cipherdyne.org

Michael Rash, Security Researcher



Presentation on Single Packet Authorization at ENSOL

On June 19th Leandro Almeida gave a presentation entitled "Single Packet Authorization - Increasing the security in SSH" at the ENSOL conference in João Pessoa, Brazil. ENSOL is an open source conference that goes by the title "Freedom in the Extreme", and given that Brazil is highly supportive of Linux, I'm sure that it is a good conference. Leandro has posted an English translation of his slides here. It is good to see some additional presentations on the SPA concept at open source conferences, and Leandro emphasizes the usage of the fwknop SPA implementation to protect SSH.

Software Release - fwsnort-1.0.6

The 1.0.6 release of fwsnort is ready for download. This release fixes a bug that caused some Snort rules to not be translated into iptables rules due to improper handling of escaped semicolons. Now that this bug has been fixed, an additional 58 rules from the Emerging Threats rule set are properly supported. It is also now easier to point fwsnort at a single file containing a Snort rule set to be converted (see the --snort-rfile command line argument).

Here is the complete ChangeLog:

  • (Franck Joncourt) Updated fwsnort to use the "! <option> <arg>" syntax instead of the older "<option> ! <arg>" syntax for the iptables command line.
  • (Franck Joncourt) For the --hex-string and --string matches, if the argument exceeds 128 bytes (iptables 1.4.2) then iptables fails with the error "iptables v1.4.2: STRING too long". This is fixed with a patch that adds a new variable "MAX_STRING_LEN" to fwsnort.conf so that the size of the content can be limited. If the content (null terminated string) is longer than MAX_STRING_LEN chars, fwsnort throws the rule away.
  • Bug fix to allow fwsnort to properly translate snort rules that have "content" fields with embedded escaped semicolons (e.g. "\;"). This allows fwsnort to translate about 58 additional rules from the Emerging Threats rule set.
  • Bug fix to allow case insensitive matches to work properly with the --include-re-caseless and --exclude-re-caseless arguments.
  • Bug fix to move the 'rawbytes' keyword to the list of keywords that are ignored since iptables does a raw match anyway as it doesn't run any preprocessors in the Snort sense.
  • Added the --snort-rfile argument so that a specific Snort rules file (or list of files separated by commas) is parsed.
  • Added a small hack to choose the first port from a port list until the iptables 'multiport' match is supported.
  • Updated to consolidate spaces in hex matches in the fwsnort.sh script since the spaces are not part of patterns to be searched anyway.
  • Updated to the latest complete rule set from Emerging Threats (see http://www.emergingthreats.net/).
  • Added the "fwsnort-nobuildreqs.spec" file for building fwsnort on systems (such as Debian) that do not install/upgrade software via RPM. This file omits the "BuildRequires: perl-ExtUtils-MakeMaker" directive, and this fixes errors like the following on an Ubuntu system when building fwsnort with rpmbuild:
    rpm: To install rpm packages on Debian systems, use alien. See README.Debian.
    error: cannot open Packages index using db3 - No such file or directory (2)
    error: cannot open Packages database in /var/lib/rpm

Handling Escaped Semicolons in Snort Rules with fwsnort

Recently I ran into a situation in which several Snort rules from the Emerging Threats rule sets were not being properly translated into iptables rules by fwsnort. It turned out that fwsnort did not correctly parse Snort content fields that contained escaped semicolons (e.g. "\;"). In the Snort signature language, the argument to every keyword in the body of a Snort rule such as content, pcre, and flowbits is terminated with a semicolon, and some keywords also use opening and closing double quotes. But, Snort supports escaping with a backslash so that these characters can easily be made to be part of a keyword argument as opposed to the delimiting syntax. Snort does not allow the argument of a content keyword to contain an embedded semicolon that is not escaped (e.g. content:"distloc=;";), and will generate an error similar to the following if a rule does not conform to this:

    Initializing rule chains...
    ERROR: /etc/snort/rules/web-cgi.rules(3) => Content data needs to be enclosed in quotation marks (")!
    Fatal Error, Quitting..

In this case, we change content:"distloc=;"; to content:"distloc=\;"; and the error goes away. However, in addition to the escaping mechanism, any double quote or semicolon that is part of a content field can just be specified in hex notation between pipe "|" characters instead.

So, what are the tradeoffs in using one convention vs. the other?

Using backslashes can complicate the way an argument looks (since backslashes are not part of the content that is actually searched for in network traffic), but they can also make the argument more intuitive to look at than the hex syntax. This can be important when looking at lots of packet traces. For example, in web traffic the semicolon is used in HTTP request headers as a separator and therefore has special significance in HTTP, and the semicolon is also a separator for multiple commands launched from a command shell. So, for those that don't automatically know the hex equivalent of a semicolon (0x3b), it might be better to look at content:"distloc=\;"; instead of content:"distloc=|3B|"; when interpreting signature matches against raw packet traces since it emphasizes the importance of the semicolon.

There are important examples of Snort rule sets that use each strategy for the arguments to content fields (escaped semicolons vs. the hex equivalent). The complete Emerging Threats rule set contains 58 signatures with escaped semicolons:

    $ perl -lwne 'while (/content:"(.*?)"/g) { $tmp = $1; if ($tmp =~ /\x3b/) { print $tmp; }} ' emerging-all.rules |wc -l
    58

Note that the 'while (/content:"(.*?)"/g)' loop is necessary above in order to parse all content fields from each Snort rule - using something like 'if (/content:"(.*?)"/)' would just parse the very first content field in each Snort rule. Here is an example content field from the "ET MALWARE Vaccine-program.co.kr Related Spyware Checkin" signature:

    |0d 0a|User-Agent\: Mozilla/3.0 (compatible\; Indy Library)|0d 0a|

By contrast, I've seen a few Sourcefire VRT rule sets, and none of them appear to use escaped semicolons in any of their signatures. They always prefer to use the "|3B|" hex notation.
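As an added example (not fwsnort's own code, which is Perl; this is Python written for this page), here is a small parser for the two conventions just described. It splits a rule body on unescaped semicolons, decodes backslash escapes and |..| hex sections into the bytes that are actually searched for in traffic, renders those bytes in the |hh hh ...| form that iptables --hex-string accepts, and counts content fields carrying an escaped semicolon across every content field of each rule rather than only the first. The sample rules and their sids are constructed for the example; both content:"distloc=\;" and content:"distloc=|3B|" decode to the same bytes, and the unescaped form is rejected just as Snort rejects it.

```python
import re

# Constructed sample rules (not taken from any published rule set); the sids
# are placeholders. Rules 1 and 2 write the same semicolon two ways, rule 3
# has two content fields (one with an escaped double quote), and BAD_RULE
# carries the unescaped semicolon that Snort refuses to load.
SAMPLE_RULES = [
    r'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"CONSTRUCTED distloc escaped"; content:"distloc=\;"; sid:9000001; rev:1;)',
    r'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"CONSTRUCTED distloc hex"; content:"distloc=|3B|"; sid:9000002; rev:1;)',
    r'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"CONSTRUCTED two contents"; content:"|0d 0a|User-Agent\: Mozilla/3.0 (compatible\; Indy Library)|0d 0a|"; content:"foo\"bar"; sid:9000003; rev:1;)',
]
BAD_RULE = r'alert tcp any any -> any any (msg:"CONSTRUCTED bad"; content:"distloc=;"; sid:9000004; rev:1;)'


def split_options(body):
    """Split a rule body on unescaped semicolons. A backslash escapes the
    following character, so "\\;" stays inside its option instead of ending it."""
    options, cur, i = [], [], 0
    while i < len(body):
        ch = body[i]
        if ch == '\\' and i + 1 < len(body):
            cur.append(body[i:i + 2])  # keep the escape pair for decode_content()
            i += 2
            continue
        if ch == ';':
            opt = ''.join(cur).strip()
            if opt:
                options.append(opt)
            cur = []
        else:
            cur.append(ch)
        i += 1
    tail = ''.join(cur).strip()
    if tail:
        options.append(tail)
    return options


def decode_content(arg):
    """Turn the text between the content quotes into the bytes searched for:
    backslash escapes become the literal character, |..| sections are hex
    (spaces inside the pipes are ignored, as in the Snort syntax)."""
    out, hexbuf, in_hex, i = bytearray(), '', False, 0
    while i < len(arg):
        ch = arg[i]
        if in_hex:
            if ch == '|':
                if len(hexbuf) % 2:
                    raise ValueError('odd number of hex digits in |..| section')
                out += bytes.fromhex(hexbuf)  # raises ValueError on non-hex input
                hexbuf, in_hex = '', False
            elif not ch.isspace():
                hexbuf += ch
        elif ch == '|':
            in_hex = True
        elif ch == '\\':
            if i + 1 >= len(arg):
                raise ValueError('dangling backslash in content')
            out += arg[i + 1].encode('latin-1')
            i += 1
        else:
            out += ch.encode('latin-1')
        i += 1
    if in_hex:
        raise ValueError('unterminated |..| section')
    return bytes(out)


def raw_content_args(rule):
    """Return the raw (still escaped) text of every content field in a rule."""
    m = re.search(r'\((.*)\)\s*$', rule, re.S)
    if not m:
        raise ValueError('rule has no option body')
    args = []
    for opt in split_options(m.group(1)):
        name, sep, val = opt.partition(':')
        if not sep or name.strip() != 'content':
            continue
        val = val.strip()
        if val.startswith('!'):  # negated content match
            val = val[1:].strip()
        if len(val) < 2 or val[0] != '"' or val[-1] != '"':
            raise ValueError('content data must be enclosed in quotation marks: ' + opt)
        args.append(val[1:-1])
    return args


def extract_contents(rule):
    """Decoded bytes of every content field in the rule, in order."""
    return [decode_content(a) for a in raw_content_args(rule)]


def iptables_hex_string(data):
    """Render bytes in the |hh hh ...| form taken by iptables --hex-string."""
    return '|' + ' '.join('%02x' % b for b in data) + '|'


def count_escaped_semicolons(rules):
    """Count content fields whose raw text has an escaped semicolon, over all
    content fields of every rule (the point of the while loop in the post)."""
    return sum(1 for r in rules for raw in raw_content_args(r) if r'\;' in raw)


def rule_error(rule):
    """None if every content field parses, otherwise the parse error text."""
    try:
        extract_contents(rule)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == '__main__':
    for rule in SAMPLE_RULES:
        for data in extract_contents(rule):
            print(repr(data), '->', iptables_hex_string(data))
    print('content fields with escaped semicolons:', count_escaped_semicolons(SAMPLE_RULES))
    print('bad rule:', rule_error(BAD_RULE))
```

Because the decoder normalizes both spellings to the same byte string before anything is handed to iptables, the choice between "\;" and "|3B|" stays a readability decision for the analyst and never changes what is matched on the wire.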

Now, why is this important for fwsnort? The reason is that the current version - fwsnort-1.0.5 - does not properly parse content fields with escaped semicolons. However, this will be corrected in the upcoming fwsnort-1.0.6 release, which will be completed within the next two days or so. In the meantime, here is a link to fwsnort-1.0.6-pre4 that corrects this issue.

Joined Twitter

Sean Wilkerson convinced me to join Twitter as a way to help increase the exposure that the Cipherdyne projects have on the Internet, and also to interact more with peers in the security community. After having used Twitter now for a couple of weeks, I can see some benefit in its ability to rapidly broadcast updates (140 characters at a time) and to make it easy to see what others are working on (subject to what they choose to reveal of course). Further, it seems plausible that Twitter's flexibility and speed would make it easier to acquire answers to questions than trying to contact people directly via email. Sean also had mentioned that after a recent talk he gave at DojoSec (hopefully video of it will be posted soon) he noticed that people are using Twitter during security talks as a way to organize the audience around the topic at hand. This provides a way for the audience to converge on challenging questions and bring participation to a higher level. Finally, as a measure of its success, it might be worth noting that Twitter has also been in the news recently as a mechanism for organizing a revolution in the former Soviet republic of Moldova.

Software Release - fwknop-1.9.11

The 1.9.11 release of fwknop is ready for download. The major feature addition in this release is the ability to utilize ipfw 'sets' to organize new rules added by the fwknopd daemon on Mac OS X or FreeBSD systems after receiving a valid SPA packet. A couple of other features were added as well, such as user-defined type and code values for SPA packets sent over ICMP, and support in the test suite for running specific chains of related tests.

Here is the complete ChangeLog:

  • (Julien Picalaus) Contributed patches to implement a proper interface to use ipfw 'sets' on systems running ipfw firewalls. This involved the following changes to fwknopd, knoptm, and the fwknop.conf file:
    - Added a test to see if the local ipfw firewall policy is using dynamic rules.
    - Added ipfw_move_rule() so that rules can be moved from one set to another.
    - Added the ipfw_disable() set subroutine; it is called at init for IPFW_SET_NUM (except when ipfw isn't using dynamic rules).
    - Made sure that rule finding includes disabled rules ('ipfw list -S' and changes to the regexp) and returns the set in addition to the rule number.
    - When granting access, if a corresponding disabled rule already exists, enable it instead of adding a new one (except when ipfw isn't using dynamic rules).
    - When adding rules, only use keep-state if there are already dynamic rules.
    - Added IPFW_SET_NUM so that the set number for new ipfw rules can be specified, and added IPFW_DYNAMIC_INTERVAL so that the interval over which rules with no associated dynamic rules are removed can be specified (the default is 60 seconds).
  • (Franck Joncourt) Bug fix to add -O command line arg to knopwatchd to specify an override config file if one is given on the fwknopd command line.
  • Added --icmp-type and --icmp-code command line arguments for the fwknop client in order to manually set the ICMP type/code values when using "--Spoof-proto icmp" or "--Server-proto icmp". Also restructured how SPA packets are sent over the various protocols. Here is an example of sending an SPA packet over an ICMP packet with type "123" and code "123" (not normal ICMP type/code values) with the pcap trace shown:
    # fwknop -A tcp/22 -s --Server-proto icmp --icmp-type 123 --icmp-code 123 -D 127.0.0.1
    # tcpdump -i lo -l -nn icmp or udp -s 0 -X
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on lo, link-type EN10MB (Ethernet), capture size 65535 bytes
    07:24:32.527221 IP 127.0.0.1 > 127.0.0.1: ICMP type-#123, length 169
    0x0000: 4510 00bd 0000 4000 4001 3c2e 7f00 0001 E.....@.@.<.....
    0x0010: 7f00 0001 7b7b e66f 0000 0000 2b63 6a6f ....{{.o....+cjo
    0x0020: 5049 6138 7345 7a35 4864 7955 5176 624b PIa8sEz5HdyUQvbK
    0x0030: 6637 6f51 5934 4e36 4c6c 3454 6931 4453 f7oQY4N6Ll4Ti1DS
    0x0040: 2b4f 3756 6636 4775 6234 756f 6738 4432 +O7Vf6Gub4uog8D2
    0x0050: 3155 4377 5259 6b52 2b30 354b 7043 6b33 1UCwRYkR+05KpCk3
    0x0060: 4f66 452f 4f32 6737 6d37 5064 4846 4842 OfE/O2g7m7PdHFHB
    0x0070: 7a32 4745 3766 7a31 4a4c 7652 764e 626c z2GE7fz1JLvRvNbl
    0x0080: 7a4a 7250 5355 3665 5051 5375 7a54 394b zJrPSU6ePQSuzT9K
    0x0090: 702b 4446 4a79 7a6b 3847 6c51 6a70 3564 p+DFJyzk8GlQjp5d
    0x00a0: 3957 3673 4f52 7945 3771 6f57 6b56 634e 9W6sORyE7qoWkVcN
    0x00b0: 4e41 6167 6231 5a79 6a63 4834 49 NAagb1ZyjcH4I
  • Updated all unpack() calls for packet decoding in fwknopd to use the "mN" format instead of "m[N]" format for proper operation on older versions of perl. On FreeBSD 7.0 with perl-5.6.2 the following error is generated without this fix: "Invalid type in unpack: '['".
  • Bug fix to not require that gpg is installed in order to install fwknop.
  • (Franck Joncourt) Documentation updates for the knopwatchd.8 man page to include the latest command line options.
  • (Martin Ferrari) Bug fix to provide a workaround for fwknopd segfaults on Debian systems when the installed version of Net::Pcap comes from doing 'apt-get install fwknop-server'. See the thread at http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=508432 for more info.
  • Bug fix to ensure that UDP rules in ipfw firewalls are timed out correctly by knoptm (the problem was that 'keep-state' was required).
  • (Test suite): Added tests for multi-port access requests. So, to gain access to tcp/22,udp/1194 with one SPA packet, the test suite verifies that the code supports this.
  • (Test suite): Started on updates to handle the upcoming libfko C implementation of Single Packet Authorization (the command line args are somewhat different).
  • (Test suite): Added support for multiple include/exclude test identifying strings (separated by commas). For example, to run the 'Setup', 'Basic', and 'Replay' tests, just do:
    ./fwknop_test.pl --include Setup,Basic,Replay
  • (Test suite): Added the ability to test sending SPA packets over ICMP.
  • (Test suite): Added import_perl_modules() routine from fwknop itself to enforce the usage of the same perl modules as those that fwknop references. The main application of this is for the Net::RawIP module which is used by the test suite for the SPA over ICMP tests.

Building a Native Windows fwknop.exe Binary

Julien Picalaus recently posted a message to the fwknop mailing list in which he explains how to use Strawberry Perl (reportedly what Larry Wall uses for his perl distribution on Windows systems) along with the Perl Packager to create a native Windows binary for the fwknop client. The result is a functional fwknop.exe binary that can be used on Windows systems to gain access to services protected by an fwknopd server running on other systems with iptables or ipfw policies.

At some point, if fwknopd is modified to hook into a Windows firewalling API, then this same technique could be used to create stand-alone fwknopd binaries for Windows as well. This would extend Single Packet Authorization (SPA) firmly into the Windows world. In the meantime, Julien's instructions for the fwknop client are as follows:

  • Install Strawberry Perl.
  • Use CPAN to install Crypt::CBC and Crypt::Rijndael (required by fwknop).
  • Grab the fwknop sources and try to run perl fwknop -whatever options you need, to make sure it works. Apparently, you need to provide the --Home option since fwknop can't find home folders without it.
  • Use CPAN to install Module::ScanDeps, PAR::Dist, PAR, PAR::Packer.
  • Run pp -c -M Crypt::Rijndael -o fwknop.exe fwknop (at least this worked for me, not sure why I had to specify the Rijndael module manually).
  • You have fwknop.exe.

IPTables::ChainMgr Used in PacketFence

The IPTables::ChainMgr module is now used by the PacketFence NAC system in the latest 1.8.0 release. The module is used to build iptables rules that match on source MAC addresses, set a connection mark, and jump packets into a dedicated MARK chain.

The latest release of the IPTables::ChainMgr module is 0.9 (available as of Feb 11th), and can be downloaded from CPAN. The changes since the 0.8 release are:

  • Added Net::IPv4Addr prerequisite to Makefile.PL (patch submitted by Dominik Gehl).
  • Updated perldoc documentation to properly discuss the delete_chain() API. The material about the $jump_from_chain was missing (Darien Kindlund reported this issue).
  • Applied patch from Darien Kindlund to add the ability to specify the source MAC address via the --mac-source <addr> command line argument to iptables.