Getting started with Orchids

Have you installed Orchids already?  If not, go to the Download page.


Now that you have downloaded and installed Orchids, let us do some basic configuration.  Our goal in this introductory demo will be to find an attack hidden inside a pretty big file.  Orchids can also read events from various sources, but we shall concentrate on reading from one file for now.

You will need a text editor, and administrator rights.

Fetch the log file

The text file that contains the attack is here.  It is a trace of events collected earlier by the Linux auditd daemon, which we are going to analyze offline.

Click on the link above, and save the file.


It should typically be saved in your ‘Downloads’ folder.  Now uncompress it.


Let us move this file to some canonical place, say /var/local/semtex_attack_trace.log.  (If you don’t do that, it will be located in a folder that is under your account, and I have no way of knowing how it is going to be called.)


Configure orchids-inputs

We shall now configure Orchids so that it reads events from that file.  Open your favorite text editor (as an administrator) and load orchids-inputs.conf.  By default it is located at /usr/local/etc/orchids/orchids-inputs.conf if you compiled from source, and at /etc/orchids/orchids-inputs.conf if you installed a package.

Here is what I do:

sudo gedit /etc/orchids/orchids-inputs.conf

and what you should obtain:

[Screenshot: the orchids-inputs.conf file shipped with stable version 2.0]

The format of this file is explained here.  (The format has changed slightly since the screen capture above, which was taken with stable version 2.0: in later versions, file names must be enclosed in quotes.)  For now, comment out every line starting with INPUT or DISSECT, and add the following two lines anywhere in the file (drop the quotes if you are using version 2.0):

INPUT          textfile "/var/local/semtex_attack_trace.log"
DISSECT auditd textfile "/var/local/semtex_attack_trace.log"

Your file should now have all of its original INPUT and DISSECT lines commented out, and only these two lines active (with quotes around the file name in versions after 2.0).


Don’t forget to save!

Launch Orchids

Launch Orchids with administrator rights.  Don’t worry: after initialization Orchids drops its rights to those of a restricted user called orchids, so it does not keep its administrator rights for long.

In a terminal, type:

sudo orchids
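The steps above (install the trace, rewrite orchids-inputs.conf, launch, and later stop Orchids) can be scripted so that they are easy to repeat.  The following is an added example, not code from the Orchids distribution or its documentation.  It assumes the packaged layout (/etc/orchids/orchids-inputs.conf), an Orchids version after 2.0 (quoted file names), that the orchids binary is on the PATH, and that pgrep is available; the sample configuration in demo is constructed here, not the shipped file.

```shell
#!/bin/sh
# Added example (not part of Orchids): script the "getting started" steps.
# Assumptions: /etc/orchids layout, Orchids > 2.0 (quoted file names),
# "orchids" on the PATH, pgrep available.

set -eu

# Comment out every active INPUT/DISSECT line in the config file $1 and append
# the two lines that read the trace $2 through the textfile module and the
# auditd dissector.  A backup of the original file is kept as $1.orig.
configure_single_file() {
    conf=$1
    trace=$2
    tmp=$(mktemp)
    cp "$conf" "$conf.orig"
    # '&' in the replacement is the matched text, so "INPUT ..." becomes
    # "#INPUT ..."; lines that already start with '#' are left alone.
    sed -e 's/^[[:space:]]*INPUT[[:space:]]/#&/' \
        -e 's/^[[:space:]]*DISSECT[[:space:]]/#&/' "$conf" > "$tmp"
    printf 'INPUT          textfile "%s"\nDISSECT auditd textfile "%s"\n' \
        "$trace" "$trace" >> "$tmp"
    # write back in place so the file keeps its original owner and mode
    cat "$tmp" > "$conf"
    rm -f "$tmp"
}

# Number of uncommented INPUT/DISSECT lines in $1 (what Orchids will use).
active_inputs() {
    grep -Ec '^[[:space:]]*(INPUT|DISSECT)[[:space:]]' "$1" || true
}

# Copy the downloaded, uncompressed trace to the canonical location used above.
install_trace() {
    sudo cp "$1" /var/local/semtex_attack_trace.log
    sudo chmod 0644 /var/local/semtex_attack_trace.log
}

# Orchids must start as root; it drops to the "orchids" user afterwards.
start_orchids() {
    sudo orchids
}

# Orchids installs signal handlers, so ctrl-C does nothing; stop it from
# another terminal with signal 15 (SIGTERM), as described under Additional points.
stop_orchids() {
    sudo kill -s TERM "$(pgrep -x orchids)"
}

# Dry run on a constructed copy of a config file, so nothing under /etc is touched.
demo() {
    work=$(mktemp -d)
    cat > "$work/orchids-inputs.conf" <<'EOF'
# constructed sample, shaped like the shipped orchids-inputs.conf
INPUT                textfile    "/var/run/audispd_events"
DISSECT    auditd    textfile    "/var/run/audispd_events"
INPUT                udp         514
EOF
    configure_single_file "$work/orchids-inputs.conf" /var/local/semtex_attack_trace.log
    echo "active INPUT/DISSECT lines after rewrite: $(active_inputs "$work/orchids-inputs.conf")"
    cat "$work/orchids-inputs.conf"
    rm -rf "$work"
}

demo
```

To use it for real, source the file and run `install_trace ~/Downloads/semtex_attack_trace.log`, `sudo sh -c '. ./orchids-setup.sh; configure_single_file /etc/orchids/orchids-inputs.conf /var/local/semtex_attack_trace.log'`, then `start_orchids`; the .orig backup lets you restore the shipped configuration for Stage 2 and Stage 3.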

Did it catch the attack?

[Screenshot: Orchids reporting the attack found in the trace]

Orchids has also produced an IDMEF alert for it, in /var/orchids/reports/:

[Screenshot: the IDMEF alert file written to /var/orchids/reports/]

Congratulations!

You have detected your first attack with Orchids!


Additional points

Orchids did not return when it finished parsing our log file, and that is normal: it waits forever for new events that might be appended to the end of the file (unless you set the ExitAfterProcessAll flag to 1, see the textfile module page).  To quit Orchids, typing ctrl-C or ctrl-Z is useless: Orchids installs signal handlers precisely so that it resists such attempts.  You will have to open a new terminal and send it signal 15 (preferred) or signal 9, with administrator rights if you launched Orchids as root.


Even so, Orchids will have saved its internal state in a file called orchids.sav by default, so that you can relaunch it later and it will resume its monitoring task where it left off.

A useful trick

If you wish to play with Orchids over and over again, you may get annoyed at having to kill Orchids from another terminal.  You may also get strange results if you forget that Orchids restores its state from the save file, and in particular remembers where it had left off reading files.

You can avoid all that with the -R option (do not Restore the save file) and the -S option (do not install Signal handlers, so that ctrl-C works again):

orchids -RS


Stage 2

We have played with Orchids on a toy example.  The purpose of Orchids is to detect attacks, and it can do that in real-time.  Play around with it!  For example, install a vulnerable Linux system, launch and configure the auditd daemon, and uncomment the final two lines of orchids-inputs.conf so that Orchids reads the events sent by auditd:

INPUT                textfile    "/var/run/audispd_events"
DISSECT    auditd    textfile    "/var/run/audispd_events"

Hint: to configure auditd, type:

    # Run as root.  Orchids drops privileges to the "orchids" user, whose own
    # activity is excluded (uid!=) so that Orchids does not audit itself.
    ARCH=$(arch)
    ORCHIDS_RUNTIME_USER=$(id -u orchids)
    # Delete any earlier rules tagged with the key "orchids", then add ours.
    auditctl -D -k orchids
    auditctl -a always,exit -F arch=$ARCH -F uid!=$ORCHIDS_RUNTIME_USER -S clone -S execve -S exit -S fork -S kill -S open -S setgid -S setregid -S setresgid -S setresuid -S setreuid -S setuid -S vfork -k orchids

This does not launch auditd itself: it installs audit rules (tagged with the key orchids) so that auditd records enough about what is going on on the local machine for Orchids to work with.  Two caveats: on a 64-bit system the rule above only sees 64-bit system calls, so add a second rule with -F arch=b32 if 32-bit binaries matter to you; and on current glibc the open() library call is implemented with the openat system call, so add -S openat if you want file opens to be reported.  Check the installed rules with auditctl -l.

Stage 3

Orchids can also receive events from a remote source.  Uncomment the following lines in orchids-inputs.conf and try to have Orchids monitor events coming from a remote host!  Keep in mind that syslog over UDP is neither authenticated nor encrypted, so anyone who can reach port 514 can inject or spoof events; restrict access to it with your firewall.

INPUT                             udp    514
DISSECT              bintotext    udp    514
DISSECT    syslog    bintotext    514