Archive for the ‘IDS/IPS’ Category

After successfully installing Suricata and Snorby, I’m going to use Barnyard2 to read the alerts and send them to Snorby’s database. Barnyard2 understands the unified2 binary format. If you get lost, don’t worry, because I’m going to update the Snorby how-to. If you can’t wait, these are the steps I’ve followed:

  1. Download Barnyard2
    wget http://www.securixlive.com/download/barnyard2/barnyard2-1.9.tar.gz
  2. tar xvfz barnyard2-1.9.tar.gz
  3. cd barnyard2-1.9/
  4. You’ll need the MySQL libraries if you want to store Suricata’s events
    apt-get install mysql-client libmysqlclient-dev
  5. I’m going to compile barnyard2 with PF_RING and libpcap support. If you followed my howto, the include files and libraries are inside /opt/PF_RING
    ./configure --with-mysql --with-libpcap-includes=/opt/PF_RING/include --with-libpcap-libraries=/opt/PF_RING/lib --with-libpfring-includes=/opt/PF_RING/include --with-libpfring-libraries=/opt/PF_RING/lib
  6. make && make install
  7. Let’s check if barnyard2 is ready. If you see a pig, all is good 😀
    barnyard2 --help
    / ,,_  \  Version 2.1.9 (Build 263)
    |o"  )~|  By the SecurixLive.com Team: http://www.securixlive.com/about.php
    + '''' +  (C) Copyright 2008-2010 SecurixLive.
  8. If barnyard complains about libpcap.so.1 not being found, use this:
    ln -s /opt/PF_RING/lib/libpcap.so.1 /usr/lib/libpcap.so.1
  9. Now, you will need a barnyard2 config file:
    cp etc/barnyard2.conf /etc/barnyard2.conf
  10. Edit /etc/barnyard2.conf and add the following line (change dbuser, dbpass, database and x.x.x.x to the right values for your Snorby MySQL database):
    output database: alert, mysql, user=dbuser password=dbpass dbname=database host=x.x.x.x
  11. Barnyard’s config file needs to know where your config and map files are in order to identify the rules. I’m using Emerging Threats rules in my /etc/suricata directory.
    # set the appropriate paths to the file(s) your Suricata process is using.
    config reference_file:      /etc/suricata/reference.config
    config classification_file: /etc/suricata/classification.config
    config gen_file:            /etc/suricata/gen-msg.map
    config sid_file:            /etc/suricata/sid-msg.map
  12. Check if you find these lines in /etc/suricata/suricata.yaml:
    - unified2-alert:
        enabled: yes
        filename: unified2.alert
  13. OK, I have Suricata running. With this command the unified2 binary files will be read and new events will be sent to Snorby:
    barnyard2 -c /etc/barnyard2.conf -d /var/log/suricata -f unified2.alert
  14. All seems to work fine. Snorby is starting to show events.

  15. Snorby is awesome. More info soon!
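To see what Barnyard2 is actually decoding for Snorby, here is an added example (not from this post or the Barnyard2 project) that parses the fixed-size IPv4 IDS event record of the unified2 format and resolves the signature id through a sid-msg.map like the one referenced in step 11. It assumes the classic 52-byte Unified2IDSEvent layout (record type 7); the sample map and records are constructed inline.

```python
import io
import socket
import struct

UNIFIED2_IDS_EVENT = 7                       # IPv4 IDS event record type
REC_HDR = struct.Struct(">II")               # record header: type, length (network order)
IDS_EVENT = struct.Struct(">" + "I" * 11 + "HHBBBB")   # 52-byte fixed event body

def load_sid_msg_map(text):
    """Parse sid-msg.map lines ('sid || msg || ref ...') into {sid: msg}."""
    table = {}
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("||")]
        if len(fields) >= 2 and fields[0].isdigit():   # skips comments and blank lines
            table[int(fields[0])] = fields[1]
    return table

def read_unified2(data, sid_msgs):
    """Walk a unified2 byte stream and decode every IPv4 IDS event record.
    Records of other types (e.g. type 2 packet records) are skipped by length."""
    events, stream = [], io.BytesIO(data)
    while True:
        hdr = stream.read(REC_HDR.size)
        if len(hdr) < REC_HDR.size:
            break                                   # clean end of the spool file
        rec_type, rec_len = REC_HDR.unpack(hdr)
        body = stream.read(rec_len)
        if len(body) < rec_len:
            raise ValueError("truncated unified2 record")   # file still being written
        if rec_type != UNIFIED2_IDS_EVENT:
            continue
        f = IDS_EVENT.unpack_from(body)   # sensor, event, sec, usec, sid, gid, rev, class, prio, src, dst, ...
        events.append({
            "event_id": f[1], "ts_sec": f[2], "gid": f[5], "sid": f[4], "rev": f[6],
            "priority": f[8], "msg": sid_msgs.get(f[4], "unknown sid %d" % f[4]),
            "src": socket.inet_ntoa(struct.pack(">I", f[9])), "sport": f[11],
            "dst": socket.inet_ntoa(struct.pack(">I", f[10])), "dport": f[12],
            "proto": f[13], "blocked": f[16],
        })
    return events

# Constructed sample input (not captured from a real sensor): one sid-msg.map line,
# a type-2 packet record the reader must skip, then one IDS event on port 22.
SAMPLE_SID_MAP = "# comment line\n1000001 || ET TEST constructed rule || url,example.invalid\n"
SAMPLE_PACKET = REC_HDR.pack(2, 4) + b"\x00\x01\x02\x03"
SAMPLE_EVENT = REC_HDR.pack(UNIFIED2_IDS_EVENT, IDS_EVENT.size) + IDS_EVENT.pack(
    1, 42, 1278547200, 0, 1000001, 1, 3, 1, 2,          # sensor, event, sec, usec, sid, gid, rev, class, prio
    0xC0A80105, 0xC0A8010A, 4444, 22, 6, 0, 0, 0)       # 192.168.1.5:4444 -> 192.168.1.10:22, TCP
```

Run `read_unified2(SAMPLE_PACKET + SAMPLE_EVENT, load_sid_msg_map(SAMPLE_SID_MAP))` to get the decoded event; pointing the same reader at a file under /var/log/suricata shows the raw records Barnyard2 is turning into Snorby rows.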


According to snorby.org, Snorby is a Ruby on Rails web application for network security monitoring that interfaces with current popular intrusion detection systems (Snort, Suricata and Sagan). The project goal is to create a free, open source and highly competitive application for network monitoring for both private and enterprise use.

Today I’m going to show you how to install Snorby on Debian 6. This is the first time I use Snorby and I want to use it to monitor my Suricata IDS. In the following weeks I’ll post my first impressions.

Download the PDF and contact me for any comments, errors or suggestions.


Thanks to Kippo SSH Honeypot and those who generously have donated their rootkits and bot software, now I have six interesting malware samples to play with.

I’ve examined three of these files on an isolated machine and these are my first impressions:

  1. People from Western Europe are really bored so they like to write amusing programs
  2. The programs contain funny messages like “We are ROOT, we are deleting the logs,  let’s download evil files…”
  3. They love IRC channels and writing their own versions of ps, top, netstat, ls…

Now I’m preparing my first malware lab to analyze these samples seriously in a protected environment. That’s why I’m testing the Samhain host IDS and working on a network server with DNS, SMTP, HTTP and IRC to simulate a real network, so stay tuned! Any suggestions for this lab are welcome.

P.S: I’m preparing a new version of the Suricata How-To. I hope you’ve found it useful.

P.S #2: I can’t believe we won the FIFA World Cup! 🙂


On July 1, 2010 the Open Information Security Foundation released the first stable version of Suricata IDS. I’m a long time Snort user, but I want to know more about this IDS, so I’m going to write a howto for Suricata installation and configuration on Debian 5.0. Suricata can use PF_RING, the new network socket that, according to ntop’s website (what a great tool ntop is…), dramatically improves packet capture speed.

Suricata installation is not difficult, but it needs a little time if you want to use PF_RING. This howto is based on the INSTALL and INSTALL.PF_RING files that come with Suricata, with some modifications of my own.

Updated 2010/07/08: the howto now covers a basic configuration section. Enjoy!

Download the HOWTO in PDF format


Snort IDS – Report

One of the reasons I was interested in honeypots is that I wanted to install and configure an IDS and learn more about attacks, threats and rules. Once the Amun and Glastopf (now also Kojoney/Kippo) logs started to show activity, it was time to start my Snort IDS and monitor the traffic passing through my bridge. It’s obvious that I love reports and statistics, so maybe you’re interested in this PDF report, or if you’re too lazy, click on the picture 🙂

As you can see the IDS (using Emerging Threats default rules) is performing well with the honeypot activity. Look at those proxy requests for glastopf 😉 …

P.S. If you liked the report I can upload the source for JasperReports.
