soup4you2
July 29th, 2003, 10:07
Sguil 0.2.5 (Snort GUI for LamerZ) Installation for FreeBSD howto

By: Soup4you2 (http://bsdhound.com)

About This Howto:

Sguil (pronounced "sgweel") is a GUI (graphical user interface) for the Snort IDS (intrusion detection
system). Sguil was written using the Tcl/Tk language by Robert (Bamm) Visscher. Sometimes reading
Snort logs can be a real pain, so most people out there use another open source application called
ACID (Analysis Console for Intrusion Detection); a howto on getting that puppy installed can be found
here (http://bsdhound.com/modules.php?name=News&file=article&sid=56). Sguil, in my opinion, just
kicks ass. However, there are drawbacks to whichever one you choose, whether it be ACID or Sguil. The
two main drawbacks are these: with ACID you can easily monitor over the internet, but this is not in
real time; it will only notify you on a page refresh when activity is present, whereas Sguil is real
time. Now what if I'm not at home? Well, you can run the sguil.tk client on a remote PC to watch your
server at home. If encryption is a concern, Sguil supports OpenSSL, or you can use SSH tunneling
(ssh -L 7734:localhost:7734 -L 7735:localhost:7735 <remotehost>). That doesn't tunnel X, just the
Sguil comms.


This document is going to explain how to get Sguil set up and working on your BSD operating system.
The configuration I'm going to be using in this guide is going to be very basic. In my opinion, if
you're trying to install something like this then you should have a good grasp on using and moving
around your BSD operating system. I'm going to be following the basic locations of the guides put
out by the author of Sguil, only we're going to be doing it the BSD way. After you get this
installed it's EXTREMELY recommended you do some further tweaking, especially on what Snort looks
for.

Contents of this article:

1. Prerequisites
2. See Sguil in action.
3. So how's this thing work?
4. Installing Sguil

Prerequisites

There are some required packages that you're going to need to install in order to get this to work.
But have no fear, the ports are here.

Festival:
Let's start off with /usr/ports/audio/festival. You can try installing this port, but when I tried,
the port was broken. That's no big deal; it just means you're not going to get any sound. But you
can try; who knows, perhaps today is the lucky day a new Makefile enters the ports tree.

festival-devel:
Yet another broken port, but no big deal... Let's move on down the line.

Itcl:
/usr/ports/lang/itcl [incr Tcl] is an object oriented extension to Tcl. The [incr Tcl] language is
also known as "itcl". Just a standard install of the port will be fine.

Tclx:
/usr/ports/lang/tclX Extended Tcl (TclX) is a set of extensions to Tcl, the Tool Command Language
invented by Dr. John Ousterhout of the University of California at Berkeley. Tcl is a powerful, yet
simple, embeddable programming language. Extended Tcl is oriented towards Unix system programming
tasks, with many additional interfaces to the Unix operating system, and it is upwardly compatible
with Tcl. You take the Extended Tcl package, add it to Tcl, and from that you get Extended Tcl. A
normal install from the ports tree on this one also.

MySQL-server:
/usr/ports/databases/mysqlxxx-server. There is a trick to this one. See, I recently upgraded to
FreeBSD 5.1 and I was using mysql323, but without the new GCC or EGCS you're not going to be able to
install it from the ports tree. You're going to have to use MySQL 4.0. However, the way we're going
to install MySQL is going to be a little different than usual. MySQL by default disables LOCAL
INFILE, so edit the Makefile and do what you gotta do to get it to pass the argument
--enable-local-infile. The best way that comes to my mind is to edit the Makefile inside your ports
directory and look for a statement like below:

[code:1:65c8e327aa]
.if ${MACHINE_ARCH} == "i386"
CONFIGURE_ARGS+=--enable-assembler --with-berkeley-db
.endif
[/code:1:65c8e327aa]

And change it to below: (Make sure you pick your correct architecture)

[code:1:65c8e327aa]
.if ${MACHINE_ARCH} == "i386"
CONFIGURE_ARGS+=--enable-assembler --with-berkeley-db --enable-local-infile
.endif
[/code:1:65c8e327aa]

Mysqltcl:
/usr/ports/databases/mysqltcl MySQLTcl is a collection of Tcl commands and a Tcl global array that
provide access to one or more MySQL database servers. A standard install will be fine.

tcpflow:
/usr/ports/net/tcpflow/ tcpflow is a program that captures data transmitted as part of TCP
connections (flows), and stores it in a way that is convenient for protocol analysis or debugging. A
program like tcpdump only shows a summary of packets seen on the wire, but usually doesn't store the
data that's actually being transmitted. In contrast, tcpflow reconstructs the actual data streams
and stores each flow in a separate file for later analysis. Another normal install here too.

See Sguil in action.

Below are a couple of screenshots I decided to take to show you what you're going to be working for.
It's well worth it and I'm more than sure you will enjoy it as much as I do.

Login Screen (http://bsdhound.com/images/stories/july_03/sguil2.png)

Sguil is set up so no ordinary user can log in and read through your logs, which we all would come
to expect. It offers a secure SSL layer from the client to the server, and encrypted passwords,
whereas in ACID all you needed to know was the address it was on (that's if the admin was dumb and
didn't secure it properly).

Sensors (http://bsdhound.com/images/stories/july_03/sguil1.png)

Sguil will not only watch your server; you can set up other sensors to monitor more than one
workstation at a time, by going through SSH. However, we will not be covering this in this document.
Perhaps in the future.

Realtime Monitoring (http://bsdhound.com/images/stories/july_03/sguil3.png)

Just sit back, grab a beer and watch. No need for refreshes or anything. You can even perform SQL
queries to search for specific events. Since the application runs in real time, that means you can
easily see what's happening before and after the attack.

Information (http://bsdhound.com/images/stories/july_03/sguil4.png)

Sguil gives a nice clean layout while giving all the information you should need: a great whois
interface, packet information, good portscan data, DNS lookups, sources, etc. You catch the idea.

So how do things work?

Below is a diagram of how the scripts work together. Study it for a bit before reading on.

http://bsdhound.dnsalias.net:81/images/stories/july_03/sguil5.png

There are 3 parts to Sguil: the server, client, and sensors.

Client:

sguil.tk - Analysis GUI client

Sensors:

sensor_agent.tcl - a script that runs on the sensor that loads portscan, session, and sensor
statistics to the sguild server.

log_packets.sh - a shell script that runs a second instance of Snort to log all packets for
correlation. Meant to be installed in a crontab.

Servers:

sguild - The Sguil server (again a Tcl script). This is the brains behind this whole mess. This
stuff gets installed on the database server.

xscriptd - A Tcl script that takes requests from the client for correlation data, goes and gets the
packets off of the sensor, and then sends them to the client.

Misc:

Barnyard - Barnyard takes the task of processing alerts away from Snort, so Snort can log alerts
faster, among other things.

Snort isn't threaded. That means any time you add load with an expensive output plugin (like
inserting into a DB), you can cause Snort to block and drop packets.

Installing Sguil

Obtaining SGUIL:
Getting your copy of sguil is easy thanks to sourceforge and their almighty network.

[code:1:65c8e327aa]
($:~)=> cd /usr/local/src
($:~)=> cvs -d:pserver:anonymous@cvs.sourceforge.net:/cvsroot/sguil login
Hit Enter when prompted for a password
($:~)=> cvs -z3 -d:pserver:anonymous@cvs.sourceforge.net:/cvsroot/sguil checkout sguil
($:~)=> cvs -d:pserver:anonymous@cvs.sourceforge.net:/cvsroot/sguil logout
[/code:1:65c8e327aa]

Installing Snort:

[code:1:65c8e327aa]
($:~)=> mkdir /usr/local/etc/snort
($:~)=> mkdir /usr/local/etc/snort/rules
($:~)=> mkdir /var/log/snort
($:~)=> mkdir /var/log/snort/portscans
($:~)=> mkdir /var/log/snort/ssn_logs

($:~)=> mkdir /var/log/snort/dailylogs
($:~)=> mkdir /var/log/snort/archive
($:~)=> cd /usr/ports/security/snort
($:~)=> make extract
($:~)=> cd work/snort-2.0.0/src/preprocessors/
[/code:1:65c8e327aa]

Now what we're doing here is we need to patch 2 files before we begin our compile. So remember,
whenever you do a portupgrade and you see snort on the list, remember to patch it.

[code:1:65c8e327aa]
($:~)=> patch -p0 spp_portscan.c < /usr/local/src/sguil/sensor/snort_mods/2_0/spp_portscan_sguil.patch
[/code:1:65c8e327aa]

You should be presented with output like below:

[code:1:65c8e327aa]
Hmm... Looks like a new-style context diff to me...
The text leading up to this was:
--------------------------
|Index: spp_portscan.c
|===================================================================
|RCS file: /cvsroot/snort/snort/src/preprocessors/spp_portscan.c,v
|retrieving revision 1.45
|diff -c -r1.45 spp_portscan.c
|*** spp_portscan.c 26 Mar 2003 21:59:48 -0000 1.45
|--- spp_portscan.c 1 May 2003 15:02:50 -0000
--------------------------
Patching file spp_portscan.c using Plan A...
Reversed (or previously applied) patch detected! Assume -R? [y]
Hunk #1 succeeded at 22.
Hunk #2 succeeded at 234.
Hunk #3 succeeded at 981.
Hunk #4 succeeded at 1233.
Hunk #5 succeeded at 1241.
Hunk #6 succeeded at 1263.
Hunk #7 succeeded at 1382.
Hunk #8 succeeded at 1406.
Hunk #9 succeeded at 1507.
Done
[/code:1:65c8e327aa]

Congrats, you patched 1 file. Now we need to do the same to another file.

[code:1:65c8e327aa]
($:~)=> patch -p0 spp_stream4.c < /usr/local/src/sguil/sensor/snort_mods/2_0/spp_stream4_sguil.patch
($:~)=> cd /usr/ports/security/snort
($:~)=> make -DWITH_MYSQL=yes install (do not include clean)
($:~)=> cd /usr/ports/security/snort/work/snort-2.0.0/etc
($:~)=> cp gen-msg.map snort.conf reference.config classification.config sid-msg.map /usr/local/etc/snort/
($:~)=> cd /usr/local/etc/snort
($:~)=> vi snort.conf
[/code:1:65c8e327aa]

Ok, here we will be making some changes to Snort's configuration file so it knows how to function
with Sguil. The first thing we're going to change here is HOME_NET. Please remember this is a very
basic configuration of Snort. I'm leaving it up to you to configure Snort the way you like it.

SNORT.CONF

HOME_NET

This option tells Snort the IP address associated with your external interface. An example would be
var HOME_NET 10.1.1.0/24. If you have multiple interfaces which Snort is going to be listening on,
you would make it look like var HOME_NET [10.1.1.0/24,192.168.1.0/24].

EXTERNAL_NET

Same as HOME_NET except this is an external net. You get the idea. var EXTERNAL_NET any

DNS_SERVERS

These are the DNS servers on your network. So you could have something like: var DNS_SERVERS
[68.100.16.30/32,68.100.25/32,10.52.1.1/32]

RULE_PATH

This is where your Snort rules are located. Pretty self explanatory. We're going to use var
RULE_PATH /usr/local/etc/snort/rules since that's the directory we made for it above.

PREPROCESSOR STREAM4

This option sets how you want Snort to inspect your TCP streams. We're going to set it up like:

preprocessor stream4: detect_scans, disable_evasion_alerts, keepstats db /var/log/snort/ssn_logs

PREPROCESSOR PORTSCAN

preprocessor portscan: $HOME_NET 4 3 /var/log/snort/portscans dominion ("Replace dominion with your
system hostname")

OUTPUT LOG_UNIFIED

The unified output plugin provides two new formats for logging and generating alerts from Snort, the
"unified" format. The unified format is a straight binary format for logging data out of Snort that
is designed to be fast and efficient. output log_unified: filename snort.log, limit 128

Now go ahead and do further configuration of Snort, then save and exit. The next thing we need to do
is update our Snort rules. It's best to have the latest rules to play with.

[code:1:65c8e327aa]
($:~)=> cd /tmp ; fetch http://www.snort.org/downloads/snortrules.tar.gz
($:~)=> cd /usr/local/etc/snort/rules
($:~)=> tar -xzf /tmp/snortrules.tar.gz
[/code:1:65c8e327aa]

Congratulations, you now have Snort installed.

Since we got some rules installed, Kernel_Killer
(http://bsdhound.com/modules.php?name=Your_Account&op=userinfo&uname=Kernel_Killer) was nice enough
to give us some documentation on editing your rules.

SNORT RULES

To change rule arguments, you need to change the snort.conf file to point to your desired set of
rules in the /usr/local/etc/snort/rules directory. Remember, adding several rules can slow your
system down, and cause several problems for slower systems.

In the snort.conf file, add something like this:

include $RULE_PATH/test.rules

You should add this in the area with the other rulesets. You can also change the ruleset local.rules
since it is empty.

Let's look at how rules are fragmented.

alert tcp 192.168.1.0/24,!192.168.2.0/24 any -> 192.168.0.0/24 80 (msg:"HTTP attempt"; content:"EXECUTE_SYSTEM"; nocase; classtype:system-call-detect; sid:1673; rev:3;)

That should cover most of the possible arguments.

First look at "alert". This first part can be a variation of settings. Alert uses the alert method,
and logs the packets. Log will just log the packets. Pass will ignore the packets. Active will alert
and start another dynamic rule. Dynamic will only be triggered by an active rule.

The second part, "tcp", is the protocol. Choose between tcp, udp, icmp, and ip.

The third, "192.168.1.0/24,!192.168.2.0/24 any", deals with the source IP. Let's look at the first
IP network. 192.168.1.0/24 shows the first group of IPs: 192.168.1.0-192.168.1.255. The second IP
network, "!192.168.2.0/24", separated by a comma, is the second group of IPs to monitor for this
rule. The exclamation point makes Snort watch all IPs except the one defined after it. You can also
list IPs in brackets.

... tcp ![192.168.1.0/24,192.168.2.0/24] any

You can set specific IPs by using a /32 subnet, instead of the common /8, /16, /24.

Let's look at the next fragment, "-> 192.168.0.0/24 80". This is more than obvious. You can see,
since there is an arrow pointing from the source, that the next IP set is the destination. Just like
the source, you can set your destination the same way.

The last number, "80", is the port to watch. You can set the source port the same way with the
source address in place of the "any". If you need to set a range, set a range of ports with a colon.

-> 192.168.0.0/24 80:1024

To make a wildcard range you can set "80:" which will scan all incoming going to port 80 and
greater. You can also reverse this to do less than, like ":80". If you want to log all but a range
of ports, use the exclamation point.

!80:84

There are a few things that can be changed in these past few sections. First off, the IPs and ports
can be set to "any". You can also replace the "->" with "<>" which allows both IP sets to be either
source or destination.

The last part of the rule shows various options. If you look you will see "msg", "content",
"nocase", "sid", and "rev". Msg prints a message in the logs and alerts. Content searches for a
specific command in the packet payload. Nocase makes sure that the content is not case sensitive
when matching. Sid says what rule number it is, and rev tells what rule revision number it is. Let's
look at a list of other rule options.

(list provided by snort.org)

logto: log packet to specific filename
ttl: test the IP header's ttl value
tos: test the IP header's TOS value
id: test IP header frag ID for specific value
ipoption: watch for specific codes in the IP option fields
fragbits: test frag bits of the IP header
dsize: test the packet's payload size compared to a value
flags: watch TCP flags for certain values
seq: watch TCP sequence for specific value
ack: watch TCP acknowledgement for specific value
itype: watch ICMP type for specific value
icode: watch ICMP code for specific value
icmp_id: compare ICMP ECHO ID for specific value
icmp_seq: compare ICMP ECHO sequence for specific value
content-list: watch for specific pattern in payload
offset: mod for content option, sets offset to attempt a pattern match
depth: mod for content option, sets max search depth for pattern
session: dumps app layer info for session
rpc: watch for RPC services for specific calls
resp: active response, helps close connections to stop attempts
react: active response, block sites
reference: external attack reference IDs
classtype: rule class identification
priority: rule severity identification
uricontent: search for pattern in URI part of packet
tag: advanced logging actions for rules
ip_proto: IP header protocol value
sameip: watch to see if destination IP = source IP
stateless: ignore stream state
regex: wildcard pattern matching
byte_test: numerical evaluation
distance: pattern matching to skip space
within: pattern matching within a count
byte_test: pattern testing by numbers
byte_jump: numerical pattern testing and offset adjust

If you look in your rule files, you might notice some variables like $EXTERNAL_NET, $HOME_NET, etc.
These can be set within the snort.conf file. Looking in there, some variables are set to "any", and
some are commented out. Setting these can make setting rules a lot easier, and take a lot less time.
By setting these variables, you can then set your rules like so.

alert tcp $EXTERNAL_NET any -> $HOME_NET any

More on: http://www.snort.org/docs/writing_rules/chap2.html#sample%20snort%20rule

Now onto barnyard.

Installing Barnyard

First let's get a copy of Barnyard.

[code:1:65c8e327aa]
($:~)=> cd /tmp ; fetch http://snort.org/dll/barnyard/barnyard-0.1.0.tar.gz
($:~)=> cd /usr/local/src
($:~)=> tar -xzvf /tmp/barnyard-0.1.0.tar.gz
[/code:1:65c8e327aa]

Now we need to do a little patching to Barnyard so it recognizes Sguil.

[code:1:65c8e327aa]
($:~)=> cd barnyard-0.1.0/src/output-plugins
($:~)=> cp /usr/local/src/sguil/sensor/barnyard_mods/op_sguil* .
($:~)=> cd ../..
($:~)=> ./configure --enable-mysql --with-mysql-includes=/usr/local/include/mysql --with-mysql-libraries=/usr/local/lib/mysql
[/code:1:65c8e327aa]

Now I promised patching, so here it is. We're going to edit the Makefile and build the new object
files. This will prevent our Makefile from being overwritten during compiling.

[code:1:65c8e327aa]
($:~)=> cd src/output-plugins
($:~)=> vi Makefile
[/code:1:65c8e327aa]

Now let's search for the variable libop_a_SOURCES and change it accordingly.

libop_a_SOURCES = op_decode.c op_fast.c op_plugbase.c op_logdump.c op_decode.h op_fast.h op_plugbase.h op_logdump.h op_alert_syslog.c op_alert_syslog.h op_log_pcap.c op_log_pcap.h op_acid_db.c op_acid_db.h op_alert_csv.c op_alert_csv.h op_sguil.c op_sguil.h

Next search for libop_a_OBJECTS and change to below.

libop_a_OBJECTS = op_decode.o op_fast.o op_plugbase.o op_logdump.o op_alert_syslog.o op_log_pcap.o op_acid_db.o op_alert_csv.o op_sguil.o

Save the file and exit. Now let's edit the next file.

[code:1:65c8e327aa]
($:~)=> vi op_plugbase.c
[/code:1:65c8e327aa]

Now around line 27 you should see the area below. Go ahead and edit it like below:

[code:1:65c8e327aa]
#ifdef ENABLE_MYSQL
#include "op_acid_db.h"
#include "op_sguil.h"
#endif

Then again around line 47

#ifdef ENABLE_MYSQL
AcidDbOpInit();
SguilOpInit();
#endif

($:~)=> make
($:~)=> cd ../.. ; make
($:~)=> make install
[/code:1:65c8e327aa]

Congratulations, Barnyard is now built and installed. Before configuring Barnyard, let's go ahead and
create our Sguil database.

[code:1:65c8e327aa]
($:~)=> mysql -u USERNAME -p
mysql> create database sguildb;
Query OK, 1 row affected (0.05 sec)
mysql> quit;
($:~)=> mysql -u USERNAME -p sguildb < /usr/local/src/sguil/server/sql_scripts/create_sguildb.sql
[/code:1:65c8e327aa]

Ok, now you have the MySQL scripts installed. Make sure you give MySQL a user, password and correct
permissions to your new database. Now let's get into configuring your Barnyard conf.

[code:1:65c8e327aa]
($:~)=> cp /usr/local/src/barnyard-0.1.0/etc/barnyard.conf /usr/local/etc/snort/
($:~)=> vi /usr/local/etc/snort/barnyard.conf
[/code:1:65c8e327aa]

BARNYARD.CONF

OUTPUT SGUIL

Now add the line below somewhere in the configuration file. Remember to replace MYSQLUSER and
MYSQLPASS with your MySQL database user and password for the sguildb.

output sguil: mysql, sensor_id 0, database sguildb, server localhost, user MYSQLUSER, password MYSQLPASS, sguild_host localhost, sguild_port 7736

CONFIG HOSTNAME

Search for the config hostname field. This is where we define the hostname of our PC. Don't forget
to change dominion to yours.

config hostname: dominion

CONFIG INTERFACE

Which interface Snort is attached to.

config interface: xl0

You may want to read through the rest of the conf file to do further tweaking, like setting it to be
a daemon or other options. Ok, we're coming close to finishing here soon. Next we need to modify some
of the other sensors, servers, and clients.

[code:1:65c8e327aa]
($:~)=> cd /usr/local/src/sguil
($:~)=> vi sguild
[/code:1:65c8e327aa]

Now we need to change the command interpreter to the correct location.

#!/usr/local/bin/tcl

Save and exit. Now let's edit its configuration file.

SGUILD.CONF

DEBUG is useful for when you're installing and configuring Sguil, to ensure that things are
communicating properly with one another. Once you get it working you should set this to off and
use the daemon mode.

set DEBUG 1

DAEMON is for using daemon mode... 1 is on and 0 is off. You could also give sguild the switch
-D to do the same thing.

[code:1:65c8e327aa]
set DAEMON 0
set SERVERPORT 7734
set SENSORPORT 7736
[/code:1:65c8e327aa]

RULESDIR is where we are keeping our Snort rules. Pretty easy to follow conf file.

set RULESDIR /snort_data/rules

TMPDATA is where we are going to temporarily store the portscan and session data.

set TMPDATADIR /tmp

Now we need our sguildb database information.

set DBNAME sguildb
set DBPASS MYSQLPASS
set DBHOST localhost
set DBPORT 3306
set DBUSER MYSQLUSER

Now we're going to make a few symbolic links so sguild can find the correct rules.

[code:1:65c8e327aa]
($:~)=> ln -s /var/snort/ /snort_data
($:~)=> ln -s /usr/local/etc/snort/rules/ /snort_data/rules
($:~)=> ln -s /usr/local/etc/snort/rules/ /snort_data/rules/sguil
[/code:1:65c8e327aa]

Now we need to add a user to sguild. This is pretty simple.

[code:1:65c8e327aa]
($:~)=> cd /usr/local/src/sguil/server/ ; ./sguild -adduser
[/code:1:65c8e327aa]

You would alternatively run -deluser to delete a user.

Ok, let's move on to the next script to modify.

SENSOR_AGENT.TCL

[code:1:65c8e327aa]
($:~)=> vi /usr/local/src/sguil/sensor/sensor_agent.tcl
[/code:1:65c8e327aa]

Edit the shell interpreter to reflect the correct location. No explanation should be required.

#!/usr/local/bin/tcl

Config options in this file are simple..

set SERVER_HOST localhost
set SERVER_PORT 7736
set HOSTNAME localhost
set PORTSCAN_DIR /snort_data/portscans
set SSN_DIR /snort_data/ssn_logs
set WATCH_DIR /snort_data
set PS_CHECK_DELAY_IN_MSECS 10000
set SSN_CHECK_DELAY_IN_MSECS 10000
set DISK_CHECK_DELAY_IN_MSECS 1800000
set PING_DELAY 300000
set DEBUG 0

Save and exit. Now let's move on to xscriptd.

XSCRIPTD

[code:1:65c8e327aa]
($:~)=> vi /usr/local/src/sguil/server/xscriptd
[/code:1:65c8e327aa]

Edit the shell interpreter to reflect the correct location.

#!/usr/local/bin/tcl

If you've been reading the other configuration files then this one should be a breeze.

set SERVERPORT 7735

Since in this document we're going to be using Sguil on the same box as our xscriptd, the option
below gets marked as 1. If you set this to use a remote box I suggest you read through the install
manual and read up on setting it up using SSH keys.

set LOCALSENSOR 1

Debug. Once again it's good to enable for initial testing but later on you might wish to turn this
off.

set DEBUG 1

The next option is where you want to archive raw files locally when xscripts are requested.

set LOCAL_LOG_DIR /snort_data/archive

Where xscriptd can find the remote raw files:

set REMOTE_LOG_DIR /snort_data/dailylogs

If LOCALSENSOR is set to 0 then TCPDUMP needs to be the path to tcpdump on the sensor.

set TCPDUMP "/usr/sbin/tcpdump"

The next option is where tcpflow is located. You did remember to install this from the ports,
didn't you?

set TCPFLOW "/usr/local/bin/tcpflow -c"

Save and exit. Now we're on to the next file.

LOG_PACKETS.SH

[code:1:65c8e327aa]
($:~)=> vi /usr/local/src/sguil/sensor/log_packets.sh
[/code:1:65c8e327aa]

Config options here are pretty simple if you've been following along.

SNORT_PATH="/usr/local/bin/snort"
LOG_DIR="/snort_data/dailylogs"
INTERFACE="xl0"
PIDFILE="/var/run/snort_log.pid"
PRIORITY="local4.alert"

Save and exit. Next make a link to /usr/local/bin.

[code:1:65c8e327aa]
($:~)=> ln -s /usr/local/src/sguil/sensor/log_packets.sh /usr/local/bin/
[/code:1:65c8e327aa]

Next we're going to make a cron job to restart log_packets.sh.

[code:1:65c8e327aa]
($:~)=> echo "00 0-23/1 * * * root /usr/local/bin/log_packets.sh restart 1>/dev/null 2>&1" >> /etc/crontab
[/code:1:65c8e327aa]

We're almost done here. Let's edit the Sguil client now.

SGUIL.TK

[code:1:65c8e327aa]
($:~)=> vi /usr/local/src/sguil/client/sguil.tk
[/code:1:65c8e327aa]

The only thing we need to modify here is our wish version. Change the wish statement to yours.

exec wish8.3 -f "$0" ${1+"$@"}

Moving on down the line of files. Let's go ahead and edit the sguil.conf file.

SGUIL.CONF

[code:1:65c8e327aa]
($:~)=> vi /usr/local/src/sguil/client/sguil.conf
[/code:1:65c8e327aa]

This configuration file pretty much follows the other ones. Not too hard if you read it as you're
going along.

set SERVERPORT 7734
set XSCRIPT_SERVER_PORT 7735
set SERVERHOST localhost

Remember once you're done with testing to turn debug off.

set DEBUG 1

We plan on using OpenSSL between the client and server, so set this to 1 (1 = on, 0 = off).

set OPENSSL 1

The next line is where our SSL/TLS lib is located.

set TLS_PATH /usr/lib/tls1.4/libtls1.4.so

Now we're going to use an enhanced version of whois. This is the location of where it will be
placed.

set WHOIS_PATH /common/bin/awhois.sh

Where ethereal is located:

set ETHEREAL_PATH /usr/X11R6/bin/ethereal

You probably want at some point to view certain rules on snort.org, so we need to specify our web
browser in this field.

set BROWSER_PATH /usr/local/bin/konqueror

Now let's jump down to changing our mail server settings.

set MAILSERVER mail.yourdomain.com
set HOSTNAME yourdomain.com
set EMAIL_FROM Abuse@yourdomain.com
set EMAIL_CC ""
set EMAIL_SUBJECT "Incident Report"

Save and exit. Now let's get our awhois.sh script that we specified above.

[code:1:65c8e327aa]
($:~)=> mkdir /common
($:~)=> mkdir /common/bin
($:~)=> cd /common/bin
($:~)=> fetch ftp://ftp.weird.com/pub/local/awhois.sh
($:~)=> chmod 555 awhois.sh
[/code:1:65c8e327aa]

Ok, now that that's taken care of, let's set up OpenSSL support for this. First we need to download
and install the Tcl OpenSSL extensions. Lucky for us, they're in the ports tree.

[code:1:65c8e327aa]
($:~)=> cd /usr/ports/devel/tcltls ; make install clean
[/code:1:65c8e327aa]

Now we need to generate an SSL cert.

[code:1:65c8e327aa]
($:~)=> mkdir -p /etc/sguild/certs
($:~)=> cd /etc/sguild/certs
($:~)=> openssl req -out CA.pem -new -x509
[/code:1:65c8e327aa]

Now generate your key, and move on to the next one.

[code:1:65c8e327aa]
($:~)=> openssl genrsa -out sguild.key 1024
($:~)=> openssl req -key sguild.key -new -out sguild.req
($:~)=> openssl x509 -req -in sguild.req -CA CA.pem -CAkey privkey.pem -CAserial file.sr1 -CAcreateserial -out sguild.pem
[/code:1:65c8e327aa]

Now you should have a brand new trusted OpenSSL cert. Congratulations. All the config files should
be done editing and now you're ready to play with your new toy. So let's start up these services,
shall we.

Starting sguild (Server)

[code:1:65c8e327aa]
($:~)=> /usr/local/src/sguil/server/sguild -o -c /usr/local/src/sguil/server/sguild.conf -u /usr/local/src/sguil/server/sguild.users -D
[/code:1:65c8e327aa]

Side note: the '-o' option is for OpenSSL support and the '-D' is to daemonize the process.

Start log_packets.sh

[code:1:65c8e327aa]
($:~)=> /usr/local/bin/log_packets.sh start
[/code:1:65c8e327aa]

Start Barnyard

[code:1:65c8e327aa]
($:~)=> /usr/local/bin/barnyard -c /usr/local/etc/snort/barnyard.conf -d /var/log/snort -g /usr/local/etc/snort/gen-msg.map -s /usr/local/etc/snort/sid-msg.map -f snort.log -w /usr/local/etc/snort/waldo.file
[/code:1:65c8e327aa]

Start Snort

[code:1:65c8e327aa]
($:~)=> /usr/local/bin/snort -c /usr/local/etc/snort/snort.conf -l /var/log/snort -D
[/code:1:65c8e327aa]

Starting sensor_agent.tcl

[code:1:65c8e327aa]
($:~)=> /usr/local/src/sguil/sensor/sensor_agent.tcl
[/code:1:65c8e327aa]

Starting xscriptd

[code:1:65c8e327aa]
($:~)=> /usr/local/src/sguil/server/xscriptd
[/code:1:65c8e327aa]

Starting Sguil (Client)

[code:1:65c8e327aa]
($:~)=> /usr/local/src/sguil/client/sguil.tk
[/code:1:65c8e327aa]

Congratulations. Sguil should be up and running. Enjoy playing with your new toy.

If you should have any problems with installing this, you can either post your problems on the forum
topic on this at BSDHound's Forums
(http://bsdhound.dnsalias.net:81/modules.php?name=Forums&file=viewtopic&p=1991#1991) or the nice
guys over at irc.freenode.net will help you out. They can be located in #snort-gui. Enjoy and good
luck.

References used:

Sguil Install guide - http://sguil.sourceforge.net/install.txt
Richard Bejtlich Redhat 7.3 Install guide - http://sguil.sourceforge.net/sguil_install_v1-0.pdf
My Brain
The great guys over at #snort-gui on irc.freenode.net

Special thanks to those who helped out in this article.

Strog (http://bsdhound.com/modules.php?name=Forums&file=profile&mode=viewprofile&u=27&sid=96066b5b77029d66419d3aa3eb6ba993),
Kernel_Killer (http://bsdhound.com/modules.php?name=Your_Account&op=userinfo&uname=Kernel_Killer), Bamm

Original Article Source:
http://bsdhound.dnsalias.net:81/modules.php?name=News&file=print&sid=234
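
The rule-syntax walkthrough in the post above (actions, negated address lists, port ranges, the "<>"
direction and the option section) is easier to trust once you can run it, so here is a small parser
and header matcher for Snort 2.0 rules. It is an added example written for this page; it is not code
from the article, from Kernel_Killer, or from the Snort or Sguil projects. The first rule it parses is
the one dissected above, the other two are constructed here, and the var values for HOME_NET,
EXTERNAL_NET and DNS_SERVERS are assumed sample values in the snort.conf style shown above, not a real
configuration. Two things to note: the parser uses the keyword "activate", which is how Snort spells
the action the post calls "Active"; and a mixed list such as 192.168.1.0/24,!192.168.2.0/24 is read as
"inside the positive members and outside the negated ones", which is my reading, so check it against
the Snort manual for the version you run. Only the header is matched; content, nocase and the other
payload options are parsed but not evaluated.

```python
import ipaddress
import re

# Constructed snort.conf "var" values (an assumption for this example; the post only shows samples).
VARS = {
    "HOME_NET": "[10.1.1.0/24,192.168.1.0/24]",
    "EXTERNAL_NET": "!$HOME_NET",
    "DNS_SERVERS": "[68.100.16.30/32,10.52.1.1/32]",
}

# Rule header layout: action proto src sport direction dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass|activate|dynamic)\s+(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)"
    r"\s*(?:\((?P<opts>.*)\))?\s*$"
)

# First rule is the one dissected above; the other two are constructed to exercise vars, '!' and '<>'.
RULES = [
    'alert tcp 192.168.1.0/24,!192.168.2.0/24 any -> 192.168.0.0/24 80 '
    '(msg:"HTTP attempt"; content:"EXECUTE_SYSTEM"; nocase; classtype:system-call-detect; sid:1673; rev:3;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET !80:84 (msg:"not web; odd port"; sid:1000001; rev:1;)',
    'log udp any any <> $DNS_SERVERS 53 (msg:"dns traffic"; sid:1000002;)',
]

def expand_vars(text, depth=0):
    """Replace $NAME with its value; a value may itself name another variable."""
    if depth > 8:
        raise ValueError("variable recursion too deep: " + text)
    out = re.sub(r"\$(\w+)", lambda m: VARS[m.group(1)], text)
    return out if out == text else expand_vars(out, depth + 1)

def parse_addrs(spec):
    """'any' -> []; else [(negated, network)]. '!' before a bracketed list negates every member."""
    spec = expand_vars(spec)
    if spec == "any":
        return []
    whole_neg = spec.startswith("!")
    items = []
    for part in spec.lstrip("!").strip("[]").split(","):
        neg = part.startswith("!") != whole_neg
        items.append((neg, ipaddress.ip_network(part.lstrip("!"), strict=False)))
    return items

def parse_ports(spec):
    """'any', '80', '80:1024', '80:', ':80', '!80:84' -> (negated, low, high)."""
    spec = expand_vars(spec)
    if spec == "any":
        return (False, 0, 65535)
    neg = spec.startswith("!")
    spec = spec.lstrip("!")
    lo, hi = spec.split(":", 1) if ":" in spec else (spec, spec)
    return (neg, int(lo or 0), int(hi or 65535))

def parse_options(text):
    """Split 'key:value; key; ...' on ';' outside double quotes -> [(key, value)]."""
    out, buf, quoted = [], "", False
    for ch in (text or "") + ";":           # the appended ';' flushes the last option
        quoted ^= (ch == '"')
        if ch == ";" and not quoted:
            key, _, val = buf.strip().partition(":")
            if key:
                out.append((key, val.strip().strip('"') if val else None))
            buf = ""
        else:
            buf += ch
    return out

def parse_rule(line):
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not a snort rule: " + line)
    return {"action": m["action"], "proto": m["proto"], "dir": m["dir"],
            "src": parse_addrs(m["src"]), "sport": parse_ports(m["sport"]),
            "dst": parse_addrs(m["dst"]), "dport": parse_ports(m["dport"]),
            "options": parse_options(m["opts"])}

def addr_ok(items, addr):
    """No negated member may contain addr; if positive members exist, one of them must."""
    addr = ipaddress.ip_address(addr)
    if any(neg and addr in net for neg, net in items):
        return False
    positives = [net for neg, net in items if not neg]
    return not positives or any(addr in net for net in positives)

def port_ok(spec, port):
    neg, lo, hi = spec
    return (lo <= port <= hi) != neg

def header_matches(rule, proto, src, sport, dst, dport):
    """Does the rule header cover this 5-tuple? '<>' is tried in both directions."""
    def one_way(a, ap, b, bp):
        return (addr_ok(rule["src"], a) and port_ok(rule["sport"], ap)
                and addr_ok(rule["dst"], b) and port_ok(rule["dport"], bp))
    return rule["proto"] in (proto, "ip") and (
        one_way(src, sport, dst, dport)
        or (rule["dir"] == "<>" and one_way(dst, dport, src, sport)))
```

Feed it a rule file line by line (skip blanks and "#" comments, and expand the var lines into VARS
first) and you can answer "which of my rules even look at this flow" before Snort ever sees a packet,
which is a quick sanity check when a rule you expected to fire stays quiet because of a negated
HOME_NET or an inverted port range.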

Strog
July 29th, 2003, 10:12
Soup4you2:

Nice writeup. People should be able to get it up with these directions.


Bamm:

Nice work and a nice product. It definitely fills a nice niche for anyone wanting a real-time look at Snort.

8)

soup4you2
July 29th, 2003, 10:27
Some of the bbcode got fubared... I'm too lazy to fix it though. I submitted article links on deadly and bsdvault.

elmore
July 29th, 2003, 10:58
Really nice write-up Soup

Kernel_Killer
September 8th, 2003, 21:56
Well, I'm back on the project again. Finally started over and got this app running. Never thought looking at logs would be so fun. :D

I'm not sure, but I might write some updates. I noticed that 4.8 seems to have a lot of trouble running anything besides MySQL 3.23, and definite problems with Tcl/TclX. Also, maybe an added how-to on making other sguil servers push logs into a remote database? Just some thoughts.

Kernel_Killer
September 9th, 2003, 23:20
UPDATE:

Line:

[code:1:c8a5b0244a]($:~)=> ln -s /var/snort/ /snort_data [/code:1:c8a5b0244a]

should be:

[code:1:c8a5b0244a]($:~)=> ln -s /var/log/snort/ /snort_data [/code:1:c8a5b0244a]

soup4you2
September 9th, 2003, 23:40
hehe thanks... damm typos...

bsdjunkie
September 29th, 2003, 17:04
Notes for setting this up for openbsd users:

Some of the TCL programs needed do not compile correctly on obsd -current (3.4) I had no issues setting them up on 3.3 release though.

Also, mysqltcl had to be configured/compiled the following way:
export CPP=/usr/bin/cpp
./configure --with-tcl=/usr/local/lib/tcl8.3 \
  --with-tclinclude=/usr/local/include/tcl8.3 \
  --with-mysql-include=/usr/local/include/mysql \
  --with-mysql-libs=/usr/local/lib/mysql

Also it complains of a missing libmysqlclient.so. I just linked
/usr/local/lib/mysql/libmysqlclient.so.10.0 to that, and it compiled fine.

soup4you2
September 29th, 2003, 17:49
thanks for the obsd update... so how's sguil running for ya?

bsdjunkie
September 29th, 2003, 18:01
I wasn't able to finish getting it up at home, so I worked out those above things this afternoon at work on a desktop. I'll be downgrading my laptop/sensor to 3.3 tonight to get it all running.

BTW, do you have any good bpf filters to cut down on a lot of crap for the log_packets.sh already written, or should I start writing my own :P

soup4you2
September 29th, 2003, 19:15
I wasn't able to finish getting it up at home, so I worked out those above things this afternoon at work on a desktop. I'll be downgrading my laptop/sensor to 3.3 tonight to get it all running.

BTW, do you have any good bpf filters to cut down on a lot of crap for the log_packets.sh already written, or should I start writing my own :P

I actually don't currently have sguil installed anymore.. been meaning to redo snort though.. since I don't run X on my server I want to test out using the client remotely through ssh and see how it goes.. so write up some rules.. I'd love to see them.

now here is a question for you..

how can I get snort to log the IPs from alerts and portscans to 1 file.. just the IPs, that way I can make a pf table to block them.

bsdjunkie
September 29th, 2003, 20:41
I think the easiest way would be to write another shell script to parse out the src IPs and feed them to your list =) I know there are examples out there by Daniel Hartmeier for this feature as well.
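One way to do what bsdjunkie suggests, added here as an example and not code from the thread or from sguil: read snort alert_fast and spp_portscan lines on stdin, pull out the source address in front of each "->", skip your own hosts, and write the unique addresses to a file that pf can load as a table. The log lines, addresses, table name and file name are all constructed for the example.

```sh
#!/bin/sh
# Added example, not from the thread or from sguil: turn snort alert and
# portscan logs into a deduplicated source-IP list for a pf table.
# The log lines and addresses below are constructed (RFC 5737 ranges).

SAMPLE_ALERTS='08/01-12:34:56.789012  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 203.0.113.7:1434 -> 192.0.2.10:1434
08/01-12:35:01.000000  [**] [1:1000001:1] constructed test rule [**] [Priority: 3] {TCP} 198.51.100.23:44321 -> 192.0.2.10:22
08/01-12:35:02.000000  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 203.0.113.7:1434 -> 192.0.2.11:1434'

# Constructed spp_portscan-style lines; the third one comes from one of our own hosts.
SAMPLE_PORTSCAN='Sep 29 20:41:05 203.0.113.9:1025 -> 192.0.2.10:80 SYN ******S*
Sep 29 20:41:05 203.0.113.9:1026 -> 192.0.2.10:443 SYN ******S*
Sep 29 20:41:07 192.0.2.50:40000 -> 192.0.2.10:22 SYN ******S*'

# extract_src_ips WHITELIST   (log lines on stdin)
# Both formats carry "src:port -> dst:port", so the field before the "->"
# token is the source. Addresses in WHITELIST (space separated: your own
# hosts) are skipped, because alert sources can be spoofed and a blocklist fed
# straight from the IDS must never be able to lock out your own machines.
# Each address is printed once, in first-seen order.
extract_src_ips() {
    awk -v skip="$1" '
        BEGIN { n = split(skip, a, " "); for (i = 1; i <= n; i++) keep[a[i]] = 1 }
        {
            for (i = 1; i < NF; i++) {
                if ($(i + 1) != "->") continue
                split($i, p, ":")
                ip = p[1]
                if (ip ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && !(ip in keep) && !(ip in seen)) {
                    seen[ip] = 1
                    print ip
                }
            }
        }'
}

# write_pf_table FILE WHITELIST   (log lines on stdin) -> prints the address count
# pf.conf side (constructed names, not run here):
#   table <snort_block> persist file "/etc/pf.snort_block"
#   block in quick from <snort_block>
# Reload the table after each run with:
#   pfctl -t snort_block -T replace -f /etc/pf.snort_block
write_pf_table() {
    extract_src_ips "$2" > "$1"
    wc -l < "$1" | tr -d ' '
}

# Demo on the constructed samples: prints 203.0.113.7, 198.51.100.23, 203.0.113.9.
printf '%s\n%s\n' "$SAMPLE_ALERTS" "$SAMPLE_PORTSCAN" | extract_src_ips "192.0.2.10 192.0.2.50"
```

Run it from cron against the real alert and portscan files and follow it with the pfctl reload; keep the whitelist current so a spoofed alert cannot add your own gateway to the table.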

Kernel_Killer
October 10th, 2003, 20:53
UPDATE:

Required Package Dependencies:

TclX
perl-digest-sha1
itcl
tk-devel

Kernel_Killer
November 7th, 2003, 00:57
Found the deps needed for 4.x to run the client, and server.

/usr/ports/devel/tcl-8.x.x (of course)
/usr/ports/devel/tcllib
/usr/ports/devel/tclx
/usr/ports/lang/itcl (Might not be required)
/usr/ports/x11-toolkits/iwidgets (client will bork without it)

EDIT: Festival now works from the ports, but speechd will not compile, and no source tarball to be found.

soup4you2
November 13th, 2003, 09:59
talking w/ the sguil guys today.. realized there's a new version.. I'm going to update my howto, just might be a while before I get around to it.. There is a pdf on taosecurity but I think it's lacking some aspects..

sguil-0.3.0 (30 Oct 2003)

**** WARNING WARNING WARNING ****
* If you are updating, make sure*
* you recompile barnyard with *
* the latest op_sguil.c. Other- *
* wise barnyard and sguild will *
* go Kaplooey. Bammkkkk *
**** WARNING WARNING WARNING ****

spp_stream4_sguil.patch
* Fixed a gmtime/localtime bug. All session times are
GMT so use -U when starting snort.

op_sguil
* Now makes a sustained connection to sguild rather vs.
a new connect for each event.

* Events table gets updated first.

sguil.tk
* Added Text Export Button to send query reults to a
text file (human-readable or delimited(CSV, TAB, etc) -SRH

* Added A Human-Readable text report to the reports menu
to output full event details (with or without payload) to
a text file. -SRH

* Revamped the way reports get their data. It now happens
over the main sguil-sguild socket. Much faster. -SRH

* User and Global Standard queries supported (started by Bamm, finished by SRH)

* Fixed Mouse-Wheel scrolling in X and Windows (geek2)

* Added a GUI Query Builder, for easy SQL editing. (geek2)

* Changed the Comm's to use ctoken instead of l{range,index}
so random word boundry characters in UserMessages or Event
descriptions doesn't pop errors. (geek2)

* Fixed fcopy bug for Ethereal requests (thanks
Tim Slighter).

* Added better Ethereal config options in (sguil.conf)

* Added/Modified Dshield lookup (http://www.dshield.org)
to src and dst ip drop down menus. (requested by mboman
added by geek2)

* Added Dshield port lookup (creining)

* Modified client authentication. See sguild comments for
more information. (NOTE: sguil.tk now REQUIRES tcllib)

* Many Bug Fixes



sguild
* Sustained cnx with op_sguil (barnyard).

* Support for emailing events.

* Proc SendSensorList now makes sure sensor.active=y.

* Added a salt to passwd hash in sguild.users. The
authentication has been modified so the client never
sends the passwd. Instead, the salt and noonce are
sent to the client and returned hash is compared by
the server. (NOTE: Old sguild.users files will NOT
work.)

* Support for standard queries.

* Auto-categorizing of alerts introduced.

* Updates last_uid field (version 0.7 of DB required).

* kill -HUP <sguild.pid> now reloads autocat.conf and
sguild.queries.

sguild.conf
* Vars for emailing selected events.

log_packets.sh
* Removed some legacy hostname stuff.

* Added var for BPFs.

sguil-0.2.5 (15 Jul 2003)

* Multiple undocumented bugfixes. I recommend updating
all sguil components (no need to repatch snort and
barnyard) to include sguild, xscriptd, sensor_agent.tcl,
log_packets.sh, and sguil.tk.

sguil-0.2.4 (11 Jul 2003)
sguil.tk
* Added lib/whois.tcl, a simple replacement for those
third party whois scripts.

* Client remains up on disconnect from sguild. Attempts
to reconnect after 10 seconds.

* Decode ICMP redirect

* Added option to change the max number of rows returned
for portscan event data. Set the default in sguil.conf.

* Added 'User Messages' box for analyst to communicate
via text messages.

sguild
* Added -D (daemonize) and -P <pidFile> switches.

* Changed sensorCmd to use ctoken to avoid crashes
when special chars are in the message

* Added OpenSSL for client <> server comms.

* Does version checking with clients

* Checks for compatable DB schema

* Added sha1 support for hashed passwds plus
-adduser and -deluser functions. Authentication
should now be considered fairly secure when used
in conjunction with OpenSSL or ssh tunneling.

xscriptd
* Added -D (daemonize) and -P <pidFile> switches.

* Using a regexp instead of lindex to test for spp_portscan
event, avoids error on special chars

* Added OpenSSL for client <> server comms.

* Added version checking for connecting clients.


Version 0.2
sguil.tk
* Re-arranged menu

* Database Purge/Optimize

* GMT clock

* Many bugfixes

* User log in for accountability (no authentication (yet))

* Add comments to events (shift-F<n>)

* E-Mail events in summary or detail with option to 'sanatize IP addresses

* Session Queries

* Event History

* Added decodes for ICMP Type 3 (dest Unreachable) and 11 (time exceeded)

* Dialog for selecting sensor(s) on to monitor added
to initialization.

* Fixed escalate bug where events weren't removed from all
connected clients.

* Added a Show DB Tables function to assist analyst in
creating queries.

sguild
* Added procs and changes required for monitoring specific
sensors.

* Fixed escalate bug where events weren't removed from all
connected clients.

* Gets DB table info on init in support of the "Show DB
Tables" function added to sguil.tk.

* changed GetIcmpData to return the payload so we can parse it out

* Proc CreateDB added. Sguild will create the required database
if it doesn't exists (on request).
* many many bugfixes.
* Added SimpleQueryCommand for OOB queries
* History and comment support for events.
* New system messages (user login/out, monitored sensors).
* Changed ExecDB to allow for DELETE and other non-SELECT/UPDATE queries (if DB permissions permit it)
* DB schema slightly changed
* Moved the config to sguild.conf and added a sguild.users

op_sguil.c
* Added "nospin" option for those users who want barnyard
to continue processesing events if unable to connect to
sguild.

xscriptd
* Added passive OS detection (p0f)

Version 0.1
sguil.tk
* MulitiSelect functionality added by Steve Halligan (geek2)
shalligan@333tech.com.

* Removed : from temporary raw data file name for use with
Windows.

Version 0.1 BETA 4
*NOTE: This version requires a slight modification to
the sguil.conf [addition of the CATEGORY_COLOR(ES)]

sguild
* Fixed GetPSData bug (didn't close mysql socket).

* Now handles escalated events (very beta right
now).

sguil.tk
* Added an Escalation tab. Use F9 or right click->
Update Event Status->Escalate to move alerts into
this tab. Allows analyst to easily "bookmark"
alerts for later review while keeping the RT
screen clear.



Version 0.1 BETA 3

sguil.tk
* Ctrl-left/right arrow selects previous/next tab

* Added a "force new" option for generating xscripts. This
forces xscriptd to ignore any locally archived sessions
and try to get a new one. Useful where a xscript was
generated mid session and the analyst wants to see if
more acty has occurred.

* The transcript window now shows debug messages (per geek2).

xscriptd
* Added a "force new" option for generating xscripts. See
above for more info.

* Sends debug message for the transcript window.

Version 0.1 BETA 2
sguil.tk
* Added event query menu and template (right
click on selected event in the Event Type
column).

* Query templates pop up under mouse position.

* Unselected tabs are now darker. Oooo pretty.

sguild
* Fixed portscan passwd bug.

Version 0.1 BETA 1
LICENSE
* When sguil is finally released, it will
be done so over the QPL. BY is licensed under
the QPL, therefore op_sguil must be released
under that license and it's easier just to use
one license for everything.

* spp_portscan mod introduced as well as a loader
for the DB and an interface to the data within
sguil.tk.

xscriptd
* Bugfix: close tcpflowID bug.

op_sguil.c
* Slight change in SguilSendEvent format.

sguild
* Slight change in SensorRcvdCmd format.
* Sguild recieves data from portscan_loader.tcl and
LOADs the data into the DB.

sguil.tk
* Fixed non-TCP ethereal bug.

Version 0.1 ALPHA 6:

sguil.tk
* Change Font added to the File menu. Standard is
applied to most of the GUI while Fixed is for the
packet data text box.

sguild
* Syslog is no longer used for sending and sguild now
opens port 7736 for and op_sguil is connects/sends
RT events directly to sguild.

op_sguil.c
* SguilSendEvents() was added and all syslog references
were removed. See comments in op_sguil.c for more info.

Version 0.1 ALPHA 5:

sguil.tk
* Bugfix: Alerts couldn't be marked as CatI-VII
* Bugfix: Alerts updated from the query results tab
were not being passed to the DB.

sguild
* Bugfix: sguild wasn't closing cnxs to mysql
after a query.

Version 0.1 ALPHA 4:
sguil.tk
* Added a default color for NA alerts (bugfix).
* Added speech support. Requires speechd available
at http://www.speechio.org.
* Fixed xscript cmd interpretation bug.
* Added a text box to the query tabs to display the
query statement. Modifying the query and pressing
<Enter> will run a new query.
* Query's can now be sorted by double clicking on
the list label (ie Src IP, Dst IP, etc).

xscriptd
* Fixed xscript cmd interpretation bug.


Version 0.1 ALPHA 3:
Added xscriptd. See INSTALL for more info.

sguil.tk
* Added transcript and ethereal support
(xscriptd). See INSTALL for details. This
stuff is real alpha so let me know about
any problems.
* Added a SLEEP function. When used (selected
from File or Ctrl-s) the GUI will be iconified
and will beep/deiconify when it receives a new
event.

Version 0.1 ALPHA 2:

Added a USAGE file.

sguild:
* Added DBPASS for mysql passwd.
* Updates the DB multiple events at a time.
* Fixed open file handle bug.

sguil.tk
* Sends a list of events to be expired rather than
one at a time when expiring correlated events.
* Select previous alert when expiring bottom alert.
* Up/Down arrows select previous/next alert in pane.
* Escape key deselects all options.
* Alerts can be expired or caterogized into an
incident category (CatI-CatVII). F1-F7 are the 'hot'
keys.

op_sguil.c
* Fixed unknown class_type bug.

Version 0.1 ALPHA 1:
* Initial (private) release: 23 Sep 2002.

Kernel_Killer
November 13th, 2003, 23:28
Yep. The new one is quite nice. Fixed some of the DB errors, and the client works very nicely. Gotta love the weekly "cvs -q update -dP". :D

soup4you2
November 17th, 2003, 16:17
There's a new sguil install doc available on taosecurity. Some of you may have read it.. but I've found some errors in this doc and have e-mailed the author about them. The way he has his mysql server installed will not pass SSN or PS data.. I also plan on re-writing mine with some cool new tricks I've learned over the past while.. maybe even include a patch or 2.