
Wednesday, December 8, 2010

Snort 2.9.0.2 on FreeBSD i386 the easy way!

This is a quick posting to help you get Snort 2.9.0.x up and running on your FreeBSD!

I can't make it much easier than this, I have created new ports for Snort 2.9.0.2 and DAQ 0.4 (and subsequently packages) that you can install directly.  The ports are submitted so look for the following in your ports tree:

updated: /usr/ports/security/snort
new: /usr/ports/security/daq


Components required:
  • Fresh FreeBSD Install
    • Minimal (i386)
  • Access to the internet from said BSD boxen
  • Basic knowledge of Snort

Once you have the above handled, you can issue the following command:
$ pkg_add -r http://www.rootedyour.com/enhanced/snort/snort-2.9.0.2.tbz

Output from the command on a freshly installed FreeBSD Minimal system:
$ pkg_add -r http://www.rootedyour.com/enhanced/snort/snort-2.9.0.2.tbz
Fetching http://www.rootedyour.com/enhanced/snort/snort-2.9.0.2.tbz... Done.
Fetching http://www.rootedyour.com/enhanced/All/libpcap-1.1.1.tbz... Done.
Fetching http://www.rootedyour.com/enhanced/All/libdnet-1.11_3.tbz... Done.
Fetching http://www.rootedyour.com/enhanced/All/daq-0.4.tbz... Done.

Some checksums for your reviewing pleasure:
The above packages were built with the following configuration options: --enable-dynamicplugin --enable-flexresp3 --enable-ipv6 --enable-gre --enable-targetbased --enable-decoder-preprocessor-rules --enable-zlib --enable-reload --enable-active-response --enable-normalizer --enable-react --enable-perfprofiling

I will likely be updating the ports / packages, so keep an eye out!

JJC

Monday, March 23, 2009

InProtect 1.00.0 Beta_2 VMWare Image

Given recent developments that the team has made on the InProtect project and the many emails that I see floating about on the lists, I decided to create a VMware image of an "almost" fully functioning InProtect installation. I say "almost" because, of course, like the LiveUSB that I released some time ago, I can't put the latest version of Nessus on the VM due to licensing restrictions imposed by Tenable. Note that I did not include greatly detailed instructions on the use of InProtect, I may do this later but haven't the time right now.

Please try to remember that this is a BETA, and as such may not be fully functional... if you find bugs or the like, please feel free to file them at the sf site or hit us up!

So, the quick and dirty of it is that all you will need to do is go to the Nessus website and download the latest Nessus tarball from them, upload it to the VM (scp), install it (pkg_add), start it, register it and run the /opt/Inprotect/sbin/updateplugins_1.00.pl script! Whew, that was one long run-on sentence! For everything to match up, create a user "inprotect" with password "inprotect" in your Nessus daemon. Once you have completed the aforementioned steps, you are all set and should be able to scan. Note that if you want to scan outside of the VM, you will need to modify the configuration of the interface to be bridged, etc. The interface is set for DHCP and everything will start up just fine with any address that you assign it or that it receives.


You will also need to throw the jpgraph stuff in /opt/Inprotect/html if you want the nifty graphs to work... but I'll probably speak more to this in an upcoming post.

I essentially used the install script to install in /opt/Inprotect on, you guessed it, FreeBSD 7.1R but of course had to make a few minor adjustments (it's not always 100% out of the gate) to get everything working together. That being said, you can probably do the same on your own distro.

Some important info that you will (or may) need, i.e. username/password/medium:

inprotect/inprotect/shell
root/root/console
root/root/mysql
admin/password/inprotect web interface

phpMyAdmin is installed: http://ipofyourvm/phpmyadmin/ for your mysqling pleasure.

To access InProtect simply browse to the ip of your VM: http://ipofyourvm

If you want nmap, build it from ports: /usr/ports/security/nmap

Get the VMWare Image Here
MD5
SHA256

Cheers,
JJC

Monday, October 6, 2008

HeX 2.0R Released!

After much ado, HeX 2.0R is out... the improvements are numerous and include:


1. FreeBSD 7 Stable
2. Unionfs
3. NSM Console updates
4. Tons of analysis alias and scripts
5. Tons of NSM tools' signatures
6. Firefox - Useful websites bookmark
7. Liferea - Security rss feeds


For more info: http://us.rawpacket.org

Thanks to the rest of the HeX team for diligent and hard work on this.... more to come!

J

Wednesday, March 19, 2008

FreeBSD USB Booting Issues (BTX)

Since we have been building LiveUSB tools that were based on FreeBSD there has historically been an issue with several makes of laptop/hardware on boot. This problem has manifested in many ways but always yields the same result; a non-working LiveUSB tool for the system owner. This problem had to do with the BTX Loader not playing well with the specific hardware in question and not loading/running properly via USB.

The good news is that recently a patch was released that should rectify this issue! I will be applying this patch to all FreeBSD based LiveUSB releases going forward. Thanks for all of the community feedback and support on all of this.

For those that may be curious, here is the patch: http://people.freebsd.org/~jhb/patches/btx_real.patch. Moving forward (post 7.0R) all releases will be patched from the FreeBSD folks directly.

Cheers,
JJC

Monday, March 17, 2008

HeX 1.0.3 LiveUSB Final (Bug Fixes)

I just finished the bugfix version of the HeX 1.0.3 Live (CNY Release) image.

You can get it (in torrent form) from the Security Torrent Depot at http://www.redsphereglobal.com:88/torrent.html?info_hash=77f31dbc8d641500530760e62f17d1a08e433b96 or you can get it from the below direct download site.

USA Site
MD5 (HeX-i386-1.0.3-final-usb.img.gz) = 5fb1498b3437fada0b38602324d8f5e0

Usage instructions are simple:

dd if=/path/to/HeX-i386-1.0.3-final-usb.img of=/path/to/usbstick/device bs=1M

Look for the new HeX 2.0 to be out soon, all based on FreeBSD 7.0R!

Note that some USB sticks are smaller than others (even if labelled "2G"). If dd reports that it ran out of space while writing the image, this is OK and your HeX LiveUSB will still work fine.

Cheers,
JJC

Friday, February 29, 2008

FreeBSD 7.0 Released

I am pleased to announce (a few days late) that FreeBSD 7.0R has been released as of Feb 27, 2008! More info here on the release.

You might (I hope not) wonder why this is exciting? Really, aside from the dramatic and significant enhancements to the overall functionality and stability of the operating system, it means that several OSS projects will be moving forward with new development work based on the 7.0 Release. Specifically, we will now begin work on HeX 2.0 with new nifty features to suit your packet loving needs! I also suspect that we will see some additional traction from the freesbie folks.

Further, I will be releasing a new version of the InProtect LiveUSB that will be based on FreeBSD 7.0 Release as soon as the build finishes!

Tuesday, February 19, 2008

InProtect LiveUSB 0.80.3 Beta!

Though the InProtect project has not made a large number of public postings lately (beta releases and the like...) we have been quite busy. We will soon be releasing a tarball of the latest 0.80.3RC1. That is not, however, the purpose of this article but rather I am releasing a liveUSB image that is an entirely self-contained and functioning installation of InProtect on a FreeBSD 6.3-Current system.

I came up with the idea to create the InProtect LiveUSB when someone requested that I build one for another project that I am an active member of (HeX). Unfortunately it has taken me several months to get the time put together to actually build this tool. Having said that, I am quite pleased with the outcome and functionality of the tool. Placing this tool onto a USB thumb drive gives the user extreme versatility from the perspective of security. Obviously the nature of a USB thumb drive is not terribly secure; we can put them in our pocket and have them fall out in a parking lot where anyone could conceivably pick it up and snag the data off of it and multiple other scenarios. I am more talking about the security of the location or client that may have a sensitive environment with sensitive data and the like. In this scenario the USB device could be taken in and left with the organization, post scan, that has such sensitive data. Again though, the primary purpose of this build is to allow for a solid demo of the InProtect system.

As I said earlier, the system was built using FreeBSD 6.3-Current; on top of this I built fluxbox (and several applications such as firefox), mysql51, apache22, php5 and several perl modules that are InProtect dependencies. I manually configured all of the components to work with InProtect, as the installer currently does not work on FreeBSD, though I am in the process of building a port. In short, and as stated earlier, this is a fully functional InProtect scanner with a few things that need to be completed by the end-user: the Nessus 3.0.x install and the jpgraph for php5 install.

The Nessus and jpgraph items are not included in this image due to their licensing restrictions (not GPL). It is for this reason they must be manually installed.

First you will need to download the InProtect LiveUSB 0.80.3 image here:

http://www.redsphereglobal.com/data/tools/security/live/inprotect-i386-0.80.3-beta.usb.img.gz
MD5 (inprotect-i386-0.80.3-beta.usb.img.gz) = 605a5b20d754ea7e6305922695f301ba
SHA256 (inprotect-i386-0.80.3-beta.usb.img.gz) = 1d562d17db0ef4e3afefcca18fd40932b7faecdddd673910c3ad11a4aab4434b

After obtaining the image and gunzipping it you will want to use dd to write it to a 2G or larger USB thumb drive. NOTE that you want to write it to the device itself and NOT to a specific partition on the device. Also, if you didn't figure it out... this will overwrite anything that you may currently have on your thumb drive.
dd if=/path/to/foo/inprotect-i386-0.80.3-beta.usb.img of=/dev/da0 bs=1M
Your output file path may be different than /dev/da0 (this is mine on a freebsd boxen). The key is that you are writing directly to the device address and NOT to a partition, that will NOT work. Assuming that you have a thumb drive and computer capable of USB2.0 this process should take around 10 minutes to write all of the data.

At this point you should be able to boot from your new shiny LiveUSB thumbdrive. The initial login details are simple (these ARE case sensitive so pay attention!):
Username: InProtect
Password: inprotect
Once logged in, type startx to get into fluxbox. From here, if you are not familiar, I suggest playing around just a little bit. A few tips: this isn't windoze, you access the main menu in fluxbox by right clicking anywhere on the desktop. The image to the right shows the menu of the InProtect LiveUSB. The highlighted option will take you to the Nessus and jpgraph installation instructions.

Even before you install Nessus or jpgraph you will be able to login to the local instance of InProtect by selecting the InProtect menu option as displayed below. Once you have selected the InProtect menu item, you will be able to use admin / admin for the login and password to access the local instance of InProtect.

Note that until you install Nessus you will not be able to run any scans.

In this image I have already created a default scan zone and default scanner so that once Nessus is installed and the Nessus user created, as noted in the instructions contained on the image, the system is fully functional and scans can be immediately created and executed.

As always please feel free to contact me or leave any comments, criticisms, suggestions or otherwise that you might have.

Cheers,
JJC

Friday, February 15, 2008

HeX 1.0.3 LiveUSB (CNY Release)

After much ado, here it is! Instructions for usage are quite simple: dd it to your USB thumb drive (the drive, not a partition, or it will NOT work). This image includes all of the same features as our mainline HeX 1.0.3 release but is on USB, not CD; the filesystem is therefore also writable. You will need a minimum of a 2G Thumb Drive or Memory Stick to write this. I say "Memory Stick" because I have heard rumor of some people using SD rather than USB Thumb Drives to use this tool.

So for example on my freebsd system I would dd as follows:

dd if=/path/to/foo/hex-i386-1.0.3.usb.img of=/dev/da0 bs=1M

The command is simple: if is the input file, of is the output file (in this case the da0 device), and bs=1M sets the block size to 1 MB, which helps speed up the write process.

Downloads:
USA Site (521MB)
USA MD5 Verification
USA SHA256 Verification

Malaysia Mirrors to be populated soon, I'll post them when they are.

Cheers,
JJC

Thursday, February 14, 2008

HeX 1.0.3, the CNY Release

I am pleased to announce the release of HeX 1.0.3, release info is below. Thanks to the entire development team for their dedication and hard work. This release has been dubbed the CNY, or Chinese New Year release.

With the recent release of FreeBSD 7.0 RC2, we anticipate an actual 7.0 release in the near future. When the Release version of 7.0 becomes available we will begin working on the new HeX 2.0 project.

Get HeX 1.0.3 Here:
US Mirrors:
https://secure.redsphereglobal.com/data/tools/security/live/hex-i386-1.0.3.iso
https://secure.redsphereglobal.com/data/tools/security/live/hex-i386-1.0.3.iso.md5
https://secure.redsphereglobal.com/data/tools/security/live/hex-i386-1.0.3.iso.sha256

Malaysia Mirrors:
http://bsd.ipv6.la/hex-i386-1.0.3.iso
http://bsd.ipv6.la/hex-i386-1.0.3.iso.md5
http://bsd.ipv6.la/hex-i386-1.0.3.iso.sha256

Fixed:
- pkg_info works after installation
- ping works without sudo
- procfs is correctly mounted on /proc at boot

Upgraded:
1. NSM Console 0.6-DEVEL
Features:
- 'dump' command added, you can now dump packet payloads into a binary file for later analysis
- Significant speedups in the harimau module and 'checkip' command if wget is installed
- tcpxtract configuration file changed to extract more types of files
- Added foremost module
- Added clamscan module (Thanks JohnQPublic)
- Argus and tcptrace have reverse dns turned off by default now, it was causing the module to hang for extremely large pcap files. Can be switched on by changing the module options
- rot13 encoding and decoding added :)
Bugfixes:
- alias command
- urlescape (en|de)coding
- file existence check
- many other things
All the other enhancements, bugfixes and additions since the 0.2 release (there have been many!)

New Application Packages:
- xplot
- uni2ascii
- vnc
- vsftpd
- samplicator
- sflowtool
- pmacct
- ming
- ploticus
- tcpick
- bvi
- elinks
- feh
- tftpgrab
- arpwatch

Misc:
- New wallpapers with different color schemes

The LiveUSB image will be out shortly, it is undergoing a quick regression test currently.

Cheers,
JJC

Monday, February 4, 2008

HeX and NSM-Console Writeup in ISSA Journal

Russ McRee has written a nice piece about the HeX Live project and the included NSM-Console in his 'toolsmith' section of the ISSA Journal. This 3.5 page writeup has clearly captured our intent behind HeX and the NSM-Console created by Mathew Lee Hinman.

If you are not an ISSA subscriber, you can access the writeup at Russ McRee's column or here in the form of pdf.

I would like to thank the community for their continued support and feedback on this project.

Cheers,
JJC

Monday, January 7, 2008

Tuesday, December 18, 2007

Ubuntu Bashing Continued

It has been a while since I upgraded and subsequently wrote about my experience of upgrading Ubuntu 7.04 to Ubuntu 7.10. I gave Ubuntu 7.10 the good old college try, but have to report that I am now back to my FreeBSD Laptop.

The primary issues that I had with Ubuntu 7.10 had to deal with wireless networking. The connection speed would never exceed 23mbps and even when the driver stated that it was connected at 23mbps I could not achieve throughput of more than 5mbps, even with the laptop sitting 5' from the AP. The second, and most irritating, issue with the wireless networking setup of Ubuntu 7.10 was the consistent disconnects and intermittent reconnects. Often it would not reconnect and I would have to reboot and piss with it for 30 minutes before it would inexplicably reconnect. Of course this started to remind me of M$ reboots and I had to immediately remediate the situation with ufs and FreeBSD!


At first I thought that this was potentially related to the Broadcom 43XX chipset in the test laptop. I then tested with different Intel (non proprietary) wireless cards and different APs. An additional reason that I tested with different access points was due to the range limitation that I was experiencing with Ubuntu 7.10. I was only able to get to roughly 30' from the AP before I would lose signal.

The combination of these three wireless issues, in addition to the upgrade pain, led me to flatten the system and slap FreeBSD 6.2 REL onto it. That said, I am now back into my comfort zone of *BSD. I will also say that I have loaded the Broadcom 43xx windows driver using ndis and that I now have full 54mbps connectivity and a range of greater than 50' from the same APs that I had less than 30' with Ubuntu 7.10.

So, to conclude and finish this mild rant, I think that the new Ubuntu 7.10 is a decent distro overall "for the click brigade" but I also think that more time should have been put into the guts as opposed to the shininess of the whole thing. Of course, if you read some of my previous postings about the shininess setup issues that I experienced out of the box with Ubuntu 7.10....then perhaps they should have put more time into that as well.

Previous articles:
Ubuntu 7.04 to 7.10 Upgrade Notes Pt. 1
Ubuntu Upgrade to 7.10 Strike 2
Ubuntu Upgrade....or not (with compiz)

Cheers,
JJC

Monday, December 10, 2007

managing snort rulesets cont...

I need to amend my previous posting about the usage of Oinkmaster to automate and manage your Snort rules. I had added in the simple script a command that updates the sid-msg.map in a fairly unclean way. There is, in fact, included within the /contrib of Oinkmaster a nifty little script called create-sidmap.pl. This script reads all of the rules from the rules path that you specify and generates sid-msg.map output that can be redirected into a clean sid-msg.map file.

The location in my original posting that should be changed is highlighted here:
secure2# vi /usr/local/bin/autooinkall.sh
#! /bin/sh
#
# simple script to run oinkmaster and obtain bleeding threat updates
# in addition to the regular snort.org updates
#
/usr/local/bin/oinkmaster -o /usr/local/etc/snort/rules/
/usr/local/bin/oinkmaster -C /usr/local/etc/oinkmaster-bleeding.conf -o /usr/local/etc/snort/rules/
cat /usr/local/etc/snort/rules/bleeding-sid-msg.map >> /usr/local/etc/snort/rules/sid-msg.map
/bin/kill -HUP `cat /var/run/snort_em1.pid`
/bin/kill -HUP `cat /var/run/by.pid`
This should be changed to /path/to/your/create-sidmap.pl /path/to/rules/ > /usr/local/etc/snort/rules/sid-msg.map so that the whole thing looks like the following:
secure2# vi /usr/local/bin/autooinkall.sh
#! /bin/sh
#
# simple script to run oinkmaster and obtain bleeding threat updates
# in addition to the regular snort.org updates
#
/usr/local/bin/oinkmaster -o /usr/local/etc/snort/rules/
/usr/local/bin/oinkmaster -C /usr/local/etc/oinkmaster-bleeding.conf -o /usr/local/etc/snort/rules/
/usr/local/bin/create-sidmap.pl /usr/local/etc/snort/rules > /usr/local/etc/snort/rules/sid-msg.map
/bin/kill -HUP `cat /var/run/snort_em1.pid`
/bin/kill -HUP `cat /var/run/by.pid`
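As an added example (not the author's autooinkall.sh), here is a hardened version of the same update run: it rebuilds sid-msg.map itself (a shell equivalent of what create-sidmap.pl does), writes it through a temp file so a half-written map never replaces the good one, stops if either oinkmaster run fails, and only HUPs a daemon whose pid file holds a live pid. The rules path, config path and pid files mirror the post; the two rule files in demo_sidmap are constructed for illustration.

```shell
#!/bin/sh
# Added example, not the author's script. Paths mirror the post above.
set -u

RULES_DIR=/usr/local/etc/snort/rules
SIDMAP="$RULES_DIR/sid-msg.map"
BLEEDING_CONF=/usr/local/etc/oinkmaster-bleeding.conf

# build_sidmap RULES_DIR OUTFILE
# Emit "sid || msg" for every active rule in RULES_DIR/*.rules, sorted by sid.
# Commented-out rules are skipped; reference fields are not included.
build_sidmap() {
    rules_dir=$1
    outfile=$2
    tmp="$outfile.tmp.$$"
    cat "$rules_dir"/*.rules 2>/dev/null \
      | grep -E '^[[:space:]]*(alert|log|pass|drop|reject|sdrop)[[:space:]]' \
      | sed -n -E 's/.*msg:[[:space:]]*"([^"]*)".*sid:[[:space:]]*([0-9]+).*/\2 || \1/p' \
      | sort -n -u > "$tmp" || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$outfile"
}

# safe_hup PIDFILE
# The original kill -HUP `cat file` runs kill with no pid when the file is
# missing; check the file, its contents and the process before signalling.
safe_hup() {
    pidfile=$1
    [ -r "$pidfile" ] || { echo "no pid file: $pidfile" >&2; return 1; }
    pid=$(tr -cd '0-9' < "$pidfile")
    [ -n "$pid" ] || { echo "empty pid file: $pidfile" >&2; return 1; }
    kill -0 "$pid" 2>/dev/null || { echo "pid $pid not running" >&2; return 1; }
    kill -HUP "$pid"
}

# run_update: the full job. Nothing is reloaded if either oinkmaster run
# fails, so a bad or partial rule download never reaches the daemons.
run_update() {
    /usr/local/bin/oinkmaster -o "$RULES_DIR" || return 1
    /usr/local/bin/oinkmaster -C "$BLEEDING_CONF" -o "$RULES_DIR" || return 1
    build_sidmap "$RULES_DIR" "$SIDMAP" || return 1
    safe_hup /var/run/snort_em1.pid
    safe_hup /var/run/by.pid
}

# demo_sidmap: run build_sidmap over two small constructed rule files and
# print the resulting map, so the builder can be checked without Snort.
demo_sidmap() {
    d=$(mktemp -d) || return 1
    printf '%s\n' \
      'alert tcp any any -> any 22 (msg:"LOCAL ssh connection"; flow:to_server; sid:1000001; rev:1;)' \
      '# alert tcp any any -> any 23 (msg:"LOCAL telnet (disabled)"; sid:1000002; rev:1;)' \
      > "$d/local.rules"
    printf '%s\n' \
      'alert udp any any -> any 53 (msg:"BLEEDING-EDGE dns tunnel"; content:"|01 00|"; sid:2003000; rev:2;)' \
      > "$d/bleeding.rules"
    build_sidmap "$d" "$d/sid-msg.map" || { rm -rf "$d"; return 1; }
    cat "$d/sid-msg.map"
    rm -rf "$d"
}

# "run" performs the real update; "demo" exercises the map builder only.
case "${1:-}" in
    run)  run_update ;;
    demo) demo_sidmap ;;
esac
```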
Regards,
JJC

Monday, December 3, 2007

HeX 1.0.1R LiveUSB Image

After receiving numerous requests to create a HeX Live USB Key Image, I have completed it. This image includes all of the standard tools that you will find on HeX and is writable; so you can update things (signatures etc), make changes and so on.

To use this tool, simply download it from the below location, decompress it and use dd to place it onto your USB Key. If you are not familiar with the dd syntax it's quite simple really; dd if=/path/to/extracted/hex-i386-1.0.1.usb.img of=/dev/da0 (your USB device). Note, that you should not dd this to a mounted partition, it will not work. You need to dd onto a USB Key that you don't mind losing the data on, because this will overwrite everything on that key. You can create a small partition after the dd (this of course assumes that you know how to do this, leaving the existing partition in-place) and have that to write data to etc...

This image does require a minimum 2G key (actually uses 1.75G), and has no minimum memory requirements (other than standard fbsd and X requirements).

https://secure.redsphereglobal.com/data/tools/security/live/hex-i386-1.0.1.usb.img.gz
http://secure.redsphereglobal.com:8080/data/tools/security/live/hex-i386-1.0.1.usb.img.gz
MD5 (hex-i386-1.0.1.usb.img.gz) = cd7489ba0a2a1fe824d286c72eee6842
SHA256 (hex-i386-1.0.1.usb.img.gz) = ffbb428145e0184d3848e45afee0d10ba41a4d9177688db10befc943dd4058f5

Please test this out and let me know how it works for you, or let the entire team at rawpacket.org know.

Regards,
JJC

Monday, November 26, 2007

FreeBSD jabberd port mysql bug

As a quick post (esp since I have not been posting much lately) I recently ran into another issue with jabberd on freebsd. I say another, if you will remember a previous post concerning sasl - http://global-security.blogspot.com/2007/08/pidgin-on-linux-w-jabberd2-on.html.

This has more to do with cleaning up some of the errors that seem to exist in the mysql schema. Specifically, if you install jabberd2 from the ports tree "/usr/ports/net-im/jabberd" and configure it to use mysql as its storage engine, you will receive several errors in your stdout or log files (depending on your configuration). These errors are generated when a user's status changes, i.e. login, logout, away etc... I have included a quick snapshot of the errors below.

Nov 26 14:48:48 secure2 jabberd/sm[1629]: mysql: sql delete failed: Table 'jabberd2.status' doesn't exist
Nov 26 14:50:26 secure2 jabberd/sm[1629]: mysql: sql delete failed: Unknown column 'collection-owner' in 'where clause'
Nov 26 14:51:10 secure2 jabberd/sm[1629]: mysql: sql select failed: Unknown column 'object-sequence' in 'order clause'
Nov 26 14:51:10 secure2 jabberd/sm[1629]: mysql: sql insert failed: Unknown column 'status' in 'field list'
Nov 26 14:52:17 secure2 jabberd/sm[1629]: mysql: sql insert failed: Unknown column 'show' in 'field list'
Nov 26 14:52:58 secure2 jabberd/sm[1629]: mysql: sql insert failed: Unknown column 'last-login' in 'field list'
Nov 26 14:55:46 secure2 jabberd/sm[1629]: mysql: sql insert failed: Unknown column 'last-logout' in 'field list'
Nov 26 14:59:46 secure2 jabberd/c2s[1631]: [7] [192.168.1.2, port=3746] disconnect jid=user@test.com/Home, packets: 15
Nov 26 14:59:46 secure2 jabberd/sm[1629]: session ended: jid=user@test.com/Home
Nov 26 15:00:05 secure2 jabberd/c2s[1631]: [7] [192.168.1.2, port=3932] connect
Nov 26 15:00:05 secure2 jabberd/c2s[1631]: [7] SASL authentication succeeded: mechanism=DIGEST-MD5; authzid=user@test.com
Nov 26 15:00:05 secure2 jabberd/c2s[1631]: [7] bound: jid=user@test.com/Home
Nov 26 15:00:05 secure2 jabberd/c2s[1631]: [7] requesting session: jid=user@test.com/Home
Nov 26 15:00:05 secure2 jabberd/sm[1629]: session started: jid=user@test.com/Home
To remediate this, simply run the following against your jabberd2 mysql database:

CREATE TABLE `status` (
`collection-owner` varchar(256),
`object-sequence` bigint,
`status` text NOT NULL,
`show` text,
`last-login` int DEFAULT '0',
`last-logout` int DEFAULT '0',
PRIMARY KEY (`collection-owner`));
This will get ya going, I'm not gonna go into what's wrong with the script that is included in the jabberd2 install, I think that it's pretty straight forward.

Also note, I will try to post more regularly now but it's been a hectic few weeks for me (new job, family visiting etc...)

Cheers,
JJC

Monday, October 29, 2007

HeX-VA (Virtual Security Appliance)

I am pleased to announce the release of the HeX Virtual Appliance!

To facilitate quick and easy use of the tools that are built into the HeX Live CD, we have installed the Live CD on four Virtual Machines to create four Security Virtual Appliance Images. These images are intended to aid in the rapid deployment and usability of the HeX Live Toolkit and we are dubbing it HeX-VA. The images are designed for use with Parallels, Qemu, VMware and Virtualbox virtualization technologies. If you have any problems using these images or have any suggestions, please feel free to contact us or stop by #rawpacket on freenode.

Thanks to geek00l for the screenshots and continued hard work on this project! I have included the US Mirrors below for your downloading pleasure. If you are not US based, there are other Malaysian mirrors listed on the official rawpacket.org site under the Virtual Appliance project section.

HeX-Parallels | md5 | sha256
HeX-Qemu | md5 | sha256
HeX-VMware | md5 | sha256
HeX-Virtualbox | md5 | sha256

I'll be posting some detailed directions shortly on the usage of NTop and some specifics on tuning it for your environment (by request).

Cheers,
JJC

Screenshots of various HeX-VAs:
Friday, October 26, 2007

HeX 1.0.1 Release (Bug Fixes)

So, due to several flaws that people were experiencing with HeX 1.0R we are releasing an updated version (1.0.1). The fixes in this version include increased bootup speed; during the extraction and loading of the data into mfs /var, the IO process of several different system types was causing an apparent system hang, this has been resolved.

Another major issue that was occurring was with msfweb not loading properly or not functioning when loaded. It turns out that this was actually a firefox related issue; deleting ~/.mozilla/firefox and using the global Firefox configuration fixed the problem (note that this also fixed javascript issues in ntop and darkstat).

As geek00l says, we are "shamelessly" releasing this fixed version. As always please give it a roll and let us know if you experience any issues. You can report bugs using our Trac interface, the Mailing List or via IRC in #rawpacket on freenode.

Download URLs:
Cheers,
JJC

Tuesday, October 9, 2007

HeX Live Pending Release


For all of you anxious packet monkeys out there, the HeX LiveCD 1.0R will soon be available. We are running through extensive tests and bug fixing exercises right now, but anticipate releasing this new version within the next week. I'll post an update once released, as well as the standard US mirrors.

This project has also been gaining a good amount of momentum and continued community support. I would like to thank all involved, esp geek00l and chfl4gs_ (the core founders)!

If you want some additional information concerning this project, please check out www.rawpacket.org!

Cheers,
JJC

Friday, September 14, 2007

InProtect Update, It Lives!

Just to give a quick update about the InProtect project, it is up and alive again and we now have 12 people actively working on the project!

We are in the process of developing a roadmap and evaluating several forks to determine what should be used or adopted into the upcoming version.

As of the time of this post, we have established the team and decided that we will be converting to sourceforge's SVN repo rather than the CVS and have started evaluating the forks...some screenshots are attached below.

It's also been nice to see people continuing to use this tool and support it. If you get a free moment or need some assistance, please feel free to swing by #inprotect on irc.freenode.net and say hi.

[screenshot] Customizable Dashboard (thx Heath!)
[screenshot] Anti-aliased graphs!
[screenshot] Added reports and report sorting functionality

There are certainly more features that are in the works or have been added, but I won't steal the teams thunder. Please check back here or at the InProtect site http://inprotect.sourceforge.net regularly for updates.

Cheers,
JJC

Tuesday, September 11, 2007

Network Security Toolkit Pt 1 (using snort with barnyard, apache, mysql, php and BASE)

So, as the title implies this is the first in a multi-part series discussing a network security toolkit built on Open Source. The system that I am using to create this is FreeBSD 6.2 RELEASE. We will be building tools mostly from the ports tree, but a few are not yet ported, so we will manually install those as needed.

Assumptions:
  1. You have installed and somewhat adequately secured FreeBSD
  2. You have a basic knowledge of the FreeBSD OS and have network connectivity on this system
  3. If you don't know this / have your system setup, you know how to RTFM (Google)
  4. You have updated your ports tree prior to building this stuff

Ok, now that we have established the assumptions, let's go over the software that we are going to use for this implementation:


Requirements:
  1. Apache22 - Core webserver to serve up your base /usr/ports/www/apache22
  2. MySQL 50 - Database server to house your snort data /usr/ports/databases/mysql50-server/ (also -client and -scripts)
  3. php5 - php support for apache22 /usr/ports/lang/php5
  4. base - your snort alert and event viewing tool /usr/ports/security/base
  5. barnyard - the tool that takes the unified snort logs and puts them into your MySQL database /usr/ports/security/barnyard
  6. snort - your IDS engine /usr/ports/security/snort
  7. oinkmaster - snort rule updater /usr/ports/security/oinkmaster
Optional:
  • phpmyadmin a GUI tool to help you manage your MySQL databases /usr/ports/databases/phpmyadmin

Installation:


Apache22 - install and edit httpd.conf then start and test

secure2# cd /usr/ports/www/apache22 && make install clean
.
.
.
secure2# vi /usr/local/etc/apache22/httpd.conf
.
secure2# /usr/local/sbin/apachectl start
.
.
you should now be able to browse to http://ipofinstalledhost/ and receive the "It Works!" message.
MySQL 50 - install and set a password for root user
secure2# cd /usr/ports/databases/mysql50-server/ && make install clean
.
.
.
secure2# cd /usr/ports/databases/mysql50-scripts/ && make install clean
.
.
.
secure2# cd /usr/ports/databases/mysql50-client/ && make install clean
.
.
.
secure2# /usr/local/etc/rc.d/mysql-server start
secure2# mysqladmin -u root password "passwordwithoutquoteshere"
secure2# mysqladmin -u root -h localhost password "passwordwithoutquoteshere"
secure2# mysql -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 88965
Server version: 5.0.45-log FreeBSD port: mysql-server-5.0.45

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)

mysql>
php5 - install php5; be sure to select Apache when asked for configuration options!
secure2# cd /usr/ports/lang/php5 && make install clean
.
.
.
secure2# vi /usr/local/etc/apache22/httpd.conf
.
.# ensure that the following is in your httpd.conf
AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps
.
.
secure2# apachectl restart
BASE - install and prepare base for use
secure2# cd /usr/ports/security/base && make install clean
.#be sure to select MySQL support...PDF is optional
.
.
. #configure apache22 to serve base
secure2# vi /usr/local/etc/apache22/httpd.conf
.
##place this at the bottom of httpd.conf
Alias /base/ "/usr/local/www/base/"
##save
secure2# apachectl restart
chown -R www:www /usr/local/www/base/
mysql -u root -p
mysql> create database base_demo;
Query OK, 1 row affected (0.00 sec)
secure2# mysql -u root -p base_demo < /usr/local/www/base/sql/create_base_tbls_mysql.sql
Now that we have set up the previous components we can access BASE by browsing to http://ipofinstalledhost/base/ where you should see the following BASE configuration screen:


We will be going through this setup process in a bit, first we need to get snort with barnyard up and running.

snort - install and configure the system to use snort.
secure2# cd /usr/ports/security/snort/ && make install clean
#be sure to Enable MySQL support
.
#add tables to the database...
secure2# mysql -u root -p base_demo < /usr/local/share/examples/snort/create_mysql
#configure snort.conf
secure2# vi /usr/local/etc/snort/snort.conf
#modify this file as needed for your network....
.
#configure logging only for unified..i.e. the following lines
output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128
#I'll write more about tuning SNORT rules later, but for now this will get you started.
#before we can start snort to test, we will need to get the latest signatures using oinkmaster!
oinkmaster - magical snort rule updater?
secure2# cd /usr/ports/security/oinkmaster/ && make install clean
.
.
secure2# vi /usr/local/etc/oinkmaster.conf
#get your registration code from snort.org and plug it into the Snort 2.4 download url in the oinkmaster file....



barnyard - log unified snort output to database
secure2# cd /usr/ports/security/barnyard/ && make install clean
#be sure to Enable MySQL support
.
secure2# vi /usr/local/etc/barnyard.conf
#configure your barnyard to log the data..the following lines are important
# set the hostname (currently only used for the acid db output plugin)
config hostname: secure2
# set the interface name (currently only used for the acid db output plugin)
config interface: em1
# Converts data from the dp_log plugin into an approximation of Snort's
# "ASCII packet dump" mode. Argument:
output log_dump
# password database connect trash
output alert_acid_db: mysql, sensor_id 1, database base_demo, server 127.0.0.1, user root, password passwordhere
output log_acid_db: mysql, sensor_id 1, database base_demo, server 127.0.0.1, user root, password passwordhere detail full
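Before starting the daemons it is worth checking that the two halves of the pipeline actually agree: the `output log_unified: filename ...` line in snort.conf must name the file barnyard is told to read with `-f`, and the `user root` in the acid_db output lines above means barnyard's plaintext password is the MySQL root password. The following POSIX sh script is an added example (not part of the original post or of the snort/barnyard projects): it pulls those values out of a snort.conf and a barnyard.conf, reports a mismatch or a root database user, and runs against small config files constructed inline to mirror the lines shown in the post. The `snortdb` user name in the hardened sample is an assumption, not something the post creates.

```shell
#!/bin/sh
# Added example: sanity-check the snort -> barnyard -> MySQL configuration
# described in the post. Not code from the original post or projects.

# Print the filename from the first "output log_unified:" line of a snort.conf.
# $1 = path to snort.conf
snort_unified_logfile() {
    sed -n 's/^output log_unified:[[:space:]]*filename[[:space:]]*\([^,[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# Print the distinct database users named on barnyard's *_acid_db output lines.
# $1 = path to barnyard.conf
barnyard_db_users() {
    sed -n 's/^output [a-z]*_acid_db:.*[[:space:]]user[[:space:]]*\([^,[:space:]]*\).*/\1/p' "$1" | sort -u
}

# Return 0 when snort's unified log name matches barnyard's -f argument and
# barnyard does not authenticate as root; print findings and return 1 otherwise.
# $1 = snort.conf  $2 = barnyard.conf  $3 = file name given to barnyard -f
check_pipeline() {
    rc=0
    unified=$(snort_unified_logfile "$1")
    if [ -z "$unified" ]; then
        echo "FAIL: no 'output log_unified' line in $1; barnyard will have nothing to read"
        rc=1
    elif [ "$unified" != "$3" ]; then
        echo "FAIL: snort writes '$unified' but barnyard -f expects '$3'"
        rc=1
    fi
    for u in $(barnyard_db_users "$2"); do
        if [ "$u" = "root" ]; then
            echo "WARN: barnyard connects to MySQL as root; use a user limited to the BASE database"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample configs (same lines as the post shows) written to a temp dir.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

cat > "$tmp/snort.conf" <<'EOF'
output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128
EOF

cat > "$tmp/barnyard.conf" <<'EOF'
config hostname: secure2
config interface: em1
output log_dump
output alert_acid_db: mysql, sensor_id 1, database base_demo, server 127.0.0.1, user root, password passwordhere
output log_acid_db: mysql, sensor_id 1, database base_demo, server 127.0.0.1, user root, password passwordhere detail full
EOF

# Hardened variant: a dedicated, assumed "snortdb" MySQL user instead of root.
sed 's/user root,/user snortdb,/' "$tmp/barnyard.conf" > "$tmp/barnyard-hardened.conf"

echo "== post's configuration =="
if check_pipeline "$tmp/snort.conf" "$tmp/barnyard.conf" snort.log; then
    echo "OK"
else
    echo "Review the findings above before starting the daemons"
fi

echo "== hardened configuration =="
if check_pipeline "$tmp/snort.conf" "$tmp/barnyard-hardened.conf" snort.log; then
    echo "OK"
else
    echo "Review the findings above before starting the daemons"
fi
```

On a real box you would point the functions at /usr/local/etc/snort/snort.conf and /usr/local/etc/barnyard.conf and pass the same `-f` name you use on the barnyard command line; the check only reads the files and never touches the database.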


Putting it all together and starting it up.
secure2# oinkmaster -o /usr/local/etc/snort/rules/
secure2# /usr/local/bin/snort -c /usr/local/etc/snort/snort.conf -i em1 -u root -D > /dev/null -n
secure2# /usr/local/bin/barnyard -c /usr/local/etc/barnyard.conf -g /usr/local/etc/snort/gen-msg.map -s /usr/local/etc/snort/rules/sid-msg.map -d /var/log/snort/ -f snort.log -w /var/log/snort/barnyard.waldo -p /usr/local/etc/snort/rules/classification.config


Once all of this is done, your snort should be logging the unified data, and barnyard should be reading it and slapping it into your database.

Now, let's get back to our configuration for BASE. Browse to http://ipofinstalledhost/base/ and select the continue option. The next few screens are filled with the configuration options to connect you to the base database(s). Simply input the information for the db, dbuser, dbpass and you will be all set!

Congratulations, you now have a functioning SNORT install using barnyard, MySQL and BASE. I did not cover the install of phpmyadmin, but you should be able to Google it and figure it out...

I'll be following this post up with the addition of bleeding snort rules, how to properly tune your snort configuration, the use of SGUIL (TRUE NSM) and several other goodies relating to network security... so stay posted.

Cheers,
JJC