Inspirated

 
 

June 8, 2015

Release: Bro 2.3.1-2 on OpenWRT

Filed under: Blog — krkhan @ 12:08 am

As I promised in the comments section of previous post, I set out on the adventure of recompiling Bro for Lantiq routers. As a result of the exercise I have new-found respect for open-source package maintainers. Holy waffles if troubleshooting build errors in a large Autotools mess isn’t the most hemorrhage-inducing activity known to mankind.

Anyways, this time I’ve tried to keep track of the changes I’ve been making along the way. The full set of updated Makefiles and patches is maintained in the openwrt-bro repo. Also, the compiled ipk packages for Atheros and Lantiq routers are available on the release page.

Now that I have a reasonably updated Buildroot on my system and an organized set of patches, feel free to request an ipk package for your router. While I can’t guarantee that the clusterfuck of patches will compile smoothly for your platform, I’ll still give it a try.


April 29, 2015

Bro 2.3 on OpenWRT

Filed under: Blog — krkhan @ 11:32 pm

After posting the Bro port for OpenWRT on my blog roughly two years ago, I didn’t realize that some people were actually using it on their routers.

I had created an updated version of the port which I hadn’t posted on the blog. Digging in my archived files I finally found it today along with its sources:

Word of caution though: my notes indicate that one of the default scripts was leaking memory, and I never got around to figuring out which one. The workaround was to launch Bro in bare mode with the -b switch, which prevents the default scripts from being loaded.

# cat test.bro
event bro_init()
{
	print "Hello World!";
}

event new_connection(c: connection)
{
	print "New connection created";
}
# bro test.bro
Hello World!
# bro -C -b -i br-lan test.bro
Hello World!
New connection created
New connection created

If someone has cycles to spend and can figure out which default script is leaking memory, we can update the package to address the bug.


July 31, 2014

Bro IDS on OpenWRT Part II — The Paper

Filed under: Blog — krkhan @ 11:40 pm

The paper chronicling our adventures with Bro IDS on home routers just got published in the latest issue of SIGCOMM CCR. Here’re the details:

Title: Rapid and Scalable ISP Service Delivery through a Programmable MiddleBox

Abstract: With only access billing no longer ensuring profits, an ISP’s growth now relies on rolling out new and differentiated services. However, ISPs currently do not have a well-defined architecture for rapid, cost-effective, and scalable dissemination of new services. We present iSDF, a new SDN-enabled framework that can meet an ISP’s service delivery constraints concerning cost, scalability, deployment flexibility, and operational ease. We show that meeting these constraints necessitates an SDN philosophy for a centralized management plane, a decoupled (from data) control plane, and a programmable data plane at customer premises. We present an ISP service delivery framework (iSDF) that provides ISPs a domain-specific API for network function virtualization by leveraging a programmable middlebox built from commodity home-routers. It also includes an application server to disseminate, configure, and update ISP services. We develop and report results for three diverse ISP applications that demonstrate the practicality and flexibility of iSDF, namely distributed VPN (control plane decisions), pay-per-site (rapid deployment), and BitTorrent blocking (data plane processing).

Published in: ACM SIGCOMM Computer Communication Review (Volume 44 Issue 3, July 2014)

Combined with the paper in IEEE COMST about botnet detection that was published last year, this yields a grand-total of 2 publications more than I thought would ever bear my name. In any case, my former colleagues are continuing their excellent work on the project which can be tracked at the iSDF wiki-page.


July 1, 2013

Blocking traffic flows selectively with a timeout from Bro IDS

Filed under: Blog — krkhan @ 2:55 am

I needed to block some flows on OpenWRT from the Bro IDS. One option was to install the recent module for expiring iptables rules, which sounded like overkill. After some tinkering around I landed on using a shell script and at to expire the firewall rules after a timeout (luckily the at daemon was available on OpenWRT, which made my job easier).

There are three parts to the process:

The bash script

First, a script which:

  1. Constructs the iptables rule and inserts it at the top of the FORWARD chain.
  2. Constructs the corresponding deletion rule.
  3. Creates a temporary shell script, writes the deletion rule to it, and makes the new script delete itself after it runs.
  4. Schedules a launch of the temporary script with the at command.

Here’s the script:

#!/bin/sh

# usage: blockflow.sh proto src sport dst dport timeout
# proto "any", address 0.0.0.0 and port 0 act as wildcards; timeout is in minutes
if [ $# -ne 6 ] ; then
  echo "usage: $0 proto src sport dst dport timeout"
  exit 1
fi

proto=$1
src=$2
sport=$3
dest=$4
dport=$5
timeout=$6

echo "  proto: $proto"
echo "    src: $src"
echo "  sport: $sport"
echo "   dest: $dest"
echo "  dport: $dport"
echo "timeout: $timeout"

rule=""

if [ "$proto" != "any" ]; then
  rule="$rule --protocol $proto"
fi

if [ "$src" != "0.0.0.0" ]; then
  rule="$rule --source $src"
fi

if [ "$sport" != "0" ]; then
  rule="$rule --sport $sport"
fi

if [ "$dest" != "0.0.0.0" ]; then
  rule="$rule --destination $dest"
fi

if [ "$dport" != "0" ]; then
  rule="$rule --dport $dport"
fi

rule="$rule -j DROP"

echo "rule: $rule"

addcmd="iptables -I FORWARD $rule"
delcmd="iptables -D FORWARD $rule"

# the deletion command goes into a throwaway script that removes itself after running
delscript=`mktemp`
echo "delscript: $delscript"

echo "#!/bin/sh" >>"$delscript"
echo "$delcmd" >>"$delscript"
echo "rm \"${delscript}\"" >>"$delscript"
chmod 755 "$delscript"

echo "adding iptable rule:"
echo "$addcmd"
# word-splitting of $addcmd is intended: it runs iptables with the rule's arguments
$addcmd

# at only accepts whole-minute offsets, hence the minute granularity of timeouts
atcmd="at -M -f $delscript now + $timeout min"
echo "creating at job for deletion:"
echo "$atcmd"
$atcmd

Given below is an example run. First, let’s print the default FORWARD chain:

# iptables -nL FORWARD
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             10.42.0.0/24         state RELATED,ESTABLISHED
ACCEPT     all  --  10.42.0.0/24         anywhere            
ACCEPT     all  --  anywhere             anywhere            
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Block a flow for 2 minutes:

# sh blockflow.sh tcp 50.50.50.50 50 60.60.60.60 60 2
  proto: tcp
    src: 50.50.50.50
  sport: 50
   dest: 60.60.60.60
  dport: 60
timeout: 2
rule:  --protocol tcp --source 50.50.50.50 --sport 50 --destination 60.60.60.60 --dport 60 -j DROP
delscript: /tmp/tmp.SAREJvtsK0
adding iptable rule:
iptables -I FORWARD --protocol tcp --source 50.50.50.50 --sport 50 --destination 60.60.60.60 --dport 60 -j DROP
creating at job for deletion:
at -M -f /tmp/tmp.SAREJvtsK0 now + 2 min
job 79 at Sun Jun 30 14:37:00 2013

Let’s check if the new rule was added:

# iptables -nL FORWARD
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
DROP       tcp  --  50.50.50.50          60.60.60.60          tcp spt:50 dpt:60
ACCEPT     all  --  anywhere             10.42.0.0/24         state RELATED,ESTABLISHED
ACCEPT     all  --  10.42.0.0/24         anywhere            
ACCEPT     all  --  anywhere             anywhere            
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

After 2 minutes, the temporary shell script will remove the rule and then delete itself. To confirm:

# iptables -nL FORWARD
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             10.42.0.0/24         state RELATED,ESTABLISHED
ACCEPT     all  --  10.42.0.0/24         anywhere            
ACCEPT     all  --  anywhere             anywhere            
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

The Bro module

A simple module which exports just one function, BlockFlow::block. It takes a conn_id and a count (the timeout in minutes) and calls the shell script with the matching parameters:

module BlockFlow;
 
export {
  global block: function(id: conn_id, t: count);
}
 
function block(id: conn_id, t: count)
{
  print fmt("blocking %s:%d -> %s:%d for %d minutes", id$orig_h, id$orig_p, id$resp_h, id$resp_p, t);
 
  local protocol = get_port_transport_proto(id$resp_p);
  print fmt("protocol is: %s", protocol);
 
  local cmd: string = fmt("sh blockflow.sh %s %s %d %s %d %d",
                          protocol, id$orig_h, id$orig_p, id$resp_h, id$resp_p, t);
  print fmt("executing: %s", cmd);
  system(cmd);
}

Bro module usage

And finally, using the module from a Bro script:

@load ./blockflow
 
event bro_init()
  {
    local id: conn_id;
    id$orig_h = 10.10.10.10;
    id$orig_p = 10/tcp;
    id$resp_h = 20.20.20.20;
    id$resp_p = 20/tcp;
    BlockFlow::block(id, 2);
  }

And the flow will be blocked for 2 minutes. Unfortunately, due to the way the at command works, the granularity of timeouts is limited to whole minutes. If you really want to block flows for only a few seconds, a quick solution would be to use sleep in place of at before expiring the rule.
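A reworked version of the same idea, as an added example rather than the blog's own blockflow.sh: it keeps the rule construction above but validates the protocol, addresses and ports before they reach iptables, refuses an all-wildcard rule (with the script above, passing any 0.0.0.0 0 0.0.0.0 0 yields a bare -j DROP that blackholes every forwarded flow), and expires the rule with a background sleep so the timeout is in seconds, as suggested above. The IPTABLES variable is an assumed hook so the script can be dry-run with IPTABLES="echo iptables"; the addresses in the comments are constructed.

```shell
#!/bin/sh
# Added example, not the blog's blockflow.sh: same rule construction, plus
# input validation, a refusal to install an all-wildcard DROP, and sleep-based
# expiry in seconds.  IPTABLES is an assumed hook for dry runs (IPTABLES="echo iptables").
IPTABLES="${IPTABLES:-iptables}"

# is_ipv4 ADDR: true for four dotted decimal octets, each in 0..255
is_ipv4() {
  case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
  old_ifs=$IFS
  IFS=.
  set -- $1
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# is_port P: true for an integer 0..65535 (0 means "any", as in the original script)
is_port() {
  case $1 in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -le 65535 ]
}

# build_rule PROTO SRC SPORT DST DPORT: print the iptables match and target, or fail
build_rule() {
  proto=$1; src=$2; sport=$3; dst=$4; dport=$5
  case $proto in tcp|udp|any) ;; *) echo "bad protocol: $proto" >&2; return 1 ;; esac
  is_ipv4 "$src" && is_ipv4 "$dst" || { echo "bad address" >&2; return 1; }
  is_port "$sport" && is_port "$dport" || { echo "bad port" >&2; return 1; }
  if [ "$proto" = any ] && [ "$sport$dport" != 00 ]; then
    echo "port matches need tcp or udp" >&2; return 1   # iptables would reject this too
  fi
  rule=""
  [ "$proto" = any ]   || rule="$rule --protocol $proto"
  [ "$src" = 0.0.0.0 ] || rule="$rule --source $src"
  [ "$sport" = 0 ]     || rule="$rule --sport $sport"
  [ "$dst" = 0.0.0.0 ] || rule="$rule --destination $dst"
  [ "$dport" = 0 ]     || rule="$rule --dport $dport"
  if [ -z "$rule" ]; then
    echo "refusing to DROP all forwarded traffic" >&2; return 1
  fi
  echo "${rule# } -j DROP"
}

# block_flow PROTO SRC SPORT DST DPORT SECONDS: insert the DROP rule at the top
# of FORWARD and remove it again after SECONDS via a background sleep.
block_flow() {
  [ $# -eq 6 ] || { echo "usage: block_flow proto src sport dst dport seconds" >&2; return 1; }
  case $6 in ''|*[!0-9]*) echo "bad timeout: $6" >&2; return 1 ;; esac
  rule=$(build_rule "$1" "$2" "$3" "$4" "$5") || return 1
  $IPTABLES -I FORWARD $rule                     # word-splitting of $rule is intended
  ( sleep "$6"; $IPTABLES -D FORWARD $rule ) &   # expiry with second granularity
}

# Run directly, e.g.: sh blockflow2.sh tcp 50.50.50.50 50 60.60.60.60 60 120
if [ $# -eq 6 ]; then
  block_flow "$@"
fi
```

The Bro side stays the same: BlockFlow::block can call this script with the same argument order, only the last argument is now seconds instead of minutes. Because the deletion is a backgrounded subshell of the script rather than an at job, a reboot or a kill of the parent shell drops the pending removal; at survives that, which is the trade-off for its minute granularity.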


December 10, 2012

Bro IDS on OpenWRT

Filed under: Blog — krkhan @ 12:59 pm

While I was at SysNet, we had been working on a project we called “Shrimp” — Software-defined Home Router Intelligent Monitoring Point. The goal of the project was to provide a framework for easy programmatic access to network monitoring on low-cost, commodity, home router devices. One of the requirements was to have an IDS on the home routers for which we chose Bro — the leading framework for semantic analysis of network traffic.

The OpenWRT OS was chosen as the target platform. Its SDK contained a cross-compile toolchain for CMake projects. However, during the compilation Bro tried to run the binpac and bifcl executables to process intermediate files. Since those executables had been built for the target architecture, they could not run on the build host whenever the two architectures differed (mostly the case, e.g., we were building on x86-64 and the target was arm).

The (not-so-pretty ™) workaround we used was to build Bro twice. Once for the host, and once for the target. The CMake files were then patched to first generate binpac and bifcl binaries if they weren’t provided and then use the provided binaries if they were defined at make time. The first compile generated the binaries on x86-64 and the second compile (for arm) used the earlier binaries to process the bif files.

The Makefile and patches are available in this tarball: openwrt-bro.tar.gz, while the compiled ipk package is also available for installation. Here is a test execution of Bro on OpenWRT:

# bro -v
bro version 2.0
# cat test.bro
event bro_init()
{
	print "Hello World!";
}

event new_connection(c: connection)
{
	print "New connection created";
}
# bro test.bro
Hello World!
# bro -i br-lan test.bro
Hello World!
New connection created
New connection created
# ls
conn.log           notice_policy.log  reporter.log       weird.log
dns.log            packet_filter.log  test.bro

A heap of thanks to Zaafar for dealing with my messy code and providing the links to hosted files :) !


March 30, 2011

GSmolt: A GTK+ frontend for Smolt

Filed under: Blog — krkhan @ 1:46 am

Smolt is a hardware profiler for Linux distributions which makes it easier for end-users to report back their machine configurations to a centralized database. Mike McGrath provides an excellent backend for developing Smolt GUIs which I have coupled with GTK+ for GSmolt:

[Screenshot: GSmolt main window]
[Screenshot: GSmolt send dialog]

The script can be found at the gsmolt repository on GitHub. Things on todo list include profile reporting in a separate thread and better error handling. I’ll provide RPM and Deb packages when the code is ready for a public release.

As a side note, this is the first project I have tracked using GitHub (as opposed to Launchpad + Bazaar). While Launchpad has its added advantage of PPAs which make it easier to push out public releases for Debian derivatives, I’m liking the Git experience so far. Hopefully some day Copr shall mature to a point where it can be the end-all, be-all Launchpad alternative for Fedora users.


November 17, 2010

HOWTO: Use animated XScreenSaver matrix backgrounds with Xfce

Filed under: Blog — krkhan @ 7:13 pm

Screensavers like glmatrix have long been used by *nixers to woo people by showing them customizable animations as desktop wallpapers. Users of desktop environments such as Xfce, however, have to use xwininfo to find the window ID of their desktop, because the “-root” option stops working once the root window is overlaid by the respective desktop manager (e.g., Xfdesktop). For those who want to automate the startup of XScreenSaver wallpapers in such environments, here’s a quick command you can use:

$ /usr/libexec/xscreensaver/glmatrix -window-id $(xwininfo -name "Desktop" | grep 'Window id' | sed 's/.*\(0x[0-9a-z]*\).*/\1/g')

Results:

[Screenshot: Xfce with the glmatrix wallpaper, #1]
[Screenshot: Xfce with the glmatrix wallpaper, #2]


July 1, 2010

dd: The Ultimate Backup Solution

Filed under: Blog — krkhan @ 7:27 am

Over the 8 years of my acquaintance with computers, valuable data has been lost at an average of twice per annum. I have tried all kinds of solutions to help my situation, only to fail miserably by forgetting to back up some important bits and pieces of information before upgrading my distro.

Backup solutions can mostly be factored into two approaches: archiving and cloning. If space is limited, you can archive your important data using utilities such as tar. This in fact was the approach I had been using until now. The downside appeared to be the poor accessibility of the files inside the backup. Say I needed a small text file from a 200 GB archive: it’d take me around 20 minutes to “get” to its location in the archive.

Which is why I decided to shift to a newer approach. My laptop has a 320 GB hard disk and I own another 320 GB Western Digital Passport for extra data. To take advantage of the matching sizes, I bought another 500 GB Passport, transferred the “extra” data to it and then cloned the entire laptop hard disk to its 320 GB external cousin.

$ dd if=/dev/sda of=/dev/sdb

That is all. dd’s performance was questionable, as it took around 15 hours to clone the entire 320 GB. Nevertheless, this time around I was satisfied with the final backup. Not only was it a bit-by-bit replica of my original data but also an accessible repository which I could reach by simply plugging in the USB disk.


June 5, 2010

HOWTO: Find interesting dictionary words with your Linux box

Filed under: Blog — krkhan @ 4:24 pm

Few *nix users are aware of the existence of a file called /usr/share/dict/words on their machines. The original purpose of this file was to assist Unix programs in spell-checking. Now that every program that supports typo-prevention includes its own dictionaries, the words file no longer counts as something significant in the geek universe.

Nevertheless, the nifty gem can still serve as a fun place to find or coin new words based on lexicographical constraints. The omnipresent egrep command can be used to exploit the power of regular expressions against the English dictionary. Here’s how:

  • Find all words containing 6 or more characters which don’t contain any vowel, dot or dash:
    -bash-$ egrep -i '^[^aeiou.-]{6,}$' /usr/share/dict/words

    bkbndr
    BSDHyg
    BSFMgt
    BSGMgt
    BSPhTh
    crwths
    crypts
    Cynthy
    Cynwyd
    cywydd
    flybys
    Flysch
    flysch
    ftncmd
    ghylls
    glycyl
    glycyls
    glyphs
    gypsyfy
    gypsyry
    Khlyst
    Khlysts
    Khlysty
    Kylynn
    kyschty
    lymphs
    lymphy
    Lynndyl
    MSGMgt
    mtscmd
    myrrhs
    myrrhy
    Myrvyn
    Myrwyn
    nymphly
    nymphs
    pgnttrp
    Phyllys
    Phylys
    phytyl
    psychs
    pyrryl
    rhythm
    rhythms
    Schwyz
    spryly
    SSTTSS
    stddmp
    strych
    styryl
    sylphs
    sylphy
    symphysy
    synchs
    synths
    syzygy
    thymyl
    trysts
    tsktsk
    tsktsks
    tyddyn
    vyrnwy
    why’ll
    Wrycht
    WWMCCS
    xylyls

  • Find all words containing exactly 4 characters which can be spelled in pure Hexspeak, e.g., 0xDEADBEEF or 0xBABEFACE:
    -bash-$ egrep -i '^[abcdef]{4}$' /usr/share/dict/words

    AAAA
    AAEE
    abac
    Abad
    Abba
    abba
    Abbe
    abbe
    abed
    ACAA
    acad
    acca
    acce
    ACDA
    aced
    Adad
    adad
    Adda
    adda
    Adee
    AFCC
    affa
    Baba
    baba
    Babb
    Babe
    babe
    BAcc
    Badb
    bade
    BAEd
    baff
    bead
    Bebe
    Bede
    bede
    Beeb
    beef
    BFDC
    caba
    Cabe
    Caca
    caca
    cace
    CADD
    Cade
    cade
    CAFE
    cafe
    caff
    CDCF
    ceca
    Cece
    cede
    CFCA
    dabb
    Dace
    dace
    Dada
    dada
    Dade
    dade
    daff
    DBAC
    dead
    deaf
    debe
    decd
    deda
    dedd
    Dede
    deed
    Eada
    Eade
    EAFB
    Ebba
    ebcd
    ECAD
    ecad
    Ecca
    ecce
    EDAC
    Edda
    edda
    Edea
    edea
    Edee
    Faba
    Fabe
    FACD
    face
    fade
    faff
    FEAF
    Febe
    feeb
    feed
    feff

  • Find all words which contain ‘H’, ‘T’, ‘M’ and ‘L’ in precisely that order:
    -bash-$ egrep -i '^h.*t.*m.*l$' /usr/share/dict/words

    haemathermal
    haematothermal
    hemathermal
    hematothermal
    hepatoumbilical
    hephthemimeral
    heptametrical
    heteroecismal
    heteromeral
    heterothermal
    hexahydrothymol
    hippotomical
    histochemical
    histomorphological
    homeothermal
    homoiothermal
    homothermal
    hydrothermal
    hygrothermal
    hyperrhythmical
    hypersentimental
    hyperthermal
    hypertridimensional
    hypostomial
    hypothermal
    hysteromaniacal

  • Find all words containing ‘s’, ‘e’ and ‘x’ but at least one different character between each of them:
    -bash-$ egrep -i '^.*s[^sex]+e[^sex]+x.*$' /usr/share/dict/words

    antispermotoxin
    asterixis
    Asteroxylaceae
    Asteroxylon
    Cristineaux
    Erysipelothrix
    erysipelothrix
    Herstmonceux
    Hurstmonceux
    inspectrix
    Issy-les-Molineux
    Lisieux
    mesoappendix
    obstetrix
    pressure-fixing
    proces-verbaux
    salenixon
    salpingemphraxis
    salteaux
    saucebox
    sauceboxes
    sceuophylax
    scleronyxis
    scleroticonyxis
    scleroxanthin
    she-fox
    side-box
    sidebox
    Sideroxylon
    single-tax
    skeptophylaxia
    skeptophylaxis
    slipper-foxed
    smokebox
    sneakbox
    sore-pressedsore-taxed
    sore-taxed
    spectatrix
    speculatrix
    spermatoxin
    spermotoxin
    sphacelotoxin
    sphenomaxillary
    spice-box
    splanchnemphraxis
    splenauxe
    splenotoxin
    state-taxed
    stenothorax
    sternomaxillary
    sternoxiphoid
    stone-axe
    Streptothrix
    subbureaux
    sulfadimethoxine
    superaxillary
    superfix
    superfixes
    superflux
    supergalaxies
    supergalaxy
    superluxurious
    superluxuriously
    superluxuriousness
    supermaxilla
    supermaxillary
    supermixture
    superoxalate
    superoxide
    superoxygenate
    superoxygenated
    superoxygenating
    superoxygenation
    supertax
    supertaxation
    supertaxes
    sweatbox
    sweatboxes
    swine-pox
    swinepox
    swinepoxes
    Thrsieux

Now you can name your start-up company “SupErfiX” and hope that it will someday be acquired by Microsoft.


June 4, 2010

How NOT to copy MBR with the dd command

Filed under: Blog — krkhan @ 8:39 pm

Yesterday I needed to copy the MBR of a drive over another. Googling a little I found the following command in various tutorials:

-bash-$ dd if=/dev/sda of=/dev/sdb bs=512 count=1

Where /dev/sda and /dev/sdb were the original and target hard disks respectively. The command did complete its work in a snap, but it also made me learn a thing about MBR structures the hard way: only the first 446 bytes of the MBR contain boot code; the next 64 contain the partition table!

The implications of the lesson being, if partition tables of both hard disks differ — which unfortunately was the case with me — the partition table of the target hard-disk will be overwritten. The correct way would therefore be:

-bash-$ dd if=/dev/sda of=/dev/sdb bs=446 count=1

In case you did mess up the table, I recommend TestDisk for recovering your partitions.
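To see the difference between the two commands without touching a real disk, here is an added example (not from the post) that builds two constructed 512-byte MBR images in a temporary directory, clones one onto the other with bs=512 and with bs=446, and reports which bytes of the target survive. It relies on the standard layout: 446 bytes of boot code, a 64-byte partition table, then the two-byte 0x55AA signature; the file names and the filler characters are constructed for the demo.

```shell
#!/bin/sh
# Added example, not the blog's commands: two fake 512-byte "disks" are built in
# a temp dir (constructed data, not real MBRs) and cloned both ways to show what
# survives on the target.  Layout assumed: 446 bytes boot code, 64 bytes
# partition table, 2 bytes 0x55AA signature.

# make_disk FILE BOOTCHAR TABLECHAR: boot area filled with BOOTCHAR, table with TABLECHAR
make_disk() {
  {
    dd if=/dev/zero bs=446 count=1 2>/dev/null | tr '\0' "$2"   # boot code area
    dd if=/dev/zero bs=64  count=1 2>/dev/null | tr '\0' "$3"   # partition table
    printf '\125\252'                                            # 0x55 0xAA signature
  } > "$1"
}

# byte_at FILE OFFSET: print the single byte found at OFFSET
byte_at() { dd if="$1" bs=1 skip="$2" count=1 2>/dev/null; }

# The two commands from the post.  conv=notrunc keeps the rest of the file in
# place, which is how a real block device behaves anyway (dd never truncates it).
copy_mbr_wrong() { dd if="$1" of="$2" bs=512 count=1 conv=notrunc 2>/dev/null; }
copy_mbr_right() { dd if="$1" of="$2" bs=446 count=1 conv=notrunc 2>/dev/null; }

# clone_result wrong|right: fresh source/target pair, clone with the chosen
# command, then print "<target boot byte> <target table byte> <target size>"
clone_result() {
  dir=$(mktemp -d)
  make_disk "$dir/sda" A X    # source: boot code 'A', partition table 'X'
  make_disk "$dir/sdb" B Y    # target: boot code 'B', partition table 'Y'
  if [ "$1" = wrong ]; then
    copy_mbr_wrong "$dir/sda" "$dir/sdb"
  else
    copy_mbr_right "$dir/sda" "$dir/sdb"
  fi
  echo "$(byte_at "$dir/sdb" 0) $(byte_at "$dir/sdb" 446) $(( $(wc -c < "$dir/sdb") ))"
  rm -rf "$dir"
}

# Run directly with "demo" to see both outcomes side by side
if [ "${1:-}" = demo ]; then
  echo "wrong (bs=512): $(clone_result wrong)"
  echo "right (bs=446): $(clone_result right)"
fi
```

Running `sh mbrdemo.sh demo` prints `wrong (bs=512): A X 512` and `right (bs=446): A Y 512`: with bs=512 the target's partition table (Y) has been replaced by the source's (X), while with bs=446 only the boot code is replaced and the table is untouched. The same check against real devices is `dd if=/dev/sdb bs=1 skip=446 count=64 | od -c` before and after, which is a cheap way to confirm a clone did what you intended.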
