Friday, October 29, 2010

Security Onion: Setup Script

Just a quick note that there is a bug in the setup script in the current version of Security Onion. If you double-click the Setup desktop shortcut (or run "setup" from a non-root user account) AND choose to update rules, one of the commands fails for lack of privileges and the resulting snort.rules file is empty. An empty rules file means Snort loads no signatures and simply generates no alerts, so check that snort.rules is non-empty after updating. All other functions in the setup script work fine, so if you're not using it to update rules you will never experience this issue.

The next release of Security Onion will have the Setup desktop shortcut configured to run the script using sudo. In the meantime, you can open a terminal and execute "sudo setup" to obtain the necessary privileges and run the script without errors.

For more information, please see the following email thread in the Security Onion mailing list:

Tuesday, October 19, 2010

Decoding Javascript Hex Encoding

Suppose that a web page has some Javascript that contains some hex encoding like this:
\x74\x65\x73\x74\x69\x6e\x67\x20\x31\x20\x32\x20\x33\x0a
How can we decode this on the command line? TIMTOWTDI, but here's one possible solution:
echo "\x74\x65\x73\x74\x69\x6e\x67\x20\x31\x20\x32\x20\x33\x0a" |sed 's|\\x| |g' |xxd -r -p

This gives us the answer:
testing 1 2 3

So how does it work? "xxd -r -p" reads a plain hex dump (pairs of hex digits, whitespace ignored) and writes the corresponding bytes. The "\x" prefixes are not part of that format, so we use sed to replace each instance of "\x" with a single space before piping to xxd. Note that we have to escape the backslash in the sed expression, hence the "\\x". One caveat: bash's builtin echo passes "\x74" through literally, which is what we want here, but some shells (zsh, for example) interpret \x escapes in echo; using printf '%s\n' in place of echo avoids that.

NOTE: If you don't already have the xxd utility installed, it can be found in the vim-common package in most Linux distributions.
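The one-liner above handles a string that is nothing but escapes. Real obfuscated scripts usually mix \xHH escapes with literal code, and the box you're analysing on may not have xxd at all. The following is an added example (not from the original post) that decodes every \xHH escape in place using only POSIX sh and awk, passing other text through untouched; the function name decode_js_hex and the sample inputs are my own.

```shell
#!/bin/sh
# Added example (not from the original post): decode JavaScript \xHH escapes
# anywhere in a string, using only POSIX sh + awk, so it works without xxd.
# Each \xHH is replaced by the byte it encodes; everything else is passed through.
# This is static decoding only: nothing in the string is executed.
decode_js_hex() {
    printf '%s' "$1" | awk '
        BEGIN { hexdigits = "0123456789abcdef" }
        # Collect the whole input first so embedded newlines survive intact.
        { text = text (NR > 1 ? "\n" : "") $0 }
        END {
            out = ""
            # match() finds the leftmost \xHH; loop until none remain.
            while (match(text, /\\x[0-9A-Fa-f][0-9A-Fa-f]/)) {
                out = out substr(text, 1, RSTART - 1)
                h   = tolower(substr(text, RSTART + 2, 2))
                val = (index(hexdigits, substr(h, 1, 1)) - 1) * 16 + (index(hexdigits, substr(h, 2, 1)) - 1)
                out = out sprintf("%c", val)   # numeric %c emits that byte
                text = substr(text, RSTART + RLENGTH)
            }
            printf "%s%s", out, text
        }'
}

# Constructed sample inputs: the string from the post, and a snippet with
# literal code around the escapes (the usual shape of obfuscated JavaScript).
decode_js_hex '\x74\x65\x73\x74\x69\x6e\x67\x20\x31\x20\x32\x20\x33\x0a'
decode_js_hex 'var f = "\x65\x76\x61\x6C"; window[f]("\x61\x6c\x65\x72\x74\x28\x31\x29");'
echo
```

The second sample decodes to var f = "eval"; window[f]("alert(1)");, which is the kind of indirect eval you are normally looking for when you bother to decode these strings. Upper- and lower-case hex digits are both accepted, and because the function never evaluates the result, it is safe to run on hostile input.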

Sunday, October 17, 2010

CISSP Resources: Cryptography

My SANS MGT414 CISSP class is about to study the Cryptography domain. An excellent resource that I recommend to anybody learning about Cryptography is CrypTool:
"CrypTool is a free, open-source e-learning application, used worldwide in the implementation and analysis of cryptographic algorithms. It supports both contemporary teaching methods at schools and universities as well as awareness training for employees and civil servants."
-- http://www.cryptool.com/
CrypTool lets you see and interact with several different cryptographic methods, which reinforces the theory that we learn in the textbooks.

Download CrypTool from:

Saturday, October 16, 2010

SSL Decryption using Tshark

Mark Baggett and I learned a few things this week about using tshark to decrypt SSL. Mark posted our lessons learned here:

Wednesday, October 13, 2010

CISSP Resources

I'm mentoring SANS MGT414 Training Program for CISSP right now. Here are some additional resources for students studying for the CISSP.

CISSP All-in-One Exam Guide by Shon Harris:

Official (ISC)2 Guide to the CISSP CBK by Harold Tipton:

CISSP Study Guide by Eric Conrad and Seth Misenar (both SANS Instructors):

Eric Conrad has a sample chapter of his Study Guide available on his website:

He also has 500 free CISSP questions:

More sample questions and forums:

Congratulations to the latest SANS GSEs!

Vishal Hariprasad

If you are considering the SANS GSE, I highly recommend that you pursue it. It is a challenging but fun exam and it definitely gives you the opportunity to showcase your skills.

For more information about the SANS GSE, please see:

Tuesday, October 12, 2010

Security Onion Live: 20101010 Edition!

Security Onion Live 20101010 is now available! Thanks to Matt Jonkman and Emerging Threats for hosting! You can download the ISO here:

If you have any problems or would like to request new features, please submit an issue here:
http://code.google.com/p/security-onion/issues/list

What is it?
The Security Onion LiveDVD is a bootable DVD that contains software used for installing, configuring, and testing Intrusion Detection Systems.

What software does it contain?
The Security Onion LiveDVD is based on Xubuntu 10.04 and contains Snort, Suricata, Sguil, Xplico, nmap, scapy, hping, netcat, tcpreplay, and many other security tools.

What can it be used for?
* The Security Onion LiveDVD can be used for Intrusion Detection. The Snort and Sguil daemons are automatically started on boot, listening on eth0 for any suspicious traffic and creating alerts in the Sguil database. Simply double-click the Sguil desktop shortcut to launch the GUI and view/investigate the alerts.
* The Security Onion LiveDVD can be used to test an Intrusion Detection System. Simply boot the DVD and use the included tools (such as nmap, scapy, hping, metasploit, and others) to test your existing IDS or to test the included Snort and Suricata IDS/IPS engines.
* The Security Onion LiveDVD can be used to install an Intrusion Detection System. Simply boot the DVD and double-click the Install desktop shortcut. For more information about installation, please see the "Installing to Hard Drive" section below.

System Requirements
512MB RAM is a minimum. 1GB or more is recommended.

Sguil
Here are the default credentials to log in to Sguil (change the password on any installation you keep running):
Username: sguil
Password: password

NOTE! It's "sguil" with a 'g', NOT a 'q'!

Disclaimer of Warranty
THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.

Limitation of Liability
IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Installing to Hard Drive
You can use the Install shortcut on the Desktop to install Security Onion to your hard drive. Once you've completed the installation process and have rebooted into your new installation, you will want to:
* Install any available Ubuntu updates.
* Run the Setup desktop shortcut to:
-Specify your HOME_NET variable.
-Download the latest rules from ET and, optionally, VRT.
-Choose between Snort and Suricata as your IDS engine.

Extra Packages installed from repositories
apache2.2-common argus-client argus-server autopsy bison bittwist build-essential chaosreader chkconfig chkrootkit cryptcat curl daemonlogger dcfldd ddrescue driftnet dsniff ettercap-gtk flawfinder flex foremost fwsnort ghex gpart gparted hping3 httptunnel hunt ifenslave-2.6 iisemulator inundator iptraf john labrea lame lfhex libapache2-mod-php5 libcap-ng-dev libcrypt-ssleay-perl libdumbnet-dev liblua5.1-0-dev libncurses5 libncurses5-dev libnet1-dev libnetfilter-queue-dev libnetfilter-queue1 libnfnetlink-dev libnfnetlink0 libnids-dev libpcap-dev libpcre3-dev libreadline6-dev libsqlite3-ruby libssl-dev libyaml-dev md5deep mtr mysql-server netsed netsniff-ng ngrep nmap ntp oinkmaster ophcrack ostinato p0f php5-cli php5-common php5-sqlite pkg-config pbnj pscan ptunnel python-all python-dev python-scapy rats recode remastersys ruby scanmem sdd sleuthkit sniffit sox splint ssdeep ssldump sslsniff sqlite steghide subversion tcl8.3 tcpick tcpreplay tcpslice tcpstat tcpxtract tct testdisk traceroute tshark udptunnel unhide uuid uuid-dev xtightvncviewer xprobe yersinia zenmap zlib1g-dev

Extra Packages installed from other sources
Snort
Suricata
Vortex IDS
Bro IDS
ABCIP
Dumbpig
NSMnow (includes Sguil, Barnyard2, Sancp, etc)
Xplico

Download:

Sunday, October 10, 2010

Greater Augusta ISSA 2010 Q4 Public Meeting: Doug Burks presents "Security Onion: Intrusion Detection for your Network in Minutes"

Please join us at the Greater Augusta ISSA Q4 meeting on Thursday, October 28. This is our last public meeting of 2010! I will be presenting "Security Onion: Intrusion Detection for your Network in Minutes". Security Onion is a project that I've been working on for the past few years. Its goal is to provide a pre-configured Intrusion Detection environment that can be downloaded for free and put to use in your network in less than an hour. It's based on Xubuntu 10.04 and contains Snort, Suricata, Sguil, Xplico, Vortex IDS, Bro IDS, Chaosreader, driftnet, hping3, scapy, Wireshark, and many other tools. Come see what Security Onion can do for you!

What: The Greater Augusta ISSA 2010 Q4 Public meeting: Doug Burks presents "Security Onion: Intrusion Detection for your Network in Minutes"
How: This is a FREE public meeting. Please confirm your reservation by sending an email to reservations@augusta.issa.org
When: Thursday October 28 9:00 - 11:00 AM
Where:
University Hall room 242
Augusta State University
2500 Walton Way
Augusta, GA 30904
http://www.aug.edu/public_relations/pr_map_campus.htm

On the morning of the presentation, don't forget to swing by the ASU Public Safety office to get a visitor pass for the parking lot. The Public Safety office is in the back corner of the campus. You can see it at the bottom-left of this map:
http://www.aug.edu/public_relations/asumap/images/PARKINGMAP1008PR.jpg

Speaker Bio
Doug Burks has over 10 years' experience in Information Security. He has a Bachelor's degree in Computer Science and also holds the GSE, GPEN, GCIA Gold, GSEC, and CISSP certifications. Doug has worked in many organizations over the years, including government facilities, chemical plants, and the media industry. He excels at providing secure solutions for any environment using a budget of any size. Doug is the author of Security Onion Live (http://code.google.com/p/security-onion/), a free bootable DVD that contains many security tools. You can read more about Doug by visiting his blog at http://securityonion.blogspot.com/.