Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
General Discussion
»
Announcing: Quantum Insert detection for OPNsense via HoneyBadger
« previous
next »
Print
Pages: [
1
]
Author
Topic: Announcing: Quantum Insert detection for OPNsense via HoneyBadger (Read 4110 times)
honeybadger
Newbie
Posts: 1
Karma: 2
Announcing: Quantum Insert detection for OPNsense via HoneyBadger
«
on:
February 23, 2016, 12:06:52 pm »
Dear Edward Snowden, OPNsense users, TCP abolitionists and Cypherpunks,
Comprehensive Quantum Insert detection is coming to OPNsense!
I'd like to let you all know about HoneyBadger a passive TCP protocol analyzer I wrote to detect TCP injection attacks.
These so called "Quantum Insert" attacks are used to deliver 0-day payloads so that various oppressive political entities world wide can use it for targeted surveillance of real people to violate their human rights.
https://github.com/david415/HoneyBadger
https://honeybadger.readthedocs.org/
There are some other tools that also detect *some* of these Quantum Insert attacks, but I think you might be interested
in using HoneyBadger instead of those other tools because :
- HoneyBadger is written in golang because langsec; language security is an important consideration and I'd like to point out
the IDS software written in C has had a long history of remote code execution vulnerability.
- HoneyBadger is comprehensive; I've classified TCP injection attacks into 5 categories:
1. handshake hijack
2. segment veto
3. sloppy injection
4. ordered coalesce
5. censorship injection (FIN/RST injection)
Soon I will be publishing a blog post about these attacks and detection. HoneyBadger can currently detect types 1 - 4; though we do have an experimental dev branch that can detect type 5 censorship injection.
Currently, HoneyBadger isn't super user-friendly; it's a tool for hackers and power-users, however I think there's lots of potential for developing a simple web UI for OPNsense users. Basically what I have in mind is two dynamic web pages:
1. a honeybadger configuration page
2. a logs and attack reporting page
Here's a funny blog post that was recently brought to my attention; it's written by someone who intentionally Quantum Inserted all his website visitors to see if anyone actually noticed :
http://www.tedunangst.com/flak/post/on-the-detection-of-quantum-insert
This begs the question;
Does anyone actually care to know if their Internet traffic has been attacked by Quantum Inserts?
Cheers from Berlin,
David Stainton
«
Last Edit: February 23, 2016, 12:09:08 pm by honeybadger
»
Logged
franco
Administrator
Hero Member
Posts: 17681
Karma: 1613
Re: Announcing: Quantum Insert detection for OPNsense via HoneyBadger
«
Reply #1 on:
February 23, 2016, 10:13:59 pm »
Hi David,
Thanks for bringing this to our attention and Shawn adding a FreeBSD port so quickly. Tomorrow's 16.1.4 will have the package ready for manual installation and general tinkering.
We invite everyone interested to try it. To install, simply run:
# pkg install honeybadger
And then follow David's docs for command line operation. Looking forward to your feedback.
https://honeybadger.readthedocs.org/en/latest/#deployment-on-hardenedbsd-example
Cheers,
Franco
Logged
interfaSys
Full Member
Posts: 165
Karma: 13
Re: Announcing: Quantum Insert detection for OPNsense via HoneyBadger
«
Reply #2 on:
February 25, 2016, 12:07:50 am »
It would be good to be able to use it in parallel with Suricata in IPS mode which uses netmap and turns off the interface's promiscuous mode
«
Last Edit: February 25, 2016, 12:15:21 am by interfaSys
»
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
General Discussion
»
Announcing: Quantum Insert detection for OPNsense via HoneyBadger