Monday, May 19, 2014

Croissants - Intrusion Detection and Prevention System


INTRODUCTION

In 2013, I joined the SmoothSec project and modified it to adopt to Intrusion Detection and Prevention System by using Suricata with AF_PACKET. Since SmoothSec 3.4 is developed on Debian 7 (Wheezy), the Linux kernel 3.2.x is too old for Suricata with AF_PACKET. I used the backport kernel to complete the task. However, it makes the system not so easy to maintain.

Meanwhile, the SmoothSec project seems to be dead. The core developer does not active in the project and IRC channel. Therefore, I make up my mind to create a new project namely "Croissants" based on the SmoothSec. Croissants is designed for Ubuntu Server LTS or higher (Long Team Support only) and targeted to work with Suricata on AF_PACKET only. It is an Open Source Project under GPLv3 License by Samiux.

Croissants is a bash script instead of a Linux distribution likes SmoothSec. It downloads and compiles as well as setup the applications almost automatically. It combines with Suricata (IDPS Engine), Snorby (Event Manager & Web Interface), Pigsty (Event Spooler) and Pulledpork (Rules Manager). It will use the latest verion of the software on every installation but the only drawback is requiring internet.


WHY UBUNTU AND AF_PACKET?

I am a long term user of Ubuntu since 2006 (Ubuntu 6.06). I find that Ubuntu uses newer packages and kernel. Ubuntu can be set to update the system automatically, although you can do it with cron job. It makes the system almost up-to-date in order to avoid some known vulnerabilities attack. Therefore, you can focus on your business and network security monitoring (NSM). Furthermore, Ubuntu is free forever according to the founder, Mark Richard Shuttleworth.

AF_PACKET can be running on a very low-end computer, such as Intel ATOM D2550. The performance of the AF_PACKET is very good under this CPU on my home network. I can watch 720p Youtube video without lagging on my network (10Mbit internet and Gigabit internal network with Untangle UTM and Croissants). The amount of RAM is 8GB on this default setup. However, home router will be lagged while watching 720p Youtube video. This poor performance should be caused by the home router.


WHY CROISSANTS?

Croissants (food) is delicious and common as well as cheap in price. I would like Intrusion Detection and Prevention System is common and cheap in price that everyone can affort.

Croissants can run on a low-end computer such as Intel ATOM D2550 with 3 network interface cards and 4GB RAM. This configuration is ideal for home network and home office. For business, I recommended to have a more high-end multi-core computer and more than 32GB RAM for Croissants with some tuning on Suricata engine.


INSTALLATION

Make sure your computer can access to the internet when installing. Meanwhile, the "automatically update" should also be selected when installing Ubuntu Server. Set the Ubuntu Server LTS to UTC time zone at the end of the setup; otherwise, the time stamp of Snorby (event manager web application) will be incorrect. You are required to install OpenSSH only during the installation of Ubuntu Server.

Download the Croissants from here. Extracts it and runs the script namely "nsm_install" with "sudo". After that, re-cabling the computer when necessary and then reboot. That's all! However, the installation may take hours which is depending on the power of your hardware and the internet speed.

You can even reinstall the Snorby database by running "nsm_snorby_db_reinstall" after the trial run.

When you write some local rules, you can update them to the system by running the script "nsm_rules_update". When you want to update the Ubuntu Server, you can run "update_ubuntu". When updating the Croissants, you can run "update_nsm" which will update the system by compiling from source code that download from the internet. Make sure to run those scripts with "sudo".

In addition, Croissants will update the rules file on every 4 hours automatically.


That's all! See you.

Sunday, May 04, 2014

HOWTO : Azazel on Debian Wheezy

I know this rootkit - Azazel for some time; however, I am busy to give it a test. Recently, I am bored and take it a look.

Azazel is a linux userland rookit based on original LD_PRELOAD technique from Jynx (rootkit). Azazel has some features that are very useful for attackers, such as file hidden and anti-debugging.

I set up four virutalbox guests in Debian 7 (Wheezy), Ubuntu 12.04.4 LTS, Ubuntu 14.04 LTS and CentOS 6.5.

The Azazel can be compiled without problem if you installed the required libraries. You need root privilege to install this rootkit. Once installed, you are very hard to remove it unless you re-install your system. However, the developer sugguest to remove one of the files by booting from live cd.

After a very quick test on Azazel under the above mentioned Virtualbox (version 4.3.10 r93012) guests, only Debian can run it flawlessly. Ubuntu cannot be reboot. CentOS cannot be login after the reboot. Azazel cannot be ran properly in Ubuntu and CentOS too. I think no attacker will want to destroy the victim box unless s/he really want to.

After a quick look at the developer's products, I think that the developer is running Debian and his products should be tested on Debian only.

Meanwhile, only backdoor, anti-debugging and file hidden of Azazel on Debian are tested. Plaintext backdoor and Crypthook backdoor cannot be tested successful in my lab. Once the file is hidden, you cannot undo it and it can be access by Azazel only.

If you want to port this rootkit to other Linux distributions, you need to modify the source code. One of the reasons that Linux is harder to be attacked due to too many variants.

REFERENCE

To compile Azazel on Debian or Ubuntu, you need to do the following :

apt-get install libpam0g-dev libssl-dev libpcap0.8-dev build-essential git

To compile Azazel on CentOS, you need to do the following :

yum install gcc make pam-devel openssl-devel libpcap-devel

That's all! See you.