Monday, June 06, 2016

HOWTO : Downgrade from PHP7.0 to PHP5.6 on Ubuntu 16.04 LTS

When you upgrade from Ubuntu 14.05 LTS to Ubuntu 16.04 LTS, PHP5.6 is not uninstalled or deleted. However, if you removed it yourself and your web application is not compatible with PHP7.0, you need a way to downgrade back to PHP5.6. Here is the way, although some settings of the newly installed PHP5.6 will resemble those of PHP7.0. Here you are :

sudo add-apt-repository ppa:ondrej/php
sudo apt-get update

sudo apt-get install php5.6-cgi php5.6 php5.6-cli php5.6-mysql php5.6-curl php5.6-gd php5.6-intl php-imagick php5.6-imap php5.6-mcrypt php-memcache php5.6-pspell php5.6-recode php5.6-sqlite3 php5.6-tidy php5.6-xmlrpc php5.6-xsl php-xcache php5.6-fpm

That's all! See you.


Thursday, June 02, 2016

HOWTO : OwnCloud 9.0.2 and Hiawatha 10.2 on Ubuntu 16.04 LTS

Step 1 - Update Ubuntu :

sudo apt-get update
sudo apt-get dist-upgrade
sudo apt-get autoclean
sudo apt-get --purge autoremove


Step 2 - Hiawatha Installation :

sudo apt-get install libc6-dev libssl-dev dpkg-dev debhelper fakeroot libxml2-dev libxslt1-dev

wget https://cmake.org/files/v3.5/cmake-3.5.2.tar.gz
tar -xvzf cmake-3.5.2.tar.gz
cd cmake-3.5.2
./configure
make
sudo make install


wget http://www.hiawatha-webserver.org/files/hiawatha-10.2.tar.gz
tar -xzvf hiawatha-10.2.tar.gz
cd hiawatha-10.2/extra
./make_debian_package
cd ..
sudo dpkg -i hiawatha_10.2_amd64.deb


sudo mkdir /etc/hiawatha/enable-sites

sudo nano /etc/hiawatha/hiawatha.conf

Add "MaxRequestSize" to "Binding Settings" :

# BINDING SETTINGS
# A binding is where a client can connect to.
#
Binding {
    Port = 80
    # MaxRequestSize is 16GB
    MaxRequestSize = 16777216
}


Append the following line at the end of the file :

Include /etc/hiawatha/enable-sites/

Create "owncloud" file at /etc/hiawatha/enable-sites :

sudo nano /etc/hiawatha/enable-sites/owncloud

VirtualHost {
    Hostname = [your domain or IP address here]
    WebsiteRoot = /var/www/owncloud
    StartFile = index.php
    AccessLogfile = /var/log/hiawatha/owncloud-access.log
    ErrorLogfile = /var/log/hiawatha/owncloud-error.log
    TimeForCGI = 600
    WebDAVapp = yes
    UseFastCGI = PHP70
    UseToolkit = denyData
    EnablePathInfo = yes
}

UrlToolkit {
    ToolkitID = denyData
    Match ^/data DenyAccess
}

FastCGIserver {
    FastCGIid = PHP70
    ConnectTo = /var/run/php/php7.0-fpm.sock
    Extension = php
    SessionTimeout = 600
}


sudo nano /etc/php/7.0/fpm/php-fpm.conf

Append the following lines at the end of the file :

; for OwnCloud
env[HOSTNAME] = $HOSTNAME
env[PATH] = /usr/local/bin:/usr/bin:/bin
env[TMP] = /tmp
env[TMPDIR] = /tmp
env[TEMP] = /tmp


Step 3 - MySQL Setting :

sudo mysql -u root -p

create database owncloud;
GRANT ALL ON owncloud.* TO owncloud@'127.0.0.1' IDENTIFIED BY '[your password here]';
flush privileges;
quit


Step 4 - OwnCloud Installation :

wget -nv https://download.owncloud.org/download/repositories/stable/Ubuntu_16.04/Release.key -O Release.key
sudo apt-key add - < Release.key

rm Release.key

sudo sh -c "echo 'deb http://download.owncloud.org/download/repositories/stable/Ubuntu_16.04/ /' >> /etc/apt/sources.list.d/owncloud.list"
sudo apt-get update
sudo apt-get install owncloud-files


sudo apt-get install exim4 exim4-base exim4-config exim4-daemon-light libapr1 libaprutil1 libaprutil1-dbd-sqlite3 libaprutil1-ldap liblua5.1-0 s-nail php-common php7.0-cli php7.0-common php7.0-curl php7.0-gd php7.0-imap php7.0-intl php7.0-json php7.0-mbstring php7.0-mcrypt php7.0-mysql php7.0-readline php7.0-xml php7.0-zip php7.0-pgsql php7.0-sqlite3 php7.0-fpm php-apcu mysql-server mysql-client php7.0-cgi

sudo nano /var/www/owncloud/.user.ini

The content of the file may look like this :

upload_max_filesize=16G
post_max_size=16G
memory_limit=4G
mbstring.func_overload=0
always_populate_raw_post_data=-1
default_charset='UTF-8'
output_buffering=0
max_input_time=3600
max_execution_time=3600


sudo nano /var/www/owncloud/config/config.php

Insert the following line at the end of the configuration block :

'memcache.local' => '\OC\Memcache\APCu',

You may need to edit the following file of the client sync program when necessary :

sudo nano /etc/ownCloud/sync-exclude.lst

Remarks :

If you want an HTTPS connection, you need to generate your own SSL certificate or purchase one. You can also use Let's Encrypt when necessary. If so, the "Binding Settings" in Hiawatha should use "Port 443".

That's all! See you.

Tuesday, May 17, 2016

HOWTO : edb-debugger on Ubuntu 16.04

edb is a cross-platform x86/x86-64 debugger. It was inspired by OllyDbg, but aims to function on x86 and x86-64 as well as multiple OSes. Linux is the only officially supported platform at the moment, but FreeBSD, OpenBSD, OSX and Windows ports are underway with varying degrees of functionality.


Install

sudo apt-get install git build-essential libboost1.58-all-dev qt5-default libqt5xmlpatterns5-dev

cd ~
mkdir arsenal
cd arsenal
git clone --recursive https://github.com/eteran/edb-debugger.git
cd edb-debugger
./travis_install_capstone.sh
qmake
make
sudo make install
cd ~
sudo edb



Update/Upgrade

cd ~/arsenal
rm -R edb-debugger


Repeat the Install procedure as previously mentioned.


Reference

Wiki


That's all! See you.


Wednesday, April 20, 2016

[RESEARCH] Banks In Hong Kong Running With What Services

After the research on SSL certificate grading of banks in Hong Kong, I am going to do another piece of research on banks in Hong Kong to see what services they are running, such as web servers or protection. I base it on the List of banks in Hong Kong. The standard site URL and the personal online banking URL have been tested for the purpose. Web application vulnerability testing is not in scope. The test was carried out on April 20, 2016.

DBS Bank (Hong Kong) 星展銀行(香港) and Standard Chartered Bank (Hong Kong) 渣打銀行 are running on Akamai, which provides DDoS/DoS protection to its clients. Meanwhile, Akamai also provides a Web Application Firewall (WAF) to its clients. A WAF can protect web applications from attacks such as SQLi, XSS and CSRF, even if the applications have these kinds of vulnerabilities. I will not discuss WAF bypass here. Anyway, generally speaking, a WAF can do the job well.

Public Bank (Hong Kong) 大眾銀行(香港) and Chong Hing Bank 創興銀行 are running on G2 Web Services, which is also considered to provide secure services.

It seems that almost all bank websites in Hong Kong are protected by a firewall and/or WAF, as I cannot fetch any information from some of the sites during the test. It does not mean that the sites from which I can fetch information are not protected by a firewall and/or WAF.

In conclusion, I am sure that DBS Bank (Hong Kong) 星展銀行(香港) and Standard Chartered Bank (Hong Kong) 渣打銀行 cannot be DDoSed/DoSed.

With reference to my previous research on SSL certificates, DBS Bank (Hong Kong) 星展銀行(香港) is the most secure bank in Hong Kong at the time of this writing. Their IT department is doing a great job on security. If their IT department could also implement HPKP on the SSL certificate, it would be great. Anyway, congratulations!

REFERENCE

The Personal Online Banking URL :

Bank of China (Hong Kong) 中國銀行(香港)
- Personal Customers - https://its.bochk.com/login/ibs_lgn_index_e.jsp
- System Details - Powered by: Servlet/3.0

Dah Sing Bank 大新銀行
- ebanking Personal - https://www.dahsing.com/eBank/jsp/login/ebank_id_login_frm.jsp
- System Details - Running on: Microsoft-IIS/7.5 and Powered by: ASP.NET

DBS Bank (Hong Kong) 星展銀行(香港)
- iBanking - https://internet-banking.hk.dbs.com/IB/Welcome
- System Details - Running on: AkamaiGHost

Public Bank (Hong Kong) 大眾銀行(香港)
- Net Banking - https://ebank.publicbank.com.hk/index0028.html
- System Details - Running on: G2

Shanghai Commercial Bank 上海商業銀行
- Personal Internet Banking - https://www.shacombank.com.hk/ibanking/servlet/com.ibm.dse.cs.servlet.CSEstablishSessionServlet/customer/en_US
- System Details - Running on: IBM_HTTP_Server

Standard Chartered Bank (Hong Kong) 渣打銀行
- Online Banking - https://ibank.standardchartered.com.hk/nfs/login.htm?lang=en_US
- System Details - Running on: AkamaiGHost

Wing Lung Bank 永隆銀行
- Personal Net Banking - https://www.winglungbank.com/EnNbMainR.html
- System Details - Running on: IBM_HTTP_Server

* Banks not in the list returned no information during the test.


The standard site URL :

China CITIC Bank International 中信銀行國際
- http://www.cncbinternational.com/home/en/index.jsp
- System Details - Powered by: Servlet/2.5

Chong Hing Bank 創興銀行
- http://www.chbank.com/en/index.shtml
- System Details - Running on: G2

Dah Sing Bank 大新銀行
- http://www.dahsing.com/en/html/index.html
- System Details - Running on: Microsoft-IIS/7.5 and Powered by: ASP.NET

DBS Bank (Hong Kong) 星展銀行(香港)
- https://www.dbs.com.hk/index/default.page
- System Details - Running on: AkamaiGHost

Fubon Bank (Hong Kong) 富邦銀行(香港)
- http://www.fubonbank.com.hk/web/html/index_e.html
- System Details - Powered by: Servlet/3.0

Industrial and Commercial Bank of China (Asia) 工銀亞洲
- http://www.icbcasia.com/ICBC/%E6%B5%B7%E5%A4%96%E5%88%86%E8%A1%8C/%E5%B7%A5%E9%93%B6%E4%BA%9A%E6%B4%B2/EN/
- System Details - Running on: Microsoft-IIS/7.5 and Powered by: ASP.NET

Public Bank (Hong Kong) 大眾銀行(香港)
- http://www.publicbank.com.hk/en/home
- System Details - Running on: G2

Shanghai Commercial Bank 上海商業銀行
- http://www.shacombank.com.hk/eng/personal/index.jsp
- System Details - Running on: IBM_HTTP_Server

Standard Chartered Bank (Hong Kong) 渣打銀行
- https://www.sc.com/hk/
- System Details - Running on: AkamaiGHost

Wing Lung Bank 永隆銀行
- http://www.winglungbank.com/wlb_corporate/en/index.html
- System Details - Running on: IBM_HTTP_Server

* Banks not in the list returned no information during the test.

That's all! See you.


Tuesday, April 19, 2016

[RESEARCH] SSL Certificate Grading of Banks in Hong Kong

In order to understand the information security situation in Hong Kong, I selected websites of banks in Hong Kong for SSL certificate checking. The check aims to test the strength of the SSL certificate, Man-In-The-Middle attack prevention and vulnerabilities. Web application vulnerabilities and corporate online banking are not in the testing scope. However, most SSL certificates may be shared with sub-domains.

The checks are based on the "List of Banks In Hong Kong". I use the Qualys SSL Labs online testing tool for the check.

The result of the check (carried out on April 19, 2016) is rated in SSL Grade Ranking :

Grade A
DBS Bank (Hong Kong) 星展銀行(香港)

Grade A-
(1) Bank of China (Hong Kong) 中國銀行(香港)
(2) Bank of East Asia 東亞銀行
(3) China Construction Bank (Asia) 中國建設銀行(亞洲)
(4) Chong Hing Bank 創興銀行
(5) Citibank (Hong Kong) 花旗銀行
(6) Dah Sing Bank 大新銀行
(7) Fubon Bank (Hong Kong) 富邦銀行(香港)
(8) OCBC Wing Hang Bank 華僑永亨銀行
(9) Public Bank (Hong Kong) 大眾銀行(香港)
(10) Standard Chartered Bank (Hong Kong) 渣打銀行

Grade C
(1) Hang Seng Bank 恒生銀行
(2) Hongkong and Shanghai Banking Corporation 滙豐銀行
(3) Industrial and Commercial Bank of China (Asia) 工銀亞洲
(4) Shanghai Commercial Bank 上海商業銀行
(5) Wing Lung Bank 永隆銀行

Grade F
China CITIC Bank International 中信銀行國際

The following three banks have implemented HSTS (HTTP Strict Transport Security) to force users' browsers to use an HTTPS connection. This provides some degree of Man-In-The-Middle attack (MITM) protection. However, HPKP (HTTP Public Key Pinning) is not implemented. Therefore, there is still a risk of MITM attack. Meanwhile, the China CITIC Bank International 中信銀行國際 website has the POODLE vulnerability in its SSL protocol, which brings its grade down to F.

(1) China CITIC Bank International 中信銀行國際
(2) Chong Hing Bank 創興銀行
(3) Fubon Bank (Hong Kong) 富邦銀行(香港)

Even the highest-ranking DBS Bank (Hong Kong) 星展銀行(香港) does not implement HPKP (HTTP Public Key Pinning), so it faces a risk of Man-In-The-Middle attack even though it uses HSTS. Attackers can use a fake SSL certificate to bypass HSTS protection when HPKP is not in force.
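As an added example (not code from the original post or from Qualys SSL Labs), a small header checker that applies the post's HSTS/HPKP reasoning to constructed HTTP responses; the sample headers and pin values are made up, and since HPKP has since been withdrawn by mainstream browsers, that part reflects the 2016 argument rather than current guidance.

```python
"""Check the HTTPS transport-security headers the post's MITM argument rests on.

Added example, not code from the original post or from Qualys SSL Labs. All
responses below are constructed; no bank host is contacted. Thresholds follow
RFC 6797 (HSTS) and RFC 7469 (HPKP requires at least two pins, one a backup).
"""

# One year in seconds: the HSTS max-age commonly recommended (and required for
# browser preload lists). A shorter policy expires sooner after the last visit.
RECOMMENDED_HSTS_MAX_AGE = 31536000


def parse_headers(raw_response):
    """Split a raw HTTP response (status line, headers, blank line, body) into a
    {lowercased-name: [values]} dict. Repeated headers are kept in order."""
    headers = {}
    for line in raw_response.splitlines()[1:]:  # skip the status line
        if not line.strip():                     # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def parse_directives(header_value):
    """Turn 'max-age=300; includeSubDomains; pin-sha256="x"' into a list of
    (name, value) pairs. A list, not a dict, because HPKP repeats pin-sha256."""
    directives = []
    for part in header_value.split(";"):
        part = part.strip()
        if part:
            # Split on the first '=' only: base64 pin values end with '=' padding.
            name, _, value = part.partition("=")
            directives.append((name.strip().lower(), value.strip().strip('"')))
    return directives


def max_age_of(directives):
    """Return the max-age directive as an int, or 0 when absent or malformed."""
    for name, value in directives:
        if name == "max-age":
            return int(value) if value.isdigit() else 0
    return 0


def assess_transport_security(raw_response):
    """Return hsts/hpkp presence, whether each is configured strongly enough, and
    findings worded along the lines of the post's conclusions."""
    headers = parse_headers(raw_response)
    result = {"hsts": False, "hsts_strong": False,
              "hpkp": False, "hpkp_strong": False, "findings": []}

    hsts_values = headers.get("strict-transport-security")
    if hsts_values:
        result["hsts"] = True
        directives = parse_directives(hsts_values[0])
        max_age = max_age_of(directives)
        if max_age == 0:
            result["findings"].append("HSTS present but max-age=0 revokes the policy")
        elif max_age < RECOMMENDED_HSTS_MAX_AGE:
            result["findings"].append("HSTS max-age shorter than one year")
        else:
            result["hsts_strong"] = True
        if "includesubdomains" not in {name for name, _ in directives}:
            result["findings"].append("HSTS does not cover sub-domains")
    else:
        result["findings"].append("no HSTS: a plain-HTTP first visit can be held off HTTPS by a MITM")

    pin_values = headers.get("public-key-pins")
    if pin_values:
        result["hpkp"] = True
        directives = parse_directives(pin_values[0])
        pins = [value for name, value in directives if name == "pin-sha256"]
        if len(pins) < 2:
            result["findings"].append("HPKP needs at least two pin-sha256 values (RFC 7469)")
        elif max_age_of(directives) == 0:
            result["findings"].append("HPKP present but max-age=0 revokes the pins")
        else:
            result["hpkp_strong"] = True
    else:
        result["findings"].append("no HPKP: a certificate mis-issued by any trusted CA passes despite HSTS")
    return result


# Constructed sample responses (not captured from any real site); the pin values
# are placeholder base64 of the right length, not real SPKI hashes.
PIN_A = 'pin-sha256="' + "A" * 43 + '="'
PIN_B = 'pin-sha256="' + "B" * 43 + '="'
SAMPLE_NO_POLICY = (   # the common case in the post: neither HSTS nor HPKP
    "HTTP/1.1 200 OK\nContent-Type: text/html\n\n<html></html>\n")
SAMPLE_HSTS_ONLY = (   # HSTS in force, HPKP absent, as reported for three banks
    "HTTP/1.1 200 OK\nStrict-Transport-Security: max-age=31536000; includeSubDomains\n\n")
SAMPLE_PINNED = (      # what the post asks for: HSTS plus HPKP with a backup pin
    "HTTP/1.1 200 OK\n"
    "Strict-Transport-Security: max-age=63072000; includeSubDomains; preload\n"
    "Public-Key-Pins: " + PIN_A + "; " + PIN_B + "; max-age=2592000\n\n")
SAMPLE_WEAK = (        # short-lived HSTS and a single pin: both get flagged
    "HTTP/1.1 200 OK\nStrict-Transport-Security: max-age=300\n"
    "Public-Key-Pins: " + PIN_A + "; max-age=2592000\n\n")
```

Run `assess_transport_security(SAMPLE_WEAK)` to see all three weaknesses reported at once; a real response can be fed in the same raw form.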

It is very interesting that the largest bank in Hong Kong (Hongkong and Shanghai Banking Corporation 滙豐銀行) only bears a Grade C. I wonder why no bank website in Hong Kong bears a Grade A+ SSL rating when even my personal site is graded A+.

[Edit several hours after the post :
I think the IT departments of the banks may misunderstand, or may not fully understand, the purpose of an SSL certificate for a website. In addition, they may not even know the limitation of HSTS, which can be bypassed by attackers. In my opinion, the current best practice for SSL certificate implementation is to adopt HPKP to reduce the risk of MITM attacks.

The low grading is not excused by backward compatibility with old browsers. Being compatible with old or vulnerable browsers will void the security of the website for sure. Some low-graded bank websites are even compatible with the insecure RC4 cipher (please refer to the bottom of this article for details), which places a trap for their clients.]

In conclusion, all bank websites in Hong Kong face a risk of Man-In-The-Middle attack. Based on this result, it is predicted that most websites in Hong Kong are not good at SSL grading.

REFERENCE

I only checked the licensed banks incorporated in Hong Kong. The following is a summary of the check :

Bank of China (Hong Kong) 中國銀行(香港)
- Personal Customers - https://its.bochk.com/login/ibs_lgn_index_e.jsp
- Overall Rating - A- (https://www.ssllabs.com/ssltest/analyze.html?d=its.bochk.com)
- No protocol vulnerability found but HSTS and HPKP are not in force.

Bank of East Asia 東亞銀行
- Cyberbanking - https://mobile.hkbea-cyberbanking.com/servlet/FRLogon?Lang=Eng
- Overall Rating - A- (https://www.ssllabs.com/ssltest/analyze.html?d=mobile.hkbea-cyberbanking.com)
- No protocol vulnerability found but HSTS and HPKP are not in force.

China CITIC Bank International 中信銀行國際
- Personal - https://ibanking.cncbinternational.com/CKWPortal/appmanager/Portal/CKWPerson?isPPB=0&displayLang=en_US
- Overall Rating - F (https://www.ssllabs.com/ssltest/analyze.html?d=ibanking.cncbinternational.com)
- Vulnerable to POODLE (TLS) and HPKP is not in force. But HSTS is in force.

China Construction Bank (Asia) 中國建設銀行(亞洲)
- Personal Banking - https://online.asia.ccb.com/PersonalHKWeb/signin/SigninController.jpf
- Overall Rating - A- (https://www.ssllabs.com/ssltest/analyze.html?d=online.asia.ccb.com)
- No protocol vulnerability found but HSTS and HPKP are not in force.

Chong Hing Bank 創興銀行
- i-Banking - https://www.ibanking.chbank.com/index0041.html
- Overall Rating - A- (https://www.ssllabs.com/ssltest/analyze.html?d=www.ibanking.chbank.com)
- No protocol vulnerability found and HSTS is in force. But HPKP is not in force.

Citibank (Hong Kong) 花旗銀行
- Online - https://www.citibank.com.hk/HKGCB/JSO/signon/DisplayUsernameSignon.do?locale=en_HK
- Overall Rating - A- (https://www.ssllabs.com/ssltest/analyze.html?d=www.citibank.com.hk)
- No protocol vulnerability found but HSTS and HPKP are not in force.

Dah Sing Bank 大新銀行
- ebanking Personal - https://www.dahsing.com/eBank/jsp/login/ebank_id_login_frm.jsp
- Overall Rating - A- (https://www.ssllabs.com/ssltest/analyze.html?d=www.dahsing.com)
- No protocol vulnerability found but HSTS and HPKP are not in force.

DBS Bank (Hong Kong) 星展銀行(香港)
- iBanking - https://internet-banking.hk.dbs.com/IB/Welcome
- Overall Rating - A (https://www.ssllabs.com/ssltest/analyze.html?d=internet-banking.hk.dbs.com)
- No protocol vulnerability found but HSTS and HPKP are not in force.

Fubon Bank (Hong Kong) 富邦銀行(香港)
- e-banking - https://www.ebank.fubonbank.com.hk/index0128J.html
- Overall Rating - A- (https://www.ssllabs.com/ssltest/analyze.html?d=www.ebank.fubonbank.com.hk)
- No protocol vulnerability found and HSTS is in force. But HPKP is not in force.

Hang Seng Bank 恒生銀行
- Personal e-Banking - https://e-banking1.hangseng.com/1/2/!ut/p/c5/04_SB8K8xLLM9MSSzPy8xBz9CP0os3gDd-NQv1BDg2AXA1-PEE9zH2cTAwgAykcC5Q3CfCydDEy9LAzMDL39vNzMDGDyROh2dnf0MDH3AfLDPF0NPE2cTAxMfd0MDTyNCej288jPTdUvyA2NKHdUVAQA-SNG7A!!/dl3/d3/L2dJQSEvUUt3QS9ZQnZ3LzZfMEczVU5VMTBTRDBNSFRJN01DNDAwMDAwMDA!/
- Overall Rating - C (https://www.ssllabs.com/ssltest/analyze.html?d=e-banking1.hangseng.com)
- No protocol vulnerability found but insecure RC4 protocol is in force. HSTS and HPKP are not in force.

Hongkong and Shanghai Banking Corporation 滙豐銀行
- Personal Internet Banking - https://www.ebanking.hsbc.com.hk/1/2/logon?LANGTAG=en&COUNTRYTAG=US
- Overall Rating - C (https://www.ssllabs.com/ssltest/analyze.html?d=www.ebanking.hsbc.com.hk)
- No protocol vulnerability found but insecure RC4 protocol is in force. HSTS and HPKP are not in force.

Industrial and Commercial Bank of China (Asia) 工銀亞洲
- Personal/Private Banking - https://myebankasia.icbc.com.cn/icbc/perbank/index.jsp?areaCode=0110&dse_locale=en-US
- Overall Rating - C (https://www.ssllabs.com/ssltest/analyze.html?d=myebankasia.icbc.com.cn)
- No protocol vulnerability found but insecure RC4 protocol is in force. HSTS and HPKP are not in force.

OCBC Wing Hang Bank 華僑永亨銀行
- Personal Customer - https://ebanking.ocbcwhhk.com/jsp/chs/personal/0830/errorInvalidDevice.jsp
- Overall Rating - A- (https://www.ssllabs.com/ssltest/analyze.html?d=ebanking.ocbcwhhk.com)
- No protocol vulnerability found but HSTS and HPKP are not in force.

Public Bank (Hong Kong) 大眾銀行(香港)
- Net Banking - https://ebank.publicbank.com.hk/index0028.html
- Overall Rating - A- (https://www.ssllabs.com/ssltest/analyze.html?d=ebank.publicbank.com.hk)
- No protocol vulnerability found but HSTS and HPKP are not in force.

Shanghai Commercial Bank 上海商業銀行
- Personal Internet Banking - https://www.shacombank.com.hk/ibanking/servlet/com.ibm.dse.cs.servlet.CSEstablishSessionServlet/customer/en_US
- Overall Rating - C (https://www.ssllabs.com/ssltest/analyze.html?d=www.shacombank.com.hk)
- No protocol vulnerability found but HSTS and HPKP are not in force.

Standard Chartered Bank (Hong Kong) 渣打銀行
- Online Banking - https://ibank.standardchartered.com.hk/nfs/login.htm?lang=en_US
- Overall Rating - A- (https://www.ssllabs.com/ssltest/analyze.html?d=ibank.standardchartered.com.hk)
- No protocol vulnerability found and HSTS is in force. But HPKP is not in force.

Wing Lung Bank 永隆銀行
- Personal Net Banking - https://www.winglungbank.com/EnNbMainR.html
- Overall Rating - C (https://www.ssllabs.com/ssltest/analyze.html?d=www.winglungbank.com)
- No protocol vulnerability found but HSTS and HPKP are not in force.


About Insecure RC4
Imperva Security Response to OpenSSL and TLS/RC4 Vulnerabilities
Killing RC4 (softly)

See Also : [RESEARCH] Banks In Hong Kong Running With What Services

That's all! See you.


Friday, April 01, 2016

HOWTO : Netdata on Ubuntu 14.04.4 LTS

netdata is a highly optimized Linux daemon providing real-time performance monitoring for Linux systems, Applications, SNMP devices, over the web!

It tries to visualize the truth of now, in its greatest detail, so that you can get insights of what is happening now and what just happened, on your systems and applications.

This is what you get:

- Beautiful out of the box bootstrap dashboards
- Custom dashboards that can be built using simple HTML (no javascript necessary)
- Blazingly fast and super efficient, written in C (for default installations, expect just 2% of a single core CPU usage and a few MB of RAM)
- Zero configuration - you just install it and it autodetects everything
- Zero dependencies, it is its own web server for its static web files and its web API
- Extensible, you can monitor anything you can get a metric for, using its Plugin API (anything can be a netdata plugin - from BASH to node.js)
- Embeddable, it can run anywhere a Linux kernel runs

Okay, what does it look like? Here you are.

Step 1 :

sudo apt-get update
sudo apt-get install build-essential zlib1g-dev gcc make git autoconf autogen automake pkg-config


Step 2 :

git clone https://github.com/firehol/netdata.git
cd netdata
sudo ./netdata-installer.sh


Press "Enter" to install.

Step 3 :

sudo nano /etc/init/netdata.conf

Make the file look like :



Step 4 :

To start it :

sudo start netdata

To stop it :

sudo stop netdata

To restart it :

sudo restart netdata

Remark : it will start automatically on every reboot.

Step 5 :

Start browser and point it to :

http://192.168.0.100:19999

* where 192.168.0.100 is the IP address of the server

Upgrade/Update

cd netdata
git pull
sudo ./netdata-installer.sh


That's all! See you.

Friday, March 18, 2016

HOWTO : Ubuntu Linux Kernel 4.4.0 (Xenial) on Ubuntu 14.04.4

We can use Linux Kernel 4.4.x on Ubuntu 14.04.4 LTS. Kernel 4.x has a good feature: it can live patch the kernel without rebooting your box. However, it seems that Ubuntu 14.04.x users need to build the kpatch module themselves. Anyway, it is good news for all Ubuntu 14.04 LTS users.

Meanwhile, the performance of the box will improve a lot after the upgrade.

Step 1 :

sudo apt-get update

Step 2 :

sudo apt-get install linux-generic-lts-xenial linux-headers-generic-lts-xenial linux-image-generic-lts-xenial linux-tools-generic-lts-xenial

Step 3 :

sudo apt-get remove linux-image-generic-lts-utopic linux-headers-generic-lts-utopic linux-image-generic-lts-vivid linux-headers-generic-lts-vivid

Step 4 :

sudo apt-get autoremove
sudo apt-get autoclean


Step 5 :

sudo update-grub

Step 6 :

Reboot your box.

REMARK

If you are running Croissants (IPS) on Ubuntu 14.04 LTS, you can upgrade the kernel to 4.4.0 as well. Just follow the steps above.

That's all! See you.


Saturday, February 27, 2016

REVIEW : TorGuard Anonymous VPN on Ubuntu 14.04 LTS

TorGuard provides anonymous VPN and anonymous proxy as well as anonymous mail services. You can purchase a dedicated IP address for your anonymous VPN service too. Anonymous VPN can work together with Stealth Proxy in order to enhance anonymity. Keep in mind that it is not related to TOR (The Onion Router). You can have up to 5 simultaneous connections on every default purchase. You can add more connections at a reasonable price.

There are 4 encryption strengths for the anonymous VPN: none, BF-CBC (Blowfish), AES-128-CBC and AES-256-CBC. For better performance, you can select UDP instead of the TCP protocol. When Stealth Proxy is applied, the protocol is limited to TCP only. The stronger the encryption, the slower the connection speed.

The power of the CPU, the speed of the internet connection, the protocol of the VPN connection and the strength of its encryption may all affect the performance of the anonymous VPN.

Once purchased, you can find HTTP and SOCKS proxy server lists in your account. You can use the proxy servers without further charge. Most importantly, TorGuard identifies you by your email address only. No personal details are recorded or asked for. There is no DNS leakage when using the TorGuard VPN client. You can install "Disable WebRTC" or a similar Firefox add-on when necessary to prevent IP address leakage.

TorGuard provides VPN clients for Windows, Linux, Mac OSX, Android and iOS. Even though the interface is the same, the VPN server list is different. Android and iOS have fewer VPN servers and encryption strengths, and no Stealth Proxy to choose from. On the other hand, you can use the VPN server list in your account, but you need to set it up yourself.

The current version of the VPN clients at the time of this writing is v0.3.42. You can further tune the VPN performance on Linux, such as Ubuntu, Debian, Kali and Arch, when it is using the TCP protocol. Make sure to enable "Prevent IPv6 Leak" on the client when necessary.

For example, if you want to connect to the USA Dallas VPN server, you can tune the TCP connection as follows :

cd ~/.local/share/VPNetworkLLC/TorGuard/configs
nano TorGuard.USA-Dallas-NO-TORRENTS-TCP.ovpn


Change from :
sndbuf 393216
rcvbuf 393216


To :
sndbuf 0
rcvbuf 0


Then connect to TorGuard Anonymous VPN and you can watch YouTube more smoothly.

That's all! See you.


Monday, February 15, 2016

HOWTO : Kali Linux 2016.1 Live USB Persistence Encryption on M.2 SSD

I (Samiux) recommend installing Kali Linux 2016.1 Live USB Persistence on an M.2 SSD of 128GB or larger. The M.2 SSD is installed in an enclosure with a USB 3.0 interface. I will install Kali Linux 2016.1 Live USB Persistence with Encryption only.

I (Samiux) have tried to install Kali Linux 2016.1 Live USB Persistence Encryption on a 32GB USB 3.0 pendrive. It is very, very slow and has insufficient space for the first update. It took over 12 hours to update Kali Linux 2016.1 and the reboot failed. Maybe you can use a larger and faster USB pendrive or an external portable SSD drive for the purpose. I find Live USB Persistence on a fast device better than dual boot on Windows, Mac or Linux computers.

This guide covers how to install Kali Linux 2016.1 Live USB Persistence Encryption for Apple Macbook (Air/Pro/Pro Retina) and Lenovo ThinkPad (X201s or newer). However, this guide is not suitable for The New Macbook as it does not display "Windows" when pressing "Option" during boot. Therefore, this guide may not work for all models of Mac machine.

Step 1 :

You need a Linux computer (such as Ubuntu) to do the following steps. If you do not have gparted installed, install it.

If you are using Ubuntu, you can :

sudo apt-get update
sudo apt-get -y install gparted


Step 2 :

Download Kali Linux 2016.1 from the official site. I downloaded the amd64 version. Install it to the 128GB M.2 SSD.

Usually, the M.2 SSD will appear as "/dev/sdb". You can confirm it by running "fdisk -l".

If you are using Ubuntu, you can :

sudo dd if=kali-linux-2016.1-amd64.iso of=/dev/sdb bs=1024k

Step 3 :

Do not unplug the M.2 SSD. Run gparted and format the remaining space as ext3 (ext4 should work but is not yet tested).

Step 4 :

With the M.2 SSD still inserted in the USB port, run the following commands :

If you are using Ubuntu, you can :

cryptsetup --verbose --verify-passphrase luksFormat /dev/sdb3
cryptsetup luksOpen /dev/sdb3 my_usb

mkfs.ext3 -L persistence /dev/mapper/my_usb
e2label /dev/mapper/my_usb persistence

mkdir -p /mnt/my_usb
mount /dev/mapper/my_usb /mnt/my_usb
echo "/ union" > /mnt/my_usb/persistence.conf
umount /dev/mapper/my_usb

cryptsetup luksClose /dev/mapper/my_usb


* Make sure you enter a very strong passphrase for the encryption

Step 5 :

Then reboot from the M.2 SSD.

If you are using a Macbook, long press the "Option" key during boot. Once the boot menu is displayed, select the "Windows" icon to boot.

If you are using a ThinkPad, press "F12" during boot to launch the boot menu. Once the boot menu is displayed, select the M.2 SSD to boot.

Once the Kali Linux boot menu is displayed, select "Live USB Encrypted Persistence". You will be asked for the passphrase during boot to unlock /dev/sdb3.

Step 6 :

On Kali Linux 2016.1 Live USB Persistence, run the following commands :

apt-get update
apt-get -y install dkms linux-headers-amd64 tlp tlp-rdw

wget http://ftp.wa.co.za/pub/ubuntu/ubuntu/pool/restricted/b/bcmwl/bcmwl-kernel-source_6.30.223.248+bdcom-0ubuntu2.1_amd64.deb
dpkg -i bcmwl-kernel-source_6.30.223.248+bdcom-0ubuntu2.1_amd64.deb


If you are using a ThinkPad, you need this command. However, it does no harm to install it when you are using a Macbook :

apt-get -y install tp-smapi-dkms acpi-call-dkms

Step 7 :

If you are using a Macbook, you need this step. However, it does no harm to set it up when you are using a ThinkPad.

nano /usr/local/bin/mac_keyboard

Enter the following :

#!/bin/bash

# Author : Samiux (http://samiux.blogspot.com)
# Date : Feb 15, 2016

if [ -f /sys/module/hid_apple/parameters/iso_layout ]
then
    echo 0 > /sys/module/hid_apple/parameters/iso_layout
    echo 1 > /sys/module/hid_apple/parameters/fnmode
fi


Save it with "Ctrl o" and "Ctrl x".

chmod +x /usr/local/bin/mac_keyboard

Step 8 :

If you are using a Macbook, you need this step. However, it does no harm to set it up when you are using a ThinkPad.

nano ~/.config/autostart/mac_keyboard.desktop

Enter the following :

[Desktop Entry]
Type=Application
Exec=/usr/local/bin/mac_keyboard
Hidden=false
X-GNOME-Autostart-enabled=true
Name[en_US]=Mac Keyboard Layout
Name=Mac Keyboard Layout
Comment[en_US]=Start Mac Keyboard Layout when GNOME starts
Comment=Start Mac Keyboard Layout when GNOME starts


Step 9 :

nano ~/update_kali

Enter the following :

apt-get update
apt-get -y dist-upgrade
apt-get autoclean
apt-get -y --purge autoremove


Save it with "Ctrl o" and "Ctrl x".

chmod +x ~/update_kali

Step 10

Then update Kali to the latest state. It takes time to update. However, when the kernel is updated, the update process will fail as it cannot update the kernel and its related packages.

cd ~
./update_kali


Step 11

Change your time zone when necessary.

dpkg-reconfigure tzdata

Step 12

Make sure you change the root password on every boot.

passwd

* Make sure you enter a strong password, and it should be different from the encryption passphrase

Known Issues

The New Macbook is not supported. It may not work on all models of Mac machine.

"maltego" on Kali Linux 2016.1 refuses to launch on my Macbook Air (Mid 2013), Macbook Pro Retina (Mid 2012) and ThinkPad X201s even when not in Live USB Persistence mode; maybe it is a bug affecting older CPUs.

REFERENCE

TLP Setting
Broadcom Wireless Driver
Kali Linux Live USB Persistence


That's all! See you.

Source : Samiux's Blog


Saturday, February 13, 2016

HOWTO : Install HexChat on Kali Linux 2016.1

This guide is about installing HexChat on Kali Linux 2016.1.

apt-get update
apt-get -y install hexchat hexchat-common hexchat-plugins libsexy2


That's all! See you.


HOWTO : Install VirtualBox 5.0.14 on Kali Linux 2016.1

This guide is about installing the latest VirtualBox 5.0.14 on Kali Linux 2016.1 (amd64).

Step 1 - Download dependencies :
wget http://http.us.debian.org/debian/pool/main/libv/libvpx/libvpx1_1.3.0-3_amd64.deb
wget http://http.us.debian.org/debian/pool/main/o/openssl/libssl1.0.0_1.0.1k-3+deb8u2_amd64.deb


Step 2 - Create Virtualbox repos :
echo "deb http://download.virtualbox.org/virtualbox/debian jessie contrib" > /etc/apt/sources.list.d/vbox.list

Step 3 - Install Virtualbox public key :
wget -q https://www.virtualbox.org/download/oracle_vbox.asc -O- | sudo apt-key add -

Step 4 - Install it now :
dpkg -i libvpx1_1.3.0-3_amd64.deb
dpkg -i libssl1.0.0_1.0.1k-3+deb8u2_amd64.deb
apt-get update
apt-get -y install linux-headers-amd64 dkms libsdl-ttf2.0-0 virtualbox-5.0


Step 5 - Install Virtualbox Extension Pack :
wget http://download.virtualbox.org/virtualbox/5.0.14/Oracle_VM_VirtualBox_Extension_Pack-5.0.14-105127.vbox-extpack
VBoxManage extpack install Oracle_VM_VirtualBox_Extension_Pack-5.0.14-105127.vbox-extpack


Step 6 - Clean up :
rm *.deb
rm *.vbox-extpack


Step 7 - Reboot :
reboot

Bonus

When installing Kali Linux as a guest on VirtualBox, you may need to install the "Guest Additions CD Image".

apt-get update
apt-get -y install dkms


Then mount the "Guest Additions CD Image" from the VirtualBox menu.

cd /media/cdrom0
cp VBoxLinuxAdditions.run /tmp/
cd /tmp
./VBoxLinuxAdditions.run



That's all! See you.


Thursday, January 14, 2016

HOWTO : Network Security for Home and SOHO Users

Did you think an Intrusion Prevention System (IPS) could not be deployed at home or in a SOHO environment because of the high cost? I have good news for you: you can deploy an IPS at home or SOHO at a very low price.

Croissants is an Intrusion Detection and Prevention System (IDPS) developed by me (Samiux). Its engine is Suricata, the next generation IDPS, which is a very high performance engine.

Features of Croissants :

- Plug, Play and Forget!
- Suricata as IDPS Engine which is the Next Generation IDPS
- Based on ET Open rules (can use ET Pro rules with minimal settings)
- Work with ClamAV (Open Source Anti-Virus) MD5 signatures
- Work with LMD (Linux Malware Detect) MD5 signatures
- Work with IP Reputation blacklists
- Work with SSL Certificate blacklist
- Work with Denyhost SSH blacklist
- Work with Advertising Domains blacklist
- Drop certain traffic with minimal settings
- Disable and Enable rules with minimal settings
- Auto update ET Open rules, MD5 signatures and Blacklists
- Data analysis with charts on web interface
- 4K video streaming playback capable
- Can play common online games (but not ideal for demanding First Person Shooter games as it may have spikes) Demo videos

The Zotac CI323 Nano Plus comes with Windows 10 and is equipped with 2 wired network interfaces and 1 wireless interface, as well as 4GB RAM and an onboard 32GB M.2 SSD.

The Zotac CI323 Nano Plus is ideal for installing Croissants when you add an extra 4GB of RAM or replace the installed RAM with two 8GB modules (16GB total). I recommend installing 16GB RAM on it for better performance. Meanwhile, you need a wireless router. Croissants (special version for CI323) can be installed on the 32GB M.2 SSD with Ubuntu 14.04 LTS Server previously installed. However, it is better to install it to a hard drive or SSD drive.

You can get the special version at the following links (the current version is 1.0-RELEASE). Please also note that the performance of the 16GB version is higher than that of the 8GB version :

8GB RAM Zotac CI323 - https://www.infosec-ninjas.com/files/croissants-1.0/croissants-home-ci323-1.0.1-RELEASE.tar.gz
sha256sum - a12f78ae571fa93dce0ee68f383c8b5af39a903ccaac09336dcaf0b9c5fd6278 croissants-home-ci323-1.0.1-RELEASE.tar.gz

16GB RAM Zotac CI323 - https://www.infosec-ninjas.com/files/croissants-1.0/croissants-smb-ci323-1.0.1-RELEASE.tar.gz
sha256sum - 759616b21235353953ab363f6ca8f6ecbe05e48a7988b0c771675596045959ba croissants-smb-ci323-1.0.1-RELEASE.tar.gz

Please refer to the Croissants website for the installation procedure. The procedure is similar to that of the standard version of Croissants. Meanwhile, this special version will only keep 60 days of data.

Make sure you connect the Zotac CI323 between the ISP and the wireless router, and the monitoring cable should be connected to the router or switch (if any).

Before installing Croissants, you need to edit nsm.conf :

WIFI_SSID - The SSID of your wireless router
WIFI_PASSWORD - The password of your wireless router

The default monitoring IP will be x.x.x.180, such as 192.168.1.180.





To extend the security of your network, you may consider adding the following OpenDNS servers to your router.

OpenDNS FamilyShield DNS servers have built-in fraud and phishing protection and are pre-configured to block adult content :
208.67.222.123
208.67.220.123

OpenDNS Home DNS servers have the same features, but you can customize what content is filtered. You can register with OpenDNS Home for the customization or just use the following servers without customization. Both use the following addresses :
208.67.222.222
208.67.220.220

OpenDNS DNS servers are compatible with Croissants.


REFERENCE

5 DNS Services to Block Porn Sites without Installing Software
HOWTO : Hardening and Tuning Ubuntu 14.04 LTS

That's all! See you.


Monday, December 07, 2015

Facebook Don't Care About Their Users Again

Several years ago, a researcher found a vulnerability in Facebook and informed the officials, providing the PoC in full detail when asked. Later, the researcher was told that it was not vulnerable. The researcher then exploited the account of the founder of Facebook with the vulnerability he had found in order to alert the founder. However, the researcher did not get his bug bounty in the end, and the vulnerability was then fixed by Facebook. Some Facebook users, knowing that, funded the researcher themselves as they thought that the researcher needed the reward.

Today, another researcher, teh3ck (Twitter @teh_h3ck), found an open-redirect vulnerability and informed Facebook. However, teh3ck was told that "the security impact of this bug is not significant" and Facebook refused to pay the bug bounty. The following is the timeline of the bug report :

12th of Nov 2015 | Initial bug report
12th of Nov 2015 | Reply from FB bot that it is a false positive
12th of Nov 2015 | Added more clarification for the bug
16th of Nov 2015 | Reply from Facebook that they use a blacklist method on their next_uri
16th of Nov 2015 | Sent POC videos of the bug that show the impact of the vulnerability
18th of Nov 2015 | Reply from Facebook that I am redirecting to a non-blacklisted site
18th of Nov 2015 | Explaining why URL blacklisting is not the solution for the specific bug
26th of Nov 2015 | Reply from FB that the security impact of this bug is not significant.
6th of Dec 2015 | Public post of the bug

For details, please refer to the Vag Mour site.

In conclusion, Facebook and its security team suck again.

That's all! See you.

Update :

Several hours after teh3ck's post and this article were published, Facebook fixed the vulnerability without giving teh3ck any bug bounty. My recommendation is not to report to Facebook if you find something else on it. You will never, never, never get the bug bounty for sure.


Tuesday, November 10, 2015

HOWTO : Quick Audit Your Android Devices

*** Google Play installation is no longer supported by Google. The official site provides an apk file download for installation. Make sure you have enabled "Unknown sources" at "Settings" -- "Security" before the install. ***

Recently, there have been some famous vulnerabilities in Android devices from Android 4.x to 5.x as well as 6.x. Since not all vendors of Android devices will release the fixes, you can inspect your devices to see whether they are vulnerable or not. If they are vulnerable, you can use them with care or change to other devices in which the vulnerabilities have been fixed.

VTS for Android is an open source project which can scan for the following current vulnerabilities :

ZipBug9950697
Zip Bug 8219321 / Master keys
Zip Bug 9695860
Jar Bug 13678484 / Android FakeID
CVE 2013-6282 / put/get_user
CVE_2011_1149 / PSNueter / Ashmem Exploit
CVE_2014_3153 / Futex bug / Towelroot
CVE 2014-3847 / WeakSauce
StumpRoot
Stagefright bugs
x509 Serialization bug
PingPong root - CVE-2015-3636
Stagefright - CVE-2015-6602
Samsung Remote Code Execution as System
CVE-2015-6608
CVE-2015-7414
CVE-2015-1528
CVE-2015-6616

By the way, we should also beware of adware. Some adware can auto-root your Android devices and is almost impossible to remove. For details, please refer to this article.

That's all! See you.


HOWTO : Audit Your Home Router

Recently, a lot of home routers have been compromised. However, vendors of home routers will not disclose whether the vulnerabilities have been fixed or not. If you are an Android user and use wifi at home, you can audit your home router easily with RouterCheck, which can be downloaded from Google Play.

This app will check whether the router's default username and password are still in force. It will also check whether your router has known vulnerabilities.

It will not change any setting of your router, but it provides some information for you to improve the security of your router.

That's all! See you.


Monday, October 26, 2015

HOWTO : Detect and Prevent ICMP Tunnel Attack on Suricata

Recently, I read an article about the ICMP Tunnel attack. It demonstrates how to upload a file by encoding the content with Base64 via the ICMP protocol.

There is a Suricata rule for detecting large ICMP packets, but it is currently disabled by default (dated Oct 26, 2015), which is :

#alert icmp any any -> any any (msg:"GPL ICMP Large ICMP Packet"; dsize:>800; reference:arachnids,246; classtype:bad-unknown; sid:1000029; rev:5;)

We can enable it by removing the "#" in front of the rule and changing the action to "drop".

However, it cannot identify packets whose payload is Base64 encoded. I drafted the following Suricata rule, based on the previous one, and set it to "drop" :

drop icmp any any -> any any (msg:"LOCAL ICMP Large ICMP Packet (Base64)"; dsize:>800; content:"="; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; reference:url,www.notsosecure.com/2015/10/15/icmp-tunnels-a-case-study/; classtype:bad-unknown; sid:1000028; rev:1;)
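To see how the three conditions of that rule (dsize, content and pcre) combine, the following Python reproduces its matching logic over constructed ICMP payloads. This is an added illustration, not part of the original post or of Suricata; the sample payloads are constructed.

```python
import base64
import re

# Constants mirror the drafted Suricata rule: dsize:>800, content:"=" and the
# anchored Base64 pcre. Added illustration, not Suricata code.
DSIZE_THRESHOLD = 800
BASE64_RE = re.compile(
    rb"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$"
)


def matches_large_base64_icmp(payload: bytes) -> bool:
    """Return True when an ICMP payload satisfies all three rule conditions."""
    if len(payload) <= DSIZE_THRESHOLD:          # dsize:>800 fails
        return False
    if b"=" not in payload:                      # content:"=" fails
        return False
    return BASE64_RE.match(payload) is not None  # pcre must match the whole payload


# Constructed sample payloads (not captured traffic).
SAMPLE_PAYLOADS = {
    # a normal 56-byte ping payload
    "ping": bytes(range(56)),
    # 620 bytes of data -> 828 Base64 characters ending in a single "="
    "b64_padded": base64.b64encode(b"A" * 620),
    # 621 bytes of data -> 828 Base64 characters with no padding at all
    "b64_unpadded": base64.b64encode(b"B" * 621),
    # large binary payload that merely contains "=" somewhere
    "binary_with_equals": b"\x00" * 899 + b"=",
}


def evaluate_samples() -> dict:
    """Apply the rule logic to every sample and report which would be dropped."""
    return {name: matches_large_base64_icmp(p) for name, p in SAMPLE_PAYLOADS.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:20s} {'DROP' if hit else 'pass'}")
```

The unpadded sample shows that Base64 data whose length is a multiple of 3 carries no "=", so keep the generic large-ICMP rule (sid 1000029) enabled alongside this one rather than relying on the padding character alone.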

That's all! See you.


Thursday, October 22, 2015

HOWTO : Self-signed Certificate on Suricata

Problem

The most common weakness of an Intrusion Detection and Prevention System is encrypted traffic inspection. Encrypted SSL/TLS traffic requires the signed certificate for decryption. Some malicious activities may use self-signed certificates for the SSL/TLS connection.

Solution

How can we do that? If you are running Suricata as an IPS, you can do it very easily by referring to this blog. The rule will detect self-signed certificates regardless of the port number.

Make sure you have configured Suricata properly according to the blog.

You can also use this rule for other purposes.

Quick Reference

self-signed-cert.lua

The Suricata rule is :

alert tls any any -> any any (msg:"SURICATA TLS Self Signed Certificate"; flow:established; luajit:self-signed-cert.lua; tls.store; classtype:protocol-command-decode; sid:999666111; rev:1;)

HOWTO : LuaJIT on Suricata

That's all! See you.


Thursday, October 15, 2015

HOWTO : Detect and Prevent SSH Tunnel On Suricata

Problem

The most common weakness of an Intrusion Detection and Prevention System is encrypted traffic inspection. SSH encrypted traffic requires private/public keys for encryption/decryption, and it is very hard to obtain the private key from attackers.

Solution

How can we do that? If you are running Suricata as an IPS, SSH Dynamic, Reverse and Port Forwarding tunnels will be detected by the following rules :

# ssh (port 5228=Google Talk, port 6697=IRC)
alert tcp any any -> any 22 (msg:"LOCAL SSH connect"; flow:established,to_server; app-layer-protocol:ssh; sid:1000008; rev:1;)

drop tcp any any -> any 22 (msg:"LOCAL not SSH but Port 22"; flow:established,to_server; app-layer-protocol:!ssh; sid:1000009; rev:1;)

drop tcp any any -> any ![22,5228,6697] (msg:"LOCAL SSH but not Port 22"; flow:established,to_server; app-layer-protocol:ssh; sid:1000010; rev:1;)


The first rule will alert you that there is an SSH connection to port 22. The second rule will block traffic that is not the SSH protocol but connects to port 22. The last rule will block SSH connections that are not connecting to port 22, 5228 or 6697, where port 5228 is Google Talk and port 6697 is IRC.

If you do not use the standard port 22 for SSH, please change the value where necessary.
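The decision the three rules make can be replayed against Suricata's own eve.json flow records to check the policy before deploying it. The following Python is an added example, not part of the original post or of Suricata; it assumes every record is an established to_server flow and treats flows whose protocol detection did not complete ("failed"/"unknown") as matching no rule, which is a simplification of this example.

```python
import json

# Port list from the third rule: SSH is tolerated on these destination ports.
ALLOWED_SSH_PORTS = {22, 5228, 6697}


def apply_ssh_rules(dest_port: int, app_proto: str) -> str:
    """Return the action the three rules take on an established to_server flow.

    app_proto is the protocol Suricata detected ("ssh", "http", ...). Values
    such as "failed" or "unknown" mean detection never completed; in this
    simplified model (an assumption of the example) no rule fires for them.
    """
    detected = app_proto not in ("", "failed", "unknown")
    is_ssh = app_proto == "ssh"
    if dest_port == 22 and is_ssh:
        return "alert"            # sid 1000008: SSH on port 22, just log it
    if dest_port == 22 and detected and not is_ssh:
        return "drop"             # sid 1000009: some other protocol on port 22
    if is_ssh and dest_port not in ALLOWED_SSH_PORTS:
        return "drop"             # sid 1000010: SSH carried over another port
    return "pass"


# Constructed eve.json-style flow records, not real captures.
SAMPLE_EVENTS = [
    '{"event_type":"flow","dest_port":22,"app_proto":"ssh"}',
    '{"event_type":"flow","dest_port":22,"app_proto":"http"}',
    '{"event_type":"flow","dest_port":443,"app_proto":"ssh"}',
    '{"event_type":"flow","dest_port":6697,"app_proto":"ssh"}',
    '{"event_type":"flow","dest_port":8022,"app_proto":"failed"}',
]


def classify_events(lines) -> list:
    """Return (dest_port, app_proto, action) for each flow record."""
    results = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("event_type") != "flow":
            continue
        action = apply_ssh_rules(int(ev["dest_port"]), ev.get("app_proto", ""))
        results.append((ev["dest_port"], ev["app_proto"], action))
    return results


if __name__ == "__main__":
    for dest_port, app_proto, action in classify_events(SAMPLE_EVENTS):
        print(f"port {dest_port:5d} proto {app_proto:7s} -> {action}")
```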

Reference

SSH Brute Force and Suricata
Protocol Anomalies Detection

That's all! See you.


Wednesday, October 14, 2015

HOWTO : LuaJIT on Suricata

What is LuaJIT?

LuaJIT is a Just-In-Time Compiler (JIT) for the Lua programming language. Lua is a powerful, dynamic and lightweight programming language. It may be embedded or used as a general-purpose, stand-alone language.

LuaJIT can be used as a scripting language for Suricata detection rules. Emerging Threats provides some Lua scripts for Suricata here.

Lua is not enabled by default on Suricata. You need to re-compile it to make it work.

If you compile Suricata from GitHub, you can proceed as follows :

Compile and Install of LuaJIT :

The current version at the time of writing is 2.0.4.

cd ~
git clone http://luajit.org/git/luajit-2.0.git
cd luajit-2.0
make
sudo make install


Compile and Install of Suricata on Ubuntu 14.04.3 LTS :

cd ~
git clone git://phalanx.openinfosecfoundation.org/oisf.git
cd oisf
git clone https://github.com/ironbee/libhtp.git

./autogen.sh
./configure --prefix=/usr/ --sysconfdir=/etc/ --localstatedir=/var/ --enable-luajit \
--enable-geoip --with-libnss-libraries=/usr/lib --with-libnss-includes=/usr/include/nss/ \
--with-libnspr-libraries=/usr/lib --with-libnspr-includes=/usr/include/nspr \
--with-libcap_ng-libraries=/usr/local/lib --with-libcap_ng-includes=/usr/local/include \
--with-libluajit-includes=/usr/local/include/luajit-2.0/ \
--with-libluajit-libraries=/usr/local/lib/


make clean
make
sudo make install
sudo ldconfig


Works with ET Lua scripts :

# install lua related packages
sudo apt-get -y install cmake lua-zip lua-zip-dev lua-zlib lua-zlib-dev \
luarocks libzzip-dev libzzip-0.13 lua-apr lua-apr-dev lua-socket \
lua-socket-dev lua-sec lua-sec-dev lua-rex-gnu lua-rex-gnu-dev \
lua-rex-pcre lua-rex-pcre-dev lua-bitop lua-bitop-dev liblua5.1 \
libzip-dev

sudo apt-get -y install cmake build-essential

sudo luarocks install struct
sudo luarocks install bitlib

sudo cp /usr/lib/x86_64-linux-gnu/liblua5.1.so /usr/local/lib/liblua.so


# compile and install ltn12ce
cd ~
git clone https://github.com/mkottman/ltn12ce.git
cd ltn12ce
mkdir build && cd build
cmake ..
make
sudo make install
sudo mkdir -p /usr/local/lib/lua/5.1/ltn12ce
sudo cp ~/ltn12ce/build/src/ltn12ce/core.so /usr/local/lib/lua/5.1/ltn12ce


# compile and install zlib
cd ~
wget http://zlib.net/zlib-1.2.8.tar.gz
tar -xzvf zlib-1.2.8.tar.gz
cd zlib-1.2.8
./configure
make
sudo make install


# compile and install lua-zlib
cd ~
git clone https://github.com/brimworks/lua-zlib.git
cd lua-zlib
make linux
sudo mkdir -p /usr/lib/lua/5.1
sudo mkdir -p /usr/local/lib/lua/5.1
sudo cp zlib.so /usr/local/lib/lua/5.1
sudo make install

sudo cp /usr/lib/x86_64-linux-gnu/lua/5.1/zip.so /usr/local/lib/lua/5.1
sudo mkdir -p /usr/local/lib/lua/5.1/apr
sudo cp /usr/lib/x86_64-linux-gnu/lua/5.1/apr/core.so /usr/local/lib/lua/5.1/apr



Make sure the ET Lua scripts and related rules are placed in "/etc/suricata/rules" and that "luajit-drop.rules" or "luajit.rules" is loaded in suricata.yaml.

Bug Fix on ET Lua scripts :

Please note that CVE-2015-1770.lua and CVE-2015-2375.lua have a small bug when used with LuaJIT. You can fix them like this :

sudo sed -i -e 's/activeX%d+\\.xml/activeX%d+.xml/g' /etc/suricata/rules/CVE-2015-1770.lua
sudo sed -i -e 's/table%d+\\.xml/table%d+.xml/g' /etc/suricata/rules/CVE-2015-2375.lua


Finally, if you are using Snorby, you need to copy all the rules files (except the Lua scripts) to another place, such as "/etc/suricata/rules/snorby"; otherwise, Snorby cannot display the rules when requested. Meanwhile, you need to edit "/var/www/snorby/config/snorby_config.yml" to point to the new rules path.

One more thing: the value of "prealloc" in the "flow" section of suricata.yaml should not be more than "4000000"; otherwise, the Lua scripts cannot be loaded.

After that, restart Suricata.

That's all! See you.


Friday, October 09, 2015

HOWTO : ClamAV For Suricata

Suricata is an Intrusion Detection and Prevention System and it can work with ClamAV too. One of the features of Suricata is matching files by their MD5 hash. We can use the ClamAV MD5 signatures to inspect every file download. We can also save the malicious file for further analysis.

Install and Configure of ClamAV

sudo apt-get update
sudo apt-get install clamav
sudo update-rc.d clamav-freshclam disable


We will not use the ClamAV engine with Suricata; we use the ClamAV MD5 signatures instead.

Prepare ClamAV MD5 Signature for Suricata

sudo nano /usr/bin/nsm_clamav_md5



sudo chmod +x /usr/bin/nsm_clamav_md5

Create cron job :

sudo crontab -e

0 03 * * * /usr/bin/nsm_clamav_md5


* The cron job will run the script (nsm_clamav_md5) at 0300 hours every day, and it should run earlier than the Suricata rules update script/procedure.
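The nsm_clamav_md5 script itself is not reproduced on this page. As an added example (not the author's script and not ClamAV or Suricata code), the following Python performs the conversion such a script needs: it reads ClamAV .hdb hash records (the "MD5:FileSize:MalwareName[:FuncLevel]" format that "sigtool --unpack" produces) and writes the one-lowercase-hash-per-line list that the filemd5 keyword expects. The sample records are constructed placeholders, and the output path "blacklist_md5" is assumed to live in the directory named by default-rule-path, where the rule's filemd5:blacklist_md5 is resolved.

```python
import re

# A ClamAV .hdb record is "MD5:FileSize:MalwareName[:FuncLevel]". Suricata's
# filemd5 keyword wants a plain text file with one lowercase MD5 per line.
HEX_MD5 = re.compile(r"^[0-9a-fA-F]{32}$")


def parse_hdb_line(line: str):
    """Return the lowercase MD5 of one .hdb record, or None for comments,
    blank lines and records that do not carry a well-formed MD5."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split(":")
    if len(fields) < 3 or not HEX_MD5.match(fields[0]):
        return None
    return fields[0].lower()


def hdb_to_filemd5(lines) -> list:
    """Collapse duplicates and return a sorted hash list ready for filemd5."""
    return sorted({h for h in map(parse_hdb_line, lines) if h})


def write_filemd5(path: str, hashes) -> int:
    """Write the list in one-hash-per-line form; returns the number written."""
    with open(path, "w") as fh:
        for h in hashes:
            fh.write(h + "\n")
    return len(hashes)


# Constructed sample records (placeholder hashes, not real signatures).
# The "*" file size and the trailing FuncLevel are both valid in .hdb files.
SAMPLE_HDB = """\
# comment lines and blank lines are ignored
0123456789abcdef0123456789abcdef:1024:Example.Test-1
FEDCBA9876543210FEDCBA9876543210:*:Example.Test-2:73

0123456789ABCDEF0123456789ABCDEF:1024:Example.Test-1-duplicate
notahash:10:Broken.Record
"""

if __name__ == "__main__":
    # In practice feed the lines of the unpacked main.hdb / daily.hdb files
    # and write the result into the rule directory (default-rule-path).
    hashes = hdb_to_filemd5(SAMPLE_HDB.splitlines())
    print(f"{write_filemd5('blacklist_md5', hashes)} hashes written")
```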

Create your Suricata Local Rule

sudo nano /etc/suricata/rules/local.rules

Append the following to the file :

# rules for file extraction
# this rule drops every file whose ClamAV MD5 hash matches the blacklist
drop http any any -> any any (msg:"LOCAL Malicious file - Clamav MD5 Hash"; flow:established; filestore; filemd5:blacklist_md5; classtype: suspicious-filename-detect; sid:1000000; rev:1;)


Configure suricata.yaml

sudo nano /etc/suricata/suricata.yaml

Change the settings as follows :



* If you do not want to save the malicious file for further analysis, you can disable the "file-store" setting in suricata.yaml and remove the "filestore" keyword from local.rules.

Make It To Work Together

sudo nsm_clamav_md5

Restart Suricata or reboot the box. For Croissants, you can restart Suricata by issuing the following command :

sudo restart suricata

Suricata will block malicious files from being downloaded when the MD5 hash is matched, and the malicious files will be saved at /var/log/suricata/files for further inspection.

Known Issue

libhtp 0.5.x cannot handle a browser's retry of a file download at the moment. It is recommended that users do not retry downloading any file when it cannot be downloaded the first time. According to the developer of libhtp, 0.6.x can handle this problem.

Another limitation is that Suricata can only detect malicious files whose MD5 hashes are known to ClamAV.

Reference

Filemd5 and white or black listing with MD5 hashes

That's all! See you.