Wednesday, April 8, 2009

New switch stack

Today the new switch stack arrived that will be used for our new datacenter:


It's 4 × Cisco 3750-E with the IPS software. The first impression is that they are high-quality switches, even compared to the stable 3560. The stacking cables come along, one with each switch.

It's also nice that it's super easy to get started: just hook up the stacking cables and power on the switches, and they will auto-negotiate which switch becomes the master. This can also be changed; for example, I wanted the top switch to be the master and the second one to take over as master in case of failure, so I've set it up like this:

Switch 1 Priority 15
Switch 2 Priority 14
Switch 3 Priority 1
Switch 4 Priority 1
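As an added example (not from the original post), these are the privileged-EXEC commands that set the priorities above on a 3750-E stack; the member numbers are assumed to match the list, and the defaults and range quoted in the comments are from the 3750 stacking documentation:

```ios
! Higher priority wins the master election; 1 is the default, 15 the maximum.
switch 1 priority 15
switch 2 priority 14
switch 3 priority 1
switch 4 priority 1
! Verify member numbers, roles and priorities.
show switch
```

The new priority only matters at the next master election (for example after a reload), so the currently elected master does not change just because you lowered its priority; check "show switch" after the next election to confirm the roles came out the way you wanted.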

More about configuring the Cisco 3750-E:

I've also gotten hold of the Juniper EX4200 and the Extreme Summit 200-24:



I'll see if I can write up something about the new Junos, which is very nice. It's also very much like Cisco IOS.

Tuesday, March 31, 2009

Howto: Collecting Snort logs with Splunk

Ok, this time we will try to turn Snort logs into nice little colorful graphs.

First off you need to think a little about your network design. Snort is very easily overloaded, because CPU usage gets high when you load lots of signatures. That's why it's always good to use several Snort installations (or Snort 3.0, which is multi-threaded), or to use VLANs to limit which traffic each sensor sees.

For example, this is how I set it up:



By setting it up this way I get two advantages:
1. Only firewalled traffic is inspected, which takes away a big amount of load.
2. By using two Snorts I can use different signatures on each; for example, on the DMZ Snort it is more likely that I will use the WEB-ATTACKS rules etc.

Ok, now let's start setting everything up:

1. Installing Snort

I am, as always, using Xubuntu 7.10, but Ubuntu should work as well, as should many other distributions.

2. Traffic to Snort

Set up mirror (SPAN) ports from your switches to your Snort machines. Remember that choosing which VLANs to mirror is a great way to limit the amount of traffic that reaches your Snort. Keep in mind that the mirror destination is a single link: if the mirrored VLANs together carry more than that port's bandwidth, the switch silently drops the excess and Snort never sees those packets, so check the port's drop counters after you enable mirroring.

On a Cisco machine with IOS you would use something like this:

monitor session 1 source vlan 3 , 4 , 7 - 10
monitor session 1 destination interface Gi3/18

On an Extreme with Extremeware something like this: 

enable mirroring to port 4:26 tagged
configure mirror add vlan "Default"
configure mirror add vlan "Dmz1"
configure mirror add vlan "Dmz2"
configure mirror add vlan "Dmz3"
configure mirror add vlan "Dmz4"
configure mirror add vlan "Dmz5"
configure mirror add vlan "Dmz6"
configure mirror add vlan "Dmz7"

For other switches please check this site out:

3. Install and setup Splunk

Now you should have traffic flowing to your Snorts, so head over to www.splunk.com and download the latest version; I'm using the Windows 3.4.1 build for this test.

If possible you should use a server with a dual-core CPU, since Splunk can draw lots of CPU and it's nice to be able to administer it while it is running some graphing.

Now that you have set up Splunk and confirmed that it's working, go to www.splunkbase.com and install this add-on.

Now go to the admin area of Splunk, go to Applications and enable Splunk for Snort.

We also need to set up which port Splunk will listen on for the logs, so go to Data inputs -> Network ports and add TCP and UDP 514. Configure them for the Snort application like this (and note that anything that can reach port 514 on this server can send it events, so firewall the port so that only your Snort sensors can talk to it):



Now, I had lots of trouble getting Splunk to eat the Snort logs correctly, so I had a discussion on the Splunk forum and got some great help.

You need to go to your Splunk installation folder\etc\system\local and edit props.conf (create it if it is not there yet).

Under the stanza [source::tcp:514] add:

SHOULD_LINEMERGE = true
# A new event starts at a syslog header followed by the "[**] [gid:sid:rev]"
# line of a Snort alert. The day of month is space padded ("Apr  8"), the PRI
# can be two digits ("<13>") and hostnames may contain hyphens, so the
# pattern allows all of those (the original post's version did not).
BREAK_ONLY_BEFORE = ^.{3,4}\w{3}\s+\d+\s\d+:\d+:\d+\s+\S+\s\[[^\]]+\]\s\[\d+:\d+:\d+
MAX_EVENTS = 500
TIME_PREFIX = (^|^<\d+>)
TIME_FORMAT = %b %d %T
MAX_TIMESTAMP_LOOKAHEAD = 20

This makes Splunk merge the multi-line Snort alerts arriving on TCP port 514 into one event per alert (each event starts at the line carrying the "[**] [gid:sid:rev]" header) and parse the syslog timestamp correctly. The stanza only covers TCP; if you send the logs over UDP instead, add the same settings under [source::udp:514].

Now restart Splunk.

4. Configure Snort to send logs

Ok, now we actually need to have our Snorts send the logs to Splunk.

First off, install syslog-ng from a terminal in Xubuntu:

sudo apt-get install syslog-ng

Edit the config file with your favorite editor:

sudo gedit /etc/syslog-ng/syslog-ng.conf

Add this:

source s_tail {
        file("/var/log/snort/alert" follow_freq(1) flags(no-parse));
};

destination stail2 {
        tcp("10.10.10.10");
};

log {
        source(s_tail);
        destination(stail2);
        flags(flow-control);
};

There are two values you might need to edit. The first is the path of your alert logfile; by default it is /var/log/snort/alert. The second is the address of your Splunk server (10.10.10.10 in the example); syslog-ng sends to port 514 unless you give the destination a different port.

So what this does is tail your alert logfile for updates; whenever new lines are written they are sent to Splunk via TCP, so they won't be silently discarded on the way. You can change it to UDP by replacing
"tcp("10.10.10.10");" with "udp("10.10.10.10");"

After editing, check the configuration with "sudo syslog-ng -s" (syntax check only) and then restart syslog-ng so the new source and destination are picked up.

Note that TCP only makes sure the data gets where it's supposed to go, not that it's encrypted and safe from interception; if you want that, look into stunnel (newer syslog-ng releases can also do TLS directly in the tcp() destination). Neither TCP nor UDP authenticates the sender either, so the firewalling of port 514 mentioned above is what stops someone on the network from injecting fake alerts or flooding your Splunk.

5. Create Graphs in Splunk

Ok, now you should have Snort logs arriving in Splunk (if not, enable the ICMP signature and ping around a bit from your computer), so now we should make some nice graphs.

First we need to extract the fields so that Splunk identifies the Snort signatures. This is a very important lesson, since you can use the same technique to extract anything and have Splunk identify and graph it.

Click on the little arrow next to the log line to open the extract menu:



Now the extract menu opens. Select the name of the signature, in this example NETBIOS SMB-DS C$ unicode share access, paste it into the example box and select preview. Splunk will now try to identify the names of the signatures. This is how it should look if it's working:



Now save it with a name, for example "signature".

Now we have names for the signatures and Splunk can identify them, so let's get to graphing.
Open up the logs again in Splunk and click "Report on results":



Now, on the left, click on the extracted field you made. At the top left you can choose the time range you want, e.g. 15 min, 60 min, 3 months etc. Then choose some graphing options; here is an example of how mine looks:



Ok, now save your graph and put it on your dashboard and you're done :) Happy Splunking!
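To see what steps 3 and 5 actually do to the data, here is an added example (not part of the original post, and not Splunk's or Snort's code) that does the same two things in plain Python: it breaks the syslog stream into one event per Snort alert, the way the props.conf stanza does, and pulls out the signature name and the other fields you would extract in Splunk. It assumes syslog-ng's default "<PRI>Mon DD HH:MM:SS host MSG" format with MSG being one raw line of /var/log/snort/alert (because of flags(no-parse)), so one alert arrives as several syslog messages. The sample lines are constructed, and the sids are in the local-rule range (1000000 and up) rather than real rule ids.

```python
"""Parse Snort full-format alerts as syslog-ng forwards them over TCP.

Added example (not from the original post). Assumes syslog-ng's default
template '<PRI>Mon DD HH:MM:SS host MSG', where MSG is one raw line of
/var/log/snort/alert, so a single Snort alert spans several syslog messages.
"""
import re
from collections import Counter
from dataclasses import dataclass, field

# Syslog header syslog-ng prepends to every forwarded line. The day of month
# is space padded ("Apr  8"), hence \s+ in front of it.
SYSLOG_HDR = re.compile(r'^(?:<\d+>)?(\w{3}\s+\d+\s\d+:\d+:\d+)\s+(\S+)\s(.*)$')
# A new alert starts at "[**] [gid:sid:rev] msg [**]": the same anchor the
# BREAK_ONLY_BEFORE setting in props.conf keys on.
ALERT_HDR = re.compile(r'^\[\*\*\]\s\[(\d+):(\d+):(\d+)\]\s(.*?)\s\[\*\*\]')
CLASS_LINE = re.compile(r'\[Classification:\s*([^\]]+)\]\s*\[Priority:\s*(\d+)\]')
# "MM/DD-HH:MM:SS.usec src[:port] -> dst[:port]" (ICMP lines carry no ports)
FLOW_LINE = re.compile(r'^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+(\S+)\s+->\s+(\S+)')


@dataclass
class Alert:
    gid: int
    sid: int
    rev: int
    msg: str             # signature name: the field the post graphs
    syslog_time: str
    sensor: str
    classification: str = ''
    priority: int = 0
    snort_time: str = ''
    src: str = ''
    dst: str = ''
    raw: list = field(default_factory=list)   # the merged event, line by line


def parse_stream(lines):
    """Group syslog lines into Alert objects, one per Snort alert."""
    alerts, cur = [], None
    for line in lines:
        m = SYSLOG_HDR.match(line)
        if not m:
            continue                      # not syslog shaped, skip it
        ts, host, msg = m.groups()
        h = ALERT_HDR.match(msg)
        if h:                             # header line: start a new event
            cur = Alert(int(h.group(1)), int(h.group(2)), int(h.group(3)),
                        h.group(4), ts, host)
            alerts.append(cur)
        elif cur is None:
            continue                      # continuation seen before any header
        cur.raw.append(msg)
        c = CLASS_LINE.search(msg)
        if c:
            cur.classification, cur.priority = c.group(1).strip(), int(c.group(2))
        f = FLOW_LINE.match(msg)
        if f:
            cur.snort_time, cur.src, cur.dst = f.groups()
    return alerts


def count_by_signature(alerts):
    """What the 'signature' report in step 5 shows: alerts per signature name."""
    return dict(Counter(a.msg for a in alerts))


# Constructed sample: two signatures, three alerts, as syslog-ng would send them.
SAMPLE = """\
<13>Apr  8 12:34:56 snort-dmz [**] [1:1000001:1] NETBIOS SMB-DS C$ unicode share access [**]
<13>Apr  8 12:34:56 snort-dmz [Classification: Generic Protocol Command Decode] [Priority: 3]
<13>Apr  8 12:34:56 snort-dmz 04/08-12:34:55.123456 192.0.2.10:1030 -> 192.0.2.20:445
<13>Apr  8 12:34:56 snort-dmz TCP TTL:128 TOS:0x0 ID:4321 IpLen:20 DgmLen:140 DF
<13>Apr  8 12:34:56 snort-dmz ***AP*** Seq: 0x1A2B3C4D  Ack: 0x5E6F7081  Win: 0xFAF0  TcpLen: 20
<13>Apr  8 12:35:01 snort-dmz [**] [1:1000002:1] ICMP PING [**]
<13>Apr  8 12:35:01 snort-dmz [Classification: Misc activity] [Priority: 3]
<13>Apr  8 12:35:01 snort-dmz 04/08-12:35:00.000100 192.0.2.30 -> 192.0.2.20
<13>Apr  8 12:35:01 snort-dmz ICMP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:84
<13>Apr  8 12:35:03 snort-dmz [**] [1:1000002:1] ICMP PING [**]
<13>Apr  8 12:35:03 snort-dmz [Classification: Misc activity] [Priority: 3]
<13>Apr  8 12:35:03 snort-dmz 04/08-12:35:02.000100 192.0.2.30 -> 192.0.2.20
"""

if __name__ == '__main__':
    alerts = parse_stream(SAMPLE.splitlines())
    for a in alerts:
        print(f'{a.sensor} {a.syslog_time} [{a.gid}:{a.sid}:{a.rev}] '
              f'{a.msg} prio={a.priority} {a.src} -> {a.dst}')
    print(count_by_signature(alerts))
```

Run it against a capture of your own stream (for example what "nc -l" on a spare port receives from syslog-ng) and compare the number of Alert objects with the number of events Splunk shows for the same minute; if they differ, the event breaking regex in props.conf is not matching your sensors' lines.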

6. Enjoy the examples

Here are some pictures of what you can graph with Splunk:

Snort:


Juniper SA concurrent users and failed logins, graphed with Splunk:



DHCP - subnets without any IP addresses left:



Snort also has a performance monitoring preprocessor (perfmonitor, which writes the snort.stats file) that lets you export loads of stuff, e.g. CPU load, blocked packets per minute etc.:




Ok, hopefully this will help you a lot in securing your network. I will post some guides about nice rules and some hints and tips for Snort later. Remember that Splunk can be used for lots of other stuff than graphing; just enter anything in the search bar.

Enjoy!

Monday, January 26, 2009

Juniper Cartoons

Don't get me wrong, I love Cisco, but sometimes these are just spot on! A long time ago their home was at http://www.juniper.net/cartoons/. I talked to a sales guy at Juniper who said they had to remove them because it made Juniper look unserious. Anyhow, they are a good laugh!

This week I had the "privilege" of trying to upgrade an old Cisco 4003 with CatOS to IOS 12. These pictures pretty much say it all:



Good thing they have an upgrade tool over at tools.cisco.com!

101 uses for a Cisco router:



If Cisco invented:



Others:



Update 2009-04-09:

Found some interesting news (translated to English by Google):

"Juniper shows cartoonist the door

4 March, 2009 - Luc Blyaert
Kevin Pope drew cartoons for Juniper Networks for five years, but his job has now been axed. For a long time Pope's drawings were a witty attack on Cisco.

Kevin Pope began his cartoons in late 2003; back then he barely knew what networking and telecom were, but he has since been thoroughly trained. "I could do what I wanted; I only had to show that the Juniper products were better or why the competitors' equipment fell short," Kevin Pope tells Light Reading.

Not everyone loved the cartoons; some found them unprofessional. But they were regularly forwarded by network engineers. They were especially popular when Pope went after Cisco solutions. Examples can be found here: http://layer8problem.blogspot.com/2009/01/juniper-cartoons.html

The end came at the request of Juniper CEO Scott Kriens, who is apparently a good friend of Cisco's John Chambers. "Scott told me that they are funny, but asked whether there could be less of what gets published," says Pope, who is not bitter that he may no longer draw for Juniper. "Ultimately, five years is a very long period.""


Original:

More info:

The plot thickens!

Cryptographic Analysis Program

If you're new to cryptography, you should check out CAP; it's a really nice tool that helps a lot when you're learning (as I am right now). It's really hard to find out there, so I'm just going to post a link to it:

http://www.cs.plu.edu/courses/privacy/cap.htm

CAP is a complete tool for cryptanalysis. It allows for encryption and decryption using several common algorithms. It provides tools for cryptanalysis of these and other ciphers. Among the tools are frequency analysis, Kasiski analysis, word patterns, anagramming, and a special autosolve tool. In addition, CAP provides a GAME option that will randomly generate ciphers and challenge you to break them. You can download a demo version of CAP from the download area of this page. Along with CAP you should download the CAP handbook which provides you with a complete CAP manual and a tutorial on ciphers and cryptanalysis.
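To show what two of the tools in that list actually do, here is an added example (not part of the original post, and not CAP's own code) that works a Vigenère ciphertext by hand: Kasiski examination to find the key length from repeated ciphertext fragments, then a per-position frequency comparison against English to recover each key letter. The key "JUNOS", the plaintext and the English frequency table are constructed for the example; the plaintext repeats "THEENEMY" exactly 50 letters apart on purpose, so one Kasiski distance is known in advance.

```python
"""Kasiski examination and frequency analysis against a Vigenere ciphertext.

Added example, not part of the original post and not CAP's own code.
Key, plaintext and the frequency table below are constructed for it.
"""
from collections import Counter

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
# Relative English letter frequencies in percent, A..Z (commonly cited table).
ENGLISH = [8.17, 1.49, 2.78, 4.25, 12.70, 2.23, 2.02, 6.09, 6.97, 0.15, 0.77,
           4.03, 2.41, 6.75, 7.51, 1.93, 0.10, 5.99, 6.33, 9.06, 2.76, 0.98,
           2.36, 0.15, 1.97, 0.07]


def vigenere(text, key, decrypt=False):
    """Shift letter i of text by key[i mod len(key)] (A=0 .. Z=25)."""
    out = []
    for i, ch in enumerate(text):
        k = ALPHABET.index(key[i % len(key)])
        p = ALPHABET.index(ch)
        out.append(ALPHABET[(p - k) % 26] if decrypt else ALPHABET[(p + k) % 26])
    return "".join(out)


def kasiski_distances(ct, n=3):
    """Distances between repeated n-grams in the ciphertext.

    Repeats caused by the same plaintext under the same key alignment sit a
    multiple of the key length apart; chance repeats do not.
    """
    positions, dists = {}, []
    for i in range(len(ct) - n + 1):
        gram = ct[i:i + n]
        dists.extend(i - j for j in positions.get(gram, []))
        positions.setdefault(gram, []).append(i)
    return dists


def key_length_candidates(dists, max_len=20):
    """Count how many of the distances each candidate length divides."""
    tally = Counter()
    for d in dists:
        for length in range(2, max_len + 1):
            if d % length == 0:
                tally[length] += 1
    return tally


def chi_squared(column):
    """Distance of a letter distribution from English; lower is more English."""
    counts, total = Counter(column), len(column)
    score = 0.0
    for i, c in enumerate(ALPHABET):
        expected = total * ENGLISH[i] / 100
        score += (counts[c] - expected) ** 2 / expected
    return score


def recover_key(ct, key_len):
    """For each key position, pick the shift whose decryption looks most English."""
    key = ""
    for pos in range(key_len):
        column = ct[pos::key_len]
        best = min(range(26), key=lambda s: chi_squared(
            "".join(ALPHABET[(ALPHABET.index(c) - s) % 26] for c in column)))
        key += ALPHABET[best]
    return key


KEY = "JUNOS"   # constructed
PLAINTEXT = (   # constructed; "THEENEMY" sits at offsets 0 and 50 (50 = 10 * len(KEY))
    "THEENEMYWILLATTACKATDAWN"            # 24 letters
    "SENDMOREMENTOTHEBRIDGEFAST"          # 26 letters
    "THEENEMYCANNOTHOLDTHEBRIDGEFORLONG"
    "WEMUSTCROSSTHERIVERBEFORENIGHTFALLANDTAKETHEENEMYBYSURPRISE"
    "THESOLDIERSARETIREDBUTTHEYWILLFIGHTWHENTHEORDERISGIVEN"
    "KEEPTHESIGNALFIRESBURNINGUNTILTHERELIEFCOLUMNARRIVESFROMTHENORTH"
)
CIPHERTEXT = vigenere(PLAINTEXT, KEY)

if __name__ == "__main__":
    tally = key_length_candidates(kasiski_distances(CIPHERTEXT))
    print("key length tally:", tally.most_common(5))
    print("recovered key for length 5:", recover_key(CIPHERTEXT, 5))
```

The tally lists divisors too (2 and 10 score alongside 5, since every multiple of 10 is also a multiple of 2 and 5), so the rule of thumb is to pick the largest length that explains nearly all of the distances. With only about fifty letters per key position the frequency step can still pick a wrong shift for one position; that is where a longer ciphertext, or the anagramming and word-pattern tools CAP offers, come in.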