An alchemists view from the bar

Network Security Alchemy

Archive for May 2010

OpenFPC 0.1a – Installation and usage

with 2 comments

Firstly, I need to vent my anger at WordPress’s post formatting breakage. It is impossible for me to format this post using the Visual editor, and the HTML generated is so unbelievably ugly I can’t follow it.  So when the formatting of the text below doesn’t look correct blame wordpress not me.

I have uploaded a tarball of OpenFPC-0.1a to Googlecode, and as there isn’t any real documentation yet for OpenFPC I thought I would provide a few tips for people who want to try it out.

Firstly a word of warning: OpenFPC could be changing in the near future. I’m meeting up with ebf0 the author of FPCGui in June for a beer. Because duplicating effort is never a smart thing to do, and as both projects have similar goals it may make sense to pool some resources. Anyway, for the people who emailed me after my last post wanting to know how to get started with OpenFPC here are some tips.

The below is being performed on Ubuntu 10.04 LTS.

1) Check for requirements

OpenFPC depends on a few libraries and tools that need to be installed on the server you decide to dedicate for traffic collection. These include:

  • TCPdump
  • tshark (Part of the wireshark project)
  • mergecap (Part of the wireshark project)
  • daemonlogger (Version 1.2.1 or greater)
  • Perl
  • Perl Getopt::Long

On Ubuntu 10.04 LTS, all of these applications and librariers can be installed via apt without any real challenges. If they are not available in your Operating System’s package manager, you will have to go download and install them yourself.

lward@UbuntuDesktop:~$ sudo apt-get install tcpdump tshark daemonlogger

2) Install OpenFPC

Once those packages are installed, go download OpenFPC from here. This document was written for version 0.1a, but if there is a later release on the download list it’s best to use that. Once you have the tarball, extract it to somewhere in your home directory.

lward@UbuntuDesktop:~$ tar -zxvf openfpc-0.1a.tgz

If your dependencies are all satisfied, installation should be as simple as running the installer. And that should be it!

OpenFPC installs itself into /opt/openfpc, and looks for a configuration file in /openfpc.conf /etc/openfpc/openfpc.conf, /opt/openfpc/openfpc.conf (first config file found wins).
I suggest you start off by editing the file /opt/openfpc/openfpc.conf. Pay close attention to the FILE_SIZE and DISK_SPACE values. You will want to increase the FILE_SIZE value to over 10M for a production environment, it’s that default because of my testing on a VM. 1G or 2G would probably make more sense.
DISK_SPACE equates to a percentage of disk space to use on the capture partition. All other values should be pretty much obvious.
Once you’re happy with the values you have set, start up openfpc.

TIP: Because openfpc looks for a .conf file in your current working directory, be careful where you start/stop/extract pcap files from. I think I may change this behaviour in the future, but this is how it is for now.

lward@UbuntuDesktop:~$ /etc/init.d/openfpc status
[*] Reading configuration file /opt/openfpc/openfpc.conf
[!] No current buffers found in /var/tmp/openfpc – Have you started it yet?

lward@UbuntuDesktop:~$ sudo /etc/init.d/openfpc start
[sudo] password for lward:
[*] Reading configuration file /opt/openfpc/openfpc.conf
[-] Daemon mode set
[-] Interface set to eth0
[-] Logpath set to /var/tmp/openfpc
[-] Log filename set to “openfpc-pcap”
[-] Pidfile configured to “openfpc-dl”
[-] Pidpath configured to “/var/run”
[-] Rollover configured for 10 megabytes
[-] Rollover configured for 0 none
[-] Pruning behavior set to oldest IN DIRECTORY

DaemonLogger Version 1.2.1
By Martin Roesch
(C) Copyright 2006-2007 Sourcefire Inc., All rights reserved
Checking partition stats for log directory “/var/tmp/openfpc/.”
50% max disk utilization = 2467159 blocks free (out of 4934317)
 Blocksize = 4096
Rollsize = 2560 blocks
[-] It looks like daemonlogger has started successfully
[*] Traffic buffer (Daemonlogger) started on Tue May 25 17:16:28 BST 2010

Currently pcaps need to be requested locally using the tool, and only Snort-syslog, Snort alert_fast, Sourcefire3D, and Exim4 log entries are supported. If you would like support for another log format added that you use right now, send me samples via email (<myfirstname> Please only ask for log file formats that you are in a position to use and test, don’t just suggest nice-to-have.

So once you have a log entry you want to extract, run the command. I have one of my Snort instances writing events to syslog. I don’t make use of a nice Snort event UI like Snorby, Sguil, or Base on this device but when an event is triggered I want some more packet data.Here is an alert Ill use as an example (IP address’ are censored of course):

May 26 08:36:45 XXXXX snort: [1:2020:5] RPC mountd TCP unmount request [Classification: Attempted Information Leak] [Priority: 2]: {TCP} X.X.X.X:991 -> Y.Y.Y.Y:41208

To extract the session based on this log message, I will pass the -a “<LOG LINE>” arguments to

leon@rancid:~$ -a “May 26 08:36:45 rancid snort: [1:2020:5] RPC mountd TCP unmount request [Classification: Attempted Information Leak] [Priority: 2]: {TCP} ->”
*  – Part of the OpenFPC Project *
Leon Ward –
– Searching for traffic..
– Merging …
– Created /tmp/extracted-1274864016.pcap (1.1K Bytes)

I now have the complete session in the file /tmp/extracted-1274864016.pcap.
If you want to create your own wrapper scripts around ofpc-extract, you could use the -q (quiet) flag e.g.

leon@rancid:~$ FILENAME=$( -a “May 26 08:36:45 rancid snort: [1:2020:5] RPC mountd TCP unmount request [Classification: Attempted Information Leak] [Priority: 2]: {TCP} ->” -q)
*  – Part of the OpenFPC Project *
Leon Ward –
leon@rancid:~$ echo $FILENAME

Good luck with your sniffing!

Written by leonward

May 26, 2010 at 10:15 am

Introducing OpenFPC – An Open Full Packet Capture Framework for Network Traffic Recording

with 6 comments

I’m writing this post in order to introduce a project I’ve been thinking about for years and started working on a couple of months back. OpenFPC.


Update: Aug/2010: OpenFPC now has a new home: Go there for more info.

OpenFPC is designed as an add-on capability for other network communication and security technologies, it provides those technologies (open source or comercial) with something that their users often demand but the system doesn’t or can’t deliver on. The complete network traffic associated with a network security event. OpenFPC provides a central interface where full traffic session data can be automatically (or manually) requested from a distributed recording infrastructure, and then deliveries it back to the requester in a .pcap file or as a href to the .pcap file.

So what makes,or will make OpenFPC different from other tools available that provide similar functionality?

  • Distributed framework – With a central user interface and request point.
  • Quick and simple to set-up and start functioning. No expert knowledge required
  • Automated extraction of sessions (Syn-to-fin) of known to be “interesting” events for longer-term storage
  • Traffic is requested in the context if the requesting device, system or process
  • No database requirement for traffic/session data indexes
  • Optimised session searching over large traffic archives
  • Web UI, command line, and automated-process interfaces all provided

The above points are in no particular order, but to introduce the project I would like to focus on one feature in particular. In further posts and as the code develops I plan to expand on many of the above with functioning examples.

“Traffic is requested in the context if the requesting device, system or process”

A wise man once said that a picture is worth a thousand words, maybe the below examples will provide the same result and save me a load of typing.

Example 1) Mail log context

Problem: My mail log shows an entry that I have further interest in, this transmission is suspected to contain some malware. I would like to inspect the complete network traffic session to get hold of the malicious stuff if it actually exists.

leon@rancid:~$ tail -n 1 /var/log/exim4/mainlog

2010-05-16 11:35:27 1ODbBv-0008UQ-20 <= [] P=smtp S=1019

Solution: Extract the session based on the Exim4 (my mail daemon) log line. Below is the log entry that I’m interested in.

leon@rancid:~$ -a 22010-05-16 11:35:27 1ODbBv-0008UQ-20 <= [] P=smtp S=1019
*  – Part of the OpenFPC Project *
Leon Ward –
– Searching for traffic…..
– Merging …
– Created /tmp/extracted-1274006391.pcap (3.4K Bytes)
Now I have the complete session to inspect and perform analysis on.
Example 2) IPS Context
Problem: Looking through my central log manager I spot the following IPS event that was passed to my log manager over Syslog. Because the event was uploaded to my screen via syslog i’ve lost all packet data.
May 16 11:49:05 rancid snort: [1:1951:7] RPC mountd TCP mount request [Classification: Attempted Information Leak] [Priority: 2]: {TCP} ->
I would like to extract the complete session to perform further investigation into the event.
leon@rancid:~$ -a “May 16 11:49:05 rancid snort: [1:1951:7] RPC mountd TCP mount request [Classification: Attempted Information Leak] [Priority: 2]: {TCP} ->
*  – Part of the OpenFPC Project *
Leon Ward –
– Searching for traffic.
– Merging …
– Created /tmp/extracted-1274006982.pcap (1.2K Bytes)
Example 3) Arbitrary extraction
Of course you don’t need to format a request like  a log file message for a session, simply search. Here are the command line options.
leon@rancid:~$ --help
*  - Part of the OpenFPC Project *
  Leon Ward -
- Usage:
  --mode     or -m <at|window> At a specific time, or search in a window
  --src-addr or -s           Source IP
  --dst-addr or -d           Destination IP
  --src-port or -u           Source Port
  --dst-port or -r           Destination Port
  --write    or -w           Output file
  --http     or -l                      Output in HTML for download
  --verbose  or -v                      Verbose output
  --debug                               Debug output
  --quiet                               Return only a filename or an error
  --all                                 Check in all buffers not just current sniff buffer
  ***** Operation Mode Specific Stuff *****
  "At" mode.
  --each-way or -e         Number of pcaps each-way Default: 1
  --event    or -a         Parse a supported event log line e.g. Snort, Sourcefire, Exim etc
  --timestamp or -t                     Event mode - Look each way of this epoch value
  --sf                                  Timestamp in SF format, convert it
 "Window" mode.
  --start    or -b                      Start timestamp for searching in absolute mode
  --end      or -j                      End timestamp for searching is absolute mode
If you are still reading this post, I assume that this project is something that may interest you and can guess you have a couple of questions:
  • What log formats are currently supported?
    Right now not many, this is a preview release after all. Snort Fast alert, Snort Syslog, Exim4, and Sourcefire 3D Defense Center, Sourcefire 3D Sensor.
  • When can I expect the central manager / WebUI
    Don’t hold your breath right now 🙂 But seriously, I’m working on it and had some ghetto code working that I’m too shamed of to share.
  • What’s next? When can I expect something stable?
    This is the most important question. I’m aiming for a stable non-distributed release without the manager in the next couple of weeks. I think it’s best to get a small but stable feature-set into the community rather than one big buggy release in a couple of months time.
  • Can I help?
    What a wonderful question!? Yes you can! Right now I need to find problems and iron out some bugs. In a couple of weeks Ill be looking for someone who can write a simple web UI for me, my un-themed s don’t look great
  • How do I install, configure and get this preview release running?
    Keep your eyes open for a blog posting in a couple of days talking you through an install on Ubuntu
  • What are the requirements to run? Do you use sancp or anything like that?
    daemonlogger (Thanks Marty!), tcpdump, perl
  • When’s the automated extraction bit coming?
    I’m not sure if this will be before or after the webUI. I have a day job after all!
  • Will you support <foo> log file format?
    Maybe, I want to have built-in support for most common log formats, tell me what you need and send samples.
  • Where can I get the code from?
    Stay tuned for an alpha release this week on

Happy Sniffing!

Written by leonward

May 17, 2010 at 8:00 am

Leon’s ten rules for improved network security

with 12 comments

Last week I was asked to comment on a top ten list of the “rules of network security”, and unsurprisingly I disagreed with many of them :p

This probably isn’t a shock and it’s not to say that the other list was wrong, it’s just the nature of such a subjective list. Nevertheless, I thought I would share my response here in case it stimulates thought.

Prerequisite :  Hire smart people, and trust them to do their job.

I think that’s key to getting anything done in business and not specific to network security at all, however it’s worth considering before you do any of the below.

1) Management and user education

Without educating management to the risks associated with modern network connectivity, insufficient effort and budget will be assigned to the task. This directly leads to fail. Network security education must also be presented in an enabling way, for example, “This is how to do stuff safely”, or “Implementing this security measure will allow us to conduct business with this partner while maintaining our security posture”, rather than a disabling “Don’t do that it’s naughty”.

This first point includes the education associated with AUP (Acceptable usage policies) for network connectivity and resource usage. Without defining acceptable and unacceptable usage of resources users will never know if they are misbehaving.

2) Enforce sensible access controls

This point exists at many layers within the network, including user account management (with good passwords) via role based access (RBAC) and network access controls (and by network access controls, I refer to Firewalls not a NAC-like deployment).

Firewalls should be configured to only allow the required ingress and egress ports for communication through network segments while controlling the direction of trust.

3) Patch, patch, patch, and then patch again.

Always keep up to date with security specific software updates, and automate this process wherever possible.

4) Harden systems that do not operate in a “secure by default” model.

Make sure systems that operate in areas of high risk have the appropriate lock down applied to them including

  • Disabling non-required services
  • Remove/rename system or default user accounts
  • Remove un-required applications

5) Enable logging, audit system, network and user behaviour in the context of the AUP. Monitor and react to violations and security events.

Central and sane event logging and its management is key to accomplishing this goal. Intrusion detection / Network security monitoring also fit in with this point as they are key to detecting the misuse or security violations on the network.

6) Anti-ware (the modern equivalent of Anti-virus)

This is a must on user desktops and servers (where appropriate). Even though some AV software has lower than desirable virus detection rates, having something is better than nothing as long as it’s kept up to date (see point 3)!

7) Segment the network into trust zones

Every network should be made up of multiple zones with differing functions, e.g Management, Public DMZ, Servers, Clients. VLAN’s can be used to implement much of this segregation, and firewalls should be used to route data between those networks.

8) Physical security

Make sure that the correct physical security controls are in place in your data-center. Consider and mitigate the risk of when a user’s laptop get stolen or “lost” after a four-hour business meeting in a high-class wine bar.

9) Take Backups and test them!

Not taking and checking the quality of your backups *will* cause a lot of pain. Fact. Loosing data could mean losing the company, and therefore loosing your job.

10) Use the correct tools to do the job.

If budget is tight (and it always is), look for lower cost software alternatives. There is an amazing resource of high quality open source security software available that can help address many of the security points above. Make sure you research select good tools that your are comfortable with and can scale to meet future requirements.


Written by leonward

May 11, 2010 at 4:07 pm

Posted in Uncategorized