Images with Network IDS Tools

Two new images with network IDS tools have been added to the ExoGENI Image Registry. Both images can be used to deploy network IDS tools in slices.
Centos 7.4 v1.0.4 BRO
Ubuntu 14.04 Security Onion

Bro Network Security Monitor is a framework for monitoring network traffic. It has built-in analyzers that inspect the traffic for many kinds of activity. The Bro web site includes documentation.

Security Onion is a Linux distro for intrusion detection, network security monitoring, and log management. It’s based on Ubuntu and contains Snort, Suricata, Bro, OSSEC, Sguil, Squert, ELSA, Xplico, NetworkMiner, and many other security tools. Detailed information can be found on the wiki and web site.

1. Configuration of Bro instance from image “Centos 7.4 v1.0.4 BRO”
Bro v2.5.2 is built from source with pf_ring and installed under the /opt directory.

A minimal starting configuration can be done by editing the /opt/bro/etc/node.cfg and /opt/bro/etc/broctl.cfg files.

Standalone:

[root@bro ~]# cat /opt/bro/etc/node.cfg 
# Example BroControl node configuration.
#
# This example has a standalone node ready to go except for possibly changing
# the sniffing interface.

# This is a complete standalone configuration.  Most likely you will
# only need to change the interface.
[bro]
type=standalone
host=localhost
interface=eth0

Cluster (multiple workers with pf_ring):

[root@bro ~]# cat /opt/bro/etc/node.cfg 
[manager]
type=manager
host=localhost
#
[proxy]
type=proxy
host=localhost

[bro-eth1]
type=worker
host=localhost
interface=eth1
lb_method=pf_ring
lb_procs=5
#pin_cpus=1,3
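The cluster layout above has one worker per dataplane interface, each split into lb_procs pf_ring processes. The following shell functions, added here as an example rather than taken from the image or from BroControl, generate that node.cfg for any number of interfaces and check that the total number of worker processes leaves a CPU free for the manager and proxy (a sizing rule of thumb assumed here, not a Bro requirement):

```shell
# Generate a BroControl node.cfg with one manager, one proxy and one
# pf_ring load-balanced worker per dataplane interface.
# Usage: gen_node_cfg <lb_procs> <iface> [<iface> ...]
gen_node_cfg() {
    lb_procs=$1
    shift
    printf '[manager]\ntype=manager\nhost=localhost\n\n'
    printf '[proxy]\ntype=proxy\nhost=localhost\n\n'
    for iface in "$@"; do
        # Section names follow the bro-<iface> convention used above.
        printf '[bro-%s]\ntype=worker\nhost=localhost\ninterface=%s\n' "$iface" "$iface"
        printf 'lb_method=pf_ring\nlb_procs=%s\n\n' "$lb_procs"
    done
}

# Sum lb_procs over every worker section of a node.cfg read from stdin.
total_lb_procs() {
    awk -F= '/^lb_procs=/ { total += $2 } END { print total + 0 }'
}

# Succeed only if the worker processes leave at least one CPU free for the
# manager and proxy (assumed rule of thumb, not a Bro requirement).
# Usage: check_cpu_budget <cpus>   (node.cfg on stdin)
check_cpu_budget() {
    cpus=$1
    procs=$(total_lb_procs)
    [ "$procs" -lt "$cpus" ]
}

# Demo: two dataplane interfaces, five pf_ring procs each, on an 8-CPU VM.
cfg=$(gen_node_cfg 5 eth1 eth2)
if printf '%s\n' "$cfg" | check_cpu_budget 8; then
    echo "node.cfg fits the CPU budget"
else
    echo "WARNING: $(printf '%s\n' "$cfg" | total_lb_procs) worker procs on 8 CPUs; lower lb_procs or use pin_cpus"
fi
```

On the VM itself, replace the fixed 8 with the output of getconf _NPROCESSORS_ONLN and redirect gen_node_cfg into /opt/bro/etc/node.cfg before running broctl deploy.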

Deploy configuration and start Bro:

[root@bro ~]# broctl deploy
checking configurations ...
installing ...
removing old policies in /opt/bro/spool/installed-scripts-do-not-touch/site ...
removing old policies in /opt/bro/spool/installed-scripts-do-not-touch/auto ...
creating policy directories ...
installing site policies ...
generating cluster-layout.bro ...
generating local-networks.bro ...
generating broctl-config.bro ...
generating broctl-config.sh ...
stopping ...
bro-eth1-1 not running
bro-eth1-2 not running
proxy not running
manager not running
starting ...
starting manager ...
starting proxy ...
starting bro-eth1-1 ...
starting bro-eth1-2 ...

[root@bro ~]# broctl status
Name         Type    Host             Status    Pid    Started
manager      manager localhost        running   1307   25 Oct 15:46:02
proxy        proxy   localhost        running   1348   25 Oct 15:46:04
bro-eth1-1   worker  localhost        running   1399   25 Oct 15:46:05
bro-eth1-2   worker  localhost        running   1401   25 Oct 15:46:05

2. Configuration of Security Onion instance from image “Ubuntu 14.04 Security Onion”

After deploying the VM, log in with SSH X11 forwarding and run sosetup.

$ ssh -Y -i ~/.ssh/id_rsa root@147.72.248.6
... [output omitted] ...

root@so-1:~# sosetup

Follow the prompts.


The next window, about network interface configuration, can be skipped since the management interface is not being changed. If it is configured here, eth0 should be selected as the management interface, using the VM's current IP address (from the 10.103.0.0/24 subnet), netmask 255.255.255.0 and default gateway 10.103.0.1.


Details about the server configuration can be found on the wiki. This sample configuration selects “Evaluation Mode”.


Dataplane interfaces (eth1, eth2, …) can be selected for monitoring.

A local user account needs to be created to access Sguil, Squert and ELSA.


Configuration changes will be committed.


Information messages pop up.


The firewall needs to be configured to allow connections to the instance. This should be done after sosetup has completed.


Configure the firewall for access to the instance (the responses typed at the prompts are the device type "a", the analyst IP address 152.54.9.188, and Enter to confirm the rule):

root@so-1:~# so-allow
This program allows you to add a firewall rule to allow connections from a new IP address.

What kind of device do you want to allow?

[a] - analyst - ports 22/tcp, 443/tcp, and 7734/tcp
[c] - apt-cacher-ng client - port 3142/tcp
[l] - syslog device - port 514
[o] - ossec agent - port 1514/udp
[s] - Security Onion sensor - 22/tcp, 4505/tcp, 4506/tcp, and 7736/tcp

If you need to add any ports other than those listed above,
you can do so using the standard 'ufw' utility.

For more information, please see the Firewall page on our Wiki:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Firewall

Please enter your selection (a - analyst, c - apt-cacher-ng client, l - syslog, o - ossec, or s - Security Onion sensor):
a
Please enter the IP address of the analyst you'd like to allow to connect to port(s) 22,443,7734:
152.54.9.188
We're going to allow connections from 152.54.9.188 to port(s) 22,443,7734.

Here's the firewall rule we're about to add:
sudo ufw allow proto tcp from 152.54.9.188 to any port 22,443,7734

We're also whitelisting 152.54.9.188 in /var/ossec/etc/ossec.conf to prevent OSSEC Active Response from blocking it.  Keep in mind, the OSSEC server will be restarted once configuration is complete.

To continue and add this rule, press Enter.
Otherwise, press Ctrl-c to exit.
PRESS ENTER
Rule added
Rule has been added.

Here is the entire firewall ruleset:
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
22,443,7734/tcp            ALLOW       152.54.9.188
22/tcp (v6)                ALLOW       Anywhere (v6)


Added whitelist entry for 152.54.9.188 in /var/ossec/etc/ossec.conf.

Restarting OSSEC Server...
Deleting PID file '/var/ossec/var/run/ossec-remoted-5006.pid' not used...
Killing ossec-monitord .. 
Killing ossec-logcollector .. 
ossec-remoted not running ..
Killing ossec-syscheckd .. 
Killing ossec-analysisd .. 
ossec-maild not running ..
Killing ossec-execd .. 
Killing ossec-csyslogd .. 
OSSEC HIDS v2.8 Stopped
Starting OSSEC HIDS v2.8 (by Trend Micro Inc.)...
Started ossec-csyslogd...
2017/10/25 16:20:23 ossec-maild: INFO: E-Mail notification disabled. Clean Exit.
Started ossec-maild...
Started ossec-execd...
Started ossec-analysisd...
Started ossec-logcollector...
Started ossec-remoted...
Started ossec-syscheckd...
Started ossec-monitord...
Completed.
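so-allow binds the analyst ports (443 for Squert/ELSA, 7734 for Sguil) to one named analyst address, and the ruleset it prints is the place to confirm that nothing wider slipped in. The following check, added here as an example and not part of Security Onion or so-allow, parses "ufw status" output and flags any rule that opens those ports to Anywhere; the sample ruleset is the one printed above plus one over-broad rule constructed for illustration:

```shell
# Flag ufw rules that expose the Security Onion analyst ports (443 and 7734)
# to Anywhere instead of a named analyst IP. Reads "ufw status" output on
# stdin, prints each offending rule, and exits non-zero if any were found.
find_open_analyst_ports() {
    awk '
        $2 == "ALLOW" && $3 == "Anywhere" {
            split($1, spec, "/")                 # "22,443,7734/tcp" -> ports, proto
            n = split(spec[1], ports, ",")
            for (i = 1; i <= n; i++)
                if (ports[i] == "443" || ports[i] == "7734") { print; found = 1; next }
        }
        END { exit found ? 1 : 0 }'
}

# Constructed sample: the ruleset from the so-allow session above plus one
# over-broad 443/tcp rule that is not on the original page.
SAMPLE_UFW_STATUS='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
22,443,7734/tcp            ALLOW       152.54.9.188
443/tcp                    ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)'

# Demo: on a live sensor, feed "sudo ufw status" instead of the sample.
if printf '%s\n' "$SAMPLE_UFW_STATUS" | find_open_analyst_ports; then
    echo "analyst ports are restricted to named hosts"
else
    echo "WARNING: the rules above open analyst ports to Anywhere; delete them with ufw and re-run so-allow for each analyst IP"
fi
```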

Check status of the services:

root@so-1:~# service nsm status
Status: securityonion
  * sguil server                                                                           [  OK  ]
Status: HIDS
  * ossec_agent (sguil)                                                                    [  OK  ]
Status: Bro
Name         Type       Host          Status    Pid    Started
bro          standalone localhost     running   7390   25 Oct 16:14:13
Status: so-1-eth1
  * netsniff-ng (full packet data)                                                         [  OK  ]
  * pcap_agent (sguil)                                                                     [  OK  ]
  * snort_agent-1 (sguil)                                                                  [  OK  ]
  * snort-1 (alert data)                                                                   [  OK  ]
  * barnyard2-1 (spooler, unified2 format)                                                 [  OK  ]

The web UI can be accessed through the public IP address of the VM; Squert and ELSA are reached through the links on that page.

