BLUG meeting Thursday June 5th
06/05/2008 at 12:00 AM
Thursday June 5th will be our regular
BLUG meeting at BTC, in room D5, from 7pm til 9pm.
Mark Ashworth has volunteered to present on:
Title: Exporting data as Open Office spreadsheets using Java and Python.
“Design a template doc in Open Office and save it as odt (word processor) or ods (spreadsheet). The result is a zip file that contains content.xml along with a bunch of formatting files, definitions, images etc. You can create new documents on the fly by extracting the contents of the zip file, modifying just content.xml and writing it all back to a new file or output stream.
I’ll show examples in both Java and Python that query a database and insert content to create a new OO spreadsheet or document and compare some of the code side by side. The Java example delivers from a web server and the Python example is a command line utility but the methods are very similar once you get past the difference in language syntax.
One of my motivations for this was to learn some Python so be prepared to look at some code.”
We’ll also have our regular Q&A and Linux in the news time.
BLUG Mtg post LFNW install fest
05/01/2008 at 12:00 AM
Install fest for people who were introduced to Linux at LFNW 2008 and want to put it on their machines. Pass out completed surveys in batches to volunteers for data entry.
2nd to last DotOrg meeting before LinuxFest!
04/17/2008 at 12:00 AM
Very important meeting of BLUG’s DotOrg Committee Thursday, April 17th, at our regular location, from 7 til 9pm. This is the 2nd to last meeting before LinuxFest Northwest! Watch the blug-list for other details.
BLUG Meeting Thursday Apr 3
04/03/2008 at 12:00 AM
The regular meeting of BLUG will be held Thursday Apr 3, from 7pm til 9pm, at BTC in room D5. For directions: http://www.btc.ctc.edu/welcome/CampusDirectory.html
We’ll have our regular Q&A discussion, so bring your questions as none go unanswered.
Adrian Klaver will present on DABO. See: http://dabodev.com/
We will also have some discussion about LFNW-08, which is happening the 26th and 27th of this month.
Blug mtg Feb 7 – OLPC/XO laptop
02/06/2008 at 12:00 AM
OLPC/XO laptop demo. Iain brought his XO laptop to the last org meeting and was asked to do a BTC presentation so other people could see it too. He is currently working with laptop.org in some capacity. Find out more at the meeting. 7PM in room D5.
BLUG Meeting Dec 6th
12/06/2007 at 12:00 AM
Thursday Dec 6th, 7-9pm, in room D5 at BTC
will be the next regular monthly meeting of BLUG.
Wesley Taylor will facilitate this month’s meeting.
Bring your most useful system administration commands and your
questions about using them to the next BLUG meeting.
We will review the “ten most useful” sysadmin commands and
also look at some GUI’s for some sysadmin commands
Much of the time is still open so if you have something you
want to discuss, or ask, or show off, we’ll do that too.
BLUG mtg Thursday, Nov 1
11/01/2007 at 12:00 AM
This coming Thursday, on Nov 1st, from 7pm til 9pm,
at BTC, in room D5, will be our regular meeting of BLUG.
This month we’ll have two presentations =8’0
as well as our regular agenda of Q&A, Linux news, etc.
See the presentation descriptions below:
1) The IS team at Northwest Indian College
(our own Bob Potter and Carl Symons) will present on:
Meraki and wireless mesh networking
Meraki got its start in 2003 providing Internet access around MIT as
an experimental network called “Roofnet”. Currently, Meraki wireless
equipment and the associated open source software are used in more
than 25 countries around the world. Meraki has top venture funding;
its use has spread largely by word of mouth into dense urban areas, as
well as villages in India and Africa. Meraki’s mission is to bring
affordable Internet access to the next billion people.
The IS team at Northwest Indian College has installed a small Meraki
network. Their presentation will feature tiny equipment, slick
web-based management interface and big plans.
2) John Blanford will present on:
Countering SSH Brute Force Attacks with DenyHosts
SSH brute force break in attempts are the digital equivalent of trying
to break into houses by trying every door knob until finding one that is
unlocked. They try various user and password combinations looking for
easy to guess passwords.
John will talk about this annoying type of attack, show an attack script
harvested from a cracked system, and discuss one way of countering this
type of attack, a log monitoring script called DenyHosts.
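As an added illustration of what a DenyHosts-style log monitor does (this is example code written for these notes, not DenyHosts itself): it scans sshd log lines, tallies failed logins per source address, and emits the /etc/hosts.deny entries that would block repeat offenders. The log lines are constructed, the allowed-hosts list is an assumption, and the threshold names are modelled on denyhosts.cfg but the values are chosen for the sample.

```python
"""DenyHosts-style SSH brute-force detector (added example; not DenyHosts' code).

Scans sshd log lines, tallies failed logins per source address, and builds
the /etc/hosts.deny entries that would block repeat offenders.  The log
lines, thresholds and allowed-host list below are constructed for the
example; the threshold names follow denyhosts.cfg but the values are assumed.
"""
import re
from collections import defaultdict

# Constructed sample of /var/log/auth.log (addresses from documentation ranges).
SAMPLE_LOG = """\
Oct 30 03:12:01 gw sshd[4121]: Failed password for invalid user admin from 198.51.100.23 port 51122 ssh2
Oct 30 03:12:04 gw sshd[4123]: Failed password for invalid user test from 198.51.100.23 port 51130 ssh2
Oct 30 03:12:07 gw sshd[4125]: Failed password for root from 198.51.100.23 port 51140 ssh2
Oct 30 03:12:09 gw sshd[4127]: Failed password for root from 198.51.100.23 port 51151 ssh2
Oct 30 03:12:12 gw sshd[4129]: Failed password for root from 198.51.100.23 port 51160 ssh2
Oct 30 08:45:10 gw sshd[4311]: Failed password for bob from 192.168.1.50 port 40012 ssh2
Oct 30 08:45:20 gw sshd[4313]: Accepted publickey for bob from 192.168.1.50 port 40013 ssh2
Oct 30 09:00:00 gw sshd[4400]: Invalid user oracle from 203.0.113.7
Oct 30 09:00:01 gw sshd[4400]: Failed password for invalid user oracle from 203.0.113.7 port 33001 ssh2
"""

# One failed-password line.  "invalid user" means the account does not exist.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Thresholds (assumed values).  Guesses against non-existent accounts and
# against root are treated as hostile sooner than a real user mistyping.
DENY_THRESHOLD_INVALID = 2
DENY_THRESHOLD_ROOT = 1
DENY_THRESHOLD_VALID = 5
ALLOWED_HOSTS = {"192.168.1.50"}   # the admin workstation is never blocked (assumption)


def count_failures(lines):
    """Return {ip: {"invalid": n, "root": n, "valid": n}} from sshd log lines."""
    counts = defaultdict(lambda: {"invalid": 0, "root": 0, "valid": 0})
    for line in lines:
        m = FAILED_RE.search(line)
        if not m:
            continue  # accepted logins, disconnects etc. are not failures
        if m.group("invalid"):
            kind = "invalid"
        elif m.group("user") == "root":
            kind = "root"
        else:
            kind = "valid"
        counts[m.group("ip")][kind] += 1
    return dict(counts)


def offenders(counts):
    """Addresses over any threshold, minus the allow list, sorted for stable output."""
    hits = []
    for ip, c in counts.items():
        if ip in ALLOWED_HOSTS:
            continue
        if (c["invalid"] >= DENY_THRESHOLD_INVALID
                or c["root"] >= DENY_THRESHOLD_ROOT
                or c["valid"] >= DENY_THRESHOLD_VALID):
            hits.append(ip)
    return sorted(hits)


def hosts_deny_lines(ips, service="sshd"):
    """TCP-wrappers entries in the form DenyHosts appends to /etc/hosts.deny."""
    return ["%s: %s" % (service, ip) for ip in ips]


if __name__ == "__main__":
    tally = count_failures(SAMPLE_LOG.splitlines())
    for ip, c in sorted(tally.items()):
        print(ip, c)
    for entry in hosts_deny_lines(offenders(tally)):
        print(entry)
```

Two caveats a practitioner would want: the real DenyHosts keeps a cursor into the log so it does not recount old lines after rotation, and a hosts.deny entry only helps when sshd was built with TCP wrappers (libwrap); on a box without it, the same offender list can feed an iptables DROP rule instead.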
BLUG mtg MythTV Presentation
10/04/2007 at 12:00 AM
Remember this Thursday, Oct 4th, from 7pm til 9pm,
in room D5, will be the regular meeting of BLUG.
We will have a presentation on MythTV by Henri,
as well as our general Q&A, Linux news and latest
LinuxFest Northwest info.
Snort presentation notes
09/08/2007 at 12:00 AM
Here are the notes from our 9/6/07 BLUG meeting
presentation submitted by Jeremiah Gray
for posting to the BLUG list.
IDS & IPS with Snort
Intrusion detection and intrusion prevention have been popular topics in
computer security, and many of those conversations involve Snort at
some point or another. Snort is a highly configurable intrusion detection
system that can work as either a host-based or network-based IDS or IPS.
The key difference between an IDS and an IPS is that an IDS generates
detailed logs and alerts based on rules describing attack signatures, but it
does not take action against the attacker. An IPS, on the other hand, sits in
the traffic path (or drives the firewall) and can block traffic that has been
identified as malicious. Snort is a popular open source application that is
used by over 100,000 businesses worldwide and has portions of its code
embedded into no less than 45 commercially available appliances.
An IDS monitors network traffic and will generally work in one of two ways:
– Signature detection – where it inspects packets and compares them to a
list of known attack signatures. Because signature detection systems check
only against an existing list of signatures, new and novel attacks are more
likely to pass through the IDS undetected. This is called a false negative.
– Anomaly detection – where the software learns what is "normal" on your
network and alerts you to abnormal traffic. Anomaly detection will more
often produce false positives, which is to say you will be alerted about
normal activity.
Snort uses signature detection, with rule sets available from various locations:
http://snort.org/pub-bin/downloads.cgi – ($, sub, unsub)
* Oinkmaster (a Perl script) is recommended for managing rule updates
An IDS will generally be deployed in one of two fashions:
– Host-based IDS
– Monitors incoming packets and compares against rules to determine
– Examines system logs for unusual entries such as repeated login
attempts (with statefulness, i.e. tracking attempts over time)
– Verifies filesystem integrity
– Network-based IDS
– Monitors all subnet traffic, requiring the NIC to be in promiscuous
mode (achieved with libpcap)
– Generates real-time alerts for attacks
– Writes log files to help with the subsequent investigation
– Expects CIDR notation (i.e. the class C network 192.168.1.0 with netmask
255.255.255.0 becomes 192.168.1.0/24)
Path of a packet through Snort:
1. libpcap hands the raw data link frame from the NIC to Snort
2. The packet decoder decodes the data link, then network, then transport layers
3. Preprocessor plugins operate on the decoded packet before the detection
engine sees it and can divert packets away from it – statefulness comes from these
– Preprocessors include:
– Stream4 – TCP stream reassembly & stateful analysis; combats the "stick" and
"snot" tools, which flood an IDS with packets crafted to match its own rules
– frag2 – IP fragment reassembly, so attacks split across fragments can still be matched
– (SnortSam is often listed here but is an output plugin, not a preprocessor:
it pushes blocks for offending IP addresses out to a firewall)
4. The detection engine does the main work: it matches the decoded packet
against the loaded rules and decides which action (alert, log, drop, etc.) applies
– Snort has the following output modules:
– alert_syslog – writes alerts to syslog (typically ending up in /var/log/messages)
– alert_fast – writes single-line alerts to a designated file
– alert_full – writes full packet headers with each alert; slow and not
recommended for production use
– log_tcpdump – writes packets to a binary pcap file, readable with tcpdump
or any other pcap tool
– database – logs alerts to a user-configured database
– Snort's detection engine supports the following rule actions (for ip, icmp,
tcp, and udp rules):
– alert – generates an alert and logs the packet
– log – logs the packet
– activate – alerts and then turns on a dynamic rule
– dynamic – like a log rule, but only while activated by an activate rule
– Snort rule options fall into four groups:
– meta-data – provide info about the rule but don't affect detection
– payload – look for data in the packet payload
– non-payload – look for data outside the payload (header fields, flow state)
– post-detection – rule-specific triggers that happen after the rule matches
– A Snort rule might look like this:
– drop tcp $EXTERNAL_NET 27374 -> $HOME_NET any (msg:"BACKDOOR subseven 22"; flow:to_server,established; content:"|0D 0A|[RPL]002|0D 0A|"; classtype:misc-activity; sid:103; rev:7;)
– Reading left to right: action, protocol, source address and port, direction,
destination address and port, then the options in parentheses. $HOME_NET and
$EXTERNAL_NET are variables set in snort.conf, and |0D 0A| is hex for CR LF.
* Note, do not run Snort as root. Snort can open the interface as root and then
drop privileges with the -u and -g options (e.g. -u snort -g snort).
** You will need to run Snort as root if you run in IPS mode (inline) and
therefore should probably have a dedicated Snort box – a dedicated Snort
sensor generally runs ~130 processes total.
Front ends for browsing alerts: Sguil, ACID
Snort Inline as Intrusion Prevention System
Snort can also read packets from libipq instead of libpcap: iptables queues
packets to Snort, which issues a per-packet verdict, so malicious packets can
be dropped rather than merely logged.
Snort Inline used to be a separate app, but is now included as part of
Snort. Obviously you have to be careful not to lock yourself out, and
moreover, to patch all of your code, because however handy Snort is, once
you're exploited it's working against you. As such, using an output plugin
like SnortSam and whitelisting a specific IP you can always reach might not
be a bad idea.
– Need iptables built with make install-devel, which installs libipq and
allows packets to be QUEUEd to userspace
– Need libnet from packetfactory.net
Inline rules are slightly different – as such, rules will need to change:
– drop – iptables drops the packet; normal Snort log entry
– reject – iptables drops the packet and logs it; a TCP reset is sent for TCP,
an ICMP port unreachable for UDP
– sdrop – iptables drops the packet; no log entry
Snort Inline allows for replacing packet payload (the replace option), but the
replacement must be the same length as the content it replaces.
Preprocessor options are slightly different. For example, the Stream4 option
"inline_state" drops TCP packets not associated with existing TCP sessions
outright. Also, because we're dealing with iptables for input, we lose
layer 2 data and are left with the network layer and up.
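To make the rule format shown earlier and the inline actions concrete, here is a small rule evaluator written for these notes (example code, not part of Snort). It parses the SubSeven rule (sid 103), decodes the |0D 0A| hex escapes, checks a constructed packet against $HOME_NET/$EXTERNAL_NET values that are assumed here, and returns what alert, drop, reject and sdrop each do to that packet, including the same-length constraint on replace. Real Snort also tracks flow state and reassembles streams; the flow option is parsed but not enforced here.

```python
"""Toy evaluator for Snort-style rules (added example; not Snort's own code).

Parses the subset of rule syntax used in the SubSeven rule from the notes
(action, protocol, addresses and ports, msg/content/replace/sid options),
resolves $HOME_NET/$EXTERNAL_NET from a constructed table, matches a
constructed packet, and reports what each action (alert/log vs. the inline
drop/reject/sdrop) does with it.  Flow state is parsed but not tracked.
"""
import ipaddress
import re

# Stand-ins for variables normally set in snort.conf (constructed values).
VARS = {"$HOME_NET": "192.168.1.0/24", "$EXTERNAL_NET": "!192.168.1.0/24"}

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)$"
)
OPT_RE = re.compile(r'\s*(\w+)(?:\s*:\s*("[^"]*"|[^;]*))?;')
HEX_RE = re.compile(r"\|([0-9A-Fa-f ]+)\|")


def decode_content(text):
    """'|0D 0A|[RPL]002|0D 0A|' -> bytes: |..| runs are hex, the rest literal."""
    out, pos = bytearray(), 0
    for m in HEX_RE.finditer(text):
        out += text[pos:m.start()].encode("latin-1") + bytes.fromhex(m.group(1))
        pos = m.end()
    out += text[pos:].encode("latin-1")
    return bytes(out)


def parse_rule(line):
    """Split a rule into its header fields and options."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("unparseable rule: %r" % line)
    rule = m.groupdict()
    rule["contents"], rule["replace"] = [], None
    for key, val in OPT_RE.findall(m.group("opts")):
        val = val.strip('"')
        if key == "content":
            rule["contents"].append(decode_content(val))
        elif key == "replace":
            rule["replace"] = decode_content(val)
        else:
            rule[key] = val          # msg, flow, classtype, sid, rev, ...
    # Inline 'replace' must be exactly as long as the content it overwrites;
    # Snort refuses the rule at load time otherwise, and so do we.
    if rule["replace"] is not None and len(rule["replace"]) != len(rule["contents"][-1]):
        raise ValueError("replace must be the same length as the preceding content")
    return rule


def addr_matches(spec, ip):
    """'any', a CIDR, or a negated CIDR ('!10.0.0.0/8'), after variable expansion."""
    spec = VARS.get(spec, spec)
    if spec == "any":
        return True
    negated = spec.startswith("!")
    in_net = ipaddress.ip_address(ip) in ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return in_net != negated


def port_matches(spec, port):
    return spec == "any" or int(spec) == port


def header_matches(rule, pkt):
    return (rule["proto"] in ("ip", pkt["proto"])
            and addr_matches(rule["src"], pkt["src"]) and port_matches(rule["sport"], pkt["sport"])
            and addr_matches(rule["dst"], pkt["dst"]) and port_matches(rule["dport"], pkt["dport"]))


def evaluate(rule, pkt):
    """Return (verdict, logged, reset, payload): verdict is 'pass' or 'drop', logged
    says whether an alert/log entry is written, reset names what reject sends back
    to the peer, payload is the data after any replace has been applied."""
    payload = pkt["payload"]
    if not header_matches(rule, pkt) or not all(c in payload for c in rule["contents"]):
        return ("pass", False, None, payload)
    if rule["replace"] is not None:
        payload = payload.replace(rule["contents"][-1], rule["replace"], 1)
    action = rule["action"]
    if action in ("alert", "log"):   # IDS: record it, never block
        return ("pass", True, None, payload)
    if action == "drop":             # inline: block and log
        return ("drop", True, None, payload)
    if action == "reject":           # inline: block, log, and tell the peer
        return ("drop", True, "tcp-rst" if pkt["proto"] == "tcp" else "icmp-port-unreachable", payload)
    if action == "sdrop":            # inline: silent block, no log entry
        return ("drop", False, None, payload)
    raise ValueError("unknown action %r" % action)


# The rule from the notes, and a constructed packet that matches it.
SUBSEVEN_RULE = ('drop tcp $EXTERNAL_NET 27374 -> $HOME_NET any (msg:"BACKDOOR subseven 22"; '
                 'flow:to_server,established;content:"|0D 0A|[RPL]002|0D 0A|"; '
                 'classtype:misc-activity; sid:103; rev:7;)')
PACKET = {"proto": "tcp", "src": "203.0.113.9", "sport": 27374,
          "dst": "192.168.1.20", "dport": 40123,
          "payload": b"\r\n[RPL]002\r\nconnected\r\n"}

if __name__ == "__main__":
    for action in ("alert", "drop", "reject", "sdrop"):
        rule = parse_rule(SUBSEVEN_RULE.replace("drop", action, 1))
        print(action, evaluate(rule, PACKET)[:3])
```

Change the action on the first word of the rule to see how the verdicts differ: alert never blocks anything, which is exactly why an IDS alone does not stop an attack already in progress, while sdrop blocks without leaving the log entry you would later need to investigate.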
Snort is a useful part of a security strategy, but it does not protect against
exploitable bugs in your other apps and, being signature-based, it does not detect
anomalies. For information on exploits and patching them, check out:
Regular BLUG mtg with Scribus
07/05/2007 at 12:00 AM
This Thurs, July 5th, from 7pm til 9pm,
in D bldg (usually room D-5), at BTC, will be the
regular monthly meeting of BLUG.
Carl Symons will be presenting Scribus:
“There’s more to open source Desktop Publishing than meets the eye.
Professional quality printed materials, eye-catching graphics. High-end page
layout capability on a par with Adobe and Quark.”
His presentation will include:
a Demo, Free samples, Color management, Gamma correction, and Scripting.
We’ll also have our usual Q&A and Linux news sessions, as well
as our open discussion.
See you there,