1. NFQueue bindings (2)

    The code for nfqueue-bindings is now almost ready; I have made some progress since last week:

    • you can now modify packets live and hand the modified packet back to the kernel together with the verdict
    • more functions are wrapped, and the queue can now be created with a single function call
    • more examples

    I presented a special script at SSTIC that uses the weather to decide whether a packet should be accepted or dropped :) While the usefulness of the module still has to be proven, it is a good example of how easy the new bindings are to use.

    The slides can be found online here, and contain some code examples (with some funny things ;). They are in French, but they should be quite easy to understand.

    Random ideas:

    • The Netfilter workshop will be held in Paris from 30 September to 3 October 2008.
    • Eric presented nf3d, a nice tool for viewing netfilter logs (from ulogd2) in 3D.

    Gamers will recognize a nice attempt to turn network logs into Guitar Hero tracks ;)

    read more
  2. NFQueue bindings

    I am currently working (amongst other projects ..) on nfqueue-bindings, a set of high-level modules for several languages (Python and Perl for the moment) on top of libnetfilter_queue.

    The goal is to provide a library that gives access to the packets queued by the kernel packet filter (the NFQUEUE target). For more details, see the nfqueue-bindings project site.

    Current state

    Currently, you can:

    • use the module from Perl or Python
    • create a queue connected to netfilter
    • register a callback
    • access the contents of the packet. As I do not want to redo what has already been done many times, I use other libraries to decode the packet:
      • NetPacket::IP for Perl
      • dpkt for Python
      • If you know of other libraries, please let me know.
    • set the verdict (decision) to ACCEPT or DROP for the packet

    I have written some scripts to show what can be done in a few lines of code. The current examples are:

    I will make a release as soon as the code is stable (and can be installed).

    Examples

    Create and bind the queue (Perl)

    use nfqueue;
    
    use …
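    The flow described in the two posts above (create a queue, register a callback, decide on the packet, optionally rewrite it and return the verdict) as one added example. This is not code from the nfqueue-bindings project: the IPv4 header is decoded by hand with struct instead of dpkt so the verdict policy, the checksum routine and the packet rewrite can be exercised offline; the blocked address, TTL limits and queue number are made-up policy for the example; and the nfqueue calls at the bottom (queue(), open(), bind(), set_callback(), create_queue(), try_run(), payload.get_data(), set_verdict(), set_verdict_modified()) follow the bindings' Python API as recalled and are the only part that needs root and a live NFQUEUE rule.

```python
"""Verdict and live-rewrite logic for packets delivered by nfqueue-bindings.

Added example (not from the nfqueue-bindings project).  Written for Python 3;
the nfqueue hook-up in __main__ assumes the bindings' Python API as recalled.
"""
import socket
import struct

# Verdict values as used by libnetfilter_queue (the bindings re-export them
# as nfqueue.NF_ACCEPT / nfqueue.NF_DROP).
NF_DROP = 0
NF_ACCEPT = 1

# Example policy (constructed for this example): one blocked source address
# from TEST-NET-1 and a minimum TTL below which packets are dropped.
BLOCKED_SRC = {"192.0.2.66"}
MIN_TTL = 8


def ipv4_checksum(header):
    """RFC 791 one's-complement checksum over an IPv4 header (bytes)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(data):
    """Return (src, dst, ttl, proto, header_len) or None if not a sane IPv4 header."""
    if len(data) < 20:
        return None
    vihl, _tos, _tlen, _ident, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", data[:20])
    if vihl >> 4 != 4:
        return None
    ihl = (vihl & 0x0F) * 4
    if ihl < 20 or len(data) < ihl:
        return None
    return socket.inet_ntoa(src), socket.inet_ntoa(dst), ttl, proto, ihl


def decide(data):
    """Return (verdict, new_data); new_data is None when the packet is unchanged."""
    parsed = parse_ipv4(data)
    if parsed is None:
        return NF_DROP, None          # truncated or not IPv4: refuse it
    src, _dst, ttl, _proto, ihl = parsed
    if src in BLOCKED_SRC or ttl < MIN_TTL:
        return NF_DROP, None
    if ttl > 64:
        # Live modification: clamp the TTL, then recompute the header checksum
        # ourselves so the rewritten packet is still valid on the wire.
        hdr = bytearray(data[:ihl])
        hdr[8] = 64
        hdr[10:12] = b"\x00\x00"
        hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
        return NF_ACCEPT, bytes(hdr) + data[ihl:]
    return NF_ACCEPT, None


def callback(payload):
    """nfqueue-bindings callback, invoked once per queued packet."""
    verdict, new_data = decide(payload.get_data())
    if new_data is None:
        payload.set_verdict(verdict)
    else:
        payload.set_verdict_modified(verdict, new_data, len(new_data))


def build_ipv4(src, dst, ttl=128, proto=17, payload=b""):
    """Constructed test packet: minimal 20-byte IPv4 header with a valid checksum."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                                0x1234, 0x4000, ttl, proto, 0,
                                socket.inet_aton(src), socket.inet_aton(dst)))
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + payload


if __name__ == "__main__":
    # Needs root and a matching rule, e.g.
    #   iptables -A INPUT -p udp -j NFQUEUE --queue-num 0
    import nfqueue
    q = nfqueue.queue()
    q.open()
    q.bind(socket.AF_INET)
    q.set_callback(callback)
    q.create_queue(0)
    try:
        q.try_run()
    except KeyboardInterrupt:
        pass
    q.unbind(socket.AF_INET)
    q.close()
```

    The queue number passed to create_queue() must match --queue-num in the iptables rule. A packet returned with set_verdict_modified() is re-injected as-is, which is why the script recomputes the IPv4 header checksum itself instead of relying on the kernel to do it; the same applies to the transport checksum if you touch the payload.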
    read more
  3. Next-generation firewall

    A firewall has to tell the difference between good and bad packets, and for this nothing beats a human! (French readers could add that it is the same difference as between good and bad hunters.)

    So the next-generation firewall will be:

    • better than stateful inspection
    • better than layer 7 analysis
    • able to handle encrypted traffic
    • able to detect malware, suspicious traffic, viruses, etc.

    Preview screenshot:

    wolfotrack

    Source code should be released on Monday, on the Netfilter mailing lists. Stay tuned!

    read more
  4. gcc security features (part 2)

    (See part 1)

    Remember: you must compile with -O2 if you want the checks to be effective

    DEB_BUILD_HARDENING_FORTIFY (gcc/g++ -D_FORTIFY_SOURCE=2)

    The idea behind FORTIFY_SOURCE is relatively simple: there are cases where the compiler can know the size of a buffer (if it is a fixed-size buffer on the stack, as in the example, or if the buffer has just come from a malloc() call). With a known buffer size, the functions that operate on the buffer can check that it will not overflow: gcc replaces the call with a checking variant from glibc (for strcpy, __strcpy_chk) that receives the compiler-determined size and aborts the program when the copy would exceed it.

    Example:

    #include <string.h>

    void foo(char *string)
    {
        char buf[20];           /* fixed-size stack buffer: gcc knows its size */
        strcpy(buf, string);    /* unbounded copy: overflows when strlen(string) >= 20 */
    }
    

    Without the checks, execution simply crashes:

    [home ~/harden] ./bad $(perl -e 'print "A"x100')
    zsh: segmentation fault  ./bad $(perl -e 'print "A"x100')
    

    When compiling with -D_FORTIFY_SOURCE=2, gcc adds checks that detect the overflow and terminate the program before the return address is used:

    [home ~/harden] DEB_BUILD_HARDENING=1 make
    [home ~/harden] ./bad $(perl -e 'print "A"x100')
    
    *** buffer overflow detected ***: ./bad terminated
    ======= Backtrace: =========
    /lib/libc.so.6(__fortify_fail+0x37)[0x2ba8d18fb787]
    /lib/libc.so.6[0x2ba8d18f9e70]
    ./bad(main+0x26)[0x555555554856]
    /lib/libc.so.6(__libc_start_main+0xf4)[0x2ba8d18411c4]
    ./bad[0x555555554789]
    ======= Memory map:  ========
    2ba8d1607000-2ba8d1622000 r-xp 00000000 03:01 468316                     /lib/ld-2.7.so
    2ba8d1622000-2ba8d1625000 rw-p 2ba8d1622000 00:00 0 
    2ba8d1821000-2ba8d1823000 rw-p 0001a000 …
    read more
  5. ulogd2: the new userspace logging daemon for netfilter/iptables (part 2)

    This article explains how to build, install and configure ulogd 2 for use with netfilter/iptables. It explains how to use plugins to store logs in databases (MySQL and PostgreSQL), how to use plugins to filter data, and gives some iptables rules to log packets.

    Get the sources

    You can use the official repository:

    git clone git://git.netfilter.org/ulogd2.git/
    

    Prerequisites

    Build

    Use the standard autotools method to configure, build and install:

    ./autogen.sh
    ./configure --prefix=/path/to/prefix
    make
    sudo make install
    

    Configuration

    Edit ulogd.conf

    1. enable plugins

    You will have to choose the input and output plugins according to your setup. NFLOG is present in recent kernels (and iptables installations), and should be preferred whenever it is available.

    • Input plugin: ULOG or NFLOG
    • Output: MySQL or PostgreSQL

    You have to enable the corresponding plugins in the configuration before you can use them:

    plugin="/path/to/prefix/lib/ulogd/ulogd_inppkt_ULOG.so"
    plugin="/path/to/prefix/lib/ulogd/ulogd_output_MYSQL.so"
    

    See “Stack configuration” later.

    2. Build the stack

    For MySQL, we will use a very simple plugin stack. As MySQL is quite inefficient in storing IP addresses (and …
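    As an added illustration of what a complete stack looks like in ulogd.conf (my own example assembled from the plugin names ulogd2 ships with, not the configuration from the post; the prefix path, NFLOG group, database name and credentials are placeholders to replace):

```ini
# Load every plugin the stack below refers to.
plugin="/path/to/prefix/lib/ulogd/ulogd_inppkt_NFLOG.so"
plugin="/path/to/prefix/lib/ulogd/ulogd_raw2packet_BASE.so"
plugin="/path/to/prefix/lib/ulogd/ulogd_filter_IFINDEX.so"
plugin="/path/to/prefix/lib/ulogd/ulogd_filter_IP2BIN.so"
plugin="/path/to/prefix/lib/ulogd/ulogd_filter_HWHDR.so"
plugin="/path/to/prefix/lib/ulogd/ulogd_output_MYSQL.so"

# A stack is an ordered chain: one input, any filters, one output.
# Each "name:PLUGIN" pair is an instance; its options live in [name] below.
# IP2BIN hands the addresses to MySQL as binary strings; for the PostgreSQL
# output, which has a native inet type, IP2STR is the usual choice instead.
stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2bin1:IP2BIN,mac2str1:HWHDR,mysql1:MYSQL

[log1]
# Must match --nflog-group in the iptables rule.
group=0

[mysql1]
db="ulog"
host="localhost"
user="ulog"
pass="changeme"
table="ulog"
procedure="INSERT_PACKET_FULL"
```

    The matching rule is of the form `iptables -A INPUT -j NFLOG --nflog-group 0`; the schema and the INSERT_PACKET_FULL procedure come from the SQL file shipped in the ulogd2 doc/ directory and must be loaded before starting the daemon. Keep the file readable only by the user ulogd runs as, since it carries the database password.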

    read more
  6. BlackHat 2008 materials

    The Black Hat Europe 2008 Media Archives are now online. I wasn't there, but the archives contain some interesting material:

    • Spam-Evolution
    • LDAP Injection & Blind LDAP Injection (see my post)
    • New Viral Threats of PDF Language
    • 0-Day Patch - Exposing Vendors (In)Security Performance
    • Client-side Security
    • Attacking Anti-Virus (there was a presentation on the same subject at CanSecWest and Hack.lu)
    • Investigating Individuals and Organizations Using Open Source Intelligence
    • DTRACE: The Reverse Engineer’s Unexpected Swiss Army Knife

    Related links:

    read more
  7. gcc security features (part 1)

    Since recent versions (>= 4.0, maybe earlier), gcc (and ld) have some nice security features. Debian has created a wrapper for the toolchain to make these features easy to use.

    To install the wrapper, run:

    apt-get install hardening-wrapper
    

    To enable the hardening features, export the environment variable:

    export DEB_BUILD_HARDENING=1
    

    The features include additional checks on printf-like functions, the stack protector, position-independent executables (PIE) so that address-space layout randomization (ASLR) applies to the program itself, marking ELF sections read-only after relocation (RELRO) when possible, etc.

    Please note that you must compile with *-O2* if you want the checks to be effective

    DEB_BUILD_HARDENING_FORMAT (gcc/g++ -Wformat -Wformat-security)

    Asks gcc to perform additional checks on format strings, to prevent format string attacks.

    The following code, for example:

    printf(buf);
    

    will result in a warning:

    [home ~/harden] DEB_BUILD_HARDENING=1 make
    gcc     bad.c   -o bad
    bad.c: In function ‘main’:
    bad.c:10: warning: format not a string literal and no format arguments
    

    Why is this code vulnerable? Because the buffer (buf) may contain format directives such as %s or %x; printf will interpret them and pop arguments from the stack, which leaks memory or crashes the program, and with %n an attacker can write to memory and achieve arbitrary code execution.

    Solution:

    • Replace the previous code with
    printf("%s",buf);
    
    • Remember this …
    read more
  8. CanSecWest 2008

    cansec

    Sébastien and I gave a presentation on IDS Correlation: A Weapon of Mass Investigation (slides) at CanSecWest.

    Most of the presentations were very interesting, including attacks against anti-virus software (they are the most interesting targets, imho: they run with system privileges, include parsers for many protocols, are present on almost all machines, etc.), secure programming with gcc and glibc, Snort 3 (our presentation was right after Marty's), fuzzing with Peach, and some others I do not remember at the moment.

    We also gave two lightning talks, one on the Authenticating Firewall NuFW (slides here) and one on the Signatures.NU project (slides here).

    cansec_nufw

    We even won a beer for doing the presentation :)

    After so much work (and eating so much sushi, with a delicious wild salmon), we went skiing in Whistler, which was great.

    whistler

    Many thanks to all the people from the conference and to all who helped us !

    Some links:

    read more
  9. Prelude quick install

    To install Prelude, the hybrid IDS (or meta-IDS), on Debian in less than ten minutes, just use the packages:

    • install a database (PostgreSQL or MySQL)
    • install the Prelude manager, all needed packages will be installed automatically
    apt-get install prelude-manager
    
    • during the installation, dbconfig will ask whether to configure the database. Say yes and give the parameters. dbconfig will create a new user, set a password, create the SQL schema and configure prelude-manager to use it.

    This should be enough for the manager. You will have to change the manager's listen address (the default is restricted to localhost) if sensors on other hosts must reach it over the network.

    To add agents (sensors), install the package and register a new profile for each sensor. For example:

    apt-get install prelude-lml
    apt-get install snort
    

    Create a new profile:

    prelude-admin register prelude-lml "idmef:w" <manager address> --uid 0 --gid 0
    ...
    prelude-admin register snort "idmef:w" <manager address> --uid 0 --gid 0
    ...
    

    Follow the instructions for the registration.

    Check the address of the manager in the config (global file is /etc/prelude/default/client.conf):

    server-addr = 192.168.1.1
    

    For a complete installation guide (with explanations) including the web interface Prewikka, look at the Prelude …

    read more

« Page 5 / 7 »