I often need to convert avi, mkv, mp4 or some other video format to generic DVD.  Using a Mac, I’ve found that this processes is a pain in the ass.  It surprises me that there are very few tools for pulling this together.  I spent a few days searching and see that there was a few tools, but they were either dead projects, or not stable.  Don’t get me wrong, FFMpegX is pretty good at converting video formats, but trying to use it to actually make a dvd with subtitles just doesn’t work for me.  I did notice that it was based of the opensource ffmpeg, dvdauthor and cdrtools projects, so I decided to use my Darwin Ports system to install the packages (With all prerequisites)  and use the command line tools to do all the conversion.

sudo port install ffmpeg

sudo port install dvdauthor

sudo port install cdrtools

I had no clue how easy the command line tools would be to use and decided to document for my own use later.  Most of my info came from http://atomized.org/2005/03/converting-divxxvid-avi-to-dvd-with-ffmpeg/

Step 1)  Convert Source file to DVD video format

The first thing you need to do is convert the video file to a mpeg2 file with the proper video dimensions 720×480.  Luckily the FFMpeg package has a predefined template for it ‘-target ntsc-dvd, or -target pal-dvd for europe’.  Since I have a widescreen plasma screen, I use the 16:9 aspect ratio, if you have a more square tv, or if you just want your file more square use the ‘-aspect 4:3′  The ffmpeg faq has some great info on additional options like converting videos to play on game consoles or smart phones or even to just a different format.  FFMPEG can be downloaded from http://www.ffmpeg.org for non-osx systems

ffmpeg -i MyMovie.avi -target ntsc-dvd -aspect 16:9 -sameq MyMovie.mpg

Step 2) Add Subtitles (If Needed)

The easiest way to add subtitles to your newly created mpeg2 file is with DVDAuthor’s spumux tool.  This tool is a bit confusing to use, so I’ll try to make this as simple as possible.  First you need to make a xml config file for each subtitle you want to add.  Here is the one I make, and tend to use over and over by copying the file and changing the subfile name inside. Get the DVDauthor tools here http://dvdauthor.sourceforge.net

<subpictures>
<stream>
<textsub filename=”ongbak.3.english.srt” characterset=”ISO8859-1″
fontsize=”28.0″ font=”Geneva.ttf”
horizontal-alignment=”center”
vertical-alignment=”bottom” left-margin=”40″
right-margin=”40″
top-margin=”20″ bottom-margin=”30″
subtitle-fps=”25″
movie-fps=”25″ movie-width=”720″ movie-height=”480″
force=”yes”
/>
</stream>
</subpictures>

Here is a simple breakdown of what is going on in this config. Better definition found here http://dvdauthor.sourceforge.net/doc/spumux.html

• filename – This is the subtitle file you will be attaching.
• characterset – This is the characterset for your subtitle text to use in the film.  For english you can use ISO8859-1, for other languages reference http://en.wikipedia.org/wiki/Character_encoding
• fontsize – This is the size of the font to display in the movie
• font – Which font to show as.  The fonts used by spumux are locate in ~/.spumux/
• horizontal-alignment – Where to place the subtitles in the film, {left, right, center}
• vertical-alignment - Where to place the subtitles on the film {top, center, bottom}
• right-margin – Don’t really understand these
• left-margin – Don’t really understand these
• top-margin – Don’t really understand these
• bottom-margin – Don’t really understand these
• subtitle-fps – Just set this to 25, for DVD
• movie-fps – Just set this to 25, for DVD
• movie-width – for DVD set to 720 for wide or 640 4:3
• movie-height – for dvd set to 480
• force – turns the subtitle without being selected

spumux -s 0 -P MyMovie.xml < MyMovie.mpg > MyMovie.sub.eng.mpg

Step 3) Convert mpg to Video_TS format, this is called DVD authoring

Now that we have our file encoded to the mpeg2 (AKA DVD) format and perhaps even the subtitles, it’s time to get the mpeg file turned into the more recognizable video_ts structure.   You can get the full lowdown on all the dvdauthor arguments from http://dvdauthor.sourceforge.net/doc/r1741.html

dvdauthor –title -f MyMovie.sub.eng.mpg -o MyMovie

the -o MyMovie means create a output directory with the VIDEO_TS subdirectory & files inside

Step 4) Create the DVD menu system

Now that the mpeg file is in the video_ts directory structure (and is broken into vob files). You need to make the dvd menu.  Personally I don’t care for advanced menus.  I just want my movies to start, so I use the following command to just make an empty menu that just auto starts the movie.

dvdauthor -T -o MyMovie

Step 5) Create ISO image from finished VIDEO_TS directory

Now that we have our functioning dvd video, lets convert it to an ISO that we can burn.  I do this with the mkisofs command from the cdrtools package.  It’s pretty simple, just use the following.  You can get cdrtools from  http://cdrecord.berlios.de/

mkisofs -dvd-video -o MyMovie.iso MyMovie/

Share on Facebook

This document describes the steps for install and setting up Snort the opensource intrustion detection system. It also describes the process for updating the signature definitions.

Snort is an opensource IDS (Intrusion Detection System) written and maintained by a company called sourcefire. It is one of the best IDS available and is free (Kinda).

Downloading Snort

Since we us Redhat Enterprise Linux 5 here go to the snort download page and select snort-2.8.5.2-1.RH5.i386.rpm. Since we will also be using the BASE web interface to view the alerts also download the snort-mysql-2.8.5.2-1.RH5.i386.rpm add-on that allows snort to log its alerts to a MySQL database.

Installing Snort

Installing Snort via the rpms is very easy. Just use the rpm command like the following.

[root@mytest src]# rpm -Uvh snort-2.8.5.2-1.RH5.i386.rpm snort-mysql-2.8.5.2-1.RH5.i386.rpm
Preparing...                ########################################### [100%]
  1:snort                    ########################################### [ 50%]
  2:snort-mysql          ########################################### [100%]

That’s it, Snort is installed and the rpm install script already configures Snort to start at boot.

[root@mytest src]# chkconfig --list |grep snort
snortd          0:off   1:off   2:on    3:on    4:on    5:on    6:off

Configuring Snort

Here is where the real magic happens. He now need to configure Snort for use. Typicaly your server will have two NICs. One will be for remote administration and one will be dedicated to Snort. In our case I will use eth0 for remote administration and logging into the computer and I’ll use eth1 for Snort. We want to dedicate the whole interface to snort because we will be placing it in promiscus mode which will cause the network interface to take sniff all the traffic coming across its segment.

Configure Dedicated Network Interface

You don’t actually need to use a real IP for the Snort interface so when you configure the if-cfg file just leave out the actual IP info In redhat the network config files are located under /ettc/sysconfig/network-scripts/ so I’ll place the following in /etc/sysconfig/network-scripts/ifcfg-eth1

DEVICE=eth0
BOOTPROTO=none
ONBOOT=yes
TYPE=Ethernet

Then recycle the network service with the service network restart command.

[root@mytest network-scripts]# service network restart
Shutting down interface eth0:                              [  OK  ]
Shutting down interface eth1:                              [  OK  ]
Shutting down loopback interface:                        [  OK  ]
Bringing up loopback interface:                            [  OK  ]
Bringing up interface eth0:                                  [  OK  ]
Bringing up interface eth1:                                 [  OK  ]

This will then turn on your network interface. You can verify that the interface is up and on with the ifconfig command.

[root@mytest network-scripts]# ifconfig eth1
eth1      Link encap:Ethernet  HWaddr 00:C0:F2:01:16:73
         UP BROADCAST MULTICAST  MTU:1500  Metric:1
         RX packets:0 errors:0 dropped:0 overruns:0 frame:0
         TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:1000
         RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
         Interrupt:193 Base address:0xdde0

Snort Sysconfig file

So now that we have our network up it’s time to configure Snort to use the new network interface we just created. You can tell snorrt to either usee a certain NIC or ALL. In our case we only want it to use eth1 so edit /etc/sysconfig/snort find the line that has INTERFACE=eth0 and change it to INTERFACE=eth1

# What interface should snort listen on?  [Pick only 1 of the next 3!]
# This is -i {interface} on the command line
# This is the snort.conf config interface: {interface} directive
INTERFACE=eth1

Next since we will be logging to MySQL we need to shut off the standard flat file out by commenting out the ALERTMODE option. This step is actually really important. Without it no matter what you tell the snort config file, it will not send any logs to the MySQL database.

# How should Snort alert? Valid alert modes include fast, full, none, and
# unsock.  Fast writes alerts to the default "alert" file in a single-line,
# syslog style alert message.  Full writes the alert to the "alert" file
# with the full decoded header as well as the alert message.  None turns off
# alerting. Unsock is an experimental mode that sends the alert information
# out over a UNIX socket to another process that attaches to that socket.
# -A {alert-mode}
# output alert_{type}: {options}
#ALERTMODE=fast

Create and Configure the Database

We now need to create and configure our mysql database and tables where Snort’s events will be logged. The snort rpm you installed earlier placed a MySQL database scheme at /usr/share/snort-2.8.5.2/schemas/create_mysql Sso first we will need to manually create the MySQL database.

[root@mytest ~]# mysql
mysql> create database snort;
Query OK, 1 row affected (0.09 sec)
mysql> exit
Bye

Next we will import the database scheme to the snorrt database we just created with the following command.

[root@mytest ~]# mysql snort < /usr/share/snort-2.8.5.2/schemas/create_mysql

Last we need to create a snort user in mysql with full access to the database and tables we just created. In the following example replace secret password with an actual password.

[root@mytest ~]# mysql snort
mysql> grant all on snort.* to 'snort'@'%' identified by 'secret password';
Query OK, 0 rows affected (0.04 sec)
mysql> exit
Bye

Snort Configuration File

The actual Snort config file is located in /etc/snort and is called snort.conf’ Really the only things we should edit in this file are the VAR options that are specific to our network and the log line that defines our snort connection.

#This should reflect all the subnets we have on our network.
var HOME_NET [10.0.0.0/24,10.0.10.0/24,10.0.23.0/24]
var EXTERNAL_NET any
# Configure your server lists.  This allows snort to only look for attacks to
# systems that have a service up.  Why look for HTTP attacks if you are not
# running a web server?  This allows quick filtering based on IP addresses
# These configurations MUST follow the same configuration scheme as defined
# above for $HOME_NET.
var DNS_SERVERS [10.0.0.42,10.0.23.42]
var SMTP_SERVERS $HOME_NET
#Any computer that was a webserver running should be in this list
var HTTP_SERVERS [10.0.0.23,10.0.23.42]
#Any Machine that is running any type of SQL server should be listed here
var SQL_SERVERS [10.0.0.60,10.0.0.61]
var TELNET_SERVERS $HOME_NET
var FTP_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
#Now we should define our database config
output database: log, mysql, user=snort password=secretpassword dbname=snort host=localhost

That’s it after that you can start snort with a simple service snortd start

Configuring Switches for Snort

In the old days of hubs every packet was always sent out every port. This was inefficient and a huge security risk. So Switches came along to make sure only the port that needed the data got the packet. It did this my keeping an internal list of which mac was on which port. Then it only sends out packets destine for the mac associated with each port. This is much more efficient and secure but for snort this actually causes a problem. In order to see every packet to inspect it, it needs the switch to treat it’s port like a hub. Luckily in managed Cisco switches you have the ability to mirror ports or vlans to another port or vlan.

On our vlan we will assume that we have two vlans. In reality we probably have many more but for our example it doesn’t matter we will also assume that our dedicated network interface is plugged in to port GigabitEtherrnet0/5.

Switch> conf t
Switch> monitor session 1 source vlan 1 - 2 rx
Switch> monitor session 1 destination interface gigabitEthernet0/5

This will tell your switch to take all traffic on vlan 1 & 2 and mirror them to gigabitEthernet port 0/5

after that write and save your config. Now snort should be getting all the traffic from your vlans. As stated above if you have multiple Vlans then add more monitor session 1 source statements. You can combine all sorts of interfaces and vlans.

Updating Scanning Signatures

Unfortunately updating snort rules requires an account on the snort.org website. Their are free and paid subscriptions based accounts. The free account gets new signatures 30 days after the paid account. For our purposes we will be using the free version for now. So create your free account via the Signup Page and after you do the whole email confirm thing login to the website at the Login Page When you login Click on the Get Rules button this will take you to a download page and show you two sections one for VRT Subscription users and one for Registered users (Free 30days late). Select the snortrules-snapshot-CURRENT.tar.gz from the registered users section, this file is usually about 25-30MB so be patient. Once you download this tar archive to your snort machine create a tmp dir and unarchive all the files with the tar command again.

[root@mytest src]# mkdir snort-rules-temp
[root@mytest src]# cd snort-rules-temp
[root@mytest snort-rules-temp]# tar -zxf ../snortrules-snapshot-CURRENT.tar.gz

Once you uncompressed the rules you need to copy only the normal rules. Copy the normal rules to the /etc/snort/rules directory.

[root@mytest snort-rules-temp]# cp rules/* /etc/snort/rules/

Test the so rules with

[root@mytest src]# snort -c /etc/snort/snort.conf -T

If everything looks good recycle snort with service snortd restart For best results you should update your snort rules every week.

References

• https://forums.snort.org/forums
• http://snort.org/

Share on Facebook

When ever I come across a command or service in Unix that crashes or fails to run properly I quickly go to the trace tools to trace the system commands.  I often find that If I just follow the system trace i can usually see what was supposed to happen and didn’t.  Unfortunatley not every unix flavor uses the same tracing commands.

In linux it is very simple prefix any command with strace and it will give you lots of system trace info.

In Solaris use the truss command.

In Irix use the par command.

Share on Facebook

The name service cache daemon has some serious flaws. One that I notice pretty often in Linux arises when you are using LDAP. It seems that nscd will crash and burn when/if ldap is unavailable. Unfortunately when nscd bombs, it usually takes the entire system with it. Actually what will happen is nscd sockets will start getting broken pipe’s and becoming stale until you have several nscd. Eventually your system will slow to a halt. Mind you the box hasn’t crashed, but the box is in a dos state. If you do an ‘$# netstat -an‘ you’ll notice several entries in reference to ‘/var/run/nscd/socket’. This bug has been listed by several distros, I’ve yet to see any of them address it properly.

From what I’ve discovered about nscd this issue is a design flaw in nscd. Several people have just recommended disabling nscd. While this is a solution, it isn’t an acceptable solution in an enterprise environment. Especially if you are using oracle. Several oracle tools and apps will freeze or crash if they can’t talk to the nscd socket. Lame I know, but I’ve observed this in at least Oracle 10i.

Solutions

Now there are tow ways to get around this. One is to make your LDAP service load balanced and highly available. You can do replication in OpenLDAP with slurpd and then use something like balance to make the service highly available. Another option though is to fix nscd so it doesn’t bomb your machine when it dies.

In this article we are going to go over the fix nscd solution.  nscd comes with a config file located in ‘/etc/nscd.conf’ This file tells the nscd daemon how long to cache which name service.  See the man page to understand what each option means. The quick way to fix nscd is to tell the service here not to cache passwd and group info.  This will make nscd not go to LDAP and freak out if LDAP is not available.  Randomly I also came across a drop in replacement for nscd that dosen’t suffer from this issue. unscd-033.c The compile instructions are in the file. I can’t guarantee this safe, but I’ve used it for a while in an enterprise environment and seem haven’t had any nscd issues since

Refferences:

• http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=248271

Share on Facebook

LDAP has been around for over a decade, and yet it is still considered a newer technology.  Many modern vendors have added LDAP authentication.  This document is a brief generic howto for configuring linux to use LDAP.  This will be a fairly detailed recipe as most of my docs are.

Linux Name Services
Name Server Switch is the engine that really enables Linux to harness LDAP. In linux you have two different ldap.conf files that the modules and services use to configure their ldap communications ‘/etc/ldap.conf’ and ‘/etc/openldap/ldap.com’. The first gives the dn’s for passwd, group and sudoers. You can also specify the server and communication protocol. One really cool bonus is that you get to enable the host_acl based of users with this config file

host    ldap.analogrithems.com
base    dc=analogrithems,dc=com,dc=us
ldap_version    3
#Validate cert
tls_checkpeer no
ssl     start_tls
#ssl on
nss_map_attribute       uniqueMember member
pam_password_prohibit_message Please visit http://enterprise.company.com/password_policy.html.
pam_groupdn cn=ldap.analogrithems.com,ou=Computers,dc=analogrithems,dc=com,dc=us
pam_member_attribute uniquemember
pam_filter accountStatus=active
nss_base_passwd         ou=People,dc=analogrithems,dc=com,dc=us?one
nss_base_shadow         ou=People,dc=analogrithems,dc=com,dc=us?one
nss_base_group          ou=Groups,dc=analogrithems,dc=com,dc=us?one
sudoers_base    ou=SUDOers,dc=analogrithems,dc=com,dc=us
#This options is VERY helpful for debugging sudo ldap extension
#sudoers_debug 2

PAM
PAM is an authentication and accounting module that allows Linux services to use different methods for authenticating users (MySQL, LDAP, NIS, etc..). Their are two different pam config versions. You should look up the version your gnu/linux vedor uses for exact details on ldap setup, for SuSE you modify “/etc/security/pam_unix2.conf” to include the following. This system makes it so you don’t have to modify every pam service to use ldap, you just let them all use the standard unix2 module which then handles the ldap lookup.

auth:   use_ldap
account:        use_ldap
password:       use_ldap
session:        none

NSS
Edit your ‘/etc/nsswitch.conf’ place the word ldap before files for the passwd and group name service. You can also add it to sudoers if you want to store your sudo configs in ldap also

passwd: compat
shadow: compat
group: compat
sudoers: files ldap

passwd_compat: files ldap
shadow_compat: files ldap
group_compat: files ldap

Share on Facebook