Security Onion Integrity Checksum Changed Again
Managing Alerts
Security Onion generates a lot of valuable information for you the second you plug it into a TAP or SPAN port. Between Zeek logs, alert data from Snort/Suricata, and full packet capture from netsniff-ng, you have, in a very short amount of time, enough data to begin identifying areas of interest and making positive changes to your security posture.
However, Network Security Monitoring, as a practice, is not a solution you can plug into your network, make sure you see blinking lights and tell people you are "secure." It requires active intervention from an analyst to qualify the quantity of information presented. One of those regular interventions is to ensure that you are tuning properly and proactively attempting to achieve an acceptable level of signal to noise.
Testing to make sure the IDS is working
Below, we'll provide a few ways we can test our IDS (Snort/Suricata) to make sure it is working as expected.
- The easiest way to test might be just accessing testmyids.com from a machine whose traffic is being monitored. We should see a corresponding alert (GPL ATTACK_RESPONSE id check returned root) pop up in Sguil if everything is configured correctly. If you do not see this alert, try checking to see if the rule is enabled in /etc/nsm/rules/downloaded.rules. If it is not enabled, try enabling it via /etc/nsm/pulledpork/enablesid.conf and run rule-update (if this is a distributed deployment, update the master first, run rule-update, then push the changes out to the other sensor(s)).
- If running a test or evaluation version of Security Onion, consider replaying some of the sample PCAP files present in /opt/samples/. Alerts for various signatures should appear in Sguil.
- If in a production environment where you might not want to replay the sample PCAPs, another way to test would be to use Scapy to craft a test PCAP file, in conjunction with a custom Snort rule added to /etc/nsm/rules/local.rules:
  - Snort Rule
    alert tcp any any -> any any (msg:"Security Onion - testing"; content:"SecurityOnion"; nocase; sid:1234567;)
    Now update your ruleset:
  - Scapy
    sudo scapy
    pkt = Ether()/IP(dst="192.168.1.30")/TCP()/"SecurityOnion"
    wrpcap("so-testing.pcap", pkt)
    Press CTRL+D to exit scapy. Then use tcpreplay to replay the pcap to your sniffing interface:
    sudo tcpreplay -i ens34 -M10 so-testing.pcap
    If everything went as planned, an alert should pop up in Sguil with the message Security Onion - testing.
Identifying overly active signatures
Given the large number of analyst tools available in Security Onion by default, there are multiple ways to see signatures that are producing too many alerts. We'll take a look at identifying the alerts using Squert, Sguil, and the command line.
From Squert
You can access the Squert interface from a web browser using the URL: https://IP_ADDRESS/squert/. You will need to log in using the username and password you set up for Sguil. Click the Summary tab and then look at the TOP SIGNATURES section.
From Sguil
Sguil is a powerhouse of an interface for alerts and, since it allows us more direct interaction with the database holding our alerts, we can gain a little bit more insight into the alerts, the associated IPs, and the rules in general.
Here, I have logged into the sguil interface and clicked on the "CNT" column to sort the alerts by the number of correlated alerts.
From the Command Line
If there are a large number of uncategorized events in the securityonion_db database, sguil can have a hard time managing the vast amount of data it needs to process to present a comprehensive overview of the alerts.
At those times, it can be useful to query the database from the command line. Interacting with the mysql database directly demands caution. Issuing SELECT queries should not have any adverse effect on your database, but if you attempt to UPDATE while the various NSM framework tools are also accessing the database it has the potential to introduce corruption.
You can enter the mysql shell or issue mysql one-liners from the command line.
To enter the mysql shell, issue the following command:
sudo mysql --defaults-file=/etc/mysql/debian.cnf -Dsecurityonion_db
To issue command line one-liners use the following template:
sudo mysql --defaults-file=/etc/mysql/debian.cnf -Dsecurityonion_db -e "QUERY"
Listing the top twenty signatures
Giving the following query to mysql will return a table much like you see below. Here, we are asking mysql to return the columns "signature and signature_id" as well as a count of the rows in each group. We also want the output grouped by the signature message and ordered by the count (cnt) in descending order.
SELECT COUNT(*) AS cnt, signature, signature_id FROM event WHERE status = 0 GROUP BY signature ORDER BY cnt DESC LIMIT 20;
+--------+----------------------------------------------------------------------------------+--------------+
| cnt    | signature                                                                        | signature_id |
+--------+----------------------------------------------------------------------------------+--------------+
| 900286 | GPL SNMP public access udp                                                       |      2101411 |
|   4709 | ET POLICY Dropbox.com Offsite File Backup in Use                                 |      2012647 |
|   2334 | ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management |      2013504 |
|   1169 | GPL SHELLCODE x86 inc ebx NOOP                                                   |         1390 |
|    464 | ET POLICY Dropbox Client Broadcasting                                            |      2012648 |
|    343 | ET POLICY iTunes User Agent                                                      |      2002878 |
|    270 | ET POLICY Executable served from Amazon S3                                       |      2013437 |
|    216 | [OSSEC] New dpkg (Debian Package) installed.                                     |         2902 |
|    191 | ET RBN Known Russian Business Network IP TCP (214)                               |      2406426 |
|    188 | ET POLICY curl User-Agent Outbound                                               |      2013028 |
|    119 | [OSSEC] Integrity checksum changed.                                              |          550 |
|    106 | ET GAMES STEAM Connection (v2)                                                   |      2003089 |
|     84 | GPL ICMP_INFO PING *NIX                                                          |      2100366 |
|     69 | GPL CHAT MISC Jabber/Google Talk Outgoing Traffic                                |    100000230 |
|     65 | ET CHAT Google IM traffic Jabber client sign-on                                  |      2002334 |
|     59 | ET CHAT Google Talk (Jabber) Client Login                                        |      2002327 |
|     56 | [OSSEC] Attempt to login using a non-existent user                               |         5710 |
|     47 | ET SCAN Potential SSH Scan OUTBOUND                                              |      2003068 |
|     44 | ET SCAN Potential SSH Scan                                                       |      2001219 |
|     38 | GPL ICMP_INFO PING BSDtype                                                       |      2100368 |
+--------+----------------------------------------------------------------------------------+--------------+
20 rows in set (32.65 sec)
Again we can see that the top signature is the "GPL SNMP public access udp" alert, and here we can see there are over 900,000 uncategorized events. Not only will the processing of these uncategorized events slow our use of the tools, they will cost the analyst time which could be better used in responding to alerts of greater significance.
If we're going to take action on this alert, it's best to ensure that these alerts are benign as part of our tuning process. Seeing which machines generated these alerts can be helpful in making that decision.
SELECT COUNT(*) AS ip_cnt, INET_NTOA(src_ip) FROM event WHERE status = 0 AND signature_id = 2101411 GROUP BY src_ip ORDER BY ip_cnt DESC;
+--------+-------------------+
| ip_cnt | INET_NTOA(src_ip) |
+--------+-------------------+
| 824459 | 172.16.42.109     |
|  41643 | 172.16.42.250     |
|  33732 | 172.16.42.140     |
|    452 | 172.16.42.137     |
+--------+-------------------+
4 rows in set (9.60 sec)
We can gather a little more information by using a query that also returns the destination IP address.
SELECT COUNT(*) AS ip_cnt, INET_NTOA(src_ip), INET_NTOA(dst_ip) FROM event WHERE status = 0 AND signature_id = 2101411 GROUP BY dst_ip ORDER BY ip_cnt DESC;
+--------+-------------------+-------------------+
| ip_cnt | INET_NTOA(src_ip) | INET_NTOA(dst_ip) |
+--------+-------------------+-------------------+
| 858191 | 172.16.42.109     | 192.168.0.33      |
|  41643 | 172.16.42.250     | 192.168.0.31      |
|    226 | 172.16.42.137     | 192.168.200.5     |
|    226 | 172.16.42.137     | 192.168.200.51    |
+--------+-------------------+-------------------+
4 rows in set (9.65 sec)
Identifying rule categories
Both the Snort Subscriber (Talos) and the Emerging Threats rulesets come with a large number of rules enabled (over 15,000 by default). You should only run the rules necessary for your environment. So you may want to disable entire categories of rules that don't apply to you. Run the following command to get a list of categories and the number of rules in each:
cut -d\" -f2 /etc/nsm/rules/downloaded.rules | grep -v "^$" | grep -v "^#" | awk '{print $1, $2}' | sort | uniq -c | sort -nr
Recovering from too many alerts
Sometimes we may get flooded with a barrage of alerts that make it difficult or not possible to categorize within Sguil or Squert. When this happens, we can perform mass categorization of alerts using MySQL on the master server, where sguild (the Sguil server) runs. The steps below outline an example of this:
- Stop the Sguil server:
- List the top 20 signatures (descending) pertaining to uncategorized alerts (with a status of 0):
  sudo mysql --defaults-file=/etc/mysql/debian.cnf -Dsecurityonion_db -e 'SELECT COUNT(signature) AS count, signature FROM event WHERE status=0 GROUP BY signature ORDER BY count DESC LIMIT 20;'
- Update any records (to have a status value of 1) with a signature that contains the text ET INFO:
  sudo mysql --defaults-file=/etc/mysql/debian.cnf -Dsecurityonion_db -e "UPDATE event SET status=1, last_modified='2018-06-27 01:00:00', last_uid='sguil' WHERE event.status='0' AND event.signature LIKE '%ET INFO%';"
- Check again to see if our alerts have been categorized as acknowledged (these should no longer be visible in the output):
  sudo mysql --defaults-file=/etc/mysql/debian.cnf -Dsecurityonion_db -e 'SELECT COUNT(signature) AS count, signature FROM event WHERE status=0 GROUP BY signature ORDER BY count DESC LIMIT 20;'
- Bring the Sguil server back up:
Adapted from https://taosecurity.blogspot.com/2013/02/recovering-from-suricata-gone-wild.html.
So what's next?
Firstly, in tuning your sensor, you must understand whether or not taking corrective actions on this signature will lower your overall security posture. For some alerts, your understanding of your own network and the business being transacted across it will be the deciding factor. If you don't care that users are accessing facebook, you can silence the policy-based signatures that will generate alerts.
This signature, sid:1411, /is/ a useful signature to have on hand. Attackers will often search for SNMP enabled devices with default community strings in their attempts to pivot to other parts of the network. In this case, I know the alerts are being generated by benign traffic but I cannot guarantee that further alerts will be.
Another consideration to keep in mind is to determine whether or not the traffic is being generated by a misconfigured piece of equipment. If so, the most expedient measure is to correctly configure said equipment and then reinvestigate tuning.
There are multiple ways to handle overly productive signatures and we'll try to cover as many as we can without producing a full novel on the subject.
Disable the sid
Security Onion uses PulledPork to download new signatures every night and process them against a set list of user generated configurations.
In a distributed Security Onion environment, you only need to modify the configuration file on the server and the rule-update script will sync the sensors with the signatures from the Server.
As mentioned earlier, take care in disabling signatures as it can be likely that a more appropriate response is warranted.
- Edit the disablesid.conf configuration file:
  sudo vi /etc/nsm/pulledpork/disablesid.conf
- Append the signature you wish to disable in the format gid:sid. gid is the generator ID and will usually be "1". You can check the generator ID by checking the actual signature. If a gid is not listed, it is assumed to be "1". A common exception would be rules that start with "SURICATA" having a gid of "0" and Talos VRT Shared Object (compiled) rules having a gid of "3". Here are some examples:
  # Disable the "GPL SNMP public access udp" signature
  1:2101411
  # Disable the "SURICATA HTTP unable to match response to request" signature
  0:2221010
- Update rules as shown in the Updating Rules section.
Disable the category
In /etc/nsm/pulledpork/disablesid.conf, instead of providing a sid, we can use a PCRE (Perl-compatible regular expression) or refer to the rule category (found in the header above the rule grouping in /etc/nsm/rules/downloaded.rules).
For example, if we wanted to disable the entire ET-emerging-misc category, we could do so by putting the following in /etc/nsm/pulledpork/disablesid.conf:
If we wanted to disable all rules with ET MISC in the rule description, we could put the following in /etc/nsm/pulledpork/disablesid.conf:
After making changes to the file, update your rules as shown in the Updating Rules section.
modifysid.conf
PulledPork's modifysid.conf will allow you to write modifications to rules that are applied every time PulledPork downloads the latest ruleset. There are several examples in the modifysid.conf file, so we won't repeat them here. Edit the modifysid.conf configuration file:
sudo vi /etc/nsm/pulledpork/modifysid.conf
Update rules as shown in the Updating Rules section.
Rewrite the signature
In some cases, you may not want to use PulledPork's modifysid.conf, but instead create a copy of the rule and disable the original. In Security Onion, locally created rules are stored in /etc/nsm/rules/local.rules.
- Edit the /etc/nsm/rules/local.rules file:
  sudo vi /etc/nsm/rules/local.rules
- Snort rules are incredibly flexible; this is a bird's eye view of the rule format:
  Action Protocol SrcIP SrcPort Direction DestIP DestPort (rule options)
- Here is the rule that has been generating so many alerts on our sensor(s):
  macphisto@SecOnion-Dev:~$ grep -i "GPL SNMP public access udp" /etc/nsm/rules/downloaded.rules
  alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"GPL SNMP public access udp"; content:"public"; fast_pattern:only; reference:bugtraq,2112; reference:bugtraq,4088; reference:bugtraq,4089; reference:cve,1999-0517; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:2101411; rev:11;)
- We can rewrite the rule so it's a little less active. We will rewrite the rule to ignore this kind of alert if the destination is any of the hosts we've identified.
- For starters, let's create some variables in /etc/nsm/rules/local.rules to define the traffic. First we're going to define a variable for our chosen overactive hosts called OVERACTIVE:
  var OVERACTIVE [192.168.0.31,192.168.0.33,192.168.0.5,192.168.0.51]
- We can plug this information into our snort rule format:
  alert udp $HOME_NET any -> !$OVERACTIVE any (msg:"GPL SNMP public access udp"; content:"public"; fast_pattern:only; reference:bugtraq,2112; reference:bugtraq,4088; reference:bugtraq,4089; reference:cve,1999-0517; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:9001411; rev:1;)
- We also gave the alert a unique signature id (sid) by bumping it into the 90,000,000 range and set the revision to 1.
- Now that we have a signature that will generate alerts a little more selectively, we need to disable the original signature. Like above, we edit the disablesid.conf file and add:
- Update rules as shown in the Updating Rules section.
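As an added example (not code from the original page), the rewrite step above done programmatically: parse the downloaded rule, patch the header fields, and emit a local.rules copy with a fresh sid and rev:1. The OVERACTIVE variable and sid 9001411 come from the page; the function names are assumptions, and the option splitter assumes no escaped quotes inside option values.

```python
import re

# Header part of a one-line Snort rule: action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$"
)

def split_options(opts):
    """Split 'k:v; k; ...' on semicolons that are not inside double quotes (msg/content/pcre)."""
    parts, buf, quoted = [], [], False
    for ch in opts:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    tail = "".join(buf).strip()
    return [p for p in parts + [tail] if p]

def parse_rule(rule):
    """Return (header fields dict, ordered [(option, value)] list) for a single-line rule."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("not a single-line Snort rule: %r" % rule[:40])
    fields = m.groupdict()
    opts = []
    for opt in split_options(fields.pop("opts")):
        key, _, value = opt.partition(":")       # value is empty for flag options such as nocase
        opts.append((key.strip(), value.strip()))
    return fields, opts

def rewrite_rule(rule, new_sid, existing_sids=(), **header_changes):
    """Copy a downloaded rule into local.rules form: patched header, a fresh local sid and rev:1.
    header_changes may set action, proto, src, sport, dir, dst or dport."""
    if new_sid < 1000000 or new_sid in existing_sids:
        raise ValueError("pick an unused sid of 1,000,000 or higher for local rules")
    fields, opts = parse_rule(rule)
    unknown = set(header_changes) - set(fields)
    if unknown:
        raise ValueError("unknown header field(s): %s" % ", ".join(sorted(unknown)))
    fields.update(header_changes)
    rebuilt = []
    for key, value in opts:
        if key == "sid":
            value = str(new_sid)
        elif key == "rev":
            value = "1"                           # a copied rule starts again at revision 1
        rebuilt.append("%s:%s;" % (key, value) if value else "%s;" % key)
    header = "{action} {proto} {src} {sport} {dir} {dst} {dport}".format(**fields)
    return "%s (%s)" % (header, " ".join(rebuilt))

# The overactive rule quoted above, as it appears in downloaded.rules.
SNMP_RULE = ('alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"GPL SNMP public access udp"; '
             'content:"public"; fast_pattern:only; reference:bugtraq,2112; reference:bugtraq,4088; '
             'reference:bugtraq,4089; reference:cve,1999-0517; reference:cve,2002-0012; '
             'reference:cve,2002-0013; classtype:attempted-recon; sid:2101411; rev:11;)')

def local_snmp_rule():
    """The rewrite performed above: HOME_NET sources, skip the OVERACTIVE hosts, sid 9001411."""
    return rewrite_rule(SNMP_RULE, 9001411, existing_sids={2101411},
                        src="$HOME_NET", dst="!$OVERACTIVE", dport="any")
```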
Threshold
See /etc/nsm/rules/threshold.conf for more information and examples.
Suppressions
A suppression rule allows you to make some finer grained decisions about certain rules without the onus of rewriting them. With this functionality we can suppress rules based on their signature, the source or destination address and even the IP or full CIDR network block. This way, you still have the basic ruleset, but the situations in which the rules fire are altered. It's important to note that with this functionality, care should be given to the suppressions being written to make sure they do not suppress legitimate alerts.
Sticking with our current example of disabling the GPL SNMP public access udp alert, we can build a suppression rule that limits this signature from firing for machines in which this behavior is deemed acceptable. For instance, you would often see this rule firing rapidly for any service that queries SNMP on a regular basis. Services like Nagios produce a great many of these alerts. In this case, we will operate on the following known information:
Source IP Address | 172.16.42.109 |
---|---|
Generator ID | 1 |
Signature ID | 2101411 |
The format for a suppression is very straightforward. Below is the basic format for a suppression, with the configurable fields shown as placeholders (gen-id, sid-id, by_src|by_dst, IP/MASK-Bits):
suppress gen_id gen-id, sig_id sid-id, track [by_src|by_dst], ip IP/MASK-Bits
We can simply transplant the known information into those placeholders and place the following in /etc/nsm/rules/threshold.conf:
suppress gen_id 1, sig_id 2101411, track by_src, ip 172.16.42.109
Once the correct suppression has been placed in threshold.conf, restart the alert engine:
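An added example, not from the original page, that parses suppress lines in the threshold.conf format above and replays the src/dst breakdown from the earlier query against them to see how many SNMP events would survive. The second suppression line (a by_dst CIDR) and the function names are constructed for illustration; one address or CIDR per line is assumed, Snort's bracketed address lists are not handled.

```python
import ipaddress
import re
from collections import namedtuple

Suppression = namedtuple("Suppression", "gen_id sig_id track net")

# suppress gen_id <gid>, sig_id <sid>[, track by_src|by_dst, ip <addr or CIDR>]
SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
    r"(?:\s*,\s*track\s+(by_src|by_dst)\s*,\s*ip\s+(\S+))?\s*$"
)

def parse_threshold_conf(text):
    """Collect the suppress lines of a threshold.conf; comments, blanks and threshold lines are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SUPPRESS_RE.match(line)
        if not m:
            continue
        gen_id, sig_id, track, ip = m.groups()
        net = ipaddress.ip_network(ip, strict=False) if ip else None   # a bare IP becomes a /32
        rules.append(Suppression(int(gen_id), int(sig_id), track, net))
    return rules

def is_suppressed(rules, gen_id, sig_id, src_ip, dst_ip):
    """True if an alert with this gid/sid and these addresses would be suppressed."""
    for r in rules:
        if (r.gen_id, r.sig_id) != (gen_id, sig_id):
            continue
        if r.track is None:
            return True                       # no track clause: suppress the signature outright
        addr = ipaddress.ip_address(src_ip if r.track == "by_src" else dst_ip)
        if addr in r.net:
            return True
    return False

def remaining_alerts(rules, gen_id, sig_id, rows):
    """Sum the counts of (count, src, dst) rows that the suppressions would NOT silence."""
    return sum(n for n, s, d in rows if not is_suppressed(rules, gen_id, sig_id, s, d))

# Constructed threshold.conf: the page's suppression plus a by_dst CIDR one for comparison.
THRESHOLD_CONF = """\
# SNMP poller identified above (track by source IP)
suppress gen_id 1, sig_id 2101411, track by_src, ip 172.16.42.109
# constructed: the same signature, silenced for everything sent to a management subnet
suppress gen_id 1, sig_id 2101411, track by_dst, ip 192.168.200.0/24
"""

# Constructed from the src/dst breakdown query shown earlier.
SNMP_ROWS = [
    (858191, "172.16.42.109", "192.168.0.33"),
    (41643, "172.16.42.250", "192.168.0.31"),
    (226, "172.16.42.137", "192.168.200.5"),
    (226, "172.16.42.137", "192.168.200.51"),
]
```

With both lines in place only the 41643 events from 172.16.42.250 would still reach Sguil, which is the number to judge a suppression by before committing it.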
Autocategorize events
The sguild server can be set to autocategorize events as it processes them. This is a great way to have sguil process the events for us as it sees them, saving us from any laborious categorization. In the Sguil console, you can create an autocat by right-clicking the event status or by clicking File -> Autocat. In Squert, you can click the Autocat icon in the upper right corner.
Why is pulledpork ignoring disabled rules in downloaded.rules
If your syntax is correct, you are likely trying to disable a rule that has flowbits set. For a quick primer on flowbits see http://blog.snort.org/2011/05/resolving-flowbit-dependancies.html and section 3.6.10 of the Snort Manual (http://www.snort.org/docs).
Let's look at the following rules, which share the ET.MSSQL flowbit:
alert tcp $HOME_NET any -> $EXTERNAL_NET !1433 (msg:"ET POLICY Outbound MSSQL Connection to Non-Standard Port - Likely Malware"; flow:to_server,established; content:"|12 01 00|"; depth:3; content:"|00 00 00 00 00 00 15 00 06 01 00 1b 00 01 02 00 1c 00|"; distance:1; within:18; content:"|03 00|"; distance:1; within:2; content:"|00 04 ff 08 00 01 55 00 00 00|"; distance:1; within:10; flowbits:set,ET.MSSQL; classtype:bad-unknown; sid:2013409; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1433 (msg:"ET POLICY Outbound MSSQL Connection to Standard port (1433)"; flow:to_server,established; content:"|12 01 00|"; depth:3; content:"|00 00 00 00 00 00 15 00 06 01 00 1b 00 01 02 00 1c 00|"; distance:1; within:18; content:"|03 00|"; distance:1; within:2; content:"|00 04 ff 08 00 01 55 00 00 00|"; distance:1; within:10; flowbits:set,ET.MSSQL; classtype:bad-unknown; sid:2013410; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET !1433 (msg:"ET TROJAN Bancos.DV MSSQL CnC Connection Outbound"; flow:to_server,established; flowbits:isset,ET.MSSQL; content:"|49 00 B4 00 4D 00 20 00 54 00 48 00 45 00 20 00 4D 00 41 00 53 00 54 00 45 00 52 00|"; classtype:trojan-activity; sid:2013411; rev:1;)
If you attempt to disable the first two rules without disabling the third rule (which has "flowbits:isset..."), the third rule could never fire, since one of the first two rules needs to fire first. PulledPork (helpfully) resolves all of your flowbit dependencies, and in this case is "re-enabling" the rules that set the flowbit for you on the fly. Disabling all 3 of those rules by adding the following to disablesid.conf has the obvious negative consequence of disabling all three of the rules:
1:2013409
1:2013410
1:2013411
When you run sudo rule-update, watch the "Setting Flowbit State..." section and you can see that if you disable all three (or however many rules share that flowbit) the "Enabled XX flowbits" line is decremented and all three rules should then be disabled in your downloaded.rules.
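An added example (not from the page or from PulledPork itself) that covers both the disablesid.conf entries from the Disable the sid and Disable the category sections and the flowbit behaviour described here: it applies gid:sid and pcre: entries to a constructed rules file, then puts back any disabled rule whose flowbit an enabled rule still checks, the way PulledPork does. Function names and the shortened rule lines are assumptions; category names in disablesid.conf are not handled.

```python
import re

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
GID_RE = re.compile(r"\bgid\s*:\s*(\d+)\s*;")
MSG_RE = re.compile(r'\bmsg\s*:\s*"([^"]*)"')
FLOWBITS_RE = re.compile(r"\bflowbits\s*:\s*(\w+)\s*,\s*([^;]+);")
SETTERS, CHECKERS = {"set", "setx", "toggle"}, {"isset", "isnotset"}

def parse_rules(text):
    """Map (gid, sid) -> {msg, sets, checks} for every rule line; comments and blanks are skipped."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        gid_m = GID_RE.search(line)
        gid = int(gid_m.group(1)) if gid_m else 1          # no gid option means generator 1
        bits = [(op, b.strip()) for op, b in FLOWBITS_RE.findall(line)]
        rules[(gid, int(SID_RE.search(line).group(1)))] = {
            "msg": MSG_RE.search(line).group(1),
            "sets": {b for op, b in bits if op in SETTERS},
            "checks": {b for op, b in bits if op in CHECKERS},
        }
    return rules

def disabled_by(conf, rules):
    """Apply disablesid.conf entries: 'gid:sid' lines, or 'pcre:<regex>' lines matched against msg."""
    disabled = set()
    for entry in conf.splitlines():
        entry = entry.split("#", 1)[0].strip()               # drop comments
        if not entry:
            continue
        if entry.startswith("pcre:"):
            pat = re.compile(entry[len("pcre:"):])
            disabled |= {k for k, r in rules.items() if pat.search(r["msg"])}
        else:
            gid, sid = entry.split(":")
            disabled.add((int(gid), int(sid)))
    return disabled

def resolve(rules, disabled):
    """Mimic PulledPork's flowbit pass: a disabled rule that sets a flowbit which some enabled rule
    still checks is put back. Returns (enabled keys, keys re-enabled, count of flowbits still set)."""
    enabled = set(rules) - disabled
    reenabled = set()
    while True:
        needed = set().union(*(rules[k]["checks"] for k in enabled))
        revive = {k for k in set(rules) - enabled if rules[k]["sets"] & needed}
        if not revive:
            break
        enabled |= revive
        reenabled |= revive
    flowbits = set().union(*(rules[k]["sets"] for k in enabled))
    return enabled, reenabled, len(flowbits)

# Constructed rules file: shortened copies of the three ET.MSSQL rules quoted above plus the SNMP rule.
RULES = """\
alert tcp $HOME_NET any -> $EXTERNAL_NET !1433 (msg:"ET POLICY Outbound MSSQL Connection to Non-Standard Port - Likely Malware"; flowbits:set,ET.MSSQL; classtype:bad-unknown; sid:2013409; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1433 (msg:"ET POLICY Outbound MSSQL Connection to Standard port (1433)"; flowbits:set,ET.MSSQL; classtype:bad-unknown; sid:2013410; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET !1433 (msg:"ET TROJAN Bancos.DV MSSQL CnC Connection Outbound"; flowbits:isset,ET.MSSQL; classtype:trojan-activity; sid:2013411; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"GPL SNMP public access udp"; content:"public"; classtype:attempted-recon; sid:2101411; rev:11;)
"""

def effective_rules(conf):
    """Which rules stay enabled after disablesid.conf and the flowbit pass, i.e. what rule-update ends up with."""
    rules = parse_rules(RULES)
    return resolve(rules, disabled_by(conf, rules))
```

Disabling only 1:2013409 and 1:2013410 leaves all four rules enabled and one flowbit set; adding 1:2013411 is what actually removes the three MSSQL rules.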
Sguil Days To Keep
You can configure Sguil's database retention by editing securityonion.conf and changing the DAYSTOKEEP setting (the default is 30 days):
/etc/nsm/securityonion.conf
You can also use this setting to perform a Sguil database purge by lowering the DAYSTOKEEP variable to a small number (like 7 or 1) and manually running:
Source: http://stuff.is-a-geek.net/OnlineDocs/Security/securityonion.readthedocs.io/en/latest/alerts.html