Tuesday, July 3, 2012

Cryptlib

If you are playing around with certificates and other encryption tools such as OpenSSL or GnuTLS, you may want to have a look at cryptlib. This is a really nice library by Peter Gutmann with bindings for many languages, in particular Python.
As I am working on a SCEP implementation lately, I hope this will be of some help in understanding that damn protocol!

I am also building RPM packages (and hopefully some deb later) for the library.
You can find it on OpenSUSE Build Service at home:sbarebreau:openca.

Tuesday, November 8, 2011

Using CARVER to identify risks and vulnerabilities

CARVER is an acronym that stands for Criticality, Accessibility, Recuperability, Vulnerability, Effect and Recognizability. It’s a system used by Special Forces to assess the targets and see which one needs to be addressed first.

Read more at http://redteams.tumblr.com/post/11690104332/using-carver-to-identify-risks-and-vulnerabilities


Monday, November 7, 2011

LastPass, the password management solution, now supports Google's two-factor authentication service (Google Authenticator). You need a supported smartphone, but this is really nice.

More information on the service can be found at: http://helpdesk.lastpass.com/security-options/google-authenticator/

Monitoring Trendmicro Officescan log entries

I noticed that a Trend Micro OfficeScan installation I have was not updating the AV patterns for a couple of days. This behavior happens from time to time (about once a month on average), and I still cannot pinpoint the exact cause (wonderful world of Windows, which does not have proper logging and debugging).
As there is no automated mechanism to alert you on this phenomenon, I decided to go back to the proven methods: send the logs to syslog, parse them with SEC to generate an alarm.


  • Log files

OfficeScan keeps a "server update log" in its home directory: %PROGRAMFILES/Trend Micro\OfficeScan\PCCSRV\Log\update.log. This flat text file stores one line for each update operation done by the service, and the file is erased on a regular basis depending on your 'log maintenance' settings. Example:
20111107042518,4,1,1,8.555.00
20111107075300,4,51,1,8.555.00
The format is not documented, and the only fields I have identified so far are: the timestamp (first field), the product code (third field, 1 being the AV pattern, 51 being the Smart Scan pattern) and the version (fifth field).

  • Windows to syslog

To collect Windows events or flat text log files on a syslog server you will need to deploy some non-Microsoft add-on. One option is Epilog for Windows by InterSect Alliance; another is to use Cygwin (less straightforward).
Epilog's installation is really easy, and it offers some really nice features for collecting events on a Windows system (simple web GUI, filtering of log entries, ...). Just point Epilog at your log files, configure the destination to be your syslog server and wait for something to be written to the log (forcing a manual update of the AV does the trick).
If everything goes well you will see the log lines appear on your syslog server. In my case I use syslog-ng to write those entries to a dedicated log file. The configuration is something like this:

# Log infrastructure servers - OLD
# Match only messages coming from the production network
filter h_prodnet { netmask(10.1.1.0/24); };
# One file per host and day for Windows event log entries
destination d_local3 { file("/var/log/Windows/$HOST-$YEAR$MONTH$DAY.log" create_dirs(yes) perm(0644)); };
# Separate file per host and day for flat text log files (the OfficeScan update.log entries land here)
destination d_local2 { file("/var/log/Windows/$HOST-FILELOG-$YEAR$MONTH$DAY.log" create_dirs(yes) perm(0644)); };


  • Syslog parsing
For the log file parsing I am using SEC with a customized set of rules. As I am only interested in the update issues with Trend Micro, I created a single rule that matches the "unable to complete" text in the forwarded log lines and mails it:
#Trendmicro related event
type=Single
ptype=RegExp
pattern=TRENDMICRO;.*unable to complete.*
desc=Trendmicro update problem. Please review console log, stop services and empty all AU_temp directory, reboot server.
action=pipe 'Trendmicro: %s' /usr/bin/mail -s "Trendmicro issue on package updates" youyou@nobody.test

That's it. Now I get spammed whenever OfficeScan encounters issues updating its local databases, and this happens way too often in my opinion.
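As an added example (not the blog's own code), here is a small Python parser for the update.log layout described above. It keeps the latest timestamp and version per product code and flags products whose last logged update is older than a threshold, which covers the silent "not updating for a couple of days" case that the SEC rule above, matching only explicit failures, does not catch. The sample lines are constructed from the format shown in the post, and the two-day threshold is an assumption.

```python
"""Parse OfficeScan update.log lines and flag stale pattern updates."""
from datetime import datetime, timedelta

# Product codes identified in the post; any other code is reported as-is.
PRODUCT_NAMES = {"1": "AV pattern", "51": "Smart Scan pattern"}

# Constructed sample in the update.log layout: timestamp, unknown field,
# product code, unknown field, version. Third line is an older AV update.
SAMPLE_LOG = """\
20111107042518,4,1,1,8.555.00
20111107075300,4,51,1,8.555.00
20111101031500,4,1,1,8.549.00
"""


def parse_line(line):
    """Return {"time", "product", "version"} for one log line, or None if malformed."""
    fields = line.strip().split(",")
    if len(fields) < 5:
        return None
    try:
        ts = datetime.strptime(fields[0], "%Y%m%d%H%M%S")
    except ValueError:
        return None
    return {"time": ts, "product": fields[2], "version": fields[4]}


def latest_updates(text):
    """Most recent record seen for each product code."""
    latest = {}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip blank or unparseable lines instead of failing
        cur = latest.get(rec["product"])
        if cur is None or rec["time"] > cur["time"]:
            latest[rec["product"]] = rec
    return latest


def stale_products(text, now, max_age=timedelta(days=2)):
    """Sorted product codes whose last logged update is older than max_age."""
    return sorted(code for code, rec in latest_updates(text).items()
                  if now - rec["time"] > max_age)


if __name__ == "__main__":
    for code in stale_products(SAMPLE_LOG, datetime(2011, 11, 10, 8, 0, 0)):
        print(f"stale: {PRODUCT_NAMES.get(code, 'product ' + code)}")
```

Run the script periodically against the syslog-ng file above (or the original update.log) with `now` set to the current time to get an alert even when OfficeScan logs nothing at all.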



Tuesday, November 1, 2011

OpenSUSE Build Service

I am really a big fan of the openSUSE Build Service. If you need to build packages for multiple distributions and your development environment is restricted, this can be a life saver.

I personally use it mainly to backport packages to my production hosts. In other words, it helps me cleanly install these shiny new tools I always like to have (yeah sure, still have some testing to do but ...).
Benefits:

  • keep dependencies
  • avoid conflicting installation of same tools (packaged and hand compiled)
  • stay on bleeding edge software (can be argued to not be a benefit)
  • rapid deployment on multiple hosts
  • fun

Take for example sec (simple event correlator). The 'sec' package distributed with openSUSE 11.4 is 2.5.3, which dates back to December 2009. The most recent version is from September 2011 and adds a few new features which can be practical. In the old days, to deploy the most recent version, I would probably have overwritten the installed binaries/scripts. Now I install a clean package (available here).

I know of some alternatives, but this is like beer, everyone has his favourite.
Give it a try: https://build.opensuse.org/


Tuesday, December 15, 2009

python-libmemcached replication

While adding some Nagios monitoring checks I needed a simple mechanism to replicate data between multiple memcached servers. Since libmemcached 0.34 this is possible using the 'replica' behavior.

Friday, December 11, 2009

RRDcached for cricket

We all have our favorite tools for our daily job.

For statistics collection I like to use Cricket (http://cricket.sourceforge.net/).

Sure, it is old school, but it does the job, and it does it well. I enjoy having a flat configuration and storage structure for the RRDs. No fancy database!!! Of course, this comes at the cost of some very old-fashioned Perl code and performance issues (but have a look at the CVS version).

Nevertheless, a few days ago I updated the rrdtool version I was using on my SNMP collector host and started running the new rrdcached service. This was a real pleasure, as I could see some real performance improvements and I had to do nothing in terms of code for Cricket. Yep, it worked out of the box.