Setup a Sguil framework using ports under OpenBSD

From NSMWiki

These instructions are written assuming OpenBSD 4.2 and a sensor named 'sensor1', with all components residing on the same box.

If you need a concise guide to getting started with OpenBSD, take a look at this page. It is intended for a VM install but also lends itself well to this project. Just go to OpenBSD, download the latest Install42.iso and follow the instructions from this link.

Next you need the 4.2 ports tree:

cd /usr
ftp -V ftp://ftp.openbsd.org/pub/OpenBSD/4.2/ports.tar.gz
tar zxvf ports.tar.gz

Sguil client

cd /usr/ports/devel
ftp -V http://secure.lv/~nikns/stuff/ports/tclx-8.4.tar
tar xvf tclx-8.4.tar
cd /usr/ports/security
ftp -V http://secure.lv/~nikns/stuff/ports/sguil-0.6.1.tar
tar xvf sguil-0.6.1.tar
cd sguil/client && make install

Executing "sguil.tk" should run the Sguil client out of the box. The configuration file used by sguil.tk is /etc/sguil.conf if ~/sguil.conf does not exist.


Optionally you can install wireshark:

cd /usr/ports/net
ftp -V http://secure.lv/~nikns/stuff/ports/wireshark-0.99.6_4.2.tar
tar xvf wireshark-0.99.6_4.2.tar
cd wireshark && make install

Sguil sensor

mkdir -p /nsm/sguild_data/rules/sensor1
mkdir -p /nsm/snort_data/sensor1/sancp
mkdir -p /nsm/snort_data/sensor1/portscans
cd /usr/ports/devel
ftp -V http://secure.lv/~nikns/stuff/ports/tclx-8.4.tar
tar xvf tclx-8.4.tar
cd /usr/ports/net
ftp -V http://secure.lv/~nikns/stuff/ports/barnyard-0.2.0.tar
ftp -V http://secure.lv/~nikns/stuff/ports/sancp-1.6.1.tar
tar xvf barnyard-0.2.0.tar
tar xvf sancp-1.6.1.tar
cd /usr/ports/security
ftp -V http://secure.lv/~nikns/stuff/ports/sguil-0.6.1.tar
tar xvf sguil-0.6.1.tar
cd sguil/sensor && make install

Install Snort from ports or packages, as you prefer. (Note: if you do not already have an oinkcode, you can register for free at http://www.snort.org to get one.)

cd /usr/ports/net/snort && make install
cd /tmp && ftp -V http://www.snort.org/pub-bin/oinkmaster.cgi/*oinkcode*/snortrules-snapshot-CURRENT.tar.gz
tar zxvf snortrules-snapshot-CURRENT.tar.gz rules
ftp -V http://www.bleedingthreats.net/rules/bleeding.rules.tar.gz
tar zxvf bleeding.rules.tar.gz
cd rules && ls bleeding*.rules | awk '{print "include $RULE_PATH/" $1}' > bleeding.conf
mv * /nsm/sguild_data/rules/sensor1/
cp /nsm/sguild_data/rules/sensor1/bleeding-sid-msg.map /etc/snort/
cd /etc/snort/
cat bleeding-sid-msg.map >> sid-msg.map

Unless you are using SnortSam, edit /nsm/sguild_data/rules/sensor1/bleeding.conf and comment out the includes for the BLOCK rule files:

#include $RULE_PATH/bleeding-botcc-BLOCK.rules
#include $RULE_PATH/bleeding-compromised-BLOCK.rules
#include $RULE_PATH/bleeding-drop-BLOCK.rules
#include $RULE_PATH/bleeding-dshield-BLOCK.rules
#include $RULE_PATH/bleeding-rbn-BLOCK.rules
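The rule update above (generating bleeding.conf with awk, then appending bleeding-sid-msg.map to sid-msg.map) and the manual commenting-out of the BLOCK rule files can be folded into two small shell functions. This is an added example, not code from the NSMWiki page or from the Sguil project; the rule directory and map file paths are the page's, the function names and the keep_block flag are assumptions. It goes beyond the page in one respect: merging the sid map skips SIDs already present, so re-running the update after a new rule snapshot does not duplicate entries the way a plain `cat >>` does.

```shell
#!/bin/sh
# Added example (not from the NSMWiki page): build bleeding.conf from a rules
# directory and merge bleeding-sid-msg.map into sid-msg.map without duplicates.
# Function names and the keep_block flag are assumptions; paths in the usage
# note at the bottom are the ones the page uses.

# build_bleeding_conf RULES_DIR OUT_FILE [keep_block]
#   Writes one "include $RULE_PATH/<file>" line per bleeding*.rules file.
#   Unless keep_block is "yes", the *-BLOCK.rules files (which need SnortSam)
#   are written commented out with a leading '#', as the page asks for.
build_bleeding_conf() {
    rules_dir=$1; out=$2; keep_block=${3:-no}
    : > "$out"
    for f in "$rules_dir"/bleeding*.rules; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        case "$name" in
            *-BLOCK.rules)
                if [ "$keep_block" = yes ]; then
                    printf 'include $RULE_PATH/%s\n' "$name" >> "$out"
                else
                    printf '#include $RULE_PATH/%s\n' "$name" >> "$out"
                fi ;;
            *) printf 'include $RULE_PATH/%s\n' "$name" >> "$out" ;;
        esac
    done
}

# merge_sid_map SRC DEST
#   Appends "sid || msg ..." entries from SRC to DEST, skipping SIDs already
#   present in DEST so repeated updates stay idempotent. Prints the number of
#   lines added.
merge_sid_map() {
    src=$1; dest=$2; added=0
    [ -f "$dest" ] || : > "$dest"
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        sid=${line%%' || '*}
        # BRE: '|' is literal, so "^<sid> || " matches only that SID's entry
        if ! grep -q "^$sid || " "$dest"; then
            printf '%s\n' "$line" >> "$dest"
            added=$((added + 1))
        fi
    done < "$src"
    echo "$added"
}

# Usage on the sensor, with the page's paths:
#   build_bleeding_conf /nsm/sguild_data/rules/sensor1 /nsm/sguild_data/rules/sensor1/bleeding.conf
#   merge_sid_map /nsm/sguild_data/rules/sensor1/bleeding-sid-msg.map /etc/snort/sid-msg.map
```

Run the two calls in the usage note after each rule download; the second call is safe to repeat because it only appends SIDs that sid-msg.map does not yet know about.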

In /etc/snort/snort.conf check for the following lines:

var RULE_PATH /nsm/sguild_data/rules/sensor1
output log_unified: filename snort.log, limit 128
preprocessor perfmonitor: time 300 file /nsm/snort_data/sensor1/snort.stats pktcnt 10000
config detection: search-method lowmem
include $RULE_PATH/bleeding.conf

Make the appropriate changes in the following configuration files:

/etc/log_packets.sh:

INTERFACE="<interface>"
HOSTNAME="sensor1"
LOG_DIR="/nsm/snort_data"

/etc/barnyard.conf:

config interface: <interface>
config hostname: sensor1
output sguil

/etc/sensor_agent.conf:

set LOG_DIR /nsm/snort_data
set HOSTNAME sensor1
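Before starting the sensor it is worth checking that every directive listed above (snort.conf, log_packets.sh, barnyard.conf, sensor_agent.conf) is actually present and that the <interface> placeholders were replaced. The following is an added example, not code from the NSMWiki page or the Sguil project: the expected directive strings and file paths are taken from the page, while the function names and the optional staging-root argument are assumptions.

```shell
#!/bin/sh
# Added example (not from the NSMWiki page): verify that the sensor's config
# files contain the directives the page calls for. The directive strings and
# paths are the page's; function names and the ROOT argument are assumptions.

# missing_lines FILE EXPECTED_FILE
#   Prints each line of EXPECTED_FILE that does not occur verbatim in FILE
#   (commented-out lines and trailing whitespace in FILE are ignored).
#   Exit status 0 when nothing is missing, 1 otherwise.
missing_lines() {
    file=$1; expected=$2; rc=0
    if [ ! -f "$file" ]; then
        printf '%s: file not found\n' "$file"
        return 1
    fi
    while IFS= read -r want; do
        [ -n "$want" ] || continue
        if ! sed -e 's/[[:space:]]*$//' -e '/^[[:space:]]*#/d' "$file" | grep -qxF -- "$want"; then
            printf '%s: missing: %s\n' "$file" "$want"
            rc=1
        fi
    done < "$expected"
    return $rc
}

# check_sensor_configs [ROOT]
#   Runs missing_lines over the four files the page edits. ROOT (default "",
#   i.e. the live system) lets the check run against a staging tree.
check_sensor_configs() {
    root=${1:-}; status=0
    exp=$(mktemp)
    cat > "$exp" <<'EOF'
var RULE_PATH /nsm/sguild_data/rules/sensor1
output log_unified: filename snort.log, limit 128
preprocessor perfmonitor: time 300 file /nsm/snort_data/sensor1/snort.stats pktcnt 10000
config detection: search-method lowmem
include $RULE_PATH/bleeding.conf
EOF
    missing_lines "$root/etc/snort/snort.conf" "$exp" || status=1
    cat > "$exp" <<'EOF'
HOSTNAME="sensor1"
LOG_DIR="/nsm/snort_data"
EOF
    missing_lines "$root/etc/log_packets.sh" "$exp" || status=1
    cat > "$exp" <<'EOF'
config hostname: sensor1
output sguil
EOF
    missing_lines "$root/etc/barnyard.conf" "$exp" || status=1
    cat > "$exp" <<'EOF'
set LOG_DIR /nsm/snort_data
set HOSTNAME sensor1
EOF
    missing_lines "$root/etc/sensor_agent.conf" "$exp" || status=1
    # The literal <interface> placeholder must have been replaced with a real name.
    if grep -qF '<interface>' "$root/etc/log_packets.sh" "$root/etc/barnyard.conf" 2>/dev/null; then
        printf 'interface placeholder still present in log_packets.sh or barnyard.conf\n'
        status=1
    fi
    rm -f "$exp"
    return $status
}

# Live system: check_sensor_configs
# Staging tree: check_sensor_configs /path/to/staging
```

The check compares whole lines, so a directive that is present but spelled differently (a different limit in the log_unified line, for instance) is reported as missing, which is what you want before the first snort run.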

MySQL server

Install the MySQL server from ports or packages, as you prefer:

pkg_add mysql-server
/usr/local/bin/mysql_install_db
/usr/local/bin/mysqld_safe &
mysqladmin -u root -p password 'newrootpassword'
Enter Password: <enter>

If MySQL resides on a remote box, allow the root account to connect from other hosts:

mysql -u root -p
[enter 'newrootpassword']
GRANT ALL ON *.* TO 'root'@'%' IDENTIFIED BY 'newrootpassword';
FLUSH PRIVILEGES;
exit

Sguil server

cd /usr/ports/devel
ftp -V http://secure.lv/~nikns/stuff/ports/tclx-8.4.tar
tar xvf tclx-8.4.tar
cd /usr/ports/databases
ftp -V http://secure.lv/~nikns/stuff/ports/mysqltcl-3.02.tar
tar xvf mysqltcl-3.02.tar
cd /usr/ports/security
ftp -V http://secure.lv/~nikns/stuff/ports/sguil-0.6.1.tar
tar xvf sguil-0.6.1.tar
cd sguil/server && make install

Modify /etc/sguild/sguild.conf with the right database configuration:

set RULESDIR /nsm/sguild_data/rules
set DBPASS "newrootpassword"
set DBHOST localhost
set DBPORT 3306
set DBUSER root
set LOCAL_LOG_DIR /nsm/sguild_data/archive

Start everything up.

chown -R _sguil /nsm/*

On the Sguil server, the first time you will have to hit 'y':

# sudo -u _sguil sguild
pid(438)  Loading access list: /etc/sguild/sguild.access
pid(438)  Sensor access list set to ALLOW ANY.
pid(438)  Client access list set to ALLOW ANY.
pid(438)  Email Configuration:
pid(438)    Config file: /etc/sguild/sguild.email
pid(438)    Enabled: No
pid(438)  Connecting to localhost on 3306 as root
pid(438)  MySQL Version: version 5.0.45-log
pid(438)  Error: mysqluse/db server: Unknown database 'sguildb'
The database sguildb does not exist. Create it ([y]/n)?: y
Path to create_sguildb.sql [/usr/local/share/sguild/sql_scripts/create_sguildb.sql]:
Creating the DB sguildb...Okay.
Creating the structure for sguildb: .......
[...]

On the Sguil sensor:

sh /etc/log_packets.sh start
snort -l /nsm/snort_data/sensor1 -c /etc/snort/snort.conf -A none -m 122 -u _sguil -g _sguil -t /nsm/snort_data/sensor1 -i <yournetworkinterface>
sancp -d /nsm/snort_data/sensor1/sancp/ -c /etc/sancp_sguil.conf -u _sguil -g _sguil -i <yournetworkinterface>
sensor_agent.tcl
sudo -u _sguil barnyard -c /etc/barnyard.conf -d /nsm/snort_data/sensor1 \
-g /etc/snort/gen-msg.map -p /etc/snort/classification.config \
-s /etc/snort/sid-msg.map -f snort.log -w /nsm/snort_data/sensor1/waldo.file

Add to the crontab (crontab -e):

*/15 * * * * /bin/sh /etc/log_packets.sh restart

On the server, add a user to sguild:

sguild -adduser <username>