To Linux and beyond !

Nftables port knocking

Mon, 17 Jul 2017 23:07:37 +0000

One of the main advantage of nftables over iptables is its native handling of set. They can be used for multiple purpose and thanks to the timeout capabilities it is easy to do some fun things like implementing port knocking in user space.

The idea of this technic is fairly simple, a closed port is dynamically opened if the user send packets in order to a predetermine series of ports.

Updated status in vim and bash

Tue, 13 Sep 2016 22:39:49 +0000

Powerline

Powerline is a status extension software changing the prompt or status line for shell, tmux and vim.

The result is nice looking and useful for bash:

and for gvim:

Only point is that even if documentation is good, installation is not straightforward. So here’s what I’ve done.

Out of [name]space issue

Sun, 27 Dec 2015 16:50:12 +0000

Introduction

I’m running Debian sid on my main laptop and if most of the time if works well there is from time to time some issues. Most of them fixes after a few days so most of the time I don’t try to fix them manually if there is no impact on my activity. Since a few weeks, the postinst script of avahi daemon was failing and as it was not fixing by itself during upgrade I’ve decided to have a look at it.

My “Kernel packet capture technologies” talk at KR2015

Thu, 01 Oct 2015 13:44:57 +0000

I’ve just finished my talk on Linux kernel packet capture technologies at Kernel Recipes 2015. I would like to thanks the organizer for their great work. I also thank Frank Tizzoni for the drawing

In that talk, I’ve tried to do an overview of the history of packet capture technologies in the Linux kernel. All that seen from userspace and from a Suricata developer perspective.

Elasticsearch, systemd and Debian Jessie

Thu, 30 Apr 2015 20:35:46 +0000

Now that Debian Jessie is out, it was the time to do an upgrade of my Elasticsearch servers. I’ve got two of them running in LXC containers on my main hardware system

Upgrading to Jessie was straightforward via apt-get dist-upgrade.

But the Elasticsearch server processes were not here after reboot. I’m using the Elasticsearch 1.5 packages provided by Elastic on their website.

Running /etc/init.d/elasticsearch start or service elasticsearch start were not giving any output. Systemd which is now starting the service was not kind enough to provide any debugging information.

Slides of my talks at Lecce

Wed, 18 Feb 2015 10:44:41 +0000

I’ve been invited by SaLUG to Lecce to give some talks during their Geek Evening. I’ve done a talk on nftables and one of suricata.

Lecce by night

The nftables talk was about the motivation behind the change from iptables.

Here are the slides: Nftables

The talk on Suricata was explaining the different feature of Suricata and was showing how I’ve used it to make a study of SSH bruteforce.

Efficient search of string in a list of strings in Python

Sun, 09 Nov 2014 10:12:16 +0000

Introduction

I’m currently working on a script that parses Suricata EVE log files and try to detect if some fields in the log are present in a list of bad patterns. So the script has two parts which are reading the log file and searching for the string in a list of strings. This list can be big with a target of around 20000 strings.

Note: This post may seem trivial for real Python developers but as I did not manage to find any documentation on this here is this blog post.

Slides of my nftables talk at Kernel Recipes

Mon, 29 Sep 2014 20:48:14 +0000

I’ve been lucky enough to do a talk during the third edition of Kernel Recipes. I’ve presented the evolution of nftables durig the previous year.

You can get the slides from here: 2014_kernel_recipes_nftables.

Thanks to Hupstream for uploading the video of the talk:

Not much material but this slides and a video of the work done during the previous year on nftables and its components:

Using DOM with nftables

Wed, 24 Sep 2014 12:12:25 +0000

DOM and SSH honeypot

DOM is a solution comparable to fail2ban but it uses Suricata SSH log instead of SSH server logs. The goal of DOM is to redirect the attacker based on its SSH client version. This allows to send attacker to a honeypot like pshitt directly after the first attempt. And this can be done for a whole network as Suricata does not need to be on the targeted box.

Using DOM with nftables

I’ve pushed a basic nftables support to DOM. Instead of adding element via ipset it uses a nftables set.

pshitt: collect passwords used in SSH bruteforce

Thu, 26 Jun 2014 08:41:02 +0000

Introduction

I’ve been playing lately on analysis SSH bruteforce caracterization. I was a bit frustrated of just getting partial information:

ulogd can give information about scanner settings
suricata can give me information about software version
sshd server logs shows username

But having username without having the password is really frustrating.

So I decided to try to get them. Looking for a SSH server honeypot, I did find kippo but it was going too far for me
by providing a fake shell access. So I’ve decided to build my own based on paramiko.

Let’s talk about SELKS

Wed, 11 Jun 2014 09:14:24 +0000

The slides of my lightning talk at SSTIC are available: Let’s talk about SELKS. The slides are in French and are intended to be humorous.

The presentation is about defensive security that needs to get sexier. And Suricata 2.0 with EVE logging combined with Elasticsearch and Kibana can really help to reach that target. If you want to try Suricata and Elasticsearch, you can download and test SELKS.

Playing with python-git

Mon, 19 May 2014 18:44:10 +0000

Introduction

I’m currently working on Scirius, the web management interface for Suricata developed by Stamus Networks.
Scirius is able to fetch IDS signatures from external place and the backend is storing this element in a git tree. As Scirius is a Django application, this means we need to interact with git in Python.

Usually the documentation of Python modules is good and enough to develop. This is sadly not the case for GitPython. There is documentation but the overall quality it not excellent, at least for a non genuine Python developer, and there is some big part missing.

Slides of my coccigrep lightning talk at HES2014

Sun, 27 Apr 2014 20:54:17 +0000

I’ve gave a lightning talk about coccigrep at Hackito Ergo Sum to show how it can be used to search in code during audit or hacking party. Here are the slides: coccigrep: a semantic grep for the C language.

The slides of my talk Suricata 2.0, Netfilter and the PRC will soon be available on Stamus Networks website.

Speeding up scapy packets sending

Thu, 17 Apr 2014 14:11:58 +0000

Sending packets with scapy

I’m currently doing some code based on scapy. This code reads data from a possibly huge file and send a packet for each line in the file using the contained information.
So the code contains a simple loop and uses sendp because the frame must be sent at layer 2.

def run(self):
         filedesc = open(self.filename, 'r')
         # loop on read line
         for line in filedesc:
             # Build and send packet
             sendp(pkt, iface = self.iface, verbose = verbose)
             # Inter packet treatment

Doing that the performance are a bit deceptive. For 18 packets, we’ve got:

Suricata and Ulogd meet Logstash and Splunk

Fri, 07 Mar 2014 23:19:37 +0000

Some progress on the JSON side

Suricata 2.0-rc2 is out and it brings some progress on the JSON side. The logging of SSH protocol has been added:

and the format of timestamp has been updated to be ISO 8601 compliant and it is now named timestamp instead of time.

Nftables and the Netfilter logging framework

Mon, 24 Feb 2014 22:17:22 +0000

Nftables logging

If nftables is bringing a lot of changes on user side, this is also true in the logging area.
There is now only one single keyword for logging: log and this target is using the Netfilter logging framework.
A corollary of that is that why you may not see any log messages even if a rule with log is matching because the Netfilter logging framework has to be configured.

Logging connection tracking event with ulogd

Sun, 23 Feb 2014 17:11:30 +0000

Motivation

I’ve recently met @aurelsec and we’ve discussed about the interest of logging connection tracking entries. This is indeed a undervalued information source in a network.

Quoting Wikipedia: “Connection tracking allows the kernel to keep track of all logical network connections or sessions, and thereby relate all of the packets which may make up that connection. NAT relies on this information to translate all related packets in the same way, and iptables can use this information to act as a stateful firewall.”

Suricata and Nftables

Wed, 05 Feb 2014 09:03:28 +0000

Iptables and suricata as IPS

Building a Suricata ruleset with iptables has always been a complicated task when trying to combined the rules that are necessary for the IPS with the firewall rules. Suricata has always used Netfilter advanced features allowing some more or less tricky methods to be used.

For the one not familiar with IPS using Netfilter, here’s a few starting points:

IPS receives the packet coming from kernel via rules using the NFQUEUE target
The IPS must received all packets of a given flow to be able to handle detection cleanly
The NFQUEUE target is a terminal target: when the IPS verdicts a packet, it is or accepted (and leave current chain)

Using ulogd and JSON output

Sun, 02 Feb 2014 16:39:34 +0000

Ulogd and JSON output

In February 2014, I’ve commited a new output plugin to ulogd, the userspace logging daemon for Netfilter. This is a JSON output plugin which output logs into a file in JSON format. The interest of the JSON format is that it is easily parsed by software just as logstash. And once data are understood by logstash, you can get some nice and useful dashboard in Kibana:

Investigation on an attack tool used in China

Sun, 02 Feb 2014 15:28:32 +0000

Log analysis experiment

I’ve been playing lately with logstash using data from the ulogd JSON output plugin and the Suricata full JSON output as well as standard system logs.

Ulogd is getting Netfilter firewall logs from Linux kernel and is writing them in JSON format. Suricata is doing the same with alert and other traces. Logstash is getting both log as well as sytem log. This allows to create some dashboard with information coming from multiple sources. If you want to know how to configure ulogd for JSON output check this post. For suricata, you can have a look at this one.

Why you will love nftables

Mon, 20 Jan 2014 11:57:35 +0000

Linux 3.13 is out

Linux 3.13 is out bringing among other thing the first official release of nftables. nftables is the project that aims to replace the existing {ip,ip6,arp,eb}tables framework aka iptables.
nftables version in Linux 3.13 is not yet complete. Some important features are missing and will be introduced in the following Linux versions.
It is already usable in most cases but a complete support (read nftables at a better level than iptables) should be available in Linux 3.15.

A bit of logstash cooking

Fri, 10 Jan 2014 15:24:34 +0000

Introduction

I’m running a dedicated server to host some internet services. The server runs Debian. I’ve installed logstash on it to do a bit of monitoring of my system logs and suricata.

I’ve build a set of dashboards. The screenshot below shows a part of the one being dedicated to suricata:

What’s new in ulogd 2.0.3

Wed, 27 Nov 2013 20:35:10 +0000

New features in ulogd 2.0.3 release

Database framework update

ulogd 2.0.3 implements two new optional modes for database connections:

backlog system to avoid event loss in case of database downtime
running mode where acquisition is made in one thread and queries to databases are made in separate threads to reduce latency in the treatment of kernel messages

These two modes are described below.

Postgresql update

Postgresql output plugin was only offering a small subset of Postgresql connection-related options.
It is now possible to use the connstring to use all possible parameters of libpq param keywords. If set, this variable has precedence on other variables.

Using linux perf tools for Suricata performance analysis

Mon, 18 Nov 2013 12:59:59 +0000

Introduction

Perf is a great tool to analyse performances on Linux boxes. For example, perf top will give you this type of output on a box running Suricata on a high speed network:

Events: 32K cycles                                                                                                                                                                                                                            
 28.41%  suricata            [.] SCACSearch
 19.86%  libc-2.15.so        [.] tolower
 17.83%  suricata            [.] SigMatchSignaturesBuildMatchArray
  6.11%  suricata            [.] SigMatchSignaturesBuildMatchArrayAddSignature
  2.06%  suricata            [.] tolower@plt
  1.70%  libpthread-2.15.so  [.] pthread_mutex_trylock
  1.17%  suricata            [.] StreamTcpGetFlowState
  1.10%  libc-2.15.so        [.] __memcpy_ssse3_back
  0.90%  libpthread-2.15.so  [.] pthread_mutex_lock

The functions are sorted by CPU consumption. Using arrow key it is possible to jump into the annotated code to see where most CPU cycles are used.

Logstash and Suricata for the old guys

Mon, 28 Oct 2013 10:47:31 +0000

Introduction

logstash an opensource tool for managing events and logs. It is using elasticsearch for the storage and has a really nice interface named Kibana. One of the easiest to use entry format is JSON.

Suricata is an IDS/IPS which has some interesting logging features. Version 2.0 will feature a JSON export for all logging subsystem. It will then be possible to output in JSON format:

HTTP log
DNS log
TLS log
File log
IDS Alerts

For now, only File log is available in JSON format. This extract meta data from files transferred over HTTP.

A bit of fun with IPv6 setup

Thu, 26 Sep 2013 09:28:38 +0000

When doing some tests on Suricata, I needed to setup a small IPv6 network. The setup is simple with one laptop which is Ethernet connected to a desktop. And the desktop host a Virtualbox system.
This way, the desktop can act as a router with laptop on eth0 and Vbox on vboxnet0.

To setup the desktop/router, I’ve used:

ip a a 4::1/64 dev eth0
ip a a 2::1/64 dev vboxnet0
echo "1">/proc/sys/net/ipv6/conf/all/forwarding

To setup the laptop who already has a IPv6 public address on eth0, I’ve done:

Talk about nftables at Kernel Recipes 2013

Tue, 24 Sep 2013 13:48:19 +0000

I’ve just gave a talk about nftables, the iptables successor, at Kernel Recipes 2013. You can find the slides here:
2013_kernel_recipes_nftables

A description of the talk as well as slides and video are available on Kernel Recipes website

Here’s the video of my talk:

I’ve presented a video of nftables source code evolution:

The video has been generated with gource. Git history of various components have been merged and the file path has been prefixed with project name.

Adding a force build to all builders

Fri, 20 Sep 2013 10:56:26 +0000

Recent versions of buildbot, the continuous integration framework don’t allow by default the force build feature.
This feature can be used to start a build on demand. It is really useful when you’ve updated the build procedure or when you want to test new branches.

It was a little tricky to add it, so I decided to share it. If c is the name of the configuration you build in your master.cfg, you can add after all builders declarations:

Using tc with IPv6 and IPv4

Wed, 18 Sep 2013 12:57:21 +0000

The first news is that it works! It is possible to use tc to setup QoS on IPv6 but the filter have to be updated.

When working on adding IPv6 support to lagfactory, I found out by reading tc sources and specifically ll_proto.c that the keyword to use for IPv6 was ipv6. Please read that file if you need to find the keyword for an other protocol.
So to send packet with Netfilter mark 5000 to a specific queue, one can use:

Nftables quick howto

Thu, 30 May 2013 16:39:37 +0000

Introduction

This document is between a dirty howto and a cheat sheet. For a short description of some interesting nftables features, you can read Why you will love nftables.

For a description of architecture and ideas behind Nftables, please read the announce of the first release of nftables.
For more global information, you can also watch the talk I’ve made atKernel Recipes: Eric Leblond, OISF – Nftables.

Building nftables

Libraries

The following libraries are needed

Some ulogd db improvements

Tue, 21 May 2013 21:42:57 +0000

Some new features

I’ve just pushed to ulogd tree a series of patches. They bring two major improvements to database handling:

Backlog system: temporary store SQL query in memory if database is down.
Ring buffer system: a special mode with a thread to read data from kernel and a thread to do the SQL query.

The first mode is attended for preventing data loss when database is temporary down. The second one is an attempt to improve performance and the resistance to netlink buffer overrun problem.
The modification has been done in the database abstraction layer and it is thus available in MySQL, PostgreSQL and DBI.

Netfilter and the NAT of ICMP error messages

Wed, 24 Apr 2013 22:30:00 +0000

The problem

I’ve been recently working for a customer which needed consultancy because of some unexplained Netfilter behaviors related to ICMP error messages. He authorizes me to share the result of my study and I thank him for making this blog entry possible.
His problem was that one of his firewalls is using a private interconnexion with their border router and the customer did not manage to NAT all outgoing ICMP error messages.

A month in the life of Debian in 2000 and 2012

Fri, 05 Apr 2013 21:56:59 +0000

Visualizing Debian packages upload

Ultimate Debian Database provide a way to get information about all packages upload on Debian repositories accros time. After a discussion with Lucas Nussbaum at Distro Recipes, he made available a webpage to access to a gource compatible file format of packages upload.

Using this I was able to create videos of Debian evolution over time. I’ve generated two videos showing on month of packages upload in 2000 and to compare one month in 2012.

WiFi interface and suricata AF_PACKET IPS mode

Tue, 26 Mar 2013 15:24:45 +0000

Not usual setup can lead to surprise

The 5th of December 2012, I’ve setup suricata in AF_PACKET IPS mode between a WiFi interface and an Ethernet interface. The result was surprising as it was leading to a crash after some time:

The issue was linked with the defrag option of AF_PACKEt fanout. I’ve proposed a patch the 7th Dec 2012 and after a discussion with David Miller and Johannes Berg, Johannes has proposed a better patch which was included in official tree. So the problem is fixed for kernel superior or equal to 3.7.

Jan Engelhardt, â€œMerge Meâ€

Tue, 12 Mar 2013 14:43:50 +0000

Xtables2

xtables 2 suppress the different tables that exits in current Netfilter. If a rule only apply to a specific type of traffic (read owner id match per-example) then it just don’t match.

One of the interest to have one single table is that it is possible to easily update the ruleset by just doing a single atomic swap.

Manual chains can be created by hand as there are very useful to create factorized rules.

NFWS group photo

Tue, 12 Mar 2013 13:34:59 +0000

Top starting from left:
Jan Engelhardt, Tomasz Bursztyka, Daniel Borkmann, Julien Vehent, Holger Eitzenberger, Victor Julien, Eric Leblond, Eric Dumazet, Nicolas Dichtel, David Miller, S. Park

Bottom starting from left:
Martin Topholm, Jesper Sander Lindgren, Pablo Neira Ayuso, Simon Horman, Jozsef Kadlecsik, Jesper Dangaard Brouer, Patrick McHardy, Thomas Graf

Tomasz Bursztyka, connMan usage of Netfilter

Tue, 12 Mar 2013 12:52:16 +0000

Introduction

connMan is a network manager which has support for a lot of different layers from ethernet and WiFi to NFC and link sharing.

It features automatic link switch and allow you to select your preferred type of support. The communication with UI is event based so it is easy to do as only a few windows type are needed.

Discussion

David Miller pointed out the fact that DHCP client is really often putting the interface in promiscuous mode and this is not a good idea as it is like having a tcpdump started on every laptop. As connMann does ahave its own implementation, they could maybe take this into account and improved the situation. This is in fact already the case as the DHCP client is using an alternate method.

Jozsef Kadlecsik, ipset status

Tue, 12 Mar 2013 11:00:51 +0000

Tc interaction

tc interaction has been contributed by Florian Westphal. It is thus now possible to use a set match to differentiate Qos or routing of packet. This opens a wide area for experimentation.

Packet and byte counters

This is a fairly larger rewriting of set element and extensions which adds packets and bytes counters to the element.

The syntax has been updated:

ipset add <set> <elem> packets n bytes m

It is also possible to do check on counters !! For example, ipset will be able to do a match on a set and to refine the selection by specifying the number of packets we must have seen before matching. Counters can also be updated in the set match.

Pablo Neira Ayuso, nftables strikes back

Tue, 12 Mar 2013 10:13:42 +0000

Introduction

This is a new kernel packet filtering framework. The only change is on iptables. Netfilter hooks, connection tracking system, NAT are unchanged.
It provides a backward compatibility. nftables was released in March 2009 by Patrick Mchardy. It has been revived in the precedent months by Pablo Neira Ayuso and other hackers.

Architecture

It uses a pseudo-state machine in kernel-space which is similar to BPF:

4 registers: 4 general purpose (128 bits long each) + 1 verdict
provides instruction set (which can be extended)

Here’s a example of existing instructions:

Simon Horman, MPLS Enlightened Open vSwitch

Mon, 11 Mar 2013 15:58:36 +0000

Open vSwitch is a multi-layer switch. It is designed to enable network automation through programmatic extension, while still supporting standard management interfaces and protocols.

Openflow is a management protocol that is supported by Open vSwitch. Openflow is has a basic support for MPLS. It features a minimum operation set to enable to configure MPLS correclty.
Openflow MPLS support is partially implemented in Open vSwitch but there is some difficulties.

SOme of the operations feature update of L3+ parameter like TTL. They must be updated in same manner in the MPLS header and in the packet header. And this is quite complicated as it supposed to decode the packet below MPLS. But MPLS header does not include the encapsulated ethernet type so it is almost impossible to access correctly to the packet structure.

Victor Julien, Suricata and Netfilter

Mon, 11 Mar 2013 15:04:14 +0000

Suricata and Netfilter can be better friend as they are doing some common work like decoding packet and maintaining flow table.

In IPS mode, Suricata is receiving raw packet from libnetfilter_queue. It has to made the parsing of this packet but this kind of thing has also been done by kernel. So it should be possible to avoid to duplicate the work.

Pablo Neira Ayuso, Netfilter summary of changes since last workshop

Mon, 11 Mar 2013 14:05:00 +0000

Pablo Neira Ayuso has made a panorama of Netfilter changes since last workshop.

On user side, the first main change to be published after last workshop, is libnetfilter_cttimeout. It allows you to define different timeout policies and to apply them to connections by using the CT target.

An other important new “feature” is a possibility to disable to automatic helper assignment. More information on
Secure use of iptables and connection tracking helpers.

Martin Topholm: DDoS experiences with Linux and Netfilter

Mon, 11 Mar 2013 10:54:17 +0000

Martin is working for one.com a local ISP and is facing some DDoS. SYN cookie was implemented but the performance were too low with performance below 300kpps which is not what was expected. In fact SYN is on a slow path with a single spin lock protecting the SYN backtrack queue. So the system behave like a single core system relatively to SYN attacks.

Jesper Dangaard Brouer has proposed a patch to move the syn cookie out of the lock but it has some downside and could not be accepted. In particular, the syncookie system needs to check every type of packet to see if they belong to a previous syn cookie response and thus a central point is needed.

David Miller: routing cache is dead, now what ?

Mon, 11 Mar 2013 10:17:21 +0000

The routing cache was maintaining a list of routing decisions. This was an hash table which was highly dynamic and was changing due to traffic. One of the major problem was the garbage collector. An other severe issue was the possibility of DoS using the increase

The routing cache has been suppressed in Linux 3.6 after a 2 years effort by David and the other Linux kernel developers. The global cache has been suppressed and some stored information have been moved to more separate resources like socket.

Fabio Massimo Di Nitto: Kronosnet.org

Mon, 11 Mar 2013 09:03:03 +0000

Kronosnet is a “I conceived it when drunk but it works well” VPN implementation. It is using an Ether TAP for the VPN to provide a lyaer 2 vpn. To avoid reinventing the wheel, it is delegating most of the work to the kernel. It supports multilink and redundancy of servers. On multilink side, 8 links can be done per-host to help redundancy.

One of the use of this project is the creation of private network in the cloud as it can be easily setup to provide redundancy and connection for a lot of clients (64k simultaneous clients). And because a layer 2 VPN is really useful for this type of usage.

Eric Leblond: ulogd2, Netfilter logging reloaded

Mon, 11 Mar 2013 07:30:30 +0000

Introduction

I’ve made yesterday a presentation of ulogd2 at Open Source Days in Copenhagen. After a brief history of Netfilter logging, I’ve described the key features of ulogd2 and demonstrate two interfaces, nf3d and djedi.

The slides are available:
Ulogd2, Netfilter logging reloaded.

Screencasts

This video demonstrates some features of nf3d:

This screencast is showing some of the capabilities of djedi:

Thanks a lot to the organizers for this cool event.

Jan Engelhardt, Xtables2: Packet Filter Evolved

Sun, 10 Mar 2013 16:27:58 +0000

Introduction

Iptables duplicate work for each family and is using a socket protocol which is far too static. Xtables2 is an ongoing effort to evolve the packet filter.
It aims at providing finer frained modification (and not the whole ruleset modification).

Capabilities

rule packing: increase cache hit.
family independent: no more IPv4 and IPv6 specific code. Only the hook remains specific as they are dependant of core network.
xt extension support
atomic replace support

xtables syntax is quite similar but not the same. libxtadm is a high-level library for ruleset inspection/manipulation.

Daniel Borkmann: Packets Sockets, BPF and Netsniff-NG

Sun, 10 Mar 2013 16:11:29 +0000

PF_PACKET introduction

This is access to raw packet inside Linux. It is used by libpcap and by other projects like Suricata.
PF_PACKET performance can be improved via dedicated features:

Zero-copy RX/TX
Socket clustering
Linux socket filtering (BPF)

BPF architecture looks like a small virtual machine with register and memory stores. It has different instructions and the kernel has its own kernel extensions to access to cpu number, vlan tag.

Netsniff-NG

Netsniff-ng is a set of minimal tools:

Tomasz Bursztyka, ConnMan usage of Netfilter: a close overview

Sun, 10 Mar 2013 15:36:08 +0000

Introduction

ConnMan is a connection manager which integrate all critical networking components. It provides a smart D-Bus API to develop an User Interface. It is plugin oriented and all different network stacks are implemented in different modules.
Connection sharing (aka tethering) is using Netfilter to setup NAT masquerading. So it is a simple usage.

Switching to nftables

Application connectivity is a more advanced part involving Netfilter as it makes a use of statistics and differenciated routing. For example, in a car, service data must be sent to manufacturer operator and not on the owner network.

Julien Vehent, AFW: Automating host-based firewalls with Chef

Sun, 10 Mar 2013 15:12:52 +0000

The problem

Centralized firewall design does not scale well when dealing with a lot of servers. It begins to collapse after a few thousands rules.
Furthermore, to be able to have an application A to connect to server B, it would take a workflow and possibly 3 weeks to get the opening.

From Service Oriented Architecture to Service Oriented Security

Service are autonomous. They call each other using a standard protocol. The architecture is described by a list of dependencies between services.
You can then specify security via things like ACCEPT Caching TO Frontend ON PORT 80.
But this force you to do provisioning each time a server start.

Jozsef Kadlecsik, Faster firewalling with ipset

Sun, 10 Mar 2013 13:51:19 +0000

Why ipset ?

iptables is enough sufficient but in some cases limit are found:

High number of rules: iptables is linear
Need to change the rules often

Independant study available at d(a)emonkeeper’s purgatory has shown that the performance of ipset are almost constant with respect to the number of filtered hosts:

History

The originating project was ippool featuring a a basic set and after some time it has been taken over by Jozsef and renamed ipset. A lot of type of sets are now handled.

Patrick McHardy: Oops, I did it: IPv6 NAT

Sun, 10 Mar 2013 13:01:41 +0000

Introduction

Harald Welte when asked about IPv6 NAT was answering: “it will be over my dead body”. It is now available in official kernel.

Reasons for adding IPv6 NAT

Dynamic IPv6 Prefixes : ISP assigning dynamic IPv6 prefixes so Internal network address change. NAT can bring you stability.
Easier test setup.
Users are asking and most operating systems have it.

To resume the arguments of NAT, Patrick McHardy used this video:

Pablo Neira Ayuso: nftables, a new packet filtering framework for Netfilter

Sun, 10 Mar 2013 12:37:15 +0000

Introduction

nftable is a kernel packet filtering framework to replaces iptables. It brings no changes in the core (conntrack, hooks).

Match logic is changed: you fetch keys and once you have your key set, you make operation on them. Advanced and specialized matchs are built upon this system.

nftables vs iptables

In iptables, extension were coded in separate files and they must be put in iptables source tree. To act, they must modify on a binary array storing the ruleset and injecting it back to the kernel. So every update involve a full download and upload of the whole ruleset.

Ulogd 2.0.2, my first release as maintainer

Mon, 04 Mar 2013 00:13:13 +0000

Objectives of this release

So it is my first ulogd2 release as maintainer. I’ve been in charge of the project since 2012 October 30th and this was an opportunity for me to increase my developments on the project. Roadmap was almost empty so I’ve decided to work on issues that were bothering me as a user of the project. I’ve also included two features which are connection tracking event filtering and a Graphite output module. Ulogd is available on Netfilter web site

nf3d

Sun, 17 Feb 2013 17:14:19 +0000

Introduction

nf3d is a Netfilter visualisation tool. It displays connections and logged packets in a GANTT diagram fashion. nf3d source are hosted on github: nf3d source

Download latest version: nf3d-0.8.tar.gz

This is a visualization method that can be used to see and detect attacks. For example, the following image is the trace of an ssh scan:

Using NFQUEUE and libnetfilter_queue

Sat, 12 Jan 2013 18:00:57 +0000

Introduction

NFQUEUE is an iptables and ip6tables target which delegate the decision on packets to a userspace software. For example, the following rule will ask for a decision to a listening userpsace program for all packet going to the box:

iptables -A INPUT -j NFQUEUE --queue-num 0

In userspace, a software must used libnetfilter_queue to connect to queue 0 (the default one) and get the messages from kernel. It then must issue a verdict on the packet.

Visualize Netfilter accounting in Graphite

Sat, 22 Dec 2012 11:27:09 +0000

Ulogd Graphite output plugin

I’m committed a new output plugin for ulogd. The idea is to send NFACCT accounting data to a graphite server to be able to display the received data. Graphite is a web application which provide real-time visualization and storage of numeric time-series data.

Once data are sent to the graphite server, it is possible to use the web interface to setup different dashboard and graphs (including combination and mathematical operation):

Some statistics about Suricata 1.4

Thu, 13 Dec 2012 16:11:00 +0000

A huge work

Suricata 1.4 has been released December 13th 2012 and it has been a huge work. The number of modifications is just impressing:

390 files changed, 25299 insertions(+), 11982 deletions(-)

The following video is using gource to display the evolution of Suricata IDS/IPS source code between version 1.3 and version 1.4. It only displays the modified files and do not show the files existing at start.

A collaborative work

A total of 11 different authors have participated to this release. The following graph generated by gitstats shows the number of lines of code by author:

The defense blues

Thu, 06 Dec 2012 13:02:39 +0000

Mother Nature has been really unfair with me. It has given me two strong interests in life: building things and information security. Once that was done, my doom was sealed and I’ve become a infosec defense guy. Nowadays this is one of the worst fate possible in computer science.

Today, this burden is really hard to wear. I know some of you will try to encourage me by saying this like:

About Suricata and a kernel oops in AF_PACKET

Wed, 05 Dec 2012 10:38:19 +0000

Introduction

Kernel oops have been reported by some users running Suricata with AF_PACKET multiple thread capture activated. This is due to a bug I’ve introduced in AF_PACKET when fixing an other bug.

Which kernel not to use with Suricata in AF_PACKET mode

The following kernel version will surely crash if Suricata or any other program is used with AF_PACKET capture with multiple capture threads:

Linux 3.2.30 to 3.2.33
Linux 3.4.12 to 3.4.18
Linux 3.5.5 to 3.5.7
Linux 3.6.0 to 3.6.6

If only one capture thread is used there is no risk of crash. If you are running a vulnerable kernel, your configuration should looks like:

Flow reconstruction and normalization in Suricata

Thu, 15 Nov 2012 17:36:06 +0000

The naive approach would consider that an IDS is just taking packet and doing a lot of matching on it. In fact, this is not at all what is happening. An IDS/IPS like Suricata is in fact rebuilding the data stream and in case of known protocols it is even normalizing the data stream and providing keyword which can be used to match on specific field of a protocol.

Let’s say, we a rule to match on a HTTP request where method is GET and the URL is “/download.php”.

Installing Debian sid on a XPS 15

Thu, 08 Nov 2012 13:47:25 +0000

Since this morning, I’m the owner of a XPS 15 end-2012 edition. The model I have come with a hard drive and a SSD and it is pre-installed with Windows 8. As it is not a good choice for a OS you want to use the laptop for real work, I’ve installed a Debian sid on it.

Display suricata signatures in Latex

Tue, 23 Oct 2012 18:04:11 +0000

lstlisting is a convenient way to display code when using latex. It has no definition for suricata rules language and I’ve cooked one:

\lstdefinelanguage{suricata}
{morekeywords= {alert, tcp, http, tls, ip, ipv4, ipv4, drop, pass, sid, priority, rev, classtype, threshold, metadata, reference, tag, msg, content, uricontent, pcre, ack, seq, depth, distance, within, offset, replace, nocase, fast\_pattern, rawbytes, byte\_test, byte\_jump, sameip, ip\_proto, flow, window, ftpbounce, isdataat, id, rpc, dsize, flowvar, flowint, pktvar, noalert, flowbits, stream\_size, ttl, itype, icode, tos, icmp\_id, icmp\_seq, detection\_filter, ipopts, flags, fragbits, fragoffset, gid, nfq\_set\_mark, tls.version, tls.subject, tls.issuerdn, tls.fingerprint, tls.store, http\_cookie, http\_method, urilen, http\_client\_body, http\_server\_body, http\_header, http\_raw\_header, http\_uri, http\_raw\_uri, http\_stat\_msg, http\_stat\_code, http\_user\_agent, ssh.protoversion, ssh.softwareversion, ssl\_version, ssl\_state, byte\_extract, file\_data, dce\_iface, dce\_opnum, dce\_stub\_data, asn1, filename, fileext, filestore, filemagic, filemd5, filesize, l3\_proto, luajit},
otherkeywords={ipv4-csum, tcpv4-csum, tcpv6-csum, udpv4-csum, udpv6-csum, icmpv4-csum, icmpv6-csum, decode-event, app-layer-event, engine-event, stream-event},
sensitive=true,
morecomment=[l]{//},
morecomment=[s]{/*}{*/},
morestring=[b]",
}

To use it, you can simply add this code at start of your tex file and you can then use it:

Defend your network from Microsoft Word upload with Suricata and Netfilter

Tue, 09 Oct 2012 14:17:13 +0000

Introduction

Some times ago, I’ve blogged about new IPS features in Suricata 1.1 and did not find at the time
any killer application of the nfq_set_mark keyword. When using Suricata in Netfilter IPS mode, this keyword allows you to set the Netfilter mark on the packet when a rule match.
This mark can be used by Netfilter or by other network subsystem to differentiate the treatment to apply to the packet.

A new unix command mode in Suricata

Tue, 18 Sep 2012 22:21:05 +0000

Introduction

I’ve been working for the past few days on a new Suricata feature. It is available in Suricata 1.4rc1.

Suricata can now listen to a unix socket and accept commands from the user. The exchange protocol is JSON-based and the format of the message has been done to be generic and it is described in this commit message. An example script called suricatasc is provided in the source and installed automatically when updating Suricata.

Coccigrep improved func operation

Mon, 10 Sep 2012 15:22:02 +0000

Coccigrep 1.11 is now available and mainly features some improvements related to the func search. The func operation can be used to search when a structure is used as argument of a function. For example, to search where the Packet structures are freed inside Suricata project, one can run:

$ coccigrep -t Packet -a "SCFree" -o func src/
src/alert-unified2-alert.c:1156 (Packet *p):         SCFree(p);
src/alert-unified2-alert.c:1161 (Packet *p):         SCFree(p);
...
src/alert-unified2-alert.c:1368 (Packet *pkt):         SCFree(pkt);

New AF_PACKET IPS mode in Suricata

Tue, 04 Sep 2012 20:53:53 +0000

A new Suricata IPS mode

Suricata IPS capabilities are not new. It is possible to use Suricata with Netfilter or ipfw to build a state-of-the-art IPS. On Linux, this system has not the best throughput performance. Patrick McHardy’s work on netlink: memory mapped I/O should bring some real improvement but this is not yet available.

I’ve thus decided to do an implementation of IPS based on AF_PACKET (read raw socket). The idea is based on one of the snort’s running mode. It peers two network interfaces and all packets received from one interface are sent to the other interface (if a signature with drop keyword does not fired on the packet). This requires to dedicate two network interfaces for Suricata but this provide a simple bridge system. As suricata is using latest AF_PACKET features (read load balancing), it was possible to build something really promising.

Suricata new TLS fingerprint and TLS store keywords.

Mon, 27 Aug 2012 17:10:49 +0000

Suricata TLS support

Victor Julien has just merged to main tree a branch containing some interesting new TLS related features. They have been contributed by me and Jean-Paul Roliers.

This patchset introduces TLS logging and brings some new keywords to Suricata engine.
Here’s the list of all TLS related keywords that are available in latest Suricata git:

tls.version: match on version of protocol
tls.subject: match on subject of certificate
tls.issuerdn: match on issuer DN of certificate
tls.fingerprint: match on SHA1 fingerprint of certificate
tls.store: store the certificate on disk

You will find detailed explanation below.

Minimal linux kernel config for Virtualbox

Fri, 17 Aug 2012 08:23:28 +0000

I was looking for some minimal Linux kernel configuration for Virtualbox guest and did only find some old one. I thus decide to build one and to publish them.
They are available on github: regit-config

For now, the only published configuration are for Linux kernel 3.5:

config-3.5-vbox: A minimal Linux kernel config for Virtualbox
config-3.5-vbox-no-netfilter: Same as previous config with Netfilter disabled

Suri-stats

Fri, 10 Aug 2012 09:35:55 +0000

Suri-stats is a small script based on ipython and matplotlib. It enables you to load a suricata stats.log file. Once this is done, it is possible to graph things.

Suri-stats is hosted on github: https://github.com/regit/suri-stats

Run a build on all commits in a git branch

Tue, 07 Aug 2012 09:37:15 +0000

Sometime, you need to check that all the commits in a branch are building correctly. For example, when a rebase has been done, it is possible you or diff has made a mistake during the operation. The building operation can be run against all commits of the current branch with the following one-liner (splitted here for more readability):

for COMMIT in $(git log --reverse --format=format:%H origin/master..HEAD); do
    git checkout ${COMMIT} ;
    make -j8 1>/dev/null || { echo "Commit $COMMIT don't build";  break; }
done

The idea is trivial, we build the list of commits with git log using a simple format string (to get only the hash). We add the reverse tag to start from the oldest commit.
For each commit, we checkout and run the build command. If the build fails, we exit from the loop.

Set or unset define variables in Coccigrep

Tue, 31 Jul 2012 09:10:09 +0000

Following a discussion with the great Julia Lawall, she added a new feature in coccinelle: it is now possible to define as set or unset some variables. This option has been added in coccigrep 1.9 and requires coccinelle 1.0-rc14.

For example, let’s have a code like Suricata where a lot of unit tests are implemented. The structure of the code is the following:

REGULAR CODE

#ifdef UNITTESTS
 TEST CODE
#endif

When doing search in the regular code, you don’t want to be bothered by results found in the test code. To obtain this result, you can pass the -U UNITTESTS option to coccigrep to tell him to consider UNITTESTS variable as undefined. If you want to define a variable, you can use the -D flag.

Suricata, to 10Gbps and beyond

Mon, 30 Jul 2012 21:03:19 +0000

Introduction

Since the beginning of July 2012, OISF team is able to access to a server where one interface is receiving
some mirrored real European traffic. When reading “some”, think between 5Gbps and 9.5Gbps
constant traffic. With that traffic, this is around 1Mpps to 1.5M packet per seconds we have to study.

The box itself is a standard server with the following characteristics:

CPU: One Intel(R) Xeon(R) CPU E5-2680 0 @ 2.70GHz (16 cores counting Hyperthreading)
Memory: 32Go
capture NIC: Intel 82599EB 10-Gigabit SFI/SFP+

The objective is simple: be able to run Suricata on this box and treat the whole
traffic with a decent number of rules. With the constraint not to use any non
official system code (plain system and kernel if we omit a driver).

Flow accounting with Netfilter and ulogd2

Sat, 14 Jul 2012 21:11:44 +0000

Introduction

Starting with Linux kernel 3.3, there’s a new module called nfnetlink_acct.
This new feature added by Pablo Neira brings interesting accountig capabilities to Netfilter.
Pablo has made an extensive description of the feature in the commit.

System setup

We need to build a set of tools to get all that’s necessary:

libmnl
libnetfilter_acct
nfacct

The build is the same for all projects:

git clone git://git.netfilter.org/PROJECT
cd PROJECT
autoreconf -i
./configure
make
sudo make install

Opensvp, a new tool to analyse the security of firewalls using ALGs

Fri, 08 Jun 2012 13:34:07 +0000

Following my talk at SSTIC, I’ve released a new tool called opensvp. Its aim is to cover the attacks described in this talk. It has been published to be able to determine if the firewall policy related to Application Layer Gateways is correctly implemented.

Opensvp implements two type of attacks:

Abusive usage of protocol commands: an protocol message can be forged to open pinhole into firewall. Opensvp currently implements message sending for IRC and FTP ALGs.
Spoofing attack: if anti-spooofing is not correctly setup, an attacker can send command which result in arbitrary pinhole being opened to a server.

It has been developed in Python and uses scapy to implement the spoofing attack on ALGs.

Transparents de ma prÃ©sentation au SSTIC

Fri, 08 Jun 2012 10:26:13 +0000

Les transparents de ma prÃ©sentation du SSTIC sont disponibles : Utilisation malveillante des suivis de connexions. Merci aux organisateurs du SSTIC d’avoir acceptÃ© mon papier!

Des vidÃ©os de dÃ©monstration sont disponibles sur ce post: Playing with Network Layers to Bypass Firewalls’ Filtering Policy

L’outil de test openvsp est disponible sur cette page.

Using Scapy lfilter

Thu, 07 Jun 2012 13:13:45 +0000

Scapy BPF filtering is not working when some exotic interface are used. This includes Virtualbox interface such as vboxnet.

For example, the following code will not work if the interface is a virtualbox interface:

build_filter = "src host %s and src port 21"
sniff(iface=iface, prn=callback, filter=build_filter)

To fix this, you can use the lfilter option. The filtering is now done inside Scapy. This is powerful but less efficient.

The code can be modified like this:

Opensvp

Sun, 03 Jun 2012 10:47:13 +0000

Introduction

Opensvp is a security tool implementing attacks to be able to the
resistance of firewall to protocol level attack. It implements
classic attacks as well as some new kind of attacks against application
layer gateway (called helper in the Netfilter world).

The document Secure use of iptables and connection tracking helpers describes
the protection method against this type of attack for a Netfilter firewall.

Download and more

The project is hosted on github:

Doing miracles with darktable and gimp

Sat, 28 Apr 2012 11:12:19 +0000

I’ve worked on a picture of a Volkswagen Beetle using Darktable and Gimp for post processing. This two tools are free available free software. Darktable is for now available on Linux and Mac OS X but Gimp is available for most platforms.

The picture was made during autumn 2011 in San Francisco. It features an old Volkswagen Beetle in a parking near a house. There is an old cover on the car which gave a strange pirat look to the car. The picture straight out of the camera is the following:

Building Suricata for OpenBSD 4.9 and over

Fri, 27 Apr 2012 14:57:47 +0000

It seems OpenBSD upgrade are done to give maintenance work to the developers of third-party application. In a way, OpenBSD fight against the economic crisis: It gives jobs to developers and if you want some performance you need a powerful thus new computer.

Let’s stop bashing and be serious: Suricata was building fine on OpenBSD 4.8 but the build was failing on subsequent version. This was link with an include modification around the “socket.h” file. It is now mandatory to include “types.h” before “socket.h” to avoid compilation error. The patch 0001-Fix-OpenBSD-compilation.patch.gz fixes the build.

Playing with Network Layers to Bypass Firewalls’ Filtering Policy

Fri, 09 Mar 2012 22:02:38 +0000

The slides of my CansecWest talk can now be downloaded: Playing with Network Layers to Bypass Firewalls’ Filtering Policy.

The required counter-measures are described in the Secure use of iptables and connection tracking helpers document

The associated video demonstrations are available:

First video demonstrates how to use forged IRC protocol command (DCC request) to be able to open connection to a NATed client from internet.

<div>
  <p>
    Second video demonstrates the effect of the attack on helpers on a non protected Netfilter Firewall.
  </p>
  
  <p>
    </div> 
    
    <div>
      <p>
        Third video demonstrates the effect of the attack on helpers on a badly configured Checkpoint firewall.
      </p>
      
      <p>
        </div> 
        
        <p>
          More information will come in upcoming posts.
        </p>

Using AF_PACKET zero copy mode in Suricata

Thu, 23 Feb 2012 18:25:15 +0000

Victor Julien has just pushed a new feature to suricata’s git tree. It brings improvements to the AF_PACKET capture mode.

This capture mode can be used on Linux. It is the native way to capture packet. Suricata is able to use the interesting new multithreading feature provided by AF_PACKET on recent kernels: it is possible to have multiple capture threads receiving the packet of a single interface.

The commits add mmaped ring buffer support to AF_PACKET capture and also provide a zero copy mode. Mmaped ring buffer is mechanism similar to the one used by PF_RING. The kernel allocates some memory to store the packets and share this memory with the capture process. Instead of sending messages, the kernel just write to the shared memory and the process capture reads it. This is less consuming in term of CPU ressource and helps to increase the capture rate. But the main avantage of this technique is that the capture process can treat the packets without making a copy and this saves a lot of time

Ecosystem of Suricata

Mon, 13 Feb 2012 16:46:32 +0000

Suricata is an IDS/IPS engine. To build a complete solution, you will need to use other tools.

The following schema is a representation of a possible software setup in the case Suricata is used as IDS or IPS on the network. It only uses opensource components:

Suricata is used to sniff and analyse the traffic. To detect malicious traffic, it uses signatures (or rules). You can download a set of specialised rules from EmergingThreats.

Ã€ propos de la publication de code d’EdenWall

Thu, 01 Dec 2011 15:30:28 +0000

J’ai cofondÃ© la sociÃ©tÃ© INL en 2004. RenommÃ©e en 2009 EdenWall, suite Ã une levÃ©e de fonds et un changement de mÃ©tier,
le nouveau business model de la sociÃ©tÃ© fut la commercialisation d’appliances de sÃ©curitÃ© basÃ©es sur le logiciel libre NuFW
que j’avais initiÃ© en 2003. NuFW, couche logicielle ajoutant l’authentification des flux Ã Netfilter, est restÃ© le
moteur technologique de la sociÃ©tÃ© mais n’Ã©tait pas d’un accÃ¨s facile car nÃ©cessitant des compÃ©tences bas niveaux pour
son dÃ©ploiement. Nous avons donc distribuÃ© sous licence libre des briques complÃ©mentaires Ã partir de 2005. Nulog,
projet d’analyse de journaux, que j’avais commencÃ© en 2001 et Nuface, interface de configuration de politiques de
filtrage en 2005. La conclusion de cette dÃ©marche d’ouverture a Ã©tÃ© NuFirewall, une solution autonome de pare-feu
basÃ©e sur les briques EdenWall qui a Ã©tÃ© distribuÃ©e en 2010. Il s’agissait d’une version
libre des appliances EdenWall distribuÃ©e sous forme d’une distribution indÃ©pendante publiÃ©e sous licence GPL.
L’idÃ©e des fondateurs Ã©tait d’avoir une structure de produits similaires Ã une offre comme celle de VirtualBox avec
une distribution sous double licence : une solution libre convenant au plus grand nombre et une version avec des
fonctionnalitÃ©s Entreprise.

Securing Netfilter connection tracking helpers

Wed, 30 Nov 2011 09:57:02 +0000

Following the presentation I’ve made during the 8th Netfilter Workshop, it was decided to write a document containing the best practices for a secure use of iptables and connection tracking helpers.

This document called “Secure use of iptables and connection tracking helpers” is now available on this site. It contains recommendations that should be followed carefully if you are the administrator of a Netfilter/Iptables or the developer of a Netfilter based software.

Secure use of iptables and connection tracking helpers

Mon, 28 Nov 2011 16:33:00 +0000

Authors: Eric Leblond, Pablo Neira Ayuso, Patrick McHardy, Jan Engelhardt, Mr Dash Four

PDF version: Secure use of iptables and connection tracking helpers
Download HTML version: Secure use of iptables and connection tracking helpers
Get source on Github page

Introduction

<div class="section" id="principle-of-helpers">
  <h3>
    Principle of helpers
  </h3>
  
  <p>
    Some protocols use different flows for signaling and data transfers. This is<br /> the case for FTP, SIP and H.323 among many others. In the setup stage, it is<br /> common that the signaling flow is used to negotiate the configuration<br /> parameters for the establishment of the data flow, i.e. the IP address and<br /> port that are used to establish the data flow. These sort of protocols are<br /> particularly harder to filter by firewalls since they violate layering by<br /> introducing OSI layer 3/4 parameters in the OSI layer 7.
  </p>
  
  <p>
    In order to overcome this situation in the iptables firewall, Netfilter<br /> provides the Connection Tracking helpers, which are modules that are able<br /> to assist the firewall in tracking these protocols. These helpers create<br /> the so-called expectations, as defined by the Netfilter project jargon.<br /> An expectation is similar to a connection tracking entry, but it is stored<br /> in a separate table and generally with a limited duration. Expectations<br /> are used to signal the kernel that in the coming seconds, if a packet with<br /> corresponding parameters reaches the firewall, then this packet is RELATED<br /> to the previous connection.
  </p>
  
  <p>
    These kind of packets can then be authorized thanks to modules like state or<br /> conntrack which can match RELATED packets.
  </p>
  
  <p>
    This system relies on parsing of data coming either from the user or the server.<br /> It is therefore vulnerable to attack and great care must be taken when using<br /> connection tracking helpers.
  </p>
</div>

<div class="section" id="connection-tracking-helpers-default-configuration">
  <h3>
    Connection Tracking helpers default configuration
  </h3>
  
  <p>
    Due to protocol constraints, not all helpers are equal. For example, the FTP<br /> helper will create an expectation whose IP parameters are the two peers. The<br /> IRC helper creates expectations whose destination address is the client address<br /> and source address is any address. This is due to the protocol: we do not know<br /> the IP address of the person who is the target of the DCC.
  </p>
  
  <p>
    The degree of freedom due to connection tracking helpers are therefore dependent on<br /> the nature of the protocol. Some protocols have dangerous extensions, and these<br /> are disabled by default by Netfilter. The user has to pass an option during<br /> loading of the module to enable this dangerous protocol features. For example,<br /> the FTP protocol can let the user choose to have the target server connect to<br /> another arbitrary server. This could lead to a hole in the DMZ and it is therefore<br /> deactivated by default. To enable it, you&#8217;ve got to pass the <cite>loose</cite> option<br /> with the <cite>1</cite> value.
  </p>
  
  <p>
    The following list describes the different connection tracking helper<br /> modules and their associated degree of freedom:
  </p>
  
  <table border="1" class="docutils">
    <colgroup> <col width="12%"> <col width="12%"> <col width="9%"> <col width="16%"> <col width="14%"> <col width="7%"> <col width="30%"> </colgroup> <tr>
      <td>
        Module
      </td>
      
      <td>
        Source address
      </td>
      
      <td>
        Source Port
      </td>
      
      <td>
        Destination address
      </td>
      
      <td>
        Destination port
      </td>
      
      <td>
        Protocol
      </td>
      
      <td>
        Option
      </td>
    </tr>
    
    <tr>
      <td>
        amanda
      </td>
      
      <td>
        Fixed
      </td>
      
      <td>
        0-65535
      </td>
      
      <td>
        Fixed
      </td>
      
      <td>
        In CMD
      </td>
      
      <td>
        TCP
      </td>
      
      <td>
        &nbsp;
      </td>
    </tr>
    
    <tr>
      <td>
        ftp
      </td>
      
      <td>
        Fixed
      </td>
      
      <td>
        0-65535
      </td>
      
      <td>
        In CMD
      </td>
      
      <td>
        In CMD
      </td>
      
      <td>
        TCP
      </td>
      
      <td>
        loose = 0 (default)
      </td>
    </tr>
    
    <tr>
      <td>
        ftp
      </td>
      
      <td>
        Full
      </td>
      
      <td>
        0-65535
      </td>
      
      <td>
        In CMD
      </td>
      
      <td>
        In CMD
      </td>
      
      <td>
        TCP
      </td>
      
      <td>
        loose = 1
      </td>
    </tr>
    
    <tr>
      <td>
        h323
      </td>
      
      <td>
        Fixed
      </td>
      
      <td>
        0-65535
      </td>
      
      <td>
        Fixed
      </td>
      
      <td>
        In CMD
      </td>
      
      <td>
        UDP
      </td>
      
      <td>
        &nbsp;
      </td>
    </tr>
    
    <tr>
      <td>
        h323 q931
      </td>
      
      <td>
        Fixed
      </td>
      
      <td>
        0-65535
      </td>
      
      <td>
        In CMD
      </td>
      
      <td>
        In CMD
      </td>
      
      <td>
        UDP
      </td>
      
      <td>
        &nbsp;
      </td>
    </tr>
    
    <tr>
      <td>
        irc
      </td>
      
      <td>
        Full
      </td>
      
      <td>
        0-65535
      </td>
      
      <td>
        Fixed
      </td>
      
      <td>
        In CMD
      </td>
      
      <td>
        TCP
      </td>
      
      <td>
        &nbsp;
      </td>
    </tr>
    
    <tr>
      <td>
        netbios_ns
      </td>
      
      <td>
        Iface Network
      </td>
      
      <td>
        Fixed
      </td>
      
      <td>
        Fixed
      </td>
      
      <td>
        Fixed
      </td>
      
      <td>
        UDP
      </td>
      
      <td>
        &nbsp;
      </td>
    </tr>
    
    <tr>
      <td>
        pptp
      </td>
      
      <td>
        Fixed
      </td>
      
      <td>
        In CMD
      </td>
      
      <td>
        Fixed
      </td>
      
      <td>
        In CMD
      </td>
      
      <td>
        GRE
      </td>
      
      <td>
        &nbsp;
      </td>
    </tr>
    
    <tr>
      <td>
        sane
      </td>
      
      <td>
        Fixed
      </td>
      
      <td>
        0-65535
      </td>
      
      <td>
        Fixed
      </td>
      
      <td>
        In CMD
      </td>
      
      <td>
        TCP
      </td>
      
      <td>
        &nbsp;
      </td>
    </tr>
    
    <tr>
      <td>
        sip rtp_rtcp
      </td>
      
      <td>
        Fixed
      </td>
      
      <td>
        0-65535
      </td>
      
      <td>
        Fixed
      </td>
      
      <td>
        In CMD
      </td>
      
      <td>
        UDP
      </td>
      
      <td>
        sip_direct_media = 1 (default)
      </td>
    </tr>
    
    <tr>
      <td>
        sip rtp_rtcp
      </td>
      
      <td>
        Full
      </td>
      
      <td>
        0-65535
      </td>
      
      <td>
        In CMD
      </td>
      
      <td>
        In CMD
      </td>
      
      <td>
        UDP
      </td>
      
      <td>
        sip_direct_media = 0
      </td>
    </tr>
    
    <tr>
      <td>
        sip signalling
      </td>
      
      <td>
        Fixed
      </td>
      
      <td>
        0-65535
      </td>
      
      <td>
        Fixed
      </td>
      
      <td>
        In CMD
      </td>
      
      <td>
        In CMD
      </td>
      
      <td>
        sip_direct_signalling = 1 (default)
      </td>
    </tr>
    
    <tr>
      <td>
        sip signalling
      </td>
      
      <td>
        Full
      </td>
      
      <td>
        0-65535
      </td>
      
      <td>
        In CMD
      </td>
      
      <td>
        In CMD
      </td>
      
      <td>
        In CMD
      </td>
      
      <td>
        sip_direct_signalling = 0
      </td>
    </tr>
    
    <tr>
      <td>
        tftp
      </td>
      
      <td>
        Fixed
      </td>
      
      <td>
        0-65535
      </td>
      
      <td>
        Fixed
      </td>
      
      <td>
        In Packet
      </td>
      
      <td>
        UDP
      </td>
      
      <td>
        &nbsp;
      </td>
    </tr>
  </table>
  
  <p>
    The following keywords are used:
  </p>
  
  <blockquote>
    <ul class="simple">
      <li>
        Fixed: Value of a connection tracking attribute is used. This is not a candidate for forgery.
      </li>
      <li>
        In CMD: Value is fetched from the payload. This is a candidate for forgery.
      </li>
    </ul>
  </blockquote>
  
  <p>
    The options are module loading options. They permit activation of the<br /> extended but dangerous features of some protocols.
  </p>
</div>

Secure use of Connection Tracking Helpers

<p>
  Following the preceding remarks, it appears that it is necessary to not<br /> blindly use helpers. You must take into account the topology of your network<br /> when setting parameters linked to a helper.
</p>

<p>
  For each helper, you must carefully open the RELATED flow. All iptables statements<br /> using &#8220;-m conntrack &#8211;ctstate RELATED&#8221; should be used in conjunction with the<br /> choice of a helper and of IP parameters. By doing that, you will be able to describe<br /> how the helper must be used with respect to your network and information system<br /> architecture.
</p>

<div class="section" id="example-ftp-helper">
  <h3>
    Example: FTP helper
  </h3>
  
  <p>
    For example, if you run an FTP server, you can setup
  </p>
  
  <pre class="literal-block">iptables -A FORWARD -m conntrack --ctstate RELATED -m helper \\
   --helper ftp -d $MY_FTP_SERVER -p tcp \\
   --dport 1024: -j ACCEPT

What’s new in coccigrep 1.6?

Mon, 07 Nov 2011 23:07:29 +0000

I did not write any article on coccigrep since the 1.0 release. Here is an update on what has been added to the software since that release.

C++ support

Coccinelle has a basic C++ support which can be activated by using the –cpp flag in coccigrep.

Patches information

The -L -v options on command line will display a description of the match available on the system.

$ coccigrep -L -v
set: Search where a given attribute of structure 'type' is set
 * Confidence: 80%
 * Author: Eric Leblond <eric@regit.org>
 * Arguments: type, attribute
 * Revision: 2

For the developer, this is obtained from structured comments put at the start of the cocci file:

Acquisition systems and running modes evolution of Suricata

Thu, 06 Oct 2011 23:06:24 +0000

Some new features have recently reach Suricata’s git tree and will be available in the next development release. I’ve worked on some of them that I will describe here.

Multi interfaces support and new running modes

Configuration update

IDS live mode in suricata (pcap, pf_ring, af_packet) now supports the capture on multiple interfaces. The syntax of the YAML configuration file has evolved and it is now possible to set per-interface variables.

For example, it is possible to define pfring configuration with the following syntax:

Suriwire

Thu, 29 Sep 2011 00:07:13 +0000

Introduction

Suriwire is a plugin for wireshark which display suricata alert and protocol info on a pcap file inside the wireshark output. Suriwire is using Suricata’s EVE JSON log file to generate information inside Wireshark and thus is requiring at least Suricata 2.0.

Suriwire has the following features:

Display of alerts in the expert info window
Display of alerts on a packet in the packet details
Filter wireshark output by using signature fields such as a given sid or the content of a signature message
Display of protocols information such as TLS and SSH in the expert info window and packet details
Filter wireshark output using Suricata extracted protocol fields such as TLS subject DN

For example, you can filter on all TLS subject matching a string like ‘microsoft’ by using the filter suricata.tls.subject contains “microsoft”:

OISF brainstorming: planning phase 3 (take 3)

Mon, 19 Sep 2011 23:42:25 +0000

GEO IP

Idea is to add a keyword that would be used to interact with GEOIP database (free at least) and be able to use it to detect things like control canal. For example, an IRC server in an non common country is certainly a control canal.

Live ruleset swap

A must have! This is vital for critical environnement. This is very costly in memory and this should be an option to avoid exploding low memory boxes.

OISF brainstorming: planning phase 3 (take 2)

Mon, 19 Sep 2011 22:49:17 +0000

DNS fast flux/anomaly detection

The idea is to detect malware and other things by collecting the DNS request and their answer and detecting anomaly. For example, if an host is making a lot of request to a domain.

First part of the job on Suricata is to log all requests and their answer. Then analysis can occurs in the database.

File extraction

This is a work under progress linked with a third party contract. It permit to store exchanged files on disk for some application level protocol. It is possible to say: “store the file, if the content type is different from the extension”. File extraction works currently on HTTP. It focus on POST request to detect uploaded file.

Oisf brainstorming: planning phase 3 (take 1)

Mon, 19 Sep 2011 21:52:28 +0000

Performance improvement

As shown by Victor’s latest work on performance counters, there is a lot of work that can be done to improve performance. They are currently good but there is place for improvement. Proposal to provide off-loading or clustering is done. This is heavily discussed but as pointed out by Victor, it will be more interesting to do this in the next phase. Phase 3 should focus in improvement of current code. This will permit to use the upcoming Suricata killing features like global flow variable.

Matt Jonkman: development avancement

Mon, 19 Sep 2011 21:14:59 +0000

Phase 2 development is almost over now. Among the completed major features:

Multithread
protocol discovery
smb logging
HTTP logging
flowvars

One of the advantage of Suricata over Snort is protocol discovery combined to HTTP parsing by libhtp. It provides a huge improvement over Snort as a lot of bad flow are using HTTP on non standard ports.

Victor Julien: Development status

Mon, 19 Sep 2011 20:49:42 +0000

Work has started in september 2007. The work depends on some externel library like multithread of input handling library. The main external depedency is libhtp which is initally developped by Ivan Ristic.

The development is managed in a single git repository. Victor is the only one with commit right. The review are done by Victor and cross review are made by developpers.

Work unit for developers are tasks which are written by Victor and describe a specific task to do. This task are mainly done by OISF funded developers. Some simpler task are let to the comunity and everyone can help with this.

Matt Jonkman: introduction speech

Mon, 19 Sep 2011 20:25:53 +0000

Matt presents the goal of the OISF brainstorming session:

Make a status of the foundation
Grabbing new ideas

The session will be interactive and anybody is invited to participate through physical intendance or webex.

The foundation is non-profitable and aim at building a powerful engine for us all. OISF is member og the HOST program and happily supported by some industrials.

Foundation business

Matt fills he can not give enough times to the foundation due to his work at EmergingThreat and propose to hire a General Manager that would take care of finding the funding and administrative part.

Patrick McHardy: memory mapped netlink tree is available for testing

Fri, 26 Aug 2011 09:03:08 +0000

Patrick (aka kaber) has just made available his work on memory mapped netlink. Both the kernel and the libmnl part are available on git.kernel.org.

You can pull kernel code other net-next tree:

git pull git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nl-mmap-2.6.git

Libmnl code can be fetched:

git clone git://git.kernel.org/pub/scm/linux/kernel/git/kaber/libmnl-mmap.git

Once done a NETLINK_MMAP kernel compilation option is then available via make config.

Documentation is available in the Linux tree. It is in the file: Documentation/networking/netlink_mmap.txt

Eric Leblond: Introduction to coccinelle

Wed, 24 Aug 2011 14:00:59 +0000

The Netfilter workshop being a developer conference, I’ve decided to presente an introduction to the coccinelle tool. Coccinelle is a program matching and transformation engine for the C language which is used in many place and among them in the Linux kernel. It is able to perform C clever modification in the code. If you ever had to modify multiple code files following an API change, I invite you to have a look at the slides or my Coccinelle for the newbie page. I’ve also presented my coccigrep tool which is a easy to use semantic grep.

Jesper Dangaard Brouer: CPAN module IPTables::libiptc

Wed, 24 Aug 2011 13:17:05 +0000

Jesper’s IPTables::libiptc is a perl module which allow you to modify Netfilter rules from Perl. He’s the maintener and this is available on CPAN. It currently supports up-to iptables 1.4.10 (version 0.51 of IPTables::libiptc).

It dynamically load xtables.so and libiptc.so to access to iptables feature. It is fast as it does not suffer of iptables limitation (which is running modification one by one). Performance are quite good: it takes only 16 sec to generate and implement a 80000 rules ruleset (which is quite good compare to the 42h hours that would be take by direct iptables calls)

Patrick McHardy: getting rid of the second tuple

Wed, 24 Aug 2011 10:55:21 +0000

Patrick presents one work that is aiming at getting rid of the second tuple in the connection tracking. This second tuple is only necessary when NAT is used. idea is not new but at the time the ct-extention where not available and thus it would not be possible to add it when needed. Patrick has done most of the work but there is still a missing point which is the hash function. It has to be symetrical: hash_func(src,dst) = hash_func(dst, src) and it must be very fast to avoid slowdown of the conntrack.

Ulrich Weber: IPV6 NAT

Wed, 24 Aug 2011 10:05:48 +0000

We have been ignoring the fact that NAT could have some interest in IPv6 during the latest 5 years. IPv6 will not fix everything and it may be time to reconsider NAT. There is some reasons for that:

Dynamic IPv6 prefixes: some ISP decide to not give fixed address to people
Server load balancing, DMZ
Uplink Balancing (multi-homing): this is one of the most important reason. IPv6 client can handle multiple addresses but you may want not having your user to choose their internet output.

Pablo Neira Ayuso: nfgrep: traffic classification for Netfilter/iptables

Wed, 24 Aug 2011 09:11:08 +0000

Pablo is presenting is work on protocol classification. As you may not have guess, nfgrep is not using regular expression but a descriptive language.

The basic architecture is the following:

developped layer-7 filter in userspace
filter is passed to a tool that generates byte-code
it loads the byte-code to the kernel via nfnetlink
The kernel does the classification
nfgrep match can then be used to select or mark the flow

In userspace, nfgrep and libnfgrep can be used to interact with the system. There’s also a nfgrep-test to validate filter before sending them.

Nishit Shah & Jimit Mahadevia: TCP Session Load-balancing in Active-Active HA Cluster

Wed, 24 Aug 2011 08:31:46 +0000

Cyberoam team presents their work on active active cluster. They’ve done a 2 nodes active active setup, with a primary and an auxiliary sytem. The primary take care of load balancing. The setup is using virtual MAC addresses.

To avoid split-brain problem, the primary take all decisions by always treating the SYN packet. It also transfer the NAT, marks to the auxiliary thanks to a module. This is done via a module called ipt_SYNDATA. It is placed in PREROUTING

Holger Eitzenberger: speeding up selective conntrack flush

Tue, 23 Aug 2011 13:58:52 +0000

At times it is necessary to flush UNREPLIED connection tracking entries for connectionless protocols if there are NAT rules involved. For example this is the case when a ipsec or a ppp connection goes up. Without doing that the connection are not correctly NATed because the topology change has not been taken into account.

Doing this in userspace with the conntrack-tools was taking long like minutes on some setup. They thus decide to put in kernel space and this is now only taking milliseconds instead of minutes.

Jesper Dangaard Brouer: the missing conntrack garbage collector

Tue, 23 Aug 2011 13:38:01 +0000

There is a fixed number of connection tracking entries. When reaching the maximum, new connections are simply dropped. Default maximum size is ridicully too low like using 20Mbytes oon a 12GB memory computer.

Kernel syslog message “nf_conntrack: table full, dropping, packet” is not correct because packet have just no state relatively to conntrack. Usually they get blocked by invalid rules but an adapted ruleset could let them go through.

One other problem is that adjusting the connection tracking size does not change the hash size. This results in longer search because conntrack has often to go through a list.

Jan Engelhardt: Free form discussion

Tue, 23 Aug 2011 10:29:32 +0000

Jan starts its presentation by talking about its Distro Availability Matrix of Netfilter tech page. It contains the software and their versions in a lot of distributions.

Next subject is the discussion about maintaining translations of iptables man page. The team is international and could translate in a few language the man pages. But the question is about finding volunteers in the long term. Jan is alright with taking in charge the synchronization of translation. Any volunteers for translation is welcome.

Florian Westphal: Moving rp_filter into netfilter

Tue, 23 Aug 2011 09:17:32 +0000

Reverse Path filtering is currently only implemented in IPv4. Eric Leblond sends a patch to add support for IPv6 but it was refused by David Miller who, among other points, wanted to get rid of rp_filter and would like to see it in the Netfilter code.

Reverse patch filter implementation is a single function called fib_validate_source. Looking at the problem, it seem relatively simple to implement because, it is just to reverse source and destination and then get the output interface. if it match with the incoming interface, then this is ok.

Eric Leblond: In need of reverse path filtering

Tue, 23 Aug 2011 08:53:14 +0000

I just gave a presentation to explain that it is necessary to implement carefully reverse path filtering in IPv4 and IPv6.

More to come later.

Patrick McHardy: memory mapped netlink and nfnetlink_queue

Mon, 22 Aug 2011 13:56:34 +0000

Patrick McHardy presents his work on a modification of netlink and nfnetlink_queue which is using memory map.

One of the problem of netlink is that netlink uses regular socket I/O and data need to be copied to the socket buffer data areas before being send. This is a problem for performance.

The basic concept or memory mapped netlink is to used a shared memory area which can be used by kernel and userspace. A ring buffer is set and instead of copying the data, we just move a pointer to the correct memory area and the userspace reads
It is necessary to synchronize kernel and user spaces to avoid a read on a non significative area. This is done by using a area ownership.

Jesper Dangaard Brouer: IPTV-analyzer

Mon, 22 Aug 2011 13:17:14 +0000

Jesper presents its IP TV analyser know called IPTV-analyser.

He starts the project when encountering problem in the IP TV system in the company he works for. Proprietary analyser exists but they are expensive and the tested equipment were not able to show the burstiness directly. To fix this, he started using wireshark and add it a burstiness detector. It was not enough because pcap was not scaling enough and they decide to build their own probe. One of the decisive point was the 192000â‚¬ necessary to buy the necessary probes.

Holger Eitzenberger: experiences from making Network Stack Multicore

Mon, 22 Aug 2011 10:51:38 +0000

Holger want to describe its experience when switching from monocore system to mutiticore system at ~~Astaro~~ Sophos.
They used:

RPS: Receive packet steering
RFS:Receive flow steering
XPS: Transmit flow steering

They are using a 2.6.32 kernel and they had to backport the code but this was quite easy because the code is self-contained. irqbalance is not RPS and XPS aware and it is know to degrade performance. Holger decide then to start a new project.

Sanket Shah: An alternate way to use IPSet framework for increasing firewall throughput

Mon, 22 Aug 2011 10:25:14 +0000

When doing matching on iptables, the sequential test of the rules is costly. By using ipset this is possible to limit the number of matches by using the sets.

For their use, they decide to use the connection mark to determine the fate of the packet. It is used to jumb on the correct chain. This logic, combined with a connectionmark set they have developed this lead to a filtering system with a really limited number of rules. In fact, this was switching from something like 10000 rules to one single rule. Ipset is doing all the classification work. The performance increase is huge as on the test system, it goes from a bandwith of 256Mb with iptables to a bandwith 1.8Gb with their system.

JÃ³zsef Kadlecsik: ipset status

Mon, 22 Aug 2011 09:38:11 +0000

Ipset is now included in the kernel and that’s the main event of ipset in the previous year. JÃ³zsef recommands to use the 6.8 version which is included in kernel 3.1. If your kernel is older, using a separately compiler ipset is recommanded.

If we omit the bugfixes, a lot of of new features have been introduced sinced version 6.0. It is possible to list the sets defined on a system without getting everything which is useful when big set have been defined.

Eric Leblond: degree of freedom offered by connection tracking helpers

Mon, 22 Aug 2011 09:37:22 +0000

I gave a small presentation about a study I’ve made on connection tracking helpers. The slides are here: nfws_helper_freedom

Discussion following the speech was interesting. The main subject was automatic testing of the connection tracking helpers (as well as testing the other components). Pablo Neira Ayuso came with the idea of injecting the packet inside the kernel via a mechanism similar to NFQUEUE. This would then be easy to replay traffic. An extended discussion about the subject should take place during the week.

Samir Bellabes: userspace security for network syscalls – snet

Mon, 22 Aug 2011 08:35:50 +0000

Snet is an LSM module which treat network access. It is composed of a kernel part, a library and a tool.

In the kernel, event are generated for protocol and syscall, for example tcp and listen. It is then possible through a ticket system to decide if a process has the right to the event. For example, you can tell firefox can open connections to outside. A netlink protocol is used to communicate with userspace. Thus this is possible in userspace to take the decision by issuing ticket and sending it to kernel.

Opening of 8th Netfilter Workshop

Mon, 22 Aug 2011 08:10:50 +0000

The 8th Netfilter Workshop has been opened by Patrick McHardy in Freiburg. It is hosted by the Freiburg University.

The schedule is available on the workshop wiki.

About and contact

Sat, 20 Aug 2011 09:40:28 +0000

About me

I’m now one of the co-founder of Stamus Networks a company providing Suricata based network probe appliances.
I’m also a freelance consultant in security and free software. Don’t hesitate to contact me if you are interested in hiring me for a mission.

I’m member of Netfilter coreteam, the decision-making team for the packet filtering framework inside Linux. I’m the official maintainer of ulogd2, the userspace logging daemon. I’m also team member of OISF where I developed on Suricata, the IDS/IPS.
I’ve created and have been lead of the NuFW project aimed at creating identity based enterprise firewall.
You can find here more information about my projects and contributions.

Coccigrep, a semantic grep for the C language

Mon, 15 Aug 2011 07:28:38 +0000

Introduction

When diving in some code with a relative important size, I’ve often ask myself: where is this attribute used for this structure ? Where it is set ? Using grep is not a good answer to theses questions: you can’t guess the name of the variable of a given type and even an attribute name can be shared between multiple structures. I was in need of a semantic grep!

Coccigrep

Sat, 13 Aug 2011 20:59:57 +0000

Introduction

coccigrep is a semantic grep for the C language based on coccinelle. It can be used to find where a given structure is used in code files. coccigrep depends on the spatch program which comes with coccinelle.

Download and source

Latest version is 1.13: coccigrep-1.13.tar.gz

The source can be accessed via github.

Examples

To find where in a set of files the structure named Packet is used, you can run:

Slides of my Suricata talk at Libre Software Meeting

Wed, 13 Jul 2011 08:55:15 +0000

I gave a talk about Suricata entitled Suricata, rethinking IDS/IPS at Libre Software Meeting (RMLL in french). The slides can be downloaded from the RMLL website.

Thanks a lot to Christophe Brocas and Mathieu Blanc for the organisation of the security track of LSM.

Playing a bit with vim macros

Mon, 27 Jun 2011 06:31:31 +0000

During one of my recent coding, I had to modify a signature file for suricata. The file was looking like this:

alert pkthdr any any -> any any (msg:"SURICATA ICMPv4 unknown code"; decode-event:icmpv4.unknown_code; sid:2200024; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA ICMPv4 truncated packet"; decode-event:icmpv4.ipv4_trunc_pkt; sid:2200025; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA ICMPv4 unknown version"; decode-event:icmpv4.ipv4_unknown_ver; sid:2200026; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA ICMPv6 packet too small"; decode-event:icmpv6.pkt_too_small; sid:2200027; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA ICMPv6 unknown type"; decode-event:icmpv6.unknown_type; sid:2200028; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA ICMPv6 unknown code"; decode-event:icmpv6.unknown_code; sid:2200029; rev:1;)

The modification was to decrease the number behind <em<sid by 24 for each signatures.

About Suricata performance boost between 1.0 and 1.1beta2

Thu, 02 Jun 2011 19:45:03 +0000

Discovering the performance boost

When doing some coding on both 1.0 and 1.1 branch of suricata, I’ve remarked that there was a huge performance improvement of the 1.1 branch over the 1.0 branch. The parsing of a given real-life pcap file was taking 200 seconds with 1.0 but only 30 seconds with 1.1. This performance boost was huge and I decide to double check and to study how such a performance boost was possible and how it was obtained:

Upgrading Galaxy S from Android 2.1 to 2.3.3 under Linux

Sat, 14 May 2011 15:29:03 +0000

After some time lost by trying in vain to have Kies (of Death) from Samsung oder Odin working under Virtualbox, I’ve found about the exitence of Heimdall. This software has been developped to flash firmware onto Samsung Galaxy S devices.

It did work quiet easily. Upgrade procedure only requires some files download and in my case some usage of the tar command.

The command line was long but simple:
[bash]heimdall flash -pit s1_odin_20100512.pit –factoryfs factoryfs.rfs \
–cache cache.rfs –dbdata dbdata.rfs –param param.lfs \
–kernel zImage –modem modem.bin \
–primary-boot boot.bin –secondary-boot Sbl.bin \
–verbose[/bash]

Suricata conference at Solutions Linux 2011

Wed, 11 May 2011 20:18:59 +0000

I’ve gived today a presentation about Suricata at the Solutions Linux event. It was part of the security track presided by Herve Schauer.

The slides are in french and are available here: 2011_sollinux_suricata

IPv6 privacy extensions on Linux

Fri, 29 Apr 2011 17:41:24 +0000

IPv6 global address

The global address is used in IPv6 to communicate with the outside world. This is thus the one that is used as source for any communication and thus in a way identify you on Internet.

Below is a dump of an interface configuration:

eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000

link/ether 00:22:15:64:42:bd brd ff:ff:ff:ff:ff:ff
inet6 2a01:f123:1234:5bd0:222:15ff:fe64:42bd/64 scope global dynamic 
   valid_lft 86314sec preferred_lft 86314sec
inet6 fe80::222:15ff:fe64:42bd/64 scope link 
   valid_lft forever preferred_lft forever</pre>

The global address is here 2a01:f123:1234:5bd0:222:15ff:fe64:42bd/64. It is build by using the prefix and adding an identifier build with the hardware address. For example, here the hardware address is 00:22:15:64:42:bd and the global IPv6 address is ending with 22:15_ff:fe_64:42bd.

Joining the OISF coding staff

Wed, 20 Apr 2011 21:19:55 +0000

My collaboration with OISF has been announced today. This is an honor for me to join this excellent team on this wonderful project. I’ve taken a lot of pleasure in the past months contributing to the project and I’m sure the start of an official collaboration will lead to good things. The challenge is high and I will do my best to merit the trust.

A big thanks to all people who congrat me for this nomination.

Building Suricata under OpenBSD

Sun, 17 Apr 2011 08:17:35 +0000

Suricata 1.1beta2 has brought OpenBSD to the list of supported operating system. I’m a total newbie to OpenBSD so excuse me for the lack of respect of OpenBSD standards and usages in this documentation.

Here’s the different step, I’ve used to finalize the port starting from a fresh install of OpenBSD.

If you want to use source taken from git, you will need to install building tools:

pkg_add git libtool

automake and autoconf need to be installed to. For a OpenBSD 4.8, one can run:

Some new features of IPS mode in Suricata 1.1beta2

Wed, 13 Apr 2011 22:37:12 +0000

The IDS/IPS suricata has a native support for Netfilter queue. This brings IPS functionnalities to users running Suricata on Linux.

Suricata 1.1beta2 introduces a lot of new features related to the NFQ mode.

New stream inline mode

One of the main improvement of Suricata IPS mode is related with the new stream engine dedicated to inline. Victor Julien has a great blog post about it.

Multiqueue support

Suricata can now be started on multiple queue by using a comma separated list of queue identifier on the command line. The following syntax:

More about Suricata multithread performance

Tue, 15 Feb 2011 23:30:49 +0000

Following my preceding post on suricata multithread performance I’ve decided to continue to work on the subject.

By using perf-tool, I found out that when the number of detect threads was increasing, more and more time was used in a spin lock. One of the possible explanation is that the default running mode for pcap file (RunModeFilePcapAuto) is not optimal. The only decode thread take some time to treat the packets and he is not fast enough to send data to the multiple detect threads. This is triggering a lot of wait and a CPU usage increase. Following a discussion with Victor Julien, I decide to give a try to an alternate run mode for working on pcap file, RunModeFilePcapAutoFp.

Optimizing Suricata on multicore CPUs

Wed, 26 Jan 2011 00:20:28 +0000

Suricata IDS/IPS architecture is heavily using multithreading. On almost every runmode (PCAP, PCAP file, NFQ, …) it is possible to setup the number of thread that are used for detection. This is the most CPU intensive task as it does the detection of alert by checking the packet on the signatures. The configuration of the number of threads is done by setting
a ratio which decide of the number of threads to be run by available CPUs (detect_thread_ratio variable).

Building a suricata compliant ruleset

Sun, 16 Jan 2011 16:13:08 +0000

Introduction

During Nefilter Workshop 2008, we had an interesting discussion about the fact that NFQUEUE is a terminal decision. This has some strong implication and in particular when working with an IPS like suricata (or snort-inline at the time of the discussion): the IPS must received all packets routed by the gateway and can only issue a terminal DROP or ACCEPT verdict. It thus take precedence over all subsequent rules in the ruleset: any ACCEPT rules before the IPS rules will remove packets from IPS analysis and in the other way, any decision after the IPS rules will be ignored.

Something behind the herbs.

Tue, 30 Nov 2010 01:10:56 +0000

Sometime, you are really excited when you take a picture. In this case I was simply a little bit afraid. Being on foot, with a giant elephant going in my way was a tremendous experience:

{.thickbox}

Happy not to be on first row

That photo was fun to take but I really prefer the following:

Coccinelle for the newbie

Sat, 27 Nov 2010 22:13:10 +0000

coccinelle which is a “program matching and transformation engine which provides the language SmPL (Semantic Patch Language) for specifying desired matches and transformations in C code”. Well, from user point of view it is a mega over-boosted sed for C. coccinelle knows C and is thus has the necessary intelligence to go over C formatting and to manage things better than you will have done.

This article is my own experience with coccinelle. I have try here to put all the things that have been useful to know from my point of view. For a more complete and classical presentation just go to coccinelle website.

Massive and semantic patching with Coccinelle

Sat, 27 Nov 2010 21:54:13 +0000

I’m currently working on suricata and one of the feature I’m working on change the way the main structure Packet is accessed.

One of the consequences is that almost all unit tests need to be rewritten because the use Packet p construction which has to be replace by an dynamically allocated Packet *. Given the number of tests in suricata, this task is very dangerous:

It is error prone
Too long to be done correctly

I thus decide to give a try to coccinelle which is a "program matching and transformation engine which provides the language SmPL (Semantic Patch Language) for specifying desired matches and transformations in C code". Well, from user point of view it is a mega over-boosted sed for C.

Splitting and shrinking a git repository

Mon, 02 Aug 2010 19:53:20 +0000

I have recently faced the challenge to rewrite a git repository. It has two problems:

First problem was small: an user has commited with a badly setup git and E-mail as well as username were not correctly set.
Second problem seems more tricky: I was needing to split the git repository in two different one. To be precise on that issue, from the two directories at root (src and deps) have to become the root of their own repository.

I then dig into the doc and it leads me directly to ‘filter-branch’ which was the solution of my two problems. The names of the command is almost self-explanatory: it is used to rewrite branches.

Using Suricata with CUDA

Sun, 23 May 2010 19:10:25 +0000

Suricata is a next generation IDS/IPS engineÂ developedÂ by the Open Information Security Foundation.

This article describes the installation, setup and usage of Suricata with CUDA support on a Ubuntu 10.04 64bit. For 32 bit users, simply remove 64 occurances where you find them.

Preparation

You need to download both Developper driver and Cuda driver from nvidia website. I really mean both because Ubuntu nvidia drivers are not working with CUDA.

I’ve first downloaded and installed CUDA toolkit for Ubuntu 9.04. It was straightforward:

Quand Ã§a fonctionne tout seul

Tue, 19 Jan 2010 00:15:36 +0000

Je venais d’avoir l’idÃ©e d’une modification d’ulogd2 pour rÃ©aliser la chose pratique d’avoir deux sorties sur la mÃªme stack. J’ai donc rajoutÃ© pour tester la stack suivante Ã mon fichier ulogd.conf :

stack=log2:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR, \

print1:PRINTPKT,sys1:SYSLOG,mark1:MARK,emu1:LOGEMU

Les tests ont montrÃ© que c’Ã©tait dÃ©jÃ fonctionnel ! D’un coup, la neuviÃ¨me de Beethoven par Harnoncourt est encore plus grandiose.

Dan Brown est un gÃ©nie

Thu, 31 Dec 2009 08:06:08 +0000

Et bien oui, dans Da Vinci Code, il a quand mÃªme rÃ©ussi Ã passionner le monde avec l’histoire d’un mec super intelligent qui cherche Ã faire un test de filiation mÃ¨re-fille pour prouver une paternitÃ©.

Il faut Ãªtre gÃ©nial pour faire passer un truc pareil. Ou alors, on est tous super stupide…

PS: bonne annÃ©e 2010

Vers une nouvelle agora ?

Wed, 30 Dec 2009 01:03:00 +0000

RÃ©cemment, le Nouvel Observateur a rÃ©alisÃ© un dossier intitulÃ© “Internet en procÃ¨s”. Ce dossier a semble-t-il Ã©tÃ© motivÃ© par l’apparition de plus en plus frÃ©quente d’informations qui font suffisamment de bruit sur Internet pour devoir Ãªtre reprises par les mÃ©dias classiques. Le dossier est intÃ©ressant mais l’avis des partisans d’un contrÃ´le d’internet me fascine. L’Ã©ternel tentation de la censure est toujours bien prÃ©sente. On peut certes comprendre qu’au vu des affaires rÃ©centes (Jean Sarkozy ou FrÃ©dÃ©ric Mitterand) une envie d’Ã©touffer la contestation naisse dans l’esprit de certaines personnes.

Il ne faut pas confondre (version 2)

Wed, 05 Aug 2009 21:19:28 +0000

Je disais donc, il ne faut pas confondre la coquetterie et la classe. Pour certains, la barriÃ¨re est difficile Ã estimer:

Une Ferrari, dorÃ©e c’est mieux

Pour reprendre approximativement Clint Eastwood : “Peindre une telle voiture dans cette couleur devrait Ãªtre considÃ©rÃ© comme un crime”

Debian, le retour de la faille SSL

Wed, 13 May 2009 20:41:04 +0000

La distribution Debian GNU/Linux est habituÃ©e au problÃ¨me de hasard pas si alÃ©atoire que Ã§a. Cela s’Ã©tait illustrÃ© avec la faille openssl et cela vient d’Ãªtre confirmÃ© par le debian logo en ascii art du boot.

J’en tiens pour preuve le screenshot suivant :

Hadopi, partage et crÃ©ation

Mon, 04 May 2009 22:44:46 +0000

Bon, oui c’est vrai, je n’ai pas grand chose Ã dire lÃ dessus. Alors, je laisse la parole Ã ceux qui savent l’utiliser :

Partager n’est pas voler de La Quadrature du Net.

Si l’on considÃ¨re les propos de notre ministre de la culture “ce qui compte c’est l’avenir de l’industrie”, il est facile d’avoir un majorant du prix de la libertÃ© du peuple franÃ§ais dans son entier : c’est le chiffre d’affaire des industries “culturelles”.

En route vers le 2.6.30 et encore merci Denis

Fri, 03 Apr 2009 21:31:01 +0000

Oui, bon, vous savez sans doute que le noyau Linux 2.6.30 est en cours de rÃ©alisation. Mais saviez-vous que grÃ¢ce Ã l’excellent Denis Bodor toute une sÃ©rie de patchs a Ã©tÃ© incorporÃ©e au noyau ?

Lors de la rÃ©daction du Hors SÃ©rie Netfilter de GLMF, j’ai, avec tous les autres rÃ©dacteurs (Gwenael, Haypo, Pollux et Toady), voulu faire dÃ©couvrir les derniÃ¨res avancÃ©es de Netfilter. Et, forcÃ©ment, lorsque l’on est sur le fil du rasoir et que l’on pousse les choses Ã fond pour Ãªtre le plus prÃ©cis possible, il arrive que l’on dÃ©couvre des problÃ¨mes ou des choses pas aussi pratiques que on le dÃ©sirerait.

Mon bureau en mode noyau

Fri, 03 Apr 2009 21:05:56 +0000

Non, non, vous ne verrez pas dans cet article de screenshots du noyau ! J’ai juste envie de poster ici une capture d’Ã©crans que j’ai rÃ©alisÃ©e et commentÃ©e il y a quelque temps. J’Ã©tais Ã ce moment-lÃ en train de rÃ©aliser un des mes dÃ©veloppements noyau les plus consÃ©quents et cela m’avait conduit Ã industrialiser mon environnement de travail pour effectuer dÃ©veloppements et tests de la maniÃ¨re la plus efficace possible.

Lenteur de subversion en image.

Thu, 05 Mar 2009 22:50:15 +0000

J’utilise de plus en plus git mais de nombreux projets sur lesquels je travaille utilise “encore” subversion. RÃ©cemment dans le cadre d’une sÃ©ance de debug nocturne avec Pollux, j’ai tapÃ© une commande subversion sur les sources de NuFW :

svn log -r 5437:5443

LÃ , Ã§a a pris du temps, beaucoup de temps. Bon, d’accord, subversion ne stocke pas l’historique et il faut aller chercher les informations sur le rÃ©seau mais tout de mÃªme.

Recherche troll base de donnÃ©es

Fri, 13 Feb 2009 12:55:56 +0000

J’ai effectuÃ© une recherche pour trouver de l’aide sur une fonction postgresql. Ma recherche Ã©tait :

pgsql conditional table creation

Le retour de google est pour le moins surprenant :

google et postgresql

Me proposer une recherche sur mysql, ce n’est pas vraiment sympa !

Qu’est devenue la moralitÃ© ?

Sat, 07 Feb 2009 10:32:49 +0000

Ã€ tout ceux qui ont fait de la publicitÃ© pour du lait en poudre en Afrique, Ã tous ceux qui ont brevetÃ© des mÃ©dicaments contre le sida, Ã tout ceux qui touchent des millions et licencient des milliers de salariÃ©s, Ã tout ceux qui ont collaborÃ© sous le rÃ©gime de Vichy, rassurez-vous vous n’avez rien fait qui ne mÃ©rite que l’on s’y attarde car vous Ã©tiez dans la lÃ©galitÃ©. Vivez sereinement, les gens qui ont le pouvoir en France ne viendront pas gÃ¢cher votre vie comme vous l’avez fait Ã d’autres.

Un publiciste et un physicien sont dans une Renault …

Tue, 03 Feb 2009 22:44:02 +0000

Le publiciste crie Ã la face du monde son slogan dont il est trÃ¨s fier :

Renault – La France avance Renault accÃ©lÃ¨re

Le physicien rÃ©pond alors :

Comme c’est triste, Renault va dÃ©localiser.

Ce discours qu’Ã premiÃ¨re vue Ionesco n’aurait pas reniÃ© est pourtant complÃ©tement logique. Le slogan annonce en effet que la France se dÃ©place vers l’avant et que Renault accÃ©lÃ¨re. On en dÃ©duit donc que Renault est en accÃ©lÃ©ration par rapport au rÃ©fÃ©rentiel France. La vitesse de Renault dans ce rÃ©fÃ©rentiel va donc augmenter. La taille de la France Ã©tant finie, on en dÃ©duit qu’au bout d’un certain temps, Renault va sortir de France. En terme Ã©conomique, on appelle Ã§a une dÃ©localisation.

La classe et la coquetterie

Thu, 15 Jan 2009 23:34:45 +0000

Dans la sÃ©rie, il ne faut pas confondre la classe et la coquetterie, je vous prÃ©sente le manteau en fausse fourrure lÃ©opard avec des imprimÃ©s Mickey et Minnie :

Fourrure lÃ©opard avec imprimÃ©s Mickey

Il faut me croire sur parole, mais la petite tache rouge dans le pli sur la droite du manteau, c’est le ruban de Minnie qui est rouge comme il se doit.

Portrait d’un acheteur d’Office

Thu, 15 Jan 2009 23:17:05 +0000

Bon, la publicitÃ© Microsoft Office, j’en parle, j’en parle mais ais-je la preuve de son efficacitÃ© ? Ais-je par exemple vu quelqu’un ayant achetÃ© Office ?

Et oui, voilÃ la photo :

Victime de la pub Office

L’Ã©charpe OM autour du cou, le tÃ©lÃ©phone tactile dans une main et la boite Microsoft Office dans l’autre, dans le mÃ©tro Ligne 14, voici mon premier exemplaire d’acheteur du pack Office.

Contribution au libre, 2009 commence fort.

Tue, 13 Jan 2009 22:45:54 +0000

Du cÃ´tÃ© de mes contributions au logiciel libre, l’annÃ©e 2009 commence assez fort. Il semble que j’ai rÃ©ussi Ã dÃ©clencher une petite rÃ©volution.

Le systÃ¨me de test de NuFW avait mis en Ã©vidence un crash rare, non reproductible facilement dans nuauth, le serveur d’authentification de NuFW. Les sorties de gdb ou valgrind rÃ©vÃ©laient un problÃ¨me absurde dans la bibliothÃ¨que cyrus-sasl. NuFW l’utilise pour rÃ©aliser la phase d’authentification des utilisateurs. Le crash apparaissait lors d’un appel Ã sasl_dispose() qui est la fonction Ã appeler lorsque l’on a terminÃ© la phase d’authentification. AprÃ¨s maintes vÃ©rifications et plusieurs dizaines d’heures de debug, j’Ã©tais convaincu que nuauth, le serveur d’authentification de NuFW, utilisait la bibliothÃ¨que de maniÃ¨re correcte et que le code environnant Ã©tait correct.

“Offer office to your PC”, c’est moins cher

Thu, 08 Jan 2009 23:36:19 +0000

Parfois, on a l’impression d’Ãªtre poursuivi.Si l’on en croit ce mail (publicitÃ© dÃ©sastreuse de ms dans la rue : agissons !), la campagne pour l’offre promotionnelle Office semble avoir repris. Comme c’est l’Ã©poque des soldes, il n’y a rien de bien Ã©tonnant Ã cela. C’est facile pour Microsoft de casser les prix quand on fait plus de 90% de bÃ©nÃ©fice sur un produit.

J’arrÃªte lÃ la digression. Je disais donc que je me sentais poursuivi. La raison en est la suivante. La campagne de publicitÃ© pour Office est mondiale (ce qui confirme que l’aire de rÃ©partition du pigeon est une des plus Ã©tendues). J’en tiens pour preuve qu’en me connectant innocemment Ã amazon.com, je suis tombÃ© sur la version amÃ©ricaine de la publicitÃ© :

LCL en veut toujours plus Ã votre argent

Fri, 26 Dec 2008 14:00:14 +0000

L’article sur le fabuleux agenda LCL gratuit la premiÃ¨re annÃ©e et bien cher la deuxiÃ¨me connait en cette fin d’annÃ©e 2008 un succÃ¨s retentissant. Pour vous en persuader, voici l’analyse des statistiques sur cet article :

Comme on peut le voir, il y a une explosion en fin d’annÃ©e.

Ceci s’explique facilement, un grand nombre de personnes constatent un prÃ©lÃ¨vement “publibanque” de 24,90â‚¬ sur leur compte sans comprendre de quoi il s’agit. Or l’article du blog apparait en deuxiÃ¨me page de google pour la recherche publibanque et de nombreuses personnes parviennent donc sur ce blog avec cette recherche.

DiÃ©tÃ©tique et fÃ©minisme sont dans un bateau.

Wed, 17 Dec 2008 21:18:27 +0000

Parfois le matin, on n’est tellement pas rÃ©veillÃ© qu’on lit tout et n’importe quoi. Cette fois, c’Ã©tait le paquet de special K pour les fÃªtes de fin d’annÃ©e.

Pour Ã©gayer la fin d’annÃ©e, le paquet comporte une partie astuce. Le titre de l’astuce du jour est “AffligÃ©e ou positive ?”. Ci dessous, un scan de l’astuce :

Pour les gens qui n’ont pas l’image, Kellogs nous fait un remake de la blague :

J’ai mal Ã ma France

Sat, 29 Nov 2008 12:40:09 +0000

Un article du monde.fr relate la rencontre de notre prÃ©sident avec le prÃ©sident soudanais:

La dÃ©cision de Nicolas Sarkozy de rencontrer, samedi 29 novembre au Qatar, le prÃ©sident du Soudan, Omar Al-Bachir qui est menacÃ© d’un mandat d’arrÃªt de la Cour pÃ©nale internationale (CPI) pour “gÃ©nocide” au Darfour, a semÃ© le trouble chez les organisations non gouvernementales (ONG) de dÃ©fense des droits de l’homme.

Je cherche des excuses, mais je ne vois rien, la seule idÃ©e qui me sois passÃ©e par la tÃªte est d’imaginer notre prÃ©sident en train de remplir un album photo Panini intitulÃ© “Dictateur et criminel contre l’HumanitÃ©”. AprÃ¨s Khadafi, Poutine, Hu Jintao et maintenant Omar Al-Bachir, Nicolas Sarkozy doit avoir un des albums les mieux remplis de la planÃªte.

Total annihilation (version C)

Thu, 20 Nov 2008 13:30:34 +0000

Bon, je m’amuse en ce moment Ã rajouter une fonctionnalitÃ© Ã snort-inline. En finissant mes modifications, je suis tombÃ© sur le morceau de code suivant :

/* Check to see if we got a Reinjection rule or not */
if(!pv.ipfw_reinject_rule)
{
pv.ipfw_reinject_rule = 0;
}

Pour les non dÃ©veloppeurs c’est un peu l’Ã©quivalent de :

Si t’es mort, meurt encore

Tient, Ã§a pourrait faire un titre de James Bond.

Contre pub openoffice, la suite

Thu, 13 Nov 2008 21:29:52 +0000

Ã‰tant Ã cours d’idÃ©e, j’ai soumis la contre publicitÃ© Openoffice.org Ã la sagacitÃ© des lecteurs de Linux en postant un journal.

Il est remontÃ© plusieurs idÃ©es intÃ©ressantes. L’une des idÃ©es principales a Ã©tÃ© de rendre le message plus explicite et d’Ã©viter tout sexisme. L’essai suivant rÃ¨gle les deux points :

Offrez des cadeaux

On m’a aussi proposÃ© une version plus geek :

Suite bureautique, une question de valeurs

Sun, 09 Nov 2008 13:51:00 +0000

Microsoft rÃ©alise en ce moment une campagne publicitaire annonÃ§ant une offre promotionnelle sur la suite office. Le slogan est :

Offrez office Ã votre PC

et cela pour la somme modique de 79â‚¬.

C’est comme vous voulez, si vous voulez claquer une fortune pour faire plaisir Ã votre ordinateur, vous pouvez toujours le faire. Personnellement, je pense qu’il y a mieux Ã faire :

openoffice.org, c’est libre et gratuit

De l’importance des contributions

Fri, 17 Oct 2008 10:49:51 +0000

Denis Bodor parle sur son blog du livre “FreeBSD 7.0 Guide complet”. Il cite une phrase de l’auteur :

Chaque fois que je pense avoir gÃ¢chÃ© ma vie, je vais voir sur le site Web de FreeBSD et j’y retrouve mes travaux qui ont Ã©tÃ© acceptÃ©s par les committers et distribuÃ©s Ã des milliers de personnes.

Plus sÃ©rieusement, je confirme le point de vue de l’auteur du livre et je ne peux m’empÃªcher de reprendre cette phrase du blog :

Google censure Microsoft ?

Sat, 13 Sep 2008 10:20:11 +0000

J’ai Ã©tÃ© trÃ¨s surpris par une recherche effectuÃ©e sur google :

Recherche sur microsoft

Bon, d’accord il fallait taper site:microsoft.com au lieu de sites:microsoft.com mais tout de mÃªme, la proposition de google de rechercher google.com au lieu de microsoft.com est :

assez amusante si l’on pense Ã un bug
plus inquiÃ©tante si l’on rÃ©flÃ©chit Ã comment on en arrive lÃ .

C’est aussi bien qu’avant

Mon, 08 Sep 2008 21:40:17 +0000

Tout est parti d’un caprice de mon ordinateur fixe :

Si tu me rebootes ou si tu m’arrÃªtes, je ne me rallumerais que dans 24h

AprÃ¨s avoir tentÃ© de raisonner Ã coups de tournevis, je lui ai dit :

Babe, I’m gonna leave you

Ce qui donne en franÃ§ais :

Je file t’acheter un successeur !

Je cours donc guerrier Ã montgallet pour aller dÃ©nicher un nouveau PC.

Mon choix se porte sur un montage Ã base d’une carte mÃ¨re Asus P5Q et d’un processeur IntelÂ E8500. Confiant aprÃ¨s avoir ubuntuifiÃ© un certain nombre de machines rÃ©centes sans me poser la moindre question, je n’ai mÃªme pas vÃ©rifiÃ© la conformitÃ© des composants. Le plaisir de la surprise n’en a Ã©tÃ© que plus grand.

Chrome de Google, attention Ã vos droits !

Wed, 03 Sep 2008 17:18:08 +0000

Chrome, je pense que presque tout le monde le sait, est le nouveau navigateur dÃ©veloppÃ© par google. Il est rapide, sÃ©curisÃ©, simple d’utilisation et surtout pratique pour Google !

Si l’on prend la peinde de lire la licence de Chrome (qu’il est nÃ©cessaire d’accepter pour utiliser le logiciel) on dÃ©couvre des choses hallucinantes :

Vous conservez les droits d’auteur et tous les autres droits en votre possession vis-Ã -vis du Contenu que vous fournissez, publiez ou affichez sur les Services ou par le biais de ces derniers. En fournissant, publiant ou affichant le contenu, vous accordez Ã Google une licence permanente, irrÃ©vocable, mondiale, gratuite et non exclusive permettant de reproduire, adapter, modifier, traduire, publier, prÃ©senter en public et distribuer tout Contenu que vous avez fourni, publiÃ© ou affichÃ© sur les Services ou par le biais de ces derniers.

JournÃ©e utilisateurs du Netfilter Workshop

Wed, 03 Sep 2008 09:50:39 +0000

La journÃ©e utilisateurs du Netfilter Workshop aura lieu Ã Paris le 29 septembre 2008. Cette journÃ©e prendra la forme d’une sÃ©rie de confÃ©rences sur Netfilter. Les sujets seront variÃ©s allant de la description de l’utilisation de Netfilter chez un ISP dannois Ã la prÃ©sentation par David Miller (maiteneur de la couche rÃ©seau de Linux) ou Patrick McHardy (Leader du projet Netfilter) de leurs derniers dÃ©veloppements.

Je donnerai d’ailleurs lors de cette journÃ©e une confÃ©rence sur ulogd2, la nouvelle infrastructure de journalisation de Netfilter.

NuFW a 5 ans !

Mon, 01 Sep 2008 21:58:41 +0000

La premiÃ¨re version publique de NuFW est sortie le 01 septembre 2003. Cela fait donc maintenant 5 ans que le projet est public. L’idÃ©e avait germÃ©e en 2001 mais ne s’Ã©tait concrÃ©tisÃ©e que le 01 septembre de l’annÃ©e 2003 comme le prouve la page Freshmeat de NuFW :

Added: Mon, Sep 1st 2003 14:40 UTC (5 years, 0 months ago)

Je profite donc de cet anniversaire pour remercier tous ceux qui ont rendu l’existence de ce logiciel possible. Merci donc Ã tous les contributeurs qu’ils habitent en France, au Pakistan, en Allemagne, au Canada ou encore en Italie.

JO : Changement d’ambiance et choc des cultures

Tue, 26 Aug 2008 21:55:44 +0000

Je suis tombÃ© par hasard sur la cÃ©rÃ©monie de clÃ´ture des jeux Ã la tÃ©lÃ©. La chance a voulu que Ã§a soit au moment mÃªme oÃ¹ Londres faisait son spectacle de passage du tÃ©moin. Ce fut une surprise rafraÃ®chissante, au milieu des milliers de danseurs chinois bien coordonnÃ©s, bien abiles, bien comme il faut, Leona Lewis et Jimmy Page exÃ©cutant la chanson “Whole lotta love“.

Ã‡a m’a complÃ©tement bluffÃ©. D’une part c’est une de mes chansons prÃ©fÃ©rÃ©es, d’autre part c’est une chanson sulfureuse. Pour preuve, je vous laisse soin de traduire ce passage :

Retour de vacances

Mon, 18 Aug 2008 21:34:30 +0000

Je viens de passer 15 jours loin du clavier. Pour rÃ©sister, il a fallu les somptueux paysages de NorvÃ¨ge. Et plus prÃ©cisÃ©ment, ceux du nord du pays :

Flakstagvag, Ã®le de Senja, NorvÃ¨ge

“Tusend tak” aux norvÃ©giens pour leur accueil !

Un remÃ¨de de cheval pour l’armÃ©e

Sun, 27 Jul 2008 09:18:51 +0000

Le livre blanc sur l’armÃ©e a Ã©tÃ© publiÃ© rÃ©cemment et quelque chose comme 54000 suppressions de postes et des dizaines de fermetures de bases sont planifiÃ©es.

La pilule ayant du mal Ã passer, le secrÃ©taire d’Ã©tat Ã la dÃ©fense et/ou le prÃ©sident ont tentÃ© une opÃ©ration marketing en envoyant le secrÃ©taire d’Ã©tat au Liban pour discuter avec les soldats de la FINUL. L’opÃ©ration est relayÃ©e sur France Info et le journaliste (usant lÃ du peu de libertÃ©s qui lui reste) dÃ©clare que les soldats sont peu bavards. Il ne cite bien sÃ»r pas le plan de restructuration pour aider Ã comprendre ce mutisme. Le reportage se poursuit par cette phrase du secrÃ©taire d’Ã©tat :

Lutter contre la faille DNS avec Netfilter

Mon, 14 Jul 2008 16:53:02 +0000

La dÃ©couverte rÃ©cente d’une mÃ©thode permettant d’exploiter des failles dans la plupart des implÃ©mentations DNS Ã fait beaucoup de bruits. J’en tiens pour preuve des articles dans ZDNET (Colmatage d’une faille de grande envergure sur les serveurs DNS), Le Monde et les Ã©chos.

Si l’on Ã©tudie ce qu’Ã©crit le CERT dans l’article Multiple DNS implementations vulnerable to cache poisoning, une mÃ©thode de contournement de la faille consiste Ã rendre alÃ©atoire le port source utilisÃ© pour les requÃªtes DNS.

Un bel exemple de courage

Sat, 28 Jun 2008 08:53:46 +0000

Le Monde publie sur son site un article relatant la visite dans une classe de Alice GuÃ©na, la prÃ©sidente du Mouvement d’affirmation des jeunes gais, lesbiennes, bi et trans. IntitulÃ© “J’avais jamais vu un homosexuel”, il dÃ©taille les rÃ©actions d’une classe de BEP lorsque Alice GuÃ©na les pousse Ã parler de l’homosexualitÃ©.

Rien de bien neuf sur les rÃ©actions des Ã©lÃ¨ves, mais le courage de l’intervenante est vraiment impressionnant. Se pointer devant une classe de mÃ©canique (tiens un clichÃ©), porter la discussion sur ce terrain, encaisser des propos pas vraiment agrÃ©able, ne pas s’Ã©nerver et rÃ©pondre juste pour faire rebondir la discussion, Ã§a m’inspire le respect.

Tue, 10 Jun 2008 16:35:27 +0000

J’ai prÃ©sentÃ© Ulogd2 et nf3d lors de la rump session du SSTIC 2008.
AprÃ¨s une brÃ¨ve introduction sur l’architecture de ulogd2, j’ai montrÃ© le rÃ©sultat de mon travail sur la visualisation des connexions et des paquets logguÃ©s, nf3d.
Les slides sont disponibles.

Je me rend compte que je n’ai pas encore parlÃ© de nf3d ici. Il s’agit d’un logiciel reprÃ©sentant sur une vue 3D les connexions Netfilter et les paquets logguÃ©s. Comme une image vaut mieux qu’un long discours :

Le FBI criminalise les clicks

Fri, 09 May 2008 22:13:29 +0000

Un article de Securityfocus revient en dÃ©tail sur une affaire rÃ©vÃ©lÃ©e le 20 mars 2008. L’affaire avait notamment Ã©tÃ© traitÃ© par News.com.

Le FBI a postÃ© des liens censÃ©s menÃ©s vers des images ou des vidÃ©os pÃ©dophiles. Il n’y a en fait rien Ã l’arrivÃ©e hormis une enquÃªte du FBI, un dÃ©barquement d’agents, et jusqu’Ã 10 ans de prison (et ce mÃªme si aucune preuve n’est retrouvÃ©e au domicile de la victime).

GPL contre Skype : 2-0

Fri, 09 May 2008 13:41:50 +0000

D’un point de vue juridique, j’aurais du plutÃ´t titrer Welte vs. Skype Technologies SA. En effet, Harald Welte, ex leader du projet Netfilter et fondateur de GPL violations vient de gagner en appel contre Skype Technologies SA.

Harald Welte, dans le cadre de GPL violations, avait commencÃ© Ã lutter contre Skype Technologies SA en fÃ©vrier 2007 pour que la sociÃ©tÃ© cesse de violer la GPL en commercialisant des tÃ©lÃ©phones Wifi sous Linux sans respecter les exigences de la licence.

Subversion aware prompt

Thu, 08 May 2008 13:47:52 +0000

Introduction

As I found some really cool stuff for adding git related information to the bash prompt, I’ve decided to do something similar for subversion. You can get the whole thing called subversion-prompt on a github repository.

Results

I’ve cooked some bash functions to retrieve informations about the status of a directory relatively to subversion. With that, it is possible to have the following prompt session:

eric@ice-age:~$ nt
eric@ice-age:~/nufw-svn/trunk/nufw[4779*]$ cd doc/
eric@ice-age:~/nufw-svn/trunk/nufw/doc[4779]$

Home directory is not a subversion managed directory and the prompt is standard. When going to my nufw subversion tree, the prompt warns me that current revision is 4779 and that I’ve done local modifications (star is present). If I go to the doc directory, the revision is still the same but as there is no star I’ve no local modifications pending.

Wed, 30 Apr 2008 21:57:17 +0000

AprÃ¨s des annÃ©es de dÃ©veloppements acharnÃ©s, l’interface ultime de gestion du suivi de connexions de Netfilter est enfin disponible :

Wolfotrack, c’est son nom, est une interface de gestion du suivi de connexions basÃ© sur wolfeinstein 3D. Chaque soldat rÃ©prÃ©sente une connexion et pour tuer une connexion, il suffit de tuer le soldat correspondant.

Interview dans le cadre des RMLLs

Fri, 25 Apr 2008 13:50:58 +0000

Je vais donner une confÃ©rence sur NuFW et les interactions entre espace utilisateur et noyau dans Netfilter lors des rencontres mondiales du logiciel libre 2008 Ã Mont-de-Marsans.

Dans ce cadre, Christophe Brocas m’a gentillement interviewÃ© par mail. L’interview est en ligne sur le site des RMLLs : Interview Ã‰ric Leblond.

Ã€ noter qu’une interview de l’excellent Pablo Neira est elle aussi disponible sur le site.

Spam et astuce d’affichage

Fri, 25 Apr 2008 07:21:55 +0000

J’ai reÃ§u ce spam qui semblait Ã premiÃ¨re vue avoir complÃ¨tement passÃ© indemne mes logiciels anti-spams. Le sujet notamment n’Ã©tait pas tagguÃ© *SPAM*. Enfin, je ne voyais pas qu’il Ã©tait tagguÃ© :

Received: by d10.nt.com (Postfix, from userid 0)
id D73C21E4490; Thu, 24 Apr 2008 23:03:13 +0200 (CEST)
To: XXXXXXXX@XXX.fr
Subject: Invitation XXXXXXXX 2008
Date: Thu, 24 Apr 2008 23:03:13 +0200
From: SPAMMER noreply@mailing.spam.com
Message-ID: 67190e93d75ec77aea41896d6c6d6f89@localhost.localdomain
X-Priority: 3
X-Mailer: EmailingSoft Powered [version 1.73]
MIME-Version: 1.0
Content-Type: text/html; charset=”iso-8859-1″
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: 7.7 (+++++++)
Subject: *SPAM* Invitation XXXXXXXXX 2008

Fri, 25 Apr 2008 05:49:02 +0000

Ã€ partir de lundi, Ã§a sera facile et amusant :

NuFW.Live fourni avec Linux Magazin Allemagne

Fri, 25 Apr 2008 00:10:13 +0000

Presque tout est dans le titre : NuFW.live 1.0.2 est le CD fourni avec le magazine Sonderheft Linux-Magazin 02/08 dont le titre est “Security – Sicher im Netz” :

Ce magazine est un trimestriel sur Linux qui me fait regretter mon faible niveau en allemand. Ce numÃ©ro sur la sÃ©curitÃ© semble en effet contenir des articles trÃ¨s intÃ©ressants que je suis quasiment incapable de dÃ©chiffrer.

Fri, 18 Apr 2008 09:36:20 +0000

Bon, Cisco avait annoncÃ© qu’il ne sortirait des alertes de sÃ©curitÃ©s que deux fois par an. Sauf si une alerte Ã©tait suffisamment sÃ©vÃ¨re ou critique pour justifier une modification d’agenda.

Il n’aura pas fallu longtemps : Une prise de contrÃ´le est rÃ©alisable sur le composant NAC de Cisco. La faille est prodigieuse, la clÃ© partagÃ© Ã©tait rÃ©cupÃ©rable dans les flux d’erreurs. Mais rassurons nous

Cisco has released free software updates that address this vulnerability.

“Pour un monde meilleur”

Tue, 15 Apr 2008 06:48:10 +0000

Le CIO refuse que les athlÃ¨tes franÃ§ais portent le badge “Pour un monde meilleur”.

Voici donc deux images, une pour le CIO:

une pour les athlÃ¨tes:

NuFW Ã CansecWest 2008

Tue, 01 Apr 2008 15:35:21 +0000

Une fois n’est pas coutume, deux mots de la confÃ©rence sÃ©curitÃ© Cansecwest oÃ¹ deux de mes acolytes d’INL se sont rendus pour faire une confÃ©rence. Ils en ont profitÃ© pour faire une lightning talk sur NuFW :

An introduction to Ulogd2 hacking

Mon, 24 Mar 2008 10:49:28 +0000

Short introduction to Ulogd2

Ulogd2 is a userspace logging daemon for netfilter/iptables related logging. This is the successor of the ulogd daemon which one of the best mean to log packets coming from Netfilter.

Ulogd-2.x uses latest Netfilter features to provide:

Packet based logging (via libnetfilter_log or ULOG target)
Flow based logging (via libnetfilter_conntrack)

Logging can be done to file, syslog, pcap or a database (MySQL, PostgreSQL, …).

To use libnetfilter_log and libnetfilter_conntrack, a kernel superior to 2.6.14 is needed.

Cisco en avance sur le poisson d’Avril et Halloween

Thu, 20 Mar 2008 07:16:17 +0000

La companie Cisco, leader des Ã©quipements rÃ©seau, a le sens de l’humour mais a aussi un problÃ¨me de calendrier. Elle a en effet annoncÃ© qu’Ã partir du 26 mars, les correctifs de sÃ©curitÃ© sur IOS ne seront publiÃ©s que deux fois par an, les 4eme mercredi du mois de mars et de septembre. Ã€ mon avis, ils devaient vouloir sortir l’annonce le premier avril pour faire une blague Ã leurs utilisateurs. J’imagine en effet Renault annoncer :

La religion du poisson

Tue, 18 Mar 2008 21:19:56 +0000

Il est souvent difficille d’allier poisson et religion. On a bien l’Ã©pisode de la pÃªche miraculeuse dans le nouveau testament, mais bon Ã part Ã§a il n’y a pas grand chose.

Bien sÃ»r, il y a le carÃªme et notamment lors de la semaine sainte. Dans un quartier de Paris, cela conduit Ã des annonces originales :

Et oui, pendant la semaine sainte, il faut dessaler sa morue.

Fraicheur

Fri, 01 Feb 2008 23:03:11 +0000

Lorsque je rentre du travail, je passe toujours Ã un angle de rue devant un cafÃ© parisien aux grandes vÃ©randas. Je jette souvent un coup d’oeil Ã l’intÃ©rieur. Jusqu’au dÃ©but de l’annÃ©e, ce regard percait la fumÃ©e pour entrevoir les fumeurs.

Ce soir, en rentrant, un pÃ¨re et sa fille d’environ 6 ans lisaient, cÃ´te Ã cÃ´te sur une banquette, dans le cafÃ© inondÃ© de lumiÃ¨re.

NuFW.Live : tester NuFW, c’est facile !

Mon, 21 Jan 2008 16:41:32 +0000

AprÃ¨s des annÃ©es de travail (et de documentation) sur NuFW, il restait tout de mÃªme difficile de tester le projet. Il existe maintenant une faÃ§on simple de le faire grÃ¢ce au Live CD NuFW.Live. BasÃ© sur knoppix, ce CD dÃ©veloppÃ© par INL, contient NuFW et l’ensemble des briques associÃ©s.

Un tutoriel simple permet de tester et de valider le fonctionnement de NuFW. Au final cela donne un NuFW qui marche en quelques clics et qui plus est avec les derniÃ¨res interfaces web :

Sun, 30 Dec 2007 18:57:06 +0000

Je n’ai pas vraiment envie de faire de commentaires, je rajouterais donc quelques dÃ©tails. La conductrice Ã©tait en fait dans un magasin de luxe situÃ© juste en face de la place vide. Elle Ã©tait bien sÃ»r blonde.

Sun, 30 Dec 2007 18:44:42 +0000

AprÃ¨s les nombreuses campagnes de lutte contre l’utilisation de la fourrure, il semble que les professionnels du domaine commencent Ã se sentir concernÃ©. J’en tiens pour preuve une photo de la vitrine d’un fourreur prestigieux (jugement portÃ© suite au nombre de zÃ©ros Ã©levÃ© des prix des manteaux) :

Ce fourreur situÃ© rue du Faubourg Saint HonorÃ© doit essayer de faire passer un message au moyen de ses mannequins rouge sang, qu’on dirait fraichement Ã©corchÃ©. En effet ceci rappelle curieusement les campagnes d’affichages des anti-fourrures qui reprÃ©sente souvent des animaux aprÃ¨s prÃ©lÃ¨vement de la fourrure.

Sarkozy et l’industrie du disque

Thu, 27 Dec 2007 12:17:53 +0000

Alors que tout le monde s’offusque des vacances People de Nicolas Sarkozy, l’Ã©tude d’une photo rÃ©vÃ¨le que la prÃ©sence de Carla Bruni au cÃ´tÃ© du prÃ©sident ne devrait pas tout Ã l’amour :

Et oui ! Carla Bruni, chanteuse de son Ã©tat, serait en service commandÃ© pour l’industrie de la musique. Il fallait bien Ã§a pour remercier M. Sarkozy de ses interventions lors des votes de la loi DADVSI qui leur a accordÃ© tant de faveurs.

Windows Onecare aime les documents openoffice ?

Sat, 22 Dec 2007 09:45:33 +0000

Une source qui me semble digne de confiance m’a indiquÃ© hier que l’antivirus Wndows Onecare se mettrait depuis quelques temps Ã reconnaitre les documents OpenOffice.org comme des documents contenant des virus.

Il est vrai que OneCare a besoin d’amÃ©liorer son taux de dÃ©tection, mais cela serait tout de mÃªme un peu fort. En tout cas, ce n’est pas la premiÃ¨re fois qu’une telle chose se produit puisque Gmail a dÃ©jÃ Ã©tÃ© pris pour un virus.

MÃªme pas vrai

Tue, 11 Dec 2007 07:12:58 +0000

Le prÃ©sident franÃ§ais, son gouvernement, son parti politique, sa femme ont tentÃ© de faire passer la pillule de la visite de Khadafi en annonÃ§ant la signature de contrats pour 10 milliards d’euros. Que nenni, il s’agissait en fait (pour une trÃ¨s grosse partie) d’un protocole d’accord pour des nÃ©gociations exclusives avec la France notamment dans le domaine de l’armement.

M. Sarkozy, le chef des farcs voudrait investir de l’argent en France, il peut venir manger Ã l’Ã©lysÃ©e ? Ah pardon, en fait ce n’est pas de l’argent qu’il veut envoyer en France c’est de la cocaine.

Mon, 10 Dec 2007 23:02:30 +0000

Notre prÃ©sident a dÃ©cidÃ© de fÃ©ter la journÃ©e des droits de l’homme en se focalisant sur un aspect prÃ©cis, la discrimination. Oui, la discrimination est un problÃ¨me terrible qui prÃ©sente de nombreuses formes et porte sur des aspects trÃ¨s divers de la personne humaine :

Couleur de la peau
Sexe
Taille
Marque des lunettes

Sur ce dernier point, on le sait peu mais l’attitude des gens face aux porteurs de Rayban lors de leur jogging les obligent d’ailleurs parfois Ã s’entourer de gardes du corps.

Led Zeppelin, Mothership

Sat, 08 Dec 2007 19:20:43 +0000

Cela fait plus de 15 ans que j’Ã©coute Led Zeppelin. J’ai donc bien entendu tous les albums en CDs, sans parler des DVDs, cassette vidÃ©o. Vous l’aurez compris, je suis un fan.

C’est donc avec plaisir, que j’ai vu sortir pour Noel une compilation double CD, Mothership, regroupant les meilleurs chansons du groupe. Avec plaisir, car je me suis dit que cela allait permettre le passage de tÃ©moin aux jeunes gÃ©nÃ©rations. Aayant dÃ©jÃ tous les CDs, je ne pensais vraiment pas en avoir besoin. Le terme “RemasterisÃ©” affichÃ© sur la pochette m’a ensuite fait rÃ©flÃ©chir et je me suis dirigÃ© vers un vendeur (de la FNAC) pour savoir si on Ã©tait dans le registre du flan marketing ou si ce CD avait vraiment Ã©tÃ© retravaillÃ© par rapport aux CD des albums qui datent de plus de 10 ans. Le vendeur, fan de Led Zep, m’ a confirmÃ© qu’un vÃ©ritable travail avait Ã©tÃ© effectuÃ© sur les chansons de ce CD. Je l’ai donc achetÃ© et je suis rentrÃ© chez moi rapidement pour une sÃ©ance d’Ã©coute.

L’art du commit

Tue, 04 Dec 2007 22:27:37 +0000

Lors du Netfilter Workshop 2007, j’ai eu le plaisir de revoir Patrick McHardy et la chance de rencontrer David Miller (Davem) le mainteneur de la couche rÃ©seau de Linux.

Patrick envoie assez souvent des sÃ©ries de patchs impressionnantes Ã Davem pour demander leur intÃ©gration dans le noyau officiel. L’ensemble des contributions des dÃ©veloppeurs de Netfilter qui est ainsi transfÃ©rÃ© lors de ces envois.

Lors d’un des repas, j’ai citÃ© Ã Davem l’un des plus gros envois de Patrick et je lui ai demandÃ© ce qu’il ressentait lorsqu’il recevait une telle sÃ©rie de patchs. Sa rÃ©ponse a Ã©tÃ© rapide :

Ariane et Barbe-Bleue, Fermez le rideau

Mon, 17 Sep 2007 21:54:45 +0000

Je sors d’une reprÃ©sentation de Ariane et Barbe-Bleue qui n’a pas Ã©tÃ© Ã©pargnÃ©e par les critiques tant au niveau de la musicalitÃ© que de la mise en scÃ¨ne. Je passerais complÃ¨tement le premier aspect pour me concentrer sur le travail de madame Viebrock. On peut s’offusquer de cette rÃ©alisation sur plusieurs modes :

En mode radin, cela peut donner :

Quoi ? une place Ã ce prix lÃ pour voir une friche industrielle post-communiste.

Sarkozy veut priver les enfants ayant des parents malades de Noel

Tue, 04 Sep 2007 06:03:40 +0000

Sarkozy veut priver les enfants ayant des parents malades de Noel pour pouvoir soigner les personnes agÃ©es.

En effet, le prÃ©sident a annoncÃ© fin juillet la crÃ©ation d’une franchise mÃ©dicale pour lutter contre la maladie d’Alzheimer. Cette mesure prÃ©voit de faire payer jusqu’Ã 50 euros par an, les assurÃ©s sociaux ayant eu recours Ã des soins ou Ã des mÃ©dicaments. Un tollÃ©, comme d’habitude limitÃ© Ã Internet et Ã la presse et sans contre-attaque claire de l’opposition, s’est bien sÃ»r produit en rÃ©action avec notamment une pÃ©tition que je vous invite Ã signer si vous aimez les petits enfants et que vous voulez qu’il aient des cadeaux Ã Noel.

Tue, 24 Jul 2007 22:51:18 +0000

Bon, vous allez me dire qu’il y a sans doute un rapport aussi dense entre les deux qu’entre un pape et un mode d’emploi de prÃ©servatifs. Je continuerai pourtant.

Non au rÃ©chauffement de la clientÃ¨le (nos restaurants sont climatisÃ©s)

Ceux qui ne voient toujours pas le rapport peuvent essayer de se rappeler une ritournelle de notre temps, le “rÃ©chauffement de l’atmosphÃ¨re”. VoilÃ donc, Mac Donald qui sort un slogan pour promouvoir la prÃ©sence de climatiseur dans ses restaurants en dÃ©tournant une phrase Ã©cologiste.

Mon, 23 Jul 2007 20:49:38 +0000

Loin des poncifs rabattus sur l’inaction des politiques et leur incapacitÃ© Ã changer les choses, les Ã©lus locaux sont souvent capables de changer la vie de leur concitoyen. J’en tiens pour preuve le projet des VÃ©lib qui reconstruit le rapport des parisiens avec leur environnement. Une nouvelle faÃ§on de se dÃ©placer Ã©merge, facile et pratique. Merci donc Ã la mairie de Paris ! Merci aussi Ã eux pour les couloirs de bus qui prennent une autre dimension lorsque l’on est Ã vÃ©lo !
Je profite de l’occasion pour, une fois n’est pas coutume, remercier un homme politique de droite, Alain JuppÃ©. Merci donc Ã lui pour son travail sur la piÃ©tonnisation de Bordeaux qui a rendu cette ville bien plus habitable qu’elle ne l’Ã©tait.

Les logiciels libres et la confiance

Wed, 23 May 2007 22:44:53 +0000

J’ai donnÃ© une confÃ©rence lors de la JournÃ©e Logiciels libres et sÃ©curitÃ© organisÃ©e par le Cetril. Cela m’a permis d’assiter Ã la confÃ©rence de Nat Makarevitch sur la sÃ©curitÃ© des systÃ¨mes basÃ©e sur des logiciels libres. Il a relevÃ© avec justesse l’augmentation des attaques sur les sources de certains logiciels libres et la tentative d’inclusion de backdoor. Une des meilleures solutions Ã ce problÃ¨me repose sur la signature gpg des archives et des paquets des distributions ce qui permet de garantir la provenance des donnÃ©es tÃ©lÃ©chargÃ©es.

Linux and Sierra Wireless AC850

Thu, 10 May 2007 22:21:35 +0000

Sierra Wireless AC850 is working fine under Linux thanks to a firmware provided by Sierra but there is problem in firmware detection which is explained in this document.

You can download the 850 firmware from Sierra website. An installation guide is available from Sierra support site. But for french reading people, I recommand to read and use Lea Linux documentation.

The latest linux kernels are able to automatically load firmware for pcmcia card. The idea is cleanly implemented. For example, let’s see how it detects the “Sierra Wireless AC710” in serial_cs.c:

Sat, 21 Apr 2007 09:18:05 +0000

Mais sa rÃ©ponse est telle que l’April se montre trÃ¨s inquiÃ¨te. Il y a de quoi tout y est. Les brevets logiciels c’est bien, la propriÃ©tÃ© intellectuelle et la propriÃ©tÃ© privÃ©e c’est pareil. J’arrÃªte lÃ .

Malheureusement, aprÃ¨s DADVSI, la LEN, il semble que Sarkozy ne veuille pas en rester lÃ . Le monde affirme mÃªme qu’il nous prÃ©pare “Big Brother”.

Sarkozy, tueur de TuX

Fri, 20 Apr 2007 20:52:06 +0000

L’initiative candidats.fr a Ã©tÃ© un succÃ¨s mais le candidat Sarkozy n’a pas rÃ©pondu au questionnaire malgrÃ¨ son engagement lors de Solution Linux. Il brise ainsi une promesse avant mÃªme la date de l’Ã©lection.

Dans le mÃªme temps, le discours tenu par les reprÃ©sentants du candidat UMP font peur, notamment en ce qui concerne la loi DADVSI :

La protection du droit de propriÃ©tÃ© est essentielle pour Nicolas Sarkozy, et sa conviction est inÃ©branlable en la matiÃ¨re. Nous ne considÃ©rons pas aujourd’hui que les droits des consommateurs soient lÃ©sÃ©s.

Les yeux de johnny ou presque

Mon, 19 Mar 2007 13:36:36 +0000

Ã€ dijon, ils sont forts, ils ont un optic 2000 pour les nons-voyants :

L’UMP et l’orthographe

Sun, 04 Mar 2007 21:58:39 +0000

Imaginons la France d’aprÃ¨s

Je n’ose imaginer qu’il n’y ait pas de faute d’orthographe. En effet si on prend le texte tel qu’il est Ã©crit, c’est grave : cela fait 5 ans qu’ils sont au pouvoir ; en Ãªtre encore Ã imaginer c’est absurde. Je pense donc qu’ils voulaient dire :

L’UMP Ã la superette

Thu, 01 Mar 2007 22:48:20 +0000

Rentrant du travail, je suis passÃ© faire quelques courses dans une superette pour pouvoir manger quelque chose le soir. Une fois n’est pas coutume, il y avait un peu de monde Ã la caisse. Pour tout dire, j’avais deux personnes devant moi et une personne derriÃ¨re.

Il Ã©tait possible d’accÃ©der Ã la caisse oÃ¹ j’attendais en passant par la droite. C’est ce qu’a fait une femme, la quarantaine, en tailleur. Elle l’a tellement bien fait qu’elle m’a doublÃ© passant ainsi devant moi et les personnes qui me suivaient.

Netfilter (en)

Sat, 24 Feb 2007 23:59:34 +0000

As main developer of NuFW, I’m working since some years on Netfilter, the packet filtering framework inside inside Linux.

My principal field of interest is user interaction. I’ve worked on libnetfilter_queue and libnetfilter_conntrack since early stage of development. These new interaction features are great and will lead to interesting applications.

I’ve put here some articles of general interest about Netfilter and Iptables usage.

Thu, 08 Feb 2007 23:51:53 +0000

Une Ã©mission de France 2 semble indiquer qu’il pourrait y avoir une suite Ã Starship Troopers. Elle devrait avoir lieu en France si le premier tour de l’Ã©lection prÃ©sidentielle est favorable Ã Jean-Marie Le Pen.

“Je suis partisan d’un service militaire volontaire de six mois assorti d’un certain nombre d’avantages, en particulier pour l’accession dans les services publics”

Mon, 18 Dec 2006 00:25:35 +0000

Pour la premiÃ¨re fois le magazine Time n’ a pas rÃ©compensÃ© un individu pour sa nomination d’homme de l’annÃ©e. C’est nous, les acteurs d’internet, qui avons Ã©tÃ© rÃ©compensÃ©s. L’explication donnÃ©e par Time est convaincante. Ils ont plutÃ´t trouvÃ© Ã blamer cette annÃ©e et c’est surtout que quleque chose a retenu leur attention. Je cite :

It’s a story about community and collaboration on a scale never seen before. It’s about the cosmic compendium of knowledge Wikipedia and the million-channel people’s network YouTube and the online metropolis MySpace. It’s about the many wresting power from the few and helping one another for nothing and how that will not only change the world, but also change the way the world changes.

Sun, 19 Nov 2006 10:00:48 +0000

En quoi un groupe de rap et la rÃ©pression du tabagisme peuvent Ãªtre liÃ©s (je ne parle pas de Doc Gyneco). C’est simple, il arrive parfois qu’il parle de tabac, parfois de maniÃ¨re indirecte.

Dans la chanson Danse le Mia un des passages a le contenu suivant :

"au New starflash Lazerline Hatchin Club,
Nous sommes ensemble ce soir pour une soirÃ©e de bonheur musical
avec un grand concours de danse.
De nombreux super cadeaux pour les heureux gagnants,
il y aura les T-shirt Marlboro, les autocollants Pioneer,
les caleÃ§ons JB, les peluches,"

Et oui, on parle de Marlboro et le personnel de la chaÃ®ne TNT diffusant le disque (ou la maison de disque) a dÃ©cidÃ© de beeper le terme Malboro puis de norcir l’image d’une bouteille dans la scÃ¨ne de la discothÃ¨que. C’est affligeant, d’autant plus qu’ils n’ont mÃªme pas beepÃ© JB cette bande d’incultes.

La coiffeuse devait Ãªtre blonde

Wed, 15 Nov 2006 08:11:17 +0000

On va sans doute m’accuser de racisme anti-blonde mais parfois il faut avouer qu’elles le cherchent. J’en tiens pour preuve cette affiche :

Hasard et quadran solaire

Sun, 12 Nov 2006 22:17:18 +0000

Le soleil, juste dans l’alignement des pilÃ´nes, un moment fugace.

Sun, 12 Nov 2006 22:08:54 +0000

En flÃ¢nant la semaine derniÃ¨re dans Paris, je suis tombÃ© sur une vitrine Burberry qui exposait toute une sÃ©rie de vÃªtements. Parmi ceux-ci un impermÃ©able tout simple Ã environ 1500â‚¬. InterloquÃ©s par le prix, mon amie et moi nous sommes demandÃ©s ce qui pouvait diffÃ©rencier un tel produit de ses concurrents dix fois moins cher. Nous avons donc regardÃ© d’un peu plus prÃ¨s le spÃ©cimen exposÃ© :

Tout cela pour constater qu’il y avait des fils apparents et donc une absence notable de finitions. Ã€ titre de preuve, on pourra remarquer sur la grande couture verticale un fil non coupÃ© de plus de deux centimÃ¨tres.

L’invention de la prime bombes et missiles

Sat, 29 Jul 2006 21:47:14 +0000

Rompant avec la monotonie habituelle de la diplomatie lors des conflits armÃ©s “faut pas tuer c’est mal”, les Ã‰tats-Unis s’opposent ouvertement Ã la demande d’un cessez-le-feu entre Israel et le Liban, pardon le Hezbollah.
Au delÃ de l’habituel soutien des amÃ©ricains Ã leur alliÃ© au moyen orient, on peut peut-Ãªtre voir un peu plus loin. En effet, la secretaire d’Ã©tat “CondolÃ©ances rise” annonce fiÃ¨rement qu’un cessez-le-feu est inutile. Mais elle comprend la douleur du peuple libanais au bout d’une semaine ou deux d’offensives. Si bien qu’elle dÃ©cide de faire don de 30 millions de dollars au Liban.
En fait, cette broutille (au vu des dÃ©sastres) ressemble plus Ã une prime :

Sat, 22 Jul 2006 14:24:59 +0000

Cette affirmation peut sembler bizarre mais elle est vÃ©ridique. En effet, lorsque Sarkozy se propose de nettoyer les banlieux au kÃ¤rcher, l’Ã©tat d’Israel lui compte sur les Pluies d’Ã©tÃ© pour nettoyer la bande de Gaza. L’un gaspille de l’eau potable et l’autre fait confiance Ã la nature.

Relativisons tout de mÃªme ce point de vue, on passe ici du ridicule dÃ©magogique et politique Ã l’horreur et aux massacres. Il y a cependant toujours dans les deux cas un mÃ©pris pour l’autre et aucune confiance Ã la nature humaine.

Adieu Ã la coupe du monde 2006

Sun, 09 Jul 2006 22:02:57 +0000

L’Ã©quipe de France vient de perdre la finale de la coupe du monde 2006. Peu de choses Ã dire si ce n’est que l’on aurait rÃ©ver de les voir lÃ il y a 3 semaines. Donc, merci, merci Ã eux.

Dommage que ZinÃ©dine Zidane soit parti sur un coup de tÃªte. Il nous avait tant fait rÃªver lors du splendide France-BrÃ©sil. C’est bien triste de finir d’autant plus que l’on ne saura sans doute jamais ce qu’il lui a Ã©tÃ© dit.

Logiciels libres : drogue douce ou drogue dure ?

Sun, 09 Jul 2006 12:05:31 +0000

La sortie du bureau Free-EOS 2.0 vient d’Ãªtre annoncÃ©e mais je m’interroge sur la pertinence d’une telle approche en 2006.

Le bureau sous GNU/Linux est maintenant une alternative sÃ©rieuse au bureau estampillÃ© Microsoft. N’est-il pas temps de promouvoir le changement d’OS plutÃ´t que de promouvoir l’utilisation du libre sous OS propriÃ©taire ?

En faisant des Logiciels Libres une drogue douce que l’on prend de temps en temps pour s’aÃ©rer l’esprit, on le canalise et on ne permet pas Ã ce qu’il attaque suffisamment le cerveau. Pour moi, il doit devenir une drogue dure : quelques prises de LiveCD et on finit par installer GNU/Linux contraint par la qualitÃ© de l’outil.

MacOS X, la grande salade

Fri, 12 May 2006 21:49:11 +0000

Je viens de passer ma journÃ©e Ã travailler sur Mac OS X Ã la finalisation du client pour NuFW. Comme d’habitude avec ce systÃ¨me d’exploitation cela a Ã©tÃ© une drÃ´le de journÃ©e.

Ce mÃ©lange entre puissance d’Unix et expÃ©rience end-user est vraiment dÃ©routant. J’en ai encore fait les frais en utilisant le logiciel Platypus. Ce logiciel trÃ¨s pratique permet de gÃ©nÃ©rer un script exÃ©cutable. Tiens d’ailleurs, le principe en soi est bizarre sous Unix.

JPP et le CPE

Mon, 24 Apr 2006 21:31:28 +0000

Et il semblerait que j’ai manquÃ© quelque chose : JPP et le CPE. On dirait que lÃ encore, notre maÃ§on de l’info en a fait des tonnes.

Je n’ai pas grand chose Ã dire de plus Ã ce sujet : je n’ai pas vu donc je m’abstiendrais de critiquer.

Ah si pour terminer, j’ai de la famille en Belgique. Quel rapport me direz-vous ?

Wanadoo, l’authentification et la porte ouverte

Mon, 24 Apr 2006 17:04:14 +0000

Soucieuse du confort de ses abonnÃ©s, wanadoo est beaucoup moins prÃ©occupÃ© par leur sÃ©curitÃ©. J’en tiens pour preuve leur politique d’authentification sur wanadoo.fr.

Si une requÃªte provient de l’adresse IP de l’ADSL de monsieur Dupont c’est forcÃ©ment monsieur Dupont qui est Ã l’origine de la requÃªte. On ne passe pas Ã Madame Dupont qui pourrait trÃ¨s bien elle-aussi vouloir consulter ses mails sur le webmail de wanadoo.fr. HÃ© oui, j’en sens certains mÃ©dusÃ©s, l’authentification est totale et va au moins jusqu’au webmail.

Thu, 20 Apr 2006 20:23:23 +0000

Cher Monsieur DelanoÃ©, quand j’entends ces propos pleins de bon sens d’une vielle dame habitant le 17Ã¨me arrondissement, je me dis que nous sommes descendu bien bas :

Le manque d’ordre est flagrant

Bon sang, mais vous attendez quoi pour flanquer les vieilles fachos Ã l’asile !

Pour les amateurs de dÃ©tails, voici une tentative de retranscription de la scÃ¨ne opposant une dame agÃ©e et une femme. Pour plus de facilitÃ©, je noterai VF pour vielle femme (ou Vichy, France) et F pour femme.

Git for the newbie

Mon, 03 Apr 2006 22:28:27 +0000

This page describes the mistake I’ve done with git. First of all : read the manual and the howto, as usual this is the first step to go !

Some interesting documentation includes :

Customizing your repository

git config user.name "Your Name"
git config user.email "your@mail.com"

To check modification:

git config --list

To do global modification, that will be used for all repositories, just add the --global to the commands.

CPE et DADVSI

Fri, 10 Mar 2006 20:19:58 +0000

Il s’agit de deux actualitÃ©s presque simultanÃ©es mais on le sait trÃ¨s bien la simultanÃ©itÃ© dans le gouvernement de pain perdu n’est pas un hasard.

Le Contrat Premier Embauche, c’est l’acceptation du libÃ©ralisme le plus total pour la masse, avec ici toutefois une prÃ©fÃ©rence pour les moins de 26 ans. Pour Villepin, les jeunes doivent s’adapter, Ãªtre flexible pour coller au monde d’aujourd’hui. C’est du moins son argumentation publique.
De son cÃ´tÃ©, la loi DADvSI traite d’un des sujets les plus modernes qui soit : “Quelles Ã©volutions pour le droit d’auteur aprÃ¨s l’avÃ©nement d’internet et la mondialisation”. Euh, non en fait, au vu du texte ce n’est pas ce qu’ont compris les rÃ©dacteurs mais c’est grosso modo l’idÃ©e.
Bref, on a donc deux lois portant sur l’adaptation Ã l’Ã©volution de la sociÃ©tÃ©. Quel est la philosophie du gouvernement vis Ã vis de ces deux problÃ¨mes ? Elle est simple, toute droite :

Jean Pierre Pernod et le Chikungunya

Sun, 22 Jan 2006 16:44:25 +0000

Au cours de mes vacances, j’ai pu voir des journaux tÃ©lÃ©visÃ©s auxquels je n’ai pas accÃ¨s habituellement. Il s’agit d’une part du “journal” de 13h sur TF1 (freebox oblige) et d’autre part du journal d’une chaine rÃ©unionnaise (pas captÃ© en mÃ©tropole).

Je ne pensais pas que, hors vacances scolaires, le journal de TF1 pouvait Ãªtre aussi proche d’une video promotionnelle sur la France et ses campagnes. L’ensemble de petits riens abordÃ©s dans le journal Ã©tait affligeant Ã croire que rien ne se passe en France puisque le journal parlait par exemple d’une arnaque aux travaux. Pourtant, le mÃªme jour, le journal de la RÃ©union m’a fait froid dans le dos :

Sarkozy et polemix

Sun, 22 Jan 2006 16:29:30 +0000

Hors des guignols, la satire politique reste vivante. Par exemple, certaines radios sont trÃ¨s actives. Aisi des parodies audio sous forme de chansons excellentes sont mis Ã dispositions par polemix.

Mon, 26 Dec 2005 22:56:37 +0000

J’ai trÃ¨s souvent et notamment sur ces pages dÃ©criÃ© la documentation fournie par Microsoft. MalgrÃ¨ un effort d’impartialitÃ© certain quant aux impressions que je livrais alors, une partie de moi se demandait si mon analyse n’Ã©tait pas entachÃ©e par mon addiction Ã GNU/Linux.

Que nenni, la commission europÃ©enne menace Microsoft de sanctions car la documentation fournie ne suffit toujours pas Ã assurer l’intÃ©ropÃ©rabilitÃ© notamment pour le dÃ©veloppement de services. Le commissaire chargÃ© de l’affaire est assez direct :

DADVSI, Freud et le Stalinisme

Tue, 20 Dec 2005 23:23:47 +0000

GrÃ¢ce au streaming des dÃ©bats de l’assemblÃ©e nationale, j’ai Ã©coutÃ© le discours de FrÃ©dÃ©ric Dutoit dont le but Ã©tait de prouver l’inconstitutionnalitÃ© de la loi DADVSI. MÃªme si son exposÃ© Ã©tait complÃ¨tement incapable de le prouver (il aurait du citer le copyright “sony”, “Universal” en bas du texte de loi mais le CLUF l’interdisait), il n’en restait pas moins interessant.

Les rÃ©ponses Ã son intervention ont Ã©tÃ© hallucinantes. Je passe sur celle du ministre dÃ©jÃ bien gratinÃ©e (“c’est pas liberticide tu dÃ©lires” pour rÃ©sumer) pour m’attarder Ã celle de Christian Vanneste, rapporteur du projet de loi, qui n’a pas pu s’empÃ©cher de faire une minable tirade anti communiste en faisant des “allusions” Ã Freud et Staline et disant que la perte des libertÃ©s est du cÃ´tÃ© du communisme.

Thu, 15 Dec 2005 15:52:50 +0000

Il semble rÃ©Ã©llement que l’heuristique microsoftienne consiste Ã se limiter au premier aspect des choses sans chercher Ã aller au delÃ . L’exemple de code suivant est trÃ¨s rÃ©vÃ©lateur. Le code POSIX :

pthread_t* checkthread;<br /> pthread_mutex_t * mutex;<br /> pthread_cond_t *check_cond;

devient

HANDLE checkthread;<br /> HANDLE mutex;<br /> HANDLE check_cond;

LÃ oÃ¹ POSIX mets du sens, on se trouve sous Windows face Ã un vulgaire “manipulateur”. Pour en revenir Ã un Ã©quivalent sexuel, on passe d’un “Quelles positions aujourd’hui chÃ©rie ?” Ã “On baise ?”.

Sony, avec un S comme Sarkozy

Tue, 15 Nov 2005 19:49:49 +0000

Bon, vous allez dire, je ne vois pas le rapport Ã premiÃ¨re vue (notez que j’ai bien dit Ã premiÃ¨re vue)… Qu’est ce qui peut bien rapprocher une multinationale qui installe des rootkits sur vos machines et un homme politique franÃ§ais dont le parti utilise Cecilia et banlieue comme mot clÃ© pour les pubs google. Mince, je l’ai presque dit 🙁

Bon, le point est effectivement Ã©vident, ils ont tout les deux des attitudes inexcusables face Ã la libertÃ© individuelle. Je leur propose donc une association :

Marketing et marketing

Wed, 19 Oct 2005 20:35:30 +0000

La “pauvre” Kate Moss a fait l’actualitÃ© rÃ©cemment. HÃ© oui, le top model maigrichon Ã l’air camÃ©e l’Ã©tait vraiment ;-). Comme quoi, dans la mode, mÃªme si l’habit ne fait pas le moine …

Bon, Kate Moss, disais-je, aurais perdu tous ses contrats publicitaires ou presque suite Ã ce problÃ¨me. Tous, oui sauf un en tout cas. Ce petit dernier laisserait presque Ã penser que tout cela n’Ã©tait que coup mÃ©diatique : les rues de Paris sont en effet couvertes de la pub pour “Opium” oÃ¹ figure le mannequin.

Thu, 29 Sep 2005 08:05:55 +0000

J’ai des comptes au CrÃ©dit Lyonnais, oui Ã§a peut arriver Ã tout le monde. Jusque lÃ , pas grand chose Ã dire, c’est une banque, donc Ã§a cherche Ã faire de l’argent sur tout, mais gÃ©nÃ©ralement cela ne dÃ©passe pas les bornes de la dÃ©cence.

j’ai malheureusement reÃ§u un courrier qui me fait penser que le changement de nom en LCL Ã fait changer aussi les mentalitÃ©s. Ce courrier me propose l’Agenda ClÃ©o 2006 en ne payant que 3â‚¬ de traitement. Ah, sympa, c’est presque cadeau alors ? je regarde la lettre et en bas c’est Ã©crit

Sarkozy avec un S comme Spam

Wed, 28 Sep 2005 10:29:03 +0000

J’ai reÃ§u un mail de M. Nicolas Sarkozy hier. Il m’annonÃ§ait que la France va mal. C’est bizarre, Ã§a m’a fait l’effet du maroille qui hurle au plateau de fromage entier : “Ã§a pue !”.

Bah, oui, monsieur Sarkozy, Ã§a pue mais on sait pourquoi, c’est l’odeur trop forte de l’arrivisme et de l’ambition.

En plus, j’ai mal Ã ma France lÃ . Que le principal parti de droite franÃ§ais en arrive Ã revendiquer les mÃ©thodes de communication du parti rÃ©publicain amÃ©ricain au moment mÃªme ou celui-ci est vilipendÃ© de part le monde pour ses comportements antidÃ©mocratiques, tout de mÃªme, un peu de dignitÃ©, la France n’est pas les Ã‰tats-Unis. Ce n’est pas comme si le ministÃ¨re des Finances et le principal syndicat patronnal pouvait Ãªtre dans les mains de la mÃªme famille ou, autre exemple plus contemporain, si le prÃ©sident d’un important parti Ã©tait aussi ministre de l’intÃ©rieur. Non, je ne vois pas du tout comment on a pu en arriver lÃ .

Tue, 13 Sep 2005 21:54:24 +0000

Bon, oui, je sais c’est une faÃ§on d’avouer que j’ai pris du plaisir sous Windows. Mais bon, devant cette application, je ne peux que m’incliner et ce pour plusieurs raisons :

Un rendu excellent

Pour illustrer le dernier point, je me suis plantÃ© en voiture Ã Atlanta il y a quelques annÃ©es. Cela c’Ã©tait passÃ© sur le chemin entre un Burger King et l’hotel oÃ¹ je rÃ©sidais. J’ai retrouvÃ© sur google earth, l’hotel avec sa piscine, le fast-food, le carrefour (oÃ¹ j’ai Ã©tÃ© percutÃ©) avec une voiture blanche comme celle qui me prÃ©cedait lors de l’accident ;-).

Links Load balancing

Thu, 08 Sep 2005 22:03:37 +0000

Prerequisites :

Netfilter :

CONNMARK
nth (or statistic module for recent kernel)
condition (for failover, available in xtables addon)
Iproute2

System :

A linux gw and 2 internet links (what ever techno) :

Link 1 : BP 1500 – fraction 3
Link 2 : BP 500 – fraction 1

The ratio between the 2 link is 1/4 3/4.

Objective

The objective is to have a load-balancing failover between the two link at connection level. Setup is here for a
nated LAN.

Vieux comme Mathusalem mais encore maintenu

Wed, 07 Sep 2005 09:59:15 +0000

La sociÃ©tÃ© CCScentral a un site des plus dÃ©ments. On dirait un site hÃ©bergÃ© chez mygale vers 1996. Mais non ! Il s’agit du site d’une entreprise spÃ©cialisÃ©e dans l’informatique. Vous allez dire : “mais ils n’ont pas eu le temps de le mettre Ã jour” ; que nenni :

Last Revised: Fri, 19 Aug 2005 23:47:11 GMT

Ã€ ne surtout pas rater : le message d’accueil si vous venez avec mozilla ou firefox.

Tue, 06 Sep 2005 19:52:07 +0000

J’ai croisÃ© un drÃ´le de personnage cet aprÃ¨s-midi dans le mÃ©tro. VÃ©tu d’un costume deux teintes dans un jean non commun, d’un chapeau et arborant une cravate assortie, il portait une pochette en cuir brillant. Un petit objet du format d’une carte de crÃ©dit Ã©tait pendu Ã la fermeture Ã©clair. IntriguÃ©, j’observais l’objet et j’ai vu une photo de Bush, un compteur de temps fonctionnant Ã rebour indiquant 1231 et l’inscription backwardbush.

Thu, 01 Sep 2005 19:11:51 +0000

La Caisse d’Ã©pargne comme toutes les banques propose un site web pour gÃ©rer ses comptes. On peut y faire des opÃ©rations courantes comme les virements et mÃªme (enfin sous certaines conditions) vendre et acheter des SICAVs et autres obligations.
L’ensemble du site est utilisable sous Firefox sauf un seul champ dans un formulaire. Malheureusement il s’agit du champ permettant de saisir le nombre d’objets Ã vendre ou Ã acheter (il ne rÃ©pond pas quand on clique). Bref, il n’est pas possible de passer un seul ordre sous Firefox (ou mozilla).

Comment recruter pour une conf de barbus

Thu, 01 Sep 2005 18:43:50 +0000

Imaginez que vous deviez faire de la publicitÃ© pour une confÃ©rence sur un langage. Pas facile non ? Trouver un angle d’attaque original et attractif semble assez difficile, mais il suffit de penser Ã des choses universelles :

Le retour du netstat en furie

Thu, 01 Sep 2005 16:15:46 +0000

Allez cette fois-ci je ne pars pas dans un dÃ©lire mais je vais vous donner de la matiÃ¨re. En travaillant sur le client windows pour nufw, j’ai trouvÃ© une page sur le site de la respectable sociÃ©tÃ© HSC. Ils dÃ©crivent de maniÃ¨re prÃ©cise certains des problÃ¨mes relatif Ã netstat. Cela va s’en dire qu’il s’agit des problÃ¨mes rencontrÃ©s avant d’avoir virÃ© la dame pipi. L’article est trÃ¨s technique et trÃ¨s sÃ©rieux donc prÃ©voyez un peu de temps avant de le lire (quelques mois si vous n’Ãªtes pas informaticien, le temps d’apprendre les bases 😉 .
Je profite de cette brÃ¨ve pour tirer mon chapeau Ã l’auteur, Jean-Baptiste Marchand. j’aurais sans doute eu du mal Ã rester aussi calme et impartial en rÃ©digeant un tel texte.

Sun, 28 Aug 2005 18:54:43 +0000

La seule diffÃ©rence entre des paquets IP et des poupÃ©es russes, c’est qu’il faut Ãªtre un geek pour connaÃ®tre et apprÃ©cier l’encapsulation IP qui est souvent transparente pour l’utilisateur.
J’ai rÃ©cemment rÃ©alisÃ© une configuration me permettant de relever mes mails depuis une connexion WiFi anonyme. Le cahier des charges est simple, je ne veux pas toucher Ã la configuration de mon logiciel de mail, et je ne veux pas ouvrir de port sur mon firewall depuis le VPN. Plusieurs Ã©tapes sont donc nÃ©cessaires pour parvenir Ã mes fins. La succession des encapsulations et transformations rÃ©seaux est alors la suivante :

De la surveillance et du paradoxe de la poule et de l’oeuf

Wed, 17 Aug 2005 20:02:59 +0000

Le logiciel MOM est un outil de monitoring. Ce logiciel renouvÃ¨le agrÃ©ablement le paradoxe de l’oeuf est de la poule : Pour monitorer un serveur on a besoin de pouvoir le joindre, donc de connaitre son adresse. Or, pour connaÃ®tre son adresse, MOM impose l’utilisation de la rÃ©solution de nom par l’Active Directory. Donc si on veut monitorer l’Active Directory, on a besoin de l’Active Directory. CÃ´t cÃ´t ! Euh pardon Gruik !!! Gruik !!!

Sun, 14 Aug 2005 10:00:50 +0000

J’ai rÃ©cemment Ã©voquÃ© le Windows 2003 SP1 DDK qui permait de compiler les pilotes de pÃ©riphÃ©riques sous Windows. Ce logiciel d’une taille de 220Mo est disponible gratuitement depuis un des sites de Microsoft, mais il n’est pas tÃ©lÃ©chargeable (Je sens que certains commencent Ã voir la suite).

Pensant avoir Ã faire Ã un envoi de CD du mÃªme type que celui qui avait eu lieu pour windows XP SP2, j’ai rempli les formulaires jusqu’Ã dÃ©couvrir que l’envoi du CD Ã©tait facturÃ© 25$ (voir la Saisie d’Ã©cran).

Introduction to Netfilter

Sat, 13 Aug 2005 13:22:17 +0000

This page is a try to show what is going on when you do filtering and network address translation.

Topology Example

We will work on the following example :

It’s a classical example, we’ve got a Local Area Network and a DeMilitarized Zone. A single computer (Admin, 192.168.1.18) in the LAN can directly go outside internet in http. We’ve got a single smtp server (SMTP, 1.2.3.18) in our DMZ.

Technical Articles (en)

Sat, 13 Aug 2005 13:09:06 +0000

Here you will find technical articles about Free Software.

In fact, as I am member of the EFICAAS research project. You will find here network and security oriented articles as well as developper oriented ones.

Atm bridging

Sat, 13 Aug 2005 12:53:13 +0000

What is it ?

ATM bridging (RFC2684) is mainly use in the scope of xDSL connections. It provides a convenient way to extend ethernet facility over ATM. The RFC 2684 â€œdescribes two encapsulations methods for carrying network interconnect traffic over AAL type 5 over ATMâ€. In clear, this explains how to encapsulate standard network traffic (such as ethernet) in ATM to carry them over long distance. For that we use AAL type 5, which is the data transfer protocol layer of ATM.

Netfilter Connmark

Sat, 13 Aug 2005 12:47:04 +0000

Introduction

CONNMARK is a cool feature of Netfilter. It provides a way to have a mark which is linked to the a connection tracking entry. Once a connmark is set, it also apply for RELATED connection entry. So, if you add a connmark to an FTP connection, the same connmark will be put of connections from ftp-data.

All Linux tools (for QoS or routing) are only able to use a mark put on packet. Thus, to be really useful, CONNMARK has the capability to transfer the connection mark to the packet mark (and reverse). This can be used to established connection persistent decision for QoS or routing.

Fri, 12 Aug 2005 20:16:23 +0000

Je vous entends tous dire :
“Et la marmotte, …”

J’en tiens pour preuve ce qu’il se passe lorsque j’ai lancÃ© build dans le rÃ©pertoire des drivers d’un projet respectable trouvÃ© sur internet (Celui-ci se contente de maniÃ¨re bien politiquement correcte d’inclure le Makefile du DDK et de lui faire confiance.)
DÃ¨s que la compilation se lance, la console est noyÃ©e sous les messages d’erreurs :
jvc command not found
Ne sachant pas ce que c’est jvc (jvc tÃ©lÃ©commande not found, j’aurais compris mais lÃ non), je googlize et apprends qu’il s’agit du compilateur Java de Microsoft.

Des paramÃ¨tres constants et autres fioritures

Fri, 12 Aug 2005 20:05:44 +0000

D’un cÃ´tÃ©, elle tient de Perl, il y a toujours plus d’un moyen de faire la mÃªme chose. Le problÃ¨me vient ici qu’il ne s’agit pas de trouver des solutions algorithmiques diffÃ©rentes Ã un mÃªme problÃ¨me mais qu’il y a de multiples systÃ¨mes parallÃ¨les pour effectuer une mÃªme tÃ¢che. Il s’ensuit une complexitÃ© inutile amplifiÃ© par la puissance de l’outil de recherche disponible sur MSDN.

L’histoire de netstat et de la dame pipi

Fri, 12 Aug 2005 19:26:40 +0000

Comme vous le savez peut-Ãªtre je suis l’un des developpeurs de NuFW. Ce magnifique parefeu authentifiant a besoin d’un client sur chaque poste de travail. Grosso modo c’est un netstat qui rÃ©cupÃ¨re la liste des paquets SYN (Pour ceux qui n’ont pas suivi, c’est un peu comme une dame pipi qui lÃ¨ve les yeux Ã chaque fois que quelqu’un entre). Bon bref, c’est au systÃ¨me d’exploitation ce que la balayette est aux toilettes : “on peut faire sans, mais Ã§a finit vite par Ãªtre vraiment sale.”.
Donc c’est le genre de trucs qui existent sur toutes les machines qui font du rÃ©seau (mÃªme Windows 95 Ã cette fonctionnalitÃ© si vous me passez la mÃ©taphore).

De l’avantage des fichiers plats

Fri, 12 Aug 2005 18:53:39 +0000

Nagios stocke bien entendu ses fichiers de configuration et son fichier de status dans des fichiers plats. Il est donc possible de les parser pour en extraire les informations. C’est ce que fait le projet Naupy qui fournit une classe PHP permetttant d’extraire les informations maintenues par Nagios.

Un blog de plus !

Fri, 12 Aug 2005 18:01:09 +0000

Bon, qu’est ce que c’est que ce blog de plus ?

C’est simple, c’est un site de plus qui nait pour pouvoir pousser des coups de gueule. Linuxien confirmÃ© et passionnÃ© je suis professionnellement de plus en plus confrontÃ© Ã l’OS de Redmond et Ã§a m’Ã©nerve au plus haut point. Passant du stade de “c’est de la merde mais je ne connais pas” Ã “Mais qu’est ce qu’ils nous ont encore fait!”, j’ai pas mal de choses Ã dire.

To Linux and beyond !

Nftables port knocking

Updated status in vim and bash

Powerline

Out of [name]space issue

Introduction

My “Kernel packet capture technologies” talk at KR2015

Elasticsearch, systemd and Debian Jessie

Slides of my talks at Lecce

Efficient search of string in a list of strings in Python

Introduction

Slides of my nftables talk at Kernel Recipes

Using DOM with nftables

DOM and SSH honeypot

Using DOM with nftables

pshitt: collect passwords used in SSH bruteforce

Introduction

Let’s talk about SELKS

Playing with python-git

Introduction

Slides of my coccigrep lightning talk at HES2014

Speeding up scapy packets sending

Sending packets with scapy

Suricata and Ulogd meet Logstash and Splunk

Some progress on the JSON side

Nftables and the Netfilter logging framework

Nftables logging

Logging connection tracking event with ulogd

Motivation

Suricata and Nftables

Iptables and suricata as IPS

Using ulogd and JSON output

Ulogd and JSON output

Investigation on an attack tool used in China

Log analysis experiment

Why you will love nftables

Linux 3.13 is out

A bit of logstash cooking

Introduction

What’s new in ulogd 2.0.3

New features in ulogd 2.0.3 release

Database framework update

Postgresql update

Using linux perf tools for Suricata performance analysis

Introduction

Logstash and Suricata for the old guys

Introduction

A bit of fun with IPv6 setup

Talk about nftables at Kernel Recipes 2013

Adding a force build to all builders

Using tc with IPv6 and IPv4

Nftables quick howto

Introduction

Building nftables

Libraries

Some ulogd db improvements

Some new features

Netfilter and the NAT of ICMP error messages

The problem

A month in the life of Debian in 2000 and 2012

Visualizing Debian packages upload

WiFi interface and suricata AF_PACKET IPS mode

Not usual setup can lead to surprise

Jan Engelhardt, â€œMerge Meâ€

Xtables2

NFWS group photo

Tomasz Bursztyka, connMan usage of Netfilter

Introduction

Discussion

Jozsef Kadlecsik, ipset status

Tc interaction

Packet and byte counters

Pablo Neira Ayuso, nftables strikes back

Introduction

Architecture

Simon Horman, MPLS Enlightened Open vSwitch

Victor Julien, Suricata and Netfilter

Pablo Neira Ayuso, Netfilter summary of changes since last workshop

Martin Topholm: DDoS experiences with Linux and Netfilter

David Miller: routing cache is dead, now what ?

Jan Engelhardt, â€œMerge Meâ€