[Full-disclosure] Sagan 0.1.8 release | SEIM tool

2011-03-17 Thread Champ Clark III [Softwink]

  ,-._,-.Sagan [http://sagan.softwink.com]
  \/)"(\/By Champ Clark III & The Softwink Team: http://www.softwink.com
   (_o_) Copyright (C) 2009-2011 Softwink, Inc., et al.
   /   \/)   
  (|| ||)
   oo-oo
 
Softwink, Inc. [https://www.softwink.com] is proud to release
 Sagan version 0.1.8 [http://sagan.softwink.com].
 
What is Sagan?
 
Sagan is multi-threaded, real-time system- and event-log monitoring software,
but with a twist. Sagan uses a "Snort" like rule set for detecting nefarious
events happening on your network and/or computer systems. If Sagan detects a
"bad thing" happening, it can do a number of things with that information. For
example, Sagan can store the information to a Snort MySQL database for viewing
with utilities like Snorby [http://www.snorby.org],  it can send e-mail(s)
about the event to the appropriate personnel,  it can store to a Prelude back
end, it can also spawn external utilities, as well as numerous other things.
 
Sagan can also correlate the events with your Intrusion Detection/Intrusion 
Prevention (IDS/IPS) system and basically acts like an SIEM (Security
Information & Log Management) system.
 
What's new in Sagan?
 
 * Unified2 output. [src/output-plugins/sagan-unified2.c]
 
This allows Sagan to work in conjunction with programs like Barnyard2
[http://www.securixlive.com/barnyard2/] or Snoge   
[http://leonward.wordpress.com/snoge/]. Via Barnyard, Sagan can also access
output formats such as:
 
   - MySQL, PostgreSQL, MS-SQL, Oracle (which can give you access to Sagan
     data alongside your IDS/IPS data using consoles like Snorby
     [http://www.snorby.org] or BASE)
   - The Prelude framework
   - Sguil
   - ...and many more
 
 * Liblognorm functionality
 
Liblognorm is a log normalization library that Sagan can use to extract
useful information from logged messages, including TCP/IP information,
user names, uid, etc. This library/project was started by Rainer Gerhards of
"Rsyslog" fame and is being designed from the Mitre CEE (Common Event
Expression) standard (not released/complete). For more information, please
see: http://www.liblognorm.com/news/introducing-liblognorm and
http://cee.mitre.org.
 
 * "PLOG" support [src/sagan-plog.c]
 
This is a syslog-based sniffer created from Marcus J. Ranum's "plog"
work. Sagan can spawn a thread that will "sniff" the wire for syslog traffic.
If traffic is seen, it is re-injected into /dev/log for Sagan to analyze
and/or archive. This is handy for environments resistant to changes.
 
 * Many,  many bug fixes.
 
Other Sagan features:
 
* Native threaded output support to Snort databases (MySQL/PostgreSQL) 
* Native threaded Prelude plug in
* Threaded libesmtp support (SMTP/e-mail triggered events) based on rule 
  criteria or general Sagan configuration
* Native threaded Logzilla support (MySQL/PostgreSQL)
* 'Snort' like rule set making Sagan compatible with rule management 
  utilities like oinkmaster and pulled pork
* Sagan can spawn external programs when events get triggered. This way,  you
  can write your own "plugin" in the language you choose (perl, C, python, ruby,
  etc).
 
  For more information, please see: http://sagan.softwink.com
 
  Thanks!
  Champ Clark III
 
-- 
Champ Clark III | Softwink, Inc | 800-538-9357 x 101
 http://www.softwink.com

GPG Key ID: 58A2A58F
Key fingerprint = 7734 2A1C 007D 581E BDF7  6AD5 0F1F 655F 58A2 A58F
If it wasn't for C, we'd be using BASI, PASAL and OBOL.


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] Building wireless IDS system (article) | Sagan with Prelude

2010-11-11 Thread Champ Clark III [Softwink]

Hello All, 

I've released a new article I've been working on for a bit. Its
title is "Building wireless IDS systems using open source". The idea
of this article is to use open source solutions (Snort, Kismet, Sagan, hostapd)
to build wireless IDS systems that report back to a unified/single console
for threat analysis. It has a bit of a different 'twist' from previous
wireless IDS articles. Let me know what you think about it.

It can be found at:

http://sagan.softwink.com/papers/wireless-ids

I've also released a new version of Sagan (0.1.7) that supports
the Prelude framework. I'm pretty excited about Sagan's Prelude output
format. This gives Sagan IDMEF output and can log to a Prelude back end for
viewing with Prelude's "Prewikka". Of course, all the standard Sagan
to Snort logging (MySQL/PostgreSQL) is still there :)

For more information on Sagan,  please check out:

http://sagan.softwink.com

Screen shots of Prelude,  Snorby and BASE can be found at:

http://sagan.softwink.com/screenshots.html


[Full-disclosure] Charter.net Security Contact.

2011-01-14 Thread Champ Clark III [Softwink]

Does anyone have a _good_ security contact @ Charter Cable
(ISP - charter.net). ab...@charter.net and phone calls have yielded
nothing but an endless loop of cluelessness.


Re: [Full-disclosure] encrypt the bash history

2011-02-08 Thread Champ Clark III [Softwink]

Bash supports sending the bash history to a remote syslog
server. This way, even if the commands are cleared, the history
is sent (in real time) to the remote, hopefully secured, syslog
system which can be used for analysis.


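A defender-side illustration of the point in the message above, added here and not part of the original post: parse bash HISTORY lines as they arrive on the remote syslog host and flag commands that clear or disable the local history, which the already-forwarded copy still records. The line layout (bash's SYSLOG_HISTORY message behind an rsyslog-style prefix), the tampering patterns and the sample lines are assumptions constructed for this example.

```python
import re

# Assumed line layout: rsyslog's traditional prefix followed by what bash logs when built with
# SYSLOG_HISTORY ("HISTORY: PID=<pid> UID=<uid> <command>"); verify against your own bash build.
HIST_RE = re.compile(r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) \S+ '
                     r'HISTORY: PID=(?P<pid>\d+) UID=(?P<uid>\d+) (?P<cmd>.*)$')

# Commands that disable or erase the *local* history; the remote copy still records them.
TAMPER_PATTERNS = [re.compile(p) for p in (
    r'\bhistory\s+-c\b',                             # clear the in-memory history
    r'\bunset\s+HISTFILE\b',                         # stop writing .bash_history at exit
    r'\bHIST(FILE)?SIZE=0\b',                        # zero-length history
    r'\bset\s+\+o\s+history\b',                      # turn history off for the session
    r'\brm\b.*\.bash_history',                       # delete the file
    r'\bln\s+-sf?\s+/dev/null\s+\S*\.bash_history',  # point the file at /dev/null
)]

def parse_history_line(line):
    """Return {'ts','host','pid','uid','cmd'} for a forwarded bash HISTORY line, else None."""
    m = HIST_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['pid'], rec['uid'] = int(rec['pid']), int(rec['uid'])
    return rec

def find_tampering(lines):
    """Return (host, uid, pid, cmd) for each forwarded command that looks like history tampering."""
    hits = []
    for line in lines:
        rec = parse_history_line(line)
        if rec and any(p.search(rec['cmd']) for p in TAMPER_PATTERNS):
            hits.append((rec['host'], rec['uid'], rec['pid'], rec['cmd']))
    return hits

SAMPLE_LOG = [  # constructed lines as they might appear on the remote syslog host
    "Feb  8 09:12:01 web1 bash: HISTORY: PID=4242 UID=1000 ls -la /var/log",
    "Feb  8 09:12:07 web1 bash: HISTORY: PID=4242 UID=1000 tail -n 50 /var/log/auth.log",
    "Feb  8 09:12:20 web1 bash: HISTORY: PID=4242 UID=1000 unset HISTFILE",
    "Feb  8 09:12:22 web1 bash: HISTORY: PID=4242 UID=1000 history -c",
    "Feb  8 09:13:40 web1 sshd[900]: Accepted publickey for alice from 10.0.0.7 port 51022 ssh2",
    "Feb  8 09:14:02 web1 bash: HISTORY: PID=5110 UID=1001 rm -f ~/.bash_history",
]

def run_sample():
    return find_tampering(SAMPLE_LOG)
```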

[Full-disclosure] [TOOL] The 'Snort like' Sagan way of deal with system logs.

2010-06-24 Thread Champ Clark III [Softwink]

Sagan release version 0.1.0
http://sagan.softwink.com
Written by Champ Clark (AKA 'Da Beave') and the Softwink, Inc team
Date: 06/24/2010

Softwink announces the release of Sagan, the ultimate in Syslog monitoring.

Sagan can alert you when events are occurring in your syslogs that need your
attention right away, in real time!
 
Sagan is a multi-threaded, real-time system- and event-log monitoring system,
but with a twist. Sagan uses a "Snort" like rule set for detecting "bad
things" happening on your network and/or computer systems. If Sagan detects
a "bad thing" happening, that event can be stored to a Snort database
(MySQL/PostgreSQL) and Sagan will correlate the event with your
Snort Intrusion Detection/Intrusion Prevention (IDS/IPS) system. Sagan
is meant to be used in a 'centralized' logging environment, but will
work fine as part of a standalone Host IDS system for workstations.

Sagan is fast:  Sagan is written in C and is a multi-threaded application. 
Sagan is threaded to prevent blocking Input/Output (I/O). For example, 
data processing doesn't stop when an SQL query is needed.  It is also meant
to be as efficient as possible in terms of memory and CPU usage. 

Sagan uses a "Snort" like rule set: If you're a user of "Snort" and
understand Snort rule sets, then you already understand Sagan rule sets.
Essentially, Sagan is compatible with Snort rule management utilities, like 
"oinkmaster" for example.

Sagan can log to Snort databases: Sagan will operate as a separate "sensor"
ID to a Snort database. This means that your IDS/IPS events from Snort will
remain separate from your Sagan (syslog/event log) events. Since Sagan can
utilize Snort databases, using Snort front-ends like BASE and Snorby will not
only work with your IDS/IPS events, but with your syslog events as well!

Sagan output formats:  You don't have to be a Snort user to use Sagan. Sagan
supports multiple output formats, such as a standard output file log format
(similar to Snort), e-mailing of alerts (via libesmtp), Logzilla support and
externally based programs that you can develop using the language you prefer
(Perl/Python/C/etc).

Sagan is actively developed: Softwink, Inc. actively develops and maintains
the Sagan source code and rule sets. Softwink, Inc. uses Sagan to monitor
security related log events on a 24/7 basis. 

Other Features: 

-   Sagan is meant to be easy to install. The traditional
    "./configure && make && make install" works for many installations,
    depending on the functionality needed and configuration.
-   Thresholding of alerts. Uses the same format as Snort in the
    Sagan rule set.
-   Attempts to pull TCP/IP addresses, port information, and protocol
    of the rule set that was triggered. This leads to better correlation.
-   Can be used to monitor just about any type of device or system
    (routers, firewalls, managed switches, IDS/IPS systems,
    Unix/Linux systems, Windows event logs, wireless access points,
    much more).
-   Works 'out of the box' with Snort front ends like BASE, Snorby,
    proprietary consoles, various Snort based reporting systems.
-   Sagan is 'open source' and released under the GNU/GPL version 2
    license.

For more information about Sagan,  please see: 

Sagan web site: http://sagan.softwink.com


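The Snort-style rule matching and thresholding described in this announcement (and in the rule-set notes of the 0.1.8 release above), as an added Python illustration rather than Sagan's own code: a minimal matcher that runs constructed syslog lines through two rules and applies a Snort-style "threshold: type limit, track by_src" so that a noisy source stops alerting after the configured count per window. The rule option syntax, the log line layout and the sample lines are simplified assumptions for this example, not Sagan's grammar.

```python
import re
from collections import defaultdict
# Constructed rules in a simplified Snort-style option syntax (msg, program, content, threshold,
# sid). This illustrates the approach; it is not Sagan's own rule grammar or parser.
RULES = [
    'alert syslog any any -> any any (msg:"SSH invalid user"; program:sshd; content:"Invalid user"; '
    'threshold:type limit, track by_src, count 2, seconds 60; sid:1;)',
    'alert syslog any any -> any any (msg:"sudo failure"; program:sudo; content:"incorrect password"; sid:2;)',
]
OPT_RE = re.compile(r'(\w+):\s*([^;]*);')  # one "name:value;" rule option
IP_RE = re.compile(r'\b(\d{1,3}(?:\.\d{1,3}){3})\b')
# Constructed log layout: "<Mon> <day> <hh:mm:ss> <host> <program>[pid]: <message>"
LINE_RE = re.compile(r'^\S+ \d+ \S+ \S+ (?P<prog>[\w-]+)(?:\[\d+\])?: (?P<msg>.*)$')
def parse_rule(text):
    opts = dict(OPT_RE.findall(text[text.index('(') + 1:text.rindex(')')]))
    th = re.search(r'count (\d+), seconds (\d+)', opts.get('threshold', ''))
    return {'msg': opts['msg'].strip('"'), 'content': opts['content'].strip('"'),
            'program': opts.get('program'), 'sid': int(opts['sid']),
            'threshold': (int(th[1]), int(th[2])) if th else None}  # (count, seconds)
def match_lines(rules, timed_lines):
    """Run (ts, line) pairs through the rules; return the (sid, src_ip) alerts that fire."""
    rules = [parse_rule(r) for r in rules]
    fired = defaultdict(list)  # (sid, src_ip) -> times at which an alert was emitted
    alerts = []
    for ts, line in timed_lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        for r in rules:
            if (r['program'] and r['program'] != m['prog']) or r['content'] not in m['msg']:
                continue
            src = (IP_RE.search(m['msg']) or [None])[0]  # best-effort source address
            if r['threshold']:  # "type limit": at most count alerts per window, per source
                count, seconds = r['threshold']
                recent = [t for t in fired[(r['sid'], src)] if ts - t < seconds]
                fired[(r['sid'], src)] = recent
                if len(recent) >= count:
                    continue
                recent.append(ts)
            alerts.append((r['sid'], src))
    return alerts
SAMPLE_LOG = [  # constructed syslog lines as (seconds since the first line, line)
    (0, "Jun 24 10:00:00 host sshd[111]: Invalid user admin from 10.0.0.5"),
    (5, "Jun 24 10:00:05 host sshd[112]: Invalid user root from 10.0.0.5"),
    (10, "Jun 24 10:00:10 host sshd[113]: Invalid user test from 10.0.0.5"),
    (12, "Jun 24 10:00:12 host sshd[114]: Invalid user test from 10.0.0.9"),
    (20, "Jun 24 10:00:20 host sudo[200]: bob : 1 incorrect password attempt ; TTY=pts/0"),
    (90, "Jun 24 10:01:30 host sshd[115]: Invalid user guest from 10.0.0.5")]
def run_sample():
    return match_lines(RULES, SAMPLE_LOG)
```

The third sshd line from 10.0.0.5 is suppressed by the threshold, the line from 10.0.0.9 still alerts because tracking is per source, and the 10.0.0.5 line at 90 seconds alerts again once the 60-second window has expired.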

Re: [Full-disclosure] Should nmap cause a DoS on cisco routers?

2010-07-02 Thread Champ Clark III [Softwink]
On Fri, Jul 02, 2010 at 09:45:20AM +, Florian Weimer wrote:
> > On Jul 1, 2010, at 11:12 PM, Florian Weimer wrote:
> >> And it's certainly a bug worth fixing. 
> >
> > I doubt it's a 'bug' which can be 'fixed', just the same as sending
> > enough legitimate HTTP requests to a Web server to bring it to its
> > knees isn't a 'bug' which can be 'fixed', but rather a DoS which
> > must be mitigated via a variety of mechanisms.
> 
> I was referring to single-packet (or single-request) crashers.
> Reputable vendors still ship devices that have those bugs in 2010.
> 
> Chances are that Shang Tsung's nmap run triggered one of those.  As I
> wrote, it happened before.  The nmap command line posted further
> upthread does not actually cause a high pps flood.  Such level of SNMP
> scanning is quite common in enterprise networks because some printer
> drivers use it to locate printers, so your network devices are better
> prepared to handle that.

One environment where I've noticed this is 'acceptable', in the
eyes of the network management, is VoIP installations. I've done
assessments in several large scale, production level VoIP installations
and in many cases, you'll run into the same potential DoS when using
tools like nmap. I've noticed that even if the organization has a
very capable security staff, in many cases, they don't get to touch
the VoIP network due to its 'magical' properties (IMHO). I won't
even go into the obvious lack of security practices (no IDS/IPS, very
out of date systems, etc) in such networks due to the 'magic' of these
networks.

It sometimes seems that no matter how lightly you try to
tread, you'll find these things. Be it due to the lack of security within
the network or an actual vendor problem.

I've seen this across the board.  Cisco,  Avaya (Nortel)
installations down to out-of-date Asterisk based installations.  

In one case, we found a potential DoS condition with a vendor's
product. Getting the vendor to look into it was no problem. Getting
the _client_ to work with the vendor on addressing the issue was a
complete pain! The response from the client was, 'just don't run
any scanners (nmap included) within the network'. Yes, put that
in the /etc/motd so that attackers know not to do that :)

Somehow,  I don't find that acceptable. 

Again, it's an environment that's 'magical' and not well
understood so once it's 'working', don't touch anything!

> And even if you applied control plane protection, you still need to
> monitor those devices from your management network.  The brittleness
> described in this thread makes this an extremely risky endeavor: one
> typo in your Perl script, and your network is gone, even if the
> monitoring station never had the credentials for enable access.
> Those bugs might not be security-relevant, but they can be very
> annoying nevertheless.

Couldn't agree with you more. _When_ and _if_ they apply
control plane protection. I don't know what the rest of the list's
experience is with VoIP networks, but in many cases they seem to
be stuck in the way-back-machine in regards to network security.
Not always, but a heck of a lot. Accidental 'DoS' conditions seem
to pop up a lot in these environments, IMHO.


Re: [Full-disclosure] Should nmap cause a DoS on cisco routers?

2010-07-02 Thread Champ Clark III [Softwink]
On Fri, Jul 02, 2010 at 01:31:07PM +0200, Christian Sciberras wrote:
> > I've noticed that even if the organization has a
> very capable security staff
> > Again,  it's an environment that's 'magical' and not well
> understood so once it's 'working',  don't touch anything!
> 
> If you call that "capable security staff" I'd expect you to call Windows a
> "unix-like" os...

Hah. I probably didn't make my point properly. They _have_
a capable security staff that was instructed by "upper management"
_not_ to touch the VoIP network. They _wanted_ to, but were
instructed to 'stay away!'. Sad state.

