Michael Earls

Import WordPress Security Patch

michael earls — Thu, 30 Dec 2010 21:38:11 +0000

It is very important that all WordPress users update their installations to 3.0.4 as quickly as possible. This newest edition of WordPress fixes a security bug in the WordPress KSES library which is in charge of performing HTML sanitization within the script.

This cross-site scripting vulnerability should be taken very seriously.

A cross-site scripting vulnerability (otherwise known as a XSS attack) could be used to steal sensitive information (like login details) from people who visit your website. They often do this by injecting a client-side script into your website.

You have two options when it comes to updating WordPress. You can download the latest version from WordPress’s website and do a manual update or better yet – log into your WordPress administration section and do the update from within WordPress.

Updates during the holiday break are never fun, but this is one security issue you should fix as quickly as possible.
-
Michael Earls

How to use the Public NTP (Network Time Protocol) Server

michael earls — Thu, 30 Dec 2010 21:28:51 +0000

In this post we will discuss how to configure your local server to use the public NTP (Network time Protocol) Server to synchronize the clocks on your local computer or network device.

Why is NTP Important?

In a commercial environment, accurate time stamps are essential to everything from maintaining and troubleshooting equipment and forensic analysis of distributed attacks, to resolving disputes among parties contesting a commercially valuable time-sensitive transaction. In a programming environment, time stamps are usually used to determine what bits of code need to be rebuilt as part of a dependency checking process as they relate to other bits of code and the time stamps on them, and without good time stamps your entire development process can be brought to a complete standstill. Within law enforcement, they are essential for correlation of distributed communication events, forensic analysis, and potential evidentiary use in criminal proceedings. In essence, all debugging, security, audit, and authentication is founded on the basis of event correlation (knowing exactly what happened in what order, and on which side), and that depends on good time synchronization.

Another good explanation for this issue comes from Thomas Akin, in chapter 10 of his book Hardening Cisco Routers:

Time is inherently important to the function of routers and networks. It provides the only frame of reference between all devices on the network. This makes synchronized time extremely important. Without synchronized time, accurately correlating information between devices becomes difficult, if not impossible. When it comes to security, if you cannot successfully compare logs between each of your routers and all your network servers, you will find it very hard to develop a reliable picture of an incident. Finally, even if you are able to put the pieces together, unsynchronized times, especially between log files, may give an attacker with a good attorney enough wiggle room to escape prosecution.

Additional information on this subject can be found at UC Berkeley, University of Wyoming, in Rik Farrow’s Network Defense columns for Network Magazine , and in the Linux System Administrators Guide at the Linux Documentation Project.

Depending on the operating system NTP can very on the installation guide, please reference your OS type in order to find the correct distribution to install.

Current NTP Version:
http://support.ntp.org/bin/view/Main/SoftwareDownloads

NTP Ports For Windows:
http://support.ntp.org/bin/view/Main/ExternalTimeRelatedLinks
Edit ntp.conf file, an add the following lines
server pool.ntp.org maxpoll 12
server pool.ntp.org maxpoll 12
server pool.ntp.org maxpoll 12

Please check out http://www.pool.ntp.org for a list of different time zone servers.

How to verify that your server is synchronized.
Issue the following command ntpq -p or ntpq -pn (DNS lookup off)

vermeer:~$ ntpq -p
remote refid st t when poll reach delay offset jitter
=========================================================
+daffy.test1.org 193.5.216.14 2 u 68 1024 377 158.995 51.220 50.287
*navobs1.o.net 130.149.17.8 2 u 191 1024 176 79.245 3.589 27.454
-ntp.vermeer.org 131.188.3.222 3 u 766 1024 377 22.302 -2.928 0.508

vermeer:~$ ntpq -pn
remote refid st t when poll reach delay offset jitter
=========================================================
+205.142.198.4 193.5.216.14 2 u 68 1024 377 158.995 51.220 50.287
*198.30.92.2 130.149.17.8 2 u 191 1024 176 79.245 3.589 27.454
-64.44.160.38 131.188.3.222 3 u 766 1024 377 22.302 -2.928 0.508

How to verify that your clients are synchronized.
Issue the following command ntpdc -c monlist or ntpdc -nc monlist ( DNS lookup off ):
ntpq -p
remote address port local address count m ver drop last first
=========================================================
127.0.0.1 40583 127.0.0.1 53273 7 2 0 0 15483660

router1.vermeer.org   123 10.1.20.10             93542 3 3      0      4 15483164
router2.vermeer.org   123 10.1.30.10             68744 3 3      0      5 15483060
router3.vermeer.org   123 10.1.40.10             56228 3 3      0      5 15483127

vermeer:~$ ntpq -p
remote address          port local address      count m ver drop   last   first
=========================================================
127.0.0.1              40583 127.0.0.1              53273 7 2      0      0 15483660
10.253.40.38             123 10.1.20.10           93542 3 3            4 15483164
10.11.15.4                123 10.1.20.10            68744 3 3      0      5 15483060
10.10.80.16              123 10.1.20.10            56228 3 3      0      5 15483127

Graphing Cisco Systems (NBAR) Network-based application recognition with MRTG

michael earls — Thu, 30 Dec 2010 21:23:35 +0000

Synopsis:
This documentation assumes that you have a version of Cisco IOS that supports the following MIB ciscoNbarProtocolDiscoveryMIB (1.3.6.1.4.1.9.9.244). This documentation assumes that (MRTG) Multi Router Traffic Grapher is installed and working. This documentation assumes that you have SNMP installed and working. This documentation assumes that you have used custom mrtg.cfg files.

What is NBAR?
Network Based Application Recognition is an intelligent classification engine that recognizes applications that are static (which use fixed TCP or UDP port numbers), and stateful (which dynamically assign TCP or UDP port numbers).

The NBAR Protocol Discovery Management Information Base (MIB) expands the capabilities of NBAR Protocol Discovery by providing the following new Protocol Discovery functionalities through SNMP:

What is MRTG?
MRTG consists of a Perl script which uses SNMP to read the traffic counters of your routers and a fast C program which logs the traffic data and creates beautiful graphs representing the traffic on the monitored network connection. These graphs are embedded into webpages which can be viewed from any modern Web-browser.

In addition to a detailed daily view, MRTG also creates visual representations of the traffic seen during the last seven days, the last five weeks and the last twelve months. This is possible because MRTG keeps a log of all the data it has pulled from the router. This log is automatically consolidated so that it does not grow over time, but still contains all the relevant data for all the traffic seen over the last two years. This is all performed in an efficient manner. Therefore you can monitor 200 or more network links from any halfway decent UNIX box.

MRTG is not limited to monitoring traffic, though. It is possible to monitor any SNMP variable you choose. You can even use an external program to gather the data which should be monitored via MRTG. People are using MRTG, to monitor things such as System Load, Login Sessions, Modem availability and more. MRTG even allows you to accumulate two or more data sources into a single graph.

Enable NBAR in IOS:

!
router#
Interface FastEthernet 1/0
Router(config-if)#ip nbar protocol-discovery
!

Test for Supported MIB:

snmpwalk -c COMMUNITY -v2c IPADDRESS 1.3.6.1.4.1.9.9.244
iso.3.6.1.4.1.9.9.244.1.1.1.1.1.1 = INTEGER: 1
iso.3.6.1.4.1.9.9.244.1.1.1.1.1.2 = INTEGER: 2
iso.3.6.1.4.1.9.9.244.1.1.1.1.1.3 = INTEGER: 2
iso.3.6.1.4.1.9.9.244.1.1.1.1.1.4 = INTEGER: 2
iso.3.6.1.4.1.9.9.244.1.1.1.1.2.1 = Timeticks: (1537) 0:00:15.37
iso.3.6.1.4.1.9.9.244.1.1.1.1.2.2 = Timeticks: (0) 0:00:00.00
iso.3.6.1.4.1.9.9.244.1.1.1.1.2.3 = Timeticks: (0) 0:00:00.00
iso.3.6.1.4.1.9.9.244.1.1.1.1.2.4 = Timeticks: (0) 0:00:00.00
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.1 = STRING: “ftp”
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.2 = STRING: “http”
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.3 = STRING: “egp”
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.4 = STRING: “gre”
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.5 = STRING: “icmp”
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.6 = STRING: “eigrp”
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.7 = STRING: “ipinip”
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.8 = STRING: “ipsec”
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.9 = STRING: “bgp”
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.10 = STRING: “cuseeme”
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.11 = STRING: “dhcp”
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.12 = STRING: “dns”
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.13 = STRING: “finger”
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.14 = STRING: “gopher”
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.15 = STRING: “secure-http”
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.16 = STRING: “imap”
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.17 = STRING: “secure-imap”
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.18 = STRING: “irc”
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.19 = STRING: “secure-irc”
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.20 = STRING: “kerberos”
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.21 = STRING: “l2tp”
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.22 = STRING: “ldap”
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.23 = STRING: “secure-ldap”
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.24 = STRING: “sqlserver”
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.25 = STRING: “netbios”
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.26 = STRING: “nfs”
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.27 = STRING: “nntp”
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.28 = STRING: “secure-nntp”
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.29 = STRING: “notes”
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.30 = STRING: “ntp”
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.31 = STRING: “pcanywhere”
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.32 = STRING: “pop3″
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.33 = STRING: “secure-pop3″
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.34 = STRING: “pptp”
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.35 = STRING: “rip”
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.36 = STRING: “rsvp”
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.37 = STRING: “smtp”
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.38 = STRING: “snmp”
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.39 = STRING: “socks”
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.40 = STRING: “ssh”
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.41 = STRING: “syslog”
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.42 = STRING: “telnet”
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.43 = STRING: “secure-telnet”
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.44 = STRING: “secure-ftp”
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.45 = STRING: “xwindows”
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.46 = STRING: “printer”
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.47 = STRING: “novadigm”
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.48 = STRING: “tftp”
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.49 = STRING: “exchange”
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.50 = STRING: “vdolive”
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.51 = STRING: “sqlnet”
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.52 = STRING: “rcmd”
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.53 = STRING: “netshow”
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.54 = STRING: “sunrpc”
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.55 = STRING: “streamwork”
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.56 = STRING: “citrix”
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.57 = STRING: “napster”
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.58 = STRING: “fasttrack”
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.59 = STRING: “gnutella”
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.60 = STRING: “kazaa2″
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.61 = STRING: “custom-01″
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.62 = STRING: “custom-02″
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.63 = STRING: “custom-03″
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.64 = STRING: “custom-04″
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.65 = STRING: “custom-05″
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.66 = STRING: “custom-06″

Not Supported MIB in IOS

snmpwalk -c COMMUNITY -v2c IPADDRESS 1.3.6.1.4.1.9.9.244
Cannot find module (IP-MIB): At line 0 in (none)
Cannot find module (IF-MIB): At line 0 in (none)
Cannot find module (TCP-MIB): At line 0 in (none)
Cannot find module (UDP-MIB): At line 0 in (none)
Cannot find module (SNMPv2-MIB): At line 0 in (none)
Cannot find module (SNMPv2-SMI): At line 0 in (none)
Cannot find module (UCD-SNMP-MIB): At line 0 in (none)
Cannot find module (UCD-DEMO-MIB): At line 0 in (none)
Cannot find module (SNMP-TARGET-MIB): At line 0 in (none)
Cannot find module (SNMP-VIEW-BASED-ACM-MIB): At line 0 in (none)
Cannot find module (SNMP-COMMUNITY-MIB): At line 0 in (none)
Cannot find module (UCD-DLMOD-MIB): At line 0 in (none)
Cannot find module (SNMP-FRAMEWORK-MIB): At line 0 in (none)
Cannot find module (SNMP-MPD-MIB): At line 0 in (none)
Cannot find module (SNMP-USER-BASED-SM-MIB): At line 0 in (none)
Cannot find module (SNMP-NOTIFICATION-MIB): At line 0 in (none)
Cannot find module (SNMPv2-TM): At line 0 in (none)
.iso.3.6.1.2.1.1.3.6.1.4.1.9.9.244 = No Such Instance currently exists

Examples from the following output:

snmpget -c COMMUNITY -v2c IPADDRESS 1.3.6.1.4.1.9.9.244.1.2.1.1.2.1.1
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.interface-number.protocol
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1 – FastEthernet 1/0
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.1 – FTP Protocol Number

The nbar-internet.cfg file assumes that you are monitoring FastEthernet 1/0. Change this to refelect the interface you are monitoring.
Change public@isp1 to the correct community string and ip address.

Create New Directory:
Create the following directory under mrtg web files.

nbar-internet

Files Created:
The above configuration will create the following files under nbar-internet directory.

fasttrack.log
ftp.log
gnutella.log
h323.log
http.log
https.log
kazaa2.log
napster.log
nntp.log
pop3.log
rstp.log
smtp.log
streamworks.log
vdolive.log

MRTG CFG FILE: (nbar-internet.cfg)
Download nbar-internet.cfg

### Global Config Options
Options[_]: growright,bits
WithPeak[_]: ymw
Xsize[_]: 600
Ysize[_]: 200
Ytics[_]: 10

##
## FTP Traffic Analysis
##
Target[nbar-internet-ftp]:
1.3.6.1.4.1.9.9.244.1.2.1.1.5.1.1&1.3.6.1.4.1.9.9.244.1.2.1.1.6.1.1:public@isp1 +
1.3.6.1.4.1.9.9.244.1.2.1.1.5.1.1&1.3.6.1.4.1.9.9.244.1.2.1.1.6.1.1:public@isp1:
SetEnv[nbar-internet-ftp]: MRTG_INT_IP=”" MRTG_INT_DESCR=”"
Directory[nbar-internet-ftp]: nbar-internet
MaxBytes[nbar-internet-ftp]: 1000000
Title[nbar-internet-ftp]: Cisco Nbar Protocol Analysis
PageTop[nbar-internet-ftp]:

##
## HTTP Traffic Analysis
##
Target[nbar-internet-http]:
1.3.6.1.4.1.9.9.244.1.2.1.1.5.1.2&1.3.6.1.4.1.9.9.244.1.2.1.1.6.1.2:public@isp1 +
1.3.6.1.4.1.9.9.244.1.2.1.1.5.1.2&1.3.6.1.4.1.9.9.244.1.2.1.1.6.1.2:public@isp1:
SetEnv[nbar-internet-http]: MRTG_INT_IP=”" MRTG_INT_DESCR=”"
Directory[nbar-internet-http]: nbar-internet
MaxBytes[nbar-internet-http]: 1000000
Title[nbar-internet-http]: Cisco Nbar Protocol Analysis
PageTop[nbar-internet-http]:

##
## HTTPs Traffic Analysis
##
Target[nbar-internet-https]:
1.3.6.1.4.1.9.9.244.1.2.1.1.5.1.15&1.3.6.1.4.1.9.9.244.1.2.1.1.6.1.15:public@isp1 +
1.3.6.1.4.1.9.9.244.1.2.1.1.5.1.15&1.3.6.1.4.1.9.9.244.1.2.1.1.6.1.15:public@isp1:
SetEnv[nbar-internet-https]: MRTG_INT_IP=”" MRTG_INT_DESCR=”"
Directory[nbar-internet-https]: nbar-internet
MaxBytes[nbar-internet-https]: 1000000
Title[nbar-internet-https]: Cisco Nbar Protocol Analysis
PageTop[nbar-internet-https]:

##
## smtp Traffic Analysis
##
Target[nbar-internet-smtp]:
1.3.6.1.4.1.9.9.244.1.2.1.1.5.1.37&1.3.6.1.4.1.9.9.244.1.2.1.1.6.1.37:public@isp1 +
1.3.6.1.4.1.9.9.244.1.2.1.1.5.1.37&1.3.6.1.4.1.9.9.244.1.2.1.1.6.1.37:public@isp1:
SetEnv[nbar-internet-smtp]: MRTG_INT_IP=”" MRTG_INT_DESCR=”"
Directory[nbar-internet-smtp]: nbar-internet
MaxBytes[nbar-internet-smtp]: 1000000
Title[nbar-internet-smtp]: Cisco Nbar Protocol Analysis
PageTop[nbar-internet-smtp]:

##
## NNTP Traffic Analysis
##
Target[nbar-internet-nntp]:
1.3.6.1.4.1.9.9.244.1.2.1.1.5.1.27&1.3.6.1.4.1.9.9.244.1.2.1.1.6.1.27:public@isp1 +
1.3.6.1.4.1.9.9.244.1.2.1.1.5.1.27&1.3.6.1.4.1.9.9.244.1.2.1.1.6.1.27:public@isp1:
SetEnv[nbar-internet-nntp]: MRTG_INT_IP=”" MRTG_INT_DESCR=”"
Directory[nbar-internet-nntp]: nbar-internet
MaxBytes[nbar-internet-nntp]: 1000000
Title[nbar-internet-nntp]: Cisco Nbar Protocol Analysis
PageTop[nbar-internet-nntp]:

##
## vdolive Traffic Analysis
##
Target[nbar-internet-vdolive]:
1.3.6.1.4.1.9.9.244.1.2.1.1.5.1.50&1.3.6.1.4.1.9.9.244.1.2.1.1.6.1.50:public@isp1 +
1.3.6.1.4.1.9.9.244.1.2.1.1.5.1.50&1.3.6.1.4.1.9.9.244.1.2.1.1.6.1.50:public@isp1:
SetEnv[nbar-internet-vdolive]: MRTG_INT_IP=”" MRTG_INT_DESCR=”"
Directory[nbar-internet-vdolive]: nbar-internet
MaxBytes[nbar-internet-vdolive]: 1000000
Title[nbar-internet-vdolive]: Cisco Nbar Protocol Analysis
PageTop[nbar-internet-vdolive]:

##
## streamworks Traffic Analysis
##
Target[nbar-internet-streamworks]:
1.3.6.1.4.1.9.9.244.1.2.1.1.5.1.55&1.3.6.1.4.1.9.9.244.1.2.1.1.6.1.55:public@isp1 +
1.3.6.1.4.1.9.9.244.1.2.1.1.5.1.55&1.3.6.1.4.1.9.9.244.1.2.1.1.6.1.55:public@isp1:
SetEnv[nbar-internet-streamworks]: MRTG_INT_IP=”" MRTG_INT_DESCR=”"
Directory[nbar-internet-streamworks]: nbar-internet
MaxBytes[nbar-internet-streamworks]: 1000000
Title[nbar-internet-streamworks]: Cisco Nbar Protocol Analysis
PageTop[nbar-internet-streamworks]:

##
## napster Traffic Analysis
##
Target[nbar-internet-napster]:
1.3.6.1.4.1.9.9.244.1.2.1.1.5.1.57&1.3.6.1.4.1.9.9.244.1.2.1.1.6.1.57:public@isp1 +
1.3.6.1.4.1.9.9.244.1.2.1.1.5.1.57&1.3.6.1.4.1.9.9.244.1.2.1.1.6.1.57:public@isp1:
SetEnv[nbar-internet-napster]: MRTG_INT_IP=”" MRTG_INT_DESCR=”"
Directory[nbar-internet-napster]: nbar-internet
MaxBytes[nbar-internet-napster]: 1000000
Title[nbar-internet-napster]: Cisco Nbar Protocol Analysis
PageTop[nbar-internet-napster]:

##
## fasttrack Traffic Analysis
##
Target[nbar-internet-fasttrack]:
1.3.6.1.4.1.9.9.244.1.2.1.1.5.1.58&1.3.6.1.4.1.9.9.244.1.2.1.1.6.1.58:public@isp1 +
1.3.6.1.4.1.9.9.244.1.2.1.1.5.1.58&1.3.6.1.4.1.9.9.244.1.2.1.1.6.1.58:public@isp1:
SetEnv[nbar-internet-fasttrack]: MRTG_INT_IP=”" MRTG_INT_DESCR=”"
Directory[nbar-internet-fasttrack]: nbar-internet
MaxBytes[nbar-internet-fasttrack]: 1000000
Title[nbar-internet-fasttrack]: Cisco Nbar Protocol Analysis
PageTop[nbar-internet-fasttrack]:

##
## gnutella Traffic Analysis
##
Target[nbar-internet-gnutella]:
1.3.6.1.4.1.9.9.244.1.2.1.1.5.1.59&1.3.6.1.4.1.9.9.244.1.2.1.1.6.1.59:public@isp1 +
1.3.6.1.4.1.9.9.244.1.2.1.1.5.1.59&1.3.6.1.4.1.9.9.244.1.2.1.1.6.1.59:public@isp1:
SetEnv[nbar-internet-gnutella]: MRTG_INT_IP=”" MRTG_INT_DESCR=”"
Directory[nbar-internet-gnutella]: nbar-internet
MaxBytes[nbar-internet-gnutella]: 1000000
Title[nbar-internet-gnutella]: Cisco Nbar Protocol Analysis
PageTop[nbar-internet-gnutella]:

##
## kazaa2 Traffic Analysis
##
Target[nbar-internet-kazaa2]:
1.3.6.1.4.1.9.9.244.1.2.1.1.5.1.60&1.3.6.1.4.1.9.9.244.1.2.1.1.6.1.60:public@isp1 +
1.3.6.1.4.1.9.9.244.1.2.1.1.5.1.60&1.3.6.1.4.1.9.9.244.1.2.1.1.6.1.60:public@isp1:
SetEnv[nbar-internet-kazaa2]: MRTG_INT_IP=”" MRTG_INT_DESCR=”"
Directory[nbar-internet-kazaa2]: nbar-internet
MaxBytes[nbar-internet-kazaa2]: 1000000
Title[nbar-internet-kazaa2]: Cisco Nbar Protocol Analysis
PageTop[nbar-internet-kazaa2]:

##
## H323 Traffic Analysis
##
Target[nbar-internet-h323]:
1.3.6.1.4.1.9.9.244.1.2.1.1.5.1.75&1.3.6.1.4.1.9.9.244.1.2.1.1.6.1.75:public@isp1 +
1.3.6.1.4.1.9.9.244.1.2.1.1.5.1.75&1.3.6.1.4.1.9.9.244.1.2.1.1.6.1.75:public@isp1:
SetEnv[nbar-internet-h323]: MRTG_INT_IP=”" MRTG_INT_DESCR=”"
Directory[nbar-internet-h323]: nbar-internet
MaxBytes[nbar-internet-h323]: 1000000
Title[nbar-internet-h323]: Cisco Nbar Protocol Analysis
PageTop[nbar-internet-h323]:

##
## rstp Traffic Analysis
##
Target[nbar-internet-rstp]:
1.3.6.1.4.1.9.9.244.1.2.1.1.5.1.71&1.3.6.1.4.1.9.9.244.1.2.1.1.6.1.71:public@isp1 +
1.3.6.1.4.1.9.9.244.1.2.1.1.5.1.71&1.3.6.1.4.1.9.9.244.1.2.1.1.6.1.71:public@isp1:
SetEnv[nbar-internet-rstp]: MRTG_INT_IP=”" MRTG_INT_DESCR=”"
Directory[nbar-internet-rstp]: nbar-internet
MaxBytes[nbar-internet-rstp]: 1000000
Title[nbar-internet-rstp]: Cisco Nbar Protocol Analysis
PageTop[nbar-internet-rstp]:

##
## pop3 Traffic Analysis
##
Target[nbar-internet-pop3]:
1.3.6.1.4.1.9.9.244.1.2.1.1.5.1.32&1.3.6.1.4.1.9.9.244.1.2.1.1.6.1.32:public@isp1 +
1.3.6.1.4.1.9.9.244.1.2.1.1.5.1.32&1.3.6.1.4.1.9.9.244.1.2.1.1.6.1.32:public@isp1:
SetEnv[nbar-internet-pop3]: MRTG_INT_IP=”" MRTG_INT_DESCR=”"
Directory[nbar-internet-pop3]: nbar-internet
MaxBytes[nbar-internet-pop3]: 1000000
Title[nbar-internet-pop3]: Cisco Nbar Protocol Analysis
PageTop[nbar-internet-pop3]:

Additional References:
Cisco IOS images that support CISCO-NBAR-PROTOCOL-DISCOVERY-MIB MIB.
[...]

Network-Based Application Recognition and Distributed Network-Based Application Recognition:
[...]

Network-Based Application Recognition Protocol Discovery Management Information Base:
[...]

Donate to my favorite projects

michael earls — Thu, 30 Dec 2010 21:17:06 +0000

I felt its important to donate to my favorite projects that I use in my everyday life and I continually promote to friends, co-works, and family. To name a few of the projects I donated to today:

winscp – www.winscp.net
pdfCreator – www.pdfforge.org/products/pdfcreator
fileZilla – filezilla.sourceforge.net

I also want to thank everyone who has donated to my project phpIP Management http://www.phpip.net/contributers.php, this has really given me the chance to spend the extra hours a night to make my project better.

Thanks again,

-
Michael Earls

Presented at the Ohio Information Security Forum

michael earls — Thu, 30 Dec 2010 20:46:56 +0000

The Ohio Information Security Forum is a group of enthusiasts and professionals involved in information security, networking, system administration, engineering, and other computing environments. I was asked to present on the following topic to the group on April 12th, 2007. My presentation will be posted online and also with OISF (www.ohioinfosec.org).

This presentation covered topics related to DNS with regards to design, attacks, and security including:

• DNS Reconnaissance
• Cache Poisoning using DNS
• Denial of Service Attack (Query Flooding DNS)
• Man in the Middle Attacks (DNS Hijacking)
• DNS Design Best Practice

-
Michael Earls

Presentation on DNS

michael earls — Fri, 30 Apr 2010 21:08:26 +0000