Snort preinstalled in QubesOS


Jonas

Jun 23, 2020, 8:57:10 AM6/23/20
to qubes...@googlegroups.com
Why is no network intrusion detection system preinstalled?

And why is there no firewall popup asking whether to allow outgoing and incoming network connections, like in OpenSnitch?



Sent from ProtonMail mobile


bradbury9

Jul 7, 2020, 8:39:39 AM7/7/20
to qubes-devel
NIDS: Should be pretty straightforward in the QubesOS architecture, just create a proxyVM and install the NIDS software in its template. After you are done configuring it, boot it, check network connectivity and if everything is fine, configure the VMs to use the nidsVM as their network VM.

HIDS: I really do not see its use case. If you are in need of a HIDS, either you don't trust what is installed on the template (you should not install untrusted software in it) or the VM usage is not trusted (you should be using disposable VMs, and Qubes has them).

The only use case I find for a HIDS is if you have a VM serving as a server, and want to really know there is nothing suspicious in its private files.
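The proxyVM setup described above, as an added example that is not code from the thread or from the Qubes project: dom0 shell functions that clone a template for the NIDS packages, create the proxy qube, check its connectivity, and repoint client qubes at it. The qube and template names (nids-template, sys-nids, sys-firewall, fedora-32, work) are assumptions, and DRY_RUN=1 (the default) only prints the qvm-* commands instead of running them.

```shell
#!/bin/sh
# Added example for this thread, not code from the thread or from Qubes OS.
# Run in dom0. Qube names and the template are assumptions: adjust them.
NIDS_TEMPLATE="${NIDS_TEMPLATE:-nids-template}"   # template that gets the NIDS packages
NIDS_VM="${NIDS_VM:-sys-nids}"                    # the proxy qube that inspects traffic
UPSTREAM="${UPSTREAM:-sys-firewall}"              # where sys-nids sends traffic onward
DRY_RUN="${DRY_RUN:-1}"                           # 1 = only print the qvm-* commands

run() {
    # Print the dom0 command (dry run) or execute it.
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

create_nids_qube() {
    # $1 is the source template to clone, e.g. fedora-32. Cloning keeps the
    # IDS software out of the template that your other qubes share.
    run qvm-clone "$1" "$NIDS_TEMPLATE"
    # provides_network=True is what makes the qube a proxy qube, i.e. a
    # valid netvm for other qubes; its own netvm is the upstream firewall.
    run qvm-create --class AppVM --template "$NIDS_TEMPLATE" --label orange \
        --property provides_network=True --property netvm="$UPSTREAM" "$NIDS_VM"
}

check_connectivity() {
    # Boot the proxy qube and confirm it can reach the network before
    # anything is routed through it (the "check network connectivity" step).
    run qvm-start "$NIDS_VM"
    run qvm-run -p "$NIDS_VM" 'ping -c 3 -W 2 9.9.9.9 >/dev/null && echo ok'
}

attach_clients() {
    # Route each listed qube through the NIDS qube. Their traffic then
    # appears on the NIDS qube's vif* interfaces, where the sensor listens.
    for vm in "$@"; do
        run qvm-prefs "$vm" netvm "$NIDS_VM"
    done
}
```

Review the printed commands first, then rerun with DRY_RUN=0 to apply them.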

Zrubi

Jul 17, 2020, 8:42:08 AM7/17/20
to qubes...@googlegroups.com

On 2020-06-23 12:57, 'Jonas' via qubes-devel wrote:
> Why is no network intrusion detection system preinstalled?
>
> And why is there no firewall popup asking whether to allow outgoing and
> incoming network connections, like in OpenSnitch?

I have already made a PoC about this:
http://zrubi.hu/en/2017/traffic-analysis-qubes/

Why it is not a default?
Probably because:
- it is not trivial to setup the intrusion rules,
- it may provides an additional attack surface,
- it is surely not needed for everyone ;)

Regards:
--
Zrubi

OutBackdingo

Jul 17, 2020, 10:34:55 AM7/17/20
to qubes...@googlegroups.com

On 7/17/20 7:42 PM, Zrubi wrote:
> On 2020-06-23 12:57, 'Jonas' via qubes-devel wrote:
>> Why is no network intrusion detection system preinstalled?
>>
>> And why is there no firewall popup asking whether to allow outgoing and
>> incoming network connections, like in OpenSnitch?
> I have already made a PoC about this:
> http://zrubi.hu/en/2017/traffic-analysis-qubes/
>
> Why it is not a default?
> Probably because:
> - it is not trivial to setup the intrusion rules,
> - it may provides an additional attack surface,
> - it is surely not needed for everyone ;)


I think Suricata would be the better choice here....

Scarpafo Scarpafo

Jul 17, 2020, 10:48:46 AM7/17/20
to OutBackdingo, qubes-devel
Hello

Just create a template with security tools so you can do what you need. I think QubesOS doesn't have to add it by default, but this would be good to have in some kind of community security template.

--
You received this message because you are subscribed to the Google Groups "qubes-devel" group.
To unsubscribe from this group and stop receiving emails from it, send an email to qubes-devel...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-devel/984d7bec-1274-64e8-bf9a-3f38c10d4a43%40gmail.com.

Zrubi

Jul 17, 2020, 11:02:41 AM7/17/20
to qubes...@googlegroups.com

On 2020-07-17 14:34, OutBackdingo wrote:

> I think Suricata would be the better choice here....
Have you read my blog?
That's what I used too :)

--
Zrubi

Scarpafo Scarpafo

Jul 17, 2020, 11:12:30 AM7/17/20
to Zrubi, qubes-devel
No sorry, I will :)


Outback Dingo

Jul 18, 2020, 12:23:49 AM7/18/20
to bradbury9, qubes-devel


On Tue, Jul 7, 2020, 19:39 bradbury9 <ray.br...@gmail.com> wrote:
NIDS: Should be pretty straightforward in the QubesOS architecture, just create a proxyVM and install the NIDS software in its template. After you are done configuring it, boot it, check network connectivity and if everything is fine, configure the VMs to use the nidsVM as their network VM.

HIDS: I really do not see its use case. If you are in need of a HIDS, either you don't trust what is installed on the template (you should not install untrusted software in it) or the VM usage is not trusted (you should be using disposable VMs, and Qubes has them).

The only use case I find for a HIDS is if you have a VM serving as a server, and want to really know there is nothing suspicious in its private files.

My guess is you've never had a desktop hacked into....


On Tuesday, 23 June 2020 at 14:57:10 UTC+2, Jonas wrote:
Why is no network intrusion detection system preinstalled?

And why is there no firewall popup asking whether to allow outgoing and incoming network connections, like in OpenSnitch?



Sent from ProtonMail mobile



Scarpafo Scarpafo

Jul 18, 2020, 12:33:24 AM7/18/20
to Outback Dingo, bradbury9, qubes-devel
Stay cool guys. Be nice.

You can use the HIDS as an EDR, but you need a server in the backend. The problem is we are speaking about a laptop most of the time, and using all these server features on a laptop will drop the battery from 2h with QubesOS to 10 min xD...

Jonas

Jul 18, 2020, 5:21:43 AM7/18/20
to ma...@zrubi.hu, qubes...@googlegroups.com
No, can you give me the link to it?

I have already chosen Suricata, but I have not found a notify tool.

But I wrote some tool for this.

Www.Pastebin.com/AnFmShSP






Sent from ProtonMail mobile



-------- Original Message --------

On 17 July 2020, 17:02, Zrubi wrote:

On 2020-07-17 14:34, OutBackdingo wrote:

> I think Suricata would be the better choice here....
Have you read my blog?
That's what I used too :)

--
Zrubi

Zrubi

Jul 22, 2020, 11:44:10 AM7/22/20
to Jonas, qubes...@googlegroups.com

On 2020-07-18 09:21, 'Jonas' via qubes-devel wrote:
> No, can you give me the link to it?
>
> I have already chosen Suricata, but I have not found a notify tool.
>
> But I wrote some tool for this.
>
> Www.Pastebin.com/AnFmShSP <http://Www.Pastebin.com/AnFmShSP>

Here is my PoC solution:
http://zrubi.hu/en/2017/traffic-analysis-qubes/

--
Zrubi