Distributed Nepenthes with PHARM

Just finished releasing version 1.0 of Nepenthes PHARM.

Nepenthes PHARM is a perfect companion to your Nepenthes honeypot installations to catch Malware in the wild. PHARM is an Open Source client/server and web portal package, which provides central reporting and analysis of your distributed Nepenthes based honeypots.

PHARM Clients are installed on along with your Nepenthes installs, PHARM clients listen for any changes in nepenthes log files (logged_submissions and nepenthes.log) and sends over the logged data and malware collected over to the server running the PHARM server.

PHARM server munges all the data collected from PHARM Clients and provides analysis/report of your honeypots through the PHARM Web portal. On the analytical part, Pharm actually queries Virus total's publicly available data to report back the detail of the malware collected.

PHARM is available for download at www.nepenthespharm.com . PHARM is developed and maintained by yours truly ME :) Parvinder S. Bhasin.

Perl and CPAN reconfigure

To reconfigure CPAN do the following:

perl -MCPAN -e shell

When inside the shell...type:

cpan> o conf init

That's it...you will get interactive question and answer to setup CPAN etc...cheers.

Another way to do this is ..just by executing cpan directly from shell.. as pointed out by chorny :) thx.
# cpan
cpan> o conf init

Again..there maybe more ways to do this...choose yours :)

OpenBSD tips and tricks - adding swap on the fly

******* Adding swap on fly *******

# dd if=/dev/zero of=/usr/swap0 bs=1024k count=64

This will create basically a 64MB file that we will use for adding some swap space.

set the proper permissions on (/usr/swap0)

# chmod 0600 /usr/swap0

Now to add the swap file on fly

# swapctl -a /usr/swap0

Check to make sure you are using swap by running top or:

# swapctl -l

You can then further add swap at boot time in /etc/rc.local by adding the swapctl command.

** Note there maybe some security implications with this ...so I won't advise you to do that for production system. This is for those times when you forgot to create proper swap partition and now one of you programs is causing segmentation faults etc cuz you are running out of physical memory. ** You've been cautioned, please use at your own risk.

Squid - WCCP and Cisco ASA setup

Setup squid first:

Then on the box (in this case LINUX) running squid do the following:

modprobe ip_gre
iptunnel add gre1 mode gre remote $ASA_ROUTER_IDENTIFIER local $SQUID_SERVER_IP dev eth0
ifconfig gre1 inet 1.2.3.4 netmask 255.255.255.0 up


Updated to reflect great comment from DanO'Reilly :)

The ASA_ROUTER_IDENTIFIER is first of all just identifier and its the highest ip that is on your ASA. Please use the highest IP on your ASA for the iptunnel command. You can get list of all the ips on your asa by doing "show ip".

Next....

Enable forwarding on squid server:


echo 1 > /proc/sys/net/ipv4/ip_forward


Disable reverse path filter.


echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/gre1/rp_filter



Add IPTABLES rule to redirect all the traffic coming on port 80 over to the squid listening port. i.e: 3128 in this case:


iptables -t nat -A PREROUTING -i gre1 -p tcp -m tcp --dport 80 -j REDIRECT --to-port 3128


Now to configure squid.conf:

Make sure you compiled squid with transparency support (required for PF , IPFW etc). Do config --help | grep transp to see all the firewalls that need this option. For Cisco ASA etc, you don't need to have any transparent option.

anyways back to squid.conf add the following line:


http_port 3128 transparent


"transparent" is the key word here.

Now to configure WCCPv2 in squid.conf:


wccp2_router <$ASA_IP_ADDRESS>
wccp_version 4
wccp2_forwarding_method 1
wccp2_return_method 1




Enabling/configuring WCCPv2 on CISCO ASA(7.x/8.x):

I will go over two scenarios that I came across. First for testing I only wanted certain IPs to hit the squid box before opening it to the rest of the world. Additionaly I didn't want ALL THE PROTOCOLS to go through the proxy server. Only http (80) to go through squid: so here is what i created:

1. First created acl for the clients I wanted to allow access through squid for port 80

ASA# access-list proxyclients extended permit tcp host 192.168.100.202 any eq www

2. I added acl for my proxy servers too.

ASA# access-list proxyservers extended permit ip host 192.168.100.3 any

*** 192.168.100.3 - IP address of my squid box.

3. Now the wccp part:

ASA# wccp web-cache redirect-list proxyclients group-list proxyservers
ASA# wccp interface inside web-cache redirect in

4. Additionaly you can issue:

ASA# wccp web-cache


This should get you going :)

Now if you wanted to let EVERYONE in the world go through and go through proxy: I would remove all the ACLs and remove one wccp line:


ASA# no access-list proxyclients extended permit tcp host 192.168.100.202 any eq www
ASA# no access-list proxyservers extended permit ip host 192.168.100.3 any

This is tricky. You have to "no" the wccp interface command first so...


ASA# no wccp interface inside web-cache redirect in
ASA# no wccp web-cache redirect-list proxyclients group-list proxyservers

Now lets add the wccp interface command back


ASA# wccp web-cache
ASA# wccp interface inside web-cache redirect in


At this point all your traffic hitting the firewall would be redirected to the squid server.

** note about https transparency: packets are encrypted ..so by the time packets arrive at SQUID ..it cannot understand. So other words https transparency, I don't think its supported.

As superpaia pointed out in his comments:

important: "The only topology that the security appliance supports is when client and cache engine are behind the same interface of the security appliance and the cache engine can directly communicate with the client without going through the security appliance." from Cisco.

OpenBSD 4.2 IDS solution - snort and base

OpenBSD is great system to turn into a one box IDS solution.

** Please note: There are several ways of installing theses packages, compiling them from source code, compiling and installing from ports or simply using packages. Use the method that you would prefer.

First step is to have all the pre-reqs taken care of:

Following software are required:

1. OpenBSD (os)
2. MySQL server
3. Apache
4. Php5 or 4 ( I am going to go with php5 in this blog)
5. Php5 modules
6. PEAR
7. PEAR modules
8. Snort and snort rules.
9. Adodb
10. BASE


As you can see it needs quite a bit of installs to turn that openbsd box into full fledged IDS system that has nice graphical interface to view IDS alerts.

I won't dive into how to install the OS (OpenBSD of course). I am going with the 4.2 OpenBSD install. Please go over my OpenBSD Tips and tricks from my other blog to do the pre-reqs.

Now to our first step: Perform the following as root

Install mysql server:

shell#> pkg_add -v mysql-server-5.0.45.tgz

** This should install all the dependencies related to mysql server.

After the install , initialize the default mysql database.


shell#> /usr/local/bin/mysql_install_db


Start mysql for first time and set root password:

shell#> /usr/local/bin/mysqld_safe &
shell#> /usr/local/bin/mysqladmin -u root password 'my-password'


** If needed install any dependencies : If required.

Now lets setup mysql to start automatically after the reboot:

To start MySQL from boot, edit /etc/rc.conf.local:

shell#> vi /etc/rc.conf.local

- add the following:

mysql=YES

Save and quit.

-Now edit: /etc/rc.local:

shell# vi /etc/rc.local

** After the 'starting local daemons' and before the following echo '.' Insert the following into the /etc/rc.local file:

if [ X"${mysql}" == X"YES" -a -x /usr/local/bin/mysqld_safe ]; then

echo -n " mysqld"; /usr/local/bin/mysqld_safe --user=_mysql --log --open-files-limit=256 &

for i in 1 2 3 4 5 6; do
if [ -S /var/run/mysql/mysql.sock ]; then
break
else
sleep 1
echo -n "."
fi
done
#
# Apache chroot Settings

mkdir -p /var/www/var/run/mysql
sleep 2
ln -f /var/run/mysql/mysql.sock /var/www/var/run/mysql/mysql.sock
fi



So why the
"ln -f /var/run/mysql/mysql.sock /var/www/var/run/mysql/mysql.sock"??? .
This line is so that apache can access mysql data socket within the chrooted jail.

*** Also, don't forget to create the /var/www/var/run/mysql directory first.

Make apache startup automatically

Make sure apache starts up on boot. To do this, edit /etc/rc.conf :

shell#> vi /etc/rc.conf


edit

httpd_flags=NO to httpd_flags=""

SAVE and QUIT.

Install SNORT

To install snort, I have always found that its better to install from PORTS instead of pre-compiled package.
so lets install it from ports here.

cd /usr/ports/net/snort
env FLAVOR="mysql flexresp" make install

** Note: Use flavor option flexresp if you would like to turn this box into an IPS instead of IDS.
Otherwise you can omit the "flexresp" from the env line.


This will install snort and also create _snort user and group.

Next step is to get the latest snort rules from http://www.snort.org - VRT certified rules.
Register with the site and get the latest VRT certified snort rules.

Extract the rules in the /etc/snort directory:

You should now see rules directory with snort rules.

Create a /var/log/snort directory: <---This is where snort will log its findings by default.
shell#>mkdir /var/log/snort




** snort -c /etc/snort/snort.conf -u _snort -g _snort -t /var/snort -l /var/snort/log

We will start Snort a lot like we started MySQL:



shell#> echo "snort=YES" >> /etc/rc.conf.local
shell#> vi /etc/rc.local


Add this to the bottom of your rc.local:


if [ X"${snort}" == X"YES" -a -x /usr/local/bin/snort ]; then
echo -n " snort"; /usr/local/bin/snort -D -d -c /etc/snort/snort.conf -u _snort -g _snort
fi



We will do the configuration of snort later lets just get the pre-reqs done first.
So now on to php installation

PHP5.0 installation

Installing php5:

Install the php core first:

pkg_add -v php5-core-5.2.3.tgz

Copy the php.ini-recommended file to php.ini:

cp /usr/local/share/examples/php5/php.ini-recommended /var/www/conf/php.ini

Then install the modules that you need. Note** you may not need all the modules that I am listing here but i use them hence.:)

pkg_add -v php5-gd-5.2.3.tgz

Enable the module by typing: /usr/local/sbin/phpxs -a gd

pkg_add -v php5-mysql-5.2.3.tgz

Enable te module by typing: /usr/local/sbin/phpxs -a mysql

pkg_add -v php5-odbc-5.2.3.tgz

Enable the module by typing : /usr/local/sbin/phpxs -a odbc

At this point PHP part of the installation is complete.

Now on to configuring some of the programs that we just installed.

++++++++++++++++++

Configuring APACHE for PHP5.

By default the liphp5.so should be in: /usr/local/lib/php/ directory , you can double check and see where its located

find / -name "libphp5.so"

- Now enable php in apache:

vi /var/www/conf/httpd.conf

add: under module section

LoadModule php5_module /usr/local/lib/php/libphp5.so

add: application type:

AddType application/x-httpd-php .php .php4 .php3 .htm .html
AddType application/x-httpd-php-source .phps

- Now edit the DirectoryIndex line in httpd.conf:

DirectoryIndex index.html index.htm index.php index.php5 index.php4 index.php3

- Stop and start apache :

apachectl stop
apachectl start


- Now lets test if php is working or not.

vi /var/www/htdocs/phpinfo.php


Type:


" "
** Remove the quotes , these are just so that you can see its code.

:wq! <---- write and quit (save & quit vi) Try accessing the phpinfo test page and make sure it shows up. ** make sure that apache has already been started. Type httpd to make sure. or apachectl start .

SNORT Database

Creating the SNORT database:

mysqladmin -u root -p create SNORT

Ports installs the schema script for SNORT database, find where the script is:

find / -name "create_mysql"

If you followed the above instructions on installation of snort then it should be in ports directory:

/usr/ports/net/snort/w-snort-2.6.0.2p1-mysql-flexresp-prelude/snort-2.6.0.2/schemas/create_mysql

so now we create tables etc using the create_mysql script:

mysql -u root -p SNORT < /usr/ports/net/snort/w-snort-2.6.0.2p1-mysql-flexresp-prelude/snort-2.6.0.2/schemas/create_mysql

You can verify if the tables were created by:


mysql -u root -p SNORT

mysql> show tables;



Now add the snort user and set the permissions:


mysql -u root -p

mysql> use mysql;
mysql> grant all privileges on snort.* to snort@"localhost" identified by 'passwrd';
mysql> flush privileges;


Now lets move on to configuring snort to log to database

SNORT: Logging to database

Now to configure snort to log to database. To do so, edit the snort.conf file located in /etc/snort/

vi /etc/snort/snort.con

First Lets configure the INTERNAL interface:

Setup HOME_NET to your INTERNAL NETWORK.

You can leave EXTERNAL_NET to any.

** again configure these according to your network.

logging to DB:

Uncomment and change the output database lines to:

output database: log, mysql, user=snort password=password dbname=snort host=localhost
output database: alert, mysql, user=root password=password dbname=snort host=localhost


- create a directory called /var/log/snort

mkdir /var/log/snort

To test snort with db type:

/usr/local/bin/snort -c /etc/snort/snort.conf

if you get any error , please look at the error carefully it maybe that you are using rules that are incompatible with the snort version. Always match your rules to the version of snort you are using. Sometime the easiest fix could be just commenting the line causing the badness. I would google for the error first though.

Now we are ready to install and configure BASE.

Installing and configuring BASE

BASE relies on ADODB for snort db connectivity.
++++++++++++++++++++++++++

Get ADODB:
** make sure you have wget installed on your openbsd to do this or just browse over to the link to download adodb.

wget http://downloads.sourceforge.net/adodb/adodb496a.tgz?modtime=1191342715&big_mirror=0

Place it in the /var/www/htdocs directory and then decompress it:

tar -zxvf adodb496a.tgz

It will create a adodb directory.

++++++++++++++++++++++++++

Install PEAR and its modules

Download & install PEAR and some of the modules that are required by base to Graph etc.:

pkg_add -v pear-1.5.0p1.tgz

This will install PEAR. Now to install the PEAR modules.

/usr/local/php/bin/pear install Image_Color
/usr/local/php/bin/pear install Log
/usr/local/php/bin/pear install Numbers_Roman
/usr/local/php/bin/pear install http://pear.php.net/get/Numbers_Words-0.13.1.tgz
/usr/local/php/bin/pear install http://pear.php.net/get/Image_Graph-0.3.0dev4.tgz


+++++++++++++++++

Installing BASE:

Download and extract BASE:

get the latest BASE from:

wget http://downloads.sourceforge.net/secureideas/base-1.3.9.tar.gz?modtime=1195646853&big_mirror=0

extract the tar-gzipped file in /var/www/htdocs directory

tar -zxvf base-1.3.9.tar.gz

Rename base-1.3.9 to base

mv base-1.3.9 base

Configuring base:



cd /var/www/htdocs/base
cp base_conf.php.dist base_conf.php


EDIT the base_conf.php to change the following:


$DBlib_path
Full path to the ADOdb installation
"../adodb"
$DBtype
Type of database used
"mysql"
$BASE_urlpath
The root URI of your site
"/base"
$alert_dbname
The alert database name
"snort"
$alert_host
The alert database server
"localhost"
$alert_port
The port where the database is stored
(Leave blank if you're not running MySQL on a network socket.)
""
$alert_user
The username for the alert database
"snort"
$alert_password
The password for the username
"snort_user_password"



That is all for configuring SNORT with BASE on openbsd.

Now we are ready to test out base install:

Fire up web browser and type in the url : http://your-snort-base-server/base/

One last thing to do is copy over the signatures directory (this includes description of all the signatures in text file) from /etc/snort/doc

cp -rf /etc/snort/doc/signatures /var/www/htdocs/base

Some troubleshooting snort and base install/config

Make sure user _snort has write permissions to the /var/log/snort directory.

OpenBSD post install Tips & Tricks :)

After the initial install of OpenBSD , its a good idea to get the latest ports and to point your PKG_PATH to a good mirror that has pre-compiled packages.

In my case, I point to : ftp5.usa.openbsd.org.
Another good trick is to save the names of all the packages into a file so that you can easily search for pre-compiled packages.

TO GET THE LATEST PORTS:

$shell> ftp ftp.openbsd.org
$shell> get pub/OpenBSD/4.2/port.tar.gz


Decompress the ports.tar.gz file to /usr

$shell> tar –zxvf ports.tar.gz

PLAYING WITH PACKAGES:

First thing to do is to get the names of all the packages into a file. This will help us in searching for a particular package:

$shell> ftp ftp.openbsd.orgcd /pub/OpenBSD/4.2/packages/i386
$shell> mdir *

GIVE THE FILENAME: packages.lst

Unless you specified a path , package.lst should be in your home directory.

Now point your PKG_PATH to a good fast mirror:

$shell> vi ~/.profile

add the following lines:

PKG_PATH=ftp://ftp5.usa.openbsd.org/pub/OpenBSD/4.2/packages/i386/
export PKG_PATH

Now since we have names of all the packages in a text file : packages.lst.
Whenever we want to look for package that is pre-compiled , just do :

$shell> grep package-name packages.lst

I get the name of the package if it exists and then i can just do:

$shell> pkg_add -v package-name


Simple trick eh??:)