Enabling PCRE JIT in OpenResty on CentOS

I’m quickly finding that OpenResty is an excellent stack, bundling a large number of nginx modules and Lua functionality. One of the most useful features I’ve found so far is the nginx Lua API’s ability to perform PCRE matches (Lua offers string.find, whose pattern syntax resembles PCRE but lacks its robustness). PCRE performance can be improved with PCRE JIT (just-in-time) compilation, but that requires JIT support in the underlying system’s PCRE package. JIT was introduced in PCRE 8.21, and, go figure, the upstream package on CentOS is PCRE 7.8.

Continue reading

Logging Mod_Security in JSON

mod_sec audit logs are atrocious. There have been a few attempts to make parsing audit data more palatable: BitsOfInfo recently wrote up a proof of concept of working through audit logs with logstash, and the AuditConsole project from JWall provides a more comprehensive approach to collecting log data, but neither solution addresses the inherent problem of how messy native audit log data is.

As part of my Master’s thesis I need a way to efficiently audit, sort and store audit logs; building my own parser, while doable, would be a waste of time, so I’ve forked the ModSecurity project on Github and built a patch that implements JSON logging directly in the application, replacing the old data log structures entirely. There’s still a long way to go, but the initial patch seems stable and produces valid JSON.

Continue reading

Pulling Apart ‘Closed Source’

For a while my mom was using Living Cookbook, a .NET-based desktop solution for managing recipes. It’s decent software, fairly stable and feature-filled, but its commercial, closed-source nature means locked-in users, and no alternative for when you lose your license as a result of a hardware failure (or human error). So when mom called in a mild panic over losing Grandma’s lasagna recipe, I knew I had to take a gander.

Continue reading

ZOMG REMOTE SHELL EXPLOIT!!!! … Or, Not

A new post to the Full Disclosure mailing list today detailed a remote code execution vulnerability within all available versions of the Nagios Remote Plugin Executor (NRPE), and provided a PoC that included gaining a reverse shell on the target server. Note that this reported exploit relies on a separate (but similar) vulnerability report in CVE-2013-1362. In today’s post, Dawid Golunski properly identifies a weakness within the NRPE argument sanitisation that could allow a client to execute arbitrary commands on the remote host within the context of the NRPE user. At first this seems like a pretty serious vulnerability, but further analysis shows that successful exploitation hinges on a series of bad practices not related to the NRPE code itself.

Continue reading

Brute Force Uptick

Okay, so just to clarify, am I actually breaking this news? No. Definitely not. But my automated log scanner picked up a jump in malicious activity yesterday on my network, so it’s worth taking a closer look. First, we see the jump in numbers:

Note that addresses have been lazily obfuscated but do not actually belong to the same class C, though some do share common ASNs (and some do indeed share a common class C). Wonderful, so let’s take a look at the log itself (a small sample is presented below for brevity):

Continue reading

On Struggle

No code today.

It’s 2 AM and I’m at that wonderfully frustrating in-between stage of fatigue where one is too tired to complete any tasks requiring significant concentration, and one is too active to sleep. Plus, I’m slated to start a two week graveyard rotation at work, so I need to tweak my sleep schedule a bit, which makes this a perfect time to crack open that Red Bull and muse about my existence. Or maybe just sit here and stare blankly at my screen while the second season of Big Bang Theory hums on in the background.

Continue reading

boto-rsync – Limitations and Workarounds

boto-rsync is a great tool for interacting with object storage systems like S3, but it’s not without limitations. We all know about the 5GB limit for a single PUT, which isn’t a problem for clients that can handle multipart upload. Sadly, boto-rsync doesn’t handle that, and until someone patches it, we need a way to break up large objects. This can crudely be done with split:

The disadvantage of this is that retrievals need to be manually catted back together, which obviously isn’t always a good solution.

boto-rsync’s other weakness is in handling UTF-8 filenames. Improperly-encoded filenames will throw a 400 Bad Request and cause the script to choke and die, rather than gracefully skipping the failing file and moving on. Re-encoding filenames as proper UTF-8 fixes this:

Not pretty, but it works. Note that directories need to be checked and renamed first, before handling the files themselves.

UPDATE – These issues have both been addressed in https://github.com/dreamhost/boto_rsync