An alchemists view from the bar

Network Security Alchemy

OpenFPC on Security Onion


I’ve been asked a couple of times whether OFPC can be installed on Security Onion, and I’m happy to say that it can (as of the time of writing anyway: rev 335 in SVN). While poking about with it I spotted a small yet critical bug, which I squashed in rev 334. Here is what you have to do:

1) Download and install Security Onion

You can download it from here -> http://sourceforge.net/projects/security-onion/files/

2) Grab OpenFPC from SVN

$ svn checkout http://openfpc.googlecode.com/svn/trunk/ openfpc-read-only
A openfpc-read-only/tools
A openfpc-read-only/tools/ofpc-cxsearch.pl
A openfpc-read-only/tools/mk_release.sh
A openfpc-read-only/tools/testParse.pl
<snip>

2) Install some extra packages

Get and install cxtracker, plus the Perl modules that OpenFPC depends on.

$ wget http://github.com/downloads/gamelinux/cxtracker/cxtracker_0.9.5-1_i386.deb

$ sudo dpkg -i ./cxtracker_0.9.5-1_i386.deb

$ sudo apt-get install libarchive-zip-perl libfilesys-df-perl libdate-simple-perl libdatetime-perl

3) Run the installer

OpenFPC checks for some dependencies during install, and these checks will fail on Onion even after installing the above. One reason is that it checks for Apache 2, whereas Apache 2.2 is what is installed on Onion. Use the forceinstall option instead to continue.

$ sudo ./openfpc-install.sh forceinstall

4) Create the GUI and Session DBs

Security Onion doesn’t have a password set for the root mysql user, and this doesn’t sit well with the OpenFPC install scripts, as they expect there to be one. When a password is prompted for, simply hit the Enter key. This looks a little confusing, so here is an exact copy/paste of what to expect. You could of course set a password for root, but I don’t know what else on the platform this may break (if anything).

$ sudo openfpc-dbmaint create gui /etc/openfpc/openfpc-default.conf
[*] Enter mysql “root” credentials to connect to your local mysql server in order to create the databases
DB root Username: root
DB root Password: <Enter> Enter password: <Enter> 

[*] Enter an initial username for the first OpenFPC GUI user.
GUI Username: admin
GUI Password: <a password>
Email address: admin@admin.com
Real Name: My real name
grep: /etc/openfpc/openfpc.passwd: No such file or directory
USER NOT FOUND. Adding admin.
Creating new user file /etc/openfpc/openfpc.passwd…
Adding user admin
Done.
CREATING GUI DATABASE
—————————
Enter password: <Enter> 
Enter password: <Enter> 
Enter password: <Enter> 
Enter password: <Enter> 
GUI DB Created.
Enter password: <Enter> 
Enter password: <Enter> 
New user admin added.
[*] Restarting OpenFPC

<SNIP>

5) Create the session DB. This will also look a little weird when a blank password is used for the mysql ‘root’ user.

$ sudo  openfpc-dbmaint create session /etc/openfpc/openfpc-default.conf
[*] Enter mysql “root” credentials to connect to your local mysql server in order to create the databases
DB root Username: root
DB root Password: <Enter> Enter password:
———————————————————
[*] Working on Instance /etc/openfpc/openfpc-default.conf .
Would you like session capture ENABLED on Default_Node? (y/n)y
[-] Enabling session capture in Default_Node config
Done.
[-] Found cxtracker.
CREATING DATABASE
—————————
Enter password: <Enter>
Enter password: <Enter>
Enter password: <Enter>
Enter password: <Enter>
Enter password: <Enter>
Session DB Created.
Adding function INET_ATON6… to DB openfpc
Enter password: <Enter>
[*] Restarting OpenFPC <SNIP>

6) Try it out.

The command line should be functional now, as should the GUI, which is accessible at https://localhost/openfpc/.

$ sudo  openfpc-client -a status

* openfpc-client 0.7 *
Part of the OpenFPC project

Username: admin
Password for user admin : <My Password>
####################################
OpenFPC Node name : Default_Node
OpenFPC Node Type : NODE
OpenFPC Version : 0.6
Oldest Packet : 1347467610 (Wed Sep 12 16:33:30 2012)
Oldest Session : 1347479998 (Wed Sep 12 19:59:58 2012)
Packet utilization : 25%
Session utilization : 25%
Session DB Size : 8 rows
Session lag : 0 files
Storage utilization : 25%
Packet space used : 4726172 (4.73 GB)
Session space used : 4726172 (4.73 GB)
Storage used : 4726172 (4.73 GB)
Load avg 1 : 1.54
Load avg 5 : 1.34
Load avg 15 : 1.16
Errors : 0

You should now be able to configure Snorby to extract data from OpenFPC when alerts fire on the Security Onion.
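Once the node answers `openfpc-client -a status`, the natural next step is to check that output automatically rather than eyeballing it after every restart. The script below is an added example, not code from the original post or from the OpenFPC project: it parses the status fields exactly as they are laid out in the output above and exits non-zero when the node reports errors, a session-loading backlog, or storage above a threshold. The sample status text is a constructed copy of that layout, and the function names (`status_field`, `status_number`, `check_status`) and the threshold argument are my own.

```shell
#!/bin/sh
# Added example (not part of the original post or of OpenFPC): a health check
# over the text printed by "openfpc-client -a status". Field labels are taken
# from the status output shown in the post; the sample below is constructed.

# Constructed sample mirroring the layout printed by openfpc-client 0.7.
SAMPLE_STATUS='####################################
OpenFPC Node name : Default_Node
OpenFPC Node Type : NODE
OpenFPC Version : 0.6
Oldest Packet : 1347467610 (Wed Sep 12 16:33:30 2012)
Oldest Session : 1347479998 (Wed Sep 12 19:59:58 2012)
Packet utilization : 25%
Session utilization : 25%
Session DB Size : 8 rows
Session lag : 0 files
Storage utilization : 25%
Packet space used : 4726172 (4.73 GB)
Session space used : 4726172 (4.73 GB)
Storage used : 4726172 (4.73 GB)
Load avg 1 : 1.54
Load avg 5 : 1.34
Load avg 15 : 1.16
Errors : 0'

# status_field NAME: print the value printed after "NAME : " in the status
# text read from stdin. The separator " : " (with spaces) keeps the colons
# inside timestamps from splitting the line.
status_field() {
    awk -F' : ' -v key="$1" '$1 == key { sub(/^[ \t]+/, "", $2); print $2; exit }'
}

# status_number NAME: the leading integer of a value such as "25%" or "0 files".
status_number() {
    status_field "$1" | sed 's/[^0-9].*//'
}

# check_status THRESHOLD: read status text from stdin and return 0 when the
# node is healthy, or 1 (with a reason on stdout) when it reports errors,
# session lag (cxtracker files not yet loaded into MySQL), or storage
# utilization above THRESHOLD percent (default 90).
check_status() {
    threshold="${1:-90}"
    text="$(cat)"
    errors="$(printf '%s\n' "$text" | status_number 'Errors')"
    lag="$(printf '%s\n' "$text" | status_number 'Session lag')"
    storage="$(printf '%s\n' "$text" | status_number 'Storage utilization')"
    rc=0
    [ "${errors:-0}" -eq 0 ] || { echo "node reports ${errors} error(s)"; rc=1; }
    [ "${lag:-0}" -eq 0 ] || { echo "session lag: ${lag} file(s) not yet loaded"; rc=1; }
    [ "${storage:-0}" -le "$threshold" ] || { echo "storage at ${storage}% (threshold ${threshold}%)"; rc=1; }
    return $rc
}

# Live usage on a node (prompts for the OpenFPC user password as shown above):
#   openfpc-client -a status | check_status 85
# Stand-alone run over the constructed sample:
printf '%s\n' "$SAMPLE_STATUS" | check_status 85 && echo "Default_Node healthy"
```

The check deliberately treats any non-zero `Session lag` as a fault: on a busy sensor a growing backlog of unloaded cxtracker files is the first sign that the session DB has stopped keeping up, which is worth catching before the GUI search starts returning stale results.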

Written by leonward

September 19, 2012 at 3:40 pm

Posted in OpenFPC, Security

My Coed y Brenin Bike Crash (March 2012)


I had a good crash this weekend while at a trail center in Wales. I’ll live to ride another day!

Here’s the video taken from the GoPRO mounted to my chest.


Written by leonward

March 20, 2012 at 2:09 pm

Posted in Fail


List of Mountain Bike films on iTunes


I’m a big buyer of content via iTunes, but sometimes the search interface lets me down. I find it frustrating that there isn’t a way of listing content for an interest group (such as MTB movies), and whenever I’m taking a long flight I find a bike movie is perfect viewing.

To help anyone else trying to find a list of decent MTB films that are all available on iTunes, perhaps the list below could help. I’ll try to keep it updated as I dig out more over time. Simply search for the film name on iTunes and it should turn up in the store. Note that some of these are marked as TV shows rather than films.

Follow Me – http://www.anthillfilms.com/followme/

Vast – http://www.ionatefilms.com/

Here we go again – http://dh-productions.com/HereWeGoAgain/index.html

Life Cycles – http://www.lifecyclesfilm.com/


Written by leonward

January 14, 2012 at 11:13 am

Posted in Uncategorized


Defining an Achievable Network Segmentation Process


We all struggle balancing work and personal projects, but somehow I managed to combine both into one with the new Sourcefire blog (http://blog.sourcefire.com).

I’ve had a blog posted there rather than here for once, so if you’re interested in network segmentation go take a read.

The modern enterprise network has undergone massive changes over recent years. The adoption of cloud computing, consumerization, mobilization, and the explosion of the “app” markets has driven us all to use technology in new ways. We must embrace these new technologies and the business edge that they can offer, but all the while we need to recognize that just below all of this new technology there is something supporting it that hasn’t changed: the security infrastructure they depend on to deliver safe and controlled service.

Read more here -> http://blog.sourcefire.com/2011/09/defining-achievable-network.html

-Leon


Written by leonward

October 3, 2011 at 9:31 am

Posted in Uncategorized

Big OpenFPC release – 0.6


Pushing forwards closer to a 1.0 release for OpenFPC, one of the major components has now been updated – The GUI.

To introduce this new release I’ve put together a short screen-cast of OpenFPC to show the installation, setup procedure, and a bit of general usage. So if you’re tasked with rolling together your own full packet capture/network traffic recorder/forensics system, perhaps you may want to take a look below.


For those who don’t want to sit through five minutes of video to see what the new GUI looks like, here are a few screenshots of the system in action.

Version 0.6 is now available at http://code.google.com/p/openfpc/downloads/list . Expect a few bugs, and if you report them, I’ll own the task of fixing them.

-Leon

Written by leonward

June 13, 2011 at 12:37 pm

Posted in OpenFPC, Security, snort, Uncategorized


A new look for OpenFPC – New GUI in development


Developing open source software has its ups and downs. It’s great to hear that your work is helping others solve problems they have, but on the flip-side some people simply love to focus on negatives and never offer to help improve through collaboration.

A user of OpenFPC recently decided they didn’t like the web UI much, and rather than simply complaining about it, they decided to collaborate and work on an overhaul. It’s the efforts of people like this that make OSS all the more rewarding.

The UI isn’t quite ready to be released in an installable form, but I thought I would provide a couple of screenshots to whet current users’ appetite. David, thanks for your effort!

Written by leonward

April 25, 2011 at 6:56 pm

Posted in OpenFPC, Security


Immunet 3.0, ClamAV, and OpenFPC updates (including a blatant product plug)


I’m always pretty careful to keep anything too commercial away from my blog, but from time to time something just has to give.

Back in late (very late, in fact) 2010, Sourcefire (those nice people who supply me with beer-money) purchased an exciting company called Immunet. I’ll spare you the purchase details, because they’re out of scope for this quick update.

I’ve been aware of Immunet for quite some time, but I hadn’t had a chance to really use their technology in anger because I’m an OS X/Linux user. That changed a couple of weeks back. I recently needed to use a Windows XP VM to work with some win32-only software; I’ve had the virtual machine installed for ages, and because it’s rarely used it’s rarely updated (bad Leon!). I probably spend less than an hour a year on this Windows VM, and I simply don’t have time to install updates because I only use it for quick tests (very bad Leon!).

Immunet’s cloud architecture is perfect for AV in this type of environment: I never need to update my signature pack because all detection is performed in the cloud. While I was trying to install some software from a USB key-fob that was shared around at a recent conference, what popped up? Immunet kindly did its job and protected me from some malware nastiness. Now that was awesome.

Oh, by the way, Immunet isn’t only awesome (because it saved me from my own stupidity), it’s also free ($0) and uses ClamAV (which is also free, as in speech as well as beer). If you’re using a Windows VM or real device without AV you know what you should do… Go install Immunet for free now: http://www.immunet.com . Go on, do it now!

For those of you who read this blog for updates on OpenFPC: if you have any spare time, please test the updated 0.5 release. There have been many changes at the back-end that I would like some feedback on. If it stops working or fails to start, please let me know via the usual routes. You shouldn’t see many functional changes, but it was a big rewrite under the covers.

-Leon

Written by leonward

February 18, 2011 at 3:48 pm

Posted in OpenFPC, Security

