Difference between revisions of "Deploying Sguil"
Edit summary: m (small amount of reformatting.)
Diff at line 137: this revision adds the empty section headings "Deploying the Sguil Sensor" (Requirements, System Preparation, Configuration) and "Deploying the Sguil Analyst Workstation" (Requirements, System Preparation, Configuration) after the server section.
Revision as of 17:59, 20 August 2006
Prerequisites
This document assumes you're familiar with a number of things.
- OS Installation, Hardening, and Management.
- Basic/Intermediate System Administration.
- Network innards.
- FreeBSD ports collection.
Deploying the Sguil Server
Requirements
- A working mysql server on the local machine.
- tcl
  # cd /usr/ports/lang/tcl84 ; make install clean
  # ln /usr/local/bin/tclsh8.4 /usr/local/bin/tclsh
- mysqltcl
# cd /usr/ports/databases/mysqltcl ; make install clean
- tclX
# cd /usr/ports/lang/tclX ; make install clean
- tcllib
# cd /usr/ports/devel/tcllib ; make install clean
- tcpflow
# cd /usr/ports/net/tcpflow ; make install clean
- p0f
# cd /usr/ports/net-mgmt/p0f ; make install clean
Database Preparation
- Get to the mysql CLI (log in as the mysql root user); see this transcript for instructions:
  # mysql -u root -p
  Enter password:
  Welcome to the MySQL monitor.  Commands end with ; or \g.
  Your MySQL connection id is 11 to server version: 5.0.24

  Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

  mysql> create database sguildb;
  Query OK, 1 row affected (0.00 sec)

  mysql> grant all on sguildb.* to 'sguil'@'localhost' identified by 'S_QUEAL-pass';
  Query OK, 0 rows affected (0.00 sec)

  mysql> grant file on *.* to 'sguil'@'localhost' identified by 'S_QUEAL-pass';
  Query OK, 0 rows affected (0.00 sec)

  mysql> quit
  Bye
System Preparation
- Before we continue, it is a fine time to note where you decided to place all of this on the filesystem.
- We'll use /usr/local/sguil as the example (it's also a fine choice in its own right).
- Now we need to download and configure sguil itself:
  # touch ~/.cvspass
  # chmod 0600 ~/.cvspass
  # cd /usr/local
  # cvs -d :pserver:anonymous@sguil.cvs.sourceforge.net:/cvsroot/sguil login
  Logging in to :pserver:anonymous@sguil.cvs.sourceforge.net:2401/cvsroot/sguil
  CVS password: [just hit enter here, there is no password]
  # cvs -d :pserver:anonymous@sguil.cvs.sourceforge.net:/cvsroot/sguil checkout sguil/server
  cvs checkout: Updating sguil/server
  U sguil/server/archive_sguildb.tcl
  U sguil/server/autocat.conf
  U sguil/server/sguild
  ...output truncated for sanity.
  # cd sguil/server
Configuration
# vi sguild.conf
- Set the path to your rules dir structure:
  # Path to look for rules. Sguild will append the hostname (/etc/snort/rules/<hostname>/*.rules)
  # Some day we'll move the rules into the DB.
  set RULESDIR /usr/local/sguil/rules
- Scroll to Database Info and setup the proper parameters:
  # DataBase Info
  set DBNAME sguildb
  set DBPASS "S_QUEAL-pass"
  set DBHOST localhost
  set DBPORT 3306
  set DBUSER sguil
- Scroll down a bit and set the following:
  # Configs for xscript function
  # Where you want to archive raw file locally when xscripts are requested.
  set LOCAL_LOG_DIR /usr/local/sguil/archive
  # Where to store DB LOADable files until loaderd can put them in the DB
  set TMP_LOAD_DIR /usr/local/sguil/load
- Now set the paths to 'tcpflow' and 'p0f' that you installed in prior steps:
  # You MUST have tcpflow installed to get xscripts
  # http://www.circlemud.org/~jelson/software/tcpflow/
  set TCPFLOW "/usr/local/bin/tcpflow"
  ...
  # Path to the p0f binary. Switches -q and -s <filename> are appended on exec,
  # add any others you may need here.
  set P0F_PATH "/usr/local/bin/p0f"
- Now save/quit.
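As an added check (not part of the Sguil project and not from the original page), the following POSIX sh script parses the "set NAME value" lines of a sguild.conf like the one just edited and reports the mistakes that most often bite on first start: a RULESDIR, LOCAL_LOG_DIR or TMP_LOAD_DIR that does not exist yet, a TCPFLOW or P0F_PATH that does not point at an executable, DBPASS left empty or still set to the walkthrough's 'S_QUEAL-pass', and a config file readable by group or others even though it carries the database password in clear text. The function names, the constructed sample configs and the stand-in tcpflow/p0f scripts are all assumptions of this example; against a real install you would call check_sguild_conf /usr/local/sguil/server/sguild.conf.

```shell
#!/bin/sh
# Added sanity check for a freshly edited sguild.conf (example code, not part
# of Sguil). Assumes the Tcl "set NAME value" lines shown in the walkthrough.

# conf_get FILE NAME: value of the first non-comment "set NAME value" line,
# with surrounding double quotes and trailing whitespace removed.
conf_get() {
    grep -E "^[[:space:]]*set[[:space:]]+$2([[:space:]]|\$)" "$1" 2>/dev/null \
        | head -n 1 \
        | sed -E "s/^[[:space:]]*set[[:space:]]+$2[[:space:]]*//; s/[[:space:]]*\$//; s/^\"(.*)\"\$/\1/"
}

# check_sguild_conf FILE: print one line per finding, leave the number of
# findings in SGUIL_PROBLEMS and return 0 only when there are none.
check_sguild_conf() {
    SGUIL_PROBLEMS=0
    if [ ! -f "$1" ]; then
        echo "config file $1 not found"
        SGUIL_PROBLEMS=1
        return 1
    fi
    # ls -ld is used instead of stat because stat's flags differ between BSD
    # and GNU; in the mode string char 5 is group-read, char 8 is other-read.
    case "$(ls -ld "$1")" in
        ????r*|???????r*)
            echo "$1 is readable by group or others but contains DBPASS (chmod 0600 it)"
            SGUIL_PROBLEMS=$((SGUIL_PROBLEMS + 1)) ;;
    esac
    for name in RULESDIR LOCAL_LOG_DIR TMP_LOAD_DIR; do
        dir=$(conf_get "$1" "$name")
        if [ -z "$dir" ]; then
            echo "$name is not set"
            SGUIL_PROBLEMS=$((SGUIL_PROBLEMS + 1))
        elif [ ! -d "$dir" ]; then
            echo "$name=$dir is not a directory (sguild will fail when it first needs it)"
            SGUIL_PROBLEMS=$((SGUIL_PROBLEMS + 1))
        fi
    done
    for name in TCPFLOW P0F_PATH; do
        bin=$(conf_get "$1" "$name")
        if [ -z "$bin" ] || [ ! -x "$bin" ]; then
            echo "$name=$bin is not an executable file (xscripts / p0f lookups will not work)"
            SGUIL_PROBLEMS=$((SGUIL_PROBLEMS + 1))
        fi
    done
    pass=$(conf_get "$1" DBPASS)
    if [ -z "$pass" ] || [ "$pass" = "S_QUEAL-pass" ]; then
        echo "DBPASS is empty or still the example value from the walkthrough"
        SGUIL_PROBLEMS=$((SGUIL_PROBLEMS + 1))
    fi
    [ "$SGUIL_PROBLEMS" -eq 0 ]
}

# write_sample_conf FILE ROOT BINDIR PASS: constructed sguild.conf fragment in
# the walkthrough's format, with every path rooted under ROOT so the demo runs
# anywhere (constructed sample, not a real sguild.conf).
write_sample_conf() {
    cat > "$1" <<EOF
# Path to look for rules. Sguild will append the hostname
set RULESDIR $2/rules
# DataBase Info
set DBNAME sguildb
set DBPASS "$4"
set DBHOST localhost
set DBPORT 3306
set DBUSER sguil
set LOCAL_LOG_DIR $2/archive
set TMP_LOAD_DIR $2/load
set TCPFLOW "$3/tcpflow"
set P0F_PATH "$3/p0f"
EOF
}

# Demo: a weak config beside a corrected one, using stand-in binaries.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/rules" "$demo_root/archive" "$demo_root/bin"
printf '#!/bin/sh\n' > "$demo_root/bin/tcpflow"; chmod 0755 "$demo_root/bin/tcpflow"
printf '#!/bin/sh\n' > "$demo_root/bin/p0f";     chmod 0755 "$demo_root/bin/p0f"

# Weak: world-readable, example password, load directory never created.
write_sample_conf "$demo_root/weak.conf" "$demo_root" "$demo_root/bin" "S_QUEAL-pass"
chmod 0644 "$demo_root/weak.conf"
echo "== weak.conf =="
check_sguild_conf "$demo_root/weak.conf" || echo "findings: $SGUIL_PROBLEMS"

# Corrected: mode 0600, a password of your own, load directory present.
mkdir -p "$demo_root/load"
write_sample_conf "$demo_root/good.conf" "$demo_root" "$demo_root/bin" "example-only-change-me"
chmod 0600 "$demo_root/good.conf"
echo "== good.conf =="
check_sguild_conf "$demo_root/good.conf" && echo "no findings"
rm -rf "$demo_root"
```

Run it with the system /bin/sh; nothing beyond grep, sed, ls and mktemp is needed, so it works on the FreeBSD host the walkthrough assumes as well as on Linux.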
Initial Run
- Now create the database tables:
  # cd /usr/local/sguil/server/sql_scripts
  # mysql -u sguil -p sguildb < create_sguildb.sql
  Enter password:
  # cd ..
- Now create a user:
  # ./sguild -adduser analyst
  Please enter a passwd for analyst:
  Retype passwd:
  User 'analyst' added successfully
  SGUILD: Exiting...
- Now start sguild:
# ./sguild
- It should start and be in very-verbose mode (we left it that way in sguild.conf on purpose).
- If everything has gone ok, we're ready for the next steps.