Archive

Archive for April, 2010

Richard Clarke sucks [updated]

April 23rd, 2010 1 comment

Today I read a review on Threat Level tearing apart Richard Clarke’s new pile of hardbound bullshit.  I really hate Richard Clarke.  At least when it comes to cyber-anything, he’s full of shit and I don’t know why anyone considers him any kind of expert.

Rather than my usual obscene rant, I’m just going to provide some choice video clips.  These are my two favorite segments from the PBS Frontline titled “Cyberwar” from a few years ago.

Update:  I found a photographic record of Richard Clarke and his brave three hundred pushing enemy packets off the edge of the internet.

"Those packets look thirsty, boys!"

Categories: Books, FAIL

Sguil database schema

April 7th, 2010 Comments off

I can’t find this anywhere else, so I’m just going to quickly throw it up here. These are the tables and columns of a Sguil database. I think there are some extra tables (nessus, etc.) because this is from running a SecurityOnion live CD which uses NSMNow to do the Sguil setup.  Also Sguil seems to copy the following tables for each date and sensor: data, event, icmphdr, sancp, tcphdr, and udphdr, e.g. each day it will make data_sensorname_20100407.

Database: server1_db
+--------------------------+
|          Tables          |
+--------------------------+
| data                     |
| event                    |
| history                  |
| icmphdr                  |
| nessus                   |
| nessus_data              |
| pads                     |
| portscan                 |
| sancp                    |
| sensor                   |
| status                   |
| tcphdr                   |
| udphdr                   |
| user_info                |
| version                  |
+--------------------------+
Database: server1_db  Table: data
+--------------+------------------+-------------------+------+-----+---------+-------+---------------------------------+---------+
| Field        | Type             | Collation         | Null | Key | Default | Extra | Privileges                      | Comment |
+--------------+------------------+-------------------+------+-----+---------+-------+---------------------------------+---------+
| sid          | int(10) unsigned |                   | NO   | MUL |         |       | select,insert,update,references |         |
| cid          | int(10) unsigned |                   | NO   |     |         |       | select,insert,update,references |         |
| data_payload | text             | latin1_swedish_ci | YES  |     |         |       | select,insert,update,references |         |
+--------------+------------------+-------------------+------+-----+---------+-------+---------------------------------+---------+
Database: server1_db  Table: event
+-------------------+----------------------+-------------------+------+-----+---------+-------+---------------------------------+---------+
| Field             | Type                 | Collation         | Null | Key | Default | Extra | Privileges                      | Comment |
+-------------------+----------------------+-------------------+------+-----+---------+-------+---------------------------------+---------+
| sid               | int(10) unsigned     |                   | NO   | MUL |         |       | select,insert,update,references |         |
| cid               | int(10) unsigned     |                   | NO   |     |         |       | select,insert,update,references |         |
| signature         | varchar(255)         | latin1_swedish_ci | NO   | MUL |         |       | select,insert,update,references |         |
| signature_gen     | int(10) unsigned     |                   | NO   |     |         |       | select,insert,update,references |         |
| signature_id      | int(10) unsigned     |                   | NO   |     |         |       | select,insert,update,references |         |
| signature_rev     | int(10) unsigned     |                   | NO   |     |         |       | select,insert,update,references |         |
| timestamp         | datetime             |                   | NO   | MUL |         |       | select,insert,update,references |         |
| unified_event_id  | int(10) unsigned     |                   | YES  |     |         |       | select,insert,update,references |         |
| unified_event_ref | int(10) unsigned     |                   | YES  |     |         |       | select,insert,update,references |         |
| unified_ref_time  | datetime             |                   | YES  |     |         |       | select,insert,update,references |         |
| priority          | int(10) unsigned     |                   | YES  |     |         |       | select,insert,update,references |         |
| class             | varchar(20)          | latin1_swedish_ci | YES  |     |         |       | select,insert,update,references |         |
| status            | smallint(5) unsigned |                   | YES  | MUL | 0       |       | select,insert,update,references |         |
| src_ip            | int(10) unsigned     |                   | YES  | MUL |         |       | select,insert,update,references |         |
| dst_ip            | int(10) unsigned     |                   | YES  | MUL |         |       | select,insert,update,references |         |
| src_port          | int(10) unsigned     |                   | YES  | MUL |         |       | select,insert,update,references |         |
| dst_port          | int(10) unsigned     |                   | YES  | MUL |         |       | select,insert,update,references |         |
| icmp_type         | tinyint(3) unsigned  |                   | YES  | MUL |         |       | select,insert,update,references |         |
| icmp_code         | tinyint(3) unsigned  |                   | YES  | MUL |         |       | select,insert,update,references |         |
| ip_proto          | tinyint(3) unsigned  |                   | YES  |     |         |       | select,insert,update,references |         |
| ip_ver            | tinyint(3) unsigned  |                   | YES  |     |         |       | select,insert,update,references |         |
| ip_hlen           | tinyint(3) unsigned  |                   | YES  |     |         |       | select,insert,update,references |         |
| ip_tos            | tinyint(3) unsigned  |                   | YES  |     |         |       | select,insert,update,references |         |
| ip_len            | smallint(5) unsigned |                   | YES  |     |         |       | select,insert,update,references |         |
| ip_id             | smallint(5) unsigned |                   | YES  |     |         |       | select,insert,update,references |         |
| ip_flags          | tinyint(3) unsigned  |                   | YES  |     |         |       | select,insert,update,references |         |
| ip_off            | smallint(5) unsigned |                   | YES  |     |         |       | select,insert,update,references |         |
| ip_ttl            | tinyint(3) unsigned  |                   | YES  |     |         |       | select,insert,update,references |         |
| ip_csum           | smallint(5) unsigned |                   | YES  |     |         |       | select,insert,update,references |         |
| last_modified     | datetime             |                   | YES  | MUL |         |       | select,insert,update,references |         |
| last_uid          | int(10) unsigned     |                   | YES  |     |         |       | select,insert,update,references |         |
| abuse_queue       | enum('Y','N')        | latin1_swedish_ci | YES  |     |         |       | select,insert,update,references |         |
| abuse_sent        | enum('Y','N')        | latin1_swedish_ci | YES  |     |         |       | select,insert,update,references |         |
+-------------------+----------------------+-------------------+------+-----+---------+-------+---------------------------------+---------+
Database: server1_db  Table: history
+-----------+----------------------+-------------------+------+-----+---------+-------+---------------------------------+---------+
| Field     | Type                 | Collation         | Null | Key | Default | Extra | Privileges                      | Comment |
+-----------+----------------------+-------------------+------+-----+---------+-------+---------------------------------+---------+
| sid       | int(10) unsigned     |                   | NO   |     |         |       | select,insert,update,references |         |
| cid       | int(10) unsigned     |                   | NO   |     |         |       | select,insert,update,references |         |
| uid       | int(10) unsigned     |                   | NO   |     |         |       | select,insert,update,references |         |
| timestamp | datetime             |                   | NO   | MUL |         |       | select,insert,update,references |         |
| status    | smallint(5) unsigned |                   | NO   |     |         |       | select,insert,update,references |         |
| comment   | varchar(255)         | latin1_swedish_ci | YES  |     |         |       | select,insert,update,references |         |
+-----------+----------------------+-------------------+------+-----+---------+-------+---------------------------------+---------+
Database: server1_db  Table: icmphdr
+-----------+----------------------+-----------+------+-----+---------+-------+---------------------------------+---------+
| Field     | Type                 | Collation | Null | Key | Default | Extra | Privileges                      | Comment |
+-----------+----------------------+-----------+------+-----+---------+-------+---------------------------------+---------+
| sid       | int(10) unsigned     |           | NO   | MUL |         |       | select,insert,update,references |         |
| cid       | int(10) unsigned     |           | NO   |     |         |       | select,insert,update,references |         |
| icmp_csum | smallint(5) unsigned |           | YES  |     |         |       | select,insert,update,references |         |
| icmp_id   | smallint(5) unsigned |           | YES  |     |         |       | select,insert,update,references |         |
| icmp_seq  | smallint(5) unsigned |           | YES  |     |         |       | select,insert,update,references |         |
+-----------+----------------------+-----------+------+-----+---------+-------+---------------------------------+---------+
Database: server1_db  Table: nessus
+-----------+-------------+-------------------+------+-----+---------+-------+---------------------------------+---------+
| Field     | Type        | Collation         | Null | Key | Default | Extra | Privileges                      | Comment |
+-----------+-------------+-------------------+------+-----+---------+-------+---------------------------------+---------+
| uid       | int(11)     |                   | NO   |     |         |       | select,insert,update,references |         |
| rid       | varchar(40) | latin1_swedish_ci | NO   | PRI |         |       | select,insert,update,references |         |
| ip        | varchar(15) | latin1_swedish_ci | NO   | MUL |         |       | select,insert,update,references |         |
| timestart | datetime    |                   | YES  |     |         |       | select,insert,update,references |         |
| timeend   | datetime    |                   | YES  |     |         |       | select,insert,update,references |         |
+-----------+-------------+-------------------+------+-----+---------+-------+---------------------------------+---------+
Database: server1_db  Wildcard: nessus_data
+-------------+
|   Tables    |
+-------------+
| nessus_data |
+-------------+
Database: server1_db  Table: pads
+-------------+---------------------+-------------------+------+-----+---------+-------+---------------------------------+---------+
| Field       | Type                | Collation         | Null | Key | Default | Extra | Privileges                      | Comment |
+-------------+---------------------+-------------------+------+-----+---------+-------+---------------------------------+---------+
| hostname    | varchar(255)        | latin1_swedish_ci | NO   |     |         |       | select,insert,update,references |         |
| sid         | int(10) unsigned    |                   | NO   | PRI |         |       | select,insert,update,references |         |
| asset_id    | int(10) unsigned    |                   | NO   | PRI |         |       | select,insert,update,references |         |
| timestamp   | datetime            |                   | NO   |     |         |       | select,insert,update,references |         |
| ip          | int(10) unsigned    |                   | NO   |     |         |       | select,insert,update,references |         |
| service     | varchar(40)         | latin1_swedish_ci | NO   |     |         |       | select,insert,update,references |         |
| port        | int(10) unsigned    |                   | NO   |     |         |       | select,insert,update,references |         |
| ip_proto    | tinyint(3) unsigned |                   | NO   |     |         |       | select,insert,update,references |         |
| application | varchar(255)        | latin1_swedish_ci | NO   |     |         |       | select,insert,update,references |         |
| hex_payload | varchar(255)        | latin1_swedish_ci | YES  |     |         |       | select,insert,update,references |         |
+-------------+---------------------+-------------------+------+-----+---------+-------+---------------------------------+---------+
Database: server1_db  Table: portscan
+-----------+------------------+-------------------+------+-----+---------+-------+---------------------------------+---------+
| Field     | Type             | Collation         | Null | Key | Default | Extra | Privileges                      | Comment |
+-----------+------------------+-------------------+------+-----+---------+-------+---------------------------------+---------+
| hostname  | varchar(255)     | latin1_swedish_ci | YES  |     |         |       | select,insert,update,references |         |
| timestamp | datetime         |                   | YES  | MUL |         |       | select,insert,update,references |         |
| src_ip    | varchar(16)      | latin1_swedish_ci | YES  | MUL |         |       | select,insert,update,references |         |
| src_port  | int(10) unsigned |                   | YES  |     |         |       | select,insert,update,references |         |
| dst_ip    | varchar(16)      | latin1_swedish_ci | YES  |     |         |       | select,insert,update,references |         |
| dst_port  | int(10) unsigned |                   | YES  |     |         |       | select,insert,update,references |         |
| data      | text             | latin1_swedish_ci | YES  |     |         |       | select,insert,update,references |         |
+-----------+------------------+-------------------+------+-----+---------+-------+---------------------------------+---------+
Database: server1_db  Table: sancp
+------------+----------------------+-----------+------+-----+---------+-------+---------------------------------+---------+
| Field      | Type                 | Collation | Null | Key | Default | Extra | Privileges                      | Comment |
+------------+----------------------+-----------+------+-----+---------+-------+---------------------------------+---------+
| sid        | int(10) unsigned     |           | NO   | MUL |         |       | select,insert,update,references |         |
| sancpid    | bigint(20) unsigned  |           | NO   |     |         |       | select,insert,update,references |         |
| start_time | datetime             |           | NO   | MUL |         |       | select,insert,update,references |         |
| end_time   | datetime             |           | NO   |     |         |       | select,insert,update,references |         |
| duration   | int(10) unsigned     |           | NO   |     |         |       | select,insert,update,references |         |
| ip_proto   | tinyint(3) unsigned  |           | NO   |     |         |       | select,insert,update,references |         |
| src_ip     | int(10) unsigned     |           | YES  | MUL |         |       | select,insert,update,references |         |
| src_port   | smallint(5) unsigned |           | YES  | MUL |         |       | select,insert,update,references |         |
| dst_ip     | int(10) unsigned     |           | YES  | MUL |         |       | select,insert,update,references |         |
| dst_port   | smallint(5) unsigned |           | YES  | MUL |         |       | select,insert,update,references |         |
| src_pkts   | int(10) unsigned     |           | NO   |     |         |       | select,insert,update,references |         |
| src_bytes  | int(10) unsigned     |           | NO   |     |         |       | select,insert,update,references |         |
| dst_pkts   | int(10) unsigned     |           | NO   |     |         |       | select,insert,update,references |         |
| dst_bytes  | int(10) unsigned     |           | NO   |     |         |       | select,insert,update,references |         |
| src_flags  | tinyint(3) unsigned  |           | NO   |     |         |       | select,insert,update,references |         |
| dst_flags  | tinyint(3) unsigned  |           | NO   |     |         |       | select,insert,update,references |         |
+------------+----------------------+-----------+------+-----+---------+-------+---------------------------------+---------+
Database: server1_db  Table: sensor
+-------------+------------------+-------------------+------+-----+-------------------+----------------+---------------------------------+---------+
| Field       | Type             | Collation         | Null | Key | Default           | Extra          | Privileges                      | Comment |
+-------------+------------------+-------------------+------+-----+-------------------+----------------+---------------------------------+---------+
| sid         | int(10) unsigned |                   | NO   | PRI |                   | auto_increment | select,insert,update,references |         |
| hostname    | varchar(255)     | latin1_swedish_ci | NO   | MUL |                   |                | select,insert,update,references |         |
| agent_type  | varchar(40)      | latin1_swedish_ci | YES  |     |                   |                | select,insert,update,references |         |
| net_name    | varchar(40)      | latin1_swedish_ci | YES  |     |                   |                | select,insert,update,references |         |
| interface   | varchar(255)     | latin1_swedish_ci | YES  |     |                   |                | select,insert,update,references |         |
| description | text             | latin1_swedish_ci | YES  |     |                   |                | select,insert,update,references |         |
| bpf_filter  | text             | latin1_swedish_ci | YES  |     |                   |                | select,insert,update,references |         |
| updated     | timestamp        |                   | NO   |     | CURRENT_TIMESTAMP |                | select,insert,update,references |         |
| active      | enum('Y','N')    | latin1_swedish_ci | YES  |     | Y                 |                | select,insert,update,references |         |
| ip          | varchar(15)      | latin1_swedish_ci | YES  |     |                   |                | select,insert,update,references |         |
| public_key  | varchar(255)     | latin1_swedish_ci | YES  |     |                   |                | select,insert,update,references |         |
+-------------+------------------+-------------------+------+-----+-------------------+----------------+---------------------------------+---------+
Database: server1_db  Table: status
+-------------+----------------------+-------------------+------+-----+---------+-------+---------------------------------+---------+
| Field       | Type                 | Collation         | Null | Key | Default | Extra | Privileges                      | Comment |
+-------------+----------------------+-------------------+------+-----+---------+-------+---------------------------------+---------+
| status_id   | smallint(5) unsigned |                   | NO   | PRI |         |       | select,insert,update,references |         |
| description | varchar(255)         | latin1_swedish_ci | NO   |     |         |       | select,insert,update,references |         |
| long_desc   | varchar(255)         | latin1_swedish_ci | YES  |     |         |       | select,insert,update,references |         |
+-------------+----------------------+-------------------+------+-----+---------+-------+---------------------------------+---------+
Database: server1_db  Table: tcphdr
+-----------+----------------------+-----------+------+-----+---------+-------+---------------------------------+---------+
| Field     | Type                 | Collation | Null | Key | Default | Extra | Privileges                      | Comment |
+-----------+----------------------+-----------+------+-----+---------+-------+---------------------------------+---------+
| sid       | int(10) unsigned     |           | NO   | MUL |         |       | select,insert,update,references |         |
| cid       | int(10) unsigned     |           | NO   |     |         |       | select,insert,update,references |         |
| tcp_seq   | int(10) unsigned     |           | YES  |     |         |       | select,insert,update,references |         |
| tcp_ack   | int(10) unsigned     |           | YES  |     |         |       | select,insert,update,references |         |
| tcp_off   | tinyint(3) unsigned  |           | YES  |     |         |       | select,insert,update,references |         |
| tcp_res   | tinyint(3) unsigned  |           | YES  |     |         |       | select,insert,update,references |         |
| tcp_flags | tinyint(3) unsigned  |           | YES  |     |         |       | select,insert,update,references |         |
| tcp_win   | smallint(5) unsigned |           | YES  |     |         |       | select,insert,update,references |         |
| tcp_csum  | smallint(5) unsigned |           | YES  |     |         |       | select,insert,update,references |         |
| tcp_urp   | smallint(5) unsigned |           | YES  |     |         |       | select,insert,update,references |         |
+-----------+----------------------+-----------+------+-----+---------+-------+---------------------------------+---------+
Database: server1_db  Table: udphdr
+----------+----------------------+-----------+------+-----+---------+-------+---------------------------------+---------+
| Field    | Type                 | Collation | Null | Key | Default | Extra | Privileges                      | Comment |
+----------+----------------------+-----------+------+-----+---------+-------+---------------------------------+---------+
| sid      | int(10) unsigned     |           | NO   | MUL |         |       | select,insert,update,references |         |
| cid      | int(10) unsigned     |           | NO   |     |         |       | select,insert,update,references |         |
| udp_len  | smallint(5) unsigned |           | YES  |     |         |       | select,insert,update,references |         |
| udp_csum | smallint(5) unsigned |           | YES  |     |         |       | select,insert,update,references |         |
+----------+----------------------+-----------+------+-----+---------+-------+---------------------------------+---------+
Database: server1_db  Wildcard: user_info
+-----------+
|  Tables   |
+-----------+
| user_info |
+-----------+
Database: server1_db  Table: version
+-----------+-------------+-------------------+------+-----+---------+-------+---------------------------------+---------+
| Field     | Type        | Collation         | Null | Key | Default | Extra | Privileges                      | Comment |
+-----------+-------------+-------------------+------+-----+---------+-------+---------------------------------+---------+
| version   | varchar(32) | latin1_swedish_ci | YES  |     |         |       | select,insert,update,references |         |
| installed | datetime    |                   | YES  |     |         |       | select,insert,update,references |         |
+-----------+-------------+-------------------+------+-----+---------+-------+---------------------------------+---------+
Categories: Tools