https://u-random.dev/tags/difesa/Recent content in Difesa on u-randomHugo -- gohugo.ioit-itFri, 29 May 2026 00:00:00 +0000https://u-random.dev/blog/suricata-ips-nfqueue/Fri, 29 May 2026 00:00:00 +0000https://u-random.dev/blog/suricata-ips-nfqueue/<p> </p> <div style="border-left:3px solid #6366f1;background:rgba(99,102,241,0.06);padding:12px 16px;border-radius:0 6px 6px 0;margin:1.5rem 0;"> <div style="font-size:0.7rem;font-weight:800;letter-spacing:0.1em;color:#6366f1;text-transform:uppercase;margin-bottom:6px;">TL;DR</div> <div style="font-size:0.95rem;line-height:1.6;"><ul> <li><strong>IDS (af-packet):</strong> copia del traffico → Suricata vede tutto, non può bloccare niente → <code>[**]</code> in fast.log</li> <li><strong>IPS (nfqueue):</strong> traffico originale trattenuto → il kernel aspetta il verdetto → <code>[Drop]</code> in fast.log</li> <li><code>iptables -I INPUT -j NFQUEUE --queue-num 0</code> è la singola regola che trasforma il sistema</li> <li><code>fail-open: no</code> = fail-closed: se Suricata muore, tutto il traffico viene droppato</li> <li>Il Docker bridge (<code>br-XXXX</code>) bypassa NFQUEUE - la SYN-ACK di ritorno viene bloccata e Wazuh si disconnette</li> <li>La persistenza al reboot richiede un systemd service dedicato (non <code>iptables-persistent</code>, che rimuove UFW)</li> </ul> </div> </div> <details style="border-left:3px solid #10b981;background:rgba(16,185,129,0.06);border-radius:0 6px 6px 0;margin:1.5rem 0;"> <summary style="padding:10px 16px;font-size:0.7rem;font-weight:800;letter-spacing:0.1em;color:#10b981;text-transform:uppercase;cursor:pointer;list-style:none;display:flex;align-items:center;gap:8px;"> <span style="font-size:0.65rem;transition:transform 0.2s;">▶</span> $ history </summary> <div style="padding:4px 16px 12px;font-size:0.92rem;line-height:1.7;font-family:'JetBrains Mono','Fira Code',monospace;"><ul> <li>suricata -T -c /etc/suricata/suricata.yaml -v</li> <li>suricata-update</li> <li><a href="https://u-random.dev/concetti/iptables/" >iptables</a> -I INPUT 1 -j NFQUEUE --queue-num 0</li> <li><a href="https://u-random.dev/concetti/iptables/" >iptables</a> -L INPUT -n -v --line-numbers</li> <li><a href="https://u-random.dev/comandi/nmap/" >nmap</a> --min-rate 1000 -p 1-1000 192.168.64.3</li> <li>hping3 -S --flood 192.168.64.3</li> <li>cat /proc/net/tcp</li> </ul> </div> </details> <hr> <p>Voglio vedere cosa succede quando Suricata non si limita a guardare il traffico, ma lo blocca davvero.</p>https://u-random.dev/blog/il-fantasma-nella-rete/Tue, 19 May 2026 00:00:00 +0000https://u-random.dev/blog/il-fantasma-nella-rete/<p> </p> <div style="border-left:3px solid #6366f1;background:rgba(99,102,241,0.06);padding:12px 16px;border-radius:0 6px 6px 0;margin:1.5rem 0;"> <div style="font-size:0.7rem;font-weight:800;letter-spacing:0.1em;color:#6366f1;text-transform:uppercase;margin-bottom:6px;">TL;DR</div> <div style="font-size:0.95rem;line-height:1.6;"><ul> <li>Un honeypot è un sistema esca - qualsiasi connessione ricevuta è per definizione sospetta</li> <li>La ricognizione interna (lateral movement iniziale) lascia tracce nei log prima che l'attaccante agisca</li> <li>Analizzare chi ha contattato il honeypot rivela quali host sono compromessi o controllati da un attaccante</li> <li>IDS/IPS signature-based non rileva zero-day - il comportamento anomalo verso risorse inesistenti lo fa</li> </ul> </div> </div> <details style="border-left:3px solid #10b981;background:rgba(16,185,129,0.06);border-radius:0 6px 6px 0;margin:1.5rem 0;"> <summary style="padding:10px 16px;font-size:0.7rem;font-weight:800;letter-spacing:0.1em;color:#10b981;text-transform:uppercase;cursor:pointer;list-style:none;display:flex;align-items:center;gap:8px;"> <span style="font-size:0.65rem;transition:transform 0.2s;">▶</span> $ history </summary> <div style="padding:4px 16px 12px;font-size:0.92rem;line-height:1.7;font-family:'JetBrains Mono','Fira Code',monospace;"><ul> <li><a href="https://u-random.dev/comandi/tshark/" >tshark</a> -r capture.pcap -Y &quot;ip.dst == 192.168.10.99&quot; -T fields -e ip.src -e tcp.dstport</li> <li><a href="https://u-random.dev/comandi/dig/" >dig</a> -x 192.168.10.99</li> </ul> </div> </details> <p>Sono le 14:33. Il SIEM ha flaggato una connessione TCP verso <code>192.168.10.99</code>. Il problema: a quell'IP non c'è nessun server. Non c'è nessun servizio. Non c'è nessun device registrato nell'inventario.</p>https://u-random.dev/blog/il-postino-lavora-di-notte/Tue, 19 May 2026 00:00:00 +0000https://u-random.dev/blog/il-postino-lavora-di-notte/<p> </p> <div style="border-left:3px solid #6366f1;background:rgba(99,102,241,0.06);padding:12px 16px;border-radius:0 6px 6px 0;margin:1.5rem 0;"> <div style="font-size:0.7rem;font-weight:800;letter-spacing:0.1em;color:#6366f1;text-transform:uppercase;margin-bottom:6px;">TL;DR</div> <div style="font-size:0.95rem;line-height:1.6;"><ul> <li>SMTP consegna le email, IMAP/POP3 le recuperano - protocolli separati con porte e ruoli distinti</li> <li>Una workstation che apre connessioni dirette sulla porta 25 è anomala: quel traffico spetta al mail server aziendale</li> <li>base64 negli allegati non è cifratura: su SMTP senza TLS, qualsiasi allegato è estraibile dal pcap in chiaro</li> <li>SPF, DKIM e DMARC sono i tre record DNS che distinguono un dominio difeso da uno esposto allo spoofing</li> </ul> </div> </div> <details style="border-left:3px solid #10b981;background:rgba(16,185,129,0.06);border-radius:0 6px 6px 0;margin:1.5rem 0;"> <summary style="padding:10px 16px;font-size:0.7rem;font-weight:800;letter-spacing:0.1em;color:#10b981;text-transform:uppercase;cursor:pointer;list-style:none;display:flex;align-items:center;gap:8px;"> <span style="font-size:0.65rem;transition:transform 0.2s;">▶</span> $ history </summary> <div style="padding:4px 16px 12px;font-size:0.92rem;line-height:1.7;font-family:'JetBrains Mono','Fira Code',monospace;"><ul> <li><a href="https://u-random.dev/comandi/tshark/" >tshark</a> -r capture.pcap -Y &quot;smtp&quot; -T fields -e ip.src -e ip.dst -e smtp.req.command -e smtp.req.parameter</li> <li><a href="https://u-random.dev/comandi/dig/" >dig</a> MX dominio.com</li> <li><a href="https://u-random.dev/comandi/dig/" >dig</a> TXT _dmarc.dominio.com</li> </ul> </div> </details> <p><figure><img class="my-0 rounded-md" loading="lazy" decoding="async" fetchpriority="auto" alt="Il Postino Lavora di Notte" width="2752" height="1536" src="https://u-random.dev/assets/email-routing-smtp_hu_8e9b834350c07076.webp" srcset="https://u-random.dev/assets/email-routing-smtp_hu_8e9b834350c07076.webp 800w, https://u-random.dev/assets/email-routing-smtp_hu_dd83c9b5ac0ab8a9.webp 1280w" sizes="(min-width: 768px) 50vw, 65vw" data-zoom-src="https://u-random.dev/assets/email-routing-smtp.webp"></figure> </p>