Other articles

  1. grsec kernel with nvidia module

    Compiling a grsec kernel on a laptop/workstation is a good way to add protection against wide classes of attacks. However, while the options may be easy to choose on a server, this may be difficult because a typical desktop needs more privileges. Here are a few points:

    • Xorg (wants privileged I/O, unless you use KMS) conflicts with PAX_NOEXEC and GRKERNSEC_IO
    • power management: applets to display the battery level want (non-root) read permission on /sys, this will conflict with GRKERNSEC_SYSFS_RESTRICT. You can enable SYSFS_DEPRECATED as a workaround.
    • power management: ACPI is required for a laptop (if you want to be able to use suspend/resume, control fan speed, etc.)
    • power management: suspend/restore conflicts with some options (PAX_MEMORY_UDEREF and PAX_KERNEXEC)
    • virtualization: PAX_KERNEXEC conflicts with kvm/vmx

    If you have other points to add/corrections, just send them to me !

    Now, another problem I have is that I must use the proprietary kernel. Not that I really want to, but it is the only driver with proper support for my graphics card (GT555M), since the nouveau driver has some problems here: breaks suspend to ram/disk, sucks battery (I have 2h30 of autonomy with nouveau, and about 5 with Nvidia …

    read more
  2. Installing Suricata with Oinkmaster on Debian

    This blog entry is a mini-howto on the installation and configuration of Suricata with Oinkmaster, on Debian. If you are familiar with the Debian commands it should take no more than five minutes.

    It was tested on Debian Sid, but should work for all Debian versions.

    Install Suricata

    Suricata is in Debian since Squeeze, so a simple:

    apt-get install suricata

    will do the job.

    To work, Suricata needs some rules. The package "snort-rules-default" provides some rules for Snort, but since Suricata is compatible these rules will work.

    However, these rules have some problems: they are outdated (and updated only very rarely), and they are not written for Suricata (and cannot use the specific keywords). Emerging Threats provides some rules (both open source and Pro). We will now configure Oinkmaster and Suricata to be able to automatically update the signatures.

    Install Oinkmaster

    Oinkmaster is a tool to help you manage your signatures. While it is primarily designed for Snort, it also works for Suricata.

    If you have installed Suricata using the default configuration, then Oinkmaster should be installed (it is recommended by the package). If not, run:

    apt-get install oinkmaster

    Edit the configuration file /etc/oinkmaster.conf:

    url =  http://rules.emergingthreats …
    read more
  3. DFF accepted into Debian

    DFF (Digital Forensics Framework) has been accepted into Debian unstable.

    From the website:

    The Digital Forensics Framework (DFF) is both a digital investigation tool and a development platform.The framework is used by system administrators, law enforcement examinors, digital forensicsresearchers and > students, and security professionals world-wide. Written in Python and C++,it exclusively uses Open Source technologies.

    DFF combines an intuitive user interface with a modular and cross-platform architecture.

    DFF is a nice tool, combining Python and C++ (and PyQt) to provide performances, be easy to extend and provide a nice GUI. It is GPLv2, thanks to ArxSys.

    If you like it, don’t hesitate to contact them on the IRC channel (#digital-forensic on Freenode).

    read more
  4. Project page for SIEM-live


    I’ve created a project in redmine for SIEM-live, so there is now a wiki, a tracker, and a repository. I’ll add some documentation and instructions on how to build the CD soon.

    Contributors would be gladly accepted :)

    I’ve also updated the Git repository for recent versions of live-build, where all variables have been renamed without keeping compatibility :/

    The bug where booting with no network (no DHCP, for ex.) made many command fail with a weird error message has been fixed:

    could not resolve address family for hostname not supported

    For the record, this was caused by .. IPv6 ! Disabling it during the configuration sequence fixes the problem.

    read more
  5. Creating a live cd for open source SIEM Prelude and Suricata

    I have started to work on a Live CD for Open Source tools like Prelude SIEM, and software like Suricata, Snort, OpenVAS to send alerts. The goal is to easily test these tools, register new agents, get some alerts and be able to correlate them etc. I also want to add some visualization tools, so this CD could maybe become a reference for security alert detection and report.


    First, a few points on applications used:

    • Debian Live for building the CD. It’s very easy, it’s based on Debian, and it allows me to re-use some work I’ve done
    • Suricata IDS, which is a very promising project
    • Snort IDS, with the free signatures
    • OpenVAS to be able to generate alerts
    • Prelude SIEM is the key point: suricata, snort, syslog etc. will send alerts to Prelude, which has a database, a correlator, a web interface (Prewikka) etc.
    • Standard useful tools: nmap, scapy, wireshark, p0f, etc.

    This first version is based on Debian Lenny and arch x86. Everything is based on packages (.debs) to make it easier to maintain, upgrade versions or add patches: most of the time, I just have to rebuild packages from squeeze or sid.

    The build …

    read more
  6. xtables-addons accepted in Debian


    Xtables-addons is a is a project developped by Jan Engelhardt to replace the old patch-o-matic repository for the Linux kernel and iptables. Instead of patching the kernel source, extensions are built as modules and thus allow extending kernels without recompilation.

    I have created a Debian package, split in two parts: xtables-addons-source (the sources of the kernel modules), and xtables-addons-common (common files: shared libraries, man pages, binaries).

    To install xtables-addons on Debian (sid only, but the package works on Lenny after a rebuild), run the following commands:

    apt-get install module-assistant xtables-addons-source
    module-assistant prepare
    module-assistant auto-install xtables-addons-source

    It will automatically install the headers for your kernel, build the modules, create a local package, and install it. What’s interesting is that, unlike before (using p-o-m or kernel patches), there is no need to reboot.

    It adds new targets for iptables:

    • CHAOS: randomly use REJECT, DELUDE or TARPIT targets. This will fool network scanners by returning random results
    • DELUDE: always reply to a SYN by a SYN-ACK. This will fool TCP half-open discovery
    • DHCPADDR: replace a MAC address from and to a VMware host
    • IPMARK: mark a packet, based on its IP address
    • LOGMARK: log packet and mark to syslog
    • SYSRQ: trigger …
    read more
  7. Prelude Correlator in Debian

    The Prelude Correlator is now packaged in Debian.

    From the description of the package:

    Prelude is a general-purpose hybrid intrusion detection system.
    This package provides the Prelude Correlator, which is a powerful
    correlation engine using Lua to write correlation rules.
    The features currently include:
     * Rapid identification of important security events, enabling the analyst to
       assign task priorities
     * Alert correlation originally from heterogeneous sensors deployed on the
       whole infrastructure
     * Real-time analysis of events received by the Prelude Manager

    You can contribute ! If you use the correlation engine, please share your correlation rules.

    Related links:

    read more
  8. gcc security features (part 2)

    (See part 1)

    Remember: you must compile with -02 if you want the checks to be effective


    The idea behind FORTIFY_SOURCE is relatively simple: there are cases where the compiler can know the size of a buffer (if it’s a fixed sized buffer on the stack, as in the example, or if the buffer just came from a malloc() function call). With a known buffer size, functions that operate on the buffer can make sure the buffer will not overflow.


    void foo(char *string)
        char buf[20];
        strcpy(buf, string);

    Execution will fail:

    [home ~/harden] ./bad $(perl -e 'print "A"x100')
    zsh: segmentation fault  ./bad $(perl -e 'print "A"x100')

    When compiling with -D_FORTIFY_SOURCE=2, gcc will add some checks to detect the overflow and terminate the program:

    [home ~/harden] DEB_BUILD_HARDENING=1 make
    [home ~/harden] ./bad $(perl -e 'print "A"x100')
    *** buffer overflow detected ***: ./bad terminated
    ======= Backtrace: =========
    ======= Memory map:  ========
    2ba8d1607000-2ba8d1622000 r-xp 00000000 03:01 468316                     /lib/ld-2.7.so
    2ba8d1622000-2ba8d1625000 rw-p 2ba8d1622000 00:00 0 
    2ba8d1821000-2ba8d1823000 rw-p 0001a000 …
    read more
  9. gcc security features (part 1)

    Since recent versions (>= 4.0, maybe before), gcc (and ld) has some nice security features. Debian has created a wrapper for the toolchain, to make the use of these features easy.

    To install the wrapper, run:

    apt-get install hardening-wrapper

    To enable the hardening features, you have to export the environment variable:


    The features include additional checks for printf-like functions, stack protector, using address-space layout randomization (ASLR), marking ELF-sections as read-only after loading when possible, etc.

    Please note that you must compile with *-02* if you want the checks to be effective

    DEB_BUILD_HARDENING_FORMAT (gcc/g++ -Wformat -Wformat-security)

    Ask gcc to make additional checks on format strings, to prevent attacks.

    The following code, for ex:


    will result in a warning:

    [home ~/harden] DEB_BUILD_HARDENING=1 make
    gcc     bad.c   -o bad
    bad.c: In function ‘main’:
    bad.c:10: warning: format not a string literal and no format arguments

    Why is this code vulnerable ? Because the buffer (buf) could contain format characters like %s, and the printf function will interpret these characters to pop arguments from the stack, and can result in the execution of arbitrary code.


    • Replace previous code by
    • Remember this …
    read more

Page 1 / 2 »