Threat Level: green Handler on Duty: Richard Porter

SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2013-10-22 InfoSec Handlers Diary Blog

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Greenbone and OpenVAS Scanner

Published: 2013-10-22
Last Updated: 2013-10-23 23:34:23 UTC
by Richard Porter (Version: 2)
0 comment(s)


This virtual machine comes to you care of $DayJob frustrations and the need to generate logs. This month we are covering log entries and in my lab at work there was a need to trigger some alarms. So I set out to build an OpenVAS [1][5] suite in order to trigger several different detection systems.

The Greenbone Security Manager [2] provided an excellent, albeit not ‘as’ intuitive as I like, interface for scheduling scans and basically sending out network and application nastiness.


It had been a while since I had last set up an OpenVAS Suite so “to the Google Batman” ... In doing a quick search I located several blog entries on different distribution installs [3] [4] [5] as well as the OpenVAS Docs [6]. In this prep I also was looking for the smoothest distribution for install as this was going to sit as a virtual machine in my $DayJob lab. After searching forums the easiest seems to be Ubuntu on 12.04 LTS, however I ended up on CentOS 6.4. There are some caveats for installing on CentOS but just seemed to perform better.

CentOS Caveats

If you are going to install on CentOS, a couple of observations:

There will likely end up being some errors ( see [7] ) to work through.
If you manage to get it working and don’t see traffic leaving yet Greenbone says your job is running? “Audit2Allow [8] is your friend!” It is likely (Almost 99.9999%) SELinux.

For those that want to take the lazy way out :) the file you are looking for is in /etc/selinux and is config:


Make sure to run a rebuild after the install process, see [5] and look for the notes on openvasmd --rebuild coolsmiley

General Install Caveats

Syncing from OpenVAS can take a very ...... very long time. Just be patient if you build your own, the initial sync can take a great deal of time (hours occasionally). If you don’t want to take the time to install your own, you can download the below Greenbone VM.

Running a Job

The Greenbone VM

File Size: 764 MB
Type: OVF Template
OS: CentOS 6.4 (patched as of 22 OCT 2013)
SHA1: a80c8a1da92c68d38202b23f382acbc46b3fb850

Virtual Machine vHardware Settings

NIC Bridged

System Account: root
System Password: sanstraining

Greenbone Account: admin
Greenbone Password: sanstraining

All passwords will be sanstraining

VM Is set for DHCP on Boot.




Richard Porter || @packetalien || rporter at isc dot sans dot edu || blog:

0 comment(s)
Network Solutions Currently Having a DNS Resolution Outage, No Other Info at this time.

Cryptolocker Update, Request for Info

Published: 2013-10-22
Last Updated: 2013-10-22 14:09:38 UTC
by John Bambenek (Version: 1)
7 comment(s)

It was briefly mentioned in a previous posting, but the Cryptolocker ransomware is still going strong.  In essence, post infection is encrypts all of your "document" files based on file extension and then gives the user 72 hours to pay the ransom ($300 USD or 2 BTC).  It is one f the few pieces of ransomware that does encryption right so at present, short of paying the ransom, there is no other means to decrypt.  Bleeping Computer has a good write up, but below are the TL;DR highlights.

If you are infected and your files are encrypted (and you have no backups) there is a very limited means to restore files using Microsoft's Shadow Volume Copies (Windows XP SP2 or better).  In essence, previous versions of files still persist on a system and can be recovered manually or by using a tool like Shadow Explorer

Other than that, there is no means currently available for recovery (besides paying).  Reinfecting once the timer runs out does not reset the timer and there have been no reports of recovery after an appreciable amount of time has passed after the 72 hours.  (Some limited amount of clock games might help at the margins, but the bad guys say they delete and purge keys and there is no evidence this is not true).

There are some GPO settings you can deploy to prevent this kind of infection and for the most part, some of these settings are best practices independently of Cryptolocker.  Basically you can prevent execution of executibles in temp directories the details of which are at Bleeping Computer.

There are varying ways that systems become infected, at one point it was UPS/FedEx style spam, now it seems coming down with zbot and other associated tools.  At this point anti-virus has decent detection so keeping that up to date is a significant help.

Apparently the attackers are also paying attention to various forums but there is no direct way to communicate with them.

REQUEST: If you or your organization has paid the ransom to decrypt, we would like to talk to you (anonymously) about the experience.  Please write in directly to bambenek /at/

John Bambenek
bambenek \at\ gmail /dot/ com
Bambenek Consulting

7 comment(s)

Netflow on Nexus 1000v

Published: 2013-10-22
Last Updated: 2013-10-22 00:51:22 UTC
by Johannes Ullrich (Version: 1)
1 comment(s)


This is a guest diary submitted by Basil Alawi. 

What is NetFlow?

NetFlow is a traffic-summarization format that was first implemented by Cisco Systems, primarily for billing purposes. Network flow data (or Network flow) is a generalization of NetFlow.

Network flow collection differs from direct packet capture, such as tcpdump, in that it builds a summary of communications between sources and destinations on a network. This summary covers all traffic matching seven particular keys that are relevant for addressing: the source and destination IP addresses, the source and destination ports, the protocol type, the type of service, and the interface on the router[i].


SiLK is a suite of network traffic collection and analysis tools developed and maintained by the CERT Network Situational Awareness Team (CERT NetSA) at Carnegie Mellon University to facilitate security analysis of large networks. The SiLK tool suite supports the efficient collection, storage, and analysis of network flow data, enabling network security analysts to rapidly query large historical traffic data sets[ii].

Netflow on VMware ESXi:

NetFlow is available in vSphere distributed switch version 5 or later as well as in Cisco Nexus 1000v. VMware vSphere 5 supports NetFlow v5 while Cisco Nexus 1000v support Netflow v5 as well as Netflow v9.

Running netflow on a vSphere environment will provide visibility of the following:

·      Intrahost virtual machine traffic (virtual machine–to–virtual machine traffic on the same host)

·      Interhost virtual machine traffic (virtual machine–to–virtual machine traffic on different hosts)

·      Virtual machine to physical infrastructure traffic


Test Lab

The test lab consist of  Vmware ESXi 5.1 as a host ,Ubuntu 13.04  as netflow collector and analysis workstation , Kali Linux with an IP of , Linux#1 server with an IP , Linux#2 with an IP of 192.168.207 and Cisco Nexus 1000v switch with an IP of 


SiLK Installation

For this diary the SiLK will be running on a fresh Ubuntu 13.04 installation. Here is a step by step instruction on how to install SiLK on Ubuntu Linux.


1-Install gcc , gcc-c++, glib2, glib2-devel, libpcap, libpcap-devel, python and python-devel

sudo apt-get -y install libglib2.0-dev
sudo apt-get -y install libpcap-dev
sudo apt-get -y install python-dev


2-Download Silk and fixbuf. Latest version can be found at





3-Install fixbuf

tar -zxvf libfixbuf-1.2.0.tar.gz

cd libfixbuf-1.2.0/


sudo make install

3-Install Yaf

tar -zxvf  yaf-2.4.0.tar.gz

cd yaf-2.4.0

export PKG_CONFIG_PATH=/usr/local/lib/pkgconfig



sudo make install

4-Install SiLK

tar -xvzf silk-3.7.2.tar.gz
cd silk-3.7.2/
./configure \
 --with-libfixbuf=/usr/local/lib/pkgconfig/ \
sudo make install


5- Add the following paths to

cat <<EOF >>silk.conf
sudo mv silk.conf /etc/


6- Run ldconfig

sudo ldconfig


7-Create /data directory

sudo mkdir /data


8- Configure rwflowpack

cat /usr/local/share/silk/etc/rwflowpack.conf | \
sed 's/ENABLED=/ENABLED=yes/;' | \
sed 's/SENSOR_CONFIG=/SENSOR_CONFIG=\/data\/sensors.conf/;' | \
sed 's/SITE_CONFIG=/SITE_CONFIG=\/data\/silk.conf/' | \
sed 's/LOG_TYPE=syslog/LOG_TYPE=legacy/' | \
sed 's/LOG_DIR=.*/LOG_DIR=\/var\/log/' | \
>> rwflowpack.conf
sudo mv rwflowpack.conf /usr/local/etc/


 9- copy the startup script into /etc/init.d and set it to start on boot.

sudo cp /usr/local/share/silk/etc/init.d/rwflowpack /etc/init.d
sudo sudo update-rc.d rwflowpack start 20 3 4 5 .


SiLK configuration:


      1-Create and configure the /data/silk.conf file. You can use the below text, replace the word Nexus with your netflow enabled device.

sensor 0 Nexus


class all

     sensors Nexus

 end class


# Be sure you understand the workings of the packing system before

 # editing the class and type definitions below.  Editing above this

 # line is sufficient for sensor definition.


version 1


class all

     type  0 in      in

     type  1 out     out

     type  2 inweb   iw

     type  3 outweb  ow

     type  4 innull  innull

     type  5 outnull outnull

     type  6 int2int int2int

     type  7 ext2ext ext2ext

     type  8 inicmp  inicmp

     type  9 outicmp outicmp

     type 10 other   other


    default-types in inweb inicmp

 end class


default-class all


# The default path format from SILK_DATA_ROOTDIR

 path-format "%N/%T/%Y/%m/%d/%x"


# The plug-in to load to get the packing logic to use in rwflowpack.

 # The --packing-logic switch to rwflowpack will override this value.

 # If SiLK was configured with hard-coded packing logic, this value is

 # ignored.


# The plug-in to load to get the packing logic to use in rwflowpack.

 # The --packing-logic switch to rwflowpack will override this value.

 # If SiLK was configured with hard-coded packing logic, this value is

 # ignored.

 packing-logic ""


2-create and configure the sensor.conf file

probe Nexus netflow-v9

      listen-on-port 9901# SiLK will receive netflow traffic on this port number

      protocol udp

      accept-from-host #Nexus 1000v management IP address

 end probe

 sensor Nexus

      netflow-v9-probes Nexus


      external-ipblock remainder

 end sensor


3-Allow traffic from udp port 9901 from the Nexus Management port

sudo iptables -I INPUT -s -p udp -m udp --dport 9901 -j ACCEPT

sudo iptables-save


4-Start the rwflowpack

sudo service rwflowpack start




Nexus Cisco 1000v

I am not going to discuss the installation of Nexus Cisco 1000v in this diary; a step by step guide is available at



Nexus Cisco 1000v Configuration

Cisco Nexus 1000v:

Here is the steps to configure

1-Enable netflow

Config t

feature netflow


2-Configure the exporter

flow exporter ExortSilk

description Export Silk


transport udp 9901

source mgmt0

version 9



3-configure the flow monitor

flow monitor NexusMonitor

record netflow-original

exporter ExportSilk


4-Assigning the Flow Monitor to an Interface

int vethernet 1

ip flow monitor NexusMonitor output









SiLK Commands:

Here is a very brief description of some SiLK commands:

rwfilter [1] :

rwfilter is the most used command in the SiLK suite. It serves as the starting point for most



rwcut[2] :

rwcut Print selected fields of binary SiLK Flow records and prints the records to the screen in a textual, bar (|) delimited format .rwcut can take input piped from rwfilter command.

rwstat [3] :

rwstats - Print top-N or bottom-N lists or summarize data by protocol , rwstats has two modes of operation: it can compute a Top-N or Bottom-N list, or it can summarize data for a list of protocols.

SiLK Usage:

Here are some examples of SiLK usage:

1-Finding the top talkers

rwfilter --sensor=Nexus --protocol=6 --pass=stdout | rwstats --fields sIP,dIP  --count=10 --bytes


In this example rwfilter will read data from Nexus sensor, --protocol switch is the IP protocol number[4] ,the most common used protocols are icmp=1,tcp=6 and udp=17 ,0-255 means select all possible IP protocols ,. The --protocol switch is a partitioning switch, --pass=stdout will Send SiLK flow records matching partitioning parameters to pipe . By default the output of rwfilter is in binary format not in ascii format. The rwstats will compute the Top-N  list, the –fields sIP,dIP  will display source IP address and destination IP address ,--count=10  will choose the top 10 and –bytes will choose the top 10 based on the bytes value.


2-Filttering traffic based on port number

rwfilter --sensor=Router --aport=123 --pass=stdout| rwuniq --fields 1



sIP|   Records||        10||        10||         9||         8||        18|


In this example rwfilter will read data from Nexus sensor,--protocol=17 will select UDP flow records,---aport=123 will filter traffic based on port number 123 which is NTP port  . rwuniq[5] will summarize SiLK Flow records by a user-specified key comprised of record attributes  ,

--fields sIP will display the source IP address.


3-Finding traffic with outside world:

rwfilter --sensor=Nexus --saddress= --daddress=  --fail=stdout | rwuniq –fields 1-4


           sIP|            dIP|sPort|dPort|   Records|||   80|37840|         2|||   80|52135|         2|||   80|37311|         2|||   80|37975|         2|||   80|37557|         1|||   80|34630|         3|||   80|53842|         2|||   80|47031|         2|||   80|59682|         2|||  443|50579|         3|||   80|48185|         2|



In this example rwfilter will write all the records that doesn’t have both source and destination IP address within the range.

4- Finding all the traffic the exceed a certain size

rwfilter --sensor=Nexus --proto=0-255  -bytes=10000000- --pass=stdout |rwcut


           sIP|            dIP|sPort|dPort|pro|   packets|     bytes|   flags|                  sTime| duration|                  eTime|sensor|||   80|37565|  6|     11526|  16130997|        |2013/09/17T17:48:00.241|  241.447|2013/09/17T17:52:01.688|Nexus|||   80|37565|  6|     11489|  15807248|       

 In this example rwfilter will pass all of the records that have 10000 bytes or more. The hyphen symbol (-) is more or equal.







1 comment(s)
Diary Archives