Friday, May 9, 2014

Linux with Suricata, Barnyard2 and Snorby

Introduction

Suricata, like the older and better-known Snort, is an intrusion detection / intrusion prevention system (IDS/IPS) that operates by capturing packets and searching for signatures of potentially malicious payloads.  It uses Snort-compatible rule sets and interacts with other software -- such as Barnyard2, Snorby and MySQL -- for presentation.

This article describes installing the Suricata IDS/IPS, the Barnyard2 log-exporting daemon, and the Snorby web-based front- and back-end built upon Apache, MySQL and Ruby on Rails.  There are many other considerations -- such as hardware and application configuration tuning -- but these will be addressed in other articles.

The installation shall consist of two servers: Suricata and Barnyard2 on the first at address 10.64.0.3, and Snorby, Apache, Ruby on Rails and MySQL on the second at address 10.64.0.4.

Suricata

The following series of commands will install Suricata:
#apt-get -y install libpcre3 libpcre3-dbg libpcre3-dev build-essential autoconf automake libtool libpcap-dev libnet1-dev libyaml-0-2 libyaml-dev pkg-config zlib1g zlib1g-dev libcap-ng-dev libcap-ng0 make libmagic-dev git-core libnetfilter-queue-dev libnetfilter-queue1 libnfnetlink-dev libnfnetlink0

#mkdir suricata && cd suricata && git clone git://phalanx.openinfosecfoundation.org/oisf.git && cd oisf && git clone https://github.com/ironbee/libhtp.git -b 0.5.x

#./autogen.sh && ./configure --enable-nfqueue --prefix=/usr --sysconfdir=/etc --localstatedir=/var && make && make install-full && ldconfig

Network Card Modifications

First, the NIC must be set to promiscuous mode, in which it accepts all packets, not just those whose destination is its own MAC address.  For a VirtualBox VM, this is set in the VM configuration.  That is, the VM's NIC is connected to a virtual hub (which sends each packet to every port) instead of a virtual switch (which maintains a MAC address table and only forwards a packet to the port to which the packet's destination MAC address is attached).

Network interface cards (NICs) are designed to optimize system performance by offloading work from the CPU to dedicated logic on the NIC -- the TCP Offload Engine (TOE).  TCP/IP processing requires approximately 1 Hz of processing per 1 bit/second of network traffic.  Thus, a fully utilized Gigabit Ethernet NIC, transferring 1 Gigabit/second, consumes 1 GHz of processing cycles.  That represents approximately 40% of a single 2.5 GHz processor's capacity.  The dedicated logic on the NIC frees up a significant amount of processor resources by offloading the TCP/IP processing from the CPU to the logic on the NIC.

TOE also enhances PCIe bus performance.  PCIe is inefficient at small-data transfers, such as unassembled TCP/IP traffic.  By performing the TCP/IP processing and reassembling the data into larger streams, data transfers on the PCIe bus are more efficient.

Unfortunately, the packet capture functionality of an IDS system operates not on the NIC, but within the operating system on the CPU.  If the TCP/IP processing occurs on the NIC, the packet capture will not see the Ethernet traffic as packets but as reassembled data.  This breaks the ability of the packet capturing software to read the data.  Therefore, it is necessary to disable the driver functionality that performs TOE and allow the unprocessed TCP/IP packets to reach the operating system and packet capture software.

The ethtool package provides access to driver information and configuration.  Use the ethtool -k <interface_name> command to view the current settings, as in this default output for an Intel PRO/1000 MT Desktop (82540EM) NIC:
# ethtool -k eth1
Features for eth1:
rx-checksumming: off
tx-checksumming: on
    tx-checksum-ipv4: off [fixed]
    tx-checksum-unneeded: off [fixed]
    tx-checksum-ip-generic: on
    tx-checksum-ipv6: off [fixed]
    tx-checksum-fcoe-crc: off [fixed]
    tx-checksum-sctp: off [fixed]
scatter-gather: on
    tx-scatter-gather: on
    tx-scatter-gather-fraglist: off [fixed]
tcp-segmentation-offload: on
    tx-tcp-segmentation: on
    tx-tcp-ecn-segmentation: off [fixed]
    tx-tcp6-segmentation: off [fixed]
udp-fragmentation-offload: off [fixed]
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off [fixed]
rx-vlan-offload: on
tx-vlan-offload: on [fixed]
ntuple-filters: off [fixed]
receive-hashing: off [fixed]
highdma: off [fixed]
rx-vlan-filter: on [fixed]
vlan-challenged: off [fixed]
tx-lockless: off [fixed]
netns-local: off [fixed]
tx-gso-robust: off [fixed]
tx-fcoe-segmentation: off [fixed]
fcoe-mtu: off [fixed]
tx-nocache-copy: on
loopback: off [fixed]
You may also check the ring parameters for the NIC with the ethtool -g <interface_name> command:
root@cou-gateway:~# ethtool -g eth1
Ring parameters for eth1:
Pre-set maximums:
RX: 4096
RX Mini: 0
RX Jumbo: 0
TX: 4096
Current hardware settings:
RX: 256
RX Mini: 0
RX Jumbo: 0
TX: 256

The TOE parameters are a problem and packet capturing will not work correctly.  The TOE functionality must be disabled.  The ring parameters are not optimal because the NIC supports jumbo frames (4096), but the driver is configured for 256.  If you have configured Suricata to support jumbo frames, you may increase the receive ring parameters to 4096; if not, you may increase them to 1512.  A simple post-up script applied to the end of each Ethernet interface definition in /etc/network/interfaces will optimize the NIC for packet capture (the ring sizes set here match the properly-configured output shown below):
post-up ethtool -G $IFACE rx 1512 tx 1512; for i in rx tx sg tso ufo gso gro lro; do ethtool -K $IFACE $i off; done
This is the output for a properly-configured packet capture NIC:

# ethtool -k eth0
Features for eth0:
rx-checksumming: off
tx-checksumming: off
tx-checksum-ipv4: off [fixed]
tx-checksum-unneeded: off [fixed]
tx-checksum-ip-generic: off
tx-checksum-ipv6: off [fixed]
tx-checksum-fcoe-crc: off [fixed]
tx-checksum-sctp: off [fixed]
scatter-gather: off
tx-scatter-gather: off
tx-scatter-gather-fraglist: off [fixed]
tcp-segmentation-offload: off
tx-tcp-segmentation: off
tx-tcp-ecn-segmentation: off [fixed]
tx-tcp6-segmentation: off [fixed]
udp-fragmentation-offload: off [fixed]
generic-segmentation-offload: off
generic-receive-offload: off
large-receive-offload: off [fixed]
rx-vlan-offload: on
tx-vlan-offload: on [fixed]
ntuple-filters: off [fixed]
receive-hashing: off [fixed]
highdma: off [fixed]
rx-vlan-filter: on [fixed]
vlan-challenged: off [fixed]
tx-lockless: off [fixed]
netns-local: off [fixed]
tx-gso-robust: off [fixed]
tx-fcoe-segmentation: off [fixed]
fcoe-mtu: off [fixed]
tx-nocache-copy: on
loopback: off [fixed]

# ethtool -g eth0
Ring parameters for eth0:
Pre-set maximums:
RX: 4096
RX Mini: 0
RX Jumbo: 0
TX: 4096
Current hardware settings:
RX: 1512
RX Mini: 0
RX Jumbo: 0
TX: 1512
Keep in mind that these necessary modifications will negatively impact system performance.  A live IDS/IPS system, with the large TCP/IP processing overhead, is one of the most hardware-intensive applications available.  Its hardware specifications are similar to (or exceed) those of a database server because it is so demanding of all major server components: processor, disk, network and memory IO.
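To confirm that the post-up line took effect on a capture interface, the following added check (not part of the original article) parses ethtool -k output and lists the top-level offload features from that line's list (rx tx sg tso ufo gso gro lro) that are still on. The embedded ethtool output is a constructed, abbreviated copy of the "before" listing above, and nic_capture_ready is an assumed helper name.

```shell
#!/bin/sh
# Added example: verify a NIC has its offload features disabled for packet
# capture.  check_offloads reads "ethtool -k <iface>" output on stdin, prints
# each listed top-level feature that is still "on", and returns 1 if any is.

# Top-level ethtool feature names for the short names rx tx sg tso ufo gso gro lro
OFFLOAD_FEATURES="rx-checksumming tx-checksumming scatter-gather \
tcp-segmentation-offload udp-fragmentation-offload \
generic-segmentation-offload generic-receive-offload large-receive-offload"

TAB=$(printf '\t')

check_offloads() {
    found=0
    while IFS= read -r line; do
        # Sub-features are indented (tab in real ethtool output); skip them
        case "$line" in
            " "*|"$TAB"*) continue ;;
        esac
        name=${line%%:*}
        value=${line#*: }
        value=${value%% *}          # drop any trailing "[fixed]"
        for f in $OFFLOAD_FEATURES; do
            if [ "$name" = "$f" ] && [ "$value" = "on" ]; then
                echo "$name"
                found=1
            fi
        done
    done
    return $found
}

# Assumed helper: run against a live interface (requires root and ethtool)
nic_capture_ready() {
    ethtool -k "$1" | check_offloads
}

# Constructed sample, abbreviated from the "before" listing for eth1 above
SAMPLE_BEFORE="Features for eth1:
rx-checksumming: off
tx-checksumming: on
${TAB}tx-checksum-ip-generic: on
scatter-gather: on
tcp-segmentation-offload: on
${TAB}tx-tcp-segmentation: on
udp-fragmentation-offload: off [fixed]
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off [fixed]
rx-vlan-offload: on"
```

Run as nic_capture_ready eth0 after bringing the interface up; a silent exit status of 0 means every feature the post-up line targets is off (rx-vlan-offload is deliberately not checked, as it stays on in the properly-configured output).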

Barnyard2

Barnyard2 reads Suricata log file output (in our case in the unified2 format), formats and exports it to a database (in our case MySQL).  The following series of commands will install Barnyard2:
apt-get install mysql-client libmysqlclient-dev libprelude-dev

git clone git://github.com/firnsy/barnyard2.git && cd barnyard2 && ./autogen.sh && ./configure --with-mysql --with-mysql-libraries=/usr/lib/x86_64-linux-gnu/ && make && make install

cd etc && cp barnyard2.conf /etc/suricata


Modify /etc/suricata/barnyard2.conf

Change:

config reference_file: /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file: /etc/snort/gen-msg.map
config sid_file: /etc/snort/sid-msg.map
To:
config reference_file: /etc/suricata/reference.config
config classification_file: /etc/suricata/classification.config
config gen_file: /etc/suricata/rules/gen-msg.map
config sid_file: /etc/suricata/rules/sid-msg.map
Change:
# output database: log, mysql, user=root password=test dbname=db host=localhost
To:
output database: log, mysql, user=root password=secretpassword dbname=snorby host=10.64.0.4
Change:
output alert_fast: stdout
To:
output alert_fast
Make sure the following lines are present:
config logdir: /var/log/suricata

config waldo_file: /var/log/suricata/barnyard2.waldo

config hostname: cou-ids
config interface: eth0
config daemon

Start the barnyard2 process in daemon mode with the following command (the configuration file was copied to /etc/suricata above):
#barnyard2 -c /etc/suricata/barnyard2.conf -d /var/log/suricata -f unified2.alert -D


Oinkmaster

Oinkmaster is a simple application that retrieves signature files for the Suricata IDS/IPS.  By default, Suricata looks to the /etc/suricata/rules directory for signatures and Oinkmaster will place them there.  The following command installs Oinkmaster:
#apt-get install oinkmaster
At this point, simply modify the /etc/oinkmaster.conf file to configure it to retrieve:
http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz
and place them in:
/etc/suricata/rules 

MySQL

The following command installs MySQL:
#apt-get install mysql-server mysql-client
By default, the mysql server listens on localhost only. Edit /etc/mysql/my.cnf to change the default behavior from listening on the bind-address 127.0.0.1 to the server's IP address:
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
bind-address = 10.64.0.4
#service mysql restart

Snorby

Snorby is a configuration and presentation application for Snort / Suricata data.  It requires the Apache web server with Ruby on Rails and the MySQL database.

Make sure the linux-headers for the system architecture are installed.

Debian Packages:

apt-get install gcc g++ build-essential libssl-dev libreadline6-dev zlib1g-dev libsqlite3-dev libxslt1-dev libxml2-dev imagemagick git-core libmysqlclient-dev mysql-server libmagickwand-dev default-jre ruby1.9.3 rubygems ruby-dev

Install wkhtmltopdf from Google Code:

wget http://wkhtmltopdf.googlecode.com/files/wkhtmltopdf-0.10.0_rc2-static-amd64.tar.bz2
bunzip2 wkhtmltopdf-0.10.0_rc2-static-amd64.tar.bz2
tar xvf wkhtmltopdf-0.10.0_rc2-static-amd64.tar
cp wkhtmltopdf-amd64 /usr/bin/wkhtmltopdf

Install Ruby Gems:

gem install thor i18n bundler tzinfo builder memcache-client rack rack-test erubis mail text-format rack-mount rails sqlite3

gem install rake --version=0.9.2

Install Snorby from github:

git clone http://github.com/Snorby/snorby.git /var/www/snorby

cp /var/www/snorby/config/database.yml.example /var/www/snorby/config/database.yml
cp /var/www/snorby/config/snorby_config.yml.example /var/www/snorby/config/snorby_config.yml


Edit /var/www/snorby/config/database.yml: look for the "snorby" entry and enter the MySQL root username and password here:

nano /var/www/snorby/config/database.yml
snorby: &snorby
adapter: mysql
username: root
password: "mysqlrootpassword"
host: localhost

Edit /var/www/snorby/config/snorby_config.yml: set the correct path to wkhtmltopdf (if you need to find it, use which wkhtmltopdf) and make it look like this:

development:
domain: localhost:3000
wkhtmltopdf: /usr/bin/wkhtmltopdf

test:
domain: localhost:3000
wkhtmltopdf: /usr/bin/wkhtmltopdf

production:
domain: localhost:3000
wkhtmltopdf: /usr/bin/wkhtmltopdf

Then

cd /var/www/snorby
bundle update activesupport railties rails
gem install arel ezprint && bundle install
bundle exec rake snorby:setup



apt-get install apache2 apache2-prefork-dev libapr1-dev libaprutil1-dev libopenssl-ruby libcurl4-openssl-dev

service apache2 start

gem install --no-ri --no-rdoc passenger
/usr/local/bin/passenger-install-apache2-module -a


Edit /etc/apache2/mods-available/passenger.load (or create it if it does not exist).

To find the path to the module, use:

find / -name "*mod_passenger*"
/var/lib/gems/1.9.1/gems/passenger-4.0.41/buildout/apache2/mod_passenger.so


Then put that path in the file:

#nano /etc/apache2/mods-available/passenger.load
LoadModule passenger_module /var/lib/gems/1.9.1/gems/passenger-4.0.41/buildout/apache2/mod_passenger.so

<IfModule mod_passenger.c>
PassengerRoot /var/lib/gems/1.9.1/gems/passenger-4.0.41
PassengerRuby /usr/bin/ruby
</IfModule>



#a2enmod passenger
#a2enmod rewrite
#a2enmod ssl
#chown www-data:www-data /var/www/snorby -R

Create a file "snorby" under /etc/apache2/sites-available:
#nano /etc/apache2/sites-available/snorby
<VirtualHost *:80>
ServerAdmin webmaster@localhost
ServerName snorby.Server2
DocumentRoot /var/www/snorby/public

<Directory "/var/www/snorby/public">
AllowOverride all
Order deny,allow
Allow from all
Options -MultiViews
</Directory>

</VirtualHost>

Enable the new website:

#ln -s /etc/apache2/sites-available/snorby /etc/apache2/sites-enabled/snorby_config
#service apache2 restart
#cd /var/www/snorby
#bundle pack && bundle install --path vendor/cache

Make sure cou-ids-web.mydomain.com points at your local apache2 server in the /etc/hosts file, and navigate to that website:

127.0.0.1 localhost
127.0.1.1 debian.localhost
127.0.0.1 cou-ids-web.mydomain.com

# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

sudo service apache2 restart

Conclusion

These two servers constitute a base IDS/IPS installation. We will look at the tuning and operational issues in subsequent articles.

Postscript

An example of Suricata successfully detecting an OpenVAS scan is available here.  It is quite apparent that something -- a port scan and vulnerability test -- is occurring.  However, OpenVAS is a rather blunt tool.  An attacker who is targeting web services will use a more focused tool.  An example of Suricata failing to detect an Arachni scan of Microsoft Exchange HTTPS is available here.  In this case, network intrusion detection fails; integration with a host intrusion detection system is warranted.
