Security Onion- IDS, NSM, and log management

What if you want an IDS system that monitors malicious activities and provides you with logs (Network Security Monitoring) and graphs to help protect your network?  And what if you want an easy setup that provides you with information that will help you – something with a GUI interface?   Security Onion can provide you with the defacto IDS system – Snort, Squert and a ton of other tools to help you.  While there are options, Security Onion offers the choice of Snort (http://snort.org/) or Suricata (http://suricata-ids.org/).

The setup below shows a test system using VMWare with 2 processors and 2 Gb of RAM if you want to try it out.   While the bare minimum is suggested to be 3 Gb, a production environment should have 8- 128 Gb of RAM, a ton of hard drive space for logs and two network cards.  One network card for management and one to sniff.

Security Onion’s ISO can be downloaded from SourceForge.   While there is a ton of how-tos on the internet about Security Onion, there is a great deal of information on there blog located here.

Here’s a simple setup I did at home to try out Security Onion.  Using VMware’s Player (non-commercial use).  If you plan on trying Security Onion or deploying it in a production environment, you should use the commercial version or have a system that supports the minimum requirements.

menuinstallliveLive Runninginstalling rullinstalling driveinstalling drive erase  Installing files after time keyboard finished

 

Once you restart, you’ll need to run setup again to enter an email address for squert and setup a password. Once this is done, you can open the shortcuts on the desktop or use your host computer to login. Once this is complete, login to Snorby’s url.

While snort is running, Snorby will present a dashboard.  You may be surprised to see no threats once you login.  You can expedite this process by running NMap (Zenmap against the virtual machine) if you want to see threats.

What is Snorby? “ Snorby is a web application interface to view, search and classify Snort and Suricata alerts and generate various types of reports, such as most active IDS signatures, most active sensors, and top source and destination IP addresses.”  more information.
2 snorby

Once you run NMap, click on More Options in the right corner and update the Cache

2a cache update

Give Security Onion just a few seconds and refresh the screen.  You’ll see the events logged.  This will visually show you not only how  many threats were ‘ seen’ on the network but will categorize and graph them.

3 snorby 3 severity

Clicking on the events will show each event and give you the option to categorize unknown threats or to reclassify threats.
4 nmap to test

Logging in to Squert allows you to see threats along with maps and information from threats.

5 squert

Squert map

ELSA – allows you to query and look for information.

6 Elsa

What does NMap show when Security Onion is scanned?

7 is it logging

 

 

 

Introduction to Security Onion

Security Onion Blog

 

The dangers of using outdated software


 Outdated software contains security flaws which cybercriminals can use as avenues to infiltrate the corporate network.

The dangers of using outdated software.

Defending your network with Snort for Windows

SNortlogo
When you hear about Snort, the De facto of Intrusion Detection Systems, you think of Linux.  Snort offers a Windows setup and signatures that can be used with any operating system.

Snort should be a dedicated computer in your network.  This computer’s logs should be reviewed often to see malicious activities on your network.

Steps to install Snort on Windows :
1. Download Snort from the Snort.org website. (http://www.snort.org/snort-downloads)
2. Download Rules from here. You must register to get the rules. (You should download these often)
3. Double click on the .exe to install snort.  This will install snort in the “C:\Snort” folder.
It is important to have WinPcap installed
4. Extract the Rules file. You will need WinRAR for the .gz file.
5. Copy all files from the “rules” folder of the extracted folder.  Now paste the rules into “C:\Snort\rules” folder.
6. Copy “snort.conf” file from the “etc” folder of the extracted folder.  You must paste it into “C:\Snort\etc” folder. Overwrite any      existing file.  Remember if you modify your snort.conf file and download a new file, you must modify it for Snort to work.
7. Open a command prompt (cmd.exe) and navigate to folder “C:\Snort\bin” folder. ( at the Prompt, type cd\snort\bin)
8. To start (execute) snort in sniffer mode use following command:
snort -dev -i 3
-i indicates the interface number.  You must pick the correct interface number.  In my case, it is 3.
 -dev is used to run snort to capture packets on your network.

To check the interface list,  use following command:
 snort   -W
Finding an interface

You can tell which interface to use by looking at the Index number and finding Microsoft.  As you can see in the above example, the other interfaces are for VMWare.  My interface is 3.

9. To run snort in IDS mode, you will need to configure the file “snort.conf” according to your network environment.
10. To specify the network address that you want to protect in snort.conf file, look for the following line.
var HOME_NET 192.168.1.0/24  (You will normally see any here)
11. You may also want to set the addresses of DNS_SERVERS, if you have some on your network.

Example:

example snort
12. Change the RULE_PATH variable to the path of rules folder.
 var RULE_PATH c:\snort\rules

path to rules
13. Change the path of all library files with the name and path on your system. and you must change the path    of snort_dynamicpreprocessorvariable.
C:\Snort\lib\snort_dynamiccpreprocessor
You need to do this to all library files in the “C:\Snort\lib” folder. The old path might be: “/usr/local/lib/…”. you will need to    replace that path with your system path.  Using C:\Snort\lib
14. Change the path of the “dynamicengine” variable value in the “snort.conf” file..
Example:
 dynamicengine C:\Snort\lib\snort_dynamicengine\sf_engine.dll

libraries

 

15 Add the paths for “include classification.config” and “include reference.config” files.
  include c:\snort\etc\classification.config
include c:\snort\etc\reference.config
16. Remove the comment (#) on the line to allow ICMP rules, if it is  commented with a #.
 include $RULE_PATH/icmp.rules
17. You can also remove the comment of ICMP-info rules comment, if it is commented.
 include $RULE_PATH/icmp-info.rules
18. To add log files to store alerts generated by snort,  search for the “output log” test in snort.conf and add the following line:
output alert_fast: snort-alerts.ids
19.  Comment (add a #) the  whitelist $WHITE_LIST_PATH/white_list.rules and the blacklist

Change the nested_ip inner , \  to nested_ip inner #, \
20. Comment out (#) following lines:
#preprocessor normalize_ip4
#preprocessor normalize_tcp: ips ecn stream
#preprocessor normalize_icmp4
#preprocessor normalize_ip6
#preprocessor normalize_icmp6

21. Save the “snort.conf” file.
22. To start snort in IDS mode, run the following command:

snort -c c:\snort\etc\snort.conf -l c:\snort\log -i 3
(Note: 3 is used for my interface card)

If a log is created, select the appropriate program to open it.  You can use WordPard or NotePad++ to read the file.

To generate Log files in ASCII mode, you can use following command while running snort in IDS mode:
snort -A console -i3 -c c:\Snort\etc\snort.conf -l c:\Snort\log -K ascii

23. Scan the computer that is  running snort from another computer by using PING or NMap (ZenMap).

After scanning or during the scan you can check the snort-alerts.ids file in the log folder to insure it is logging properly.  You will see IP address folders appear.

Snort monitoring traffic -

traffic

Snort’s detailed report when scanning has stopped -

termination

 

Log files -

logs

 

 

Note:  Read the setup and configuration of Snort from Snort.org.  While this is a demo, Snort can be configured thousands of ways to detect and alert you in the event you have malicious activity on your network.  Downloading signatures often is extremely important

How to guard your wireless network and see intruders

100% credit goes to Bill Mullins for sharing this information. (BillMullins.wordpress.com).

Softperfect has some of the best freeware for Windows.   With Netscan you can see devices on your network and find information about the  devices.  Now with their software “WiFi  Guard”, you can use a device on your network and find the devices that are attached to it.

While you should take precautions to secure your wireless network, is someone accessing your network without your knowledge?

Installation is fast and easy.  Simply follow the wizard and make sure you run the software at startup.

Scan

Once you install the software, select the adapter and scan your network.  Next double click on known devices and select “I know this device.”  Let the software run and periodically scan your network.   If you find a device connecting to it,   locate the device and remove it from the network or take action to prevent unknown devices from connecting.

I Know

The software is designed to run on Apple, Windows or Linux.

Note: The above pic is from a lab environment and the addresses and macs do not represent real machines or a production environment.

Protecting your network by pen testing it

This post is for educational purposes and any use of these tools against a network without explicit permission could be illegal.   Metasploit is designed to identify weaknesses in networks and hardware/software on a network.  Do NOT use metasploit for other reasons.

Want to protect your network and the computers in your network?  You can get updates for your operating systems (Linux, Mac, iOS, Android, Windows or whatever) along with updates for third party programs yet you can still be unsecure.    When updating these products, you also have to remember firmware and updates for wireless devices, access points, bridges, firewalls, routers, switches, SCADA devices, robots, mobile devices, printers and any device on your network.

Metasploit

http://www.metasploit.com/download/

Metasploit Community is free and allows for a free scan of your network or server. Although limited (Try Pro for details and Brute Force), Metasploit Community is a first step in finding open services and ports on your operating system, hardware devices such as routers and other devices.   The trick to installing Metasploit is to disable your antivirus or make exceptions to what your antivirus finds.   You should truly install the software inside of a VM (Virtual Machine) so that your computer remains protected.

You can use Metasploit to protect your network by ‘seeing’ what a hacker or malicious person would see.  Truly for network professionals and auditors, this software can help you identify services, ports and weaknesses in your network.

There are several versions of Metasploit – Community, Pro, Express and Framework (Compare Editions)

Metasploit     Metasploit Two

Metasploit Scan Complete     metasploit Hosts

Metasploit Services After Scan

The above scan was in a controlled lab.  Malicious scanning of networks may be illegal.  Read  Penetration Basics on Metasploit’s website.

Tutorials (Videos)

Your business and home needs a firewall…why?

So what happens when you install a firewall and make sure all operating systems on your home network are fresh installs?

craziness

 

You’ll probably see hits from foreign and U.S. IP addresses trying to make connections to your computers, phones and other devices on your network.   You’ll also notice common port numbers in the above log.  So what would happen if any of the services and ports were open?  It could result in the loss of data.

What should you do?  Install a hardware SOHO firewall and keep your OS firewall on.  While there are tons of other precautions you also need to take, ultimately this is a form of protection most home users and business users fail to implement.

Credit: Chris Davis

What should you do with an old computer? Create a home router/firewall!

ITX-motherboards can often be found in older computers from garage sales or thrift stores.  What is the practical use for these motherboards or older computers?

Here’s a small project that involves protecting your home.

After finding an ITX motherboard and gathering extra parts from broken laptops and computers, this project will put the software SMOOTHWALL Express onto the computer to make a mini firewall.  Total cost?

  • $22 250watt power supply
  • $5 Gearhead mini keyboard

0306141659a

Base processor
Athlon 64 X2 (B) 5400+ 2.8 GHz (65W)
800 MHz front side bus
Socket AM2

Chipset
GeForce 9100

Motherboard

  • Manufacturer: Pegatron
  • Motherboard Name: APX78-BN
  • HP/Compaq motherboard name: Nutmeg-GL6E

Power supply
250W

Memory
240 Pin DDR2 PC2-6400 MB/sec
4GB
Hard drive
120 GB SATA 6G (6.0 Gb/sec)
7200 rpm

Video Graphics

Integrated on motherboard (NVidia 9100)

Sound/Audio
High Definition 6-channel audio
ALC 888S chipset

Network (LAN)
Integrated 10/100 Base-T networking interface
Added Broadcom wireless to create a wireless router

External I/O ports connections – 6  USB

Expansion slots

PCI Express mini card socket – added Broadcom Wireless
PCI Express x16
PCI Express x1

Additions-

  • 2″ Fan for Chipset

In the video below, HAK5 shows just how to make a motherboard like this into a nice home router/Firewall.

Solving The Security Workforce Shortage – DarkReading

According to the study, the most sought-after quality is a broad knowledge of security — more of a strategic understanding than technical know-how followed by certifications.  Read More

Opinion – While certifications are an important part of IT, the technical know-how is the most important. Getting a degree or a certification is a great advancement for your education but can you configure a firewall? Run Linux-OSX- Windows? Support mobile, wireless, servers with Active Directory and monitor and control an IT environment?   That’s the difference between $12 an hour and a career.

FREE – Security engineering training by SAFECode

FREE – How can you beat it?  Once again, another excellent site has training that is Free.   While we have found Rackspace’s Cloud University,  Free Microsoft Training and virtualization this site adds an additional form of training that can help you supplement your training programs.

“Security engineering training by SAFECode is an online community resource offering free software security training courses delivered via on-demand webcasts.

Covering issues from preventing SQL injection to avoiding cross site request forgery, the courses are designed to be used as building blocks for those looking to create an in-house training program for their product development teams, as well as individuals interested in enhancing their skills. All courses are free and published under a Creative Commons license and open, non-commercial usage of the content is encouraged.

SAFECode will be adding new courses to the site on an ongoing basis. Our goal is to create a diverse catalog of security engineering training courses for all expertise levels as a community resource.”
https://training.safecode.org/

SAFECODE

“While registration is not required to view the courses, registered users of the site will benefit from the ability to:
–Download courses for offline viewing
–Post comments to provide feedback on the courses and ideas for updates.
Your feedback will be used to help keep the material up-to-date and ensure it best meet the needs of the community it aims to serve.
–Receive email updates when new courses and resources are available”

 

CryptoLocker and CryptoLocker 2 are still alive – take steps to protect your computer

CryptoLocker and CryptoLocker2 are still alive.   You can help prevent infections and encryption (losing your data) by downloading Foolish IT’s CryptoPrevent for Home and Commercial use.

Get the prevention software from here.  http://www.foolishit.com/vb6-projects/cryptoprevent/

CryptoPrevent

US businesses suffered 666,000 internal security breaches

Over 666,000 internal security breaches took place in US businesses in the last 12 months, an average of 2,560 per working day, new research has revealed. The findings, revealed by IS Decisions, also found that despite this regular occurrence, only 17.5% of IT managers consider insider threats to be in their top three security priorities.

US businesses suffered 666,000 internal security breaches.

Nessus® – A vulnerability scanner for home or enterprise

What is one of the best vulnerability scanners on the market?  Nessus® by Tenable Network Security.  Nessus® provides an exceptional scanner that creates a server on your computer to scan your network or an individual device on your network.    This software allows you to scan for patch, configuration, compliance details, malware, botnet discovery and more.  (Features)  Nessus® has more than 60,000 plugins to detect vulnerabilities on your network.

Here’s the basics behind the installation and operation of Nessus® -

Note:   The detailed information and power of this program  are not shown in these screenshots.  Nessus® is much more complex than is shown in this brief.  

Nessus®  is a small download that installs a server on your local computer.   The server which is accessed by your webbrowser allows you to scan all hosts on your network.

Installation

Installation of Tenable Nessus® is straightforward and easy.   Nessus® does require a free registration allowing for up to 16 IPs on your network for the basic version.

Getting Started

Once the software is installed, your browser will open requiring you to use a SSL connection and to create a username and password.

Warning

If you have not registered Nessus®, you will be required to do so.  Once you register and enter your key, the software will download plugins needed to check your network and hosts.

plugins            Registered      

Plugin downloads

Once the plugins are downloaded (This will take some time),  the server will initialize.   This can become resource intensive and may take a few minutes.  Be patient.

initializing                      intense

Once the plugins are downloaded, you will be required to sign in.  Once you sign in, you will need to setup a basic policy along with providing authentication settings (for other computers in your network) in order to scan your network.

Signin          Authentication for Scan    

 

 

The policy wizard creates basic policies that can discovery hosts, credential patch, basic scan, web application tests, malware scans or mobile device scans.

Policy and Scans

 

Once a policy is created, you can begin a scan of your network.

 

scanning

 

Vulnerabilities are shown after the scan.   By clicking on an individual node, you can view the details about the node and its vulnerabilities.

 

 

 

scan done detailed 

Nessus® provides detailed reports can exported in different formats.

Report

Nessus

Difference in editions – Link