Thursday, December 31, 2015

Happy New Year: Analog Sensor & IOT Relay Code

Happy New Year! To start the year out right, I am sharing my Arduino code for enabling/disabling power using a Digital Loggers' AC/DC Control Relay and a Funduino Keyes photosensitive analog sensor. Tweak the if/else numbers to suit your environment or swap out the module for another sensor. Next year, you won't even have to switch on your Christmas tree!

Thursday, December 17, 2015

PCI Essentials: Credit Card Numbers Explained

Credit card numbering is defined by ISO/IEC 7812-1, which assigns each card-issuing institution (Visa, MasterCard, American Express, a bank) one or more six-digit prefixes. The prefix is the Issuer Identification Number (IIN), often called the BIN, and the American National Standards Institute (ANSI) serves as the ISO registration authority that hands them out. An issuer may hold many IINs, but each IIN belongs to exactly one issuer. The most notable IINs can be recognized by their first digits:
  • American Express: 34xx and 37xx
  • JCB: 35xx
  • Visa: 4xxx
  • Mastercard: 51xx to 55xx
  • Discover: 64xx and 65xx
The IIN forms the first six digits of the Primary Account Number (PAN), which is up to 19 digits long. The digits after the IIN are the individual account identifier, and the final digit is a check digit computed with the MOD 10 algorithm, the common name for the Luhn algorithm: a checksum that catches single-digit typos and most adjacent transpositions. The Card Verification Value (CVV) is not part of the PAN at all. The three- or four-digit code printed on the card (CVV2) is never encoded on the stripe, while a separate value (CVV1/CVC1) may sit in the discretionary data of the magnetic tracks. Several other standards cover magnetic-stripe cards:
  • ISO/IEC 7810 (format ID-1) defines the physical card dimensions.
  • ISO/IEC 7812 defines the first digit of the IIN as the "major industry identifier" (MII):
    • 0 - ISO/TC 68 and other industry assignments
    • 1 - Airlines
    • 2 - Airlines, financial and other future industry assignments
    • 3 - Travel and entertainment
    • 4 - Banking and financial
    • 5 - Banking and financial
    • 6 - Merchandising and banking/financial
  • ISO/IEC 7813 defines the financial transaction card: it references 7810 for the physical characteristics and specifies the track 1 and track 2 data structures.
If we look at a test credit card number published by PayPal, we can parse it using the above information. For example, credit card number 6011000990139424:
  • IIN digits: 601100 (Discover)
  • Individual account identifier: 099013942
  • Check digit: 4 (the number passes the Luhn check)
  • CVV: not part of the number; PayPal's test numbers ship without one so they cannot be used.
Card readers pull the data off the card's magnetic stripe and present it per "track". Hotel room keys use the same track layout, although which track is populated depends on the implementation. Track 1 is easy to recognise from its start sentinel: a percent sign "%" followed by the format code "B" (the financial format). The Primary Account Number follows, and every subsequent field is delimited by the "^" field separator: the cardholder name (SURNAME/FIRST, space padded), the expiry date as YYMM, the three-digit service code, and finally discretionary data, which may carry a PIN verification value and a CVV1/CVC1. A missing expiry date or service code is replaced by another "^". The track ends with the "?" end sentinel, followed on the stripe by a longitudinal redundancy check (LRC) character. An example of track 1 data is as follows:

%B6011785948493759^DOE/JOHN L                ^^^0000000      00998000000?

Track 2 data similarly begins with a start sentinel (";"), then the PAN, an equal-sign ("=") separator, the YYMM expiry date, the service code and the discretionary data, closed by the same "?" end sentinel. Track 3 for financial institution cards (ISO/IEC 4909) is outside the scope of this post.

Card Reading Tips:
  • The following regex will parse track 1 data into its six groups (format code, PAN, name, expiry date, service code, discretionary data):
    • ^%([A-Z])([0-9]{1,19})\^([^\^]{2,26})\^([0-9]{4}|\^)([0-9]{3}|\^)([^\?]+)\?$
  • For reading track 1 and 2 data, I have had some success with the following card swiper:
    • "MagTek 21040108 Triple Track Magnetic Stripe Swipe Card Reader with USB Keyboard Emulation and 6' Cable, 50 in/s Swipe Speed, Black"
  • Echo output to a file on Windows (a keyboard-emulation reader types the track as keystrokes)
    • C:\> TYPE CON > output.txt
    • Press Ctrl+Z and then Enter to end the capture.
  • Echo output to a file on Linux
    • $ cat | tee outfile
    • Press Ctrl+D to end the capture.
  • Treat any captured file as sensitive authentication data: PCI DSS prohibits storing full track contents after authorization, so use test cards only and wipe the capture files when you are done.
References: 
  • http://www.getcreditcardnumbers.com/
  • http://publicaa.ansi.org/sites/apdl/Documents/Other%20Services/Registration%20Programs/Important-Info.pdf
  • https://www.paypalobjects.com/en_US/vhelp/paypalmanager_help/credit_card_numbers.htm
  • https://en.wikipedia.org/wiki/ISO/IEC_7180
  • https://en.wikipedia.org/wiki/ISO/IEC_7812
  • https://en.wikipedia.org/wiki/ISO/IEC_7813
  • https://en.wikipedia.org/wiki/ISO/IEC_4909

Thursday, December 3, 2015

ICS Essentials: IEEE-1588 Precision Time Protocol (PTP)

IEC 61850-compliant substations (sampled values over the process bus) require timing accurate to about 1 microsecond. The Precision Time Protocol (PTP) is designed to meet this demand; however, PTP accuracy depends on the hardware, including whether timestamps are taken in the NIC or by a physical or virtual CPU. Some vendors, most notably Belden (i.e., Hirschmann), have had success integrating PTP on Linux, VxWorks and Windows platforms. For the hobbyist, you can reduce the drift between the kernel clock and the PTPd daemon by disabling the kernel's tickless (dynamic tick) mode via a boot parameter:
  • Edit the GRUB defaults file: $ sudo vi /etc/default/grub
  • Append the kernel parameter nohz=off to the GRUB_CMDLINE_LINUX_DEFAULT line.
  • Update GRUB: $ sudo update-grub
  • Reboot so the new kernel command line takes effect.
Not all devices support PTP, since support depends on the chosen CPU and NIC hardware. Additionally, not all switch expansion modules support PTP, e.g. the Cisco IE 3000 switch's expansion modules. This highlights the need to understand a device's supported capabilities, as the default PTP configuration may also need adjustment. For example, the IE 3000 has a default delay-request interval of 32 seconds and a default sync interval of 1 second, which could be a deal breaker should your field devices have tighter timing requirements. Note: the IE 3000's PTP clock properties can be enumerated via the IOS "show ptp clock" command.

Currently, there are two editions of the standard: IEEE 1588-2002 (PTPv1) and IEEE 1588-2008 (PTPv2). If version specificity were not enough, there are also profiles that constrain message rates, transport and clock roles for a given industry. For power systems the Power Profile is IEEE C37.238; the ITU-T telecom profiles are:
  • G.8265.1 (Telecom Frequency Profile)
  • G.8275.1 (Time and Phase Profile with full timing support from the network)
  • G.8275.2 (Time and Phase Profile with partial timing support from the network)
  • Furthermore, several related recommendations for wireless applications exist in the G.826x series.
PTP can be carried over IPv4 (UDP), IPv6 (UDP) or directly over Ethernet (EtherType 0x88F7), and the UDP variants can in turn be tunnelled through IPsec; there is a cost to the latter that we will discuss in a subsequent post. PTP runs in either unicast mode (mandatory in the telecom frequency profile G.8265.1) or multicast mode. The multicast addresses are specific to the PTP version and message class. For IPv4, multicast PTP uses:
  • 224.0.0.107/32: PTPv2 peer-delay messages (Pdelay_Req/Pdelay_Resp, link-local)
  • 224.0.1.129/32: the primary PTP address for all other messages (Announce, Sync, Follow_Up, Delay_Req, Delay_Resp). Its IPv6 companion is FF0x:0:0:0:0:0:0:181, where 'x' is the scope value between 0x0 and 0xF. Reference IEEE 1588-2008, Annex E, Section E.3.
  • 224.0.1.130/32, 224.0.1.131/32 and 224.0.1.132/32: the alternate PTP addresses used by PTPv1 alternate subdomains
The above multicast addresses should not be confused with mDNS (224.0.0.251/32) or multicast NTP (224.0.1.1/32). PTPv2 is not backwards compatible with version one.

To minimize inaccuracies, PTP runs the Best Master Clock Algorithm (BMCA) to elect the master on each segment, and each slave then measures its offset from the master and the path delay via the following sequence:
  1. The master sends a Sync message; a one-step clock writes the precise transmit timestamp t1 into the packet as it leaves.
  2. A two-step master (one whose hardware cannot stamp the packet in flight) instead sends a Follow_Up message carrying t1, the time the preceding Sync actually left. Either way the slave records t2, the time Sync arrived. This "two step" behaviour is optional per implementation. Unlike NTP, PTP sends Sync (and Follow_Up) messages at rates ranging, depending on the profile, from 1 packet every 16 seconds up to 128 packets per second (pps).
  3. The slave transmits a Delay_Req to the master, recording its departure time t3, in order to measure the return path.
  4. The master answers with a Delay_Resp carrying t4, the time the Delay_Req arrived. The slave now holds all four timestamps and computes meanPathDelay = ((t2 - t1) + (t4 - t3)) / 2 and offsetFromMaster = (t2 - t1) - meanPathDelay. Delay requests and responses are also sent at between 1 packet per 16 seconds and 128 pps.
  5. The slave (not the master) applies the offset to its own clock, stepping it or slewing its frequency so that subsequent offsets trend to zero. Because the path delay is assumed to be symmetric, any difference between the forward and reverse delays shows up as an offset error of half the asymmetry.
This negotiation can be viewed in Wireshark - https://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=get&target=ptpv2.pcap
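The arithmetic in steps 1 to 5, worked as an added example (not code from the original post or from any PTP implementation): the script models a one-step or two-step master exchanging the four messages with a slave, lets the slave compute meanPathDelay and offsetFromMaster from t1..t4 exactly as above, and shows what an asymmetric path does to the result. Timestamps are constructed integer nanoseconds, the slave clock is modelled as the master clock plus a known offset so the computed value can be checked against the truth, and the function names are my own.

```python
"""PTP offset/delay arithmetic (IEEE 1588-2008 delay request-response mechanism).

Added example with constructed timestamps; not code from the original post.
All times are integer nanoseconds.  The "slave" clock is modelled as the
master clock plus a fixed offset, so the computed offset can be checked
against the truth.
"""
from dataclasses import dataclass


@dataclass
class Timestamps:
    t1: int  # master clock: Sync transmitted (in Sync for one-step, in Follow_Up for two-step)
    t2: int  # slave clock:  Sync received
    t3: int  # slave clock:  Delay_Req transmitted
    t4: int  # master clock: Delay_Req received (returned in Delay_Resp)


def mean_path_delay(ts: Timestamps) -> float:
    """Average of the forward and reverse one-way delays (assumes symmetry)."""
    return ((ts.t2 - ts.t1) + (ts.t4 - ts.t3)) / 2


def offset_from_master(ts: Timestamps) -> float:
    """How far the slave clock is ahead of the master (negative = behind)."""
    return (ts.t2 - ts.t1) - mean_path_delay(ts)


def asymmetry_error(forward_ns: int, reverse_ns: int) -> float:
    """Offset error introduced when the two directions have different delays."""
    return (forward_ns - reverse_ns) / 2


def slave_correction(ts: Timestamps) -> float:
    """What the slave must add to its own clock; the master never instructs it."""
    return -offset_from_master(ts)


def run_exchange(slave_offset_ns: int, forward_ns: int, reverse_ns: int,
                 two_step: bool = True):
    """Simulate one Sync / Delay_Req round and return (messages, timestamps).

    messages is the on-the-wire sequence as (name, timestamp_carried) pairs;
    None means the packet carries no precise timestamp the slave can use.
    """
    t1 = 1_000_000_000                                  # master: Sync leaves
    t2 = t1 + forward_ns + slave_offset_ns              # slave: Sync arrives
    t3 = t2 + 500_000                                   # slave: Delay_Req leaves 0.5 ms later
    t4 = (t3 - slave_offset_ns) + reverse_ns            # master: Delay_Req arrives

    messages = [("Sync", None if two_step else t1)]
    if two_step:                                        # hardware could not stamp Sync in flight
        messages.append(("Follow_Up", t1))
    messages.append(("Delay_Req", None))                # slave -> master; the slave notes t3 itself
    messages.append(("Delay_Resp", t4))                 # master -> slave

    # The slave learns t1 only from Sync (one-step) or Follow_Up (two-step), and t4 from Delay_Resp.
    origin = next(stamp for name, stamp in messages
                  if name in ("Sync", "Follow_Up") and stamp is not None)
    arrival = next(stamp for name, stamp in messages if name == "Delay_Resp")
    return messages, Timestamps(t1=origin, t2=t2, t3=t3, t4=arrival)


if __name__ == "__main__":
    msgs, ts = run_exchange(slave_offset_ns=2_000, forward_ns=10_000, reverse_ns=10_000)
    print([m[0] for m in msgs], "delay", mean_path_delay(ts), "offset", offset_from_master(ts))
    _, skewed = run_exchange(slave_offset_ns=2_000, forward_ns=10_000, reverse_ns=30_000)
    print("asymmetric path: computed offset", offset_from_master(skewed),
          "error", offset_from_master(skewed) - 2_000, "=", asymmetry_error(10_000, 30_000))
```

With a symmetric 10 µs path and a slave running 2 µs fast the slave recovers exactly +2 µs; make the reverse path 30 µs and it instead computes -8 µs, an error of exactly (10 - 30) / 2 µs. That is the same arithmetic the Wireshark capture linked above lets you redo by hand from the timestamps in the Sync, Follow_Up and Delay_Resp packets.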

The IEEE 1588 Grandmaster serves as the primary reference time clock (PRTC) and usually takes its time from GPS. It is uncommon to find grandmasters within a substation, as they are typically edge devices. Other architectures use one or more Boundary Clocks (BC), which terminate PTP on one port and act as master on the others, or Transparent Clocks (TC), which add each packet's residence time to its correction field so that queuing inside the switch does not corrupt the timing. Both functions can be found within some vendors' networking devices. Lastly, we have the end devices, referred to as slaves or Ordinary Clocks (OC).

It is trivial to set up PTP within your lab, although accuracy will drift in a virtual setup because the VMs have no hardware timestamping.
  • Install the ptpd daemon on at least two systems (grandmaster and slave) via APT: $ sudo apt-get -y install ptpd
  • Start the PTP daemon on the grand master VM: $ sudo ptpd -CPWjb eth0
  • Start the PTP daemon on the slave VM: $ sudo ptpd -CPjb eth0
  • In this example, the PTP slave listens on UDP ports 319 (event messages: Sync and Delay_Req) and 320 (general messages: Announce, Follow_Up and Delay_Resp).
In a subsequent post, we will discuss the attack surface of PTP. Stay tuned!

References:
https://www.youtube.com/watch?v=yw-gd01aOYg
http://tf.nist.gov/seminars/WSTS/PDFs/3-4-IDT_Rodrigues-IEEE%201588-profiles%20at%20ITU-T%20.pdf
http://www.cisco.com/c/en/us/td/docs/switches/lan/cisco_ie3000/software/release/12-2_46_se1/configuration/guide/scg1/swptp.html
https://splash.riverbed.com/thread/8141
http://ubuntuforums.org/showthread.php?t=1366354
https://wiki.wireshark.org/Protocols/ptp
https://www.belden.com/docs/upload/Precision_Clock_Synchronization_WP.pdf

Sunday, November 8, 2015

Power-Up Series 0x4 - Conpot (ICS/SCADA Honeypot)

The setup guide below was validated on Ubuntu Server 14.04.3 LTS (x64) and Raspbian GNU/Linux 7. If installing Raspbian on a Raspberry Pi, expand the file system first. This is also a good time to change the locale to "en_US.UTF-8".

1. Update repository listings and its packages:
$ sudo apt-get -y update && sudo apt-get -y dist-upgrade

2. Stop and remove the Avahi mDNS daemon and disable CUPS (neither is installed on Ubuntu Server, so skip this step there):
 $ sudo /etc/init.d/avahi-daemon stop
 $ sudo update-rc.d -f cups remove
 $ sudo apt-get remove --auto-remove avahi-daemon

3. Disable IPv6:
 $ sudo vim.tiny /etc/sysctl.conf 
 -----
 # Add the following lines to the bottom of the "/etc/sysctl.conf" file (sans pound sign)
 net.ipv6.conf.all.disable_ipv6 = 1
 net.ipv6.conf.default.disable_ipv6 = 1
 net.ipv6.conf.lo.disable_ipv6 = 1
 -----
 $ sudo sysctl -p
 $ sudo /etc/init.d/networking restart

4. Install dependencies:
 $ sudo apt-get -y install libsmi2ldbl snmp-mibs-downloader python-dev libevent-dev libxslt1-dev libxml2-dev sqlite sqlite3 python-mysqldb
 $ wget https://bootstrap.pypa.io/ez_setup.py 
 $ sudo python ez_setup.py 

If you receive an "ImportError: No module named pkg_resources" error, execute the following:
$ sudo apt-get install --reinstall python-pkg-resources 

 $ sudo easy_install pip 

Ubuntu server also required the following dependencies:
 $ sudo apt-get -y install zlib1g-dev 
 $ sudo pip install 'requests[security]'

 5. Install Conpot
 $ cd /opt/
 $ sudo git clone https://github.com/mushorg/conpot.git
 $ cd conpot/

I recommend deleting the "MySQL-python" line if you are installing on Raspbian:
 $ sudo vim requirements.txt

 $ sudo pip install -r requirements.txt
 $ sudo python setup.py build
 $ sudo python setup.py install

6. Modify the configuration file
 $ sudo vim.tiny /opt/conpot/conpot/conpot.cfg
 -----
 Under "[fetch_public_ip]", change "enabled = false" to "enabled = true".
 Under "[sqlite]", change "enabled" to "True".
 -----

 7. Start Conpot.
 $ cd /opt/conpot/bin
 $ sudo python conpot --template default

The "default" template will configure the following services/ports:
  • Modbus port 502/tcp
  • Siemens S7-200 port 102/tcp
  • Bacnet port 47808/tcp
  • IPOMI port 623/tcp
  • SNMP port 161/tcp 
  • HTTP webserver port 80/tcp 
References:
http://stackoverflow.com/questions/3373995/usr-bin-ld-cannot-find-lz
http://blog.khairulazam.net/category/honeypot/
https://github.com/mushorg/conpot
http://askubuntu.com/questions/309461/how-to-disable-ipv6-permanently
http://www.installion.co.uk/ubuntu/saucy/main/c/cups-daemon/uninstall.html
http://www.linuxquestions.org/questions/linux-networking-3/how-to-disable-mdns-service-356222/

Sunday, November 1, 2015

Power-Up Series 0x3 - Install Bro and Brotop Web GUI

Updated 16 Feb 2016.
In this post, I have listed the steps necessary to configure a single Bro node leveraging the Brotop Web GUI for easier log parsing and reading.

Install dependencies:
$ sudo apt-get install cmake make gcc g++ flex bison libpcap-dev libgeoip-dev libssl-dev python-dev zlib1g-dev libmagic-dev swig libgoogle-perftools-dev

Install Bro:
$ sudo mkdir -p /nsm/bro
$ cd ~
$ wget https://www.bro.org/downloads/release/bro-2.4.1.tar.gz
$ tar -xvzf bro-2.4.1.tar.gz
$ cd bro-2.4.1/
$ ./configure --prefix=/nsm/bro
$ make
$ sudo make install
$ export PATH=/nsm/bro/bin:$PATH

Install Geo-IP Databases:
$ cd ~
$ wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
$ gunzip GeoLiteCity.dat.gz
$ sudo cp GeoLiteCity.dat /usr/share/GeoIP/GeoIPCity.dat
$ wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCityv6-beta/GeoLiteCityv6.dat.gz
$ gunzip GeoLiteCityv6.dat.gz
$ sudo cp GeoLiteCityv6.dat /usr/share/GeoIP/

Modify configuration files: $ sudo vim /nsm/bro/etc/node.cfg
-----
Ensure that "interface=eth0" is the network interface you are using; otherwise, modify this line.
-----
$ sudo vim /nsm/bro/etc/networks.cfg
-----
Add appropriate RFC1918 address space and Microsoft APIPA in CIDR format
-----
$ sudo vim /nsm/bro/etc/broctl.cfg
-----
Change the MailTo address and the logging config, if desired.
-----
$ sudo /nsm/bro/bin/broctl
[BroControl]> install
[BroControl]> exit

Auto-start Broctl
$ sudo vim /etc/rc.local
-----
Add the following line "/nsm/bro/bin/broctl start"
-----

Monitoring Bro node:
$ sudo /nsm/bro/bin/broctl
[BroControl]> status
[BroControl]> ps.bro
[BroControl]> top

Restart host: $ sudo shutdown -r now

Setup & Run Brotop Web GUI:
$ cd ~
$ mkdir brotop/
$ cd brotop/
$ wget https://github.com/criticalstack/brotop/releases/download/v0.3.0/brotop-linux-amd64.tar.gz
$ tar -zxvf brotop-linux-amd64.tar.gz
$ cd pkg/linux-amd64/
$ hostname -I  #192.168.1.225
$ ./brotop --path=/nsm/bro/logs/current/
Browse to http://192.168.1.225:8080/

Numbers of Connections by Protocol:
$ /nsm/bro/bin/bro-cut service < conn.log | sort | uniq -c | sort -n

Top 10 Destination Ports:
$ /nsm/bro/bin/bro-cut id.resp_p < conn.log | sort | uniq -c | sort -rn | head -n 10

Top 10 User-Agents:
$ /nsm/bro/bin/bro-cut user_agent < http.log | sort | uniq -c | sort -rn | head -n 10

 Replace "user_agent" with "mime_type" to view HTTP file types

Visited Websites:
$ /nsm/bro/bin/bro-cut host < http.log | sort | uniq -c | sort -rn
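The bro-cut pipelines above all do the same thing: pick one column out of a tab-separated Bro log and count it. As an added example (not from the original post or from the Bro project), the following Python reads a Bro ASCII log the way bro-cut does, using the #separator and #fields header lines rather than hard-coded column positions, and reproduces the "sort | uniq -c | sort -rn | head" counts. The embedded conn.log is constructed with a trimmed field list (real conn.log records carry more columns, which the parser handles unchanged); the /nsm/bro/logs/current/ path is the one used in this post, and the function names are my own.

```python
"""Minimal bro-cut: parse a Bro ASCII log by its header and count a column.

Added example (not Bro project code).  SAMPLE_CONN_LOG is a constructed,
trimmed conn.log; real logs carry more columns but the same header format.
"""
from collections import Counter

UNSET = "-"   # Bro's default #unset_field marker

SAMPLE_CONN_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tconn\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\n"
    "1446300000.000000\tCabc1\t192.0.2.10\t51000\t198.51.100.5\t80\ttcp\thttp\n"
    "1446300001.000000\tCabc2\t192.0.2.10\t51001\t198.51.100.5\t443\ttcp\tssl\n"
    "1446300002.000000\tCabc3\t192.0.2.11\t51002\t198.51.100.7\t53\tudp\tdns\n"
    "1446300003.000000\tCabc4\t192.0.2.12\t51003\t198.51.100.5\t80\ttcp\thttp\n"
    "1446300004.000000\tCabc5\t192.0.2.12\t51004\t198.51.100.9\t502\ttcp\t-\n"
    "#close\t2015-10-31-12-00-05\n"
)


def parse_bro_log(text: str) -> list:
    """Return one dict per record, keyed by the names in the #fields header."""
    separator = "\t"
    fields = None
    records = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#separator "):
            # The header spells the separator as an escape, e.g. "\x09" for tab.
            separator = line.split(" ", 1)[1].encode("ascii").decode("unicode_escape")
            continue
        if line.startswith("#fields"):
            fields = line.split(separator)[1:]
            continue
        if line.startswith("#"):           # #types, #path, #open, #close, ...
            continue
        if fields is None:
            raise ValueError("data before #fields header")
        values = line.split(separator)
        if len(values) != len(fields):
            raise ValueError("column count mismatch: %r" % line)
        records.append(dict(zip(fields, values)))
    return records


def count_by(records: list, field: str, top: int = None, skip_unset: bool = False) -> list:
    """Equivalent of: bro-cut FIELD < log | sort | uniq -c | sort -rn [| head -n TOP]."""
    counter = Counter(r[field] for r in records if not (skip_unset and r[field] == UNSET))
    ranked = sorted(counter.items(), key=lambda kv: (-kv[1], kv[0]))
    return ranked[:top] if top else ranked


def load_bro_log(path: str) -> list:
    """Parse an on-disk log such as /nsm/bro/logs/current/conn.log."""
    with open(path, encoding="utf-8") as fh:
        return parse_bro_log(fh.read())


if __name__ == "__main__":
    conn = parse_bro_log(SAMPLE_CONN_LOG)
    print("connections by service:", count_by(conn, "service"))
    print("top destination ports:", count_by(conn, "id.resp_p", top=10))
```

Because the column names come from the #fields line, the same count_by() call works for http.log (user_agent, mime_type, host) without changes; skip_unset drops the "-" placeholder that the shell pipeline counts as if it were a value.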

Bro maintains a cheat sheet at https://github.com/bro/cheat-sheet/raw/master/bro-cheat-sheet.pdf

Bro Exercises: https://www.google.com/search?q=site:*.bro.org+challenge+%7C%7C+exercise

References:
https://www.bro.org/download/
http://dev.maxmind.com/geoip/legacy/geolite/
http://knowm.org/how-to-install-bro-network-security-monitor-on-ubuntu/
https://github.com/kingtuna/Hybrid-Darknet-Concept
https://github.com/criticalstack/brotop
https://www.bro.org/bro-workshop-2011/solutions/logs/

Saturday, October 24, 2015

Power-Up Series 0x2 - ClamAV and Yara Integration

This release candidate requires Perl Compatible Regular Expressions (PCRE). Install the library and headers on the Ubuntu host: $ sudo apt-get install libpcre3 libpcre3-dev

Download & Install the Latest Release Code (fetch the clamav-0.99-rc1 tarball from clamav.net into your home directory first):
$ cd ~
$ tar zxvf clamav-0.99-rc1.tar.gz && cd clamav-0.99-rc1/
$ ./configure && make && sudo make install

$ sudo cp /usr/local/etc/freshclam.conf.sample /usr/local/etc/freshclam.conf
$ sudo vim /usr/local/etc/freshclam.conf
-----
Comment out "Example"
-----
$ sudo cp /usr/local/etc/clamd.conf.sample /usr/local/etc/clamd.conf
$ sudo mkdir -p /usr/local/share/clamav
$ sudo useradd clamav -r -s /sbin/nologin
$ sudo chown -R clamav:clamav /usr/local/share/clamav/


Updating Clam Signatures:
$ sudo /usr/local/bin/freshclam

To verify the authenticity of the downloaded databases (sigtool checks their digital signatures and prints the build details), run these two commands:
$ sigtool --info /usr/local/share/clamav/main.cvd
$ sigtool --info /usr/local/share/clamav/daily.cvd

The file-type extension ".cvd" stands for "ClamAV Virus Database"; daily.cvd carries the signatures published since main.cvd was last built.

Run '$ sudo ldconfig' if there are errors while loading libclamav.so's shared libraries.

Perform a Recursive Anti-Virus Scan against the File System:
$ sudo /usr/local/bin/clamscan -rio --bell /

Download Yara Rules & Copy them into the ClamAV Database:
$ cd ~
$ sudo apt-get -y install git
$ git clone https://github.com/Yara-Rules/rules.git
$ cd rules/
$ sudo cp *.yar /usr/local/share/clamav

Alternatively, you can point clamscan at a specific YARA rules file: sudo /usr/local/bin/clamscan -rio --bell --remove=no --leave-temps / --database ~/rules/packer.yar

WARNING: ALWAYS INCLUDE "--remove=no" (never delete on match) AND "--leave-temps" (keep the extracted temporary files for review). Community YARA rules are broad and will match legitimate files, including system files, so a scan that deletes on match can damage the host.
As a safeguard, create a command alias within the ".bashrc" file that bakes in those parameters and takes the YARA file location as its one and only argument.
$ vim ~/.bashrc 

-----
alias yarascan='sudo /usr/local/bin/clamscan -rio --bell --remove=no --leave-temps / --database '
-----



Note the trailing space after the "--database" parameter: the alias expands and the path you type becomes the parameter's value. Simply run yarascan followed by the path to the desired YARA rules: $ yarascan ~/rules/malware/Zeus.yar
You will need to exit the terminal session or logoff/logon in order for the change to take effect. 
For additional functionality, build Talos' ClamAV bytecode compiler:

$ git clone https://github.com/vrtadmin/clamav-bytecode-compiler
$ cd clamav-bytecode-compiler/
$ mkdir obj && cd obj/
$ ../llvm/configure --enable-optimized --enable-targets=host-only --disable-bindings --prefix=/usr/local/clamav
$ make clambc-only -j4
$ sudo make install-clambc
$ sudo vim /usr/local/etc/clamd.conf
-----
By default, only signed bytecode signatures (those published by Talos) are executed. In this configuration, the Talos bytecode signatures are located under "/usr/local/share/clamav". In order to execute your own custom, unsigned bytecode signatures, add the line "BytecodeUnsigned yes" and uncomment "BytecodeTimeout 1000" within clamd.conf.
-----

$ sudo clamscan --remove=no --leave-temps -rio --bytecode=yes /

References:
http://askubuntu.com/questions/140246/how-do-i-resolve-unmet-dependencies-after-adding-a-ppa
http://sublimerobots.com/2015/04/openappid-with-snort-2-9-7-x-on-ubuntu/
http://blog.clamav.net/2015/06/clamav-099b-meets-yara.html
https://www.clamxav.com/BB/viewtopic.php?f=1&t=2891
http://www.cyberciti.biz/faq/debian-ubuntu-linux-install-libpcre3-dev/
http://stackoverflow.com/questions/11466419/how-to-create-bash-alias-with-argument
http://blog.clamav.net/2014/11/brief-re-introduction-to-clamav.html

Sunday, October 18, 2015

Power-Up Series: 0x1 Splunk Light Installation


If you read the previous post, you may be able to guess that the Power-Up Series is a no-frills, step-by-step guide to get readers in touch with technology. The focus of this post is Splunk's Light edition. Although the free version is capped at 500MB/day, it is an easy way to become familiar with this analytics platform.

Update Ubuntu Host:
$ sudo apt-get -y update && sudo apt-get -y dist-upgrade

Manually set the IP address:
$ sudo vim /etc/network/interfaces
    auto eth0
    iface eth0 inet static
        address 192.0.2.7
        netmask 255.255.255.0
        gateway 192.0.2.254

Add OpenDNS servers (on Ubuntu 14.04 /etc/resolv.conf is regenerated by resolvconf at boot; to make this permanent, add "dns-nameservers 208.67.222.222 208.67.220.220" to the eth0 stanza above instead):
$ sudo vim /etc/resolv.conf
nameserver 208.67.222.222
nameserver 208.67.220.220

$ sudo service networking restart
If the restart fails: $ sudo shutdown -r now

Verify your IP address:
$ hostname -I

Download the latest Splunk Light .deb and install it as root; the package creates a splunk user:
$ sudo bash
$ dpkg -i splunklight-6.2.5-272645-linux-2.6-amd64.deb
By default, it will install to "/opt/splunk/" directory.
$ cat /etc/passwd |grep splunk

Start Splunk:
$ sudo /opt/splunk/bin/splunk start --accept-license

Login to Splunk Web Interface:
Login with default credentials ("admin" and "changeme")
Provide new credentials

Enable SSL:
Navigate to "Server settings" >> "General Settings" and "Enable SSL (HTTPS) in Splunk Web".
#Restart Splunk to access via https://<splunk_IP>:8000

Add Snort Alerts:
Requires ASCII "alert" file
Click "Add Data" > "Upload files from my computer" > "Select File" > "Next" > set the sourcetype to "Network security > Snort" > "Event Breaks" > "Auto" > "Save As"

Query Index:
index="<index_name>" starttime="03/31/2013:00:00:00" <keyword>

index="<index_name>" starttime="03/31/2013:00:00:00" <keyword>| chart count(dstport) by dstport

I strongly advise you to download the MalwareArchaelogy.com's Splunk cheat sheet, which is hosted at  http://malwarearchaeology.squarespace.com/cheat-sheets/. Additionally, you can view the author's talk at DerbyCon - https://youtu.be/fode4bueb0s. Many thanks to the authors for their contributions to the InfoSec community.

Thursday, October 15, 2015

Power-Up Series: 0x0 - Setup Snort Inline with Application Detection


We start off by building another Ubuntu minimal server instance, selecting the "OpenSSH server" package during installation. This VM has a management interface (eth0) and two interfaces that will become the inline pair (eth1 and eth2). As always, update the repository listings and installed packages first, then bring the inline interfaces up:

$ sudo apt-get -y update && sudo apt-get -y dist-upgrade

$ sudo ifconfig eth1 up && sudo ifconfig eth2 up


Install dependencies:
$ sudo apt-get install -y build-essential bison flex libpcap0.8 libpcap0.8-dev zlib1g-dev ethtool libpcap-dev libpcre3-dev libdumbnet-dev openssl libssl-dev

$ cd ~
$ wget http://prdownloads.sourceforge.net/libdnet/libdnet-1.11.tar.gz
$ tar xzvf libdnet-1.11.tar.gz
$ cd libdnet-1.11/
$ ./configure
$ make
$ sudo make install

$ cd ~
$ wget http://luajit.org/download/LuaJIT-2.0.2.tar.gz
$ tar xzvf LuaJIT-2.0.2.tar.gz
$ cd LuaJIT-2.0.2/
$ make
$ sudo make install

If the later Snort configure step cannot find LuaJIT, install pkg-config and confirm the library path:
$ sudo apt-get -y install pkg-config
$ pkg-config --libs luajit  #Should return "-L/usr/local/lib"

$ mkdir ~/snort_src && cd ~/snort_src/
$ wget http://www.snort.org/downloads/snort/daq-2.0.6.tar.gz
$ tar xvfz daq-2.0.6.tar.gz && cd daq-2.0.6/ && ./configure && make && sudo make install
$ cd ~/snort_src
$ wget https://www.snort.org/downloads/snort/snort-2.9.7.6.tar.gz
$ tar -xvzf snort-2.9.7.6.tar.gz && cd snort-2.9.7.6/
$ ./configure --prefix=/usr/local/snort --enable-sourcefire --enable-open-appid
$ make
$ sudo make install
$ sudo ldconfig
$ sudo ln -s /usr/local/snort/bin/snort /usr/sbin/snort

Verify you have compiled the latest version: "Version 2.9.7.6 GRE (Build 285)":
$ snort -V

$ sudo groupadd snort
$ sudo useradd snort -r -s /sbin/nologin -c SNORT_IDS -g snort
$ sudo mkdir /etc/snort
$ sudo mkdir /etc/snort/rules
$ sudo mkdir /etc/snort/preproc_rules
$ sudo touch /etc/snort/rules/white_list.rules /etc/snort/rules/black_list.rules /etc/snort/rules/local.rules
$ sudo mkdir /var/log/snort
$ sudo mkdir -p /usr/local/lib/snort/snort_dynamicrules
$ sudo mkdir -p /usr/local/lib/snort/snort_dynamicpreprocessor
$ sudo chmod -R 5775 /etc/snort
$ sudo chmod -R 5775 /var/log/snort
$ sudo chmod -R 5775 /usr/local/lib/snort/snort_dynamicrules
$ sudo chmod -R 5775 /usr/local/lib/snort/snort_dynamicpreprocessor
$ sudo chown -R snort:snort /etc/snort
$ sudo chown -R snort:snort /var/log/snort
$ sudo chown -R snort:snort /usr/local/lib/snort/snort_dynamicrules
$ sudo chown -R snort:snort /usr/local/lib/snort/snort_dynamicpreprocessor
$ sudo cp ~/snort_src/snort-2.9.7.6/etc/*.conf* /etc/snort
$ sudo cp ~/snort_src/snort-2.9.7.6/etc/*.map /etc/snort
$ sudo cp ~/snort_src/snort-2.9.7.6/etc/attribute_table.dtd /etc/snort/


$ sudo vim /etc/snort/snort.conf
-----
preprocessor appid: app_stats_filename appstats-u2.log, app_stats_period 60, app_detector_dir 
....
# Uncomment the "Inline packet normalization" preprocessors if they are commented out.
# Uncomment and set the DAQ variables:
config daq: afpacket
config daq_mode: inline
config daq_var: buffer_size_mb=1024
output unified2: filename snort.log, limit 128, appid_event_types
       Change the "dynamicpreprocessor directory" path to "/usr/local/snort/lib/snort_dynamicpreprocessor"
       Change "var RULE_PATH ../rules" to "var RULE_PATH /etc/snort/rules"
       Change "whitelist $WHITE_LIST_PATH/white_list.rules" to "whitelist /etc/snort/rules/white_list.rules"
       Change "blacklist $BLACK_LIST_PATH/black_list.rules" to "blacklist /etc/snort/rules/black_list.rules"
       Comment out all rule includes with the exception of local.rules.
-----

Verify Snort was compiled with DAQ's afpacket module
$ snort --daq-list

To disable every rule-path include at once, run the following sed against the configuration file, then re-enable only the includes we care about: local.rules (which will hold the community rules below) and the application ID rules (include $RULE_PATH/app-detect.rules).
$ sudo sed -i 's/include \$RULE\_PATH/#include \$RULE\_PATH/' /etc/snort/snort.conf

$ cd ~/snort_src/
$ wget -N https://www.snort.org/downloads/community/community-rules.tar.gz
$ tar xvfz community-rules.tar.gz
$ sudo cp /etc/snort/rules/local.rules /etc/snort/rules/local.rules.bkp
$ sudo sed -i 's/^#\s*alert/alert/' community-rules/community.rules  #Uncomment only the rule lines; the header comments stay intact.
$ sudo cp ~/snort_src/community-rules/community.rules /etc/snort/rules/local.rules

You must be a registered user to download the application rules and configuration files from "https://www.snort.org/downloads". Once logged-in, download and copy them to the Snort VM.
$ sudo cp /tmp/app-detect.rules /etc/snort/rules/app-detect.rules

$ sudo cp snort-openappid.tar.gz /usr/local/snort
$ cd /usr/local/snort && sudo tar xzvf snort-openappid.tar.gz  #Extracts the odp/ detector directory.

Note inline interface labels (ex. eth1, eth2).
$ ifconfig

Add IP forwarding.
$ sudo vi /etc/sysctl.conf

Add the following lines to the above configuration file:
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1

Reboot.
$ sudo shutdown -r now

Ensure IPTables are flushed.
$ sudo iptables -F

Validate the configuration (-T parses everything and exits):
$ sudo snort -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort --daq afpacket -i eth1:eth2 -T -devsb -A full

Run Snort:
$ sudo snort -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort --daq afpacket -i eth1:eth2 -devsb -A full

Alerts are stored in the "/var/log/snort/" directory.

To list the application names OpenAppID knows about, read the second column of appMapping.data (shipped in the odp/ directory extracted above), and decode the unified2 application statistics with the u2openappid utility built under tools/u2openappid in the Snort source tree:
$ cut -f2 /usr/local/snort/odp/appMapping.data
$ ~/snort_src/snort-2.9.7.6/tools/u2openappid/u2openappid /var/log/snort/appstats-u2.log.<time_stamp>

References:
- http://seclists.org/snort/2015/q2/395
- http://blog.snort.org/2014/03/openappid-install-video.html

Saturday, October 10, 2015

Floodlight & Openvswitch Lab Setup Part 1

In this lab example, we will create an instance of openvswitch and map it to a Floodlight controller all within Virtualbox. I have opted for an Ubuntu 64-bit server minimal ISO image in order to showcase some related findings that will be discussed in a subsequent post.

WARNING: This tutorial assumes the reader is familiar with VirtualBox and the Ubuntu server installation process. The process shown was validated using the ubuntu-14.04.3-server-amd64.iso image. Since VirtualBox provides console access to the virtual machines, the SSH package was not selected during installation. Also, ensure the network adapter is enabled and set to bridged mode.

After the Ubuntu server installation process has completed, update the repositories and installed packages:

$ sudo apt-get -y update && sudo apt-get -y dist-upgrade

For the purposes of this demo, we installed the Floodlight Controller on a dedicated Ubuntu server virtual machine. This is optional. Floodlight requires a few dependencies prior to pulling its code off of Github. This may take some time.

$ sudo apt-get install build-essential default-jdk ant python-dev eclipse git

Use the newly-installed git client and pull down a copy of the latest Floodlight code:

$ git clone git://github.com/floodlight/floodlight.git

Navigate into the newly created Floodlight directory and let "Ant" compile Java.

$ cd floodlight/
$ ant

Take note of this host's IP address and start the Floodlight controller.

$ hostname -I
$ java -jar target/floodlight.jar

Browse to "http://192.168.1.10:8080/ui/index.html", but replace the IPv4 address with your own controller's. 
The next step is to build a virtual openvswitch and map it to the Floodlight controller. Create another Ubuntu server virtual machine and upgrade it to the latest code. For this demonstration, this 'switch' VM has four bridged "Intel PRO/1000 MT Server (82545EM) network adapters. 

The next step is to install openvswitch.

$ sudo apt-get -y install openvswitch-common openvswitch-switch bridge-utils

At the time of this post, the latest packaged version was 2.0.2, which is printed as ovs_version by the show command.

$ sudo ovs-vsctl show

Verify the "ovsdb-server" and "ovs-vswitchd" services are running.

$ ps -ea | grep ovs

Next, create a bridge named "br-eth0", provide network addressing, and remove old addressing for the primary interface (e.g., eth0):

$ sudo ovs-vsctl add-br br-eth0
$ sudo ovs-vsctl add-port br-eth0 eth0
$ sudo ifconfig eth0 0
$ sudo ifconfig br-eth0 192.168.1.249 netmask 255.255.255.0
$ sudo route add default gw 192.168.1.1 br-eth0
$ sudo route del default gw 192.168.1.1 eth0

Edit the switch configuration file and add "BRCOMPAT=yes" at the end of the file (note: the brcompat bridge-compatibility module was dropped from Open vSwitch in 1.10, so on 2.0.2 this line is harmless but no longer does anything).

$ sudo vim /etc/default/openvswitch-switch

 You will need to restart the switch in order for the changes to take hold.

  $ sudo /etc/init.d/openvswitch-switch restart

Map the openvswitch to the Floodlight controller. Replace the IPv4 address with the controller's address.

$ sudo ovs-vsctl set-controller br-eth0 tcp:192.168.1.10:6653 

Verify connectivity with the controller. Note the below "is_connected: true" response.

$ sudo ovs-vsctl show

Return to the Floodlight dashboard. At this point, all tabs should be populated with the observed switch information. Setting the openvswitch VM's VirtualBox adapter to promiscuous mode "Allow All" will surface additional hosts; however, this setting is only suitable for small test environments. The same steps can be performed to incorporate additional openvswitch devices, or simply clone your existing VM and change the clone's MAC address. Congrats! You have successfully set up a virtual OpenFlow environment.

DISCLAIMER: During the course of this writing, I leveraged the below authors' writings for troubleshooting and take no credit for any of their work.
http://networkstatic.net/how-to-build-an-sdn-lab-without-needing-openflow-hardware/
https://www.rdoproject.org/forum/discussion/271/openstack-networking-issues/p1

Sunday, September 20, 2015

Welcome to HackingSDN.com

Follow us on @hackingsdn and visit https://hackingsdn.com