NIDS and Suricata IDS/IPS
Jaroslav Vorlicek ([email protected])
Matthew Jonkman (Emerging Threats)
Will Metcalf (Emerging Threats)

Agenda
● Introduction to NIDS/NIPS
● Introduction to Suricata
● Why Suricata
● Installing Suricata
● Rule management
● Displaying detection results
● Where to get additional information

Introduction to Network IDS
● NIDS – Network Intrusion Detection Systems
● Purpose – catching "bad guys"
  – Detect and alert on unusual behavior in the network
  – Detect and alert on unusual behavior inside network traffic
● Answers the question "What is going on in my network?"
● Caveat – an IDS is not "the ultimate answer to all questions of the universe", but it gives some good hints ;)

Introduction to NIDS technology
● How does it work? Three major mechanisms
  – Signatures
  – Network behavior analysis
  – Protocol inspection and normalisation

Signatures
● Finding patterns in the network stream
  – Unusual User-Agents in HTTP
  – SQL injection
  – XSS
  – Shellcode
  – Pr0n or other "policy/ethics violations"
  – Malware communicating via HTTP/IRC/IM

Network behavior analysis
● Purpose: locate unusual activity by thresholds on network activity being exceeded
  – Worms (Conficker)
  – Brute-force attacks
  – TCP/UDP/ICMP scans
  – Misconfiguration

Protocol inspection and normalisation
● Locating unusual patterns within protocols
  – Improves accuracy of detection
  – Normalises the network stream to "how the victim is going to interpret the stream", so that the sensor and the endpoint decode the traffic the same way (evasions rely on them differing)

NIDS challenges
● Throughput
● Accuracy of detection
● Detection avoidance (evasion) mechanisms

NIPS
● NIPS – Network Intrusion Prevention Systems
● Adds response capabilities to the NIDS engine
● Response examples
  – Rejecting traffic
  – Dropping traffic
  – Quarantine
  – Informing other devices to perform containment

How does it fit in the network?
[Diagram: Employee zone, Boss zone and Server zone with NIDS/NIPS sensor placement]

Protecting everything
● Listening on the perimeter or between segments
● Difficult to tune
● Has to understand "everything"

Protecting the most valuable assets
● Listening in front of the most critical assets
● Tuned to understand the behavior of the asset
● Specific signatures only
● Higher throughput

Deployment caveats
● Ethical concerns
  – Never use technology like NIDS to perform unethical or malicious activity
● Legal issues
Motto: Everyone thinks they won't get caught. Everyone can't be right. Do you want to take that chance?

Legal issues – CZ (Act No. 40/2009 Coll., the Criminal Code)
● § 180 – unauthorised handling of personal data, i.e. collecting information on the basis of which a specific person can be identified
● § 181 – damage to the rights of another; a very broadly conceived offence covering the violation of any rights, but it must chiefly involve misleading a specific person, and that person must suffer serious harm
● § 182 – breach of the secrecy of transmitted messages, especially par. 1(b): whoever intentionally breaches the secrecy of data messages etc. It is essentially the equivalent of the secrecy of correspondence; reading other people's mail should always be unlawful, although reading messages does not necessarily constitute an offence if your conduct is not socially dangerous. That assessment always depends on the judge hearing your case.
● § 183 – breach of the secrecy of documents and other records kept in private, i.e. intrusion into private information. Privacy protection: here we come into conflict with the employer's right to read employees' mail; it always depends on the seriousness of the information disclosed or obtained.
● A considerable number of other offences can also be committed, but there computer programs play more of a supporting role, i.e. as a means of committing the offence. This mainly concerns the possibility of intercepting sensitive information and then exploiting it.

Disclaimer – CZ
● The facts presented in this lecture are intended solely for proper use of the computer program in question.
● There is a very thin line to possible misuse of this program, in particular the possibility of fulfilling the elements of certain criminal offences.
● This type of crime is currently on the rise and receives considerable attention from the police; special departments for computer crime are being set up, which did not exist before.
● I recommend using the facts presented in this lecture only in a lawful manner, since misuse of this program may constitute criminal conduct for which you could face imprisonment of up to 10 years.

NIDS/NIPS Q/A
● Any questions?

Introduction to OISF
● Open Information Security Foundation (OISF) – a non-profit foundation organised to build a next-generation IDS/IPS engine
● Why is this needed?
  – Attackers are faster and better than defenders
  – Existing solutions are reaching their limits
  – The community needs to be involved to address the issues
  – How many IDS engine innovations have been available to the community in the last 5 years?

Who is behind OISF?
● DHS and industry funding
● Open software
● Infosec community
● Members of OISF
  – Global defense contractors
  – Several government research groups
  – Several universities
  – Security vendors
  – Hardware manufacturers!

Suricata – major features
● Multithreading
● Full Snort rules compatibility
● Native IPv6
● Automatic protocol detection
● Advanced HTTP parsing
● Statistical anomaly detection

Suricata – major features II
● Native hardware acceleration support
● GPU acceleration
● IP reputation
● Distributed blocking and feedback
● And more .....

Why Suricata?
● Quite a new project
● Fully open source
● Many experts involved
● Opportunity for research
  – GPU acceleration
  – Multithreading
  – Network protocols – finding "bad guys"
  – How to evade an IDS
  – More .....
Installing Suricata
● Let's install Suricata on Debian
● Assumptions
  – Installing Suricata into /opt/suricata/
  – Installing custom-built libraries into /opt/suricata/lib
  – Installing rules into /opt/suricata/rules
  – Username used is jerry
  – Home directory is /home/jerry
● Ready?

Installing Suricata – preparation
● 1st step – installing the Debian build dependencies
jerry@suricata:~$ su -c "/usr/bin/apt-get -y install libpcre3 libpcre3-dbg libpcre3-dev build-essential autoconf automake libtool libpcap-dev libnet1-dev libyaml-0-1 libyaml-dev zlib1g zlib1g-dev pkg-config"

Installing Suricata – preparation
● 2nd step – downloading the current libcap-ng
jerry@suricata:~$ wget http://people.redhat.com/sgrubb/libcap-ng/libcap-ng-0.6.4.tar.gz
● 3rd step – installing libcap-ng
jerry@suricata:~$ tar -xf libcap-ng-0.6.4.tar.gz
jerry@suricata:~$ cd libcap-ng-0.6.4/
jerry@suricata:~/libcap-ng-0.6.4$ ./configure --prefix=/opt/suricata --exec-prefix=/opt/suricata
jerry@suricata:~/libcap-ng-0.6.4$ make
jerry@suricata:~/libcap-ng-0.6.4$ su -c "make install"

Installing Suricata – Suricata
● Let's download Suricata
jerry@suricata:~$ wget http://www.openinfosecfoundation.org/download/suricata-1.0.2.tar.gz
● Build it
jerry@suricata:~$ tar -xf suricata-1.0.2.tar.gz
jerry@suricata:~$ cd suricata-1.0.2/
jerry@suricata:~/suricata-1.0.2$ ./configure --prefix=/opt/suricata --exec-prefix=/opt/suricata --enable-gccprotect --with-libcap_ng-includes=/opt/suricata/include --with-libcap_ng-libraries=/opt/suricata/lib
jerry@suricata:~/suricata-1.0.2$ make
jerry@suricata:~/suricata-1.0.2$ su -c "make install"

Suricata – little finishing touch
● Create the output and rules directories
jerry@suricata:~/suricata-1.0.2$ su -c "/bin/mkdir -p /var/log/suricata"
jerry@suricata:~/suricata-1.0.2$ su -c "/bin/mkdir /opt/suricata/rules && /bin/chown jerry /opt/suricata/rules"
● Copy the configuration file
jerry@suricata:~/suricata-1.0.2$ su -c "/bin/mkdir -p /opt/suricata/etc && /bin/cp suricata.yaml /opt/suricata/etc/"
● We'll deal with configuration later ;)

Rule management – Oinkmaster
● Let's cheat a little bit and install Oinkmaster from packages
jerry@suricata:~/suricata-1.0.2$ su -c "/usr/bin/apt-get -y install oinkmaster"
● Rule download
  – modify /etc/oinkmaster.conf – add a new url:
    url = http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz
  – modify /etc/oinkmaster.conf – comment out (#) tmpdir
  – modify /etc/oinkmaster.conf – feel free to add Sourcefire VRT-30 or VRT subscription rules
● Sync rules
jerry@suricata:~/suricata-1.0.2$ /usr/sbin/oinkmaster -o /opt/suricata/rules/

Persuading Suricata to run
● So we have
  – Suricata
  – A new ruleset
● What's next? Final configuration and "test fire"

Final configuration
● Modify /opt/suricata/etc/suricata.yaml
classification-file: /opt/suricata/rules/classification.config
default-rule-path: /opt/suricata/rules/
● Check that the rule-files: list in suricata.yaml matches the file names Oinkmaster placed in /opt/suricata/rules/

Let's run
suricata:/opt/suricata# /opt/suricata/bin/suricata -c /opt/suricata/etc/suricata.yaml -i eth0
● Let's check :)
suricata:/opt/suricata# /usr/bin/tail -f /var/log/suricata/fast.log

Suricata GUI
● There are many SIEMs (Security Information and Event Managers)
  – BASE, SGUIL, Prelude IDS, OSSIM and others
● Let's make the output a little bit "user friendly" and accessible via the web
● So we'll install Barnyard2 + BASE

How it works
[Diagram: Suricata → Barnyard2 → MySQL → ADODB → BASE]

Displaying detection results
● Barnyard2 + BASE
● Let's get packages
su -c "apt-get install mysql-server apache2 php5 php5-mysql php5-gd php-pear libmysqlclient15-dev"
● Additional files
  – Barnyard2: http://www.securixlive.com/barnyard2/download.php
  – BASE – version 1.3 (1.4 does not work well with php5): http://sourceforge.net/projects/secureideas/files/
  – ADODB: http://sourceforge.net/projects/adodb/files/

GUI – preparation
● Barnyard2
jerry@suricata:~$ wget http://www.securixlive.com/download/barnyard2/barnyard2-1.8.tar.gz
jerry@suricata:~$ tar -xf barnyard2-1.8.tar.gz
jerry@suricata:~$ cd barnyard2-1.8/
jerry@suricata:~/barnyard2-1.8$ ./configure --with-mysql --prefix=/opt/barnyard2 --exec-prefix=/opt/barnyard2
jerry@suricata:~/barnyard2-1.8$ make
jerry@suricata:~/barnyard2-1.8$ su -c "make install"
jerry@suricata:~/barnyard2-1.8$ su -c "/bin/mkdir -p /var/log/barnyard2/"

BASE installation
jerry@suricata:~$ wget http://downloads.sourceforge.net/project/secureideas/BASE/base-1.3.9/base-1.3.9.tar.gz
jerry@suricata:~$ tar -xf base-1.3.9.tar.gz
jerry@suricata:~$ cd base-1.3.9/
jerry@suricata:~/base-1.3.9$ su -c "/bin/cp -r * /var/www/"
● Temporary! The web setup wizard needs to write its configuration into /var/www/; the permissions are set back to 0755 once setup is finished (see "BASE – installation end")
jerry@suricata:~/base-1.3.9$ su -c "/bin/chmod 0777 /var/www/"

BASE installation II
● ADODB
jerry@suricata:~$ wget http://downloads.sourceforge.net/project/adodb/adodb-php5-only/adodb-511-for-php5/adodb511.tgz
jerry@suricata:~$ tar -xf adodb511.tgz
jerry@suricata:~$ su -c "/bin/cp -r adodb5 /var/www/"

BASE installation III
● MySQL configuration
jerry@suricata:~$ mysql -u root -p
mysql> CREATE DATABASE suricata;
mysql> CREATE USER 'suricata'@'localhost' IDENTIFIED BY 'S3cur3P4ssw0Rd';
mysql> GRANT ALL PRIVILEGES ON suricata.* TO 'suricata'@'localhost';
● Use your own password; the one shown is a placeholder, and it will also be stored in clear text in barnyard2.conf and in the BASE configuration, so keep those files readable only by the users that need them

BASE installation IV
● Importing the Barnyard2 schema
jerry@suricata:~$ cd barnyard2-1.8/
jerry@suricata:~/barnyard2-1.8$ /usr/bin/mysql -u root -p suricata < schemas/create_mysql

BASE installation V – X (web setup wizard; screenshots in the original slides)
● Path to ADODB: /var/www/adodb5/
● Database name: suricata (MySQL database names are case-sensitive on Linux, so it must match the CREATE DATABASE above)
● Database host: localhost
● Database user name: suricata
● Database password: S3cur3P4ssw0Rd
● Step VIII – just skip :)
● Step IX – click on "Create BASE AG"
● Step X – all OK

BASE working

BASE – no data?
● No data? Let's fix that part.
edit /opt/barnyard2/etc/barnyard2.conf
config reference_file: /opt/suricata/rules/reference.config
config classification_file: /opt/suricata/rules/classification.config
config gen_file: /opt/suricata/rules/gen-msg.map
config sid_file: /opt/suricata/rules/sid-msg.map
config waldo_file: /tmp/waldo
output database: log, mysql, user=suricata password=S3cur3P4ssw0Rd dbname=suricata host=localhost

BASE – installation end
● Let's install graphs (as root) – php-pear
suricata:~# /usr/bin/pear channel-update pear.php.net
suricata:~# /usr/bin/pear upgrade PEAR
suricata:~# /usr/bin/pear install --alldeps Image_Color
suricata:~# /usr/bin/pear install --alldeps Image_Canvas-alpha
suricata:~# /usr/bin/pear install --alldeps Image_Graph-alpha
suricata:~# /bin/chmod 0755 /var/www/

BASE – Barnyard2
● Let's roll – Barnyard2!
jerry@suricata:~/barnyard2-1.8$ su - -c "/opt/barnyard2/bin/barnyard2 -c /opt/barnyard2/etc/barnyard2.conf -f suricata.alert -d /var/log/suricata/ -w /var/log/suricata/suricata.waldo"
● Barnyard2 reads Suricata's unified2 output, not fast.log: the unified2-alert output in suricata.yaml must be enabled and its filename must match the -f argument (suricata.alert here), otherwise BASE stays empty

BASE – final
BASE – final II
[Screenshots of BASE showing the imported alerts]

Additional adjustments
● Starting Suricata after system startup
● Starting Barnyard2 after system startup
● Scheduling automatic rule updates with Oinkmaster and a Suricata restart
● Location of the "waldo" file

Live presentation
● Detection from packet captures – Wireshark/Captures/Suricata

Where to get additional information?
● Suricata
  – Documents: http://www.openinfosecfoundation.org
  – Mailing lists: http://lists.openinfosecfoundation.org/mailman/listinfo
    ● Oisf-users
    ● Oisf-devel
    ● Discussion

Where to get additional information II?
● Signatures
  – Snort rules: http://www.snort.org/snort-rules/#rules
  – Snort mailing lists: http://www.snort.org/community/mailing-lists/ (Users, Sigs)
  – Emerging Threats rules: http://rules.emergingthreats.net/
  – Emerging Threats mailing lists: http://lists.emergingthreats.net/mailman/listinfo

Q/A
● Any questions?
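The "Let's check" step earlier in the deck tails fast.log by eye, and the rule-management step relies on Oinkmaster keeping the rules, classification.config and sid-msg.map consistent. As an added example that is not from the slides or the Suricata project, here is a small Python script that reads a rule file, classification.config and fast.log in the formats Suricata 1.x uses, and reports: rules whose classtype is not defined in classification.config (Suricata warns about these, and their alerts carry no Classification and only a default priority); alerts logged under a rule revision different from the one now on disk, i.e. from before the last Oinkmaster sync, when the regenerated sid-msg.map that Barnyard2 and BASE use may describe them differently; alerts for sids no longer in the rule file; and the top signatures and source addresses. Every rule, classification entry and log line is constructed for the example (sids 9000001 upwards are in the local range, addresses come from documentation ranges).

```python
"""Added example (not from the slides or the Suricata project): cross-check a rule file
against classification.config and summarise Suricata's fast.log. Every rule, classification
entry and log line here is constructed; sids 9000001+ are local, addresses are documentation ranges."""
import re
from collections import Counter

# Rule header "action proto src sport -> dst dport (options)"; only the options are kept.
# A rule commented out with '#' does not match the header and is therefore treated as disabled.
RULE_RE = re.compile(r'^(?:alert|drop|pass|reject)\s+\S+\s+\S+\s+\S+\s+[-<]>\s+\S+\s+\S+\s+\((?P<opts>.*)\)\s*$')
OPT_RE = {'msg': re.compile(r'\bmsg\s*:\s*"((?:[^"\\]|\\.)*)"'),
          'sid': re.compile(r'\bsid\s*:\s*(\d+)\s*;'),
          'rev': re.compile(r'\brev\s*:\s*(\d+)\s*;'),
          'classtype': re.compile(r'\bclasstype\s*:\s*([\w-]+)\s*;')}
# classification.config line: "config classification: name,description,priority"
CLASS_RE = re.compile(r'^config classification:\s*([\w-]+)\s*,\s*(.*?)\s*,\s*(\d+)\s*$')
# fast.log line as Suricata 1.x writes it. "[Classification: ...]" is omitted when the
# rule's classtype is not defined in classification.config, so it is optional here.
FAST_RE = re.compile(
    r'^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+'
    r'(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?\[Priority:\s*(?P<pri>\d+)\]\s+\{(?P<proto>[^}]+)\}\s+'
    r'(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)\s*$')

RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"LOCAL SCAN Potential SSH Scan"; flags:S; threshold: type threshold, track by_src, count 5, seconds 120; classtype:attempted-recon; sid:9000001; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"LOCAL POLICY Suspicious User-Agent"; flow:established,to_server; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b|)|0d 0a|"; nocase; classtype:trojan-activity; sid:9000002; rev:1;)
# alert tcp any any -> any any (msg:"LOCAL disabled rule"; sid:9000003; rev:1;)
alert tcp any any -> $HOME_NET 1433 (msg:"LOCAL MSSQL brute force"; classtype:brute-force; sid:9000004; rev:1;)
"""
CLASSIFICATION = """\
config classification: attempted-recon,Attempted Information Leak,2
config classification: trojan-activity,A Network Trojan was detected,1
"""
FAST_LOG = """\
10/27/2010-14:32:11.123456  [**] [1:9000001:1] LOCAL SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.9:40112 -> 192.0.2.10:22
10/27/2010-14:32:12.001122  [**] [1:9000001:1] LOCAL SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.9:40113 -> 192.0.2.11:22
10/27/2010-14:35:40.555555  [**] [1:9000002:1] LOCAL POLICY Suspicious User-Agent [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.0.2.25:51234 -> 198.51.100.7:80
ta [**] [1:9000002:1] LOCAL POLICY Susp
10/27/2010-14:36:01.000001  [**] [1:9000004:1] LOCAL MSSQL brute force [**] [Priority: 3] {TCP} 203.0.113.9:40200 -> 192.0.2.30:1433
10/27/2010-14:36:05.000002  [**] [1:9000009:1] LOCAL TEST rule since deleted [**] [Priority: 3] {TCP} 198.51.100.77:1025 -> 192.0.2.30:445
"""


def _opt(opts, name):
    """Value of one rule option (msg/sid/rev/classtype), or None if the rule lacks it."""
    m = OPT_RE[name].search(opts)
    return m.group(1) if m else None


def parse_rules(text):
    """Map sid -> {msg, classtype, rev} for every enabled rule in the file."""
    rules = {}
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m is None or _opt(m.group('opts'), 'sid') is None:
            continue  # disabled, malformed, or without a sid (Barnyard2/BASE cannot attribute those)
        opts = m.group('opts')
        rules[int(_opt(opts, 'sid'))] = {'msg': _opt(opts, 'msg') or '',
                                         'classtype': _opt(opts, 'classtype'),
                                         'rev': int(_opt(opts, 'rev') or 0)}
    return rules


def parse_classification(text):
    """Map classtype name -> (description, priority)."""
    return {m.group(1): (m.group(2), int(m.group(3)))
            for m in map(CLASS_RE.match, text.splitlines()) if m}


def unknown_classtypes(rules, classes):
    """sids whose classtype is not defined in classification.config."""
    return sorted(sid for sid, r in rules.items()
                  if r['classtype'] is not None and r['classtype'] not in classes)


def parse_fast_log(text):
    """Return (alerts, unparsed): one dict per well-formed line; torn lines are counted, not guessed at."""
    alerts, unparsed = [], 0
    for line in filter(str.strip, text.splitlines()):
        m = FAST_RE.match(line)
        if m is None:
            unparsed += 1
            continue
        a = m.groupdict()
        for key in ('gid', 'sid', 'rev', 'pri', 'sport', 'dport'):
            a[key] = int(a[key])
        alerts.append(a)
    return alerts, unparsed


def summarize(alerts, rules):
    """Counts per sid and per source, plus alerts that disagree with the rule file on disk:
    a different rev means the alert predates the last rule sync, an unknown sid means the
    rule has since been removed (both can make sid-msg.map / BASE describe it wrongly)."""
    return {'by_sid': Counter(a['sid'] for a in alerts),
            'by_src': Counter(a['src'] for a in alerts),
            'stale_rev': sorted({a['sid'] for a in alerts
                                 if a['sid'] in rules and a['rev'] != rules[a['sid']]['rev']}),
            'unknown_sid': sorted({a['sid'] for a in alerts if a['sid'] not in rules})}


if __name__ == '__main__':
    rules, classes = parse_rules(RULES), parse_classification(CLASSIFICATION)
    alerts, unparsed = parse_fast_log(FAST_LOG)
    print('rules with unknown classtype:', unknown_classtypes(rules, classes))
    print('alerts parsed: %d, unparsed lines: %d' % (len(alerts), unparsed))
    print(summarize(alerts, rules))
```

To run it against a real sensor, replace the three constructed strings with the contents of the .rules files under /opt/suricata/rules/, classification.config and /var/log/suricata/fast.log; the regular expressions only cover the fast.log line layout, not unified2, which is what Barnyard2 consumes.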
End of presentation
● If you have any questions, please don't hesitate to contact me or ask on the mailing lists mentioned earlier
● Have a great time discovering Suricata!
● Thank you!