'ids'에 해당되는 글 13건

  1. 2013.11.05 Configuring OSSEC with MySQL and Analogi
  2. 2011.07.11 Testing Snort IDS with Metasploit vSploit Modules
  3. 2011.04.08 Snort 2.9.0.5 is available for download!
2013. 11. 5. 19:57

Configuring OSSEC with MySQL and Analogi

728x90


I have been using OSSEC for a while now but I always used only plain text logs. While this is not bad, it does not scale really well. I started looking into a way to do it right(tm). I knew OSSEC was compatible with MySQL, and since 2.7 has been released, it gave me an excuse to play with it again.

You will need to enable MySQL in OSSEC (not enabled by default), grab the source then do the following. Note that if upgrading an existing installation, you might want to save the registered client keys, the file to back up is: /var/ossec/etc/client.keys

1
2
3
4
cd ossec-hids-2.7/src
make setdb
cd ..
./install.sh

After you have completed the installation, you need to configure your MySQL server, I used the official documentation to do it. Here is my run down of it:

1
2
3
4
5
6
7
$ mysql -u root -p
mysql> create database ossec;
mysql> grant INSERT,SELECT,UPDATE,CREATE,DELETE,EXECUTE on ossec.* to ossecuser@<ossec ip>;
mysql> set password for ossecuser@<ossec ip>=PASSWORD('ossecpass');
mysql> flush privileges;
mysql> quit
mysql -u root -p ossec < ./src/os_dbd/mysql.schema

You just now need to edit /var/ossec/etc/ossec.conf and add a new section within the config:

1
2
3
4
5
6
7
<database_output>
      <hostname>127.0.0.1</hostname>
      <username>ossecuser</username>
      <password>xxxxxxx</password>
      <database>ossec</database>
      <type>mysql</type>
  </database_output>

And at last, enable MySQL and restart the service:

1
2
/var/ossec/bin/ossec-control enable database
/var/ossec/bin/ossec-control restart

Analogi is a web interface replacement to ossec-wui which is now very dated and spurts too many false positive. To install analogi, go to the main project page and clone it using git:

It is up to you to protect that folder on your webserver as this has potential security risks, I am using NGINX, so here is my setup:

1
2
3
4
location /ossec/analogi {
        auth_basic "Restricted Access";
        auth_basic_user_file htpasswd-file;
}

You then need to rename the config file and change the SQL information

1
mv db_ossec.php.new db_ossec.php

You should now be able to see information gathered from different clients straight into MySQL and using Analogi.


출처 : www.frlinux.eu



Trackback 0 Comment 0
2011. 7. 11. 13:57

Testing Snort IDS with Metasploit vSploit Modules

728x90

One of my key objectives for developing the new vSploit modules was to test network devices such as Snort. Snort or Sourcefire enterprise products are widely deployed in enterprises, so Snort can safely be considered the de-facto standard when it comes to intrusion detection systems (IDS). So much that even third-party intrusion detection systems often import Snort rules.

Organizations are often having a tough time verifying that their IDS deployment actually work as intended, which is why I created several vSploit modules to test whether Snort sensors are seeing certain traffic. Because vSploit modules were made to trigger Snort alerts, so they don't obfuscate attacks to avoid detection.

However, not every rule is used in every environment. For example, if you aren't using Microsoft Frontpage on your network, you likely won't want to use Snort's Frontpage rules. On the other hand, if you are running Frontpage you may not want to try exploiting it because it may affect the production system. Because of Metasploit Framework's flexibility, you can use the vSploit Generic HTTP Server module to host a small web server that answers all testing requests, so production systems won't be affected.

You can run vSploit modules with a mix of Metasploit Framework, Metasploit Pro, and Metasploit Express, providing there is end-to-end network connectivity to the vSploit instances:

To try out the new vSploit modules, start up the vSploit Generic HTTP Server.

Then launch Frontpage-related attack attributes:

Verify that the packets are being transmitted in Wireshark:

Finally, verify that Snort IDS sees the activity:

Metasploit vSploit Modules will be released at DEFCON 19.

출처 : Metasploit Blog


Trackback 0 Comment 0
2011. 4. 8. 09:46

Snort 2.9.0.5 is available for download!

728x90


This is the changelog for Snort 2.9.0.5:

  * src/build.h:
      Increment Snort build number to 134
  * src/: decode.h, encode.c:
  * src/dynamic-plugins/sf_engine/: sf_snort_packet.h:
  * src/preprocessors/: spp_sfportscan.c, spp_frag3.c:
  * src/output-plugins/: spo_alert_fast.c:
  * src/preprocessors/Stream5/: stream5_common.c:
      Updated portscan to set protocol correctly in raw packet for
      IPv6 and changed the encoder to recognize portscan packets as pseudo
 packets so that the checksum isn't calculated
  * src/: sfdaq.c, util.c:
      Improve handling of DAQ failure codes when Snort is shutting down.
  * src/preprocessors/spp_perfmonitor.c:
      Update perfmonitor to create now files prior to dropping privs
  * src/build.h:
      Increment Snort build number to 132
  * src/snort.c:
  * src/preprocessors/: normalize.c, perf-base.c, perf-base.h,
    Stream5/snort_stream5_tcp.c:
      TCP timestamp options are only NOPed by the Normalization preprocessor
      if Stream5 has seen a full 3-way handshake, and timestamps weren't
      negotiated.

      The IPS mode reassembly policy has been refactored to do stream
      normalization within the first policy.

      Packets injected by the normalization preprocessor are now counted
      in the packet statistics.
  * doc/snort_manual.tex:
  * src/: parser.c, parser.h:
  * src/preprocessors/: spp_frag3.c, Stream5/snort_stream5_session.c:
      Added a &quot;config vlan_agnostic&quot; setting that globally disables Stream's
      use of vlan tag in session tracking.
  * src/: snort.c, preprocessors/normalize.c,
    preprocessors/spp_normalize.c, preprocessors/spp_normalize.h,
    preprocessors/perf-base.c, preprocessors/perf-base.h:
  * doc/: README.normalize, snort_manual.pdf, snort_manual.tex:
      Fixed the normalization preprocessor to call its post-initialization
      config functions during a policy reload.

      Packets can no longer be trimmed below the minimum ethernet frame
      length. Trimming is now configurable with the &quot;normalize_ip4: trim;&quot;
      option. TOS clearing is now configurable with &quot;normalize_ip4: tos;&quot;.

      The &quot;normalize_ip4: trim&quot; option is automatically disabled if the
      DAQ can't inject packets. If the DAQ tries and fails to inject
      a given packet, the wire packet is not blocked.

      Updated documentation regarding these changes.
  * src/detection-plugins/sp_cvs.c:
      Fixed a false positive in the CVS detection plugin. It was incorrectly
      parsing CVS entries that had a '+' in between the 3rd and 4th slashes.
  * src/preprocessors/HttpInspect/: client/hi_client.c,
    server/hi_server.c:
      Changed a pointer comparison to a size check for code readability.
      Belated thanks to Dwane Atkins and Parker Crook for reporting a
      related issue that was fixed in Snort 2.9.0.4 build 111.

      Moved the zlib initialization such that gzipped responses are still
      inspected if the zipped data starts after the first Stream-reassembled
      packet is inspected.
  * src/decode.c:
      Fixed an issue with decoding too many IP layers in a single packet. The
      Teredo proto bit was not unset after hitting the limit on IP layers.
      Thanks to Dwane Atkins for reporting this issue.

      IPv6 fragmented packets are no longer inspected unless they have an
      offset of zero and the next layer is UDP. This behavior is consistent
      with IPv4 decoding.
      Thanks to Martin Schütte for reporting an issue where fragged ICMPv6
      packets were being inspected.

      The decoder no longer attempts to decode Teredo packets inside of
      IPv4 fragments, instead waiting for the reassembled packet.
  * src/encode.c:
      Fixed a problem where encoded packets had their lengths calculated
      incorrectly. This caused the active response feature to generate
      incorrect RST packets if the original packet had a VLAN tag.
  * preproc_rules/preprocessor.rules:
      Updated references to rule 125:1:1
  * src/preprocessors/spp_perfmonitor.c:
      Perfmonitor files are now created after Snort changes uid/gid.
  * src/dynamic-plugins/sf_preproc_example/sf_dynamic_preproc_lib.c:
      Fixed the size formatting of an error message argument when
      compiling with --enable-rzb-saac.
      Thanks to Cleber S. Brandão for reporting this issue.
  * etc/snort.conf:
      Updated the default snort.conf with max compress and decompress
      depths to enable unlimited decompression of gzipped HTTP responses.
  * snort.8:
      Fixed the man page's URL regarding the location of Snort rules.
      Thanks to Michael Scheidell for reporting an out-of-date man page section.
  * doc/README.http_inspect, doc/snort_manual.tex,
    src/preprocessors/snort_httpinspect.c:
      HTTP Inspect's &quot;unlimited_decompress&quot; option now requires that
      &quot;compress_depth&quot; and &quot;decompress_depth&quot; are set to their max values.
  * src/: fpcreate.c, dynamic-plugins/sf_dynamic_define.h,
    dynamic-plugins/sf_dynamic_engine.h,
    preprocessors/Stream5/snort_stream5_tcp.c:
      Fixed an error that prevented compiling with --disable-dynamicplugin.
      Thanks to Jason Wallace for reporting this issue.
  * src/dynamic-preprocessors/ftptelnet/: snort_ftptelnet.c,
    snort_ftptelnet.h, spp_ftptelnet.c:
      Changed the names of ProcessGlobalConf() and PrintGlobalConf() inside
      the ftp_telnet preprocessor to avoid a naming conflict with similar
      functions in HTTP Inspect.
      Thanks to Bruce Corwin for reporting this issue.
  * src/preprocessors/: perf.c, perf-base.c, perf-base.h, perf-flow.c,
    perf-flow.h:
      Fixed comparisons between signed and unsigned int, which lead to
      a faulty length check.
      Thanks to Cihan Ayyildiz and Jason Wallace for helping us debug this
      issue.

Download Snort v2.9.0.5 (snort-2.9.0.5.tar.gz/Snort_2_9_0_5_Installer.exe) here.



Trackback 0 Comment 0