An alchemist's view from the bar

Network Security Alchemy

OpenFPC in 2014


They say that time flies, and they’re right (damn them, whoever they are). Lots of things have been going on in my life over the last year, but hey, you likely don’t care about that; you’re here because you’re interested to find out if OpenFPC is still alive and growing… and the answer is yes – but with a bit of a twist.

So here are the big changes and updates you may like to know about.

  • Hosting has been moved from Googlecode SVN to git on github (https://github.com/leonward/OpenFPC)
  • I’ve removed the GUI components from the install because I’m struggling to maintain them. I only *ever* used the command line interface anyway, so I expect many others are the same. They’re still in the same git repo for now, but not included in the installer.
  • Session searching now functions from the command line
  • Distributed session databases: each node keeps its own session data locally
  • If multiple nodes are all linked by a proxynode*, a session search from that proxy takes place *at* all nodes and all results are combined before being transmitted back to the client
  • Multiple TZs are supported. Each node works correctly in its own TZ, and data combined from multiple nodes in different TZs is handled correctly
  • Added support for parsing passivedns logs (really cool, I’ll put together a walk-through of how that works sometime)
  • I’ve wrapped together a release called 0.9 that contains all of these
  • None of the services run as root
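As an added illustration of the proxy-side merge the list above describes (example code written for this page, not OpenFPC's own implementation), here is the one step that has to be right when nodes sit in different TZs: normalise every node's hits to UTC before applying the search window and sorting. The node names, record fields, timestamps and TZ assignments below are constructed for the example; OpenFPC's real session schema is not shown on this page.

```python
from datetime import datetime, timedelta, timezone
from zoneinfo import ZoneInfo

# Constructed sample of what two nodes might hand back to a proxy node for
# one session search. The node names, record fields and timestamps are
# assumptions made for this example; they are not OpenFPC's session schema.
# Each node reports start times as naive local time in its own TZ, which is
# the situation the release notes describe.
NODE_RESULTS = {
    "node-london": {
        "tz": "Europe/London",          # BST (UTC+1) on the sample date
        "sessions": [
            {"start": "2014-09-15 11:05:00", "src": "10.0.0.5", "dst": "192.0.2.10", "dpt": 22},
            {"start": "2014-09-15 10:40:00", "src": "10.0.0.6", "dst": "192.0.2.10", "dpt": 22},
        ],
    },
    "node-newyork": {
        "tz": "America/New_York",       # EDT (UTC-4) on the sample date
        "sessions": [
            {"start": "2014-09-15 06:07:00", "src": "10.1.0.9", "dst": "192.0.2.10", "dpt": 22},
            {"start": "2014-09-15 06:01:00", "src": "10.1.0.9", "dst": "192.0.2.10", "dpt": 443},
        ],
    },
}

# The proxy's idea of "now", fixed so the example is reproducible.
NOW_UTC = datetime(2014, 9, 15, 10, 10, 0, tzinfo=timezone.utc)


def to_utc(local_start, tz_name):
    """Interpret a naive 'YYYY-MM-DD HH:MM:SS' string in the node's TZ
    (DST included) and return an aware UTC datetime."""
    naive = datetime.strptime(local_start, "%Y-%m-%d %H:%M:%S")
    return naive.replace(tzinfo=ZoneInfo(tz_name)).astimezone(timezone.utc)


def merge_search(node_results, now_utc, window, dpt=None):
    """Proxy-side merge of per-node results.

    Every hit is normalised to UTC before the time window and port filter
    are applied, so a 10-minute window means the same instant on every node
    regardless of its local TZ. Hits are returned newest first, tagged with
    the node they came from.
    """
    earliest = now_utc - window
    merged = []
    for node, data in node_results.items():
        for s in data["sessions"]:
            start_utc = to_utc(s["start"], data["tz"])
            if not earliest <= start_utc <= now_utc:
                continue
            if dpt is not None and s["dpt"] != dpt:
                continue
            merged.append({**s, "node": node, "start_utc": start_utc})
    merged.sort(key=lambda s: s["start_utc"], reverse=True)
    return merged


def demo():
    """Sessions to TCP/22 that started in the 10 minutes before NOW_UTC."""
    return merge_search(NODE_RESULTS, NOW_UTC, timedelta(minutes=10), dpt=22)


if __name__ == "__main__":
    for hit in demo():
        print(hit["start_utc"].isoformat(), hit["node"], hit["src"], "->", hit["dst"], hit["dpt"])
```

Note the ordering the merge produces: New York's 06:07 local is 10:07 UTC and is the newest hit, while London's 11:05 local is 10:05 UTC. Comparing the raw local strings would have put London first and, worse, applied the 10-minute window at two different instants.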

There is still a long list of things that I’d like to do with the project; for example I’ve been playing with Dancer to provide a full REST API. The next things I need to do, however, are update the docs, find a stable place to host downloads, sort out the website, then work out what to do with the whole GUI thing for those that used it. All topics for another day.

*I really need to rename “proxy” in the openfpc context… If anyone has a better suggestion for a name I’m all ears.

You can download 0.9 here for now while I try and sort out the old http://www.openfpc.org website and turn it into something maintainable. Alternatively you could just clone it from github

ofpc-0.9-simplesearch

Here is a quick teaser of it in use, searching for sessions destined for TCP:22 that started within the last 10 minutes.


Written by leonward

September 15, 2014 at 11:00 am

Posted in Uncategorized

Les Deux Alpes 2014


Sometimes you just need to get away from it all. This is the video from our 2014 downhillin’ trip to Les Deux Alpes bike park. Loads of fun. You don’t see much of me in the video because the GoPro is attached to my head.

Written by leonward

September 14, 2014 at 11:32 am

Posted in Cycling


OpenFPC on Security Onion


I’ve been asked a couple of times if OFPC can be installed on Security Onion, and I’m happy to say yes it can (as of the time of writing anyway, rev 335 in SVN). While poking about with it I spotted a small yet critical bug that I had to squish in 334. Here is what you have to do:

1) Download and install Security Onion

You can download it from here -> http://sourceforge.net/projects/security-onion/files/

2) Grab OpenFPC from SVN

$ svn checkout http://openfpc.googlecode.com/svn/trunk/ openfpc-read-only
A openfpc-read-only/tools
A openfpc-read-only/tools/ofpc-cxsearch.pl
A openfpc-read-only/tools/mk_release.sh
A openfpc-read-only/tools/testParse.pl
<snip>

3) Install some extra packages

Get and install cxtracker and some other stuff

$ wget http://github.com/downloads/gamelinux/cxtracker/cxtracker_0.9.5-1_i386.deb

$ sudo dpkg -i ./cxtracker_0.9.5-1_i386.deb

$ sudo apt-get install libarchive-zip-perl libfilesys-df-perl libdate-simple-perl libdatetime-perl

4) Run the installer

OpenFPC checks for some dependencies during install, and these checks will fail on Onion even after installing the above. One reason is that it checks for Apache 2, but what Onion has installed is Apache 2.2, which the check doesn’t recognise. Use the forceinstall action instead to continue.

$ sudo ./openfpc-install.sh forceinstall

5) Create the GUI and Session DBs

Security Onion doesn’t have a password set for the root mysql user, which doesn’t sit well with the OpenFPC install scripts as they expect there to be one. When a password is prompted for, simply hit the Enter key. This looks a little confusing, so here is an exact copy/paste of what to expect. You could of course set a password for root, but I don’t know what else on the platform this may break (if anything).

$ sudo openfpc-dbmaint create gui /etc/openfpc/openfpc-default.conf
[*] Enter mysql “root” credentials to connect to your local mysql server in order to create the databases
DB root Username: root
DB root Password: <Enter> Enter password: <Enter> 

[*] Enter an initial username for the first OpenFPC GUI user.
GUI Username: admin
GUI Password: <a password>
Email address: admin@admin.com
Real Name: My real name
grep: /etc/openfpc/openfpc.passwd: No such file or directory
USER NOT FOUND. Adding admin.
Creating new user file /etc/openfpc/openfpc.passwd…
Adding user admin
Done.
CREATING GUI DATABASE
—————————
Enter password: <Enter> 
Enter password: <Enter> 
Enter password: <Enter> 
Enter password: <Enter> 
GUI DB Created.
Enter password: <Enter> 
Enter password: <Enter> 
New user admin added.
[*] Restarting OpenFPC

<SNIP>

Then create the session DB. It will also look a little weird if a blank password is used for the mysql ‘root’ user.

$ sudo openfpc-dbmaint create session /etc/openfpc/openfpc-default.conf
[*] Enter mysql “root” credentials to connect to your local mysql server in order to create the databases
DB root Username: root
DB root Password: <Enter> Enter password:
———————————————————
[*] Working on Instance /etc/openfpc/openfpc-default.conf .
Would you like session capture ENABLED on Default_Node? (y/n)y
[-] Enabling session capture in Default_Node config
Done.
[-] Found cxtracker.
CREATING DATABASE
—————————
Enter password: <Enter>
Enter password: <Enter>
Enter password: <Enter>
Enter password: <Enter>
Enter password: <Enter>
Session DB Created.
Adding function INET_ATON6… to DB openfpc
Enter password: <Enter>
[*] Restarting OpenFPC <SNIP>

6) Try it out.

The command line should be functional now, as should the GUI accessible at https://localhost/openfpc/

$ sudo  openfpc-client -a status

* openfpc-client 0.7 *
Part of the OpenFPC project

Username: admin
Password for user admin : <My Password>
####################################
OpenFPC Node name : Default_Node
OpenFPC Node Type : NODE
OpenFPC Version : 0.6
Oldest Packet : 1347467610 (Wed Sep 12 16:33:30 2012)
Oldest Session : 1347479998 (Wed Sep 12 19:59:58 2012)
Packet utilization : 25%
Session utilization : 25%
Session DB Size : 8 rows
Session lag : 0 files
Storage utilization : 25%
Packet space used : 4726172 (4.73 GB)
Session space used : 4726172 (4.73 GB)
Storage used : 4726172 (4.73 GB)
Load avg 1 : 1.54
Load avg 5 : 1.34
Load avg 15 : 1.16
Errors : 0

You should now be able to configure Snorby to extract data from OpenFPC when alerts fire on the Security Onion.
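Once the node is up, the status output shown in step 6 is the thing to watch: utilisation tells you how close the capture store is to wrapping, and a non-zero session lag means the session search is missing the newest data. The following is an added example for this page, not OpenFPC code: it parses that status output into fields and applies thresholds a monitoring job could alert on. The healthy sample is the page's own output; the degraded sample and the thresholds are constructed for the example, and treating "Session lag" as a backlog of session files not yet loaded into the session DB is this example's reading of the field.

```python
import re

# Constructed sample: the '-a status' output as shown on this page, plus an
# invented variant for a node that is falling behind. Field names match the
# page's output; the thresholds below are this example's own choices.
STATUS_HEALTHY = """\
####################################
OpenFPC Node name : Default_Node
OpenFPC Node Type : NODE
OpenFPC Version : 0.6
Oldest Packet : 1347467610 (Wed Sep 12 16:33:30 2012)
Oldest Session : 1347479998 (Wed Sep 12 19:59:58 2012)
Packet utilization : 25%
Session utilization : 25%
Session DB Size : 8 rows
Session lag : 0 files
Storage utilization : 25%
Packet space used : 4726172 (4.73 GB)
Session space used : 4726172 (4.73 GB)
Storage used : 4726172 (4.73 GB)
Load avg 1 : 1.54
Load avg 5 : 1.34
Load avg 15 : 1.16
Errors : 0
"""

# Invented degraded node: storage nearly full, session loading behind, errors.
STATUS_DEGRADED = (STATUS_HEALTHY
                   .replace("Session lag : 0 files", "Session lag : 37 files")
                   .replace("Storage utilization : 25%", "Storage utilization : 96%")
                   .replace("Errors : 0", "Errors : 3"))

LINE_RE = re.compile(r"^([A-Za-z][A-Za-z0-9 ]*?)\s*:\s*(.*)$")
NUM_RE = re.compile(r"^(-?\d+(?:\.\d+)?)")


def parse_status(text):
    """Turn the 'Key : Value' lines into a dict.

    Each value keeps its raw string under 'raw'; if it starts with a number
    (epoch, percentage, row/file count, load average) that number is also
    exposed under 'num' so callers can threshold on it without re-parsing.
    Banner, separator and blank lines are skipped.
    """
    fields = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        key, raw = m.group(1).strip(), m.group(2).strip()
        n = NUM_RE.match(raw)
        num = None
        if n:
            num = float(n.group(1)) if "." in n.group(1) else int(n.group(1))
        fields[key] = {"raw": raw, "num": num}
    return fields


def check_health(fields, max_util=90, max_lag_files=0, max_errors=0):
    """Return a list of problems a monitoring job should alert on.

    Any utilisation at or above max_util means the store is about to wrap;
    a session lag above max_lag_files means session files are still waiting
    to be loaded, so a session search would miss recent traffic.
    """
    problems = []
    for key in ("Packet utilization", "Session utilization", "Storage utilization"):
        f = fields.get(key)
        if f is None or f["num"] is None:
            problems.append(f"{key}: missing")
        elif f["num"] >= max_util:
            problems.append(f"{key}: {f['raw']} >= {max_util}%")
    lag = fields.get("Session lag", {}).get("num")
    if lag is None or lag > max_lag_files:
        problems.append(f"Session lag: {lag} files")
    errors = fields.get("Errors", {}).get("num")
    if errors is None or errors > max_errors:
        problems.append(f"Errors: {errors}")
    return problems


def retention_hours(fields, now_epoch):
    """How far back a packet fetch can reach, from 'Oldest Packet' to now_epoch."""
    return (now_epoch - fields["Oldest Packet"]["num"]) / 3600.0


if __name__ == "__main__":
    for name, text in (("healthy", STATUS_HEALTHY), ("degraded", STATUS_DEGRADED)):
        print(name, check_health(parse_status(text)) or "OK")
```

Run it against a live node by piping the output of `openfpc-client -a status` into parse_status; the epoch in "Oldest Packet" is what tells you whether an alert from Snorby is still within the window you can actually pull packets for.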

Written by leonward

September 19, 2012 at 3:40 pm

Posted in OpenFPC, Security

My Coed y Brenin Bike Crash (March 2012)


I had a good crash this weekend while at a trail center in Wales. I’ll live to ride another day!

Here’s the video taken from the GoPro mounted to my chest.

Written by leonward

March 20, 2012 at 2:09 pm

Posted in Fail


List of Mountain Bike films on iTunes


I’m a big buyer of content via iTunes, however sometimes the search interface lets me down. I find it frustrating that there isn’t a way of listing content for an interest group (such as MTB movies), and whenever I’m taking a long flight, I find a bike movie is perfect viewing.

To help anyone else trying to find a list of decent MTB films that are all available on iTunes, perhaps the below could help. I’ll try to keep it updated as I dig out more over time. Simply search for the film name on iTunes and it should turn up in the store. Note that some of these are marked as TV shows rather than films.

Follow Me – http://www.anthillfilms.com/followme/

Vast – http://www.ionatefilms.com/

Here we go again – http://dh-productions.com/HereWeGoAgain/index.html

Life Cycles – http://www.lifecyclesfilm.com/


Written by leonward

January 14, 2012 at 11:13 am

Posted in Uncategorized


Defining an Achievable Network Segmentation Process


We all struggle balancing work and personal projects, but somehow I managed to combine both into one with the new Sourcefire blog (http://blog.sourcefire.com).

I’ve had a blog posted there rather than here for once, so if you’re interested in network segmentation go take a read.

The modern enterprise network has undertaken massive changes over recent years. The adoption of cloud computing, consumerization, mobilization, and the explosion of the “app” markets has driven us all to use technology in new ways. We must embrace these new technologies and the business edge that they can offer, but all the while we need to recognize that just below all of this new technology there is something supporting it that hasn’t changed: the security infrastructure they depend on to deliver safe and controlled service.

Read more here -> http://blog.sourcefire.com/2011/09/defining-achievable-network.html

-Leon


Written by leonward

October 3, 2011 at 9:31 am

Posted in Uncategorized

Big OpenFPC release – 0.6


Pushing forwards closer to a 1.0 release for OpenFPC, one of the major components has now been updated – the GUI.

To introduce this new release I’ve put together a short screencast of OpenFPC to show the installation, setup procedure, and a bit of general usage. So if you’re tasked with rolling together your own full packet capture/network traffic recorder/forensics system, perhaps you may want to take a look below.

For those who don’t want to sit through five minutes of video to see what the new GUI looks like, here are a few screenshots of the system in action.

Version 0.6 is now available at http://code.google.com/p/openfpc/downloads/list . Expect a few bugs, and if you report them, I’ll own the task of fixing them.

-Leon

Written by leonward

June 13, 2011 at 12:37 pm

Posted in OpenFPC, Security, snort, Uncategorized
