If you’ve not yet heard of Razorback, start listening. Sourcefire, the company behind the incredibly popular and effective Snort IPS, is working on a new project to extend detection beyond what a traditional IPS can do. The best part: much like Snort, Razorback is an open source project. It will likely be incorporated into Sourcefire’s commercial solutions at some point, but a free version will remain. In an age of security budget cuts, despite the so-called “Year of the Hack,” free is a good thing.
So what is it? Razorback is an attempt to separate traffic capture from detection. A traditional IPS captures traffic and analyzes it in real time, which limits how much analysis and reconstruction it can do inline. Razorback instead captures data according to the type of content being exchanged, then hands that content to additional processes for analysis: ClamAV scans, PDF dissection, submission of file types to VirusTotal, and more. Check out the Sourcefire team’s presentation at DefCon 18 if you want to learn more before diving in.
Razorback is young, but it’s growing up fast, and the latest release overcomes one of the biggest obstacles to deploying it for testing: setup and configuration. Sourcefire has released a virtual machine appliance that can get a Razorback installation up and running in less than 20 minutes. I’m going to walk you through doing just that with VirtualBox.
First you’ll need a PC with at least 8 GB of RAM and two NICs. You’ll also need a way to mirror the traffic you want to monitor: a switch port span, a hub, or a tap. You can download VirtualBox here, and don’t forget the VirtualBox extensions here. The Razorback VM can be found here.
- Install VirtualBox, then install the VirtualBox extensions. Defaults in both cases should be fine.
- Launch VirtualBox and click File > Import Appliance. Click the Choose button, browse to where you downloaded the Razorback virtual appliance file, Razorback-0.3.0-Release.ova, and click Open, then Next. I’d suggest selecting the check box to re-initialize the MAC address of the appliance’s network card, then click Import. It should only take a couple of minutes to import the appliance.
- Once the appliance is imported, the first thing you’ll need to do is edit the VirtualBox network settings. Right-click the Razorback-0.3.0-Release machine name and select Settings. When the Settings window loads, select Network. First, make sure the first network adapter is set to Bridged Adapter, and that the “Name” field shows the physical network card you want to use as the management interface. Next click the little triangle next to “Advanced.” You’ll need to change the “Adapter Type” for the appliance’s FreeBSD guest to recognize the card, so choose “PCnet-PCI II (Am79C970A).” Since this is only a management interface, don’t worry about Promiscuous Mode. Do NOT create or configure a second adapter for the monitor interface yet. Choose OK when you’re done with the settings.
- Right-click the Razorback-0.3.0-Release VM and choose “Start” for your initial boot. It will take a couple of minutes to boot, and once it’s done you’ll see a command-line menu; if you wait, you’ll start to see “razorback masterNugget” log events writing to the console. Click in the VM and press Enter to bring the menu back if it scrolls away. You should see a URL for the system management web interface. Port 8080 is the admin interface, port 80 is the user interface. If you don’t see the URL/IP address, or if it’s not valid, recheck the network settings above.
- Open a web browser and browse to http://<Management IP>:8080/. Log in as admin, password: razorback. Click Network > Interfaces > Add Interface. This is where you configure the Razorback management interface. The NIC should be le0. You can give it whatever interface name you like and set up DHCP or a static IP for the management interface. Scroll down and click OK when you’re done.
- Shut down the appliance, either from the command-line menu or from the web UI.
- Once it’s shut down, go back into VirtualBox Settings > Network (right-click the Razorback VM). Now we need to add a second adapter connected to your port mirror/span/tap. SaaC (Snort as a Collector) will monitor this interface. Click Adapter 2, enable it, and set it to Bridged Adapter. The “Name” should be the physical network card plugged into the port mirror. Click Advanced and set the “Adapter Type” to “PCnet-PCI II (Am79C970A).” This time set “Promiscuous Mode” to “Allow All,” since the adapter has to pass frames addressed to other hosts or Snort will see nothing but broadcast traffic. Click OK.
- Restart the Razorback virtual appliance.
- This is where it gets tricky, if you don’t know vi. Basically, we need to edit /etc/rc.conf so Snort monitors the proper interface. If you don’t know vi you can always learn the basics in 5 minutes here. From the Console Setup text menu on the Razorback VM, enter “9” to get shell access. Type “vi /etc/rc.conf” and scroll to the bottom of the file. You’re looking for the lines following “## TAP/Span interface on em1”. Change “em1” to the interface name “le1” on both the ifconfig_le1 and snort_interface lines, as seen in the screenshot above. Save the file.
- Back in the browser, open the Administration web UI at http://<Management IP>:8080. This time, head to Services > Control Services and click the On/Off button next to Snort. If everything goes as planned the button should turn blue (on).
- Open a new tab, browse to http://<Management IP>/, log in as admin, password razorback, and watch for events and, more importantly, alerts.
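The whole procedure above can be scripted rather than clicked through. What follows is an added example, written for this walkthrough and not code from the post or from the Razorback project. The host-side part drives VirtualBox with VBoxManage (import, bridged adapters, the Am79C970A adapter type, promiscuous mode on adapter 2); the guest-side part rewrites the two em1 lines in /etc/rc.conf with sed instead of vi. Assumptions, labelled in the comments: the host NICs are called eth0 (management) and eth1 (span port), and the rc.conf stanza uses FreeBSD's usual ifconfig_em1="..." and snort_interface="em1" form. The rc.conf content in the demo is constructed, not copied from the appliance. Check your own file before running the rewrite on it.

```shell
#!/bin/sh
# Added example; not part of the post or of the Razorback project.
# Part 1 (on the VirtualBox host) replaces the GUI steps with VBoxManage.
# Part 2 (inside the appliance) rewrites the monitor-interface lines in rc.conf.
# ASSUMPTIONS: host NICs eth0 (management) / eth1 (span), and rc.conf lines of the
# form ifconfig_em1="..." and snort_interface="em1".

VM="Razorback-0.3.0-Release"

# run CMD...: execute the command, or only print it when DRY_RUN=1 so the generated
# VBoxManage calls can be reviewed (and tested) on a box without VirtualBox.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi
}

# vbox_import OVA: import the appliance under the name in $VM.
vbox_import() {
    run VBoxManage import "$1" --vsys 0 --vmname "$VM"
}

# vbox_nic VMNAME N HOSTIF PROMISC: adapter N bridged to HOSTIF, with the PCnet-PCI II
# (Am79C970A) type the FreeBSD guest needs and a fresh MAC. PROMISC is deny|allow-all.
vbox_nic() {
    run VBoxManage modifyvm "$1" \
        "--nic$2" bridged "--bridgeadapter$2" "$3" \
        "--nictype$2" Am79C970A "--nicpromisc$2" "$4" "--macaddress$2" auto
}

# Management adapter first (before the first boot); span adapter after the shutdown.
vbox_setup_management() { vbox_nic "$VM" 1 "$1" deny; }
vbox_setup_monitor()    { vbox_nic "$VM" 2 "$1" allow-all; }

# rewrite_monitor_iface FILE OLD NEW: point the TAP/span stanza and snort at NEW.
# Writes through a temp file (sed -i differs between BSD and GNU sed); keeps FILE.bak.
rewrite_monitor_iface() {
    cp "$1" "$1.bak" &&
    sed -e "s/^ifconfig_$2=/ifconfig_$3=/" \
        -e "s/^snort_interface=\"$2\"/snort_interface=\"$3\"/" "$1" > "$1.tmp" &&
    mv "$1.tmp" "$1"
}

# monitor_iface_of FILE: the interface snort_interface currently names.
monitor_iface_of() { sed -n 's/^snort_interface="\(.*\)"/\1/p' "$1"; }

# has_ifconfig_line FILE IFACE: succeeds if an ifconfig_IFACE= line is present.
has_ifconfig_line() { grep -q "^ifconfig_$2=" "$1"; }

# Constructed sample rc.conf (not copied from the appliance) for trying part 2 offline.
make_sample_rc_conf() {
    cat > "$1" <<'EOF'
hostname="razorback"
ifconfig_le0="DHCP"
## TAP/Span interface on em1
ifconfig_em1="up"
snort_enable="YES"
snort_interface="em1"
EOF
}

# Demo: print the host-side commands, then rewrite a throwaway copy of rc.conf.
if [ "${RAZORBACK_DEMO:-1}" = "1" ]; then
    ( DRY_RUN=1
      vbox_import Razorback-0.3.0-Release.ova
      vbox_setup_management eth0
      vbox_setup_monitor eth1 )
    tmp=$(mktemp) && make_sample_rc_conf "$tmp"
    rewrite_monitor_iface "$tmp" em1 le1
    echo "snort_interface is now: $(monitor_iface_of "$tmp")"
    rm -f "$tmp" "$tmp.bak"
fi
```

On the host, run the first three functions without DRY_RUN in the same order as the GUI steps (import, configure adapter 1, boot once and set up the management IP, shut down, then configure adapter 2). Inside the appliance, from the shell option on the Console Setup menu, `rewrite_monitor_iface /etc/rc.conf em1 le1` does the vi edit, and `ifconfig le1` after the restart confirms the interface exists before you turn Snort on in the web UI.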
That’s about all there is to it. Keep an eye on performance, as high bandwidth can really tax the system. If you have the resources, adding more RAM to the VM can help.
When you start to see events and alerts you’ll see something like this:
Clicking on the Alert count will show you which inspector alerted and give a little information as to why; in this case OfficeCat found an Office vulnerability. Drilling into the Metadata count gets you a good bit more detail. In this case the vulnerability was found in a file downloaded from Yahoo! Mail.
And from the HTTP Response we can tell which file we need to be worried about. This type of data can be really handy for creating indicators of compromise (openioc.org).
If you give it a go, please consider joining the Razorback mailing list and supporting the development with testing feedback.