pshitt: collect passwords used in SSH bruteforce

Introduction I’ve lately been working on characterizing SSH brute-force attacks. I was a bit frustrated to get only partial information: ulogd can give information about the scanner’s settings, Suricata can give me the client software version, and the sshd server logs show the username. But having the username without the password is really frustrating, so I decided to try to collect them. Looking for an SSH server honeypot, I found kippo, but it went too far for my needs by providing fake shell access. So I decided to build my own based on paramiko. ...

26 June 2014 · 3 min · Regit

Logging connection tracking event with ulogd

Motivation I recently met @aurelsec and we discussed the value of logging connection tracking entries. This is indeed an undervalued information source in a network. Quoting Wikipedia: “Connection tracking allows the kernel to keep track of all logical network connections or sessions, and thereby relate all of the packets which may make up that connection. NAT relies on this information to translate all related packets in the same way, and iptables can use this information to act as a stateful firewall.” ...

23 February 2014 · 10 min · Regit

Using ulogd and JSON output

Ulogd and JSON output In February 2014, I committed a new output plugin to ulogd, the userspace logging daemon for Netfilter. It is a JSON output plugin that writes logs to a file in JSON format. The interest of the JSON format is that it is easily parsed by software such as logstash, and once the data is understood by logstash you can get some nice and useful dashboards in Kibana: ...

2 February 2014 · 4 min · Regit

Investigation on an attack tool used in China

Log analysis experiment I’ve lately been playing with logstash using data from the ulogd JSON output plugin and the Suricata full JSON output, as well as standard system logs. Ulogd gets Netfilter firewall logs from the Linux kernel and writes them in JSON format. Suricata does the same with alerts and other traces. Logstash ingests both, as well as the system log. This allows building dashboards with information coming from multiple sources. If you want to know how to configure ulogd for JSON output, check this post. For Suricata, you can have a look at this one. ...

2 February 2014 · 5 min · Regit

Logstash and Suricata for the old guys

Introduction logstash is an open source tool for managing events and logs. It uses elasticsearch for storage and has a really nice interface named Kibana. One of the easiest input formats to use is JSON. Suricata is an IDS/IPS with some interesting logging features. Version 2.0 will feature a JSON export for every logging subsystem. It will then be possible to output in JSON format: the HTTP log, DNS log, TLS log, File log and IDS alerts. For now, only the File log is available in JSON format; it extracts metadata from files transferred over HTTP. ...

28 October 2013 · 5 min · Regit

Netfilter and the NAT of ICMP error messages

The problem I’ve recently been working for a customer who needed consultancy because of some unexplained Netfilter behaviours related to ICMP error messages. He authorized me to share the results of my study, and I thank him for making this blog entry possible. His problem was that one of his firewalls uses a private interconnection with their border router, and the customer did not manage to NAT all outgoing ICMP error messages. ...

24 April 2013 · 6 min · Regit

Martin Topholm: DDoS experiences with Linux and Netfilter

Martin works for one.com, a local ISP, and is facing some DDoS. SYN cookies were implemented but performance was too low, below 300kpps, which is not what was expected. In fact SYN handling is on a slow path, with a single spin lock protecting the SYN backlog queue, so the system behaves like a single-core system with respect to SYN attacks. Jesper Dangaard Brouer has proposed a patch to move the SYN cookie handling out of the lock, but it has some downsides and could not be accepted. In particular, the syncookie system needs to check every type of packet to see if it belongs to a previous SYN cookie response, and thus a central point is needed. ...

11 March 2013 · 2 min · Regit

Eric Leblond: ulogd2, Netfilter logging reloaded

Introduction Yesterday I gave a presentation on ulogd2 at Open Source Days in Copenhagen. After a brief history of Netfilter logging, I described the key features of ulogd2 and demonstrated two interfaces, nf3d and djedi. The slides are available: Ulogd2, Netfilter logging reloaded. Screencasts This video demonstrates some features of nf3d: This screencast shows some of the capabilities of djedi: Thanks a lot to the organizers for this cool event.

11 March 2013 · 1 min · Regit

Tomasz Bursztyka, ConnMan usage of Netfilter: a close overview

Introduction ConnMan is a connection manager that integrates all critical networking components. It provides a smart D-Bus API for developing a user interface. It is plugin oriented, and the different network stacks are implemented in different modules. Connection sharing (aka tethering) uses Netfilter to set up NAT masquerading, so that is a simple usage. Switching to nftables Application connectivity is a more advanced part involving Netfilter, as it makes use of statistics and differentiated routing. For example, in a car, service data must be sent to the manufacturer’s operator and not over the owner’s network. ...

10 March 2013 · 1 min · Regit

Julien Vehent, AFW: Automating host-based firewalls with Chef

The problem Centralized firewall design does not scale well when dealing with a lot of servers; it begins to collapse after a few thousand rules. Furthermore, to allow an application A to connect to server B, it would take a workflow and possibly 3 weeks to get the opening. From Service Oriented Architecture to Service Oriented Security Services are autonomous. They call each other using a standard protocol. The architecture is described by a list of dependencies between services. You can then specify security via things like ACCEPT Caching TO Frontend ON PORT 80. But this forces you to do provisioning each time a server starts. ...

10 March 2013 · 2 min · Regit

Jozsef Kadlecsik, Faster firewalling with ipset

Why ipset? iptables is sufficient, but in some cases its limits are reached: a high number of rules (iptables matching is linear) and the need to change the rules often. An independent study available at d(a)emonkeeper’s purgatory has shown that the performance of ipset is almost constant with respect to the number of filtered hosts: History The originating project was ippool, featuring a basic set, and after some time it was taken over by Jozsef and renamed ipset. A lot of set types are now handled. ...

10 March 2013 · 1 min · Regit

Patrick McHardy: Oops, I did it: IPv6 NAT

Introduction Harald Welte, when asked about IPv6 NAT, used to answer: “it will be over my dead body”. It is now available in the official kernel. Reasons for adding IPv6 NAT Dynamic IPv6 prefixes: ISPs assign dynamic IPv6 prefixes, so internal network addresses change; NAT can bring you stability. Easier test setups. Users are asking for it and most operating systems have it. To sum up the arguments about NAT, Patrick McHardy used this video: ...

10 March 2013 · 1 min · Regit

Pablo Neira Ayuso: nftables, a new packet filtering framework for Netfilter

Introduction nftables is a kernel packet filtering framework that replaces iptables. It brings no changes in the core (conntrack, hooks). The match logic is changed: you fetch keys and, once you have your key set, you perform operations on them. Advanced and specialized matches are built upon this system. nftables vs iptables In iptables, extensions were coded in separate files and had to be put in the iptables source tree. To act, they must modify a binary array storing the ruleset and inject it back into the kernel, so every update involves a full download and upload of the whole ruleset. ...

10 March 2013 · 2 min · Regit

Ulogd 2.0.2, my first release as maintainer

Objectives of this release So this is my first ulogd2 release as maintainer. I’ve been in charge of the project since October 30th, 2012, and this was an opportunity for me to increase my development work on the project. The roadmap was almost empty, so I decided to work on the issues that were bothering me as a user of the project. I’ve also included two features: connection tracking event filtering and a Graphite output module. Ulogd is available on the Netfilter web site ...

4 March 2013 · 3 min · Regit

Some statistics about Suricata 1.4

A huge work Suricata 1.4 was released on December 13th, 2012, and it has been a huge amount of work. The number of modifications is just impressive: 390 files changed, 25299 insertions(+), 11982 deletions(-). The following video uses gource to display the evolution of the Suricata IDS/IPS source code between version 1.3 and version 1.4. It only displays the modified files and does not show the files existing at the start. A collaborative work A total of 11 different authors have participated in this release. The following graph, generated by gitstats, shows the number of lines of code by author: ...

13 December 2012 · 4 min · Regit

The defense blues

Mother Nature has been really unfair with me. She has given me two strong interests in life: building things and information security. Once that was done, my doom was sealed and I became an infosec defense guy. Nowadays this is one of the worst fates possible in computer science. Today, this burden is really hard to bear. I know some of you will try to encourage me by saying things like: ...

6 December 2012 · 3 min · Regit

A new unix command mode in Suricata

Introduction I’ve been working for the past few days on a new Suricata feature. It is available in Suricata 1.4rc1. Suricata can now listen on a unix socket and accept commands from the user. The exchange protocol is JSON-based, and the message format has been designed to be generic; it is described in this commit message. An example script called suricatasc is provided in the source and installed automatically when updating Suricata. ...

18 September 2012 · 4 min · Regit
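A minimal client for that socket, as an added example (not suricatasc itself), with both sides of the exchange: the client sends a version hello, then `{"command": ...}` requests, and reads `{"return": "OK"|"NOK", "message": ...}` answers. The commit message describing the format is not reproduced on this page, so the exact shape used here is an assumption based on how suricatasc behaved; the in-process fake server, its socket path, command names and answers are constructed for the demo only.

```python
"""Client for Suricata's unix command socket, with a fake server for the demo.

Added example, not suricatasc. Message shape is assumed from suricatasc's
behaviour; the fake server's answers are made up for the demonstration.
"""
import json
import os
import socket
import tempfile
import threading

PROTOCOL_VERSION = "0.1"  # assumed value of the version hello

# Constructed answers for the fake server; shape only, values are invented.
FAKE_ANSWERS = {
    "iface-list": {"return": "OK", "message": {"count": 2, "ifaces": ["eth0", "eth1"]}},
    "uptime": {"return": "OK", "message": 3600},
}


def send_json(sock, obj):
    # One request is always answered before the next is sent, and messages are
    # small, so a single send/recv per message is enough here.
    sock.sendall(json.dumps(obj).encode("utf-8"))


def recv_json(sock):
    data = sock.recv(65536)
    if not data:
        raise ConnectionError("peer closed the socket")
    return json.loads(data.decode("utf-8"))


class CommandClient:
    """Client side: connect, negotiate the protocol version, send commands."""

    def __init__(self, path):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.connect(path)

    def handshake(self):
        send_json(self.sock, {"version": PROTOCOL_VERSION})
        reply = recv_json(self.sock)
        if reply.get("return") != "OK":
            raise RuntimeError("version %s rejected: %r" % (PROTOCOL_VERSION, reply))
        return reply

    def command(self, name, arguments=None):
        msg = {"command": name}
        if arguments is not None:
            msg["arguments"] = arguments
        send_json(self.sock, msg)
        reply = recv_json(self.sock)
        if reply.get("return") != "OK":
            raise RuntimeError(str(reply.get("message", "command failed")))
        return reply.get("message")

    def close(self):
        self.sock.close()


def fake_server(path, ready):
    """Server side for the demo: one client, version check, then a command loop."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    srv.listen(1)
    ready.set()
    conn, _ = srv.accept()
    with conn, srv:
        hello = recv_json(conn)
        if hello.get("version") != PROTOCOL_VERSION:
            send_json(conn, {"return": "NOK", "message": "unsupported version"})
            return
        send_json(conn, {"return": "OK"})
        while True:
            try:
                req = recv_json(conn)
            except ConnectionError:
                return  # client hung up
            answer = FAKE_ANSWERS.get(req.get("command"),
                                      {"return": "NOK", "message": "Unknown command"})
            send_json(conn, answer)


def run_demo():
    """Start the fake server, run one client session against it, return what it saw."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "suricata-command.socket")  # constructed path
    ready = threading.Event()
    server = threading.Thread(target=fake_server, args=(path, ready), daemon=True)
    server.start()
    ready.wait(5)
    client = CommandClient(path)
    result = {"hello": client.handshake(), "ifaces": client.command("iface-list")}
    try:
        client.command("no-such-command")
    except RuntimeError as err:
        result["error"] = str(err)
    client.close()
    server.join(5)
    os.unlink(path)
    os.rmdir(tmpdir)
    return result


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Against a real Suricata, point `CommandClient` at the socket path configured under `unix-command` in suricata.yaml instead of the temporary one; the unknown-command branch shows why a client should check `return` before trusting `message`.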

New AF_PACKET IPS mode in Suricata

A new Suricata IPS mode Suricata’s IPS capabilities are not new. It is possible to use Suricata with Netfilter or ipfw to build a state-of-the-art IPS. On Linux, this system does not have the best throughput performance. Patrick McHardy’s work on memory-mapped netlink I/O should bring some real improvement, but it is not yet available. I’ve thus decided to implement an IPS mode based on AF_PACKET (read: raw sockets). The idea is based on one of snort’s running modes. It pairs two network interfaces, and all packets received on one interface are sent out the other (unless a signature with the drop keyword fires on the packet). This requires dedicating two network interfaces to Suricata, but it provides a simple bridge system. As Suricata uses the latest AF_PACKET features (read: load balancing), it was possible to build something really promising. ...

4 September 2012 · 4 min · Regit
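What the paired-interface setup looks like in suricata.yaml, as an added example (not a fragment taken from the post): each interface names the other as its copy target, and the two sides get distinct cluster ids. Interface names are placeholders.

```yaml
af-packet:
  - interface: eth0          # placeholder: first leg of the bridge
    threads: 1               # must match the thread count on the peer interface
    defrag: yes
    cluster-type: cluster_flow
    cluster-id: 98
    copy-mode: ips           # drop packets hit by a "drop" signature; use "tap" for passive copy
    copy-iface: eth1
    buffer-size: 64535
    use-mmap: yes
  - interface: eth1          # placeholder: second leg, copying back to the first
    threads: 1
    defrag: yes
    cluster-type: cluster_flow
    cluster-id: 97
    copy-mode: ips
    copy-iface: eth0
    buffer-size: 64535
    use-mmap: yes
```

Start it with `suricata -c /etc/suricata/suricata.yaml --af-packet`. Both interfaces should carry no IP configuration of their own, and the thread count must be identical on the two legs, since the thread reading one side is the one that writes to the other.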

Suricata new TLS fingerprint and TLS store keywords.

Suricata TLS support Victor Julien has just merged into the main tree a branch containing some interesting new TLS related features. They were contributed by me and Jean-Paul Roliers. This patchset introduces TLS logging and brings some new keywords to the Suricata engine. Here’s the list of all the TLS related keywords available in the latest Suricata git: tls.version: match on the protocol version; tls.subject: match on the subject of the certificate; tls.issuerdn: match on the issuer DN of the certificate; tls.fingerprint: match on the SHA1 fingerprint of the certificate; tls.store: store the certificate on disk. You will find detailed explanations below. ...

27 August 2012 · 4 min · Regit
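Three rules using those keywords together, as an added example (not rules from the post). The fingerprint, subject, issuer and sids are placeholders; the `!` negation on `tls.issuerdn` and `tls.fingerprint` matches when the value differs, which is what makes the second rule useful for spotting an unexpected issuer for a domain you care about.

```suricata
# Known-bad certificate by SHA1 fingerprint (placeholder value); keep a copy on disk
alert tls any any -> any any (msg:"TLS cert with blacklisted fingerprint"; tls.fingerprint:"00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33"; tls.store; sid:1000001; rev:1;)

# Certificate for our domain that is NOT issued by the CA we expect (placeholder names)
alert tls any any -> any any (msg:"TLS cert for www.example.com from unexpected issuer"; tls.subject:"CN=www.example.com"; tls.issuerdn:!"CN=Example Root CA"; tls.store; sid:1000002; rev:1;)

# Legacy protocol version still being negotiated
alert tls any any -> any any (msg:"TLS 1.0 negotiated"; tls.version:1.0; sid:1000003; rev:1;)
```

`tls.store` only writes something if the `tls-store` output is enabled in suricata.yaml (with its `certs-log-dir`); the stored PEM lets an analyst verify the fingerprint match offline rather than trusting the alert alone.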

Flow accounting with Netfilter and ulogd2

Introduction Starting with Linux kernel 3.3, there is a new module called nfnetlink_acct. This new feature, added by Pablo Neira, brings interesting accounting capabilities to Netfilter. Pablo has made an extensive description of the feature in the commit. System setup We need to build a set of tools to get everything that’s necessary: libmnl, libnetfilter_acct and nfacct. The build is the same for all three projects: git clone git://git.netfilter.org/PROJECT; cd PROJECT; autoreconf -i; ./configure; make; sudo make install ...

14 July 2012 · 3 min · Regit