Shmoocon Labs — Part 3 – more ossim, honeypot, snort

So once we got our OSSIM stood up (we had 2 NICs on the appliance), we were able to see the SPAN port, which included all internal VLANs. But I wanted to be able to see what was hitting us from the outside also. Since we couldn’t add another VLAN to the SPAN port with any sort of black magic, I discovered we had a spare interface in VMWare… It was virtual sensor time! I quickly installed OSSIM into VMWare and set it up in sensor mode. We were then able to monitor what was coming in from the outside. I was able to show a few people how to set up a sensor and a SPAN switch in ESX server, so it was nice to have a chance to show people some stuff.

We saw some NMap scans from “shady” regions (about 20,000 from the inside, and a few thousand from the outside). We also saw some SQL injection attempts, but we weren’t sure where. Finally, there were about 15-20 buffer overflow attempts at various services per hour. This data also helped us feed info to the EarthServer .kml file… much more interesting to map incoming traffic.

So to wrap up this series of blog posts — a few tidbits about what we saw once we got everything stood up, and how the labs ended up.

@therealjoetesta set up a honeypot with a fake “Shmoocon Labs Log Access” website. If you figured out the SQL injection, this website showed you a pic of a moose. We gave this an IP address on the “malicious” free-for-all network. We had about 10 hits on this, and a few people actually pulled the pic.

Joel Esler from Sourcefire helped us get a free professional feed of the snort rules for the weekend (super last minute — thanks Joel, and to Richard Harman for connecting me with Joel). We were hoping to be able to detect people trying to exploit the iPhone vulnerabilities that were announced earlier in the week (ssl certificate stuff) but never really got that far in the little analysis that we did. We will make sure we ask for this way before the day Labs starts next year! heh…

Part 4 will wrap up with where I totally dropped the ball, how I could have helped out the team better, what would have been great to accomplish (OSVDB correlation, nessus/kismet scans, netflow), and the Catalyst VLAN problem that stumped a bunch of us for a while.

You can read Part One here, and Part Two here.