Archive for the ‘News’ Category

HeX 2.0 - The Bonobo Released

Tuesday, October 7th, 2008

Finally, after months of efforts, HeX development team has released HeX 2.0 Live CD, codename The Bonobo. This new release includes various applications update and additional features, which you can check it out at raWPacket website.

We have already synced all the ISO images to various mirror sites, so you are able to get it asap. Other than the 3 mirror sites in HeX 2.0 Release page, you can also download the Live CD from additional mirror sites below:

Malaysia: (thanks to Zamri)
http://archive.mmu.edu.my/hex/hex-i386-2.0.iso
http://archive.mmu.edu.my/hex/hex-i386-2.0.iso.md5
http://archive.mmu.edu.my/hex/hex-i386-2.0.iso.sha256

US: (thanks to enhanced)
https://secure.redsphereglobal.com/data/tools/security/live/HeX/hex-i386-2.0.iso
https://secure.redsphereglobal.com/data/tools/security/live/HeX/hex-i386-2.0.iso.md5
https://secure.redsphereglobal.com/data/tools/security/live/HeX/hex-i386-2.0.iso.sha256

Also don’t forget our new 2 very own HeX wallpapers, which can be downloaded here!

Join our mailing list http://groups.google.com/group/HeX-liveCD or IRC #rawpacket on Freenode if you wish to ask questions, contribute ideas, and have fun with HeX users.

HeX 2.0R Preview

Monday, October 6th, 2008

We are uploading HeX 2.0 Release image to mirror sites now, it is going to be released in another few hours. I won’t reveal much information here, for the time being, check out the preview images.

HeX 2.0 preview

By the way, if you have not updated your Wordpress installation to version 2.6.2, you should do it now. The hacking attempts are in the wild. This is the screen shot I had taken before I updated it weeks ago.

HeX 2.0 preview

Ourmon and Snort 2.8.1 Released

Friday, April 4th, 2008

I noticed Ourmon 2.8.1 is quietly released on 21 March 2008. This bug-fix release fixes the bugs that I have reported previously, and my name is in the release note. The IP blacklist config takes 3 argument now, this helps when you have multiple blacklists, so you immediately tell which blacklist caused the message, but I am yet to test this feature.
For example in ourmon.conf:

blist_include "irc"  /home/mrourmon/etc/ipblacklist.txt

Snort LogoSnort, an open source network intrusion prevention and detection system, releases version 2.8.1. I got a 404 error while I was trying to download Snort 2.8.0.2 yesterday and noticed the file was not there anymore. Within few minutes, the Snort download page was refreshed and replaced with new v2.8.1 package. Coincidentally, the release version number is same with Ourmon latest bug-fix release. In v2.8.1, one of the new additions is the ability to read multiple pcaps from the command line, which I have usually done with Argus. Here is the sample:

[root@nsm /]# snort -dv -r irc1.pcap -r irc2.pcap | less
Running in packet dump mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Verifying Preprocessor Configurations!
TCPDUMP file reading mode.
Reading network traffic from "irc1.pcap" file.
snaplen = 65535

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.8.1 (Build 28)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/team.html
           (C) Copyright 1998-2008 Sourcefire Inc., et al.
           Using PCRE version: 7.6 2008-01-28

Not Using PCAP_FRAMES
07/11-08:00:32.312306 192.168.128.86:6667 -> 10.1.2.177:32793
TCP TTL:40 TOS:0x0 ID:51682 IpLen:20 DgmLen:91 DF
***AP*** Seq: 0xB368B2EB  Ack: 0xE79F2A5  Win: 0xB50  TcpLen: 32
TCP Options (3) => NOP NOP TS: 2184210158 757152
3A 62 6D 77 30 37 21 34 76 71 74 71 74 34 40 38  :bmw07!4vqtqt4@8
32 2E 37 39 2E 38 37 2E 37 39 20 4A 4F 49 4E 20  2.79.87.79 JOIN
23 61 6C 62 61 0D 0A                                               #alba..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Sguil 0.70 and Wireshark 1.0.0 Released

Monday, March 31st, 2008

Sguil LogoIt seems a bit late to announce both releases. After a long development process and beta testing, Sguil 0.7.0 has finally been released. It does not take long for modsec2sguil to work with the latest release as well. I have not upgraded my Sguil installation to 0.70 yet, but it won’t take a long time for me to do that because I plan to upgrade the hard disk as well, so every thing will be fresh installation, including the OS - FreeBSD 7.0.

Wireshark LogoIn my opinion, every network analysts should get familiar with these 2 tools, especially Wireshark. In this new version, Wireshark team has fixed few security vulnerabilities, and there is an experimental package for Mac OSX Intel as well.

Other than these releases, I have done a small upgrade from FreeBSD 6.2R to FreeBSD 6.3R recently, which I refer to here. This is only applicable if you are running GENERIC FreeBSD kernel.

[root@nsm /]# fetch http://people.freebsd.org/~cperciva/freebsd-update-upgrade.tgz

[root@nsm /]# fetch http://people.freebsd.org/~cperciva/freebsd-update-upgrade.tgz.asc

[root@nsm /]# gpg --verify freebsd-update-upgrade.tgz.asc freebsd-update-upgrade.tgz

[root@nsm /]# tar -xf freebsd-update-upgrade.tgz

[root@nsm /]# sh freebsd-update.sh -f freebsd-update.conf -r 6.3-RELEASE upgrade
Looking up update.FreeBSD.org mirrors... 1 mirrors found.
Fetching metadata signature for 6.2-RELEASE from update1.FreeBSD.org... done.
Fetching metadata index... done.
Fetching 1 metadata files... done.
Inspecting system... done.

WARNING: This system is running a "nsm-smpkernel-generic" kernel, which is not a
kernel configuration distributed as part of FreeBSD 6.2-RELEASE.
This kernel will not be updated: you MUST update the kernel manually
before running "freebsd-update.sh install".

The following components of FreeBSD seem to be installed:
src/base src/bin src/contrib src/crypto src/etc src/games src/gnu
src/include src/krb5 src/lib src/libexec src/release src/rescue src/sbin
src/secure src/share src/sys src/tools src/ubin src/usbin world/base
world/catpages world/manpages

The following components of FreeBSD do not seem to be installed:
kernel/generic kernel/smp world/dict world/doc world/games world/info
world/proflibs

Does this look reasonable (y/n)? y

Fetching metadata signature for 6.3-RELEASE from update1.FreeBSD.org... done.
Fetching metadata index... done.
Fetching 1 metadata patches. done.
Applying metadata patches... done.
Fetching 1 metadata files... done.
Inspecting system... done.
Preparing to download files... done.
Fetching 6233 patches.....10....20....30.................6230. done.
Applying patches... done.
Fetching 647 files... done.

The following files will be removed as part of updating to 6.3-RELEASE-p1:
/usr/share/examples/netgraph/bluetooth/rc.bluetooth
/usr/share/man/cat3/archive_read_set_bytes_per_block.3.gz
/usr/share/man/cat3/archive_write_prepare.3.gz
/usr/share/man/cat4/kame.4.gz
/usr/share/man/man3/archive_read_set_bytes_per_block.3.gz
/usr/share/man/man3/archive_write_prepare.3.gz
/usr/share/man/man4/kame.4.gz
/usr/share/zoneinfo/Africa/Asmera
......

[root@nsm /]# sh freebsd-update.sh -f freebsd-update.conf install
[root@nsm /]# shutdown -r now

[root@nsm /]# sh freebsd-update.sh -f freebsd-update.conf install
[root@nsm /]# shutdown -r now

Linux or FreeBSD is faster now

Saturday, March 8th, 2008

I wrote about FreeBSD 7 Release on the other day and mentioned it has 15% better performance than best performing Linux kernel when run on multicore systems. There is a report from Slashdot that mentioned “Linux kernel developer Nick Piggin reran the benchmark today and came to a different conclusion.” Ok, which one is faster now? Do we really care about that?

Sysbench was used to do the benchmark, and mySQL was used for the test.
Enjoy the benchmark result here.