silica.dopefish.de – catching data leaks

I was testing a PHP script for security flaws today and needed a way to check if it was possible to “accidently” leak sensitive data to an external server. So I threw together a small script to save the contents of the $_SERVER $_COOKIE $POST and $_GET arrays and dump them in a file. Since it worked so good I decided to leave the site online.

Why did I call it silica? Because silica gel absorbs and stores fluids like this website absorbs information thrown at it. How to use it? Just get your application to connect to silica.dopefish.de instead of where it intended to connect to (by overwriting variables, DNS foo, be creative) and see what happens.

Base Domain: silica.dopefish.de
The webserver will catch any URL (regardless what path or filename) and log the environment. The only exception is the logfile.

Logfile: http://silica.dopefish.de/access.log
The log is automatically emptied every 10 minutes, so save the output if you need it.

Updated OSSEC Web UI 0.3 files for OSSEC 2.6

OSSEC is an open source HIDS (Host-based Intrusion Detection System), and a pretty darn good one too. It also has a simple web front-end to view what’s going on, search through alerts and stuff like that  (called OSSEC Web UI, I’ll just call it “WUI” here). Unfortunately the code is a bit outdated (the last official update was from 2008 as far as I can tell) and it doesn’t support newer features of OSSEC like polling data from a database. Something I’d like to tackle if I find the time 😉

The latest version of OSSEC is 2.6, and due to some small changes to the format of the logs WUI no longer works out-of-the-box. I had a look at the code this weekend and am providing patches and downloads of the files needed to change to get everything running again with OSSEC 2.6.

List of changes:

  • Works with the OSSEC 2.6 alert log file format
  • Changed Rule ID Link to better work with the new documentation wiki
  • Added “user” field to alert output
  • Widened the layout by a few pixels (to 1000px) and changed the CSS / alert layout to make the individual alerts better readable
  • Moved some of the hardcoded formatting to CSS

Download Download changed files
Download Patch download

 

Wireshark Version 1.8.0 released

A new version of Wireshark was released yesterday (1.8.0), head on over to http://www.wireshark.org/download.html to download it for your OS.

New and updated features since version 1.6:

  • Wireshark supports capturing from multiple interfaces at once.
  • You can now add, edit, and save packet and capture file annotations.
  • Wireshark, TShark, and their associated utilities now save files using the pcap-ng file format by default. (Your copy of Wireshark might still use the pcap file format if pcap-ng is disabled in your preferences.)
  • Decryption key management for IEEE 802.11, IPsec, and ISAKMP is easier.
  • OID resolution is now supported on 64-bit Windows.
  • The “Save As” menu item has been split into “Save As”, which lets you save a file using a different filename and “Export Specified Packets”, which lets you have more control over which packets are saved.
  • TCP fast retransmissions are now indicated as an expert info note, rather than a warning, just as TCP retransmissions are.
  • TCP window updates are no longer colorized as “Bad TCP”.
  • TShark’s command-line options have changed. The previously undocumented -P option is now -2 option for performing a two-pass analysis; the former -S option is now the -P option for printing packets even if writing to a file, and the -S option is now used to specify a different line separator between packets.
  • GeoIP IPv6 databases are now supported.

How to use Cluster SSH (cssh) and Mosh together

A colleague told me about mosh today, just saying “it’s an alternative to SSH that addresses many of the problems” doesn’t do it credit. Go look at the page and have a look, don’t worry it’s a nice page and I’ll still be here waiting when you come back. I do a lot of work on servers across the globe, and believe me, although subtle, the difference between a 10ms connection and a 100+ ms connection is definitely noticeable 😉 That lag all but disappears with mosh. Mosh doesn’t support X11/SSH-Agent forwarding yet, but it’s on their roadmap.

Back to topic, I also use cssh for working on multiple servers simultaneously. I’d recommend making a copy of your .cshrc file (cp -a ~/.csshrc ~/.csshrc_mosh) and working on the copy. Edit the  ~/.csshrc_mosh and change the lines ssh= and ssh_args= (diff of my files):

You will have to remove any parameters in ssh_args= and move them to your ~/.ssh/config due to the difference in command line parameters between mosh and ssh. Now all you have to do is call cssh with the new config file, e.g. with an alias to make things easier alias mcssh=”cssh -C ${HOME}/.csshrc_mosh” And your done.

Playing around with Exim, Spamassassin, DKIM and SPF

I was playing around with my mail server today and decided to have a look at DKIM and SPF. Jump to the bottom for some useful links. You will have to be able to change TXT entries for your domain/subdomains to do any of this. Sending a mail to check-auth@verifier.port25.com will generate an auto-reply with the result of your mail servers settings. I also noticed that Exim wasn’t listening to the IPv6 interface and promptly fixed that, and have received my first mail via IPv6.

Some spamassassin scores for your local/user settings:

SPF:
Syntax: http://www.openspf.org/SPF_Record_Syntax
Tools & Information: http://www.openspf.org/
Wizard: http://www.spfwizard.net/

DKIM:
Exim walkthrough: http://mikepultz.com/2010/02/using-dkim-in-exim/
Domain specific settings: http://www.debian-administration.org/users/lee/weblog/41
Tools: http://dkimcore.org/tools/
Wizard: https://www.port25.com/dkim-wizard/