Monday, March 1, 2010

Integrate Emerging Threats into Sguil


This is meant to be a brief overview of getting ET into your NIDS, not a guide to configuring your system. If you are a first-time installer of Snort or Sguil I would recommend using NSMnow from securixlive.com with the CentOS 5 series, as this is pretty painless and should get you a quick setup for monitoring. The first step is to go over to emergingthreats.net and pull down the compressed rules to your Sguil server. After this is finished, untar the file and move the .rules files to the /etc/nsm/sensor1/rules folder if you did a default install. Make sure they have the correct permissions:
#chown sguil:sguil emerg*
Next you need to alter the snort.conf file and add the rules. You can simply cut and paste from the emerging.conf file and add it to the bottom of snort.conf. Then append the ET entries to the sid-msg.map in /etc/nsm/sensor1:
#cat emerging-sid-msg.map >> sid-msg.map
Finally, copy the emerging rules over to the /nsm/server_data/server1/rules/sensor1 folder so that you can view the rules in the Sguil client. Now just start up your NSM and you should have a little more help with alerts.
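The steps above, scripted as one function. This is an added example, not code from the original post or from the NSMnow or Sguil projects. It assumes the ET tarball has already been downloaded from emergingthreats.net and unpacked into a directory, that the rule files in it are named emerging-*.rules, and that it ships an emerging.conf holding the include lines plus an emerging-sid-msg.map; the paths in the comments are the NSMnow defaults the post names, while the function names, the idempotency marker and the sample files used to exercise it are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): the ET-into-Sguil steps as one
# re-runnable function. Assumed layout of the unpacked ET directory (not stated
# in the post): emerging-*.rules, emerging.conf, emerging-sid-msg.map.
set -eu

# install_et_rules ET_SRC SENSOR_RULES_DIR SNORT_CONF SID_MSG_MAP SERVER_RULES_DIR [OWNER]
#   OWNER is a user:group for chown (the post uses sguil:sguil); pass "" to skip
#   the chown, e.g. when exercising the function in a scratch directory.
install_et_rules() {
  et_src=$1          # unpacked ET directory
  sensor_rules=$2    # e.g. /etc/nsm/sensor1/rules
  snort_conf=$3      # e.g. /etc/nsm/sensor1/snort.conf
  sid_map=$4         # e.g. /etc/nsm/sensor1/sid-msg.map
  server_rules=$5    # e.g. /nsm/server_data/server1/rules/sensor1
  owner=${6:-}

  # 1. Rule files into the sensor's rules folder, with the ownership Sguil expects.
  mkdir -p "$sensor_rules" "$server_rules"
  cp "$et_src"/emerging-*.rules "$sensor_rules"/
  if [ -n "$owner" ]; then
    chown "$owner" "$sensor_rules"/emerging-*.rules
  fi

  # 2. Include lines appended to snort.conf, guarded by a marker (this example's
  #    own) so a re-run after the next ET update does not load every file twice.
  marker='# Emerging Threats includes (added by install_et_rules)'
  if ! grep -qF "$marker" "$snort_conf" 2>/dev/null; then
    { printf '%s\n' "$marker"; cat "$et_src/emerging.conf"; } >> "$snort_conf"
  fi

  # 3. sid-msg.map: append only SIDs that are not already mapped, so repeated
  #    updates do not pile up duplicate lines for the same SID.
  touch "$sid_map"
  tmp=$(mktemp)
  awk 'FILENAME == ARGV[1] { seen[$1] = 1; next }
       !($1 in seen)        { print }' "$sid_map" "$et_src/emerging-sid-msg.map" > "$tmp"
  cat "$tmp" >> "$sid_map"
  rm -f "$tmp"

  # 4. Mirror the rule files to server_data so the Sguil client can display them.
  cp "$et_src"/emerging-*.rules "$server_rules"/
}

# Sanity check: how many ET rule files a rules folder now holds.
et_rule_file_count() {
  ls "$1"/emerging-*.rules 2>/dev/null | wc -l | tr -d ' '
}

# With arguments, run against the given paths; with none, only define the functions.
if [ "$#" -ge 5 ]; then
  install_et_rules "$@"
fi
```

Against the default NSMnow layout the post describes, this is invoked as `sh install_et_rules.sh /path/to/unpacked-et /etc/nsm/sensor1/rules /etc/nsm/sensor1/snort.conf /etc/nsm/sensor1/sid-msg.map /nsm/server_data/server1/rules/sensor1 sguil:sguil` (the script filename is hypothetical). Unlike a plain `cat >>`, running it again after the next rules update leaves snort.conf and sid-msg.map with a single copy of each include and SID line.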

Sunday, February 28, 2010

Are you sure you are safe!






When I happen to get a free moment I usually test out the outside Sguil and BASE sensors against Metasploit attacks. This time it was a controlled test, and the exploitable box was secured from the outside world. So with the latest Metasploit in hand I smacked a default Win2k server with no service packs, with just port 445 open. I know what you are thinking: who in their right mind leaves 445 open on the net, and most ISPs filter this anyway. Again, this is just a test, and a simple one that I figured the Sguil sensor would catch... sort of. Why sort of? Well, I did get a few alerts.

NETBIOS DCERPC NCACN-IP-TCP lsass DsRolerUpgradeDownlevelServer overflow attempt
NETBIOS DCERPC NCACN-IP-TCP srvsvc NetrPathCanonicalize overflow attempt
NETBIOS DCERPC NCACN-IP-TCP wkssvc NetrAddAlternateComputerName overflow attempt
NETBIOS DCERPC NCACN-IP-TCP umpnpmgr PNP_QueryResConfList attempt
NETBIOS SMB-DS repeated logon failure


To an ordinary user the alerts would look like an SMB attempt, and why would they suspect anything else since we did leave 445 open? The icing is the fact that I spawned 4 meterpreter bind sessions just from 445, and what did the IDS have to say about that? ...not much. I was skipping along getting hash dumps and files. Sure, there was the occasional complaint about shellcode, but if you are not versed in it, it might as well be in a different language. Keep in mind this is just with the Snort default rules and not using Emerging Threats rules.

I also tested this using Emerging Threats rules and wanted to see how well this would help recognize it. This is at least promising, with a few extra alerts.

ET EXPLOIT x86 JmpCallAdditive Encoder
ET POLICY PE EXE or DLL Windows file download
ET POLICY TLS/SSL Encrypted Application Data on Unusual Port SSLv3


This would be enough to tip off anyone that something is awry, and you would be able to correlate the attempt with the ET alerts to validate it. You could also make it easy by tying this all together with some Splunk and NetFlow.
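One way to do that correlation by hand, before reaching for Splunk: group Snort alerts by host pair and check whether a NETBIOS overflow-attempt alert is accompanied by one of the ET EXPLOIT or ET POLICY alerts listed above. The script below is an added example, not from the original post; it assumes Snort's "fast" alert output format, the alert lines in it are constructed for the example (the SIDs in them are placeholders, not real Snort or ET SIDs), and the choice of "overflow attempt" and "ET EXPLOIT/POLICY" as the two patterns to pair is this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): correlate Snort "fast" alert lines
# by host pair so the ET follow-up alerts validate the initial overflow attempts.
set -eu

# Constructed sample alerts in Snort fast format; the [gid:sid:rev] values are
# placeholders. 10.0.0.9 plays the Win2k box, 10.0.0.5 and 10.0.0.7 the clients.
SAMPLE_ALERTS=$(cat <<'EOF'
03/01-10:15:22.101010  [**] [1:9990001:1] NETBIOS DCERPC NCACN-IP-TCP lsass DsRolerUpgradeDownlevelServer overflow attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.0.5:3312 -> 10.0.0.9:445
03/01-10:15:22.202020  [**] [1:9990002:1] ET EXPLOIT x86 JmpCallAdditive Encoder [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 10.0.0.5:3312 -> 10.0.0.9:445
03/01-10:15:40.303030  [**] [1:9990003:1] ET POLICY PE EXE or DLL Windows file download [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.0.0.9:4444 -> 10.0.0.5:3350
03/01-10:15:41.404040  [**] [1:9990004:1] ET POLICY TLS/SSL Encrypted Application Data on Unusual Port SSLv3 [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.0.0.5:3350 -> 10.0.0.9:4444
03/01-10:16:05.505050  [**] [1:9990005:1] NETBIOS DCERPC NCACN-IP-TCP srvsvc NetrPathCanonicalize overflow attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.0.7:50112 -> 10.0.0.9:445
03/01-10:16:06.606060  [**] [1:9990006:1] NETBIOS SMB-DS repeated logon failure [**] [Classification: Unsuccessful User Privilege Gain] [Priority: 2] {TCP} 10.0.0.7:50113 -> 10.0.0.9:445
03/01-10:17:00.707070  [**] [1:9990006:1] NETBIOS SMB-DS repeated logon failure [**] [Classification: Unsuccessful User Privilege Gain] [Priority: 2] {TCP} 10.0.0.8:50200 -> 10.0.0.9:445
EOF
)

# correlate_alerts: read fast-format alerts on stdin, group them by host pair
# (direction ignored, so a reply-direction ET POLICY alert joins the same
# conversation) and label each pair:
#   LIKELY COMPROMISE  overflow attempt plus an ET EXPLOIT/POLICY follow-up
#   attempt only       overflow attempt with no follow-up indicator
#   no attempt seen    only lower-priority noise for that pair
correlate_alerts() {
  awk '
    {
      n = split($0, part, / \[\*\*\] /)
      if (n < 3) next                               # not a fast-format alert line
      msg = part[2]
      sub(/^\[[0-9]+:[0-9]+:[0-9]+\] /, "", msg)     # drop the [gid:sid:rev] prefix
      src = $(NF - 2); dst = $NF
      sub(/:[0-9]+$/, "", src); sub(/:[0-9]+$/, "", dst)
      pair = (src < dst) ? src " <-> " dst : dst " <-> " src
      if (!(pair in seen)) { seen[pair] = 1; order[++np] = pair }
      key = pair SUBSEP msg
      if (!(key in shown)) { shown[key] = 1; list[pair] = list[pair] "\n    " msg }
      if (msg ~ /overflow attempt/) attempt[pair] = 1
      if (msg ~ /^ET (EXPLOIT|POLICY) /) followup[pair] = 1
    }
    END {
      for (i = 1; i <= np; i++) {
        p = order[i]
        if ((p in attempt) && (p in followup)) verdict = "LIKELY COMPROMISE"
        else if (p in attempt)                  verdict = "attempt only"
        else                                    verdict = "no attempt seen"
        print p " [" verdict "]" list[p]
      }
    }'
}

# verdict_for "A <-> B": the summary line for one host pair of the sample data.
verdict_for() {
  printf '%s\n' "$SAMPLE_ALERTS" | correlate_alerts | grep -F "$1 ["
}

printf '%s\n' "$SAMPLE_ALERTS" | correlate_alerts
```

Fed a real alert file instead of the sample (`correlate_alerts < /path/to/alert`), the pairs tagged LIKELY COMPROMISE are the ones worth escalating first: an overflow attempt on its own is the noise the default ruleset already produces, while the same pair also showing an encoder, a PE download or TLS on an odd port is the pattern this post saw around the meterpreter sessions.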

Tuesday, January 19, 2010

Netwar


This being my first NetWars, and it being round 6, I cannot help but feel that I am a little behind and an underdog. There are still 5 days left, but with my busy lifestyle with kids and prior obligations I might just leave it at 86 points. If you do not know what NetWars is, it is a competition put on by the SANS Institute that is basically hacking systems and getting points. Hack and defend, basically. Not sure if it qualifies as red and blue, but it is fast paced: 10-60 minute regen on systems, and you need to hold them from others for the duration and then re-attack when the systems are regenerated. At times I felt it was frustrating and time consuming, and it often left me sleepless thinking of the different attack vectors and why certain ones didn't work.
This left me wondering about the remote hack net and what the traffic would look like. I am sure if there was an IDS it would have been flipping out, for lack of a better word. This isn't the problem. The problem is the analysis end. Me being a sole admin, it presents a daunting task: sifting through Sguil alerts, seeing whether I need to escalate or not, and looking at the packet trace. Let's take for instance a single autopwn of a system with port 80 and 139 open. This alone would generate roughly 128 individual attacks, all with potential compromise, and this is just from the outside in.
As you can see, we as system/network/security admins do have our hands full in the day to day, and participating in NetWars has made me realize speed and efficiency are key. With these two matched with skill you should be all right. Good luck to all sec ops and CIRTs, I know it's tough out there. user0330