Monday, November 15, 2010

SANS 401 Security Essentials mentored by Doug Burks in Augusta GA

I'll be mentoring SANS 401 Security Essentials in Augusta, GA on Thursday nights starting March 3, 2011. ISSA members are eligible for a 25% discount!

SANS 401 Security Essentials mentored by Doug Burks in Augusta GA

Why should you take SANS 401 Security Essentials?


* Considering the SANS Cyber Guardian program, SANS GSE (GIAC Security Expert) certification, or a Masters degree from the SANS Technical Institute? SANS 401 Security Essentials is required for each of these.


* Complement your CISSP. If you've already taken the CISSP, SANS 401 Security Essentials is the perfect technical complement. It takes all the theory that you learned at a high level for the CISSP and applies it in a very practical and updated manner. SANS 401 is "where the rubber meets the road".

* Are you a Systems Administrator or Network Engineer who would like to learn more about security? This course gives a very thorough overview of security theory and practice. Additionally, the tools and techniques that you learn in this class are directly applicable to your current job (and will prepare you for the future).

* Augment your Windows/Linux skills. Highly experienced with Windows, but not so much with Linux? Or the other way around? SANS 401 Security Essentials dedicates an entire section to Windows security and another entire section to Linux security.


These are just a few reasons to register for SANS 401 Security Essentials. For more information, please see:

SANS 401 Security Essentials mentored by Doug Burks in Augusta GA

Don't forget that ISSA members are eligible for a 25% discount! If you would like to register for the ISSA and/or SANS 401, please let me know and I'll be glad to help!

Wednesday, November 3, 2010

Security Onion: Intrusion Detection for your Network in Minutes


Thanks to all those who came out to the Security Onion presentation! For those who were unable to attend, I've made the slides available here:
https://docs.google.com/present/edit?id=0ATQ65xrcMwNEZGZxMmp0ZnNfMTNnc3JzanpkYw&hl=en
Please let me know if you have any questions or problems. I welcome any and all feedback!

Friday, October 29, 2010

Security Onion: Setup Script

Just a quick note that there is a bug in the setup script in the current version of Security Onion. If you double-click the Setup desktop shortcut (or run "setup" from a non-root user account) AND try to update rules, one of the commands will fail and the snort.rules file will be empty. All other functions in the setup script work fine so if you're not using it to update rules, you will never experience this issue.

The next release of Security Onion will have the Setup desktop shortcut configured to run the script using sudo. In the meantime, you can open a terminal and execute "sudo setup" to obtain the necessary privileges and run the script without errors.

For more information, please see the following email thread in the Security Onion mailing list:

Tuesday, October 19, 2010

Decoding Javascript Hex Encoding

Suppose that a web page has some Javascript that contains some hex encoding like this:
\x74\x65\x73\x74\x69\x6e\x67\x20\x31\x20\x32\x20\x33\x0a
How can we decode this on the command line? TIMTOWTDI, but here's one possible solution:
echo "\x74\x65\x73\x74\x69\x6e\x67\x20\x31\x20\x32\x20\x33\x0a" |sed 's|\\x| |g' |xxd -r -p

This gives us the answer:
testing 1 2 3

So how does it work? "xxd -r -p" converts from hex to ASCII, but it's expecting the hex digits to be space delimited. So we use sed to replace each instance of "\x" with a single space. Note that we have to escape the backslash, hence the "\\x".

NOTE: If you don't already have the xxd utility installed, it can be found in the vim-common package in most Linux distributions.
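As an added example (not part of the original post), here is a small Python decoder for the same kind of string. It goes a step beyond the sed/xxd one-liner: it keeps any literal characters that sit between escapes, handles \uHHHH as well as \xHH, and can sweep a whole script body for suspicious runs of escapes. The script snippet and the minimum run length of four escapes are constructed for the example.

```python
import re

# One JavaScript escape: \xHH (code points 0-255) or \uHHHH (one UTF-16 unit).
ESCAPE_RE = re.compile(r"\\x([0-9A-Fa-f]{2})|\\u([0-9A-Fa-f]{4})")


def decode_js_escapes(text):
    """Replace every \\xHH / \\uHHHH escape in text with the character it names.

    JavaScript defines \\xHH as the code point 0xHH, so chr() yields the same
    character the browser would see. Literal characters between escapes are
    kept as they are, so mixed input such as ab\\x63 decodes to abc; the
    sed/xxd pipeline cannot do that, because xxd would try to read the literal
    text as hex digits. Surrogate pairs written as two \\u escapes are not
    joined; that is rare in obfuscated strings and easy to add if needed.
    """
    def one_escape(m):
        hexdigits = m.group(1) or m.group(2)
        return chr(int(hexdigits, 16))
    return ESCAPE_RE.sub(one_escape, text)


def find_encoded_runs(script, min_escapes=4):
    """Find runs of at least min_escapes consecutive escapes in a script body.

    Returns (raw_run, decoded_text) pairs in file order. Short runs are
    skipped because legitimate code often contains a lone \\x00 or \\u00a0;
    the threshold is an assumption for this example, tune it for your data.
    """
    run_re = re.compile(r"(?:\\x[0-9A-Fa-f]{2}|\\u[0-9A-Fa-f]{4}){%d,}" % min_escapes)
    return [(m.group(0), decode_js_escapes(m.group(0))) for m in run_re.finditer(script)]


# Constructed sample: the string from the post, a plain string, and a \u-encoded one.
SAMPLE_SCRIPT = "\n".join([
    r'var a = "\x74\x65\x73\x74\x69\x6e\x67\x20\x31\x20\x32\x20\x33\x0a";',
    r'var b = "plain text, nothing encoded";',
    r'document.write("\u0068\u0065\u006c\u006c\u006f");',
])


if __name__ == "__main__":
    for raw, decoded in find_encoded_runs(SAMPLE_SCRIPT):
        print("%s -> %r" % (raw, decoded))
```

Run it as a script to see each encoded run next to its decoded text, or import it and call find_encoded_runs() on the contents of a saved page when triaging a suspicious site.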

Sunday, October 17, 2010

CISSP Resources: Cryptography

My SANS MGT414 CISSP class is about to study the Cryptography domain. An excellent resource that I recommend to anybody learning about Cryptography is Cryptool:
"CrypTool is a free, open-source e-learning application, used worldwide in the implementation and analysis of cryptographic algorithms. It supports both contemporary teaching methods at schools and universities as well as awareness training for employees and civil servants."
-- http://www.cryptool.com/
Cryptool lets you see and interact with several different cryptographic methods, which reinforces the theory that we learn in the textbooks.

Download Cryptool from:

Saturday, October 16, 2010

SSL Decryption using Tshark

Mark Baggett and I learned a few things this week about using tshark to decrypt SSL. Mark posted our lessons learned here:

Wednesday, October 13, 2010

CISSP Resources

I'm mentoring SANS MGT414 Training Program for CISSP right now. Here are some additional resources for students studying for the CISSP.

CISSP All-in-One Exam Guide by Shon Harris:

Official (ISC)2 Guide to the CISSP CBK by Harold Tipton:

CISSP Study Guide by Eric Conrad and Seth Misenar (both SANS Instructors):

Eric Conrad has a sample chapter of his Study Guide available on his website:

He also has 500 free CISSP questions:

More sample questions and forums:

Congratulations to the latest SANS GSEs!

Vishal Hariprasad

If you are considering the SANS GSE, I highly recommend that you pursue it. It is a challenging but fun exam and it definitely gives you the opportunity to showcase your skills.

For more information about the SANS GSE, please see:

Tuesday, October 12, 2010

Security Onion Live: 20101010 Edition!

Security Onion Live 20101010 is now available! Thanks to Matt Jonkman and Emerging Threats for hosting! You can download the ISO here:

If you have any problems or would like to request new features, please submit an issue here:
http://code.google.com/p/security-onion/issues/list

What is it?
The Security Onion LiveDVD is a bootable DVD that contains software used for installing, configuring, and testing Intrusion Detection Systems.

What software does it contain?
The Security Onion LiveDVD is based on Xubuntu 10.04 and contains Snort, Suricata, Sguil, Xplico, nmap, scapy, hping, netcat, tcpreplay, and many other security tools.

What can it be used for?
* The Security Onion LiveDVD can be used for Intrusion Detection. The Snort and Sguil daemons are automatically started on boot, listening on eth0 for any suspicious traffic and creating alerts in the Sguil database. Simply double-click the Sguil desktop shortcut to launch the GUI and view/investigate the alerts.
* The Security Onion LiveDVD can be used to test an Intrusion Detection System. Simply boot the DVD and use the included tools (such as nmap, scapy, hping, metasploit, and others) to test your existing IDS or to test the included Snort and Suricata IDS/IPS engines.
* The Security Onion LiveDVD can be used to install an Intrusion Detection System. Simply boot the DVD and double-click the Install desktop shortcut. For more information about installation, please see the "Installing to Hard Drive" section below.

System Requirements
512MB RAM is a minimum. 1GB or more is recommended.

Sguil
Here are the credentials to login to Sguil:
Username: sguil
Password: password

NOTE! It's "sguil" with a 'g', NOT a 'q'!

Disclaimer of Warranty
THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.

Limitation of Liability
IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Installing to Hard Drive
You can use the Install shortcut on the Desktop to install Security Onion to your hard drive. Once you've completed the installation process and have rebooted into your new installation, you will want to:
* Install any available Ubuntu updates.
* Run the Setup desktop shortcut to:
-Specify your HOME_NET variable.
-Download the latest rules from ET and, optionally, VRT.
-Choose between Snort and Suricata as your IDS engine.

Extra Packages installed from repositories
apache2.2-common argus-client argus-server autopsy bison bittwist build-essential chaosreader chkconfig chkrootkit cryptcat curl daemonlogger dcfldd ddrescue driftnet dsniff ettercap-gtk flawfinder flex foremost fwsnort ghex gpart gparted hping3 httptunnel hunt ifenslave-2.6 iisemulator inundator iptraf john labrea lame lfhex libapache2-mod-php5 libcap-ng-dev libcrypt-ssleay-perl libdumbnet-dev liblua5.1-0-dev libncurses5 libncurses5-dev libnet1-dev libnetfilter-queue-dev libnetfilter-queue1 libnfnetlink-dev libnfnetlink0 libnids-dev libpcap-dev libpcre3-dev libreadline6-dev libsqlite3-ruby libssl-dev libyaml-dev md5deep mtr mysql-server netsed netsniff-ng ngrep nmap ntp oinkmaster ophcrack ostinato p0f php5-cli php5-common php5-sqlite pkg-config pbnj pscan ptunnel python-all python-dev python-scapy rats recode remastersys ruby scanmem sdd sleuthkit sniffit sox splint ssdeep ssldump sslsniff sqlite steghide subversion tcl8.3 tcpick tcpreplay tcpslice tcpstat tcpxtract tct testdisk traceroute tshark udptunnel unhide uuid uuid-dev xtightvncviewer xprobe yersinia zenmap zlib1g-dev

Extra Packages installed from other sources
Snort
Suricata
Vortex IDS
Bro IDS
ABCIP
Dumbpig
NSMnow (includes Sguil, Barnyard2, Sancp, etc)
Xplico

Download:

Sunday, October 10, 2010

Greater Augusta ISSA 2010 Q4 Public Meeting: Doug Burks presents "Security Onion: Intrusion Detection for your Network in Minutes"

Please join us at the Greater Augusta ISSA Q4 meeting on Thursday, October 28. This is our last public meeting of 2010! I will be presenting "Security Onion: Intrusion Detection for your Network in Minutes". Security Onion is a project that I've been working on for the past few years. Its goal is to provide a pre-configured Intrusion Detection environment that can be downloaded for free and put to use in your network in less than an hour. It's based on Xubuntu 10.04 and contains Snort, Suricata, Sguil, Xplico, Vortex IDS, Bro IDS, Chaosreader, driftnet, hping3, scapy, Wireshark, and many other tools. Come see what Security Onion can do for you!

What: The Greater Augusta ISSA 2010 Q4 Public meeting: Doug Burks presents "Security Onion: Intrusion Detection for your Network in Minutes"
How: This is a FREE public meeting. Please confirm your reservation by sending an email to reservations@augusta.issa.org
When: Thursday October 28 9:00 - 11:00 AM
Where:
University Hall room 242
Augusta State University
2500 Walton Way
Augusta, GA 30904
http://www.aug.edu/public_relations/pr_map_campus.htm

On the morning of the presentation, don't forget to swing by the ASU Public Safety office to get a visitor pass for the parking lot. The Public Safety office is in the back corner of the campus. You can see it at the bottom-left of this map:
http://www.aug.edu/public_relations/asumap/images/PARKINGMAP1008PR.jpg

Speaker Bio
Doug Burks has over 10 years of experience in Information Security. He has a Bachelor's degree in Computer Science and also holds the GSE, GPEN, GCIA Gold, GSEC, and CISSP certifications. Doug has worked in many organizations over the years, including government facilities, chemical plants, and the media industry. He excels at providing secure solutions for any environment using a budget of any size. Doug is the author of Security Onion Live (http://code.google.com/p/security-onion/ ), a free bootable DVD that contains many security tools. You can read more about Doug by visiting his blog at http://securityonion.blogspot.com/.

Thursday, August 12, 2010

Suggestions for next version of Security Onion LiveCD

I'm currently working on building the next version of the Security Onion LiveCD. It will be based on a fully-updated Xubuntu 10.04 and will have all the tools that were in previous versions with one exception: Snort 3.0 (SnortSP) currently does not compile on Ubuntu 10.04. However, the new Suricata IDS/IPS engine does compile so it will be taking the place of SnortSP. You'll be able to choose between the current production version of Snort (2.8.6.1) or Suricata. Regardless of which IDS engine you choose, your alerts will be available for analysis in Sguil.

We've been nearing the limit of a 700MB CD image for some time, so we will be switching to a DVD image to allow for more software. What suggestions do you have for the new version of the Security Onion LiveCD? Please leave a comment here or add your suggestion at the Security Onion Issue Tracker. Thanks!


Monday, July 26, 2010

SANS MGT414: SANS(R) +S™ Training Program for the CISSP(R) Certification Exam in Augusta starts 10/12

Have you ever considered pursuing the CISSP certification? It *can* be intimidating, but SANS and the Greater Augusta ISSA are here to help!

"Over the past 4 years, 98% of all respondents, who studied our SANS® +S™ Training Program for the CISSP® Certification Exam and then took the exam passed; compared to a national average of around 70% for other prep courses. SANS® +S™ Training Program for the CISSP® Certification Exam is designed to prepare you to pass the exam. This course is an accelerated review course that assumes the student has a basic understanding of networks and operating systems and focuses solely on the ten domains of knowledge as determined by ISC2. Each domain of knowledge is dissected into its critical components. Every component is discussed showing its relationship to each other and other areas of network security. After completion of the course the student will have a good working knowledge of the ten domains of knowledge.
Who Should Attend
-Security professionals who are interested in understanding the concepts covered in the CISSP® exam as determined by (ISC)2
-Managers who want to understand the critical areas of network security
-System, security, and network administrators who want to understand the pragmatic applications of the CISSP® 10 Domains
-Security professionals and managers looking for practical ways the 10 domains of knowledge can be applied to the current job
-In short, if you desire a CISSP® or your job requires it, MGT414 is the training for you"

If you work for Department of Defense (or would like to), please reference the 8570 matrix to see what the CISSP certification qualifies you for:

I will be mentoring SANS MGT414 SANS® +S™ Training Program for the CISSP® Certification Exam in Augusta starting Tuesday, October 12. Class will be held at Augusta State University starting Tuesday, October 12, 2010 and ending Thursday, November 11, 2010. The registration deadline is Tuesday, October 5.

For more information about the course, please see:

Please note that the Greater Augusta ISSA and SANS have come up with a special arrangement to include the CISSP Exam voucher in the price of the course! Also, a 25% discount is available for ISSA members! Even if you're not currently an ISSA member, you can join today for only $120 to obtain the 25% discount (which will save you over $700).

Greater Augusta ISSA 2010 Q3 Public Meeting: Rob Lee presents the Mandiant M-Trends Report on APT (Advanced Persistent Threat)

The Greater Augusta ISSA is extremely excited to welcome Rob Lee this quarter! Rob Lee is the Curriculum Lead for Digital Forensic Training at the SANS Institute and is also a Director in MANDIANT’s Professional Services group. Please join us for this educational training opportunity.

What: The Greater Augusta ISSA 2010 Q3 Public meeting: Rob Lee presents the Mandiant M-Trends Report on APT (Advanced Persistent Threat)
How: This is a FREE public meeting. Please confirm your reservation by sending an email to reservations@augusta.issa.org
When: Thursday August 12 9:00 AM - 11:00 AM
Where:
University Hall Room UH-170
Augusta State University
2500 Walton Way
Augusta, GA 30904
http://www.aug.edu/public_relations/pr_map_campus.htm

On the morning of the presentation, don't forget to swing by the ASU Public Safety office to get a visitor pass for the parking lot. The Public Safety office is in the back corner of the campus. You can see it at the bottom-left of this map:
http://www.aug.edu/public_relations/asumap/images/PARKINGMAP1008PR.jpg

State of the Hack: M-Trends: The Advanced Persistent Threat
In early 2010, MANDIANT released its inaugural M-Trends report. This first report focused on our years of experience responding to computer security incidents perpetrated by the Advanced Persistent Threat (APT). The "straight from the battlefield" presentation provides case studies detailing the most recent computer security incidents MANDIANT has responded to involving the APT. During this presentation we detail the main points of the report through anonymous, in-depth case studies of attacks against commercial, government, and defense industrial base organizations. We demonstrate how the attackers gain access, how they behave once inside the victim network and the impact on the organizations. And, because understanding the problem is only half the battle, we wrap up with remediation recommendations that really work.

Robert Lee
Rob Lee is a Director in MANDIANT’s Professional Services group. Mr. Lee has more than 14 years of experience in computer forensics, vulnerability and exploit discovery, intrusion detection/prevention, and incident response. He served in the U.S. Air Force as a founding member of the 609th Information Warfare Squadron, the first U.S. military operational unit focused on information operations. Later, he was a member of the Air Force Office of Special Investigations where he conducted computer crime investigations, incident response, and computer forensics. Prior to joining MANDIANT, Mr. Lee worked directly with a variety of government agencies in the law enforcement, U.S. Department of Defense, and intelligence communities as the technical lead for a vulnerability discovery and exploit development team, lead for a cyber forensics branch, and lead for a computer forensic and security software development team. A graduate of the U.S. Air Force Academy, Mr. Lee also holds a Masters in Business Administration from Georgetown University. In 2009 he was awarded the Digital Forensic Examiner of the Year from the Forensic 4Cast Awards. Mr. Lee is co-author of the bestselling book Know Your Enemy, (2nd Edition). He is also a co-author of MANDIANT’s Threat intelligence report - M-Trends: The Advanced Persistent Threat.

Friday, June 18, 2010

SANS 560 Network Penetration Testing and Ethical Hacking -- Free Preview!

The Greater Augusta ISSA will present a 2-hour preview of the upcoming SANS 560 Mentor class on Thursday, July 15th. Please join us for a FREE preview of this exciting class!

What: The Greater Augusta ISSA presents a SANS 560 Preview
How: This is a FREE public meeting. Please confirm your reservation by sending an email to reservations@augusta.issa.org
When: Thursday, July 15 9:00 AM - 11:00 AM
Where:
Augusta State University
2500 Walton Way
Augusta, GA 30904
Allgood Hall E-258
Please click here for directions to campus:
http://www.aug.edu/public_relations/pr_map_campus.htm

On the morning of the presentation, don't forget to swing by the ASU Public Safety office to get a visitor pass for the parking lot. The Public Safety office is in the back corner of the campus. You can see it at the bottom-left of this map:
http://www.aug.edu/public_relations/asumap/images/PARKINGMAP1008PR.jpg

Friday, May 28, 2010

SANS 560 Network Penetration Testing and Ethical Hacking in Augusta starts 8/17

I will be mentoring SANS 560 Network Penetration Testing and Ethical Hacking in Augusta starting Tuesday, August 17. Typical SANS Mentor sessions are one night a week for 10 weeks, but this class will meet twice a week (Tuesdays and Thursdays), so we'll complete the course in only 5 weeks.

Who should take this course?
  • Do you perform penetration testing?
  • Do you procure penetration testing?
  • Do you manage penetration testers?
  • Did you take SANS 504 and really enjoy the Hacker Techniques portion?
  • Do you want to know more about how the bad guys perform recon, scan for vulnerabilities, perform exploitation, gain command execution, and then pivot further into the target environment?
If you answered yes to any of these questions, then you need this class!

For more information about the course, please see:

A 25% discount is available for ISSA members! Even if you're not currently an ISSA member, you can join today for only $120 to obtain the 25% discount (which will save you over $700).

To join the ISSA and/or register for SANS 560, please contact me.




Monday, April 19, 2010

Grepping an Active Log File and Mailing Matches

Recently, I had a need to be alerted by email each and every time a certain user logged in. After a few false starts, I eventually settled on something like this (sanitized and simplified for this blog):
tail -n0 -f /var/log/secure | grep --line-buffered "user" | while read -r line; do echo "$line" | mail myemail@example.com -s "Found"; done
We use the standard "tail -f" to follow the /var/log/secure file. The "-n0" option is used so that tail will start 0 lines from the end of the file. We only care about new entries in the file, so we start at the very end of the file, ignoring any existing entries.

Next, we pipe that to grep, looking for the username "user". The "--line-buffered" option is used to force grep to flush each and every line of output (instead of waiting for its default buffer to fill). Per the man page, this option can be a performance penalty, but this is not a concern in this scenario.

Then, we pipe that to a while loop that iterates over each line. For each line of output, we generate an email with a subject of "Found" and include what was found in the body of the email.

This solution works quite nicely and can very easily be extended in the following ways:
  • adding multiple grep criteria
  • modifying format of log entry to be emailed
  • changing final action from email to something else (like adding an IPTables drop rule)
Enjoy!
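As an added example (not from the original post), here is the same tail/grep/action pipeline written in Python, so that each extension point listed above is a function you can swap out: the match criteria, the format of the notification, and the final action. The log lines, the watched username "user" and the use of a temporary file in demo() are constructed for the example; the regex is tighter than a bare grep for "user", which would also fire on the pam "session opened for user user" line.

```python
import os
import re
import tempfile
import time

# Constructed sample of /var/log/secure-style sshd entries (not real data).
SAMPLE_LOG = "\n".join([
    "Apr 19 10:01:02 host sshd[2201]: Accepted password for user from 10.0.0.5 port 51022 ssh2",
    "Apr 19 10:01:03 host sshd[2201]: pam_unix(sshd:session): session opened for user user by (uid=0)",
    "Apr 19 10:02:10 host sshd[2250]: Failed password for invalid user admin from 10.0.0.9 port 40011 ssh2",
    "Apr 19 10:03:44 host sshd[2260]: Accepted publickey for alice from 10.0.0.7 port 51030 ssh2",
]) + "\n"

# A successful sshd login. Anchoring on "Accepted <method> for <user> from"
# avoids the false positives a substring grep for "user" produces.
LOGIN_RE = re.compile(r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+)")


def read_new_lines(fh):
    """Return the complete lines written since the last call.

    A trailing line without its newline is a write still in progress; it is
    left in the file for the next call so a half-written entry is never
    matched. This is the buffering concern --line-buffered addresses on the
    grep side of the shell pipeline.
    """
    lines = []
    while True:
        pos = fh.tell()
        line = fh.readline()
        if not line:
            break
        if not line.endswith("\n"):
            fh.seek(pos)
            break
        lines.append(line.rstrip("\n"))
    return lines


def match_logins(lines, watched_users):
    """Return one alert dict per successful login by a watched user (the grep stage)."""
    alerts = []
    for line in lines:
        m = LOGIN_RE.search(line)
        if m and m.group("user") in watched_users:
            alerts.append({"user": m.group("user"), "src": m.group("src"),
                           "method": m.group("method"), "raw": line})
    return alerts


def format_alert(alert):
    """Body text for the notification (the 'modify format of log entry' extension)."""
    return "Login by %(user)s from %(src)s (%(method)s)" % alert


def follow(path, watched_users, action, poll_interval=1.0):
    """Python equivalent of: tail -n0 -f path | grep --line-buffered ... | while read.

    Starts at the end of the file (tail -n0) and calls action(alert) for each
    later match; action could send mail, add a firewall rule, and so on.
    """
    with open(path) as fh:
        fh.seek(0, os.SEEK_END)
        while True:
            for alert in match_logins(read_new_lines(fh), watched_users):
                action(alert)
            time.sleep(poll_interval)


def demo():
    """Self-check on a constructed log file; returns the alert texts produced."""
    with tempfile.NamedTemporaryFile("w", suffix=".log", delete=False) as tmp:
        # Pre-existing entry: must be ignored, exactly as tail -n0 ignores it.
        tmp.write("Apr 19 09:59:59 host sshd[2100]: Accepted password for user from 10.0.0.2 port 50000 ssh2\n")
        path = tmp.name
    try:
        with open(path) as fh:
            fh.seek(0, os.SEEK_END)
            with open(path, "a") as writer:
                writer.write(SAMPLE_LOG)
                # Partial line: a write in progress, must not be consumed yet.
                writer.write("Apr 19 10:05:00 host sshd[2300]: Accepted password for user")
            return [format_alert(a) for a in match_logins(read_new_lines(fh), {"user"})]
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print("\n".join(demo()))
```

One caveat that applies to both the shell version and follow(): `tail -f` (and this code) keeps reading the original inode, so after logrotate moves the file you silently stop seeing new entries; `tail -F` reopens the file by name, and a long-running Python watcher should do the same check.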

Thursday, April 8, 2010

Keep All Your Windows Software Updated with Secunia PSI

These days, it's imperative to keep all your software updated. Not only is it extremely important that you update your Microsoft software, but all third-party software must be kept updated as well (Adobe Reader and Flash, for example). You could open each application and look for its "Check for Updates" menu entry, but this can be time consuming. This method of updating may also miss some software. For example, you may have multiple installations of the Java JRE on your system in different locations. Many Java applications bundle their own JRE in their own directory and never update it.

What to do?

Secunia PSI (Personal Software Inspector) scans all files on your Windows system and, using Secunia's database of fingerprints, is able to determine the software versions installed on your system (including the multiple installations of Java in the example above). It then makes recommendations for any vulnerable software, including links to download the patched version of the software or to uninstall the program. I recommend switching from the default "simple" interface to the "advanced" interface to see all vulnerabilities on your system.

I've been using Secunia PSI on my personal systems for a few months now. It has saved me a lot of time in trying to keep track of all the different software versions on my systems. It also comes in quite handy when performing tech support for relatives--just install Secunia PSI and let it tell you what exactly needs to be updated.

Secunia PSI is free for personal use and I wholeheartedly recommend you try it today and see what vulnerabilities it finds on your system.

Tuesday, February 9, 2010

Defense in Depth using OSSEC and other free tools

Russ McRee wrote an excellent article about OSSEC for the October 2009 issue of ISSA Journal. (Disclaimer: I contributed to the article.) He then went into some further detail on his blog.

In a recent SANS 401 Mentor session, I used OSSEC in my demo of building a secure webserver using defense-in-depth principles. My rough notes can be found below. All software is freely available and the whole process can be done in under an hour (depending on the speed of your Internet connection). Once completed, OSSEC will be monitoring all system logs (SSH, Apache, mod_security, iptables, Wordpress) and optionally providing Active Response, blocking attackers' source IP addresses.

# Go to http://isoredirect.centos.org/centos/5/isos/i386/, pick a mirror, and then download CentOS-5.4-i386-bin-1of6.iso (you'll only need CD #1)
# Boot a virtual machine from the ISO image -OR- burn the ISO to CD and boot a physical machine from it
# Only install what's absolutely necessary - perform a "Base" install of CentOS 5.4
# Reboot (and remove the CentOS CD)

# When "Setup Agent" appears, select "Firewall Configuration".
# SELinux is in Enforcing mode by default -- leave it that way!
# Go to Customize and allow SSH and HTTP in firewall

# Login as root with the password you specified in the installer
# Install all updates and reboot the machine:
yum -y update && reboot

# Add EPEL repo so that we can install mod_security, alpine, and wordpress
rpm -Uvh http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-3.noarch.rpm

# Configure EPEL repo to only update mod_security, lua, alpine, and wordpress packages
vi /etc/yum.repos.d/epel.repo
# add this line in the [epel] section:
includepkgs=mod_security* lua* alpine* wordpress*
# Exit vi by pressing Esc and then typing :wq

# Install blog, web server, and database
yum -y install alpine wordpress mysql-server

# Set services to start on boot and start them now
for i in httpd mysqld
do
chkconfig $i on
service $i start
done

# Secure the database
/usr/bin/mysql_secure_installation
# Follow the prompts and create a new MySQL root password

# Start the MySQL command-line client
mysql -p
# Enter the MySQL root password you just created
# Create a database and user and give user all privileges to DB
create database w0rdpressDB;
grant all privileges on w0rdpressDB.* to w0rdpressUser@localhost identified by 'MyReallyReallyStrongPassphrase';
flush privileges;
exit

# Configure Wordpress to use the database and user we just created
sed -i 's|putyourdbnamehere|w0rdpressDB|g' /etc/wordpress/wp-config.php
sed -i 's|usernamehere|w0rdpressUser|g' /etc/wordpress/wp-config.php
sed -i 's|yourpasswordhere|MyReallyReallyStrongPassphrase|g' /etc/wordpress/wp-config.php

# Finish Wordpress configuration by pointing a browser to:
# http://ip.of.centos.vm/wordpress
# Enter a Blog Title
# Enter "root@localhost.localdomain" (without the quotes) as your email address
# Click "Install Wordpress"
# Login using the randomly generated password
# Once logged in, change your password
# Look at logs in /var/log/httpd/
tail access_log
tail error_log
# Check email with alpine to see Welcome email from Wordpress
alpine

# At this point, we've got a basic Wordpress web server.
# Now let's add some layers of instrumentation to augment our defense-in-depth.

# Configure Wordpress to log to /var/log/messages using the WPsyslog2 plugin
cd /usr/share/wordpress/wp-content/plugins
wget http://www.ossec.net/files/other/wpsyslog2.tar.gz
tar zxvf wpsyslog2.tar.gz
# Wordpress admin interface --> activate WPsyslog2 plugin
# Test logging into Wordpress, creating/deleting posts, verify logging in /var/log/messages:
tail /var/log/messages

# Configure IPTables firewall to log any dropped packets to /var/log/messages
iptables -I RH-Firewall-1-INPUT 11 -j LOG --log-prefix="DROP "
service iptables save
tail -f /var/log/messages
# Launch an nmap scan from another host and watch the dropped packets being added to /var/log/messages

# WAF (Web Application Firewall)
yum -y install mod_security
# Configure WAF for extra logging
# Add the following lines to /etc/httpd/modsecurity.d/modsecurity_crs_10_config.conf
SecDataDir /tmp
SecAuditEngine on
SecAuditLog logs/modsec_audit.log

# Restart the web server to activate the mod_security module
service httpd restart
# Test WAF by accessing site by IP address instead of hostname
# Test WAF by trying to do an /etc/passwd attack
# Look at ModSecurity alerts in /var/log/httpd/modsec_audit.log
more /var/log/httpd/modsec_audit.log
# Look at rules in /etc/httpd/modsecurity.d/

# NIDS (Network Intrusion Detection System)
# Install Snort:
rpm -Uvh http://dl.snort.org/snort-current/snort-2.8.5.3-1.RH5.i386.rpm
# Install PulledPork for Snort rules management:
yum -y install perl-libwww-perl
cd /usr/local/src/
mkdir pulledpork && cd pulledpork
wget http://pulledpork.googlecode.com/files/pulledpork-0.3.4.tar.gz
tar zxvf pulledpork-0.3.4.tar.gz
cd pulledpork-0.3.4
# Edit the PulledPork configuration file using vi
vi pulledpork.conf
# and change the following configuration directives
oinkcode=InsertYourOinkcodeHere
tar_path=/bin/tar
rule_path=/etc/snort/rules/
sid_msg=/etc/snort/sid-msg.map
sid_changelog=/var/log/snort/sid_changes.log
#sorule_path=/usr/local/lib/snort_dynamicrules/
config_path=/etc/snort/snort.conf
distro=CentOS-5.0
# Exit vi
# Make pulledpork.pl executable
chmod +x pulledpork.pl
# Execute pulledpork.pl with the new configuration file
./pulledpork.pl -c pulledpork.conf
# Start Snort
service snortd start
# Test Snort with idswakeup and verify logs in /var/log/snort/

# HIDS (Host Intrusion Detection System)
yum -y install gcc
cd /usr/local/src/
mkdir ossec
wget http://www.ossec.net/files/ossec-hids-2.3.tar.gz
tar zxvf ossec-hids-2.3.tar.gz
cd ossec-hids-2.3
./install.sh
# Local installation
# Email to root@localhost
# Enable Active Response, add any IPs to whitelist that you don't want to ever block
# Configure HIDS to monitor WAF logs by editing ossec.conf using vi
vi /var/ossec/etc/ossec.conf
# and copying one of the existing localfile entries and setting:
# log_format to syslog
# location to /var/log/httpd/modsec_audit.log
# Exit vi by pressing Esc and then typing :wq
service ossec start
# Check root email using alpine
alpine
# Test HIDS alerting
# Test OSSEC Active Response using nmap, idswakeup, SSH brute force, Wordpress brute force
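One of the layers added above is the iptables LOG rule that writes every dropped packet to /var/log/messages with the prefix "DROP ". As an added example (not part of the original notes), the Python below parses those kernel log lines into fields and summarizes them per source address, flagging a source that hits many distinct ports as a suspected scan; this is the kind of check you would watch for when running the nmap test from another host, and the kind of rule OSSEC applies to the same file. The sample lines, the host name "web", the addresses and the five-port threshold are all constructed for the example.

```python
import re
from collections import defaultdict

LOG_PREFIX = "DROP "   # must match the --log-prefix given to iptables

# Syslog line from the kernel LOG target. Some kernels add a "[secs.usecs]"
# printk timestamp before the prefix, so that part is optional.
KERNEL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?:\[\s*\d+\.\d+\] )?"
    + re.escape(LOG_PREFIX) + r"(?P<fields>.*)$")

# Constructed sample of /var/log/messages during a port scan of the web server
# (fields abbreviated; these are not real captures). Note the unrelated sshd
# line and the mDNS chatter from a second host mixed in.
SAMPLE_MESSAGES = "\n".join([
    "Feb  9 14:01:01 web kernel: DROP IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:c0:00:08:08:00 SRC=192.168.1.50 DST=192.168.1.10 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=1 PROTO=TCP SPT=40001 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0",
    "Feb  9 14:01:01 web kernel: DROP IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.10 LEN=44 TTL=48 ID=2 PROTO=TCP SPT=40001 DPT=25 WINDOW=1024 RES=0x00 SYN URGP=0",
    "Feb  9 14:01:02 web kernel: DROP IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.10 LEN=44 TTL=48 ID=3 PROTO=TCP SPT=40001 DPT=135 WINDOW=1024 RES=0x00 SYN URGP=0",
    "Feb  9 14:01:02 web kernel: DROP IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.10 LEN=44 TTL=48 ID=4 PROTO=TCP SPT=40001 DPT=139 WINDOW=1024 RES=0x00 SYN URGP=0",
    "Feb  9 14:01:03 web kernel: DROP IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.10 LEN=44 TTL=48 ID=5 PROTO=TCP SPT=40001 DPT=445 WINDOW=1024 RES=0x00 SYN URGP=0",
    "Feb  9 14:01:05 web kernel: DROP IN=eth0 OUT= SRC=192.168.1.77 DST=224.0.0.251 LEN=40 TTL=255 ID=6 PROTO=UDP SPT=5353 DPT=5353 LEN=20",
    "Feb  9 14:01:06 web sshd[1200]: Accepted publickey for alice from 192.168.1.20 port 51000 ssh2",
    "Feb  9 14:01:07 web kernel: DROP IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.10 LEN=84 TTL=48 ID=7 PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1",
])


def parse_drop(line):
    """Parse one LOG-target line into a dict, or return None for any other line.

    KEY=VALUE tokens become dict entries (a repeated key such as the inner
    ICMP ID keeps the last value); bare tokens like SYN or DF go into 'flags'.
    """
    m = KERNEL_RE.match(line)
    if not m:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"), "flags": []}
    for tok in m.group("fields").split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            rec[key] = value
        else:
            rec["flags"].append(tok)
    return rec


def summarize(lines, scan_threshold=5):
    """Group dropped packets by source; flag sources touching many distinct ports."""
    per_src = defaultdict(lambda: {"packets": 0, "ports": set(), "protos": set()})
    for line in lines:
        rec = parse_drop(line)
        if rec is None or "SRC" not in rec:
            continue
        entry = per_src[rec["SRC"]]
        entry["packets"] += 1
        entry["protos"].add(rec.get("PROTO", "?"))
        if "DPT" in rec:
            entry["ports"].add(int(rec["DPT"]))
    report = {}
    for src, entry in per_src.items():
        report[src] = {
            "packets": entry["packets"],
            "distinct_ports": len(entry["ports"]),
            "protos": sorted(entry["protos"]),
            "suspected_scan": len(entry["ports"]) >= scan_threshold,
        }
    return report


if __name__ == "__main__":
    for src, info in sorted(summarize(SAMPLE_MESSAGES.splitlines()).items()):
        print(src, info)
```

Feed it the output of `tail -f /var/log/messages` for a live view, and tune scan_threshold to your environment: a single noisy host such as the mDNS source above should never trip it, while the nmap test from the notes should. The LOG rule only sees packets that reach it, which is why the notes insert it at a specific position in the chain, ahead of the rule that finally discards the packet.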

What else could we do for more defense in depth?
  • Suhosin (PHP Hardening)
  • GreenSQL (Database firewall)
  • Daemonlogger (full packet capture for forensics purposes)
  • Others?

Sunday, September 6, 2009

Install Sguil on Fedora/RHEL/CentOS using NSMnow

I've written about NSMnow a few times before and I'm a big fan. They already had at least partial support for Fedora and I suggested to the developers some changes that would allow them to also support RHEL/CentOS. The SecurixLive team has done an amazing job with NSMnow (and Barnyard2) and things just keep getting better!

You can read more at the SecurixLive site:
Install Sguil on Fedora/RHEL/CentOS using NSMnow

Tuesday, August 25, 2009

SANS 401 Mentor class coming to Augusta!

I'll be mentoring SANS 401 Security Essentials in Augusta, GA on Tuesday nights starting January 12, 2010. ISSA members are eligible for a 25% discount!

SANS 401 Security Essentials mentored by Doug Burks in Augusta GA

Why should you take SANS 401 Security Essentials?

* Are you a Systems Administrator or Network Engineer who would like to learn more about security? This course gives a very thorough overview of security theory and practice. Additionally, the tools and techniques that you learn in this class are directly applicable to your current job (and will prepare you for the future).

* DoD 8570 Compliance. If you work for the Department of Defense (or would like to), DoD Mandate 8570 requires security certification for any employee performing Information Assurance (security) work. The Security Essentials certification is among those required for 8570. For more information, please see the SANS 8570 page.

* Complement your CISSP. If you've already taken the CISSP, SANS 401 Security Essentials is the perfect technical complement. It takes all the theory that you learned at a high level for the CISSP and applies it in a very practical and updated manner. SANS 401 is "where the rubber meets the road".

* Augment your Windows/Linux skills. Highly experienced with Windows, but not so much with Linux? Or the other way around? SANS 401 Security Essentials dedicates an entire section to Windows security and another entire section to Linux security.

* Considering the SANS GSE (GIAC Security Expert) or SANS Masters program? SANS 401 Security Essentials is required for both.

These are just a few reasons to register for SANS 401 Security Essentials. For more information, please see:

SANS 401 Security Essentials mentored by Doug Burks in Augusta GA

Don't forget that ISSA members are eligible for a 25% discount! If you would like to register for the ISSA and/or SANS 401, please let me know and I'll be glad to help get you registered.

Sunday, August 16, 2009

Security Onion on Google Code and Google Groups

I've been getting more and more feedback on each successive release of the Security Onion LiveCD. Thanks to all those who've sent in your questions and comments! To help facilitate a better discussion, I've created a Google Code project and a Google Groups mailing list for Security Onion:
Security Onion on Google Code
Security Onion Wiki
Security Onion Issue Tracker
Security Onion Mailing List

Please take a look and let me know what you think!

Monday, August 3, 2009

Security Onion LiveCD 20090731

A new version of the Security Onion LiveCD has been released! Here's the changelog:

2009/07/31: New Release!
* All Xubuntu 9.04 updates as of 2009/07/31.
* Added sqlite and libsqlite3-ruby packages for db_autopwn.
* Added fwbuilder.
* Latest Metasploit msf v3.3-dev as of 2009/07/31.
* Latest Nmap 5.05BETA1 as of 2009/07/31.

The Security Onion LiveCD can be downloaded from the following location:
http://distro.ibiblio.org/pub/linux/distributions/security-onion/

Please let me know if you have any questions or suggestions.

Wednesday, July 29, 2009

Using Metasploit's db_autopwn on the Security Onion LiveCD

UPDATE: This issue has been fixed in the Security Onion LiveCD 20090731 release.

I was testing the new Security Onion LiveCD yesterday and trying to use Metasploit's db_autopwn function. The first step of db_autopwn is to create a database to hold the information about your potential targets. This is done with the db_create command. When I issued this command, I got an error about sqlite3 (the default database driver for db_autopwn).

I had forgotten to install the sqlite and libsqlite3-ruby packages. If you're having this problem, you can fix it with the following command:
sudo aptitude -y install sqlite libsqlite3-ruby

This will be fixed in the next release of the Security Onion LiveCD.

securityonion@securityonion:/usr/local/bin/framework3$ ./msfconsole

=[ msf v3.3-dev
+ -- --=[ 392 exploits - 234 payloads
+ -- --=[ 20 encoders - 7 nops
=[ 168 aux

msf > db_create
[*] Creating a new database instance...
[-] Error while running command db_create: no such file to load -- sqlite3
msf > quit

securityonion@securityonion:/usr/local/bin/framework3$ sudo aptitude -y install sqlite libsqlite3-ruby
Reading package lists... Done
Building dependency tree
Reading state information... Done
Reading extended state information
Initializing package states... Done
The following NEW packages will be installed:
libsqlite0{a} libsqlite3-ruby libsqlite3-ruby1.8{a} sqlite
0 packages upgraded, 4 newly installed, 0 to remove and 0 not upgraded.
Need to get 247kB of archives. After unpacking 811kB will be used.
Writing extended state information... Done
Get:1 http://archive.ubuntu.com jaunty/main libsqlite0 2.8.17-4build1 [176kB]
Get:2 http://archive.ubuntu.com jaunty/universe libsqlite3-ruby1.8 1.2.4-2 [51.3kB]
Get:3 http://archive.ubuntu.com jaunty/universe libsqlite3-ruby 1.2.4-2 [4042B]
Get:4 http://archive.ubuntu.com jaunty/main sqlite 2.8.17-4build1 [16.2kB]
Fetched 247kB in 1s (150kB/s)
Selecting previously deselected package libsqlite0.
(Reading database ... 118520 files and directories currently installed.)
Unpacking libsqlite0 (from .../libsqlite0_2.8.17-4build1_i386.deb) ...
Selecting previously deselected package libsqlite3-ruby1.8.
Unpacking libsqlite3-ruby1.8 (from .../libsqlite3-ruby1.8_1.2.4-2_i386.deb) ...
Selecting previously deselected package libsqlite3-ruby.
Unpacking libsqlite3-ruby (from .../libsqlite3-ruby_1.2.4-2_all.deb) ...
Selecting previously deselected package sqlite.
Unpacking sqlite (from .../sqlite_2.8.17-4build1_i386.deb) ...
Processing triggers for man-db ...
Setting up libsqlite0 (2.8.17-4build1) ...

Setting up libsqlite3-ruby1.8 (1.2.4-2) ...
Setting up libsqlite3-ruby (1.2.4-2) ...
Setting up sqlite (2.8.17-4build1) ...
Processing triggers for libc6 ...
ldconfig deferred processing now taking place
Reading package lists... Done
Building dependency tree
Reading state information... Done
Reading extended state information
Initializing package states... Done
Writing extended state information... Done

securityonion@securityonion:/usr/local/bin/framework3$ ./msfconsole

=[ msf v3.3-dev
+ -- --=[ 392 exploits - 234 payloads
+ -- --=[ 20 encoders - 7 nops
=[ 168 aux

msf > db_create
[*] Creating a new database instance...
[*] Successfully connected to the database
[*] File: /home/securityonion/.msf3/sqlite3.db
msf >

Tuesday, July 28, 2009

Security Onion LiveCD 20090724

A new version of the Security Onion LiveCD has been released! Here's the changelog:

* All Xubuntu 9.04 updates as of 2009/07/24.
* Added a Security Onion section to the Applications menu.
* Latest Metasploit msf v3.3-dev as of 2009/07/24.
* Latest Nmap as of 2009/07/24.

The Security Onion LiveCD can be downloaded from the following location:
http://distro.ibiblio.org/pub/linux/distributions/security-onion/

Please let me know if you have any questions or suggestions.

Saturday, July 11, 2009

Know Thy ISP

From http://www.pcworld.com/article/168160/ussouth_korea_cyberattack_lessons_learned.html:
"Investigators may not yet know who was behind a series of cyberattacks on the U.S. and South Korea, but analysts are getting a better grasp on where the nations' governments may have gone wrong. Numerous government Web sites in both countries have been hit by distributed denial-of-service attacks, starting on the Fourth of July and continuing into today. Dozens of high-profile sites have been targeted, including those of the Federal Trade Commission, the Department of Treasury, and other major federal agencies."
Quote of the day:
"'Too many federal agency security people did not know which network service provider connected their Web sites to the Internet,' explains Alan Paller, director of research at the SANS Institute, a security research organization."
Alan's statement is quite scary, but I'm sure quite true. When the killer clowns come knocking at your firewall's door, you need to be able to pull the plug in a hurry. Perhaps we should have Internet fire drills where we propose a mock DDoS attack and have our technicians play out the scenario. Who ya gonna call?

Friday, July 10, 2009

SANS Courses for the US-CERT GFIRST conference in August

Announcement from SANS:

"In August, SANS will be running 5 tracks in support of the US-CERT GFIRST conference taking place at the Omni Hotel at CNN Center (http://www.us-cert.gov/GFIRST/). SANS is pleased to present the following course offerings:

Security 501: Advanced Security Essentials - Enterprise Defender
http://www.sans.org/atlanta09/description.php?tid=2722
August 17-22

Security 504: Hacker Techniques, Exploits & Incident Handling
http://www.sans.org/atlanta09/description.php?tid=243
August 17-22

Security 441: Windows Forensics
http://www.sans.org/atlanta09/description.php?tid=3012
August 27-28

Security 553: Metasploit for Penetration Testers
http://www.sans.org/atlanta09/description.php?tid=3022
August 27

Security 517: Cutting-Edge Hacking Techniques
http://www.sans.org/atlanta09/description.php?tid=1927
August 28

This will be the first time we are offering Security 501 and a rare opportunity to take this course from Dr. Eric Cole in a small class setting. We are also offering 3 short courses which offer a great opportunity to get SANS content in only 1 or 2 days."

Tuesday, June 30, 2009

Suggestions for the Security Onion LiveCD

I'm currently working on the next version of the Security Onion LiveCD. What specific packages/features would you like to see added to the Security Onion LiveCD? Post a comment here or contact me on Twitter. Thanks!

Tuesday, June 16, 2009

Security Onion LiveCD 20090613

A new version of the Security Onion LiveCD is now available! Here's the changelog:

-All Xubuntu 9.04 updates as of 2009/06/13.

-Added JJ Cummings's pulledpork as an alternative to oinkmaster. All pulledpork files are in:
/usr/local/bin/pulledpork/

-Added Leon Ward's dumbpig for checking custom Snort rules:
/usr/local/bin/dumbpig.pl

-Added Bro IDS for Marcus J. Carey. All Bro files are in:
/usr/local/bro/

The Security Onion LiveCD can be downloaded from the following location:
http://distro.ibiblio.org/pub/linux/distributions/security-onion/

UPDATE: Some ibiblio mirrors are showing an index page which contains no links. Here are the direct links to the ISO and MD5 file:
http://distro.ibiblio.org/pub/linux/distributions/security-onion/security-onion-livecd-20090613.iso
http://distro.ibiblio.org/pub/linux/distributions/security-onion/security-onion-livecd-20090613.md5

Thursday, June 4, 2009

The Security Onion LiveCD is now available!

The Security Onion LiveCD is now available! You can download it from the following location:
http://distro.ibiblio.org/pub/linux/distributions/security-onion/

What is it?
The Security Onion LiveCD is a bootable CD that contains software used for installing, configuring, and testing Intrusion Detection Systems.

What software does it contain?
The Security Onion LiveCD is based on Xubuntu 9.04 and contains Snort 2.8.4.1, Snort 3.0.0b3 (Beta), sguil, idswakeup, nmap, metasploit, scapy, hping, fragroute, fragrouter, netcat, paketto, tcpreplay, and many other security tools.

What can it be used for?
  • The Security Onion LiveCD can be used for Intrusion Detection. Simply boot the CD and double-click either the Snort-Sguil or SnortSP-Sguil desktop shortcuts. The Snort and Sguil daemons will then start, listening on eth0 for any suspicious traffic and creating alerts in the Sguil console.
  • The Security Onion LiveCD can be used to test an Intrusion Detection System. Simply boot the CD and use the included tools (such as nmap, metasploit, idswakeup, scapy, hping, and others) to test your existing IDS or to test the included Snort 2.8.4.1 and Snort 3.0 Beta 3.
  • The Security Onion LiveCD can be used to install an Intrusion Detection System. Simply boot the CD and double-click the Install desktop shortcut. For more information about installation, please see the README desktop shortcut.
You can read more about the Security Onion LiveCD (and, specifically, the integration of Snort 3.0 and Sguil) in my SANS GCIA Gold Paper "Snort 3.0 Beta 3 for Analysts".

Please take a look at the Security Onion LiveCD and let me know what you think!

* Special thanks to:
  • Marty Roesch and the whole SourceFire team for all of their work these last 10 years to get Snort to where it is today.
  • The Sguil team for the best open-source tool to manage Snort alerts.
  • The SecurixLive crew for their awesome NSMnow installer, the easiest way to install and configure Snort/Sguil on Ubuntu Linux.
  • Ubuntu (and Debian) for their well-made Linux distribution(s).
  • The Reconstructor team for a very easy to use tool for remastering Ubuntu LiveCDs.
  • All developers in the open-source community who work so hard and produce such amazing tools.

Thursday, May 7, 2009

Sguil on Ubuntu 9.04 in 3 Steps using NSMnow

My previous Sguil/NSMnow recipes used Ubuntu 8.04. I thought I'd play with the new Ubuntu 9.04 and see if there were any differences. It looks like there is a new AppArmor profile for tcpdump that we'll have to configure if we want to pull session transcripts using Sguil. (This is in addition to the AppArmor profile for MySQL that we already had to configure to allow it to read the load directory.) These steps have been formatted so that you can copy/paste them into your terminal.

Disclaimer: I offer no warranties of any kind. If your box breaks, you get to keep both pieces!

Step 1: Get root privileges

##########################
sudo -i
##########################
Step 2: Install NSMnow
##########################
mkdir /usr/local/src/NSMnow
cd /usr/local/src/NSMnow
wget http://www.securixlive.com/download/nsmnow/NSMnow-1.4.0.tar.gz
tar zxvf NSMnow-1.4.0.tar.gz
./NSMnow -i -y
##########################
Step 3: Configure AppArmor and start NSMnow
##########################
if ! grep "/nsm/server_data/server1/load" /etc/apparmor.d/usr.sbin.mysqld > /dev/null
then
# Remove the last line of the file (a single right curly brace)
sed -i '$d' /etc/apparmor.d/usr.sbin.mysqld
# Add a line that allows MySQL to read the load directory
echo " /nsm/server_data/server1/load/* r," >> /etc/apparmor.d/usr.sbin.mysqld
# Append the right curly brace to end the file
echo "}" >> /etc/apparmor.d/usr.sbin.mysqld
fi
if ! grep "/nsm/sensor_data/sensor1/dailylogs" /etc/apparmor.d/usr.sbin.tcpdump > /dev/null
then
# Remove the last line of the file (a single right curly brace)
sed -i '$d' /etc/apparmor.d/usr.sbin.tcpdump
# Add a line that allows tcpdump to read all dailylogs
echo " /nsm/sensor_data/sensor1/dailylogs/**[^/] r," >> /etc/apparmor.d/usr.sbin.tcpdump
echo "}" >> /etc/apparmor.d/usr.sbin.tcpdump
fi
/etc/init.d/apparmor restart
/usr/local/sbin/nsm --all --start
##########################
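As an added example that is not part of the original recipe, the same AppArmor edit written as a reusable shell function. It inserts the rule before the profile's closing brace instead of deleting the file's last line, so a trailing blank line or comment after the "}" does not leave the new rule outside the profile, and it is a no-op when the rule is already present. The function names and the scratch profile are constructed for the demo; the rule text is the one the recipe adds.

```shell
#!/bin/sh
# Added example, not from the original recipe: add a rule to an AppArmor
# profile by inserting it before the profile's closing "}" rather than
# removing the last line of the file. Works on a scratch copy in the demo.

apparmor_add_rule() {
    profile="$1"     # e.g. /etc/apparmor.d/usr.sbin.tcpdump
    rule="$2"        # e.g. "/nsm/sensor_data/sensor1/dailylogs/**[^/] r,"
    [ -f "$profile" ] || return 1
    # grep -F: the rule is a literal string, not a regex (it contains ** and []).
    if grep -Fq -- "$rule" "$profile"; then
        return 0
    fi
    # Line number of the last "}" at column 0, i.e. the profile's closing brace.
    n=$(grep -n '^}' "$profile" | tail -n 1 | cut -d: -f1)
    [ -n "$n" ] || return 2           # no closing brace found; do not touch it
    tmp="$profile.tmp.$$"
    awk -v n="$n" -v r="  $rule" 'NR == n { print r } { print }' "$profile" > "$tmp" \
        && mv "$tmp" "$profile"
}

# Exit 0 if the profile already contains the rule, 1 otherwise.
apparmor_has_rule() {
    grep -Fq -- "$2" "$1"
}

# Demo on a constructed profile whose "}" is followed by a trailing comment,
# the case the recipe's "sed -i '$d'" would get wrong.
demo_apparmor() {
    d=$(mktemp -d)
    p="$d/usr.sbin.tcpdump"
    cat > "$p" <<'EOF'
#include <tunables/global>
/usr/sbin/tcpdump {
  #include <abstractions/base>
  /etc/tcpdump.conf r,
}
# end of profile
EOF
    rule='/nsm/sensor_data/sensor1/dailylogs/**[^/] r,'
    apparmor_add_rule "$p" "$rule"
    apparmor_add_rule "$p" "$rule"        # second call must not duplicate it
    count=$(grep -Fc -- "$rule" "$p" || true)
    last=$(grep -n '^}' "$p" | tail -n 1 | cut -d: -f1)
    rule_line=$(grep -Fn -- "$rule" "$p" | cut -d: -f1)
    rm -rf "$d"
    # Exactly one copy, and it sits inside the profile (before the brace).
    [ "$count" = 1 ] && [ "$rule_line" -lt "$last" ] && echo ok || echo fail
}
```

On a real host, reload the profiles afterwards (/etc/init.d/apparmor restart, as the recipe does) so the change takes effect.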
Snort is now capturing packets on eth0 and analyzing them. Let's verify that now.

Launch the Sguil client by opening a new terminal and typing the following:
##########################
sguil.tk
##########################
When prompted, log in to Sguil using the default credentials:
Username: sguil
Password: password

Next, create some alerts by opening a browser and going to:
http://www.testmyids.com

Finally, go into the Sguil console and you should see two new alerts:


This demonstrates that Snort is analyzing packets and outputting in unified2 format, which is then read by Barnyard2 and inserted into the Sguil database.

When finished, close the Sguil window and return to your NSMnow window. Then type the following to terminate all NSMnow processes:
/usr/local/sbin/nsm --all --stop
