Inspirated

 
 

July 1, 2013

Blocking traffic flows selectively with a timeout from Bro IDS

Filed under: Blog — krkhan @ 2:55 am

I needed to block some flows on OpenWRT from the Bro IDS. One option was to install the recent module for expiring iptables rules which sounded like an overkill. After some tinkering around I landed on using bash and at to expire the firewall rules after timeouts (luckily the at daemon was available on OpenWRT which made my job easier).

There are three parts to the process:

The bash script

First, a script which:

  1. Constructs and adds the iptables rule to the FORWARD chain.
  2. Constructs the corresponding deletion rule.
  3. Creates a temporary bash script, writes the rule to it, makes the new script self-deleting.
  4. Schedules a launch of the temporary script with at command.

Here’s the script:

#!/bin/sh
 
if [ $# -le 5 ] ; then
  echo "usage: $0 proto src sport dst dport timeout"
  exit 1
fi
 
proto=$1
src=$2
sport=$3
dest=$4
dport=$5
timeout=$6
 
echo "  proto: $1"
echo "    src: $2"
echo "  sport: $3"
echo "   dest: $4"
echo "  dport: $5"
echo "timeout: $6"
 
rule=""
 
if [ "$proto" != "any" ]; then
  rule="$rule --protocol $proto"
fi
 
if [ "$src" != "0.0.0.0" ]; then
  rule="$rule --source $src"
fi
 
if [ "$sport" != "0" ]; then
  rule="$rule --sport $sport"
fi
 
if [ "$dest" != "0.0.0.0" ]; then
  rule="$rule --destination $dest"
fi
 
if [ "$dport" != "0" ]; then
  rule="$rule --dport $dport"
fi
 
rule="$rule -j DROP"
 
echo "rule: $rule"
 
addcmd="iptables -I FORWARD $rule"
delcmd="iptables -D FORWARD $rule"
 
delscript=`mktemp`
echo "delscript: $delscript"
 
echo "#!/bin/sh" >>$delscript
echo $delcmd >>$delscript
echo "rm \"${delscript}\"" >>$delscript
chmod 755 $delscript
 
echo "adding iptable rule:"
echo $addcmd
`$addcmd`
 
atcmd="at -M -f $delscript now + $timeout min"
echo "creating at job for deletion:"
echo $atcmd
`$atcmd`

Given below is an example run. First, let’s print the default FORWARD chain:

# iptables -nL FORWARD
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             10.42.0.0/24         state RELATED,ESTABLISHED
ACCEPT     all  --  10.42.0.0/24         anywhere            
ACCEPT     all  --  anywhere             anywhere            
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Block a flow for 2 minutes:

# sh blockflow.sh tcp 50.50.50.50 50 60.60.60.60 60 2
  proto: tcp
    src: 50.50.50.50
  sport: 50
   dest: 60.60.60.60
  dport: 60
timeout: 2
rule:  --protocol tcp --source 50.50.50.50 --sport 50 --destination 60.60.60.60 --dport 60 -j DROP
delscript: /tmp/tmp.SAREJvtsK0
adding iptable rule:
iptables -I FORWARD --protocol tcp --source 50.50.50.50 --sport 50 --destination 60.60.60.60 --dport 60 -j DROP
creating at job for deletion:
at -M -f /tmp/tmp.SAREJvtsK0 now + 2 min
job 79 at Sun Jun 30 14:37:00 2013

Let’s check if the new rule was added:

# iptables -nL FORWARD
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
DROP       tcp  --  50.50.50.50          60.60.60.60          tcp spt:50 dpt:60
ACCEPT     all  --  anywhere             10.42.0.0/24         state RELATED,ESTABLISHED
ACCEPT     all  --  10.42.0.0/24         anywhere            
ACCEPT     all  --  anywhere             anywhere            
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

After 2 minutes, the temporary bash script shall remove the rule and then delete itself. To confirm:

# iptables -nL FORWARD
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             10.42.0.0/24         state RELATED,ESTABLISHED
ACCEPT     all  --  10.42.0.0/24         anywhere            
ACCEPT     all  --  anywhere             anywhere            
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

The Bro module

A simple module which export one function, i.e., BlockFlow::block which takes a conn_id and a count and calls the bash script with appropriate parameters:

module BlockFlow;
 
export {
  global block: function(id: conn_id, t: count);
}
 
function block(id: conn_id, t: count)
{
  print fmt("blocking %s:%d -> %s:%d for %d minutes", id$orig_h, id$orig_p, id$resp_h, id$resp_p, t);
 
  local protocol = get_port_transport_proto(id$resp_p);
  print fmt("protocol is: %s", protocol);
 
  local cmd: string = fmt("sh blockflow.sh %s %s %d %s %d %d", protocol
                                                             , id$orig_h, id$orig_p
                                                             , id$resp_h, id$resp_p, t);
  print fmt("executing: %s", cmd);
  system(cmd);
}

Bro module usage

And finally, using the module from a Bro script:

@load ./blockflow
 
event bro_init()
  {
    local id: conn_id;
    id$orig_h = 10.10.10.10;
    id$orig_p = 10/tcp;
    id$resp_h = 20.20.20.20;
    id$resp_p = 20/tcp;
    BlockFlow::block(id, 2);
  }

And the flow will be blocked for 2 minutes. Unfortunately, due to the way at command works the granularity of timeouts is limited to minutes. If you really want to block flows for only a few seconds a quick solution would be to use sleep in place of at before expiring the rule.

Tags: , , , , , , ,

December 10, 2012

Bro IDS on OpenWRT

Filed under: Blog — krkhan @ 12:59 pm

While I was at SysNet, we had been working on a project we called “Shrimp” — Software-defined Home Router Intelligent Monitoring Point. The goal of the project was to provide a framework for easy programmatic access to network monitoring on low-cost, commodity, home router devices. One of the requirements was to have an IDS on the home routers for which we chose Bro — the leading framework for semantic analysis of network traffic.

The OpenWRT OS was chosen as the target platform. Its SDK contained a cross-compile toolchain for CMake projects. However, during the compilation Bro tried to run the binpac and bifcl executables for processing intermediate files. The executables refused to run on the build platform if the target platform architecture was different (mostly the case, e.g., we were building on x86-64 and target was arm).

The (not-so-pretty ™) workaround we used was to build Bro twice. Once for the host, and once for the target. The CMake files were then patched to first generate binpac and bifcl binaries if they weren’t provided and then use the provided binaries if they were defined at make time. The first compile generated the binaries on x86-64 and the second compile (for arm) used the earlier binaries to process the bif files.

The Makefile and patches are available in this tarball: openwrt-bro.tar.gz, while the compiled ipk package is also available for installation. Here is a test execution of Bro on OpenWRT:

# bro –v
bro version 2.0
# cat test.bro
event bro_init()
{
	print "Hello World!";
}

event new_connection(c: connection)
{
	print "New connection created";
}
# bro test.bro
Hello World!
# bro -i br-lan test.bro
Hello World!
New connection created
New connection created
# ls
conn.log           notice_policy.log  reporter.log       weird.log
dns.log            packet_filter.log  test.bro

A heap of thanks to Zaafar for dealing with my messy code and providing the links to hosted files :) !

Tags: , , , , , , , ,

March 30, 2011

GSmolt: A GTK+ frontend for Smolt

Filed under: Blog — krkhan @ 1:46 am

Smolt is a hardware profiler for Linux distributions which makes it easier for end-users to report back their machine configurations to a centralized database. Mike McGrath provides an excellent backend for developing Smolt GUIs which I have coupled with GTK+ for GSmolt:

GSmolt Screenshot
GSmolt Send Screenshot
(Click on the thumbnails for larger versions.)

The script can be found at the gsmolt repository on GitHub. Things on todo list include profile reporting in a separate thread and better error handling. I’ll provide RPM and Deb packages when the code is ready for a public release.

As a side note, this is the first project I have tracked using GitHub (as opposed to Launchpad + Bazaar). While Launchpad has its added advantage of PPAs which make it easier to push out public releases for Debian derivatives, I’m liking the Git experience so far. Hopefully some day Copr shall mature to a point where it can be the end-all, be-all Launchpad alternative for Fedora users.

Tags: , , , , , , , , , , ,

November 17, 2010

HOWTO: Use animated XScreenSaver matrix backgrounds with Xfce

Filed under: Blog — krkhan @ 7:13 pm

Screensavers like glmatrix have long been used by *nixers to woo people by showing them customizable animations as desktop wallpapers. Users of desktop environments such as Xfce have to however use xwininfo to determine and use the window IDs of their desktops (as the “-root” option stops working when the root window is overlayed by respective desktop managers e.g., Xfdesktop). For those who want to automate the startup process of XScreenSaver wallpapers in such environments, here’s a quick command you can use:

$ /usr/libexec/xscreensaver/glmatrix -window-id $(xwininfo -name "Desktop" | grep 'Window id' | sed 's/.*\(0x[0-9a-z]*\).*/\1/g')

Results:

Xfce Matrix Screenshot #1
Xfce Matrix Screenshot #2
(Click on the thumbnails for larger versions.)

Tags: , , , , , ,

July 1, 2010

dd: The Ultimate Backup Solution

Filed under: Blog — krkhan @ 7:27 am

Over the 8 years of my acquaintance with computers valuable data has been lost at an average of twice per annum. I have tried all kinds of solution to help my situation only to fail miserably by forgetting to back up some important bits and pieces of information before upgrading my distro.

Backup solutions can mostly be factored into two approaches of archiving and cloning. If space is limited, you can archive your important data using utilities such as tar. This in fact was the approach I had been using until now. The downside appeared to be lesser accessibility of the files inside the backup. Say, I needed a small text-file from a 200 GB archive. It’d take me around 20 minutes to “get” to its location in the archive.

Which is why, I decided to shift to a newer approach. My laptop has a 320 GB hard disk and I own another 320 GB Western Digital Passport for extra data. To utilize the similitude, I bought another 500 GB Passport, transferred the “extra” data to it and then cloned the entire laptop hard disk to its 320 GB external cousin.

$ dd if=/dev/sda of=/dev/sdb

That is all. dd‘s performance was questionable, as it took around 15 hours to clone the entire 320 GB. Nevertheless, this time around I was satisfied with the final backup. Not only was it a bit-by-bit replica of my original data but also an accessible repository which I could access easily by plugging in the USB.

Tags: , , , , , ,

June 5, 2010

HOWTO: Find interesting dictionary words with your Linux box

Filed under: Blog — krkhan @ 4:24 pm

Few *nix users are aware of existence of one /usr/share/dict/words on their machines. The original purpose of this file was to assist Unix programs in spell-checking. Now that every program that supports typo-prevention includes its own dictionaries, the words file no longer fares as something significant in the geek universe.

Nevertheless, the nifty gem can still serve as a fun place to find or coin new words based on lexicographical constraints. The omnipresent egrep command can be used to exploit the power of regular expressions against the English dictionary. Here’s how:
(more…)

Tags: , , , , ,

June 4, 2010

How NOT to copy MBR with the dd command

Filed under: Blog — krkhan @ 8:39 pm

Yesterday I needed to copy the MBR of a drive over another. Googling a little I found the following command in various tutorials:

-bash-$ dd if=/dev/sda of=/dev/sdb bs=512 count=1

Where /dev/sda and /dev/sda were the original and target hard disks respectively. The command did complete its work in a snap but it also made me learn a thing about MBR structures the hard way: Only 446 bytes of the MBR contain boot code, the next 64 contain the partition table!

The implications of the lesson being, if partition tables of both hard disks differ — which unfortunately was the case with me — the partition table of the target hard-disk will be overwritten. The correct way would therefore be:

-bash-$ dd if=/dev/sda of=/dev/sdb bs=446 count=1

In case you did mess up the table, I recommend TestDisk for recovering your partitions.

Tags: , , , , , ,

October 31, 2009

HOWTO: Use PyS60′s Bluetooth Console on Fedora/Ubuntu/Debian Linux

Filed under: Blog — krkhan @ 11:03 pm

While developing PyS60 apps is one of the most fun things you could do with your Nokia phone, debugging them isn’t as zippy as one would hope for in a Py development environment. To make up for that, PyS60 gives the developers an option for directly connecting to the interpreter through Bluetooth. Doesn’t sound very appealing? How about this: You connect your laptop with the cellphone, jump in at some place in the code while your app is executing and then use lappy’s big keyboard for exploiting different code and values in the interpreter. Sounds better?

To accomplish this on a Linux distro, you will need the following packages installed on your system:

Name Links
gnome-bluetooth
uucp/cu

After making sure that both are present on your system, install PyS60 on your phone if you haven’t already done so.

Now the fun part:

  1. Switch on Bluetooth in the cellphone.

    PyS60 Bluetooth HOWTO, Mobile screenshot #1

  2. Launch bluetooth-properties and click on “Setup New Device”.

    PyS60 Bluetooth HOWTO, PC screenshot #1

  3. Select your cellphone.

    PyS60 Bluetooth HOWTO, PC screenshot #2

  4. You will be shown a pin.

    PyS60 Bluetooth HOWTO, PC screenshot #3

  5. Enter the pin when queried on the cellphone.

    PyS60 Bluetooth HOWTO, Mobile screenshot #2

  6. The phone should be successfully paired.

    PyS60 Bluetooth HOWTO, PC screenshot #4

  7. Authorize your Linux system to make automatic connections to the phone.

    PyS60 Bluetooth HOWTO, Mobile screenshot #3

  8. As root, run this shell script:
    [root@orthanc ~]# ./rfcomm-listen.sh

    Serial Port service registered
    Waiting for connection on channel 2

  9. Launch PyS60 interpreter and select “Bluetooth Console” from the application menu.

    PyS60 Bluetooth HOWTO, Mobile screenshot #4

  10. Select your Linux machine.

    PyS60 Bluetooth HOWTO, Mobile screenshot #5

    The command you ran in previous step should have new output:

    [root@orthanc ~]# ./rfcomm-listen.sh

    Serial Port service registered
    Waiting for connection on channel 2
    Connection from 00:17:4B:B6:35:31 to /dev/rfcomm0
    Press CTRL-C for hangup

    The cellphone screen should be showing something like this:

    PyS60 Bluetooth HOWTO, Mobile screenshot #6

  11. As root again, open a new terminal and run:
    [root@orthanc ~]# cu -l /dev/rfcomm0

    Connected.

  12. Hit Enter till prompt (>>>) appears, then type:

    >>> import appuifw
    >>> appuifw.query(u'Hello World', 'text')

  13. Viola, you should have an input box on the mobile screen:

    PyS60 Bluetooth HOWTO, Mobile screenshot #7

  14. Enter any text and press the OK key. It should be show up in the terminal you were using to type in code:

    >>> import appuifw
    >>> appuifw.query(u'Hello World', 'text')
    u’Finally’

  15. Exit the interpreter by typing CTRL+D on an empty line:

    >>> import appuifw
    >>> appuifw.query(u'Hello World', 'text')
    u’Finally’
    >>>
    Interactive interpreter finished.
    cu: Got hangup signal

    Disconnected.

Pat yourself on the back. Now, you can use your Bluetooth console to import your modules, execute some stuff and then jump in the middle to test some extra lines or values. In fact, I found it to be a pretty darned good way of learning about PyS60′s API. Res secundae!

Tags: , , , , , , , , , , , , , , , ,

October 17, 2009

HOWTO: Integrate Compiz Fusion with Xfce the right way

Filed under: Blog — krkhan @ 10:03 pm

In past, I had always struggled to find the “correct” way of launching Compiz Fusion while starting Xfce. For a while, I had resorted to the easiest — and not perhaps the prettiest — way of launching Fusion Icon with the desktop autostart files. The problem with this method lied in the fact that Xfwm was launched before Fusion, and the most glaring workaround was to write my own xinitrc files for X startup, which was just uglier anyway.

Xfce’s own documentation is as bare as my memory while running it, so the right way was not actually obvious until I was fiddling around my configuration directory a few days ago. There, I found an interesting file named xfce4-session.xml. To truly exploit this lovely thing, I first copied it into my home configuration directory:

[krkhan@orthanc ~]$ cp /etc/xdg/xfce4/xfconf/xfce-perchannel-xml/xfce4-session.xml ~/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-session.xml

And then edited the file with a text-editor, making it look something like:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
<?xml version="1.0" encoding="UTF-8"?>
<channel name="xfce4-session" version="1.0">
  <property name="general" type="empty">
    <property name="FailsafeSessionName" type="string" value="Failsafe"/>
    <property name="SessionName" type="string" value="Default"/>
    <property name="SaveOnExit" type="bool" value="false"/>
  </property>
  <property name="sessions" type="empty">
    <property name="Failsafe" type="empty">
      <property name="IsFailsafe" type="bool" value="true"/>
      <property name="Count" type="int" value="5"/>
      <property name="Client0_Command" type="array">
        <value type="string" value="fusion-icon"/>
        <value type="string" value="--force-compiz"/>
      </property>
      <property name="Client0_PerScreen" type="bool" value="false"/>
      <property name="Client1_Command" type="array">
        <value type="string" value="xfce4-panel"/>
      </property>
      <property name="Client1_PerScreen" type="bool" value="false"/>
      <property name="Client2_Command" type="array">
        <value type="string" value="Thunar"/>
        <value type="string" value="--daemon"/>
      </property>
      <property name="Client2_PerScreen" type="bool" value="false"/>
      <property name="Client3_Command" type="array">
        <value type="string" value="xfdesktop"/>
      </property>
      <property name="Client3_PerScreen" type="bool" value="false"/>
      <property name="Client4_Command" type="array">
        <value type="string" value="xfce4-settings-helper"/>
      </property>
      <property name="Client4_PerScreen" type="bool" value="false"/>
    </property>
  </property>
  <property name="splash" type="empty">
    <property name="Engine" type="string" value=""/>
  </property>
</channel>

Lines 13-15 initially referred to Xfwm’s commands, but replacing them with the Fusion Icon ones worked like a charm. This way, Fusion is always guaranteed a launch, which actually wasn’t the case with other workarounds.

Tags: , , , , , , ,

August 28, 2009

Brace yourself and join the euphoria: Nokia N900 has been announced

Filed under: Blog — krkhan @ 10:18 pm

Rarely do I feel the urge to jump on the buzzword bandwagon. This time, however, the product deserves the hype. Before you hear me any further, jump straightaway to the Nokia 900 website and stagger yourself into oblivion. Cliff notes:

  • First Linux-based cellphone from Nokia — world’s largest manufacturer of mobile phones. The previous Linux tablets from the Finnish giants (e.g., N810) were nice but lacked the basic phone functionality.
  • A plethora of insane mouth-watering features that are just too many to list here in their entirety.
  • Sex.

If you still aren’t convinced, let me be lazy and shamelessly copy some items from the linked page:

  • ARM Cortex – A8 superscalar microprocessor core running at 600 MHz
  • Up to 1 GB of application memory (256 MB RAM, 768 MB virtual memory)
  • 3D graphics accelerator with OpenGL ES 2.0 support
  • 32 GB internal storage
  • 3.5G and WLAN connectivity
  • Quadband GSM with GPRS and EDGE
  • 5-megapixel digital camera
  • Carl Zeiss optical lens
  • Touch-sensitive screen
  • Assisted-GPS receiver

Essentially, that’s iPhone+N810+N96+Neo FreeRunner for you. An year ago, I did have a feeling that Nokia was planning big things with Linux when it acquired Trolltech but I had absolutely no idea that the definition of “big” would be this exotic.

Can’t. Wait.

Tags: , , , , ,
Next Page »