Brain Dump: Ubuntu 7.04 Feisty Fawn, School, Giving Back, Blogging

I recently loaded up a new vir­tual machine with Ubuntu 7.04 Feisty Fawn (32-bit) run­ning on Vista Ulti­mate (64-bit) and have had no prob­lems thus far.  Every­thing works, dual mon­i­tors, sound, net­work­ing, etc…

I’m seri­ously impressed with the qual­ity of VMWare Work­sta­tion 6.  I’ve been a user of their prod­uct since ver­sion 4, and it’s done noth­ing but improve.  I’m also impressed with Ubuntu.  It took almost zero effort in order to get a work­ing sys­tem installed to disk. After the install a sim­ple sudo apt-get install build-essential was all I needed to get what I need for development.

My rea­sons for the linux vm are 2 fold. First of all I pre­fer it to win­dows as a “safer” plat­form to do my bank­ing and such on. Sec­ondly, I’ve started another class in my Master’s pro­gram at DePaul Uni­ver­sity, and it requires a linux sys­tem.  We’ll be learn­ing assem­bler from the programmer’s point of view; that is under­stand­ing what data struc­tures, con­trol state­ments, etc look like in assem­bler as well being able to take com­piled pro­grams and debug them at the assem­bler level to find/troubleshoot bugs.

I’ve also been spend­ing some time think­ing of ways to give to the secu­rity com­mu­nity.  One of my ways was recently men­tioned in a Secu­rity Cat­a­lyst Com­mu­nity forums post.  Basi­cally, cre­ate a matrix of secu­rity con­trols and com­mon imple­men­ta­tions cross ref­er­enc­ing them with all the dif­fer­ent secu­rity stan­dards out there. A per­son could for instance check all the con­trols they already have in place. The site would then list off the stan­dards they are already com­pli­ant with.  If they wanted, they could pick a stan­dard and it would list off both what they already have and what they are lack­ing. Not easy and not quick, but useful.

I’ve also been play­ing around with some type of more use­ful way to glean data from Check­Point fire­wall logs that have been exported to ASCII with the fwm log­ex­port –i <date> –o <date>.out –n –p –m raw com­mand. Specif­i­cally, I’m look­ing for ways to visu­ally make unusual activ­ity “jump” out at the ana­lyst. I’ve been able to cre­ate graphs of port usage over time, but haven’t got­ten the code into a state where com­par­i­sion against the stan­dard divi­a­tion is viable yet.  I also haven’t come up with a solid inter­face either.  Thus far its a hodge podge of perl scripts that can print graphs if STDOUT is redi­rected to a png file :) I’m debat­ing between open source, free soft­ware, web-based stuff and C# in a Win­dows App. The devel­oper in me wants to use C# since I’m very com­fort­able with the lan­guage, but the stu­dent in me wants to use perl, mysql, and php. Oh the choices!

Another inter­est­ing thing I’ve been mulling over is file carv­ing from libp­cap files. Often I find myself want­ing to grab a file that was sent over the net­work that I have a cap­ture of. I’ve been think­ing of 2 ways to solve this: (1) write my own parser for files as I need them or (2) con­tribute to the tcpx­tract project so that it works more accurately.

Well that’s my brain dump for now.  One of my goals is to use blog­ging as Richard Bejtlich has, and that’s as a per­sonal dump­ing ground to find thoughts, arti­cles, etc in case I need to refer back to them in the future. Let see how this works out!

Detailed WMF Analysis

As a fol­low up to the pre­vi­ous post I thought it might be use­ful to give an exam­ple of how these mul­ti­ple sets of infor­ma­tion could be used.

Here’s the process:
1) Snort Alert about WMF NumOb­jects being 0
2) I’m unable to deter­mine if the machine is patched
3) I look at net­work ses­sions lead­ing up to and then after the WMF file was accessed, noth­ing I wouldn’t expect
4) Look at event logs on the affected host and con­clude there was no abnor­mal activ­ity on the host

At this point I’m pretty sure the alert was a false pos­i­tive. But I’d like to know for sure. My plan of action then becomes to pull the pull the sus­pect file out of my full con­tent col­lec­tion sys­tem onto a *nix box. From there it can be eas­ily sent to www.virustotal.com for a quick check, as well as man­u­ally ana­lyzed by me.

Here’s some com­mands I ran and their respec­tive results.

  • file attach.wmz results in attach.wmz: gzip com­pressed data, from Win/32, max speed
  • gzip –dvf –suf­fix .wmz attach.wmz replaces it with attach
  • file attach results in attach: ms-windows meta­font .wmf
  • xxd attach pro­vides the fol­low­ing out­put:
    wmf_code

From here I was able to ver­ify that the file did indeed have a (ZERO) in the Num­berO­fOb­jects field using the infor­ma­tion pro­vided at this site: http://wvware.sourceforge.net/caolan/ora-wmf.html

Didier Stevens kindly pro­vided some assis­tance through the Secu­rity Cat­a­lyst Com­mu­nity by pro­vid­ing a tem­plate for the 010 Edi­tor. The tem­plate along with my analy­sis of the file is coming…