Michael Rash, Security Researcher

2006 Blog Archive


Software Release - psad-2.0.3

psad-2.0.3 release The 2.0.3 release of psad is ready for download. This release removes the perl module in favor of keeping the functions within the psad daemon itself, and the obsolete and scripts were the only other things to use so it was not necessary to keep. A few other enhancements and bugfixes were made, particularly in the -S and -A output modes. Here is the ChangeLog:
  • Removed perl module and and scripts. This is a major change that allows psad to be more flexible and completely derive its config from the psad.conf file and from the command line. In the previous scheme, psad imported its config with a function within, and this required that psad imported the Psad perl module before reading its config. A consequence was that the PSAD_LIBS_DIR var could not be specified usefully within the config file.
  • Added the ability to recursively resolve embedded variables from *.conf files (with a limit of 20 resolution attempts).
  • Added IGNORE_KERNEL_TIMESTAMP so that Linux distros that add a timestamp to all kernel messages (Ubuntu for example) can be ignored.
  • Consolidated code to import data out of /var/log/psad/<ip> directories with code to display status and analysis output (-S and -A). Essentially the %scan hash is built by the filesystem data import routine and the remainder of the code references this single data structure.
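To make the recursive variable resolution and its 20-attempt limit concrete, here is a small added example (written for this page, not psad's own Perl code) that parses a constructed psad.conf-style fragment and expands `$VAR` references through as many levels as needed, giving up after 20 substitutions so that a self-referencing or circular definition cannot spin forever:

```python
import re

MAX_RESOLVE_ATTEMPTS = 20   # the resolution limit mentioned in the 2.0.3 ChangeLog

# Constructed psad.conf-style fragment (not the file that ships with psad):
# each line is "KEY   value;" and values may reference other keys as $KEY.
SAMPLE_CONF = """
### constructed example, not the real psad.conf
PSAD_DIR            /var/log/psad;
PSAD_RUN_DIR        /var/run/psad;
PSAD_LIBS_DIR       /usr/lib/psad;
PSAD_PID_FILE       $PSAD_RUN_DIR/psad.pid;
IPT_ANALYSIS_DIR    $PSAD_DIR/ipt_analysis;
SCAN_STATE_FILE     $IPT_ANALYSIS_DIR/state.tmp;   # two levels of nesting
"""

VAR_RE = re.compile(r'\$([A-Za-z_][A-Za-z0-9_]*)')


def parse_conf(text):
    """Return {KEY: raw_value} for every 'KEY value;' line, skipping comments and blanks."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f'malformed config line: {raw!r}')
        key, value = parts
        conf[key] = value.strip().rstrip(';').strip()
    return conf


def resolve_value(key, conf, limit=MAX_RESOLVE_ATTEMPTS):
    """Expand every $VAR in conf[key], following references through other keys.

    Each substitution counts as one attempt. If $VARs are still present after
    `limit` attempts (A references B and B references A, for instance) the
    value is rejected instead of looping forever.
    """
    value = conf[key]
    for _ in range(limit):
        m = VAR_RE.search(value)
        if m is None:
            return value
        ref = m.group(1)
        if ref not in conf:
            raise KeyError(f'{key} references undefined variable ${ref}')
        # Substitute the raw (possibly still nested) value; later passes finish it.
        value = value[:m.start()] + conf[ref] + value[m.end():]
    if VAR_RE.search(value):
        raise ValueError(f'{key}: variables still unresolved after {limit} attempts (cycle?)')
    return value


def resolve_conf(conf, limit=MAX_RESOLVE_ATTEMPTS):
    """Resolve every key in the parsed config."""
    return {key: resolve_value(key, conf, limit) for key in conf}


if __name__ == '__main__':
    for key, value in resolve_conf(parse_conf(SAMPLE_CONF)).items():
        print(f'{key:<18} {value}')
```

Because each key is resolved independently from the raw table, the order of definitions in the file does not matter, which is also what lets PSAD_LIBS_DIR be set from the config file once the daemon no longer needs a module loaded before the config is read.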

Wireshark Case Study Published

Wireshark Case Study Published Syngress Publishing has published a case study entitled "Active Response" I wrote for the book Wireshark & Ethereal Network Protocol Analyzer Toolkit (see pages 398-402). This case study explores the usage of Wireshark to examine the structure of TCP RST (reset) packets that are generated by the iptables REJECT target and by the flexresp and flexresp2 Snort detection plugins in response to malicious traffic sent against a webserver. Because each of these mechanisms employs a different strategy for creating the RST packets, it is possible for an attacker to perform some passive fingerprinting in an effort to discover the response mechanism. For example, iptables rules that utilize the REJECT target (see the iptables command below) generate packets from within the Linux kernel and hard code the TTL value at 255 for all kernel versions < 2.6.16.
# iptables -I INPUT 1 -p tcp --dport 80 -m string --string "/etc/passwd" --algo bm -j REJECT --reject-with tcp-reset

The REJECT target can only send the RST packet to the source IP that matched the REJECT rule. The flexresp detection plugin can send RST packets to both sides of a TCP connection, always sets the TCP window size to zero, and selects a random TTL value between 64 and 255. The remaining analysis can be found in the book, and provides additional details on characteristics of the RST packets sent by each response mechanism.

Automated RPM builder

RPM builder I have released a new script cd_rpmbuilder that can be used to automatically build an RPM of any of the CipherDyne software projects. For example, you can build an RPM of the latest version of psad with a single execution of cd_rpmbuilder. Using this script it is possible to build an RPM that is tailored for your specific system.
# ./cd_rpmbuilder -p psad
[+] Getting latest version file:
[+] Downloading file:
[+] Downloading file:
[+] Valid md5 sum check for psad-2.0.3.spec
[+] Downloading file:
[+] Downloading file:
[+] Valid md5 sum check for psad-2.0.3.tar.gz
[+] Building RPM, this may take a little while...

[+] The following RPMS were successfully built:

      /usr/src/redhat/SRPMS/psad-2.0.3-1.src.rpm (source RPM)

Software Release - psad-2.0.2

psad-2.0.2 release The 2.0.2 release of psad is ready for download. This release makes a few new features available such as the ability to download the latest psad signatures with the script, and the addition of the "CipherDyne RPM Builder" script cd_rpmbuilder to make it easy to automatically build RPM files on a local system. Also, a few bugs were fixed - particularly with the handling of the HOME_NET variable. Here is the ChangeLog:
  • Added print statements for @INC array in debug mode so that the user can see the additional /usr/lib/psad/* directories added by import_psad_perl_modules().
  • Changed Unix::Syslog import strategy from "use" to "require" since the path is not known until import_psad_perl_modules() gets a chance to run (psad ran fine without this, but it is more consistent this way).
  • Added the ability to download the latest signatures from in
  • Added the cd_rpmbuilder script to make it easy to build RPM's out of CipherDyne projects by automatically downloading the project .tar.gz and .spec files from
  • Bugfix for not properly including elements of the @connected_subnets_cidr array.
  • IP subnet bugfix to make sure to get the entire subnet in signature import routine if it is not in CIDR format.
  • Bugfix to not print IP addresses in the "top attackers" section that do not have at least one packet or signature match (for any reason).
  • Bugfix to not print more than TOP_IP_LOG_THRESHOLD IP addresses in the top attackers section.
  • Updated to reference configuration paths directly from psad.conf instead of defining them separately. This should fix Debian bug #403566.
  • Added -c argument to so that the path to a psad.conf file can be altered from the command line.
  • Bugfix to not import any IP from the top_attackers file from a previous psad run that does not have a /var/log/psad/<ip> directory.
  • Added MIN_DANGER_LEVEL to allow all alerts and /var/log/psad/<ip> tracking to be disabled unless an attacker reaches at least this danger level.
  • Added text in to mention ifconfig parsing for HOME_NET derivation.

Linux Firewalls Book Cover

Linux Firewalls Cover No Starch Press has created a clever piece of cover art for my upcoming book Linux Firewalls: Attack Detection and Response. The book should be available in early to mid 2007, and discusses intrusion detection and response with iptables firewalls, including significant coverage of both psad and fwsnort. One chapter will also cover visualizing iptables logs, with particular emphasis on the Scan30 and Scan34 challenges from the Honeynet Project. Iptables log visualization is made possible by combining the new --CSV-* options available in psad-2.0 with the AfterGlow project. In addition, two chapters deal with the rise of port knocking and Single Packet Authorization, particularly with fwknop.

Software Release - psad-2.0.1

psad-2.0.1 release The 2.0.1 release of psad is ready for download. This is mostly a bugfix release to correct some issues with respect to how psad modifies the @INC directory list to import psad-specific perl modules. There is one feature addition though - psad now adds a new keyword psad_ip_len to the Snort rules language to allow the length field in the IP header to be explicitly tested. This made it possible to add a new signature for the Nachi worm to the /etc/psad/signatures file. Here is the ChangeLog:
  • Added Nachi worm reconnaissance icmp signature.
  • Added the psad_ip_len signature keyword to allow the length field in the IP header to be explicitly tested.
  • Bugfix for inappropriately removing some directories in @INC when splicing in psad perl module paths.
  • Switched nf2csv installation path in to /usr/bin/.

Software Release - psad-2.0, Major Update

psad-2.0 release The 2.0 release of psad is ready for download. This release is a major update of psad, and many new features have been added. Psad now more fully supports the Snort rules language via Netfilter log messages. The Snort keywords ttl, id, seq, ack, window, icmp_id, icmp_seq, itype, icode, ipopts, and sameip are now supported. Signature updates are made available on, and can be automatically updated by psad by a new command line argument --sig-update. Visualization of Netfilter log messages is now possible by combining the new --CSV options with the AfterGlow project, and to illustrate this graphs of two of the Honeynet Project scan challenges are available online here and here. Here is an excerpt from the ChangeLog:
  • Completely refactored the Snort rule matching support in psad. Added many header field tests with full range matching support. These tests include the following keywords from Snort: ttl, id, seq, ack, window, icmp_id, icmp_seq, itype, icode, ip_proto, ipopts, and sameip.
  • Refactored all signatures in /etc/psad/signatures to conform to new signature matching support in this release. There are now about 190 signatures that psad can run directly against Netfilter logging messages (i.e. without the help of fwsnort).
  • Added the ability to download the latest signatures file from with the --sig-update command line argument to psad.
  • Added "MISC Windows popup spam" signature. This allows psad to detect when attempts are made to send spam via the Windows Messenger service.
  • Completely reworked --Status and --Analyze output, signature matches are included now, along with a listing of top sig matches, top scanned ports, and top attackers. Also, scan data is not written to /var/log/psad/ipt_analysis/ before displaying analysis output in -A mode; analysis results are displayed much faster this way.
  • Added ipEye, Subversion, Kuang2, Microsoft SQL, Radmin, and Ghostsurf signatures.
  • Added 'data in TCP SYN packet' signature.
  • Added --CSV mode so that psad can be used to generate comma-separated value output suitable for the AfterGlow project (see for graphical representations of Netfilter logs and associated scan data). Also added nf2csv so that normal users can take advantage of this feature.
  • Added emulation of the Snort "dsize" test through the use of the IP length field for TCP/ICMP signatures, and the UDP length field for UDP signatures. For SYN packets, TCP options are included so psad automatically adds 44 bytes (the maximum length for TCP options) so the dsize test corresponds to the estimated payload length.
  • Added the psad_id, psad_dsize, and psad_derived_sids fields for the new Snort rule support.
  • Added the ability to decode IP options, which are included within Snort rules as the "ipopts" keyword. This functionality requires that the --log-ip-options command line argument is given to iptables when building a rule that uses the LOG target.
  • Added Snort rules (sids 475, 500, 501, and 502) that detect IP options usage such as source routing and the traceroute IP option with the new IP options decoder.
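The following is an added example, written for this page rather than taken from psad, of what "running Snort header tests directly against Netfilter logging messages" looks like in practice. It covers the ttl, id, window, itype, icode, icmp_id, icmp_seq and sameip keywords from this release, the psad_ip_len keyword from the 2.0.1 post, and the IGNORE_KERNEL_TIMESTAMP prefix stripping from the 2.0.3 post. The log lines and the sids 900001-900004 are constructed for the example, the keyword-to-field mapping is my own, and the "data in TCP SYN packet" signature is written as an approximation of the 44-byte options allowance described above (psad's exact dsize arithmetic is not reproduced here):

```python
import re

# Snort header keywords (plus psad_ip_len) mapped onto Netfilter LOG field names.
# Transport-header fields carry a <PROTO>_ prefix added by parse_netfilter_log().
KEYWORD_FIELD = {
    'ttl': 'TTL', 'id': 'ID', 'psad_ip_len': 'LEN',
    'seq': 'TCP_SEQ', 'ack': 'TCP_ACK', 'window': 'TCP_WINDOW',
    'itype': 'ICMP_TYPE', 'icode': 'ICMP_CODE',
    'icmp_id': 'ICMP_ID', 'icmp_seq': 'ICMP_SEQ',
}

KERNEL_TS_RE = re.compile(r'^\s*\[\s*\d+\.\d+\]')   # "[  123.456789]" prefix


def parse_netfilter_log(line):
    """Parse one iptables LOG line into {field: value, 'FLAGS': set}.

    The kernel reuses ID=, SEQ= and LEN= for both the IP header and the
    transport header (ICMP id/seq, UDP length), so every field after PROTO=
    is stored as <PROTO>_<NAME>: ICMP_ID, UDP_LEN, TCP_WINDOW and so on.
    """
    if 'kernel:' in line:
        line = line.split('kernel:', 1)[1]
    line = KERNEL_TS_RE.sub('', line)   # the prefix IGNORE_KERNEL_TIMESTAMP skips
    pkt, prefix = {'FLAGS': set()}, ''
    for tok in line.split():
        if '=' not in tok:              # bare tokens: DF, MF, SYN, ACK, RST, ...
            pkt['FLAGS'].add(tok)
            continue
        key, val = tok.split('=', 1)
        if key == 'PROTO':
            pkt['PROTO'], prefix = val, val + '_'
        else:
            pkt[prefix + key] = val
    return pkt


def match_range(expr, value):
    """Evaluate a Snort-style numeric test: '5', '>200', '<5', '>=64', '<=5', '64-128'."""
    expr = expr.strip()
    if '-' in expr:
        lo, hi = expr.split('-', 1)
        return int(lo) <= value <= int(hi)
    for op, fn in (('>=', lambda v, n: v >= n), ('<=', lambda v, n: v <= n),
                   ('>', lambda v, n: v > n), ('<', lambda v, n: v < n),
                   ('=', lambda v, n: v == n)):
        if expr.startswith(op):
            return fn(value, int(expr[len(op):]))
    return value == int(expr)


def sig_matches(sig, pkt):
    """Apply a signature's protocol, TCP-flag and header-field tests to a parsed packet."""
    if pkt.get('PROTO') != sig['proto'] or not sig.get('flags', set()) <= pkt['FLAGS']:
        return False
    for keyword, expr in sig['tests'].items():
        if keyword == 'sameip':                 # Snort sameip: SRC equals DST
            if pkt.get('SRC') != pkt.get('DST'):
                return False
            continue
        field = KEYWORD_FIELD[keyword]
        if field not in pkt or not match_range(expr, int(pkt[field])):
            return False
    return True


# Constructed signatures (sids 900001-900004 are placeholders, not psad's own).
SIGNATURES = [
    {'sid': 900001, 'proto': 'TCP', 'tests': {'sameip': ''},
     'msg': 'TCP packet with identical source and destination address'},
    {'sid': 900002, 'proto': 'ICMP', 'tests': {'itype': '8', 'icode': '0', 'ttl': '<5'},
     'msg': 'ICMP echo request with very low TTL'},
    {'sid': 900003, 'proto': 'TCP', 'flags': {'SYN'}, 'tests': {'window': '0', 'ttl': '>200'},
     'msg': 'TCP SYN with zero window and high TTL'},
    {'sid': 900004, 'proto': 'TCP', 'flags': {'SYN'}, 'tests': {'psad_ip_len': '>84'},
     'msg': 'data in TCP SYN packet (IP length beyond 20 IP + 20 TCP + 44 max options)'},
]

# Constructed iptables LOG lines (documentation addresses, not real traffic).
SAMPLE_LOGS = [
    'Dec 15 10:22:01 fw kernel: [  123.456789] IN=eth0 OUT= SRC=198.51.100.5 DST=198.51.100.5 '
    'LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=139 DPT=139 WINDOW=8192 RES=0x00 SYN URGP=0',
    'Dec 15 10:22:02 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=84 TOS=0x00 '
    'PREC=0x00 TTL=2 ID=4321 DF PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=1',
    'Dec 15 10:22:03 fw kernel: IN=eth0 OUT= SRC=192.0.2.11 DST=198.51.100.5 LEN=60 TOS=0x00 '
    'PREC=0x00 TTL=52 ID=9000 DF PROTO=TCP SPT=51000 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0',
    'Dec 15 10:22:04 fw kernel: IN=eth0 OUT= SRC=192.0.2.12 DST=198.51.100.5 LEN=60 TOS=0x00 '
    'PREC=0x00 TTL=255 ID=1 DF PROTO=TCP SPT=1234 DPT=22 WINDOW=0 RES=0x00 SYN URGP=0',
    'Dec 15 10:22:05 fw kernel: IN=eth0 OUT= SRC=192.0.2.13 DST=198.51.100.5 LEN=120 TOS=0x00 '
    'PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0',
]


def scan_logs(lines, sigs=SIGNATURES):
    """Return (sid, SRC, DST) for every signature match across the given log lines."""
    hits = []
    for line in lines:
        pkt = parse_netfilter_log(line)
        hits.extend((s['sid'], pkt['SRC'], pkt['DST']) for s in sigs if sig_matches(s, pkt))
    return hits


if __name__ == '__main__':
    for sid, src, dst in scan_logs(SAMPLE_LOGS):
        print(f'sid {sid}: {src} -> {dst}')
```

The third sample line is an ordinary SYN to port 80 and matches nothing; the other four each trip exactly one signature. The ICMP line is the one to watch when writing a parser of your own: it carries two ID= fields (IP header, then ICMP echo identifier), and a naive key/value split would silently keep only the second.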

Software Release - fwknop-1.0

fwknop-1.0 release The 1.0 release of fwknop is ready for download. This release marks the production-ready release of Single Packet Authorization technology for Linux systems. Single Packet Authorization is becoming an increasingly important mechanism for protecting services such as SSH, and is basically the successor technology to port knocking. Here is an excerpt from the ChangeLog:
  • Bugfix for OpenSSH-4.3p2 patch to make sure to include the spa.h header file.
  • Bugfix for access hashes accumulating when multiple ports are requested to be opened by a client.
  • Better validation of IPT_AUTO_CHAIN variable so that the from_chain cannot be identical to the to_chain.
  • Bugfix in RPM to install List::MoreUtils.
  • Bugfix so that the MD5 sum for an SPA packet is not examined for each SOURCE block. This fixes a problem where an SPA packet could appear to be replayed if multiple SOURCE blocks are defined in /etc/fwknop/access.conf.
  • Refactored main SPA access loop so that it is clearer how and when SPA clients are granted access.
  • Better handling of GnuPG key identifier strings (they can now contain spaces, and syslog messages wrap the identifiers with double quotes).
  • Added source IP address to command string in the SPA packet so that the REQUIRE_SOURCE_ADDRESS criteria can be applied by the fwknopd server.
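The multiple-SOURCE-block replay bug above is worth seeing in code, because the same mistake is easy to make in any replay cache that lives inside a loop. The example below is added for this page and is not fwknop's code: the access stanzas are a constructed stand-in for /etc/fwknop/access.conf, the "packet" is a plain byte string rather than an encrypted SPA message, and SHA-256 stands in for the MD5 sum the 1.0-era daemon recorded. It contrasts the loop shape the ChangeLog describes (digest examined and recorded once per SOURCE block) with the fixed shape (one check per packet):

```python
import hashlib
import ipaddress


def spa_digest(packet):
    """Identity of an SPA packet for replay detection (fwknop 1.0 recorded an MD5 sum here)."""
    return hashlib.sha256(packet).hexdigest()


def source_allowed(src_ip, block):
    """True if the observed client address falls inside one of the block's SOURCE networks."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in ipaddress.ip_network(net) for net in block['SOURCE'])


def authorize_per_block_check(packet, src_ip, blocks, seen):
    """Loop shape from the ChangeLog item: the replay cache is consulted and
    updated inside the per-SOURCE loop. A fresh packet that does not match the
    first block is already marked as seen when the second block is examined,
    so a legitimate client in the second block is reported as a replay."""
    digest = spa_digest(packet)
    for block in blocks:
        if digest in seen:
            return 'replay'
        seen.add(digest)
        if source_allowed(src_ip, block):
            return 'granted ' + block['OPEN_PORTS']
    return 'denied'


def authorize(packet, src_ip, blocks, seen):
    """Fixed shape: exactly one replay check per packet, before any SOURCE block is tried."""
    digest = spa_digest(packet)
    if digest in seen:
        return 'replay'
    seen.add(digest)
    for block in blocks:
        if source_allowed(src_ip, block):
            return 'granted ' + block['OPEN_PORTS']
    return 'denied'


# Constructed access stanzas in the spirit of access.conf (not its real syntax).
ACCESS_BLOCKS = [
    {'SOURCE': ['10.0.0.0/8'], 'OPEN_PORTS': 'tcp/22'},
    {'SOURCE': ['192.0.2.0/24'], 'OPEN_PORTS': 'tcp/22,tcp/443'},
]


def demo():
    """Same packet from a client in the second SOURCE block, under both loop shapes."""
    packet = b'constructed SPA payload; a real one would be encrypted'
    buggy = authorize_per_block_check(packet, '192.0.2.7', ACCESS_BLOCKS, set())
    cache = set()
    first = authorize(packet, '192.0.2.7', ACCESS_BLOCKS, cache)
    second = authorize(packet, '192.0.2.7', ACCESS_BLOCKS, cache)   # a genuine replay
    return buggy, first, second


if __name__ == '__main__':
    print(demo())
```

With the fixed loop the first packet is granted and only its second appearance is refused, which is the behaviour a replay cache is meant to give regardless of how many SOURCE blocks are configured.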

Book Announcement - Linux Firewalls: Attack Detection and Response

Linux Firewalls Book I am writing a book for No Starch Press entitled "Linux Firewalls: Attack Detection and Response". This book will be available for purchase in late February of 2007, but can be pre-ordered online through No Starch or through Amazon. Topics covered in the book include intrusion detection and prevention with iptables firewalls, and this includes significant coverage of both psad and fwsnort. In addition, two chapters deal with the rise of port knocking and Single Packet Authorization, particularly with fwknop. I'm currently writing the last four out of a total of thirteen chapters, so the bulk of the writing is finished. Pablo Neira Ayuso of Netfilter fame is the Technical Editor for the book, and his input has been invaluable to tightening many of the technical arguments. Ron Gula of Tenable Network Security has also written some kind words about the book.

Fwknop Client in MacPorts

Fwknop in MacPorts Blair Zajac has added the fwknop client into the MacPorts software repository. This makes it easy to install the client piece of fwknop on Mac OS X systems without having to download and install from sources. Although fwknop cannot run on Mac OS X because iptables is not ported to it, you can still use fwknop in order to authenticate to a remote Linux system that is running fwknop in server mode.