266 posts in 'Hacking'

  1. 2010.04.23 Malware Analysis by CEOinIRVINE
  2. 2010.04.02 Computer Security Consulting by CEOinIRVINE
  3. 2010.03.04 Update Snort by CEOinIRVINE
  4. 2010.03.04 BASE 2010.3.3. Wed by CEOinIRVINE 1
  5. 2010.03.04 Snort IDS Installation by CEOinIRVINE
  6. 2009.11.20 TMAC V5 R3 MAC CHANGE by CEOinIRVINE
  7. 2009.11.05 d3d9 coding by CEOinIRVINE
  8. 2009.10.28 Hacking by CEOinIRVINE
  9. 2009.10.08 What tools do you use to test applications? by CEOinIRVINE
  10. 2009.10.08 How much does a penetration test cost? by CEOinIRVINE

Malware Analysis

Hacking 2010. 4. 23. 17:53

Submission Summary:

  • Submission details:
    • Submission received: 22 April 2010, 21:45:06
    • Processing time: 7 min 30 sec
    • Submitted sample:
      • File MD5: 0x504CB0E268EAB6F47BD35780C537BCB1
      • File SHA-1: 0x8EA44DC3C9B379A0E580074C5C325797BFEE83B6
      • Filesize: 95,819 bytes
      • Alias:
  • Summary of the findings:

What's been found Severity Level
Downloads/requests other files from Internet.
Creates a startup registry entry.
Registers a 32-bit in-process server DLL.
Registers a Browser Helper Object (Microsoft's Internet Explorer plugin module).
Contains characteristics of an identified security risk.

 

Technical Details:

 

Possible Security Risk
  • Attention! Characteristics of the following security risks were identified in the system:

Security Risk Description
Trojan-PWS.Magania.AHIW Trojan-PWS.Magania.AHIW is a threat that tries to monitor user activities in the hope of obtaining valuable information from the affected user, specifically gaming login information.
Trojan.Generic Common components that may be used by Trojans Small, DRSN Search, Binet, Euniverse, Adrotator and Dloader, among others.

  • Attention! The following threat categories were identified:

Threat Category Description
A malicious trojan horse or bot that may represent a security risk for the compromised system and/or its network environment
A program that downloads files to the local computer that may represent a security risk

 

File System Modifications
  • The following files were created in the system:

# Filename(s) File Size File Hash Alias
1 %Windir%\AhnRpta.exe 69,120 bytes MD5: 0x388B8FBC36A8558587AFC90FB23A3B99
SHA-1: 0xED55AD0A7078651857BD8FC0EEDD8B07F94594CC
(not available)
2 %System%\anhdo.exe 159,024 bytes MD5: 0xA7A748E6017E471FC36E9332627C147C
SHA-1: 0x1FDF53F443BA029941D14BD3DB566FA0F7C069A5
Worm:Win32/Taterf.B [Microsoft]
packed with PE_Patch [Kaspersky Lab]
3 %System%\ansb10.dll
%System%\ansb11.dll
64,598 bytes MD5: 0x34503D6515C78FE759986E73F2482B06
SHA-1: 0xB0D9857230D10193DC0BCE290866266248AADFC2
PWS:Win32/Frethog.gen!G [Microsoft]
packed with PE_Patch [Kaspersky Lab]
4 %System%\ansb20.dll 78,270 bytes MD5: 0x58DBD396A3DF3E1FB0B54EA57242555A
SHA-1: 0x30597FA342034EB381EE117941F1BA343207BD91
PWS:Win32/OnLineGames.AH [Microsoft]
packed with PE_Patch [Kaspersky Lab]
5 [file and pathname of the sample #1] 95,819 bytes MD5: 0x504CB0E268EAB6F47BD35780C537BCB1
SHA-1: 0x8EA44DC3C9B379A0E580074C5C325797BFEE83B6
Trojan.Gen [Symantec]
Trojan-GameThief.Win32.Magania.dbxc [Kaspersky Lab]
New Malware.bx [McAfee]
TrojanDropper:Win32/Frethog.K [Microsoft]
Dropper/Killav.95819 [AhnLab]
6 %System%\softqq0.dll 64,521 bytes MD5: 0x39D3F8C3E522F07803A629E68D0B2E35
SHA-1: 0x4C5CE618A8DF1C1E70EC579BB58BA12C2842B391
Downloader [Symantec]
TrojanDownloader:Win32/Frethog.C [Microsoft]
Win-Trojan/Killav.64521 [AhnLab]
packed with PE_Patch [Kaspersky Lab]

  • Notes:
    • %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
    • %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

 

Memory Modifications
  • A new process was created in the system:

Process Name Process Filename Main Module Size
AhnRpta.exe %Windir%\ahnrpta.exe 81,920 bytes

  • The following modules were loaded into the address space of other process(es):

Module Name Module Filename Address Space Details
softqq0.dll %System%\softqq0.dll Process name: explorer.exe
Process filename: %Windir%\explorer.exe
Address space: 0x1E80000 - 0x1EA8000
ansb10.dll %System%\ansb10.dll Process name: explorer.exe
Process filename: %Windir%\explorer.exe
Address space: 0x22A0000 - 0x22D1000
softqq0.dll %System%\softqq0.dll Process name: dllhost.exe
Process filename: %System%\dllhost.exe
Address space: 0x2530000 - 0x2558000
softqq0.dll %System%\softqq0.dll Process name: IEXPLORE.EXE
Process filename: %ProgramFiles%\internet explorer\iexplore.exe
Address space: 0x1500000 - 0x1528000
softqq0.dll %System%\softqq0.dll Process name: AhnRpta.exe
Process filename: %Windir%\ahnrpta.exe
Address space: 0x10000000 - 0x10028000
softqq0.dll %System%\softqq0.dll Process name: VMwareUser.exe
Process filename: %ProgramFiles%\vmware\vmware tools\vmwareuser.exe
Address space: 0x10000000 - 0x10028000
softqq0.dll %System%\softqq0.dll Process name: AhnRpta.exe
Process filename: %Windir%\ahnrpta.exe
Address space: 0x890000 - 0x8B8000

  • Notes:
    • %ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.

 

Registry Modifications
  • The following Registry Keys were created:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\NOD32KVBIT
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B03A4BE6-5E5A-483E-B9B3-C484D4B20B72}
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B03A4BE6-5E5A-483E-B9B3-C484D4B20B72}\InprocServer32
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B03A4BE6-5E5A-B9B3-483E-C484D4B20B72}
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C8414FA0-BA90-4600-B7EA-0CEFAF5A0636}
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C8414FA0-BA90-4600-B7EA-0CEFAF5A0636}\InprocServer32
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C8414FA0-BA90-4600-B7EA-0CEFAF5A0636}\ProgID
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C8414FA0-BA90-4600-B7EA-0CEFAF5A0636}\Programmable
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C8414FA0-BA90-4600-B7EA-0CEFAF5A0636}\VersionIndependentProgID
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\CurVer
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\CLSID
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C8414FA0-BA90-4600-B7EA-0CEFAF5A0636}
  • The newly created Registry Values are:
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\NOD32KVBIT]
      • KVBIT_2 = "xxxkkmm"
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B03A4BE6-5E5A-483E-B9B3-C484D4B20B72}\InprocServer32]
      • (Default) = "%System%\softqq0.dll"
      • ThreadingModel = "Apartment"
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B03A4BE6-5E5A-B9B3-483E-C484D4B20B72}]
      • VcbitExeModuleName = "[file and pathname of the sample #1]"
      • VcbitDllModuleName = "%System%\softqq0.dll"
      • VcbitSobjEventName = "CVBASDDOOPADSAMN_0"
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C8414FA0-BA90-4600-B7EA-0CEFAF5A0636}\VersionIndependentProgID]
      • (Default) = "IEHlprObj.IEHlprObj"
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C8414FA0-BA90-4600-B7EA-0CEFAF5A0636}\ProgID]
      • (Default) = "IEHlprObj.IEHlprObj.1"
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C8414FA0-BA90-4600-B7EA-0CEFAF5A0636}\InprocServer32]
      • (Default) = "%System%\ansb20.dll"
      • ThreadingModel = "Apartment"
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C8414FA0-BA90-4600-B7EA-0CEFAF5A0636}]
      • (Default) = "IEHlprObj Class"
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\CurVer]
      • (Default) = "IEHlprObj.IEHlprObj.1"
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj]
      • (Default) = "IEHlprObj Class"
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\CLSID]
      • (Default) = "{C8414FA0-BA90-4600-B7EA-0CEFAF5A0636}"
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1]
      • (Default) = "IEHlprObj Class"
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
      • {B03A4BE6-5E5A-483E-B9B3-C484D4B20B72} = "hook dll rising"
    • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
      • anhdo = "%System%\anhdo.exe"

      so that anhdo.exe runs every time Windows starts

 

Other details
  • Analysis of the file resources indicates the following possible country of origin:

China

  • An attempt to establish a connection with a remote host was recorded. The connection details are:

Remote Host Port Number
114.31.57.82 80

  • The data identified by the following URLs was then requested from the remote web server:
    • http://bebehouse.geniemom.com/images_old/board/play.txt
    • http://bebehouse.geniemom.com/images_old/board/copy.rar

 

 

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.


Copyright © 2010 ThreatExpert. All rights reserved.


Other posts in the 'Hacking' category

Java Applet Security Model  (0) 2010.04.23
SSH JAVA APPLET http://javassh.org/space/start  (1) 2010.04.23
Computer Security Consulting  (0) 2010.04.02
Update Snort  (0) 2010.03.04
BASE 2010.3.3. Wed  (1) 2010.03.04
Posted by CEOinIRVINE


Update Snort

Hacking 2010. 3. 4. 09:05
2010.3.3 Wed

Once Snort is installed, you need to install the Snort signature rules and keep them up to date.
Fortunately, there is a Perl script that does most of this work for us: Oinkmaster.

#apt-get install oinkmaster
Install or update the rules.

To download the Snort rules, we need to create a free account on the Snort website.
The Snort rules are made by Sourcefire and you can get them for free a few days after the commercial subscription release.

Once you are logged into your Snort account, you can get a code at the bottom of the page.


We need this code in the /etc/oinkmaster.conf file.

You need first to know which Snort version you have:

# snort -V
which generates the following output on our test machine:

,,_ -*> Snort! <*-
o" )~ Version 2.3.2 (Build 12)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/team.html
(C) Copyright 1998-2004 Sourcefire Inc., et al.


Modify the "url" settings in the /etc/oinkmaster.conf file as below:

url = http://www.snort.org/pub-bin/oinkmaster.cgi/yourcode_here/snortrules-snapshot-2.3.tar.gz
This will download the snortrules-snapshot-2.4.tar.gz file. The version number in the file name changes depending on the Snort version you have. (2.0, 2.1, 2.2, 2.3, 2.4)

If you have a 2.6.x Snort version, you need to configure the "url" setting as below:

url = http://www.snort.org/pub-bin/oinkmaster.cgi/yourcode_here/snortrules-snapshot-CURRENT.tar.gz
Let's create a backup folder.

#mkdir /etc/snort/backup
Let us now update the rules. We must be careful not to run oinkmaster as root, particularly if you are not in a test environment.
So let's add a user called oinkmaster.

#useradd oinkmaster
Change some permissions to let oinkmaster user run the oinkmaster software:

#chown -R oinkmaster /etc/snort/backup
#chown -R oinkmaster /etc/snort/rules
#chown -R oinkmaster /var/run/oinkmaster
#chmod 644 /etc/snort/snort.conf
Now, it's time to test the oinkmaster perl script under the oinkmaster user.

#su oinkmaster
oinkmaster#oinkmaster -o /etc/snort/rules -b /etc/snort/backup 2>&1
The last command runs the oinkmaster Perl script, writes the new rules to the /etc/snort/rules folder and, if the rule set changed, first backs up the current /etc/snort/rules into the /etc/snort/backup folder.

Here is an example of our backup folder after running oinkmaster:

#dir /etc/snort/backup
rules-backup-20060205-163627.tar.gz

The crontab

Since we are quite lazy, we don't want to manually run this script every day.
A little cron will help us.

crontab -e -u oinkmaster
30 00 * * * oinkmaster -o /etc/snort/rules -b /etc/snort/backup >> /dev/null 2>&1
This will update the rules each day at 00:30.
(The crontab command will update the /var/spool/cron/crontabs/oinkmaster file.)

crontab -e will open nano by default. If you want to open vi instead just type:
#export EDITOR=vi
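Before running the update, a few checks catch the mistakes this procedure invites. The script below is an added example, not part of the original post: it derives the expected snapshot file name from the snort -V banner, rejects a url line that still carries the yourcode_here placeholder or names the wrong snapshot, and refuses to run as root. The config path and the sample banner it feeds itself are constructed for the demo.

```shell
#!/bin/sh
# Pre-flight checks before running oinkmaster (added example, not from the original post).
# Assumes the tutorial's layout: an oinkmaster.conf with a "url = ..." line and a dedicated,
# unprivileged "oinkmaster" user. Paths and sample data below are constructed for the demo.

# Map a "snort -V" banner to the snapshot file the tutorial tells you to name in the url line:
# 2.0 to 2.4 use snortrules-snapshot-<major.minor>.tar.gz, 2.6.x uses snortrules-snapshot-CURRENT.tar.gz.
snapshot_for_banner() {
    ver=$(printf '%s\n' "$1" | sed -n 's/.*Version \([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' | head -n 1)
    case "$ver" in
        2.0|2.1|2.2|2.3|2.4) echo "snortrules-snapshot-${ver}.tar.gz" ;;
        2.6)                 echo "snortrules-snapshot-CURRENT.tar.gz" ;;
        '')                  echo "no version found in banner"; return 1 ;;
        *)                   echo "no snapshot rule for Snort ${ver}"; return 1 ;;
    esac
}

# Validate the url line of an oinkmaster.conf-style file: the oinkcode placeholder must have
# been replaced and the file name must match the snapshot expected for the installed Snort.
check_oink_url() {
    conf="$1"; expected="$2"
    url=$(sed -n 's/^[[:space:]]*url[[:space:]]*=[[:space:]]*//p' "$conf" | head -n 1)
    [ -n "$url" ] || { echo "no url line in $conf"; return 1; }
    case "$url" in
        *yourcode_here*) echo "oinkcode placeholder still present in $conf"; return 1 ;;
    esac
    case "$url" in
        */"$expected") return 0 ;;
        *) echo "url names $(basename "$url") but Snort needs $expected"; return 1 ;;
    esac
}

# The tutorial creates a dedicated user so that rule updates never run as root.
not_root() { [ "$(id -u)" -ne 0 ]; }

# Demo on constructed input: the banner from the post and a config that still has the placeholder.
demo() {
    banner='o" )~ Version 2.3.2 (Build 12)'
    expected=$(snapshot_for_banner "$banner") || return 1
    conf=$(mktemp)
    printf 'url = http://www.snort.org/pub-bin/oinkmaster.cgi/yourcode_here/%s\n' "$expected" > "$conf"
    if check_oink_url "$conf" "$expected"; then
        echo "config ok"
    else
        echo "fix the config before running oinkmaster"
    fi
    not_root || echo "do not run oinkmaster as root; su to the oinkmaster user first"
    rm -f "$conf"
}
demo
```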

Posted by CEOinIRVINE

BASE 2010.3.3. Wed

Hacking 2010. 3. 4. 09:03

BASE is a graphical interface written in PHP used to display the logs generated by the Snort IDS and sent into the database. It stands for Basic Analysis and Security Engine.
You can find the BASE website here: http://base.secureideas.net/



1. DOWNLOAD BASE:

Download the latest version.

We now have to uncompress the files and put them in the correct folder:

#tar -xvf base-1.4.4.tar.gz
#mv /home/user/Desktop/base-1.4.4 /var/www/base/


2. CONFIGURE BASE:

We need ADOdb (Active Data Objects Data Base) for BASE. ADOdb is a database abstraction library for PHP.
Information about ADOdb can be found here: http://adodb.sourceforge.net/

Download "ADOdb for PHP": http://adodb.sourceforge.net/#download
Again we now have to uncompress the files and put them in the correct folder:

#tar -xvf adodb504.tgz
#mv /home/user/Desktop/adodb /var/www/base
There are two ways to configure BASE:
Either you use a wizard or you change the config file by yourself.

A) Using the wizard

#chown -R www-data /var/www/base/
The change above will be needed to let the web server user (www-data) write in the BASE directory. Open a web browser and select the BASE directory:
http://localhost/base

Here you are entering a wizard:

Step 0: Check if everything is okay to begin the wizard.


Step 1: Language and path to ADOdb: /var/www/base/adodb/ .


Step 2: MySQL settings.


Step 3: BASE authentication settings.


Step 4: Create the MySQL database and tables (click on Create BASE AG).


B) Change the config file

It's not mandatory to use the wizard; you can do everything manually.
The first thing to do is to edit the file base_conf.php.dist.
Open base_conf.php.dist in the BASE directory and change the lines as shown below.

$DBlib_path = "./adodb";

$DBtype = "mysql";

$alert_dbname = "snort";
$alert_host = "localhost";
$alert_port = "";
$alert_user = "snortuser";
$alert_password = "snortpassword";

$archive_dbname = "snort";
$archive_host = "localhost";
$archive_port = "";
$archive_user = "snortuser";
$archive_password = "snortpassword";
Then you must rename the file from base_conf.php.dist to base_conf.php

#mv /var/www/base/base_conf.php.dist /var/www/base/base_conf.php
Second thing to do is to import the BASE MySQL tables into the snort database:

# mysql -u root -p snort < /var/www/base/sql/create_base_tbls_mysql.sql


3. CONNECT TO BASE:

Just access the BASE web link:
http://localhost/base
You will be prompted for a new password for the admin user.



4. BASE GRAPHS:

First we have to install the graphics library php5-gd for handling graphics directly from PHP scripts.

# apt-get install php5-gd
Then restart the apache webserver:

# /etc/init.d/apache2 restart
Second thing to do is to download three php PEAR libraries.
PEAR stands for "PHP Extension and Application Repository".

To download and install the libraries easily, the best thing to do is to install the php-pear package:

# apt-get install php-pear
Then we have to install the following packages:
Image_Graph, Image_color and Image_Canvas.

#pear install --force Image_Color
#pear install --force Image_Canvas
#pear install --force Image_Graph
Since there are some dependencies, you need to install the scripts in the order above.
Now, you have access to the graphs ...

Here are two typical error messages:

1 - Php5-gd is not installed:

PHP ERROR: PHP build incomplete: the prerequisite GD support required to generate graphs was not build into PHP. Please recompile PHP with the necessary library (--with-gd).

2 - Php-pear and/or its extensions are not installed correctly:

Error loading the Graphing library:
Check your Pear::Image_Graph installation!
Image_Graph can be found here:at http://pear.veggerby.dk/. Without this library no graphing operations can be performed.




5. BASE OPTIONAL SETTINGS:

To customize the BASE tool, edit /var/www/base/base_conf.php

There are two useful settings to activate:

A/ Enabling DNS resolution

$resolve_IP= 1;
B/ Enabling colored alerts
Strangely, when you use the wizard procedure the lines concerning the colored alerts seem to be lost.
So if you used the manual install procedure, just activate the $colored_alerts variable; if you used the wizard, copy the lines below into your base_conf.php file.

/**
* This option is used to set if BASE will use colored results
* based on the priority of alerts
* 0 : no
* 1 : yes
*/
$colored_alerts = 1;

// Red, yellow, orange, gray, white, blue
$priority_colors = array ('FF0000','FFFF00','FF9900','999999','FFFFFF','006600');

Posted by CEOinIRVINE

Snort IDS Installation

Hacking 2010. 3. 4. 08:59
2010.3.3.Wed

Download Snort and uncompress it.

#tar -xvf snort-2.8.3.3.tar.gz
Create two directories, one to store the configuration files, the other one to store the Snort rules.

#mkdir /etc/snort
#mkdir /etc/snort/rules
Copy the Snort configuration files inside the /etc/snort/ directory.

#cp snort-2.8.3.3/etc/* /etc/snort/
Copy two files inside our new /etc/snort/rules directory:
- classification.config: defines URLs for the references found in the rules.
- reference.config: includes information for prioritizing rules.

#cp snort-2.8.3.3/etc/classification.config /etc/snort/rules/
#cp snort-2.8.3.3/etc/reference.config /etc/snort/rules/
Create a user called snort to launch Snort:

#useradd snort -d /var/log/snort -s /bin/false -c SNORT_IDS
Create a log directory owned by the snort user:

#mkdir /var/log/snort
#chown -R snort /var/log/snort
First use the "configure" command to check the dependencies and prepare Snort to be compiled with MySQL support.

#cd snort-2.8.3.3
#./configure --with-mysql
If you installed all the dependencies correctly, the "configure" command must end without any error!
If you get an error message, see below.

Then we compile and install Snort.

#make
#checkinstall
See the CheckInstall page for more details about this command.
Below is the output on our test system:

checkinstall 1.6.0, Copyright 2002 Felipe Eduardo Sanchez Diaz Duran
This software is released under the GNU GPL.

*****************************************
**** Debian package creation selected ***
*****************************************

This package will be built according to these values:

0 - Maintainer: [ root@ubuntu ]
1 - Summary: [ Package created with checkinstall 1.6.0 ]
2 - Name: [ snort ]
3 - Version: [ 2.6.1.3 ]
4 - Release: [ 1 ]
5 - License: [ GPL ]
6 - Group: [ checkinstall ]
7 - Architecture: [ i386 ]
8 - Source location: [ snort-2.6.1.3 ]
9 - Alternate source location: [ ]
10 - Requires: [ ]

Error messages you can get after the "./configure --with-mysql" command:

Build-essential is not installed

root@ubuntu:/home/po/Desktop/snort-2.6.1.3# ./configure --with-mysql
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for gawk... no
checking for mawk... mawk
checking whether make sets $(MAKE)... no
checking whether to enable maintainer-specific portions of Makefiles... no
checking for style of include used by make... none
checking for gcc... no
checking for cc... no
checking for cc... no
checking for cl... no
configure: error: no acceptable C compiler found in $PATH
See `config.log' for more details.


Libnet1-dev is not installed

ERROR! Libpcap library/headers not found, go get it from
http://www.tcpdump.org
or use the --with-libpcap-* options, if you have it installed
in unusual place


Libpcap0.8-dev is not installed

ERROR! Libpcap library/headers not found, go get it from
http://www.tcpdump.org
or use the --with-libpcap-* options, if you have it installed
in unusual place


Libpcre3-dev is not installed

ERROR! Libpcre header not found, go get it from
http://www.pcre.org


Libmysqlclient12-dev is not installed

**********************************************
ERROR: unable to find mysql headers (mysql.h)
checked in the following places
/usr/include
/usr/include/mysql
/usr/local/include
/usr/local/include/mysql
**********************************************



2 - CONFIGURE THE SQL DATABASE

Add a password for the MySQL root user:

#mysqladmin -u root password new_root_password
Create the MySQL database and tables in order to receive the Snort logs:

#mysql -u root -p
>create database snort;
Since it is dangerous to access the database with the root user, we need to create a user who has only permissions on the snort database:

>grant all on snort.* to snortuser@localhost identified by 'snortpassword';
Reload the MySQL privileges:

>flush privileges;
>exit;
Now we have to create the tables inside the snort database.
Fortunately the table definitions already exist; we just have to find them and import them into the SQL server:

Packaged installation

Find the tables: dpkg -L snort-mysql
We are looking for the create_mysql.gz file, it is normally located in the /usr/share/doc/snort-mysql folder.
Then we have to unzip the file:

#gzip -d /usr/share/doc/snort-mysql/create_mysql.gz
Import the MySQL tables:

#mysql -u root -p snort < /usr/share/doc/snort-mysql/create_mysql
Manual installation

#mysql -u root -p snort < schemas/create_mysql



3 - CONFIGURE SNORT FOR SQL

We now have to forward the logs into the MySQL database.
This is already set up by installing the snort-mysql package; we only need to configure the username and password used to access the snort database.
In the /etc/snort/snort.conf file, we have to change the line between (#DBSTART#) and (#DBEND#):

output database: log, mysql, user=snortuser password=snortpassword dbname=snort host=localhost
Always in the same file, uncomment the following lines:

ruletype redalert
{
type alert
output alert_syslog: LOG_AUTH LOG_ALERT
output database: log, mysql, user=snortuser password=snortpassword dbname=snort host=localhost
}
Let's start Snort!

snort -u snort -c /etc/snort/snort.conf
This starts Snort under the snort user with the configuration stored in the /etc/snort/snort.conf file. For security reasons it is always better not to run programs as root.

If you see the Snort banner, it means that Snort is correctly loaded, if not, carefully read the error message.

We have to add a line inside the /etc/crontab file to start Snort automatically after a reboot:

@reboot root snort -u snort -c /etc/snort/snort.conf >> /dev/null
The first part of the tutorial is over!
This means Snort should be installed along with the programs needed to support it. Next we need to read the logs generated by Snort and forwarded into the MySQL database; for this we will use the BASE PHP script and follow its tutorial.
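The snort.conf now holds the database credentials, so it is worth checking the output database lines and the file's permissions before starting Snort. The script below is an added example, not part of the original tutorial: it parses each output database line, fails when the user is root or the host is not the local one the grant was made for, and flags a world-readable snort.conf. The sample config it writes is constructed.

```shell
#!/bin/sh
# Audit the "output database:" lines of a snort.conf (added example, not from the original tutorial).
# Assumes the line format the tutorial uses:
#   output database: log, mysql, user=snortuser password=snortpassword dbname=snort host=localhost
# The sample config written by demo() is constructed for this example.

# Print the parameter part of every active "output database:" line (commented lines are skipped).
db_output_lines() {
    sed -n 's/^[[:space:]]*output[[:space:]]*database:[[:space:]]*//p' "$1"
}

# Extract one key=value field from a parameter string; prints nothing when the key is absent.
db_field() {
    printf '%s\n' "$1" | tr ' ,' '\n\n' | sed -n "s/^$2=//p" | head -n 1
}

# Return 0 when every output database line uses a non-root user and a local host. The tutorial
# grants snortuser@localhost only, so any other user/host pairing is a misconfiguration.
check_db_output() {
    conf="$1"; n=0; bad=0
    lines=$(mktemp)
    db_output_lines "$conf" > "$lines"
    while IFS= read -r params; do
        n=$((n + 1))
        user=$(db_field "$params" user)
        host=$(db_field "$params" host)
        if [ -z "$user" ] || [ "$user" = "root" ]; then
            echo "output database line $n: user '$user' (use the dedicated snort-only account)"
            bad=$((bad + 1))
        fi
        if [ "$host" != "localhost" ] && [ "$host" != "127.0.0.1" ]; then
            echo "output database line $n: host '$host' (snortuser is granted for localhost only)"
            bad=$((bad + 1))
        fi
    done < "$lines"
    rm -f "$lines"
    [ "$n" -gt 0 ] && [ "$bad" -eq 0 ]
}

# snort.conf carries the database password in clear text, so the "other" permission bits
# must be zero; a 644 file lets every local account read the credentials.
check_conf_mode() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in
        *0) return 0 ;;
        *)  return 1 ;;
    esac
}

# Demo on a constructed snort.conf fragment: one commented-out root line, two valid lines.
demo() {
    conf=$(mktemp)
    cat > "$conf" <<'EOF'
# constructed snort.conf fragment for the demo
#output database: log, mysql, user=root password=secret dbname=snort host=localhost
output database: log, mysql, user=snortuser password=snortpassword dbname=snort host=localhost
ruletype redalert
{
type alert
output alert_syslog: LOG_AUTH LOG_ALERT
output database: log, mysql, user=snortuser password=snortpassword dbname=snort host=localhost
}
EOF
    chmod 644 "$conf"
    if check_db_output "$conf"; then echo "output database lines ok"; fi
    if check_conf_mode "$conf"; then echo "permissions ok"; else echo "config is world-readable; use mode 640"; fi
    rm -f "$conf"
}
demo
```

The Update Snort post above sets snort.conf to 644 so that the oinkmaster user can read it; mode 640 with the file's group set to that user gives the same access without exposing the password to every local account.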

Posted by CEOinIRVINE

TMAC V5 R3 MAC CHANGE

Hacking 2009. 11. 20. 10:31

Posted by CEOinIRVINE

d3d9 coding

Hacking 2009. 11. 5. 07:55
http://www.gamerzplanet.net/forums/soldier-front-hack-downloads/337656-d3d-coding-s-43.html

Posted by CEOinIRVINE

Hacking

2009. 10. 28. 01:46 by CEOinIRVINE

This post is protected.
Enter the password to view its contents.


Ethereal : Capturing the traffic http://www.ethereal.com/distribution/win32/
Nikto : Comprehensive tests against web servers for multiple vulnerabilities http://www.cirt.net/nikto2
Nessus : Remote vulnerability scanner/fingerprinting the OS http://www.nessus.org/nessus/
Winhex : Check Memory Contents http://www.winhex.com/winhex/index-m.html
WebScarab : Web proxy: http://www.owasp.org/index.php/Category:OWASP_Project

Posted by CEOinIRVINE

How much does a penetration test cost?

The cost of a pen test depends on the skill of the testers you engage and the size of the application.

Having said that, we have seen wide variation in pricing – from $5,000 to $50,000. And the higher prices don’t always mean higher quality.

At Plynt, we constantly strive to reduce our costs and pass on part of those benefits to you. Drop us a mail or contact me to get a quote for a security test.

Posted by CEOinIRVINE