Archive - 2006

March 22nd

Run multiple snort daemons in one engine

The Snortcenter 2 documentation says "One Sensor Agent can handle multiple snort daemons if the system has multiple network interfaces". If you need to run multiple daemons in one engine on a single interface, you appear to be out of luck.

The Snortcenter agent uses the parameters that Snortcenter passes to it via curl to construct two files, one for the configuration and one for the command-line options. These two files must be different for different daemons. After reviewing the source code, I found a parameter passed to the agent called r_option, which is taken from the sensor's command-line option string after the -R tag. Snort uses -R to include the tag in the PID file name, so each daemon gets a distinct PID file, and the Snortcenter agent uses the same tag when constructing the names of those two files.

So the way to run multiple snort daemons in one engine on one interface is:

  1. Use a different sensor name for each daemon.
  2. Put "-R tag" at the end of the command-line options when defining the sensor in Snortcenter, with a distinct tag for each daemon.

One use for this is to run multiple daemons with different policy sets, for example one daemon checking for policy violations while another checks the otherwise valid traffic against intrusion signatures.
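As an added example (not code from the original post or from Snortcenter), here is a launcher that starts two snort daemons on one interface, one per policy set, each with its own sensor name, config directory and -R tag, and refuses to start if two sensors share a tag. The sensor names, paths and interface are assumptions for illustration; the PID file naming (snort_<iface><id>.pid) is what snort's own usage text describes for -R.

```shell
#!/bin/sh
# Added example; not code from the original post or from snortcenter.
# Starts two snort daemons on ONE interface, distinguished by sensor name and
# by the -R tag. Sensor names, config/log paths and the interface are
# assumptions for illustration; snort's -R behaviour is from its usage text.
SNORT_BIN=${SNORT_BIN:-snort}
SNORT_IFACE=${SNORT_IFACE:-eth0}
SNORT_CONF_BASE=${SNORT_CONF_BASE:-/etc/snort}
SNORT_LOG_BASE=${SNORT_LOG_BASE:-/var/log/snort}

# Sensor list, one "<sensor_name> <tag>" pair per line (constructed).
SENSORS='policy_eth0 policy
ids_eth0 ids'

# snort -R <id> includes <id> in the PID file name, snort_<iface><id>.pid,
# which is what stops two daemons on one interface from sharing a PID file.
pid_file_name() {                 # usage: pid_file_name <iface> <tag>
    printf 'snort_%s%s.pid\n' "$1" "$2"
}

# Command line for one sensor: its own config, its own log directory, and the
# -R tag last, as it would sit at the end of the option string in snortcenter.
sensor_cmd() {                    # usage: sensor_cmd <sensor_name> <tag>
    printf '%s -D -i %s -c %s/%s/snort.conf -l %s/%s -R %s\n' \
        "$SNORT_BIN" "$SNORT_IFACE" \
        "$SNORT_CONF_BASE" "$1" "$SNORT_LOG_BASE" "$1" "$2"
}

# Two sensors with the same tag would collide on the PID file and on the files
# the agent generates from the tag, so refuse that before starting anything.
check_distinct_tags() {           # usage: check_distinct_tags <tag>...
    dups=$(printf '%s\n' "$@" | sort | uniq -d)
    [ -z "$dups" ]
}

start_sensors() {
    tags=$(printf '%s\n' "$SENSORS" | awk '{ print $2 }')
    if ! check_distinct_tags $tags; then
        echo "refusing to start: duplicate -R tag among sensors" >&2
        return 1
    fi
    printf '%s\n' "$SENSORS" | while read -r name tag; do
        mkdir -p "$SNORT_LOG_BASE/$name"
        cmd=$(sensor_cmd "$name" "$tag")
        echo "starting $name (PID file $(pid_file_name "$SNORT_IFACE" "$tag")): $cmd"
        $cmd                      # assumes the per-sensor snort.conf exists
    done
}

if [ "${1:-}" = "--start" ]; then
    start_sensors
fi
```

Run it as `sh launch.sh --start` on the sensor host; without the flag it only defines the functions, which is convenient for sourcing the helpers elsewhere. The duplicate-tag check is the point: snort itself will not complain when a second daemon on the same interface reuses a tag, it will simply overwrite the first daemon's PID file.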

A security risk management tool from Skybox

I came across Skybox's Risk Management suite, which can integrate network, firewall and server data into one view to analyze overall security. It can help you put together regulatory/standard requirements, vulnerabilities, network security, etc. Here is the snippet:

Skybox's award-winning product, Skybox View™ creates a virtual Integrated Security Model (ISM) in order to understand IT network security risks, control dependencies and proposed changes within the context of your overall network design.

This virtual model can be safely attacked, changed, and analyzed for the purpose of improving the security profile of the network as well as verifying security control compliance with defined policies.

The result is a more secure network, operational efficiency and reduced IT workload. This is achieved through continuous evaluation of an organization's network security risk and connectivity profile.

March 12th

Travel to Orlando Disney World

Today we started our bus tour with TourEast to Orlando Disney World. I decided on a bus tour because it's much cheaper during March break and I wanted to check out more places, as it's my first time in the USA.
The bus went through US customs at Peace Bridge, then took highway 90-79-19-77.

Along Highway 19 there are at least two Peking buffets. We had dinner at the one in Beckley. The food was good.

Night stop at around 11:30 PM at a Comfort Inn in Jonesville, North Carolina. It has free wireless Internet access; I tried it and the connectivity is good.

I can get my BlackBerry connected almost everywhere. I noticed the provider changes from time to time: Cingular, AT&T, 1-80?? etc.

What a long trip. I'm tired and will surely sleep well.

March 10th

Use PEBuilder to build a live WinXP CD

It's called "Bart's Preinstalled Environment (BartPE) bootable live windows CD/DVD", but it is actually a tool that creates a live CD from your Windows XP installation files. Native NTFS support and the live-CD approach make it a strong candidate for virus cleaning, rescuing files and so on.
The basic live system it creates is a little too bare, but the tool lets you add applications to the live CD through plugins, so it is really up to you how far you extend it.

There are many plugin repositories available, with applications ranging from hard disk partitioning to wireless hacking, so you can create an anti-virus/anti-spyware rescue CD as well as a network security CD.
I created one live XP CD with Firefox, Explore2fs and PuTTY. Good enough for my daily work.

Tip: you need to enable the "RpcSS needs to launch DComLaunch Service first - SP2 only" plugin, otherwise Disk Management will not work.

March 8th

Nortel VPN Client Split Tunneling Control

Disabling split tunneling works.

I noticed that the client changed the routing table, so I tried to break it by modifying the routing table. I can manipulate the routing table without the client software noticing, but cannot establish communication to other destinations. The sniffer data showed that UDP packets were sent out but not ICMP/TCP. I can see the returning UDP data packets, but the application on the host does not see them. It's possible that the VPN client also implements filtering in the stack, in addition to the routing change, for split tunneling control.

March 7th

Microsoft VPC Config file for virtual machine

The VMC file is an XML file containing all the config info. I noticed this while trying to figure out why the shared folder was not working, then found out that you have to set up the folder share while the VM is running. :-)

What a mistake I made.

BTW, my colleague just showed me how to use a VM to get around split tunneling control on one physical machine. He uses a VM to connect to the VPN that enforces split tunneling control, so he can still use the host machine as he wants. He can also transfer files between his host and the machines inside the tunnel using the folder sharing provided by VPC. Smart. It reminds me that I did a similar thing before with another VPN client.

February 28th

Phone service quick reference

Rogers call forwarding:

  • To Activate: *21*(Receiving phone number)#SEND
  • To Deactivate: #21#SEND

StillSecure releases free version of IDS/IPS Strata Guard

We are pleased to announce that StillSecure (www.stillsecure.com, www.stillsecure.org) has made available for general release a freeware version of our award-winning Intrusion Detection / Prevention System, Strata Guard.

This version is free to use for individuals and organizations. Strata Guard is a Snort-based IDS/IPS that is extremely easy to use, with full reporting, automatic updates against the latest attacks, quick-tune wizards and false positive reduction.


It can run in out-of-band and in-line modes. I invite everyone to test it out for yourselves:

http://www.stillsecure.org

Support is available via the message boards on the site, and full context-sensitive help is built in. If you have used Snort before and are looking for something a little more commercially polished, or if pure Snort was a little too much to manage, Strata Guard could be perfect for you.

We are grateful to the community for all of the help and support we have received over the years and want to give something back. Enjoy and please let us know your comments.

February 24th

Advantages of NAT over a routing approach in a typical e-commerce data center

1. Higher security, less noise: traffic for an address you have not defined as a NAT entry is never delivered into your network, whether it is TCP, UDP or ICMP. With a routed block, by contrast, a sweep of the block shows up on your segment as ARP requests for every address, present or not:

14:33:05.062277 arp who-has 209.*.*.50 tell 209.*.*.61
14:33:05.065794 arp who-has 209.*.*.56 tell 209.*.*.61
14:33:05.066148 arp who-has 209.*.*.59 tell 209.*.*.61
14:33:05.066506 arp who-has 209.*.*.51 tell 209.*.*.61
14:33:05.066859 arp who-has 209.*.*.53 tell 209.*.*.61
14:33:05.067207 arp who-has 209.*.*.52 tell 209.*.*.61
14:33:05.067552 arp who-has 209.*.*.54 tell 209.*.*.61
14:33:05.068195 arp who-has 209.*.*.55 tell 209.*.*.61
14:33:05.068782 arp who-has 209.*.*.57 tell 209.*.*.61

2. It supports a layered data center design without giving each layer its own subnet, which would put a router at the center of all the subnets.

To be continued...
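As an added example (not part of the original post), here is a small checker that reads tcpdump ARP lines in the format shown above and reports, per requester, the who-has requests aimed at addresses that are not defined on the segment. That is exactly the noise NAT keeps off the network and a routed block lets through. The capture and the list of defined addresses are constructed for this example using the 192.0.2.0/24 documentation range; 192.0.2.61 stands in for the upstream router.

```shell
#!/bin/sh
# Added example, not part of the original post: scan tcpdump ARP output for
# "who-has" requests aimed at addresses that are not defined on the segment.
# The capture and the defined-address list below are constructed
# (192.0.2.0/24 documentation range); the line format is tcpdump's
# "<time> arp who-has <target> tell <requester>", as shown in the post.

# Addresses that really exist (or have NAT entries) on the segment.
DEFINED_ADDRS='192.0.2.50 192.0.2.51'

# Constructed sample capture; 192.0.2.61 plays the upstream router.
SAMPLE_CAPTURE='14:33:05.062277 arp who-has 192.0.2.50 tell 192.0.2.61
14:33:05.065794 arp who-has 192.0.2.56 tell 192.0.2.61
14:33:05.066148 arp who-has 192.0.2.59 tell 192.0.2.61
14:33:05.066506 arp who-has 192.0.2.51 tell 192.0.2.61
14:33:05.066859 arp who-has 192.0.2.53 tell 192.0.2.61
14:33:05.067207 arp who-has 192.0.2.52 tell 192.0.2.61
14:33:05.067552 arp who-has 192.0.2.54 tell 192.0.2.61
14:33:05.068195 arp who-has 192.0.2.55 tell 192.0.2.61
14:33:05.068782 arp who-has 192.0.2.57 tell 192.0.2.61
14:33:05.100000 arp reply 192.0.2.50 is-at 00:00:5e:00:53:01'

# Read ARP lines on stdin; print one line per requester:
#   <requester> <requests for undefined addresses> <distinct undefined targets>
# who-has for a defined address is normal neighbour resolution and is ignored;
# a requester with many distinct undefined targets is sweeping the block.
undefined_arp_requests() {        # usage: undefined_arp_requests "<defined addrs>"
    awk -v defined="$1" '
        BEGIN { n = split(defined, d, " "); for (i = 1; i <= n; i++) ok[d[i]] = 1 }
        $2 == "arp" && $3 == "who-has" && !($4 in ok) {
            req = $6
            total[req]++
            if (!seen[req, $4]++) distinct[req]++
        }
        END { for (r in total) print r, total[r], distinct[r] }
    ' | sort
}

# Report over the embedded sample.
sweep_report() {
    printf '%s\n' "$SAMPLE_CAPTURE" | undefined_arp_requests "$DEFINED_ADDRS"
}

sweep_report
```

On a live box, feed it the real capture instead of the sample: `tcpdump -n -l arp | undefined_arp_requests "$DEFINED_ADDRS"` (tcpdump's newer "ARP, Request who-has" format would need the field positions adjusted). Requests for .50 and .51 are dropped as legitimate, so the report shows the router asking for seven addresses that have no host behind them.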

February 22nd

About

About me

Information security professional with 15+ years of IT experience and over 7 years in the information security field. Focus on security architecture and process integration involving people, process and technology. Expert in leveraging both open source and commercial tools to fulfill business goals.

My Specialties:

1. Security architecture
2. Open source security tools integration
3. Creating security processes and putting them into operation

My family

I live with my wife and two kids in Toronto, Canada. We like outdoor activities, movies and music. My daughter is proudly a member of the champion soccer team, Richmond Hill Rep.

Contact

email: jli@jlisbz.com

MSN: jliworks@hotmail.com