Necessary changes:
A commit to the glTail repo by pfSense developer JimP for an updated logging parser for pfSense 2 (https://github.com/Fudge/gltail/pull/14) included a comment about an additional and mandatory updated log output command used by pfSense 2 to be added to config.yaml called /usr/local/bin/filterpaser.php

In trying out the commit for the updated pfsense2.rb logging processor, glTail output was broken since the updated pfSense 2 logging parser had been revised considerably with a new block naming convention and as well as dropping blocks that were previously used in the pfSense 1 configuration. This resulted a config.yaml revision to use the new block naming convention and depreciated block names.

Additionally updates were needed to the hostwithport value processing for IPv4 traffic in the pfsense2.rb logging processor to parse out the host and port combinations from the old xxx.xxx.xxx.xxx.zzz format from pfSense 1 to the xxx.xxx.xxx.xxx:zzz format now used by pfSense 2. The committed parser did not yet include this necessary change.

Installation of glTail on OSX Lion:
Provided here are some simple steps to take to get glTail installed on OSX. This as been tested on Lion only.

wget https://github.com/Fudge/gltail/zipball/master
unzip Fudge-gltail-9d2b843.zip 
cd Fudge-gltail-9d2b843
sudo gem install net-ssh ruby-opengl file-tail net-ssh-gateway chipmunk -r
mv config.yaml config.yaml.old

Configuration of glTail for pfSense 2:
The following updated config and logging parser include all the fixes necessary to run glTail against pfSense 2 generated log output from /usr/local/bin/filterpaser.php.

Download and save the following config.yaml to the root of your glTail install and update with the host value with the IP of your pfSense 2 server.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69

servers:
    # Example 1: Connect directly to a pfSense router
    pfsense1:
        host: 192.168.1.1
        user: root
        password: 
        command: /usr/sbin/clog -f /var/log/filter.log | /usr/local/bin/filterparser.php
        files: /var/log/filter.log
        parser: pfsense2
        color: white
 
    # Example 2: Logs forwarded to a syslog host 
    # pfsense2:
    #     host: 192.168.1.2
    #     user: logview
    #     password: logviewpassword
    #     command: /usr/bin/tail -f -n0
    #     # Adjust this based on where you have syslog direct the output
    #     files: /var/log/hosts/pfsense.log
    #     parser: pfsense
    #     color: 0.2, 1.0, 0.2, 1.0
 
config:
    dimensions: 1024x700
    min_blob_size: 0.004
    max_blob_size: 0.02
    highlight_color: orange
    bounce: true
    left_column:
        size: 45
        alignment: -0.99
        blocks:
            action:
                order: 1
                size: 5
                color: red
            ipprotocol:
                order: 2
                size: 5
                color: magenta
            int:
                order: 3
                size: 5
            sourcedestination:
                order: 4
                size: 10
                color: pink
 
    right_column:
        size: 45
        alignment: 0.99
        blocks:
            destinationhost:
                order: 1
                size: 15
            destinationport:
                order: 2
                size: 15
                color: cyan
            sourcehost:
                order: 3
                size: 15
            sourceport:
                order: 4
                size: 15
                color: blue
resolver:
    reverse_ip_lookups: true
    reverse_timeout: 0.5

Download and save pfsense2.rb to lib/gl_tail/parsers

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108

# gl_tail.rb - OpenGL visualization of your server traffic
# Copyright 2007 Erlend Simonsen (mr@fudgie.org)
#
# Licensed under the GNU General Public License v2 (see LICENSE)
#
 
# Parser for pfSense PF Logs, specifically those from pfSense (2.0)
# Jim Pingle (myfirstname@pingle.org)
 
# Available Blocks
#action: block|pass
#rule: Rule number matched
#ipprotocol: carp|icmp|tcp|udp|ah|igmp|esp|gre you get the idea..
#int: This will be the actual interface (fxp0, vlan2, em1, etc) as the 'friendly' name is not put in the logs.
#sourcehost: source host/IP
#sourceport: source port
#destinationhost: destination host/IP
#destinationport: destination port
#sourcedestination:  source host and port > destination host and port
 
# Use with command:  /usr/sbin/clog -f /var/log/filter.log | /usr/local/bin/filterparser.php
 
class PFSense2Parser < Parser
  require 'date'
 
  def getipandport(hostwithport)
 
    # Test for IPv6
    if (hostwithport.count(':') > 2)
      if (hostwithport.count('.') == 1)
        thisport = hostwithport.split('.')[1].to_s
        thishost = hostwithport.split('.')[0].to_s
      else
        thishost = hostwithport
        thisport = "none"
      end
    else
      # IPv4
      if (hostwithport.count('.') == 3 && hostwithport.count(':') == 1)
        thisport = hostwithport.split(':')[-1,1].to_s
        thishost = hostwithport.split(':')[0,1].to_s
      else
        thishost = hostwithport
        thisport = "none"
      end
    end
 
    if thisport.include?(':')
      thisport = thisport.split(':')[0]
    end
    if thisport.include?(' ')
      thisport = thisport.split(' ')[0]
    end
 
    return [thishost, thisport]
  end
 
  def getport(thisport)
    if thisport == "none"
      return ""
    else
      return ":" + thisport.to_s
    end
  end
 
  def parse( line )
    lmonth, lday, ltod, action, int, ipprotocol, src, dst = line.split(' ')
    ltime = [ lmonth, lday, ltod ].join(' ')
 
    # Assume the server is in the same time zone as the viewing client.
    timewithoffset = ltime.to_s + DateTime.now().zone()
 
    # Alternately, just set it this way to assume UTC/GMT
    #timewithoffset = ltime.to_s
 
    hours,minutes,seconds,frac = Date.day_fraction_to_time(DateTime.now() - DateTime.parse(timewithoffset))
 
    # When connecting directly, there is no way to only view the end of the log. The clog program to view
    # circular logs will dump the entire log to the parser, then will tail it showing new messages.
    # Therefore, we can run a simple time check and only view entries from the last 5 minutes, or the
    # "future". On some systems, I have seen the clock show negative (-1hr 59mins) instead of 0, so we
    # can allow "future" messages just to be safe.
    if ((hours == 0) and (minutes < 5)) or (hours < 0)
      # Debug
      # printf("Adding entry from %s hours, %s minutes ago\n", hours.to_s, minutes.to_s)
 
      sourcehost, sourceport = getipandport(src)
 
      destinationhost, destinationport = getipandport(dst)
 
      add_activity(:block => 'action',  :name => action.to_s)
      add_activity(:block => 'int',     :name => int.to_s)
      add_activity(:block => 'ipprotocol',   :name => ipprotocol.to_s)
      add_activity(:block => 'sourcehost', :name => sourcehost.to_s)
      if sourceport != "none"
        add_activity(:block => 'sourceport', :name => sourceport.to_s)
      end
      add_activity(:block => 'destinationhost', :name => destinationhost.to_s, :type => 5)
      if destinationport != "none"
        add_activity(:block => 'destinationport', :name => destinationport.to_s, :type => 5)
      end
      add_activity(:block => 'sourcedestination',  :name => sourcehost.to_s + getport(sourceport) + " > " + destinationhost.to_s + getport(destinationport) + " (" + ipprotocol.to_s + ")")
    else
      # Debug
      # printf("Not adding entry from %s hours, %s minutes ago\n", hours.to_s, minutes.to_s)
    end
  end
end

Executing:
Executing glTail is done from the root of the glTail installation folder location.

./bin/gl_tail config.yaml

Notes:
This has not been tested against IPv6 traffic yet.

The National Institute of Standards and Technology (NIST) has published two new documents on cloud computing: the first edition of a cloud computing standards roadmap and a cloud computing reference architecture and taxonomy.

Together, the documents provide guidance to help understand cloud computing standards and categories of cloud services that can be used government-wide.

These documents, along with others from NIST and NIST working groups, will be incorporated into the NIST U.S. Government Cloud Computing Technology Roadmap, expected to be published in November, 2011.

Via: Infosec Island

MIT researchers have devised a protocol to flummox man-in-the-middle attacks against wireless networks. The all-software solution lets wireless radios automatically pair without the use of passwords and without relying on out-of-band techniques such as infrared or video channels.

Dubbed Tamper-evident pairing, or TEP, the technique is based on understanding how man-in-the-middle attacks tamper with wireless messages, and then detects and in some cases blocks the tampering. The researchers suggest that TEP could have detected the reported but still unconfirmed cellular man-in-the-middle attack that unfolded at the Defcon conference earlier this month in Las Vegas.

Via: NetworkWorld

RSA Security will replace virtually every one of the 40 million SecurID tokens currently in use as a result of the hacking attack the company disclosed back in March. The EMC subsidiary issued a letter to customers acknowledging that SecurID failed to protect defense contractor Lockheed Martin, which last month reported a hack attempt.

This admission puts paid to RSA’s initial claims that the hack would not allow any “direct attack” on SecurID tokens; wholesale replacement of the tokens can only mean that the tokens currently in the wild do not offer the security that they are supposed to. Sources close to RSA tell Ars that the March breach did indeed result in seeds being compromised. The algorithm is already public knowledge.

Via: ars technica

RSA, the Security Division of EMC Corp., said Thursday that information related to its SecurID two-factor authentication products was stolen in an “extremely sophisticated cyberattack” against the company.

In an open letter to customers posted on the company’s website, Art Coviello, RSA executive chairman, said RSA recently detected the attack.

“Our investigation has led us to believe that the attack is in the category of an Advanced Persistent Threat (APT). Our investigation also revealed that the attack resulted in certain information being extracted from RSA’s systems. Some of that information is specifically related to RSA’s SecurID two-factor authentication products,” he said.

APT is used to describe attacks in which organized intruders gain access to a network and often stay there undetected for a long period of time with the goal of stealing data.

The RSA open letter is available here

RSA two-factor authentication products are used by corporations, healthcare institutions and charities, banks and financial institutions, as well as by various levels of government .

Via: SearchSecurity

A warning has been issued by the developers of ProFTPD, the popular FTP server software, about a compromise of the main distribution server of the software project that resulted in attackers exchanging the offered source files for ProFTPD 1.3.3c with a version containing a backdoor.

It is thought that the attackers took advantage of an unpatched security flaw in the FTP daemon in order to gain access to the server.

Via: Net Security

Canada’s cyber security strategy, announced in last spring’s budget, will cost $90-million over five years and $18-million in ongoing funding.

It aims to secure federal computer systems and join other governments and industry to “ensure systems vital to Canadian security, economic prosperity and quality of life are protected.”

The strategy will also boost education and awareness to better help Canadians keep personal information secure when online at home and at work.

Via: InfoSecurity Magazine

According to NECN, police busted a burglary ring in Nashua, NH accused of more than 50 break-ins and seized $100,000 in stolen property. The crooks targeted victims who posted their location on Facebook.

Via: Valleywag

IBM has made Firefox the company’s default Web browser. According to IBM’s vice president of Linux and open source software, company-wide Firefox adoption will accelerate IBM’s shift to cloud computing.

Via: ars technica

Canada Post says the email is a fake and likely contains a virus or other malware. Recipients are being strongly cautioned against opening the attachment.

Additionally, Canada Post said that if a tracking number is provided in the email, you can check separately at the agency’s website. If it comes up as invalid, then the tracking number is a fake and the email should be deleted.

Read more at News1130