Monday, January 26, 2009

Integrating Snort 3.0 (SnortSP) and Sguil in 3 Steps

So once you have Snort 3.0 installed, what can you do with it? One thing you can do with it (and the one that most people are interested in) is to configure it for IDS mode. The Snort 3.0 architecture includes the Snort 2.8.2 Detection Engine, so we'll have the Snort Security Platform (SnortSP) capturing packets and handing them off to Snort 2.8.2 for analysis and alerting.

The best open source tool to manage Snort alerts is Sguil and the easiest way to install Sguil is using NSMnow. NSMnow automatically installs and configures barnyard2 (compatible with SnortSP's unfied2 format), sancp, Sguil, and Snort 2.x. We're going to replace NSMnow's snort alert process with Snort 3.0.

This quick recipe assumes that you're running on Ubuntu 8.04 and your primary network interface is eth0. You should be able to copy/paste each of the three code blocks into your terminal.

Obligatory disclaimer: I offer no warranty of any kind. If this breaks your box, you get to keep both pieces.

Step 1: Get root privileges
##########################
sudo -i
##########################
Step 2: Install NSMnow
##########################
mkdir /usr/local/src/NSMnow
cd /usr/local/src/NSMnow
wget http://www.securixlive.com/download/nsmnow/NSMnow-1.3.4.tar.gz
tar zxvf NSMnow-1.3.4.tar.gz
./NSMnow -i -y
##########################
Step 3: Configure NSMnow and SnortSP and start
##########################
if ! grep "/nsm/server_data/server1/load" /etc/apparmor.d/usr.sbin.mysqld > /dev/null
then
sed -i 's|}| /nsm/server_data/server1/load/* r,|g' /etc/apparmor.d/usr.sbin.mysqld
echo "}" >> /etc/apparmor.d/usr.sbin.mysqld
fi
/etc/init.d/apparmor restart
/usr/local/sbin/nsm --server --start
/usr/local/sbin/nsm_sensor_ps-start --skip-snort-alert
mkdir /etc/snortsp_alert
cd /etc/snortsp_alert
cp -R /etc/nsm/sensor1/* .
mv snort.conf snort_orig.conf
sspiffy.sh /usr/local -c snort_orig.conf -i eth0
grep -v "sameip" rules/bad-traffic.rules > rules/bad-traffic.rules.2
rm -f rules/bad-traffic.rules
mv rules/bad-traffic.rules.2 rules/bad-traffic.rules
snortsp -C -L snort.lua
##########################
Snort 3.0 is now capturing packets on eth0 and analyzing them. Let's verify that now.

Launch the Sguil client by opening a new terminal and typing the following:
##########################
sguil.tk
##########################
When prompted, login to Sguil using the default credentials:
Username: sguil
Password: password

Next, create some alerts by opening a browser and going to:
http://www.testmyids.com

Finally, go into the Sguil console and you should see two new alerts:


This demonstrates that SnortSP is capturing packets, analyzing them with the Snort 2.8.2 Detection Engine, and outputting in unified2 format, which is then read by Barnyard2 and inserted into the Sguil database.

When finished, return to your SnortSP window and press ctrl-c to terminate the SnortSP process. Then type "nsm --all --stop" to terminate all NSMnow processes.

Saturday, January 24, 2009

Installing Snort 3.0 (SnortSP) on Ubuntu in 3 Steps

Here's a really quick recipe for installing the Snort 3.0 Architecture on Ubuntu 8.04. Note that the Snort 3.0 Architecture consists of the SnortSP framework and the Snort 2.8.2 Detection Engine. You should be able to open a terminal and then copy/paste each of the three blocks of commands.

Step 1: Get root privileges
##########################
sudo -i
##########################
Step 2: Install dependencies
##########################
aptitude update
aptitude -y install build-essential \
libdumbnet1 libdumbnet-dev \
uuid uuid-dev \
libncurses5 libncurses5-dev \
libreadline5 libreadline5-dev \
libpcap0.8 libpcap0.8-dev \
libpcre3 libpcre3-dev \
liblua5.1-0 liblua5.1-0-dev \
flex bison
##########################
Step 3: Download, compile, and install the Snort 3.0 Architecture
##########################
cd /usr/local/src/
wget http://www.snort.org/dl/prerelease\
/3.0.0-b2/snortsp-3.0.0b2.tar.gz
tar zxvf snortsp-3.0.0b2.tar.gz
cd snortsp-3.0.0b2/
./configure
make
make install
mkdir /etc/SnortSP/
cp etc/* /etc/SnortSP/
cd src/analysis/snort/
./configure \
--with-platform-includes=/usr/local/include/snortsp \
--with-platform-libraries=/usr/local/lib
make
make install
ldconfig
##########################


Future posts will cover where to go from here.

Tuesday, January 20, 2009

NSMnow 1.3

I previously discussed the NSMnow project. These guys have made tremendous progress in the last few weeks and have fixed the bugs that I notified them of. They are now at version 1.3. Go check it out!

Sunday, January 18, 2009

SANS 503 Mentor class is full

Registration is now closed for the previously mentioned SANS 503 Mentor class here in Augusta. This was the first SANS Mentor class to sell out in a few years! Thanks to all who registered.

Creating md5 and sha1 hashes using dcfldd

Have you ever been in a situation where you needed to calculate multiple hashes (md5 and sha1, for example) of a large drive image, but you didn't want to wait the long time it would take to do the following?
md5 image.dd
sha1 image.dd
dcfldd can calculate multiple hashes at the same time. All you have to do is set dcfldd's output to /dev/null like this:
dcfldd if=image.dd of=/dev/null hash=md5,sha1
512 blocks (16Mb) written.Total (md5): 95581c2eb1d0e18d4c9d0a08f06e1b28
Total (sha1): f80c5845df633e5ed586cf5006a746cc648abd9a

572+1 records in
572+1 records out

Friday, January 9, 2009

2009 SANS Log Management Survey

SANS is researching how organizations handle log management. Please take 5 minutes out of your day and complete the following survey (I did):
SANS Log Management Survey

Thursday, January 8, 2009

Reminder about SANS 503 training here in Augusta

We have less than 2 weeks to go before the January 20 deadline for the best deal on SANS 503 Intrusion Detection training here in Augusta! If you're not an ISSA member already, you can join today (only $120.00) and take advantage of the 40% discount for ISSA members. ISSA Members who wish to register for the class should contact me or one of the other chapter leaders for the Discount Registration code.

For further information, please see:
http://www.sans.org/mentor/details.php?nid=15354

Monday, January 5, 2009

Upgrading from Fedora 9 to Fedora 10 using Preupgrade

A few months ago, I upgraded from Fedora 8 to Fedora 9 using Preupgrade. Last night, I decided it was time to upgrade to Fedora 10 (F10), so I went the Preupgrade route again.

I did a yum update and then launched preupgrade. It downloaded all the necessary F10 RPMs and said it was ready for reboot. I rebooted into the installer and was greeted with an error message saying it couldn't find the RPM repository. I surmised that the installer hadn't mounted my /var partition (Preupgrade creates a local RPM repository at /var/cache/yum/preupgrade/). I did some searching and found Bugzilla bug 473782, which describes this exact problem. The fix was to reboot back into Fedora 9 and install Preupgrade 1.0.1-1 from the testing repository with the following command:
yum --enablerepo=updates-testing-newkey update preupgrade


I then launched Preupgrade again, rebooted into the installer, and successfully upgraded from Fedora 9 to Fedora 10. I rebooted into Fedora 10 and did a full yum update. I then noticed that I couldn't SSH into this Fedora 10 machine using SSH keys anymore. I did some more searching and found Bugzilla bug 473014. It seems that the upgrade process changes the SELinux security context on the user .ssh directories. The fix is to run the following command as root:
restorecon -r /home/*/.ssh

Haven't seen any other problems so far.