Sunday, May 3, 2015

SourceFire IPS - Understanding Inline Deployments

Understanding how your SourceFire Sensors (or any other IPS for that matter) are deployed is very important to the results you can expect from the device(s).

In this post, I will focus on providing clarity on some of the things you should be aware of when configuring your SourceFire IPS to be inline.

First off let's  understand what is meant by inline deployment. In an inline deployment, the IPS device sits between two network devices. Typically, this would be a perimeter firewall which connects the internal network to the Internet and an internal device such as a switch which connects the devices in the local LAN to the perimeter firewall as shown below.

In the diagram above, the eth0 and eth1 on the sensor forms an inline pair through which the traffic will flow between the switch and the firewall. This is the first step in a successful inline deployment.

Now that our device is inline, we need to configure our IPS Intrusion Policy to "Drop When Inline"


Final step is to select the relevant rule and ensure "Drop and Generate Events" is specified for the rule
 

Below shows the options available for configuring rule state.



Below shows an example of a rue which has been configured to "Drop and Generate Events". Note the red "X" at the end.



As this post has shown, to truly achieve IPS functionality, you need to not only have your device inline but also to cinfigure both the policy and the rules.

Hope you enjoyed reading this post. 

PFSense + Splunk - Security on the cheap - Parsing DHCP Server Logs

Continuing with the Splunk dashboards, let's add a panel for parsed ARPWatch logs

Sample DHCP Server Message


May  2 20:15:14 192.168.0.1 May  3 00:15:06 dhcpd: DHCPACK on 192.168.0.14 to cc:55:ad:1a:2b:c5 via dc0

Our Search Filter:
"dhcpd:" | rex field=_raw "dhcpd:\s(?<dhcp_message>[A-Za-z]*).*\s(?<ip_address>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}).*\s(?<mac_address>[A-Fa-f0-9]{2}:[A-Fa-f0-9]{2}:[A-Fa-f0-9]{2}:[A-Fa-f0-9]{2}:[A-Fa-f0-9]{2}:[A-Fa-f0-9]{2}).*\s(?<interface>.*)" | stats count by ip_address, dhcp_message, mac_address, interface

Our Results:




Similarly to the previous posts in this series, being able to monitor your DHCP activity can help add context to your network, putting you in a better position to decide how to move forward.



In this series:
1. PFSense + Splunk - Security on the cheap
2. PFSense + Splunk - Security on the cheap - Parsing Firewall logs
3. PFSense + Splunk - Security on the cheap - Parsing ARPWatch Logs
4. PFSense + Splunk - Security on the cheap - Parsing Snort Logs
5. PFSense + Splunk - Security on the cheap - Parsing DHCP Server Logs

PFSense + Splunk - Security on the cheap - Parsing Snort Logs


Continuing with the Splunk dashboards, let's add a panel for parsed Snort logs

A Snort alert message looks as follows:
Apr 22 16:33:30 192.168.0.1 Apr 22 20:33:03 snort[64690]: [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.168.0.11:49917 -> 72.251.227.249:80

To build out our Snort Monitoring Panel, the following search filter will be used:

host="192.168.0.1" snort NOT "/usr/sbin/cron" | rex field=_raw "\ssnort\[[0-9]*\]:\s\[(?<snort_sid>[0-9:].*?)\]\s\((?<snort_preprocessor>.*)\)\s(?<snort_message>.*)\[Classification:\s(?<snort_classification>.*)\]\s\[Priority:\s(?<snort_priority>[0-9]{1})\]\s\{(?<snort_protocol>.*)\}\s(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}):(?<src_port>[0-9].*?)\s\-\>\s(?<dest_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}):(?<d_port>[0-9].*)" | stats count by snort_sid, snort_preprocessor, snort_message,  snort_classification, snort_priority, snort_protocol, src_ip, src_port, dest_ip, d_port | sort snort_priority

Results from our search



Why would this information be helpful? If you are using a centralize dashboard for all your security monitoring, the panel can give you the insight as to what is going on in your network. You can then go directly to your Snort device to dig a bit deeper or to perform further analysis.

Hope you find this helpful and see you in the post on Parsing of ARPWatch Logs

In this series:
1. PFSense + Splunk - Security on the cheap
2. PFSense + Splunk - Security on the cheap - Parsing Firewall logs
3. PFSense + Splunk - Security on the cheap - Parsing ARPWatch Logs
4. PFSense + Splunk - Security on the cheap - Parsing Snort Logs
5. PFSense + Splunk - Security on the cheap - Parsing DHCP Server Logs


PFSense + Splunk - Security on the cheap - Parsing ARPWatch Logs


Continuing with the Splunk dashboards, let's add a panel for parsed ARPWatch logs

Sample ARPWatch Log Message
Apr 14 16:05:49 192.168.0.1 Apr 14 20:05:08 kernel: arp: 192.X.X.11 moved from 24:77:03:32:55:30 to 88:53:2e:50:9d:3f on dc0

This message shows that the MAC Address for IP 192.X.X.11 has changed. This is significant as it can help to detect ARP Spoofing


Our Search Filter:
host="pfsense_firewall" arp: | rex field=_raw "arp:\s(?<ip_address>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\smoved\sfrom\s(?<before_mac>[A-Fa-f0-9]{2}:[
A-Fa-f0-9]{2}:[A-Fa-f0-9]{2}:[A-Fa-f0-9]{2}:[A-Fa-f0-9]{2}:[A-Fa-f0-9]{2})\sto\s(?<after_mac>[A-Fa-f0-9]{2}:[A-Fa-f0-9]{2}:[A-Fa-f0-9]{2}:[A-Fa-f0-9]{2}:[A-Fa-f0-9]{2}:[A-Fa-f0-9]{2})\son\s(?<interface>.*)" | stats count by ip_address, before_mac, after_mac, interface

Our Results


Being able to track changing MAC Addresses may help you identify misconfigured and or malicious hosts in your network.


See you in the next post where we parse DHCP Logs

In this series:
1. PFSense + Splunk - Security on the cheap
2. PFSense + Splunk - Security on the cheap - Parsing Firewall logs
3. PFSense + Splunk - Security on the cheap - Parsing ARPWatch Logs
4. PFSense + Splunk - Security on the cheap - Parsing Snort Logs
5. PFSense + Splunk - Security on the cheap - Parsing DHCP Server Logs

PFSense + Splunk - Security on the cheap - Parsing Firewall logs


Splunk allows you to build dashboards which can be the view you see as you enter Splunk.

The searches below should be plugged into your dashboards as a panel, giving you a quick environment overview.

Sample Firewall Log
May  1 19:43:35 pfsense_firewall May  1 23:43:25 filterlog: 78,16777216,,1000002761,eth0,match,pass,out,4,0x0,,63,55879,0,DF,6,tcp,60,10.0.0.2,10.0.0.3,52008,443,0,S,4088643738,,14600,,mss;sackOK;TS;nop;wscaleFrom the above we can see that the firewall logs are flagged via "filterlog:". Using this information we will build out the information to monitor for the firewalls.

First let's build a table that allows us to get a view of all information flow seen by the firewall


Our search filter:
host="pfsense-firewall" "filterlog:"  | rex field=_raw "filterlog:\s[0-9]*,[0-9]*,,[0-9]*,(?<interface>[0-9A-Za-z]*),(?<status>[A-Za-z]*),(?<pass_block>[A-Za-z]*),(?<in_out>[A-Za-z]*),[0-9]*,[0-9A-Za-z\s]*,[0-9]*,[0-9]*,[0-9]*,[0-9]*,[0-9A-Za-z]*,(?<protocol_number>[0-9]*),(?<protocol>[A-Za-z0-9]*),[0-9]*,(?<s_ip>[A-Za-z0-9\.\:]*),(?<d_ip>[A-Za-z0-9\.\:]*),(?<s_port>[0-9]*),(?<d_port>[0-9]*)"

The result of the above is shown below:



Now that we have the overview of the traffic, let's expand on our security monitoring by being a bit more focused. Let's look at the more active IPs

Our search filter:
host="pfsense_firewall" "filterlog:" ,match,pass, NOT *v6 | rex field=_raw "filterlog:\s[0-9]*,[0-9]*,,[0-9]*,(?<interface>[0-9A-Za-z]*),(?<status>[A-Za-z]*),(?<pass_block>[A-Za-z]*),(?<in_out>[A-Za-z]*),[0-9]*,[0-9A-Za-z\s]*,[0-9]*,[0-9]*,[0-9]*,[0-9]*,[0-9A-Za-z]*,(?<protocol_number>[0-9]*),(?<protocol>[A-Za-z0-9]*),[0-9]*,(?<s_ip>[A-Za-z0-9\.\:]*),(?<d_ip>[A-Za-z0-9\.\:]*),(?<s_port>[0-9]*),(?<d_port>[0-9]*)" | stats count by s_ip | sort count | reverse


Results of our search























While monitoring successful IPs is important, monitoring dropped IPs is just as important. These dropped IPs can serve as an early warning system

Our search filter:
host="pfsense_firewall" "filterlog:" ,match,block, NOT *v6  | rex field=_raw "filterlog:\s[0-9]*,[0-9]*,,[0-9]*,(?<interface>[0-9A-Za-z]*),(?<status>[A-Za-z]*),(?<pass_block>[A-Za-z]*),(?<in_out>[A-Za-z]*),[0-9]*,[0-9A-Za-z\s]*,[0-9]*,[0-9]*,[0-9]*,[0-9]*,[0-9A-Za-z]*,(?<protocol_number>[0-9]*),(?<protocol>[A-Za-z0-9]*),[0-9]*,(?<s_ip>[A-Za-z0-9\.\:]*),(?<d_ip>[A-Za-z0-9\.\:]*),(?<s_port>[0-9]*),(?<d_port>[0-9]*)" | stats count by s_ip | sort count | reverse

Search Results:
























Monitoring allowed ports
Monitoring the allowed ports is just as important as monitoring the blocked ports. The objective here is that you get an idea of what ports are allowed through your network. This information may help you to recognise a misconfigured firewall or even a host that is infected or behaving in a suspicious manner.

Our search filter:
host="pfsense_firewall" "filterlog:" ,match,pass, NOT *v6 | rex field=_raw "filterlog:\s[0-9]*,[0-9]*,,[0-9]*,(?<interface>[0-9A-Za-z]*),(?<status>[A-Za-z]*),(?<pass_block>[A-Za-z]*),(?<in_out>[A-Za-z]*),[0-9]*,[0-9A-Za-z\s]*,[0-9]*,[0-9]*,[0-9]*,[0-9]*,[0-9A-Za-z]*,(?<protocol_number>[0-9]*),(?<protocol>[A-Za-z0-9]*),[0-9]*,(?<s_ip>[A-Za-z0-9\.\:]*),(?<d_ip>[A-Za-z0-9\.\:]*),(?<s_port>[0-9]*),(?<d_port>[0-9]*)" | stats count by d_port | sort count | reverse

Search results:





monitoring blocked ports

Similarly to monitoring allowed ports, we also need to monitor blocked ports. This helps us to understand which hosts may be trying to communicate on ports which are not allowed on the network helping to add context to the environment.


Our search filter:
host="pfsense_firewall" "filterlog:" ,match,block, NOT *v6 | rex field=_raw "filterlog:\s[0-9]*,[0-9]*,,[0-9]*,(?<interface>[0-9A-Za-z]*),(?<status>[A-Za-z]*),(?<pass_block>[A-Za-z]*),(?<in_out>[A-Za-z]*),[0-9]*,[0-9A-Za-z\s]*,[0-9]*,[0-9]*,[0-9]*,[0-9]*,[0-9A-Za-z]*,(?<protocol_number>[0-9]*),(?<protocol>[A-Za-z0-9]*),[0-9]*,(?<s_ip>[A-Za-z0-9\.\:]*),(?<d_ip>[A-Za-z0-9\.\:]*),(?<s_port>[0-9]*),(?<d_port>[0-9]*)" | stats count by d_port | sort count | reverse

Search results:



The above should give us a very good idea about the hosts that are communicating through our firewall and how the traffic is distributed. This is extremely important as it helps to add context to your environment and where possible create a baseline.


Hope you enjoyed this post. See you in the post on parsing snort alert logs.
In this series:
1. PFSense + Splunk - Security on the cheap
2. PFSense + Splunk - Security on the cheap - Parsing Firewall logs
3. PFSense + Splunk - Security on the cheap - Parsing ARPWatch Logs
4. PFSense + Splunk - Security on the cheap - Parsing Snort Logs
5. PFSense + Splunk - Security on the cheap - Parsing DHCP Server Logs

PFSense + Splunk - Security on the cheap

PFSense + Splunk - Security on the cheap

PFSense is a wonderful piece of free software. Using the free Splunk along with PFSense can give you quite a effective way to start securing your environment without having to spend a dime.

In this post we will not look at configuring PFSense packages. However, we will look at configuring forwarding of the logs below to a remote Syslog server. In this case we will use Splunk to parse

1. Parsing Firewall logs
2. Parsing ARPWatch Logs

3. Parsing Snort Logs
4. Parsing DHCP Server Logs

     
To configure PFSense to forward logs we must do the following:
    1.    From the "Diagnostics" tab, select "System Activity"
    2.    In the "Systems Activity" window, ensure the following are checked:
        (i)        Show log entries in reverse order (newest entries on top)
        (ii)    Log packets matched from the default block rules put in the ruleset
        (iii)    Log packets matched from the default pass rules put in the ruleset
        (iv)     Log packets blocked by 'Block Bogon Networks' rules
        (v)         Log packets blocked by 'Block Private Networks' rules
        (vi)     Log errors from the web server process.
      
    3. Optional - if you don't wish to write the logs to the local firewall ensure the following is checked  
        (i)     Disable writing log files to the local disk
      
    4,    From the "Source Address" drop down select "LAN"
    5.    Select your "IP Protocol" - I'm sure this would be IPv4
    6.     For "Enable Remote Logging", ensure " Send log messages to remote syslog server" is checked
    7.  For "Remote Syslog Servers", enter the IP address of your Splunk Instance
    8.    For "Remote Syslog Contents", ensure "Everything" is checked - unless you wish to be specific
 

Below shows a snapshot of what we should be doing.



Above image shows part of the configuration needed for PFSense to send its logs to Splunk

Next post we will look at parsing this data out in Splunk

In this series:
1. PFSense + Splunk - Security on the cheap
2. PFSense + Splunk - Security on the cheap - Parsing Firewall logs
3. PFSense + Splunk - Security on the cheap - Parsing ARPWatch Logs
4. PFSense + Splunk - Security on the cheap - Parsing Snort Logs
5. PFSense + Splunk - Security on the cheap - Parsing DHCP Server Logs

Privacy vs Security In The Age Of PRISM



Introduction
As we continue to march forward with advances in technology, technology continues to cause friction between privacy and security. In addition, as technology becomes more easily available and accessible, it also becomes more pervasive. This pervasiveness allow governments to find new and creative way to police its citizens by snooping on their communications. In addition, governments have taken steps to enact laws which gives them seemingly unfettered access to their citizens communications and hence their data. One such program which was implemented as a result of these new laws in the United States (US), is PRISM. These new policing measures are currently the primary contributing factors in the debate of security vs privacy.

PRISM Background
PRISM is an internal US Government computer system which was created in 2008 by the US Congress. It’s primary purpose is to facilitate the authorized collection of foreign intelligence information via electronic sources and through various electronic communication service providers (Director of National Intelligence, 2013).  This program has resulted in numerous lawsuits which challenges not only its authenticity but also its infringement on the privacy of US citizens. According to (Director of National Intelligence, 2013), the objective of this program is to acquire foreign intelligence information on targets located outside of the US. However, the PRISM program through top secret court orders, has compelled companies like Verizon to turn over millions of US customers data (Greenwald & MacAskill, 2013). In addition, the collection of intelligence – be it accidental or deliberate – such as email, voice, text, video chats, etc., from a number of US citizens via companies such as Microsoft, Yahoo, Google, Apple, etc., contributes significantly to debate that PRISM encroaches on the privacy of US citizens (Gellman & Lindeman, 2013). The biggest concern and threat to privacy is the National Security Agency’s (NSA) ability to obtain information without having to request them from the service provider or without the need for a court order (Greenwald & MacAskill, 2013) along with the Government’s threat to apply significant financial penalties to organization that refuses to cooperate in providing data about their users, as was done to Yahoo (Rusche, 2014).

The Need For Security
            Providing security for its citizens is one of the top priority for any government and the US Government is no different. The US Government through institutions such as the Department of Homeland Security (DHS) strive to protect the homeland and ensure it is safe, secure and resilient against terrorist and other hazards (dhs.gov, 2012). In addition organization’s such as the National Security Agency (NSA) confronts the challenges of preventing adversaries from gaining access to sensitive or classified national security information (nsa.gov, 2011). The world as we know it at present is a very dangerous place. On September 11, 2011, terrorist executed the worst ever attack in US history, flying 2 planes into the World Trade Center Buildings, causing the deaths of 2,977 people  (cnn.com, 2015). On April 15, 2013 two brothers, Dzhokhar Tsarnaev and Tamerlan Tsarnaev detonated 2 bombs at the Boston Marathon, killing 3 and wounding 260 people (History.com Staff, 2014). These two examples support the case for some of the measures governments may need to put in place to prevent these types of activities. Governments should not always be in a reactive mode but instead should be more proactive. As a result the need for programs such as PRISM becomes more relevant providing they do not encroach on the privacy of citizens. These programs allow governments through institutions such as DHS and NSA to be proactive by collecting intelligence which gives the relevant insights allowing it to make decisions which may ultimately prevent attacks such as the ones above.

The Need For Privacy
            The development and advancement of technology makes the argument for privacy much greater. As stated by (Brenner, 2010) “Ways may . . . be developed by which the government, without removing papers from secret drawers, can reproduce them in court, and by which it will be enabled to expose . . . the most intimate occurrences of the home.” The aforementioned, shows that unless governments are kept in check, our privacy may be so eroded that we no longer have any left. It is one thing to allow and or give the government through agencies such as DHS and NSA the capabilities to protect us from harm which may be perpetuated against us. However, it is also our responsibility to ensure that the government does not exploit those privileges with the ultimate objective of eroding our right to privacy. We should all care about privacy even though privacy is not necessarily secrecy (Doctorow, 2013). If the government through its agencies like DHS and or NSA were to retrieve information which suggest you did something wrong, then these agencies may view everything else you do through the lens of this data (Doctorow, 2013). If our privacy is taken away, then all persons will become suspect. However, some persons will be more suspect than others (Mery, 2005).  

As a people, if we need proof as to why we should take our privacy seriously, the case of David Mery should serve as an absolute wake up call. David Mery was arrested and charged under the UK Terrorism Act for suspicious behavior and public nuisance.  This all stemmed from his behavior being deemed suspicious by police after direct observation of him from watching the CCTV system while he was in the London Subway. The charges were ultimately dropped. However, even though the charges were dropped, the police were still entitled to hold on to Mery’s fingerprints, DNA, anything gathered during the investigations, photographs, interviewing tapes, etc. (Mery, 2005) The biggest concern with this case is even though Mery was considered innocent in the eyes of the law, he is also still guilty as a result of the law, as he cannot now get his file wiped.

Legal Challenges To PRISM
            Legal means have always been used to challenge the legality of laws and or programs which have been implemented by Governments. PRISM has had its fair share of lawsuits which challenges various aspects of the program. However, some of these lawsuits have been successful while others have been unsuccessful. Yahoo’s unsuccessful bid to challenge the government and the laws which supports PRISM on the grounds that it was unconstitutional and overboard (Rusche, 2014) is evidence that it can be difficult to win cases against the government. Once Yahoo lost their case, the government added even more pressure to obtain the requested data by threatening to fine Yahoo $250,000 per day with that amount doubling weekly. Similarly to Yahoo, the American Civil Liberties Union (ACLU) has filed a law suit against the PRISM program stating that it is unconstitutional (aclu.org, 2013). These lawsuits may end up providing greater insight into the operation of the PRISM program. However, if the government continues to threaten companies that refuses to comply, then the program will always be viewed suspiciously.

Conclusion
In a debate between security vs privacy, my choice will always be privacy. There has been many instances in which I have seen and can clearly understand how and why some persons can choose to believe any and everything that is produced by the computer and or devices used for computing. While it is one thing for data to be retrieved about us, when that data is considered to be retrieved without our permission and encroaches on my privacy that should be of greater concern. More importantly, how that data is used should be our biggest fear. The problem with using this data is not only its usage but its ultimate interpretation by the personnel entrusted with it. Therefore it is our responsibility to ensure that we take all measures available to guard our privacy and in the process reduce the amount of information governments through their agencies such as DHS and NSA can obtain from and about us.
It is clearly understood and expected that the government will need to collect information to proactively protect its citizens. In collecting this data, the government should be able to identify when it may be going beyond its reach and thus encroaching on our privacy or breaching our constitutional rights. Because governments seldom considers our privacy first when focusing on securing its citizens, it is the citizens’ responsibility to keep the government actions in check. Unless this is done, the government will continue marching forward enacting laws which encroaches on our privacy and after a while we may be at a stage at which all our privacy has been eroded. Ultimately, as it was asked by (Mery, 2005), “Isn't a state that keeps files on innocent persons a police state?”


References

aclu.org. (2013, June 11). ACLU Files Lawsuit Challenging Constitutionality of NSA Phone Spying Program. Retrieved from aclu.org: https://www.aclu.org/news/aclu-files-lawsuit-challenging-constitutionality-nsa-phone-spying-program?redirect=national-security/aclu-files-lawsuit-challenging-constitutionality-nsa-phone-spying-program
Brenner, S. (2010). Cybercrime, Criminal Threats from Cyberspace. Santa Barbara, California: Praeger.
cnn.com. (2015, March 27). September 11th Fast Facts. Retrieved from cnn.com: http://www.cnn.com/2013/07/27/us/september-11-anniversary-fast-facts/
dhs.gov. (2012, December 17). Our Mission. Retrieved from dhs.gov: http://www.dhs.gov/our-mission
Director of National Intelligence. (2013). Facts on the Collection of Intelligence Pursuant to Section 702 of the Foreign Intelligence Surveillance Act. Washington, DC 20511.
Doctorow, C. (2013, June 14). The NSA's Prism: why we should care . Retrieved from theguardian.com: http://www.theguardian.com/technology/blog/2013/jun/14/nsa-prism
Gellman, B., & Lindeman, T. (2013, June 29). Inner workings of a top-secret spy program. Retrieved from http://apps.washingtonpost.com: http://apps.washingtonpost.com/g/page/national/inner-workings-of-a-top-secret-spy-program/282/
Greenwald, G., & MacAskill, E. (2013, June 7). NSA Prism program taps in to user data of Apple, Google and others. Retrieved from theguardian.com: http://www.theguardian.com/world/2013/jun/06/us-tech-giants-nsa-data
History.com Staff. (2014). Boston Marathon Bombings. Retrieved from history.com: http://www.history.com/topics/boston-marathon-bombings
Mery, D. (2005, September 22). Suspicious behaviour on the tube . Retrieved from theguardian.com: http://www.theguardian.com/world/2005/sep/22/terrorism.july7
nsa.gov. (2011, April 15). Mission. Retrieved from nva.gov: https://www.nsa.gov/about/mission/index.shtml
Rusche, D. (2014, September 12). Yahoo $250,000 daily fine over NSA data refusal was set to double 'every week' . Retrieved from theguardian.com: http://www.theguardian.com/world/2014/sep/11/yahoo-nsa-lawsuit-documents-fine-user-data-refusal
theusconstitution.org. (n.d.). Current Cases. Retrieved from theusconstitution.org: http://theusconstitution.org/cases/current