FUN WITH LINUX

Suricata-Update: a smart update-script for suricata-rules

10 December 2017

Last week OISF announced a new tool called suricata-update. It's a smart tool for updating suricata rules from remote sources like Emerging Threats. It works similarly to oinkmaster or pulledpork. The main advantage is that it integrates well with suricata, makes backups of previous rulesets and tests the rules before applying them. Yesterday it reminded me about deprecated options in my suricata configuration because of the test it runs (suricata -T).

Improving suricata's configuration-parser

10 December 2017

Over the last weeks I worked on suricata's configuration-parser and fixed a couple of minor bugs. Some of them made it into the new suricata 4.0.3 release.

Bash-Insulter: insults you after typing a wrong command

17 November 2017

If you type in a wrong command, bash-insulter will insult you badly.

How I fixed a bug in my favourite media player

9 November 2017

A few weeks ago I started cmus to read in all my music and it crashed badly. I wondered how this could happen and started to investigate. I figured out that it crashed with a segfault. After compiling it with debugging symbols and running it under gdb, I located the bug in the libcue library and also found the reason: libcue doesn't handle unicode files, and one of my cue files was unicode encoded. So libcue detected a lot of "bad characters" before it segfaulted. The following lines of code led to the memory corruption:

Third Anniversary

7 November 2017

Even if I was a little bit lazy and did not write much lately, I am very proud to announce the third anniversary of this blog.

Managing MaraDNS with Ansible

28 August 2017

I wrote a role for managing MaraDNS with Ansible.

Requirements

  • Ansible 2.1+ (might work with prior versions too)
  • Debian-based Linux-distribution

check_mk-rbl - A check_mk-plugin that monitors public ipv4 addresses

20 August 2017

Check_MK is a great monitoring tool. One of its strengths is that it can automatically detect services and monitor them. I have always monitored whether the public IP addresses of my servers are listed on any DNS blacklist, but I had to add new public IPs manually, so I looked for a better solution. I found a nice little plugin in a GitHub repository of HeinleinSupport. The plugin was great, but I missed two things: first, it checks all IPv4 addresses of a server, including private addresses, and second, it uses hardcoded DNSRBL servers. So I modified the script so that it checks only public addresses and can use an ini file if it exists (otherwise it still uses the hardcoded DNS servers). My modified version, check_mk-rbl, is available on GitHub.

OpenElec: CVE-2017-6445 revisited

25 June 2017

A few months ago I published a vulnerability in OpenElec's updater. I successfully exploited it remotely against OpenElec versions 6.x.x and 7.x.x. OpenElec 8 has been available for a while and has reached version 8.0.4, so I tested the bug against this version and it is still open. An attacker in a Man-In-The-Middle position can remotely compromise OpenElec updates and plant a reverse shell on the target.

Debian Stretch released

18 June 2017

On Saturday the Debian Project announced the release of Debian 9 "Stretch". This means that Jessie becomes oldstable and Wheezy won't receive any updates anymore. So it's time to dist-upgrade.

Using the new statx() system-call

4 June 2017

In Linux kernel 4.11 a new system call, statx(), was introduced. The old stat() system call is used to get the metadata (size, permissions and so on) of files and directories. stat() lacks functionality for remote filesystems and always collects all the information about a file at once, which can make the call slow. statx() is a new implementation of stat: the caller can request specific information (for example just the size of a file) to speed up the call. If the file lives on a remote filesystem, the caller can choose to have statx() first sync with the remote server before fetching the information, or accept the cached values. Another nice feature is that statx() can also report extra file attributes such as "is the file encrypted or compressed?".

Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution 3.0 Unported License.

Copyright 2015-present Hoti