macbroadcast´s blog

Snort Intrusion Detection System w/ BASE
January 24, 2012, 5:42 am
Filed under: DNS, Hacking, howto, linux

While looking at Snort I came across a rather interesting note:

Snort was first released in 1998 as a Unix program. Its developer, Martin Roesch, later founded the company Sourcefire. Besides the GNU GPL-licensed version of Snort, Sourcefire also offers a commercial variant that provides additional detection and analysis methods. Sourcefire sells enterprise solutions for Network Security Monitoring (NSM) with specially developed hardware and commercial support. In early October 2005, Check Point, with international headquarters in Tel Aviv, Israel, attempted to acquire Sourcefire. The purchase price was given as about 225 million dollars. The acquisition failed in early 2006 because of resistance from the US federal government.

Here in Germany there seems to be only one authority in this field, Ralf Spenneberg, who also gives training courses and seminars and writes books about it. Interesting in this context: the federal government has commissioned a security company that uses SNORT.


IDS and firewalls with rate-limiting or source Access Control List (ACL) capabilities seem to be a common way to detect attacks. Once DDoS attack sources are identified, IDS or firewalls can start dropping or rate-limiting packets from those sources. Snort and BASE seem to be the de facto standard for intrusion detection and prevention; there is a nice howto and install guide for Debian (.pdf) and one for OPENWRT. Snorby is worth a look too :)


Expanding VP8 Hardware Decoder for Full WebP Support
June 23, 2011, 11:50 pm
Filed under: openCU, openCV, socialweb, streaming

With the recent launch of WebP support in Chrome, Picasa and Gmail, we’re happy to announce that the third generation G-Series 1 VP8 hardware decoder, called “Chip Shot,” now offers full 256 Megapixel support for WebP still images. The G-Series 1 is available for licensing at no cost through the WebM Project hardware page.

Chip Shot is part of our new golf theme for VP8 hardware decoders, as we noticed that most of the engineers working on the G-Series decoder are very fond of the sport.


The G-Series 1 decoder offers both 1080p 30 frames per second WebM and 36.5 Megapixels per second WebP processing at around 100 MHz clock rate. It is a full hardware implementation, requiring a mere 2 MHz host CPU load even when processing 1080p video or any size WebP images. The decoder uses 380 kilogates of logic area and 52 kilobytes of embedded single-port memory. The logic consumes a negligible 27 mW of power at 1080p resolution, ensuring many hours of video playback time on battery-operated devices.

Based on the previous releases of the silicon-proven G-Series 1 decoder IP, Chip Shot is a low-risk solution for anyone who wants to enable WebM and WebP support on their chipsets or SOCs. Including all G-Series 1 versions that support WebM, we have released over 50 decoders to our semiconductor partners worldwide to date.

IPsec/L2TP gateway for Android and iPhone clients on OpenWRT
March 27, 2011, 3:42 pm
Filed under: Hacking, ipv6

How to set up an OpenWRT router/gateway as an IPsec/L2TP gateway for Android and iPhone clients. Copyright © Dr. Rene Mayrhofer

The only “reasonable” (that is, not counting PPTP due to its known security issues) VPN protocol supported by default on non-rooted / non-jailbroken Android / iPhone phones as clients is the combination of IPsec and L2TP. Most probably, this was chosen due to its out-of-the-box support by newer Windows clients and MacOS/X as well.

The set-up described on this page therefore focuses on setting up a Linux VPN server to act as a gateway for Android and iPhone clients without additional software installations on the mobile phones. For convenience, I chose OpenWRT as the gateway Linux distribution so that the gateway can run on my old Asus WL-500G Premium (v1) WLAN router (which has sufficient internal flash and RAM to support such use-cases, as well as hardware-accelerated crypto support).

Most of the information on this page has been copied from various sources, most notably Jacco de Leeuw‘s excellent tutorial page, which he has been updating for years already, and taking some hints from here concerning Android and X.509 certificates. We had previous contact in terms of Debian support of L2TP in my openswan and strongswan packages, and he has a lot of experience with corner cases in different clients. Thanks to Jacco for his continuous efforts.

Client authentication is typically performed in two stages:

  1. IPsec authenticates the “outer” transport mode connection, either via
    • pre-shared key (PSK) or
    • X.509 certificates (with corresponding private keys on the gateway and the clients)
  2. L2TP invokes an inner PPP tunnel, which then authenticates based on user/password combination, most typically via the MSCHAP-v2 challenge-response protocol.

Many clients either don’t support X.509 certificate authentication or make it hard to set up. Therefore, I will start with PSK IPsec authentication.

Server installation

At the time of this writing, the newest OpenWRT release is “backfire” (10.03), and on the Asus WL-500GP I chose the newer kernel 2.6 with the brcm47xx target image. Starting from the default install, the following packages need to be added (e.g. using opkg on the shell or the LuCi package management interface):

  • kmod-ocf-ubsec-ssb for hardware-accelerated crypto support
  • openswan as IPsec IKE daemon
  • ipsec-tools for the “setkey” command
  • xl2tpd as L2TP server (there are multiple L2TP server implementations available; I chose xl2tpd because of its known-good integration with openswan and because it is being actively maintained)
  • iptables-mod-ipsec kmod-ipsec4 kmod-ipsec6 kmod-ipt-ipsec for kernel support modules.

If, in addition to the IPsec/L2TP protocol, another option with sometimes better NAT traversal support is desired, then I recommend OpenVPN (which has clients for most operating systems). For OpenVPN support, the following packages are installed on OpenWRT:

  • luci-app-openvpn for a simple administration interface
  • openvpn-easy-rsa for certificate management

Server configuration

The first part to configure is IPsec in the form of openswan /etc/ipsec.conf file. Simply add a block:

conn L2TP-PSK

and exclude the locally used network from virtual_private in the config setup block, if it is a “private” address range, e.g.:


for a local address range of

The specific configuration options are documented in detail in the ipsec.conf manual page and are thus not repeated here. In essence, this block adds an IPsec policy for PSK-authenticated connections that only allows UDP port 1701 (L2TP), but from any source address connecting via the gateway default route.

Then, the PSK is configured in /etc/ipsec.secrets (which may not exist on a default installation and needs to be created):

%any %any : PSK "your super secret password here"

To automatically start the IPsec service on bootup, first create a file /etc/modules.d/99-local-ipsec:


and create a symlink to start openswan pluto with ln -s /etc/init.d/ipsec /etc/rc.d/S99ipsec.

Next, to configure the L2TP server, edit /etc/xl2tpd/xl2tpd.conf to read like this:

port = 1701
;auth file = /etc/xl2tpd/xl2tp-secrets
access control = no
ipsec saref = yes

[lns default]
exclusive = yes
ip range =
local ip =
;hidden bit = no
length bit = yes
name = VPNServer
ppp debug = yes
require authentication = yes
unix authentication = no
require chap = yes
refuse pap = yes
pppoptfile = /etc/ppp/options.xl2tpd

The PPP options file /etc/ppp/options.xl2tpd should contain these options:


# CCP seems to confuse Android clients, better turn it off
lcp-echo-interval 120
lcp-echo-failure 10
idle 1800
connect-delay 5000

mtu 1400
mru 1400

where the local IP addresses and ranges in both files will obviously need to be adapted. Note that all addresses should be within the local network to which the L2TP server provides access. User names and passwords are configured in /etc/ppp/chap-secrets without any special considerations, including the possibility to specify static IP addresses for users.

Also create a symlink to start xl2tpd with ln -s /etc/init.d/xl2tpd /etc/rc.d/S99xl2tpd.

Finally, create a firewall rule (e.g. via LuCi) to allow access from the WAN interface to UDP ports 500 and 4500 as well as the ESP protocol. A more specific rule that allows L2TP traffic from the WAN interface only when it is encrypted with IPsec cannot be set in the interface and therefore must be entered manually, e.g. in /etc/firewall.user:

iptables -A input_wan -m policy --strict --dir in --pol ipsec --proto esp -j ACCEPT
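As an added illustration (not part of the original howto), the following script prints the complete set of WAN input rules this gateway needs, including the policy-matched L2TP rule, and adds a small review check that flags any ruleset accepting UDP 1701 in cleartext. The chain name input_wan is taken from the rule above; the script itself is my own assumption and only prints the iptables commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the original post): print the /etc/firewall.user rules
# for the IPsec/L2TP gateway so they can be reviewed before being applied.
# "input_wan" is the chain name used above; the ports are the standard
# IKE (500), NAT-T (4500) and L2TP (1701) values.
l2tp_ipsec_rules() {
    chain="${1:-input_wan}"
    # IKE and NAT-T, plus raw ESP, must reach openswan from the WAN side.
    echo "iptables -A $chain -p udp --dport 500 -j ACCEPT"
    echo "iptables -A $chain -p udp --dport 4500 -j ACCEPT"
    echo "iptables -A $chain -p esp -j ACCEPT"
    # L2TP only once the packet has been decrypted from an ESP SA. The policy
    # match inspects the inbound IPsec policy of the (already decrypted) packet,
    # so a cleartext UDP 1701 packet from the Internet never matches this rule
    # and falls through to the chain's default policy.
    echo "iptables -A $chain -p udp --dport 1701 -m policy --dir in --pol ipsec --proto esp -j ACCEPT"
}

# Review check for a ruleset given as text: returns 0 (true) if any rule ACCEPTs
# UDP 1701 without an IPsec policy match, which would expose the L2TP/PPP
# authentication exchange to the cleartext WAN.
accepts_cleartext_l2tp() {
    printf '%s\n' "$1" | grep -- '--dport 1701' | grep -- '-j ACCEPT' \
        | grep -qv -- '--pol ipsec'
}
```

Rule order matters: the policy-matched ACCEPT must come before any broader rule for the same port, and the chain's default action must remain a drop or reject.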

Using strongSwan on an Alix 2D13 AMD Geode board

As an alternative to an OpenWRT installation running on a common (typically ARM or MIPS based) access point, I also use my own Gibraltar firewall Linux distribution, running e.g. on Alix 2D13 embedded network appliance boards with AMD Geode CPUs. The only catch here is that strongSwan needs to be compiled with support for IPsec transport mode (in combination with NAT traversal). This requires the configure option --enable-nat-transport, which is disabled by default. My Debian packages enable this option starting with version 4.5.0-1, and Gibraltar version 3.1 includes updated packages with this option enabled.

As mobile devices typically only support IKEv1 but not IKEv2 at the time of this writing, plutostart=yes is required in the config setup section of ipsec.conf for strongSwan. All other configuration options (e.g. the conn section or the xl2tpd configuration) are equal to the ones for OpenWRT as described above.

For improved performance specifically with AMD Geode CPUs, load the geode_aes kernel module for hardware AES acceleration (128 bits only, though).

Client configuration

On Android clients, simply use the supplied settings screen to create an IPsec/L2TP connection, specifying the PSK, username, password, and obviously the server hostname or IP address. This allows the Android client to connect and obtain an internal IP address.

Unfortunately, at the time of this writing, testing with an HTC Desire and the stock Android 2.2 ROM leads to automatic disconnects after 10s when connecting to the OpenWRT gateway, seemingly initiated by the Android device (‘rcvd [LCP TermReq id=0x3 “User request”]’ is printed in the server log). I am still searching for this issue. However, the connection works well and is not terminated automatically when connecting from the same mobile phone to a Gibraltar firewall 3.1 with strongswan 4.4.1-6, xl2tpd 1.2.0+dfsg-1, and ppp 2.4.4rel-10.1 Debian packages.

Copyright © Rene Mayrhofer unless stated otherwise | OpenPGP key fingerprint: 7FE4 0DB5 61EC C645 B2F1 C847 ABB4 8F0D C3C2 4BD

Availability of WebM (VP8) Video Hardware IP Designs
January 17, 2011, 10:08 pm
Filed under: Softwarepatents, streaming

Hello from the frigid city of Oulu, in the far north of Finland. Our WebM hardware development team, formerly part of On2 Technologies, is now up-to-speed and working hard on a number of video efforts for WebM.

  • VP8 (the video codec used in WebM) hardware decoder IP is available from Google for semiconductor companies who want to support high-quality WebM playback in their chipsets.
  • The Oulu team will release the first VP8 video hardware encoder IP in the first quarter of 2011. We have the IP running in an FPGA environment, and rigorous testing is underway. Once all features have been tested and implemented, the encoder will be launched as well.

WebM video hardware IPs are implemented and delivered as RTL (VHDL/Verilog) source code, which is a register-level hardware description language for creating digital circuit designs. The code is based on the Hantro brand video IP from On2, which has been successfully deployed by numerous chipset companies around the world. Our designs support VP8 up to 1080p resolution and can run 30 or 60fps, depending on the foundry process and hardware clock frequency.

The WebM/VP8 hardware decoder implementation has already been licensed to over twenty partners and is proven in silicon. We expect the first commercial chips to integrate our VP8 decoder IP to be available in the first quarter of 2011. For example, Chinese semiconductor maker Rockchip last week demonstrated full WebM hardware playback on their new RK29xx series processor at CES in Las Vegas (video below).

Note: To view the video in WebM format, ensure that you’ve enrolled in the YouTube HTML5 trial and are using a WebM-compatible browser. You can also view the video on YouTube.

Hardware implementations of the VP8 encoder also bring exciting possibilities for WebM in portable devices. Not only can hardware-accelerated devices play high-quality WebM content, but hardware encoding also enables high-resolution, real-time video communications apps on the same devices. For example, when VP8 video encoding is fully off-loaded to a hardware accelerator, you can run 720p or even 1080p video conferencing at full framerate on a portable device with minimal battery use.

The WebM hardware video IP team will be focusing on further developing the VP8 hardware designs while also helping our semiconductor partners to implement WebM video compression in their chipsets. If you have any questions, please write to us or visit our Hardware page.

Happy New Year to the WebM community!

Jani Huoponen, Product Manager
Aki Kuusela, Engineering Manager


NVIDIA Adds GPU Acceleration for OpenCV Application Development
September 23, 2010, 6:19 pm
Filed under: openCU, streaming

CUDA Support for OpenCV Paves the Way for New Mainstream Computer Vision-Based Applications, From Next-Generation Robotics to Safer Automobiles

SANTA CLARA, CA, Sep 23, 2010 (MARKETWIRE via COMTEX) — NVIDIA today announced CUDA support for OpenCV, the popular Computer Vision library used in developing advanced applications for the robotics, automotive, medical, consumer, security, manufacturing, and research fields.

With the addition of GPU acceleration to OpenCV, developers can run more accurate and sophisticated OpenCV algorithms in real-time on higher-resolution images while consuming less power. This will facilitate the development of scores of new, mainstream Computer Vision applications.

With thousands of developers and well over two million downloads to date, OpenCV is a popular Computer Vision library for the development of computational-intensive and powerful applications, many of which require robust real-time performance. For example, the new OpenCV depth calculation engine performs 5-10 times faster with GPU acceleration than with the equivalent CPU-only implementation.

more via marketwatch

openCV examples
June 19, 2010, 11:44 am
Filed under: Hacking, ipv6, socialweb

Google to Open-source VP8 for HTML5 Video
April 12, 2010, 9:57 pm
Filed under: streaming

[Image: H.264 (left) and On2's VP8 (right)]

Google will soon make its VP8 video codec open source, we’ve learned from multiple sources. The company is scheduled to officially announce the release at its Google I/O developers conference next month, a source with knowledge of the announcement said. And with that release, Mozilla — maker of the Firefox browser — and Google Chrome are expected to also announce support for HTML5 video playback using the new open codec.

Freeing VP8
Simply open sourcing it and making it available under a free license doesn’t help. That just provides open source code for a codec whose relevant patents are held by a commercial entity, and any other entity using it would still need to be afraid of using that technology, even if its use is free.


Yesterday at MIX Dean (general manager of the IE team) announced the availability of the first IE9 Platform Preview for developers. Dean also committed to updating the preview approximately every eight weeks. There is a good article on Beta News covering some of the technical details of the release. A key part of the announcements was the support for hardware accelerated HTML5 including supporting the video tag with the H.264 codec.