Archive for the ‘Linux’ Category

Installing Snort with Mysql and ACID BASE

Location: Somewhere in a fan noise filled and brightly lit room…

Date: Jan 3, 2010

Time: 2314 UTC

“Hey John, come look at this spike in traffic on port 1434 going to 10.0.1.23!” Tony exclaimed.

“Yeah, I saw that on 10.0.1.52 as well, looks like a SQL injection attack to me.”

“This one looks like it got through though, I see some outbound traffic on 6667 on that database server as well. There shouldn’t be any traffic on that port, that is IRC chat. The firewall should block it.”

John quickly SSH’d into the firewall and checked the ipchains output to find the default deny and any IRC rules. Much to his surprise, all outbound traffic was allowed.

“What!!” John screamed out.

It just occurred to him that the firewall guys had just replaced the aging firewall that was attached to the DMZ. John frantically searched for the binder that contained the installation and configuration notes for the firewall. Just as he suspected, the binder’s last date was Dec 18, 2009. That was before the firewall was swapped out.

“No documentation, that’s great. How many times do I have to emphasize documentation! This will look great on the incident report,” John said to himself.

Meanwhile Tony was setting up tcpdumps to capture the data for later forensics analysis.

Tony yelled to John from across the room “John, get the web database folks on the phone to see if they can start locking that system down”

John replied, “Dude it’s almost midnight, and we don’t have a good standby number for anybody.”

“Well there is only one thing to do then, we need to contain the problem and start documenting it. We need to close those ports to stop the leak.”

“But that means no one will be able to login to the ecommerce site, that means lost revenue”

“We better call the boss, and he won’t be happy,” Tony stated solemnly after some thought.

“Well maybe he can call the database folks and find out why that server wasn’t locked down correctly”

“Why do you think it was their problem? It could have been a zero-day attack, I checked Dshield and there are huge spikes in 1434. Could be the underground is exploiting a flaw that isn’t public yet”

“Well either way, this isn’t good. Let’s lock it down before any more data leaks out.”

“OK, it’s your call until the boss gets here.”

“Do it!”

This is a fictional scenario that could happen in the real world. Poor documentation, configuration errors, zero-days and slow response times can plague any business network and create opportunities for breaches. This is where a post-analysis tool comes into play. An intrusion detection system is not designed to stop attacks, but it makes the watchful administrator aware of potential breaches or configuration problems. It also provides the information needed for a more accurate incident report, one that identifies the progression of the attack and the attack vector that was used. That can be of tremendous value in thwarting attacks against other systems.

Enter SNORT.

With the constant attacks against networks it is essential to have an Intrusion Detection System (IDS) in place and functional. The IDS needs to be robust, and the mountains of data that come pouring in need to be easy to read. Snort is an open-source product that is free to use and very customizable.

Snort charges for its rules subscription, called “VRT Certified Rules”. If you are serious about keeping your IDS systems up to date you must pay for the rule set. You can receive the rules free of charge by registering; however, the free rules are 30 days old. If you manage a network you know that a lot can change in 30 days.

Snort on Ubuntu

Steps:

  1. Use apt-get to retrieve the snort-mysql package (use your host network for the listen address range, e.g. 192.168.1.0/24)
  2. Use apt-get to retrieve the mysql-server package. Follow the prompts for passwords (use your own password!! do not leave it blank)
  3. Follow the instructions below to set up the database

———-Snippets taken from the snort-mysql debian package README—————–

CREATING THE DATABASE
———————–

In order for the above to work you first need to create a database.

Consider that you have defined the following information when asked
to in the Debconf dialogs when installing the package:

Database User: snort
Database Password:  (Use your own password here)
Database name: snort

For Mysql you can do this:

[ running as a mysql user with admin privileges ]
$  mysql -u root -p

(Type in the password you just created during the mysql-server installation)

mysql> CREATE DATABASE snort;
mysql> grant CREATE, INSERT, SELECT, UPDATE on snort.* to snort@localhost;
mysql> grant CREATE, INSERT, SELECT, UPDATE on snort.* to snort;
mysql> SET PASSWORD FOR snort@localhost=PASSWORD('INSERT_YOUR_OWN_PASSWORD_HERE');
mysql> flush privileges;
mysql> show grants for 'snort'@'localhost';

mysql>exit

Run the command below:

$ zcat /usr/share/doc/snort-mysql/create_mysql.gz | mysql -u snort -D snort -pYOUR_OWN_PASSWORD_HERE

Once the database is created Snort can be started. To do this remove the file /etc/snort/db-pending-configuration and then run /etc/init.d/snort start. Confirm that Snort is working and up
by running /etc/init.d/snort status and reviewing the messages in the /var/log/daemon.log syslog file.

Before starting Snort you will have to edit the /etc/snort/snort.conf file.

Find the lines

# (#DBSTART#)
output database: log, mysql,
# (#DBEND#)

Change the output line to: output database: log, mysql, user=snort password=YOUR_OWN_PASSWORD_HERE dbname=snort host=localhost
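The database steps above (the grants, the schema load and the snort.conf edit) as one POSIX shell script, added here as an example; it is not from the snort-mysql README or the original post. It assumes the Debconf values shown above (user snort, database snort), that the password is supplied in a SNORT_DB_PASS environment variable instead of on the command line, and that the (#DBSTART#)/(#DBEND#) markers look exactly as shown.

```shell
#!/bin/sh
# Added example, not from the snort-mysql README or the original post. Assumes the
# Debconf values used above (user "snort", database "snort") and that the password
# arrives in SNORT_DB_PASS rather than on a command line, where "ps" would show it.
set -eu
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"
PENDING="${PENDING:-/etc/snort/db-pending-configuration}"

# Print the README's grant statements for one password. Only the localhost grant
# is kept, which is all host=localhost needs. A single quote in the password is
# doubled so it cannot terminate the SQL string literal early.
snort_grant_sql() {
  pw=$(printf '%s' "$1" | sed "s/'/''/g")
  printf '%s\n' \
    "CREATE DATABASE IF NOT EXISTS snort;" \
    "GRANT CREATE, INSERT, SELECT, UPDATE ON snort.* TO 'snort'@'localhost';" \
    "SET PASSWORD FOR 'snort'@'localhost' = PASSWORD('$pw');" \
    "FLUSH PRIVILEGES;"
}

# Rewrite the "output database:" line between the (#DBSTART#) and (#DBEND#)
# markers of snort.conf; every other line is left untouched. The password reaches
# awk via ENVIRON so backslashes in it are not reinterpreted as "awk -v" would.
patch_snort_conf() {
  conf="$1"
  PW="$2" awk '
    index($0, "(#DBSTART#)") { inblock = 1 }
    index($0, "(#DBEND#)")   { inblock = 0 }
    inblock && /^output database:/ {
      print "output database: log, mysql, user=snort password=" ENVIRON["PW"] " dbname=snort host=localhost"
      next
    }
    { print }
  ' "$conf" > "$conf.tmp"
  mv "$conf.tmp" "$conf"
  chmod 640 "$conf"   # the file now carries a credential: no world read access
}

# The full procedure runs only with --apply; sourcing the file just defines the functions.
if [ "${1:-}" = "--apply" ]; then
  : "${SNORT_DB_PASS:?set SNORT_DB_PASS before running with --apply}"
  snort_grant_sql "$SNORT_DB_PASS" | mysql -u root -p          # prompts for the MySQL root password
  zcat /usr/share/doc/snort-mysql/create_mysql.gz |
    MYSQL_PWD="$SNORT_DB_PASS" mysql -u snort -D snort           # schema load, password kept off argv
  patch_snort_conf "$SNORT_CONF" "$SNORT_DB_PASS"
  rm -f "$PENDING"                                               # the package blocks startup while this exists
  /etc/init.d/snort start && /etc/init.d/snort status
fi
```

Run it as root with SNORT_DB_PASS=... ./snort-db-setup.sh --apply; without --apply it only defines the two functions so they can be tried on a copy of snort.conf first.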

  4. Install the apache2 web server (apt-get install apache2)
  5. Install the acidbase application (apt-get install acidbase)

The package manager will walk you through the setup. You will need to enter the root database password, the database user (snort), the database name (snort) and the database password. It will also ask if you want it to install the configs for apache2. Select Apache2 for autoconfiguration. By default only localhost has access to the site at http://localhost/acidbase.

You will have to connect and have acidbase create the required tables in the snort database. This can be accomplished by clicking the button on the main page to create the tables.

Additionally you will have to edit the /etc/apache2/conf.d/acidbase.conf file and add any additional IP addresses or IP ranges that you want remote access from.

Visit the Snort website for more information on updating rules and registering for your own “oinkcode”.

MythDora 4.0 and Hauppauge PVR-150 with IR Blaster Support

I wanted to outline a few steps that I had to take to get the IR blaster to work with MythDora. MythDora is my favorite MythTV distro; it is by far the most polished and complete MythTV system that I have found. I was perfectly happy with the setup, that is until I got digital cable. Then the need for the IR blaster arose. I went as far as making a serial IR blaster that would have worked had I not had a Scientific Atlanta Explorer 2200. That is where the search for answers led me to Mark’s Brain Dump. A day later here I am with a working setup.

I also wanted to condense the process for others that may be encountering the same issues and/or want to use MythTV but are hesitant because of the digital box. I want to add that the Hauppauge IR Blaster might be the only IR blaster that will operate your digital or satellite box; I found that the serial IR blaster I made did not send the codes correctly for my SA 2200.

I want to thank the MythDora developers and Mark at “Mark’s Brain Dump” for all the information and the PVR-150 package. Without them this would not have been possible. Without any further ado, let’s get started.

What you’ll need and how to install them:

  1. WinTV PVR-150 (NOT the MCE version) NOTE: There have been some reports that people are receiving a replacement HVR-1600 or HVR-1500 in the PVR-150 box. I bought mine at CircuitCity and had the correct one.
  2. S-Video and/or Composite video cables, Audio cable (RCA to 1/8″ Mini stereo plug) to go from the Digital Receiver to the PVR-150
  3. MythDora 4.0 – Thanks MythDora developers!! Follow the excellent instructions at MythPVR for a step by step install
  4. Mark’s PVR-150 Package – Please follow Mark’s instructions for installation and compiling. You will need the following packages before compiling. Type the following as root before running the ./setup.sh from Mark’s package:
    1. yum install dialog
    2. yum install kernel-devel-`uname -r`
    3. yum install gcc
    4. yum install make
  5. Hauppauge PVR-150 Firmware – As root, copy to your /lib/firmware folder
  6. Config Files: Please backup all files before overwriting them in case you have to go back for any reason
    1. change_chan.pl script
      1. Remove the .txt extension
      2. Place in your /usr/local/bin folder
      3. Type chmod +x /usr/local/bin/change_chan.pl
      4. Point to the file under MythTV Setup; Input Section. Select SVideo put /usr/local/bin/change_chan.pl in the “External Change Channel Command” box
    2. Modified lircd.conf file for the Hauppauge PVR-150 gray remote and the SA 2200 digital cable box. Rename the downloaded file to lircd.conf, and overwrite the existing /etc/lircd.conf file. Please see Mark’s blog if you have a different satellite or digital box. He explains how to find the proper codes for your box. Use my script as an example for the final script layout however.
    3. Modified lirc file located in /etc/modprobe.d directory. Remove the .txt extension then overwrite the existing /etc/modprobe.d/lirc file
    4. Add these lines to the /etc/rc.local file:
    5. Reboot

All files – All the files above in a neat all-in-one package.

Things that can go wrong:

  • Software Installation:
    • lirc_i2c is still being loaded on startup.
      • Solution: Make sure you have performed step # 3 correctly. lirc_i2c usually loads because it is still in the lirc file under /etc/modprobe.d/ directory
    • Permissions are set incorrectly, specifically the execute flag
    • Files are not named correctly or in the wrong location
    • MythTV is not setup correctly
    • Modules are not loading correctly – See Mark’s website for troubleshooting
    • IR Blaster is trying to use the Serial port
      • Solution – remove any entries in the /etc/modprobe.d/irblaster file, or just comment them out. I made the mistake of setting up irblaster from the MythDora setup screen and it caused me untold grief.
  • Hardware
    • IR Blaster is not located correctly over the digital/satellite box IR Receiver. Use a flashlight to locate it under the front panel on the Digital Box
    • IR Blaster and receiver not fully seated in the PVR-150