I got bored with snort and intrusion detection a few years ago.
The last thing I did with snort was try to code a netfilter detector/packet killer for one of Luigi’s UT99 hacks.
It was an epic FAIL.
I even read the docs!
But back in the day I ran snort & ACID (now BASE – how clever) on a number of boxes, both at work and at home. I got very tired of seeing all those false positives, every day, day after day after day. And then reading in the snort online docs that a particular rule I was unfamiliar with had “no known” false positives or negatives.
Riiiiight.
And then snort went commercial. Well, good riddance.
So it’s been at least three years since I touched it.
Suddenly, out of nowhere, my boss the Security Thought Leader decides snort has to be deployed throughout our organization on every-fucking-thing that can run it. And since I was stupid enough at one time to open my mouth and let the word “snort” fall out of it, it’s my problem.
Lo and behold we’re now up to snort v2.8.6.1. And it turns out to be a bad time to be implementing snort.
As of June 2010 (Hey! That’s like… now!) a lot of the old freeware utilities for managing snort are obsolete. Not that they were any good, but their very existence was helpful in avoiding reinventing the wheel.
And the more things change the more they stay the same.
Like depending on Libnet v1.0.2a. They still give you a link to a dead Web site in the docs so you can download this ancient piece of code required to build snort. Luckily (I think it was luck) freebsd.org still had it in their archives.
Also luckily Mr. Security Thought Leader only wants to send snort alerts to a centralized SIM/SIEM syslog server, which simplifies everything (although he doesn’t know that… he would complicate the fuck out of everything if he did know it). This is the only documented design requirement in the whole project:
Send snort to syslog!
That’s it! Nothing more. What he plans to do after that is a mystery. Right now I have the Proof of Concept running on a few Windows servers and as usual they’re not producing anything of any interest whatsoever.
The Linux servers are another matter entirely.
I hate to say it, but our *ix admins are the biggest newbz I’ve ever met in my long and glorious IT career. They need to have a vendor hold their hand whenever they do anything and their collective mantra is the age old refrain:
THE VENDOR WON’T SUPPORT IT!!!
To make matters worse, they are going to have to build snort if their vendor doesn’t distribute a 2.8.6 version of snort. And considering they run Red Hat, they’re going to have a long wait.
So with all that in mind I built snort 2.8.6.1 for my Linux firewall (good old Debian Etch) and configured it for syslog alerts only.
It’s been running for about an hour now and all I’m getting is:
(http_inspect) LONG HEADER [Priority: 3]
… from just about every Web site I visit. You would think with all this proxy crap running every hour I’d at least get a “Hey! Somebody’s using an external proxy” kind of alert but no.
There’s obviously some tuning that needs to be done (max http header was 750, so I upped it first to 1024, which wasn’t enough, and then to 2048), but with all the doom & gloom about hackers and cybercrime, et cetera, I really expected a shitload more alerts.
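Before bumping the header threshold a third time it helps to know which signatures actually dominate the syslog feed, because that is the tuning list. The script below is an added example, not code from this post or from the Snort project: it parses syslog lines in the shape snort's alert_syslog output writes ("[gid:sid:rev] msg [Classification: ...] [Priority: n]: {proto} src:port -> dst:port"), counts alerts per signature and per source address, and flags any signature that accounts for more than a given share of everything seen as the first candidate for threshold tuning or suppression. The log lines, hostname, process id, addresses, the local rule sid and the "external proxy" rule message are all constructed sample data; the assumption that preprocessor alerts carry no Classification field follows the LONG HEADER line quoted above.

```python
import re
from collections import Counter

# Constructed sample data (not from the post): syslog lines in the shape that
# snort's alert_syslog output writes. Preprocessor alerts such as the
# http_inspect LONG HEADER carry no [Classification: ...] field; the local
# rule on the fourth line (sid 1000001) is invented for the example.
SAMPLE_SYSLOG = """\
Jun 14 10:02:11 fw snort[2112]: [119:19:1] (http_inspect) LONG HEADER [Priority: 3]: {TCP} 192.0.2.10:51234 -> 198.51.100.20:80
Jun 14 10:02:15 fw snort[2112]: [119:19:1] (http_inspect) LONG HEADER [Priority: 3]: {TCP} 192.0.2.10:51240 -> 198.51.100.21:80
Jun 14 10:03:02 fw snort[2112]: [119:19:1] (http_inspect) LONG HEADER [Priority: 3]: {TCP} 192.0.2.11:40011 -> 198.51.100.22:80
Jun 14 10:05:40 fw snort[2112]: [1:1000001:1] LOCAL external proxy use [Classification: Potential Corporate Privacy Violation] [Priority: 1]: {TCP} 192.0.2.12:33000 -> 203.0.113.5:8080
Jun 14 10:06:00 fw snort[2112]: Initializing daemon mode
"""

# One alert line:
#   "[gid:sid:rev] msg [Classification: cls] [Priority: n]: {proto} src:sport -> dst:dport"
# The Classification block is optional; msg is matched lazily so it stops
# right before whichever bracketed field comes next.
ALERT_RE = re.compile(
    r"snort\[\d+\]: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?)"
    r"(?: \[Classification: (?P<cls>[^\]]+)\])?"
    r" \[Priority: (?P<prio>\d+)\]: \{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_alert(line):
    """Return a dict for one snort syslog alert line, or None for non-alert lines."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    a = m.groupdict()          # gid/sid/rev stay strings; cls is None when absent
    for key in ("prio", "sport", "dport"):
        a[key] = int(a[key])
    return a


def parse_alerts(text):
    """Parse every alert line in a block of syslog text, skipping daemon chatter."""
    return [a for a in map(parse_alert, text.splitlines()) if a is not None]


def count_by_signature(alerts):
    """[((gid, sid, msg), count), ...] most frequent first."""
    return Counter((a["gid"], a["sid"], a["msg"]) for a in alerts).most_common()


def count_by_source(alerts):
    """[(src_ip, count), ...] most frequent first."""
    return Counter(a["src"] for a in alerts).most_common()


def noisy_signatures(alerts, share=0.5):
    """Signatures responsible for at least `share` of all alerts.

    These are the first candidates for tuning the preprocessor threshold or
    adding a suppression, rather than switching the whole rule off.
    """
    total = len(alerts)
    if total == 0:
        return []
    return [(gid, sid, msg, n)
            for (gid, sid, msg), n in count_by_signature(alerts)
            if n / total >= share]


def report(text):
    """Human-readable triage summary for a block of syslog text."""
    alerts = parse_alerts(text)
    out = ["%d alerts parsed" % len(alerts)]
    for (gid, sid, msg), n in count_by_signature(alerts):
        out.append("  %5d  [%s:%s] %s" % (n, gid, sid, msg))
    for src, n in count_by_source(alerts):
        out.append("  %5d  from %s" % (n, src))
    for gid, sid, msg, n in noisy_signatures(alerts):
        out.append("tune first: [%s:%s] %s (%d hits)" % (gid, sid, msg, n))
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_SYSLOG))
```

Feed it the real syslog file instead of SAMPLE_SYSLOG (for example `report(open("/var/log/auth.log").read())` if alert_syslog was pointed at LOG_AUTH) and the "tune first" line tells you whether LONG HEADER is still the only thing talking after the threshold change, and from which hosts.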
I guess my firewall rules are pretty good after all.
FWIW, it took less than ten hours for some idiot named Tedickhead to remove my PoTTY entry at Wikipedia, without any reason given. Of course, it pissed me off but I refrained from putting it back in for the time being.