Michael Rash, Security Researcher

2005 Blog Archive


Software Release - psad-1.4.4

The 1.4.4 release of psad is ready for download. Here is an excerpt from the ChangeLog:
  • Added MAC address reporting in psad email alerts. This feature is enabled via a new config keyword "ENABLE_MAC_ADDR_REPORTING".
  • Added --fw-rm-block-ip option to allow IP addresses to be removed from the auto-blocking chains from the command line.
  • Updated command line firewall arguments to write commands to the AUTO_IPT_SOCK domain socket.
  • Added the ability to specify ports and port ranges to auto_dl file.
  • Added --force-mod-install command line argument to installer to force perl modules used by psad to be installed within /usr/lib/psad regardless of whether they already exist in the system perl tree.
  • Bugfix for psad repeatedly trying to remove the same IP address(es) from the auto-blocking chains.

The Netfilter String Match Extension is back!

The Fwsnort project translates Snort rules into equivalent iptables rules that are enforced by the Netfilter subsystem of the Linux kernel, and it relies heavily on the Netfilter string match extension to compare application layer data against malicious content strings. The string match extension is available once again with the release of the 2.6.14 Linux kernel; it had not been available in any 2.6.x kernel before this release. If you want to run a decent percentage of Snort rules directly within the Linux kernel without running Snort at all, download Fwsnort!

Software Release - fwsnort-0.8.1

The 0.8.1 release of fwsnort is ready for download. Here is an excerpt from the ChangeLog:
  • Updated to use the string match extension "--algo bm" argument if fwsnort is being run on a 2.6.14 (or greater) kernel.
  • Updated to handle the Snort "offset" and "depth" keywords via the --from and --to options to the string match extension in the 2.6.14 kernel.
  • Created RPM package of fwsnort.
  • Minor documentation updates.
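The two ChangeLog items above describe a specific mapping: Snort's "offset" and "depth" become the string match's --from/--to window, and --algo bm is added on 2.6.14 or later kernels. The script below is an added example of that translation for single-content Snort rules; it is not fwsnort's own code (fwsnort is written in Perl). The sample rule, the FWSNORT_INPUT chain name and the sid are constructed. One caveat a practitioner should keep in mind: Snort's offset counts from the start of the payload, while the kernel string match counts --from/--to from the start of the IP header, so the script adds a fixed header allowance (20-byte IP plus 20-byte TCP or 8-byte UDP/ICMP header), which is only exact when no IP or TCP options are present.

```python
#!/usr/bin/env python3
"""Translate single-content Snort rules into iptables string-match rules.

Added example, not fwsnort code.  Reproduces the mapping in the 0.8.1 ChangeLog:
"--algo bm" on 2.6.14+ kernels, Snort offset/depth carried into --from/--to.
"""
import re
import shlex

# Assumption: no IP/TCP options, so payload starts at these fixed offsets from
# the IP header (the kernel string match counts --from/--to from the IP header).
HEADER_LEN = {"tcp": 40, "udp": 28, "icmp": 28, "ip": 20}

HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass)\s+(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*"
    r"\((?P<opts>.*)\)\s*$"
)

# Constructed sample rule in Snort syntax (hypothetical sid).
SAMPLE_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC /etc/passwd"; '
    'content:"/etc/passwd"; offset:4; depth:100; sid:1122; rev:1;)'
)


def kernel_version(s):
    """'2.6.14-1.1653_FC4' -> (2, 6, 14)."""
    return tuple(int(x) for x in re.findall(r"\d+", s)[:3])


def parse_options(opts):
    """Split 'key:"value"; flag;' into a dict.  Values containing ';' are not handled."""
    out = {}
    for item in opts.split(";"):
        item = item.strip()
        if item:
            key, _, val = item.partition(":")
            out[key.strip()] = val.strip().strip('"')
    return out


def translate(rule, kernel="2.6.14", chain="FWSNORT_INPUT"):
    """Return the iptables command line equivalent to one Snort content rule."""
    ver = kernel_version(kernel)
    if (2, 6, 0) <= ver < (2, 6, 14):
        raise ValueError("no string match extension in kernel %s" % kernel)
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("unsupported rule header")
    opts = parse_options(m.group("opts"))
    if "content" not in opts:
        raise ValueError("only content rules can be matched in the kernel")

    proto = m.group("proto")
    argv = ["iptables", "-A", chain, "-p", "all" if proto == "ip" else proto]
    # Only literal ports translate; Snort variables and lists such as $HTTP_PORTS do not.
    if m.group("sport").isdigit():
        argv += ["--sport", m.group("sport")]
    if m.group("dport").isdigit():
        argv += ["--dport", m.group("dport")]
    argv += ["-m", "string"]

    if ver >= (2, 6, 14):
        argv += ["--algo", "bm"]  # Boyer-Moore; the 2.6.14 extension requires --algo
        start = HEADER_LEN[proto] + int(opts.get("offset", 0))
        if "offset" in opts:
            argv += ["--from", str(start)]
        if "depth" in opts:  # depth is relative to offset; --to is absolute
            argv += ["--to", str(start + int(opts["depth"]))]
    # Snort "|xx xx|" hex escapes use the same notation as --hex-string.
    content = opts["content"]
    argv += ["--hex-string" if "|" in content else "--string", content]

    prefix = ("[%s] %s " % (opts.get("sid", "0"), opts.get("msg", "")))[:29]  # LOG prefix limit
    argv += ["-j", "LOG", "--log-prefix", prefix]
    return " ".join(shlex.quote(a) for a in argv)


if __name__ == "__main__":
    print(translate(SAMPLE_RULE))
    print(translate(SAMPLE_RULE, kernel="2.4.31"))
```

Running the script prints the 2.6.14 form with --algo bm --from 44 --to 144 and the older 2.4 form with only --string; asking for a 2.6.13 kernel raises, since there is no string match to target there.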

Software Release - gpgdir-0.9.4

The 0.9.4 release of gpgdir is ready for download. Here is an excerpt from the ChangeLog:
  • Updated test mode to encrypt and decrypt a testing file within the directory to be encrypted or decrypted. This file is located at <dir>gpgdir_test, and is removed after the test is completed.
  • Bugfix for "protocol error: expected SHM_GET_XXX got GOOD_PASSPHRASE" error in GnuPG module.

Software Release - fwknop-0.9.5

The 0.9.5 release of fwknop is ready for download. Here is an excerpt from the ChangeLog:
  • Added the ability to resolve the external IP associated with the local network via This is a more secure method of accomplishing what the -s option performs. The new command line option is --whatismyip (or just -w).
  • Updated fwknop to communicate with knoptm via a UNIX domain socket instead of the previous file-based communication.
  • Updated to flush the fwknop Netfilter chains at start time.
  • Bugfix for removing the wrong hash key in the knoptm IP cache.

Software Release - psad-1.4.3

The 1.4.3 release of psad is ready for download. Here is an excerpt from the ChangeLog:
  • Bugfixes for auto-blocking code. Timeouts should be handled properly, including cached IP addresses in the auto_blocked_iptables file that are referenced upon psad startup. Communication with the running psad is performed over a Unix domain socket in --fw-block mode.
  • Bugfix to seek to the end of the fwdata file instead of reading the entire thing into memory and then looking for newly written logging messages. This drastically reduces the amount of memory required by psad.
  • Updated to only display psad chains if --verbose is set.
  • Updated to automatically flush the psad auto-response Netfilter chains at start time (subject to a new config keyword "FLUSH_IPT_AT_INIT").
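Two of the psad changes on this page are worth seeing in code: the 1.4.3 fix that seeks to the end of the fwdata file instead of reading it all into memory, and the 1.4.4 MAC address reporting. The following Python follower is an added example, not psad's own code (psad is Perl): it opens the log, seeks to its end, returns only lines written afterwards, reopens the file if it is rotated or truncated, and pulls the source MAC out of the MAC= field of Netfilter LOG lines. That field is the raw Ethernet header in hex (destination MAC, source MAC, ethertype), so the source MAC is the second group of six bytes. The log lines and the TailFollower and parse_log_line names are this example's own.

```python
#!/usr/bin/env python3
"""Follow an iptables log from its end and report source MACs (added example, not psad code)."""
import os
import re
import tempfile

# Constructed sample lines in the format the Netfilter LOG target writes via klogd/syslog.
SAMPLE_LINES = [
    "Oct 12 14:01:03 fw kernel: IN=eth0 OUT= "
    "MAC=00:0c:29:aa:bb:cc:00:50:56:c0:00:08:08:00 "
    "SRC=192.168.10.55 DST=192.168.10.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=11 DF "
    "PROTO=TCP SPT=40001 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Oct 12 14:02:07 fw kernel: IN=eth0 OUT= "
    "MAC=00:0c:29:aa:bb:cc:00:16:3e:11:22:33:08:00 "
    "SRC=10.0.0.7 DST=192.168.10.1 LEN=64 TOS=0x00 PREC=0x00 TTL=128 ID=4242 "
    "PROTO=UDP SPT=1025 DPT=53 LEN=44",
    "Oct 12 14:02:11 fw kernel: eth0: link up",  # unrelated kernel message
]

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def source_mac(mac_field):
    """MAC= is dst MAC (6 bytes), src MAC (6), ethertype (2), colon separated."""
    parts = mac_field.split(":")
    if len(parts) != 14:
        return None
    return ":".join(parts[6:12])


def parse_log_line(line):
    """Return the KEY=VALUE fields of a Netfilter LOG line plus SRC_MAC, or None."""
    if "SRC=" not in line or "DST=" not in line:
        return None
    rec = dict(FIELD_RE.findall(line))  # a repeated key (e.g. LEN) keeps its last value
    rec["SRC_MAC"] = source_mac(rec.get("MAC", ""))
    return rec


class TailFollower:
    """Yield lines appended after construction; never reads existing history."""

    def __init__(self, path):
        self.path = path
        self.fh = open(path, "rb")
        self.fh.seek(0, os.SEEK_END)  # start at the end, as psad-1.4.3 does
        self.buf = b""

    def _reopen_if_rotated(self):
        try:
            st = os.stat(self.path)
        except FileNotFoundError:
            return  # rotated away and not recreated yet; keep the old handle
        if st.st_ino != os.fstat(self.fh.fileno()).st_ino:
            self.fh.close()
            self.fh = open(self.path, "rb")  # new file after rotation: read from start
            self.buf = b""
        elif st.st_size < self.fh.tell():
            self.fh.seek(0)  # truncated in place (undetected if rewritten larger)
            self.buf = b""

    def new_lines(self):
        self._reopen_if_rotated()
        self.buf += self.fh.read()
        lines = self.buf.split(b"\n")
        self.buf = lines.pop()  # keep a partial trailing line for the next read
        return [l.decode("utf-8", "replace") for l in lines]


def run_demo():
    """Write history, follow from the end, append, truncate; return parsed records."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "fwdata")
        with open(path, "w") as f:
            f.write(SAMPLE_LINES[0] + "\n")  # pre-existing history, must be skipped
        follower = TailFollower(path)
        assert follower.new_lines() == []
        with open(path, "a") as f:
            f.write("\n".join(SAMPLE_LINES[1:]) + "\n")
        appended = [r for r in map(parse_log_line, follower.new_lines()) if r]
        with open(path, "w") as f:  # logrotate-style truncation in place
            f.write(SAMPLE_LINES[0] + "\n")
        after_trunc = [r for r in map(parse_log_line, follower.new_lines()) if r]
        return appended, after_trunc


if __name__ == "__main__":
    for rec in run_demo()[0]:
        print(rec["SRC"], rec["DPT"], rec["SRC_MAC"])
```

The memory saving is the seek: the follower's working set is the bytes written since its last read, not the whole log, which matters when psad is pointed at a file that grows by gigabytes.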

Software Release - fwknop-0.9.4

The 0.9.4 release of fwknop is ready for download. Here is an excerpt from the ChangeLog:
  • Bugfix for knoptm timing out new entries based on old time values (this caused new rules to be timed out too quickly).
  • Added support for multiple users in REQUIRE_USERNAME keyword in access.conf.
  • Added the ability to display raw encrypted packet data in client mode with --verbose.
  • Created fwknop RPM for RPM-based Linux distributions.
  • Bugfix for inappropriate redirects in command mode where the command already contained a redirect.

Intrusion Prevention Book Review On Slashdot

Jose Nazario has written a favorable review for Slashdot of my book Intrusion Prevention and Active Response: Deploying Network and Host IPS. The book was published by Syngress Publishing and is the first to concentrate exclusively on the concept of intrusion prevention.

Site Update

The and websites have been updated to use the Apache Forrest project for a better and more consistent look and feel. The Forrest project uses a validated XML description for each html page, which is automatically rendered and checked for consistency.

ToorCon 7 Talk

At the seventh ToorCon conference (September 16-18, 2005, in San Diego) I will be giving a talk entitled Netfilter and Encrypted, Non-replayable, Spoofable, Single Packet Remote Authorization. This will be the first conference presentation I make about the concept of Single Packet Authorization as implemented by fwknop. Stop by to say "hello" if you are going to attend ToorCon!

Slides can be found here.