August 2006 Archives

Going to RCFG this week


Will be in training all week at the Regional Computer Forensics Group at GMU - should be interesting. Here is some information about the RCFG:

"The Regional Computer Forensic Group (RCFG) symposium is sponsored by RCFG, Inc. The RCFG is a non-profit Virginia corporation supporting the Law Enforcement and computer forensic community training needs. Membership is free and is comprised of local, federal, state employees and contractors sponsored by the government in support of law enforcement and combating cyber crime."

Author: JD Durick

Problem

This recipe demonstrates how to configure Snort Acid on Solaris 9 using Nemesis as our test Acid console and washint1.XXXXX.org as our test remote sensor. Additionally, this recipe will show you how to configure snort so that alerts will be remotely logged to our mysql database on nemesis.XXXXX.org.


Requirements

1. Solaris 8 should be installed on nemesis.XXXXX.org.
2. Solaris 9 should be installed on washint1.XXXXX.org.
3. Compilation and configuration of the following packages/binaries is required:
a. snort 2.3.0
b. mysql 4.0.23 is necessary for nemesis and mysql client libraries are needed for all remote sensors. Mysql will (by default) be installed in the /usr/local/mysql directory.
c. libpcap is needed for snort to sniff the network.
d. libnet
e. apache 1.3.
f. openssl 0.9.
g. mod_ssl
h. php
i. jpgraph
j. adodb
k. acid
l. pcre


Solution

Install and configure Snort/ACID as follows:

1. Become root:

# su - root

Set your shell/path and environment variables correctly:

# bash
# export LD_LIBRARY_PATH=/usr/local/lib:/usr/local/mysql/lib/mysql

2. Install mysql-4.0.23 on nemesis (version 4).

# gunzip -d mysql-4.0.23-sol8-sparc-local.gz
# pkgadd -d mysql-4.0.23-sol8-sparc-local

If you want the more recent mysql downloads, use a source distribution and compile it:
http://www.mysql.com/downloads

Compilation instructions can be found at:
http://www.mysql.com/doc/en/Solaris.html

3. Configuration of Mysql-4.0.23

# mysql -u root -p

Password for root local access:

mysql> set password for 'root'@'localhost'=password('your_password');

Delete unnecessary database:

mysql> drop database test;

Delete the anonymous access:

mysql> connect mysql
mysql> delete from user where user="";
mysql> delete from db where user="";
mysql> exit

Make soft link to mysql binary

# ln -s /usr/local/mysql/bin/mysql /usr/bin/mysql

4. Installation of snort-2.3.0

Install snort with:

# gunzip -c snort-2.3.0.tar.gz| tar xvf -
# cd snort-2.3.0
# ./configure --with-mysql=/usr/local/mysql --host=sparc-sun-solaris2.9
# make && make install

If you don't have pcre installed, you may have to install that source before you install snort-2.3.0. After you install pcre, make sure your LD_LIBRARY_PATH is set correctly. Additionally, only the mysql client libraries are needed for installation of snort-2.3.0 to work with mysql. The mysql client libraries have to be installed on the remote snort sensor prior to compiling and installing snort 2.3.0.

To make the sensor log to the remote database, set the following output line in snort.conf:

output database: log, mysql, user=snort dbname=snort host=128.29.210.16
128.29.210.16 is the address of nemesis.XXXXX.org; use the address of whatever database host you log to.

5. Create database for snort

# mysql -u root -p
mysql> create database snort;

Install the tables using create_mysql and snortdb-extra.gz. To do this you must copy those files from your remote sensor, which in our case was washint1.XXXXX.org over to nemesis.XXXXX.org. Put these files into the /tmp directory. Then perform the following:

mysql> use snort;
mysql> source /tmp/create_mysql
mysql> \! gunzip /tmp/snortdb-extra.gz
mysql> source /tmp/snortdb-extra

(\! runs a shell command from inside the mysql client; you can equally gunzip the file from a shell before starting mysql.)

This will create the necessary tables and data for the snort database within mysql. One interesting problem I found, snortdb-extra.gz does not come with some snort-2.3.0 builds. To get around this, you might have to go down one level to snort-2.2.0, then get the snortdb-extra.gz file from there.

Create the snort database user and set its password. The localhost entry is for the ACID console on this machine; the '%' entry is for the remote sensor and lets it connect from any host, so replace '%' with the sensor's address (here washint1.XXXXX.org) where you can. Grant each side only what it needs:

mysql> grant select, insert, update, delete, create, alter on snort.* to 'snort'@'localhost' identified by 'your_password';
mysql> grant select, insert, update on snort.* to 'snort'@'%' identified by 'your_password';
mysql> flush privileges;


6. Test whether or not the tables were created.

# mysql -u root -p
mysql> connect snort
mysql> show tables;

+------------------+
| Tables_in_snort |
+------------------+
| acid_ag |
| acid_ag_alert |
| acid_event |
| acid_ip_cache |
| data |
| detail |
| encoding |
| event |
| flags |
| icmphdr |
| iphdr |
| opt |
| protocols |
| reference |
| reference_system |
| schema |
| sensor |
| services |
| sig_class |
| sig_reference |
| signature |
| tcphdr |
| udphdr |
+------------------+
23 rows in set (0.02 sec)

mysql> exit
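A quick check of that listing, added here as an example (not part of the original recipe): it parses "show tables" output and reports which expected tables are missing, in particular the three that only snortdb-extra loads. The expected names are the ones listed above; the sample output is constructed.

```shell
#!/bin/sh
# Tables expected from create_mysql plus ACID's acid_* tables, per the listing above.
SCHEMA_TABLES="acid_ag acid_ag_alert acid_event acid_ip_cache data detail encoding event
icmphdr iphdr opt reference reference_system schema sensor sig_class sig_reference
signature tcphdr udphdr"
# Reference data that only snortdb-extra loads.
EXTRA_TABLES="flags protocols services"

# Constructed sample: render a list of names in the box layout the mysql client prints,
# so the parser can be exercised without a database.
render_show_tables() {
    echo '+------------------+'
    echo '| Tables_in_snort  |'
    echo '+------------------+'
    for t in "$@"; do printf '| %-16s |\n' "$t"; done
    echo '+------------------+'
    echo "$# rows in set (0.00 sec)"
}

# Read "show tables" output on stdin and print the bare table names, one per line,
# dropping the borders, the Tables_in_* header and the "rows in set" footer.
parse_show_tables() {
    sed -n 's/^| *\([A-Za-z_][A-Za-z0-9_]*\) *|$/\1/p' | grep -v '^Tables_in_'
}

# Read "show tables" output on stdin and print the expected tables that are absent,
# space-separated (empty output means the schema is complete).
missing_tables() {
    have=$(parse_show_tables)
    missing=
    for t in $SCHEMA_TABLES $EXTRA_TABLES; do
        echo "$have" | grep -qx "$t" || missing="$missing $t"
    done
    echo "${missing# }"
}

# Against a live server (assumption: the root credentials from the recipe), -t keeps
# the box layout the parser expects:
#   mysql -t -u root -p snort -e 'show tables' | missing_tables
```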

7. Installation of Apache & mod_ssl

Get a copy of openssl, mod_ssl, and apache from the following locations:

http://www.openssl.org/source/openssl-0.9.7e.tar.gz
http://www.modssl.org/source/mod_ssl-2.8.22-1.3.33.tar.gz
http://www.apache.org/dist/httpd/apache_1.3.33.tar.gz

bash-2.05# gunzip -c openssl-0.9.7e.tar.gz | tar xvf -
bash-2.05# gunzip -c mod_ssl-2.8.22-1.3.33.tar.gz | tar xvf -
bash-2.05# gunzip -c apache_1.3.33.tar.gz | tar xvf -
bash-2.05# cd openssl-0.9.7e
bash-2.05# sh config -fPIC
bash-2.05# make
bash-2.05# make test (optional)
bash-2.05# make install (optional)

bash-2.05# cd ../mod_ssl-2.8.22-1.3.33
bash-2.05# ./configure --with-apache=../apache_1.3.33 --with-ssl=../openssl-0.9.7e --prefix=/usr/local/apache --enable-shared=ssl
bash-2.05# cd ../apache_1.3.33
bash-2.05# make
bash-2.05# make certificate TYPE=custom
bash-2.05# make install

Configure the httpd.conf file; I am assuming you know how to configure this file.
I will use the path "/web" for the DocumentRoot in Apache for the rest of installation.

Test your configuration:

bash-2.05# ln -s /usr/local/apache/bin/apachectl /usr/local/bin/apache
bash-2.05# apache start

http://your_acid_computer/

bash-2.05# apache stop
bash-2.05# apache startssl

https://your_acid_computer/

8. PHP & Apache/mod_ssl configuration

Download php from http://www.php.net/:
bash-2.05# wget http://us2.php.net/get/php-4.3.10.tar.gz/from/this/mirror
bash-2.05# gunzip -c php-4.3.10.tar.gz | tar xvf -
bash-2.05# cd php-4.3.10
bash-2.05# CFLAGS='-DEAPI' ./configure --with-apxs=/usr/local/apache/bin/apxs --with-mysql=/usr/local/mysql --with-zlib=/usr/local --with-gd
bash-2.05# make
bash-2.05# make install

Verify that all these lines have been added to "httpd.conf" in "/usr/local/apache/conf":

LoadModule php4_module libexec/libphp4.so
AddModule mod_php4.c
AddType application/x-httpd-php .php
You can add "index.php" in the DirectoryIndex property too.

Restart apache:
bash-2.05# apache stop
bash-2.05# apache startssl

Test your php configuration

Create a file "test.php" containing a short PHP script that prints the current date, and place it in your DocumentRoot, here "/web".
Open your browser and see the result:
https://your_acid_computer/test.php
If you see the date, it's OK.

9. Acid installation and corresponding packages. We assume your Apache DocumentRoot is /web.

bash-2.05# gunzip -c jpgraph-1.12.1.tar.gz | tar xvf -
bash-2.05# gunzip -c adodb340.tgz | tar xvf -
bash-2.05# gunzip -c acid-0.9.6b23.tar.gz | tar xvf -
bash-2.05# cp -R jpgraph-1.12.1 /web/jpgraph
bash-2.05# cp -R adodb /web/
bash-2.05# cp -R acid /web/
bash-2.05# vi /web/acid/acid_conf.php

Set the following in acid_conf.php:
$DBlib_path = "../adodb";
$DBtype = "mysql";
$alert_dbname = "snort";
$alert_host = "localhost";
$alert_port = "";
$alert_user = "snort";
$alert_password = "your_snort_password";
$ChartLib_path = "../jpgraph/src";

You can verify your setup as follows:
bash-2.05# mysql -u snort -p
mysql> connect snort
mysql> show tables;
+------------------+
| Tables_in_snort |
+------------------+
| acid_ag |
| acid_ag_alert |
| acid_event |
| acid_ip_cache |
| data |
| detail |
| encoding |
| event |
| icmphdr |
| iphdr |
| opt |
| reference |
| reference_system |
| schema |
| sensor |
| sig_class |
| sig_reference |
| signature |
| tcphdr |
| udphdr |
+------------------+
20 rows in set (0.00 sec)
mysql> exit

Final step:


bash-2.05# snort -devyq -c /usr/local/snort/etc/snort.conf -l /var/snort/log -D

https://your_acid_computer/acid/acid_main.php

You should now start seeing traffic to your mysql database. You might want to nmap your sensor or write a custom rule to verify it is actually working correctly.

Problem

This recipe demonstrates how to install and configure a SILC server on the XXXXX network.

Motivation

The main motivation for this recipe is the desire to communicate effectively with other IDS members as well as notify staff of possible virus infections or compromises that may occur during an analyst's rotation.

Assumptions

A server has been designated to serve as the silc server for all silc traffic. For the IDS team, the infosec-scan2.XXXXX.org box has been designated for this use. Currently, we are in the process of moving this over to its final home, nemesis.XXXXX.org.

Requirements

The SILC server (silcd) binds to TCP port 706 (default), which requires root privileges. Additionally, the server requires development tools such as gcc or g++. Platforms that silcd may be installed on are:

- Linux, RedHat 9.0 or newer
- Linux, Mandrake 9.0 or newer
- Linux, Debian 3.0 or newer
- Linux, Slackware 8.1 or newer
- NetBSD 1.6
- FreeBSD 4.7
- OpenBSD 3.2
- Mac OS X 10.2
- HP-UX
- Solaris 8, 9
- IRIX
- AIX

Solution

The following steps install the silcd server (this was done on INFOSEC-SCAN2; make sure the silc client is installed on the same machine first):
1. cd to the /tmp directory

2. Login as root via "su -"

3. Download the latest silc-server from http://www.silcnet.org (e.g. wget http://www.silcnet.org/download/server/sources/silc-server-0.9.18.tar.gz). The latest version as of this writing is 0.9.18.

4. Unzip and untar the silc-server-0.9.18.tar.gz file

5. gunzip silc-server-0.9.18.tar.gz

6. tar xvf silc-server-0.9.18.tar

7. cd silc-server-0.9.18

8. ./configure && make && make install - for a default installation (this creates silc in the /usr/local/silc directory)

9. groupadd silcd

10. useradd -g silcd -s /bin/sh -d /usr/local/silc silcd

11. Create the SILC keypair
/usr/local/silc/sbin/silcd -C /usr/local/silc/etc --identifier="UN=, HN=labgeek.net, RN=JD, E=jd@labgeek.net,C=US"

12. mkdir /etc/silc

13. mkdir /etc/silc/adminkeys

14. Since you have installed the client on the same machine, your personal public key should be found under:
/home//.silc/public_key.pub

15. cp /home//.silc/public_key.pub /etc/silc/adminkeys/admin.pub

16. You may have to copy over the silcd.conf file over to the /etc/silc directory. I am pretty sure it is located in the /usr/local/silc directory.

17. vi /etc/silc/silcd.conf
Change the following:
key_exchange_pfs = true;
detach_timeout=2160; # 36 hours

18. Set your server's information in place
hostname = "[your server's FQDN]";
ip = "[your server's IP address]";
A few lines down there are four more lines that you need to change:
ServerType = "[Purpose of your server]";
Location = "[geographic location of server]";
Admin = "[SILC server administrator's full name, i.e. yours]";
AdminEmail = "[SILC server administrator's email address]";

19. Change to server's user account
User = "silcd";
Group = "silcd";

20. Run silcd

/usr/local/silc/sbin/silcd &

You should come up with no errors when executed. Fire up your trusty silc client and start chatting over the silc protocol. More information can be found on silcnet.org.
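Steps 17 to 19 as a script, added here as an example (not part of the original recipe or of the SILC distribution): it rewrites the listed keys in a copy of silcd.conf with sed and reads them back to confirm. The silcd.conf fragment below is a constructed stand-in that only carries the keys those steps touch; the FQDN, address and admin values passed in are assumed.

```shell
#!/bin/sh
# Constructed stand-in for silcd.conf (a real one has many more sections); it only
# needs the "key = value;" lines that steps 17-19 change.
write_sample_silcd_conf() {
    cat > "$1" <<'EOF'
General {
    key_exchange_pfs = false;
    detach_timeout = 1440;    # 24 hours
};
ServerInfo {
    hostname = "localhost";
    ip = "127.0.0.1";
    ServerType = "Unconfigured";
    Location = "Unconfigured";
    Admin = "Unconfigured";
    AdminEmail = "root@localhost";
    User = "nobody";
    Group = "nobody";
};
EOF
}

# conf_set FILE KEY VALUE: rewrite the value of "KEY = ...;" in place (trailing comments kept).
conf_set() {
    sed "s|^\([[:space:]]*$2[[:space:]]*=[[:space:]]*\)[^;]*;|\1$3;|" "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}

# conf_get FILE KEY: print the value of KEY with surrounding quotes stripped (empty if absent).
conf_get() {
    sed -n "s|^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\{0,1\}\([^\";]*\)\"\{0,1\};.*|\1|p" "$1" \
        | head -n 1
}

# configure_silcd FILE FQDN IP TYPE LOCATION ADMIN EMAIL: apply the recipe's changes.
configure_silcd() {
    f=$1
    conf_set "$f" key_exchange_pfs true       # perfect forward secrecy on key exchange
    conf_set "$f" detach_timeout 2160         # 36 hours, as in step 17
    conf_set "$f" hostname "\"$2\""
    conf_set "$f" ip "\"$3\""
    conf_set "$f" ServerType "\"$4\""
    conf_set "$f" Location "\"$5\""
    conf_set "$f" Admin "\"$6\""
    conf_set "$f" AdminEmail "\"$7\""
    conf_set "$f" User '"silcd"'              # the unprivileged account from steps 9-10
    conf_set "$f" Group '"silcd"'
}
```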

Closing remarks:
The instructions above allow you to install silcd on a number of systems. However, I have found (on silcnet mailing lists) that most people have had issues installing silcd on solaris servers (either 8 or 9). The installation above was done on a redhat 9.0 server - future tests will be done on both bsd and sun servers.

Credits

This recipe was brought to you by JD Durick – 11/17/2004

References

(1) http://www.silcnet.org
(2) https://lists.silcnet.org/mailman/listinfo
(3) http://www.silcnet.org/support/documentation/manual/helps.php


You do not mount a partition of type "Linux LVM" the same way you mount a partition using a standard Linux file system (e.g. ext2, ext3).

# fdisk -l /dev/hda

Disk /dev/hda: 160.0 GB, 160041885696 bytes
255 heads, 63 sectors/track, 19457 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

   Device Boot      Start         End      Blocks   Id  System
/dev/hda1   *           1          13      104391   83  Linux
/dev/hda2              14       19457   156183930   8e  Linux LVM

# mount /dev/hda2 /tmp/mnt
mount: /dev/hda2 already mounted or /tmp/mnt busy

First, let's determine the volume group containing the physical volume /dev/hda2.

# pvs
  PV         VG         Fmt  Attr PSize   PFree
  /dev/hda2  VolGroup01 lvm2 a-   148.94G 32.00M
  /dev/hdb2  VolGroup00 lvm2 a-   114.94G 96.00M

Next, let's list the logical volumes in VolGroup01.

# lvdisplay /dev/VolGroup01
--- Logical volume ---
LV Name /dev/VolGroup01/LogVol00
VG Name VolGroup01
LV UUID zOQogm-G8I7-a4WC-T7KI-AhWe-Ex3Y-JVzFcR
LV Write Access read/write
LV Status available
# open 0
LV Size 146.97 GB
Current LE 4703
Segments 1
Allocation inherit
Read ahead sectors 0
Block device 253:2

--- Logical volume ---
LV Name /dev/VolGroup01/LogVol01
VG Name VolGroup01
LV UUID araUBI-4eer-uh5L-Dvnr-3bI6-4gYg-APgYy2
LV Write Access read/write
LV Status available
# open 0
LV Size 1.94 GB
Current LE 62
Segments 1
Allocation inherit
Read ahead sectors 0
Block device 253:3

The logical volume I would like to "mount" (in purely the computing-related sense) is /dev/VolGroup01/LogVol00. The other logical volume is a swap partition.

# mount /dev/VolGroup01/LogVol00 /tmp/mnt

Reverse ssh tunnel to use SVN from my NAT'd honeywall behind HC3
Notes for me:

To use svn client from my honeywall which is NAT'd behind HC3
1. login to HC2
2. ssh -R 8080:prxyaddress.mitre.org:80 honeyclient3-adm.mitre.org (that should open up port 8080 on hc3)
3. enter password for HC3
3a. Log in via putty or the ssh command line with this tunnel:
ssh tunnel: L127.0.0.1:902 127.0.0.1:902
Login to VMware remote console with localhost now.
4. you can specify 192.168.0.1:8080 as your proxy
5. On Honeywall : export http_proxy="http://192.168.0.1:8080"
6. On Honeywall: edit ~/.subversion/servers file [global] settings:
http-proxy-host = 192.168.0.1
http-proxy-port = 8080

Make sure servers configuration file is properly formatted (meaning no spaces before configuration settings)

7. test by doing wget http://www.google.com
8. svn co http://scm.developer.mitre.org/svn/honeyclient --username jdurick

About this Archive

This page is an archive of entries from August 2006 listed from newest to oldest.
