FUG-BR / Grupo Brasileiro de Usuarios de FreeBSD

07.01

Inicio

Todas Categorias

Principal

Contador Usuários FUG

DOC-BR (FUG BR)

+ Noticias

Sem conta? Crie uma

Todas as Categorias de Noticas Externas
Web site Grupo Brasileiro de Usuarios FreeBSD
Noticias do Web site FUG-BR

Lançado o FreeBSD 7.1-RELEASE O Time de Engenharia de Versões do FreeBSD tem o prazer em anunciar a disponibilidade do FreeBSD 7.1-RELEASE. Este é o segundo release do branch 7-STABLE, que aumenta a funcionalidade do FreeBSD 7.0 e introduz alguns novos recursos. Vejamos algumas: O escalonador ULE é agora padrão no kernel GENERIC para arquiteturas i386 e amd64. O escalonador ULE aumenta significativamente a performance em sistemas multiprocessador de alta demanda.Suporte a DTRACE embutido no kernel importado do OpenSolaris. DTrace é um poderoso framework de tracing dinâmico.Um novo e bastante melhorado cliente NLM (NFS Lock Manager).Mudanças no Boot loader permite, além de outras coisas, bootar de um dispositivo USB e bootar de dispositivos GPT-labeled.A chamada de sistema cpuset(2) e o comando cpuset(1) foram adicionados, fornecendo uma API para thread por CPU binding e recurso de CPU para agrupamento e atribuição.KDE foi atualizado para 3.5.10, e GNOME foi atualizado para 2.22.3.Mídia tamanho-DVD para arquiteturas i386 e amd64.Para uma lista completa de novos recursos e problemas conhecidos, por gentileza veja as notas de versão online e a lista de errata, disponível em:http://www.FreeBSD.org/releases/7.1R/relnotes.html (http://www.FreeBSD.org/releases/7.1R/relnotes.html) http://www.FreeBSD.org/releases/7.1R/errata.html (http://www.FreeBSD.org/releases/7.1R/errata.html) Para mais informações sobre as atividades de engenharia do FreeBSD, por gentileza veja:http://www.FreeBSD.org/releng/ (http://www.FreeBSD.org/releng/) Lançado o FreeBSD 7.1-RC2 O último dos candidatos a RELEASE foi lançado no dia 25 de Dezembro em 2008. A menos que seja encontrado algum motivo significativo, dentre no máximo duas semanas deverá sair o esperado FreeBSD 7.1-RELEASE. O atraso foi devido ao último Security Advisory divulgado, mas segundo Ken Smith, apartir da próxima semana já começa a construção da nova versão.NOTAS: Se for atualizar de um FreeBSD 7.0 ou superior, deverá notar mudanças na nomenclatura de algumas placas intel, por favor consulte a entrada 20080811 em /usr/src/UPDATING para mais detalhes, apenas três placas deverão ter seus nomes de em(4) para igb(4).Leia o anúncio oficial:http://lists.freebsd.org/pipermail/freebsd-stable/2008-December/047203.html (http://lists.freebsd.org/pipermail/freebsd-stable/2008-December/047203.html) iPod A1285 com GTKPod no FreeBSD. Esse pequeno tutorial (http://www.mavetju.org/weblog/html/00272.html) ensina como fazer modificacões no iPod para o GTKPod reconhecer o A1285 no FreeBSD.Provavelmente funciona em qualquer outra versão do iPod que o GTKPod não reconheça sozinho. FreeBSD agora com suporte a processadores Geode LX. FreeBSD suporta os processadores AMD Geode praticamente desde que existem. Contudo uma nova série, Fit-PC (http://www.fit-pc.com/new/specifications.html) é montado. Já é possível usar FreeBSD nesses dispositivos, e praticamente tudo, inclusive aceleração criptográfica por hardware, ja está disponível.A única exceção é o suporte a áudio; porém, já tem o dispositivo funcional, e assim que incorporado [ref (http://fixunix.com/freebsd/540374-re-re-hardware-support-amd-geode-cs5536-audio.html)] no -CURRENT, entrará também no RELENG_7 (provavelmente meados do 7.1-STABLE) através de MFC. Acompanhe discussão na lista da FUG a esse respeito [ref (historico/html/freebsd/2008-12/msg00352.html)]. Contribuindo com I18N do pfSense e PC-BSD (Pootle). Muita gente se interesse em ajudar o Projeto FreeBSD ou projetos associados ao FreeBSD, e muitas vezes procura saber sobre como contribuir com a FUG ou a comunidade brasileiro. Normalmente sempre indicamos que, se o interesse for técnico, pode começar adotando um port (content/view/247/9/) ou submetendo patches e enviando send-pr(1). Alguns que se interessam por contribuir com o DOC-BR (http://doc.fug.com.br) ficam desmotivados quando descobrem que tem que aprender SGML (não é pra menos, desmotiva até o mais bem intencionado).Então eis uma forma de ajudar, alguns projetos como pfSense e PC-BSD tem a internacionalizacão padronizada em gettext. Dessa forma é fácil traduzir os arquivos de mapa do gettext através dos servidores Pootle. Então se você quer contribuir com aquele 5 minutinhos livre que você tem por dia, eis a dica: se registre nos servidores Pootle dos projetos e sempre que puder, sugira ou submeta uma traducão de uma (ou mais, se der tempo) sentenças.http://www.pfsense.com:8080/ (http://www.pfsense.com:8080/) http://www.pcbsd.org:8080/pt_BR/pcbsd/ (http://www.pcbsd.org:8080/pt_BR/pcbsd/%20) No Brasil o principal contribuidor com a internacionalizacão para pt-br do pfSense é o Luiz Gustavo; se desejar entre em contato com ele (http://www.luizgustavo.pro.br/doku.php?id=contato). Assim sendo fica a chamada: Nessas férias, traduza uma frase por dia. Lançado PC-BSD 7.0.2 baseado no FreeBSD 7.1-PRERELEASE. O PC-BSD 7.0.2 foi lançada há alguns dias; a nova versão traz como principal mudança de núcleo ser baseado agora no FreeBSD 7.1-PRERELEASE e a interface gráfica agora está com KDE 4.1.3.O PC-BSD 7.0.2 tem uma série de modificacões em uma atualizacão de 570MB, a lista completa de mudanças pode ser lida aqui (content/view/90/30/). As modificacões mais importantes são:KDE 4.1.3;Melhoria na performance de ambiente Desktop com placas de vídeo Nvidia;Melhorado suporte à escrita no NTFS;Melhorias e correções na Camada de Acesso a Hardware;Correções de bugs do instalador e atualizador;A versão mais recente do PC-BSD pode ser baixada por download (content/view/21/11/) ou se você já tem PC-BSD 7.0.1 pode fazer atualização através da Ferramenta de Atualizacão do Sistema ou baixando o PBI de atualizacão. (http://www.pbidir.com/bt/pbi/163/system_update_7_0_2) A atualizacão automatizada é o método recomendado. Pessoalmente já fiz a atualizacão em múltiplos ambientes, todos sem qualquer problema. O processo é demorado, cerca de 30 minutos após o boot, sem contar o download. A atualização é grande (570MB) não é a toa, a mudança é drástica, praticamente o CD1 inteiro, uma vez que inclui o próprio KDE e o FreeBSD inteiro. A atualizacão apesar da demora (justificável pelo tamanho da mudança) é transparente. Você conhece o SCTP (Stream Control Transmission Protocol)? FreeBSD 7 é uma grande oportunidade. SCTP (Stream Control Transmission Protocol) é um novo protocolo de transporte de dados sobre IP. Foi criado por um consórcio de empresas e orgãos que se batiza The Internet Society, composto da Cisco Systems, da Siemens, da Universidade de Berkeley Califórnia, da Universidade de Los Angeles Califórnia, da Motorola, Nortel e outras. É definida inicialmente na RFC 2960 (já temos drafts complementares), e tem como principal autor Randall Steward, da Cisco Systems que coordenou o trabalho de pesquisa e desenvolvimento, produziu o rascunho que deu origem ao Draft formal que se tornou a RFC em questão. É também o desenvolvedor chefe por trás da primeira implementacão formal pública, financiada pela Cisco: a do FreeBSD. Disponível desde o FreeBSD 7 -CURRENT e inclusa por padrão no FreeBSD 7.0-RELEASE (no kernel padrão inclusve).Bem na verdade existiram anteriormente versões do SCTP para FreeBSD desde meados do FreeBSD 5 -CURRENT, iniciativa de Randall Stewart. Depois, em 2001 ele criou o LKSCTP (http://lksctp.sf.net) ou Linux Kernel SCTP. Também iniciativa do mesmo Stewart, que manteve foco de seu trabalho no FreeBSD, até que em acordo com a Cisco, em Setembro de 2006 se tornou src commiter [ref (http://lists.freebsd.org/pipermail/cvs-all/2006-September/186610.html)] sob aprovacão direta do Core Team e mentorado por George V. Neville-Neil (membro do Core Team), e passou a trabalhar formalmente na primeira (e principal) implementacão formal do protocolo.Historia à parte, vamos aos fatos: o protocolo SCTP tem sua principal motivacão ser um protocolo de transporte mais confiável e robusto que o TCP e o UDP. Certo, frase genérica essa. Na prática a comunicacão de voz e vídeo em seus primórdios apontaram logo uma série de fragilidades e limitaćões nos protocolos TCP e UDP que já eram conhecidas, mas amenizadas e até mesmo transpostas, possíveis de se conviver, com outros protocolos. Mas que com voz e vídeo tem se mostrado cada vez mais críticas. A idéia por trás do SCTP é por em prática tudo que apredemos com o TCP e UDP e criar uma evolucão direta destes, que resolva os problemas e as limitacões conhecidas e que amenize impacto de problemas que ainda não identificamos.O protocolo SCTP cedo ou tarde (espero que não na mesma toada do IPv6) se tornará o protocolo de transporte padrão, substituindo ambos TCP e UDP. Isso mesmo o protocolo foi criado para substituir se não o coracão, as artérias da Internet: os protocolos de transporte mais conhecidos, e os mais populares orientados à porta (ao lado do DDP - ok DDP não é popular...). De fato o SCTP tem sido testado nesse sentido, e temos resultados muito bons enquanto sob algumas condicões o TCP ainda tem performance melhor. Seja como for para um protocolo recém nascido SCTP já apresenta ótimos resultados na maioria dos cenários testados. Lembra-se de quando você lia o What's Cooking for FreeBSD 7 e lá estava: SCTP. Pois bem, ele está ai, efetivo, estável e pronto. Isso quer dizer que passou da hora de você conhecer mais a respeito. Aos estudantes, professores e alunos universitários: passou da hora de pesquisar, testar e escrever a respeito. Por enquanto SCTP parece tema limitado a trabalhos de pós, mestrado e afins. Está na hora de populariza-lo.Eu estou sendo co-orientador de graduacão em uma universidade local sobre SCTP. Tenho um amigo pessoal (hoje funcionário da Microsoft, em Seattle) que fez seu mestrado desenvolvendo aplicacões em SCTP e realizando testes comparativos de performance. Mas para ai o que sei sobre brasileiros envolvidos.Então é hora de conhecer mais o protocolo, comecando por:Paper sobre SCTP do Randall Stewart, BSDCan 2008. (http://www.bsdcan.org/2008/schedule/attachments/44_bsdcan_sctp.pdf)Resumo da Apresentacão por Jeremy Reed (NetBSD / BSD Certification). (http://kerneltrap.org/FreeBSD/BSDCan_2008_Stream_Control_Transmission_Protocol)Tag Permanente do Projeto FreeBSD sobre SCTP. (http://www.freebsd.org/multimedia/tag-sctp.html)SCTP na Wikipedia. (http://en.wikipedia.org/wiki/Stream_Control_Transmission_Protocol)Introducão ao SCTP - Bluecat Journal. (http://my.opera.com/blu3c4t/blog/2008/10/10/sctp-protocol-and-its-implementation-at-freebsd-networking-stack-briefly)SCTP sobre NAT no FreeBSD 7.0 - Anúncio (http://www.mail-archive.com/freebsd-ipfw@freebsd.org/msg01810.html) do CAIA e SONATA - resultado (http://caia.swin.edu.au/urp/sonata/downloads.html). Traduzindo TCP para SCTP por Ryan Bikhart da Cisco, Euro BSDCon 2007 (http://2007.eurobsdcon.org/talk-tcp-sctp-translation-shim.html).Versão customizada do Apache 2 com suporte SCTP. (http://www.sctp.org/apache2043.tar.gz)E do lado cliente, versão do Mozilão com SCTP para acessar o Apache acima. (http://www.sctp.org/mozilla.tar.gz)Ahh não gosta do Mozilão e prefere Firefox? Firefox com SCTP aqui, junto com leitura recomendada de pesquisa e benchmarking. (http://www.cis.udel.edu/%7Eleighton/)Site oficial da iniciativ SCTP. (http://www.sctp.org/)Artigo Introdutório no Linux Journal. (http://www.linuxjournal.com/article/9748)Implementando protocolo FTP com SCTP. (http://whitepapers.techrepublic.com.com/abstract.aspx?docid=330985)Artigo que discute porque SCTP é necessário num mundo com TCP e UDP. (http://www.isoc.org/briefings/017/)Tutorial de Introducão ao SCTP do IEC. (http://www.iec.org/online/tutorials/sctp/index.asp) O trabalho que estou coordenando envolve como produto de pesquisa e testes uma reimplementacão do qmail-smtpd.c e do qmail-remote.c com suporte a SCTP. Ficarei feliz em compartilhar os resultados e novidades tão logo tenhamos resultados concretos. Mas lógico, você não vai esperar para comecar correr atrás e conhecer esse novo protocolo de transporte. Adicionando suporte a D-Link DWL-G650+ (todas elas) no FreeBSD. Ao longo desse artigo vamos adicionar suporte no FreeBSD a placa wireless 802.11g D-Link DWL-G650+, conhecida como DLink Airplus Extreme G+, que usam algum chipset da Texas Instrument. Vamos observar que é uma loteria descobrir que placa você tem em mãos.O artigo serve também como dica para se pensar bem antes de adquirir uma placa DLink. Não que seja ruim, nem boa. É que você não tem a menor garantia do que esta comprando.Ao final do artigo teremos uma acx0 funcionam e sendo controlada. PBI: Entendendo como funciona o formato de pacotes do PC-BSD. Ao longo desse arquivo damos uma olhada mais detalhada no principal componente que constituo o PC-BSD: os arquivos PBI (instaladores automáticos de aplicacões do PC-BSD). O PC-BSD usa uma abordagem inteligente e muito funcional, que gera um resultado muito prático, mas tem alguns efeitos colaterais.Esse é um artigo com uma (bem pequena) dosagem técnica, e portanto menos voltado para o usuário doméstico convencional. Vamos entender como se constitui, como funciona, e qual é o resultado final gerado por uma aplicacão instalada a partir de um PBI. PC-BSD: Todo o Poder de uma Estacão de Trabalho BSD Unix, voltado ao Usuário Doméstico. Nesse pequeno artigo você acompanhará uma introducão ao PC-BSD, o FreeBSD customizado para Desktop, focado no usuário doméstico comum. Ao longo do artigo apresento minhas impressões pessoais, depois de alguns dias de uso intenso do PC-BSD. O PC-BSD tem elementos de amigáveis e torna a experiência com um Desktop Workstation Unix simples e práticas, e acima disso, o fato de ser FreeBSD, torna a experiência com níveis de estabilidade, performance e seguranca que devem ser observados por qualquer pessoa que queira um sistema fácil de usar, sem precisar se preocupar com muitos detalhes técnicos.Esse artigo é focado a novos usuários BSD e a usuários Linux, e também a quem tem considerado opcões ao Windows, seja por motivos financeiros ou técnicos, e tem testado distribuicões Linux, considere testar também o PC-BSD.

[Voltar]

FUG-BR - Espalhando BSD

Dicas Rápidas:

# split -b 1m grande parte
Quebra o arquivo em partes de 1mb

# split -b 1500k grande parte
Quebra o arquivo em partes de 1.5mb

Wallpapers

Fontes Externas

FreeBSD Multimedia Resources List FreeBSD Multimedia Resources
bsdtalk - Michael Lauth from iXsystems - MP3 version

Michael Lauth from iXsystems - MP3 version
From: bsdtalk
Tags: bsdtalk, interview, ixsystems, michael lauth, mp3
Interview with Michael Lauth, CEO of iXsystems. We talk about his experiences with running a business using BSD.

bsdtalk - Michael Lauth from iXsystems - Ogg version

Michael Lauth from iXsystems - Ogg version
From: bsdtalk
Tags: bsdtalk, interview, ixsystems, michael lauth, ogg
Interview with Michael Lauth, CEO of iXsystems. We talk about his experiences with running a business using BSD.

Nederlandse Linux Gebruikers Group - Een historisch overzicht van BSD - Hans van de Looy - PDF version

Een historisch overzicht van BSD - Hans van de Looy - PDF version
From: Nederlandse Linux Gebruikers Group
Tags: nllgg, bsd, history, hans van de looy, pdf

Hans zal een historisch overzicht geven van het ontstaan van *BSD vanaf de oorsprong van UNIX tot aan de nu bekende *BSD varianten. Hij zal daarbij met name ingaan wat de oorsprong en het ontstaan van een aantal *BSD-projecten zijn. Hierbij zal hij zeer kort ingaan op de verschillende licentieproblemen die we in het verleden gezien hebben en worden een aantal bekende personen en data weer eens even op de kaart geplaatst.

Hans van de Looy is oprichter van Madison Gurkha. Een bedrijf dat gespecialiseerd is op het gebied van het uitvoeren van technische ICT-beveiligingsonderzoeken, in de media ook wel aangeduid met Etisch Hacken. Tijdens dergelijke onderzoeken maakt hij ook regelmatig gebruik van op BSD* gebaseerde systemen.

YouTube bsdconferences channel - May 2008 developer Vimage report - Flash

May 2008 developer Vimage report - Flash
From: YouTube bsdconferences channel
Tags: youtube, freebsd, vimage, marko zec, julian elischer, flash
A sneak peak into the FreeBSD development process.
Warning 2 hours! filmed over 2 days. (The schedule worked out was optimistic to say the least but it's still looking ok...)
Marko Zec and Julian Elischer report back to the developers at BSDCan on the progress on virtualizing the network stack in FreeBSD. This has been a long term project but at the time of this recording was just reaching the point of feasibility. In this video you can see some of the dynamics of the group as developers become familiar with the project and discussions take place regarding such things as maintainability, ABI compatibility, and even what to call the feature. In this video you can see the decision being made by a "quorum" of developers to take this project mainstream.
The sound is less that perfect, but it's what we have.
This is a montage of 3 video sources, one of which is a lower resolution, but at times it was the only camera capturing the action. (the other ran out of tape for a while)
Thanks to Ed Maste for the added footage.
I will be doing more editing later and will be substituting in better footage in some places.
clive URL: http://au.youtube.com/watch?v=Px-pSXm32dE

YouTube bsdconferences channel - Isilon and FreeBSD - Flash

Isilon and FreeBSD - Flash
From: YouTube bsdconferences channel
Tags: youtube, freebsd, isilon, zach loafman, flash
Zach Loafman explains how Isilon uses FreeBSD and how the company adds to it and interacts with the FreeBSD community.
clive URL: http://au.youtube.com/watch?v=OlMocIwM5QU

Nederlandse Linux Gebruikers Group - Van FreeBSD Documentatie projectleider tot FreeBSD Developer - Remko Lodder - PDF version

Van FreeBSD Documentatie projectleider tot FreeBSD Developer - Remko Lodder - PDF version
From: Nederlandse Linux Gebruikers Group
Tags: nllgg, freebsd, documentation, nederlands, remko lodder, pdf

In 2004 ben ik begonnen met het FreeBSD Dutch Documentation Project, een project dat inmiddels bijna het complete handboek vertaald heeft. Sinds die tijd zijn er vele wegen geweest die ik behandeld heb, van documentatie projectleider naar Security Team-lid tot aan FreeBSD Developer.

Remko Lodder is momenteel 25 jaar en werkt als Unix Engineer voor het bedrijf Snow B.V. waar hij zich momenteel met name bezig houd met security (firewalls etc). Hij is sinds 2004 lid van het FreeBSD Development team en is momenteel 1 van de meest actieve developers binnen het team.

I've been an infrequent yet admiring user of Metasploit for about four years, but I've never tried it on Windows. It strikes me as being something I "just shouldn't do," like running Nmap on Windows or (shudder) Snort on Windows. However, while preparing labs for my upcoming class, I thought I would give version 3.2 a try. It worked very well, at least for the simple test I ran.

After installing the .exe and launching the new app, I saw this window:

I decided to try exploiting a vulnerable Samba server:

When I set the parameters I ran the exploit:

When I got my session I interacted with a root shell on the victim.

By identifying the process started on the victim (PID 2216) and running lsof, you can see the vulnerable service which Metasploit attacked.

Incidentally, my take on why having these sorts of tools available is In Defense of HD Moore, from three years ago.

Great work Metasploit team!

Richard Bejtlich is teaching new classes in DC and Europe in 2009. Register by 1 Jan and 1 Feb, respectively, for the best rates.

Recommendation for an Introduction to Unix

A regular blog reader asked me for recommendations on books to learn Unix, and which Unix to learn. I still remember asking my "Unix and Solaris Fundamentals" instructor in 1997 to recommend a book on Unix for me. I thought I would share my response here.

I think, as a beginner, you have to decide what you want to learn. I'll try to keep this description generic yet answer the reader's question. The person who asked the question requested an emphasis on the command line, rather than administration using GUIs.

As you might have guessed, I recommend trying FreeBSD. In fact FreeBSD 7.1 was released today. FreeBSD is a great OS for beginners, especially those who want to rely on the command line.

I am reluctant to suggest trying to learn a new OS without a good reference, but luckily a modern and thorough book arrived a little over a year ago. Michael Lucas' book Absolute BSD, 2nd Ed is probably the best pure introductions to Unix administration available. (I mean that of all the books out there, regardless of OS, Michael's book is the best, especially for beginners.)

Four years ago I posted reasons I like FreeBSD, if you want to see my overall thoughts on the OS.

After reading Michael's book, I suggest deploying services by reading Building a Server with FreeBSD 7
by Bryan J. Hong. Brian wrote a cookbook for building various servers on FreeBSD 7.x.

I don't recommend running FreeBSD on the desktop. I prefer my desktop to "just work," and I work in a GUI environment (although I tend to install software via command line anyway). I used to run FreeBSD on my laptop, but now I use Ubuntu. For me, Ubuntu "just works." I don't worry about anything. That's what I want in a more fluid environment like a desktop. PC-BSD is an option on the desktop, but I don't run it.

If you're more inclined to use Linux everywhere, then I suggest Debian on servers and Ubuntu on your desktop. The nice aspect of pairing these two is that Ubuntu is essentially Debian underneath. Ubuntu (or even Debian) is also more likely to be natively supported for many desktop applications, whereas FreeBSD might be a little less supported.

Richard Bejtlich is teaching new classes in DC and Europe in 2009. Register by 1 Jan and 1 Feb, respectively, for the best rates.

IPv6 Tunnel on Windows XP Using Freenet6

Almost two years ago I described testing IPv6 using Freenet6 on FreeBSD. This morning I decided to try the same on Windows XP and document the process here.

I needed to use a tunnel method like Freenet6 because the test host is behind NAT.

First, visit go6.net and click "Free IPv6 Connectivity with Freenet6". Register yourself a user account. To install on my Windows XPSP3 32-bit system I downloaded "Gateway6 Client 6.0-BETA4 Windows Installer 32-bit". I installed and accepted the defaults:

When I first tried installing the software I got an error which denied installing the TUN driver. I had to back out of the installation and change this local group policy key using gpedit.msc:

I changed "Do not allow installation" to "Warn but allow installation" under Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> Devices: Unsigned driver installation behavior.

Once The Freenet6 client was running I configured it with the username and password I registered, and I set broker.freenet6.net as my Gateway6 address. Once I connected I could visit ipv6.google.com, and even check my IPv6 address online.

You may notice I installed the ShowIP Firefox addon. I learned about that from Command Information. It's a good way to try to keep track of the IP address you're using to access IPv4 or IPv6 sites.

I was also able to access sites from cmd.exe, using ping6 to ping ipv6.google.com and ftp to connect to the IPv6-only FTP server at ftp6.netbsd.org.

I think the Freenet6 client is a good way for people behind NAT (or in the case of the test VM here, two NATs) to access IPv6-enabled sites.

Richard Bejtlich is teaching new classes in DC and Europe in 2009. Register by 1 Jan and 1 Feb, respectively, for the best rates.

BGPMon On Illegitimate Route Announcement

In November I posted BGPMon on BGP Table Leak by Companhia de Telecomunicacoes do Brasil Central. A lot of people saw that activity but the overall effect was negligible to nonexistent.

Yesterday I received a more personalized alert from BGPMon:


You Receive this email because you are subscribed to BGPmon.net.
For more details about these updates please visit:
http://bgpmon.net/showupdates.php

====================
WithDraw of More Specific (Code: 23)
2 number of peer(s) detected this updates for your prefix 3.0.0.0/8:
Update details: 2009-01-01 08:33 (UTC)
3.3.3.3/32
====================
Possible Prefix Hijack (Code: 11)
2 number of peer(s) detected this updates for your prefix 3.0.0.0/8:
Update details: 2009-01-01 08:31 (UTC)
3.3.3.3/32
Announced by: AS15475 (NOL)
Transit AS: 8452 (TEDATA TEDATA)
ASpath: 29073 9009 19151 4788 8452 15475

Checking WHOIS data for AS15475 shows:


% Information related to 'AS15475'

aut-num:        AS15475
as-name:        NOL
descr:          Nile Online
descr:          Giza,Egypt
descr:          For any abuse complain contact abuse@nile-online.com

So, an ISP in Giza, Egypt announced a 3.3.3.3/32 route to the Internet. That looks like some kind of test. I used to be amazed to see a /32 route appear like this in global BGP tables, but now that I know most ISPs don't filter anything I am not so surprised anymore. Previously I would have thought one of the AS in the AS path would have filtered this.

Richard Bejtlich is teaching new classes in DC and Europe in 2009. Register by 1 Jan and 1 Feb, respectively, for the best rates.

Predictions for 2009

I better get with the program and post my 2009 predictions before any more of the new year slips by. I plan to build on my Predictions for 2008 in Hindsight and add a few new thoughts.

Expect greater government involvement in assessing the security of private sector networks. I wasn't inventing this a year ago, and I'm not inventing it now. I'm extrapolating from a trend line. My post Letters You Will Need to Know: 201 CMR 17.00 is just the latest example of increasingly aggressive government involvement in private sector security matters.

Expect to start learning about IPv6, or be confused quickly. 2009 is not the year of IPv6, but we're getting there. The US Department of Defense is already grappling with IPv6, despite the compliance charade of mid-2008. Wider adoption of Microsoft Vista and its tunnel mechanisms, along with IPv6-active consumer devices, are driving IPv6 in one form or the other into our lives.

Expect at least one cloud security incident to affect something you value. This is not the great Cloud Security blog, but I know many of us are already depending on cloud services. In 2007 and 2008 we started suffering denial when services suffered problems of availability. Next will be disclosure and then degradation. For more on these terms read First They Came for Bandwidth...

Expect network security to matter again. I may be a little late on this one, given problems we had with DNS, BGP, and even SSL in 2008. I think these sorts of problems demonstrate that there's lots of vulnerability left outside the platform, operating system, and applications. As IPv6 becomes more important this one is going to the top of the list, probably in 2010.

Expect to buy fewer "new" security products. We need to get back to basics by answering the sorts of questions that appeared in my post Marcus Ranum on Network Security. In tough economic times, managers are not going to spend on new equipment if they still don't know what the stuff you just bought does. Spend more time on consolidation and specialization and less time on looking for the next security silver bullet.

Good luck in 2009 everyone. It's going to be a good year -- "fine in '09"!

Richard Bejtlich is teaching new classes in DC and Europe in 2009. Register by 1 Jan and 1 Feb, respectively, for the best rates.

Predictions for 2008 in Hindsight

In late 2007 I posted Predictions for 2008, my first foray into the world of prognostication. I'd like to review what I said to see how those ideas panned out.

Expect greater government involvement in assessing the security of private sector networks. This is happening but not to the extent I expected. I predict more of this in 2009.

Expect greater military involvement in defending private sector networks. This also started to happen, as noted in my post Predictions Panning Out. I now think this point will happen more slowly than #1.

Expect increased awareness of external threats and less emphasis on insider threats. I nailed this one. In my posts More on 2008 Predictions and Insider Threat Prediction Materializing I documented several cases. Looking to a recent Jeremiah Grossman post as well, I doubt all those Web app hackers are insiders!

Expect greater attention paid to incident response and network forensics, and less on prevention. You can't expect people to stop thinking about prevention, but detection and especially response are huge right now. Check out the results of the SANS coolest security jobs survey. IR and forensics are at the top.

Expect talk of an "IPv6 gap," especially with respect to China. I missed this one. I really expected the Chinese to brag about their IPv6 network and for our politicians to push for some kind of upgrade to "catch" them. I wonder if President Obama will advocate IPv6 as part of his Internet infrastructure initiatives?

Richard Bejtlich is teaching new classes in DC and Europe in 2009. Register by 1 Jan and 1 Feb, respectively, for the best rates.

Best Book Bejtlich Read in 2008

If I read and reviewed a book you wrote in 2008, this was one of the better years to win my Best Book Bejtlich Read award. I only read and reviewed 20 books this year, compared to 17 in 2000, 42 in 2001, 24 in 2002, 33 in 2003, 33 in 2004, 26 in 2005, 52 in 2006, and 25 in 2007.

My 2007 and 2006 winners are posted too. Although I've been reviewing books seriously since 2000 and blogging since 2003, I only started listing my favorite books in 2006.

I did not spend enough time "hanging in the sky" (to quote John Denver) reading a book, and too much of my day job spilled into my evening reading hours. I prefer to avoid long-haul air travel, so I don't expect to read more on planes in 2009. Regarding work-life balance, I have more help at work for detection and response duties. We'll see how 2009 fares with respect to reading overall.

My ratings for 2008 can be summarized as follows:

5 stars: 7 books

4 stars: 8 books

3 stars: 4 books

2 stars: 1 book

1 star: 0 books

Here's my overall ranking of the five star reviews; this means all of the following are excellent books.

7. Beginning Perl, 2nd Ed by James Lee. Lee's book is excellent from start to finish. I found his explanations very clear and his writing style lively. He covered just about everything I hoped to read in a book of roughly 400 pages.

6. OSSEC HIDS by Rory Bray, Daniel Cid and Andrew Hay. I have to congratulate the author team for OHG. Writing a book for Syngress with many contributors is usually a recipe for disaster. OHG features three lead authors, four contributors, and one foreword author -- and they don't step on each others' toes.

5. Virtual Honeypots: From Botnet Tracking to Intrusion Detection by Niels Provos and Thorsten Holz. If you are at all interested in potentially deceiving intruders, buy and read Virtual Honeypots. You'll learn about more than VMware (QEMU, UML, etc.) as well as numerous open source tools you can download and try for free.

4. Googling Security: How Much Does Google Know About You? by Greg Conti. There's no question that Greg Conti writes excellent books. Last year's Security Data Visualization book earned 5 stars, and I put Googling Security in the same league. Conti takes a thorough and methodical look at the privacy consequences of Google's services, incorporating technical realities and thoughtful analysis.

3. Nmap Network Scanning by Gordon "Fyodor" Lyon. If you are looking for *the* book on Nmap, the search is over: NNS is a winner.

2. Applied Security Visualization by Raffy Marty. I think ASV is a great book on security visualization, but it will also help general security practitioners.

And, the winner of the Best Book Bejtlich Read in 2008 award is...

1. Malware Forensics: Investigating and Analyzing Malicious Code by Cameron H. Malin, Eoghan Casey, and James M. Aquilina. Malware Forensics is an awesome book. Last year Syngress published Harlan Carvey's 5-star Windows Forensic Analysis, and now we get to enjoy this new title. I should disclose that I co-wrote a forensics book with Curtis Rose, and I just delivered a guest lecture in a class taught by Eoghan Casey. However, I still call books as I see them, regardless of the author.

I can confidently say that anyone interested in learning how to analyze malware, or perform incident response, will benefit from reading Malware Forensics. The authors even maintain a Web site -- malwareforensics.com -- to support the book.

Looking at the publisher count, top honors in 2008 go to Addison-Wesley for 3 titles, followed by Syngress with 2, and finally Apress and a self-published title, each with one. Thank you to all publishers who sent me books in 2008. I have plenty more to read in 2009.

Richard Bejtlich is teaching new classes in DC and Europe in 2009. Register by 1 Jan and 1 Feb, respectively, for the best rates.

Bejtlich Speaking at DC BSDCon 2009

Jason Dixon just announced that I will be speaking at DC BSDCon 2009, either 5 or 6 February 2009. I'm looking forward to this conference since it's local and thus easier to attend. I'll be discussing something about Network Security Monitoring that applies to FreeBSD.

Registration ends 31 Jan 09 and is limited to the first 150 attendees.

Richard Bejtlich is teaching new classes in DC and Europe in 2009. Register by 1 Jan and 1 Feb, respectively, for the best rates.

Installing Sguil Using NSMNow

In my post NSM-Friendly VMware Lab Setup I mentioned wanting to use NSMNow to install Sguil on Ubuntu 8.04 for student use in my next class. I had tried the Securix-NSM live CD but I had not tried installing Sguil using the same project's NSMNow scripts. I just did it:


root@twsu804:/usr/local/src# wget http://www.securixlive.com/download/nsmnow/NSMnow-1.1.1.tar.gz
--22:14:38--  http://www.securixlive.com/download/nsmnow/NSMnow-1.1.1.tar.gz
           => `NSMnow-1.1.1.tar.gz'
Resolving www.securixlive.com... 202.191.61.156
Connecting to www.securixlive.com|202.191.61.156|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 164,613 (161K) [application/x-gzip]

100%[====================================>] 164,613       53.85K/s             

22:14:42 (53.80 KB/s) - `NSMnow-1.1.1.tar.gz' saved [164613/164613]

root@twsu804:/usr/local/src# tar -xzvf NSMnow-1.1.1.tar.gz 
NSMnow-1.1.1/
NSMnow-1.1.1/NSMnow-core
NSMnow-1.1.1/RELEASE.NOTES
NSMnow-1.1.1/templates/
NSMnow-1.1.1/templates/lib/
NSMnow-1.1.1/templates/lib/lib-console-utils
NSMnow-1.1.1/templates/init/
NSMnow-1.1.1/templates/init/sancpd
NSMnow-1.1.1/templates/init/snortl-newday
NSMnow-1.1.1/templates/init/snortu
NSMnow-1.1.1/templates/init/pcap_agent
NSMnow-1.1.1/templates/init/barnyard2
NSMnow-1.1.1/templates/init/sguild
NSMnow-1.1.1/templates/init/snort_agent
NSMnow-1.1.1/templates/init/snortl
NSMnow-1.1.1/templates/init/sancp_agent
NSMnow-1.1.1/templates/rules/
NSMnow-1.1.1/templates/rules/pop3.rules
NSMnow-1.1.1/templates/rules/finger.rules
NSMnow-1.1.1/templates/rules/dos.rules
NSMnow-1.1.1/templates/rules/shellcode.rules
NSMnow-1.1.1/templates/rules/dns.rules
NSMnow-1.1.1/templates/rules/attack-responses.rules
NSMnow-1.1.1/templates/rules/local.rules
NSMnow-1.1.1/templates/rules/icmp-info.rules
NSMnow-1.1.1/templates/rules/policy.rules
NSMnow-1.1.1/templates/rules/web-cgi.rules
NSMnow-1.1.1/templates/rules/ddos.rules
NSMnow-1.1.1/templates/rules/mysql.rules
NSMnow-1.1.1/templates/rules/oracle.rules
NSMnow-1.1.1/templates/rules/other-ids.rules
NSMnow-1.1.1/templates/rules/icmp.rules
NSMnow-1.1.1/templates/rules/experimental.rules
NSMnow-1.1.1/templates/rules/chat.rules
NSMnow-1.1.1/templates/rules/info.rules
NSMnow-1.1.1/templates/rules/web-attacks.rules
NSMnow-1.1.1/templates/rules/nntp.rules
NSMnow-1.1.1/templates/rules/telnet.rules
NSMnow-1.1.1/templates/rules/scan.rules
NSMnow-1.1.1/templates/rules/rservices.rules
NSMnow-1.1.1/templates/rules/web-php.rules
NSMnow-1.1.1/templates/rules/bad-traffic.rules
NSMnow-1.1.1/templates/rules/snmp.rules
NSMnow-1.1.1/templates/rules/web-coldfusion.rules
NSMnow-1.1.1/templates/rules/tftp.rules
NSMnow-1.1.1/templates/rules/ftp.rules
NSMnow-1.1.1/templates/rules/misc.rules
NSMnow-1.1.1/templates/rules/multimedia.rules
NSMnow-1.1.1/templates/rules/web-frontpage.rules
NSMnow-1.1.1/templates/rules/imap.rules
NSMnow-1.1.1/templates/rules/porn.rules
NSMnow-1.1.1/templates/rules/web-client.rules
NSMnow-1.1.1/templates/rules/netbios.rules
NSMnow-1.1.1/templates/rules/p2p.rules
NSMnow-1.1.1/templates/rules/rpc.rules
NSMnow-1.1.1/templates/rules/web-misc.rules
NSMnow-1.1.1/templates/rules/backdoor.rules
NSMnow-1.1.1/templates/rules/pop2.rules
NSMnow-1.1.1/templates/rules/exploit.rules
NSMnow-1.1.1/templates/rules/sql.rules
NSMnow-1.1.1/templates/rules/virus.rules
NSMnow-1.1.1/templates/rules/x11.rules
NSMnow-1.1.1/templates/rules/smtp.rules
NSMnow-1.1.1/templates/rules/deleted.rules
NSMnow-1.1.1/templates/rules/web-iis.rules
NSMnow-1.1.1/LICENCE
NSMnow-1.1.1/NSMnow.conf
NSMnow-1.1.1/libs/
NSMnow-1.1.1/libs/barnyard2.pm
NSMnow-1.1.1/libs/utils.pm
NSMnow-1.1.1/libs/sguilsensor.pm
NSMnow-1.1.1/libs/sguilclient.pm
NSMnow-1.1.1/libs/utils.sh
NSMnow-1.1.1/libs/mysql.pm
NSMnow-1.1.1/libs/sguiltools.pm
NSMnow-1.1.1/libs/tcl.pm
NSMnow-1.1.1/libs/os.pm
NSMnow-1.1.1/libs/buildessential.pm
NSMnow-1.1.1/libs/sguilserver.pm
NSMnow-1.1.1/libs/os.sh
NSMnow-1.1.1/libs/snort.pm
NSMnow-1.1.1/libs/sancp.pm
NSMnow-1.1.1/README
NSMnow-1.1.1/INSTALL
NSMnow-1.1.1/NSMnow.log
NSMnow-1.1.1/run-init
NSMnow-1.1.1/NSMnow
NSMnow-1.1.1/README.apparmor
NSMnow-1.1.1/MANUAL

root@twsu804:/usr/local/src# cd NSMnow-1.1.1/

root@twsu804:/usr/local/src/NSMnow-1.1.1# ls
INSTALL  MANUAL       NSMnow-core  README.apparmor  templates
libs     NSMnow       NSMnow.log   RELEASE.NOTES
LICENCE  NSMnow.conf  README       run-init

root@twsu804:/usr/local/src/NSMnow-1.1.1# ./NSMnow -i

Allow pre-checks to install requisite packages [Y]: 
[2008/12/29 22:18:05] #1 - Performing NSMnow pre-checks.
[2008/12/29 22:21:06] #1 - Pre-checks completed successully
[2008/12/29 22:21:06] #1 - Detected platform: UBUNTU
[2008/12/29 22:21:06] #1 - Action: Installing package(s).

Download Directory
Path where all downloaded files will be saved to
 [./source]: 

Source Directory
Path where all source tarballs will be extracted to
 [./source]: 

Sensor Name
A unique name given to deliniate sensors from one another
 [sensor1]: twsu804a

Sensor Interface
Enter the interface that this sesnor will be monitoring
 [eth0]: eth1

Configuration Path
Path to where all sensor related configuration files will be stored
 [/etc/nsm]: 

Sensor Data Path
Path to where all sensor captured information will be stored
 [/nsm/sensor_data]: 

Server Host
Hostname or IP of the server component that this sensor will connect to
 [localhost]: 

Server Name
A unique name given to deliniate servers from one another
 [server1]: 

Server Data Path
Path to where all server collected information will be stored
 [/nsm/server_data]: 

Server Database Name
Name of the sguil database which will store all sguil correlated information.
 [sguildb]: 

Server Database User
Name of the user who will have access rights to the sguil database.
 [sguil]: 

Server Database Password
Password of the user who will have access rights to the sguil database.
 [password]: sguil

Client User
Name of the sguil client user who will have access the sguil server.
 [sguil]: 

Client Password
Password of the sguil client user who will have access to the sguil server.
 [password]: sguil

Server Host
Hostname or IP of the server component that this client will connect to
 [localhost]: 
[2008/12/29 22:23:16] #1 - Installing package: mysql
[2008/12/29 22:23:16] #1 -   Installing with: apt-get -y install mysql-server
[2008/12/29 22:28:22] #1 - Installing package: tcl
[2008/12/29 22:28:22] #1 -   Installing with: apt-get -y install tcl8.3
 itcl3 mysqltcl tcltls tcllib tcl8.3-dev iwidgets4 tclx8.4 itk3 tcl8.4 tk8.4
[2008/12/29 22:29:23] #1 - Installing package: buildessential
[2008/12/29 22:29:23] #1 -   Installing with: apt-get -y install libpcre3-dev
 libpcap0.8-dev build-essential
[2008/12/29 22:29:43] #1 - Installing package: snort
Download snort tarball? [Y]: y
[2008/12/29 22:39:37] #1 -   Configuring with: ./configure --enable-perfprofiling
[2008/12/29 22:40:29] #1 -   Compiling with: make
[2008/12/29 22:43:50] #1 -   Installing with: make install
[2008/12/29 22:44:02] #1 - Installing package: barnyard2
Download barnyard2 tarball? [Y]: y
[2008/12/29 22:44:29] #1 -   Configuring with: ./configure --with-tcl=/usr/lib/tcl8.3
[2008/12/29 22:44:54] #1 -   Compiling with: make
[2008/12/29 22:45:10] #1 -   Installing with: make install
[2008/12/29 22:45:10] #1 - Installing package: sancp
Download sancp tarball? [Y]: y
[2008/12/29 22:45:18] #1 -   Compiling with: make linux
[2008/12/29 22:45:37] #1 -   Installing with: cp sancp /usr/local/bin
[2008/12/29 22:45:37] #1 - Installing package: sguilsensor
Download sguil-sensor (sguil) package(s)? [Y]: y
[2008/12/29 22:46:09] #1 -   Installing sguil-sensor binaries
[2008/12/29 22:46:10] #1 - Installing package: sguilclient
[2008/12/29 22:46:10] #1 -   Installing sguil-client library files
[2008/12/29 22:46:10] #1 -   Installing sguil-client binary
[2008/12/29 22:46:10] #1 - Installing package: sguilserver
[2008/12/29 22:46:10] #1 -   Installing sguil-server library files
[2008/12/29 22:46:10] #1 -   Installing sguil-server binary
[2008/12/29 22:46:10] #1 - Installing package: sguiltools
[2008/12/29 22:46:10] #1 -   Installing with: apt-get -y install wireshark p0f tcpflow tcpdump
[2008/12/29 22:47:24] #1 - Configuring package: mysql
 * Stopping MySQL database server mysqld                                 [ OK ] 
 * Stopping MySQL database server mysqld                                 [ OK ] 
Reloading AppArmor profiles : done.
 * Starting MySQL database server mysqld                                 [ OK ] 
 * Checking for corrupt, not cleanly closed and upgrade needing tables.
[2008/12/29 22:48:07] #1 - Configuring package: tcl
[2008/12/29 22:48:10] #1 - Configuring package: buildessential
[2008/12/29 22:48:10] #1 - Configuring package: snort
[2008/12/29 22:48:10] #1 -   Generating snort config file: /etc/nsm/twsu804a/snort.conf
[2008/12/29 22:48:11] #1 - Configuring package: barnyard2
[2008/12/29 22:48:11] #1 -   Generating barnyard2 config file: /etc/nsm/twsu804a/barnyard2.conf
[2008/12/29 22:48:12] #1 - Configuring package: sancp
[2008/12/29 22:48:12] #1 -   Generating sancp config file: /etc/nsm/twsu804a/sancp.conf
[2008/12/29 22:48:12] #1 - Configuring package: sguilsensor
[2008/12/29 22:48:12] #1 -   Generating sensor agent config file(s)
[2008/12/29 22:48:12] #1 - Configuring package: sguilclient
[2008/12/29 22:48:12] #1 -   Generating sguil-client config file: /etc/sguil/sguil.conf
[2008/12/29 22:48:12] #1 - Configuring package: sguilserver
[2008/12/29 22:48:12] #1 -   Configuring AppArmor profile
[2008/12/29 22:48:12] #1 -     Ensure you restart AppArmor to apply changes
[2008/12/29 22:48:12] #1 -   Generating sguil-server config file: /etc/sguild/sguild.conf
[2008/12/29 22:48:13] #1 -   Updating sguild init file: /etc/init.d/sguild
Copy default rules file(s)? [Y]: y
What Sensor name is to be associated with these rules [sensor1]: twsu804a
[2008/12/29 22:49:20] #1 -   Creating the CA certificate
[2008/12/29 22:49:22] #1 -   Creating certificate request for: server1
[2008/12/29 22:49:22] #1 -   Signing server certificate for: server1
[2008/12/29 22:49:22] #1 -   Adding client user "sguil" to sguil server ACL.
[2008/12/29 22:49:22] #1 -   Creating database and initial user.

You will need the mysql root password.
Enter password: 
[2008/12/29 22:49:29] #1 - Configuring package: sguiltools
[2008/12/29 22:49:29] #1 - Completed installing package(s) successfully.

NOTE: Snort can log in either UTC or the localtime, so firstly make sure that all machines
 are synced together.Secondly, either set the timezone on all machines to UTC or set the
 timezone on all machines to the same andremove the $UTC variable from the OPTIONS variable
 in both /etc/init.d/snortu and /etc/init.d/snortl

I decided to comment out the $UTC variable in the two scripts. Then I started the programs.


root@twsu804:/usr/local/src/NSMnow-1.1.1# ./run-init start
Starting - sguil server (sguild)                                       [  OK  ]
Starting - sguil: sensor snort_agent (snort_agent)                     [  OK  ]
Starting - sguil: sensor pcap_agent (pcap_agent)                       [  OK  ]
Starting - sguil: sensor sancp_agent (sancp_agent)                     [  OK  ]
Starting - snort: IDS mode, unified output (snort_unified)             [  OK  ]
  * output in /nsm/sensor_data/twsu804a, /ssn_logs, /portscans
Starting - barnyard2 (barnyard2)                                       [  OK  ]
  * created directory: /var/log/barnyard2
  * created directory: /var/log/barnyard2/twsu804a
Starting - sancp: session logging (sancpd)                             [  OK  ]
  * output in /nsm/sensor_data/twsu804a/sancp
Starting - snort: logging mode (snort_packetlogging)                   [  OK  ]
  * output in /nsm/sensor_data/twsu804a/dailylogs/2008-12-30
  * created directory: /nsm/sensor_data/twsu804a/dailylogs
  * created directory: /nsm/sensor_data/twsu804a/dailylogs/2008-12-30
  * disk space currently at 43%
root@twsu804:/usr/local/src/NSMnow-1.1.1#

At this point I could start a user terminal, type sguil.tk, and start using the Sguil console. The only real change I made was to alter the default fonts. I would probably consolidate the three panels into 1 as well.

Very impressive! Great work guys.

Richard Bejtlich is teaching new classes in DC and Europe in 2009. Register by 1 Jan and 1 Feb, respectively, for the best rates.

NSM-Friendly VMWare Lab Setup

I'm working on labs for my all-new TCP/IP Weapons School 2.0 class (early registration ends Wednesday). Almost the whole class is labs; I'll have between 10 and 12 scenarios for students to investigate.

As you might imagine, network traffic will play a key role. I wanted to set up a VM running Ubuntu that could watch traffic involving other VMs. (Why not FreeBSD? Ubuntu is easier for students to use, and NSMnow makes it easy to get Sguil running. FreeBSD has also never seemed to run well in VMs due to some weird timing issues that have never been resolved.)

The problem, as I noted in Using VMware for Network Security Monitoring last year, is that modern versions of VMware Server (I run 1.0.8 now) act as switches and not hubs. That means each VM is connected to a virtual switch, effectively sheltered from other traffic. This is good for performance but bad for my monitoring needs.

Monitoring on the VMware server itself is not an option. Although it can see the traffic, I want to distribute a VM to the students that was running and capturing the traffic using Sguil and other tools as necessary.

Incidentally, here are two options for sniffing on the VMware server itself, for reference. VMware mentions its vmnet-sniffer, which is a console-output application with basically no features used only for troubleshooting:


richard@neely:~$ sudo vmnet-sniffer -e /dev/vmnet1

len   98 src 00:0c:29:7f:d6:a1 dst 00:0c:29:0a:0f:c1 IP src 10.1.1.3       
 dst 10.1.1.4        ICMP ping request - len=64 type=8
  00:0c:29:7f:d6:a1 08 00 88 e6 c0 17 00 01 ae 85 59 49 b5 2e 07 00 08
  09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 
  20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 34 35 36
  37 

len   98 src 00:0c:29:0a:0f:c1 dst 00:0c:29:7f:d6:a1 IP src 10.1.1.4       
 dst 10.1.1.3        ICMP ping reply

You could just as easily run Tcpdump or any other sniffer of your choice:


richard@neely:~$ sudo tcpdump -n -i vmnet1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vmnet1, link-type EN10MB (Ethernet), capture size 96 bytes
20:41:51.272555 IP 10.1.1.3 > 10.1.1.4: ICMP echo request, id 49175, seq 1, length 64
20:41:51.273469 IP 10.1.1.4 > 10.1.1.3: ICMP echo reply, id 49175, seq 1, length 64

One note: vmnet-sniff can watch /dev/vmnet0 even though vmnet0 is not listed by ifconfig. vmnet0 is the bridged interface so you just watch it directly (e.g., eth0, etc.) with Tcpdump.

What to do? I decided that I could deploy the NSM sensor VM as a gateway, and put any hosts which I want to monitor as legs on that gateway. Consider this three-host scenario:

NSM sensor VM / gateway with 1) eth0 as 172.16.99.3, default gateway is 172.16.99.2, the VMware NAT /dev/vmnet8 gateway; 2) eth1 as 192.168.230.3, on a random subnet; and 3) eth2 as 10.1.1.3, on another random subnet

Windows victim with interface 192.168.230.4, default gateway 192.168.230.3

Linux attacker with interface 10.1.1.4, default gateway 10.1.1.3

I configured the NSM sensor to be a gateway, and told it to NAT connections outbound to the VMware server NAT interface:


root@tws-u804:~# echo "1" > /proc/sys/net/ipv4/ip_forward
root@tws-u804:~# iptables -t nat -A POSTROUTING -s 192.168.230.0/24 -o eth0 -j MASQUERADE
root@tws-u804:~# iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -o eth0 -j MASQUERADE

Why this "second" level of NAT via MASQUERADE? It turns out that if you send traffic from, say, 10.1.1.4 through a gateway that doesn't NAT, when that gateway sends the traffic with source IP 10.1.1.4 to the NAT interface on the VMware server, the VMWare server doesn't know how to handle the replies. I saw the traffic exit properly (i.e., it was NATed out), but when the reply arrived the VMware server didn't know how to return it to 10.1.1.4. With this "second" NAT on the NSM sensor / gateway, the VMware server thinks the gateway is originating all traffic, so the hosts can reach the Internet.

With this setup I can now monitor traffic from 10.1.1.4 to 192.168.230.4, because the traffic is routed through the NSM sensor / gateway.

This seems kludgy, and I wish there were a way to just configure VMware Server to act like a hub and have all hosts see all traffic. If anyone knows how to do that, please let me know.

Richard Bejtlich is teaching new classes in DC and Europe in 2009. Register by 1 Jan and 1 Feb, respectively, for the best rates.

Daemonic Dispatches Musings from Colin Percival
AWS signature version 1 is insecure

The important bit first: If you are making Query (aka REST) requests to Amazon SimpleDB, to Amazon Elastic Compute Cloud (EC2), or to Amazon Simple Queue Service (SQS) over HTTP, and there is any way for an attacker to provide you with data which you use to construct your request, switch to HTTPS or start using AWS signature version 2 now. For example, if you allow users to add arbitrary "tags" to documents, and you use SimpleDB to store those tags, this means you. (Amazon Flexible Payments Service (FPS) and Amazon Devpay also use the same insecure signature method, but they already require the use of HTTPS. Amazon S3 and other services use different signature methods.)

I've been sitting on this blog post since May 1st, when I was reading documentation in preparation for writing the accounting code for my tarsnap online backup service and I first noticed that AWS signature version 1 was insecure; but now that the cat is out of the bag thanks to Amazon announcing the new signature version, it's time to publish the details of how their signature version 1 is broken.

How Tarsnap uses Amazon Web Services

Regular readers of these Daemonic Dispatches will no doubt have noticed that I have mentioned Amazon Web Services on many occasions, and it's no secret that my tarsnap online backup service is built on top of Amazon Web Services. Over the month since tarsnap reached public beta, a number of people have asked me questions about AWS and how tarsnap uses it, so I think now is a good time to provide some insight into how the tarsnap service works behind the scenes.

Spammed by TimeBridge

I recently received an email, allegedly from someone I knew:

I'd like to add you to my network on TimeBridge.

Get started by checking out my calendar:
http://app.timebridge.com/user/availability/<CENSORED>

- <CENSORED>

A short time later, I received an email which actually was from this person, telling me (as I suspected) that he did not, in fact, want to add me to his network on TimeBridge. Three things went badly wrong here.

Tarsnap public beta

Tarsnap is an implementation of my idea of a perfect online backup service. After many months in private beta testing, tarsnap is now publicly available for BSD, Linux, and other UNIX-like operating systems.

Wuala's improved security

Last year I wrote about the poor security of the Wuala online storage and file-sharing startup. Over the following eight months, the people at Wuala made significant improvements, and four months ago Dominik Grolimund asked me to update my blog concerning their now-improved security. Unfortunately bronchitis and and wrist pain delayed this substantially; but here's my belated reassessment of Wuala's security: Much better, but still lacking in some respects.

FreeBSD on EC2

FreeBSD doesn't run on Amazon's Elastic Compute Cloud service right now. I want to change this. I need to talk to other wannabe FreeBSD-on-EC2 users. If this describes you, please contact me.

Hacking the Amazon S3 SLA

The Simple Storage Service (S3) provided by Amazon comes with a Service Level Agreement: If the Monthly Uptime Percentage is between 99% and 99.9%, you get a 10% refund; if the Monthly Uptime Percentage is below 99%, you get a 25% refund. The Monthly Uptime Percentage is computed in a fairly straightforward manner: Divide the month into 5-minute intervals and compute the Error Rate (failed requests divided by total requests, treating 0/0 as 0) for each interval; compute the average Error Rate over all the 5-minute intervals in the month; and subtract this value from 100%.

If the probability of a request failing during the n th 5-minute interval is p(n), and the number of requests issued during the n th interval is determined solely by p(n), the expected value of the Monthly Uptime Percentage is 100% minus the average value of p(n) over all the intervals; put another way, you can't cheat by waiting for a high p(n) and then quickly running up the failure count by issuing lots and lots of requests. However, this uncheatability applies only if the number of requests issued is independent of the success or failure of individual requests; if we can see whether one request succeeded before issuing the next one, we can cheat the SLA -- quite extravagently, in fact.

Canadian election results trivia.

After the last Canadian federal election, I posted here with some election results trivia; since Elections Canada has again helpfully provided the (preliminary) results in CSV format, I've now done the same for the 40th Canadian federal election:

Canadian Federal election polling

In December 2005, during the last Canadian federal election, I wrote about the discrepancies between polls and how they could be partly explained by different notions of what the population of Quebec was. In the 2008 election, there are even larger polling discrepancies -- on October 6th, Nanos reported 6% support for the Green party while Harris-Decima reported 13% support; and once again, certain pollsters consistently disagree with their colleagues.

UBC Election Stock Market

On September 8th, I invested $25 into the Election Stock Market being run by the University of British Columbia for the 2008 Canadian Federal election. When the market closed, at 10PM PDT on Monday evening, I had increased that to $88.70 (I decided to end up with a cash-only position).