12.29.08
Posted in OpenSourceSoftware, Security at 1:51 pm by Edward Bjarte Fjellskål
This post is mostly for the archive.
When digging into the history of Network Intrusion Detection Systems, I found that SHADOW was the first open source IDS out there to my knowledge. I looked around for the source code, but found it hard to find the latest version (1.8). I finally got it, and here it is!
Developed in 1994 for the Naval Surface Warfare Center, it was originally named the “Cooperative Intrusion Detection Evaluation and Response (CIDER) project”. It was later renamed SHADOW (Secondary Heuristic Analysis for Defensive Online Warfare).
To my knowledge, the developers were mainly Stephen Northcutt, Bill Ralph and the Naval Surface Warfare Center. I do find the name Olav Kolbu as the author of some scripts, and since he is also a fellow Norwegian, working at Basefarm, I wrote him a mail, and he was the one who dug up the latest source code of SHADOW 1.8.
There is also an “updated” version named IDABench, written by George Bakos, to be found here: http://idabench.ists.dartmouth.edu/
I highly recommend checking that out on a home network. Very cool visibility.
There is also a Slackware-based ISO by Guy Bruneau that bundles, among other tools, SHADOW and Snort:
http://www.whitehats.ca/downloads/ids/shadow-slack/
Hope this brings joy to others looking for the SHADOW source code.
History class dismissed…
12.17.08
Posted in OpenSourceSoftware, Snort at 11:45 am by Edward Bjarte Fjellskål
I dropped by the Snort forum and couldn’t keep my hands off...
Here are some basic Munin plugins for Snort that graph the output of the perfmonitor preprocessor (enable it in snort.conf).
The snort.conf entry should look something like:
preprocessor perfmonitor: time 300 file /your/path/to/snort.stats pktcnt 5000
Here time 300 is the sampling interval in seconds and matches Munin's five-minute polling, so each poll sees one fresh sample; pktcnt 5000 is how many packets Snort processes between checks of whether that interval has elapsed, which means a sample can lag on a quiet sensor. (Read the perfmonitor section of the Snort manual for the other options and their performance impact.)
Drop Rate:
http://download.gamelinux.org/snort/snort_drop_rate
Pattern Matching:
http://download.gamelinux.org/snort/snort_pattern_match
Traffic speed:
http://download.gamelinux.org/snort/snort_traffic
Alerts:
http://download.gamelinux.org/snort/snort_alerts
Avg KBytes/pkt:
http://download.gamelinux.org/snort/snort_bytes_pkt
Avg Pkts/sec:
http://download.gamelinux.org/snort/snort_pkts
Edit any one of them to graph whatever other column of the perfmon output you want; the plugins are simple enough that this should be easy.
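As an added example (written for this page, not one of the plugins linked above), here is a complete Munin plugin in the same spirit. Instead of hard-coding a column number it looks the column up by name in the '#'-prefixed header line Snort writes at the top of the stats file, so the same script graphs drop rate, pattern-match percentage or any other column by changing one environment variable. The default stats path, the column name pkt_drop_percent and the warning thresholds are assumptions; check the header of your own snort.stats, because column names differ between Snort versions.

```shell
#!/bin/sh
# Added example: Munin plugin that graphs one column of Snort's perfmonitor
# output. Not one of the plugins linked in the post. Assumptions: the stats
# file is the one named in snort.conf, its first line is a '#'-prefixed CSV
# header naming the columns (the Snort 2.8 perfmon layout), and the wanted
# column is called "pkt_drop_percent". Install as
# /etc/munin/plugins/snort_drop_rate and set in plugin-conf.d:
#   [snort_drop_rate]
#   user root
#   env.snort_stats /your/path/to/snort.stats
#   env.snort_column pkt_drop_percent

STATS_FILE=${snort_stats:-/var/log/snort/snort.stats}
COLUMN=${snort_column:-pkt_drop_percent}

# Print the 1-based index of column $2 in the header line of $1; fail if absent.
perfmon_column_index() {
    [ -r "$1" ] || return 1
    awk -F, -v want="$2" '
        /^#/ { sub(/^#/, "", $1)
               for (i = 1; i <= NF; i++) if ($i == want) { print i; found = 1 }
               exit }
        END { if (!found) exit 1 }' "$1"
}

# Print the value of column $2 from the most recent (last) sample line of $1.
perfmon_last_value() {
    idx=$(perfmon_column_index "$1" "$2") || return 1
    awk -F, -v idx="$idx" '
        !/^#/ && NF >= idx { v = $idx }
        END { if (v == "") exit 1; print v }' "$1"
}

# Munin protocol: "config" prints the graph definition, anything else prints
# the value. "U" is Munin's marker for an unknown value (e.g. Snort has not
# written a sample yet), which keeps the graph honest instead of plotting 0.
snort_plugin() {
    case "$1" in
    config)
        cat <<EOF
graph_title Snort packet drop rate
graph_vlabel % of packets dropped
graph_category snort
graph_args --lower-limit 0
drop.label $COLUMN
drop.warning 1
drop.critical 5
EOF
        ;;
    *)
        v=$(perfmon_last_value "$STATS_FILE" "$COLUMN") || v=U
        printf 'drop.value %s\n' "$v"
        ;;
    esac
}

snort_plugin "$1"
```

Looking the column up by name is what keeps the plugin working across Snort upgrades; the perfmon layout has changed between releases, and a hard-coded field number silently graphs the wrong counter when it does.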
And now I will test them myself!
Update:
Here is a picture to give you an idea of how the graphs look:
http://download.gamelinux.org/snort/Snort-Munin-Plugins.png
---
"Measure, don't speculate" -- Unknown
"Premature optimization is the root of all evil" -- Tony Hoare
12.08.08
Posted in OpenSourceSoftware, Linux Distributions, SuSE, Debian, Ubuntu, Redhat, CentOS, Security at 2:32 pm by Edward Bjarte Fjellskål
You might think that you are safe, but something might be lurking on your system…
There are several ways to protect yourself from being 0wned by 5kr1p7 kiddies or more 1337 crackers. But your system might still get 0wned, and you might not know it…
First, you should have a system that can update itself with new security patches and fixes. Red Hat/CentOS, Debian/Ubuntu and most other modern distributions have this functionality, so use it. Keeping packages patched is probably the single best way to prevent unauthorized access to your systems.
Then you should know a thing or two about how to configure your system to be as secure as you need it to be…
If you have a system with lots of user accounts, whether for SSH, FTP, mail or anything else, it may only be a matter of time before someone hijacks an account or two…
If someone gets a login to your server as a normal user, they can misuse your system while generating very little noise, and you might never know about it.
Anyway, back to the point of this post: checking your systems for things you might not know about…
In my basic toolkit, I use chkrootkit, rkhunter (you could also read here), lynis and unix-privesc-check. I also use ClamAV (clamscan) to scan the file system for suspicious files. I also have some one-liners (baked into a bash script) that extract interesting things from the process table and the file system.
For more advanced host-based intrusion detection, I recommend that you look at OSSEC. You could also look at AIDE and similar tools. RPM-based distros like Red Hat, Fedora and CentOS can, to an extent, use the rpm command to verify installed files against the package database (rpm -Va) and package files against their GPG signatures (rpm -K). The caveat is that the rpm binary, its database and the libraries it loads all live on the host being checked, so a rootkit that has patched any of them can hide from this check as well.
I will not go into details on how to use any of the tools that I mentioned. If you care, you should pursue the links and test the tools.
I will give a brief overview (copied and pasted from their websites), so you know a bit about what they are all about:
chkrootkit: chkrootkit is a tool to locally check for signs of a rootkit.
rkhunter: Rootkit Hunter (RKH) is an easy-to-use tool which checks computers running UNIX (clones) for the presence of rootkits and other unwanted tools.
lynis: Lynis is an auditing tool for Unix (specialists). It scans the system and available software, to detect security issues. Beside security related information it will also scan for general system information, installed packages and configuration mistakes. This software aims at assisting automated auditing, software patch management, vulnerability and malware scanning of Unix based systems. It can be run without prior installation, so inclusion on read only storage is no problem (USB stick, cd/dvd).
unix-privesc-check: Unix-privesc-checker is a single bash script that runs on Unix systems. It tries to find misconfigurations that could allow local unprivileged users to escalate privileges to other users or to access local apps (e.g. databases).
ClamAV: Clam AntiVirus is an open source (GPL) anti-virus toolkit for UNIX, designed especially for e-mail scanning on mail gateways. It provides a number of utilities including a flexible and scalable multi-threaded daemon, a command line scanner and an advanced tool for automatic database updates.
OSSEC: OSSEC is a scalable, multi-platform, open source Host-based Intrusion Detection System (HIDS). It has a powerful correlation and analysis engine, integrating log analysis, file integrity checking, Windows registry monitoring, centralized policy enforcement, rootkit detection, real-time alerting and active response. It runs on most operating systems, including Linux, OpenBSD, FreeBSD, MacOS, Solaris and Windows.
Aide: Advanced Intrusion Detection Environment. AIDE is an intrusion detection system that detects changes to files on the local system. It creates a database from the regular expression rules that it finds from the config file. Once this database is initialized it can be used to verify the integrity of the files. It has several message digest algorithms (md5, sha1, rmd160, tiger, haval, etc.) that are used to check the integrity of the file. More algorithms can be added with relative ease. All of the usual file attributes can also be checked for inconsistencies.
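As an added example of the kind of one-liner script mentioned above (written for this page; it is not the author's script and not part of any of the tools listed), here are five checks bundled into shell functions. Each takes its input location as an argument, so the same code runs against / and /proc on a live host or against a copied disk image and saved /proc files during an investigation. The directory patterns, the thresholds and the sample inputs in the test are assumptions.

```shell
#!/bin/sh
# Added example: "what is lurking on this box" checks in the spirit of the
# one-liners mentioned in the post. Not the author's script; the directory
# patterns and the proc layout it expects are assumptions.
# Usage on a live host (as root):
#   find_setid_files /                       diff against a baseline list
#   find_world_writable_dirs /
#   procs_with_deleted_exe /proc
#   listening_ports_from_proc /proc/net/tcp  diff against: netstat -lnt
#   rpm -Va | rpm_verify_triage              RPM-based systems only

# 1. setuid/setgid files. Diff the list against a baseline taken when the box
#    was built; a new entry under /tmp, /var/tmp or a home directory is the
#    classic backdoor left behind after a local privilege escalation.
find_setid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# 2. world-writable directories without the sticky bit: any local user can
#    plant or replace files there.
find_world_writable_dirs() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null | sort
}

# 3. processes whose executable was deleted after start: the kernel appends
#    " (deleted)" to the /proc/PID/exe link target. Droppers that unlink
#    themselves and binaries swapped under a running daemon both show up here.
procs_with_deleted_exe() {
    for exe in "$1"/[0-9]*/exe; do
        [ -L "$exe" ] || continue
        target=$(readlink "$exe" 2>/dev/null) || continue
        case "$target" in
        *" (deleted)") printf '%s %s\n' "${exe%/exe}" "$target" ;;
        esac
    done
}

# 4. listening TCP ports read straight from the kernel table (/proc/net/tcp:
#    state 0A is LISTEN, the port is hex after the colon in local_address).
#    This does not go through netstat or ss, so a port present here but
#    missing from "netstat -lnt" means netstat or its libraries were replaced.
listening_ports_from_proc() {
    awk 'NR > 1 && $4 == "0A" { split($2, a, ":"); print a[2] }' "$1" |
    while read -r hex; do printf '%d\n' "0x$hex"; done | sort -n | uniq
}

# 5. triage of "rpm -Va" output on stdin: keep only files under the system
#    binary/library directories whose digest ('5' in column 3 of the flags) or
#    mode ('M' in column 2) no longer matches the package. Config ('c') and
#    doc ('d') files change legitimately and are dropped. Remember that rpm,
#    its database and libc all live on the box being checked; on a suspected
#    root compromise, verify from clean media instead.
rpm_verify_triage() {
    awk '
        $1 == "missing" { next }
        substr($1, 3, 1) == "5" || substr($1, 2, 1) == "M" {
            if ($2 == "c" || $2 == "d") next
            if ($NF ~ /^\/(usr\/)?(s?bin|lib|lib64)\//) print
        }'
}
```

None of these checks proves a system is clean; they are cheap ways to find the obvious, and each one reads data the attacker can also tamper with, which is why the forensic-mode advice below still applies once something turns up.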
If you find anything suspicious (like a rootkit), you should switch to “forensic mode”, as you can no longer trust the system or its installed binaries. Read more here about computer forensics.
If you still do not trust your system, you can Snort your network traffic, or better yet, have a full-blown Sguil installation in front of your network/servers. If you get even more paranoid, you should probably shut down the system and go fishing…
Any suggestions on other useful tools are welcome!
12.01.08
Posted in OpenSourceSoftware, Security, Metasploit at 7:59 am by Edward Bjarte Fjellskål
I have been spending some time digging into the Metasploit Framework over the last two days. I first downloaded Metasploit at the beginning of this year, and simply used/tested it at home or in the lab at work. Metasploit is under rather rapid development, and I don’t know how the lads developing Metasploit have time to sleep…
Well, after poking my hands into it for two days, I finally made myself an Auxiliary and an “Exploit”! That includes laying my hands on Ruby for the first time in my life.
The Auxiliary I made is a simple MySQL login. It uses the username root as default, with no password (well, someone probably has ‘root’@‘%’). I’m working on making it more dynamic, because right now one cannot change the password, as I haven’t got Ruby in my blood yet :/ and keep bumping into minor challenges.
The “exploit” I did was just to see if I could make one, and as I was playing with MySQL… I implemented the MySQL authentication bypass vulnerability found by NGSSecurity and published in July 2004 (so old that it has to be legal to make such an exploit?).
I have not done a mysql-cli inside the msf, so it really only checks for the vulnerability (logs in and exits). It does not give you a shell or load any payloads or whatever.
Looking at other Auxiliaries and Exploits in the msf3.3-dev framework, it was surprisingly easy getting something up and running. This is truly a great framework. (This is the place to start if you want to develop something of your own!)
Here are some bumps I bumped into along the way, and also mental notes to myself:
* Place all your custom made stuff here : ~/.msf3/modules/
* Make your own Modules/Auxiliary/Stuff in
~/.msf3/modules/<TYPE>/yourmodule.rb
Where <TYPE> is exploit/payload/encoder/nop/auxiliary.
This is new behavior in 3.2/3.3-dev and is not documented yet.
* There are two ways to add a core resource :
1) If you really want to, the way to do it is by setting the MSF_LOCAL_LIB
environment variable to something like ~/.msf3/lib and then creating
~/.msf3/lib/msf/core/exploit/yourstuff.rb and in your exploit module, doing:
require "msf/core/exploit/yourstuff"
include Exploit::Remote::Yourstuff
2) Just add it to msf3.3/lib/msf/core/exploit/yourstuff.rb and “require” it in msf3.3/lib/msf/core/exploit.rb
I hope, and I strongly recommend, that people contribute modules to the Metasploit Framework. It would also be great to see more PoCs released in the MSF, now that MSF is under such a nice and free BSD license.
I would like to thank H D Moore for taking the time to answer my n00b emails and my question in such a good, patient and quick way. (And I believe he is on vacation too!!!)
Resources:
http://metasploit.com/
http://www.rubycentral.com/book/