Tuesday, November 10, 2009

FortiAnalyzer and traffic monitoring with an HP ProCurve

A client has been seeing unusual traffic volumes on the Internet side of their Fortinet firewall, FortiGate FG-80C.

We connected a FortiAnalyzer to perform traffic analysis.

Scenario:
FortiAnalyzer (FA) port 1 is the management port, connected to the HP ProCurve in VLAN 1.
FA port 2 is the traffic collection port, connected to the same ProCurve on port 26.
ProCurve ports 21 and 22 are configured as VLAN 2.
The inside port of the router is connected to port 21.
The WAN1 port of the FortiGate (FG) is connected to port 22.

Configure the ProCurve (port 26 becomes the mirror destination; ports 21 and 22 are the monitored sources):
conf t
no ip routing
mirror-port 26
vlan 2
name "external"
untagged 21-22
ip address
exit
int 21
monitor
exit
int 22
monitor
exit
write mem


Then enable Network Analyzer on the FortiAnalyzer and set Port2 as the mirror port:
config log settings
set analyzer enable
set analyzer-gui enable
set analyzer-quota 10240
set analyzer-interface "port2"
end

(Logoff the GUI and logon to see Network Analyzer under the 'Tools' menu.)

Configure the FortiGate to log to the FortiAnalyzer:
config log fortianalyzer setting
set status enable
set server 192.168.1.99
end


Start the monitor from the FortiAnalyzer:
Tools -> Network Analyzer -> Real-Time -> Start
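As an added check (this is example code, not Fortinet or HP code), the snippet below parses the ProCurve mirror and VLAN commands from this post and flags the mistakes that most often leave the FortiAnalyzer capture empty or misleading: no mirror-port set, a monitored port that is not a member of the VLAN being watched, or the mirror port itself being monitored. The config string is copied from the post minus "conf t", "ip address" and "write mem".

```python
# Added example (not Fortinet or HP code): parse the ProCurve mirror/VLAN commands
# from this post and sanity-check the capture setup before trusting what port 26 sees.

# Copied from the post (minus "conf t", "ip address", "write mem"); tests may append to it.
PROCURVE_CONFIG = "\n".join(["mirror-port 26", "vlan 2", 'name "external"', "untagged 21-22",
                             "exit", "int 21", "monitor", "exit", "int 22", "monitor", "exit"])

def expand_ports(spec):
    """ProCurve port lists: '21-22,26' -> [21, 22, 26]."""
    ports = []
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.extend(range(int(lo), int(hi or lo) + 1))
    return ports

def parse_mirror_config(text):
    """Return {'mirror_port': int|None, 'monitored': [ports], 'vlans': {id: [untagged ports]}}."""
    cfg = {"mirror_port": None, "monitored": [], "vlans": {}}
    context = None                      # ("vlan", id) or ("int", [ports]) while inside a block
    for line in (l.strip() for l in text.splitlines()):
        words = line.split()
        if not words:
            continue
        if words[0] == "mirror-port":
            cfg["mirror_port"] = int(words[1])
        elif words[0] == "vlan":
            context = ("vlan", int(words[1]))
            cfg["vlans"].setdefault(context[1], [])
        elif words[0] in ("int", "interface"):
            context = ("int", expand_ports(words[1]))
        elif words[0] == "exit":
            context = None
        elif context and context[0] == "vlan" and words[0] == "untagged":
            cfg["vlans"][context[1]] += expand_ports(words[1])
        elif context and context[0] == "int" and words[0] == "monitor":
            cfg["monitored"] += context[1]
    return cfg

def check_mirror_config(cfg, vlan_id):
    """Problems worth flagging before reading the FortiAnalyzer capture."""
    problems = []
    if cfg["mirror_port"] is None:
        problems.append("no mirror-port defined")
    elif cfg["mirror_port"] in cfg["monitored"]:
        problems.append("mirror port %d is also monitored" % cfg["mirror_port"])
    if not cfg["monitored"]:
        problems.append("no interface has 'monitor' set")
    for p in cfg["monitored"]:
        if p not in cfg["vlans"].get(vlan_id, []):
            problems.append("monitored port %d is not untagged in VLAN %d" % (p, vlan_id))
    return problems
```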

The easy part is done. Now *you* have to figure out what to make out of the logs ;o)




Fix .pdf file association

Windows Explorer has its own file associations, independent of HKCR.

A client needed to replace Foxit Reader with Acrobat Reader on their Citrix servers because some third party software required the Adobe rendering engine. After removing Foxit and installing Acrobat Reader, users couldn't open any .pdf documents from Explorer or Outlook.

First thought was the file type association. FTYPE and ASSOC showed the correct associations, but I reset them anyway:

ftype AcroExch.Document="C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe" "%1"
assoc .pdf=AcroExch.Document

to no avail.

Then I lucked out and realized that on one of the servers, I'd failed to remove Foxit and had installed Acrobat Reader alongside it. Users on that server were still able to open .pdf files, and they were getting Foxit.

A quick registry search for "Foxit" returned several values, including the "Progid" value beneath HKCU\Software\Microsoft\Windows\Currentversion\Explorer\FileExts\.pdf

I don't know why Explorer needs a different file association, but deleting it solved the problem, and after logoff and logon, users were blissfully (and silently) opening .pdfs with Acrobat Reader.

To delete the key for each user, I added this line to %SystemRoot%\system32\usrlogn1.cmd (it may wrap in this post, but it's all one line):

reg delete "HKCU\Software\Microsoft\Windows\Currentversion\Explorer\FileExts\.pdf" /f

The line could also be added to a domain logon script.

(I initially changed the file type in the registry to point to Acrobat Reader, but then decided to try deleting it altogether. I prefer the deletion, since it appears to force Explorer to look up the HKCR association. If you need the Explorer FileExt entry, this works:

reg add "HKCU\Software\Microsoft\Windows\Currentversion\Explorer\FileExts\.pdf" /v Progid /t REG_SZ /d AcroExch.Document /f
)

Monday, March 30, 2009

Conficker scanner - using Bonn University's scs in a Windows environment

This post is based on information in ZDNet's article this morning:
http://blogs.zdnet.com/security/?p=3043&tag=nl.e589

I followed these steps successfully on two machines, a Windows XP SP3 workstation and a Windows 2003 SP2 server, and scanned three subnets in a few minutes.

Overview of steps:
  • download and install ActiveState Win32 Python
  • download python Crypto module
  • download and install python Impacket module
  • download, extract and run scs.py

Create a working directory for downloads and builds. I used
c:\Download\ConfickerTools

ActiveState python
- download the .msi into the working directory
http://downloads.activestate.com/ActivePython/windows/2.6/ActivePython-2.6.1.1-win32-x86.msi
- install the .msi
- accept the defaults (it will install in C:\Python26)

python Crypto module
- make sure Python is installed first
- download into the working directory
http://www.voidspace.org.uk/downloads/pycrypto-2.0.1.win32-py2.6.exe
- run the executable. It should find the Python26 installation and install there

python Impacket module
- download into the working directory
http://oss.coresecurity.com/repo/Impacket-0.9.6.0.zip
- extract the .zip file, preserving the directory structure
- open a command prompt
- change into the extracted directory,
e.g., cd C:\Download\ConfickerTools\Impacket-0.9.6.0
- at the prompt enter
python setup.py install
python will build the module and install it into its library directory

simple conficker scanner (scs)
download from Bonn university, Germany, into the working directory
http://iv.cs.uni-bonn.de/uploads/media/scs.zip
extract the .zip file
run the tool using the start and end addresses on your LAN, and redirect the output to a text file,
e.g.
scs.py 192.168.1.1 192.168.1.254 > scs-out_192-168-1-0.txt

examine the output file for any infected machines


Saturday, January 24, 2009

script to apply Citrix patches

This script applies patches to a Citrix Presentation Server / XenApp server. It iterates through the patch files in the current directory, examines the registry to determine whether each patch has already been applied, and applies it if not found.

Patches are available from
http://support.citrix.com/product/xa/

recommended use:
  • download the patches
  • paste the following script into a .cmd file in the patch directory (e.g., insthfx.cmd)
  • the script defaults to Presentation Server version 4.5 on Win2003: if your Citrix version is different or on a different OS, edit the variables under the :setup label (hfxProductVersion or hfxOSVersion) accordingly
  • logon to the Citrix server with administrative credentials
  • ensure no other users are logged on
  • run the script
This script has been in production for about a year on several different Citrix farms. Feel free to use or modify at your own risk - if something blows up, you have my sympathy. Applying any patch can cause problems with a system: I've had R03 misfire on only one server, but that required removing and reinstalling PSE.

@if .%ECHO%. equ .. echo off
rem //
rem // script to apply Citrix XenApp (nee Presentation Server) patches
rem // copy script into directory with .msp files
:setup
setlocal
rem // XenApp 5 uses prefix XAE
set hfxProductPrefix=PSE
set hfxProductVersion=450
rem // 64-bit patch version appends x64 to OS version
rem // e.g., W2K3X64
set hfxOSVersion=W2K3
set hfxRollupPrefix=%hfxProductPrefix%%hfxProductVersion%%hfxOSVersion%
:start
rem //
rem // change into the directory where this script is located
rem // (and where the patches are located)
pushd %~dp0
rem //
rem // disable logon
rem // it would also be nice to check for logged-on users
rem // -- maybe later
change logon /disable
rem //
rem // find latest rollup
rem // (iterate through all the rollups in name order
rem // the variable will be set to the latest one
rem // when the iteration is complete)
for %%a in (%hfxRollupPrefix%R*.msp) do set hfxRollup=%%~na
rem //
rem // extract rollup version number
rem // (last three characters of file name)
set hfxRVersion=%hfxRollup:~-3%
rem //
rem // install rollups first
call :hfx %hfxRollup%.msp
rem //
rem // install post-rollup hotfixes in order
for /f "tokens=*" %%a in ('dir /on /b %hfxProductPrefix%%hfxProductVersion%%hfxRVersion%%hfxOSVersion%*.msp') do call :hfx %%a
popd
change logon /enable
goto :cleanup
:cleanup
rem //
rem // reboot after 60 seconds
if /i .%1. neq .noreboot. start shutdown.exe -f -t 60 -r
goto :end
:hfx
set hfxpkg=%*
set hfxpkgname=%~n1
rem //
rem // find out whether the patch is listed in the registry
rem // reg.exe returns 1 if not found, 0 if found
reg query HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ProductCodes\Hotfixes\%hfxpkgname% > nul 2>&1
if %ERRORLEVEL% == 1 (
echo installing %hfxpkg%
start /wait msiexec /update %hfxpkg% /qn /norestart
choice /t:20 /d:y /c:y
)
goto :eof
:end
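As an added dry run (example code, not the batch script above), the Python below reproduces the two selection rules the script relies on, newest rollup first (PSE450W2K3R*.msp, last three characters of the name give the rollup number) and then the post-rollup hotfixes whose names start with prefix+version+rollup-number+OS (PSE450R03W2K3*.msp) in name order, together with the registry skip in :hfx. The file names and the "already installed" set are constructed; real names come from the Citrix hotfix pages.

```python
# Added example, not the batch script from the post: a dry run of the selection
# rules that script applies, so the install order can be checked on a workstation
# before anything is run on a Citrix server. File names and the "installed" set
# are constructed to match the naming convention the script expects.
import re

def select_patches(filenames, product="PSE", version="450", os_tag="W2K3"):
    """Order the batch script installs: newest rollup (PSE450W2K3R*.msp) first,
    then hotfixes named prefix+version+rollup-number+OS (PSE450R03W2K3*.msp),
    sorted by name like 'dir /on'."""
    rollup_re = re.compile(r"^%s%s%sR\d\d\.msp$" % (product, version, os_tag), re.I)
    rollups = sorted((f for f in filenames if rollup_re.match(f)), key=str.lower)
    if not rollups:
        return []                     # the batch file would call :hfx with ".msp"
    latest = rollups[-1]
    rversion = latest[:-4][-3:]       # same as set hfxRVersion=%hfxRollup:~-3%
    hotfix_prefix = (product + version + rversion + os_tag).lower()
    hotfixes = sorted((f for f in filenames
                       if f.lower().startswith(hotfix_prefix)
                       and f.lower().endswith(".msp")), key=str.lower)
    return [latest] + hotfixes

def plan_installs(filenames, installed=(), **kw):
    """Apply the :hfx registry check: a package whose name (without .msp) is
    already listed under HKLM\\SOFTWARE\\Citrix\\ProductCodes\\Hotfixes is skipped."""
    done = {n.lower() for n in installed}
    return [f for f in select_patches(filenames, **kw) if f[:-4].lower() not in done]

# Constructed directory listing; only the naming pattern matters here.
SAMPLE_DIR = ["PSE450W2K3R01.msp", "PSE450W2K3R03.msp", "PSE450R03W2K3024.msp",
              "PSE450R03W2K3002.msp", "PSE450R01W2K3005.msp", "insthfx.cmd"]

if __name__ == "__main__":
    for pkg in plan_installs(SAMPLE_DIR, installed=["PSE450W2K3R03"]):
        print("would run: msiexec /update %s /qn /norestart" % pkg)
```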