Anthony Tellez: National security, cyber-security, and securing the future.

Adding Custom Tiles: Splunk & MapBox

Anthony Tellez 2017-05-03

Enhance the out-of-the-box cluster map visualizations in Splunk by integrating with the MapBox API. Custom tiles have been supported in Splunk cluster map visualizations for some time, but the options were limited because it was unclear which external tile APIs worked with Splunk. This post shows how to point a visualization at the MapBox API, using either the styles MapBox ships or a custom map of your own.

Before you start!

  • Requirements:
    • MapBox Account & API Key
    • Internet access for your Splunk instance
    • Geographical data in the Splunk platform
  • Optional:
    • Missile Map Visualization (https://splunkbase.splunk.com/app/3511/)

Get started: Add latitude and longitude coordinates to data

  • To use any geographic visualization in the Splunk platform, you need data with latitude and longitude coordinates tagged to each event. External network traffic data is a great data source that you can tag with geographical coordinates.

This example search takes flow events from an Intrusion Prevention System (IPS) running Suricata on the public internet and uses the iplocation search command to create latitude and longitude fields for each event from the src and dest fields. It also prefixes the fields created by iplocation so that the start and end of each flow stay distinguishable. See the Search Reference manual for more information on the iplocation command. (http://docs.splunk.com/Documentation/Splunk/6.6.0/SearchReference/Iplocation)

index=suricata event_type=flow
| iplocation src prefix=start_
| iplocation dest prefix=end_

This prefix isn’t required for all cluster maps, but the Missile Map visualization expects data in this format. The exact data format expected by each visualization depends on which one you want to use. When you select a visualization, a search fragment that shows you how to format the data appears.

For example, the Missile Map expects data in the following format: [Image: Missile Map data format]

In order to format the data correctly for the Missile Map, you need to complete a few more steps.

  • Make a table out of the data
  • Optional:
    • Enable animation
    • Enable pulse
    • Enable different colors by application detected

Create a table of the data with the application protocol Suricata detected. To keep the total number of connections low, use a short time range (a short-duration real-time window works well on a dashboard). This example covers the last 5 minutes and removes connections that are missing geographical information.

index=suricata event_type=flow
| iplocation src prefix=start_
| iplocation dest prefix=end_
| search start_Country="*" end_Country="*"
| table start_lat start_lon end_lat end_lon app

This search enables the Animation and Pulse options using eval:

index=suricata event_type=flow
| iplocation src prefix=start_
| iplocation dest prefix=end_
| search start_Country="*" end_Country="*"
| table start_lat start_lon end_lat end_lon app
| eval animate="yes", pulse_at_start="yes"

Using eval, create a case statement to use different colors for each type of application protocol detected. These colors come courtesy of flatuicolors.com.

index=suricata event_type=flow
| iplocation src prefix=start_
| iplocation dest prefix=end_
| search start_Country="*" end_Country="*"
| table start_lat start_lon end_lat end_lon app
| eval animate="yes", pulse_at_start="yes"
| eval color=case(
    match(app, "ssh"), "#c0392b",
    match(app, "dns"), "#e67e22",
    match(app, "tls"), "#f1c40f",
    match(app, "http"), "#27ae60",
    match(app, "dcerpc"), "#2980b9",
    1==1, "#7f8c8d")

[Image: table for the Missile Map]

At this point you have the table the Missile Map expects. To add the custom tileset, select the Visualization tab, select Missile Map, and select Format > Configure Missile Map.

To update the tileset, you need two different pieces of information:

  • API Token
  • MapBox Style URL

API Token

The following help page shows you how to create a new access token for the MapBox API. (https://www.mapbox.com/help/create-api-access-token/) Create a public token (they start with pk.) with only the read scopes needed for tiles and styles. The token ends up inside a URL that Splunk Web sends to every browser that renders the dashboard, so anyone who can view the dashboard can read it; never put a secret (sk.) token here.

MapBox Style URL

There are two options for the style URL. The first is a custom map that you or someone else has created and shared. MapBox also provides free styles to all MapBox users with a valid API token (https://www.mapbox.com/api-documentation/#styles). This example uses one of the free MapBox styles. The help documentation for locating the URL of a custom map is on the following page. (https://www.mapbox.com/help/define-style-url/)

mapbox://styles/mapbox/streets-v9
mapbox://styles/mapbox/outdoors-v9
mapbox://styles/mapbox/light-v9
mapbox://styles/mapbox/dark-v9
mapbox://styles/mapbox/satellite-v9
mapbox://styles/mapbox/satellite-streets-v9

The following snippet from (https://www.mapbox.com/api-documentation/#retrieve-tiles) explains the syntax required to retrieve tiles for use with Splunk Enterprise.

/v4/{map_id}/{z}/{x}/{y}{@2x}.{format}

$ curl "https://api.mapbox.com/v4/mapbox.streets/1/0/0@2x.png?access_token=your-access-token"

The important part is the URL template, which carries the three placeholders {z}, {x} and {y} (zoom level, tile column and tile row) that Splunk substitutes when it requests each tile. Note that this v4 endpoint takes a tileset ID such as mapbox.streets, not the mapbox:// style URLs listed above, and that @2x is an optional suffix for high-resolution tiles. The final syntax will look like:

https://api.mapbox.com/v4/mapbox.streets/{z}/{x}/{y}@2x.png?access_token=your-access-token
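To make the {z}/{x}/{y} template concrete, here is a small Python helper. It is an added example, not code from the original post or from MapBox: it converts a lat/lon pair such as the ones in the Missile Map table into the tile coordinates Splunk will request at a given zoom (the standard Web Mercator tile scheme the v4 endpoint uses), checks that a template carries every placeholder, and refuses to build a tile URL around anything but a public pk. token, since that URL is visible to every dashboard viewer.

```python
import math
import re

# Added example (not from the original post): the {z}/{x}/{y} placeholders in
# the tile URL are Web Mercator ("slippy map") tile coordinates.
# lonlat_to_tile() reproduces that addressing so you can sanity-check which
# tile a coordinate from the Missile Map table falls in at a given zoom.
def lonlat_to_tile(lon, lat, zoom):
    """Return (x, y) of the Web Mercator tile containing (lon, lat) at zoom."""
    n = 2 ** zoom
    lat_rad = math.radians(lat)
    x = int((lon + 180.0) / 360.0 * n)
    y = int((1.0 - math.log(math.tan(lat_rad) + 1.0 / math.cos(lat_rad)) / math.pi) / 2.0 * n)
    # Clamp so the poles and the antimeridian cannot produce an out-of-range tile.
    return max(0, min(n - 1, x)), max(0, min(n - 1, y))

PLACEHOLDERS = ("{z}", "{x}", "{y}")

def missing_placeholders(template):
    """Placeholders Splunk needs to substitute that the template does not contain."""
    return [p for p in PLACEHOLDERS if p not in template]

def validate_tile_template(template):
    """Raise ValueError unless the template has every placeholder."""
    missing = missing_placeholders(template)
    if missing:
        raise ValueError("tile URL template is missing %s" % ", ".join(missing))
    return True

def token_is_public(token):
    """MapBox public tokens start with 'pk.'; secret tokens start with 'sk.' and
    must never go into a tile URL, because Splunk Web hands that URL to every browser."""
    return token.startswith("pk.")

def build_tile_url(template, zoom, x, y):
    """Fill the template for one tile, refusing to embed a non-public token."""
    validate_tile_template(template)
    m = re.search(r"access_token=([^&]+)", template)
    if m and not token_is_public(m.group(1)):
        raise ValueError("refusing to build a client-visible tile URL with a non-public token")
    return template.replace("{z}", str(zoom)).replace("{x}", str(x)).replace("{y}", str(y))
```

For example, the curl request in the MapBox snippet asks for tile 1/0/0, which lonlat_to_tile(-90.0, 45.0, 1) returns: the north-west quadrant of the world at zoom 1.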

[Image: configured Missile Map]

Conclusion

Hopefully this exercise has shown how to improve your geographical visualizations with MapBox. Customers can use their own custom styles to personalize tilesets and add context to their data.


Analyzing Shadowbrokers Implants

Anthony Tellez 2017-02-25

Who are the Shadowbrokers?

  • In $DATE the Shadowbrokers attempted to auction off zero-day tools allegedly developed by the NSA. These tools used undisclosed vulnerabilities to target adversarial nation states and surveil targets with the stated goal of improving national security. The tools were leaked and subsequently came into the possession of the Shadowbrokers. The encrypted set of tools was hosted on GitHub and other sites before it was removed. On $DATE the Shadowbrokers released the decryption key (medium.com/shadowbrokers) in response to President Trump's military intervention in Syria and "broken promises". True motives aside, the released key exposed numerous zero-day exploits still unresolved by multiple vendors.

What is the impact?

  • Many of the affected systems will take time to patch while vendors and security researchers work out how to address each vulnerability. Because of this disclosure, anyone able to download the tools can fold these exploits into their own kits. As information is shared across the security community, indicators of compromise tied to this disclosure will emerge and help scope how best to detect and mitigate these attacks.

Analysis of implants

  • Security researchers have "identified" hosts supposedly exploited by reviewing the code dump from the Shadowbrokers. This first post looks at the composition of the targeted systems to begin identifying patterns. Subsequent posts will analyze indicators of compromise as researchers dig through the code and disclose signatures to the community.

Download the list of identified hosts into the lookups directory of the app you use for analysis:

$ wget "https://gist.githubusercontent.com/anthonygtellez/737fed2cebdec5a803ced2d713a7f7d5/raw/a082d2b8bf105e1bfd90639b92221872c4e5e322/dump.csv"

Add a stanza to the same app's local/transforms.conf to give the lookup a friendlier name:

[shadowbrokers]
filename = dump.csv

| inputlookup shadowbrokers

| inputlookup shadowbrokers
| stats count by OS
| sort -count

| inputlookup shadowbrokers
| stats count by Implant
| sort -count

Geographical

| inputlookup shadowbrokers
| rename "IP Address" as ip_address
| iplocation ip_address
| stats count by Country
| sort -count

To plot the implants over time, build _time from the Year, Month and Day columns. Parse the date with strptime rather than approximating it with a fixed number of seconds per year and month, which drifts by days:

| inputlookup shadowbrokers
| eval _time=strptime(Year."-".Month."-".Day, "%Y-%m-%d")

How to detect?

Analyzing Malware with Splunk & Stream

Anthony Tellez 2017-02-25

What is Stream?

Understanding and Reacting to Cloudbleed.

Determining if you're impacted.

Anthony Tellez 2017-02-25

What is CloudBleed?

Cloudbleed is a serious flaw in the Cloudflare content delivery network discovered by Google Project Zero security researcher Tavis Ormandy. Some consider it worse than Heartbleed, because Cloudflare accelerates nearly 5.5 million websites globally. The vulnerability may have exposed sensitive information such as passwords, tokens and cookies used to authenticate users to web crawlers or to malicious actors. In some cases the exposed data included private messages relayed between users of a popular dating site.

Understanding the severity of Cloudbleed

Content delivery networks act primarily as a proxy between the user and the web server, caching content at the edge to reduce the number of requests to the origin. In this case, a parser bug let Cloudflare edge servers read past the end of a buffer and return memory belonging to other customers' requests inside HTTP responses, exposing authentication tokens and similar data; some of those responses were then cached by search engines. Technical details of the disclosure can still be viewed: [https://bugs.chromium.org/p/project-zero/issues/detail?id=1139]

Determining impact to your business

The most obvious impact is any exposed user data, which may include credentials users are reusing for corporate authentication. An easy way to enumerate the scope of the problem is to run the list of domains that use Cloudflare DNS against your proxy or DNS logs. This gives you some insight into how often users visit the affected websites and the risk that they use the same credentials for multiple accounts.

To do this analysis, we need to download list of Cloudflare domains and modify the file slightly so we can use it as a lookup.

$ git clone https://github.com/pirate/sites-using-cloudflare.git

Convert the txt list to a CSV lookup (one sed pass quotes each domain and appends the CloudflareDNS column):

$ sed -e 's/^/"/' -e 's/$/","true"/' sorted_unique_cf.txt > sorted_unique_cf_final.csv

Using a text editor, make the first line of the file the header row. If the list begins with an empty line, sed turns it into "","true"; change that line. Otherwise insert the header as a new first line.

Change: "","true" to "domain","CloudflareDNS"

Finally copy the formatted file to the lookups directory of an app such as search or a custom app you use for security analysis.

Once that step is complete, validate that the lookup works:

| inputlookup sorted_unique_cf_final.csv

This may take some time, as there are nearly 4.3 million domains currently in the lookup. [Image: inputlookup results]

You might notice that the entries are registered domains rather than fully qualified hostnames, which is a problem for matching them against proxy or IPS logs that carry the full query name. To deal with this, use URL Toolbox [https://splunkbase.splunk.com/app/2734/], which parses a DNS query or HTTP URL down to its registered domain (ut_domain).

index=suricata event_type=dns
| lookup ut_parse_extended_lookup url AS query

In the example below, we parse DNS queries and compare them against the Cloudflare lookup. When a domain matches, the event gets a new field called CloudflareDNS with a value of "true".

index=suricata event_type=dns 
| lookup ut_parse_extended_lookup url AS query 
| lookup sorted_unique_cf_final.csv domain AS ut_domain OUTPUT CloudflareDNS

While the above search is helpful, we need to go a step further and use the new field we have created to filter to only the DNS requests for Cloudflare domains.

index=suricata event_type=dns 
| lookup ut_parse_extended_lookup url AS query 
| lookup sorted_unique_cf_final.csv domain AS ut_domain OUTPUT CloudflareDNS
| search CloudflareDNS=true
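The same pipeline, as an added Python example that is not part of the original post: it writes the lookup CSV with the header row generated by code, then matches DNS query names against it. Since it runs offline without URL Toolbox or a public suffix list, the ut_domain step is approximated by trying each parent suffix of the query name against the lookup; the domain list and query names below are constructed, and the real sorted_unique_cf.txt would take their place.

```python
import csv
import io

# Added example (not from the original post). This constructed list stands in
# for sorted_unique_cf.txt: one registered domain per line, not fully qualified.
CONSTRUCTED_DOMAIN_LIST = """\
example.com
example.co.uk
static-cdn.example
"""

def to_lookup_csv(domain_list_text):
    """Convert the one-domain-per-line list into the lookup CSV described in the
    post, with the header row (domain,CloudflareDNS) written by code rather than
    edited in by hand. Blank lines are skipped so no "" domain row appears."""
    out = io.StringIO()
    writer = csv.writer(out, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(["domain", "CloudflareDNS"])
    for line in domain_list_text.splitlines():
        line = line.strip().lower()
        if line:
            writer.writerow([line, "true"])
    return out.getvalue()

def load_lookup(csv_text):
    """Read the lookup back into a set of domains flagged CloudflareDNS=true."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["domain"] for row in reader if row["CloudflareDNS"] == "true"}

def registered_domain_candidates(query):
    """Yield the query name and each parent suffix, longest first, never a bare TLD.
    This is a naive stand-in for URL Toolbox's ut_domain: without a public
    suffix list we cannot know where the registered domain starts, so every
    suffix is tried and the lookup decides."""
    labels = query.strip(".").lower().split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])

def match_cloudflare(query, cloudflare_domains):
    """Return the lookup domain a DNS query name matches, or None."""
    for candidate in registered_domain_candidates(query):
        if candidate in cloudflare_domains:
            return candidate
    return None

def filter_cloudflare_queries(queries, cloudflare_domains):
    """The equivalent of `| search CloudflareDNS=true`: keep only matching queries,
    paired with the lookup domain that matched."""
    hits = []
    for q in queries:
        matched = match_cloudflare(q, cloudflare_domains)
        if matched:
            hits.append((q, matched))
    return hits
```

The suffix walk is deliberately permissive: api.shop.example.co.uk matches the example.co.uk entry, which is what you want for a registered-domain list, but a list entry that is itself a public suffix would match everything under it, so check for those before trusting a large hit count.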

Enhancing Enterprise Security for Ransomware

Analyzing the logs

Anthony Tellez 2016-12-28

Ransomware isn’t going away

Ransomware is a profitable business model for cyber criminals: in 2016 payments closed in on the billion-dollar mark. According to findings by IBM [https://ibm.biz/RansomwareReport], nearly 70% of executives hit by ransomware paid to get their data back, and that survey did not even include smaller organizations and consumers. Aside from prevention, detection is key to removing compromised devices from the network quickly, before file shares and other machines are infected. In this post we walk through adding the free ransomware intelligence feed from abuse.ch to Splunk Enterprise Security.

Requirements

- Internet access for the Splunk Enterprise Security instance
- Splunk Enterprise Security
- Knowledge of updating Splunk configurations

Configuration

There are two paths forward, depending on the level of access you have to the Enterprise Security search head. The command line is the simplest option, since you can copy and paste the configuration from this page; the GUI requires you to type the values into the text boxes by hand.

The configuration file walkthrough requires you to create a new inputs.conf file, or add to an existing one, in the local directory of the SA-ThreatIntelligence app. Note that abuse.ch retired Ransomware Tracker in December 2019, so the URL below no longer serves a list; the stanza format applies unchanged to any current feed that publishes one IP per line.

$ vi /opt/splunk/etc/apps/SA-ThreatIntelligence/local/inputs.conf

inputs.conf

[threatlist://ransomware_ip_blocklist]
delim_regex = :
description = abuse.ch Ransomware Blocklist
disabled = false
fields = ip:$1,description:Ransomware_ip_blocklist
type = threatlist
url = https://ransomwaretracker.abuse.ch/downloads/RW_IPBL.txt

Once completed, restart the splunkd service:

$ /opt/splunk/bin/splunk restart

GUI Walkthrough:

Locate the Enterprise Security Configuration Page:

From the Enterprise Security Configuration page, select Threat Intelligence Downloads.

Click new, and fill in the various text fields on the resulting page:

Name: ransomware_ip_blocklist
Type: threatlist
Description: abuse.ch Ransomware Blocklist
URL: https://ransomwaretracker.abuse.ch/downloads/RW_IPBL.txt
Delimiting regular expression: :
Fields: ip:$1,description:Ransomware_ip_blocklist
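To see what the stanza above actually does with the downloaded file, here is an added Python example (not code from the original post or from Enterprise Security) that applies the same delim_regex and fields mapping to a constructed copy of the feed and then correlates the result against a few constructed firewall events. The feed layout, '#' comment lines followed by one IP per line, is an assumption about the retired abuse.ch file; the output field names follow the threat_match_field and threat_match_value fields ES writes when it records a threat match.

```python
import ipaddress
import re

# Added example (not from the original post). Constructed sample in the assumed
# layout of the abuse.ch feed: '#' comment lines and one IPv4 address per line.
CONSTRUCTED_FEED = """\
################################################################
# abuse.ch Ransomware IP Blocklist (constructed sample)
# Last updated: 2016-12-28 00:00:00 UTC
################################################################
198.51.100.23
203.0.113.77
not-an-ip
192.0.2.9
"""

DELIM_REGEX = re.compile(":")   # the stanza's delim_regex

def parse_threatlist(text, delim=DELIM_REGEX, description="Ransomware_ip_blocklist"):
    """Reproduce what the ES threatlist input does with
    delim_regex=: and fields=ip:$1,description:<literal>: skip comments, split
    each line on the delimiter, take field $1 as ip and attach the literal
    description. Lines that are not a valid IP address are dropped, so a
    malformed or tampered feed cannot put garbage into the threat collection."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        first = delim.split(line, maxsplit=1)[0].strip()
        try:
            ip = ipaddress.ip_address(first)
        except ValueError:
            continue
        records.append({"ip": str(ip), "description": description})
    return records

# Constructed firewall-style events to correlate against the list.
CONSTRUCTED_EVENTS = [
    {"src_ip": "10.0.0.5", "dest_ip": "203.0.113.77", "action": "allowed"},
    {"src_ip": "10.0.0.7", "dest_ip": "192.0.2.50", "action": "allowed"},
    {"src_ip": "198.51.100.23", "dest_ip": "10.0.0.9", "action": "blocked"},
]

def threat_matches(events, records):
    """Return the events whose src_ip or dest_ip is on the list, tagged with the
    matching field, value and description (the fields ES threat matching emits)."""
    index = {r["ip"]: r for r in records}
    hits = []
    for ev in events:
        for field in ("src_ip", "dest_ip"):
            if ev.get(field) in index:
                hits.append(dict(ev, threat_match_field=field,
                                 threat_match_value=ev[field],
                                 threat_description=index[ev[field]]["description"]))
    return hits
```

The validation step is the part worth keeping in mind when you add any third-party feed: the threatlist input trusts whatever the delimiter yields, so a feed that changes format will silently stop matching, or match on the wrong column.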

SSL Reverse Proxy Splunk & NGINX

Reverse Proxy made easy

Anthony Tellez 2016-12-23

Who is this guide for?

Installing Splunk as a non-root user or service account is a best practice many customers follow as part of a defense-in-depth strategy. That choice prevents the Splunk user from binding privileged ports (anything below 1024). Some of the solutions found on Splunk Answers rely on iptables rules or other reverse-proxy trickery. In my experience the iptables method is not reliable, and many newer Linux distributions are replacing iptables with firewalld as the default host firewall. In this guide I show you how to use Nginx and Let's Encrypt to secure your Splunk search head while serving TLS traffic on port 443.

Prerequisites

  • OS which supports the latest version of Nginx
  • Linux OS which supports Let's Encrypt (if you choose to use that as your CA)
  • Root access to the search head

Configuration

The easiest way to get both products installed is to use yum or apt depending on your flavor of Linux.

Install Let’s Encrypt, Configure Splunk Web SSL

In a previous blog post, I provided a guide to generate the certs and configure Splunk to make use of the certs. You should follow that process to generate your certs or your own organizational process for generating certificates before proceeding with the next steps.

Install Nginx

sudo apt install nginx

Configure Nginx to use SSL

Create a configuration for your site, it is best to use the hostname/domainname of the Splunk server. This file should be created in /etc/nginx/sites-enabled

touch /etc/nginx/sites-enabled/splunk-es.anthonytellez.com

To configure Nginx, you only need three pieces of information:

  • location of the certificate
  • location of the private key used for the certificate
  • the local port Splunk Web listens on, which 443 is proxied to (8000 by default)

Example configuration of splunk-es.anthonytellez.com:

server {
    listen 443 ssl;
    server_name splunk-es.anthonytellez.com;
    # Certificate and key generated in the previous post; the nginx master
    # process runs as root, so it can read them from the Splunk auth directory.
    ssl_certificate /opt/splunk/etc/auth/anthonytellez/fullchain.pem;
    ssl_certificate_key /opt/splunk/etc/auth/anthonytellez/privkey.pem;
    ssl_protocols TLSv1.2;
    location / {
        # Splunk Web with SSL enabled on its default port; the proxy re-encrypts
        # to it over loopback.
        proxy_pass https://127.0.0.1:8000;
        # Pass the original host and client address through so Splunk logs
        # and redirects see the real values rather than the proxy's.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}

Reload Nginx: $ nginx -s reload

Then check that Splunk Web is reachable only through the proxy. Nginx now answers on 443, but Splunk Web still listens on 8000 on every interface; either block 8000 at the host firewall or set server.socket_host = 127.0.0.1 under [settings] in web.conf so that it binds to loopback only.

An exercise in threat attribution

GRIZZLY STEPPE

Anthony Tellez 2016-02-28

What

On Dec 29, 2016, the Department of Homeland Security and the FBI jointly released a Joint Analysis Report[https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf] regarding alleged "Russian interference" in the 2016 Presidential Election; the Director of National Intelligence followed with an Intelligence Community Assessment [https://www.dni.gov/files/documents/ICA_2017_01.pdf]. The report mostly detailed malicious actor behaviors familiar to most cyber security professionals. Included in the release were recommendations to blunt intrusion attempts by state actors and the indicators of compromise attributed to the "GRIZZLY STEPPE" campaign carried out by Russian military and civilian intelligence services. The report has circulated widely since the election of a new President, with various experts weighing in on its validity. While this author finds the report dubious, I am leaving it to you the reader to make your own judgment through the exercise.

Request for Assistance

DHS and DNI jointly requested that the public contribute any additional information related to the threat. Using the indicators provided by the report, I will show you how to detect this activity in Splunk and decide on its impact.

Indicators of Compromise

The first step is to download the CSV hosted by US-CERT to your own Splunk instance. There are two methods: Splunk Web, or the command line using wget. Depending on how your environment is set up, one may be easier than the other.

Select an app to save the lookup file, it could be search or a custom application. In this case, I have my own app called “security_viz”.

$ cd /opt/splunk/etc/apps/security_viz/lookups

From the lookups directory of your app download the lookup from us-cert.

$ wget https://www.us-cert.gov/sites/default/files/publications/JAR-16-20296A.csv

Check the permissions of your knowledge objects by reviewing the configuration of your local.meta or default.meta in the app you selected.

$ cat /opt/splunk/etc/apps/security_viz/metadata/default.meta

# Application-level permissions

[]
access = read : [ * ], write : [ admin, power ]

### EVENT TYPES

[eventtypes]
export = system

### PROPS

[props]
export = system

### TRANSFORMS

[transforms]
export = system

### LOOKUPS

[lookups]
export = system

### VIEWSTATES: even normal users should be able to create shared viewstates

[viewstates]
access = read : [ * ], write : [ * ]
export = system

For the GUI method, download the CSV to your local desktop and follow the Splunk Enterprise documentation on configuring lookups.

Searching in Splunk:

Filter the threat intel to entries where an IPv4 address is provided, and remove the left and right brackets that defang each octet separator in the INDICATOR_VALUE field.

| inputlookup JAR-16-20296A.csv where TYPE=IPV4ADDR 
| rex field=INDICATOR_VALUE mode=sed "s/\[|\]//g"

Use the crafted lookup as a subsearch to correlate traffic from any data source. The subsearch renames INDICATOR_VALUE to src_ip, so it only matches inbound sources; run it again with dest_ip to catch outbound connections to the indicators.

index=suricata [ | inputlookup JAR-16-20296A.csv where TYPE=IPV4ADDR | rex field=INDICATOR_VALUE mode=sed "s/\[|\]//g" | rename INDICATOR_VALUE as src_ip] 

Known Tor Addresses?

One claim made by many journalists and security experts is that the list includes known Tor exit addresses among the indicators of compromise, which undermines the report's attempt to pin the activity on Russia as the sole suspect [https://theintercept.com/2017/01/04/the-u-s-government-thinks-thousands-of-russian-hackers-are-reading-my-blog-they-arent/]. This claim should be taken seriously, as various Tor exit nodes were previously used by GhostNet (a China-based APT) to exfiltrate sensitive governmental information, traffic that was reportedly intercepted by WikiLeaks [https://www.wired.com/2010/06/wikileaks-documents/].

To test this claim we can compare the known Tor exit addresses from the period against the IOCs provided by the report in Splunk.

First, download the Tor exit lists for the period specified in the report and merge them into a CSV. The archive holds a series of TorDNSEL exit-list files; the IP on each ExitAddress line is the value to keep:

$ wget https://collector.torproject.org/archive/exit-lists/exit-list-2016-05.tar.xz

Second, configure the merged CSV as a lookup, the same way as the JAR CSV above.

Third, write a search that compares the two lookup files against one another.
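Both the IOC correlation above and the Tor comparison can be checked offline before building the lookups. The following is an added Python example, not code from the original post or from US-CERT: it strips the defanging brackets from IPV4ADDR rows in the same way as the rex mode=sed step, parses the ExitAddress lines out of the TorDNSEL exit-list format that the collector archive contains, and reports which indicators were Tor exit addresses in the period. The JAR rows, the exit-list stanzas (with made-up fingerprints) and the flow events are all constructed; only the column names TYPE and INDICATOR_VALUE come from the report's CSV.

```python
import csv
import io
import re

# Added example (not from the original post). Constructed rows in the shape of
# the JAR CSV: TYPE and INDICATOR_VALUE columns, bracket-defanged IPv4s.
CONSTRUCTED_JAR_CSV = """\
INDICATOR_VALUE,TYPE
198[.]51[.]100[.]23,IPV4ADDR
203[.]0[.]113[.]77,IPV4ADDR
example[.]com,FQDN
192[.]0[.]2[.]9,IPV4ADDR
"""

# Constructed text in the TorDNSEL exit-list layout (one stanza per relay, with
# one or more ExitAddress lines each). Fingerprints are placeholders.
CONSTRUCTED_EXIT_LIST = """\
ExitNode AAAA0000000000000000000000000000000000AA
Published 2016-05-01 00:22:55
LastStatus 2016-05-01 01:02:46
ExitAddress 203.0.113.77 2016-05-01 01:04:08
ExitNode BBBB0000000000000000000000000000000000BB
Published 2016-05-01 00:40:00
LastStatus 2016-05-01 01:00:00
ExitAddress 192.0.2.200 2016-05-01 01:05:00
ExitAddress 192.0.2.201 2016-05-01 02:05:00
"""

DEFANG = re.compile(r"\[|\]")   # same pattern as the rex mode=sed step

def jar_ipv4_indicators(csv_text):
    """Keep TYPE=IPV4ADDR rows and strip the defanging brackets."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {DEFANG.sub("", row["INDICATOR_VALUE"]) for row in reader
            if row["TYPE"] == "IPV4ADDR"}

def tor_exit_addresses(exit_list_text):
    """Map each ExitAddress in a TorDNSEL exit list to the relay fingerprint
    that used it. This is the merge step that turns the archive into a lookup."""
    exits, fingerprint = {}, None
    for line in exit_list_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "ExitNode":
            fingerprint = parts[1]
        elif len(parts) >= 2 and parts[0] == "ExitAddress":
            exits[parts[1]] = fingerprint
    return exits

def tor_overlap(indicators, exits):
    """Indicators that were Tor exit addresses in the examined period."""
    return {ip: exits[ip] for ip in indicators if ip in exits}

# Constructed flow events to correlate against the indicator set.
CONSTRUCTED_EVENTS = [
    {"src_ip": "10.0.0.5", "dest_ip": "198.51.100.23"},
    {"src_ip": "192.0.2.9", "dest_ip": "10.0.0.5"},
    {"src_ip": "10.0.0.6", "dest_ip": "192.0.2.50"},
]

def ioc_hits(events, indicators):
    """Match on both src_ip and dest_ip; the subsearch in the post only matches src_ip."""
    return [(ev, field) for ev in events for field in ("src_ip", "dest_ip")
            if ev.get(field) in indicators]
```

An indicator that shows up in tor_overlap is not evidence of nothing, but a hit on it in your logs means "someone used Tor", not "GRIZZLY STEPPE"; treat those indicators with lower confidence than the rest of the list.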

Conclusion

Building a Defensive Raspberry Pi Pt.4

Intrusion Detection @ Home

Anthony Tellez 2016-02-28


Analyzing BotNets with Suricata & Machine Learning

Analyzing the logs

Anthony Tellez 2016-02-16

Machine Learning Toolkit

Splunk released the initial beta of the Machine Learning Toolkit at .conf15, and since then Splunkers have been doing some interesting work with it. Since the official rollout at this year's .conf, use cases have ranged widely across operations, planning, security and business analytics. Those use cases barely scratch the surface of what is possible with machine learning. Using the Machine Learning Toolkit and Suricata, I will walk through an analysis of botnet populations and use it to build a model that predicts Mirai membership from network features.

Suricata

Suricata is an open source threat detection engine that can run passively for intrusion detection or inline for intrusion prevention. My lab environment is configured for intrusion detection, meaning Suricata makes no attempt to stop an intruder from reaching my systems. That is useful here because, as noted in a previous blog post (Analyzing the Mirai Botnet), the behavioral signature of Mirai is the specific IoT usernames it tries, found in its scanner.c module; we want to observe those attempts, not block them.

Analysis

The analysis largely builds upon the previous blog post, which correlated failed logins for specific usernames with the source IP addresses attempting them. That gave us a threat list of suspected Mirai IP addresses.

Combining this threat list with our passive intrusion detection data creates an enriched dataset with contextual, detailed information about each access attempt. For example, we can determine which TCP flags were present in the packets, both client side and server side, in each flow. We can also compute a producer/consumer ratio (PCR) from packets in versus packets out and bin each flow into PCR categories.
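The feature engineering described here, as an added Python example that is not code from the original post: it reads Suricata EVE flow records, computes the producer/consumer ratio from the pkts_toserver and pkts_toclient counters (those field names are Suricata's; the three records below are constructed), and bins each flow into the PCR categories from Bullard's definition of the metric, which is where the "3:1 import" label used later in the post comes from. The packet_total, packet_ratio and packet_pcr_range names mirror the features selected in the clustering step.

```python
import json

# Added example (not from the original post). Three constructed Suricata EVE
# flow records; the field names (flow.pkts_toserver / pkts_toclient, dest_port,
# app_proto) are Suricata's, the values are made up.
CONSTRUCTED_EVE = [
    '{"event_type":"flow","src_ip":"198.51.100.4","dest_ip":"10.0.0.2","dest_port":22,"app_proto":"ssh","flow":{"pkts_toserver":12,"pkts_toclient":10,"bytes_toserver":1800,"bytes_toclient":2100}}',
    '{"event_type":"flow","src_ip":"203.0.113.9","dest_ip":"10.0.0.2","dest_port":22,"app_proto":"failed","flow":{"pkts_toserver":3,"pkts_toclient":9,"bytes_toserver":200,"bytes_toclient":900}}',
    '{"event_type":"flow","src_ip":"192.0.2.77","dest_ip":"10.0.0.2","dest_port":22,"app_proto":"ssh","flow":{"pkts_toserver":40,"pkts_toclient":0,"bytes_toserver":6000,"bytes_toclient":0}}',
]

# Producer/consumer ratio reference points (Bullard's PCR): +1.0 pure push,
# +0.4 roughly 70:30 export, 0.0 balanced, -0.5 3:1 import, -1.0 pure pull.
PCR_RANGES = [(1.0, "pure push"), (0.4, "70:30 export"), (0.0, "balanced"),
              (-0.5, "3:1 import"), (-1.0, "pure pull")]

def pcr(out_count, in_count):
    """(out - in) / (out + in) from the client's point of view: positive when the
    client mostly sends, negative when it mostly receives. Empty flows count as balanced."""
    total = out_count + in_count
    return 0.0 if total == 0 else (out_count - in_count) / total

def pcr_range(value):
    """Bin a PCR value to the nearest reference category."""
    return min(PCR_RANGES, key=lambda r: abs(r[0] - value))[1]

def flow_features(eve_line):
    """Build one feature row (packet_total, packet_ratio, packet_pcr,
    packet_pcr_range) from a single EVE flow event."""
    ev = json.loads(eve_line)
    f = ev["flow"]
    to_srv, to_cli = f["pkts_toserver"], f["pkts_toclient"]
    value = pcr(to_srv, to_cli)
    return {
        "src_ip": ev["src_ip"],
        "dest_port": ev["dest_port"],
        "app_proto": ev.get("app_proto"),
        "packet_total": to_srv + to_cli,
        # packets the client sent per packet it received; guard the zero case
        "packet_ratio": to_srv / to_cli if to_cli else float(to_srv),
        "packet_pcr": round(value, 3),
        "packet_pcr_range": pcr_range(value),
    }

def featurize(eve_lines):
    """Feature rows for a batch of EVE flow lines, ready for clustering."""
    return [flow_features(line) for line in eve_lines]
```

The third record, forty packets to the server and none back, is what a scanner that never completes a handshake looks like in flow data: PCR of exactly 1.0, "pure push", with app_proto still ssh because of the port. That is the kind of packet-level regularity the clustering step is looking for.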

MLTK

The MLTK is handy because, using the clustering assistant, we can attempt to discern different botnet populations from the features present in our dataset. In the example below I selected 50k random Suricata flow events where dest_port is 22, and picked features that relate to each other but are enriched by the PCR metric. The label is isMirai with possible values 0 or 1, using K-means clustering with k=5.

Interestingly, a clear visual pattern emerges for cluster_4. It is clearly an outlier compared to the rest of the population, but is there anything special about it? From an isMirai 0/1 perspective it is a mixture. Its packet_pcr_range is "3:1 import", with varying ratios, which seems to be the only feature its members share.

Using a model for prediction

MLTK isn't intended to create models for their own sake; it also lets you operationalize those models to predict on the features found in the model. One such feature we get from K-means is cluster_distance, the distance of an event from its cluster centroid.

Using the prediction assistant, the K-means model can be loaded in search before selecting the features to use for prediction from the dropdowns: cluster_distance, packet_pcr_range, packet_ratio and packet_total. The prediction assistant also lets you choose the algorithm; I opted for Random Forest.

Next Steps

The model appears very good at predicting 0 (not Mirai) and reasonably good at predicting 1 (89.4%). This is an improvement over Suricata, which did not detect Mirai with the Emerging Threats ruleset. It may imply that there is a packet-level indicator of compromise for the Mirai botnet. Proof of this requires further investigation into why the model predicts Mirai so effectively, and collaboration with others who have gathered traffic from botnets.

Building a Defensive Raspberry Pi Pt.3

Analyzing the logs

Anthony Tellez 2016-02-16


Building a Defensive Raspberry Pi Pt.2

Integrating Bro & Critical Stack

Anthony Tellez 2016-02-15

Introduction

In this tutorial we will get Bro and Critical Stack installed with minimal effort. The longest step is compiling Bro from source. Of the various iterations I found online, getting Critical Stack to function properly was also quite difficult, as there wasn't much documentation on why I couldn't add the API key. I randomly stumbled on a solution where another user ran the command with sudo -u: the process needs to be executed by root but passed to the critical-stack user. If anyone else is having this issue, I may have just saved you some headache.

Overview - Brodown

  • Configure Bro Repo
  • Install Dependencies
  • Compile Bro from Source
  • Initialize Bro
  • Configure Critical Stack Intel
  • Configure Bro for Network Traffic

Configure Bro Repo

In order to begin we will need to add the bro repo which will have a majority of the components we require. I followed the suggestion of another blogger by appending src to the end so I can easily identify the repo later. The second command adds the bro repo key.

$ echo 'deb-src http://download.opensuse.org/repositories/network:/bro/Debian_8.0/ /' \
  >> /etc/apt/sources.list.d/bro.list
$ wget http://download.opensuse.org/repositories/network:bro/Debian_8.0/Release.key \
  -O - | apt-key add -

Once these two have executed we can update our local repos.

$ apt-get update
$ apt-get build-dep bro

Install Dependencies

Running the apt-get build-dep bro should resolve the following dependencies for the jessie version of raspbian:

bison cmake cmake-data libarchive13 libbison-dev libpcap-dev libpython-dev
libpython2.7-dev libssl-dev python-dev python2.7-dev swig swig2.0

This step may take a few moments depending on your internet connection, once it has completed we are ready to begin the tedious build process.

Compile Bro From Source

There are some important prerequisites for this step:

  • Ensure you have enough space. Use the following command to check:
     $ df -h
  • Ensure you are running this command as root. Use the following command to become root:
     $ sudo -i
  • Start the process from the /opt directory.
     $ cd /opt

Once you have verified all of these prerequisites are met run the following command:

$ apt-get source --compile bro

This process can take anywhere from 60 minutes to 120 depending on your internet connection, and how efficient your Pi is. It took me about 70 minutes to build on a RaspberryPi Model 2.

Once the build job has finished, install the resulting packages, which have a .deb extension. The easiest way is the following command:

# dpkg -i bro_2.4.1-0_armhf.deb bro-core_2.4.1-0_armhf.deb \
    broctl_2.4.1-0_armhf.deb libbroccoli_2.4.1-0_armhf.deb

Configure Critical Stack Intel

If you haven’t already signed up for a free account with Critical Stack I suggest you do so now. You should also read through the docs to get a sense of the various integration methods and what they can provide (https://intel.criticalstack.com/). Once you have created an account you should create a new collection and add a few threat feeds to that collection.


Once you have completed this step you will need to add a new sensor and assign it to the threat collection you just created. Remember to copy the API key as you will need this later during the configuration process.

The next step is to get the .deb package onto the RaspberryPi; the following command will download the correct file:

$ wget https://intel.criticalstack.com/client/critical-stack-intel-arm.deb

Next, let’s unpack the .deb package:

$ dpkg -i critical-stack-intel-arm.deb

Lastly, let’s initialize Critical Stack as the critical-stack user with the API key we copied down earlier:

$ sudo -u critical-stack critical-stack-intel api <key>

Configure Bro for Network Traffic

Before we start Bro up we need to make some modifications to /etc/sysctl.conf:

$ vi /etc/sysctl.conf

Change or add the following configurations:

# Enable Spoof protection (reverse-path filter)
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.rp_filter=1

# Enable TCP/IP SYN cookies
net.ipv4.tcp_syncookies=1

# Ignore ICMP broadcasts
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Ignore bogus ICMP errors
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Do not accept ICMP redirects (prevent MITM attacks)
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0

# Do not send ICMP redirects (really important for our single NIC gateway)
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.eth0.send_redirects = 0

# Do not accept IP source route packets
net.ipv4.conf.all.accept_source_route = 0

# Log Martian Packets
net.ipv4.conf.all.log_martians = 1

# router function  (important!)
net.ipv4.ip_forward = 1

# Avoid Out Of Memory
vm.min_free_kbytes=8192

After saving the settings apply the changes:

$ sysctl -p
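To confirm that the settings above actually landed in the file (and are still there after later edits), here is an added example that is not part of the original post: a POSIX shell script that parses a sysctl.conf-style file and reports every key that is missing or differs from the values listed above. The expected list mirrors the post's settings; the interface name eth0 is assumed as in the post, and the sample file written by make_sample_sysctl is constructed to show both a wrong value and a missing key.

```shell
#!/bin/sh
# Added example (not part of the original post): verify a sysctl.conf-style
# file against the hardening values the post recommends.

# Expected key=value pairs, mirroring the post's /etc/sysctl.conf additions.
# Assumption: eth0 is the sniffing NIC, as in the post.
EXPECTED_SYSCTL='
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.tcp_syncookies=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.eth0.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.eth0.send_redirects=0
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.all.log_martians=1
net.ipv4.ip_forward=1
vm.min_free_kbytes=8192
'

# normalize_sysctl FILE: drop comments and blank lines, remove the optional
# whitespace around '=' (so "key = value" and "key=value" compare equal), and
# keep only the last occurrence of each key, which is what sysctl applies.
normalize_sysctl() {
    sed -e 's/[#;].*$//' -e 's/[[:space:]]//g' "$1" | grep -v '^$' |
        awk -F= '{ v[$1] = $2 } END { for (k in v) print k "=" v[k] }' | sort
}

# check_sysctl_file FILE: print one line per deviation and return 1 if any.
check_sysctl_file() {
    actual=$(normalize_sysctl "$1")
    rc=0
    for entry in $EXPECTED_SYSCTL; do          # entries contain no spaces
        key=${entry%%=*}
        want=${entry#*=}
        found=$(printf '%s\n' "$actual" | awk -F= -v k="$key" '$1 == k { print $2 }')
        if [ -z "$found" ]; then
            echo "$key: missing"
            rc=1
        elif [ "$found" != "$want" ]; then
            echo "$key: expected $want, found $found"
            rc=1
        fi
    done
    return $rc
}

# count_sysctl_deviations FILE: number of deviations (0 means fully hardened).
count_sysctl_deviations() {
    check_sysctl_file "$1" | awk 'END { print NR }'
}

# make_sample_sysctl FILE: write a constructed, partially hardened file with
# mixed spacing, an inline comment, one wrong value and one missing key.
make_sample_sysctl() {
    cat > "$1" <<'EOF'
# constructed sample sysctl.conf (not a real system file)
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.tcp_syncookies = 0   # left at the insecure value on purpose
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.eth0.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.log_martians = 1
vm.min_free_kbytes = 8192
EOF
}

# Demo: the sample should report tcp_syncookies wrong and ip_forward missing.
demo=$(mktemp)
make_sample_sysctl "$demo"
check_sysctl_file "$demo" || echo "$(count_sysctl_deviations "$demo") deviation(s) found"
rm -f "$demo"
```

Run check_sysctl_file against /etc/sysctl.conf before sysctl -p. To compare against the live kernel rather than the file, feed it the output of sysctl -a saved to a file instead; that output uses the same key = value layout, so the same parser applies.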

Start Bro

To start Bro use the following command:

$ /opt/bro/bin/broctl

When prompted type deploy to begin the process:

[BroControl] > deploy
checking configurations ...
installing ...
removing old policies in /opt/bro/spool/installed-scripts-do-not-touch/site ...
removing old policies in /opt/bro/spool/installed-scripts-do-not-touch/auto ...
creating policy directories ...
installing site policies ...
generating standalone-layout.bro ...
generating local-networks.bro ...
generating broctl-config.bro ...
generating broctl-config.sh ...
updating nodes ...
stopping ...
stopping bro ...
starting ...
starting bro ...
[BroControl] > status
Getting process status ...
Getting peer status ...
Name Type Host Status Pid Peers Started
bro standalone localhost running 16514 ??? 15 Feb 22:19:57
[BroControl] >

And that’s it for now! In part 3 we will find where Bro stores logs and how to bring those into Splunk for easy analysis.

Part 3 Analyzing the logs

Building a Defensive Raspberry Pi Pt.1

Building the foundation

Anthony Tellez 2016-02-14

Introduction

After finding a few blog posts online on how to configure a RaspberryPi to run BRO, and a few different approaches to configuring Critical Stack Intel properly, I decided it would be beneficial to construct a complete walkthrough. I have taken the best from each of these resources and combined them into a step-by-step process for beginners and experienced developers. I also wanted to use Splunk to analyze the logs since I am more familiar with the product (disclaimer: I am an employee). Gaining security insights quickly was going to be easier for me than trying to work with the ELK stack that some guides utilize. One thing that has been missing from many of the guides is how to configure the Pi to grab all of the network traffic; I spent lots of time searching and found quite a few people looking for the same answer. Here is how I was able to solve the issue:

Network set up on my home network:
+------------------------------------------------------------------------------------------+
|                                                                                          |
|  +-------------------+                                                                   |
|  |                   |                                                                   |
|  |  ISP Router       |                                                                   |
|  |               +   |                                                                   |
|  +-------------------+                                                                   |
|                  ^                                                                       |
|                  |                                                                       |
|                  |                              +--> Network Switch With Port Mirroring  |
|                  V                              |                                        |
|              +-------------------------------------------------+                         |
|              | |-1-| |-2-| |-3-| |-4-| |-5-| |-6-| |-7-| |-8-| |                         |
|              +-------------------------------------------------+                         |
|                        ^     |                                                           |
|                        |     |                                                           |
|                        |     |                                                           |
|                        |     |                  +----------------+                       |
|  +-----------------+   |     |                  |                |                       |
|  |                 |   |     |                  |  RaspberryPi   |                       |
|  | Apple AirPort   |   |     +----------------> |                |                       |
|  | Base Station    <---+                        +----------------+                       |
|  |                 |                                   ~                                 |
|  +-----------------+ ~~~~~~~~~~~~WLAN ~~~~~~~~~~~~~~~~~~                                 |
|                                                                                          |
+------------------------------------------------------------------------------------------+

The RaspberryPi is receiving data via a port mirroring configuration which grabs all traffic to and from the ISP Router. I also have WiFi configured via a USB thumbstick, which allows me to connect to the Pi using a different interface.

Overview - Preparing the Environment

  • Install Raspbian, Expand File System
  • Install VIM
  • Fix locale setting
  • Configure static IP
  • Rotate ssh keys, change default password

Install Raspbian, Expand File System

Download the Jessie version of Raspbian. The desktop version is better, for a reason I will explain later:

https://www.raspberrypi.org/downloads/raspbian/

$ wget https://downloads.raspberrypi.org/raspbian_latest

Use PiFiller to write the Raspbian image to the SD card. Download it from:

http://ivanx.com/raspberrypi/

$ wget http://ivanx.com/raspberrypi/files/PiFiller.zip

Follow the prompts. Wait until PiFiller begins searching for an SD card before inserting it into your computer; if you insert it earlier, it will not function properly.

Provide credentials for PiFiller to erase the card and begin imaging it for the OS.

Once PiFiller has completed hook up the RaspberryPi to a HDMI monitor, keyboard, mouse, Ethernet and power source.

Here is the explanation as to why you need the GUI: the image will only use 4GB of space on your card no matter what the size of the card is. In order to expand the OS, we could either do this via the command line (which is prone to error) or we could use the built-in tool to expand the file system. In the preferences menu you can configure the OS to expand to the remainder of the card. While you are in this menu also disable the desktop, we won’t need it any longer. Verify on the next tab that ssh is enabled, and change the hostname if you like.

After you save these settings restart the RaspberryPi by answering Yes to the pop-up window.

The Pi will reboot into the command line interface. In order to do the remainder of our configuration remotely, we need to determine the IP address of the device:

$ ifconfig

It will be the IP listed next to the interface, for example:

eth0      Link encap:Ethernet  HWaddr b8:27:eb:e2:14:f7
          inet addr:10.0.0.10  Bcast:10.0.0.255  Mask:255.255.255.0
          inet6 addr: 2601:243:c300:f460:631e:40b4:b994:fd5a/64 Scope:Global
          inet6 addr: fe80::bedc:8417:f515:fc3c/64 Scope:Link
          inet6 addr: 2601:243:c300:f460::17/128 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:160 errors:0 dropped:0 overruns:0 frame:0
          TX packets:136 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:14320 (13.9 KiB)  TX bytes:21314 (20.8 KiB)

from your workstation ssh to the device:

$ ssh pi@10.0.0.10

The default password is raspberry.

We will need to change many OS level settings. It is best to become root to make these changes, instead of prefacing every command with sudo.

$ sudo su

Install VIM

I am going to recommend installing VIM as it tends to be more reliable than VI when it comes to various keyboards and I really dislike nano.

$ apt-get update
$ apt-get install vim

Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  vim-runtime
Suggested packages:
  ctags vim-doc vim-scripts
The following NEW packages will be installed:
  vim vim-runtime
0 upgraded, 2 newly installed, 0 to remove and 2 not upgraded.
Need to get 5857 kB of archives.
After this operation, 28.2 MB of additional disk space will be used.
Do you want to continue? [Y/n]

Answer Y to the prompt.

Do not worry about the following warning:

perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
	LANGUAGE = (unset),
	LC_ALL = "en_US.UTF-8",
	LANG = "en_GB.UTF-8"
    are supported and installed on your system.
perl: warning: Falling back to a fallback locale ("en_GB.UTF-8").
locale: Cannot set LC_CTYPE to default locale: No such file or directory
locale: Cannot set LC_MESSAGES to default locale: No such file or directory
locale: Cannot set LC_ALL to default locale: No such file or directory

Fix locale setting

The RaspberryPi Foundation is based in Great Britain; the warnings above are a result of a locale setting of en_GB.UTF-8. Not to worry, we can easily fix this using a few commands.

$ export LANGUAGE=en_US.UTF-8
$ export LANG=en_US.UTF-8
$ export LC_ALL=en_US.UTF-8
$ locale-gen en_US.UTF-8
$ dpkg-reconfigure locales

The final command should prompt you with a blue screen. Uncheck en_GB.UTF-8 using the arrow keys to move down the list and space bar to select and deselect.

Package configuration

 ┌──────────────────────────┤ Configuring locales ├──────────────────────────┐
 │ Locales are a framework to switch between multiple languages and allow    │
 │ users to use their language, country, characters, collation order, etc.   │
 │                                                                           │
 │ Please choose which locales to generate. UTF-8 locales should be chosen   │
 │ by default, particularly for new installations. Other character sets may  │
 │ be useful for backwards compatibility with older systems and software.    │
 │                                                                           │
 │ Locales to be generated:                                                  │
 │                                                                           │
 │    [ ] en_GB.UTF-8 UTF-8                                                  │
 │    [ ] en_HK ISO-8859-1                                                   │
 │    [ ] en_HK.UTF-8 UTF-8                                              ▒   │
 │    [ ] en_IE ISO-8859-1                                               ▒   │
 │    [ ] en_IE.UTF-8 UTF-8                                              ▒   │
 │    [ ] en_IE@euro ISO-8859-15                                             │
 │                                                                           │
 │                                                                           │
 │                    <Ok>                        <Cancel>                   │
 │                                                                           │
 └───────────────────────────────────────────────────────────────────────────┘

Select en_US.UTF-8 UTF-8:

Package configuration

 ┌──────────────────────────┤ Configuring locales ├──────────────────────────┐
 │ Locales are a framework to switch between multiple languages and allow    │
 │ users to use their language, country, characters, collation order, etc.   │
 │                                                                           │
 │ Please choose which locales to generate. UTF-8 locales should be chosen   │
 │ by default, particularly for new installations. Other character sets may  │
 │ be useful for backwards compatibility with older systems and software.    │
 │                                                                           │
 │ Locales to be generated:                                                  │
 │                                                                           │
 │    [ ] en_SG.UTF-8 UTF-8                                                  │
 │    [ ] en_US ISO-8859-1                                                   │
 │    [ ] en_US.ISO-8859-15 ISO-8859-15                                  ▒   │
 │    [*] en_US.UTF-8 UTF-8                                              ▒   │
 │    [ ] en_ZA ISO-8859-1                                               ▒   │
 │    [ ] en_ZA.UTF-8 UTF-8                                                  │
 │                                                                           │
 │                                                                           │
 │                    <Ok>                        <Cancel>                   │
 │                                                                           │
 └───────────────────────────────────────────────────────────────────────────┘

Use the tab key to highlight the <Ok> button and press enter.
On the next screen, scroll down to en_US.UTF-8 for the default locale:

Package configuration

 ┌──────────────────────────┤ Configuring locales ├──────────────────────────┐
 │ Many packages in Debian use locales to display text in the correct        │
 │ language for the user. You can choose a default locale for the system     │
 │ from the generated locales.                                               │
 │                                                                           │
 │ This will select the default language for the entire system. If this      │
 │ system is a multi-user system where not all users are able to speak the   │
 │ default language, they will experience difficulties.                      │
 │                                                                           │
 │ Default locale for the system environment:                                │
 │                                                                           │
 │                                None                                       │
 │                                C.UTF-8                                    │
 │                                en_US.UTF-8                                │
 │                                                                           │
 │                                                                           │
 │                    <Ok>                        <Cancel>                   │
 │                                                                           │
 └───────────────────────────────────────────────────────────────────────────┘

Use the tab key to highlight the <Ok> button and press the enter key.
The locales will take some time to generate:

Generating locales (this might take a while)...
  en_US.UTF-8... done
Generation complete.

Configure static IP

Now let’s ensure that the device always uses the same IP address. We will need some information from the device to configure the gateway and the proper netmask.

$ cat /etc/network/interfaces

# interfaces(5) file used by ifup(8) and ifdown(8)

# Please note that this file is written to be used with dhcpcd
# For static IP, consult /etc/dhcpcd.conf and 'man dhcpcd.conf'

# Include files from /etc/network/interfaces.d:
source-directory /etc/network/interfaces.d

auto lo
iface lo inet loopback

iface eth0 inet manual

allow-hotplug wlan0
iface wlan0 inet manual
    wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf

allow-hotplug wlan1
iface wlan1 inet manual
    wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf

We need to change the following line:

iface eth0 inet dhcp

OR

iface eth0 inet manual

To configure the static IP we will need to gather some information using the following commands:

$ ifconfig

eth0      Link encap:Ethernet  HWaddr b8:27:eb:e2:14:f7
          inet addr:10.0.0.10  Bcast:10.0.0.255  Mask:255.255.255.0
          inet6 addr: 2601:243:c300:f460:631e:40b4:b994:fd5a/64 Scope:Global
          inet6 addr: fe80::bedc:8417:f515:fc3c/64 Scope:Link
          inet6 addr: 2601:243:c300:f460::17/128 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:160 errors:0 dropped:0 overruns:0 frame:0
          TX packets:136 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:14320 (13.9 KiB)  TX bytes:21314 (20.8 KiB)

Copy the following information into a safe place (text editor or notepad):

inet addr:10.0.0.10 (Pi’s current IP address)
Bcast:10.0.0.255 (the broadcast IP range)
Mask:255.255.255.0 (the subnet mask address)

Use the following to command to get the final information:

$ netstat -nr

          Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         10.0.0.1        0.0.0.0         UG        0 0          0 eth0
10.0.0.0        0.0.0.0         255.255.255.0   U         0 0          0 eth0

Save the following information into a notepad:

‘Gateway’ address – 10.0.0.1
‘Destination’ address – 10.0.0.0

Now that we have everything, we need to update our /etc/network/interfaces file:

$ vi /etc/network/interfaces

Remove the line:

iface eth0 inet dhcp

(or iface eth0 inet manual, whichever is present in your file)

Replacing it with:

iface eth0 inet static
address 10.0.0.10
netmask 255.255.255.0
network 10.0.0.0
broadcast 10.0.0.255
gateway 10.0.0.1

Let’s remove any existing leases:

$ rm /var/lib/dhcp/*
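The steps above have you copy the address, mask and gateway by hand from ifconfig and netstat -nr and compute the network and broadcast addresses yourself. Here is an added example, not from the original post, that does the same in POSIX shell: it parses the two outputs (in the net-tools layout shown above), derives network and broadcast from the address and mask, and prints the iface stanza. The two sample outputs inside the script are constructed; wlan0 is included only to show the failure path when an interface has no default route.

```shell
#!/bin/sh
# Added example (not part of the original post): derive the static-IP stanza
# for /etc/network/interfaces from the ifconfig and netstat -nr output that the
# post has you copy by hand. The two samples below are constructed and follow
# the net-tools layout shown in the post.

SAMPLE_IFCONFIG='eth0      Link encap:Ethernet  HWaddr b8:27:eb:e2:14:f7
          inet addr:10.0.0.10  Bcast:10.0.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
wlan0     Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:192.168.1.77  Bcast:192.168.1.127  Mask:255.255.255.192'

SAMPLE_ROUTES='Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         10.0.0.1        0.0.0.0         UG        0 0          0 eth0
10.0.0.0        0.0.0.0         255.255.255.0   U         0 0          0 eth0
192.168.1.64    0.0.0.0         255.255.255.192 U         0 0          0 wlan0'

# ifconfig_field TEXT IFACE LABEL: value after "LABEL:" (addr, Bcast or Mask)
# on the "inet addr:" line of interface IFACE.
ifconfig_field() {
    printf '%s\n' "$1" | awk -v iface="$2" -v label="$3" '
        /^[^ \t]/ { inblock = ($1 == iface); next }
        inblock && /inet addr:/ {
            for (i = 1; i <= NF; i++)
                if (index($i, label ":") == 1) { print substr($i, length(label) + 2); exit }
        }'
}

# default_gateway TEXT IFACE: gateway of the 0.0.0.0 route that leaves via IFACE.
default_gateway() {
    printf '%s\n' "$1" | awk -v iface="$2" '$1 == "0.0.0.0" && $NF == iface { print $2; exit }'
}

# ipv4_calc ADDR MASK net|bcast: network address (addr AND mask) or broadcast
# address (addr OR NOT mask), octet by octet, using only POSIX sh arithmetic.
ipv4_calc() {
    mode="$3"
    oldifs=$IFS; IFS=.
    set -- $1 $2                      # $1..$4 address octets, $5..$8 mask octets
    IFS=$oldifs
    out=""; i=1
    while [ "$i" -le 4 ]; do
        eval "a=\$$i; m=\$$((i + 4))"
        if [ "$mode" = net ]; then o=$((a & m)); else o=$((a | (255 - m))); fi
        out="${out}${out:+.}$o"
        i=$((i + 1))
    done
    printf '%s\n' "$out"
}

# static_stanza IFCONFIG_TEXT ROUTES_TEXT IFACE: print the six lines the post
# has you type into /etc/network/interfaces; fails if any value is missing.
static_stanza() {
    addr=$(ifconfig_field "$1" "$3" addr)
    mask=$(ifconfig_field "$1" "$3" Mask)
    gw=$(default_gateway "$2" "$3")
    if [ -z "$addr" ] || [ -z "$mask" ] || [ -z "$gw" ]; then
        echo "static_stanza: could not find address, mask or default gateway for $3" >&2
        return 1
    fi
    printf 'iface %s inet static\naddress %s\nnetmask %s\nnetwork %s\nbroadcast %s\ngateway %s\n' \
        "$3" "$addr" "$mask" "$(ipv4_calc "$addr" "$mask" net)" \
        "$(ipv4_calc "$addr" "$mask" bcast)" "$gw"
}

# Demo on the constructed samples: prints the stanza the post shows for eth0.
static_stanza "$SAMPLE_IFCONFIG" "$SAMPLE_ROUTES" eth0
```

On the Pi itself you would pass the real outputs, for example static_stanza "$(ifconfig)" "$(netstat -nr)" eth0, and compare the Bcast value ifconfig reports with the computed broadcast line as a sanity check before editing the file.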

Rotate ssh keys, install patches, change default password

The final step is to secure the Pi by reconfiguring ssh for security, installing the most recent security updates and changing the default password for the pi user.

$ rm /etc/ssh/ssh_host_*
$ dpkg-reconfigure openssh-server
$ service ssh restart

Update to the latest patches:

$ apt-get update
$ apt-get upgrade

Let’s change the default password of the user pi:

$ exit

You should now be pi@raspberrypi. In order to change the password, type the following command:

$ passwd

You should be prompted for the current password:

Changing password for pi.
(current) UNIX password:

The current password is raspberry.

When presented with the next two prompts type the new password you wish to use:

Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully

To make sure that our configurations have succeeded we will need to reboot the pi.

$ sudo reboot

You should get disconnected from the Pi. After a minute or so you should be able to ssh in again using the same command we used initially.

$ ssh pi@10.0.0.10

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:<?>.
Please contact your system administrator.
Add correct host key in /Users/<user>/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /Users/<user>/.ssh/known_hosts:7
ECDSA host key for 10.0.0.10 has changed and you have requested strict checking.
Host key verification failed.

You should expect to get a warning about a man-in-the-middle attack, because the host’s ECDSA key has changed. This is a positive sign that the ssh configuration is now in effect. To make this message go away, we now need to delete the old key from the known_hosts file on our computer.

Run the following command, substituting the username that showed up in your terminal:

$ vi /Users/<user>/.ssh/known_hosts

Locate the offending entry at the bottom of the file:

10.0.0.10 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHmAUHOxXljBP+gwPFCZHj0sFdvPtgzS0muEmeE/...

With the cursor on the offending entry, type dd to delete the line from the file. Next, press the escape key, and then type :wq to save the changes.

You should now be able to use ssh on the host using the new password you set for the pi user.

$ ssh pi@10.0.0.10
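Editing known_hosts by hand in vi works, but it is easy to delete the wrong line, and a host can appear under several names (an IP, a hostname, a [host]:port form, or a comma-separated list of them). Here is an added example, not from the original post, that removes every plain-text entry naming the host from a known_hosts file and counts them first so you can see what will go. The sample file inside the script is constructed and its key blobs are placeholders, not real keys.

```shell
#!/bin/sh
# Added example (not part of the original post): remove a host's stale entries
# from a known_hosts file after its SSH host keys were regenerated. Plain-text
# entries only; hashed (|1|...) lines are left alone and need `ssh-keygen -R`.
# The sample file below is constructed; the key blobs are placeholders.

SAMPLE_KNOWN_HOSTS='# constructed known_hosts, not a real file
github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI-PLACEHOLDER-1
10.0.0.10 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTY-PLACEHOLDER-2
10.0.0.10,raspberrypi ssh-rsa AAAAB3NzaC1yc2E-PLACEHOLDER-3
10.0.0.11 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTY-PLACEHOLDER-4
[10.0.0.12]:2222 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI-PLACEHOLDER-5'

# awk program shared by the two helpers. The host field of a known_hosts line
# may be a comma-separated list and each name may be "[host]:port"; a line
# matches when any name equals the host we are looking for.
KNOWN_HOST_AWK='
    function names_host(field, host,    n, i, parts, name) {
        n = split(field, parts, ",")
        for (i = 1; i <= n; i++) {
            name = parts[i]
            sub(/^\[/, "", name); sub(/]:[0-9]+$/, "", name)
            if (name == host) return 1
        }
        return 0
    }
    /^#/ || /^$/ || substr($0, 1, 3) == "|1|" { if (action == "keep") print; next }
    names_host($1, host)                        { matched++; next }
    { if (action == "keep") print }
    END { if (action == "count") print matched + 0 }
'

# count_known_host FILE HOST: number of plain-text entries naming HOST.
count_known_host() {
    awk -v host="$2" -v action=count "$KNOWN_HOST_AWK" "$1"
}

# remove_known_host FILE HOST: rewrite FILE without the entries naming HOST,
# the same effect as `ssh-keygen -R HOST -f FILE` for plain-text entries.
remove_known_host() {
    awk -v host="$2" -v action=keep "$KNOWN_HOST_AWK" "$1" > "$1.tmp" &&
        mv "$1.tmp" "$1"
}

# Demo on the constructed file: two entries name 10.0.0.10 before, none after.
demo=$(mktemp)
printf '%s\n' "$SAMPLE_KNOWN_HOSTS" > "$demo"
echo "entries for 10.0.0.10 before: $(count_known_host "$demo" 10.0.0.10)"
remove_known_host "$demo" 10.0.0.10
echo "entries for 10.0.0.10 after:  $(count_known_host "$demo" 10.0.0.10)"
rm -f "$demo"
```

The standard tool for this is ssh-keygen -R 10.0.0.10, which also handles hashed entries; the script above shows what that removal amounts to. Before accepting the new key on the next connection, compare the fingerprint in the warning with the one printed by ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub on the Pi's own console: a changed-key warning is expected right after you regenerated the keys, and matching the fingerprint is how you tell that case apart from the one the warning exists for.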

Part 2: Installing BRO

References:

[1]: http://bl0gg.ruberg.no/2015/11/installing-bro-the-network-security-monitor-on-raspberry-pi/
[2]: http://daker.me/2014/10/how-to-fix-perl-warning-setting-locale-failed-in-raspbian.html
[3]: https://intel.criticalstack.com/client/
[4]: https://www.iotvillage.org/slides_DC23/Sweet%20Security.pptx