Opensvp, a new tool to analyse the security of firewalls using ALGs

Following my talk at SSTIC, I’ve released a new tool called opensvp. Its aim is to cover the attacks described in this talk. It has been published so that one can determine whether the firewall policy related to Application Layer Gateways is correctly implemented. Opensvp implements two types of attacks. Abusive usage of protocol commands: a protocol message can be forged to open a pinhole in the firewall. Opensvp currently implements message sending for the IRC and FTP ALGs. Spoofing attack: if anti-spoofing is not correctly set up, an attacker can send commands that result in an arbitrary pinhole being opened to a server. It has been developed in Python and uses scapy to implement the spoofing attack on ALGs. ...

8 June 2012 · 1 min · Regit

Slides of my presentation at SSTIC

The slides of my SSTIC presentation are available: Utilisation malveillante des suivis de connexions. Thanks to the SSTIC organisers for accepting my paper! Demonstration videos are available in this post: Playing with Network Layers to Bypass Firewalls’ Filtering Policy. The test tool opensvp is available on this page.

8 June 2012 · 1 min · Regit

Playing with Network Layers to Bypass Firewalls’ Filtering Policy

The slides of my CanSecWest talk can now be downloaded: Playing with Network Layers to Bypass Firewalls’ Filtering Policy. The required counter-measures are described in the Secure use of iptables and connection tracking helpers document. The associated video demonstrations are available: the first video demonstrates how a forged IRC protocol command (DCC request) can be used to open a connection to a NATed client from the Internet. The second video demonstrates the effect of the attack on helpers on an unprotected Netfilter firewall. The third video demonstrates the effect of the attack on helpers on a badly configured Checkpoint firewall. More information will come in upcoming posts.

9 March 2012 · 1 min · Regit

Using AF_PACKET zero copy mode in Suricata

Victor Julien has just pushed a new feature to Suricata’s git tree. It brings improvements to the AF_PACKET capture mode. This capture mode can be used on Linux; it is the native way to capture packets. Suricata is able to use the interesting new multithreading feature provided by AF_PACKET on recent kernels: it is possible to have multiple capture threads receiving the packets of a single interface. The commits add mmaped ring buffer support to the AF_PACKET capture and also provide a zero copy mode. The mmaped ring buffer is a mechanism similar to the one used by PF_RING. The kernel allocates some memory to store the packets and shares this memory with the capture process. Instead of sending messages, the kernel just writes to the shared memory and the capture process reads it. This consumes fewer CPU resources and helps to increase the capture rate. But the main advantage of this technique is that the capture process can treat the packets without making a copy, and this saves a lot of time ...

23 February 2012 · 2 min · Regit

Ecosystem of Suricata

Suricata is an IDS/IPS engine. To build a complete solution, you will need to use other tools. The following diagram is a representation of a possible software setup in the case where Suricata is used as an IDS or IPS on the network. It only uses open-source components: Suricata is used to sniff and analyse the traffic. To detect malicious traffic, it uses signatures (or rules). You can download a set of specialised rules from EmergingThreats. ...

13 February 2012 · 1 min · Regit

About the publication of EdenWall’s code

I co-founded the company INL in 2004. Renamed EdenWall in 2009, following a fundraising round and a change of business, the company’s new business model was the sale of security appliances based on the free software NuFW, which I had started in 2003. NuFW, a software layer adding flow authentication to Netfilter, remained the company’s technological engine but was not easy to adopt, as it required low-level skills to deploy. We therefore distributed complementary building blocks under a free licence from 2005 onwards: Nulog, a log analysis project I had started in 2001, and Nuface, a filtering policy configuration interface, in 2005. The conclusion of this opening-up process was NuFirewall, a standalone firewall solution based on the EdenWall building blocks, which was distributed in 2010. It was a free version of the EdenWall appliances, distributed as an independent distribution published under the GPL licence. The founders’ idea was to have a product structure similar to an offering like VirtualBox’s, with a dual-licensed distribution: a free solution suitable for most users and a version with Enterprise features. ...

1 December 2011 · 2 min · Regit

Securing Netfilter connection tracking helpers

Following the presentation I gave during the 8th Netfilter Workshop, it was decided to write a document containing the best practices for a secure use of iptables and connection tracking helpers. This document, called “Secure use of iptables and connection tracking helpers”, is now available on this site. It contains recommendations that should be followed carefully if you are the administrator of a Netfilter/iptables firewall or the developer of Netfilter-based software.

30 November 2011 · 1 min · Regit

Acquisition systems and running modes evolution of Suricata

Some new features have recently reached Suricata’s git tree and will be available in the next development release. I’ve worked on some of them and will describe them here.

Multi-interface support and new running modes

Configuration update

IDS live mode in Suricata (pcap, pf_ring, af_packet) now supports capture on multiple interfaces. The syntax of the YAML configuration file has evolved and it is now possible to set per-interface variables. For example, it is possible to define the pfring configuration with the following syntax: ...

6 October 2011 · 2 min · Regit

Slides of my Suricata talk at Libre Software Meeting

I gave a talk about Suricata entitled Suricata, rethinking IDS/IPS at the Libre Software Meeting (RMLL in French). The slides can be downloaded from the RMLL website. Thanks a lot to Christophe Brocas and Mathieu Blanc for the organisation of the security track of LSM.

13 July 2011 · 1 min · Regit

About Suricata performance boost between 1.0 and 1.1beta2

Discovering the performance boost

When doing some coding on both the 1.0 and 1.1 branches of Suricata, I noticed that there was a huge performance improvement of the 1.1 branch over the 1.0 branch. The parsing of a given real-life pcap file was taking 200 seconds with 1.0 but only 30 seconds with 1.1. This performance boost was huge and I decided to double check and to study how such a performance boost was possible and how it was obtained: ...

2 June 2011 · 3 min · Regit

Suricata conference at Solutions Linux 2011

I gave a presentation about Suricata today at the Solutions Linux event. It was part of the security track chaired by Herve Schauer. The slides are in French and are available here: 2011_sollinux_suricata

11 May 2011 · 1 min · Regit