Snort Rules Data Structure
The IDS program Snort uses a linked list to organize rules (RTN/OTN). This list is used at run time. How is it possible to view this data structure at run time?
Any tip would be helpful. Thanks and regards.
Jamada
I see a peculiar IPS event for “Bash Remote Code Injection (Shellshock) HTTP CGI (headers)”. Although I have configured on my FireEye NX box to block this event, this alert has been bothering me for a while now. How do I ensu… Continue reading FireEye IPS "Bash Remote Code Injection (Shellshock)" events
It seems that those free tools are almost exclusively running only on Unix or Linux systems. I can’t seem to find any that runs on windows.
Continue reading Are there any GUI for Snort that runs on windows platform? [on hold]
How do travel sites like Tripadvisor and Airbnb track their users' browser fingerprint and IP address and block them from making a second account from the same computer? Would using a Socks/proxy service or VPN work to make a second registrati… Continue reading How Travel Site like Tripadvisor, Airbnb track their user
I’ve recently started using Qubes OS and I want to set up a virtual IDS and IPS in separate VMs, but I can’t figure out how the communications between different VMs work here.
Each VM should be isolated and all the connections handled by a separate FirewallVM (sys-firewall), which is connected to the NetVM (sys-net), which, in the basic configuration, is the only one which has network devices attached (Ethernet and WiFi cards).
I’ve read the iptables rules in all VMs and I found the VM Manager automatically set up a DNAT redirection to let the DNS packets (port 53) exit through sys-net, but I can’t understand how all the packets can go through each layer and return back to the different original source AppVMs connected through sys-firewall.
For what concerns the IDS and IPS, I can easily handle and filter packets based on the content, but I can’t think how to filter, for example, source IP based on a blacklist, since I can’t see the real origin and since each VM is a separate system which can be based on different Templates (Fedora, Debian, Whonix, …) I think the packet options can be altered.
So, can the iptables rules and the auditing tools like Psad only be placed in the VM that is directly connected to the router?
Some basic info
I’ll post the sys-firewall and sys-net ifconfig and iptables-save outputs, to give you all the details.
VMs Details:
name | updbl | type | netvm | ip | ip back | gateway/DNS |
----------------+-------+-------+---------------+-------------+------------+-------------+
{dom0} | Yes | Admin | n/a | 10.137.0.2 | 10.137.0.1 | n/a |
{sys-net} | | Net | n/a | None | 10.137.1.1 | n/a |
{sys-firewall} | | Proxy | sys-net | 10.137.1.8 | 10.137.2.1 | 10.137.1.1 |
{sys-whonix} | | Proxy | sys-firewall | 10.137.2.10 | 10.137.3.1 | 10.137.2.1 |
{sys-usb} | | Net | n/a | None | 10.137.4.1 | n/a |
[fedora-23] | Yes | Tpl | *sys-firewall | 10.137.2.3 | n/a | 10.137.2.1 |
untrusted | | | *sys-firewall | 10.137.2.9 | n/a | 10.137.2.1 |
[debian-8] | Yes | Tpl | sys-firewall | 10.137.2.4 | n/a | 10.137.2.1 |
personal | | | - | None | n/a | n/a |
[whonix-gw] | Yes | Tpl | sys-whonix | 10.137.3.5 | n/a | 10.137.3.1 |
[whonix-ws] | Yes | Tpl | sys-whonix | 10.137.3.6 | n/a | 10.137.3.1 |
anon-whonix | | | sys-whonix | 10.137.3.11 | n/a | 10.137.3.1 |
sys-firewall iptables:
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:PR-QBS - [0:0]
:PR-QBS-SERVICES - [0:0]
-A PREROUTING -j PR-QBS
-A PREROUTING -j PR-QBS-SERVICES
-A POSTROUTING -o vif+ -j ACCEPT
-A POSTROUTING -o lo -j ACCEPT
-A POSTROUTING -j MASQUERADE
-A PR-QBS -d 10.137.2.1/32 -p udp -m udp --dport 53 -j DNAT --to-destination 10.137.1.1
-A PR-QBS -d 10.137.2.1/32 -p tcp -m tcp --dport 53 -j DNAT --to-destination 10.137.1.1
-A PR-QBS -d 10.137.2.254/32 -p udp -m udp --dport 53 -j DNAT --to-destination 10.137.1.254
-A PR-QBS -d 10.137.2.254/32 -p tcp -m tcp --dport 53 -j DNAT --to-destination 10.137.1.254
sys-firewall ifconfig:
eth0 Link encap:Ethernet HWaddr 00:16:3e:5e:6c:06
inet addr:10.137.1.8 Bcast:10.255.255.255 Mask:255.255.255.255
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:N errors:0 dropped:0 overruns:0 frame:0
TX packets:N errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:N errors:0 dropped:0 overruns:0 frame:0
TX packets:N errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
sys-net iptables:
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:PR-QBS - [0:0]
:PR-QBS-SERVICES - [0:0]
-A PREROUTING -j PR-QBS
-A PREROUTING -j PR-QBS-SERVICES
-A POSTROUTING -o vif+ -j ACCEPT
-A POSTROUTING -o lo -j ACCEPT
-A POSTROUTING -j MASQUERADE
-A PR-QBS -d 10.137.1.1/32 -p udp -m udp --dport 53 -j DNAT --to-destination 192.168.1.1
-A PR-QBS -d 10.137.1.1/32 -p tcp -m tcp --dport 53 -j DNAT --to-destination 192.168.1.1
-A PR-QBS-SERVICES -d 10.137.255.254/32 -i vif+ -p tcp -m tcp --dport 8082 -j REDIRECT
sys-net ifconfig:
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
loop txqueuelen 1 (Local Loopback)
RX packets N bytes N
RX errors 0 dropped 0 overruns 0 frame 0
TX packets N bytes N
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
vif62.0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.137.1.1 netmask 255.255.255.255 broadcast 0.0.0.0
ether fe:ff:ff:ff:ff:ff txqueuelen 32 (Ethernet)
RX packets N bytes N
RX errors 0 dropped 0 overruns 0 frame 0
TX packets N bytes N
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
wlp0s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.4 netmask 255.255.255.0 broadcast 192.168.1.255
ether 30:3a:64:3a:a2:2d txqueuelen 1000 (Ethernet)
RX packets N bytes N
RX errors 0 dropped 0 overruns 0 frame 0
TX packets N bytes N
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
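To make the forward and return path concrete, here is an added Python model of the nat chains posted above; it is not part of the question and not Qubes' own code. It parses the iptables-save rules of sys-firewall and sys-net, walks a DNS query from the untrusted AppVM (10.137.2.9) through PREROUTING (DNAT/REDIRECT) and POSTROUTING (MASQUERADE) in each VM, records the conntrack mapping each hop creates, and then undoes those mappings on the reply so the AppVM sees an answer from 10.137.2.1, the gateway it asked. The interface name vif9.0 for the AppVM-facing vif in sys-firewall is an assumption; vif62.0, eth0, wlp0s0 and all addresses come from the ifconfig and qvm-ls output above. Only what the posted nat rules do is modelled (no ports in the conntrack tuples, no filter table, no routing table beyond "local or upstream").

```python
"""Trace a packet through the Qubes nat chains of sys-firewall and sys-net (added example)."""
import ipaddress
import re
from dataclasses import dataclass, replace

# Rule text constructed from the iptables-save output in the question (nat table, -A lines only).
SYS_FIREWALL_NAT = """\
-A PREROUTING -j PR-QBS
-A PREROUTING -j PR-QBS-SERVICES
-A POSTROUTING -o vif+ -j ACCEPT
-A POSTROUTING -o lo -j ACCEPT
-A POSTROUTING -j MASQUERADE
-A PR-QBS -d 10.137.2.1/32 -p udp -m udp --dport 53 -j DNAT --to-destination 10.137.1.1
-A PR-QBS -d 10.137.2.1/32 -p tcp -m tcp --dport 53 -j DNAT --to-destination 10.137.1.1
"""
SYS_NET_NAT = """\
-A PREROUTING -j PR-QBS
-A PREROUTING -j PR-QBS-SERVICES
-A POSTROUTING -o vif+ -j ACCEPT
-A POSTROUTING -o lo -j ACCEPT
-A POSTROUTING -j MASQUERADE
-A PR-QBS -d 10.137.1.1/32 -p udp -m udp --dport 53 -j DNAT --to-destination 192.168.1.1
-A PR-QBS -d 10.137.1.1/32 -p tcp -m tcp --dport 53 -j DNAT --to-destination 192.168.1.1
-A PR-QBS-SERVICES -d 10.137.255.254/32 -i vif+ -p tcp -m tcp --dport 8082 -j REDIRECT
"""

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    in_if: str = ""   # interface the packet arrived on (set per hop)

@dataclass(frozen=True)
class Hop:
    name: str
    rules: str
    ingress_if: str   # vif facing the downstream VM
    ingress_ip: str   # "ip back" address on that vif
    egress_if: str    # interface toward the NetVM / physical network
    egress_ip: str    # address MASQUERADE substitutes on egress

# Hop order is downstream to upstream; vif9.0 is an assumed name, the rest is from the question.
HOPS = [
    Hop("sys-firewall", SYS_FIREWALL_NAT, "vif9.0", "10.137.2.1", "eth0", "10.137.1.8"),
    Hop("sys-net", SYS_NET_NAT, "vif62.0", "10.137.1.1", "wlp0s0", "192.168.1.4"),
]

RULE_RE = re.compile(r"-A (\S+)(.*?) -j (\S+)(?: --to-destination (\S+))?$")
OPT_RE = re.compile(r"(-{1,2}[a-z-]+) (\S+)")
TERMINAL = {"ACCEPT", "DROP", "DNAT", "SNAT", "MASQUERADE", "REDIRECT"}

def parse_nat(text):
    """{chain: [(match options, target, --to-destination), ...]} from iptables-save -A lines."""
    chains = {}
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            chain, opts, target, to = m.groups()
            chains.setdefault(chain, []).append((dict(OPT_RE.findall(opts)), target, to))
    return chains

def iface_match(pattern, name):
    """iptables '+' is a prefix wildcard: vif+ matches vif62.0."""
    return name.startswith(pattern[:-1]) if pattern.endswith("+") else name == pattern

def rule_matches(opts, pkt, out_if):
    if "-d" in opts and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(opts["-d"]):
        return False
    if "-p" in opts and opts["-p"] != pkt.proto:
        return False
    if "--dport" in opts and int(opts["--dport"]) != pkt.dport:
        return False
    if "-i" in opts and not iface_match(opts["-i"], pkt.in_if):
        return False
    if "-o" in opts and not (out_if and iface_match(opts["-o"], out_if)):
        return False
    return True

def walk(chains, chain, pkt, out_if=None):
    """First terminating verdict in a chain, descending into user chains; None = chain policy."""
    for opts, target, to in chains.get(chain, []):
        if not rule_matches(opts, pkt, out_if):
            continue
        if target in TERMINAL:
            return target, to
        verdict = walk(chains, target, pkt, out_if)   # user-defined chain, falls through on RETURN
        if verdict is not None:
            return verdict
    return None

def traverse(hop, pkt):
    """One VM: PREROUTING (DNAT/REDIRECT), routing decision, POSTROUTING (MASQUERADE)."""
    chains = parse_nat(hop.rules)
    before = pkt
    verdict = walk(chains, "PREROUTING", pkt)
    if verdict and verdict[0] == "DNAT":
        pkt = replace(pkt, dst=verdict[1])
    elif verdict and verdict[0] == "REDIRECT":      # REDIRECT = DNAT to the arriving interface's address
        pkt = replace(pkt, dst=hop.ingress_ip)
    if pkt.dst == hop.ingress_ip:                    # local delivery: POSTROUTING is never consulted
        return pkt, None, hop.name
    verdict = walk(chains, "POSTROUTING", pkt, hop.egress_if)
    if verdict and verdict[0] == "MASQUERADE":
        pkt = replace(pkt, src=hop.egress_ip)
    return pkt, (before.src, before.dst, pkt.src, pkt.dst), None

def trace(pkt, hops=HOPS):
    """Forward path: (packet leaving the last hop, conntrack tuples per hop, where it was delivered)."""
    table = []
    for hop in hops:
        pkt, ct, delivered = traverse(hop, replace(pkt, in_if=hop.ingress_if))
        if delivered:
            return pkt, table, delivered
        table.append(ct)
    return pkt, table, "upstream"

def reply(pkt, table):
    """Return path: each hop's conntrack entry undoes its own SNAT and DNAT, upstream first."""
    for orig_src, orig_dst, nat_src, nat_dst in reversed(table):
        if (pkt.src, pkt.dst) == (nat_dst, nat_src):
            pkt = replace(pkt, src=orig_dst, dst=orig_src)
    return pkt

if __name__ == "__main__":
    out, ct, where = trace(Packet("10.137.2.9", "10.137.2.1", "udp", 53))
    print("router sees", out.src, "->", out.dst, "delivered:", where)
    back = reply(Packet(out.dst, out.src, "udp", 0), ct)
    print("AppVM sees reply", back.src, "->", back.dst)
    print(trace(Packet("10.137.2.9", "10.137.255.254", "tcp", 8082)))
```

Running it shows the answer to the "how does it come back" part: every hop's MASQUERADE rewrites the source to its own egress address and stores the original tuple in conntrack, so the reply is un-NATted hop by hop without any rule mentioning the AppVM. It also shows why a source-IP blacklist cannot be applied in sys-net: by then every packet from every AppVM carries 10.137.1.8 as its source, so a filter on the real origin belongs in the VM directly downstream of the AppVMs (sys-firewall here), before POSTROUTING masquerades it. The last trace demonstrates the PR-QBS-SERVICES rule: traffic to 10.137.255.254:8082 is REDIRECTed to sys-net's own vif address and delivered locally.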
Can anyone list any and all ways they’re aware of to secure against Metasploit-based intrusion attacks?
I’ve had a long spate of files being deleted/copied from my machine and the lack of logs or evidence remaining might sug… Continue reading All known methods to detect and prevent Metasploit attacks? [on hold]
I intend to set up OSSEC and noticed there seem to be two main flavours: plain OSSEC and Wazuh fork.
From what I’ve been able to gather (from Wazuh’s website and documentation), the main advantages of Wazuh are:
its abili… Continue reading HIDS – Choosing between regular OSSEC or Wazuh fork
I’m creating Ansible roles which install and configure both snort and suricata environments in a couple of configuration variants.
Lastly I saw that developers left snorby project. What will be the best option for now to in… Continue reading Snort, suricata WebGUI
I have been trying to send the suricata logs to a remote syslog server. The remote server has syslog-ng installed on it. Can anybody please tell me how to send suricata logs
Continue reading Send logs to remote server from suricata? [on hold]
Source : 252.205.75.128
Destination : 221.58.178.105
Both IPs do not belong to us. Direction was inbound.
How is this possible?
Then why are these IP addresses routed to my network ?