Saturday, January 26, 2013

HOWTO : Suricata on SSD and Ubuntu 12.04 LTS Desktop

Hardware

Laptop : Lenovo ThinkPad X201s Type 5397-G9B
Processor : Intel Core i7 CPU L640 @ 2.13GHz (2-core with 4 HT)
Memory : 8GB DDR3 RAM
Storage : AData SX900 512GB SSD

Software

Operating System : Ubuntu Desktop 12.04 LTS x86_64
Intrusion Prevention System : Suricata 1.4 (inline mode)

Introduction

Suricata is an Open Source Next Generation Intrusion Detection and Prevention Engine. This engine is not intended to just replace or emulate the existing tools in the industry, but will bring new ideas and technologies to the field.

There is an Ubuntu PPA of Suricata for Ubuntu 10.04 through 13.04, and Ubuntu 13.04 also ships Suricata in its own repositories. Those packages have IPS mode through NFQUEUE enabled. Suricata also supports nVidia CUDA, but that requires recompiling from source with the appropriate configure parameter.

Suricata can be installed not only on servers but also on desktops and laptops. It performs quite well even on an Intel Atom ITX machine.

For the full list of features, see the Suricata features page.

Installation

Step 0 :

This step is for SSD installs only. It moves /tmp, /var/spool and /var/log onto tmpfs, which lives in RAM, so make sure you have enough memory. Note that this also means the contents of /var/log, including Suricata's alert and stats logs, are lost on every reboot.

sudo nano /etc/fstab

Add the following mount options to the "/" entry (and to "/home" or any other SSD-backed entry you have) :

discard,noatime,nodiratime

To make it look like :

UUID=99f0925f-badc-4939 .... -7df6eca0c720 / ext4 discard,noatime,nodiratime,errors=remount-ro 0 1

Then, add the following :

tmpfs /tmp tmpfs defaults,noatime,mode=1777 0 0
tmpfs /var/spool tmpfs defaults,noatime,mode=1777 0 0
tmpfs /var/log tmpfs defaults,noatime,mode=0755 0 0
tmpfs /var/log/suricata tmpfs defaults,noatime,mode=0755 0 0


After that, edit the following :

sudo nano /etc/rc.local

Add the following right before the "exit 0" :

echo deadline > /sys/block/sda/queue/scheduler
echo 1 > /sys/block/sda/queue/iosched/fifo_batch


Step 1 :

sudo add-apt-repository ppa:oisf/suricata-stable
sudo apt-get update
sudo apt-get install suricata htp


Step 2 :

To get the Emerging Threats rules :

cd /etc/suricata/

sudo wget https://rules.emergingthreatspro.com/open/suricata/emerging.rules.tar.gz

sudo tar -xvzf emerging.rules.tar.gz

sudo ln -s /etc/suricata/rules/reference.config /etc/suricata/reference.config

sudo ln -s /etc/suricata/UbuntuPPA-configs/classification.config /etc/suricata/classification.config

sudo cp /etc/suricata/UbuntuPPA-configs/suricata-ppa-1.4-6ubuntu6.yaml /etc/suricata/suricata.yaml


*** Alternatively, you can use the reference.config and classification.config shipped in /etc/suricata/rules.

sudo touch /etc/suricata/threshold.config

Step 3 :

sudo nano /etc/suricata/suricata.yaml

Locate the following lines :

default-log-dir: /usr/local/var/log/suricata/
default-rule-path: /usr/local/etc/suricata/rules
classification-file: /usr/local/etc/suricata/classification.config
reference-config-file: /usr/local/etc/suricata/reference.config
#pid-file: /var/run/suricata.pid
#- rule-reload: true
#threshold-file: /usr/local/etc/suricata/threshold.config

- drop
enable: no


Replace with the following lines :

default-log-dir: /var/log/suricata/
default-rule-path: /etc/suricata/rules
classification-file: /etc/suricata/classification.config
reference-config-file: /etc/suricata/reference.config
pid-file: /var/run/suricata.pid
- rule-reload: true
threshold-file: /etc/suricata/threshold.config

- drop
enable: yes


To test whether it works :

sudo suricata -c /etc/suricata/suricata.yaml -i eth0

Several minutes later, check /var/log/suricata/stats.log and /var/log/suricata/http.log to see whether entries are being written.

Step 4 :

sudo iptables -A INPUT -j NFQUEUE
sudo iptables -A OUTPUT -j NFQUEUE
sudo iptables -A FORWARD -j NFQUEUE


To test whether it works (note that once these rules are in place, packets sent to NFQUEUE are dropped by the kernel until a process attaches to the queue, so the machine has no network access until Suricata is started) :

sudo suricata -c /etc/suricata/suricata.yaml -q 0

Step 5 :

sudo apt-get install oinkmaster

sudo nano /etc/oinkmaster.conf

Append the following line :

url = https://rules.emergingthreatspro.com/open/suricata/emerging.rules.tar.gz

sudo oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules

Step 6 :

When everything is working fine, you can put the following in /etc/rc.local, right above "exit 0" :

iptables -A INPUT -j NFQUEUE --queue-balance 0:3
iptables -A OUTPUT -j NFQUEUE --queue-balance 0:3
iptables -A FORWARD -j NFQUEUE --queue-balance 0:3

/etc/suricata/ips

Then create the file /etc/suricata/ips :

sudo nano /etc/suricata/ips

with the following content :

#!/bin/sh
suricata -D -c /etc/suricata/suricata.yaml -q 0 -q 1 -q 2 -q 3

and make it executable :

sudo chmod +x /etc/suricata/ips

Then create the update-rules script :

sudo nano /etc/suricata/update-rules

with the following content (USR2 tells the running Suricata to reload its rules) :

#!/bin/sh
oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules
kill -USR2 `pidof suricata`

and make it executable :

sudo chmod +x /etc/suricata/update-rules


Step 7 :

Whenever you want to update the rules, run :

sudo /etc/suricata/update-rules

That's all! See you.

Friday, January 25, 2013

The Volatility Framework

The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. The extraction techniques are performed completely independent of the system being investigated but offer unprecedented visibility into the runtime state of the system. The framework is intended to introduce people to the techniques and complexities associated with extracting digital artifacts from volatile memory samples and provide a platform for further work into this exciting area of research.

The following video and command list were not created by me; I just copied them for reference. Please credit the video maker.



Commands list

./vol.py -f zeus.vmem pslist

To list the processes of a system, use the pslist command.

./vol.py -f zeus.vmem malfind

Use it to find hidden or injected code/DLLs in user mode memory.

./vol.py -f zeus.vmem ldrmodules

To find hidden DLLs.

./vol.py -f zeus.vmem apihooks

To find API hooks in user mode or kernel mode.

./vol.py -f zeus.vmem idt

To dump the IDT (Interrupt Descriptor Table).

./vol.py -f zeus.vmem gdt

To dump the GDT (Global Descriptor Table).

./vol.py -f zeus.vmem threads -L

This command gives you extensive details on threads.

./vol.py -f zeus.vmem callbacks

To list kernel callbacks; the Windows kernel and drivers use these callbacks to monitor and/or react to events.

./vol.py -f zeus.vmem driverirp

To print a driver's IRP Major Function table.

./vol.py -f zeus.vmem devicetree

To print the device tree (Windows uses a layered driver architecture).

./vol.py -f zeus.vmem psxview

This plugin helps you detect hidden processes by comparing several ways of enumerating them.
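As an added example (not from the video or the Volatility project), the cross-view check that psxview automates can be reproduced from pslist and psscan output. The two outputs below are constructed samples in the layout of Volatility 2; a process that psscan carves from memory but the pslist walk of the kernel's process list does not return is either unlinked by a rootkit or already terminated.

```python
import re

# Constructed sample output in the layout of Volatility 2's pslist (which walks
# the kernel's linked list of EPROCESS blocks) and psscan (which carves EPROCESS
# blocks from the whole image). Offsets, names and PIDs are made up.
PSLIST = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds
---------- -------------------- ------ ------ ------ --------
0x81bcc830 System                    4      0     57      292
0x81a67c00 smss.exe                544      4      3       19
0x81a15da0 explorer.exe           1724   1708     17      415
"""
PSSCAN = """\
Offset(P)  Name                PID   PPID PDB
---------- ---------------- ------ ------ ----------
0x01bcc830 System                4      0 0x00319000
0x01a67c00 smss.exe            544      4 0x0a8c0020
0x01a15da0 explorer.exe       1724   1708 0x0c4a0040
0x02029ab8 hidden.exe         1324   1724 0x0a880100
"""

ROW = re.compile(r"^0x[0-9a-f]+\s+(\S+)\s+(\d+)\s+(\d+)", re.I)

def parse(output):
    """Return {pid: name} for every process row in a plugin's text output."""
    procs = {}
    for line in output.splitlines():
        m = ROW.match(line)
        if m:
            procs[int(m.group(2))] = m.group(1)
    return procs

def cross_view(sources):
    """psxview-style table: {pid: {"name": ..., source: seen?}} across all views."""
    parsed = {src: parse(out) for src, out in sources.items()}
    table = {}
    for procs in parsed.values():
        for pid, name in procs.items():
            table.setdefault(pid, {"name": name})
    for pid, row in table.items():
        for src, procs in parsed.items():
            row[src] = pid in procs
    return table

def hidden_processes(sources, trusted="pslist"):
    """PIDs another view sees but the list walk does not: either unlinked from
    the list by a rootkit (DKOM) or a terminated process not yet overwritten."""
    return sorted(pid for pid, row in cross_view(sources).items()
                  if not row[trusted] and any(row[s] for s in sources if s != trusted))
```

In practice feed it the real plugin outputs and treat a PID flagged here the same way psxview's False-in-pslist column is treated: confirm with the exit time from psscan before calling it hidden.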

Source : Volatility Wiki

That's all! See you.

Friday, January 18, 2013

HOWTO : Suricata on Ubuntu 12.04 LTS Server

Suricata is an Open Source Next Generation Intrusion Detection and Prevention Engine. This engine is not intended to just replace or emulate the existing tools in the industry, but will bring new ideas and technologies to the field.

There is an Ubuntu PPA of Suricata for Ubuntu 10.04 through 13.04, and Ubuntu 13.04 also ships Suricata in its own repositories. Those packages have IPS mode through NFQUEUE enabled. Suricata also supports nVidia CUDA, but that requires recompiling from source with the appropriate configure parameter.

Suricata can be installed not only on servers but also on desktops and laptops. It performs quite well even on an Intel Atom ITX machine.

For the full list of features, see the Suricata features page (Reference [3]).

The following is a basic and general setup of Suricata. For more advanced settings, please refer to the Reference below.


Step 1 :

sudo apt-get install python-software-properties
sudo add-apt-repository ppa:oisf/suricata-stable
sudo apt-get update
sudo apt-get install suricata htp


Step 2 :

To get the Emerging Threats rules :

cd /etc/suricata/

sudo wget https://rules.emergingthreatspro.com/open/suricata/emerging.rules.tar.gz

sudo tar -xvzf emerging.rules.tar.gz

sudo ln -s /etc/suricata/rules/reference.config /etc/suricata/reference.config

sudo ln -s /etc/suricata/UbuntuPPA-configs/classification.config /etc/suricata/classification.config

sudo cp /etc/suricata/UbuntuPPA-configs/suricata-ppa-1.4-6ubuntu6.yaml /etc/suricata/suricata.yaml


*** Alternatively, you can use the reference.config and classification.config shipped in /etc/suricata/rules.

sudo mkdir /var/log/suricata
sudo touch /etc/suricata/threshold.config


Step 3 :

sudo nano /etc/suricata/suricata.yaml

Locate the following lines :

default-log-dir: /usr/local/var/log/suricata/
default-rule-path: /usr/local/etc/suricata/rules
classification-file: /usr/local/etc/suricata/classification.config
reference-config-file: /usr/local/etc/suricata/reference.config
#pid-file: /var/run/suricata.pid
#- rule-reload: true
#threshold-file: /usr/local/etc/suricata/threshold.config

- drop
enable: no


Replace with the following lines :

default-log-dir: /var/log/suricata/
default-rule-path: /etc/suricata/rules
classification-file: /etc/suricata/classification.config
reference-config-file: /etc/suricata/reference.config
pid-file: /var/run/suricata.pid
- rule-reload: true
threshold-file: /etc/suricata/threshold.config

- drop
enable: yes


To test whether it works :

sudo suricata -c /etc/suricata/suricata.yaml -i eth0

Several minutes later, check /var/log/suricata/stats.log and /var/log/suricata/http.log to see whether entries are being written.

Step 4 :

sudo iptables -A INPUT -j NFQUEUE
sudo iptables -A OUTPUT -j NFQUEUE
sudo iptables -A FORWARD -j NFQUEUE


To test whether it works (note that once these rules are in place, packets sent to NFQUEUE are dropped by the kernel until a process attaches to the queue, so the machine has no network access until Suricata is started) :

sudo suricata -c /etc/suricata/suricata.yaml -q 0

Step 5 :

sudo apt-get install oinkmaster

sudo nano /etc/oinkmaster.conf

Append the following line :

url = https://rules.emergingthreatspro.com/open/suricata/emerging.rules.tar.gz

sudo oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules

Step 6 :

When everything is working fine, you can put the following in /etc/rc.local, right above "exit 0" :

#iptables -F
iptables -A INPUT -j NFQUEUE
iptables -A OUTPUT -j NFQUEUE
iptables -A FORWARD -j NFQUEUE


/etc/suricata/ips

Then create the file /etc/suricata/ips :

sudo nano /etc/suricata/ips

with the following content (the last two lines refresh the rules at boot and tell the daemon to reload them) :

#!/bin/sh
suricata -D -c /etc/suricata/suricata.yaml -q 0
oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules
kill -USR2 `pidof suricata`

and make it executable :

sudo chmod +x /etc/suricata/ips

Then you can write a cron job to update the Emerging Threats rules every day.

sudo crontab -e

Append the following :

@daily /etc/suricata/update-rules

Then create the update-rules script :

sudo nano /etc/suricata/update-rules

with the following content (USR2 tells the running Suricata to reload its rules) :

#!/bin/sh
oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules
kill -USR2 `pidof suricata`

and make it executable :

sudo chmod +x /etc/suricata/update-rules


Remarks :

If you want to create a user-interface for the IPS, you can refer to the "Reference" item [12].

If Suricata is to act as an IPS gateway, you need to bridge 2 NICs for traffic and keep 1 NIC for management. In addition, some changes to the configuration files are required.

If you have a 4-core CPU, change the settings as follows :

iptables -A INPUT -j NFQUEUE --queue-balance 0:3
iptables -A OUTPUT -j NFQUEUE --queue-balance 0:3
iptables -A FORWARD -j NFQUEUE --queue-balance 0:3


suricata -D -c /etc/suricata/suricata.yaml -q 0 -q 1 -q 2 -q 3
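An added check (not part of this HOWTO or the desktop one above) for the "look at stats.log" step in both posts and for the multi-queue setup just shown: it parses the most recent block of a stats.log, here a constructed excerpt with assumed thread names, and reports any NFQ receive thread that decoded no packets, which is what you see when --queue-balance spreads traffic over a queue that no -q option is attached to.

```python
import re

# Constructed excerpt in the layout of Suricata 1.x's stats.log: a dated block
# of "Counter | TM Name | Value" rows is appended every few seconds. The
# thread names and numbers here are made up for this example.
STATS_LOG = """\
-------------------------------------------------------------------
Date: 1/26/2013 -- 10:00:08 (uptime: 0d, 00h 00m 08s)
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
decoder.pkts              | RxNFQ0                    | 0
-------------------------------------------------------------------
Date: 1/26/2013 -- 10:05:08 (uptime: 0d, 00h 05m 08s)
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
decoder.pkts              | RxNFQ0                    | 18231
decoder.pkts              | RxNFQ1                    | 17904
decoder.pkts              | RxNFQ2                    | 0
decoder.pkts              | RxNFQ3                    | 18077
detect.alert              | Detect                    | 12
"""

ROW = re.compile(r"^(\S+)\s*\|\s*(\S+)\s*\|\s*(\d+)\s*$")

def parse_counters(text):
    """Return {(counter, thread): value} from the most recent block only:
    stats.log grows forever, and older blocks hold stale counters."""
    counters = {}
    for line in text.rsplit("Date:", 1)[-1].splitlines():
        m = ROW.match(line)
        if m:
            counters[(m.group(1), m.group(2))] = int(m.group(3))
    return counters

def queue_packet_counts(text, counter="decoder.pkts"):
    """Packets decoded per receive thread (one thread per -q queue)."""
    return {thread: value
            for (name, thread), value in sorted(parse_counters(text).items())
            if name == counter}

def idle_queues(text):
    """Threads that decoded nothing. With --queue-balance 0:3 every queue
    gets a share of the traffic, so an idle thread usually means no -q N was
    given for that queue and the kernel is dropping the packets sent to it."""
    return [t for t, v in queue_packet_counts(text).items() if v == 0]
```

Run it against /var/log/suricata/stats.log after the box has carried traffic for a few minutes; an empty list from idle_queues means every queue in the balance range has a listener.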





Reference

[1] OISF - Open Information Security Foundation
[2] Ubuntu PPA
[3] Suricata - Features
[4] Suricata Rules
[5] Rules reload
[6] Rule Management with Oinkmaster
[7] SmoothSec 2.1 (Suricata IDS distribution)
[8] Setting up IPS/inline for Linux
[9] Installation with CUDA on Ubuntu Server
[10] Suricata, Snorby and Barnyard2 setup guide
[11] Kill process in Linux or terminate a process in UNIX or Linux systems
[12] Installing Snorby on Ubuntu 12.04
[13] Suricata.yaml
[14] Suricata IPS information
[15] Suricata - Windows
[16] Suricata - Mac OSX
[17] Suricata - FreeBSD

That's all! See you.

Thursday, January 17, 2013

We Are Legion: The Story of the Hacktivists

Want to know more about Anonymous and Hacktivists? Here you are ....

*** Please note that English subtitles are available and their colour can be configured. ***



That's all! See you!

Friday, January 04, 2013

Why You Need To Learn Hacking Skills (2013)?



Male : I am managing a network and some servers. Ah, how to protect them from being compromised?

Female : Generally speaking, you need to know how to harden your network and servers.

Male : I followed all the advice and suggestions from the internet, such as security discussions or wikis. Some of the advice asks me to read logs. However, I learnt from the internet that some exploit activities will not be logged. Any suggestion?

Female : Why not learn how malicious hackers think and act in order to protect your network and servers?

Male : What does that mean?

Female : To be an Ethical Hacker in order to protect your network and servers. Then, you will be thinking like a criminal and act as a professional.

Male : It sounds good. However, when I ask about hacking skills in the forums, those guys in the forums always turn me down. Sometimes they mislead me.

Female : Why not take some formal training on hacking, such as OSCP or CEH? Those courses will teach you hacking skills and knowledge. When you know how malicious hackers think and act, you will know how to protect your network and servers well. Ethical Hackers and Malicious Hackers speak the same language, use the same tools and play the same game. Learn to hire a thief to try to steal something, but don't hire a cop.

Male : Sure. Thanks for the suggestion.

Female : You're welcome.

That's all! See you.

Wednesday, January 02, 2013

HOWTO : Xenotix XSS Exploit Framework V2

Xenotix XSS Exploit Framework is developed by Kerala Cyber Force.

The exploitation framework in the tool includes an XSS encoder, a victim-side XSS keystroke logger, an executable drive-by downloader and an XSS reverse shell.



That's all! See you.