Blog

5/13/16

Digging into IDS/IPS tech a bit more. I have become quite happy/familiar with Junos, running an SRX240, 2x EX3200 and an EX2200 at home. A slight problem came up: how to use less power and rack space but still utilize my Snort rules subscription? BTW, Juniper IPS is nothing to shake a stick at, but at the cost of a small fortune each year, let's dig into something a bit more pocket friendly.

After some research, SnortSam came onto the radar, but it seems to have been abandoned :( SnortSam seemed as though it was intended to use already in-place sensors and forward events off to your edge firewalls, etc., for a somewhat reactive NGIPS. So, after that fail, I came across something rather intriguing: JIST. JIST (Juniper IPS Signature Translator) is a very rare gem... a tool by a large security company for using free Snort rules in their IDP engine. It's rather rough, and I will have to play with it a bit. The newest release as of 2010 is v1.2 for CentOS and v1.3 for Debian-based Linux. It can be had here (note: you will need at least a customer login to download, AFAIK): https://download.juniper.net/software/idp/jist.tar.gz

Looking inside, I can see that CentOS was their target platform, and after some time they ported it to Debian. There are also two Python scripts which, looking through the code, are at best guess a pure Python version that is very experimental. This snippet of a code comment proves that :)

                # A war was lost for want of a screw,
                # A day was screwed, for want of this "continue"... :)
                continue


3/11/16

Purchased a Decru E515v2 on eBay for $25. After numerous attempts to have NetApp (which acquired Decru back in 2005??) transfer ownership of the appliance, apparently they are very stiff on 3rd-party deals. So, I have to hack around a bit. The unit came with a partial rail kit, the E515v2 itself, a CD and two System cards.

The management software (DMC) comes with its own portable JRE 1.6 and would error out while trying to initialize the system with a "java.lang.NullPointerException". This was due to the fact that it was missing a GemPlus card reader on the management station. So, I bought a USB Gemalto reader and installed everything on an XP Pro VM. DMC calls for either XP or Vista, although it will run on Windows 10. The drivers are nonexistent for the specific GemPlus reader I have, but maybe newer versions will work with DMC. I am awaiting some more Expresso 64k FIPS cards to use as recovery cards, which are required to initialize the system.

If the datasheets are true and I can get AES-256 via CIFS/NFS/iSCSI at gigabit wire speed, this might be some fun. Otherwise, I'll rip out the PCI-X HSM and see if I can hack around with it. Side note: apparently my E515 has a CryptoShred button; if you either press the red button on the front, open the case, or let the unit sit unpowered for 3 months, the HSM deletes the crypto keys.