December 14, 2010: 6:09 pm: Network Tricks, Review

I saw the DualComm Ethernet switch/tap mentioned on my Twitter feed a few weeks back by @Pauldotcom.  Sniffing traffic is really difficult without a hub or a business-class switch that can mirror a port; the alternative is a dedicated PC passing the traffic through.  The DualComm tap provides a very simple and affordable way to tap traffic by putting a port-replicator feature into a small switch.

So I ordered the USB Powered 10/100 Ethernet Tap, model DCSW-1005.  It cost $59.95, and they take PayPal.

[Photo: the DualComm Ethernet tap]

It works like a champ.  I plugged it into a spare Apple USB power adapter where all my network hardware lives.  Then I patched the cable from my router's WAN port to port two of the switch, and port one went to my cable modem.  I tested and found all my Internet connectivity works fine, with no issues and no performance hit.  Then I just plugged port five of the Ethernet tap into an old ThinkPad laptop I keep for such things.  I did have to order a Linksys USB network adapter to give the ThinkPad a second interface for sniffing; the onboard NIC is used for normal network access, SSH, etc.  Ntop, Dsniff, URLSnarf and the rest all work perfectly off the tap.  It was amazing that I could not find a USB wired network adapter in any local store.  I had to order the Linksys adapter from Amazon.

All said and done, the DualComm DCSW-1005 works great!  And having it be USB powered means no dedicated power adapter to be lost or mislabeled.  If you need an Ethernet tap for your security work, this is a great find.

PS: If you are like me and forget how to put an interface into promiscuous mode under Ubuntu Linux, Andrew Hay has a great post on promisc mode setup that I keep handy.
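As an added example (my own, not code from the post or from Andrew Hay's write-up), here is how I would prepare the tap-facing NIC on the Ubuntu sniffer today with ip(8) rather than ifconfig: no address, promiscuous mode on, and a check that the flag really took. The interface name eth1 is an assumption; the post never names its USB adapter.

```shell
#!/bin/sh
# Added example: set up the tap-facing NIC on the Ubuntu sniffer as a listen-only interface.
# The interface name eth1 is an assumption; the post does not name its USB adapter.

# True when an `ip -o link show` line read from stdin carries the PROMISC flag.
# The flags sit inside the first <...> group, e.g.
#   3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast ...
has_promisc_flag() {
    sed -n 's/^[0-9]*: *[^:]*: *<\([^>]*\)>.*/\1/p' | tr ',' '\n' | grep -qx PROMISC
}

# Bring $1 up with no address and promiscuous mode on (needs root).
# Flushing addresses matters: an unnumbered NIC has nothing to say on the tapped
# segment, so the sniffer never answers ARP or IP there even if the tap port passes ingress.
sniff_iface_up() {
    dev=$1
    ip addr flush dev "$dev"
    ip link set dev "$dev" promisc on
    ip link set dev "$dev" up
}

# Exit 0 when interface $1 on this system is promiscuous.
iface_is_promisc() {
    ip -o link show dev "$1" | has_promisc_flag
}

if [ "${1:-}" = "--apply" ]; then
    dev=${2:-eth1}
    sniff_iface_up "$dev"
    iface_is_promisc "$dev" && echo "$dev is promiscuous; try: tcpdump -nni $dev"
fi
```

Run it as `sudo sh sniff-iface.sh --apply eth1`, then point dsniff, urlsnarf or tcpdump at that interface with `-i eth1`. Keep the onboard NIC for SSH, as the post does, so management traffic never mixes with the mirrored segment.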

January 21, 2010: 8:06 pm: Admin Tricks

The latest round of Adobe patches is a pain for IT staff to implement.   If you allow automatic updates, many machines pulling the full Reader installer from Adobe at once are likely to knock out your WAN or Internet links.  Too much traffic.

Manually running around and installing the update is also a pain for IT and consumes a lot of man hours.  So I love to make script packs for them to automate things.

To use these scripts you need to do several prep things:

  1. Download the nmap binaries for Windows and put them in the folder you will run the scripts from.
  2. Install the WinPcap driver; the nmap scans need it to work.
  3. Download PsExec from the Microsoft Sysinternals site and put it in the script folder too.
  4. Download the Adobe Reader installer and put it on a network share.
  5. Create a throwaway domain user account that can do nothing but map the network share holding the Reader installer.  I put the installer in a subfolder of that share called acro93 for the version I am installing.  If your domain is set up reasonably well, only authenticated users can connect to shares, so the push needs an account of its own.  Delete this account once you are done.

Next come the scripts.  The master script, which we call acrobat.bat, pushes a second .bat file to each target host.  You put your target hosts into a text file in a format nmap accepts: a subnet, individual IPs, or hostnames your PC can resolve.


November 14, 2009: 8:00 am: Admin Tricks

Perhaps you have made yourself a logging VM, or even a logging machine out of an old laptop, using my PDF instructions.  At home I actually turned a really old IBM ThinkPad A22m into an Ubuntu logging machine, just like my directions, only without VMware.

I send all my network hardware logs via syslog to that machine.  BUT I also made one simple change to the syslog.conf on every Mac in my house.  Now all my Mac logs collect on that machine too, for searching in Splunk.

  1. Open Terminal on your Mac.
  2. Run: sudo vi /etc/syslog.conf
  3. Add the following line to the file, substituting your own logging machine's IP address:
    *.*               @loggingmachineipaddress
  4. Make sure to use an actual IP address in place of loggingmachineipaddress.  I tried using the Bonjour/mDNS name, logger.local, and my Macs never consistently sent logs.  After changing to the IP address it worked.
  5. If you are on Leopard, the following two Terminal commands restart syslogd so it picks up the config change.  Otherwise you can also just reboot your Mac.
    sudo launchctl unload /System/Library/LaunchDaemons/com.apple.syslogd.plist
    sudo launchctl load /System/Library/LaunchDaemons/com.apple.syslogd.plist
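The whole procedure as one added script (mine, not the post's), targeting the Leopard-era BSD syslogd configuration described above. The collector address 192.168.1.20 and the path passed as the first argument are assumptions. It refuses anything that is not a dotted-quad IP, since the post found mDNS names unreliable, and it adds the selector only once, so re-running it is safe.

```shell
#!/bin/sh
# Added example: point a Leopard-era Mac's BSD syslogd at a central collector by adding
# a "*.* @IP" selector to syslog.conf exactly once, then restarting syslogd.
# The collector 192.168.1.20 and the conf path are assumptions; run --apply as root on the Mac.

# Accept only a dotted-quad IPv4 address. The post found that an mDNS name such as
# logger.local was not delivered reliably, so hostnames are rejected up front.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    for oct in "$@"; do
        [ "$oct" -le 255 ] || return 1
    done
}

# How many "*.* @IP" selectors for collector $2 are in syslog.conf $1 (prints 0 when none).
count_remote_selectors() {
    ip_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    grep -c '^\*\.\*[[:space:]]*@'"$ip_re"'$' "$1" || true
}

# Add the selector for collector $2 to syslog.conf $1 unless it is already there.
# Returns 1 and leaves the file untouched when $2 is not an IPv4 literal.
add_remote_selector() {
    conf=$1
    ip=$2
    is_ipv4 "$ip" || { echo "refusing collector '$ip': use a dotted-quad IP" >&2; return 1; }
    if [ "$(count_remote_selectors "$conf" "$ip")" -gt 0 ]; then
        return 0    # already forwarding to this host
    fi
    printf '*.*\t\t\t@%s\n' "$ip" >> "$conf"
}

# Leopard: bounce syslogd so it re-reads syslog.conf (needs root).
restart_syslogd() {
    launchctl unload /System/Library/LaunchDaemons/com.apple.syslogd.plist
    launchctl load /System/Library/LaunchDaemons/com.apple.syslogd.plist
}

if [ "${1:-}" = "--apply" ]; then
    add_remote_selector /etc/syslog.conf "${2:-192.168.1.20}" && restart_syslogd
fi
```

Bear in mind what `*.*` does: every message, including authentication and sudo logs, leaves the Mac over UDP 514 in clear text with no authentication of the collector. That is fine on a home LAN like the one in the post; across anything less trusted, tunnel it or use a TLS-capable collector.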
November 13, 2009: 2:27 pm: Admin Tricks

Recently I wanted to build a log collection virtual machine.  I settled on a combination of syslog-ng and Splunk.  Syslog-ng lets you do filtering, message rewriting and routing to multiple destination types; Splunk v4 gives you a nice way to search the gathered logs.  You can follow my two documents: the roll-your-own guide covers building the VM, and the getting-started guide covers the final setup tweaks to collect certain event types I decided would make a good starting example set.

We use Ubuntu Server 9.10 (32-bit) with syslog-ng v3 and Splunk v4 in this tutorial.  I built mine in VMware Fusion on my Mac, but you should be able to adapt it to your own box or virtualization of choice.

November 11, 2009: 5:05 am: Admin Tricks

Lately I have been working on a VMware virtual machine combining syslog-ng version 3 and Splunk.  I wanted to leverage syslog-ng for routing messages and for rewriting messages forwarded from an existing Kiwi Syslog server.

Let's say you have all your network gear sending events to an existing Kiwi Syslog install.  You can add an action to forward the messages and include the original source IP.  The problem is that the original IP becomes part of the message text.  When it reaches Splunk you would rather it see each message as having come from the original host, so you get the best mapping to host fields in Splunk searches.

So we use syslog-ng to receive the forwarded messages and rewrite each message before Splunk picks it up.  We tell syslog-ng to listen on UDP port 3514, the port we tell Kiwi to forward events to.  Next we tell syslog-ng to write the events to a Linux FIFO (named pipe) while applying the rewrite.  From there it is easy to tell Splunk to read events from the FIFO.

The solution is a combination of telling syslog-ng NOT to parse the incoming messages and then applying the rewrite rule; the config I used in syslog-ng is in the full post.  I do plan on writing a PDF guide on building the logging VM from scratch soon.
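As an added example (my own, not the config from the post), here is a shell script that sets up the relay just described: syslog-ng receives Kiwi's forwards on udp/3514 with no-parse, rewrites each line so the original sender's IP lands in the host position of the syslog header, and writes the raw line to a FIFO that Splunk reads. The bind address 192.168.1.20, the file paths, the owner and group names and, above all, the layout of a forwarded line (original IP as the first token after the relay's own hostname) are assumptions; capture a real forwarded datagram with tcpdump and adjust the regex before trusting it. The sed preview uses the same expression the config hands to syslog-ng, so you can test the rewrite on captured lines without restarting anything.

```shell
#!/bin/sh
# Added example: build the relay from the post (Kiwi -> syslog-ng udp/3514 -> rewrite -> FIFO -> Splunk).
# The bind address, paths, owner/group and the forwarded-line layout below are assumptions,
# not the config from the original post.
#
# Assumed layout of a datagram Kiwi forwards (verify with: tcpdump -nnA udp port 3514):
#   <PRI>Mmm dd hh:mm:ss KIWIHOST ORIGIP rest-of-message
# What Splunk should read, so its syslog host extraction picks ORIGIP as the host:
#   <PRI>Mmm dd hh:mm:ss ORIGIP rest-of-message

FIFO=${FIFO:-/var/run/syslog-ng/splunk.fifo}
CONF=${CONF:-/etc/syslog-ng/conf.d/kiwi-relay.conf}
BIND=${BIND:-192.168.1.20}

# Group 1: header through the seconds field; then the relay host token to drop;
# group 2: the original IP. The same expression works for sed -E and syslog-ng's PCRE.
HDR='^(<[0-9]{1,3}>[A-Z][a-z]{2} [ 0-9][0-9] [0-9]{2}:[0-9]{2}:[0-9]{2}) [^ ]+ '
ORIG='([0-9]{1,3}(\.[0-9]{1,3}){3}) '

# Preview the rewrite on one line; a line that does not match passes through untouched.
rewrite_line() {
    printf '%s\n' "$1" | sed -E "s/${HDR}${ORIG}/\\1 \\2 /"
}

# Create the FIFO Splunk will read. Only the owner and one group may read it.
make_fifo() {
    [ -p "$1" ] || mkfifo -m 0640 "$1"
    chown syslog:splunk "$1" 2>/dev/null || true   # assumed account names; harmless if absent
}

# Write the syslog-ng 3 config. Backslashes are doubled for syslog-ng's quoted strings.
write_conf() {
    re=$(printf '%s%s' "$HDR" "$ORIG" | sed 's/\\/\\\\/g')
    cat > "$1" <<EOF
# Receive Kiwi's forwards; no-parse keeps the raw datagram in \$MESSAGE for the rewrite.
source s_kiwi { udp(ip("$BIND") port(3514) flags(no-parse)); };

# Replace "KIWIHOST ORIGIP" with "ORIGIP" so the original device sits in the host field.
rewrite r_orig_host { subst("$re", "\$1 \$2 ", value("MESSAGE"), type("pcre")); };

# Emit the raw line only; the default template would prepend a second header.
destination d_splunk { pipe("$2" template("\$MESSAGE\n")); };

log { source(s_kiwi); rewrite(r_orig_host); destination(d_splunk); };
EOF
}

if [ "${1:-}" = "--apply" ]; then
    make_fifo "$FIFO"
    write_conf "$CONF" "$FIFO"
    syslog-ng --syntax-only && echo "config OK; point a Splunk fifo:// input at $FIFO"
fi
```

Two checks worth doing once it is running. First, UDP syslog is trivially spoofable, so bind to the internal address as above and firewall port 3514 to the Kiwi host's IP; otherwise anyone on the segment can inject lines that Splunk will attribute to whatever host they name. Second, a FIFO has no buffer to speak of: if Splunk stops reading, syslog-ng blocks or drops, so watch its stats for the pipe destination.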

