Monday, July 5, 2010
Xplico, Internet Traffic Decoder. Network Forensic Analysis Tool (NFAT)
About
The goal of Xplico is extract from an internet traffic capture the applications data contained.
For example, from a pcap file Xplico extracts each email (POP, IMAP, and SMTP protocols), all HTTP contents, each VoIP call (SIP), FTP, TFTP, and so on. Xplico isn’t a network protocol analyzer. Xplico is an open source Network Forensic Analysis Tool (NFAT).
Xplico is released under the GNU General Public License (see License for more details).
Features:
* Protocols supported: HTTP, SIP, IMAP, POP, SMTP, TCP, UDP, IPv6, …;
* Port Independent Protocol Identification (PIPI) for each application protocol;
* Multithreading;
* Output data and information in SQLite database or Mysql database and/or files;
* At each data reassembled by Xplico is associated a XML file that uniquely identifies the flows and the pcap containing the data reassembled;
* Realtime elaboration (depends on the number of flows, the types of protocols and by the performance of computer -RAM, CPU, HD access time, …-);
* TCP reassembly with ACK verification for any packet or soft ACK verification;
* Reverse DNS lookup from DNS packages contained in the inputs files (pcap), not from external DNS server;
* No size limit on data entry or the number of files entrance (the only limit is HD size);
* IPv4 and IPv6 support
* Modularity. Each Xplico component is modular. The input interface, the protocol decoder (Dissector) and the output interface (dispatcer) are all modules
* The ability to easily create any kind of dispatcer with which to organize the data extracted in the most appropriate and useful to you
Thursday, June 24, 2010
Guardian Active Response for Snort IDS
Overview:
Guardian is a security program which works in conjunction with Snort to automaticly update firewall rules based on alerts generated by Snort.
The updated firewall rules block all incoming data from the IP address of the attacking machine (the machine which caused Snort to generate an alert.
There is also logic in place which pervents blocking important machines, such as DNS servers, gateways, and whatever else you want.
Here is a link you might want to read: http://online.securityfocus.com/infocus/1540 .. I found it very interesting on why you should use this software with great caution.
New Stuff/Changes
* New block/unblock scripts! Checkpoint firewall and Pix firewall scripts. Download them below. Thanks goes out to Markwalder Philip (pm at ibp.ch) and Roland Gafner (roland.gafner at gmx.net). Awesome work guys :)
* Better syslog parsing! Now guardian should work regardless of how your syslog/snortlib reports the attacks (as long as the attacker's IP address is first). The new code is much cleaner, and should be a bit faster as well.
* Added support for watching for more than one IP address. To do this, a new option has been added to the guardian.conf file:
TargetFile /etc/guardian.target
The file should contain a list of IP addresses which are local IP addresses. The format is the same as the IgnoreFile. This is useful for people who are hosting several IP addresses from one machine. It might also be useful for poeple who are running snort/guardian on a firewall.
This will also only place a block on the interface which is defined in the guardian.conf .. I should also add that this is experimental.
* Bug fix: guardian now catches portscans as reported by the portscan modules
Block/Unblock Scripts
* ipchains (Block / Unblock)
* iptables (Block / Unblock)
* ipfwadm (Block / Unblock)
* FreeBSD using IPFW (Block / Unblock)
* ipfilter (courtesy of Wes Sonnenreich (sonny at alum.mit.edu) (Block / Unblock)
* New! Null Route for Linux systems with no other packet filter software (Block / Unblock)
This is a hack. Please read the file.. It works by adding a route to your routing table when an attack is detected. The route is invalid, and specific to the attacker, so while the route exists, your machine won't send anything back to the attacker. I have no idea what this does to performace.
* Checkpoint Firewall (Thanks Markwalder Philip and Roland Gafner)(Block / Unblock)
* Pix Firewall (Thanks Markwalder Philip and Roland Gafner)(Block / Unblock / Required perl script (also requires ssh perl module))
Misc Stuff
* Here is a readme file that explains how to have guardian/snort running on one machine, and applying blocks to your firewall on a diffrent machine. This was written by Roland Gafner (roland.gafner at gmx.net)
Downloads
* Current Version: 1.7 (Download here)
o Better syslog parsing
o TargetFile to watch multiple IP addresses
o Bug Fix for catching portscans
* Version: 1.6.2 (Download here)
o Support added for syslog rotation. Previously, guardian would not reopen the syslog file if it got rotated. This does not mean that there is support for rotating the guardian log itself. This will be supported in a future version.
o Added block/unblock script for ipfwadm (useful for older linux kernels)
o Bug fixes. Thanks to brian at unearthed.org for pointing them out.
* Version: 1.6.1 (Download here)
o Bug fix for newer snortlibs and syslog
o Added block/unblock scripts for ipfwadm
* Version: 1.6 (Download here)
o Now calls an external script for blocking ip addresses.
o Added a timelimit feature.
o Removes all blocks upon exit
* Version: 1.5 beta (Download here)
Many bug fixes, FreeBSD support added, syslog support added, IPtables support added
* Original release: 1.0 (Download here)
TODO
* Support for other Network Intrusion Detection systems
* Write block/unblock scripts for other OSs
* Do something with the Priority codes that come with newer snort-libs
* Include changes from unofficial guardian releases..
* More stuff later on..
Thursday, June 17, 2010
DRBD-data storage replication for HA clusters(useful for Disaster Recovery)
DRBD® refers to block devices designed as a building block to form high availability (HA) clusters. This is done by mirroring a whole block device via an assigned network. DRBD can be understood as network based raid-1.
In the illustration above, the two orange boxes represent two servers that form an HA cluster. The boxes contain the usual components of a Linux™ kernel: file system, buffer cache, disk scheduler, disk drivers, TCP/IP stack and network interface card (NIC) driver. The black arrows illustrate the flow of data between these components.
The orange arrows show the flow of data, as DRBD mirrors the data of a high availably service from the active node of the HA cluster to the standby node of the HA cluster.
The upper part of this picture shows a cluster where the left node is currently active, i.e., the service's IP address that the client machines are talking to is currently on the left node.
The service, including its IP address, can be migrated to the other node at any time, either due to a failure of the active node or as an administrative action. The lower part of the illustration shows a degraded cluster. In HA speak the migration of a service is called failover, the reverse process is called failback and when the migration is triggered by an administrator it is called switchover.
Feature List
* May be used to add redundancy to existing deployments
* Fully synchronous, memory synchronous or asynchronous modes of operation
* Masking of local IO errors
* Shared secret to authenticate the peer upon connect
* Bandwidth of background resynchronization tunable
* Automatic recovery after node, network, or disk failures
* Efficient resynchronization, only blocks that were modified during the outage of a node.
* Short resynchronization time after the crash of an active node, independent of the device size.
* Automatic detection of the most up-to-date data after complete failure
* Integration scripts for use with Heartbeat
* Dual primary support for use with GFS/OCFS2
* Configurable handler scripts for various DRBD events
* Online data verification
* Optional data digests to verify the data transfer over the network
* Integration scripts for use with Xen
* Usable on LVM's logical volumes. Usable as physical volume for LVM
* Integration scripts for LVM to automatically take a snapshot before a node becomes the target of a resynchronization
* Dependencies to serialize resynchronization, in case of default all devices in parallel
* Heartbeat integration to outdate peers with broken replication links, avoids switchovers to stale data
* Many tuning parameters allow to optimize DRBD for specific machines, networking hardware, and storage subsystem
* Integration scripts for use with RedHat Cluster (excl. the GUI tools)
* Existing file systems can be integrated into new DRBD setups without the need of copying
* Support for a third, off-site node for disaster recovery (since 8.3)
* Support for compression of the bitmap exchange (since 8.3.2, keyword: use-rle)
* Support for floating peers (since 8.3.2) in drbdadm
* Feature complete OCF Heartbeat/Pacemeker resource agent (since 8.3.2)
* Resource level fencing script, using Pacemaker's constraints (since 8.3.2)
* Supports TCP/IP over Ethernet, SuperSockets over Dolphin NICs (8.3.2) and SDP over Infiniband (8.3.3)
Friday, June 11, 2010
Network Intrusion Detection System (IDS) - Sax2
Ax3soft Sax2 is a professional intrusion detection and prevention system (IDS) used to detect intrusion and attacks, analyze and manage your network which excels at real-time packet capture, 24/7 network monitor, advanced protocol analysis and automatic expert detection.
With insight into all operations in your network, Sax2 makes it easy to isolate and solve your network security problems - detect network vulnerabilities, identify network security threats, catch actions against of security strategy and signs of been attacked. Finally, intercept and stop these connections.
Sax2 offers many kinds of intrusion analysis reports, such as events, type, source address and destination address of attacks, and many crossover reports and compositive reports. Furthermore, sax2 allows customize the time range which administrator will flexible monitor and evaluate the network security.
Sax2, enhanced detection, analysis, response and management features, supports almost all common used protocols, self-contained and high speed update event database. It will compose an active detection as the core of dynamic Security Defense System with other network security software, such as Firewall and anti-virus.
Key Features:
Intrusion Detection and Prevention
Detects variety of complex attacks in your network, including pre-attack detection, password guessing, denial of service attacks (DoS/DDoS), buffer overflow attacks, CGI/WWW attacks, windows vulnerabilities attacks, Unix vulnerabilities attacks, unauthorized access, SQL inject attacks, worms, backdoor Trojans, ARP spoof, and so on. And then, Sax2 intrusion detection system will initiatively stop the dangerous behavior to prevent your whole network.
Real-Time Alert and Response.
Multiple response modes - send console message, logs, e-mail inform, real-time cut off the connection, flexible logs.
Stable performance.
Sax2 works in 7/24/365 with stable performance.
Real-time monitor analyze and alarm.
Besides real-time monitor network communication, Sax2 also offers analyze and alarm in real time to protect your network security.
Huge data storage.
Sax2 supports many database, such as SQL Server, Access and so on, which let user to store the huge data flexibly.
Plenty reports
With the plenty reports, administrator will easily to monitor attacks and evaluate network security with Sax2.
Customize Security Policy
According to your own network, IT professional may customize the security policy to improve the accuracy of intrusion detection.
Network Based
Sax2 intrusion detection system is a network-based IDS. It collects, filters, and analyzes traffic that passes through a specific network location. A single Sax2 monitor, strategically placed at a key network junction, can be used to monitor all incoming and outgoing traffic for the entire site. Sax2 does not use or require installation of client software on each individual, networked computer.
Other Features
Name Table
The name table allows you to make or edit alias for addresses, ports and protocols, you may also specify the text color for a selected item. This useful feature can make packet-related information familiar and intelligible.
support multi-adapters..
If you have more than one adapters installed on the local machine, Sax2 intrusion detection system can capture the traffic on all the adapters.
In-depth Packet Decoding
Provides detail packet decoding information.
Conversation & Packet Stream.
Monitor all conversations and reconstruct packet stream.
Logs of Events
Records the actions and sensitive events in whole network, including the WEB browse, Email transmission, FTP transfers and instant message - MSN to help network administrators identify potential threats.
Who Needs Intrusion Detection Systems (IDS) - Sax2?
Want to monitor and prevent hacker attacks, Protect network & business from internal threats!
Wanted to log the websites that your users were visiting.
Needed to monitor corporate communications, both in email messages and on instant messaging platforms.
Wanted a network monitoring solution that did not require client installation at individual workstations.
Subscribe to:
Posts (Atom)