A project I’m involved with that’s still in it’s early stages is the development of an automated, intelligent security environment that consists of:

  • Firewall, router and switch configuration management (existing in-house developed software).
  • Asset management and vulnerability scanning (Metasploit and OpenVAS).
  • Malware detection and analysis (analysis performed by Cuckoo).
  • Intrusion detection and analysis.

The last two are the final pieces to our puzzle, and given the data has high:

  • Variety: applicance, application and server logs.
  • Velocity and Volume: dozens of networks across the globe, hundrens of servers, 1000+ databases, 1000+ applications.

… it’s really a no brainer to use Hadoop as the storage framework. To dip our toes into the newfound waters of big data, whilst also evaluating a solution that could prove useful in piecing together our environment, I pieced together a network analysis server consisting of Snort, Hadoop, Pig and PacketPig.

 

about packetpig

Packetpig is an open-source Network  Security Monitoring toolset developed by Packetloop. It is comprised of a selection of Pig scripts that leverage Snort to perform analysis of full packet captures – allowing you to drill deep into network traffic, correlate data and potentially detect zero-day attacks.

You can read more about Packetpig on the projects GitHub page. The install document there is somewhat outdated, which is one reason why I’ve pieced together this document – to fill in the gaps.

 

installation

As I’ve only done this as a PoC for the moment, I built the server as an Xubunu 14.04 VM with two cores and 4GB memory assigned to it.

After the OS is installed and all preliminary tasks are taken care of – like configuring the network proxy, etc – the Cloudera repositories need to be defined so Hadoop and Pig can be installed. Create /etc/apt/sources.list.d/cloudera.list and into it add:

Update the apt cache:

  • apt-get update

… then install some pre-req’s:

  • apt-get install build-essential python-dev ethtool hadoop-0.20 hadoop-pig git-core libglib2.0-0 libglib2.0-bin libglib2.0-dev  libnids-dev libnids1.21 libmagic-dev ipython libnet1-dev python-pip flex bison libpcap0.8 libpcap0.8-dev openjdk-6-jdk libpcre3 libpcre3-dev libdumbnet-dev pkg-config gettext chromium-browser zlib1g-dev
  • pip install python-magic argparse

Disable GRO and LRO:

  • ethtool -K eth0 gro off
  • ethtool -K eth0 lro off

Install Snort from source:

  • mkdir ~/snort_src
  • cd ~/snort_src
  • wget https://www.snort.org/downloads/snort/daq-2.0.6.tar.gz
  • tar -xvzf daq-2.0.6.tar.gz
  • cd daq-2.0.6
  • ./configure
  • make
  • sudo make install
  • cd ..
  • wget https://www.snort.org/downloads/snort/snort-2.9.7.6.tar.gz
  • tar -xvzf snort-2.9.7.6.tar.gz
  • cd snort-2.9.7.6
  • ./configure –prefix /usr/local/snort –enable-sourcefire –enable-gre –enable-mpls –enable-targetbased  –enable-ppm –enable-perfprofiling –enable-reload
  • make
  • make install
  • groupadd snort
  • useradd -g snort snort
  • ln -s /usr/local/snort/bin/snort /usr/sbin/snort
  • ln -s /usr/local/snort/etc /etc/snort
  • mkdir -p /usr/local/snort/var/log
  • mkdir -p /var/log/snort
  • chown snort:snort /usr/local/snort/var/log
  • chown snort:snort /var/log/snort
  • ln -s /usr/local/snort/var/log /var/log/snort
  • ln -s /usr/local/snort/lib/snort_dynamicpreprocessor /usr/local/lib/snort_dynamicpreprocessor
  • ln -s /usr/local/snort/lib/snort_dynamicengine /usr/local/lib/snort_dynamicengine
  • mkdir /usr/local/snort/lib/snort_dynamicrules
  • ln -s /usr/local/snort/lib/snort_dynamicrules /usr/local/lib/snort_dynamicrules
  • chown -R snort:snort /usr/local/snort
  • ldconfig

Test that Snort fires up OK:

  • snort -V

If it does, log in to snort.org and download the latest rules snapshot into /usr/local/snort:

  • cd /usr/local/snort
  • tar -zxvf snortrules-snapshot-2976.tar.gz
  • cp so_rules/precompiled/Ubuntu-12-04/x86-64/2.9.7.6/*.so /usr/local/lib/snort_dynamicrules
  • snort -c /usr/local/snort/etc/snort.conf –dump-dynamic-rules=/usr/local/snort/so_rules

Edit /usr/local/snort/etc/snort.conf and uncomment all SO_RULES (excluding the legacy rules). Also ensure that all of the dynamic library paths are correct.

Create dummy white list and black list files:

  • touch /usr/local/snort/rules/white_list.rules
  • touch /usr/local/snort/rules/black_list.rules

Validate the Snort configuration:

  • snort -c /usr/local/snort/etc/snort.conf -T

It’s pretty good at telling you what is wrong with the config if there is anything that does not validate.

You can then progress with installing the remaining pre-requisites:

Edit config.h and change the value for “define FP_FILE” from “p0f.fp” to “/etc/p0f/p0f.fp”.

  •  make
  • cp p0f /usr/local/bin/
  • mkdir /etc/p0f
  • cp p0f.fp /etc/p0f/
  • ln -s /lib/x86_64-linux-gnu/libglib-2.0.so.0 /lib/x86_64-linux-gnu/libglib-2.0.so
  • cd ~
  • wget https://jon.oberheide.org/files/pynids-0.6.1.tar.gz
  • tar -zxvf pynids-0.6.1.tar.gz
  • cd pynids-0.6.1
  • tar -zxvf libnids-1.24.tar.gz
  • cd libnids-1.24/
  • ./configure CFLAGS=-fPIC –disable-libglib –disable-libnet –disable-shared && make
  • sudo make install
  • cd ..
  • python setup.py build
  • python setup.py install
  • cd ~
  • https://cran.r-project.org/src/base/R-3/R-3.2.2.tar.gz
  • tar -zxvf R-3.2.2.tar.gz
  • cd R-3.2.2
  • ./configure
  • make
  • make install
  • R –internet2
  • chooseCRANmirror()

Select Australia (Melbourne). I used the local NZ mirror and it seemed to be missing some dependencies.

 

usage examples

For the purpose of demonstration, download some pcap samples from here. In my examples I used the samples of the ZeroAccess trojan activity.

test the sample(s)

First ensure that Snort detects some attacks in your pcap file:

  • cd /opt/packetpig
  • snort -c lib/snort/etc/snort.conf -A fast -y -l out -r ~/zeroaccess.pcap
  • cat out/alert

out/alert should contain some alerts:

Fire up a based file-serving HTTP server that will allow you to use the built-in visualisation tools:

python -m SimpleHTTPServer 8080

unigram chart

  • pig -v -x local -f pig/charts/ngram-chart.pig -param pcap=~/zeroaccess.pcap -param snortconfig=lib/snort/etc/snort.conf

Concatenate and fix up the output files:

  • find output/ngram-chart/ -name ‘part-m-*’ -exec cat {} \; > output/ngram-chart/combined
  • sed ‘s/,,/,All Protocols,/g’ output/ngram-chart/combined > output/ngram-chart/combined-fixed

In the browser, use http://localhost:8080/vis/charts/main.html to visualise the charts:

globe

  • pig -v -x local -f pig/globe/globe-snort.pig -param pcap=~/zeroaccess.pcap -param snortconfig=lib/snort/etc/snort.conf

what’s next?

Real-time flow analysis.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

w

Connecting to %s