Michael Rash, Security Researcher

2005 Blog Archive


Software Release - fwknop-0.9.3

The 0.9.3 release of fwknop is ready for download. Here is an excerpt from the ChangeLog:
  • Added an on-disk cache of md5 sums so that the md5 sum check can survive restarts of fwknop.
  • Updated to be more friendly to Mac OS X (Blair Zajac).
  • Updated to allow access.conf variables to have values instead of just being defined.
  • Started on code for an additional server authentication mode (reworked the MD5 sum calculation so that the packet format can be extended, by taking the fwknop version number into account).

Technical Editor for Nessus Book Chapter

Syngress Publishing has published a book entitled "Nessus, Snort, & Ethereal Power Tools: Customizing Open Source Security Applications", and I was the Technical Editor for Chapter 10, "Modifying Snort". This chapter explores the steps necessary to modify Snort to support a custom requirement. Examples are given for two custom projects, "Snort-AV" and "Snort-Wireless".

Software Release - fwknop-0.9.2

The 0.9.2 release of fwknop is ready for download. Here is an excerpt from the ChangeLog:
  • Added FILE_PCAP data collection method when running in server mode. This is a more general way of getting packets than the ULOG_PCAP mode, since any ordinary Ethernet sniffer can then be used to build the file.
  • Added the ability to re-open a pcap file if its size shrinks (i.e. it gets rotated out or something).
  • Bugfix for multiple rules with the same timestamp not being timed out by knoptm.
  • Integrated spoofing capability directly within fwknop (instead of using the knopspoof command) through the use of "require Net::RawIP".
  • Better multi-protocol support in server mode. TCP and ICMP packets are properly decoded now.
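The FILE_PCAP item and the "re-open a pcap file if its size shrinks" item together describe a server that tails a capture file some other process (a sniffer, or ulogd's pcap writer) keeps appending to. The following is an added Python example of that pattern, not fwknop's own code: it parses the pcap global and record headers with `struct`, keeps its own consumed-byte offset, and re-opens the file (re-reading the global header) when the inode changes or the size drops below that offset. The `write_pcap` helper, the `demo` function and the "spa-N" payloads are constructed for the example.

```python
"""Added example (not fwknop's code): follow a pcap file that another process
writes to, and re-open it when the writer rotates or truncates it."""
import os
import struct
import tempfile

PCAP_MAGIC = 0xA1B2C3D4                          # little-endian, microsecond timestamps
PCAP_GLOBAL_HDR = struct.Struct("<IHHiIII")      # magic, major, minor, thiszone, sigfigs, snaplen, linktype
PCAP_REC_HDR = struct.Struct("<IIII")            # ts_sec, ts_usec, incl_len, orig_len


class PcapFollower:
    """Tail a pcap file. Rotation is detected when the inode changes or the
    size drops below the last offset we consumed; the new file's global
    header is then re-parsed before any records are read."""

    def __init__(self, path):
        self.path = path
        self.fh = None
        self.reopens = 0
        self._open()

    def _open(self):
        if self.fh:
            self.fh.close()
        self.fh = open(self.path, "rb")
        self.inode = os.fstat(self.fh.fileno()).st_ino
        self.offset = 0           # bytes fully consumed so far
        self.header_ok = False

    def _rotated(self):
        try:
            st = os.stat(self.path)
        except FileNotFoundError:
            return False          # writer is between rename and re-create; keep the old handle
        return st.st_ino != self.inode or st.st_size < self.offset

    def poll(self):
        """Return every complete record appended since the last poll as
        (ts_sec, ts_usec, packet_bytes). Partial records are left for next time."""
        if self._rotated():
            self._open()
            self.reopens += 1
        self.fh.seek(self.offset)
        records = []
        if not self.header_ok:
            hdr = self.fh.read(PCAP_GLOBAL_HDR.size)
            if len(hdr) < PCAP_GLOBAL_HDR.size:
                return records    # writer has not finished the global header yet
            if PCAP_GLOBAL_HDR.unpack(hdr)[0] != PCAP_MAGIC:
                raise ValueError("not a little-endian pcap file")
            self.header_ok = True
            self.offset = PCAP_GLOBAL_HDR.size
        while True:
            rec = self.fh.read(PCAP_REC_HDR.size)
            if len(rec) < PCAP_REC_HDR.size:
                break
            ts_sec, ts_usec, incl_len, _orig_len = PCAP_REC_HDR.unpack(rec)
            data = self.fh.read(incl_len)
            if len(data) < incl_len:
                break             # packet body still being written
            self.offset += PCAP_REC_HDR.size + incl_len
            records.append((ts_sec, ts_usec, data))
        return records


def write_pcap(path, packets, append=False):
    """Constructed stand-in for the sniffer/ulogd writer. A fresh file gets a
    global header; appending adds records only."""
    mode = "ab" if append and os.path.exists(path) else "wb"
    with open(path, mode) as fh:
        if mode == "wb":
            fh.write(PCAP_GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, 65535, 1))
        for ts_sec, payload in packets:
            fh.write(PCAP_REC_HDR.pack(ts_sec, 0, len(payload), len(payload)) + payload)


def demo():
    """Write two records, append one, then rotate the file to a smaller one.
    Returns the payloads seen on each poll and the number of re-opens."""
    path = os.path.join(tempfile.mkdtemp(), "ulogd.pcap")
    write_pcap(path, [(1, b"spa-1"), (2, b"spa-2")])
    follower = PcapFollower(path)
    first = [p for _, _, p in follower.poll()]
    write_pcap(path, [(3, b"spa-3")], append=True)
    second = [p for _, _, p in follower.poll()]
    write_pcap(path, [(4, b"spa-4")])               # rotation: file truncated and rewritten
    third = [p for _, _, p in follower.poll()]
    return first, second, third, follower.reopens


if __name__ == "__main__":
    print(demo())
```

The size check alone (which is what the ChangeLog item describes) has a blind spot: if the writer truncates the file in place and refills it past the old offset before the next poll, nothing shrinks and the follower would resume mid-record. Checking the inode catches rename-style rotation but not that case either; a stricter follower would also validate that the record header at the resume offset is plausible (`incl_len` no larger than `snaplen`).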

Software Release - fwknop-0.9.1

The 0.9.1 release of fwknop is ready for download. Here is an excerpt from the ChangeLog:
  • Added the ability to specify multiple ports/protocols to access on a server with the --Access command line option.
  • Added the ability to spoof SPA packets over the ICMP and TCP protocols.
  • Added the ability to restrict access at the server to only those ports defined in the OPEN_PORTS keyword. This option is controlled by a new keyword "PERMIT_CLIENT_PORTS".
  • Bugfix for MD5 sum not being properly calculated over decrypted data. This allowed old packets that contained additional garbage data to be replayed against an fwknop server.
  • Updated to fall back to getpwuid() if getlogin() fails (Blair Zajac).
  • Added --ipt-list to list all current rules in the FWKNOP Netfilter chains.
  • Added --ipt-flush to flush all current rules in the FWKNOP Netfilter chains.
  • Bugfix for the installer dying if ~/lib already exists (Blair Zajac).
  • Updated to delay the loading of server perl modules (Net::Pcap, etc.) only if we are running in server mode.
  • Bugfix for module directory paths in

Software Release - psad-1.4.2

The 1.4.2 release of psad is ready for download. Here is an excerpt from the ChangeLog:
  • Dependency bugfixes for mail binary.
  • Bugfix for various IGNORE_* keywords not being honored.
  • Bugfix for not timing out blocked IP addresses from a previous run.
  • Updated to version 0.2 of the IPTables::ChainMgr module.
  • Updated to not truncate the fwdata file upon psad startup.
  • Added --fw-dump which produces a sanitized (i.e. no IP addresses) version of the local Netfilter policy. Also added --fw-include-ips to (optionally) not sanitize IPs/nets. Note that the and IPs/nets are not sanitized since they give no useful information about specific IPs/nets.
  • Added ulogd data collection mode.
  • Bugfix for FW_MSG_SEARCH default (at least "DROP" is included now even if FW_SEARCH_ALL is set to "N").

Software Release - fwsnort-0.8.0

The 0.8.0 release of fwsnort is ready for download. Here is an excerpt from the ChangeLog:
  • Completely re-structured fwsnort w.r.t. how it creates Netfilter chains. There are no longer any per-interface chains (this greatly simplifies the Netfilter chains).
  • Added three new chains "FWSNORT_INPUT_ESTAB", "FWSNORT_OUTPUT_ESTAB" and "FWSNORT_FORWARD_ESTAB" to which TCP connections in the ESTABLISHED state are jumped. This allows fwsnort to use the Netfilter TCP connection tracking mechanism to ignore Stick and Snot style attacks (similar to the flow:established Snort rule option).
  • Added true variable resolution (i.e. HTTP_SERVERS -> HOME_NET -> any) for the Snort rule header. This directly emulates the behavior of the Snort IDS.
  • Added IP protocol support in the translation of the Snort rule header. The Snort rule translation rate is now at about 53% for Snort-2.3.
  • Bugfix for ipopts Snort option (several arguments are not supported by the ipv4options extension).
  • Better tests for Netfilter TTL, TOS, and ipv4options matches.
  • Replaced IGNORE_IP and IGNORE_NET keywords with a single IGNORE_ADDR keyword in fwsnort.conf.

Software Release - fwsnort-0.7.0

The 0.7.0 release of fwsnort is ready for download. Here is an excerpt from the ChangeLog:
  • Added support for the Snort pass action by using the ACCEPT target.
  • Added support for the Snort log action by using the ULOG target (which can then log the packet via the pcap writer).
  • Added support for all fwsnort alerts to be logged via the ULOG target instead of the LOG target.
  • Added support for the "resp" keyword to allow it to drive the Netfilter argument to the REJECT target.
  • Added "pcre" to the unsupported list... this knocks the fwsnort translation rate down to about 50% for Snort-2.3 rules (pcre is heavily utilized).
  • Added "priority" and "rev" to comment lines.
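The 0.7.0 and 0.8.0 items above describe four translation decisions: resolving Snort variables through a chain like HTTP_SERVERS -> HOME_NET -> any, steering flow:established rules into the *_ESTAB chains so conntrack discards Stick/Snot noise, mapping Snort actions onto iptables targets (pass -> ACCEPT, log -> ULOG, alert -> LOG or ULOG, resp -> REJECT), and dropping rules that use an unsupported option such as pcre, which is what sets the quoted translation rate. The following is an added Python example of a miniature translator that makes those decisions visible; it is not fwsnort's code. Only the FWSNORT_*_ESTAB chain names come from the notes above; the base FWSNORT_INPUT/OUTPUT/FORWARD chain names, the rule that traffic to HOME_NET goes to INPUT and traffic from it to OUTPUT, the HOME_NET value, the resp-keyword to --reject-with mapping, the single-entry unsupported list and the sample rules are all assumptions made for this example.

```python
"""Added example (not fwsnort's code): a miniature Snort-to-iptables translator
showing variable resolution, the ESTAB chains, action/target mapping and the
unsupported-option filter described in the fwsnort 0.7.0/0.8.0 notes."""
import re

# Constructed variable table. The $HTTP_SERVERS -> $HOME_NET chain mirrors the
# default snort.conf; the HOME_NET value is an assumption for this example.
SNORT_VARS = {
    "HOME_NET": "192.168.10.0/24",
    "EXTERNAL_NET": "!$HOME_NET",
    "HTTP_SERVERS": "$HOME_NET",
}
UNSUPPORTED = {"pcre"}   # pcre is from the 0.7.0 notes; fwsnort's real list is longer
# Snort resp keywords -> REJECT --reject-with arguments (mapping is an assumption)
RESP_TO_REJECT = {
    "rst_snd": "tcp-reset", "rst_rcv": "tcp-reset", "rst_all": "tcp-reset",
    "icmp_net": "icmp-net-unreachable", "icmp_host": "icmp-host-unreachable",
    "icmp_port": "icmp-port-unreachable", "icmp_all": "icmp-port-unreachable",
}
HEADER = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")
OPTION = re.compile(r'(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')


def resolve(token, variables=SNORT_VARS):
    """Follow $VAR references to a literal ($HTTP_SERVERS -> $HOME_NET -> net).
    Undefined variables fall back to "any". Returns (negated, literal)."""
    negated, seen = False, set()
    while token.startswith(("!", "$")):
        if token[0] == "!":
            negated, token = not negated, token[1:]
            continue
        if token in seen:
            raise ValueError(f"variable loop at {token}")
        seen.add(token)
        token = variables.get(token[1:], "any")
    return negated, token


def addr_arg(flag, token):
    negated, literal = resolve(token)
    return "" if literal == "any" else f"{'! ' if negated else ''}{flag} {literal}"


def port_arg(flag, token):
    if token == "any":
        return ""
    neg = "! " if token.startswith("!") else ""
    token = token.lstrip("!")
    if token.startswith("["):                       # [21,2121] -> multiport match
        return f"-m multiport {neg}--{flag}s {token.strip('[]')}"
    return f"{neg}--{flag} {token}"                 # single port or a:b range


def translate(rule, use_ulog=False):
    """Return the iptables command lines for one rule, or None if untranslatable."""
    m = HEADER.match(rule.strip())
    if not m:
        return None
    action, proto, src, sport, _direction, dst, dport, body = m.groups()
    opts = OPTION.findall(body)
    names = {n for n, _ in opts}
    if action not in ("alert", "log", "pass") or names & UNSUPPORTED:
        return None

    def get(key):
        return [v.strip('"') for n, v in opts if n == key]

    # Chain choice is an assumption: to HOME_NET -> INPUT, from HOME_NET -> OUTPUT, else FORWARD.
    home = SNORT_VARS["HOME_NET"]
    if resolve(dst) == (False, home):
        chain = "FWSNORT_INPUT"
    elif resolve(src) == (False, home):
        chain = "FWSNORT_OUTPUT"
    else:
        chain = "FWSNORT_FORWARD"
    if proto == "tcp" and any("established" in f for f in get("flow")):
        chain += "_ESTAB"                           # conntrack filters out Stick/Snot noise
    parts = [f"-A {chain}"] + ([] if proto == "ip" else [f"-p {proto}"])
    parts += [p for p in (addr_arg("-s", src), port_arg("sport", sport),
                          addr_arg("-d", dst), port_arg("dport", dport)) if p]
    icase = " --icase" if "nocase" in names else ""  # simplification: nocase applies to every content
    for content in get("content"):
        kind = "--hex-string" if "|" in content else "--string"
        parts.append(f'-m string --algo bm {kind} "{content}"{icase}')
    base = "iptables " + " ".join(parts)
    sid = (get("sid") or ["0"])[0]
    rev, prio, msg = (get("rev") or ["?"])[0], (get("priority") or ["?"])[0], (get("msg") or [""])[0]
    cmds = [f"# sid:{sid} rev:{rev} priority:{prio} msg:{msg}"]
    if action == "pass":
        cmds.append(f"{base} -j ACCEPT")
    elif action == "log":
        cmds.append(f"{base} -j ULOG --ulog-nlgroup 1")
    else:  # alert: LOG/ULOG are non-terminating, so a resp-driven REJECT can follow
        if use_ulog:
            cmds.append(f'{base} -j ULOG --ulog-nlgroup 1 --ulog-prefix "SID{sid} "')
        else:
            cmds.append(f'{base} -j LOG --log-prefix "SID{sid} "')
        for kw in ",".join(get("resp")).split(","):
            if kw in RESP_TO_REJECT:
                cmds.append(f"{base} -j REJECT --reject-with {RESP_TO_REJECT[kw]}")
                break
    return cmds


def translate_ruleset(rules, use_ulog=False):
    """Translate a list of rules; returns (command lines, translation rate)."""
    out, done = [], 0
    for rule in rules:
        cmds = translate(rule, use_ulog)
        if cmds is None:
            out.append("# untranslatable: " + rule.strip())
        else:
            done += 1
            out.extend(cmds)
    return out, (done / len(rules) if rules else 0.0)


# Constructed sample rules in Snort-2.3 syntax (not taken from any real ruleset).
SAMPLE_RULES = [
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI test"; flow:established,to_server; '
    'content:"/cgi-bin/test.cgi"; nocase; resp:rst_all; sid:1000001; rev:2; priority:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET [21,2121] (msg:"FTP IAC"; content:"|ff f4 ff fd 06|"; sid:1000002; rev:1;)',
    'pass udp $HOME_NET any -> any 53 (msg:"DNS pass"; sid:1000003; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"needs pcre"; pcre:"/test\\.cgi/i"; sid:1000004; rev:1;)',
    'log ip $EXTERNAL_NET any -> $HOME_NET any (msg:"all-IP log"; sid:1000005; rev:1;)',
]

if __name__ == "__main__":
    lines, rate = translate_ruleset(SAMPLE_RULES)
    print("\n".join(lines))
    print(f"# translation rate: {rate:.0%}")
```

Running it prints one comment line per rule carrying sid, rev, priority and msg, followed by the iptables commands; the pcre rule comes out as an "untranslatable" comment, which is why the rate over these five constructed rules is 80% rather than 100%. Note that the emitted rules only jump to the FWSNORT_* chains; the jumps from INPUT/OUTPUT/FORWARD into them, and the `-m state --state ESTABLISHED` jump into the *_ESTAB chains, have to be installed separately.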

fwknop on Slashdot (again!)

fwknop has made Slashdot once again for the new Single Packet Authorization mode. The story has been given the title Going Beyond Port Knocking; Single Packet Access.

Software Release - fwknop-0.9.0

The 0.9.0 release of fwknop is ready for download. Here is an excerpt from the ChangeLog:
  • Added new authorization mode that uses Net::Pcap to read packets out of a file that is written to by the ulogd pcap writer (also stubbed in code to sniff packets directly off the wire). This authorization mode only requires a single packet, and has many characteristics that are better than simple port knocking, including non-replayability and the ability to carry much more data. This mode is now the default for both the server and the client.
  • Made the execution of knopmd optional depending on whether AUTH_MODE is a pcap mode (e.g. ULOG_PCAP or PCAP).
  • Added --Spoof-src argument so that encrypted packets can be spoofed via /usr/sbin/knopspoof.
  • Added /usr/sbin/knoptm so that firewall rules can be timed-out when the server is running in PCAP mode even if new packets don't appear on the wire.
  • Updated fwknop man page to talk about the new pcap-based authorization mode.
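Three of the ChangeLog items on this page belong together: the 0.9.0 notes say the SPA mode is non-replayable, the 0.9.1 notes fix an MD5 sum that was not taken over the decrypted data (so an old packet with garbage appended replayed successfully), and the 0.9.3 notes move the cache of MD5 sums to disk so it survives a restart. The following is an added Python example, not fwknop's code, that shows why each of those matters. The field layout random:user:timestamp:version:access plus an inner MD5, the use of base64 as a stand-in for the symmetric encryption step, the one-digest-per-line cache file and the `authorize`/`demo` functions are all assumptions for this example; the interesting property it relies on is that a lenient decoder yields the same plaintext for the wire bytes with or without trailing junk, which is exactly the situation the 0.9.1 fix addresses.

```python
"""Added example (not fwknop's code): why a replay cache must be keyed on the
decrypted SPA payload, and why it has to live on disk."""
import base64
import hashlib
import os
import tempfile
import time

VERSION = "0.9.3"


def build_spa_packet(user, access, rand="0123456789abcdef", ts=None):
    """Client side. The field layout random:user:timestamp:version:access
    followed by an MD5 over those fields is an assumption modelled on the
    documented 0.9.x format, not copied from the project. base64 stands in for
    the encryption step, which plays no part in the replay logic."""
    ts = str(int(time.time()) if ts is None else ts)
    body = f"{rand}:{user}:{ts}:{VERSION}:{access}"
    inner_md5 = hashlib.md5(body.encode()).hexdigest()
    return base64.b64encode(f"{body}:{inner_md5}".encode())


def decrypt_spa(raw):
    # Like other lenient decoders, b64decode() silently drops bytes outside the
    # base64 alphabet, so raw + b"\r\n\x00" decodes to the *same* plaintext.
    return base64.b64decode(raw)


class ReplayCache:
    """Digests of every accepted packet, appended to a file so that a restart
    of the server does not forget them (the 0.9.3 on-disk cache)."""

    def __init__(self, path):
        self.path = path
        self.digests = set()
        if os.path.exists(path):
            with open(path) as fh:
                self.digests = {line.strip() for line in fh if line.strip()}

    def check_and_add(self, digest):
        """True if the digest is new (and is now recorded), False if it is a replay."""
        if digest in self.digests:
            return False
        self.digests.add(digest)
        with open(self.path, "a") as fh:
            fh.write(digest + "\n")
        return True


def authorize(raw, cache, digest_plaintext=True):
    """Server side. digest_plaintext=False reproduces the pre-0.9.1 defect: the
    replay digest is taken over the wire bytes, so a packet with trailing
    garbage looks new even though it decrypts to an old request."""
    plaintext = decrypt_spa(raw)
    fields = plaintext.decode("ascii", "replace").split(":")
    if len(fields) != 6:
        return "malformed"
    body, inner_md5 = ":".join(fields[:5]), fields[5]
    if hashlib.md5(body.encode()).hexdigest() != inner_md5:
        return "bad-md5"            # inner sum covers plaintext, so it never notices the junk
    digest = hashlib.md5(plaintext if digest_plaintext else raw).hexdigest()
    return "accepted" if cache.check_and_add(digest) else "replay"


def demo(digest_plaintext):
    """Send a packet, replay it verbatim, replay it with garbage appended, then
    'restart' the server (a fresh ReplayCache on the same file) and replay once
    more. Returns the four verdicts."""
    path = os.path.join(tempfile.mkdtemp(), "digest.cache")
    pkt = build_spa_packet("mbr", "tcp/22")
    cache = ReplayCache(path)
    verdicts = [
        authorize(pkt, cache, digest_plaintext),
        authorize(pkt, cache, digest_plaintext),
        authorize(pkt + b"\r\n\x00", cache, digest_plaintext),
    ]
    restarted = ReplayCache(path)
    verdicts.append(authorize(pkt, restarted, digest_plaintext))
    return verdicts


if __name__ == "__main__":
    print("digest over plaintext:", demo(True))
    print("digest over wire bytes:", demo(False))
```

With the digest taken over the plaintext the verdicts are accepted, replay, replay, replay; with the pre-fix behaviour the third attempt (same request, junk appended) is accepted again. The fourth verdict is the reason for the on-disk cache: an in-memory set would come back empty after the restart and accept the replay. A digest cache is necessary but not sufficient on its own, since it grows without bound; in practice it is paired with the timestamp field so that digests older than the acceptance window can be expired.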

News Forge Article on psad

News Forge is running an article on psad entitled "Detecting suspicious network traffic with psad".