Howto: Copy/Tee/Clone network traffic using iptables

Having to work with NetFlow data for my diploma thesis, I invested quite some time in the following challenge:
Our routers export Cisco NetFlow data to HOST A, where we do accounting. I want to use HOST B for several NetFlow-related tests. The routers only support a single export target (as mentioned, that target is HOST A).

Problem: how can the incoming packet stream be cloned at HOST A, so that one copy is delivered to HOST A's userspace (for the accounting applications) and the other copy to HOST B's userspace (for the tests)?
The specific challenge is that I do not want a simple FORWARD to HOST B, but a FORWARD of a copy, so that the data can be used on both machines. This leads to the next problem: packets arriving at HOST B still carry HOST A's destination IP address in their IP header. That address has to be rewritten at HOST B, because the kernel only delivers packets to userspace sockets when they are addressed to one of its own addresses; anything else it forwards or drops.
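As an added example (not the solution from the original post, which is behind the link), here is how the same setup can be built with the iptables TEE target, which clones a packet and hands the clone to a gateway, combined with DNAT on HOST B. The addresses 192.0.2.10 (HOST A), 192.0.2.20 (HOST B), the router network 198.51.100.0/24 and the NetFlow port 2055 are placeholders. HOST B has to sit on a link directly attached to HOST A: the clone keeps HOST A's address as IP destination, so any intermediate router would simply send it back to HOST A.

```shell
#!/bin/sh
# Added example, not the solution from the original post: clone the NetFlow
# UDP stream arriving at HOST A to HOST B with iptables' TEE target and
# rewrite the destination address on HOST B with DNAT so local sockets see it.
# All addresses and the port below are placeholders (assumptions).
HOST_A="${HOST_A:-192.0.2.10}"               # collector doing the accounting
HOST_B="${HOST_B:-192.0.2.20}"               # test box, on the same link as HOST A
ROUTER_NET="${ROUTER_NET:-198.51.100.0/24}"  # where the exporting routers live
NETFLOW_PORT="${NETFLOW_PORT:-2055}"
IPT="${IPT:-iptables}"
DRY_RUN="${DRY_RUN:-0}"                      # DRY_RUN=1 prints rules instead of applying

# run: apply a rule, or just print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# host_a_rules: on HOST A, copy each NetFlow datagram to HOST B before the
# routing decision. The original packet continues to INPUT unchanged, so the
# accounting application on HOST A is not affected. Matching on the source
# network keeps HOST A from relaying arbitrary UDP from strangers to HOST B.
host_a_rules() {
    run "$IPT" -t mangle -A PREROUTING -s "$ROUTER_NET" -d "$HOST_A" \
        -p udp --dport "$NETFLOW_PORT" -j TEE --gateway "$HOST_B"
}

# host_b_rules: the clones still carry HOST A's address as IP destination.
# DNAT in nat/PREROUTING rewrites it before routing, so the kernel delivers
# the datagrams to local sockets instead of forwarding or dropping them.
# The FORWARD rule makes sure nothing addressed to HOST A ever leaves HOST B
# again, even if forwarding is enabled for other reasons.
host_b_rules() {
    run "$IPT" -t nat -A PREROUTING -s "$ROUTER_NET" -d "$HOST_A" \
        -p udp --dport "$NETFLOW_PORT" -j DNAT --to-destination "$HOST_B"
    run "$IPT" -A FORWARD -d "$HOST_A" -j DROP
}

# usage: sh tee-netflow.sh a   (on HOST A)
#        sh tee-netflow.sh b   (on HOST B)
case "${1:-}" in
    a) host_a_rules ;;
    b) host_b_rules ;;
esac
```

Run the script with `DRY_RUN=1` first to see the rules. On HOST B, `tcpdump -ni eth0 udp port 2055` shows whether the clones arrive at all (before NAT, so still with HOST A's address), and a listening collector confirms that the DNAT makes them reach userspace. TEE needs the xt_TEE module, and the DNAT rule pulls in connection tracking, so HOST B's conntrack table grows by one UDP entry per exporter.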


Intrusion Detection with Heterogenous Sensors

My study thesis is finally finished. It deals with different intrusion detection approaches, consisting mainly of sniffers and honeypots, and their implementation in the university's campus network. Basically, I have deployed several heterogeneous sensors in different subnets/VLANs and enabled all of them to report to one centralised console for further investigation and automated forwarding of incidents to the persons in charge. This is the abstract:

Computer systems and networks connected to the Internet are exposed to a large array of malicious activities. Computers throughout the world are continuously being scanned for vulnerabilities, exploited and finally compromised by humans or by autonomously spreading malicious software, called malware. To stem this threat, the University of Karlsruhe has deployed an Intrusion Detection System (IDS) consisting of the intrusion prevention module "IntruShield" and some other quarantine automation modules. The purpose of this study thesis is to ensure deeper security by extending this IDS according to the "Defense in Depth" strategy. Therefore, several sensors have been deployed into the core and user networks to extend the current setup to a distributed intrusion detection system. The heterogeneity of these sensors helps to cover different kinds of attacks: sniffers for network traffic examination, honeypots for network-host specific operations and host-based IDSs (HIDS) for host-specific activities. As this heterogeneity leads to a large amount of different data to be analysed, it has been decided to implement a hybrid intrusion detection framework which enables all the different security applications, i.e. sensors, to report to a centralised console that performs automatic aggregation of the distributed data and correlation between the various events, presented to the security analyst through a web interface.
This work gives an introduction to the basic principles, approaches and security-related software technologies used throughout this study thesis. Moreover, it describes the current security concept of the University of Karlsruhe as well as its proposed enhancements. In detail, this thesis presents the campus-wide implementation of the previously mentioned distributed intrusion detection architecture and concludes with its evaluation and a future outlook. The thesis shows that the commissioning of this approach results not only in a better automated, but also in a more structured, more unified and faster security process.

Link: Intrusion Detection with Heterogenous Sensors, 86 pages, 3.5 MB.

Executing computer commands by whistling

Anyone who has always wanted to control their computer simply by whistling, as is done in this YouTube video, should read this little tutorial. It should work with Debian and Ubuntu.

Advanced Packet Capturing Howto: PF_RING, NAPI and extended libpcap on Debian Sarge

Working on my student research project, I have to monitor a quite large network. Therefore, I have configured one of the main switches to mirror its traffic to my high-end sniffing machine. Trying to capture the traffic with software depending on libpcap, I encountered massive packet loss almost immediately using libpcap-0.8 on Debian (version 0.9.5-1). I have now committed a whole day to trying to decrease the number of dropped packets. There are some promising solutions, namely mmap'ed libpcap, NAPI (a polling-enabled network driver) and PF_RING, the latter being the most promising after having read "Improving Passive Packet Capture: Beyond Device Polling". The theory sounds great and is one thing, but getting it to run without any useful documentation almost killed me. Here is how I finally did it…

Howto: getmail, dovecot, postfix, spamassassin and procmail

This little howto briefly explains how the programs named above can work hand in hand to provide an IMAP service with spam filtering and mail sorting. The tutorial is based on the article "Mailhamster mit FreeBSD" and extends it with the configuration of SpamAssassin and procmail. Users still working with sendmail should switch to postfix; a simple howto for that can be found here.

MRTS – MRTG RRDtool Total Statistics

This little guide is not supposed to be an introduction to SNMP, RRDtool or MRTG, though I will give a very brief look at these programs. The true intention of this tutorial is a properly configured MRTS, which of course goes along with a correct installation of MRTG, RRDtool and SNMP. So most of the time we will have to configure these three programs. Moreover, this tutorial is based on a FreeBSD system; I am running 6-STABLE. I presume that you have Apache installed and configured properly for use with PHP. If not, do so! I won't explain that here. The following chapter gives a short overview of the programs we need for setting up MRTS. The program summaries are the ones that can be found on the corresponding official websites, along with other detailed information on the specific program. So let's get started.

Automated FIFA World Cup 2006 ticket polling

Since Flo's and my plan to somehow still get hold of World Cup tickets was recently shattered by the stupid FIFA system, an idea was needed. According to FIFA, "during the period lasting until 15 April [...] the offer will be updated again and again with newly released ticket quotas". Constantly calling up the page yourself is cumbersome, and you also have to be lucky enough to drop by at just the right moment. In freeX 1/06 I had found a shell script that automatically monitors bookmarks for changes and then sends a mail. That was very complex, though, and did not run properly on my system. Another option is the WM'2006 Ticket Alarm from mainhattensoftware.de, but that is Windows-only and not free. So something of my own had to be made.
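As an added example of the idea (my own, not the author's script, which is behind the link): poll a page, fingerprint the part of it that matters, and send a mail only when that fingerprint changes. URL, recipient and state file are placeholders; the fetch, filter and notification steps are plain shell functions so they can be swapped out, and the `mail(1)` call assumes a working local MTA.

```shell
#!/bin/sh
# Added example, not the script from the original post: poll a web page,
# compare a checksum of its (optionally filtered) content with the one seen
# last time and send a mail when it changed. URL, recipient and state file
# are placeholders (assumptions).
URL="${URL:-https://example.invalid/tickets}"
MAILTO="${MAILTO:-me@example.invalid}"
STATE="${STATE:-$HOME/.ticketwatch.cksum}"
INTERVAL="${INTERVAL:-600}"              # seconds between polls

# fetch_page: print the page body; fail if the fetch fails.
# Overridable, which is what makes the rest testable offline.
fetch_page() {
    curl -fsSL --max-time 30 "$URL"
}

# extract: keep only the part of the page worth watching. Default is the
# whole page; for a dynamic page replace this with e.g. a sed range so that
# session ids or timestamps do not trigger a mail on every poll.
extract() {
    cat
}

# notify: what to do on a change (default: mail(1)).
notify() {
    printf 'The page changed: %s\n' "$URL" | mail -s "Ticket page changed" "$MAILTO"
}

# check_once: fetch, fingerprint, compare with the stored fingerprint.
# Exit status: 0 = changed (state updated, notify called unless first run),
# 1 = unchanged, 2 = fetch failed (state untouched, no mail).
check_once() {
    tmp=$(mktemp) || return 2
    if ! fetch_page > "$tmp"; then
        rm -f "$tmp"
        return 2
    fi
    new=$(extract < "$tmp" | cksum | cut -d' ' -f1)
    rm -f "$tmp"
    old=$(cat "$STATE" 2>/dev/null) || old=""
    if [ "$new" = "$old" ]; then
        return 1
    fi
    printf '%s\n' "$new" > "$STATE"
    if [ -n "$old" ]; then   # first run only records the baseline
        notify
    fi
    return 0
}

# poll_loop: run check_once forever; a failed fetch is simply retried later.
poll_loop() {
    while :; do
        check_once
        sleep "$INTERVAL"
    done
}

# usage: sh ticketwatch.sh loop      (run in the background)
#        sh ticketwatch.sh once      (e.g. from cron every ten minutes)
case "${1:-}" in
    once) check_once ;;
    loop) poll_loop ;;
esac
```

A failed fetch deliberately leaves the stored fingerprint alone, otherwise an outage of the site would produce a "changed" mail when it comes back. The first run only records the baseline, so starting the watcher never sends a mail by itself.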

Print server in a heterogeneous LAN with Turboprint, FreeBSD and a Canon Pixma IP4200

I already knew before buying the printer that Canon is not exactly a pioneer when it comes to printing support for Linux and *BSD, but I still wanted to try it with this device, since it offers quite a lot in terms of price/performance. I had no desire to fiddle with the Japanese Linux drivers, though, and besides, they cannot use the duplex unit anyway (let alone the CD printing function, but whether I will ever need that is another matter). Turboprint is said to offer very good drivers for the Pixma series (unfortunately under a paid licence, which is worth it, though), so I wanted to test that. Desired configuration: FreeBSD 6.0 (without X11) as print server with the Turboprint drivers. I have summarised my experiences in a little howto; the interested reader may read on ;)

Preliminary note: if you do not want to print directly from the server, you can skip installing Turboprint on it; it is then sufficient to set up a raw queue via CUPS and install the drivers on the clients.