Monday, January 14, 2013

Game Console Hard Drives

Back in 2005, I bought an Xbox 360 that had a 20GB hard disk.  A few years after purchase, I bought a refurbished 120GB drive from Microcenter.com for $90...it was a nice upgrade.  I swapped out the little drive for the bigger one and continued to play my games (putting the 20GB drive in my parts bin...I never throw anything away when it comes to computer parts).

Later, the Xbox 360 experienced the Red Ring of Death (RRD).  I took it apart with the idea that maybe the CPU needed new thermal paste.  It did, as the old paste was pretty much done.  I removed the old and put on some new paste, but this didn't solve the issue.  I think by the time it experienced the RRD, the CPU was cooked.  So I bought a new hard drive.

I transferred my data from the old drive to the new drive and put the 120GB into the parts bin.

Around the RRD issue, the PS3 also died.  It was an original PS3 (80GB drive version).  The Blu-Ray stopped reading, which meant that I couldn't play any games, since it couldn't read disks.  We put the system to the side and bought a new one.  Well, maybe 2 months ago, I decided to trash the system (removed the drive for privacy reasons).  I've decided to keep the drive.

So, I've three (3) hard drives from 3 different gaming systems.  The 20GB is probably next to useless, but I'll probably end up using it somewhere (somehow).  I might be able to use the 160GB drive (a WD unit) in my Macbook, since it only has an 80GB drive and I keep maxing it out.  Or, I can use it as a backup drive instead.  Same with the 80GB Seagate that was in the PS3.

Now, did you see what I just stated?  Did you notice that I stated in the first paragraph that the Xbox 360 had a 120GB drive and in the paragraph above, I stated that it was a 160GB drive?  Well, surprise.  I opened the HDD case, which was labeled "120GB HDD", and found that the drive is actually 160GB in size!  It has model WD16000BEVT on the label, and a big "160GB" in bold.

I just need to find out which cabling I need to turn these into external drives, which means I'll need some external HDD cases, as well.

I love my toys.  :)

Friday, January 11, 2013

Apple Disables Java

http://mac-security.blogspot.com/2013/01/apple-disables-java-7-in-response-to.html

and

http://www.kb.cert.org/vuls/id/625617

Wow!  Apple outright disabled Java.  This was also something that DHS recommended, but to have a software vendor broadly disable it...that's crazy, but in a good way.  Java has always had its issues, so maybe this will force them to take a deeper look into their security issues.


Saturday, January 05, 2013

PSAD

I decided to give PSAD a spin on the Linode since I've never tried it before.  I'm impressed at the features of it.  I've been running it maybe a bit over a month.  I get alerts whenever PSAD detects a scan or when it logs and drops specific traffic, so I'm aware of what's going on (instead of having to check my firewall logs).  One of the main reasons I decided to give PSAD a spin is because my fwanalog setup stopped working due to a code bug that affects Ubuntu v12.04.

One of the things I've been doing (I used to do this in the past) is I send my dropped logs to Dshield.org (or isc.sans.org).  One of PSAD's features enables me to send the logs, vs. using third-party or Dshield apps.

I noticed when sending my logs that I'm catching bidirectional traffic and my server IP is being flagged as a result.  Why?  I was blocking 118.0.0.0/8 (a large segment of APAC).  I was not only blocking but sending resets, which means my firewall answers with a RST, so my IP is talking back even though it's only ending the session.  My firewall still logs it as a drop.  To fix this, I just configured the firewall to drop the traffic, although I could've just changed the --log-prefix tag to something other than DROP, which PSAD looks for by default.  I'll monitor the Dshield logs to see how PSAD is now reporting.
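To make the before/after concrete, here is a small shell script I'm adding to illustrate the point; it's my example, not the ruleset from this server.  It assumes IPv4 iptables, chain names I picked (LOGREJECT and LOGDROP), and psad's stock FW_MSG_SEARCH value of DROP in psad.conf.  It prints the rules instead of applying them so they can be reviewed first.

```shell
#!/bin/sh
# Added example, not the blog author's ruleset. Assumes IPv4 iptables, chain
# names of my choosing (LOGREJECT / LOGDROP) and psad's default
# FW_MSG_SEARCH setting of "DROP" in psad.conf.
BLOCKED_NET="118.0.0.0/8"   # the range the post describes blocking

# The "before" ruleset: every packet is logged with the DROP prefix (so psad
# counts it), but REJECT answers TCP with a RST and everything else with an
# ICMP error. Those answers leave the host, so a remote sensor such as
# DShield sees the server "talking" to the blocked range.
weak_rules() {
    cat <<EOF
iptables -N LOGREJECT
iptables -A LOGREJECT -j LOG --log-prefix "DROP " --log-level 4
iptables -A LOGREJECT -p tcp -j REJECT --reject-with tcp-reset
iptables -A LOGREJECT -j REJECT --reject-with icmp-port-unreachable
iptables -I INPUT 1 -s $BLOCKED_NET -j LOGREJECT
EOF
}

# The "after" ruleset: same LOG line, but DROP sends nothing back, so the
# only packets crossing the wire are the remote side's own probes.
fixed_rules() {
    cat <<EOF
iptables -N LOGDROP
iptables -A LOGDROP -j LOG --log-prefix "DROP " --log-level 4
iptables -A LOGDROP -j DROP
iptables -I INPUT 1 -s $BLOCKED_NET -j LOGDROP
EOF
}

# Print the corrected rules; pipe the output to sh as root to apply them.
fixed_rules
```

Changing only the --log-prefix (the other option mentioned above) would stop psad from counting those hits, but the REJECT rule would still send a RST for every probe, so DShield would still see the server answering; switching the target to DROP is what actually silences the host.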

Saturday, December 01, 2012

w32.changeup

I was at work this week and a teammate mentioned that w32.changeup might be a concern to our client base.  We try to proactively alert our clients on what could affect them without needlessly spamming them (we try to weed through the hype as well).  The vendors already have the technical write-ups, so I'll spare the readers my thoughts on that.  But I will say that the worm was first discovered a year ago...it's an older worm but the new variants appear to be enhanced, and there's a large spike in infections across the world.  As well, the worm is apparently difficult to remove if not using AV tools.

In my research, I discovered the following:


  • When using Symantec as a resource, it is difficult to determine which variant is being discussed, which leads to confusion and not being fully aware of possible impact.  There are 32 variants of this worm and in most of Symantec's articles, knowledge-base entries, and blog/forum posts, the authors rarely mention the variants that could negatively affect users.

  • As well, there aren't many other vendors that can detect and/or remove infections, so it is critical that rare resources be accurately documented (as much as possible, at least).

  • I became curious if any other vendor could detect (and/or remove) the worm, but because I didn't know a common name for this worm that the industry was collectively using, it was difficult to find additional details.  Finally, I stumbled across this:  http://www.symantec.com/connect/blogs/w32changeup-worm-any-other-name, which is the Symantec Blog.  It lists several vendor names of the worm.  It is highly annoying that I had to visit Symantec's site to find what McAfee named the worm.

I hate researching worms and viruses because there are no real standards that the AV industry follows.


Resources:

http://www.symantec.com/security_response/writeup.jsp?docid=2009-081806-2906-99
http://www.symantec.com/security_response/writeup.jsp?docid=2012-112709-5049-99&tabid=2
http://www.symantec.com/security_response/writeup.jsp?docid=2012-112709-5049-99&om_rssid=sr-latestthreats30days
http://www.symantec.com/connect/blogs/w32changeup-worm-any-other-name
http://www.symantec.com/connect/blogs/w32changeup-threat-profile
https://kc.mcafee.com/corporate/index?page=content&id=KB76807
http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=1607456

Thursday, November 15, 2012

Skype and Adobe

It's been awhile since I've done this, but here it is:

First, Skype.  Apparently, Microsoft fixed an issue with Skype accounts being vulnerable to hijacking.  It only took them three (3) months to address the issue...

https://isc.sans.edu/diary/Skype+account+hijack+vulnerability+fixed/14512

http://countermeasures.trendmicro.eu/skype-vulnerability/

Next, there's been another password disclosure breach, this time affecting Adobe and connectusers.com users.  The compromise occurred via a SQL injection attack.

https://isc.sans.edu/diary.html?storyid=14515

http://arstechnica.com/security/2012/11/adobe-breach-reportedly-spills-easy-to-crack-password-hashes/ 


Note (LONG):

I posted the notifications on Facebook, as my friends and family use Skype.  I'm going to throw this out there right now:  I hate OSS zealots.  I had an acquaintance stir up some crap about "why are you using Skype", "why are you using Windows", "why are you giving the corporations your money/data".

Life is SHORT.  That goes for everyone, including the zealots.  I'm a fan of open source software, but I don't live the life of "down with M$".  Microsoft has a place in my life.  I game...a LOT.  I play the types of games that don't do well within virtual environments...there are no Linux equivalents of these games.  As well, complicated software that is difficult to keep running properly in Windows tends to be even more cumbersome on *nix.  

I know how to administer *nix and know its strong points as well as weak points.  I know *nix very well.  I've never solely administered *nix for a living (I'm multi-disciplined), but I know it well enough to where I've been running *nix servers remotely without issue for YEARS.  I also tend to focus on security hardening on my *nix machines, moreso than the average *nix administrator (I'm a security consultant by trade).  So I know what I'm doing...I'm seasoned enough to know what to do and what not to do.

Now, I love *nix.  But there are different types of such love.  I love it but I also love gaming.  *nix won't do what I desire when it comes to the types of games I play, so in that regard it fails me.  You don't have to agree or disagree, because it won't matter what you think when it comes to *ME* and my computing usage.

As well, *nix can be high maintenance, depending on what's broken and your experience level.  I've told several of my relatives that have an interest in trying different operating systems that Linux could give them some freedom.  If they try it and find that it's not for them, I'm not going to continue pushing it down their throats.  That's not me.  I don't try to convince people (but I might nudge them if they're showing a serious interest)...that's the job of the product.  Also, the person doing the trying has to be open-minded and willing to learn new things.  I can help with that but I'm already pinged constantly, since most people think I'm a general tech support guy that they can call/e-mail at any time...I'm not going to administer their box for them. If you don't have the drive to help yourself a little and be willing to learn, *nix is NOT for you.

And, sometimes I just want stuff to work when I install it...without me fiddling with config files.  Remember, I've been working as a consultant the last 10 years in sometimes grueling or archaic work environments.  I do  NOT want to come home to the same crap.

Yes, I love smartphones.  Yes, I love Mac systems.  Yes, I'm OK with using Windows 7. 

This smacks of socialism (pushing people to adopt your version of the greater good...sharing everything, having extreme hate for commercialism).  Maybe I'm generalizing, but this is not the first time I've had someone berate me or try to push me to not use MS/this product/that company...like there's some code I'm supposed to be following as a *nix user.  For those that have issues with *nix guys using "M$" software, are you really going to bust a blood vessel worrying about what I'm using on *MY* LAN?

Lastly, regarding the "corporations are bad and will share your data as well as backdoor all apps and even the OS".  Bullshit.  Believe that crap if you want.  While I won't willingly give out my private data, I'm not going to live like an Amish person.  I won't live like I'm in a cave.  I'll lock down my data as much as I can, but I will not believe that all corporations are bad.  If you believe that, I guess you keep your life savings in your mattress....good for you if you do, but that's not me.

Tuesday, October 23, 2012

Postfix Install, OSSIM, Slack 14, Ubuntu, and VPNs

This isn't really a technical post, but I did want to share that I have Postfix running on my server.  I'd never had the need to run my own mail server until I moved my wigglit.com domain.  It was initially hosted at 1and1.com, but I got fed up with their service (or lack thereof).  I had several e-mail accounts set up there and still needed them to stay active, so I was pretty much forced to migrate the accounts as well as the domain.  The domain migration was pretty simple.  The Postfix install was much more difficult, even when using Webmin to set it up.  I used an Ubuntu tutorial (searched on 'webmin', 'ubuntu', 'postfix', and 'configuration') and used it exclusively to set up the server.  I think I have it tuned pretty well so far, only I found some bounced e-mails going back maybe a month or so...I fixed those today.  Those weren't actually related to Postfix, though.  When I stood up the new server and domain, I forgot to adjust the scripts that kicked off the e-mails (cronjobs).  I'll double-check tomorrow, but I think I've fixed those (was able to test the cronjob successfully...generated a test e-mail).  I've since been editing the main.cf file to make configuration changes (and restarting the mail server afterward).

I've also been trying to use OSSIM, but I think I need a dedicated machine.  I tried to use an install of it within VirtualBox, with very limited success.  It seems it needs considerable resources and doesn't run well on a virtual instance with limited CPU/memory resources.  I ran VirtualBox on my M17xR3...that machine definitely has enough horsepower, but only has 8GB of RAM...it may need a bit more so that I can give OSSIM ample memory.  As well, my RAID 0 drive set may be hindering OSSIM.  I got a taste of it, though, and like it much better than Aanval.  Unfortunately, I don't have a good spare box at the moment, otherwise I'd be running it already.  That was my first time using VirtualBox, also...it's not that much different than VMware...much simpler, though.

So, Slackware v14.0 was released not long ago.  I took the liberty of installing it within VirtualBox.  It runs very nice!  I'm in the process of evaluating it and will soon upgrade my two v12.0 machines.  No, I'm not using Slackware on my public server.  I opted to use Ubuntu (v12.04) instead.  While I love Slack, I needed something less high-maintenance on the public server.  No complaints so far and it's been about a year since I flushed it and gave Ubuntu a try...no complaints whatsoever.  KISS is where it's at.

Lastly, since I've had success with Postfix, I plan to eventually start evaluating security tools again.  I've been out of the loop for awhile and need to push myself to continue to be familiar with Linux and security.  I've never used any of the VPN software before, so I plan to establish a VPN conduit between my LAN and my public server.  We'll see how that goes soon.

Friday, October 19, 2012

Engineering Stories

On the way to work today, I remembered an occasion where a team member who'd left the company had been stockpiling 1U rackmount servers in storage.  He'd reimaged each server with a common image (each had different passwords, though).  I had a listing of passwords for each server, but the listed password for one particular server wasn't working and we needed to get access to that machine.  I couldn't just reimage the machine since, even though it shared a common image, it was prepped for deployment to a certain location and was configured for that specific site.  While I had a copy of the site-specific information, I just did not have the time to reimage the machine and reconfigure it...I saved that as a "last resort" option.

After a bit of research, I was able to log in successfully.

I knew the BIOS wasn't locked down, so I went into the BIOS and enabled booting from CDROM.  I had a copy of a Linux CD which I put into the CDROM tray.  I then power-cycled the system.  I was able to use the live-CD to boot up the box.  I mounted the drive within the system and removed the encrypted password within /etc/passwd using 'vipw'.  I then shut the box down, removed the live-CD, then started the system.  I was immediately given a shell.  I then reset the password to what was on the passwords list for that particular system then finished the pre-deployment steps.

This is why I love Linux.  There's always an option.  I could NOT do this with one of the backup Windows servers we had.  That case was similar:  the system was a cold backup and was racked but powered down...it was a new system with a new image but customized for a specific role...it had yet to be used, though.  The password that we had for the device was apparently incorrect.  I even tried to crack the SAM file...that didn't work and I eventually had to reinstall (not reimage) Windows Server (forgot which version) onto the system again.  What made this much worse was that there wasn't an original cloning image to use, as well as the fact that the previous engineer hadn't maintained directions on how he configured the device.  So I had to use the trial-and-error method.  I eventually configured the OS properly and installed and configured the proper software (it was a CA eTrust AV server).  The whole time, the lead client was pestering, badgering, and being overly hostile.

In another case, another contractor had left the company.  He'd been administering a Nessus server that he installed on top of OpenBSD.  This contractor chose OpenBSD and was comfortable with working within a terminal session (as was I).  And really, the box didn't really have an abundance of resources anyways, so it was probably more robust without the GUI enabled.  I understood something of OpenBSD and was aware of how to conduct scans and how to view/store the scan results.  I even had a cron job running that would conduct the scans during maintenance windows.  Everything was working fine.  The same client lead couldn't operate the system because his *nix skills were seriously lacking.  Instead of asking for help/guidance, he directed another contractor to wipe the machine and install Red Hat with the GUI enabled so that he could operate the machine.  Data was not backed up.  The scanning data as well as configuration man-hours were wasted.

Another time, I was working a deployment issue where client remote hands were my remote hands/eyes.  They'd received our Snort sensor that we'd imaged, customized, and configured and had just finished racking and powering it up.  The remote hands did not know anything of how to operate within a terminal session.  I walked him through the process, spelling out the commands he needed to type.  The problem?  We built the machine and while testing it before we shipped, had logged into the machine via SSH.  When the machine was at the remote location, I could not establish an SSH session because the host key had changed.  In order for me to regain access, the remote hands had to remove the existing host key that was tied to the IP of my work machine...the host key resided on the Snort sensor that I was trying to log into.  What made me feel good was that one of the clients was logged into the bridge call and was listening.  After the call, she praised me for my knowledge of guiding the remote hands through the whole process without ever being able to view what was on his screen.  She also commented on how I guided him in what to type.  In this case, I could care less how much they were paying me (which wasn't really all that much)...I was happy that I was able to be of assistance and value.  That was payment enough.  That was one of the few bright days in working with that particular organization.  I soon took a dignified stance and left that contract.  To this day, I will not recommend any person I know to work at that particular location without giving them ample warning.
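Before deleting a stale host key, the thing to check is whether the key that changed is the one the remote hands can read off the console.  This is an added Python example of mine (not from the original post) that parses an unhashed known_hosts file, computes the OpenSSH-style SHA256 fingerprint of the stored key for a host, compares it with a fingerprint read out-of-band, and removes that host's entry the way ssh-keygen -R does.  The key bytes and addresses are constructed, and it assumes HashKnownHosts is off so hostnames appear in the clear.

```python
import base64
import hashlib

def ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return len(b).to_bytes(4, "big") + b

def public_key_blob(key_type: str, key_bytes: bytes) -> bytes:
    """The blob OpenSSH base64-encodes into known_hosts: string(type) + string(key)."""
    return ssh_string(key_type.encode()) + ssh_string(key_bytes)

# Constructed sample keys and known_hosts. The key bytes are made up (a real
# ed25519 public key is 32 bytes, so the shape is right, but these are not
# real keys). NEW_SENSOR_KEY stands for the key the sensor has after reimaging.
SENSOR_KEY = public_key_blob("ssh-ed25519", bytes(range(32)))
NEW_SENSOR_KEY = public_key_blob("ssh-ed25519", bytes(range(64, 96)))
GATEWAY_KEY = public_key_blob("ssh-ed25519", bytes(range(32, 64)))
KNOWN_HOSTS = "\n".join([
    "192.0.2.10 ssh-ed25519 " + base64.b64encode(SENSOR_KEY).decode(),
    "gateway.example,192.0.2.1 ssh-ed25519 " + base64.b64encode(GATEWAY_KEY).decode(),
    "# hashed (|1|...) entries are not handled here; HashKnownHosts is assumed off",
])

def parse_known_hosts(text):
    """Return [(hosts, key_type, key_blob), ...] for each non-comment line."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        hosts, key_type, b64 = line.split()[:3]
        entries.append((hosts.split(","), key_type, base64.b64decode(b64)))
    return entries

def fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of sha256(blob)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def stored_fingerprint(text, host):
    """Fingerprint of the key known_hosts currently holds for host, or None."""
    for hosts, _, blob in parse_known_hosts(text):
        if host in hosts:
            return fingerprint(blob)
    return None

def key_changed(text, host, console_fingerprint):
    """True when the stored key differs from the one read off the host's console."""
    stored = stored_fingerprint(text, host)
    return stored is not None and stored != console_fingerprint

def remove_host(text, host):
    """known_hosts text without host's entries (same effect as ssh-keygen -R host)."""
    kept = []
    for line in text.splitlines():
        fields = line.split()
        if fields and not line.startswith("#") and host in fields[0].split(","):
            continue  # drop every line that names this host
        kept.append(line)
    return "\n".join(kept)

if __name__ == "__main__":
    console = fingerprint(NEW_SENSOR_KEY)  # what the remote hands read out
    print("stored :", stored_fingerprint(KNOWN_HOSTS, "192.0.2.10"))
    print("console:", console)
    if key_changed(KNOWN_HOSTS, "192.0.2.10", console):
        print("key changed; after confirming the reimage, remove the old entry")
        print(remove_host(KNOWN_HOSTS, "192.0.2.10"))
```

On the sensor's console, `ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub` prints the same SHA256: form, so the remote hands can read it out and you compare it with the fingerprint in the client's WARNING banner before removing the old entry; that is the step that separates "we reimaged it" from "someone is in the middle".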

But the main reason for this post is to share that I love *nix (and why)!

Thursday, September 13, 2012

BSD machine fixed!

So, I swapped a known working motherboard into the BSD machine.  It now works.  I also decided to use a quad core AMD AM2+ CPU that I had sitting around.  That's all I changed.

I'd originally thought the problem was related to the hard disk.  So, I decided the night before to disconnect the drives (it has two SATA drives), to determine if it were the real issue.  It still experienced the same symptoms after boot-up attempts, which told me it wasn't a hard disk issue.  I also swapped out the RAM with a known working chip with the same results when trying to boot-up.

So, either the old CPU (a dual-core AMD...I forget the model) died or something on the motherboard died (or maybe there was a short somewhere?).  I left it running a live instance of Linux Mint, just to see if it stays stable over the next 24 hours.

Next, I need to reinstall FreeBSD (wondering if I should try some others as well, such as OpenBSD or Mint).  I wiped the drive, thinking that there was some corruption issue...shouldn't have done that.

Saturday, June 23, 2012

BSD machine still not fixed; Slackware bullet-proof as usual...

So, I've had some time to play with my Slackware install.  I should actually upgrade to the latest, but I think I might try to get that BSD system back up this weekend.  I did upgrade firefox on the Slack machine, though...it was running a VERY old version (v2.x.x, I believe).  I'm running v12.0 now via my regular user account.

I'm tempted to install phpBB3 onto this machine (that's why I want to get into that BSD box...I'd just installed phpBB3 and had a very nice site that contained all my system and sysadmin notes that I've collected over the years...been using that software as a data repository since 2003 or so, on a very old system that runs phpBB2).

I've no real plans this weekend or maybe even the next (no autocross scheduled until next weekend and I'm opting out of that).  That should give me time to delve into the BSD issue as well as wiping the replacement system and installing the latest Slack.

Wednesday, May 30, 2012

Slackware Reunited!

Well, I'm back to using Slackware.  I don't know if that's actually proper to say, since I still use Slackware as an IDS for my LAN, but that box is pretty much just monitoring the network...nothing else.  I had an issue with my new FreeBSD box (it won't boot properly) and I needed another box, so I powered up an old machine that had Slackware v12 on it.  Yes, I'll upgrade to the latest as soon as I can, since everything seems to be out-of-date, such as my browsers and such.

I was able to get onto irc.freenode.net (was previously logging in via Xchat-aqua using my Macbook), but had a problem with D-bus:

ron@slackbox:~$ xchat
process 7948: D-Bus library appears to be incorrectly set up; failed to read machine uuid: Failed to open "/usr/local/var/lib/dbus/machine-id": No such file or directory
See the manual page for dbus-uuidgen to correct this issue.
  D-Bus not built with -rdynamic so unable to print a backtrace
Aborted

No, I don't use irssi or BitchX (I used to, awhile back).  Found that I could kickstart D-bus with the following command:

dbus-uuidgen --ensure

Dunno why this was an issue, since I didn't have the issue before I powered off the machine...maybe something broke during the power-down cycle of that last shutdown?  Dunno.

I'm glad to be delving in Slackware again...I love tinkering with different environments, but I'm pretty spread thin with Windows 7 (necessary evil to do my hardcore gaming), FreeBSD, Ubuntu (my colo server), and now Slackware...been meaning to reactivate an old box with OpenBSD on it also.  We'll see how I can cope with all this.  :)

Sunday, May 20, 2012

FreeBSD Pains

My 'new' BSD machine (FreeBSD 8.2) crapped out again.  Actually, I think either my wife or one of my kids accidentally shut it down.  Now it tries to boot up and immediately shuts down during the boot-up process.  I can't look at logs because it keeps shutting down.  I tried single mode and it does the same thing.  I've been trying to see the last line of the boot-up process before it shuts down...that's like trying to capture (with your mind) one frame of a film...very hard to do.  Well, it looks like it can't mount the root partition (just from what I've seen the millisecond before it shuts down).  I need to run fsck on it but I can't do that if it's not booting up properly into single mode.

I cheated and tried to boot up a live install of Linux Mint, Ubuntu (both of the latter are on USB sticks), and FreeBSD (on DVD)...they must be trying to mount the drive that the FreeBSD install is on, because they all shut down too.  So, I'm going to try a rescue version of FreeBSD (for memory sticks).

Once I fix this, I'm sure there's a rc.conf setting that I'll need to set to force an fsck during boot-up if needed.  This has happened ever since I installed FreeBSD and I'm a bit irritated...this should be enabled by default so that someone doesn't get 'locked' out of their system.  :/
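For what it's worth, rc.conf(5) does have knobs for this.  The fragment below is an added example of mine, not the blog author's rc.conf, and assumes a UFS root on FreeBSD 8.x.

```shell
# /etc/rc.conf additions (added example, not the blog author's config).
# Assumes FreeBSD 8.x with a UFS root; both knobs are documented in rc.conf(5).

# If the initial preen of the file systems fails, rerun fsck with -y instead
# of stopping at the single-user shell prompt. -y answers "yes" to every
# repair question, so it can discard damaged data; on a lab box that beats a
# machine that never comes back up. Leave it NO on a box whose data matters
# more than its uptime.
fsck_y_enable="YES"

# Background fsck runs after boot against a snapshot and only covers file
# systems with soft updates. NO forces the full foreground check so the root
# file system is known clean before any services start.
background_fsck="NO"
```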

Thursday, May 17, 2012

Missing me some Slackware...

I haven't played with Slackware in quite awhile.  I still run a server through Linode.com but I no longer have Slackware installed as an OS (I'm using Ubuntu for ease of use...yes, it is easier to maintain compared to Slackware and I've not run into any 'gotchas' yet).  I run one machine that has Slackware installed (it's sorely in need of an update, though) and it is being used as a NIDS system.  I've another machine with Slack on it that hasn't been turned on in months (it's OS version is even older than the other system).  I'll probably turn on this system and begin to use it again, but it is in very sore need of cleaning (it has 4-5 hard disks with data ALL over the place).

I'm trying to resist the urge to run Slackware in a VM on my Alienware system.  It will require me to probably get more RAM (I'm trying to resist that idea for now).  I do not want to attempt a native install, as I don't feel like experimenting to get Slack to work on that system.  The integrated and dedicated GPUs will probably be an immediate issue, as well as the fact that my system is running two 750GB drives in RAID0.  And, that is also my gaming system.  There's no real need for me to install Slackware natively on my system.  But, I will definitely install Cygwin, since I can leverage its tools (such as GnuPG) without having to open a shell and have an internet connection.  Cygwin is the less complicated of the aforementioned options.

But I am missing using Slackware, which is why I've been trying to be more active at ##slackware on irc.freenode.net.  The thing is, I also have a fetish for Open- and FreeBSD, so I've been focusing on both of those the past few years.

Tuesday, April 17, 2012

Power Outages

There have been power outages here that have been taking down my lab equipment. This affected my new BSD machine. The drive became borked due to an unclean shutdown. After a few days, I got it back up again. It was a simple fix but one of the other machines kept me busy until I got to the BSD machine. The old BSD machine had an IP conflict with one of the Verizon set top boxes...I thought I'd set it to a static IP and when I checked, I had, but the damned router gave the set top box the same IP. I had to run around the house at 11PM trying to figure out which box it was (I've five of them). The last one I checked was the one I was looking for...go figure. A quick power-cycle and it got another IP. I wouldn't have figured this out if I hadn't used ARP. I kept pinging the BSD machine's IP but wasn't seeing return traffic...I telnet'd to port 22 and 80 and didn't get a response, either. So, I looked at the ARP results and saw that another machine had the IP...in fact, the set top box had two of them, but the MAC addresses were wrong on one (this was the BSD box entry...the MAC matches that machine). Very weird but hopefully it won't happen again.

I'll be looking to invest in a UPS soon. I need one that will be able to power down 3 *nix machines or at least keep them running for 5 minutes or so. Dunno if I should also ensure that there's room for the router...

Monday, April 09, 2012

Snortreport install

I remember running snortreport awhile back and liked it. I want to try to use it again, but I was having issues installing it in FreeBSD.

It appears that the FreeBSD port of snortreport requires php4. I'm currently using php5 and want to run snortreport with minimal fuss. I do not want to try to run both php5 (for Apache and phpBB3) and php4, as it will break the server. There are several tutorials on how to run both but as I said, I don't want any fuss.

So, I delved a bit into the ports and makefiles. I looked at the makefile for snortreport and decided to remove the php check that stops me from installing the port. It then choked on jpgraph (a dependency)...it appears that jpgraph is actually the port that requires php4. I was going to edit the makefile for jpgraph to allow the install (by commenting out the line that checks for php4), but saw that there is another version of jpgraph called jpgraph2. I looked at that port's makefile and it didn't check for php4 (it did check for php5). I went ahead and installed jpgraph2 instead, then installed snortreport without any warning/error messages.

So, for those of you that want snortreport on FreeBSD and want to leverage the ports system, you can get around the php4 dependency issue by just installing jpgraph2.

Of course, I still have to fully get snortreport up and running before I claim 100% success, right? ;)

Trying to upgrade/revamp my lab

I'm trying to retire some of my older equipment in my lab.  The biggest move will be in migrating my old FreeBSD server to a new one.  Both are currently up and running.

The old:

FreeBSD 6.2-RELEASE #0: Fri Jan 12 11:05:30 UTC 2007
CPU: Pentium II/Pentium II Xeon/Celeron (447.69-MHz 686-class CPU)
Origin = "GenuineIntel" Id = 0x652 Stepping = 2
Features=0x183fbff
real memory = 268427264 (255 MB)
avail memory = 252989440 (241 MB)
FreeBSD/SMP: Multiprocessor System Detected: 2 CPUs
cpu0 (BSP): APIC ID: 0
cpu1 (AP): APIC ID: 1

The new:

FreeBSD 8.2-RELEASE-p3 #0: Tue Sep 27 18:45:57 UTC 2011
CPU: AMD Athlon(tm) 64 X2 Dual Core Processor 4400+ (2210.20-MHz K8-class CPU)
Origin = "AuthenticAMD" Id = 0x60fb2 Family = f Model = 6b Stepping = 2
Features=0x178bfbff
Features2=0x2001
AMD Features=0xea500800
AMD Features2=0x11f
TSC: P-state invariant
real memory = 1073741824 (1024 MB)
avail memory = 1002987520 (956 MB)
FreeBSD/SMP: Multiprocessor System Detected: 2 CPUs
FreeBSD/SMP: 1 package(s) x 2 core(s)
cpu0 (BSP): APIC ID: 0
cpu1 (AP): APIC ID: 1

I've a LOT of data on the old system that I need to somehow offload and retain onto the new one.  I also have to stand up updated services (mysql, ssh, httpd) and apps (phpbb3, BASE).  I already have the new phpbb3 running (it is NICE), but still have to install BASE (although Snort is installed).

I'll keep you all updated on this.

Wednesday, February 01, 2012

Moving my older domains

So I had wigglit.com hosted at 1and1.com, but ran into issues with them that appear to be recurring.  I previously purchased MobileMe for my mac machines (I can archive data as well as use its e-mail system and web page authoring), but since Apple is killing MM and migrating to iCloud, some of those capabilities are disappearing.  I decided to host my pages myself, using 1and1.com, but apparently they are idiots.  I sometimes need to shell into the 1and1.com environment to make changes and I've been trying to pipe the data hosted on MM to 1and1.com but they keep locking my account.  I've sent several nastygrams asking them to lessen the lockout threshold on their shell accounts, but they keep blaming the user and not really investigating, sending cookie-cutter responses and such.  So I told them I'm going to discontinue their services as soon as I migrate the data.

So far, I've moved wigglit.com over to my Linode account.  I've moved my SV1000 blog and site to sv1000s.wigglit.com, and my Apple blog was moved to apple.wigglit.com.  I'd never used subdomains before, so that was new to me.  I also had never delved in DNS, as I had to map my subdomains to my Linode account.  Using the Linode tools and a bit of research, I was able to do this seamlessly.  I now have functional subdomains.

I'm going to eventually have everything consolidated on the Linode.  The big one will be migrating my e-mail to my Linode system...I think that's going to be painful.

I will move the rest of the data soon and discontinue using 1and1.com's services within 30 days.

Note that this has nothing to do with Slackware in itself, but I wanted to capture this move in one of my blogs.

Thursday, August 04, 2011

Snort and Thresholding Noisy Alerts

I'm trying to stay sharp as a security techie, so I've been trying to contribute to Linux and security forums.  There's a guy who was asking how to use bpf.conf with Snort.  I suggested he use threshold.conf instead.  I actually referenced this (I love TaoSecurity) to help him.  He was being flooded with "SHELLCODE x86 inc ecx NOOP" alerts.  The assistance thread is here, at LinuxQuestions.org.
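To show why threshold.conf (or event_filter in newer Snort) is the right tool for a noisy signature, here is a Python model of the three threshold types as the Snort manual documents them, run over a constructed stream of alerts.  It's my added example, not code from the thread, the post, or Snort itself; SAMPLE_SID and the addresses are placeholders (SAMPLE_SID is not the real SID of the SHELLCODE rule), and the model follows the documented semantics rather than Snort's internal implementation.

```python
import ipaddress

# Constructed alert stream (not real Snort output): one event per second for
# two minutes from a single noisy source, plus two events from a second
# source. Addresses are RFC 5737 documentation ranges; SAMPLE_SID is a
# placeholder, not the real SID of the SHELLCODE rule.
NOISY, OTHER, SENSOR = "198.51.100.7", "203.0.113.9", "192.0.2.10"
SAMPLE_SID = 99999

def sample_alerts():
    alerts = [{"gid": 1, "sid": SAMPLE_SID, "src": NOISY, "dst": SENSOR, "ts": t}
              for t in range(120)]
    alerts += [{"gid": 1, "sid": SAMPLE_SID, "src": OTHER, "dst": SENSOR, "ts": t}
               for t in (5, 70)]
    return sorted(alerts, key=lambda a: a["ts"])

class EventFilter:
    """One event_filter/threshold line, following the semantics in the Snort
    manual: limit = first `count` events per window, threshold = every
    `count`-th event, both = once per window after `count` events."""

    def __init__(self, gid, sid, ftype, track, count, seconds):
        self.gid, self.sid, self.ftype, self.track = gid, sid, ftype, track
        self.count, self.seconds = count, seconds
        self.windows = {}  # tracked address -> (window_start, events_seen)

    def allow(self, a):
        if (a["gid"], a["sid"]) != (self.gid, self.sid):
            return True  # the filter only applies to its own signature
        key = a["src"] if self.track == "by_src" else a["dst"]
        start, n = self.windows.get(key, (None, 0))
        if start is None or a["ts"] - start >= self.seconds:
            start, n = a["ts"], 0  # window expired: start a fresh one
        n += 1
        self.windows[key] = (start, n)
        if self.ftype == "limit":
            return n <= self.count
        if self.ftype == "threshold":
            return n % self.count == 0
        if self.ftype == "both":
            return n == self.count
        raise ValueError("unknown filter type: " + self.ftype)

class Suppress:
    """One suppress line: never alert on this signature for matching addresses."""

    def __init__(self, gid, sid, track, network):
        self.gid, self.sid, self.track = gid, sid, track
        self.network = ipaddress.ip_network(network)

    def allow(self, a):
        if (a["gid"], a["sid"]) != (self.gid, self.sid):
            return True
        addr = a["src"] if self.track == "by_src" else a["dst"]
        return ipaddress.ip_address(addr) not in self.network

def apply_filters(filters, alerts):
    """Alerts that survive every filter, in arrival order."""
    return [a for a in alerts if all(f.allow(a) for f in filters)]

def surviving_count(ftype, count, seconds):
    """How many of the sample alerts a by_src filter of this shape lets through."""
    f = EventFilter(1, SAMPLE_SID, ftype, "by_src", count, seconds)
    return len(apply_filters([f], sample_alerts()))

if __name__ == "__main__":
    print("raw alerts:", len(sample_alerts()))
    for ftype, count in (("limit", 1), ("threshold", 10), ("both", 10)):
        print(f"type {ftype}, count {count}, seconds 60 ->",
              surviving_count(ftype, count, 60))
```

The config lines this models are `event_filter gen_id 1, sig_id <sid>, type limit, track by_src, count 1, seconds 60` (older threshold.conf spells it `threshold gen_id 1, sig_id <sid>, ...`) and `suppress gen_id 1, sig_id <sid>, track by_src, ip 198.51.100.0/24` for a source already investigated.  A limit of 1 per minute still tells you a host is hammering the sensor, it just stops saying so 120 times; suppress hides the signature for that source entirely, which is why thresholding is the better default for a noisy-but-real rule.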

Wednesday, May 04, 2011

Connection Tracking and IPTables

Conntrack entries

I'm making a point of trying to read through this Iptables document. The connection tracking function is pretty cool, though. I was aware of the functionality but had never seen the logs at /proc/net/ip_conntrack until this morning.
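As an added example (my code, not the author's, and not what the screenshot above showed), here is a small parser for the legacy `/proc/net/ip_conntrack` text format plus the summaries an analyst tends to want from it: entries by TCP state, half-open connections per source, and bytes per connection. The sample lines are constructed to match the format (protocol, protocol number, timeout, TCP state word, original-direction tuple, `[UNREPLIED]` when nothing has come back, reply-direction tuple, then flags); the `packets=`/`bytes=` counters only appear when conntrack accounting is enabled, so the parser treats them as optional.

```python
"""Added example: parse /proc/net/ip_conntrack entries and summarise them.
The SAMPLE table is constructed, not copied from the author's machine."""
from collections import Counter

SAMPLE = """\
tcp      6 431995 ESTABLISHED src=192.168.1.10 dst=198.51.100.20 sport=52344 dport=443 packets=12 bytes=1840 src=198.51.100.20 dst=192.168.1.10 sport=443 dport=52344 packets=10 bytes=5120 [ASSURED] mark=0 use=2
udp      17 29 src=192.168.1.10 dst=192.168.1.1 sport=53421 dport=53 packets=1 bytes=64 src=192.168.1.1 dst=192.168.1.10 sport=53 dport=53421 packets=1 bytes=128 mark=0 use=2
tcp      6 117 SYN_SENT src=192.168.1.33 dst=10.9.8.7 sport=40001 dport=22 packets=1 bytes=60 [UNREPLIED] src=10.9.8.7 dst=192.168.1.33 sport=22 dport=40001 packets=0 bytes=0 mark=0 use=2
tcp      6 118 SYN_SENT src=192.168.1.33 dst=10.9.8.8 sport=40002 dport=22 packets=1 bytes=60 [UNREPLIED] src=10.9.8.8 dst=192.168.1.33 sport=22 dport=40002 packets=0 bytes=0 mark=0 use=2
tcp      6 299 TIME_WAIT src=192.168.1.10 dst=198.51.100.21 sport=52350 dport=80 src=198.51.100.21 dst=192.168.1.10 sport=80 dport=52350 [ASSURED] mark=0 use=1
"""

TUPLE_KEYS = ("src", "dst", "sport", "dport", "packets", "bytes")


def parse_entry(line):
    """One ip_conntrack line -> dict with orig/reply tuples, state and flags."""
    toks = line.split()
    entry = {"proto": toks[0], "protonum": int(toks[1]), "timeout": int(toks[2]),
             "state": None, "orig": {}, "reply": {}, "flags": []}
    rest = toks[3:]
    # TCP carries a state word (ESTABLISHED, SYN_SENT, ...); UDP/ICMP do not
    if rest and "=" not in rest[0] and not rest[0].startswith("["):
        entry["state"] = rest.pop(0)
    side = "orig"
    for tok in rest:
        if tok.startswith("["):                 # [ASSURED], [UNREPLIED]
            entry["flags"].append(tok.strip("[]"))
            continue
        key, _, val = tok.partition("=")
        if key == "src" and "src" in entry["orig"]:
            side = "reply"                      # second src= starts the reply tuple
        if key in TUPLE_KEYS:
            entry[side][key] = val if key in ("src", "dst") else int(val)
        else:
            entry[key] = val                    # mark=, use=, secmark=, ...
    return entry


def parse_table(text):
    return [parse_entry(l) for l in text.splitlines() if l.strip()]


def by_state(entries):
    """Entry count per TCP state; non-TCP entries are keyed by protocol name."""
    return dict(Counter(e["state"] or e["proto"] for e in entries))


def unreplied_by_source(entries):
    """Half-open entries (no reply seen) per original source address.
    A single host with many of these is worth a look, whatever the cause."""
    return dict(Counter(e["orig"]["src"] for e in entries
                        if "UNREPLIED" in e["flags"]))


def bytes_per_connection(entries):
    """Bytes in both directions keyed by src:sport->dst:dport (0 if accounting is off)."""
    out = {}
    for e in entries:
        o = e["orig"]
        key = f"{o['src']}:{o['sport']}->{o['dst']}:{o['dport']}"
        out[key] = o.get("bytes", 0) + e["reply"].get("bytes", 0)
    return out


if __name__ == "__main__":
    table = parse_table(SAMPLE)       # swap in open("/proc/net/ip_conntrack").read()
    print(by_state(table))
    print(unreplied_by_source(table))
    print(bytes_per_connection(table))
```

On kernels that have moved to nf_conntrack the same data lives in `/proc/net/nf_conntrack` with an address-family prefix on each line, so the tokenizer would need to skip those leading fields; the tuple and flag handling is otherwise the same.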

Thursday, April 14, 2011

BASE and Snorby: packet captures

Noticed that someone on the interwebz stated that Snorby captures full payload while BASE doesn't.  I read this as a comment on the Snorby pages.  Unless I'm totally off-base here, that's not the case, unless they're talking about something like netflows or something akin to it.  I believe one of the dev guys stated that only Snorby and Sguil offer full packet capturing.  That does NOT sound right and I believe he should clarify.

I'll dig up the link later, but it should be very apparent on their pages (it was to me, when I was perusing).

So, I pulled up my BASE console and looked at a sample packet.  To look at payload/packets within BASE, you go to a line item then click on the "ID", which would look akin to "2-278900". 

BASE capture view:

Snorby capture view:

Now, I don't see either lacking in that regard.  This is enough for the analyst to determine a false positive vs. a real attack/concern.

Now, if I wanted to further investigate, I can (in BASE), go to a listing, then click the offending IP (or the other IP...doesn't matter).  Then I click "Unique alerts" or "Unique IP links" under "Summary Statistics":

Unique alerts
This is basic stuff here.  It shows the history of that particular IP...it shows everything that was ever recorded from that IP, and you can dig down from there.  Source/Destination would show bidirectional traffic between the offending IP and whatever it was communicating with.  I'll get payload every time, IF (BIG IF HERE) the Snort signature is designed to capture payload and if the traffic even has payload.

I don't understand the argument of saying that BASE doesn't capture full payload.  Of course, BASE won't.  It's just a SEM.  Snort would actually do the capturing.  It would also totally depend on who sets up Snort and their requirements.  The admin that configures Snort may not even have all the sigs enabled.  But, BASE will show any payload that Snort does capture.

At this point, Snorby's search and analytical functionality is lacking.  I've said this before and got ridiculed by one of the Snorby developers.  We all know Snorby is relatively new when comparing it to BASE, but until the Snorby dev team enables better query functionality and better ways to quickly track activity, I'm going to stick to my guns.  A pretty (and even simplified) interface is one thing, but when it comes to the meat and potatoes, candy apples doesn't cut it.  As an analyst, I'd not want to lose any type of query features, as this will make a sometimes frustrating job all the more frustrating (been there, done that).

Lastly, I will NOT HAVE A PISSING MATCH over this.  I've been doing such comparisons for YEARS and am fully capable of judging what is acceptable and what is not regarding most security tools (that's why I get paid the big bucks), although I'm always objective in my opinions.  I definitely know what "best of breed" entails.  I'm going to put it out there:  Snorby is NOT best of breed.  I'd love it to be, but right now, it is NOT.  It has to help me sort/organize/filter information that helps me catch malware and such...much more than what it currently offers.  Right now, with Snorby, there's no such thing as digging down or simplifying the search through thousands of potentially bad security events.  "Packet capture options/Customer" isn't going to cut it.  It is good for the small investigation but not for the bigger tasks.  Let's be grown-ups about this topic and offer objective opinions.  If you can't do that, don't even try to leave some nasty comment on this blog.  Comment moderation is enabled.  Yes, I do require clarification on what is considered "full payload analysis", as I feel that's not enough of a description and could actually be relating to something else entirely different from the above (I doubt it, though).

Monday, March 21, 2011

GUIs for Snort

GUIs for Snort --

http://blog.snort.org/2011/01/guis-for-snort.html

Some of these might appeal to you, the network/security administrator, depending on your organization's needs. Note: there is NO best in breed tool...it totally depends on your organization's needs, which will vary when comparing org X to org Y.