On July 1, 2010 the Open Information Security Foundation released the first stable version of the Suricata IDS. I'm a long time Snort user but I want to know more about this IDS, so I'm going to write a howto for Suricata installation and configuration on Debian 5.0. Suricata can capture with PF_RING, the new packet-capture socket type that, according to ntop's website (what a great tool ntop is…), dramatically improves packet capture speed.

Suricata installation is not difficult, but it needs a little time if you want to use PF_RING. This howto follows the INSTALL and INSTALL.PF_RING files that come with Suricata, with some modifications of my own.

Updated 2010/07/08: the howto now covers a basic configuration section. Enjoy!

Download the HOWTO in PDF format

A long time ago I used PGP to encrypt files, but I forgot how to use it. Today I sent a message to a CERT (but this is another story…) and I had to encrypt a file, so I downloaded the GnuPG binary for Windows and started reading the GnuPG mini-howto. I've managed to remember the steps for using this tool:

  1. Generate your private and public keys with gpg --gen-key
  2. Select the type of key. DSA and Elgamal is a good choice
  3. Specify the expiry date for the key
  4. Enter your name and email
  5. Protect the key with a passphrase
  6. Accept the information and generate entropy 🙂
  7. Import the public key of the recipient of the message with gpg --import file
  8. List the keys to find their UID with gpg --list-keys
  9. If you trust the recipient's public key, sign it with gpg --edit-key RecipientUID
  10. Use the sign command and then quit
  11. Encrypt the file with gpg -e file -r RecipientUID
  12. You're done!

I know, there are many good tutorials out there, but I don't want to forget all this again! 😀 If you find errors or want me to add more steps, tell me!!
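The twelve steps above run unattended, as an added example that is not part of the original post: two throwaway GnuPG homedirs stand in for sender and recipient, so the whole exchange (generate, export, import, certify, encrypt, decrypt) can be checked offline. It assumes GnuPG 2.1.17 or later for `--quick-generate-key` and `--quick-sign-key`, uses gpg's current default algorithm rather than the DSA/Elgamal choice in step 2, and the names, addresses and passphrases are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: the twelve-step GnuPG flow run
# unattended with separate homedirs for sender and recipient. Assumes GnuPG
# 2.1.17+ (--quick-generate-key, --quick-sign-key). Names, addresses and
# passphrases below are placeholders for the demo.
set -eu

SENDER_PASS='sender-pass'
RECIP_PASS='recipient-pass'

# Steps 1-11. Each step ends in "|| return 1" so a failing step is reported.
# $1 = sender homedir, $2 = recipient homedir, $3 = scratch directory
exchange_steps() {
    sender=$1; recip=$2; work=$3
    # Steps 1-6 for both parties: --batch plus a loopback passphrase replaces the
    # prompts; "default default never" = default algorithm, default usage, no
    # expiry (the post sets an expiry date, which is the better habit for a real key).
    gpg --homedir "$recip" --batch --quiet --pinentry-mode loopback --passphrase "$RECIP_PASS" \
        --quick-generate-key 'Bob Recipient <bob@example.invalid>' default default never || return 1
    gpg --homedir "$sender" --batch --quiet --pinentry-mode loopback --passphrase "$SENDER_PASS" \
        --quick-generate-key 'Alice Sender <alice@example.invalid>' default default never || return 1
    # Step 7: the recipient exports an ASCII-armored public key and the sender imports it.
    gpg --homedir "$recip" --batch --quiet --armor --export bob@example.invalid >"$work/bob.asc" || return 1
    gpg --homedir "$sender" --batch --quiet --import "$work/bob.asc" || return 1
    # Step 8: list keys in machine-readable form and take the full fingerprint
    # ("fpr" record, field 10). This is the value to verify out of band.
    fpr=$(gpg --homedir "$sender" --batch --with-colons --list-keys bob@example.invalid |
          awk -F: '$1 == "fpr" { print $10; exit }')
    [ -n "$fpr" ] || return 1
    # Steps 9-10: certify the imported key with the sender's own key, the batch
    # equivalent of --edit-key / sign / quit. Without a valid key, batch-mode
    # encryption to it is refused.
    gpg --homedir "$sender" --batch --quiet --yes --pinentry-mode loopback --passphrase "$SENDER_PASS" \
        --quick-sign-key "$fpr" || return 1
    # Step 11: encrypt, naming the recipient by full fingerprint rather than a short key ID.
    printf 'report for the CERT\n' >"$work/report.txt"
    gpg --homedir "$sender" --batch --quiet --yes --output "$work/report.txt.gpg" \
        --encrypt --recipient "$fpr" "$work/report.txt" || return 1
    # Recipient side: decrypt with the private key and confirm the round trip.
    gpg --homedir "$recip" --batch --quiet --yes --pinentry-mode loopback --passphrase "$RECIP_PASS" \
        --output "$work/report.out" --decrypt "$work/report.txt.gpg" || return 1
    cmp -s "$work/report.txt" "$work/report.out"
}

# Creates throwaway keyrings, runs the exchange, and always cleans up.
# Returns 0 on a successful round trip, 1 on failure, 2 if gpg is not installed.
gpg_exchange() {
    command -v gpg >/dev/null 2>&1 || { echo 'gpg not installed, skipping' >&2; return 2; }
    work=$(mktemp -d /tmp/gpgdemo.XXXXXX)
    mkdir -m 700 "$work/sender" "$work/recipient"
    rc=0
    exchange_steps "$work/sender" "$work/recipient" "$work" || rc=1
    # Stop the per-homedir agents before deleting the keyrings.
    gpgconf --homedir "$work/sender" --kill gpg-agent 2>/dev/null || true
    gpgconf --homedir "$work/recipient" --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
    return "$rc"
}

# Exit status 2 means gpg is absent and the demo was skipped rather than failed.
gpg_exchange || [ "$?" -eq 2 ]
```

The two details worth carrying over to real use are the fingerprint (steps 8 and 11 address the key by the full fingerprint, which is what you compare out of band, not the short key ID) and the certification in step 9: gpg refuses to encrypt to a key it cannot validate unless you sign it or override the trust model.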

Soon I’ll post new things about honeypots

Thanks to Lukas Rist’s suggestion I found Kippo SSH Honeypot. Kippo is developed by Upi Tamminen and according to the project’s homepage, “Kippo is inspired, but not based on Kojoney.”, so I decided to give it a try.

Kippo setup and installation is quite simple. You only have to download it, uncompress it, edit the kippo.cfg file (I changed the hostname) and run it with ./start.sh

Kippo has great features. It emulates a Debian 5.0 filesystem, implements interesting shell commands and lets the attacker download files with wget, but what I really love is that it records the attacker's session so that you can play it back later to analyze it. If anyone is interested, I can upload the session logs.

Updated: Please read mig5’s comments for this post for more great information and impressions about Kippo!

My honeypot has recorded three long sessions and these are the most frequent commands used by the attackers:

  • Implemented by Kippo: w, ls, cd, uptime, cat /proc/cpuinfo, uname -a, passwd (but it shows that passwords mismatch :-D), wget…
  • Not implemented by Kippo: cat /etc/issue, cat /proc/version, adduser…

So far the attackers have downloaded three files that I will examine in the following days, but a quick inspection shows that one of the files contains a kit to turn the host into a flood bot. It seems promising.

I really recommend this honeypot if you want a didactic tool.

Have fun!

One of the reasons I was interested in honeypots is that I wanted to install and configure an IDS and learn more about attacks, threats and rules. Once the Amun and Glastopf (now also Kojoney/Kippo) logs started to show activity, it was time to start my Snort IDS and monitor the traffic passing through my bridge. It's obvious that I love reports and statistics, so maybe you're interested in this PDF report, or if you're too lazy, click on the picture 🙂

As you can see the IDS (using Emerging Threats default rules) is performing well with the honeypot activity. Look at those proxy requests for glastopf 😉 …

P.S. If you liked the report, I can upload the JasperReports source.

In the last weeks I’ve been inspecting what kind of traffic is sent to my DSL Router (I will soon post a report) and I’ve found many telnet and ssh connection attempts. I’m very curious about that traffic so I’ve decided to test Kojoney SSH Honeypot. Kojoney was developed by Joxean Koret and there’s a good post about it at madirish.net.

Kojoney installation is very easy and well documented. In my case I followed these steps:

  • apt-get install build-essential python python-dev
  • wget http://downloads.sourceforge.net/project/kojoney/kojoney-
  • tar xvfz kojoney-
  • cd kojoney
  • sh INSTALL.sh
  • You will have to accept the licence and answer some final questions about running automatically at boot time (it will install an init.d script).
  • Thanks to mig5: the script will try to guess where man is installed, but on Debian it will fail, so you will have to specify the path (/usr/share/man/man1 on Debian)
  • If you want to change SSH listening port edit /usr/share/kojoney/coret_config.py and change  ROOT_CONFIG_PORTS

Kojoney offers valuable report tools, so I will share with you the results in the following days.

Have fun!

Thanks to Amun, 78 malware samples have been collected so far. Unfortunately my ISP has recently blocked ports 135 and 445, so for a while there will be no more attacks on those ports.

I wanted to know what kind of malware had been downloaded, so I used an antivirus. Initially I used ClamAV, but 35% of the files looked OK (weird), so I then tried Avast, which detected 97% of the files as malware, though 32% were detected as generic malware. Rbot-GNZ and Virtob are the winners!
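The numbers in that paragraph (share of files flagged, share of only-generic verdicts, top families) are easy to pull out of a clamscan report with a few awk pipelines. The following is an added example, not from the original post or from ClamAV; the report lines are constructed for the demo and the signature names in them are made up, not real ClamAV signatures.

```shell
#!/bin/sh
# Added example, not from the original post: summarise a clamscan report
# (detection rate, share of generic verdicts, most frequent families).
# The report lines below are constructed; a real one would come from
#   clamscan -r --no-summary /path/to/samples > scan.txt
# and be fed to the functions with e.g.  detection_rate < scan.txt
# Lines that are neither "OK" nor "FOUND" (errors, empty files) are ignored.
set -eu

SAMPLE_REPORT='/samples/0a1b.bin: Win.Worm.Rbot-1 FOUND
/samples/1c2d.bin: Win.Virus.Virtob-4 FOUND
/samples/2e3f.bin: OK
/samples/3a4b.bin: Win.Worm.Rbot-1 FOUND
/samples/4c5d.bin: Win.Trojan.Agent-2 FOUND
/samples/5e6f.bin: OK
/samples/6a7b.bin: Win.Virus.Virtob-4 FOUND
/samples/7c8d.bin: Win.Worm.Rbot-1 FOUND'

# Percentage of scanned files with a FOUND verdict (integer, truncated).
detection_rate() {
    awk '/: OK$/   { n++ }
         / FOUND$/ { n++; hit++ }
         END { printf "%d\n", (n ? 100 * hit / n : 0) }'
}

# Percentage of detections that are only a generic verdict (Agent/Generic in
# the signature name). The name is isolated first so a path cannot match.
generic_share() {
    awk '/ FOUND$/ {
             hit++
             name = $0; sub(/^.*: /, "", name); sub(/ FOUND$/, "", name)
             if (name ~ /Generic|Agent/) g++
         }
         END { printf "%d\n", (hit ? 100 * g / hit : 0) }'
}

# Signature names ranked by frequency, one "count name" per line, most frequent first.
top_families() {
    awk '/ FOUND$/ { sub(/^.*: /, ""); sub(/ FOUND$/, ""); print }' |
        sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Usage on the constructed report: 75% flagged, 16% of those only generic.
printf 'detected: %s%%\n' "$(printf '%s\n' "$SAMPLE_REPORT" | detection_rate)"
printf 'generic:  %s%%\n' "$(printf '%s\n' "$SAMPLE_REPORT" | generic_share)"
printf '%s\n' "$SAMPLE_REPORT" | top_families
```

Running the same report through a second engine and diffing the two family lists is the quickest way to see where one scanner is only returning a generic verdict.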

If you are running Amun or Dionaea I would like to know what kind of malware you have collected 😀

As WordPress doesn't let me upload Python files, I had to post scripts as PDF files, so I have moved the files to Google Code. I am currently working on a reporting tool for Snort and I will upload the files there.