Other articles

  1. Installing Suricata with Oinkmaster on Debian

    This blog entry is a mini-howto on the installation and configuration of Suricata with Oinkmaster, on Debian. If you are familiar with the Debian commands it should take no more than five minutes.

    It was tested on Debian Sid, but should work for all Debian versions.

    Install Suricata

    Suricata is in Debian since Squeeze, so a simple:

    apt-get install suricata
    

    will do the job.

    To work, Suricata needs some rules. The package "snort-rules-default" provides some rules for Snort, but since Suricata is compatible these rules will work.

    However, these rules have some problems: they are outdated (and updated only very rarely), and they are not written for Suricata (and cannot use the specific keywords). Emerging Threats provides some rules (both open source and Pro). We will now configure Oinkmaster and Suricata to be able to automatically update the signatures.

    Install Oinkmaster

    Oinkmaster is a tool to help you manage your signatures. While it is primarily designed for Snort, it also works for Suricata.

    If you have installed Suricata using the default configuration, then Oinkmaster should be installed (it is recommended by the package). If not, run:

    apt-get install oinkmaster
    

    Edit the configuration file /etc/oinkmaster.conf:

    url =  http://rules.emergingthreats …
    read more
  2. DFF accepted into Debian

    DFF (Digital Forensics Framework) has been accepted into Debian unstable.

    From the website:

    The Digital Forensics Framework (DFF) is both a digital investigation tool and a development platform.The framework is used by system administrators, law enforcement examinors, digital forensicsresearchers and > students, and security professionals world-wide. Written in Python and C++,it exclusively uses Open Source technologies.

    DFF combines an intuitive user interface with a modular and cross-platform architecture.

    DFF is a nice tool, combining Python and C++ (and PyQt) to provide performances, be easy to extend and provide a nice GUI. It is GPLv2, thanks to ArxSys.

    If you like it, don’t hesitate to contact them on the IRC channel (#digital-forensic on Freenode).

    read more
  3. debian squeeze and postgresql

    Date Wed 09 February 2011

    Debian squeeze has been released, that’s nice ! (With the usual rants from some trolls, of course, but it wouldn’t be fun otherwise)

    However, the PostgreSQL package has some problem in psql due to the fact it is using libedit instead of readline (for license reasons) :

    There is a solution: you can still use psql with readline by preloading the library:

    $ LD_PRELOAD=/lib/libreadline.so.6 psql
    

    read more
  4. xtables-addons accepted in Debian

    debian-packages

    Xtables-addons is a is a project developped by Jan Engelhardt to replace the old patch-o-matic repository for the Linux kernel and iptables. Instead of patching the kernel source, extensions are built as modules and thus allow extending kernels without recompilation.

    I have created a Debian package, split in two parts: xtables-addons-source (the sources of the kernel modules), and xtables-addons-common (common files: shared libraries, man pages, binaries).

    To install xtables-addons on Debian (sid only, but the package works on Lenny after a rebuild), run the following commands:

    apt-get install module-assistant xtables-addons-source
    module-assistant prepare
    module-assistant auto-install xtables-addons-source
    

    It will automatically install the headers for your kernel, build the modules, create a local package, and install it. What’s interesting is that, unlike before (using p-o-m or kernel patches), there is no need to reboot.

    It adds new targets for iptables:

    • CHAOS: randomly use REJECT, DELUDE or TARPIT targets. This will fool network scanners by returning random results
    • DELUDE: always reply to a SYN by a SYN-ACK. This will fool TCP half-open discovery
    • DHCPADDR: replace a MAC address from and to a VMware host
    • IPMARK: mark a packet, based on its IP address
    • LOGMARK: log packet and mark to syslog
    • SYSRQ: trigger …
    read more
  5. Prelude Correlator in Debian

    The Prelude Correlator is now packaged in Debian.

    From the description of the package:

    Prelude is a general-purpose hybrid intrusion detection system.
    .
    This package provides the Prelude Correlator, which is a powerful
    correlation engine using Lua to write correlation rules.
    .
    The features currently include:
     * Rapid identification of important security events, enabling the analyst to
       assign task priorities
     * Alert correlation originally from heterogeneous sensors deployed on the
       whole infrastructure
     * Real-time analysis of events received by the Prelude Manager
    

    You can contribute ! If you use the correlation engine, please share your correlation rules.

    Related links:

    read more
  6. fusil_0.7-1_amd64.changes ACCEPTED

    Fusil (http://fusil.hachoir.org) has been accepted into Debian.

    The description:

    Fusil is a fuzzing framework designed to expose bugs in software by
    changing random bits of its input.
    .
    It helps to start process with a prepared environment (limit memory,
    environment variables, redirect stdout, etc.), start network client or
    server, and create mangled files. Fusil has many probes to detect
    program crash: watch process exit code, watch process stdout and syslog
    for text patterns (eg. "segmentation fault"), watch session duration,
    watch cpu usage (process and system load), etc.
    .
    Fusil is based on a modular architecture. It computes a session score
    used to guess fuzzing parameters like number of injected errors to
    input files.
    

    read more
  7. https transport for apt

    Starting from Lenny, apt support the https transport for apt repositories.

    Before, this would give the error:

    # apt-get update
    E: The method driver /usr/lib/apt/methods/https could not be found.
    

    On Lenny (and unstable), install the apt-transport-https package:

    apt-get install apt-transport-https
    

    And https repositories will now work.

    This is no current backport for Etch on backports.org, because the hack for the transport is quite intrusive and require some deep modifications in the entire apt code. Maybe another site will propose it ?

    Note: it seems there is currently no way to check the certificate or configure trusted certificates. This is a good step towards security anyway. Remember: always use trusted repositories (signed with a trusted key - see man apt-key for more information).

    read more

Page 1 / 1