To work, Suricata needs some rules. The package
"snort-rules-default" provides some rules for Snort, and since
Suricata is compatible with Snort's rule syntax, these rules will work.
However, these rules have some problems: they are outdated (and updated
only very rarely), and they are not written for Suricata (so they cannot
use Suricata-specific keywords). Emerging
Threats provides some
rules (both open source and Pro). We will now configure Oinkmaster and
Suricata to be able to automatically update the signatures.
Oinkmaster is a tool to help you manage your signatures. While it is primarily
designed for Snort, it also works for Suricata.
If you have installed Suricata using the default configuration, then
Oinkmaster should be installed (it is recommended by the package). If
The Digital Forensics Framework (DFF) is both a digital investigation
tool and a development platform. The framework is used by system
administrators, law enforcement examiners, digital
forensics researchers and students, and security professionals
world-wide. Written in Python and C++, it exclusively uses Open Source technologies.
DFF combines an intuitive user interface with a modular and
DFF is a nice tool, combining Python and C++ (and PyQt) to offer good
performance, be easy to extend, and provide a nice GUI. It is GPLv2,
thanks to ArxSys.
If you like it, don’t hesitate to contact them on the IRC channel
(#digital-forensic on Freenode).
Xtables-addons is a project developed by Jan Engelhardt to replace the old
patch-o-matic repository for the Linux kernel and iptables. Instead of
patching the kernel source, extensions are built as modules and thus
allow extending kernels without recompilation.
I have created a Debian package
in two parts: xtables-addons-source (the sources of the kernel modules),
and xtables-addons-common (common files: shared libraries, man pages, binaries).
To install xtables-addons on Debian (sid only, but the package works on
Lenny after a rebuild), run the following commands:
It will automatically install the headers for your kernel, build the
modules, create a local package, and install it. What’s interesting is
that, unlike before (using p-o-m or kernel patches), there is no need
It adds new targets for iptables:
CHAOS: randomly use REJECT, DELUDE or TARPIT targets. This will fool
network scanners by returning random results
DELUDE: always reply to a SYN with a SYN-ACK. This will fool TCP
DHCPADDR: replace a MAC address from and to a VMware host
Prelude is a general-purpose hybrid intrusion detection system.
This package provides the Prelude Correlator, which is a powerful
correlation engine using Lua to write correlation rules.
The features currently include:
* Rapid identification of important security events, enabling the analyst to
assign task priorities
* Alert correlation originally from heterogeneous sensors deployed on the
* Real-time analysis of events received by the Prelude Manager
You can contribute! If you use the correlation engine, please share
your correlation rules.
Fusil is a fuzzing framework designed to expose bugs in software by
changing random bits of its input.
It helps to start a process with a prepared environment (limit memory,
environment variables, redirect stdout, etc.), start a network client or
server, and create mangled files. Fusil has many probes to detect
program crashes: watch the process exit code, watch process stdout and syslog
for text patterns (e.g. "segmentation fault"), watch session duration,
watch CPU usage (process and system load), etc.
Fusil is based on a modular architecture. It computes a session score
used to guess fuzzing parameters like number of injected errors to
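To make the probe and session-score ideas above concrete, here is an added example of a minimal fuzzing loop in the same spirit. It is illustration code written for this page, not Fusil's own code: the "target" is a constructed toy length-prefixed record parser (written to a temporary file) that aborts when a declared length overruns the data, standing in for the memory-corruption crashes a real target would produce. The probes are the ones the paragraph lists (exit code or signal, a text pattern in the output, session duration), and the session loop raises the number of injected bit errors while the target survives and drops back to gentle mangling after a hit.

```python
"""Minimal Fusil-style fuzzing session: mangle an input, run the target, apply probes."""
import os
import random
import re
import subprocess
import sys
import tempfile
import time

# Constructed toy target (an assumption of this example, not a real program):
# parses one-byte-length-prefixed records and aborts on an overrun, like a real crash.
TOY_TARGET = r'''
import os, sys
data = open(sys.argv[1], "rb").read()
pos = 0
while pos < len(data):
    n = data[pos]            # one-byte length prefix
    pos += 1
    if pos + n > len(data):  # declared length overruns the buffer
        sys.stderr.write("segmentation fault (simulated)\n")
        sys.stderr.flush()
        os.abort()           # dies with SIGABRT
    pos += n
print("ok")
'''

# Text patterns the "watch stdout/stderr for text" probe looks for.
CRASH_PATTERN = re.compile(r"segmentation fault|bus error|traceback", re.I)


def write_toy_target() -> str:
    """Write the constructed target to a temp file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".py")
    with os.fdopen(fd, "w") as f:
        f.write(TOY_TARGET)
    return path


def mangle(data: bytes, nbits: int, rng: random.Random) -> bytes:
    """Flip `nbits` random bits: the 'mangled file' part of a session."""
    buf = bytearray(data)
    for _ in range(nbits):
        i = rng.randrange(len(buf))
        buf[i] ^= 1 << rng.randrange(8)
    return bytes(buf)


def run_once(target_path: str, data: bytes, timeout: float = 5.0) -> dict:
    """Run the target on one input and apply the probes: exit code, signal,
    output text patterns and session duration."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(data)
        path = f.name
    try:
        start = time.monotonic()
        try:
            proc = subprocess.run([sys.executable, target_path, path],
                                  capture_output=True, timeout=timeout)
            rc, out, err = proc.returncode, proc.stdout, proc.stderr
        except subprocess.TimeoutExpired as e:
            rc, out, err = None, e.stdout or b"", e.stderr or b""
        duration = time.monotonic() - start
    finally:
        os.unlink(path)

    findings = []
    if rc is None:
        findings.append("timeout")          # duration probe
    elif rc < 0:
        findings.append(f"signal {-rc}")    # killed by a signal (SIGSEGV, SIGABRT, ...)
    elif rc != 0:
        findings.append(f"exit code {rc}")  # abnormal exit status
    text = (out + err).decode("latin-1")
    if CRASH_PATTERN.search(text):
        findings.append("crash pattern in output")
    return {"findings": findings, "duration": duration}


def fuzz_session(target_path: str, seed: bytes, iterations: int = 40,
                 rng_seed: int = 1) -> dict:
    """Session loop with a simple score: inject more errors while the target
    survives, fall back to one flipped bit after a hit."""
    rng = random.Random(rng_seed)
    nbits, score, crashes = 1, 0, []
    for _ in range(iterations):
        data = mangle(seed, nbits, rng)
        result = run_once(target_path, data)
        if result["findings"]:
            crashes.append((data, result["findings"]))
            score += 1
            nbits = 1
        else:
            nbits = min(nbits + 1, 8 * len(seed))
    return {"score": score, "crashes": crashes}


if __name__ == "__main__":
    target = write_toy_target()
    try:
        session = fuzz_session(target, b"\x03abc\x02de", iterations=20)
        print(f"score={session['score']}")
        for data, findings in session["crashes"][:3]:
            print(data.hex(), findings)
    finally:
        os.unlink(target)
```

The seed `b"\x03abc\x02de"` is a valid pair of records; any bit flip in one of the two length bytes makes the toy parser overrun and abort, which the signal probe and the text-pattern probe both report. Swapping `TOY_TARGET` for a real binary and the Python invocation for its command line gives the same harness shape Fusil automates, with memory limits, environment setup and syslog watching added on top.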
Starting from Lenny, apt supports the https transport for apt repositories.
Before, this would give the error:
# apt-get update
E: The method driver /usr/lib/apt/methods/https could not be found.
On Lenny (and unstable), install the apt-transport-https package:
apt-get install apt-transport-https
And https repositories will now work.
There is no current backport for Etch on backports.org, because the hack
for the transport is quite intrusive and requires some deep modifications
in the entire apt code. Maybe another site will propose
Note: it seems there is currently no way to check the certificate or
configure trusted certificates. This is a good step towards security
anyway. Remember: always use trusted repositories (signed with a
trusted key - see man apt-key for more information).