Glas Painting

NIDS and Suricata IDS/IPS
Jaroslav Vorlicek ([email protected])
Matthew Jonkman (Emerging Threats)
Will Metcalf (Emerging Threats)
Agenda
● Introduction to NIDS/NIPS
● Introduction to Suricata
● Why Suricata
● Installing Suricata
● Rule management
● Displaying detection results
● Where to get additional information
Introduction to Network IDS
● NIDS – Network Intrusion Detection Systems
● Purpose – catching "bad guys"
  – Detect and alert on unusual behavior in the network
  – Detect and alert on unusual behavior inside network traffic
● An answer to "What is going on in my network?"
● Caveat – an IDS is not "the ultimate answer to all questions of the universe", but it gives some good hints ;)
Introduction to NIDS technology
● How does it work?
● 3 major mechanisms
  – Signatures
  – Network behavior analysis
  – Protocol inspection and normalisation
Signatures
● Finding patterns in the network stream
  – Unusual User-Agents in HTTP
  – SQL injection
  – XSS
  – Shellcode
  – Pr0n or other "policy/ethics violations"
  – Malware communicating via HTTP/IRC/IM
Network behavior analysis
● Purpose: locate unusual activity by thresholds exceeded in network activity
  – Worms (Conficker)
  – Brute-force attacks
  – TCP/UDP/ICMP scans
  – Misconfiguration
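As an added worked example (not from the original slides or from Suricata), here is the kind of threshold logic the bullets above describe: a sliding-window detector run over constructed flow records that flags a source touching many ports on one host (a vertical scan) or one port on many hosts (a horizontal sweep). The window length, thresholds, addresses and flows are assumptions made for the demonstration. The last group of sample flows is a probe spread out in time that stays under the thresholds, which is why thresholds alone are not enough.

```python
"""Threshold-based behavior analysis over flow records.

Added example, not Suricata code: a small sliding-window detector that raises
one alert when a source touches many ports on one host (vertical scan) or the
same port on many hosts (horizontal sweep).  The flow records, window and
thresholds below are constructed for the demonstration.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 10.0       # assumption: how long a source's flows are remembered
PORT_SCAN_THRESHOLD = 5     # assumption: distinct ports on one host inside the window
HOST_SWEEP_THRESHOLD = 5    # assumption: distinct hosts on one port inside the window


def detect(flows, window=WINDOW_SECONDS, port_threshold=PORT_SCAN_THRESHOLD,
           host_threshold=HOST_SWEEP_THRESHOLD):
    """Return alerts as (timestamp, kind, src, detail) tuples.

    flows: iterable of (timestamp_seconds, src_ip, dst_ip, dst_port, proto).
    Every source keeps a deque of its recent flows; flows older than the window
    are dropped before the thresholds are evaluated, and each (kind, src, target)
    fires only once so a long scan yields one alert instead of one per packet.
    """
    recent = defaultdict(deque)   # src -> deque of (ts, dst, dport)
    fired = set()
    alerts = []
    for ts, src, dst, dport, _proto in sorted(flows):
        window_flows = recent[src]
        window_flows.append((ts, dst, dport))
        while window_flows and window_flows[0][0] < ts - window:
            window_flows.popleft()

        ports_by_host = defaultdict(set)
        hosts_by_port = defaultdict(set)
        for _, d, p in window_flows:
            ports_by_host[d].add(p)
            hosts_by_port[p].add(d)

        for host, ports in ports_by_host.items():
            key = ("portscan", src, host)
            if len(ports) >= port_threshold and key not in fired:
                fired.add(key)
                alerts.append((ts, "portscan", src, f"{len(ports)} ports on {host}"))
        for port, hosts in hosts_by_port.items():
            key = ("sweep", src, port)
            if len(hosts) >= host_threshold and key not in fired:
                fired.add(key)
                alerts.append((ts, "sweep", src, f"port {port} on {len(hosts)} hosts"))
    return alerts


# Constructed sample flows: (ts, src, dst, dport, proto)
SAMPLE_FLOWS = (
    # ordinary browsing from 10.0.0.7
    [(1.0, "10.0.0.7", "10.0.1.10", 80, "tcp"), (2.0, "10.0.0.7", "10.0.1.10", 443, "tcp")]
    # fast vertical scan: six ports on one host within three seconds
    + [(10.0 + 0.5 * i, "10.0.0.5", "10.0.1.10", port, "tcp")
       for i, port in enumerate((21, 22, 23, 25, 80, 443))]
    # horizontal sweep: SMB port on six hosts within six seconds
    + [(20.0 + i, "10.0.0.9", f"10.0.1.{i + 1}", 445, "tcp") for i in range(6)]
    # slow scan: the same six ports, 15 s apart, so never five inside a 10 s window
    + [(100.0 + 15.0 * i, "10.0.0.11", "10.0.1.10", port, "tcp")
       for i, port in enumerate((21, 22, 23, 25, 80, 443))]
)


def offenders(flows=SAMPLE_FLOWS):
    """Set of (kind, src) pairs that crossed a threshold."""
    return {(kind, src) for _ts, kind, src, _detail in detect(flows)}


if __name__ == "__main__":
    for ts, kind, src, detail in detect(SAMPLE_FLOWS):
        print(f"t={ts:6.1f} {kind:9s} {src:10s} {detail}")
```

Widening the window (detect(SAMPLE_FLOWS, window=100.0)) catches the slow scanner as well, at the price of keeping more state per source and more false positives from legitimately busy hosts; tuning that trade-off per segment is exactly the "difficult to tune" problem raised later in the deployment slides.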
Protocol inspection and normalisation
● Locating unusual patterns within protocols
  – Improves detection accuracy
  – Translates the network stream into "how the victim is going to interpret the stream", so that signatures match what the target actually processes
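An added example (not from the slides or from Suricata's libhtp) of what "how the victim is going to interpret the stream" means for a signature: a toy HTTP URI normaliser that percent-decodes, folds backslashes and resolves dot segments, run next to a plain content match over constructed request URIs. The signature and the URIs are constructed; the two-pass decoding is an assumption standing in for the engine's configurable decoding depth. It also illustrates the "detection avoidance" challenge listed on the next slide: every encoded variant misses the raw match and hits only after normalisation.

```python
"""Signature matching before and after protocol normalisation.

Added example, not Suricata/libhtp code: a toy HTTP URI normaliser and a
content-match signature, run over constructed request URIs, to show why the
engine must see the URI the way the web server will before a pattern match
is meaningful.  The signature name and the sample URIs are constructed.
"""
from urllib.parse import unquote

# Constructed signature: (name, content that must appear in the request URI)
SIGNATURES = [("constructed: /etc/passwd traversal", "/etc/passwd")]


def normalize_uri(uri, decode_passes=2):
    """Return the path the victim's server would most likely resolve.

    Percent-decoding is repeated up to decode_passes times so that a
    double-encoded URI (%252e -> %2e -> .) is caught; real engines make the
    number of passes configurable because decoding too eagerly changes what
    some servers would see.  Backslashes are folded to slashes and '.' / '..'
    segments are resolved, which is what turns '/cgi-bin/../../etc/passwd'
    into '/etc/passwd'.
    """
    path = uri
    for _ in range(decode_passes):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def match(uri, normalize=True, decode_passes=2, signatures=SIGNATURES):
    """Names of signatures whose content occurs in the (optionally normalised) URI."""
    haystack = normalize_uri(uri, decode_passes) if normalize else uri
    return [name for name, content in signatures if content in haystack]


# Constructed request URIs: the same traversal written five ways, plus a benign one
SAMPLE_URIS = [
    "/index.html",                        # benign
    "/../../etc/passwd",                  # plain traversal
    "/cgi-bin/..%2f..%2fetc%2fpasswd",    # percent-encoded slashes
    "/%252e%252e%252fetc%252fpasswd",     # double-encoded
    "/static/./../etc/./passwd",          # dot segments
    "/cgi-bin/..\\..\\etc\\passwd",       # backslash separators
]


def compare(uris=SAMPLE_URIS):
    """Map each URI to (raw-match hits, normalised-match hits)."""
    return {uri: (match(uri, normalize=False), match(uri)) for uri in uris}


if __name__ == "__main__":
    for uri, (raw, norm) in compare().items():
        print(f"{uri:36s} raw={bool(raw)!s:5s} normalised={bool(norm)}")
```

Note the trade-off the decode_passes parameter exposes: with a single pass the double-encoded URI is not caught, with two passes it is, but a server that decodes only once would have served a 404 for that request, so the extra pass can also create false positives. That is why the normaliser has to be tuned to the asset it protects, which the deployment slides below return to.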
NIDS Challenges
● Throughput
● Accuracy of detection
● Detection avoidance (evasion) mechanisms
NIPS
● NIPS – Network Intrusion Prevention Systems
● Adds response capabilities to the NIDS engine
● Response examples
  – Rejecting traffic
  – Dropping traffic
  – Quarantine
  – Informing other devices to perform containment
How does it fit in the network?
[Diagram: Employee zone, Boss zone and Server zone segments, with the NIDS/NIPS sensor at the perimeter]
Protecting everything
● Listening on the perimeter or between segments
● Difficult to tune
● Has to understand "everything"
Protecting most valuable assets
[Diagram: the NIDS/NIPS sensor placed directly in front of the Server area; Employee zone and Boss zone are not inspected]
● Listening in front of the most critical assets
● Tuned to understand the behavior of the asset
● Specific signatures only
● Higher throughput
Deployment caveats
● Ethical concerns
  – Never use technology like NIDS to perform unethical or malicious activity
● Legal issues
Motto:
Everyone thinks they won't get caught.
Everyone can't be right.
Do you want to take that chance?
Legal issues – CZ (zákon č. 40/2009 Sb., Act No. 40/2009 Coll., the Czech Criminal Code)
● § 180 – unauthorised handling of personal data, i.e. collecting information on the basis of which a specific person can be identified
● § 181 – damage to the rights of others – a very broadly defined offence covering the infringement of any right; it must, however, chiefly involve misleading a specific person, and that person must suffer serious harm
● § 182 – breach of the confidentiality of transmitted messages – in particular para. 1(b): whoever intentionally breaches the confidentiality of data messages etc. It is effectively the counterpart of the secrecy of correspondence: reading other people's mail should always be unlawful, but reading messages does not necessarily constitute a criminal offence if your conduct is not socially dangerous. That assessment, however, always rests with the judge hearing your case
● § 183 – breach of the confidentiality of documents and other records kept in private, i.e. intrusion into private information. With the protection of privacy we come into conflict with the employer's entitlement to read an employee's mail; it always depends on the seriousness of the information disclosed or obtained
● A considerable number of other criminal offences can also be committed, but there computer programs play a supporting role, i.e. they are a means of committing the offence. This mainly concerns the possibility of intercepting sensitive information and then exploiting it
Disclaimer - CZ
● The facts presented in this lecture are intended solely for the proper use of the computer program concerned.
● There is a very thin line to possible misuse of this computer program, in particular the possibility of fulfilling the elements of certain criminal offences.
● This type of crime is currently on the rise and is receiving considerable attention from the police: special computer-crime departments are being set up, which was not the case before.
● I recommend using the facts presented in this lecture only in a lawful manner, since by misusing this program you may commit a criminal act punishable by imprisonment of up to 10 years.
NIDS/NIPS Q/A
● Any questions?
Introduction to OISF
● Open Information Security Foundation (OISF) – a non-profit foundation organized to build a next-generation IDS/IPS engine
● Why is this needed?
  – Attackers are faster and better than defenders
  – Existing solutions are reaching their limits
  – Need to involve the community to address the issues
  – How many IDS engine innovations have been available to the community in the last 5 years?
Who is behind OISF?
● DHS and industry funding
● Open software
● The infosec community
● Members of OISF
  – Global defense contractors
  – Several government research groups
  – Several universities
  – Security vendors
  – Hardware manufacturers!
Suricata – Major features
● Multithreading
● Full Snort rules compatibility
● Native IPv6
● Automatic protocol detection
● Advanced HTTP parsing
● Statistical anomaly detection
Suricata – Major features II
● Native hardware acceleration support
● GPU acceleration
● IP reputation
● Distributed blocking and feedback
● And more .....
Why Suricata?
● Quite a new project
● Fully open-source
● Many experts involved
● Opportunity for research
  – GPU acceleration
  – Multithreading
  – Network protocols – finding "bad guys"
  – How to evade an IDS
  – More .....
Installing Suricata
● Let's install Suricata on Debian
● Assumptions
  – Installing Suricata into /opt/suricata/
  – Installing custom-built libraries into /opt/suricata/lib
  – Installing rules into /opt/suricata/rules
  – The username used is jerry
  – The home directory is /home/jerry
● Ready?
Installing Suricata - Preparation
● 1st step - installing the build dependencies from Debian packages
jerry@suricata:~$ su -c "/usr/bin/apt-get -y install libpcre3 libpcre3-dbg libpcre3-dev build-essential autoconf automake libtool libpcap-dev libnet1-dev libyaml-0-1 libyaml-dev zlib1g zlib1g-dev pkg-config"
Installing Suricata - Preparation
● 2nd step - downloading the current libcap-ng
jerry@suricata:~$ wget http://people.redhat.com/sgrubb/libcap-ng/libcap-ng-0.6.4.tar.gz
● 3rd step - installing libcap-ng
jerry@suricata:~$ tar -xf libcap-ng-0.6.4.tar.gz
jerry@suricata:~$ cd libcap-ng-0.6.4/
jerry@suricata:~/libcap-ng-0.6.4$ ./configure --prefix=/opt/suricata --exec-prefix=/opt/suricata
jerry@suricata:~/libcap-ng-0.6.4$ make
jerry@suricata:~/libcap-ng-0.6.4$ su -c "make install"
Installing Suricata - Suricata
● Let's download Suricata
jerry@suricata:~$ wget http://www.openinfosecfoundation.org/download/suricata-1.0.2.tar.gz
● Build it (libcap-ng lets Suricata drop root privileges after opening the capture interface, so point configure at the copy built above)
jerry@suricata:~$ tar -xf suricata-1.0.2.tar.gz
jerry@suricata:~$ cd suricata-1.0.2/
jerry@suricata:~/suricata-1.0.2$ ./configure --prefix=/opt/suricata --exec-prefix=/opt/suricata --enable-gccprotect --with-libcap_ng-includes=/opt/suricata/include --with-libcap_ng-libraries=/opt/suricata/lib
jerry@suricata:~/suricata-1.0.2$ make
jerry@suricata:~/suricata-1.0.2$ su -c "make install"
Suricata – Little finishing touch
● Create the output and rules directories
jerry@suricata:~/suricata-1.0.2$ su -c "/bin/mkdir -p /var/log/suricata"
jerry@suricata:~/suricata-1.0.2$ su -c "mkdir /opt/suricata/rules && /bin/chown jerry /opt/suricata/rules"
● Copy the configuration file
jerry@suricata:~/suricata-1.0.2$ su -c "/bin/mkdir -p /opt/suricata/etc && /bin/cp suricata.yaml /opt/suricata/etc/"
● We'll deal with the configuration later ;)
Rule Management - Oinkmaster
● Let's cheat a little bit and install Oinkmaster from packages
jerry@suricata:~/suricata-1.0.2$ su -c "/usr/bin/apt-get -y install oinkmaster"
● Rule download
modify /etc/oinkmaster.conf - add a new url ->
url = http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz
modify /etc/oinkmaster.conf - comment out (#) tmpdir
modify /etc/oinkmaster.conf - feel free to add the Sourcefire VRT-30 or VRT subscription rules
● Sync the rules (the rules directory is owned by jerry, so this runs unprivileged)
jerry@suricata:~/suricata-1.0.2$ /usr/sbin/oinkmaster -o /opt/suricata/rules/
Persuading Suricata to run
● So we have
  – Suricata
  – A new ruleset
● What's next?
● Final configuration and a "test fire"
Final Configuration
● Modify /opt/suricata/etc/suricata.yaml
classification-file: /opt/suricata/rules/classification.config
default-rule-path: /opt/suricata/rules/
Let's Run
● Run it
suricata:/opt/suricata# /opt/suricata/bin/suricata -c /opt/suricata/etc/suricata.yaml -i eth0
● Let's check :)
suricata:/opt/suricata# /usr/bin/tail -f /var/log/suricata/fast.log
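To go beyond tail -f, here is an added example (not part of the slides or of Suricata) that parses fast.log records into fields and counts alerts by signature, source and classification, so a first look at a sensor shows which rules and hosts dominate. The log lines, the local sids (1000000+ range) and the addresses are constructed; the line layout is the standard one-line fast.log record described in the code comment.

```python
"""Parse and summarise Suricata fast.log alerts.

Added example, not part of the original slides or of Suricata: a parser for
the one-line fast.log format
  "<timestamp>  [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {PROTO} src:port -> dst:port"
and a summary of which signatures and sources dominate.  The log lines, sids
(local 1000000+ range) and addresses below are constructed for the example.
"""
import re
from collections import Counter

FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<classification>[^\]]*)\]\s+)?"   # absent when the rule has no classtype
    r"\[Priority:\s*(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\S+?)(?::(?P<sport>\d+))?\s+->\s+"                    # ICMP records carry no ports
    r"(?P<dst>\S+?)(?::(?P<dport>\d+))?$"
)


def parse_fast_log(lines):
    """Return (alerts, unparsed): parsed alerts as dicts, plus lines that did not match."""
    alerts, unparsed = [], []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        m = FAST_LOG_RE.match(line)
        if not m:
            unparsed.append(line)
            continue
        a = m.groupdict()
        for key in ("gid", "sid", "rev", "priority"):
            a[key] = int(a[key])
        a["sport"] = int(a["sport"]) if a["sport"] else None
        a["dport"] = int(a["dport"]) if a["dport"] else None
        alerts.append(a)
    return alerts, unparsed


def summarize(alerts):
    """Counts per signature (sid, msg), per source address, and per classification."""
    return {
        "by_signature": Counter((a["sid"], a["msg"]) for a in alerts),
        "by_source": Counter(a["src"] for a in alerts),
        "by_classification": Counter(a["classification"] or "unclassified" for a in alerts),
    }


# Constructed fast.log lines (local sids, private and documentation addresses)
SAMPLE_FAST_LOG = """\
10/05/2010-14:02:11.318722  [**] [1:1000001:1] LOCAL SCAN SSH probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.5:51123 -> 10.0.0.1:22
10/05/2010-14:02:11.402118  [**] [1:1000001:1] LOCAL SCAN SSH probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.5:51124 -> 10.0.0.2:22
10/05/2010-14:02:12.000341  [**] [1:1000002:3] LOCAL POLICY Suspicious User-Agent [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.1.20:40211 -> 203.0.113.8:80
10/05/2010-14:02:13.771005  [**] [1:1000003:1] LOCAL ICMP large echo request [**] [Priority: 3] {ICMP} 192.168.1.5 -> 10.0.0.1
this line is not a fast.log record
"""


def report(text=SAMPLE_FAST_LOG):
    """Parse the text and return its summary together with the number of unparsed lines."""
    alerts, unparsed = parse_fast_log(text.splitlines())
    summary = summarize(alerts)
    summary["unparsed"] = len(unparsed)
    return summary


if __name__ == "__main__":
    s = report()
    for (sid, msg), n in s["by_signature"].most_common():
        print(f"{n:5d}  sid {sid}  {msg}")
    for src, n in s["by_source"].most_common(3):
        print(f"{n:5d}  from {src}")
    print(f"{s['unparsed']} line(s) could not be parsed")
```

Lines that do not match are kept rather than silently dropped: a parser that discards what it does not understand is the same failure mode as an IDS that drops what it cannot decode, and a growing unparsed count is the first sign that the log format changed under you.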
Suricata GUI
● There are many front-ends and SIEMs (Security Information and Event Managers) – BASE, Sguil, Prelude IDS, OSSIM and others
● Let's make the output a little bit "user friendly" and accessible via the web
● So we'll install Barnyard2 + BASE
How it works
Suricata (unified2 output) + Barnyard2 + MySQL + ADODB + BASE
Displaying detection results
● Barnyard2 + BASE
● Let's get the packages
su -c "apt-get install mysql-server apache2 php5 php5-mysql php5-gd php-pear libmysqlclient15-dev"
● Additional files
  ● Barnyard2: http://www.securixlive.com/barnyard2/download.php
  ● BASE – version 1.3 (1.4 is not working well with php5): http://sourceforge.net/projects/secureideas/files/
  ● ADODB: http://sourceforge.net/projects/adodb/files/
GUI - Preparation
● Barnyard2
jerry@suricata:~$ wget http://www.securixlive.com/download/barnyard2/barnyard2-1.8.tar.gz
jerry@suricata:~$ tar -xf barnyard2-1.8.tar.gz
jerry@suricata:~$ cd barnyard2-1.8/
jerry@suricata:~/barnyard2-1.8$ ./configure --with-mysql --prefix=/opt/barnyard2 --exec-prefix=/opt/barnyard2
jerry@suricata:~/barnyard2-1.8$ make
jerry@suricata:~/barnyard2-1.8$ su -c "make install"
jerry@suricata:~/barnyard2-1.8$ su -c "/bin/mkdir -p /var/log/barnyard2/"
BASE installation
● BASE installation
jerry@suricata:~$ wget http://downloads.sourceforge.net/project/secureideas/BASE/base-1.3.9/base-1.3.9.tar.gz
jerry@suricata:~$ tar -xf base-1.3.9.tar.gz
jerry@suricata:~$ cd base-1.3.9/
jerry@suricata:~/base-1.3.9$ su -c "/bin/cp -r * /var/www/"
● Temporary! The web setup wizard needs to write base_conf.php into the web root; the permissions are tightened back to 0755 at the end of the installation
jerry@suricata:~/base-1.3.9$ su -c "/bin/chmod 0777 /var/www/"
BASE installation II.
● ADODB
jerry@suricata:~$ wget http://downloads.sourceforge.net/project/adodb/adodb-php5-only/adodb-511-for-php5/adodb511.tgz
jerry@suricata:~$ tar -xf adodb511.tgz
jerry@suricata:~$ su -c "/bin/cp -r adodb5 /var/www/"
Base installation III.
● MySQL configuration (ALL PRIVILEGES is convenient for a lab; a production sensor account needs only SELECT, INSERT and UPDATE on the Barnyard2 tables once the schema has been created)
jerry@suricata:~$ mysql -u root -p
mysql> CREATE DATABASE suricata;
mysql> CREATE USER 'suricata'@'localhost' IDENTIFIED BY 'S3cur3P4ssw0Rd';
mysql> GRANT ALL PRIVILEGES ON suricata.* TO 'suricata'@'localhost';
Base installation IV.
● Importing the Barnyard2 schema
jerry@suricata:~$ cd barnyard2-1.8/
jerry@suricata:~/barnyard2-1.8$ /usr/bin/mysql -u root -p suricata < schemas/create_mysql
BASE installation V.
[Screenshot: the BASE web setup wizard, first step]
BASE installation VI.
● Path to ADODB: /var/www/adodb5/
BASE installation VII.
● Database Name: suricata
● Database Host: localhost
● Database User Name: suricata
● Database Password: S3cur3P4ssw0Rd
BASE installation VIII
● Just skip :)
BASE installation IX
● Click on "Create BASE AG"
BASE installation X
● All OK
● BASE working
BASE – No data?
● No data? Let's fix that part.
edit /opt/barnyard2/etc/barnyard2.conf
config reference_file: /opt/suricata/rules/reference.config
config classification_file: /opt/suricata/rules/classification.config
config gen_file: /opt/suricata/rules/gen-msg.map
config sid_file: /opt/suricata/rules/sid-msg.map
config waldo_file: /tmp/waldo
output database: log, mysql, user=suricata password=S3cur3P4ssw0Rd dbname=suricata host=localhost
● The waldo file is Barnyard2's bookmark into the unified2 spool; keeping it in /tmp means a reboot can wipe it and the spool gets replayed into the database (the -w option used on the next slides overrides this setting)
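Barnyard2 labels events by looking sids up in the sid-msg.map it is given through config sid_file; sids it cannot find show up in BASE as generic "Snort Alert" entries. The Emerging Threats tarball ships a ready-made map, but locally written rules do not. As an added example (not from the slides, Oinkmaster or Barnyard2), the script below builds the classic "sid || msg || reference" map that barnyard2 1.x reads from a rules file, skips commented-out (disabled) rules, and reports duplicate sids and rules without a sid or msg, both of which would otherwise surface as mislabelled or missing events in BASE. The rules are constructed in the local sid range; any file path you feed it is your own.

```python
"""Generate Barnyard2's sid-msg.map from a rule set and sanity-check it.

Added example, not part of the original slides, Oinkmaster or Barnyard2: it
extracts sid, rev, msg and references from every enabled rule, emits the
classic "sid || msg || reftype,refid" lines that barnyard2 1.x reads through
'config sid_file', and reports duplicate sids and rules missing a sid or msg.
The rules below are constructed (local sid range).
"""
import re

MSG_RE = re.compile(r'\bmsg:\s*"((?:[^"\\]|\\.)*)"')   # msg may contain escaped quotes
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
REV_RE = re.compile(r"\brev:\s*(\d+)\s*;")
REF_RE = re.compile(r"\breference:\s*([^;]+?)\s*;")


def parse_rules(text):
    """Yield one dict per enabled rule; commented-out rules are skipped."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        sid = SID_RE.search(line)
        rev = REV_RE.search(line)
        msg = MSG_RE.search(line)
        yield {
            "lineno": lineno,
            "sid": int(sid.group(1)) if sid else None,
            "rev": int(rev.group(1)) if rev else None,
            "msg": msg.group(1) if msg else None,
            "refs": [r.replace(" ", "") for r in REF_RE.findall(line)],
        }


def build_sid_msg_map(text):
    """Return (map_lines, problems).

    map_lines are 'sid || msg || ref...' strings sorted by sid; problems lists
    rules that were left out because they lack a sid/msg or repeat a sid that
    an earlier rule already uses (the first occurrence wins).
    """
    seen = {}
    lines, problems = [], []
    for rule in parse_rules(text):
        if rule["sid"] is None or rule["msg"] is None:
            problems.append(f"line {rule['lineno']}: missing sid or msg")
            continue
        if rule["sid"] in seen:
            problems.append(f"line {rule['lineno']}: duplicate sid {rule['sid']} "
                            f"(first at line {seen[rule['sid']]})")
            continue
        seen[rule["sid"]] = rule["lineno"]
        lines.append(" || ".join([str(rule["sid"]), rule["msg"]] + rule["refs"]))
    lines.sort(key=lambda entry: int(entry.split(" || ", 1)[0]))
    return lines, problems


# Constructed local rules; not Emerging Threats or VRT rules
SAMPLE_RULES = r'''
# constructed local rules in the 1000000+ sid range
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"LOCAL SCAN SSH probe"; flow:to_server; content:"SSH-"; depth:4; reference:url,www.example.org/ssh-probe; classtype:attempted-recon; sid:1000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL POLICY Suspicious User-Agent MSIE 5.0"; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 5.0)"; nocase; classtype:policy-violation; sid:1000002; rev:3;)
# alert icmp any any -> $HOME_NET any (msg:"LOCAL ICMP large echo request"; itype:8; dsize:>1000; sid:1000003; rev:1;)
alert tcp any any -> $HOME_NET 445 (msg:"LOCAL SMB duplicate sid"; content:"|ff|SMB"; sid:1000001; rev:2;)
alert udp any any -> any 53 (content:"|00 00 00 01|"; sid:1000004; rev:1;)
'''


if __name__ == "__main__":
    map_lines, problems = build_sid_msg_map(SAMPLE_RULES)
    print("\n".join(map_lines))
    for problem in problems:
        print("WARNING:", problem)
```

The disabled ICMP rule (the commented-out line) is deliberately left out of the map, matching what Oinkmaster's disablesid produces in the rules file; the duplicate sid and the msg-less rule are the two mistakes that most often explain "the event is in fast.log but BASE shows a bare sid", so the warnings are worth wiring into the scheduled rule update mentioned under additional adjustments.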
Base – Installation end
● Let's install the graphs (as root) - php-pear
suricata:~# /usr/bin/pear channel-update pear.php.net
suricata:~# /usr/bin/pear upgrade PEAR
suricata:~# /usr/bin/pear install --alldeps Image_Color
suricata:~# /usr/bin/pear install --alldeps Image_Canvas-alpha
suricata:~# /usr/bin/pear install --alldeps Image_Graph-alpha
● Restore the web root permissions now that the setup wizard is done
suricata:~# /bin/chmod 0755 /var/www/
BASE - Barnyard
● Let's roll - Barnyard2!
jerry@suricata:~/barnyard2-1.8$ su - -c "/opt/barnyard2/bin/barnyard2 -c /opt/barnyard2/etc/barnyard2.conf -f suricata.alert -d /var/log/suricata/ -w /var/log/suricata/suricata.waldo"
● The -f value is the base name of the unified2 spool files in the -d directory: it must match the filename configured under the unified2-alert output in suricata.yaml, and that output must be enabled, otherwise Barnyard2 has nothing to read and BASE stays empty
BASE – final
[Screenshots: the BASE front page and alert listing populated with Suricata events]
Additional adjustments
● Starting Suricata after system startup
● Starting Barnyard2 after system startup
● Scheduling automatic rule updates with Oinkmaster followed by a Suricata restart
● Location of the "waldo" file
Live Presentation
● Detection from packet captures (Wireshark / captures / Suricata; Suricata's -r option reads a pcap file instead of sniffing an interface)
Where to get additional information?
● Suricata
  – Documents: http://www.openinfosecfoundation.org
  – Mailing lists: http://lists.openinfosecfoundation.org/mailman/listinfo
    ● Oisf-users
    ● Oisf-devel
    ● Discussion
Where to get additional information II?
● Signatures
  – Snort rules: http://www.snort.org/snort-rules/#rules
  – Snort mailing lists: http://www.snort.org/community/mailing-lists/
    ● Users, Sigs
  – Emerging Threats rules: http://rules.emergingthreats.net/
  – Emerging Threats mailing lists: http://lists.emergingthreats.net/mailman/listinfo
Q/A
● Any questions?
End of presentation
● If you have any questions, please don't hesitate to contact me or ask on the mailing lists mentioned earlier
● Have a great time discovering Suricata!
Thank you!