Tag Archive > suricata

How to test Suricata with Pytbull

» 12 September 2011 » In Uncategorized » 3 Comments

Your favourite Intrusion Detection/Prevention System (IDS/IPS) has just been installed and is running, and you are probably wondering whether everything is working as it should, logging or dropping evil packets. Here comes Pytbull, a Python-based, flexible IDS/IPS testing framework shipped with more than 300 tests, grouped in 9 modules, covering a large scope of attacks (clientSideAttacks, testRules, badTraffic, fragmentedPackets, multipleFailedLogins, evasionTechniques, shellCodes, denialOfService, pcapReplay).

Testing your IDS/IPS with Pytbull will save you a big deal of time!

Let's assume we have an Ubuntu Linux testing box A with IP address 192.168.1.25 and a Smooth-Sec installation B with IP address 192.168.1.1.

On the testing box A (192.168.1.25), install all the required packages and dependencies:


#apt-get install python python-scapy nmap hping3 nikto tcpreplay python-iniparse

Download and unpack Pytbull:

#wget https://downloads.sourceforge.net/project/pytbull/pytbull-1.3.tar.bz2
#bzip2 -cd pytbull-1.3.tar.bz2 | tar xf -
#cd pytbull

Edit the Pytbull configuration file:

vim config.cfg


#Pytbull config file
[CLIENT]
#ip address of the IDS to test
ipaddr                  = 192.168.1.1
iface                   = eth0

[PATHS]
report                  = report.html
sudo                    = /usr/bin/sudo
nmap                    = /usr/bin/nmap
nikto                   = /usr/bin/nikto
niktoconf               = /root/pytbull/nikto.conf
hping3                  = /usr/sbin/hping3
tcpreplay               = /usr/bin/tcpreplay
urlpdf                  = http://droid-protector.com/borrar_ya/md5
alertsfile              = /var/log/suricata/fast.log

[CREDENTIALS]
ftpuser                 = pytbull
ftppasswd               = pytbull

Create the Nikto configuration file (the path set as niktoconf above) and add the following content:


#start nikto configuration file
SKIPPORTS=21 111
USERAGENT=Mozilla/4.75 (Nikto/@VERSION) (Evasions:@EVASIONS) (Test:@TESTID)
RFIURL=http://cirt.net/rfiinc.txt?
NIKTODTD=docs/nikto.dtd
DEFAULTHTTPVER=1.0
UPDATES=yes
MAX_WARN=20
CIRT=174.142.17.165
CHECKMETHODS=HEAD GET
@@MUTATE=dictionary;subdomain
@@DEFAULT=@@ALL;-@@MUTATE;tests(report:500)
#end nikto configuration file

Copy the Pytbull server script (the reverse shell used by the client-side attacks) to the Smooth-Sec box 192.168.1.1:

#scp server/pytbull-server.py root@192.168.1.1:

Define the kind of tests that you want to run against Suricata in the [TESTS] section at the end of the Pytbull configuration file config.cfg:

0 = disabled
1 = enabled

[TESTS]
clientSideAttacks = 1
testRules = 1
badTraffic = 1
fragmentedPackets = 1
multipleFailedLogins = 1
evasionTechniques = 1
shellCodes = 1
denialOfService = 1
pcapReplay = 1

On the Smooth-Sec box B (192.168.1.1), install the FTP and web servers used by the tests and create the pytbull user, with its home in the Suricata log directory so that the alerts file can be retrieved:

#apt-get install vsftpd apache2
#adduser --home /var/log/suricata --shell /bin/bash pytbull
#usermod -G suricata pytbull

Start the reverse shell on the Smooth-Sec box 192.168.1.1:


#python pytbull-server.py  --port 34567

                                 _   _           _ _
                     _ __  _   _| |_| |__  _   _| | |
                    | '_ \| | | | __| '_ \| | | | | |
                    | |_) | |_| | |_| |_) | |_| | | |
                    | .__/ \__, |\__|_.__/ \__,_|_|_|
                    |_|    |___/
                       Sebastien Damaye, aldeid.com

Checking root privileges......................................... [   OK   ]
Checking port to use............................................. [   OK   ]

Server started on port: 34567
Listening...

Run the tests from 192.168.1.25 against 192.168.1.1:


#python pytbull.py -t 192.168.1.1

                     _ __  _   _| |_| |__  _   _| | |
                    | '_ \| | | | __| '_ \| | | | | |
                    | |_) | |_| | |_| |_) | |_| | | |
                    | .__/ \__, |\__|_.__/ \__,_|_|_|
                    |_|    |___/
                       Sebastien Damaye, aldeid.com

BASIC CHECKS
------------
Checking root privileges......................................... [   OK   ]
Checking remote port 21/tcp (FTP)................................ [   OK   ]
Checking remote port 22/tcp (SSH)................................ [   OK   ]
Checking remote port 80/tcp (HTTP)............................... [   OK   ]
Checking path for sudo........................................... [   OK   ]
Checking path for nmap........................................... [   OK   ]
Checking path for nikto.......................................... [   OK   ]
Checking path for niktoconf...................................... [   OK   ]
Checking path for hping3......................................... [   OK   ]
Checking path for tcpreplay...................................... [   OK   ]
Removing temporary file.......................................... [   OK   ]

TESTS
------------
Client Side Attacks.............................................. [   yes  ]
Test Rules....................................................... [   yes  ]
Bad Traffic...................................................... [   yes  ]
Fragmented Packets............................................... [   yes  ]
Multiple Failed Logins........................................... [   yes  ]
Evasion Techniques............................................... [   yes  ]
ShellCodes....................................................... [   yes  ]
Denial of Service................................................ [   yes  ]
Pcap Replay...................................................... [   yes  ]

-----------------------
DONE. Check the report.
-----------------------

Report view: on the testing machine 192.168.1.25, copy the report into the web root and open http://192.168.1.25 with your web browser.

cp report.html /var/www/

Restore the Smooth-Sec box (192.168.1.1) to its previous state:

apt-get remove vsftpd apache2
deluser pytbull
rm pytbull-server.py
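A simple way to confirm on your own that a test module really produced alerts is to note the length of the alerts file (the alertsfile key in config.cfg above) before running it and parse whatever Suricata appended afterwards. The following is an added example, not pytbull's own code; the fast.log lines are constructed, in the timestamp-less form in which alerts are quoted on this page (Suricata's leading timestamp is accepted as well).

```python
import re

# Suricata fast.log alert line; the leading timestamp that suricata writes is
# optional so both the raw file and the quoted lines parse. Added example,
# not part of pytbull.
FAST_RE = re.compile(
    r"^(?:(?P<ts>\S+)\s+\[\*\*\]\s+)?\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+\[Classification:\s*(?P<cls>[^\]]*)\]\s+"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\S+?)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>\S+?)(?::(?P<dport>\d+))?\s*$"
)


def parse_fast_log(text):
    """Return one dict per well-formed alert line; anything else is skipped."""
    alerts = []
    for line in text.splitlines():
        m = FAST_RE.match(line.strip())
        if m:
            alerts.append(m.groupdict())
    return alerts


def new_alerts(log_text, offset):
    """Alerts appended after `offset`, the log length noted before a test ran."""
    return parse_fast_log(log_text[offset:])


def missing_sids(alerts, expected_sids):
    """Signatures a test should have fired that are absent from the new alerts."""
    seen = {a["sid"] for a in alerts}
    return sorted(set(expected_sids) - seen)


# Constructed alerts file: one alert logged before the test, two during it.
SAMPLE_LOG = (
    "[1:2001219:18] ET SCAN Potential SSH Scan [**] "
    "[Classification: Attempted Information Leak] [Priority: 3] {6} "
    "192.168.1.25:41022 -> 192.168.1.1:22\n"
    "[1:2002911:4] ET SCAN Potential VNC Scan 5900-5920 [**] "
    "[Classification: Attempted Information Leak] [Priority: 3] {6} "
    "192.168.1.25:41023 -> 192.168.1.1:5900\n"
    "[1:2002995:6] ET SCAN Rapid IMAPS Connections - Possible Brute Force Attack "
    "[**] [Classification: Misc activity] [Priority: 3] {6} "
    "192.168.1.25:41024 -> 192.168.1.1:993\n"
)
OFFSET_BEFORE_TEST = SAMPLE_LOG.index("[1:2002911")  # log length noted before the test
```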


Scaling Smooth-Sec up to 64 Gb of ram memory

» 01 June 2011 » In Uncategorized » 1 Comment


Smooth-Sec is built on Ubuntu Server 10.04 32-bit (www.turnkeylinux.org), which means the system won't recognize more than 3 GB of memory. An available workaround is to install a PAE (Physical Address Extension) kernel, which allows PAE-capable processors to address physical memory up to 64 GB (36-bit address bus). In this how-to I'm going to show how to install a PAE kernel in order to enjoy Suricata and Snorby at full power. If you have enough RAM please consider the Suricata High Performance Configuration reported here. Feedback and comments will be very much appreciated.

For instance, with Smooth-Sec installed with the default 2.6.32-30-generic kernel on a server with 8 GB of RAM, running free -m shows only 3 of the 8 GB installed.

#free -m

total
Mem: 3072

Now we need to determine if our CPU has PAE support. If the command returns nothing, the CPU does not have PAE support.

#grep pae /proc/cpuinfo
flags : fpu vme de pse tsc msr pae
flags : fpu vme de pse tsc msr pae

Installing the linux PAE kernel:

#apt-get update

#apt-get install linux-generic-pae linux-headers-generic-pae

and reboot

Check if the correct kernel is loaded: uname -a must return 2.6.32-32-generic-pae.

#uname -a

Check if the correct amount of RAM is recognised by the system.

#free -m
total
Mem: 8192

Photo by http://www.flickr.com/photos/jepoirrier/


Upgrade to suricata 1.1 beta 2 on Smooth-Sec

» 14 April 2011 » In Uncategorized » No Comments

Since the release of Smooth-Sec this is the first time that we are upgrading Suricata. This release brings a lot of new features, improvements and a few fixes. If you want to know more about the new IPS features in Suricata 1.1 beta 2 please refer to Eric Leblond's blog post. Thanks to Victor Julien for all the efforts in the new release.

Please follow these simple steps to upgrade to the new Suricata:

#stop suricata
/etc/init.d/suricata stop
#make a backup of the old suricata
cp -a  /etc/suricata/ /etc/suricata.1.1beta1
cd /root/
#get the new suricata and install it
git clone git://gitorious.org/smooth-sec/suricata-1-1beta2.git
cd suricata-1-1beta2/
cp suricata.yaml /etc/suricata
dpkg -i suricata_1.1beta2-1_i386.deb

Run suricata -V to check that the new version is installed; you must get this output:

This is Suricata version 1.1beta2 (rev )

Then start Suricata again:

/etc/init.d/suricata start

Below you can find a brief summary of the new Suricata functionalities.

New features

- New keyword support: http_raw_uri (including /I for pcre), ssl_state, ssl_version (#258, #259, #260, #262).
- Inline mode for the stream engine (#230, #248).
- New keyword support: nfq_set_mark
- Included an example decoder-events.rules file
- api for adding and selecting runmodes was added
- pcap logging / recording output was added
- basic SCTP protocol parsing was added
- more fine grained CPU affinity setting support was added

Improvements

- stream engine inspects stream in larger chunks
- fast_pattern support for http_method content modifier (#255)
- negation support for isdataat keyword (#257)
- configurable interval for stats.log updates (#247)
- new pf_ring runmode was added that scales better
- pcap live mode now handles the monitor interface going up and down
- several QA additions to “make check”
- NFQ (linux inline) mode was improved

Fixes

- Alerts classification fix (#275)
- compiles and runs on big-endian systems (#63)
- unified2 output works around barnyard2 issues with DLT_RAW + IPv6


Suricata 1.0.0 setup on Ubuntu 10.04

» 03 July 2010 » In Uncategorized » 7 Comments

A few days ago Suricata 1.0.0, the new open source intrusion detection system (IDS), was released. The main feature of this IDS is the multi-threaded engine, which is very useful when you have to monitor high speed links: a multi-core monster machine lets you use all the cores available. Other IDSs use only a single core, with the risk of becoming ineffective by dropping packets due to CPU overload. Other features present in Suricata are: IP reputation, multi-packet matching and hardware acceleration support.

In this short How-To I’m going to cover an easy and effective way to compile and install Suricata on Ubuntu Server 10.04.

Add the suricata user and prepare the required folders:

useradd suricata -s /bin/false -c suricata_user
mkdir /etc/suricata
mkdir /var/log/suricata/
chown suricata.suricata /var/log/suricata/

Install the packages needed for compiling:

apt-get install libpcre3-dev libpcap-dev libyaml-dev zlib1g-dev libnet1  libnet1-dev libcap-ng-dev libhtp1 libnetfilter-queue-dev libnetfilter-queue1 libnfnetlink-dev libnfnetlink0 build-essential checkinstall

Get suricata and decompress:

cd /tmp/
wget http://openinfosecfoundation.org/download/suricata-1.0.0.tar.gz
tar xvfz suricata-1.0.0.tar.gz
cd suricata-1.0.0

Run ./configure --help to see all the build options.

This will build Suricata with IPS capabilities (NFQUEUE support):

./configure --enable-nfqueue

Suricata Configuration:
NFQueue support:          yes
IPFW support:             no
PF_RING support:          no
Prelude support:          no
Unit tests enabled:       no
Debug output enabled:     no
Debug validation enabled: no
CUDA enabled:             no
DAG enabled:              no
Profiling enabled:        no
GCC Protect enabled:      no
GCC march native enabled: yes
GCC Profile enabled:      no
Unified native time:      no
Non-bundled htp:          no

make

checkinstall

**********************************************************************

Done. The new package has been installed and saved to

/tmp/suricata-1.0.0/suricata_1.0.0-1_i386.deb

You can remove it from your system anytime using:

dpkg -r suricata

**********************************************************************

Install suricata with dpkg -i suricata_1.0.0-1_i386.deb

Copy the configuration files:

cp classification.config suricata.yaml /etc/suricata/

Edit the configuration file suricata.yaml according to your needs. The main sections to be configured are:

- The logging section, where you define which kind of output is suitable: plain text, or unified2-alert to be used with Barnyard2.
- The network interface, where you define the network interface(s) on which you are running Suricata: eth, wlan, br.
- The rule-path, where Suricata will look for the rules. In my case I'm sharing the same rules used by Snort, /etc/snort/rules.
- The HOME_NET, where you need to define the local addresses of your system/network.
- The libhtp config, where it is possible to configure the web server variables.

To start suricata:

suricata -D  -c /etc/suricata/suricata.yaml -s /etc/suricata/classification.config -i eth0

This is Suricata version 1.0.0
CPUs Summary:
CPUs online: 1
CPUs configured 1
Output module “AlertFastLog” registered.
Output module “AlertDebugLog” registered.
Output module “AlertUnifiedLog” registered.
Output module “AlertUnifiedAlert” registered.
Output module “Unified2Alert” registered.
Output module “LogHttpLog” registered.

You can tail the Suricata log to check whether it is working, and run Inundator to create some alerts. So far so good.

tail -f /var/log/suricata/fast.log

[1:2001219:18] ET SCAN Potential SSH Scan [**]
[Classification: Attempted Information Leak]
[Priority: 3] {6} 173.244.197.210:27041 -> victim_ip

[1:2002911:4] ET SCAN Potential VNC Scan 5900-5920
[**] [Classification: Attempted Information Leak]
[Priority: 3] {6} 173.244.197.210:27041 -> victim_ip

Thanks to all the Suricata developers for all the efforts placed to meet the 1st July deadline.


Inundator: anonymous IDS evasion

» 02 July 2010 » In Uncategorized » 5 Comments

Inundator is an IDS evasion tool that can generate an overwhelming number of false positives while you are performing the attack, in order to minimize detection. One of the main features of Inundator is the possibility to send false attacks anonymously via a SOCKS proxy; the use of Tor is strongly recommended. Other features are multithreading, a queue-driven design and multiple-target support. The concept behind Inundator is to read the Snort rules and generate packets or traffic from each parsed rule; the key to success is the IDS configuration on the target machine, since a good configuration will determine whether our false attacks are detected or not.

To get and install Inundator go to inundator.sourceforge.net.

I tried Inundator against Suricata, and I was amazed to see the false positive attacks filling the Suricata IDS log.

Example:

inundator -r /etc/snort/rules   -p localhost:9050  victim_ip

where -r is the path to the Snort rules location,
-p is the SOCKS proxy configuration (host:port),
and the last argument is the victim IP.

On the Suricata IDS sensor:

[1:2001219:18] ET SCAN Potential SSH Scan [**]
[Classification: Attempted Information Leak]
[Priority: 3] {6} 173.244.197.210:27041 -> victim_ip

[1:2002995:6] ET SCAN Rapid IMAPS Connections – Possible Brute Force Attack
[**] [Classification: Misc activity]
[Priority: 3] {6}  173.244.197.210:27041  -> victim_ip

[1:2002911:4] ET SCAN Potential VNC Scan 5900-5920
[**] [Classification: Attempted Information Leak]
[Priority: 3] {6} 173.244.197.210:27041 -> victim_ip

Just to double check that the attack was coming from a Tor exit node, I searched for the IP 173.244.197.210 on this list.

Being quiet is not always a good idea.
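From the sensor side, the tell-tale pattern of an Inundator run is a single source address tripping many different signatures within seconds, as in the fast.log excerpt above. The following added example (not code from Inundator or Suricata) parses fast.log lines carrying Suricata's timestamp prefix and flags such sources with a sliding time window; the log lines and the RFC 5737 addresses in them are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# fast.log line with suricata's timestamp prefix; only ts, sid and source are captured.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[\d+:(?P<sid>\d+):\d+\]\s+.*?\{[^}]+\}\s+"
    r"(?P<src>[^\s:]+)(?::\d+)?\s+->\s+\S+\s*$"
)


def parse(text):
    """(timestamp, source ip, sid) for every well-formed alert line."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%m/%d/%Y-%H:%M:%S.%f")
            out.append((ts, m.group("src"), m.group("sid")))
    return out


def noisy_sources(alerts, window_seconds=60, min_distinct_sids=3):
    """Map src -> peak number of distinct sids seen inside one sliding window, for sources at or above the threshold."""
    by_src = defaultdict(list)
    for ts, src, sid in alerts:
        by_src[src].append((ts, sid))
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        peak, start = 0, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window so it spans at most window_seconds
            peak = max(peak, len({sid for _, sid in events[start:end + 1]}))
        if peak >= min_distinct_sids:
            flagged[src] = peak
    return flagged


def _line(ts, sid, msg, src, dport):  # one constructed fast.log line (documentation addresses)
    return (f"{ts}  [**] [1:{sid}:1] {msg} [**] [Classification: Misc activity] "
            f"[Priority: 3] {{6}} {src}:27041 -> 192.0.2.10:{dport}")


SAMPLE_LOG = "\n".join([
    _line("07/02/2010-10:15:01.000000", 2001219, "ET SCAN Potential SSH Scan", "198.51.100.7", 22),
    _line("07/02/2010-10:15:02.000000", 2002995, "ET SCAN Rapid IMAPS Connections", "198.51.100.7", 993),
    _line("07/02/2010-10:15:03.000000", 2002911, "ET SCAN Potential VNC Scan", "198.51.100.7", 5900),
    _line("07/02/2010-10:20:00.000000", 2001219, "ET SCAN Potential SSH Scan", "192.0.2.9", 22),
])
```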
