Difference between revisions of "Deploying Sguil"

From WTFwiki
(a few more bits (sensor software))
(Clear page -- point to correct link.)
== Prerequisites ==

This document assumes you're familiar with a number of things.

* OS Installation, Hardening, and Management.
* Basic/Intermediate System Administration.
* Network innards.
* FreeBSD ports collection.

== Deploying the Sguil Server ==

=== Requirements ===

* A working [[Deploying Mysql|'''mysql''']] server on the local machine.

* '''tcl'''
 
  # cd /usr/ports/lang/tcl84 ; make install clean
 
  # ln /usr/local/bin/tclsh8.4 /usr/local/bin/tclsh
 
* '''mysqltcl'''
 
  # cd /usr/ports/databases/mysqltcl ; make install clean
 
* '''tclX'''
 
  # cd /usr/ports/lang/tclX ; make install clean
 
* '''tcllib'''
 
  # cd /usr/ports/devel/tcllib ; make install clean
 
* '''tcpflow'''
 
  # cd /usr/ports/net/tcpflow ; make install clean
 
* '''p0f'''
 
  # cd /usr/ports/net-mgmt/p0f ; make install clean
 
 
 
=== Database Preparation ===

* Get to the mysql CLI (log in as the mysql root user); this transcript shows the steps:

  # mysql -u root -p
  Enter password:
  Welcome to the MySQL monitor.  Commands end with ; or \g.
  Your MySQL connection id is 11 to server version: 5.0.24
 
  Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
 
  mysql> create database sguildb;
  Query OK, 1 row affected (0.00 sec)
 
  mysql> grant all on sguildb.* to 'sguil'@'localhost' identified by 'S_QUEAL-pass';
  Query OK, 0 rows affected (0.00 sec)
 
  mysql> grant file on *.* to 'sguil'@'localhost' identified by 'S_QUEAL-pass';
  Query OK, 0 rows affected (0.00 sec)
 
  mysql> quit
  Bye
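The transcript above is fine typed by hand. If you script the same three statements (for a rebuild, or for a second server), the version below is an added example, not part of this wiki page or of Sguil itself: it validates the database name, user name and password before they are interpolated into SQL (a stray quote would otherwise break the GRANT or change its meaning), and it prompts for the password instead of taking it on the command line, where it would land in shell history and in `ps` output. The function names and the prompt text are this example's own; the statements rendered are exactly the ones in the transcript.

```shell
#!/bin/sh
# Added example, not from the WTFwiki page or from Sguil: render the three
# statements from the transcript above from validated inputs.

# Accept only a plain identifier for the database and user names.
is_ident() {
    case "$1" in
        "" | *[!A-Za-z0-9_]*) return 1 ;;
        *) return 0 ;;
    esac
}

# The password is interpolated inside a single-quoted SQL string, so reject
# quotes, backslashes and whitespace instead of trying to escape them.
is_safe_pass() {
    q="'"; bs='\'
    case "$1" in
        "" | *"$q"* | *"$bs"* | *[[:space:]]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the SQL for database $1, user $2 and password $3; executes nothing.
# FILE is a global privilege, so it is granted ON *.* exactly as in the transcript.
sguil_db_sql() {
    db="$1"; user="$2"; pass="$3"
    is_ident "$db" && is_ident "$user" && is_safe_pass "$pass" || return 1
    printf "CREATE DATABASE %s;\n" "$db"
    printf "GRANT ALL ON %s.* TO '%s'@'localhost' IDENTIFIED BY '%s';\n" "$db" "$user" "$pass"
    printf "GRANT FILE ON *.* TO '%s'@'localhost' IDENTIFIED BY '%s';\n" "$user" "$pass"
}

# Prompt for the new user's password with echo off, then feed the SQL to mysql
# as root (mysql -p still asks for the root password on the terminal).
# Usage: sguil_db_create [dbname] [user]
sguil_db_create() {
    printf 'Password for the new sguil DB user: ' >&2
    stty -echo; read -r pass; stty echo; echo >&2
    sguil_db_sql "${1:-sguildb}" "${2:-sguil}" "$pass" | mysql -u root -p
}
```

Run `sguil_db_create` with no arguments to get the same `sguildb`/`sguil` pair the page uses; `sguil_db_sql sguildb sguil 'S_QUEAL-pass'` alone just prints the statements so you can review them first.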
 
 
 
=== System Preparation ===

* Before we continue, now is a good time to decide where all of this will live on the filesystem.
* We'll use /usr/local/sguil as the example path (it's a fine choice in practice, too).

* Now we need to download and configure sguil itself:

  # touch ~/.cvspass
  # chmod 0600 ~/.cvspass
  # cd /usr/local
  # cvs -d :pserver:anonymous@sguil.cvs.sourceforge.net:/cvsroot/sguil login
  Logging in to :pserver:anonymous@sguil.cvs.sourceforge.net:2401/cvsroot/sguil
  CVS password:  [just hit enter here, there is no password]
  # cvs -d :pserver:anonymous@sguil.cvs.sourceforge.net:/cvsroot/sguil checkout sguil/server
  cvs checkout: Updating sguil/server
  U sguil/server/archive_sguildb.tcl
  U sguil/server/autocat.conf
  U sguil/server/sguild
  ...output truncated for sanity.
  # cd sguil/server
 
 
 
=== Configuration ===

  # vi sguild.conf

* Set the path to your rules directory tree:

  # Path to look for rules. Sguild will append the hostname (/etc/snort/rules/<hostname>/*.rules)
  # Some day we'll move the rules into the DB.
  set RULESDIR /usr/local/sguil/rules

* Scroll to Database Info and set the proper parameters:

  # DataBase Info
  set DBNAME sguildb
  set DBPASS "S_QUEAL-pass"
  set DBHOST localhost
  set DBPORT 3306
  set DBUSER sguil

* Scroll down a bit and set the following:

  # Configs for xscript function
  # Where you want to archive raw file locally when xscripts are requested.
  set LOCAL_LOG_DIR /usr/local/sguil/archive
 
  # Where to store DB LOADable files until loaderd can put them in the DB
  set TMP_LOAD_DIR /usr/local/sguil/load

* Now set the paths to 'tcpflow' and 'p0f' that you installed in prior steps:

  # You MUST have tcpflow installed to get xscripts
  # http://www.circlemud.org/~jelson/software/tcpflow/
  set TCPFLOW "/usr/local/bin/tcpflow"
 
  ...
 
  # Path to the p0f binary. Switches -q and -s <filename> are appended on exec,
  # add any others you may need here.
  set P0F_PATH "/usr/local/bin/p0f"

* Now save/quit.
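Before the first start it is worth checking that every setting edited above actually resolves: sguild will only complain about a missing tcpflow or p0f binary, or a missing archive directory, when it first needs them. The script below is an added example, not part of this wiki page or of Sguil itself. It assumes the `set KEY VALUE` syntax and the key names shown on this page, reads sguild.conf with a small awk helper, and also refuses a config file that is group- or world-readable, since `DBPASS` sits in it in cleartext. Function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the WTFwiki page or from Sguil: sanity-check the
# sguild.conf settings edited above before starting sguild.

# Print the value of a "set KEY VALUE" line, minus surrounding double quotes.
# Only the first word of the value is taken, which covers the paths and
# names used on this page.
conf_get() {
    awk -v key="$2" '
        $1 == "set" && $2 == key {
            v = $3
            gsub(/^"|"$/, "", v)
            print v
            exit
        }' "$1"
}

# Return 0 if the config looks usable, 1 otherwise; each problem goes to stderr.
check_sguild_conf() {
    conf="$1"
    rc=0

    # sguild.conf holds DBPASS in cleartext, so refuse group/world-readable copies.
    # GNU stat and BSD stat print the octal mode with different flags.
    mode=$(stat -c %a "$conf" 2>/dev/null || stat -f %Lp "$conf")
    case "$mode" in
        *00) ;;
        *) echo "$conf: mode $mode exposes DBPASS; chmod 0600 it" >&2; rc=1 ;;
    esac

    # Database connection settings must all be present.
    for key in DBNAME DBUSER DBPASS DBHOST DBPORT; do
        [ -n "$(conf_get "$conf" "$key")" ] || { echo "$conf: $key is not set" >&2; rc=1; }
    done

    # Helper binaries must be executable, or xscripts and OS fingerprinting fail later.
    for key in TCPFLOW P0F_PATH; do
        bin=$(conf_get "$conf" "$key")
        [ -x "$bin" ] || { echo "$conf: $key='$bin' is not executable" >&2; rc=1; }
    done

    # Directories sguild reads from or writes to must exist.
    for key in RULESDIR LOCAL_LOG_DIR TMP_LOAD_DIR; do
        dir=$(conf_get "$conf" "$key")
        [ -d "$dir" ] || { echo "$conf: $key='$dir' is not a directory" >&2; rc=1; }
    done

    return $rc
}

# Usage: sh check_sguild_conf.sh /usr/local/sguil/server/sguild.conf
[ $# -eq 0 ] || check_sguild_conf "$1"
```

A non-zero exit with the offending key printed is the whole interface, so the check drops into an rc script or a cron job as easily as it runs by hand.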
 
 
 
=== Initial Run ===

* Now create the database tables:

  # cd /usr/local/sguil/server/sql_scripts
  # mysql -u sguil -p sguildb < create_sguildb.sql
  Enter password:
  # cd ..

* Now create a user:

  # ./sguild -adduser analyst
  Please enter a passwd for analyst:
  Retype passwd:
  User 'analyst' added successfully
  SGUILD: Exiting...

* Now start sguild:

  # ./sguild

* It should start in very-verbose mode (we left it that way in sguild.conf on purpose).
* If everything has gone OK, we're ready for the next steps.
 
 
 
 
 
== Deploying the Sguil Sensor ==

=== Requirements ===

* '''Barnyard''' with Sguil modifications

  # cd /usr/ports/security/barnyard-sguil6 ; make install clean
  (Note: you do not need to enable any options in the 'make config' screen.)

* '''sancp'''

  # cd /usr/ports/security/sancp ; make install clean

* '''snort'''

  # cd /usr/ports/security/snort ; make install clean
 
 
 
=== System Preparation ===

* Download the sguil sensor software:

  # cvs -d :pserver:anonymous@sguil.cvs.sourceforge.net:/cvsroot/sguil checkout sguil/sensor
  cvs checkout: Updating sguil/sensor
  U sguil/sensor/log_packets.sh
  U sguil/sensor/sensor_agent.conf
  U sguil/sensor/sensor_agent.tcl
  ...output truncated for sanity
 
 
 
=== Configuration ===

== Deploying the Sguil Analyst Workstation ==

=== Requirements ===

=== System Preparation ===

=== Configuration ===
 

Revision as of 12:33, 22 June 2007

= PLEASE NOTE: =

* This page is now irrelevant in many ways.
* For accurate, up-to-date information, visit the [http://wiki.sguil.net/ NSM Wiki].