1. THE OpenOffice firewall

    The Internet has its good sides. Well, not always… And by combining a nice blunder with a few tools, you can build things nobody would have imagined at first…

    In short, and notably as a follow-up to the challenge some people set me at SSTIC 2010 (a very good year, by the way), here it is: THE OpenOffice firewall! But careful: not something hacked together, no, a real firewall, with a design and everything.

    So, how does it work:

    • we want to filter packets with OpenOffice, so we need OpenOffice
    • not having had time to plan a port of OpenOffice to kernel mode, I did the opposite: bring the packets up to user space with nfqueue + python
    • OO is driven with python-uno

    So I start coding: create a Calc sheet with the port numbers to filter, read the cell values (and I can tell you: when you are used to LaTeX, OO is no fun), and use them to filter the packets received through nfqueue.

    First problem: to use nfqueue, you need to be root. And running OpenOffice as root (so with a GUI …
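The decision half of such a filter, as an added example that is not the author's code: given the raw packet nfqueue hands to Python, pull out the transport protocol and destination port and return a netfilter verdict. The set of blocked ports is a plain Python set standing in for the Calc cells read through python-uno (an assumption), and the verdict constants mirror NF_DROP/NF_ACCEPT from linux/netfilter.h. It also parses IPv6 headers, which goes beyond the post. Keeping this logic apart from the queue socket means it can be exercised without root.

```python
"""Verdict logic for a port-based packet filter in user space, the kind the
OpenOffice firewall needs once nfqueue has handed a raw packet to Python.

Added example, not the author's code. The set of blocked ports stands in for
the cells read from the Calc sheet through python-uno (assumption), and the
verdict constants mirror netfilter's NF_DROP/NF_ACCEPT values. IPv6 handling
goes beyond what the post describes.
"""
import struct

NF_DROP = 0      # netfilter verdict values from linux/netfilter.h
NF_ACCEPT = 1

PROTO_TCP = 6
PROTO_UDP = 17


def parse_dst_port(packet):
    """Return (protocol, destination port) of a raw IPv4/IPv6 packet, or
    (None, None) if it is truncated, not IP, or not TCP/UDP."""
    if len(packet) < 20:
        return None, None
    version = packet[0] >> 4
    if version == 4:
        ihl = (packet[0] & 0x0F) * 4          # header length from IHL, in bytes
        if ihl < 20:
            return None, None
        proto, l4_offset = packet[9], ihl
    elif version == 6:
        if len(packet) < 40:
            return None, None
        # Next Header field; extension headers are not walked, so packets
        # carrying them are reported as (None, None) - a known limitation.
        proto, l4_offset = packet[6], 40
    else:
        return None, None
    if proto not in (PROTO_TCP, PROTO_UDP) or len(packet) < l4_offset + 4:
        return None, None
    # TCP and UDP headers both begin with 16-bit source and destination ports
    _src, dst = struct.unpack_from("!HH", packet, l4_offset)
    return proto, dst


def verdict(packet, blocked_ports):
    """nfqueue verdict for one packet against the blocked ports.
    Non-TCP/UDP and unparsable packets are accepted: this filter is
    fail-open by design; a stricter policy would return NF_DROP instead."""
    proto, dst = parse_dst_port(packet)
    if proto is None:
        return NF_ACCEPT
    return NF_DROP if dst in blocked_ports else NF_ACCEPT


def build_ipv4_packet(proto, src_port, dst_port):
    """Constructed sample IPv4 packet with a minimal 8-byte L4 header
    (checksums zeroed; enough for the filter to parse)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + struct.pack("!HHHH", src_port, dst_port, 8, 0)


def build_ipv6_packet(proto, src_port, dst_port):
    """Constructed sample IPv6 packet with the same minimal L4 header."""
    ip = struct.pack("!IHBB16s16s", 0x60000000, 8, proto, 64,
                     b"\xfd" + b"\x00" * 14 + b"\x01",
                     b"\xfd" + b"\x00" * 14 + b"\x02")
    return ip + struct.pack("!HHHH", src_port, dst_port, 8, 0)


if __name__ == "__main__":
    blocked = {23, 80, 135}   # stand-in for the spreadsheet cells
    for pkt in (build_ipv4_packet(PROTO_TCP, 40000, 23),
                build_ipv4_packet(PROTO_TCP, 40000, 443),
                build_ipv6_packet(PROTO_UDP, 40000, 135)):
        action = "DROP" if verdict(pkt, blocked) == NF_DROP else "ACCEPT"
        print(parse_dst_port(pkt), "->", action)
```

The constructed packets carry a minimal 8-byte transport header, which is all the filter reads; real TCP headers are longer but start with the same two port fields.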

  2. Creating a Live CD for the open source SIEM Prelude and Suricata

    I have started to work on a Live CD for open source tools like Prelude SIEM, and software like Suricata, Snort and OpenVAS to send it alerts. The goal is to easily test these tools, register new agents, get some alerts and be able to correlate them, etc. I also want to add some visualization tools, so this CD could maybe become a reference for security alert detection and reporting.

    [Screenshot: Prewikka]

    First, a few points on applications used:

    • Debian Live for building the CD. It's very easy, it's based on Debian, and it allows me to re-use some work I've done
    • Suricata IDS, which is a very promising project
    • Snort IDS, with the free signatures
    • OpenVAS to be able to generate alerts
    • Prelude SIEM is the key point: Suricata, Snort, syslog, etc. will send alerts to Prelude, which has a database, a correlator, a web interface (Prewikka), etc.
    • Standard useful tools: nmap, scapy, wireshark, p0f, etc.

    This first version is based on Debian Lenny and the x86 architecture. Everything is built from packages (.debs) to make it easier to maintain, upgrade versions or add patches: most of the time, I just have to rebuild packages from squeeze or sid.

    The build …

  3. Implementing the evil maid attack on Linux with LUKS

    This month, Joanna Rutkowska implemented the “evil maid” attack against TrueCrypt.

    This kind of attack can be done on any OS with disk encryption: with whole-disk encryption, the bootloader is what has to be infected. Linux includes dm-crypt/LUKS, which has some nice features (including TKS1 and working encrypted suspend-to-disk). But how does it fare against this attack?

    Sadly, the answer is: pretty badly. LUKS has no protection against this attack, and even requires a /boot partition in the clear. Before looking at possible solutions, we'll play with the /boot partition to see how simple the attack is.

    Linux boot sequence basics

    The boot sequence (See http://www.ibm.com/developerworks/library/l-linuxboot/index.html) is the following:

    • System startup: the BIOS is loaded, searches for a boot medium, loads the MBR, and yields control to it.
    • Boot loader stage 1: the job of the primary boot loader is to find and load the secondary boot loader (stage 2)
    • Boot loader stage 2: its job is to search for and load the Linux kernel and initial RAM disk (initrd) images.
    • Linux kernel: it starts by uncompressing itself, then mounts the initrd image. This image contains modules and scripts required to find …
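One practical check against the attack described above, as an added example that is not from the post: since LUKS leaves /boot in the clear, record a SHA-256 baseline of every file under it and compare against that baseline before trusting the machine. The directory and baseline file names are assumptions; the demo builds a throwaway tree in place of the real /boot.

```python
"""Baseline-and-compare check for the unencrypted /boot that LUKS requires.

Added example, not from the post. With the bootloader stages, kernel and
initrd in the clear, an evil maid only has to rewrite one of those files; this
records a SHA-256 of every file under a directory and reports what changed
since the baseline. The directory and baseline path used below are
assumptions, and the demo runs on a constructed temporary tree.
"""
import hashlib
import json
import os
import tempfile


def hash_tree(root):
    """Map each regular file under root (as a relative path) to its SHA-256."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):          # hash targets, not the links
                continue
            h = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    h.update(chunk)
            digests[os.path.relpath(path, root)] = h.hexdigest()
    return digests


def compare(baseline, current):
    """Sorted lists of files added, removed and modified since the baseline."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def save_baseline(digests, path):
    """Write the baseline. Keep this file off the machine (on the medium you
    boot the check from): a maid with disk access could rewrite it as well."""
    with open(path, "w") as fh:
        json.dump(digests, fh, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)


def demo():
    """Constructed /boot-like tree: take a baseline, then do what the attack
    does (patch the initrd, drop an extra file) and report the difference."""
    with tempfile.TemporaryDirectory() as boot, tempfile.TemporaryDirectory() as usb:
        os.makedirs(os.path.join(boot, "grub"))
        for rel, data in {"vmlinuz-2.6.31": b"kernel image",
                          "initrd.img-2.6.31": b"cpio archive",
                          "grub/stage2": b"stage 2 loader"}.items():
            with open(os.path.join(boot, rel), "wb") as fh:
                fh.write(data)
        baseline_path = os.path.join(usb, "boot-baseline.json")   # assumed name
        save_baseline(hash_tree(boot), baseline_path)

        # evil maid: hook the initrd to capture the passphrase, add a module
        with open(os.path.join(boot, "initrd.img-2.6.31"), "ab") as fh:
            fh.write(b" + passphrase sniffer")
        with open(os.path.join(boot, "grub", "evil.mod"), "wb") as fh:
            fh.write(b"payload")

        return compare(load_baseline(baseline_path), hash_tree(boot))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Two caveats follow directly from the boot sequence above: the check has to run from trusted media (a live CD or USB stick), because an infected stage 2 or initrd can lie to a check run from the booted system; and the MBR holding stage 1 is a disk sector, not a file under /boot, so read its first 512 bytes from the block device and hash them into the same baseline.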
  4. animated charts in python and Qt

    I'm currently trying to generate interactive (and animated) charts in Python + Qt. The desired library would be:

    • portable: this is one of the reasons for choosing PyQt
    • simple: same reason
    • interactive: I want to be able to select, for example, the slices of a pie chart. A signal of events like Qt's would be perfect
    • animated: this is useless, but looking at things like AnyChart or FusionCharts, the result is really nice!
    • light on dependencies: relying on tons of libs makes the project hard to maintain and not portable, especially for Windows, where there is no packaging and dependency system.
    • free software

    A quick search gave me the following products:

    • matplotlib: mostly for scientific plots, but there is a nice number of options and a well-documented API.
    • pyQwt: Python bindings for Qwt. Again, it's more scientific plots than charts
    • cairoplot: the project looks dead (or suffers from the "yeah, the project's not finished, but we're recoding it in $LANG to be faster" syndrome, which is more or less the same). It generates images, though item maps can be extracted. As the name tells, it uses Cairo.
    • pyCha: some nice charts, uses Cairo. Very simple API (not …
  5. Playing with OpenDPI

    So, Ipoque has published its deep packet inspection engine under a free license (LGPLv3): OpenDPI. It is always good news when a company decides to release source code to the community, so first of all thanks to Ipoque for this.

    After downloading the source code from the OpenDPI Google project page, I started to look at it.

    Basically, the project looks quite unprepared for release (only a Makefile, no configure script, though no one can be blamed for not using autotools), but after looking at the code it seems not so bad:

    • the code is reasonably clean
    • it builds fine on x86 or x86_64 platforms
    • the code is provided with a decent list of identified protocols
    • the demo uses pcap files

    There are a few minor annoyances:

    • the provided lib is a static lib … building a shared library would be better!
    • the build system is pretty awful: it rebuilds everything each time, without dependency tracking, and has no install target, etc.
    • no docs (looking at the demo file was sufficient to understand most of the functions).
    • no proper website, forums or whatever. I'm sure it will get better in the future
    • pcap only

    This last point was the most annoying to me, so I …

  6. New Syslog RFCs

    Date Wed 27 May 2009 Tags Logs

    Several new RFCs for syslog have been issued in March:

    So what are the improvements since the previous RFC (3164), especially in RFC 5424:

    1. Section 5.1, "Minimum Required Transport Mapping":

      All implementations of this specification MUST support a TLS-based transport as described in RFC5425.

      Yay! So they discovered TLS, that's great. Especially since RFC 5425 supports certificate authentication (section 4.2.1), certificate path validation, fingerprints, etc.
    2. Improved timestamps (section 6.2.3), with support for fractional seconds (down to microseconds), time zones and UTC offsets
    3. Section 6.3 describes structured data (name-value pairs)
    4. Section 7: Structured Data IDs. This allows using an enterprise ID (registered with the IANA) for the structured data elements
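A parser for the parts of RFC 5424 listed above, as an added example that is not from the post: the timestamp with fractional seconds and UTC offset, the structured-data elements with their escaping rules, and the enterprise number carried in an SD-ID. The sample messages are constructed here after the RFC's own examples; the UTF-8 BOM the RFC places before a Unicode MSG is left out.

```python
r"""Parser for the RFC 5424 header and STRUCTURED-DATA field.

Added example, not from the post. It covers the RFC 3339 TIMESTAMP with
fractional seconds and UTC offsets, SD-ELEMENTs of name-value pairs (with
the \", \\ and \] escapes the RFC defines), and SD-IDs carrying an IANA
enterprise number after '@'. SAMPLES are constructed, modelled on the RFC's
examples, without the BOM.
"""
import re
from datetime import datetime, timedelta, timezone

HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) (?P<timestamp>\S+) "
    r"(?P<hostname>\S+) (?P<appname>\S+) (?P<procid>\S+) (?P<msgid>\S+) ")
TS_RE = re.compile(
    r"^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})(?:\.(\d{1,6}))?"
    r"(Z|[+-]\d{2}:\d{2})$")


def parse_timestamp(ts):
    """RFC 5424 TIMESTAMP -> aware datetime (None for the NILVALUE '-')."""
    if ts == "-":
        return None
    m = TS_RE.match(ts)
    if not m:
        raise ValueError("bad TIMESTAMP: %r" % ts)
    y, mo, d, h, mi, s, frac, tz = m.groups()
    micro = int((frac or "0").ljust(6, "0"))      # TIME-SECFRAC: up to 6 digits
    if tz == "Z":
        tzinfo = timezone.utc
    else:
        off = timedelta(hours=int(tz[1:3]), minutes=int(tz[4:6]))
        tzinfo = timezone(off if tz[0] == "+" else -off)
    return datetime(int(y), int(mo), int(d), int(h), int(mi), int(s), micro, tzinfo)


def enterprise_id(sd_id):
    """IANA Private Enterprise Number of an SD-ID like 'meta@32473', else None."""
    _name, sep, pen = sd_id.partition("@")
    return int(pen) if sep else None


def parse_structured_data(text):
    """Parse STRUCTURED-DATA at the start of text.
    Returns ({SD-ID: {PARAM-NAME: PARAM-VALUE}}, remaining MSG)."""
    if text == "-" or text.startswith("- "):
        return {}, text[2:]
    elements, i = {}, 0
    try:
        while i < len(text) and text[i] == "[":
            start = j = i + 1
            while text[j] not in " ]":             # SD-ID ends at SP or ']'
                j += 1
            sd_id, params, i = text[start:j], {}, j
            while text[i] == " ":                  # one SD-PARAM per SP
                i += 1
                eq = text.index("=", i)
                name = text[i:eq]
                if text[eq + 1] != '"':
                    raise ValueError("PARAM-VALUE must be quoted")
                k, value = eq + 2, []
                while text[k] != '"':
                    if text[k] == "\\" and text[k + 1] in '"\\]':
                        k += 1                     # the three RFC escapes
                    value.append(text[k])
                    k += 1
                params[name] = "".join(value)
                i = k + 1
            if text[i] != "]":
                raise ValueError("SD-ELEMENT not closed")
            elements[sd_id] = params
            i += 1
    except IndexError:
        raise ValueError("truncated STRUCTURED-DATA") from None
    if not elements:
        raise ValueError("STRUCTURED-DATA must be '-' or SD-ELEMENTs")
    rest = text[i:]
    return elements, rest[1:] if rest.startswith(" ") else rest


def parse_message(line):
    """Parse one RFC 5424 message into a dict; raises ValueError if malformed."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not an RFC 5424 header: %r" % line[:40])
    pri = int(m["pri"])
    if pri > 191:
        raise ValueError("PRI out of range")
    facility, severity = divmod(pri, 8)
    sd, msg = parse_structured_data(line[m.end():])
    return {"facility": facility, "severity": severity, "version": int(m["version"]),
            "timestamp": parse_timestamp(m["timestamp"]), "hostname": m["hostname"],
            "appname": m["appname"], "procid": m["procid"], "msgid": m["msgid"],
            "structured_data": sd, "msg": msg}


SAMPLES = [  # constructed, after the RFC 5424 examples (BOM removed)
    '<34>1 2003-10-11T22:14:15.003Z mymachine.example.com su - ID47 - '
    "'su root' failed for lonvick on /dev/pts/8",
    '<165>1 2003-10-11T22:14:15.003Z mymachine.example.com evntslog - ID47 '
    '[exampleSDID@32473 iut="3" eventSource="Application" eventID="1011"] '
    'An application event log entry',
    r'<13>1 2009-05-27T10:00:00.123456+02:00 host app 1234 - '
    r'[meta@32473 path="C:\\dir\]x" note="a \"quoted\" value"][origin ip="10.0.0.1"] hello',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(parse_message(sample))
```

Anything that does not fit the grammar raises ValueError rather than being guessed at; in a collector that is the point to route the line to a raw-text fallback instead of silently storing a half-parsed event.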

    However, nothing really useful on reliability (resending events, making sure they were delivered, etc.) except the very poor (and useless) section 8.5, which only acknowledges the lack of support :/ Well, Prelude IDS does that pretty well.

    Also, nothing on taxonomy, though it may be improved with structured data. However, that would require a good definition of events …

  7. New GPG Key

    Date Wed 20 May 2009 Tags GPG

    Partly because of the latest theoretical attack against the SHA-1 digest algorithm (details), I created a new GPG key:

    sec   4096R/F1393998 2009-05-10
    uid                  Pierre Chifflier <chifflier@gmail.com>
    uid                  Pierre Chifflier <chifflier@inl.fr>
    uid                  Pierre Chifflier <pollux@debian.org>
    uid                  pollux <pollux@wzdftpd.net>
    uid                  Pierre Chifflier <chifflier@cpe.fr>
    

    It's signed with my old key 0x8D5F40CB, has been uploaded to the keyservers, and will replace my old key.

  8. libnetfilter-{queue,log} bindings release

    I just released nfqueue-bindings 0.2 and nflog-bindings 0.1. Despite the different version numbers, the functions are almost the same :)

    Here is a short changelog since the previous version:

    Add af_family argument to bind operations (allow IPv6 binds)
    Add notes on set_queue_maxlen requiring a kernel >= 2.6.20
    bugfix: use queue number when creating queue
    bugfix: really link Perl binding to Perl library 
    Fix cmake warning
    

    Get them on nfqueue-bindings and nflog-bindings.

