This blog entry is a mini-howto on the installation and configuration of
Suricata with Oinkmaster, on Debian. If you are familiar with the Debian
commands it should take no more than five minutes.
It was tested on Debian Sid, but should work for all Debian versions.
To work, Suricata needs some rules. The package "snort-rules-default"
provides rules for Snort, and since Suricata is compatible with them,
these rules will load.
However, these rules have some problems: they are outdated (and updated
only very rarely), and they are not written for Suricata (so they cannot
use Suricata-specific keywords). Emerging Threats provides rules (both
open source and Pro). We will now configure Oinkmaster and Suricata to
update the signatures automatically.
Install Oinkmaster
Oinkmaster is a tool to help you manage your signatures. While it is
primarily designed for Snort, it also works for Suricata.
If you have installed Suricata using the default configuration, then
Oinkmaster should already be installed (it is recommended by the
package). If not, run:
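The update step should never leave Suricata running on a broken rule set. The script below is an added example (not code from this post, nor from the Oinkmaster or Suricata projects): a cron-friendly wrapper that lets Oinkmaster fetch and merge the new signatures, checks whether anything actually changed, runs a configuration test on the result, and either reloads Suricata or restores the previous rules. The paths /etc/oinkmaster.conf and /etc/suricata/rules, the `suricata -T` configuration test and the `invoke-rc.d suricata restart` reload are assumptions about a typical Debian setup, as is the availability of GNU find and cp.

```shell
#!/bin/sh
# Added example, not code from the original post or from the Oinkmaster/Suricata
# projects: a cron-friendly wrapper that fetches new signatures with Oinkmaster
# and only reloads Suricata when the merged rule set passes a configuration
# test; otherwise the previous rules are restored.
# Assumptions (not stated on the page): Oinkmaster is configured in
# /etc/oinkmaster.conf, Suricata loads rules from /etc/suricata/rules, and
# `suricata -T` tests the configuration. GNU find/cp (Debian) are assumed.

RULES_DIR=${RULES_DIR:-/etc/suricata/rules}

# rules_digest DIR: one checksum over every *.rules file (in a stable order),
# so a run that changed nothing can be told apart from a real update.
rules_digest() {
    find "$1" -type f -name '*.rules' | LC_ALL=C sort |
        while IFS= read -r f; do cat "$f"; done | cksum
}

# safe_update DIR UPDATE_CMD VALIDATE_CMD RELOAD_CMD
# Each *_CMD is a command string run by `sh -c`. Prints one verdict:
#   unchanged   - the update left the rules identical, nothing to do
#   reloaded    - new rules passed validation and Suricata was reloaded
#   rolled-back - update failed or new rules failed validation; the previous
#                 rules were restored (returns 1 so cron reports it)
safe_update() {
    dir=$1 update=$2 validate=$3 reload=$4
    [ -d "$dir" ] || return 1
    backup=$(mktemp -d) || return 1
    cp -a "$dir/." "$backup/"            # keep the known-good rule set
    before=$(rules_digest "$dir")

    if sh -c "$update"; then
        after=$(rules_digest "$dir")
        if [ "$before" = "$after" ]; then
            rm -rf "$backup"
            echo unchanged
            return 0
        fi
        if sh -c "$validate"; then
            sh -c "$reload"
            rm -rf "$backup"
            echo reloaded
            return 0
        fi
    fi
    # Update failed or the new rules did not validate: put the old rules
    # back file by file, keeping the directory (and its permissions) in place.
    find "$dir" -mindepth 1 -delete
    cp -a "$backup/." "$dir/"
    rm -rf "$backup"
    echo rolled-back
    return 1
}

# Typical cron invocation (the three commands are assumptions about the
# local setup, not taken from the page):
# safe_update "$RULES_DIR" \
#     "oinkmaster -C /etc/oinkmaster.conf -o $RULES_DIR" \
#     "suricata -T -c /etc/suricata/suricata.yaml" \
#     "invoke-rc.d suricata restart"
```

The digest comparison avoids a needless restart when Oinkmaster downloaded nothing new, and the rollback path means a bad upstream tarball costs you one failed cron mail rather than a sensor that refuses to start.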
The Digital Forensics Framework (DFF) is both a digital investigation
tool and a development platform. The framework is used by system
administrators, law enforcement examiners, digital forensics researchers
and students, and security professionals world-wide. Written in Python
and C++, it exclusively uses Open Source technologies. DFF combines an
intuitive user interface with a modular and cross-platform architecture.
DFF is a nice tool, combining Python and C++ (and PyQt) to provide good
performance, be easy to extend and provide a nice GUI. It is GPLv2,
thanks to ArxSys.
If you like it, don't hesitate to contact them on the IRC channel
(#digital-forensic on Freenode).
Xtables-addons is a project developed by Jan Engelhardt to replace the
old patch-o-matic repository for the Linux kernel and iptables. Instead
of patching the kernel source, extensions are built as modules and thus
allow extending kernels without recompilation.
I have created a Debian package, split in two parts:
xtables-addons-source (the sources of the kernel modules), and
xtables-addons-common (common files: shared libraries, man pages,
binaries).
To install xtables-addons on Debian (sid only, but the package works on
Lenny after a rebuild), run the following commands:
It will automatically install the headers for your kernel, build the
modules, create a local package, and install it. What’s interesting is
that, unlike before (using p-o-m or kernel patches), there is no need
to reboot.
It adds new targets for iptables:
* CHAOS: randomly use the REJECT, DELUDE or TARPIT targets. This will
fool network scanners by returning random results
* DELUDE: always reply to a SYN with a SYN-ACK. This will fool TCP
half-open discovery
* DHCPADDR: replace a MAC address from and to a VMware host
Prelude is a general-purpose hybrid intrusion detection system.

This package provides the Prelude Correlator, which is a powerful
correlation engine using Lua to write correlation rules.

The features currently include:
* Rapid identification of important security events, enabling the analyst
to assign task priorities
* Correlation of alerts originating from heterogeneous sensors deployed
across the whole infrastructure
* Real-time analysis of events received by the Prelude Manager
You can contribute! If you use the correlation engine, please share
your correlation rules.
Fusil is a fuzzing framework designed to expose bugs in software by
changing random bits of its input.

It helps to start a process with a prepared environment (memory limits,
environment variables, stdout redirection, etc.), start a network client
or server, and create mangled files. Fusil has many probes to detect a
program crash: watch the process exit code, watch process stdout and
syslog for text patterns (e.g. "segmentation fault"), watch the session
duration, watch CPU usage (process and system load), etc.

Fusil is based on a modular architecture. It computes a session score
used to guess fuzzing parameters like the number of errors injected into
input files.
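To make the probe idea concrete, here is an added example that is not Fusil's own code: a minimal harness in POSIX sh that runs one target command under a time limit and reproduces three of the probes listed above (the exit-code probe that notices death by signal, the text-pattern probe on stderr, and the session-duration probe). It assumes a POSIX shell with `wait`, `mktemp`, `grep -i` and `sleep`, and that the fuzzed input file has already been placed among the target's arguments; the verdict strings are my own.

```shell
#!/bin/sh
# Added example, not Fusil's own code: a minimal crash-probe harness that
# mirrors three of the probes listed above: the exit-code probe (death by
# signal), the text-pattern probe on stderr, and the session-duration probe.
# Assumptions (not from the page): POSIX sh with `wait`, `mktemp`, `grep -i`
# and `sleep`; the target is given as a command and its arguments, with the
# fuzzed input file already passed among those arguments.

# probe_run LIMIT_SECONDS CMD [ARGS...]
# Prints exactly one verdict: ok, exit:N, signal:N, pattern, timeout
probe_run() {
    limit=$1; shift
    errfile=$(mktemp) || return 1
    marker="$errfile.timeout"            # created only by the watchdog

    # Start the target; stderr is kept for the text-pattern probe.
    "$@" >/dev/null 2>"$errfile" &
    target=$!

    # Session-duration probe: a watchdog that records the timeout and kills
    # the target once the limit expires. Its stdout/stderr are detached so a
    # lingering sleep cannot hold a caller's pipe open.
    ( sleep "$limit"; : >"$marker"; kill -TERM "$target" 2>/dev/null ) \
        >/dev/null 2>&1 &
    watchdog=$!

    status=0
    wait "$target" || status=$?          # 128+N: the target died from signal N
    kill "$watchdog" 2>/dev/null || true # target finished: stop the watchdog

    verdict=ok
    if [ -e "$marker" ]; then
        verdict=timeout
    elif [ "$status" -gt 128 ]; then
        # Exit-code probe. Note a program that exits voluntarily with a code
        # above 128 is indistinguishable from a signal death here.
        verdict="signal:$((status - 128))"   # e.g. signal:11 for SIGSEGV
    elif grep -qi 'segmentation fault' "$errfile"; then
        verdict=pattern                  # crash reported in text, not by signal
    elif [ "$status" -ne 0 ]; then
        verdict="exit:$status"
    fi
    rm -f "$errfile" "$marker"
    echo "$verdict"
}

# Constructed session: make the target kill itself with SIGSEGV.
# probe_run 5 sh -c 'kill -SEGV $$'   # prints signal:11
```

A real fuzzing loop would call `probe_run` once per mangled input and keep the inputs whose verdict is `signal:*`, `pattern` or `timeout` for later triage; the exit-code probe is the cheapest and most reliable of the three, which is why Fusil combines it with the text probes rather than relying on them alone.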
Starting from Lenny, apt supports the https transport for apt repositories.
Before, this would give the error:
# apt-get update
E: The method driver /usr/lib/apt/methods/https could not be found.
On Lenny (and unstable), install the apt-transport-https package:
apt-get install apt-transport-https
And https repositories will now work.
There is no current backport for Etch on backports.org, because the hack
for the transport is quite intrusive and requires some deep modifications
in the entire apt code. Maybe another site will propose it?
Note: it seems there is currently no way to check the certificate or
configure trusted certificates. This is a good step towards security
anyway. Remember: always use trusted repositories (signed with a
trusted key - see man apt-key for more information).