Security on To Linux and beyond !

pshitt: collect passwords used in SSH bruteforce

Thu, 26 Jun 2014 08:41:02 +0000

Introduction

I’ve been playing lately on analysis SSH bruteforce caracterization. I was a bit frustrated of just getting partial information:

ulogd can give information about scanner settings
suricata can give me information about software version
sshd server logs shows username

But having username without having the password is really frustrating.

So I decided to try to get them. Looking for a SSH server honeypot, I did find kippo but it was going too far for me
by providing a fake shell access. So I’ve decided to build my own based on paramiko.

Logging connection tracking event with ulogd

Sun, 23 Feb 2014 17:11:30 +0000

Motivation

I’ve recently met @aurelsec and we’ve discussed about the interest of logging connection tracking entries. This is indeed a undervalued information source in a network.

Quoting Wikipedia: “Connection tracking allows the kernel to keep track of all logical network connections or sessions, and thereby relate all of the packets which may make up that connection. NAT relies on this information to translate all related packets in the same way, and iptables can use this information to act as a stateful firewall.”

Using ulogd and JSON output

Sun, 02 Feb 2014 16:39:34 +0000

Ulogd and JSON output

In February 2014, I’ve commited a new output plugin to ulogd, the userspace logging daemon for Netfilter. This is a JSON output plugin which output logs into a file in JSON format. The interest of the JSON format is that it is easily parsed by software just as logstash. And once data are understood by logstash, you can get some nice and useful dashboard in Kibana:

Investigation on an attack tool used in China

Sun, 02 Feb 2014 15:28:32 +0000

Log analysis experiment

I’ve been playing lately with logstash using data from the ulogd JSON output plugin and the Suricata full JSON output as well as standard system logs.

Ulogd is getting Netfilter firewall logs from Linux kernel and is writing them in JSON format. Suricata is doing the same with alert and other traces. Logstash is getting both log as well as sytem log. This allows to create some dashboard with information coming from multiple sources. If you want to know how to configure ulogd for JSON output check this post. For suricata, you can have a look at this one.

Logstash and Suricata for the old guys

Mon, 28 Oct 2013 10:47:31 +0000

Introduction

logstash an opensource tool for managing events and logs. It is using elasticsearch for the storage and has a really nice interface named Kibana. One of the easiest to use entry format is JSON.

Suricata is an IDS/IPS which has some interesting logging features. Version 2.0 will feature a JSON export for all logging subsystem. It will then be possible to output in JSON format:

HTTP log
DNS log
TLS log
File log
IDS Alerts

For now, only File log is available in JSON format. This extract meta data from files transferred over HTTP.

Netfilter and the NAT of ICMP error messages

Wed, 24 Apr 2013 22:30:00 +0000

The problem

I’ve been recently working for a customer which needed consultancy because of some unexplained Netfilter behaviors related to ICMP error messages. He authorizes me to share the result of my study and I thank him for making this blog entry possible.
His problem was that one of his firewalls is using a private interconnexion with their border router and the customer did not manage to NAT all outgoing ICMP error messages.

Martin Topholm: DDoS experiences with Linux and Netfilter

Mon, 11 Mar 2013 10:54:17 +0000

Martin is working for one.com a local ISP and is facing some DDoS. SYN cookie was implemented but the performance were too low with performance below 300kpps which is not what was expected. In fact SYN is on a slow path with a single spin lock protecting the SYN backtrack queue. So the system behave like a single core system relatively to SYN attacks.

Jesper Dangaard Brouer has proposed a patch to move the syn cookie out of the lock but it has some downside and could not be accepted. In particular, the syncookie system needs to check every type of packet to see if they belong to a previous syn cookie response and thus a central point is needed.

Eric Leblond: ulogd2, Netfilter logging reloaded

Mon, 11 Mar 2013 07:30:30 +0000

Introduction

I’ve made yesterday a presentation of ulogd2 at Open Source Days in Copenhagen. After a brief history of Netfilter logging, I’ve described the key features of ulogd2 and demonstrate two interfaces, nf3d and djedi.

The slides are available:
Ulogd2, Netfilter logging reloaded.

Screencasts

This video demonstrates some features of nf3d:

This screencast is showing some of the capabilities of djedi:

Thanks a lot to the organizers for this cool event.

Tomasz Bursztyka, ConnMan usage of Netfilter: a close overview

Sun, 10 Mar 2013 15:36:08 +0000

Introduction

ConnMan is a connection manager which integrate all critical networking components. It provides a smart D-Bus API to develop an User Interface. It is plugin oriented and all different network stacks are implemented in different modules.
Connection sharing (aka tethering) is using Netfilter to setup NAT masquerading. So it is a simple usage.

Switching to nftables

Application connectivity is a more advanced part involving Netfilter as it makes a use of statistics and differenciated routing. For example, in a car, service data must be sent to manufacturer operator and not on the owner network.

Julien Vehent, AFW: Automating host-based firewalls with Chef

Sun, 10 Mar 2013 15:12:52 +0000

The problem

Centralized firewall design does not scale well when dealing with a lot of servers. It begins to collapse after a few thousands rules.
Furthermore, to be able to have an application A to connect to server B, it would take a workflow and possibly 3 weeks to get the opening.

From Service Oriented Architecture to Service Oriented Security

Service are autonomous. They call each other using a standard protocol. The architecture is described by a list of dependencies between services.
You can then specify security via things like ACCEPT Caching TO Frontend ON PORT 80.
But this force you to do provisioning each time a server start.

Jozsef Kadlecsik, Faster firewalling with ipset

Sun, 10 Mar 2013 13:51:19 +0000

Why ipset ?

iptables is enough sufficient but in some cases limit are found:

High number of rules: iptables is linear
Need to change the rules often

Independant study available at d(a)emonkeeper’s purgatory has shown that the performance of ipset are almost constant with respect to the number of filtered hosts:

History

The originating project was ippool featuring a a basic set and after some time it has been taken over by Jozsef and renamed ipset. A lot of type of sets are now handled.

Patrick McHardy: Oops, I did it: IPv6 NAT

Sun, 10 Mar 2013 13:01:41 +0000

Introduction

Harald Welte when asked about IPv6 NAT was answering: “it will be over my dead body”. It is now available in official kernel.

Reasons for adding IPv6 NAT

Dynamic IPv6 Prefixes : ISP assigning dynamic IPv6 prefixes so Internal network address change. NAT can bring you stability.
Easier test setup.
Users are asking and most operating systems have it.

To resume the arguments of NAT, Patrick McHardy used this video:

Pablo Neira Ayuso: nftables, a new packet filtering framework for Netfilter

Sun, 10 Mar 2013 12:37:15 +0000

Introduction

nftable is a kernel packet filtering framework to replaces iptables. It brings no changes in the core (conntrack, hooks).

Match logic is changed: you fetch keys and once you have your key set, you make operation on them. Advanced and specialized matchs are built upon this system.

nftables vs iptables

In iptables, extension were coded in separate files and they must be put in iptables source tree. To act, they must modify on a binary array storing the ruleset and injecting it back to the kernel. So every update involve a full download and upload of the whole ruleset.

Ulogd 2.0.2, my first release as maintainer

Mon, 04 Mar 2013 00:13:13 +0000

Objectives of this release

So it is my first ulogd2 release as maintainer. I’ve been in charge of the project since 2012 October 30th and this was an opportunity for me to increase my developments on the project. Roadmap was almost empty so I’ve decided to work on issues that were bothering me as a user of the project. I’ve also included two features which are connection tracking event filtering and a Graphite output module. Ulogd is available on Netfilter web site

Some statistics about Suricata 1.4

Thu, 13 Dec 2012 16:11:00 +0000

A huge work

Suricata 1.4 has been released December 13th 2012 and it has been a huge work. The number of modifications is just impressing:

390 files changed, 25299 insertions(+), 11982 deletions(-)

The following video is using gource to display the evolution of Suricata IDS/IPS source code between version 1.3 and version 1.4. It only displays the modified files and do not show the files existing at start.

A collaborative work

A total of 11 different authors have participated to this release. The following graph generated by gitstats shows the number of lines of code by author:

The defense blues

Thu, 06 Dec 2012 13:02:39 +0000

Mother Nature has been really unfair with me. It has given me two strong interests in life: building things and information security. Once that was done, my doom was sealed and I’ve become a infosec defense guy. Nowadays this is one of the worst fate possible in computer science.

Today, this burden is really hard to wear. I know some of you will try to encourage me by saying this like:

A new unix command mode in Suricata

Tue, 18 Sep 2012 22:21:05 +0000

Introduction

I’ve been working for the past few days on a new Suricata feature. It is available in Suricata 1.4rc1.

Suricata can now listen to a unix socket and accept commands from the user. The exchange protocol is JSON-based and the format of the message has been done to be generic and it is described in this commit message. An example script called suricatasc is provided in the source and installed automatically when updating Suricata.

New AF_PACKET IPS mode in Suricata

Tue, 04 Sep 2012 20:53:53 +0000

A new Suricata IPS mode

Suricata IPS capabilities are not new. It is possible to use Suricata with Netfilter or ipfw to build a state-of-the-art IPS. On Linux, this system has not the best throughput performance. Patrick McHardy’s work on netlink: memory mapped I/O should bring some real improvement but this is not yet available.

I’ve thus decided to do an implementation of IPS based on AF_PACKET (read raw socket). The idea is based on one of the snort’s running mode. It peers two network interfaces and all packets received from one interface are sent to the other interface (if a signature with drop keyword does not fired on the packet). This requires to dedicate two network interfaces for Suricata but this provide a simple bridge system. As suricata is using latest AF_PACKET features (read load balancing), it was possible to build something really promising.

Suricata new TLS fingerprint and TLS store keywords.

Mon, 27 Aug 2012 17:10:49 +0000

Suricata TLS support

Victor Julien has just merged to main tree a branch containing some interesting new TLS related features. They have been contributed by me and Jean-Paul Roliers.

This patchset introduces TLS logging and brings some new keywords to Suricata engine.
Here’s the list of all TLS related keywords that are available in latest Suricata git:

tls.version: match on version of protocol
tls.subject: match on subject of certificate
tls.issuerdn: match on issuer DN of certificate
tls.fingerprint: match on SHA1 fingerprint of certificate
tls.store: store the certificate on disk

You will find detailed explanation below.

Flow accounting with Netfilter and ulogd2

Sat, 14 Jul 2012 21:11:44 +0000

Introduction

Starting with Linux kernel 3.3, there’s a new module called nfnetlink_acct.
This new feature added by Pablo Neira brings interesting accountig capabilities to Netfilter.
Pablo has made an extensive description of the feature in the commit.

System setup

We need to build a set of tools to get all that’s necessary:

libmnl
libnetfilter_acct
nfacct

The build is the same for all projects:

git clone git://git.netfilter.org/PROJECT
cd PROJECT
autoreconf -i
./configure
make
sudo make install

Opensvp, a new tool to analyse the security of firewalls using ALGs

Fri, 08 Jun 2012 13:34:07 +0000

Following my talk at SSTIC, I’ve released a new tool called opensvp. Its aim is to cover the attacks described in this talk. It has been published to be able to determine if the firewall policy related to Application Layer Gateways is correctly implemented.

Opensvp implements two type of attacks:

Abusive usage of protocol commands: an protocol message can be forged to open pinhole into firewall. Opensvp currently implements message sending for IRC and FTP ALGs.
Spoofing attack: if anti-spooofing is not correctly setup, an attacker can send command which result in arbitrary pinhole being opened to a server.

It has been developed in Python and uses scapy to implement the spoofing attack on ALGs.

Fri, 08 Jun 2012 10:26:13 +0000

Les transparents de ma prÃ©sentation du SSTIC sont disponibles : Utilisation malveillante des suivis de connexions. Merci aux organisateurs du SSTIC d’avoir acceptÃ© mon papier!

Des vidÃ©os de dÃ©monstration sont disponibles sur ce post: Playing with Network Layers to Bypass Firewalls’ Filtering Policy

L’outil de test openvsp est disponible sur cette page.

Playing with Network Layers to Bypass Firewalls’ Filtering Policy

Fri, 09 Mar 2012 22:02:38 +0000

The slides of my CansecWest talk can now be downloaded: Playing with Network Layers to Bypass Firewalls’ Filtering Policy.

The required counter-measures are described in the Secure use of iptables and connection tracking helpers document

The associated video demonstrations are available:

First video demonstrates how to use forged IRC protocol command (DCC request) to be able to open connection to a NATed client from internet.

<div>
  <p>
    Second video demonstrates the effect of the attack on helpers on a non protected Netfilter Firewall.
  </p>
  
  <p>
    </div> 
    
    <div>
      <p>
        Third video demonstrates the effect of the attack on helpers on a badly configured Checkpoint firewall.
      </p>
      
      <p>
        </div> 
        
        <p>
          More information will come in upcoming posts.
        </p>

Using AF_PACKET zero copy mode in Suricata

Thu, 23 Feb 2012 18:25:15 +0000

Victor Julien has just pushed a new feature to suricata’s git tree. It brings improvements to the AF_PACKET capture mode.

This capture mode can be used on Linux. It is the native way to capture packet. Suricata is able to use the interesting new multithreading feature provided by AF_PACKET on recent kernels: it is possible to have multiple capture threads receiving the packet of a single interface.

The commits add mmaped ring buffer support to AF_PACKET capture and also provide a zero copy mode. Mmaped ring buffer is mechanism similar to the one used by PF_RING. The kernel allocates some memory to store the packets and share this memory with the capture process. Instead of sending messages, the kernel just write to the shared memory and the process capture reads it. This is less consuming in term of CPU ressource and helps to increase the capture rate. But the main avantage of this technique is that the capture process can treat the packets without making a copy and this saves a lot of time

Ecosystem of Suricata

Mon, 13 Feb 2012 16:46:32 +0000

Suricata is an IDS/IPS engine. To build a complete solution, you will need to use other tools.

The following schema is a representation of a possible software setup in the case Suricata is used as IDS or IPS on the network. It only uses opensource components:

Suricata is used to sniff and analyse the traffic. To detect malicious traffic, it uses signatures (or rules). You can download a set of specialised rules from EmergingThreats.

Ã€ propos de la publication de code d’EdenWall

Thu, 01 Dec 2011 15:30:28 +0000

J’ai cofondÃ© la sociÃ©tÃ© INL en 2004. RenommÃ©e en 2009 EdenWall, suite Ã une levÃ©e de fonds et un changement de mÃ©tier,
le nouveau business model de la sociÃ©tÃ© fut la commercialisation d’appliances de sÃ©curitÃ© basÃ©es sur le logiciel libre NuFW
que j’avais initiÃ© en 2003. NuFW, couche logicielle ajoutant l’authentification des flux Ã Netfilter, est restÃ© le
moteur technologique de la sociÃ©tÃ© mais n’Ã©tait pas d’un accÃ¨s facile car nÃ©cessitant des compÃ©tences bas niveaux pour
son dÃ©ploiement. Nous avons donc distribuÃ© sous licence libre des briques complÃ©mentaires Ã partir de 2005. Nulog,
projet d’analyse de journaux, que j’avais commencÃ© en 2001 et Nuface, interface de configuration de politiques de
filtrage en 2005. La conclusion de cette dÃ©marche d’ouverture a Ã©tÃ© NuFirewall, une solution autonome de pare-feu
basÃ©e sur les briques EdenWall qui a Ã©tÃ© distribuÃ©e en 2010. Il s’agissait d’une version
libre des appliances EdenWall distribuÃ©e sous forme d’une distribution indÃ©pendante publiÃ©e sous licence GPL.
L’idÃ©e des fondateurs Ã©tait d’avoir une structure de produits similaires Ã une offre comme celle de VirtualBox avec
une distribution sous double licence : une solution libre convenant au plus grand nombre et une version avec des
fonctionnalitÃ©s Entreprise.

Securing Netfilter connection tracking helpers

Wed, 30 Nov 2011 09:57:02 +0000

Following the presentation I’ve made during the 8th Netfilter Workshop, it was decided to write a document containing the best practices for a secure use of iptables and connection tracking helpers.

This document called “Secure use of iptables and connection tracking helpers” is now available on this site. It contains recommendations that should be followed carefully if you are the administrator of a Netfilter/Iptables or the developer of a Netfilter based software.

Acquisition systems and running modes evolution of Suricata

Thu, 06 Oct 2011 23:06:24 +0000

Some new features have recently reach Suricata’s git tree and will be available in the next development release. I’ve worked on some of them that I will describe here.

Multi interfaces support and new running modes

Configuration update

IDS live mode in suricata (pcap, pf_ring, af_packet) now supports the capture on multiple interfaces. The syntax of the YAML configuration file has evolved and it is now possible to set per-interface variables.

For example, it is possible to define pfring configuration with the following syntax:

Slides of my Suricata talk at Libre Software Meeting

Wed, 13 Jul 2011 08:55:15 +0000

I gave a talk about Suricata entitled Suricata, rethinking IDS/IPS at Libre Software Meeting (RMLL in french). The slides can be downloaded from the RMLL website.

Thanks a lot to Christophe Brocas and Mathieu Blanc for the organisation of the security track of LSM.

About Suricata performance boost between 1.0 and 1.1beta2

Thu, 02 Jun 2011 19:45:03 +0000

Discovering the performance boost

When doing some coding on both 1.0 and 1.1 branch of suricata, I’ve remarked that there was a huge performance improvement of the 1.1 branch over the 1.0 branch. The parsing of a given real-life pcap file was taking 200 seconds with 1.0 but only 30 seconds with 1.1. This performance boost was huge and I decide to double check and to study how such a performance boost was possible and how it was obtained:

Suricata conference at Solutions Linux 2011

Wed, 11 May 2011 20:18:59 +0000

I’ve gived today a presentation about Suricata at the Solutions Linux event. It was part of the security track presided by Herve Schauer.

The slides are in french and are available here: 2011_sollinux_suricata

Security on To Linux and beyond !

pshitt: collect passwords used in SSH bruteforce

Introduction

Logging connection tracking event with ulogd

Motivation

Using ulogd and JSON output

Ulogd and JSON output

Investigation on an attack tool used in China

Log analysis experiment

Logstash and Suricata for the old guys

Introduction

Netfilter and the NAT of ICMP error messages

The problem

Martin Topholm: DDoS experiences with Linux and Netfilter

Eric Leblond: ulogd2, Netfilter logging reloaded

Introduction

Screencasts

Tomasz Bursztyka, ConnMan usage of Netfilter: a close overview

Introduction

Switching to nftables

Julien Vehent, AFW: Automating host-based firewalls with Chef

The problem

From Service Oriented Architecture to Service Oriented Security

Jozsef Kadlecsik, Faster firewalling with ipset

Why ipset ?

History

Patrick McHardy: Oops, I did it: IPv6 NAT

Introduction

Reasons for adding IPv6 NAT

Pablo Neira Ayuso: nftables, a new packet filtering framework for Netfilter

Introduction

nftables vs iptables

Ulogd 2.0.2, my first release as maintainer

Objectives of this release

Some statistics about Suricata 1.4

A huge work

A collaborative work

The defense blues

A new unix command mode in Suricata

Introduction

New AF_PACKET IPS mode in Suricata

A new Suricata IPS mode

Suricata new TLS fingerprint and TLS store keywords.

Suricata TLS support

Flow accounting with Netfilter and ulogd2

Introduction

System setup

Opensvp, a new tool to analyse the security of firewalls using ALGs

Transparents de ma prÃ©sentation au SSTIC

Playing with Network Layers to Bypass Firewalls’ Filtering Policy

Using AF_PACKET zero copy mode in Suricata

Ecosystem of Suricata

Ã€ propos de la publication de code d’EdenWall

Securing Netfilter connection tracking helpers

Acquisition systems and running modes evolution of Suricata

Multi interfaces support and new running modes

Configuration update

Slides of my Suricata talk at Libre Software Meeting

About Suricata performance boost between 1.0 and 1.1beta2

Discovering the performance boost

Suricata conference at Solutions Linux 2011