
RedHat, Firestorm, 802.11b and rpm2html

I’ve been working on my qmail rpms for RedHat ES/AS/Fedora. I’ve even started some documentation. It’s all on my RedHat page.

I’ve also been working on Firestorm, improving the arp decoder and developing my macwatch arpwatch clone. Hopefully this will appear in the latest Firestorm tree soon.

I recently ditched my aging Linux wireless bridge/router/firewall in favour of a little Linksys device that cost no more than 60 pounds, uses considerably less electricity and makes almost no noise. The price is impressive and even the device seems to work ok. One thing it can’t deal with properly at all is the TCP ECN flag. The web admin port just sends a RST. Can you believe a Cisco company would make this mistake? Yes. I can.

Also, I’ve created an rpm2html index of all the RPMs in my downloads tree. Some are old crap I’ve not bothered deleting yet, but there is some stuff in there that will be useful to someone (not just google).

Gianni will be home from Luxembourg soon.

Ethereal ELOG support and keepalived

Updated my Firestorm ELOG alert file support patch for Ethereal (0.10.0). Get it here.

I’ve been playing with keepalived over the last couple of weeks. It’s basically an entire Linux HA cluster system. It does the job of heartbeat for failover and incorporates LVS for load balanced services. It looks really great but I’ve managed to upset it a few times by restarting the daemon too much. Also I’ve found using bonded ethernet interfaces with multicast traffic results in multiple copies of the packets coming out of bond0, which really confuses the keepalived anti-replay sequence numbers (Hey, I’ve seen that packet already!). I’ve reported it to the keepalived guys and will do the same for the bonding people. I’m not sure whose problem it is to solve.

Qmail, RedHat and Firestorm

I’ve built some packages of djbs software (qmail, daemontools, djbdns…) for RedHat ES.

I’ve also been working on Firestorm again, primarily on my mac/arp watcher preprocessor. It now saves state between restarts, and reports on more nefarious ethernet/arp. It’ll be included in the next release of Firestorm.

Firestorm ethereal and RedHat Advanced Server

I’ve ported my Ethereal ELOG patch to the latest version (0.9.14) and fixed a bug handling pcap captured alerts. Created Debian debs for powerpc and i386. Matt is working on some RPMS for RedHat 9.

RedHat’s latest change of support plans for RedHat Linux seems to be doing what was intended, getting more people to purchase Advanced Server (and the new Enterprise Server and Workstation) rather than leeching off them. Good for RedHat. There have been too many idiots selling RedHat Linux-based solutions expecting the coloured headgear company to do the hard work of beta testing, bug fixing etc. etc. for free.

mac/arpwatcher firestorm preprocessor and PIX tomfoolery

I’m currently working on a preprocessor for the Firestorm NIDS to detect dodgy looking arp activity. So far it keeps track of hardware and protocol addresses in arp packets and alerts if things change. It will soon monitor IP traffic too (and IPX/Appletalk etc. I guess) and detect a bunch of other ettercap style trickery.
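To make the idea concrete, here is an added example (my own illustration, not Firestorm code or the preprocessor described above) of the two things the mac/arp watcher entries on this page describe: tracking the protocol-to-hardware address pairings seen in ARP and alerting when one changes, and saving that table between restarts. The ARP parsing, the `ArpWatcher` class, the JSON state file and the sample frames are all assumptions of this example; the frames are constructed in `build_arp`, not captured traffic. It also flags a frame whose Ethernet source address disagrees with the ARP sender hardware address, a cheap consistency check that goes slightly beyond the text.

```python
import json
import struct
from pathlib import Path

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_arp(frame: bytes):
    """Decode an Ethernet II frame carrying IPv4-over-Ethernet ARP.

    Returns (eth_src, op, sha, spa, tha, tpa) or None when the frame is
    not such an ARP packet.  Fixed offsets: 14-byte Ethernet header,
    8-byte ARP header, then 6+4+6+4 bytes of addresses.
    """
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    body = frame[22:42]
    return (mac_str(frame[6:12]), op, mac_str(body[0:6]), ip_str(body[6:10]),
            mac_str(body[10:16]), ip_str(body[16:20]))


class ArpWatcher:
    """Track IP -> Ethernet pairings from ARP sender fields; persist to JSON."""

    def __init__(self, state_file=None):
        self.state_file = Path(state_file) if state_file else None
        self.table = {}
        if self.state_file and self.state_file.exists():
            self.table = json.loads(self.state_file.read_text())  # state from a previous run

    def save(self):
        if self.state_file:
            self.state_file.write_text(json.dumps(self.table))

    def process(self, frame: bytes) -> list:
        """Update the table from one frame and return the alerts it raised."""
        parsed = parse_arp(frame)
        if parsed is None:
            return []
        eth_src, op, sha, spa, tha, tpa = parsed
        alerts = []
        if eth_src != sha:  # link-layer source and ARP sender should agree
            alerts.append({"kind": "ethernet/arp sender mismatch", "ip": spa, "eth": eth_src, "arp": sha})
        if spa == "0.0.0.0":  # address probe (RFC 5227): sender has no IP yet, nothing to learn
            return alerts
        known = self.table.get(spa)
        if known is None:
            alerts.append({"kind": "new station", "ip": spa, "mac": sha})
        elif known != sha:
            alerts.append({"kind": "changed ethernet address", "ip": spa, "old": known, "new": sha})
        self.table[spa] = sha
        return alerts


def build_arp(op, sha, spa, tha, tpa, eth_src=None) -> bytes:
    """Construct a test frame (constructed sample data, not captured traffic)."""
    mac = lambda s: bytes(int(x, 16) for x in s.split(":"))
    ip = lambda s: bytes(int(x) for x in s.split("."))
    eth_dst = "ff:ff:ff:ff:ff:ff" if op == ARP_REQUEST else tha
    eth = mac(eth_dst) + mac(eth_src or sha) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + mac(sha) + ip(spa) + mac(tha) + ip(tpa)
    return eth + arp


def demo(state_file=None) -> list:
    """Replay a constructed sequence through one watcher and return all alerts."""
    gw, host = "00:11:22:33:44:55", "66:77:88:99:aa:bb"
    frames = [
        build_arp(ARP_REQUEST, gw, "10.0.0.1", "00:00:00:00:00:00", "10.0.0.2"),  # first sight of 10.0.0.1
        build_arp(ARP_REPLY, host, "10.0.0.2", gw, "10.0.0.1"),                   # first sight of 10.0.0.2
        build_arp(ARP_REPLY, gw, "10.0.0.1", host, "10.0.0.2"),                   # consistent: silent
        build_arp(ARP_REPLY, "de:ad:be:ef:00:01", "10.0.0.1", host, "10.0.0.2"),  # 10.0.0.1 now on another MAC
        build_arp(ARP_REPLY, host, "10.0.0.2", gw, "10.0.0.1", eth_src="de:ad:be:ef:00:02"),  # header disagrees
    ]
    watcher = ArpWatcher(state_file)
    alerts = [a for f in frames for a in watcher.process(f)]
    watcher.save()
    return alerts


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

A real preprocessor would also age entries out and distinguish a legitimate NIC swap (one change, then stable) from a flip-flop between two addresses, which is what makes the change alerts worth reading.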

I’m also working with some Cisco PIX firewalls to make them play nice with FreeS/WAN on Linux. I’ll put some example configs up here at some point. I’m going to take the Cisco VPN exam and be one step closer to a CCSP (I’m really not sure if this is a good or a bad thing career-wise). The original Cisco press VPN book has some serious problems with factual content. The authors seem to have little understanding of the underlying technology. I guess you don’t need to know it to parrot-type the Cisco commands in (or copy and paste them, as I often see) and charge 200 quid an hour, but it would be nice to be a bit professional about things.

My Mozilla/Galeon is broken on Debian unstable. Using gdb I found /usr/lib/mozilla/components/libimglib2.so to be the culprit, so just moved it out the way. I now have Galeon working with no images which suits me fine. In fact, as everything loads so quickly and is far less offensive to the eye, I may keep it this way permanently.

Program received signal SIGSEGV, Segmentation fault.
0x0de9de98 in NSGetModule () from /usr/lib/mozilla/components/libimglib2.so

Firestorm elog support for Ethereal

I finally got a patch together to add Firestorm NIDS elog support to Ethereal. You can find the Ethereal patch and a screenshot within my downloads directory. I may put a couple of example elog files on there to play with too.

Liverpool and Firestorm NIDS Ethereal support

I’ve been down near Liverpool for the last few days, but I still found time to work on my latest project, adding support for Firestorm NIDS alert elogs to Ethereal 0.9.8. See a screen shot. Ethereal seems nicely written and I’m not having too many problems adding support for new file formats and protocols.

Linux 2.4.20, Clockspeed, Firestorm IPX and Macrostupid Coldfusion

Upgraded to Linux 2.4.20 with a few patches such as Gianni’s ECSC security patches, FreeS/WAN IPSEC, CPUFreq and more. Now I’m losing time again on my Dell Inspiron 8200. Dan Bernstein’s Clockspeed isn’t helping; I don’t think it’s meant for drift such as this (caused by frequency scaling I think).

I have also been putting some time into the IPX support in Firestorm I originally started. I’ve fixed a couple of things Gianni broke during his clean-up, and have begun work on a matcher. This adds support for IPX in snort signatures, which is kinda cute.

Having lots of trouble getting Coldfusion “MX”(tm) to work on Linux for a client. It is invariably unstable and crashes thousands of times a second (see diary: Nov 25 2002). Macromedia want to charge us $500 to report this. Apparently we’ll get our money back if it is confirmed as a genuine bug. We’re considering billing for the bug hunting we’re doing for them instead. With the tens of thousands of SIG4 and SIG11 crashes we’d be quids in charging per bug. Now if only an open-source project such as PHP existed.

Websense WISP and IPX updates

Gianni, Matt and I spent a little time poking around at the Websense WISP protocol to see how likely it would be to get Squid working with it. We observed a Cisco PIX communicating with a Websense service running Linux. It seems pretty easy (which was strange as we’ve heard to the contrary from Websense themselves). Gianni has knocked up a tool that can query a Websense server with a url to see if it is blocked. If we need it we’ll build a squid redirector. (see http://www.scaramanga.co.uk )

New patch for IPX support on Firestorm. Fixes a few lame bugs and possible remote DoSs Gianni pointed out to me. Also improved the SAP support a little.