Thursday, September 19, 2013

IPV6 test snort rules

For anyone else working on migrating into ipv6 environments, and to drop this somewhere that I can reference it easily later, here are some handy rules to just get snort to spit out some generic alerts for IPv6 traffic.

alert icmp any any -> any any (msg:"IPv6PING-request"; itype:128; classtype:icmp-event; sid:6000001; rev:1;)
alert icmp any any -> any any (msg:" IPv6PING-reply"; itype:129; classtype:icmp-event; sid:6000002; rev:1;)
alert ip any any -> any any (msg:"IPv6 routing header"; ip_proto:43; classtype: policy-violation; sid:6000005; rev:1;)
alert ip 2607:f380:0:0:0:0:0:0/32 any -> any any (msg:"IPv6 net rule 1"; classtype:policy-violation; sid:6000003; rev:1;)
alert ip any any -> 2607:f380:0:0:0:0:0:0/32 any (msg:"IPv6 net rule 2"; classtype:policy-violation; sid:6000004; rev:1;)


6000003 and 6000004 will likely need to be adjust to fit your ipv6 scheme, but 600000{1,2,5} should trigger for most networks/traces.

Make sure you're using a recent version of snort (2.9.4 or higher I think), or that your older version is compiled with --enable-ipv6

Wednesday, September 18, 2013

Malicious URL feeds

Keeping a small army of web crawling client honeypots well fed with new and interesting urls has been a bit of a challenge. In addition to url harvesting from a few research partner networks, I've put together a daily list of feeds that I fetch urls from.

Note that all the urls found via these feeds should be treated as VERY dangerous.

These lists often contain duplicate entries between them, but it's not too hard to filter those out with a simple script.

If you have any suggestions for additional feeds of malicious URLs, I'd really appreciate hearing about them (my web crawlers are hungry!)

Malicious URL Feeds - Use at your own risk!

##Malware Domain List - Public Feed##
http://www.malwaredomainlist.com/mdlcsv.php

##Zeus tracker##
https://zeustracker.abuse.ch/rss.php

##VXvault Public Feed##
http://vxvault.siri-urz.net/URL_List.php

##the SANS threat list##
http://isc.sans.edu/feeds/suspiciousdomains_Low.txt

##Malware Patrol##
http://www.malware.com.br/cgi/submit-agressive?action=list&type=agressive

##URL void malicious domain list##
##Malwaredomains DNS-BH list##
http://mirror1.malwaredomains.com/files/domains.txt

##cybercrime-tracker##
http://cybercrime-tracker.net/rss.xml

##malwareblacklist##
http://www.malwareblacklist.com/mbl.xml

Tuesday, January 17, 2012

Basic OSSEC

I've been using OSSEC for about a year now, and if you run any systems that you are actually concerned about the security of then you should be running it too...

For those that have no idea what OSSEC is:

"OSSEC is an Open Source Host-based Intrusion Detection System. It performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.
It runs on most operating systems, including Linux, MacOS, Solaris, HP-UX, AIX and Windows. A list with all supported platforms is available here."

They've also made it trivial to install, to the point where I just wrapped the process into a shell script that I can deploy automatically on my own systems or those of customers. This one is for CentOS Linux, but it could be easily modified to do a source build for other distros...


 #!/bin/bash  
 log=/tmp/setup.log  
 wget -q -O atomicossec_installer.sh https://www.atomicorp.com/installers/atomic  
 chmod +x atomicossec_installer.sh  
 ./atomicossec_installer.sh  
 yum -y install ossec-hids ossec-hids-server >> $log 2>&1  
 cp -f ossec.conf.default /var/ossec/etc/ossec.conf  
 /var/ossec/bin/ossec-control enable client-syslog  
 /etc/init.d/ossec-hids start >> $log 2>&1  
 chkconfig ossec-hids on  

Notes:
1. ossec.conf.default is your own modified ossec.conf file, a template you want to reuse on multiple similar hosts. If you don't have one, ignore that line.

2. "/var/ossec/bin/ossec-control enable client-syslog" is necessary to allow the ossec server to collect raw syslog from other hosts. You will also need a section in your ossec.conf like the following in order to grant hosts/networks the permission to send them:

 <remote>  
   <connection>syslog</connection>  
   <allowed-ips>192.168.148.103</allowed-ips>  
   <allowed-ips>192.168.1.0/24</allowed-ips>  
   <port>514</port>  
 </remote>  


3. For email alerts to work you'll need to modify the ossec.conf file to set the email_alerts value to "yes", and set a valid email address for it to send alerts to.

Friday, March 18, 2011

mention map

this is just a really cool twitter visualization, I've added it to my twitter page..

update: guess the embed is broken, oh well. still a cool visualization http://mentionmapp.com/beta/classic/index.php#user-insecuresystem