Monday, November 22, 2010

Security Onion: SSH Keys

Security Onion is remastered using Remastersys.  As part of the remastering process, Remastersys removes the SSH Host keys.  The end result is that, even though the SSH daemon is running, it will not accept any connections.

To generate SSH host keys, use the ssh-keygen command as follows:
ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N ''
ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N '' 
The SSH daemon will then accept connections normally.  

The next version of Security Onion will include SSH host key generation in its Setup script. 

Sunday, November 21, 2010

Security Onion: Update Manager Breaks Sguil

Sguil relies on older version of the tcl/tk packages, so upgrading to newer versions will break Sguil.  I was aware of this potential issue and used the following command to put the packages on hold to try to prevent them from being upgraded.
aptitude hold itcl3 itk3 iwidgets4 tcl8.3 tclx8.3 tclsh 
This seems to work in preventing aptitude from upgrading those packages, but it doesn't prevent Update Manager from upgrading them.  To prevent this, you can do the following.
aptitude -y install wajig 
wajig hold itcl3 itk3 iwidgets4 tcl8.3 tclx8.3 tclsh
If you've already run Update Manager and Sguil is currently broken, do the following to revert to the required versions.
aptitude remove tcl8.5 itcl3 tk8.5 itk3 iwidgets4
dpkg -i *.deb
aptitude -y install iwidgets4
If all went well, Sguil should launch correctly with no errors and Update Manager should be prevented from breaking Sguil again. 

This will be fixed in the next version of Security Onion.

Monday, November 15, 2010

SANS 401 Security Essentials mentored by Doug Burks in Augusta GA

I'll be mentoring SANS 401 Security Essentials in Augusta, GA on Thursday nights starting March 3, 2011. ISSA members are eligible for a 25% discount!

SANS 401 Security Essentials mentored by Doug Burks in Augusta GA

Why should you take SANS 401 Security Essentials?

* Considering the SANS Cyber Guardian program, SANS GSE (GIAC Security Expert) certification, or a Masters degree from the SANS Technical Institute? SANS 401 Security Essentials is required for each of these.

* Complement your CISSP. If you've already taken the CISSP, SANS 401 Security Essentials is the perfect technical complement. It takes all the theory that you learned at a high level for the CISSP and applies it in a very practical and updated manner. SANS 401 is "where the rubber meets the road".

* Are you a Systems Administrator or Network Engineer who would like to learn more about security? This course gives a very thorough overview of security theory and practice. Additionally, the tools and techniques that you learn in this class are directly applicable to your current job (and will prepare you for the future).

* Augment your Windows/Linux skills. Highly experienced with Windows, but not so much with Linux? Or the other way around? SANS 401 Security Essentials dedicates an entire section to Windows security and another entire section to Linux security.

These are just a few reasons to register for SANS 401 Security Essentials. For more information, please see:

SANS 401 Security Essentials mentored by Doug Burks in Augusta GA

Don't forget that ISSA members are eligible for a 25% discount! If you would like to register for the ISSA and/or SANS 401, please let me know and I'll be glad to help!

Wednesday, November 3, 2010

Security Onion: Intrusion Detection for your Network in Minutes

Thanks to all those who came out to the Security Onion presentation! For those who were unable to attend, I've made the slides available here:
Please let me know if you have any questions or problems. I welcome any and all feedback!

Friday, October 29, 2010

Security Onion: Setup Script

Just a quick note that there is a bug in the setup script in the current version of Security Onion. If you double-click the Setup desktop shortcut (or run "setup" from a non-root user account) AND try to update rules, one of the commands will fail and the snort.rules file will be empty. All other functions in the setup script work fine so if you're not using it to update rules, you will never experience this issue.

The next release of Security Onion will have the Setup desktop shortcut configured to run the script using sudo. In the meantime, you can open a terminal and execute "sudo setup" to obtain the necessary privileges and run the script without errors.

For more information, please see the following email thread in the Security Onion mailing list:

Tuesday, October 19, 2010

Decoding Javascript Hex Encoding

Suppose that a web page has some Javascript that contains some hex encoding like this:
How can we decode this on the command line? TIMTOWTDI, but here's one possible solution:
echo "\x74\x65\x73\x74\x69\x6e\x67\x20\x31\x20\x32\x20\x33\x0a" |sed 's|\\x| |g' |xxd -r -p

This gives us the answer:
testing 1 2 3

So how does it work? "xxd -r -p" converts from hex to ASCII, but it's expecting the hex digits to be space delimited. So we use sed to replace each instance of "\x" with a single space. Note that we have to escape the backslash, hence the "\\x".

NOTE: If you don't already have the xxd utility installed, it can be found in the vim-common package in most Linux distributions.

Sunday, October 17, 2010

CISSP Resources: Cryptography

My SANS MGT414 CISSP class is about to study the Cryptography domain. An excellent resource that I recommend to anybody learning about Cryptography is Cryptool:
"CrypTool is a free, open-source e-learning application, used worldwide in the implementation and analysis of cryptographic algorithms. It supports both contemporary teaching methods at schools and universities as well as awareness training for employees and civil servants. "
Cryptool lets you see and interact with several different cryptographic methods, which reinforces the theory that we learn in the textbooks.

Download Cryptool from:

Saturday, October 16, 2010

SSL Decryption using Tshark

Mark Baggett and I learned a few things this week about using tshark to decrypt SSL. Mark posted our lessons learned here:

Wednesday, October 13, 2010

CISSP Resources

I'm mentoring SANS MGT414 Training Program for CISSP right now. Here are some additional resources for students studying for the CISSP.

CISSP All-in-One Exam Guide by Shon Harris:

Official (ISC)2 Guide to the CISSP CBK by Harold Tipton:

CISSP Study Guide by Eric Conrad and Seth Misenar (both SANS Instructors):

Eric Conrad has a sample chapter of his Study Guide available on his website:

He also has 500 free CISSP questions:

More sample questions and forums:

Congratulations to the latest SANS GSEs!

Congratulations to the latest SANS GSEs!

Vishal Hariprasad

If you are considering the SANS GSE, I highly recommend that you pursue it. It is a challenging but fun exam and it definitely gives you the opportunity to showcase your skills.

For more information about the SANS GSE, please see:

Tuesday, October 12, 2010

Security Onion Live: 20101010 Edition!

Security Onion Live 20101010 is now available! Thanks to Matt Jonkman and Emerging Threats for hosting! You can download the ISO here:

If you have any problems or would like to request new features, please submit an issue here:

What is it?
The Security Onion LiveDVD is a bootable DVD that contains software used for installing, configuring, and testing Intrusion Detection Systems.

What software does it contain?
The Security Onion LiveDVD is based on Xubuntu 10.04 and contains Snort, Suricata, Sguil, Xplico, nmap, scapy, hping, netcat, tcpreplay, and many other security tools.

What can it be used for?
* The Security Onion LiveDVD can be used for Intrusion Detection. The Snort and Sguil daemons are automatically started on boot, listening on eth0 for any suspicious traffic and creating alerts in the Sguil database. Simply double-click the Sguil desktop shortcut to launch the GUI and view/investigate the alerts.
* The Security Onion LiveDVD can be used to test an Intrusion Detection System. Simply boot the DVD and use the included tools (such as nmap, scapy, hping, metasploit, and others) to test your existing IDS or to test the included Snort and Suricata IDS/IPS engines.
* The Security Onion LiveDVD can be used to install an Intrusion Detection System. Simply boot the DVD and double-click the Install desktop shortcut. For more information about installation, please see the "Installing to Hard Drive" section below.

System Requirements
512MB RAM is a minimum. 1GB or more is recommended.

Here are the credentials to login to Sguil:
Username: sguil
Password: password

NOTE! It's "sguil" with a 'g', NOT a 'q'!

Disclaimer of Warranty

Limitation of Liability

Installing to Hard Drive
You can use the Install shortcut on the Desktop to install Security Onion to your hard drive. Once you've completed the installation process and have rebooted into your new installation, you will want to:
* Install any available Ubuntu updates.
* Run the Setup desktop shortcut to:
-Specify your HOME_NET variable.
-Download the latest rules from ET and, optionally, VRT.
-Choose between Snort and Suricata as your IDS engine.

Extra Packages installed from repositories
apache2.2-common argus-client argus-server autopsy bison bittwist build-essential chaosreader chkconfig chkrootkit cryptcat curl daemonlogger dcfldd ddrescue driftnet dsniff ettercap-gtk flawfinder flex foremost fwsnort ghex gpart gparted hping3 httptunnel hunt ifenslave-2.6 iisemulator inundator iptraf john labrea lame lfhex libapache2-mod-php5 libcap-ng-dev libcrypt-ssleay-perl libdumbnet-dev liblua5.1-0-dev libncurses5 libncurses5-dev libnet1-dev libnetfilter-queue-dev libnetfilter-queue1 libnfnetlink-dev libnfnetlink0 libnids-dev libpcap-dev libpcre3-dev libreadline6-dev libsqlite3-ruby libssl-dev libyaml-dev md5deep mtr mysql-server netsed netsniff-ng ngrep nmap ntp oinkmaster ophcrack ostinato p0f php5-cli php5-common php5-sqlite pkg-config pbnj pscan ptunnel python-all python-dev python-scapy rats recode remastersys ruby scanmem sdd sleuthkit sniffit sox splint ssdeep ssldump sslsniff sqlite steghide subversion tcl8.3 tcpick tcpreplay tcpslice tcpstat tcpxtract tct testdisk traceroute tshark udptunnel unhide uuid uuid-dev xtightvncviewer xprobe yersinia zenmap zlib1g-dev zenmap zlib1g-dev

Extra Packages installed from other sources
Vortex IDS
NSMnow (includes Sguil, Barnyard2, Sancp, etc)


Sunday, October 10, 2010

Greater Augusta ISSA 2010 Q4 Public Meeting: Doug Burks presents "Security Onion: Intrusion Detection for your Network in Minutes"

Please join us at the Greater Augusta ISSA Q4 meeting on Thursday, October 28. This is our last public meeting of 2010! I will be presenting "Security Onion: Intrusion Detection for your Network in Minutes". Security Onion is a project that I've been working on for the past few years. Its goal is to provide a pre-configured Intrusion Detection environment that can be downloaded for free and put to use in your network in less than an hour. It's based on Xubuntu 10.04 and contains Snort, Suricata, Sguil, Xplico, Vortex IDS, Bro IDS, Chaosreader, driftnet, hping3, scapy, Wireshark, and many other tools. Come see what Security Onion can do for you!

What: The Greater Augusta ISSA 2010 Q4 Public meeting: Doug Burks presents "Security Onion: Intrusion Detection for your Network in Minutes"
How: This is a FREE public meeting. Please confirm your reservation by sending an email to
When: Thursday October 28 9:00 - 11:00 AM
University Hall room 242
Augusta State University
2500 Walton Way
Augusta, GA 30904

On the morning of the presentation, don't forget to swing by the ASU Public Safety office to get a visitor pass for the parking lot. The Public Safety office is in the back corner of the campus. You can see it at the bottom-left of this map:

Speaker Bio
Doug Burks has over 10 years experience in Information Security. He has a Bachelor's degree in Computer Science and also holds the GSE, GPEN, GCIA Gold, GSEC, and CISSP certifications. Doug has worked in many organizations over the years, including government facilities, chemical plants, and the media industry. He excels at providing secure solutions for any environment using a budget of any size. Doug is the author of Security Onion Live ( ), a free bootable DVD that contains many security tools. You can read more about Doug by visiting his blog at

Thursday, August 12, 2010

Suggestions for next version of Security Onion LiveCD

I'm currently working on building the next version of the Security Onion LiveCD. It will be based on a fully-updated Xubuntu 10.04 and will have all the tools that were in previous versions with one exception: Snort 3.0 (SnortSP) currently does not compile on Ubuntu 10.04. However, the new Suricata IDS/IPS engine does compile so it will be taking the place of SnortSP. You'll be able to choose between the current production version of Snort ( or Suricata. Regardless of which IDS engine you choose, your alerts will be available for analysis in Sguil.

We've been nearing the limit of a 700MB CD image for some time, so we will be switching to a DVD image to allow for more software. What suggestions do you have for the new version of the Security Onion LiveCD? Please leave a comment here or add your suggestion at the Security Onion Issue Tracker. Thanks!

Monday, July 26, 2010

SANS MGT414: SANS(R) +S™ Training Program for the CISSP(R) Certification Exam in Augusta starts 10/12

Have you ever considered pursuing the CISSP certification? It *can* be intimidating, but SANS and the Greater Augusta ISSA are here to help!

"Over the past 4 years, 98% of all respondents, who studied our SANS® +S™ Training Program for the CISSP® Certification Exam and then took
the exam passed; compared to a national average of around 70% for other prep courses. SANS® +S™ Training Program for the CISSP® Certification Exam is designed to prepare you to pass the exam. This course is an accelerated review course that assumes the student has a basic understanding of networks and operating systems and focuses solely on the ten domains of knowledge as determined by ISC2. Each domain of knowledge is dissected into its critical components. Every component is discussed showing its relationship to each other and other areas of network security. After completion of the course the student will have a good working knowledge of the ten domains of knowledge.
Who Should Attend
-Security professionals who are interested in understanding the concepts covered in the CISSP® exam as determined by (ISC)2
-Managers who want to understand the critical areas of network security
-System, security, and network administrators who want to understand the pragmatic applications of the CISSP® 10 Domains
-Security professionals and managers looking for practical ways the 10 domains of knowledge can be applied to the current job
-In short, if you desire a CISSP® or your job requires it, MGT414 is the training for you"

If you work for Department of Defense (or would like to), please reference the 8570 matrix to see what the CISSP certification qualifies you for:

I will be mentoring SANS MGT414 SANS® +S™ Training Program for the CISSP® Certification Exam in Augusta starting Tuesday, October 12. Class will be held at Augusta State University starting starting Tuesday, October 12, 2010 and ending Thursday, November 11, 2010. The registration deadline is Tuesday, October 5.

For more information about the course, please see:

Please note that the Greater Augusta ISSA and SANS have come up with a special arrangement to include the CISSP Exam voucher in the price of
the course! Also, a 25% discount is available for ISSA members! Even if you're not currently an ISSA member, you can join today for only
$120 to obtain the 25% discount (which will save you over $700).

Greater Augusta ISSA 2010 Q3 Public Meeting: Rob Lee presents the Mandiant M-Trends Report on APT (Advanced Persistent Threat)

The Greater Augusta ISSA is extremely excited to welcome Rob Lee this quarter! Rob Lee is the Curriculum Lead for Digital Forensic Training at the SANS Institute and is also a Director in MANDIANT’s Professional Services group. Please join us for this educational training opportunity.

What: The Greater Augusta ISSA 2010 Q3 Public meeting: Rob Lee presents the Mandiant M-Trends Report on APT (Advanced Persistent Threat)
How: This is a FREE public meeting. Please confirm your reservation by sending an email to
When: Thursday August 12 9:00 AM - 11:00 AM
University Hall Room UH-170
Augusta State University
2500 Walton Way
Augusta, GA 30904

On the morning of the presentation, don't forget to swing by the ASU Public Safety office to get a visitor pass for the parking lot. The Public Safety office is in the back corner of the campus. You can see it at the bottom-left of this map:

State of the Hack: M-Trends- The Advanced Persistent Threat
In early 2010, MANDIANT released its inaugural M-Trends report. This first report focused on our years of experience responding to computer security incidents perpetrated by the Advanced Persistent Threat (APT). The "straight from the battlefield" presentation provides case studies detailing the most recent computer security incidents MANDIANT has responded to involving the APT. During this presentation we detail the main points of the report through anonymous, in-depth case studies of attacks against commercial, government, and defense industrial base organizations. We demonstrate how the attackers gain access, how they behave once inside the victim network and the impact on the organizations. And, because understanding the problem is only half the battle, we wrap up with remediation recommendations that really work.

Robert Lee
Rob Lee is a Director in MANDIANT’s Professional Services group. Mr. Lee has more than 14 years of experience in computer forensics, vulnerability and exploit discovery, intrusion detection/prevention, and incident response. He served in the U.S. Air Force as a founding member of the 609th Information Warfare Squadron, the first U.S. military operational unit focused on information operations. Later, he was a member of the Air Force Office of Special Investigations where he conducted computer crime investigations, incident response, and computer forensics. Prior to joining MANDIANT, Mr. Lee worked directly with a variety of government agencies in the law enforcement, U.S. Department of Defense, and intelligence communities as the technical lead for a vulnerability discovery and exploit development team, lead for a cyber forensics branch, and lead for a computer forensic and security software development team. A graduate of the U.S. Air Force Academy, Mr. Lee also holds a Masters in Business Administration from Georgetown University. In 2009 he was awarded the Digital Forensic Examiner of the Year from the Forensic 4Cast Awards. Mr. Lee is co-author of the bestselling book Know Your Enemy, (2nd Edition). He is also a co-author of MANDIANT’s Threat intelligence report - M-Trends: The Advanced Persistent Threat.

Friday, June 18, 2010

SANS 560 Network Penetration Testing and Ethical Hacking -- Free Preview!

The Greater Augusta ISSA will present a 2-hour preview of the upcoming SANS 560 Mentor class on Thursday, July 15th. Please join us for a FREE preview of this exciting class!

What: The Greater Augusta ISSA presents a SANS 560 Preview
How: This is a FREE public meeting. Please confirm your reservation by sending an email to
When: Thursday, July 15 9:00 AM - 11:00 AM
Augusta State University
2500 Walton Way
Augusta, GA 30904
Allgood Hall E-258
Please click here for directions to campus:

On the morning of the presentation, don't forget to swing by the ASU Public Safety office to get a visitor pass for the parking lot. The Public Safety office is in the back corner of the campus. You can see it at the bottom-left of this map:

Friday, May 28, 2010

SANS 560 Network Penetration Testing and Ethical Hacking in Augusta starts 8/17

I will be mentoring SANS 560 Network Penetration Testing and Ethical Hacking in Augusta starting Tuesday, August 17. Typical SANS Mentor sessions are one night a week for 10 weeks, but this class will meet twice a week (Tuesdays and Thursdays), so we'll complete the course in only 5 weeks.

Who should take this course?
  • Do you perform penetration testing?
  • Do you procure penetration testing?
  • Do you manage penetration testers?
  • Did you take SANS 504 and really enjoy the Hacker Techniques portion?
  • Do you want to know more about how the bad guys perform recon, scan for vulnerabilities, perform exploitation, gain command execution, and then pivot further into the target environment?
If you answered yes to any of these questions, then you need this class!

For more information about the course, please see:

A 25% discount is available for ISSA members! Even if you're not currently an ISSA member, you can join today for only $120 to obtain the 25% discount (which will save you over $700).

To join the ISSA and/or register for SANS 560, please contact me.

Monday, April 19, 2010

Grepping an Active Log File and Mailing Matches

Recently, I had a need to be alerted by email each and every time a certain user logged in. After a few false starts, I eventually settled on something like this (sanitized and simplified for this blog):
tail -n0 -f /var/log/secure | grep --line-buffered "user" | while read line; do echo $line | mail -s "Found"; done
We use the standard "tail -f" to follow the /var/log/secure file. The "-n0" option is used so that tail will start 0 lines from the end of the file. We only care about new entries in the file, so we start at the very end of the file, ignoring any existing entries.

Next, we pipe that to grep, looking for the username "user". The "--line-buffered" option is used to force grep to flush each and every line of output (instead of waiting for its default buffer to fill). Per the man page, this option can be a performance penalty, but this is not a concern in this scenario.

Then, we pipe that to a while loop that iterates over each line. For each line of output, we generate an email with a subject of "Found" and include what was found in the body of the email.

This solution works quite nicely and can very easily be extended in the following ways:
  • adding multiple grep criteria
  • modifying format of log entry to be emailed
  • changing final action from email to something else (like adding an IPTables drop rule)

Thursday, April 8, 2010

Keep All Your Windows Software Updated with Secunia PSI

These days, it's imperative to keep all your software updated. Not only is it extremely important that you update your Microsoft software, but all third-party software must be kept updated as well (Adobe Reader and Flash, for example). You could open each application and look for its "Check for Updates" menu entry, but this can be time consuming. This method of updating may also miss some software. For example, you may have multiple installations of the Java JRE on your system in different locations. Many Java applications bundle their own JRE in their own directory and never update it.

What to do?

Secunia PSI (Personal Software Inspector) scans all files on your Windows system and, using Secunia's database of fingerprints, is able to determine the software versions installed on your system (including the multiple installations of Java in the example above). It then makes recommendations for any vulnerable software, including links to download the patched version of the software or to uninstall the program. I recommend switching from the default "simple" interface to the "advanced" interface to see all vulnerabilities on your system.

I've been using Secunia PSI on my personal systems for a few months now. It has saved me a lot of time in trying to keep track of all the different software versions on my systems. It also comes in quite handy when performing tech support for relatives--just install Secunia PSI and let it tell you what exactly needs to be updated.

Secunia PSI is free for personal use and I wholeheartedly recommend you try it today and see what vulnerabilities it finds on your system.

Tuesday, February 9, 2010

Defense in Depth using OSSEC and other free tools

Russ McRee wrote an excellent article about OSSEC for the October 2009 issue of ISSA Journal. (Disclaimer: I contributed to the article.) He then went into some further detail on his blog.

In a recent SANS 401 Mentor session, I used OSSEC in my demo of building a secure webserver using defense-in-depth principles. My rough notes can be found below. All software is freely available and the whole process can be done in under an hour (depending on the speed of your Internet connection). Once completed, OSSEC will be monitoring all system logs (SSH, Apache, mod_security, iptables, Wordpress) and optionally providing Active Response, blocking attacker's source IP addresses.

# Go to, pick a mirror, and then download CentOS-5.4-i386-bin-1of6.iso (you'll only need CD #1)
# Boot a virtual machine from the ISO image -OR- burn the ISO to CD and boot a physical machine from it
# Only install what's absolutely necessary - perform a "Base" install of CentOS 5.4
# Reboot (and remove the CentOS CD)

# When "Setup Agent" appears, select "Firewall Configuration".
# SELinux is in Enforcing mode by default -- leave it that way!
# Go to Customize and allow SSH and HTTP in firewall

# Login as root with the password you specified in the installer
# Install all updates and reboot the machine:
yum -y update && reboot

# Add EPEL repo so that we can install mod_security, alpine, and wordpress
rpm -Uvh

# Configure EPEL repo to only update mod_security, lua, alpine, and wordpress packages
vi /etc/yum.repos.d/epel.repo
# add this line in the [epel] section:
includepkgs=mod_security* lua* alpine* wordpress*
# Exit vi by pressing Esc and then typing :wq

# Install blog, web server, and database
yum -y install alpine wordpress mysql-server

# Set services to start on boot and start them now
for i in httpd mysqld
chkconfig $i on
service $i start

# Secure the database
# Follow the prompts and create a new MySQL root password

# Start the MySQL command-line client
mysql -p
# Enter the MySQL root password you just created
# Create a database and user and give user all privileges to DB
create database w0rdpressDB;
grant all privileges on w0rdpressDB.* to w0rdpressUser@localhost identified by 'MyReallyReallyStrongPassphrase';
flush privileges;

# Configure Wordpress to use the database and user we just created
sed -i 's|putyourdbnamehere|w0rdpressDB|g' /etc/wordpress/wp-config.php
sed -i 's|usernamehere|w0rdpressUser|g' /etc/wordpress/wp-config.php
sed -i 's|yourpasswordhere|MyReallyReallyStrongPassphrase|g' /etc/wordpress/wp-config.php

# Finish Wordpress configuration by pointing a browser to:
# http://ip.of.centos.vm/wordpress
# Enter a Blog Title
# Enter "root@localhost.localdomain" (without the quotes) as your email address
# Click "Install Wordpress"
# Login using the randomly generated password
# Once logged in, change your password
# Look at logs in /var/log/httpd/
tail access_log
tail error_log
# Check email with alpine to see Welcome email from Wordpress

# At this point, we've got a basic Wordpress web server.
# Now let's add some layers of instrumentation to augment our defense-in-depth.

# Configure Wordpress to log to /var/log/messages using the WPsyslog2 plugin
cd /usr/share/wordpress/wp-content/plugins
tar zxvf wpsyslog2.tar.gz
# Wordpress admin interface --> activate WPsyslog2 plugin
# Test logging into Wordpress, creating/deleting posts, verify logging in /var/log/messages:
tail /var/log/messages

# Configure IPTables firewall to log any dropped packets to /var/log/messages
iptables -I RH-Firewall-1-INPUT 11 -j LOG --log-prefix="DROP "
service iptables save
tail -f /var/log/messages
# Launch an nmap scan from another host and watch the dropped packets being added to /var/log/messages

# WAF (Web Application Firewall)
yum -y install mod_security
# Configure WAF for extra logging
# Add the following lines to /etc/httpd/modsecurity.d/modsecurity_crs_10_config.conf
SecDataDir /tmp
SecAuditEngine on
SecAuditLog logs/modsec_audit.log

# Restart the web server to activate the mod_security module
service httpd restart
# Test WAF by accessing site by IP address instead of hostname
# Test WAF by trying to do an /etc/passwd attack
# Look at ModSecurity alerts in /var/log/httpd/modsec_audit.log
more /var/log/httpd/modsec_audit.log
# Look at rules in /etc/httpd/modsecurity.d/

# NIDS (Network Intrusion Detection System)
# Install Snort:
rpm -Uvh
# Install PulledPork for Snort rules management:
yum -y install perl-libwww-perl
cd /usr/local/src/
mkdir pulledpork && cd pulledpork
tar zxvf pulledpork-0.3.4.tar.gz
cd pulledpork-0.3.4
# Edit the PulledPork configuration file using vi
vi pulledpork.conf
# and change the following configuration directives
# Exit vi
# Make executable
chmod +x
# Execute with the new configuration file
./ -c pulledpork.conf
# Start Snort
service snortd start
# Test Snort with idswakeup and verify logs in /var/log/snort/

# HIDS (Host Intrusion Detection System)
yum -y install gcc
cd /usr/local/src/
mkdir ossec
tar zxvf ossec-hids-2.3.tar.gz
cd ossec-hids-2.3
# Local installation
# Email to root@localhost
# Enable Active Response, add any IPs to whitelist that you don't want to ever block
# Configure HIDS to monitor WAF logs by editing ossec.conf using vi
vi /var/ossec/etc/ossec.conf
# and copying one of the existing localfile entries and setting:
# log_format to syslog
# location to /var/log/httpd/modsec_audit.log
# Exit vi by pressing Esc and then typing :wq
service ossec start
# Check root email using alpine
# Test HIDS alerting
# Test OSSEC Active Response using nmap, idswakeup, SSH brute force, Wordpress brute force

What else could we do for more defense in depth?
  • Suhosin (PHP Hardening)
  • GreenSQL (Database firewall)
  • Daemonlogger (full packet capture for forensics purposes)
  • Others?