cipherdyne.org

Michael Rash, Security Researcher



Software Releases


Software Release - psad-2.1

The 2.1 release of psad is ready for download. This release completes the 2.0.x development series with a few minor bugfixes and the addition of a patch against iptables that enforces a trailing space at the end of LOG prefixes. Here is the ChangeLog:
  • Changed EMAIL_LIMIT model to apply to scanning source addresses only instead of also factoring in the destination address. The original src/dst email limit behavior can be restored by setting a new variable "ENABLE_EMAIL_LIMIT_PER_DST" to "Y".
  • Added the patches/iptables-1.3.8_LOG_prefix_space.patch file, which can be applied to the iptables-1.3.8 code to enforce a trailing space character at the end of any log prefix when a LOG rule is added. The LOG target writes the prefix immediately before the "IN=" field of the log message, so a prefix without a trailing space runs straight into that field ("myprefixIN=eth0 ...") and breaks the iptables syslog format that psad and other log parsers depend on. With the patch, the user cannot break the format just by forgetting to include a space at the end of a logging prefix.
  • Bugfix to ensure that parsing TCP options does not descend into an infinite loop in some circumstances with obscure or maliciously constructed options. Also added syslog reporting for broken option lengths of zero or one byte (the minimum option length is two bytes, one for the kind and one for the length, to accommodate the TLV encoding).
  • Bugfix to enforce the usage of --CSV-fields in --gnuplot mode.
  • Implemented --get-next-rule-id so that it is easy to assign a new rule ID to a new signature in the /etc/psad/signatures file.
  • Updated to just call die() if Getopt::Long's GetOptions() fails; this allows erroneous usage of the command line to display informative error messages more clearly.
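The trailing-space problem described above is easy to audit for. The following is an added example written for this page, not psad or iptables code: it scans an iptables-save dump for LOG rules whose --log-prefix lacks the trailing space, and then shows, on two constructed log lines, why the missing space matters to a parser that expects the prefix to be separated from "IN=". The iptables-save fragment and the syslog payloads are constructed for the demonstration.

```python
# Added example (not psad's or iptables' own code): audit an iptables-save dump
# for LOG rules whose --log-prefix lacks a trailing space, and show why it
# matters.  The LOG target writes the prefix verbatim, immediately followed by
# "IN=", so "SSH_IN" becomes "SSH_ININ=eth0 ..." in syslog.
import re
import shlex

# Constructed iptables-save fragment; the rule on line 3 has the broken prefix.
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j LOG --log-prefix "SSH_IN"
-A INPUT -p tcp -m tcp --dport 80 -j LOG --log-prefix "HTTP_IN "
-A INPUT -j LOG
COMMIT
"""

# Constructed log payloads (the part after "kernel: ") produced by the two
# prefixed rules above, with fields abbreviated.
SAMPLE_LOG_LINES = [
    "SSH_ININ=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.1 PROTO=TCP SPT=4242 DPT=22",
    "HTTP_IN IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.1 PROTO=TCP SPT=4243 DPT=80",
]


def log_prefixes(rules_text):
    """Return (line_number, prefix) for every LOG rule that sets --log-prefix."""
    found = []
    for lineno, line in enumerate(rules_text.splitlines(), 1):
        if not line.startswith("-"):
            continue
        toks = shlex.split(line)          # respects the quoting iptables-save emits
        if "-j" not in toks:
            continue
        j = toks.index("-j")
        if j + 1 >= len(toks) or toks[j + 1] != "LOG":
            continue
        if "--log-prefix" in toks:
            found.append((lineno, toks[toks.index("--log-prefix") + 1]))
    return found


def bad_prefixes(rules_text):
    """Prefixes that will run straight into the IN= field of the log message."""
    return [(n, p) for n, p in log_prefixes(rules_text) if not p.endswith(" ")]


# A strict parser of the kernel's LOG format: an optional prefix, then a space,
# then the IN=/OUT= fields.  (psad's own parser is more forgiving; this one is
# written to make the failure visible.)
LOG_RE = re.compile(
    r'^(?:(?P<prefix>.*?) )?IN=(?P<in>\S*) OUT=(?P<out>\S*) .*?'
    r'SRC=(?P<src>\S+) DST=(?P<dst>\S+)'
)


def parse_log_line(line):
    """Return the parsed fields, or None when the prefix has swallowed IN=."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


if __name__ == "__main__":
    for lineno, prefix in bad_prefixes(SAMPLE_RULES):
        print(f"line {lineno}: --log-prefix {prefix!r} lacks a trailing space")
    for line in SAMPLE_LOG_LINES:
        print(parse_log_line(line) or f"unparseable: {line}")
```

Run against `iptables-save` output on a live system, `bad_prefixes()` points at every rule that would produce fused log lines; fixing the rule (or applying the patch above, which stops the rule from being added that way) is cheaper than teaching every downstream parser to guess where a prefix ends.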

Software Release - fwknop-1.8.2

The 1.8.2 release of fwknop is ready for download. This release is the first serious attempt at allowing fwknop to function as a Single Packet Authorization server on Mac OS X systems. Several bug fixes and minor command line arguments were also added. Here is a screenshot of the fwknop client running under Cygwin on a Windows 2000 system that is itself running underneath VMware on Ubuntu Linux. The fwknop client builds an SPA message in the window on the left, and the window on the right shows the syslog messages written by the fwknopd server on the Linux machine. Only after the SPA packet is sent does the Windows 2000 system have access to SSH on the Linux box.

[Screenshot: fwknop-1.8.2 client under Cygwin on Windows 2000 (left) and fwknopd syslog output on the Linux host (right)]

Here is the complete ChangeLog:
  • Added fwknopd server support for Mac OS X. The Darwin uname return string is detected and this enables Darwin-specific installation code in install.pl.
  • Updated to not print sensitive key/password information in --debug mode with fwknopd.
  • Bugfix for install.pl on Windows 2003 Server running under Cygwin, where the output of 'uname -o' is 'Gygwin' for some reason.
  • Added --Cygwin-install command line argument to install.pl to force client-only fwknop install on Cygwin systems.
  • Added --OS-type command line argument to install.pl to allow the user to force the installation type.
  • Updated to version 1.04 of Crypt::Rijndael. This fixes incompatibilities in SPA packets exchanged between 64-bit and 32-bit platforms.
  • Bugfix to enforce a maximum of 20 tries to read a password from stdin.
  • Applied TCP options parsing fix from psad for invalid zero or one length fields that break TLV encoding (this is for fwknopd, and only applies to the legacy port knocking mode).
  • Added code to fwknopd to check to see if there are any state tracking rules in place within the local iptables or ipfw policy.
  • Made syslog identity, facility, and priority configurable (applied code from the psad project).
  • Implemented --fw-list for ipfw firewalls.
  • Bugfix for knoptm removing ipfw rules too quickly after not timing out previously instantiated rules properly.
  • Implemented smarter cache removal strategy in knoptm so that rules that are manually removed from the running iptables or ipfw policy are also removed from the cache.
  • Added /var/log/fwknop/errs/fwknopd.{warn,die} tracking to the fwknopd daemon for the PCAP modes of collecting packet data. Added knoptm{warn,die} files for knoptm as well.
  • Bugfix to import the GnuPG::Interface module in --get-key mode.
  • Bugfix to send source IP as a part of the command message in command mode so that REQUIRE_SOURCE_ADDRESS controls can be applied.
  • Added --Test-mode to fwknop client so that SPA packets can be built but never sent over the network.
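The TCP options fix that psad-2.1 introduced and that fwknop-1.8.2 picks up above comes down to one check in the TLV loop. The following is an added example written for this page, not code from either project: the naive parser advances by the length byte it reads from the packet, so a length of 0 never moves the index (the infinite loop) and a length of 1 lands on the length byte itself; the hardened parser rejects both, as well as options that claim more bytes than are present. The option blobs are constructed inputs.

```python
# Added example (not psad's or fwknop's own code): parse the TCP options field
# as kind/length/value triples.  The naive loop below advances by the option's
# own length byte, so a length of 0 never advances and a length of 1 reads
# garbage; the hardened parser rejects both and any option that overruns.

EOL, NOP = 0, 1   # single-byte options; every other kind is kind, length, value


class BadTcpOption(ValueError):
    pass


def parse_tcp_options_naive(opts, max_steps=10000):
    """The loop as it is usually first written.  max_steps exists only so this
    demonstration terminates; the original bug had no such bound."""
    out, i, steps = [], 0, 0
    while i < len(opts):
        steps += 1
        if steps > max_steps:
            raise RuntimeError("infinite loop: a length byte of 0 never advances i")
        kind = opts[i]
        if kind == EOL:
            break
        if kind == NOP:
            i += 1
            continue
        length = opts[i + 1]                   # trusted blindly
        out.append((kind, bytes(opts[i + 2:i + length])))
        i += length                            # 0 -> stuck, 1 -> lands on the length byte
    return out


def parse_tcp_options(opts):
    """Hardened parser: a TLV option needs length >= 2 and must fit in the buffer."""
    out, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == EOL:
            break
        if kind == NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            raise BadTcpOption(f"kind {kind} at offset {i}: missing length byte")
        length = opts[i + 1]
        if length < 2:
            raise BadTcpOption(f"kind {kind} at offset {i}: length {length} < 2 breaks TLV encoding")
        if i + length > len(opts):
            raise BadTcpOption(f"kind {kind} at offset {i}: length {length} overruns the options")
        out.append((kind, bytes(opts[i + 2:i + length])))
        i += length
    return out


def rejects(opts):
    """True if the hardened parser refuses the options blob."""
    try:
        parse_tcp_options(opts)
    except BadTcpOption:
        return True
    return False


def naive_hangs(opts):
    """True if the naive parser would spin forever on the blob."""
    try:
        parse_tcp_options_naive(opts)
    except RuntimeError:
        return True
    except IndexError:
        return False   # crashed instead of hanging
    return False


# Constructed option blobs.
GOOD = bytes([2, 4, 0x05, 0xb4,   # MSS 1460
              1, 1,               # two NOPs
              3, 3, 7,            # window scale 7
              0])                 # EOL
ZERO_LEN = bytes([2, 0, 0x05, 0xb4])   # length byte 0
ONE_LEN = bytes([3, 1, 7])             # length byte 1
TRUNCATED = bytes([2, 4, 0x05])        # claims 4 bytes, only 3 present
```

Note that the naive loop does not merely hang: on the truncated blob it returns a short value without complaint, which is the kind of silent acceptance a signature engine should log (as psad now does) rather than swallow.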

Software Release - gpgdir-1.5

The 1.5 release of gpgdir is ready for download. This release adds the ability to use a symmetric cipher to encrypt/decrypt files via the GnuPG::Interface encrypt_symmetrically() function. Here is the ChangeLog:
  • Added the --Symmetric option so that files can be encrypted/decrypted via a symmetric encryption algorithm (GnuPG commonly uses CAST5 for this).
  • Added the --Plain-ascii option so that GnuPG is invoked with the -a option and encrypted files are ASCII-armored instead of written in binary form.
  • Bugfix to ensure that zero-size files are not deleted if a bad password is given (gpgdir now just throws a warning and exits in this case).
  • Minor code enhancements to provide a consistent hash_init() invocation with the same options hash.
  • Updated to exclude .asc files from the encryption/decryption process.

Software Release - psad-2.0.8

The 2.0.8 release of psad is ready for download. This release includes major new functionality that allows psad to interface with Gnuplot to create graphical representations of iptables log data. Here is the ChangeLog:
  • Added --gnuplot mode so that psad can output data that is suitable for plotting with gnuplot. All output produced in this mode is integer data with the exception of date stamps that are derived from iptables syslog messages.
  • Added the ability to negate match conditions on fields specified with the --CSV-fields argument by prepending the string "not" (which plays more nicely with shells like bash than a character like "!"). For example, to graph all packet data in --gnuplot or --CSV modes that originates from the 11.11.0.0/16 subnet and is not destined for port 80, the following argument does the trick: --CSV-fields "src:11.11.0.0/16 dp:not80"
  • In --gnuplot mode, added the ability to generate the count for a CSV field instead of the field itself. Supported modes are an absolute count (<field>count) and a unique count (<field>uniqcount). This is useful, for example, to plot source IP vs. the number of unique ports. Also added the ability to count iptables log fields over various time scales (minutes, hours, and days) with the following switches: <field>countday, <field>counthour, <field>countmin.
  • In --gnuplot mode, added the ability to specify the view coordinates for 3D graph viewing with --gnuplot-view.
  • Added the Storable-2.16 module along with the --use-store-file argument so that in --gnuplot mode the Gnuplot data can be stored on disk and retrieved quickly. This eliminates a large performance bottleneck when Gnuplot configuration directives are tweaked while the same graph is generated multiple times.
  • Added --gnuplot-template so that a template file can be used for all Gnuplot directives (usually psad creates the .gnu file based on the --gnuplot command line arguments).
  • Added --gnuplot-grayscale to generate graphs without the default red color for graph points.
  • Bugfix for regular expressions not being imported correctly from within the --CSV-fields argument.
  • Added --analysis-fields so the iptables log messages that are parsed in -A mode can be restricted to those that meet certain criteria. For example, to restrict the analyze mode to process packets with a source address of 192.168.10.1, use this command: psad -A --analysis-fields "src:192.168.10.1"
  • Added --plot-separator to allow the format of plot data (either in --gnuplot or --CSV modes) to be influenced by the user.
  • Added the ability to configure the syslog facility and priority via the psad.conf file (see the SYSLOG_FACILITY and SYSLOG_PRIORITY variables).
  • Updated psad.spec file to respect the %_initrddir RPM macro.
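The --CSV-fields and --analysis-fields filters above share one small language: a field name, a colon, and a value that may be a CIDR block or a port, optionally negated with "not". The following is an added example written for this page, not psad's own code, that implements that language over constructed iptables log lines. Field names mirror psad's short names (src, dst, sp, dp, proto, in, out); the line parsing and the treatment of a missing field (a "dp:not80" item matches an ICMP packet, which has no DPT at all) are my own choices.

```python
# Added example (not psad's own code): apply a psad-style --CSV-fields or
# --analysis-fields filter such as "src:11.11.0.0/16 dp:not80" to iptables
# log lines.  Field names mirror psad's short names (src, dst, sp, dp, proto,
# in, out); the line parsing and match semantics below are my own.
import ipaddress
import re

FIELD_RE = re.compile(r'\b(IN|OUT|SRC|DST|PROTO|SPT|DPT)=(\S*)')
SHORT = {"src": "SRC", "dst": "DST", "sp": "SPT", "dp": "DPT",
         "proto": "PROTO", "in": "IN", "out": "OUT"}

# Constructed iptables log lines as they appear in syslog (fields abbreviated).
SAMPLE_LOG = [
    "Jan  1 00:00:01 fw kernel: DROP IN=eth0 OUT= SRC=11.11.5.9 DST=192.168.10.1 PROTO=TCP SPT=40001 DPT=22",
    "Jan  1 00:00:02 fw kernel: DROP IN=eth0 OUT= SRC=11.11.5.9 DST=192.168.10.1 PROTO=TCP SPT=40002 DPT=80",
    "Jan  1 00:00:03 fw kernel: DROP IN=eth0 OUT= SRC=10.2.3.4 DST=192.168.10.1 PROTO=UDP SPT=53 DPT=53",
    "Jan  1 00:00:04 fw kernel: DROP IN=eth0 OUT= SRC=11.11.200.1 DST=192.168.10.1 PROTO=ICMP TYPE=8 CODE=0",
]


def parse_log_line(line):
    """Extract the KEY=value fields the filter can operate on."""
    return dict(FIELD_RE.findall(line))


def parse_filter(spec):
    """'src:11.11.0.0/16 dp:not80' -> [(field, negate, value), ...]"""
    items = []
    for item in spec.split():
        name, _, value = item.partition(":")
        if name not in SHORT or not value:
            raise ValueError(f"bad filter item: {item!r}")
        negate = value.startswith("not")
        value = value[3:] if negate else value
        if not value:
            raise ValueError(f"'not' needs a value: {item!r}")
        items.append((SHORT[name], negate, value))
    return items


def field_matches(field, want, have):
    """Positive match of one field; a missing field (e.g. DPT on ICMP) never matches."""
    if have is None:
        return False
    if field in ("SRC", "DST"):
        return ipaddress.ip_address(have) in ipaddress.ip_network(want, strict=False)
    if field in ("SPT", "DPT"):
        return int(have) == int(want)
    return have.upper() == want.upper()


def matches(record, filt):
    """All items must hold; a 'not' item holds when its positive match fails."""
    return all(field_matches(f, v, record.get(f)) != neg for f, neg, v in filt)


def select(lines, spec):
    """Return the log lines that satisfy the filter specification."""
    filt = parse_filter(spec)
    return [line for line in lines if matches(parse_log_line(line), filt)]


if __name__ == "__main__":
    for line in select(SAMPLE_LOG, "src:11.11.0.0/16 dp:not80"):
        print(line)
```

The example from the ChangeLog, "src:11.11.0.0/16 dp:not80", keeps the port-22 TCP line and the ICMP line from the 11.11.0.0/16 source and drops the port-80 line; whether a negated port should match a packet that carries no port at all is a decision worth making explicitly in any filter of this kind.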

Software Release - gpgdir-1.4

The 1.4 release of gpgdir is ready for download. This release adds two new options that allow previously encrypted or decrypted files to be overwritten. Here is the ChangeLog:
  • (Anthony Chivetta) Submitted patch to implement the --overwrite-encrypted command line argument to allow previously encrypted files to be overwritten. This is useful for updating an encrypted directory with new versions of the previously encrypted files. Also added the --overwrite-decrypted command line argument to perform the same function for previously decrypted files.
  • (Anthony Chivetta) Submitted patch to fix a bug where a filename of "0.gpg" could not be decrypted because "0" does not evaluate to a true value.
As an example, here is the output gpgdir produces when encrypting a directory:

[mbr@minastirith ~/src/gpgdir]$ gpgdir --Exclude "GnuPG-Interface/t" --encrypt GnuPG-Interface
[+] Executing: gpgdir --Exclude GnuPG-Interface/t --encrypt GnuPG-Interface
Using GnuPG key: A742839F
Enter password (for initial encrypt/decrypt test)
Password:

[+] Encrypting directory: /home/mbr/src/gpgdir/GnuPG-Interface
[+] Building file list...
[-] Skipping encrypted file: /home/mbr/src/gpgdir/GnuPG-Interface/test/pubring.gpg
[-] Skipping encrypted file: /home/mbr/src/gpgdir/GnuPG-Interface/test/encrypted.1.gpg
[-] Skipping encrypted file: /home/mbr/src/gpgdir/GnuPG-Interface/test/secring.gpg
[+] Encrypting: /home/mbr/src/gpgdir/GnuPG-Interface/lib/GnuPG/PublicKey.pm
[+] Encrypting: /home/mbr/src/gpgdir/GnuPG-Interface/lib/GnuPG/Options.pm
[+] Encrypting: /home/mbr/src/gpgdir/GnuPG-Interface/Makefile.PL
[+] Encrypting: /home/mbr/src/gpgdir/GnuPG-Interface/MANIFEST
[+] Encrypting: /home/mbr/src/gpgdir/GnuPG-Interface/README
[+] Encrypting: /home/mbr/src/gpgdir/GnuPG-Interface/NEWS
[+] Encrypting: /home/mbr/src/gpgdir/GnuPG-Interface/lib/GnuPG/Signature.pm
[+] Encrypting: /home/mbr/src/gpgdir/GnuPG-Interface/lib/GnuPG/Handles.pm
[+] Encrypting: /home/mbr/src/gpgdir/GnuPG-Interface/lib/GnuPG/PrimaryKey.pm
[+] Encrypting: /home/mbr/src/gpgdir/GnuPG-Interface/THANKS
[+] Encrypting: /home/mbr/src/gpgdir/GnuPG-Interface/lib/GnuPG/Fingerprint.pm
[+] Encrypting: /home/mbr/src/gpgdir/GnuPG-Interface/ChangeLog
[+] Encrypting: /home/mbr/src/gpgdir/GnuPG-Interface/lib/GnuPG/SecretKey.pm
[+] Encrypting: /home/mbr/src/gpgdir/GnuPG-Interface/lib/GnuPG/SubKey.pm
[+] Encrypting: /home/mbr/src/gpgdir/GnuPG-Interface/lib/GnuPG/Key.pm
[+] Encrypting: /home/mbr/src/gpgdir/GnuPG-Interface/VERSION
[+] Encrypting: /home/mbr/src/gpgdir/GnuPG-Interface/COPYING
[+] Encrypting: /home/mbr/src/gpgdir/GnuPG-Interface/lib/GnuPG/UserId.pm
[+] Encrypting: /home/mbr/src/gpgdir/GnuPG-Interface/lib/GnuPG/Interface.pm

[+] Total number of files encrypted: 19

Software Release - fwknop-1.8

The 1.8 release of fwknop is ready for download. This release includes major new functionality to allow fwknop to function in server mode with ipfw firewalls on *BSD systems, and the fwknop client now runs on Windows systems under Cygwin. Here is the ChangeLog:
  • Added support for ipfw firewalls (found on *BSD systems). The IPTables::Parse and IPTables::ChainMgr modules are not installed on such systems.
  • Added gpg-agent support for both the fwknop client and fwknopd SPA server.
  • Updated client-only installation mode to restrict Perl module installation to those modules that are actually required by the fwknop client. This results in clean installs of the fwknop client on Windows systems running Cygwin.
  • Added --Defaults to install.pl so that fwknop can be installed without prompting the user to answer any questions. This is to make it easier to install fwknop on the Source Mage Linux distro.
  • Consolidated daemon config files into the fwknop.conf file (except for the access.conf file). This simplifies the configuration of fwknop.
  • Added recursive variable resolution in the parsing routines for the fwknop.conf file. This allows variable values to contain embedded variables.
  • Added init script for FreeBSD systems.
  • Added --BSD-install command line argument to install.pl. This is not normally necessary since the installer should detect installations on *BSD systems, but this option can force this behavior.
  • Updated knopmd and knopwatchd to use safe_malloc() instead of malloc().
  • Bugfix to never time out rules from SOURCE blocks with FW_ACCESS_TIMEOUT set to zero.
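Recursive variable resolution in a config file is convenient, but a resolver that simply re-expands until no "$VAR" remains will loop forever on a cycle and silently leave garbage for an undefined name. The following is an added example written for this page, not fwknop's own parser: it resolves embedded variables with an explicit stack so that cycles and unknown names are reported instead of hanging the daemon. The "KEY   value;" line format and "$VAR" reference syntax are assumed here for illustration, as are the path values in the constructed fragment; check them against your own fwknop.conf.

```python
# Added example (not fwknop's own config parser): resolve variables embedded in
# config values, the way fwknop.conf allows, while refusing reference cycles
# and undefined names.  The "KEY   value;" line format and "$VAR" reference
# syntax are assumed here for illustration; check them against your fwknop.conf.
import re

LINE_RE = re.compile(r'^([A-Za-z_][A-Za-z0-9_]*)\s+(.*?);?$')
VAR_RE = re.compile(r'\$([A-Za-z_][A-Za-z0-9_]*)')

# Constructed fragments (values chosen to resemble fwknop's error-file paths).
SAMPLE_CONF = """\
# paths are built from one base directory
FWKNOP_DIR            /var/log/fwknop;
FWKNOP_ERR_DIR        $FWKNOP_DIR/errs;
FWKNOPD_WARN_FILE     $FWKNOP_ERR_DIR/fwknopd.warn;
FWKNOPD_DIE_FILE      $FWKNOP_ERR_DIR/fwknopd.die;
"""
CYCLIC_CONF = """\
A   $B/x;
B   $A/y;
"""


def parse_conf(text):
    """Return the raw (unresolved) key -> value map.  '#' starts a comment."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {raw!r}")
        conf[m.group(1)] = m.group(2).strip()
    return conf


def resolve(conf):
    """Expand $VAR references recursively; raise on cycles or unknown names."""
    resolved = {}

    def expand(name, stack):
        if name in resolved:
            return resolved[name]
        if name in stack:
            raise ValueError("variable cycle: " + " -> ".join(stack + [name]))
        if name not in conf:
            raise KeyError(f"undefined variable ${name}")
        value = VAR_RE.sub(lambda m: expand(m.group(1), stack + [name]), conf[name])
        resolved[name] = value
        return value

    return {k: expand(k, []) for k in conf}


def load(text):
    """(values, None) on success, (None, error message) otherwise."""
    try:
        return resolve(parse_conf(text)), None
    except (ValueError, KeyError) as e:
        return None, str(e)


if __name__ == "__main__":
    print(load(SAMPLE_CONF))
    print(load(CYCLIC_CONF))
```

A daemon that runs as root should refuse to start on a cyclic or dangling reference rather than guess; the stack kept by `expand()` is what turns the failure into a readable message naming the chain of variables involved.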

Software Release - psad-2.0.7

The 2.0.7 release of psad is ready for download. This is a minor bugfix release, and here is the ChangeLog:
  • Bugfix to define a custom 'source' definition for syslog-ng daemons; this fixes a problem on SuSE systems where the existing syslog-ng reconfiguration prevented the daemon from starting.
  • Bugfix to allow specific signatures to be ignored by setting SID values of zero in /etc/psad/snort_rule_dl.
  • Added -X command line argument to allow the user to delete any psad chains (in auto-response mode). This is a synonym for the iptables -X command line argument.

Software Release - gpgdir-1.2

The 1.2 release of gpgdir is ready for download. This release concentrates on getting gpgdir to function on non-Linux systems, specifically Windows under Cygwin and FreeBSD. Here is the ChangeLog:
  • Added support for installing gpgdir on Windows under Cygwin (via the install.pl script). Installing gpgdir on FreeBSD systems also works.
  • Added support for installing gpgdir within a user home directory without the need for root access (this requires installing gpgdir with the install.pl script).
  • Added --agent to have gpgdir acquire gpg key password from a running gpg-agent instance.
  • Added --no-password so gpgdir can use a gpg key with no associated password (this is not common). The user is not prompted for a password in this case.

Software Release - gpgdir-1.1

The 1.1 release of gpgdir is ready for download. This is a major release with new functionality such as the ability to drive the wipe program to securely delete original files after successful encryption. Here is the ChangeLog:
  • Added the ability to securely delete the original versions of files with the 'wipe' program (after they have been successfully encrypted). Also added --wipe-path to specify a path to the wipe binary (the default is /usr/bin/wipe), --wipe-interactive to force the wipe program to prompt the user before a file is deleted, and --wipe-cmdline to allow the user to build a set of command line arguments that are passed to the wipe program.
  • Added --Force to have gpgdir skip over the error condition where a file cannot be deleted (because of a permissions issue for example).
  • Added --Trial-run to allow the user to see what actions gpgdir would take to encrypt or decrypt files, but no files are actually modified.
  • Added --Interactive to have gpgdir prompt the user before every file is encrypted or decrypted.
  • Added the gpgdir.SlackBuild script (contributed by pyllyukko originally for the psad project) for building gpgdir on Slackware systems.

Software Release - fwsnort-1.0

The 1.0 release of fwsnort is ready for download. This release is a major update that adds the ability to build an iptables policy against the NFQUEUE or QUEUE targets in order to perform preliminary content matching in the Linux kernel using the iptables string match extension. Here is the full ChangeLog:
  • Major update to include support for the NFQUEUE and QUEUE targets with new command line options --NFQUEUE and --QUEUE. This changes the default LOG target to the NFQUEUE or QUEUE targets instead, and at the same time builds a parallel Snort rule set in the /etc/fwsnort/snort_rules_queue directory. Every Snort rule in this directory has at least one "content" keyword, which fwsnort uses in the resulting iptables policy. This policy only sends those packets to snort_inline via the NFQUEUE or QUEUE target that match a content field within some Snort rule. The end result is that snort_inline should run faster because the vast majority of packets (which are not malicious) are processed via the Linux kernel without ever having to be sent to userspace for analysis. There is a tradeoff here in terms of attack detection; snort_inline does not receive all packets associated with a stream, so it cannot detect attacks quite as effectively (snort_inline does not have an opportunity to look at reassembled buffers). However, this trade off may be acceptable for large sites where performance is more important.
  • Bug fix to remove any existing jump rules from the built-in INPUT, OUTPUT, and FORWARD chains before creating a new jump rule. This allows the fwsnort.sh script to be executed multiple times without creating a new jump rule into the fwsnort chains for each execution.
  • Added the -X command line argument to allow fwsnort to delete all of the fwsnort chains; this emulates the iptables command line argument of the same name.
  • Minor output enhancements and bugfixes to give more insight into the translation process. For example, if fwsnort is run in --snort-sid mode but is unable to translate the specified signatures, the user is notified. Also, any existing /etc/fwsnort/fwsnort.sh script is not archived and erased until fwsnort is actually going to write a new one.
  • Added sid values to iptables comment match string.
  • Bugfix for iptables string match --from and --to values to skip past packet headers. This is an approximation until a new --payload option can be added to the string match extension.
  • Added a single iptables rule testing API internally within fwsnort; this adds a measure of consistency and removes some duplicate code.
  • Added fwsnort mailing list at SourceForge.
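The core of the NFQUEUE mode described above is a translation: each Snort rule that carries a content keyword becomes an iptables rule whose string match does the cheap byte comparison in the kernel, with the sid recorded in a comment match and only matching packets queued to snort_inline. The following is an added example written for this page, not fwsnort's own translation code, that performs that translation for a constructed Snort rule. The chain name (FWSNORT_INPUT), queue number, the header-skip offset used for --from (the same approximation the ChangeLog mentions) and the comment layout are assumptions made for the illustration; fwsnort's real output, its handling of the many other Snort keywords, and the keywords it refuses to translate all differ. The --icase option requires a string match that supports case-insensitive matching, which the iptables of this release's era did not have.

```python
# Added example (not fwsnort's own translation code): turn a Snort rule that
# carries content keywords into one iptables rule that uses the string match
# extension and hands only matching packets to NFQUEUE.  The chain name,
# queue number, header-skip offset and comment layout are assumptions made
# for this illustration; fwsnort's real output and keyword coverage differ.
import re
import shlex

HEADER_RE = re.compile(
    r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$'
)
HDR_SKIP = 40      # 20-byte IP + 20-byte TCP header with no options (approximation)
MAX_OFFSET = 1500  # stop searching at a typical MTU

# Constructed rules using sids in the local (>= 1000000) range.
SAMPLE_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 80 '
               '(msg:"WEB-TEST traversal attempt"; flow:to_server,established; '
               'content:"../../"; content:"|2f 65 74 63 2f|"; nocase; '
               'sid:9000001; rev:1;)')
NO_CONTENT_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 22 '
                   '(msg:"TEST syn only"; flags:S; sid:9000002; rev:1;)')


def split_options(body):
    """Split the option body on ';' outside double quotes (no \\" escapes handled)."""
    items, cur, quoted = [], [], False
    for ch in body:
        if ch == '"':
            quoted = not quoted
        if ch == ';' and not quoted:
            items.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    if tail:
        items.append(tail)
    return [i for i in items if i]


def parse_snort_rule(rule):
    """Header fields plus the option list in rule order as (keyword, value)."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("not a Snort rule: " + rule)
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    opts = []
    for item in split_options(body):
        kw, _, val = item.partition(":")
        val = val.strip()
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]
        opts.append((kw.strip(), val))
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "options": opts}


def to_iptables(rule, chain="FWSNORT_INPUT", queue_num=0):
    """argv for iptables, or None if the kernel cannot usefully pre-filter this rule."""
    r = parse_snort_rule(rule)
    contents = []                      # [value, case-insensitive?] in rule order
    for kw, val in r["options"]:
        if kw == "content":
            if val.startswith("!"):    # negated content: leave it to snort_inline
                return None
            contents.append([val, False])
        elif kw == "nocase" and contents:
            contents[-1][1] = True     # nocase modifies the preceding content
    if not contents:
        return None                    # nothing to match on in the kernel
    opts = dict(r["options"])
    argv = ["iptables", "-A", chain, "-p", r["proto"]]
    if r["sport"] != "any":
        argv += ["--sport", r["sport"]]
    if r["dport"] != "any":
        argv += ["--dport", r["dport"]]
    for val, icase in contents:
        flag = "--hex-string" if "|" in val else "--string"   # |hex| Snort syntax
        argv += ["-m", "string", "--algo", "bm", flag, val,
                 "--from", str(HDR_SKIP), "--to", str(MAX_OFFSET)]
        if icase:
            argv.append("--icase")     # needs a string match with case-insensitive support
    comment = f"sid:{opts.get('sid', '0')}; msg:{opts.get('msg', '')}"[:255]
    argv += ["-m", "comment", "--comment", comment]
    argv += ["-j", "NFQUEUE", "--queue-num", str(queue_num)]
    return argv


def to_command(rule, **kw):
    """Shell-quoted command line, or None when the rule is not translatable."""
    argv = to_iptables(rule, **kw)
    return shlex.join(argv) if argv else None


if __name__ == "__main__":
    print(to_command(SAMPLE_RULE))
    print(to_command(NO_CONTENT_RULE))
```

Two points the translation makes concrete: a rule with no content keyword (the SYN-flag rule above) gets no kernel rule at all, so its packets never reach snort_inline in this mode, which is exactly the detection trade-off the ChangeLog describes; and because --from starts after a fixed 40-byte header estimate, a packet with TCP options or IP options shifts the payload, so the offsets are an approximation rather than a precise payload boundary.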