
The URI for this page is http://www.securemind.org

Suricata 1.0 Released!
Posted July 1st

Congratulations to Victor / Matt / Will at the OISF on the release of Suricata 1.0. For more information check out the post here.

Research Paper Review: A Comparison of Virtualization Technologies for HPC
Posted May 9th

Paper Title: A Comparison of Virtualization Technologies for HPC
Paper Authors: J. P. Walters, V. Chaudhary, M. Cha, S. Guercio Jr., and S. Gallo (University of Buffalo)
Paper's Objective: This paper was published in 2008. At the time, the authors believed that virtualization held the promise of improved resource utilization as well as resource guarantees to end users; however, virtualization for HPC was severely limited by its slow performance. The paper goes on to describe the two types of evaluation done, single server and cluster, followed by a discussion of the virtualization types and their advantages and disadvantages. The authors chose to test VMware Server (formerly GSX), Xen and OpenVZ. Performance measurements were made using Netperf, IOzone, OpenMP and MPI, and an exhaustive discussion of each of the tests and their results is made. The authors conclude that OpenVZ shows the lowest overhead and the best performance, but warn that its networking ability is limited.

The post is brought to you by lekhonee v0.7

A Paper Review: Quantitative Comparison of Xen and KVM
Posted May 7th

Paper Title: Quantitative Comparison of Xen and KVM
Author(s): Todd Deshane, Zachary Shepherd, Jeanna Matthews, et al.
Paper's Objective: Present the results of a quantitative analysis of performance tests made on Xen and KVM, compare the results, and draw conclusions as to which hypervisor is right for the job at hand. Performance was measured using "a CPU-Intensive test, a kernel compile, an IOzone write test and an IOzone read test." They used an actual physical system as the reference, assigning its times and load as a baseline of one. Without going into details (if you want them, read the paper), the study put Xen and KVM head to head and they came out with virtually no performance differences. The real issues started when scalability came into account: KVM didn't scale to multiple guests past 4 on this particular system, while Xen scaled up to 16 without too much of a performance hit. Since this paper was written KVM has come a long way, especially with the QEMU-KVM project. In my opinion these tests should be redone using the latest versions of the software. My current experience with the two shows that in its latest release KVM seems to run faster.

A Paper Review: Toward Botnet Mesocosms
Posted May 4th

So this will be the first of potentially many paper reviews. I figured that I could/should share some of the information I've been reading and referencing. Wouldn't it be nice if there was a place where everyone could go and get concise highlights of technical papers? Just a thought. Bear in mind that these are going to be simply concise, what-it's-about reviews, not full-blown literature reviews.

Paper Title: Toward Botnet Mesocosms
Author(s): Paul Barford and Mike Blodgett (University of Wisconsin-Madison)
Author's Definition(s): Mes-o-cosm: n. a medium size, representative system that matches as directly as possible a larger system in constitution, configuration or development.
Paper's Objective: To discuss the BEE (Botnet Evaluation Environment) and its capabilities, as well as report testing results of a specific case study. The BEE uses four well-known bots (Agobot, GTbot, Spybot, SDbot) and includes the standard services which bots need to operate effectively, including DHCP, DynDNS and IRC. The environment is built on infected Microsoft Windows variants which reside in both virtual and physical machines. The requirements for the environment include:
  • The ability to experiment with a number of bots, known and unknown, on various operating systems
  • Ability to conduct tests without risk of additional internet infection
  • Ability to create flexible topologies and configurations
  • Ability to conduct experiments at scale

Been Quiet Lately
Posted May 3rd

So this site's been very quiet lately; it's not for lack of trying. I've just been too busy with remodelling and work. But I've decided to get back in the swing of things. I thought that I would try something new: since I read (and I use that term loosely) 10-20 research papers a day, I thought I would start sharing my thoughts and analysis of some of them. Perhaps someone will find this information useful. So check back later tonight when I start things off with my first post in a series of paper reviews.

Parsing Suricata stats.log With Python
Posted January 10th

I thought I would take a moment and share a Python script that I put together to quickly parse through the Suricata stats.log file and give back the individual stats so that you can more easily graph them. Later this week I'll be finishing up an automatic graphing program which I'll share as well. Here's the code, have fun. Each item from the stats file, including the time stamps, is stored as a tuple, so just add a print command as/where needed to see what it parsed from the log.

#!/usr/bin/env python
# -*- coding: utf-8 -*-
# SuricataStatsGrapher-0.1.0.py
#
# Copyright (c) 2010 Joshua White
#
# GPL v.2
#
# Author: Joshua White
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public License
# as published by the Free Software Foundation; either version 2 of
# the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public
# License along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
# USA
#
# Contributor:

import CairoPlot
import cairo
import math
from pyparsing import *

# -------- Open Log File and Recursively Step Through ------
stats = open("/var/log/suricata/stats.log", "r")
igotStats = stats.readlines()

# -------- Initialize tuples (one per counter we graph) ---------------
date_time_stamp = ()
tcp_sessions = ()
decoder_pkts = ()
decoder_pkts_per_sec = ()
decoder_bytes = ()
decoder_bytes_per_sec = ()
decoder_mbit_per_sec = ()
decoder_ipv4 = ()
decoder_ipv6 = ()
decoder_tcp = ()
decoder_udp = ()
decoder_icmpv4 = ()
decoder_icmpv6 = ()
decoder_ppp = ()
decoder_pppoe = ()
decoder_gre = ()
decoder_avg_pkt_size = ()
decoder_max_pkt_size = ()

# -------- Parse For Specific Datasets and Store as Tuples -------
for line in igotStats:
    ...
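As an added example (not the script from the post), here is a self-contained parser for the table-style stats.log that Suricata 1.0-era builds write, returning one time series per counter plus the per-dump delta you would actually graph for cumulative counters. The sample log is constructed, and the exact "Date:" header and "counter | TM name | value" column layout is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample: two dump intervals, trimmed to three counters.
SAMPLE_STATS_LOG = """\
-------------------------------------------------------------------
Date: 1/10/2010 -- 22:10:03 (uptime: 0d, 00h 05m 00s)
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
decoder.pkts              | Decode & Stream           | 10500
decoder.bytes             | Decode & Stream           | 7350000
tcp.sessions              | Detect                    | 42
-------------------------------------------------------------------
Date: 1/10/2010 -- 22:15:03 (uptime: 0d, 00h 10m 00s)
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
decoder.pkts              | Decode & Stream           | 22000
decoder.bytes             | Decode & Stream           | 15400000
tcp.sessions              | Detect                    | 97
"""

# Assumed layout: a "Date: <date> -- <time>" header opens each dump, and each
# counter row is "name | thread-module name | numeric value".
DATE_RE = re.compile(r"^Date:\s+(\S+\s+--\s+\S+)")
ROW_RE = re.compile(r"^([\w.]+)\s*\|\s*([^|]*?)\s*\|\s*([\d.]+)\s*$")


def parse_stats_log(text):
    """Return {counter: [(timestamp, value), ...]}, one point per dump.
    Separator lines, the column header and anything before the first
    Date: line are skipped; dotted values become floats, others ints."""
    series = defaultdict(list)
    stamp = None
    for line in text.splitlines():
        m = DATE_RE.match(line)
        if m:
            stamp = m.group(1)
            continue
        m = ROW_RE.match(line)
        if m and stamp is not None:
            name, _tm_name, raw = m.groups()
            series[name].append((stamp, float(raw) if "." in raw else int(raw)))
    return dict(series)


def per_interval_delta(series, counter):
    """Cumulative counters only grow; the per-dump delta is what you graph."""
    pts = series[counter]
    return [(b[0], b[1] - a[1]) for a, b in zip(pts, pts[1:])]
```

To run it against a real file, pass open("/var/log/suricata/stats.log").read() to parse_stats_log instead of the constructed sample.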

Building An Inline Linux Router W/ (Suricata NIDS / Simple Front End) Part 1
Posted January 2nd

Part 1: OK, so for this my goal is simple: I'm just looking to build a simple inline Linux router with NIDS capability using Suricata and a really simple front end to view logs through a web-based interface. We'll call this 0.1.0 of the project/process. I'm in no way looking to replace anything that's already out there, I'm just screwing around. For this I'll be using an old server that's mounted in the rack in my office:
  • P4 - 1.67GHz
  • 768 MB of PC-133 Memory
  • 80 GB WD IDE HD
  • 2x 10/100 3Com NICs
We'll start with the install. Basically there's very little to say here other than do a very minimal install; in this case we're running Fedora 11, with basically every package deselected during the install. Post-install, for the time being, we disable SELinux:
  • echo 0 >/selinux/enforce
  • newrole -r sysadm_r
  • echo 1 >/selinux/enforce (to switch back to enforcing when you want to, or reboot)
Later I'll discuss how to write a policy rule for everything so that SELinux can stay active all the time. Now that we have a fresh clean system with only 200 or so packages we'll move on and start with what I consider to be most essential (scoff if you must): nano, the easy-to-use text editor.
  • yum -y install nano
Once that has finished installing we can move on to the routing portion of this exercise; we start with the configuration of our two NICs. For this we'll stick with standard IPv4 configuration (if you're interested in IPv6 configuration let me know and I'll post back a howto). For this network I've got a 10.1.1.0/24 that will be talking to a 192.168.1.0/24. Since this is/will be the gateway for the 10.1.1.0/24 network to talk to the 192.168.1.0/24 network, which is in turn connected to the internet, I'll give the interfaces the ...

x86_64 Suricata NIDS RPM available here
Posted January 2nd

I threw together an RPM for quicker setup time (download here). This is x86_64 for Fedora 12/11. It still requires htp and a few other items, which you can install quickly with:
sudo yum -y install libpcap libpcap-devel libnet libnet-devel pcre \
  pcre-devel gcc gcc-c++ automake autoconf libtool make libyaml \
  libyaml-devel zlib zlib-devel
wget http://www.openinfosecfoundation.org/download/htp-current.tar.gz
tar -xzvf htp-current.tar.gz
cd htp-*
./configure
make
make install
ldconfig
Then just:
rpm -ivh suricata-0.8.0-x86_64-1.rpm
and you're ready to go. The suricata.yaml config file is placed in your /etc/suricata/ directory; edit it and download the Emerging Threats rule set.

Edit: 10/4/2010, for those looking for it, here's the spec file:
Summary: Suricata The OISF "Open Information Security Foundation" NIDS IPS.
Name: suricata
Version: current
Release: 1
License: GPL
Group: Applications/Internet
Source: Suricata-0.8.0.tar.gz
BuildRoot: /var/tmp/%{name}-buildroot

%define is_fedora %(test -e /etc/fedora-release && echo 1 || echo 0)
%if %is_fedora
%define dist fedora
%define disttag rhfc
%endif

%description
Suricata is the next generation of multithreaded specialized NIDS IPS.

%prep
%setup

%build
./configure -enable-unittests -enable-debug
mkdir /var/log/suricata/
make RPM_OPT_FLAGS="$RPM_OPT_FLAGS"
make install
mkdir /etc/suricata
cp suricata.yaml /etc/suricata

%clean
rm -rf $RPM_BUILD_ROOT

Suricata Testing Update - Thanks To Victor
Posted January 1st

Victor Julien, lead developer for the OISF, posted a note about Suricata testing: leave your feedback on the OISF's Redmine system and, if you're having issues, use --enable-unittests and --enable-debug during configure and then run "suricata -u" to get the results. More info is available on the inliniac blog.

Still Working On OISF Engine Integration Into My Standard NIDS Setup
Posted January 1st

I'm still working on integrating the OISF engine into my standard NIDS setup. It's going to take a while since there's not much by way of reporting in this early version, but it's getting there. If anyone is wondering, I have gotten it up and running on a standard P4 system, a QEMU guest system, and 2 x quad-core servers. Specifically I'm interested in packet loss measurements in high speed environments, such as OC-48. I'll be posting a modified howto soon that includes signatures.