How many of you use some type of IDS?Did you set it up? How was it?How many of you have used Security Onion?Did anyone see Doug Burk’s talk at Derbycon, Shmoocon, etc? Anybody go to derbycon?
Take it one step further past the Derbycon videoAbout Packet Parties
great overview, tells you a lot of what you need to knowmet Doug in person atderbycon this past weekend
see the videoDoug describes it as getting a snapshotbook is here…in the back
multiple sensors – you can have
Wasn’t able to get it to work on Ubuntu serverRan great with Ubuntu desktop, needed gui to do the sosetup on Ubuntu server
Mileage may vary – this works with vmwareIf you have a problem with these instructions, please let me knowif you have another version, and want to type up a quick step-by-step, let me know
VRT – awesome group of guys
Snort GUI for Lamersdatabase – this is what barnyard talks to
Setup – have to get all the agents right, didn’t work with newer versions oftcl/tk, didn’t work with different libraries, nightmare
wasn’t working on my wireshark
sguil query tool
Security Onion Packet Party Nova Labs - Oct 12 John deGruyter @johndegruyter
Purpose of this talk• Get us all up and running with Security Onion• Give a better understanding of the tools• Evaluate SO as a tool for Packet Parties – All your traffic analysis tools in one VM – Easy get new users up and running• What it is not: – How to deploy an IDS at your company – How to tune an IDS
AgendaTalk should be about 30 minutes or less.• Overview• Installation• Tools / DemosStay and do some challenges.
About Security Onion• A Linux distribution for Intrusion Detection and Network Security Monitoring• Great video(s) by the author Doug Burks – http://securityonion.blogspot.com/• Started in 2008. Gained momentum in 2011.• Version 12.04 was released this past weekend – Now available in 64 bit – Ability to install from apt repository
IDS vs NSM• Intrusion Detection Systems traditionally deal with getting the alert• Network Security Monitoring involves getting additional context along with the alert – alerts – session data – full packet capture• Security Onion is an NSM image
Why is Security Onion awesome?• Getting all of this setup is hard. – Some of my blog posts from 2008 (deadshell.org) • Installing sguil client on debian • Installing SGUIL is a pain. (part 1)• Most of the tools you need are on here – What are you missing?• You can be up and running in about 20 minutes• Easy to deploy multiple sensors with a single dashboard – DMZ – Server VLAN – Client gateway• Excellent support from both community (see wiki) and developers
Installation (2 methods)• Bootable CD image – Download the .iso – Run it as a live distro – Install it to disk (why not?)• Get it from an apt repository – Instructions here • http://code.google.com/p/security-onion/wiki/Beta – I tried this with Ubuntu desktop (worked great)
Post installation• Resolution does not scale properly• If you are running VMware: 1. Start the VM 2. Click “Virtual Machine” / “Install VMware Tools” 3. Open a command prompt in your VM, 4. switch to root (sudo –i) 5. <enter your password when prompted> 6. cp /media/Vmware ToolsVMareTools<tab> /usr/local/src 7. cd /usr/local/src 8. tar xzvf VM<tab> 9. cd vm<tab> 10. ./vmware-installer.pl 11. (follow instructions, you can use default settings)
Demo – Installation from apt• Take a snapshot if you are running a VM• Follow instructions here:• http://code.google.com/p/security-onion/wiki/Beta• I used Ubuntu desktop 12.04• You can connect to the https://<ip of the server> to get links to the tools
Daemonlogger• Listens on a network interface• Captures and saves your packets to disk. The structure on how these files are saved can be configured.• You can set filters on what you want to capture (BPF – Berkeley Packet Filters)• You set a limit on how much disk space you want to use. It will delete the oldest data as needed.
Daemonlogger - Demo• Look at the file structure• Change the disk threshold• Modify the BPF so that it does not collect ICMP packets
Snort• An open source intrusion detection system developed by Sourcefire• Configuration file (snort.conf) ties everything together• Will check packets passing through an interface against “signature” or “rule” files• Alerts generated by rules can be sent to different output types – Security Onion uses the unified option• Does a lot more. This is just a basic overview.
Snort RuleHeader Options• action • msg• protocol • content• source ip / port • nocase• direction • depth• destination ip / port • flags • flow • fragbits • much more… alert tcp any any -> any 80 (content:"BOB"; gid:1000001; sid:1; rev:1;)
Snort - Demo• Find the running instance by running $ps aux• Look over snort.conf file• Write a simple rule
Pulled Pork• Scripts for updating your rules. It will periodically pull down new signatures (rules) and add them into Snort.• You have a couple of choices where to pull rules from.• You can get an “oinkcode” by registering with Sourcefire’s VRT through the snort website. Paid for versions get you the rules faster. This will need to be added to your configuration.
Snorby• Pretty interface for looking at Snort / Suricata alerts. You can see: – IPs – Time – Raw data – Rule – Statistics• Not much you can do to follow up on an alert but has a lot of potential for growth. This is more of an IDS rather than an NSM.• Pain to set this up without Security Onion.
Sguil• “Sguils main component is an intuitive GUI that provides access to real time events, session data, and raw packet captures.”• “built by network security analysts for security analysts”
Sguil (2)• Written by Bamm Visscher in TCL/TK• Client (sguil.tk) / Server (sguild) architecture, not a web service. You need a client to connect to the server.• Stores data in a mysql database• Connects to different “agents” – snort (alerts) – pcap (full packet captures) – sanscp (sessions) – prads (asset detection)• These agents can run on different systems known as sensors. You can have multiple sensors talking to an agent. Note: Client is different from a sensor. Client connects to the sguil frontend for analysis.• It is a PAIN to setup• It is a PAIN to setup! (Thank you Security Onion)
tcpreplay• Allows you to take a packet capture (.pcap) and resend all of its packets onto a given interface• For demo purposes, we can replay existing attacks to see if they trigger alerts• You need to be root• Demo• #tcpreplay –t –i eth0 <pcap file>
Sguil - Demo• Check agents• Replay TFTP attack• View alert / signature / raw packet• DNS/whois lookup• Deal with alert resolution• Send to wireshark / network miner – Packets for the session are pulled from the sensor to the server and viewed in wireshark
Squert• Reporting service for Sguil• Pulls from mysql database on sguild server• Pretty pictures for the managements• Demo – View interface / pivot through data – Use geoIP to view country data
Issues• Tuning – IDS can be VERY noisy right out of the box – “Do a little bit each day.”• Space – Determine what you want to capture • Adjust Daemonlogger’s filter if necessary – Disk is cheap
Referenceshttp://securityonion.blogspot.com/video, downloads, documentation, wiki@securityonionSecurity Onion reference page from the wiki:http://code.google.com/p/security-onion/wiki/LinksRichard Bejtlich’s blog (NSM and more):http://taosecurity.blogspot.com/Me:@johndegruyter (DeBuG)
Challenges1. Install Security Onion on a virtual machine2. Create a snort rule to detect DNS requests to 22.214.171.124 – You can test this with: snort –Tc <your rule file>3. Find out where the snort instance is getting its rule files from and add your rule to one of the rule files. Test this by viewing it in Snorby or Sguil.4. Modify Daemonlogger so that you will only use up to 80% of the disk (default is 90%)5. Modify Daemonlogger so that you do not capture ARP packets – you can use a BPF for this6. Set up a second Sguil sensor to connect to your original server. Ensure that you can see alerts from each sensor. You can generate some alerts by scanning the sensor.7. Use squert to map network traffic to different locations