Category Archives: Security

Cisco VPN Client no longer works on Windows 10

After upgrading to Windows 10 (or installing fresh, I guess), the Cisco VPN Client (the old IKEv1 version) no longer works. If you upgraded, the “Cisco VPN Client” service is missing, and if you type “VPN” into Cortana the “VPN Client” no longer shows up. Trying to reinstall gives the error

Your app does not work with Windows 10

Ryan Ternier has worked out a fix and I’m publishing it here so it’s easier for me to find…here it is in the long form:

  1. Click on the Start button -> Settings -> System -> Apps and Features -> Uninstall Cisco VPN Client
  2. Now download the Sonicwall VPN Client from http://help.mysonicwall.com/applications/vpnclient/
  3. Install the Sonicwall VPN Client
  4. Extract vpnclient-winx64-msi-5.0.07.0440-k9.exe, right-click vpnclient_setup.msi and select Install
  5. Run through the installer steps
  6. Once done, click on the Start button, type Regedit and run it as administrator
  7. Browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CVirtA and edit the “DisplayName” REG_SZ value.
  8. Change the contents of DisplayName from “@oem8.inf,%CVirtA_Desc%;Cisco Systems VPN Adapter for 64-bit Windows” to “Cisco Systems VPN Adapter for 64-bit Windows”
  9. Either reboot or start services.msc and start the Cisco VPN service
  10. Open the VPN client as normal and try to connect
  11. It should now work again.

Thanks to Ryan Ternier and OCGrumpa in post http://weblogs.asp.net/rternier/getting-cisco-s-ipsec-vpn-client-working-on-windows-10.


Firesight integration with OSSIM

Firesight (Sourcefire, now part of Cisco) was originally developed by the same people who wrote Snort, and it runs the commercial VRT Snort ruleset underneath. Its syslog alerts are in a slightly different format from Snort’s, but OSSIM’s snort-syslog plugin can be tweaked to read them.

1. In your Firesight intrusion policy click on Advanced Settings -> Syslog Alerting.

2. Type in the IP of your OSSIM server and assign a priority etc.

3. Save and push the policy to your Sourcefire nodes.

4. Now on the OSSIM box connect over SSH and select Jailbreak from the menu.

5. Now we need to route the alerts into the Snort alert file that the snort-syslog plugin reads. Create a new file /etc/rsyslog.d/zzzzz_snort_syslog.conf and add this text:

# Write Firesight (SFIMS) messages to the Snort alert file and then discard them
# so they are not also written to the normal syslog files. '& ~' is the legacy
# rsyslog discard action (the equivalent of 'stop' in newer versions).
if $msg contains 'SFIMS' then -/var/log/snort/alert
& ~
if $syslogtag contains 'SFIMS' then -/var/log/snort/alert
& ~

6. Now you need to edit the snort-syslog config file so that it can understand the Firesight format. Edit /etc/ossim/agent/plugins/snort_syslog.cfg and at the bottom add:

[05_snort-syslog-sourcefire-format]
event_type=event
regexp=(\w+\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+([a-zA-Z0-9\-]+)\s+[SFIMS:]{1,6}\s+\[([a-zA-Z0-9_\s]+)\s+\(([0-9a-z\-]+)\)\]\[(.+)\]\[(([0-9]+)\:([0-9]+)\:[0-9]+)\]\s+\"(.+)\"\s+\[Classification\:\s+(.+)\]\s+User\:\s+(.+)\,\s+Application\:\s+(.+)\,\s+Client:\s+(.+)\,\s+App Protocol\:\s+(.+)\,\s+Interface Ingress\:\s+([a-zA-Z\-\_0-9]+)\,\s+Interface Egress\:\s+([a-zA-Z\-\_0-9]+)\,\s+Security Zone Ingress\:\s+([a-zA-Z\-\_0-9]+)\,\s+Security Zone Egress\:\s+([a-zA-Z\-\_0-9]+)\,\s+Context\:\s+([a-zA-Z\-\_0-9]+)\,\s+\[Priority\:\s+([0-9]+)\]\s+\{([A-Z]+)\}\s+([0-9.]+):([0-9]+)\s->\s([0-9.]+):([0-9]+)
date={normalize_date($1)}
device={resolv($2)}
plugin_id=1001
plugin_sid={$8}
protocol={$21}
src_ip={$22}
src_port={$23}
dst_ip={$24}
dst_port={$25}
userdata1={$5}
userdata2={$4}
userdata3={$9}
userdata4={$15}
userdata5={$16}
userdata6={$17}
userdata7={$18}
userdata8={$20}

7. Save the file.

8. Now enable the collector. Type ossim-setup to load the OSSIM curses GUI, choose Configure Sensor -> Configure Data Source Plugins -> select snort-syslog and click OK -> Back -> Apply all Changes. This will start the snort-syslog collector.

9. Generate some dummy alerts in Sourcefire, then come back and check in the OSSIM GUI that they have been processed.


Keeping OSSIM DB tables in check

In every OSSIM install I have done I’ve found the built-in system for keeping the database at a manageable size doesn’t work very well. Eventually several tables gobble up all the disk space and fill the MySQL partition. To make matters worse, the default install uses a single ibdata file, and that space doesn’t get released when you delete entries from a table.

So, I wrote this script to periodically check several problem tables and remove the oldest entries when they grow past a certain size. What that size should be depends on your environment. The tables I found to be the problem were:

  • alienvault.extra_data
  • alienvault_siem.extra_data
  • alienvault.host_qualification
  • alienvault_siem.acid_event

I’ve just copied and pasted the same code 4 times as I was feeling lazy. You can find the MySQL root password in /etc/ossim/ossim_setup.conf; put it into the MYSQL_PASS variable. By default the script checks whether the number of rows in the table is greater than the THRESHOLD_ROWS value of 5000000. It removes the rows above that threshold, up to 5000000 in one go, so you should probably set it to run frequently, say hourly on a busy system.


#!/bin/bash
# Trim oversized OSSIM tables: when a table has more than THRESHOLD_ROWS rows,
# delete the oldest ones (ordered by TARGET_COL_ORDER), at most ROWS_PER_RUN per run.
MYSQL_USER="root"
# Root password from /etc/ossim/ossim_setup.conf. Note that --password= on the
# command line is visible to other local users in the process list; putting the
# credentials in a [client] section of ~/.my.cnf (mode 0600) avoids that.
MYSQL_PASS="123456789"
THRESHOLD_ROWS=5000000
TARGET_DB="alienvault"
TARGET_TABLE="extra_data"
TARGET_COL_ORDER="event_id"
ROWS_PER_RUN=5000000

echo "Getting row count from table $TARGET_DB.$TARGET_TABLE"
numrows=`mysql -u $MYSQL_USER --password=$MYSQL_PASS -e "select count($TARGET_COL_ORDER) from $TARGET_DB.$TARGET_TABLE" | grep -v count | grep -v "-"`

echo "Got $numrows rows from table $TARGET_DB.$TARGET_TABLE"

if [ $numrows -gt $THRESHOLD_ROWS ]
then
        let "rowstodelete = $numrows - $THRESHOLD_ROWS"
        if [ $rowstodelete -gt $ROWS_PER_RUN ]
        then
                echo "Deleting $ROWS_PER_RUN from table $TARGET_DB.$TARGET_TABLE"
                result=`mysql -u $MYSQL_USER --password=$MYSQL_PASS -e "delete from $TARGET_DB.$TARGET_TABLE order by $TARGET_COL_ORDER ASC LIMIT $ROWS_PER_RUN"`
        else
                echo "Deleting  $rowstodelete from table $TARGET_DB.$TARGET_TABLE"
                result=`mysql -u $MYSQL_USER --password=$MYSQL_PASS -e "delete from $TARGET_DB.$TARGET_TABLE order by $TARGET_COL_ORDER ASC LIMIT $rowstodelete"`
        fi
        echo "Result=$result (blank is good)"
else
        echo "Number of rows = $numrows which not more than $THRESHOLD_ROWS so nothing to do."
fi

TARGET_DB="alienvault_siem"
TARGET_TABLE="extra_data"
TARGET_COL_ORDER="event_id"

echo "Getting row count from table $TARGET_DB.$TARGET_TABLE"
numrows=`mysql -u $MYSQL_USER --password=$MYSQL_PASS -e "select count($TARGET_COL_ORDER) from $TARGET_DB.$TARGET_TABLE" | grep -v count | grep -v "-"`

echo "Got $numrows rows from table $TARGET_DB.$TARGET_TABLE"

if [ $numrows -gt $THRESHOLD_ROWS ]
then
        let "rowstodelete = $numrows - $THRESHOLD_ROWS"
        if [ $rowstodelete -gt $ROWS_PER_RUN ]
        then
                echo "Deleting $ROWS_PER_RUN from table $TARGET_DB.$TARGET_TABLE"
                result=`mysql -u $MYSQL_USER --password=$MYSQL_PASS -e "delete from $TARGET_DB.$TARGET_TABLE order by $TARGET_COL_ORDER ASC LIMIT $ROWS_PER_RUN"`
        else
                echo "Deleting  $rowstodelete from table $TARGET_DB.$TARGET_TABLE"
                result=`mysql -u $MYSQL_USER --password=$MYSQL_PASS -e "delete from $TARGET_DB.$TARGET_TABLE order by $TARGET_COL_ORDER ASC LIMIT $rowstodelete"`
        fi
        echo "Result=$result (blank is good)"
else
        echo "Number of rows = $numrows which not more than $THRESHOLD_ROWS so nothing to do."
fi

TARGET_DB="alienvault"
TARGET_TABLE="host_qualification"
TARGET_COL_ORDER="hex(host_id)"

echo "Getting row count from table $TARGET_DB.$TARGET_TABLE"
numrows=`mysql -u $MYSQL_USER --password=$MYSQL_PASS -e "select count(host_id) from $TARGET_DB.$TARGET_TABLE" | grep -v count | grep -v "-"`

echo "Got $numrows rows from table $TARGET_DB.$TARGET_TABLE"

if [ $numrows -gt $THRESHOLD_ROWS ]
then
        let "rowstodelete = $numrows - $THRESHOLD_ROWS"
        if [ $rowstodelete -gt $ROWS_PER_RUN ]
        then
                echo "Deleting $ROWS_PER_RUN from table $TARGET_DB.$TARGET_TABLE"
                result=`mysql -u $MYSQL_USER --password=$MYSQL_PASS -e "delete from $TARGET_DB.$TARGET_TABLE order by $TARGET_COL_ORDER ASC LIMIT $ROWS_PER_RUN"`
        else
                echo "Deleting  $rowstodelete from table $TARGET_DB.$TARGET_TABLE"
                result=`mysql -u $MYSQL_USER --password=$MYSQL_PASS -e "delete from $TARGET_DB.$TARGET_TABLE order by $TARGET_COL_ORDER ASC LIMIT $rowstodelete"`
        fi
        echo "Result=$result (blank is good)"
else
        echo "Number of rows = $numrows which not more than $THRESHOLD_ROWS so nothing to do."
fi

TARGET_DB="alienvault_siem"
TARGET_TABLE="acid_event"
TARGET_COL_ORDER="timestamp"

echo "Getting row count from table $TARGET_DB.$TARGET_TABLE"
numrows=`mysql -u $MYSQL_USER --password=$MYSQL_PASS -e "select count($TARGET_COL_ORDER) from $TARGET_DB.$TARGET_TABLE" | grep -v count | grep -v "-"`

echo "Got $numrows rows from table $TARGET_DB.$TARGET_TABLE"

if [ $numrows -gt $THRESHOLD_ROWS ]
then
        let "rowstodelete = $numrows - $THRESHOLD_ROWS"
        if [ $rowstodelete -gt $ROWS_PER_RUN ]
        then
                echo "Deleting $ROWS_PER_RUN from table $TARGET_DB.$TARGET_TABLE"
                result=`mysql -u $MYSQL_USER --password=$MYSQL_PASS -e "delete from $TARGET_DB.$TARGET_TABLE order by $TARGET_COL_ORDER ASC LIMIT $ROWS_PER_RUN"`
        else
                echo "Deleting  $rowstodelete from table $TARGET_DB.$TARGET_TABLE"
                result=`mysql -u $MYSQL_USER --password=$MYSQL_PASS -e "delete from $TARGET_DB.$TARGET_TABLE order by $TARGET_COL_ORDER ASC LIMIT $rowstodelete"`
        fi
        echo "Result=$result (blank is good)"
else
        echo "Number of rows = $numrows which not more than $THRESHOLD_ROWS so nothing to do."
fi

You can also download the script here.


NXlog – Parsing Squid access logs to json

For those of you using nxlog agents to parse logs here is a working squid access.log configuration:

<Extension squid_parse_action>
      Module xm_csv
      Fields $HTTPMethod, $HTTPResponseStatus
      FieldTypes string, string
      Delimiter '/'
      EscapeControl FALSE
      UndefValue -
</Extension>

<Extension squid_parse_hierarchy>
      Module xm_csv
      Fields $action, $dst_ip
      FieldTypes string, string
      Delimiter '/'
      EscapeControl FALSE
      UndefValue -
</Extension>

<Input in_file_squid_access_log>
      Module im_file
      File "/var/log/squid/access.log"
      SavePos TRUE
      ReadFromLast TRUE
      Exec if $raw_event =~ /^(\S+)\s+(\S+) (\S+) (\S+) (\S+) (\S+) (\S+) (\S+) (\S+) (\S+)/ \
      { \
           $epochtimetmp = $1; \
           $duration = $2; \
           $src_ip = $3; \
           squid_parse_action->parse_csv($4);\
           $FileSize = $5; \
           $HTTPMethod = $6; \
           $HTTPURL = $7; \
           $ident = $8; \
           squid_parse_hierarchy->parse_csv($9); \
           $contenttype = $10; \
           if $epochtimetmp =~ s/\.//g; \
           $epochtime=integer($epochtimetmp)*1000;\
           $EventTime = datetime($epochtime); \
           $type = "squid_access_log"; \
           $Hostname = hostname(); \
           $MessageSourceAddress = hostname(); \
           $Message = $raw_event; \
           to_json();\
      } \
      else \
      {\
           $Hostname = hostname(); \
           $MessageSourceAddress = hostname(); \
           $Message=$raw_event; \
           to_json();\
      }
</Input>

The timestamp in the squid log file is Unix epoch time in seconds, with the milliseconds after the decimal point. nxlog’s datetime() function converts epoch time into a datetime but expects an integer number of microseconds. For this reason the config removes the decimal point (leaving milliseconds) and multiplies the result by 1000 to get microseconds.
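The same parsing carried out in Python, as an added example that is not part of the post or of nxlog: it applies the same ten-field regex, splits $4 and $9 on “/” the way the two xm_csv extensions do, and performs the epoch-to-microseconds conversion. It goes beyond the config in two places: the cache result from $4 is kept in its own field instead of being overwritten when $6 is assigned to $HTTPMethod, and the timestamp conversion pads the fraction to six digits rather than assuming squid always writes exactly three. The sample log lines are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# The same ten whitespace-separated fields the nxlog Exec regex captures.
SQUID_RE = re.compile(r"^(\S+)\s+(\S+) (\S+) (\S+) (\S+) (\S+) (\S+) (\S+) (\S+) (\S+)")

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def squid_epoch_micros(ts_field):
    """Convert squid's 'seconds.milliseconds' stamp to integer microseconds.

    The nxlog config deletes the '.' and multiplies by 1000, which is right as
    long as squid writes exactly three fractional digits. Padding (or
    truncating) the fraction to six digits gives the same answer for that case
    and stays correct if the fraction is ever a different width.
    """
    secs, _, frac = ts_field.partition(".")
    return int(secs) * 1_000_000 + int((frac or "0").ljust(6, "0")[:6])


def squid_epoch_datetime(ts_field):
    """Equivalent of nxlog's datetime() applied to the microsecond count."""
    return EPOCH + timedelta(microseconds=squid_epoch_micros(ts_field))


def parse_squid_line(raw_event):
    """Mirror the Exec block: a matching line gets the parsed fields, any other
    line is passed through with just the message (the 'else' branch)."""
    event = {"Message": raw_event}
    m = SQUID_RE.match(raw_event)
    if m is None:
        return event
    # $4 is e.g. TCP_MISS/200 and $9 is e.g. HIER_DIRECT/192.0.2.10; the two
    # xm_csv extensions split these on '/'. UndefValue '-' becomes undefined.
    cache_result, _, status = m.group(4).partition("/")
    hier_action, _, peer = m.group(9).partition("/")
    event.update({
        "EventTime": squid_epoch_datetime(m.group(1)).isoformat(),
        "duration": int(m.group(2)),
        "src_ip": m.group(3),
        "cache_result": cache_result,   # kept, rather than overwritten by $6
        "HTTPResponseStatus": status,
        "FileSize": int(m.group(5)),
        "HTTPMethod": m.group(6),
        "HTTPURL": m.group(7),
        "ident": None if m.group(8) == "-" else m.group(8),
        "action": hier_action,
        "dst_ip": None if peer == "-" else peer,
        "contenttype": m.group(10),
        "type": "squid_access_log",
    })
    return event


# Constructed squid native-format lines (not taken from a real proxy).
SAMPLE_MISS = ("1389696000.123    245 10.0.0.5 TCP_MISS/200 1532 GET "
               "http://example.com/index.html - HIER_DIRECT/192.0.2.10 text/html")
SAMPLE_DENIED = ("1389696001.500      0 10.0.0.5 TCP_DENIED/403 3621 CONNECT "
                 "blocked.example:443 - HIER_NONE/- text/html")

if __name__ == "__main__":
    for line in (SAMPLE_MISS, SAMPLE_DENIED, "not a squid line"):
        print(parse_squid_line(line))
```

The denied line shows why UndefValue matters: squid writes “HIER_NONE/-” when there is no upstream peer, and without that mapping you would ship a literal “-” as dst_ip into your JSON.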


A hacked together bash script to scan for heartbleed vulnerable services

Here’s a script to scan networks for services vulnerable to the Heartbleed OpenSSL bug. It uses nmap to find hosts that respond to ping and to get the list of open ports on each, then uses the hb_test.py script to check whether each port is vulnerable.

Grab the hb_test.py script here.

Edit the network variable in the script to change the list of networks to scan.

#!/bin/bash

# This is the string we're looking for in the python script output
pattern="server is vulnerable"

# Networks to scan
network="192.168.0.0/24 192.168.1.0/24"

echo -ne "Scanning network(s) $network                                                 \r"

# Use nmap to find the IPs that ping in the networks listed
network_ips=(`nmap -n -sn -PE $network | grep "Nmap scan" | awk '{print $5}' | awk 1 ORS=' '`)

for ip in "${network_ips[@]}"
do
    echo -ne "NMAP port scan on $ip                                              \r"
    # Get a list of open ports on the IP address
    ports=(`nmap -sT $ip | grep open | awk '{print $1}' | awk -F '/' '{print $1}' | awk 1 ORS=' '`)
    # Note: this is the exit status of the last command in the pipeline (awk), not of nmap
    rc=$?
    if [[ $rc -eq 0 ]] ; then
        for p in "${ports[@]}"
        do
            echo -ne "Scanning $ip on port $p                            \r"
            # If the port is 25 then let's try STARTTLS
            if [[ $p -eq 25 ]] ; then
                echo -ne "Scanning $ip on port $p (smtp)             \r"
                output=`timeout 1 python ./hb_test.py $ip -s -p $p 2>&1`
            else
                # Otherwise just do normal SSL
                output=`timeout 1 python ./hb_test.py $ip -p $p 2>&1`
            fi
            # Check if the text output matched
            if echo "$output" | grep -q "$pattern"; then
                echo "$ip - port $p - VULNERABLE"
            fi
        done
    fi
done


OSSIM directive taxonomy settings do not update / save

When you try to edit the Taxonomy settings for a user generated directive in OSSIM the changes do not save. Instead the webpage updates and shows the old settings.

This happened for me when I upgraded to 4.3.4.

To fix it, clear out the taxonomy values for the directive in the alarm_taxonomy table and then re-enter them using the web GUI. The problem seems to be that OSSIM adds a second entry to the table rather than updating the existing one.

1. SSH to the OSSIM box holding the mysql database
2. Backup your database before editing the tables
3. Then type

ossim-db
select * from alarm_taxonomy WHERE sid like '5000%';

This should list the taxonomy for your generated directives (they’re all in the 50000 range). For the exact sids check the /etc/ossim/server/<GUID>/user.xml file.

Now clear the problem directive that won’t update (for example sid number 500010):

delete from alarm_taxonomy WHERE sid='500010';

Now open the web interface; the taxonomy for that directive should be cleared. Edit it, set it correctly, and restart ossim-server by clicking on the button at the top.

Your taxonomy settings should have updated OK.


Alienvault OSSIM: Asset page broken after upgrading to 4.4

After upgrading OSSIM to 4.4.0 (or 4.4.1) the Asset section may show the error:

Operation was not completed due to an database error

If you then check the status of the table on the CLI you’ll find the table is missing!

alienvault:~# ossim-db
mysql> select * from asset limit 1;
ERROR 1146 (42S02): Table 'alienvault.asset' doesn't exist
mysql> quit

To resolve this, re-run the SQL upgrade scripts, which should recreate the table (albeit empty):

cd /usr/share/ossim/include/upgrades
gunzip 4.4.0_mysql.sql.gz
gunzip 4.4.1_mysql.sql.gz
ossim-db < 4.4.0_mysql.sql
ossim-db < 4.4.1_mysql.sql

Then reload the Assets page and it should work.


Logstash: Received an event that has a different character encoding

When using logstash you may see an error like this one:

Received an event that has a different character encoding than you configured. {:text=>"1.2.3.4\\t\\\"www.google.com\\\"\\t-\\t-\\t[01/Feb/2014:11:45:56 +0000]\\t\\\"-\\\"\\t\\\"GET /index.html\\xA0 HTTP/1.1\\\"\\t404\\t14015\\t\\\"80778000924267169,0:1:1\\\"\\tN\\t0.041725\\t0.040730\\t0.000695", :expected_charset=>"UTF-8", :level=>:warn}

This is because the default charset is UTF-8 and the incoming message contained bytes that are not valid UTF-8, for example single-byte Latin-1 characters such as:

\xA0                 non-breaking space
\xA3                 £

To fix this, set the charset in the input section using the codec option with the correct charset. For example, for a file input:

file {
    path => "/var/log/http/access_log"
    type => "apache_access_log"
    codec => plain {
        charset => "ISO-8859-1"
    }
    stat_interval => 60
}

For a full list of charset options you can use, check the Logstash codec documentation.
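Before changing the charset it is worth confirming which byte is actually tripping the UTF-8 decoder, since switching to ISO-8859-1 on a log that is really UTF-8 turns every “é” into “Ã©”. The Python check below is an added example (not part of the post or of Logstash): it takes the raw bytes of the event from the warning above, reports the first invalid byte and its offset, and shows which of a list of candidate charsets accepts the line. The event bytes are reconstructed from the escaped text in the warning, so they are a constructed sample.

```python
# Raw bytes of the event quoted in the Logstash warning, reconstructed from the
# escaped text (constructed sample). The \xa0 inside the request line is the
# byte that is not valid UTF-8.
SAMPLE_EVENT = (
    b'1.2.3.4\t"www.google.com"\t-\t-\t[01/Feb/2014:11:45:56 +0000]\t"-"\t'
    b'"GET /index.html\xa0 HTTP/1.1"\t404\t14015\t"80778000924267169,0:1:1"\t'
    b'N\t0.041725\t0.040730\t0.000695'
)


def find_invalid_utf8(raw):
    """Return (offset, byte) of the first byte that breaks UTF-8 decoding,
    or None when the whole line is valid UTF-8."""
    try:
        raw.decode("utf-8")
    except UnicodeDecodeError as exc:
        return exc.start, raw[exc.start]
    return None


def choose_charset(raw, candidates=("utf-8", "iso-8859-1")):
    """First candidate charset under which the bytes decode cleanly.

    ISO-8859-1 maps every one of the 256 byte values to a code point, so it
    never fails; keep it last or it will mask logs that are really UTF-8.
    """
    for charset in candidates:
        try:
            raw.decode(charset)
            return charset
        except UnicodeDecodeError:
            continue
    return None


def decode_event(raw, charset):
    """Decode one event the way codec => plain { charset => "..." } would."""
    return raw.decode(charset)


if __name__ == "__main__":
    print("invalid UTF-8 at:", find_invalid_utf8(SAMPLE_EVENT))
    print("usable charset:", choose_charset(SAMPLE_EVENT))
    print(decode_event(SAMPLE_EVENT, "iso-8859-1"))
```

Run it over a few lines pulled from the file Logstash is reading; if find_invalid_utf8() keeps pointing at bytes in the 0x80 to 0xFF range on their own (rather than as part of a multi-byte sequence), the source is writing Latin-1 and the charset change above is the right fix.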


How to run Alienvault OSSIM 4.2 in (custom) text mode

This is also a fix for

  1. GUI installer hanging on “Configure network” when you try and enter the IP address
  2. Configuring disk setup
  3. Selecting which components to install

These options were available in 4.1 but were removed from the boot menu of the installer in 4.2.

The options are still there though. To run the custom text installer do the following:

  1. Boot from the OSSIM 4.2 CD
  2. At the installer menu highlight USM 4.2 (the top one)
  3. Hit the TAB key
  4. Edit the kernel boot line so it reads as follows (all on one line):
     /install.amd/vmlinux preseed/file=/cdrom/preseed debian/priority=low preseed/interactive=true vga=normal initrd=/install.amd/initrd.gz quiet ALLinONEauto --
  5. Then hit Enter to boot into custom text mode.

For the lazy out there you can also:

  1. Put the 4.1 installer CD in the CDROM and boot to the menu.
  2. Swap the CD over and put in the 4.2 CD
  3. Select custom text mode from the menu

It’ll then boot.

Q.E.D?


Updating to OSSIM 4.1.3 causes ossim-agent not to start

After updating OSSIM via the updater, ossim-agent starts and then stops. No logs are parsed, and both /var/log/ossim/agent.log and /var/log/ossim/agent_error.log are empty or contain only old information. Listing the processes shows that the agent is not running.

When the agent is started manually using

/usr/bin/ossim-agent -v 

the following error is logged:

OSError: [Errno 2] No such file or directory: '/etc/ossim/agent/host_cache_pro.dic

Looking in the /etc/ossim/agent directory there is no host_cache_pro.dic file but there is a host_cache.dic.

To fix it, rename host_cache.dic to host_cache.dic.old and restart ossim-agent.

cd /etc/ossim/agent
mv host_cache.dic host_cache.dic.old
/etc/init.d/ossim-agent restart

The agent should now start and write to the agent.log and start processing.