01.15.10

sidrule update (yes, so soon!)

Posted in Information, OpenSourceSoftware, Security, Sguil, Snort, Suricata, Sourcefire at 9:55 am by Edward Bjarte Fjellskål

A friend of mine at Sourcefire, Jim, made some comments yesterday on my little bash script. He wanted to be able to search through the msg field of a Snort rule, and to enable or disable rules based on that search.

Also, with Alex Kirk’s last blog post fresh in mind, I had the thought of enabling rules based on one of the three default policies Sourcefire maintains: Connectivity Over Security, Balanced, and Security Over Connectivity. And since all the logic was already there, why not add support for classtype as well…

So I added three new ways to search through the rules: by the msg, classtype and metadata fields.

You can enable or disable rules in a bunch, say all rules that have “RPC portmap” in the msg field, or “Security Over Connectivity” in the metadata field. You can also do it by classtype, say “attempted-user” or “attempted-admin”.

The script also supports walking through the matched rules and enabling, disabling or skipping (doing nothing to) them rule by rule.

# sidrule -p policy security-ips drop
Bash'ed together by edward.fjellskal@redpill-linpro.com

[*] Found 4224 rules in 39 rule files.
[*] Searchterm: metadata:"policy security-ips drop"
[*] Disable ALL rules (y/N)?
[*] Enable ALL rules (y/N)?
[*] Enable/Disable rule by rule (y/N)?

# sidrule -s RPC portmap proxy
Bash'ed together by edward.fjellskal@redpill-linpro.com

[*] Found 4 rules in 1 rule files.
[*] Searchterm: msg:"RPC portmap proxy"
[*] Disable ALL rules (y/N)?
[*] Enable ALL rules (y/N)?
[*] Enable/Disable rule by rule (y/N)?

# sidrule -c attempted-admin
Bash'ed together by edward.fjellskal@redpill-linpro.com

[*] Found 894 rules in 41 rule files.
[*] Searchterm: classtype:"attempted-admin"
[*] Disable ALL rules (y/N)?
[*] Enable ALL rules (y/N)?
[*] Enable/Disable rule by rule (y/N)? y
[*] Getting sids from 41 file(s).
[*] (1/41) Getting sids from file: /etc/snort/rules/backdoor.rules
[*] (2/41) Getting sids from file: /etc/snort/rules/bad-traffic.rules
………
[*] (40/41) Getting sids from file: /etc/snort/rules/web-misc.rules
[*] (41/41) Getting sids from file: /etc/snort/rules/web-php.rules
[*] In file: /etc/snort/rules/backdoor.rules
[*] alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR w00w00 attempt"; flow:to_server,established; content:"w00w00"; metadata:policy security-ips drop; reference:arachnids,510; classtype:attempted-admin; sid:209; rev:5;)
[*] Rule 1 of 894
[*] Disable/Enable/Skip rule (d/e/S)?S
[*] Not processing rule..
……….

When I started working on this yesterday, I saw that I should rather do all of this in Perl, but since I had started it in bash (+sed), I decided to finish this version in bash. I need to practice my bash too!

Maybe one day I’ll redo it in Perl or something… But not today :)
The code is still here.

Enjoy, Jim!

01.14.10

sidrule - A simple and fast way to Enable, Disable or Display a Snort/Emerging Threats/Suricata rule

Posted in Information, OpenSourceSoftware, Security, Sguil, Snort, Suricata at 11:39 am by Edward Bjarte Fjellskål

On my private servers and home machines etc. (even my laptop), I run Snort.

I got tired of spawning vim to edit a rule file (disabling/enabling) or sometimes just to read a rule for joy and pleasure…

So I made a simple bash script to solve my small needs…
Output from sidrule:

# sidrule
Bash'ed together by edward.fjellskal@redpill-linpro.com
Usage:
sidrule [list|enable|disable] sid
or
sidrule [ -l | -e | -d ] sid

# sidrule list 15363
[*] In file: /etc/snort/rules/web-client.rules
[*] alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Potential obfuscated javascript eval unescape attack attempt"; flow:established,to_client; content:"eval|28|"; nocase; content:"unescape|28|"; within:15; nocase; content:!"|29|"; within:250; metadata:policy balanced-ips alert, policy security-ips alert, service http; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.cs.ucsb.edu/~marco/blog/2008/10/dom-based-obfuscation-in-malicious-javascript.html; classtype:misc-activity; sid:15363; rev:1;)

# sidrule disable 15363

[*] Found sid:15363 in /etc/snort/rules/web-client.rules:
[*] Disabling:
[*] #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Potential obfuscated javascript eval unescape attack attempt"; flow:established,to_client; content:"eval|28|"; nocase; content:"unescape|28|"; within:15; nocase; content:!"|29|"; within:250; metadata:policy balanced-ips alert, policy security-ips alert, service http; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.cs.ucsb.edu/~marco/blog/2008/10/dom-based-obfuscation-in-malicious-javascript.html; classtype:misc-activity; sid:15363; rev:1;)

# sidrule enable 15363

[*] Found sid:15363 in /etc/snort/rules/web-client.rules
[*] Enabling:
[*] alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Potential obfuscated javascript eval unescape attack attempt"; flow:established,to_client; content:"eval|28|"; nocase; content:"unescape|28|"; within:15; nocase; content:!"|29|"; within:250; metadata:policy balanced-ips alert, policy security-ips alert, service http; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.cs.ucsb.edu/~marco/blog/2008/10/dom-based-obfuscation-in-malicious-javascript.html; classtype:misc-activity; sid:15363; rev:1;)

The git repo is on github.com/gamelinux/sidrule
git clone http://github.com/gamelinux/sidrule.git
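As an added example (not the sidrule script from the repo above), here is the search-by-field logic from the update post and the enable/disable-by-sid logic from this post, written in POSIX shell over a constructed sample rules file. It assumes rules live in $RULES_DIR/*.rules and that a disabled rule is one whose line starts with '#', as in the output above.

```shell
# Added example, not the sidrule script: search rules by msg/classtype/metadata
# and enable/disable a rule by sid, on a constructed rules file so it runs
# offline. Assumes $RULES_DIR/*.rules and '#'-prefixed lines as disabled rules.
RULES_DIR="${RULES_DIR:-$(mktemp -d)}"

# Constructed, shortened sample rules (not the real VRT rule text).
cat > "$RULES_DIR/sample.rules" <<'EOF'
alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR w00w00 attempt"; content:"w00w00"; metadata:policy security-ips drop; classtype:attempted-admin; sid:209; rev:5;)
#alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap proxy attempt UDP"; content:"|00 01 86 A0|"; metadata:policy balanced-ips drop; classtype:rpc-portmap-decode; sid:2090; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT eval unescape"; content:"eval|28|"; metadata:policy balanced-ips alert, policy security-ips alert; classtype:misc-activity; sid:15363; rev:1;)
EOF

# sidrule_search FIELD TERM: print every rule (enabled or not) whose msg,
# classtype or metadata option contains TERM literally. The value is cut out
# of the named option first, so "security-ips" inside a msg string is not a
# metadata hit. Option values holding an escaped ';' are not handled.
sidrule_search() {
  field=$1; term=$2
  for f in "$RULES_DIR"/*.rules; do
    while IFS= read -r line; do
      value=$(printf '%s\n' "$line" | sed -n "s/.*$field:\([^;]*\);.*/\1/p")
      case "$value" in *"$term"*) printf '%s\n' "$line" ;; esac
    done < "$f"
  done
}

# sidrule_toggle enable|disable SID: comment or uncomment the rule with that
# sid in whichever file holds it and print the resulting line. Matching
# "sid:SID;" with the trailing ';' keeps sid 209 from also hitting sid 2090.
sidrule_toggle() {
  action=$1; sid=$2
  for f in "$RULES_DIR"/*.rules; do
    grep -q "sid:$sid;" "$f" || continue
    if [ "$action" = disable ]; then
      sed "/sid:$sid;/s/^\([^#]\)/#\1/" "$f" > "$f.tmp"   # add '#' only once
    else
      sed "/sid:$sid;/s/^#//" "$f" > "$f.tmp"             # strip one '#'
    fi
    mv "$f.tmp" "$f"
    grep "sid:$sid;" "$f"
  done
}

# sidrule_bulk enable|disable FIELD TERM: the "Enable/Disable ALL" answer,
# applied to every sid the search returns.
sidrule_bulk() {
  sidrule_search "$2" "$3" | sed -n 's/.*sid:\([0-9]*\);.*/\1/p' |
    while read -r sid; do sidrule_toggle "$1" "$sid"; done
}
```

Point RULES_DIR at a real rules directory to use it on your own rule set; the sample file is only there so the functions can be tried as-is.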

Hope you find it useful!

01.13.10

Sourcefire 3D - 4.9 (My highlights)

Posted in Information, OpenSourceSoftware, Security, Snort, Sourcefire at 2:53 pm by Edward Bjarte Fjellskål

Sourcefire has recently released version 4.9 of their Sourcefire 3D System. I’m really happy with the changes and improvements they have included in this release. Some of the changes were ones I was looking forward to, as I already had seen some of these smart changes in Snort.

The first improvement that I was eager to try out was the support for multiple policies on one Detection Engine (DE), called Policy by VLAN or Network, or Filtered Policy (I can’t seem to find a consistent name in the 3D documentation or GUI). With the previous 4.8 version, I was unable to segment my inspection sufficiently. This meant that I was generating a few more alerts than I needed, and also using up my sensor’s resources handling this traffic.

For example:
One network hosting 8 web services, and another network hosting 2 web services, both on the same DE. All the web rules that I enabled in the policy for the DE would by default potentially fire for all 10 web services.
When two of the web services are on appliances running the legacy Windows NT 4 Embedded, the RNA recommended rules suggest enabling lots of rules that fire off too many false positives on the other, Linux Apache web servers. My setup needed a good tuning so that web-iis.rules would not fire on Apache services and vice versa, if you get my point. Not a big problem, it just took some time.

With the new multi-policies I can now make a policy for each of the two networks, and RNA recommended rules will give me a better default set to start with (a different RNA recommendation for each network) and a lot fewer false positives, which means less tuning work. It also means fewer false negatives. It is much easier now to tune the rules, as I don’t have to take into account other parts of the network and the effect on them when I enable or disable a rule in a policy. Suppression is also handled in a better way now, as I no longer need to spend time suppressing a rule for one host that is firing false positives while the rule is still needed for other hosts.
There is of course a limitation here: if the amount and variety of services and hosts in one policy is the same as it was in 4.8, you’re back where you started. Also, there is at this point a limit of 8 policies in total on one DE. I wish there were more, so I could split things up further, but hey! Thanks for the 8 I got :)

The second new feature I love is Policy Layers. This basically allows you to create reusable modules of policy configuration, rules, etc., which you can share among different policies. I can now maintain different sets of “rule” policies inside an Intrusion Policy. An example is my set of “strange rules I can’t live without” or “standard rules that should be enabled in all policies”, each in one template that I can now reuse easily!
I also like consulting Sourcefire’s RNA (Real-time Network Awareness) recommended rules, but I like adding more custom rules from the VRT/SEU repo too. Now it’s easier to keep things organized: the RNA recommended rules in one rule policy, my custom “strange rules” in another, more Sourcefire VRT rules in yet another, and finally some Emerging Threats rules in yet another…

Now back to reviewing events…

01.11.10

Full Packet Capture GUI (FPCGUI)

Posted in Information, OpenSourceSoftware, Security, Sguil, Snort, daemonlogger, forensics, cxtracker, Suricata, fpcgui at 11:06 pm by Edward Bjarte Fjellskål

I started a little project of mine that I have been thinking about since the summer of 2008 (also see this post). I saw that it was a problem finding vendors selling a cheap setup for a full packet capture solution. The recommendation was to set up a Linux server on your own, run tcpdump and spool pcaps to disk. Well, once you have all that data, you need some way to manage it. I thought about using sancp to index the connections, and tools like tcpxtract, foremost, dsniff, chaosreader and tcptrace, plus features from xplico, to add some extra value and possibilities on top.

So I started my project back in September 09, calling it FPCGUI (Full Packet Capture Graphical User Interface). It currently supports daemonlogger/tcpdump/sancp for spooling pcaps, with a wrapper script that puts the pcaps in directories named by “year-month-date”. cxtracker or sancp can be used for connection profiling/tracking, writing session data to disk, and I have written fpc-session-loader.pl, which picks up the session data files and inserts them into a MySQL database. If I now want to see all the traffic from one host, I can do a search in my web GUI and get the data. I can run rather interesting queries on all the data from cxtracker/sancp, and get interesting results.

[Screenshot: freebsd search]

I use cxtracker in my setup, as it collects metadata on both IPv4 and IPv6 connections. I have also managed to store IPv4 and IPv6 addresses in the MySQL database in a reasonable and usable way.

[Screenshot: IPv6 search]

I have just finished writing a PHP web GUI where I can enter a search term and get a list (or just a single session if I’m specific enough), click on the session of choice, and up pops a download dialog where I can choose to open the pcap straight away in Wireshark! The pcap of the specific session is carved out of the pcaps for the relevant period (days) in which the session took place. More or less the same functionality you find in a Sguil stack setup. I wrote the PHP GUI in such a way that it can take search terms via a URL, like “?srcip=10.10.10.10&srcport=80” and so on, making it easier to integrate with other applications.

[Screenshot: search1]

Example screenshot of what happens when you click on an event:
[Screenshot: search1]
I have associated the pcap files with ‘Content-Type: application/pcap-capture’ and set Firefox to spawn Wireshark for those files automatically :)
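As an added example (not FPCGUI’s own code) of the carving step described above, in POSIX shell: validate the session fields the GUI receives from the URL, build the BPF filter for both directions, find the “year-month-date” spool directories the session spans, and run tcpdump over them. The PCAP_ROOT layout and the parameter names are assumptions; the input check is there because the values arrive from the query string.

```shell
# Added example, not FPCGUI's own code: carve one session out of the pcaps a
# daemonlogger/tcpdump wrapper spooled into $PCAP_ROOT/<year-month-date>/.
# Assumed: that layout, and that the GUI passes srcip, srcport, dstip, dstport,
# proto and the session's start/end dates straight from the URL query string.
PCAP_ROOT="${PCAP_ROOT:-/var/log/pcap}"

# The URL parameters end up in a tcpdump filter, so accept only address
# characters and an in-range numeric port (a value such as
# "10.0.0.1 or net 0.0.0.0/0" would otherwise silently widen the filter).
fpc_validate() {                                  # IP PORT
  case "$1" in ''|*[!0-9a-fA-F.:]*) return 1 ;; esac
  case "$2" in ''|*[!0-9]*) return 1 ;; esac
  [ "$2" -le 65535 ]
}

# BPF filter matching both directions of the session; returns 1 on bad input.
fpc_bpf_filter() {                                # PROTO SRCIP SRCPORT DSTIP DSTPORT
  case "$1" in tcp|udp) ;; *) return 1 ;; esac
  fpc_validate "$2" "$3" && fpc_validate "$4" "$5" || return 1
  printf '%s and ((src host %s and src port %s and dst host %s and dst port %s)' "$1" "$2" "$3" "$4" "$5"
  printf ' or (src host %s and src port %s and dst host %s and dst port %s))\n' "$4" "$5" "$2" "$3"
}

# Next calendar day of a YYYY-MM-DD date, leap years included, without date(1).
fpc_next_day() {
  y=${1%%-*}; m=${1#*-}; m=${m%-*}; m=${m#0}; d=${1##*-}; d=${d#0}
  case $m in 4|6|9|11) n=30 ;; 2) n=28 ;; *) n=31 ;; esac
  [ "$m" -eq 2 ] && [ $((y % 4)) -eq 0 ] && { [ $((y % 100)) -ne 0 ] || [ $((y % 400)) -eq 0 ]; } && n=29
  d=$((d + 1)); [ "$d" -gt "$n" ] && { d=1; m=$((m + 1)); }
  [ "$m" -gt 12 ] && { m=1; y=$((y + 1)); }
  printf '%04d-%02d-%02d\n' "$y" "$m" "$d"
}

# One spool directory per day from START to END (START <= END), so a session
# that crossed midnight is searched in both days' pcaps.
fpc_pcap_dirs() {                                 # START END (YYYY-MM-DD)
  d=$1
  while :; do
    printf '%s/%s\n' "$PCAP_ROOT" "$d"
    [ "$d" = "$2" ] && break
    d=$(fpc_next_day "$d")
  done
}

# Filter every pcap of those days into one part per source file; merge the
# parts (e.g. with mergecap) and hand the result to Wireshark.
fpc_carve() {                                     # OUTPREFIX PROTO SRCIP SRCPORT DSTIP DSTPORT START END
  filter=$(fpc_bpf_filter "$2" "$3" "$4" "$5" "$6") || return 1
  for pcap in $(fpc_pcap_dirs "$7" "$8" | sed 's|$|/*.pcap|'); do
    [ -f "$pcap" ] || continue
    tcpdump -nn -r "$pcap" -w "$1.$(basename "$pcap")" "$filter"
  done
}
```

Because the filter is passed to tcpdump as a single argument, the remaining risk is BPF expression injection rather than shell injection, which is what fpc_validate's character check closes.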

So now I’m one step closer to having Full Packet Capture with my Sourcefire 3D system! I just need to find out what part of the 3D web GUI code to hack to add my custom <click here to get the pcap of the session that triggered the event> :) Of course I can enter the data manually, but I’m lazy, and I like to hack stuff :)

The project is hosted here. Any thoughts are more than welcome.