I’ve worked on a picture of a Volkswagen Beetle using Darktable and Gimp for post processing. These two tools are freely available free software. Darktable is for now only available on Linux, but Gimp is available for most platforms.

The picture was taken during autumn 2011 in San Francisco. It features an old Volkswagen Beetle in a parking lot near a house. There is an old cover on the car which gives it a strange pirate look. The picture straight out of the camera is the following:

A Beetle is a fun car and I did not want to make a sad picture from this photograph. I thus decided to do my best to transform the original picture into a shiny, colorful, seventies-spirit image. Most technical parameters of the RAW file are correct: the exposure is almost good if we omit some highlights, and sharpness is there too. It is thus a good basis to work on.

The main problem of the image is that the car is dark. To brighten the dark parts of an image, one of the best tools of darktable is “shadows and highlights”.

Just activating it with default settings is enough to improve the situation, but here we need to increase the effect. I thus set the shadow value to something like 170% to get a really bright car. The colors became lighter but not flashy enough. I then used the “color zone” filter to boost the color of the car by increasing the saturation of the car's main color. I also increased the lightness in the blues to get a less dark house.

This was enough to get what I wanted in terms of color, but I also wanted to give an old-fashioned look to the picture. For that, I used the soften filter:

I did not change many settings here, just the size parameter.

The result was matching my expectation:

Hummm, almost matching. The sunlight creates a zone that is too bright in front of the car. I thus decided to use Gimp to locally decrease the lightness in that zone.

I opened the JPEG export in Gimp. I used the “Fuzzy selector tool” (activating the “Feather edges” option) to select the highlight zone. I copied this selection into a new layer and simply decreased the lightness of the extracted zone.

The result was an old but shiny Beetle. You can see it on 500px:

Back to the seventies. by Eric Leblond (regit) on 500px.com

It seems OpenBSD upgrades are made to give maintenance work to the developers of third-party applications. In a way, OpenBSD fights against the economic crisis: it gives jobs to developers, and if you want some performance you need a powerful and thus new computer.

Let’s stop bashing and be serious: Suricata was building fine on OpenBSD 4.8 but the build was failing on subsequent versions. This was linked to an include change around the “socket.h” file. It is now mandatory to include “types.h” before “socket.h” to avoid compilation errors. The patch 0001-Fix-OpenBSD-compilation.patch.gz fixes the build.

I’ve also updated my Building Suricata under OpenBSD post, which explains the installation of dependencies that are now mandatory since Suricata 1.2.

The slides of my CansecWest talk can now be downloaded: Playing with Network Layers to Bypass Firewalls’ Filtering Policy.

The required counter-measures are described in the Secure use of iptables and connection tracking helpers document.

The associated video demonstrations are available:

The first video demonstrates how a forged IRC protocol command (DCC request) can be used to open a connection to a NATed client from the Internet.

The second video demonstrates the effect of the attack on helpers on an unprotected Netfilter firewall.

The third video demonstrates the effect of the attack on helpers on a badly configured Checkpoint firewall.

More information will come in upcoming posts.

Victor Julien has just pushed a new feature to suricata’s git tree. It brings improvements to the AF_PACKET capture mode.

This capture mode can be used on Linux, where it is the native way to capture packets. Suricata is able to use the interesting new multithreading feature provided by AF_PACKET on recent kernels: it is possible to have multiple capture threads receiving the packets of a single interface.

The commits add mmaped ring buffer support to AF_PACKET capture and also provide a zero copy mode. The mmaped ring buffer is a mechanism similar to the one used by PF_RING. The kernel allocates some memory to store the packets and shares this memory with the capture process. Instead of sending messages, the kernel just writes to the shared memory and the capture process reads it. This consumes less CPU and helps increase the capture rate. But the main advantage of this technique is that the capture process can process the packets without making a copy, and this saves a lot of time.

To activate these features, you need a Suricata compiled from the latest git and you need to modify some entries in your suricata.yaml file. You have to tell Suricata that you want to activate the mmap feature. For example, to activate the feature on eth0, you have to add ‘use-mmap’ to your configuration:

af-packet:
  - interface: eth0
    use-mmap: yes

You can then run Suricata with the command:

suricata -c suricata.yaml --af-packet=eth0

This setup will not activate the zero copy feature, which currently depends on the running mode. You will need to activate the worker mode to enable zero copy. To do so, run Suricata with a command similar to this one:

suricata -c suricata.yaml --af-packet=eth0 --runmode=worker

This code should provide an interesting performance boost to the AF_PACKET capture system. I have no numbers to provide now, but I will be happy to hear some if you run some tests.

Suricata is an IDS/IPS engine. To build a complete solution, you will need to use other tools. The following diagram represents a possible software setup when Suricata is used as an IDS or IPS on the network. It only uses open source components:

Suricata is used to sniff and analyse the traffic. To detect malicious traffic, it uses signatures (or rules). You can download a set of specialised rules from EmergingThreats.

To analyse the alerts generated by Suricata, you will need an interface such as, for example, snorby.

But this interface will need access to the data. This is done by storing the alerts in a database. This database can be fed by barnyard2, which takes the unified2 files output by Suricata, converts them and sends them to a database (or to some other format).

If you want counter-measures to be taken (such as temporarily blocking the attacker at the firewall level), you can use snortsam.

More complex setups can include interactions with a SIEM solution.
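To show what barnyard2 actually has to read from those files, here is an added Python parser for the unified2 binary format (example code written for this page, not barnyard2's or Suricata's own): it walks the record headers, decodes IPv4 alert records and packet records, and stops cleanly at a truncated tail, which happens when the writer has not finished a record yet. The sample records are constructed inline.

```python
import socket
import struct

# Record types written by Suricata's unified2 output (same values barnyard2 reads).
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7  # IPv4 alert, legacy 52-byte layout

RECORD_HDR = struct.Struct("!II")      # record type, record length (network byte order)
IDS_EVENT = struct.Struct("!11I2H4B")  # 52 bytes, fields named in EVENT_FIELDS
PACKET_HDR = struct.Struct("!7I")      # 28 bytes, followed by the captured packet

EVENT_FIELDS = ("sensor_id", "event_id", "event_second", "event_microsecond",
                "signature_id", "generator_id", "signature_revision",
                "classification_id", "priority_id", "src_ip", "dst_ip",
                "src_port", "dst_port", "protocol", "impact_flag", "impact", "blocked")

def parse_unified2(data):
    """Yield (record_type, fields) for each complete record in a unified2 buffer."""
    off = 0
    while off + RECORD_HDR.size <= len(data):
        rtype, length = RECORD_HDR.unpack_from(data, off)
        off += RECORD_HDR.size
        if off + length > len(data):
            break  # truncated tail: the writer has not finished this record yet
        body = data[off:off + length]
        off += length
        if rtype == UNIFIED2_IDS_EVENT and length >= IDS_EVENT.size:
            ev = dict(zip(EVENT_FIELDS, IDS_EVENT.unpack_from(body)))
            for key in ("src_ip", "dst_ip"):
                ev[key] = socket.inet_ntoa(struct.pack("!I", ev[key]))
            yield rtype, ev
        elif rtype == UNIFIED2_PACKET and length >= PACKET_HDR.size:
            hdr = PACKET_HDR.unpack_from(body)
            yield rtype, {"sensor_id": hdr[0], "event_id": hdr[1], "linktype": hdr[5],
                          "packet": body[PACKET_HDR.size:PACKET_HDR.size + hdr[6]]}
        else:
            yield rtype, {"raw": body}  # e.g. IPv6 or extra-data records: keep, do not crash

def build_sample():
    """Constructed sample (not a real capture): one alert followed by its packet record."""
    src = int.from_bytes(socket.inet_aton("10.0.0.5"), "big")
    dst = int.from_bytes(socket.inet_aton("192.0.2.1"), "big")
    event = IDS_EVENT.pack(1, 42, 1325376000, 0, 2000001, 1, 3, 29, 1,
                           src, dst, 51234, 6667, 6, 0, 0, 0)
    pkt = b"\x45\x00" + b"\x00" * 18  # 20 placeholder bytes standing in for a packet
    packet = PACKET_HDR.pack(1, 42, 1325376000, 1325376000, 123, 1, len(pkt)) + pkt
    return (RECORD_HDR.pack(UNIFIED2_IDS_EVENT, len(event)) + event +
            RECORD_HDR.pack(UNIFIED2_PACKET, len(packet)) + packet)
```

Run it with `for rtype, fields in parse_unified2(build_sample()): print(rtype, fields)`; a real spool file from Suricata's unified2 output can be passed the same way after `open(path, "rb").read()`.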

I co-founded the company INL in 2004. Renamed EdenWall in 2009 following a fundraising round and a change of business, the company's new business model was the sale of security appliances based on the free software NuFW, which I had started in 2003. NuFW, a software layer adding flow authentication to Netfilter, remained the company's technological engine but was not easy to access, since its deployment required low-level skills. From 2005 we therefore distributed complementary building blocks under a free license: Nulog, a log analysis project I had started in 2001, and Nuface, a filtering policy configuration interface, in 2005. The conclusion of this opening process was NuFirewall, a standalone firewall solution based on the EdenWall building blocks, which was distributed in 2010. It was a free version of the EdenWall appliances, distributed as an independent distribution published under the GPL license. The founders' idea was to have a product structure similar to an offering like VirtualBox's, with a dual-licensed distribution: a free solution suitable for most people and a version with Enterprise features.

Following a chain of unfortunate events, the company EdenWall went bankrupt during 2011. The various free software projects then found themselves orphaned. The FSF, in contact with some of the company's former developers, decided to coordinate the efforts to take over the various free software projects. I had fought for the publication of these building blocks and solutions, so I was very enthusiastic about the idea of setting up a site hosting what had been published under a free license. This is what I express in the quote included in the FSF press release.

However, it is the major part of EdenWall's code that has been published. This publication may be valid from a legal point of view, as explained in the FSF announcement, but it in no way reflects my personal moral position. I therefore do not endorse this global publication, but only the takeover of the NuFW and NuFirewall projects and, more generally, of the code that had already been published under a free license by EdenWall.

Following the presentation I’ve made during the 8th Netfilter Workshop, it was decided to write a document containing the best practices for a secure use of iptables and connection tracking helpers. This document, called “Secure use of iptables and connection tracking helpers”, is now available on this site. It contains recommendations that should be followed carefully if you are the administrator of a Netfilter/Iptables firewall or the developer of Netfilter based software.

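As an added example (not the document's own code), the following Python audits an iptables-save dump for the helper-related points a reviewer of such a ruleset would check. It assumes three recommendations: helpers are bound explicitly with the CT target in the raw table to a protocol and port, RELATED traffic is accepted only with an -m helper match, and automatic helper assignment is turned off through the net.netfilter.nf_conntrack_helper sysctl (a kernel setting assumed here, not mentioned on this page). The dump and the sysctl value are constructed.

```python
import re

# Constructed `iptables-save` excerpt (not a real capture) mixing safe and unsafe rules.
SAMPLE_DUMP = """\
*raw
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 21 -j CT --helper ftp
-A PREROUTING -j CT --helper irc
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED -m helper --helper ftp -p tcp -m tcp --dport 1024:65535 -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED -j ACCEPT
COMMIT
"""

CT_HELPER = re.compile(r"-j CT --helper (\S+)")
RELATED = re.compile(r"--ctstate \S*RELATED")

def audit_helpers(dump, nf_conntrack_helper):
    """Return (severity, message) findings for a dump and the sysctl value."""
    findings = []
    if nf_conntrack_helper != 0:
        # With automatic assignment, any flow on a helper's default port gets the
        # helper, so a client can create expectations the firewall never intended.
        findings.append(("high", "net.netfilter.nf_conntrack_helper is not 0"))
    table = None
    for line in dump.splitlines():
        if line.startswith("*"):
            table = line[1:]  # *raw, *filter, ...
            continue
        if not line.startswith("-A"):
            continue
        helper = CT_HELPER.search(line)
        if table == "raw" and helper and ("-p " not in line or "--dport" not in line):
            findings.append(("high", "helper %s assigned to unrestricted traffic: %s"
                             % (helper.group(1), line)))
        if (table == "filter" and RELATED.search(line) and line.endswith("-j ACCEPT")
                and "-m helper" not in line):
            findings.append(("medium", "RELATED accepted without -m helper: " + line))
    return findings
```

On a live box, feed it the output of `iptables-save` and the value read from /proc/sys/net/netfilter/nf_conntrack_helper.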
I have not written any article on coccigrep since the 1.0 release. Here is an update on what has been added to the software since that release.

C++ support

Coccinelle has basic C++ support, which can be activated by using the --cpp flag in coccigrep.

Patches information

The -L -v options on the command line display a description of the matches available on the system:
$ coccigrep -L -v
set: Search where a given attribute of structure 'type' is set
 * Confidence: 80%
 * Author: Eric Leblond 
 * Arguments: type, attribute
 * Revision: 2
For the developer, this is obtained from structured comments put at the start of the cocci file:
$ head src/data/set.cocci 
// Author: Eric Leblond 
// Desc: Search where a given attribute of structure 'type' is set
// Confidence: 80%
// Arguments: type, attribute
// Revision: 2
@init@
This is thus an easy way to document the search operation. Note that this also works for operations placed in the user or system custom directory.

Context line display improvement

Guillaume Nault has contributed a series of patches that greatly improve the display of context lines:
$ coccigrep -C 3 -t Packet -a flags -o set decode*c 
decode.c-90            -     }
decode.c-91            - 
decode.c-92            -     PACKET_INITIALIZE(p);
decode.c:93 (Packet *p):     p->flags |= PKT_ALLOC;
decode.c-94            - 
decode.c-95            -     SCLogDebug("allocated a new packet only using alloc...");
decode.c-96            -

Documentation

A man page is now available.

Python 2.5 support

The 1.6 release came with a code modification that permits coccigrep to run with Python 2.5. Some users still seem to use this old version of Python, and supporting it did not require degrading the coccigrep code; it has even improved it.

Option to read file lists from a file

Thomas Graf has contributed the -l option, which provides a way to specify a file containing the list of files to search in.

Operation improvement

The set operation has been improved and is now more accurate thanks to the support of all related operators.

Conclusion

Coccigrep is becoming more and more mature over time. The existing code base remains and polishing work is currently in progress. One last point on the project is that some Linux and *BSD distributions seem to have made packages. This is the case for AUR, Gentoo, NetBSD, OpenBSD, Mandriva and soon Debian, if the intention to package is confirmed.

Some new features have recently reached Suricata’s git tree and will be available in the next development release. I have worked on some of them, which I will describe here.

Multi interfaces support and new running modes

Configuration update

IDS live mode in suricata (pcap, pf_ring, af_packet) now supports capture on multiple interfaces. The syntax of the YAML configuration file has evolved and it is now possible to set per-interface variables. For example, it is possible to define the pfring configuration with the following syntax:
pfring:
  - interface: eth4
    threads: 8
    cluster-id: 99
    cluster-type: cluster_flow
  - interface: eth1
    threads: 2
    cluster-id: 98
    cluster-type: cluster_round_robin
This sets different parameters for the eth4 and eth1 interfaces. With that configuration, if the user launches suricata with
suricata -c suricata.yaml --pfring
it will listen on eth4 with 8 threads receiving packets using flow-based load balancing, and on eth1 with 2 threads. If you want to run suricata on a single interface, simply do:
suricata -c suricata.yaml --pfring=eth4
This syntax can be used with the new AF_PACKET acquisition module described below.

New running modes

The running modes have been extended by a new running mode, available for pfring and af_packet, which is called workers. This mode starts a configurable number of threads which do all the processing from packet acquisition to logging.

List of running modes

Here is the list of current running modes:
  • auto: Multi threaded mode (available for all packet acquisition modules)
  • single: Single threaded mode (available in pcap, pcap file, pfring, af_packet)
  • workers: Workers mode (available in AF_PACKET and pfring)
  • autofp: Multi threaded mode. Packets from each flow are assigned to a single detect thread.

af_packet support

Suricata now supports acquisition via AF_PACKET. This Linux packet acquisition socket has recently evolved and now supports load balancing the capture of an interface between userspace sockets. This module can be configured as shown at the start of this post. It will run on almost any Linux, but you will need a 3.0 kernel to be able to use the load balancing features.
suricata -c suricata.yaml --af-packet=eth4

GEO IP

The idea is to add a keyword that would be used to interact with a GeoIP database (at least a free one) and be able to use it to detect things like a control channel. For example, an IRC server in an uncommon country is certainly a control channel.

Live ruleset swap

A must have! This is vital for critical environments. This is very costly in memory, so it should be an option, to avoid blowing up low-memory boxes.

Qosmos integration / API for data exchange

Bringing in protocol analysis is an interesting point, as it will help increase the performance and accuracy of the engine. Knowing the protocol permits running only protocol-related rules on flows of that protocol, and this avoids false detections caused by running rules on the wrong protocol. OpenDPI technology and Qosmos technology integration are discussed. A common API is needed to be able to use both systems.

Global shared flowvars

Global flow vars will change the way we build rules. No longer being constrained to stream variables will increase the power of rules.

Host/app/OS table import

The idea is to load host types from a file to be able to tune the host settings precisely.

IPFIX support

IPFIX support as input or output could bring some advantages.

Conclusion

Matt Jonkman and Victor Julien will now summarize the input and publish on the OISF website the planned features for phase 3, based on the discussions about task priority that were held.

© 2012 To Linux and beyond ! Suffusion theme by Sayontan Sinha
