Tag Archives: security

Cisco VPN Client no longer works on Windows 10

After upgrading to Windows 10 (or installing fresh I guess), Cisco VPN Client (the old IKE1 version) no longer works. If you upgraded the “Cisco VPN Client” service is missing and if you type in “VPN” into Cortana the “VPN Client” no longer shows up. Trying to reinstall gives the error

Your app does not work with Windows 10

Ryan Ternier has worked out a fix and I’m publishing it here so it’s easier for me to find…here it is in the long form:

  1. Click on the Start button -> Settings -> System-> Apps and Features -> Uninstall Cisco VPN Client
  2. Now download the Sonicwall VPN Client from http://help.mysonicwall.com/applications/vpnclient/
  3. Install the Sonicwall VPN Client
  4. Extract the vpnclient-winx64-msi-5.0.07.0440-k9.exe and right click vpnclient_setup.msi and select Install
  5. Run through the installer steps
  6. Once done click on Start button and type Regedit as administrator
  7. Browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CVirtA and edit the “DisplayName” REG_SZ object.
  8. Change the contents of DisplayName from “@oem8.inf,%CVirtA_Desc%;Cisco Systems VPN Adapter for 64-bit Windows” to “Cisco Systems VPN Adapter for 64-bit Windows”
  9. Either reboot or start up services.msc and start the Cisco VPN service
  10. Open the VPN client as normal and try and connect
  11. It should now work again.

Thanks to Ryan Ternier and OCGrumpa in post http://weblogs.asp.net/rternier/getting-cisco-s-ipsec-vpn-client-working-on-windows-10.

Tagged , ,

Alienvault OSSIM: Asset page broken after upgrading to 4.4

After upgrading OSSIM to 4.4.0 (or 4.4.1) the Asset section may show the error:

Operation was not completed due to an database error

If you then check the status of the table on the CLI you’ll find the table is missing!

alienvault:~# ossim-db
mysql> select * from asset limit 1;
ERROR 1146 (42S02): Table 'alienvault.asset' doesn't exist
mysql> quit

To resolve re-run the SQL upgrade script which should recreate your table (albeit empty):

cd /usr/share/ossim/include/upgrades
gunzip 4.4.0_mysql.sql.gz
gunzip 4.4.1_mysql.sql.gz
ossim-db < 4.4.0_mysql.sql
ossim-db < 4.4.1_mysql.sql

Then reload the Assets page and it should work.

Tagged , , ,

How to run Alienvault OSSIM 4.2 in (custom) text mode

This is also a fix for

  1. GUI installer hanging on “Configure network” when you try and enter the IP address
  2. Configuring disk setup
  3. Selecting which components to install

These options were available in 4.1 but were removed from the boot menu of the installer in 4.2.

The options are still there though. To run the custom text installer do the following:

  1. Boot from the OSSIM 4.2 CD
  2. At the installer menu highlight USM 4.2 (the top one)
  3. Hit the TAB button
  4. Edit the kernel boot line so it shows as (all one line)
/install.amd/vmlinux preseed/file=/cdrom/preseed debian/priority=low preseed/interactive=true vga=normal initrd=/install.amd/initrd.gz quiet ALLinONEauto --

5. Then hit enter to boot into custom text mode.

For the lazy out there you can also:

  1. Put the 4.1 installer CD in the CDROM and boot to the menu.
  2. Swap the CD over and put in the 4.2 CD
  3. Select custom text mode from the menu

It’ll then boot.

Q.E.D?

Tagged , , ,

Scheduled backup over SCP fails to logon when configured in SPLAT Web GUI

In R75 when you create a backup job using the SCP method you may find that it fails to logon to the SCP server. If you check the logs it will show that the username/password failed.

This is because when you schedule the backup job in the web GUI it saves the password incorrectly in /var/CPbackup/conf/backup_sched.conf.

To fix this you must use the CLI to schedule the job. This saves the password correctly.

1. SSH from an allowed host to the management server

2. Schedule the backup:

backup  -l --sched on 07:00 -w 1 --scp <server IP> <username> <password>

3. Check that it worked OK in the GUI.

Tagged , ,

Enabling Open Threat Exchange (AV-OTX) in Alienvault

The Alienvault website has several posts about Open Threat Exchange but I wasn’t able to find instructions on how to enable it. Eventually I found the option hidden away in the advanced menu.

Here’s how to set it up:

1. Open the OSSIM web interface and click on the Configuration menu then Main

2. Select the Advanced tab and then select Open Threat Exchange

3. Select Yes from the dropdown to contribute to OTX

4. Click on the activation link. This takes you to the Alienvault website.

5. Fill out the form and submit it.

6. You’ll then get an email from Alienvault with a confirmation link. Click it and you will get a page saying that you’ve activated OTX.

7. Now go back to the OSSIM page and click on the Send Now button. This evaluates the threats your system has picked up and it will then show you a page like this one:

8. Click Send Now to send the details to Alienvault so they can be distributed to others.

Tagged , , , , ,

Changing default editor from Joe’s Own Editor to vim in Alienvault OSSIM

Personally I find the default editor in Alienvault OSSIM a real pain to use, especially when I’m trying to edit crontabs.

Here’s a quick way to change it:

1. Logon to the system via SSH with the account you want to change the editor on

2. Open the bashrc for that user:

vi ~/bashrc

3. At the bottom add in

export EDITOR=vi

4. Then hit the escape key and type

:wq

to save.

If you want nano just use nano in-place of vi. Then the next time you open crontab it’ll use your preferred editor (e.g. vi or nano).

 

Tagged , , , , , ,

Snare plugin not working on AlienVault OSSIM

Alienvault OSSIM is a great open-source product but I recently struggled to get my Snare logs to show up in the Security Events (SIEM) viewer.

First of all follow the steps in the Snare setup guide.

Now that you’ve setup snare and enabled the plugin you should see the plugin running when you go to Configuration -> Collection -> Sensors -> Click on the SIEM host. The SnareWindows plugin should show up as ENABLED and UP.

Check the Security Events for snare logs. They should look like:

Snare: A service was successfully sent a start/stop control

If you don’t see any then try this:

1. SSH to the server

2. As root type

vi /etc/ossim/agent/plugins/snare.cfg

3. Find the line that says:

location=/var/log/snare.log

4. Comment it out by putting a # at the start of the line so it looks like this:

#location=/var/log/snare.log

5. Now copy and paste the line and change the snare.log part to say messages so it looks like this:

#location=/var/log/snare.log
location=/var/log/messages

6. Restart the ossim-agent

/etc/init.d/ossim-agent restart

Now go back and check your Security Events view. If your problem was the same as mine then your snare logs should now start appearing.

Update

Perhaps the best way to reduce the CPU load caused by the agent parsing is to split the syslogs into separate log files using rsyslog. It needs a bit of planning in advance. Configure your snare installs to send their syslog messages to a particular facility, e.g. Local3. You can then setup rsyslog to split these into a new snare log.

Edit /etc/rsyslog.conf and scroll to the bottom and add in something like:

#Windows logs
if $syslogfacility-text == 'local3' then /var/log/snare.log

and restart the rsyslogd (/etc/init.d/rsyslog restart). Tail the /var/log/snare.log file to see if the logs are coming into the file correctly.

Now edit /etc/ossim/agent/plugins/snare.cfg and change the location line to point to this new log file:

location=/var/log/snare.log

Now edit the agent configuration file to include the plugin (/etc/ossim/agent/config.cfg). Scroll to the [plugins] section and check if the snare.cfg is listed. If it isn’t add it in:

snare-monitor=/etc/ossim/agent/plugins/snare.cfg

now restart the agent service

/etc/init.d/ossim-agent restart

and check back in the GUI.

If you still get nothing in the GUI it could be that the logs that are coming into the log file don’t match  the regex’s in the snare.cfg. To test this take a small sample of your logs and create a test log file, e.g tail -100 /var/log/snare.log > /var/log/snare-test.log. Now use the following to test the regex’s:

/usr/share/ossim/scripts/regexp.py /var/log/snare-test.log /etc/ossim/agent/plugins/snare.cfg q

You should see some lines being matched.

Some logs to check for errors:

/var/log/ossim/agent.log
/var/log/ossim/server.log

 

 

 

 

 

Tagged , , , , ,