Debian, forensics, Information, Linux Distributions, OpenSourceSoftware, Suricata, Ubuntu

Suricata 1.0.2 Debian/Ubuntu package

Instead of compiling Suricata over and over again on different hosts I have… I just made a Debian package for my Ubuntu Lucid 10.04 systems.

It's a simple build, and I'll hopefully update it over time to add usage and install help etc.
Right now it's just aimed at being a simple IDS using libpcap.

You can find suricata and other cool NSM stuff at my gamelinux PPA found here.

apt-get install suricata
cd /etc/suricata/ && wget http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz
vim /etc/default/suricata
vim /etc/suricata/suricata.yaml
/etc/init.d/suricata start

Feedback and thoughts are welcome and needed 🙂 !

daemonlogger, forensics, fpcgui, Information, Linux Distributions, Metasploit, OpenFPC, OpenSourceSoftware, Security, Ubuntu

FPCGUI -> OpenFPC

In early June, Leon Ward and I teamed up in Oslo chatting about his OpenFPC and my FPCGUI project. I met Leon for the first time in April 2009 at Sourcefire's offices in Wokingham, UK, and I have chatted with him now and then on IRC etc. since then.

I started using Sourcefire 3D in December 2008, and the first thing I missed was pcaps for the events I got. The second was the real-time view you get in Sguil (I can live without that, though).

So I needed a second host doing full packet capture alongside my new IPS/IDS. Just running tcpdump/daemonlogger/sancp is OK for a small installation, but carving out the sessions manually was taking time. I needed to script something with an easy interface, so I could quickly get a pcap of the whole session I was getting events from. So I was thinking of an API and an easy way to add this to the Sourcefire 3D WebGUI.

My PoC was FPCGUI (Full Packet Capture Graphical User Interface). It takes a query in the URL, searches the flow data in its database and gives you the session details if they exist. If you click on the session, you get the pcap served straight in your face, and I chose to open my pcaps with Wireshark. With a little Greasemonkey magic, this would have been an OK solution for satisfying my pcap needs when working with SF3D.

I made my thoughts public in a blog post in September 2009 and started coding right away. I also discussed FPCGUI with Leon the day after I posted the blog. The first release that worked well enough for me was in January 2010. Leon released his project in May 2010, and I quickly saw that we were doing more or less the same thing. He had implemented the distributed node part, which I had not even started to draft, and I had the WebGUI and flow data, which gives more meaning and is more user friendly to the analyst.

So, instead of working on two separate projects (aiming for the same goal), we decided to join forces and merge the two projects. And as I thought OpenFPC is a better name than FPCGUI, OpenFPC it is 🙂

I have merged my parts slowly into OpenFPC during the summer; with vacation time and changing jobs, I did not have much time for coding on the side. We also refactored much of the code, file names etc., so getting things to a working condition has been the main task.

As of the last weeks, I can now install OpenFPC and use it the way I want again, like I did with FPCGUI. The plus is that I now have a command line interface, a distributed architecture (not WebGUI friendly yet), and a way to automagically extract pcaps and the files in them, for automatic analysis 🙂

To test my dream of automatic analysis, I used a setup similar to this earlier blog post, where I more or less did the same. I carve the pcap with openfpc-client (triggered by an event from an IDS or nftracker), extract files with tcpxtract (or similar tools), scan the files with ClamAV and also check the md5/sha sums against shadowserver, virustotal or wepawet. I tried some different infected and non-infected PDF files. All the files I tested with were detected by ClamAV, even my home grown Metasploit PDF. All known bad PDF files were detected by looking up the md5/sha sums with the different services (shadow/VT/wepawet), but again, only ClamAV detected my home made Metasploit PDF.
evil.pdf: Heuristics.PDF.ObfuscatedNameObject FOUND
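As an added example (not OpenFPC's or the post's own code), the middle of the pipeline just described in Python: carve files out of captured payload, hash them, and check the sums against a known-bad list. The payload and the known-bad list are constructed for the example; a real run would feed in pcap payload and query a hash service as the post does.

```python
# Added example, not OpenFPC's or the post's own code: the middle of the
# pipeline above, carving files out of captured payload, hashing them and
# checking the sums against a known-bad list. Payload and list are constructed;
# a real run would feed pcap payload in and query a hash service as the post does.
import hashlib
import re
from typing import Dict, List, Set, Tuple

# A PDF starts with "%PDF-" and ends at "%%EOF". Non-greedy so two PDFs in one
# stream are split. Caveat: a PDF with incremental updates has several %%EOF
# markers, so this simple rule truncates it; tcpxtract-style carvers add a
# maximum size and smarter footer handling for that case.
PDF_RE = re.compile(rb"%PDF-.*?%%EOF\r?\n?", re.DOTALL)


def carve_pdfs(payload: bytes) -> List[bytes]:
    """Return every PDF found in a reassembled payload, in stream order."""
    return [m.group(0) for m in PDF_RE.finditer(payload)]


def hash_file(data: bytes) -> Dict[str, str]:
    """The md5 and sha256 sums a lookup service would be queried with."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def check_against_known_bad(files: List[bytes], known_bad: Set[str]) -> List[Tuple[int, str, bool]]:
    """For each carved file: (index in stream, sha256, True if a sum is on the list)."""
    results = []
    for i, data in enumerate(files):
        h = hash_file(data)
        results.append((i, h["sha256"], h["md5"] in known_bad or h["sha256"] in known_bad))
    return results


# Constructed sample: a captured stream in which two small PDFs appear with other data between them.
PDF_A = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"
PDF_B = b"%PDF-1.4\n2 0 obj << /Type /Catalog /Pages 3 0 R >> endobj\n%%EOF\n"
SAMPLE_PAYLOAD = (b"HTTP/1.1 200 OK\r\nContent-Type: application/pdf\r\n\r\n"
                  + PDF_A + b"<html>unrelated</html>" + PDF_B)
# Constructed known-bad list: PDF_B's sha256 stands in for a hit from a hash service.
KNOWN_BAD = {hashlib.sha256(PDF_B).hexdigest()}


def run_demo() -> List[Tuple[int, str, bool]]:
    return check_against_known_bad(carve_pdfs(SAMPLE_PAYLOAD), KNOWN_BAD)
```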

So, now I will have more events to live with 🙂

cxtracker, daemonlogger, Debian, forensics, Linux Distributions, OpenSourceSoftware, PADS, Security, Sguil, Snort, Suricata, Ubuntu

Ubuntu repo for sguil

I have spent the last week setting up an Ubuntu Launchpad PPA for the packages I used to host here on my blog.

The URL to my PPA is: https://launchpad.net/~ebf0/+archive/gamelinux

I package mainly for Lucid Lynx 10.04.
To try them out, add the following to /etc/apt/sources.list:
deb http://ppa.launchpad.net/ebf0/gamelinux/ubuntu lucid main
deb-src http://ppa.launchpad.net/ebf0/gamelinux/ubuntu lucid main

To add my key to your Ubuntu installation:
apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 4B04D050

Then you should be able to apt-get update and apt-get install my packages 🙂

Please try them out and give me feedback!
You will find my howto on how to configure them here.

Happy F8’ing!

OpenSourceSoftware

Themes and plugins for WordPress on Ubuntu 10.04 LTS (Lucid)

As three of my hosts were going down permanently at more or less the same time, I have spent the last two months moving my infrastructure to a new host. The host that was serving my blog http://www.gamelinux.org was an outdated Debian Etch (the last update from Debian was on 22 May 2010, so about time to upgrade!!!). The old WordPress version on Etch was 2.0.10 and the WordPress shipping with Ubuntu 10.04 Lucid is 2.9.2. So after a simple mysqldump from my old installation and importing it into the new one, WordPress automatically updated what it needed in the DB and things kinda worked OK. I had to change to a default theme before everything was 100%.

But the default theme is kinda dull, and Akismet was complaining about available updates, but trying to upgrade or install new themes brought me to a “strange” page (just new to me) where I had to add FTP/SFTP credentials… A quick Google told me that this happens if WordPress does not have the permissions it wants on the file system. It then tries to FTP to the host it is running on, adding the new files that way… Going through search results to find a solution not involving FTP kinda scared me… People were recursively changing the owner of the whole directory where WordPress was installed. I'm not a fan of such a method, especially when I have installed WordPress from the standard Ubuntu repository. I also can not see a valid reason why WordPress should not be able to install and update stuff based on the permissions in the directory where it is installed!

So, digging into the code to see why it chose the FTP method, with the intention of forcing it to ignore errors and install on the file system anyway, I saw in the file “/usr/share/wordpress/wp-admin/includes/file.php”, above the function get_filesystem_method, that one can define an override in the configuration file:

* Note that the return value of this function can be overridden in 2 ways
* - By defining FS_METHOD in your wp-config.php file
* - By using the filesystem_method filter
* Valid values for these are: 'direct', 'ssh', 'ftpext' or 'ftpsockets'

So I added in my /etc/wordpress/config-www.gamelinux.org.php:

define('FS_METHOD', 'direct');

and tried to upgrade Akismet again… TaDa!!! It worked! I tried to install a theme… TaDa!!! It worked!

So I’m adding this as my first post on my newly upgraded WordPress, to hopefully help others who are annoyed that there were no really good/usable solutions when googling for the problem.

Information, Linux Distributions, OpenSourceSoftware, Security, Sguil, Ubuntu

Ubuntu 10.04 and my sguil-client .deb package

Finally moving on to Ubuntu 10.04 LTS (lucid) and installing my sguil-client_0.7.0-3_all.deb package, I ran into some problems…

$ ./sguil.tk
ERROR: Cannot fine the Iwidgets extension.
The iwidgets package is part of the incr tcl extension and is
available as a port/package most systems.
See http://www.tcltk.com/iwidgets/ for more info.

Read here if you want to know more.

Quick and dirty, this is how I fixed it after installing the sguil-client:

$ sudo apt-get remove tcl8.5

Install itk3 and itcl3 from here and here.
Then:

$ sudo apt-get install iwidgets4

Install the sguil-client_0.7.0-3_all.deb again, and Bob is your uncle!

I also pinned the packages, so that an upgrade would not b0rk things.
In /etc/apt/preferences.d/00Sguil:

Package: itcl3
Pin: release a=hardy
Pin-Priority: 900

Package: itcl3
Pin: release a=lucid
Pin-Priority: -10

Package: itk3
Pin: release a=hardy
Pin-Priority: 900

Package: itk3
Pin: release a=lucid
Pin-Priority: -10

Not sure if this is 100% correct, as I don’t have hardy in my sources.list, but it seems to work 🙂
For aptitude, use:

$ sudo aptitude hold itcl3 itk3

Enjoy!

Information, OpenSourceSoftware, Security, Snort

Virtual splitting networks in Snort

I haven’t seen any HOWTOs yet on how to use the feature of dividing your network into multiple snort configuration files (virtual networks?). I have tried this on my sensors and it works great.

Before, one would solve the problem by firing up multiple instances of snort, each with its own set of options/arguments. Now we start only one instance of snort with a default snort config, including config files for each IP, IP range or VLAN that one would like to monitor. The default snort config file is used as a fall-back if the traffic is not matched by one of the virtual configs.

example:

config binding: /etc/snort/vips/snort-0.conf net 192.168.0.0/24
config binding: /etc/snort/vips/snort-1.conf net 192.168.1.0/24
config binding: /etc/snort/vips/snort-2.conf net 192.168.2.0/24
config binding: /etc/snort/vips/snort-3.conf vlan 1337

So, you have a default /etc/snort/snort.conf, configure that as a fall-back configuration (catching all traffic not handled by your virtual configs) and then add the statements above. You can then configure snort-0.conf, snort-1.conf, snort-2.conf and snort-3.conf to handle their respective traffic (variables, rules, preprocessors etc.).
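As an added example (not the post's or Snort's own code), a small Python model of the dispatch described above: it parses the four binding lines and shows which config a packet with given addresses and VLAN tag would be handled by, falling back to the default snort.conf. The precedence it uses (VLAN bindings first, then a net match on either the source or destination address, first matching binding wins) is an assumption of the model, not taken from Snort's source.

```python
# Added example (not from the post or from Snort): a model of how Snort's
# "config binding:" lines dispatch a packet to a virtual config, falling back
# to the default snort.conf. Assumptions: VLAN bindings are checked before net
# bindings, a net matches on either address, and the first match wins.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed copy of the four binding lines discussed in the post.
BINDINGS_TEXT = """\
config binding: /etc/snort/vips/snort-0.conf net 192.168.0.0/24
config binding: /etc/snort/vips/snort-1.conf net 192.168.1.0/24
config binding: /etc/snort/vips/snort-2.conf net 192.168.2.0/24
config binding: /etc/snort/vips/snort-3.conf vlan 1337
"""
DEFAULT_CONF = "/etc/snort/snort.conf"     # the fall-back config

@dataclass
class Binding:
    conf: str
    kind: str                                # "net" or "vlan"
    nets: List[ipaddress.IPv4Network]
    vlans: List[int]

def parse_bindings(text: str) -> List[Binding]:
    # Accepts 'config binding: <conf> net <cidr[,cidr]>' and '... vlan <id[,id]>'.
    bindings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("config binding:"):
            continue                         # ignore other snort.conf lines
        parts = line.split(":", 1)[1].split()
        if len(parts) != 3 or parts[1] not in ("net", "vlan"):
            raise ValueError(f"malformed binding: {line!r}")
        conf, kind, arg = parts
        nets = [ipaddress.ip_network(n, strict=False) for n in arg.split(",")] if kind == "net" else []
        vlans = [int(v) for v in arg.split(",")] if kind == "vlan" else []
        bindings.append(Binding(conf, kind, nets, vlans))
    return bindings

def select_config(bindings: List[Binding], src: str, dst: str, vlan: Optional[int] = None) -> str:
    """Return the config file that would handle a packet with these headers."""
    if vlan is not None:
        for b in bindings:
            if b.kind == "vlan" and vlan in b.vlans:
                return b.conf
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for b in bindings:
        if b.kind == "net" and any(s in n or d in n for n in b.nets):
            return b.conf
    return DEFAULT_CONF                      # nothing matched: fall back
```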

In this case, if you have:
192.168.0.0/24 on eth1
192.168.1.0/24 on eth2
192.168.2.0/24 on eth3
vlan 1337 on eth4

you would need to bond them together and have snort listen on the bonded interface.

My gut feeling is that there are some performance and memory benefits to firing up one instance of snort configured with virtual networks rather than X instances of snort, but I have not done any tests.

Read more in the README.multipleconfigs in the doc/ directory of the Snort Tarball.

*I would like to hear thoughts from others playing with this feature*

Information, Linux Distributions, OpenSourceSoftware, PADS, Security, Sguil

Bumped version on PADS

Small PADS info:

I bumped the version of pads to 1.2.1 (my version) after applying a patch that fixes many issues, as follows:
PADS did not enable warnings during compilation. Enabling that revealed
that it did not actually include header files declaring the functions it
used. Fixing this revealed a multitude of little bugs of varying
severity, including:
- Uninitialized variables
- Unused variables
- Using close() instead of fclose()
- Using a bstring as a string, rather than using bdata()
- Useless statements
- Return without argument, even though function must return something
- Assuming time_t is int
- Passing pointers to arrays instead of the array itself

Many thanks to Erwin Paternotte for submitting this patch in his work on getting pads to work on Hardened Gentoo 64bit.
