xplico login issue


Gabriel Bassett

Feb 4, 2012, 9:05:14 AM
to securit...@googlegroups.com

For some reason, when I log in to xplico remotely using a valid login and password, it simply kicks me back to the login screen.  (This is different from an incorrect login which displays the “incorrect login” banner.)

For the purpose of complicating this issue, I normally access xplico through an apache proxy

Me<-https://xplico.remote.org->apache<-https://host.local:9876->xplico

(two different ssl self-signed keys)

If I connect directly, I get a blank page

Me<-https://host.local:9876->xplico

And if I connect locally from the desktop of the security onion host, I log in normally.

https://localhost:9876

Does anyone have any ideas?  I proxy a couple other things (squert, snorby, splunk) through the apache server to the same security onion host.  This is the only one that doesn’t seem to work.

(And to answer why I’m proxying it, I want to check it externally from locations that allow nothing in except port 80 and 443 and my IP is already used up with the said apache server.)

Thanks for the ideas.

Gabe


Doug Burks

Feb 4, 2012, 2:39:17 PM
to securit...@googlegroups.com
Hi Gabe,

Proxying through apache is beyond the scope of Security Onion and this mailing list.

When attempting to access Xplico from the LAN (without the proxy), are you connecting to Apache or are you being blocked by the firewall?  What is the output of the following?
sudo ufw status

Thanks,
Doug
--
Doug Burks
SANS GSE and Community Instructor
Security Onion | http://securityonion.blogspot.com
President, Greater Augusta ISSA | http://augusta.issa.org

gabe

Feb 5, 2012, 10:56:59 AM
to security-onion
Thanks for the reply Doug. See below. 80, 443, and 9876 are all in
there. (Some of the other entries are SNMP, syslog, and netflow for
splunk.) Does xplico maintain any kind of source-based access control
(like a whitelist of IPs or such) that could be getting in the way?

--Gabe


Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
8000/tcp                   ALLOW       Anywhere
7734/tcp                   ALLOW       Anywhere
7736/tcp                   ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
3000/tcp                   ALLOW       Anywhere
9000/tcp                   ALLOW       Anywhere
5900/tcp                   ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
9876/tcp                   ALLOW       Anywhere
162                        ALLOW       Anywhere
514                        ALLOW       Anywhere
9995                       ALLOW       Anywhere

Doug Burks

Feb 5, 2012, 5:38:56 PM
to securit...@googlegroups.com
Hi Gabe,

It's been a while since I looked at Xplico (and I don't have a computer in front of me right now), but I don't remember any access controls.

This is a long shot, but you haven't enabled OSSEC Active Response, have you?

Have you looked at the Apache and system logs to see if there are any clues there?

Thanks,
Doug

Liam Randall

Feb 7, 2012, 11:37:54 PM
to securit...@googlegroups.com
Hey Gabe,

Have you tried just tunneling xplico through your ssh client?

If you're using PuTTY, for example, set up your connection on the main page and under:
Connection --> SSH --> Tunnels
Source port: 9876
Destination: localhost:9876
Click Add

If you're on a remote linux host you can do something like:

ssh -L 9876:localhost:9876 -p PORTNUMBER username@REMOTEHOST   # login name as user@host (or -l username); ssh has no -u option

Make the connection, log in, and make sure you've got xplico running:
/etc/init.d/xplico status
-- if not start it: /etc/init.d/xplico start

Open up your browser, then hit xplico here:

Alternatively, you could also run Firefox on the remote Security Onion host via X11, although this may be a little pokey on a low latency connection; in PuTTY just check the "Enable X11 forwarding" box under Connection --> SSH --> X11.

Depending on how you are loading up your pcaps for analysis, though, you probably want to keep them local, assuming the SO box is the source.

Liam

gabe

Feb 8, 2012, 9:36:27 AM
to security-onion
I looked before but didn't see anything. However, it would be prudent
for me to look again. Log review is not my forte.

I haven't enabled OSSEC active response.

gabe

Feb 8, 2012, 9:37:30 AM
to security-onion
Not an option, unfortunately. I don't get to tunnel SSL out of where I
want to access it, and I also don't tunnel SSL in to my home network on
principle. (I use a VPN to join the local LAN.)

Liam Randall

Feb 8, 2012, 9:43:49 AM
to securit...@googlegroups.com
I also VPN into the network; this is a good thing.

You can still tunnel the ports over your ssh session; your local ssh client is what is handling the tunneling, it will only work while the connection is active.

So you would log onto VPN to corp. network.
Open SSH tunnel to SO Server.
Hit xplico for analysis.

Thanks,

Liam

Gianluca Costa

May 6, 2012, 9:39:55 AM
to securit...@googlegroups.com
Hi,
Xplico has an HTTP proxy embedded in its PHP code; this proxy is used to show the web pages, emulating, for example, the original cache of the user.
By default the XI URL must be an IP address (wiki: http://wiki.xplico.org/doku.php?id=interface#browser ); the only exception to this rule is the URL http://demo.xplico.org (for obvious reasons).
If you use a name (not an IP) as the URL, then XI gives you a blank page, because XI searches for your URL in the decoded data.

To change this behavior you must modify the PHP code:
- file /opt/xplico/xi/cake/dispatcher.php
- replace demo.xplico.org with your host name (used in the url)

Ciao.
Gianluca
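
The host check Gianluca describes, modelled in Python as an added illustration for this thread (this is not Xplico's own code, and the real test lives in PHP in /opt/xplico/xi/cake/dispatcher.php). It assumes the decision is made on the request's Host value with an optional :port suffix, and that loopback names are accepted alongside IP literals, since Gabe reports https://localhost:9876 logging in normally. It runs the three URLs from the thread plus a constructed direct-by-IP URL through the rule, then shows the effect of the fix (replacing demo.xplico.org with your own host name):

```python
"""Model of the XI host check: the interface is served only when the Host is
an IP literal or a whitelisted name; any other name is handed to Xplico's
embedded HTTP proxy, which looks the URL up in the decoded capture data and
returns a blank page on a miss.

Added example for this thread; not Xplico code. Assumptions: the check is on
the Host value (port ignored) and loopback names are accepted.
"""
import ipaddress
from urllib.parse import urlsplit

# Names served directly besides IP literals. demo.xplico.org is the exception
# named in the thread; "localhost" is an assumption based on Gabe's report that
# https://localhost:9876 works.
DEFAULT_ALLOWED_NAMES = frozenset({"demo.xplico.org", "localhost"})


def host_of(url):
    """Return the host part of a URL without the port, lower-cased."""
    parts = urlsplit(url)
    if parts.hostname is None:
        raise ValueError("no host in %r" % url)
    return parts.hostname.lower()


def is_ip_literal(host):
    """True for IPv4 or IPv6 literals (urlsplit strips the [] of IPv6)."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def xi_route(url, allowed_names=DEFAULT_ALLOWED_NAMES):
    """Decide how XI treats a request for URL under the modelled rule.

    Returns "interface" when XI serves its own pages, or "decoded-data proxy"
    when the name goes to the embedded proxy (blank page if nothing decoded
    matches it).
    """
    host = host_of(url)
    if is_ip_literal(host) or host in allowed_names:
        return "interface"
    return "decoded-data proxy"


def patched_allowed_names(new_host, allowed_names=DEFAULT_ALLOWED_NAMES):
    """Whitelist after the fix from the thread: demo.xplico.org is replaced
    (not added to) by your own host name, so exactly one external name works."""
    return (frozenset(allowed_names) - {"demo.xplico.org"}) | {new_host.lower()}


if __name__ == "__main__":
    # Gabe's three URLs plus a constructed direct-by-IP URL (RFC 5737 address).
    for u in ("https://localhost:9876", "https://host.local:9876",
              "https://xplico.remote.org", "https://192.0.2.10:9876"):
        print(u, "->", xi_route(u))
    fixed = patched_allowed_names("xplico.remote.org")
    print("after patch:", xi_route("https://xplico.remote.org", fixed))
```

Both names in the thread, host.local (direct) and xplico.remote.org (through Apache), fall into the proxy branch under this rule, which matches the blank page Gabe saw on the direct connection. Which of the two names actually reaches Xplico through the Apache proxy depends on mod_proxy's ProxyPreserveHost setting, so whichever one you use in the browser is the one to put into dispatcher.php.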

Doug Burks

May 6, 2012, 1:33:40 PM
to securit...@googlegroups.com
Hi Gianluca,

Thanks for your answer! I've added it to the FAQ:
http://code.google.com/p/security-onion/wiki/FAQ

Regards,
Doug
--
Doug Burks | http://securityonion.blogspot.com
Don't miss SANS SEC503 Intrusion Detection In-Depth in
Augusta GA 6/11 - 6/16 | 10% discount for ISSA Members!
http://augusta.issa.org/drupal/SANS-Augusta-2012