Everything inline.

DeepSec


Last month I attended the DeepSec conference in Vienna. I enjoyed it a great deal. It was good to be back in Vienna. Had a few good meetings with my friend Adi, with whom I work on the Vuurmuur project.

I assisted Matt Jonkman in his Snort signature writing class. We had a nice group of people, and using the Emerging Threats SandNet we could deal with pretty interesting samples to write signatures for. Even though my expertise is more on the code level of Snort, I felt I could still contribute something to the sessions.

Read more ⟶

First SidReporter statistics available


Matt Jonkman just announced that the first stats of SidReporter are available here. Matt writes:

These will become more interesting the more sites we have reporting, so please consider running the client. It’s painless, anonymous, and will contribute to us greatly improving the signature base we all use.

It will be interesting to see what data this can bring us. Congrats Matt!

Read more ⟶

First OISF brainstorming session at DeepSec


Next November I will be attending DeepSec in Vienna. Matt Jonkman is giving a workshop there and I will be helping/assisting him with it; it’s called ‘Protocol Analysis for Writing Snort Signatures’. If you’re interested, sign up for it! While we are there we will also host the first brainstorming session for OISF. The idea is to get together with everyone that’s interested and talk about what our next generation IDS/IPS should look like. But it’s not just about the technology, we also seek input about how to organize the project, about licensing, etc. So if you’re at DeepSec and have some time to spare, be sure to join us in the brainstorming session!

Read more ⟶

Open Infosec Foundation founded!


Last week Matt Jonkman announced the formation of the Open Infosec Foundation. This foundation has been grant funded to create a new open source IDS/IPS engine. Together with Will Metcalf and of course Matt himself, I will be working on this. We want this to be a real community effort where there is a role for everyone in the infosec community. Developers, admins, vendors, governments, research, education, everyone. There is a lot of work ahead, but that should be great fun and very inspiring. So far things are interesting already. The discussion mailing list is growing rapidly with many people from the community and industry. A #oisf IRC channel was created today on freenode. Join us there to participate in discussion about this project!

Read more ⟶

New Vuurmuur version numbering scheme


Today I’ve changed the versioning scheme for Vuurmuur. I was unhappy with the scheme for quite some time already. Versions like 0.5.73 don’t make much sense in my view. Originally, my intention was to have a scheme like the Linux kernel at the time had: even versions for stable releases, odd versions for unstable/development releases. The idea was that the 0.5.x development series would some day become a 0.6 stable, after which the 0.7 development series would begin. Of course, that never happened. Instead, I added the alpha releases that became the real development releases, and the 0.5.x effectively became the stable releases. So we ended up with releases like 0.5.74 alpha 6. In my opinion quite confusing.

Read more ⟶

Snort_inline load balancing


Dave Remien of NitroSecurity created a patch that “implements a relatively simple form of (IPV4) load balancing” between multiple Snort_inline processes using Nfqueue. Here is what it does:

1. Load balancing. The bottom half of the source and dest addresses are added together, and mod’d with the number of “load-balancing” snorts you desire to run. This means that traffic stays with a particular snort, so that state is maintained.

2. Because you can run many snorts (presumably on many CPUs), you can now take advantage of that super-hooty 16way box and those 10 gig NICs you just got your hands on…
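As an added illustration (not code from Dave Remien’s patch), the instance selection the description implies, in Python. “The bottom half” of each IPv4 address is taken here to mean its low 16 bits; that is an assumption, since the patch’s exact arithmetic is not shown in the post.

```python
"""Flow-affine load balancing as described for the Snort_inline Nfqueue patch.

Added illustration written for this page, not code from the patch. Assumes
"the bottom half" of each IPv4 address means its low 16 bits; the patch's
exact arithmetic is not shown in the post.
"""
import ipaddress
from collections import Counter


def lb_queue(src: str, dst: str, n_snorts: int) -> int:
    """Return the Snort_inline instance (0 .. n_snorts-1) for a packet.

    The low 16 bits of source and destination address are summed and reduced
    modulo the number of instances. Because addition commutes, both directions
    of a flow select the same instance, so its stream state stays intact.
    """
    if n_snorts < 1:
        raise ValueError("need at least one Snort_inline instance")
    s = int(ipaddress.IPv4Address(src)) & 0xFFFF
    d = int(ipaddress.IPv4Address(dst)) & 0xFFFF
    return (s + d) % n_snorts


def both_directions_agree(src: str, dst: str, n_snorts: int) -> bool:
    """The state-preservation property the patch description relies on."""
    return lb_queue(src, dst, n_snorts) == lb_queue(dst, src, n_snorts)


def distribution(flows, n_snorts: int) -> Counter:
    """Count how many (src, dst) flows land on each instance.

    Only addresses are hashed, so one busy host pair always pins a single
    instance: the split is per host pair, not per packet or per port.
    """
    return Counter(lb_queue(s, d, n_snorts) for s, d in flows)


# Constructed sample flows using documentation-range addresses.
SAMPLE_FLOWS = [
    ("192.0.2.10", "198.51.100.5"),
    ("192.0.2.10", "203.0.113.7"),
    ("192.0.2.77", "198.51.100.5"),
    ("203.0.113.200", "192.0.2.33"),
]

if __name__ == "__main__":
    for s, d in SAMPLE_FLOWS:
        print(s, "<->", d, "-> snort", lb_queue(s, d, 4))
    print("per-instance flow count:", dict(distribution(SAMPLE_FLOWS, 4)))
```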

Read more ⟶

Snort_inline updated to 2.8.3 in SVN


Snort_inline was just updated to Snort 2.8.3 in SVN. Please give it a try. It hasn’t seen much testing so far, so be careful when putting it on production servers.

Get the code from SVN like this:

svn co https://snort-inline.svn.sourceforge.net/svnroot/snort-inline/trunk

Check it out!

Read more ⟶

SidReporter beta2 released


A little over a week ago the second beta of the SidReporter from Emerging Threats was released (see http://www.emergingthreats.net/content/view/95/1/). I’ve been working with Matt Jonkman to set up this new project at Emerging Threats, mostly in writing the reporter scripts. I think it’s an exciting new project that could provide the community with great information. As Matt wrote in the initial announcement:

“As mentioned a few weeks ago, we’ve been working to bring out a tool to anonymously report IDS/IPS hits. Similar to DShield’s firewall log reporting, we believe we can make some incredible data inferences with this information, as well as help improve the quality of our signatures while giving us all feedback to tune our rulesets.

Read more ⟶

Support for source port randomization in Vuurmuur


One of the workarounds for the current DNS problems is that servers introduce source port randomization. So it’s time for you to patch your DNS server so it uses random source ports. If for some reason you are unable to do that, iptables can help. Michael Rash has a good write-up of how that works here.

In Vuurmuur there is now a per-rule option, that can be enabled for the SNAT, MASQ, PORTFW, DNAT and BOUNCE actions, called ‘random’. This passes the ‘--random’ option to the iptables rules Vuurmuur creates. Note that you need a recent distro for this. Debian Etch is too old, Ubuntu Hardy is fine. The new functionality is just released in Vuurmuur 0.5.74 alpha 6. Check it out!
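Whichever remedy you apply, a patched server or the iptables ‘--random’ option, the result should be verifiable from the outside. This added example (not part of the post or of Vuurmuur) classifies the source ports of outbound UDP/53 queries, here as constructed lists, as fixed, sequential or randomized; entropy alone is not enough, because a simple counter has the same entropy as a random sequence.

```python
"""Check whether outbound DNS queries leave with randomized source ports.

Added example for this page, not part of the post or of Vuurmuur. It works on
the source ports of UDP/53 queries seen leaving a resolver, here constructed
lists; in practice pull them from a packet capture on the firewall.
"""
from collections import Counter
from math import log2


def port_entropy_bits(ports) -> float:
    """Shannon entropy of the observed source-port distribution, in bits."""
    total = len(ports)
    return -sum((c / total) * log2(c / total) for c in Counter(ports).values())


def is_sequential(ports, tolerance: float = 0.9) -> bool:
    """True when nearly every query's port is the previous one plus 1."""
    if len(ports) < 2:
        return False
    steps = sum(1 for a, b in zip(ports, ports[1:]) if b - a == 1)
    return steps / (len(ports) - 1) >= tolerance


def assess(ports, min_distinct_ratio: float = 0.8) -> str:
    """Classify port behaviour: fixed, sequential, low-variance or randomized.

    A counter has the same entropy as a random draw, so the sequential check
    must run before the variety check.
    """
    distinct = len(set(ports))
    if distinct == 1:
        return "fixed"          # classic unpatched resolver, e.g. always port 53
    if is_sequential(ports):
        return "sequential"     # a counter, trivially predictable
    if distinct / len(ports) < min_distinct_ratio:
        return "low-variance"   # reuses a small pool of ports
    return "randomized"         # what a patched server or SNAT --random yields


# Constructed samples: 20 queries each.
FIXED_PORTS = [53] * 20
SEQUENTIAL_PORTS = list(range(32768, 32788))
RANDOM_PORTS = [51234, 1123, 60001, 39912, 7781, 45020, 12999, 58231, 33003,
                24817, 61155, 9410, 47365, 30021, 55600, 16472, 41188, 2995,
                63540, 28746]

if __name__ == "__main__":
    for name, ports in [("fixed", FIXED_PORTS), ("sequential", SEQUENTIAL_PORTS),
                        ("random", RANDOM_PORTS)]:
        print(f"{name:10s} {assess(ports):12s} entropy={port_entropy_bits(ports):.2f} bits")
```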

Read more ⟶

Fixing noise on Ubuntu Hardy 8.04, aka setting max_cstate


Not security related at all, but it took me so much time to figure this out, I want to share this with the world!

I own a Lenovo Thinkpad T60 that I like very much. There is one annoyance, and that is that when on battery, the laptop produces a high pitched noise when idle. It turns out that this has something to do with the ACPI state. States of C3 and higher made my laptop produce the noise. In Ubuntu Gutsy 7.10 there was a simple solution. I could force the laptop to never use anything higher than C2. That was done like this:

Read more ⟶