OpenFPC On Ubuntu And Integrating with Snorby

Our IDS is up and running and we are getting alerts, but there’s a problem: Snorby shows us the triggering packet, but we don’t see the whole session. If you haven’t read the post on setting up the IDS, I would start there.

Why is this important to us?

This is more useful to us in the Malware Lab we are setting up than in a home environment. Full packet capture will let us do network analysis on C2 traffic and web exploits, which in turn lets us generate and, more importantly, test our own IDS signatures.

Thankfully there’s a solution that will allow us to achieve this: Full Packet Capture.

There are a few ways we could go about capturing all the packets floating around our network.

You could implement your own rolling packet capture with tcpdump and a bash script or two, but it’s not very handy when it comes to searching and extracting data.
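For comparison, here is roughly what that do-it-yourself approach looks like. This is an added example, not code from the post or from OpenFPC: tcpdump does the time-based rotation itself, and two small shell helpers cover the parts the post calls awkward, pruning the ring and working out which rotated files hold a given time window. The directory, interface, file-name pattern and the one-hour / 48-file retention are assumptions for the example, and PCAP_DIR must be writable by whichever user tcpdump runs as.

```shell
#!/bin/sh
# Added example (not from the original post): a minimal rolling capture with
# tcpdump plus the "bash script or two" needed to manage and search it.
# Assumed: capture dir, monitor interface, file-name pattern, 1h rotation, 48 kept.
set -eu

PCAP_DIR="${PCAP_DIR:-/var/pcap}"   # assumed storage directory
IFACE="${IFACE:-eth1}"              # monitor interface from the post

# Start the capture: -G 3600 rotates to a new file every hour, -s 0 keeps full
# packets, -n disables name resolution so the capture box makes no DNS noise.
# (tcpdump's -W only caps the file count with -G; it does not reuse old files,
# so pruning is done separately below.)
start_rolling_capture() {
    tcpdump -i "$IFACE" -n -s 0 -G 3600 \
        -w "$PCAP_DIR/capture-%Y%m%d-%H%M%S.pcap"
}

# Keep only the newest KEEP files. With this name pattern, name order is time
# order, so the first globbed files are the oldest. Run from cron.
prune_captures() {
    keep="$1"; dir="${2:-$PCAP_DIR}"
    n=0
    for f in "$dir"/capture-*.pcap; do [ -e "$f" ] && n=$((n + 1)); done
    for f in "$dir"/capture-*.pcap; do
        [ "$n" -gt "$keep" ] || break
        rm -f -- "$f"
        n=$((n - 1))
    done
    return 0
}

# Turn a YYYYmmdd-HHMMSS stamp into a plain integer for comparison.
stamp_num() {
    printf '%s\n' "$1" | tr -d '-'
}

# Print the rotated files that can contain packets from [START, END], both
# given as YYYYmmdd-HHMMSS stamps (the format the -w pattern above writes).
# The last file opened before START is included too: it stays open until the
# next rotation, so it covers the beginning of the window.
pcaps_in_window() {
    start=$(stamp_num "$1")
    end=$(stamp_num "$2")
    dir="${3:-$PCAP_DIR}"
    prev=""
    for f in "$dir"/capture-*.pcap; do      # glob expansion is already sorted
        [ -e "$f" ] || continue
        stamp=$(basename "$f" .pcap)
        stamp=$(stamp_num "${stamp#capture-}")
        if [ "$stamp" -lt "$start" ]; then
            prev="$f"
        elif [ "$stamp" -gt "$end" ]; then
            break
        else
            if [ -n "$prev" ]; then printf '%s\n' "$prev"; prev=""; fi
            printf '%s\n' "$f"
        fi
    done
    # The window fell entirely inside the last file opened before START.
    if [ -n "$prev" ]; then printf '%s\n' "$prev"; fi
    return 0
}

# Usage: merge everything overlapping one hour into a single file for analysis
# (mergecap is installed alongside tshark, which the post already pulls in):
#   pcaps_in_window 20130821-050000 20130821-060000 | xargs mergecap -w /tmp/hour.pcap
```

Even with these helpers you still only get "files that overlap the window"; filtering by host or session then means running tcpdump or tshark over each file, which is exactly the search and extraction work OpenFPC does for you.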

Luckily for us there is an open implementation of packet capture that’s designed to work with Snorby, which is running on our IDS.

OpenFPC - http://www.openfpc.org/

This post is going to look at installing OpenFPC on Ubuntu Server 12.04-2. This procedure should work for most Debian-based setups.

Install the OS

I’m not going to hang around with a basic install of Ubuntu Server; if you can’t manage that you probably shouldn’t be reading this.

Grab the latest LTS release for your architecture from Ubuntu.org and follow the installation instructions. At the package selection I only opted to include the SSH server; other services will be installed as part of our install, which helps to keep it a little lighter.

Before we get on to the install, let’s update the system and install some prerequisites:

openfpc@openfpc:~$ sudo apt-get update && sudo apt-get upgrade
openfpc@openfpc:~$ sudo apt-get install apache2 tcpdump tshark libarchive-zip-perl libfilesys-df-perl libapache2-mod-php5 mysql-server libdatetime-perl libdbi-perl php5-mysql libterm-readkey-perl libdate-simple-perl libtimedate-perl libpcap-dev libswitch-perl

When prompted, make sure to set a strong password on your SQL server and remember it. We are going to need it later.

SetUp The Network

Thanks to a kind donation I now have a managed Cisco switch capable of port spanning, so I can mirror all my traffic without having to use iptables.

This means I can have two interfaces:

  • eth0 - will home the management interface, with a static IP
  • eth1 - will home the monitor interface, with no IP, in promiscuous mode

openfpc@openfpc:~$ sudo nano /etc/network/interfaces

# The primary network interface
auto eth0
iface eth0 inet static
    address 192.168.0.128
    netmask 255.255.255.0
    gateway 192.168.0.1

# The Monitor Interface
auto eth1
iface eth1 inet manual
    up ifconfig eth1 promisc
    down ifconfig eth1 -promisc

Make the changes as shown above, but use an IP range suitable for your network.

Install OpenFPC

Now the system is prepped, let’s get on to the installation. We need to install three things in order to get up and running:

  1. DaemonLogger - this will be our packet logger
  2. cxtracker - tracks sessions and writes them to SQL
  3. OpenFPC - one app to unite them all

At the time of writing the current versions of all three are available as packages, but if you want to live on the bleeding edge you can try installing from source.

DaemonLogger 1.2.1, which is the latest release, is available in the repos. You can confirm which version you would get with an apt-get --simulate (-s):

openfpc@openfpc$ sudo apt-get -s install daemonlogger
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
libdumbnet1
The following NEW packages will be installed
daemonlogger libdumbnet1
0 upgraded, 2 newly installed, 0 to remove and 2 not upgraded.
Inst libdumbnet1 (1.12-3.1 Ubuntu:12.04/precise [amd64])
Inst daemonlogger (1.2.1-6 Ubuntu:12.04/precise [amd64])
Conf libdumbnet1 (1.12-3.1 Ubuntu:12.04/precise [amd64])
Conf daemonlogger (1.2.1-6 Ubuntu:12.04/precise [amd64])

If you’re happy with this version, run the command again without the ‘-s’ to install it.

cxtracker isn’t technically required for Snorby interaction, but if we start getting lots of data it will help us with quick searches across historic sets.

Download the deb and install it:

openfpc@openfpc:~$ sudo wget https://github.com/downloads/gamelinux/cxtracker/cxtracker_0.9.5-1_amd64.deb
openfpc@openfpc:~$ sudo dpkg -i cxtracker*.deb

Check for the latest version of OpenFPC on openfpc.org (currently 0.6), then download, unpack and install it with the following commands:

openfpc@openfpc:~$ sudo wget https://openfpc.googlecode.com/files/openfpc-0.6-314.tgz
openfpc@openfpc:~$ tar zxvf openfpc*
openfpc@openfpc:~$ cd openfpc*
openfpc@openfpc:~$ sudo ./openfpc-install.sh install

You should then be presented with this:

[*] Installation Complete
OpenFPC should now be installed and ready for *configuration*.
1) Go configure /etc/openfpc/openfpc-default.conf (Make sure you change the usernames and passwords!)
2) Start OpenFPC $ openfpc -a start
3) If you want to use the OpenFPC GUI, you MUST create the GUI database
 - Install Mysql
 - Create the DB with the command...
 sudo ./openfpc-dbmaint create gui /etc/openfpc/openfpc-default.conf
 4) Decide if you want to enable session searching
 See -> http://www.openfpc.org/documentation/enabling-session-capture

These seem like useful instructions we should probably follow them.

Configure OpenFPC

OpenFPC is ‘instance’ based; this means we could run more than one instance on a machine, e.g. one instance per interface. Each instance has its own config file. Let’s get started by editing the default config file.

openfpc@openfpc:~$ sudo nano /etc/openfpc/openfpc-default.conf

The config file is fairly well documented. The lines we are most concerned with are listed below, with some suitable examples.

If you’re running this on a VM or on a small box it might be worth setting the save paths to network shares or larger drives. I’m running these as VMs and have set aside 2TB on my NAS to store all the packets. This also gives me easier access to the raw data.

General Variables

  • NODENAME=Lab1
  • DESCRIPTION="Kevs FPC For Lab1"
  • SAVEDIR=/tmp
  • INTERFACE=eth1
  • BUFFER_PATH=/var/tmp/openfpc/pcap

Session Variables

  • ENABLE_SESSION=1
  • SESSION_DIR=/var/tmp/openfpc/session

SQL Variables

  • SESSION_DB_NAME=openfpc
  • SESSION_DB_USER=openfpc
  • SESSION_DB_PASS=openfpc
  • SESSION_DB_HOST=127.0.0.1
  • GUI_DB_NAME=openfpcgui
  • GUI_DB_PASS=openfpcgui
  • GUI_DB_USER=openfpcgui
  • TIMEZONE=Europe/London

Finally, remove the default accounts from the last line. We will generate our own a little later on.

Save the file and we are done.
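Before starting the instance it is worth a quick sanity check that the items the installer told us to change (L105’s “Make sure you change the usernames and passwords!”) really were changed. The following is an added example, not part of the post or of OpenFPC: it reads an instance config, flags DB passwords that are empty, still one of the shipped defaults, or equal to the username, and flags any default account lines. The config keys are the ones listed in the post; that the account lines at the end of the file start with USER= is an assumption of this example.

```shell
#!/bin/sh
# Added example, not part of the original post or of OpenFPC: audit an
# instance config for credentials the installer asks you to change.
# Assumption: the default account lines at the end of the file begin "USER=".
set -eu

# $1 key name, $2 username, $3 password. Prints a finding and returns 1 when
# the password is empty, a shipped default, or the same as the username.
report_pass() {
    case "$3" in
        ''|openfpc|openfpcgui|"$2")
            echo "WEAK: $1 is empty, a shipped default, or equals the username"
            return 1 ;;
    esac
    return 0
}

# Print one line per finding; return 0 if the file is clean, 1 otherwise.
check_openfpc_conf() {
    conf="$1"
    s_user=""; s_pass=""; g_user=""; g_pass=""; accounts=0; findings=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in \#*|'') continue ;; esac      # skip comments, blanks
        key=${line%%=*}
        val=${line#*=}
        case "$key" in
            SESSION_DB_USER) s_user=$val ;;
            SESSION_DB_PASS) s_pass=$val ;;
            GUI_DB_USER)     g_user=$val ;;
            GUI_DB_PASS)     g_pass=$val ;;
            USER)            accounts=$((accounts + 1)) ;;   # assumed prefix
        esac
    done < "$conf"
    report_pass SESSION_DB_PASS "$s_user" "$s_pass" || findings=$((findings + 1))
    report_pass GUI_DB_PASS "$g_user" "$g_pass"         || findings=$((findings + 1))
    if [ "$accounts" -gt 0 ]; then
        echo "DEFAULT ACCOUNT: $accounts USER= line(s) still present, remove them"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Usage: check_openfpc_conf /etc/openfpc/openfpc-default.conf
```

Note that the example values in the post above (SESSION_DB_PASS=openfpc, GUI_DB_PASS=openfpcgui) are exactly what this check flags; pick your own values before running openfpc-dbmaint, since those are the credentials it will create in MySQL.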

Build the DB for the GUI

openfpc@openfpc:~$ sudo ./openfpc-dbmaint create gui /etc/openfpc/openfpc-default.conf

[*] Enter mysql "root" credentials to connect to your local mysql server in order to create the databases
DB root Username: root
DB root Password:
[*] Enter an initial username for the first OpenFPC GUI user
GUI Username: Openfpc
GUI Password: Openfpc
Email address: openfpc@techanarchy.net
Real Name: Kev
USER NOT FOUND. Adding Openfpc.
CREATING GUI DATABASE

[*] OpenFPC instance openfpc-default.conf
- NODENAME: Kevs_Lab
- DESCRIPTION: "Kevs FPC For Lab1"
- STATUS : ENABLED
- PORT: 4242
- INTERFACE: eth0
- FULL PACKET CAPTURE: ENABLED
- PACKET STORE: /var/tmp/openfpc/pcap
- SESSION DATA SEARCH: ENABLED
- SESSION DATABASE NAME: openfpc
Starting Daemonlogger (Kevs_Lab)... Done
Starting OpenFPC Queue Daemon (Kevs_Lab)... Done
Starting OpenFPC cxtracker (Kevs_Lab)... Done
Starting OpenFPC Connection Uploader (Kevs_Lab) ... Done
[*] DB Configured and admin user added. Now navigate to http://youriphere/openfpc/

Build the DB for session Tracking

openfpc@openfpc:~$ sudo ./openfpc-dbmaint create session /etc/openfpc/openfpc-default.conf

[*] Enter mysql "root" credentials to connect to your local mysql server in order to create the databases
DB root Username: root
DB root Password: ---------------------------------------------------------
[*] Working on Instance /etc/openfpc/openfpc-default.conf .
Would you like session capture ENABLED on Kevs_Lab? (y/n)y <-------------
[-] Enabling session capture in Kevs_Lab config
Done.
[-] Found cxtracker.
CREATING DATABASE

################################################################
[*] OpenFPC instance openfpc-default.conf
- NODENAME: Kevs_Lab
- DESCRIPTION: "Kevs FPC For Lab1"
- STATUS : ENABLED
- PORT: 4242
- INTERFACE: eth0
- FULL PACKET CAPTURE: ENABLED
- PACKET STORE: /var/tmp/openfpc/pcap
- SESSION DATA SEARCH: ENABLED
- SESSION DATABASE NAME: openfpc
- SESSION LAG: 1
Starting Daemonlogger (Kevs_Lab)...                 Done
Starting OpenFPC Queue Daemon (Kevs_Lab)...         Done
Starting OpenFPC cxtracker (Kevs_Lab)...            Done
Starting OpenFPC Connection Uploader (Kevs_Lab) ... Done

Hopefully the last 4 lines all read Done.

Testing And Connecting

Now we have our OpenFPC instance running, let’s run a few tests and make sure everything is working as expected.

There are two ways to gain access to our packets: a command line tool and a web interface.

To test the command line interface, use any IP that has sent traffic in the last 60 seconds:

openfpc@openfpc:~$ openfpc-client -a fetch --src-addr 192.168.0.128 --last 60
* openfpc-client 0.6 *
Part of the OpenFPC project

Username: Openfpc
Password for user Openfpc :
#####################################
Date : Wed Aug 21 05:42:25 2013
Filename: /tmp/pcap-openfpc-1377088945.pcap
Size : 987K
MD5 : c82aceae170ac905dc2787b9a1c8eee6

That’s working nicely; opening the pcap in Wireshark shows the correctly filtered traffic.
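The client prints an MD5 alongside the file name, which is handy if the extracted pcap is going to be kept as evidence or handed to someone else. The helper below is an added example, not part of the post or of OpenFPC: it parses the Filename and MD5 lines from a saved copy of the client’s summary (formatted as in the output above) and checks them against the file on disk with md5sum.

```shell
#!/bin/sh
# Added example, not from the original post: confirm that a pcap fetched with
# openfpc-client still matches the MD5 the client reported for it.
set -eu

# $1 is the client's summary text (e.g. "$(cat fetch.log)"). Returns 0 when the
# file's MD5 matches, 1 on mismatch, 2 if the summary lacks Filename/MD5 lines.
verify_fetch() {
    report="$1"
    file=$(printf '%s\n' "$report" | sed -n 's/^Filename:[[:space:]]*//p')
    want=$(printf '%s\n' "$report" | sed -n 's/^MD5[[:space:]]*:[[:space:]]*//p')
    [ -n "$file" ] && [ -n "$want" ] || {
        echo "no Filename/MD5 lines found in report" >&2
        return 2
    }
    got=$(md5sum "$file" | cut -d' ' -f1)
    if [ "$got" = "$want" ]; then
        echo "OK $file $got"
    else
        echo "MISMATCH $file reported=$want actual=$got" >&2
        return 1
    fi
}

# Usage: save the client's output with tee, then check it.
#   openfpc-client -a fetch --src-addr 192.168.0.128 --last 60 | tee fetch.log
#   verify_fetch "$(cat fetch.log)"
```

Record the OK line together with the pcap; if the file is later copied around, the same function re-run on the copy tells you whether it is still the bytes the instance handed out.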

To enable the web interface we need to tell Apache to load our site:

sudo ln -s /etc/apache2/sites-available/openfpc.apache2.site /etc/apache2/sites-enabled/openfpc.conf
sudo service apache2 restart

Let’s check the web interface and make sure that’s working OK as well.

Navigate to http://192.168.0.128/openfpc

Log in with the credentials we created back in the DB setup.

Enter your own IP in the source box, or the gateway in the destination box, and check that a pcap is downloaded.

If all the tests work successfully there’s one final step to get everything integrated.

Configure Snorby

This part is simple.

  • Log on to the Snorby web interface. Select Administration -> General Settings.
  • Tick the box to enable Packet Capture and select OpenFPC from the drop-down box.
  • Enter your username and password for OpenFPC.
  • Enter the Packet Capture URL - http://yourIPHere/openfpc/cgi-bin/extract.cgi

Once these have been configured, the next time you browse a signature you should see a new drop-down labelled Packet Capture Options.

And that’s all. We now have a fully functioning IDS with integrated Full Packet Capture. We can run this on our own network, and in our case we can also run it as part of our Malware Lab, to test signatures and capture traffic for C2 analysis.

If you managed to make it this far, thanks for reading :) If you’re too lazy to follow these instructions, I can try to make life a little easier for you.

I have my IDS, set up as described earlier, and this OpenFPC box as OVAs. Once they have finished uploading to my Dropbox I’ll publish them here for anyone to make use of.

Questions, queries, comments below.
