Thursday, December 16, 2010

snort's flow-ip-file perfmonitor output ....

I've been spending a lot of time profiling snort performance lately as we try to wrench every last bit of performance out of our busier snort sensors. We have submitted a request for updated hardware, but the current environment has to be kept limping along as the refresh request winds its way through the byzantine maze of a typical government budgeting process.

One thing I've learned during this process is that there's not one real definitive source for tuning Snort. Information is found from a variety of sources, and experience is essential to really understanding the numbers that Snort spits out. This is probably easy for somebody who's really spent a lot of time smashing Snort, but as somebody without much experience dealing with sensors that are being pushed to their meager limits I have to honestly admit that there are times I'm scrambling to figure out exactly what all the performance data is telling me (or what is broken).

I was looking at ways to reduce the amount of known benign traffic a particularly busy sensor was examining, so I enabled the flow-ip and flow-ip-file options in the perfmonitor preprocessor section of snort.conf and restarted the Snort service. After a few hours I disabled the option, restarted Snort, then imported the resulting file into Excel and thought ... "now what". The Snort Users Manual was sort of vague (and a bit misleading); ultimately the source code provided the answer. Without further delay ...

(using the Excel column headers as they map to fields 1, 2, 3, etc. of the Snort flow stats CSV file)

A - Host A
B - Host B
C - TCP Packets A->B
D - TCP Bytes A->B
E - TCP Packets A<-B
F - TCP Bytes A<-B
G - UDP Packets A->B
H - UDP Bytes A->B
I - UDP Packets A<-B
J - UDP Bytes A<-B
K - Other Packets A->B
L - Other Bytes A->B
M - Other Packets A<-B
N - Other Bytes A<-B
O - TCP Sessions established
P - TCP Sessions closed
Q - UDP Sessions created

Armed with this knowledge it was easy to identify chatty hosts that were safe to whitelist, which will hopefully reduce the number of mbit/s Snort has to process. I'll know for sure tomorrow when I dump the Snort perfmonitor stats and check how mbit/s (app) is trending.
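As an added example (not code from the post or from Snort), here is a small Python script that reads a flow-ip-file CSV using the column mapping above and ranks host pairs and individual hosts by total bytes, which is the "which hosts are chatty" question being answered here. It assumes 17 comma-separated fields per row with no header line, and the sample rows are constructed, not real sensor output.

```python
"""Rank host pairs and hosts in a Snort perfmonitor flow-ip-file CSV by bytes.
Field order follows the A..Q mapping above: 17 comma-separated fields per host
pair, no header line (assumed; check against your own file)."""
import csv
import io
from collections import defaultdict

# Column indices from the mapping (A=0 ... Q=16).
BYTE_COLS = (3, 5, 7, 9, 11, 13)  # D F H J L N: TCP/UDP/Other bytes, both directions
PKT_COLS = (2, 4, 6, 8, 10, 12)   # C E G I K M: the matching packet counters

# Constructed sample rows (hypothetical addresses and counters, not sensor data).
SAMPLE_FLOW_CSV = """\
10.1.1.5,10.1.2.20,12000,9000000,11800,400000000,0,0,0,0,0,0,0,0,300,290,0
10.1.1.7,192.0.2.10,40,6000,38,52000,0,0,0,0,0,0,0,0,2,2,0
10.1.1.5,10.1.3.53,0,0,0,0,5000,450000,5000,9000000,0,0,0,0,0,0,5000
10.1.1.9,10.1.2.20,10,1500,9,12000,0,0,0,0,2,200,0,0,1,1,0
"""

def parse_flow_file(text):
    """Return [(host_a, host_b, packets, bytes)] per well-formed row; rows with
    fewer than 17 fields or non-numeric counters are skipped, not guessed at."""
    rows = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 17:
            continue
        try:
            pkts = sum(int(row[i]) for i in PKT_COLS)
            nbytes = sum(int(row[i]) for i in BYTE_COLS)
        except ValueError:
            continue
        rows.append((row[0], row[1], pkts, nbytes))
    return rows

def rank_pairs(text, top=10):
    """Host pairs by total bytes (both directions, all protocols) with each
    pair's percentage share of every byte in the file."""
    rows = parse_flow_file(text)
    total = sum(r[3] for r in rows) or 1
    ranked = sorted(rows, key=lambda r: r[3], reverse=True)[:top]
    return [(a, b, n, round(100.0 * n / total, 1)) for a, b, _, n in ranked]

def rank_hosts(text, top=10):
    """Bytes attributable to each host across every pair it appears in; a host
    near the top is a whitelist candidate only if its traffic is known benign."""
    per_host = defaultdict(int)
    for a, b, _, n in parse_flow_file(text):
        per_host[a] += n
        per_host[b] += n
    return sorted(per_host.items(), key=lambda kv: kv[1], reverse=True)[:top]
```

Point `parse_flow_file` at the contents of your own flow-ip-file output; the percentage column in `rank_pairs` is what tells you how much load a whitelist entry would actually remove.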

Happy tuning ...

Wednesday, December 1, 2010

a fresh start ... and Kippo's ssh honeypot.

Well it's been a while. A lot has changed since my last update. I scored a job doing some security engineering on a small team with a big workload, which makes me happy.

Enough about that nonsense ...

I have a home server that I've run Linux on for remote access using SSH. I had locked it down pretty well. I did leave it on the default port because I did marvel at the number of brute force attempts people would slam against it daily, but I never went beyond reviewing the logs.

Lately I've been setting up a lab to do some analysis on drive-by downloads, and one of the things I wanted to see in greater detail was the brute force SSH logins. This is where Kippo comes in. PaulDotCom has a great video on how to use Kippo as part of a pentest, but my requirements are a bit more simple; I just want to harvest some of the target user/password pairs.

The honeypot box I've set up is an Ubuntu 10.04 VM running behind an iptables based firewall box with NAT forwarding traffic to internal hosts. This was a cinch to set up with Firewall Builder.

Before running Kippo you might want to read the instructions on how to get it running on your OS / distro. Since I am using Ubuntu, I ran the command:

sudo apt-get install python-dev openssl python-openssl python-pyasn1 python-twisted

If you haven't already figured it out, Kippo was written in Python. After you unpack it, go into the kippo-0.5 folder and edit the kippo.cfg file to check over the settings.

Since I've already got NAT set up, I just created a rule to forward inbound port 22 to port 2222 on the honeypot; this also allowed me to run Kippo under a normal user context. There are details on configuring your system for different scenarios on the Kippo page.

The kippo.log file should make for some entertaining reading tomorrow. Granted, "entertaining" is subjective.