Tag Archives: GNU/Linux

Install a KVM host on Ubuntu 14.04 Trusty Tahr

How to install a KVM host and configure KVM with libvirt and Open vSwitch on Ubuntu 14.04 Trusty Tahr. The following steps have been tested on a freshly installed server installation. Let’s start from scratch by installing all required packages.

Install required packages

# apt-get install openvswitch-switch qemu-kvm libvirt-bin

And wait until all packages are downloaded and installed.
Afterwards, let’s continue by creating the new Open vSwitch bridge and destroying the default libvirt network.

Setup networking

# ovs-vsctl add-br ovsbr0
# virsh net-destroy default

Edit the config from the default bridge with this command.

# virsh net-edit default

Make sure you change the file to this:

<network>
<name>ovsbr0</name>
<forward mode='bridge'/>
<bridge name='ovsbr0'/>
<virtualport type='openvswitch'/>
</network>

Remove the old bridge completely and make sure the new bridge is autostarted.

# virsh net-undefine default
# virsh net-autostart ovsbr0

I’d like to keep my networking configuration in /etc/network/interfaces. That’s why I added the following section to that file.

auto ovsbr0
iface ovsbr0 inet static
   address 172.16.11.1
   network 172.16.11.0
   netmask 255.255.255.0
   broadcast 172.16.11.255

iface ovsbr0 inet6 static
   address 2001:xxxx:xxxx:1::1
   netmask 64

Test new installed KVM host

Now reboot your machine and check with the following commands whether your network is properly configured.

# virsh net-list
# ip addr
# ovs-vsctl show

Congratulations! You’ve installed a KVM host. Now you can proceed and install virtual machines on this new host. The network interfaces will be added to the freshly created Open vSwitch bridge.
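As an added check that is not part of the original post: a small POSIX shell script that verifies the state the three commands above should show after the reboot. It assumes the bridge name ovsbr0 and the address 172.16.11.1 used in this post (both overridable through the BRIDGE and ADDR environment variables) and parses the output formats of virsh net-info and ip -4 -o addr show. The parsing functions take the command output as text, so they can be exercised on a captured sample on a machine without libvirt.

```shell
#!/bin/sh
# verify_kvm_ovs.sh: added post-reboot checks, not part of the original post.
# Assumes the bridge name and address used in the post; override with
#   BRIDGE=... ADDR=... ./verify_kvm_ovs.sh --check
BRIDGE="${BRIDGE:-ovsbr0}"
ADDR="${ADDR:-172.16.11.1}"

# net_info_field FIELD: print one value ("Active", "Autostart", ...) from
# `virsh net-info` output read on stdin.
net_info_field() {
    awk -v key="$1:" '$1 == key { print $2; exit }'
}

# net_is_ready INFO_TEXT: succeed when the libvirt network described by the
# `virsh net-info` text is both active and set to autostart.
net_is_ready() {
    _active=$(printf '%s\n' "$1" | net_info_field Active)
    _auto=$(printf '%s\n' "$1" | net_info_field Autostart)
    [ "$_active" = "yes" ] && [ "$_auto" = "yes" ]
}

# bridge_has_addr IP_TEXT: succeed when `ip -4 -o addr show` output lists
# ADDR (followed by its prefix length) on BRIDGE. The "/" suffix stops
# 172.16.11.1 from matching 172.16.11.10.
bridge_has_addr() {
    printf '%s\n' "$1" | awk -v br="$BRIDGE" -v a="$ADDR/" \
        '$2 == br && index($4, a) == 1 { found = 1 } END { exit !found }'
}

# check_host: run the real commands on this host and report the first failure.
check_host() {
    for tool in ovs-vsctl virsh ip; do
        command -v "$tool" >/dev/null 2>&1 || { echo "$tool not found" >&2; return 2; }
    done
    ovs-vsctl br-exists "$BRIDGE" \
        || { echo "Open vSwitch bridge $BRIDGE does not exist" >&2; return 1; }
    net_is_ready "$(virsh net-info "$BRIDGE" 2>/dev/null)" \
        || { echo "libvirt network $BRIDGE is not active and autostarted" >&2; return 1; }
    bridge_has_addr "$(ip -4 -o addr show dev "$BRIDGE")" \
        || { echo "$ADDR is not configured on $BRIDGE" >&2; return 1; }
    echo "KVM/Open vSwitch host checks passed for $BRIDGE"
}

case "${1:-}" in
    --check) check_host ;;
esac
```

Run it as `./verify_kvm_ovs.sh --check` after the reboot; a non-zero exit tells you which of the three pieces (OVS bridge, libvirt network, host address) did not come up, which is the usual failure when the interfaces stanza or the net-autostart step was skipped.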

Edit on 2014/05/14 : changed the ovsbr0 XML file
Edit on 2014/05/28 : only tested on a Server installation of Ubuntu 14.04

Traffic shaper benchmark

These are the results of a traffic shaper benchmark. This previous post describes the complete configuration and setup instructions on OpenWRT.

I’ll be running a simple ping while doing a speedtest on speedtest.net.

Benchmark without shaping

Ping results

Below you can find the ping response times. The destination is www.google.com.

$ ping www.google.com
PING www.google.com (173.194.66.105) 56(84) bytes of data.
64 bytes from we-in-f105.1e100.net (173.194.66.105): icmp_req=1 ttl=47 time=24.9 ms
64 bytes from we-in-f105.1e100.net (173.194.66.105): icmp_req=2 ttl=47 time=18.9 ms
64 bytes from we-in-f105.1e100.net (173.194.66.105): icmp_req=3 ttl=47 time=19.6 ms
64 bytes from we-in-f105.1e100.net (173.194.66.105): icmp_req=4 ttl=47 time=52.7 ms
64 bytes from we-in-f105.1e100.net (173.194.66.105): icmp_req=5 ttl=47 time=134 ms
64 bytes from we-in-f105.1e100.net (173.194.66.105): icmp_req=6 ttl=47 time=89.8 ms
64 bytes from we-in-f105.1e100.net (173.194.66.105): icmp_req=7 ttl=47 time=177 ms
64 bytes from we-in-f105.1e100.net (173.194.66.105): icmp_req=8 ttl=47 time=246 ms
64 bytes from we-in-f105.1e100.net (173.194.66.105): icmp_req=9 ttl=47 time=250 ms
64 bytes from we-in-f105.1e100.net (173.194.66.105): icmp_req=10 ttl=47 time=210 ms
64 bytes from we-in-f105.1e100.net (173.194.66.105): icmp_req=11 ttl=47 time=368 ms
64 bytes from we-in-f105.1e100.net (173.194.66.105): icmp_req=12 ttl=47 time=307 ms
64 bytes from we-in-f105.1e100.net (173.194.66.105): icmp_req=13 ttl=47 time=391 ms
64 bytes from we-in-f105.1e100.net (173.194.66.105): icmp_req=14 ttl=47 time=21.2 ms
64 bytes from we-in-f105.1e100.net (173.194.66.105): icmp_req=15 ttl=47 time=63.1 ms
64 bytes from we-in-f105.1e100.net (173.194.66.105): icmp_req=16 ttl=47 time=300 ms
64 bytes from we-in-f105.1e100.net (173.194.66.105): icmp_req=17 ttl=47 time=366 ms
64 bytes from we-in-f105.1e100.net (173.194.66.105): icmp_req=18 ttl=47 time=190 ms
64 bytes from we-in-f105.1e100.net (173.194.66.105): icmp_req=19 ttl=47 time=412 ms
64 bytes from we-in-f105.1e100.net (173.194.66.105): icmp_req=20 ttl=47 time=464 ms
64 bytes from we-in-f105.1e100.net (173.194.66.105): icmp_req=21 ttl=47 time=148 ms
64 bytes from we-in-f105.1e100.net (173.194.66.105): icmp_req=22 ttl=47 time=499 ms
64 bytes from we-in-f105.1e100.net (173.194.66.105): icmp_req=23 ttl=47 time=658 ms
64 bytes from we-in-f105.1e100.net (173.194.66.105): icmp_req=24 ttl=47 time=507 ms
64 bytes from we-in-f105.1e100.net (173.194.66.105): icmp_req=25 ttl=47 time=485 ms
64 bytes from we-in-f105.1e100.net (173.194.66.105): icmp_req=26 ttl=47 time=734 ms
64 bytes from we-in-f105.1e100.net (173.194.66.105): icmp_req=27 ttl=47 time=704 ms
64 bytes from we-in-f105.1e100.net (173.194.66.105): icmp_req=28 ttl=47 time=52.2 ms
64 bytes from we-in-f105.1e100.net (173.194.66.105): icmp_req=29 ttl=47 time=893 ms
64 bytes from we-in-f105.1e100.net (173.194.66.105): icmp_req=30 ttl=47 time=885 ms
64 bytes from we-in-f105.1e100.net (173.194.66.105): icmp_req=31 ttl=47 time=298 ms
64 bytes from we-in-f105.1e100.net (173.194.66.105): icmp_req=32 ttl=47 time=18.5 ms
64 bytes from we-in-f105.1e100.net (173.194.66.105): icmp_req=33 ttl=47 time=20.5 ms
64 bytes from we-in-f105.1e100.net (173.194.66.105): icmp_req=34 ttl=47 time=18.1 ms
^C
--- www.google.com ping statistics ---
34 packets transmitted, 34 received, 0% packet loss, time 33036ms
rtt min/avg/max/mdev = 18.141/295.204/893.783/254.974 ms
$

Speedtest results

(Screenshot: Traffic shaper benchmark without shaping)

Benchmark with shaping

Ping results

$ ping www.google.com
PING www.google.com (173.194.67.106) 56(84) bytes of data.
64 bytes from wi-in-f106.1e100.net (173.194.67.106): icmp_req=1 ttl=47 time=19.1 ms
64 bytes from wi-in-f106.1e100.net (173.194.67.106): icmp_req=2 ttl=47 time=18.4 ms
64 bytes from wi-in-f106.1e100.net (173.194.67.106): icmp_req=3 ttl=47 time=18.2 ms
64 bytes from wi-in-f106.1e100.net (173.194.67.106): icmp_req=4 ttl=47 time=18.9 ms
64 bytes from wi-in-f106.1e100.net (173.194.67.106): icmp_req=5 ttl=47 time=24.4 ms
64 bytes from wi-in-f106.1e100.net (173.194.67.106): icmp_req=6 ttl=47 time=28.7 ms
64 bytes from wi-in-f106.1e100.net (173.194.67.106): icmp_req=7 ttl=47 time=25.6 ms
64 bytes from wi-in-f106.1e100.net (173.194.67.106): icmp_req=8 ttl=47 time=25.6 ms
64 bytes from wi-in-f106.1e100.net (173.194.67.106): icmp_req=9 ttl=47 time=30.8 ms
64 bytes from wi-in-f106.1e100.net (173.194.67.106): icmp_req=10 ttl=47 time=22.7 ms
64 bytes from wi-in-f106.1e100.net (173.194.67.106): icmp_req=11 ttl=47 time=24.2 ms
64 bytes from wi-in-f106.1e100.net (173.194.67.106): icmp_req=12 ttl=47 time=24.8 ms
64 bytes from wi-in-f106.1e100.net (173.194.67.106): icmp_req=13 ttl=47 time=22.7 ms
64 bytes from wi-in-f106.1e100.net (173.194.67.106): icmp_req=14 ttl=47 time=24.5 ms
64 bytes from wi-in-f106.1e100.net (173.194.67.106): icmp_req=15 ttl=47 time=22.1 ms
64 bytes from wi-in-f106.1e100.net (173.194.67.106): icmp_req=16 ttl=47 time=20.1 ms
64 bytes from wi-in-f106.1e100.net (173.194.67.106): icmp_req=17 ttl=47 time=19.7 ms
64 bytes from wi-in-f106.1e100.net (173.194.67.106): icmp_req=18 ttl=47 time=20.8 ms
64 bytes from wi-in-f106.1e100.net (173.194.67.106): icmp_req=19 ttl=47 time=21.1 ms
64 bytes from wi-in-f106.1e100.net (173.194.67.106): icmp_req=20 ttl=47 time=17.5 ms
64 bytes from wi-in-f106.1e100.net (173.194.67.106): icmp_req=21 ttl=47 time=21.9 ms
64 bytes from wi-in-f106.1e100.net (173.194.67.106): icmp_req=22 ttl=47 time=17.8 ms
64 bytes from wi-in-f106.1e100.net (173.194.67.106): icmp_req=23 ttl=47 time=19.9 ms
64 bytes from wi-in-f106.1e100.net (173.194.67.106): icmp_req=24 ttl=47 time=21.2 ms
64 bytes from wi-in-f106.1e100.net (173.194.67.106): icmp_req=25 ttl=47 time=18.0 ms
64 bytes from wi-in-f106.1e100.net (173.194.67.106): icmp_req=26 ttl=47 time=22.6 ms
64 bytes from wi-in-f106.1e100.net (173.194.67.106): icmp_req=27 ttl=47 time=20.8 ms
64 bytes from wi-in-f106.1e100.net (173.194.67.106): icmp_req=28 ttl=47 time=20.0 ms
64 bytes from wi-in-f106.1e100.net (173.194.67.106): icmp_req=29 ttl=47 time=18.6 ms
64 bytes from wi-in-f106.1e100.net (173.194.67.106): icmp_req=30 ttl=47 time=17.3 ms
64 bytes from wi-in-f106.1e100.net (173.194.67.106): icmp_req=31 ttl=47 time=20.3 ms
64 bytes from wi-in-f106.1e100.net (173.194.67.106): icmp_req=32 ttl=47 time=18.8 ms
64 bytes from wi-in-f106.1e100.net (173.194.67.106): icmp_req=33 ttl=47 time=17.5 ms
64 bytes from wi-in-f106.1e100.net (173.194.67.106): icmp_req=34 ttl=47 time=18.1 ms
64 bytes from wi-in-f106.1e100.net (173.194.67.106): icmp_req=35 ttl=47 time=18.5 ms
64 bytes from wi-in-f106.1e100.net (173.194.67.106): icmp_req=36 ttl=47 time=19.2 ms
64 bytes from wi-in-f106.1e100.net (173.194.67.106): icmp_req=37 ttl=47 time=18.2 ms
64 bytes from wi-in-f106.1e100.net (173.194.67.106): icmp_req=38 ttl=47 time=18.8 ms
^C
--- www.google.com ping statistics ---
38 packets transmitted, 38 received, 0% packet loss, time 37052ms
rtt min/avg/max/mdev = 17.320/21.026/30.842/3.183 ms
$

Speedtest results

(Screenshot: Traffic shaper benchmark with shaping)

Differences

1. With shaping : lower download and upload speeds.
2. With shaping : the speedtest has almost no impact on ping.
3. Without shaping : the speedtest reports higher speeds.
4. Without shaping : ping response times increased a lot during the speedtest. The average is 15 times higher during the speedtest.

Conclusion

1. The two speedtests show that the traffic shaper is limiting the amount of bandwidth that is used for uploads and downloads from the internet. This seems to be a disadvantage.
2. The ping results show that the speedtest has a high impact on the response times. With traffic shaping enabled, this impact goes away. This is a clear advantage and the primary reason why I do traffic shaping on my network. The traffic of my VoIP phones gets the same treatment as the ICMP packets. This results in better call quality.
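To put a number on the latency difference the two captures show, here is an added awk-based helper that is not from the original post. It reads a ping capture on stdin, recomputes min/avg/max/mdev the way iputils reports them (mdev is the population standard deviation of the round-trip times) and counts how many replies exceeded a latency threshold. The 100 ms default threshold is my choice, not a figure from the post.

```shell
#!/bin/sh
# ping_stats.sh: added example, not from the original post.
# Recomputes the summary line ping prints (min/avg/max/mdev) from a capture
# on stdin and counts replies above a latency threshold. Output is one line:
#   "min avg max mdev samples over_threshold"   (times in ms)

# ping_stats [THRESHOLD_MS]   reads a ping capture on stdin; default 100 ms
ping_stats() {
    awk -v limit="${1:-100}" '
        # Only echo-reply lines carry a "time=<ms> ms" field; the final
        # "time NNNNms" summary line does not match this pattern.
        /time=[0-9.]+ ms/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^time=/) { sub(/^time=/, "", $i); t = $i + 0 }
            n++; sum += t; sq += t * t
            if (n == 1 || t < min) min = t
            if (n == 1 || t > max) max = t
            if (t > limit) over++
        }
        END {
            if (n == 0) { print "no ping samples found" > "/dev/stderr"; exit 1 }
            avg = sum / n
            var = sq / n - avg * avg
            if (var < 0) var = 0        # rounding can make this slightly negative
            printf "%.3f %.3f %.3f %.3f %d %d\n", min, avg, max, sqrt(var), n, over
        }'
}

# Usage from a saved capture: ./ping_stats.sh --file capture.txt [THRESHOLD_MS]
case "${1:-}" in
    --file) ping_stats "${3:-100}" < "$2" ;;
esac
```

Run against the two captures above it reproduces the rtt lines ping printed, and the last column is the figure the conclusion is really about: in the capture without shaping 23 of the 34 replies are above 100 ms, in the capture with shaping none of the 38 are.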

Updating Snort Rules using Pulled Pork

In this previous post, I explained how to install Snort on Ubuntu 12.04. The next step is to make sure that your rules are up to date, which is done by updating the Snort rules with Pulled Pork. An IDS with an outdated rule set is as effective as an antivirus product that hasn’t been updated for a couple of months: it only gives you a false sense of security. We’ll describe the steps you have to take to update Snort rules using Pulled Pork.

This tool is not available for installation from the Ubuntu repositories. Therefore we have to install the tool and its prerequisites ourselves.

Install prerequisites

Pulled Pork requires two Perl libraries. On Ubuntu, you can install them like this.

# apt-get install libcrypt-ssleay-perl liblwp-protocol-https-perl

Install Pulled Pork

I downloaded the most recent version. It’s critical to download the latest version from the trunk. Version 0.6.1, which is available for download, doesn’t work anymore due to changes on the Emerging Threats website: you’ll get an error because the certificate isn’t valid.

root@ids:~# cd /usr/local/bin
root@ids:/usr/local/bin# wget http://pulledpork.googlecode.com/svn/trunk/pulledpork.pl
--2013-03-07 19:14:12--  http://pulledpork.googlecode.com/svn/trunk/pulledpork.pl
Resolving pulledpork.googlecode.com (pulledpork.googlecode.com)... 173.194.67.82, 2a00:1450:400c:c05::52
Connecting to pulledpork.googlecode.com (pulledpork.googlecode.com)|173.194.67.82|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 35444 (35K) [application/x-gzip]
Saving to: `pulledpork.pl'

100%[=====================================================================================================================================================================>] 35,444      --.-K/s   in 0.1s    

2013-03-07 19:14:12 (276 KB/s) - `pulledpork.pl' saved [35444/35444]

root@ids:/usr/local/bin# chmod 755 pulledpork.pl

Next I created a new directory in /etc for the configuration files.

root@ids:/usr/local/bin# mkdir /etc/pulledpork
root@ids:/usr/local/bin# cd /etc/pulledpork
root@ids:/etc/pulledpork# wget http://www.rivy.org/custom/pulledpork.conf

After fetching the config file, you still have to go to snort.org, make an account to become a registered user and create your own personal oinkcode. You have the choice between getting the most recent signatures and signatures which are one month old. If you want the most recent signatures, you have to pay a small fee. When you have your oinkcode, place it in pulledpork.conf.

Configuration of Snort

Since we want to enable the dynamic rules, we make sure the second of the following two lines in /etc/snort/snort.conf is no longer commented out.

# path to dynamic rules libraries
dynamicdetection directory /usr/lib/snort_dynamicrules

And we also want to create that directory.

# mkdir /usr/lib/snort_dynamicrules

Remove all include rules from the main config by executing this.

sed -i '/^include $RULE_PATH/d' /etc/snort/snort.conf

And execute the following 2 commands to add the include rules.

echo "include \$RULE_PATH/snort.rules" >> /etc/snort/snort.conf
echo "include \$RULE_PATH/local.rules" >> /etc/snort/snort.conf

Delete the current rules

rm /etc/snort/rules/*.rules

Add the following variable to /etc/snort/snort.conf (first part of the file)

# List of file data ports for file inspection
portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143]

Running pulledpork

This command will run pulledpork and update your rules.

# pulledpork.pl -c /etc/pulledpork/pulledpork.conf
...
Rule Stats...
	New:-------185
	Deleted:---3
	Enabled Rules:----16662
	Dropped Rules:----0
	Disabled Rules:---15312
	Total Rules:------31974
No IP Blacklist Changes

Done
Please review /var/log/sid_changes.log for additional details
Fly Piggy Fly!

After updating your rules, you always have to restart snort. Make sure that you didn’t get any errors during the restart. If you received errors, check the /var/log/syslog file and try to fix the issue.

# service snort restart