Check out the packetprotector firmware. http://packetprotector.org/
This is also a good read: https://packetprotector.org/trac/wiki/DocumentationHome
I wanted to try this on a WRT, and after the revival of the bricked router below, I had some confidence that I'd be able to recover from a firmware failure, so I replaced the Linksys firmware with the packetprotector-openwrt-wrt54g-2.4-squashfs.bin image.
Upon booting, I couldn't log in with a browser. I tried to ssh in, and that worked. I was greeted with the following display:
After I was in and changed the password, I tried to log in with a browser again. No luck. But I tried with https://192.168.1.1, and that worked. Well, it worked for a little while. It suddenly stopped me from logging in via a web browser. I couldn't get in no matter how many times I tried. Apparently, there are bugs with the version I installed. I tried to erase the NVRAM by holding down the reset button, no success. I tried to tftp up new firmware, no success. I guess it was a good thing I had the JTAG cable, as this seemed like the only way to get rid of the buggy firmware!
I plugged the JTAG cable in and erased the NVRAM and flash, and then tftp'd up the packetprotector openwrt-wrt54g3g-2.4-squashfs.bin firmware. Upon booting, I was able to ssh into the router and got a screen like the one above. After I changed the root password, I tried to https in. I couldn't. After much trial and error, I discovered that I could https in if I first entered root/packetprotector (the default password), and when it prompted me again, entered root/thenewrootpassword. Strange. So I tried to change the root password using the https GUI, and then IE quit prompting me at all! Again, this seemed a bit buggy. I noticed that there was no IDS tab on the packetprotector light version. Darn! It only had an IPS. That screen looked like the one below.
Since I already had a Snort account, I input my Oink code in the settings tab, and all the Snort signatures were downloaded to the router.
The above LOOKS like it downloaded new rules, and perhaps it did. But after searching through the entire OS, I only found the same bittorrent, community-web-client, example, and local rules. Nothing else. The full (non-light) version of PacketProtector does ClamAV and more, but the light version doesn't have as much. So I figured I'd put the rules on the router by hand. When I manually downloaded the current Snort rules, they were 93MB in size, so the update via the GUI only refreshes the rules you already have; it does not add any new rule set to the /packetprotector/etc/snort/drop-rules/ directory.
So, I moved a rule set over with:
$ scp backdoor.rules root@192.168.1.1:/tmp/
and gave the password when prompted.
Then I moved the backdoor.rules to the /packetprotector/etc/snort/drop-rules/ directory, and voila! It was added to the in-line Snort list. Clicking on it let me view the rule. To enable it, I had to add the following line in the snort.conf file:
include $RULE_PATH/backdoor.rules
and then ran chmod +x to make the file executable.
To test it, I added a simple ping drop rule, like so:
alert icmp $HOME_NET 1024: -> EXTERNAL_NET any (msg:"Ping sent and dropped"; security-ips drop; classtype:not-suspicious; sid:2000000; rev:1; )
When I exited the prompt, the window kind of hung. Strange. I rebooted the router.
Then I sent a ping. Strangely enough, it worked and I got no alerts! So I modified the test alert to:
drop icmp any any <> any any (msg:"Ping sent and dropped"; sid:1000001; )
When trying to save my file I got an error that there was no space left on the device. Ugh. Below shows the router out of space.
root@PacketProtector:/packetprotector/etc/snort/drop-rules# df
Filesystem           1k-blocks      Used Available Use% Mounted on
none                      4096       360      3736   9% /tmp
/dev/mtdblock/4            512       452        60  88% /jffs
mini_fo:/jffs             2752      2752         0 100% /
It appears that if I want a good IDS (Snort), and a set of realistic rules, I'll have to run the WRTSL54GS, which means spending another hundred dollars. Ouch! But, to just get this up and running in case I wanted to run my own home-rolled rules, I kept at it.
So I started over from scratch. I hooked up the JTAG cable, nuked the CFE (BIOS), firmware, and NVRAM. I tftp'd up the original Linksys firmware and made sure it worked fine. I used the browser interface to download the packetprotector-openwrt-wrt54g-squashfs.bin firmware (but changed the filename to start with FW, to get past the file name checking conventions). The router then booted into PacketProtector, and I changed the interfaces, password, etc. I then uploaded the new Snort rules with my Oink code, as shown above. Then I changed the ping rule in /packetprotector/etc/snort/drop-rules/local.rules to look for pings, and tested it. It worked great! Here's a screenshot:
So, I got Snort in-line not just as an IDS, but as an IPS (it can be either, using "alert" or "drop" as necessary), working on the WRT54GL, and can put whatever rules I want in the /packetprotector/etc/snort/drop-rules/ directory. But remember, this is limited for space, so keep the rules small! This works great for small-scale IDS monitoring, but if I were to make it operational, I would have to include storage of some type (probably a hardware hack to install an SD card reader in the WRT). This is not really because the flash is only good for 10K to 100K writes (which is true, but as far as I can tell the IDS writes the alerts to RAM). However, there is practically NO storage on the router itself, so if you want to run the full Snort ruleset (as of this writing 93MB in size), it is impossible. So this IDS/IPS is good for home monitoring with home-spun or very small rulesets, but not much else. But it's better than not having an IDS at all, and this won't slow my traffic like a traditional IDS on a hub would.
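As an added example (not PacketProtector's or Snort's own code), here is a small Python pre-flight check to run on a rule file before copying it onto the router: it flags the kinds of problems seen in the first test rule above (a network variable missing its $, port fields on an ICMP rule, an option keyword Snort 2.x does not recognise), and compares the file's size with the free space that df reports for the overlay root. The option list, the sid >= 1000000 convention for local rules, and the df sample are assumptions; the df figures are constructed to match the numbers quoted above.

```python
import re

# Rule header: action proto src sport direction dst dport ( options )
HEADER = re.compile(r'^(alert|drop|sdrop|reject|log|pass)\s+(\w+)\s+(\S+)\s+(\S+)\s+'
                    r'(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')
NET_VARS = {'HOME_NET', 'EXTERNAL_NET'}      # bare names without "$" are not expanded
KNOWN_OPTS = {'msg', 'sid', 'rev', 'classtype', 'reference', 'metadata', 'priority',
              'content', 'nocase', 'flow', 'itype', 'icode', 'dsize'}  # assumed subset

def lint_rule(rule):
    """Return a list of problems found in one Snort 2.x rule line (empty = looks fine)."""
    m = HEADER.match(rule.strip())
    if not m:
        return ['header does not parse']
    _, proto, src, sport, _, dst, dport, opt_text = m.groups()
    problems = ['%s is missing its leading $' % v for v in (src, dst) if v in NET_VARS]
    if proto == 'icmp' and (sport, dport) != ('any', 'any'):
        problems.append('icmp has no ports: both port fields must be "any"')
    # Options are ";"-separated; this simple split assumes no ";" inside the msg text
    opts = dict(o.strip().partition(':')[::2] for o in opt_text.split(';') if o.strip())
    problems += ['unknown option "%s"' % k for k in opts if k not in KNOWN_OPTS]
    if 'sid' not in opts:
        problems.append('missing sid')
    elif not opts['sid'].isdigit() or int(opts['sid']) < 1000000:
        problems.append('local rules should use a numeric sid >= 1000000')
    return problems

def available_kb(df_output, mount):
    """Parse BusyBox df output and return the Available column (KB) for one mount point."""
    for cols in (line.split() for line in df_output.splitlines()[1:]):
        if len(cols) >= 6 and cols[5] == mount:
            return int(cols[3])
    raise ValueError('mount %s not listed' % mount)

def rule_file_fits(rule_text, df_output, mount='/'):
    """True if the rule file would fit in the free space df reports for the mount."""
    return len(rule_text.encode()) <= available_kb(df_output, mount) * 1024

# Constructed df sample matching the figures quoted in the post
DF_SAMPLE = """Filesystem 1k-blocks Used Available Use% Mounted on
none 4096 360 3736 9% /tmp
/dev/mtdblock/4 512 452 60 88% /jffs
mini_fo:/jffs 2752 2752 0 100% /"""
FIRST_RULE = ('alert icmp $HOME_NET 1024: -> EXTERNAL_NET any '
              '(msg:"Ping sent and dropped"; security-ips drop; '
              'classtype:not-suspicious; sid:2000000; rev:1; )')
SECOND_RULE = 'drop icmp any any <> any any (msg:"Ping sent and dropped"; sid:1000001; )'
```

Running lint_rule over the two test rules from the post reports three problems for the first and none for the second, and rule_file_fits shows that with 0 KB free on / even a one-line rule file cannot be saved.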