BLUG Meeting Dec 6th
Thursday Dec 6th, 7-9pm, in room D5 at BTC
will be the next regular monthly meeting of BLUG.
Wesley Taylor will facilitate this month’s meeting.
Bring your most useful system administration commands and your
questions about using them to the next BLUG meeting.
We will review the “ten most useful” sysadmin commands and
also look at some GUIs for some sysadmin commands.
Much of the time is still open so if you have something you
want to discuss, or ask, or show off, we’ll do that too.
BLUG mtg Thursday, Nov 1
This coming Thursday, on Nov 1st, from 7pm til 9pm,
at BTC, in room D5, will be our regular meeting of BLUG.
This month we’ll have two presentations =8’0
As well as our regular agenda of Q&A, Linux news, etc.
See the presentation descriptions below:
1) The IS team at Northwest Indian College
(our own Bob Potter and Carl Symons) will present on:
Meraki and wireless mesh networking
Meraki got its start in 2003 providing Internet access around MIT as
an experimental network called “Roofnet”. Currently, Meraki wireless
equipment and the associated open source software are used in more
than 25 countries around the world. Meraki has top venture funding;
its use has spread largely by word of mouth into dense urban areas, as
well as villages in India and Africa. Meraki’s mission is to bring
affordable Internet access to the next billion people.
The IS team at Northwest Indian College has installed a small Meraki
network. Their presentation will feature tiny equipment, a slick
web-based management interface and big plans.
2) John Blanford will present on:
Countering SSH Brute Force Attacks with DenyHosts
SSH brute force break-in attempts are the digital equivalent of trying
to break into houses by trying every door knob until finding one that is
unlocked. They try various user and password combinations looking for
easy-to-guess passwords.
John will talk about this annoying type of attack, show an attack script
harvested from a cracked system, and discuss one way of countering this
type of attack, a log monitoring script called DenyHosts.
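As an added illustration of what a DenyHosts-style log monitor does (this is example code, not DenyHosts itself or anything from the talk): it reads sshd log lines, counts failed password attempts per source address, and emits /etc/hosts.deny entries for addresses over a threshold. The log excerpt is constructed, and the threshold and allow-list parameters are my own choices.

```python
import re
from collections import Counter

# Constructed sshd log excerpt (not from any real system); the source
# addresses are from the RFC 5737 documentation ranges.
SAMPLE_AUTH_LOG = """\
Nov  1 19:02:11 host sshd[4121]: Failed password for invalid user admin from 203.0.113.5 port 51422 ssh2
Nov  1 19:02:13 host sshd[4121]: Failed password for invalid user oracle from 203.0.113.5 port 51430 ssh2
Nov  1 19:02:15 host sshd[4123]: Failed password for root from 203.0.113.5 port 51441 ssh2
Nov  1 19:02:16 host sshd[4125]: Invalid user test from 203.0.113.5
Nov  1 19:02:18 host sshd[4125]: Failed password for invalid user test from 203.0.113.5 port 51450 ssh2
Nov  1 19:05:40 host sshd[4201]: Failed password for bob from 198.51.100.23 port 40022 ssh2
Nov  1 19:05:52 host sshd[4203]: Accepted publickey for bob from 198.51.100.23 port 40023 ssh2
Nov  1 19:07:01 host sshd[4250]: Failed password for invalid user guest from 192.0.2.77 port 33012 ssh2
Nov  1 19:07:02 host sshd[4250]: Failed password for invalid user guest from 192.0.2.77 port 33013 ssh2
Nov  1 19:07:03 host sshd[4250]: Failed password for invalid user guest from 192.0.2.77 port 33014 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ...".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def count_failures(log_text):
    """Return a Counter of failed-password attempts per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts

def hosts_to_deny(log_text, threshold=3, allow=frozenset()):
    """Addresses at/above the failure threshold, excluding the allow list."""
    # allow: addresses never to block (e.g. the admin's own), so a mistyped
    # password can't lock you out. The threshold is an arbitrary demo value.
    counts = count_failures(log_text)
    return sorted(ip for ip, n in counts.items()
                  if n >= threshold and ip not in allow)

def hosts_deny_lines(ips):
    """Format addresses as /etc/hosts.deny entries restricting sshd."""
    return [f"sshd: {ip}" for ip in ips]

if __name__ == "__main__":
    for entry in hosts_deny_lines(hosts_to_deny(SAMPLE_AUTH_LOG)):
        print(entry)
```

Note that the single "Invalid user" line without a following "Failed password" is deliberately not counted, and the successful publickey login from 198.51.100.23 never contributes to that address's score.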
BLUG mtg MythTV Presentation
Remember this Thursday, Oct 4th, from 7pm til 9pm,
in room D5, will be the regular meeting of BLUG.
We will have a presentation on MythTV by Henri,
as well as our general Q&A, Linux news and latest
LinuxFest Northwest info.
Snort presentation notes
Here are the notes from our 9/6/07 BLUG meeting
presentation submitted by Jeremiah Gray
for posting to the BLUG list.
IDS & IPS with Snort
Intrusion detection and intrusion prevention have been popular topics of
computer security, and many of those conversations probably involve Snort at
some point or another. Snort is a highly configurable intrusion detection
system that can work as either a host-based or network-based IDS or IPS.
The key difference between an IPS and an IDS is that an IDS generates
sophisticated logs based on rules regarding attack signatures, but it does
not take action against the attackers. An IPS, on the other hand, can be
used to rewrite firewall rules on the fly to keep out traffic that has been
detected as malicious. Snort is a popular open source application that is
used by over 100,000 businesses worldwide and has portions of its code
embedded into no less than 45 commercially-available appliances.
An IDS monitors network traffic and will generally work in one of two ways:
– Signature detection – where it inspects packets and compares them to a
list of known attack signatures. Because Signature detection systems check
against an existing list of attack signatures, it is more likely that new
and innovative attacks can pass through the IDS undetected. This is called
a false negative.
– Anomaly detection – where the software learns what is “normal” on your
network and alerts you to abnormal traffic. Anomaly detection will more
often result in producing false positives, which is to say you will be
alerted about normal activity.
Snort uses Signature detection, with rules available in various locations:
http://snort.org/pub-bin/downloads.cgi – ($, sub, unsub)
* Oinkmaster (perl script) recommended for rules management
An IDS will generally be deployed in one of two fashions:
– Host-based IDS
– Monitors incoming packets and compares against rules to determine
– Examine system logs for unusual entries such as repeated login
attempts (with statefulness)
– Verifies filesystem integrity
– Network-based IDS
– Monitors all subnet traffic, requiring the NIC to be in promiscuous
mode (achieved with libpcap)
– Generates real-time alerts for attacks
– Writes log files to help with the subsequent exploitation
– Expects CIDR notation (i.e., the class C network 192.168.1.0 with netmask
255.255.255.0 becomes 192.168.1.0/24)
Path of a Packet in IDS System:
1. PCAP sends unprocessed data link frame from NIC to Snort
2. Packet Decoder decodes data link, then network, then transport layers
3. Preprocessor plugins operate on network (IP) layer and initially divert
packets away from detection engine – statefulness comes from these
– Preprocessors include:
– Stream4 – TCP stream reassembly & stateful analysis, combats
“stick” and “snot” attack tools
– frag2 – Similar to Stream4 but for protecting against fragmented
– SnortSam – plugin that allows sophisticated targeting based on IP
4. Detection engine performs the main task which is to determine what gets
marked as what and why
– Snort has the following output modules:
– alert_syslog – writes alert out to /var/log/messages
– alert_fast – writes single lines to a designated file
– alert_full – slow and not recommended for production use
– log_tcpdump – writes to binary file, accessible like other tcpdump
– database – logs file to user-configured database
– Snort’s Detection Engine has the following rule actions, which apply to icmp,
ip, tcp, and udp:
– alert – generates an alert and logs the packet
– log – logs the packet
– activate – alert and then turn on a dynamic rule
– dynamic – like a log rule but only when activated by activate rule
– Snort Rules have the following Options:
– meta-data – provide info about rule but don’t affect detection
– payload – look for data in packet payload
– non-payload – look for non-payload data
– post-detection – rule-specific triggers that happen after rule
– A Snort rule might look like this:
– drop tcp $EXTERNAL_NET 27374 -> $HOME_NET any (msg:"BACKDOOR
subseven 22"; flow:to_server,established; content:"|0D 0A|[RPL]002|0D 0A|";
classtype:misc-activity; sid:103; rev:7;)
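To make the rule format concrete, here is an added Python example (not from the notes or from the Snort project) that parses the rule above into its header fields and options, decodes the |0D 0A| hex notation inside content: to bytes, and checks a constructed payload against it. It accepts the four standard actions plus the inline-only drop/reject/sdrop actions; the function names are my own.

```python
# Rule actions named in the notes; the last three exist only in inline (IPS) mode.
ACTIONS = {"alert", "log", "activate", "dynamic"}
INLINE_ACTIONS = {"drop", "reject", "sdrop"}
EXAMPLE_RULE = (  # the rule from the notes, with ASCII quotes restored
    'drop tcp $EXTERNAL_NET 27374 -> $HOME_NET any (msg:"BACKDOOR subseven 22"; '
    'flow:to_server,established; content:"|0D 0A|[RPL]002|0D 0A|"; '
    'classtype:misc-activity; sid:103; rev:7;)'
)

def split_options(body):
    """Split 'key:value; key:value;' into pairs, honouring quoted values."""
    opts, buf, quoted = [], "", False
    for ch in body + ";":  # the extra ';' flushes the last option
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            key, _, val = buf.strip().partition(":")
            if key:
                opts.append((key, val.strip().strip('"')))
            buf = ""
        else:
            buf += ch
    return opts

def parse_rule(text):
    """Parse header + options into a dict, rejecting malformed headers."""
    head, _, body = text.strip().partition("(")
    fields = head.split()
    if len(fields) != 7:
        raise ValueError("header needs: action proto src sport dir dst dport")
    action, proto, src, sport, direction, dst, dport = fields
    if action not in ACTIONS | INLINE_ACTIONS:
        raise ValueError(f"unknown rule action {action!r}")
    if proto not in {"ip", "tcp", "udp", "icmp"} or direction not in {"->", "<>"}:
        raise ValueError("bad protocol or direction")
    return {"action": action, "inline_only": action in INLINE_ACTIONS,
            "proto": proto, "src": src, "sport": sport, "direction": direction,
            "dst": dst, "dport": dport,
            "options": split_options(body.rstrip().rstrip(")"))}

def decode_content(spec):
    """Snort content syntax: text is literal, |0D 0A| sections are hex bytes."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)

def payload_matches(rule, payload):
    """True when every content: option of the rule occurs in the payload."""
    needles = [decode_content(v) for k, v in rule["options"] if k == "content"]
    return bool(needles) and all(n in payload for n in needles)
```

The header and option checks here cover syntax only; the real detection engine also evaluates flow:, the address variables and the other option types.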
* Note, do not run Snort as root.
** You will need to run Snort as root if you run IPS mode (inline) and
therefore should probably have a dedicated snort box – a dedicated Snort
sensor generally runs ~130 processes total.
Visual presentation apps: Sguil, ACID
Snort Inline as Intrusion Prevention System
Snort can also be used in conjunction with libipq instead of libpcap in
order to rewrite iptables rules as needed to divert malicious packets.
Snort Inline used to be a separate app, but is now included as part of
snort. Obviously you have to be careful to not lock yourself out, and
moreover, to patch all of your code because however handy Snort is, once
you’re exploited, it’s working against you. As such, using a preprocessor
like SnortSAM and whitelisting a specific IP you can always reach might not
be a bad idea.
– Need iptables with install-devel which loads libipq and allows QUEUEing in
– Need LibNet from packetfactory.net
Inline Rules slightly different – as such rules will need to change:
– drop – iptables drops packet, normal snort log
– reject – iptables drops packet, TCP reset sent and if that fails, UDP
– sdrop – iptables drops, no log entry
Snort Inline allows for replacing packet payload but the content must of the
Preprocessor options are slightly different. For example, the Stream4 option
“inline_state” drops TCP packets not associated with existing TCP sessions
outright. Also, because we’re dealing with iptables for input, we lose
layer 2 data and are left with network and up.
Snort is a useful part of a security strategy; it does not protect against
exploits in your other apps and it does not detect anomalies. For
information on exploits and patching them, check out:
Regular BLUG mtg with Scribus
This Thurs, July 5th, from 7pm til 9pm,
in D bldg (usually room D-5), at BTC, will be the
regular monthly meeting of BLUG.
Carl Symons will be presenting Scribus:
“There’s more to open source Desktop Publishing than meets the eye.
Professional quality printed materials, eye-catching graphics. High-end page
layout capability on a par with Adobe and Quark.”
His presentation will include:
a Demo, Free samples, Color management, Gamma correction, and Scripting.
We’ll also have our usual Q&A and Linux news sessions, as well
as our open discussion.
See you there,
Tomorrow, Thurs June 7th, from 7pm til 9pm,
in D bldg (usually room D-5) at BTC, will be the
regular monthly meeting of BLUG.
Jim will be presenting on “system disaster recovery”.
An overview of DOS disk segmentation, and partition tables.
Issues having to do with the capture of information from a hard disk as
related to disaster recovery
How to backup and record information on optical media from the command line
A description of the SystemRescue rescue disk distribution and its
A demo of some scripts written in bash shell script for the purpose of
We’ll have our usual Q&A and Linux news sessions, as well
as open discussion.
See you there,
Dot Org Mtg at Marks Thursday 19th
This Thursday the 19th is the special meeting of Blug’s Fest Dot Org Committee.
A lot of last minute stuff has yet to be accomplished to pull this Fest off.
It’s this Thurs the 19th, 7pm till 9pm, at Mark’s house.
I’ll still have some of the large posters available.
If you’d like to attend and need directions contact Mark at xxxx
see you there,
bill at blug dot org
Jim Armstrong’s talk has been re-scheduled for another month.
Instead we will talk about plans for the Linuxfest coming up at the end of the month, and I will demo an open source hardware emulation system called QEMU http://fabrice.bellard.free.fr/qemu/index.html
QEMU is a virtual machine similar to VMware that can be used to run virtual computers on a Linux host system.
Linux Virtualization with OpenVZ
John Blandford will be presenting: Linux Virtualization with OpenVZ
OpenVZ is an Operating System level server virtualization system
recently released under the GPL by SWsoft.
An OS level virtualization scheme runs a single OS kernel. It provides
resource isolation and management to divide up the system into multiple
virtual servers. These virtual servers look to their users like full
physical servers, but are really just containers of normal processes and
files in the underlying OS. This lightweight approach lets these
systems run hundreds of virtual servers on common hardware.
John will talk a bit about virtualization, and then show OpenVZ in action.
For more information, take a look at:
Blug BTC Meeting – Slackware
Aaron Miller will demonstrate a new version of Slackware. John will marvel at how much it has changed since the old days.