Saturday, January 22, 2011

Security Onion 20110122 fixes DNS error in Sguil

I received Issue 77 in the Security Onion Issue Tracker.  The Issue describes an error when enabling Reverse DNS queries in Sguil.  I was able to duplicate the issue.

I consulted with Bamm Visscher and he said this was due to Ubuntu's libudp-tcl package.  I removed libudp-tcl and Reverse DNS queries started working again.

I've released a new upgrade script that fixes this issue automatically.  Just download security-onion-upgrade.sh from http://sourceforge.net/projects/security-onion/files/ and run it like so:
sudo bash security-onion-upgrade.sh

It will then upgrade your Security Onion installation to version 20110122 and Reverse DNS queries should start working correctly.

Thursday, January 20, 2011

Introduction to Sguil and Squert: Part 4

This post is the fourth in a multi-part series designed to introduce Sguil and Squert to beginners.

I'm assuming you've already been through the steps in the previous posts in this series:

Introduction to Sguil and Squert: Part 1
Introduction to Sguil and Squert: Part 2
Introduction to Sguil and Squert: Part 3


In Part 3, we saw Sguil's killer feature of being able to pull session transcripts from the full packet captures to show an entire attack from beginning to end.  In Part 4, we're going to see one of Squert's killer features: alert visualization.


Using the alerts from yesterday's demo, we display them in Squert.

Right above the alerts, we click "create" and are then prompted for some options.  We give it a name and keep the other options at their default settings.


We then click the "create" button and then a graph is generated of the alert data.


We can then click on the graph to open a larger version and see more detail.

Security Onion nsm_all_del script

This blog post will demonstrate the nsm_all_del script.  If you ran through Setup and configured your sensors but decide that you need to re-run Setup for some reason (perhaps you want to choose Advanced Setup to choose specific interfaces), then you need to run nsm_all_del first.  nsm_all_del will delete your current sensor configuration in preparation for running Setup again.

Suppose I ran through Setup using Quick Setup which enumerated my Ethernet interfaces and created Sguil sensors for eth0, eth1, and eth2.

Now suppose I want eth0 to be just a management interface with no Sguil sensor.  I need to run Setup again and choose Advanced Setup to exclude eth0, but first I need to run nsm_all_del to delete the current Sguil configuration.

Once clicked, nsm_all_del displays a warning.

It then begins deleting sensors, asking for confirmation along the way.

Once nsm_all_del completes, I then run Setup again and choose Advanced Setup so that I can choose which network interfaces should have Sguil sensors.

Once Setup completes, I log in to Sguil and see that I only have Sguil sensors for eth1 and eth2.

Security Onion Upgrade Script

This is a quick blog post to demonstrate the Security Onion Upgrade Script.  If you're running Security Onion 20110101 or newer, you can download and run the Security Onion Upgrade script to do an in-place upgrade.  In the screenshot below, you can see that I started with Security Onion 20110116 and then ran the following commands:

wget http://downloads.sourceforge.net/project/security-onion/security-onion-upgrade.sh
sudo bash security-onion-upgrade.sh

The upgrade script then upgraded the system to 20110117 and then to 20110118.


Wednesday, January 19, 2011

Introduction to Sguil and Squert: Part 3

This post is the third in a multi-part series designed to introduce Sguil and Squert to beginners.


I'm assuming you've already been through the steps in Introduction to Sguil and Squert: Part 1 and Introduction to Sguil and Squert: Part 2.


In Parts 1 and 2, we compared Sguil and Squert and showed how you can accomplish the same thing in both.  In Part 3, we're going to contrast them and see why we need both.


Let's start with Sguil.  Sguil's killer feature is the ability to take an alert and pull a full session transcript.  By doing this, we not only see the traffic that triggered the alert, but also the traffic in the session that occurred before and after the alert.  
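To make concrete what "pull a full session transcript" means mechanically, here is an added example (written for this page; it is not Sguil's own implementation, which queries the sensor's full packet capture via its own agents). The Python below builds a small constructed pcap containing one FTP control session, an unrelated HTTP request on another connection, and a retransmitted segment. Given only the (src, sport, dst, dport) recorded on an alert, it collects every packet of that connection in both directions, drops the duplicate segment, and prints the conversation in SRC/DST form, so the reader sees the traffic before and after the alerting packet, not just the packet itself. All addresses, ports and payloads are constructed sample data.

```python
import struct

PCAP_MAGIC, ETH_IPV4, PROTO_TCP = 0xA1B2C3D4, 0x0800, 6   # libpcap magic (usec stamps), EtherType, IP proto
SYN, ACK, PSH = 0x02, 0x10, 0x08


def ip4(addr):
    return bytes(int(x) for x in addr.split("."))


def tcp_frame(src, sport, dst, dport, seq, flags, payload=b""):
    """Ethernet + IPv4 + TCP frame; checksums left zero because this is offline sample data."""
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 65535, 0, 0)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp_hdr) + len(payload),
                         0, 0x4000, 64, PROTO_TCP, 0, ip4(src), ip4(dst))
    return bytes(range(12)) + struct.pack("!H", ETH_IPV4) + ip_hdr + tcp_hdr + payload


def build_pcap(frames):
    """(timestamp, frame_bytes) pairs -> a complete libpcap file, link type 1 (Ethernet)."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)]
    for ts, frame in frames:
        sec = int(ts)
        out.append(struct.pack("<IIII", sec, int(round((ts - sec) * 1e6)), len(frame), len(frame)) + frame)
    return b"".join(out)


def parse_pcap(data):
    """Yield (ts, src, sport, dst, dport, seq, flags, payload) for each TCP/IPv4 packet in a pcap."""
    endian = "<" if struct.unpack_from("<I", data, 0)[0] == PCAP_MAGIC else ">"
    offset = 24                                            # past the 24-byte global header
    while offset + 16 <= len(data):
        sec, usec, incl_len, _ = struct.unpack_from(endian + "IIII", data, offset)
        frame, offset = data[offset + 16:offset + 16 + incl_len], offset + 16 + incl_len
        if struct.unpack_from("!H", frame, 12)[0] != ETH_IPV4:
            continue
        ip = frame[14:]
        if ip[9] != PROTO_TCP:
            continue
        ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack_from("!H", ip, 2)[0]
        src, dst = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
        tcp = ip[ihl:total_len]
        sport, dport, seq, _ack, data_off, flags = struct.unpack_from("!HHIIBB", tcp, 0)
        yield (sec + usec / 1e6, src, sport, dst, dport, seq, flags, tcp[(data_off >> 4) * 4:])


def session_transcript(pcap_bytes, alert_flow):
    """Rebuild the whole conversation behind one alert: every packet of the alert's connection,
    both directions, before and after the alerting packet; other flows dropped, retransmits shown once."""
    src, sport, dst, dport = alert_flow
    forward, reverse = (src, sport, dst, dport), (dst, dport, src, sport)
    seen, lines = set(), []
    for _ts, s, sp, d, dp, seq, _flags, payload in sorted(parse_pcap(pcap_bytes), key=lambda p: p[0]):
        flow = (s, sp, d, dp)
        if flow not in (forward, reverse) or not payload:
            continue
        direction = "SRC" if flow == forward else "DST"
        if (direction, seq) not in seen:                   # same seq seen twice = retransmission
            seen.add((direction, seq))
            lines.append((direction, payload.decode("latin-1").rstrip("\r\n")))
    return lines


def constructed_capture():
    """Constructed sample (not real traffic): one FTP control session, an unrelated HTTP
    request on another connection, and one retransmitted FTP segment."""
    client, server, frames, clock = "10.0.0.20", "192.0.2.10", [], [1000.0]

    def add(s, sp, d, dp, seq, flags, payload=b""):
        clock[0] += 0.01
        frames.append((clock[0], tcp_frame(s, sp, d, dp, seq, flags, payload)))

    cseq, sseq = 1000, 5000
    add(client, 40001, server, 21, cseq, SYN)
    add(server, 21, client, 40001, sseq, SYN | ACK)
    cseq, sseq = cseq + 1, sseq + 1
    add(client, 40001, server, 21, cseq, ACK)
    exchange = [("DST", b"220 FTP server ready\r\n"), ("SRC", b"USER anonymous\r\n"),
                ("DST", b"331 Please specify the password.\r\n"), ("SRC", b"PASS guest@example.com\r\n"),
                ("DST", b"230 Login successful.\r\n"), ("SRC", b"SYST\r\n"),
                ("DST", b"215 UNIX Type: L8\r\n"), ("SRC", b"QUIT\r\n"), ("DST", b"221 Goodbye.\r\n")]
    for direction, payload in exchange:
        if direction == "SRC":
            add(client, 40001, server, 21, cseq, PSH | ACK, payload)
            cseq += len(payload)
        else:
            add(server, 21, client, 40001, sseq, PSH | ACK, payload)
            sseq += len(payload)
    add(client, 40002, "198.51.100.7", 80, 7000, PSH | ACK, b"GET / HTTP/1.0\r\n\r\n")  # other flow
    user_frame = next(f for _, f in frames if f.endswith(b"USER anonymous\r\n"))
    frames.append((clock[0] + 0.5, user_frame))                                         # retransmission
    return build_pcap(frames)


if __name__ == "__main__":
    # Pretend the IDS alerted on the client's SYST command and recorded this flow on the alert.
    for direction, text in session_transcript(constructed_capture(), ("10.0.0.20", 40001, "192.0.2.10", 21)):
        print(f"{direction}: {text}")
```

Keying on the connection tuple rather than on the single alerting packet is the whole point: the analyst gets the login, the command sequence and the close, which is what lets a transcript show an attack "from beginning to end" as described above. Deduplicating on (direction, seq) is a minimal stand-in for real reassembly, which would also handle out-of-order and overlapping segments.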


Time for an example.  Download "Scan of the Month 19" from the Honeynet Project:
wget http://old.honeynet.org/scans/scan19/scan19.tar.gz


Expand the tarball:
tar zxvf scan19.tar.gz


If you haven't already, log into Sguil so that you'll be able to see the alerts as they populate.  Now use tcpreplay to replay newdat3.log onto your eth0 interface (you may need/want to use a different interface, just make sure it's one that's being monitored by Sguil):
sudo tcpreplay -i eth0 -t newdat3.log


As soon as you hit Enter, switch over to your Sguil console so that you can see the alerts.  You should see something like this:


Go to either of the "GPL FTP SITE ..." events, right-click the Alert ID, and click Transcript.  A new window will appear like this:


It may take a few seconds to pull the entire transcript.  Once it does, you'll be able to scroll down and see the entire FTP attack, from the buffer overflow to the attacker catting the passwd file:


Can your commercial IDS do that?  Come back tomorrow to see one of the killer features that Squert has.

Tuesday, January 18, 2011

Introduction to Sguil and Squert: Part 2

This post is the second in a multi-part series designed to introduce Sguil and Squert to beginners.


I'm assuming you've already been through the steps in Introduction to Sguil and Squert: Part 1.  


Before we get started with Part 2, we need to fix a bug in Security Onion's Squert configuration.  Download the Security Onion Upgrade script and run it from a terminal like so:
sudo bash security-onion-upgrade.sh


Let's get started!  Generate an alert like you did previously using the testmyids.com bookmark in Firefox.  If the page loads but you get no alert in Sguil, then Firefox loaded the page from cache and you'll need to do a Shift-Reload to force the browser to get a new copy of the page.


In Sguil, make sure that "Show Packet Data" and "Show Rule" are enabled.  Now click the alert.  You should see something like the following screenshot.  Notice that we can instantly see both the rule and the traffic that triggered the alert without any further navigation in the user interface.


In Squert, set Status to Unclassified as we did before and click the "submit" button.  You should see something like the following.  Notice that we only see the Signature.


Click the View drop-down box and select "event detail" and then click the "submit" button.  You should now see something like the following.


Click on the Timestamp for the alert.  A separate window will appear that shows the packet data:


Now click the Signature field.  A separate window will appear that shows the rule:


In this post, we've covered looking at rule and packet data in both Sguil and Squert.

Stay tuned for future posts in this series!

Monday, January 17, 2011

Introduction to Sguil and Squert: Part 1

This post is the first in a multi-part series designed to introduce Sguil and Squert to beginners.

1. Download Security Onion 20110116.
2. Boot the ISO and run through the installer.
3. Reboot into your new Security Onion installation and log in using the username/password you specified in the previous step.
4. Double-click the Setup script on the Desktop and follow the prompts to configure and start the Sguil processes.
5. Double-click the Sguil desktop icon.  Log into Sguil using the username/password you specified in the previous step.  There may already be some alerts in the Sguil console.  If not, open Firefox and click the testmyids.com bookmark and you should then see an alert appear in Sguil.


6. Double-click the Squert desktop icon.  The Squert main page appears.  Click the "submit" button.  Snort alerts appear at the bottom of the page and they should match what you saw in Sguil.


7. Go back to Sguil, select an alert, and press the F8 key to expire it.  Notice that the alert disappears from Sguil.


8. Go back to Squert and click the "submit" button again.  Notice that the alert remains in Squert.  Sguil's main console shows events that have not yet been classified, so we need to tell Squert to do the same.  Click the "Status" drop-down box and select "Unclassified".  Click the "submit" button and notice that the alert is now gone.

In this post, we've covered the following:
  • Logging into Sguil and Squert
  • Generating an IDS alert
  • Expiring an IDS alert
  • Configuring Squert to show Unclassified events to match the main Sguil window
Stay tuned for future posts in this series!

Sunday, January 16, 2011

Security Onion 20110116

Security Onion 20110116 is now available!  This release is primarily a bug fix and resolves the following issues:


You can download Security Onion 20110116 here:
http://sourceforge.net/projects/security-onion/files/security-onion-live-20110116.iso/download


If you're currently running Security Onion 20110101, you can do an in-place upgrade to version 20110116 using the upgrade script found here:
http://sourceforge.net/projects/security-onion/files/security-onion-upgrade.sh/download


Once downloaded, open a terminal and execute the script like this:
sudo bash security-onion-upgrade.sh


Please note that performing an in-place upgrade requires Internet access to download Ubuntu updates.

Friday, January 7, 2011

Security Onion 20110101: OSSEC and Sguil

Security Onion 20110101 includes OSSEC 2.5.1.  OSSEC is a Host Intrusion Detection System (HIDS) and it monitors system logs for signs of intrusions.  When it sees something that looks like an intrusion, it writes an alert to /var/ossec/logs/alerts/alerts.log.  Security Onion 20110101 also includes the OSSEC Agent for Sguil, which takes any alerts from /var/ossec/logs/alerts/alerts.log and sends them to Sguil.
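For readers who want to see what the agent has to work with, here is an added example of parsing that alerts.log format in Python. It is not the OSSEC Agent for Sguil (which is a separate program shipped with Security Onion) and it does not talk to Sguil; it shows the structure of the records the agent reads: a "** Alert" header carrying an epoch-based id and the rule groups, an origin line (with an agent name in parentheses when the alert came from a remote agent), the Rule line with id, level and description, optional Src IP and User lines, and then the log lines that matched. The sample log content is constructed for this example, not taken from a real system.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample of /var/ossec/logs/alerts/alerts.log (not from a real system).  A blank line
# separates alert records; the second record shows the agent form of the origin line.
SAMPLE_ALERTS_LOG = """\
** Alert 1294419599.12345: - syslog,sshd,authentication_failed,
2011 Jan 07 12:00:00 sensor1->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 192.0.2.5
User: root
Jan  7 12:00:00 sensor1 sshd[2301]: Failed password for root from 192.0.2.5 port 51044 ssh2

** Alert 1294419642.12401: mail  - syslog,sshd,authentication_failures,
2011 Jan 07 12:00:42 (agent01) 10.0.0.5->/var/log/auth.log
Rule: 5720 (level 10) -> 'Multiple SSHD authentication failures.'
Src IP: 192.0.2.5
User: root
Jan  7 12:00:40 agent01 sshd[2310]: Failed password for root from 192.0.2.5 port 51050 ssh2
Jan  7 12:00:41 agent01 sshd[2311]: Failed password for root from 192.0.2.5 port 51051 ssh2
Jan  7 12:00:42 agent01 sshd[2312]: Failed password for root from 192.0.2.5 port 51052 ssh2

** Alert 1294419700.12500: - ossec,syscheck,
2011 Jan 07 12:01:40 sensor1->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/passwd'
"""

HEADER_RE = re.compile(r"^\*\* Alert (\d+)\.(\d+):(?: (\w+))? +- (.*)$")
ORIGIN_RE = re.compile(r"^(\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) (?:\((\S+)\) )?(\S+)->(.+)$")
RULE_RE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$")


@dataclass
class OssecAlert:
    alert_id: str
    epoch: int
    groups: List[str]
    timestamp: str
    agent: Optional[str]
    host: str
    location: str
    rule_id: int
    level: int
    description: str
    src_ip: Optional[str] = None
    user: Optional[str] = None
    log_lines: List[str] = field(default_factory=list)


def parse_alert_block(block):
    """Parse one blank-line-delimited alert record; raise on anything that is not one."""
    lines = block.strip().splitlines()
    head = HEADER_RE.match(lines[0]) if lines else None
    origin = ORIGIN_RE.match(lines[1]) if len(lines) > 2 else None
    rule = RULE_RE.match(lines[2]) if len(lines) > 2 else None
    if not (head and origin and rule):
        raise ValueError("malformed OSSEC alert record: %r" % block[:60])
    secs, counter, _mail_flag, groups = head.groups()
    alert = OssecAlert(
        alert_id=f"{secs}.{counter}", epoch=int(secs), groups=[g for g in groups.split(",") if g],
        timestamp=origin.group(1), agent=origin.group(2), host=origin.group(3), location=origin.group(4),
        rule_id=int(rule.group(1)), level=int(rule.group(2)), description=rule.group(3))
    for line in lines[3:]:                      # optional fields first, everything else is log text
        if line.startswith("Src IP: "):
            alert.src_ip = line[len("Src IP: "):].strip()
        elif line.startswith("User: "):
            alert.user = line[len("User: "):].strip()
        else:
            alert.log_lines.append(line)
    return alert


def parse_alerts_log(text):
    """Split alerts.log into records (separated by blank lines) and parse each one."""
    return [parse_alert_block(b) for b in re.split(r"\n[ \t]*\n", text.strip())
            if b.lstrip().startswith("** Alert")]


def alerts_at_or_above(alerts, level):
    """Alerts at or above a severity level, the usual filter a forwarder applies before passing them on."""
    return [a for a in alerts if a.level >= level]


def auth_failure_alerts_by_source(alerts):
    """Count authentication-failure alerts per source IP, a simple aggregation over parsed records."""
    counts = {}
    for a in alerts:
        if a.src_ip and any(g.startswith("authentication_fail") for g in a.groups):
            counts[a.src_ip] = counts.get(a.src_ip, 0) + 1
    return counts


if __name__ == "__main__":
    for a in alerts_at_or_above(parse_alerts_log(SAMPLE_ALERTS_LOG), 7):
        print(f"{a.timestamp} {a.agent or a.host} rule={a.rule_id} level={a.level} {a.description}")
```

Rule id, level, source IP and the originating host or agent are the fields an analyst needs to pivot from a HIDS event into the rest of the console, so those are what the parser pulls out as typed fields; the raw log lines are kept verbatim so nothing the rule matched on is lost.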

In this first screenshot, I have launched the Sguil client and entered my username and password.  Sguil then allows me to select which networks to monitor (eth0 and/or ossec).  I click the "Select All" button and then click "Start SGUIL".


After clicking "Start SGUIL", the Sguil console appears and I see my OSSEC alerts:

Thursday, January 6, 2011

Security Onion 20110101: Setup script

Security Onion 20110101 includes a new and improved Setup script.  Here are some screenshots of the Quick Setup process.

Once the Setup script is complete, you can then log into the Sguil client using the username and password you chose in Setup.

Wednesday, January 5, 2011

Security Onion 20110101

Security Onion Live 20110101 is now available! Thanks to Matt Jonkman and Emerging Threats for hosting! You can download the ISO here:

If you have any problems or would like to request new features, please submit an issue here:

Changelog
  • All Xubuntu 10.04 updates as of release date.
  • Snort updated to 2.9.0.3.
  • Suricata updated to 1.1beta1.
  • Barnyard2 updated to 1.9 Stable.
  • Vortex updated to 2.9.0.
  • Installed OSSEC for host-based intrusion detection.
  • Installed Squert web interface for Sguil.
  • Installed Armitage GUI interface for Metasploit.
  • Many improvements to Setup script for user-friendliness and capability.

Please note!
In previous releases of Security Onion, Snort and Sguil were automatically configured for eth0.  This is no longer the case.  The Setup script on the Desktop is now used to choose your IDS engine, select the network interfaces it should listen on, and start the Sguil services.

What is Security Onion?
The Security Onion LiveDVD is a bootable DVD that contains software used for installing, configuring, and testing Intrusion Detection Systems.

What software does it contain?
The Security Onion LiveDVD is based on Xubuntu 10.04 and contains Snort, Suricata, Sguil, Xplico, nmap, scapy, hping, netcat, tcpreplay, and many other security tools.

What can it be used for?
  • The Security Onion LiveDVD can be used for Intrusion Detection. Simply boot the DVD, double-click the Setup desktop shortcut, and follow the prompts. Once Setup completes, then double-click the Sguil desktop shortcut to launch the GUI and view/investigate the alerts. (This is fine for temporary or demo environments, but production environments should not run from the LiveDVD environment. See installation information below.)
  • The Security Onion LiveDVD can be used to test an Intrusion Detection System. Simply boot the DVD and use the included tools (such as nmap, scapy, hping, metasploit, and others) to test your existing IDS or to test the included Snort and Suricata IDS/IPS engines.
  • The Security Onion LiveDVD can be used to install an Intrusion Detection System. Simply boot the DVD and choose the Install option in the Boot Menu or boot into the full live Desktop and double-click the Install desktop shortcut. Once you've completed the installation process and have rebooted into your new installation, you will want to install any available Ubuntu updates and then double-click the Setup desktop shortcut to configure Security Onion.

System Requirements

512MB RAM is a minimum. 1GB or more is recommended.

Extra Packages installed from repositories
apache2.2-common argus-client argus-server autopsy bison bittwist build-essential chaosreader chkconfig chkrootkit cryptcat curl daemonlogger dcfldd ddrescue dkms driftnet dsniff flawfinder flex foremost fwsnort ghex gpart gparted hping3 httptunnel hunt ifenslave-2.6 iisemulator inundator iptraf irb john labrea lame lfhex libapache2-mod-php5 libcap-ng-dev libcrypt-ssleay-perl libdl-ruby libdumbnet-dev libiconv-ruby liblua5.1-0-dev libncurses5 libncurses5-dev libnet1-dev libnetfilter-queue-dev libnetfilter-queue1 libnfnetlink-dev libnfnetlink0 libnids-dev libopenssl-ruby libpcap-dev libpcre3-dev libreadline6-dev libreadline-ruby libsqlite3-dev libsqlite3-ruby libssl-dev libyaml-dev libyaml-ruby md5deep mtr mysql-server netsed netsniff-ng ngrep nmap ntp oinkmaster ophcrack ostinato p0f php5-cli php5-common php5-sqlite pkg-config pbnj pscan ptunnel python-all python-dev python-scapy rats recode remastersys ri ruby rubygems scanmem sdd sleuthkit sniffit sox splint ssdeep ssldump sslsniff sqlite steghide subversion tcl8.3 tcpick tcpreplay tcpslice tcpstat tcpxtract tct testdisk traceroute tshark udptunnel unhide uuid uuid-dev xtightvncviewer xprobe yersinia zenmap zlib1g-dev

Extra Packages installed from other sources
Snort
Suricata
Vortex IDS
Bro IDS
ABCIP
Dumbpig
NSMnow (includes Sguil, Barnyard2, Sancp, etc)
OSSEC
Squert
Xplico
hogger
SnortValidator
Metasploit

Disclaimer of Warranty
THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.

Limitation of Liability
IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.