• A new internal architecture of the modules
• NVT Meta Information that is free of arbitrary size limits
• IPv6 support
• WMI clients support
• Supports upcoming optional extensions:
  • OpenVAS Manager for storing and organizing scans on a central server in a
    SQL database
  • OpenVAS Administrator for User-, Feed- and Settings-Management
  • Greenbone Security Assistent for a web-based Vulnerability Management

You can read more about it on the official OpenVAS website. Now, lets get to the good stuff. The instructions below should get you up and running with OpenVAS 3 on Ubuntu 9.10:

Prerequisites

First we need to install all of the dependent packages:

sudo apt-get install build-essential libgnutls-dev libpcap0.8-dev bison 
libglib2.0-dev libgpgme11-dev libssl-dev cmake

Getting the Files

Once those packages have installed we need to download the files required for OpenVAS. The links below may be outdated, make sure you obtain the latest version.

cd /tmp
wget http://wald.intevation.org/frs/download.php/706/openvas-libraries-3.0.3.tar.gz
wget http://wald.intevation.org/frs/download.php/696/openvas-scanner-3.0.1.tar.gz

Now that we have downloaded the required files we must compile and install the packages in the following order:

1. openvas-libraries
2. openvas-scanner

Install OpenVAS Libraries

Start by untarring the openvas-libraries and compiling/installing it:

tar -xvf openvas-libraries-3.0.3.tar.gz
cd openvas-libraries-3.0.3/
sudo ./configure
sudo make
sudo make install

If all goes well here then you should get a message saying that the openvas-libraries have been installed. If for some reason you get a message saying that gpgme is not installed, then try this:

sudo apt-get install libgpgme11-dev

Install OpenVAS Scanner

Next untar the openvas-scanner and compile/install it:

cd ..
tar -xvf openvas-scanner-3.0.1.tar.gz
cd openvas-scanner-3.0.1/
sudo ./configure
sudo make
sudo make install

The OpenVAS libraries, and scanner should now be installed. We now have to make sure that /usr/local/bin and /usr/local/sbin are in our PATH. We can do that by typing in:

echo ${PATH}

In the output from the above command you should see /usr/local/bin and /usr/local/sbin somewhere. If you don’t you will have to add those entries to the PATH environmental variable manually. If your PATH environmental variable is all good you can build the links to the new libraries:

sudo ldconfig

Generate a Certificate

We are now ready to generate a certificate for our OpenVAS Server, make sure to enter values relevant to your location.

sudo openvas-mkcert

Follow the onscreen prompts and enter the appropriate information when asked.

Create a User

Now we need to add a user:

sudo openvas-adduser

Enter a username and choose your authentication method (choose “pass” to authenticate with a password). Hit ctrl-d when you are prompted for rules if you don’t want any scanning restrictions.

Now everything that we need is setup for the OpenVAS scanner. The next step is to sync the server with the NVT feed. The NVT (Network Vulnerability Test) feed is a list of files that will be downloaded to your server. I would recommend that you run the openvas-nvt-sync on regular intervals to ensure that your NVT files are up to date.

sudo openvas-nvt-sync

Note: The first time you run this command it may take a while to download all the NVT’s. Grab a coffee and a sandwich, some water and a piece of fruit, some beer and some pretzels… or whatever it is you eat/drink.

Once it’s done its thing you can start up the OpenVAS server daemon:

sudo openvassd

Note: It might take a few minutes to load all the plug-ins. A great opportunity to get some exercise and burn off the beer and pretzels from earlier.

If all went according to plan, you now have a running version of OpenVAS server. The next step in the process is to setup a client to connect to the OpenVAS server. You may opt to do this on a different computer, but you can just as easily install it on the same computer.

Install the OpenVAS Client

First we need to install the dependent packages for the client:

sudo apt-get install libgtk2.0-dev htmldoc

Now we can proceed to install the client:

cd /tmp
wget http://wald.intevation.org/frs/download.php/685/openvas-client-3.0.0.tar.gz
tar -xvf openvas-client-3.0.0.tar.gz
cd openvas-client-3.0.0/
sudo ./configure
sudo make
sudo make install

If the above works for you, great! However if you’re running a 64 bit OS like me, you might get an error when you run “sudo make”. The error I received was:

/usr/bin/ld: cannot find -lcrypto
collect2: ld returned 1 exit status
make[1]: *** [OpenVAS-Client] Error 1
make[1]: Leaving directory `/tmp/openvas-client-3.0.0/openvas'
make: *** [client] Error 2

I ran the following command to see what the problem was:

laneolson@system:/tmp/openvas-client-3.0.0$ ldconfig -p | grep crypto
	libcrypto.so.0.9.8 (libc6,x86-64) => /lib/libcrypto.so.0.9.8
	libcrypto.so.0.9.8 (libc6,x86-64) => /usr/lib/libcrypto.so.0.9.8
	libcrypto.so.0.9.8 (libc6, hwcap: 0x0008000000008000) => /lib32/i686/cmov/libcrypto.so.0.9.8
	libcrypto.so.0.9.8 (libc6, hwcap: 0x0004000000000000) => /lib32/i586/libcrypto.so.0.9.8
	libcrypto.so.0.9.8 (libc6, hwcap: 0x0002000000000000) => /lib32/i486/libcrypto.so.0.9.8

Creating a link in /usr/lib/ solved the problem:

sudo ln -s /usr/lib/libcrypto.so.0.9.8 /usr/lib/libcrypto.so

If you had to make the symbolic link make sure you do the following afterwards to complete the setup:

sudo ldconfig
sudo make clean
sudo ./configure
sudo make
sudo make install

You should have a message saying that the Client was installed successfully. You can run the client with:

sudo OpenVAS-Client

The client can be installed on any computer that has access to the server. Once it is installed you just have to connect, setup a scan and you’re done! If you run into any hiccups along the way feel free to post in the comments and I will see if I can lend a hand.

How to change the password for the Web Console if you are locked out

For some reason after I upgraded from WFBS 5.1 to 6.0 I was unable to login to the Web Console with my old password. Accessing the web console is pretty essential to managing WFBS so I had to find a way to reset it. Fortunately I had a backup of the ofcserver.ini file which contains an encrypted version of the web console password. I was able to replace the encrypted password in the new ini file with the one from the old file. You can reset your password by:

1. Stop the Trend Mico Master Service
2. Open up the ofcserver.ini (C:\Program Files\Trend Micro\Security Server\PCCSRV\Private\ofcserver.ini)
3. Find the line that starts with “Master_Pwd” and replacing it with this:

   Master_Pwd=!CRYPT!523DD5B28918ED6D2ED4C7DFFE949A638AA4D1C8B1D25440F37606AD23C793453C0043B1B483A2EADE21439233C

4. Save the file then Start the Trend Micro Master Service
5. Login to the Trend Micro WFBS web console, your password will be “P@$$w0rd!”.
6. You should now be able to login to the web console and set your password to whatever you like.

Disable the password to unload or uninstall the Trend Micro Client/Server Security Agent

In addition to being locked out of the web console as mentioned above, I was also unable to unload or uninstall the Cient/Server Security agent from any of my machines. A quick registry fix solves this problem.

1. Go to Start > Run and type in “regedit”.
2. Search for the keys “Allow Uninstall” or “NoPwdProtect” located in HKEY_LOCAL_MACHINE/Software/TrendMicro/PC-cillinNTCorp/CurrentVersion/Misc.
3. Change these values from 0 to 1. You will then be able to unload the agent and uninstall the agent.

Cannot re-install client security agent

After having issues with one of my clients I decided to scrap it and start with a fresh install. Unfortunately uninstalling the agent from add/remove programs often isn’t enough. There are several fragments left behind and the Trend Micro agent will not let you re-install until those fragments are gone. The remedy for this is performing a manual uninstall of the Client/Security agent. In my case the Add/Remove uninstaller got most of the job done, but I still had to remove the registry keys before I was able to re-install the agent. I’m not going to outline all the steps here because they can already be found in the Trend Micro WFBS knowledgebase.

That concludes the fixes I’ve had to use in the past to deal with a flakey Trend Micro install. Hopefully they help you out!

ActiveUpdate was unable to connect to the network. Please verify that the network connection is functional<COMMA> and then try again.(28)

and

Your HTTP request has timed out.(26)

The Trend Micro knowledge base is less than helpful… Anyways, it’s a relatively easy fix for any one else having this issue. Heres how I fixed it.

1. Login to your WFBS server and go to the downloads folder in the PCCSRV folder (usually located at C:\Program Files\Trend Micro\PCCSRV\Download).
2. Find a file called server.ini and rename it to server.bak
3. Login to the WFBS web console and go to Updates > Manual
4. From the list of components to update choose Antivirus and hit Update Now
5. The WFBS server should now fetch the update files.
6. Once the updates have been fetched your clients should now update with the new patterns!

I’m not entirely sure what causes this to happen. I found that this solution worked for me after some trial and error. It may work for you, it may not!

• Splunk htaccess Authentication
• SSL Setup
• IPtables setup

I recommend viewing them for a more detailed explanation.

This guide assumes you have a fresh installation of Splunk but should work fine with an existing one. If you don’t have a Splunk installation yet, you can install it quite easily:

cd /opt
sudo wget 'http://www.splunk.com/index.php/download_track?file=3.4.10/linux/splunk-3.4.10-60883-Linux-i686.tgz&ac=&wget=true&name=wget&typed=releases'
sudo tar xvfz splunk-3.4.10-60883-Linux-i686.tgz
sudo splunk/bin/splunk start
sudo /opt/splunk/bin/splunk enable boot-start

Note: Make sure you obtain the latest release. The address in the above wget is probably not the most recent version.

You will also want to enable https on the Splunk installation. You can do this bygoing to http://127.0.0.1:8000/ and clicking the Admin link on the top right part of Splunk Web. Then in the Server: View Settings page under Splunk Web set Enable SSL (HTTPS) in Splunk Web? to Yes. Restart Splunk and you should now be able to access it with an https prefix.

For this guide you are also going to need apache2, openssl.

sudo apt-get install apache2 openssl

Once apache has installed you have to enable the required modules:

sudo a2enmod proxy
sudo a2enmod proxy_http
sudo a2enmod ssl

The proxy modules are required because we are going to be taking requests on port 80 and those requests will be forwarded to the Splunk web interface on port 8000.

Now I am not going to go into extreme detail about generating certificates as this could be a whole topic in itself. Check out Paul Bramscher’s page on generating self signed certificates if you want more details.

The first step is to go to your home directory and generate a server key:

cd ~
sudo openssl genrsa -des3 -out server.key 4096

Next create a certificate signing request with the server key. You will be asked a series of questions, answer them as you see fit:

sudo openssl req -new -key server.key -out server.csr

Now sign the certificate signing request. This one is valid for 1000 days, you may use whatever you like:

sudo openssl x509 -req -days 1000 -in server.csr -signkey server.key -out server.crt

Now make a version that does not require a password:

sudo openssl rsa -in server.key -out server.key.insecure
mv server.key server.key.secure
mv server.key.insecure server.key

Lastly copy the key and certificate that do not require a password to the designated apache folder:

sudo mkdir /etc/apache2/ssl
sudo cp server.key /etc/apache2/ssl
sudo cp server.crt /etc/apache2/ssl

That’s it for the certificates! Now we can start configuring apache. Create a configuration file for the ssl setup:

sudo vim /etc/apache2/sites-available/ssl

You will want to enter something similar to this:

<VirtualHost *:443>
        ServerAdmin webmaster@domain.com
        ServerAlias machine.domain.com
        ProxyPass / https://127.0.0.1:8000/
        ProxyPassReverse / https://127.0.0.1:8000/
        ErrorLog /var/log/apache2/error.log
        CustomLog /var/log/apache2/access.log combined
        SSLEngine On
        SSLCertificateFile /etc/apache2/ssl/server.crt
        SSLCertificateKeyFile /etc/apache2/ssl/server.key
        SSLProxyEngine on
</VirtualHost>
<Proxy https://127.0.0.1:8000/*>
        Order deny,allow
        Deny from all
        Allow from all
        AuthName "machine.domain.com"
        AuthType Basic
        AuthUserFile /var/www/.htpasswd
        Require valid-user
</Proxy>

The ServerAlias will be whatever your DNS name for your Splunk server is.

Now enable the site we just set up:

sudo a2ensite ssl

You should also make sure that Apache is listening on port 443. Do this:

sudo vim /etc/apache2/ports.conf

Add this (if it does not already exist):

<IfModule mod_ssl.c>
    Listen 443
</IfModule>

Now the last step is setting up your user account in the .htpasswd file. This can be done with the following:

sudo htpasswd -c /var/www/.htpasswd username

Where username is replaced with the username you wish to use. The -c flag creates the file, if you need to add multiple users do not use the -c flag after the first command or it will overwrite the file.

Now restart Apache:

sudo /etc/init.d/apache2 restart

If all goes well you should be able to type in the https://machine.domain.com/ and you will receive a password prompt. Enter the username/password you just created and you will be at Splunk Web!

Now, try typing in https://machine.domain.com:8000/ and see what happens. You will probably be directed to Splunk web without being prompted for a password. Uh oh… did you just do all this for nothing?! Nope! We can set up some ip table rules to prevent access to port 8000 to force users to use the proxy. I won’t go into depth on this but we first allow access to port 8000 from localhost with the following command:

sudo iptables -A INPUT -s 127.0.0.1 -p tcp --dport 8000 -j ACCEPT

Now we want to drop all other hosts from accessing port 8000:

sudo iptables -A INPUT -p tcp --dport 8000 -j DROP

Now any attempts to access https://machine.domain.com:8000/ will be blocked, but access attempts to the password protected interface on port 443 will still be allowed.

You can also modify the above rules to limit access to the interface by IP address. Just replace 127.0.0.1 with the IP address you wish to allow acces and change the dport to 443. Enter one of these commands for each IP address to allow. Then enter the second rule (with dport 443) once all the allowed hosts have been added.

Note: The iptables will not be reloaded when you reboot the Splunk machine. I recommend following this firewall guide in order to have a configurable iptables script that loads on startup

Prerequisites

First we need to install all of the dependent packages:

sudo apt-get install build-essential libgnutls-dev libpcap0.8-dev bison libgtk2.0-dev
libglib2.0-dev libgpgme11-dev libssl-dev htmldoc

Note: libgtk2.0-dev is only required for the OpenVAS client. htmldoc is only required if you plan on exporting reports to PDF from the OpenVAS client.

Getting the Files

Once those packages have installed we need to download the files required for OpenVAS. The links below may be outdated, make sure you obtain the latest version.

cd /tmp
wget http://wald.intevation.org/frs/download.php/572/openvas-libraries-2.0.2.tar.gz
wget http://wald.intevation.org/frs/download.php/561/openvas-libnasl-2.0.1.tar.gz
wget http://wald.intevation.org/frs/download.php/562/openvas-server-2.0.1.tar.gz
wget http://wald.intevation.org/frs/download.php/576/openvas-plugins-1.0.6.tar.gz
wget http://wald.intevation.org/frs/download.php/575/openvas-client-2.0.3.tar.gz

Now that we have downloaded the required files we must sompile and install the packages in the following order:

1. openvas-libraries
2. openvas-libnasl
3. openvas-server
4. openvas-plugins

Install OpenVAS Libraries

Start by untarring the openvas-libraries and compiling/installing it:

tar -xvf openvas-libraries-2.0.2.tar.gz
cd openvas-libraries-2.0.2/
sudo ./configure
sudo make
sudo make install

Install OpenVAS libnasl

Next untar the openvas-libnasl and compile/install it:

cd ..
tar -xvf openvas-libnasl-2.0.1.tar.gz
cd openvas-libnasl-2.0.1/
sudo ./configure
sudo make
sudo make install

Install OpenVAS Server

Next untar the openvas-server and compile/install it:

cd ..
tar -xvf openvas-server-2.0.1.tar.gz
cd openvas-server-2.0.1/
sudo ./configure
sudo make
sudo make install

The OpenVAS libraries, libnasl, and server packages should now be installed. We now have to make sure that /usr/local/bin and /usr/local/sbin are in our PATH. We can do that by typing in:

echo ${PATH}

In the output from the above command you should see /usr/local/bin and /usr/local/sbin somewhere. If you don’t you will have to add those entries to the PATH environmental variable manually.

Install OpenVAS Plugins

Our next step is to compile/install the plugins:

cd ..
tar -xvf openvas-plugins-1.0.6.tar.gz
cd openvas-plugins-1.0.6/
sudo ./configure
sudo make
sudo make install

Note: The plugins may take a while to make… be patient.

Now we have to setup the symbolic links:

sudo ldconfig

Generate a Certificate

We are now ready to generate a certificate for our OpenVAS Server, make sure to enter values relevant to your location.

sudo openvas-mkcert

Create a User

Now we need to add a user:

sudo openvas-adduser

Enter a username and choose your authentication method. Hit ctrl-d when you are prompted for rules if you dont want any scanning restrictions.

sudo openvas-nvt-sync

And at last… the moment of truth! Start up the OpenVAS server daemon:

sudo openvasd -D

Install the OpenVAS Client

Now that the server is setup you can setup the client to run the scans:

cd ..
tar -xvf openvas-client-2.0.3.tar.gz
cd openvas-client-2.0.3/
sudo ./configure
sudo make
sudo make install
sudo OpenVAS-Client

The client can be installed on any computer that has access to the server. Once it is installed you just have to connect, setup a scan and you’re done! Stay tuned for another blog post on configuring scans with the OpenVAS Client.