Irregular Expressions

March 18, 2010  9:57 PM

System Virtualization

Dan O'Connor Dan O'Connor Profile: Dan O'Connor

For the last few years I have been using VirtualBox for running my vm’s. I prefer applications that will run on any of the operating systems that I use, and the more consistent the UI the better.

VirtualBox will run on Windows, Linux, FreeBSD ( not sure about any other UNIX ) and OS-X. It is also capable of virtualizing a large number of operating systems, the most notable feature that I find is that it has the ability to do a EFI BIOS and run a OSX virtual machine.

Like other virtualization products it has the ability to do snap shots, and allows for unified interfaces.
The performance of the VM’s seems to be the same as with other solutions, and the performance tweaks are about the same. VM’s will do far more with less then they would if a physical machine.

The main thing that VirtualBox lacks is a server setup as VMWare and Xen do, though this may be why it’s such a strong desktop solution.

I use vm’s for testing system penetration and software solutions, they can make quick targets for your Metasploit installations ( As practice of course ).

You can get it here

March 18, 2010  8:54 PM

Protecting system state

Dan O'Connor Dan O'Connor Profile: Dan O'Connor

Sometimes you need to run an application that you really just don’t know what it will do to your system.

This is a great utility to sandbox your application, the running application will think that it’s editing the system but you have the ability to delete the contents of the sandbox and revert the system back.

Specifically I think this is great for using IE, any of the little nasties that you can pick up on the internet can just disappear when you are done.

This is something that would be a good install for any users that really like to click on every link that appears on the screen or play their favorite online “free” games.

There is a small list of know conflicts listed on the site.

There is a few niceties that you can have with the registered version but with a little determination you should be able to get this running perfectly for your self or your users.

March 10, 2010  3:48 PM

Energizer Malware

Dan O'Connor Dan O'Connor Profile: Dan O'Connor

This is far too interesting not to post, US-CERT has analysis of malware discovered in Energizer battery chargers USB software.  When the charging software is installed it drops two DLL’s on the system, one of which is Arucer.dll. Arucer.dll is the backdoor, it creates a listening socket on TCP port 7777, if you are running Windows XP SP2 or higher you will get a prompt from the firewall to allow or block access.

When installed it will allow the remote user to list, send, receive and execute files on the system.

US-CERT has snort signatures listed on the link provided below if you have a sensor in your environment.

You can get full details here

There is a CVE for this CVE-2010-0103.

Security Focus has a metasploit plugin

Also there is an update for NMAP out to detect this.

March 10, 2010  3:13 PM

Installing Suricata on FreeBSD – Part 7

Dan O'Connor Dan O'Connor Profile: Dan O'Connor

To get the unified2 events coming out of Suricata into the database that was setup, you will need to install something to open that file format.

One of the choices listed is barnyard2, it’s a large install and needs to have snort installed as a dependency but it will do the job.

cd /usr/ports/security/barnyard2/
make install clean

I am not going to rehash the setup of barnyard2 there is plenty of sites that can guide you through the setup.

The next thing I will be attempting to install is OpenVAS on FreeBSD 8.0 or 7.2, I am not sure if it will run on either at this point.

March 8, 2010  10:02 PM

Mark Zuckerberg postings on

Dan O'Connor Dan O'Connor Profile: Dan O'Connor

This is really interesting, you might suspect that someone at facebook had looked into files that they should have not.  But the fact that it’s the founder of the company doing it, and that it does not seem to be a rumor and that there is more then one person that is backing up the claims.  The one incident you could think that there really might not be any substance behind the claims or evidence.  But with a second claim of the same thing happening again, I wonder how many other times that this has been done in-between or since.

There has to be someone at facebook that knows what happened and what information was accessed by who.  With the information that is kept in the databases at facebook, I can’t believe that there is no audit trail of what user has accessed the information.

March 7, 2010  8:57 PM

Updates to BIND

Dan O'Connor Dan O'Connor Profile: Dan O'Connor

There has been a new release of BIND.

DNS is one of those services that should really be patched sooner than later, the fixed bug list of the release is here.

--- 9.6.2 released ---

2850.	[bug]		If isc_heap_insert() failed due to memory shortage
the heap would have corrupted entries. [RT #20951]

2849.	[bug]		Dont treat errors from the xml2 library as fatal.
[RT #20945]

2846.	[bug]		EOF on unix domain sockets was not being handled
correctly. [RT #20731]

2844.	[doc]		notify-delay default in ARM was wrong.  It should have
been five (5) seconds.

--- 9.6.2rc1 released ---

2838.	[func]		Backport support for SHA-2 DNSSEC algorithms,
RSASHA256 and RSASHA512, from BIND 9.7.  (This
incorporates changes 2726 and 2738 from that
release branch.) [RT #20871]

2837.	[port]		Prevent Linux spurious warnings about fwrite().
[RT #20812]

2831.	[security]	Do not attempt to validate or cache
out-of-bailiwick data returned with a secure
answer; it must be re-fetched from its original
source and validated in that context. [RT #20819]

2828.	[security]	Cached CNAME or DNAME RR could be returned to clients
without DNSSEC validation. [RT #20737]

2827.	[security]	Bogus NXDOMAIN could be cached as if valid. [RT #20712]

2825.	[bug]		Changing the setting of OPTOUT in a NSEC3 chain that
was in the process of being created was not properly
recorded in the zone. [RT #20786]

2823.	[bug]		rbtdb.c:getsigningtime() was missing locks. [RT #20781]

2819.	[cleanup]	Removed unnecessary DNS_POINTER_MAXHOPS define
[RT #20771]

2818.	[cleanup]	rndc could return an incorrect error code
when a zone was not found. [RT #20767]

2815.	[bug]		Exclusively lock the task when freezing a zone.
[RT #19838]

2814.	[func]		Provide a definitive error message when a master
zone is not loaded. [RT #20757]

March 4, 2010  8:38 PM

Installing Suricata on FreeBSD – Part 6

Dan O'Connor Dan O'Connor Profile: Dan O'Connor

Once the configuration of php + apache is completed you should be able to get the first setup screen of BASE up.

Follow along with the setup, once you get to the database section you will need to get some sql schema from the snort installation tarball. The needed file is called ( I used PostgresQL, the other database server schema’s are located in the same place ) create_postgresql, this is assuming that you have created a db and user for your events.

As your db user apply the schema to the database you created for the events.

psql ids < /path/to/create_postgresql

There is just a couple more screens left to go at this point, you can setup authentication and then the installer should create a few more entries in the database.

Once you have completed the setup you should end up at a pretty plain screen, we still need to get the information from Suricata into the database for BASE to read.

March 3, 2010  8:36 PM

Installing Suricata on FreeBSD – Part 5

Dan O'Connor Dan O'Connor Profile: Dan O'Connor

Once the install of BASE is completed you also need to install apache or some other web server.

cd /usr/ports/www/apache22/
make install clean

Once installed you will need to allow apache to start.

vi /etc/rc.conf

There is also some post installation stuff to do to base, that came up after the installation.

Please read the README file located at:


for how to configure /usr/local/www/base/base_conf.php after

To make BASE accessible through your web site, you will need to add
the following to your Apache configuration file:

    Alias /base/ "/usr/local/www/base"

In order for the graphing functions to work in BASE, make sure you
include PEAR in your /usr/local/etc/php.ini configuration file, like:

    include_path = ".:/usr/local/share/pear"

If you built BASE with PDF support, make sure you include the FPDF
path in your /usr/local/etc/php.ini configuration file, like:

    include_path = ".:/usr/local/share/pear:/usr/local/share/fpdf"

Almost done setting up BASE.

March 2, 2010  10:45 AM

Installing Suricata on FreeBSD – Part 4

Dan O'Connor Dan O'Connor Profile: Dan O'Connor

Now that we have something to control Suricata make sure to set the configuration variables for Suricata.

Ensure your HOME_NET is correct or your results are not going to be so great.

  # Holds the address group vars that would be passed in a Signature.
  # These would be retrieved during the Signature address parsing stage.

    HOME_NET: "[,,]"







    AIM_SERVERS: any

  # Holds the port group vars that would be passed in a Signature.
  # These would be retrieved during the Signature port parsing stage.

    HTTP_PORTS: "80"


    ORACLE_PORTS: 1521

    SSH_PORTS: 22

Now that Suricata is is configured and runs we can install something to manage the events being generated by it.

BASE is listed in the as something that is supported.

cd /usr/ports/security/base/
make install clean

BASE has a long list of dependencies to install, so go grab a coffee.

February 23, 2010  12:44 AM

Installing Suricata on FreeBSD – Part 3

Dan O'Connor Dan O'Connor Profile: Dan O'Connor

Now that Suricata will start it’s time to create a rc script to control the service.

( Lets put it somewhere nice )

vi /usr/local/etc/rc.d/suricata
# By Dan OConnor
# PROVIDE: suricata
. /etc/rc.subr
load_rc_config $name
: ${suricata_enable="NO"}
suricata_start() {
        ${suricata_bin} -D -c $suricata_conf -i $suricata_int
suricata_stop() {
        killall -INT suricata
run_rc_command "$1"
chmod +x /usr/local/etc/rc.d/suricata

You can get fancy if you want with the rc script, but this basic one will allow you to start,stop and restart the service as needed.

Add the needed lines to /etc/rc.conf so we can start the service and pass our variables in.

vi /etc/rc.conf

And give it a test run.

test# /usr/local/etc/rc.d/suricata start
Warning: Invalid global_log_level assigned by user.  Falling back on the default_log_level "Info"
Warning: Invalid global_log_format supplied by user or format length exceeded limit of "128" characters.  Falling back on default log_format "[%i] %t - (%f:%l)  (%n) -- "
Warning: Output_interface not supplied by user.  Falling back on default_output_interface "Console"
[100121] 23/2/2010 -- 05:52:14 - (suricata.c:567)  (main) -- This is Suricata version 0.8.1
[100121] 23/2/2010 -- 05:52:14 - (util-cpu.c:150)  (UtilCpuPrintSummary) -- CPUs Summary: 
[100121] 23/2/2010 -- 05:52:14 - (util-cpu.c:152)  (UtilCpuPrintSummary) -- CPUs online: 1
[100121] 23/2/2010 -- 05:52:14 - (util-cpu.c:154)  (UtilCpuPrintSummary) -- CPUs configured 1
[100121] 23/2/2010 -- 05:52:14 - (output.c:42)  (OutputRegisterModule) -- Output module "AlertFastLog" registered.
[100121] 23/2/2010 -- 05:52:14 - (output.c:42)  (OutputRegisterModule) -- Output module "AlertDebugLog" registered.
[100121] 23/2/2010 -- 05:52:14 - (output.c:42)  (OutputRegisterModule) -- Output module "AlertUnifiedLog" registered.
[100121] 23/2/2010 -- 05:52:14 - (output.c:42)  (OutputRegisterModule) -- Output module "AlertUnifiedAlert" registered.
[100121] 23/2/2010 -- 05:52:14 - (output.c:42)  (OutputRegisterModule) -- Output module "Unified2Alert" registered.
[100121] 23/2/2010 -- 05:52:14 - (output.c:42)  (OutputRegisterModule) -- Output module "LogHttpLog" registered.

test# /usr/local/etc/rc.d/suricata stop

Needs to be cleaned up a bit but we can now start and stop it.

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: