Archive for May, 2005

May 11 2005

TCP/IP and tcpdump pocket reference

Published by under General

tcpip.pdf (application/pdf Object)

This is a handy pocket reference from the SANS Institute for those of us who use tcpdump fairly often, but not often enough to memorize all the switches. More importantly, it covers quite a few of the basic packet types and what the different fields mean.

Thanks to the folks at the Opensourceweblog for posting this link


Comments Off

May 10 2005

IDS vs. IPS

Published by under IDS

The great intrusion prevention debate | InfoWorld | Point/Counterpoint | 2005-05-09 | By InfoWorld staff

I found a link to this article at the TaoSecurity blog. Reading Richard Bejtlich’s review of the article, I have to say I was expecting a lot more from the article.

Summed up, this is a 5 minute conversation between Marty Roesch of Sourcefire/Snort and Marc Willebeek-LeMair of TippingPoint. I got to the end of the article and was left wondering where the other half of it was. Of course, reading into the tone of the last couple of comments, maybe it’s better they quit while the conversation was still civil. Mr. Roesch got the better part of the dialogue, but I still feel the conversation was cut off in the middle.


Comments Off

May 09 2005

Can a car get infected? Not yet.

Published by under Malware

In-depth investigation of the “Cabir-in-Cars” myth

The guys at F-Secure got their hands on a Bluetooth-enabled Toyota Prius to test the Cabir virus on. How cool is that?


Comments Off

May 09 2005

Sourcefire and Snort

Published by under IDS

I’ve recently been trying to implement a solution that leverages Snort sensors with a Sourcefire Defense Controller. This involves placing agents on the Snort boxes which scrape the events off of the Snort unified logs and send the information to the DC. I’ve run into a number of caveats that have really bothered me.

I want to start off by saying, this is not a bash against Sourcefire. I love Snort, and I’m impressed with the capabilities of Sourcefire, especially the information gathering capabilities of the RNA agent. But there are a number of issues I’ve run into recently concerning interoperability between the Snort engine and Sourcefire Defense Controllers. If you’ve integrated Sourcefire with an existing Snort installation, please drop me a line, martin_at_mckeay.net. For the record, Sourcefire technical support is excellent and knowledgeable, but there are some times where they just say ‘You can try that, but it’s not supported’.

First and foremost, Sourcefire does not support the SFagent for any versions of Snort 2.3 or higher. This was not in the documentation, and only something that we learned after calling technical support. Even the Sourcefire engineer working with us didn’t know that. I thought the same engineers worked on the Snort and Sourcefire engines, but I guess I was wrong. I was very disappointed by this.

Second, Sourcefire doesn’t support the Linux 2.6 kernel. They support Redhat 7, 8 and 9, but not any of the enterprise builds i.e. Redhat ES 3.0 or 4.0. Since Redhat ES 3.0 is built on the 2.4 kernel it works as expected, but ES 4.0 is problematic. We found a workaround, but it was a kludge.

The other major issue we ran into was that you can have either a Snort agent or a RNA agent on a server, not both. This is apparently due to the data channels in use to communicate between the sensor and the DC. I haven’t found a workaround for this issue yet.

Sourcefire makes no bones about the fact that they consider their agent and Snort a stop-gap measure until you can purchase the Sourcefire sensors. I can respect that, but I would have been much happier if the caveats in using a Snort sensor with a Sourcefire DC had been revealed up front. I knew that a Snort sensor wouldn’t provide nearly as much information as a Sourcefire sensor would, I just didn’t know there would be so many limitations.


Comments Off

May 09 2005

Schneier on Real ID: A Real Threat

Published by under Security Advisories

Schneier on Security: REAL ID

Real ID is something to be seriously worried about. Bruce Schneier does a better job of summing up the major points than I could do, so this is mostly just a pointer to his article to get others to read it. I do have one or two opinions of my own to express, but he does an excellent job of explaining the problems and pitfalls of the REAL ID act.

Our Federal government is getting out of control. While States’ rights have been questionable since the Civil War, the last couple of months have seen some real abuses by the Federal government. The Terri Schiavo case was just one of the most glaring examples of the federal government (mostly the Bush administration, but also a number of members of Congress were involved) trying to impose their will on what was clearly a state issue. Now they’re trying to quietly impose a national ID standard by tying it to a military spending bill. Sneaky, very sneaky.

Write, call or email your Senator and Representative. Talk about this with your friends, spouse and family. Maybe a national ID is needed, but this is something that needs to be discussed in a national forum, with all the implications thought out before anything is implemented.

Anyone know where I can buy a RFID blocking wallet? Tin foil is just so gauche.


One response so far

May 03 2005

Big fat idiots?

Published by under Site Configuration

I recently received a trackback ping on one of my posts that led me to an article where the author claims most of the security professionals out there are nothing but big, fat idiots. I think the author went to every security blog out there he could find and put in the trackback so we could go read his article insulting us. Now he’s blogging about how much he’s stirred up the community and how he has the answer to all things security related. I think it’s all a ploy aimed at getting his own blog more readership. I’m not going to link to his article, since it really didn’t say anything other than ‘You’re idiots, I’m great, so there!’. Find the article yourself if you want to read it, it’s not too hard.

The author does have a valid point: most security blogs are nothing more than links to the latest news on viruses and vulnerabilities, or articles on other sites. I admit to falling into this category most days. But, quite frankly, this is something I do when I have a couple of minutes to spare, and is not supposed to be some great, awe-inspiring tribute to my ego. I would love to have the time to post more original work, but with a full time job and two small children, I don’t have the time.

Occasionally, I will have an original thought and post it here. If you get some small value out of that, great. But most of the time, I’m content to just post links and my own take on whatever article I’m linking to. If you find this valuable, I’m happy and I hope you come back. If you don’t, then keep in mind, I’m writing mostly for my own fun, amusement and education, and I don’t care if I don’t have a mind blowing revelation for you on a daily (or even weekly or monthly) basis.

Thanks for stopping by,

Martin


3 responses so far
