To Linux and beyond!

Pleasures and disillusions of the modern world

Nftables port knocking

One of the main advantages of nftables over iptables is its native handling of sets. They can be used for multiple purposes, and thanks to their timeout capabilities it is easy to do some fun things, such as implementing port knocking directly in the ruleset. The idea of this technique is fairly simple: a closed port is dynamically opened if the user sends packets, in order, to a predetermined series of ports. ...
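The rules below are an added example written for this index page, not the ruleset from the post (which this excerpt does not show). The knock sequence (TCP 1234, then 5678, then 9012), the timeouts and the guarded port 22 are arbitrary choices for the illustration; the `add @set { ... }` statement form requires a reasonably recent nft.

```nft
# Added example (not the post's own rules): port knocking with timed sets.
# Knock sequence assumed for illustration: TCP 1234, then 5678, then 9012.
# The guarded service is SSH on port 22.
table inet knock {
    # each stage remembers who completed it; entries expire on their own
    set stage1 { type ipv4_addr; flags timeout; timeout 10s; }
    set stage2 { type ipv4_addr; flags timeout; timeout 10s; }
    # addresses that completed the whole sequence; the gate stays open 30s
    set opened { type ipv4_addr; flags timeout; timeout 30s; }

    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        # an SSH session opened during the window survives the set expiry
        ct state established,related accept

        # the guarded port is only reachable from addresses that knocked
        ip saddr @opened tcp dport 22 counter accept

        # each knock matches exactly one rule (the ports differ); the packet
        # is dropped after the set update so the knocker gets no answer
        ip saddr @stage2 tcp dport 9012 add @opened { ip saddr } log prefix "knock-open: " drop
        ip saddr @stage1 tcp dport 5678 add @stage2 { ip saddr } drop
        tcp dport 1234 add @stage1 { ip saddr } drop

        # anything else, including knocks in the wrong order, hits the drop policy
    }
}
```

A client knocks with three connection attempts in order (for instance `for p in 1234 5678 9012; do nc -z -w 1 host $p; done`) and then has 30 seconds to open the SSH connection. The `log` statement only produces output once the Netfilter logging framework has a backend configured (nf_log sysctl or ulogd). Keep in mind this is a hiding measure, not authentication: anyone who can observe the knock sequence on the path can replay it, so SSH itself still has to be hardened.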

17 July 2017 · 3 min · Regit

Updated status in vim and bash

Powerline is a status-line extension that changes the prompt or status line of the shell, tmux and vim. The result is nice looking and useful, for bash as well as for gvim. The only catch is that even though the documentation is good, installation is not straightforward. So here is what I did. ...

13 September 2016 · 1 min · Regit

Out of [name]space issue

I'm running Debian sid on my main laptop, and while it works well most of the time, there are issues from time to time. Most of them fix themselves after a few days, so I usually don't try to fix them manually if they have no impact on my work. For a few weeks, the postinst script of the avahi daemon had been failing, and as it was not fixing itself during upgrades, I decided to have a look at it. ...

27 December 2015 · 3 min · Regit

My “Kernel packet capture technologies” talk at KR2015

I've just finished my talk on Linux kernel packet capture technologies at Kernel Recipes 2015. I would like to thank the organizers for their great work. I also thank Frank Tizzoni for the drawing. In that talk, I tried to give an overview of the history of packet capture technologies in the Linux kernel, all of it seen from userspace and from a Suricata developer's perspective. ...

1 October 2015 · 1 min · Regit

Elasticsearch, systemd and Debian Jessie

Now that Debian Jessie is out, it was time to upgrade my Elasticsearch servers. I've got two of them running in LXC containers on my main hardware system. Upgrading to Jessie was straightforward via apt-get dist-upgrade, but the Elasticsearch server processes were not there after reboot. I'm using the Elasticsearch 1.5 packages provided by Elastic on their website. Running /etc/init.d/elasticsearch start or service elasticsearch start gave no output at all. Systemd, which now starts the service, was not kind enough to provide any debugging information. ...

30 April 2015 · 1 min · Regit

Slides of my talks at Lecce

I was invited by SaLUG to Lecce to give some talks during their Geek Evening. I gave a talk on nftables and one on Suricata. (Photo: Lecce by night.) The nftables talk was about the motivation behind the change from iptables. Here are the slides: Nftables. The talk on Suricata explained the different features of Suricata and showed how I used it to study SSH bruteforce attacks. ...

18 February 2015 · 1 min · Regit

Efficient search of string in a list of strings in Python

I'm currently working on a script that parses Suricata EVE log files and tries to detect whether some fields of the log records are present in a list of bad patterns. So the script has two parts: reading the log file, and searching for a string in a list of strings. This list can be big, with a target of around 20000 strings. Note: this post may seem trivial to real Python developers, but as I did not manage to find any documentation on this, here is this blog post. ...
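Since the excerpt stops before the post's own solution, here is an added example (my code, not the post's script) of the two parts described above: reading EVE JSON lines and testing watched fields against a large pattern list. The pattern list is loaded once into a hash set, so each membership test is an average O(1) lookup instead of a linear scan over the list for every record. The field paths, the pattern file format and the EVE lines are constructed for the example.

```python
"""Added example (not the post's script): check Suricata EVE fields against a
large list of bad patterns. The EVE lines and pattern list below are
constructed for the example and are not real logs."""
import json
from typing import Iterable

# Field paths to check; chosen for the example (the EVE field names exist,
# the choice of which ones to watch is an assumption).
WATCHED_FIELDS = (("http", "hostname"), ("dns", "rrname"), ("tls", "sni"))

# Constructed bad-pattern list; in practice this is a ~20000-entry file.
BAD_PATTERNS_TEXT = """\
evil.example
c2.bad.example
# comments and blank lines are ignored
malware.example
"""

# Constructed EVE records, including one garbage line a parser must survive.
SAMPLE_EVE = """\
{"timestamp":"2014-11-09T10:00:00.000000+0100","event_type":"http","src_ip":"10.0.0.5","http":{"hostname":"evil.example","url":"/"}}
{"timestamp":"2014-11-09T10:00:01.000000+0100","event_type":"dns","src_ip":"10.0.0.6","dns":{"type":"query","rrname":"www.example"}}
{"timestamp":"2014-11-09T10:00:02.000000+0100","event_type":"dns","src_ip":"10.0.0.7","dns":{"type":"query","rrname":"c2.bad.example"}}
not json at all
{"timestamp":"2014-11-09T10:00:03.000000+0100","event_type":"tls","src_ip":"10.0.0.8","tls":{"sni":"MALWARE.EXAMPLE"}}
"""


def load_patterns(text: str) -> frozenset:
    """Build the set once. Lower-casing makes the match case-insensitive,
    which is what you want for hostnames and DNS names."""
    out = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            out.add(line.lower())
    return frozenset(out)


def extract(record: dict, path: tuple):
    """Walk a nested path such as ("http", "hostname"); None if absent."""
    cur = record
    for key in path:
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur if isinstance(cur, str) else None


def scan_eve(lines: Iterable[str], patterns: frozenset) -> list:
    """Return (timestamp, src_ip, field, value) for every record whose
    watched field is in the pattern set. Malformed lines are skipped, which
    matters when tailing a file whose last line is still being written."""
    hits = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            rec = json.loads(raw)
        except ValueError:
            continue
        for path in WATCHED_FIELDS:
            value = extract(rec, path)
            if value is not None and value.lower() in patterns:
                hits.append((rec.get("timestamp"), rec.get("src_ip"),
                             ".".join(path), value))
    return hits


if __name__ == "__main__":
    for hit in scan_eve(SAMPLE_EVE.splitlines(), load_patterns(BAD_PATTERNS_TEXT)):
        print(hit)
```

On a real file, pass the open file object to scan_eve instead of splitlines() so the lines stream through without loading the whole log in memory. Note that this is an exact-match check; if the bad patterns are substrings to find anywhere in the field, a set lookup does not apply and a different structure (a compiled alternation or an Aho-Corasick automaton) is needed.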

9 November 2014 · 2 min · Regit

Slides of my nftables talk at Kernel Recipes

I was lucky enough to give a talk during the third edition of Kernel Recipes. I presented the evolution of nftables during the previous year. You can get the slides from here: 2014_kernel_recipes_nftables. Thanks to Hupstream for uploading the video of the talk. There is not much material beyond these slides and a video of the work done during the previous year on nftables and its components:

29 September 2014 · 1 min · Regit

Using DOM with nftables

DOM is a tool comparable to fail2ban, but it uses Suricata's SSH logs instead of the SSH server's logs. The goal of DOM is to redirect attackers based on their SSH client version. This allows sending an attacker to a honeypot such as pshitt right after the first attempt, and it can be done for a whole network, as Suricata does not need to run on the targeted box. I've pushed basic nftables support to DOM: instead of adding elements via ipset, it uses an nftables set. ...

24 September 2014 · 2 min · Regit

pshitt: collect passwords used in SSH bruteforce

I've been playing lately with the characterization of SSH bruteforce attacks. I was a bit frustrated at getting only partial information: ulogd can give information about the scanner's settings, Suricata can give me the software version, and sshd server logs show the username. But having the username without the password is really frustrating, so I decided to try to get them. Looking for an SSH server honeypot, I found kippo, but it went too far for me by providing a fake shell access. So I decided to build my own based on paramiko. ...

26 June 2014 · 3 min · Regit

Let’s talk about SELKS

The slides of my lightning talk at SSTIC are available: Let's talk about SELKS. The slides are in French and are intended to be humorous. The presentation is about defensive security, which needs to get sexier, and Suricata 2.0 with EVE logging combined with Elasticsearch and Kibana can really help reach that target. If you want to try Suricata and Elasticsearch, you can download and test SELKS. ...

11 June 2014 · 1 min · Regit

Playing with python-git

I'm currently working on Scirius, the web management interface for Suricata developed by Stamus Networks. Scirius is able to fetch IDS signatures from external sources, and the backend stores them in a git tree. As Scirius is a Django application, this means we need to interact with git from Python. Usually the documentation of Python modules is good enough to develop with. This is sadly not the case for GitPython: there is documentation, but its overall quality is not excellent, at least for a non-native Python developer, and some big parts are missing. ...

19 May 2014 · 2 min · Regit

Slides of my coccigrep lightning talk at HES2014

I gave a lightning talk about coccigrep at Hackito Ergo Sum to show how it can be used to search code during an audit or a hacking party. Here are the slides: coccigrep: a semantic grep for the C language. The slides of my talk Suricata 2.0, Netfilter and the PRC will soon be available on the Stamus Networks website.

27 April 2014 · 1 min · Regit

Speeding up scapy packets sending

I'm currently writing some code based on scapy. This code reads data from a possibly huge file and sends a packet for each line of the file using the information it contains. So the code contains a simple loop and uses sendp, because the frame must be sent at layer 2:

    from scapy.all import sendp

    def run(self):
        filedesc = open(self.filename, 'r')
        # loop on read line
        for line in filedesc:
            # Build and send packet
            # (how pkt is built from `line` is elided in this excerpt)
            sendp(pkt, iface = self.iface, verbose = verbose)
            # Inter packet treatment

Doing that, the performance is a bit disappointing. For 18 packets, we've got: ...

17 April 2014 · 3 min · Regit

Suricata and Ulogd meet Logstash and Splunk

Suricata 2.0-rc2 is out and it brings some progress on the JSON side. Logging of the SSH protocol has been added, and the timestamp format has been updated to be ISO 8601 compliant; the field is now named timestamp instead of time. ...

7 March 2014 · 2 min · Regit

Nftables and the Netfilter logging framework

If nftables brings a lot of changes on the user side, this is also true in the logging area. There is now a single keyword for logging, log, and this target uses the Netfilter logging framework. A corollary is that you may not see any log messages even if a rule with log is matching, because the Netfilter logging framework has to be configured first. ...

24 February 2014 · 5 min · Regit

Logging connection tracking event with ulogd

I recently met @aurelsec and we discussed the interest of logging connection tracking entries. This is indeed an undervalued information source in a network. Quoting Wikipedia: "Connection tracking allows the kernel to keep track of all logical network connections or sessions, and thereby relate all of the packets which may make up that connection. NAT relies on this information to translate all related packets in the same way, and iptables can use this information to act as a stateful firewall." ...

23 February 2014 · 10 min · Regit

Suricata and Nftables

Building a Suricata ruleset with iptables has always been a complicated task when trying to combine the rules needed by the IPS with the firewall rules. Suricata has always used advanced Netfilter features, allowing some more or less tricky methods to be used. For those not familiar with an IPS using Netfilter, here are a few starting points:
- the IPS receives packets from the kernel via rules using the NFQUEUE target;
- the IPS must receive all packets of a given flow to be able to handle detection cleanly;
- the NFQUEUE target is a terminal target: when the IPS verdicts a packet, it is either accepted (and leaves the current chain) ...
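As an added example (not the post's own configuration, which this excerpt does not include), here is how those three points translate into an nftables forward chain feeding a Suricata worker on NFQUEUE. The interfaces, the queue number and the allowed ports are assumed for the illustration.

```nft
# Added example (not the post's own rules): hand forwarded traffic to an IPS
# listening on NFQUEUE. Interfaces, queue number and ports are assumptions.
table inet ips {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # firewall policy first: the IPS should only see what is allowed anyway
        ct state invalid drop
        iifname "eth1" oifname "eth0" ct state new tcp dport { 80, 443 } counter jump inspect
        # every later packet of those flows, in both directions, must also
        # reach the IPS so it can reassemble streams and verdict correctly
        ct state established,related jump inspect
    }

    chain inspect {
        # queue is terminal: the IPS verdict (accept/drop) ends processing,
        # so nothing placed after this line is evaluated for queued packets
        queue num 0
    }
}
```

Without the `bypass` flag on the queue statement, packets sent to a queue with no listener are dropped, so a stopped Suricata fails closed; adding `bypass` makes the kernel accept them instead (fail open). Either choice is defensible, but it should be an explicit decision, since the fail-open variant turns an IPS crash into a silent detection gap.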

5 February 2014 · 5 min · Regit

Using ulogd and JSON output

In February 2014, I committed a new output plugin to ulogd, the userspace logging daemon for Netfilter. It is a JSON output plugin which writes logs into a file in JSON format. The interest of the JSON format is that it is easily parsed by software such as logstash, and once the data is understood by logstash, you can get some nice and useful dashboards in Kibana: ...

2 February 2014 · 4 min · Regit

Investigation on an attack tool used in China

I've been playing lately with logstash, using data from the ulogd JSON output plugin and Suricata's full JSON output, as well as standard system logs. Ulogd gets Netfilter firewall logs from the Linux kernel and writes them in JSON format. Suricata does the same with alerts and other traces. Logstash ingests both, as well as the system logs. This allows creating dashboards with information coming from multiple sources. If you want to know how to configure ulogd for JSON output, check this post. For Suricata, you can have a look at this one. ...

2 February 2014 · 5 min · Regit