Skip to main content

ScriptKiddy IDS

I have been dorking with IDSs since the late 1990ies, and really got involved with SNORT when I used it to corroborate the data for the IDS I built for my Master's Thesis.  Anyway, IDSs have never really been easy to set up and monitor. 

So what I use at home most often is the bootable Knoppix type.  This avoids the problems of setup, which can be a HUGE pain.  For instance, to get Sguil, one of my favorite GUIs for Snort, to run, you'll need to get Sguil, Libpcap, Libnet, Snort, P0f, tcpflow, and maybe a few other things to work together.  I have tried on a couple of occasions to get this to work, and gave up because of all the dependencies required, which I could never get to flush out.  

I have gotten BASE to work as a GUI into Snort, and it is OK, but I gotta say that I really like Sguil, and wanted that, especially after reading The TAO of Network Security Monitoring.   That is when I found the  Sguil Knoppix CD.   When typing this blog, I noticed that my old iso CD (ver 1.0) has been superseded by the securix-nsm.

I have yet to try the new Securix NSM, so if anyone beats me to the punch, leave me a post.  

Since they no longer post their instructions for the old Squil Security Monitor CD, here is the quick instructions.  This will not allow you to tailor anything, but it will get you started fast.  Note, these are the instructions for the OLDER Iso, because that is what I'm using.   

boot with
#linux ip=10.10.10.10 systemtype=console hostname=whatever

#/etc/init.d/mysql start
#/etc/init.d/ntop.default start
#/etc/init.d/apache2 start
#/etc/init.d/sguild start
#sensor default start

#sguilc 
This will bring up a dialog box:
Sguildhost: localhost
Sguild port: 7734
username: sguil
password: password

to view with BASE:  right-click for menu, select Firefox (ignore the errors)
userid: admin
password: password

to view NTOP results:  click on NTOP bookmark

That is it.  Here are the FULL quick instructions, which I've pulled from the wayback machine:


a. ALL-IN-ONE

For people new to knoppix-nsm this is the best place to start. Here you can be up in and running in minutes with a complete server/sensor/console environment.
Note: If you run this in a noisy network environment you will fill up your RAM/swap very qucikly.

Step 1 - Boot

When you are greeted with the boot screen you have two options:
  1. Hit enter and boot with the system defaults, or
    boot>
  2. you can customise the ip address (Class C network address automatically set), system type (systemtype) and hostname when booting to the live CD,
    boot> linux ip=192.168.77.1 systemtype=console hostname=securix
The default settings:
  • systemtype: sersen (server/sensor) this is used to define default firewall policies
  • IP: 192.168.100.1.
  • network: 192.168.100.0

Step 2 - Start System Processes

Note: Before you proceed with the following instructions ensure you have the network configured for your environemnt, by default you will only be able to access resouces on the 192.168.100.0 network. The default firewall on a sersen will be blocking all new outbound connections except icmp. See Netwok Setup quick guide if you want to make changes, for more details on the firewall see the firewallsection in architecture page for more details on the default policies.
Successfully booted?
You should now be looking a the default fluxbox environment. By defalt the all-in-one server/sensor configuration will log output to both the snort db (for BASE) and sguild db and monitor on eth0.
  1. Open a root console (right click for menu),
  2. Start MySQL,
    # /etc/init.d/mysql start
  3. Start Apache web server,
    # /etc/init.d/apache2 start
  4. Start the Sguil server,
    # /etc/init.d/sguild start
  5. Start the Sguil-sensor, the following script will start all the processes required for a sensor, in the right sequence. If you want to start individual processes manually see the Architecture page for details on which scripts to use and the best sequence to start them in to minimise problems.
    # sensor default start
  6. Start ntop, Caution: Live CD - by default the previous step will not start ntop on the live CD. Starting ntop with everything else already running may cause the system to slow to a stand still. The following will start ntop, if you experince system slow down and want to test ntop stop the sensor first.
    # /etc/init.d/ntop start
If all went well you should have seen the following results.
All processes

Step 3 - Start Sguil client

Now we want to start looking at events.
  1. Open a console (non-root) and enter
    # sguilc
  2. or right click menu ->NSM->Sguil Cllent
  3. Sqguil Login
  4. Log in with the following details, (take note of ssl option, all connections are ssl encrypted)
    host:localhost (defualt)
    port:7734 (default)
    username: sguil
    password:password
    OpenSSL:selected (default)
You should now be looking at the sguil console and ready to start your journey into the world of NSM and sguil.

Step 4 - Start BASE client

By default, knoppix-nsm also logs data for viewing with BASE, aka snort compitable database. Although this is not recommeded as it can slow snort down by having to log two different types of output, it is great for demonstration purposes.
  1. Start firefox (right click for menu, uder NSM submenu),
  2. click the base option on the bookmark toolbar or enter the following url, (take note of https, all web connections are ssl encrypted)
    localhost/base/
  3. Login in,
    username: admin
    password: password
base_login
You can now begin to navigate around and view events with base.

Step 5 - View Statistical data with Ntop

Ntop is busy collecting network statistical data for us that can be used to help identify network normalcy patterns and anomalous activities. Ntop gives us a little bit more to help in the identification of false positives.
  1. click the ntop option in the bookmark toolbar or enter the following url, (take note of https, even ntop is configured with ssl)
    localhost:3000/

Step 6 - Test it

To test everything works you will need to generete an alert, this is easy to do as all the snort alerts are enabled by defaults so a ping will do. You can do this in one of two ways:
  1. Ping from this box to another host on the network, assuming you have the network configured properly, or
  2. Ping between two hosts on the segment you are monitoring (assumes you are not on a switch, no point being there anyway as you will only see broadcast traffic).
If you were able to send out/receive pings then you should neow see alerts in the sguil and BASE console along with traffic in ntop.


Comments

Popular posts from this blog

HP c6180 Printer and Vista

Hp c6180 driver issues with Vista Home Premium My wife has a Vista Home Premium laptop, and the HP C6180 Photosmart printer keeps disappearing from her available printers.  The only way I've found to fix the problem is to reinstall all the HP software. When I do this, I have to download the (large..507M software from HP, or reinstall the printer (ONLY the printer, not the scanner) with the installation disk, as the drivers are not discovered with a "Windows Update" setting.  My guess is that is because HP doesn't like people to install only the printer driver, which would be easy, but they want folks to install all their crapware as well, so they are withholding the drivers from the on-line Microsoft printer database.  So keep your installation CD!  I've also found that unless I install everything on the CD or in the Full Version download (HP Customer Participation Program, HP Imaging Device functions, HP OCR SW, HP All-In-one SW, HP Photosmart Essential, HP

atftpd vs tftpd-hpa

Recently I was trying to tftp files from a Windows computer to a Kali box.   One version of Windows worked, but another didn't.    After much troubleshooting, here were my symptoms: I could tftp a file from-to any Kali box from-to another Kali box I could NOT tftp files to a specific Windows 7 box from any Kali box I could NOT tftp files to a Chrooted-Ubuntu-Chromebook box from a Kali box After MUCH troubleshooting, going through every setting in atftpd, it seemed like it literally was a client OS problem.  Different clients simply would not download files---unacceptable. Thus, I switched to tftpd-hpa.   To install: apt-get install tftpd-hpa files go to/come from /srv/tftp, but it needs to be a tftp user. Thus, I needed to: chroot -R /srv/tftp Also, if you want to be able to put files ON the tftp server (from a client), you need to modify /etc/default/tftpd-hpa: change "TFTP_OPTIONS="--secure"  to "TFTP_OPTIONS="--secure --create" I al

Security Onion on the Antsle

My Setup of Security Onion on the Antsle: Recently my IDS box, an Intel Atom D2500 Fanless Mini-ITX PC, D2500CCE, died.  Truth be told, I think it came from the factory in a bad state, as I originally thought I had a bad graphics driver, but I then noticed that, after much troubleshooting, it wasn't a driver issue at all.  The box just sometimes wouldn't boot up correctly with video.  It seems heat related, something like not enough thermal paste on the CPU, as after it is powered off for a while it is more likely to boot than when it is warm.  Along with that issue, this box maxed out at 4GB of RAM (only has 2 memory slots, each of which will only take a 2GB card max) and had a single processor, so it was under powered for Security Onion. So, I decided to quit limping along on P.O.S. boxes, and buy a little more heavyweight box for my networked IDS.   Security Onion requires a minimum of 8GB of RAM, and 4 cores per their specs page https://github.com/secur