Saturday, November 24, 2012

iBall Groovy Bluetooth Neckphone With Mic


Hello Friends,

Just a short review of the iBall Groovy.


  1. Effective range : 10 m
  2. Working Time : 6-7 Hours
  3. Supported Profiles : HSP, HFP, A2DP, AVRCP
Pairing with a device :

  1. Switch on by holding the power button for 5-6 seconds until the LED blinks red and blue alternately; this means you are in pairing mode.
  2. From the laptop: Bluetooth Devices > Add a Bluetooth Device > My device is set up and ready to be found
  3. The Bluetooth device search starts; select iBall-Groovy
  4. Select --> Use the passkey found in the documentation
  5. For the iBall-Groovy the passkey is 0000.
  6. Once done, click the audio icon at the bottom right
  7. Click Devices > Independent (R.T.C.) Headphones (IDT High Definition Audio CODEC)
  8. Unmute the selected volume and that should work!

iBall-Groovy main panel (image)

Playback interface (image)

Blue LED (image)


  • Simple and slim design
  • Nice audio quality
  • The mic works absolutely fine, with clarity
  • Affordable price


I am personally enjoying the iBall Groovy! Your reviews and experiences are welcome here; if you run into any problems or issues it will be nice if you post them here. I know this was just a short overview and not a complete analysis.

Best Regards,
Girish

Tuesday, November 20, 2012

Squid Proxy Configuration RHEL5

Hello Friends,

Squid is a very popular proxy used on Red Hat servers. Here is a little tutorial on configuring Squid and checking the Squid logs. Hope you enjoy it!

SQUID Configuration :
---------------------------

1. yum install squid*
2. vi /etc/squid/squid.conf

Parameters to configure :
-----------------------------

By default no machine except localhost is allowed to connect to the proxy, so we need to allow access
from our subnet 192.168.0.0/24 (the ACL is created in step 3). http_access rules are evaluated top to bottom
and the first match wins, so the allow line must appear before the http_access deny all that the stock squid.conf ends with.

1. visible_hostname universe.server.com    # universe.server.com is my server's hostname
2. http_port 192.168.0.60:8080             # My server's IP: 192.168.0.60, port 8080; binding to one address keeps the proxy off other interfaces
3. acl mylan src 192.168.0.0/255.255.255.0 # mylan is the name given to the ACL
4. http_access allow mylan
5. http_access deny !mylan                 # anything not in mylan is refused (same effect as deny all at this point)
6. Save changes and Exit
7. service squid start

On Client :
---------------
1. Open browser
2. Edit > Preferences > Connection settings > 
3. Manual Proxy Configuration > Http Proxy > 192.168.0.60 , Port 8080

That's it!
You should be able to browse websites from here on.



Additional Configuration :
-------------------------------
http://www.redhat.com/archives/ext3-users/2010-August/msg00003.html
1. vi /etc/squid/squid.conf
2. cache_dir ufs /var/spool/squid 100 16 256
Amount of disk in MB to be used for caching             : 100
Number of first-level cache directories to be created   : 16
Number of second-level cache directories to be created  : 256

Default Squid Cache directory  : /var/spool/squid/(16 dirs)/(256 dirs)/(the small files)

'Level-1' is the number of first-level subdirectories which will be created under the 'Directory'--> The default is 16.
'Level-2' is the number of second-level subdirectories which will be created under each first-level directory -->  The default is 256.

Where to check Squid Access Logs ? Who visited XYZ Sites?
-----------------------------------------------------------
Log File : /var/log/squid/access.log (native format, one request per line: timestamp in epoch seconds, duration in ms, client IP, cache result/HTTP status, bytes sent, method, URL, user, hierarchy code/peer, content type)
Sample Logs :
---------------
[root@universe squid]# tail -f /var/log/squid/access.log
1350983287.130   2452 192.168.0.254 TCP_MISS/200 83569 GET http://www.htc.com/managed-assets/images/home-page/marquee/wp-8x-360/blue/wp8_35.png - DIRECT/125.99.127.201 image/png
1350983287.865   3913 192.168.0.254 TCP_MISS/200 61282 GET http://www.htc.com/managed-assets/images/home-page/marquee/wp-8x-360/blue/wp8_31.png - DIRECT/125.99.127.209 image/png
1350983288.327   1746 192.168.0.254 TCP_MISS/200 44226 GET http://www.htc.com/managed-assets/images/home-page/marquee/wp-8x-360/blue/wp8_08.png - DIRECT/125.99.127.209 image/png
1350983290.043   1595 192.168.0.254 TCP_MISS/200 22004 GET http://www.htc.com/managed-assets/images/home-page/marquee/wp-8x-360/blue/wp8_10.png - DIRECT/125.99.127.201 image/png
1350983290.214   2348 192.168.0.254 TCP_MISS/200 32779 GET http://www.htc.com/managed-assets/images/home-page/marquee/wp-8x-360/blue/wp8_26.png - DIRECT/125.99.127.209 image/png
1350983290.553   3932 192.168.0.254 TCP_MISS/200 66018 GET http://www.htc.com/managed-assets/images/home-page/marquee/wp-8x-360/blue/wp8_17.png - DIRECT/125.99.127.201 image/png
1350983291.331    777 192.168.0.254 TCP_MISS/200 830 GET http://metrics.htc.com/b/ss/htcww-en-prod,htcglobal-prod/1/H.25.2T/s3457431454036? - DIRECT/66.235.142.3 image/gif
1350983291.525   3197 192.168.0.254 TCP_MISS/200 79093 GET http://www.htc.com/managed-assets/images/home-page/marquee/wp-8x-360/blue/wp8_01.png - DIRECT/125.99.127.209 image/png
1350983292.021   1806 192.168.0.254 TCP_MISS/200 32147 GET http://www.htc.com/managed-assets/images/home-page/marquee/wp-8x-360/blue/wp8_28.png - DIRECT/125.99.127.209 image/png
1350983292.572   2529 192.168.0.254 TCP_MISS/200 66253 GET http://www.htc.com/managed-assets/images/home-page/marquee/wp-8x-360/blue/wp8_19.png - DIRECT/125.99.127.201 image/png
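To answer "who visited XYZ?" without eyeballing tail output, here is an added example (not code from the original post) that parses the native access.log format and summarizes it per client and host. The three SAMPLE_LOG lines are copied from the tail output above; the field names and the handling of CONNECT entries (logged as host:port with no scheme) are my own assumptions about the format.

```python
"""Who visited which site? A parser for Squid's native access.log.

Added example, not from the original post. SAMPLE_LOG is copied from the
post's tail output; FIELDS and the CONNECT host rule are assumptions.
"""
from collections import Counter, defaultdict
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Native access.log layout, whitespace separated:
# time(epoch.ms) duration(ms) client result/status bytes method url user hierarchy/peer content-type
FIELDS = ("time", "duration_ms", "client", "result", "bytes",
          "method", "url", "user", "hierarchy", "content_type")

SAMPLE_LOG = """\
1350983287.130   2452 192.168.0.254 TCP_MISS/200 83569 GET http://www.htc.com/managed-assets/images/home-page/marquee/wp-8x-360/blue/wp8_35.png - DIRECT/125.99.127.201 image/png
1350983291.331    777 192.168.0.254 TCP_MISS/200 830 GET http://metrics.htc.com/b/ss/htcww-en-prod,htcglobal-prod/1/H.25.2T/s3457431454036? - DIRECT/66.235.142.3 image/gif
1350983292.572   2529 192.168.0.254 TCP_MISS/200 66253 GET http://www.htc.com/managed-assets/images/home-page/marquee/wp-8x-360/blue/wp8_19.png - DIRECT/125.99.127.201 image/png
"""


def host_of(url):
    """Hostname of a logged URL. CONNECT requests are logged as host:port with no scheme."""
    if "://" in url:
        return urlsplit(url).hostname or ""
    return url.rsplit(":", 1)[0]


def parse_line(line):
    """Split one access.log line into a dict; return None for lines that do not fit the format."""
    parts = line.split()
    if len(parts) < len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts[:len(FIELDS)]))
    try:
        rec["time"] = datetime.fromtimestamp(float(rec["time"]), tz=timezone.utc)
        rec["duration_ms"] = int(rec["duration_ms"])
        rec["bytes"] = int(rec["bytes"])
        cache_result, _, status = rec.pop("result").partition("/")
        rec["cache_result"], rec["status"] = cache_result, int(status)
    except ValueError:
        return None
    rec["host"] = host_of(rec["url"])
    return rec


def parse_log(text):
    """Parse every well-formed line of an access.log body, skipping the rest."""
    return [rec for rec in map(parse_line, text.splitlines()) if rec]


def visitors_of(records, host):
    """Answer 'who visited XYZ?': client IP -> number of requests to that host."""
    return Counter(r["client"] for r in records if r["host"] == host)


def bytes_per_client_host(records):
    """client IP -> {host: bytes served}, a per-user summary of where traffic went."""
    out = defaultdict(Counter)
    for r in records:
        out[r["client"]][r["host"]] += r["bytes"]
    return out


if __name__ == "__main__":
    import sys
    # Pass a real /var/log/squid/access.log as argv[1]; otherwise use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    records = parse_log(text)
    for client, hosts in bytes_per_client_host(records).items():
        for host, nbytes in hosts.most_common():
            print(f"{client:15} {host:30} {nbytes:>10} bytes")
```

Run it against /var/log/squid/access.log on the proxy; the timestamps are converted to UTC, so compare against other hosts' logs accordingly. Lines that do not parse are dropped rather than crashing the report, which matters when a log is partially rotated or truncated.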

Squid Forensics :
----------------------
http://philosecurity.org/2009/04/19/squid-forensics
Where in the cache is the file xyz.jpg stored?
------------------------------------------
grep -r "xyz.jpg" /var/spool/squid/    --> recursive search; Squid writes the object's URL into the metadata at the head of each swap file, so the match is the cached object itself

To monitor and display the Squid logs in a nicer fashion, and then go deeper with searching and reporting functions --> squidview
Squidview Tool   : http://www.rillion.net/squidview/
Sarg tool        : http://sarg.sourceforge.net/sarg.php

Squidview :
---------------
1. wget http://www.rillion.net/squidview/squidview-0.79.tar.gz
2. tar -zxvf squidview-0.79.tar.gz
3. cd squidview-0.79/
4. ./configure
5. make
6. cp Makefile.old Makefile
7. make oldgcc
Launch squidview : ./squidview


Best Regards,
Girish

Snort Tutorials

Snort Tutorial :
-------------------

3 Basic Modes :
--------------------
1. Sniffer Mode
2. Packet Logger Mode (Logs Packets to disk)
3. Network Intrusion Detection System (NIDS) mode: analyzes network traffic according to the rules defined by the user.

Sniffer Mode :
------------------
[root@universe rules]# snort -v
10/23-16:53:37.964423 192.168.0.104:22 -> 192.168.0.102:51490
TCP TTL:64 TOS:0x10 ID:9175 IpLen:20 DgmLen:712 DF
***AP*** Seq: 0xE9BBEF63  Ack: 0x7C361CE8  Win: 0x4B60  TcpLen: 32
TCP Options (3) => NOP NOP TS: 2482891 2406025
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
10/23-16:53:37.964504 192.168.0.104:22 -> 192.168.0.102:51490
TCP TTL:64 TOS:0x10 ID:9176 IpLen:20 DgmLen:360 DF
***AP*** Seq: 0xE9BBF1F7  Ack: 0x7C361CE8  Win: 0x4B60  TcpLen: 32
TCP Options (3) => NOP NOP TS: 2482891 2406025
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+


Display packet data + Headers :
---------------------------------
[root@universe rules]# snort -vd
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
10/23-16:55:25.083474 192.168.0.104:22 -> 192.168.0.102:51490
TCP TTL:64 TOS:0x10 ID:10322 IpLen:20 DgmLen:168 DF
***AP*** Seq: 0xE9C66BA7  Ack: 0x7C364A68  Win: 0x4B60  TcpLen: 32
TCP Options (3) => NOP NOP TS: 2509669 2416736
87 45 00 A3 DC 71 91 72 AE 1E 8B B0 A6 A6 2E 56  .E...q.r.......V
9A 29 BE 45 64 80 28 71 5C 46 02 FF 52 FF 54 8B  .).Ed.(q\F..R.T.
51 39 5D B0 3E 14 BA 5D 99 27 FA 89 D8 0C DC EC  Q9].>..].'......
46 5A 27 29 DB DA E4 20 00 3B 93 3A C6 A4 43 A9  FZ')... .;.:..C.
E9 99 30 EC 69 5B 83 8D 46 9D DF FA C8 93 F9 04  ..0.i[..F.......
A4 02 28 33 4F CF 2D 15 EB 48 1D 55 C7 17 20 2A  ..(3O.-..H.U.. *
F3 58 C7 73 EA A5 2D 3F 66 82 64 F3 AE 76 C3 42  .X.s..-?f.d..v.B
C8 52 A5 88                                      .R..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
10/23-16:55:25.084084 192.168.0.104:22 -> 192.168.0.102:51490
TCP TTL:64 TOS:0x10 ID:10323 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0xE9C66C1B  Ack: 0x7C364A68  Win: 0x4B60  TcpLen: 32
TCP Options (3) => NOP NOP TS: 2509669 2416736
46 18 30 B7 BD 5C A8 16 E8 38 87 49 A7 CA DF 6C  F.0..\...8.I...l
AD 79 02 5F 17 A5 AF 17 6D 66 F6 E0 1F 3C 5B F9  .y._....mf...<[.
47 D4 CD 3C 62 03 D6 09 FB B3 B2 F5 4F 10 3C 05  G..<b......O.<.
34 BA 04 EB 0C EF 2A 7D 79 63 AE 3B AB 22 DE 2E  4.....*}yc.;."..
CE 79 D1 FB                                      .y..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Main command-line options :
--------------------
snort -v                 --> Headers
snort -dv                --> Headers + packet data
snort -dev               --> Headers + packet data + data link layer
snort -dev -l ./log      --> -l specifies the log directory
snort -dev -l ./log -h 192.168.0.0/24   --> -h sets the home network; logs are filed by the non-home address
snort -dev -l ./log -b   --> Binary (tcpdump/pcap format) logging
snort -dev -r packet.log --> Read packets back from a capture file with -r


Links :
----------
http://seclists.org/snort/2010/q4/533

How to create your own Snort rules :
--------------------------------------
SQL injection is becoming a very common attack on websites; we can detect attempts on an IDS like Snort.
We need a signature for the most common SQL injection queries, as they actually appear on the wire.
Ex.
' or 1=1--  -->  %27+or+1%3D1--   (the URL-encoded form a browser sends)
Rule for the attack :
--------------------
alert tcp any any -> any any (content:"%27+or+1%3D1--";msg:"Dude Someone is performing SQL INJECTION";sid:1000003;rev:1;)

Content = %27+or+1%3D1--  (a case-sensitive byte match on the raw payload)
msg     = Message you want to display
sid     = Unique ID assigned to this rule (local rules use sid 1000000 and above; lower values are reserved for distributed rules)
sid & rev uniquely identify the rule; bump rev whenever the rule is changed

Caveat: the content match is literal, so '%20or%201=1--, %27+OR+1%3D1-- or a mixed encoding of the same payload slips past this rule. Snort's http_inspect preprocessor normalizes the URI for you; matching the decoded string with the http_uri and nocase modifiers is the more robust form, and pointing the rule at the web server's port instead of any any cuts down on noise.
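To make the encoding caveat concrete, here is an added example (not from the post and not Snort code) that re-implements the two matching strategies in plain Python and runs them over a handful of constructed HTTP requests: the raw byte match the rule above performs, and a match against the percent-decoded URI with case folding, which is roughly what content with the http_uri and nocase modifiers does once http_inspect has normalized the request. Python's unquote_plus is a stand-in for that normalization; the exact decodings Snort applies depend on the http_inspect_server options in snort.conf, and treating "+" as a space is part of the stand-in, not a Snort guarantee.

```python
"""Raw content match vs. normalized-URI match for the ' or 1=1-- signature.

Added example, not from the original post or from Snort. REQUESTS are
constructed; unquote_plus approximates http_inspect's URI normalization.
"""
from urllib.parse import unquote_plus

RAW_CONTENT = b"%27+or+1%3D1--"      # exactly what the page's rule looks for
NORMALIZED_CONTENT = "' or 1=1--"    # the same payload after URI decoding

# Constructed requests: the same injection in four encodings, plus one benign request.
REQUESTS = [
    b"GET /item?id=1%27+or+1%3D1-- HTTP/1.1\r\nHost: shop.example\r\n\r\n",    # browser form encoding
    b"GET /item?id=1'%20or%201=1-- HTTP/1.1\r\nHost: shop.example\r\n\r\n",    # %20 instead of +, quote unencoded
    b"GET /item?id=1%27%20or%201%3D1-- HTTP/1.1\r\nHost: shop.example\r\n\r\n",  # everything percent-encoded
    b"GET /item?id=1%27+OR+1%3D1-- HTTP/1.1\r\nHost: shop.example\r\n\r\n",    # upper-case OR
    b"GET /item?id=42 HTTP/1.1\r\nHost: shop.example\r\n\r\n",                  # benign
]


def raw_content_match(packet, needle=RAW_CONTENT):
    """Snort `content:` with no modifiers: a case-sensitive byte search over the payload."""
    return needle in packet


def request_uri(packet):
    """Pull the request-target out of the first line of an HTTP request (empty if malformed)."""
    first_line = packet.split(b"\r\n", 1)[0]
    parts = first_line.split(b" ")
    return parts[1].decode("latin-1") if len(parts) >= 2 else ""


def normalized_uri_match(packet, needle=NORMALIZED_CONTENT):
    """Match after percent-decoding the URI and folding case, roughly
    `content:"..."; http_uri; nocase;` behind http_inspect."""
    return needle.lower() in unquote_plus(request_uri(packet)).lower()


def coverage(requests):
    """Count how many of the requests each strategy flags: (raw_hits, normalized_hits)."""
    raw = sum(raw_content_match(p) for p in requests)
    norm = sum(normalized_uri_match(p) for p in requests)
    return raw, norm


if __name__ == "__main__":
    for packet in REQUESTS:
        print(f"raw={raw_content_match(packet)!s:5} normalized={normalized_uri_match(packet)!s:5} "
              f"{request_uri(packet)}")
    print("coverage (raw, normalized):", coverage(REQUESTS))
```

Of the four malicious requests, only the first is caught by the raw byte match, while the normalized match catches all four and still ignores the benign request. The lesson carries over to the Snort rule: write the signature in decoded form (a quote can be given as |27| in Snort content syntax) and let the preprocessor do the decoding, rather than enumerating encodings by hand.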

Implement Rule in Snort :
-------------------------------
1. vi sqlinjection.rules     (I created this file /etc/snort/rules )
2. alert tcp any any -> any any (content:"%27+or+1%3D1--";msg:"Dude Someone is performing SQL INJECTION";sid:1000003;rev:1;)
3. Save and Exit
4. vi /etc/snort/snort.conf
5. Edit As Below :
   ----------------------------------
   include $RULE_PATH/youtube.rules
   include $RULE_PATH/sqlinjection.rules
   ----------------------------------
   In our case $RULE_PATH is /etc/snort/rules/ (set with var RULE_PATH in snort.conf)
6. Save and Exit

7. snort -v -i eth0 -l . -c /etc/snort/snort.conf --snaplen 1518 
-l .             --> Save files in the current directory
-c               --> Snort configuration file
--snaplen 1518   --> Capture up to 1518 bytes per packet (a full Ethernet frame); see "Why we used --snaplen" below

8. Execute attack on client machine
 
Snort Output :
-----------------
Action Stats:
     Alerts:            5 (  0.074%)   --> The attack was caught
     Logged:            5 (  0.074%)
     Passed:            0 (  0.000%)

9. Check file alert in current directory
[root@universe rules]# pwd
/etc/snort/rules
[root@universe rules]# cat alert
[**] [1:1000003:1] Dude Someone is performing SQL INJECTION [**]
[Priority: 0]
10/23-20:05:06.145217 192.168.0.101:45670 -> 192.168.0.13:8080
TCP TTL:64 TOS:0x0 ID:2665 IpLen:20 DgmLen:332 DF
***AP*** Seq: 0x6564F124  Ack: 0x28B08D67  Win: 0x2E  TcpLen: 32
TCP Options (3) => NOP NOP TS: 42526540 5354755
[**] [1:1000003:1] Dude Someone is performing SQL INJECTION [**]
[Priority: 0]
10/23-20:05:06.230814 192.168.0.104:28692 -> 220.226.205.30:80
TCP TTL:64 TOS:0x0 ID:41431 IpLen:20 DgmLen:260 DF
***AP*** Seq: 0x29121933  Ack: 0x43B3A536  Win: 0x2E  TcpLen: 32
TCP Options (3) => NOP NOP TS: 5354776 23618074

Now we have all the information we need about the ongoing attack: source and destination addresses and ports, and the rule that fired.


Why we used --snaplen ??
------------------------------
Command : snort -V
My current Snort version : 2.9.0.5
When I used snort without the --snaplen option I was not able to collect alerts, nor was any alert file generated.
With reference to : http://seclists.org/snort/2010/q4/533
The IPQ and NFQ DAQs had an internal buffer limitation that is fixed in the latest release.




Will be adding more soon.....

Best Regards,
Girish

Installation Snort IDS for FUN in 2 Minutes

Hello Friends,


As a beginner I struggled to run Snort IDS (Intrusion Detection System) on my personal RHEL 5 box.

It is absolutely easy, but it was not for me on RHEL 5 especially, due to dependencies.


Snort Download Link                                 : http://www.snort.org/snort-downloads

RHEL5, Cent OS 5.5, or Fedora Core 11 : http://www.snort.org/snort-downloads/rhel5/


My Snort Version : Snort 2.9.0

Linux Kernel        : 2.6.18-8.el5xen

Linux OS             : RHEL 5


I am uploading all the required dependencies for Snort 2.9.0 here; you need to follow a few simple steps to install Snort in 2 minutes.

After installation comes the great part: the IDS world!

Snort tutorials will be added soon!

Best Regards,
Girish