Securix-NSM

I mentioned in my last post that I'm using NSMnow to install Barnyard2, SANcp, Snort, and Sguil in my Security Onion LiveCD. The NSMnow guys have released their own LiveCD called Securix-NSM. Go check it out!

Barnyard2, SanCP, Snort, and Sguil using NSMnow

In my last post, I mentioned that I was working on integrating BASE into the Security Onion LiveCD. I chose BASE because I wanted a quick and easy GUI for Snort until I could get Sguil up and running. Little did I know that there was a quick and easy way to get Sguil up and running (even easier than installing BASE).

The stars aligned and I stumbled upon NSMnow. This is an amazing little project that will analyze your system; download and install Barnyard2, SanCP, Snort, and Sguil; and automatically configure the whole thing! I ran NSMnow in a terminal chrooted into the Security Onion LiveCD build environment (courtesy of Reconstructor) and a few minutes later it was done. I generated a new ISO, booted it, ran the init script, and fired up the Sguil client. That was too easy!

Apache EnableSendfile directive

I'm currently working on integrating Barnyard and BASE into the Security Onion LiveCD. After generating a new ISO and booting it up, I opened Firefox and went to http://localhost/base/. I was greeted with the BASE setup screen, but it was plain white with no CSS formatting:


The /base/styles/base_style.css file was in place and had the proper permissions, but doing "curl http://localhost/base/styles/base_style.css" would result in "transfer closed with bytes remaining". I created a small "Hello World!" test page in the styles directory and Apache served it just fine. I then copied base_style.css and began taking things out until Apache served the file. Ultimately, I determined that Apache couldn't serve non-PHP files over 255 bytes. I did some research and stumbled upon the EnableSendfile directive. I added "EnableSendfile off" to my Apache configuration file, restarted Apache, and verified that Apache could serve files over 255 bytes. BASE then showed up with the proper formatting:

Upgrading from Fedora 8 to Fedora 9 using Preupgrade

In the past, I've upgraded to the latest Fedora version by using the unsupported "yum upgrade". This is potentially dangerous, but it always worked for me. When I read in Red Hat Magazine that Fedora had a new tool to do in-place upgrades, I was excited to try it out.

I tried out Preupgrade on a few Fedora 8 virtual machines and everything went smoothly. Preupgrade had earned my confidence, so I proceeded to "yum -y update && yum -y install preupgrade && preupgrade" on my main Fedora 8 desktop. It downloaded all the RPMs and rebooted into the installer. It upgraded the system and said it was ready for the final reboot. So I rebooted the machine and was greeted by a blinking GRUB prompt. Somehow, GRUB had lost its configuration and could no longer boot my Fedora installation. Doh!

I've never really played around in the GRUB shell, so I never realized how powerful and versatile it is. All I had to do was the following (the {tab} indicates to use the Tab key for filename completion):

kernel (hd0,2)/vmlinuz{tab} root=/dev/sda5
initrd (hd0,2)/initrd{tab}
boot

The system came up and I then did the following to re-write GRUB into the MBR:

grub-install /dev/sda

And we have a working Fedora 9 installation!

Building Ubuntu LiveCDs with Reconstructor

As I mentioned previously, I'm currently working on the Security Onion LiveCD. I started building custom LiveCDs years ago by going through the painstakingly manual process of remastering Knoppix. Last year, I began using the Fedora Revisor tool which didn't require as much manual work, but it is limited in that it seems to require that software is installed using RPMs and configuration is done via kickstart file as the ISO is being generated. Earlier this year, I produced a custom BackTrack CD for the Greater Augusta ISSA using Gene Bransfield Jr.'s guide and the Linux Live scripts. For the Security Onion LiveCD, I decided to try a new approach. This is my first time using Reconstructor and it provides a good balance of automation while still allowing you to easily customize at any time.

The process hasn't been totally painless, however (I should mention that I'm using Reconstructor 2.8.1.):

• I ran into a squashfs bug, which required updating squashfs-tools to a newer version than is currently available in Ubuntu's repositories.
  
• In the main Customization interface, there is an Apply button above the Next button. When I first starting using Reconstructor, I assumed that when you click Next, your settings are automatically applied, but that is not the case. You must click Apply or else your settings will be lost.
  
• If you select a custom Gnome background color, Reconstructor seems to increment it each time it is launched. For example, I configured my background color to be #486ac1. The next time I opened Reconstructor, it showed the value as #486ac2. The next time I opened Reconstructor, it was #486ac3, and so on.
  
• As with any LiveCD, there is always the issue of space--one has to balance having every remotely-useful tool available with the size limitation of a 700MB CD. Reconstructor helps somewhat in that it estimates the ISO size before generation, but this estimation isn't always accurate. You still may have to fully generate the ISO before you know for sure that it is under 700MB.

Overall, Reconstructor is a very good tool. If you can work through the minor issues detailed above, it is the easiest way to build a fully customized LiveCD. I look forward to the upcoming Reconstructor 3.

Security Onion LiveCD

As part of my GCIA Gold research paper, I'm building a security LiveCD based on Ubuntu 8.04. The Security Onion LiveCD includes both Snort 2.8 and the new SnortSP. This gives Snort users a way of trying out SnortSP without having to worry about satisfying all the dependencies and compiling and installing it. The LiveCD also contains the following network/security utilities.

bastille
cheops-ng
corkscrew
daemonlogger
doscan
dsniff
etherape
fragroute
fragrouter
honeyd
hping2
hping3
hunt
idswakeup
iperf
ipgrab
iptraf
knocker
labrea
lanmap
ndiff
nemesis
netcat
netcat6
netcat-openbsd
netcat-traditional
netdiscover
netdude
netrw
netsed
ngrep
nmap
nsm-console
nwatch
p0f
pads
paketto
pbnj
pcaputils
pnscan
potion
psad
python-scapy
scanssh
scapy
sendip
socat
ssldump
tcpflow
tcpick
tcpreplay
tcpslice
tcpspy
tcpstat
tcptrace
tcpxtract
tshark
wireshark
xprobe
yersinia
zenmap

What other utilities would you like to see in the Security Onion LiveCD?

Mentoring SANS 503

Starting in February, I'll be mentoring SANS 503: Intrusion Detection In-Depth. This class is extremely valuable for those who work with Intrusion Detection Systems such as Snort. Even if you have never used an IDS before, you will learn TCP/IP from an attacker's perspective, how to analyze packets using tcpdump, and how to configure Snort and write your own Snort rules.

Classes will be on Tuesday nights at Augusta State University from 7:00 PM - 9:00 PM starting on February 17, 2009. Greater Augusta ISSA members will receive a 40% discount off the normal price. If you wish to become a member of the Greater Augusta ISSA or are already a member and would like the SANS discount code, please let me or one of the other chapter leaders know.

For more information about SANS 503, please see:
http://www.sans.org/mentor/details.php?nid=15354

My name is Doug Burks and I'm a GCIA

Back in April, I traveled to Orlando and took SANS 503 from the amazing Mike Poor. I then spent the next few months reviewing the course material, listening to Mike Poor MP3s, and taking practice exams. On September 5th, I took the real exam and passed with a 95! (I almost broke my arm patting myself on the back.) This certifies me at the GCIA Silver level. I'm now working on my research paper for GCIA Gold.

Security Onion

Onions have layers...good security has layers.

Onions smell bad...quite often, security stinks.

Onions make you cry...poor security can make you cry, scream, and cuss.

Welcome to the Security Onion.