Hey folks.
How many of you are familiar with the Dalton project? If I had to describe it, its a testing harness for IDS platforms. Dalton creates a host of Docker containers for various versions of Suricata, Snort, and Zeek IDS platforms specified by the user through a docker-compose.yml file. Using the web interface, users can then submit pcaps and compare them against a standard ruleset (by default, uses the ETOPEN ruleset), or with custom rules via an input box that allows users to enter their own custom rules for testing.
This platform can be used to test out your new IDS rules, and/or confirm whether or not existing IDS rules trigger against specific threats. Additionally, the project includes a web interface and step-by-step wizard for flowsynth ā a tool that can be used to create your own packet captures. If youāve ever had a malware report, CVE report, or other data in which some network details are provided, but for one reason or another you couldnāt obtain a pcap, then this is the tool for you. You can use the data youāve obtained from the report to create your own packet capture that simulates the threat in question. From there, that packet capture can be fed back into dalton and used to create or test IDS signatures.
Its a great project, and I recommend it for anyone involved in the analysis of IDS alerts and/or administration of IDS sensors.
Over the past couple of days I made some improvements to dalton that are in the process of being merged or otherwise integrated into the project. Here is what I have been up to:
Update dalton agent docker containers to Ubuntu 24.04 (from 18.04)
There was an issue opened for this in the official github repo, so I decided to try it out myself and see what difficulties would come from updating the containerās operating system for Suricata, Snort, and Zeek.
It turns out for Suricata and Zeek, that the changes needed were very minimal. Just needed to update the python packages installed, change the FROM version in the dockerfile to 24.04 and everything worked effortlessly.
Snort on the other hand was an entirely different story.
I updated the existing snort Dockerfile (Dockerfile_snort
). Like Suricata (Dockerfile_suricata
) and zeek (Dockerfile_zeek
), I updated the FROM directive to 24.04, and changed the python packages being downloaded and use to run the dalton agent, but I also had to:
- Install
libtool
andlibtirpc-dev
apt-get packages - Needed to move the
libtirpc-dev
headers from/usr/include/libtirpc/*
to/usr/include
, and/usr/include/rpc
I couldnāt get the includedir option to work for pointing snort to the new location for the RPC headers, so I just moved them to where snort expected to find them - Needed to run
autoreconf -f -i
prior to running./configure && make && make install
for compiling the snort DAQ libraries
With all of these changes, I can compile any version of snort 2.9.16.x or newer. 2.9.15.x, and 2.9.11.x and older required another fix I had to add, that made me create a new Docker file, Dockerfile_snort_MD_CFLAGS_FIX
.
This new dockerfile implemented all of the changes I made to Dockerfile_snort
, but in addition to that, the ./configure
command for snort has the option CFLAGS="-fcommon"
appended to the end of that command. So the file command looks something like:
./configure --enable-sourcefire --enable-debug --enable-buffer-dump CFLAGS="-fcommon"
This is necessary to fix an issue in which the linker asserts that functions are being defined multiple times all over the code base. Iām not skilled in C programming, but I discovered that this CFLAG can address the problem.
For users who want to run Snort 2.9.15.x or 2.9.11.x or older versions of snort, this dockerfile with the changes Iāve made was necessary to compile snort without multiple definitions errors exploding across my console. I later tested many versions of snort I compiled with these changes, and in my experience, it has no effect on the ability to analyze pcaps or alert on malicious traffic as expected.
Notice how I didnāt mention snort versions 2.9.14.x through 2.9.12.x? Its because they required yet another fix, and their own custom Dockerfile to integrate that fix.
Dockerfile_snort_gettid_FIX
Cumulatively integrates all of the fixes in Dockerfile_snort_MD_CFLAGS_FIX
, and also fixes a problem related to attempting to call gettid() (get thread id) without having included syscall.h in code. The fix required the create of a custom util.h
file that replaces the one that ships with those versions of snort. This new util.h
just includes an IFDEF near the end of the file that includes the syscall.h header in order for snort to be able to use gettid().
After I made these changes, and reconfigured the included docker-compose.yml
to use the custom Dockerfiles I had to create for snort, I submitted a pull request here:
I also have a fork with these changes integrated, if you want to use Dalton with my changes, until secureworks either merges my pull, or figures out how theyāre going to proceed with updating their containers over here: GitHub - da667/dalton: Suricata and Snort IDS rule and pcap testing system.
You can download the code like you would for most git projects:
git clone https://github.com/da667/dalton
Add cyberchef integration
As it is Dalton is an incredibly useful platform for testing various IDS platforms, and making your own pcaps for testing. I also like to use cyberchef as a part of my workflow. If youāre not familiar with cyberchef, its considered the āCyber Swiss Army Knifeā. Users can input data and use a variety of recipes to transform, encrypt, decrypt, encode, and decode it as necessary. The applications for this, especially for creating custom pcaps are numerous.
It turns out the changes needed to this werenāt terribly invasive. It required three changes to implement:
dalton/nginx-conf/conf.d/dalton.conf
This is an nginx site config. All I needed to was add a location directive/cyberchef/
to the configuration file:
location /cyberchef/ {
resolver 127.0.0.11;
proxy_pass http://cyberchef_current/;
}
dalton/docker-compose.yml
All that was required here is that we had to append a directive to go download the official gchq cyberchef image and include it with the other docker containers that compose dalton:
###########################
## Cyberchef Integration ##
###########################
# Official cyberchef docker image, from github container repo (ghcr)
cyberchef:
image: ghcr.io/gchq/cyberchef:latest
container_name: cyberchef_current
hostname: cyberchef_current
restart: always
dalton/app/templates/dalton/layout.html
The last change we make here is just an additional<li>
element with a link to the new cyberchef instance:
{% if (request.url_rule|string).endswith("/queue") %}
<li class="active"><a href="/dalton/queue" id='jobs-toggle'><i class="icon-list"></i>Queue </a></li>
{% else %}
<li><a href="/dalton/queue" id='jobs-toggle'><i class="icon-list"></i>Queue </a></li>
{% endif %}
{% if (request.url_rule|string).endswith("/sensor") %}
<li class="active"><a href="/dalton/sensor" id='sensor-toggle'><i class="icon-hdd"></i>Sensors </a></li>
{% else %}
<li><a href="/dalton/sensor" id='sensor-toggle'><i class="icon-hdd"></i>Sensors </a></li>
{% endif %}
<li><a href="/flowsynth/" id='flowsynth-toggle'><i class="icon-wrench"></i>Flowsynth</a></li>
<li><a href="/cyberchef" id='cyberchef-toggle'><i class="icon-wrench"></i>Cyberchef</a></li>
{% if (request.url_rule|string).endswith("/about") %}
<li class="active"><a href="/dalton/about" id="about-toggle"><i class="icon-info-sign"></i>About</a></li>
{% else %}
<li><a href="/dalton/about" id="about-toggle"><i class="icon-info-sign"></i>About</a></li>
{% endif %}
</ul>
These changes enable us to have a clickable button on the navigation bar:
And when its clicked, instant access to the cyber chef instance:
I submitted an issue, and it looks like one of the maintainers re-made the ticket here.
If youāre interested in using this cyberchef integration in your lab, run the following command:
git clone --branch with-cyberchef-support https://github.com/da667/dalton
The branches and forks that Iāve made operate identically to the regular secureworks version of dalton. You just need to modify the docker-compose.yml to suit your needs for the versions of Snort, Suricata and Zeek you would like, then just run the ./start-dalton.sh
Good luck, and happy hunting.
-Tony R.