mysql57

728x90

SnortDLP - an open source DLP solution utilizing snort OverviewSnortDLP a.k.a. "Pig Pen" is an open source data loss prevention project that utilizes Snort to detect the exfiltration of sensitive data.FeaturesWeb based applicationWritten in PHP and utilizes a MySQL backend for cross operating system portabilityAdministrative login to protect unauthorized accessDetermines a unique fingerprint forfree textindividual documentseach document in a reposit.. 2014. 7. 8.

728x90

Overview

SnortDLP a.k.a. "Pig Pen" is an open source data loss prevention project that utilizes Snort to detect the exfiltration of sensitive data.

Features

Web based application

Written in PHP and utilizes a MySQL backend for cross operating system portability
Administrative login to protect unauthorized access
Determines a unique fingerprint for

free text
individual documents
each document in a repository of sensitive documents
database tables (future)

Supports plain text documents (including doc, ppt, etc) and emails
Generates Perl-compatible regular expressions (PCREs) and automatically adds a custom snort rule for each document or file
Detects and alerts administrators through a Snort interface
Flagging and carving out zip/pdf files based on file headers

Office 2007 (docx, pptx, xlsx) support
PDF support

Future

Email integration

PIGPEN INSTALL GUIDE

Dependencies:
-libpcap-dev
-flex
-python -- version?
-pexpect for python (already installed on ubuntu I believe)
-tcpxtract 1.0.1
	apt-get install libxml-libxml-perl
	apt-get install libarchive-any-perl
libextractor -> apt-get install extract

Permissions:
-in /etc/sudoers
-- under: # User privilege specification
-- add: www-data ALL=NOPASSWD: /bin/mount, /bin/umount, /bin/mkdir, /bin/rmdir

출처 : https://code.google.com/p/snortdlp/

728x90

저작자표시비영리변경금지

Configuring OSSEC with MySQL and Analogi I have been using OSSEC for a while now but I always used only plain text logs. While this is not bad, it does not scale really well. I started looking into a way to do it right(tm). I knew OSSEC was compatible with MySQL, and since 2.7 has been released, it gave me an excuse to play with it again.You will need to enable MySQL in OSSEC (not enabled by default), grab the source then do the follow.. 2013. 11. 5.

728x90

I have been using OSSEC for a while now but I always used only plain text logs. While this is not bad, it does not scale really well. I started looking into a way to do it right(tm). I knew OSSEC was compatible with MySQL, and since 2.7 has been released, it gave me an excuse to play with it again.

You will need to enable MySQL in OSSEC (not enabled by default), grab the source then do the following. Note that if upgrading an existing installation, you might want to save the registered client keys, the file to back up is: /var/ossec/etc/client.keys

cd ossec-hids-2.7/src
make setdb
cd ..
./install.sh

After you have completed the installation, you need to configure your MySQL server, I used the official documentation to do it. Here is my run down of it:

$ mysql -u root -p
mysql> create database ossec;
mysql> grant INSERT,SELECT,UPDATE,CREATE,DELETE,EXECUTE on ossec.* to ossecuser@<ossec ip>;
mysql> set password for ossecuser@<ossec ip>=PASSWORD('ossecpass');
mysql> flush privileges;
mysql> quit
mysql -u root -p ossec < ./src/os_dbd/mysql.schema

You just now need to edit /var/ossec/etc/ossec.conf and add a new section within the config:

<database_output>
      <hostname>127.0.0.1</hostname>
      <username>ossecuser</username>
      <password>xxxxxxx</password>
      <database>ossec</database>
      <type>mysql</type>
  </database_output>

And at last, enable MySQL and restart the service:

/var/ossec/bin/ossec-control enable database
/var/ossec/bin/ossec-control restart

Analogi is a web interface replacement to ossec-wui which is now very dated and spurts too many false positive. To install analogi, go to the main project page and clone it using git:

1	`git clone git://github.com/ECSC/analogi.git`

It is up to you to protect that folder on your webserver as this has potential security risks, I am using NGINX, so here is my setup:

location /ossec/analogi {
        auth_basic "Restricted Access";
        auth_basic_user_file htpasswd-file;
}

You then need to rename the config file and change the SQL information

1	`mv db_ossec.php.new db_ossec.php`

You should now be able to see information gathered from different clients straight into MySQL and using Analogi.

출처 : www.frlinux.eu

728x90

저작자표시비영리변경금지

webhoneypot: Web Application Honeypot webhoneypot is a DShield Web Application Honeypot offering this honeypot for users to capture automated web application exploits. It is a very simple “semi interactive” honeypot implemented in PHP.webhoneypot project is used to develop the honeypot. Do not use this code to install a honeypot unless you are interested in helping development.Prerequisitesfor installing webhoneypot.dshield.org acco.. 2012. 7. 12.

728x90

webhoneypot is a DShield Web Application Honeypot offering this honeypot for users to capture automated web application exploits. It is a very simple “semi interactive” honeypot implemented in PHP.

webhoneypot project is used to develop the honeypot. Do not use this code to install a honeypot unless you are interested in helping development.

Prerequisitesfor installing webhoneypot.

dshield.org account
Publicly routable IP address that can receive requests on TCP port 80. Dynamic IP addresses are ok, but you should sign up with a dynamic dns provider like dyndns so that you can provide a constant hostname.
Linux or Windows machine with a webserver, PHP5 support and the curl extension installed.

webhoneypot installation section should also be applicable to nearly any LAMP (Linux, Apache, MySQL, PHP) application platform, but the exact paths are taken from Fedora Core, and will need to be altered to match your environment.

Installation is very easy

Extract the archive file honeypot.tgz ( webhoneypot ) to a temporary directory or into the directory for a virtual host that you plan to create.
Edit etcconfig.local and edit the userid (userid=…) and password (password=…) to match your account information for your Dshield login; If you provide the password, the script automatically converts it into a hashed password replacing the password entry. Also, complete the full path to the location where you will be keeping your log files (logdir=…) if different from the default location logs/.
Edit your apache configuration file /etc/httpd/httpd.conf ??
Now copy the four folders and contents into the appropriate folders
Set the appropriate permissions. The userid that your webserver runs under — usually apache — will need read permissions to the template folder. Use the chown command to make apache the owner of the templates folder, then use the chmod command to give the apache user read access to the files. (chmod + r) The apache user will also need write access to the logs folder. Once again change the owner to apache with the chown command and give apache write access with chmod + w.
Test the site. Open a webbrowser and navigate to your webhoneypot site. You should be get back the default template which states that you are using the demo server and welcome to phpmyadmin. Try http://[webhoneypot ip or dns name]/robots.txt and you should get back template 104 which is a robots.txt file. If you get an error instead the most common problems are an incorrect path in one of your configuration files, a permissions problem writing to the logfile, or you did not install the curl extension that is required to post the results back to Dshield. You should be able to determine which one it is by the webpage returned from the server or your logfile if you have one.
Check your logfile. If everything is operating properly, you should see the details of which templates are being matched, and the client request successfully posted to http://isc1.sans.org/weblogs/post.html.
Once you have completed your testing list any operational honeypots under your DShield profile page.
Log in to your account, go to the “my info” page and use the link provided to activate webhoneypot .