Inliniac » Matt Jonkman

DeepSec

Victor Julien — Sun, 30 Nov 2008 09:57:42 +0000

Last month I attended the DeepSec conference in Vienna. I enjoyed it a great deal. It was good to be back in Vienna. Had a few good meetings with my friend Adi with who I work on the Vuurmuur project.

I assisted Matt Jonkman in his Snort Signature writing class. We had a nice group of people and using the Emerging Threats SandNet we could deal with pretty interesting samples to write signatures for. Even though my expertise is more on the code level of Snort I felt I could still contribute something to the sessions.

On the last day Matt and I did the first Open Infosec Foundation brainstorm session. I think it was very useful and the crowd was very responsive. After this encouraging experience we are planning to attend more conferences to do similar sessions. Suggestions about which conferences would be interesting (and why) are very welcome!

First SidReporter statistics available

Victor Julien — Thu, 30 Oct 2008 15:11:37 +0000

Matt Jonkman just announced that the first stats of SidReporter are available here. Matt writes:

These will become more interesting the more sites we have reporting, so please consider running the client. It’s painless, anonymous, and will contribute to us greatly improving the signature base we all use.

It will be interesting to see what data this can bring us. Congrats Matt!

First OISF brainstorming session on Deepsec

Victor Julien — Thu, 23 Oct 2008 09:02:21 +0000

Next November I will be attending Deepsec in Vienna. Matt Jonkman is giving a workshop there and I will be helping/assisting him with it, it’s called ‘Protocol Analysis for Writing Snort Signatures’. If you’re interested, sign up for it! While we are there we will also host the first brainstorming session for OISF. The idea is to get together with everyone thats interested and talk about how our next generation IDS/IPS should look like. But it’s not just about the technology, we also seek input about how to organize the project, about licensing, etc. So if you’re at Deepsec and got some time to spare, be sure to join us in the brainstorming session!

SidReporter beta2 released

Victor Julien — Thu, 21 Aug 2008 15:08:42 +0000

A little over a week ago the second beta of the SidReporter from Emerging Threats was released (see http://www.emergingthreats.net/content/view/95/1/). I’ve been working with Matt Jonkman to setup this new project at Emerging Threats, mostly in writing the reporter scripts. I think it’s an exciting new project that could provide the community with great information. As Matt wrote on the initial announcement:

“As mentioned a few weeks ago, we’ve been working to bring out tool to anonymously report IDS/IPS hits. Similar to DShield’s firewall log reporting, we believe we can make some incredible data inferences with this information, as well as help improve the quality of our signatures while giving us all feedback to tune our rulesets.

But that’s just the start. As with DShield’s data, I think we’ll run into benefits to the community that we can’t even imagine until we start to look at the data.”

The next step for the reporter is adding support for getting the events from Sguil. Expect to see that soon!

New Snortsam patch for Snort 2.8.0.1

Victor Julien — Tue, 08 Jan 2008 12:30:53 +0000

Matt Jonkman of Emerging Threats asked me to have a look at the existing Snortsam 2.8.0.1 patch as people were continuing to report problems with it. I updated it to compile without compiler warnings, build cleanly with debugging enabled, build cleanly with Snort’s IPv6 support enabled and added a check so it won’t act on alerts in IPv6 packets since the Snortsam framework does not support IPv6. Finally I removed the patch script so it’s provided as a ‘normal’ diff. Here is the patch: http://www.inliniac.net/files/snortsam-2.8.0.1.diff

Here are the instructions for getting your Snort 2.8.0.1 source patched:

Make sure you have a clean Snort 2.8.0.1 tree, then patch it:

cd snort-2.8.0.1
patch -p1 < ../snortsam-2.8.0.1.diff

Next, run ‘autojunk.sh’ to update the build system (you need to have libtoolize, aclocal, autoheader, autoconf and automake installed). After this, configure and build Snort normally:

./configure
make
make install

Thats it.

Thanks to Matt Jonkman of Emerging Threats for paying me to do this and CunningPike for doing the first iterations of the patch!

Matt Jonkman leaves Bleeding Edge

Victor Julien — Sat, 17 Nov 2007 12:05:56 +0000

Matt Jonkman is stepping out of the Bleeding Edge project. He announced this here. Apparently Sensory Networks, one of the sponsors of the project, now owns it. It will be interesting to see if they will continue it, and if so, how. Honestly, I’m a bit skeptical, since to my knowledge not many Sensory people are directly involved at this moment. Still I believe Sensory consists of good people. I did a contract job for them about a year ago, and enjoyed working with them.

I think I speak for many if I say “Thanks” for all the hard work Jonkman has done for Bleeding, and I really look forward to new projects he will start or get involved in! Thanks Matt!