1. Installing Suricata with Oinkmaster on Debian

    This blog entry is a mini-howto on the installation and configuration of Suricata with Oinkmaster, on Debian. If you are familiar with the Debian commands it should take no more than five minutes.

    It was tested on Debian Sid, but should work for all Debian versions.

    Install Suricata

    Suricata is in Debian since Squeeze, so a simple:

    apt-get install suricata
    

    will do the job.

    To work, Suricata needs some rules. The package "snort-rules-default" provides some rules for Snort, but since Suricata is compatible with the Snort rule format, these rules will work.

    However, these rules have some problems: they are outdated (and updated only very rarely), and they are not written for Suricata (so they cannot use the Suricata-specific keywords). Emerging Threats provides some rules (both open source and Pro). We will now configure Oinkmaster and Suricata so that the signatures are updated automatically.

    Install Oinkmaster

    Oinkmaster is a tool to help you manage your signatures. While it is primarily designed for Snort, it also works for Suricata.

    If you have installed Suricata using the default configuration, then Oinkmaster should be installed (it is recommended by the package). If not, run:

    apt-get install oinkmaster
    

    Edit the configuration file /etc/oinkmaster.conf:

    url =  http://rules.emergingthreats …
    read more
  2. DFF accepted into Debian

    DFF (Digital Forensics Framework) has been accepted into Debian unstable.

    From the website:

    The Digital Forensics Framework (DFF) is both a digital investigation tool and a development platform. The framework is used by system administrators, law enforcement examiners, digital forensics researchers and students, and security professionals world-wide. Written in Python and C++, it exclusively uses Open Source technologies.

    DFF combines an intuitive user interface with a modular and cross-platform architecture.

    DFF is a nice tool, combining Python and C++ (and PyQt) to provide performance, be easy to extend, and provide a nice GUI. It is GPLv2, thanks to ArxSys.

    If you like it, don’t hesitate to contact them on the IRC channel (#digital-forensic on Freenode).

    read more
  3. Debian SELinux Documentation

    Date Tue 04 October 2011


    When I installed this server, I decided to enable SELinux and run it in enforcing mode. And it works!

    Finding relevant documentation for SELinux and Debian was more difficult than expected, and even when it exists, it is often outdated. Also, it does not give real examples; one problem I encountered very often is a policy module with correct labels, but created for another distribution, and thus not labeling Debian packages correctly. Some other distros (Gentoo and Fedora) have made huge progress on RBAC security; it would be nice to see the same on Debian.

    I have started a guide for SELinux on Debian. The goals are to:

    • give a practical approach on using SELinux on Debian,
    • fight some false ideas (like not being usable on a Desktop, or that you have to enable it globally etc.),
    • describe how to mix confined and unconfined services,
    • give some examples (Cyrus IMAP, git, redmine, PostgreSQL, etc.); see the examples page
    • explain how to use it with PaX/Grsec
    • give some example on using the
    • give some generic hardening tips.

    Please note that the examples and solutions given in the guide are only my own explanations and solutions, and that of …

    read more
  4. new project: djedi

    I have started a new project (yet another), pretty different from my usual programming languages: a framework for visualizing data in a browser. This framework is an Extract-Transform-Visualize tool, where data come from a database and are rendered by the browser.

    Features

    While some other projects exist, I wanted to create a project with the following features:

    • simplicity: it provides objects (widgets) that you just place in your page as you want. It also provides dashboards to manage widgets, and in its simplest form you just give the name of a div element where a graph will be rendered.
    • modularity: every part of the project can be replaced easily by another component, either on the server side (you only need an ajax server, not necessarily Django) or the client side (you can use JavaScript, SVG, Flash, etc.)
    • interactive: interactions are important, to make the interface pretty, and also to navigate in the data or to enhance the visualization. Most recent web toolkits allow a good number of interactions and animations (and most of them without using Flash)
    • working with big data sets: existing toolkits generally fail when dealing with big databases. Here, all requests are asynchronous and are designed to work on big tables …
    read more
  5. goodbye EdenWall

    It has been a while since I posted anything, so here is some news.

    After a little more than 4 years, I have decided to set off on a new adventure and leave EdenWall. Above all, it is an opportunity to thank all the people I met, with whom I was able to work or exchange a few jokes (sometimes to their great despair!).

    I thank the whole team, and in particular Éric, Jérôme and Loïc for their immense human and professional qualities; these years have been as much fun as they were interesting work :)

    read more
  6. debian squeeze and postgresql

    Date Wed 09 February 2011

    Debian squeeze has been released, that’s nice! (With the usual rants from some trolls, of course, but it wouldn’t be fun otherwise.)

    However, the PostgreSQL package has some problems in psql because it uses libedit instead of readline (for license reasons).

    There is a solution: you can still use psql with readline by preloading the library:

    $ LD_PRELOAD=/lib/libreadline.so.6 psql
    

    read more
  7. Python scripts in GDB

    Since version 7.0, gdb has been able to execute Python scripts. This makes it very easy to write gdb extensions and commands, or to manipulate data. It can also be used to manipulate graphical data (by spawning commands in threads), change the program, or even write a firewall (ahem ..). I’ll assume you’re familiar with both gdb commands and basic Python scripts.

    The first and very basic test is to check a simple command:

    (gdb) python print "Hello, world !"
    Hello, world !
    

    So far so good. Yet, printing hello world won’t help us to debug our programs :)

    The reference documentation can be found here, but it does not really help with actually manipulating data. I’ll try to give a few examples here.

    The Python script

    The first thing to do is to write a script (we’ll call it gdb-wzdftpd.py) containing the Python commands.

    We will define a command to print GLib’s GList type, with its nodes and their content (which is stored as a void*).

    To define a new command, we have to create a new class inherited from gdb.Command. This class has two mandatory methods, __init__ and invoke.

    Gdb redirects stdout and stderr to …

    read more
  8. GPG transition - signatures welcome

    Date Tue 30 November 2010 Tags GPG

    I finally managed to issue a transition statement for my new GPG key (4096R) and signed it with both keys.

    If you happened to sign my old 8D5F40CB key at Solutions Linux, SSTIC, or any beersigning party, and you’re satisfied with the content of the transition statement, then please sign my new F1393998 key. Thanks!

    read more
  9. Project page for SIEM-live


    I’ve created a project in redmine for SIEM-live, so there is now a wiki, a tracker, and a repository. I’ll add some documentation and instructions on how to build the CD soon.

    Contributors would be gladly accepted :)

    I’ve also updated the Git repository for recent versions of live-build, where all variables have been renamed without keeping compatibility :/

    The bug where booting with no network (no DHCP, for example) made many commands fail with a weird error message has been fixed:

    could not resolve 127.0.0.1: address family for hostname not supported
    

    For the record, this was caused by .. IPv6! Disabling it during the configuration sequence fixes the problem.

    read more
  10. Site migrated

    Date Mon 15 November 2010 Tags Life

    As you’ve probably already seen, this blog and the entire site have been migrated to another hosting.

    Changes include:

    • Upgrade from etch to squeeze (PHP4 to PHP5 + suhosin, grub to grub2 etc.)
    • Most services are now using PostgreSQL instead of MySQL
    • Server is installed with SELinux in enforcing mode (why ? because it’s fun !)
    • IPv6 (and fun with iptables)
    • OpenLDAP + Kerberos
    • This blog has been migrated from dotclear 1 to DC2 (with some fun to keep old URLs working)
    • Trac migrated to Redmine: this will allow adding some projects
    • Git repositories
    • All cleartext URLs are redirected to SSL
    • Other (non-public) services, like postfix + greylisting, cyrus etc.

    There are still some things to do, like installing real SSL certificates, but overall it has been pretty easy (and this is one reason I like Debian). I’ve kept notes from the entire migration, so if someone’s interested I can share some parts.

    read more
