Ubuntu on Inliniac

tcpreplay on Intel 82576

Thu, 27 Feb 2014 11:48:39 +0000

For my Suricata QA setup, I’m using tcpreplay on a dual port gigabit NIC. The idea is to blast out packets on one port and then have Suricata listen on the other part.

For the traffic replay I’m using tcpreplay 3.4.4 from the Ubuntu archive. As I have a lot of pcaps to process I intend to use the –topspeed option to keep runtimes as low as possible. This will result in approximately ~500Mbps on this box, as the pcaps come from a nas.

Vuurmuur 0.8rc1 released

Fri, 25 Jan 2013 16:45:34 +0000

I just released a new Vuurmuur version: 0.8rc1. The first release candidate for the 0.8 series. This release improves IPv6 support a lot. The wizard is now also fully functional. Try “vuurmuur_conf –wizard”.

Improved IPv6 support: #115
Improved Debian packages, switching to nflog as default for logging.
Fix connection viewer not showing accounting on newer systems. #141
Amd64 packages for Debian and Ubuntu are now available through the apt server. #83
Switch from “state” match to “conntrack” match for connection tracking.
Services now support possible protocols. #63
Add support for rpfilter match. #137

Get this release from the ftp server: ftp://ftp.vuurmuur.org/releases/0.8rc1/Vuurmuur-0.8rc1.tar.gz

IPv6 Evasions, Scanners and the importance of staying current

Tue, 11 Dec 2012 16:13:49 +0000

Lots of activity on the IPv6 front lately. There was a talk on a conference on bypassing IDS using IPv6 tricks. Also a new scan tool (Topera) claimed to scan a host while staying below the radar of an IDS was released. To start with the latter, even though Suricata doesn’t have a dedicated port scan detector, the tool’s traffic lights up like a Christmas tree. The trick it pulls is to pack a lot of duplicate DST OPTS extension headers in the IPv6 packets. These options are just fillers, the only options they use are the “pad” option. In Suricata we’ve had an event for duplicate DST OPTS headers since 1.3 and the padding only headers generate an event in 1.4. Both alerts will be very noisy, so calling this a stealth attack rather dubious.

Speeding up Suricata with tcmalloc

Thu, 21 Oct 2010 12:10:33 +0000

’tcmalloc’ is a library Google created as part of the google-perftools suite for speeding up memory handling in a threaded program. It’s very simple to use and does work fine with Suricata. Don’t expect magic from it, but it should give you a few percent more speed.

On Ubuntu, install the libtcmalloc-minimal0 package:

apt-get install libtcmalloc-minimal0

Then run Suricata as follows (on a single line):

LD_PRELOAD="/usr/lib/libtcmalloc_minimal.so.0" ./src/suricata -c suricata.yaml -i eth0

Setting up Suricata 0.9.0 for initial use on Ubuntu Lucid 10.04

Mon, 10 May 2010 14:27:25 +0000

The last few days I blogged about compiling Suricata in IDS and IPS mode. Today I’ll write about how to set it up for first use.

Starting with Suricata 0.9.0 the engine can run as an unprivileged user. For this create a new user called “suricata”.

useradd –no-create-home –shell /bin/false –user-group –comment “Suricata IDP account” suricata

This command will create a user and group called “suricata”. It will be unable to login as the shell is set to /bin/false.

Compiling Suricata 0.9.0 in Ubuntu Lucid 10.04 in IPS (inline) mode

Fri, 07 May 2010 08:30:30 +0000

Note: the difference with the 0.8.2 post is that addition of libcap-ng-dev. This allows Suricata to run as an unprivileged user.

Here is how to compile Suricata 0.9.0 in inline mode on Ubuntu Lucid 10.04.

First, make sure you have the “universe” repository enabled. Go to the System menu, Administration, Software Sources. There enable “Community-maintained Open Source Software (universe)”. If you’re not running a gui, edit /etc/apt/sources.list and enable the universe repository there. Don’t forget doing an “apt-get update”.

Compiling Suricata 0.9.0 in Ubuntu Lucid 10.04 in IDS mode

Fri, 07 May 2010 08:16:53 +0000

Note: the difference with the 0.8.2 post is that addition of libcap-ng-dev. This allows Suricata to run as an unprivileged user.

Ubuntu Lucid 10.04 LTS looks like a good platform for running an IDS on. It’s up to date and has long term support. Here is how to compile and install Suricata 0.9.0 on it.

Install the following packages needed to build Suricata: libpcre3-dev libpcap-dev libyaml-dev zlib1g-dev libcap-ng-dev.

apt-get install libpcre3-dev libpcap-dev libyaml-dev zlib1g-dev libcap-ng-dev

Compiling Suricata 0.8.2 in Ubuntu Lucid 10.04 in IPS (inline) mode

Sat, 01 May 2010 19:45:12 +0000

Yesterday I wrote about how to compile and install Suricata 0.8.2 as an IDS on Ubuntu Lucid 10.04, today I’ll explain the steps to compile and install it as an IPS. In IPS mode the engine runs in inline mode. This means that it gets it’s packets from netfilter and sets a verdict on them after inspecting them. This way we can drop packets that trigger the rules.

Compiling Suricata 0.8.2 in Ubuntu Lucid 10.04 in IDS mode

Fri, 30 Apr 2010 18:35:51 +0000

The newly released Ubuntu Lucid 10.04 LTS looks like a good platform for running an IDS on. It’s up to date and has long term support. Here is how to compile and install Suricata 0.8.2 on it.

Install the following packages needed to build Suricata: libpcre3-dev libpcap-dev libyaml-dev zlib1g-dev.

apt-get install libpcre3-dev libpcap-dev libyaml-dev zlib1g-dev

Download Suricata 0.8.2 here

Extract the suricata-0.8.2.tar.gz file as follows:

tar xzvf suricata-0.8.2.tar.gz

Enter the extracted directory suricata-0.8.2.

Fixing noise on Ubuntu Hardy 8.04, aka setting max_cstate

Thu, 24 Jul 2008 22:46:30 +0000

Not security related at all, but it took me so much time to figure this out, I want to share this with the world!

I own a Lenovo Thinkpad T60 that I like very much. There is one annoyance, and that is that when on battery, the laptop produces a high pitched noise when idle. It turns out that this has something to do with the ACPI state. States of C3 and higher made my laptop produce the noise. In Ubuntu Gutsy 7.10 there was a simple solution. I could force the laptop to never use anything higher that C2. That was done like this:

Sguil 0.7-CVS client on Ubuntu Gutsy

Tue, 30 Oct 2007 16:11:29 +0000

Last week I installed Ubuntu Gutsy on my laptop. I did a clean install, which went fine. Of course, I needed the Sguil client on it as well. Gutsy has all the required libraries in it’s repositories. Install the following packages:

tcl8.4 tclx8.4 tcllib tk8.4 iwidgets4

Checking out the Sguil client is easy (make sure you have ‘cvs’ installed):

cvs -d:pserver:anonymous@sguil.cvs.sourceforge.net:/cvsroot/sguil login cvs -d:pserver:anonymous@sguil.cvs.sourceforge.net:/cvsroot/sguil co sguil

After this the client runs fine on my system.

Update on Sguil 0.7-CVS client on Ubuntu Feisty

Wed, 04 Jul 2007 17:10:56 +0000

A short time ago I wrote about how the Sguil 0.7-CVS client can be installed on Ubuntu Feisty. Since then there has been a change to Sguil that changes the requirements a bit. Because of this the standard tcllib package in Feisty is no longer usable. It provides tcllib 1.8 while Sguil now needs 1.9. Luckily, we can use the tcllib package from the upcoming Ubuntu release called ‘Gutsy’. It can be found here: http://packages.ubuntu.com/gutsy/interpreters/tcllib

Compiling Snort_inline with NFQUEUE support on Ubuntu

Tue, 26 Jun 2007 15:59:21 +0000

I needed to setup the right libraries for Snort_inline development on my fresh Ubuntu Feisty installation, so I decided to write down the procedure for those who think compiling Snort_inline from source is hard. :)

Make sure you have build-essential package installed. This makes sure you have a compiler and development packages for glibc and other important libraries. I’m installing the libraries from source to get the latest versions because the latest versions are more stable and perform better than the versions included in Feisty. I’m installing them into /usr because some programs like them there best.

Sguil 0.7-CVS client on Ubuntu Feisty

Tue, 19 Jun 2007 09:49:08 +0000

I just got a new workstation that I’m setting up today with Ubuntu Feisty 7.04. When setting up the Sguil client from CVS I needed to install the following packages (including dependencies, but apt-get takes care of that):

tcl8.4 tclx8.4 tcllib tk8.4 iwidgets4

After this it ran but looked horrible because of some ugly font that was used. I found that for my use the following fonts look good: