Recently in Security Category

Emerge Bro!!

Finally, CS Lee from Geek00l and Matt Jonkman from Emerging Threats (ET) have started a new project named Emerging Bro.

In short, the project is about bringing Snort signatures to Bro. Although Bro is more focused on policy and analysis script development, its signature matching engine is still, or can be, quite handy to use.

Anyway, if you want to use it, check the ET website for more information.

Sguil 0.7 released

Last week Bamm finalized Sguil version 0.7.0 and released it on the Sguil website.
The big changes are the separation of agents (snort_agent, pcap_agent and sancp_agent respectively), the added Passive Asset Detection System (PADS) agent and a lot of bug fixes.

For those who aren't familiar with Sguil, check the Sguil website or the overview on the Sguil Wiki page.

When I can find the time, I will post my article about 'Network Security Monitoring in a multi tiered environment'.

When you are using a network TAP (e.g. NetOptics) and want to bond the two TAP interfaces on a FreeBSD sensor, there is now a new way to do this.

Since FreeBSD 6.3 a new device called lagg(4) is available. Lagg is a link aggregation and link failover interface.

With lagg you can easily bond two interfaces together.

# ifconfig lagg0 create
# ifconfig lagg0 laggproto fec laggport bge0 laggport bge1 monitor up

By default lagg uses the failover protocol, which you don't want when bonding TAP interfaces. The best protocol for this is Cisco EtherChannel (laggproto fec, as in the commands above).

Scott J. Roberts from Vulnerable Minds has come up with a great website to bring all the important security related topics to one central place, and calls it Pulse.

What a great idea! Why haven't I come up with it?

Here is the full story about why and how.

A few months back Bamm from Sguil included PADS (Passive Asset Detection System) in Sguil to assist in passive network asset discovery. Although this is a great addition to Sguil, unfortunately PADS is no longer maintained by the original author.

Geek00l has written a nice article about converting PADS signatures into Bro-NIDS signatures.

To convert the PADS signatures to Bro-NIDS signatures, he uses egrep, awk and sed.

For me that is too much hassle, so I have written a small Perl script to get the same thing done.

Recently Bleeding Edge added a new ruleset to their list of rules to detect connection attempts to known compromised hosts. This is quite handy, although it will increase the load of each Snort process on each sensor, possibly even to the point of dropping packets (!!).

When I was checking some sites, I came across this post on Eating Security.

He posted an article on extracting the IPs from the rulesets and cross referencing them against session data, which in my case is sancp.

To extract each IP from the ruleset, he's using the following Perl script. Then import the extracted IP list into a table and cross reference it with the sancp session data.

To import the data into a MySQL 5.x database:

CREATE TABLE compromised (dst_ip int(10) unsigned NULL);

LOAD DATA LOCAL INFILE '/tmp/output' INTO TABLE compromised (@col1) SET dst_ip = INET_ATON(@col1);

Then query the sancp session data for connections going to any of the IP addresses.

SELECT sancp.sid, INET_NTOA(sancp.src_ip), sancp.src_port, INET_NTOA(sancp.dst_ip), sancp.dst_port, sancp.start_time
FROM sancp INNER JOIN compromised ON (sancp.dst_ip = compromised.dst_ip)
WHERE sancp.start_time >= DATE_SUB(UTC_DATE(), INTERVAL 24 HOUR) AND sancp.dst_port = '80';

Finally you can run this from a cron job and mail the output every day to your email address.
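The whole pipeline (extract the destination IPs from the rules, store them as INET_ATON integers, join them against the last 24 hours of port 80 session data) as an added Python example; this is not the Perl script or MySQL setup from the posts above, the rule lines and sancp rows are constructed, and the join runs in an in-memory SQLite table instead of MySQL.

```python
import ipaddress
import re
import sqlite3
from datetime import datetime, timedelta
# Constructed rule lines in the "compromised hosts" style; documentation-range addresses, not real indicators.
SAMPLE_RULES = """\
alert ip $HOME_NET any -> [192.0.2.10,192.0.2.11] any (msg:"COMPROMISED host traffic (constructed)"; sid:9000001; rev:1;)
alert ip $HOME_NET any -> [198.51.100.7] any (msg:"COMPROMISED host traffic (constructed)"; sid:9000002; rev:1;)
"""
# Constructed sancp-style sessions: (sid, src_ip, src_port, dst_ip, dst_port, start_time).
NOW = datetime(2008, 6, 1, 12, 0, 0)
SAMPLE_SESSIONS = [
    (1, "10.0.0.5", 51000, "192.0.2.10", 80, "2008-06-01 09:00:00"),    # listed host, port 80, recent
    (2, "10.0.0.6", 51001, "198.51.100.7", 443, "2008-06-01 10:00:00"),  # listed host, wrong port
    (3, "10.0.0.7", 51002, "192.0.2.11", 80, "2008-05-30 10:00:00"),    # listed host, older than 24h
    (4, "10.0.0.8", 51003, "203.0.113.9", 80, "2008-06-01 11:00:00"),   # not on the list
]
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def inet_aton(ip):
    """Integer form of an IPv4 address, as MySQL's INET_ATON() stores it."""
    return int(ipaddress.IPv4Address(ip))

def extract_ips(rules):
    """Collect the destination IPs from each rule header (the source side is $HOME_NET)."""
    found = set()
    for line in rules.splitlines():
        if line.startswith("alert"):
            header_dst = line.split("->", 1)[1].split("(", 1)[0]  # destination half, options dropped
            found.update(IPV4_RE.findall(header_dst))
    return sorted(found, key=inet_aton)

def find_hits(ips, sessions, now, port=80):
    """The MySQL join replayed in SQLite: sessions in the last 24h to a listed host on the given port."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE compromised (dst_ip INTEGER)")
    db.execute("CREATE TABLE sancp (sid INTEGER, src_ip INTEGER, src_port INTEGER,"
               " dst_ip INTEGER, dst_port INTEGER, start_time TEXT)")
    db.executemany("INSERT INTO compromised VALUES (?)", [(inet_aton(ip),) for ip in ips])
    db.executemany("INSERT INTO sancp VALUES (?,?,?,?,?,?)",
                   [(sid, inet_aton(s), sp, inet_aton(d), dp, t) for sid, s, sp, d, dp, t in sessions])
    since = (now - timedelta(hours=24)).strftime("%Y-%m-%d %H:%M:%S")
    rows = db.execute(
        "SELECT sancp.sid, sancp.src_ip, sancp.src_port, sancp.dst_ip, sancp.dst_port, sancp.start_time"
        " FROM sancp INNER JOIN compromised ON sancp.dst_ip = compromised.dst_ip"
        " WHERE sancp.start_time >= ? AND sancp.dst_port = ?", (since, port)).fetchall()
    # Back to dotted quads, like INET_NTOA() in the original query.
    return [(sid, str(ipaddress.IPv4Address(s)), sp, str(ipaddress.IPv4Address(d)), dp, t)
            for sid, s, sp, d, dp, t in rows]
```

Only session 1 survives the join: session 2 is on port 443, session 3 is older than 24 hours and session 4 goes to a host that is not on the list.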

About this Archive

This page is an archive of recent entries in the Security category.
