Tuesday, December 6, 2011
Open Source Vulnerability Scanning and IPS/IDS Tecnology
A particular project that I've been working on has called upon the need for an IPS/IDS as well as vulnerability detection solutions. Well known solutions that fill this particular void that I've come across in the wild are Snort, OpenVAS, Nessus, Suricata, and Tiger (obviously I've looked at many other systems as well and have played around with some of my rules but I'll leave that for another post). Below are some of my research notes.
OpenVAS is basically a fork of Nessus after that project went commercial/proprietary. It works but is somewhat rough around the edges. Installation was via YUM repository. Thereafter, its a case of fetching plugins and configuring them and then using web based or desktop based client in order to conduct scanning.
Note that first time, openvas-scanner can take a substantial amount of time to run. Following is 'timed' startup of before and after caching when starting openvas-scanner service. Obviously, its better to leave the '/var/cache/openvas/' folder be after the initial caching.
real - 0m21.924s
user - 0m16.962s
sys - 0m0.694s
real - 11m19.809s
user - 2m16.576s
sys - 4m3.631s
Funnily enough, there is no counter to indicate progress of processing scripts on launch (I used, 'ls /var/cache/openvas | wc -l' to watch for progress of service startup of openvas-scanner. Should incorporate something like this in init script) so its quite possible that you could be waiting for the service to start after several minutes which brings me to the 'watch' command (I used to use a BASH inifinite loop combined with a sleep command somwhere in between to acheive the same thing). It allows you to run a command periodically, for an infinite amount of time so that you can view the process of a particular command. However, the 'watch' command doesn't conditionally stop based on the 'man' page apparently. I may rectify this one day?
Like Nessus, OpenVAS is also dependent on publicly available plugins/rules in order to scan for vulnerabilities.
Had download issues when downloading feed. Presume that this is more likely related to wireless connection than with site/application level issues. Have noticed that when using 3G for larger downloads broken downloads more likley. Believe that it could have to do with variable nature of 3G connections with regards to variable delay/latency (possibly caused by network congestion) of connection leading to timeout. Have dealt with it previously be using resumption of download feature in download manager otherwise have had to use wget -c. Reminds me of Path MTU issues that I have previously come by in other work. Re-routed the issue by using an online proxy but another solution that I've tried is simply restarting the process hoping that the route would have reset itself at some point along the way (ifconfig mtu MTUSIZE if you're curious about changing MTU size for a NIC. I've found that MTU of 1392 is quite useful.).
multitail, is a useful tool if you're having issues and are unsure of the source of the problem. If you working with a particular service with a special folder and logrotate then its as simple as running multitail *.log
If you're new to it run the following in order to check things after setup/configuration.
Slick web based interface.
OpenVAS web access on, https://localhost:9392
Note that gsd (desktop client) seems to have a long way to go before reaching the state of the openvas web interace.
May need to run the following in order to properly register all plugins after extracting to relevant folder, /var/lib/openvas/plugins.
greenbone-security-assistant (gsd) is the desktop client scanning interface. Looks dated but does the job.
The following is for lazy people.
for i in `ls /etc/init.d/openvas* | sed 's/\/etc\/init.d\///'` ; do service $i start; done
Obviously, one of the 'original' vulnerability scanner which has since spawned forks and commercial offerings.
Need to obtain plugin updates via website,
Note, that documentation may be somewhat outdated. Need to obtain serial code in order to download/update feed.
nessus-fetch --register SERIAL
This may take a while long time. Using iptraf I calculated that the total file transfer to be around 25MB.
Put plugins in /var/lib/nessus/plugins/
Restart nessusd service to load plugins. Can take quite a while. Possible to have a snack/drink during this time. Thereafter, you need to run the following in order to login to the client and run scans.
service nessusd start
Startup the nessus client
Run the scan from within the client
May need to restart the system. Seemed to have memory allocation issues when restarting the nessusd service alone and then loading up the client. No details in relevant logfiles. May investigate further at some point by increasing logging. Research indicates that it may be version related.
Change the parameters from within the client, conduct the scan and hopefully there will be no issues. Otherwise, rectify as required.
Obviously, being a fork of Nessus the OpenVAS project shares many similar aspects/components including setup and configuration.
You'll need to download rules/config files from,
You may have strange errors during loading of rulesets. Have thought about attempting to fix/patch the issues myself but will leave for when I have more time due to the number of them. The project is still young though.
Under Fedora you'll need to change the startup script /etc/init.d/suricata to reference the correct configuration and rules files. The service quite simply will not work otherwise.
If you're lazy (or you don't have an Internet connection) you can just 'touch' the relevant required files as required in order to get the things up and running.
As stated previously, basically it won't start without a downloaded set of rules/configuration set. You can get around this on some installations either using the official 'rules' or using rules that have previously been created by the 'community'. Logs to /var/log/suricata/
Basically a collection of scripts that look for known issues that may exist on Linux/UNIX systems. Using a cron job periodic scans are run on the host with an email being sent to the sysadmin of the server in question. If you have difficulty understanding some of the cryptic codes than there is the tigexp command which when combined with the relevant code in the email will provide a more human readable explanation of the security vulnerability in question. Details are sent to /var/log/tiger also for easier referencing and/or parsing.
Like Nessus, metasploit has commercial forks as well the original open source version as well. Basically, another network mapping, vulnerability scanning engine however there are mechanisms through which to exploit known vulnerabilities as well and alter existing means for exploitation.
Even though it uses a single binary for installation the process of downloading and installing metasploit was anything but easy. As with the case of OpenVAS I've been having download issues with larger files. This time the download would actually stop at about 71%. Multiple attempts at resuming downloads via browser and wget were unsuccessful. Wireshark analysis indicated that PDU fragmentation wasn't occurring properly because TCP segments were somehow being lost. Moreover, when resumptions were successful somehow the download was extending past the anticipated initial download file size which ultimately meant a corrupt file. Cutting the file down to the correct size didn't work (use the cut command to get down to the correct byte size file). What did work funnily enough though, was using VIM and deleting sections at the end of file and then resuming the download from the modified file (manual defragmentation/disassembly?).
Word of warning, NeXpose can be a bit discretionary when it comes to what flavours of Linux it can be installed on. In the past, I've gotten and have seen others get around this issue by altering the relevant /etc/*-release file to something more 'pleasing'. However, on this occassion I decided to go for an installation under Ubuntu instead in a VM (you may be interested to know that VMWare Server may change your partition layout when expanding virtual drive capacity size. partprobe and parted are two lesser known commands you may be curious about if you need to do this). Note that you may need to sign up for a serial code depending on whether you use the community/commercial version of metasploit.
In the past I've used Snort before as part of already complete (software security) solutions and have experimented somewhat with it but its only now that I've really had to gain a better understanding of the technology. Just like a conventional firewall and/or security device its made up of a set of rules. Rules are generally derived from rules that have been generated by professionals/enthusiasts who have since found common ground with regards to particular security issues that they they/most people may be facing.
"Snort can be configured in three main modes: sniffer, packet logger, and network intrusion detection. In sniffer mode, the program will read network packets and display them on the console. In packet logger mode, the program will log packets to the disk. In intrusion detection mode, the program will monitor network traffic and analyze it against a ruleset defined by the user. The program will then perform a specific action based on what has been identified."
Due to its relative maturity and popularity many different tools available and largely compatible alternatives for easier analysis of results as well as creating rules are available.
For those who don't already know this you can often bypass a lot of download managers out there if the 'Download Manager' doesn...
- we're going to attack this from a number of different perpective since it's a bit more complex then you'd normally expect. As...
If you're like many others on the planet you probably can't be bothered purchasing a new piece of software in order to test an appl...