7/24/2012

Springer Lecture Notes in Computer Science (LNCS) style

When working on a recent paper for a conference, I was required to produce it using the Springer Lecture Notes in Computer Science (LNCS) style. Being naive, I assumed TeX would automatically download the required package... unfortunately I got the following error: "LaTeX Error: File `llncs.cls' not found." So I had to install the class manually. Here are the instructions for installing it on Mac OS X for the MacPorts LaTeX distribution.
  1. Download the llncs2e.zip package from the Springer website [1]
  2. Unzip the file into the TeX Live distribution location for MacPorts, i.e. /opt/local/share/texmf-texlive-dist/tex/latex
  3. Rebuild the ls-R databases by executing sudo texhash
  4. To set up the bibliography style, change directory using cd /opt/local/share/texmf-texlive-dist/bibtex/bst
  5. Make a directory to hold the style: sudo mkdir splncs; cd splncs
  6. Either copy or link the files: sudo ln -s ../../../tex/latex/llncs2e/*.bst .
TexLive
If you are using a variant of TeX Live such as MacTeX, then you can copy the style files (*.bst) into "/usr/local/texlive/2012/texmf-dist/bibtex/bst/splncs" and the tex files into "/usr/local/texlive/2012/texmf-dist/tex/latex/llncs", and finally update the ls-R database using "sudo /usr/local/texlive/2012/bin/x86_64-darwin/texhash".


Makefile
My Makefile now runs without issues. Here's a copy of it (recipe lines are tab-indented, as make requires).

# Base name of the main .tex file (paper.tex)
PROJ=paper

# Host OS, used below to pick a PDF viewer
OS := $(shell uname -s)

.PHONY: all pdf diff readdiff read clean cleandiff

all: pdf

# pdflatex, bibtex, then two more pdflatex passes so that citations and
# cross-references resolve
pdf: $(PROJ).tex
	pdflatex $(PROJ)
	bibtex $(PROJ)
	pdflatex $(PROJ)
	pdflatex $(PROJ)

# Build a change-marked PDF of the current draft against $(PROJ)-original.tex
diff: $(PROJ)-original.tex $(PROJ).tex
	latexdiff $(PROJ)-original.tex $(PROJ).tex > $(PROJ)-diff.tex
	pdflatex $(PROJ)-diff
	bibtex $(PROJ)-diff
	pdflatex $(PROJ)-diff
	pdflatex $(PROJ)-diff

# Open the diff PDF in the platform's viewer
readdiff:
ifeq ($(OS), windows32)
	start ${PROJ}-diff.pdf
endif
ifeq ($(OS), Darwin)
	open -a /Applications/Preview.app/Contents/MacOS/Preview ${PROJ}-diff.pdf
endif
ifeq ($(OS), Linux)
	acroread ${PROJ}-diff.pdf
endif

# Open the paper PDF in the platform's viewer
read:
ifeq ($(OS), windows32)
	start ${PROJ}.pdf
endif
ifeq ($(OS), Darwin)
	open -a /Applications/Preview.app/Contents/MacOS/Preview ${PROJ}.pdf
endif
ifeq ($(OS), Linux)
	acroread ${PROJ}.pdf
endif

# Remove LaTeX/BibTeX build products
clean:
	rm -f ${PROJ}.ps ${PROJ}.pdf ${PROJ}.log ${PROJ}.aux ${PROJ}.out ${PROJ}.dvi ${PROJ}.bbl ${PROJ}.blg ${PROJ}.toc

cleandiff:
	rm -f ${PROJ}-diff.ps ${PROJ}-diff.pdf ${PROJ}-diff.log ${PROJ}-diff.aux ${PROJ}-diff.out ${PROJ}-diff.dvi ${PROJ}-diff.bbl ${PROJ}-diff.blg ${PROJ}-diff.toc

References
  1. http://www.springer.com/computer/lncs/lncs+authors?SGWID=0-40209-0-0-0

7/20/2012

My ant build.xml file

I am doing some development work using Java and am using ant to build my code. I decided to post a copy of the build.xml file here... sorry about the formatting.


<project name="TODO-PROJ-NAME" basedir="." default="main">
    <property name="username"    value="TODO-USERNAME"/>
    <property name="proj.name"   value="TODO-PROJ-NAME"/>
    <property name="proj.ver"    value="TODO-VER"/>
    <property name="proj.owner"  value="TODO-COPYRIGHT"/>

    <tstamp>
        <format property="TODAY" pattern="yyyy-MM-dd HH:mm:ss" />
    </tstamp>
    
    <property name="src.dir"     value="src"/>
    <property name="build.dir"   value="bin"/>
    <property name="lib.dir"     value="lib"/>
    <property name="classes.dir" value="${build.dir}/classes"/>
    <property name="jar.dir"     value="${build.dir}/jar"/>
    <property name="javadoc.dir"     value="${build.dir}/javadoc"/>

    <property name="main-class"  value="fj.com.kush.ui.TODO-PROJ"/>

    <path id="project.classpath">
        <fileset dir="${lib.dir}">
            <include name="*.jar"/>
        </fileset>
        <pathelement path="${classes.dir}"/>
    </path>


    <target name="clean">
        <delete dir="${build.dir}"/>
        <delete>
            <fileset dir="." includes="**/*~" defaultexcludes="false"/>
        </delete>     
    </target>


    <target name="compile">
        <mkdir dir="${classes.dir}"/>
        <!-- debuglevel is passed to javac as -g:... and must be a comma-separated keyword list -->
        <javac destdir="${classes.dir}" includeantruntime="false" debug="true" debuglevel="lines,vars,source">
            <src path="${src.dir}"/>
            <classpath refid="project.classpath"/>
        </javac>
    </target>


    <target name="javadoc">
        <mkdir dir="${javadoc.dir}"/>
        <javadoc destdir="${javadoc.dir}">
            <fileset dir="${src.dir}"/>
        </javadoc>
    </target>


    <target name="release" depends="jar, javadoc" description="make a new release of the project"/>


    <target name="copy.properties">
        <mkdir dir="${classes.dir}"/>

        <patternset id="properties.files">
            <include name="**/*.properties"/>
        </patternset>

        <copy todir="${classes.dir}">
            <fileset dir="${src.dir}">
                <patternset refid="properties.files"/>
            </fileset>
        </copy>
    </target>


    <target name="jar" depends="compile,copy.properties">
        <mkdir dir="${jar.dir}"/>
        <jar destfile="${jar.dir}/${ant.project.name}.jar" basedir="${classes.dir}">
            <manifest>
                <attribute name="Implementation-Title" value="${proj.name}"/>
                <attribute name="Implementation-Version" value="${proj.ver}"/>
                <attribute name="Implementation-Vendor" value="${proj.owner}"/>
                <attribute name="Main-Class" value="${main-class}"/>
                <attribute name="Built-By" value="${username}"/>
                <attribute name="Built-Date" value="${TODAY}"/>
                <attribute name="Class-Path" value="./"/>
            </manifest>
        </jar>
    </target>


    <target name="run" depends="jar">
        <java jar="${jar.dir}/${ant.project.name}.jar" fork="true"/>
    </target>


    <target name="clean-build" depends="clean,jar"/>


    <target name="main" depends="clean,run"/>
</project>

5/08/2012

Microsoft Windows Server 2003 for Small Business Server Microsoft Exchange Mail Store unmounts

At 08:59hrs this morning I got a call from a customer who was unable to receive e-mail. Logging into their server, I discovered that there were indeed messages stuck in the Local Delivery queue. I checked the Application event log and found the following entry:

Event Type: Error
Event Source: MSExchangeSA
Event Category: MAPI Session 
Event ID: 9175
Date: 8/05/2012
Time: 9:12:31 AM
User: N/A
Computer: ***DELETED***
Description:
The MAPI call 'OpenMsgStore' failed with the following error: 
The attempt to log on to the Microsoft Exchange Server computer has failed.
The MAPI provider failed.
Microsoft Exchange Server Information Store
ID no: 8004011d-0512-00000000 


For more information, click http://www.microsoft.com/contentredirect.asp.

Further investigation led to an unmounted mail store. It was relatively easy to re-mount the store; however, the support link at http://support.microsoft.com/kb/896143 leads me to think it may not always be so easy. After getting the service back up and running, I revisited the logs and found that the event started at approximately 23:22hrs the previous night, and was preceded by the following message:


Event Type: Error
Event Source: MSExchangeSA
Event Category: Monitoring 
Event ID: 1005
Date: 7/05/2012
Time: 11:22:24 PM
User: N/A
Computer: ***DELETED***
Description:
Unexpected error <<0xc1050000 - The attempt to log on to the Microsoft Exchange Server computer has failed. The MAPI provider failed. Microsoft Exchange Server Information Store ID no: 8004011d-0512-00000000>> occurred. 


For more information, click http://www.microsoft.com/contentredirect.asp.


The support link at http://support.microsoft.com/kb/888179 did not provide much assistance in resolving the issue permanently, but I did check the allocated space and size of the mail store and the available space on disk and they were all OK.

5/07/2012

I had to do some maintenance work on a Linux based server

I had to do some maintenance work on a Linux based server. It was mainly just archiving some files and updating packages and configurations. However, as part of the maintenance I took the opportunity to put some simple technical security controls in place, and documented some of them here for my reference.

MySQL Database
There was a MySQL server running that was only needed by the local host, but "netstat -ltn" showed that it was not bound to any specific IP, i.e. it was listening on 0.0.0.0, so I bound it to the localhost address 127.0.0.1 by adding the entry bind-address=127.0.0.1 to /etc/my.cnf.

vi /etc/my.cnf
bind-address=127.0.0.1
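As an added example (not from the post), a small shell check that reads "netstat -ltn" output and flags services listening on every address, plus a helper that pins MySQL to loopback in a my.cnf-style file. The netstat sample and the function names are mine; the sed syntax assumes GNU sed as on the CentOS host.

```bash
#!/bin/sh
# Added example: find listeners bound to every address (0.0.0.0 / ::) in
# "netstat -ltn" output and set bind-address=127.0.0.1 in a my.cnf-style file.
# Function names and the sample output below are constructed, not from the post.

# Constructed "netstat -ltn" output: MySQL (3306) and sshd (4022) are wildcard-bound,
# the MTA (25) is loopback-only, and a web server listens on the IPv6 wildcard.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 0.0.0.0:3306                0.0.0.0:*                   LISTEN
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:4022                0.0.0.0:*                   LISTEN
tcp        0      0 :::80                       :::*                        LISTEN'

# Read netstat -ltn output on stdin; print "proto port" for each socket that is
# reachable on every interface (local address 0.0.0.0 or ::).
wildcard_listeners() {
    awk '$NF == "LISTEN" {
        addr = $4
        n = split(addr, part, ":")
        port = part[n]
        host = substr(addr, 1, length(addr) - length(port) - 1)
        if (host == "0.0.0.0" || host == "::")
            print $1, port
    }'
}

# Exit 0 when PORT (first argument) is wildcard-bound in the netstat output on
# stdin, 1 otherwise; use it to decide whether a service needs a bind-address
# setting or a firewall rule.
is_wildcard_bound() {
    wildcard_listeners | awk -v p="$1" '$2 == p { found = 1 } END { exit !found }'
}

# Set bind-address=127.0.0.1 in the [mysqld] section of the file given as the
# first argument: replace an existing bind-address line, or add one directly
# after the [mysqld] header (GNU sed syntax).
set_mysql_bind_localhost() {
    cfg="$1"
    if grep -q '^bind-address' "$cfg"; then
        sed -i 's/^bind-address.*/bind-address=127.0.0.1/' "$cfg"
    else
        sed -i '/^\[mysqld\]/a bind-address=127.0.0.1' "$cfg"
    fi
}

# Demonstration on the constructed data; only a temporary file is touched.
printf '%s\n' "$SAMPLE_NETSTAT" | wildcard_listeners
tmpcnf=$(mktemp)
printf '[mysqld]\ndatadir=/var/lib/mysql\n' > "$tmpcnf"
set_mysql_bind_localhost "$tmpcnf"
cat "$tmpcnf"
rm -f "$tmpcnf"
```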

RKHunter Rootkit Anti-malware
I installed the new version of rkhunter and modified the configuration file to suit.

yum install rkhunter
vi /etc/rkhunter.conf
PKGMGR=RPM
ENABLE_TESTS="all"
DISABLE_TESTS="none"
SCAN_MODE_DEV=THOROUGH 
rkhunter --propupd --update --check --sk -l
vi /etc/rkhunter.conf
ALLOWHIDDENDIR=
ALLOWDEVFILE=

IPTables Firewall
Strangely enough there was no firewall configured on the host, so I quickly knocked up a script and saved it. Here's a snippet of the script that simply resets the rules, sets the default policies to drop and allows all local communications. There are additional parts that allow specific traffic through, but I have not put them up here, to obscure the services and IP addresses being used.

#!/bin/bash

#
# Global script variables
#

# Commands
IPTABLES=/sbin/iptables

# Network interfaces and addresses
LOOP_IFACE=lo
LAN=192.168.100.0/24
LAN_ADDR=192.168.100.201
LAN_IFACE=eth0

# Port numbers
NAMED_PORT=53
NETFLOW_PORT=9996
NTP_PORT=123
PRIV_PORTS=1:1024
SMB_PORTS=137:139
SSHD_PORT=4022
UNPRIV_PORTS=1025:65535


#
# Manage kernel parameters
#

echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/ip_forward


#
# Configure default table policies
#

$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP


#
# Initialise tables - flush rules, remove chains, zero counts
#

$IPTABLES -F
$IPTABLES -F -t mangle
$IPTABLES -F -t nat

$IPTABLES -X
$IPTABLES -X -t mangle
$IPTABLES -X -t nat

$IPTABLES -Z


#
# Allow all local loopback traffic
#

$IPTABLES -A INPUT -i $LOOP_IFACE -j ACCEPT
$IPTABLES -A OUTPUT -o $LOOP_IFACE -j ACCEPT


#
# Allow all traffic that is part of a related or established connection in
#

$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT


#
# Politely reject SMB traffic
#

$IPTABLES -A INPUT -i $LAN_IFACE -p tcp --dport $SMB_PORTS -j REJECT
$IPTABLES -A INPUT -i $LAN_IFACE -p udp --dport $SMB_PORTS -j REJECT


#
# Allow icmp pings
#

$IPTABLES -A INPUT -i $LAN_IFACE -s $LAN -d $LAN_ADDR -p icmp --icmp-type echo-request -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -o $LAN_IFACE -s $LAN_ADDR -d $LAN -p icmp --icmp-type echo-reply -m state --state ESTABLISHED,RELATED -j ACCEPT


#
# *** DELETED SERVICES SPECIFIC RULES TO IMPLEMENT SECURITY BY OBSCURITY ***
# 


#
# Debugging - log all other traffic *** DO NOT USE IN PRODUCTION ENVIRONMENT ***
#
#
#$IPTABLES -A INPUT -i $LAN_IFACE -j LOG --log-prefix "rc.firewall "
#


ClamAV Anti-virus
ClamAV is an open source anti-virus package for Linux. I installed it using the yum package manager, configured the AV to scan daily, and used freshclam to ensure that the virus definitions are updated hourly.
yum install clamav clamd clamav-db

vi /etc/cron.hourly/freshclam
#!/bin/bash
/usr/bin/freshclam --quiet -l /var/log/clamav/freshclam.log

vi /etc/cron.daily/clamscan
#!/bin/bash
/usr/bin/clamscan -r / --exclude-dir=/proc --quiet --infected --log=/var/log/clamd/clamscan

Fail2Ban Intrusion Prevention
fail2ban is an interesting intrusion prevention system that parses system logs to dynamically update firewall rules to stop potential intrusion attempts. It supports several other mechanisms, but I was only interested in the firewall and SSH access.


yum install fail2ban
vi /etc/ssh/sshd_config
SyslogFacility LOCAL5
LogLevel INFO

vi /etc/syslog.conf
local5.info                                     /var/log/sshd/sshd.log

vi /etc/fail2ban/jail.conf
[ssh-iptables]
enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=*DELETED*, sender=*DELETED*]
logpath  = /var/log/sshd/sshd.log
maxretry = 2
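As an added example (not from the post or from fail2ban itself), the log-parsing step that the ssh-iptables jail above performs, reduced to a shell function: count failed sshd logins per source address and print, for every address that reaches maxretry, the DROP rule fail2ban's iptables action inserts into its fail2ban-SSH chain. The findtime window is ignored, the rules are only printed, and the sample log lines, addresses and function names are constructed.

```bash
#!/bin/sh
# Added example: what the sshd filter + iptables action of the jail above do,
# as a plain shell check. Nothing is applied; rules are printed only.
# Sample log lines and addresses are constructed for the demo.

SAMPLE_SSHD_LOG='May  7 22:01:11 host sshd[4101]: Failed password for invalid user admin from 203.0.113.7 port 51100 ssh2
May  7 22:01:14 host sshd[4101]: Failed password for invalid user admin from 203.0.113.7 port 51101 ssh2
May  7 22:01:19 host sshd[4104]: Failed password for root from 203.0.113.7 port 51102 ssh2
May  7 22:05:02 host sshd[4110]: Accepted publickey for jsmith from 192.168.100.50 port 40222 ssh2
May  7 22:06:40 host sshd[4115]: Failed password for jsmith from 192.168.100.50 port 40230 ssh2
May  7 22:07:55 host sshd[4120]: Failed password for invalid user oracle from 198.51.100.23 port 33000 ssh2
May  7 22:07:58 host sshd[4120]: Failed password for invalid user oracle from 198.51.100.23 port 33001 ssh2'

# Reads sshd log lines on stdin; prints "count address" for each source
# address with failed password attempts, most failures first.
failed_logins_by_source() {
    awk '/sshd\[[0-9]+\]: Failed password for .* from / {
        for (i = 1; i <= NF; i++)
            if ($i == "from") { n[$(i + 1)]++; break }
    }
    END { for (ip in n) print n[ip], ip }' | sort -rn
}

# First argument: maxretry, as in jail.conf. Reads sshd log lines on stdin and
# prints the ban rule for every address whose failure count reached maxretry
# (the chain name fail2ban-SSH follows the action's name=SSH parameter).
ban_rules() {
    failed_logins_by_source | awk -v maxretry="$1" '$1 + 0 >= maxretry + 0 {
        printf "iptables -I fail2ban-SSH 1 -s %s -j DROP\n", $2 }'
}

printf '%s\n' "$SAMPLE_SSHD_LOG" | failed_logins_by_source
printf '%s\n' "$SAMPLE_SSHD_LOG" | ban_rules 2
```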


Legal notices
The client wanted some legal notices and disclaimers on the host for various reasons, one of them being to notify employees that their usage was being monitored. I stuck the disclaimer from their legal department (it looked pretty generic though) into /etc/issue and created a link from /etc/issue.net to it.


10/31/2011

Installing OpenVPN 2.2 on Centos 5.7

OpenVPN is an SSL based VPN. There are other VPN solutions such as IPsec, but OpenVPN provides a cost effective alternative. I like OpenVPN as it supports two-way authentication, i.e. both the client and server authenticate using certificates. To install OpenVPN on CentOS we need a number of cryptographic libraries. The simplest way is to use the DAG/RPMForge repository.

Set up the RPMForge repository [1], as this contains the packages necessary for the installation; the instructions are provided below. The instructions below are just to document this specific installation, and therefore this blog post is not to be misinterpreted as a best practices guide. The instructions are adapted from the OpenVPN website [2], but this blog post is intended more as a quick and dirty guide to getting OpenVPN running on CentOS 5.7. Additionally, the set-up and configuration of the client is considered beyond the scope of this blog post.

  1. Install packages
    1. rpm -Uhv http://apt.sw.be/redhat/el5/en/i386/rpmforge/RPMS/rpmforge-release-0.3.6-1.el5.rf.i386.rpm
    2. yum -y update
    3. yum -y install openvpn
  2. Set-up configuration files
    1. cd /etc/openvpn/
    2. cp /usr/share/doc/openvpn-2.2.0/sample-config-files/server.conf .
    3. mkdir -p /etc/openvpn/easy-rsa/keys
    4. cd /etc/openvpn/easy-rsa
    5. cp -rf /usr/share/doc/openvpn-2.2.0/easy-rsa/2.0/* .
    6. chmod o+x,g+x clean-all build-* vars whichopensslcnf pkitool inherit-inter list-crl revoke-full sign-req
  3. Edit the PKI configuration
    1. vi /etc/openvpn/easy-rsa/vars
      1. Also consider setting the key length using the KEY_SIZE variable: 1024 is the default, 2048 is better but slows down the TLS handshake; I am paranoid and use 4096 bit keys
      2. Set the country (KEY_COUNTRY), state (KEY_PROVINCE), locality (KEY_CITY), organisation name (KEY_ORG), and support email (KEY_EMAIL)
  4. Set up the PKI infrastructure. This involves making a certificate authority and then generating the server certificate and any client machine certificates
    1. Create the certificate authority
      1. . ./vars
      2. ./clean-all
      3. ./build-ca
      4. The CA key and certificate should now be in the keys directory inside the easy-rsa directory.
    2. Create certificate for the server
      1. ./build-key-server NAME_OF_SERVER
      2. Answer the questions and commit the certificate into the database
    3. Create the Diffie Hellman files
      1. These files are used for the actual key exchange to ensure the confidentiality over an insecure channel, aka the Internet. Based on the length of the key used (KEY_SIZE) it may take a while.
      2. ./build-dh
    4. Create the certificate for each client
      1. When doing this for clients, I generate one for each device a client may use; that way, if a device is stolen or goes missing, I only have to revoke a single certificate and the others keep working as they do. Not sure if this is a good approach, but it's definitely my quick and dirty (lazy) approach.
      2. ./build-key LAPTOP
      3. ./build-key HOME-DESKTOP
      4. ./build-key PDA
  5. Edit the server configuration file 
    1. vi /etc/openvpn/server.conf
    2. Check/change
      1. local
      2. proto
      3. dev
      4. port
      5. ca
      6. cert
      7. key
      8. dh
      9. max-clients
      10. user
      11. group
      12. log-append
      13. verb
  6. Start everything
    1. /etc/rc.d/init.d/openvpn start
    2. chkconfig --level 235 openvpn on
Possible Errors:
  1. If the OpenVPN server fails to start, ensure that logging is enabled, i.e. refer to log-append in the configuration file, and examine the log. A common error is that OpenVPN fails to open certain files; check that the paths to these files are specified correctly.
References:

10/30/2011

Installing OSSEC on Centos 5.7

OSSEC is an open source host-based IDS that performs log analysis, and is able to correlate and analyse logs for a number of Linux (and Windows, but that is outside the scope of this blog post) servers. The software architecture of OSSEC and its use of agents lend it to flexible deployment and management [1].

Setting up the Atomic repository, which already has the appropriate OSSEC packages, and installing them from there would be the easiest way. However, I have a strong dislike for the use of the /var partition (most system administrators, hmm... well, at least I have always set this up as a separate partition for ease of management and security reasons) as an install location, especially when it has been mounted "noexec".

Please Note
Firstly, there are a number of dependencies for some of the set-up below, such as Apache, PHP and MySQL, but the installation and secure configuration of these services are beyond the scope of this blog post. Secondly, the configuration below only sets up OSSEC as a monitor and does not run it as an IPS, i.e. as an active response alert handler.

Installation using the repository
  1. wget https://www.atomicorp.com/installers/atomic -O atomic.sh
  2. . ./atomic.sh
  3. yum -y update
  4. yum -y install ossec-hids ossec-hids-server ossec-wui
Installation using the tar ball source
  1. Download, compile and install the source
    1. wget http://www.ossec.net/files/ossec-hids-2.6.tar.gz
    2. tar zxvf ossec-hids-2.6.tar.gz
    3. cd ossec-hids-2.6/src
    4. make clean
    5. make setdb
    6. make all
    7. cd ..
    8. ./install.sh
      1. en
      2. local
      3. /opt/ossec
      4. y
      5. user@domain
      6. mx.domain
      7. y
      8. y
      9. n
  2. Setup mysql DB for logging
    1. Grant access to database
      1. mysql -u root -p
      2. grant INSERT,SELECT,UPDATE,CREATE,DELETE,EXECUTE on ossec.* to ossecuser@localhost;
      3. set password for ossecuser@localhost=PASSWORD('PASSWD');
      4. quit;
    2. Create database and tables
      1. mysqladmin -u root -p create ossec
      2. mysql -u root -p ossec < src/os_dbd/mysql.schema
    3. Edit the /opt/ossec/etc/ossec.conf file
      1. Check the wiki to setup logging to the database and syslog [2]
  3. Install the Web User Interface; you will need Apache and PHP
    1. Again, the installation and secure configuration of Apache is beyond the scope of this blog post. 
    2. wget http://www.ossec.net/files/ui/ossec-wui-0.3.tar.gz
    3. tar zxvf ossec-wui-0.3.tar.gz
    4. mkdir -p /var/www/html/ossec-wui
    5. cp -rf ./ossec-wui-0.3/* /var/www/html/ossec-wui/
    6. cd /var/www/html/ossec-wui/
    7. ./setup.sh
    8. Edit the ossec_conf.php to point to the ossec installation completed in the previous stage
      1. $ossec_dir="/opt/ossec";
  4. Start the OSSEC services
    1. /opt/ossec/bin/ossec-control enable database
    2. /opt/ossec/bin/ossec-control enable client-syslog
    3. /opt/ossec/bin/ossec-control start
Possible Errors:
  1. When executing OSSEC-WUI you may get a page that displays "Unable to access OSSEC directory". Ensure that the user your Apache web server runs as, e.g. httpd or apache, is added to the ossec group
    1. usermod -a -G ossec apache
  2. "Unable to retrieve alerts". Ensure that your web server is able to open the alerts file. This issue is two-fold: firstly ensure that the web server has permissions to open the file, and secondly that the fopen command is enabled in PHP.
    1. safe_mode Off
    2. safe_mode_gid On
  3. These two are not so much errors as warnings that will annoy your syslog server, depending on your PHP configuration.
    1. PHP Warning:  shell_exec() has been disabled for security reasons - This is because of a uname -a query in the /var/www/html/ossec-wui/lib/os_lib_agent.php script;
      1. //$agent_list[$agent_count]{'os'} = `uname -a`;
      2. $agent_list[$agent_count]{'os'} = "Linux";
    2. PHP Warning:  fseek() expects parameter 3 to be long - This may be a simple programming error in /var/www/html/ossec-wui/lib/os_lib_alerts.php
      1. //fseek($fp, $seek_place, "SEEK_SET");
      2. fseek($fp, $seek_place );
References:

10/29/2011

Installing Snort 2.9.1.2 on CentOS 5.7

CentOS 5.7 uses an older version of libpcap (0.9.4), but Snort's Data Acquisition Library (daq) needs a newer version of libpcap (>=1.0.0). This is not an issue with CentOS 6.0. Vishesh Kumar [1] provides excellent instructions for getting Snort 2.9 to run on RHEL 5 (http://www.linuxmantra.com/2010/10/install-snort-29-on-rhel-5.html). The purpose of this post is not to duplicate his efforts, but to extend them slightly into instructions for a complete Snort set-up.
  1. libpcap - http://www.tcpdump.org/release/libpcap-1.1.1.tar.gz [3]
  2. daq : http://www.snort.org/downloads/1221 [2]
  3. snort : http://www.snort.org/downloads/1207 [2]
Download and install the libraries and software as per the instructions below;
  1. Enable the Extra Packages for Enterprise Linux (EPEL) repository to allow the installation of additional packages not available under the standard repositories
    1. rpm -Uvh http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-4.noarch.rpm
    2. yum -y update
    3. yum -y upgrade
  2. Install the development tools needed to compile the libraries and source code, and the additional libraries and header files that are required later on
    1. yum -y groupinstall 'Development Tools'
    2. yum -y install pcre-devel
    3. yum -y install libdnet-devel
    4. yum -y install zlib-devel
    5. yum -y install mysql mysql-server mysql-devel mysql-bench
  3. Download, compile and install libpcap
    1. wget http://www.tcpdump.org/release/libpcap-1.1.1.tar.gz
    2. cd libpcap-1.1.1
    3. ./configure --prefix=/usr
    4. make && make install
  4. Download, compile and install daq
    1. wget http://www.snort.org/downloads/1221 -O daq-0.6.2.tar.gz
    2. cd daq-0.6.2
    3. ./configure
    4. make && make install
  5. Download, compile and install snort
    1. wget http://www.snort.org/downloads/1207 -O snort-2.9.1.2.tar.gz
    2. cd snort-2.9.1.2
    3. ./configure --with-mysql
    4. make && make install
  6. Download, compile and install Barnyard2
    1. wget --no-check-certificate https://github.com/firnsy/barnyard2/tarball/master -O firnsy-barnyard2-405761e.tar.gz
    2. tar zxvf firnsy-barnyard2-405761e.tar.gz
    3. cd firnsy-barnyard2-405761e
    4. ./autogen.sh
    5. ./configure --with-mysql
    6. make && make install
  7. Create the snort database on the MySQL engine
    1. mysqladmin -u root -p create snort
    2. mysql -u root -p -D snort < schemas/create_mysql
    3. mysql -u root -p
      1. GRANT CREATE,INSERT ON root.* TO snort@localhost IDENTIFIED BY 'PASSWORD';
      2. GRANT CREATE,INSERT,SELECT,DELETE,UPDATE ON snort.* TO snort@localhost IDENTIFIED BY 'PASSWORD';
  8. To get the current registered user rules, you need to sign up and obtain an Oinkcode. The Oinkcode is used for downloading the rules and with pulledpork.
    1. Sign in or request an account from https://www.snort.org/login
    2. Get your oinkcode after signing in from https://www.snort.org/account/oinkcode
    3. cd etc
    4. wget http://www.snort.org/reg-rules/snortrules-snapshot-.tar.gz/OINKCODE -O snortrules-snapshot-LATEST.tar.gz
    5. tar zxvf snortrules-snapshot-LATEST.tar.gz
  9. Set up the configuration and rules files for snort
    1. mkdir -p /etc/snort
    2. mv -f etc/* .
    3. rmdir etc/
    4. mv snortrules-snapshot-LATEST.tar.gz ../../
    5. rm -f Makefile Makefile.am Makefile.in
    6. cp -rf * /etc/snort/
  10. Edit the snort configuration
    1. vi /etc/snort/snort.conf
      1. ipvar HOME_NET
      2. var RULE_PATH rules
      3. var SO_RULE_PATH so_rules
      4. var PREPROC_RULE_PATH preproc_rules
      5. output database: log, mysql, user=snort password=PASSWORD dbname=snort host=localhost
      6. output alert_syslog: LOG_LOCAL6 LOG_ALERT
  11. Edit the syslog.conf file to log alerts to a separate file and restart the syslog daemon
    1. Include the line "local6.*        /var/log/snort/alerts.log" in syslog.conf
    2. /etc/rc.d/init.d/syslog restart
  12. Test the snort installation, and set up the environment to run snort if all is OK
    1. snort -c /etc/snort/snort.conf -T
    2. useradd -G snort snort -s /bin/false
    3. chown -R root:snort /var/log/snort
    4. chmod -R g+w /var/log/snort
  13. Configure barnyard [4]
    1. mkdir -p /var/log/barnyard2
    2. chmod 666 /var/log/barnyard2
    3. touch /var/log/snort/barnyard2.waldo
    4. cp etc/barnyard2.conf /etc/snort/
    5. Edit /etc/snort/barnyard2.conf
      1. output database: log, mysql, user=snort password= dbname=snort host=localhost
      2. config hostname:   localhost
      3. config interface:  eth0
  14. You can get snort to start automatically by writing a custom script to start/stop/restart the daemon, or simply by kicking it off when the machine boots. Edit the rc.local file and put the following in
    1. /usr/local/bin/snort -D -u snort -g snort -c /etc/snort/snort.conf -i eth0
    2. /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /var/log/snort/barnyard2.waldo -D
Common Errors:
  1. ERROR: parser.c(5261) Could not stat dynamic module path "/usr/local/lib/snort_dynamicrules": No such file or directory.
     Fatal Error, Quitting..
    1. mkdir -p /usr/local/lib/snort_dynamicrules
    2. cp /etc/snort/so_rules/precompiled/DIST/i386/2.9.0.0/* /usr/local/lib/snort_dynamicrules/
  2. ERROR: /etc/snort/rules/web-misc.rules(555) Cannot use the fast_pattern content modifier for a lone http cookie/http raw uri /http raw header /http raw cookie /status code / status msg /http method buffer content.
     Fatal Error, Quitting..
    1. The fast_pattern option cannot be used with the http_method string. Edit the web-misc.rules file and remove it from the snort rule: search for "2010-0388" and remove the fast_pattern option from that alert rule.
  3. ERROR: /etc/snort/snort.conf(244) => 'compress_depth' and 'decompress_depth' should be set to max in the default policy to enable 'unlimited_decompress'
     Fatal Error, Quitting..
    1. Edit the /etc/snort/snort.conf file and set the http_inspect compress_depth and decompress_depth to 65535 from 20480.
  4. ERROR: ByteExtract variable 'bugtraq' in rule [3:13897] is used before it is defined
    1. Ensure that the shared libraries copied above using "cp /etc/snort/so_rules/precompiled/DIST/i386/2.9.0.0/* /usr/local/lib/snort_dynamicrules/" are for the correct distribution
    2. Ensure that the rules being used are for the version of snort being used.
Please note:
  1. These instructions are for 32bit hardware; for 64bit machines you will need to select appropriate 64bit RPM packages or configure and compile with appropriate compiler switches. These are considered beyond the scope of this post.
  2. All instructions are executed with root privileges.
References:
  1. http://www.linuxmantra.com/2010/10/install-snort-29-on-rhel-5.html
  2. http://www.snort.org/snort-downloads?
  3. http://www.tcpdump.org/#latest-release
  4. http://www.snort.org/assets/145/Install_Snort_2.8.6_on_CentOS_5.5.pdf
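As an added example (not from the post), a shell triage of the alerts that the "output alert_syslog: LOG_LOCAL6 LOG_ALERT" line above sends to /var/log/snort/alerts.log: one function counts alerts per rule, the other lists the source addresses seen at or above a given priority. The sample syslog lines, rule SIDs, addresses and function names are constructed; the line layout is the standard Snort syslog alert format.

```bash
#!/bin/sh
# Added example: summarise Snort syslog alerts. Sample lines, SIDs (local rule
# range) and addresses are constructed for the demo, not from a real sensor.

SAMPLE_ALERTS='Nov  1 10:15:02 sensor snort[2187]: [1:1000001:2] LOCAL web scanner user-agent [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:51234 -> 192.168.100.201:80
Nov  1 10:15:03 sensor snort[2187]: [1:1000001:2] LOCAL web scanner user-agent [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:51235 -> 192.168.100.201:80
Nov  1 10:16:40 sensor snort[2187]: [1:1000002:1] LOCAL SSH brute force attempt [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.0.9:40022 -> 192.168.100.201:4022
Nov  1 10:20:11 sensor snort[2187]: [1:1000003:1] LOCAL ICMP sweep [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.7 -> 192.168.100.201
Nov  1 10:21:00 sensor snort[2187]: [1:1000001:2] LOCAL web scanner user-agent [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:51240 -> 192.168.100.201:80'

# Alert count per rule (gid:sid:rev) with its message, busiest rule first.
# Reads alert lines on stdin; prints "count gid:sid:rev message".
count_by_rule() {
    awk '{
        if (!match($0, /\[[0-9]+:[0-9]+:[0-9]+\] /)) next
        rule = substr($0, RSTART + 1, RLENGTH - 3)
        rest = substr($0, RSTART + RLENGTH)
        sub(/ \[Classification:.*$/, "", rest)
        msg[rule] = rest
        n[rule]++
    }
    END { for (r in n) print n[r], r, msg[r] }' | sort -rn
}

# Distinct source addresses of alerts at or above the given priority
# (1 = highest), handy for checking against the firewall rules.
# Reads alert lines on stdin; prints one address per line, sorted.
sources_at_priority() {
    awk -v maxp="$1" '{
        if (!match($0, /\[Priority: [0-9]+\]/)) next
        prio = substr($0, RSTART + 11, RLENGTH - 12) + 0
        if (prio > maxp) next
        nf = split($0, f, " ")
        src = f[nf - 2]            # "... {PROTO} src[:port] -> dst[:port]"
        sub(/:[0-9]+$/, "", src)   # drop the port, if any
        print src
    }' | sort -u
}

printf '%s\n' "$SAMPLE_ALERTS" | count_by_rule
printf '%s\n' "$SAMPLE_ALERTS" | sources_at_priority 1
```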

10/26/2011

Gnu Screen

Running some experiments on a VM server I rapidly ran out of patience having to wait for commands to run, and/or switching back and forth using Ctrl+Z, bg, and fg. My thoughts went back to Nick Black, who had introduced me to Gnu Screen several years back; alas I had forgotten the short-cuts. Thankfully Google and the man page came to the rescue.

Since the VM server was a CentOS 6.0 box with a minimal install, I had to install Gnu Screen using;

  1. yum -y install screen
Here's a summary of the shortcuts that may be useful;
  • Ctrl+A, c : create a new screen
  • Ctrl+A, A : set a name for the screen instead of the default shell name (bash)
  • Ctrl+A, " : list the screens available
  • Ctrl+A, n : switch to the next screen
  • Ctrl+A, p : switch to the previous screen

10/25/2011

APAcite on Mac OS X (Lion) with texlive

I recently had to rebuild my MacBook Pro (gasp!), and decided to upgrade to Lion. The whole process was relatively painless. Files were copied back from backups and updated from my SVN repositories; however, I had trouble installing the appropriate MacPorts package for the APAcite classes.

sudo port install texlive-bibtex-extra

The latter yielded errors, which were logged in

/opt/local/var/macports/logs/_opt_local_var_macports_sources_rsync.macports.org_release_tarballs_ports_perl_p5-text-bibtex/p5.12-text-bibtex/main.log

Since the dependency p5.12-text-bibtex could not be installed, examination of the log file provided the following clue: error: 'main' must return 'int'

The same error was reported for;

  1. /opt/local//var/macports/build/_opt_local_var_macports_sources_rsync.macports.org_release_tarballs_ports_perl_p5-text-bibtex/p5.12-text-bibtex/work/Text-BibTeX-0.60/btparse/tests/namebug.c
  2. /opt/local//var/macports/build/_opt_local_var_macports_sources_rsync.macports.org_release_tarballs_ports_perl_p5-text-bibtex/p5.12-text-bibtex/work/Text-BibTeX-0.60/btparse/tests/tex_test.c

Changing the return type of main from void to int in these two test files enabled the package to be installed without further issues.

10/17/2011

APAcite on Mac OS X with texlive

While compiling a LaTeX document, a blank template of my PhD thesis to be exact, I got the following error: "! LaTeX Error: File `apacite.sty' not found." Again, a quick search of MacPorts indicated that the texlive-bibtex-extra package was required. It was quickly installed using;

sudo port install texlive-bibtex-extra

A subsequent compile yielded more errors, this time "! Undefined control sequence. \abstract". This was solved using the texlive-latex-extra package, installed using;

sudo port install texlive-latex-extra

Then adding the following to define the abstract in the book documentclass;

% Define abstract in book documentclass
% (\onehalfspacing comes from the setspace package, which must be loaded in the preamble)
\pagestyle{empty}
\newenvironment{abstract}%
{
  \onehalfspacing%
  \null
  \vfill
  \chapter*{\centering Abstract}%
  \addcontentsline{toc}{chapter}{Abstract}
}%
{\vfill\null}

% Start the actual abstract
\begin{abstract}
\end{abstract}

More errors resulted: "! Use of \@year@ doesn't match its definition." I had to add "\bibliographystyle{apacite}" to the bibliography page, and all was well once again.
