SURFcert IDS

Welcome to the SURFcert IDS Development homepage. SURFcert IDS (previously SURFids) is an open source Distributed Intrusion Detection System based on passive sensors. The goal is to provide an early warning system which lets system administrators correlate known and unknown exploits to attacks directed towards their networks.

We have released sensor version 3.12 which should fix the missing keepalive problem that existed as of version 3.10. The sensors currently are not upgrading automatically anymore, so you might need to apply this update manually.

The logserver is now on version 3.11 with a minor bugfix to one of the Dionaea sql functions. It was not correctly logging downloads of binaries. As well as a minor bugfix to the top malware hosts page. It was not showing the ip address of the hosts.

SURFids 3.10 is officially released. There's a few things you need to be aware of when upgrading. First of all, remove any pins of OpenVPN on your tunnel server. The new tunnel server now supports OpenVPN 2.1 and no longer needs the old 2.0 version from the archive repo's. Upgrading the tunnel server should go smoothly, but be aware that the sensors will still be running with the old OpenVPN version until you kill the tunnels once.

Also be aware that the new version supports Kippo, so it might be interesting to install Kippo on your tunnel (or honeypot) server.

The sensor is now able to do limited APT manipulation. This means you will be able to either do an “apt-get upgrade”, and “apt-get install surfids-sensor” or an upgrade of all the dependencies of the SURFids sensor remotely. You can give these commands via the webinterface.

The Ethernet modules have been extended to also support MitM detection on IPv6 (even for networks that don't have native IPv6 this is a possible security risk).

As for the rest of the changes, here is the changelog of the key features:

surfids-sensor (3.10)

• SURFids 3.10 stable release.
• Added locking option for the sensor menu.
• Added support for APT manipulation via the server.
• Added config option to enable/disable automatic sensor updates.
• Added OID support.
• Added watch script for OpenVPN tunnel.
• Fixed a few minor bugs.

surfids-logserver (3.10)

• SURFids 3.10 stable release
• Support for Kippo (a medium interaction SSH honeypot)
• Improved google map functionality
• Support for APT interaction via the webinterface
• Improved Ethernet module screens
• Support for binary hash lookups
• Support for public RSS feeds
• Several minor bugfixes
• Improved database handling in the installer

surfids-tunnel (3.10)

• SURFids 3.10 stable release.
• OpenVPN 2.1 supported now
• Added IPv6 MitM attack detection to the ethernet modules.
• Added janitor script to make sure pof and the ethernet detection scripts keep running properly.
• Added support for APT interaction with the sensor.
• Moved the log locations to /var/log/surfids/.
• Added logrotate script for the logs.
• Fixed bug where routes weren't cleaned up properly after a sensor went down.

Upcoming Thursday we will be putting the SURFids 3.10 packages live in the repository. This means that all the active sensors will be going to upgrade automatically to version 3.10. The 3.07 has an auto-update feature builtin that will do this. We realize that this is inconvenient as you would rather upgrade at your own leisure, so in the next release (3.10) this feature is turned off by default. For now though, be assured that 3.10 is compatible with the 3.0* log and tunnel server and the worst case scenario is that you will need to restart your sensor.

Stay tuned for the release notes on Thursday.

Since we have deployed Dionaea the amount of attacks we have been getting have grown so much that we had to rate limit it somewhat to keep our database size manageable. We had attackers trying to infect our Dionaea machine multiple times per second which is clearly not really useful information. A method of rate limiting we now have deployed (on our tunnel server) is the following:

# Rate limiting for dionaea
iptables -A INPUT -p tcp -m tcp --dport 445 -m state --state NEW -m recent --set --name DEFAULT --rsource
iptables -A INPUT -p tcp -m tcp --dport 135 -m state --state NEW -m recent --set --name DEFAULT --rsource
iptables -A INPUT -p tcp -m tcp --dport 445 -m state --state NEW -m recent --update --seconds 30 --hitcount 5 --name DEFAULT --rsource -j DROP
iptables -A INPUT -p tcp -m tcp --dport 135 -m state --state NEW -m recent --update --seconds 30 --hitcount 5 --name DEFAULT --rsource -j DROP

Basically what this does is: If in the last 30 seconds a remote source has initiated a new connection 5 times, block the next incoming connections. This is a sliding window. The nice thing about this solution is that you don't lose too much information while reducing the amount of attacks/records in the database significantly.

It's been quiet for a while so here's a preview of the upcoming changes that will be in the next stable release:

• IPv6 Router advertisement detection, basically detects man-in-the-middle attacks on IPv6.
• Kippo support (an SSH honeypot), including search functionality.
• An option to update the SURFids sensor software via the web interface.
• A lock screen on the sensor (avoids accidental key presses when the sensor is unguarded).
• Reworked the Ethernet module to give more customization.
• Server side script to make sure p0f and the ethernet module keep running.

There's no official release date yet, but it's coming!

We have released new version of all 3 packages. These new releases mostly contain bugfixes and a few new features. After the sensor has installed there might be a chance that it will disconnect the tunnel. Just put the action command to “START” in the webinterface and it will start again.

Here are the changes:

Logserver 3.04

• Fixed bugs: 178, 181, 185, 187, 192, 193, 196, 205, 206, 207, 220
• Fixed IGMP protocol detection
• Fixed pubDate bug in RSS feed
• Fixed checkSID function
• Improved whois functionality (Cymru lookups)
• Improved Detected Protocols page
• Improved ARP cache page
• Added subtypes for ICMP protocol
• Added Dionaea support
• Added Amun support
• Added CSN.at SMTP honeypot support
• Added GeoIP database download script
• Added support for public RSS feeds
• Added top malicious countries module
• Added top malware hosts module
• Added janitor for syslog table

Tunnel server 3.04

• Fixed memory, traffic & CPU graphs
• Fixed bugs: 151, 182, 190, 193, 201, 204, 212
• Fixed bug in uptime query
• Added database RRD script
• Fixed reset_sensors_db script

Sensor 3.07

• Improved sensor GUI.
• Better error handling.
• Fixed a few bugs.

There are a few projects related to SURFids which are pretty interesting. I thought I should list them here for others to check out.

CSN

They have made a Snort plugin that logs all the Snort messages directly into the SURFids database. We haven't tested it ourselves yet, but I have seen the results and it looks pretty nice.

Aside from that, they are busy creating an SMTP honeypot that collects spam and scans it for malware and such. Both projects look interesting. I suggest everyone to give it a go.

Debian live seems to have a few undocumented features that are not really useful or even unsecure for our USB sensors.

If you have built your sensors with the previous scripts, we advise you to rebuild your images for security reasons. This is only applicable for the latest 3.0+ version and only for the USB sensors.

We have updated the scripts in the live-usb directory of the SVN sensor trunk. These scripts will take care of disabling a few Debian live features that are unneeded or unsecure. Take a look at the documentation of the 1b._bootable_usb for updated instructions how to build your USB images.

The key changes:

• Debian live creates a default user “user” with a default password. This is very unsafe, so we have added a script that will let you add your own user with a custom password.
• Debian live automatically logs the user in on boot. We have changed this to just give the regular login prompt instead.
• Debian live configures root without password. We have added a script that lets you set the root password.
• We have also added a script that lets you setup an authorized_keys2 file for your sensor for added SSH security.

Finally, we have also updated the USB sensor documentation to add some more info about customizing your USB sensor.

There's a few bugs in the scanbinaries.pl script from SURFids 3.0 which will make it nearly impossible for the script to put any results in the database. A new version of the script can be manually downloaded here until it's incorporated in the next minor release.
If you want to fix this yourself right now, you will have to download this script and copy it over the old one in /opt/surfnetids/scripts/.

We now have a new location for our own packages. The manual has been modified to the correct URLS, but if you have already installed the package, you will need to modify your sources.list.

The new location is:

deb http://repo.ids.surfnet.nl/surfnetids/ lenny main

SURFids 3.0 is now finally released as stable. A few of the major changes in this release:

• New sensors based on Python.
• No more Knoppix remastering.
• Debian packages for the sensor, logserver and tunnel server.

Here you can find a detailed changelog: Changelog.
You can find the installation instructions under the latest_docs segment in the menu on the left.

If you notice/find any bugs please let us know via email, IRC or the designated Trac page.

Enjoy!

Old news can be found in the News Archive