Everything inline.
Wordpress version 2.6 & ModSecurity
Today I updated my Wordpress installation to version 2.6. The upgrade went smooth as usual. However afterwards I couldn’t login anymore because one of my ModSecurity rules was triggered at the login. Turns out the Wordpress developers changed the use of the ‘redirect_to’ argument in wp-login.php. Wordpress uses it to redirect the browser to some part of the weblog software after a successful login. Some time ago there used to be a vulnerability in Wordpress as described here: http://www.securityfocus.com/archive/1/463291. To prevent exploitation on my box at the time I created the following rule:
…Snort_inline updated to 2.8.2.1 in SVN
This morning I updated our Snort_inline codebase with SourceFire’s just released 2.8.2.1 version. See the original changelogs here: 2.8.1, 2.8.2, 2.8.2.1.
Also Richard Bejtlich and Nr have good posts about the improvements of the last versions. See Richards post about a fixed frag3 vulnerability here and see Nr’s post here.
Please note that our SVN code has seen limited testing so far, so be careful! Please report any issues!
…Snort_inline 2.8.2.rc1 in SVN
Today I’ve spent some time on updating the Snort_inline source to the latest 2.8.2.rc1. The updating went quite smooth, so I hope no big issues pop up. Like before, trying out this code can be done by checking out SVN like this:
svn co https://snort-inline.svn.sourceforge.net/svnroot/snort-inline/trunk
This will save the source to the directory ’trunk’. In the directory ’trunk’, run ‘sh autojunk.sh’ and then configure, make, make install…
…Update to Modsec2sguil
Yesterday the much anticipated Sguil 0.7.0 final was released, as was announced here. I’ve updated Modsec2sguil to support it. Next to this Ryan Cummings sent me a patch for supporting ModSecurity 2.5. So that is included as well. I haven’t given it much testing yet, but works on my boxes.
Get the new release here: http://www.inliniac.net/modsec2sguil/
Thank you Ryan for your contribution!
…Snort_inline 2.8 status
A while ago I wrote about porting Snort_inline to 2.8.0.1. That worked well, however we are still trying to resolve some issues. Especially in stickydrop, that is just broken right now. Also, SourceFire released 2.8.0.2 last week, so we need to update to that too.
First however, I will be traveling to California this week. I will be meeting Will there, so I’ll try to get him to fix that damn code ;-)
…Improving Snort_inline's NFQ performance
When using Snort_inline with NFQ support, it’s likely that at some point you’ve seen messages like these on the console: packet recv contents failure: No buffer space available. When the messages are appearing Snort_inline slows down significantly. I’ve been trying to find out why.
There are a number of setting that influence NFQ performance. One of them is the NFQ queue maximum length. This is a value in packets. Snort_inline takes an argument to modify the buffer length: –queue-maxlen 5000 (note: there are two dashes before queue-maxlen).
…New security weblog by Ivan Ristic
I just noticed that ModSecurity developer Ivan Ristic has started a new blog on computer security and open source. Check it out here: http://blog.ivanristic.com/
Great idea Ivan! :)
…Tunnel unwrapping for Snort_inline 2.8.0.1
Not many people have native IPv6 connectivity and use some form of tunneling. For this reason Nitro Security asked me to develop a Snort preprocessor to unwrap various tunnels. This resulted in the preprocessor ‘ip6tunnel’, which I uploaded to Snort_inline’s SVN yesterday. The preprocessor is capable of unwrapping IPv6-in-IPv4, IPv6-in-IPv6, IPv4-in-IPv6, IPv4-in-IPv4 and finally IPv6-over-UDP. The latter is used by Freenet6.
I chose to develop it as a preprocessor because this allows Snort to inspect both the original packet and the tunnel packet(s). The preprocessor supports recursive unwrapping. The recursion depth is limited to 3 by default, but can be configured differently. Get the preprocessor from Snort_inline’s SVN by checking out the latest trunk:
…Snort_inline updated to 2.8.0.1 in SVN
I’ve just committed an update to Snort_inline’s SVN. It brings it to the Snort 2.8.0.1 level. It supports both IPv4 and IPv6 on IPQ and NFQ. I have not been able to test IPFW on IPv6, so I don’t think that will work currently.
This update removes the libdnet dependency and replaces it with libnet 1.1. To be able to send ICMPv6 unreachable packets you will need the libnet 1.1 patch I wrote a while ago. You can find that here. Get the latest Snort_inline by checking out SVN:
…New Snortsam patch for Snort 2.8.0.1
Matt Jonkman of Emerging Threats asked me to have a look at the existing Snortsam 2.8.0.1 patch as people were continuing to report problems with it. I updated it to compile without compiler warnings, build cleanly with debugging enabled, build cleanly with Snort’s IPv6 support enabled and added a check so it won’t act on alerts in IPv6 packets since the Snortsam framework does not support IPv6. Finally I removed the patch script so it’s provided as a ’normal’ diff. Here is the patch: http://www.inliniac.net/files/snortsam-2.8.0.1.diff
…