Dalton "Iron Chef" Edition

Hey folks.

How many of you are familiar with the Dalton project? If I had to describe it, it's a testing harness for IDS platforms. Dalton creates a host of Docker containers for various versions of Suricata, Snort, and Zeek IDS platforms specified by the user through a docker-compose.yml file. Using the web interface, users can then submit pcaps and compare them against a standard ruleset (by default, uses the ETOPEN ruleset), or with custom rules via an input box that allows users to enter their own custom rules for testing.

This platform can be used to test out your new IDS rules, and/or confirm whether or not existing IDS rules trigger against specific threats. Additionally, the project includes a web interface and step-by-step wizard for flowsynth – a tool that can be used to create your own packet captures. If you've ever had a malware report, CVE report, or other data in which some network details are provided, but for one reason or another you couldn't obtain a pcap, then this is the tool for you. You can use the data you've obtained from the report to create your own packet capture that simulates the threat in question. From there, that packet capture can be fed back into dalton and used to create or test IDS signatures.

It's a great project, and I recommend it for anyone involved in the analysis of IDS alerts and/or administration of IDS sensors.

Over the past couple of days I made some improvements to dalton that are in the process of being merged or otherwise integrated into the project. Here is what I have been up to:

Update dalton agent docker containers to Ubuntu 24.04 (from 18.04)

There was an issue opened for this in the official github repo, so I decided to try it out myself and see what difficulties would come from updating the container's operating system for Suricata, Snort, and Zeek.

It turns out that for Suricata and Zeek, the changes needed were very minimal. I just needed to update the python packages installed and change the FROM version in the dockerfile to 24.04, and everything worked effortlessly.

Snort on the other hand was an entirely different story.

I updated the existing snort Dockerfile (Dockerfile_snort). Like Suricata (Dockerfile_suricata) and zeek (Dockerfile_zeek), I updated the FROM directive to 24.04, and changed the python packages being downloaded and used to run the dalton agent, but I also had to:

  • Install libtool and libtirpc-dev apt-get packages
  • Needed to move the libtirpc-dev headers from /usr/include/libtirpc/* to /usr/include and /usr/include/rpc. I couldn't get the includedir option to work for pointing snort to the new location for the RPC headers, so I just moved them to where snort expected to find them
  • Needed to run autoreconf -f -i prior to running ./configure && make && make install for compiling the snort DAQ libraries

With all of these changes, I can compile any version of snort 2.9.16.x or newer. Versions 2.9.15.x, and 2.9.11.x and older, required another fix I had to add, which made me create a new Dockerfile, Dockerfile_snort_MD_CFLAGS_FIX.

This new dockerfile implements all of the changes I made to Dockerfile_snort, but in addition to that, the ./configure command for snort has the option CFLAGS="-fcommon" appended to the end of that command. So the configure command looks something like:

./configure --enable-sourcefire --enable-debug --enable-buffer-dump CFLAGS="-fcommon"

This is necessary to fix an issue in which the linker asserts that functions are being defined multiple times all over the code base. I'm not skilled in C programming, but I discovered that this CFLAG can address the problem.

For users who want to run Snort 2.9.15.x or 2.9.11.x or older versions of snort, this dockerfile with the changes I've made was necessary to compile snort without multiple definitions errors exploding across my console. I later tested many versions of snort I compiled with these changes, and in my experience, it has no effect on the ability to analyze pcaps or alert on malicious traffic as expected.

Notice how I didn't mention snort versions 2.9.14.x through 2.9.12.x? It's because they required yet another fix, and their own custom Dockerfile to integrate that fix.

Dockerfile_snort_gettid_FIX cumulatively integrates all of the fixes in Dockerfile_snort_MD_CFLAGS_FIX, and also fixes a problem related to attempting to call gettid() (get thread id) without having included syscall.h in the code. The fix required the creation of a custom util.h file that replaces the one that ships with those versions of snort. This new util.h just includes an #ifdef near the end of the file that includes the syscall.h header in order for snort to be able to use gettid().
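To show what that missing include actually provides, here is an added example (my own code, not the author's util.h replacement and not Snort source): sys/syscall.h is where SYS_gettid comes from, and a guarded shim built on it returns a per-thread id that equals the pid only for the main thread. The names shim_gettid, worker, main_tid_is_pid and worker_tid_is_distinct are assumptions of this example, not identifiers from Snort.

```c
/* Added example: a gettid() shim guarded the way a util.h fix can be, not Snort's own util.h. */
#define _GNU_SOURCE
#include <pthread.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#ifdef __linux__
#include <sys/syscall.h>   /* defines SYS_gettid; without it, syscall(SYS_gettid) does not compile */
#endif

/* Kernel thread id of the calling thread. Named shim_gettid so it does not clash with the
 * gettid() wrapper that newer glibc (as shipped on Ubuntu 24.04) already declares in unistd.h. */
static pid_t shim_gettid(void)
{
#if defined(__linux__) && defined(SYS_gettid)
    return (pid_t)syscall(SYS_gettid);
#else
    return getpid();   /* non-Linux fallback: no per-thread id via this route */
#endif
}

/* Thread body: records the worker's thread id through the shim. */
static void *worker(void *arg)
{
    *(pid_t *)arg = shim_gettid();
    return NULL;
}

/* 1 if the main thread's tid equals the pid (always true on Linux), else 0. */
int main_tid_is_pid(void)
{
    return shim_gettid() == getpid();
}

/* 1 if a spawned thread reports a tid different from the pid (Linux), 0 on failure.
 * On non-Linux the fallback returns getpid() for every thread, so 1 means the fallback ran. */
int worker_tid_is_distinct(void)
{
    pthread_t t;
    pid_t worker_tid = 0;
    if (pthread_create(&t, NULL, worker, &worker_tid) != 0)
        return 0;
    pthread_join(t, NULL);
#ifdef __linux__
    return worker_tid != 0 && worker_tid != getpid();
#else
    return worker_tid == getpid();
#endif
}

int main(void)
{
    printf("pid=%ld main tid=%ld worker tid distinct: %s\n", (long)getpid(),
           (long)shim_gettid(), worker_tid_is_distinct() ? "yes" : "no");
    return 0;
}
```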

After I made these changes, and reconfigured the included docker-compose.yml to use the custom Dockerfiles I had to create for snort, I submitted a pull request here:

I also have a fork with these changes integrated over here, if you want to use Dalton with my changes until secureworks either merges my pull or figures out how they're going to proceed with updating their containers: GitHub - da667/dalton: Suricata and Snort IDS rule and pcap testing system.

You can download the code like you would for most git projects:

git clone https://github.com/da667/dalton

Add cyberchef integration

As it is, Dalton is an incredibly useful platform for testing various IDS platforms, and making your own pcaps for testing. I also like to use cyberchef as a part of my workflow. If you're not familiar with cyberchef, it's considered the "Cyber Swiss Army Knife". Users can input data and use a variety of recipes to transform, encrypt, decrypt, encode, and decode it as necessary. The applications for this, especially for creating custom pcaps, are numerous.

It turns out the changes needed for this weren't terribly invasive. It required three changes to implement:

  • dalton/nginx-conf/conf.d/dalton.conf
    This is an nginx site config. All I needed to do was add a location directive /cyberchef/ to the configuration file:
    location /cyberchef/ {
        resolver 127.0.0.11;
        proxy_pass http://cyberchef_current/;
    }
  • dalton/docker-compose.yml
    All that was required here was to append a directive to go download the official gchq cyberchef image and include it with the other docker containers that compose dalton:
###########################
## Cyberchef Integration ##
###########################

# Official cyberchef docker image, from github container repo (ghcr)
  cyberchef:
    image: ghcr.io/gchq/cyberchef:latest
    container_name: cyberchef_current
    hostname: cyberchef_current
    restart: always
  • dalton/app/templates/dalton/layout.html
    The last change we make here is just an additional <li> element with a link to the new cyberchef instance:
                {% if (request.url_rule|string).endswith("/queue") %}
                    <li class="active"><a href="/dalton/queue" id='jobs-toggle'><i class="icon-list"></i>Queue&nbsp;</a></li>
                {% else %}
                    <li><a href="/dalton/queue" id='jobs-toggle'><i class="icon-list"></i>Queue&nbsp;</a></li>
                {% endif %}
                {% if (request.url_rule|string).endswith("/sensor") %}
                    <li class="active"><a href="/dalton/sensor" id='sensor-toggle'><i class="icon-hdd"></i>Sensors&nbsp;</a></li>
                {% else %}
                    <li><a href="/dalton/sensor" id='sensor-toggle'><i class="icon-hdd"></i>Sensors&nbsp;</a></li>
                {% endif %}
                <li><a href="/flowsynth/" id='flowsynth-toggle'><i class="icon-wrench"></i>Flowsynth</a></li>
                <li><a href="/cyberchef" id='cyberchef-toggle'><i class="icon-wrench"></i>Cyberchef</a></li>
                {% if (request.url_rule|string).endswith("/about") %}
                    <li class="active"><a href="/dalton/about" id="about-toggle"><i class="icon-info-sign"></i>About</a></li>
                {% else %}
                    <li><a href="/dalton/about" id="about-toggle"><i class="icon-info-sign"></i>About</a></li>
                {% endif %}
                </ul>

These changes enable us to have a clickable button on the navigation bar:


And when it's clicked, instant access to the cyber chef instance:

I submitted an issue, and it looks like one of the maintainers re-made the ticket here.

If you're interested in using this cyberchef integration in your lab, run the following command:

git clone --branch with-cyberchef-support https://github.com/da667/dalton

The branches and forks that I've made operate identically to the regular secureworks version of dalton. You just need to modify the docker-compose.yml to suit your needs for the versions of Snort, Suricata and Zeek you would like, then just run ./start-dalton.sh.

Good luck, and happy hunting.

-Tony R.


Hey everyone, I wanted to provide a brief update on the progress of some of these changes.

The official Dalton repo has undergone NUMEROUS changes since I had been tinkering with the codebase. What's probably the most noticeable update is switching over to pre-compiled Zeek IDS containers. What used to take an eternity to compile (at least with four cores…) is now much faster for acquiring Zeek IDS. As always, check out GitHub - secureworks/dalton: Suricata, Snort and Zeek IDS rule and pcap testing system for more info on other changes that have been merged in, and issues that have been resolved. A lot of software dependencies have been updated.

With all of these changes, and my inexperience with git, I was advised to resubmit my changes against their newly updated project, and submit the individual changes that I want to contribute to dalton as separate branches, from a fork, with separate pull requests. So, here is the result of that:

As of right now, neither of these PRs include the changes I found necessary to compile versions of snort 2.9.15.x and older. But, for those who want it all:

  • The updated secureworks release
  • Ubuntu 24.04 containers for Snort and Suricata
  • The necessary fixes to run older versions of Snort
  • Cyberchef integration

I created yet another fork here: GitHub - da667/dalton at 2404-containers-all-snort-versions-cyberchef

and if you want to use this branch for setting up dalton on your workstation or lab environment, use the following git cli client command:

git clone --branch 2404-containers-all-snort-versions-cyberchef https://github.com/da667/dalton

As always, I'll keep you updated as things change.

-Tony