Thursday, November 26, 2009
Distributed Nepenthes with PHARM
Just finished releasing version 1.0 of Nepenthes PHARM.
Nepenthes PHARM is a perfect companion to your Nepenthes honeypot installations to catch malware in the wild. PHARM is an open source client/server and web portal package which provides central reporting and analysis of your distributed Nepenthes-based honeypots.
PHARM clients are installed alongside your Nepenthes installs; they listen for any changes in the Nepenthes log files (logged_submissions and nepenthes.log) and send the logged data and the collected malware over to the host running the PHARM server.
The PHARM server munges all the data collected from the PHARM clients and provides analysis/reports of your honeypots through the PHARM web portal. On the analytical side, PHARM queries VirusTotal's publicly available data to report back the details of the malware collected.
PHARM is available for download at www.nepenthespharm.com. PHARM is developed and maintained by yours truly ME :) Parvinder S. Bhasin.
Posted by Parvinder Bhasin at 2:46 PM 6 comments
Friday, August 7, 2009
Perl and CPAN reconfigure
To reconfigure CPAN do the following:
# perl -MCPAN -e shell
When inside the shell, type:
cpan> o conf init
That's it...you will get interactive questions and answers to set up CPAN etc...cheers.
Another way to do this is just by executing cpan directly from the shell, as pointed out by chorny :) thx.
# cpan
cpan> o conf init
Again, there may be more ways to do this...choose yours :)
Posted by Parvinder Bhasin at 10:24 PM 1 comments
OpenBSD tips and tricks - adding swap on the fly
******* Adding swap on the fly *******
# dd if=/dev/zero of=/usr/swap0 bs=1024k count=64
This will create a 64MB file that we will use for adding some swap space.
Set the proper permissions on /usr/swap0 (readable and writable by root only):
# chmod 0600 /usr/swap0
Now add the swap file on the fly:
# swapctl -a /usr/swap0
Check to make sure you are using the swap by running top, or:
# swapctl -l
You can then further add the swap at boot time in /etc/rc.local by adding the swapctl command.
** Note: there may be some security implications with this, so I won't advise you to do that for a production system. This is for those times when you forgot to create a proper swap partition and now one of your programs is causing segmentation faults etc. cuz you are running out of physical memory. ** You've been cautioned, please use at your own risk.
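A small script, added here as an example (it is not part of the original post), that does the same steps but creates the file under a restrictive umask and refuses to activate a swap file that is not mode 0600 and owned by root, since whatever gets paged out lands in that file. The function names and the ls-based mode check are mine; swapctl is the only OpenBSD-specific command.

```sh
#!/bin/sh
# Added example (not from the original post): create a swap file with a
# restrictive mode and refuse to activate it unless the mode is exactly
# 0600 and the owner is root, so that memory paged out to it is not
# readable by other users. Only swapctl is OpenBSD-specific.

# Return 0 if the file's mode string (first 10 chars of ls -l, POSIX)
# is exactly -rw-------.
swapfile_mode_ok() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    [ "$mode" = "-rw-------" ]
}

# Return 0 if the file is owned by the expected user (default root).
swapfile_owner_ok() {
    owner=$(ls -ld "$1" 2>/dev/null | awk '{print $3}')
    [ "$owner" = "${2:-root}" ]
}

# Create a swap file of N megabytes (default 64). umask 077 means there
# is no window between dd and chmod in which the file is world-readable.
make_swapfile() {
    file=$1; mb=${2:-64}
    [ -e "$file" ] && { echo "$file already exists, not overwriting" >&2; return 1; }
    (umask 077 && dd if=/dev/zero of="$file" bs=1024k count="$mb") || return 1
    chmod 0600 "$file"
}

# Activate the swap file only after both checks pass.
add_swapfile() {
    file=$1
    swapfile_mode_ok "$file" || { echo "refusing: $file is not mode 0600" >&2; return 1; }
    swapfile_owner_ok "$file" root || { echo "refusing: $file is not owned by root" >&2; return 1; }
    swapctl -a "$file" && swapctl -l
}

# Usage (as root): make_swapfile /usr/swap0 64 && add_swapfile /usr/swap0
```

The same add_swapfile call can go into /etc/rc.local, so a swap file whose permissions were loosened later is never re-attached silently at boot.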
Posted by Parvinder Bhasin at 10:14 PM 0 comments
Thursday, June 18, 2009
Squid - WCCP and Cisco ASA setup
Set up squid first.
Then on the box (in this case Linux) running squid do the following:
modprobe ip_gre
iptunnel add gre1 mode gre remote $ASA_ROUTER_IDENTIFIER local $SQUID_SERVER_IP dev eth0
ifconfig gre1 inet 1.2.3.4 netmask 255.255.255.0 up
Updated to reflect a great comment from DanO'Reilly :)
The ASA_ROUTER_IDENTIFIER is first of all just an identifier, and it's the highest IP that is on your ASA. Please use the highest IP on your ASA for the iptunnel command. You can get a list of all the IPs on your ASA by doing "show ip".
Next....
Enable forwarding on the squid server:
echo 1 > /proc/sys/net/ipv4/ip_forward
Disable the reverse path filter:
echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/gre1/rp_filter
Add an iptables rule to redirect all the traffic coming in on port 80 over to the squid listening port, i.e. 3128 in this case:
iptables -t nat -A PREROUTING -i gre1 -p tcp -m tcp --dport 80 -j REDIRECT --to-port 3128
Now to configure squid.conf:
Make sure you compiled squid with transparency support (required for PF, IPFW etc). Do ./configure --help | grep transp to see all the firewalls that need this option. For Cisco ASA etc. you don't need any transparent option.
Anyways, back to squid.conf; add the following line:
http_port 3128 transparent
"transparent" is the key word here.
Now to configure WCCPv2 in squid.conf:
wccp2_router <$ASA_IP_ADDRESS>
wccp_version 4
wccp2_forwarding_method 1
wccp2_return_method 1
Enabling/configuring WCCPv2 on CISCO ASA(7.x/8.x):
I will go over two scenarios that I came across. First, for testing, I only wanted certain IPs to hit the squid box before opening it to the rest of the world. Additionally I didn't want ALL THE PROTOCOLS to go through the proxy server, only http (80). So here is what I created:
1. First I created an acl for the clients I wanted to allow access through squid for port 80:
ASA# access-list proxyclients extended permit tcp host 192.168.100.202 any eq www
2. I added an acl for my proxy servers too:
ASA# access-list proxyservers extended permit ip host 192.168.100.3 any
*** 192.168.100.3 - IP address of my squid box.
3. Now the wccp part:
ASA# wccp web-cache redirect-list proxyclients group-list proxyservers
ASA# wccp interface inside web-cache redirect in
4. Additionally you can issue:
ASA# wccp web-cache
This should get you going :)
Now if you wanted to let EVERYONE in the world go through the proxy, I would remove all the ACLs and remove one wccp line:
ASA# no access-list proxyclients extended permit tcp host 192.168.100.202 any eq www
ASA# no access-list proxyservers extended permit ip host 192.168.100.3 any
This is tricky. You have to "no" the wccp interface command first, so...
ASA# no wccp interface inside web-cache redirect in
ASA# no wccp web-cache redirect-list proxyclients group-list proxyservers
Now let's add the wccp interface command back:
ASA# wccp web-cache
ASA# wccp interface inside web-cache redirect in
At this point all your traffic hitting the firewall would be redirected to the squid server.
** Note about HTTPS transparency: packets are encrypted, so by the time they arrive at Squid it cannot understand them. In other words, I don't think HTTPS transparency is supported.
As superpaia pointed out in his comments:
important: "The only topology that the security appliance supports is when client and cache engine are behind the same interface of the security appliance and the cache engine can directly communicate with the client without going through the security appliance." from Cisco.
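Added example, not from the original post: a POSIX sh checker for the Linux host side of the setup above. It verifies that ip_forward is on, that rp_filter is off for the GRE interface (client packets arrive on gre1 with source addresses that would route back out via eth0, so a strict reverse-path check drops them; the kernel applies the larger of conf/all and the interface's own value), and that squid.conf has a transparent (or, on Squid 3.1 and later, intercept) http_port matching the REDIRECT target. The proc root and config path are parameters so the checks can be run against a constructed tree; the function names are mine.

```sh
#!/bin/sh
# Added example (not from the original post). Sanity checks for the Linux
# box receiving WCCP-redirected traffic over GRE and handing it to Squid.
# PROC root and squid.conf path are parameters so this runs against the
# live system (defaults) or a constructed tree.

sysctl_value() {    # $1 = /proc root, $2 = path under sys/net/ipv4
    cat "$1/sys/net/ipv4/$2" 2>/dev/null
}

# Forwarding must be on or packets pulled out of the tunnel go nowhere.
check_ip_forward() {   # $1 = proc root
    [ "$(sysctl_value "${1:-/proc}" ip_forward)" = "1" ]
}

# Packets enter on gre1 with the client's source address, whose return
# route is eth0; with rp_filter on, the kernel would drop them as spoofed.
# The effective value is the max of conf/all and conf/<iface>, so both
# are checked.
check_rp_filter_off() {   # $1 = proc root, $2 = interface
    [ "$(sysctl_value "$1" "conf/$2/rp_filter")" = "0" ]
}

# Squid must listen transparently on the port that the iptables REDIRECT
# rule targets; "transparent" is the pre-3.1 keyword, "intercept" the newer one.
check_transparent_port() {   # $1 = squid.conf, $2 = port
    grep -Eq "^[[:space:]]*http_port[[:space:]]+$2[[:space:]]+(transparent|intercept)" "$1"
}

# Run every check, print one line per result, return the number of failures.
wccp_host_check() {
    root=${1:-/proc}; conf=${2:-/etc/squid/squid.conf}; gre=${3:-gre1}; port=${4:-3128}
    fails=0
    if check_ip_forward "$root"; then echo "ok   ip_forward=1"
    else echo "FAIL ip_forward is not 1"; fails=$((fails+1)); fi
    for iface in all default "$gre"; do
        if check_rp_filter_off "$root" "$iface"; then echo "ok   rp_filter off on $iface"
        else echo "FAIL rp_filter is not 0 on $iface"; fails=$((fails+1)); fi
    done
    if check_transparent_port "$conf" "$port"; then echo "ok   squid listens transparently on $port"
    else echo "FAIL no transparent/intercept http_port $port in $conf"; fails=$((fails+1)); fi
    return $fails
}

# Usage on the squid box: wccp_host_check /proc /etc/squid/squid.conf gre1 3128
```

Run it after the iptunnel/echo/iptables steps and again after a reboot, since the sysctl writes above are not persistent unless they are also placed in a startup script.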
Posted by Parvinder Bhasin at 3:28 PM 24 comments
Monday, December 24, 2007
OpenBSD 4.2 IDS solution - snort and base
OpenBSD is a great system to turn into a one-box IDS solution.
** Please note: there are several ways of installing these packages: compiling them from source code, compiling and installing from ports, or simply using packages. Use the method that you prefer.
First step is to have all the pre-reqs taken care of:
Following software are required:
1. OpenBSD (os)
2. MySQL server
3. Apache
4. Php5 or 4 ( I am going to go with php5 in this blog)
5. Php5 modules
6. PEAR
7. PEAR modules
8. Snort and snort rules.
9. Adodb
10. BASE
As you can see it needs quite a few installs to turn that OpenBSD box into a full-fledged IDS system with a nice graphical interface to view IDS alerts.
I won't dive into how to install the OS (OpenBSD of course). I am going with the 4.2 OpenBSD install. Please go over my OpenBSD Tips and tricks from my other blog to do the pre-reqs.
Now to our first step: Perform the following as root
Install mysql server:
shell#> pkg_add -v mysql-server-5.0.45.tgz
** This should install all the dependencies related to mysql server.
After the install , initialize the default mysql database.
shell#> /usr/local/bin/mysql_install_db
Start mysql for first time and set root password:
shell#> /usr/local/bin/mysqld_safe &
shell#> /usr/local/bin/mysqladmin -u root password 'my-password'
** Install any further dependencies if required.
Now lets setup mysql to start automatically after the reboot:
To start MySQL from boot, edit /etc/rc.conf.local:
shell#> vi /etc/rc.conf.local
- add the following:
mysql=YES
Save and quit.
-Now edit: /etc/rc.local:
shell# vi /etc/rc.local
** After the 'starting local daemons' line and before the following echo '.', insert the following into the /etc/rc.local file:
if [ X"${mysql}" = X"YES" -a -x /usr/local/bin/mysqld_safe ]; then
        echo -n " mysqld"; /usr/local/bin/mysqld_safe --user=_mysql --log --open-files-limit=256 &
        # wait up to 6 seconds for the server socket to appear
        for i in 1 2 3 4 5 6; do
                if [ -S /var/run/mysql/mysql.sock ]; then
                        break
                else
                        sleep 1
                        echo -n "."
                fi
        done
        #
        # Apache chroot settings
        mkdir -p /var/www/var/run/mysql
        sleep 2
        ln -f /var/run/mysql/mysql.sock /var/www/var/run/mysql/mysql.sock
fi
So why the "ln -f /var/run/mysql/mysql.sock /var/www/var/run/mysql/mysql.sock"???
This line is so that Apache can access the MySQL socket from within the chrooted jail.
*** Also, don't forget to create the /var/www/var/run/mysql directory first.
Make apache startup automatically
Make sure apache starts up on boot. To do this, edit /etc/rc.conf :
shell#> vi /etc/rc.conf
edit
httpd_flags=NO to httpd_flags=""
SAVE and QUIT.
Install SNORT
To install snort, I have always found that it's better to install from PORTS instead of the pre-compiled package, so let's install it from ports here.
cd /usr/ports/net/snort
env FLAVOR="mysql flexresp" make install
** Note: use the flavor option flexresp if you would like to turn this box into an IPS instead of an IDS.
Otherwise you can omit "flexresp" from the env line.
This will install snort and also create _snort user and group.
Next step is to get the latest snort rules from http://www.snort.org - VRT certified rules.
Register with the site and get the latest VRT certified snort rules.
Extract the rules in the /etc/snort directory:
You should now see rules directory with snort rules.
Create a /var/log/snort directory: <--- this is where snort will log its findings by default.
shell#> mkdir /var/log/snort
** Alternative invocation, which chroots snort (-t) into /var/snort:
snort -c /etc/snort/snort.conf -u _snort -g _snort -t /var/snort -l /var/snort/log
We will start Snort a lot like we started MySQL:
shell#> echo "snort=YES" >> /etc/rc.conf.local
shell#> vi /etc/rc.local
Add this to the bottom of your rc.local:
if [ X"${snort}" = X"YES" -a -x /usr/local/bin/snort ]; then
        echo -n " snort"; /usr/local/bin/snort -D -d -c /etc/snort/snort.conf -u _snort -g _snort
fi
We will do the configuration of snort later lets just get the pre-reqs done first.
So now on to php installation
PHP5.0 installation
Installing php5: install the php core first:
pkg_add -v php5-core-5.2.3.tgz
Copy the php.ini-recommended file to php.ini:
cp /usr/local/share/examples/php5/php.ini-recommended /var/www/conf/php.ini
Then install the modules that you need. Note** you may not need all the modules that I am listing here, but I use them, hence :)
pkg_add -v php5-gd-5.2.3.tgz
Enable the module by typing:
/usr/local/sbin/phpxs -a gd
pkg_add -v php5-mysql-5.2.3.tgz
Enable the module by typing:
/usr/local/sbin/phpxs -a mysql
pkg_add -v php5-odbc-5.2.3.tgz
Enable the module by typing:
/usr/local/sbin/phpxs -a odbc
At this point PHP part of the installation is complete.
Now on to configuring some of the programs that we just installed.
++++++++++++++++++
Configuring APACHE for PHP5.
By default libphp5.so should be in the /usr/local/lib/php/ directory; you can double check where it is located with:
find / -name "libphp5.so"
- Now enable php in apache:
vi /var/www/conf/httpd.conf
add: under module section
LoadModule php5_module /usr/local/lib/php/libphp5.so
add: application type:
AddType application/x-httpd-php .php .php4 .php3 .htm .html
AddType application/x-httpd-php-source .phps
- Now edit the DirectoryIndex line in httpd.conf:
DirectoryIndex index.html index.htm index.php index.php5 index.php4 index.php3
- Stop and start apache :
apachectl stop
apachectl start
- Now let's test if php is working or not.
vi /var/www/htdocs/phpinfo.php
Type:
<?php phpinfo(); ?>
:wq! <---- write and quit (save & quit vi)
Try accessing the phpinfo test page and make sure it shows up. (Remove the file again once you have confirmed PHP works; it lists the server's configuration to anyone who can reach it.) ** Make sure that apache has already been started; type
httpd
to make sure, or apachectl start.
SNORT Database
Creating the SNORT database (named snort in lowercase here, to match the grant, snort.conf and base_conf.php below; MySQL database names are case-sensitive on a Unix filesystem):
mysqladmin -u root -p create snort
Ports installs the schema script for the SNORT database; find where the script is:
find / -name "create_mysql"
If you followed the above instructions on installation of snort then it should be in the ports directory:
/usr/ports/net/snort/w-snort-2.6.0.2p1-mysql-flexresp-prelude/snort-2.6.0.2/schemas/create_mysql
So now we create the tables etc. using the create_mysql script:
mysql -u root -p snort < /usr/ports/net/snort/w-snort-2.6.0.2p1-mysql-flexresp-prelude/snort-2.6.0.2/schemas/create_mysql
You can verify that the tables were created by:
mysql -u root -p snort
mysql> show tables;
Now add the snort user and set the permissions:
mysql -u root -p
mysql> use mysql;
mysql> grant all privileges on snort.* to snort@"localhost" identified by 'passwrd';
mysql> flush privileges;
Now lets move on to configuring snort to log to database
SNORT: Logging to database
Now to configure snort to log to the database. To do so, edit the snort.conf file located in /etc/snort/:
vi /etc/snort/snort.conf
First Lets configure the INTERNAL interface:
Setup HOME_NET to your INTERNAL NETWORK.
You can leave EXTERNAL_NET to any.
** again configure these according to your network.
Logging to DB:
Uncomment and change the output database lines to the following (both lines use the snort user created above rather than root, so the daemon only holds the privileges it needs; replace password with the one you set in the grant):
output database: log, mysql, user=snort password=password dbname=snort host=localhost
output database: alert, mysql, user=snort password=password dbname=snort host=localhost
- create the /var/log/snort directory if you haven't already:
mkdir /var/log/snort
To test snort with db type:
/usr/local/bin/snort -c /etc/snort/snort.conf
If you get any error, please look at it carefully; it may be that you are using rules that are incompatible with your snort version. Always match your rules to the version of snort you are using. Sometimes the easiest fix could be just commenting out the line causing the badness. I would google for the error first though.
Now we are ready to install and configure BASE.
Installing and configuring BASE
BASE relies on ADODB for snort db connectivity.
++++++++++++++++++++++++++
Get ADODB:
** Make sure you have wget installed on your OpenBSD to do this, or just browse over to the link to download adodb. The URL must be quoted: an unquoted & would put wget in the background with a truncated URL.
wget 'http://downloads.sourceforge.net/adodb/adodb496a.tgz?modtime=1191342715&big_mirror=0'
Place it in the /var/www/htdocs directory and then decompress it:
tar -zxvf adodb496a.tgz
It will create a adodb directory.
++++++++++++++++++++++++++
Install PEAR and its modules
Download & install PEAR and some of the modules that are required by base to Graph etc.:
pkg_add -v pear-1.5.0p1.tgz
This will install PEAR. Now to install the PEAR modules.
/usr/local/php/bin/pear install Image_Color
/usr/local/php/bin/pear install Log
/usr/local/php/bin/pear install Numbers_Roman
/usr/local/php/bin/pear install http://pear.php.net/get/Numbers_Words-0.13.1.tgz
/usr/local/php/bin/pear install http://pear.php.net/get/Image_Graph-0.3.0dev4.tgz
+++++++++++++++++
Installing BASE:
Download and extract BASE:
get the latest BASE from:
wget 'http://downloads.sourceforge.net/secureideas/base-1.3.9.tar.gz?modtime=1195646853&big_mirror=0'
extract the tar-gzipped file in /var/www/htdocs directory
tar -zxvf base-1.3.9.tar.gz
Rename base-1.3.9 to base
mv base-1.3.9 base
Configuring base:
cd /var/www/htdocs/base
cp base_conf.php.dist base_conf.php
EDIT base_conf.php to change the following (variable, what it is, value to use):
$DBlib_path       Full path to the ADOdb installation                  "../adodb"
$DBtype           Type of database used                                "mysql"
$BASE_urlpath     The root URI of your site                            "/base"
$alert_dbname     The alert database name                              "snort"
$alert_host       The alert database server                            "localhost"
$alert_port       The port where the database is stored                ""
                  (Leave blank if you're not running MySQL on a network socket.)
$alert_user       The username for the alert database                  "snort"
$alert_password   The password for the username                        "snort_user_password"
That is all for configuring SNORT with BASE on openbsd.
Now we are ready to test out base install:
Fire up web browser and type in the url : http://your-snort-base-server/base/
One last thing to do is copy over the signatures directory (this includes description of all the signatures in text file) from /etc/snort/doc
cp -rf /etc/snort/doc/signatures /var/www/htdocs/base
Some troubleshooting snort and base install/config
Make sure user _snort has write permissions to the /var/log/snort directory.
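Added example, not from the original post: a set of POSIX sh post-install checks for the pieces set up above. It confirms that the MySQL socket inside the Apache chroot is a hard link to the real one (Apache cannot follow a symlink that points outside /var/www, which is why the rc.local snippet uses ln -f), that /var/log/snort is owned by _snort, that snort.conf and base_conf.php name the same database (MySQL database names are case-sensitive on OpenBSD), and that httpd.conf loads php5_module. File paths are parameters so the checks also run against constructed copies; the function names are mine.

```sh
#!/bin/sh
# Added example (not from the original post). Post-install sanity checks
# for the Snort + MySQL + chrooted Apache + BASE setup described above.
# Every check takes explicit paths; ids_check() supplies the defaults
# used in the post.

# Two paths are the same hard-linked inode (ls -i is POSIX; the first
# field is the inode number). This is what the rc.local "ln -f" relies on:
# a symlink would resolve inside the chroot and never reach /var/run.
same_inode() {
    a=$(ls -di "$1" 2>/dev/null | awk '{print $1}')
    b=$(ls -di "$2" 2>/dev/null | awk '{print $1}')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

check_chroot_socket() {   # $1 = real socket, $2 = link inside the chroot
    [ -S "$1" ] || { echo "FAIL $1 is not a socket (is mysqld running?)"; return 1; }
    same_inode "$1" "$2" || { echo "FAIL $2 is not a hard link to $1"; return 1; }
    echo "ok   mysql socket reachable inside the Apache chroot"
}

# Directory owner via ls -ld (third field); /var/log/snort must belong to
# _snort or the daemon cannot write its logs.
check_owner() {   # $1 = dir, $2 = expected user
    [ "$(ls -ld "$1" 2>/dev/null | awk '{print $3}')" = "$2" ]
}

# dbname= from the first "output database:" line in snort.conf.
snort_dbname() {
    sed -n 's/^output database:.*dbname=\([^ ]*\).*/\1/p' "$1" | head -n 1
}

# $alert_dbname from base_conf.php, quoted with either " or '.
base_dbname() {
    sed -n "s/^[\$]alert_dbname[[:space:]]*=[[:space:]]*[\"']\([^\"']*\)[\"'].*/\1/p" "$1" | head -n 1
}

# Snort and BASE must agree exactly on the database name: on a Unix
# filesystem MySQL treats "SNORT" and "snort" as different databases.
check_db_consistent() {   # $1 = snort.conf, $2 = base_conf.php
    s=$(snort_dbname "$1"); b=$(base_dbname "$2")
    if [ -n "$s" ] && [ "$s" = "$b" ]; then
        echo "ok   snort.conf and base_conf.php both use database '$s'"
    else
        echo "FAIL database name mismatch: snort.conf='$s' base_conf.php='$b'"; return 1
    fi
}

# BASE is PHP, so the module must really be loaded.
check_php_module() {   # $1 = httpd.conf
    grep -Eq '^[[:space:]]*LoadModule[[:space:]]+php5_module[[:space:]]' "$1"
}

# Run all checks against the live system; returns the number of failures.
ids_check() {
    fails=0
    check_chroot_socket /var/run/mysql/mysql.sock /var/www/var/run/mysql/mysql.sock || fails=$((fails+1))
    check_owner /var/log/snort _snort && echo "ok   /var/log/snort owned by _snort" \
        || { echo "FAIL /var/log/snort is not owned by _snort"; fails=$((fails+1)); }
    check_db_consistent /etc/snort/snort.conf /var/www/htdocs/base/base_conf.php || fails=$((fails+1))
    check_php_module /var/www/conf/httpd.conf && echo "ok   php5_module loaded" \
        || { echo "FAIL php5_module is not loaded in httpd.conf"; fails=$((fails+1)); }
    return $fails
}

# Usage (as root, after everything above is started): ids_check
```

Run ids_check after a reboot as well, since the socket link is recreated by rc.local each time mysqld starts and a failure there shows up in BASE only as a vague "cannot connect" page.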
Posted by Parvinder Bhasin at 11:59 AM 13 comments
Monday, December 17, 2007
OpenBSD post install Tips & Tricks :)
After the initial install of OpenBSD , its a good idea to get the latest ports and to point your PKG_PATH to a good mirror that has pre-compiled packages.
In my case, I point to : ftp5.usa.openbsd.org.
Another good trick is to save the names of all the packages into a file so that you can easily search for pre-compiled packages.
TO GET THE LATEST PORTS:
$shell> ftp ftp.openbsd.org
ftp> get pub/OpenBSD/4.2/ports.tar.gz
Decompress the ports.tar.gz file into /usr:
$shell> tar -zxvf ports.tar.gz
PLAYING WITH PACKAGES:
First thing to do is to get the names of all the packages into a file. This will help us in searching for a particular package:
$shell> ftp ftp.openbsd.org
ftp> cd /pub/OpenBSD/4.2/packages/i386
ftp> mdir *
GIVE THE FILENAME: packages.lst
Unless you specified a path, packages.lst should be in your home directory.
Now point your PKG_PATH to a good fast mirror:
$shell> vi ~/.profile
add the following lines:
PKG_PATH=ftp://ftp5.usa.openbsd.org/pub/OpenBSD/4.2/packages/i386/
export PKG_PATH
Now since we have names of all the packages in a text file : packages.lst.
Whenever we want to look for package that is pre-compiled , just do :
$shell> grep package-name packages.lst
I get the name of the package if it exists and then i can just do:
$shell> pkg_add -v package-name
Simple trick eh??:)
Posted by Parvinder Bhasin at 3:27 PM 3 comments