Archive for the ‘Debian’ Category

Dec 26

I also got time to put together a package for the latest version of Suricata, namely 1.1 beta1.

My plan was to stick to a stable version when OISF released 1.0.3, but they skipped that and went for a 1.1 release instead.
As I also try to help out where I can, I don't mind running beta software and reporting bugs when I find them. I'll probably pack beta2 and so on until OISF hits a stable release, and then I'll stick with that in my gamelinux PPA. So until then, I hope you try out Suricata with me on the quest for a stable release :)

Read more about Suricata 1.1 beta 1 here.

Dec 26

Well, I did get a spare hour to play today, so I packed updated versions of Snort and DAQ, namely Snort-2.9.0.3 and daq-0.5.

You can read some more details about my last build of the packages here.

My PPA can be found here.

Comments and suggestions are welcome :)

Dec 19

Moving to the new Snort 2.9 version adds a dependency on a new library, namely DAQ (Data Acquisition library), for packet I/O.

So the extra work of packaging a new deb (daq) and checking that the Snort debian files were still compliant with the new version made me debianize Suricata instead, as I saw that as the quicker way to get an IDS up and running on my new firewall at home.

Now that I have Suricata in place, had some extra time last night, and see people struggling to install or upgrade to Snort 2.9 on Ubuntu, I could not help myself trying to be helpful, again…

So I made Debian packages and put them in my Ubuntu 10.04 Lucid PPA on Launchpad. I started a new clean Debian package for Snort. It's not yet packed with "debian-easy-features", so it just installs Snort, makes the directories and adds some default configuration files. I will improve this as I go.

DAQ is built with:

Build AFPacket DAQ module.. : yes
Build Dump DAQ module...... : yes
Build IPFW DAQ module...... : yes
Build IPQ DAQ module....... : no
Build NFQ DAQ module....... : no
Build PCAP DAQ module...... : yes

And Snort is compiled with:

--enable-perfprofiling
--enable-ipv6
--enable-sourcefire
--enable-dynamicplugin
--enable-targetbased
--enable-zlib
--enable-ppm
--enable-gre
--enable-mpls
--enable-decoder-preprocessor-rules
--without-mysql
--without-postgresql

So, if you add my PPA, apt-get install snort gets you version 2.9.0.2. Soon, though, Snort 2.9.0.3 will be out, and I'll upgrade accordingly. Suricata 1.0.3 will also be out soon, hopefully this week. Maybe we get fresh releases from this Santa for both engines :)

Until then,

-*> Snort! <*-
Version 2.9.0.2 IPv6 GRE (Build 92)
By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
Copyright (C) 1998-2010 Sourcefire, Inc., et al.
Using libpcap version 1.0.0
Using PCRE version: 7.8 2008-09-05
Using ZLIB version: 1.2.3.3

Nov 23

Instead of compiling Suricata over and over again on the different hosts I have, I just made a Debian package for my Ubuntu Lucid 10.04 systems.

It's a simple build, and I'll hopefully update it over time to incorporate different usage scenarios, install help etc.
Right now it's just aimed at being a simple IDS using libpcap.

You can find suricata and other cool NSM stuff at my gamelinux PPA found here.

apt-get install suricata
cd /etc/suricata/ && wget http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz
vim /etc/default/suricata
vim /etc/suricata/suricata.yaml
/etc/init.d/suricata start

Feedback and thoughts are welcome and needed :) !

Nov 23

Barnyard2 is a fork of the original barnyard project. I used to debianize the original barnyard, but since BY2 is more up to date, I have switched.

It is hosted on my Ubuntu PPA, and you can find it here.

Oct 31

I have spent the last week setting up an Ubuntu Launchpad PPA for the packages I used to host here on my blog.

The URL of my PPA is: https://launchpad.net/~ebf0/+archive/gamelinux

I pack the packages mainly for Lucid Lynx 10.04.
To try them out, you can add the following in /etc/apt/sources.list:
deb http://ppa.launchpad.net/ebf0/gamelinux/ubuntu lucid main
deb-src http://ppa.launchpad.net/ebf0/gamelinux/ubuntu lucid main

To add my key to your Ubuntu installation:
apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 4B04D050

Then you should be able to apt-get update, and then apt-get install my packages :)

Please try them out and give me feedback!
You will find my howto on how to configure them here.

Happy F8′ing!

Oct 27

Yesterday I held a presentation about OpenFPC at a Redpill Linpro Security seminar.
My presentation was originally in Norwegian, but I translated the slides to English. You can download the presentation here.

E

Aug 05

Back from vacation :)

I did pack 2.8.6.0, but it never made it to the public before I went on vacation :/

You can find 2.8.6.1 here:

http://debs.gamelinux.org/snort/hardy/

-*> Snort! <*-
Version 2.8.6.1 IPv6 GRE (Build 39)

Jun 29

As Kacper stated here, PRADS 0.2.0 has been released!

You can download some debian packages here, or you can check out the GIT repo here.

Bug reports, issues, thoughts or any comments are very welcome!

Enjoy!

Mar 28

As Ubuntu 10.04 (Lucid Lynx) is the next LTS (Long Term Support) version of Ubuntu, coming out soon (April 29, 2010), I have started to look at how sguil and my .deb packages will work on it.

I installed Lucid Lynx yesterday and installed my server and sensor debs on it.

Some first notes:

* MySQL does not accept create_sguildb.sql as-is (just remove the comments)
* Lucid (and Karmic) do not ship with tclx8.3 :( (installing the Hardy version worked just fine)

(I filed a bug report with Ubuntu, hoping to get tclx8.3 into the final release…)

So, from my first tests, it seems to work fine!

I have yet to test the sguil-client on Lucid, and I also did not get to test with an extensive amount of traffic and operations on the Lucid test server.

So, looking promising :)

Feb 25

Loglevel: INFO

I have packed snort 2.8.5.3 for Ubuntu Hardy and Jaunty:

http://debs.gamelinux.org/snort/hardy/

http://debs.gamelinux.org/snort/jaunty/


-*> Snort! <*-
Version 2.8.5.3 IPv6 (Build 124)

Sep 07

After installing "[SECURITY] [DSA 1871-1] New wordpress packages fix several vulnerabilities" from 23 August 2009, I quickly saw that there was something wrong in the logs:
PHP Fatal error: Call to undefined function absint() in /usr/share/wordpress/wp-includes/functions.php on line 2008.

I looked over the DSA and identified the fix for CVE-2008-4769 as the one that broke this. Then I emailed Steffen Joeris, who released the DSA, and notified him about my findings. Two hours later, Giuseppe Iuculano sent me an update, which I installed and confirmed worked; I could not find any regressions in it.

I looked at CVE-2008-4769 and at the Secunia advisory, which claims that the vulnerability only works on the Windows platform. This probably explains why Debian waited so long to include the fix. The original CVE is from 2008-04-25, so this is old news, btw…

From advisories:
“It was discovered that the get_category_template function is prone to a directory traversal vulnerability, which could lead to the execution of arbitrary code. This can be exploited to include arbitrary PHP files from local resources via directory traversal attacks. Successful exploitation allows execution of arbitrary PHP code, but requires privileges to store PHP files on an affected system and that WordPress is installed on a Windows platform.”

I have only registered generic attacks in the wild against the 'cat' parameter in my gamelinux.org and other web logs (dating back to Dec 2006). No requests seem to aim at exploiting this vulnerability specifically.
An example of a URL that was supposed to work (not confirmed):
http://www.gamelinux.org/?cat=1.php/../searchform?

The DSA regression update was released 4 days after the original DSA, BTW.
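As an added example (not from the post, and not part of the Debian or WordPress packages), here is a small shell snippet that picks requests carrying traversal sequences in the cat parameter out of a combined-format access log and tallies them per client. The log lines are constructed; the second one mirrors the shape of the unconfirmed URL quoted above.

```shell
#!/bin/sh
# Added example (not from the post): flag requests that aim directory
# traversal at WordPress's cat= parameter in a combined-format access log.
# The log below is constructed sample data; IPs and paths are made up, and
# the second line mirrors the (unconfirmed) URL shape quoted in the post.
SAMPLE_LOG='192.0.2.10 - - [07/Sep/2009:10:01:02 +0200] "GET /?cat=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.11 - - [07/Sep/2009:10:01:05 +0200] "GET /?cat=1.php/../searchform? HTTP/1.1" 404 210 "-" "-"
192.0.2.12 - - [07/Sep/2009:10:02:44 +0200] "GET /?cat=%2e%2e%2f%2e%2e%2fsearchform HTTP/1.1" 404 210 "-" "-"
192.0.2.10 - - [07/Sep/2009:10:03:10 +0200] "GET /index.php?cat=3&paged=2 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
192.0.2.12 - - [07/Sep/2009:10:04:00 +0200] "GET /?p=12&cat=..%5c..%5csearchform HTTP/1.1" 404 210 "-" "-"'

# Pass through only lines whose cat= value carries a traversal sequence,
# in plain, mixed or single-percent-encoded form (forward or back slash).
# Double-encoded variants (%252e) are not decoded here and would slip past.
cat_traversal_lines() {
    grep -iE '[?&]cat=[^ "&]*(\.\.|%2e%2e|\.%2e|%2e\.)(/|\\|%2f|%5c)'
}

# Hits per client IP, most active first, so repeat sources stand out.
cat_traversal_by_ip() {
    cat_traversal_lines | awk '{ print $1 }' | sort | uniq -c | sort -rn
}

# Number of suspicious requests in the sample (checked by the test).
count_sample_hits() {
    printf '%s\n' "$SAMPLE_LOG" | cat_traversal_lines | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_LOG" | cat_traversal_by_ip
```

Feed a real log with `cat_traversal_by_ip < /var/log/apache2/access.log` instead of the embedded sample; a 200 response on a matching line deserves a closer look than the 404s.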

Sep 04

For 898,- NOK (right around £100) down at Clas Ohlson here in Norway, you get a nice little NAS server (AID 38-2447). Straight out of the box it's a low-end NAS, but I bought it with the intention of installing a full-blown Linux distro onto it. And so I did.

DUAL HDD NAS

It took me about 30 minutes from when I started reading the howtos, through downloading and preparing the image on the hard drive and flashing the initrd of the Dual NAS, until it was up and running.

My notes:
* When you connect to the telnet boot menu, ping the NAS in one console, and when it starts answering, you have about one second to connect to it via telnet in another console.

* It needs a DHCP server to obtain an IP address after Debian is booted…

* The Debian Etch image from Felix Mellmann is rather old (21 Nov 2007), so you need to upgrade it (it contains weak SSH keys etc.)

* It seems that it will not work with Debian Lenny (Complaining about old kernel)

If anyone has any insight into how to compile and install a newer working kernel for this hardware, I would be interested :)
Also, a link to the original source of the kernel that ships by default with this NAS would be great (I saw it yesterday, but I can't seem to find it again).

Meanwhile, I fully recommend this buy for a small, cheap home server.

May 14

I see sloppy Administrators do this again and again…

They might update the Xen-enabled Linux kernel on Dom0, but the DomUs often keep the old one for various reasons.

When running a (para)virtualized environment, the freedom to run different Linux distributions is often a goal. If one keeps a single-distribution stack, like Ubuntu Hardy Dom0 and DomUs or CentOS 5.x Dom0 and DomUs, keeping the DomU kernels up to date is low hassle.

The hassle starts when you deploy mixed environments, like running Ubuntu Hardy as Dom0 and CentOS 5.x as DomU, or vice versa. You could set up CentOS or Ubuntu to use each other's kernel packages, though that seemed a bit overkill for my setup. Having a Debian Etch DomU on an Ubuntu Hardy Dom0 is fixable by pointing Etch at an apt repository to grab the kernel from Hardy.

PyGrub solves some of these hassles, so I recommend reading up on it and verifying that CVE-2007-4993 does not affect you.

But for the cases where I have a bit of hassle and don't want to use PyGrub, I wrote a small bash script to update the Linux kernels.
Get the script here, and update/change/modify or learn from it before you use it.
It powers down the DomU if it is booted, mounts the DomU's logical volume, copies the kernel modules to the DomU filesystem, runs depmod and unmounts the filesystem. Then it gives you the small change you need to make to your xen-domU.cfg (I don't use pygrub).
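The procedure described above, written out as an added example script; this is not the author's linked script. It assumes (hypothetically) that the DomU's root filesystem is a logical volume on Dom0, that the kernel and initrd stay on Dom0 and are referenced from the DomU cfg with kernel=/ramdisk=, and that the domain is managed with xm.

```shell
#!/bin/sh
# Added example: update a DomU's kernel modules from the Dom0 kernel,
# following the steps the post describes. Not the author's script.
# Assumes the DomU root is a logical volume on Dom0 and that kernel and
# initrd stay on Dom0, referenced from the DomU cfg with kernel=/ramdisk=.
set -eu

# Config lines for xen-domU.cfg for a given kernel version (pure function).
cfg_snippet() {
    printf 'kernel = "/boot/vmlinuz-%s"\nramdisk = "/boot/initrd.img-%s"\n' "$1" "$1"
}

# True if xm knows the domain as a running instance.
domu_running() {
    xm list "$1" >/dev/null 2>&1
}

# Copy one kernel version's modules from src_root into dst_root and rebuild
# modules.dep inside the guest tree (-b), not on Dom0. Fails, without
# touching dst_root, if the source modules are missing.
install_modules() {
    ver=$1; src_root=$2; dst_root=$3
    [ -d "$src_root/lib/modules/$ver" ] || {
        echo "no modules for $ver under $src_root" >&2; return 1; }
    mkdir -p "$dst_root/lib/modules"
    cp -a "$src_root/lib/modules/$ver" "$dst_root/lib/modules/"
    depmod -b "$dst_root" "$ver"
}

# Shut the guest down cleanly, stage the modules into its root LV, and
# print the cfg change the admin still has to make by hand.
update_domu() {
    domu=$1; lv=$2; ver=${3:-$(uname -r)}
    if domu_running "$domu"; then
        xm shutdown -w "$domu"    # -w: wait until the domain is gone
    fi
    mnt=$(mktemp -d)
    mount "$lv" "$mnt"
    install_modules "$ver" / "$mnt"
    umount "$mnt"; rmdir "$mnt"
    echo "Now set in the cfg for $domu:"; cfg_snippet "$ver"
}

if [ "$#" -ge 2 ]; then
    update_domu "$@"
else
    echo "usage: $0 <domu-name> </dev/vg/lv> [kernel-version]" >&2
fi
```

Run it on Dom0 as root with the DomU name and its root LV; the kernel version defaults to the one Dom0 is currently running, which is exactly the one the cfg will point the guest at.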

BTW: This paper has a nice walk-through of going from Xen DomU to Xen Dom0, bypassing SELinux: http://invisiblethingslab.com/pub/xenfb-adventures-10.pdf. Recommended read :)

Now go and update some Kernels!

Mar 18

Yesterday, Computerworld.no wrote an article on the Police/Conficker/Free software debate going on here in Norway.

Information director Eirik Lae Solberg at Microsoft Norway had a chance to comment:
“- If one had used a similar Linux distribution from the same time, one would have significant security issues.”

That is only true if one did not upgrade! And in the GNU/Linux/Free Software world, one would not have any unmanageable issues upgrading.

I have personally managed lots of servers for large customers and universities, and when a new distribution release is out,
take Debian as a very good example, you can change the source of packages from the current repository to the new release repository.
And with some rather simple command line-fu, you can upgrade to the latest major Debian version.

Ubuntu has made this easy for desktop users. Using a graphical front-end on your server (I don't), you can click your way to
a distribution upgrade.

I still recommend having people in the loop who have done such an upgrade before you try this on your own. Always keep a
working backup, and you could even try the upgrade in a virtual machine before you actually do it in production.

Eirik Lae Solberg even goes so far as to claim that Zone-H.org shows that Linux is more "hacked" than Windows… Using Zone-H.org as a reliable source for such a "scientific" statement is just what Microsoft is known for doing. Well, just so you all know, if you bother to check Zone-H.org yourself, this is what you might find today:

$ GET http://zone-h.org/archive/special=1/page=1 | grep "<td>Linux" | wc -l
5
$ GET http://zone-h.org/archive/special=1/page=1 | grep "<td>Win" | wc -l
7

As you see, today's score is 5 Linux boxes and 7 Windows boxes.

I wrote a quick bash script (get it here) to check the first 30 pages and print out the total sum:

$ bash bin/Eirik_Lae_Solberg.sh
Total Linux: 289
Total Microsoft: 390

To summarize: on the last 30 pages from Zone-H, 289 defaced websites were running Linux, while 390 were running Windows.
(If you run the script yourself, the numbers will probably differ; these were the numbers from today.)

So, given the hard facts rather than the marketing propaganda Eirik Lae Solberg from Microsoft wants you to believe, make up your own mind, and don't believe whatever you hear from Mister Microsoft…

BTW: Zone-H is not a good reference for measuring the security of operating systems, if you didn't know that… But it is a good way to point out that Eirik Lae Solberg doesn't know much about operating system security, and that he would rather focus on telling people that Microsoft is way better than everybody else…
For how long will you eat that lie?