
WRT Unified Threat Monitor

Check out the packetprotector firmware.  http://packetprotector.org/

This is also a good read:  https://packetprotector.org/trac/wiki/DocumentationHome

I wanted to try this on a WRT, and after the revival of the bricked router below, I had some confidence that I'd be able to recover from a firmware failure, so I replaced the Linksys firmware with the packetprotector-openwrt-wrt54g-2.4-squashfs.bin image.   

Upon booting, I couldn't log in with a browser.  I tried to ssh in, and that worked.  I was greeted with the following display:



After I was in and changed the password, I tried to log in with a browser again.  No luck.  But I tried with https://192.168.1.1, and that worked.  Well, it worked for a little while.   It suddenly stopped me from logging in via a web browser.  I couldn't get in no matter how many times I tried.  Apparently, there are bugs with the version I installed.  I tried to erase the NVRAM by holding down the reset button, no success.  I tried to tftp up new firmware, no success.  I guess it was a good thing I had the JTAG cable, as this seemed like the only way to get rid of the buggy firmware!

I plugged the JTAG cable in and erased the NVRAM and flash, and then tftp'd up the packetprotector openwrt-wrt54g3g-2.4-squashfs.bin firmware.  Upon booting, I was able to ssh into the router and got a screen like the one above.  After I changed the root password, I tried to https in.  I couldn't.  After much trial and error, I discovered that I could https in if I first entered root/packetprotector (the default password), and when it prompted me again, entered root/thenewrootpassword.   Strange.  So I tried to change the root password using the https GUI, and then it quit prompting me at all!  Again, this seemed a bit buggy.  I noticed that there was no IDS tab on the packetprotector light version.   Darn!  It only had an IPS.  That screen looked like the below.


Since I already had a Snort account, I input my Oink code in the settings tab, and all the Snort signatures were downloaded to the router.  


The above LOOKS like it downloaded new rules, and perhaps it did.  But after searching through the entire OS, I only found the same bittorrent, community-web-client, example, and local rules.  Nothing else.  The full (non-light) version of PacketProtector does ClamAV and more, but the light version doesn't have as much.  So I figured I'd put the rules on the router by hand.  When I manually downloaded the current Snort rules, they were 93MB, so the update via the GUI evidently only refreshes the rule files you already have; it does not add any new rule set to the /packetprotector/etc/snort/drop-rules/ directory.  

So, I moved a rule set over with
$scp backdoor.rules root@192.168.1.1:/tmp/  and gave the root password when prompted.

Then I moved the backdoor.rules to the /packetprotector/etc/snort/drop-rules/ directory, and voila!  It was added to the in-line Snort list.  Clicking on it let me view the rule.  To enable it, I had to add the following line in the snort.conf file:
include $RULE_PATH/backdoor.rules  and then chmod +x to make the file executable

To test it, I added a simple ping drop rule, like so:
alert icmp $HOME_NET 1024: -> EXTERNAL_NET any (msg:"Ping sent and dropped"; security-ips drop; classtype:not-suspicious; sid:2000000; rev:1; )

When I exited the prompt, the window kind of hung.  Strange.   I rebooted the router.  

Then I sent a ping.  Strangely enough, it worked and I got no alerts!  So I modified the test alert to:
drop icmp any any <> any any (msg:"Ping sent and dropped"; sid:1000001; )
When trying to save my file I got an error that there was no space left on the device.  Ugh.  Below shows the router out of space.

root@PacketProtector:/packetprotector/etc/snort/drop-rules# df
Filesystem           1k-blocks      Used Available Use% Mounted on
none                      4096       360      3736   9% /tmp
/dev/mtdblock/4            512       452        60  88% /jffs
mini_fo:/jffs             2752      2752         0 100% /

It appears that if I want a good IDS (Snort), and a set of realistic rules, I'll have to run the WRTSL54GS, which means spending another hundred dollars.  Ouch!   But, to just get this up and running in case I wanted to run my own home-rolled rules, I kept at it.

So I started over from scratch.  I hooked up the JTAG cable and nuked the CFE (BIOS), firmware, and NVRAM.  I tftp'd up the original Linksys firmware and made sure it worked fine.  I then used the Linksys browser interface to load the packetprotector-openwrt-wrt54g-squashfs.bin firmware (but changed the filename to start with FW, to get past its file name check).  The router then booted into PacketProtector, and I changed the interfaces, password, etc.  I then uploaded the new Snort rules with my Oink code, as shown above.  Then I changed the ping rule in /packetprotector/etc/snort/drop-rules/local.rules to look for pings, and tested it.  It worked great!  Here's a screenshot:


So, I got Snort in-line not just as an IDS but as an IPS (it can be either, using "alert" or "drop" as necessary) working on the WRT54GL, and I can put whatever rules I want in the /packetprotector/etc/snort/drop-rules/ directory.  But remember, space is limited, so keep the rules small!  This works great for small-scale IDS monitoring, but if I were to make it operational, I would have to add storage of some type (probably a hardware hack to attach an SD card reader to the WRT).  That is not really because the flash is only good for 10K to 100K writes (which is true, but as far as I can tell the IDS writes its alerts to RAM); it is because there is practically NO storage on the router itself, so running the full Snort ruleset (93MB as of this writing) is impossible.  So this IDS/IPS is good for home monitoring with home-spun or very small rulesets, but not much else.  Still, it's better than not having an IDS at all, and it won't slow my traffic the way a traditional IDS hanging off a hub would.
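As an added example (not code from this post or from PacketProtector), here is a small Python checker to run over a local rules file before copying it into /packetprotector/etc/snort/drop-rules/: it parses Snort 2.x rule headers, flags the kinds of mistakes in the first ping rule above (a net variable without its $, ports on an icmp rule, a missing or duplicate sid), rewrites alert to drop for in-line IPS use, and checks the file against the free 1k-blocks df reports on /jffs. The sample rules inside are constructed for the example.

```python
import re
# Constructed sample rules file in the style of the page's local.rules test rule; not from the page.
SAMPLE_RULES = """\
# local.rules (constructed sample)
alert icmp any any <> any any (msg:"Ping seen"; sid:1000001; rev:1;)
drop tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"Telnet inbound"; sid:1000002; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"IRC outbound"; sid:1000003; rev:1;)
"""
RULE_RE = re.compile(  # Snort 2.x rule header: action proto src sport dir dst dport (options)
    r'^(?P<action>alert|drop|sdrop|reject|log|pass)\s+(?P<proto>\S+)\s+'
    r'(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
def parse_rules(text):
    """One dict per rule line; comments and blank lines are skipped."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a Snort rule: {line}")
        rule = m.groupdict()
        rule['sid'] = int(s.group(1)) if (s := SID_RE.search(rule['opts'])) else None
        rule['line'] = line
        rules.append(rule)
    return rules

def check_rules(rules):
    """Mistakes that make Snort reject the file or leave a rule silently never firing."""
    problems, seen = [], set()
    for r in rules:
        if r['sid'] is None or r['sid'] in seen:
            problems.append(f"missing or duplicate sid: {r['line']}")
        seen.add(r['sid'])
        for f in ('src', 'dst'):  # a variable such as EXTERNAL_NET written without its '$'
            if r[f].isupper() and not r[f].startswith('$'):
                problems.append(f"sid {r['sid']}: variable {r[f]} is missing '$'")
        if r['proto'] == 'icmp' and (r['sport'], r['dport']) != ('any', 'any'):
            problems.append(f"sid {r['sid']}: icmp rules take no ports")
    return problems

def to_ips(text):
    """Rewrite 'alert' actions to 'drop' so the same file blocks traffic when Snort runs in-line."""
    return re.sub(r'^alert\b', 'drop', text, flags=re.MULTILINE)

def fits_in_jffs(text, free_kblocks):
    """True if the file fits in the free 1k-blocks that df reports for /jffs (60 on the router above)."""
    return (len(text.encode()) + 1023) // 1024 <= free_kblocks
```

Run check_rules(parse_rules(open('local.rules').read())) on the file you are about to scp over and fix anything it reports before adding the include line to snort.conf.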

