Monday, August 3, 2009

Security Onion LiveCD 20090731

A new version of the Security Onion LiveCD has been released! Here's the changelog:

2009/07/31: New Release!
* All Xubuntu 9.04 updates as of 2009/07/31.
* Added sqlite and libsqlite3-ruby packages for db_autopwn.
* Added fwbuilder.
* Latest Metasploit msf v3.3-dev as of 2009/07/31.
* Latest Nmap 5.05BETA1 as of 2009/07/31.

The Security Onion LiveCD can be downloaded from the following location:
http://distro.ibiblio.org/pub/linux/distributions/security-onion/

Please let me know if you have any questions or suggestions.

18 comments:

Deion "Mule" Christopher said...

After running SnortSP-Sguil I found that my users' Citrix clients were dropping. Is there any way to configure the app to NOT mess with the Citrix clients?

Deion "Mule" Christopher
K0MUL

Doug Burks said...

Hi Deion,

First, SnortSP is still in Beta and therefore shouldn't be used in production. Second, it shouldn't be dropping any packets by default (only alerting). How do you have it configured?

Thanks,
Doug Burks

Deion "Mule" Christopher said...

Thanks for the quick reply.

Other than simply starting the application, I haven't made any configuration changes. I installed the OS to disk in VMWare and am using bridged networking. I also updated the packages that were installed using the package manager (I'm more familiar with Mandriva's urpmi).

The Citrix clients connect with ssh handshakes and, unless it was a fluke, I noticed the clients were disconnecting while I had SnortSP-Sguil running. However, I also tested EtherApe around the same time, but I don't think that was the culprit. After stopping the two applications I tested the Citrix connections again and had no other drops.

It reminded me of a botched arp poisoning attempt that caused the Citrix clients to drop the connections.

I am new to SNORT, as you can probably guess by this post. I will attempt to recreate this problem tomorrow. Is there anything on my end that you would like for me to try to help figure this out?

Thanks again,

Deion "Mule" Christopher
K0MUL

Doug Burks said...

Hello again Deion,

Did you happen to try arpspoof or ettercap? Those utilities will do ARP poisoning.

Thanks,
Doug Burks

Deion "Mule" Christopher said...

No, I didn't start any arp poisoning applications, though I could try them out and see if that knocks off my Citrix connections.

My understanding (limited as it is) of SNORT is that it doesn't act as a man-in-the-middle. Is that correct? It just seemed odd that the clients dropped as SnortSP-Sguil was running.

Do you think any of the following info from SNORT's website (granted it's an older page)could have been the culprit, and if so, could it/they be changed? :
9629 <-> WEB-CLIENT Citrix.ICAClient ActiveX clsid access (web-client.rules)
9630 <-> WEB-CLIENT Citrix.ICAClient ActiveX clsid unicode access (web-client.rules)
9631 <-> WEB-CLIENT Citrix.ICAClient ActiveX function call access (web-client.rules)

Thanks again,

Deion "Mule" Christopher
K0MUL

Doug Burks said...

You are correct--Snort does NOT act as a man-in-the-middle. The only time it would drop packets is if you install it on your gateway or configure it for inline bridging AND specifically configure the rules to drop traffic that it would normally alert on. In addition, the Security Onion LiveCD has a very minimal rule set which doesn't include the Citrix rules that you refer to. Did you see any alerts in the Sguil console that corresponded to the source IP address of the disconnected Citrix clients?

To help you troubleshoot your problem further, I would need to know more about your network. Are the clients connecting through the Security Onion instance to get to the Citrix server? Is the Citrix server another VMWare guest on the same host as your Security Onion installation? If you can provide more detail, I'll be glad to help you trace down the problem.

Thanks,
Doug Burks

Deion "Mule" Christopher said...

After exhaustive testing and log reviews I concluded that the Citrix clients were dropping due to a bottleneck created by a 3rd party vendor and NOT FROM RUNNING SECURITY ONION LIVECD.

The fact that the Citrix clients were dropping at the same time as Security Onion LiveCD - SnortSP-Sguil was running was purely coincidental.

Thanks for the suggestions and help; you are putting out a great tool.

Deion "Mule" Christopher
K0MUL

Doug Burks said...

Deion,

Thanks for your feedback. Please let me know if you have any suggestions for the next version of the Security Onion LiveCD.

Thanks,
Doug Burks

Chris Teodorski said...

Doug,

The link to the liveCD appears to be dead. When I visit:

http://distro.ibiblio.org/pub/linux/distributions/security-onion/security-onion-livecd-20090731.iso

I get a file not found from ibiblio.

Chris

Doug Burks said...

Hi Chris,

The link seems to work for me. Can you try it again and see if you get a different result? Please let me know what you find out.

Thanks,
Doug Burks

Ross said...

I installed SecurityOnion to my hard drive. It installed fine, but I got "Incorrect username or password" when I tried to logon. Perhaps I didn't pay attention and mistyped something? So I reinstalled to disk again. Same error. It is a US keyboard layout with a simple username and password. And no, CAPS LOCK is not on. Has anyone else installed to disk and logged on?

Doug Burks said...

Hi Ross,

For some reason, the installer doesn't actually create the account that you specify during the installation process. You should be able to login using the following credentials:

Username: securityonion
Password: securityonion

Once you've logged in as securityonion, create your real account and delete the securityonion account.

Please let me know if you have any further questions or problems.

Thanks,
Doug Burks

Ray said...

Doug,

First, I ran the install located on the LiveCD desktop.

I followed your advice for logging in as the SO user. However, the SO user does not have the rights to add a new user. What should I do so I can add another user? (root password?)

Also, I cannot edit the network adapters as the SO user.

This is running on a Dell PowerEdge 1950

Doug Burks said...

The securityonion user is in /etc/sudoers, so you should be able to perform any administrative task using the securityonion username/password. If adding a user from the graphical utility, it should prompt you for the securityonion password. If adding a user from the command line, just prefix the command with "sudo". For example:
sudo adduser mynewuseraccount

Please let me know if you have any further questions or problems.

Thanks,
Doug Burks

Deion "Mule" Christopher said...

Found more time to play with the LiveCD. I noticed an issue while trying to send a report via email through the Sguil GUI. Chatting on the #snort-gui channel and sifting through the sguil how-to's didn't help. Let me rephrase that. There are instructions on setting up the mail in sguild.email, but I need to use an smtp server that requires port 587 AND that uses authentication. I thought about setting up CLAWS mail client to check the securityonion@localhost account and then to run a rule to forward that message to an outside email address using my email server with my username, password and port number. This would require, probably at the least, the CLAWS packages as well as sendmail.

Any ideas on how to get this to work? This isn't necessarily a Security Onion LiveCD issue, but I figured you would be the person whith a good idea to fix it.

Deion "Mule" Christopher
K0MUL

Doug Burks said...

Hello again Deion,

Depending on your circumstances, this could be extremely easy or a little more difficult.

If all of your Sguil email is going to the same domain and you can contact that domain's MX over port 25, then you should just be able to edit sguild.email and set SMTP_SERVER to that domain's MX and EMAIL_RCPT_TO to your email address in that domain.

If that doesn't work, then you can install and configure Sendmail to relay through an authenticated port 587 (no CLAWS needed):
http://www.linuxha.com/other/sendmail/

As an alternative, you may wish to consider Postfix, as it is easier to configure and use than Sendmail.

Changing the subject, I've created a mailing list for the Security Onion LiveCD. Please submit any future questions to the mailing list:
Security Onion Mailing List

Anonymous said...

Hello Doug,

Can you point me in the direction on how to configure pulled.pork to automatically update the snort sigs

Thanks,
Vince

Doug Burks said...

Hi Anonymous,

You can find the pulledpork documentation on the Security Onion LiveCD at:
/usr/local/bin/pulledpork/README

Also see the pulledpork project page at:
http://code.google.com/p/pulledpork/

And the author's home page at:
http://global-security.blogspot.com/

For any questions relating to the Security Onion LiveCD itself, please see the Security Onion Wiki and Mailing List:
http://code.google.com/p/security-onion/w/list
http://groups.google.com/group/security-onion

Thanks,
Doug Burks