Robin Gruyters: September 2007 Archives

Today I’ve been busy adding new hardware: a Netoptics Slim-TAP to monitor the external network of our Head Office.

Once I had connected everything, I started to configure the monitoring interface using the following instructions.

nsm# kldload ng_ether
nsm# ifconfig sf0 -arp promisc up
nsm# ifconfig sf1 -arp promisc up
nsm# ngctl mkpeer . eiface hook ether
nsm# ngctl mkpeer ngeth0: one2many lower one
nsm# ngctl connect sf0: ngeth0:lower lower many0
nsm# ngctl connect sf1: ngeth0:lower lower many1
nsm# ifconfig ngeth0 monitor up

When I checked the interface status, I noticed that there were output errors on the outgoing interface, which shouldn’t be happening!

Name    Mtu Network       Address              Ipkts Ierrs    Opkts Oerrs  Coll
ngeth  1500 <Link#14>     00:00:00:00:00:00        0     0        0  7443     0

After searching the Internet on the same issue, I came across a problem report from FreeBSD.

When using netgraph to “bond” two syskonnect gige interfaces together for a packet capture application, we see output errors on the pseudo interface that is the sum of the number of packets input on the two syskonnect NICs. Examination of the code reveals that this is because the packets cannot be transmitted out the pseudo interface.

Hmm, this sounds familiar! After I had patched and rebuilt the kernel and rebooted, the problem was solved.

Name    Mtu Network       Address              Ipkts Ierrs    Opkts Oerrs  Coll
ngeth  1500 <Link#14>     00:00:00:00:00:00      153     0        0     0     0

If you have similar problems, check out the problem report.

Performance issues (again)


There are some performance issues with my site. My hosting provider is working on it.

Sorry for the inconvenience…

UPDATE: Should be fixed now.

Today I found this article on Undeadly about a trick to access an internal host by using a (SSH) gateway host.

Read on!

A few months back Bamm from Sguil included PADS (Passive Asset Detection System) in Sguil to assist in passive network asset discovery. Although this is a great addition to Sguil, unfortunately PADS is no longer maintained by the original author.

Geek00l has written a nice article about converting PADS signatures into Bro-NIDS signatures.

To convert the PADS signatures to Bro-NIDS signatures, he uses egrep, awk and sed.

For me that is too much hassle, so I have written a small Perl script to get the same thing done.

Recently Bleeding Edge added a new ruleset to their list of rules, to detect connection attempts to known compromised hosts. This is quite handy, although it will increase the load on each Snort process on each sensor, even to the point of dropping packets (!!).

When I was checking some sites, I came across this post on Eating Security.

He posted an article on extracting the IPs from the rulesets and cross-referencing them against session data, which in my case is sancp.

To extract each IP from the ruleset, he uses the following Perl script. The extracted IP list is then imported into a table and cross-referenced with the sancp session data.

To import the data into a MySQL 5.x database:

CREATE TABLE compromised (dst_ip int(10) unsigned NULL);

LOAD DATA LOCAL INFILE '/tmp/output' INTO TABLE compromised (@col1) SET dst_ip = INET_ATON(@col1);

Then query the sancp session data for connections going to any of the IP addresses:

SELECT sancp.sid,INET_NTOA(sancp.src_ip),sancp.src_port,INET_NTOA(sancp.dst_ip), sancp.dst_port,sancp.start_time FROM sancp INNER JOIN compromised ON (sancp.dst_ip = compromised.dst_ip) WHERE sancp.start_time >= DATE_SUB(UTC_DATE(), INTERVAL 24 HOUR) AND sancp.dst_port = '80';

Finally you can run this from a cronjob and mail the output to your email address every day.
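The three steps of the post (extract the IPs from the rules, load them into a table, join them against sancp) as one runnable added example; this is my code, not the author's Perl script or the Eating Security one. It assumes constructed rule lines in the Bleeding Edge style with documentation-range IPs, a constructed sancp-like session list, and an in-memory SQLite database standing in for MySQL, with INET_ATON/INET_NTOA re-implemented as user-defined functions so the page's query runs unchanged in spirit.

```python
import re
import socket
import sqlite3
import struct
from datetime import datetime, timedelta

# Constructed sample rules (Bleeding Edge compromised-host style, documentation IPs).
SAMPLE_RULES = """\
alert ip $HOME_NET any -> [192.0.2.10,192.0.2.11] any (msg:"SAMPLE compromised list 1"; sid:9000001; rev:1;)
alert ip $HOME_NET any -> [198.51.100.7] any (msg:"SAMPLE compromised list 2"; sid:9000002; rev:1;)
"""
# Constructed sancp-like sessions: (sid, src_ip, src_port, dst_ip, dst_port, start_time)
SAMPLE_SESSIONS = [
    (1, "10.0.0.5", 51000, "192.0.2.10", 80, "2007-09-20 10:00:00"),    # hit
    (2, "10.0.0.6", 51001, "192.0.2.11", 443, "2007-09-20 10:05:00"),   # wrong port
    (3, "10.0.0.7", 51002, "203.0.113.9", 80, "2007-09-20 10:10:00"),   # not listed
    (4, "10.0.0.8", 51003, "198.51.100.7", 80, "2007-09-10 10:00:00"),  # too old
    (5, "10.0.0.9", 51004, "198.51.100.7", 80, "2007-09-19 01:00:00"),  # hit
]
SAMPLE_NOW = datetime(2007, 9, 20, 12, 0, 0)  # "now" (UTC) for the constructed data
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def extract_ips(rules_text):
    """Step 1: pull every dotted-quad out of the rule text, deduplicated."""
    return sorted(set(IP_RE.findall(rules_text)))

def inet_aton(ip):
    """MySQL INET_ATON equivalent: dotted quad -> unsigned 32-bit integer."""
    return struct.unpack("!I", socket.inet_aton(ip))[0]

def inet_ntoa(n):
    """MySQL INET_NTOA equivalent: unsigned 32-bit integer -> dotted quad."""
    return socket.inet_ntoa(struct.pack("!I", n))

def sessions_to_compromised(rules_text, sessions, now, port=80):
    """Steps 2 and 3: load the IP list into a table and join it against sancp."""
    db = sqlite3.connect(":memory:")
    db.create_function("INET_ATON", 1, inet_aton)
    db.create_function("INET_NTOA", 1, inet_ntoa)
    db.execute("CREATE TABLE compromised (dst_ip INTEGER)")
    db.execute("CREATE TABLE sancp (sid INTEGER, src_ip INTEGER, src_port INTEGER, dst_ip INTEGER, dst_port INTEGER, start_time TEXT)")
    db.executemany("INSERT INTO compromised VALUES (INET_ATON(?))", [(ip,) for ip in extract_ips(rules_text)])
    db.executemany("INSERT INTO sancp VALUES (?, INET_ATON(?), ?, INET_ATON(?), ?, ?)", sessions)
    # Same window as DATE_SUB(UTC_DATE(), INTERVAL 24 HOUR): midnight UTC of the previous day.
    cutoff = (now.replace(hour=0, minute=0, second=0) - timedelta(hours=24)).strftime("%Y-%m-%d %H:%M:%S")
    rows = db.execute(
        "SELECT sancp.sid, INET_NTOA(sancp.src_ip), sancp.src_port, INET_NTOA(sancp.dst_ip), "
        "sancp.dst_port, sancp.start_time FROM sancp INNER JOIN compromised "
        "ON (sancp.dst_ip = compromised.dst_ip) WHERE sancp.start_time >= ? AND sancp.dst_port = ? "
        "ORDER BY sancp.sid", (cutoff, port)).fetchall()
    db.close()
    return rows
```

Against the constructed data only sessions 1 and 5 come back: session 2 is on the wrong port, 3 goes to an unlisted host and 4 is older than the window.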

About this Archive

This page is an archive of recent entries written by Robin Gruyters in September 2007.
