2009/07/31: New Release!
* All Xubuntu 9.04 updates as of 2009/07/31.
* Added sqlite and libsqlite3-ruby packages for db_autopwn.
* Added fwbuilder.
* Latest Metasploit msf v3.3-dev as of 2009/07/31.
* Latest Nmap 5.05BETA1 as of 2009/07/31.
The Security Onion LiveCD can be downloaded from the following location:
http://distro.ibiblio.org/pub/
Please let me know if you have any questions or suggestions.
After running SnortSP-Sguil I found that my users' Citrix clients were dropping. Is there any way to configure the app to NOT mess with the Citrix clients?
Deion "Mule" Christopher
K0MUL
Hi Deion,
First, SnortSP is still in Beta and therefore shouldn't be used in production. Second, it shouldn't be dropping any packets by default (only alerting). How do you have it configured?
Thanks,
Doug Burks
Thanks for the quick reply.
Other than simply starting the application, I haven't made any configuration changes. I installed the OS to disk in VMWare and am using bridged networking. I also updated the packages that were installed using the package manager (I'm more familiar with Mandriva's urpmi).
The Citrix clients connect with ssh handshakes and, unless it was a fluke, I noticed the clients were disconnecting while I had SnortSP-Sguil running. However, I also tested EtherApe around the same time, but I don't think that was the culprit. After stopping the two applications I tested the Citrix connections again and had no other drops.
It reminded me of a botched arp poisoning attempt that caused the Citrix clients to drop the connections.
I am new to SNORT, as you can probably guess by this post. I will attempt to recreate this problem tomorrow. Is there anything on my end that you would like for me to try to help figure this out?
Thanks again,
Deion "Mule" Christopher
K0MUL
Hello again Deion,
Did you happen to try arpspoof or ettercap? Those utilities will do ARP poisoning.
Thanks,
Doug Burks
No, I didn't start any arp poisoning applications, though I could try them out and see if that knocks off my Citrix connections.
My understanding (limited as it is) of SNORT is that it doesn't act as a man-in-the-middle. Is that correct? It just seemed odd that the clients dropped as SnortSP-Sguil was running.
Do you think any of the following info from SNORT's website (granted it's an older page) could have been the culprit, and if so, could it/they be changed?:
9629 <-> WEB-CLIENT Citrix.ICAClient ActiveX clsid access (web-client.rules)
9630 <-> WEB-CLIENT Citrix.ICAClient ActiveX clsid unicode access (web-client.rules)
9631 <-> WEB-CLIENT Citrix.ICAClient ActiveX function call access (web-client.rules)
Thanks again,
Deion "Mule" Christopher
K0MUL
You are correct--Snort does NOT act as a man-in-the-middle. The only time it would drop packets is if you install it on your gateway or configure it for inline bridging AND specifically configure the rules to drop traffic that it would normally alert on. In addition, the Security Onion LiveCD has a very minimal rule set which doesn't include the Citrix rules that you refer to. Did you see any alerts in the Sguil console that corresponded to the source IP address of the disconnected Citrix clients?
To help you troubleshoot your problem further, I would need to know more about your network. Are the clients connecting through the Security Onion instance to get to the Citrix server? Is the Citrix server another VMWare guest on the same host as your Security Onion installation? If you can provide more detail, I'll be glad to help you trace down the problem.
Thanks,
Doug Burks
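One way to confirm the point above on your own sensor, as an added example that is not from the original post or the Security Onion project: scan a Snort rules file and list any rule whose action would block traffic in inline mode (a passive sensor with only alert/log/pass rules cannot drop a connection). The rules file, its sids and messages below are constructed for the example.

```python
import re

# Snort 2.x rule actions that block traffic, and then only when Snort is
# run inline (as a bridge/gateway); alert, log and pass never drop packets.
BLOCKING_ACTIONS = {"drop", "sdrop", "reject"}

# Rule header: action proto src sport (-> or <>) dst dport, then "(options)".
RULE_RE = re.compile(
    r"^\s*(?P<action>\w+)\s+\w+\s+\S+\s+\S+\s+(?:->|<>)\s+\S+\s+\S+\s*\((?P<opts>.*)\)\s*$"
)
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
MSG_RE = re.compile(r'\bmsg\s*:\s*"([^"]*)"\s*;')

def parse_rules(text: str) -> list[dict[str, str]]:
    """Parse single-line Snort rules, skipping blank and commented-out lines."""
    rules = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue  # not a rule (e.g. a var or preprocessor directive)
        opts = m.group("opts")
        sid = SID_RE.search(opts)
        msg = MSG_RE.search(opts)
        rules.append({
            "action": m.group("action").lower(),
            "sid": sid.group(1) if sid else "",
            "msg": msg.group(1) if msg else "",
        })
    return rules

def blocking_rules(text: str) -> list[dict[str, str]]:
    """Return only the rules that would drop traffic when Snort runs inline."""
    return [r for r in parse_rules(text) if r["action"] in BLOCKING_ACTIONS]

# Constructed sample rule set; sids are in the local (1000000+) range, not real VRT rules.
SAMPLE_RULES = """\
# local.rules (constructed sample)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"LOCAL ssh handshake seen"; flow:to_server; sid:1000001; rev:1;)
drop tcp $EXTERNAL_NET any -> $HOME_NET 1494 (msg:"LOCAL block Citrix ICA"; sid:1000002; rev:1;)
# drop tcp any any -> any 443 (msg:"LOCAL disabled rule"; sid:1000003; rev:1;)
alert ip any any -> any any (msg:"LOCAL catch-all"; sid:1000004; rev:1;)
"""

if __name__ == "__main__":
    for r in blocking_rules(SAMPLE_RULES):
        print(f"sid {r['sid']} ({r['action']}): {r['msg']}")
```

An empty result means the rule set alone cannot be dropping sessions; if it is not empty, check whether the sensor is actually deployed inline before blaming it.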
After exhaustive testing and log reviews I concluded that the Citrix clients were dropping due to a bottleneck created by a 3rd party vendor and NOT FROM RUNNING SECURITY ONION LIVECD.
The fact that the Citrix clients were dropping at the same time as Security Onion LiveCD - SnortSP-Sguil was running was purely coincidental.
Thanks for the suggestions and help; you are putting out a great tool.
Deion "Mule" Christopher
K0MUL
Deion,
Thanks for your feedback. Please let me know if you have any suggestions for the next version of the Security Onion LiveCD.
Thanks,
Doug Burks
Doug,
The link to the liveCD appears to be dead. When I visit:
http://distro.ibiblio.org/pub/linux/distributions/security-onion/security-onion-livecd-20090731.iso
I get a file not found from ibiblio.
Chris
Hi Chris,
The link seems to work for me. Can you try it again and see if you get a different result? Please let me know what you find out.
Thanks,
Doug Burks
I installed SecurityOnion to my hard drive. It installed fine, but I got "Incorrect username or password" when I tried to logon. Perhaps I didn't pay attention and mistyped something? So I reinstalled to disk again. Same error. It is a US keyboard layout with a simple username and password. And no, CAPS LOCK is not on. Has anyone else installed to disk and logged on?
Hi Ross,
For some reason, the installer doesn't actually create the account that you specify during the installation process. You should be able to login using the following credentials:
Username: securityonion
Password: securityonion
Once you've logged in as securityonion, create your real account and delete the securityonion account.
Please let me know if you have any further questions or problems.
Thanks,
Doug Burks
Doug,
First, I ran the install located on the LiveCD desktop.
I followed your advice for logging in as the SO user. However, the SO user does not have the rights to add a new user. What should I do so I can add another user? (root password?)
Also, I cannot edit the network adapters as the SO user.
This is running on a Dell PowerEdge 1950
The securityonion user is in /etc/sudoers, so you should be able to perform any administrative task using the securityonion username/password. If adding a user from the graphical utility, it should prompt you for the securityonion password. If adding a user from the command line, just prefix the command with "sudo". For example:
sudo adduser mynewuseraccount
Please let me know if you have any further questions or problems.
Thanks,
Doug Burks
Found more time to play with the LiveCD. I noticed an issue while trying to send a report via email through the Sguil GUI. Chatting on the #snort-gui channel and sifting through the sguil how-to's didn't help. Let me rephrase that. There are instructions on setting up the mail in sguild.email, but I need to use an smtp server that requires port 587 AND that uses authentication. I thought about setting up CLAWS mail client to check the securityonion@localhost account and then to run a rule to forward that message to an outside email address using my email server with my username, password and port number. This would require, probably at the least, the CLAWS packages as well as sendmail.
Any ideas on how to get this to work? This isn't necessarily a Security Onion LiveCD issue, but I figured you would be the person with a good idea to fix it.
Deion "Mule" Christopher
K0MUL
Hello again Deion,
Depending on your circumstances, this could be extremely easy or a little more difficult.
If all of your Sguil email is going to the same domain and you can contact that domain's MX over port 25, then you should just be able to edit sguild.email and set SMTP_SERVER to that domain's MX and EMAIL_RCPT_TO to your email address in that domain.
If that doesn't work, then you can install and configure Sendmail to relay through an authenticated port 587 (no CLAWS needed):
http://www.linuxha.com/other/sendmail/
As an alternative, you may wish to consider Postfix, as it is easier to configure and use than Sendmail.
Changing the subject, I've created a mailing list for the Security Onion LiveCD. Please submit any future questions to the mailing list:
Security Onion Mailing List
Hello Doug,
Can you point me in the direction on how to configure pulledpork to automatically update the snort sigs?
Thanks,
Vince
Hi Anonymous,
You can find the pulledpork documentation on the Security Onion LiveCD at:
/usr/local/bin/pulledpork/README
Also see the pulledpork project page at:
http://code.google.com/p/pulledpork/
And the author's home page at:
http://global-security.blogspot.com/
For any questions relating to the Security Onion LiveCD itself, please see the Security Onion Wiki and Mailing List:
http://code.google.com/p/security-onion/w/list
http://groups.google.com/group/security-onion
Thanks,
Doug Burks