Setup a Sguil framework using ports under OpenBSD
From NSMWiki
These instructions are written assuming use of OpenBSD 4.2 and sensor named 'sensor1' with all components residing on the same box.
If you need a concise guide to get started with OpenBSD, take a look at this page. It's intended for a VM install but also lends itself well to this project. Just go to OpenBSD, download the latest Install42.iso and follow the instructions from that link.
Next you need the 4.2 ports tree:
cd /usr
ftp -V ftp://ftp.openbsd.org/pub/OpenBSD/4.2/ports.tar.gz
tar zxvf ports.tar.gz
Sguil client
cd /usr/ports/devel
ftp -V http://secure.lv/~nikns/stuff/ports/tclx-8.4.tar
tar xvf tclx-8.4.tar
cd /usr/ports/security
ftp -V http://secure.lv/~nikns/stuff/ports/sguil-0.6.1.tar
tar xvf sguil-0.6.1.tar
cd sguil/client && make install
Executing "sguil.tk" should run the Sguil client out of the box. The configuration file used by sguil.tk is /etc/sguil.conf, unless ~/sguil.conf exists.
Optionally you can install wireshark:
cd /usr/ports/net
ftp -V http://secure.lv/~nikns/stuff/ports/wireshark-0.99.6_4.2.tar
tar xvf wireshark-0.99.6_4.2.tar
cd wireshark && make install
Sguil sensor
mkdir -p /nsm/sguild_data/rules/sensor1
mkdir -p /nsm/snort_data/sensor1/sancp
mkdir -p /nsm/snort_data/sensor1/portscans
cd /usr/ports/devel
ftp -V http://secure.lv/~nikns/stuff/ports/tclx-8.4.tar
tar xvf tclx-8.4.tar
cd /usr/ports/net
ftp -V http://secure.lv/~nikns/stuff/ports/barnyard-0.2.0.tar
ftp -V http://secure.lv/~nikns/stuff/ports/sancp-1.6.1.tar
tar xvf barnyard-0.2.0.tar
tar xvf sancp-1.6.1.tar
cd /usr/ports/security
ftp -V http://secure.lv/~nikns/stuff/ports/sguil-0.6.1.tar
tar xvf sguil-0.6.1.tar
cd sguil/sensor && make install
Install Snort from ports or packages, whichever you prefer. (Note: if you do not already have an oinkcode, you can register for free at http://www.snort.org to get one.)
cd /usr/ports/net/snort && make install
cd /tmp && ftp -V http://www.snort.org/pub-bin/oinkmaster.cgi/*oinkcode*/snortrules-snapshot-CURRENT.tar.gz
tar zxvf snortrules-snapshot-CURRENT.tar.gz rules
ftp -V http://www.bleedingthreats.net/rules/bleeding.rules.tar.gz
tar zxvf bleeding.rules.tar.gz
cd rules && ls bleeding*.rules | awk '{print "include $RULE_PATH/" $1}' > bleeding.conf
mv * /nsm/sguild_data/rules/sensor1/
cp /nsm/sguild_data/rules/sensor1/bleeding-sid-msg.map /etc/snort/
cd /etc/snort/
cat bleeding-sid-msg.map >> sid-msg.map
Unless you are using SnortSam, edit /nsm/sguild_data/rules/sensor1/bleeding.conf and comment out the BLOCK rule sets:
#bleeding-botcc-BLOCK.rules
#bleeding-compromised-BLOCK.rules
#bleeding-drop-BLOCK.rules
#bleeding-dshield-BLOCK.rules
#bleeding-rbn-BLOCK.rules
In /etc/snort/snort.conf check for the following lines:
var RULE_PATH /nsm/sguild_data/rules/sensor1
output log_unified: filename snort.log, limit 128
preprocessor perfmonitor: time 300 file /nsm/snort_data/sensor1/snort.stats pktcnt 10000
config detection: search-method lowmem
include $RULE_PATH/bleeding.conf
Make the appropriate changes in the following configuration files:
/etc/log_packets.sh:
INTERFACE="<interface>"
HOSTNAME="sensor1"
LOG_DIR="/nsm/snort_data"
/etc/barnyard.conf:
config interface: <interface>
config hostname: sensor1
output sguil
/etc/sensor_agent.conf:
set LOG_DIR /nsm/snort_data
set HOSTNAME sensor1
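Before moving on, it is worth checking that the sensor-side settings above actually made it into the files. The script below is an added example, not part of the NSMWiki page: it verifies the snort.conf lines and flags any BLOCK rule set that is still included in bleeding.conf. The file paths are the ones used on this page; the sample files are constructed in a temporary directory so the check runs without a real sensor.

```shell
#!/bin/sh
# Added sanity check (not from the NSMWiki page): confirm the snort.conf lines
# the Sguil sensor relies on are present and uncommented, and that no
# *-BLOCK.rules include is still live in bleeding.conf.

# has_line FILE PATTERN: succeed if FILE has an uncommented line matching PATTERN.
has_line() {
    grep -v '^[[:space:]]*#' "$1" 2>/dev/null | grep -q -- "$2"
}

# check_snort_conf FILE: the settings barnyard/sensor_agent expect in snort.conf.
check_snort_conf() {
    has_line "$1" '^var RULE_PATH /nsm/sguild_data/rules/sensor1' &&
    has_line "$1" '^output log_unified: filename snort.log' &&
    has_line "$1" '^preprocessor perfmonitor:.*/nsm/snort_data/sensor1/snort.stats' &&
    has_line "$1" '^include \$RULE_PATH/bleeding.conf'
}

# block_rules_active FILE: succeed if any BLOCK rule set is still included.
block_rules_active() {
    has_line "$1" '-BLOCK\.rules'
}

# Constructed sample files, mirroring the settings listed on this page.
TMP=$(mktemp -d)
cat > "$TMP/snort.conf" <<'EOF'
var RULE_PATH /nsm/sguild_data/rules/sensor1
output log_unified: filename snort.log, limit 128
preprocessor perfmonitor: time 300 file /nsm/snort_data/sensor1/snort.stats pktcnt 10000
config detection: search-method lowmem
include $RULE_PATH/bleeding.conf
EOF
cat > "$TMP/bleeding.conf" <<'EOF'
include $RULE_PATH/bleeding-attack_response.rules
#include $RULE_PATH/bleeding-botcc-BLOCK.rules
include $RULE_PATH/bleeding-drop-BLOCK.rules
EOF

if check_snort_conf "$TMP/snort.conf"; then
    echo "snort.conf: required lines present"
fi
if block_rules_active "$TMP/bleeding.conf"; then
    echo "bleeding.conf: BLOCK rule sets still included, comment them out"
fi
```

Run it against the real /etc/snort/snort.conf and /nsm/sguild_data/rules/sensor1/bleeding.conf by passing those paths to the two functions instead of the sample files.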
MySQL server
Install the MySQL server from ports or packages, whichever you prefer:
pkg_add mysql-server
/usr/local/bin/mysql_install_db
/usr/local/bin/mysqld_safe &
mysqladmin -u root -p password 'newrootpassword'
Enter Password: <enter>
If MySQL resides on a remote box:
mysql -u root -p [enter 'newrootpassword']
GRANT ALL ON *.* TO 'root'@'%' IDENTIFIED BY 'newrootpassword';
FLUSH PRIVILEGES;
exit
Sguil server
cd /usr/ports/devel
ftp -V http://secure.lv/~nikns/stuff/ports/tclx-8.4.tar
tar xvf tclx-8.4.tar
cd /usr/ports/databases
ftp -V http://secure.lv/~nikns/stuff/ports/mysqltcl-3.02.tar
tar xvf mysqltcl-3.02.tar
cd /usr/ports/security
ftp -V http://secure.lv/~nikns/stuff/ports/sguil-0.6.1.tar
tar xvf sguil-0.6.1.tar
cd sguil/server && make install
Modify /etc/sguild/sguild.conf with the correct database configuration:
set RULESDIR /nsm/sguild_data/rules
set DBPASS "newrootpassword"
set DBHOST localhost
set DBPORT 3306
set DBUSER root
set LOCAL_LOG_DIR /nsm/sguild_data/archive
Start everything up.
chown -R _sguil /nsm/*
On the Sguil server, the first time you will have to hit 'y':
# sudo -u _sguil sguild
pid(438) Loading access list: /etc/sguild/sguild.access
pid(438) Sensor access list set to ALLOW ANY.
pid(438) Client access list set to ALLOW ANY.
pid(438) Email Configuration:
pid(438) Config file: /etc/sguild/sguild.email
pid(438) Enabled: No
pid(438) Connecting to localhost on 3306 as root
pid(438) MySQL Version: version 5.0.45-log
pid(438) Error: mysqluse/db server: Unknown database 'sguildb'
The database sguildb does not exist. Create it ([y]/n)?: y
Path to create_sguildb.sql [/usr/local/share/sguild/sql_scripts/create_sguildb.sql]:
Creating the DB sguildb...Okay.
Creating the structure for sguildb: .......
[...]
On the Sguil sensor:
sh /etc/log_packets.sh start
snort -l /nsm/snort_data/sensor1 -c /etc/snort/snort.conf -A none -m 122 -u _sguil -g _sguil -t /nsm/snort_data/sensor1 -i <yournetworkinterface>
sancp -d /nsm/snort_data/sensor1/sancp/ -c /etc/sancp_sguil.conf -u _sguil -g _sguil -i <yournetworkinterface>
sensor_agent.tcl
sudo -u _sguil barnyard -c /etc/barnyard.conf -d /nsm/snort_data/sensor1 \
  -g /etc/snort/gen-msg.map -p /etc/snort/classification.config \
  -s /etc/snort/sid-msg.map -f snort.log -w /nsm/snort_data/sensor1/waldo.file
Add the following to the crontab (crontab -e):
*/15 * * * * /bin/sh /etc/log_packets.sh restart
On the server, add a user to sguild:
sguild -adduser <username>

