Security Onion- IDS, NSM, and log management

What if you want an IDS that monitors malicious activity and provides you with logs (Network Security Monitoring) and graphs to help protect your network? And what if you want an easy setup that presents that information in a GUI? Security Onion gives you the de facto IDS, Snort, along with Squert and a ton of other tools to help you. While there are options, Security Onion offers the choice of Snort (http://snort.org/) or Suricata (http://suricata-ids.org/).

The setup below shows a test system in VMware with 2 processors and 2 GB of RAM, if you want to try it out. While the suggested bare minimum is 3 GB, a production environment should have 8 to 128 GB of RAM, a ton of hard drive space for logs and two network cards: one for management and one to sniff.

Security Onion’s ISO can be downloaded from SourceForge. While there are a ton of how-tos on the internet about Security Onion, there is a great deal of information on their blog, located here.

Here’s a simple setup I did at home to try out Security Onion, using VMware Player (non-commercial use). If you plan on trying Security Onion or deploying it in a production environment, you should use the commercial version or have a system that supports the minimum requirements.

[Screenshots: boot menu, Live session and install, drive erase, installing files, time zone, keyboard layout, install finished]

Once you restart, you’ll need to run Setup again to enter an email address for Squert and set up a password. Once this is done, you can open the shortcuts on the desktop or use your host computer to log in. Once this is complete, log in to Snorby’s URL.

While Snort is running, Snorby will present a dashboard. You may be surprised to see no threats once you log in. You can expedite this by running Nmap (or Zenmap) against the virtual machine if you want to see threats.

What is Snorby? “Snorby is a web application interface to view, search and classify Snort and Suricata alerts and generate various types of reports, such as most active IDS signatures, most active sensors, and top source and destination IP addresses.” (more information)

Once you run Nmap, click on More Options in the top right corner and update the cache.


Give Security Onion just a few seconds and refresh the screen. You’ll see the events logged. This visually shows you not only how many threats were ‘seen’ on the network but also categorizes and graphs them.


Clicking on the events will show each event and give you the option to categorize unknown threats or to reclassify threats.

Logging in to Squert allows you to see the threats along with maps and details about each one.


ELSA allows you to query the collected logs and search for information.


What does NMap show when Security Onion is scanned?


Introduction to Security Onion

Security Onion Blog

Cannot reset winsock, isatap yellow exclamation, no wireless or internet

Have a wireless card that doesn’t see the wireless network? Does Device Manager show a yellow exclamation mark on the ISATAP or Teredo Tunneling Pseudo-Interface?

Mickey and I tried everything on someone’s computer and we couldn’t delete the wireless or other networking adapters above that had a problem. The error, it turns out, can come from multiple areas. We found someone on the internet who doesn’t want any credit. So to that ‘person’ we say thanks, and we owe you.

Always backup your computer before performing advanced commands.

Steps

  1. Load the latest driver for the wireless or Ethernet card.
  2. Reboot if necessary.
  3. Go to the properties of the NIC with the problem and uncheck the IPv6 protocol. You can re-check it later, after the repair. Close the properties window.
  4. Go to Device Manager.
  5. Double-click the ISATAP adapter with the yellow exclamation mark, click Update Driver, choose Browse my computer, select Next (the driver will be highlighted) and follow through to the finish.
  6. Right-click and remove the Teredo Tunneling Pseudo-Interface if it is there.
  7. Open a command prompt as an administrator.
  8. Type netsh int ipv4 reset c:\resetlog.txt and hit the Enter key. Do not reboot.
     Did you get an error like the one pictured in the error list below? If so, you must modify your registry (see the error list below). If not, continue to step 9.
  9. Type netsh winsock reset catalog, then reboot.

Error list – Resetting the Winsock and TCP/IP stack

If you type the following and receive an error:

netsh int ipv4 reset
netsh winsock reset catalog

Remove any antivirus solution you have installed. These often prevent the Winsock catalog from being modified. Use the vendor’s removal tools as necessary.

Next, find the following key in the registry editor (type regedit at the Run line):

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nsi\{eb004a00-9b1a-11d4-9123-0050047759bc}\26

You may see more than one “26” key. If so, look for all of the 26 keys under the Nsi key and perform the following action on each.

Right-click on the “26” key, choose “Permissions”, and add a checkmark on “Full control” for the Everyone group.

Close the registry editor.

Now for a full reset, open a command prompt as an administrator and run:
netsh int ip reset

  • ipconfig /flushdns
  • nbtstat -R
  • nbtstat -RR
  • netsh int ipv4 reset
  • netsh winsock reset catalog
This fully rebuilds the TCP/IP protocol stack.

Reboot.

Hopefully you have a connection.   Make sure you reload your antivirus software.
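The registry fix and the reset sequence above as a script. This is an added example, not code from the original post; it first exports each Nsi “26” key and records its current permissions so they can be put back once the network works again, then grants the permission the post describes and runs the reset commands with exit-code checks. It assumes an elevated PowerShell prompt on Windows 7 or 8.x; $backupDir is a hypothetical location you can change.

```powershell
# Added example (not from the original post). Back up the Nsi "26" keys, apply the
# permission fix from the post, then run the full reset sequence.
# Assumption: run from an elevated PowerShell prompt; $backupDir is hypothetical.

$ErrorActionPreference = 'Stop'
$backupDir = 'C:\netreset-backup'
$nsiRoot   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Nsi'

function Test-IsAdministrator {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Backup-NsiKeys {
    # Export every subkey named "26" under Nsi (there can be more than one) and save
    # its current security descriptor (SDDL) so the permissions can be restored later.
    New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
    $keys = Get-ChildItem -Path $nsiRoot -Recurse | Where-Object { $_.PSChildName -eq '26' }
    foreach ($k in $keys) {
        $safeName = $k.Name -replace '[\\{}]', '_'
        & reg.exe export $k.Name "$backupDir\$safeName.reg" /y | Out-Null
        (Get-Acl -Path $k.PSPath).Sddl | Set-Content -Path "$backupDir\$safeName.sddl"
    }
    return $keys
}

function Grant-EveryoneFullControl {
    param([Microsoft.Win32.RegistryKey[]]$Keys)
    # The fix from the post: Full Control for the Everyone group on each "26" key.
    $rule = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule `
        -ArgumentList 'Everyone', 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
    foreach ($k in $Keys) {
        $acl = Get-Acl -Path $k.PSPath
        $acl.AddAccessRule($rule)
        Set-Acl -Path $k.PSPath -AclObject $acl
    }
}

# Put the saved permissions back on a key once the network is working again.
function Restore-NsiKeyAcl {
    param([string]$KeyPSPath, [string]$SddlFile)
    $acl = Get-Acl -Path $KeyPSPath
    $acl.SetSecurityDescriptorSddlForm((Get-Content -Path $SddlFile -Raw).Trim())
    Set-Acl -Path $KeyPSPath -AclObject $acl
}

function Invoke-NetworkStackReset {
    # The full reset sequence from the post; stops at the first command that fails.
    $commands = 'ipconfig /flushdns', 'nbtstat -R', 'nbtstat -RR',
                'netsh int ipv4 reset', 'netsh winsock reset catalog'
    foreach ($c in $commands) {
        Write-Host "==> $c"
        cmd.exe /c $c
        if ($LASTEXITCODE -ne 0) { throw "'$c' failed with exit code $LASTEXITCODE" }
    }
}

if (-not (Test-IsAdministrator)) { throw 'Run this from an elevated PowerShell prompt.' }
$keys = Backup-NsiKeys
Grant-EveryoneFullControl -Keys $keys
Invoke-NetworkStackReset
Write-Host "Reset complete. Reboot, then reinstall your antivirus. Backups are in $backupDir."
```

After the reboot, Restore-NsiKeyAcl can be called with a key’s PSPath and the matching .sddl file from the backup folder, so the Everyone/Full Control entry does not stay on the key permanently.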

 

Microsoft confirms it’s dropping Windows 8.1 support

From InfoWorld:

Microsoft confirms it’s dropping Windows 8.1 support.

Here’s how this works: if you have Windows 8.1, you must update to Windows 8.1 Update (yes, someone named it Windows 8.1 Update). This will ensure you keep getting security updates in the near future.

Keep updating until you see the power symbol and the search icon on your Metro screen! Then keep updating; don’t miss any updates, so you are covered for future updates.

See our troubleshooting information on getting updates if you have problems.


More tips on updating issues

If the installation fails, try the following:

  1. Run CMD as administrator.
  2. Type the following: dism /online /remove-package /packagename:Package_for_KB2919355~31bf3856ad364e35~amd64~~6.3.1.14
  3. After this finishes, type: dism /online /cleanup-image /startcomponentcleanup
  4. Retry the upgrade.

Error 0x80071a91? Try this update: http://support.microsoft.com/kb/2939087/en-us

ReFS – Data Protection – Windows 8.1 and Server 2012

NTFS. You’ve worked with it for years. Microsoft’s NTFS is not being replaced by ReFS. ReFS is available for Windows 8.1 and Server 2012. What if you have extra drives and need the data protection? ReFS may be for you (or Storage Spaces; see the upcoming article).

ReFS is the Resilient File System. It makes disks more reliable and works like this:

  • Uses checksums to detect whether your data has changed
  • Able to detect and recover from corruption
  • When corruption is detected, the data is written to a new part of the disk
  • Recovers without taking the disk offline
  • Integrity data streams can also be enabled
  • File system metadata is protected
  • No chkdsk
  • Handles 1 yottabyte (1 quadrillion GB)

While the boot volume should still be NTFS, this file system is ideal for servers and workstations that need extra data protection. The other drives can ideally be made ReFS.
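The two things the list above describes that you actually do by hand are formatting a spare data volume as ReFS and turning on integrity streams. The script below is an added example, not code from the original article or from Microsoft. It assumes the Windows Storage cmdlets (Format-Volume, Get-Volume, Set-FileIntegrity, Get-FileIntegrity), an edition that allows direct ReFS formatting such as Server 2012, and that the spare disk is D:; if your edition only exposes ReFS through Storage Spaces, create the volume there first and use only the second function.

```powershell
# Added example (not from the original article). Format a spare data drive as ReFS,
# then enable and report per-file integrity streams on a folder.
# Assumptions: Storage module cmdlets available; D: is the spare disk; never the boot volume.

function Format-DataVolumeAsReFS {
    param([Parameter(Mandatory)][string]$DriveLetter, [string]$Label = 'Data')
    $systemDrive = $env:SystemDrive.TrimEnd(':')
    if ($DriveLetter -ieq $systemDrive) {
        throw "Refusing to format $DriveLetter`: it is the boot volume, which must stay NTFS."
    }
    # Format-Volume erases everything on the volume; the confirmation is suppressed on purpose
    Format-Volume -DriveLetter $DriveLetter -FileSystem ReFS -NewFileSystemLabel $Label -Confirm:$false
    Get-Volume -DriveLetter $DriveLetter | Select-Object DriveLetter, FileSystem, FileSystemLabel, Size
}

function Enable-IntegrityStreams {
    param([Parameter(Mandatory)][string]$Path)
    # Integrity streams only exist on ReFS, so check the volume before touching files
    $root = [IO.Path]::GetPathRoot($Path)
    $vol  = Get-Volume -DriveLetter $root.Substring(0, 1)
    if ($vol.FileSystem -ne 'ReFS') {
        throw "$root is $($vol.FileSystem); integrity streams need a ReFS volume."
    }
    # The folder setting is inherited by files created later; existing files are set explicitly
    Set-FileIntegrity -FileName $Path -Enable $true
    Get-ChildItem -Path $Path -File -Recurse | ForEach-Object {
        Set-FileIntegrity -FileName $_.FullName -Enable $true
    }
    # Report Enabled/Enforced per file so you can see the checksumming is really on
    Get-ChildItem -Path $Path -File -Recurse | ForEach-Object {
        Get-FileIntegrity -FileName $_.FullName
    }
}

# Usage (hypothetical drive and folder):
# Format-DataVolumeAsReFS -DriveLetter 'D' -Label 'Backups'
# Enable-IntegrityStreams -Path 'D:\Backups'
```

With integrity streams enabled, a file whose checksum no longer matches is reported as corrupt on read instead of being silently returned; on a mirrored Storage Space ReFS can then repair it from the good copy.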

More information from Microsoft

Windows Storage Spaces and ReFS – Is it time to ditch RAID for good? via Betanews

The dangers of using outdated software

Outdated software contains security flaws which cybercriminals can use as avenues to infiltrate the corporate network.

The dangers of using outdated software.

Microsoft Surface Pro – ready for manufacturing, business and industry

The Microsoft Surface Pro has proven to be versatile in the workplace. Mr. Arnold, our Industrial Maintenance instructor, uses the Microsoft Surface Pro to connect to nearly a hundred PLCs, motors, robots and other industrial components.

So why is this tablet perfect for business and industries?

[Photos of the Surface Pro in use, showing:]

  • An external DVD drive attached through the USB port.
  • USB EasyLINK to transfer files from one computer to another; the EasyLINK software loads from the USB device itself.
  • A USB floppy disk drive, which many industrial components still require.
  • One or two USB hubs to expand the available USB ports.
  • A wireless spectrum analyzer, or multiple wireless cards (four Wi-Fi NICs pictured), so IT personnel can do site surveys and other wireless work.
  • Multitasking and joining a domain.
  • An external drive, a card reader or multiple USB drives connected at the same time.

Use all of your Windows-based software… now why was the Surface a bad idea? It’s not.

Installing Linux Lite – A mini review

Home users who ONLY check email and use very few other programs may consider replacing their OS. Linux has made exceptional gains over the past several years with an Add/Remove Programs component and with hardware drivers.

To see how Linux Lite stacks up against other OSs, I decided to load it in Oracle’s VirtualBox. The download, a little over 600 MB, is comparable in size to Windows XP. The ISO can be burned with an image burner to make a bootable CD/DVD. Before you decide to switch, remember there are limitations on running Windows software, even with Wine. Wine is a software application that allows you to run Windows programs. Hunting around the internet you’ll find hundreds of Linux programs comparable to Windows programs; you don’t have to look far, considering the Linux repository has hundreds of programs.

After loading Oracle’s VirtualBox, simply walk through the New OS wizard, select Linux, and allocate 2 GB of RAM and 8 GB of disk space if you can. Once you have completed this step, click Settings, select Bridged on the network card and load the ISO under Storage.

Once you complete that step, start the OS and follow the on screen prompts.

The installation screens, in order:

  1. Initial load screen.
  2. Loading the OS into RAM.
  3. Load time of around two minutes before the initial screen appears.
  4. Select your language.
  5. A check to ensure that hardware and internet connectivity are OK.
  6. Erase the hard drive.
  7. Set your location for the time zone.
  8. Select the keyboard layout.
  9. Set up an initial user and password.
  10. Copying files.
  11. After the installation, restart your computer (the VirtualBox VM).
  12. Booting up from the hard disk drive.
  13. Login and options.

The initial desktop is clean.  Don’t let this fool you.  The amount of programs and options for an internet user is excellent.


Checking for updates is easy.  Simply click on the menu and select update.  Provide your login password and Linux Lite does the rest.

Printer setup

If you have a printer that supports the IPP protocol, log in to the printer’s web address and enable IPP. The printer in our home is the Samsung SCX-3400 wireless, an inexpensive laser printer that provides thousands of pages per Samsung toner cartridge. The printer provides hundreds of options for Windows, Apple, Linux or mobile devices.


What programs come with Linux Lite? Hundreds of items. Here are the main categories:

  • Office
  • Games (such as Steam and others)
  • Graphics (GIMP and more)
  • Accessories
  • Internet (email and browsers)
  • Multimedia
  • System (dozens of tools)
  • Settings

If you ONLY use the internet and want to look into an alternative operating system, Linux Lite may be for you. It is easy to use and install, and offers hundreds of programs.

ASUS RT-AC66U Dual Band 3x3 802.11ac Router

The Asus RT-AC66U router continues to lead the pack with firmware updates that bring enhanced features and security improvements. Last night Jay messaged me with details on one of their features that provides a dual WAN option with fail-over. Here are a couple of screenshots that show the dual WAN features.


http://www.asus.com/us/Networking/RTAC66U/        (Information)

http://www.asus.com/Networking/RTAC66U/specifications/  (Specifications)

Asus’s latest firmware, 3.0.0.4.374_4561, is just one of many firmware updates that prove this router is valuable to homes and businesses.

Credit: Jay Matlock

[Screenshots: ASUS network map, bandwidth and traffic monitor, WAN setup, WAN one and WAN two (wired)]

AlphiMAX PTP Estimator provides an excellent way to align your wireless antennas

Need an excellent program to estimate your wireless bridges from building to building?  AlphiMAX provides an excellent online program to estimate your wireless links.

Sign-up is easy and fast. The PTP Estimator requires the latitude and longitude of both buildings. You can get an estimated latitude and longitude from Google Maps: find your location (you should really use a GPS), right-click on the spot you want and select “What’s here?”. This will provide the numbers you need. Remember, it is best to use a GPS at each site where you intend to erect an antenna.


You can also search for a location by name by clicking the icon in the center of the online application.

Once you have the Lat. and Long., enter the numbers at the top of the online application.  Click Estimate.


The interface will show you the terrain, antenna height, compass information, Fresnel zone clearance and approximate altitude, along with information on the products they provide.


The estimator also offers a 3D view of your project if you have an active subscription.

AlphiMAX Company Overview
AlphiMAX provides products to help you with your wireless needs.

Defending your network with Snort for Windows

When you hear about Snort, the de facto intrusion detection system, you think of Linux. Snort also offers a Windows setup, and its signatures can be used with any operating system.

Snort should run on a dedicated computer on your network. Review this computer’s logs often to see malicious activity on your network.

Steps to install Snort on Windows:
1. Download Snort from the Snort.org website (http://www.snort.org/snort-downloads).
2. Download the rules from the same site. You must register to get the rules. (You should download these often.)
3. Double-click the .exe to install Snort. This will install Snort in the “C:\Snort” folder. WinPcap must be installed for Snort to capture packets.
4. Extract the rules file. You will need WinRAR for the .gz file.
5. Copy all files from the “rules” folder of the extracted archive and paste them into the “C:\Snort\rules” folder.
6. Copy the “snort.conf” file from the “etc” folder of the extracted archive and paste it into the “C:\Snort\etc” folder, overwriting any existing file. Remember: if you have modified your snort.conf and later download a new rules package, you must apply your modifications to the new snort.conf again for Snort to work.
7. Open a command prompt (cmd.exe) and navigate to the “C:\Snort\bin” folder (at the prompt, type cd \snort\bin).
8. To start (execute) Snort in sniffer mode, use the following command:
snort -dev -i 3
-i indicates the interface number. You must pick the correct interface number; in my case it is 3.
-dev runs Snort in sniffer mode, printing packet headers (-e) and payloads (-d) verbosely (-v) for the traffic on your network.

To check the interface list, use the following command:
snort -W

[Screenshot: finding an interface with snort -W]

You can tell which interface to use by looking at the Index number next to the adapter description; in the screenshot it is the Microsoft entry, and the other interfaces belong to VMware. My interface is 3.

9. To run Snort in IDS mode, you will need to configure the file “snort.conf” according to your network environment.
10. To specify the network address that you want to protect, look for the following line in snort.conf (you will normally see any here):
var HOME_NET 192.168.1.0/24
11. You may also want to set the addresses of DNS_SERVERS, if you have some on your network.
12. Change the RULE_PATH variable to the path of the rules folder:
var RULE_PATH c:\snort\rules
13. Change the path of every library file to the name and path on your system. In particular, you must change the snort_dynamicpreprocessor path to:
C:\Snort\lib\snort_dynamicpreprocessor
Do this for all library files in the “C:\Snort\lib” folder. The old path will be something like “/usr/local/lib/…”; replace it with your system path under C:\Snort\lib.
14. Change the path of the “dynamicengine” variable value in the “snort.conf” file. Example:
dynamicengine C:\Snort\lib\snort_dynamicengine\sf_engine.dll


15. Add the paths for the “include classification.config” and “include reference.config” lines:
include c:\snort\etc\classification.config
include c:\snort\etc\reference.config
16. Remove the comment (#) from the line that includes the ICMP rules, if it is commented out:
include $RULE_PATH/icmp.rules
17. You can also remove the comment from the ICMP-info rules line, if it is commented out:
include $RULE_PATH/icmp-info.rules
18. To have Snort write the alerts it generates to a log file, search for the “output log” section in snort.conf and add the following line:
output alert_fast: snort-alerts.ids
19. Comment out (add a #) the whitelist $WHITE_LIST_PATH/white_list.rules and blacklist lines of the reputation preprocessor, and change the line above them from nested_ip inner , \ to nested_ip inner #, \ so the directive ends there.
20. Comment out (#) the following lines:
#preprocessor normalize_ip4
#preprocessor normalize_tcp: ips ecn stream
#preprocessor normalize_icmp4
#preprocessor normalize_ip6
#preprocessor normalize_icmp6

21. Save the “snort.conf” file.
22. To start Snort in IDS mode, run the following command:

snort -c c:\snort\etc\snort.conf -l c:\snort\log -i 3
(Note: 3 is the number of my interface card.)

If a log is created, open it with a text editor; WordPad or Notepad++ will read the file.

To generate log files in ASCII mode, use the following command while running Snort in IDS mode:
snort -A console -i3 -c c:\Snort\etc\snort.conf -l c:\Snort\log -K ascii
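Most failures at step 22 come from a path in snort.conf that still points at the Linux layout. The script below is an added example, not code from the original post or from the Snort project: it reads a Windows snort.conf, expands $RULE_PATH-style variables, and reports every dynamicpreprocessor, dynamicengine and include path that does not exist, plus any leftover /usr/local/lib path and an unset HOME_NET. It assumes the C:\Snort layout used in the steps above.

```powershell
# Added example (not from the original post or Snort). Check the paths in snort.conf
# before starting Snort in IDS mode. Assumption: the C:\Snort layout from the steps above.

function Test-SnortConfPaths {
    param([string]$ConfPath = 'C:\Snort\etc\snort.conf')
    $problems = @()
    $vars = @{}   # var/ipvar/portvar definitions seen so far, e.g. RULE_PATH
    foreach ($raw in (Get-Content -Path $ConfPath)) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith('#')) { continue }

        # Remember variable definitions so $RULE_PATH and friends can be expanded below
        if ($line -match '^(?:var|ipvar|portvar)\s+(\S+)\s+(.+)$') {
            $vars[$Matches[1]] = $Matches[2].Trim()
            continue
        }
        # A Linux library path means step 13 was not finished
        if ($line -match '/usr/local/lib') {
            $problems += "Unix path still present (step 13): $line"
            continue
        }
        # Directives whose argument must exist on disk
        $target = $null
        if ($line -match '^(?:dynamicpreprocessor|dynamicdetection)\s+directory\s+(.+)$') { $target = $Matches[1] }
        elseif ($line -match '^dynamicengine\s+(.+)$') { $target = $Matches[1] }
        elseif ($line -match '^include\s+(.+)$')       { $target = $Matches[1] }
        if (-not $target) { continue }

        foreach ($name in $vars.Keys) { $target = $target.Replace('$' + $name, $vars[$name]) }
        $target = $target.Trim().Replace('/', '\')
        if (-not (Test-Path -LiteralPath $target)) {
            $problems += "Missing: $target (from '$line')"
        }
    }
    # Step 10: HOME_NET should name the network being protected, not "any"
    if (-not $vars.ContainsKey('HOME_NET') -or $vars['HOME_NET'] -eq 'any') {
        $problems += 'HOME_NET is unset or "any"; set it to the network you protect (step 10)'
    }
    return ,$problems
}

$issues = Test-SnortConfPaths
if ($issues.Count -eq 0) {
    Write-Host 'snort.conf paths resolve. Next: snort -T -c C:\Snort\etc\snort.conf'
} else {
    $issues | ForEach-Object { Write-Warning $_ }
}
```

Once the script reports nothing, Snort’s own configuration test (snort -T -c C:\Snort\etc\snort.conf) will catch syntax problems the path check cannot, such as the trailing comma from step 19.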

23. Scan the computer that is running Snort from another computer using PING or Nmap (Zenmap).

After the scan, or while it is running, check the snort-alerts.ids file in the log folder to ensure Snort is logging properly. You will also see folders named after IP addresses appear in the log folder.
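Reading snort-alerts.ids by hand in WordPad gets old quickly. The script below is an added example, not code from the original post or from Snort: it parses the alert_fast line format that step 18 configured and summarizes alerts by signature and by source address, which is the quickest way to confirm the scan from step 23 was seen. The sample lines are constructed for this example (made-up sids and private addresses), and the real file path is an assumption from the steps above.

```powershell
# Added example (not from the original post or Snort). Summarize an alert_fast file.
# The sample alerts below are constructed for this example; sids 9000001-9000003 are fake.

$sampleAlerts = @'
03/02-21:14:05.112233  [**] [1:9000001:1] EXAMPLE SCAN Nmap ping probe [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.168.1.50 -> 192.168.1.10
03/02-21:14:05.334455  [**] [1:9000002:1] EXAMPLE SCAN TCP probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.50:43210 -> 192.168.1.10:445
03/02-21:14:06.556677  [**] [1:9000002:1] EXAMPLE SCAN TCP probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.50:43211 -> 192.168.1.10:80
03/02-21:15:40.000001  [**] [1:9000003:1] EXAMPLE ICMP Echo Reply [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.10 -> 192.168.1.20
'@

# alert_fast layout: "MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: x] [Priority: n] {PROTO} src[:port] -> dst[:port]"
$alertPattern = '^(?<ts>\S+)\s+\[\*\*\]\s+\[(?<gid>\d+):(?<sid>\d+):(?<rev>\d+)\]\s+(?<msg>.*?)\s+\[\*\*\]' +
                '(?:\s+\[Classification:\s+(?<class>[^\]]+)\])?\s+\[Priority:\s+(?<prio>\d+)\]\s+' +
                '\{(?<proto>\w+)\}\s+(?<src>[\d.]+)(?::(?<sport>\d+))?\s+->\s+(?<dst>[\d.]+)(?::(?<dport>\d+))?\s*$'

function ConvertFrom-SnortFastAlert {
    # One alert_fast line in, one object out; lines that do not match are dropped
    param([Parameter(ValueFromPipeline)][string]$Line)
    process {
        if ($Line -match $alertPattern) {
            [pscustomobject]@{
                Time           = $Matches['ts']
                Sid            = [int]$Matches['sid']
                Message        = $Matches['msg']
                Classification = $Matches['class']
                Priority       = [int]$Matches['prio']
                Protocol       = $Matches['proto']
                Source         = $Matches['src']
                Destination    = $Matches['dst']
                DestPort       = $Matches['dport']
            }
        }
    }
}

function Get-SnortAlertSummary {
    param([Parameter(Mandatory)][string[]]$Lines)
    $alerts = $Lines | ConvertFrom-SnortFastAlert
    [pscustomobject]@{
        Total        = @($alerts).Count
        BySignature  = $alerts | Group-Object Message | Sort-Object Count -Descending | Select-Object Count, Name
        BySource     = $alerts | Group-Object Source  | Sort-Object Count -Descending | Select-Object Count, Name
        HighPriority = $alerts | Where-Object { $_.Priority -le 2 }   # priority 1 and 2 alerts
    }
}

# Run against the constructed sample; for a real file use:
#   Get-SnortAlertSummary -Lines (Get-Content C:\Snort\log\snort-alerts.ids)
$summary = Get-SnortAlertSummary -Lines ($sampleAlerts -split "`r?`n")
"Total alerts: $($summary.Total)"
$summary.BySignature | Format-Table -AutoSize
$summary.BySource    | Format-Table -AutoSize
```

Grouping by source is what makes a scan stand out: the scanning host accounts for nearly every alert, while the one reply from the Snort box itself groups separately and can be recognized as noise.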

[Screenshots: Snort monitoring traffic; Snort’s detailed report when the scan has stopped; the log files]

Note: Read the setup and configuration documentation for Snort on Snort.org. While this is a demo, Snort can be configured in thousands of ways to detect and alert you in the event of malicious activity on your network. Downloading signatures often is extremely important.

Cannot update Windows 7 with Service Pack

Windows 7 SP1 is a critical update that should be applied when reinstalling or updating Windows. You may run into errors when applying this service pack: during the update, the installation may stall or revert changes. What should you do?

Be patient – the installation failure or the reverting of changes may take an hour or more.

  • Boot into Safe Mode with Networking (reboot, hit F8 several times and select Safe Mode with Networking).
    • Be patient; this can take an hour or more while changes are being reverted.
    • Once in Safe Mode with Networking, disable all antivirus software. Look for other antivirus programs that may have been installed at an earlier date and remove them (you may have to use removal tools from the vendor). Also look for old installations of other antivirus or anti-malware tools under C:\Program Files. Remove these with Programs and Features (Add/Remove Programs) if possible.
  • Rename the SoftwareDistribution folder, C:\Windows\SoftwareDistribution, to C:\Windows\SoftwareDistributionold.
  • Delete any files under C:\Windows\Temp and C:\Temp.
  • Download Tweaking from here.
    • Select all repairs and reboot (this may take 20 minutes to 1 hour).
  • Download the System Update Readiness Tool from here.
    • Run this tool.
  • Download Windows 7 SP1 (full download) from here.
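The rename and temp clean-up from the list above as a script. This is an added example, not code from the original post; it stops the Windows Update and BITS services first, because the SoftwareDistribution rename fails while they hold the folder open, and it skips temp files that are in use instead of aborting. It assumes an elevated PowerShell prompt on Windows 7 and the folder names used in the list.

```powershell
# Added example (not from the original post). Rename SoftwareDistribution and clear the
# temp folders, as the list above describes. Assumption: elevated prompt on Windows 7.

$ErrorActionPreference = 'Stop'
$services = 'wuauserv', 'bits'   # Windows Update and Background Intelligent Transfer Service

function Reset-WindowsUpdateCache {
    # The rename fails while Windows Update holds the folder open, so stop the services first
    foreach ($s in $services) { Stop-Service -Name $s -Force }
    $sd = Join-Path $env:WINDIR 'SoftwareDistribution'
    if (Test-Path $sd) {
        $newName = 'SoftwareDistributionold'
        if (Test-Path (Join-Path $env:WINDIR $newName)) {
            # An earlier attempt already left an "old" copy; keep it and use a dated name instead
            $newName += '-' + (Get-Date -Format 'yyyyMMdd-HHmmss')
        }
        Rename-Item -Path $sd -NewName $newName
        Write-Host "Renamed SoftwareDistribution to $newName"
    }
    # Windows Update recreates an empty SoftwareDistribution folder when it starts again
    foreach ($s in $services) { Start-Service -Name $s }
}

function Clear-TempFolders {
    param([string[]]$Folders = @((Join-Path $env:WINDIR 'Temp'), 'C:\Temp'))
    foreach ($f in $Folders) {
        if (-not (Test-Path $f)) { continue }
        foreach ($item in (Get-ChildItem -Path $f -Force)) {
            # Files held open by a running program cannot be deleted; report them and move on
            try { Remove-Item -LiteralPath $item.FullName -Recurse -Force -ErrorAction Stop }
            catch { Write-Warning "Could not delete (probably in use): $($item.FullName)" }
        }
    }
}

Reset-WindowsUpdateCache
Clear-TempFolders
```

Run it after the antivirus removal in the list and before the Tweaking and System Update Readiness steps; the renamed folder can be deleted once SP1 has installed.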

Why Tweaking All-in-one? It can:

  • Reset Registry Permissions
  • Reset File Permissions
  • Register System Files
  • Repair WMI
  • Repair Windows Firewall
  • Repair Internet Explorer
  • Repair MDAC & MS Jet
  • Repair Hosts File
  • Remove Policies Set By Infections
  • Repair Icons
  • Repair Winsock & DNS Cache
  • Remove Temp Files
  • Repair Proxy Settings
  • Unhide Non System Files
  • Repair Windows Updates
  • Repair CD/DVD Missing/Not Working
  • and more…


How to guard your wireless network and see intruders

100% credit goes to Bill Mullins for sharing this information. (BillMullins.wordpress.com).

SoftPerfect has some of the best freeware for Windows. With NetScan you can see the devices on your network and find information about them. Now, with their “WiFi Guard” software, you can run it on a device on your network and find every device that is attached to that network.

While you should take precautions to secure your wireless network, is someone accessing your network without your knowledge?

Installation is fast and easy.  Simply follow the wizard and make sure you run the software at startup.


Once you install the software, select the adapter and scan your network. Next, double-click on known devices and select “I know this device.” Let the software run and periodically scan your network. If you find an unknown device connecting, locate the device and remove it from the network, or take action to prevent unknown devices from connecting.


The software is designed to run on Apple, Windows or Linux.

Note: The screenshots are from a lab environment; the addresses and MACs do not represent real machines or a production environment.
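The “I know this device” workflow, reduced to its essence, is comparing the hardware addresses currently seen on the network with a list you have approved. The script below is an added example, not code from the original post or from SoftPerfect: it normalizes MAC addresses, compares the live ARP/neighbor table from Get-NetNeighbor (Windows 8 and later) against a known-device list, and reports anything not on it. The known-device list and the sample neighbor entries are constructed for the example.

```powershell
# Added example (not from the original post or WiFi Guard). Report devices in the
# neighbor table whose MAC is not on the approved list. Sample data is constructed.

# Known devices: MAC -> friendly name (constructed values, not real hardware)
$knownDevices = @{
    'AA-BB-CC-00-00-01' = 'Living room router'
    'AA-BB-CC-00-00-02' = 'Laptop'
    'AA-BB-CC-00-00-03' = 'Printer'
}

function ConvertTo-MacKey {
    # Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff and return AA-BB-CC-DD-EE-FF
    param([string]$Mac)
    $hex = ($Mac -replace '[^0-9A-Fa-f]', '').ToUpper()
    if ($hex.Length -ne 12) { return $null }
    return ($hex -replace '(.{2})(?!$)', '$1-')
}

function Find-UnknownDevices {
    param(
        [Parameter(Mandatory)][hashtable]$Known,
        [Parameter(Mandatory)][object[]]$Neighbors   # objects with IPAddress, LinkLayerAddress, State
    )
    $unknown = @()
    foreach ($n in $Neighbors) {
        $mac = ConvertTo-MacKey $n.LinkLayerAddress
        # Skip broadcast, IPv4 multicast (01-00-5E...) and incomplete entries: no real host behind them
        if (-not $mac -or $mac -eq 'FF-FF-FF-FF-FF-FF' -or $mac.StartsWith('01-00-5E')) { continue }
        if (-not $Known.ContainsKey($mac)) {
            $unknown += [pscustomobject]@{ IPAddress = $n.IPAddress; MAC = $mac; State = $n.State }
        }
    }
    return ,$unknown
}

function Get-LiveNeighbors {
    # The live ARP/neighbor table; Reachable and Stale entries are hosts seen recently
    Get-NetNeighbor -AddressFamily IPv4 -State Reachable, Stale |
        Select-Object IPAddress, LinkLayerAddress, State
}

# Constructed sample (not real machines) shaped like Get-NetNeighbor output
$sampleNeighbors = @(
    [pscustomobject]@{ IPAddress = '192.168.1.1';   LinkLayerAddress = 'aa-bb-cc-00-00-01'; State = 'Reachable' },
    [pscustomobject]@{ IPAddress = '192.168.1.20';  LinkLayerAddress = 'AA-BB-CC-00-00-02'; State = 'Stale' },
    [pscustomobject]@{ IPAddress = '192.168.1.77';  LinkLayerAddress = 'de-ad-be-ef-00-42'; State = 'Reachable' },
    [pscustomobject]@{ IPAddress = '192.168.1.255'; LinkLayerAddress = 'ff-ff-ff-ff-ff-ff'; State = 'Permanent' }
)
Find-UnknownDevices -Known $knownDevices -Neighbors $sampleNeighbors | Format-Table -AutoSize

# For the real network, replace the sample with the live table:
#   Find-UnknownDevices -Known $knownDevices -Neighbors (Get-LiveNeighbors)
```

Only the entry whose MAC is absent from the approved list is reported; the broadcast entry is filtered out before the comparison. Like WiFi Guard, this only sees hosts that have exchanged traffic with the scanning machine recently, so it is worth scheduling rather than running once.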