Razorback is a framework for an intelligence driven security solution. It consists of a Dispatcher at the core of the system, surrounded by Nuggets of varying types.
-
I posted to delicious.com
Razorback
http://labs.snort.org/razorback/
July 28 2010, 12:38am | Comments »
-
I posted to delicious.com
Scapy
http://www.secdev.org/projects/scapy/
July 28 2010, 12:37am | Comments »
-
I posted to 10500bc.org
Nagios – Notify via Prowl
http://www.10500bc.org/archive/2010/01/07/nagios-notify-via-prowl/
If your not familiar with Prowl, then check it out. It allows your growl notifications to be sent to your iPhone via push. I use this in several different ways on my home computer to notifications when I’m out at about. You can also access the prowl service directly with its API, so no need to even have it go to growl first. I like using Prowl (in addition to Growl) with nagios. This allows me to get my notifications anywhere as long as I have my iphone. Just like with the growl notifications, the prowl notifications are just as easy to setup. It is very well documented here at the Reluctant Hacker.
- Tags:
- software
January 7 2010, 9:58pm | Comments »
-
I posted to 10500bc.org
Nagios – Notify via Growl
http://www.10500bc.org/archive/2010/01/06/nagios-notify-via-growl/
There are several different ways to get notified by nagios when there is a problem. The most common way is via email. This is usally just fine, except when the service that goes down is the mailserver. There are ways to mitigate this of course. One simple was is to get your notifications via growl. I really like this, it lets me know almost instantly when some is going on and I don’t have to worry about keeping my eyes on my email program while I’m busy on something else. The way I implemented it was from a great script and good write up on the Nagios-users mailing list, you can see it all right here: Notify via Growl
- Tags:
- software
January 6 2010, 9:50pm | Comments »
-
I posted to 10500bc.org
Checking the snort process from nagios
http://www.10500bc.org/archive/2010/01/05/checking-the-snort-process-from-nagios/
I’m checking the snort basically like i’m checking most processes, if you’ve been following allong then you’ll already have a check_procs setup. So I simply edit my localhost.cfg and add: define service{ use generic-service host_name localhost service_description Snort check_command check_snort_procs!1:1!snort } Edit the commands.cfg and add: define command{ command_name check_snort_procs command_line $USER1$/check_procs -c $ARG1$ -C $ARG2$ } reload nagios and thats it.
January 5 2010, 1:40am | Comments »
-
I posted to 10500bc.org
My BASE (for Snort) Install Notes for OSX
http://www.10500bc.org/archive/2010/01/04/my-base-for-snort-install-notes-for-osx/
To get base up and going with snort already installed I did the following. 1. Downlaod ADOdb (database abstraction library for PHP) : http://sourceforge.net/projects/adodb/files/ The version I got was adodb510.tgz 2. Unzip and untar the file tar -xvzf adodb510.tgz 3. Move the folder I did: cp -R adodb5/ /Library/WebServer/Documents/adodb5/ 4. Download base: http://sourceforge.net/projects/secureideas/ The version I got was: base-1.4.4.tar.gz 5. Unzip and tar the file tar -xvzf base-1.4.4.tar.gz 6. You should now have a folder: base-1.4.4/ cd base-1.4.4/ 7. Copy the base folder to your webserver folder cp base-1.4.4/ /Library/WebServer/Documents/base/ change the owner on the folder sudo chown -R _www:_www /Library/WebServer/Documents/base/ *NOTE* With this version there was a known problem with the file: base_state_citems.inc.php on some setups, mine included. So I had to download the fixed version from CVS You can also download it from the website, follow the link from here: http://secureideas.cvs.sourceforge.net/viewvc/secureideas/base-php4/includes/base_state_citems.inc.php?view=log it goes in your /base/templates/ 8. Now install the needed pear extensions for graphs to work in base On my system it was as follows: First I had to update pear to the rest of the packages would work: sudo /usr/local/php5/bin/pear install PEAR-1.9.0 Then the following packages: sudo /usr/local/php5/bin/pear install Image_Color sudo /usr/local/php5/bin/pear install Image_Canvas-0.3.2 sudo /usr/local/php5/bin/pear install Image_Graph-0.7.2 9. Open up base in your browser: http://localhost/base/setup/index.php You should get the page up with the settings, if you have any errors you need to fix them first with their suggestions. Once you answer all the setup questions you should have a working base install.
January 4 2010, 1:22am | Comments »
-
I posted to 10500bc.org
My Snort on OSX Install Notes
http://www.10500bc.org/archive/2010/01/03/my-snort-on-osx-install-notes/
1 Download Snort2 Download pcre 3 Untar pcre 4 Cd to pcre 5 ./configure make make install (NOTE: Install prefix ……………… : /usr/local) 6 Untar Snort 7 CD to snort 8 ./configure -enable-dynamicplugin –with-mysql –with-mysql-includes=/opt/local/include/mysql5/ –with-mysql-libraries=/opt/local/lib/mysql5/mysql/ 9 make 10 sudo make install /usr/bin/install -c -m 644 ‘./snort.8′ ‘/usr/local/man/man8/snort.8′ test -z “/usr/local/lib/pkgconfig” || /bin/sh ./mkinstalldirs “/usr/local/lib/pkgconfig” /usr/bin/install -c -m 644 ’snort.pc’ ‘/usr/local/lib/pkgconfig/snort.pc’ 11. Get the rules from the snort site and untar them I used snorttemp as the folder 12. Make a folder for the rules mkdir /opt/local/etc/snort/ mkdir /opt/local/etc/snort/rules/ 13. Copy the rules over cd ~/snorttemp/rules/ cp * /opt/local/etc/snort/rules/ I also copied over the etc folder cd ~/snorttemp/etc/ cp * /opt/local/etc/snort/ 14. Edit the Snort configuration vi /opt/local/etc/snort/snort.cfg change “var HOME_NET any” to “var HOME_NET 192.168.0.0/24″ or whatever your home network is change “var EXTERNAL_NET any” to “var EXTERNAL_NET !$HOME_NET” This is everything except your home network change “var RULE_PATH ../rules” to “var RULE_PATH /opt/local/etc/snort/rules” goto the line that starts with “# output database: log, mysql, user=” and remove the # from the begining of the line enter your user password and db name 15. mysql setup log in to mysql as root mysql -u root -p create a snort database mysql> create database snort; create a user and password to match your mysql setup in the snort config: mysql> CREATE USER ’snort’@'localhost’ IDENTIFIED BY ’somepassword’; give that user access to the database mysql> GRANT ALL PRIVILEGES ON snort.* TO ’snort’@'localhost’; mysql> exit Import the snort schema into the database. mysql -D snort -u root -p < /schemas/create_mysql 16. Start it up snort -c /opt/local/etc/snort/snort.conf If it works it should look something like: –== Initialization Complete ==– ,,_ -> Snort! <- o” )~ Version 2.8.5.1 (Build 114) ”” By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team You can use ctrl+c to stop it.
January 3 2010, 7:32pm | Comments »
-
I posted to 10500bc.org
Debian Boot Thumb drive from OSX
http://www.10500bc.org/archive/2009/12/30/debian-boot-thumb-drive-from-osx/
Last week I had a need to create a debian boot disk. The computer I needed to use it on doesn’t have a CD and I didn’t feel like purchasing a USB CD reader just for the purpose of loading debian, and I didn’t feel like waiting until I could go to down or have it shipped. So I had to make a boot disk. I’ve done it in Linux several times before but never from OSX. So the commands aren’t exactly the same, here are my notes taken from a couple places on the web, which should serve as a reminder for the next time I have do to it. First I downloaded the debian image I wanted to use from there site. Next I stuck the thumb drive in the box. from the termial (I use iTerm)
diskutil list
mine was listed as /dev/disk1
diskutil unmountDisk /dev/disk1
bzcat debian.img | dd of=/dev/disk1
diskutil eject /dev/disk1
It was a simple as that. To test i stuck it in my handy netbook and reboot and I was at the lovely command prompt. Then of course other things happened that required my attention so I haven’t gotten back to that project of getting the box installed yet.
December 30 2009, 10:23pm | Comments »
-
I posted to 10500bc.org
Checking the Splunk Process from Nagios
http://www.10500bc.org/archive/2009/12/27/checking-the-splunk-process-from-nagios/
Now its time to have Nagios check to make sure that splunk is running. For version 3 of Splunk there was a app / plugin you could get for Splunk that would work with Nagios. It appears to be gone. But I did find a snippet that some one posted here. Several things have changed so that script doesn’t work 100% out by cut and paste, but it was an excellent jumping off point and it took very few modifications to get going. Due to the fact that there is a copy right on this script, then I can’t put it here with out permission. But I will note that you can do the same thing almost by using the default nagios check_procs command. So copy that script as check_splunk and stick it in your libexec folder. If your playing along with my setup thats: /opt/local/libexec/nagios Once you have it downloaded you can ./check_splunk ports or procs I didn’t worry about checking or trying to edit the search portion as for what I’m doing I don’t really need it right now, but I will revisit it if the need arises. Now you have the script, its time todo the normal nagios setup stuff. 1. Add it to your commands vi /opt/local/etc/nagios/objects/commands.cfg define command { command_name check_splunk command_line $USER1$/check_splunk $ARG1$ } 2. Add it to your localhost vi /opt/local/etc/nagios/objects/localhost.cfg define service{ use generic-service host_name localhost service_description Splunk Port check_command check_splunk!ports } define service{ use generic-service host_name localhost service_description Splunk Procs check_command check_splunk!procs } Now restart nagios and you should be good to go
December 27 2009, 11:01pm | Comments »
-
I posted to 10500bc.org
Adding Cacti Logs to Splunk
http://www.10500bc.org/archive/2009/12/23/adding-cacti-logs-to-splunk/
This basically the same process as adding the nagios logs, but I’ll put it up anyway. 1. Click Manager in the upper right-hand corner of Splunk Web. 2. Under System configurations, click Data Inputs. 3. Click Files and directories. 4. Click New to add an input I choose Monitor a file or directory 6. Specify the path to the file: With my setup it is: /Library/WebServer/Documents/cacti/log/cacti.log 7. Under Host Heading I choose constant value 8. Under Source Type I choose Automatic 9. Click Save Thats it now your cacti logs show up in splunk.
December 23 2009, 9:09pm | Comments »
-
I posted to 10500bc.org
Checking the OSSEC Processes from Nagios
http://www.10500bc.org/archive/2009/12/22/checking-the-ossec-processes-from-nagios/
There are several OSSEC processes that are running at once. So I’ll add some simple process checking to nagios to make sure I know they are running. One note is that if you haven’t enabled the ossec-csyslogd to run (I did that to talk to splunk) then you won’t need that one. So here we go, its easy. 1. Add it to your commands (Note I’m adding a new command for this instead of using the command already there so I can pass some different information, plus I like to keep all my modifications separate to make things easier to reproduce on other boxes) vi /opt/local/etc/nagios/objects/commands.cfg
‘check_ossec_procs’ command definition
define command{ command_name check_ossec_procs command_line $USER1$/check_procs -c $ARG1$ -C ARG2$ } 2. Add it to your localhost vi /opt/local/etc/nagios/objects/localhost.cfg define service{ use generic-service host_name localhost service_description OSSEC csyslogd check_command check_ossec_procs!1:1!ossec-csyslogd } define service{ use generic-service host_name localhost service_description OSSEC maild check_command check_ossec_procs!1:1!ossec-maild } define service{ use generic-service host_name localhost service_description OSSEC execd check_command check_ossec_procs!1:1!ossec-execd } define service{ use generic-service host_name localhost service_description OSSEC analysisd check_command check_ossec_procs!1:1!ossec-analysisd } define service{ use generic-service host_name localhost service_description OSSEC logcollector check_command check_ossec_procs!1:1!ossec-logcollector } define service{ use generic-service host_name localhost service_description OSSEC monitord check_command check_ossec_procs!1:1!ossec-monitord } Now just reload nagios and you should be able to tell if you ossec process is there or not.
December 22 2009, 11:45pm | Comments »
-
I posted to 10500bc.org
Adding OSSEC Alerts to Splunk
http://www.10500bc.org/archive/2009/12/21/adding-ossec-alerts-to-splunk/
Next up I want to add my OSSEC Alerts to Splunk. This is slightly more complicated then adding the nagios logs, but well document. The main part of this comes from the OSSEC Wiki Here. And the rest from the forums. But I’ll put it all here for my reference. 1. Edit your ossec.conf (If you’ve installed it like I have its located at: /var/ossec/etc/ossec.conf) add the following block: <syslog_output> <server>172.10.2.3</server> <port>10002</port> </syslog_output> 2. Enable syslog_output module and restart OSSEC:
/var/ossec/bin/ossec-control enable client-syslog
/var/ossec/bin/ossec-control restart
On restart you’ll see ossec-csyslogd starting up. On the Splunk Side 1. Goto Manager 2. Goto Data Inputs 3. On UDP click Add New 4. On my setup the UPD Port is 10002 5. Set sourcetype is Manual 6. Source type is ossec 7. Save Now since things have changed in Splunk 4 the rest of the wiki entry doesn’t help. But there is more information on this Forum Thread. So download that file and extract it to your splunk directory as stated. Restart splunk and bingo your OSSEC alerts plus lots of nice menu options to access that data.
December 21 2009, 10:15pm | Comments »
-
I posted to 10500bc.org
Adding Nagios Logs to Splunk
http://www.10500bc.org/archive/2009/12/20/adding-nagios-logs-to-splunk/
Now that we have all these systems working correctly under OSX its time to start making them work together a little. First up I want to add the nagios logs to splunk. This is very easy, you can get this off the splunk site here. But I’ll recap exactly what I did for my setup here. 1. Click Manager in the upper right-hand corner of Splunk Web. 2. Under System configurations, click Data Inputs. 3. Click Files and directories. 4. Click New to add an input I choose Monitor a file or directory 6. Specify the path to the file: With my setup it is: /opt/local/var/nagios/nagios.log 7. Under Host Heading I choose constant value 8. Under Source Type I choose Automatic 9. Click Submit Thats it now your nagios logs show up in splunk. Pretty easy stuff.
December 20 2009, 8:50pm | Comments »
-
I posted to delicious.com
Ryan`s Software
http://www.ryansapplesoftware.com/
September 16 2009, 5:59pm | Comments »
-
I posted to 10500bc.org
Customer Weather Notifications with Growl
http://www.10500bc.org/archive/2009/09/11/customer-weather-notifications-with-growl/
Last night I download Prowl on my iPhone and setup my growl to work with it. It’s very cool stuff together, i’ve been using growl forever. Anyway tonight I was reading in this thread in the prowl forum where one poster is using growl notifications for weather. Not just any weather but really local weather. Now if you live in or around a big town, most weather apps are pretty accurate for you area. But when you live out in the sticks like I do, they are only close most of the time. Anyway tonight I set up this excellent pair of perl scripts as outlined here from IBM: Develop your own weahter maps and alerts. Which is a very cool script that will allow you pinpoint your location. I used Photoshop to create the base map from the layers. Once followed all the instructions, some things are not exactly clear at first, but if your familiar with perl reading the code sorts it all out. I setup the notify scripts to send the messages to growl via the growlnotify command. Now once that was all setup I created a simply bash script that would delete the old Radar overlay, pull the current Radar overlay needed and run the perl weather scripts. I then stuck that script in my crontab. So if I’m at my computer I get notified and if i’m away from my computer i get a push notification to my phone. Very cool stuff. Of course I could just look outside to see if it is raining
September 12 2009, 12:25am | Comments »
-
I posted to delicious.com
OBD GPS Logger for Linux and OSX
http://icculus.org/obdgpslogger/
September 6 2009, 1:43am | Comments »
-
I posted to 10500bc.org
Splunk on OSX
http://www.10500bc.org/archive/2009/08/30/splunk-on-osx/
Another tool that I like use is Splunk. Now we use a different set of tools for log monitoring and management at work, but I enjoy using splunk at home. The good thing about Splunk on OSX is that they provide you with a .dmg to download and .pkg to install. Takes longer to download than to install. Once the install is done just start it up and log in.
August 31 2009, 12:54am | Comments »
-
I posted to 10500bc.org
OSSEC on OSX
http://www.10500bc.org/archive/2009/08/30/ossec-on-osx/
Next up for reinstall is OSSEC. OSSEC is an Open Source Host-basted Intrusion Detection System. I also had this installed before the i reinstalled OSX. To install OSSEC just follow the default instructions and everything works out just fine. Note, you’ll have to start this manual after each reboot, I’m sure there is a way to add it to autostart, but I haven’t gotten there yet. To install the OSSEC-WUI follow the instructions up to the point before running the setup.sh script, it will not work on OSX (client anyway, not sure about server). All you need to do to get it working is first change the permission on the whole folder and files to _www. Then you need to add the _www user to the ossec group. That is done with the following command: sudo dscl . -append /Groups/ossec GroupMembership _www Thats it now its up and running and you have a nice interface for it.
August 30 2009, 11:53pm | Comments »
-
I posted to 10500bc.org
Cacti on OSX
http://www.10500bc.org/archive/2009/08/30/cacti-on-osx/
To continue on with monitoring my home network environment with the some of the tools I use to monitor my work environment I’m reinstalling Cacti. Now before the reload of my mac I had cacti running and graphs for at least 3 years. Now while I don’t mind losing that historical data i do mind loosing all the custom scripts that I had written to monitor so of the now SNMP devices on my network, I will probably pull that drive out and copy the data over soon. Note to self include all these config files in my future backup plan. My first run at installing Cacti was via Macports, which I’ve never tried before. What I discovered is that, the version on macports wouldn’t install with the plugins support. So I did the way I normally do an installed from source. No special notes for osx here, it just works. Same goes for adding the plugin support, worked out of the box, following there install instructions. So all I can recommend is following the install instructions and install from ports and you’ll be in business. The only thing that I think doesn’t work is the Localhost memory usage. But I’ll be digging into that soon and getting it sorted out with the mac version.
August 30 2009, 10:36pm | Comments »
-
I posted to 10500bc.org
VIM and Nagios
http://www.10500bc.org/archive/2009/08/30/vim-and-nagios/
I edit just about all my nagios files at the command line. I have found a nagios.vim file that highlights the syntax and really helps when working with the files. First you can get it here: nagios syntax Next simply follow the install details listed. I made the following changes to fit my nagios installation on osx via macports: on the line that starts au BufNew, i changed the line to: au BufNewFile,BufRead /opt/local/etc/nagios/objects/*.cfg set filetype=nagios Another note, just in case you haven’t already done so you can auto enable the syntax for vim buy putting the following line in your .vimrc :syntax enable
August 30 2009, 10:20pm | Comments »
1 2
