Tuesday, November 19, 2013

Code accepted into Splunk App!

Bill Matthews informed me that the script I wrote and referenced in a previous post has made it into the Hurricane Labs Vulnerability Management v 1.5 app for Splunk!

 http://apps.splunk.com/app/1093/

They cleaned it up and put it in /opt/splunk/etc/apps/HurricaneVulnerabilityManagement/bin/Nessus.sh:
#!/bin/bash

#Variables
SPLUNK_NESSUS=/mnt/nessus
SERVER="x.x.x.x"

#Retrieve AUTH Token
token="$(/usr/bin/wget -q --no-check-certificate --post-data 'login=USERNAME&password=PASSWORD' https://$SERVER:8834/login -O - | grep -Po '(?<=token\>)[^\<]+(?=\<\/token)')"

#Get list of reports
/usr/bin/wget -q --no-check-certificate --post-data "token=$token" https://$SERVER:8834/report/list -O - | grep -Po '(?<=name\>)[^\<]+(?=\<\/name)' > /tmp/reports

#Get Friendly Names
/usr/bin/wget -q --no-check-certificate --post-data "token=$token" https://$SERVER:8834/report/list -O - | grep -Po '(?<=readableName\>)[^\<]+(?=\<\/readableName)' > /tmp/names

#Merge two files
/usr/bin/pr -tmJ --sep-string=" " /tmp/reports /tmp/names > /tmp/named.reports

for i in $(cut -d' ' -f1 /tmp/named.reports);
do
#Get Filenames for reports
FILENAME=$(/usr/bin/wget -q --no-check-certificate --post-data 'token='$token'&report='$i'&xslt=csv.xsl' https://$SERVER:8834/file/xslt -O - | grep -Po '(?<=/file/xslt/download/\?fileName=)[^\"]+(?=\"\>)')

#Get files
#build Readable name to report number match
READABLENAME=$(grep $i /tmp/named.reports | cut -d' ' -f2- --output-delimiter='')
sleep 5
/usr/bin/wget -q --no-check-certificate --post-data 'token='$token'&fileName='$FILENAME'&step=2' https://$SERVER:8834/file/xslt/download -O $SPLUNK_NESSUS/$READABLENAME.csv;
done;

#Cleanup
#rm /tmp/reports
#rm /tmp/names
#rm /tmp/named.reports


Wednesday, October 9, 2013

Importing Nessus CSV reports to SPLUNK from the Command Line!

Problem Solved!  Hurricane Labs provides a nice Splunk App to consume Nessus CSV files.  But, I did not want to manually download a new CSV from the Nessus web interface and then move it to my Splunk server. I could have made a samba share from my Splunk server to my PC and just saved the output from the Nessus web interface to the share.. Still too much manual work!

After a lot of searching I found some good information on the Nessus discussion pages:

https://discussions.nessus.org/message/17812#17812
cmerchant@responsys.com answers their own question:

#!/bin/bash

AUTH=$(wget --no-check-certificate --post-data 'login=nessus&password=password' https://server:8834/login -O -| grep -Po '(?<=token\>)[^\<]+(?=\<\/token)')
FILE=$(wget --no-check-certificate --post-data 'token='$AUTH'&report=XXXXXX&xslt=csv.xsl' https://server:8834/file/xslt -O - | grep -Po '(?<=/file/xslt/download/\?)[^\"]+(?=\"\>)')

wget --no-check-certificate --post-data 'token='$AUTH'&'$FILE'&step=2' https://server:8834/file/xslt/download -O test.csv

This got me moving toward a solution. I had never done any web page parsing with wget and JavaScript, so it was about time to learn...

My requirements were:

  • No interaction - must be able to be run in cron
  • Grab all completed Nessus results
  • Save the file with the Friendly Report name so Splunk can use the file name as the Report Name

Here are the results. This needs some clean up and more documentation, but it is completely usable as is, except that you will need to replace xxxxxx with your password and x.x.x.x with your Nessus server IP.
(word wrap didn't play nice here, be careful with your cut and paste)


#!/bin/bash

#Variables
SPLUNK_NESSUS=/mnt/nessus

#Retrieve AUTH Token
#(--no-check-certificate skips TLS verification of the Nessus server, and the
# password lives in this file, so keep the script readable by its owner only)
token="$(/usr/bin/wget -q --no-check-certificate --post-data 'login=nessus&password=xxxxxx' https://x.x.x.x:8834/login -O - | grep -Po '(?<=token\>)[^\<]+(?=\<\/token)')"

#Get list of reports
/usr/bin/wget -q --no-check-certificate --post-data "token=$token" https://x.x.x.x:8834/report/list -O - | grep -Po '(?<=name\>)[^\<]+(?=\<\/name)' > /tmp/reports

#Get Friendly Names
/usr/bin/wget -q --no-check-certificate --post-data "token=$token" https://x.x.x.x:8834/report/list -O - | grep -Po '(?<=readableName\>)[^\<]+(?=\<\/readableName)' > /tmp/names

#Merge two files (line N of /tmp/reports is paired with line N of /tmp/names)
/usr/bin/pr -tmJ --sep-string=" " /tmp/reports /tmp/names > /tmp/named.reports

for i in $(cut -d' ' -f1 /tmp/named.reports);
do
#Get Filenames for reports
FILENAME=$(/usr/bin/wget -q --no-check-certificate --post-data 'token='$token'&report='$i'&xslt=csv.xsl' https://x.x.x.x:8834/file/xslt -O - | grep -Po '(?<=/file/xslt/download/\?fileName=)[^\"]+(?=\"\>)')

#Get files
#build Readable name to report number match (anchored on the report id so one id cannot match inside another)
READABLENAME=$(grep "^$i " /tmp/named.reports | cut -d' ' -f2- --output-delimiter='')
sleep 5
/usr/bin/wget -q --no-check-certificate --post-data 'token='$token'&fileName='$FILENAME'&step=2' https://x.x.x.x:8834/file/xslt/download -O $SPLUNK_NESSUS/$READABLENAME.csv;
done;

#Cleanup
rm /tmp/reports
rm /tmp/names
rm /tmp/named.reports

#note
# Remove files in /opt/nessus/var/nessus/users/nessus/files on nessus server
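As an added example (not the blog author's script and not the Hurricane Labs version), here is the same download flow against the legacy Nessus endpoints both scripts above use (/login, /report/list, /file/xslt, /file/xslt/download), but parsing the report list as XML and deriving a filesystem-safe name from readableName instead of the grep/pr/cut chain. Assumptions: the XML layout (one <report> element with <name> and <readableName>) is inferred from the tags the scripts grep for, credentials come from environment variables, and the sample reply is constructed.

```python
"""Added example: fetch Nessus CSV reports through the same legacy
endpoints the wget scripts use, but parse the XML and sanitise names.
Not the blog author's or the Hurricane Labs script."""
import os
import re
import ssl
import time
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET


def parse_report_list(xml_text):
    """Map report UUID -> readableName from a /report/list reply.
    Assumes one <report> element per scan holding <name> and <readableName>,
    the tags the wget script greps for; pairing is explicit, not line-by-line."""
    reports = {}
    for rep in ET.fromstring(xml_text).iter("report"):
        uuid, readable = rep.findtext("name"), rep.findtext("readableName")
        if uuid and readable:
            reports[uuid] = readable
    return reports


def safe_filename(readable_name):
    """Reduce a user-chosen scan name to [A-Za-z0-9_.-] and strip leading
    dots/underscores, so names like '../x' or 'a/b' cannot leave the
    output directory when used as $SPLUNK_NESSUS/<name>.csv."""
    cleaned = re.sub(r"[^A-Za-z0-9_.-]+", "_", readable_name).strip("._")
    return cleaned or "unnamed_report"


def _post(server, path, fields, ctx):
    """POST form fields to https://server:8834/path and return the body."""
    data = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request("https://%s:8834%s" % (server, path), data=data)
    with urllib.request.urlopen(req, context=ctx, timeout=60) as resp:
        return resp.read().decode(errors="replace")


def download_all(server, user, password, out_dir, ctx=None):
    """Log in, list reports, save each as <out_dir>/<safe name>.csv.
    ctx=None keeps TLS verification on (the wget scripts disable it)."""
    ctx = ctx or ssl.create_default_context()
    reply = _post(server, "/login", {"login": user, "password": password}, ctx)
    token = re.search(r"<token>([^<]+)</token>", reply).group(1)
    reports = parse_report_list(_post(server, "/report/list", {"token": token}, ctx))
    saved = []
    for uuid, readable in reports.items():
        page = _post(server, "/file/xslt",
                     {"token": token, "report": uuid, "xslt": "csv.xsl"}, ctx)
        m = re.search(r'/file/xslt/download/\?fileName=([^"]+)"', page)
        if not m:
            continue
        time.sleep(5)  # the scripts wait for the server-side XSLT run as well
        csv_text = _post(server, "/file/xslt/download",
                         {"token": token, "fileName": m.group(1), "step": "2"}, ctx)
        target = os.path.join(out_dir, safe_filename(readable) + ".csv")
        with open(target, "w") as fh:
            fh.write(csv_text)
        saved.append(target)
    return saved


# Constructed sample /report/list reply, shaped after the grepped tags.
SAMPLE_REPORT_LIST = """<reply><contents><reports>
<report><name>1111-aaaa</name><readableName>Weekly Scan</readableName></report>
<report><name>2222-bbbb</name><readableName>../DMZ/Scan #2</readableName></report>
</reports></contents></reply>"""

if __name__ == "__main__":
    for uuid, readable in parse_report_list(SAMPLE_REPORT_LIST).items():
        print(uuid, "->", safe_filename(readable) + ".csv")
    # Real run, with credentials taken from the environment rather than the file:
    # download_all(os.environ["NESSUS_SERVER"], os.environ["NESSUS_USER"],
    #              os.environ["NESSUS_PASS"], "/mnt/nessus")
```

Certificate verification stays on by default; hand download_all an ssl context that trusts your Nessus certificate rather than turning verification off.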

If you use this please send me an email rossw@woodhome.com



DNS Visibility

Doug Burks wrote up a 2nd post at the SecurityOnion Blog about DNS Visibility.
http://securityonion.blogspot.com/2013/10/got-dns-visibility.html

Some of the original ideas come from a post by Johannes Ullrich
 https://isc.sans.edu/diary/A+Poor+Man%27s+DNS+Anomaly+Detection+Script/13918

Doug comments:
"For those running Bro [1] on Security Onion [2], I've modified the script [3]."
and he posts the code at:
[3] - http://code.google.com/p/security-onion/wiki/DNSAnomalyDetection



#!/bin/bash

BRO_LOGS="/nsm/bro/logs"
TODAY=`date +%Y-%m-%d`
YESTERDAY=`date -d yesterday +%Y-%m-%d`
OLD_DIRS=`ls $BRO_LOGS |egrep -v "current|stats|$TODAY|$YESTERDAY"`
TMPDIR=/tmp
OLDLOG=$TMPDIR/oldlog
NEWLOG=$TMPDIR/newlog
SUSPECTS=$TMPDIR/suspects
for DIR in $OLD_DIRS; do zcat $BRO_LOGS/$DIR/dns* |bro-cut query; done | sort | uniq -c | sort -k2 > $OLDLOG
zcat $BRO_LOGS/$YESTERDAY/dns* |bro-cut query | sort | uniq -c | sort -k2 > $NEWLOG
join -1 2 -2 2  -a 2 $OLDLOG $NEWLOG | egrep -v '.* [0-9]+ [0-9]+$' | sort -nr -k2 | head -10 > $SUSPECTS

This script will run through *ALL* of your Bro DNS logs on your Security Onion install. I have modified the script to allow you to look back over any number of days and compare that summary to yesterday's DNS logs.
Examples:
last week compared to yesterday: $ sh DNSAnomalyDetection 7
2 days ago compared to yesterday: $ sh DNSAnomalyDetection 2

-----------------
#!/bin/bash
BRO_LOGS="/nsm/bro/logs"
TIMEFRAME=$1   # days to look back: 7 builds the baseline from days 7..2 and compares it with yesterday
TODAY=`date +%Y-%m-%d`
YESTERDAY=`date -d yesterday +%Y-%m-%d`
TMPDIR=/tmp
OLDLOG=$TMPDIR/oldlog
NEWLOG=$TMPDIR/newlog
SUSPECTS=$TMPDIR/suspects
# -gt rather than -ne, so an argument of 0 or 1 ends the loop instead of walking back forever
while [ "$TIMEFRAME" -gt 1 ];
do
 PROCESSING_DAY=`date -d "-$TIMEFRAME Day" +%Y-%m-%d`
 zcat $BRO_LOGS/$PROCESSING_DAY/dns* |bro-cut query;
 TIMEFRAME=$((TIMEFRAME - 1))
done | sort | uniq -c | sort -k2 > $OLDLOG
zcat $BRO_LOGS/$YESTERDAY/dns* | bro-cut query | sort | uniq -c | sort -k2 > $NEWLOG
# names with a count only in yesterday's file (no baseline count) survive the egrep -v and are ranked by count
join -1 2 -2 2 -a 2 $OLDLOG $NEWLOG | egrep -v '.* [0-9]+ [0-9]+$' | sort -nr -k2 | head -10 > $SUSPECTS
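To make the comparison the two scripts above perform explicit, here is an added example in Python (not Doug's or the blog author's code) that does what bro-cut query | sort | uniq -c and join -a 2 | egrep -v do: count names over a baseline of days, count yesterday, and keep the names from yesterday that the baseline never saw, ranked by count. The dns.log rows are constructed with a shortened #fields header; real Bro logs carry more columns, but locating the column by header name works the same way.

```python
"""Added example: the DNS anomaly comparison from the scripts above,
re-done in Python over constructed Bro dns.log text (not Doug Burks'
or the blog author's code)."""
from collections import Counter


def bro_column(log_text, column="query"):
    """Yield one column from Bro ASCII log text, located through the
    #fields header line exactly as bro-cut does; other comment lines
    (including the #close trailer) and blank lines are skipped."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields is not None:
            yield line.split("\t")[fields.index(column)]


def count_queries(logs):
    """Counter of queried names across any number of dns.log texts
    (the 'sort | uniq -c' step, merged over every baseline day)."""
    counts = Counter()
    for text in logs:
        counts.update(bro_column(text))
    return counts


def new_suspects(baseline_logs, yesterday_logs, top=10):
    """Names queried yesterday with no baseline count at all, i.e. the
    rows that survive 'join -a 2 ... | egrep -v', as (name, count) pairs
    ranked by yesterday's count (the 'sort -nr -k2 | head' step)."""
    old = count_queries(baseline_logs)
    new = count_queries(yesterday_logs)
    unseen = [(q, n) for q, n in new.items() if q not in old]
    return sorted(unseen, key=lambda kv: (-kv[1], kv[0]))[:top]


def _bro_log(rows):
    """Build a constructed dns.log: tab-separated, #fields header, #close trailer."""
    header = "#fields\tts\tid.orig_h\tquery\tqtype_name"
    body = ["\t".join(r) for r in rows]
    return "\n".join([header] + body + ["#close\t2013-10-09-00-00-00"])


# Constructed sample data: two baseline days and yesterday.
BASELINE_DAY1 = _bro_log([
    ("1380930000.1", "192.168.1.10", "www.example.com", "A"),
    ("1380930001.2", "192.168.1.11", "www.example.com", "A"),
    ("1380930002.3", "192.168.1.12", "mail.example.net", "MX"),
])
BASELINE_DAY2 = _bro_log([
    ("1381016400.1", "192.168.1.10", "www.example.com", "A"),
    ("1381016401.2", "192.168.1.13", "updates.example.org", "A"),
])
YESTERDAY = _bro_log([
    ("1381102800.1", "192.168.1.10", "www.example.com", "A"),
    ("1381102801.2", "192.168.1.10", "xyz123.constructed-bad.example", "A"),
    ("1381102802.3", "192.168.1.10", "xyz123.constructed-bad.example", "A"),
    ("1381102803.4", "192.168.1.14", "xyz123.constructed-bad.example", "TXT"),
    ("1381102804.5", "192.168.1.12", "mail.example.net", "MX"),
    ("1381102805.6", "192.168.1.15", "new-cdn.example.org", "A"),
])

if __name__ == "__main__":
    # Same shape as the suspects file: count, then name, highest first.
    for name, count in new_suspects([BASELINE_DAY1, BASELINE_DAY2], [YESTERDAY]):
        print("%7d %s" % (count, name))
```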
-Ross Warren

Friday, September 6, 2013

Summer is over! Now time for the Transonic Buffet

Summer is over, the kids are in school! The traffic in NoVA is back.

It has been a while since I have posted; I was busy with a few other things.

Passed my GCIA and wrote an article for Coast Guard Forum Magazine.

The GCIA was the hardest SANS test I have taken.  A lot of raw packet hex conversions, and a big focus on ICMP codes !?!  But it is done. I can add to the alphabet soup at the end of my name, change my Linkedin profile and join a few more groups.

The article for the Coast Guard Forum Magazine was a request from our marketing department to explain cyber security for our company.  4 questions that needed to be answered in 200-300 words.  After a few revisions with an editor the final text has been sent to the publisher.  Waiting anxiously to see my name in print in the realm of cyber security! I made sure to mention Security Onion and NSM!

Let's end today with a quote from Elon Musk. This was found in the Hyperloop design details document.

"And, when you get right down to it, going through transonic buffet in a tube is just fundamentally a
dodgy prospect." - Musk

Friday, July 19, 2013

Physical access compared to Computer Access

Contributed to a discussion on LinkedIn in the Splunk users group in response to "What's the coolest thing you've done with Splunk?"  
--- Original posts ---
I recently took door access logs and produced the avg time an employee gets to work. Created other dashboard panels showing weekend and off hour access as well as what door they most often use.

-- Response to format of door access logs ---
Sonitrol, and sadly I only get the logs weekly in .csv format. They are easy to ingest into Splunk..
(The csv format looks like)
Time,Activity,Panel,Panel Location,Mod,Door,Door Location,Last Name,First Name
6/17/2013 7:25,Entry granted,5946,CORPX,5,1,ELEVATOR 2,BOB,SMITH

I would like to expand on the discussion and share the dashboards and the search text behind each dashboard. In the next blog post I can break down the searches if there is enough interest.


Dashboard panel for average start time


search text:
index=door_access first_name="*" last_name="Warren" 
| eval lowerlast=upper(last_name) | eval lowerfirst=upper(first_name) 
| bucket _time span=1d as day 
| stats earliest(_time) as start_time by day, lowerfirst, lowerlast  
| stats avg(start_time) as avgstart_time by lowerlast,lowerfirst 
| eval avgstart_timef=strftime(avgstart_time, "%I:%M %p")  
| sort - avgstart_timef  
| table lowerfirst,lowerlast,avgstart_timef

Elevator use panel
(please forgive the double data entries)
search text:
index=door_access door_name=elevator* first_name="*" last_name="Warren*"  
| eval WeekDay=strftime(_time, "%a")  
| table _time, WeekDay,door_name

Weekend Access:
search text:
index=door_access first_name="*" last_name="Smith" 
| eval WeekDay=strftime(_time, "%a")   
| search WeekDay="Sat" OR WeekDay="Sun" 
| table _time, WeekDay, door_name

Denied Access:
search text:
index=door_access activity="*denied*" first_name="*" last_name="Smith"  
| eval WeekDay=strftime(_time, "%a")   
| table _time, WeekDay,door_name, activity

If you have gotten this far, thanks for reading.  Currently I am working on how to correlate this physical access info with workstation logons.  I work in a two-factor authentication world which uses cached credentials in conjunction with the token. I am finding it difficult to harvest exactly when a user logs into their workstation in the morning..  Does anyone have ideas?  I have tried using eventid=4624 without luck.  

BTW Randy Franklin's Ultimate Windows Security is a great resource for understanding Windows Event Codes. Check it out. I have read this page 4624 way too many times.

Ross Warren, CISSP, GCIH, GSEC


Wednesday, May 22, 2013

Splunk: Creating eventtypes from csv to name VLANS

Everyone got the VLAN name lookup working from the last post? You did.. ? Really, someone is listening?

Next, let's use the information in the internal_networks.csv file to create event types and really change the way we search in Splunk.

While researching this topic, I learned that you CAN NOT do subsearches in eventtypes.conf.
I was hoping to do something like this (don't try it, it doesn't work):

eventtypes.conf
[vlan:Guest] 
search src_ip=172.30.21.0/24 |lookup vlan network AS src_ip OUTPUT name AS Src_VLAN

So I had to find an easy way to parse our csv. I love trying to do all my heavy lifting on one line in Linux, so I challenged myself.. can it be done?

As a reminder, here is our internal_networks.csv. I have cleaned it up to conform with the Common Information Model as best I could: no spaces in the names and no capital letters.

network,name
"192.168.1.0/24","corporate"
"192.168.2.0/24","voice"
"192.168.3.0/24","nosc_tac"
"192.168.4.0/24","servers"
"192.168.5.0/24","engineering"
"192.168.6.0/24","security"
"192.168.7.0/24","unassigned"
"192.168.8.0/24","it_engineering"
"192.168.9.0/24","human_resources"
"192.168.10.0/24","call_manager"
"192.168.11.0/24","wireless"
"192.168.12.0/24","executive_office"
"192.168.13.0/24","unassigned"
"192.168.14.0/24","voip"
"192.168.15.0/24","finance"
"192.168.16.0/24","marketing"
"192.168.17.0/24","pm_users"
"192.168.18.0/24","sales"
"192.168.19.0/24","consultants"
"192.168.20.0/24","procurement"
"192.168.21.0/24","guest"
"192.168.255.0/24","255"

..and with a single beautiful line you can create a new eventtypes.conf with our internal_networks.csv.

sudo awk -F'"' 'NR!=1 { print "[vlan:" $4 "]\nsearch = src_ip=" $2 "\n" }' /opt/splunk/etc/apps/search/lookups/internal_networks.csv >> /opt/splunk/etc/system/local/eventtypes.conf
(the "search =" line is written without a leading space, so Splunk reads it as the key of the stanza)
You might have to change permissions to be able to write (append) to /opt/splunk/etc/apps/default/local/eventtypes.conf.

and now look what we have..  well defined event types! Now you can stop guessing what 192.168.3.45 is.. It is the nosc_tac vlan!


Additionally you now have the ability to search via vlan name
eventtype=vlan:sales or even try eventtype=vlan:* | top eventtype

Remember: If your internal_networks.csv changes you will have to regenerate your eventtypes.conf with the magical awk line from above.

Comments?

Ross Warren
Cyber Security, CISSP, GCIH, GSEC 



Tuesday, May 21, 2013

SPLUNK: Finding VLAN to VLAN traffic

We are most often concerned with traffic flowing out of the network or into the network. This is where the bad guys start from and most often show their intentions.. But what about the embedded bad guy that is already in your network..

**For what ever reason** Your IDS missed it, or they were already in and then you deployed your IDS...

I am talking about internal VLAN traffic, from the Marketing VLAN to the finance VLAN.. that probably shouldn't be happening and we need to watch for it.

Assumption: Your internal network numbering is based off of 192.168.0.0/16

So a simple Splunk search would reveal traffic sourced from internal PC/Laptop hosts to internal PC/Laptop hosts:
src_ip=192.168.0.0/16 AND dest_ip=192.168.0.0/16
but this ends up with a lot of events where it is hard to decipher what is going where, and we don't have any "nice" names to determine if an infected Marketing PC is trying to get to the Finance VLAN.

In come Splunk lookups! Here is the reference doc at Splunk: Splunk Lookup Command, but I will break down the steps here.

1) First create the csv file where your VLAN to Name translation is:
sudo vi /opt/splunk/etc/apps/search/lookups/internal_networks.csv
network,name
"192.168.1.0/24","Corporate"
"192.168.2.0/24","Voice"
"192.168.3.0/24","Operations"
"192.168.4.0/24","Server VLAN"
"192.168.5.0/24","Engineering"
"192.168.6.0/24","Security"
"192.168.7.0/24","Unassigned"
"192.168.8.0/24","IT Engineering"
"192.168.9.0/24","Human Resources"
"192.168.10.0/24","Unassigned"
"192.168.11.0/24","Wireless"
"192.168.12.0/24","Executive Office"
"192.168.13.0/24","Unassigned"
"192.168.14.0/24","VoIP VLAN"
"192.168.15.0/24","Finance"
"192.168.16.0/24","Marketing"
"192.168.17.0/24","PM Users"
"192.168.18.0/24","Sales"
"192.168.19.0/24","Consultants"
"192.168.20.0/24","Procurement"
"192.168.21.0/24","Guest"

2) Then create the lookup (additional documentation at Splunk Docs - Configure field lookups). The lookup name "vlan" used below has to exist as a [vlan] stanza in transforms.conf whose filename points at internal_networks.csv; if you created the lookup definition through the web UI, that stanza is already there.

sudo vi /opt/splunk/etc/apps/search/local/props.conf
[*]
LOOKUP-vlan = vlan network OUTPUT name


3) Test with a simple search:

(src_ip=192.168.0.0/16 AND dest_ip=192.168.0.0/16)| lookup vlan network AS src_ip OUTPUT name AS Src_VLAN 

We can now see a new field Src_VLAN!

4) Finalize the search by removing the "Server VLAN (192.168.4.0/24)" and any broadcasts (255).

(src_ip=192.168.0.0/16 AND dest_ip=192.168.0.0/16) AND src_ip!=192.168.4.0/24 AND dest_ip!=192.168.4.0/24 NOT 255 
| lookup vlan network AS src_ip OUTPUT name AS Src_VLAN 
| lookup vlan network AS dest_ip OUTPUT name AS Dest_VLAN 
| where Src_VLAN != Dest_VLAN |chart count by Src_VLAN, Dest_VLAN

So now we know what VLANs are making connections to each other.
.. but what is normal? It is up to you to decide... Should the Finance VLAN be making connections to the "Corporate VLAN"? and more importantly I should talk to IT about a better description than "Corporate VLAN"...

Next post.. Using this lookup we created to name the VLANs on the fly in any search we do.

Ross Warren
Cyber Security, CISSP, GCIH, GSEC 



Wednesday, May 1, 2013

Why Orange Hat Security ?

A few folks have asked why "Orange Hat Security". There were a few personal reasons to choose this odd sounding name, but it felt inspired.


    [photo: "Chloe"]
  1. The weekend before creating this blog, I had just sold my 1974 Super Beetle, and "Chloe" was orange. She was in the family for over 16 years.. It was sad for everyone.
  2. I passed my CISSP in January and had just received my official CISSP #, and with the hours of studying to pass the test.. I wouldn't soon forget about the "Orange Book".
  3. A slight reference to the categorization of "white hat" and "black hat" security "professionals". Which side do you choose?


Monday, March 18, 2013

Installing CIF on a Ubuntu 12.04 VM on top of Security Onion (Part 3)

Configuring the VM Network and ufw to allow connections to the new CIF VM


Since the VM is running in NAT mode, the Security Onion host cannot get to the VM, and you cannot connect to the VM except through the VirtualBox console GUI. While perfectly acceptable, I find it slow.

So let's make some changes to the network settings of the VM and then allow the connection through the ufw firewall on Security Onion.

First, start with SSH.
Forward connections to port 2222 on your Security Onion box to port 22 on the CIF VM. The IP address will have to be changed to match the one you wrote down in step two. Didn't write it down? Fire up the VirtualBox GUI console, log back into your CIF VM and get the IP; write it down this time.
sudo VBoxManage modifyvm "CIF" --natpf1 "guestssh,tcp,,2222,10.0.2.15,22"
sudo ufw allow 2222/tcp
Anxious to test if it worked? Is your CIF VM Running?
sudo vboxmanage list runningvms
Is the "guestssh" rule installed in the VM ?
sudo vboxmanage showvminfo CIF | grep guestssh
NIC 1 Rule(0): name = guestssh, protocol = tcp, host ip = , host port = 2222, guest ip = 10.0.2.15, guest port = 22
Is the port 2222 allowed on your Security Onion server?
sudo ufw status | grep 2222
2222/tcp                   ALLOW       Anywhere
2222/tcp                   ALLOW       Anywhere (v6) 
Good news, fire up putty or your favorite ssh app and connect to the IP of your Security Onion server on port 2222.  You should see the login for your CIF VM! If not reread this section and make sure there are no typos..

If you have a successful login. It is time to install CIF. I followed these instructions:

https://code.google.com/p/collective-intelligence-framework/wiki/ServerInstall_Ubuntu12_v1
then back to the Section Labeled BIND here:
https://code.google.com/p/collective-intelligence-framework/wiki/ServerInstall_v1


CIF installed? Great. API keys generated? Great. One last step: we need to expose port 443 to Security Onion using the same method as with the ssh port.



I used 4443 on the Security Onion box, choose what you like.
sudo ufw allow 4443/tcp
sudo VBoxManage modifyvm "CIF" --natpf1 "guestssl,tcp,,4443,10.0.2.15,443"
You should now be able to make queries to the CIF web interface with your API KEY.

Check out installing the CIF client on your Security Onion server
https://code.google.com/p/collective-intelligence-framework/wiki/ClientInstall_v1

Stay tuned for more integration.


Friday, March 15, 2013

Installing CIF on a Ubuntu 12.04 VM on top of Security Onion (Part 2)

Let's review; so far we have:

  • Lived with Security Onion for a while and couldn't fall asleep at night because you were thinking of ways to tweak snort (or is that just me)
  • Installed VirtualBox
  • Downloaded Ubuntu ISO
  • Created a VM from the command line

Now comes the sticky wicket: how do we view the console of the new CIF VM so we can install Ubuntu?
(I tried running sudo vboxheadless -s "CIF" and playing with ufw rules, but couldn't get it to work. Running in bridged mode might work, but I didn't want to mess with my Security Onion interfaces file.)

  • If you are on the console of your Security Onion server (lucky you)
    • launch the VirtualBox GUI, start the VM and install Ubuntu
  • If you are using ssh to get to the Security Onion server you have a few things to configure
    • Install xming (http://sourceforge.net/projects/xming/)
    • Change your putty config to enable X11 forwarding, don't forget to save the session
    • ssh back to your Security Onion server with your saved session
    • export DISPLAY=localhost:10.0 (this might be different for you)
    • test with "xterm &" - if that works
    • sudo VBoxManage startvm "CIF"
Run through the install. I assume you have installed Ubuntu before, since we are running on a Security Onion host...

If the "Loading Additional Components" step fails, there is something wrong with the network setup:
  • Shut down the VM, be rude, just kill it
  • load the VirtualBox Configuration GUI and check your settings, NAT should work
  • restart the install
hint: In the Ubuntu install at the "Software Selection" screen only choose OpenSSH Server

Ubuntu should finish its install and reboot; log in, find out what your IP is and write it down.
sudo ifconfig eth0 | grep inet
Shut down the VM, and you might as well remove the DVD from the drive:
sudo VBoxManage storageattach "CIF" --storagectl "IDE Controller" --port 0  --device 0 --type dvddrive --medium none
Configuring the VM Network and ufw to allow connections to the new CIF VM (Part 3)




Thursday, March 14, 2013

Installing CIF on a Ubuntu 12.04 VM on top of Security Onion (Part 1)


Security Onion and CIF

The CIF (Collective Intelligence Framework) provides a framework for gathering open-source intelligence feeds and then allows you to compare this intelligence with the data you have already been collecting with Security Onion tools.

Install Security Onion Distro
Join the Security Onion Google Group
    • Ask some newbie questions
    • Be amazed how fast Doug, Brad, Martin and others respond to your cries for help
    • Additional geek points can be gathered by joining (CIF-Framework and ELSA Groups)
Sit back, suck packets off the wire, drown in way too many snort alerts, and finally, when you dream about snort and sguil at night, you can take the next step.

Install VirtualBox on your Security Onion Server
sudo wget -q http://download.virtualbox.org/virtualbox/debian/oracle_vbox.asc -O- | sudo apt-key add -
sudo sh -c 'echo "deb http://download.virtualbox.org/virtualbox/debian precise contrib" >> /etc/apt/sources.list'
sudo apt-get update && sudo apt-get install virtualbox-4.2
(4.2 is the latest as of this post)

VirtualBox is now installed ! Take a deep breath. We now are going to create a VM from the command line

Download Ubuntu 12.04 (start the download in a separate window and continue on young jedi)
sudo mkdir -p /nsm/VM/ISO
sudo wget -O /nsm/VM/ISO/ubuntu-12.04.2-server-amd64.iso http://releases.ubuntu.com/precise/ubuntu-12.04.2-server-amd64.iso
sudo mkdir /nsm/VM/CIF/
sudo chmod 664 /nsm/VM/CIF
(Slow down... time to read and make some decisions! Don't just cut and paste the following commands... You need to change the number of CPUs, memory, disk space and location of your VM's HD to match your system)
Create the VM
sudo VBoxManage createvm --name "CIF" --register
sudo VBoxManage modifyvm "CIF" --ostype Ubuntu_64 --cpus 3 --memory 8192 --usb off
sudo VBoxManage modifyvm "CIF" --ioapic on
(below the settings assume you want the HD of the VM in the /nsm/VM dir.  This is where I have the most space, so choose wisely!)

sudo VBoxManage storagectl "CIF" --name "SATA Controller" --add sata --controller IntelAHCI
sudo VBoxManage createhd --filename /nsm/VM/CIF/CIF.vdi --size 204800
sudo chown root /nsm/VM/CIF/CIF.vdi
sudo chgrp root /nsm/VM/CIF/CIF.vdi
sudo VBoxManage storageattach "CIF" --storagectl "SATA Controller" --port 0 --device 0 --type hdd --medium /nsm/VM/CIF/CIF.vdi
sudo VBoxManage storagectl "CIF" --name "IDE Controller" --add ide
sudo VBoxManage storageattach "CIF" --storagectl "IDE Controller" --port 0 --device 0 --type dvddrive --medium /nsm/VM/ISO/ubuntu-12.04.2-server-amd64.iso
sudo VBoxManage modifyvm "CIF" --boot1 dvd
sudo VBoxManage modifyvm "CIF" --nic1 nat

The CIF VM is now created and ready to boot your Ubuntu ISO, you can check your settings
sudo vboxmanage showvminfo CIF
Next starting up the VM and installing Ubuntu... (Part 2)