New switch stack

Today the new switch stack has arrived that will be used for our new datacenter:

  

Its 4 * Cisco 3750-E with the IPS software. The first impression is that they are high quality switches, even compared to the stable 3560. The stacking cables comes along, one with each switch. 

Its also nice that its super easy to get started, just hook up the stacking cables and start the switches and they will auto negotiate which switch will become the master. This can also be changed, for example i wanted the top switch to be the master and the second to be the next master in case of failure so ive set it up like this:

Switch 1 Priority 15

Switch 2 Priority 14

Switch 3 Priority 1

Switch 4 Priority 1

More about the configuring the Cisco 3750-E:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750e_3560e/software/release/12.2_50_se/configuration/guide/swstack.html#wp1153255

Ive also gotten hold of the Juniper EX4200 and the Extreme Summit 200-24:

Ill se if i can write up something about the new Junos which is very nice. Also its very much like the Cisco IOS.

Howto: Collecting Snort logs with Splunk

Ok, now this time we will try to make snort logs into nice little colorful graphs. 

First off you need to think a little about your network design. Snort is very easily overloaded due to high CPU usage when using lots of signatures, thats why its always good to use several Snort installations(or Snort 3.0 which is multi-threaded) or use Vlans to delimit your network.

For example this is how i set it up:

By setting it up this way i get two advantages:

1. This only scans firewalled traffic which takes off a big amount of load.

2. By using two Snorts i can use different signatures on each, for example on the DMZ snort its more likely that i will use WEB-ATTACKS rules etc.

Ok now lets start setting everything up:

1. Installing Snort

Install and setup snort on as many machines as you want.

I am as always using Xubuntu 7.10 but Ubuntu should work aswell as many other dists.

2. Traffic to Snort

 Make Trunk ports from your switches to your Snort machines. Remember that this is a great way to delimit the amount of traffic that will get to your Snort.

On a Cisco machine with IOS you would use something like this:

monitor session 1 source vlan 3 , 4 , 7 - 10

monitor session 1 destination interface Gi3/18

On an Extreme with Extremeware something like this: 

enable mirroring to port 4:26 tagged

configure mirror add vlan "Default"

configure mirror add vlan "Dmz1"

configure mirror add vlan "Dmz2"

configure mirror add vlan "Dmz3"

configure mirror add vlan "Dmz4"

configure mirror add vlan "Dmz5"

configure mirror add vlan "Dmz6"

configure mirror add vlan "Dmz7"

For other switches please check this site out:

3. Install and setup Splunk

 Now you should have traffic flowing to your Snorts, so head over to www.splunk.com and download the latest version, im using the windows 3.4.1 for this test.

If possible you should use a server with dualcore since Splunk can draw lots of CPU and its nice to be able to administrate it while you are running some graphing.

Now that you have setup Splunk and confirmed that its working go to www.splunkbase.com and install this addon.

Now go to your admin area of Splunk and go to application and enable splunk for snort.

We also need to setup which port Splunk will listen to log files on so go to Data inputs -> Network ports and add TCP and UDP 514. Configure them to listen to Snot application like this:

Now i had lots of trouble to get Splunk to eat the snort logs correctly so i had a discussion on the Splunk forum and got some great help. 

You need to go to: %splunk system folder%\etc\system\local and edit props.conf

under the line [source::tcp:514] add:

SHOULD_LINEMERGE=true

BREAK_ONLY_BEFORE = ^.{3}\w{3}\s\d+\s\d+\:\d+\:\d+\s+\w+\s\[[^\]]+\]\s\[\d+\:\d+\:\d+

MAX_EVENTS = 500

TIME_PREFIX = (^|^\<\d\>)

TIME_FORMAT = %b %d %T

MAX_TIMESTAMP_LOOKAHEAD = 20

This enables all syslogs on TCP port 514 to be shown and proccesed in the right way.

Now restart Splunk.

4. Configure Snort to send logs

Ok now we actually need to have our Snorts to send the logs to Splunk. 

First off download syslog-ng using your terminal in Xubuntu:

sudo apt-get install syslog-ng

Edit the config file with your favorite editor:

sudo gedit /etc/syslog-ng/syslog-ng.conf

Add this:

source s_tail { file("/var/log/snort/alert"

                    follow_freq(1) flags(no-parse) ) ; };

destination stail2 {  tcp("10.10.10.10") ;

};

log {

        source(s_tail);

        destination(stail2);

flags(flow-control);

};

Everything in bold you might need to edit. The first bold is where your alert logfile is located. By default it is at /var/log/snort/alert. The second is the adress of your Splunk server.

So what this does is that it tails your alert logfile for updates, when its updated its sent to Splunk via TCP so it wont be discarded on the way. You can change it to UDP by switching out

"{  tcp("10.10.10.10") ;"  to  "{  udp("10.10.10.10") ;"

Note that TCP only makes sure it gets where its supposed to go, not that its encrypted and safe from interception. If you want that you should look in to Stunnel.

5. Create Graphs in Splunk

Ok now you should have Snort logs arriving in your Splunk(if not activate the ICMP signature and ping a bit with your computer) so now we should make some nice graphs.

First we need to extract the fields to make Splunk identify the Snort signatures, this is a very important lesson since you can use this to extract everything and have Splunk identify/graph it.

Click on the little arrow next to the logfile to open the extract menu:

Now the extract menu will open, so select to name of the signature, in this example it is NETBIOS SMB-DS C$ unicode share access. Now paste it into the example box and select preview. Now Splunk is trying to identify the name of the signatures. This is how it should look like if its working:

Now save it with a name, signature for ex.

Now we have names for the signatures and Splunk can identify them. So lets get to graphing.

So open up the logs again in Splunk and click "Report on results:

Now to the left click on the extracted field you made. To the top left you can choose which timeline you want eg 15min 60min 3months etc. And then choose some graphing options, heres an example of how mine looks like:

Ok now save your graph and put it on your dashboard and your done :) Happy Splunking!

6. Enjoy the examples

Here are some pictures of what you can Graph with Splunk:

Snort:

Juniper SA concurrent users and failed logins graphed with Splunk:

DHCP - Subnets without any ipadress left:

Snort also has a default preprocessor namne snort-stats that lets you export loads of stuff, eg. cpu load, blocks/min etc:

Ok, hopefully this will help you alot in securing your network. I will post some guides about nice rules and hints and tips later using Snort. Remember that Splunk can be used for lots of other stuff than graphing, just enter anything in the searchbar.

Enjoy!

Juniper Cartoons

Dont get me wrong, i love Cisco but sometimes these are just spot on! A long time ago their home was at http://www.juniper.net/cartoons/. I talked to a salesguy at Juniper that said they had to remove them because it made Juniper look unserious. Anyhow they are a good laugh!

This week i had the "privilege" to try to upgrade an old Cisco 4003 with CatOs to IOS 12. These pictures pretty much says it all:



Good thing they have a upgrade tool over at tools.cisco.com!

101 uses for a cisco router:



If cisco invented:



Others!:

Update 2009-04-09:

Found some intresting news(Translated to english by google):

"Juniper continues cartoonist at the door 

4 March, 2009 - Luc Blyaert 
Kevin Pope was five years drawing cartoons for Juniper Networks, but his job is now for the ax. Long time the drawings of Pope a witty attack on Cisco. 

Kevin Pope began in late 2003 with his cartoons, then barely knew what networking and telecom, but has been thoroughly trained. "I could do what I wanted, was only able to show that the Juniper products were better or why the equipment of the competitors were undermined," says Kevin Pope to Light Reading. 

Not everyone loved the cartoons, some of them were unprofessional. But they were regularly forwarded by network engineers. Especially when the Pope got out of Cisco solutions, they were popular. Examples can be found here: http://layer8problem.blogspot.com/2009/01/juniper-cartoons.html 

There was an end to demand from Juniper CEO Scott Kriens. It was apparently a good friend of Cisco John Chambers. "John Scott told me that they are funny, but asked whether there is less of what can be published," says Pope. That is not bitter that he may not sign for Juniper. "Ultimately, five years is a very long period.""

Original:

http://www.datanews.be/nl/news/90-104-22838/juniper-zet-cartoonist-aan-de-deur.html

More info:

http://www.lightreading.com/document.asp?doc_id=172836&f_src=lightreading_gnews

The plot thickens!

Cryptographic Analysis Program

If your new into cryptography then you should check out CAP, its a real nice tool that helps out alot when your learning(as im doing right now). Its really hard to find out there so im just going to post a link to it:

http://www.cs.plu.edu/courses/privacy/cap.htm

CAP is a complete tool for cryptanalysis. It allows for encryption and decryption using several common algorithms. It provides tools for cryptanalysis of these and other ciphers. Among the tools are frequency analysis, Kasiski analysis, word patterns, anagramming, and a special autosolve tool. In addition, CAP provides a GAME option that will randomly generate ciphers and challenge you to break them. You can download a demo version of CAP from the download area of this page. Along with CAP you should download the CAP handbook which provides you with a complete CAP manual and a tutorial on ciphers and cryptanalysis.

Howto: The great and mighty tutorial about Snort 2.8 Inline + Base

Ok, so you have looked everywhere for a good tutorial about getting Snort working in bridge(inline, transparent) mode? Look no further stranger, the salvation is near. Sit back and enjoy the ride.

Before you start to cheer please take a look at the requirements to get this stuff rolling:

* Processor x86 preferably 1 ghz + (Depends on how many rules, preprocessors and mbit/s.)
* 2 or 3 Nic preferably 10/100/1000 (3 Nics if you want one separate for mgmt, you can manage it with 2 nics also but for security reasons you should invenst in a third.)
* 256+ ram, the more the better especially if your going to run alot of rules.

(Ive ran this on my 1.6 ghz laptop with 512mb ram and 2 * 100 mbits nics for testing purposes and it pushed 10 mb(megabytes)/s with 100 rules and all preprocessors activated. with 19000 rules it could handle around 2-3 mb/s with alot of packet drops.

For my setup this time i will be using a IBM x350 with Intel Xeon Quad Core 2.8ghz, 3 gb Ram and 1* 100mbit interface for mgmt and 2*1000mbit interface for the bridge. Note that it should be able to run on anything that can handle xubuntu.

So as always start with a clean installation of Xubuntu 7.10 (it can be found here http://cdimage.ubuntu.com/xubuntu/releases/gutsy/release/)

This should be working with 8.10 also, havent tried it yet though.

Always update an upgrade before using it. This is important since Xubuntu 7.10 comes preinstalled with a big flaw in the OpenSSL software.

sudo apt-get update
sudo apt-get upgrade

So lets get started on the long and narrow road to getting a snort inline.

Ive used alot of tutorials as a base for this one:
http://openmaniak.com/inline.php
http://www.intarwebz.com/snort-ips/
http://www.snort.org/docs/snort_htmanuals/htmanual_2.4/node7.html
http://www.howtoforge.com/intrusion-detection-with-snort-mysql-apache2-on-ubuntu-7.10

So if something looks very similar then ive proberly copied it from the above. The reason for this tutorial is that none of them describes howto get the latest snort 2.8.3.1 running inline.

So before heading to the first step you should get a cup of coffe/tea.

1. Installing the packages

So lets get started with installing all the crap that snort/base needs.

i will list them with a short comment:

bridge-utils - makes bridging of interfaces possible
libnet0-dev - development files for libnet, its needed for snort inline
iptables-dev - development files for iptables, used when compiling snort inline
build-essential - important files for compiling, gcc etc
libpcap0.8-dev - snort inline does not use this but perfmonitor does
libmysqlclient15- dev - needed by mysql
mysql-client-5.0 - client for accessing mysql
mysql-server-5.0 - mysql server for storing information for Base
apache2 - webserver
libapache2-mod-php5 - library used by apache
php5-gd - php-gd for drawing graphs
php5-mysql - php extension for mysql
libphp-adodb - library for adodb
php-pear - php extension for pear
bison - language parser
flex - recognises patterns for base
gedit - text editor

Type:

sudo apt-get install build-essential libpcap0.8-dev libmysqlclient15-dev mysql-client-5.0 mysql-server-5.0 bison flex apache2 libapache2-mod-php5 php5-gd php5-mysql libphp-adodb php-pear iptables-dev libnet0-dev gedit bridge-utils

This will install everything you need.

During the installation Mysql will prompt you for root password and give you a warning message about a moved library. This is normal.

2. Manual install of some packages

So now we need to manually install some crap. yes life sucks.

Start by creating a temporary folder that we will be using.

Ive put mine under the filesystem at /layer8/

Do this by typing:

sudo mkdir /layer8/

Or you can do this by opening Thunar(the file manager) as root and rightclick and create a new folder. If you prefer this way type:

sudo thunar

Now head over to www.pcre.org and download the latest package of Perl Compatible Regular Expressions (ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/) (7.8 at the time of writing)

Download it and put it in the /layer8/ directory.
Extract pcre-7.8.tar.gz to the directory.

cd /layer8
sudo tar -xzvf /layer8/pcre-7.8.tar.gz

Now configure and install it:

cd pcre-7.8/
sudo ./configure
sudo make
sudo make install

Now you need to install Libnet (i use the latest 1.1.2.1). Head over to: http://www.packetfactory.net/libnet/

And download it to the /layer8/ folder then install it.

cd /layer8
sudo tar -xzvf libnet.tar.gz
cd /layer8/libnet/
sudo ./configure
sudo make
sudo make install

3. Install and compile Snort Inline + rules

Now lets download the latest version of snort and some nice rules. Put them in the /layer8/ folder. I will be writing about adding rules from bleedinsnort and emerging threats later so for now you can download the stable vrt registered user release. (snortrules-snapshot-2.8.tar.gz)

Extract Snort

cd /layer8
sudo tar -xzvf /layer8/snort-2.8.3.1.tar.gz

Extract Snort rules to the snort directory(you need to move the rules into the snort directory first) cd /layer8/snort-2.8.3.1/
sudo tar -xzvf /layer8/snort-2.8.3.1/snortrules-snapshot-2.8.tar.gz

Feel free to delete any old tar.gz files that you have already used.

Now configure and install it:

cd /layer8/snort-2.8.3.1/

sudo ./configure -enable-dynamicplugin --with-mysql

--enable-inline --with-libipq-includes=/usr/include/libipq/

sudo make

sudo make install

Done! If you get any errors while trying to configure it, here is a good helplist to see what you are missing: http://openmaniak.com/inline_pre.php

4. Pre Launch

Now before we testdrive our inline snort there is a little bit left to do. First create these 3 directorys:

sudo /etc/snort /etc/snort/rules /var/log/snort

Now lets copy some files:

cd /layer8/snort-2.8.3.1/rules

sudo cp * /etc/snort/rules/

cd /layer8/snort-2.8.3.1/etc

sudo cp * /etc/snort/

sudo cp /usr/local/lib/libpcre.so.0 /usr/lib

So now our config file snort.conf resides in /etc/snort. Sweet.

So now Edit /etc/snort/snort.conf and change

var RULE_PATH ../rules to var RULE_PATH /etc/snort/rule

Now testdrive snort inline!!!

sudo snort -Q -c /etc/snort/snort.conf -v

The -Q is for snort inline to take packages from the ip_queue module. Currently you wont have any because we havent edited Iptables to forward to QUEUE yet, be patient. The -c is where is will find snort.conf and the -v is for Verbose output so you can see what is happening on the screen, if you want to you can launch it as a Daemon using the -D.

If everything went succesful you will se a little pig and some text after its done loading:

--== Initialization Complete ==--

,,_ -*> Snort! <*-

o" )~ Version 2.8.3.1 (Build 17) inline

'''' By Martin Roesch & The Snort Team: http://www.snort.org/team.html

(C) Copyright 1998-2008 Sourcefire Inc., et al.

Using PCRE version: 7.8 2008-09-05

Rules Engine: SF_SNORT_DETECTION_ENGINE Version 1.9

Preprocessor Object: SF_SSH Version 1.1

Preprocessor Object: SF_SMTP Version 1.1

Preprocessor Object: SF_FTPTELNET Version 1.1

Preprocessor Object: SF_DNS Version 1.1

Preprocessor Object: SF_DCERPC Version 1.1

Not Using PCAP_FRAMES

So now you have a working SNORT INLINE!!! But hey, were far from done yet :'(

You can stop snort by pressing CTRL + C anytime.

So whats left to do?

Base, Mysql setup,Apache2, Bridging the Nics and setting up Iptabels.

5. Download Base + Adodb Extension for PHP

Head over to http://sourceforge.net/project/showfiles.php?group_id=42718&package_id=220409&release_id=636410

And download the adodb-php5-only to the /layer8/ folder.

Untar and move it.

cd /layer8/

sudo tar -xzvf adodb506a.tgz

sudo mv /layer8/adodb5 /var/www/

Done.

Head over to sourceforge and download latest version of Base ( http://sourceforge.net/project/showfiles.php?group_id=103348&package_id=128846&release_id=617636)

Dowload it to /layer8/, untar it and move it:

cd /layer8/

sudo tar -xzvf base-1.4.1.tar.gz

sudo mv /layer8/base-php4 /var/www/base

6. Configure Mysql Server

Now lets setup the Mysql server:

Type:

sudo mysql -u root -p

in the prompt that appears type:

SET PASSWORD FOR root@localhost=PASSWORD('Your password!!!!');

It will return something like: Query OK, 0 rows affected (0.00 sec)

Then type:

create database snort;

exit

use the snort schema for the layout of the database.

sudo mysql -D snort -u root -p < /layer8/snort-2.8.3.1/schemas/create_mysql

Ok great lets move on.

7. Apache2 + Pear

Now edit /etc/php5/apache2/php.ini:

sudo gedit /etc/php5/apache2/php.ini

Add under Dynamic Extensions:

extension=mysql.so

extension=gd.so

Restart apache by typing:

sudo /etc/init.d/apache2 restart

Now we need writing to be enabled at the /var/www folder:

sudo chmod 757 /var/www/base

Now install som pear graphic tools:

sudo pear upgrade-all

sudo pear install Image_Color

sudo pear install Image_Canvas-alpha

sudo pear install Image_Graph-alpha

sudo pear install Mail

sudo pear install Mail_mime

8. Setup Base

Now base should be able to be installed using the websetup, use your browser and open:

http://YOURIPADRESS/base/setup/

When they prompt you for path to ADODB enter:

/var/www/adodb5

Page 2:

Database Name: snort
Database Host: localhost
Database Port: leave blank
Database User Name: root
Database Password: Your password!!!

page 3: Self-explanatory

page 4: Press the create database button and you will get som text:

1. Successfully created 'acid_ag'
   
2. Successfully created 'acid_ag_alert'
   
3. Successfully created 'acid_ip_cache'
   
4. Successfully created 'acid_event'
   
5. Successfully created 'base_roles'
   
6. Successfully INSERTED Admin role
   
7. Successfully INSERTED Authenticated User role
   
8. Successfully INSERTED Anonymous User role
   
9. Successfully INSERTED Alert Group Editor role
   
10. Successfully created 'base_users'

Sweet now you should see the Base window!

9. Configure Output in snort.conf

edit /etc/snort/snort.conf and uncomment the line:

#output database: log, mysql, user=root password=Your Password!! dbname=snort host=localhost

Edit it so it looks like above.

10. Snort inline + Iptables

We want to test snort again but lets add som Iptables first.

Check that ip_queue is loaded:

sudo modprobe ip_queue
sudo lsmod |grep ip_queue

This should return something like:

ip_queue 11792 0

Now add Iptables rule(you will loose any remote connection you have):

sudo iptables -A INPUT -j QUEUE

Check your iptables:
sudo iptables -L

You can flush/delete your Iptables at any time by issuing "sudo iptables -F"

Now test snort again:

sudo snort -Q -v -c /etc/snort/snort.conf

You should now see any traffic going from your snort.

11. Bridging the interfaces

So lets bridge the interfaces you are going to have traffic passing through.

To do this you need to load the bridge module:

sudo modprobe bridge

Now edit /etc/network/interfaces:

sudo gedit /etc/network/interfaces

Make it look like this:( if you have 3 Nics, 1 for Mgmt, if you dont check out http://openmaniak.com/inline_bridge.php):

###############################
# Loopback interface

auto lo
iface lo inet loopback
# the bridge
auto br0
iface br0 inet manual
# Ethernet Interfaces you want to add to bridge !!!!
bridge_ports eth0 eth1
# Time to wait before loading the bridge
bridge_maxwait 0

# Mgmt Interface:
auto eth2
iface eth2 inet static
address 10.2.96.155
netmask 255.255.255.0
broadcast 10.2.96.255
gateway 10.2.96.254

#################################

After you have saved the file restart your NICS

sudo /etc/init.d/networking restart

12. Snort Inline Bridge mode + Forward Ip_queue

So now eth1 and eth0 should be bridged, and we have a port for mgmt!

Now send the packages that you want to the QUEUE and snort will alert, drop, log, alter etc. This is done by issuing Iptables to send all packets it would normally forward in the bridge to the QUEUE.

sudo iptables -A FORWARD -j QUEUE

Now all you got to do is to start snort with the -Q argument.

sudo snort -Q -v -c /etc/snort/snort.conf

Enjoy!!!

Now remember all rules are set to "Alert" by default so you will have to edit them and change them to drop manually or by using oinkmaster. I preffer IDSPM and i will write a howto on that soon. I will also write a Howto on getting splunk to eat snort alert logs and report some nice stuff about them. Check out these screens for a preview :)

Howto: Remote Desktop to Xubuntu 7.10 with FreeNX

I noticed that my other way of remote desktop to Xubuntu via vine had a big flaw, and that was that everytime you had to restart your system you had to manually log in and start the vine session.

So i installed the NX server and NX client instead. So heres a short tutorial on how to do it:

1. Head over to Nomachine and download all three Xubuntu .deb Packages to your server.

And run them in this specific order: 

sudo dpkg -i nxclient_3.2.0-14_i386.deb 

sudo dpkg -i nxnode_3.2.0-13_i386.deb 
sudo dpkg -i nxserver_3.2.0-16_i386.deb

If you dont run them in this specific order you will get dependencies failure and you will have to issue  : "sudo apt-get install -f" to solve it.

2. You also need to install the Opensshd server, thats the one that handles the authentication for NX. Do so by typing

sudo apt-get install ssh

3. Now that the server is done, install your Freenx client Windows xp / Unix software.

Now you need to configure it. So point it to the ip your Xubuntu machine has, and in the desktop options choose "Unix" and "Custom":

Then click on the settings button and mark the "run the following command".

In the box type:

startxfce4

And also mark the "New Virtual Desktop" button.

Voila! Remote connection that works when Xubuntu has rebooted!

Howto: Remote Desktop to Xubuntu 7.10 the simple way

So, my first "tutorial". This idea spawned after i was trying to get remote access to my Xubuntu machine that i was trying to install Snort on. I did not want to spend 2 hours in a cold serverroom so i thought that remote access would be really sweet. 

So the first thing that came to mind was installing a VNC server. That started out to be a lot more complicated than it should have to be. Then i rememberd that Ubuntu has this preinstalled, so i could use the same package as Ubuntu does. 

This will also let you remote access your current session and its also resumable.

So:

(all text that is cursive should be typed into a terminal window!)

1. Make sure you have Xubuntu installed (prefferably 7.10)

2. Make sure you have it updated to the latest version by typing:

sudo apt-get update

sudo apt-get upgrade

3. Now you should install Vino, you do this by typing:

sudo apt-get install vino

4. This will install vino, after you are done you need to configure it, do this by typing:

sudo vino-preferences

this will launch the vino preferences window:

5. Now check the following:

"Allow other users to view your desktop"

"Allow other users to control your desktop"

"Require the user to enter this password"

Enter a password, this is optional

And uncheck:

"Ask for your confirmation"

This will stop you from having to run all the way to the computer/server that runs Vino and allow yourself to remotely login each time you try to do it.

6. Now start Vino by typing:

sudo vino-session

A message stating that Vino has been started will follow.  Now you can close the terminal.

7.Now download your favorite VNC viewer program:

Two free options:

Real VNC

Thight VNC

Congratulations, your done with setting up a Remote Desktop connection to your Xubuntu installation. The problem with this setup is that everytime you reboot you will have to login manually and start the vino server. If you want more challenging ways to get Remote Access to a Xubuntu machine you should check out the Vnc4 Server and the 51page thread over at Ubuntu Forums.