Difference between revisions of "Deploying Sguil"
Edit summary: a few more bits (sensor software)
Revision as of 23:04, 20 August 2006
Prerequisites
This document assumes you're familiar with a number of things.
- OS Installation, Hardening, and Management.
- Basic/Intermediate System Administration.
- Network innards.
- FreeBSD ports collection.
Deploying the Sguil Server
Requirements
- A working mysql server on the local machine.
- tcl
# cd /usr/ports/lang/tcl84 ; make install clean
# ln /usr/local/bin/tclsh8.4 /usr/local/bin/tclsh
- mysqltcl
# cd /usr/ports/databases/mysqltcl ; make install clean
- tclX
# cd /usr/ports/lang/tclX ; make install clean
- tcllib
# cd /usr/ports/devel/tcllib ; make install clean
- tcpflow
# cd /usr/ports/net/tcpflow ; make install clean
- p0f
# cd /usr/ports/net-mgmt/p0f ; make install clean
Database Preparation
- Get to the mysql CLI (log in as the mysql root user); this transcript shows the steps:
# mysql -u root -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 11 to server version: 5.0.24

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> create database sguildb;
Query OK, 1 row affected (0.00 sec)

mysql> grant all on sguildb.* to 'sguil'@'localhost' identified by 'S_QUEAL-pass';
Query OK, 0 rows affected (0.00 sec)

mysql> grant file on *.* to 'sguil'@'localhost' identified by 'S_QUEAL-pass';
Query OK, 0 rows affected (0.00 sec)

mysql> quit
Bye
System Preparation
- Before we continue, this is a fine time to decide where all of this will live on the filesystem.
- We'll use /usr/local/sguil as the example (it's also a fine choice in practice).
- Now we need to download and configure sguil itself:
# touch ~/.cvspass
# chmod 0600 ~/.cvspass
# cd /usr/local
# cvs -d :pserver:anonymous@sguil.cvs.sourceforge.net:/cvsroot/sguil login
Logging in to :pserver:anonymous@sguil.cvs.sourceforge.net:2401/cvsroot/sguil
CVS password: [just hit enter here, there is no password]
# cvs -d :pserver:anonymous@sguil.cvs.sourceforge.net:/cvsroot/sguil checkout sguil/server
cvs checkout: Updating sguil/server
U sguil/server/archive_sguildb.tcl
U sguil/server/autocat.conf
U sguil/server/sguild
...output truncated for sanity.
# cd sguil/server
Configuration
# vi sguild.conf
- Set the path to your rules directory structure:
# Path to look for rules. Sguild will append the hostname (/etc/snort/rules/<hostname>/*.rules)
# Some day we'll move the rules into the DB.
set RULESDIR /usr/local/sguil/rules
- Scroll to Database Info and set up the proper parameters:
# DataBase Info
set DBNAME sguildb
set DBPASS "S_QUEAL-pass"
set DBHOST localhost
set DBPORT 3306
set DBUSER sguil
- Scroll down a bit and set the following:
# Configs for xscript function
# Where you want to archive raw file locally when xscripts are requested.
set LOCAL_LOG_DIR /usr/local/sguil/archive
# Where to store DB LOADable files until loaderd can put them in the DB
set TMP_LOAD_DIR /usr/local/sguil/load
- Now set the paths to 'tcpflow' and 'p0f' that you installed in prior steps:
# You MUST have tcpflow installed to get xscripts
# http://www.circlemud.org/~jelson/software/tcpflow/
set TCPFLOW "/usr/local/bin/tcpflow"
...
# Path to the p0f binary. Switches -q and -s <filename> are appended on exec,
# add any others you may need here.
set P0F_PATH "/usr/local/bin/p0f"
- Now save/quit.
Initial Run
- Now create the database tables:
# cd /usr/local/sguil/server/sql_scripts
# mysql -u sguil -p sguildb <create_sguildb.sql
Enter password:
# cd ..
- Now create a user:
# ./sguild -adduser analyst
Please enter a passwd for analyst:
Retype passwd:
User 'analyst' added successfully
SGUILD: Exiting...
- Now start sguild:
# ./sguild
- It should start in very verbose mode (we left it that way in sguild.conf on purpose).
- If everything has gone OK, we're ready for the next steps.
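As an added example (not part of this guide or the Sguil project), here is a small POSIX sh script that checks a sguild.conf before you run ./sguild. It pulls the 'set KEY value' entries edited above, confirms the database settings and the tcpflow/p0f paths, and flags a world-readable conf or world-writable rules/archive/load directories. The function names and the sample conf it writes under a temporary directory are constructed for this example; point it at your real /usr/local/sguil/server/sguild.conf to check an actual install.

```shell
#!/bin/sh
# Added example, not from the Sguil project: sanity-check a sguild.conf before
# starting sguild. It reads the Tcl-style "set KEY value" lines the guide edits
# and reports settings that commonly break or weaken an install. The sample
# conf written by sguild_demo_conf is constructed for this example.

# Print the value of "set KEY value" from FILE: comment lines are skipped, the
# last definition wins, and surrounding double quotes are dropped.
sguild_conf_get() {
    grep -v '^[[:space:]]*#' "$1" \
        | awk -v key="$2" '$1 == "set" && $2 == key { $1 = ""; $2 = ""; sub(/^[ \t]+/, ""); v = $0 } END { print v }' \
        | sed 's/^"\(.*\)"$/\1/'
}

# Record one finding and mark the overall check as failed.
fail() { printf '%s\n' "$1"; rc=1; }

# Return 0 when every check passes, 1 otherwise; each problem is printed.
sguild_conf_check() {
    conf=$1
    rc=0

    # sguild.conf holds DBPASS, so it should not be readable by other users
    # (column 8 of the ls -l mode string is the "other read" bit).
    case $(ls -l "$conf" | cut -c8) in r) fail "$conf is world-readable (contains DBPASS)" ;; esac

    # The DB settings must all be present; an empty password means sguild cannot log in.
    for key in DBNAME DBUSER DBHOST DBPORT DBPASS; do
        [ -n "$(sguild_conf_get "$conf" "$key")" ] || fail "$key is not set"
    done

    # sguild execs tcpflow and p0f for xscripts; both paths must be executables.
    for key in TCPFLOW P0F_PATH; do
        bin=$(sguild_conf_get "$conf" "$key")
        [ -x "$bin" ] || fail "$key=$bin is not an executable file"
    done

    # Rules, archive and load directories must exist and must not be world-writable:
    # otherwise any local user could plant rules or tamper with archived packet data.
    for key in RULESDIR LOCAL_LOG_DIR TMP_LOAD_DIR; do
        dir=$(sguild_conf_get "$conf" "$key")
        if [ ! -d "$dir" ]; then
            fail "$key=$dir does not exist"
        elif [ "$(ls -ld "$dir" | cut -c9)" = w ]; then
            fail "$key=$dir is world-writable"
        fi
    done
    return $rc
}

# Write a constructed sguild.conf plus the directories and stub binaries it
# refers to under DIR, with one deliberate defect (a world-writable archive
# directory) so the check has something to report. Prints the conf path.
sguild_demo_conf() {
    dir=$1
    mkdir -p "$dir/rules" "$dir/archive" "$dir/load" "$dir/bin"
    chmod 0750 "$dir/rules" "$dir/load"
    chmod 0777 "$dir/archive"          # the defect the check should report
    printf '#!/bin/sh\n' > "$dir/bin/tcpflow"; chmod 0755 "$dir/bin/tcpflow"
    printf '#!/bin/sh\n' > "$dir/bin/p0f";     chmod 0755 "$dir/bin/p0f"
    cat > "$dir/sguild.conf" <<EOF
# constructed sguild.conf: the keys this guide edits, with sample values
set RULESDIR $dir/rules
# DataBase Info
set DBNAME sguildb
set DBPASS "S_QUEAL-pass"
set DBHOST localhost
set DBPORT 3306
set DBUSER sguil
set LOCAL_LOG_DIR $dir/archive
set TMP_LOAD_DIR $dir/load
set TCPFLOW "$dir/bin/tcpflow"
set P0F_PATH "$dir/bin/p0f"
EOF
    chmod 0600 "$dir/sguild.conf"
    printf '%s\n' "$dir/sguild.conf"
}

# Stand-alone run: check the conf given as $1, or the constructed sample if none.
if [ -n "${1:-}" ]; then
    sguild_conf_check "$1"
else
    tmp=$(mktemp -d)
    sguild_conf_check "$(sguild_demo_conf "$tmp")" || echo "fix the findings above before starting sguild"
    rm -rf "$tmp"
fi
```

Run it as 'sh sguild_check.sh /usr/local/sguil/server/sguild.conf' after the Configuration step. The conf file is treated as sensitive because it carries the database password in clear text; the archive and load directories are checked because sguild writes raw packet data and DB-loadable files there, and the rules directory because the snort rules served to sensors are read from it.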
Deploying the Sguil Sensor
Requirements
- Barnyard with Sguil modifications
# cd /usr/ports/security/barnyard-sguil6 ; make install clean
(Note: you do not need to enable any options in the 'make config' screen.)
- sancp
# cd /usr/ports/security/sancp ; make install clean
- snort
# cd /usr/ports/security/snort ; make install clean
System Preparation
- Download the sguil sensor software:
# cvs -d :pserver:anonymous@sguil.cvs.sourceforge.net:/cvsroot/sguil checkout sguil/sensor
cvs checkout: Updating sguil/sensor
U sguil/sensor/log_packets.sh
U sguil/sensor/sensor_agent.conf
U sguil/sensor/sensor_agent.tcl
...output truncated for sanity