November 16th, 2008 by firnsy
Consider this a small digression from a software update and an opportunity for a little venting of frustration and discontent at our current webhosting provider.
You may or may not have noticed some peculiarities with the website in the past 24 hours. Let me provide you some of the context behind these shenanigans.
Last night during a small development session on our NSMnow-1.2 branch, I noticed that some packages were not being retrieved from our website. No dramas, it’s probably my router crapping out again. It’s a good time for a break and the router will correct itself shortly.
15 minutes later …
So I’m watching “An American Haunting” with my girl and get a text from coops indicating the website is down for him as well. Hmmm … maybe this is more serious. So I open firefox and directly navigate to the page. It’s not there … Arrggh!!!
Coops calls and it appears as if the DNS has changed. That’s weird, our webhost didn’t let us know they were changing. We manage webhosting separately to our DNS and were certain we would get some notification of any changes. Continuing on, an nslookup on the new webhost IPs and name server IPs, and reflecting them on our DNS provider a short time later, had the site back up and running. Sweet!
How wrong we were: the server that was hosting was only current as of Oct 15, 2008. That’s a month of work missing. WTF?!
Jumping on the phone to get some answers we were very displeased with some of the following answers:
- “We didn’t inform you because there was no downtime on our hosting servers”
- “I’m sorry Sir, we cannot access the old servers to copy your information across”
Bloody Help Desk! … Serenity Now!! … Serenity Now!!!
Fortunately our backup regime is reasonably frequent so now things should be back to normal. We apologise for any inconvenience.
Thanks for listening, I feel better now.
Posted in Other | No Comments »
November 12th, 2008 by firnsy
Ooops!
We have identified what we consider to be a significant issue, regarding sancp, that worked its way into the 1.0 release. We regard it as significant because it removes a key piece of information (session data) that should be available to an NSM analyst.
More detail can be found in the NSMnow-1.1.1 update post.
One positive aspect of this stability update is that we are very happy with the Securix-NSM development framework, which allows us to easily generate updates to our ISO. This translates to quicker turnarounds on stability fixes and more frequent updates.
Now that can only be a good thing. Enjoy!
Posted in Securix-NSM | 2 Comments »
November 12th, 2008 by firnsy
Recently a rather significant issue with sancp 1.6.2 (release.C) was identified which prevented sguil client users being able to perform queries on the sancp data.
Whilst the data was being captured by sancp, unfortunately it was not making its way to the sguil server, as sancp was not flushing its data to file at the expected intervals. The only way to force sancp to flush its information to file was to force-close the process and restart it. This is not the ideal solution and so we have reverted to 1.6.1, which we have confirmed works as expected.
It was also a good time to update barnyard2 to a recent 2-0.5 version so that made its way into this stability update.
Enjoy!
Posted in Network Security Monitoring | No Comments »
November 11th, 2008 by firnsy
Given that all our work is typically built on a Debian system and tested on at least Debian/Ubuntu systems, we don’t always expect it to work on others straight out of the box. We’ve had some feedback recently on the efforts to compile barnyard2 on FreeBSD machines, and with a little TLC we’ve applied the appropriate patches for it to work.
In addition we tracked down a peculiar bug with relatively addressed (relative path) filenames in batch mode, which should now work as expected.
And finally the parameter parsing of the spo_sguil output plugin has been modified to align with the spo_database output plugin and now expects “key=value” pairs in the configuration file instead of the old “key value” pairs.
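As an added example of the “key=value” argument form the spo_sguil plugin now expects (this is illustration code, not barnyard2’s own parser), here is a small C routine that splits a plugin argument string into pairs, tolerates surrounding whitespace and trailing commas, and rejects the old “key value” form outright rather than silently accepting half a configuration. The parameter names sensor_name and agent_port are assumptions used for the sample input.

```c
/* Added example, not barnyard2's own code: parse "key=value, key=value"
 * plugin arguments and reject the old "key value" form.
 * Parameter names in the sample input (sensor_name, agent_port) are assumed. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define MAX_PAIRS 16
#define MAX_LEN   64

struct kv { char key[MAX_LEN]; char value[MAX_LEN]; };

/* Strip leading and trailing whitespace in place; returns the new start. */
static char *trim(char *s) {
    while (isspace((unsigned char)*s)) s++;
    char *end = s + strlen(s);
    while (end > s && isspace((unsigned char)end[-1])) end--;
    *end = '\0';
    return s;
}

/* Parse a comma-separated argument string into key/value pairs.
 * Returns the number of pairs parsed, or -1 if any token is malformed:
 * no '=' (the old "key value" form), an empty or space-containing key,
 * an over-long key or value, or more pairs than 'max' allows. */
int parse_plugin_args(const char *args, struct kv *out, int max) {
    int n = 0;
    const char *p = args;
    while (*p) {
        const char *comma = strchr(p, ',');
        size_t len = comma ? (size_t)(comma - p) : strlen(p);
        char tok[2 * MAX_LEN];
        if (len >= sizeof tok) return -1;
        memcpy(tok, p, len);
        tok[len] = '\0';
        char *t = trim(tok);
        if (*t) {                          /* empty tokens (",,") are skipped */
            char *eq = strchr(t, '=');
            if (!eq) return -1;            /* "key value" style is rejected */
            *eq = '\0';
            char *k = trim(t), *v = trim(eq + 1);
            if (*k == '\0' || strpbrk(k, " \t") ||
                strlen(k) >= MAX_LEN || strlen(v) >= MAX_LEN || n >= max)
                return -1;
            strcpy(out[n].key, k);
            strcpy(out[n].value, v);
            n++;
        }
        p = comma ? comma + 1 : p + len;
    }
    return n;
}

/* Look up a key among parsed pairs; NULL if absent. */
const char *lookup(const struct kv *kv, int n, const char *key) {
    for (int i = 0; i < n; i++)
        if (strcmp(kv[i].key, key) == 0) return kv[i].value;
    return NULL;
}

/* Convenience wrappers returning plain values. */
int count_pairs(const char *args) {
    struct kv kv[MAX_PAIRS];
    return parse_plugin_args(args, kv, MAX_PAIRS);
}

int value_equals(const char *args, const char *key, const char *expect) {
    struct kv kv[MAX_PAIRS];
    int n = parse_plugin_args(args, kv, MAX_PAIRS);
    if (n < 0) return 0;
    const char *v = lookup(kv, n, key);
    return v != NULL && strcmp(v, expect) == 0;
}

int main(void) {
    /* constructed sample config lines, new form then old form */
    const char *good = "sensor_name=sensor1, agent_port=7735";
    const char *old  = "sensor_name sensor1, agent_port 7735";
    printf("new form: %d pairs, old form: %d\n", count_pairs(good), count_pairs(old));
    return 0;
}
```

The point of returning -1 on the first malformed token, rather than skipping it, is that a plugin which quietly drops an unparsed “agent_port 7735” would start with a default port and fail later in a much less obvious way.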
Enjoy!
Posted in Barnyard2 | No Comments »
November 9th, 2008 by firnsy
With the large amount of feedback we received from the Knoppix-NSM distribution, we asked ourselves how we would do this if we had the time to do it again. What we’ve been working on over the past few months is a number of foundation applications, namely barnyard2 and NSMnow, that will aid the integration of security applications to provide a stable NSM framework.
Even with the simplicity of NSMnow, some people will still rather test out the features of something new via the easiest means possible. By today’s standards that means is typically a live CD or live USB medium.
Securix-NSM is the direct successor of Knoppix-NSM, based on a more pure Debian system, giving you all the benefits of the most used NSM applications pre-configured and ready to go. From our perspective this is the best mechanism for presenting NSM related applications on the Debian platform.
If you have any feedback or would even like to become involved with improving the Securix-NSM platform then by all means let us know.
So head over to the Securix-NSM project page to grab a copy. We’ll also keep the Knoppix-NSM links alive for some time until we’re happy that all documentation has been ported across and that a full transition has been completed.
Posted in Securix-NSM | No Comments »
October 15th, 2008 by firnsy
With paying jobs eating up a lot of our time this release has been a welcome relief from the daily slog. Whilst it’s primarily a cosmetic release, a lot of code has been cleaned making way for some additional features in the near future.
A small description of the changes is:
- To accommodate the rapid release cycles of Snort, additional fallback URLs are now provided.
- Unified status messaging in the init scripts.
- Init script code has undergone some significant restructuring.
- Cronjob entries moved from cron.daily to crontab.
- Additional error trapping and fault tolerance in the downloading of source tarballs.
Clearly a minor increment was well deserved given all these changes. Head to the project page and check out the new version.
Posted in Network Security Monitoring | No Comments »
September 26th, 2008 by firnsy
With the significant additions and changes to YubiPAM recently, some things were broken on Debian Etch systems. This update fixes an issue where pam_syslog() is not uniformly available across all systems. I personally blame my relatively newb status with the automake toolset. We appreciate all the feedback to keep this project evolving.
Head to the project page for the new version.
Posted in Yubikey | No Comments »
September 24th, 2008 by firnsy
It’s encouraging to know that our YubiPAM authentication module is getting some air time with people. Even better is the positive feedback we get from those using it.
We recently received a patch from Geoff Hoff that extended its functionality across all services. It now follows the model of the pam_unix module allowing lesser privileged services such as gnome-screensaver to authenticate with the database.
As a result of this there are a few additional steps that must be carried out to get the install working, including setting up an additional “yubiauth” group and setting some permissions for the helper binary and the Yubikey database, so make sure you at least skim over the INSTALL file.
In addition the default configuration will no longer echo in the clear and requires you to set the “verbose_otp” flag to enable echoing of the OTP. You wouldn’t think it adds a lot of additional security considering a One Time Password is only used … well … once. However, it does align with the better security practices.
I’ll keep using the “verbose_otp” flag.
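To make the “verbose_otp” behaviour concrete, here is an added C example (not YubiPAM’s own code) of how a PAM module parses the option list from its config line and picks the prompt style: echo stays off unless the flag is present. It also shows a cheap sanity check on the entered OTP before the module goes anywhere near its database, which matters more once the user can no longer see what they typed. The PAM_PROMPT_* constants mirror Linux-PAM’s numeric values and are defined locally so the example builds without libpam; the “debug” option and the helper names are assumptions for illustration.

```c
/* Added example, not YubiPAM's code: option parsing for a PAM module with
 * a verbose_otp flag, plus a structural check on a Yubikey OTP.
 * The constants mirror Linux-PAM's values (assumed here, not from the page)
 * and are defined locally so this builds without <security/pam_modules.h>. */
#include <stdio.h>
#include <string.h>

#define PAM_PROMPT_ECHO_OFF 1   /* ask for input, do not echo it */
#define PAM_PROMPT_ECHO_ON  2   /* ask for input, echo it back */

struct yubi_opts {
    int verbose_otp;   /* echo the OTP while it is typed */
    int debug;         /* assumed extra option for illustration */
};

/* PAM hands a module the words after its name on the config line as
 * argc/argv; flags are bare words, so a simple string compare suffices. */
void parse_options(int argc, const char **argv, struct yubi_opts *o) {
    o->verbose_otp = 0;
    o->debug = 0;
    for (int i = 0; i < argc; i++) {
        if (strcmp(argv[i], "verbose_otp") == 0) o->verbose_otp = 1;
        else if (strcmp(argv[i], "debug") == 0) o->debug = 1;
        /* unknown words are ignored, as most PAM modules do */
    }
}

/* Secure default: echo off unless the administrator opted in. */
int prompt_style(const struct yubi_opts *o) {
    return o->verbose_otp ? PAM_PROMPT_ECHO_ON : PAM_PROMPT_ECHO_OFF;
}

/* A Yubikey OTP is 44 modhex characters (12-char public id followed by a
 * 32-char encrypted token). Rejecting anything else before the database
 * lookup catches a blind typo or a password typed at the wrong prompt. */
int looks_like_yubikey_otp(const char *otp) {
    static const char modhex[] = "cbdefghijklnrtuv";
    if (strlen(otp) != 44) return 0;
    for (const char *p = otp; *p; p++)
        if (!strchr(modhex, *p)) return 0;
    return 1;
}

/* Convenience: prompt style for a given option list. */
int style_for_args(int argc, const char **argv) {
    struct yubi_opts o;
    parse_options(argc, argv, &o);
    return prompt_style(&o);
}

int main(void) {
    /* constructed option lists as they would appear after "pam_yubikey.so" */
    const char *quiet[] = { "debug" };
    const char *loud[]  = { "debug", "verbose_otp" };
    printf("default style: %d, with verbose_otp: %d\n",
           style_for_args(1, quiet), style_for_args(2, loud));
    /* constructed OTP: 12 'c' public id + 32 modhex token characters */
    const char *otp = "cccccccccccc" "bcdefghijklnrtuv" "bcdefghijklnrtuv";
    printf("otp structurally valid: %d\n", looks_like_yubikey_otp(otp));
    return 0;
}
```

The structural check is deliberately only about shape; whether the OTP is genuine is for the database and the AES decryption step to decide. Its value is in giving a clear error for the blind-typing case that echo-off introduces, rather than a confusing authentication failure.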
In the next few weeks I’ll be posting some screencasts of installing and configuring the YubiPAM module for:
- logging onto and locking a workstation, and
- SSH
So stay tuned…
Posted in Yubikey | No Comments »
September 16th, 2008 by firnsy
This is just a small update that fixes two little quirks that have recently been discovered. We are pleased with the overall stability and are currently looking at including support for other distributions (i.e. non-Debian-based).
The release notes summarise the updates. You can grab the new update from the download page.
Posted in Network Security Monitoring | No Comments »
September 8th, 2008 by firnsy
Some investigative work by Brian Gorka, and his mega multi-factor implementation, prompted this little release which now ensures YubiPAM stacks well with other modules in a PAM stack.
Additionally the documentation has been cleaned and refined to better get you started and provide some better guidance on configuring for troubleshooting. As YubiPAM continues to mature it is very important that everyone can assist us with ironing out the wrinkles.
This update will not affect existing database setups so feel free to use and abuse with reduced hassle.
Head to the project page.
Posted in Yubikey | No Comments »