Ntop is an extraordinary tool that helps you to know more about your network traffic. Luca Deri’s tool has a lot of features and I use it mainly to know quickly what kind of traffic is being generated in my network thanks to its web interface with summaries and rrd charts.

Years ago I used it to identify SQL Slammer worm and since then this tool is in my arsenal to analyze weird network behaviour.

Ok. In case you didn’t notice I love configure and make but ntop is so popular that you can find ntop in the backports repository:

1. Add the following line to your /etc/apt/sources.list: deb http://backports.debian.org/debian-backports squeeze-backports main
2. apt-get update
3. apt-get install ntop
4. Type the admin user password for ntop’s web interface
5. Ntop will be started.
6. Open a browser and go to http://x.x.x.x:3000 where x.x.x.x is the ip address of the host where ntop is installed.. of course!
7. Debian will install a ntop init.d service, so if you want to stop ntop: /etc/init.d/ntop stop

Ok!. If you want to use the latest stable version … yes configure and make !!:

1. apt-get install build-essential libtool automake autoconf libpcap-dev libgdbm-dev zlib1g-dev rrdtool librrd-dev libssl-dev python-dev libgeoip-dev graphviz libgraphviz-dev
2. cd /opt
3. Download ntop (e.g wget http://switch.dl.sourceforge.net/project/ntop/ntop/Stable/ntop-4.1.0.tar.gz )
4. tar xfz ntop-4.1.0.tar.gz
5. cd ntop-4.1.0/
6. ./autogen.sh
7. make
8. make install
9. ldconfig – So libraries can be found (Thanks Garrie!)
10. You’ll find ntop files in /usr/local according to ./configure:Data files are in     /usr/local/share/ntop
    Config files are in   /usr/local/etc/ntop
    Run directory is      /usr/local/var/ntop
    Plugin files are in   /usr/local/lib/ntop/plugins
    Database files are in /usr/local/var/ntop
    Libraries have been installed in: /usr/local/lib
11. chown -R nobody:nogroup /usr/local/var/ntop
12. Ok now from the command line run: ntop
13. Ntop will ask you for the admin passwordntop startup – waiting for user response!Please enter the password for the admin user:
    Please enter the password again:
14. Access to http://x.x.x.x:3000
15. Nice charts!
16. Use Ctrl-C from the command line to stop ntop.

Ok. That’s all.  Any comments are welcomed!

P.S: I’m trying to write new posts about Snorby and Suricata but I need more time!

Now I want to use it in my Fedora 15 and thanks to Mono you can run it on Linux machines following these instructions. Anyway, these are the steps for Fedora 15:

1. Download the portable version of KeePass and unzip it into a folder.
2. Install Mono and Xdotool packages:

   yum install mono-addins mono-core mono-data mono-data-sqlite mono-extras mono-mvc mono-wcf mono-web mono-winforms mono-winfx libxdo xdotool

3. Go to the KeePass folder and from the command-line execute: mono KeePass.exe
4. That’s all folks!

UPDATE: Thank you B!n@ry for your comment. You can use KeePassX: yum install keepassx

1. Download Barnyard2
   wget http://www.securixlive.com/download/barnyard2/barnyard2-1.9.tar.gz
2. tar xvfz barnyard2-1.9.tar.gz
3. cd barnyard2-1.9/
4. You’ll need mysql libraries, if you want to store Suricata’s events
   apt-get install mysql-client libmysqlclient-dev
5. I’m going to compile barnyard2 with pfring an libpcap support. If you followed my howto, include files and libraries are inside /opt/PF_RING
   ./configure –with-mysql –with-libpcap-includes=/opt/PF_RING/include –with-libpcap-libraries=/opt/PF_RING/lib  –with-libpfring-includes=/opt/PF_RING/include –with-libpfring-libraries=/opt/PF_RING/lib
6. make && make install
7. Let’s check if barnyard2 is ready.  If you see a pig all is good
   barnyard2 –help
   / ,,_  \  Version 2.1.9 (Build 263)
   |o”  )~|  By the SecurixLive.com Team: http://www.securixlive.com/about.php
   + ”” +  (C) Copyright 2008-2010 SecurixLive.
8. If barnyard complains about libpcap.so.1 not being found, use this:
   ln -s /opt/PF_RING/lib/libpcap.so.1 /usr/lib/libpcap.so.1
9. Now, you will need a barnyard2 config file:
   cp etc/barnyard2.conf /etc/barnyard2.conf
10. Edit /etc/barnyard2.conf and add the following line (change dbuser, dbpass, database, x.x.x.x with the rigth values for your snorby MySQL database):
    output database: alert, mysql, user=dbuser password=dbpass dbname=database host=x.x.x.x
11. Barnyard’s config file need to know where are your config and map files to indentify the rules. I’m using Emerging Threats rules in my /etc/suricata directory.
    # set the appropriate paths to the file(s) your Suricata process is using.
    config reference_file:      /etc/suricata/reference.config
    config classification_file: /etc/suricata/classification.config
    config gen_file:            /etc/suricata/gen-msg.map
    config sid_file:            /etc/suricata/sid-msg.map
12. Check if you find this lines in /etc/suricata/suricata.yaml:
    - unified2-alert:
    enabled: yes
    filename: unified2.alert
13. Ok. I have Suricata running. With this command the unified2 binary files will be read and new events will be sent to snorby -> barnyard2 -c /etc/barnyard2.conf -d /var/log/suricata -f unified2.alert
14. All seems to work fine. Snorby is starting to show events.

    

15. Snorby is awesome. More info soon!

Today I’m going to show you how to install Snorby on Debian 6. This is the first time I use Snorby and I want to use it to monitor my Suricata IDS. In the following weeks I’ll post my first impressions.

Download the pdf and contact me for any comments, errors or suggestions.

Download the PDF.

P.S: It’s been a long time since my last post. After a difficult year,  I have time to blog again.

My lab will consist in two virtual hosts, one of them will be the victim where all the malware will be executed and the other will act as a server offering “Internet” services to the victim. The hosts will be placed in the 192.168.10.0/24 network (Server 192.168.10.1 and Client 192.168.10.2)

The first service I’m going to configure is DNS and for this task I’ll use DJBDNS. Two years ago I started to hear about D.J Bernstein DNS which wasn’t affected by Dan Kaminsky‘s DNS flaw announce. I like security, so why not use tinydns for this task? The DNS server will be configured to answer queries for the malware.lab domain and it’ll act as a fake root name server.

You can install Tinydns using aptitude but I like to compile things These are the steps I’ve followed.

1. apt-get install build-essential
2. useradd Gtinydns -s /bin/false
3. useradd Gdnslog -s /bin/false
4. mkdir -p /package
5. chmod 1755 /package
6. cd /package
7. wget http://cr.yp.to/daemontools/daemontools-0.76.tar.gz
8. tar xvfz daemontools-0.76.tar.gz
9. rm -f daemontools-0.76.tar.gz
10. cd admin/daemontools-0.76/
11. echo gcc -O2 -include /usr/include/errno.h > conf-cc (don´t forget this!)
12. cd src/
13. echo gcc -O2 -include /usr/include/errno.h > conf-cc (don´t forget this!)
14. cd ..
15. package/install
16. cd /package
17. wget http://cr.yp.to/ucspi-tcp/ucspi-tcp-0.88.tar.gz
18. tar xvfz ucspi-tcp-0.88.tar.gz
19. rm ucspi-tcp-0.88.tar.gz
20. cd ucspi-tcp-0.88/
21. echo gcc -O2 -include /usr/include/errno.h > conf-cc (don´t forget this!)
22. make
23. make setup check
24. cd /package
25. wget http://cr.yp.to/djbdns/djbdns-1.05.tar.gz
26. tar xvfz djbdns-1.05.tar.gz
27. rm djbdns-1.05.tar.gz
28. echo gcc -O2 -include /usr/include/errno.h > conf-cc
29. make
30. make setup check
31. reboot
32. tinydns-conf Gtinydns Gdnslog /etc/tinydns 192.168.10.1
33. ln -s /etc/tinydns /service/tinydns
34. sleep 5
35. svstat /service/tinydns
36. cd /service/tinydns/root
37. ./add-ns . 192.168.10.1 (this server will answer all DNS queries with the same address 192.168.10.1) If you have problems be sure you add this entry to the /etc/tinydns/root/data file  (   +*.:192.168.10.1    )
38. ./add-host server.malware.lab 192.168.10.1
39. ./add-host client.malware.lab 192.168.10.2
40. ./add-ns 10.168.192.in-addr.arpa 192.168.10.1 (It will resolve inverse queries)
41. make

And that’s it (41 steps!), I have a DNS server running… If you need more information visit DJBDNS page.

DJBDNS has been designed to be secure and it’s very easy to manage it (at least compared with BIND)

See ya!

I’ve examined three of these files on an isolated machine and these are my first impressions:

1. People from Western Europe are really bored so they like to write amusing programs
2. The programs contain funny messages like “We are ROOT, we are deleting the logs,  let’s download evil files…”
3. They love IRC channels and writing their own versions of ps, top, netstat, ls…

Now I’m preparing my first malware lab to analyze these samples seriously in a protected environment and that’s why I’m testing Samhain Host IDS and working on a network server with DNS, SMTP, HTTP and IRC to simulate a real network, so stay tuned! Any suggestions for this lab are welcomed.

P.S: I’m preparing a new version of the Suricata How-To. I hope you’ve found it useful.

P.S #2: I can´t believe we won the Fifa World Cup!

Suricata installation is not difficult but it needs a little time if you want to use PF_RING. This howto uses the INSTALL and INSTALL.PF_RING files that comes with Suricata but with some mods on my own.

Updated 2010/07/08:  the howto now covers a basic configuration section. Enjoy!

Download the HOWTO in PDF format

1. Generate you private and public keys with gpg –gen-key
2. Select the type of key. DSA and Elgamal is a good choice
3. Specify the expiry date for the key
4. Introduce your name and email
5. Protect the key with a passphrase
6. Accept the information and generate entropy
7. Import the public key for the recipient of the message with gpg –import file
8. List the keys to know their UID with gpg –list-keys
9. If you trust the recipient’s public key, sign its key with gpg –edit-key  RecipientUID
10. Use the sign task and then quit
11. Encrypt the file with gpg -e file -r RecipientUID
    
12. You’re done!

I know, there are many good tutorials out there but I don´t want to forget all this again! If you find errors or want me to add more steps tell me!!

Soon I’ll post new things about honeypots

Kippo setup and installation is quite simple. You only have to download it, uncompress it, edit the kippo.cfg file (I changed the hostname) and run it with ./start.sh

Kippo has great features. It emulates a Debian 5.0 filesystem, implements interesting shell commands and it allows the attacker to download files with wget, but what I really love is that it records the attacker session in a way that you can play it back later to analyze it. If anyone is interested, I can upload the session logs.

Updated: Please read mig5′s comments for this post for more great information and impressions about Kippo!

My honeypot has recorded three long sessions and these are the most frequent commands used by the attackers:

• Implemented by Kippo: w, ls, cd, uptime, cat /proc/cpuinfo, uname -a, passwd (but it shows that passwords mismatch ), wget…
• Not implemented by Kippo: cat /etc/issue, cat /proc/version, adduser…

So far the attackers have downloaded three files that I will examine in the following days but a quick inspection shows that one of the files contains a kit to convert a host into a Flood bot. It seems promising.

I really recommend you this honeypot if you want a didactic tool.

Have fun!