SQL / Command Injection Lab: Part 2 - Detection

Security Onion provides a complete Network Security Monitoring platform. I want to see just how much of the previous activity was detected by SO.
First let's have a look at the firewall logs from the nmap scanning. The 'nmap -sn victimsvr1' command caused a few log entries from the firewall. Security Onion is not configured to collect the syslog data from my Vyatta community eddition router/firewall, but the Bro IDS software in SO will collect any syslog traffic it sees on the wire. Bro formats the data and stores it in regular text files which makes it ideal for searching using any text processing tool you are familiar with (Perl, Python, Awk etc). 



From the sample shown I can see that the ping sweep initiated by the nmap host discovery scan. Having the firewall log data available for analysis in SO gives further insight when investigating IDS alerts and other security events.
The next nmap scan used the -A option to invoke the scripting engine.

The screenshot shows the Emerging Threats rule identifying the 'user agent' string that is sent with the web scripts allowing the use of nmap to be detected. However, a stealthy attacker might change the 'user agent' identifier in nmap scripts. It would be worth checking the firewall logs to identify possible recon against the web server.



I can see a lot of connections from a single host to the web server with many requests in a short time period as nmap tries different scripts. As the only port that is open through the firewall is port 80 for web traffic it can be difficult to discern this kind of recon when it's mixed in with regular port 80 traffic.  Running the same command above through unique and word count and looking at the start and end times could give insight when compared with a 'normal' web client browsing the site. 



That's 64 connections started by the attacker in 13 seconds. Check out how long nmap took to run in part 1 - Attacks.

In the next part of the attack I used SQL injection, the Emerging Threats rules in snort on my SO sensor also picked this up.
Before starting the SQL injection attack I also installed the OSSEC agent on to the web server. The OSSEC agent can monitor log files directly on the web server and send these back to the OSSEC server installed on my Security Onion virtual machine. This allows OSSEC to monitor the Apache access log on the web server (amongst other things). I can see several rules firing for the SQL injection attacks including the OSSEC rule 'A Web attack returned code 200 (success)'. This gives a strong indication that the SQL injection attack was successful when coupled with the ET rules.

There is however, another source of data regarding the attack. The mysql log when enabled will record each select statement run by the database:



Each of the SQL injection attempts is recorded if this level of logging is enabled. This is a multi-line log though, which makes it difficult to handle and parse into OSSEC. That's not the only problem, the section below shows the relevant stanza from the /etc/my.cnf file for MySQL:

# Be aware that this log type is a performance killer.
log             = /var/log/mysql/mysql.log
So this isn't an option for production environments. Although it's great for the test lab and particularly useful if you want to practice SQL injection as you can see exactly what statements get executed and the end results of each attempt. There is a great blog entry here which describes how you can use triggers with user defined functions in MySQL to create a similar log without the performance hit and read the subsequent data into OSSEC.

The final part of the attack was command injection. The screen shot shows the rules that triggered for command injection.







Ah, that'll be none then. You can see the ping activity firing ET *nix ping informational rules but nothing else. I think it would be quite difficult to write such rules unless it's for a specific known vulnerable page. Unlike SQL injection that has a number of defined commands and syntax options some of which are fairly typical in SQL injection attacks, command injection is simply too varied. All is not lost however, there is an OSSEC rule that fired for command injection.

I created this rule by using the audit daemon to monitor execve process creation for the www-data user. The www-data user is the user that the Apache2 process runs under. Under normal operation this user does not create any additional processes, so by definition any command it runs would be suspicious. I started by installing the open source Snare agent for Linux, this provides a really easy to use interface to configure audit daemon rules. Crucially, it also provides a single line log output which the audit daemon doesn't (multi-line). Then I configured the OSSEC agent on the victimsvr1 to read the log file from the snare agent. Finally I added rules into the OSSEC server running on my SO virtual machine to trigger when www-data created a process other than 'ping'.

As I was using Ubuntu JeOS for my victim server it was necessary to install the Snare Agent for Linux from source code.
The installations steps I used are shown below:


After the install is complete you should be able to use a browser to configure Snare on port 6161.

Configure snare to write to a local file as shown. Then configure the audit rule for www-data.
In order for the OSSEC agent on victimsvr1 to be able read the snareaudit.log file add the following to the /var/ossec/etc/ossec.conf


The OSSEC server on my SO box needs to be configured to decode the log entries sent from victimsvr1. Add or edit the file /var/ossec/etc/local_decoder.xml as shown below.


The rules can then be added to the /var/ossec/rules/local_rules.xml file as shown below:


As DVWA allows the use of 'ping' we don't want an alert when a user only uses expected functionality, the level=0 in the last two rules prevent the alert from being shown in the sguil console and remove false positives. If you want to understand the rule syntax the OSSEC documentation on the web site ossec.net is really good. Even if the web app being monitored is well secured against command injection it could still be worth monitoring for it; after all a web app goes through many changes and releases and it could become vulnerable to command injection at some point in the future.


It should be noted that if it were normal practice for administrators of this server to 'su' to www-data for any reason then this rule would create a lot of false positives, but as that's not normally the case it should be fairly safe to deploy. It's always a good idea to do plenty of testing before use in production though.

Using the Linux or Windows for that matter, audit capability is frequently overlooked as a good source of data for protective monitoring.







Comments

  1. Unknown5 June 2012 at 10:33

    Nice info Andy! Glad you sorted out the change token / XSS protection issue.

    It's always good to see Snare getting a guernsey when it comes to analysing the audit log data.

    ReplyDelete

Post a Comment

Popular posts from this blog

Squid Proxy with SOF-ELK Part 1

Image
In this post I wanted show how a Squid Proxy could be used with OpenDNS to provide a simple but effective security for home  or small business. This blog post was inspired by the SANS course SEC530 Security Architecture & Engineering  which leads to the GIAC Defensible Security Architecture (GDSA) certification. This is a great course for anyone looking to develop and improve their 'full stack' defensive posture.  Monitoring is by courtesy of SOF-ELK , one of the many tools by those nice people at SANS .  SOF-ELK is used in a few SANS course including FOR572 Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response ,  and SEC555 SIEM with Tactical Analytics . OpenDNS Enterprise is now Cisco Umbrella , however, the OpenDNS Home service is available for free and small businesses can use the Prosumer services for a modest fee. The fist step is to install a CentOS 7 minimal and then apply the latest updates. In order to use the OpenDNS Home service I inst
Read more

Netflow analysis with SiLK - Part 1 Installation

Image
About netsa SiLK SiLK provides a way to capture netflow and interrogate flow data. It can be used for a variety of purposes including situational awareness, forensics and anomaly detection. Installing SiLK Prerequisites Before installing SiLK examine the perquisites for the build. I’m using CentOS 6.3 minimal install with a virtual machine disk of 100GB in total with a separate partition for /data of about 60GB. The virtual machine will be allocated 4GB of RAM and 2 virtual processors. Configure the network settings for your lab environment. In order to use YUM for installing software the the lab system will require access to the Internet. Download the following source code files from the netsa CERT project home page libfixbuf-1.2.0.tar.gz netsa-python-1.3.tar.gz silk-2.5.0.tar.gz yaf-2.3.2.tar.gz Copy the required packages to the /usr/local/src directory. If you are using scp to copy over the packages dont’ forget ‘yum install openssh-clients’ first on the serv
Read more

CI/CD Pipeline Security & Shifting Left

Image
Recently I have been doing far more AppSec work in Agile, Lean environment. I also took the SANS SEC 540 course Cloud Security and DevSecOps Automation  which has lots of really great exercises but I like to try to create some of my own examples.  In this one I wanted to create a CI/CD (Continuous Integration/Delivery) pipeline that integrates Static Analysis Software Testing (SAST) and Software Composition Analysis (SCA) and finally some Postman testing of API endpoints that include negative test (more on this later). To start with I needed some example code so I found an example and adapted it to my own needs. The code along with the other supporting files like the Jenkinsfile can found on my GitHub under Planetary-API . Please note, I don't claim to be the best coder in the world :-) I chose an API partly for simplicity of the examples and partly because there are things I wanted to explore further later in terms of bearer authentication and the use of JWTs (for another project
Read more