
Oct 31, 2006

Well Said

Let me begin by saying that I've been a big fan of Richard Bejtlich's TaoSecurity blog for quite a while. If you've never visited his site, go there now. Truly excellent information from a man who clearly knows what he's talking about.

I started this morning as I do every morning: by reading about 2 dozen security related RSS feeds. After glancing at the latest crop of exploits and vulnerabilities, I saw that there was a new post on TaoSecurity. Bejtlich does a fantastic job of responding to a number of posts made on the DailyDave list. In short, he responds to a number of assertions that traditional IDS (particularly ) is of no value.

<rant>
My feeling is that if you think it is of no value, it is probably because you aren't using it correctly, aren't using it in the proper manner, and/or aren't using it in the correct location. It reminds me of when I was a kid and used to try to help my dad when he was working on the car or the lawnmower or whatever. I remember him telling me that "a lot of it boils down to using the right tool for the right job." Can you just throw a Snort sensor any ol' place on your network and expect it to do everything? Of course not. You place them strategically, significantly modifying the rules policy based on where you're placing them and what you intend the primary purpose of the sensor to be. Should you use Snort or Bro or SHADOW exclusively? Again, of course not. The key here is an integrated approach, using a number of different tools that cover a lot of different potential attack vectors and have all of the logs and alerts sent back to a central aggregation point for detailed analysis. Event correlation using something like (see my previous post) can go an awfully long way toward providing accurate detection of anomalies.
</rant>

Thanks, Richard, for a great, thought-provoking post on your blog.


Oct 28, 2006

Tools of the Trade, Part II

Since I just posted Part I yesterday, I'll keep this one brief. I just found a great new tool (well....new to me, anyway), so I thought I'd make a quick update.

  • Keyfinder (http://www.magicaljellybean.com/). Portable! Need to find out the key that was used to register Windows or Office on a particular machine? Keyfinder is the tool to use.
  • AbiWord (). Portable! A great, cross-platform simple word processor. If you need something more heavy duty, you'll want to use Open Office, but if you just need a relatively simple, solid word processor, look no further.

Oct 27, 2006

Before I forget...

Be sure to check out the blog of a friend of mine, Integrity IT Solutions. His blog is more Windows-centric than mine, but like it or not, we live in a Windows world. (At least for the time being....I patiently await the day when Linux finally rises to slay the great Redmond dragon.) Great stuff and definitely worth a look.

Tools of the Trade, Part I

Things have been a little slow of late, so I thought I'd start a recurring feature: Tools of the Trade. I'll go over the tools that I use and things that I like to keep on hand. I'm a big fan of squirreling things away for later use. The trick is, of course, to remember what you've squirreled away so you can use it when the time comes. Some of these tools are portable (i.e. you can run them from a USB drive), and of course, some aren't. I'll try to identify which tools are portable, because if you're at all like me, you like to keep a nice supply of heavy-duty tools at the ready. In my experience, it pays to be prepared. During the course of this series, I'll also mention non-software tools and items that you'll want to keep around. Some are obvious (a screwdriver, for example) and some aren't (nail polish, for example......I'll go over that one another time). Also, these tools are in no particular order. That being said, let's dive in.

  • Nmap (). This is one of those tools that I simply can't function without. If you aren't familiar with nmap, learn it. If you're already familiar with it, read the docs again. Seriously. I make it a point to re-read the docs fairly regularly, partly because it changes a little bit from version to version, but also because it does so many things, I can't remember them all.
  • Perl (). Ok, technically it doesn't have to be perl. Really any serious scripting language will do. (Ruby, Python, etc., etc.) The point is that you'll want to be very proficient in at least one cross-platform scripting language. It has saved my bacon more times than I can count.
  • Notepad++ (). Portable! A very robust text editor. If you're looking for a fancy word processor, you're looking in the wrong place. Notepad++ is a great editor that supports having multiple documents open simultaneously (I curse you, Windows Notepad) and it knows how to handle both Windows and *NIX line endings (again, I curse you, Windows Notepad). It supports syntax highlighting for lots of languages and is easily enhanced by way of plugins.
  • Subversion (). Version control. Why version control, you ask? Personally, I hate ever having to do the same work twice, so any time I have a config file or script or something that I've put some effort into, it goes under version control. That way, if I manage to fubar the file (any SysAdmin or programmer who tells you they've never done that is lying), I can retrieve any previous version with no effort.
  • WinMerge (). Portable! Have two text files that you want to compare for differences? WinMerge is the tool for you. In my opinion, the best Windows-based comparison program.
If you have any tools that you think should be added to the list, email me at sifukurt AT yahoo DOT com.

Oct 20, 2006

Argus + GraphViz = Very Cool

Sometimes, it is really handy to be able to get a bird's eye view of your network traffic. I've used (and continue to use) and I love it. It provides great reporting, but sometimes the bird's eye view is necessary. That's where and come into play. Here is the description of Argus from the website:
Argus is a fixed-model Real Time Flow Monitor designed to track and report on the status and performance of all network transactions seen in a data network traffic stream. Argus provides a common data format for reporting flow metrics such as connectivity, capacity, demand, loss, delay, and jitter on a per transaction basis. The record format that Argus uses is flexible and extensible, supporting generic flow identifiers and metrics, as well as application/protocol specific information.
The data that it collects on your network traffic (and it can monitor multiple interfaces simultaneously) is impressive. Argus runs as a daemon process, and you then use the client tools to extract the data from the Argus log. You can either dump the entire log or filter the results for a specific time period, a specific host, or a specific type of traffic. This data can then be fed to GraphViz to generate your graphs. The image below was generated using a Perl script that I wrote (using Perl's GraphViz module, available at any mirror) on Argus data from a 1 hour period.


I color coded the arrows (or "edges" in GraphViz terms). The blue edges are TCP traffic, red is UDP, green is ICMP, and magenta is ARP. For TCP and UDP traffic, I've labeled the edges with the destination port. The only potential downside is that the resulting image can be a little large. Since Argus tracks all of your network traffic, this could be an invaluable tool in the face of some sort of security incident or virus outbreak.
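The author's script was Perl; what follows is an added Python example (not the author's code) that does the same job: it reads Argus flow records, aggregates them into one edge per (protocol, source, destination, port), and emits GraphViz DOT with the colour scheme described above. The sample records are constructed, and the column layout (proto saddr sport daddr dport) is an assumption about how the Argus client was asked to print its fields.

```python
from collections import defaultdict

# Edge colours as in the post: TCP blue, UDP red, ICMP green, ARP magenta.
PROTO_COLOUR = {"tcp": "blue", "udp": "red", "icmp": "green", "arp": "magenta"}

# Constructed sample flow records. Assumption: the Argus client was asked to print
# exactly these whitespace-separated fields: proto saddr sport daddr dport.
SAMPLE_FLOWS = """\
tcp  192.168.1.10 40211 192.168.1.1  80
tcp  192.168.1.10 40212 192.168.1.1  80
udp  192.168.1.10 5353  224.0.0.251  5353
icmp 192.168.1.20 0     192.168.1.1  0
arp  192.168.1.20 0     192.168.1.1  0
tcp  192.168.1.30 33000 10.0.0.5     22
"""

def parse_flows(text):
    """Yield (proto, src, dst, dport) per record; skip blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        proto, saddr, _sport, daddr, dport = parts
        yield proto.lower(), saddr, daddr, dport

def aggregate(flows):
    """Collapse repeated flows into one edge per (proto, src, dst, dport) with a hit count."""
    edges = defaultdict(int)
    for key in flows:
        edges[key] += 1
    return dict(edges)

def to_dot(edges):
    """Render the edges as a directed GraphViz graph, one host per node."""
    lines = ["digraph argus {", "  node [shape=box];"]
    for (proto, src, dst, dport), count in sorted(edges.items()):
        colour = PROTO_COLOUR.get(proto, "black")
        # Only TCP and UDP edges carry a destination-port label, as in the post.
        label = f"{dport} x{count}" if proto in ("tcp", "udp") else f"{proto} x{count}"
        lines.append(f'  "{src}" -> "{dst}" [color={colour}, label="{label}"];')
    lines.append("}")
    return "\n".join(lines)

if __name__ == "__main__":
    # Pipe the output into `dot -Tpng -o traffic.png` to get the picture.
    print(to_dot(aggregate(parse_flows(SAMPLE_FLOWS))))
```

Aggregating before drawing is what keeps the image from exploding on a busy segment: repeated connections become one edge with a count rather than one edge each.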

Oct 12, 2006

OSSEC Host-based Intrusion Detection

I've used a lot of different file integrity monitoring programs (Samhain, Osiris, and Tripwire just to name a few), and I've messed with a number of different programs for log parsing and event correlation. Then I found , which takes all of these things to an entirely new level. Now instead of having to manage multiple different software packages, I can do it in one. But that's not the coolest thing. OSSEC will allow you to monitor syslog and Windows event logs as well as Apache, IIS, Snort, and numerous other logs from a single location, and it has a very robust set of rules to do event correlation. If you are so inclined, you can even take advantage of the Active Response option and have OSSEC disable accounts, drop in firewall rules, etc., etc. Plus it does file integrity monitoring on top of it all.

The server must be installed on a Linux or UNIX box, but the agent installs on just about anything, including the ubiquitous Windows platform. The agents can be configured to encrypt all of their communication with the server, and for systems on which you can't install the agent (networking gear, for example), you can configure syslog on those devices to forward their syslog entries to the OSSEC server. OSSEC then seamlessly integrates all of these and creates a single, cohesive alerts file as well as breaking down alerts into daily files for easy review. Overall, very impressive. My only complaint is the reporting. The alerts file is fairly straightforward, but it is a flat text file. OSSEC comes with a few contrib scripts that will generate some text reports for you, but again, just flat text files. Ideally, I'd like to see a way to generate HTML reports (both summary and detailed reports) that are much better for sending to management and/or those who are less technically inclined. I suspect I'll probably end up writing such a tool myself as I have been unable to find one.
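As an added example (not OSSEC's own code or the author's), here is the skeleton of the kind of summary report described above: it parses the flat alerts file into records, counts them by rule and level, and renders an HTML table. The sample alerts are constructed, and the alert layout (a `** Alert` header, a date/agent line, a `Rule: <id> (level <n>) -> '<description>'` line, an optional `Src IP:` line) is assumed from memory of the file format rather than taken from this page.

```python
import re
from collections import Counter
from html import escape
# Constructed sample in the alerts-file layout (as I recall it): a '** Alert' header,
# a date/agent line, "Rule: <id> (level <n>) -> '<description>'", an optional Src IP.
SAMPLE_ALERTS = """\
** Alert 1160640000.1001: - syslog,sshd,authentication_failed,
2006 Oct 12 09:00:00 (web01) 192.168.1.10->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 10.0.0.5
Oct 12 09:00:00 web01 sshd[2211]: Failed password for root from 10.0.0.5 port 4022 ssh2
** Alert 1160640060.1002: - syslog,sshd,authentication_failures,
2006 Oct 12 09:01:00 (web01) 192.168.1.10->/var/log/auth.log
Rule: 5720 (level 10) -> 'Multiple SSHD authentication failures.'
Src IP: 10.0.0.5
** Alert 1160640120.1003: - ossec,syscheck,
2006 Oct 12 09:02:00 web01->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/passwd'
"""

RULE_RE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$")
SRCIP_RE = re.compile(r"^Src IP: (\S+)$")

def parse_alerts(text):
    """Split on '** Alert' headers; pull rule id, level, description and source IP."""
    alerts = []
    for block in text.split("** Alert ")[1:]:
        rec = {"src_ip": None}
        for line in block.splitlines():
            m = RULE_RE.match(line)
            if m:
                rec.update(rule=int(m.group(1)), level=int(m.group(2)), desc=m.group(3))
            m = SRCIP_RE.match(line)
            if m:
                rec["src_ip"] = m.group(1)
        if "rule" in rec:          # ignore fragments with no Rule line
            alerts.append(rec)
    return alerts

def summarise(alerts, min_level=0):
    """Count alerts per (rule, level, description), dropping those below min_level."""
    return Counter((a["rule"], a["level"], a["desc"]) for a in alerts if a["level"] >= min_level)

def to_html(summary):
    """Render the summary as a table, highest level first, then most frequent."""
    rows = ["<table><tr><th>Level</th><th>Rule</th><th>Description</th><th>Count</th></tr>"]
    for (rule, level, desc), n in sorted(summary.items(), key=lambda kv: (-kv[0][1], -kv[1])):
        rows.append(f"<tr><td>{level}</td><td>{rule}</td><td>{escape(desc)}</td><td>{n}</td></tr>")
    rows.append("</table>")
    return "\n".join(rows)
```

Run `print(to_html(summarise(parse_alerts(open("alerts.log").read()), min_level=7)))` against a real alerts file to get a management-friendly summary of the higher-severity rules; the description text is HTML-escaped because log contents end up in it.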

At any rate, OSSEC is very powerful and very cool. It does a lot of stuff very effectively, very thoroughly, and relatively easily. Check it out.

Oct 6, 2006

Gratuitous Self-Promotion

I've had several occasions over the last couple weeks to refer people to a paper that I wrote that is published at Infosecwriters.com. The paper is entitled "Securing Network Communication with Stunnel, OpenSSH, and OpenVPN." If you have need to secure your communication on a small or even modestly large basis, take a look at it. I included configs that you can copy and paste. The paper is compiled from many hours of tinkering with configs for various purposes. It doesn't take the place of the full docs for these tools, but it'll get you up and running in short order.

The Metasploit Project

I love Metasploit, and it just keeps getting better and better. If you haven't already done so, head over to Metasploit and check it out.

Read more at www.metasploit.com/

Top 100 Security Tools

Not exactly the cutting edge of new information, but I was just combing through this list again today so I thought I'd mention it here. If you haven't already, you really owe it to yourself to check out the Top 100 Security Tools. Great list of tools and well worth your time.


Oct 4, 2006

SnortSam, where have you been all my life?

I have been using for years and years. A couple years ago I started messing with Snort_inline. Great concept, works beautifully. The downside is that Snort only works in inline mode when used in conjunction with iptables. Recently I was tinkering with a Linux box in VMware's and I was trying to get Snort_inline to work, alas to no avail. (Side note: if you haven't played with Virtual Server, you don't know what you're missing. Go get it now and download some of the Virtual Appliances. You won't be disappointed.) So I decided to take a look at , a tool that I've had on my list of things to mess with for ages, but I just never got around to it. One word: wow. The possibilities for things you can do with Snort and SnortSam are nearly endless. It took a few minutes to get configured correctly and there were a couple of failed attempts on my part before I finally got it configured the way I wanted. All told about 20 minutes. It affords the opportunity to leverage just about any existing infrastructure and quickly create a full-blown IPS network. SnortSam is now on my short list of invaluable tools.