It is hosted on my Ubuntu PPA, and you can find it here.
In early June, Leon Ward and I teamed up in Oslo chatting about his OpenFPC and my FPCGUI project. I met Leon for the first time in April 2009 at Sourcefires offices in Wokingham, UK, and I have chatted with him now and then on IRC etc. since then.
I started using Sourcefire 3D in December 2008, and the first thing I was missing was the lack of pcaps from the events that I got. The second was the real-time view that you get in Sguil (I can live without that though).
So I needed a second host that did full packet capture along side my new IPS/IDS. Just running tcpdump/daemonlogger/sancp is OK for a small installation, but carving out the sessions manually was taking time. I needed to script something that would take an easy interface, so I could quickly get a pcap from the whole sessions I was getting events from. So I was thinking of an API and a easy way to add this to the Sourcefire 3D WebGUI.
My PoC was FPCGUI (Full Packet Capture Graphical User Interface). It can take a query in the URL, search the flow data from its database and give you the sessions details if it exists. If you click on the session, you will get the pcap served straight in you face, and I choose to open my pcaps with wireshark. With a little grease monkey magic, this would have been an OK solution for satisfying my pcap needs working with SF3D.
I made my thoughts public in a blog post in September 2009 and started coding right away. I also discussed FPCGUI with Leon the day after I posted the blog. The first release that worked good enough for me was in January 2010. Leon released his project in May 2010, and I quickly saw that we where doing more or less the same. He had implemented the distributed node part, which I had not started to even draft, and I had the WebGUI and flowdata which gives more meaning and is more user friendly to the analyst.
So, instead of working on two separate projects (aiming for the same goal), we decided to join forces and merge the two projects. And as I thought that OpenFPC is a better name than FPCGUI, OpenFPC it is 🙂
I have merged my parts slowly into OpenFPC during the summer, with vacation time and changing job, I did not have much time for coding on the side. We also re-factored much of the code, file names etc., so getting thing to a working condition has been the main task.
As of the last weeks, I can now install OpenFPC and use it in the way that I want it again, like I did with FPCGUI. The plus is that I now have a command line interface, a distributed architecture (Not WebGUI friendly yet), and a way to automagically extract pcaps and files in it, for automatic analysis 🙂
To test my dream of automatic analysis, I used a setup similar to this earlier blog post where I more or less did the same. I carve the pcap with openfpc-client (which will come from an event from an IDS or nftracker), extract files with tcpxtract (or simular tools), scan files with ClamAV and also test md5/sha sums towards shadowserver, virustotal or wepawet. I tried some different infected and non infected PDF files. All files I had to test with was detected with ClamAV, even my home grown metasploit PDF. All known bad PDF files was detected with the md5/sha sum of the files towards the different services (shadow/VT/wepawet), but again, only ClamAV detected my home made metasploit PDF.
evil.pdf: Heuristics.PDF.ObfuscatedNameObject FOUND
So, now I will have more events to live with 🙂
I have spent the last week setting up a Ubuntu Launchpad PPA for my packages I used to hoste here on my blog.
The URL to my PPA is : https://launchpad.net/~ebf0/+archive/gamelinux
I pack the packages mainly for Lucid Lynx 10.04.
To try them out, you can add the following in /etc/apt/sources.list:
deb http://ppa.launchpad.net/ebf0/gamelinux/ubuntu lucid main
deb-src http://ppa.launchpad.net/ebf0/gamelinux/ubuntu lucid main
To add my key to you Ubuntu installation:
apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 4B04D050
Then you should be able to apt-get update, and then apt-get install my packages 🙂
Please try them out and give me feedback!
You will find my howto on how to configure them here.
Finally moving on to Ubuntu 10.04 LTS (lucid) and installing my sguil-client_0.7.0-3_all.deb package, I had to run into some problems…
ERROR: Cannot fine the Iwidgets extension.
The iwidgets package is part of the incr tcl extension and is
available as a port/package most systems.
See http://www.tcltk.com/iwidgets/ for more info.
Read here if you want to know more.
Install the sguil-client_0.7.0-3_all.deb again, and Bob is your uncle!
I also pinned the packages, so that an upgrade would not b0rk things.
Pin: release a=hardy
Pin: release a=lucid
Pin: release a=hardy
Pin: release a=lucid
Not sure if this is 100% correct, as I don’t have hardy in my sources.list, but it seems to work 🙂
For aptitude, use:
$ sudo aptitude hold itcl3 itk3
Back from vacation 🙂
I did pack 188.8.131.52, but it never made it to the public before I went on vacations
You can find 184.108.40.206 here:
-*> Snort! <*-
Version 220.127.116.11 IPv6 GRE (Build 39)
I haven’t seen any HOWTOs yet on how to use the feature of dividing up your network into multiple snort configuration files (Virtual Networks?). I have tried this on my sensors and it works great.
Before, one would solve the problem by firing up multiple instances of snort, each with their own sets of options/arguments. Now we only start one instance of snort with a default snort config, and including config files for each IP, IP-range or VLAN that one would like to monitor. The default snort config file is used as a fall-back if the traffic is not matched in one of the virtual configs.
config binding: /etc/snort/vips/snort-0.conf net 192.168.0.0/24
config binding: /etc/snort/vips/snort-1.conf net 192.168.1.0/24
config binding: /etc/snort/vips/snort-2.conf net 192.168.2.0/24
config binding: /etc/snort/vips/snort-3.conf vlan 1337
So, you have a default /etc/snort/snort.conf and configure that as a fall-back configuration (Catch all traffic not handled by your virtual configs) and then add the statements above. You can then configure snort-0.conf, snort-1.conf, snort-2.conf and snort-3.conf to handle their respective traffic (Variables, rules, preprocessors etc).
In this case, if you have:
192.168.0.0/24 on eth1
192.168.1.0/24 on eth2
192.168.2.0/24 on eth3
vlan 1337 on eth4
you would need to bond them together and have snort listen on the bonded interface.
My gut feelings are that there are some performance and memory benefits firing up one instance of snort configured with virtual-networks, then firing up X instances of snort, but I have not done any tests.
Read more in the README.multipleconfigs in the doc/ directory of the Snort Tarball.
*I would like to hear thoughts from other playing with this feature*
Small PADS info:
I bumped the version of pads to 1.2.1 (My version) after applying a patch that fixes many issues as follow:
PADS did not enable warnings during compilation. Enabling that revealed
that it did not actually include header files declaring the functions it
used. Fixing this revealed a multitude of little bugs of varying
- Uninitialized variables
- Unused variables
- Using close() instead of fclose()
- Using a bstring as a string, rather then using bdata()
- Useless statements
- Return without argument, even though function must return something
- Assuming time_t is int
- Passing pointers to arrays instead of the array itself
Many thanks to Erwin Paternotte for submitting this patch in the work of getting pads to work on Hardened Gentoo 64bit.
I just had to comment on this…
Read the advisory here.
My short comment; If you install any type of Software, or use any kind of mechanical devices, or do anything in life, be sure too know what you are doing.
If you buy a car, and the car door is not locked when you are handed the keys, do still lock the doors if you don’t want people to come into your car!
Snippets from the advisory:
"In order to completely protect against the vulnerability (in the short term), Nth Dimension recommend turning off the server and replacing it with another reverse proxy such as Squid."
That would be like stepping out of a Ferrari and crawling into twelve old Tractors… I don’t think people will do that Mr. Brown…
"Should this not be possible, Nth Dimension would strongly recommend that users confirm that the master process is not listening on an external network interface."
This is so much easier to do than migrate to Squid or alike? And the right thing to do if you are not in a trusted environment. Again, do lock your car door.
"In the latter case, users should confirm that only trusted users have SSH access to the system."
As a rule of thumb: You should NEVER have untrusted users on your systems if you value your data on it or the data accessible from it.
There are tons of information on how to harden a Operating System (OS). One of the first and most common step is to make sure the system does not listen on network ports that you don’t want it too. I feel that the advisory is bogus because it is a feature of Varnish.
The advisory should have been aimed at the distributions that have packages that don’t implement “non-clue friendly defaults”.
That said, there is nothing stopping me from sending out my passwords via email once I have installed a browser and I manage to log into my gmail account…
Subject: “Medium security hole in Mozilla Firefox”
Body: “I’ve identified a couple of security flaws affecting Mozilla Firefox (All versions) which may allow privilege escalation….”