
Wednesday, March 25, 2015

OSSIM WIDS howto

So, it took me a while to find this, and lo and behold, it's on GitHub.  Props to the maintainer, linked below.  That said: I am reposting the how-to page because you never know when things get deleted...

alienvault-ossim/HOWTO at master · jpalanco/alienvault-ossim:

If you want to talk about what this looks like in a fully functional environment, give me a shout.  You would be surprised to know what people are trying to do to your wifi.







CONFIGURATION PROCEDURE



WIDS

----



* Introduction



  Organizations that require Payment Card Industry Data Security Standard (PCI DSS) compliance need to follow a set of procedures when deploying 802.11 Wireless Local Area Networks (WLAN).

  AlienVault includes a Wireless Compliance module that helps organizations that require PCI DSS compliance.

  This module was developed using the information provided by Kismet, an Open Source wireless network detector, sniffer, and intrusion detection system.

  The PCI DSS module includes reports and statistics needed to perform a PCI DSS audit successfully.

  To run this module you must have Kismet installed on your wireless sensors; they feed the system with information about the wireless networks in the environment being monitored.



  - Kismet:



    Kismet is an 802.11 wireless network detector, sniffer, and intrusion detection system.

    Kismet will work with any wireless card which supports raw monitoring mode, and can sniff 802.11b, 802.11a, 802.11g, and 802.11n traffic (devices and drivers permitting).

    Kismet also sports a plugin architecture allowing for additional non-802.11 protocols to be decoded.

    Kismet identifies networks by passively collecting packets and detecting networks, which allows it to detect (and given time, expose the names of) hidden networks and the presence of non-beaconing networks via data traffic.

    Kismet will work with any distribution of Linux. Currently, Linux is the recommended platform for running Kismet because it has the largest selection of rfmon capable drivers.

    Kismet is distributed under the GNU General Public License.





* Requirements



  In order to install Kismet in your Sensors you will need a wireless card which supports raw monitoring mode.

  Kismet Documentation includes a list of known supported wireless cards:

 

        Atmel_USB, ACX100, ADMTek, Atheros, Cisco, Prism2,  Orinoco, WSP100, Drone, wtapfile, pcapfile, wrt54g, ipw2100,

        rt2400, rt2500, rt73, rt8180, ipw2200, ipw2915, ipw3945, iwl3945, iwl4965, iwl5000, iwlagn, iwl5100, iwl5300, Broadcom 43xx

   

    This tutorial was written using a Wireless Card with the RT8718 chipset. Internet connection is required when installing Kismet in the AlienVault Sensor.

    This tutorial explains how to set up a remote host running Kismet (REMOTE_WIDS).

    An AlienVault Sensor will collect the WIDS events from the remote Wireless Sensor.



  - Location of the wireless Sensor:



When installing the wireless card you need to make sure that the Wireless Sensor will be deployed in a location in which wireless networks can be monitored.

It doesn't make sense to monitor wireless networks from a basement, a parking garage or a closed rack cabinet.





* Installation



  To install Kismet execute the following commands in the Linux Terminal:

 

    # apt-get update

    # apt-get install kismet firmware-*

 

  Kismet will be installed as well as some other libraries required to run Kismet.

 

    av-wireless-sensor# apt-get install kismet

    Reading package lists... Done

    Building dependency tree      

    Reading state information... Done

    The following extra packages will be installed:

      libc-ares2 libcap2-bin libsmi2ldbl wireshark wireshark-common

    Suggested packages:

      sox festival gpsd libcap-dev snmp-mibs-downloader

    The following NEW packages will be installed:

      kismet libc-ares2 libcap2-bin libsmi2ldbl wireshark wireshark-common

    0 upgraded, 6 newly installed, 0 to remove and 316 not upgraded.

    Need to get 15.9MB of archives.

    After this operation, 64.0MB of additional disk space will be used.

    Do you want to continue [Y/n]? y





* Configuration



  Once Kismet has been installed you will need to set the Kismet configuration based on the Chipset of the Wireless Network card being used.

  You will also need to enable the Kismet plugin in the AlienVault Sensor so that AlienVault can start collecting events generated by Kismet.

 

  - Kismet Configuration

 

    Kismet configuration is stored in the following file:

 

      /etc/kismet/kismet.conf

 

    To start configuring Kismet you will need to find out which network interface Kismet will use. To do that execute the following command:

   

      # iwconfig

   

    The output of the command lists all the network interfaces and indicates whether each one has been recognized as a wireless card or not. In this case our wireless card can be identified by the tag "wlan0":

   

      av-wireless-sensor# iwconfig

      lo        no wireless extensions.



      eth0      no wireless extensions.



      wlan0     IEEE 802.11bg  ESSID:off/any

                Mode:Managed  Access Point: Not-Associated   Tx-Power=20 dBm  

                Retry  long limit:7   RTS thr:off   Fragment thr:off

                Encryption key:off

                Power Management:off

   

    To configure your wireless card in the Kismet main configuration file (/etc/kismet/kismet.conf) find the following line:

   

      source=none,none,addme

     

    and replace it based on the chipset your wireless card runs and the tag that the system has assigned to your wireless card:

   

      source=rt8180,wlan0,wlan0-av1

     

    Sources are defined as:

   

      source=sourcetype,interface,name

     

      1. sourcetype: Source types that can be used to set this configuration can be found in a README file at /usr/share/doc/kismet/README.gz (Capture Sources section).

      2. interface: This is the name given by the operating system to the wireless card (in the example, wlan0)

      3. name: Descriptive name to identify this source

     

    In this case the Wireless card with the chipset RT8717 uses the source type rt8180.

    Now it is time to configure the Kismet logging template. To do this find this line in /etc/kismet/kismet.conf:

   

      logdefault=Kismet

     

    and replace Kismet by the IP address of your Wireless Sensor (E.g: 192.168.1.133). This IP address will be used later when inserting the Wireless Sensor in the AlienVault Asset inventory:

   

      logdefault=192.168.1.133

     

    To configure the name of the files that Kismet will be creating find the following line in /etc/kismet/kismet.conf:

   

      logtemplate=/var/log/kismet/%n-%d-%i.%l

     

    and replace it using the following line:

   

      logtemplate=/var/log/kismet/%n_%D-%i.%l

     

    Make sure the following parameters have these values:

   

      configdir=/var/lib/kismet/

      logexpiry=3600

     

    To make sure that the new configuration does not break Kismet, start Kismet by executing the following command in a Linux terminal:

   

      # kismet

     

    If the configuration loads successfully Kismet will start and display a Welcome message.

    Configure Rsyslog in the remote host running the WIDS to forward the events to the AlienVault Sensor:

    Create the following file under /etc/rsyslog.d/

   

      /etc/rsyslog.d/wids_alienvault.conf

   

    with the following content:

   

      *.*                             @ALIENVAULT_SENSOR_IP

     

    and reload Rsyslog configuration in the remote host using the following command:

   

      /etc/init.d/rsyslog reload

     

    Finally, start Kismet in the remote host running the WIDS using the following command:

   

      # /usr/bin/kismet_server -l xml -t REMOTE_WIDS_IP -f /etc/kismet/kismet.conf 2>&1 | logger -t REMOTE_WIDS_IP  -p local7.1
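The WIDS-host steps above (pick the interface, edit the five kismet.conf lines, add the rsyslog forwarding rule) done as a checked script rather than by hand. This is an added example, not code from the HOWTO or from AlienVault. It assumes the old "source=" style kismet.conf shown on the page and GNU sed (for -i). One deliberate change from the HOWTO: the rule it writes forwards only local7, the facility the kismet_server | logger pipeline above tags its messages with, instead of "*.*", which would ship every syslog message on the WIDS host (auth, kern, cron) to the sensor over clear-text UDP; that narrowing is this example's choice, not the HOWTO's.

```shell
#!/bin/sh
# Added example for the WIDS-host steps of the HOWTO; not the HOWTO's or
# AlienVault's own code. Assumes the old "source=" style kismet.conf on the
# page and GNU sed -i. The local7 narrowing of the rsyslog rule is ours.
set -eu

# Print the interfaces iwconfig reports as wireless (stdin = iwconfig output).
# Lines such as "lo  no wireless extensions." have "no" as the second field
# and are skipped; "wlan0  IEEE 802.11bg ..." is kept.
wireless_ifaces() {
    awk '$1 ~ /^[A-Za-z0-9_.-]+$/ && $2 == "IEEE" { print $1 }'
}

# Rewrite the five kismet.conf settings the HOWTO changes, in place.
# Args: conf_path sourcetype interface sourcename wids_ip
kismet_conf_apply() {
    conf=$1; srctype=$2; iface=$3; name=$4; wids_ip=$5
    sed -i \
        -e "s|^source=.*|source=${srctype},${iface},${name}|" \
        -e "s|^logdefault=.*|logdefault=${wids_ip}|" \
        -e "s|^logtemplate=.*|logtemplate=/var/log/kismet/%n_%D-%i.%l|" \
        -e "s|^configdir=.*|configdir=/var/lib/kismet/|" \
        -e "s|^logexpiry=.*|logexpiry=3600|" \
        "$conf"
}

# Verify the result before starting Kismet: each expected line must be
# present exactly once. Returns 1 and names the first mismatch otherwise.
kismet_conf_check() {
    conf=$1; srctype=$2; iface=$3; name=$4; wids_ip=$5
    for want in \
        "source=${srctype},${iface},${name}" \
        "logdefault=${wids_ip}" \
        "logtemplate=/var/log/kismet/%n_%D-%i.%l" \
        "configdir=/var/lib/kismet/" \
        "logexpiry=3600"
    do
        n=$(grep -c -F -x -- "$want" "$conf") || true
        if [ "$n" -ne 1 ]; then
            echo "kismet.conf: expected exactly one line '$want', found $n" >&2
            return 1
        fi
    done
}

# Forwarding rule for /etc/rsyslog.d/wids_alienvault.conf. The HOWTO's
# "*.* @SENSOR" ships every message on the WIDS host over clear-text UDP;
# kismet_server's output is tagged "logger -p local7.1", so local7.* is
# all the AlienVault Sensor needs from this host. Arg: sensor_ip
rsyslog_forward_rule() {
    printf 'local7.*\t@%s\n' "$1"
}

# Interactive usage on the WIDS host as root (not executed here):
#   iface=$(iwconfig 2>/dev/null | wireless_ifaces | head -n 1)
#   kismet_conf_apply /etc/kismet/kismet.conf rt8180 "$iface" "${iface}-av1" 192.168.1.133
#   kismet_conf_check /etc/kismet/kismet.conf rt8180 "$iface" "${iface}-av1" 192.168.1.133
#   rsyslog_forward_rule ALIENVAULT_SENSOR_IP > /etc/rsyslog.d/wids_alienvault.conf
#   /etc/init.d/rsyslog reload
```

Run kismet_conf_check after every edit of kismet.conf and again after upgrades of the kismet package, which can reset the file: Kismet starting with "source=none,none,addme" still intact produces no captures and therefore no WIDS events, and nothing on the AlienVault side will tell you why.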

   

 

  - AlienVault Configuration



    In the AlienVault host create a file under /etc/cron.hourly/ called kismet:

   

      /etc/cron.hourly/kismet

   

    with the following content:

 

      #!/bin/bash

      /usr/bin/perl /usr/share/ossim/www/wireless/fetch_kismet.pl



    Copy kismet_sites.pl to a new location:



      cp /usr/share/ossim/www/wireless/kismet_sites.pl /var/ossim/kismet



    Edit /var/ossim/kismet/kismet_sites.pl and edit the %sites hash to include the remote WIDS sensor:



      $sites{'REMOTE_WIDS_IP'}='/var/log/kismet';



    where you will have to replace REMOTE_WIDS_IP with the IP address of your remote WIDS sensor. In case you are running multiple WIDS sensors, just copy and paste that line as many times as required.



   

    The AlienVault Sensor will need SSH access to retrieve the XML files generated by Kismet. You will need to install the AlienVault Sensor's SSH public key on the remote host running the WIDS Sensor.



    To do this execute the following command in the AlienVault Sensor:

   

      # ssh-copy-id root@REMOTE_WIDS_IP

   

   

    To finish this configuration, you will need to setup your Wireless Sensors in the AlienVault Web Interface. Please refer to the User guide to learn how to setup your Wireless Sensors and locations.
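The AlienVault-side steps above (the %sites entries and the SSH trust the hourly fetch relies on) as a small set of checked shell helpers. This is an added example, not code from the HOWTO or from AlienVault. The entry format is the one the HOWTO shows for kismet_sites.pl; the IPv4-only validation and the authorized_keys restriction are this example's additions, and wids_preflight needs the network so it is only shown in the usage comment. The restriction matters because ssh-copy-id root@REMOTE_WIDS_IP gives the sensor's key an unrestricted root login on the WIDS host.

```shell
#!/bin/sh
# Added example for the AlienVault-side steps of the HOWTO; not the HOWTO's
# or AlienVault's own code. The $sites{...} line format is from the HOWTO;
# IPv4-only validation and the authorized_keys options are our additions.
set -eu

# 0 if $1 is a dotted-quad IPv4 address with every octet 0..255, else 1.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF == 4 { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1; exit 0 }
        { exit 1 }'
}

# Emit one %sites entry per WIDS host for /var/ossim/kismet/kismet_sites.pl,
# refusing anything that is not an IPv4 address so a typo is never quoted
# into the Perl hash. Args: one or more WIDS sensor IPs
kismet_sites_entries() {
    for ip in "$@"; do
        valid_ipv4 "$ip" || { echo "not an IPv4 address: $ip" >&2; return 1; }
        printf "\$sites{'%s'}='/var/log/kismet';\n" "$ip"
    done
}

# ssh-copy-id installs the sensor's key unrestricted in the WIDS host's
# /root/.ssh/authorized_keys. Rewrite that line so the key only works from
# the sensor's address and cannot be used for forwarding.
# Args: sensor_ip "public key line as written by ssh-copy-id"
restrict_key_to_sensor() {
    printf 'from="%s",no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' "$1" "$2"
}

# Pre-flight for the hourly cron fetch: cron runs without a TTY, so the key
# must log in non-interactively, and /var/log/kismet must exist remotely.
# Needs the network; not executed here. Arg: wids_ip
wids_preflight() {
    ssh -o BatchMode=yes -o ConnectTimeout=5 "root@$1" test -d /var/log/kismet
}

# Interactive usage on the AlienVault host (not executed here):
#   kismet_sites_entries 192.168.1.133 192.168.1.134 >> /var/ossim/kismet/kismet_sites.pl
#   wids_preflight 192.168.1.133 && echo "192.168.1.133 ok"
#   # on the WIDS host, for the key line ssh-copy-id appended:
#   restrict_key_to_sensor ALIENVAULT_SENSOR_IP "$(tail -n 1 /root/.ssh/authorized_keys)"
```

If wids_preflight fails while an interactive ssh works, the usual cause is a passphrase-protected or agent-only key; the cron job has neither, so the fetch silently retrieves nothing every hour.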





Done.

   


Monday, August 4, 2014

Über Operations earns Consulting Partner status for Amazon Web Services(AWS)

Congratulations to all my colleagues, we worked hard to achieve this goal in a short amount of time!  Kudos to all!
To quote our press release:  
Über Operations is proud to announce that we have earned Consulting Partner status for Amazon Web Services(AWS)! AWS is a collection of remote computing services that make up a cloud computing platform. Offering these services much faster and cheaper than traditional server computing, Amazon is the Cloud Computing leader in the industry.
We at Über Operations started out as customers; our engineers spent time developing and testing small amounts of data housing and data transfer, and as we grew comfortable with the functionality, we were very impressed by the speeds and cost efficiency of the services. We are ecstatic to announce, that after 9 months of trials, implementations, and experimentation, Über Operations is now a fully functional and operational Consulting Partner of AWS. We have 9 accredited team members, including our full time integration engineers, managing partners, operations support staff, contractors, and even our technical interns. Each accredited member is a hard-working individual making up the team that is Über Operations, who has been the healthcare data integration service provider for the state of Florida for the past ten years.

This November, 4 of our team members, @eddie, @frans, @phil, and @jeff, will be attending the AWS re:Invent 2014 conference in Las Vegas, NV to collaborate on ideas and sit in on presentations about cloud computing and bootcamps on various topics like coding and exam preparation. The guys are excited to represent us in Sin City and rub elbows with other big shots in the business of healthcare data.
Since we earned our Consulting Partner status with AWS, we would love everyone to check out our page in the Amazon Web Services Partner Network here. There you will find the extensive list of clients, certifications, and tools that we use and have to our name. Our data exchange platform, uberXchange, runs on the AWS cloud, and clients of Über Operations and users of the uberXchange platform include the Texas Department of State Health Services (TDSHS) and the Association of Public Health Laboratories (APHL).
This is a very exciting time for us with growth in such a key area for the future of cloud computing and data exchange. We'll keep you posted as we continue to add services on AWS.

Friday, August 1, 2014

New Crypto-Ransomware Emerge in the Wild

More proof that you should always have anti-virus/malware software not only installed, but active and with updated definitions.  I use Sophos UTM as the first tier, as well as keeping Sophos Endpoint Protection installed and Up2Date on my Windows machines.

From the story in LinkedIn: New Crypto-Ransomware Emerge in the Wild 

Tuesday, July 29, 2014

Now that I know who my phone is trying to talk to, what do I do about it?

As a follow up to my previous post Do you know who your phone is talking to when you're not looking? Discovering who my phone was trying to talk to turned out to be who all the phones in my house, along with every machine with Chrome as a web browser, were trying to talk to.  The great and mysterious 1e100.net.   Seeing the massive volume of dropped packets on my new Sophos UTM Home Edition firewall, intrusion prevention, antivirus virtual (now physical) appliance led me to a few other discoveries.  Since the replacement of my Airport Extreme as my only barrier between my devices and the chaotic cesspool of infection that is "The Internet" I, along with my wife and daughter discovered that our Android (read Google) phones suddenly had less than half the battery life they did before.

Being the curious fellow I am I followed that path until I discovered that our phones were experiencing something called wlan_rx_wake and the general consensus is that it is a DHCP or 5GHz issue, or router issue.  No one has yet been able to track the root cause 100%.

If you factor in all of the above, and consider that I am using Chrome on all of my devices, which are all logged into the same google account so that I can open tabs on my phone that I left open on my laptop, etc.  And the fact that all of this information is collected and used by Google in order to make happen, it makes  perfect sense, to me at least, that this is the root cause of my problem.

I have tried turning off DHCP and going with a static IP and switching off 5GHz, which made no difference, so I am left with either not using Chrome (something I don't think I can do) or figuring out how to allow all of 1e100.net into my network.

So far, using Sophos UTM 9.2, I have been unable to get the firewall/NAT/application pools correct so that these two underlying domain networks are allowed in while still properly NATing my network.

This is another thing.  Within Sophos, I am masquerading my internal IP addresses into the external IP.  How then is it possible for these inbound, net new connections from the 1e100.net network to not only be getting dropped when I have attempted to allow them, but also still show up as attempting to communicate directly to my internal IP instead of connecting to the external IP, where I have routes defined just waiting to pass the information along?

Maybe my few followers can help me out.  My new level of CDO is such that now that I know the problem is there, it must be fixed.

More to follow my friends, as I figure this thing out.

Saturday, June 21, 2014

Do you know who your phone is talking to when you're not looking?

Anyone who knows me knows that I love my gadgets.  It's not enough to have a gadget.  I must know how it works from the inside out, every hidden easter egg from the developers, every possible menu item.  I have had phones that I have rooted, installed custom ROMs, I have left some completely stock.  The same goes for applications for my phone.  I tend to gravitate to android based phones, sorry Apple, no offense, I love your products too.  Over the years I have beta tested many an android app.  some good, some.. well..

All of that to prep for this.

I recently jumped on the #Sophos bandwagon due to work and my general curiosity of learning something new.  What does this mean?  Well for me, its downloading everything I can get my hands on, and Sophos offers loads of free stuff for folks to test their wares.

I installed Sophos UTM 9.2 (the free for home use virtual appliance) on my wife's Mac mini since it was the closest to the router and had an extra Thunderbolt connection... <She is/was not amused with this but that is a different story>

After the initial setup, turning every setting on, having fun with the kids (captive wifi portals are cool), I finally have the setup in what I would call a stable run condition.

Now we come to the title of  this post.

It became quite clear very quickly that there are WAY too many applications, networks, protocols trying to talk to devices within my network.  Come on Apple, do you *have* to have that many UDP ports to make things happen?  I remember when it was easy enough to put a rule in that said, if my laptop started the conversation, NAT the return requests and allow them through.  Well that works.  What doesn't work is when you have an app that registers you on a service, then who knows what network or port will attempt to send you a push update, or poll your device to see if you are still there.

When it comes to my android phone, I have many apps that I have grown to depend on, these apps pretty much go dormant when I am connected to my Wifi now, then wake up when I turn wifi off or go outside.  I have been going through the logs and making rules to allow the applications and protocols through that I deem worthy but then I came across a few networks that were blacklisted, based out of country, and not so savory.  Taking inventory of my phone I do not see any obvious contenders.  In fact, I recently received a new tablet from my employer and have taken great care to only install corporate-ish type apps that I would use for work purposes only.  But yet, there it is in my firewall log file, unsolicited inbound connection attempts to this device as well.

I will follow up with another post when I find out the culprit, but to all my friends, make sure you are using some kind of firewall at home.  Use antivirus/antispyware on EVERY device, yes even your phone.

Thursday, March 27, 2014

Obtained a new domain name

Went out today and obtained philipjmorrison.com for the sole purpose of posting my up-to-date résumé.
So if you are so inclined, take a peek.

Phil's Résumé

Friday, November 8, 2013

Hosting your domain on Google services

OK, so some of you may have known this but Intrasection.com has been around for a loooooong time.  My buddy Bill and I came up with the name and over the years it has lived in many locations.... (even a gigantor server in my bedroom that sounded like a plane).

Well, as soon as Google started letting other domains host their email services through them I have had Intrasection hosted there.  Better spam protection and better kid protection.  Boy did Joshua Morrison LOOOOOVE to flip that big old red switch.

Well, speed up to a few weeks ago, Intrasection got Google "+" ified.  And all kinds of bells and whistles started going off.

Now, from my phone, I can put into my Intrasection.com calendar (Pick Phil up from Airport).  I can put in a 30 min warning notification, I can even put an estimated travel time when I invite my lovely wife to the meeting invitation...

Then in a few seconds (since my account is the admin of the domain) I see (in a different color) my wife's calendar entry.  Tap on it, click "Accept" and poof, her phone will remind her to do something that I might forget to ask when I am physically close enough to ask her about it.

Kind of cool I must say....