#!/usr/bin/perl -w
#Add the sentence below (bear in mind that there is no Pound sign)
#to /etc/rsyslog.conf before restarting the rsyslog service.
#*.* @127.0.0.1:88
use Net::Syslogd;
use IO::Socket;
$|=1;
$email_server='192.168.0.100';
$email_domain='local.mail.com';
$email_sender='sender@mail.com';
$email_receiver='receiver@mail.com';
$syslogd_port=88;
sub sendmail($$){
$content = shift;
$subject = shift;
$sock = IO::Socket::INET->new(PeerAddr => $email_server,
PeerPort => 25,
Proto => 'tcp') || die "Cannot create Socket!\n";
$sock->send("HELO".$email_domain."\r\n");
$sock->recv($mem, 100, 0);
$sock->send("MAIL FROM: ".$email_sender."\r\n");
$sock->recv($mem, 100, 0);
$sock->send("RCPT TO: ".$email_receiver."\r\n");
$sock->recv($mem, 100, 0);
$sock->send("DATA\r\n");
$sock->recv($mem, 100, 0);
$sock->send("From: ".$email_sender."\r\n");
$sock->send("To: ".$email_receiver."\r\n");
$subject = "Subject: ".$subject."\r\n\r\n";
$sock->send($subject);
$content = $content."\r\n".'.'."\r\n";
$sock->send($content);
$sock->recv($mem, 100, 0);
$sock->send("QUIT\r\n");
$sock->recv($mem, 100, 0);
$sock->close();
}
$syslogd = Net::Syslogd->new(LocalPort=>$syslogd_port) or die "Error creating Syslogd listener: ", Net::Syslogd->error;
while (1) {
$message = $syslogd->get_message();
if (!defined($message)) {
printf "$0: %s\n", Net::Syslogd->error;
exit 1
} elsif ($message == 0) {
next
}
if (!defined($message->process_message())) {
printf "$0: %s\n", Net::Syslogd->error
} else {
$syslog_content = sprintf "%s\t%i\t%s\t%s\t%s\t%s\t%s\n",
$message->remoteaddr,
$message->remoteport,
$message->facility,
$message->severity,
$message->time,
$message->hostname,
$message->message;
#print $syslog_content;
if ($message->message=~/snort(.*): \[(.*)\] (.*) \[Classification:/){
print $syslog_content;
$alert=$3;
&sendmail($syslog_content, $alert);
}
}
}
Monday, December 26, 2016
Sunday, December 11, 2016
An example regarding Scapy scripts
#!/usr/bin/python
from scapy.all import *
ipAddr=raw_input("Target IP : ")
payloadContent=raw_input("Content : ")
packetForTest=IP(dst=ipAddr)/ ICMP()/payloadContent
send(packetForTest)
print "Sending the ICMP packet..."
print "Done!"
Test Suricata through Scapy
The configuration of suricata.yaml refers to a new-added rule named alex.rules
root@LinuxTest:~# cat /etc/suricata/suricata.yaml|grep rules
## Step 2: select the rules to enable or disable
default-rule-path: /etc/suricata/rules
- emerging-all.rules
- app-layer-events.rules
- files.rules
- stream-events.rules
- decoder-events.rules
- http-events.rules
- tls-events.rules
- dns-events.rules
#- modbus-events.rules
- smtp-events.rules
- alex.rules
The content of the alex.rules
alert icmp any any -> any any (content:"|64656D6F6E616C6578|"; msg:"Show demonalex"; sid:1000888;)
Run Suricata
root@LinuxTest:~# suricata -c /etc/suricata/suricata.yaml -i eth0
Lauch a test case through Scapy:
>>> b=IP(dst='184.0.172.222')/ICMP()/'demonalex';send(b)
.
Sent 1 packets.
Check the alert of Suricata
root@LinuxTest:~# tail -n 10 -f /var/log/suricata/fast.log
12/11/2016-15:47:22.255835 [**] [1:1000888:0] Show demonalex [**] [Classification: (null)] [Priority: 3] {ICMP} 184.0.1.189:8 -> 184.0.172.222:0
12/11/2016-15:47:22.256266 [**] [1:1000888:0] Show demonalex [**] [Classification: (null)] [Priority: 3] {ICMP} 184.0.172.222:0 -> 184.0.1.189:0
root@LinuxTest:~# cat /etc/suricata/suricata.yaml|grep rules
## Step 2: select the rules to enable or disable
default-rule-path: /etc/suricata/rules
- emerging-all.rules
- app-layer-events.rules
- files.rules
- stream-events.rules
- decoder-events.rules
- http-events.rules
- tls-events.rules
- dns-events.rules
#- modbus-events.rules
- smtp-events.rules
- alex.rules
The content of the alex.rules
alert icmp any any -> any any (content:"|64656D6F6E616C6578|"; msg:"Show demonalex"; sid:1000888;)
Run Suricata
root@LinuxTest:~# suricata -c /etc/suricata/suricata.yaml -i eth0
Lauch a test case through Scapy:
>>> b=IP(dst='184.0.172.222')/ICMP()/'demonalex';send(b)
.
Sent 1 packets.
Check the alert of Suricata
root@LinuxTest:~# tail -n 10 -f /var/log/suricata/fast.log
12/11/2016-15:47:22.255835 [**] [1:1000888:0] Show demonalex [**] [Classification: (null)] [Priority: 3] {ICMP} 184.0.1.189:8 -> 184.0.172.222:0
12/11/2016-15:47:22.256266 [**] [1:1000888:0] Show demonalex [**] [Classification: (null)] [Priority: 3] {ICMP} 184.0.172.222:0 -> 184.0.1.189:0
Some notes regarding testing Snort through Scapy
The rule for testing the NIDS engine:
alert icmp any any -> any any (content:"|64656D6F6E616C6578|"; msg:"Show demonalex"; sid:1000888;)
Launch a test case through Scapy:
>>> a=IP(dst='192.168.172.222')/ICMP()/"demonalex"
>>> send(a)
Tcpdump monitoring the conversation:
root@LinuxTest:/etc/snort/rules# tcpdump -i eth0 -Avv host 192.168.172.222 and icmp
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
15:05:28.450743 IP (tos 0x0, ttl 64, id 1, offset 0, flags [none], proto ICMP (1), length 37)
dynamic.dsl.skybest.com > xxxxxxxxxxx.local: ICMP echo request, id 0, seq 0, length 17
E..%....@.\;...........c....demonalex
15:05:28.451176 IP (tos 0x0, ttl 127, id 21335, offset 0, flags [none], proto ICMP (1), length 37)
xxxxxxxxxxx.local > dynamic.dsl.skybest.com: ICMP echo reply, id 0, seq 0, length 17
E..%SW.................c....demonalex.........
Corresponding Snort Log:
root@LinuxTest:~# tail -n 10 -f /var/log/snort/alert
[**] [1:1000888:0] Show demonalex [**]
[Priority: 0]
12/09-15:23:37.880520 192.168.1.189 -> 192.168.172.222
ICMP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:37
Type:8 Code:0 ID:0 Seq:0 ECHO
[**] [1:1000888:0] Show demonalex [**]
[Priority: 0]
12/09-15:23:37.881118 192.168.172.222 -> 192.168.1.189
ICMP TTL:127 TOS:0x0 ID:3121 IpLen:20 DgmLen:37
Type:0 Code:0 ID:0 Seq:0 ECHO REPLY
[**] [1:408:5] ICMP Echo Reply [**]
[Classification: Misc activity] [Priority: 3]
12/09-15:23:37.881118 192.168.172.222 -> 192.168.1.189
ICMP TTL:127 TOS:0x0 ID:3121 IpLen:20 DgmLen:37
Type:0 Code:0 ID:0 Seq:0 ECHO REPLY
alert icmp any any -> any any (content:"|64656D6F6E616C6578|"; msg:"Show demonalex"; sid:1000888;)
Launch a test case through Scapy:
>>> a=IP(dst='192.168.172.222')/ICMP()/"demonalex"
>>> send(a)
Tcpdump monitoring the conversation:
root@LinuxTest:/etc/snort/rules# tcpdump -i eth0 -Avv host 192.168.172.222 and icmp
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
15:05:28.450743 IP (tos 0x0, ttl 64, id 1, offset 0, flags [none], proto ICMP (1), length 37)
dynamic.dsl.skybest.com > xxxxxxxxxxx.local: ICMP echo request, id 0, seq 0, length 17
E..%....@.\;...........c....demonalex
15:05:28.451176 IP (tos 0x0, ttl 127, id 21335, offset 0, flags [none], proto ICMP (1), length 37)
xxxxxxxxxxx.local > dynamic.dsl.skybest.com: ICMP echo reply, id 0, seq 0, length 17
E..%SW.................c....demonalex.........
Corresponding Snort Log:
root@LinuxTest:~# tail -n 10 -f /var/log/snort/alert
[**] [1:1000888:0] Show demonalex [**]
[Priority: 0]
12/09-15:23:37.880520 192.168.1.189 -> 192.168.172.222
ICMP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:37
Type:8 Code:0 ID:0 Seq:0 ECHO
[**] [1:1000888:0] Show demonalex [**]
[Priority: 0]
12/09-15:23:37.881118 192.168.172.222 -> 192.168.1.189
ICMP TTL:127 TOS:0x0 ID:3121 IpLen:20 DgmLen:37
Type:0 Code:0 ID:0 Seq:0 ECHO REPLY
[**] [1:408:5] ICMP Echo Reply [**]
[Classification: Misc activity] [Priority: 3]
12/09-15:23:37.881118 192.168.172.222 -> 192.168.1.189
ICMP TTL:127 TOS:0x0 ID:3121 IpLen:20 DgmLen:37
Type:0 Code:0 ID:0 Seq:0 ECHO REPLY
Sunday, December 4, 2016
Officially update feeds for OSSIM or USM.
Directly Quoted from: https://www.alienvault.com/documentation/usm-v5/ids-configuration/updating-alienvault-nids-rules.htm
To install threat intelligence updates using the web interface
- Navigate to Configuration > Deployment > Components > AlienVault Center.
- Click the yellow arrow in the New Updates column next to the USM appliance you want to install the updates on.
- Examine the available updates.NIDS updates contain “suricata” in the package name.
- Click Update Feed Only.Note: This updates signatures and rules for all packages listed in the update summary, not just the IDS signatures.
The upgrade process can take several minutes. After completion, the page displays a message indicating a successful update.
To install threat intelligence updates in the AlienVault Setup Menu
- Launch the AlienVault console.
- Select System Preferences; press Enter (<OK>).
- Select Update AlienVault System; press Enter (<OK>).
- Select Update Threat Intelligence; press Enter (<OK>).
- Confirm your selection.Note: The AlienVault console does not show the list of available updates, but you can check the update progress.
The upgrade process can take several minutes. After completion, the console displays a message indicating a successful update.
Manually update the NVT through Shell
1) Execute the command below in order to update NVT. root@LinuxTest:~# http_proxy="http://USERNAME:PASSWORD@PROXYIP:PORT/" /usr/sbin/openvas-nvt-sync --wget
2) Restart the Openvasd via executing the following commands so that the new plugins can be reloaded into the scanner. root@LinuxTest:~# /usr/bin/openvas-stop && /usr/bin/openvas-start OR: alienvault:/usr/local/sbin/crond# /usr/bin/killall -HUP openvassd 3) In order to see whether all new plugins have been imported, "ps" command may be utilized. root@LinuxTest:~# ps -aef|grep open root 28135 1 0 13:33 ? 00:00:00 openvasmd root 28152 1 98 13:33 ? 00:01:05 openvassd: Reloaded 50450 of 50527 NVTs (99% / ETA: 00:00) root 28155 28152 0 13:33 ? 00:00:00 openvassd (Loading Handler) root 28231 21831 0 13:34 pts/0 00:00:00 grep open 4) Furthermore, as shown in the example below, "openvas-check-setup" can be used to check the status. root@LinuxTest:~# /usr/bin/openvas-check-setup
Friday, December 2, 2016
Using NMAP to test the Screening functionality within the NetScreen platform.
The nmap command below is able to determine whether or not the Screening functionality works properly.
nmap -v --min-rate 3000 --max-rate 3000 -sS 192.168.0.1-253
Please refer to https://nmap.org/book/man-performance.html to get more details.
nmap -v --min-rate 3000 --max-rate 3000 -sS 192.168.0.1-253
Please refer to https://nmap.org/book/man-performance.html to get more details.
Send SYSLOG to remote servers through Snort being hosted on Kali
root@LinuxTest:~# snort -V ,,_ -*> Snort! <*- o" )~ Version 2.9.7.0 GRE (Build 149) '''' By Martin Roesch & The Snort Team: http://www.snort.org/contact#team Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved. Copyright (C) 1998-2013 Sourcefire, Inc., et al. Using libpcap version 1.8.1 Using PCRE version: 8.39 2016-06-14 Using ZLIB version: 1.2.8 root@LinuxTest:~# cat /etc/rsyslog.conf|grep '*.*'|grep 514|grep -v '#' *.* @192.168.0.1:514 root@LinuxTest:~# cat /etc/snort/snort_syslog.conf|grep syslog|grep -v '#' output alert_syslog: host=192.168.0.1:514, LOG_LOCAL1 LOG_ALERT root@LinuxTest:~# ps -aef|grep snort root 8709 1 0 01:59 ? 00:00:02 /usr/sbin/snort -c /etc/snort/snort_syslog.conf -i eth0 -A full -D -s
P.S.: In this case, 192.168.0.1 is the remote syslogd server. Moreover, after everything above is set, rebooting the system is a must. Otherwise, the rsyslogd may not function properly.
Subscribe to:
Posts (Atom)