Our IDS is up and running and we are getting alerts, but there's a problem: Snorby shows us the triggering packet, but we don't see the whole session. If you haven't read the post on setting up the IDS, I would start there.
Why is this important to us?
This is more useful to us in the Malware Lab we are setting up than in a home environment. Full packet capture will allow us to do network analysis on C2 traffic and web exploits, which in turn lets us generate and, more importantly, test our own IDS signatures.
Thankfully there's a solution that will allow us to achieve this: Full Packet Capture.
There are a few ways we could go about capturing all the packets floating around our network.
You could implement your own rolling packet capture with tcpdump and a bash script or two, but it's not very handy when it comes to searching and extracting data.
Luckily for us there is an open implementation of full packet capture that's designed to work with Snorby, which is running on our IDS.
OpenFPC - http://www.openfpc.org/
This post is going to look at installing OpenFPC on Ubuntu Server 12.04-2. This procedure should work for most Debian-based setups.
Install the OS
I'm not going to hang around on a basic install of Ubuntu Server; if you can't manage that you probably shouldn't be reading this.
Grab the latest LTS release for your architecture from Ubuntu.org and follow the installation instructions. At the package selection I only opted to include the SSH server; other services will be installed as part of our install, which helps keep it a little lighter.
Before we get on to the install, let's update the system and install some prerequisites:
openfpc@openfpc:~$ sudo apt-get update && sudo apt-get upgrade
openfpc@openfpc:~$ sudo apt-get install apache2 tcpdump tshark libarchive-zip-perl libfilesys-df-perl libapache2-mod-php5 mysql-server libdatetime-perl libdbi-perl php5-mysql libterm-readkey-perl libdate-simple-perl libtimedate-perl libpcap-dev libswitch-perl
When prompted, make sure to set a strong password on your MySQL server and remember it; we are going to need it later.
Set Up The Network
Thanks to a kind donation I now have a managed Cisco switch capable of port spanning, so I can mirror all my traffic without having to use iptables.
This means I can have two interfaces:
- eth0 - will be the management interface, with a static IP
- eth1 - will be the monitor interface, with no IP, in promiscuous mode
openfpc@openfpc:~$ sudo nano /etc/network/interfaces

# The primary network interface
auto eth0
iface eth0 inet static
address 192.168.0.128
netmask 255.255.255.0
gateway 192.168.0.1

# The Monitor Interface
auto eth1
iface eth1 inet manual
up ifconfig eth1 promisc
down ifconfig eth1 -promisc

Make the changes as shown above, using an IP range suitable for your network.
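A monitor port that accidentally keeps an address, or never goes promiscuous, silently captures only its own traffic, so it is worth checking the stanza before rebooting. This is an added example, not part of the original post: it parses an /etc/network/interfaces style file and confirms the named interface is "inet manual", carries no address/netmask/gateway, and toggles promisc in its up/down hooks (the function name and file path argument are mine).

```shell
#!/bin/sh
# check_monitor_iface FILE IFACE
# Returns 0 if IFACE in FILE is configured as a pure sniffing port, 1 otherwise
# (reasons go to stderr). Added example; not part of OpenFPC or the post.
check_monitor_iface() {
    file="$1"
    iface="$2"
    # Pull out only the stanza for IFACE: its "iface" line plus the option
    # lines that follow, stopping at the next auto/iface/mapping/source line.
    stanza=$(awk -v ifc="$iface" '
        $1 == "iface" { inside = ($2 == ifc); if (inside) print; next }
        $1 == "auto" || $1 == "allow-hotplug" || $1 == "mapping" || $1 == "source" { inside = 0; next }
        inside { print }
    ' "$file")
    if [ -z "$stanza" ]; then
        echo "$iface: no stanza found in $file" >&2
        return 1
    fi
    rc=0
    # Must be "inet manual": no DHCP client and no static address on the tap.
    echo "$stanza" | grep -Eq "^[[:space:]]*iface[[:space:]]+$iface[[:space:]]+inet[[:space:]]+manual" \
        || { echo "$iface: should be 'inet manual', not static/dhcp" >&2; rc=1; }
    # A monitor port with an IP is reachable from the mirrored segment.
    if echo "$stanza" | grep -Eq '^[[:space:]]*(address|netmask|gateway)[[:space:]]'; then
        echo "$iface: carries an IP configuration; a monitor port must have none" >&2
        rc=1
    fi
    # Without promisc the NIC drops frames not addressed to it, i.e. most of the span.
    echo "$stanza" | grep -Eq '^[[:space:]]*up[[:space:]].*[[:space:]]promisc([[:space:]]|$)' \
        || { echo "$iface: 'up' hook does not enable promiscuous mode" >&2; rc=1; }
    echo "$stanza" | grep -Eq '^[[:space:]]*down[[:space:]].*[[:space:]]-promisc([[:space:]]|$)' \
        || { echo "$iface: 'down' hook does not clear promiscuous mode" >&2; rc=1; }
    return $rc
}

# Usage on a live box: sh check_iface.sh /etc/network/interfaces eth1
if [ "$#" -eq 2 ]; then
    check_monitor_iface "$1" "$2" && echo "$2 looks like a proper monitor port"
fi
```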
Now the system is prepped, let's get on to the installation. We need to install three things to get up and running:
- DaemonLogger - this will be our packet logger
- cxtracker - tracks sessions and writes them to SQL
- OpenFPC - one app to unite them all
At the time of writing all current versions are available as packages, but if you want to live on the bleeding edge you can try installing from source.
DaemonLogger 1.2.1, the latest release, is available in the repos. You can confirm which version with an apt-get --simulate (-s):
openfpc@openfpc$ sudo apt-get -s install daemonlogger
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  libdumbnet1
The following NEW packages will be installed
  daemonlogger libdumbnet1
0 upgraded, 2 newly installed, 0 to remove and 2 not upgraded.
Inst libdumbnet1 (1.12-3.1 Ubuntu:12.04/precise [amd64])
Inst daemonlogger (1.2.1-6 Ubuntu:12.04/precise [amd64])
Conf libdumbnet1 (1.12-3.1 Ubuntu:12.04/precise [amd64])
Conf daemonlogger (1.2.1-6 Ubuntu:12.04/precise [amd64])
If you're happy with this version, run the command again without the '-s' to install it.
cxtracker isn't technically required for Snorby interaction, but if we start getting lots of data it will help us with quick searches across historic sets.
Download the deb and install it:
openfpc@openfpc:~$ sudo wget https://github.com/downloads/gamelinux/cxtracker/cxtracker_0.9.5-1_amd64.deb
openfpc@openfpc:~$ sudo dpkg -i cxtracker*.deb
Check for the latest version of OpenFPC (currently 0.6), then download, unpack and install it with the following commands:
openfpc@openfpc:~$ sudo wget https://openfpc.googlecode.com/files/openfpc-0.6-314.tgz
openfpc@openfpc:~$ tar zxvf openfpc*
openfpc@openfpc:~$ cd openfpc*
openfpc@openfpc:~$ sudo ./openfpc-install.sh install
You should then be presented with this:
[*] Installation Complete
OpenFPC should now be installed and ready for *configuration*.
1) Go configure /etc/openfpc/openfpc-default.conf
   (Make sure you change the usernames and passwords!)
2) Start OpenFPC
   $ openfpc -a start
3) If you want to use the OpenFPC GUI, you MUST create the GUI database
   - Install Mysql
   - Create the DB with the command...
     sudo ./openfpc-dbmaint create gui /etc/openfpc/openfpc-default.conf
4) Decide if you want to enable session searching
   See -> http://www.openfpc.org/documentation/enabling-session-capture
These seem like useful instructions we should probably follow them.
OpenFPC is 'instance' based, which means we could run more than one instance on a machine, e.g. one instance per interface. Each instance has its own config file. Let's get started by editing the default config file.
openfpc@openfpc:~$ nano /etc/openfpc/openfpc-default.conf
The config file is fairly well documented. The lines we are most concerned with are listed below, with some suitable examples.
If you're running this on a VM or on a small box, it might be worth setting the save paths to network shares or larger drives. I'm running these as VMs and have set aside 2TB on my NAS to store all the packets. This also gives me easier access to the raw data.
- DESCRIPTION="Kevs FPC For Lab1"
Finally, remove the default accounts from the last line. We will generate our own a little later on.
Save the file and we are done.
Build the DB for the GUI
openfpc@openfpc:~$ sudo ./openfpc-dbmaint create gui /etc/openfpc/openfpc-default.conf
[*] Enter mysql "root" credentials to connect to your local mysql server in order to create the databases
DB root Username: root
DB root Password:
[*] Enter an initial username for the first OpenFPC GUI user
GUI Username: Openfpc
GUI Password: Openfpc
Email address: email@example.com
Real Name: Kev
USER NOT FOUND. Adding Openfpc.
CREATING GUI DATABASE
[*] OpenFPC instance openfpc-default.conf
 - NODENAME: Kevs_Lab
 - DESCRIPTION: "Kevs FPC For Lab1"
 - STATUS : ENABLED
 - PORT: 4242
 - INTERFACE: eth0
 - FULL PACKET CAPTURE: ENABLED
 - PACKET STORE: /var/tmp/openfpc/pcap
 - SESSION DATA SEARCH: ENABLED
 - SESSION DATABASE NAME: openfpc
Starting Daemonlogger (Kevs_Lab)... Done
Starting OpenFPC Queue Daemon (Kevs_Lab)... Done
Starting OpenFPC cxtracker (Kevs_Lab)... Done
Starting OpenFPC Connection Uploader (Kevs_Lab) ... Done
[*] DB Configured and admin user added.
Now navigate to http://youriphere/openfpc/
Build the DB for Session Tracking
openfpc@openfpc:~$ sudo ./openfpc-dbmaint create session /etc/openfpc/openfpc-default.conf
[*] Enter mysql "root" credentials to connect to your local mysql server in order to create the databases
DB root Username: root
DB root Password:
---------------------------------------------------------
[*] Working on Instance /etc/openfpc/openfpc-default.conf .
Would you like session capture ENABLED on Kevs_Lab? (y/n)y   <-------------
[-] Enabling session capture in Kevs_Lab config Done.
[-] Found cxtracker.
CREATING DATABASE
################################################################
[*] OpenFPC instance openfpc-default.conf
 - NODENAME: Kevs_Lab
 - DESCRIPTION: "Kevs FPC For Lab1"
 - STATUS : ENABLED
 - PORT: 4242
 - INTERFACE: eth0
 - FULL PACKET CAPTURE: ENABLED
 - PACKET STORE: /var/tmp/openfpc/pcap
 - SESSION DATA SEARCH: ENABLED
 - SESSION DATABASE NAME: openfpc
 - SESSION LAG: 1
Starting Daemonlogger (Kevs_Lab)... Done
Starting OpenFPC Queue Daemon (Kevs_Lab)... Done
Starting OpenFPC cxtracker (Kevs_Lab)... Done
Starting OpenFPC Connection Uploader (Kevs_Lab) ... Done
Hopefully the last four lines all read Done.
Testing And Connecting
Now we have our OpenFPC instance running, let's run a few tests and make sure everything is working as expected.
There are two ways to gain access to our packets: a command line tool and a web interface.
To test the command line interface, use any IP that has sent traffic in the last 60 seconds:
openfpc@openfpc:~$ openfpc-client -a fetch --src-addr 192.168.0.128 --last 60
* openfpc-client 0.6
* Part of the OpenFPC project
Username: Openfpc
Password for user Openfpc :
#####################################
Date : Wed Aug 21 05:42:25 2013
Filename: /tmp/pcap-openfpc-1377088945.pcap
Size : 987K
MD5 : c82aceae170ac905dc2787b9a1c8eee6
That's working nicely; opening the pcap in Wireshark shows the correctly filtered traffic.
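The client prints an MD5 alongside the extracted pcap, which is what you would record if the capture is ever used as evidence from the lab. As an added example (not part of the post or of OpenFPC), the function below reads a saved copy of that client output, pulls out the Filename and MD5 lines, and re-hashes the file on disk so a moved, truncated or rotated pcap is caught before the hash is written down; the function name and the log file argument are mine.

```shell
#!/bin/sh
# verify_fetch OUTPUT_FILE
# OUTPUT_FILE is a saved copy of the openfpc-client output, e.g. from
#   openfpc-client -a fetch --src-addr 192.168.0.128 --last 60 | tee fetch.log
# Returns 0 when the pcap on disk hashes to the MD5 the client reported,
# 1 when the lines cannot be parsed, the file is missing, or the hash differs.
verify_fetch() {
    out="$1"
    # The client prints "Filename: <path>" and "MD5 : <hex>"; take the first of each.
    pcap=$(tr -d '\r' < "$out" | sed -n 's/^Filename:[[:space:]]*//p' | head -n 1)
    want=$(tr -d '\r' < "$out" | sed -n 's/^MD5[[:space:]]*:[[:space:]]*//p' | head -n 1 \
           | tr -d ' \t' | tr 'A-F' 'a-f')
    if [ -z "$pcap" ] || [ -z "$want" ]; then
        echo "$out: could not find Filename/MD5 lines" >&2
        return 1
    fi
    if [ ! -f "$pcap" ]; then
        echo "$pcap: pcap not found (moved or cleaned up from /tmp?)" >&2
        return 1
    fi
    # Recompute and compare; md5sum output is "<hex>  <path>".
    got=$(md5sum "$pcap" | cut -d' ' -f1)
    if [ "$got" = "$want" ]; then
        echo "OK   $pcap md5=$got"
        return 0
    fi
    echo "FAIL $pcap: client reported $want, file hashes to $got" >&2
    return 1
}

# Usage on a live box: sh verify_fetch.sh fetch.log
if [ "$#" -eq 1 ]; then
    verify_fetch "$1"
fi
```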
To enable the web interface we need to tell Apache to load our site:
sudo ln -s /etc/apache2/sites-available/openfpc.apache2.site /etc/apache2/sites-enabled/openfpc.conf
sudo service apache2 restart
Let's check the web interface and make sure that's working OK as well.
Navigate to http://192.168.0.128/openfpc
Log in with the credentials we created back in the DB setup.
Enter your own IP in the source box or the gateway in the destination box and check that a pcap is downloaded.
If all the tests work successfully, there's one final step to get everything integrated.
This part is simple.
- Log on to the Snorby web interface. Select Administration -> General Settings.
- Tick the box to enable Packet Capture and select OpenFPC from the dropdown box.
- Enter your username and password for OpenFPC.
- Enter the Packet Capture URL: http://yourIPHere/openfpc/cgi-bin/extract.cgi
Once these have been configured, the next time you browse a signature you should see a new dropdown labelled Packet Capture Options.
And that's all. We now have a fully functioning IDS with integrated full packet capture. We can run this on our own network, and in our case we can also run it as part of our Malware Lab to test signatures and capture traffic for C2 analysis.
If you managed to make it this far, thanks for reading :) If you're too lazy to follow these instructions, I can try to make life a little easier for you.
I have my IDS, set up as described earlier, and this OpenFPC box as OVAs. Once they have finished uploading to my Dropbox I'll publish them here for anyone to make use of.
Questions, queries, comments below.