Hello,
Lots to talk about, so let's get started.
I finally got around to finishing testing for the new, improved, and much cleaned up build of Autosnort that I had been hyping for a little while. For those who didn't see the last blog post, or the screen shot, I've done a bit of housekeeping with Autosnort.
Instead of puking the output for every single command all over the screen buffer, Autosnort's output has been significantly minimized and cleaned up where it could be cleaned up. Output is now very metasploit-like:
[*] are things that the script is doing
[*] are things the user should pay attention to
[*] are successful results
[*] are unsuccessful results
"Okay, so what if something goes wrong? All I have is a generic 'something went wrong' comment." Well, instead of hoping whatever you need was caught in the screen buffer, autosnort now logs the output of the ENTIRE installation to /var/log/autosnort_install.log, and /var/log/[interface you chose to install here -- for example, snort_install.log], So now, instead of having to hope the screen buffer caught the relevant bits of a problem with my script, you now have an entire log of what the script was actually doing for review, or to send to me to debug the script and get it to work properly.
The script will now actually tell you where I installed things, instead of you having to hunt and guess (sorry about that..)
Additionally, this release sees support for Ubuntu 13.04 and Debian 7. Currently in the process of Verifying support for Kali Linux (Backtrack's newer, younger sibling), but since it's all supposed to based off Debian and follows the Debian software methodology, it should be pretty straightforward.
The child installer scripts all got this little makeover, and as previously mentioned also have logging built in, and write to their own log files in /var/log.
The only thing of note that changed here in addition to the minimizing of output would be that I finally added a prompt to run Aanval's BPU processes on boot via rc.local. That's something I've been meaning to do for a while.
So now that this is over with, the next step would be for me to focus on Getting CentOS updated -- Snorby and the cleaned up autosnort script. That is next up on my plate before enabling anymore features on any platform. period.
After that is finished, here's what I'd like to focus on:
- All web interfaces should have SSL/HTTPS enabled by default. No exceptions.
- Remove database/barebone sensors should have a method to secure database transactions to the "Master Console"
+ some point way far down the line, I want to begin experimenting with p0f. The project has recently gotten some new blood (as mentioned in a recent shmoocon), and there are some interesting possibilities I can think of where p0f and snort could play incredibly well off of one another:
--have p0f run for a set period of time, sample traffic off the network, fingerprint operating systems and write results to a database
--script something out that takes the database results and helps write frag3/stream5 reassembly policies based off p0f results.
Same as always, the scripts are available via The Autosnort Github Repo
That's about it for now. Happy snorting, hope you enjoy the new release!
DA_667
Showing posts with label snorby. Show all posts
Showing posts with label snorby. Show all posts
Friday, June 14, 2013
Friday, May 24, 2013
Troubleshooting your Snort deployment
I recently had a discussion with a user new to snort and autosnort who
wanted to know some troubleshooting techniques that can be done to see
if snort is working and/or snorby or the web interface of your choosing
is working. After thinking about it, I decided it might be a good idea
to post my troubleshooting steps here to assist users of snort and
snorby in general to determine if things are working okay.
Before we begin here, realize that there are a number of moving parts with any IDS/IPS deployment. Understanding the basics of networking (OSI/TCPIP stacks, collision domains and/or broadcast domains) really help you in understanding why snort can or cannot see traffic for certain parts of your network. If you have no way of copying traffic from the network segment you want to protect, then snort will not be able to see anything.
Now that I got that part out of the way, there are a couple of basic components in any snort deployment:
1) the network
How busy is your network? If the network isn't particularly active, it may take a while before you see any sort of alerts from snort.
2) the method you are using to pass network traffic to snort
How are you copying traffic to snort's sniffing interface? Do you have an old hub? a professional grade network tap or hobbyist network tap? A switch that can do port mirroring/span ports? Is snort sitting in a VM? does that virtual machine have a way to sniff traffic off of the vswitch?
Any IDS/IPS deployment needs a reliable method to clone/copy traffic off of the network. If you plug snort into a regular switch port or SOHO router, you're usually only going to see broadcast traffic (usually UDP broadcasts, CDP broadcasts, Spanning tree traffic, and ARP requests) and will be absolutely useless to you.
You need to have the equipment or means to copy traffic to snort somehow.
3) Snort itself and how it's configured
If you have a light ruleset (say the balanced ruleset from pulledpork, or the connectivity over security ruleset), you won't be seeing very many alerts, unless those rules are a really big deal, like big enough to be included in those rulesets, and/or if your network is particularly infested with bad traffic.
4) Barnyard2, how it's configured and/or the database it is logging to
Autosnort is configured to use barnyard2 and log to a local database. normally this is the "snort" database, but some web interfaces require their own database (e.g. Aanval uses the aanval database and snort database, snorby uses the snorby database). Does barnyard2's database user have the right access to insert events to the database? does the database user have the right credentials?
For other barnyard2 logging options, such as syslog, is the remote host allowing connections from your sensor's management interface? is the SIEM solution configured to log syslog events properly?
So, to summarize IDS/IPS deployments have a number of parts that have to work together to provide you with a working solution: The network itself, the method you are using to copy network traffic to snort, snort or the IDS/IPS solution you are using and what its configured to alert on, and the method by which you are logging intrusion events (barnyard2/database/syslog).
Here are some basic troubleshooting methods I've devised:
1) are snort processes running? If you're using Snorby or another specialized logging interface, are the processes that interface relies on running?
ps -ef | grep snort
you are looking for this output from ps -ef | grep delayed:
root 1869 1258 0 17:55 pts/0 00:00:00 grep delayed
root 2161 1 0 May18 ? 00:11:01 delayed_job
2) ifconfig -a
-- which interface is snort sniffing traffic on? is it in promiscuous mode?
3)
How are you passing traffic to snort? is snort's sniffing interface
attached to a switch span? a hub? a network tap? if it's a virtual
machine on ESXi or something of that nature, is the vswitch snort is
sniffing off of configured to allow promiscuous mode network cards?
If you're in a corporate environment, and are a proficient network administrator, I'm going to assume you know what a switch span port is. These are also referred to as mirror ports. Most professional grade switches have an option to copy ALL traffic seen on a switch to a single interface. You would plug snort's sniffing interface into this mirror interface for snort to see traffic for that entire network segment.
If you're a security reasearcher and don't have money for a procurve or cisco switch that does port mirroring, here's some awesome alternatives:
http://routerboard.com/RB260GS
This is a 5-port switch from microtik. Very very affordable and capable of port mirroring.
Alternatively, if you want a bigger name-brand switch, I personally use netgear's GS108T switch for my home network, since it was the cheapest switch I was aware at the time that allowed port mirroring:
http://www.newegg.com/Product/Product.aspx?Item=33-122-381&IsVirtualParent=1
An alternative to span/mirror ports are network taps. On the professional/corporate side, Net Optics, Gigamon and several other vendors offer network tap solutions. Often ridiculously priced, but without all of the possible problems that come with setting of span/mirror ports. These devices are solely dedicated to creating exact clones of network traffic passing over the wire and nothing else.
For those on the cheap side, there are several results via google on how to make your own network tap, but be aware that these sorts of taps are usually for 10/100 networks and usually do not support tapping gigabit networks.
Finally for vmware environments, I posted a specialized tutorial on how to "hack" vmware player on how to bridge traffic from one physical interface or another, using the vmnetconfig.exe from vmware workstation (check the pdf document available in my autosnort github if you're interested...)
But for professional deployments or network labs running vmware ESX/ESXi, it's pretty easy to configure a vswitch to allow promiscuous mode nics. That's really all you have to do is change vswitch security settings, allow promiscuous mode NICs and just configure the snort VM to sniff off of that vswitch.
4) run tcpdump on snort's sniffing interface:
tcpdump -i ethX not arp and not port 22
X is the ethernet interface number snort is sniffing traffic on. the "not arp and not port 22" is telling tcpdump to ignore ssh traffic and arp broadcasts.
cat /var/www/snorby/config/database.yml
verify these lines in database.yml:
snorby: &snorby
adapter: mysql
username: snort
password: [same password in the barnyard2.conf file]
host: localhost
development:
database: snorby
<<: *snorby
test:
database: snorby
<<: *snorby
production:
database: snorby
<<: *snorby
the most important lines to check are the dbname: and database: line under production are the same database, and that the password= and password: lines are the same to make sure that barnyard2 and snorby agree on the correct password to use to log to and read from that same database.
If the database lines and password lines match, at the very least, we know that barnyard2 and snorby are talking to the right database.
3) One last check you can perform is to verify that the snort user has the privileges to talk to the snorby database. run this command:
mysql -usnort -p[snort database user's password, no spaces] snorby -e "show tables;"
Hope this helps you all out
Cheers,
DA_667
Before we begin here, realize that there are a number of moving parts with any IDS/IPS deployment. Understanding the basics of networking (OSI/TCPIP stacks, collision domains and/or broadcast domains) really help you in understanding why snort can or cannot see traffic for certain parts of your network. If you have no way of copying traffic from the network segment you want to protect, then snort will not be able to see anything.
Now that I got that part out of the way, there are a couple of basic components in any snort deployment:
1) the network
How busy is your network? If the network isn't particularly active, it may take a while before you see any sort of alerts from snort.
2) the method you are using to pass network traffic to snort
How are you copying traffic to snort's sniffing interface? Do you have an old hub? a professional grade network tap or hobbyist network tap? A switch that can do port mirroring/span ports? Is snort sitting in a VM? does that virtual machine have a way to sniff traffic off of the vswitch?
Any IDS/IPS deployment needs a reliable method to clone/copy traffic off of the network. If you plug snort into a regular switch port or SOHO router, you're usually only going to see broadcast traffic (usually UDP broadcasts, CDP broadcasts, Spanning tree traffic, and ARP requests) and will be absolutely useless to you.
You need to have the equipment or means to copy traffic to snort somehow.
3) Snort itself and how it's configured
If you have a light ruleset (say the balanced ruleset from pulledpork, or the connectivity over security ruleset), you won't be seeing very many alerts, unless those rules are a really big deal, like big enough to be included in those rulesets, and/or if your network is particularly infested with bad traffic.
4) Barnyard2, how it's configured and/or the database it is logging to
Autosnort is configured to use barnyard2 and log to a local database. normally this is the "snort" database, but some web interfaces require their own database (e.g. Aanval uses the aanval database and snort database, snorby uses the snorby database). Does barnyard2's database user have the right access to insert events to the database? does the database user have the right credentials?
For other barnyard2 logging options, such as syslog, is the remote host allowing connections from your sensor's management interface? is the SIEM solution configured to log syslog events properly?
So, to summarize IDS/IPS deployments have a number of parts that have to work together to provide you with a working solution: The network itself, the method you are using to copy network traffic to snort, snort or the IDS/IPS solution you are using and what its configured to alert on, and the method by which you are logging intrusion events (barnyard2/database/syslog).
Here are some basic troubleshooting methods I've devised:
Basic Steps:
ps -ef | grep snort
ps -ef | grep delayed
you are looking for this output from ps -ef | grep snort:
root 1853 1258 0 17:54 pts/0 00:00:00 grep snort
snort 1883 1 0 May18 ? 00:00:47 /usr/local/snort/bin/snort -D -u snort -g snort -c /usr/local/snort/etc/snort.conf -i br0
root 1912 1 0 May18 ? 00:00:53 /usr/local/bin/barnyard2 -c /usr/local/snort/etc/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -D
root 1853 1258 0 17:54 pts/0 00:00:00 grep snort
snort 1883 1 0 May18 ? 00:00:47 /usr/local/snort/bin/snort -D -u snort -g snort -c /usr/local/snort/etc/snort.
root 1912 1 0 May18 ? 00:00:53 /usr/local/bin/barnyard2 -c /usr/local/snort/etc/
you are looking for this output from ps -ef | grep delayed:
root 1869 1258 0 17:55 pts/0 00:00:00 grep delayed
root 2161 1 0 May18 ? 00:11:01 delayed_job
If snort and barnyard2 BOTH are not running, check /var/log/messages (cat /var/log/messages [or /var/log/syslog depending on your distro] | grep snort) to see if you can determine why. Look for error, critical or fatal messages as they indicate reasons why snort or barnyard2 refused to run. We'll talk about snorby's delayed_job process in a moment.
-- which interface is snort sniffing traffic on? is it in promiscuous mode?
You're looking for output that looks something like this
on the interface that snort is sniffing traffic on, pay attention to the
lines in bold face:
eth1 Link encap:Ethernet HWaddr 00:0c:29:8b:bb:ca
inet6 addr: fe80::20c:29ff:fe8b:bbca/64 Scope:Link
UP BROADCAST RUNNING NOARP PROMISC MTU:1500 Metric:1
eth1 Link encap:Ethernet HWaddr 00:0c:29:8b:bb:ca
inet6 addr: fe80::20c:29ff:fe8b:bbca/64 Scope:Link
UP BROADCAST RUNNING NOARP PROMISC MTU:1500 Metric:1
The most important lines above are UP RUNNING PROMISC, because the interface must be up, must be running, and likely should be in promiscuous mode to pick up traffic. the NOARP line isn't entirely necessary, but it's there to ensure that the sniffing interface doesn't respond to arp queries in case attackers are probing the network to try and find your IDS installations.
If you're in a corporate environment, and are a proficient network administrator, I'm going to assume you know what a switch span port is. These are also referred to as mirror ports. Most professional grade switches have an option to copy ALL traffic seen on a switch to a single interface. You would plug snort's sniffing interface into this mirror interface for snort to see traffic for that entire network segment.
If you're a security reasearcher and don't have money for a procurve or cisco switch that does port mirroring, here's some awesome alternatives:
http://routerboard.com/RB260GS
This is a 5-port switch from microtik. Very very affordable and capable of port mirroring.
Alternatively, if you want a bigger name-brand switch, I personally use netgear's GS108T switch for my home network, since it was the cheapest switch I was aware at the time that allowed port mirroring:
http://www.newegg.com/Product/Product.aspx?Item=33-122-381&IsVirtualParent=1
An alternative to span/mirror ports are network taps. On the professional/corporate side, Net Optics, Gigamon and several other vendors offer network tap solutions. Often ridiculously priced, but without all of the possible problems that come with setting of span/mirror ports. These devices are solely dedicated to creating exact clones of network traffic passing over the wire and nothing else.
For those on the cheap side, there are several results via google on how to make your own network tap, but be aware that these sorts of taps are usually for 10/100 networks and usually do not support tapping gigabit networks.
Finally for vmware environments, I posted a specialized tutorial on how to "hack" vmware player on how to bridge traffic from one physical interface or another, using the vmnetconfig.exe from vmware workstation (check the pdf document available in my autosnort github if you're interested...)
But for professional deployments or network labs running vmware ESX/ESXi, it's pretty easy to configure a vswitch to allow promiscuous mode nics. That's really all you have to do is change vswitch security settings, allow promiscuous mode NICs and just configure the snort VM to sniff off of that vswitch.
4) run tcpdump on snort's sniffing interface:
tcpdump -i ethX not arp and not port 22
X is the ethernet interface number snort is sniffing traffic on. the "not arp and not port 22" is telling tcpdump to ignore ssh traffic and arp broadcasts.
while tcpdump is running, on another system on the network, try doing something to generate network traffic (ping google.com,
go to a web page, etc.). did tcpdump see your traffic? If not, you may
need to investigate how you're mirroring traffic to snort.
5) Check and see if the snort.u2 file is greater than 0 bytes:
ls -al /var/log/snort
check the output of the ls command. You're looking for the snort.u2 file, it should look something like this:
-rw------- 1 snort snort 67261 May 19 17:39 snort.u2.1368917933
the
numbr "67261" in the middle is the file's size. If your snort.u2 file
is 0 bytes, that means snort hasn't generated any alerts.-rw------- 1 snort snort 67261 May 19 17:39 snort.u2.1368917933
So those are the basic steps. You confirm that snort is
running, confirm that the interface is in promisc mode, and confirm that
mirroring device is actually pushing traffic to where snort can see it, and confirm snort is logging events.
Snorby-specific troubleshooting steps:
Here's a couple of things you can
try to confirm that barnyard2 and snorby are working together:
1) ps -ef | grep delayed
1) ps -ef | grep delayed
- You are looking for an entry that looks something like this:
root 2161 1 0 May18 ? 00:11:00 delayed_job
root 2161 1 0 May18 ? 00:11:00 delayed_job
if the delayed_job process is NOT running, run this command:
cd /var/www/snorby && ruby script/delayed_job start
cd /var/www/snorby && ruby script/delayed_job start
then run this command to see if the sensor_cache needs to be updated:
cd /var/www/snorby && rails runner 'Snorby::Jobs::SensorCacheJob.new(false).perform; Snorby::Jobs::DailyCacheJob.new(false).perform'
cd /var/www/snorby && rails runner 'Snorby::Jobs::SensorCacheJob.
note: I do not know if you need root permission to run
the commands above, but if the above commands fail without root
privileges, run the command:
sudo su -
sudo su -
to get a shell with root privileges and re-run those commands.
2) you'll want to check the contents of barnyard2.conf and snorby's database.yml to make sure they match:
cat /usr/local/snort/etc/barnyard2.conf
on the log mysql line, check these values and make sure they match:
log,mysql, user=snort password=[password you gave the snort database user] dbname=snorby host=localhostcat /var/www/snorby/config/database.yml
verify these lines in database.yml:
snorby: &snorby
adapter: mysql
username: snort
password: [same password in the barnyard2.conf file]
host: localhost
development:
database: snorby
<<: *snorby
test:
database: snorby
<<: *snorby
production:
database: snorby
<<: *snorby
the most important lines to check are the dbname: and database: line under production are the same database, and that the password= and password: lines are the same to make sure that barnyard2 and snorby agree on the correct password to use to log to and read from that same database.
If the database lines and password lines match, at the very least, we know that barnyard2 and snorby are talking to the right database.
3) One last check you can perform is to verify that the snort user has the privileges to talk to the snorby database. run this command:
mysql -usnort -p[snort database user's password, no spaces] snorby -e "show tables;"
your output should look like this:
+-------------------+
| Tables_in_snorby |
+-------------------+
| agent_asset_names |
| aggregated_events |
| asset_names |
| caches |
| classifications |
| data |
| delayed_jobs |
| detail |
| encoding |
| event |
| events_with_join |
| favorites |
| icmphdr |
| iphdr |
| lookups |
| notes |
| notifications |
| opt |
| reference |
| reference_system |
| schema |
| search |
| sensor |
| settings |
| severities |
| sig_class |
| sig_reference |
| signature |
| tcphdr |
| udphdr |
| users |
+-------------------+
+-------------------+
| Tables_in_snorby |
+-------------------+
| agent_asset_names |
| aggregated_events |
| asset_names |
| caches |
| classifications |
| data |
| delayed_jobs |
| detail |
| encoding |
| event |
| events_with_join |
| favorites |
| icmphdr |
| iphdr |
| lookups |
| notes |
| notifications |
| opt |
| reference |
| reference_system |
| schema |
| search |
| sensor |
| settings |
| severities |
| sig_class |
| sig_reference |
| signature |
| tcphdr |
| udphdr |
| users |
+-------------------+
This confirms that the snorby database exists and that the schema was configured properly during installation.
4) If the snort.u2 file in /var/log/snort is
NOT 0 bytes, and you confirmed the snort database user was able to see
the tables in the snorby database, there's one last set of commands you
can run:
mysql -usnort -p[snort database user's password] snorby -e "select * from event\G;"
if
you get "empty set" as the return value from that command, snorby
doesn't have anything. If you get a bunch of data from this command,
snorby should have events in the "events" tab on the web interface.
you can also run this command:
mysql -usnort -p[snort database user's password] snorby -e "select count(*) from event;"
you should get something like this:
+----------+
| count(*) |
+----------+
| 5284 |
+----------+
I
have a boatload of events, because I have a testing suite that causes
snort to trigger alerts like crazy, but basically, you're looking for
the count number to NOT be 0. If the count is 0 there's no events for
snorby to report on.+----------+
| count(*) |
+----------+
| 5284 |
+----------+
Hope this helps you all out
Cheers,
DA_667
Sunday, May 19, 2013
Autosnorby Follow-up: Support to Debian officially released, distributed installations under testing.
Hello again,
As I had mentioned a few blog posts ago updates to autosnort and/or support for snorby were probably going to be staggered out across platforms, since I have to do testing to ensure that things aren't horribly broken on release, that I have the right packages for the right platform that puts the right stuff in the right place, etc.
That being said, porting over the changes to autosnort and support for snorby to Debian went fast. Like, really fast. I should have figured this would be the case since Ubuntu and Debian share similarity in packages installed and package management utilized. It was almost quite literally a copy/paste job -- copy the code from ubuntu autosnort and it its child shell scripts, integrate it in with debian's existing scripts (and some custom things that Debian needs to work right) and just test it to make sure nothing exploded in a fit of errors and incompatibility.
Therefore, it brings me great pleasure to release a new version of autosnort for Debian as well as a snorby child shell script for Debian-based systems, and code improvements to debian autosnort and child shell scripts.
I'm not going to bother going over all of the changes I made to the script(s), since more or less the changes are practically identical to the ubuntu/autosnorby post I made yesterday (e.g. code cleanup, doing things that make sense to make the code easier to manage, installing relevant packages only when they are needed for a particular interface/function, etc.) except to note that I fixed a small bug in the remote database/experimental distributed sensor installation support (In both Ubuntu and Debian)
Speaking of the distributed installation support, I have a rough guide to doing a distributed install. This is very, very rough right now, expect some official or at least "better" guidance soon:
1. Perform a standard autosnort install on your "master console" system, and choose the interface you wish to install. Bear in mind that aanval requires licensing to support more than one snort sensor, and that snort report doesn't really clearly delinate which sensor an event came from. Reboot.
2. Edit /etc/mysql/my.cnf and reconfigure mysql to accept connections globally (e.g. listen on 0.0.0.0; also note that you'd better have a security measure of some sort up to limit connections to your other sensors (e.g. a firewall) if you plan on having this system accessible in *any* way over the internet)
3. run mysql -uroot -p[password here]
snort@'1.2.3.4' should be the snort database user on the remote sensor you plan to have store events on your master console, likewise the IDENTIFIED BY 'my_password'; should be the password you place into barnyard2.conf to talk to the master console.
4. Run the autosnort installer on your barebones sensor (choose option 2 to NOT install apache or mysql), somewhere down the line, the script will ask if you have a remote database that barnyard2 will be logging into. Enter the username (snort), the remote database name (snort), the remote database ip (e.g. the management interface for your 'master console' sensor), and the password you entered above on the mysql statement on the master console
5. finish the autosnort install (when it gets to the what interface do you want to install phase, just select option 6 for no interface at all.)
6. On the barebones sensor, install mysql-client (apt: apt-get install mysql-client) and try to connect to the database on the master console:
mysql -uroot -psnort -h [master console ip address]
use snort;
show tables;
If you get output, and a list of database tables, that's a very good sign. Otherwise you have some troubleshooting to do. note that by default autosnort installs libmysqlclient to allow barnyard2 to talk to the remote database, however, I'm having you install mysql-client in the event you want to troubleshoot and verify that you can talk to the database as a regular user. libmysqlclient won't let you test things out with manual queries, etc.
I can't re-iterate this enough, but allowing mysql to listen globally opens up some security risks (which is why I've trying to move to having the traffic SSL wrapped and tunneled between sensors/consoles...), so I would most definitely make sure the network your barebone sensor and master consoles are talking over is protected, trusted, and your master console host is firewalled to hell and back, only allowing 3306/tcp connections from your barebone sensors. Know the risks before you take this leap.
Check out the autosnort github and happy snorting!
Cheers,
DA_667
As I had mentioned a few blog posts ago updates to autosnort and/or support for snorby were probably going to be staggered out across platforms, since I have to do testing to ensure that things aren't horribly broken on release, that I have the right packages for the right platform that puts the right stuff in the right place, etc.
That being said, porting over the changes to autosnort and support for snorby to Debian went fast. Like, really fast. I should have figured this would be the case since Ubuntu and Debian share similarity in packages installed and package management utilized. It was almost quite literally a copy/paste job -- copy the code from ubuntu autosnort and it its child shell scripts, integrate it in with debian's existing scripts (and some custom things that Debian needs to work right) and just test it to make sure nothing exploded in a fit of errors and incompatibility.
Therefore, it brings me great pleasure to release a new version of autosnort for Debian as well as a snorby child shell script for Debian-based systems, and code improvements to debian autosnort and child shell scripts.
I'm not going to bother going over all of the changes I made to the script(s), since more or less the changes are practically identical to the ubuntu/autosnorby post I made yesterday (e.g. code cleanup, doing things that make sense to make the code easier to manage, installing relevant packages only when they are needed for a particular interface/function, etc.) except to note that I fixed a small bug in the remote database/experimental distributed sensor installation support (In both Ubuntu and Debian)
Speaking of the distributed installation support, I have a rough guide to doing a distributed install. This is very, very rough right now, expect some official or at least "better" guidance soon:
1. Perform a standard autosnort install on your "master console" system, and choose the interface you wish to install. Bear in mind that aanval requires licensing to support more than one snort sensor, and that snort report doesn't really clearly delinate which sensor an event came from. Reboot.
2. Edit /etc/mysql/my.cnf and reconfigure mysql to accept connections globally (e.g. listen on 0.0.0.0; also note that you'd better have a security measure of some sort up to limit connections to your other sensors (e.g. a firewall) if you plan on having this system accessible in *any* way over the internet)
3. run mysql -uroot -p[password here]
GRANT ALL ON snort.* TO snort@'1.2.3.4' IDENTIFIED BY 'my_password';
snort@'1.2.3.4' should be the snort database user on the remote sensor you plan to have store events on your master console, likewise the IDENTIFIED BY 'my_password'; should be the password you place into barnyard2.conf to talk to the master console.
4. Run the autosnort installer on your barebones sensor (choose option 2 to NOT install apache or mysql), somewhere down the line, the script will ask if you have a remote database that barnyard2 will be logging into. Enter the username (snort), the remote database name (snort), the remote database ip (e.g. the management interface for your 'master console' sensor), and the password you entered above on the mysql statement on the master console
5. finish the autosnort install (when it gets to the what interface do you want to install phase, just select option 6 for no interface at all.)
6. On the barebones sensor, install mysql-client (apt: apt-get install mysql-client) and try to connect to the database on the master console:
mysql -uroot -psnort -h [master console ip address]
use snort;
show tables;
If you get output, and a list of database tables, that's a very good sign. Otherwise you have some troubleshooting to do. note that by default autosnort installs libmysqlclient to allow barnyard2 to talk to the remote database, however, I'm having you install mysql-client in the event you want to troubleshoot and verify that you can talk to the database as a regular user. libmysqlclient won't let you test things out with manual queries, etc.
I can't re-iterate this enough, but allowing mysql to listen globally opens up some security risks (which is why I've trying to move to having the traffic SSL wrapped and tunneled between sensors/consoles...), so I would most definitely make sure the network your barebone sensor and master consoles are talking over is protected, trusted, and your master console host is firewalled to hell and back, only allowing 3306/tcp connections from your barebone sensors. Know the risks before you take this leap.
Check out the autosnort github and happy snorting!
Cheers,
DA_667
Saturday, May 18, 2013
Autosnorby, updates to autosnort, and the updated to-do list
Hello Snort and Autosnort users.
I've got a lot to talk about today, so let's get started.
First and foremost, I've finally managed to work in support for snorby into autosnort. The snorby script installs the necessary packages, a compatible version of ruby (via rvm), all the necessary gems and configures the right files with the right info needed to get snorby up and running. Additionally, I've managed to work out away to drop privileges from the root database user to another user (the snort user in our case)
One thing to be aware of: the delayed_job and the sensor cache jobs do NOT start up on boot. Initial runs of the script had me trying to put commands into rc.local to start the delayed_job and sensorcachejob commands on startup... but they aren't working. I'm working on having a reliable method to start them on boot, but until that is discovered, any time the system is restarted, you'll want to, at a minimum start the delayed_job script:
cd /var/www/snorby && ruby script/delayed_job start
optionally, these commands run the Sensor and Daily cachejobs as well:
cd /var/www/snorby && rails runner 'Snorby::Jobs::SensorCacheJob.new(false).perform; Snorby::Jobs::DailyCacheJob.new(false).perform'
There are options to start the snorby worker process via the web UI, but I find the direct approach to my liking.
Another note is that at first you may notice alerts coming in and displaying properly in the events tab, but the dashboard may not updated at first. If this is the case, on the dashboard page, there is an option to force cache update. Select this option, wait 10 seconds, and reload the page. the graphs should update.
Next up on the list, is the main autosnort script itself. I've done a bit of spring cleaning.
- I've reduced the number of packages installed by default with autosnort.
--By default all we install are the packages necessary to install daq, libdnet, snort, and barnyard 2 with the ability to write to a remote database (more on this in a minute)
--I introduced a quick check that asks the user if they plan on installing a web interface as a part of the autosnort installation, or if they just want a stripped-down barebones install. If you're not sure what option to pick, select option 1.
- I've added a couple of functions to the script near the beginning for pulled pork to facilitate code re-use. this is because:
-- I've added support to download snort rules from previous versions of snort; up to four versions prior.
Why: I ran into a little problem recently where the free rules for version 2.9.4.5 were not available yet, and snort version 2.9.4.6 had just came out. The current version of the script only checks for the current version of snort rules, and one version prior. So now, you have a choice for four versions of rules:
1) the current version (if you have a VRT subscription oink code; e.g. 2.9.4.6)
2) the previous version (the kind that registered users usually get access to; e.g. 2.9.4.5)
3) two more prior versions (in the event that they are needed and/or a similar situation arises)
- If the user has elected to not install a web interface, the script asks them if they have a remote database they want barnyard to log to. I haven't officially tested this feature yet, but theorhetically, this allows for distributed installations... Any volunteers to test this? :)
- The child shell scripts all have functionality to install the packages necessary for them to work individually Again to reduce clutter and excess packages installed by autosnort (e.g. reduce attack surface)
- thanks to DK1844, I have a couple of code cleaniness fixes that I have added, and future todo list items.
I've achieved most of the stuff I intended to do when I initially started this little project, but I still have more that I can do.
Speaking of to-do list items:
- SSL for all web interfaces (generate a default, self-signed SSL cert, use mod-rewrite and mod-ssl to force ssl usage for all web interfaces)
- Further testing with distributed installations (Can I get a master console to register events from a remote system?)
- Encrypted comms between master console and remote sensor (e.g. have barnyard dump database updates to the master console over a secure channel)
- Kali Linux testing! Since Kali is fully compliant with Debian standards, will the debian autosnort script work with it?
The updates to autosnort.sh, snorby, aanval, snortreport and base child shell scripts are being pushed to ubuntu tonight, with support for other operating systems (debian and centOS) to come soon.
Report bugs, problems, praise, feature requests, etc. to:
deusexmachina667 [at] gmail [dot] com
As always the code is on my github repo.
Happy snorting,
DA_667
I've got a lot to talk about today, so let's get started.
First and foremost, I've finally managed to work in support for snorby into autosnort. The snorby script installs the necessary packages, a compatible version of ruby (via rvm), all the necessary gems and configures the right files with the right info needed to get snorby up and running. Additionally, I've managed to work out away to drop privileges from the root database user to another user (the snort user in our case)
One thing to be aware of: the delayed_job and the sensor cache jobs do NOT start up on boot. Initial runs of the script had me trying to put commands into rc.local to start the delayed_job and sensorcachejob commands on startup... but they aren't working. I'm working on having a reliable method to start them on boot, but until that is discovered, any time the system is restarted, you'll want to, at a minimum start the delayed_job script:
cd /var/www/snorby && ruby script/delayed_job start
optionally, these commands run the Sensor and Daily cachejobs as well:
cd /var/www/snorby && rails runner 'Snorby::Jobs::SensorCacheJob.new(false).perform; Snorby::Jobs::DailyCacheJob.new(false).perform'
There are options to start the snorby worker process via the web UI, but I find the direct approach to my liking.
Another note is that at first you may notice alerts coming in and displaying properly in the events tab, but the dashboard may not updated at first. If this is the case, on the dashboard page, there is an option to force cache update. Select this option, wait 10 seconds, and reload the page. the graphs should update.
Next up on the list, is the main autosnort script itself. I've done a bit of spring cleaning.
- I've reduced the number of packages installed by default with autosnort.
--By default all we install are the packages necessary to install daq, libdnet, snort, and barnyard 2 with the ability to write to a remote database (more on this in a minute)
--I introduced a quick check that asks the user if they plan on installing a web interface as a part of the autosnort installation, or if they just want a stripped-down barebones install. If you're not sure what option to pick, select option 1.
- I've added a couple of functions to the script near the beginning for pulled pork to facilitate code re-use. this is because:
-- I've added support to download snort rules from previous versions of snort; up to four versions prior.
Why: I ran into a little problem recently where the free rules for version 2.9.4.5 were not available yet, and snort version 2.9.4.6 had just came out. The current version of the script only checks for the current version of snort rules, and one version prior. So now, you have a choice for four versions of rules:
1) the current version (if you have a VRT subscription oink code; e.g. 2.9.4.6)
2) the previous version (the kind that registered users usually get access to; e.g. 2.9.4.5)
3) two more prior versions (in the event that they are needed and/or a similar situation arises)
- If the user has elected to not install a web interface, the script asks them if they have a remote database they want barnyard to log to. I haven't officially tested this feature yet, but theorhetically, this allows for distributed installations... Any volunteers to test this? :)
- The child shell scripts all have functionality to install the packages necessary for them to work individually Again to reduce clutter and excess packages installed by autosnort (e.g. reduce attack surface)
- thanks to DK1844, I have a couple of code cleaniness fixes that I have added, and future todo list items.
I've achieved most of the stuff I intended to do when I initially started this little project, but I still have more that I can do.
Speaking of to-do list items:
- SSL for all web interfaces (generate a default, self-signed SSL cert, use mod-rewrite and mod-ssl to force ssl usage for all web interfaces)
- Further testing with distributed installations (Can I get a master console to register events from a remote system?)
- Encrypted comms between master console and remote sensor (e.g. have barnyard dump database updates to the master console over a secure channel)
- Kali Linux testing! Since Kali is fully compliant with Debian standards, will the debian autosnort script work with it?
The updates to autosnort.sh, snorby, aanval, snortreport and base child shell scripts are being pushed to ubuntu tonight, with support for other operating systems (debian and centOS) to come soon.
Report bugs, problems, praise, feature requests, etc. to:
deusexmachina667 [at] gmail [dot] com
As always the code is on my github repo.
Happy snorting,
DA_667
Sunday, May 5, 2013
Snorby script progress, and a rundown of how to perform the installation.
Hello Autosnort users,
Still working on the Snorby release for Autosnort, and even then, It's probably going to be a staggered release -- first Ubuntu, then Debian, and Finally moving to CentOS. I imagine that based on some of the issues I have been experiencing, Getting Snorby to play with with SELinux is going to be a lot of fun.
I managed to get it to work with Aanval, snortreport and BASE, so I can do it again.
Anyhow, for those of you who can't wait for me to release a script, here's a basic run-down of the commands I'm running in Ubuntu 12.04 that I've used that work. this assumes you've ran autosnort up to the point where web interface installation takes place.
Don't be alarmed when it says you're downloading 400m of packages. that's about right:
apt-get install libyaml-dev git-core imagemagick libmagickwand-dev wkhtmltopdf libssl-dev libxslt1-dev libsqlite3-dev libmysql++-dev libcurl4-openssl-dev apache2-prefork-dev default-jre-headless
this installs rvm. rvm is a nice little program that can be used to automatically install ruby:
\curl -\#L https://get.rvm.io | sudo bash -s stable
/usr/local/rvm/bin/rvm autolibs enable
source /etc/profile.d/rvm.sh
this is a cute little hack that I've used for installing the latest stable version of snort, DAQ, and determine what version of snort rules are available via snort.org. From what I gather ruby updates frequently. very, very frequently. This string of commands tells us the latest ruby 1.9.x release available for installation. Why not install ruby 2.0.0? because snorby doesn't support it yet. Submitted an issue to snorby's github. We'll see where that takes us:
wget http://ruby-lang.org/en/index.html -O /tmp/index.html
rubyver=`cat /tmp/index.html | grep -e "ruby-" | head -4 | grep released | grep -v Continue | cut -d"/" -f8 | cut -d" " -f2 | tail -1`
rvm install ruby-$rubyver
After all the packages you need to install, there's also a boatload of gems that need installation. and oh, we haven't pulled down the snorby web UI yet:
gem install thor i18n bundler tzinfo builder memcache-client rack rack-test rack-mount rails rake rubygems-update erubis mail text-format sqlite3 daemon_controller
gem install passenger
update_rubygems
cd /var/www/
git clone http://github.com/Snorby/snorby.git
cd snorby/config
Make copies of database.yml.example and snorby_config.yml.example and rename them to database.yml and snorby_config.yml:
cp database.yml.example database.yml
cp snorby_config.yml.example snorby_config.yml
modify snorby_config.yml. this should be the only change that needs to be made:
sed -i 's/usr\/local\/bin/usr\/bin/' snorby_config.yml
modify database.yml the snorby section at the top, you MUST enter the root database user's password. this is necessary for the rake snorby:setup portion
Next, we have to compile the mod_passenger apache module. this will take a little bit of time.
passenger-install-apache2-module
If the passenger-install command above bombs, try running "gem install passenger --pre" and running the command again.
The passenger-install command will ask you to modify a couple of files. First we have to point apache to the passenger module:
echo "" >> /etc/apache2/apache2.conf
echo "# This stuff is to make Snorby work properly mod_passenger is required for snorby to work." >> /etc/apache2/apache2.conf
echo "" >> /etc/apache2/apache2.conf
echo "LoadModule passenger_module /usr/local/rvm/gems/ruby-$rubyver/gems/passenger-4.0.0.rc6/libout/apache2/mod_passenger.so" >> /etc/apache2/apache2.conf
echo "PassengerRoot /usr/local/rvm/gems/ruby-$rubyver/gems/passenger-4.0.0.rc6" >> /etc/apache2/apache2.conf
echo "PassengerDefaultRuby /usr/local/rvm/wrappers/ruby-$rubyver/ruby" >> /etc/apache2/apache2.conf
Next, we create a virtualhost for snorby and set the documentroot to snorby's public directory, then disable the default site. This effect means that if you navigate to http://[ip address] you automatically get the index page for snorby:
echo "<VirtualHost *:80>" >> /etc/apache2/sites-available/snorby
echo " ServerName snorby.localhost" >> /etc/apache2/sites-available/snorby
echo " # !!! Be sure to point DocumentRoot to 'public'!" >> /etc/apache2/sites-available/snorby
echo " DocumentRoot /var/www/snorby/public" >> /etc/apache2/sites-available/snorby
echo " <Directory /var/www/snorby/public>" >> /etc/apache2/sites-available/snorby
echo " # This relaxes Apache security settings." >> /etc/apache2/sites-available/snorby
echo " AllowOverride all" >> /etc/apache2/sites-available/snorby
echo " # MultiViews must be turned off." >> /etc/apache2/sites-available/snorby
echo " Options -MultiViews" >> /etc/apache2/sites-available/snorby
echo " </Directory>" >> /etc/apache2/sites-available/snorby
echo "</VirtualHost>" >> /etc/apache2/sites-available/snorby
All this has just been setup so we can successfully run bundler and rake to actually install snorby:
cd /var/www/snorby
bundle install --deployment
note: if the bundle install command fails or gives you an error referencing to the gemlock file or a gem called psych shield, you may have to run "bundle install --no-deployment" then run "bundle install --deployment" for things to work right.
finally, the moment you've been waiting for...:
rake snorby:setup
note: do not try to create the snorby database prior to running rake snorby:setup. If the database already exists, rake will bomb and exit.
At this point, provided rake snorby:setup ran, you should have a web interface that you can log into. default creds for snorby are: snorby@snorby.org with a password of snorby.
If you reboot your sensor, the worker jobs and the delayed_run jobs, processes necessary for populating the dashboard on the web UI do not automatically start with the system. You need to run these commands on reboot:
cd /var/www/snorby && ruby script/delayed_job start
cd /var/www/snorby && rails runner 'Snorby::Jobs::SensorCacheJob.new(false).perform; Snorby::Jobs::DailyCacheJob.new(false).perform'
What I am working on:
- Every time I've ran the installation, I've varied one thing (e.g. the first time through I tried installing with ruby 2.0.0, the second time around, I installed and found out daemon_controller was a needed gem that no install guide referenced, the third time around I tried installing by creating the snorby database and granting the snort database user access to the database. This is also when I encountered the problem with bundler complaining about the gemlock file and the psych shield gem and had to re-run bundler with the --no-deployment option.
I need to re-run the installation until I get absolutely zero errors. I want this fully repeatable with no errors.
I want to investigate the possibility of editing the database.yml post-installation: using the snort database user, and using mysql commands to grant the necessary privs to the snort mysql user instead of root. Having the root mysql user's privs in plaintext in a file that's world readable by default sounds like a terrible idea to me.
possibly adding the delayed_job and SensorCacheJob commands to rc.local to ensure they are ran upon reboot.
Getting support for Snorby is my highest priority right now. After that is done, I have some efficiencies and changes to autosnort I'll talk about in another post. Until then,
Cheers from DA.
Still working on the Snorby release for Autosnort, and even then, It's probably going to be a staggered release -- first Ubuntu, then Debian, and Finally moving to CentOS. I imagine that based on some of the issues I have been experiencing, Getting Snorby to play with with SELinux is going to be a lot of fun.
I managed to get it to work with Aanval, snortreport and BASE, so I can do it again.
Anyhow, for those of you who can't wait for me to release a script, here's a basic run-down of the commands I'm running in Ubuntu 12.04 that I've used that work. this assumes you've ran autosnort up to the point where web interface installation takes place.
Don't be alarmed when it says you're downloading 400m of packages. that's about right:
apt-get install libyaml-dev git-core imagemagick libmagickwand-dev wkhtmltopdf libssl-dev libxslt1-dev libsqlite3-dev libmysql++-dev libcurl4-openssl-dev apache2-prefork-dev default-jre-headless
this installs rvm. rvm is a nice little program that can be used to automatically install ruby:
\curl -\#L https://get.rvm.io | sudo bash -s stable
/usr/local/rvm/bin/rvm autolibs enable
source /etc/profile.d/rvm.sh
this is a cute little hack that I've used for installing the latest stable version of snort, DAQ, and determine what version of snort rules are available via snort.org. From what I gather ruby updates frequently. very, very frequently. This string of commands tells us the latest ruby 1.9.x release available for installation. Why not install ruby 2.0.0? because snorby doesn't support it yet. Submitted an issue to snorby's github. We'll see where that takes us:
wget http://ruby-lang.org/en/index.html -O /tmp/index.html
rubyver=`cat /tmp/index.html | grep -e "ruby-" | head -4 | grep released | grep -v Continue | cut -d"/" -f8 | cut -d" " -f2 | tail -1`
rvm install ruby-$rubyver
After all the packages you need to install, there's also a boatload of gems that need installation. and oh, we haven't pulled down the snorby web UI yet:
gem install thor i18n bundler tzinfo builder memcache-client rack rack-test rack-mount rails rake rubygems-update erubis mail text-format sqlite3 daemon_controller
gem install passenger
update_rubygems
cd /var/www/
git clone http://github.com/Snorby/snorby.git
cd snorby/config
Make copies of database.yml.example and snorby_config.yml.example and rename them to database.yml and snorby_config.yml:
cp database.yml.example database.yml
cp snorby_config.yml.example snorby_config.yml
modify snorby_config.yml. this should be the only change that needs to be made:
sed -i 's/usr\/local\/bin/usr\/bin/' snorby_config.yml
modify database.yml the snorby section at the top, you MUST enter the root database user's password. this is necessary for the rake snorby:setup portion
Next, we have to compile the mod_passenger apache module. this will take a little bit of time.
passenger-install-apache2-module
If the passenger-install command above bombs, try running "gem install passenger --pre" and running the command again.
The passenger-install command will ask you to modify a couple of files. First we have to point apache to the passenger module:
echo "" >> /etc/apache2/apache2.conf
echo "# This stuff is to make Snorby work properly mod_passenger is required for snorby to work." >> /etc/apache2/apache2.conf
echo "" >> /etc/apache2/apache2.conf
echo "LoadModule passenger_module /usr/local/rvm/gems/ruby-$rubyver/gems/passenger-4.0.0.rc6/libout/apache2/mod_passenger.so" >> /etc/apache2/apache2.conf
echo "PassengerRoot /usr/local/rvm/gems/ruby-$rubyver/gems/passenger-4.0.0.rc6" >> /etc/apache2/apache2.conf
echo "PassengerDefaultRuby /usr/local/rvm/wrappers/ruby-$rubyver/ruby" >> /etc/apache2/apache2.conf
Next, we create a virtualhost for snorby and set the documentroot to snorby's public directory, then disable the default site. This effect means that if you navigate to http://[ip address] you automatically get the index page for snorby:
echo "<VirtualHost *:80>" >> /etc/apache2/sites-available/snorby
echo " ServerName snorby.localhost" >> /etc/apache2/sites-available/snorby
echo " # !!! Be sure to point DocumentRoot to 'public'!" >> /etc/apache2/sites-available/snorby
echo " DocumentRoot /var/www/snorby/public" >> /etc/apache2/sites-available/snorby
echo " <Directory /var/www/snorby/public>" >> /etc/apache2/sites-available/snorby
echo " # This relaxes Apache security settings." >> /etc/apache2/sites-available/snorby
echo " AllowOverride all" >> /etc/apache2/sites-available/snorby
echo " # MultiViews must be turned off." >> /etc/apache2/sites-available/snorby
echo " Options -MultiViews" >> /etc/apache2/sites-available/snorby
echo " </Directory>" >> /etc/apache2/sites-available/snorby
echo "</VirtualHost>" >> /etc/apache2/sites-available/snorby
All this has just been setup so we can successfully run bundler and rake to actually install snorby:
cd /var/www/snorby
bundle install --deployment
note: if the bundle install command fails or gives you an error referencing to the gemlock file or a gem called psych shield, you may have to run "bundle install --no-deployment" then run "bundle install --deployment" for things to work right.
finally, the moment you've been waiting for...:
rake snorby:setup
note: do not try to create the snorby database prior to running rake snorby:setup. If the database already exists, rake will bomb and exit.
At this point, provided rake snorby:setup ran, you should have a web interface that you can log into. default creds for snorby are: snorby@snorby.org with a password of snorby.
If you reboot your sensor, the worker jobs and the delayed_run jobs, processes necessary for populating the dashboard on the web UI do not automatically start with the system. You need to run these commands on reboot:
cd /var/www/snorby && ruby script/delayed_job start
cd /var/www/snorby && rails runner 'Snorby::Jobs::SensorCacheJob.new(false).perform; Snorby::Jobs::DailyCacheJob.new(false).perform'
What I am working on:
- Every time I've ran the installation, I've varied one thing (e.g. the first time through I tried installing with ruby 2.0.0, the second time around, I installed and found out daemon_controller was a needed gem that no install guide referenced, the third time around I tried installing by creating the snorby database and granting the snort database user access to the database. This is also when I encountered the problem with bundler complaining about the gemlock file and the psych shield gem and had to re-run bundler with the --no-deployment option.
I need to re-run the installation until I get absolutely zero errors. I want this fully repeatable with no errors.
I want to investigate the possibility of editing the database.yml post-installation: using the snort database user, and using mysql commands to grant the necessary privs to the snort mysql user instead of root. Having the root mysql user's privs in plaintext in a file that's world readable by default sounds like a terrible idea to me.
possibly adding the delayed_job and SensorCacheJob commands to rc.local to ensure they are ran upon reboot.
Getting support for Snorby is my highest priority right now. After that is done, I have some efficiencies and changes to autosnort I'll talk about in another post. Until then,
Cheers from DA.
Subscribe to:
Posts (Atom)