This repository contains the following folders:
src: C code of mmt-securityrules: set of official XML rules. An encoded version (*.so) of these rules will be distributed with mmt-sec when usingmake deb. All rules (official and for testing purposes) are stored in rules/properties_allcheck: sample pcap files and expected results to validate mmt-securitydoc: documentationtest: diversity of testing code
The repository contains mmt-security toolset:
compile_rule: encode .xml rules into a shared library (file .so)rule_info: get information of one or all encoded rulesmmt_sec_standalone: use mmt-security to analyse realtime traffic or pcap filemmt_sec_server: analyse meta-data sent by mmt-probe
Suppose on your machine, you have:
-
libxml2-dev, libpcap-dev, libconfuse-dev :
sudo apt-get install libxml2-dev libpcap-dev libconfuse-dev -
Optional: hiredis
git clone https://github.com/redis/hiredis.git
cd hiredis
make
sudo make install
ldconfig-
source code of mmt-security
git clone https://github.com/Montimage/mmt-security.gitcd mmt-security- Do
make cleanto clean compiled objects of mmt-security - Do
make clean-allto clean all compiled objects of mmt-security and the ones being generated from mmt-sdk. Thus do this when mmt-sdk has been updated.
-
compile MMT-Security on its local directory:
make -
compile sample rules existing in
rulesfolder:make sample_rules -
enable some modules use:
make [MODULE_NAME=1]+. CurrentlyMODULE_NAMEis one of the followings:REDIS: this module allows to output to redis. Consequentlyhiredislibrary must be installed.UPDATE_RULES: this module allows to add or remove rules at runtime. This is enabled by default. To disable this, e.g., in the case we do not need this feature:MODULE_NAME=0
-
compile mmt-security to get .deb file in order to re-distribute its binary:
make deb
You will get a .deb file, e.g.,mmt-security_1.0.1_8d5d7ea_Linux_x86_64.deb, containing everything mmt-security needs in order to be able to execute on a fresh machine.
To install this deb file on a new debian-based machine, use:sudo dpkg -i file_name.deb -
install mmt-security on the current machine:
make install -
debug MMT-Security:
make DEBUG=1 -
if you want to check MMT-Security using Valgrind DRD or Helgrind, you should do
make DEBUG=1 VALGRIND=1. The optionVALGRIND=1adds some instruction allowing Valgrind bypass atomic operations that usually causes false positive errors in Valgrind.
By default, MMT-Security will be installed on /opt/mmt/security.
We can change the directory by giving giving a new directory name to INSTALL_DIR parameter when doing make and make install. For example:
make INSTALL_DIR=/home/tata/security
make install INSTALL_DIR=/home/tata/security
MMT-Security binary files can be obtained by compiling its source code or installing its distribution file (*.deb).
This application parses rules in .xml file, then compile to a plugin .so file.
#to generate .so file
./compile_rule rules/40.TCP_SYN_scan.so rules/40.TCP_SYN_scan.xml
#to generate code c (for debug)
./compile_rule rules/40.TCP_SYN_scan.c rules/40.TCP_SYN_scan.xml -cTo compile all rules existing in the folder rules, use the following command:
make sample_rulesThis application prints information of rules encoded in a binary file (.so).
#print information of all available plugins
./rule_info
#print information of rules encoded in `rules/40.TCP_SYN_scan.so`
./rule_info rules/40.TCP_SYN_scan.soThis application can analyze
- either real-time traffic by monitoring a NIC,
- or traffic saved in a pcap file. The verdicts will be printed to the current screen.
./mmt_sec_standalone [<options>]
Option:
-t <trace file>: Gives the trace file to analyse.
-i <interface> : Gives the interface name for live traffic analysis.
-c <string> : Gives the range of logical cores to run on, e.g., "1,3-8,16"
-x <string> : Gives the range of rules id to be excluded, e.g., "99,107-1010".
-m <string> : Attributes special rules to special threads using format (lcore:range) e.g., "(1:1-8,10-13)(2:50)(4:1007-1010)".
-f <string> : Output results to file, e.g., "/home/tata/:5" => output to folder /home/tata and each file contains reports during 5 seconds
-r <string> : Output results to redis, e.g., "localhost:6379"
-g : Ignore the rest of a flow when an alert was detetected on the flow.
-v : Verbose.
-l : Prints the available rules then exit.
-h : Prints this help.
#online analysis on eth0
./mmt_sec_standalone -i eth0
#to see all parameters, run ./mmt_sec_standalone -h
#verify a pcap file
./mmt_sec_standalone -t check/pcap/16.two_successive_SYN.pcap
This application receives meta-data, calling messages, from mmt-probe via internet or Unix sockets and then analyse them.
./mmt_sec_server -h
MMT-Security version 1.1.2 (14bade8 - Apr 24 2017 18:00:35)
./mmt_sec_server [<option>]
Option:
-p <number/string> : If p is a number, it indicates port number of internet domain socket otherwise it indicates name of unix domain socket. Default: 5000
-n <number> : Number of threads per process. Default = 1
-c <string> : Gives the range of logical cores to run on, e.g., "1,3-8,16"
-x <string> : Gives the range of rules id to be excluded from verification, e.g., "1,3-8,16"
-m <string> : Attributes special rules to special threads e.g., "(1:10-13)(2:50)(4:1007-1010)"
-f <string> : Output results to file, e.g., "/home/tata/:5" => output to folder /home/tata and each file contains reports during 5 seconds
-r <string> : Output results to redis, e.g., "localhost:6379"
-v : Verbose.
-l : Prints the available rules then exit.
-h : Prints this help.After modified code, you should run make check to validate the modifications.
Use make check VAL=1 to check memory leak using valgrind (thus valgrind need to be installed before).
These commands will do the followings:
-
run
mmt_sec_standaloneto check all properties inrulesagainst the pcap files incheck/pcap/ -
compare the alerts generated by each run with the expected ones in
check/expect/
The log of each run can be found in /tmp/