Opensvp, a new tool to analyse the security of firewalls using ALGs

Following my talk at SSTIC, I’ve released a new tool called opensvp. Its aim is to cover the attacks described in this talk. It has been published so that you can determine whether the firewall policy related to Application Layer Gateways (ALGs) is correctly implemented.

Opensvp implements two types of attacks:

  • Abusive usage of protocol commands: a protocol message can be forged to open a pinhole in the firewall. Opensvp currently implements message sending for the IRC and FTP ALGs.
  • Spoofing attack: if anti-spoofing is not correctly set up, an attacker can send a command which results in an arbitrary pinhole being opened to a server.

It has been developed in Python and uses Scapy to implement the spoofing attack on ALGs.

For usage and download, have a look at the opensvp page. The attack against helpers is described in the README of opensvp.

The document “Secure use of iptables and connection tracking helpers” was published some months ago; it describes how to protect a Netfilter firewall when using connection tracking helpers (the Netfilter name for ALGs).

Slides of my SSTIC presentation

The slides of my SSTIC presentation are available: Utilisation malveillante des suivis de connexions. Thanks to the SSTIC organizers for having accepted my paper!

Demo videos are available in this post: Playing with Network Layers to Bypass Firewalls’ Filtering Policy

The opensvp test tool is available on this page.

Using Scapy lfilter

Scapy BPF filtering does not work when some exotic interfaces are used. This includes VirtualBox interfaces such as vboxnet.

For example, the following code will not work if the interface is a VirtualBox interface:

from scapy.all import sniff

# BPF filter handed to libpcap; it is not applied on some virtual interfaces.
# ip, iface and callback are defined elsewhere in the script.
build_filter = "src host %s and src port 21" % ip
sniff(iface=iface, prn=callback, filter=build_filter)

To fix this, you can use the lfilter option. The filtering is then done inside Scapy itself: this is more powerful but less efficient.

The code can be modified like this:

from scapy.all import IP, TCP, sniff

# Python-side filter called on every captured packet: keep only TCP packets
# sent from port 21 by ip. ("lambda (r):" was Python 2 only syntax.)
build_lfilter = lambda r: TCP in r and r[TCP].sport == 21 and r[IP].src == ip
sniff(iface=iface, prn=callback, lfilter=build_lfilter)

Thanks a lot to Guillaume Valadon for the tip!

Doing miracles with darktable and gimp

I’ve worked on a picture of a Volkswagen Beetle using Darktable and Gimp for post-processing. Both tools are free software. Darktable is for now available on Linux and Mac OS X, while Gimp is available for most platforms.

The picture was taken during autumn 2011 in San Francisco. It features an old Volkswagen Beetle in a parking lot near a house. There is an old cover on the car, which gives it a strange pirate look. The picture straight out of the camera is the following:

A Beetle is a fun car and I did not want to make a sad picture from this photograph. I thus decided to do my best to transform the original picture into a shiny, colorful seventies-spirit image. Most technical parameters of the RAW file are correct: the exposure is almost right if we omit some highlights, and sharpness is there too. It is thus a good basis to work on.

The main problem with the image is that the car is dark. To lighten the dark parts of an image, one of the best tools in darktable is “shadows and highlights”.

Just activating it with default settings is enough to improve the situation, but here we need to increase the effect. I thus set the shadow value to something like 170% to get a really bright car. The colors became lighter but not flashy enough. I then used the “color zones” filter to boost the color of the car by increasing the saturation of the car’s main color. I also increased the lightness in the blues to get a less dark house.

This was enough to get what I wanted in terms of color, but I also wanted to give an oldies look to the picture. For that, I used the soften filter:

I did not do much custom tuning here, just changing the size parameter.

The result was matching my expectation:

Hmmm, almost matching. The sunlight makes a too-bright zone in front of the car. I thus decided to use Gimp to locally decrease the lightness in that zone.

I opened the JPEG export in Gimp and used the “Fuzzy Select tool” (with the “Feather edges” option enabled) to select the highlight zone. I copied this selection into a new layer and simply decreased the lightness of the extracted zone.

The result was an old but shiny Beetle. You can see it on 500px:

Back to the seventies. by Eric Leblond (regit) on 500px.com

Building Suricata for OpenBSD 4.9 and over

It seems OpenBSD upgrades are done to give maintenance work to the developers of third-party applications. In a way, OpenBSD fights the economic crisis: it gives jobs to developers, and if you want some performance you need a powerful, thus new, computer.

Let’s stop bashing and be serious: Suricata was building fine on OpenBSD 4.8 but the build was failing on subsequent versions. This was linked to an include modification around the “socket.h” file: it is now mandatory to include “types.h” before “socket.h” to avoid a compilation error. The patch 0001-Fix-OpenBSD-compilation.patch.gz fixes the build.

I’ve also updated my Building Suricata under OpenBSD post, which explains the installation of the dependencies that are now mandatory since Suricata 1.2.

Playing with Network Layers to Bypass Firewalls’ Filtering Policy

The slides of my CansecWest talk can now be downloaded: Playing with Network Layers to Bypass Firewalls’ Filtering Policy.

The required counter-measures are described in the Secure use of iptables and connection tracking helpers document.

The associated video demonstrations are available:

The first video demonstrates how a forged IRC protocol command (DCC request) can be used to open a connection to a NATed client from the Internet.

The second video demonstrates the effect of the attack on helpers on an unprotected Netfilter firewall.

The third video demonstrates the effect of the attack on helpers on a badly configured Checkpoint firewall.

More information will come in upcoming posts.

Using AF_PACKET zero copy mode in Suricata

Victor Julien has just pushed a new feature to Suricata’s git tree. It brings improvements to the AF_PACKET capture mode.

This capture mode can be used on Linux, where it is the native way to capture packets. Suricata is able to use the interesting new multithreading feature provided by AF_PACKET on recent kernels: multiple capture threads can receive the packets of a single interface.

The commits add mmapped ring buffer support to the AF_PACKET capture and also provide a zero copy mode. The mmapped ring buffer is a mechanism similar to the one used by PF_RING: the kernel allocates some memory to store the packets and shares this memory with the capture process. Instead of sending messages, the kernel just writes to the shared memory and the capture process reads it. This consumes fewer CPU resources and helps to increase the capture rate. But the main advantage of this technique is that the capture process can handle the packets without making a copy, and this saves a lot of time.

To activate these features, you need a Suricata compiled from the latest git and you need to modify some entries in your suricata.yaml file. You have to tell Suricata that you want to activate the mmap feature. For example, to activate it on eth0, add ‘use-mmap’ to your configuration:
[code]
af-packet:
  - interface: eth0
    use-mmap: yes
[/code]

You can then run Suricata with the command:

suricata -c suricata.yaml --af-packet=eth0

This setup will not activate the zero copy feature, which currently depends on the running mode. You will need to activate the workers mode to enable zero copy. To do so, run Suricata with a command similar to this one:

suricata -c suricata.yaml --af-packet=eth0 --runmode=workers

This code should provide an interesting performance boost to the AF_PACKET capture system. I have no numbers to provide now but I will be happy to hear some if you run tests.

Ecosystem of Suricata

Suricata is an IDS/IPS engine. To build a complete solution, you will need to use other tools.

The following diagram is a representation of a possible software setup when Suricata is used as an IDS or IPS on the network. It only uses open source components:

Suricata is used to sniff and analyse the traffic. To detect malicious traffic, it uses signatures (or rules). You can download a set of specialised rules from EmergingThreats.

To analyse the alerts generated by Suricata, you will need an interface such as, for example, snorby.

But this interface needs access to the data. This is done by storing the alerts in a database. The database can be fed by barnyard2, which reads the unified2 files written by Suricata, converts them and sends them to a database (or to some other format).

If you want counter-measures to be taken (such as blocking an attacker for a while at the firewall level), you can use snortsam.

More complex setups can include interactions with a SIEM solution.

About the publication of EdenWall’s code

I co-founded the company INL in 2004. Renamed EdenWall in 2009, following a round of funding and a change of business, the company’s new business model was selling security appliances based on the free software NuFW, which I had started in 2003. NuFW, a software layer adding flow authentication to Netfilter, remained the company’s technological engine, but it was not easy to adopt since deploying it required low-level skills. From 2005 we therefore released complementary components under free licences: Nulog, a log analysis project I had started in 2001, and Nuface, a filtering policy configuration interface, in 2005. The conclusion of this opening process was NuFirewall, a standalone firewall solution based on the EdenWall components, released in 2010. It was a free version of the EdenWall appliances, distributed as an independent distribution published under the GPL. The founders’ idea was to have a product structure similar to an offering such as VirtualBox’s, with a dual-licensed distribution: a free solution suitable for most people and a version with Enterprise features.

Following a chain of unfortunate events, EdenWall went bankrupt during 2011. The various free software projects were then left orphaned. The FSF, together with some of the company’s former developers, decided to coordinate the effort to take over the various free software projects. I had fought for the publication of these components and solutions, and I was therefore very enthusiastic about the idea of setting up a site hosting what had been published under a free licence. That is what I express in the quotation in the FSF press release.

However, it is the major part of EdenWall’s code that has been published. This publication may be valid from a legal standpoint, as explained in the FSF press release, but it does not reflect my personal moral position at all. I therefore do not endorse this global publication, only the takeover of the NuFW and NuFirewall projects and, more generally, of the code that EdenWall had already published under a free licence.

Securing Netfilter connection tracking helpers

Following the presentation I’ve made during the 8th Netfilter Workshop, it was decided to write a document containing the best practices for a secure use of iptables and connection tracking helpers.

This document, called “Secure use of iptables and connection tracking helpers”, is now available on this site. It contains recommendations that should be followed carefully if you are the administrator of a Netfilter/iptables firewall or the developer of Netfilter-based software.
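The two attack classes that opensvp exercises (a forged FTP PORT or IRC DCC command, and the spoofed command that opens an arbitrary pinhole) both come down to one decision a helper makes: whether the address advertised inside the payload may differ from the address of the host that sent it. The following Python is an added example, not code from opensvp or from the Netfilter helpers, modelling that decision for both protocols. It parses the command the way an ALG does and refuses to create an expectation when the advertised address is not the sender’s own, which is the check the Linux ftp helper applies unless it is loaded with loose=1 and the irc helper applies unconditionally. The names Expectation, helper_expectation, parse_port_command and parse_dcc, the privileged-port refusal, and the sample addresses and payloads are all this example’s own assumptions.

```python
"""Model of the address check a connection tracking helper (ALG) should make
before opening a pinhole. Added example, not opensvp or Netfilter code; all
names, addresses and payloads below are constructed for illustration."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# "PORT h1,h2,h3,h4,p1,p2" (RFC 959): four address octets, port = p1*256 + p2
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
# CTCP "DCC SEND <file> <ip as integer> <port> ..." or "DCC CHAT chat <ip> <port>"
DCC_RE = re.compile(r"\x01DCC (?:SEND|CHAT) \S+ (\d+) (\d+)")


@dataclass(frozen=True)
class Expectation:
    """A pinhole the firewall would open: allowed_src may connect to dst:dport.
    allowed_src is "any" for DCC because the peer that will connect is unknown."""
    proto: str
    allowed_src: str
    dst: str
    dport: int


def parse_port_command(payload: str) -> Optional[Tuple[str, int]]:
    """Return (ip, port) advertised by an FTP PORT command, or None if malformed."""
    m = PORT_RE.match(payload)
    if m is None:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_dcc(payload: str) -> Optional[Tuple[str, int]]:
    """Return (ip, port) advertised by a DCC CHAT/SEND request, or None."""
    m = DCC_RE.search(payload)
    if m is None:
        return None
    ip_int, port = int(m.group(1)), int(m.group(2))
    if ip_int > 0xFFFFFFFF or port > 65535:
        return None
    return str(ipaddress.IPv4Address(ip_int)), port


def helper_expectation(proto: str, conn_src: str, conn_dst: str,
                       payload: str, loose: bool = False) -> Optional[Expectation]:
    """Decide whether a helper would open a pinhole for this command.

    conn_src/conn_dst are the addresses of the control connection as seen by
    the firewall. With loose=False the advertised address must equal conn_src;
    a command advertising another host is the forged-command case and is
    dropped. loose=True reproduces the permissive behaviour in which the
    pinhole is opened towards whatever host the payload names.
    The refusal of privileged ports is this example's own extra check.
    """
    if proto == "ftp":
        parsed = parse_port_command(payload)
        allowed_src = conn_dst          # the FTP server connects back to the client
    elif proto == "irc":
        parsed = parse_dcc(payload)
        allowed_src = "any"             # any peer may connect to the DCC listener
    else:
        raise ValueError(f"no helper for {proto}")
    if parsed is None:
        return None
    addr, port = parsed
    if port < 1024:
        return None
    if not loose and addr != conn_src:
        return None
    return Expectation(proto, allowed_src, addr, port)


if __name__ == "__main__":
    # Constructed sample: client 10.0.0.5 behind the firewall talks to an FTP
    # server (198.51.100.1) and an IRC server (198.51.100.2) on the outside.
    print(helper_expectation("ftp", "10.0.0.5", "198.51.100.1", "PORT 10,0,0,5,4,1"))
    print(helper_expectation("ftp", "10.0.0.5", "198.51.100.1", "PORT 10,0,0,9,4,1"))
    print(helper_expectation("irc", "10.0.0.5", "198.51.100.2",
                             "PRIVMSG bob :\x01DCC CHAT chat 167772165 1026\x01"))
```

Running the script prints an expectation for the first PORT command, None for the second (the payload names 10.0.0.9 while the sender is 10.0.0.5), and an expectation towards 10.0.0.5:1026 for the DCC request. Passing loose=True on the second call shows the behaviour the “Secure use” document warns against: the pinhole is opened to a host that never sent anything.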