An alchemists view from the bar

Network Security Alchemy

Archive for the ‘Uncategorized’ Category

OpenFPC in 2014

with 2 comments

They say that time flies, and they’re right (damn them, whoever they are). Lots of things have been going on in my life over the last year, but hey you likely don’t care about that, you’re here because you’re interested to find out if OpenFPC is still alive and growing… and the answer is yes – but with a bit of a twist.

So here are the big changes and updates you may like to know about.

  • Hosting has been moved from Googlecode SVN to git on github (
  • I’ve removed the GUI components from the install because I’m struggling to maintain them. I only *ever* used the command line interface anyway, so I expect many others are the same. They’re still in the same git repo for now, but not included in the installer.
  • Session searching now functions from the command line
  • Distributed session databases, each node keeps its own session data locally
  • If multiple nodes are all linked by a proxynode*, a session search from that proxy will take place *at* all nodes and all results are combined before transmitting them back to the client
  • Multiple TZs are supported. Each node works correctly in its own TZ, and when data is combined from multiple nodes in different TZs it functions
  • Added support for parsing passivedns logs (really cool, I’ll put together a walk-through of how that works sometime)
  • I’ve wrapped together a release called 0.9 that contains all of these
  • None of the services run as root

There is still a long list of things that I’d like to do with the project, for example I’ve been playing with dancer to provide a full rest api. The next thing I need to do however is update docs, find a stable place to host downloads, sort out the website, then work out what to do with the whole GUI thing for those that used it. All topics for another day.

*I really need to rename “proxy” in the openfpc context… If anyone has a better suggestion for a name I’m all ears.

You can download 0.9 here for now while I try and sort out the old website and turn it into something maintainable. Alternatively you could just clone it from github


Here is a quick teaser of it in use, searching for sessions destined for TCP:22 that started within the last 10 minutes.




Written by leonward

September 15, 2014 at 11:00 am

Posted in Uncategorized

List of Mountain Bike films on iTunes

leave a comment »

I’m a big buyer of content via iTunes, however sometimes the search interface lets me down. I find it frustrating that there isn’t a way of listing content for an interest group (such as MTB movies), and whenever I’m taking a long flight, I find a bike movie is perfect viewing.

To help anyone else trying to find a list of decent MTB films that are all available on iTunes, perhaps the below could help. I’ll try to keep it updated as I dig out more over time. Simply search for the film name on iTunes and it should turn up in the store. Note that some of these are marked as TV shows rather than films.

Follow Me –

Vast –

Here we go again –

Life Cycles –




Written by leonward

January 14, 2012 at 11:13 am

Posted in Uncategorized


Defining an Achievable Network Segmentation Process

leave a comment »

We all struggle balancing work and personal projects, but somehow I managed to combine both into one with the new Sourcefire blog (

I’ve had a blog posted there rather than here for once, so if you’re interested in network segmentation go take a read.

The modern enterprise network has undertaken massive changes over recent years. The adoption of cloud computing, consumerization, mobilization, and the explosion of the “app” markets, has driven us all to use technology in new ways. We must embrace these new technologies and the business edge that they can offer, but all the while we need to recognize that just below all of this new technology there is something supporting it that hasn’t changed. The security infrastructure they depend on to deliver safe and controlled service.

Read more here ->



Written by leonward

October 3, 2011 at 9:31 am

Posted in Uncategorized

Big OpenFPC release – 0.6

with 2 comments

Pushing forwards closer to a 1.0 release for OpenFPC, one of the major components has now been updated – The GUI.

To introduce this new release I’ve put together a short screen-cast of OpenFPC to show the installation, setup procedure, and a bit of general usage. So if you’re tasked with rolling together your own full packet capture/network traffic recorder/forensics system, perhaps you may want to take a look below.


For those who don’t want to sit through five minutes of video to see what the new GUI looks like, here are a few screenshots of the system in action.

Version 0.6 is now available at . Expect a few bugs, and if you report them, I’ll own the task of fixing them.


Written by leonward

June 13, 2011 at 12:37 pm

Posted in OpenFPC, Security, snort, Uncategorized


Insta-Snorby 0.4 with OpenFPC

with 3 comments

Snorby had a big launch this weekend with an event that rivaled Apple in terms of hype and excitement! The two-dot-ooh-yeah release has reached the unwashed masses.

The Snorby 2.0 feature that I’m most excited about is the inclusion of support for OpenFPC directly in the Snorby UI (but face it I’m kind of biased here). Many users of Snorby will be unaware of the OpenFPC project, and as they could be eager to try out the bleeding Snorby version, I thought I would include a quick how-to (below) of adding OpenFPC on to the Insta-Snorby appliance.

OpenFPC and Snorby together

I wouldn’t expect real-world users of Snorby / OpenFPC to use the Insta-Snorby VM, but it’s a good introduction / test platform. As a guide to effort, the below ten steps should take about ten minutes to follow (including the download and updating of packages).

If you spot any errors please let me know, this is the bleeding edge after all.

First the obvious bits….

1) Download the Insta-Snorby-0.4.iso

2) Install the .iso on to the hard disk of a virtual (or physical) machine

3) SSH in to the device as root.

Now the less-obvious bits…

4) Prepare the platform.

Update the package archives. This step is mandatory; it is not just being done as good practice.

root@Insta-Snorby ~# apt-get update

Install the dependencies from the Ubuntu package archive (note you can copy/paste the below into your ssh session rather than re-type).

apt-get install apache2 daemonlogger tcpdump tshark libarchive-zip-perl \
libfilesys-df-perl libapache2-mod-php5 mysql-server php5-mysql \
libdatetime-perl libdbi-perl libdate-simple-perl php5-mysql \
libterm-readkey-perl libdate-simple-perl

5) Download the latest version of OpenFPC from

root@Insta-Snorby ~# wget

Note that 0.4-266 is “current” at the time of writing, but there is a lot of development happening right now, so make sure you get the latest and don’t assume 0.4-266 is still “current”.

6) Install OpenFPC

root@Insta-Snorby ~# tar -zxf openfpc-0.4-266.tgz 
root@Insta-Snorby ~# cd openfpc-0.4-266/
root@Insta-Snorby ~# ./ install

You will be prompted to provide a password for the OpenFPC extract.cgi script. This password guards any attempt to pull out a pcap through the CGI interface that Snorby uses, enforced with Apache’s basic auth. It is saved to /etc/openfpc/apache2.passwd.
You will need this username/pass to access any pcaps via Snorby, so REMEMBER IT!

7) Customize OpenFPC

OpenFPC is a client/server system: the openfpc-client does not need to be on the same physical host as the openfpc-queue daemon, so the daemon listens on a network socket (default port 4242). The default username and password are:

Username: openfpc
Password: openfpc

If you want to change these, edit /etc/openfpc/openfpc-default.conf and set…

a) USER=openfpc=openfpc

Set this to whatever username/pass you desire e.g.

b) Change the user account that is used to pull PCAP files via the extract.cgi interface to one you have specified with a USER definition. e.g. for the above user definition I would use:


8) Start up OpenFPC

root@Insta-Snorby ~/openfpc-0.4-266# openfpc --action start

[*] OpenFPC instance openfpc-example-proxy.conf
 -  NODENAME:              Example_Proxy
 -  DESCRIPTION:           "An example OpenFPC Proxy config."
 -  STATUS :               DISABLED 
 -  PORT:                  4243
[*] OpenFPC instance openfpc-default.conf 
 -  NODENAME:              Default_Node 
 -  DESCRIPTION:           "An OpenFPC node." 
 -  STATUS :               ENABLED
 -  PORT:                  4242
 -  INTERFACE:             eth0
 -  PACKET STORE:          /var/tmp/openfpc/pcap
Starting Daemonlogger (Default_Node)...                                    Done
Starting OpenFPC Queue Daemon (Default_Node)...                            Done

9) Check communications and your openfpc username/password.

Use the command line tool openfpc-client to check things are working. The --action status option (-a status below) provides a status check of a remote OpenFPC instance.

root@Insta-Snorby ~/openfpc-0.4-266# openfpc-client -a status
 * openfpc-client 0.4 *
Part of the OpenFPC project
Username: openfpc
Password for user openfpc : 
 OpenFPC Node name   :  Default_Node 
 OpenFPC Node Type   :  NODE
 OpenFPC Version     :  0.4
 Oldest Packet       :  1291638906 (Mon Dec  6 12:35:06 2010)
 Oldest Session      :  0 (Thu Jan  1 00:00:00 1970)
 Packet utilization  :  10% 
 Session utilization :  Disabled% 
 Session DB Size     :  Disabled rows 
 Session lag         :  0 files 
 Storage utilization :  10% 
 Packet space used   :  1867896 (1.87 GB)
 Session space used  :  Disabled (Disabled Bytes)
 Storage used        :  1867896 (1.87 GB)
 Load avg 1          :  0.04 
 Load avg 5          :  0.05 
 Load avg 15         :  0.08 
 Errors              :  0 
root@Insta-Snorby ~/openfpc-0.4-266#

10) Configure the Snorby OpenFPC plugin

Navigate to the Snorby web interface, and browse to Administration.

Enable your OpenFPC integration here

  • Check the box “Enable OpenFPC support”
  • Use the below URL for extraction
  • Hit “Save Settings”


Now when you look at an IPS event, you will have a “Packet Capture” button that pulls out the complete session data via OpenFPC.
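
A quick way to confirm that the step 7 defaults were actually changed, as an added example that is not part of OpenFPC or of the original post: the function below scans config files for USER=name=password entries (the format shown in step 7) and reports the shipped openfpc/openfpc pair, empty passwords, passwords equal to the username, and world-readable files. It assumes one USER entry per line with the password stored as written; the function name is made up for this example.

```sh
#!/bin/sh
# Added example (not OpenFPC code): audit OpenFPC config files for weak
# USER=<name>=<password> entries, the format shown in step 7.
# Assumption: one USER entry per line, password stored as written on the line.

# audit_openfpc_users FILE...
# Prints "file:line: reason (user=NAME)" per finding, never the password.
# Returns 0 when clean, 1 when any finding or unreadable file was seen.
audit_openfpc_users() {
    rc=0
    for f in "$@"; do
        if [ ! -r "$f" ]; then
            echo "$f: cannot read"; rc=1; continue
        fi
        # The USER line carries the password, so other users should not be
        # able to read the file (find prints the path if o+r is set).
        if [ -n "$(find "$f" -prune -perm -004)" ]; then
            echo "$f: world-readable file holds credentials"; rc=1
        fi
        awk -v file="$f" '
            /^[ \t]*USER=/ {
                sub(/^[ \t]*USER=/, ""); sub(/[ \t\r]+$/, "")
                i = index($0, "=")
                if (i == 0) {
                    printf "%s:%d: malformed USER entry\n", file, NR
                    bad = 1; next
                }
                name = substr($0, 1, i - 1); pass = substr($0, i + 1)
                if (name == "openfpc" && pass == "openfpc")
                    why = "shipped default credentials"
                else if (pass == "")
                    why = "empty password"
                else if (pass == name)
                    why = "password equals username"
                else
                    next
                printf "%s:%d: %s (user=%s)\n", file, NR, why, name
                bad = 1
            }
            END { exit bad + 0 }
        ' "$f" || rc=1
    done
    return "$rc"
}

# Run against the files named on the command line, if any.
if [ "$#" -gt 0 ]; then audit_openfpc_users "$@"; fi
```

Run it as root against /etc/openfpc/openfpc-default.conf after step 7; a non-zero exit status means at least one entry or file permission needs attention.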

Many of the advanced OpenFPC capabilities are not addressed in this how-to such as connection/flow capture and searching, compressed extracts, reports, distributed extracts, horizontal scaling, etc etc but I’m keeping this How-to simple. If you want to know more, you know where to look


Written by leonward

December 6, 2010 at 1:24 pm

Leon’s ten rules for improved network security

with 12 comments

Last week I was asked to comment on a top ten list of the “rules of network security”, and unsurprisingly I disagreed with many of them :p

This probably isn’t a shock and it’s not to say that the other list was wrong, it’s just the nature of such a subjective list. Nevertheless, I thought I would share my response here in case it stimulates thought.

Prerequisite :  Hire smart people, and trust them to do their job.

I think that’s key to getting anything done in business and not specific to network security at all, however it’s worth considering before you do any of the below.

1) Management and user education

Without educating management to the risks associated with modern network connectivity, insufficient effort and budget will be assigned to the task. This directly leads to fail. Network security education must also be presented in an enabling way, for example, “This is how to do stuff safely”, or “Implementing this security measure will allow us to conduct business with this partner while maintaining our security posture”, rather than a disabling “Don’t do that it’s naughty”.

This first point includes the education associated with AUP (Acceptable usage policies) for network connectivity and resource usage. Without defining acceptable and unacceptable usage of resources users will never know if they are misbehaving.

2) Enforce sensible access controls

This point exists at many layers within the network, including user account management (with good passwords) via role based access (RBAC) and network access controls (and by network access controls, I refer to Firewalls not a NAC-like deployment).

Firewalls should be configured to only allow the required ingress and egress ports for communication through network segments while controlling the direction of trust.

3) Patch, patch, patch, and then patch again.

Always keep up to date with security specific software updates, and automate this process wherever possible.

4) Harden systems that do not operate in a “secure by default” model.

Make sure systems that operate in areas of high risk have the appropriate lock down applied to them, including:

  • Disabling non-required services
  • Removing or renaming system or default user accounts
  • Removing applications that are not required

5) Enable logging, audit system, network and user behaviour in the context of the AUP. Monitor and react to violations and security events.

Central and sane event logging and its management is key to accomplishing this goal. Intrusion detection / Network security monitoring also fit in with this point as they are key to detecting the misuse or security violations on the network.

6) Anti-ware (the modern equivalent of Anti-virus)

This is a must on user desktops and servers (where appropriate). Even though some AV software has lower than desirable virus detection rates, having something is better than nothing as long as it’s kept up to date (see point 3)!

7) Segment the network into trust zones

Every network should be made up of multiple zones with differing functions, e.g. Management, Public DMZ, Servers, Clients. VLANs can be used to implement much of this segregation, and firewalls should be used to route data between those networks.

8) Physical security

Make sure that the correct physical security controls are in place in your data-center. Consider and mitigate the risk of when a user’s laptop gets stolen or “lost” after a four-hour business meeting in a high-class wine bar.

9) Take Backups and test them!

Not taking and checking the quality of your backups *will* cause a lot of pain. Fact. Losing data could mean losing the company, and therefore losing your job.

10) Use the correct tools to do the job.

If budget is tight (and it always is), look for lower cost software alternatives. There is an amazing resource of high quality open source security software available that can help address many of the security points above. Make sure you research and select good tools that you are comfortable with and that can scale to meet future requirements.


Written by leonward

May 11, 2010 at 4:07 pm

Posted in Uncategorized

Network Security Bloggers meet, London 30/March/2009

leave a comment »

I’m attending a network security Blogger meeting on the 30/March/2010 in a pub just off Oxford St, London. It’s kindly hosted by Sourcefire but don’t expect any sales people in attendance! It will be an informal event with drinks, nibbles, and networking (read free beer). Hopefully we’ll discuss what’s hot (or not) right now, share some ideas, and provide inspiration for a post or two.

If you’re a network security blogger and want to meet others like you in person, let me know and I’ll try to get you on the guest list!


Written by leonward

March 18, 2010 at 12:09 pm

Posted in Uncategorized
