Showing posts from February, 2013

Recovering from Suricata Gone Wild

Recently I tried interacting with one of my lab Security Onion sensors running the Suricata IDS. I found the Sguil server was taking a really long time to offer services on port 7734 TCP. Since I hadn't worked with this lab system in a while, I guessed that there might be too many uncategorized events in the Sguil database. I dusted off an old blog post titled More Snort and Sguil Tuning from 2006 and took a look at the system. First I stopped the NSM applications on the server.

sudo service nsm stop
Stopping: securityonion
* stopping: sguil server [ OK ]
Stopping: HIDS
* stopping: ossec_agent (sguil) [ OK ]
Stopping: Bro
stopping ds61so-eth1-1 ...
stopping proxy ...
stopping manager ...
Stopping: ds61so-eth1
* stopping: netsniff-ng (full packet data) [ OK ]
* stopping: pcap_agent (sguil) [ OK ]
* stopping: snort_agent (sguil) [ OK ]
* stoppi

Using Bro to Log SSL Certificates

I remember using an older version of Bro to log SSL certificates extracted from the wire. The version shipped with Security Onion is new and that functionality doesn't appear to be enabled by default. I asked Seth Hall about this capability, and he told me how to get Bro to log all SSL certs that it sees. Edit /opt/bro/share/bro/site/local.bro to contain the changes as shown below. diff -u /opt/bro/share/bro/site/local.bro.orig /opt/bro/share/bro/site/local.bro --- /opt/bro/share/bro/site/local.bro.orig 2013-02-23 01:54:53.291457193 +0000 +++ /opt/bro/share/bro/site/local.bro 2013-02-23 01:55:16.151996423 +0000 @@ -56,6 +56,10 @@ # This script enables SSL/TLS certificate validation. @load protocols/ssl/validate-certs +# Log certs per Seth +@load protocols/ssl/extract-certs-pem +redef SSL::extract_certs_pem = ALL_HOSTS; + # If you have libGeoIP support built in, do some geographic detections and # logging for SSH traffic. @load protocols/ssh/geo-data Restart Bro.
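Review bot: the added comment "# Log certs per Seth" records who suggested the change rather than what the two lines below it do; a maintainer reading local.bro later would be better served by a comment that states the effect, for example "# Extract every SSL/TLS certificate Bro sees to PEM (both local and remote hosts)". It is also worth a note beside "redef SSL::extract_certs_pem = ALL_HOSTS;" that ALL_HOSTS means every certificate the sensor observes is logged, not only those from one side of the network boundary, so on a busy sensor the volume of extracted certificates should be watched after the restart.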

Practical Network Security Monitoring Book on Schedule

First the good news: my new book Practical Network Security Monitoring is on track, and you can pre-order with a 30% discount using code NSM101. I'm about 1/3 of the way through writing the book. Since I announced the project last month, I've submitted chapters 1, 2, and 3. They are in various stages of review by No Starch editors and my technical editors. I seem to be writing more than I expected, despite trying to keep the book at an introductory level. I find that I want to communicate the topic sufficiently to make my point, but I try to avoid going too deeply into related areas. I'm also encountering situations where I have to promise to explain some concepts later, rather than explain everything immediately. I believe once I get the first chapter ironed out with the editor, the rest will be easier to digest. I'm taking a fairly methodical approach (imagine that), so once the foundation in chapter 1 is done the rest is more straightforward. I'm keeping a