I wanted to evaluate Suricata in its recommended configuration, using libpcap linked against the pf_ring library. But there are a lot of READMEs out there, a lot of them referring to older versions of pf_ring, and the pf_ring documentation itself isn’t very clear.
It took me some digging around and experimenting, but this blog post has a comment by Wil Metcalf that made it all much easier for me.
Succinctly: check out pf_ring revision 4079, then build the kernel modules, then the userland/lib stuff. You may need to add /usr/local/lib to /etc/ld.so.conf. I had trouble with the latest version of pf_ring on my RHEL 5.5 installation. YMMV by this point, of course.
You may also find this post to be useful, although it still talks about patching kernel sources.
Tangentially, but also useful if you’re relatively new to RHEL and kernel sources: you might find this post helpful too. I did, but there’s probably nothing new there for experienced RedHat admins.
Once you have pf_ring going, you’ll want to rebuild libpcap to link against pf_ring. I used vanilla source for this, and it was no problem with a straight ./configure && make. And now suricata:
./configure --enable-pfring --with-libpfring-libraries=/usr/local/lib --with-libpfring-includes=/usr/local/include
And that was pretty much it for me.
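A post-build sanity check for the steps above, added here as an example rather than taken from the original post. It assumes pf_ring's userland library lands under /usr/local/lib and that a libpcap or suricata binary built against pf_ring references the pfring_open symbol (so it catches both static and dynamic linking); adjust the paths to whatever --prefix you used.

```shell
#!/bin/sh
# Sanity-check a pf_ring-enabled Suricata build (added example, not from the post).
# Assumed layout: libpfring in /usr/local/lib, libpcap rebuilt against it, and a
# suricata configured with --enable-pfring. Adjust paths for a different --prefix.

# Does a library or binary reference pf_ring's API? The symbol name is present in
# the file whether libpfring was linked statically or dynamically.
has_pfring_symbols() {
    [ -r "$1" ] && grep -aq 'pfring_open' "$1"
}

# Is a dynamically linked binary actually resolving libpfring at run time?
# Only meaningful on the live box; returns 2 when ldd is not available.
links_libpfring() {
    command -v ldd >/dev/null 2>&1 || return 2
    ldd "$1" 2>/dev/null | grep -q 'libpfring'
}

# Does an ld.so.conf, or any file it includes (RHEL's "include ld.so.conf.d/*.conf"
# style, relative paths resolved against the conf's own directory), list $2 verbatim?
ldconf_has_dir() {
    local conf="$1" dir="$2" pattern f
    [ -r "$conf" ] || return 1
    grep -qxE "[[:space:]]*${dir}[[:space:]]*" "$conf" && return 0
    set -f   # keep include patterns literal until they are anchored to the right dir
    for pattern in $(sed -n 's/^[[:space:]]*include[[:space:]]\{1,\}//p' "$conf"); do
        set +f
        case $pattern in /*) ;; *) pattern="$(dirname "$conf")/$pattern" ;; esac
        for f in $pattern; do
            ldconf_has_dir "$f" "$dir" && return 0
        done
    done
    set +f
    return 1
}

# Run all three checks against the assumed install locations and report.
# Usage: check_pfring_build /usr/local/lib/libpcap.so /usr/local/bin/suricata
check_pfring_build() {
    status=0
    has_pfring_symbols "$1" || { echo "libpcap at $1 has no pf_ring symbols"; status=1; }
    ldconf_has_dir /etc/ld.so.conf /usr/local/lib \
        || { echo "/usr/local/lib missing from /etc/ld.so.conf"; status=1; }
    has_pfring_symbols "$2" || links_libpfring "$2" \
        || { echo "suricata at $2 is not built against pf_ring"; status=1; }
    return $status
}
```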
While examining flow records for a compromised host, I observed several connection attempts from various Chinese IPs, all in the same /24. The source port was always 80, the destination port always 33824. I don’t see anything obvious on the googles or sites like the Internet Storm Centre, so now there will (eventually) at least be something Google-able. I’d appreciate hearing from any other ITSec types about what this might be, either specifically or in general. My suspicion is this is probing for some botnet or another, with source port 80 to try to get by stupid firewalls, but I lack full content data to prove or disprove this theory.
Joel Rosenblatt describes methodology used at Columbia for tracking abuse complaints as automatically as possible.
Developuction: when a service or host intended for development gets pressed into production. Usually this is done in a reaction to some external event, and nearly always results in fail somewhere down the road. If sysadmins are lucky, it just means the service collapses under a load it wasn’t designed to handle. If they’re not lucky, it means that somebody took a shortcut that compromised security somewhere, and the box gets well and thoroughly pwned. This is nearly always the fault of the sysadmin and not the developer who wrote the code, or the manager who caused the service to be pressed into production.
Developuction is a fact of life for many system administrators, and points to one or more serious issues in their shops. For instance, they could lack professionalism. This is generally ignorance, which is sometimes willful. They could have been granted no authority over technical decisions, in which case management needs to understand why it is that professionals are hired. But ultimately, it’s a sign that short-term answers are favoured over sustainable long-term stability. Sometimes shops get lucky with developuction, and later they run into trouble when this luck is confused with competence.
We’ve all done developuction at some point or another. Sometimes it really is the best way to solve a problem. The key is understanding when it’s acceptable, and being able to properly analyze the risks involved. It helps if you’ve not treated the development machines as a place where processes don’t matter because “it’s just a dev box.”
Actual conversation I just had with a new Windows XP box:
XP: O HAI U R NOT UPDATIN
me: yeah, I’d like to go upd-
XP: OH HAI U R NOT UPDATIN AND U HAZ NO AV
me: yeah, I was about to –
XP: O HAI, WOULD YOU LIKE ME TO UPDATE?
me: ok, so go upd-
XP: O HAI WOULD YOU LAIK A TOUR?
Dealing with Windows is just like dealing with an ADHD child who also has HIV and you have the cure except you can’t inject it into the kid because it’s whirling around in a circle showing you the new dance it just made up.
And then when you’ve just about caught it, some dude in a black hat walks in and shoots your ADHD HIV+ kid in the head and the kid turns into a zombie and tears your throat out just before turning all your other kids into zombies too.
Life with Windows: like life with zombies, only infinitely more exciting.