Hi again!
Today I’m going to talk about ntop and how to install the latest stable version in Debian Squeeze.

Ntop is an extraordinary tool that helps you to know more about your network traffic. Luca Deri’s tool has a lot of features and I use it mainly to know quickly what kind of traffic is being generated in my network thanks to its web interface with summaries and rrd charts.

Years ago I used it to identify SQL Slammer worm and since then this tool is in my arsenal to analyze weird network behaviour.

Ok. In case you didn’t notice I love configure and make but ntop is so popular that you can find ntop in the backports repository:

  1. Add the following line to your /etc/apt/sources.list: deb http://backports.debian.org/debian-backports squeeze-backports main
  2. apt-get update
  3. apt-get install ntop
  4. Type the admin user password for ntop’s web interface
  5. Ntop will be started.
  6. Open a browser and go to http://x.x.x.x:3000 where x.x.x.x is the ip address of the host where ntop is installed.. of course!
  7. Debian will install a ntop init.d service, so if you want to stop ntop: /etc/init.d/ntop stop

Ok!. If you want to use the latest stable version … yes configure and make !!:

  1. apt-get install build-essential libtool automake autoconf libpcap-dev libgdbm-dev zlib1g-dev rrdtool librrd-dev libssl-dev python-dev libgeoip-dev graphviz libgraphviz-dev
  2. cd /opt
  3. Download ntop (e.g wget http://switch.dl.sourceforge.net/project/ntop/ntop/Stable/ntop-4.1.0.tar.gz )
  4. tar xfz ntop-4.1.0.tar.gz
  5. cd ntop-4.1.0/
  6. ./autogen.sh
  7. make
  8. make install
  9. ldconfig – So libraries can be found (Thanks Garrie!)
  10. You’ll find ntop files in /usr/local according to ./configure:Data files are in     /usr/local/share/ntop
    Config files are in   /usr/local/etc/ntop
    Run directory is      /usr/local/var/ntop
    Plugin files are in   /usr/local/lib/ntop/plugins
    Database files are in /usr/local/var/ntop
    Libraries have been installed in: /usr/local/lib
  11. chown -R nobody:nogroup /usr/local/var/ntop
  12. Ok now from the command line run: ntop
  13. Ntop will ask you for the admin passwordntop startup – waiting for user response!Please enter the password for the admin user:
    Please enter the password again:
  14. Access to http://x.x.x.x:3000
  15. Nice charts!
  16. Use Ctrl-C from the command line to stop ntop.

Ok. That’s all.  Any comments are welcomed!

P.S: I’m trying to write new posts about Snorby and Suricata but I need more time! 😀


KeePass is a great open source password manager with many features (passwords are stored in an encrypted database, strong password generator…). which I’ve been using since 2006 in my Windows machine.

Now I want to use it in my Fedora 15 and thanks to Mono you can run it on Linux machines following these instructions. Anyway, these are the steps for Fedora 15:

  1. Download the portable version of KeePass and unzip it into a folder.
  2. Install Mono and Xdotool packages:

    yum install mono-addins mono-core mono-data mono-data-sqlite mono-extras mono-mvc mono-wcf mono-web mono-winforms mono-winfx libxdo xdotool

  3. Go to the KeePass folder and from the command-line execute: mono KeePass.exe
  4. That’s all folks!

UPDATE: Thank you B!n@ry for your comment. You can use KeePassX: yum install keepassx


After succesfully installing Suricata and Snorby, I’m going to use Barnyard2 to read the alerts and send them to Snorby’s database. Barnyard2 understands the unified2 binary format. If you get lost, don’t be worry because I’m going to update the Snorby how-to. If you can’t wait, I’ve followed these steps:

  1. Download Barnyard2
    wget http://www.securixlive.com/download/barnyard2/barnyard2-1.9.tar.gz
  2. tar xvfz barnyard2-1.9.tar.gz
  3. cd barnyard2-1.9/
  4. You’ll need mysql libraries, if you want to store Suricata’s events
    apt-get install mysql-client libmysqlclient-dev
  5. I’m going to compile barnyard2 with pfring an libpcap support. If you followed my howto, include files and libraries are inside /opt/PF_RING
    ./configure –with-mysql –with-libpcap-includes=/opt/PF_RING/include –with-libpcap-libraries=/opt/PF_RING/lib  –with-libpfring-includes=/opt/PF_RING/include –with-libpfring-libraries=/opt/PF_RING/lib
  6. make && make install
  7. Let’s check if barnyard2 is ready.  If you see a pig all is good 😀
    barnyard2 –help
    / ,,_  \  Version 2.1.9 (Build 263)
    |o”  )~|  By the SecurixLive.com Team: http://www.securixlive.com/about.php
    + ”” +  (C) Copyright 2008-2010 SecurixLive.
  8. If barnyard complains about libpcap.so.1 not being found, use this:
    ln -s /opt/PF_RING/lib/libpcap.so.1 /usr/lib/libpcap.so.1
  9. Now, you will need a barnyard2 config file:
    cp etc/barnyard2.conf /etc/barnyard2.conf
  10. Edit /etc/barnyard2.conf and add the following line (change dbuser, dbpass, database, x.x.x.x with the rigth values for your snorby MySQL database):
    output database: alert, mysql, user=dbuser password=dbpass dbname=database host=x.x.x.x
  11. Barnyard’s config file need to know where are your config and map files to indentify the rules. I’m using Emerging Threats rules in my /etc/suricata directory.
    # set the appropriate paths to the file(s) your Suricata process is using.
    config reference_file:      /etc/suricata/reference.config
    config classification_file: /etc/suricata/classification.config
    config gen_file:            /etc/suricata/gen-msg.map
    config sid_file:            /etc/suricata/sid-msg.map
  12. Check if you find this lines in /etc/suricata/suricata.yaml:
    – unified2-alert:
    enabled: yes
    filename: unified2.alert
  13. Ok. I have Suricata running. With this command the unified2 binary files will be read and new events will be sent to snorby -> barnyard2 -c /etc/barnyard2.conf -d /var/log/suricata -f unified2.alert
  14. All seems to work fine. Snorby is starting to show events.

  15. Snorby is awesome. More info soon!

According to snorby.org,  Snorby is a ruby on rails web application for network security monitoring that interfaces with current popular intrusion detection systems (Snort, Suricata and Sagan). The project goal is to create a free, open source and highly competitive application for network monitoring for both private and enterprise use.

Today I’m going to show you how to install Snorby on Debian 6. This is the first time I use Snorby and I want to use it to monitor my Suricata IDS. In the following weeks I’ll post my first impressions.

Download the pdf and contact me for any comments, errors or suggestions.

More than a year later I have updated the document so you can install and configure Suricata for Debian Squeeze.

Download the PDF.

P.S: It’s been a long time since my last post. After a difficult year,  I have time to blog again.

I’m starting with my malware lab but before you read maybe you are interested in REMnux a Linux Distribution for Reverse-Engineering Malware that offers many analysis tools.

My lab will consist in two virtual hosts, one of them will be the victim where all the malware will be executed and the other will act as a server offering “Internet” services to the victim. The hosts will be placed in the network (Server and Client

The first service I’m going to configure is DNS and for this task I’ll use DJBDNS. Two years ago I started to hear about D.J Bernstein DNS which wasn’t affected by Dan Kaminsky‘s DNS flaw announce. I like security, so why not use tinydns for this task? The DNS server will be configured to answer queries for the malware.lab domain and it’ll act as a fake root name server.

You can install Tinydns using aptitude but I like to compile things 🙂 These are the steps I’ve followed.

  1. apt-get install build-essential
  2. useradd Gtinydns -s /bin/false
  3. useradd Gdnslog -s /bin/false
  4. mkdir -p /package
  5. chmod 1755 /package
  6. cd /package
  7. wget http://cr.yp.to/daemontools/daemontools-0.76.tar.gz
  8. tar xvfz daemontools-0.76.tar.gz
  9. rm -f daemontools-0.76.tar.gz
  10. cd admin/daemontools-0.76/
  11. echo gcc -O2 -include /usr/include/errno.h > conf-cc (don´t forget this!)
  12. cd src/
  13. echo gcc -O2 -include /usr/include/errno.h > conf-cc (don´t forget this!)
  14. cd ..
  15. package/install
  16. cd /package
  17. wget http://cr.yp.to/ucspi-tcp/ucspi-tcp-0.88.tar.gz
  18. tar xvfz ucspi-tcp-0.88.tar.gz
  19. rm ucspi-tcp-0.88.tar.gz
  20. cd ucspi-tcp-0.88/
  21. echo gcc -O2 -include /usr/include/errno.h > conf-cc (don´t forget this!)
  22. make
  23. make setup check
  24. cd /package
  25. wget http://cr.yp.to/djbdns/djbdns-1.05.tar.gz
  26. tar xvfz djbdns-1.05.tar.gz
  27. rm djbdns-1.05.tar.gz
  28. echo gcc -O2 -include /usr/include/errno.h > conf-cc
  29. make
  30. make setup check
  31. reboot
  32. tinydns-conf Gtinydns Gdnslog /etc/tinydns
  33. ln -s /etc/tinydns /service/tinydns
  34. sleep 5
  35. svstat /service/tinydns
  36. cd /service/tinydns/root
  37. ./add-ns . (this server will answer all DNS queries with the same address If you have problems be sure you add this entry to the /etc/tinydns/root/data file  (   +*.:    )
  38. ./add-host server.malware.lab
  39. ./add-host client.malware.lab
  40. ./add-ns 10.168.192.in-addr.arpa (It will resolve inverse queries)
  41. make

And that’s it (41 steps!), I have a DNS server running… If you need more information visit DJBDNS page.

DJBDNS has been designed to be secure and it’s very easy to manage it (at least compared with BIND)

See ya!

Thanks to Kippo SSH Honeypot and those who generously have donated their rootkits and bot software, now I have six interesting malware samples to play with.

I’ve examined three of these files on an isolated machine and these are my first impressions:

  1. People from Western Europe are really bored so they like to write amusing programs
  2. The programs contain funny messages like “We are ROOT, we are deleting the logs,  let’s download evil files…”
  3. They love IRC channels and writing their own versions of ps, top, netstat, ls…

Now I’m preparing my first malware lab to analyze these samples seriously in a protected environment and that’s why I’m testing Samhain Host IDS and working on a network server with DNS, SMTP, HTTP and IRC to simulate a real network, so stay tuned! Any suggestions for this lab are welcomed.

P.S: I’m preparing a new version of the Suricata How-To. I hope you’ve found it useful.

P.S #2: I can´t believe we won the Fifa World Cup! 🙂