cipherdyne.org

Michael Rash, Security Researcher



2004 Blog Archive

DEFCON 12 Talk

At the DEFCON conference (July 30-August 1 in Las Vegas) I will be giving a talk entitled Advanced Netfilter: Content Replacement (ala Snort_inline) and Combining Port Knocking with p0f. This will be the first conference talk about fwknop and the concept of using passive OS fingerprinting to augment port knocking authentication. Stop by to say "hello" if you are going to attend DEFCON 12!

Slides can be found here.

Software Release - psad-1.3.2

The 1.3.2 release of psad is ready for download. Here is an excerpt from the ChangeLog:
  • Removed FW_MSG_SEARCH from psad.conf, and created a new config file "fw_search.conf" that both psad and kmsgsd use to get the FW_MSG_SEARCH definition(s).
  • Added default mode of parsing all iptables messages instead of just those that contain specific search strings. A new config variable "FW_SEARCH_ALL" was added to fw_search.conf that controls this mode.
  • Updated psad and kmsgsd so that multiple firewall search strings can be specified through multiple FW_MSG_SEARCH variables in fw_search.conf.
  • Added iptables chain and logging-prefix tracking for current scan interval in email alerts.
  • Added protocol-specific auto-danger level assignments.
  • Added total scan source and destination IP address counters in --Status output.

Snort-2.1 Book Published

Syngress Publishing has published the book Snort 2.1 Intrusion Detection, Second Edition, and I contributed "Chapter 12: Active Response". This chapter explores the concept and implications of configuring IDS software to automatically respond to attacks in real time. A PDF version of this chapter can be downloaded here. The book has received positive reviews (including one by Richard Bejtlich of taosecurity.com) on amazon.com. Both psad and fwsnort are discussed within this chapter.

Software Release - gpgdir-0.8

The 0.8 release of gpgdir is ready for download. Here is an excerpt from the ChangeLog:
  • Added --pw-file option so that a decryption password can be read out of a file.
  • Better directory validation (filesystem -e and -d checks).
  • Added INSTALL file.
  • Updated man page and README file.

Sys Admin Magazine - Article on psad and fwsnort

I have written an article for Sys Admin Magazine that discusses both psad and fwsnort. The article is entitled "Content Filtering and Inspection with fwsnort and psad", and shows how effectively fwsnort and psad together can instruct iptables to detect and thwart application layer attacks.

Software Release - gpgdir-0.4

The 0.4 release of gpgdir is ready for download. Here is an excerpt from the ChangeLog:
  • Bundled perl modules GnuPG and TermReadKey with gpgdir.
  • Modified install.pl and gpgdir to install and use GnuPG and TermReadKey modules from the /usr/lib/gpgdir directory.
  • Added check_commands() subroutine from psad.

Software Release - fwsnort-0.6.3

The 0.6.3 release of fwsnort is ready for download. Here is an excerpt from the ChangeLog:
  • Added ignore functionality for both IPs and networks.
  • Split --ipt-block into --ipt-drop and --ipt-reject to add DROP or REJECT rules respectively.
  • Added --add-deleted option to allow rules in the "deleted.rules" file to be added.

Software Release - fwsnort-0.6.2

The 0.6.2 release of fwsnort is ready for download. Here is an excerpt from the ChangeLog:
  • Added --internal-net and --dmz-net options so that internal and DMZ networks can be manually specified without having to parse the output of ifconfig. This is most useful for running fwsnort on a Linux system that is acting as a bridge where no IP addresses are assigned to the interfaces.
  • Bugfix for missing icmp-port-unreachable rejects for UDP packets.

Software Release - fwsnort-0.6.1

The 0.6.1 release of fwsnort is ready for download. Here is an excerpt from the ChangeLog:
  • Bugfix for not adding dmz interface rules to INPUT chain.
  • Bugfix for not getting the DMZ interface network.

Software Release - fwsnort-0.6

The 0.6 release of fwsnort is ready for download. Here is an excerpt from the ChangeLog:
  • Speed increase and disk access decrease by writing iptables commands to the iptables script only after all lines have been generated.
  • Bugfix for DMZ interface.
  • Bugfix for multiple ip_proto fields.
  • Removed the ip protocol as an allowed protocol for translation.
  • Bugfix for negated port numbers.
  • Removed "<-" rule direction since not even Snort supports this.
  • Fixed snort rule updates from snort.org.