Security Onion - Linux Distro For IDS, NSM, And Log Management

Security Onion is a free and open source Linux distribution for intrusion detection, enterprise security monitoring, and log management. It includes Elasticsearch, Logstash, Kibana, Snort, Suricata, Bro, OSSEC, Sguil, Squert, NetworkMiner, and many other security tools. The easy-to-use Setup wizard allows you to build an army of distributed sensors for your enterprise in minutes!

Security-onion project

This repo contains the ISO image, Wiki, and Roadmap for Security Onion.

Looking for documentation?

Please proceed to the Wiki.

Screenshots

Download Security-Onion

Read More

IDS evasion - Inundator

IDS/IPS/WAF Evasion & Flooding Tool

inundator is a multi-threaded, queue-driven, IDS evasion tool. Its purpose is to anonymously flood intrusion detection systems (specifically Snort) with traffic designed to trigger false positives via a SOCKS proxy in order to obfuscate a real attack.

inundator would be used whenever you feel there is a significant chance the attack you’re about to perform may be detected by the target’s intrusion detection system. You would launch inundator prior to starting the attack, and continue running it well after you have finished the attack. The hope is that if your attack is detected by the IDS, the alert will be buried among several thousand false positives, thus minimizing the chance of an IDS analyst detecting the real attack.

inundator is full featured, multi-threaded, queue-based, supports multiple targets, and requires the use of a SOCKS proxy for anonymization. Via Tor, inundator is capable of generating around 1000 false positives per minute. Via a high-bandwidth SOCKS proxy, you might be able to generate ten times that amount.

IDS evasion: Inundator Features

ºParses Snort rules files to generate false positive attacks
ºSupport for multiple targets (FQDN, ip addr range, subnet in CIDR format)
ºMulti-threaded
ºQueue-based
ºSOCKS support

Dependencies:

ºNmap
ºPerl (>= 5.10)
ºNet::SOCKS (>=0.03)
ºNet::CIDR (>= 0.11)
ºSnort’s rules files
ºOinkmaster (for keeping Snort rules up to date)
ºTor (If you don’t have a remote SOCKS proxy to exploit.)


When would I use Inundator?

Whenever you feel like it. Seriously. It’s anonymous, so why not watch the world burn?

Example Scenarios:

ºBefore, during, and after a real attack to bury any potential alerts among a flood of false positives.

ºSeriously mess with an IDS analyst and keep an InfoSec department busy for days investigating false positives.

ºTest the effectiveness of an intrusion detection or prevention system. Less alerts means a better product; more alerts means a horrible product.


How does Inundator work?

At a high level, Inundator builds an attack queue, organized by destination port, by parsing the content: and uricontent: fields from Snort’s poorly written pattern-matching rules. Inundator then builds a target queue by peforming a port scan to identify open TCP ports on each target provided by the user. Once the queues have been built, Inundator will launch the requested number of worker threads. Each worker thread will select a random target from the target queue, as well as a random open port on the selected target. A random attack for the selected port will then be selected from the attack queue, and this information is used to build a completely innocent packet or request that contains patterns matching typical intrusion detection rules. The crafted attack will then be sent to the target via a SOCKS proxy (we default to Tor’s local proxy.) This procedure is repeated in an infinite loop by each worker thread until the user aborts.

Quite obviously, the actual ruleset used by the target intrusion detection system will play a very large part in whether our crafted attacks trigger a false positive. Inundator will generate an overwhelming number of false positives on systems which use extremely poor pattern matching rules, and little to no false positives on systems which use well written rules, heuristic-based detection, or anomaly-based detection mechanisms.


Downloading and Installing Inundator.

The preferred method of installation for all other .deb-based distributions is via our software repository. This is by far the best and simplest way of installing Inundator and its dependencies.

Add our repository to /etc/apt/sources.list:

deb http://inundator.sourceforge.net/repo/ all/

Next, download and install our GPG key:

wget http://inundator.sourceforge.net/inundator.asc
apt-key add inundator.asc

Then you can automatically pull in Inundator and all its dependencies:

aptitude update
aptitude install inundator

Download Inundator

Read More

Distro - Network Security Toolkit (NST)

Network Security Toolkit (NST) is a bootable live CD based on Fedora Core. The toolkit was designed to provide easy access to best-of-breed open source network security applications and should run on most x86 platforms. The main intent of developing this toolkit was to provide the network security administrator with a comprehensive set of open source network security tools. 

What we find rather fascinating with NST is that we can transform most x86 systems (Pentium II and above) into a system designed for network traffic analysis, intrusion detection, network packet generation, wireless network monitoring, a virtual system service server, or a sophisticated network/host scanner.

Download  Distro - Network Security Toolkit (NST)

Read More

OSSEC HIDS SERVER

OSSEC é um Open Source Intrusion Detection System Host-based que realiza análise de log, arquivo de verificação de integridade, monitorização de políticas, detecção de rootkit, alertas em tempo real e resposta ativa.

Ele roda na maioria dos sistemas operacionais, incluindo Linux, MacOS, Solaris, HP -UX, AIX e Windows.

Confira características ossec e como ele funciona para mais informações sobre como OSSEC pode ajudá-lo a resolver seus problemas de segurança baseados em host.


Guia de Instalação em sistemas Debian.


Para instalar com o apt-get faça o seguinte.

1º Instale apt-get cheve para o repositório:


# apt-key adv --fetch-keys http://ossec.wazuh.com/repos/apt/conf/ossec-key.gpg.key

2º Adicione o repositório para Debian (Distribuições Disponíveis são Sid, Jessie e Wheezy):

# echo ‘deb http://ossec.wazuh.com/repos/apt/debian wheezy main’ >> /etc/apt/sources.list

Ou adicione o repositório para ubuntu (Distribuições Disponíveis, Trusty e Utopic):

# echo ‘deb http://ossec.wazuh.com/repos/apt/ubuntu precise main’ >> /etc/apt/sources.list

3º Faça o update do repositório:

# apt-get update

4º Instalar o OSSEC HIDS Server/Manager:

# apt-get install ossec-hids

Ou instalar OSSEC HIDS agente:

# apt-get install ossec-hids-agent



Chave PGP

Antes de instalar qualquer pacote, recomendamos que você verifique-o usando a  chave PGP. Siga estas duas etapas, se você não está acostumado a usar o gpg. Você primeiro precisa importar a chave pública:

ossec-test# wget --user-agent=ossec http://www.ossec.net/files/OSSEC-PGP-KEY.asc
ossec-test# gpg --import OSSEC-PGP-KEY.asc


E, em seguida, verificar cada arquivo contra a sua assinatura:

ossec-test# gpg --verify file.sig file

Você deve obter o seguinte resultado:


gpg: Signature made Tue 19 Jul 2011 03:13:58 PM BRT using RSA key ID A3901351
gpg: Good signature from “Daniel B. Cid ”
Primary key fingerprint: 6F11 9E06 487A AF17 C84C E48A 456B 17CF A390 1351


Para fazer o download manuel | OSSEC HIDS

Para quem quiser se aprofundar mais recomendo fazer os cursos  online.

Offensive Sec

Read More