Guy Bruneau to teach "Comprehensive Packet Analysis" at SANS Toronto in May 2009
This SANS course, "Comprehensive Packet Analysis", is designed to give students the skills necessary to decode network traffic with open-source tools available for Unix and Windows systems. Students will learn advanced pcap packet filtering methods to decode and manipulate network traffic using tcpdump, and will use Wireshark to extract files (pictures, documents, executables, etc.) from data streams for malware recovery, incident response and forensic analysis.
Who should attend this course?
. Incident response analysts, firewall and network administrators looking to learn advanced packet decoding skills
. Analysts looking to learn advanced techniques in packet analysis
. Analysts wanting to learn how to recover and analyze files from packet streams
. Network administrators and operations professionals seeking a deeper understanding of network analysis techniques
For course details, registration and the complete list of courses available at SANS Toronto 09: http://www.sans.org/info/37069
| 08-15-08 |
Seeker has released Shadow IDS Powered by Slackware version 6.2. Thanks Seeker!
| 02-09-08 |
Guy Bruneau to teach "Comprehensive Packet Analysis" at SANS Toronto in May 2008
This SANS course, "Comprehensive Packet Analysis", is designed to give students the skills necessary to decode network traffic with open-source tools available for Unix and Windows systems. Students will learn advanced pcap packet filtering methods to decode and manipulate network traffic using tcpdump, and will use Wireshark to extract files (pictures, documents, executables, etc.) from data streams for malware recovery, incident response and forensic analysis.
Who should attend this course?
Incident response analysts, firewall and network administrators looking to learn advanced packet decoding skills
Analysts looking to learn advanced techniques in packet analysis
Analysts wanting to learn how to recover and analyze files from packet streams
Network administrators and operations professionals seeking a deeper understanding of network analysis techniques
For course details, registration and the complete list of courses available at SANS Toronto 08: http://www.sans.org/info/23789
| 01-03-08 |
The Whitehats server will be down for maintenance for a period of time over the weekend of 5 January 2008 and possibly at some point during the week of 7 January 2008. We apologize in advance for any inconvenience. |
| 12-20-07 |
Shadow IDS Powered by Slackware Linux 6.1 has been released. Thank you Seeker for your continued contributions. |
| 05-29-07 |
Adrien de Beaupre (ASP) would like to announce that the OSSTMM Professional Security Tester (OPST) course will again be offered in Ottawa. It will be held 16 to 20 July 2007 at the Preston St location of Cinnabar/Bell Security Solutions. For more information and links please visit ASP's members page. |
| 04-17-07 |
Guy Bruneau will be teaching SANS GIAC Security 503: Intrusion Detection In-Depth and Management 421: SANS Leadership and Management Competencies in Toronto, May 7-13, 2007. There are many other great courses available; see http://www.sans.org/toronto07/ for more details...
Thanks,
Guy
Guy Bruneau, B.A., CD
ISSPCS, GSEC, GCIA, GCIH, GCUX
Senior Security Consultant
ipss Inc.
150 Isabella St., Suite 101
Ottawa, On K1S 1V7
Phone: 613-232-2228 Ext: 225
Cell: 613-851-6222
Fax: 613-231-4888
Toll free: 1-866-532-2207
www.ipss.ca |
| 03-25-07 |
Shadow IDS Powered by Slackware Linux 6.0 has been released. Changelog details follow:
Version 6.0 - 25 March 2007
- This is the sixth major release of Shadow IDS Powered by Slackware. This version is based on Slackware 11.0 and Linux kernel 2.6.18 with all the latest packages. The default kernel is for all PCs (SCSI and IDE) and includes SMP support.
- Added support for USB drives.
- Upgraded to MySQL version 5.0.33.
- Upgraded Snort to version 2.6.1.3.
- Upgraded to Oinkmaster 2.0.
- Upgraded p0f to 2.0.8.
- Upgraded to Webmin 1.330.
- Added a Webmin button in the Servers section for NIC bond0 support for Snort. Activate the cards in /etc/rc.d/rc.local.
- Upgraded the DST zoneinfo file to version 2.3.6.
- Upgraded slackupdate.sh to version 0.7.1.
- Added the ntop Network Top monitoring tool. To enable it, edit the /etc/rc.d/rc.local script and enable it at boot.
For additional information on installation and configuration of the various features of the system, please refer to the Shadow_IDS_installation_6.0.pdf file. |
| 03-05-06 |
Ubergeek has updated content in his members section with the addition of 'ANALYST WORKING AIDE'.
This Working Aide is primarily focused on Explicit Congestion Notification (ECN) and is very thorough: an excellent reference and overall refresher for novice and experienced analysts alike. Thank you Ubergeek! |
| 26-04-06 |
Shadow IDS Powered by Slackware Linux 5.4 has been released. Changelog details follow:
Version 5.4 - 16 April 2006
- Upgraded all the system components to Sguil version 0.6.1. This version now includes built-in SSL encryption between the sensor(s) and the database. Follow the install.pdf to set up encryption between the database and the sensors.
- Added two new sections in the Webmin server section: Sguil Reports and a TCP Wrappers configuration utility. The Sguil Reports are generated daily from /etc/sguild/incident_report.tcl and dumped in /usr/local/webmin/reports/Sguil_Reports.
- Added two new options in the Webmin server section: Sguil Server Controls and Sguil Sensor Controls, used to configure the sensor and server components. These two sections are used to edit config files and restart some of the Sguil services.
- Modified the Shadow fetchem.pl script to provide hourly reports in Webmin under Server Sguil Reports. To configure this additional capability on each sensor, see the install.pdf document to enable this feature and the ShadowFilters.pdf document to understand how to correctly configure the filters. The reports are dumped in /usr/local/webmin/reports/Shadow/external (eth1) and internal (eth2).
- Patched Barnyard with the Sguil TCL patch to use the new Sguil functionality.
- Added a shell script to search through the Sguil pcap log files at the command line. The script is located in the /root account and is called sguil_pcap.sh. Just run it and fill in the blanks.
- Upgraded wget to version 1.10.2.
- Upgraded mysqltcl to version 3.02.
- Upgraded OpenSSH from version 3.9p1 to 4.3p1.
- Upgraded Webmin to version 1.270.
- Upgraded Snort to 2.4.4 because of security issues. |
| 09-10-05 |
Shadow IDS Powered by Slackware Linux version 5.2 has been released. Changelog details follow:
Version 5.2 - 3 October 2005
- Upgraded MySQL to version 4.1.13, which fixes numerous bugs.
- Upgraded ngrep to version 1.43.
- Upgraded the util-linux package.
- Upgraded Webmin to version 1.230.
- Added numerous Webmin management scripts under the Others/Custom Commands section to assist with the management of the database server and the sensor.
- Upgraded tcpdump to version 3.9.3 due to a security issue with version 3.8.3.
- Upgraded Snort to version 2.4.2. You should check out the release notes at http://www.snort.org/docs/release_notes/release_notes_240.txt, which detail several changes including the frag3 preprocessor. Added support for Phil Woods' MMAPed pcap, which is built directly into Snort. Additional information on MMAPed pcap is available at http://public.lanl.gov/cpw/
- Minor update to the TCP/IP package.
- Included the convert_time binary in /root to convert epoch time to regular calendar time.
- Included in /etc/rc.d/rc.local NIC bonding startup scripts for those who would like to use IDS taps, including ifenslave in /sbin.
- Added several scripts in Webmin under Others and Custom Commands. The commands are used to manage the database and Snort. |
| 17-05-05 |
Shadow IDS Powered by Slackware Linux version 5.1 has been released. Changelog details follow:
Version 5.1 - 1 May 2005
- Upgraded Webmin to version 1.200. Made modifications so that Webmin can see rules that look in both directions, such as "alert any any <> any 80". Added several commands under the Custom Commands to manipulate Sguil files and restart the daemon, including testing Snort rules and restarting the Snort services.
- Upgraded Snort to version 2.3.3.
- Added information on how to subscribe and configure oinkmaster to download the VRT Snort Certified Rules updates.
- Enabled the threshold.conf file in the Snort configuration file.
- Added a new Snort Webmin button to edit and configure the Snort threshold configuration file. This file contains several examples of events that can be auto-configured.
- Added a new Sguil button for the Sguil autocat.conf file under the Webmin custom commands tab.
- Added a new script to control the MySQL database, called /etc/rc.d/rc.mysqld.
- Upgraded the /etc/rc.d/rc.K script to ensure it kills all the services associated with Sguil, including MySQL shutdown.
- Upgraded p0f to version 2.0.5.
- Added a script in /root/scripts to optimize the Sguil database daily. The admin needs to add the MySQL root password to the script for this to function properly. |
| 21-02-05 |
Seeker has released Shadow IDS Powered by Slackware Linux version 5.0. The changelog details are below.
- This is the fifth major release of Shadow IDS Powered by Slackware. This version is based on Slackware 10.1 and Linux kernel 2.4.29 with all the latest packages.
- Included the latest slackupdate.sh script to help monitor package updates for Slackware 10.1.
- Added Webmin Snort management for oinkmaster.conf and the local-sid.map file.
- Created a new Snort script used by Snort Webmin to stop and start Snort and Barnyard as well as parse an updated master Snort sid.map used by Barnyard.
- Upgraded Webmin to version 1.180.
- Upgraded Snort to version 2.3.0.
- Upgraded Ngrep to 1.42.
- Changed the Sguil/Snort scripts to monitor interfaces eth1 and eth2 instead of eth0. All the scripts to enable eth2 are commented out in the /etc/rc.d/rc.local script and only need to be uncommented to start them. You also need to edit the root crontab to activate eth2 logging.
- There are three separate packages for Sguil: sguil, containing all of the components to run Sguil on a single box; sensguil, used to install the sensor components only; and sguildb, to install the database components only. If deploying multiple sensors to report to a single database, use sensguil for the sensors and sguildb for the database.
- Dropped support for ACID, which has been replaced by Sguil. |
| 04-02-05 |
Woo Hoo - a Whitehats pub call, slated for Feb 12th 2005 at the Riverside starting at 7PM. More details are available here. |
| 15-12-04 |
Seeker has released Shadow IDS on Slackware Linux version 4.6. Changelog details follow:
Version 4.6 - 21 November 2004
- This release has a new package to use the Sguil console (http://sguil.sourceforge.net) instead of ACID. In order to access the database, you will need to download the Sguil client available on the SourceForge website. You have a choice of installing ACID or Sguil. Sguil has two packages: sensguil for a sensor-only installation, and sguil if installing the database and the sensor on the same system. See the sguil.pdf document (http://www.whitehats.ca/downloads/ids/shadow-slack/docs/sguil.pdf) for installation and configuration of both the sensor and the Windows client. Both packages have their own directory on the install CD. The Sguil package contains the same MySQL database as ACID, including the same tables.
- New with this release is a document called stunnel.pdf (http://www.whitehats.ca/downloads/ids/shadow-slack/docs/stunnel.pdf) on configuring a database and the sensors to encrypt the data via SSL. The examples are based on encrypting data using the Sguil daemon and MySQL.
- Updated the MySQL database to 4.0.22.
- Added a new package called sguil. This package contains several binaries associated with the Sguil data management console. The following binaries are included: p0f, tcpflow, sancp.
- Updated Apache to 1.3.33 due to a buffer overflow affecting mod_include and mod_proxy.
- Updated mod_ssl to mod_ssl-2.8.22-1.3.33 to fix the SSL security issues. |
| 22-09-04 |
Seeker has released Shadow IDS on Slackware Linux version 4.5. Changelog details follow:
Version 4.5 - 15 September 2004
- Added the Webmin package to manage the entire sensor from a web browser. Webmin runs its own web server and does not require Apache. Webmin is started from /etc/rc.d/rc.local. The Webmin default username and password are admin and admin. Webmin uses SSL encryption and is accessed at https://sensor:10000. See the install.pdf document on how to change the default password.
- Reorganized the install.pdf document into two sections. The first section is the install section and the second is background information on the sensor setup.
- Added the "restart" command in the /etc/rc.d/rc.snort script.
- Added an /etc/rc.d/rc.barnyard script to control the Barnyard service.
- Changed the default output by Snort to log_unified format to use Barnyard as the backend processor. The unified logs are saved in /usr/local/snort/log/eth*. Barnyard processes those logs and saves them in pcap format in /usr/local/barnyard/log/eth*.
- Added a new ACID backup database table. This table is called snortarchive and events can be archived using the ACID action menu. This additional table will permit long-term data analysis.
- Added access control to Apache. You now require a valid user account in order to access ACID. See install.pdf for the instructions to change the default password and add new accounts. The default account is cyber and the password is admin.
- Removed support for PCMCIA cards.
- Configured SHADOW to run a console on the sensor if configured according to the setup supplied in the install.pdf document.
- Automated daily updates of the Bleeding Edge rules using Oinkmaster. The 3 files are located in the /usr/local/snort/rules directory.
- Added the stunnel package to provide encryption to securely tunnel Snort data to MySQL over an unsecured network. |
| 23-08-04 |
Seeker has released Shadow IDS on Slackware Linux version 4.4. Changelog details follow:
Version 4.4 - 12 August 2004
- Updated Snort to 2.2.0.
- Updated Oinkmaster to 1.0.
- Updated various components of the ACID package.
- Updated jpgraph to version 1.16.
- Updated adodb to version 4.52.
- Updated php to 4.3.8.
- Added the Bleeding Edge Malware rules in the etc/ directory. The rule file is called bleeding_edge.rules and it has been added to each configuration file (ext and int). |
| 07-07-04 |
Cerberus has updated some site content. Two whitepapers have been added. |
| 07-07-04 |
Seeker has released an updated version of Shadow IDS on Slackware Linux. |
| 17-05-04 |
Whitehats - server maintenance - the Whitehats website will be down Thursday 20th May through Friday 21st May 2004. We apologize for any inconvenience. |
| 19-04-04 |
Slackware Linux has released an update for tcpdump, version 3.8.3, addressing security vulnerabilities in earlier versions. Those of you using tcpdump prior to this version should upgrade as soon as possible. See the advisory from Secunia. |
| 19-04-04 |
Ubergeek has updated content in his members section. Check it out! |
| 29-02-04 |
Seeker has released Security Advisory 2004-02-26 for Shadow IDS on Slackware Linux. The security advisory covers how to patch your system. Version 4.2 incorporates these fixes if you're installing a new sensor. |
| 30-01-04 |
Malik added a quick tutorial on getting Firewall Builder running on RedHat 9. Click here to view it. |
| 23-01-04 |
Seeker and Slyfox would like to announce the availability of training courses in the Ottawa area offered by IPSS as follows:
- Feb 16th to 18th, 2004: Fundamentals 202 - Information Security for Analysts (Hands On)
- Mar 22nd to 24th, 2004: Security Fundamentals 101
Please see the IPSS website for more information. |
| 19-01-04 |
Seeker has released version 4.1 of Shadow IDS on Slackware Linux. This release addresses a kernel vulnerability which could allow local privilege escalation. More info is available from the security vulnerability here. Updated install docs are also available. |
| 13-01-04 |
ISEStorm is coming! This is a great training opportunity for those interested in network security. The venue is Barcelona, Spain, from March 22 2004 to April 3 2004, where ISECOM, La Salle University, ISC2 and BSI Global have joined forces to bring a full 10-day training schedule. More information is available at http://www.whitehats.ca/main/members/ASP/ASP.html or on ISECOM's website. |
| 13-01-04 |
Seeker has released a security fix and an advisory for Shadow IDS on Slackware Linux. It is available at http://www.whitehats.ca/downloads/ids/shadow-slack/security_advisory_2004-01-13.txt. Please read the brief advisory and follow the directions within to patch your kernel and download and update the Snort portion. |
| 04-01-04 |
Whitehats.ca welcomes its newest member, Peter Giannoulis, aka Snapcase. Glad to have you with us Peter. |
| 09-12-03 |
Seeker has released version 4.0 of Shadow. Please see the changelog for more info on this release, which incorporates support for Apache/ACID/MySQL for use with Snort. Download it from here... |
| 30-11-03 |
Great to see the port database has had some interest. Some new ports have been added. Thanks to the person who has taken the time to do the initial research and submit these ports (BitTorrent and PeerEnabler). |
| 26-11-03 |
Cerberus has added some content under his members section: a presentation on the Value of Certification and a paper on Rule Organisation for Stateful Firewall Inspection. Visit his homepage for more details. |
| 15-11-03 |
An update is available for Snort on Shadow IDS. Also, the ACID package for Shadow IDS is now available for download. Thanks Seeker. |
| 15-11-03 |
Please welcome Jason O'Toole as our newest member. Welcome to the group Jason. |
| 24-10-03 |
SANS GCFW LMP: Rick Wanner (Cerberus) will be leading a SANS GIAC Firewall Analyst Local Mentor Program in Ottawa starting November 6th. For further information contact him at cerberus@whitehats.ca. More details on the track and LMP are available at http://www.sans.org/local/track2.php and http://www.sans.org/local/schedule.php#track2 respectively. |
| 18-10-03 |
Whitehats.ca is having a pub call! Click here for more info.
Place: Riverside Pub, 3673 Riverside Dr, Ottawa, ON K1V 1G8, Tel: (613) 733-8459
Date/Time: October 25th 2003, 8PM
Visitors are welcome to attend. |
| 16-10-03 |
Seeker - aka Guy Bruneau - will be teaching SANS GIAC track 3 - Intrusion Detection In-Depth, October 27th to November 1st 2003 in Toronto. Click here for more details... |
| 06-10-03 |
Seeker has released version 3.2 of Shadow IDS. This update includes some security patches for openssl/ssh and lsof, minor Snort script updates, and the support required for Snort used with ACID and MySQL. See the changelog here for more info. Installation documentation and supporting literature is located here. The ISO image is located here, with the MD5 sig here. |
| 27-09-03 |
Ubergeek has added briefing number 2 in his Know Your Enemy series under his homepage. Check it out at KYE2. |
| 25-08-03 |
Seeker has released an update for Shadow IDS to version 3.1. The change log is located here. Click here to proceed to the documentation, including links to download it. |
| 25-08-03 |
Cerberus has added three papers (on the 22nd) to his members section: Hardening Win2K, Securing a Linksys Wireless Access Point, and his SANS GIAC GCFW honours paper. |
| 21-08-03 |
I'm pleased to announce Cerberus has joined Whitehats.ca. |
| 21-08-03 |
I have fixed the search functionality on the site and done some general maintenance of older pages to aid our visitors. These mostly relate to the outage in July. We're almost back up to 100%.
Also, the pub call on the 15th was a lot of fun. I think everyone had a good time and I'm glad to see that conversations from the BoF carried on after the Marriott lost power, over a cold pint or two. |
| 19-08-03 |
Sobig.F is propagating fast. Update your antivirus software as soon as possible. See this advisory for more information. |
| 19-08-03 |
The site was unavailable due to power issues over the weekend. Sorry for the inconvenience. |
| 13-08-03 |
Scanning has been noted picking up pace looking for nsiislog.dll, in relation to the Microsoft Windows Media Services NSIISlog.DLL Remote Buffer Overflow Vulnerability noted June 25th this year. See this link for more details... Patch and harden your IIS servers. |
| 11-08-03 |
We're pleased to welcome mmicman to Whitehats.ca. Glad you've joined our group and we're looking forward to your contributions to the infosec community. |
| 08-08-03 |
Some RPC DCOM links to help you understand the vulnerability and how to protect yourself. Some of the exploit code currently in use is associated with opening a backdoor on TCP port 4444 or TCP port 3333. |
| 31-07-03 |
I'd like to welcome both Herc_Man and Encrypo to Whitehats.ca as our newest members. Hopefully both of you will have some content to share with the community in the near future. |
| 31-07-03 |
A wuftpd exploit was released publicly today. This is in many instances a local and remote root exploit. See the ISEC Security Research isec-0011-wu-ftpd.txt bulletin for more details. |
| 19-07-03 |
Another pub call/crawl is being scheduled for the 15th August 2003 at the Heart and Crown Pub starting at 6PM. This coincides with the SANS Parliament Hill 2003 conference. Hope to see some familiar faces in addition to our regular members. |
| 17-07-03 |
The site has been down due to a hardware failure. Sorry for the inconvenience. We are in the process of restoring service and there will be periods of continued outages for the next little while. An update will be posted when the outages are expected to be finished. |
| 12-06-03 |
Announcing a pub call for June 25th 2003 at the Heart and Crown Pub in the Irish Village at 6PM. This coincides with the FIRST conference. I hope a few of the attendees can join our group for a few refreshments. |
| 08-06-03 |
Jason has posted a presentation on Relational Database and IDS log analysis techniques. |
| 08-06-03 |
Malik has posted a presentation on TCP/IP (basic) and TCPDump filters. |
| 12-05-03 |
A few links of interest I thought I'd throw up on the site for Snort fans. |
| 24-04-03 |
Seeker has released Shadow IDS version 3.0. This is a major release which incorporates the use of one of my favourite tools - ngrep. See the changelog for more details on this release. Installation instructions are available here, and the ISO image is available from here. Thank you Seeker for your continued development and support of this wonderful NIDS tool. |
| 18-04-03 |
It is my pleasure to welcome Nighthawk to the group. A current list of members is available here. |
| 18-04-03 |
The last pub call was a great time had by all. It was good to see so many friends over a wobbly pop or two. |
| 01-04-03 |
A quick observation on the Sendmail patches... A new worm is ripe for release as the catalysts are really starting to show. A worm that should equal Slapper in proliferation, but one which will likely incorporate mass mailing that will have much more devastating impacts on overall bandwidth consumption. This is at least what my crystal ball is saying based on the recent Sendmail vulnerability announcements. Some experts in the field I've discussed this topic with feel that the next worm to hit will be similar to the SADMIN/IIS worm in that it will target flaws present in software running on both Windows and xNIX.
I did a quick passive study of approximately 20 class B addresses last week and noted that of those running Sendmail, roughly 10% had patched their version of Sendmail. This was three weeks after the vulnerability and patch availability were made public. Now yet another version of Sendmail has been released to address a separate buffer overflow. Check your mail servers and transfer agents! Make sure you've patched and securely configured your systems. You can do this by looking at the mail headers (in most cases) of messages that have travelled through the mail servers in question. You can also check manually over the network, which I won't cover here. If you're a manager and want to know, send your administrators a message asking for confirmation of the version and patch number of the servers in question, and then proceed based upon the answers you get back from your staff.
I tallied up some quick stats and noted approximately 43% of the email messages checked were handled by Sendmail. Some other stats I collected last week on other networks indicated roughly 60% of mail servers were running Sendmail. This is scary folks! Prime targets for attackers are prolific services with a high impact. Sendmail is one of those services, so patch your servers and employ defense-in-depth practices to ensure your organisation's email continues to flow, and be a good neighbour by not having your mail servers hacked and used to attack others.
Below are listings of some common mail servers noted over the last three months or so. These statistics do not represent a definitive or even well laid out and methodical study, so they should be taken with a grain of salt. They are at best rough numbers.
42.6% - Sendmail. Versions seen: (8.10.0/8.10.0), (8.10.1/8.10.1), (8.11.0.Beta3/8.11.0.Beta3), (8.11.0/8.11.0), (8.11.1/8.11.1), (8.11.3/8.11.2), (8.11.3/8.11.3), (8.11.6/8.11.6), (8.11.6/8.11.6/1.14), (8.12.1/8.12.1), (8.12.2/8.12.2), (8.12.3/xxx/VER6.4), (8.12.5/8.12.0.Beta10), (8.12.5/8.12.5), (8.12.6/8.12.1), (8.12.6/8.12.6), (8.12.7/8.12.5), (8.12.8/8.12.5), (8.12.8/8.12.6), (8.12.8/8.12.8), (8.8.8+Sun/8.8.8), (8.9.2-aidan/8.9.2), (8.9.3/8.9.3), (8.9.3/8.9.3/kr), (AIX4.3/8.9.3/8.9.3)
38.9% - InterMail. Versions seen: InterMail vK.4.04.00.00, InterMail vK.4.04.00.02, InterMail vM.4.01.03.27, InterMail vM.5.01.04.05, InterMail vM.5.01.04.19, InterMail vM.5.01.05.06, InterMail vM.5.01.05.09, InterMail vM.5.01.05.12, InterMail vM.5.01.05.20, InterMail vM.5.01.05.25
12.6% - Postfix
5.9% - Others: Qmail, MS Exchange, Courier-MTA
It is simply this easy to find vulnerable, unpatched servers. Once working exploit code is developed it won't be long before it is wrapped within a worm and starts off on its deadly beginnings.
Malik |
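The header check Malik describes, as an added example that is not part of his post or of any Whitehats tool: it runs over a constructed set of Received: headers (modelled on the banner strings in the table above, with documentation hostnames and addresses, not real mail), attributes each hop to an MTA family, pulls the Sendmail binary version out of the "(binary-version/config-version)" banner, and reports both the share per MTA and any Sendmail host below a minimum version. The minimum version is an assumption (8.12.8, the newest version in the table; set it to whatever the current advisory requires), and the InterMail, Postfix, qmail and Exchange banner patterns are the common forms rather than an exhaustive list.

```python
"""Tally MTA software from Received: headers and flag old Sendmail versions."""
import re
from collections import Counter
from typing import Optional, Tuple

# Minimum Sendmail version treated as patched. Assumption for this example
# (8.12.8 is the newest version in the table above); adjust to the advisory.
MIN_SENDMAIL = (8, 12, 8)

# Constructed sample headers modelled on the banner strings quoted above.
# Hostnames and addresses are documentation values, not real mail traffic.
SAMPLE_HEADERS = [
    "Received: from relay1.example.net (relay1.example.net [192.0.2.10]) "
    "by mx1.example.org (8.12.8/8.12.8) with ESMTP id h31CgTxx012345",
    "Received: from ws.example.net ([192.0.2.11]) "
    "by mta2.example.org (8.11.6/8.11.6) with ESMTP id h31Cg1qq003210",
    "Received: from host.example.com (host.example.com [198.51.100.5]) "
    "by sunbox.example.org (8.8.8+Sun/8.8.8) with ESMTP id MAA12345",
    "Received: from aixhost.example.org ([198.51.100.9]) "
    "by aixmail.example.org (AIX4.3/8.9.3/8.9.3) with ESMTP id AA0123",
    "Received: from [203.0.113.4] by mail.example.net "
    "(InterMail vM.5.01.05.12 201-253-122-126-112-20020820) with ESMTP",
    "Received: from localhost (localhost [127.0.0.1]) "
    "by pf.example.org (Postfix) with ESMTP id 1A2B3C4D",
    "Received: (qmail 4321 invoked from network); 1 Apr 2003 12:00:00 -0000",
    "Received: from client.example.net ([203.0.113.7]) by exch.example.org "
    "with Microsoft SMTPSVC(5.0.2195.5329); Tue, 1 Apr 2003 08:00:00 -0500",
]

# "by <host> (<banner>)" is the hop that names the MTA which handled the mail.
BY_CLAUSE = re.compile(r"\bby\s+(\S+)\s+\(([^)]*)\)")
DOTTED = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def sendmail_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) of the Sendmail binary from a banner such
    as '8.12.8/8.12.8', '8.8.8+Sun/8.8.8' or 'AIX4.3/8.9.3/8.9.3'.

    Sendmail prints binary-version/config-version, and vendor builds may
    prefix an OS tag, so take the first '/'-separated field that starts with
    a dotted number. Suffixes ('+Sun', '.Beta3') are dropped, so a beta counts
    as its base release, which is the conservative choice."""
    for field in banner.split("/"):
        m = DOTTED.match(field)
        if m:
            return (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    return None


def classify(received: str) -> Tuple[str, Optional[str], object]:
    """Return (mta, host, version) for one Received: header."""
    if "qmail" in received.lower():          # qmail never writes 'by host (..)'
        return ("Qmail", None, None)
    if "Microsoft SMTPSVC" in received or "Microsoft Exchange" in received:
        return ("MS Exchange", None, None)
    m = BY_CLAUSE.search(received)
    if not m:
        return ("Others", None, None)
    host, banner = m.group(1), m.group(2)
    if banner.startswith("InterMail"):
        parts = banner.split()
        return ("InterMail", host, parts[1] if len(parts) > 1 else None)
    if banner.startswith("Postfix"):
        return ("Postfix", host, None)
    if "Courier" in banner:
        return ("Courier-MTA", host, None)
    version = sendmail_version(banner)
    if version is not None:
        return ("Sendmail", host, version)
    return ("Others", host, None)


def survey(headers, minimum=MIN_SENDMAIL) -> dict:
    """Tally MTA share across headers and list Sendmail hosts below `minimum`."""
    counts = Counter()
    unpatched = []
    for header in headers:
        mta, host, version = classify(header)
        counts[mta] += 1
        if mta == "Sendmail" and version < minimum:
            unpatched.append((host, ".".join(map(str, version))))
    total = sum(counts.values())
    share = {mta: round(100.0 * n / total, 1) for mta, n in counts.items()}
    return {"counts": dict(counts), "share": share, "unpatched": unpatched}


if __name__ == "__main__":
    result = survey(SAMPLE_HEADERS)
    for mta, pct in sorted(result["share"].items(), key=lambda kv: -kv[1]):
        print(f"{pct:5.1f}%  {mta}")
    floor = ".".join(map(str, MIN_SENDMAIL))
    for host, version in result["unpatched"]:
        print(f"below {floor}: {host} runs Sendmail {version}")
```

Feed it the Received: lines of real messages that crossed the servers you care about (the banner is only as honest as the MTA that wrote it, so a host that rewrites or strips its banner will land in Others rather than being proven patched). Comparing the version as a tuple rather than a string is what stops 8.9.3 from sorting above 8.12.8.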
| 27-03-03 |
Please welcome RaDaR to the group. We're glad to have you with us! |
| 27-03-03 |
Our new VP is Ubergeek. More info on the association executives can be found in the about_us section under contact_us. |
| 14-03-03 |
Whitehats.ca has posted our site's Responsible Disclosure Policy. Please refer to this policy for guidance when dealing with our members on vulnerability-related issues. |
| 08-03-03 |
Seeker has released a new, updated version of Shadow IDS on Slackware Linux. The current version is v2.4. The change log is available here. Differences between the last release and v2.4 are listed below:
Version 2.4 - 5 March 2003
- This version contains the addition of Network Grep (Ngrep), which can be used in standalone mode or combined with the Shadow logs. If used with the Shadow logs, a script has been added in /root/ngrep_pat_search.pl to look for strings, HEX data or keywords using the Shadow logs as source data, as long as the snaplen is long enough.
- This is a minor upgrade of tcpdump from version 3.7.1 to 3.7.2 to patch a security flaw in the isakmp parser. See the iDEFENSE security advisory.
- It also includes a minor upgrade on Snort 1.9.0 because of an RPC preprocessor buffer overflow discovered by X-Force. See the X-Force advisory. |
| 03-03-03 |
Hmmm, this date bothers me for some reason. Anyway, the remote root vulnerability in Sendmail looks to be pretty nasty. Apparently all versions of Sendmail prior to the version released today are vulnerable to attack. Seeing as the Internet email backbone is probably at around 50-60% running on Sendmail, this is a significant vulnerability. Patch or upgrade your mail servers quickly! It isn't hard to wrap exploit code into a worm, and these are the kind of exploits that have high exposure and are therefore prime candidates for automated rooters. Make sure you check the signatures of files being installed and that you trust the source. |
| 03-03-03 |
A vulnerability has been published for Snort 1.8.0 thru 1.9.0. Interestingly, it was found by a rival company; can't see any one-upmanship here. Unlike some previous flak from the industry, ISS seems to have released this information in a responsible manner, as Snort had a fix available at the time of the advisory's release. See www.snort.org for your updates. See the current threats section above right for a link to the ISS X-Force advisory. |
| 27-02-03 |
Malik added a partial listing of whois servers for reference. |
| 25-02-03 |
Looks like www.gnu.org was defaced. I hope they come forward with a press announcement detailing the damage done and can quickly restore confidence in their site and the software offered. |
| 25-02-03 |
Mike Gibson is our newest member. Glad to have you with us Mike. |