Defend your network from Microsoft Word upload with Suricata and Netfilter

Introduction Some time ago, I blogged about the new IPS features in Suricata 1.1 and did not find at the time any killer application for the nfq_set_mark keyword. When using Suricata in Netfilter IPS mode, this keyword sets the Netfilter mark on the packet when a rule matches. This mark can then be used by Netfilter or by other network subsystems to differentiate the treatment applied to the packet. ...

October 9, 2012 · 6 min · Regit

A new unix command mode in Suricata

Introduction I've been working for the past few days on a new Suricata feature. It is available in Suricata 1.4rc1. Suricata can now listen on a unix socket and accept commands from the user. The exchange protocol is JSON-based; the message format was designed to be generic and is described in this commit message. An example script called suricatasc is provided in the source and installed automatically with Suricata. ...
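The exchange over the unix socket, as an added example that is not part of the original post and not the suricatasc script shipped with Suricata. It follows the message shapes I know from suricatasc: the client opens with a version object and expects {"return": "OK"}, then sends {"command": ..., "arguments": {...}} and reads back {"return": "OK"|"NOK", "message": ...}. The version string "0.1", the command names handled by the fake server, and the fake server itself (used so the example runs offline) are assumptions; the real socket path defaults to somewhere under /var/run/suricata/ and is set in suricata.yaml.

```python
"""Minimal client for Suricata's JSON-over-unix-socket command protocol.

Added example. The fake Suricata side below is constructed for the demo;
message contents and the "0.1" handshake version are assumptions.
"""
import json
import socket
import threading

PROTOCOL_VERSION = "0.1"  # assumed handshake version for Suricata 1.4


class SuricataSocketError(RuntimeError):
    pass


class JsonSocket:
    """Framing shared by both ends: one JSON object per message, no delimiter."""

    def __init__(self, sock):
        self.sock = sock
        self.buf = ""

    def send_json(self, obj):
        self.sock.sendall(json.dumps(obj).encode("utf-8"))

    def recv_json(self):
        decoder = json.JSONDecoder()
        while True:
            try:
                obj, end = decoder.raw_decode(self.buf)
            except ValueError:            # incomplete object so far, read more
                chunk = self.sock.recv(4096)
                if not chunk:
                    raise SuricataSocketError("connection closed by peer")
                self.buf += chunk.decode("utf-8")
                continue
            self.buf = self.buf[end:].lstrip()   # keep any following message
            return obj


class SuricataClient(JsonSocket):
    @classmethod
    def connect(cls, path):
        s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        s.connect(path)
        client = cls(s)
        client.handshake()
        return client

    def handshake(self):
        self.send_json({"version": PROTOCOL_VERSION})
        reply = self.recv_json()
        if reply.get("return") != "OK":
            raise SuricataSocketError("version refused: %r" % (reply,))

    def command(self, name, arguments=None):
        msg = {"command": name}
        if arguments:
            msg["arguments"] = arguments
        self.send_json(msg)
        reply = self.recv_json()
        if reply.get("return") != "OK":
            raise SuricataSocketError(str(reply.get("message", "command failed")))
        return reply.get("message")


def fake_suricata(conn, uptime=42):
    """Constructed stand-in for the engine side, only to exercise the client."""
    peer = JsonSocket(conn)
    try:
        if peer.recv_json().get("version") != PROTOCOL_VERSION:
            peer.send_json({"return": "NOK", "message": "unsupported version"})
            return
        peer.send_json({"return": "OK"})
        while True:
            req = peer.recv_json()
            cmd, args = req.get("command"), req.get("arguments", {})
            if cmd == "uptime":
                peer.send_json({"return": "OK", "message": uptime})
            elif cmd == "pcap-file" and {"filename", "output-dir"} <= set(args):
                peer.send_json({"return": "OK", "message": "Successfully added file to list"})
            else:
                peer.send_json({"return": "NOK", "message": "Unknown command %s" % cmd})
    except SuricataSocketError:
        pass                                  # client went away
    finally:
        conn.close()


def demo():
    """Run a full exchange over a socketpair; returns the client-side results."""
    a, b = socket.socketpair()
    t = threading.Thread(target=fake_suricata, args=(b,), daemon=True)
    t.start()
    client = SuricataClient(a)
    client.handshake()
    results = {"uptime": client.command("uptime")}
    results["pcap"] = client.command("pcap-file",
                                     {"filename": "/tmp/x.pcap", "output-dir": "/tmp/out"})
    try:
        client.command("bogus")
        results["bogus"] = None
    except SuricataSocketError as e:
        results["bogus"] = str(e)
    a.close()
    t.join(timeout=2)
    return results
```

Against a real engine you would use SuricataClient.connect(path) instead of the socketpair; everything after the handshake is identical. Note that the protocol has no length prefix, so the receive side must accumulate bytes until a complete JSON object decodes, which is what recv_json does.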

September 18, 2012 · 4 min · Regit

Coccigrep improved func operation

Coccigrep 1.11 is now available and mainly features improvements related to the func search. The func operation can be used to search where a structure is used as the argument of a function. For example, to search where Packet structures are freed inside the Suricata project, one can run:
$ coccigrep -t Packet -a "SCFree" -o func src/
src/alert-unified2-alert.c:1156 (Packet *p): SCFree(p);
src/alert-unified2-alert.c:1161 (Packet *p): SCFree(p);
...
src/alert-unified2-alert.c:1368 (Packet *pkt): SCFree(pkt);
...

September 10, 2012 · 1 min · Regit

New AF_PACKET IPS mode in Suricata

A new Suricata IPS mode Suricata IPS capabilities are not new. It is possible to use Suricata with Netfilter or ipfw to build a state-of-the-art IPS. On Linux, this setup does not have the best throughput. Patrick McHardy's work on netlink memory-mapped I/O should bring real improvement, but it is not yet available. I have thus decided to implement an IPS mode based on AF_PACKET (read: raw sockets). The idea is based on one of Snort's running modes. It peers two network interfaces, and all packets received on one interface are sent out on the other (unless a signature with the drop keyword fired on the packet). This requires dedicating two network interfaces to Suricata, but it provides a simple bridge. As Suricata uses the latest AF_PACKET features (read: load balancing), it was possible to build something really promising. ...

September 4, 2012 · 4 min · Regit

Suricata new TLS fingerprint and TLS store keywords

Suricata TLS support Victor Julien has just merged into the main tree a branch containing some interesting new TLS related features. They were contributed by me and Jean-Paul Roliers. This patchset introduces TLS logging and brings new keywords to the Suricata engine. Here is the list of all TLS related keywords available in the latest Suricata git:
tls.version: match on the protocol version
tls.subject: match on the subject of the certificate
tls.issuerdn: match on the issuer DN of the certificate
tls.fingerprint: match on the SHA1 fingerprint of the certificate
tls.store: store the certificate on disk
You will find detailed explanations below. ...
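Producing a value for tls.fingerprint from a certificate file, as an added example that is not part of the original post or of Suricata. It assumes what Suricata's documentation states for the keyword: the fingerprint is the SHA1 of the DER-encoded certificate, written as lowercase colon-separated hex pairs, compared case-sensitively. The rule header, the sid and the combination with tls.store are illustrative; the "certificate" bytes in the test are a constructed placeholder, since the fingerprint is simply the SHA1 over the DER bytes.

```python
"""Compute a certificate fingerprint in the form tls.fingerprint matches on.

Added example. The colon-separated lowercase SHA1 format follows the Suricata
documentation for tls.fingerprint; rule header and sid are illustrative.
"""
import base64
import hashlib
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
FINGERPRINT_RE = re.compile(r"^(?:[0-9a-f]{2}:){19}[0-9a-f]{2}$")


def pem_to_der(pem: str) -> bytes:
    """Extract the first CERTIFICATE block of a PEM file and base64-decode it."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def make_pem(der: bytes) -> str:
    """Wrap DER bytes in a PEM envelope (used to build a constructed sample)."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body


def sha1_fingerprint(der: bytes) -> str:
    """SHA1 over the DER certificate, as 20 lowercase hex pairs joined by ':'."""
    digest = hashlib.sha1(der).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def is_valid_fingerprint(value: str) -> bool:
    """Sanity check before putting a fingerprint into a rule: the keyword is
    case-sensitive, so uppercase or a missing byte will silently never match."""
    return FINGERPRINT_RE.match(value) is not None


def fingerprint_rule(der: bytes, msg: str, sid: int, action: str = "alert") -> str:
    """Emit a rule that fires on this exact certificate and stores it on disk."""
    fp = sha1_fingerprint(der)
    assert is_valid_fingerprint(fp)
    return ('%s tls any any -> any any (msg:"%s"; tls.fingerprint:"%s"; '
            'tls.store; sid:%d; rev:1;)' % (action, msg, fp, sid))


def rule_from_pem_file(path: str, msg: str, sid: int) -> str:
    with open(path) as f:
        return fingerprint_rule(pem_to_der(f.read()), msg, sid)
```

openssl x509 -in cert.pem -noout -fingerprint -sha1 prints the same digest, but uppercase and with a "SHA1 Fingerprint=" prefix; is_valid_fingerprint rejects that form, which is the mistake worth catching before the rule is loaded.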

August 27, 2012 · 4 min · Regit

Minimal linux kernel config for Virtualbox

I was looking for a minimal Linux kernel configuration for a Virtualbox guest and only found some old ones. I thus decided to build some and publish them. They are available on github: regit-config. For now, the only published configurations are for Linux kernel 3.5:
config-3.5-vbox: A minimal Linux kernel config for Virtualbox
config-3.5-vbox-no-netfilter: Same as the previous config with Netfilter disabled

August 17, 2012 · 1 min · Regit

Run a build on all commits in a git branch

Sometimes you need to check that all the commits in a branch build correctly. For example, after a rebase it is possible that you or diff made a mistake during the operation. The build can be run against all commits of the current branch with the following one-liner (split here for readability):
for COMMIT in $(git log --reverse --format=format:%H origin/master..HEAD); do
    git checkout ${COMMIT}
    make -j8 1>/dev/null || { echo "Commit $COMMIT does not build"; break; }
done
The idea is trivial: we build the list of commits with git log using a simple format string (to get only the hash). We add the --reverse option to start from the oldest commit. For each commit, we check it out and run the build command. If the build fails, we exit the loop. ...

August 7, 2012 · 1 min · Regit

Set or unset define variables in Coccigrep

Following a discussion with the great Julia Lawall, she added a new feature to coccinelle: it is now possible to declare some variables as defined or undefined. This option has been added in coccigrep 1.9 and requires coccinelle 1.0-rc14. For example, take code like Suricata's, where a lot of unit tests are implemented. The structure of the code is the following:
REGULAR CODE
#ifdef UNITTESTS
TEST CODE
#endif
When searching the regular code, you don't want to be bothered by results found in the test code. To achieve this, you can pass the -U UNITTESTS option to coccigrep to tell it to consider the UNITTESTS variable undefined. If you want to define a variable, use the -D flag. ...

July 31, 2012 · 1 min · Regit

Suricata, to 10Gbps and beyond

Introduction Since the beginning of July 2012, the OISF team has access to a server where one interface receives mirrored real European traffic. When reading "some", think between 5Gbps and 9.5Gbps of constant traffic. That is around 1Mpps to 1.5Mpps (million packets per second) to study. The box itself is a standard server with the following characteristics:
CPU: One Intel(R) Xeon(R) CPU E5-2680 0 @ 2.70GHz (16 cores counting Hyperthreading)
Memory: 32GB
Capture NIC: Intel 82599EB 10-Gigabit SFI/SFP+
The objective is simple: run Suricata on this box and treat the whole traffic with a decent number of rules, with the constraint of not using any non-official system code (plain system and kernel, if we omit a driver). ...

July 30, 2012 · 9 min · Regit

Flow accounting with Netfilter and ulogd2

Introduction Starting with Linux kernel 3.3, there is a new module called nfnetlink_acct. This new feature, added by Pablo Neira, brings interesting accounting capabilities to Netfilter. Pablo has made an extensive description of the feature in the commit. System setup We need to build a set of tools to get everything necessary: libmnl, libnetfilter_acct and nfacct. The build is the same for all projects:
git clone git://git.netfilter.org/PROJECT
cd PROJECT
autoreconf -i
./configure
make
sudo make install
...

July 14, 2012 · 3 min · Regit

Opensvp, a new tool to analyse the security of firewalls using ALGs

Following my talk at SSTIC, I have released a new tool called opensvp. Its aim is to cover the attacks described in the talk. It has been published so that one can determine whether a firewall policy related to Application Layer Gateways is correctly implemented. Opensvp implements two types of attacks: Abusive usage of protocol commands: a protocol message can be forged to open a pinhole in the firewall. Opensvp currently implements message sending for the IRC and FTP ALGs. Spoofing attack: if anti-spoofing is not correctly set up, an attacker can send a command which results in an arbitrary pinhole being opened to a server. It has been developed in Python and uses scapy to implement the spoofing attack on ALGs. ...

June 8, 2012 · 1 min · Regit

Slides of my SSTIC presentation

The slides of my SSTIC presentation are available: Utilisation malveillante des suivis de connexions (malicious use of connection tracking). Thanks to the SSTIC organizers for accepting my paper! Demonstration videos are available in this post: Playing with Network Layers to Bypass Firewalls' Filtering Policy. The test tool opensvp is available on this page.

June 8, 2012 · 1 min · Regit

Using Scapy lfilter

Scapy BPF filtering does not work when some exotic interfaces are used. This includes VirtualBox interfaces such as vboxnet. For example, the following code will not work if the interface is a VirtualBox one:
build_filter = "src host %s and src port 21"
sniff(iface=iface, prn=callback, filter=build_filter)
To fix this, you can use the lfilter option. The filtering is then done inside Scapy. This is powerful but less efficient. The code can be modified like this: ...

June 7, 2012 · 1 min · Regit

Doing miracles with darktable and gimp

I have worked on a picture of a Volkswagen Beetle using Darktable and Gimp for post-processing. These two tools are freely available free software. Darktable is for now available on Linux and Mac OS X, while Gimp is available for most platforms. The picture was taken during autumn 2011 in San Francisco. It features an old Volkswagen Beetle in a parking lot near a house. There is an old cover on the car which gives it a strange pirate look. The picture straight out of the camera is the following: ...

April 28, 2012 · 2 min · Regit

Building Suricata for OpenBSD 4.9 and over

It seems OpenBSD upgrades are done to give maintenance work to the developers of third-party applications. In a way, OpenBSD fights the economic crisis: it gives jobs to developers, and if you want some performance you need a powerful, thus new, computer. Let's stop bashing and be serious: Suricata was building fine on OpenBSD 4.8 but the build was failing on subsequent versions. This was linked to an include modification around the "socket.h" file. It is now mandatory to include "types.h" before "socket.h" to avoid a compilation error. The patch 0001-Fix-OpenBSD-compilation.patch.gz fixes the build. ...

April 27, 2012 · 1 min · Regit

Playing with Network Layers to Bypass Firewalls’ Filtering Policy

The slides of my CanSecWest talk can now be downloaded: Playing with Network Layers to Bypass Firewalls' Filtering Policy. The required counter-measures are described in the Secure use of iptables and connection tracking helpers document. The associated video demonstrations are available:
The first video demonstrates how to use a forged IRC protocol command (DCC request) to open a connection from the internet to a NATed client.
The second video demonstrates the effect of the attack on helpers on an unprotected Netfilter firewall.
The third video demonstrates the effect of the attack on helpers on a badly configured Checkpoint firewall.
More information will come in upcoming posts.

March 9, 2012 · 1 min · Regit

Using AF_PACKET zero copy mode in Suricata

Victor Julien has just pushed a new feature to Suricata's git tree. It brings improvements to the AF_PACKET capture mode. This capture mode can be used on Linux; it is the native way to capture packets. Suricata is able to use the interesting new multithreading feature provided by AF_PACKET on recent kernels: it is possible to have multiple capture threads receiving the packets of a single interface. The commits add mmaped ring buffer support to the AF_PACKET capture and also provide a zero copy mode. The mmaped ring buffer is a mechanism similar to the one used by PF_RING. The kernel allocates some memory to store the packets and shares this memory with the capture process. Instead of sending messages, the kernel just writes to the shared memory and the capture process reads from it. This consumes less CPU and helps increase the capture rate. But the main advantage of this technique is that the capture process can treat the packets without making a copy, and this saves a lot of time ...

February 23, 2012 · 2 min · Regit

Ecosystem of Suricata

Suricata is an IDS/IPS engine. To build a complete solution, you will need other tools. The following schema represents a possible software setup where Suricata is used as an IDS or IPS on the network. It only uses open source components: Suricata is used to sniff and analyse the traffic. To detect malicious traffic, it uses signatures (or rules). You can download a set of specialised rules from Emerging Threats. ...

February 13, 2012 · 1 min · Regit

About the publication of EdenWall's code

I co-founded the company INL in 2004. Renamed EdenWall in 2009, following a funding round and a change of business, the company's new business model was selling security appliances based on the free software NuFW that I had started in 2003. NuFW, a software layer adding flow authentication to Netfilter, remained the company's technological engine but was not easy to get into, since deploying it required low-level skills. So from 2005 on we distributed complementary building blocks under free licences: Nulog, a log analysis project I had started in 2001, and Nuface, a filtering policy configuration interface, in 2005. The conclusion of this opening-up was NuFirewall, a stand-alone firewall solution based on the EdenWall components, released in 2010. It was a free version of the EdenWall appliances, distributed as an independent distribution published under the GPL. The founders' idea was to have a product structure similar to an offering like VirtualBox's, with a dual-licensed distribution: a free solution suitable for most people and a version with Enterprise features. ...

December 1, 2011 · 2 min · Regit

Securing Netfilter connection tracking helpers

Following the presentation I made during the 8th Netfilter Workshop, it was decided to write a document containing the best practices for a secure use of iptables and connection tracking helpers. This document, called "Secure use of iptables and connection tracking helpers", is now available on this site. It contains recommendations that should be followed carefully if you are the administrator of a Netfilter/iptables firewall or the developer of Netfilter-based software.
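The check that separates a safe helper from an abusable one, for both the opensvp entry above (abusive usage of protocol commands) and this document: an added example, not opensvp and not kernel code. It parses the two commands the opensvp post names, FTP PORT (RFC 959 h1,h2,h3,h4,p1,p2 encoding) and an IRC DCC request (address as a decimal 32-bit integer), and models a helper that either trusts the address carried in the command or only opens a pinhole towards the endpoint that actually sent it. In the Netfilter FTP helper this is the `loose` module parameter, which is off (strict) by default; the helper model, the host addresses and the sample commands here are constructed for the demo.

```python
"""Why a connection tracking helper must not trust the address inside a command.

Added example; simplified model of helper behaviour, not the Netfilter code.
"""
import ipaddress
import re

PORT_RE = re.compile(r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$")
# CTCP form "\x01DCC SEND|CHAT <arg> <ip as uint32> <port> [<size>]\x01"
DCC_RE = re.compile(r"\x01DCC (?:SEND|CHAT) \S+ (\d+) (\d+)(?: \d+)?\x01")


def parse_port(line: str):
    """Return (ip, port) from an FTP PORT command, or None if malformed."""
    m = PORT_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(x > 255 for x in fields):
        return None
    h1, h2, h3, h4, p1, p2 = fields
    return ("%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2)


def parse_dcc(line: str):
    """Return (ip, port) from an IRC DCC SEND/CHAT request, or None if malformed."""
    m = DCC_RE.search(line)
    if not m:
        return None
    ip_int, port = int(m.group(1)), int(m.group(2))
    if ip_int > 0xFFFFFFFF or not 0 < port < 65536:
        return None
    return (str(ipaddress.IPv4Address(ip_int)), port)


def forge_port(target_ip: str, target_port: int) -> str:
    """The PORT command a client sends to ask for a pinhole towards target_ip.
    Nothing stops a client from naming an address that is not its own."""
    return "PORT %s,%d,%d\r\n" % (",".join(target_ip.split(".")),
                                  target_port // 256, target_port % 256)


def helper_decision(command_endpoint: str, parsed, loose: bool):
    """Model of the helper. loose=True trusts the address in the command;
    loose=False only creates an expectation towards the endpoint that sent it.
    Returns the (ip, port) pinhole that would be opened, or None."""
    if parsed is None:
        return None
    ip, port = parsed
    if port == 0 or (not loose and ip != command_endpoint):
        return None
    return (ip, port)


def demo():
    client = "192.168.1.10"   # constructed: NATed FTP client that sends the command
    victim = "192.168.1.20"   # constructed: another host behind the same firewall
    legit = parse_port(forge_port(client, 6000))
    evil = parse_port(forge_port(victim, 22))
    return {
        "legit_strict": helper_decision(client, legit, loose=False),
        "evil_loose": helper_decision(client, evil, loose=True),
        "evil_strict": helper_decision(client, evil, loose=False),
        "dcc": parse_dcc("\x01DCC CHAT chat 3232235796 4444\x01"),  # 192.168.1.20:4444
    }
```

The strict comparison closes the first attack class the opensvp post describes. It does nothing against the second: if the attacker can spoof the client's source address, command_endpoint itself is a lie, which is why the document pairs helper hardening with anti-spoofing and with attaching helpers only to the flows that need them.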

November 30, 2011 · 1 min · Regit