Twitter

I’ve finally given in to the hype and got an account on Twitter. I must say that so far I’m liking it more than I expected. It seems almost everyone from the infosec community is active on the service. I am updating it nearly daily about (among other things) the OISF development I’m doing.

If you’re interested follow me here: http://twitter.com/inliniac

Available for contract work

This year there will be a lot of work that needs to be done for the Open Infosec Foundation. And like I wrote a few days ago, a lot of work is already being done. However, most of it is unpaid at this time as it will be some months before our funding comes in. So at least until then I’m available and looking for contract work.

For the last two years I’ve been doing work as a contractor in the (open source) security field. My experience is mostly in coding in C and Perl, primarily on Snort and Snort_inline. Recently I created the (Perl language) SidReporter program for Emerging Threats. Areas I worked in: IPv6 IDS/IPS coding, signature writing, Web Application Firewalls, threading, bandwidth accounting, and more…

Checkout my LinkedIn profile for more info. My resume is available on request.

If you have some work or know someone that does, please let me know!

Site moved

This site is hosted at a server at my home and is connected using my DSL connection. Next weekend I’m moving and the DSL has to be moved as well. Since that usually takes a few weeks here, I had to move the blog (and my mailserver) elsewhere for a while. Luckily Adi Kriegisch provided me with access to a server, so yesterday both my mailserver and weblog were moved. I have no native IPv6 connection there so I’ve disabled IPv6 access for now. Maybe I’ll try to restore it later. As far as I can see everything works, but if you see any problems please let me know! Big thanks to Adi for hosting my site!

Vuurmuur developments

This is my first blog post in 2007, so let me start by wishing everyone a good and healthy new year. In the new year I finally released a new version of Vuurmuur. It was the longest period between two releases, the last one was in April 06. The last year has been pretty hectic, with my graduation, looking for work, and now working… Also I’ve been stepping up work on Snort_inline and Modsec2sguil, which all took away coding time from Vuurmuur.

Of course, just after the new release came out, I discovered some problems with the connection killing functionality, and a new alpha release partly fixing that is already out. Partly, since I have yet some fixes to make. The release got a fair amount of publicity since it was mentioned on the Dutch computer enthousiast site tweakers.net. The server that hosts the wiki (and the screenshots) nearly colapsed under the requests, but luckily I could adapts it’s config in time to bring the load down from 18 to 2.

Looking ahead, I intent to get a new release out fairly quickly, hopefully even this month. The focus of this release will be fixing the bugs from 0.5.72. Looking further ahead main focus will be the setup wizard, that should help new users to get going quickly. Adi is working on an updated autobuild server that can also support the newer versions of Debian and Ubuntu. He will also be looking at adding support for rpm-building.

I’m also thinking about modifying the iptables rules that Vuurmuur creates, to better handle traffic marking, add support for the classify target and support nfqueue. But it will be a while before work on that will start…

Snort_inline: getting closer to 2.6.0.2

I’m back from my vacation which was very nice. Hardly did any geek stuff, other than meeting up with Philippe, who lives in Paris. It was the first time I met someone I got to know through the Vuurmuur project :)

So with Snort_inline things aren’t moving as fast as I hoped, but there is certainly progress. I’m currently hunting for a few bugs. First of all I’ve seen it segfault on me once. Sadly I had forgotten to enable coredumps, so no clue as of why. Second, William and I have been ironing out some issues where the new stream4 mode was getting mixed up with the old. I think these are pretty much taken care of now. Third, there is a bug where an unified alert fired by http_inspect doesn’t contain a payload. Finally, i’m hunting what appears to be a heisenbug in the new stream reassembly, because I’ve never encountered it since I’m actually looking for it.

Still it has been running on my gateway with good stability and performance for a few weeks now. So I think that if we can find the http_inspect issue, we should be ready for a beta release…