This is the companion package to the Wireshark IDS Alert plugin; it provides the database maintenance and pcap file processing tools necessary for using the plugin with the Snort and Suricata IDS engines.
An overview of this package and demo of the plugin can be viewed here.
Here's the link for the pcap mentioned in the video: sansholidayhack2013.pcap.
IDSUtil provides you with the ability to have any number of IDS configurations available so you can rapidly switch between them when using the plugin in order to compare differences between IDS engines, their configuration, and/or rulesets.
Please refer to the manpages for details on the
The packages provided have been developed and thoroughly tested on Centrych, but they should be compatible with any Ubuntu 12.04 flavor.
If you plan to use a different distribution, or prefer a DIY approach, you can obtain the source for this package, which includes patch files for both Barnyard2 and Wireshark 1.10.6 from:
The remainder of this file is broken into two sections.
The first, immediately below, provides a brief overview for installing IDSUtil in Centrych, creating two sample configuration instances, and processing a set of sample pcap files.
The second section, further below, provides a brief discussion on what is required to update a version 107 schema for use with the Centrych modified Barnyard2 and IDSUtil.
Add Centrych Security PPA
Database engines (either or both can be installed)
NOTE: If you assign a password to the root account you will need to use the
NOTE: This package provides you with the ability to assign a password to the postgres admin user.
Web-based Database maintenance (optional)
NOTE: To enable login with the postgres user you will need to edit
After apache2 restarts confirm access for root and/or postgres users
Snort and Suricata
NOTE: Either package will also install python-idsutil and pulledpork packages.
While each configuration instance is contained in a separate subdirectory, it's recommended that you create a common parent directory for all instances. This allows you to collect the pcap files you're working with in one location so that each instance can be easily launched to process the pcap files.
In this example we're going to create a subdirectory named 'work' in our home directory:
Once we've changed to that directory we're going to copy over some sample pcap files that were included with IDSUtil:
The commands used to create the instances will be slightly different depending on whether you installed one or both database engines.
If you installed both IDS engines and both databases, the following four commands should be used:
If you installed both IDS engines, but only one database, the database name option is added so that switching between databases within the plugin can be accomplished by changing one character. To do that, the following four commands should be used:
Before you can process pcap files you will need to populate the databases with rules. Although you only have to execute a single command, there is actually a two-step process that takes place for rules processing.
The first step involves retrieving the current ruleset and extracting the necessary files into the
The instance subdirectory contains the pulledpork configuration files that are used to perform the first step, which are pre-configured to download the Emerging Threats open ruleset and extract the downloaded rules into individual files based on rule category. This is done so that the rule category can be displayed in the Wireshark plugin.
The next step processes each rules file in the ./<instance>/incoming directory to update the information contained in the database. After the files have been processed ids-util updates the contents of
The order that these rules files are processed is defined in the file
Also, the files listed in the
Before you process rules you should review the
Once ready, the following commands will update the rules information in each instance:
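As an added example (not part of IDSUtil or pulledpork), the following Python script shows the kind of work the second step performs on the per-category rule files: each Snort/Suricata rule line is parsed for its sid, rev, msg and classtype, the category is taken from the file name, a rule seen twice keeps only its newest revision (so a re-run updates rows rather than duplicating them), and rules that pulledpork commented out with a leading '#' are kept but flagged as disabled. The rule text, SIDs and the 'emerging-<category>.rules' naming assumption are all constructed for this example.

```python
import re
from collections import Counter

# Constructed sample input: two per-category rule files in the layout pulledpork
# writes into ./<instance>/incoming. Rule text and SIDs are made up for this
# example (the 9xxxxxx range is a local-rules range, not Emerging Threats').
SAMPLE_RULE_FILES = {
    "emerging-scan.rules": (
        "# category: scan\n"
        'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE SCAN SSH probe; burst"; '
        "flow:to_server; flags:S; classtype:attempted-recon; sid:9000001; rev:2;)\n"
        '#alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"EXAMPLE SCAN telnet probe"; '
        "classtype:attempted-recon; sid:9000002; rev:1;)\n"
    ),
    "emerging-trojan.rules": (
        'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE TROJAN beacon"; '
        'flow:established,to_server; content:"GET"; http_method; '
        "classtype:trojan-activity; sid:9000010; rev:3;)\n"
        # the same sid again with a newer revision: the newer one must win
        'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE TROJAN beacon v2"; '
        "classtype:trojan-activity; sid:9000010; rev:4;)\n"
    ),
}

# Rule header: action proto src sport dir dst dport ( options )
HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?:->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*"
    r"\((?P<options>.*)\)\s*$"
)


def split_options(body):
    """Split a rule's option body on ';' but not inside quoted strings."""
    parts, buf, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
            buf.append(ch)
        elif ch == ";" and not in_quote:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    tail = "".join(buf).strip()
    if tail:
        parts.append(tail)
    return parts


def parse_rule(line, category):
    """Return a dict for one rule line, or None for blank, comment or sid-less lines.
    A line starting with '#alert' etc. is a rule pulledpork disabled: kept, enabled=False."""
    text, enabled = line.strip(), True
    if text.startswith("#"):
        text, enabled = text.lstrip("#").strip(), False
    m = HEADER_RE.match(text)
    if not m:
        return None  # ordinary comment or unparsable line
    opts = {}
    for part in split_options(m.group("options")):
        key, _, value = part.partition(":")
        opts[key.strip()] = value.strip().strip('"')
    if "sid" not in opts:
        return None  # cannot be keyed in the database without a sid
    return {"sid": int(opts["sid"]), "rev": int(opts.get("rev", "0")),
            "msg": opts.get("msg", ""), "classtype": opts.get("classtype", ""),
            "category": category, "action": m.group("action"), "enabled": enabled}


def category_from_filename(name):
    """Assumption: per-category files are named like 'emerging-scan.rules'."""
    stem = name[:-len(".rules")] if name.endswith(".rules") else name
    return stem[len("emerging-"):] if stem.startswith("emerging-") else stem


def load_rules(rule_files):
    """Parse every file and key rules by sid; a higher rev replaces a lower one."""
    rules = {}
    for name, content in rule_files.items():
        category = category_from_filename(name)
        for line in content.splitlines():
            rule = parse_rule(line, category)
            if rule and (rule["sid"] not in rules or rule["rev"] > rules[rule["sid"]]["rev"]):
                rules[rule["sid"]] = rule
    return rules


def summarize_by_category(rules, enabled_only=True):
    """Count rules per category, by default ignoring disabled ones."""
    return Counter(r["category"] for r in rules.values() if r["enabled"] or not enabled_only)


if __name__ == "__main__":
    loaded = load_rules(SAMPLE_RULE_FILES)
    for sid, r in sorted(loaded.items()):
        print(sid, "rev", r["rev"], "on" if r["enabled"] else "off", r["category"], r["msg"])
    print(dict(summarize_by_category(loaded)))
```

Point `load_rules` at the contents of a real ./<instance>/incoming directory to see which sids, revisions and categories a rules update would touch before the database is changed.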
Local-only rules processing
Once the ruleset(s) have been processed you're now ready to process the sample pcap files with the following commands:
Once all of the files have been processed you can run the following commands to list a summary of the number of alerts that were generated for each pcap file:
The database directories shown here assume that you've installed both IDS engines and databases and used the first set of commands to create the instances.
This section details the steps necessary to upgrade a version 107 schema. Any changes that may be required to the applications using the 107 schema are beyond the scope of this discussion.
NOTE: Please do not attempt the following on a production database without first testing the results against a copy!
The following discussion assumes that you are using Barnyard2 with Snort and MySQL. The database is named 'idsdb' and the root account has a password assigned to it.
If your setup differs from those assumptions you will need to adjust the following accordingly.
If you're currently running Barnyard2 you will need to stop it with the following command:
The Centrych Security PPA contains a package with the modified version of Barnyard2, which can be installed via the following command:
The Centrych version of Barnyard2 has a configuration that can use either Snort or Suricata. Please review the
If you haven't already modified it, please add
Next, remove the current waldo file:
You should also make sure that any previously processed unified2 log files are removed so that they are not re-processed after upgrading the database.
The ids-dbutil script can be used to backup the existing v107 database with the following command:
The backup file will be written to
Upgrading the database is accomplished with the following command:
The next step is to configure the
This command assumes that SSL is not used for connecting to the database.
Finally, if you're using the Centrych provided Snort package the following command can be used to update rules information in the database:
If you're using Snort from a different distribution you will need to adapt the files and scripts that are used for processing rules of a configuration instance.
One final note. The Barnyard2 package was compiled with debugging enabled, but you will need to uncomment the associated environment variable in