Monday, December 26, 2016

Send Snort alerts through emails from Syslog

#!/usr/bin/perl
# Add the line below (without the leading '#') to /etc/rsyslog.conf and
# restart the rsyslog service; it forwards every message to this listener.
#*.* @127.0.0.1:88
use strict;
use warnings;
use Net::Syslogd;
use IO::Socket;
$|=1;

my $email_server='192.168.0.100';
my $email_domain='local.mail.com';
my $email_sender='sender@mail.com';
my $email_receiver='receiver@mail.com';
my $syslogd_port=88;

# Deliver one alert as a plain SMTP message to $email_server.
sub sendmail {
    my ($content, $subject) = @_;
    my $mem;

    my $sock = IO::Socket::INET->new(PeerAddr => $email_server,
                                     PeerPort => 25,
                                     Proto => 'tcp') || die "Cannot create Socket!\n";

    # The alert text comes straight off the network: keep CR/LF out of the
    # Subject header and dot-stuff the body so that a line starting with '.'
    # cannot terminate the DATA section early.
    $subject =~ s/[\r\n]+/ /g;
    $content =~ s/^\./../mg;

    $sock->send("HELO ".$email_domain."\r\n");   # a space must follow HELO
    $sock->recv($mem, 100, 0);
    $sock->send("MAIL FROM: ".$email_sender."\r\n");
    $sock->recv($mem, 100, 0);
    $sock->send("RCPT TO: ".$email_receiver."\r\n");
    $sock->recv($mem, 100, 0);
    $sock->send("DATA\r\n");
    $sock->recv($mem, 100, 0);
    $sock->send("From: ".$email_sender."\r\n");
    $sock->send("To: ".$email_receiver."\r\n");
    $sock->send("Subject: ".$subject."\r\n\r\n");
    $sock->send($content."\r\n".'.'."\r\n");
    $sock->recv($mem, 100, 0);
    $sock->send("QUIT\r\n");
    $sock->recv($mem, 100, 0);

    $sock->close();
}

my $syslogd = Net::Syslogd->new(LocalPort=>$syslogd_port) or die "Error creating Syslogd listener: ", Net::Syslogd->error;

while (1) {
    my $message = $syslogd->get_message();

    if (!defined($message)) {
        printf "$0: %s\n", Net::Syslogd->error;
        exit 1
    } elsif ($message == 0) {
        next
    }

    if (!defined($message->process_message())) {
        printf "$0: %s\n", Net::Syslogd->error
    } else {
        my $syslog_content = sprintf "%s\t%i\t%s\t%s\t%s\t%s\t%s\n",
            $message->remoteaddr,
            $message->remoteport,
            $message->facility,
            $message->severity,
            $message->time,
            $message->hostname,
            $message->message;

        #print $syslog_content;

        # Snort's alert_syslog output looks like
        #   snort[pid]: [1:1000888:0] Show demonalex [Classification: ...] [Priority: 3] {ICMP} src -> dst
        # The Classification block is only printed when the rule has a classtype,
        # so accept either it or the Priority block as the end of the rule message.
        if ($message->message=~/snort(.*): \[(.*?)\] (.*?) \[(?:Classification|Priority):/){
            print $syslog_content;
            my $alert=$3;
            sendmail($syslog_content, $alert);
        }
    }
}
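A Python counterpart to the Perl listener above, added here as an example and not part of the original post: it parses the RFC 3164 datagrams that rsyslog forwards, decodes the PRI value into facility and severity (137 is local1.alert, the LOG_LOCAL1 LOG_ALERT pair Snort's alert_syslog output uses), extracts the Snort alert fields, and builds the e-mail with the Subject stripped of CR/LF so that rule text cannot inject extra headers. The sample datagrams are constructed; the port 88, the relay address and the sender/receiver addresses are the hypothetical values from the Perl script; `serve()` only runs when the file is executed directly.

```python
#!/usr/bin/env python3
"""Listener for Snort alerts forwarded by rsyslog: parse the datagram, mail the alert."""
import re
import smtplib
import socket
from email.message import EmailMessage

# Constructed sample datagrams, shaped like what rsyslog forwards with "*.* @127.0.0.1:88".
# PRI 137 = facility local1 (17) * 8 + severity alert (1), i.e. Snort's
# "output alert_syslog: ... LOG_LOCAL1 LOG_ALERT"; PRI 38 = auth.info.
SAMPLE_DATAGRAMS = [
    b'<137>Dec 26 10:15:02 LinuxTest snort[8709]: [1:1000888:0] Show demonalex '
    b'[Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.189 -> 192.168.172.222',
    # A rule without a classtype: Snort then omits the Classification block entirely.
    b'<137>Dec 26 10:15:02 LinuxTest snort[8709]: [1:1000888:0] Show demonalex '
    b'[Priority: 0] {ICMP} 192.168.172.222 -> 192.168.1.189',
    b'<38>Dec 26 10:15:03 LinuxTest sshd[2201]: Accepted publickey for alex from 192.168.1.50',
]

# RFC 3164 framing: <PRI>TIMESTAMP HOST TAG[pid]: MSG
SYSLOG_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>'
    r'(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) '
    r'(?P<host>\S+) '
    r'(?P<tag>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: '
    r'(?P<msg>.*)$')

# Body produced by Snort's alert_syslog output (Suricata's fast.log uses the same layout).
SNORT_RE = re.compile(
    r'^\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<name>.+?) '
    r'(?:\[Classification: (?P<classification>[^\]]*)\] )?'
    r'\[Priority: (?P<priority>\d+)\] '
    r'\{(?P<proto>[A-Z]+)\} (?P<src>\S+) -> (?P<dst>\S+)$')

FACILITIES = {0: 'kern', 1: 'user', 2: 'mail', 3: 'daemon', 4: 'auth', 5: 'syslog',
              6: 'lpr', 7: 'news', 8: 'uucp', 9: 'cron', 10: 'authpriv', 11: 'ftp'}
FACILITIES.update({16 + i: f'local{i}' for i in range(8)})
SEVERITIES = ['emerg', 'alert', 'crit', 'err', 'warning', 'notice', 'info', 'debug']

def decode_pri(pri: int):
    """Split the PRI value into (facility, severity) names."""
    return FACILITIES.get(pri // 8, f'facility{pri // 8}'), SEVERITIES[pri % 8]

def parse_syslog(datagram: bytes):
    m = SYSLOG_RE.match(datagram.decode('utf-8', errors='replace'))
    if not m:
        return None
    rec = m.groupdict()
    rec['facility'], rec['severity'] = decode_pri(int(rec.pop('pri')))
    return rec

def parse_snort_alert(msg: str):
    m = SNORT_RE.match(msg)
    return m.groupdict() if m else None

def build_alert_email(rec, alert, sender, receiver):
    msg = EmailMessage()
    msg['From'] = sender
    msg['To'] = receiver
    # Collapse CR/LF and other whitespace: the rule message is attacker-influenced text
    # and must not be allowed to inject further headers.
    msg['Subject'] = 'Snort alert: ' + ' '.join(alert['name'].split())
    fields = {**rec, **alert}
    msg.set_content('\n'.join(f'{k}: {v}' for k, v in fields.items() if v is not None))
    return msg

def dot_stuff(body: str) -> str:
    """RFC 5321 escaping for anyone writing the DATA section by hand, as the Perl script does."""
    return re.sub(r'(?m)^\.', '..', body)

def handle_datagram(datagram: bytes, sender='sender@mail.com', receiver='receiver@mail.com'):
    """Return an EmailMessage for a Snort alert datagram, or None for anything else."""
    rec = parse_syslog(datagram)
    if rec is None or rec['tag'] != 'snort':
        return None
    alert = parse_snort_alert(rec['msg'])
    return None if alert is None else build_alert_email(rec, alert, sender, receiver)

def serve(port=88, smtp_host='192.168.0.100'):
    """Blocking UDP loop; port and relay are hypothetical values copied from the Perl script."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(('127.0.0.1', port))
        while True:
            datagram, (addr, _) = sock.recvfrom(8192)
            msg = handle_datagram(datagram)
            if msg is not None:
                msg['X-Syslog-Source'] = addr
                with smtplib.SMTP(smtp_host) as smtp:
                    smtp.send_message(msg)   # smtplib dot-stuffs and uses CRLF for us

if __name__ == '__main__':
    serve()
```

Because `handle_datagram` returns the message instead of sending it, the parsing and the header sanitisation can be exercised against the constructed samples without a relay; the unauthenticated UDP listener itself accepts anything that reaches port 88, so bind it to loopback as above and let rsyslog, not the network, be its only source.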

Sunday, December 11, 2016

An example of a Scapy script

#!/usr/bin/env python3
from scapy.all import IP, ICMP, send

# Prompt for the destination and for the payload to embed in the ICMP echo request.
ipAddr = input("Target IP : ")
payloadContent = input("Content : ")

# Scapy stacks layers with '/': IP header / ICMP echo request / raw payload bytes.
packetForTest = IP(dst=ipAddr) / ICMP() / payloadContent.encode()
print("Sending the ICMP packet...")
send(packetForTest)   # layer-3 send; needs root privileges to open a raw socket

print("Done!")

Test Suricata through Scapy

The suricata.yaml configuration references a newly added rule file named alex.rules:
root@LinuxTest:~# cat /etc/suricata/suricata.yaml|grep rules
## Step 2: select the rules to enable or disable
default-rule-path: /etc/suricata/rules
- emerging-all.rules
- app-layer-events.rules
- files.rules
- stream-events.rules
- decoder-events.rules
- http-events.rules
- tls-events.rules
- dns-events.rules
#- modbus-events.rules
- smtp-events.rules
- alex.rules

The content of alex.rules:
alert icmp any any -> any any (content:"|64656D6F6E616C6578|"; msg:"Show demonalex"; sid:1000888;)

Run Suricata:
root@LinuxTest:~# suricata -c /etc/suricata/suricata.yaml -i eth0

Launch a test case through Scapy:
>>> b=IP(dst='184.0.172.222')/ICMP()/'demonalex';send(b)
.
Sent 1 packets.

Check the Suricata alerts:
root@LinuxTest:~# tail -n 10 -f /var/log/suricata/fast.log
12/11/2016-15:47:22.255835  [**] [1:1000888:0] Show demonalex [**] [Classification: (null)] [Priority: 3] {ICMP} 184.0.1.189:8 -> 184.0.172.222:0
12/11/2016-15:47:22.256266  [**] [1:1000888:0] Show demonalex [**] [Classification: (null)] [Priority: 3] {ICMP} 184.0.172.222:0 -> 184.0.1.189:0

Some notes regarding testing Snort through Scapy

The rule for testing the NIDS engine:
alert icmp any any -> any any (content:"|64656D6F6E616C6578|"; msg:"Show demonalex"; sid:1000888;)

Launch a test case through Scapy:
>>> a=IP(dst='192.168.172.222')/ICMP()/"demonalex"
>>> send(a)

Tcpdump monitoring the conversation:
root@LinuxTest:/etc/snort/rules# tcpdump -i eth0 -Avv host 192.168.172.222 and icmp
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
15:05:28.450743 IP (tos 0x0, ttl 64, id 1, offset 0, flags [none], proto ICMP (1), length 37)
    dynamic.dsl.skybest.com > xxxxxxxxxxx.local: ICMP echo request, id 0, seq 0, length 17
E..%....@.\;...........c....demonalex
15:05:28.451176 IP (tos 0x0, ttl 127, id 21335, offset 0, flags [none], proto ICMP (1), length 37)
    xxxxxxxxxxx.local > dynamic.dsl.skybest.com: ICMP echo reply, id 0, seq 0, length 17
E..%SW.................c....demonalex.........

Corresponding Snort log:
root@LinuxTest:~# tail -n 10 -f /var/log/snort/alert
[**] [1:1000888:0] Show demonalex [**]
[Priority: 0]
12/09-15:23:37.880520 192.168.1.189 -> 192.168.172.222
ICMP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:37
Type:8  Code:0  ID:0   Seq:0  ECHO

[**] [1:1000888:0] Show demonalex [**]
[Priority: 0]
12/09-15:23:37.881118 192.168.172.222 -> 192.168.1.189
ICMP TTL:127 TOS:0x0 ID:3121 IpLen:20 DgmLen:37
Type:0  Code:0  ID:0  Seq:0  ECHO REPLY

[**] [1:408:5] ICMP Echo Reply [**]
[Classification: Misc activity] [Priority: 3]
12/09-15:23:37.881118 192.168.172.222 -> 192.168.1.189
ICMP TTL:127 TOS:0x0 ID:3121 IpLen:20 DgmLen:37
Type:0  Code:0  ID:0  Seq:0  ECHO REPLY
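To reason about the Suricata and Snort test cases above without a live sensor, here is an added Python example (standard library only; not code from the post or from either project). It decodes the rule's `|64656D6F6E616C6578|` content into bytes, builds the same ICMP echo request that Scapy's `IP()/ICMP()/'demonalex'` sends (type 8, id 0, seq 0, IP id 1, 37 bytes in total, exactly as the tcpdump and Snort output show), and applies the content match to both the request and the echoed reply, which is why fast.log and the Snort alert file each record two hits per probe. The addresses are taken from the post; the function names are mine.

```python
#!/usr/bin/env python3
"""Offline check that a crafted ICMP payload satisfies a Snort/Suricata content match."""
import re
import socket
import struct

# The test rule from the post; the content is hex between pipes.
RULE = ('alert icmp any any -> any any '
        '(content:"|64656D6F6E616C6578|"; msg:"Show demonalex"; sid:1000888;)')

# One token of a content string: a |hex| run, a backslash escape, or a literal character.
CONTENT_TOKEN = re.compile(r'\|([0-9A-Fa-f ]*)\||\\(.)|(.)', re.S)

def content_to_bytes(content: str) -> bytes:
    """Decode rule content syntax: text outside pipes is literal, hex inside pipes is binary."""
    out = bytearray()
    for m in CONTENT_TOKEN.finditer(content):
        if m.group(1) is not None:
            out += bytes.fromhex(m.group(1))
        else:
            out += (m.group(2) or m.group(3)).encode('latin-1')
    return bytes(out)

def rule_content(rule: str) -> bytes:
    """Pull the first content:"..." option out of a rule and decode it."""
    m = re.search(r'content:"((?:[^"\\]|\\.)*)"', rule)
    if not m:
        raise ValueError('rule has no content option')
    return content_to_bytes(m.group(1))

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by both the IP and ICMP headers."""
    if len(data) % 2:
        data += b'\0'
    total = sum(struct.unpack('!%dH' % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_icmp_echo(src, dst, payload, icmp_type=8, ident=0, seq=0, ip_id=1, ttl=64):
    """IPv4 + ICMP echo with Scapy's defaults (id 0, seq 0, IP id 1), as seen in the captures."""
    icmp = struct.pack('!BBHHH', icmp_type, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack('!H', inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(icmp), ip_id, 0, ttl, 1, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack('!H', inet_checksum(ip)) + ip[12:]
    return ip + icmp

def icmp_payload(packet: bytes) -> bytes:
    """Strip the IPv4 header (honouring IHL) and the 8-byte ICMP header."""
    ihl = (packet[0] & 0x0F) * 4
    return packet[ihl + 8:]

def rule_matches(rule: str, packet: bytes) -> bool:
    """Plain substring test, which is what an unanchored content: option amounts to."""
    return rule_content(rule) in icmp_payload(packet)

if __name__ == '__main__':
    request = build_icmp_echo('192.168.1.189', '192.168.172.222', b'demonalex')
    reply = build_icmp_echo('192.168.172.222', '192.168.1.189', b'demonalex', icmp_type=0, ttl=127)
    for name, pkt in (('request', request), ('reply', reply)):
        print(f'{name}: {len(pkt)} bytes, matches sid 1000888: {rule_matches(RULE, pkt)}')
```

The same `build_icmp_echo` output can be written to a pcap and replayed against a sensor, which gives a repeatable regression test for a rule change without putting traffic on the wire; the substring check is only the content: part of the rule, so it says nothing about whether the sensor sees the packet at all, which is what the eth0 capture in the post verifies.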

Sunday, December 4, 2016

Officially update feeds for OSSIM or USM.

Directly Quoted from: https://www.alienvault.com/documentation/usm-v5/ids-configuration/updating-alienvault-nids-rules.htm

To install threat intelligence updates using the web interface
  1. Navigate to Configuration > Deployment > Components > AlienVault Center.
  2. Click the yellow arrow in the New Updates column next to the USM appliance you want to install the updates on.
  3. Examine the available updates.
    NIDS updates contain “suricata” in the package name.
  4. Click Update Feed Only.
    Note: This updates signatures and rules for all packages listed in the update summary, not just the IDS signatures.
The upgrade process can take several minutes. After completion, the page displays a message indicating a successful update.
To install threat intelligence updates in the AlienVault Setup Menu
  1. Launch the AlienVault console.
  2. Select System Preferences; press Enter (<OK>).
  3. Select Update AlienVault System; press Enter (<OK>).
  4. Select Update Threat Intelligence; press Enter (<OK>).
  5. Confirm your selection.
    Note: The AlienVault console does not show the list of available updates, but you can check the update progress.
The upgrade process can take several minutes. After completion, the console displays a message indicating a successful update.

Manually update the NVTs from the shell

1) Execute the command below to update the NVTs (the proxy prefix is only needed when the scanner reaches the feed through an HTTP proxy).
root@LinuxTest:~# http_proxy="http://USERNAME:PASSWORD@PROXYIP:PORT/" /usr/sbin/openvas-nvt-sync --wget
2) Restart openvassd by executing the following commands so that the new plugins are reloaded into the scanner.
root@LinuxTest:~# /usr/bin/openvas-stop && /usr/bin/openvas-start
OR:
alienvault:/usr/local/sbin/crond# /usr/bin/killall -HUP openvassd

3) Use the "ps" command to see whether all new plugins have been imported; openvassd reports its reload progress in its process title.
root@LinuxTest:~# ps -aef|grep open
root     28135     1  0 13:33 ?        00:00:00 openvasmd
root     28152     1 98 13:33 ?        00:01:05 openvassd: Reloaded 50450 of 50527 NVTs (99% / ETA: 00:00)
root     28155 28152  0 13:33 ?        00:00:00 openvassd (Loading Handler)
root     28231 21831  0 13:34 pts/0    00:00:00 grep open

4) Furthermore, "openvas-check-setup" can be used to check the status of the installation, as shown below.
root@LinuxTest:~# /usr/bin/openvas-check-setup

Friday, December 2, 2016

Using Nmap to test the Screening functionality within the NetScreen platform.

The nmap command below, a SYN scan pinned to 3000 packets per second by --min-rate and --max-rate, can be used to determine whether the Screening functionality works properly.

nmap -v --min-rate 3000 --max-rate 3000 -sS 192.168.0.1-253

Please refer to https://nmap.org/book/man-performance.html to get more details.

Send Snort alerts as syslog to a remote server from Snort hosted on Kali

root@LinuxTest:~# snort -V

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.7.0 GRE (Build 149)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
           Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.8.1
           Using PCRE version: 8.39 2016-06-14
           Using ZLIB version: 1.2.8


root@LinuxTest:~# cat /etc/rsyslog.conf|grep '*.*'|grep 514|grep -v '#'
*.*                             @192.168.0.1:514

root@LinuxTest:~# cat /etc/snort/snort_syslog.conf|grep syslog|grep -v '#'
output alert_syslog: host=192.168.0.1:514, LOG_LOCAL1 LOG_ALERT

root@LinuxTest:~# ps -aef|grep snort
root      8709     1  0 01:59 ?        00:00:02 /usr/sbin/snort -c /etc/snort/snort_syslog.conf -i eth0 -A full -D -s

P.S.: Here 192.168.0.1 is the remote syslog server. Once everything above is configured, the system must be rebooted; otherwise rsyslogd may not function properly.