Tuesday, 5 July 2011

Snort on Ubuntu 11.04

Previously I had been running insta-snorby, but after the 100th failure of Ruby, Ruby on Rails, Snorby's job or something else, I decided to build a new system, this time with all the parts easily supported and UP-TO-DATE!

The final result was Ubuntu Server 11.04, with the latest versions of Snort, Barnyard2, PulledPork and SnortReport.

I tried very, very, very hard to also add Snorby to the mix, and I managed to get its cache jobs to run for a few hours, but then they would die with no useful error messages. It doesn't help that some of the official documentation points you to an old repository, and it also doesn't help that the gems it relies on are highly unstable.

I also looked at Sguil and its framework; it's nice, but I dislike the need to install a client, and it would massively change the efficiency of this Snort deployment.

It should also be added that both Snorby and Sguil fail at one thing: documentation. You need accurate documentation, and documentation that isn't 5 years old. SnortReport is old, but its documentation was perfect, not that I needed it.

Anyway, here is how I did it.

1) Follow the Installing Snort on Ubuntu 10.04 guide at http://www.snort.org/docs.

I didn't install Snort to /usr/local/snort; I instead put everything in the default paths, which is just a lot less work.

2) Install PulledPork according to the documentation.

3) To start snort and barnyard2:

sudo ifconfig eth1 up

sudo snort -D -u snort -g snort -c /etc/snort/snort.conf -i eth1 --pid-path /var/run/snort

sudo barnyard2 -c /etc/snort/barnyard2.conf -G /etc/snort/gen-msg.map -S /etc/snort/sid-msg.map -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.wald -D --pid-path /var/run/barnyard2

4) To update rules:

sudo perl /usr/local/pulledpork/pulledpork.pl -c /etc/snort/pulledpork.conf

There really isn't anything else you need to do.

I have included various config files in the brain samples section:

Snort

Barnyard2

PulledPork

Disablesid.conf

Tuesday, 14 June 2011

Windows Server 2008 R2 + LVS with Direct Routing and Windows Firewall

For those of you who need an IP load balancer and do not want to pay for an F5, check out the LVS project.

We recently set up a number of LVS-balanced pages, and quickly ran into difficulty in selecting the routing method. We struggled to find documentation, and were told to use the NAT technique, something we were not happy with. The lack of documentation was not helped by the fact that we wanted to load balance Windows 2008 R2 servers running IIS 7.5.

We managed to work out how to set up both the Linux side of the fence (the machines running LVS) and then what to do on the Windows Servers being balanced. We also managed to leave the Windows Firewall on!

Once you have your LVS setup running, perform the following steps to

1. Perform the standard configuration using whatever method you like (Piranha, the web interface, is brilliant for this) and ensure you select "Direct Route"

2. Restart the Pulse service

3. Add the loopback adapter to each Windows machine as specified at DR and LV Tun Clusters

4. You do not need to disable the Windows Firewall

5. Set up weak host send and receive as specified at the loadbalancer blog.
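Steps 3 to 5 scripted for one Windows Server 2008 R2 real server, as an added example that is not part of the original post or the loadbalancer blog it points to. The interface names, the VIP 192.0.2.10 and port 80 are placeholders; the script uses netsh because the weak host model is only exposed there on 2008 R2.

```powershell
# Real-server side of the LVS Direct Routing setup (illustration, not the post's code).
# Adjust the placeholders below to match the director's VIP and this host's adapters.
$Vip      = "192.0.2.10"             # placeholder: VIP advertised by the LVS director
$Loopback = "Loopback"               # placeholder: name of the Microsoft Loopback Adapter
$Nic      = "Local Area Connection"  # placeholder: physical NIC that receives DR traffic
$Port     = 80                       # placeholder: IIS port being balanced

function Invoke-Netsh([string[]]$NetshArgs)
{
    $out = & netsh.exe @NetshArgs 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0) { throw "netsh $($NetshArgs -join ' ') failed: $out" }
    return $out
}

# Step 3: put the VIP on the loopback adapter with a host mask, so Windows answers for it
# but never ARPs for it on the LAN (the director owns the VIP's ARP entry).
Invoke-Netsh @("interface","ipv4","add","address","name=$Loopback","address=$Vip","mask=255.255.255.255")

# Step 5: weak host model. Packets for the VIP arrive on the NIC, so the NIC must accept
# an address it does not own; replies leave from the loopback-assigned VIP.
Invoke-Netsh @("interface","ipv4","set","interface","name=$Nic","weakhostreceive=enabled")
Invoke-Netsh @("interface","ipv4","set","interface","name=$Loopback","weakhostreceive=enabled")
Invoke-Netsh @("interface","ipv4","set","interface","name=$Loopback","weakhostsend=enabled")

# Step 4: the Windows Firewall stays on; only the balanced port is opened inbound.
Invoke-Netsh @("advfirewall","firewall","add","rule","name=LVS-DR-$Port","dir=in","action=allow","protocol=TCP","localport=$Port")

# Verify the settings actually applied before putting the host into the pool.
function Test-WeakHost([string]$Interface, [string]$Field)
{
    $show = Invoke-Netsh @("interface","ipv4","show","interface","name=$Interface")
    return [bool]($show -match "$Field\s*:\s*enabled")
}

$ok = (Test-WeakHost $Nic "Weak Host Receives") -and
      (Test-WeakHost $Loopback "Weak Host Receives") -and
      (Test-WeakHost $Loopback "Weak Host Sends")
if (-not $ok) { throw "weak host settings did not apply; VIP traffic would be dropped" }
"VIP $Vip configured for Direct Routing on $env:COMPUTERNAME with the firewall left enabled"
```

Run it elevated on each real server; if the VIP already exists on the loopback adapter the add step throws and the script stops before touching the firewall.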

Saturday, 11 June 2011

PowerShell Script Template

Just a quick post to cover the layout/format of all PowerShell scripts I write.

This default template ensures a sufficient level of quality in all scripts. There are several things you will notice:

  • All scripts start with param definitions, which include items for the functionality of that script (both mandatory and optional) as well as variables that support features other than the script's basic function
  • Email alerting on success or failure, with the option to turn on both, either, or no email alerts
  • I use exit calls; I know this is probably considered bad, but as you can see, it makes it easier to troubleshoot


And here it is (you can download it here):


# ==============================================================================================
#
# Microsoft PowerShell Source File -- Created with SAPIEN Technologies PrimalScript 2009
#
# NAME: <name of script which will be helpful>
#
# AUTHOR: <author>
# DATE  : <date>
#
# COMMENT: <step through what this script does>
#
# ==============================================================================================

#<place comments used to assist in the calling of the script>

param(
    #<application specific params>

    #<email and alerting params>
    [Parameter(Position=3, Mandatory=$false, HelpMessage="Specify email alert recipient address")]$recipient="user@user.com",
    [Parameter(Position=4, Mandatory=$false, HelpMessage="Specify email alert from address")]$from="user@user.com",
    [Parameter(Position=5, Mandatory=$false, HelpMessage="Specify smtp server name/ip")]$smtpserver="smtp.server.com",
    [Parameter(Position=6, Mandatory=$false, HelpMessage="Alert on successful copy")]$emailonsuccess=$true,
    [Parameter(Position=7, Mandatory=$false, HelpMessage="Alert on failure of copy")]$emailonfailure=$true,
    [Parameter(Position=8, Mandatory=$false, HelpMessage="Alert email subject")]$emailsubject="<change to be helpful subject>"
)

#
# variable declarations
#

function send-email ($body, $success)
{
    # in case we are troubleshooting, output the body here
    $body

    $error.clear()
    if ($success)
    {
        # only mail on success if asked to
        if ($emailonsuccess)
        {
            $subject = $emailsubject + " - Success"
            Send-MailMessage -To $recipient -From $from -SmtpServer $smtpserver -Subject $subject -Body $body -BodyAsHtml
        }
    }
    else
    {
        # only mail on failure if asked to
        if ($emailonfailure)
        {
            $subject = $emailsubject + " - Failure"
            Send-MailMessage -To $recipient -From $from -SmtpServer $smtpserver -Subject $subject -Body $body -BodyAsHtml
        }
    }

    # a Send-MailMessage failure is a non-terminating error, so check $error rather than expecting an exception
    if ($error)
    {
        "Unable to send an email"
        exit 666
    }
}

#
# If we expect a crash/error, here is an example (this uses $error, but it could be try/catch,
# or $LASTEXITCODE for external calls)
#
$error.clear()
# do something bad (placeholder for the real work of the script; PowerShell functions are
# called without parentheses, so the call is written as a bare command name)
somethingbad
if ($error)
{
    send-email "<sad>" $false
    exit 7
}

# email that we got here successfully
send-email "<HAPPY>" $true
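A worked body for the "do something bad" slot of the template, added here as an illustration and not the blog author's code. It shows the two other checks the template's comment mentions, $LASTEXITCODE for an external call and try/catch for a cmdlet, around the copy job the parameter help text refers to; $Source and $Destination are placeholders, and send-email is the template's function.

```powershell
# Falls back to a printing stand-in so the example also runs outside the template.
if (-not (Get-Command send-email -ErrorAction SilentlyContinue))
{
    function send-email ($body, $success) { "success=$success"; $body }
}

function Invoke-CopyJob ([string]$Source = "C:\data\outbound", [string]$Destination = "\\fileserver\backup")
{
    $log = @()

    # External call: robocopy's exit code is a bit field. 0-7 are informational and
    # 8 or above means at least one copy failed, so $error says nothing useful here.
    & robocopy.exe $Source $Destination /E /R:1 /W:1 /NP /NJH /NJS | Out-Null
    $rc = $LASTEXITCODE
    if ($rc -ge 8)
    {
        $log += "robocopy failed with exit code $rc"
        return New-Object PSObject -Property @{ Success = $false; Body = ($log -join "<br/>") }
    }
    $log += "robocopy finished with exit code $rc"

    # Cmdlet call: -ErrorAction Stop turns the non-terminating error into one try/catch sees.
    try
    {
        $files = Get-ChildItem -Path $Destination -Recurse -ErrorAction Stop | Where-Object { -not $_.PSIsContainer }
        $log += "$(@($files).Count) files now present under $Destination"
    }
    catch
    {
        $log += "post-copy check failed: $($_.Exception.Message)"
        return New-Object PSObject -Property @{ Success = $false; Body = ($log -join "<br/>") }
    }

    return New-Object PSObject -Property @{ Success = $true; Body = ($log -join "<br/>") }
}

# Same mail-then-exit convention as the template, so failures show up in both the alert and the exit code.
$result = Invoke-CopyJob
if (-not $result.Success)
{
    send-email $result.Body $false
    exit 7
}
send-email $result.Body $true
```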

Friday, 10 June 2011

Wireless Cracking Notes

So, the first "full" post for this blog will be just some simple notes about wireless cracking.


Firstly:

  • Use BackTrack 5; however, BackTrack 4 has better support for some older cards
  • The Gerix Wifi Cracking suite makes life pretty easy
  • If you are going to be capturing for an extended period (for example, if you are trying to get IVs from a WEP access point and it just isn't being kind and handing them over to you), make sure you use either a persistent USB install with a large amount of disk or an installed version of BackTrack
  • I am currently using the following card: USB Realtek
  • The following directional Yagi is also brutal: 25GB Yaggi
  • Don't use your antennas as drum sticks!


Stay tuned for some details on a neat network tap that is a royal pain to find!
