
How to test Suricata with Pytbull

» 12 September 2011 » In Uncategorized » 3 Comments

Your favourite Intrusion Detection/Prevention System (IDS/IPS) has just been installed and is running, and you are probably wondering whether everything is working as it should, logging or dropping evil packets. Here comes Pytbull, a Python-based, flexible IDS/IPS testing framework shipped with more than 300 tests, grouped in 9 modules, covering a large scope of attacks (clientSideAttacks, testRules, badTraffic, fragmentedPackets, multipleFailedLogins, evasionTechniques, shellCodes, denialOfService, pcapReplay).

Testing your IDS/IPS with Pytbull will save you a big deal of time!

Let's assume we have an Ubuntu Linux testing box A with IP address 192.168.1.25 and a Smooth-Sec installation B with IP address 192.168.1.1.

On the testing box A (192.168.1.25), install all the required packages and dependencies:


#apt-get install python python-scapy nmap hping3 nikto tcpreplay python-iniparse

Download and unpack Pytbull:

#wget https://downloads.sourceforge.net/project/pytbull/pytbull-1.3.tar.bz2
#bzip2 -cd pytbull-1.3.tar.bz2 | tar xf -
#cd pytbull

Edit the Pytbull configuration file:

vim config.cfg


#Pytbull config file
[CLIENT]
ipaddr                  = 192.168.1.1 #ip address of the IDS to test.
iface                   = eth0

[PATHS]
report                  = report.html
sudo                    = /usr/bin/sudo
nmap                    = /usr/bin/nmap
nikto                   = /usr/bin/nikto
niktoconf               = /root/pytbull/nikto.conf
hping3                  = /usr/sbin/hping3
tcpreplay               = /usr/bin/tcpreplay
urlpdf                  = http://droid-protector.com/borrar_ya/md5
alertsfile              = /var/log/suricata/fast.log

[CREDENTIALS]
ftpuser                 = pytbull
ftppasswd               = pytbull

Create the nikto configuration file referenced by niktoconf above and add the following content:


#start nikto configuration file
SKIPPORTS=21 111
USERAGENT=Mozilla/4.75 (Nikto/@VERSION) (Evasions:@EVASIONS) (Test:@TESTID)
RFIURL=http://cirt.net/rfiinc.txt?
NIKTODTD=docs/nikto.dtd
DEFAULTHTTPVER=1.0
UPDATES=yes
MAX_WARN=20
CIRT=174.142.17.165
CHECKMETHODS=HEAD GET
@@MUTATE=dictionary;subdomain
@@DEFAULT=@@ALL;-@@MUTATE;tests(report:500)
#end nikto configuration file

Copy the Pytbull server script (reverse shell) used for client side attacks to the Smooth-Sec box 192.168.1.1:

#scp server/pytbull-server.py root@192.168.1.1:

Define the kind of tests that you want to run against Suricata; see the [TESTS] section at the end of the Pytbull configuration file config.cfg.

0 = disabled
1 = enabled

[TESTS]
clientSideAttacks = 1
testRules = 1
badTraffic = 1
fragmentedPackets = 1
multipleFailedLogins = 1
evasionTechniques = 1
shellCodes = 1
denialOfService = 1
pcapReplay = 1

On the Smooth-Sec box B (192.168.1.1), install the FTP and HTTP services the tests need and create the pytbull user:

#apt-get install vsftpd apache2
#adduser --home /var/log/suricata --shell /bin/bash pytbull
#usermod -G suricata pytbull

Start the reverse shell on the Smooth-Sec box 192.168.1.1:


#python pytbull-server.py  --port 34567

                                 _   _           _ _
                     _ __  _   _| |_| |__  _   _| | |
                    | '_ \| | | | __| '_ \| | | | | |
                    | |_) | |_| | |_| |_) | |_| | | |
                    | .__/ \__, |\__|_.__/ \__,_|_|_|
                    |_|    |___/
                       Sebastien Damaye, aldeid.com

Checking root privileges......................................... [   OK   ]
Checking port to use............................................. [   OK   ]

Server started on port: 34567
Listening...

Run the tests from 192.168.1.25 against 192.168.1.1:


#python pytbull.py -t 192.168.1.1

                                 _   _           _ _
                     _ __  _   _| |_| |__  _   _| | |
                    | '_ \| | | | __| '_ \| | | | | |
                    | |_) | |_| | |_| |_) | |_| | | |
                    | .__/ \__, |\__|_.__/ \__,_|_|_|
                    |_|    |___/
                       Sebastien Damaye, aldeid.com

BASIC CHECKS
------------
Checking root privileges......................................... [   OK   ]
Checking remote port 21/tcp (FTP)................................ [   OK   ]
Checking remote port 22/tcp (SSH)................................ [   OK   ]
Checking remote port 80/tcp (HTTP)............................... [   OK   ]
Checking path for sudo........................................... [   OK   ]
Checking path for nmap........................................... [   OK   ]
Checking path for nikto.......................................... [   OK   ]
Checking path for niktoconf...................................... [   OK   ]
Checking path for hping3......................................... [   OK   ]
Checking path for tcpreplay...................................... [   OK   ]
Removing temporary file.......................................... [   OK   ]

TESTS
------------
Client Side Attacks.............................................. [   yes  ]
Test Rules....................................................... [   yes  ]
Bad Traffic...................................................... [   yes  ]
Fragmented Packets............................................... [   yes  ]
Multiple Failed Logins........................................... [   yes  ]
Evasion Techniques............................................... [   yes  ]
ShellCodes....................................................... [   yes  ]
Denial of Service................................................ [   yes  ]
Pcap Replay...................................................... [   yes  ]

-----------------------
DONE. Check the report.
-----------------------

Viewing the report.

On the testing machine 192.168.1.25:

cp report.html /var/www/

Open http://192.168.1.25 with your web browser.

Restore Suricata (192.168.1.1) as it was:

apt-get remove vsftpd apache2
deluser pytbull
rm pytbull-server.py
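Before the tests run, Pytbull performs the BASIC CHECKS shown in its output above: root privileges, the remote FTP/SSH/HTTP ports, and every path listed under [PATHS]. The following is an added example of those pre-flight checks written from scratch in Python; it is not Pytbull's own code. It reads a config.cfg in the layout shown above (the text is constructed inline so the script runs without the real file), strips the inline `#ip address...` comment so the target address is parsed cleanly, verifies that the listed tools are executable and the alerts file readable, and probes the target ports with a plain TCP connect. The function names and the `port_open` timeout are this example's own choices.

```python
"""Pre-flight checks in the style of Pytbull's BASIC CHECKS (added example, not Pytbull's code)."""
import configparser
import os
import socket

# Constructed config text in the layout of pytbull's config.cfg (values from the post).
SAMPLE_CONFIG = """
[CLIENT]
ipaddr = 192.168.1.1 #ip address of the IDS to test.
iface  = eth0

[PATHS]
report     = report.html
sudo       = /usr/bin/sudo
nmap       = /usr/bin/nmap
nikto      = /usr/bin/nikto
niktoconf  = /root/pytbull/nikto.conf
hping3     = /usr/sbin/hping3
tcpreplay  = /usr/bin/tcpreplay
alertsfile = /var/log/suricata/fast.log

[TESTS]
clientSideAttacks = 1
testRules = 1
badTraffic = 0
"""

# [PATHS] keys that must point at local executables; the rest are files to read.
EXECUTABLE_KEYS = ("sudo", "nmap", "nikto", "hping3", "tcpreplay")
# Remote ports pytbull's basic checks expect on the target: FTP, SSH, HTTP.
REQUIRED_PORTS = {21: "FTP", 22: "SSH", 80: "HTTP"}


def load_config(text):
    """Parse config text. Inline '#' comments are stripped so that
    'ipaddr = 192.168.1.1 #comment' yields just the address; option
    names keep their case (clientSideAttacks, not clientsideattacks)."""
    parser = configparser.ConfigParser(inline_comment_prefixes=("#",))
    parser.optionxform = str
    parser.read_string(text)
    return parser


def enabled_tests(cfg):
    """Names of the test modules set to 1 under [TESTS], in file order."""
    return [name for name, flag in cfg.items("TESTS") if flag.strip() == "1"]


def check_paths(cfg):
    """Map each [PATHS] key to True/False: tools must be executable,
    the nikto config and the alerts file must be readable.
    'report' is pytbull's output file and is not checked."""
    results = {}
    for key, path in cfg.items("PATHS"):
        if key == "report":
            continue
        mode = os.X_OK if key in EXECUTABLE_KEYS else os.R_OK
        results[key] = os.access(path, mode)
    return results


def port_open(host, port, timeout=2.0):
    """Plain TCP connect check; any socket error counts as closed."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_target(cfg):
    """Probe the IDS host named in [CLIENT] on every required port."""
    host = cfg.get("CLIENT", "ipaddr")
    return {port: port_open(host, port) for port in REQUIRED_PORTS}


if __name__ == "__main__":
    cfg = load_config(SAMPLE_CONFIG)
    print("target IDS:", cfg.get("CLIENT", "ipaddr"))
    print("enabled tests:", ", ".join(enabled_tests(cfg)))
    for key, ok in check_paths(cfg).items():
        print("Checking path for %-10s [ %s ]" % (key, "OK" if ok else "MISSING"))
    for port, ok in check_target(cfg).items():
        name = REQUIRED_PORTS[port]
        print("Checking remote port %d/tcp (%s) [ %s ]" % (port, name, "OK" if ok else "CLOSED"))
```

A failed path check here means the corresponding module would fail later in the run rather than at startup, which is why Pytbull refuses to go on; a closed port 21 or 80 on the target usually means vsftpd or apache2 was not installed on the Smooth-Sec box as described above.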


Top network security monitoring linux distributions.

» 22 March 2011 » In Uncategorized » 3 Comments

Insta-snorby

The appliance is designed for users who want to test Snorby (a new Snort IDS front-end) or need a quick and dirty snort sensor installed.
It comes with the following:
* Snort 2.9.0.3 – The latest version of the popular Intrusion Detection System
* Barnyard 2.19  – An application that deciphers Snort unified2 logs and puts them into the snorby database
* Snorby 2.2.1 – The IDS front-end
* OpenFPC – Full packet capture monitoring
* Pulled Pork 0.5 – IDS rule update management

The installation process will walk you through setting up the MySQL server and ask you to enter your "Oinkcode", which will automatically download the latest VRT rules (the signatures that power the IDS) from SourceFire. Emerging Threats rules (another popular rules distribution) are already downloaded and enabled.

http://www.snorby.org

Smooth-Sec

Smooth-Sec is a ready-to-go IDS/IPS (Intrusion Detection/Prevention System) Linux distribution based on the multi-threaded Suricata IDS/IPS engine and Snorby, the top-notch web application for network security monitoring. Smooth-Sec is built on Ubuntu 10.04 LTS using the TurnKey Core base as development platform. Functionality is the key point: it allows a complete IDS/IPS system to be deployed and running out of the box within a few minutes, even by security beginners with minimal Linux experience.

http://bailey.st/blog/smooth-sec/

Siem-live

SIEM-live is a ready-to-go SIEM (Security Information and Event Management) system based on open source tools and Debian-live. To collect events it uses Suricata IDS/IPS, syslog as a central collector, OpenVAS to scan for vulnerabilities, and many others. Alerts and events are stored in the open source SIEM Prelude, where they are analyzed and correlated. Results are accessible through the web interface (Prewikka).

SIEM-live is a bootable live CD which provides a fully functional system without any configuration required. It can also use persistence, or may be installed on a hard disk or USB key.

It aims at providing an easy way to deploy and test a SIEM, to quickly see what is happening on a network, and to concentrate on detecting high-level patterns with correlation. It will also contain visualization and reporting tools in the near future.

https://www.wzdftpd.net/redmine/projects/siem-live

Security Onion LiveDVD

The Security Onion LiveDVD is a bootable DVD that contains software used for installing, configuring, and testing Intrusion Detection Systems. It is based on Xubuntu 10.04 and contains Snort, Suricata, Sguil, Squert, Xplico, nmap, metasploit, Armitage, scapy, hping, netcat, tcpreplay, and many other security tools.

http://securityonion.blogspot.com/

Network Security Toolkit

The Network Security Toolkit (NST) is a Linux-based live CD that provides a set of open source computer security and networking tools to perform routine security and networking diagnostic and monitoring tasks. The distribution can be used as a network security analysis, validation and monitoring tool on servers hosting virtual machines. Other features include: visualization of ntop, wireshark, traceroute and kismet data by geolocating host addresses, IPv4 address conversations, traceroute data and wireless access points and displaying them via Google Earth or a Mercator world map bit image; a browser-based packet capture and protocol analysis system capable of monitoring up to four network interfaces using Wireshark; and a Snort-based intrusion detection system with a "collector" backend that stores incidents in a MySQL database.

http://www.networksecuritytoolkit.org

EasyIds

EasyIDS is an open source IDS (Intrusion Detection System) distribution based upon Snort. Built on CentOS and administered from a web-based management interface, EasyIDS takes the pain and frustration out of deploying an intrusion detection system.

Designed for the network security beginner with minimal Linux experience, EasyIDS can convert almost any industry-standard x86 computer into a fully functioning intrusion detection system in as little as 15 minutes. EasyIDS lowers deployment and maintenance costs for network security without compromising functionality or performance.

http://www.skynet-solutions.net/easyids/


Compiling snort 2.9.0.1

» 03 November 2010 » In Uncategorized » No Comments

Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis and content searching/matching, and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more. Snort has three primary uses: it can be used as a straight packet sniffer like tcpdump, as a packet logger, or as a full-blown network intrusion detection/prevention system. A few days ago a new version of Snort was released; in this version some things about compiling have slightly changed: libdnet and the Data AcQuisition library (DAQ) must be compiled separately. In this post I'm only going to illustrate how to compile and install Snort 2.9.0.1 from the source code.

Installation tested on Ubuntu Server 10.04 32bit.

Data AcQuisition library (build and install it as a package with checkinstall):

apt-get install flex bison  build-essential checkinstall libpcap0.8-dev libnet1-dev
wget --no-check-certificate   http://www.snort.org/downloads/363
tar xvfz 363
cd daq-0.3/
./configure
make
checkinstall
dpkg -i daq_0.3-1_i386.deb

Libdnet


wget http://libdnet.googlecode.com/files/libdnet-1.12.tgz
tar xvfz libdnet-1.12.tgz
cd libdnet-1.12/
./configure
make
checkinstall
dpkg -i libdnet_1.12-1_i386.deb
ln -s /usr/local/lib/libdnet.1.0.1 /usr/lib/libdnet.1

Snort

apt-get install libpcre3-dev libmysqlclient15-dev

wget --no-check-certificate http://www.snort.org/downloads/369

tar xvfz 369
cd snort-2.9.0.1/
./configure --with-mysql --enable-build-dynamic-examples  --enable-gre --enable-reload --enable-linux-smp-stats --enable-zlib
make
checkinstall
dpkg -i snort_2.9.0.1-1_i386.deb
ldconfig

At this point you need to configure the snort.conf file according to your environment.

Main features introduced in 2.9.0.1:

* Fixed maximum flowbits configuration parsing to specify the number of bits in accordance with the Snort manual, rather than number of bytes. If you have 'config flowbits_size' in your snort.conf, double check that it has the correct setting.

* Fixed a packet size issue with the IPQ and NFQ DAQs.

* Updated the version of LibPCRE bundled with the Windows installer. This update fixes a bug that caused some PCRE matches to fail on Windows.


Compiling snort 2.9.0

» 06 October 2010 » In Uncategorized » 12 Comments

Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis and content searching/matching, and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more. Snort has three primary uses: it can be used as a straight packet sniffer like tcpdump, as a packet logger, or as a full-blown network intrusion detection/prevention system. A few days ago a new version of Snort was released; in this version some things about compiling have slightly changed: libdnet and the Data AcQuisition library (DAQ) must be compiled separately. In this post I'm only going to illustrate how to compile and install Snort 2.9.0 from the source code.

Installation tested on Ubuntu Server 10.04 32bit.

Data AcQuisition library


apt-get install flex bison  build-essential checkinstall libpcap0.8-dev libnet1-dev
wget --no-check-certificate   http://www.snort.org/downloads/263
tar xvfz 263
cd daq-0.2/
./configure
make
checkinstall
dpkg -i daq_0.2-1_i386.deb

Libdnet


wget http://libdnet.googlecode.com/files/libdnet-1.12.tgz
tar xvfz libdnet-1.12.tgz
cd libdnet-1.12/
./configure
make
checkinstall
dpkg -i libdnet_1.12-1_i386.deb
ln -s /usr/local/lib/libdnet.1.0.1 /usr/lib/libdnet.1

Snort


apt-get install libpcre3-dev libmysqlclient15-dev
wget --no-check-certificate  http://www.snort.org/downloads/269
tar xvfz 269
cd snort-2.9.0
./configure --with-mysql --enable-build-dynamic-examples  --enable-gre --enable-reload --enable-linux-smp-stats --enable-zlib
make
checkinstall
dpkg -i snort_2.9.0-1_i386.deb

ldconfig

At this point you need to configure the snort.conf file according to your environment.

Main features introduced in 2.9.0:

* Feature rich IPS mode including improvements to Stream for inline deployments. Additionally a common active response API is used for all packet responses, including those from Stream, Respond, or React. A new response module, respond3, supports the syntax of both resp & resp2, including strafing for passive deployments. When Snort is deployed inline, a new preprocessor has been added to handle packet normalization to allow Snort to interpret a packet the same way as the receiving host.
* Use of a Data Acquisition API (DAQ) that supports many different packet access methods including libpcap, netfilterq, IPFW, and afpacket. For libpcap, version 1.0 or higher is now required. The DAQ library can be updated independently from Snort and is a separate module that Snort links. See README.daq for details on using Snort and the new DAQ.
* Updates to HTTP Inspect to extract and log IP addresses from X-Forward-For and True-Client-IP header fields when Snort generates events on HTTP traffic.
* A new rule option 'byte_extract' that allows extracted values to be used in subsequent rule options for isdataat, byte_test, byte_jump, and content distance/within/depth/offset.
* Updates to SMTP preprocessor to support MIME attachment decoding across multiple packets.
* Ability to "test" drop rules using Inline Test Mode. Snort will indicate in the unified2 or console event log that a packet would have been dropped if policy mode had been set to inline.
* Two new rule options to support base64 decoding of certain pieces of data and inspection of the base64 data via subsequent rule options.
* Updates to the Snort packet decoders for IPv6 for improvements to anomaly detection.
* Added a new pattern matcher that supports Intel's Quick Assist Technology for improved performance on supported hardware platforms. Visit http://www.intel.com to find out more about Intel Quick Assist. The following document describes Snort's integration with the Quick Assist Technology: http://download.intel.com/embedded/applications/networksecurity/324029.pdf.
* Reference applications for reading unified2 output that handle all unified2 record formats used by Snort.


Suricata 1.0.0 setup on Ubuntu 10.04

» 03 July 2010 » In Uncategorized » 7 Comments

A few days ago Suricata 1.0.0, the new open source intrusion detection system (IDS), was released. The main feature of this IDS is the multi-threaded engine, which is very useful when you have to monitor high-speed links: with a multi-core monster machine it lets you use all the available cores. Other IDSs use only a single core, with the risk of becoming ineffective by dropping packets under CPU overload. Other features present in Suricata are: IP reputation, multi-packet matching, and hardware acceleration support.

In this short How-To I'm going to cover an easy and effective way to compile and install Suricata on Ubuntu Server 10.04.

Add the suricata user and prepare the required folders:

useradd suricata -s /bin/false -c suricata_user
mkdir /etc/suricata
mkdir /var/log/suricata/
chown suricata.suricata /var/log/suricata/

Install the packages needed for compiling:

apt-get install libpcre3-dev libpcap-dev libyaml-dev zlib1g-dev libnet1  libnet1-dev libcap-ng-dev libhtp1 libnetfilter-queue-dev libnetfilter-queue1 libnfnetlink-dev libnfnetlink0 build-essential checkinstall

Get suricata and decompress:

cd /tmp/
wget http://openinfosecfoundation.org/download/suricata-1.0.0.tar.gz
tar xvfz suricata-1.0.0.tar.gz
cd suricata-1.0.0

Run ./configure --help to see all the build options.

This will build Suricata with IPS capabilities (NFQueue support):

./configure --enable-nfqueue

Suricata Configuration:
NFQueue support:          yes
IPFW support:             no
PF_RING support:          no
Prelude support:          no
Unit tests enabled:       no
Debug output enabled:     no
Debug validation enabled: no
CUDA enabled:             no
DAG enabled:              no
Profiling enabled:        no
GCC Protect enabled:      no
GCC march native enabled: yes
GCC Profile enabled:      no
Unified native time:      no
Non-bundled htp:          no

make

checkinstall

**********************************************************************

Done. The new package has been installed and saved to

/tmp/suricata-1.0.0/suricata_1.0.0-1_i386.deb

You can remove it from your system anytime using:

dpkg -r suricata

**********************************************************************

Install Suricata:

dpkg -i suricata_1.0.0-1_i386.deb

Copy the configuration files:

cp classification.config suricata.yaml /etc/suricata/

Edit the configuration file suricata.yaml according to your needs. The main sections to be configured are:

* The logging section, where you define which kind of output is suitable: plain text, or unified2-alert to be used with Barnyard2.
* The network interface, where you define the interface(s) on which Suricata runs: eth, wlan, br.
* The rule-path, where Suricata will look for the rules. In my case I'm sharing the same rules used by Snort, /etc/snort/rules.
* The HOME_NET, where you need to define the local addresses of your system/network.
* The libhtp config, where it is possible to configure the web server variables.

To start suricata:

suricata -D  -c /etc/suricata/suricata.yaml -s /etc/suricata/classification.config -i eth0

This is Suricata version 1.0.0
CPUs Summary:
CPUs online: 1
CPUs configured 1
Output module “AlertFastLog” registered.
Output module “AlertDebugLog” registered.
Output module “AlertUnifiedLog” registered.
Output module “AlertUnifiedAlert” registered.
Output module “Unified2Alert” registered.
Output module “LogHttpLog” registered.

You can tail the Suricata log to check that it is working, and run Inundator to generate some alerts. So far so good.

tail -f /var/log/suricata/fast.log

[**] [1:2001219:18] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 3] {6} 173.244.197.210:27041 -> victim_ip

[**] [1:2002911:4] ET SCAN Potential VNC Scan 5900-5920 [**] [Classification: Attempted Information Leak] [Priority: 3] {6} 173.244.197.210:27041 -> victim_ip

Thanks to all the Suricata developers for all the efforts placed to meet the 1st July deadline.
