IDS Rule Reference for Splunk 1.0

I created a standalone version of IDS Rule Reference for Splunk for Snort/PulledPork users who are not running Security Onion. I’ve added a few dashboard views to provide a little more flexibility for searching or researching rule documents.

The initial IDS Rules view is what is included in the Security Onion for Splunk app. It can be used for researching rules and activity by filtering on enabled rules or by category, classtype or source file.

The first of the new additions is a more flexible search dashboard allowing for wildcard searches by rule name or sid. Simply enter keywords or some (or all) of a sid and you’re off and running.

Lastly, the IDS Rule Tome allows you to browse only the rules that have a matching rule reference document. Undocumented rules will not appear in these results.

Known issues: I’ve not sorted out how best to handle the small subset of rule documents that share a sid, so rule documents named genid-sid.txt will provide inconsistent results.

If you’re using IDS Rule Reference in Security Onion for Splunk and want the additional views, simply download this app and you’ll be good to go.

Setup is pretty simple if you’ve got Splunk rolling already.

Install:
Download the Snort Rule Documentation (opensource.gz) from http://www.snort.org/snort-rules then extract opensource.gz to the monitored path:

tar zxvf opensource.gz -C /opt/splunk/etc/apps/ids_ref/local/rules

Copy your Snort PulledPork *.rules files to the monitored path:

cp *.rules /opt/splunk/etc/apps/ids_ref/local/rules/

Restart Splunk.

Event Workflows:
You can modify the Event Workflows from Splunk Manager > Fields > Workflow actions. Edit the IDS Rule Reference “Apply only to the following fields” to apply the workflow link to your Snort sig_id field in Splunk). You’ll also want to edit the Search String variable field name ($sig_id$ is the default).

As always feedback and suggestions are welcome for improvements!

Security Onion 1.1 for Splunk

README notes w/ bonus comments for Version 1.1

I’ve added an input for Bro’s capture_loss.log which now displays on the SOstat Security Onion monitor in a time chart paired with Snort packet loss. To enable this log in Bro edit:

/usr/local/share/bro/site/local.bro

and add the following:

@load misc/capture-loss

You’ll have to check and install Bro for the change to get loaded.

sudo broctl
check
install
exit

and you’re done. It takes a few before the first logged event will show so give it a bit before you worry if it’s working. (The main reason I added this aside from the value is it will likely be standard in SO down the road. It’s completely optional and if I didn’t tell you about it you’d be none the wiser unless you did have it turned up, in which case you’d be pleasantly surprised.)

I also tweaked the sguild inputs to exclude “{URL” events. This data is already being consumed via bro_http so it should cut down on the licensing volume. (This will save you a ton of indexing volume and alone is worthy of updating!)

Monitors Dashboard

  • Returned misc-activity to the Sguil panel. (I’d yanked it due to the volume of URL events, but since we’re leaving those to bro_http, it’s value returns.)
  • Added date/time and raw event to drill down display for the FTP Args panel.

GeoIP

  • A drop down list has been added to GeoIP allowing you to search GeoIP by sourcetype which should reduce query times for more targeted views. The map also now includes drill down capabilities with results appearing below the map when selected. (Neatest update. Much more efficient than relying on all connections and lets you get geo visibility into each sourcetype.)

Mining

  • Added drill down to the time chart panels for HTTP and SMTP mining

(The following additions bring a little asset and vulnerability management to the game via two dashboards: PADS [passive asset detection] and  Bro’s Known Knowns.)

  • Added a PADS dashboard (similar to HTTP and SMTP mining) searchable by Name, Classification, Source IP, Source Port, Destination IP, Destination Port, Protocol, and Severity.
  • Added a Known Knowns dashboard. Includes: Known Services; Known Software searchable by Name and Type; and Known Certs searchable by Country, Common Name, Certificate Issuer Subject, Location, Organization, Organizational Unit, Port Number, State, and Certificate Subject.

PADS

  • Created an event type for PADS in addition to the PADS Mining dashboard.

SOstat

  • Updated SOstat SO to include Bro capture loss in addition to Snort packet loss. (Also improved the packet/capture loss displays to be more “deployment friendly” tracking by host or sensor.)

Enjoy!

Few screenshots for @remor:

1.1 GeoIP1.1 Known Knowns

1.1 PADS

Reflections on MIRcon

If you missed MIRcon 2011, you should tune in to Mandiant’s State of the Hack: What really happened at MIRcon webcast on October 28th. (Archived version should be available here.) There were some great talks from the likes of Richard Clarke, Michael Chertoff, and Tony Sager, and a lot of the greatest minds in incident response and cybersecurity either presented or were present. Kevin Mandia has assembled an insanely gifted and giving crew.

What did we learn? Organized crime, hacktivism and nation-states are the attackers and no target is invulnerable. Your only defense is to quickly identify and carefully disrupt attacks. Don’t be a soft target. The harder the attacker has to work, the more likely you’ll either stop them the next time or they’ll move on to a softer target. They understand and have seen firsthand the effects of cyber espionage: the skill, speed and agility of the attackers; the ineffectiveness of standard security infrastructure; the economic impact of personal, corporate and national data loss and compromise.

We cannot put a price on the ultimate impact of cybercrime. Sure, we all know someone who has had to deal with credit card fraud or has received one of those letters stating that your personal information “may” have been lost. That’s a huge hit on our economy. But it’s the tip of the iceberg. It’s what you see in the media and has the most potential to effect you personally. Now think corporate. Stealing PII is valuable. Attacking corporate bank accounts is profitable too. I believe it was Michael Chertoff who referred to “outsider trading” in his talk: stealing confidential corporate communications to leverage that information against the victim company in business negotiations. If you’re a bidder and you know the lowest bid in advance you can pretty much guarantee a win.

It doesn’t stop there. Richard Clarke told a great story about driving down a highway in Dubai where he saw an eighteen wheeler carrying a predator drone. He later asked Dubai officials when they had starting buying predators. “We haven’t.” they said.  “The US won’t sell them to us. That was a Flying Dragon.” Guess who they bought that from?

The ultimate impact seems immeasurable and there are no indications that it’s going to let up. In that sense, MIRcon was as depressing as I had expected. Actually, a little more so. Kevin Mandia’s opening remarks left my co-worker turning to me saying, “Wow. Depressing. Wow.” and me nodding affirmatively. Had it ended there I probably would be looking to buy some farmland and chickens far away from the Interwebs. Instead the next two days were filled with quality presentations, amazing technology and it’s uses, and real-world stories of victories and defeats. By the time Kevin gave his closing remarks I was still depressed, don’t get me wrong. It’s bleak. But some people get it. Some battles are being won. And at least some of the people fighting those battles are interested in helping you wage those battles yourself and providing tools and guidance to do so. There’s a rich, military background in the core of Mandiant. It’s quite apparent they’ve never abandoned service to their country.

/salute Mandiant

Mouse Traps?

Wired reported on a blog entry by Netragard detailing a wonderfully clever social engineering attack that should open some eyes. I’m not sure it will, but it should. For the unaware, social engineering is the art of manipulating a person into doing something you want, in this case inserting a USB device into their work computer.

Fearing the awareness levels around USB flash drives and malware were too high, they opted for a different USB device…a mouse. Carefully disassembling the mouse, they added a mini USB hub to which they attached a mini flash drive. When the user plugs in the mouse, they get the added bonus of a free flash drive with malware. After reassembly, they repackaged the mouse and sent it on it’s way. Are you surprised that within three days of sending it to their target the malware phoned home?

It’s a truly brilliant attack and they are to be commended for their creative thinking. I would think with most targets this attack or a variant thereof (free printers anyone?) would have a 100% success rate. I’d also like to thank them for sharing the story. While it sounds like to the stuff of spy movies, it’s real. And if good guys can think up these kinds of attacks you can bet the bad guys can to.

Which gets me thinking about risk. Does risk matter at all when the reality is you’re faced with attacks like this? Lesser attacks are just as effective, like targeted spear phishing. At one point does risk just become a way of measuring security through obscurity? Or is it there already? We already assume a lot of risk. Have we crossed a threshold?

It does confirm what I’m reading a lot of lately, especially from the likes of Richard Bejtlich of TaoSecurity and Mandiant CSO. The future of defense is a balance between prevention AND detection, trust AND distrust. The new model is not foreign to us. It’s the same castle and inner-keep concept. The difference is we’ve been lulled by security vendors into thinking we can prevent attacks while all along we watch virus detection rates fluctuate but never striking anywhere near 100%. In fact, AV-Comparatives.org’s most recent tests of “proactive on-demand detection” topped out at 61% back in May.

The key to defense is in knowing where your sensitive data lives and building your architecture around protecting that data. It’s your Fort Knox. Guard it, monitor it, trend it, know it. Inbound and outbound access should be locked down to required use only. This is your inner-keep. If it falls, game over.

That doesn’t mean your people milling around inside the castle’s walls get left for the vikings. But you can never know everyone and everything going on out there. Focus on what you need to protect, position it so it can be protected and closely monitored and defend the rest to the best of your abilities. But always, always watch the keep.

SMBs take heed as you’ll likely have greater agility in adapting this approach. If you have a server, a point of sale host and one or more daily operations hosts, do they all need to talk? Isolate the server and the point of sale host. Those machines that get used mostly for surfing the web for research, lookups or entertainment? Keep them away from your server and point of sale. And keep casual use away from sensitive systems.

If you don’t try to protect your company’s data, no one will.

WTF FB?

I happened to catch a @TheHackerNews tweet that linked to an article at theintelclub.com titled “Facebook Now Helping Governments Spy On And Arrest Peaceful Activists.” An interesting read and probably less conspiracy theory than truth. I thought it worthy to share on Facebook.

After pasting the URL (http://theintelhub.com/2011/07/09/facebook-now-helping-governments-spy-on-and-arrest-peaceful-activists/) and typing up a little comment, I was ready to unleash this gem of knowledge to my friends and family.

I hovered over the “Share” button for a moment, then clicked.

WTF FB?

Huh? WTF FB?

Zuckerberg, you’re scaring me.

Tough Love, End Users

Next time you get infected, take a few minutes and learn from the experience.

You get infected and luckily your antivirus detects it and tells you as much in a nifty little pop up window. (In a majority of cases, that’s about the only way you’ll know you got infected or came in contact with malware.) What do you do? Do you thank your antivirus software and carry on? Do you wonder whether it caught everything? Or if it will come back? Do you get curious about how or why? Do you care?

I’ll answer the last question. You better. Your computer holds keys to your financial data, whether you’ve ever logged on to an online banking or financial site from it. It contains information about you that can be used fraudulently and to gain more information about you. It can also reveal information about your friends, family and co-workers, thanks to the boom in social networking. Carelessness puts not only you, but everyone you interact with online at risk.

If your computer gets 0wned (fully controlled by an attacker) the attacker has more control over your computer than you do, because they know how to use it in ways you likely haven’t imagined. For example, at work, you might not have access to personally identifiable information (PII), but your actions can lead to a compromised host and an internal launching point for deeper attacks that will. The PII could be ex-filtrated without ever coming in contact with your computer. Scary, eh? Potentially very damaging to all involved too.

What can you do? Endpoint security software (firewalls, antivirus and IPS) can do a moderately effective job of protecting your host. In most cases, the fault of an infection isn’t that the security vendors “missed” it. They catch a lot and work hard at getting better and stopping more. Harder than you do I bet. Eh? Computers have software and hardware that can help detect and prevent malicious attacks. What do you use?

From the keyboard to the chair is your responsibility. Be responsible! Educate yourself. Learn to defend yourself and identify attacks on you. As long as you aren’t willing to put in some effort to learn about how you can be attacked, how you can identify those attacks, and how you can avoid them in the future, you are the biggest unpatchable vulnerability affecting your computer.

If you still don’t care, then thanks for stopping by and may your fortunes be secure. If you do care, then lets talk a little about attacks and defenses.

You’ve likely heard about phishing emails and spam containing malicious attachments or links. Some of these are very sophisticated and seem very trustworthy. Trust nothing when computing. Any email, attachment, or link you encounter via email or social networking should be considered untrustworthy until you’ve ascertained the source is valid and the source intended the information for you. Think about whether the person who posted that link on your Facebook profile is the type who would have validated the information. If there is even the slightest doubt about whether it’s secure, consider it insecure until you have verbally spoken with the sender and taken measures to identify if the link or file is malicious. (Virustotal allows you to submit potentially malicious files for scanning by more than 35 a/v vendors and gives you a good idea if the file is good or bad. They also have a URL scanner if you’re unsure about a link. Neither of these are 100% assurances however, so you start to see how this is about reducing risk, not eliminating it.)

Sometimes even the wisest are fooled if the scam is good enough or they are caught with their guard down. And sometimes the completely innocent are victimized. Drive by downloads take advantage of browsing-related vulnerabilities to exploit a computer without the user doing anything other than browsing to the wrong site at the wrong time. Malvertisements use social engineering to entice users to run a program, such as the Fake A/V attacks. And those of us who like Macs need to get over the false notion that Mac OS X is more secure. It’s binary code written by humans and potentially vulnerable to being exploited by humans. Mac’s are gaining popularity and with that will come attention and attacks.

A familiarity with what your programs are supposed to look like can help you identify anomalous behavior. Know what your antivirus alerts look like so when you see a fake one it’s obvious you’re being attacked. Patching is another solid defense. At the bare minimum always patch operating systems, browsers, and the Adobe products Flash, Shockwave, Reader and Acrobat as soon as patches become available…on all platforms.

I highly recommend Secunia PSI for Windows users. It’s free for home use and will monitor your computer for updates specific to your hardware and the software installed. It provides assistance with remediation as well, providing links to patches or details on how to close the gaps.

I bet you’d be hard pressed to find anyone who has used the Internet for more than a year who hasn’t run into something malicious, whether they are aware of it or not. People cling to guns for self-defense from an enemy they’ll likely never encounter. Yet they’ll pay no attention to a virus detection or the fact that their computer “might” be infected. I realize education and awareness aren’t as exciting as guns, but they’ll protect you from a whole lot more than a gun probably ever will.

Educate yourself.

IE Zero Day Coming Your Way

Symantec, and subsequently Microsoft, released information about a new zero day vulnerability in Internet Explorer being exploited in the wild. This first salvo was targeted and appears to have been contained with the malicious payload servers in Poland taken down, but exploit code is available. Which is more than can be said about the patch. Internet Explorer 6 and 7 are currently the most vulnerable.

Welcome to the Bulls-Eye: Fast Net Service and the Power of Bandwidth

Fastest Net Service in U.S. Coming to Chattanooga. The title says it all. I have to give mad props to EPB for finally getting this rolling, despite Comcast’s (may you rest in peace) attempts to derail it at every turn. Competition is a bitch and Comcast just got slapped in our fine city. The result will prove a pleasant example of why this is better for the city and a utility company than a desperate cable company.

The business allure the fastest bandwidth in the U.S. will draw is obvious, but I feel like I need to warn the recipients of such powerful speeds. As far behind as the rest of the nation is in terms of competing with the speeds, you will highly likely become targets of cyber attack.

The power of bandwidth in cyberspace is immeasurable. Denial of service attacks with fractions of the number of participating bots needed today could unleash enormous damage. Spambots will also do well with high capacity. The bot rental business might even give us our own nickname!

I wonder how long it would take for the Chinese to steal 10 terabytes of data from a US gov’t or corporation with gigabit speeds?

So call me the lunatic on the corner wearing the sandwich board spouting nonsense or call me paranoid. Heed the warning and take caution in your Internet activities and care of your computing environment. It won’t hurt you if I’m wrong.

But if I’m right, it could save you the shame and embarrassment of a visit from the FBI.

You, Your Company, and Some Asshats in Eastern Europe

We in security see slivers of this just about everyday. The Washington Post has an article titled Eastern European Cyber Criminals Target US Businesses. It’s the same old (spear) phishing scheme…with a little trojan or browser based exploit thrown in. As easy as it was to infect and defraud residential users, it’s apparently just as easy and more profitable if they target the place where you work. It’s really a twofer as the untold story here could lie in the status of the Comptroller or Treasurer’s personal finances when all was said and done.

Fraud via computer technology is a big money game. If you have money and use a computer consider yourself a target. Yes, it is that simple. From online shopping and online banking to social networking, everything you do online sprinkles little pieces of you and your money all over the web. Sure they use trojans/rootkits to gather the intelligence, but they have to get them on the machines in the first place and to do that you need to go phishing.

So please, think before you do anything online. They are after your money as much as your employer’s. Don’t open attachments you aren’t expecting….period. Confirm with the person purportedly sending it by phone or in person before opening it. Likewise, don’t click on links in e-mail. If you don’t know how to tell the real destination of a link in an e-mail, then don’t risk the click. Before logging into to pay bills ask yourself if your computer has had any issues lately? Blue screens? Errors or popups? If you’re not 100% certain your computer is clean, get help. The following won’t stop everything, but they’ll definitely help and they’re free.

AVG Free Edition

Avira Antivir Free

F-Secure Online Scanner

Windows Live OneCare Safety Scanner (They rate a lot better than anyone is giving them credit for in detections of current threats.)

TrendMicro HouseCall

Be smart, because I promise you there are people much smarter than you who want your money…and you and your actions are the only thing standing in their way.

Virus Detected?

If you’re running antivirus software and you see the dreaded virus detection notice, take heed and be paranoid. Many drive-by infections will throw a host of exploits at a possible victim in their attempts to optimize the ratio of “visitors” and successful infections. With malware variants, polymorphism and obfuscation, antivirus is only going to go so far in it’s ability to detect and prevent and typically that’s not far enough.

So next time your antivirus software tells you a virus was detected, consider it a warning, not a notification. There’s a good chance something malicious has landed on your machine and your antivirus is clueless to the fact. If antivirus detects one infection and misses another it’s a tie.

And in the attacker/victim game of life, tie goes to the attacker.