
| Scan Detection Modifications | There are several modifications made to the scan detection framework. Landmine Function: ranges of the local address space (typically the beginning and end) that are currently and historically unused require only a very small number of connection attempts before the host is dropped. This is based on the idea that there is no reason for a non-hostile host to connect into that address space. Low Port Trolling: since low-numbered ports (<1024) have historically been home to services running with root privileges, these services are often targeted. In addition, these ports are not typically used for ephemeral functionality. Because of this, a smaller number of connection attempts made to this range will result in a dropped host. Value Based Dropping: similar to Low Port Trolling, this function is designed to reduce the number of hosts dropped due to background radiation. Please see here for a complete description. Cluster Detail: this defines a specific address space and provides far more stringent logging and access controls into (and out of) it. You might want to run this if you, say, operate a large supercomputer. |
| Entropy Measurement | Measuring the entropy of an individual packet, or of the stream (TCP/UDP/ICMP) that is associated with it, can provide a great deal of beneficial information. This modification adds this functionality; it has been used in a number of projects that I have worked on (for example, this). In its current form it is not exactly bulletproof, but I plan on cleaning it up and passing it back up to Vern, who can decide its ultimate fate. Contact me if you would like a copy. |
| SSL Connection Analysis | While working on my own SSL analyzer, I had the pleasure of being introduced to Benedikt Ostermaier, Michael Kuhn and (again) Robin Sommer, who were completing a beautifully written analyzer of their own. It has officially been released as a patch against 0.8a41. I have made a number of changes to their fine code, including CRL functionality and many, many changes on the policy file side of things. Most of the changes that I made will be rolled into the GSI framework described below, but I would be more than happy to share. A port that works for 0.8a70 can be found here, while a quick and disjointed collection of notes on the changes can be found here. |
| GSI Authentication Validator | Given the increasing use of GSI-based authentication (see the Globus page for more details), it seemed like a good idea to create a generalized framework for the number of grid-based applications that rely on it. This engine does all the SSL handshake parsing, certificate validation and recording (including CRL), and authentication logging. Since this engine is not overly useful without applications to plug into it, I am hoping to release a complete 'grid package' some time in January of 2004. Contact me if you would like more information before then. |
| GRID Security Tools | Given the increasing use of 'grid enabled' applications at NERSC (and many other locations), it has become necessary to develop a series of tools which can deal with this changing landscape. The initial applications that are covered are GridFTP and Gatekeeper/GRAM, along with a Cactus analyzer as well (even though it is not 'officially' part of the grid). With the implementation of the version 3 Globus toolkit, the direction of Grid applications will change once again and the 'Stuff over HTTP' paradigm will have to be grappled with. That is next year though... I will be giving a presentation on our current development effort at GlobusWorld 2004 in January. Please see this link for more information as the presentation (and possible paper) is developed. |
| ICMP Anomaly Detection | There are a large number of interesting detection functions relating to ICMP. All of them are described in the ICMP Covert Channel Detection paper located elsewhere on this site. The changes associated with that paper are welded together with the entropy tools, so I will pry them apart and publish as soon as possible. |
| Bro Health Monitor | This is a simple script that looks over the running Bro instance and records when one of several indicators exceeds a provided value. The indicators are CPU%, memory footprint, memory delta, connection delta, and dropped host delta. If the defined values are exceeded, the situation is logged (and I can get paged!). It is here. |
| Administrative Scripts and Reports | A weakness of Bro is that it is far from simple to use. We have put together a collection of administrative and reporting scripts that are quite useful. Please check the README for details. Note that it is put together for a FreeBSD system. |