Barbich (blog feed export, last updated 2024-03-08)

Cryptlib (2012-07-03)
If you are playing around with certificates and other encryption tools such as OpenSSL or GnuTLS you may want to have a look at <a href="http://goo.gl/xN2jc">cryptlib</a>. This is a really nice library written by Peter Gutmann, with a lot of language bindings and in particular a Python binding.<br />
As I have been working on an SCEP implementation lately, I hope this will be of some help in understanding that damn protocol!<br />
<br />
I am also building an RPM (and hopefully a deb later) of the library.<br />
You can find it on the openSUSE Build Service at <a href="https://build.opensuse.org/package/show?package=cryptlib&project=home%3Asbarbereau%3Aopenca">home:sbarbereau:openca</a>.<br />
<br />
Using CARVER to identify risks and vulnerabilities (2011-11-08)
<a href="http://redteams.tumblr.com/post/11690104332">Using CARVER to identify risks and vulnerabilities</a>: <br />
CARVER is an acronym that stands for Criticality, Accessibility, Recuperability, Vulnerability, Effect and Recognizability. It is a system used by Special Forces to assess targets and decide which one needs to be addressed first.<br />
<br />
Read more at <a href="http://redteams.tumblr.com/post/11690104332/using-carver-to-identify-risks-and-vulnerabilities">http://redteams.tumblr.com/post/11690104332/using-carver-to-identify-risks-and-vulnerabilities</a><br />
<br />
<br />
Post of 2011-11-07
<a href="https://lastpass.com/">Lastpass</a>, the password management solution, now supports Google's two-factor authentication service. You need a supported smartphone, but this is really nice.<br />
<br />
More information on the service can be found at: <a href="http://helpdesk.lastpass.com/security-options/google-authenticator/">http://helpdesk.lastpass.com/security-options/google-authenticator/</a><br />
<br />
Monitoring Trendmicro Officescan log entries (2011-11-07)
I noticed that a Trend Micro OfficeScan installation I have had not been updating its AV patterns for a couple of days. This happens from time to time (about once a month on average), and I still cannot pinpoint the exact cause (the wonderful world of Windows, which does not have proper logging and debugging).<br />
As there is no automated mechanism to alert you about this, I decided to go back to the proven method: send the logs to syslog and parse them with SEC to generate an alarm.<br />
<br />
<br />
<ul>
<li><b>Log files</b></li>
</ul>
<br />
<blockquote class="tr_bq">
OfficeScan keeps a "server update log" in its home directory: <span style="font-family: 'Courier New', Courier, monospace;">%PROGRAMFILES%\Trend Micro\OfficeScan\PCCSRV\Log\update.log</span>. This flat text file stores one line per update operation done by the service and is purged on a regular basis depending on your 'log maintenance' settings. Example:</blockquote>
<blockquote class="tr_bq">
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">20111107042518,4,1,1,8.555.00<br />20111107075300,4,51,1,8.555.00</span></blockquote>
<blockquote class="tr_bq">
The format is not documented; the only fields I have identified so far are the timestamp (first field), the product code (third field, 1 being the AV pattern and 51 the Smart Scan pattern) and the version (fifth field).</blockquote>
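An added example, not from the original post: a small Python parser for the update.log format described above. It reports the latest version seen per product code and flags products whose last update is older than a threshold, which is the stale-pattern check the post says OfficeScan does not provide. Only the three fields identified above are used; the sample lines are constructed from the two quoted in the post plus one older entry, and the function names are my own.

```python
from datetime import datetime, timedelta

# Product codes identified in the post (third field of update.log)
PRODUCT_NAMES = {1: "AV pattern", 51: "Smart Scan pattern"}

# Constructed sample: the two lines quoted in the post plus one older Smart Scan entry
SAMPLE_LOG = """20111106075300,4,51,1,8.553.00
20111107042518,4,1,1,8.555.00
20111107075300,4,51,1,8.555.00
"""


def parse_timestamp(value):
    """Accept either a datetime or a string in update.log's YYYYMMDDHHMMSS form."""
    if isinstance(value, datetime):
        return value
    return datetime.strptime(value, "%Y%m%d%H%M%S")


def parse_update_log(text):
    """Turn update.log lines into (timestamp, product_code, version) tuples.
    Malformed lines are skipped rather than raised on, since the format is
    undocumented and the meaning of the second and fourth fields is unknown."""
    records = []
    for line in text.splitlines():
        fields = line.strip().split(",")
        if len(fields) < 5:
            continue
        try:
            records.append((parse_timestamp(fields[0]), int(fields[2]), fields[4]))
        except ValueError:
            continue
    return records


def latest_updates(records):
    """Most recent (timestamp, version) seen per product code."""
    latest = {}
    for ts, code, version in records:
        if code not in latest or ts > latest[code][0]:
            latest[code] = (ts, version)
    return latest


def stale_products(records, now, max_age=timedelta(hours=24), expected=PRODUCT_NAMES):
    """Return {code: hours_since_last_update} for every expected product whose last
    update is older than max_age; a product with no entry at all maps to None."""
    now = parse_timestamp(now)
    latest = latest_updates(records)
    stale = {}
    for code in expected:
        if code not in latest:
            stale[code] = None
        elif now - latest[code][0] > max_age:
            stale[code] = round((now - latest[code][0]).total_seconds() / 3600, 1)
    return stale


if __name__ == "__main__":
    recs = parse_update_log(SAMPLE_LOG)
    for code, (ts, ver) in sorted(latest_updates(recs).items()):
        print(f"{PRODUCT_NAMES.get(code, code)}: version {ver} at {ts}")
    # Pretend the check runs two days after the last entry, as in the post's scenario
    for code, age in stale_products(recs, "20111109080000").items():
        print(f"ALERT: {PRODUCT_NAMES.get(code, code)} not updated for {age} h")
```

Run it from a scheduled task against the real update.log (or feed it the lines Epilog forwards to syslog) and alert on a non-empty result.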
<br />
<ul>
<li><b>Windows to syslog</b></li>
</ul>
<br />
<blockquote class="tr_bq">
To collect Windows events or flat text log files on a syslog service you need to deploy a non-Microsoft add-on. One option is <a href="http://www.intersectalliance.com/projects/EpilogWindows/index.html">Epilog</a> for Windows by InterSect Alliance; another is to use <a href="http://www.cygwin.com/">cygwin</a> (less straightforward). </blockquote>
<blockquote class="tr_bq">
Epilog's installation is really easy and it offers some really nice features for collecting events on a Windows system (simple web GUI, filtering of log entries, ...). Just point Epilog at your log files, configure the destination to be your syslog server and wait for something to be written to the log (forcing a manual update of the AV does the trick).</blockquote>
<blockquote class="tr_bq">
If everything goes well you will see the log lines appear on your syslog server. In my case I use syslog-ng to get those entries into a dedicated log file. The configuration is something like this:</blockquote>
<br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"># Log infrastructure servers - OLD</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">filter h_prodnet { netmask(10.1.1.0/24); };</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">destination d_local3 { file("/var/log/Windows/$HOST-$YEAR$MONTH$DAY.log" create_dirs(yes) perm(0644)); };</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">destination d_local2 { file("/var/log/Windows/$HOST-FILELOG-$YEAR$MONTH$DAY.log" create_dirs(yes) perm(0644)); };</span><br />
<br />
<br />
<ul>
<li><b>Syslog parsing</b></li>
</ul>
<blockquote class="tr_bq">
For the log file parsing I am using <a href="http://simple-evcorr.sourceforge.net/">SEC</a> with a customized set of rules. As I am only interested in the update issues with Trend Micro, I created a single rule:</blockquote>
<div>
<div>
<pre>#Trendmicro related event
type=Single
ptype=RegExp
pattern=TRENDMICRO;.*unable to complete.*
desc=Trendmicro update problem. Please review console log, stop services and empty all AU_temp directory, reboot server.
action=pipe 'Trendmicro: %s' /usr/bin/mail -s "Trendmicro issue on package updates" youyou@nobody.test</pre>
</div>
<blockquote class="tr_bq">
That's it. Now I get spammed whenever OfficeScan has trouble updating its local databases, which happens way too often in my opinion.</blockquote>
<div>
<br /></div>
<br />
<br />
OpenSUSE Build Service (2011-11-01)
<div style="text-align: justify;">
I am really a big fan of the <b>openSUSE Build Service</b>. If you need to build packages for multiple distributions and your development environment is restricted, it can be a life saver.</div>
<br />
<div style="text-align: justify;">
I personally use it mainly to backport packages to my production hosts. In other words, it helps me cleanly install those shiny new tools I always like to have (yeah sure, there is still some testing to do, but ...).</div>
Benefits:<br />
<br />
<ul>
<li>keep dependencies</li>
<li>avoid conflicting installation of same tools (packaged and hand compiled)</li>
<li>stay on bleeding edge software (can be argued to not be a benefit)</li>
<li>rapid deployment on multiple hosts</li>
<li>fun</li>
</ul>
<br />
<div style="text-align: justify;">
Take for example <a href="http://simple-evcorr.sourceforge.net/">sec</a> (simple event correlator). The 'sec' package distributed with openSUSE 11.4 is 2.5.3, which dates back to December 2009. The most recent version is from September 2011 and adds a few new features which can be practical. In older times, to deploy the most recent version, I would probably have overwritten the installed binaries/scripts. Now I install a clean package (<a href="http://download.opensuse.org/repositories/home:/sbarbereau:/branches:/server:/monitoring/">available here</a>). </div>
<br />
I know of some alternatives, but this is like beer: everyone has their favourite.<br />
Give it a try: <a href="https://build.opensuse.org/">https://build.opensuse.org/</a><br />
<br />
<br />
python-libmemcached replication (2009-12-15)
While adding some <a href="http://nagios.org/">Nagios</a> monitoring checks I needed a simple mechanism to replicate data between multiple <a href="http://memcached.org/">memcached</a> servers. Since <a href="http://tangent.org/552/libmemcached.html">libmemcached</a> 0.34 this is possible using the 'replicas' behavior.<br />
<br />
<div><br />
</div><div>Using the memcached_set_behavior function and setting the MEMCACHED_BEHAVIOR_NUMBER_OF_REPLICAS to some integer you are ensuring that multiple copies of the stored values exist throughout your memcached farm.<br />
</div><div>My only issue was that I am using <a href="http://code.google.com/p/python-libmemcached/">python-libmemcached</a> to access my memcached servers from Python, and the 'replicas' behavior had not yet (as of 0.17.0) been incorporated. So I had to patch the sources (an RPM package is available on the openSUSE Build Service; the patch is attached).<br />
</div><br />
Usage example:<br />
<span style="font-family: 'Courier New', Courier, monospace;">===============================</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">>>> import cmemcached as memcache</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">>>> mc=memcache.Client(['netmona:11211','netmonb:11211'],debug=1,behaviors={'replicas':2,'binary':1})</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">>>> mca=memcache.Client(['netmona:11211'],debug=1,behaviors={})</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">>>> mcb=memcache.Client(['netmonb:11211'],debug=1,behaviors={})</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">>>> mc.set('replicated-data','yeah',time=600)</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">1</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">>>> mc.get('replicated-data')</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">'yeah'</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">>>> mca.get('replicated-data')</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">'yeah'</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">>>> mcb.get('replicated-data')</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">'yeah'</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">===============================</span><br />
<br />
Of course, if you set the data on one server only it won't be replicated. Nevertheless, this simple replication system opens up a number of opportunities for some of my projects where I use memcached as 'shared' storage between processes.<br />
<br />
<span style="color: #e06666;">Warning: memcache does not have any security mechanism embedded (access,confidentiality...), use it only on trusted networks.</span>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-2742224415984805331.post-81799784115184196772009-12-11T20:02:00.001+01:002009-12-11T20:03:15.325+01:00RRDcached for cricketWe all have our favorite tools for our daily job.<br />
<br />
For statistics collection I like to use Cricket (<a href="http://cricket.sourceforge.net/">http://cricket.sourceforge.net/</a>).<br />
<br />
Sure, it is old school but it does the job, and it does it well. I enjoy having a flat configuration and storage structure for the RRDs. No fancy database!!! Of course, this comes at the cost of some very old-fashioned Perl code and performance issues (but have a look at the CVS version).<br />
<br />
Nevertheless, a few days ago I updated the rrdtool version on my SNMP collector host and started running the new rrdcached service. This was a real pleasure as I could see some real performance improvements and I had to change nothing in Cricket's code. Yep, it worked out of the box.<br />
<br />
<br />
What I did was:<br />
<br />
<ul><li>Get rrdtool 1.4.2. As I am running openSUSE 11.1 I wanted to stick to a clean package installation and tried to find an RPM for it. No luck at that time, so the second option was of course to build the rrdtool package myself with OBS. The package can be downloaded from <a href="http://download.opensuse.org/repositories/home:/sbarbereau/openSUSE_11.1/">http://download.opensuse.org/repositories/home:/sbarbereau/openSUSE_11.1/</a>.</li>
<li>Install the package.</li>
<li>Start rrdcached. That was probably the most "complex" part. As I wanted to keep this clean I created a pseudo init.d script as well as a separate config file. For simplicity I could have packed everything together. Here are the files:</li>
</ul><br />
<span style="font-family: 'Courier New', Courier, monospace;"><span style="font-size: small;">======== rrdcached.defaults ======== </span></span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><span style="font-size: small;">RUN_RRDCACHED=1</span></span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><span style="font-size: small;">RRDCACHED_USER="cricket"</span></span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><span style="font-size: small;">OPTS="-w 300 -z 300 -f 1800 -F"</span></span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><span style="font-size: small;">PIDFILE="/shared/netmonb/cricket/var/run/rrdcached/rrdcached.pid"</span></span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><span style="font-size: small;">SOCKFILE="/shared/netmonb/cricket/var/run/rrdcached/rrdcached.socket"<br />
JOURNAL="/shared/netmonb/cricket/var/run/rrdcached/rrdcached.journal"</span></span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><span style="font-size: small;">SOCKPERMS=0660<br />
======== rrdcached.defaults ======== </span></span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><span style="font-size: small;">======== rrdcached.init ======== <br />
RRDCACHED_BIN=/usr/bin/rrdcached<br />
test -x $RRDCACHED_BIN || { echo "$RRDCACHED_BIN not installed"; <br />
if [ "$1" = "stop" ]; then exit 0;<br />
else exit 5; fi; }</span></span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><span style="font-size: small;">RRDCACHED_CONFIG=/shared/netmonb/cricket/cricket/util/rrdcached/rrdcached.defaults<br />
test -r $RRDCACHED_CONFIG || { echo "$RRDCACHED_CONFIG not existing";<br />
if [ "$1" = "stop" ]; then exit 0;<br />
else exit 6; fi; }</span></span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><span style="font-size: small;">. $RRDCACHED_CONFIG</span></span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><span style="font-size: small;"><br />
. /etc/rc.status</span></span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><span style="font-size: small;">rc_reset</span></span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><span style="font-size: small;"><br />
case "$1" in<br />
start)<br />
echo -n "Starting rrdcached "</span></span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><span style="font-size: small;"> startproc -u $RRDCACHED_USER -p $PIDFILE $RRDCACHED_BIN $OPTS \</span></span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><span style="font-size: small;">-p $PIDFILE -l $SOCKFILE -j $JOURNAL<br />
rc_status -v</span></span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><span style="font-size: small;"> echo -n "Setting Permissions "</span></span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><span style="font-size: small;"> chmod $SOCKPERMS "${SOCKFILE}"<br />
rc_status -v</span></span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><span style="font-size: small;"> ;;<br />
stop)<br />
echo -n "Shutting down rrdcached "<br />
killproc -TERM -p $PIDFILE $RRDCACHED_BIN</span></span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><span style="font-size: small;"> rc_status -v<br />
;;<br />
try-restart|condrestart)<br />
if test "$1" = "condrestart"; then<br />
echo "${attn} Use try-restart ${done}(LSB)${attn} rather than condrestart ${warn}(RH)${norm}"</span></span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><span style="font-size: small;"> fi<br />
$0 status</span></span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><span style="font-size: small;"> if test $? = 0; then</span></span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><span style="font-size: small;"> $0 restart</span></span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><span style="font-size: small;"> else</span></span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><span style="font-size: small;"> rc_reset # Not running is not a failure.</span></span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><span style="font-size: small;"> fi</span></span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><span style="font-size: small;"> rc_status</span></span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><span style="font-size: small;"> ;;<br />
try-start)<br />
$0 status<br />
if test $? = 0; then</span></span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><span style="font-size: small;"> rc_reset # Not running is not a failure.</span></span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><span style="font-size: small;"> else<br />
$0 restart</span></span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><span style="font-size: small;"> fi </span></span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><span style="font-size: small;"> rc_status<br />
;;<br />
restart)<br />
$0 stop<br />
$0 start</span></span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><span style="font-size: small;"> rc_status<br />
;;<br />
force-reload)<br />
$0 try-restart</span></span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><span style="font-size: small;"> rc_status<br />
;;<br />
reload)<br />
echo -n "Reload service rrdcached : not supported"</span></span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><span style="font-size: small;"> rc_status -v<br />
;;<br />
status)<br />
echo -n "Checking for service rrdcached "<br />
checkproc -p $PIDFILE $RRDCACHED_BIN</span></span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><span style="font-size: small;"> rc_status -v<br />
;;</span></span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><span style="font-size: small;"> *)<br />
echo "Usage: $0 {start|stop|status|try-restart|try- start|restart|force-reload|reload}"</span></span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><span style="font-size: small;"> exit 1</span></span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><span style="font-size: small;"> ;;<br />
esac<br />
rc_exit<br />
======== rrdcached.init ======== </span></span><br />
<br />
Obviously you will need to change a few things in the files (paths, users, ...).<br />
<br />
But as said, no change in any of Cricket's Perl code was required. I just had to set RRDCACHED_ADDRESS in my environment ... <br />
<br />
It is really nice to use rrdcached as it really works out of the box with any properly coded program using the standard rrdtool API. Whether it is Cacti, MRTG or similar tools ... it should work! <br />
<br />
But there are 2 drawbacks I found:<br />
- if RRDCACHED_ADDRESS is set but points to a non-existing socket/file you are going to have problems, as RRD will not update your data files.<br />
- if you use your RRD files for monitoring (threshold detection or similar) the added write delay from rrdcached is going to pose some problems.<br />
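An added example, not from the post or from rrdtool: a Nagios-style check in Python covering the two drawbacks above. It verifies that the socket RRDCACHED_ADDRESS points to exists and is usable, then asks the daemon for its STATS so that a growing QueueLength (updates accepted but not yet written to the RRD files) raises a warning. The wire format used (a "&lt;n&gt; &lt;message&gt;" status line followed by n "Key: value" lines, negative n for errors) is rrdcached's own protocol; the function names and the queue threshold are my assumptions.

```python
import os
import socket
import stat

def parse_address(addr):
    """'unix:/path' or a bare absolute path -> ('unix', path); 'host[:port]' -> ('tcp', (host, port))."""
    if addr.startswith("unix:"):
        return "unix", addr[len("unix:"):]
    if addr.startswith("/"):
        return "unix", addr
    host, sep, port = addr.rpartition(":")
    if sep and port.isdigit():
        return "tcp", (host, int(port))
    return "tcp", (addr, 42217)  # rrdcached's default TCP port

def parse_stats(text):
    """Parse a STATS reply: '<n> <message>' status line, then n 'Key: value' lines (n < 0 is an error)."""
    lines = text.splitlines()
    count, _, message = lines[0].partition(" ")
    n = int(count)
    if n < 0:
        raise ValueError(f"rrdcached error: {message}")
    stats = {}
    for line in lines[1:1 + n]:
        key, _, value = (part.strip() for part in line.partition(":"))
        stats[key] = int(value) if value.lstrip("-").isdigit() else value
    return stats

def query_stats(sock):
    """Send STATS on a connected socket, collect the reply, then QUIT cleanly."""
    f = sock.makefile("rwb")
    f.write(b"STATS\n")
    f.flush()
    header = f.readline().decode("ascii", "replace")
    n = int(header.split(" ", 1)[0])
    body = [f.readline().decode("ascii", "replace") for _ in range(max(n, 0))]
    f.write(b"QUIT\n")
    f.flush()
    return parse_stats("".join([header] + body))

def evaluate(stats, warn_queue=1000):
    """Nagios-style verdict: a long queue means updates are not on disk yet (the second drawback)."""
    queue = stats.get("QueueLength", 0)
    if queue > warn_queue:
        return 1, f"WARNING: {queue} updates queued in rrdcached, RRD files lag behind"
    return 0, f"OK: rrdcached answering, queue {queue}, {stats.get('UpdatesReceived', '?')} updates received"

def check_rrdcached(addr, timeout=2.0, warn_queue=1000):
    """Return (exit_code, message): 0 OK, 1 WARNING, 2 CRITICAL, as a Nagios plugin would."""
    if not addr:
        return 0, "OK: RRDCACHED_ADDRESS unset, rrdtool writes files directly"
    kind, target = parse_address(addr)
    if kind == "unix":  # the first drawback: a dangling address silently breaks updates
        if not os.path.exists(target) or not stat.S_ISSOCK(os.stat(target).st_mode):
            return 2, f"CRITICAL: {target} is not an existing socket, rrdtool update will fail"
        if not os.access(target, os.R_OK | os.W_OK):
            return 2, f"CRITICAL: {target} not accessible for this user, check SOCKPERMS"
    sock = socket.socket(socket.AF_UNIX if kind == "unix" else socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect(target)
        return evaluate(query_stats(sock), warn_queue)
    except (OSError, ValueError) as e:
        return 2, f"CRITICAL: cannot query rrdcached at {addr}: {e}"
    finally:
        sock.close()
```

Call `check_rrdcached(os.environ.get("RRDCACHED_ADDRESS", ""))` from the same environment Cricket runs in, print the message and exit with the returned code.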
<br />
Anyway, it was fun.