Security Onion LiveCD 20090731

A new version of the Security Onion LiveCD has been released! Here's the changelog:

2009/07/31: New Release!
* All Xubuntu 9.04 updates as of 2009/07/31.
* Added sqlite and libsqlite3-ruby packages for db_autopwn.
* Added fwbuilder.
* Latest Metasploit msf v3.3-dev as of 2009/07/31.
* Latest Nmap 5.05BETA1 as of 2009/07/31.

The Security Onion LiveCD can be downloaded from the following location:
http://distro.ibiblio.org/pub/linux/distributions/security-onion/

Please let me know if you have any questions or suggestions.

Security Onion LiveCD 20090724

A new version of the Security Onion LiveCD has been released! Here's the changelog:

* All Xubuntu 9.04 updates as of 2009/07/24.
* Added a Security Onion section to the Applications menu.
* Latest Metasploit msf v3.3-dev as of 2009/07/24.
* Latest Nmap as of 2009/07/24.

The Security Onion LiveCD can be downloaded from the following location:
http://distro.ibiblio.org/pub/linux/distributions/security-onion/

Please let me know if you have any questions or suggestions.

Suggestions for the Security Onion LiveCD

I'm currently working on the next version of the Security Onion LiveCD. What specific packages/features would you like to see added to the Security Onion LiveCD? Post a comment here or contact me on Twitter. Thanks!

Security Onion LiveCD 20090613

A new version of the Security Onion LiveCD is now available! Here's the changelog:

-All Xubuntu 9.04 updates as of 2009/06/13.

-Added JJ Cummings's pulledpork as an alternative to oinkmaster. All pulledpork files are in:
/usr/local/bin/pulledpork/

-Added Leon Ward's dumbpig for checking custom Snort rules:
/usr/local/bin/dumbpig.pl

-Added Bro IDS for Marcus J. Carey. All Bro files are in:
/usr/local/bro/

The Security Onion LiveCD can be downloaded from the following location:
http://distro.ibiblio.org/pub/linux/distributions/security-onion/

UPDATE: Some ibiblio mirrors are showing an index page which contains no links. Here are the direct links to the ISO and MD5 file:
http://distro.ibiblio.org/pub/linux/distributions/security-onion/security-onion-livecd-20090613.iso
http://distro.ibiblio.org/pub/linux/distributions/security-onion/security-onion-livecd-20090613.md5

The Security Onion LiveCD is now available!

The Security Onion LiveCD is now available! You can download it from the following location:
http://distro.ibiblio.org/pub/linux/distributions/security-onion/

What is it?
The Security Onion LiveCD is a bootable CD that contains software used for installing, configuring, and testing Intrusion Detection Systems.

What software does it contain?
The Security Onion LiveCD is based on Xubuntu 9.04 and contains Snort 2.8.4.1, Snort 3.0.0b3 (Beta), sguil, idswakeup, nmap, metasploit, scapy, hping, fragroute, fragrouter, netcat, paketto, tcpreplay, and many other security tools.

What can it be used for?

• The Security Onion LiveCD can be used for Intrusion Detection. Simply boot the CD and double-click either the Snort-Sguil or SnortSP-Sguil desktop shortcuts. The Snort and Sguil daemons will then start, listening on eth0 for any suspicious traffic and creating alerts in the Sguil console.
• The Security Onion LiveCD can be used to test an Intrusion Detection System. Simply boot the CD and use the included tools (such as nmap, metasploit, idswakeup, scapy, hping, and others) to test your existing IDS or to test the included Snort 2.8.4.1 and Snort 3.0 Beta 3.
• The Security Onion LiveCD can be used to install an Intrusion Detection System. Simply boot the CD and double-click the Install desktop shortcut. For more information about installation, please see the README desktop shortcut.

You can read more about the Security Onion LiveCD (and, specifically, the integration of Snort 3.0 and Sguil) in my SANS GCIA Gold Paper "Snort 3.0 Beta 3 for Analysts".

Please take a look at the Security Onion LiveCD and let me know what you think!

* Special thanks to:

• Marty Roesch and the whole SourceFire team for all of their work these last 10 years to get Snort to where it is today.
  
• The Sguil team for the best open-source tool to manage Snort alerts.
  
• The SecurixLive crew for their awesome NSMnow installer, the easiest way to install and configure Snort/Sguil on Ubuntu Linux.
• Ubuntu (and Debian) for their well-made Linux distribution(s).
• The Reconstructor team for a very easy to use tool for remastering Ubuntu LiveCDs.
• All developers in the open-source community who work so hard and produce such amazing tools.
  

Snort 3.0 (SnortSP) Beta 3 -- Inline Bridging Mode in 3 Steps

To complete the updating of my 3-part series on Installing and Configuring Snort 3 Beta 3, I now present to you the final chapter in this trilogy: the updated recipe for Snort 3 Inline Bridging Mode in 3 Steps. Snort 3.0 Beta 3 has changed the syntax for creating a new dsrc, so this has been reflected in the new recipe.

Step 1: Add a new function to your snort.lua file
If you followed the updated Snort 3.0 Beta 3 Installation HOWTO, then the default snort.lua file is in /etc/snortsp/snort.lua. Open the file and add the following function:

function bridge (interface1, interface2)
if interface2 == nil then
error("Two interface strings must be specified ( e.g. bridge(\"eth0\", \"eth1\") )")
end
dsrc1 = {name="src1",
type="afpacket",
intf=interface1..":"..interface2,
flags=10,
snaplen=1514,
display="none",
tcp={maxflows=262144, maxidle=30, flow_memcap=10000000},
other={maxflows=131072, maxidle=30, flow_memcap=1000000},
cksum_mode=0x0,
}
dsrc.new(dsrc1)
eng.new({name="e1"})
eng.link({engine="e1", source="src1"})
eng.start("e1")
end

Step 2: Start SnortSP
Start SnortSP using the following command:

sudo snortsp -L /etc/snortsp/snort.lua

SnortSP will start up and read your new snort.lua file. You will then be greeted by the SnortSP Lua shell.

Step 3: Use the bridge() function
In the Lua shell, type the following (replacing eth0 and eth1 with the correct interfaces on your system):

bridge("eth0", "eth1")

Once the bridge is up and running, you can do the following to display packets traversing the bridge:

eng.set_display({engine="e1", display="none"})
Press the Up arrow and change "none" to "classic".
View the output.
Press the Up arrow twice to retrieve the "none" command and press Enter.

When finished, shut down SnortSP by running the following command:

ssp.shutdown()

Integrating Snort 3.0 Beta 3 and Sguil in 3 Steps

Since I updated the "Installing Snort 3.0 Beta on Ubuntu 8.04" post to work with Snort 3.0 Beta 3, here's the update for the "Integrating Snort 3.0 (SnortSP) and Sguil in 3 Steps" post. Since the original post, NSMnow 1.3.5 has been released, so the URL has been updated in the recipe to reflect this new version. Also, there appears to be a bug in the current sspiffy.sh whereby it configures the dsrc type to be "file" instead of "pcap". I added a quick one-liner to correct this in the snort.lua file.

Please note that if you have an existing NSMnow installation, following this recipe may or may not work. This recipe is designed for new NSMnow installations.

The best open source tool to manage Snort alerts is Sguil and the easiest way to install Sguil is using NSMnow. NSMnow automatically installs and configures barnyard2 (compatible with SnortSP's unfied2 format), sancp, Sguil, and Snort 2.x. We're going to replace NSMnow's snort alert process with Snort 3.0.

This quick recipe assumes that you're running on Ubuntu 8.04 and your primary network interface is eth0. You should be able to copy/paste each of the three code blocks into your terminal.

Obligatory disclaimer: I offer no warranty of any kind. If this breaks your box, you get to keep both pieces.

Step 1: Get root privileges

##########################
sudo -i
##########################

Step 2: Install NSMnow

##########################
mkdir /usr/local/src/NSMnow
cd /usr/local/src/NSMnow
wget http://www.securixlive.com/download/nsmnow/NSMnow-1.3.5.tar.gz
tar zxvf NSMnow-1.3.5.tar.gz
./NSMnow -i -y
##########################

Step 3: Configure NSMnow and SnortSP and start

##########################
if ! grep "/nsm/server_data/server1/load" /etc/apparmor.d/usr.sbin.mysqld > /dev/null
then
sed -i 's|}| /nsm/server_data/server1/load/* r,|g' /etc/apparmor.d/usr.sbin.mysqld
echo "}" >> /etc/apparmor.d/usr.sbin.mysqld
fi
/etc/init.d/apparmor restart
/usr/local/sbin/nsm --server --start
/usr/local/sbin/nsm_sensor_ps-start --skip-snort-alert
mkdir /etc/snortsp_alert
cd /etc/snortsp_alert
cp -R /etc/nsm/sensor1/* .
mv snort.conf snort_orig.conf
sspiffy.sh /usr/local -c snort_orig.conf -i eth0
sed -i 's|type="file"|type="pcap"|g' snort.lua
grep -v "sameip" rules/bad-traffic.rules > rules/bad-traffic.rules.2
rm -f rules/bad-traffic.rules
mv rules/bad-traffic.rules.2 rules/bad-traffic.rules
snortsp -C -L snort.lua
##########################

Snort 3.0 is now capturing packets on eth0 and analyzing them. Let's verify that now.

Launch the Sguil client by opening a new terminal and typing the following:

##########################
sguil.tk
##########################

When prompted, login to Sguil using the default credentials:
Username: sguil
Password: password

Next, create some alerts by opening a browser and going to:
http://www.testmyids.com

Finally, go into the Sguil console and you should see two new alerts:


This demonstrates that SnortSP is capturing packets, analyzing them with the Snort 2.8.2 Detection Engine, and outputting in unified2 format, which is then read by Barnyard2 and inserted into the Sguil database.

When finished, return to your SnortSP window and press ctrl-c to terminate the SnortSP process. Then type "nsm --all --stop" to terminate all NSMnow processes.

Installing Snort 3.0 (SnortSP) Beta 3 on Ubuntu 8.04 in 3 Steps

Snort 3.0 Beta 3 was released on April 1. You can read an overview of the changes in Snort 3.0 Beta 3 in the mailing list announcement. For more details on the underlying architectural changes in Beta 3, see Marty Roesch's blog. Thanks to Marty and the rest of the Snort 3 Development Team for their hard work in this release!

Installing Snort 3.0 Beta 3 on Ubuntu 8.04 is almost identical to installing Snort 3.0 Beta 2 on Ubuntu 8.04. However, I did have an issue with the Snort 2.8 Detection Engine not compiling correctly. This turned out to be libtool not liking the fact that /bin/sh was symlinked to /bin/dash instead of /bin/bash. The one-line fix was:

rm /bin/sh && ln -s /bin/bash /bin/sh

(Special thanks to Russ Combs of the SnortSP development team for his assistance with this issue.)

Here's the complete install recipe that worked for me:

Step 1: Get root privileges

##########################
sudo -i
##########################

Step 2: Install dependencies

##########################
aptitude update
aptitude -y install build-essential \
libdumbnet1 libdumbnet-dev \
uuid uuid-dev \
libncurses5 libncurses5-dev \
libreadline5 libreadline5-dev \
libpcap0.8 libpcap0.8-dev \
libpcre3 libpcre3-dev \
liblua5.1-0 liblua5.1-0-dev \
flex bison
##########################

Step 3: Download, compile, and install Snort 3.0 Beta 3

##########################
rm /bin/sh && ln -s /bin/bash /bin/sh
cd /usr/local/src/
wget http://dl.snort.org/snortsp/\
snortsp-3.0.0b3.tar.gz
tar zxvf snortsp-3.0.0b3.tar.gz
cd snortsp-3.0.0b3/
./configure
make
make install
mkdir /etc/snortsp/
cp etc/* /etc/snortsp/
cd src/analysis/snort/
./configure \
--with-platform-includes=/usr/local/include \
--with-platform-libraries=/usr/local/lib
make
make install
ldconfig
##########################

Snort 3.0 (SnortSP) Inline Bridging Mode in 3 Steps

One of the many interesting new features in Snort 3.0 (SnortSP) is the ability to run in inline bridging mode.

Step 1: Add a new function to your snort.lua file
If you followed my previous SnortSP Installation HOWTO, then the default snort.lua file is in /etc/SnortSP/snort.lua. Open the file and add the following function:

function bridge(interface1, interface2)
if interface1 == nil then
error("Two interfaces must be specified ( e.g. bridge(\"eth0\", \"eth1\") )")
end
if interface2 == nil then
error("Two interfaces must be specified ( e.g. bridge(\"eth0\", \"eth1\") )")
end
dsrc2 = {name="src2",
type="afpacket",
intf=interface1..":"..interface2,
flags=10,
snaplen=1518,
maxflows=262144,
maxidle=300,
flow_memcap=10000000}
dsrc.new(dsrc2)
eng.new("e2")
eng.link({engine="e2", source="src2"})
eng.start("e2")
end

Step 2: Start SnortSP
Start SnortSP using the following command:

sudo snortsp -L /etc/SnortSP/snort.lua

SnortSP will start up and read your new snort.lua file. You will then be greeted by the SnortSP Lua shell.

Step 3: Use the bridge() function
In the Lua shell, type the following (replacing eth0 and eth1 with the correct interfaces on your system):

bridge("eth0", "eth1")

Once the bridge is up and running, you can do the following to display packets traversing the bridge:

eng.set_display({engine="e2", display="none"})
Press the Up arrow and change "none" to "classic".
View the output.
Press the Up arrow twice to retrieve the "none" command and press Enter.

When finished, shut down SnortSP by running the following command:

ssp.shutdown()

Note that there is a bug in the SnortSP README file (and/or the SnortSP afpacket DAQ itself). The README file suggests the following:

      dsrc1 = {name="src",
             type="afpacket",
             intf="eth2:eth3",
             flags=10,
             snaplen=0,
             maxflows=262144,
             maxidle=300,
             flow_memcap=10000000}
    dsrc.new(dsrc1)

Setting snaplen to 0 and passing traffic through the bridge results in segmentation fault. Per the SnortSP developers, this value should be set to 1518 for normal ethernet operation. Thanks to the SnortSP developers for their assistance with this issue.

Integrating Snort 3.0 (SnortSP) and Sguil in 3 Steps

So once you have Snort 3.0 installed, what can you do with it? One thing you can do with it (and the one that most people are interested in) is to configure it for IDS mode. The Snort 3.0 architecture includes the Snort 2.8.2 Detection Engine, so we'll have the Snort Security Platform (SnortSP) capturing packets and handing them off to Snort 2.8.2 for analysis and alerting.

The best open source tool to manage Snort alerts is Sguil and the easiest way to install Sguil is using NSMnow. NSMnow automatically installs and configures barnyard2 (compatible with SnortSP's unfied2 format), sancp, Sguil, and Snort 2.x. We're going to replace NSMnow's snort alert process with Snort 3.0.

This quick recipe assumes that you're running on Ubuntu 8.04 and your primary network interface is eth0. You should be able to copy/paste each of the three code blocks into your terminal.

Obligatory disclaimer: I offer no warranty of any kind. If this breaks your box, you get to keep both pieces.

Step 1: Get root privileges

##########################
sudo -i
##########################

Step 2: Install NSMnow

##########################
mkdir /usr/local/src/NSMnow
cd /usr/local/src/NSMnow
wget http://www.securixlive.com/download/nsmnow/NSMnow-1.3.4.tar.gz
tar zxvf NSMnow-1.3.4.tar.gz
./NSMnow -i -y
##########################

Step 3: Configure NSMnow and SnortSP and start

##########################
if ! grep "/nsm/server_data/server1/load" /etc/apparmor.d/usr.sbin.mysqld > /dev/null
then
sed -i 's|}| /nsm/server_data/server1/load/* r,|g' /etc/apparmor.d/usr.sbin.mysqld
echo "}" >> /etc/apparmor.d/usr.sbin.mysqld
fi
/etc/init.d/apparmor restart
/usr/local/sbin/nsm --server --start
/usr/local/sbin/nsm_sensor_ps-start --skip-snort-alert
mkdir /etc/snortsp_alert
cd /etc/snortsp_alert
cp -R /etc/nsm/sensor1/* .
mv snort.conf snort_orig.conf
sspiffy.sh /usr/local -c snort_orig.conf -i eth0
grep -v "sameip" rules/bad-traffic.rules > rules/bad-traffic.rules.2
rm -f rules/bad-traffic.rules
mv rules/bad-traffic.rules.2 rules/bad-traffic.rules
snortsp -C -L snort.lua
##########################

Snort 3.0 is now capturing packets on eth0 and analyzing them. Let's verify that now.

Launch the Sguil client by opening a new terminal and typing the following:

##########################
sguil.tk
##########################

When prompted, login to Sguil using the default credentials:
Username: sguil
Password: password

Next, create some alerts by opening a browser and going to:
http://www.testmyids.com

Finally, go into the Sguil console and you should see two new alerts:


This demonstrates that SnortSP is capturing packets, analyzing them with the Snort 2.8.2 Detection Engine, and outputting in unified2 format, which is then read by Barnyard2 and inserted into the Sguil database.

When finished, return to your SnortSP window and press ctrl-c to terminate the SnortSP process. Then type "nsm --all --stop" to terminate all NSMnow processes.

Installing Snort 3.0 (SnortSP) on Ubuntu in 3 Steps

Here's a really quick recipe for installing the Snort 3.0 Architecture on Ubuntu 8.04. Note that the Snort 3.0 Architecture consists of the SnortSP framework and the Snort 2.8.2 Detection Engine. You should be able to open a terminal and then copy/paste each of the three blocks of commands.

Step 1: Get root privileges

##########################
sudo -i
##########################

Step 2: Install dependencies

##########################
aptitude update
aptitude -y install build-essential \
libdumbnet1 libdumbnet-dev \
uuid uuid-dev \
libncurses5 libncurses5-dev \
libreadline5 libreadline5-dev \
libpcap0.8 libpcap0.8-dev \
libpcre3 libpcre3-dev \
liblua5.1-0 liblua5.1-0-dev \
flex bison
##########################

Step 3: Download, compile, and install the Snort 3.0 Architecture

##########################
cd /usr/local/src/
wget http://www.snort.org/dl/prerelease\
/3.0.0-b2/snortsp-3.0.0b2.tar.gz
tar zxvf snortsp-3.0.0b2.tar.gz
cd snortsp-3.0.0b2/
./configure
make
make install
mkdir /etc/SnortSP/
cp etc/* /etc/SnortSP/
cd src/analysis/snort/
./configure \
--with-platform-includes=/usr/local/include/snortsp \
--with-platform-libraries=/usr/local/lib
make
make install
ldconfig
##########################

Future posts will cover where to go from here.