
Sunday, April 13, 2008

"Block the Bad" OSS IPS with Content Filtration and Transparent Proxy Acceleration pt 1.


In this two part series I will discuss and demonstrate the creation of an inline security and content filtration system built on FreeBSD 7.0R. What is a security and content filtration system you might ask? Simply put it is a system that has the capabilities of an IPS with the included benefit of advanced content filtration (things like blacklists, page content scoring "keywords etc", greylists, whitelists and so on...).

This first part, entitled "block the bad" will deal with the IPS aspect of the system that includes some new "or newly revisited" ways of utilizing snortsam with barnyard rather than directly patching snort. This is good for a variety of reasons that include the capability to keep your snort version updated without having to continually re-patch it for snortsam, and not having to load snort down with more work than what it was intended "SNIFFING J00r PAket F00".

Some things in the below documented barnyard snortsam plugin have been hacked together, and I am sure that more capable individuals "rotorhead, Obiwan..." will write a non-hacked-together plugin in the near future. But this will get you up and rolling for now.

A few assumptions are made before we get started... the first is that you have already built snort (2.8.1 is the latest as of the time I wrote this), and if not that you can follow the directions to do so on a previous posting of mine. The second assumes if you want to see output such as BASE, you read and followed that entire posting. The third assumption is that you know how to modify your kernel options and ultimately make and install a new kernel. The fourth and final assumption is that if any of the previous assumptions are not true, you know how to use google.

Now, to the heart of the subject at hand, we will be using the following for the remainder of the exercise:

  1. Snort 2.8.1 (see above)
  2. barnyard 0.20.0 (with a modified snortsam plugin)
  3. snortsam 2.52
  4. ipf
  5. ipfw (this will come into play in the next part re: content filtering, but can also be used to block by entire source or destination *not protocol/port* hence ipf)

So, for our first step (since we have snort built/running) let's get our barnyard patched so that we have the snortsam plugin. If you previously built barnyard and still have all of the source, that's great... but remember to make clean before we do anything. For my purposes I'll be demonstrating with a freshly downloaded barnyard. You will need autotools "cd /usr/ports/devel/autotools/ && make install clean" to finish the patch work.

[jj@Azazel /usr/home/jj]$ wget http://www.snort.org/dl/barnyard/barnyard-0.2.0.tar.gz

2008-04-13 18:14:39 (537 KB/s) - `barnyard-0.2.0.tar.gz' saved [161543/161543]

[jj@Azazel /usr/home/jj]$ tar xvfz barnyard-0.2.0.tar.gz
x barnyard-0.2.0/

[jj@Azazel /usr/home/jj]$ wget http://www.snortsam.net/files/barnyard-plugin/barnyard-snortsam-patch.gz

2008-04-13 18:16:37 (148 KB/s) - `barnyard-snortsam-patch.gz' saved [27149/27149]

[jj@Azazel /usr/home/jj]$ gunzip barnyard-snortsam-patch.gz
[jj@Azazel /usr/home/jj]$ cd barnyard-0.2.0
[jj@Azazel /usr/home/jj/barnyard-0.2.0]$ patch -p1 < ../barnyard-snortsam-patch
Hmm... Looks like a unified diff to me...
...
Hunk #1 succeeded at 1.
Hunk #2 succeeded at 33.
Hunk #3 succeeded at 54.
...
done
[jj@Azazel /usr/home/jj/barnyard-0.2.0]$ ./autojunk.sh
configure.in:147: warning: underquoted definition of SN_CHECK_DECL
configure.in:147: run info '(automake)Extending aclocal'
configure.in:147: or see http://sources.redhat.com/automake/automake.html#Extending-aclocal
autoheader-2.61: WARNING: Using auxiliary files such as `acconfig.h', `config.h.bot'
autoheader-2.61: WARNING: and `config.h.top', to define templates for `config.h.in'
autoheader-2.61: WARNING: is deprecated and discouraged.
autoheader-2.61:
autoheader-2.61: WARNING: Using the third argument of `AC_DEFINE' and
autoheader-2.61: WARNING: `AC_DEFINE_UNQUOTED' allows one to define a template without
autoheader-2.61: WARNING: `acconfig.h':
autoheader-2.61:
autoheader-2.61: WARNING: AC_DEFINE([NEED_FUNC_MAIN], 1,
autoheader-2.61: [Define if a function `main' is needed.])
autoheader-2.61:
autoheader-2.61: WARNING: More sophisticated templates can also be produced, see the
autoheader-2.61: WARNING: documentation.
[jj@Azazel /usr/home/jj/barnyard-0.2.0]$
Now that we have the main part of the patch completed we need to make a few quick modifications to "src/output-plugins/op_alert_fwsam.c" so that it handles the barnyard output properly and loads the sid-msg.map file via a hard coded path (line 191). I threw a patch out there so that you don't need to do this manually, located here: http://www.redsphereglobal.com/data/tools/security/patches/barnyard-snortsam-hack.gz.
[jj@Azazel /usr/home/jj]$ wget http://www.redsphereglobal.com/data/tools/security/patches/barnyard-snortsam-hack.gz

2008-04-13 18:52:54 (1.15 MB/s) - `barnyard-snortsam-hack.gz' saved [641/641]

[jj@Azazel /usr/home/jj]$ gunzip barnyard-snortsam-hack.gz
[jj@Azazel /usr/home/jj]$ cd barnyard-0.2.0
[jj@Azazel /usr/home/jj/barnyard-0.2.0]$ patch -p1 < ../barnyard-snortsam-hack
Hmm... Looks like a unified diff to me...
The text leading up to this was:
...
Patching file src/output-plugins/op_alert_fwsam.c using Plan A...
Hunk #1 succeeded at 188.
Hunk #2 succeeded at 815.
done
[jj@Azazel /usr/home/jj/barnyard-0.2.0]$
This patch or "hack" assumes that your sid-msg.map is located at /usr/local/etc/snort/sid-msg.map; if this is not the case, you will need to edit src/output-plugins/op_alert_fwsam.c around line 191 and specify the correct path. At this point you can configure barnyard and build as you normally would.
[jj@Azazel /usr/home/jj/barnyard-0.2.0]$ ./configure --enable-mysql
[jj@Azazel /usr/home/jj/barnyard-0.2.0]$ make
[jj@Azazel /usr/home/jj/barnyard-0.2.0]$ sudo make install
Your barnyard is now ready and we will cover the config file and startup after we get ipf and snortsam up and running.

The next step is to add the following to our Kernel so that we have ipf and ipfw enabled and running by default at boot.
# IPFW support
options IPFIREWALL #Enable IPFW directly in the kernel
options IPFIREWALL_FORWARD #Enable the Ip Forwarding function of IPFW
options IPFIREWALL_VERBOSE
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPDIVERT #allow this host to divert packets to/through different ints and routes

# IPF Support - default is to accept
options IPFILTER
options IPFILTER_LOG
Once these have been added please build your kernel, install and reboot. At this point we are ready to fetch and make snortsam.
[jj@Azazel /usr/home/jj]$ wget http://www.snortsam.net/files/snortsam/snortsam-src-2.52.tar.gz

2008-04-13 19:17:28 (497 KB/s) - `snortsam-src-2.52.tar.gz' saved [1075606/1075606]

[jj@Azazel /usr/home/jj]$ tar xvfz snortsam-src-2.52.tar.gz
x snortsam
[jj@Azazel /usr/home/jj]$ cd snortsam
[jj@Azazel /usr/home/jj/snortsam]$ sh ./makesnortsam.sh
-------------------------------------------------------------------------------
Building SnortSam (release)
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
Building SnortSam (debug)
-------------------------------------------------------------------------------
Done.
[jj@Azazel /usr/home/jj/snortsam]$ sudo cp snortsam* /usr/local/bin/
That's it for the snortsam build, now we are ready to configure everything and fire it up for a test! The first thing that we will configure is our snortsam. There is a good amount of documentation under snortsam/docs/README.conf that covers basic configuration. For our purposes we will create the file /etc/snortsam.conf and place the following in it.
defaultkey secrets
port 6783
accept 192.168.1.0/24
keyinterval 30 minutes
ipf bge0
This configuration specifies a default key of "secrets" and that the snortsam daemon should listen on port 6783 for connections from the 192.168.1.0/24 network. The configuration also specifies that the connection between the client (barnyard) and snortsam daemon will be rekeyed every 30 minutes and that ipf will be used on bge0 locally.

On to the barnyard configuration, this file will be barnyard-snortsam.conf located at /usr/local/etc/. The only line that needs to be in this file is the one that calls the snortsam plugin for barnyard and specifies the host:port/password
output alert_fwsam: 192.168.1.7:6783/secrets
The barnyard snortsam plugin uses a sid-block.map file to define what sids will be blocked, how they will be blocked and for how long they will be blocked. The format is quite simple "sid: where[option],duration;" and to test we will put the file at /usr/local/etc/snort/sid-block.map with the following entry
9999999: src[conn], 15 seconds;
I chose sid 9999999 so that I could create a custom rule in my local.rules to test my configuration.
alert icmp any any -> 1.2.3.4 any (msg:"test"; sid:9999999;)
Assuming you were able to add that rule, we are now at the point to fire things up and give it a good old fashioned roll (all in debugging verbose mode of course)!

Restart your snort so that it sees the new SID if you have not done so... -HUP FTW!@!!
Start snortsam (must be as root right now to have access to ipf)
[jj@Azazel /usr/home/jj]$ sudo snortsam-debug
Start barnyard with the new config file (even if you have a previously running barnyard from the previous security appliance article... this will run at the same time, since we have specified a new waldo file and pid file). Note that the following is ALL ONE LINE... no line breaks or CRs! Note also that this uses snort.alert and not snort.log, just like the syslog facility.
[jj@Azazel /usr/home/jj]$ sudo /usr/local/bin/barnyard -c /usr/local/etc/barnyard-snortsam.conf -g /usr/local/etc/snort/gen-msg.map -s /usr/local/etc/snort/sid-msg.map -d /var/log/snort/ -f snort.alert -w /var/log/snort/barnyard-snortsam.waldo -p /usr/local/etc/snort/classification.config -X /var/barnyard-snortsam.pid -vvv
After starting barnyard you should see the following debug output from your snortsam-debug:
Debug: Connection from: 192.168.1.7.
Debug: Received Packet: CHECKIN
Debug: Snort SeqNo: cbb9
Debug: Mgmt SeqNo : 7000
Debug: Status : 1
Debug: Version : 14
Now that everything is up and running we can test. The best way to test all aspects is to point a separate system at the IP of this box (default router/gateway) or on my system as evident by the above config "192.168.1.7" and ping 1.2.3.4 with that separate system. The ipfw options that we previously set in the kernel will allow this host to simply route the traffic to the proper destination. You should see debug output from your snortsam-debug as such:
Blocking host 192.168.1.43 in connection 192.168.1.43->1.2.3.4:0 (icmp) for 60 seconds (Sig_ID: 9999999).
Debug: [ipf][28201600] Plugin Blocking...
Debug: [ipf][28201600] command /bin/echo "@1 block in log level local7.info quick on bge0 proto 1 from 192.168.1.43/32 to 1.2.3.4/32"|/sbin/ipf -f -
We can see from the output that it is blocking the source address of 192.168.1.43 and proto 1 (ICMP) only. This means that this host can still browse the internet and do everything (other than send icmp to 1.2.3.4 for 60 seconds), this is a function of the [conn] option in the sid-block.map file.

Wonderful, we now have a functioning version of snortsam running off of the snort output and not snort directly. This means that we can upgrade / change our snort instance itself and not have to re-patch and mess with that... (this of course assumes that the version you use can output unified so that your patched version of barnyard can read it). The final step in this process is to add the sids that you want to block to the sid-msg.map file. I have modified the create-sidmap.pl file to create a sid-block.map compatible output by reading all of the .rules files in a directory and dumping "sid: src[conn], 30min;" output. This output blocks the service by source that the alert was generated from for 30 minutes. The file can be obtained at http://www.redsphereglobal.com/data/tools/security/patches/create-sidblock.pl.gz. Usage is simple and as follows (again, note that it's one line):
[root@Azazel /home/jj]# ./create-sidblock.pl /usr/local/etc/snort/rules/ > /usr/local/etc/snort/sid-block.map
[root@Azazel /home/jj]# tail -n 3 /usr/local/etc/snort/sid-block.map
2500000: src[conn],30min;
2510000: src[conn],30min;
9999999: src[conn],30min;
I suggest that you not put ALL sids in this file, but rather take a subset from rules files that you know are bad news. To do this simply copy the .rules files into a directory of your choice and run the script against that directory (note that the sid-block.map must always live in /usr/local/etc/snort at this time). Other suggestions include daemonizing your barnyard instance (-D) rather than -vvv. The rest you can figure out.
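The curated-subset approach suggested above can be sketched as follows. This is an added example, not the create-sidblock.pl script from the post: it pulls sids from active rules only, applies an exclusion list, and checks the result against the "sid: where[option],duration;" format. All function names, the exclusion list and the sample rules (other than the post's test rule) are assumptions made for illustration.

```python
import re

# Active (uncommented) rule lines start with a Snort rule action keyword.
ACTIVE_RULE = re.compile(r"^\s*(alert|log|pass|drop|reject|sdrop)\s")
# The sid option inside the rule body, e.g. "; sid:9999999;".
SID_OPTION = re.compile(r"[(;]\s*sid\s*:\s*(\d+)\s*;")
# One sid-block.map entry in the format given in the post:
# "sid: where[option],duration;"
ENTRY = re.compile(r"^(\d+)\s*:\s*(\w+)\[(\w+)\]\s*,\s*([^;]+?)\s*;$")

# Constructed sample input; the icmp rule is the test rule from the post.
SAMPLE_RULES = '''\
# constructed sample rules file
alert icmp any any -> 1.2.3.4 any (msg:"test"; sid:9999999;)
alert tcp any any -> any 80 (msg:"constructed noisy rule"; sid:1000001; rev:2;)
# alert tcp any any -> any 25 (msg:"constructed disabled rule"; sid:1000002;)
alert tcp any any -> any 22 (msg:"constructed duplicate sid"; sid:9999999; rev:1;)
'''


def extract_sids(rules_text):
    """Return the sorted, de-duplicated sids of active rules only."""
    sids = set()
    for line in rules_text.splitlines():
        if not ACTIVE_RULE.match(line):
            continue  # comments, blank lines and disabled rules never block
        match = SID_OPTION.search(line)
        if match:
            sids.add(int(match.group(1)))
    return sorted(sids)


def build_block_map(sids, action="src[conn]", duration="30min", exclude=()):
    """Render sid-block.map text, leaving out sids that must never auto-block."""
    skip = set(exclude)
    return "".join(
        f"{sid}: {action},{duration};\n"
        for sid in sorted(set(sids))
        if sid not in skip
    )


def parse_block_map(text):
    """Parse sid-block.map text into {sid: (where, option, duration)}.

    Raises ValueError on a malformed or duplicate entry so that a bad file
    is caught before barnyard is restarted with it.
    """
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        match = ENTRY.match(line)
        if not match:
            raise ValueError(f"line {lineno}: expected 'sid: where[option],duration;': {line!r}")
        sid = int(match.group(1))
        if sid in entries:
            raise ValueError(f"line {lineno}: duplicate sid {sid}")
        entries[sid] = (match.group(2), match.group(3), match.group(4))
    return entries


if __name__ == "__main__":
    # Exclude the constructed noisy rule so a false positive cannot block a host.
    block_map = build_block_map(extract_sids(SAMPLE_RULES), exclude={1000001})
    parse_block_map(block_map)  # validate before writing it anywhere
    print(block_map, end="")
```

Validating the generated file before it replaces /usr/local/etc/snort/sid-block.map keeps a malformed entry from silently changing what gets blocked.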

The next part of this series will cover adding content filtration and a transparent squid instance into the mix on this box.

Cheers,
JJC

Tuesday, April 1, 2008

Cisco Acquires Sguil!

In many of my past writings I have mentioned using Sguil and have been an avid user of the solution. On that front, I would like to extend my congratulations to the core members of the team for their great success! It will be exciting to see it running on IOS!

Cisco Announces Agreement to Acquire Sguil™ Open Source Security Monitoring Project


Acquisition Furthers Cisco’s Vision for Integrated Security Products

SAN JOSE, Calif., and LONGMONT, Color., April 1st, 2008 – Cisco and the Sguil™ project today announced an agreement for Cisco to acquire the Sguil™ project, a leading Open Source network security solution. With hundreds of installations world-wide, Sguil™ is the de facto reference implementation for the Network Security Monitoring (NSM) model. Sguil™-based NSM will enable Cisco’s customer base to more efficiently collect and analyze security-related information as it traverses their enterprise networks. This acquisition will help Cisco to cement its reputation as a leader in the Open Source movement while at the same time furthering its long-held vision of integrating security into the network infrastructure.

Under terms of the transaction, Cisco has acquired the Sguil™ project and related trademarks, as well as the copyrights held by the five principal members of the Sguil™ team, including project founder Robert "Bamm" Visscher. Cisco will assume control of the open source Sguil™ project including the Sguil.net domain, web site and web site content and the Sguil™ Sourceforge project page. In addition, the Sguil™ team will remain dedicated to the project as Cisco employees, continuing their management of the project on a day-to-day basis.

To date, Sguil™ has been developed primarily in the Tcl scripting language, support for which is already present inside many of Cisco’s routers and switches. The new product, to be known as “Cisco Embedded Monitoring Solution (CEMS)”, will be made available first in Cisco’s carrier-grade products in 3Q08, with support being phased into the rest of the Cisco product line by 4Q09. Linksys-branded devices will follow thereafter, though the exact deployment schedule has yet to be announced.

“We’re extremely pleased to announce this deal,” said Cisco’s Chief Security Product Manager Cletus F. Simmons. “For some time, our customers have told us that our existing security monitoring products did not extend far enough into their network infrastructure layer. Not only was it sometimes difficult to intercept and monitor the traffic, but there were often political problems at the customer site with deploying our Intrusion Detection Systems, as management had heard several years ago that they were ‘dead’. Now, with Sguil™ integrated into all their network devices, they’ll have no choice!”

Although the financial details of the agreement have not been announced, Sguil™ developer Robert Visscher will become the new VP of Cisco Rapid Analysis Products for Security. “This deal means a lot to the Sguil™ project and to me personally,” Visscher explains. “Previously, we had to be content with simply being the best technical solution to enable intrusion analysts to collect and analyze large amounts of data in an extraordinarily efficient manner. But now, we’ll have the additional advantage of the world’s largest manufacturer of networking gear shoving it down their customers’ throats! We will no longer have to concern ourselves with mere technical excellence. Instead, I can worry more about which tropical island to visit next, and which flavor daiquiri to order. You know, the important things.”

About Cisco Systems

Cisco, (NASDAQ: CSCO), is the worldwide leader in networking that transforms how people connect, communicate and collaborate. Information about Cisco can be found at http://www.cisco.com. For ongoing news, please go to http://newsroom.cisco.com.

About Sguil™

Sguil™ is the leading Network Security Monitoring (NSM) framework. It is built for network security analysts by network security analysts. Sguil’s main component is an intuitive GUI that provides access to a wide variety of security related information, including real-time IDS alerts, network session database and full packet captures. Sguil™ was written by Robert “Bamm” Visscher, who was apparently too cheap to buy a book on Java or C.

Again, congrats to the team... if you get a chance, please stop in at #snort-gui on freenode and say hi / congratulate the team.

Cheers,
JJC

Friday, February 15, 2008

HeX 1.0.3 LiveUSB (CNY Release)

After much ado, here it is! Instructions for usage are quite simple: dd it to your USB thumb drive (the drive, not a partition, or it will NOT work). This image includes all of the same features as our mainline HeX 1.0.3 release but is on USB rather than CD, so the filesystem is also writable. You will need a minimum of a 2G Thumb Drive or Memory Stick to write this. I say "Memory Stick" because I have heard rumor of some people using SD rather than USB Thumb Drives to use this tool.

So for example on my freebsd system I would dd as follows:

dd if=/path/to/foo/hex-i386-1.0.3.usb.img of=/dev/da0 bs=1M

The command is simple: if is the input file, of is the output file (in this case the da0 device), and bs=1M sets the block size to 1 MB, which helps to speed up the write process.

Downloads:
USA Site (521MB)
USA MD5 Verification
USA SHA256 Verification

Malaysia Mirrors to be populated soon, I'll post them when they are.

Cheers,
JJC

Thursday, February 14, 2008

HeX 1.0.3, the CNY Release

I am pleased to announce the release of HeX 1.0.3, release info is below. Thanks to the entire development team for their dedication and hard work. This release has been dubbed the CNY, or Chinese New Year release.

With the recent release of FreeBSD 7.0 RC2, we anticipate an actual 7.0 release in the near future. When the Release version of 7.0 becomes available we will begin working on the new HeX 2.0 project.

Get HeX 1.0.3 Here:
US Mirrors:
https://secure.redsphereglobal.com/data/tools/security/live/hex-i386-1.0.3.iso
https://secure.redsphereglobal.com/data/tools/security/live/hex-i386-1.0.3.iso.md5
https://secure.redsphereglobal.com/data/tools/security/live/hex-i386-1.0.3.iso.sha256

Malaysia Mirrors:
http://bsd.ipv6.la/hex-i386-1.0.3.iso
http://bsd.ipv6.la/hex-i386-1.0.3.iso.md5
http://bsd.ipv6.la/hex-i386-1.0.3.iso.sha256

Fixed:
- pkg_info works after installation
- ping works without sudo
- procfs is correctly mounted on /proc at boot

Upgraded:
1. NSM Console 0.6-DEVEL
Features:
- 'dump' command added, you can now dump packet payloads into a binary
file for later analysis
- Significant speedups in the harimau module and 'checkip' command if
wget is installed
- tcpxtract configuration file changed to extract more types of files
- Added foremost module
- Added clamscan module (Thanks JohnQPublic)
- Argus and tcptrace have reverse dns turned off by default now, it
was causing the module to hang for extremely large pcap files. Can be
switched on by changing the module options
- rot13 encoding and decoding added :)
Bugfixes:
- alias command
- urlescape (en|de)coding
- file existence check
- many other things
All the other enhancements, bugfixes and additions since the 0.2
release (there have been many!)

New Application Packages:
- xplot
- uni2ascii
- vnc
- vsftpd
- samplicator
- sflowtool
- pmacct
- ming
- ploticus
- tcpick
- bvi
- elinks
- feh
- tftpgrab
- arpwatch

Misc:
- New wallpapers with different color schemes

The LiveUSB image will be out shortly, it is undergoing a quick regression test currently.

Cheers,
JJC

Monday, February 4, 2008

HeX and NSM-Console Writeup in ISSA Journal

Russ McRee has written a nice piece about the HeX Live project and the included NSM-Console in his 'toolsmith' section of the ISSA Journal. This 3.5 page writeup has clearly captured our intent behind HeX and the NSM-Console created by Matthew Lee Hinman.

If you are not an ISSA subscriber, you can access the writeup at Russ McRee's column or here in the form of pdf.

I would like to thank the community for their continued support and feedback on this project.

Cheers,
JJC

Monday, January 7, 2008

HeX 1.0.2 LiveUSB Update

Unfortunately, the previous HeX 1.0.2 LiveUSB image was not the proper release, thanks to those that pointed this out. This has since been remediated, the original links are still valid, I will re-post here for your downloading pleasure.

For additional information on the project, please read my earlier post at: http://global-security.blogspot.com/2008/01/hex-102r-liveusb-release.html

https://secure.redsphereglobal.com/data/tools/security/live/HeX-i386-1.0.2.img.gz
https://secure.redsphereglobal.com/data/tools/security/live/HeX-i386-1.0.2.img.gz.md5
https://secure.redsphereglobal.com/data/tools/security/live/HeX-i386-1.0.2.img.gz.sha256

Cheers,
JJC

HeX 1.0.2R LiveUSB Release

As I have been away on holiday, I have been unable to release the next iteration of the HeX LiveUSB tool. Let this post serve to remediate that (albeit a bit late). Without further ado, the download is located at the following URLs:

https://secure.redsphereglobal.com/data/tools/security/live/HeX-i386-1.0.2.img.gz
https://secure.redsphereglobal.com/data/tools/security/live/HeX-i386-1.0.2.img.gz.md5
https://secure.redsphereglobal.com/data/tools/security/live/HeX-i386-1.0.2.img.gz.sha256

For those that are not familiar with the HeX project, please read further at rawpacket.org. The LiveUSB project is a subset of the overall HeX project and adds a bit of functionality to suit your portable packet monkeying needs. Essentially it gives you a slightly larger (and writable) filesystem to do with what you please; i.e. update signatures, modify configurations, store data and the like.

To use the LiveUSB, simply download, decompress and dd onto your device (example on fbsd: dd if=/path/to/HeX-i386-1.0.2.img of=/dev/da0 bs=1M). Note that for speed purposes it is important to increase your default block size in fbsd; with a value of 1M it takes about 200 seconds for my system to write the entire 2G image.

This release contains the NSM Console as described below.

Matthew (Dakrone) is the main developer of NSM Console; here’s the short description about it -

NSM Console (Network Security Monitoring Console) is a framework for performing analysis on packet capture files. It implements a modular structure to allow for an analyst to quickly write modules of their own without any programming language experience which means you can quickly integrate all the other NSM based tools to it. Using these modules a large amount of pcap analysis can be performed quickly using a set of global (as well as per-module) options. NSM Console also aims to be simple to run and easy to understand without lots of learning time.

If you want more information about what it is (and what it does), check out this introductory post -

http://thnetos.wordpress.com/2007/11/27/nsm-console-a-framework-for-running-things/

You can access NSM Console by clicking the menu -> NSM-Tools -> NSM Console

There are also several bug fixes in this release, as well as new nifty wallpapers (for the holiday season hah).

http://www.rawpacket.org/projects/hex/artwork

1. unicornscan run time error
2. svn run time error
3. lsof run time error
4. firefox startup issue
5. pidgin and liferea dbus issue
6. CDROM-Mount.sh syntax error
7. script command issue
8. ping setuid issue

Other known major or minor issues in the Base System are fixed, thanks to chfl4gs_.

Cheers,
JJC

Monday, December 10, 2007

managing snort rulesets cont...

I need to amend my previous posting about the usage of Oinkmaster to automate and manage your Snort rules. In the simple script I had added a command that updates the sid-msg.map in a fairly unclean way. There is, in fact, included within the /contrib of Oinkmaster a nifty little script called create-sidmap.pl. This script reads all of the rules from the rules path that you specify and generates sid-msg.map output that can be redirected into a clean sid-msg.map file.

The location in my original posting that should be changed is highlighted here:
secure2# vi /usr/local/bin/autooinkall.sh
#! /bin/sh
#
# simple script to run oinkmaster and obtain bleeding threat updates
# in addition to the regular snort.org updates
#
/usr/local/bin/oinkmaster -o /usr/local/etc/snort/rules/
/usr/local/bin/oinkmaster -C /usr/local/etc/oinkmaster-bleeding.conf -o /usr/local/etc/snort/rules/
cat /usr/local/etc/snort/rules/bleeding-sid-msg.map >> /usr/local/etc/snort/rules/sid-msg.map
/bin/kill -HUP `cat /var/run/snort_em1.pid`
/bin/kill -HUP `cat /var/run/by.pid`
This should be changed to /path/to/your/create-sidmap.pl /path/to/rules/ > /usr/local/etc/snort/rules/sid-msg.map so that the whole thing looks like the following:
secure2# vi /usr/local/bin/autooinkall.sh
#! /bin/sh
#
# simple script to run oinkmaster and obtain bleeding threat updates
# in addition to the regular snort.org updates
#
/usr/local/bin/oinkmaster -o /usr/local/etc/snort/rules/
/usr/local/bin/oinkmaster -C /usr/local/etc/oinkmaster-bleeding.conf -o /usr/local/etc/snort/rules/
/usr/local/bin/create-sidmap.pl /usr/local/etc/snort/rules > /usr/local/etc/snort/rules/sid-msg.map
/bin/kill -HUP `cat /var/run/snort_em1.pid`
/bin/kill -HUP `cat /var/run/by.pid`
Regards,
JJC

Monday, December 3, 2007

HeX 1.0.1R LiveUSB Image

After receiving numerous requests to create a HeX Live USB Key Image, I have completed it. This image includes all of the standard tools that you will find on HeX and is writable; so you can update things (signatures etc), make changes and so on.

To use this tool, simply download it from the below location, decompress it and use dd to place it onto your USB Key. If you are not familiar with the dd syntax it's quite simple really; dd if=/path/to/extracted/hex-i386-1.0.1.usb.img of=/dev/da0 (your USB device). Note, that you should not dd this to a mounted partition, it will not work. You need to dd onto a USB Key that you don't mind losing the data on, because this will overwrite everything on that key. You can create a small partition after the dd (this of course assumes that you know how to do this, leaving the existing partition in-place) and have that to write data to etc...

This image does require a minimum 2G key (actually uses 1.75G), and has no minimum memory requirements (other than standard fbsd and X requirements).

https://secure.redsphereglobal.com/data/tools/security/live/hex-i386-1.0.1.usb.img.gz
http://secure.redsphereglobal.com:8080/data/tools/security/live/hex-i386-1.0.1.usb.img.gz
MD5 (hex-i386-1.0.1.usb.img.gz) = cd7489ba0a2a1fe824d286c72eee6842
SHA256 (hex-i386-1.0.1.usb.img.gz) = ffbb428145e0184d3848e45afee0d10ba41a4d9177688db10befc943dd4058f5

Please test this out and let me know how it works for you, or let the entire team at rawpacket.org know.

Regards,
JJC

Monday, November 5, 2007

MySpace account pwnage!

As the title indicates and as I have wanted to write about for some time now, ever since I noticed that the MySpace login page is not protected by any type of encryption, this posting is about sniffing MySpace passwords off of your network...

To test this theory, and have a little fun, I used snort to sniff some packets off of a ToR (The Onion Router) system that I built specifically for this purpose. The results below are fairly self-evident, though the names, dates, and locations have been changed to protect the guilty ^_^. As we can see from the below highlighted output, the username is j00r_myspace_pwned@hotmail.com and their password is password12345. I am both surprised and not surprised to see this on the internet today.

POST /index.cfm?fuseaction=login.process HTTP/1.1
Host: secure.myspace.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.8) Gecko/20071008 Firefox/2.0.0.8
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://www.myspace.com/
Cookie: MSCulture=IP=10.10.10.10&IPCulture=en-US&PreferredCulture=en-US&Country=US&timeZone=0&ForcedExpiration=633298319485005304&USRLOC=QXJlYUNvZGU9MjA3JkNpdHk9Q2FtZGVuJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT01MDAmTGF0aXR1ZGU9NDQuMjI1MyZMb25naXR1ZGU9LTY5LjA5MjMmUG9zdGFsQ29kZT0mUmVnaW9uTmFtZT1NRQ%3D%3D; SessionDDF1=933aa40e14c3e8ee00fd99a3ab029eea43bb704eb259248a

Content-Type: application/x-www-form-urlencoded
Content-Length: 586

__VIEWSTATE=%2FwEPDwUKMTI3ODg2ODMzM2QYAQUeX19Db250cm9sc1JlcXV
pcmVQb3N0QmFja0tleV9fFgIFMGN0bDAwJE1haW4kU3BsYXNoRGlzcGxheSRjdGw
wMCRSZW1lbWJlcl9DaGVja2JveAUwY3RsMDAkTWFpbiRTcGxhc2hEaXNwbGF5JG
N0bDAwJExvZ2luX0ltYWdlQnV0dG9u&NextPage=&ctl00%24Main%24Splash
Display%24ctl00%24
Email_Textbox=j00r_myspace_pwned%40hotmail.com
&ctl00%24Main%24SplashDisplay%24ctl00%24
Password_Textbox=password12345&ctl00%24Main%24SplashDisplay
%24ctl00%24Login_ImageButton.x=26&ctl00%24Main%24SplashDisplay%24ctl00%24Login_ImageButton.y=14&ctl00%24
Main%24SplashDisplay%24ctl00%24nexturl=&ctl00%24Main%24SplashDisplay%24ctl00%24apikey=

HTTP/1.1 302 Found
Cache-Control: private
Content-Length: 214
Content-Type: text/html; charset=utf-8
Location: http://login.myspace.com/index.cfm?fuseaction=ad&MyToken=2d99f690-abae-4839-97dd-64b48d1edd52
Server: Microsoft-IIS/6.0
X-AspNet-Version: 2.0.50727
Set-Cookie: MYUSERINFO=; domain=.myspace.com; expires=Wed, 19-Jan-2005 08:28:17 GMT; path=/
Set-Cookie: MYUSERINFO=; domain=myspace.com; expires=Wed, 19-Jan-2005 08:28:17 GMT; path=/
Set-Cookie: USER=; domain=.myspace.com; expires=Wed, 19-Jan-2005 08:28:17 GMT; path=/
Set-Cookie: USER=; domain=myspace.com; expires=Wed, 19-Jan-2005 08:28:17 GMT; path=/
Set-Cookie: MYUSERINFO=MIICtQYKKwYBBAGCN1gDlqCCAqUwggKhBgorBgEEAYI3WAMBoIICkTCCAo0CAwIAAQICZgMCAgDABAjl8wldaxuF7AQQzm1U8TfL0hIgLZm%2f%2baYNBwSCAmDFTCkutM5yyyvSN8vTANn5kgTYOPD3DWWxRcRQEx2ehj0nYpz3kqS0jJaAnb1PD7auiaNq8XMaipcAFbJbzntSKmLEwK7H%2brQknmAbEpo4YP3ofM9GcZb5ZYWzN2hj%2bclZDsJ4M%2fEPlqDElkLW7cWbUGcP2KMMcd%2bxJDxL3tcHHNaZymfryqMHpEibZtUEs%2bvHjbbQ8pcVNm%2bFyfO8yfnIJ20BCwebS7ZiseN0D0I8yWuZRwULf
7HTAYB8jdhQyx49ULlkCUT4DL0iORqNL8Q3CvSdRwS7zT7cyBNC%2fg6%2b0Hy1D4NGHQcSzIXJ2tGg2%2bz5kCDPrARZVK5qgsSbI90ouN5LKu4kPLDd7w9%2fHtsFo%2ft%2bP4h4k%2fMq57s%2fuPPkM4J4h7ewHwEIVzv4lnk39l7QTthhroMwi9Qn196c%2fDNByifjkOAocz09n%2fB4t%2bzycg7B8VyIlY1P%2f29syvz%2ft5NbkbyYbAu6Sfz0%2biNM%2fjuqEFHAY1dGU6W%2btR8GD%2bGvsWttdb8kPXKL4x6HpIr1QyGIwk0SZEDr2oMzZjcQegezv3loAV9JivU8HmYaaibwLMJUVIPv6uvvr1slqJ%2f7dmG6hjFeEDjb4uEvrYfZrV0R75JQPd3W6MXjciL%2bRW3YDuK
XGghi9I70PnpFuWeEkzE11U2IkyX3jb6GP4uOAl4KEZtQoF8LSsezdXPjlBP%2f1Q0upnPXJTzy0RNTfZZ0bdOuqnC13%2fNXIL96aZKgo0KVILrKN7E2uJYGkavoYyeK7Efolb%2f%2fgLSrX%2bUoicGc2oLceCWhrVxXdZAVt%2b0c7YNUTQ%3d%3d; domain=.myspace.com; path=/; HttpOnly
Set-Cookie: MSCulture=IP=10.10.10.10&IPCulture=en-US&PreferredCulture=en-US&Country=US&timeZone=0&ForcedExpiration=633298319485005304&USRLOC=QXJlYUNvZGU9MjA3JkNpdHk9Q2FtZGVuJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT01MDAmTGF0aXR1ZGU9NDQuMjI1MyZMb25naXR1ZGU9LTY5LjA5MjMmUG9zdGFsQ29kZT0mUmVnaW9uTmFtZT1NRQ==; domain=.myspace.com; expires=Mon, 12-Nov-2007 12:00:36 GMT; path=/
Set-Cookie: LASTUSERCLICK=%7bts+'2007-11-05+04%3a00%3a36'%7d; domain=.myspace.com; path=/
Set-Cookie: GADC=EUD=0:0:YTVkMTA4OTQ5ZDg5ZWI0OekNaTFtgDI_S7P6H2jrQzkk4nPuDPBbmATsWT8Cbo-Vd3Hgs227A2MQcf3dzClR3nwSH5PPEg8uiygF6KzHRgPJYhvfCX0YsIcKZKOEwjO3; domain=.myspace.com; expires=Fri, 05-Nov-2027 11:00:36 GMT; path=/
Set-Cookie: SplashDisplayName=j00r_myspace_pwned; domain=.myspace.com; path=/
Set-Cookie: D
ERDB=ZG9tYWluPS5teXNwYWNlLmNvbSZ0bGQ9Y29tJnNtb2tlcj0yJnNleHByZWY9MSZ1dHlwZT0yJnJlbGlnaW9uaWQ9MCZyZWdpb249MjAmcG9zdGFsY29kZT0wNDU3MiZtYXJpdGFsc3RhdHVzPU0maW5jb21laWQ9MCZoZWlnaHQ9MTcxJmdlbmRlcj1NJmZyaWVuZHM9MSZldGhuaWNpZD04JmFnZT0zMCZib2R5dHlwZWlkPTYmY2hpbGRyZW5pZD00JmNvdW50cnk9VVMmZGF0aW5nPTAmZHJpbmtlcj0xJmVkdWNhdGlvbmlkPTEmcmVsYXRpb25zaGlwcz0wJm5ldHdvcmtpbmc9MCZkaXNwbGF5bmFtZT1KZXJlbXkmZnJpZW5kaWRfaW50PTE0MzE0MDkxNyZpcGFkZHJlc3M9JzY
5LjM5LjExMC4yNycmc2NobD0wJnNjaGw9MCZzY2hsPTAmZ3JwPTAmZ3JwPTAmZ3JwPTAmY3VsdHVzZXJwcmVmPTEwMzM=; domain=.myspace.com; path=/
Set-Cookie: MSCulture=IP=10.10.10.10&IPCulture=en-US&PreferredCulture=en-US&Country=US&timeZone=0&ForcedExpiration=633298319485005304&USRLOC=QXJlYUNvZGU9MjA3JkNpdHk9Q2FtZGVuJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT01MDAmTGF0aXR1ZGU9NDQuMjI1MyZMb25naXR1ZGU9LTY5LjA5MjMmUG9zdGFsQ29kZT0mUmVnaW9uTmFtZT1NRQ==; domain=.myspace.com; expires=Mon, 12-Nov-2007 12:00:36 GMT; path=/
Set-Cookie: Login=; domain=.myspace.com; path=/
X-Server: ce28ca171d6578a0dad1823b61ec8978cabea8d4955341dd
Date: Mon, 05 Nov 2007 12:00:36 GMT


I am surprised because I know that MySpace receives a large amount of traffic and has quite the large user base, I would therefore think that they would provide SSL/TLS transport as a minimum to protect the authentication information of their user base. But I am also not surprised by the fact that this is yet another blaring sign pointing to the fact that many organizations, engineers and so on do not take security seriously, nor do they develop with security as even so much as an afterthought.

I also find it quite humorous that they actually have "Safety Tips" on their site. Probably the most humorous of which is their sixth tip on that page: "Don’t get hooked by a phishing scam. Phishing is a method used by fraudsters to try to get your personal information, such as your username and password, by pretending to be a site you trust. Click here to learn more." I suppose that they are right though...I mean, why submit your information to a phishing site/scam when they can just sniff your traffic and own your account!

Of course gaining access to the user's account is only the beginning; this opens up the door to a whole realm of possibilities, given the fact that *most* users will use the exact same password for all of their accounts. Or they will at least use a basic derivation of that password, an example would be adding a different number to the end in each instance, i.e. password1, password2, password3. Compromising the email account associated with the MySpace account also makes it extremely easy to gain additional information about an individual and ultimately be able to steal various types of sensitive information or even to further breach their resources (corporate accounts and the like).

With the use of ToR and various anonymizers growing every day, and the level of expertise / knowledge of the basic ToR user not being that of a security minded individual, it is surprisingly easy to grab a number of MySpace user accounts in short-order. During my testing period (roughly two weeks) of running a ToR server and sniffing for the magic MySpace packet, I was able to build a database of over 20 accounts and their associated passwords. Conceivably I could create a network of ToR servers and be able to easily own accounts at a fairly rapid rate.

All of this said, I strongly urge MySpace to purchase an SSL cert or two and use them, if nothing more than for the login process "This is what google does with gmail, a user browses to http://gmail.google.com and to logon is redirected to the https:// site, after authentication they are directed back to the http:// site".
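A defender-side check for the two problems visible in the capture above, added here as an example (it is not from the original post): it reports credential-looking form fields submitted without TLS, by name only, and Set-Cookie headers that lack Secure or HttpOnly. The sample request body and headers are constructed stand-ins modelled on the capture, and the function names and hint list are assumptions.

```python
from urllib.parse import parse_qsl

# Constructed sample modelled on the capture above; values are shortened stand-ins.
SAMPLE_BODY = (
    "ctl00%24Main%24SplashDisplay%24ctl00%24Email_Textbox=user%40example.com"
    "&ctl00%24Main%24SplashDisplay%24ctl00%24Password_Textbox=not-a-real-password"
    "&ctl00%24Main%24SplashDisplay%24ctl00%24nexturl="
)
SAMPLE_HEADERS = """\
HTTP/1.1 302 Found
Set-Cookie: USER=; domain=.myspace.com; expires=Wed, 19-Jan-2005 08:28:17 GMT; path=/
Set-Cookie: MYUSERINFO=AAAA%3d%3d; domain=.myspace.com; path=/; HttpOnly
Set-Cookie: SplashDisplayName=someuser; domain=.myspace.com; path=/
Set-Cookie: Login=; domain=.myspace.com; path=/
"""
CREDENTIAL_HINTS = ("password", "passwd", "pwd", "email", "username")  # assumed list

def credential_fields(body):
    """Names (never values) of non-empty form fields that look like credentials."""
    names = []
    for name, value in parse_qsl(body, keep_blank_values=True):
        leaf = name.rsplit("$", 1)[-1]        # ASP.NET control ids are $-separated
        if value and any(hint in leaf.lower() for hint in CREDENTIAL_HINTS):
            names.append(leaf)
    return names

def cookie_findings(raw_headers):
    """Map cookie name -> missing attributes; empty-valued (cleared) cookies are skipped."""
    findings = {}
    for line in raw_headers.splitlines():
        key, _, rest = line.partition(":")
        if key.strip().lower() != "set-cookie":
            continue
        parts = [p.strip() for p in rest.split(";")]
        name, _, value = parts[0].partition("=")
        if not value:
            continue
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        missing = [a for a in ("Secure", "HttpOnly") if a.lower() not in attrs]
        if missing:
            findings[name] = missing
    return findings

def audit(scheme, body, raw_headers):
    """Report credential fields sent without TLS and cookies lacking Secure/HttpOnly."""
    cleartext = credential_fields(body) if scheme.lower() != "https" else []
    return {"cleartext_credentials": cleartext, "cookies": cookie_findings(raw_headers)}

if __name__ == "__main__":
    print(audit("http", SAMPLE_BODY, SAMPLE_HEADERS))
```

Cookies without the Secure attribute are still sent in the clear on any later http:// request, so they stay flagged even when the login form itself is posted over HTTPS.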

For fun, I have included below a snort rule that should catch the magic MySpace packet ;-), this is from bleedingthreats.net.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY Myspace Login Attempt"; flow:established,to_server; content:"login.myspace.com"; uricontent:"/index.cfm?fuseaction=login"; classtype:policy-violation; sid:2002872; rev:2;)
I would like to thank Jeff for sending me some of his pcap data for analysis!

Cheers,
JJC

Monday, October 29, 2007

HeX-VA (Virtual Security Appliance)

I am pleased to announce the release of the HeX Virtual Appliance!

To facilitate quick and easy use of the tools that are built into the HeX Live CD, we have installed the Live CD on four Virtual Machines to create four Security Virtual Appliance Images. These images are intended to aid in the rapid deployment and usability of the HeX Live Toolkit and we are dubbing it HeX-VA. The images are designed for use with Parallels, Qemu, VMware and Virtualbox virtualization technologies. If you have any problems using these images or have any suggestions, please feel free to contact us or stop by #rawpacket on freenode.

Thanks to geek00l for the screenshots and continued hard work on this project! I have included the US Mirrors below for your downloading pleasure. If you are not US based, there are other Malaysian mirrors listed on the official rawpacket.org site under the Virtual Appliance project section.

HeX-Parallels | md5 | sha256
HeX-Qemu | md5 | sha256
HeX-VMware | md5 | sha256
HeX-Virtualbox | md5 | sha256

I'll be posting some detailed directions shortly on the usage of NTop and some specifics on tuning it for your environment (by request).

Cheers,
JJC

Screenshots of various HeX-VAs:










Friday, October 26, 2007

HeX 1.0.1 Release (Bug Fixes)

So, due to several flaws that people were experiencing with HeX 1.0R we are releasing an updated version (1.0.1). The fixes in this version include increased bootup speed; during the extraction and loading of the data into mfs /var, the IO process of several different system types was causing an apparent system hang, and this has been resolved.

Another major issue that was occurring was with the msfweb not loading properly or not functioning when loaded. It turns out that this was actually a firefox related issue; deleting ~/.mozilla/firefox and using the global Firefox configuration fixed the problem (note that this also fixed javascript issues in ntop and darkstat).

As geek00l says, we are "shamelessly" releasing this fixed version. As always please give it a roll and let us know if you experience any issues. You can report bugs using our Trac interface, the Mailing List or via IRC in #rawpacket on freenode.

Download URLs:
Cheers,
JJC

Tuesday, October 23, 2007

Openpacket.org Beta

The openpacket.org beta site is live (and has been for a while, but I did not think to post about it) :-\

This site is the brainchild of Richard Bejtlich who announced the beta at http://openpacket.blogspot.com. Please swing by and drop some pcap data or just some comments / requests.

The site is located at http://beta.openpacket.org:8080

Cheers,
JJC

Thursday, October 18, 2007

HeX Live 1.0 Release

After 6 months of heavy development and debugging I am pleased to announce the release of the HeX Live CD 1.0 Release. What is HeX Live? HeX Live is the world's first and foremost Network Security Monitoring & Network Based Forensics liveCD. The intent is to provide a wide array of highly usable tools in a pre-packaged format that the analyst can use to investigate and monitor real-time network activity, whether security related or in the course of reviewing traffic to determine bandwidth over utilization sources and so on...

This will be the final major release of HeX LiveCD until the release of FreeBSD 7.0 Rel; this is of course pending no major bugs are located in HeX 1.0R. If there are any major bugs found, then a bug-fixed HeX will be released prior to FreeBSD 7.0 Rel.

For a detailed list of what applications can be found on HeX Live 1.0R check out the actual project at rawpacket.org.

I have also included in this posting the CD covers that were created by vickz, fantastic work man! You can download the HeX LiveCD 1.0R from the following locations:

  1. US Server (East Coast) | MD5 | SHA256 | User Guide
  2. Malaysia Server | MD5 | SHA256 | User Guide
I will try to get some decent screenshots posted soon so that everyone can see just how slick the HeX LiveCD 1.0R really is. I would also suggest that you download it and play with it. There are a good number of tools on here for packet monkeys of all ages and skill to have a good old time!

I'll leave it at that for now, and again would like to thank the community for their support and feedback throughout the development process of this tool.

Shout to Geek00l for organizing everything and kicking some a$$!
Shout to ch4flgs_ and zarul for everything!
Shout to all others involved in this project (esp for putting up with me)

Cheers,
JJC

Tuesday, October 9, 2007

HeX Live Pending Release


For all of you anxious packet monkeys out there, the HeX LiveCD 1.0R will soon be available. We are running through extensive tests and bug fixing exercises right now, but anticipate releasing this new version within the next week. I'll post an update once released, as well as the standard US mirrors.

This project has also been gaining a good amount of momentum and continued community support. I would like to thank all involved, esp geek00l and chfl4gs_ (the core founders)!

If you want some additional information concerning this project, please check out www.rawpacket.org!

Cheers,
JJC

Friday, September 28, 2007

HeX Live Update

Excerpt from geek00l:
For all the HeX liveCD users out there, we have been developing this liveCD for quite some time and I have received some positive and negative comments and various input from the users. Therefore, instead of me receiving the email and redirecting it to other co-developers, I decided to create the mailing list for the HeX liveCD so that it will have a life of its own ;P

There you go -

http://groups.google.com/group/HeX-liveCD?hl=en

Since this is a public group and mainly used for mailing list management, I decided to use google group as it is convenient and easy. Therefore feel free to join us!!!!!

On the other hand, you can visit us at Freenode #rawpacket. Most of us are slacking there.
I would also like to thank everyone for their feedback and support of this project, one small step at a time. As to some additional information, there has been some discussion surrounding the creation of a VM image / Virtual Appliance that would embody the HeX Live CD capabilities and give the network analyst a broad set of tools. I'll post updates about this as they are available.

Cheers,
JJC

Tuesday, September 11, 2007

Network Security Toolkit Pt 1 (using snort with barnyard, apache, mysql, php and BASE)

So, as the title implies this is the first in a multi-part series discussing a network security toolkit built on Open Source. The system that I am using to create this is FreeBSD 6.2 RELEASE. We will be building tools mostly from the ports tree, but a few are not yet ported, so we will manually install those as needed.

Assumptions:
  1. You have installed and somewhat adequately secured FreeBSD
  2. You have a basic knowledge of the FreeBSD OS and have network connectivity on this system
  3. If you don't know this / have your system setup, you know how to RTFM (Google)
  4. You have updated your ports tree prior to building this stuff

Ok, now that we have established the assumptions, let's go over the software that we are going to use for this implementation:


Requirements:
  1. Apache22 - Core webserver to serve up your base /usr/ports/www/apache22
  2. MySQL 50 - Database server to house your snort data /usr/ports/databases/mysql50-server/ (also -client and -scripts)
  3. php5 - php support for apache22 /usr/ports/lang/php5
  4. base - your snort alert and event viewing tool /usr/ports/security/base
  5. barnyard - the tool that takes the unified snort logs and puts them into your MySQL database /usr/ports/security/barnyard
  6. snort - your IDS engine /usr/ports/security/snort
  7. oinkmaster - snort rule updater /usr/ports/security/oinkmaster
Optional:
  • phpmyadmin a GUI tool to help you manage your MySQL databases /usr/ports/databases/phpmyadmin

Installation:


Apache22 - install and edit httpd.conf then start and test

secure2# cd /usr/ports/www/apache22 && make install clean
.
.
.
secure2# vi /usr/local/etc/apache22/httpd.conf
.
secure2# /usr/local/sbin/apachectl start
.
.
you should now be able to browse to http://ipofinstalledhost/ and receive the "It Works!" message.
MySQL 50 - install and set a password for root user
secure2# cd /usr/ports/databases/mysql50-server/ && make install clean
.
.
.
secure2# cd /usr/ports/databases/mysql50-scripts/ && make install clean
.
.
.
secure2# cd /usr/ports/databases/mysql50-client/ && make install clean
.
.
.
secure2# /usr/local/etc/rc.d/mysql-server start
secure2# mysqladmin -u root password "passwordwithoutquoteshere"
secure2# mysqladmin -u root -h localhost password "passwordwithoutquoteshere"
secure2# mysql -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 88965
Server version: 5.0.45-log FreeBSD port: mysql-server-5.0.45

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)

mysql>
php5 - install php5; be sure to select apache when asked for configuration options!
secure2# cd /usr/ports/lang/php5 && make install clean
.
.
.
secure2# vi /usr/local/etc/apache22/httpd.conf
.
.# ensure that the following is in your httpd.conf
AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps
.
.
secure2# apachectl restart
BASE - install and prepare base for use
secure2# cd /usr/ports/security/base && make install clean
.#be sure to select MySQL support...PDF is optional
.
.
. #configure apache22 to serve base
secure2# vi /usr/local/etc/apache22/httpd.conf
.
##place this at the bottom of httpd.conf
Alias /base/ "/usr/local/www/base/"
##save
secure2# apachectl restart
secure2# chown -R www:www /usr/local/www/base/
secure2# mysql -u root -p
mysql> create database base_demo;
Query OK, 1 row affected (0.00 sec)
secure2# mysql -u root -p base_demo < /usr/local/www/base/sql/create_base_tbls_mysql.sql
Now that we have setup the previous components we can access BASE by browsing to http://ipofinstalledhost/base/ where you should see the following BASE configuration screen:


We will be going through this setup process in a bit, first we need to get snort with barnyard up and running.

snort - install and configure the system to use snort.
secure2# cd /usr/ports/security/snort/ && make install clean
#be sure to Enable MySQL support
.
#add tables to the database...
secure2# mysql -u root -p base_demo < /usr/local/share/examples/snort/create_mysql
#configure snort.conf
secure2# vi /usr/local/etc/snort/snort.conf
#modify this file as needed for your network....
.
#configure logging only for unified..i.e. the following lines
output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128
#I'll write more about tuning SNORT rules later, but for now this will get you started.
#before we can start snort to test, we will need to get the latest signatures using oinkmaster!
oinkmaster - magical snort rule updater?
secure2# cd /usr/ports/security/oinkmaster/ && make install clean
.
.
secure2# vi /usr/local/etc/oinkmaster.conf
#get your registration code from snort.org and plug it into the Snort 2.4 download url in the oinkmaster file....



barnyard - log unified snort output to database
secure2# cd /usr/ports/security/barnyard/ && make install clean
#be sure to Enable MySQL support
.
secure2# vi /usr/local/etc/barnyard.conf
#configure your barnyard to log the data..the following lines are important
# set the hostname (currently only used for the acid db output plugin)
config hostname: secure2
# set the interface name (currently only used for the acid db output plugin)
config interface: em1
# Converts data from the dp_log plugin into an approximation of Snort's
# "ASCII packet dump" mode. Argument:


output log_dump
# password database connect trash
output alert_acid_db: mysql, sensor_id 1, database base_demo, server 127.0.0.1, user root, password passwordhere
output log_acid_db: mysql, sensor_id 1, database base_demo, server 127.0.0.1, user root, password passwordhere, detail full


Putting it all together and starting it up.
secure2# oinkmaster -o /usr/local/etc/snort/rules/
secure2# /usr/local/bin/snort -c /usr/local/etc/snort/snort.conf -i em1 -u root -D > /dev/null -n
secure2# /usr/local/bin/barnyard -c /usr/local/etc/barnyard.conf -g /usr/local/etc/snort/gen-msg.map -s /usr/local/etc/snort/rules/sid-msg.map -d /var/log/snort/ -f snort.log -w /var/log/snort/barnyard.waldo -p /usr/local/etc/snort/rules/classification.config


Once all of this is done, your snort should be logging the unified data, with barnyard reading it and slapping it into your database.

Now, let's get back to our configuration for BASE. Browse to http://ipofinstalledhost/base/ and select the continue option. The next few screens are filled with the configuration options to connect you to the base database(s). Simply input the information for the db, dbuser, dbpass and you will be all set!

Congratulations, you now have a functioning SNORT install using barnyard, MySQL and BASE. I did not cover the install of phpmyadmin, but you should be able to Google it and figure it out...
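Before leaving this running, it is worth auditing the database output lines in barnyard.conf. The following is an added example (not part of barnyard or the original post) that parses the alert_acid_db / log_acid_db lines and flags the MySQL root account, placeholder passwords and a config file readable by group or other; the sample config is constructed from the lines above, and the function names and placeholder list are assumptions.

```python
import os
import stat
import tempfile

# Constructed sample using the option layout of the barnyard.conf lines above.
SAMPLE_CONF = """\
config hostname: secure2
# output alert_acid_db: mysql, database old, user root
output alert_acid_db: mysql, sensor_id 1, database base_demo, server 127.0.0.1, user root, password passwordhere
output log_acid_db: mysql, sensor_id 1, database base_demo, server 127.0.0.1, user root, password passwordhere, detail full
"""
DB_PLUGINS = ("alert_acid_db", "log_acid_db")
PLACEHOLDERS = {"", "password", "passwordhere", "changeme"}  # assumed list

def parse_db_outputs(text):
    """Return [(plugin, options)] for each uncommented acid_db output line."""
    found = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("output ") or ":" not in line:
            continue
        plugin, _, args = line[len("output "):].partition(":")
        if plugin.strip() not in DB_PLUGINS:
            continue
        tokens = [t.strip() for t in args.split(",")]
        opts = {"dbtype": tokens[0]}          # first token is the database type
        for tok in tokens[1:]:                # the rest are "key value" pairs
            key, _, value = tok.partition(" ")
            opts[key] = value.strip()
        found.append((plugin.strip(), opts))
    return found

def audit_conf(path):
    """Return a list of findings for the barnyard.conf at `path`."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("file mode %o lets group/other read the DB password" % mode)
    with open(path) as fh:
        for plugin, opts in parse_db_outputs(fh.read()):
            if opts.get("user") == "root":
                findings.append("%s: logs in as MySQL root, not an account limited to %s"
                                % (plugin, opts.get("database", "one database")))
            if opts.get("password", "") in PLACEHOLDERS:
                findings.append("%s: empty or placeholder password" % plugin)
    return findings

def write_sample(text, mode):
    """Write `text` to a temp file with `mode` and return its path (demo helper)."""
    fd, path = tempfile.mkstemp(suffix=".conf")
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.chmod(path, mode)
    return path

if __name__ == "__main__":
    for finding in audit_conf(write_sample(SAMPLE_CONF, 0o644)):
        print(finding)
```

Point audit_conf at /usr/local/etc/barnyard.conf to check the real file; a dedicated MySQL account scoped to base_demo and a 0600 config clear every finding.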

I'll be following this post up with the addition of bleeding snort rules, how to properly tune your snort configuration, the use of SGUIL (TRUE NSM) and several other goodies relating to network security... so stay posted.

Cheers,
JJC