Thursday, August 26, 2010

Vortex Howto Series: Demo VM Image

(Updated 10/16/2010) Doug Burks just informed me that he's included vortex in his Security Onion LiveCD. See comments. In many ways, this is probably a superior way to kick the tires on vortex, because if you run it on real hardware with multiple cores you can actually see the benefits of parallelism. You can also easily and directly compare vortex to full IDS platforms like Snort or Bro, as well as to other smaller utilities like tcpick (vortex hopefully providing some value add somewhere). Note that Security Onion Live doesn't include libBSF, but most people don't use that extensively anyway. I gave Security Onion Live a quick test drive and highly recommend it. The VM image below will remain available for (slow) download in the event anyone finds it useful.

In order to make vortex, and especially my vortex howto series, more accessible, I've created a VMware image. The image is a basic install of CentOS with all the prerequisites for the vortex howto series installed, including the HTML instructions for offline reading. Only the small pcaps are included, but scripts that download the other data sets are included as well.

The intent is to make a basic demonstration of vortex very easy. It's as easy as I dare make it. I've tested the content from installments 1 and 2, which were very easy to execute. Unfortunately, installments 3 and, especially, 4 are difficult to demonstrate in the VM due to the small number of processor cores, the use of 32-bit for portability, etc.

The image can be downloaded here. Please excuse the slow download rates. See the included README for more details.

One erratum I've already noticed is that to install the DEF CON data set using the script provided, you'll need to install ctorrent, e.g. sudo yum install ctorrent. Also, I seemed to have trouble using mergecap to create the whole 7 GB pcap file for DEF CON. It fails at the 2 GB mark, but this amount of data should be adequate for demonstration purposes anyway.
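If you would rather keep the full DEF CON data set than stop at the first 2 GB, one workaround is to merge the captures into several output files that each stay under that mark. The script below is an added example for this post, not a script shipped with vortex or the demo VM. It treats 2 GiB as a hard per-output limit, which is an assumption drawn from the symptom described above rather than a documented mergecap limit, and it assumes mergecap (from Wireshark) is on the PATH; the file names and sizes in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example for this post; not code from vortex or the demo VM.
# Plan and run a mergecap merge as several outputs that each stay below a
# size limit, for the case where one big merge fails partway through.
# The 2 GiB figure is an assumption taken from the failure described in the
# post, not a documented mergecap limit.

LIMIT_2GIB=2147483648

# Print batches of input files, one batch per line (space separated, so
# file names must not contain spaces), with each batch's total size below
# LIMIT bytes. A single file at or over the limit is reported on stderr
# and skipped, since it could not be merged under the limit at all.
# Usage: plan_merge_batches LIMIT_BYTES file...
plan_merge_batches() {
    limit=$1; shift
    batch=""; total=0
    for f in "$@"; do
        size=$(wc -c < "$f" | tr -d ' ')
        if [ "$size" -ge "$limit" ]; then
            echo "skip: $f is $size bytes, at or over the $limit byte limit" >&2
            continue
        fi
        if [ -n "$batch" ] && [ $((total + size)) -ge "$limit" ]; then
            echo "$batch"
            batch=""; total=0
        fi
        batch="${batch:+$batch }$f"
        total=$((total + size))
    done
    [ -n "$batch" ] && echo "$batch"
    return 0
}

# Merge each batch with mergecap into PREFIX-1.pcap, PREFIX-2.pcap, ...
# and print the names of the files written. The merge tool can be
# overridden through $MERGECAP (handy for testing without Wireshark).
# Usage: merge_in_batches PREFIX LIMIT_BYTES file...
merge_in_batches() {
    prefix=$1; limit=$2; shift 2
    n=0
    plan_merge_batches "$limit" "$@" | while read -r files; do
        n=$((n + 1))
        outfile="$prefix-$n.pcap"
        # $files is deliberately unquoted: it holds one batch of file names.
        "${MERGECAP:-mergecap}" -w "$outfile" $files || return 1
        echo "$outfile"
    done
}

# Typical use on the demo VM (placeholder paths, not run here): produce
# defcon-1.pcap, defcon-2.pcap, ... instead of one 7 GB file.
#   merge_in_batches defcon "$LIMIT_2GIB" defcon/*.pcap
```

Each output is a complete, independently readable capture, so the vortex howto steps that take a pcap argument can simply be run once per part.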

Nergal uncovers another cool 'sploit

I'm really happy to see that Rafal Wojtczuk has gotten a fair amount of press, including a mention on slashdot, for his recent disclosure of a vulnerability allowing execution of code with root privileges. It's not the first of this sort for him and hopefully not the last.

Rafal is the primary developer and maintainer of libnids, the library on which vortex is based. My only contact with Rafal was a short email thread seeking help with libnids: he was most helpful.

Go Nergal!