Snort Alert Log Reverser
February 9th, 2010 | Category: IDS, Network Security
I’ve been using Snort as a host-based IDS on my laptop for quite a while now, and rather than expanding my attack surface by installing a database server for logging, I am simply logging to the standard flat file format. In this format all Snort alerts are logged to an alert.ids file in the C:/Snort/log directory. Previously I’ve just reviewed this log frequently, but I’ve wanted something a bit more real-time for quite some time. I’m not sure if I’ve found the best solution, but I’m currently using RainMeter to display the most recent Snort alerts on my desktop.
I did run into one problem which had a solution I think others might be interested in. Snort appends the newest alerts it receives to the bottom of the alert.ids file, which makes gathering the most recent alerts via Perl regular expressions a bit of a complicated task. I brought this problem to my analysis team at EWA, and Jason Smith, who has just started learning Perl, developed a script that alleviates this problem. The script takes the last alert in the alert.ids file and places it at the top of a new “parsed” file. The second to last alert in the alert.ids file is then placed as the second alert in the parsed file, and so on. Also, as a bit of expanded functionality, the script only grabs the first four lines of every alert, which gives the alert name, classification, priority, and basic packet information. This makes for a more condensed and concise output.
You can download the script here: snort_parser.zip
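The reversal and condensing described above, as an added example written in Python rather than Perl. This is not Jason Smith’s script or the contents of snort_parser.zip; it splits a Snort full-format alert file into records on the “[**]” signature line, emits them newest first, and keeps only the first four lines of each. The sample alert text is constructed (placeholder local-range SIDs, RFC 5737 documentation addresses), and the file names alert.ids and alert_parsed.txt are assumptions.

```python
"""Reverse a Snort full-format alert log so the newest alert comes first,
keeping only the first four lines of each alert (signature line,
classification and priority, timestamp with addresses, protocol summary).
Added example; it is not the post's Perl script."""
import re
from pathlib import Path

# Constructed sample of Snort's full alert format, oldest alert first.
# SIDs are placeholders from the 1000000+ local range; addresses come
# from the RFC 5737 documentation ranges.
SAMPLE_ALERT_IDS = """\
[**] [1:1000001:1] EXAMPLE ICMP echo request [**]
[Classification: Misc activity] [Priority: 3]
02/09-08:15:01.123456 192.0.2.10 -> 192.0.2.20
ICMP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:84
Type:8  Code:0  ID:1234   Seq:1  ECHO

[**] [1:1000002:1] EXAMPLE web server probe [**]
[Classification: Attempted Information Leak] [Priority: 2]
02/09-08:16:42.654321 192.0.2.10:51234 -> 192.0.2.20:80
TCP TTL:64 TOS:0x0 ID:2 IpLen:20 DgmLen:60 DF
***A**S* Seq: 0x1  Ack: 0x0  Win: 0xFFFF  TcpLen: 40

[**] [1:1000003:1] EXAMPLE SSH brute force attempt [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 1]
02/09-08:20:05.000001 198.51.100.7:40000 -> 192.0.2.20:22
TCP TTL:57 TOS:0x0 ID:3 IpLen:20 DgmLen:52 DF
"""

# Snort's signature line: [**] [gid:sid:rev] message [**]
HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$")
LINES_PER_ALERT = 4


def split_alerts(text):
    """Return the alerts as a list of line lists, oldest first.
    Records are delimited by the '[**]' header rather than by blank lines,
    so a missing or doubled separator cannot merge or split a record."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("[**]"):
            alerts.append([line])
        elif alerts:          # lines before the first header are discarded
            alerts[-1].append(line)
    return alerts


def reverse_and_condense(text, keep=LINES_PER_ALERT):
    """Newest alert first, each trimmed to its first `keep` lines."""
    return [alert[:keep] for alert in reversed(split_alerts(text))]


def parse_header(line):
    """Extract gid, sid, rev and message from a signature line, or None."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    gid, sid, rev, msg = m.groups()
    return {"gid": int(gid), "sid": int(sid), "rev": int(rev), "msg": msg}


def render(alerts):
    """Serialise alerts back into Snort's blank-line-separated layout."""
    return "\n\n".join("\n".join(a) for a in alerts) + "\n"


def write_parsed(src, dst, keep=LINES_PER_ALERT):
    """Read the alert file at `src`, write the reversed, condensed file to
    `dst`, and return the number of alerts written. errors='replace' keeps
    a single undecodable byte from aborting the whole run."""
    text = Path(src).read_text(encoding="utf-8", errors="replace")
    alerts = reverse_and_condense(text, keep)
    Path(dst).write_text(render(alerts), encoding="utf-8")
    return len(alerts)


if __name__ == "__main__":
    import tempfile
    # Exercise the file path with the constructed sample instead of
    # C:/Snort/log/alert.ids so the demo runs anywhere.
    with tempfile.TemporaryDirectory() as d:
        src, dst = Path(d) / "alert.ids", Path(d) / "alert_parsed.txt"
        src.write_text(SAMPLE_ALERT_IDS, encoding="utf-8")
        n = write_parsed(src, dst)
        print(f"{n} alerts written, newest first:\n")
        print(dst.read_text(encoding="utf-8"))
```

Pointing write_parsed at the real alert.ids and running it from the same five-minute scheduled task gives the parsed file RainMeter reads. Splitting on the signature header rather than on blank lines is deliberate: the file is written as untrusted traffic arrives, and a partially written or oddly separated record should yield one bad entry, not a merged or shifted list. The output is plain text and should be displayed as such.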
As for implementation, I have set up a scheduled task that runs the script every 5 minutes so that the RainMeter display on my desktop is updated very frequently. One small issue I noticed was that when this task ran it would pop up a command prompt window momentarily, which was quite annoying. To combat this I created a VBS script that runs the Perl script in the background. Rather than running the Perl script directly, the scheduled task runs the VBS script, which takes the Perl script as an argument and launches it, so that the process is invisible to me.
You can download the VBS script here: silent_launcher.vbs
Feel free to download, use, and distribute these files as you see fit.
Early 2010 Travel Plans
January 26th, 2010 | Category: Personal
I’m going to be out and about a few different places the early part of this year. If you are going to be at any of these events and want to get together and talk shop or have a bite to eat, give me a shout.
- ShmooCon, Washington DC – Feb 5-7
- SANS 2010, Orlando FL – Mar 6-15
I’m also planning on attending HOPE [Tentative] (NYC), Phreaknic (Nashville), Defcon (Vegas), and Black Hat (Vegas) this year.
SANS SEC 504 Comes to Bowling Green – Mentored by Me!
December 18th, 2009 | Category: SANS, Training
I’ve recently been accepted into the SANS Institute mentor program and will be mentoring my first course next spring in the Bowling Green, KY area.
Please join Mentor Chris Sanders starting on March 18 for Security 504: Hacker Techniques, Exploits and Incident Handling.
Experience this local class and SANS award winning security training first hand in the popular Mentor format!
Chris Sanders will be leading this 36 CPE credit class in Bowling Green, KY.
For complete course details and registration information, please click on http://www.sans.org/info/52263.
About the course:
By helping you understand attackers’ tactics and strategies in detail, giving you hands-on experience in finding vulnerabilities and discovering intrusions, and equipping you with a comprehensive incident handling plan, the in-depth information in this course helps you turn the tables on computer attackers. This course addresses the latest cutting-edge insidious attack vectors and the “oldie-but-goodie” attacks that are still so prevalent, and everything in between. Instead of merely teaching a few hack attack tricks, this course includes a time-tested, step-by-step process for responding to computer incidents; a detailed description of how attackers undermine systems so you can prepare, detect, and respond to them; and a hands-on workshop for discovering holes before the bad guys do. Additionally, the course explores the legal issues associated with responding to computer attacks, including employee monitoring, working with law enforcement, and handling evidence.
Students study the SANS Hacker Techniques, Exploits & Incident Handling course books at their own pace. Each week, students meet with a SANS Local Mentor, who will lead class discussions, provide hands-on demonstrations, point out the most salient features, and answer questions. The Mentor’s goal is to help students grasp the more difficult material, master the exercises, and prepare them for GCIH certification.
This challenging course is particularly well suited to individuals who lead or are a part of an incident handling team. Furthermore, general security practitioners, system administrators, and security architects will benefit by understanding how to design, build, and operate their systems to prevent, detect, and respond to attacks.
These courses are great for folks who want SANS level training but don’t have the travel budget to go to a conference for a week. I’m very excited to bring something like this to my area…security training around here is slim pickins! Bowling Green is very centrally located and is only an hour from Nashville, TN, two hours from Louisville, KY, two hours from Lexington, KY, and two hours from Paducah, KY.
Also, I will be donating 20% of my teaching fee to the Rural Technology Fund, a 501(c)(3) non-profit organization which provides scholarships to high school students pursuing technical majors.
Feel free to e-mail me with any questions, or visit the course website here: http://www.sans.org/info/52263.
2009 Louisville InfoSec Conference and CTF
October 11th, 2009 | Category: Tech News
I attended the Kentuckiana ISSA Louisville InfoSec conference on the 8th of this month and I wanted to be sure and put something up about what a great event it was.
I participated in the CTF event that was put together by Adrian “Irongeek” Crenshaw (http://www.irongeek.com and @irongeek_adc). This is only the second CTF I’ve participated in (the first being the SANS Sec 504 CTF in San Diego) and I was really pleased with it.
You can view a write up and a brief video on the technical details of the CTF here: http://www.irongeek.com/i.php?page=videos/louisville-infosec-ctf-2009.
My team ended up coming in fourth. The winning team was led by Dave Kennedy (http://securestate.blogspot.com/) who won by a pretty good margin, and the second, third, and fourth place teams all finished within about ten minutes or so of each other.
This was the second event I’ve attended that involved the Kentuckiana ISSA and Adrian and I’ve really enjoyed being involved. I think I’ll be joining ISSA in the very near future.
I wasn’t able to attend many of the talks due to being involved with the CTF but my colleagues who did spoke very highly of all of the speakers.
A big thanks to Adrian and the Kentuckiana ISSA for organizing this! I can’t wait until next year!
Practical Packet Analysis, 2nd Edition – Coming in 2010!
September 24th, 2009 | Category: Publications
I haven’t exactly kept this one a complete secret, but I’ve confirmed with the great folks over at No Starch Press and have begun work on the second edition of Practical Packet Analysis. The second edition will contain over 60% new content including ALL new scenarios and capture files, a very unique take on security at the packet level, much more detailed coverage of wireless packet analysis, and even VoIP! A target release date has not been officially set, but expect something in Q1-Q2 2010.
Have ideas for the second edition? Things you liked? Didn’t like? Want to contribute? Let me know!
September Windows Security Articles
September 23rd, 2009 | Category: Publications
Howdy Folks,
I wanted to take a moment and link a pair of recent articles I’ve written for WindowsSecurity.com.
September 2nd – Securing Application Execution with Microsoft AppLocker
September 23rd – Maintaining, Mandating, and Mitigating Privacy in Internet Explorer 8
Enjoy!
Product Review of GFI LANguard 9.0
July 26th, 2009 | Category: Network Administration, Network Security
The fine folks over at GFI were kind enough to send me a copy of the latest release of their LANguard product, which is currently at version 9.0. As a disclaimer, GFI does advertise on my site, but this is not a paid advertisement, and our business relationship has no influence on my review of the product.
I’ve used various GFI products for several years and remember using LANguard many years ago while working for the Department of Education. As I have taken on a more security-focused role in my new position with EWA GSI I have found myself using LANguard again and am enjoying the newest version of the product just as much as I did the older versions.
The big three features LANguard boasts are vulnerability management, patch management, and network auditing. I’ll address each of those individually.
Vulnerability Management
My primary use of LANguard has always been in this category. Some of my earliest learning experiences with network security were centered on LANguard security scans and in my current security role I’m making use of it right where I left off.
The scanning engine boasts over 15,000 scanning signatures and does seem to be quite thorough. I compared GFI LG scans side by side with Nessus scans on the same hosts and found that the LG scans were picking up quite a few more items of interest when it came to Windows hosts. The scanning options are quite robust, and the reporting and remediation interface couldn’t be much better.

Patch Management
I’ve previously always used WSUS for patch management. However, if you’ve used WSUS you know that it can sometimes be unreliable and the reporting and troubleshooting features associated with it are still greatly lacking. I’m no longer directly managing a network so I evaluated the patch management features of LG on my home network and was pleasantly surprised.
I ran several scans against the devices on my networks and some of the virtual machines in my test networks that I had purposely halted automatic updates on. LG reported the missing updates on these machines and I was able to efficiently deploy those updates to the machines. I’ve always thought OS updates should be something that “just works” and LG fit the bill on this.
Network Auditing
There is a LOT of competition in this area, but I was really impressed with what LG could offer here. I think a network auditing solution’s biggest weak point is usually the reporting interface, and just as with the other areas of LG, the reporting is pristine. Not only can you perform on-the-spot audits, but you can also check for things such as illegal software installations by running comparisons against baseline audits.

Pricing
GFI has released a full-featured FREE version of LANguard to be used for up to 5 IPs. After that, pricing is done on a per-IP basis with prices starting from around $32USD per IP for a 10-24 IP block.
Conclusion
I’ve always thought GFI was a great company with some really great products and LANguard 9.0 only helps to reinforce this opinion. I will continue to use the product alongside Nessus for my security scanning needs and would fully recommend it for network management and auditing.
You can check out LANguard and other GFI products at http://www.gfi.com.
Wireless Sniffing Article in June Issue of (In)Secure Magazine
June 1st, 2009 | Category: Publications
The newest issue of (In)Secure Magazine has been released today. This issue contains an article I’ve written entitled “Using Wireshark to Capture and Analyze Wireless Traffic”.
Article Introduction:
The tricky thing about a wireless network is that you can’t always see what you’re dealing with. In a wireless network, establishing connectivity isn’t as simple as plugging in a cable, physical security isn’t nearly as easy as just keeping unauthorized individuals out of a facility, and troubleshooting even trivial issues can sometimes result in a few expletives being thrown in the general direction of an access point. That being said, it shouldn’t come as a surprise that analyzing packets from a wireless network isn’t as uninvolved as just firing up a packet sniffer and hitting the capture button.
In this article I’m going to talk about the differences between capturing traffic on a wireless network as opposed to a wired network. I’ll show you how to capture some additional wireless packet data that you might not have known was there, and once you know how to capture the right data, I’m going to jump into the particulars of the 802.11 MAC layer, 802.11 frame headers, and the different 802.11 frame types.
The goal of this article is to provide you with some important building blocks necessary for properly analyzing wireless communications.

You can view the full article in the (In)Secure Magazine June issue, which can be obtained here: http://www.net-security.org/insecuremag.php.
WindowsSecurity.com Article on Securing Terminal Services
June 1st, 2009 | Category: Publications
The great folks over at the TechGenix website WindowsSecurity.com have published my article on Locking Down Windows Server 2008 Terminal Services. This article is a fairly detailed list of things you can do to make sure your Terminal Server infrastructure is more secure.
You can view the article here:
http://www.windowsecurity.com/articles/Locking-Down-Windows-Server-2008-Terminal-Services.html
Announcing the Rural Technology Fund
May 31st, 2009 | Category: Website News
I wanted to take a moment and link over to a project I have been working on for quite some time. I’ve recently founded a 501(c)(3) non-profit organization called the Rural Technology Fund. Coming from a small rural area that really lacked in opportunities for those interested in technology, I know how challenging it can be to pursue a career in that field. The goal of the RTF is to provide opportunities to students from rural areas pursuing education in computer technology.
There are two main ways this is done:
Scholarships – This year the RTF is giving away two $500 scholarships. Hopefully we can give away much much more next academic year.
The Genesis program – Working with county youth service centers and local businesses, this program aims to utilize area volunteers to refurbish donated business PCs for donation to students who do not have computers at home. The Genesis program gives birth to opportunities for these students and their families.
How can you help?
Packet Analysis Training – A portion of the income from EVERY training program I do goes directly to the RTF. This includes live training and downloadable videos (coming soon).
Monetary Donations – The RTF is accepting donations, and all of those donations are tax deductible.
Computer and Equipment Donations – The Genesis Program is accepting donated computers to be refurbished and donated to students in need. These computers should be in fairly decent condition and have at least a functioning motherboard and processor. We are also accepting monitor, keyboard, mouse, and software donations.
For more information on the Rural Technology Fund, check out www.ruraltechfund.org.