MannTech Computers, Inc

Manntech Computers was started in 2005 with the vision of creating and investigating information security. Since that date we have strived to gain expert knowledge and use that to create processes, procedures and applications that meet that need.
 
How Do I....?
Here we discuss how to run and install Sphere of Influence (SOI) and RadiusCP. We also aim to help you configure Cisco PIX/ASA, Snort and Windows 2008/2003/XP/Vista to connect and deliver their syslog output to SOI.

Minimum Specifications SOI

Windows XP/Vista/2003/2008
Java JRE 1.6
Snort - for Snort window collection
Cisco PIX/ASA - for PIX/ASA window collection
Snare from Intersect Alliance - For Windows 2008/2003/Vista/XP collection
Processor Speed = The faster the better!
Memory = The more the better!

How do I......SOI ?

Q: How Do I Install Sphere of Influence?
A: SOI is very easy to install. After purchase, download soi.exe to your desktop. You will need administrative privileges, and the machine must meet the minimum required specifications (for memory and processor, the more and the faster you have, the better the performance). Double-click soi.exe, follow the install prompts and agree to the license agreement. Two shortcuts will be placed on your desktop: to run the Snort SOI click the Snortsoi shortcut, and to run the PIX/ASA SOI click the PixAsaSoi shortcut. Remember that you can run them together or separately. That is all there is to it; SOI is very simple to run and use. Ensure that Snort and/or the PIX are logging to the host that is running SOI: Snort needs to be configured to log to port 1515 and the PIX needs to be configured to log to port 1516. The PIX/ASA, Snort and Windows versions run on syslog; the Cisco IPS version is SNMP based and listens on port 1518. You can change the PIX port in the properties files. To alter the Snort version, click on the column number.


Q: How Do I configure Snort for SOI?
A: Although this is not a tutorial on how to configure Snort, you will have to add/edit this line in the snort.conf file:


output alert_syslog: host=<ip address>:1515, LOG_AUTH LOG_ALERT

e.g.
output alert_syslog: host=192.168.1.1:1515, LOG_AUTH LOG_ALERT


To configure Snort, please visit www.snort.org; they have some great tutorials. It is really very simple to get Snort up and running. It is slightly more complicated to fine-tune Snort, but nothing an information security person can't handle.

Q: I don't see a timestamp in the syslog events of Snort?
A: No, you will not see a timestamp by default when using syslog in Snort. The way to put a timestamp in is to first configure Snort to send to a free syslog server (such as Kiwi Syslogd), then create a forward action there to send the events on to the host running the SOI Snort window. Make sure you have ticked the "Use RFC 3164 header" option; this adds a timestamp to the Snort syslog entries. Using Kiwi as a forwarder also lets you keep a database of events.

Q: I want to see the actual packet that fired the event. Can I do that?
A: At present you will have to install Wireshark (formerly Ethereal). Look at the source and destination of the packet by clicking on the flag/icon, and note the source and destination IP addresses.
 
I currently (wait until you see what is coming!!) open up a command prompt and enter the following command at the wireshark root directory:

wireshark -r \\ServerIPIfNotLocal\c$\Snort\log\snort.log.1243004987 -R "ip.src==192.168.1.1 and ip.dst==10.10.10.1"

You could limit it further with ports as well, but I have found this works great.

Since SOI is a tactical tool, the log file you want is the latest one. By default Snort logs the guilty packets, but you can change this to log all packets once a guilty packet has been found. Snort is a really good tool, and it is beyond the scope of our website to tell you how to configure it and what the options are.
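As an added example (not code from the SOI product or this site), here is a small Python parser for Snort alert_syslog lines that pulls out the alert's source and destination and builds the same Wireshark read filter as the command above. The two sample lines are constructed: one as Snort sends it (no timestamp) and one after a forwarder such as Kiwi has prepended the RFC 3164 header, so the missing-timestamp case from the previous question is handled.

```python
import re
from typing import Dict, Optional

# Constructed sample lines (not captured from a real sensor) in the shape of a
# Snort 2 alert_syslog message. <33> is the syslog PRI for LOG_AUTH + LOG_ALERT,
# the facility/level pair used in the snort.conf line above.
RAW_LINE = ("<33>snort[1234]: [1:1000001:1] Constructed test alert "
            "[Classification: Misc activity] [Priority: 3]: {UDP} "
            "192.168.1.1:1434 -> 10.10.10.1:1434")
# The same kind of alert after a forwarder has prepended an RFC 3164 header
# (timestamp and host), which is what the FAQ entry above recommends.
FWD_LINE = ("<33>May 22 14:09:47 sensor01 snort[1234]: [1:1000001:1] "
            "Constructed test alert [Classification: Misc activity] "
            "[Priority: 3]: {TCP} 192.168.1.1:40312 -> 10.10.10.1:445")

RFC3164_HDR = re.compile(
    r"^<\d{1,3}>(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+")
ALERT_BODY = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s*)?"
    r"\[Priority:\s*(?P<prio>\d+)\]:?\s*\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?")


def parse_snort_syslog(line: str) -> Optional[Dict]:
    """Parse one alert line. 'timestamp' is None when no RFC 3164 header is
    present, which is the default Snort-to-syslog case described above."""
    hdr = RFC3164_HDR.match(line)
    body = ALERT_BODY.search(line)
    if body is None:
        return None
    return {
        "timestamp": hdr.group("ts") if hdr else None,
        "host": hdr.group("host") if hdr else None,
        "sid": int(body.group("sid")),
        "msg": body.group("msg"),
        "priority": int(body.group("prio")),
        "proto": body.group("proto").upper(),
        "src": body.group("src"),
        "sport": int(body.group("sport")) if body.group("sport") else None,
        "dst": body.group("dst"),
        "dport": int(body.group("dport")) if body.group("dport") else None,
    }


def wireshark_filter(event: Dict, with_ports: bool = False) -> str:
    """Build the display filter used with `wireshark -r <log> -R ...` above.
    with_ports adds the tcp/udp port terms the FAQ mentions as a further limit."""
    expr = f'ip.src=={event["src"]} and ip.dst=={event["dst"]}'
    proto = event["proto"].lower()
    if (with_ports and proto in ("tcp", "udp")
            and event["sport"] is not None and event["dport"] is not None):
        expr += (f' and {proto}.srcport=={event["sport"]}'
                 f' and {proto}.dstport=={event["dport"]}')
    return expr


if __name__ == "__main__":
    for line in (RAW_LINE, FWD_LINE):
        ev = parse_snort_syslog(line)
        print(ev["timestamp"], ev["src"], "->", ev["dst"], "|",
              wireshark_filter(ev, with_ports=True))
```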

Q: How Do I Configure PIX/ASA for SOI?
A: Again, while this is not a tutorial on how to configure a Cisco PIX/ASA, you will need to do two things.

First, you will need to configure your access lists to log entries that are denied and allowed.

access-list outside_access_in extended permit ip host 10.1.1.1  host 10.1.1.2 log
Note the "log" keyword at the end of the ACL.

You will also need to log the deny any any that is implied at the end of the access list; it is not there by default, so add it explicitly. This captures the denied packets.

pix(config)#access-list outside_access_in extended deny ip any any log

Secondly, you will need to switch logging on and point the PIX to the machine that is running SOI.

pix(config)#logging enable
pix(config)#logging timestamp
pix(config)#logging trap informational
pix(config)#logging host inside 1.1.1.1 udp/1516

Q: How do I configure the Cisco IPS to collect for SOI?

[Cisco IME screenshot: SNMP trap destination configuration]

A: All you have to do is add an SNMP trap destination (the port is 1518). Make sure the rules have been configured to fire a trap event. Above is the Cisco screenshot of the IME.

Q: How do I get updated rules?
A: You can get updated rules by downloading them from the link provided to you when you purchased SOI. If you have lost the link, just contact support and we will email it to you. You can add your own rules in the ipsrules.txt file under the \lib directory.

Q: I want to capture the traffic shown in the details window. How do I do that?
A: Just substitute your source and destination IP addresses for the ones detailed in the details window on SOI:

access-list CAPTURE1 extended permit ip host host
capture CAPTURING access-list CAPTURE1 interface

copy /pcap capture:CAPTURING tftp

This copies the capture to your TFTP server, where you can start detailed analysis of the packets in Wireshark or whatever you use to view pcap files.
If anyone knows a good TCL script for this, contact us.

Q: How do I know your geolocation data is accurate?
A: We licensed MaxMind's GeoLite geolocation database. This is accurate to 99.5%. MaxMind do another database that is accurate to 99.8%, and we can, for a small fee, incorporate this database for you. We give you access to download monthly updates for the GeoLite database to keep things as accurate as possible.
If you wish to include city, lat/long, organization and other geographical location data, we can also do this for you for a small extra fee.

Q: I have written my own Snort rules, how do I capture them?
A: In the "lib" directory is a file called snortrules.txt, which holds the message each rule fires with. If you created your own rules, just add the message you gave each rule to this text file. The latest Snort message text file can be downloaded, when updated, via the downloads page you were given with your purchase.
 
Q: What do all the icons mean?
A: In the PIX/ASA version the icons represent the country of origin. This can be changed to show either the source or the destination. This is 99.5% accurate. The padlock icon represents the private IP address scheme. The AP1 icon represents IP addresses that belong to anonymous proxy services such as Anonymizer; these are often used by users to hide their IP address or to make it appear that they are coming from a different geographical location. The AP2 icon represents countries that obtain their IP addresses from ISPs using satellites. These countries tend to be higher-risk countries such as Nigeria and Ghana, so you should pay attention when you see these icons. Sometimes you will see an icon that represents a continent; this is because there is no clear indication of where the IP is located.
In Snort, if the user does not use his/her own icons then the default is to use the geographic location database. A user can change this and upload personal icons for the events.

Q: What do the columns mean?
A: In the PIX window the columns are a plot of time against port. In the Snort window the columns represent time against rule set; which column an event lands in is determined by the rules applied to the event, and this can be configured by clicking on the column number in the Snort window. You can have 10 rules per column, and each rule can have multiple events, which gives a very powerful representation of events. The default icons in the Snort visual are the flags of the source/destination country, but this can be changed via the properties file for each version.

Q: In the Snort version, can I change the background of the network diagram to my own network diagram?
A: Yes, in fact that's what it is designed to do. You can move the columns around by dragging and dropping them anywhere in the diagram, so you could have your own network diagram and have the rule sets reflect what you are looking for with Snort. All you have to do is rename your own network diagram to match the current one, which can be found in the /Lib directory and is called networkDiagram.jpg. Just add your own network .jpg and rename it.

Q: In the Snort window, how do I look for a whole subnet and not just a host IP address?
A: Change the host IP address to 192.168.1.*. This will now look for all addresses from 192.168.1.1 - 192.168.1.255.


Q: How do you configure the Windows SOI?
A: To configure the Windows SOI, please download the free Snare agent from Intersect Alliance (http://www.intersectalliance.com/).
You will need the Snare agent for Windows. Please be careful and select the correct agent: you want the SNARE agent. Since it is also available on SourceForge, you can download it directly from there (http://sourceforge.net/project/showfiles.php?group_id=39535).
Please install the Snare agent on the machines that you wish to collect syslog information from. We recommend installing it on domain controllers to collect domain information.

Q: How do you configure the Snare agent to point to the Windows SOI?
A: Open up the Snare agent by going to Start > Programs > Intersect Alliance > Snare For Windows.
Configuring Snare is relatively straightforward. Click on Network Configuration, enter the IP of the host that is running the Windows SOI and change the port to 1517. Untick the rest of the boxes. (See picture below.)

[Snare screenshot: Network Configuration]

Q: What are the filter parameters for the Timeline windows and World map?
A: The filter parameters are as follows:

World Map Window

The live world map window is opened by clicking on the flag/icon or the port number on the Cisco PIX/ASA window. This brings up a view with the filter fields listed below. The security analyst can filter on the following conditions:


A) Source IP - This represents the source IP address of the event. The security analyst can use "10.10.10.*" to represent the entire "10.10.10.0" subnet, or put a "!" in front of it to capture every event except those from the 10.10.10.* subnet. E.g. "!192.168.1.*" will capture all events from all IP addresses except the 192.168.1.0 subnet.

B) Source Port - This represents the source port of the event. Multiple source ports can be configured by adding a "," between them. E.g. 80,443 will capture ports 80 and 443.

C) Destination IP address - This represents the destination IP address of the event. The security analyst can use "10.10.10.*" to represent the entire "10.10.10.0" subnet, or put a "!" in front of it to capture every event except those to the 10.10.10.* subnet. E.g. "!192.168.1.*" will capture all events to all IP addresses except the 192.168.1.0 subnet.

D) Destination Port - This represents the destination port of the event. Multiple destination ports can be configured by adding a "," between them. E.g. 80,443 will capture ports 80 and 443.

E) Country - This represents the country of the event. The properties file can be altered to change the flag to represent the source or the destination IP. The default is the source IP address.

F) Organization - This represents the organization that the event IP address is associated with. This can be the full organizational name or a partial one. For example, if the security analyst wanted to show all events from universities, the entry "university" will capture all events whose organization contains the word "university". This captures events from "oxford university" and "Cambridge university", as both contain the word university. It is not case sensitive.

G) Keyword - This allows the security analyst to filter for any match within the syslog field. An example would be " RST " to match any reset packets.
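The filter semantics described in A) to G) above, as an added Python example that is not part of SOI itself: the event field names and the sample events are constructed for this example, and the IP wildcard, "!" negation, comma-separated port, organization and keyword rules follow the descriptions above.

```python
from fnmatch import fnmatchcase
from typing import Dict, List

# Constructed sample events (not real firewall output). The field names are
# assumptions for this example; they stand for the per-event columns SOI shows.
EVENTS: List[Dict] = [
    {"src_ip": "192.168.1.10", "src_port": 51000, "dst_ip": "10.10.10.1",
     "dst_port": 443, "country": "GB", "org": "Oxford University",
     "syslog": "Built outbound TCP connection 192.168.1.10/51000 to 10.10.10.1/443"},
    {"src_ip": "203.0.113.7", "src_port": 4444, "dst_ip": "10.10.10.2",
     "dst_port": 80, "country": "NG", "org": "Example Satellite ISP",
     "syslog": "Teardown TCP connection 203.0.113.7/4444 to 10.10.10.2/80 flags RST "},
    {"src_ip": "198.51.100.20", "src_port": 3389, "dst_ip": "10.10.10.3",
     "dst_port": 3389, "country": "US", "org": "Cambridge University",
     "syslog": "Deny tcp src 198.51.100.20/3389 dst 10.10.10.3/3389 by access-group outside_access_in"},
    {"src_ip": "192.168.1.200", "src_port": 1111, "dst_ip": "10.10.10.4",
     "dst_port": 22, "country": "GB", "org": "MannTech Computers",
     "syslog": "Deny tcp src 192.168.1.200/1111 dst 10.10.10.4/22 by access-group outside_access_in"},
]


def ip_matches(pattern: str, ip: str) -> bool:
    """'10.10.10.*' covers the whole 10.10.10.0 subnet; a leading '!' inverts
    the match, so '!192.168.1.*' is everything except 192.168.1.0; blank = any."""
    pattern = pattern.strip()
    if not pattern:
        return True
    negate = pattern.startswith("!")
    if negate:
        pattern = pattern[1:].strip()
    hit = fnmatchcase(ip, pattern)
    return (not hit) if negate else hit


def port_matches(pattern: str, port: int) -> bool:
    """'80,443' lists several ports separated by ','; blank = any port."""
    wanted = {int(p) for p in pattern.split(",") if p.strip().isdigit()}
    return not wanted or port in wanted


def org_matches(pattern: str, org: str) -> bool:
    """Full or partial organization name, not case sensitive: 'university'
    hits both 'oxford university' and 'Cambridge University'."""
    return pattern.strip().lower() in org.lower()


def apply_filter(events: List[Dict], src_ip: str = "", src_port: str = "",
                 dst_ip: str = "", dst_port: str = "", country: str = "",
                 org: str = "", keyword: str = "") -> List[Dict]:
    """Apply criteria A) to G) as typed into the filter boxes. A blank box
    means no restriction on that field; Keyword is a literal substring match
    on the syslog text, so ' RST ' (with spaces) behaves as in the FAQ."""
    return [e for e in events
            if ip_matches(src_ip, e["src_ip"])
            and port_matches(src_port, e["src_port"])
            and ip_matches(dst_ip, e["dst_ip"])
            and port_matches(dst_port, e["dst_port"])
            and (not country.strip()
                 or country.strip().upper() == e["country"].upper())
            and org_matches(org, e["org"])
            and keyword in e["syslog"]]


if __name__ == "__main__":
    for hit in apply_filter(EVENTS, src_ip="!192.168.1.*", dst_port="80,443"):
        print(hit["src_ip"], "->", hit["dst_ip"], hit["dst_port"], hit["org"])
```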





 
Timeline Window Cisco PIX/ASA

The Cisco PIX/ASA timeline window captures and displays the entire last hour of traffic, regardless of what ports the security analyst has set for visualization. The data is stored in the /DATA folder. The security analyst can perform traffic analysis using this window by changing the filter parameters.

The filter parameters for the timeline window are the same as those listed above for the Cisco PIX/ASA world map window.

 


Timeline Window Snort IDS

The Snort timeline window captures and displays the last hour of traffic. The data is stored in the /DATA folder. The security analyst can perform traffic analysis using this window by changing the filter parameters.

A) Source IP - This represents the source IP address of the event. The security analyst can use "10.10.10.*" to represent the entire "10.10.10.0" subnet, or put a "!" in front of it to capture every event except those from the 10.10.10.* subnet. E.g. "!192.168.1.*" will capture all events from all IP addresses except the 192.168.1.0 subnet.

B) Source Port - This represents the source port of the event. Multiple source ports can be configured by adding a "," between them. E.g. 80,443 will capture ports 80 and 443.

C) Destination IP address - This represents the destination IP address of the event. The security analyst can use "10.10.10.*" to represent the entire "10.10.10.0" subnet, or put a "!" in front of it to capture every event except those to the 10.10.10.* subnet. E.g. "!192.168.1.*" will capture all events to all IP addresses except the 192.168.1.0 subnet.

D) Destination Port - This represents the destination port of the event. Multiple destination ports can be configured by adding a "," between them. E.g. 80,443 will capture ports 80 and 443.

E) Country - This represents the country of the event. The properties file can be altered to change the flag to represent the source or the destination IP. The default is the source IP address.

F) Organization - This represents the organization that the event IP address is associated with. This can be the full organizational name or a partial one. For example, if the security analyst wanted to show all events from universities, the entry "university" will capture all events whose organization contains the word "university". This captures events from "oxford university" and "Cambridge university", as both contain the word university. It is not case sensitive.

G) Keyword - This allows the security analyst to filter for any match within the syslog field. An example would be "WEB-CGI" to match any web-cgi event packets.

 

 

Timeline Window Microsoft Windows

The Windows timeline window captures and displays the last hour of traffic. The data is stored in the /DATA folder. The security analyst can perform traffic analysis using this window by changing the filter parameters.

The filter parameters are different for the Microsoft Windows timeline and are as follows:

A) Source IP - This represents the source IP address of the system sending the syslog events.

B) EventID - This is the Event ID number for the related event.

C) Keyword - This allows the security analyst to filter for any match within the syslog field. An example would be "user1" to match any events that contain the text user1.

Q: What are the column defaults for the Windows SOI?
A: We have tried to ship the Windows SOI with a "standard" set of event IDs. Of course you can tailor the columns to match whatever your requirement is, and we recommend doing so. The list below is the default set of event IDs for each column.

Column 1
XP, Vista and 2003/2008 server: new process start and stop for cmd.exe. We specified cmd.exe but you can change this to anything. I just think it's always useful to see if a shell starts on your servers without you knowing.

VistaNewProcessStart 4688
VistaNewProcessStop 4689

XPNewProcessStart  592
XPNewProcessStop 593


Column 2
Network Logons success and failures.

540 Network Logon. This has been moved to its own column as it generates a great number of alerts. See the links below for further information.

http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows%20Operating%20System&ProdVer=5.0&EvtID=540&EvtSrc=Security&LCID=1033

http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=540

Column 3
This Column deals with XP logon successes and failures at local machine level.

XPLogonSuccess 528
XPLogonFailed 529:530:531:532:533:534:535:539

Column 4
This Column deals with vista logon successes and failures.

4624:VistaLogonSuccess 4624
4625:VistaLogonFail 4625
4740:VistaLogonlockout 4740
4776:VistaDomainLogon 4776
4648: A logon was attempted using explicit credentials 4648

Column 5
This Column deals with Services being installed.

XPInstallService 601
VistaInstallService 4697

Column 6
This column deals with the setting and running of scheduled tasks.

XPScheduledTask 602
VistaSchedule1  4698
VistaSchedule2  4699
VistaSchedule3  4700
VistaSchedule4  4701
VistaSchedule2  3702

Column 7
This is used when using NTLM rather than Kerberos.


4776: The domain controller attempted to validate the credentials for an account  4776
680: Account Used for Logon by   680
681: The logon to account: %2 by: %1 from workstation: %3 failed  681

Column 8
When a user logs on to a network these events are created.

4768: A Kerberos authentication ticket (TGT) was requested
4771: Kerberos pre-authentication failed
4772: A Kerberos authentication ticket request failed

672: Authentication Ticket Granted
676: Authentication Ticket Request Failed
675: Pre-authentication failed

Column 9
This column is related to the granting of service tickets, usually associated with accessing a server e.g.  file share.

4769: A Kerberos service ticket was requested 4769
4770: A Kerberos service ticket was renewed 4770
4773: A Kerberos service ticket request failed 4773

673: Service Ticket Granted 673
674: Ticket Granted Renewed 674

Column 10
Account Mapping for Logon. Rarely seen.

4774: An account was mapped for logon
4775: An account could not be mapped for logon

679: The name: %2 could not be mapped for logon by: %1

Column 11
This Column deals with changes to user accounts for Vista/Windows 2008 Server

4720: A user account was created
4722: A user account was enabled
4723: An attempt was made to change an account's password
4724: An attempt was made to reset an accounts password
4725: A user account was disabled
4726: A user account was deleted
4738: A user account was changed
4740: A user account was locked out
4767: A user account was unlocked
4781: The name of an account was changed

Column 12
This column deals with changes to windows accounts XP and Windows 2003.

624: User Account Created
626: User Account Enabled
627: Change Password Attempt
628: User Account password set
629: User Account Disabled
630: User Account Disabled
642: User Account Changed
644: User Account Locked Out
671: User Account Unlocked
685: Account Name Changed

Column 13
This column deals with the creation, changing and deletion of computer accounts for both Windows 2003 and Windows 2008.

4741: A computer account was created
4742: A computer account was changed
4743: A computer account was deleted

645: Computer Account Created
646: Computer Account Changed
647: Computer Account Deleted

Column 14
This Column is left blank for User specific details

Column 15
This Column is left blank for User specific details

Column 16
This Column deals with user initiated logoffs.

4634: An account was logged off
4647: User initiated logoff
538: User Logoff

Column 17
This column deals with auditing of objects. An example would be you enable auditing for a folder.

4656: A handle to an object was requested
4658: The handle to an object was closed
4660: An object was deleted
4663: An attempt was made to access an object

560: Object Open
562: Handle Closed
564: Object Deleted
567: Object Access Attempt

Column 18
This column deals with registry access on a Windows 2008 server/Vista machine. The corresponding Windows 2003/XP events are dealt with in column 17.

4657: A registry value was modified

Column 19
This Column gives network share access information.

5140: A network share object was accessed
4665: An attempt was made to create an application client context

Column 20
This column deals with monitoring any changes to Audit Policies.

4719: System audit policy was changed
612: Audit Policy Change

Column 21
This Column deals with changes made to trusts on a windows 2008/Vista domain.

4706: A new trust was created to a domain
4707: A trust to a domain was removed
4713: Kerberos policy was changed
4716: Trusted domain information was modified

4717: System security access was granted to an account
4718: System security access was removed from an account
4865: A trusted forest information entry was added
4866: A trusted forest information entry was removed
4867: A trusted forest information entry was modified

Column 22
This column deals with changes made to trusts on a Windows 2003 domain.

610: New Trusted Domain
611: Removing Trusted Domain
617: Kerberos Policy Changed
622: System Security Access Removed
620: Trusted Domain Information Modified

Column 23
This Column deals with Vista/Windows 2008 privilege service calls

4673: A privileged service was called
4674: An operation was attempted on a privileged object

Column 24
This Column deals with the creation of a new process on a windows xp/2003/2008/vista machine.

4688: A new process has been created
4696: A primary token was assigned to process
4689: A process has exited

592: A new process has been created
600: A process was assigned a primary token
593: A process has exited

Column 25
This column deals with the startup and shutdown of a windows 2008/2003/vista/xp machine. Also any events that involve changing the system time.

4608: Windows is starting up
4609: Windows is shutting down
4616: The system time was changed.

512: Windows NT is starting up
513: Windows is shutting down
520: The system time was changed

Column 26
This Column deals with the clearing of event logs.

1102: The audit log was cleared
517: The audit log was cleared

Column 27
This column deals with the Windows 2008/Vista event logging service shutting down.

1100: The event logging service has shut down

Column 28
This deals with local logons to Windows 2003/XP computers.

528 LogonSuccess

Column 29
This column was specified by us to show a specific username denied in Outlook Web Access. You can change the name to anything you want. I recommend using an admin account that is not in use, to check whether people are attempting to log on to your OWA. This column can be tailored to any name.

675 OutlookwebAccessDenied

Column 30
This column was specified by us to show how auditing a particular folder may be shown. Just change the message to the folder name or path and turn on auditing on the server. Anyone who accesses that audited folder will now be highlighted.

560 AuditedNetworkShares

 

 

 

How Do I.......RadiusCP ?

Q: Where is the configuration file located?
A: It is located under the C:/Windows/System32 folder.