Subject: Visualisation appliquée à la détection d’intrusion (which
can roughly be translated to "visualisation applied to intrusion
detection"). The slides can be found on the list of presentation
materials.
The talk covered our work over the past year on intrusion detection:
the proposed implementation of a correlator, some explanations of
classifications and their current limitations, and how some graphs can
help, especially the parallel-axes representation.
Ulogd (and also ulogd2) is a powerful and flexible logging system for
Netfilter/Iptables, based on a plugin system. It allows, for example,
logging packets to a SQL database and analysing them through an
interface (see Nulog2).
Architecture
Ulogd2 combines plugins to create a stack, where each plugin is chained
to another. There are three types of plugins:
Source
Filter
Output
A stack must have exactly one source and one output (but it can have
several filters). Several stacks can be defined in the configuration.
Each plugin has a type (for example, PGSQL) and must be instantiated
(using a name chosen by the user). Each instance is a particular
configuration of the plugin, with its own parameters. This way, we are
able to output data in several formats using different stacks.
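As an added illustration of the stack rule above (this is example code written for this page, not part of ulogd2 itself), the following Python script parses the [global] section of a constructed ulogd.conf fragment and checks each stack: exactly one source plugin first, exactly one output plugin last, and only filters in between. It assumes that a plugin's category can be read from its shared object name, ulogd_<category>_<NAME>.so, which is how ulogd2's own plugins are named.

```python
import re

# Constructed sample ulogd.conf fragment (not from the original post):
# the first stack is well-formed, the second is deliberately broken
# (no source plugin, two output plugins).
SAMPLE_CONF = """
[global]
plugin="/usr/lib/ulogd/ulogd_inppkt_NFLOG.so"
plugin="/usr/lib/ulogd/ulogd_raw2packet_BASE.so"
plugin="/usr/lib/ulogd/ulogd_filter_IFINDEX.so"
plugin="/usr/lib/ulogd/ulogd_output_LOGEMU.so"
plugin="/usr/lib/ulogd/ulogd_output_PGSQL.so"
stack=log1:NFLOG,base1:BASE,if1:IFINDEX,emu1:LOGEMU
stack=base2:BASE,emu2:LOGEMU,pgsql1:PGSQL

[log1]
group=0

[emu1]
file="/var/log/ulog/syslogemu.log"
"""

# Assumption: the plugin category is taken from the shared object's name,
# ulogd_<category>_<NAME>.so, following the naming of ulogd2's own plugins.
_CATEGORY = {"inppkt": "source", "inpflow": "source",
             "raw2packet": "filter", "filter": "filter",
             "output": "output"}
_PLUGIN_RE = re.compile(r'^plugin="(?:.*/)?ulogd_([a-z0-9]+)_([A-Za-z0-9]+)\.so"$')
_STACK_RE = re.compile(r"^stack=(.+)$")


def parse_global(conf):
    """Return (plugin name -> category, list of stacks); a stack is a list of (instance, plugin)."""
    types, stacks = {}, []
    for line in conf.splitlines():
        line = line.strip()
        m = _PLUGIN_RE.match(line)
        if m:
            types[m.group(2)] = _CATEGORY.get(m.group(1), "unknown")
            continue
        m = _STACK_RE.match(line)
        if m:
            stack = []
            for item in m.group(1).split(","):
                inst, plug = item.strip().split(":")
                stack.append((inst, plug))
            stacks.append(stack)
    return types, stacks


def check_stack(stack, types):
    """Apply the rule from the text: one source (first), one output (last), filters in between.
    Returns a list of problems; an empty list means the stack is well-formed."""
    problems = []
    kinds = [types.get(plug, "unknown") for _, plug in stack]
    for (inst, plug), kind in zip(stack, kinds):
        if kind == "unknown":
            problems.append(f"{inst}: plugin {plug} not loaded in [global]")
    if kinds.count("source") != 1:
        problems.append(f"expected exactly one source plugin, found {kinds.count('source')}")
    if kinds.count("output") != 1:
        problems.append(f"expected exactly one output plugin, found {kinds.count('output')}")
    if kinds and kinds[0] != "source":
        problems.append("stack must start with the source plugin")
    if kinds and kinds[-1] != "output":
        problems.append("stack must end with the output plugin")
    for (inst, plug), kind in list(zip(stack, kinds))[1:-1]:
        if kind != "filter":
            problems.append(f"{inst}: {kind} plugin in the middle of the stack")
    return problems


def check_conf(conf):
    """Check every stack declared in the configuration; one problem list per stack."""
    types, stacks = parse_global(conf)
    return [check_stack(s, types) for s in stacks]


if __name__ == "__main__":
    for i, probs in enumerate(check_conf(SAMPLE_CONF), 1):
        print(f"stack {i}: " + ("ok" if not probs else "; ".join(probs)))
```

Running the script reports the first stack as ok and lists four problems for the second one, which is the kind of mistake that otherwise only shows up when the daemon refuses to start.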
Fusil is a fuzzing framework designed to expose bugs in software by
changing random bits of its input.
It helps to start a process with a prepared environment (memory limit,
environment variables, redirected stdout, etc.), start a network client
or server, and create mangled files. Fusil has many probes to detect a
program crash: watch the process exit code, watch the process stdout and
syslog for text patterns (e.g. "segmentation fault"), watch the session
duration, watch CPU usage (process and system load), etc.
Fusil is based on a modular architecture. It computes a session score
used to guess fuzzing parameters, such as the number of errors injected
into input files.
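To show how the pieces described above fit together (mangling input, running the target under probes, scoring the session and adapting the number of injected errors), here is a small Python example added for this page. It is not Fusil's own code or API: the target is a constructed toy parser with a deliberate truncation bug, the probes run in-process instead of watching a child process, and the scoring and adaptation rules are simplified stand-ins for Fusil's.

```python
import random
import re
import time

# Constructed toy target standing in for the program under test (not Fusil code).
MAGIC = 0x7F


def parse_message(data: bytes) -> int:
    """Format: <magic><nfields><field bytes...>. Returns the number of fields.
    A bad magic is rejected with ValueError (expected behaviour), but nfields is
    trusted, so a truncated message raises IndexError: the bug fuzzing should find."""
    if not data or data[0] != MAGIC:
        raise ValueError("bad magic")
    nfields = data[1]  # IndexError here too if the message is a single byte
    fields = [data[2 + i] for i in range(nfields)]
    return len(fields)


def mangle(data: bytes, nerrors: int, rng: random.Random) -> bytes:
    """Flip nerrors random bits of data (the 'change random bits of its input' idea)."""
    buf = bytearray(data)
    for _ in range(nerrors):
        i = rng.randrange(len(buf) * 8)
        buf[i // 8] ^= 1 << (i % 8)
    return bytes(buf)


# Text patterns the stdout/syslog probe looks for (assumed list, not Fusil's).
CRASH_PATTERN = re.compile(r"index out of range|segmentation fault", re.I)


def run_session(data: bytes, max_duration: float = 0.5) -> dict:
    """Run the target once under the probes; return what they saw and a score in [-1, 1]."""
    start = time.monotonic()
    outcome, message = "ok", ""
    try:
        parse_message(data)
    except ValueError as exc:      # expected rejection, like a clean non-zero exit code
        outcome, message = "rejected", str(exc)
    except Exception as exc:       # anything else is the in-process analogue of a crash
        outcome, message = "crash", f"{type(exc).__name__}: {exc}"
    duration = time.monotonic() - start
    score = {"ok": -0.2, "rejected": 0.0, "crash": 0.8}[outcome]
    if CRASH_PATTERN.search(message):  # text-pattern probe
        score = 1.0
    if duration > max_duration:        # session-duration probe
        score = max(score, 0.5)
    return {"outcome": outcome, "message": message, "duration": duration, "score": score}


def fuzz(seed_input: bytes, sessions: int, seed: int = 0, max_errors: int = 4) -> list:
    """Fuzz loop: mangle, run, keep interesting sessions, adapt nerrors from the score."""
    rng = random.Random(seed)
    nerrors = 1
    findings = []
    for _ in range(sessions):
        data = mangle(seed_input, nerrors, rng)
        result = run_session(data)
        if result["score"] >= 0.5:
            findings.append((data, result))
        # Simplified adaptation: an interesting session resets the mutation rate,
        # a boring one injects one more error next time, up to max_errors.
        nerrors = 1 if result["score"] > 0 else min(nerrors + 1, max_errors)
    return findings


if __name__ == "__main__":
    for data, result in fuzz(b"\x7f\x03abc", 50)[:3]:
        print(data.hex(), result["outcome"], result["message"], result["score"])
```

The valid seed message has three fields; flipping a high bit of the field-count byte makes the parser read past the end of the message, which the exception probe reports as a crash and the pattern probe upgrades to the maximum score.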
The next major release of FreeBSD, 7.0, will be out soon. There are
many nice improvements:
TCP socket buffers auto-sizing
SCTP (Stream Control Transmission Protocol)
Link aggregation / trunking
New scheduler: ULE 2.0 / 3.0
Most GIANT lock uses have been removed (increasing SMP/multi-thread efficiency)
ZFS support
Security event auditing
New privilege separation capabilities
SATA support
pf firewall updated to 4.1
Upgrade to gcc 4.2
Installation
The installation of 7.0rc2 in VirtualBox went smoothly, except for the
network part. The installer itself has not changed, so I won’t give details …
For the network, there is a bug (not sure whether it’s VirtualBox or
FreeBSD 7; the bug was reported
here) which prevents
the network from working. The solution is to force the media type:
ifconfig pcn0 media 10baseT/UTP
For automatic configuration of the interface at startup, edit /etc/rc.conf:
ifconfig_pcn0="inet 192.168.1.66 netmask 255.255.255.0 media 10baseT/UTP"
ANSI C requires all uninitialized static and global variables to be
initialized to 0 (§6.7.8 of the C99 standard). This means you can
rely on the following behavior:
#include <stdio.h>

int global;   /* no initializer: the standard guarantees it starts at 0 */

void function(void) {
    printf("%d\n", global);
}
This will print 0, and it is guaranteed by the standard.
However, this is not done by the compiler. All you will be able to
see is that the variable is put in the .bss section:
08049560 l O .bss 00000004 static_var.1279
08049564 g O .bss 00000004 global_var
It is the startup code run before main(), not the compiler, which initializes the variables.
The C compiler usually puts variables that are supposed to be
initialized with 0 in the .bss section instead of the .data section.
Unlike the .data section, the .bss section does not contain actual
data; it just specifies the size of all elements it contains. The C
compiler just *assumes* that the linker, loader, or the startup code
of the C library initializes this block of memory with 0. This is an
optimization; .data elements occupy space in the image (or ROM or flash
memory) and in RAM whereas .bss elements need to occupy RAM space only
if …
Starting from Lenny, apt supports the https transport for apt repositories.
Before, this would give the error:
# apt-get update
E: The method driver /usr/lib/apt/methods/https could not be found.
On Lenny (and unstable), install the apt-transport-https package:
apt-get install apt-transport-https
And https repositories will now work.
There is no current backport for Etch on backports.org, because the hack
for the transport is quite intrusive and requires some deep modifications
in the entire apt code. Maybe another site will propose
it?
Note: it seems there is currently no way to check the certificate or to
configure trusted certificates. This is a good step towards security
anyway. Remember: always use trusted repositories (signed with a
trusted key - see man apt-key for more information).
While searching for some security papers, I’ve been looking for
something about LDAP injections.
Let’s have a look at what OWASP says on their
site:
The same advanced exploitation techniques available in SQL Injection
can be similarly applied in LDAP Injection.
There is a problem here: there are some big differences between SQL
and LDAP, which lead to differences in security:
in SQL, commands and values are expressed in the same input (a
string containing a command), and several commands can be specified in
one string:
"SELECT field FROM table WHERE ...; DROP TABLE xx;"
while in LDAP, the filter contains only filter parameters, in a
specific representation (RFC
2254). This
representation uses a prefix form (the boolean operator comes before
the fields), and each field must be enclosed in parentheses:
"( & (uid=john.doe) (objectClass=person) )"
OWASP gives some examples, for a filter (cn=%s):
If a user puts “*” in the search box, the system may return all the
usernames in the LDAP base
If a user puts “jonys) (| (password = * ) )”, it will generate the
code below revealing jonys’ password
What? One could make an application display the password?!
The first line is true: any filter like (uid=*) will return all users
having …
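To make the difference between the two representations concrete, here is an added Python example (written for this page, not part of the original post or of OWASP's material). It escapes a user-supplied value according to section 4 of RFC 2254 before inserting it into the (cn=%s) filter from the OWASP example, and counts the top-level parenthesised items of the resulting string, which for a well-formed filter is exactly one. The value strings reused from the OWASP example are the ones quoted above; everything else is constructed.

```python
# RFC 2254 section 4: these characters must be escaped inside an attribute
# value as a backslash followed by two hex digits.
_LDAP_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter assertion."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def build_cn_filter(user_input: str) -> str:
    """The (cn=%s) filter from the OWASP example, built with escaping."""
    return "(cn=%s)" % escape_filter_value(user_input)


def build_cn_filter_naive(user_input: str) -> str:
    """The same filter with raw string interpolation, kept only for comparison."""
    return "(cn=%s)" % user_input


def count_top_level_filters(filter_str: str) -> int:
    """Count the top-level parenthesised items in a filter string.

    A single well-formed filter has exactly one. Returns -1 when the
    parentheses are unbalanced. Escaped parentheses (written \\28 and \\29)
    are ordinary characters and are not counted."""
    depth = 0
    top = 0
    for ch in filter_str:
        if ch == "(":
            if depth == 0:
                top += 1
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return -1
    return top if depth == 0 else -1


if __name__ == "__main__":
    for value in ("john.doe", "*", "jonys) (| (password = * ) )"):
        safe = build_cn_filter(value)
        raw = build_cn_filter_naive(value)
        print(f"{value!r:35} escaped: {safe} ({count_top_level_filters(safe)} item)")
        print(f"{'':35} raw:     {raw} ({count_top_level_filters(raw)} item)")
```

With escaping, the "*" becomes \2a and is matched literally rather than as a wildcard, and the string with embedded parentheses stays a single (cn=...) assertion; the raw interpolation of that same string leaves an unbalanced filter, which a server should reject rather than evaluate.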
Quilt is a nice tool to manage series of patches, and is particularly
suited to Subversion (it is not very useful for git, where the concept of
a patch series is built in). It can manage dependent patches, editing,
refreshing patches after a code change, etc.
Start by telling quilt where to store patches:
$ export QUILT_PATCHES=debian/patches
Quilt will create the directory automatically when creating the first patch.
Now, suppose we want to create a new patch, called my_nice_patch:
$ quilt new my_nice_patch
Patch my_nice_patch is now on top
“On top”? Quilt manages patches as a stack, so you will have to
push patches to apply them, and pop them to unapply. Now that we have a
patch name, we have to mark the files we will modify in this patch:
$ quilt add reports.py gather.py
File reports.py added to patch my_nice_patch
File gather.py added to patch my_nice_patch
So far so good. Three commands, and we have done nothing :) Files can be
modified using your favorite editor (subliminal hint: vim), as usual. At
any moment, you can get the diff between your modifications and the
unpatched files: