websnort Documentation


Release 0.8
Steve Henderson
Jul 04, 2018

Contents

1 Features
2 Contents
3 Issues
Python Module Index


Websnort is an Open Source web service for analysing pcap files with intrusion detection systems such as snort and suricata. It allows multiple configurations of IDS setups and rulesets to be defined for running against submitted samples. Its primary use case is analysing short network captures from sandboxes and honeypots, but it can be used in any scenario where there is a need to scan pcap samples.

This guide explains how to deploy websnort in different environments and gives example configurations.

Source code for websnort is hosted on GitHub. Any bug reports or feature requests can be made using GitHub's issues system.


CHAPTER 1
Features

- Support for Suricata and Snort
- Easy to extend support for other intrusion detection systems
- Parallel execution of multiple configurations and rulesets
- Simple Web API for integrating with other systems


CHAPTER 2
Contents

2.1 Installation

2.1.1 Dependencies

websnort relies on a user already having one or more functioning IDS installations on their deployment host.

For help with installing snort please follow their documentation. For help with installing suricata please follow their documentation.

For Linux operating systems, packaged versions of these applications may already be available in your system software repository/library.

2.1.2 Install with Pip

The simplest way to install is using the pip package install utility. This will ensure all python dependencies are downloaded/installed appropriately:

    pip install websnort

It is recommended to use virtualenv to keep third-party packages isolated from system python packages. However, if installing system wide you will need to run pip as root/sudo.

2.1.3 Run from Source

The latest code can be run directly by cloning the GitHub repository:

    git clone https://github.com/shendo/websnort.git

2.1.4 Configuration

The default config for websnort is set up to interface with a snort deployment on Ubuntu/Debian, using the ruleset referenced by /etc/snort/snort.conf.

To customise the setup you can override the websnort config file by creating a new config file at one of the following locations (in order of loading precedence):

    ~/.websnort/websnort.conf
    /etc/websnort/websnort.conf

Look at the example config files provided in websnort/conf for other common configurations.

The config file format is as follows:

    [websnort]
    # Comma-separated list of config sections/instances to run
    ids = snort

    [snort]
    # python ids module name/type to use
    module = snort
    # name to give the ruleset in results
    ruleset = community
    # path to snort binary, will search path if not absolute
    path = snort
    # snort rules config file location
    config = /etc/snort/snort.conf
    # any additional command line args to include
    extra_args =

2.1.5 Inbuilt Webserver

websnort uses the python bottle framework to provide its web interface. This provides the ability to run a simple webserver from the command-line.

    usage: websnort [-h] [-H HOST] [-p PORT]

    optional arguments:
      -h, --help            show this help message and exit
      -H HOST, --host HOST  Web server Host address to bind to
      -p PORT, --port PORT  Web server Port to bind to

By default the webserver will bind to all network interfaces and run on port 8080. To run on a different port number:

    websnort -p 8000

If the service should only be reachable locally, use -H to bind to a specific address, for example websnort -H 127.0.0.1.

You will need to ensure that the user you are running the webserver as has the appropriate permissions to run snort/suricata from the command-line and can read any applicable config files.

2.1.6 Python WSGI

websnort also provides an entrypoint for interfacing with other webservers that support python WSGI. An example httpd config for apache could look something like the following:

    <VirtualHost *:80>
        ServerName www.example.com
        ServerAlias example.com
        ServerAdmin webmaster@example.com

        WSGIDaemonProcess example.com processes=3 threads=1 display-name=%{GROUP}
        WSGIProcessGroup example.com

        WSGIScriptAlias / /usr/lib/python/site-packages/websnort/web.py

        <Directory /usr/lib/python/site-packages/websnort>
            Order allow,deny
            Allow from all
        </Directory>
    </VirtualHost>

See QuickConfigurationGuide for more information on setting up modwsgi with Apache.

2.2 Usage

2.2.1 Interactive

Use a web browser and navigate to the address the websnort webserver is listening on. In these examples, the default URL http://localhost:8080 is used.

Simply select a pcap file for analysis and choose Submit.

If the server's configuration is correct, in a few seconds you should see the results of any alerts returned.

Tabs are presented for each IDS configuration that was executed. A summary count of any produced alerts is visible in the tab labels.

2.2.2 Web API

The same functionality is exposed via a JSON web API. Full details of the API can be found by navigating to http://localhost:8080/api.

To submit a pcap file for analysis, perform a HTTP multipart form POST to http://localhost:8080/api/submit. For example, using curl:

    $ curl -i --form file=@zeus-sample.pcap http://localhost:8080/api/submit
    HTTP/1.1 100 Continue

    HTTP/1.1 200 OK
    Content-Length: 5830
    Content-Type: application/json
    Date: Mon, 08 Jun 2015 03:18:42 GMT

    {
        "status": "Success",
        "errors": [],
        "apiversion": "0.5",
        "filename": "zeus-sample.pcap",
        "start": "2015-06-08T13:18:37.839617",
        "filesize": 905847,
        "duration": 4.645783,
        "analyses": [
            {
                "status": "Success",
                "name": "snort_vrt",
                "alerts": [
                    {
                        "source": "157.56.134.98:80",
                        "classtype": "Misc activity",
                        "protocol": "TCP",
                        "sid": 2925,
                        "timestamp": "2013-04-07T16:17:13.136263",
                        "message": "INFO web bug 0x0 gif attempt",
                        "destination": "192.168.56.101:1089",
                        "revision": 3
                    },
                    {
                        "source": "65.55.253.27:80",
                        "classtype": "Misc activity",
                        "protocol": "TCP",
                        "sid": 2925,
                        "timestamp": "2013-04-07T16:17:13.137856",
                        "message": "INFO web bug 0x0 gif attempt",
                        "destination": "192.168.56.101:1087",
                        "revision": 3
                    },
                    {
                        "source": "65.55.239.146:80",
                        "classtype": "Misc activity",
                        "protocol": "TCP",
                        "sid": 2925,
                        "timestamp": "2013-04-07T16:17:13.636785",
                        "message": "INFO web bug 0x0 gif attempt",
                        "destination": "192.168.56.101:1091",
                        "revision": 3
                    },
                    {
                        "source": "54.243.113.202:80",
                        "classtype": "Misc activity",
                        "protocol": "TCP",
                        "sid": 2925,
                        "timestamp": "2013-04-07T16:17:14.672190",
                        "message": "INFO web bug 0x0 gif attempt",
                        "destination": "192.168.56.101:1098",
                        "revision": 3
                    },
                    {
                        "source": "65.55.253.27:80",
                        "classtype": "Misc activity",
                        "protocol": "TCP",
                        "sid": 2925,
                        "timestamp": "2013-04-07T16:17:15.785273",
                        "message": "INFO web bug 0x0 gif attempt",
                        "destination": "192.168.56.101:1087",
                        "revision": 3
                    },
                    {
                        "source": "65.55.253.27:80",
                        "classtype": "Misc activity",
                        "protocol": "TCP",
                        "sid": 2925,
                        "timestamp": "2013-04-07T16:17:17.926444",
                        "message": "INFO web bug 0x0 gif attempt",
                        "destination": "192.168.56.101:1087",
                        "revision": 3
                    },
                    {
                        "source": "65.55.253.27:80",
                        "classtype": "Misc activity",
                        "protocol": "TCP",
                        "sid": 2925,
                        "timestamp": "2013-04-07T16:17:22.333182",
                        "message": "INFO web bug 0x0 gif attempt",
                        "destination": "192.168.56.101:1119",
                        "revision": 3
                    }
                ],
                "module": "snort",
                "version": "2.9.6.0 GRE (Build 47)",
                "ruleset": "Sourcefire VRT",
                "duration": 2.11351
            },
            {
                "status": "Success",
                "name": "suricata_et",
                "alerts": [
                    {
                        "source": "192.168.56.101:1081",
                        "classtype": "A Network Trojan was detected",
                        "protocol": "TCP",
                        "sid": 2018052,
                        "timestamp": "2013-04-07T16:16:40.224958",
                        "message": "ET CURRENT_EVENTS Zbot Generic URI/Header Struct.bin Download",
                        "destination": "92.50.161.168:80",
                        "revision": 4
                    },
                    {
                        "source": "192.168.56.101:1081",
                        "classtype": "A Network Trojan was detected",
                        "protocol": "TCP",
                        "sid": 2008100,
                        "timestamp": "2013-04-07T16:16:40.224958",
                        "message": "ET TROJAN PRG/wnspoem/Zeus InfoStealer Trojan Config",
                        "destination": "92.50.161.168:80",
                        "revision": 11
                    },
                    {
                        "source": "192.168.56.101:1120",
                        "classtype": "A Network Trojan was detected",
                        "protocol": "TCP",
                        "sid": 2018052,
                        "timestamp": "2013-04-07T16:17:41.235349",
                        "message": "ET CURRENT_EVENTS Zbot Generic URI/Header Struct.bin Download",
                        "destination": "92.50.161.168:80",
                        "revision": 4
                    },
                    {
                        "source": "192.168.56.101:1120",
                        "classtype": "A Network Trojan was detected",
                        "protocol": "TCP",
                        "sid": 2008100,
                        "timestamp": "2013-04-07T16:17:41.235349",
                        "message": "ET TROJAN PRG/wnspoem/Zeus InfoStealer Trojan Config",
                        "destination": "92.50.161.168:80",
                        "revision": 11
                    }
                ],
                "module": "suricata",
                "version": "1.4.7 RELEASE",
                "ruleset": "Emerging Threats",
                "duration": 4.639412
            }
        ],
        "md5": "266c1cabfae4c66dc05443eaeaa054e0"
    }

2.3 Troubleshooting

2.3.1 Why do I get a permission denied error from websnort?

You need to ensure that snort/suricata can run as the same user running the web application. In particular, check that all config files are readable by the web user. On Ubuntu, recent packages of snort deploy /etc/snort/snort.conf as readable by root only. If this is the case try:

    sudo chmod a+r /etc/snort/snort.conf

It is also worth testing without the web application, by running the snort/suricata command-line manually as the web user to verify that it produces the expected results. For example:

    snort -r /tmp/test.pcap -c /etc/snort/snort.conf -A console -l /tmp

2.3.2 Why doesn't websnort show the alerts I expect?

If you expect the pcap you are submitting to generate alerts and it doesn't, verify that the IDS generates the expected alerts from the command-line as the webapp user. For example:

    snort -r /tmp/test.pcap -c /etc/snort/snort.conf -A console -l /tmp

If this is not working you may want to disable checksum validation for the IDS, especially if the pcaps were generated from a virtual network/sandbox or replay tool. For example, in /etc/snort/snort.conf add:

    validate_checksums off

Or in /etc/suricata/suricata.yaml change:

    stream:
      memcap: 128mb
      checksum-validation: no

If your pcaps have some unusual VLAN tagging and you are running Suricata, you may want to try disabling VLAN tracking in the sessionisation. For example, in /etc/suricata/suricata.yaml change:

    vlan:
      use-for-tracking: false

2.3.3 Websnort still doesn't work, what should I do?

If you have read through the relevant sections of the documentation but are still having problems, please raise an issue on the project's issue tracker and someone may be able to assist.

2.4 Development

If you are interested in contributing to the project please read through the following sections.

2.4.1 Websnort API

The codebase is quite simple, with the execution logic defined in websnort.runner:

websnort.runner.is_pcap(pcap)
    Simple test for pcap magic bytes in the supplied file.
    Parameters: pcap: File path to pcap file to check
    Returns: True if content is pcap (magic bytes present), otherwise False.

websnort.runner.run(pcap)
    Runs all configured IDS instances against the supplied pcap.
    Parameters: pcap: File path to pcap file to analyse
    Returns: Dict with details and results of run/s

Bottle App

And the web handling, bottle routes defined in websnort.web:

websnort.web.home()
    Main page, displays a submit file form.

websnort.web.api_submit()
    Blocking POST handler for file submission. Runs snort on the supplied file and returns results as json text.

websnort.web.submit_and_render()
    Blocking POST handler for file submission. Runs snort on the supplied file and returns results as rendered html.

IDS Plugins

Interfacing with other IDS systems is possible by implementing a new plugin. The plugin can either be statically registered in websnort.plugins.registry or hooked in at install time by defining the correct setuptools entrypoint in your project. See websnort.runner.idsrunner for the expected class API.

class websnort.plugins.IDSRunner(conf)
    run(pcap)
        Run the IDS over the supplied pcap.
        Parameters: pcap: File path to pcap for analysis.
        Returns: A tuple of version, alerts list.

2.4.2 Pull Requests

If you wish to contribute a bug fix or feature, please open a pull request on the GitHub project page for discussion/review. While not strictly enforced, the code style should follow the python PEP8 standard.

2.4.3 Licensing

All contributions to the project are to be made under the terms of the GNU Public License v3. Copyright of any contributions remains the property of the original authors. If there are significant community contributions to the project we will look at updating the copyright headers of the project to make it clear that the project copyright and ownership is that of all said community developers.

2.4.4 Issues

If you have encountered a problem or need help in some aspect of the project you are probably not alone. Please raise an issue in the issue tracker on the project's GitHub page so other users can benefit from the answers too.
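An added example (not part of the websnort code base) of what a plugin following the IDSRunner contract above could look like: a hypothetical ConsoleSnortRunner whose run(pcap) shells out to snort with -A console, parses the fast-format alert lines into the same alert dictionaries the Web API returns, and checks the pcap magic bytes first in the spirit of websnort.runner.is_pcap(). The class name, the magic-byte set and the console-line parser are assumptions; a real plugin would subclass websnort.plugins.IDSRunner and be registered as described above.

```python
import re
import subprocess

# pcap magic values (both byte orders, microsecond and nanosecond variants) and the
# pcapng section header.  Constructed here; the exact set websnort's own is_pcap()
# accepts is not stated in the docs.
PCAP_MAGICS = {b"\xa1\xb2\xc3\xd4", b"\xd4\xc3\xb2\xa1",
               b"\xa1\xb2\x3c\x4d", b"\x4d\x3c\xb2\xa1", b"\x0a\x0d\x0d\x0a"}

def is_pcap_bytes(data):
    """True if the first four bytes carry a pcap/pcapng magic value."""
    return len(data) >= 4 and data[:4] in PCAP_MAGICS

# One snort console ("fast") alert line as written by -A console, e.g.
# 04/07-16:17:13.136263  [**] [1:2925:3] INFO web bug 0x0 gif attempt [**]
#   [Classification: Misc activity] [Priority: 3] {TCP} 157.56.134.98:80 -> 192.168.56.101:1089
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[\d+:(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?(?:\[Priority:\s+\d+\]\s+)?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$")

def parse_fast_alerts(text):
    """Turn console alert lines into dicts shaped like the alerts in websnort's API output."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue   # snort also prints banners and statistics; skip those lines
        alerts.append({"timestamp": m.group("ts"), "sid": int(m.group("sid")),
                       "revision": int(m.group("rev")), "message": m.group("msg"),
                       "classtype": m.group("cls") or "", "protocol": m.group("proto"),
                       "source": m.group("src"), "destination": m.group("dst")})
    return alerts

class ConsoleSnortRunner(object):
    """Hypothetical plugin; a real one would subclass websnort.plugins.IDSRunner."""
    def __init__(self, conf):
        self.conf = conf   # the IDS [section] from websnort.conf: path, config, extra_args

    def run(self, pcap):
        """Run snort over the pcap and return (version, alerts) as the plugin API expects."""
        with open(pcap, "rb") as fh:
            if not is_pcap_bytes(fh.read(4)):
                raise ValueError("%s is not a pcap file" % pcap)
        cmd = [self.conf["path"], "-r", pcap, "-c", self.conf["config"], "-A", "console",
               "-q"] + self.conf.get("extra_args", "").split()
        out = subprocess.run(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE,
                             universal_newlines=True, check=True).stdout
        ver = subprocess.run([self.conf["path"], "-V"], stdout=subprocess.PIPE,
                             stderr=subprocess.STDOUT, universal_newlines=True).stdout
        return ver.strip(), parse_fast_alerts(out)
```

Console timestamps carry no year unless snort is run with -y, so the parser passes them through as printed rather than converting to the ISO form seen in the API output.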
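As an added example for the Web API in section 2.2.2 (not code from the websnort project), a small stdlib-only Python client that performs the same multipart POST as the curl command, checks the md5 echoed in the response against the file it actually sent, and summarises alerts per IDS configuration. The constructed SAMPLE_RESULT follows the response shape shown in that section, and the default URL assumes the inbuilt webserver on localhost:8080.

```python
import hashlib
import json
import os
import uuid
import urllib.request

def build_multipart(field, filename, data):
    """Build a multipart/form-data body with one file part (what curl --form sends)."""
    boundary = uuid.uuid4().hex
    head = ('--%s\r\nContent-Disposition: form-data; name="%s"; filename="%s"\r\n'
            'Content-Type: application/octet-stream\r\n\r\n' % (boundary, field, filename))
    body = head.encode() + data + ('\r\n--%s--\r\n' % boundary).encode()
    return 'multipart/form-data; boundary=%s' % boundary, body

def submit_pcap(path, url="http://localhost:8080/api/submit"):
    """POST a pcap to /api/submit and return the decoded JSON result."""
    with open(path, "rb") as fh:
        data = fh.read()
    ctype, body = build_multipart("file", os.path.basename(path), data)
    req = urllib.request.Request(url, data=body, headers={"Content-Type": ctype})
    with urllib.request.urlopen(req, timeout=300) as resp:   # the handler is blocking
        result = json.loads(resp.read().decode())
    # websnort echoes the sample's md5; compare it with what was actually sent
    if result.get("md5") and result["md5"] != hashlib.md5(data).hexdigest():
        raise RuntimeError("md5 in response does not match submitted file")
    return result

def summarise(result):
    """Per-IDS alert counts plus the distinct (sid, message) pairs that fired."""
    if result.get("status") != "Success" or result.get("errors"):
        raise RuntimeError("websnort reported failure: %s" % result.get("errors"))
    summary = {}
    for analysis in result["analyses"]:
        sigs = sorted({(a["sid"], a["message"]) for a in analysis["alerts"]})
        summary[analysis["name"]] = {"status": analysis["status"],
                                     "alerts": len(analysis["alerts"]), "signatures": sigs}
    return summary

# Constructed response in the shape shown in section 2.2.2 (one alert per IDS).
SAMPLE_RESULT = {
    "status": "Success", "errors": [], "apiversion": "0.5",
    "filename": "zeus-sample.pcap", "md5": "266c1cabfae4c66dc05443eaeaa054e0",
    "analyses": [
        {"status": "Success", "name": "snort_vrt", "module": "snort",
         "alerts": [{"sid": 2925, "revision": 3, "protocol": "TCP",
                     "message": "INFO web bug 0x0 gif attempt",
                     "source": "157.56.134.98:80", "destination": "192.168.56.101:1089"}]},
        {"status": "Success", "name": "suricata_et", "module": "suricata",
         "alerts": [{"sid": 2008100, "revision": 11, "protocol": "TCP",
                     "message": "ET TROJAN PRG/wnspoem/Zeus InfoStealer Trojan Config",
                     "source": "192.168.56.101:1081", "destination": "92.50.161.168:80"}]}]}

if __name__ == "__main__":
    print(json.dumps(summarise(SAMPLE_RESULT), indent=2))
```

With the requests library available, requests.post(url, files={"file": open(path, "rb")}) produces the same multipart request as build_multipart plus urllib here.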

CHAPTER 3
Issues

If you encounter problems with websnort, please refer to the Troubleshooting section of the documentation.


Python Module Index

websnort.plugins
websnort.runner
websnort.web


Index

api_submit() (in module websnort.web)
home() (in module websnort.web)
IDSRunner (class in websnort.plugins)
is_pcap() (in module websnort.runner)
run() (in module websnort.runner)
run() (websnort.plugins.IDSRunner method)
submit_and_render() (in module websnort.web)
websnort.plugins (module)
websnort.runner (module)
websnort.web (module)