Posted by Wordmobi
I have recently been doing a fair bit of work trying to find a replacement for my ACID/BASE front-end for Snort. This has been proving somewhat difficult; the closest I have come to a usable solution was modifying Splunk to use custom filters etc. However, although Splunk is an incredibly powerful analysis tool, it seems to be somewhat overkill for just monitoring Snort events. I’d like to point out that I hold no gripes with the Sguil/BASE development; they are great tools, just under-developed! (I know Bamm has recently said he will continue development on Sguil once more; however, I will wait to see that promise come to fruition before delving further.)
After playing around with various options and test environments, I was getting fed up with clunky interfaces and over-complicated scenarios when I happened to come across Snorby…
Snorby, as described by @mephux, is a new and modern Snort IDS front-end. The fundamental concepts behind Snorby are simplicity and power. The project goal is to create a free, open-source and highly competitive application for network monitoring, for both private and enterprise use.
After downloading a recently created VMware appliance with a configured version of Snort, Barnyard, Apache (or maybe WEBrick, I can’t quite remember) and Snorby all ready to go, I was eager to get it running and hammer it with some traffic. I had some initial issues binding to the NIC in my VM: I was using a host-only vmnet, and the default install comes pre-configured with a static IP and, for some unknown reason, was scripted to bring up eth0, whereas in my VM the only NIC available was eth1. No problem; I just changed the /etc/network/interfaces file to reflect my changes and get an address via DHCP. The Snorby startup script is configured to bind to all available interfaces and works out of the box.
Now came the fun bit. After modifying the snort.conf file to reflect the NIC changes and bind to the correct interface, I sent it some nmap port-scanning activity and a few random Metasploit payloads to generate some alerts. All seemed well, and now came the time to view the hits using Snorby. First impressions upon loading the interface were great: finally, a Snort front-end that actually looks great! A look at a typical dashboard layout shows it has potential, and plenty of eye-candy!

So far I am incredibly excited about the prospects this has: it is written in Ruby, is completely open source and is, well, damn sexy! I hope Dustin continues development, and I have offered my help on the project, as I really would like to see this take off and go on to high places; it certainly has the potential to be something big.
Let’s begin with a recap of the definition of SIEM, SIM and SEM: Security (Information and Event) Management. The parentheses are deliberate; their contents are actually irrelevant when dealing with this definition. IMHO the term was developed to cater for the security vendors and has since been misused, much like many other security acronyms throughout the years (hacker, cracker, etc.). SIEM has become a collection of letters that allows a vendor to sell a one-for-all solution to your security monitoring needs; this, as in most cases, is merely a pipe dream making someone out there millions. You may be thinking I have some sort of personal vendetta against security vendors, and maybe I do; however, I think there are some valid points to be made with regard to one-size-fits-all flashy boxes. SIEM just doesn’t work. When it does, I’ll be the first to get down on my knees and hail the almighty solution to all our problems.
Continue reading ‘The Problem With SIEM (and I don’t mean the product…)’
Worthy of a quick mention: Digininja, friend and author of Jasager, The Interceptor and many other weird and wonderful apps, has been sharing his learning experiences via Twitter. Searching for #secvidofday returns a collection of daily tweets, each with a security video link. There are some great finds in there and I hope he carries it on!
Before I start this post, I’d like to point out that I am far, far from a programmer and have very little, if any, ‘real’ knowledge on this subject, so forgive my (lack of) ‘technical’ descriptions from now on!
After my previous post on PowerShell scripting, I have been honing my skills and automating everything I can think of! Building on the earlier example script, I have been playing with PrimalForms from SAPIEN Technologies, building a pretty sweet GUI for the aforementioned script. This, however, brought a previously unknown issue to my attention: threading. Now, again, I’m no programmer; I can’t code to save my life and, to be honest, have no intention of learning, but I know enough to get by. As far as I can gather from various sources (namely this Expert to Expert podcast), PowerShell is a single-threaded application, in that all the building blocks for a given script are loaded into the PowerShell engine together in a single thread and executed as such.
The reason I was prompted to look into threads within PowerShell is that, whilst building the GUI for the automation script in the earlier post, I hit some issues when calling external programs into the mix. The GUI would hang when an external program was running for a certain amount of time with no noticeable outcome (i.e. it was waiting for something to complete). I believe this is really a Windows Forms issue within PowerShell; however, I have had varying success in defining my functions outside of the runspace that the GUI uses…
See this link for a better understanding.
Using this method, however, slightly overcomplicates the coding, and for now I have left it as it was (with the addition of a status message on the GUI stating “Window may stop responding….”). It does the job, and it’s not a production release.
To clarify, I believe there has been some extensive work on this in PowerShell 2.0, as far as I can see from the CTP; however, I am still using 1.0 with this particular project and unfortunately have no upgrade path. I will be experimenting with the CTP and threading on a forthcoming project, which I will talk about shortly.
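As an added example (my own illustration, not the post author’s script or PrimalForms output), here is what the “run the slow work outside the GUI’s runspace” approach looks like in practice: the form lives in the main runspace, the external program is launched in a second runspace via `BeginInvoke()`, and a `Timer` on the GUI thread polls for completion so no control is ever touched from the worker. It assumes PowerShell 2.0 or later (`[powershell]::Create()` and `BeginInvoke()` are 2.0 APIs, which is why this would not have helped on the 1.0 install described above), and `ping.exe` against the loopback address is only a constructed stand-in for whatever slow external tool the GUI calls.

```powershell
# Added example: keep a WinForms GUI responsive while an external command runs
# in a separate runspace. Requires PowerShell 2.0+ (assumption noted in the text).
Add-Type -AssemblyName System.Windows.Forms
Add-Type -AssemblyName System.Drawing

$form = New-Object System.Windows.Forms.Form
$form.Text = 'Background runspace demo'
$form.Size = New-Object System.Drawing.Size(420, 160)

$status = New-Object System.Windows.Forms.Label
$status.Text = 'Idle'
$status.AutoSize = $true
$status.Location = New-Object System.Drawing.Point(10, 15)

$button = New-Object System.Windows.Forms.Button
$button.Text = 'Run external tool'
$button.Width = 150
$button.Location = New-Object System.Drawing.Point(10, 50)

# The worker gets a runspace of its own, so the runspace that owns the form
# is never blocked waiting on the external process.
$runspace = [runspacefactory]::CreateRunspace()
$runspace.Open()
$worker = [powershell]::Create()
$worker.Runspace = $runspace
$null = $worker.AddScript({
    # Runs in the worker runspace. ping.exe with a few echoes is a constructed
    # stand-in for any slow external program; its output is the pipeline result.
    & ping.exe -n 4 127.0.0.1 2>&1 | Out-String
})

$script:handle = $null

# Poll the async handle from the GUI thread. Controls are only updated here,
# never from inside the worker script block.
$timer = New-Object System.Windows.Forms.Timer
$timer.Interval = 250
$timer.Add_Tick({
    if ($script:handle -ne $null -and $script:handle.IsCompleted) {
        $timer.Stop()
        $output = $worker.EndInvoke($script:handle)   # collect the worker's output
        $script:handle = $null
        $status.Text = 'Finished, ' + ($output | Out-String).Length + ' chars of output'
        $button.Enabled = $true
    }
})

$button.Add_Click({
    $button.Enabled = $false
    $status.Text = 'Running... the window stays responsive'
    $script:handle = $worker.BeginInvoke()   # returns immediately, work continues elsewhere
    $timer.Start()
})

$form.Controls.Add($status)
$form.Controls.Add($button)
$null = $form.ShowDialog()   # ShowDialog pumps messages, so the timer keeps ticking

# Tidy up once the form has been closed.
$timer.Dispose()
$worker.Dispose()
$runspace.Close()
```

The design point is the hand-off: the worker never reaches back into the form, and the GUI never blocks on the worker, which is exactly the hang described above. Polling with a `Timer` is the simplest safe pattern; a `$sync = [hashtable]::Synchronized(@{})` passed into the worker runspace via `$runspace.SessionStateProxy.SetVariable()` works too when the worker needs to report progress rather than a single result.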