Have you installed Orchids already? If not, go to the Download page.
Now that you have downloaded and installed Orchids, let us do some basic configuration. Our goal in this introductory demo will be to find an attack hidden inside a pretty big file. Orchids can also read events from various sources, but we shall concentrate on reading from one file for now.
You will need a text editor, and administrator rights.
Fetch the log file
The text file that contains the attack is here. This is a list of events once collected by the auditd Linux daemon, which we are going to analyze off-line.
Click on the link above, and save the file.
It should typically be saved in your ‘Downloads’ folder. Now uncompress it:
Let us move this file to some canonical place, say /var/local/semtex_attack_trace.log. (If you don't do that, it will be located in a folder under your account, and I have no way of knowing what it will be called.)
We shall now configure Orchids so that it reads events from that file. Open your favorite text editor (as an administrator) and load orchids-inputs.conf. This is located in /usr/local/etc/orchids/orchids-inputs.conf by default if you compiled from the sources, and in /etc/orchids/orchids-inputs.conf if you installed a package.
Here is what I do:
sudo gedit /etc/orchids/orchids-inputs.conf
and what you should obtain:
The format of this file is explained here. (The format has changed slightly since the screen capture above, which was for stable version 2.0: in later versions, you need to put quotes around file names.) For now, comment out all the lines starting with DISSECT, and add the following two lines anywhere in the file (omit the quotes if you are using version 2.0):
INPUT textfile "/var/local/semtex_attack_trace.log"
DISSECT auditd textfile "/var/local/semtex_attack_trace.log"
You should obtain something like the following (with quotes around the file name in versions after 2.0).
Don’t forget to save!
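The edit described above, scripted, as an added example that is not part of this page or of Orchids itself: it assumes the post-2.0 syntax (quoted file names) and a config path writable by the caller, and the helper names make_sample_conf, configure_orchids_inputs and active_dissectors are mine, not Orchids'.

```shell
#!/bin/sh
# Added example, not part of the Orchids page or of Orchids itself. Scripts the
# config edit from this page: comment out every DISSECT line, then append an
# INPUT/DISSECT pair for the downloaded auditd trace. Assumes the post-2.0
# syntax (quoted file names) and a config path writable by the caller.

# make_sample_conf PATH: writes a constructed stand-in for the default
# orchids-inputs.conf (modelled on the audispd lines quoted on this page).
make_sample_conf() {
    printf '%s\n' \
        '# constructed sample, not the real default file' \
        'INPUT textfile "/var/run/audispd_events"' \
        'DISSECT auditd textfile "/var/run/audispd_events"' > "$1"
}

# configure_orchids_inputs CONF LOGFILE
#   Returns 1 if CONF is missing, 2 if LOGFILE is already configured
#   (running the edit twice would make Orchids read the trace twice).
configure_orchids_inputs() {
    conf="$1"
    logfile="$2"
    [ -f "$conf" ] || { echo "no such config: $conf" >&2; return 1; }
    if grep -qF "textfile \"$logfile\"" "$conf"; then
        echo "$logfile is already configured in $conf" >&2
        return 2
    fi
    cp "$conf" "$conf.bak"                      # keep the original around
    # Comment out existing dissectors so only the trace is dissected.
    sed 's/^DISSECT/#DISSECT/' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    printf 'INPUT textfile "%s"\nDISSECT auditd textfile "%s"\n' \
        "$logfile" "$logfile" >> "$conf"
}

# active_dissectors CONF: prints the number of uncommented DISSECT lines,
# a quick check that only the intended dissector is left enabled.
active_dissectors() {
    grep -c '^DISSECT' "$1" || true
}

# Usage on a constructed sample (the real file lives under /etc/orchids or
# /usr/local/etc/orchids and must be edited as an administrator):
#   make_sample_conf /tmp/orchids-inputs.conf
#   configure_orchids_inputs /tmp/orchids-inputs.conf /var/local/semtex_attack_trace.log
```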
Launch Orchids with administrator rights. Don't worry: Orchids drops its rights to those of a restricted user called orchids after initialization, so it does not keep its administrator rights for long.
In a terminal, type:
Did it catch the attack?
Orchids has also produced an IDMEF alert for it, in
You have detected your first attack with Orchids!
Orchids did not return when it finished parsing our log file… and that is normal: it will wait forever for new events that might be appended to the end of the file (unless you set the ExitAfterProcessAll flag to 1, see the textfile module page). To quit Orchids, typing ctrl-C or ctrl-Z is useless… Orchids is meant to resist such attempts. You will have to open a new terminal and send it signal 15 (SIGTERM, preferred) or signal 9 (SIGKILL)… with administrator rights if you launched Orchids as root.
Even so, Orchids will have saved its internal state in a file called orchids.sav by default… so that you can relaunch it later, and it will resume its monitoring task where it left off.
A useful trick
If you wish to play with Orchids over and over again, you may find it tiresome to have to kill Orchids from another terminal. You may also get strange results if you forget that Orchids restores its state from the save file, and in particular remembers where it had left off reading files.
You can avoid all that with the -R option (do not Restore the save file) and the -S option (do not install Signal handlers):
We have played with Orchids on a toy example. The purpose of Orchids is to detect attacks, and it can do that in real time. Play around with it! For example, install a vulnerable Linux system, launch and configure the auditd daemon, and uncomment the final two lines of orchids-inputs.conf so that Orchids reads the events sent by
INPUT textfile "/var/run/audispd_events"
DISSECT auditd textfile "/var/run/audispd_events"
Hint: to configure auditd, type:
ARCH=`arch`
auditctl -D -k orchids
ORCHIDS_RUNTIME_USER=`id -u orchids`
auditctl -a always,exit -F arch=$ARCH -F uid!=$ORCHIDS_RUNTIME_USER -S clone -S execve -S exit -S fork -S kill -S open -S setgid -S setregid -S setresgid -S setresuid -S setreuid -S setuid -S vfork -k orchids
This should launch auditd in such a way that Orchids gets enough information about what is going on on the local machine.
Orchids can also receive events from a remote source. Uncomment the following lines in orchids-inputs.conf and try to have Orchids monitor events coming from a remote host!
INPUT udp 514
DISSECT bintotext udp 514
DISSECT syslog bintotext 514