Monday, February 2, 2009

Snort 3.0 (SnortSP) Inline Bridging Mode in 3 Steps

One of the many interesting new features in Snort 3.0 (SnortSP) is the ability to run in inline bridging mode.

Step 1: Add a new function to your snort.lua file
If you followed my previous SnortSP Installation HOWTO, then the default snort.lua file is in /etc/SnortSP/snort.lua. Open the file and add the following function:

function bridge(interface1, interface2)
    -- Both interface names are required; fail fast with a usage hint otherwise.
    if interface1 == nil then
        error("Two interfaces must be specified ( e.g. bridge(\"eth0\", \"eth1\") )")
    end
    if interface2 == nil then
        error("Two interfaces must be specified ( e.g. bridge(\"eth0\", \"eth1\") )")
    end
    -- Data source definition: the afpacket DAQ bridges the two interfaces
    -- given as "intf1:intf2". snaplen must be 1518 (not 0) for normal
    -- Ethernet operation; see the note on the afpacket snaplen bug below.
    dsrc2 = {name="src2",
             type="afpacket",
             intf=interface1..":"..interface2,
             flags=10,
             snaplen=1518,
             maxflows=262144,
             maxidle=300,
             flow_memcap=10000000}
    dsrc.new(dsrc2)
    -- Create an engine, attach it to the data source, and start it.
    eng.new("e2")
    eng.link({engine="e2", source="src2"})
    eng.start("e2")
end


Step 2: Start SnortSP
Start SnortSP using the following command:
sudo snortsp -L /etc/SnortSP/snort.lua
SnortSP will start up and read your new snort.lua file. You will then be greeted by the SnortSP Lua shell.

Step 3: Use the bridge() function
In the Lua shell, type the following (replacing eth0 and eth1 with the correct interfaces on your system):
bridge("eth0", "eth1")

Once the bridge is up and running, you can do the following to display packets traversing the bridge:
eng.set_display({engine="e2", display="none"})
Press the Up arrow and change "none" to "classic".
View the output.
Press the Up arrow twice to retrieve the "none" command and press Enter.

When finished, shut down SnortSP by running the following command:
ssp.shutdown()

Note that there is a bug in the SnortSP README file (and/or the SnortSP afpacket DAQ itself). The README file suggests the following:
dsrc1 = {name="src",
         type="afpacket",
         intf="eth2:eth3",
         flags=10,
         snaplen=0,
         maxflows=262144,
         maxidle=300,
         flow_memcap=10000000}
dsrc.new(dsrc1)

Setting snaplen to 0 and passing traffic through the bridge results in a segmentation fault. Per the SnortSP developers, this value should be set to 1518 for normal Ethernet operation. Thanks to the SnortSP developers for their assistance with this issue.

Monday, January 26, 2009

Integrating Snort 3.0 (SnortSP) and Sguil in 3 Steps

So once you have Snort 3.0 installed, what can you do with it? One thing you can do with it (and the one that most people are interested in) is to configure it for IDS mode. The Snort 3.0 architecture includes the Snort 2.8.2 Detection Engine, so we'll have the Snort Security Platform (SnortSP) capturing packets and handing them off to Snort 2.8.2 for analysis and alerting.

The best open source tool to manage Snort alerts is Sguil, and the easiest way to install Sguil is using NSMnow. NSMnow automatically installs and configures barnyard2 (compatible with SnortSP's unified2 format), sancp, Sguil, and Snort 2.x. We're going to replace NSMnow's snort alert process with Snort 3.0.

This quick recipe assumes that you're running on Ubuntu 8.04 and your primary network interface is eth0. You should be able to copy/paste each of the three code blocks into your terminal.

Obligatory disclaimer: I offer no warranty of any kind. If this breaks your box, you get to keep both pieces.

Step 1: Get root privileges
##########################
sudo -i
##########################
Step 2: Install NSMnow
##########################
mkdir /usr/local/src/NSMnow
cd /usr/local/src/NSMnow
wget http://www.securixlive.com/download/nsmnow/NSMnow-1.3.4.tar.gz
tar zxvf NSMnow-1.3.4.tar.gz
./NSMnow -i -y
##########################
Step 3: Configure NSMnow and SnortSP and start
##########################
if ! grep "/nsm/server_data/server1/load" /etc/apparmor.d/usr.sbin.mysqld > /dev/null
then
    sed -i 's|}| /nsm/server_data/server1/load/* r,|g' /etc/apparmor.d/usr.sbin.mysqld
    echo "}" >> /etc/apparmor.d/usr.sbin.mysqld
fi
/etc/init.d/apparmor restart
/usr/local/sbin/nsm --server --start
/usr/local/sbin/nsm_sensor_ps-start --skip-snort-alert
mkdir /etc/snortsp_alert
cd /etc/snortsp_alert
cp -R /etc/nsm/sensor1/* .
mv snort.conf snort_orig.conf
sspiffy.sh /usr/local -c snort_orig.conf -i eth0
grep -v "sameip" rules/bad-traffic.rules > rules/bad-traffic.rules.2
rm -f rules/bad-traffic.rules
mv rules/bad-traffic.rules.2 rules/bad-traffic.rules
snortsp -C -L snort.lua
##########################
Snort 3.0 is now capturing packets on eth0 and analyzing them. Let's verify that now.

Launch the Sguil client by opening a new terminal and typing the following:
##########################
sguil.tk
##########################
When prompted, login to Sguil using the default credentials:
Username: sguil
Password: password

Next, create some alerts by opening a browser and going to:
http://www.testmyids.com

Finally, go into the Sguil console and you should see two new alerts:


This demonstrates that SnortSP is capturing packets, analyzing them with the Snort 2.8.2 Detection Engine, and outputting in unified2 format, which is then read by Barnyard2 and inserted into the Sguil database.

When finished, return to your SnortSP window and press ctrl-c to terminate the SnortSP process. Then type "nsm --all --stop" to terminate all NSMnow processes.

Saturday, January 24, 2009

Installing Snort 3.0 (SnortSP) on Ubuntu in 3 Steps

Here's a really quick recipe for installing the Snort 3.0 Architecture on Ubuntu 8.04. Note that the Snort 3.0 Architecture consists of the SnortSP framework and the Snort 2.8.2 Detection Engine. You should be able to open a terminal and then copy/paste each of the three blocks of commands.

Step 1: Get root privileges
##########################
sudo -i
##########################
Step 2: Install dependencies
##########################
aptitude update
aptitude -y install build-essential \
libdumbnet1 libdumbnet-dev \
uuid uuid-dev \
libncurses5 libncurses5-dev \
libreadline5 libreadline5-dev \
libpcap0.8 libpcap0.8-dev \
libpcre3 libpcre3-dev \
liblua5.1-0 liblua5.1-0-dev \
flex bison
##########################
Step 3: Download, compile, and install the Snort 3.0 Architecture
##########################
cd /usr/local/src/
wget http://www.snort.org/dl/prerelease\
/3.0.0-b2/snortsp-3.0.0b2.tar.gz
tar zxvf snortsp-3.0.0b2.tar.gz
cd snortsp-3.0.0b2/
./configure
make
make install
mkdir /etc/SnortSP/
cp etc/* /etc/SnortSP/
cd src/analysis/snort/
./configure \
--with-platform-includes=/usr/local/include/snortsp \
--with-platform-libraries=/usr/local/lib
make
make install
ldconfig
##########################


Future posts will cover where to go from here.

Tuesday, January 20, 2009

NSMnow 1.3

I previously discussed the NSMnow project. These guys have made tremendous progress in the last few weeks and have fixed the bugs that I notified them of. They are now at version 1.3. Go check it out!

Sunday, January 18, 2009

SANS 503 Mentor class is full

Registration is now closed for the previously mentioned SANS 503 Mentor class here in Augusta. This was the first SANS Mentor class to sell out in a few years! Thanks to all who registered.

Saturday, January 10, 2009

Links for Binary and Hex Refreshers

If you're about to take SANS 503 and it's been a while since you've had to deal with the world of binary and hex, here are a few good links for refreshing your memory:
http://en.wikipedia.org/wiki/Hexadecimal
http://en.wikipedia.org/wiki/Binary_numeral_system
http://www.underground-security.com/downloads/crew/frostbyte/tutorials/conversions-tutorial.php
http://www.blaenkdenum.com/binary-and-hexadecimal/
http://www.permadi.com/tutorial/numHexToBin/index.html
http://atrevida.comprenica.com/atrtut01.html
http://www.sans.org/training/tcpip_quiz.php

Creating md5 and sha1 hashes using dcfldd

Have you ever been in a situation where you needed to calculate multiple hashes (md5 and sha1, for example) of a large drive image, but you didn't want to wait the long time it would take to do the following?
md5 image.dd
sha1 image.dd
dcfldd can calculate multiple hashes at the same time. All you have to do is set dcfldd's output to /dev/null like this:
dcfldd if=image.dd of=/dev/null hash=md5,sha1
512 blocks (16Mb) written.
Total (md5): 95581c2eb1d0e18d4c9d0a08f06e1b28
Total (sha1): f80c5845df633e5ed586cf5006a746cc648abd9a

572+1 records in
572+1 records out
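The same single-pass idea without dcfldd, as an added example that is not part of the original post: tee feeds one read of the file to two hash tools at once through a named pipe, so a large image is pulled from disk only once. This uses only POSIX shell plus the coreutils md5sum and sha1sum; the sample file with content "abc" is constructed here for demonstration, and the function names (multihash, hash_of, verify_hash) are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): compute several hashes of a
# large file in a single read pass using only POSIX tools (tee + a named
# pipe), as a fallback when dcfldd is not installed. The sample file
# created at the bottom is constructed for demonstration only.

# multihash FILE
# Prints "md5 <hex>" and "sha1 <hex>" after reading FILE exactly once.
multihash() {
    file=$1
    tmpd=$(mktemp -d) || return 1
    mkfifo "$tmpd/sha1.fifo"

    # The second hash tool runs in the background, reading the named pipe.
    sha1sum < "$tmpd/sha1.fifo" > "$tmpd/sha1.out" &
    sha1_pid=$!

    # tee copies the same bytes to the pipe and to md5sum on stdout, so the
    # (possibly multi-gigabyte) image is read from disk only one time.
    tee "$tmpd/sha1.fifo" < "$file" | md5sum > "$tmpd/md5.out"
    wait "$sha1_pid"

    printf 'md5 %s\n'  "$(cut -d' ' -f1 "$tmpd/md5.out")"
    printf 'sha1 %s\n' "$(cut -d' ' -f1 "$tmpd/sha1.out")"
    rm -rf "$tmpd"
}

# hash_of ALGO FILE
# Prints just the hex digest for ALGO (md5 or sha1).
hash_of() {
    multihash "$2" | awk -v a="$1" '$1 == a { print $2 }'
}

# verify_hash ALGO FILE EXPECTED_HEX
# Exit status 0 when the freshly computed digest matches the recorded one,
# 1 otherwise. Handy for re-checking an acquired image against the value
# written down at acquisition time.
verify_hash() {
    [ "$(hash_of "$1" "$2")" = "$3" ]
}

# Demonstration on a constructed sample file (content "abc").
sample=$(mktemp)
printf 'abc' > "$sample"
multihash "$sample"
if verify_hash md5 "$sample" 900150983cd24fb0d6963f7d28e17f72; then
    echo "md5 verification: OK"
else
    echo "md5 verification: MISMATCH"
fi
rm -f "$sample"
```

Adding a third digest is a matter of another named pipe and another background reader; the file is still read once. Run it as sh multihash.sh, or source it and call multihash /path/to/image.dd.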

Friday, January 9, 2009

2009 SANS Log Management Survey

SANS is researching how organizations handle log management. Please take 5 minutes out of your day and complete the following survey (I did):
SANS Log Management Survey

Thursday, January 8, 2009

Reminder about SANS 503 training here in Augusta

We have less than 2 weeks to go before the January 20 deadline for the best deal on SANS 503 Intrusion Detection training here in Augusta! If you're not an ISSA member already, you can join today (only $120.00) and take advantage of the 40% discount for ISSA members. ISSA Members who wish to register for the class should contact me or one of the other chapter leaders for the Discount Registration code.

For further information, please see:
http://www.sans.org/mentor/details.php?nid=15354

Monday, January 5, 2009

Upgrading from Fedora 9 to Fedora 10 using Preupgrade

A few months ago, I upgraded from Fedora 8 to Fedora 9 using Preupgrade. Last night, I decided it was time to upgrade to Fedora 10 (F10), so I went the Preupgrade route again.

I did a yum update and then launched preupgrade. It downloaded all the necessary F10 RPMs and said it was ready for reboot. I rebooted into the installer and was greeted with an error message saying it couldn't find the RPM repository. I surmised that the installer hadn't mounted my /var partition (Preupgrade creates a local RPM repository at /var/cache/yum/preupgrade/). I did some searching and found Bugzilla bug 473782, which describes this exact problem. The fix was to reboot back into Fedora 9 and install Preupgrade 1.0.1-1 from the testing repository with the following command:
yum --enablerepo=updates-testing-newkey update preupgrade


I then launched Preupgrade again, rebooted into the installer, and successfully upgraded from Fedora 9 to Fedora 10. I rebooted into Fedora 10 and did a full yum update. I then noticed that I couldn't SSH into this Fedora 10 machine using SSH keys anymore. I did some more searching and found Bugzilla bug 473014. It seems that the upgrade process changes the SELinux security context on the user .ssh directories. The fix is to run the following command as root:
restorecon -r /home/*/.ssh

Haven't seen any other problems so far.

Tuesday, November 11, 2008

Securix-NSM

I mentioned in my last post that I'm using NSMnow to install Barnyard2, SANcp, Snort, and Sguil in my Security Onion LiveCD. The NSMnow guys have released their own LiveCD called Securix-NSM. Go check it out!

Wednesday, November 5, 2008

Barnyard2, SanCP, Snort, and Sguil using NSMnow

In my last post, I mentioned that I was working on integrating BASE into the Security Onion LiveCD. I chose BASE because I wanted a quick and easy GUI for Snort until I could get Sguil up and running. Little did I know that there was a quick and easy way to get Sguil up and running (even easier than installing BASE).

The stars aligned and I stumbled upon NSMnow. This is an amazing little project that will analyze your system; download and install Barnyard2, SanCP, Snort, and Sguil; and automatically configure the whole thing! I ran NSMnow in a terminal chrooted into the Security Onion LiveCD build environment (courtesy of Reconstructor) and a few minutes later it was done. I generated a new ISO, booted it, ran the init script, and fired up the Sguil client. That was too easy!

Thursday, October 30, 2008

Apache EnableSendfile directive

I'm currently working on integrating Barnyard and BASE into the Security Onion LiveCD. After generating a new ISO and booting it up, I opened Firefox and went to http://localhost/base/. I was greeted with the BASE setup screen, but it was plain white with no CSS formatting:


The /base/styles/base_style.css file was in place and had the proper permissions, but doing "curl http://localhost/base/styles/base_style.css" would result in "transfer closed with bytes remaining". I created a small "Hello World!" test page in the styles directory and Apache served it just fine. I then copied base_style.css and began taking things out until Apache served the file. Ultimately, I determined that Apache couldn't serve non-PHP files over 255 bytes. I did some research and stumbled upon the EnableSendfile directive. I added "EnableSendfile off" to my Apache configuration file, restarted Apache, and verified that Apache could serve files over 255 bytes. BASE then showed up with the proper formatting:

Sunday, October 26, 2008

Upgrading from Fedora 8 to Fedora 9 using Preupgrade

In the past, I've upgraded to the latest Fedora version by using the unsupported "yum upgrade". This is potentially dangerous, but it always worked for me. When I read in Red Hat Magazine that Fedora had a new tool to do in-place upgrades, I was excited to try it out.

I tried out Preupgrade on a few Fedora 8 virtual machines and everything went smoothly. Preupgrade had earned my confidence, so I proceeded to "yum -y update && yum -y install preupgrade && preupgrade" on my main Fedora 8 desktop. It downloaded all the RPMs and rebooted into the installer. It upgraded the system and said it was ready for the final reboot. So I rebooted the machine and was greeted by a blinking GRUB prompt. Somehow, GRUB had lost its configuration and could no longer boot my Fedora installation. Doh!

I've never really played around in the GRUB shell, so I never realized how powerful and versatile it is. All I had to do was the following (the {tab} indicates to use the Tab key for filename completion):
kernel (hd0,2)/vmlinuz{tab} root=/dev/sda5
initrd (hd0,2)/initrd{tab}
boot
The system came up and I then did the following to re-write GRUB into the MBR:
grub-install /dev/sda
And we have a working Fedora 9 installation!

Thursday, October 23, 2008

Building Ubuntu LiveCDs with Reconstructor

As I mentioned previously, I'm currently working on the Security Onion LiveCD. I started building custom LiveCDs years ago by going through the painstakingly manual process of remastering Knoppix. Last year, I began using the Fedora Revisor tool, which didn't require as much manual work, but it is limited in that it seems to require that software be installed using RPMs and that configuration be done via a kickstart file as the ISO is being generated. Earlier this year, I produced a custom BackTrack CD for the Greater Augusta ISSA using Gene Bransfield Jr.'s guide and the Linux Live scripts. For the Security Onion LiveCD, I decided to try a new approach. This is my first time using Reconstructor, and it provides a good balance of automation while still allowing you to easily customize at any time.

The process hasn't been totally painless, however (I should mention that I'm using Reconstructor 2.8.1.):
  • I ran into a squashfs bug, which required updating squashfs-tools to a newer version than is currently available in Ubuntu's repositories.
  • In the main Customization interface, there is an Apply button above the Next button. When I first started using Reconstructor, I assumed that when you click Next, your settings are automatically applied, but that is not the case. You must click Apply or else your settings will be lost.
  • If you select a custom Gnome background color, Reconstructor seems to increment it each time it is launched. For example, I configured my background color to be #486ac1. The next time I opened Reconstructor, it showed the value as #486ac2. The next time I opened Reconstructor, it was #486ac3, and so on.
  • As with any LiveCD, there is always the issue of space: one has to balance having every remotely useful tool available against the size limitation of a 700MB CD. Reconstructor helps somewhat in that it estimates the ISO size before generation, but this estimate isn't always accurate. You still may have to fully generate the ISO before you know for sure that it is under 700MB.

Overall, Reconstructor is a very good tool. If you can work through the minor issues detailed above, it is the easiest way to build a fully customized LiveCD. I look forward to the upcoming Reconstructor 3.

Wednesday, October 22, 2008

Security Onion LiveCD

As part of my GCIA Gold research paper, I'm building a security LiveCD based on Ubuntu 8.04. The Security Onion LiveCD includes both Snort 2.8 and the new SnortSP. This gives Snort users a way of trying out SnortSP without having to worry about satisfying all the dependencies and compiling and installing it. The LiveCD also contains the following network/security utilities:
bastille
cheops-ng
corkscrew
daemonlogger
doscan
dsniff
etherape
fragroute
fragrouter
honeyd
hping2
hping3
hunt
idswakeup
iperf
ipgrab
iptraf
knocker
labrea
lanmap
ndiff
nemesis
netcat
netcat6
netcat-openbsd
netcat-traditional
netdiscover
netdude
netrw
netsed
ngrep
nmap
nsm-console
nwatch
p0f
pads
paketto
pbnj
pcaputils
pnscan
potion
psad
python-scapy
scanssh
scapy
sendip
socat
ssldump
tcpflow
tcpick
tcpreplay
tcpslice
tcpspy
tcpstat
tcptrace
tcpxtract
tshark
wireshark
xprobe
yersinia
zenmap

What other utilities would you like to see in the Security Onion LiveCD?

Monday, September 29, 2008

Mentoring SANS 503

Starting in February, I'll be mentoring SANS 503: Intrusion Detection In-Depth. This class is extremely valuable for those who work with Intrusion Detection Systems such as Snort. Even if you have never used an IDS before, you will learn TCP/IP from an attacker's perspective, how to analyze packets using tcpdump, and how to configure Snort and write your own Snort rules.

Classes will be on Tuesday nights at Augusta State University from 7:00 PM - 9:00 PM starting on February 17, 2009. Greater Augusta ISSA members will receive a 40% discount off the normal price. If you wish to become a member of the Greater Augusta ISSA or are already a member and would like the SANS discount code, please let me or one of the other chapter leaders know.

For more information about SANS 503, please see:
http://www.sans.org/mentor/details.php?nid=15354

My name is Doug Burks and I'm a GCIA

Back in April, I traveled to Orlando and took SANS 503 from the amazing Mike Poor. I then spent the next few months reviewing the course material, listening to Mike Poor MP3s, and taking practice exams. On September 5th, I took the real exam and passed with a 95! (I almost broke my arm patting myself on the back.) This certifies me at the GCIA Silver level. I'm now working on my research paper for GCIA Gold.

Wednesday, September 3, 2008

Security Onion

Onions have layers...good security has layers.

Onions smell bad...quite often, security stinks.

Onions make you cry...poor security can make you cry, scream, and cuss.

Welcome to the Security Onion.
