{"id":502,"date":"2016-11-24T16:06:19","date_gmt":"2016-11-24T16:06:19","guid":{"rendered":"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=502"},"modified":"2017-02-03T10:10:59","modified_gmt":"2017-02-03T10:10:59","slug":"starting-with-orchids","status":"publish","type":"page","link":"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=502","title":{"rendered":"Getting started with Orchids"},"content":{"rendered":"

Have you installed Orchids already?\u00a0 If not, go to the Download<\/a> page.<\/p>\n

\"capture-decran-2016-11-24-a-15-12-12\"<\/a><\/p>\n

Now that you have downloaded and installed Orchids, let us do some basic configuration.\u00a0 Our goal in this introductory demo will be to find an attack hidden inside a pretty big file.\u00a0 Orchids can also read events from various sources<\/a>, but we shall concentrate on reading from one file for now.<\/p>\n

You will need a text editor, and administrator rights.<\/p>\n

Fetch the log file<\/h3>\n

The text file that contains the attack is here<\/a>.\u00a0 This is a list of events once collected by the auditd Linux daemon, which we are going to analyze off-line.<\/p>\n

Click on the link above, and save the file.<\/p>\n

\"capture-decran-2016-11-24-a-16-02-43\"<\/a><\/p>\n

It should typically be saved in your ‘Downloads’ folder.\u00a0 Now uncompress it:<\/p>\n

\"capture-decran-2016-11-24-a-16-04-37\"<\/a><\/p>\n

\"capture-decran-2016-11-24-a-16-05-48\"<\/a><\/p>\n

Let us move this file to some canonical place, say \/var\/local\/semtex_attack_trace.log<\/code>.\u00a0 (If you don’t do that, it will be located in a folder that is under your account, and I have no way of knowing how it is going to be called.)<\/p>\n

\"capture-decran-2016-11-24-a-16-24-29\"<\/a><\/p>\n

Configure orchids-inputs<\/h3>\n

We shall now configure Orchids so that it reads events from that file.\u00a0 Open your favorite text editor (as an administrator) and load orchids-inputs.conf<\/code><\/a>.\u00a0 This will be located in \/usr\/local\/etc\/orchids\/orchids-inputs.conf<\/code> by default if you compile from the sources, in \/etc\/orchids\/orchids-inputs.conf<\/code> if you installed a package.<\/p>\n

Here is what I do:<\/p>\n

sudo gedit \/etc\/orchids\/orchids-inputs.conf<\/pre>\n
and what you should obtain:<\/p>\n
\"capture-decran-2016-11-24-a-16-14-41\"<\/a><\/p>\n
The format of this file is explained here<\/a>.\u00a0 (The format has changed slightly since the screen capture above, which was for stable version 2.0: in later versions, you\u00a0 need to put quotes around file names.)\u00a0 For now, let us comment all the lines starting with INPUT<\/code> or DISSECT<\/code>, and let us add the following two lines anywhere in the file (forget the quotes if you are using version 2.0):<\/p>\n
INPUT          textfile \"\/var\/local\/semtex_attack_trace.log\"\r\nDISSECT auditd textfile \"\/var\/local\/semtex_attack_trace.log\"<\/pre>\n
You should obtain something like the following (with quotes around the file name in versions after 2.0).<\/p>\n
\"capture-decran-2016-11-24-a-16-27-43\"<\/a><\/p>\n
Don’t forget to save!<\/p>\n
Launch Orchids<\/h3>\n
Launch Orchids with administrator rights.\u00a0 Don’t worry: Orchids will drop its rights to that of a restricted user called orchids<\/code> after initialization, and will therefore not keep its administrator rights for long.<\/p>\n
In a terminal, type:<\/p>\n
sudo orchids<\/pre>\n
Did it catch the attack?<\/p>\n
\"capture-decran-2016-11-24-a-16-31-07\"<\/a><\/p>\n
Orchids has also produced an IDMEF alert for it, in \/var\/orchids\/reports\/<\/code>:<\/p>\n
\"capture-decran-2016-11-24-a-17-00-46\"<\/a><\/p>\n
Congratulations!<\/h2>\n
You have detected your first attack with Orchids!<\/h2>\n
 <\/p>\n
Additional points<\/h3>\n
Orchids did not return when it finished parsing our log file… and that is normal: it will wait forever for new events that might be added at the end of the file (unless you set the ExitAfterProcessAll<\/code> flag to 1, see the textfile<\/a> module page) .\u00a0 To quit Orchids, typing ctrl-C or ctrl-Z is useless… Orchids is meant to resist such attempts.\u00a0 You will have to open a new terminal and send it signal 15 (preferred) or signal 9… with administrator rights if you launched Orchids as root.<\/p>\n
\"capture-decran-2016-11-24-a-16-40-29\"<\/a><\/h3>\n
Even so, Orchids will have saved its internal state in a file called orchids.sav<\/code> by default…<\/p>\n
\"capture-decran-2016-11-24-a-16-43-41\"<\/a><\/p>\n
so that you can relaunch it later, and it will resume its monitoring task where it left it.<\/p>\n
A useful trick<\/h4>\n
If you wish to play with Orchids over and over again, you may feel harassed by the need to kill Orchids from another terminal.\u00a0 You may also experience strange results, if you forgot that Orchids restores its state from the save file, and in particular remembers where it had left off reading files.<\/p>\n
You can avoid all that with the -R<\/code> option (do not Restore save file) and with the -S<\/code> option (do not install Signal handlers):<\/p>\n
orchids -RS<\/pre>\n
 <\/p>\n
Stage 2<\/h3>\n
We have played with Orchids on a toy example.\u00a0 The purpose of Orchids is to detect attacks, and it can do that in real-time.\u00a0 Play around with it!\u00a0 For example, install a vulnerable Linux system, launch and configure the auditd<\/code> daemon, and uncomment the final two lines of orchids-inputs.conf<\/code> so that Orchids reads the events sent by auditd<\/code>:<\/p>\n
INPUT\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0        textfile\u00a0\u00a0 \u00a0\"\/var\/run\/audispd_events\"\r\nDISSECT\u00a0\u00a0 \u00a0auditd\u00a0\u00a0 \u00a0textfile\u00a0\u00a0 \u00a0\"\/var\/run\/audispd_events\"<\/pre>\n
Hint: to configure auditd, type:<\/p>\n
\u00a0\u00a0\u00a0 ARCH=`arch`\r\n\u00a0\u00a0\u00a0 auditctl -D -k orchids\r\n\u00a0\u00a0\u00a0 $ORCHIDS_RUNTIME_USER=`id -u orchids`\r\n\u00a0\u00a0\u00a0 auditctl -a always,exit -F arch=$ARCH -F uid!=$ORCHIDS_RUNTIME_USER\u00a0 -S clone -S execve -S exit -S fork -S kill -S open -S setgid -S setregid -S setresgid -S setresuid -S setreuid -S setuid -S vfork -k orchids<\/pre>\n
This should launch auditd<\/code> in such a way that Orchids gets enough information about what is going on on the local machine.<\/p>\n
Stage 3<\/h3>\n
Orchids can also receive events from a remote source.\u00a0 Uncomment the following lines in orchids-inputs.conf<\/code> and try to have Orchids monitor events coming from a remote host!<\/p>\n
INPUT\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0             udp\u00a0\u00a0 \u00a0514\r\nDISSECT\u00a0\u00a0 \u00a0\u00a0\u00a0       \u00a0bintotext\u00a0\u00a0 \u00a0udp\u00a0\u00a0 \u00a0514\r\nDISSECT\u00a0\u00a0 \u00a0syslog\u00a0\u00a0 \u00a0bintotext\u00a0\u00a0 \u00a0514<\/pre>\n
 <\/p>\n","protected":false},"excerpt":{"rendered":"
Have you installed Orchids already?\u00a0 If not, go to the Download page. Now that you have downloaded and installed Orchids, let us do some basic configuration.\u00a0 Our goal in this introductory demo will be to find an attack hidden inside a pretty big file.\u00a0 Orchids can also read events from various sources, but we shall … Continue reading Getting started with Orchids<\/span> →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"class_list":["post-502","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/index.php?rest_route=\/wp\/v2\/pages\/502","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/index.php?rest_route=\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/index.php?rest_route=\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=502"}],"version-history":[{"count":11,"href":"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/index.php?rest_route=\/wp\/v2\/pages\/502\/revisions"}],"predecessor-version":[{"id":558,"href":"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/index.php?rest_route=\/wp\/v2\/pages\/502\/revisions\/558"}],"wp:attachment":[{"href":"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=502"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}