Deploying Sguil

From WTFwiki
Revision as of 17:39, 20 August 2006 by Jontow (talk | contribs) (finish up the sguild deployment notes)

Prerequisites

This document assumes you're familiar with a number of things.

  • OS Installation, Hardening, and Management.
  • Basic/Intermediate System Administration.
  • Network innards.
  • FreeBSD ports collection.


Deploying the Sguil Server

Requirements

  • A working mysql server on the local machine.
  • tcl
 # cd /usr/ports/lang/tcl84 ; make install clean
 # ln /usr/local/bin/tclsh8.4 /usr/local/bin/tclsh
  • mysqltcl
 # cd /usr/ports/databases/mysqltcl ; make install clean
  • tclX
 # cd /usr/ports/lang/tclX ; make install clean
  • tcllib
 # cd /usr/ports/devel/tcllib ; make install clean
  • tcpflow
 # cd /usr/ports/net/tcpflow ; make install clean
  • p0f
 # cd /usr/ports/net-mgmt/p0f ; make install clean
  • Get to the mysql CLI (login as the mysql root user), see this transcript for instructions:
 # mysql -u root -p
 Enter password: 
 Welcome to the MySQL monitor.  Commands end with ; or \g.
 Your MySQL connection id is 11 to server version: 5.0.24

 Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

 mysql> create database sguildb;
 Query OK, 1 row affected (0.00 sec)

 mysql> grant all on sguildb.* to 'sguil'@'localhost' identified by 'S_QUEAL-pass';
 Query OK, 0 rows affected (0.00 sec)

 mysql> grant file on *.* to 'sguil'@'localhost' identified by 'S_QUEAL-pass';
 Query OK, 0 rows affected (0.00 sec)

 mysql>  quit
 Bye
  • Note that FILE is a global privilege: it lets the sguil account make mysqld read and write files on the server host. Sguild needs it because loaderd loads the staged files into the database server-side (see TMP_LOAD_DIR below), so give this account nothing else and use a password of your own in place of S_QUEAL-pass.
  • Before we continue, it is a fine time to note where you decided to place all of this on the filesystem.
  • We'll use /usr/local/sguil as an example (it's only an example, but it's also a perfectly fine choice..)
  • Now we need to download and configure sguil itself:
 # touch ~/.cvspass
 # chmod 0600 ~/.cvspass
 # cd /usr/local
 # cvs -d :pserver:anonymous@sguil.cvs.sourceforge.net:/cvsroot/sguil login
 Logging in to :pserver:anonymous@sguil.cvs.sourceforge.net:2401/cvsroot/sguil
 CVS password:  [just hit enter here, there is no password]
 # cvs -d :pserver:anonymous@sguil.cvs.sourceforge.net:/cvsroot/sguil checkout sguil/server
 cvs checkout: Updating sguil/server
 U sguil/server/archive_sguildb.tcl
 U sguil/server/autocat.conf
 U sguil/server/sguild
 ...output truncated for sanity.
 # cd sguil/server
  • Configuration time!
 # vi sguild.conf
  • Set the path to your rules dir structure:
 # Path to look for rules. Sguild will append the hostname (/etc/snort/rules/<hostname>/*.rules)
 # Some day we'll move the rules into the DB.
 set RULESDIR /usr/local/sguil/rules
  • Scroll to Database Info and setup the proper parameters:
 # DataBase Info
 set DBNAME sguildb
 set DBPASS "S_QUEAL-pass"
 set DBHOST localhost
 set DBPORT 3306
 set DBUSER sguil
  • Scroll down a bit and set the following:
 # Configs for xscript function
 # Where you want to archive raw file locally when xscripts are requested.
 set LOCAL_LOG_DIR /usr/local/sguil/archive

 # Where to store DB LOADable files until loaderd can put them in the DB
 set TMP_LOAD_DIR /usr/local/sguil/load
  • Now set the paths to 'tcpflow' and 'p0f' that you installed in prior steps:
 # You MUST have tcpflow installed to get xscripts
 # http://www.circlemud.org/~jelson/software/tcpflow/
 set TCPFLOW "/usr/local/bin/tcpflow"

 ...

 # Path to the p0f binary. Switches -q and -s <filename> are appended on exec,
 # add any others you may need here.
 set P0F_PATH "/usr/local/bin/p0f"
  • Now save/quit.
  • Now create the tables in sguildb (the database itself already exists from the mysql step above):
 # cd /usr/local/sguil/server/sql_scripts
 # mysql -u sguil -p sguildb <create_sguildb.sql
 Enter password:
 # cd ..
  • Now create a user:
 # ./sguild -adduser analyst
 Please enter a passwd for analyst: 
 Retype passwd: 
 User 'analyst' added successfully
 SGUILD: Exiting...
  • Now start sguild:
 # ./sguild
  • It should start and be in very-verbose mode (we left it that way in sguild.conf on purpose).
  • If everything has gone ok, we're ready for the next steps.
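  • Before the first ./sguild it is worth a pre-flight check of sguild.conf against the filesystem, since a wrong path or a world-readable file holding DBPASS is easy to miss in the verbose startup output. The script below is an added example written for this page, not part of the Sguil project. It assumes the configuration keys are named exactly as in the excerpts above (RULESDIR, LOCAL_LOG_DIR, TMP_LOAD_DIR, TCPFLOW, P0F_PATH, DBPASS) and, for its demo, builds a constructed sample tree under a temporary directory that stands in for /usr/local/sguil, so it runs without a real install.

```sh
#!/bin/sh
# Pre-flight check for a sguild.conf before starting sguild.
# Added example for this page (not Sguil project code). It parses the
# "set KEY value" lines shown above and verifies that the directories exist
# and are writable, that the helper binaries are executable, and that the
# file holding DBPASS is not readable by group or others.
# Assumption: key names are those in the sguild.conf excerpts
# (RULESDIR, LOCAL_LOG_DIR, TMP_LOAD_DIR, TCPFLOW, P0F_PATH, DBPASS).

# conf_get FILE KEY -> prints the value of "set KEY value", quotes stripped.
conf_get() {
    awk -v k="$2" '$1 == "set" && $2 == k { v = $3; gsub(/"/, "", v); print v; exit }' "$1"
}

# check_sguild_conf FILE
# Prints one "PROBLEM: ..." line per finding; exit status is the number found.
check_sguild_conf() {
    conf=$1; n=0

    # sguild.conf carries the database password in clear text, so it must not
    # be group- or world-readable. find -perm -MODE is POSIX (stat(1) flags are not).
    if [ -n "$(find "$conf" \( -perm -040 -o -perm -004 \) -print 2>/dev/null)" ]; then
        echo "PROBLEM: $conf is readable by group/others but contains DBPASS (chmod 0600 it)"
        n=$((n + 1))
    fi

    if [ -z "$(conf_get "$conf" DBPASS)" ]; then
        echo "PROBLEM: DBPASS is not set"; n=$((n + 1))
    fi

    # Directories sguild reads from (rules) or writes to (archive, load) while running.
    for key in RULESDIR LOCAL_LOG_DIR TMP_LOAD_DIR; do
        dir=$(conf_get "$conf" "$key")
        if [ -z "$dir" ]; then
            echo "PROBLEM: $key is not set"; n=$((n + 1))
        elif [ ! -d "$dir" ]; then
            echo "PROBLEM: $key=$dir is not a directory"; n=$((n + 1))
        elif [ "$key" != RULESDIR ] && [ ! -w "$dir" ]; then
            echo "PROBLEM: $key=$dir is not writable"; n=$((n + 1))
        fi
    done

    # Helper binaries sguild execs for transcripts (tcpflow) and OS fingerprints (p0f).
    for key in TCPFLOW P0F_PATH; do
        bin=$(conf_get "$conf" "$key")
        if [ ! -x "$bin" ]; then
            echo "PROBLEM: $key=$bin is not an executable file"; n=$((n + 1))
        fi
    done

    return "$n"
}

# write_sample_conf FILE BASEDIR: constructed sample in the page's format,
# with BASEDIR standing in for /usr/local/sguil so the demo runs anywhere.
write_sample_conf() {
    cat > "$1" <<EOF
# DataBase Info
set DBNAME sguildb
set DBPASS "S_QUEAL-pass"
set DBHOST localhost
set DBPORT 3306
set DBUSER sguil
set RULESDIR $2/rules
set LOCAL_LOG_DIR $2/archive
set TMP_LOAD_DIR $2/load
set TCPFLOW "$2/bin/tcpflow"
set P0F_PATH "$2/bin/p0f"
EOF
}

# Stand-alone demo on a constructed tree (nothing here touches a real install).
demo() {
    base=$(mktemp -d)
    mkdir -p "$base/rules" "$base/archive" "$base/load" "$base/bin"
    printf '#!/bin/sh\n' > "$base/bin/tcpflow"; chmod 0755 "$base/bin/tcpflow"
    cp "$base/bin/tcpflow" "$base/bin/p0f"

    write_sample_conf "$base/sguild.conf" "$base"
    chmod 0644 "$base/sguild.conf"          # too permissive on purpose
    rm -rf "$base/load"                     # and a missing load dir
    echo "== before fixing:"; check_sguild_conf "$base/sguild.conf" || echo "   ($? problems)"
    chmod 0600 "$base/sguild.conf"; mkdir "$base/load"
    echo "== after fixing:";  check_sguild_conf "$base/sguild.conf" && echo "   (clean)"
    rm -rf "$base"
}
demo
```

  • To use it on a real install, call check_sguild_conf /usr/local/sguil/server/sguild.conf (as the user that will run sguild, so the -w and -x tests reflect its permissions) and fix anything it reports before the next ./sguild.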