[3] Snort Configuration : Refinement, posted 2008.10.14 by CEOinIRVINE

Rule Refinements

This section is the fun part of tweaking specific rules to match your environment. We recommend a regular strategy of nosing through your Snort output. As time passes, the composition of your network changes, and the minefield of vulnerabilities expands.

Trimming the fat

Likely the first refinement that any IDS guru recommends, almost to the point of being a broken record, is to reduce your false positives by stripping the dead wood from your rules files.

We recommend that you sit down with a map of your network and a list of your network-connected assets (operating systems and exposed services are the most critical) and build a table of your computer resources that can be attacked. From there you comment out those rules that just don’t matter. If you have ten Windows NT servers running MS Project Server and nothing else, there’s little need for a thousand Linux/Unix rules.

Commenting out unneeded rules is a simple matter: Just edit the file containing the rule and place a “#” before the first character of the rule type (generally “alert”).

Chapter 9 includes more tuning methods that reduce false positives and the reasons why removing the extra noise keeps your Snort a-snorting.

Making adjustments

Small changes to the rules files of your setup can keep your Snort installation running at peak efficiency. By refining the rules that you are already running with Snort, you generate better reports, waste less time reviewing them, and react faster.

 Warning   Before editing any Snort rule file, it’s highly recommended that you do the following:

  • Always make a backup of that rule file.

  • Make sure that you use a plain text editor that doesn’t add any funky formatting or characters when you save the file. The vi program in Linux and Notepad in Windows are good examples.

Start by finding a rule that can use some tweaking. Maybe this DNS rule was misclassed:

alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"DNS SPOOF query response 
PTR with TTL\: 1 min. and no authority"; content:"|85800001000100000000|"; content:
"|c00c000c00010000003c000f|"; classtype:bad-unknown; sid:253; rev:2;)

Out of the box, it’s classified as a “bad-unknown” alert. Maybe it should be reclassified as a reconnaissance or information probe, consistent with an “attempted-recon” tag. To change the rule, just edit the dns.rules (the file that contains the rule we’re modifying) and change it to something like

alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"DNS SPOOF query response 
PTR with TTL\: 1 min. and no authority"; content:"|85800001000100000000|"; content:
"|c00c000c00010000003c000f|"; classtype:attempted-recon; sid:253; rev:3;)

 Technical Stuff  We bumped up the revision number to 3 so that another person can see that something’s changed.

 Tip  If you plan on making lots of changes to the base rules that come with Snort, keep a local backup copy of the original version outside of the directory that Snort uses to manage its configuration. If you upgrade Snort without keeping copies of all your custom tweaking, you may accidentally overwrite the whole lot with one punch of the enter key!
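The refinement steps above (back up the file, comment out a rule by sid, change its classtype and bump the rev) as an added example script; this is not code from the book or the blog. It assumes one rule per line, as in the shipped rules files, and the sample rules text is constructed here from rules quoted on this page.

```python
import re
import shutil
from pathlib import Path
from typing import Callable, Iterable

# Assumption: one Snort rule per line (the wrapped rules printed in this
# chapter are single lines in the actual rules files).
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
REV_RE = re.compile(r"\brev:\s*(\d+)\s*;")
CLASSTYPE_RE = re.compile(r"\bclasstype:\s*([A-Za-z0-9_-]+)\s*;")

# Constructed sample rules file: the dns.rules entry from this page plus an
# abridged copy of the ssh CRC32 rule quoted later in the chapter.
SAMPLE_RULES = (
    'alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"DNS SPOOF query response '
    'PTR with TTL\\: 1 min. and no authority"; content:"|85800001000100000000|"; '
    'content:"|c00c000c00010000003c000f|"; classtype:bad-unknown; sid:253; rev:2;)\n'
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32 overflow '
    'filler"; classtype:shellcode-detect; sid:1325; rev:3;)\n'
)


def rule_sid(line: str):
    """Return the sid of an active rule line; None for comments and blanks."""
    if not line.strip() or line.lstrip().startswith("#"):
        return None
    m = SID_RE.search(line)
    return int(m.group(1)) if m else None


def disable_rules(text: str, sids: Iterable[int]) -> str:
    """Comment out ('#' in front of 'alert') every rule whose sid is listed.
    Rules that are already commented out are left untouched."""
    wanted = set(sids)
    out = []
    for line in text.splitlines():
        if rule_sid(line) in wanted:
            line = "#" + line
        out.append(line)
    return "\n".join(out) + "\n"


def reclassify(text: str, sid: int, classtype: str) -> str:
    """Change one rule's classtype and bump its rev so the edit is visible."""
    out, found = [], False
    for line in text.splitlines():
        if rule_sid(line) == sid:
            if not (CLASSTYPE_RE.search(line) and REV_RE.search(line)):
                raise ValueError(f"sid {sid}: rule lacks classtype or rev")
            line = CLASSTYPE_RE.sub(f"classtype:{classtype};", line)
            line = REV_RE.sub(lambda m: f"rev:{int(m.group(1)) + 1};", line)
            found = True
        out.append(line)
    if not found:
        raise ValueError(f"sid {sid} not found")
    return "\n".join(out) + "\n"


def edit_rules_file(path: Path, transform: Callable[[str], str]) -> Path:
    """Copy the file to <name>.bak first, then rewrite it. Returns the backup."""
    backup = path.with_name(path.name + ".bak")
    shutil.copy2(path, backup)
    path.write_text(transform(path.read_text()))
    return backup


if __name__ == "__main__":
    print(reclassify(SAMPLE_RULES, 253, "attempted-recon"))
```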

Building a rule from whole cloth

In some cases, a new rule is needed. Situations that might require a new rule include:

  • Some sort of odd behavior on the network has been noticed: Maybe an abnormal amount of data is transferred on the network after hours, or a particular server is rebooting for no apparent reason. An investigation begins to determine what these oddities mean, and based on captured network data, you can create a rule that matches the odd event.

  • A new attack hits the Internet. There are no existing Snort rules that match the attack, so you decide to create a rule on your own.

 Tip  For almost all configurations, the standard set of rules (if regularly updated) can be just what the doctor ordered. The need to build a whole rule from scratch isn’t an everyday occurrence.

Here’s a real-world situation that we can use as an example. While on-site at a customer’s facility, we heard that its network was acting irrationally and that the customer needed our help in isolating the cause of it. After an hour of tracking back a huge amount of network bandwidth coming from two workstation computers, we found that they were infected with some sort of virus. We diagnosed a virus by running a packet sniffer and capturing all of those workstations’ network communications.

All of that techno-sleuthing work we did can be best summarized into a packet capture, or at least a fair approximation of one. What follows is a snippet of what we were looking at:

15:30:05.000913 10.3.232.38.1522 > 192.168.4.81.1434: udp 376

0x0000   4500 0194 bec2 0000 6d11 d406 d963 055d        E.......m....c.]
0x0010   d8ab 0224 1069 059a 0180 6b52 0401 0101        ...$.i....kR....
0x0020   0101 0101 0101 0101 0101 0101 0101 0101        ................
0x0030   0101 0101 0101 0101 0101 0101 0101 0101        ................
0x0040   0101 0101 0101 0101 0101 0101 0101 0101        ................
0x0050   0101 0101 0101 0101 0101 0101 0101 0101        ................
0x0060   0101 0101 0101 0101 0101 0101 0101 0101        ................
0x0070   0101 0101 0101 0101 0101 0101 01dc c9b0        ................
0x0080   42eb 0e01 0101 0101 0101 70ae 4201 70ae        B.........p.B.p.
0x0090   4290 9090 9090 9090 9068 dcc9 b042 b801        B........h...B..
0x00a0   0101 0131 c9b1 1850 e2fd 3501 0101 0550        ...1...P..5....P
0x00b0   89e5 5168 2e64 6c6c 6865 6c33 3268 6b65        ..Qh.dllhel32hke
0x00c0   726e 5168 6f75 6e74 6869 636b 4368 4765        rnQhounthickChGe
0x00d0   7454 66b9 6c6c 5168 3332 2e64 6877 7332        tTf.llQh32.dhws2
0x00e0   5f66 b965 7451 6873 6f63 6b66 b974 6f51        _f.etQhsockf.toQ
0x00f0   6873 656e 64be 1810 ae42 8d45 d450 ff16        hsend....B.E.P..
0x0100   508d 45e0 508d 45f0 50ff 1650 be10 10ae        P.E.P.E.P..P....
0x0110   428b 1e8b 033d 558b ec51 7405 be1c 10ae        B....=U..Qt.....
0x0120   42ff 16ff d031 c951 5150 81f1 0301 049b        B....1.QQP......
0x0130   81f1 0101 0101 518d 45cc 508b 45c0 50ff        ......Q.E.P.E.P.
0x0140   166a 116a 026a 02ff d050 8d45 c450 8b45        .j.j.j...P.E.P.E
0x0150   c050 ff16 89c6 09db 81f3 3c61 d9ff 8b45        .P........<a...E
0x0160   b48d 0c40 8d14 88c1 e204 01c2 c1e2 0829        ...@...........)
0x0170   c28d 0490 01d8 8945 b46a 108d 45b0 5031        .......E.j..E.P1
0x0180   c951 6681 f178 0151 8d45 0350 8b45 ac50        .Qf..x.Q.E.P.E.P
0x0190   ffd6 ebca                                      ....

That same sequence of bytes was being repeated ad nauseam by the two busted computers. What we didn’t know at the time was that a new worm outbreak had just started to infest the Internet. What we were seeing with that hex dump was the MS-SQL worm (also known as Slammer) in its replication stage. To bandage the situation, we unplugged the two offending computers and ran to our Snort installation, where we chopped a few bytes out of this trace to build a signature and ultimately a Snort rule to catch any more of these instances.

To illustrate, here’s a string of 16 bytes that can represent this novel worm:

c050 ff16 89c6 09db 81f3 3c61 d9ff 8b45

The row at offset 0x0150 is the segment that was made into the signature. Now, on to the fun part of making a Snort rule out of that gunk! The first goal is to build an appropriate header. A review of the first line of the trace dump gives all the network information you need to construct a header.

15:30:05.000913 10.3.232.38.1522 > 192.168.4.81.1434: udp 376

Table 8-6 identifies the meaning of each of the preceding line’s component elements.

Table 8-6: Components of Packet Trace

  Description             Value
  Time packet was sent    15:30:05.000913
  Source address          10.3.232.38
  Source port             1522
  Destination address     192.168.4.81
  Destination port        1434
  Protocol                UDP
  Packet size (bytes)     376

All that’s needed from Table 8-6 are the protocol and the destination port. The source IP address, source port, and destination IP address show up differently when coming from and going to different systems. Remember, we’re looking for new instances of this worm, not the infected systems we already know about. Coupled with the signature that was scissored from that big block of packet data, that’s the complete makings of a fledgling Snort rule. All the pieces fit together like this:

alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"New MSSQL Worm A-Multiplyin'";
 content:"|c050 ff16 89c6 09db 81f3 3c61 d9ff 8b45|"; sid:1000001; rev:1;)

 Technical Stuff  The preceding example highlights the following best practices in creating a Snort rule:

  • We followed the path of the good Snort administrator and gave the rule a Snort ID in the 1,000,000-and-up range reserved for custom rules.

  • The revision is marked as 1, meaning that this attempt was our first at drafting a rule to achieve the wanted results.

After testing, if our signature isn’t right or other elements need tweaking, we can make the changes and increase the rev number to reflect the changes.
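The whole procedure above, from the tcpdump summary line and hex rows to the finished rule, as an added example that is not part of the book or the blog: it parses the trace format, cuts the 16 bytes at offset 0x0150 into a pipe-bookended content string, and builds the header from protocol and destination port only. The three-row excerpt of the dump is constructed here from the rows printed above; a real capture carries every row.

```python
import re

# Constructed excerpt of the trace shown above: the summary line plus three
# of its hex rows (offsets are the tcpdump byte offsets).
SUMMARY_LINE = "15:30:05.000913 10.3.232.38.1522 > 192.168.4.81.1434: udp 376"
HEX_ROWS = """\
0x0140   166a 116a 026a 02ff d050 8d45 c450 8b45        .j.j.j...P.E.P.E
0x0150   c050 ff16 89c6 09db 81f3 3c61 d9ff 8b45        .P........<a...E
0x0160   b48d 0c40 8d14 88c1 e204 01c2 c1e2 0829        ...@...........)
"""

SUMMARY_RE = re.compile(
    r"^(?P<time>\S+)\s+(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s+(?P<proto>\w+)\s+(?P<size>\d+)$"
)
ROW_RE = re.compile(r"^\s*0x(?P<off>[0-9a-fA-F]+):?\s+(?P<rest>.*)$")


def parse_summary(line: str) -> dict:
    """Pull the Table 8-6 fields out of the tcpdump summary line."""
    m = SUMMARY_RE.match(line)
    if not m:
        raise ValueError("not a tcpdump summary line")
    fields = m.groupdict()
    for key in ("sport", "dport", "size"):
        fields[key] = int(fields[key])
    return fields


def parse_hex_rows(dump: str):
    """Rebuild payload bytes from tcpdump -x style rows.

    Returns (offset of the first row, bytes). Rows must be contiguous; a gap
    or a reordered row raises rather than yielding a wrong signature.
    """
    base, buf = None, bytearray()
    for line in dump.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        off = int(m.group("off"), 16)
        if base is None:
            base = off
        if off != base + len(buf):
            raise ValueError(f"row 0x{off:04x} is not contiguous")
        row = bytearray()
        for tok in m.group("rest").split():
            # Hex words are 2 or 4 digits and a row holds at most 16 bytes;
            # anything else is the ASCII column, which ends the row.
            if len(row) >= 16 or not re.fullmatch(r"(?:[0-9a-fA-F]{2}){1,2}", tok):
                break
            row += bytes.fromhex(tok)
        buf += row
    if base is None:
        raise ValueError("no hex rows found")
    return base, bytes(buf)


def signature(dump: str, at: int, length: int) -> str:
    """Cut `length` bytes at absolute offset `at` and render them as a Snort
    hex content string: pipe bookends, one two-digit group per byte."""
    base, payload = parse_hex_rows(dump)
    start = at - base
    if start < 0 or start + length > len(payload):
        raise ValueError("signature window lies outside the captured rows")
    return "|" + " ".join(f"{b:02x}" for b in payload[start:start + length]) + "|"


def build_rule(summary: dict, content: str, msg: str, sid: int, rev: int = 1) -> str:
    """Header from protocol and destination port only (the hosts change from
    infection to infection); body from the cut signature. Custom sids must
    sit above 1,000,000 so rule updates cannot collide with them."""
    if sid <= 1_000_000:
        raise ValueError("custom rules need sid > 1,000,000")
    return (
        f'alert {summary["proto"]} $EXTERNAL_NET any -> $HOME_NET {summary["dport"]} '
        f'(msg:"{msg}"; content:"{content}"; sid:{sid}; rev:{rev};)'
    )


def worm_rule() -> str:
    sig = signature(HEX_ROWS, 0x0150, 16)
    return build_rule(parse_summary(SUMMARY_LINE), sig, "New MSSQL Worm A-Multiplyin'", 1000001)


if __name__ == "__main__":
    print(worm_rule())
```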

Posted by CEOinIRVINE

[2] Snort Configuration : Rule Installation, posted 2008.10.14 by CEOinIRVINE

Rule Installation

Snort comes with more than enough rules to satiate your diet. We’re always surprised to learn about new rules that inventive people have made from all over the world; many have been added to the public domain.

Our goal in building a well-tuned IDS installation is to first enable most, if not all, of the rules that come with Snort. This enabling produces a ton of output (most is likely irrelevant to your network environment), but it gives you a great introduction to the type and frequency of the alerts pounding on your front door. From there, tuning Snort is like Goldilocks faced with her choices: Start with the bed that’s way too big and then keep refining until it’s “jusssst right.”

This section delves into those messy-looking rules files.

How the rules files are organized

Snort’s rules directory sorts hundreds of rules into rules files according to their purpose. Although the rules are cataloged a few different ways and some of the rule categories have overlapping domains, there’s certainly a method to the madness.

Rules files fit into eight major categories:

  • Low-level protocols (icmp, netbios, tcp, udp)

  • High-level protocols (http, ftp, dns, pop3, imap)

  • Web server specific (web-attack, web-cgi, web-client)

  • Exploit specific (shellcode, backdoor, exploit)

  • Service impacting (dos, ddos)

  • Policy specific (policy, info, misc, porn)

  • Scanning and probing activities (scan, bad-traffic)

  • Viruses, worms, and other malware (virus)

An in-depth rule structure

The best way to find out how the whole rule system works is to get your hands dirty with a typical example:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"WEB-IIS CodeRed v2 root.exe access"; flow:to_server,established; 
uricontent:"/root.exe"; nocase; classtype:web-application-attack; 
reference:url,www.cert.org/advisories/CA-2001-19.html; sid:1256; rev:7;)

This rule demonstrates many of the options that you’re likely to encounter with your own setup. We picked the Code Red worm alert from the web-iis.rules file as our starting point.

 Tip  Here’s a piece-by-piece explanation of that Code Red worm rule, which appeared earlier in this section:

  • The alert directive (the first word of the following alert snippet) tells Snort that if the packet matches this rule, then the rule should send its output through the alert facility.

    alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS...

    The overwhelming majority of Snort’s rules use the alert facility, although optionally, you can use the log facility. Chapter 6 explains the difference between these two facilities.

  • The tcp keyword is an argument that identifies which network protocol the rule applies to. The following alert snippet shows the tcp keyword as the second word:

    alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS...

    Because the tcp keyword is specified, Snort knows to match this rule only to network traffic using the TCP protocol (other protocols, such as UDP, will be ignored).

  • The network source and destination arguments are the part that follows the protocol in the following statement:

    alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS...

    The preceding network source and destination arguments (including port numbers) tell Snort to alert on any traffic that is both

    • From the $EXTERNAL_NET on any port

    • To any of our Web servers on the defined Web ports.

     Technical Stuff  The network source and destination arguments use the variables established at the beginning of the snort.conf file (the arguments beginning with the $). These substitutions provide convenience and readability for managing a large collection of rules, which can easily top a few thousand entries.

  • The last part of the rule gets even more granular with information the rule should match on, as well as what Snort should do if the rule does match. The following snippet shows what this looks like:

    (msg:"WEB-IIS CodeRed v2 root.exe access"; flow:to_server,established; 
    uricontent:"/root.exe"; nocase; classtype:web-application-attack; reference:url,
    www.cert.org/advisories/CA-2001-19.html; sid:1256; rev:7;)

    A few other tests tucked away in that last section must be passed before an alert is generated. The flow: and uricontent: keywords further refine the rule. In this case, if the URI (Uniform Resource Identifier) contains the text "/root.exe", the flow option confirms that the connection is going to the server and is already established, and the destination is an IP listed in the var HTTP_SERVERS section of your snort.conf, then an alert is generated with the message "WEB-IIS CodeRed v2 root.exe access".

    Snort also identifies the type of attack by classifying it as a "web-application-attack." It further identifies the exact nature of the alert by setting the "sid" (Snort IDentification) field to 1256. Sids are unique identifiers to Snort. They can nail down an offense to exactly one alert. The reference: keyword provides a log entry regarding any other information that’s known about the nature of the attack. References are often URLs to security-related Web sites, such as CERT, Whitehats, or SecurityFocus, which provide advisories on what the attack is and how to patch for it (if possible). In our Code Red example, we point to the CERT Web site with the following URL:

    http://www.cert.org/advisories/CA-2001-19.html

Figure 8-1 shows a graphical overview of how a Snort rule is laid out. In it, you see many of the bits and pieces of a rule.

Figure 8-1: The Snort rules layout.

Flow or direction operators represent how traffic is traversing the network. Their use is pretty straightforward:

  • The -> operator tells Snort that the network on the left should be regarded as the source, and the one on the right should be the destination.

     Technical Stuff  There isn’t a <- operator. All instances that would use it are written by flip-flopping the arguments around the -> operator.

  • The <> operator will match any traffic between the network on the left and the network on the right, regardless of which network originated the traffic.

     Warning   The directionless operator (<>) can sometimes cause a bit of confusion with its use. It seems to make sense that you would inspect traffic flowing both ways from one computer or network to another, but that inspection happens infrequently. Most Snort rules look something like this:

    $EXTERNAL_NET any -> (internal host / port)

    A rule that matches too broadly (which the preceding rule would do if it contained <>) produces a huge Snort log and unduly burdens the processing engine as it inspects everything that passes by.

Elements of the rule header

Sifting through the directory of rules shows that all the rules contain header information, though most have a jumble of different items in their bodies. The header is just a front-end filter that separates out traffic by using five key sifting factors: source IP address, destination IP address, source port, destination port, and protocol.

Rule actions

Snort comes built-in with five different rule actions. Each gives you a lot of power in building your arsenal.

 Tip  Before changing the default behavior of your Snort rules, spend some time watching it operate in your environment and use its output to help you reduce noisy false positives.

Here are Snort’s five rule actions:

  • The log action merely logs the offending packets to the output logging that we set up when the Snort sensor was configured. The output plug-ins options are many and varied, giving you a rich set of choices. A per-rule log directive lets you customize logging down to a remarkable level.

  • The alert action can print a log entry and post a notification when some event is associated with a higher priority and probably needs a personal touch.

     Technical Stuff  The alert action is the default action for most rules that come with Snort. Snort’s job, after all, is to alert us of an attack on our network!

  • The pass action can ignore a matched packet and continue processing.

    The pass action is useful when you’re tuning your rules and need to disable some of the noisier ones so that you can actually see the output of what you’re working with.

  • The most powerful of the Snort actions is the activate keyword. Activate operates in concert with the dynamic action by triggering an alert and running what’s specified by the associated dynamic rule.

     Technical Stuff  The activate/dynamic pair is ideal for catching a complex series of attacks that may otherwise go unnoticed.

  • The dynamic action is associated with a rule that shouldn’t run until another event is encountered. You combine the dynamic action with the activate action to set up a second level of processing in certain circumstances.

     Technical Stuff  The activate/dynamic pair isn’t often used in common Snort setups, but it can be a handy tool for advanced intrusion detection.

Protocols

Snort, as a network IDS, must operate on the lowest level of the network to do its job. Snort grabs Ethernet frames directly from the wire. Inside of those frames are the four protocols that the free version of Snort normally scans: IP, ICMP, TCP, and UDP.

 Technical Stuff  Snort’s developers are attempting to include other protocols, such as HTTP, 802.11, and ARP. The keywords for building your rules should include only one of the original four.

For example, let’s say employees aren’t allowed to use the eBay auction Web site on the job. A particular employee has been reprimanded for spending hours browsing eBay, and HR wants to monitor his behavior. The following rule logs all Web traffic that contains ebay.com coming from the host 192.168.1.18 with the message eBaying:

log tcp 192.168.1.18/32 any -> any 80 (msg:"eBaying"; uricontent:"ebay.com";)

Source/destination

The last part of a well-formed Snort rule is probably the most important piece of configuration data: The two IP address ranges that are involved with the communication. The source and destination networks are identified in a rule that takes this form:

(source network) (port) -> (destination network) (port)

 Tip  CIDR (Classless Inter Domain Routing) notation is used for the network arguments. CIDR notation is that funny way of expressing an IP address using a / and another number — for example, 10.35.24.0/24, which means a Class C network of 254 hosts on network 10.35.24.0 (plus the first and last addresses that are reserved for the network address and the broadcast address, namely 10.35.24.0 and 10.35.24.255).

For the Snort rules files, you really deal with only two types of entries:

  • Networks (which contain a /)

  • Hosts (which omit /)

    Omitting / is a shorthand way of saying, "Just the single IP address, if you please." For example, the address 10.35.24.66 indicates just one host for matching against.

You can also enter ranges of port numbers, similar to ranges of IP addresses. Most of the examples that we cover in this chapter are single ports, such as 80 for the Web port, 443 for the encrypted Web port, and 25 for sendmail. The entire range of available ports extends from 0 to 65535.

For a range of ports, you just place a colon between the two ports. The following rule looks for any traffic containing “ebay.com” occurring on any TCP port between 1 and 1023.

log tcp 192.168.1.18/32 any -> any 1:1023 (msg:"eBaying"; uricontent:
"ebay.com";)

You can also include the maximum and minimum ports ranges by simply leaving off a number. For example :1023 means a range of ports from 0–1023, and 1024: refers to a range of 1024–65535.

Wildcards

Wildcards simplify rules. Wildcards work just like those “splat” asterisks that you can type into a DOS window or Unix shell to list only certain files. In Snort, the any keyword is the most powerful wildcard — and it’s all over the place. You’re allowed to use the any wildcard in both the network and port configurations: any matches everything for the category you placed it in.

 Tip  In the preceding section, we used the any wildcard in a couple of places. When the host 192.168.1.18 tries to start a communication on any port with any host on ports 1–1023 with the text "ebay.com" as part of a URI, then . . . bingo! That’s a match, and the message eBaying appears in the logs.
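The header filters described in the last few sections (the -> and <> direction operators, CIDR networks versus bare hosts, single ports, colon ranges with an open end, and the any wildcard) as an added example matcher in Python; this is not the book's or the blog's code. The snort.conf variable values are constructed stand-ins, and the packet tuples in the test are constructed.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed stand-ins for the var lines at the top of snort.conf.
SNORT_VARS = {
    "$HOME_NET": "192.168.1.0/24",
    "$EXTERNAL_NET": "any",
    "$HTTP_PORTS": "80",
}

HEADER_RE = re.compile(
    r"^\s*(?P<action>alert|log|pass|activate|dynamic)\s+(?P<proto>ip|icmp|tcp|udp)\s+"
    r"(?P<src>\S+)\s+(?P<sports>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dports>\S+)"
)

PortRange = Tuple[int, int]


def parse_ports(spec: str) -> PortRange:
    """'any' -> 0-65535; '80' -> one port; '1:1023'; ':1023' -> 0-1023;
    '1024:' -> 1024-65535. Returns an inclusive (low, high) pair."""
    if spec == "any":
        return (0, 65535)
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        rng = (int(lo) if lo else 0, int(hi) if hi else 65535)
    else:
        port = int(spec)
        rng = (port, port)
    if not 0 <= rng[0] <= rng[1] <= 65535:
        raise ValueError(f"bad port range {spec!r}")
    return rng


def parse_net(spec: str):
    """'any' matches everything (None); '10.35.24.0/24' is a network; a bare
    address with no '/' is just that one host, i.e. a /32."""
    if spec == "any":
        return None
    return ipaddress.ip_network(spec, strict=False)


@dataclass
class RuleHeader:
    action: str
    proto: str
    src_net: Optional[ipaddress.IPv4Network]
    src_ports: PortRange
    direction: str
    dst_net: Optional[ipaddress.IPv4Network]
    dst_ports: PortRange


def parse_header(rule: str, variables=SNORT_VARS) -> RuleHeader:
    """Parse the five header fields; the rule body, if present, is ignored."""
    m = HEADER_RE.match(rule)
    if not m:
        raise ValueError("not a well-formed rule header")
    g = m.groupdict()

    def resolve(token: str) -> str:
        # $VARS come from snort.conf; an undefined one is an error, not 'any'.
        return variables[token] if token.startswith("$") else token

    return RuleHeader(
        g["action"], g["proto"],
        parse_net(resolve(g["src"])), parse_ports(resolve(g["sports"])),
        g["dir"],
        parse_net(resolve(g["dst"])), parse_ports(resolve(g["dports"])),
    )


def _side_ok(net, ports: PortRange, ip: str, port: int) -> bool:
    return (net is None or ipaddress.ip_address(ip) in net) and ports[0] <= port <= ports[1]


def header_matches(h: RuleHeader, proto: str, src: str, sport: int, dst: str, dport: int) -> bool:
    """Apply the header filters to one packet. '->' is one-way; '<>' accepts the
    packet with the two sides swapped as well."""
    if h.proto != "ip" and h.proto != proto:  # 'ip' rules cover every IP packet
        return False
    forward = _side_ok(h.src_net, h.src_ports, src, sport) and _side_ok(h.dst_net, h.dst_ports, dst, dport)
    if h.direction == "->":
        return forward
    backward = _side_ok(h.src_net, h.src_ports, dst, dport) and _side_ok(h.dst_net, h.dst_ports, src, sport)
    return forward or backward
```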

Elements of the rule body

After being mangled by the pre-processors and whittled down by the filters of the rule’s header, the rule’s body contains a virtual cornucopia of tests.

The most powerful test is pattern-matching what slips through for either specific keywords, phrases, or strings of binary data. Often, this inspection is the most critical, because what’s being searched for is the “fingerprint” of the attack itself.

Many of the most powerful features of Snort’s detection engine reside in the body of the rule. Each feature has a different style, syntax, and set of options. This flexibility can make rule management somewhat complicated, but very worthwhile.

The layout of the rule body

Snort’s rule body must follow this specific structure:

  • The body section of a rule is always wrapped by one set of parentheses.

  • Body options (keywords, instructions, tests, and commands) are within the parentheses.

  • Each body option is separated by a semicolon.

  • Each body option usually conforms to this format (the value is wrapped in double quotes):

    item: "value";

  • The entire line is terminated with a semicolon.

While the structure contains a lot of punctuation, it helps keep things straight for both Snort and the person managing it.

The “content” option

Content analysis flushes out specific attack signatures within the packet. The particulars of the content option are applied to each and every packet that matches the header of the rule and can be expressed in either plain text form (ASCII) or geek-speak (hexadecimal).

Worms, viruses, and server cracks are normally transmitted onto your network as raw machine code, which, to the naked eye, looks like gobbledy-gook, but is in fact a series of instructions that harm your computers and servers.

 Tip  Content matching is typically done at the application layer (Layer 7) of the OSI networking model.

Text content matching (ASCII)

As a simple scenario for demonstration purposes, let’s say you’re concerned about employees trading computer hacking information within your organization. You can create a rule that generates an alert whenever an e-mail is sent to your primary mail server (the mail server’s IP address is 172.16.30.7) containing the word "hacking". The mail port is 25; most mail is transmitted using the TCP protocol, so the following rule illustrates how we can use the content keyword to craft a rule to meet our goal.

alert tcp $EXTERNAL_NET any -> 172.16.30.7 25 (msg:"Found hacking reference 
in e-mail"; content:"hacking";)

 Technical Stuff  Content analysis (by either text or hexadecimal matching) is used in more than two-thirds of the rules that come with Snort.

Hexadecimal content matching

Hexadecimal (hex) content, although expressed differently than ASCII text, is ultimately treated the same as ASCII by the Snort processing engine. In both cases, the text is reduced to what the computer deals with best: bits, which is then matched against the data streaming across your network. Hex is just a shorthand way of representing the zeros and ones of binary machine code.

 Tip  Hexadecimal is like a numerical alphabet that is 16 characters long, as compared with English (which has 26 letters) or decimal math (which has 10 numerals). Hexadecimal is often referred to as base-16 because the “alphabet” it uses has only 16 “letters” (0,1,2,3,4,5,6,7,8,9,A,B,C,D,E,F). Hexadecimal strings entered into a Snort rule body contain only those characters and none others. If you create a hexadecimal string with nonhex characters, expect that Snort will turn up its nose.

Here’s a real example right out of the rules directory:

alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32 overflow 
filler"; flow:to_server,established; content:"|00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00|"; reference:bugtraq,2347; reference:cve,CVE-2001-0144; 
classtype:shellcode-detect; sid:1325;  rev:3;)

To use a hex match for content searching, wrap the hexadecimal characters to find with the pipe symbols (|). White space can separate out single bytes of hexadecimal data (“00 00”). Snort ignores the white space, which is only there to preserve the readability to the rule crafter.

The preceding rule is meant to watch for an attempted exploitation of the Secure Shell server application (sshd) by scanning traffic coming from anywhere on the external network and destined for your home network on port 22 (the sshd port). The content search is a long series of binary zeros (18 sets of two, to be exact). How can a pattern of zeros be unique? A pattern of zeros is frequently found in attack code and is often a give-away that someone is doing something you don’t like.

Mixing it up

You can mix and match the style of content searching without confusing Snort. As long as the binary data you want to search for has the bookends of the pipe characters, that block of text can be intermingled with other, plain ASCII text. What follows is a good example from the back-door.rules file.

alert tcp $EXTERNAL_NET any -> $HOME_NET 12345:12346 (msg:"BACKDOOR netbus 
getinfo"; flow:to_server,established; content:"GetInfo|0d|"; 
reference:arachnids,403; classtype:misc-activity; sid:110; rev:3;)

Notice how the content search string is constructed: GetInfo|0d|. This string tells Snort’s pattern matching subsystem to watch for the text phrase GetInfo with a carriage return at the end. Pretty nifty, eh? Inserting hex into a plain text string is useful for representing characters that can’t be represented by plain text, such as a carriage return. You can drift between text and binary content all within the same search string.

The “depth” option

It would be nice if malicious content always occurred at the beginning or end of a packet. Unfortunately, malicious content can occur almost anywhere in a packet. The depth option specifies how many bytes into a packet the Snort processor should look before moving on to the next rule.

The main reason for using the depth option is to restrict the search to the most likely places where a match is found, without wasting valuable processor resources to search the entire packet. For example, if you want to find the HTTP protocol version as part of a Web site communication, look in the first few hundred bytes. Because a packet may be as large as 1,500 bytes (less the header overhead), it makes a lot of sense to give Snort a break, especially if what it must look through are millions upon millions of packets.

The following rule from the web-misc.rules file shows that only 15 bytes need to be inspected to catch the sadmind worm, because the content GET x HTTP/1.0 is always encountered at the very beginning of the packet.

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
 (msg:"WEB-MISC sadmind worm access"; flow:to_server,established; content:"GET x 
HTTP/1.0"; offset:0; depth:15; classtype:attempted-recon; 
reference:url,www.cert.org/advisories/CA-2001-11.html; sid:1375; rev:5;)

The “nocase” option

The nocase option, which appears in more than a third of the rules that ship with Snort, basically says to ignore the case of the characters submitted for searching. Because the nocase directive takes no arguments, it’s normally just used with a terminating semicolon. The following example from the info.rules file finds the text LOGIN FAILED or LoGIn FaIlEd on a telnet session port.

alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"INFO TELNET Bad Login"; 
content: "Login failed";  nocase; flow:from_server,established; 
classtype:bad-unknown; sid:492; rev:6;)

The “offset” option

Another tool that gives us a more precise scope on where in the packet to look is the offset option. Offset works by skipping over the number of bytes supplied to the right of the colon. So, offset:90 skips the first 90 bytes of the packet and then begins searching for the string given as part of the content keyword. Offset and depth work nicely together to make the search area of a packet limited to a window that is bracketed by the two. Basically, if you know where to look and what to look for, you can use these two options to help Snort get a fast grip on where to spend its time.

The Uniform Resource Identifier (URI) option

You can use the uricontent option to conduct a similar type of content searching. Its purpose is similar to the depth and offset options: to reduce the overall processing burden on Snort as it watches for more attacks to effectively do its job.

The uricontent option works much like the content one, except it restricts its searching to only URIs in the payload of the packet. URIs (Uniform Resource Identifiers) in Snort can specify other protocols than http, such as ftp, gopher, rsync, and https.

The uricontent option only searches for the given text in URIs that are found in the packet. If URIs aren’t present, no match occurs. URI searching is good for catching malicious commands that are readily evident as they often appear in the location request to a Web server. The following rule from the web-iis.rules file shows an exploit attempt against the IIS server using both content and uricontent analysis:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS 
.asa HTTP header buffer overflow attempt"; flow:to_server,established; content:
"HTTP|2F|"; nocase; uricontent:".asa"; nocase; content:"|3A|"; content:"|0A|"; 
content:"|00|"; reference:bugtraq,4476; classtype:web-application-attack; 
sid:1802; rev:4;)

A couple of interesting characteristics about this rule are worth discussing:

  • When nocase follows a content (or uricontent) string, it applies to that string only, not to the others in the rule.

  • The nocase option has no effect on binary search strings: bytes written as |3A| or |00| have no upper or lower case. Leaving it off of those strings just keeps the rule readable.
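The following is an added example, not code from the book or from the Snort project: a small Python model of how content, offset, depth, nocase and uricontent narrow a search, applied to the conditions of the .asa rule above. The two HTTP requests are constructed for illustration, offsets and depths are measured from the start of the payload as in Snort 2.x, and the URI is simply taken from the request line (the real HTTP inspection preprocessor also normalizes it).

```python
"""Added example, not from the book or from the Snort project: a small model of
how content, offset, depth, nocase and uricontent narrow a search, applied to
the conditions of the .asa rule above. The HTTP requests are constructed for
illustration; offsets and depths are measured from the start of the payload,
as in Snort 2.x, and the URI is taken from the request line (the real HTTP
inspection preprocessor also normalizes it)."""
import re
from typing import Optional


def parse_content(spec: str) -> bytes:
    """Turn a Snort content string such as 'HTTP|2F|' into raw bytes.
    Text between pipes is hex; everything else is literal."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        if i % 2:                        # odd pieces are hex runs like "3a 20"
            out += bytes.fromhex(part)
        else:
            out += part.encode("latin-1")
    return bytes(out)


def content_match(payload: bytes, pattern: bytes, offset: int = 0,
                  depth: Optional[int] = None, nocase: bool = False) -> bool:
    """offset skips that many payload bytes; depth limits how many bytes
    after the offset are searched, so the two bracket a window."""
    window = payload[offset:] if depth is None else payload[offset:offset + depth]
    if nocase:
        window, pattern = window.lower(), pattern.lower()
    return pattern in window


def request_uri(payload: bytes) -> Optional[bytes]:
    """The request-URI from an HTTP request line, or None if there is none."""
    m = re.match(rb"[A-Z]+ (\S+) HTTP/", payload)
    return m.group(1) if m else None


def uricontent_match(payload: bytes, pattern: bytes, nocase: bool = False) -> bool:
    uri = request_uri(payload)
    if uri is None:
        return False                     # no URI in the packet: no match
    return content_match(uri, pattern, nocase=nocase)


def asa_rule_matches(payload: bytes) -> bool:
    """The content/uricontent conditions of sid:1802; the flow and header
    parts of the rule are outside this model."""
    return (content_match(payload, parse_content("HTTP|2F|"), nocase=True)
            and uricontent_match(payload, parse_content(".asa"), nocase=True)
            and content_match(payload, parse_content("|3A|"))
            and content_match(payload, parse_content("|0A|"))
            and content_match(payload, parse_content("|00|")))


# Constructed requests (not captures): a normal page fetch and one that
# carries a NUL byte in a header while asking for an .asa resource.
BENIGN = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
ATTACK = (b"GET /global.asa HTTP/1.0\r\nHost: victim\r\n"
          b"X-Pad: " + b"A" * 40 + b"\x00\r\n\r\n")

if __name__ == "__main__":
    print("benign:", asa_rule_matches(BENIGN))          # False
    print("attack:", asa_rule_matches(ATTACK))          # True
    # offset:16 depth:5 brackets exactly "HTTP/" in the constructed request line
    print("windowed:", content_match(ATTACK, b"HTTP/", offset=16, depth=5))
```

The windowed call shows why offset and depth matter: with offset:0 and depth:16 the same pattern is missed, because the window ends before "HTTP/" begins. The benign request fails on the |00| content alone, which is why the five independent conditions of the rule are cheap to evaluate in practice.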

Classification

The classification options provide an overall description of a rule, along with other helpful information about the rule, that can be used by the Snort program itself and a system administrator. These options include the Snort ID, the alert message to appear in the alert log, the rule revision number, the alert priority, the alert classification, and external references for the exploit or vulnerability that triggered the alert.

Snort IDs

Quite a few options help organize and classify detected alerts. The Snort ID (sid) option uniquely identifies a rule within the Snort system, so it is the handle that the alert log, rule update tools and your own notes all use.

The Snort ID option takes the same key:value form as the other classification options. For example, a proper usage is as follows:

sid:<ID_VALUE>;

 Warning   When you get the hang of building your own sets of rules, assign each custom rule a unique sid number somewhere above the 1,000,000 mark. That way, updates to the Snort rule base won’t accidentally collide with your custom rule. Table 8-1 gives you a breakdown of the uses for sid ranges.

Table 8-1: Snort ID (sid) Values

  Range of Values    Usage
  ---------------    -----
  1–100              Reserved for future use
  100–1,000,000      For use within the www.snort.org distribution network
  1,000,000 +        For use in customizing your own Snort rules

Priority

Snort has a built-in numerical rating for many of the rules that it ships with: the lower the priority number, the higher the risk posed by the attack that tripped the rule. The default rating comes from the rule's classtype (described next); by using the priority option, you can override that default and rate how important or impacting a particular rule is to your unique environment. For example, the following option assigns its rule the highest priority, 1:

priority:1;

Classtype

The classtype option organizes rules into major groups. A few dozen different classification types are spread over three priority levels, which are described in Tables 8-2, 8-3 and 8-4. For inclusion in a rule, the syntax is

classtype:<CLASS_TYPE_NAME>;

Table 8-2: Priority 1 Classifications (Critical Severity)

  classtype                Description
  ---------                -----------
  attempted-admin          Attempted privilege escalation to an Administrator level
  attempted-user           Attempted privilege escalation to a User level
  shellcode-detect         Discovered executable code
  successful-admin         Achieved successful privilege escalation to an Administrator level
  successful-user          Achieved successful privilege escalation to a User level
  trojan-activity          Discovered software code of a Trojan network attack
  unsuccessful-user        Failed privilege escalation to a User level
  web-application-attack   Identified an attack upon a Web server's application software

Table 8-3: Priority 2 Classifications (Intermediate Severity)

  classtype                        Description
  ---------                        -----------
  attempted-dos                    Attempted denial-of-service attack
  attempted-recon                  Attempted information collection (reconnaissance)
  bad-unknown                      Potentially bad traffic seen (malformed)
  denial-of-service                Denial-of-service attack possibly underway
  misc-attack                      A catch-all category
  non-standard-protocol            Detection or use of a nonstandard protocol
  rpc-portmap-decode               Portmap decode detected
  successful-dos                   Denial of service detected
  successful-recon-largescale      Large-scale information collection (reconnaissance)
  successful-recon-limited         Limited information collection (reconnaissance)
  suspicious-filename-detect       Strange or unusual filename was detected
  suspicious-login                 Strange username was found attempting to log in
  system-call-detect               A system call was detected
  unusual-client-port-connection   A client was abnormally using a network port
  web-application-activity         Access was made to a potentially vulnerable web-app

Table 8-4: Priority 3 Classifications (Low Severity)

  classtype                 Description
  ---------                 -----------
  icmp-event                A "ping" packet was detected
  misc-activity             Some behavior was detected that may be considered a policy warning
  network-scan              A host or network was being scanned
  non-suspicious            Regular usage activity was detected
  protocol-command-decode   A protocol instruction was decoded
  string-detect             A pattern of specific bytes was detected
  unknown                   Unknown or unclassified traffic

Revision and versions

The Snort people thought ahead and included a way to keep version tracking on each individual rule. The software industry uses many version management schemes because the field is so fluid and dynamic that tight change control is almost a necessity. Bump rev whenever you edit a rule: the sid stays the same, and the rev tells anyone reading the alert (or a tool merging rule updates) which version of the rule fired. The format of the option is

rev:<#>;

 Technical stuff  Very few rules that come with Snort (less than 10 percent) have a revision number of only 1. Busy enterprise networks are sometimes hostile and fast-paced environments. Sometimes, rules are quickly added during the heat of a malicious event so that immediate visibility is provided to the security managers who must monitor the attack. After some analysis and a firmer understanding of the events takes shape, Snort’s rules are then revised (often only subtly) to reflect what’s known about the event.

Messaging and output

The msg option creates a customized output message that is included with any logs, alerts, and data dumps processed by the detection engine. By looking through the rules directory, you can see that the fabricators of the rules files have added messages to almost all the entries they include. The following is an example of the msg option in use:

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP sendmail 5.5.5 exploit"; \
    flow:to_server,established; content:"mail from|3a20227c|"; nocase; \
    reference:arachnids,119; classtype:attempted-admin; sid:662; rev:4;)

See how cleverly the Snort makers had the output of this mail exploit attempt reported as "SMTP sendmail 5.5.5 exploit"? Describing the nature of an attack in plain English helps you in the long run (especially when you're searching through logs trying to track down a breach).

External references

The second most powerful (and widely used) feature within a Snort rule is the external reference option. You can reference Web-based resources that provide tons of additional data on an attack or probe right in the Snort logs.

A few different formats are used. Nearly all are Web site front-ends that look up an attack based on a unique identifier. For example, the rule in the preceding section carries the following:

reference:arachnids,119;

Thanks to this option, when Snort encounters this Sendmail attack, it provides a URL where you can find out more about it. Table 8-5 lists Snort's external reference systems.

Table 8-5: Snort's External References

  Keyword      URL Base
  -------      --------
  bugtraq      http://www.securityfocus.com/bid/
  cve          http://cve.mitre.org/cgi-bin/cvename.cgi?name=
  arachnids    http://www.whitehats.com/info/IDS
  mcafee       http://vil.nai.com/vil/content/v_
  nessus       http://cgi.nessus.org/plugins/dump.php3?id=
  url          http:// (a general URL that's passed straight through)

These keyword-to-URL mappings live in reference.config, so you can add a system of your own (an internal wiki, for example) there. Proper use of the reference keyword takes this form, with the system and the value separated by a comma and no spaces:

reference:<SYSTEM>,<VALUE>;

 Technical Stuff  You can tie together any number of reference options as long as they’re separated by a semicolon.
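As an added example (not code from the book or from the Snort project), the following Python pulls the classification options discussed above (msg, sid, rev, classtype, priority, reference) out of rule text, expands each reference into a URL using the bases from Table 8-5, derives the default priority from the classtype tables, and audits a local rules file for sid collisions and for sids outside the 1,000,000+ range that custom rules should use. The sendmail rule is the one quoted in the messaging section; the two local rules are constructed for illustration and are not from any distributed rule set.

```python
"""Added example, not from the book or from the Snort project: pull the
classification options (msg, sid, rev, classtype, priority, reference) out of
rule text, expand each reference into a URL with the bases from Table 8-5,
derive the default priority from the classtype tables, and audit a local
rules file for sid collisions and for sids outside the 1,000,000+ range.
The sendmail rule is the one quoted above; the two local rules are
constructed for illustration and are not from any distributed rule set."""
import re
from typing import Dict, List, Optional, Tuple

REFERENCE_BASES = {                     # Table 8-5
    "bugtraq": "http://www.securityfocus.com/bid/",
    "cve": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=",
    "arachnids": "http://www.whitehats.com/info/IDS",
    "mcafee": "http://vil.nai.com/vil/content/v_",
    "nessus": "http://cgi.nessus.org/plugins/dump.php3?id=",
    "url": "http://",
}

CLASSTYPE_PRIORITY = {                  # Tables 8-2 to 8-4
    1: {"attempted-admin", "attempted-user", "shellcode-detect",
        "successful-admin", "successful-user", "trojan-activity",
        "unsuccessful-user", "web-application-attack"},
    2: {"attempted-dos", "attempted-recon", "bad-unknown", "denial-of-service",
        "misc-attack", "non-standard-protocol", "rpc-portmap-decode",
        "successful-dos", "successful-recon-largescale",
        "successful-recon-limited", "suspicious-filename-detect",
        "suspicious-login", "system-call-detect",
        "unusual-client-port-connection", "web-application-activity"},
    3: {"icmp-event", "misc-activity", "network-scan", "non-suspicious",
        "protocol-command-decode", "string-detect", "unknown"},
}

# keyword, optional ':value' (quoted values may contain ; and \"), then ';'
OPTION_RE = re.compile(r'\s*([a-z_]+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')


def parse_options(rule: str) -> List[Tuple[str, Optional[str]]]:
    """Split the body between the parentheses into (keyword, value) pairs."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    opts = []
    for m in OPTION_RE.finditer(body):
        key, val = m.group(1), m.group(2)
        if val is not None:
            val = val.strip()
            if val.startswith('"'):
                val = val[1:-1]
        opts.append((key, val))
    return opts


def rule_metadata(rule: str) -> Dict:
    meta = {"msg": None, "sid": None, "rev": None, "classtype": None,
            "priority": None, "references": []}
    for key, val in parse_options(rule):
        if key in ("msg", "classtype"):
            meta[key] = val
        elif key in ("sid", "rev", "priority"):
            meta[key] = int(val)
        elif key == "reference":
            system, _, ident = val.partition(",")
            base = REFERENCE_BASES.get(system.strip().lower())
            meta["references"].append(base + ident.strip() if base else val)
    if meta["priority"] is None:        # no explicit priority: take the classtype default
        for prio, names in CLASSTYPE_PRIORITY.items():
            if meta["classtype"] in names:
                meta["priority"] = prio
    return meta


def sid_range(sid: int) -> str:
    """Table 8-1."""
    if sid < 100:
        return "reserved"
    if sid < 1_000_000:
        return "distribution"
    return "local"


def audit(rules_text: str, local: bool, known: Optional[Dict[int, str]] = None) -> List[str]:
    """Report duplicate sids (within the text and against `known`, e.g. the sids
    already used by the distributed rules) and, for a local file, any sid that
    is not in the 1,000,000+ range reserved for custom rules."""
    seen = dict(known or {})
    problems = []
    for lineno, line in enumerate(rules_text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        meta = rule_metadata(line)
        sid = meta["sid"]
        if sid is None:
            problems.append(f"line {lineno}: rule has no sid")
            continue
        if sid in seen:
            problems.append(f"line {lineno}: sid {sid} already used by {seen[sid]!r}")
        else:
            seen[sid] = meta["msg"]
        if local and sid_range(sid) != "local":
            problems.append(f"line {lineno}: sid {sid} is in the {sid_range(sid)} range; use 1,000,000 or above")
    return problems


SENDMAIL_RULE = ('alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP sendmail 5.5.5 exploit"; '
                 'flow:to_server,established; content:"mail from|3a20227c|"; nocase; '
                 'reference:arachnids,119; classtype:attempted-admin; sid:662; rev:4;)')

LOCAL_RULES = "\n".join([                # constructed local.rules
    "# local.rules (constructed)",
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"LOCAL proxy probe"; '
    'content:"CONNECT "; classtype:attempted-recon; sid:662; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"LOCAL ssh policy"; '
    'reference:url,www.example.com/notes; classtype:attempted-user; priority:2; '
    'sid:1000001; rev:2;)',
])

if __name__ == "__main__":
    print(rule_metadata(SENDMAIL_RULE))
    distributed = {rule_metadata(SENDMAIL_RULE)["sid"]: "SMTP sendmail 5.5.5 exploit"}
    for problem in audit(LOCAL_RULES, local=True, known=distributed):
        print(problem)
```

Run against the constructed local.rules with the sendmail sid registered as already taken, the audit reports the first local rule twice: once because sid 662 collides with the distributed rule, and once because 662 sits in the distribution range. The second local rule shows the priority override at work: its classtype would default to 1, but priority:2 wins.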

Advanced options and deep dark secrets

The advanced options give you a peek into the dark side: the stuff of the geek-chic and the wizards of computer security.

Flow control

The flow option lets you tie a rule to the direction and state of a TCP session: to_server or to_client, and established (the three-way handshake completed) or stateless. All network communications have two endpoints and a direction, and most exploit payloads only make sense travelling one way, so the rule fires only when the packet is headed the right way over a real session. Snort's internal engine must do some fancier processing for flow (the stream preprocessor's session tracking and on-the-fly reassembly), but it's certainly worth the overhead: it cuts false positives from replies, spoofed packets and half-open scans, and it lets you write to_client rules that watch a server's response for signs that an attack actually worked.

Regular expressions

A regular expression (regex in computer-nerd circles) is the incredibly powerful voodoo of using wildcards to match substrings within other strings. Without jumping into the deep end of this black art, a regular expression (the pcre option, which takes Perl-compatible syntax) combined with a Snort rule makes for powerful mojo! Keep in mind that a regular expression costs far more to evaluate than a plain content match, so put a content option in front of it to narrow the traffic first.

Protocol options

Because of Snort’s primary function to act as a low-level packet trap and filtering device, it can make lots of specific selections based on granular network protocol components. For example, sometimes hackers use specialized or fragmented packets to tease at the edge of networks for information about what they may find if they break in. These probing and recon expeditions may otherwise go unnoticed by a system administrator or a security package not configured to watch for such errant behavior. Snort’s native IP rules options put a huge amount of power at your fingertips.

How does Snort deal with all those rules?

Managing the files and their contents, let alone keeping a huge decision tree running, is a fine programmatic accomplishment.

Snort keeps track of all those intricate rules (some with more than 20 different options) with some fancy data processing internally. Without getting too bogged down, the process of reading in a particular rule is governed by a string parser, which cuts apart the rule into its component parts, which are then stored into a series of linked lists.

 Remember  Snort is a busy, complex, and low-level application. Every small or subtle error that goes undetected or that causes minor annoyances can snowball into a huge performance issue under certain circumstances. Although it doesn’t happen often, a misplaced command or configuration option can cause downtime or data loss.

Posted by CEOinIRVINE

Snort Configuration [1]

IT 2008. 10. 14. 04:04

The Center of Snort’s Universe

You’ve already had some modest exposure to the snort.conf configuration file if you installed and configured Snort to run in your shop. It looks long, complicated, and riddled with hieroglyphics, but it isn’t nearly as bad as it seems.

Picking apart the snort.conf file

First off, the snort.conf file is divided into handy sections and organized very logically, even for nontechnoids. (The makers of Snort won’t have poorly built configuration files with their software.) The Snort makers break down your most likely edits into four basic steps, which they conveniently refer to at the top of the file. You’re interested in the Rules section, which is the last step in the snort.conf file.

 Tip  A simple four-step process can manage the configuration parameters in the snort.conf file:

  1. Be like a Boy Scout: Be prepared by having a plan of action for what changes you want to make to snort.conf before touching the file itself.

     Tip  Keep a notes file of any changes (both made and proposed) and settings you're working with.

  2. Back up the snort.conf file before you edit it.

     We call ours snort.conf.bak and typically keep it in the same directory as the original snort.conf configuration file.

  3. Use your favorite text editor to make your changes.

  4. Run Snort with the -T flag to check snort.conf.

     At the command prompt, point Snort at the file you edited (adjust the path to wherever your snort.conf lives):

     snort -T -c /etc/snort/snort.conf

     Running Snort with -T tests your snort.conf configuration file and rules for errors, tells you where the problems are, and exits without sniffing. Testing your configuration and rules files before restarting Snort lets you correct errors first, so a broken configuration never keeps Snort from starting and you don't miss any alerts!

 Technical Stuff  Once you’ve made changes to snort.conf (or any configuration files), restart the Snort application (which geek-types affectionately refer to as "bouncing," "sig-hupping," or even "tickling" the running snort process). If you make changes without completing this step, nothing may happen until the next time you start your computer because Snort hasn’t re-read the configuration files and found the changes.

Playing by the rules

The rules section is the real meat of the snort.conf file. (Or should we say, "The real bacon"?) The snort.conf file has two important configuration entries for proper rule setup:

  • The location of the rules directory, configured under the snort.conf file’s main variable initialization section (Step 1).

    In Step 1, the variable $RULE_PATH must be set to the location of Snort’s rules — for example /usr/local/snort/rules on Linux or D:\snortapps\rules on Windows.

  • Near the end of the snort.conf file, in Step 4, where line after line of rule reference is placed. Here’s a snippet of a few items in our list:

    include $RULE_PATH/local.rules
    include $RULE_PATH/bad-traffic.rules
    include $RULE_PATH/exploit.rules

 Warning   Many of the configuration file's parameters and settings have analogous command-line switches. When Snort is faced with two opposing instructions (for example, when you pass the -A fast alert-mode argument to Snort, but have the alert_full output module configured in the snort.conf file), Snort ignores the configuration file and executes according to what was present on the command line. For testing and isolated sensor installation, command-line options work well, but for larger deployments, use the configuration files to make the management, editing, and distribution far easier to handle.


Snort Location

IT 2008. 10. 14. 03:59

Location, location, location

What Snort monitors depends on where it is on your network. A diagram of a typical network is shown in Figure 2-1. Like most, this network uses a firewall to split Internet facing servers into a DMZ, and keeps end-user workstations and internal servers in a NAT network.

  • A DMZ (De-Militarized Zone) network is a kind of limbo, a neither here nor there zone that has tight controls on what network traffic goes in and what comes out. Traditionally, it’s a semi-trusted network where publicly facing Internet servers reside.

  • NAT stands for Network Address Translation, a way to hide multiple machines using private IP space behind a much smaller chunk of public IP space. With NAT, your end-user workstations and internal file servers can initiate outgoing Internet connections, but other hosts on the Internet can’t initiate connections the other way.

Keeping servers in a DMZ protects your NAT network. If one of your Internet-facing servers in the DMZ is cracked, the damage should be limited, because the firewall should not let hosts in the DMZ open connections into your internal network. Check that it really doesn't: a DMZ that can reach the inside on a few "convenience" ports is the usual way this limit fails.

Covering your assets

If your network is for a business or other organization that uses the Internet, network Internet access probably is critical to your business operating smoothly. Even e-mail can be vital to day-to-day operations, so keeping these servers safe is key. If you have publicly facing Internet servers in a DMZ, watch here for trouble: Internet access to your servers means that you can tell the entire world about www.yoursite.com, but the entire world can poke, prod, and tickle your servers, too.

 Remember  Any place you have publicly facing Internet servers is a place for Snort.

If you use a separate DMZ network, you must do the following:

  • Designate a port on your DMZ switch as a monitoring port.

  • Tell your snort.conf file that you want to monitor this subnet.

    After watching this traffic for a while, you start to see alerts for Web server attacks and attempts to squeeze your servers for network information. Keep an eye on Snort’s alerts and start trimming your configuration to reduce false positives (we cover this in Chapter 9).

    Monitoring your DMZ alerts you when someone attacks a server and tells you whether an already compromised server is attacking other servers in the DMZ. This information is critical to network forensics (covered in Chapter 10).

Seeing who isn't on the guest list

In almost every case, you should monitor unfiltered Internet traffic. This traffic is directed at your network, but hasn't had a chance to be rejected by your firewall. Though most bad traffic gets the boot from your firewall and never touches the protected parts of your network, it's nice to see what that traffic is. If your boss ever wants stats on how well your firewall is doing its job, this is one great resource.

Figure 2-1 shows a switch in between the router and firewall. Although this isn't necessary, it's usually helpful to have unfiltered IP space for network troubleshooting. If there's a switch in front of your firewall, but you can't designate a monitoring port on it, throw a hub between your router and switch. This lets you plug your Snort sensor in front of the firewall; for many sites, it won't introduce any bottlenecks. (A T1 line is only 1.544 Mbps, and even the cheapest hub handles 10 Mbps. On a faster uplink use a passive tap or a span port instead, because a hub forces the link to half duplex.)

If you monitor unfiltered Internet traffic, you see a lot of alerts. You should see a slew of such attack alerts as

  • Port scans that never make it past your firewall

  • Random worm activity directed at hosts that don't exist

This data is proof that your firewall is doing its job.

Keeping tabs on the inside

Although it seems logical that you'd want to use Snort to monitor your internal NAT network filled with end-users and file servers, we don't recommend it until you've gained some experience scaling and tuning your Snort system, for a couple of reasons:

  • Bandwidth: Internal LANs typically run at 100 Mbps to ensure fast access to internal file servers or databases. Compare this to the size of the pipe from the Internet to your DMZ. If every host on your internal network has a 100 Mbps dedicated pipe (thanks to the magic of modern switches, this is now the norm), your Snort system must watch a lot of traffic at once. This is possible with Gigabit Ethernet interfaces and systems with really fast processors, but your super-fast Snort system may be pushed to its limits.

  • False positive alerts: Snort has a built-in notion of us vs. them, which is most evident in the snort.conf settings var HOME_NET and var EXTERNAL_NET. Snort has a very hard time correctly differentiating between legitimate internal network traffic and hostile attacks. You can get around this by setting both variables to any, but it doesn't change the fact that Snort is looking for attacks. Snort's default set of rules assumes that your HOME_NET needs to be protected from your EXTERNAL_NET.

 Tip  If your system can handle watching the big bandwidth of a LAN, Snort is your best friend for monitoring internal LAN traffic. Watching internal LAN traffic can be a great way to make sure that your users are sticking to the network policy if you have

  • A high-performance Snort sensor with CPU cycles and RAM to spare

  • A highly tuned rule set

    Your highly tuned rule set should include rules that you develop yourself.
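To make the us-vs-them point concrete, here is an added example (not code from the book or from the Snort project): a Python model of how the HOME_NET and EXTERNAL_NET variables decide whether the header of a typical distributed rule, alert tcp $EXTERNAL_NET any -> $HOME_NET any, is even evaluated against a flow. The three flows are constructed; the variable syntax (CIDR blocks, [a,b] lists, $VAR references, ! negation and any) follows snort.conf, and only the address fields of the header are modelled.

```python
"""Added example, not from the book or from the Snort project: a model of how
the HOME_NET and EXTERNAL_NET variables decide whether the header of a
typical distributed rule, alert tcp $EXTERNAL_NET any -> $HOME_NET any, can
see a flow at all. The three flows are constructed; the variable syntax
(CIDR blocks, [a,b] lists, $VAR references, ! negation and any) follows
snort.conf, and only the address fields of the header are evaluated."""
import ipaddress
from typing import Dict, List, Tuple

Network = ipaddress.IPv4Network


def parse_var(value: str, variables: Dict[str, str]) -> Tuple[bool, List[Network]]:
    """Resolve an address spec to (negated, networks)."""
    value = value.strip()
    negated = False
    if value.startswith("!"):
        negated, value = True, value[1:].strip()
    if value.startswith("$"):                     # $VAR: look it up, fold in its own negation
        inner_negated, nets = parse_var(variables[value[1:]], variables)
        return negated ^ inner_negated, nets
    if value == "any":
        return negated, [ipaddress.ip_network("0.0.0.0/0")]
    parts = value.strip("[]").split(",")
    return negated, [ipaddress.ip_network(p.strip()) for p in parts]


def addr_matches(spec: str, ip: str, variables: Dict[str, str]) -> bool:
    negated, nets = parse_var(spec, variables)
    hit = any(ipaddress.ip_address(ip) in net for net in nets)
    return hit != negated


def header_matches(header: str, src: str, dst: str, variables: Dict[str, str]) -> bool:
    """'action proto SRC sport -> DST dport'; ports and protocol are ignored here."""
    _act, _proto, src_spec, _sport, _arrow, dst_spec, _dport = header.split()
    return addr_matches(src_spec, src, variables) and addr_matches(dst_spec, dst, variables)


RULE_HEADER = "alert tcp $EXTERNAL_NET any -> $HOME_NET any"
DEFAULT_VARS = {"HOME_NET": "10.0.0.0/8", "EXTERNAL_NET": "!$HOME_NET"}
ANY_VARS = {"HOME_NET": "any", "EXTERNAL_NET": "any"}

# Constructed flows (203.0.113.0/24 is a documentation range; 10/8 stands in
# for the internal NAT network).
FLOWS = {
    "internet_to_inside": ("203.0.113.7", "10.1.2.3"),   # classic attack from outside
    "inside_to_inside": ("10.5.5.5", "10.1.2.3"),        # infected workstation hits a file server
    "inside_to_internet": ("10.5.5.5", "203.0.113.7"),   # user browsing out
}


def coverage(variables: Dict[str, str]) -> Dict[str, bool]:
    """Which of the flows the rule header would even be evaluated against."""
    return {name: header_matches(RULE_HEADER, s, d, variables)
            for name, (s, d) in FLOWS.items()}


if __name__ == "__main__":
    print("HOME_NET 10/8, EXTERNAL_NET !$HOME_NET:", coverage(DEFAULT_VARS))
    print("both set to any:                       ", coverage(ANY_VARS))
```

With the default variables, the inside-to-inside flow never reaches the detection engine for this header, which is the missed-attack side of the problem on an internal sensor; with both variables set to any, every rule written for outside attackers also runs against all internal chatter, which is where the flood of false positives comes from. Neither setting is wrong; it is the tuned rule set that has to resolve the trade-off.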


Snort Installation on CentOS 4.6

IT 2008. 10. 10. 08:20


PHP test: download http://shat.net/php/nqt/nqt.php.txt, copy it to /var/www/html as nqt.php, and visit http://yourwebsite/nqt.php.

If the Network Query Tool page appears and you can run a query from it, PHP works. Remove nqt.php afterwards: it lets anyone who can reach the page run lookups and pings from your sensor.


cd /root
mkdir snortinstall


!!!DO THE FOLLOWING AS ROOT!!!
cd /root/snortinstall

download your snort
wget http://www.snort.org/dl/snort-2.8.3.1.tar.gz

install PCRE from source (the SourceForge link carries a query string, so tell wget which file name to save under; the library lands in /usr/local/lib, so make the dynamic linker aware of that directory)
wget -O pcre-7.8.tar.gz 'http://downloads.sourceforge.net/pcre/pcre-7.8.tar.gz?modtime=1220617433&big_mirror=0'
tar xvzf pcre-7.8.tar.gz
cd pcre-7.8
./configure
make
make install
grep -q /usr/local/lib /etc/ld.so.conf || echo /usr/local/lib >> /etc/ld.so.conf
ldconfig
cd /root/snortinstall

tar xvzf snort-2.8.3.1.tar.gz
cd snort-2.8.3.1
./configure --with-mysql --enable-dynamicplugin --enable-stream4udp \
    --with-libpcap-libraries=/usr/lib64 \
    --with-libpcre-includes=/usr/local/include --with-libpcre-libraries=/usr/local/lib \
    --with-libnet-libraries=/usr/lib64 \
    LDFLAGS='-L/usr/lib64 -L/usr/lib64/mysql'
make
make install


groupadd snort
useradd -g snort snort -s /sbin/nologin


mkdir /etc/snort
mkdir /etc/snort/rules
mkdir /var/log/snort

Copy the stock configuration files (snort.conf, classification.config, reference.config and the rest) from the source tree, not from /etc:
cd /root/snortinstall/snort-2.8.3.1/etc
cp * /etc/snort

cd /root/snortinstall
wget http://www.snort.org/pub-bin/downloads.cgi/Download/vrt_pr/snortrules-pr-2.4.tar.gz
or just download my previously uploaded snortrules-snapshot-2.8.tar.gz
(use a rule snapshot that matches your Snort version, 2.8 here; older rule sets use options this engine no longer accepts)

tar xvzf snortrules-pr-2.4.tar.gz
or tar xvzf snortrules-snapshot-2.8.tar.gz

cd rules
cp -R * /etc/snort/rules


Modify your snort.conf file



edit snort.conf under /etc/snort with vi or any other editor and change the following:

var HOME_NET 10.0.0.0/8 (for example)
var EXTERNAL_NET !$HOME_NET

var RULE_PATH ../rules becomes var RULE_PATH /etc/snort/rules

add or edit the stream5 preprocessor lines as follows:
preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
                             track_udp yes
preprocessor stream5_tcp: policy windows, use_static_footprint_sizes, \
                          ports client 21 23 25 42 53 80 135 136 137 139 143 110 111 445 465 513 691 \
                                       1433 1521 2100 2301 3128 3306 8000 8080 8180 8888
preprocessor stream5_udp: ignore_any_rules

also tell snort to log to MySQL (this is one logical line; keep the backslash if you wrap it):

output database: log, mysql, user=snort password=<the password you gave it> \
                 dbname=snort host=localhost



Install the init script (the server hands it out as index.html, so rename it; it runs as root at every boot, so read it before you trust it):
cd /etc/init.d
wget http://internetsecurityguru.com/snortinit/snort/index.html
mv index.html snort
chmod 755 snort
chkconfig snort on

Set up MySQL. A fresh install has no root password, so connect without one the first time and set it in the first statement below (pick whatever password you want to give it, and remember what you assign):
mysql -u root


mysql> SET PASSWORD FOR root@localhost=PASSWORD('password');
Query OK, 0 rows affected (0.25 sec)
mysql> create database snort;
Query OK, 1 row affected (0.01 sec)
mysql> grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort.* to snort@localhost;
Query OK, 0 rows affected (0.02 sec)
mysql> SET PASSWORD FOR snort@localhost=PASSWORD('password_from_snort.conf');
Query OK, 0 rows affected (0.25 sec)
mysql> exit
Bye

Grant on snort.* only (there is no root database), and do not grant to a bare "snort" without @localhost: on this MySQL version that creates a passwordless snort@'%' account reachable from any host the server listens on, and it is not needed when Snort and BASE run on the same machine.

Load the schema that ships with Snort into the new database:
mysql -u root -p snort < /root/snortinstall/snort-2.8.3.1/schemas/create_mysql
Enter password: the mysql root password
mysql -u root -p
Enter password:
mysql> SHOW DATABASES;
(You should see the following)
+------------+
| Database   |
+------------+
| mysql      |
| snort      |
| test       |
+------------+
3 rows in set (0.00 sec)

mysql> use snort
>Database changed
mysql> SHOW TABLES;
+------------------+
| Tables_in_snort
+------------------+
| data
| detail
| encoding
| event
| icmphdr
| iphdr
| opt
| reference
| reference_system
| schema
| sensor
| sig_class
| sig_reference
| signature
| tcphdr
| udphdr
+------------------+
16 rows
exit;




BASE-Install

yum install php-gd
It will ask you the following; choose y
Transaction Listing:
Install: php-gd.i386 0:4.3.10-3.2
Is this ok [y/N]: y

download adodb (again give wget the file name to save under, because of the query string):
wget -O adodb505.tgz 'http://downloads.sourceforge.net/adodb/adodb505.tgz?modtime=1215766049&big_mirror=0'

download the base-1.2.5.tar.gz file attached above


cd /etc/sysconfig/
edit the iptables file
add the line:
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
and delete the lines:
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
Then change the line:
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
to:
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j REJECT
After this the console is reachable only over https://. The reason you want this is so that reading your alerts does not itself trigger more alerts, and if something can be encrypted, I usually encrypt it. (Rejecting all ICMP also discards the type 3 "fragmentation needed" messages that path MTU discovery depends on; if large transfers from the sensor stall, allow --icmp-type 3 explicitly.)
Then run "service iptables restart" and you will see something like the following:
[root@snort conf]# service iptables restart
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: filter [ OK ]
Unloading iptables modules: [ OK ]
Applying iptables firewall rules: [ OK ]
"iptables -L" then shows the new rule set.


Installing Adodb:
Go back to your download directory (/root/snortinstall)
cp adodb505.tgz /var/www/
cd /var/www/
tar -xvzf adodb505.tgz
rm -f adodb505.tgz
ls        (check which directory the archive created; the 5.x series unpacks into adodb5)
mv adodb5 adodb        (rename it so $DBlib_path below can stay /var/www/adodb)

Go back to your download directory (/root/snortinstall)
cp base-1.2.5.tar.gz /var/www/html
cd /var/www/html
tar xvzf base-1.2.5.tar.gz
rm -f base-1.2.5.tar.gz
mv base-1.2.5 base

cd /var/www/html/base
cp base_conf.php.dist base_conf.php

edit base_conf.php and set the following parameters (no trailing space inside the $DBlib_path quotes, or BASE will not find adodb):

$BASE_urlpath = "/base";
$DBlib_path = "/var/www/adodb";
$DBtype = "mysql";
$alert_dbname = "snort";
$alert_host = "localhost";
$alert_port = "";
$alert_user = "snort";
$alert_password = "password_from_snort_conf";
/* Archive DB connection parameters */
$archive_exists = 0; # Set this to 1 if you have an archive DB


Now start Snort (it was already registered with chkconfig above; "service snort start" should give you an OK), then go to a browser and access your sensor:
service snort start
https://<ip.address>/base
This will bring up the initial BASE startup banner.
Securing APACHE and the BASE directory:
mkdir /var/www/passwords
/usr/bin/htpasswd -c /var/www/passwords/passwords base
(base is the username you will use to get into this directory; htpasswd prompts for the password that goes with it, which is what you will have to type when you want to view your BASE page. The passwords file sits outside the document root on purpose.)
Edit httpd.conf in /etc/httpd/conf. I put the block below under the section that has:
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
These are the lines you must add to password-protect the BASE console:

<Directory "/var/www/html/base">
AuthType Basic
AuthName "SnortIDS"
AuthUserFile /var/www/passwords/passwords
Require user base
</Directory>
Since you have removed the port 80 entry in the iptables script, you will have to go to the console on port 443, using https://<ip_address>/base. Basic authentication sends the password in the clear on every request, which is why the HTTPS-only restriction matters; it needs mod_ssl installed ("yum install mod_ssl" gives Apache a self-signed certificate and an SSL listener on 443).
Save the file and restart Apache by typing "service httpd restart" to make the password changes effective.
After you're done
Log in as root and check that everything important is running.
To check you can execute "ps -ef | grep <SERVICE>" where SERVICE is snort, httpd, or mysql.
Or use "ps -ef | grep httpd && ps -ef | grep mysql && ps -ef | grep snort"




or visit http://www.howtoforge.com/intrusion_detection_base_snort




When they're not hand-wringing over the recent drop in Apple's share price, Mac enthusiasts have been transfixed lately by the mystery product, code-named "brick," that's due for release later this month.

Some bloggers and pundits have suggested it might be a new iteration of Apple TV or an updated Mac Mini. But according to a report on 9to5Mac.com, "brick" refers not to what it is, but how it's made. The Web site, which cites an anonymous source, says the code name has to do with a manufacturing process for Apple's MacBook and MacBook Pro lines of laptops. Apple (AAPL) will build the notebook out of a single piece of carved-out aluminum—a brick.

Whatever it signifies, the new computer may be precisely what Apple Chief Financial Officer Peter Oppenheimer meant when he referred to a "new product transition that I can't talk about yet" during Apple's most recent earnings conference call in July. The transition is among the reasons Apple said it expects to make lower gross profit margins (BusinessWeek.com, 7/22/08) during the next several quarters.

But if the new product does prove to be a notebook made from a block of aluminum, how much pressure are Apple's margins likely to undergo? More to the point, would Apple's brick be a brick?

Savings on Materials and Labor

A radically different production method might well boost costs, at least at the outset. But there could also be savings from the change, says Kevin Keller, an analyst at market research firm iSuppli. "If you're working with one single unit of metal, you're reducing a lot of the materials costs and also a lot of labor time on assembly," he says.

Using a single piece of metal would also provide the opportunity for the kind of design flourishes that distinguish Apple and its chief executive, Steve Jobs. Screws might be minimized or eliminated entirely. Seams joining different pieces of metal would disappear. In short, these notebooks would be unlike anything else on the market in appearance and design.

Apple has been known to push the envelope on notebook design over the years. Its metallic MacBook Pros have inherited a distinctive look and feel that dates to 2001 when Apple launched its PowerBook G4 product line. Since then, there has always been a metal notebook, sometimes boasting a titanium shell, sometimes one of aluminum.

But coring out a block of aluminum, while fairly common in some products, such as types of wireless telecom gear, is a slow process, Keller says. "The issue for Apple, which would presumably be doing it millions of times, would be speed," he says. "It's very time-intensive." Presumably, Apple could bring innovation aimed at streamlining the manufacturing process, he adds.

Patent Filings

Apple declined to comment on its plans, but the company has made patent filings related to the design of notebook enclosures. In May 2007, it filed for a patent on a design for "enclosure parts that are structurally bonded together to form a singular composite structure.… That is particularly useful in portable computing devices such as laptop computers."

Another important factor in the success of these new laptops is where they would be made. 9to5Mac's informant suggests that Apple might bring final assembly of the product in-house. In a world where notebook PCs are made almost exclusively by third-party manufacturers because of labor costs, the thought of Apple getting back into the business of manufacturing notebooks would send shivers up the spine of any shareholder. "I'd be shocked if they started doing any of their own assembly," says Andy Hargreaves of Pacific Crest Securities in Portland, Ore. "That's the kind of drastic step that would hurt profits. I'm just not sure what the advantages would be."

Then there's the expense of setting up a factory, purchasing the equipment, securing the real estate, and hiring the labor. None of this could be done on the cheap, though Apple at last count had nearly $21 billion in cash and could easily absorb the expenditure. Apple owns a 305,000-square-foot manufacturing space in Cork, Ireland, that also houses a customer-support call center. It also owns an 805,000-square-foot warehouse and distribution center in Sacramento. Building and ramping up a factory is an enormous project that takes a lot of time and a considerable effort around logistics. Parts have to be shipped in, and finished products have to be shipped out.

Buying Real Estate

There's no evidence Apple has undertaken the construction of a new facility, though in recent years it has been purchasing real estate near its headquarters in Cupertino, Calif., for a second corporate campus. On the off chance Apple wants to do some of its own manufacturing, the company would most likely be considering a site in China. "If they're doing this at all, there is no doubt in my mind that it would have to happen in Asia," Keller says.

Apple stock rose 1.07, to 98.14, on Oct. 6, though it has been hammered in recent months on concerns that the economic slowdown and financial market crisis gripping Wall Street will crimp demand for its products. Whatever form its brick takes, Apple will want to ensure that it can be manufactured as efficiently as possible—and hold plenty of appeal for consumers.

Hesseldahl is a reporter for BusinessWeek.com.


Posted by CEOinIRVINE

My first thought, after taking a gander at Samsung's new "Touch of Color" LCD TV, was that it's gimmicky. In a bid to stand out in a sea of black-framed HDTVs, Samsung infused color directly into the bezel surrounding the screen.

But after testing out the company's LN52A650 in my home, I can say this is one gimmick that works. Over the course of a month, visitors showered more compliments on the overall look of the Samsung set than on any other TV I've reviewed.

Differentiation in TVs is increasingly important for manufacturers struggling against thin margins. A machine that makes an aesthetic statement can sell for a premium over models that are hard to distinguish on picture or sound quality.

The Red-Accented Bezel

Philips, with its Ambilight TVs that boast "mood" lighting around or behind the bezel, and Sony (SNE), maker of "floating glass" XBR models, have until recently cornered the market for TVs that grab attention even when they're turned off.

Make room for Samsung. With its 52-inch LN52A650, which sells for about $2,200 online, Samsung goes against the grain subtly, by adding red accents on what's still a mostly black bezel. The red looks more pronounced in some settings, such as when light poured into my living room, than in others.

The Samsung set is a winner on more than just aesthetic grounds. In terms of overall performance and picture quality, the LN52A650 outshines several LCD sets I have reviewed recently, including models from Toshiba, Sony and Sharp. Nicknamed the Series 6, the Samsung set comes within a hair's breadth of my overall champ, Pioneer's Kuro Elite line (BusinessWeek.com, 12/21/07).

Blacks Don't Give You the Blues

The Series 6, with a native resolution of 1,920 by 1,080 progressive, or 1080p, handles high-definition viewing with aplomb. LCD TVs have been criticized for bluish-tinged black levels, but in this set Samsung delivers deep, rich blacks that allow for detail, even in night-time or otherwise shadowy scenes.

During a scene in which an oil well blows in There Will Be Blood, the dark, brooding atmosphere is reproduced very close to what you see in theaters. I consider this all the more impressive because Samsung uses an extremely bright light engine to make colors pop (undoubtedly to stand out amid a wall of screens at retail). Part of the secret is a glossy all-black screen and filter, though the downside is that you need to draw the shades on bright days to avoid the sun's glare.

The Series 6, equipped with technology to double the screen refresh rate, does a better job at reducing blur in fast-moving objects than other sets do. The product also keeps to a minimum the artifacts that this technology tends to create on other sets.

Crispness over warmth

Another big test for HDTVs is how well they handle a broadcast's native resolution, through what's known as upconverting. Samsung has always done a very good job at this; it doesn't fail with the Series 6. I watched Bravo's Project Runway reality show on Comcast's analog channel and was generally impressed (though it looks much better when watching the cable company's HD feed, since TVs can't create the level of detail from the analog source). Digital channels not broadcast in HD also are upconverted to 1080p with no significant imperfections.

My only real quibble with the set's picture quality is that sometimes it looked too crisp and video-like, lacking some of the warmth and softness that you find in certain high-end plasmas.

With the Series 6, you can attach a cable, satellite, or TiVo (TIVO) set-top box, PlayStation 3, and standalone Blu-ray player with plenty of inputs to spare. There are three HD multimedia (HDMI) inputs on the back, and another on the panel's left side. There's also a pair of component-video inputs; a single RF input for cable and antenna; and a VGA input for computers. The side panel also sports an additional input with S-Video and composite video, a headphone jack, and a USB port for displaying pictures off flash drives or cameras.

Back-Lit Remote Keys

On the back, Samsung also includes an Ethernet port. Connect it via a cable to the Internet, and you can download via RSS feeds from USA Today the latest news, stock ticker information, and localized weather directly to the set. It's a very rudimentary implementation of Internet TV, but as the service is expanded over time to offer direct video downloads of movies and other software, Samsung's so-called InfoLink service could become extremely useful.

For what's essentially a new product introduction, Samsung also significantly ups the ante with its remote. Featuring back-lit keys for operation in darkened rooms, it fits nicely in the hand and incorporates a scroll wheel for menu navigation. It's a nice touch, letting the user change settings simply by feel alone, instead of forcing you to squint or hold it close to see what you're doing.

Samsung simplifies its on-screen menu system by opting for iconic representations of the settings. To adjust individual picture settings, for instance, you select a picture of a TV with color bars. Once there, plenty of options await both novices and pros.

Samsung's Touch of Color set may not be for everyone (though the company later this year will introduce sets with additional color-infused options for those who don't like red). Even if you don't like its outward appearance, the outstanding picture quality may be enough to win you over.


Tech Addicts

IT 2008. 10. 4. 13:21


In February, John Blanchard took to his blog and declared, "My name is John and I am a technology addict."

The 27-year-old California musician was logging so many hours on Google Reader, Twitter, Facebook, MySpace and video-sharing site Vimeo that he was neglecting family and friends.

"I love being able to connect with people around the world from so many different places," he wrote. "My problem is I can go overboard with new technology I find and let it take over my life."

It's a quandary that's snaring more people as technology pervades society. In 2002, 63% of Americans said it would be "very hard" to give up their landline telephones and 47% said giving up their televisions would be tough. By 2007, they had switched their allegiance to cell phones and the Internet, according to a survey from the Pew Internet & American Life Project. The shift to mobile and Web-based technology has increased addictive behavior, say experts.

Kimberly Young, director of the Center for Internet Addiction Recovery, has studied technology addiction for 14 years. Her early studies focused on Internet gambling, chat rooms and pornography. These days, she has plenty of clients obsessed with Facebook and immersive, multi-user Web games like "World of Warcraft."

"In the 1990s, one thing or game would be addictive," she says. "Now it's multiple things; people go from one to the next and never leave the Internet."

Want more? Check out "Ten Technology Cravings."

Technology applications can qualify as addictive if they consume users' time to the point of damaging their relationships, says Young. "The problem is when technology replaces other forms of contact," she explains. "If a young person isn't on the baseball team or in the school band because he has isolated himself in this way, that's a concern."

Most (96%) compulsive Internet users struggle with time management problems, according to Young's research. Other common problems are issues involving relationships (85%), sex (75%), work (71%), finances (42%), physical well-being (29%) and academic performance (15%). Psychologists who treat Internet addiction typically categorize it as an impulse control disorder.

The list of potential culprits is growing. "World of Warcraft" is the game that crops up most frequently in Young's sessions. ("EverQuest," a 3D fantasy-themed multiplayer game first released in 1999 was the old favorite.)

Online poker continues to lure users, something Young attributes partly to the rise of celebrity poker games. EBay (nasdaq: EBAY), with its millions of items and anxiety-inducing timed auctions, has produced its fair share of addicts, too. Young had a client who spent hundreds of thousands of dollars a year on a military memorabilia collection that eventually took over his apartment.

Even Solitaire and Freecell, those favorites of bored office workers worldwide, can be addictive. "It's an easy distraction," says Young. "The problem is, it's so solitary; we don't know how many people are impacted by that behavior." Casual games like Tetris and Peggle similarly lull users into "just a few more minutes" stupors.

Virtual worlds like Second Life inspire other fixations. "A lot of Second Life's appeal is to older people who are playing out fantasies," says Young. That can lead to online affairs and overspending on virtual goods--topics Young plans to tackle in an upcoming book.

Data point to similar conclusions. PokerStars, which bills itself as the world's largest online poker room, attracted longer and more frequent user visits than any other Internet application in August, according to Nielsen Online. About 1.4 million people visited the site that month. That's a fraction of the mob that dropped by Apple's (nasdaq: AAPL) iTunes (36 million) or Windows Live Messenger (25 million). What makes PokerStars exceptional is its "stickiness"--users logged close to 12 hours that month on the site, compared to an hour or so at iTunes and Live Messenger.

Reinforcing the trend: The third stickiest Internet application for U.S. users is Full Tilt Poker, which has dubbed itself the "fastest-growing online poker room." The second is "Pirates of the Caribbean Online," a multiplayer Web game based on Disney's (nyse: DIS) hit films.

Poker's allure stems, of course, from the tantalizing prospect of winning. "People think, I'm getting something out of this," even when no money actually changes hands, says Young. That's the hook for most video games, too. Microsoft's (nasdaq: MSFT) launch of "achievement points" several years ago prodded Xbox users to up their time on games like "Grand Theft Auto" and "Halo." More points translate into higher "gamerscores" and bragging rights in the gaming community.

The next frontier for technology addiction is mobile, says John Horrigan, Pew's associate director of research. Mobile addicts primarily talk and text, of course, but music and news updates are increasingly compelling. Song Identity, which uses software to ID songs, and sports news app ESPN MVP are two of the most-downloaded mobile applications besides instant messaging and navigation programs, according to data from Nielsen Mobile.

While Young supports the classification of Internet addiction as a specific disorder in the next edition of the Diagnostic and Statistical Manual of Mental Disorders (due in 2013), others prefer the terms "dependence" and "heavy reliance" upon technology. "People with addictive predilections may simply glom onto tech," says Pew's Horrigan. "The jury's still out regarding cause and effect."

Blanchard, the self-confessed technology addict, crafted his own solution. He has deleted work e-mail and Twitter alerts from his iPhone and ceased scanning blog posts on Google Reader while at home or out with friends. But he hasn't let go altogether. When Forbes.com contacted him for comment, he Twittered out a message: "Just got an e-mail from Forbes.com wanting to mention one of my blog posts. Pretty cool!"


Steve Job

IT 2008. 10. 4. 13:20

Steve Jobs' Nine Lives

Brian Caulfield

Now we know what Steve Jobs--and citizen journalism--is really worth.

BURLINGAME, CALIF. -

The U.S. Securities and Exchange Commission is investigating a post made to CNN's iReport Web site after a "citizen blogger" claimed Friday that Apple Chief Executive Steve Jobs was rushed to a hospital after suffering a heart attack, CNN has confirmed.

Memo to citizen journalists. Steve Jobs cannot die. His fingers shoot laser beams. He gobbles (organic) lithium-ion batteries. Where the rest of us have a heart, Jobs has a miniaturized rack of Apple (nasdaq: AAPL) XServe computers, each powered by a pair of quad-core Intel Xeon microprocessors and Apple's OS X operating system.

At least, that's as credible a tale as the one peddled by the citizen blogger on Friday.

The report sent Apple shares down to $94.65 a share from $105.04 in early Friday trading. That means $9 billion of market value evaporated in less time than it took for Dorothy to liquidate the Wicked Witch of the West with a bucket of cold water. Apple's stock snapped back as soon as an Apple spokesman emphatically denied the report.

In a statement, CNN said the "fraudulent content" was removed from its iReport citizen journalism site and the user's account was disabled. CNN is also cooperating with the SEC on the matter, said CNN spokesperson Jennifer Martin. The posting on iReport was "not vetted or reported by CNN journalists" and was yanked at 10 a.m. Eastern time after it was brought to the editor's attention by iReport's user community.

The flap does shed some light on the value of Steve Jobs and the sometimes chaotic effect of citizen journalism.

You tell us: What is Apple Chief Executive Steve Jobs worth to Apple? To the economy? Is it simply crass to estimate those kinds of values? What does Friday's flap say about citizen journalism? Let us know in the Reader Comments section below.

Let's start with Jobs. He has a personal net worth of $5.4 billion. But what is Jobs worth to investors? Let's figure that it's typically the second heart attack that gets you, not the first. That means investors figured Jobs was only half dead. Multiply $9 billion times two, and we get $18 billion.

That's right. Jobs' life is worth more than the 10 most valuable paintings on earth ($1.2 billion), the new Yankee Stadium ($1.3 billion), the Space Shuttle Endeavor ($1.7 billion), General Motors (nyse: GM) ($5.3 billion) and 300 tons of gold put together.

And how about CNN's experiment with citizen journalism, which allows anonymous readers to submit news reports that can move markets? The stock price of TimeWarner, which owns CNN, didn't twitch much. So we'd have to conclude that it meant pretty much nothing.

Good thing Jobs is so hard to get rid of. He rose to fame as the charismatic young co-founder of one of the first personal computer companies, Apple. Just a few months after his 30th birthday in 1985, Jobs was booted out of Apple by John Sculley, the executive he had recruited from Pepsi (nyse: PEP) to run the company.

It looked as if he would share the fate of so many of Silicon Valley's most successful entrepreneurs: rich, but unable to take his company, or career, to the next level. But that would be only the first of his nine lives.

Jobs built NeXT Computer using ideas that would later show up in products that sparked a renaissance at Apple. He bought Pixar, the company that breathed new life into animation, by digitizing it. And then, of course, Jobs resurrected Apple in 1996 when the board brought him back. He grabbed a cash infusion from Microsoft (nasdaq: MSFT) in 1997 and began pounding out products: the iMac line of all-in-one computers in 1998, the iPod in 2001 and the iPhone in 2007.

So, let's do the math. First, let's add up the career turnarounds: Jobs survived getting fired, saved Apple in the late 1990s, rebuilt digital animation with Pixar, turned Apple into a media giant with the iPod and iTunes and snatched the smart phone industry from the nerdy clutches of Microsoft. (See "Ten Great Steve Jobs Moments.")

Now, add in the health scares: Jobs' 2003 scare with pancreatic cancer, an obituary that Bloomberg accidentally ran in August after Jobs appeared gaunt at a conference in June, and Friday's false report of a heart attack. The obituary didn't jar the stock: Even though it was an official obit, there were plenty of disclaimers on top from the reporter who was warning editors not to press the "print" button.

That means Jobs is only on his eighth life. If he were a cat, he'd have only one left. He's not, of course.

The fact is that Steven P. Jobs is a robot from the future.

Laugh if you will, but it's a heck of a lot more credible than anything you'll read from an anonymous "citizen journalist" on the matter.


Mr. Moskovitz founded the social-networking Web site with Mark Zuckerberg, who is now Facebook's chief executive, while they were both students at Harvard University several years ago.

Justin Rosenstein, a Facebook engineering manager, will also leave the company to join Mr. Moskovitz in starting a new software business. In a message left on Mr. Moskovitz's Facebook page, the two said they have been working on software for business users and wanted to incorporate the software into Facebook.

"But at some point it became clear that doing so wouldn't be good for Facebook or for us," he wrote. Mr. Moskovitz wrote that he sees the new venture as complementary to Facebook.

Several other executives have left Facebook over the past 18 months, including Owen van Natta, who served as chief revenue officer and chief operations officer; Adam D'Angelo, its former chief technology officer; and Matt Cohler, vice president of product management.

"Dustin has always had Facebook's best interest at heart and will always be someone I turn to for advice," said Mr. Zuckerberg in a statement.
