Today I gave a talk at the ISPA office concerning DNSSEC. See here for the official announcement.
Attendance was good, we had interesting questions and a lively discussion.
You can download my slides in pdf format.
This is one of the “simple” problems which always take longer to solve than expected.
The goal: Script RTIR to generate Investigations associated with an Incident.
In order to do that, I needed to solve the following two subproblems:
Basically, I needed to capture the STDOUT of the “rt” command while still letting rt invoke vi. My solution:
--- /usr/bin/rt 2007-10-31 11:52:20.000000000 +0100
+++ /usr/local/bin/rt 2008-08-20 14:14:20.000000000 +0200
@@ -1335,7 +1335,7 @@
local $/ = undef;
open(F, ">$file") || die "$file: $!\n"; print F $text; close(F);
- system($editor, $file) && die "Couldn't run $editor.\n";
+ system("$editor $file < /dev/tty > /dev/tty") && die "Couldn't run $editor.\n";
open(F, $file) || die "$file: $!\n"; $text =
unlink($file);
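Review bot: the replacement line passes a single string to system(), which hands it to the shell, so $editor and $file are now subject to word splitting and shell interpretation, whereas the removed list form system($editor, $file) ran the editor directly. $file is a temporary path rt chose itself, but $editor typically comes from the environment (EDITOR/VISUAL), so an editor setting containing spaces or shell metacharacters behaves differently after this change. To keep the no-shell call while still attaching the editor to the terminal, reopen STDIN and STDOUT onto /dev/tty around the call and keep the list form, e.g. `open(STDIN, '<', '/dev/tty') or die "/dev/tty: $!\n";` followed by the original `system($editor, $file)`, restoring the handles afterwards; if the string form is kept, quote both variables.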
The “Autoreply on Create” Scrip is supposed to mail the newly created content to the Requestor, so I needed to provide not only plaintext during creation, but also all the attachments that need to go out to the Requestor.
Adding text is simple: just put “Text: foo bar” in the Template. But attachments are simply not supported for “rt create” (and not that easy to add in the code). They are supported for “rt correspond”, so I can sidestep the “attachment on create” problem by splitting the work into an empty “rt create” followed by a “rt correspond -a file”.
There is just one gotcha: the Autoreply Scrip will happily send an empty mail on ticket creation.
Solution: Change the “Condition = On Create” for the Scrip to “Custom” with
my $t = $self->TransactionObj;          # the transaction that fired this Scrip
return 0 unless ($t->Type eq "Create"); # only react to ticket creation
my $c = $t->ContentObj;                 # undef when the create carried no content
return (defined($c)) ? 1 : 0;           # fire only if there is something to mail
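The two-step "empty create, then correspond with the attachment" approach from above, as an added shell example (not the author's script or part of RT/RTIR): it captures rt's STDOUT, pulls the new ticket number out of it and then adds the attachment with a second rt call. It assumes the rt CLI is reachable via RT_CMD (default "rt"), that a successful "rt create" prints a line of the form "# Ticket 123 created.", and that the queue name and the "set queue=... subject=..." syntax are what your installation uses; all three are assumptions to check against your RT version.

```shell
#!/bin/sh
# Added example, not the author's code. Wraps "empty rt create" followed by
# "rt correspond -a file" so the Autoreply goes out with real content.
# Assumptions: RT_CMD is the rt CLI (default: "rt"); a successful create
# prints "# Ticket <n> created." on stdout.

RT_CMD="${RT_CMD:-rt}"

# Extract the ticket number from rt's create output; prints nothing
# if no such line is present.
parse_ticket_id() {
    printf '%s\n' "$1" \
        | sed -n 's/^# Ticket \([0-9][0-9]*\) created\..*$/\1/p' \
        | head -n 1
}

# Create an empty ticket in $1 with subject $2, then attach file $3 via
# correspond. Prints the new ticket id on success, returns non-zero on
# any failure so a calling script can stop instead of mailing garbage.
create_investigation_with_attachment() {
    queue="$1"; subject="$2"; attachment="$3"
    [ -r "$attachment" ] || {
        echo "attachment not readable: $attachment" >&2; return 1; }

    # Capture both stdout and stderr: rt reports errors on stdout too.
    out=$("$RT_CMD" create -t ticket set "queue=$queue" "subject=$subject" 2>&1) || {
        printf '%s\n' "$out" >&2; return 1; }

    id=$(parse_ticket_id "$out")
    [ -n "$id" ] || {
        echo "could not parse ticket id from rt output: $out" >&2; return 1; }

    # Second step: the correspondence carries the attachment, and with the
    # custom Scrip condition above it is this transaction that gets mailed.
    "$RT_CMD" correspond -a "$attachment" "$id" >/dev/null || return 1
    echo "$id"
}
```

Because the create call is wrapped in a command substitution, the editor that rt spawns is no longer on the terminal; this is exactly the situation the /dev/tty patch above addresses, so run it against a patched rt or feed the form through rt's non-interactive options.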
In April I speculated about the impending doom of the DNS.
Now we know what was in the works, and yes, it’s not a pretty picture.
My idea from April doesn’t work 1:1, as the attacker doesn’t attack a single target but arbitrary other hostnames in the same domain.
Anyway, I spent the last days analyzing data from .at nameserver regarding patch discipline in Austria. You can read the depressing results here.
Assume you have a number of patterns you might want to watch out for in various logfiles. These could be harmless, e.g. postfix/smtp\[[[:digit:]]+\]: .* status=sent, which indicates that a mail was sent by postfix, or they could be bad, e.g. indications of hardware trouble, firewall log entries or suspicious entries in proxy logs.
There are a number of tools which can help you do that, e.g. logwatch can produce nice reports for you.
In my case, I was less interested in individual log entries than in a graphical representation of their frequency. For that, I need something similar to MRTG. Cacti is a decent graphical frontend to the core MRTG engine, rrdtool. It provides various data sources and graphing options, all packed into a neat web interface.
So, what needs to be done to get Cacti to graph match-rates of regexs in logfiles?
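One building block for that, as an added shell example (not the author's code and not part of Cacti): a function in the shape of a Cacti data input script that counts how many lines matching an extended regex were appended to a logfile since the previous poll, remembering the byte offset it has already read in a small state file. It assumes a POSIX shell with tail -c, wc and grep -E, and uses the postfix pattern from the text against constructed sample log lines; the state file path is the caller's choice.

```shell
#!/bin/sh
# Added example, not the author's code. Counts new regex matches in a
# logfile per poll, which is the value a Cacti data input script feeds
# into rrdtool. Assumes POSIX sh, tail -c, wc -c and grep -E.

# count_new_matches LOGFILE EXTENDED_REGEX STATEFILE
# Prints the number of lines appended since the last call that match the
# regex; a log that shrank (rotation/truncation) is read from the start.
count_new_matches() {
    logfile="$1"; pattern="$2"; statefile="$3"

    size=$(wc -c < "$logfile" | tr -d ' ')
    offset=0
    [ -f "$statefile" ] && offset=$(cat "$statefile")
    # Unreadable state or a rotated log: start over at byte 0.
    [ "$offset" -le "$size" ] 2>/dev/null || offset=0

    # tail -c +N is 1-based, so the first unread byte is offset+1.
    # grep -c exits 1 when the count is 0, which is not an error here;
    # an empty count means grep itself failed (e.g. a bad regex).
    count=$(tail -c +$((offset + 1)) "$logfile" | grep -cE -- "$pattern") \
        || { [ "$count" = "0" ] || return 1; }

    echo "$size" > "$statefile"
    echo "$count"
}

# Constructed sample run: three polls against a small postfix-style log.
# Prints the three counts separated by spaces.
demo() {
    dir=$(mktemp -d)
    log="$dir/mail.log"; state="$dir/state"
    pat='postfix/smtp\[[[:digit:]]+\]: .* status=sent'

    # Constructed log lines, not from a real system.
    printf '%s\n' \
        'Aug 20 14:14:20 mx postfix/smtp[1234]: ABC: to=<a@example.org>, status=sent (250 ok)' \
        'Aug 20 14:14:21 mx postfix/smtp[1235]: DEF: to=<b@example.org>, status=deferred' \
        'Aug 20 14:14:22 mx postfix/smtp[1236]: GHI: to=<c@example.org>, status=sent (250 ok)' \
        > "$log"
    first=$(count_new_matches "$log" "$pat" "$state")     # 2 sent lines
    second=$(count_new_matches "$log" "$pat" "$state")    # nothing new: 0
    printf '%s\n' \
        'Aug 20 14:14:30 mx postfix/smtp[1237]: JKL: to=<d@example.org>, status=sent (250 ok)' \
        >> "$log"
    third=$(count_new_matches "$log" "$pat" "$state")     # one appended: 1

    rm -rf "$dir"
    echo "$first $second $third"
}

demo
```

Cacti expects one number (or name:value pairs) on stdout per poll, so each graphed pattern gets its own state file and the poll interval of the data source determines the "matches per five minutes" the graph shows; a line still being written at poll time is counted on the next poll, since only whole lines match the regex.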