InstantNSM

From NSMWiki
Jump to: navigation, search

Sguil deployment got you down? Having trouble figuring out how to make all the components play nice together? Want to see some spectacularly terrible technical writing? You need InstantNSM!

What is InstantNSM?

InstantNSM is a set of documents, scripts and software that simplify Sguil deployment by providing pre-tested components and automating common adminstrative tasks. With InstantNSM, Sguil deployment will be nearly a turnkey solution.

What can InstantNSM do for me?

InstantNSM has several functions:

  1. Configure a central Sguil server + MySQL database
  2. Create a new sensor
  3. Remove a specific sensor
  4. Start or stop a specific sensor
  5. Start or stop the central server
  6. Provide status information on the running sensor or server processes

Provided your hardware can handle the load, you can run any combination of server and/or sensors on a single system, or spread them out across several systems. InstantNSM is also able to configure a single computer to host multiple sensor instances.

About the only things InstantNSM won't do for you (yet) are:

  1. OS configuration You're responsible for these tasks, including installation and disk partitioning
  2. Software installation You'll still have to install the requisite software before you run the configuration script.
  3. Snort rule tuning and maintenance InstantNSM comes with a default set of Snort IDS rules, but you'll need to tune them to reduce false positives. You'll also need to update them on a regular basis, probably using a tool like Oinkmaster

Obtaining InstantNSM

You can download the latest stable version of InstantNSM from the SourceForge project page. You can also check out the latest development version from CVS, though it may not work right.

Documentation

The Sguil on RedHat HOWTO was originally written as part of the InstantNSM project, though it has since moved into the Main Page NSMWiki. It is still, however, the source document that the InstantNSM installation scripts follow. If you want to know what the installer is doing in detail, read the HOWTO.

Software Repository

Rfifarek is working on a repository of RPMs for the various software pieces, so you won't have to compile your own from scratch. It's not available yet, so for now you'll still have to use the steps in the HOWTO.

Using InstantNSM

If your system is properly prepared, using InstantNSM to set up a sguil server or sensor is quite simple.

Prerequisites

Your system must be running RedHat Enterprise Linux 4 (or a closely compatible version of Linux, like CentOS 4) and have all of the software that Sguil needs already installed (see the HOWTO for the list of software and where to install it). You should also have a disk partition set aside for storing the NSM data, usually mounted as '/nsm'.

A note on multiple sensors: You can use InstantNSM to configure multiple sensors (sniffing different networks) on the same computer. Provided you have enough system resources (network cards, CPU, RAM, HD space and PCI bandwidth) this is no problem. If you install sensors as indicated in this document, you can easily configure multiple sensors on a single computer. Just be sure to create a separate disk partition for each sensor and mount them each as /nsm/snort_data/$SENSORNAME.

InstantNSM Tasks