.</span></span><span style="color: rgb(192, 192, 192);"><span style="font-size:85%;"> <br /></span></span><span style="color: rgb(0, 0, 0);"><span style="font-size:85%;">6.-e Tell editcap to introduce a 2% error ratio, i.e. there is a 2% chance that a byte will be fuzzed see http://wiki.wireshark.org/FuzzTesting for more info.</span></span><span style="color: rgb(192, 192, 192);"><span style="font-size:85%;"> <br /></span></span><span style="color: rgb(0, 0, 0);"><span style="font-size:85%;">7.-p Use src/suricata as our suricata bin file. The script will determin if the argument passed is a bin file or a txt wrapper and will adjust accordingly.</span></span><span style="color: rgb(192, 192, 192);"><span style="font-size:85%;"> <br /> <br /></span></span><span style="color: rgb(0, 0, 0);"><span style="font-size:85%;">/usr/bin/wirefuzz.pl -r=/home/somepath/pcaps/*/* -s=/home/somepath/current-all.rules -y -c=suricata.yaml -e=0.02 -p src/suricata</span></span><span style="color: rgb(192, 192, 192);"><span style="font-size:85%;"> <br /> <br /></span></span><span style="color: rgb(0, 0, 0);"><span style="font-size:85%;">If an error is encountered a file named <fuzzedfile>ERR.txt will be created in the log dir (current dir in this example) that will contain output from stderr,stdout, and gdb.</fuzzedfile></span></span><span style="color: rgb(192, 192, 192);"><span style="font-size:85%;"> <br /> <br /></span></span><span style="color: rgb(0, 0, 0);"><span style="font-size:85%;">Take a look at the opts make it work for you environtment and from the OISF QA team thanks for helping us make our meerkat fuzzier! ;-) </span></span><span style="color: rgb(192, 192, 192);"><span style="font-size:85%;"> <br /></span></span> <br /></p> <div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5443343931811641298-6817566461269539425?l=node5.blogspot.com' alt='' /></div>Will Metcalfhttp://www.blogger.com/profile/01336462559928749756noreply@blogger.com2tag:blogger.com,1999:blog-5443343931811641298.post-15486274756968111322010-03-01T19:39:00.000-08:002010-03-01T20:01:54.955-08:00I know that I'm a little late with this but we have released a new version of Suricata version 0.8.1 which you can get <a href="http://www.openinfosecfoundation.org/index.php/download-suricata">here</a>. It is still beta quality code but we have made some significant changes/improvements which you can read about <a href="http://www.openinfosecfoundation.org/index.php/component/content/article/1-latest-news/86-suricata-081-released">here</a>. In addition to the known issues it should be noted that the PF_RING code in this version works with versions of the api prior to 4.1.2. Victor currently has a patch in his inbox that will allow it to work with later versions and for the user to specify a PF_RING load balancing type for the cluster i.e. load balanced per-packet or per-flow.<br /><br />Secondly, I met with most of the OISF team in Istanbul last week. We had some very productive meetings and I feel we really got a good grasp on what needs to be done in engine in the coming year(s). On a more personal note it was great to finally put faces with names for those individuals I had not met prior to last week. Victor and I also got the chance to speak at local<a href="http://www.owasp.org/index.php/Turkey"> OWASP</a> meeting in Instanbul along with Brian Rectanus from OISF/Breach. These were a great group of guys and despite the fact that Victor and I were totally disorganized (Jonkman was originally supposed to speak ;-)) they didn't seem to mind to much or at least they hid it well.<br /><a id="publishButton" class="cssButton" href="javascript:void(0)" target="" onclick="if (this.className.indexOf(&quot;ubtn-disabled&quot;) == -1) {var e = document['stuffform'].publish;(e.length) ? e[0].click() : e.click(); if (window.event) window.event.cancelBubble = true; return false;}"><div class="cssButtonOuter"><div class="cssButtonMiddle"><div class="cssButtonInner"><br /></div></div></div></a><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5443343931811641298-1548627475696811132?l=node5.blogspot.com' alt='' /></div>Will Metcalfhttp://www.blogger.com/profile/01336462559928749756noreply@blogger.com0tag:blogger.com,1999:blog-5443343931811641298.post-59252303039409765892009-12-31T13:47:00.000-08:002009-12-31T13:58:53.261-08:00We have done it! We have released the first version of our brand-spanking new IDP engine named Suricata. For more info please see the official release<a href="http://www.openinfosecfoundation.org/index.php/component/content/article/1-latest-news/82-suricata-beta-available"> announcement </a>on the OISF website. Everybody on the team has been working hard day and night for these last six months to get this far. <br /><br />As <a href="http://www.inliniac.net/blog/2009/12/31/suricata-released.html">Victor</a> mentioned in his post if you find a bug or have any feedback please don't hesitate to let us know via the project's <a href="https://redmine.openinfosecfoundation.org/projects/show/suricata">redmine</a> page.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5443343931811641298-5925230303940976589?l=node5.blogspot.com' alt='' /></div>Will Metcalfhttp://www.blogger.com/profile/01336462559928749756noreply@blogger.com0tag:blogger.com,1999:blog-5443343931811641298.post-28712508614581576902009-11-29T10:40:00.000-08:002009-11-29T10:52:08.645-08:00So it appears as if they have finally integrated <a href="http://www.seccuris.com/documents/whitepapers/20070517-devsummit-zerocopybpf.pdf">Zero-Copy <span class="blsp-spelling-error" id="SPELLING_ERROR_0">bpf</span></a> support into FreeBSD 8.0. I have not had any time to do any real performance tests but I thought I would just throw a few little notes up about it. Zero-Copy <span class="blsp-spelling-error" id="SPELLING_ERROR_1">BPF</span> is not enabled by default, to enable it you must do the following.<br /><br /><span class="blsp-spelling-error" id="SPELLING_ERROR_2">sysctl</span> net.bpf.zerocopy_enable=1<br /><br />Once you set this option you can fire up any <span class="blsp-spelling-error" id="SPELLING_ERROR_3">libpcap</span> based application and it should use the zero-copy functionality. It appears as if there was a patch to <span class="blsp-spelling-error" id="SPELLING_ERROR_4">netstat</span> that wasn't integrated for the 8.0 release but can be found <a href="http://www.watson.org/%7Erobert/freebsd/zcopybpf/">here</a>. A few little fixes namely converting the %<span class="blsp-spelling-error" id="SPELLING_ERROR_5">lu</span> <span class="blsp-spelling-error" id="SPELLING_ERROR_6">printfs</span> to %<span class="blsp-spelling-error" id="SPELLING_ERROR_7">llu</span> instead will give you a <span class="blsp-spelling-error" id="SPELLING_ERROR_8">netstat</span> that will produce stats about zero-copy operations.<br /><br />without zero-copy <span class="blsp-spelling-error" id="SPELLING_ERROR_9">sysctl</span> option set to zero...<br />./<span class="blsp-spelling-error" id="SPELLING_ERROR_10">netstat</span> -s -B<br /><span class="blsp-spelling-error" id="SPELLING_ERROR_11">tcpdump</span>: <span class="blsp-spelling-error" id="SPELLING_ERROR_12">pid</span> 3402 on ed0:<br /> 376 packets received<br /> 376 packets matched receive filter<br /> 0 packets dropped<br /> 0 current hold buffer size<br /> 1146 current store buffer size<br /> 0 packets written<br /> 0 packets matched write filter<br /> 0 packet writes failed<br /> 0 zero copy operations<br /><br />with zero-copy <span class="blsp-spelling-error" id="SPELLING_ERROR_13">sysctl</span> option set to 1<br /><br />FreeBSD-32-bit# ./<span class="blsp-spelling-error" id="SPELLING_ERROR_14">netstat</span> -s -B<br /><span class="blsp-spelling-error" id="SPELLING_ERROR_15">tcpdump</span>: <span class="blsp-spelling-error" id="SPELLING_ERROR_16">pid</span> 3424 on ed0:<br /> 745 packets received<br /> 745 packets matched receive filter<br /> 0 packets dropped<br /> 0 current hold buffer size<br /> 830 current store buffer size<br /> 0 packets written<br /> 0 packets matched write filter<br /> 0 packet writes failed<br /> 1490 zero copy operations<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5443343931811641298-2871250861458157690?l=node5.blogspot.com' alt='' /></div>Will Metcalfhttp://www.blogger.com/profile/01336462559928749756noreply@blogger.com0tag:blogger.com,1999:blog-5443343931811641298.post-43222422332510449922009-11-11T16:04:00.000-08:002011-01-06T14:20:16.965-08:00If you are looking for a good open source static analyzer for c/c++ you know that it is slim pickins out there. There are great tools for detecting memory issues like <a href="http://valgrind.org/">valgrind</a> and all of it's included <a href="http://valgrind.org/info/tools.html">goodies</a>. Most open source static code analyzers are out of date, are just to darn difficult to get working (cough* cough* splint), or don't scale well to large projects like flawfinder and it's hey you have a static buffer at line x you better make sure you do proper bounds checking.<br /><br />So in my search for a static code analyzer I stumbled across the clang <a href="http://clang-analyzer.llvm.org/">static-analyzer</a> and I must say that it is pretty darn amazing. While it doesn't detect buffer overflows at the time of writing, it informs the user of a ton of other issues that when resolved can lead to cleaner more efficient code. I'm just going to summarize the steps that I went through to get it up and running. Most of these steps are on the clang <a href="http://clang-analyzer.llvm.org/">static-analyzer</a> site or came from this blog <a href="http://hdante.blogspot.com/2009/04/clang-compiler-quickstart.html">post</a>.<br /><br /><span style="font-size:85%;">1. Checkout llvm using subversion<br /><br /></span><span style=";font-family:courier new;font-size:85%;" >svn co http://llvm.org/svn/llvm-project/llvm/trunk llvm<br /></span><span style=";font-family:courier new;font-size:85%;" ><br /></span><span style="font-size:85%;">2. Checkout clang using subversion<br /></span><span style=";font-family:courier new;font-size:85%;" >cd llvm/tools</span><span style="font-size:85%;"><br /></span><span style=";font-family:courier new;font-size:85%;" >svn co http://llvm.org/svn/llvm-project/cfe/trunk clang<br /><br /></span><span style="font-size:85%;">3. Build llvm and clang<br />cd ..<br /></span><span style=";font-family:courier new;font-size:85%;" >./configure --prefix=/opt/clang<br />make<br />sudo make install<br /><br />4.Clang static-analyzer isn't installed with make install so lets move it to the location where we installed everything else.<br /><br />sudo cp -Rf tools/clang/tools/scan-build /opt/clang/<br />sudo cp -Rf tools/clang/tools/scan-view /opt/clang/<br /><br />5.Add the different clang dirs to your $PATH. Usually this can be done by adding a line similar to the following in /etc/profile.<br /><br />PATH=$PATH:/opt/clang/bin:/opt/clang/libexec:/opt/clang/scan-build:/opt/clang/scan-view<br /><br />6.Go into the directory where your source code resides. If you have code that follows the normal ./configure, make, make install type of build you will want to do the following.<br /></span><span style="font-size:85%;"><span style="font-family:monospace;"><br /></span>scan-build ./configure<br />scan-build -o /var/www/html/testresults make<br /></span><span style="font-family:monospace;"><br /></span><span style="font-size:85%;"><span style="font-family:courier new;">7. Once it is completed you should see a message like "x diagnostics generated." Fire up your browser and got to the /testresults/ dir on the web server where you dumped your results. The interface is amazing as once you click on a bug it will actually walk you through the code, and do things for you like expand macros etc.</span></span><br /><br />Enjoy ;-)<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5443343931811641298-4322242233251044992?l=node5.blogspot.com' alt='' /></div>Will Metcalfhttp://www.blogger.com/profile/01336462559928749756noreply@blogger.com0tag:blogger.com,1999:blog-5443343931811641298.post-9699819911984077872009-07-07T13:01:00.000-07:002009-07-07T13:11:20.728-07:00If you want to go the group policy route here you go.... If this blows up your computer, your domain, server farm, blender, I'm not responsible... You have to enable the setting for each inside of the gpo to set the killbit.<br /><span style="font-size:78%;"><br />CLASS MACHINE<br /><br />CATEGORY VulnFixes<br /><br />POLICY "MS 972890 Activex component {011B3619-FE63-4814-8A84-15A194CE9CE3}"<br />KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{011B3619-FE63-4814-8A84-15A194CE9CE3}"<br />EXPLAIN Killit<br />VALUENAME "Compatibility Flags"<br />VALUEON NUMERIC 1024<br />VALUEOFF NUMERIC 0<br />END POLICY<br /><br />POLICY "MS 972890 Activex component {0149EEDF-D08F-4142-8D73-D23903D21E90}"<br />KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0149EEDF-D08F-4142-8D73-D23903D21E90}"<br />EXPLAIN Killit<br />VALUENAME "Compatibility Flags"<br />VALUEON NUMERIC 1024<br />VALUEOFF NUMERIC 0<br />END POLICY<br /><br />POLICY "MS 972890 Activex component {0369B4E5-45B6-11D3-B650-00C04F79498E}"<br />KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0369B4E5-45B6-11D3-B650-00C04F79498E}"<br />EXPLAIN Killit<br />VALUENAME "Compatibility Flags"<br />VALUEON NUMERIC 1024<br />VALUEOFF NUMERIC 0<br />END POLICY<br /><br />POLICY "MS 972890 Activex component {0369B4E6-45B6-11D3-B650-00C04F79498E}"<br />KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0369B4E6-45B6-11D3-B650-00C04F79498E}"<br />EXPLAIN Killit<br />VALUENAME "Compatibility Flags"<br />VALUEON NUMERIC 1024<br />VALUEOFF NUMERIC 0<br />END POLICY<br /><br />POLICY "MS 972890 Activex component {055CB2D7-2969-45CD-914B-76890722F112}"<br />KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{055CB2D7-2969-45CD-914B-76890722F112}"<br />EXPLAIN Killit<br />VALUENAME "Compatibility Flags"<br />VALUEON NUMERIC 1024<br />VALUEOFF NUMERIC 0<br />END POLICY<br /><br />POLICY "MS 972890 Activex component {0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}"<br />KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}"<br />EXPLAIN Killit<br />VALUENAME "Compatibility Flags"<br />VALUEON NUMERIC 1024<br />VALUEOFF NUMERIC 0<br />END POLICY<br /><br />POLICY "MS 972890 Activex component {15D6504A-5494-499C-886C-973C9E53B9F1}"<br />KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{15D6504A-5494-499C-886C-973C9E53B9F1}"<br />EXPLAIN Killit<br />VALUENAME "Compatibility Flags"<br />VALUEON NUMERIC 1024<br />VALUEOFF NUMERIC 0<br />END POLICY<br /><br />POLICY "MS 972890 Activex component {1BE49F30-0E1B-11D3-9D8E-00C04F72D980}"<br />KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{1BE49F30-0E1B-11D3-9D8E-00C04F72D980}"<br />EXPLAIN Killit<br />VALUENAME "Compatibility Flags"<br />VALUEON NUMERIC 1024<br />VALUEOFF NUMERIC 0<br />END POLICY<br /><br />POLICY "MS 972890 Activex component {1C15D484-911D-11D2-B632-00C04F79498E}"<br />KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{1C15D484-911D-11D2-B632-00C04F79498E}"<br />EXPLAIN Killit<br />VALUENAME "Compatibility Flags"<br />VALUEON NUMERIC 1024<br />VALUEOFF NUMERIC 0<br />END POLICY<br /><br />POLICY "MS 972890 Activex component {1DF7D126-4050-47F0-A7CF-4C4CA9241333}"<br />KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{1DF7D126-4050-47F0-A7CF-4C4CA9241333}"<br />EXPLAIN Killit<br />VALUENAME "Compatibility Flags"<br />VALUEON NUMERIC 1024<br />VALUEOFF NUMERIC 0<br />END POLICY<br /><br />POLICY "MS 972890 Activex component {2C63E4EB-4CEA-41B8-919C-E947EA19A77C}"<br />KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{2C63E4EB-4CEA-41B8-919C-E947EA19A77C}"<br />EXPLAIN Killit<br />VALUENAME "Compatibility Flags"<br />VALUEON NUMERIC 1024<br />VALUEOFF NUMERIC 0<br />END POLICY<br /><br />POLICY "MS 972890 Activex component {334125C0-77E5-11D3-B653-00C04F79498E}"<br />KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{334125C0-77E5-11D3-B653-00C04F79498E}"<br />EXPLAIN Killit<br />VALUENAME "Compatibility Flags"<br />VALUEON NUMERIC 1024<br />VALUEOFF NUMERIC 0<br />END POLICY<br /><br />POLICY "MS 972890 Activex component {37B0353C-A4C8-11D2-B634-00C04F79498E}"<br />KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{37B0353C-A4C8-11D2-B634-00C04F79498E}"<br />EXPLAIN Killit<br />VALUENAME "Compatibility Flags"<br />VALUEON NUMERIC 1024<br />VALUEOFF NUMERIC 0<br />END POLICY<br /><br />POLICY "MS 972890 Activex component {37B03543-A4C8-11D2-B634-00C04F79498E}"<br />KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{37B03543-A4C8-11D2-B634-00C04F79498E}"<br />EXPLAIN Killit<br />VALUENAME "Compatibility Flags"<br />VALUEON NUMERIC 1024<br />VALUEOFF NUMERIC 0<br />END POLICY<br /><br />POLICY "MS 972890 Activex component {37B03544-A4C8-11D2-B634-00C04F79498E}"<br />KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{37B03544-A4C8-11D2-B634-00C04F79498E}"<br />EXPLAIN Killit<br />VALUENAME "Compatibility Flags"<br />VALUEON NUMERIC 1024<br />VALUEOFF NUMERIC 0<br />END POLICY<br /><br />POLICY "MS 972890 Activex component {418008F3-CF67-4668-9628-10DC52BE1D08}"<br />KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{418008F3-CF67-4668-9628-10DC52BE1D08}"<br />EXPLAIN Killit<br />VALUENAME "Compatibility Flags"<br />VALUEON NUMERIC 1024<br />VALUEOFF NUMERIC 0<br />END POLICY<br /><br />POLICY "MS 972890 Activex component {4A5869CF-929D-4040-AE03-FCAFC5B9CD42}"<br />KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{4A5869CF-929D-4040-AE03-FCAFC5B9CD42}"<br />EXPLAIN Killit<br />VALUENAME "Compatibility Flags"<br />VALUEON NUMERIC 1024<br />VALUEOFF NUMERIC 0<br />END POLICY<br /><br />POLICY "MS 972890 Activex component {577FAA18-4518-445E-8F70-1473F8CF4BA4}"<br />KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{577FAA18-4518-445E-8F70-1473F8CF4BA4}"<br />EXPLAIN Killit<br />VALUENAME "Compatibility Flags"<br />VALUEON NUMERIC 1024<br />VALUEOFF NUMERIC 0<br />END POLICY<br /><br />POLICY "MS 972890 Activex component {59DC47A8-116C-11D3-9D8E-00C04F72D980}"<br />KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{59DC47A8-116C-11D3-9D8E-00C04F72D980}"<br />EXPLAIN Killit<br />VALUENAME "Compatibility Flags"<br />VALUEON NUMERIC 1024<br />VALUEOFF NUMERIC 0<br />END POLICY<br /><br />POLICY "MS 972890 Activex component {7F9CB14D-48E4-43B6-9346-1AEBC39C64D3}"<br />KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{7F9CB14D-48E4-43B6-9346-1AEBC39C64D3}"<br />EXPLAIN Killit<br />VALUENAME "Compatibility Flags"<br />VALUEON NUMERIC 1024<br />VALUEOFF NUMERIC 0<br />END POLICY<br /><br />POLICY "MS 972890 Activex component {823535A0-0318-11D3-9D8E-00C04F72D980}"<br />KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{823535A0-0318-11D3-9D8E-00C04F72D980}"<br />EXPLAIN Killit<br />VALUENAME "Compatibility Flags"<br />VALUEON NUMERIC 1024<br />VALUEOFF NUMERIC 0<br />END POLICY<br /><br />POLICY "MS 972890 Activex component {8872FF1B-98FA-4D7A-8D93-C9F1055F85BB}"<br />KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{8872FF1B-98FA-4D7A-8D93-C9F1055F85BB}"<br />EXPLAIN Killit<br />VALUENAME "Compatibility Flags"<br />VALUEON NUMERIC 1024<br />VALUEOFF NUMERIC 0<br />END POLICY<br /><br />POLICY "MS 972890 Activex component {8A674B4C-1F63-11D3-B64C-00C04F79498E}"<br />KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{8A674B4C-1F63-11D3-B64C-00C04F79498E}"<br />EXPLAIN Killit<br />VALUENAME "Compatibility Flags"<br />VALUEON NUMERIC 1024<br />VALUEOFF NUMERIC 0<br />END POLICY<br /><br />POLICY "MS 972890 Activex component {8A674B4D-1F63-11D3-B64C-00C04F79498E}"<br />KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{8A674B4D-1F63-11D3-B64C-00C04F79498E}"<br />EXPLAIN Killit<br />VALUENAME "Compatibility Flags"<br />VALUEON NUMERIC 1024<br />VALUEOFF NUMERIC 0<br />END POLICY<br /><br />POLICY "MS 972890 Activex component {9CD64701-BDF3-4D14-8E03-F12983D86664}"<br />KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{9CD64701-BDF3-4D14-8E03-F12983D86664}"<br />EXPLAIN Killit<br />VALUENAME "Compatibility Flags"<br />VALUEON NUMERIC 1024<br />VALUEOFF NUMERIC 0<br />END POLICY<br /><br />POLICY "MS 972890 Activex component {9E77AAC4-35E5-42A1-BDC2-8F3FF399847C}"<br />KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{9E77AAC4-35E5-42A1-BDC2-8F3FF399847C}"<br />EXPLAIN Killit<br />VALUENAME "Compatibility Flags"<br />VALUEON NUMERIC 1024<br />VALUEOFF NUMERIC 0<br />END POLICY<br /><br />POLICY "MS 972890 Activex component {A1A2B1C4-0E3A-11D3-9D8E-00C04F72D980}"<br />KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{A1A2B1C4-0E3A-11D3-9D8E-00C04F72D980}"<br />EXPLAIN Killit<br />VALUENAME "Compatibility Flags"<br />VALUEON NUMERIC 1024<br />VALUEOFF NUMERIC 0<br />END POLICY<br /><br />POLICY "MS 972890 Activex component {A2E3074E-6C3D-11D3-B653-00C04F79498E}"<br />KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{A2E3074E-6C3D-11D3-B653-00C04F79498E}"<br />EXPLAIN Killit<br />VALUENAME "Compatibility Flags"<br />VALUEON NUMERIC 1024<br />VALUEOFF NUMERIC 0<br />END POLICY<br /><br />POLICY "MS 972890 Activex component {A2E30750-6C3D-11D3-B653-00C04F79498E}"<br />KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{A2E30750-6C3D-11D3-B653-00C04F79498E}"<br />EXPLAIN Killit<br />VALUENAME "Compatibility Flags"<br />VALUEON NUMERIC 1024<br />VALUEOFF NUMERIC 0<br />END POLICY<br /><br />POLICY "MS 972890 Activex component {A8DCF3D5-0780-4EF4-8A83-2CFFAACB8ACE}"<br />KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{A8DCF3D5-0780-4EF4-8A83-2CFFAACB8ACE}"<br />EXPLAIN Killit<br />VALUENAME "Compatibility Flags"<br />VALUEON NUMERIC 1024<br />VALUEOFF NUMERIC 0<br />END POLICY<br /><br />POLICY "MS 972890 Activex component {AD8E510D-217F-409B-8076-29C5E73B98E8}"<br />KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{AD8E510D-217F-409B-8076-29C5E73B98E8}"<br />EXPLAIN Killit<br />VALUENAME "Compatibility Flags"<br />VALUEON NUMERIC 1024<br />VALUEOFF NUMERIC 0<br />END POLICY<br /><br />POLICY "MS 972890 Activex component {B0EDF163-910A-11D2-B632-00C04F79498E}"<br />KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{B0EDF163-910A-11D2-B632-00C04F79498E}"<br />EXPLAIN Killit<br />VALUENAME "Compatibility Flags"<br />VALUEON NUMERIC 1024<br />VALUEOFF NUMERIC 0<br />END POLICY<br /><br />POLICY "MS 972890 Activex component {B64016F3-C9A2-4066-96F0-BD9563314726}"<br />KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{B64016F3-C9A2-4066-96F0-BD9563314726}"<br />EXPLAIN Killit<br />VALUENAME "Compatibility Flags"<br />VALUEON NUMERIC 1024<br />VALUEOFF NUMERIC 0<br />END POLICY<br /><br />POLICY "MS 972890 Activex component {BB530C63-D9DF-4B49-9439-63453962E598}"<br />KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{BB530C63-D9DF-4B49-9439-63453962E598}"<br />EXPLAIN Killit<br />VALUENAME "Compatibility Flags"<br />VALUEON NUMERIC 1024<br />VALUEOFF NUMERIC 0<br />END POLICY<br /><br />POLICY "MS 972890 Activex component {C531D9FD-9685-4028-8B68-6E1232079F1E}"<br />KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{C531D9FD-9685-4028-8B68-6E1232079F1E}"<br />EXPLAIN Killit<br />VALUENAME "Compatibility Flags"<br />VALUEON NUMERIC 1024<br />VALUEOFF NUMERIC 0<br />END POLICY<br /><br />POLICY "MS 972890 Activex component {C5702CCC-9B79-11D3-B654-00C04F79498E}"<br />KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{C5702CCC-9B79-11D3-B654-00C04F79498E}"<br />EXPLAIN Killit<br />VALUENAME "Compatibility Flags"<br />VALUEON NUMERIC 1024<br />VALUEOFF NUMERIC 0<br />END POLICY<br /><br />POLICY "MS 972890 Activex component {C5702CCD-9B79-11D3-B654-00C04F79498E}"<br />KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{C5702CCD-9B79-11D3-B654-00C04F79498E}"<br />EXPLAIN Killit<br />VALUENAME "Compatibility Flags"<br />VALUEON NUMERIC 1024<br />VALUEOFF NUMERIC 0<br />END POLICY<br /><br />POLICY "MS 972890 Activex component {C5702CCE-9B79-11D3-B654-00C04F79498E}"<br />KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{C5702CCE-9B79-11D3-B654-00C04F79498E}"<br />EXPLAIN Killit<br />VALUENAME "Compatibility Flags"<br />VALUEON NUMERIC 1024<br />VALUEOFF NUMERIC 0<br />END POLICY<br /><br />POLICY "MS 972890 Activex component {C5702CCF-9B79-11D3-B654-00C04F79498E}"<br />KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{C5702CCF-9B79-11D3-B654-00C04F79498E}"<br />EXPLAIN Killit<br />VALUENAME "Compatibility Flags"<br />VALUEON NUMERIC 1024<br />VALUEOFF NUMERIC 0<br />END POLICY<br /><br />POLICY "MS 972890 Activex component {C5702CD0-9B79-11D3-B654-00C04F79498E}"<br />KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{C5702CD0-9B79-11D3-B654-00C04F79498E}"<br />EXPLAIN Killit<br />VALUENAME "Compatibility Flags"<br />VALUEON NUMERIC 1024<br />VALUEOFF NUMERIC 0<br />END POLICY<br /><br />POLICY "MS 972890 Activex component {C6B14B32-76AA-4A86-A7AC-5C79AAF58DA7}"<br />KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{C6B14B32-76AA-4A86-A7AC-5C79AAF58DA7}"<br />EXPLAIN Killit<br />VALUENAME "Compatibility Flags"<br />VALUEON NUMERIC 1024<br />VALUEOFF NUMERIC 0<br />END POLICY<br /><br />POLICY "MS 972890 Activex component {CAAFDD83-CEFC-4E3D-BA03-175F17A24F91}"<br />KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAAFDD83-CEFC-4E3D-BA03-175F17A24F91}"<br />EXPLAIN Killit<br />VALUENAME "Compatibility Flags"<br />VALUEON NUMERIC 1024<br />VALUEOFF NUMERIC 0<br />END POLICY<br /><br />POLICY "MS 972890 Activex component {D02AAC50-027E-11D3-9D8E-00C04F72D980}"<br />KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D02AAC50-027E-11D3-9D8E-00C04F72D980}"<br />EXPLAIN Killit<br />VALUENAME "Compatibility Flags"<br />VALUEON NUMERIC 1024<br />VALUEOFF NUMERIC 0<br />END POLICY<br /><br />POLICY "MS 972890 Activex component {F9769A06-7ACA-4E39-9CFB-97BB35F0E77E}"<br />KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{F9769A06-7ACA-4E39-9CFB-97BB35F0E77E}"<br />EXPLAIN Killit<br />VALUENAME "Compatibility Flags"<br />VALUEON NUMERIC 1024<br />VALUEOFF NUMERIC 0<br />END POLICY<br /><br />POLICY "MS 972890 Activex component {FA7C375B-66A7-4280-879D-FD459C84BB02}"<br />KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{FA7C375B-66A7-4280-879D-FD459C84BB02}"<br />EXPLAIN Killit<br />VALUENAME "Compatibility Flags"<br />VALUEON NUMERIC 1024<br />VALUEOFF NUMERIC 0<br />END POLICY<br /><br />END CATEGORY<br /><br />[strings]<br />VulnFixes="VulnFixes"<br />Killit="Set kill bit"<br /></span><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5443343931811641298-969981991198407787?l=node5.blogspot.com' alt='' /></div>Will Metcalfhttp://www.blogger.com/profile/01336462559928749756noreply@blogger.com2tag:blogger.com,1999:blog-5443343931811641298.post-70078242840924464992009-04-08T09:10:00.000-07:002009-04-08T10:53:46.191-07:00I have uploaded a new version of PcapParser for all 3 of you who are probably using it ;-). It has small fixes.<br /><br />1. The last pcap file in the array wasn't being added to the search list when using argus data and the last connection time was > the pcap file timestamp.<br /><br />2. I set the default linktype to be ethernet in the bpfcompile php extension so that we could match on mac addresses. If you need it to be somthing else you will have to modify it.<br /><br /><a href="http://doc.emergingthreats.net/pub/Main/PcapParser/pcapp-0.1.tar.bz2">http://doc.emergingthreats.net/pub/Main/PcapParser/pcapp-0.1.tar.bz2</a><br />md5sum:e6d71d9a4dd0c5ee7ed033c17150d785<br /><br /><br />Additionally there was recently a question to the snort mailing list about automating extraction of sessions etc. I have upload the script that I use to automate this. Essentially it tails a barnyard generated csv file, and then runs parsep4 based on matched sids.<br /><br />I have uploaded this to the pcap parser page as well just incase you are looking for a crappy script to do this for you ;-)....<br /><br /><a href="http://doc.emergingthreats.net/pub/Main/PcapParser/sentinal.tar.bz2">http://doc.emergingthreats.net/pub/Main/PcapParser/sentinal.tar.bz2</a><br />md5sum:0be132cd3ac15b184af3e4b39ece4f1a<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5443343931811641298-7007824284092446499?l=node5.blogspot.com' alt='' /></div>Will Metcalfhttp://www.blogger.com/profile/01336462559928749756noreply@blogger.com0tag:blogger.com,1999:blog-5443343931811641298.post-15985786058197279302009-02-16T13:27:00.001-08:002009-02-16T15:22:16.001-08:00<a href="http://4.bp.blogspot.com/_nWX0FG3E2lE/SZnxURDPBVI/AAAAAAAAAA8/r6yI1attx3I/s1600-h/emergingpcapparse.jpg"><img id="BLOGGER_PHOTO_ID_5303535366682117458" style="DISPLAY: block; MARGIN: 0px auto 10px; WIDTH: 400px; CURSOR: hand; HEIGHT: 244px; TEXT-ALIGN: center" alt="" src="http://4.bp.blogspot.com/_nWX0FG3E2lE/SZnxURDPBVI/AAAAAAAAAA8/r6yI1attx3I/s400/emergingpcapparse.jpg" border="0" /></a><br /><div><a href="http://3.bp.blogspot.com/_nWX0FG3E2lE/SZntBvkh8eI/AAAAAAAAAA0/Nv4A5UYYjkk/s1600-h/emergingpcapparse.jpg"></a><br /><br /><div>I have updated my <a href="http://node5.blogspot.com/2007/08/parsep-extend-rangepl-your-friendly.html">PcapParser </a>to support more options and have included a web interface. You can download the latest version <a href="http://doc.emergingthreats.net/pub/Main/PcapParser/pcapp.tar.bz2">here</a>. The web interface uses a php extension that you must install that verifies bpf syntax that is passed as userinput. I'm using pfring so if you are not look at the README in the bpfcompile subdirectory for instructions. The perl script also now requires</div><div>Net::Pcap and Mail::Sendmail.</div><div> </div><div> </div><div>The updated version also has a configuration file that usually lives at /etc/pcapp/pcapp.conf.</div><br /><div></div><br /><div>All of the options can also be passed as command line options. Anything passed via command line overrides what is in the config file.</div></div><br /><div></div><br /><div>The pcap parser will work with or without the web interface. The conf file has to modified to fit your environment. </div><br /><div></div><br /><div>If you are using the web interface you must also modify the processpcap2_conf.php to supply the directories where your argus and pcap files are stored. These should be the same as your pcapdir and argusdir in your pcapp.conf file</div><br /><div></div><br /><div>Sample command line usage...<br /></div><br /><br />In this example we are going to use all argus files to extract sessiondata about our attacker and then use that to determine which out of all of our pcap files traffic resides in. The traffic is then merged into a single pcap and then tcpflow,chaosreader,afterglow and honeysnap are run against the pcap. The files are then md5sum'd and the output of these runs are put into a tar.bz file with a web index.<br /><br /><br />/usr/bin/parsep4.pl -ip="192.168.1.1" -netmask="32" -argusnum=0 -pcapnum=0 -dotcpflow=yes -domd5deep=yes -dochaosreader=yes -doafterglow=yes -dohoneysnap=yes<br /><br /><br /><br />This is the same as above although now we are using a bpf to see all tcp traffic that is not 80,443,20, or 21, and we are only looking through the last 1 argus file i.e. today's traffic.<br /><br />/usr/bin/parsep4.pl -bpf="tcp and not port 80 and not port 443 and not port 21 and not port 20" -argusnum=1 -pcapnum=0 -dotcpflow=yes -domd5deep=yes -dochaosreader=yes -doafterglow=yes -dohoneysnap=yes<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5443343931811641298-1598578605819727930?l=node5.blogspot.com' alt='' /></div>Will Metcalfhttp://www.blogger.com/profile/01336462559928749756noreply@blogger.com0tag:blogger.com,1999:blog-5443343931811641298.post-30503947099305755602009-02-01T15:27:00.000-08:002009-02-01T15:59:30.951-08:00Matt Jonkman over at emerging threats was nice enough to host a CentoOS5 rpm repo for me. I have created a set of i686 kernel rpms that have been patched to include <a href="http://www.ntop.org/PF_RING.html">PF_RING</a> and <a href="http://ipset.netfilter.org/">ipset</a>. I did not backport libpcap to the version included with CentOS5 so you will have to recompile your libpcap based tools if you decide to use the pf_ring/libpcap based stuff for the 0.9.7 version in the repo. I also have included rpms for the latest apache etc so I suggest if you use a file to throw into /etc/yum.repos.d/ you use the include/exclude stuff options so that you only pull the items that you need/want. There are quite a few other useful tools that have been recomipled to use libpfring.<br /><br />To use ipset you will have to remove your existing iptables version and replace it with the one in the repo.<br /><br />link to the repo..<br /><br />http://www.emergingthreats.net/emergingrepo/<br /><br />I have also modified the script created by Joshua Gimer for updating the fw rules using ipset which you can download here.<br /><br />http://doc.emergingthreats.net/pub/Main/EmergingFirewallRules/emerging-ipset-update.pl.txt<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5443343931811641298-3050394709930575560?l=node5.blogspot.com' alt='' /></div>Will Metcalfhttp://www.blogger.com/profile/01336462559928749756noreply@blogger.com7tag:blogger.com,1999:blog-5443343931811641298.post-67644888241274203312009-01-29T20:28:00.000-08:002009-01-29T22:02:27.233-08:00<a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_nWX0FG3E2lE/SYKXwN1qvXI/AAAAAAAAAAk/HZyU9LSTIso/s1600-h/blockedexe.png"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 200px; height: 158px;" src="http://3.bp.blogspot.com/_nWX0FG3E2lE/SYKXwN1qvXI/AAAAAAAAAAk/HZyU9LSTIso/s200/blockedexe.png" alt="" id="BLOGGER_PHOTO_ID_5296962966345399666" border="0" /></a><br /><div style="text-align: center;"><br /></div><span style="font-size:85%;"><br />Ok so I was talking with a consultant today who was visiting my place of employment and he was telling me about all of the troubles that he was having with fake AV software infecting clients. I remembered way back when, I was trying to figure out how to enforce policy with technical controls i.e. "you are not allowed to download anything off of the internet that is not approved" and came up with this transparent squid config to do so. It is not perfect, but it attempts stop exe downloads in http based on the following characteristics.<br /><br />1. File extension<br />2. File extension inside of <a href="http://www.ietf.org/rfc/rfc2183.txt">content-disposition</a> header<br />3. mime-type that is sent back in the reply from the server (can be spoofed)<br /><br />Maybe a fun project to work on would be a mime-sniffer similar to what <a href="http://msdn.microsoft.com/en-us/library/ms775147%28VS.85%29.aspx">IE</a> does for squid using <a href="http://en.wikipedia.org/wiki/Libmagic">libmagic</a>. Or maybe hack-up what is already in <a href="http://c-icap.sourceforge.net/">c-icap</a> as it does mime-sniffing to determine what to send to it's AV scanner. I have also hacked up <a href="http://frox.sourceforge.net/">frox</a> to forward requests to squid for ftp downloads and drop the download when we get a denied message from squid. This code needs to be cleaned up and tested more before it is published. Something else interesting to keep an eye on is the <a href="http://wiki.squid-cache.org/Features/SslBump">SSLBump</a> feature set that is being worked on in squid HEAD. Will we someday get transparent SSL MITM in Squid to filter out unwanted downloads similar to what vendors like blue-coat offer?<br /><br />Anyway let's look at how to do this... The first thing we are going to do is create a custom error page that will be displayed to users if a download is denied for some reason. Yeah I created it in Open Office it's late and I'm feeling lazy ;-)... If you wish to use the one I created you can pull it from <a href="http://doc.emergingthreats.net/pub/Main/BlockEXEWithSquidFiles/ERR_BLOCKEXE">here</a>. In this example you will need to copy this file to your squid error directory in my case the file would end up being</span><span style="font-size:78%;"><br /><br /><span style="font-size:85%;">/usr/share/squid/errors/English/ERR_BLOCKEXE<br /><span style="font-size:100%;"><br /></span></span><span style="font-size:85%;"><span style="font-size:100%;">below is the <a href="http://doc.emergingthreats.net/pub/Main/BlockEXEWithSquidFiles/squid.conf">squid.conf</a> file which you can pull from the emerging threats site as well. It is pretty self explanatory note that the deny_info page is the one that is displayed to users when the download something naughty in this case the ERR_BLOCKEXE file we created. In addition I have found it helpful to generate a simple daily report with a cron job of the blocked downloads. </span><br /><span style="font-size:78%;"><br />grep `date +%d/%b/%Y` /var/log/squid/access_log | grep "TCP_DENIED" | grep " 403 " | /bin/mail -s 'daily squid block report' someguy@somesite.com<br /><span style="font-size:85%;"></span><br /></span></span></span><pre>http_port 3128 transparent<br />visible_hostname tproxy<br /><br />#list of trusted domains that we will allow downloads from<br />acl noscan dstdomain .emergingthreats.net .blackberry.com .macromedia.com .apple.com .windowsupdate.com .hp.com .xerox.com .sw.be .centos.org .microsoft.com .adobe.com .sun.com .nai.com .symantecliveupdate.com .mcafee.com .symantec.com .vmware.com .trendmicro.com<br />no_cache deny noscan<br />always_direct allow noscan<br /><br />#cache junk<br />hierarchy_stoplist cgi-bin ?<br />acl QUERY urlpath_regex cgi-bin \?<br />no_cache deny QUERY<br />acl apache rep_header Server ^Apache<br />broken_vary_encoding allow apache<br />cache_mem 512 MB<br />cache_dir ufs /var/spool/squid 2000 16 256<br />refresh_pattern ^ftp: 1440 20% 10080<br />refresh_pattern ^gopher: 1440 0% 1440<br />refresh_pattern . 0 20% 4320<br />acl manager proto cache_object<br /><br />#various acl's<br />acl alldst dst 0.0.0.0/0.0.0.0<br />acl all src 0.0.0.0/0.0.0.0<br />acl localhost src 127.0.0.1<br />acl our_networks src 192.168.2.0/255.255.255.0<br />acl our_networks src 192.168.1.0/255.255.255.0<br /><br />#remove accept encoding to prevent gzip stuff along with range requests<br />header_access Accept-Ranges deny alldst<br />header_access Accept-Encoding deny alldst<br />header_replace Accept-Encoding identity<br />header_replace Accept-Ranges none<br /><br />#use OpenDNS servers can block adware pr0n etc..<br />#If you are using a dynamic IP ddclient works very well for<br />#keeping your account up2date with the latest IP<br />dns_nameservers 208.67.222.222 208.67.220.220<br /><br />#techmachines acl<br />#acl techmachines src 192.168.2.199<br />#acl techmachines src 192.168.2.200<br /><br />#we are only redirecting port 80 so only allow port 80 traffic.<br />acl Safe_ports port 80 # http<br />http_access deny !Safe_ports<br /><br />http_access allow manager localhost<br />http_access deny manager<br /><br />acl DENY_EXE urlpath_regex -i \.(exe|msi|scr|cab|chm|cpl|hlp|hta|ins|isp|jse|lnk|ocx|reg|sct|vbe|wsc|wsf|pif|sys|shs|zip|rar|tar|7z|torrent)\??$<br /><br />#domains we always want to block<br />acl denydomains dstdomain .ssl86.ru .ytgw123.cn .gmail-security.com perlbody.t35.com summertime.1gokurimu.com doradora.atzend.com<br />http_access deny denydomains<br /><br />#dst ips we always want to block<br />acl dstips dst 195.242.161.63 59.106.145.58<br />http_access deny dstips<br />#allow trusted domains<br />http_access allow noscan<br />http_reply_access allow noscan<br /><br />#allow your techs or whomever to pull exe's<br />#http_access allow techmachines<br />#http_reply_access allow techmachines<br /><br />#block sites with exe in the uri<br />deny_info ERR_BLOCKEXE DENY_EXE<br />http_access deny DENY_EXE<br /><br />#allow localhost and everything else<br />http_access allow localhost<br />http_access allow our_networks<br /><br /><br />#block exe downloads were the uri does not end exe but they are still sending an exe via conent-dispostion headers<br />#http://www.ietf.org/rfc/rfc2183.txt<br />acl blocked_contdisp rep_header Content-Disposition -i \.(exe|msi|scr|cab|chm|cpl|hlp|hta|ins|isp|jse|lnk|ocx|reg|sct|vbe|wsc|wsf|pif|sys|shs|zip|rar|tar|7z|torrent)\??"$<br />deny_info ERR_BLOCKEXE contdisp<br />http_reply_access deny blocked_contdisp<br /><br />#block exe mime types<br />acl mime rep_mime_type -i ^application/exe$<br />acl mime rep_mime_type -i ^application/x-exe$<br />acl mime rep_mime_type -i ^application/dos-exe$<br />acl mime rep_mime_type -i ^vms/exe$<br />acl mime rep_mime_type -i ^application/x-winexe$<br />acl mime rep_mime_type -i ^application/msdos-windows$<br />acl mime rep_mime_type -i ^application/x-msdos-program$<br />acl mime rep_mime_type -i ^application/x-msdownload$<br />acl mime rep_mime_type -i ^application/x-cab-compressed$<br />acl mime rep_mime_type -i ^application/x-oleobject$<br />acl mime rep_mime_type -i ^application/x-cabinet$<br />acl mime rep_mime_type -i ^application/x-dosexec$<br />acl mime rep_mime_type -i ^vnd.ms-cab-compressed$<br />acl mime rep_mime_type -i ^application/x-cabinet-win32-x86$<br />acl mime rep_mime_type -i ^application/x-pe-win32-x86$<br />acl mime rep_mime_type -i ^application/x-setupscript$<br />deny_info ERR_BLOCKEXE mime<br />http_reply_access deny mime<br /><br />#allow all other reply<br />http_reply_access allow all<br /><br />#get some extra logging info<br />strip_query_terms off<br />log_mime_hdrs on<br /><br />#custom log format for more information<br />logformat combined %>a %ui %un [%{%d/%b/%Y:%H:%M:%S -0600}tl] "%rm %ru HTTP/%rv" %Hs %<st>h" "%{User-Agent}>h" %Ss:%Sh %mt<br />access_log /var/log/squid/access_log combined<br />error_directory /usr/share/squid/errors/English<br />coredump_dir /var/spool/squid<br /><br />#disabled for performance<br />cache_store_log none<br />cache_log none<br /></st></pre><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5443343931811641298-6764488824127420331?l=node5.blogspot.com' alt='' /></div>Will Metcalfhttp://www.blogger.com/profile/01336462559928749756noreply@blogger.com0tag:blogger.com,1999:blog-5443343931811641298.post-72674143272828731452008-08-11T12:19:00.000-07:002008-08-11T16:36:31.476-07:00<a href="http://4.bp.blogspot.com/_nWX0FG3E2lE/SKDKl3PKDVI/AAAAAAAAAAc/iMoepgvsMAE/s1600-h/screenshot.PNG"><img id="BLOGGER_PHOTO_ID_5233405518836010322" style="DISPLAY: block; MARGIN: 0px auto 10px; CURSOR: hand; TEXT-ALIGN: center" alt="" src="http://4.bp.blogspot.com/_nWX0FG3E2lE/SKDKl3PKDVI/AAAAAAAAAAc/iMoepgvsMAE/s400/screenshot.PNG" border="0" /></a><br /><br /><div><div>Ever have issues trying to get management to try and understand log files from your proxy server, showing inappropriate user activity? As they say, a picture is worth 1000 words. If you decide to use this little <span class="blsp-spelling-error" id="SPELLING_ERROR_0">proggie</span> to monitor employee activity make sure you are within your right to do so. Also it is not very stealthy It just dumps the screenshots to a folder on the local drive or a network share. You need Admin rights to remotely install it, and you need to reboot the machine before it starts working(you can just use the shutdown command in <span class="blsp-spelling-error" id="SPELLING_ERROR_1">XP</span>). It does write to the Run key so if you have some sort of AV protection preventing this you will need an alternate way to start it.<br /><br />First go and download and install the latest version of Active <span class="blsp-spelling-error" id="SPELLING_ERROR_2">perl</span> 5.8 (5.10 currently does not work)<br /><br /><a href="http://www.activestate.com/store/activeperl/download/">http://www.activestate.com/store/activeperl/download/</a><br /><br />Next we are going to install some <span class="blsp-spelling-error" id="SPELLING_ERROR_3">deps</span> that we need for taking the screen shot's and to convert our <span class="blsp-spelling-error" id="SPELLING_ERROR_4">perl</span> script to an <span class="blsp-spelling-error" id="SPELLING_ERROR_5">exe</span> so that the target machine does not need to have <span class="blsp-spelling-error" id="SPELLING_ERROR_6">perl</span> installed.<br /><br /><span style="font-size:78%;">ppm install </span><a href="http://www.bribes.org/perl/ppm/PerlMagick.ppd"><span style="font-size:78%;">http://www.bribes.org/perl/ppm/PerlMagick.ppd</span></a><br /><span style="font-size:78%;">ppm install </span><a href="http://www.bribes.org/perl/ppm/Parse-Binary.ppd"><span style="font-size:78%;">http://www.bribes.org/perl/ppm/Parse-Binary.ppd</span></a><br /><span style="font-size:78%;">ppm install </span><a href="http://www.bribes.org/perl/ppm/Win32-EXE.ppd"><span style="font-size:78%;">http://www.bribes.org/perl/ppm/Win32-EXE.ppd</span></a><br /><span style="font-size:78%;">ppm install </span><a href="http://www.bribes.org/perl/ppm/Module-ScanDeps.ppd"><span style="font-size:78%;">http://www.bribes.org/perl/ppm/Module-ScanDeps.ppd</span></a><br /><span style="font-size:78%;">ppm install </span><a href="http://theoryx5.uwinnipeg.ca/ppms/PAR-Dist.ppd"><span style="font-size:78%;">http://theoryx5.uwinnipeg.ca/ppms/PAR-Dist.ppd</span></a><br /><span style="font-size:78%;">ppm install </span><a href="http://theoryx5.uwinnipeg.ca/ppms/PAR.ppd"><span style="font-size:78%;">http://theoryx5.uwinnipeg.ca/ppms/PAR.ppd</span></a><br /><span style="font-size:78%;">ppm install </span><a href="http://theoryx5.uwinnipeg.ca/ppms/PAR-Packer.ppd"><span style="font-size:78%;">http://theoryx5.uwinnipeg.ca/ppms/PAR-Packer.ppd</span></a><br /><span style="font-size:78%;">ppm install </span><a href="http://theoryx5.uwinnipeg.ca/ppms/Win32-Screenshot.ppd"><span style="font-size:78%;">http://theoryx5.uwinnipeg.ca/ppms/Win32-Screenshot.ppd</span></a><br /><span style="font-size:78%;">ppm install Win32::<span class="blsp-spelling-error" id="SPELLING_ERROR_7">TieRegistry</span></span><br /><span style="font-size:78%;">ppm install File-Copy-Recursive</span><br /><span style="font-size:78%;"></span><br />Make the <span class="blsp-spelling-error" id="SPELLING_ERROR_8">dir</span> to hold the files that we will transfer to the target system.<br /><span style="font-size:78%;"><span class="blsp-spelling-error" id="SPELLING_ERROR_9">mkdir</span> c:\screenshots</span><br /><br />Copy the <span class="blsp-spelling-error" id="SPELLING_ERROR_10">ImageMagick</span> <span class="blsp-spelling-error" id="SPELLING_ERROR_11">DLL's</span> into the c:\screenshots <span class="blsp-spelling-error" id="SPELLING_ERROR_12">dir</span> for some reason pp doesn't package them.<br /><span style="font-size:78%;">copy C:\Perl\site\lib\auto\Image\<span class="blsp-spelling-error" id="SPELLING_ERROR_13">Magick</span>\*.<span class="blsp-spelling-error" id="SPELLING_ERROR_14">dll</span> c:\screenshots</span><br /><span style="font-size:78%;"></span><br />Start the screenshot install build. </div><div><br />-t gives the script the target <span class="blsp-spelling-error" id="SPELLING_ERROR_15">ip</span> address<br />-w tells the screenshot <span class="blsp-spelling-error" id="SPELLING_ERROR_16">proggie</span> where to write the screen shots 2. Make sure you properly escape thing that <span class="blsp-spelling-error" id="SPELLING_ERROR_17">perl</span> needs escaped so c:\downloads\ becomes c:\\downloads\\ or <a href="file://someserver/somehidenshare/">file://someserver/somehidenshare/</a> becomes <a>\\\\<span class="blsp-spelling-error" id="SPELLING_ERROR_18">someserver</span>\\<span class="blsp-spelling-error" id="SPELLING_ERROR_19">somehiddenshare</span>\$\\</a><br />-i tells the program at what interval to take screen shots. It will not take a screen shot if nobody is logged in or the screen is locked.<br />-s tells the program what directory to copy over to the remote system. This needs to be the same <span class="blsp-spelling-error" id="SPELLING_ERROR_20">dir</span> that contains the <span class="blsp-spelling-error" id="SPELLING_ERROR_21">ImagMagick</span> <span class="blsp-spelling-error" id="SPELLING_ERROR_22">dll's</span>. In example below <span class="blsp-spelling-error" id="SPELLING_ERROR_23">wearewatching</span>.<span class="blsp-spelling-error" id="SPELLING_ERROR_24">exe</span> also gets created in this <span class="blsp-spelling-error" id="SPELLING_ERROR_25">dir</span>.<br />-d tells the <span class="blsp-spelling-error" id="SPELLING_ERROR_26">progam</span> what the <span class="blsp-spelling-error" id="SPELLING_ERROR_27">dst</span> directory should be on the remote machine. It doesn't have to be c:\windows\system32\ but it has to be somewhere in the PATH.<br />-e tells the program what executable name to give the application.<br /></div><div> </div><div>example:<br /><span style="font-size:78%;">c:\<span class="blsp-spelling-error" id="SPELLING_ERROR_28">perl</span>\bin\<span class="blsp-spelling-error" id="SPELLING_ERROR_29">perl</span> f:\\<span class="blsp-spelling-error" id="SPELLING_ERROR_30">screenshotinstaller</span>3.pl -t 127.0.0.1 -w c:\\downloads\\ -i 60 -s c:\\screenshots\\ -d c:\\windows\\system32\\ -e <span class="blsp-spelling-error" id="SPELLING_ERROR_31">wearewatching</span>.<span class="blsp-spelling-error" id="SPELLING_ERROR_32">exe</span></span><br /></div><br /><div>Once the program is built it will copy over the files to the remote machine and remotely spawn the screenshot process on it's first run. The first run will check for the registry key and add if it is not there and then exit. You will then have to manually reboot the remote machine.</div><br /><div>example:<br /><span style="font-size:78%;">shutdown -r -f -m </span><a href="file://127.0.0.1/"><span style="font-size:78%;">\\127.0.0.1</span></a></div><br /><div></div><br /><div>In this example once the user logs back in it will create a folder with the date below c:\downloads so something like <span class="blsp-spelling-error" id="SPELLING_ERROR_33">MonAug</span>112008. The program will create a new folder each day and in each folder you will have a new image every 60 seconds while a user is logged in with the format of Domain:<span class="blsp-spelling-error" id="SPELLING_ERROR_34">username</span>:date.<span class="blsp-spelling-error" id="SPELLING_ERROR_35">png</span></div><br /><div></div><br /><div>Hope somebody else finds it useful ;-).....</div><br /><div></div><br /><div><span class="blsp-spelling-error" id="SPELLING_ERROR_36">Thanx</span> to Matt J<span class="blsp-spelling-error" id="SPELLING_ERROR_37">onkman</span> at emerging threats for letting me host this file.</div><br /><div><a href="http://doc.emergingthreats.net/bin/viewfile/Main/PerlScreenCaptureProggie?rev=1;filename=ScreenShotInstaller.zip"><span class="blsp-spelling-error" id="SPELLING_ERROR_38">ScreenShotInstaller</span>.zip</a> b1830a24a9bf848bf3<span class="blsp-spelling-error" id="SPELLING_ERROR_39">bbf</span>6f37611b6d9</div><br /><div></div><br /><div><br /></div><br /><div></div><br /><div><br /><br /></div><br /><div></div><br /><div><br /><br /><br /></div><br /><div></div></div><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5443343931811641298-7267414327282873145?l=node5.blogspot.com' alt='' /></div>Will Metcalfhttp://www.blogger.com/profile/01336462559928749756noreply@blogger.com0tag:blogger.com,1999:blog-5443343931811641298.post-15134563323051675762008-03-18T14:36:00.000-07:002008-03-18T14:45:25.023-07:00I have fixed sticky-drop for snort_inline in svn for all 5 of you who are running the latest version out of trunk. As VictorJ say's check it out!!!!!<br /><br /><span style="font-size:85%;"></span>svn co https://snort-inline.svn.sourceforge.net/svnroot/snort-inline/trunk<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5443343931811641298-1513456332305167576?l=node5.blogspot.com' alt='' /></div>Will Metcalfhttp://www.blogger.com/profile/01336462559928749756noreply@blogger.com0tag:blogger.com,1999:blog-5443343931811641298.post-33132103466171317332008-01-24T08:37:00.000-08:002008-01-24T08:38:59.873-08:00After contacting another organization that was leaking auth, they had to set the following on their ASA as the virtual http command didn't work for them. From the Cisco docs....<br /><br />If you use HTTP authentication without using the aaa authentication secure-http-client command, the username and password are sent in clear text to the destination web server, and not just to the AAA server. For example, if you authenticate inside users when they access outside web servers, anyone on the outside can learn valid usernames and passwords. We recommend that you use the aaa authentication secure-http-client command whenever you enable HTTP authentication<br /><br />Add the following command to the PIX/ASA Firewall:<br /><br />aaa authentication secure-http-client<br /><br />Cisco Reference Doc: http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/fwaaa.html#wp1051298<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5443343931811641298-3313210346617131733?l=node5.blogspot.com' alt='' /></div>Will Metcalfhttp://www.blogger.com/profile/01336462559928749756noreply@blogger.com0tag:blogger.com,1999:blog-5443343931811641298.post-48540499531560886282008-01-11T15:02:00.000-08:002008-01-11T15:15:20.812-08:00I recently need to configure a load balanced <span class="blsp-spelling-error" id="SPELLING_ERROR_0">apache</span> reverse proxy with two <span class="blsp-spelling-error" id="SPELLING_ERROR_1">IIS</span> servers on the <span class="blsp-spelling-error" id="SPELLING_ERROR_2">backend</span>. I found this wonderful link on <span class="blsp-spelling-error" id="SPELLING_ERROR_3">google</span> with instructions on how to do just that. I only have one small correction to the wonderful information located at<br /><br />http://macacochefe.blogspot.com/2007/08/iis-creating-cookie-affinity-load.html<br /><br />6 – Type “<span class="blsp-spelling-error" id="SPELLING_ERROR_4">mycluster</span>.node1; path=/;” in the Custom Header Value<br /><br />In his example should be...<br /><br />6 – Type “<span class="blsp-spelling-error" id="SPELLING_ERROR_5">BALANCEID</span>=<span class="blsp-spelling-error" id="SPELLING_ERROR_6">mycluster</span>.node1; path=/;” in the Custom Header Value<br /><br />Additionally in the past when I have seen <span class="blsp-spelling-error" id="SPELLING_ERROR_7">auth</span> leaked to my <span class="blsp-spelling-error" id="SPELLING_ERROR_8">webservers</span> they normally ignore <span class="blsp-spelling-error" id="SPELLING_ERROR_9">Auth</span> string and server up the content. Apache will issue a 401 Authorization required even if no type of authentication is required and or configured for that site. If you are running a reverse proxy that does not require <span class="blsp-spelling-error" id="SPELLING_ERROR_10">auth</span> you can set the following in your virtual server <span class="blsp-spelling-error" id="SPELLING_ERROR_11">config</span> to prevent this behavior. It is probably overkill but it works.<br /><br /> <span class="blsp-spelling-error" id="SPELLING_ERROR_12">RequestHeader</span> set REMOTE_USER ""<br /> <span class="blsp-spelling-error" id="SPELLING_ERROR_13">RequestHeader</span> set X-HTTP_AUTHORIZATION ""<br /> <span class="blsp-spelling-error" id="SPELLING_ERROR_14">RequestHeader</span> set HTTP_AUTHORIZATION ""<br /> <span class="blsp-spelling-error" id="SPELLING_ERROR_15">RequestHeader</span> set AUTHORIZATION ""<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5443343931811641298-4854049953156088628?l=node5.blogspot.com' alt='' /></div>Will Metcalfhttp://www.blogger.com/profile/01336462559928749756noreply@blogger.com1tag:blogger.com,1999:blog-5443343931811641298.post-51615433959404306862008-01-11T14:29:00.000-08:002008-01-11T15:01:22.641-08:00I have worked with two organizations now that are using websense in conjunction with a pix firewall and aaa auth. If your organization is configured in such a scenario it is imperative that you specify the virtual http parameter as your users browsers might cache auth and leak it to external websites.<br /><br />http://www.cisco.com/warp/public/110/atp52.html#virtual_http<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5443343931811641298-5161543395940430686?l=node5.blogspot.com' alt='' /></div>Will Metcalfhttp://www.blogger.com/profile/01336462559928749756noreply@blogger.com0tag:blogger.com,1999:blog-5443343931811641298.post-74042027378972173412007-12-31T08:39:00.000-08:002007-12-31T09:22:19.450-08:00Working for a municipal government means that we get requests on our webserver for all kinds of information about our city from citizens, businesses, etc. A while ago the bleedingthreats project released a couple of rules to look for unencrypted basic http auth. I went ahead and deployed these rules as we should never have any webapp that takes unencrypted base64 auth and if one was ever deployed I wanted to know about it. As a side effect of deploying these rules, we found that many proxies were sending valid internal proxy authentication credentials to our webservers even though we were not prompting for any sort of auth. These are organizations such as fortune 50 financial institution's, clinical research facilities, a check verification company, a home and auto insurance company, the list goes on and on. I honestly get a couple of these a week. In most cases it is a nightmare to try and get anybody on the phone as most organiztions ARIN contact information is incorrect. I don't know how many companies I called and got a message saying press 0 to talk to an operator only to press 0 and hear the same stupid automated message in a loop. Quite a few of internal authentication credentials i received seemed to be leaked by bluecoat proxies. I contacted the guy's at <a href="http://fishnetsecurity.com/">Fishnet Security</a> as I don't have access to a bluecoat. They only thing they found was a setting that had to be set via command line and according to Jake Reynolds at Fishnet should only be set in very special reverse proxy configurations. The configuration parameter is spoof-authentication, if you are running bluecoat with this option disabled try depolying a snort box to watch it's public facing interface with the following rules to see if your proxy is leaking auth. These are prone to fp's as http is essetianlly statless but should reduce noise for statically served content. It still kills me tha t companies like ciso and oracle still use unencrypted basic http auth *sigh*.. This is a perfect oppurtunity for you to deploy full content logging in your enterprise, make the <a href="http://www.taosecurity.com/">Bejtlich</a> proud.<br /><br />alert tcp any $HTTP_PORTS -> any any (msg:"BLEEDING-EDGE POLICY Basic Auth Challenge from HTTP Server"; flow:established,to_client; content:"HTTP/1."; depth:7; nocase; content:"|20|401"; within: 5; content:"|0d 0a|WWW-Authenticate|3a 20|"; nocase; flowbits:set,httpbasicrequest; flowbits:noalert; classtype:policy-violation; sid:3000526; rev:8;)<br /><br />alert tcp any $HTTP_PORTS -> any any (msg:"BLEEDING-EDGE POLICY Proxy Auth Challenge from HTTP Server"; flow:established,to_client; content:"HTTP/1."; depth:7; nocase; content: "|20|407"; within:5; content:"|0d 0a|Proxy-Authenticate|3a 20|"; nocase; flowbits:set,httpproxyauthrequest; flowbits:noalert; classtype:policy-violation; sid:3000527; rev:8;)<br /><br />alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY Outgoing Basic Auth Base64 HTTP Password leaked"; flow:established,to_server; content:"|0d 0a|Authorization|3a 20|Basic"; nocase; content:!"YW5vbnltb3VzOg=="; within:32; flowbits:isnotset,httpbasicrequest; flowbits:isnotset,httpproxyauthrequest; classtype:policy-violation; sid:3000528; rev:8;)<br /><br />alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY Incoming Basic Auth Base64 HTTP Password leaked"; flow:established,to_server; content:"|0d 0a|Authorization|3a 20|Basic"; nocase; content:!"YW5vbnltb3VzOg=="; within:32; flowbits:isnotset,httpbasicrequest; flowbits:isnotset,httpproxyauthrequest; classtype:policy-violation; sid:3000529; rev:4;)<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5443343931811641298-7404202737897217341?l=node5.blogspot.com' alt='' /></div>Will Metcalfhttp://www.blogger.com/profile/01336462559928749756noreply@blogger.com0tag:blogger.com,1999:blog-5443343931811641298.post-18712782730179750402007-11-04T13:34:00.000-08:002007-11-04T13:38:26.225-08:00I'm in the Netherlands currently hanging out with VictorJ. My wife Lindsay and I are very sleepy but full of good Dutch food and beer. I have yet to give VictorJ a good swift kick to the nuts, but I'm sure after spending five days with hime we will never want to see each other again. Just kidding..... ;-)....<br /><br />Regards,<br /><br />Will<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5443343931811641298-1871278273017975040?l=node5.blogspot.com' alt='' /></div>Will Metcalfhttp://www.blogger.com/profile/01336462559928749756noreply@blogger.com0tag:blogger.com,1999:blog-5443343931811641298.post-78343406287422266582007-10-22T15:25:00.000-07:002007-10-22T15:37:20.108-07:00<div style="text-align: justify;">Here is an ADM template to set the killbit for the vulnerable Real Player Active X control and policy hack for Adobe to set the mail:3 stuff for 8.0. Use at your own risk, if this hoses your box and or domain don't come crying to me ;-)....<br /></div><span style="font-size:50%;"><br /></span><span style="font-size:50%;">CLASS MACHINE<br /><br />CATEGORY VulnFixes<br /><br />POLICY "Vulnerable Real Player Activex component"<br />KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{FDC7A535-4070-4B92-A0EA-D9994BCC0DC5}"<br />EXPLAIN Killit<br />VALUENAME "Compatibility Flags"<br />VALUEON NUMERIC 1024<br />VALUEOFF NUMERIC 0<br />END POLICY<br /><br /><br />POLICY "Vulnerable Adobe Acrobat Reader 8"<br />KEYNAME "SOFTWARE\Policies\Adobe\Acrobat Reader\8.0\FeatureLockdown\cDefaultLaunchURLPerms"<br />EXPLAIN "Set mail:3 per http://www.adobe.com/support/security/advisories/apsa07-04.html"<br />VALUENAME "tSchemePerms"<br />VALUEON "version:1|shell:3|hcp:3|ms-help:3|ms-its:3|ms-itss:3|its:3|mk:3|mhtml:3|help:3|disk:3|afp:3|disks:3|telnet:3|ssh:3|acrobat:2|mailto:3|file:2"<br />VALUEOFF "version:1|shell:3|hcp:3|ms-help:3|ms-its:3|ms-itss:3|its:3|mk:3|mhtml:3|help:3|disk:3|afp:3|disks:3|telnet:3|ssh:3|acrobat:2|mailto:2|file:1"<br />END POLICY<br /><br />POLICY "Vulnerable Adobe Acrobat 8"<br />KEYNAME "SOFTWARE\Policies\Adobe\Adobe Acrobat\8.0\FeatureLockdown\cDefaultLaunchURLPerms"<br />Explain "Set mail:3 per http://www.adobe.com/support/security/advisories/apsa07-04.html"<br />VALUENAME "tSchemePerms"<br />VALUEON "version:1|shell:3|hcp:3|ms-help:3|ms-its:3|ms-itss:3|its:3|mk:3|mhtml:3|help:3|disk:3|afp:3|disks:3|telnet:3|ssh:3|acrobat:2|mailto:3|file:2"<br />VALUEOFF "version:1|shell:3|hcp:3|ms-help:3|ms-its:3|ms-itss:3|its:3|mk:3|mhtml:3|help:3|disk:3|afp:3|disks:3|telnet:3|ssh:3|acrobat:2|mailto:2|file:1"<br />END POLICY<br /><br />END CATEGORY<br /><br />[strings]<br />VulnFixes="VulnFixes"<br />Killit="Set kill bit"<br /><br /><br /></span><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5443343931811641298-7834340628742226658?l=node5.blogspot.com' alt='' /></div>Will Metcalfhttp://www.blogger.com/profile/01336462559928749756noreply@blogger.com0tag:blogger.com,1999:blog-5443343931811641298.post-63674658010606718102007-10-17T06:29:00.000-07:002007-10-17T06:41:02.221-07:00Dear Fortune 50 companies,<br /><br />If your proxy appliance appears to be leaking valid internal credentials to sites that you visit on the <span class="blsp-spelling-corrected" id="SPELLING_ERROR_0">Internet</span> i.e. passing Proxy-Authorization strings, you would like to know wouldn't you? I had such a case recently and when I tried to contact the company via the phone number listed for abuse with ARIN the not so friendly switchboard operator refused to connect me stating that "IT was a restricted department and she could not put me through to anyone without a name." So instead of a five minute phone call, I had to spend 30 minutes scrubbing packet data to remove the <span class="blsp-spelling-corrected" id="SPELLING_ERROR_1">aforementioned</span> base64 encoded password to send to your abuse@ e-mail in hopes that somebody would read it. So I ask you please to make sure that your ARIN information is correct and that somebody can actually get a hold of you when they need to.<br /><br />Regards,<br /><br />Will<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5443343931811641298-6367465801060671810?l=node5.blogspot.com' alt='' /></div>Will Metcalfhttp://www.blogger.com/profile/01336462559928749756noreply@blogger.com0tag:blogger.com,1999:blog-5443343931811641298.post-8676242341198921982007-10-15T09:59:00.000-07:002007-10-16T14:15:43.196-07:00I wanted to get the msg from a snort alert into the subject line of e-mails generated by swatch. This script will parse a sid-msg.map and will output a swatch config. Yes the code is crap, and swatch eats up about 125meg with the full VRT and bleeding rulesets, but to me it's worth it. Also swatch seems to blow up if there is a # in the watchfor section of the config so those rules are skipped currently it is only skipping two bleeding MoBB rules. If anybody has a better way to do this, or knows of a different tool, I would be very interested to hear from you ;-)<br /><br />die("Usage: &lt;swatchbuilder.pl&gt; \n") unless(@ARGV);<br />foreach $file (@ARGV) {<br /><br />open(SIDMSGMAP, $file) or die( "Cannot open file: $file\n" );<br />while(&lt;SIDMSGMAP&gt;) {<br />my @line= split(/\|\|/,$_);<br />#clean up sid<br />$line[0] =~ s/\r?\n//;<br />$line[0] =~ s/^\s+//;<br />$line[0] =~ s/\s+$//;<br />#clean up msg<br />$line[1] =~ s/\r?\n//;<br />$line[1] =~ s/^\s+//;<br />$line[1] =~ s/\s+$//;<br />$line[1] =~ s/([\@\/\+\&amp;;\`'\\\|"-*?#!~<>^\(\)\[\]\{\}\$\n\r])/\\$1/g;<br />#wtf? can swatch not deal with escaped #<br />if($line[1] =~ m/#/)<br />{<br />print "\#badsid $line[0] skipping\n";<br />}<br />else<br />{<br />print "watchfor = \/$line[1]\/\n";<br />print "mail=user1\@somwhere.com:user2\@somewhere.com,subject=IDS Alarm --$line[1]--\n";<br />}<br />}<br />close(SIDMSGMAP);<br />}<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5443343931811641298-867624234119892198?l=node5.blogspot.com' alt='' /></div>Will Metcalfhttp://www.blogger.com/profile/01336462559928749756noreply@blogger.com0tag:blogger.com,1999:blog-5443343931811641298.post-81985894728430378322007-08-31T14:14:00.000-07:002007-10-08T19:54:09.489-07:00<div>Part of my job is to watch our organizations IDS/IPS sensors and respond to alerts. If you know who I am, I don't think that it will come as a surprise to you that we use snort to monitor our little corner of the metaverse.<br /><br />A problem I was continuously running into when investigating alarms generated with snort as with almost any IDS/IPS is that often times all you have to work with is payload from the single packet that triggered the alarm and maybe logs on a server. I realize that if you configure a snort rule to do so, you can tag other interesting traffic from a would-be attacker after an alarm has fired. <a href="http://sguil.sourceforge.net/">Sguil</a> provides a means for extracting an entire session based on the packet that generated the alarm via log_packets.sh. You can also use <a href="http://sguil.sourceforge.net/">sguil</a> to extract individual sessions not generated by an alert if you are logging with <a href="http://www.metre.net/sancp.html">sancp</a>.<br /><br />While this is fine it lacked some features that I really desired such as the output generated by <a href="http://www.honeynet.org/tools/honeysnap/">honeysnap</a> , <a href="http://afterglow.sourceforge.net/">afterglow</a>, <a href="http://qosient.com/argus/">argus</a> , etc. The other issue that I ran into is that even though I was performing full packet capture, tools such as ethereal and tcpdump don't support wildcard 's so if you have directory with 100 1 gig pcaps and you want to extract all traffic to/from an attacker out of these pcaps you are shit out of luck unless you pass your bpf to tcpdump one pcap at a time. The first iteration of parsep was to search every pcap that matched a given a wild card for traffic from a specified ip address /netmask, save the data to a temp file and then put it all back together into one uber-pcap using mergecap for analysis. This was fine if you only have to parse a couple of gigs of pcaps, but obviously does not scale well to a couple hundred gigs of pcaps. The latest iteration that I'm releasing optionally uses session data from argus based on time to determine in what pcaps traffic from our attacker resides. So instead of having to parse 200 gigs of pcaps you may only have to parse 1 gig of session data and based on it's output parse only the 10 1 gig pcaps that actually contain data from the attacker. Hmmm that is a really horrible description, how about we just get to some examples.<br /><br /><span style="font-size:78%;">Usage: parsep-extend-range.pl &lt;ip addy 2 find&gt; &lt;netmask&gt; argus &lt;last x number of files 2 search or 0 for all matching argusfilemask&gt; &lt;path to argus file&gt; pcap &lt;last x number of files 2 search or 0 for all matching pcapfilemask&gt; &lt;pcapfilemask&gt;</span><br /><br /><span style="font-size:78%;">Example: perl parsep-extend-range.pl 127.0.0.1 32 argus 0 /var/log/sessiondata/argusfile.* pcap 0 /var/log/fullcap/daemonlogger.*<br /></span><span style="font-size:78%;"></span></div><br /><br /><span style="font-size:78%;">./parsep-extend-range.pl 127.0.0.1 32 argus 2 /var/log/sessiondata/argusoutput.* pcap 0 /var/log/fullcap/daemonlogger.*<br /><br />removed /var/log/sessiondata/argusoutput.ra.5 from argus search list<br />removed /var/log/sessiondata/argusoutput.ra.4 from argus search list<br />removed /var/log/sessiondata/argusoutput.ra.3 from argus search list<br />removed /var/log/sessiondata/argusoutput.ra.2 from argus search list<br />removed 4 argus files out of 6 so that only last 2 remain<br />argusfile here is /var/log/sessiondata/argusoutput.ra.1 /var/log/sessiondata/argusoutput.ra<br />making dir to store data<br />not removing any files from pcap filemask array<br />finding proper pcaps from argus session data in file /var/log/sessiondata/argusoutput.ra.1<br />finding proper pcaps from argus session data in file /var/log/sessiondata/argusoutput.ra<br />file list before dup removal<br />putting file /var/log/fullcap/daemonlogger.pcap.1190640570 into new file array<br />putting file /var/log/fullcap/daemonlogger.pcap.1190640570 into new file array<br />putting file /var/log/fullcap/daemonlogger.pcap.1190640570 into new file array<br />putting file /var/log/fullcap/daemonlogger.pcap.1190640570 into new file array<br />putting file /var/log/fullcap/daemonlogger.pcap.1190647914 into new file array<br />putting file /var/log/fullcap/daemonlogger.pcap.1190647914 into new file array<br />putting file /var/log/fullcap/daemonlogger.pcap.1190647914 into new file array<br />putting file /var/log/fullcap/daemonlogger.pcap.1190647914 into new file array<br />putting file /var/log/fullcap/daemonlogger.pcap.1190647914 into new file array<br />putting file /var/log/fullcap/daemonlogger.pcap.1190648607 into new file array<br />revised file list<br />/var/log/fullcap/daemonlogger.pcap.1190640570<br />/var/log/fullcap/daemonlogger.pcap.1190647914<br />/var/log/fullcap/daemonlogger.pcap.1190648607<br />searching for 127.0.0.1/32 in file /var/log/fullcap/daemonlogger.pcap.1190640570<br />reading from file /var/log/fullcap/daemonlogger.pcap.1190640570, link-type EN10MB (Ethernet)<br />searching for 127.0.0.1/32 in file /var/log/fullcap/daemonlogger.pcap.1190647914<br />reading from file /var/log/fullcap/daemonlogger.pcap.1190647914, link-type EN10MB (Ethernet)<br />searching for 127.0.0.1/32 in file /var/log/fullcap/daemonlogger.pcap.1190648607<br />reading from file /var/log/fullcap/daemonlogger.pcap.1190648607, link-type EN10MB (Ethernet)<br />merging pcaps<br />generating connection graph using afterglow<br />reading from file 127.0.0.11190681713/127.0.0.1.pcap, link-type EN10MB (Ethernet)<br />No property file specified, using default settings.<br />Not a color:<br />generating argus file from merged pcap<br />outputing session data to text file<br />exporting tcpflowdata<br />generating honeysnap data<br />creating tarball 127.0.0.11190681713.tgz<br />removing temp data<br />we got you now sucka<br /><br /><span style="font-size:100%;">In the example above we are storing about five day's of session data with <a href="http://qosient.com/argus/">arg</a></span></span><span style="font-size:100%;"><a href="http://qosient.com/argus/">us</a> and 200 gigs of pcaps using <a href="http://www.snort.org/users/roesch/Site/Daemonlogger.html">daemonlogger</a>. I know that it is dumb but the script requires that full pcaps have a filename of something.something.date for example </span><span style="font-size:100%;">daemonlogger.pcap.1190647914 The script I use for daemonlogger is included below<br /><br /><span style="font-size:78%;">#!/bin/sh<br />. /etc/init.d/functions<br />case "$1" in<br />start)<br /> echo -n "Starting daemonlogger: "<br /> /usr/local/bin/daemonlogger -r -d -i br0 -l /var/log/fullcap/ -m 200 -S 1515<br /> touch /var/lock/daemonlogger<br /> sleep 3<br /> echo<br /> ;;<br />stop)<br /> echo -n "Stopping daemonlogger: "<br /> killproc daemonlogger<br /> rm -f /var/lock/daemonlogger<br /> echo<br /> ;;<br />restart)<br /> $0 stop<br /> $0 start<br /> ;;<br />status)<br /> status daemonlogger<br /> ;;<br />*)<br /> echo "Usage: $0 {start|stop|restart|status}"<br /> exit 1<br />esac<br /><br />exit 0<br /></span><br />The script I use for argus is below along with the logrotate file. I use this because argus doesn't have any sort of built-in ringbuffer functionality like daemonlogger or tshark. Because the logrotate file causes our older session data to be added first to the array, we flip the array to cause new session data to be moved to the front of the array.<br /><br /><span style="font-size:78%;">#!/bin/sh<br />. /etc/init.d/functions<br />case "$1" in<br />start)<br /> echo -n "Starting argus: "<br /> /usr/local/sbin/argus -d -p -c -J -w /var/log/sessiondata/argusoutput.ra -i br0<br /> touch /var/lock/argus<br /> sleep 3<br /> echo<br /> ;;<br />stop)<br /> echo -n "Stopping argus: "<br /> kill `cat /var/run/argus.pid`<br /> echo<br /> ;;<br />restart)<br /> $0 stop<br /> $0 start<br /> ;;<br />status)<br /> status argus<br /> ;;<br />*)<br /> echo "Usage: $0 {start|stop|restart|status}"<br /> exit 1<br />esac<br /><br />exit 0<br /><br /><span style="font-size:100%;">Logrotate file</span><br /><br />/var/log/sessiondata/argusoutput.ra<br />{<br /> rotate 5<br /> missingok<br /> nocompress<br /> daily<br /> postrotate<br /> /etc/init.d/argusd restart >/dev/null 2&amp;>1<br /> endscript<br />}<br /><br /><span style="font-size:100%;">I hope somebody finds this useful ;-), If not, oh well it is useful to me. If you look at the script you can see how easy it is to add support for almost any tool that you want to run the merged pcap through. If you don't understand the importance of collecting full content captures along with session data I suggest that you pickup one or all of </span></span><a href="http://taosecurity.blogspot.com/">Richard Bejtlich's</a> books on NSM. </span><span style="font-size:100%;"><span style="font-size:78%;"><span style="font-size:100%;"><br /></span><br /><span style="font-size:100%;">Matt Jonkman of bleedingthreats.net was kind enough to host the script for me. He is truly a king among men ;-)....<br /></span></span></span><span class="down" style="display: block;" id="formatbar_CreateLink" title="Link" onmouseover="ButtonHoverOn(this);" onmouseout="ButtonHoverOff(this);" onmouseup="" onmousedown="CheckFormatting(event);FormatbarButton('richeditorframe', this, 8);ButtonMouseDown(this);"></span><br />download<br /><span style="font-size:100%;"><span style="font-size:78%;"><span style="font-size:100%;"><a href="http://doc.bleedingthreats.net/bin/viewfile/Main/PcapParser?rev=1;filename=parsep-extend-range.pl.bz2"> parsep-extend-range.pl.bz2</a><br /></span></span></span><span style="font-size:100%;"><span style="font-size:78%;"><span style="font-size:100%;"><br /></span></span></span><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5443343931811641298-8198589472843037832?l=node5.blogspot.com' alt='' /></div>Will Metcalfhttp://www.blogger.com/profile/01336462559928749756noreply@blogger.com2tag:blogger.com,1999:blog-5443343931811641298.post-11195480764209130812007-08-30T15:53:00.000-07:002007-08-30T15:56:29.829-07:00I created this blog because Victor <span class="blsp-spelling-error" id="SPELLING_ERROR_0">Julien</span> (www.inliniac.net) wouldn't leave me alone, and for some reason thinks that I have something to contribute to the <span class="blsp-spelling-error" id="SPELLING_ERROR_1">INFOSEC</span> community.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5443343931811641298-1119548076420913081?l=node5.blogspot.com' alt='' /></div>Will Metcalfhttp://www.blogger.com/profile/01336462559928749756noreply@blogger.com1