soup4you2
July 29th, 2003, 10:07
Sguil 0.2.5 (Snort GUI for LamerZ) Installation for FreeBSD howto
By: Soup4you2 (http://bsdhound.com)
About This Howto:
Sguil (pronounced "sgweel") is a GUI (graphical user interface) for the snort IDS (intrusion
detection system). Sguil was written in Tcl/Tk by Robert (Bamm) Visscher. Reading raw snort logs can
be a real pain, so most people out there use another open source application called ACID (Analysis
Console for Intrusion Databases); a howto on getting that installed can be found here
(http://bsdhound.com/modules.php?name=News&file=article&sid=56). Sguil, in my opinion, just kicks
ass. However, whichever one you choose, ACID or sguil, there are drawbacks. The two main ones: with
ACID you can easily monitor over the internet, but it is not real time. It only shows you new
activity when you refresh the page, whereas sguil is real time. Now what if I'm not at home? Well,
you can run the sguil.tk client on a remote PC to watch your server at home. If encryption is a
concern, sguil supports OpenSSL, or you can use SSH tunneling
(ssh -L 7734:localhost:7734 -L 7735:localhost:7735 <remotehost>). That doesn't tunnel X, only the
client's connections to sguild (7734) and xscriptd (7735).
This document explains how to get Sguil set up and working on your BSD operating system. The
configuration used in this guide is a very basic one. In my opinion, if you're trying to install
something like this then you should have a good grasp of using and moving around your BSD operating
system. I'm going to follow the basic locations used in the guides put out by the author of sguil,
only we're going to do it the BSD way. After you get this installed it's EXTREMELY recommended that
you do some further tweaking, especially on what snort looks for.
Contents of this article:
1. Prerequisites
2. See Sguil in action.
3. So how does this thing work?
4. Installing Sguil
Prerequisites
There are some required packages that you're going to need to install in order to get this to work.
But have no fear, the ports are here.
Festival:
Let's start off with /usr/ports/audio/festival. You can try installing this port, but when I tried,
the port was broken. That's no big deal; it just means you're not going to get any sound. But you
can try; who knows, perhaps today is the lucky day a new Makefile enters the ports tree.
festival-devel:
Yet another broken port, but no big deal. Let's move on down the line.
Itcl:
/usr/ports/lang/itcl [incr Tcl] is an object oriented extension to Tcl. The [incr Tcl] language
is also known as ``itcl''. Just a standard install of the port will be fine.
Tclx:
/usr/ports/lang/tclX Extended Tcl (TclX) is a set of extensions to Tcl, the Tool Command
Language invented by Dr. John Ousterhout of the University of California at Berkeley. Tcl is a
powerful, yet simple, embeddable programming language. Extended Tcl is oriented towards Unix system
programming tasks, with many additional interfaces to the Unix operating system, and it is upwardly
compatible with Tcl. Normal install from the ports tree on this one also.
MySQL-server:
/usr/ports/databases/mysql40-server. There is a trick to this one. I recently upgraded to
FreeBSD 5.1 and I was using mysql323, but without the new GCC or EGCS you're not going to be able to
install that from the ports tree, so you're going to have to use MySQL 4.0. The way we're going to
install MySQL is a little different than usual. MySQL by default disables LOAD DATA LOCAL INFILE in
the client library, and sguild relies on it to bulk-load the portscan and session data the sensor
agent sends up, so the build needs the --enable-local-infile configure argument. The best way that
comes to my mind is to edit the Makefile inside the port's directory and look for a statement like
below:
[code:1:65c8e327aa]
.if ${MACHINE_ARCH} == "i386"
CONFIGURE_ARGS+=--enable-assembler --with-berkeley-db
.endif
[/code:1:65c8e327aa]
And change it to below: (Make sure you pick your correct architecture)
[code:1:65c8e327aa]
.if ${MACHINE_ARCH} == "i386"
CONFIGURE_ARGS+=--enable-assembler --with-berkeley-db --enable-local-infile
.endif
[/code:1:65c8e327aa]
Mysqltcl:
/usr/ports/databases/mysqltcl MySQLTcl is a collection of Tcl commands and a Tcl global array that
provide access to one or more mysql database servers. A standard install will be fine.
tcpflow:
/usr/ports/net/tcpflow/ tcpflow is a program that captures data transmitted as part of TCP
connections (flows), and stores it in a way that is convenient for protocol analysis or debugging. A
program like 'tcpdump' only shows a summary of packets seen on the wire, but usually doesn't store
the data that's actually being transmitted. In contrast, tcpflow reconstructs the actual data
streams and stores each flow in a separate file for later analysis. Another normal install here too.
See Sguil in action.
Below are a couple of screenshots I decided to take to show you what you're going to be working for.
It's well worth it and I'm more than sure you will enjoy it as much as I do.
Login Screen (http://bsdhound.com/images/stories/july_03/sguil2.png)
Sguil is set up so no ordinary user can log in and read through your logs, which we all would
expect. It offers an SSL layer from the client to the server, and encrypted passwords. Whereas
with ACID all you needed to know was the address it was on (that's if the admin was dumb and
didn't secure it properly).
Sensors (http://bsdhound.com/images/stories/july_03/sguil1.png)
Sguil will not only watch your server; you can set up other sensors to monitor more than one
host at a time, by going through SSH. However, we will not be covering this in this document.
Perhaps in the future.
Realtime Monitoring (http://bsdhound.com/images/stories/july_03/sguil3.png)
Just sit back, grab a beer and watch. No need for refreshes or anything. You can even perform SQL
queries to search for specific events. Since the application runs in real time, and the sensor keeps
full packet logs, you can easily see what happened before and after the attack.
Information (http://bsdhound.com/images/stories/july_03/sguil4.png)
Sguil gives a nice clean layout while giving all the information you should need: a great whois
interface, packet information, good portscan data, DNS lookups, sources, etc. You catch the idea.
So how do things work?
Below is a diagram of how the scripts work together. Study it for a bit before reading on.
http://bsdhound.dnsalias.net:81/images/stories/july_03/sguil5.png
There are 3 parts to sguil: the server, the client, and the sensors.
Client:
sguil.tk - the analysis GUI client.
Sensors:
sensor_agent.tcl - a script that runs on the sensor and loads portscan, session, and sensor
statistics to the sguild server.
log_packets.sh - a shell script that runs a second instance of snort to log all packets for
correlation. Meant to be restarted from a crontab so the packet logs roll over.
Servers:
sguild - the Sguil server (again a Tcl script). This is the brains behind this whole mess. This
stuff gets installed on the database server.
xscriptd - a Tcl script that takes requests from the client for transcript data, goes and gets the
packets off of the sensor, and then sends them to the client.
Misc:
Barnyard - barnyard takes the task of processing alerts away from snort so snort can log alerts
faster, among other things.
Snort isn't threaded. That means any time you add load with an expensive output plugin (like
inserting into a DB), you can cause snort to 'block' and drop packets. That is why in this setup
snort only writes unified files and barnyard, not snort, talks to MySQL and sguild.
Installing Sguil
Obtaining SGUIL:
Getting your copy of sguil is easy thanks to sourceforge and their almighty network. All three
commands must name the same repository root, because cvs stores the pserver credentials per root
and the checkout will be refused if it uses a different host than the login.
[code:1:65c8e327aa]
($:~)=> cd /usr/local/src
($:~)=> cvs -d:pserver:anonymous@cvs.sourceforge.net:/cvsroot/sguil login
Hit Enter when prompted for a password
($:~)=> cvs -z3 -d:pserver:anonymous@cvs.sourceforge.net:/cvsroot/sguil checkout sguil
($:~)=> cvs -d:pserver:anonymous@cvs.sourceforge.net:/cvsroot/sguil logout
[/code:1:65c8e327aa]
Installing Snort:
[code:1:65c8e327aa]
($:~)=> mkdir /usr/local/etc/snort
($:~)=> mkdir /usr/local/etc/snort/rules
($:~)=> mkdir /var/log/snort
($:~)=> mkdir /var/log/snort/portscans
($:~)=> mkdir /var/log/snort/ssn_logs
($:~)=> mkdir /var/log/snort/dailylogs
($:~)=> mkdir /var/log/snort/archive
($:~)=> cd /usr/ports/security/snort
($:~)=> make extract
($:~)=> cd work/snort-2.0.0/src/preprocessors/
[/code:1:65c8e327aa]
Now what we're doing here is patching 2 files before we begin our compile. So remember, whenever
you do a portupgrade and you see snort on the list, remember to patch it again, because the port's
work directory gets rebuilt from the pristine tarball.
[code:1:65c8e327aa]
($:~)=> patch -p0 spp_portscan.c < /usr/local/src/sguil/sensor/snort_mods/2_0/spp_portscan_sguil.patch
[/code:1:65c8e327aa]
You should be presented with an output like below:
[code:1:65c8e327aa]
Hmm... Looks like a new-style context diff to me...
The text leading up to this was:
--------------------------
|Index: spp_portscan.c
|===================================================================
|RCS file: /cvsroot/snort/snort/src/preprocessors/spp_portscan.c,v
|retrieving revision 1.45
|diff -c -r1.45 spp_portscan.c
|*** spp_portscan.c 26 Mar 2003 21:59:48 -0000 1.45
|--- spp_portscan.c 1 May 2003 15:02:50 -0000
--------------------------
Patching file spp_portscan.c using Plan A...
Reversed (or previously applied) patch detected! Assume -R? [y]
Hunk #1 succeeded at 22.
Hunk #2 succeeded at 234.
Hunk #3 succeeded at 981.
Hunk #4 succeeded at 1233.
Hunk #5 succeeded at 1241.
Hunk #6 succeeded at 1263.
Hunk #7 succeeded at 1382.
Hunk #8 succeeded at 1406.
Hunk #9 succeeded at 1507.
Done
[/code:1:65c8e327aa]
Congrats, you patched 1 file. One thing to watch for: if patch asks "Reversed (or previously
applied) patch detected! Assume -R? [y]", the file already contains the sguil changes (for example
because you ran the patch twice). Answer n there, and n again to "Apply anyway?", because taking
the default y backs the changes out. Now we need to do the same to another file.
[code:1:65c8e327aa]
($:~)=> patch -p0 spp_stream4.c < /usr/local/src/sguil/sensor/snort_mods/2_0/spp_stream4_sguil.patch
($:~)=> cd ../../..
($:~)=> make -DWITH_MYSQL=yes install (do not include clean)
($:~)=> cd /usr/ports/security/snort/work/snort-2.0.0/etc
($:~)=> cp gen-msg.map snort.conf reference.config classification.config sid-msg.map /usr/local/etc/snort/
($:~)=> cd /usr/local/etc/snort
($:~)=> vi snort.conf
[/code:1:65c8e327aa]
Ok, here we will be making some changes to snort's configuration file so it knows how to function
with sguil. The first thing we're going to change is HOME_NET. Please remember this is a very basic
configuration of snort. I'm leaving it up to you to configure snort the way you like it.
SNORT.CONF
HOME_NET
This variable tells snort which network(s) it is protecting, i.e. the addresses behind the interface
it listens on; most rules use it as the destination side. An example would be
var HOME_NET 10.1.1.0/24. If snort is going to be watching multiple networks you would make it look
like var HOME_NET [10.1.1.0/24,192.168.1.0/24].
EXTERNAL_NET
Same idea as HOME_NET, except this is the outside world. You get the idea: var EXTERNAL_NET any
DNS_SERVERS
These are the DNS servers on your network, each as a complete address with a /32, so you could have
something like: var DNS_SERVERS [68.100.16.30/32,10.52.1.1/32]
RULE_PATH
This is where your snort rules are located. Pretty self explanatory. We're going to use var
RULE_PATH /usr/local/etc/snort/rules since that's the directory we made for it above.
PREPROCESSOR STREAM4
This option sets how you want snort to inspect your TCP streams. The keepstats db part is what
writes the session records that sensor_agent.tcl picks up. We're going to set it up like:
preprocessor stream4: detect_scans, disable_evasion_alerts, keepstats db /var/log/snort/ssn_logs
PREPROCESSOR PORTSCAN
The last argument is the sensor name that the sguil patch adds to the portscan log. Replace dominion
with your system hostname:
preprocessor portscan: $HOME_NET 4 3 /var/log/snort/portscans dominion
OUTPUT LOG_UNIFIED
The unified output plugin provides a new format for logging and generating alerts from Snort, the
"unified" format. It is a straight binary format for logging data out of Snort that is designed to be
fast and efficient; barnyard reads these files and does the database work so snort doesn't have to.
output log_unified: filename snort.log, limit 128
Now go ahead and do further configuration of snort, then save and exit. Next we need to update our
snort rules. It's best to have the latest rules to play with.
[code:1:65c8e327aa]
($:~)=> cd /tmp ; fetch http://www.snort.org/downloads/snortrules.tar.gz
($:~)=> cd /usr/local/etc/snort/rules
($:~)=> tar -xzf /tmp/snortrules.tar.gz
[/code:1:65c8e327aa]
Congratulations, you now have snort installed.
Since we've got some rules installed,
Kernel_Killer
(http://bsdhound.com/modules.php?name=Your_Account&op=userinfo&uname=Kernel_Killer) was nice enough to give us some documentation on editing your rules.
SNORT RULES
To change rule arguments, you need to change the snort.conf file to point to your desired set of
rules in the /usr/local/etc/snort/rules directory. Remember, adding several rules can slow your
system down, and cause several problems for slower systems.
In the snort.conf file, add something like this:
include $RULE_PATH/test.rules
You should add this in the area with the other rulesets. You can also change the ruleset local.rules
since it is empty.
Let's look at how rules are fragmented.
alert tcp 192.168.1.0/24,!192.168.2.0/24 any -> 192.168.0.0/24 80 (msg:"HTTP attempt";
content:"EXECUTE_SYSTEM"; nocase; classtype:system-call-detect; sid:1673; rev:3;)
That should cover most of the possible arguments.
First look at "alert". this first part can be a variation of settings. Alert, uses the alert method,
and logs the packets. Log will just log the packets. Pass will ignore the packets. Active will alert
and start another dynamic rule. dynamic, will only be triggered by an active rule.
The second part, "tcp", is what protocol. Choose between tcp, udp, icmp, and ip.
The third, "192.168.1.0/24,!192.168.2.0/24 any", deals with source IP. Let's look at the first IP
network. 192.168.1.0/24 shows the first group of IPs, 192.168.1.0-192.168.1.255. The second IP
network, "!192.168.2.0/24", separated by a comma, is the second group of IPs to monitor for this rule.
The exclamation point makes snort watch all IPs except the one defined after. You can also list IPs
in brackets.
... tcp ![192.168.1.0/24,192.168.2.0/24] any
You can set specific IPs by using a /32 subnet, instead of the common /8,/16,/24.
Let's look at the next fragment, "-> 192.168.0.0/24 80". This is more than obvious. You can see
since there is an arrow pointing from the source, that the next IP set is the destination. Just like
the source, you can set your destination the same way.
The last number "80" is the port to watch. You can set the source port the same way with the source
address in place of the "any". If you need to set a range, set a range of ports with a colon.
-> 192.168.0.0/24 80:1024
To make a wildcard range you can set "80: " which will scan all incoming going to port 80 and
greater. You can also reverse this to do less than like ":80". If you want to log all but a range of
ports, use the exclamation point.
!80:84
There are a few things that can be changed in these past few sections. First off, the IPs and ports
can be set to "any". You can also replace the "->" with "<>" which allow both IP sets to be either
source or destination.
The last part of the rule shows various options. If you look you will see "msg", "content",
"nocase", "sid", and "rev". Msg prints a message in the logs and alerts. Content searches for a
specific command in the packet payload. Nocase makes sure that the content is not case sensitive
when matching. Sid says what rule number it is, and rev tells what rule revision number it is. Let's
look at a list of other rule options.
(list provided by snort.org)
logto: log packet to specific filename
ttl: test the IP header's ttl value
tos: test the IP header's TOS value
id: test Ip header frag ID for specific value
ipoption: watch for specific codes in the IP option fields
fragbits: test frag bits of the IP header
dsize: test the packet's payload size compared to a value
flags: watch TCP flags for certain values
seq: watch TCP sequence for specific value
ack: watch TCP acknowledgement for specific value
itype: watch ICMP type for specific value
icode: watch ICMP code for specific value
icmp_id: compare ICMP ECHO ID for specific value
icmp_seq: compare ICMP ECHO sequence for specific value
content-list: watch for specific pattern in payload
offset: mod for content option, sets offset to attempt a pattern match
depth: mod for content option, sets max search depth for pattern
session: dumps app layer info for session
rpc: watch for RPC services for specific calls
resp: active response, helps close connections to stop attempts
react: active response, block sites
reference: external attack reference IDS
classtype: rule class identification
priority: rule severity identification
uricontent: search for pattern in URI part of packet
tag: advanced logging actions for rules
ip_proto: IP header protocol value
sameip: watch to see if destination IP = source IP
stateless: ignore stream state
regex: wildcard pattern matching
byte_test: numerical evaluation
distance: pattern matching to skip space
within: pattern matching within a count
byte_test: pattern testing by numbers
byte_jump: numerical pattern testing and offset adjust
If you look in your rule files, you might notice some variables like $EXTERNAL_NET, $HOME_NET, etc.
These can be set within the snort.conf file. Looking in there some variables are set to "any", and
some are commented out. Setting these can make setting rules a lot easier, and take a lot less time.
By setting these variables, you can then set your rules like so.
alert tcp $EXTERNAL_NET any -> $HOME_NET any
More on: http://www.snort.org/docs/writing_rules/chap2.html#sample%20snort%20rule
Now onto barnyard.
Installing Barnyard
First let's get a copy of barnyard.
[code:1:65c8e327aa]
($:~)=> cd /tmp ; fetch http://snort.org/dll/barnyard/barnyard-0.1.0.tar.gz
($:~)=> cd /usr/local/src
($:~)=> tar -xzvf /tmp/barnyard-0.1.0.tar.gz
[/code:1:65c8e327aa]
Now we need to do a little patching to barnyard so it recognizes sguil.
[code:1:65c8e327aa]
($:~)=> cd barnyard-0.1.0/src/output-plugins
($:~)=> cp /usr/local/src/sguil/sensor/barnyard_mods/op_sguil* .
($:~)=> cd ../..
($:~)=> ./configure --enable-mysql --with-mysql-includes=/usr/local/include/mysql --with-mysql-libraries=/usr/local/lib/mysql
[/code:1:65c8e327aa]
Now I promised patching, so here it is. We're going to edit the Makefile and build the new object
files. Since configure has already been run, editing the generated Makefile (rather than Makefile.in)
means it won't be overwritten during the compile.
[code:1:65c8e327aa]
($:~)=> cd src/output-plugins
($:~)=> vi Makefile
[/code:1:65c8e327aa]
Now let's search for the variable libop_a_SOURCES and change it accordingly.
libop_a_SOURCES = op_decode.c op_fast.c op_plugbase.c op_logdump.c op_decode.h op_fast.h
op_plugbase.h op_logdump.h op_alert_syslog.c op_alert_syslog.h op_log_pcap.c op_log_pcap.h
op_acid_db.c op_acid_db.h op_alert_csv.c op_alert_csv.h op_sguil.c op_sguil.h
Next search for libop_a_OBJECTS and change to below.
libop_a_OBJECTS = op_decode.o op_fast.o op_plugbase.o op_logdump.o op_alert_syslog.o
op_log_pcap.o op_acid_db.o op_alert_csv.o op_sguil.o
Save the file and exit. Now let's edit the next file.
[code:1:65c8e327aa]
($:~)=> vi op_plugbase.c
[/code:1:65c8e327aa]
Around line 27 you should see the area below. Go ahead and edit it like below:
[code:1:65c8e327aa]
#ifdef ENABLE_MYSQL
#include "op_acid_db.h"
#include "op_sguil.h"
#endif
[/code:1:65c8e327aa]
Then again around line 47:
[code:1:65c8e327aa]
#ifdef ENABLE_MYSQL
    AcidDbOpInit();
    SguilOpInit();
#endif
[/code:1:65c8e327aa]
Now build the plugins, then barnyard itself, and install it.
[code:1:65c8e327aa]
($:~)=> make
($:~)=> cd ../.. ; make
($:~)=> make install
[/code:1:65c8e327aa]
Congratulations, barnyard is now built and installed. Before configuring barnyard, let's go ahead
and create our sguil database.
[code:1:65c8e327aa]
($:~)=> mysql -u USERNAME -p
mysql> create database sguildb;
Query OK, 1 row affected (0.05 sec)
mysql> quit;
($:~)=> mysql -u USERNAME -p sguildb < /usr/local/src/sguil/server/sql_scripts/create_sguildb.sql
[/code:1:65c8e327aa]
Ok, now you have the sguil tables loaded. Make sure you give mysql a dedicated user and password
for sguild and barnyard, with privileges on the new database only; don't run them as the mysql root
account. Now let's get into configuring your barnyard conf.
[code:1:65c8e327aa]
($:~)=> cp /usr/local/src/barnyard-0.1.0/etc/barnyard.conf /usr/local/etc/snort/
($:~)=> vi /usr/local/etc/snort/barnyard.conf
[/code:1:65c8e327aa]
BARNYARD.CONF
OUTPUT SGUIL
Now add the line below somewhere in the configuration file. Remember to replace MYSQLUSER and
MYSQLPASS with your mysql database user and password for the sguildb. sguild_port is the port sguild
listens on for sensors (SENSORPORT in sguild.conf), not the port the client uses.
output sguil: mysql, sensor_id 0, database sguildb, server localhost, user MYSQLUSER, password MYSQLPASS, sguild_host localhost, sguild_port 7736
CONFIG HOSTNAME
Search for the config hostname field. This is the sensor name barnyard reports to sguild, so use the
same name you gave the portscan preprocessor, and don't forget to change dominion to yours.
config hostname: dominion
CONFIG INTERFACE
The interface snort is attached to:
config interface: xl0
You may want to read through the rest of the conf file to do further tweaking, like setting it to
be a daemon or other options. Ok, we're coming close to finishing here. Next we need to modify some
of the other sensor, server, and client scripts.
[code:1:65c8e327aa]
($:~)=> cd /usr/local/src/sguil/server
($:~)=> vi sguild
[/code:1:65c8e327aa]
Now we need to change the command interpreter to the correct location. Point it at the tclsh the
ports tree installed (ls /usr/local/bin/tclsh* will show it) and make sure the script is executable.
#!/usr/local/bin/tcl
Save and exit. Now let's edit its configuration file.
SGUILD.CONF
DEBUG is useful when you're installing and configuring sguil, to ensure that things are
communicating properly with one another. Once you get it working you should set this to off and
use daemon mode.
set DEBUG 1
DAEMON is for using daemon mode: 1 is on and 0 is off. You could also give sguild the switch
-D to do the same thing.
[code:1:65c8e327aa]
set DAEMON 0
set SERVERPORT 7734
set SENSORPORT 7736
[/code:1:65c8e327aa]
RULESDIR is where we are keeping our snort rules. Pretty easy to follow conf file.
set RULESDIR /snort_data/rules
TMPDATADIR is where we are going to temporarily store the portscan and session data.
set TMPDATADIR /tmp
Now we need our sguildb database information. Use the user and password you created for the
database, not the mysql root account.
set DBNAME sguildb
set DBUSER MYSQLUSER
set DBPASS MYSQLPASS
set DBHOST localhost
set DBPORT 3306
Now we're going to make a few symbolic links so sguild and the sensor scripts find the directories
we created earlier under /var/log/snort, and the rules.
[code:1:65c8e327aa]
($:~)=> ln -s /var/log/snort /snort_data
($:~)=> ln -s /usr/local/etc/snort/rules/ /snort_data/rules
($:~)=> ln -s /usr/local/etc/snort/rules/ /snort_data/rules/sguil
[/code:1:65c8e327aa]
sguild looks up a sensor's rules under $RULESDIR/<sensor name>, so if the client can't show you the
rule that fired, check that the name of that last link matches the sensor name you used in
snort.conf and barnyard.conf (dominion in this guide).
Now we need to add a user to sguild; this is pretty simple. Give it the user name you want to log in
to the client with, and it will prompt for a password.
[code:1:65c8e327aa]
($:~)=> cd /usr/local/src/sguil/server/ ; ./sguild -adduser <username>
[/code:1:65c8e327aa]
You would alternatively run ./sguild -deluser <username> to delete a user.
Ok, let's move onto the next script to modify.
SENSOR_AGENT.TCL
[code:1:65c8e327aa]
($:~)=> vi /usr/local/src/sguil/sensor/sensor_agent.tcl
[/code:1:65c8e327aa]
Edit the interpreter line to reflect the correct location, as you did for sguild.
#!/usr/local/bin/tcl
Config options in this file are simple. SERVER_PORT is sguild's SENSORPORT (7736), not the client
port, and HOSTNAME is the sensor name this agent's portscan and session data gets filed under, so
use the same name as in snort.conf and barnyard.conf:
set SERVER_HOST localhost
set SERVER_PORT 7736
set HOSTNAME dominion
set PORTSCAN_DIR /snort_data/portscans
set SSN_DIR /snort_data/ssn_logs
set WATCH_DIR /snort_data
set PS_CHECK_DELAY_IN_MSECS 10000
set SSN_CHECK_DELAY_IN_MSECS 10000
set DISK_CHECK_DELAY_IN_MSECS 1800000
set PING_DELAY 300000
set DEBUG 0
Save and exit. Now let's move onto xscriptd.
XSCRIPTD
[code:1:65c8e327aa]
($:~)=> vi /usr/local/src/sguil/server/xscriptd
[/code:1:65c8e327aa]
Edit the interpreter line to reflect the correct location.
#!/usr/local/bin/tcl
If you've been reading the other configuration files then this one should be a breeze.
set SERVERPORT 7735
Since in this document the sensor is on the same box as xscriptd, the option below gets set to 1.
If you set this up to pull packets from a remote sensor box, I suggest you read through the install
manual on setting it up using ssh keys.
set LOCALSENSOR 1
Debug. Once again it's good to enable for initial testing, but later on you might wish to turn this
off.
set DEBUG 1
The next option is where you want to archive the raw files locally when transcripts are requested.
set LOCAL_LOG_DIR /snort_data/archive
Where xscriptd can find the raw packet logs on the sensor:
set REMOTE_LOG_DIR /snort_data/dailylogs
If LOCALSENSOR is set to 0 then TCPDUMP needs to be the path to tcpdump on the sensor.
set TCPDUMP "/usr/sbin/tcpdump"
The next option is where tcpflow is located. You did remember to install this from the ports,
didn't you?
set TCPFLOW "/usr/local/bin/tcpflow -c"
Save and exit. Now we're onto the next file.
LOG_PACKETS.SH
[code:1:65c8e327aa]
($:~)=> vi /usr/local/src/sguil/sensor/log_packets.sh
[/code:1:65c8e327aa]
Config options here are pretty simple if you've been following along.
SNORT_PATH="/usr/local/bin/snort"
LOG_DIR="/snort_data/dailylogs"
INTERFACE="xl0"
PIDFILE="/var/run/snort_log.pid"
PRIORITY="local4.alert"
Save and exit. Next make a link to /usr/local/bin.
[code:1:65c8e327aa]
($:~)=> ln -s /usr/local/src/sguil/sensor/log_packets.sh /usr/local/bin/
[/code:1:65c8e327aa]
Next we're going to make a cron job to restart log_packets.sh every hour, so the full packet logs
roll over into a new file each hour.
[code:1:65c8e327aa]
($:~)=> echo "00 0-23/1 * * * root /usr/local/bin/log_packets.sh restart 1>/dev/null 2>&1" >> /etc/crontab
[/code:1:65c8e327aa]
We're almost done here. Let's edit the sguil client now.
SGUIL.TK
[code:1:65c8e327aa]
($:~)=> vi /usr/local/src/sguil/client/sguil.tk
[/code:1:65c8e327aa]
The only thing we need to modify here is our wish version. Change the wish statement to yours.
exec wish8.3 -f "$0" ${1+"$@"}
Moving on down the line of files, let's go ahead and edit the sguil.conf file.
SGUIL.CONF
[code:1:65c8e327aa]
($:~)=> vi /usr/local/src/sguil/client/sguil.conf
[/code:1:65c8e327aa]
This configuration file pretty much follows the other ones. Not too hard if you read it as you're
going along. SERVERPORT is sguild's client port and XSCRIPT_SERVER_PORT is xscriptd's; they must
match what you set in sguild.conf and xscriptd.
set SERVERPORT 7734
set XSCRIPT_SERVER_PORT 7735
set SERVERHOST localhost
Remember once you're done with testing to turn debug off.
set DEBUG 1
We plan on using OpenSSL between the client and server, so set this to 1 (1 = on, 0 = off).
set OPENSSL 1
The next line is where our SSL/TLS lib is located. The devel/tcltls port installs under /usr/local,
so check ls /usr/local/lib/tls*/ and use the path it shows:
set TLS_PATH /usr/local/lib/tls1.4/libtls1.4.so
Now we're going to use an enhanced version of whois; this is the location where it will be placed.
set WHOIS_PATH /common/bin/awhois.sh
Where ethereal is located:
set ETHEREAL_PATH /usr/X11R6/bin/ethereal
You probably want at some point to view certain rules on snort.org, so we need to specify our web
browser in this field.
set BROWSER_PATH /usr/local/bin/konqueror
Now let's jump down to changing our mail server settings.
set MAILSERVER mail.yourdomain.com
set HOSTNAME yourdomain.com
set EMAIL_FROM Abuse@yourdomain.com
set EMAIL_CC ""
set EMAIL_SUBJECT "Incident Report"
Save and exit. Now let's get the awhois.sh script that we specified above.
[code:1:65c8e327aa]
($:~)=> mkdir /common
($:~)=> mkdir /common/bin
($:~)=> cd /common/bin
($:~)=> fetch ftp://ftp.weird.com/pub/local/awhois.sh
($:~)=> chmod 555 awhois.sh
[/code:1:65c8e327aa]
Ok, now that that's taken care of, let's set up OpenSSL support. First we need to install the Tcl
OpenSSL extension (tls). Lucky for us, it's in the ports tree.
[code:1:65c8e327aa]
($:~)=> cd /usr/ports/devel/tcltls ; make install clean
[/code:1:65c8e327aa]
Now we need to generate an SSL cert. The first command makes a self-signed CA; with -new and no
-key it also generates the CA's private key, writes it to privkey.pem (it will ask you for a
passphrase) and that file is what the signing step below refers to.
[code:1:65c8e327aa]
($:~)=> mkdir -p /etc/sguild/certs
($:~)=> cd /etc/sguild/certs
($:~)=> openssl req -out CA.pem -new -x509
[/code:1:65c8e327aa]
Now generate the server key, make a request with it, and sign the request with the CA.
-CAcreateserial creates the serial-number file the first time around; without it the command fails
because file.srl doesn't exist yet. The last command checks that the cert chains to your CA and
should print "sguild.pem: OK".
[code:1:65c8e327aa]
($:~)=> openssl genrsa -out sguild.key 1024
($:~)=> openssl req -key sguild.key -new -out sguild.req
($:~)=> openssl x509 -req -in sguild.req -CA CA.pem -CAkey privkey.pem -CAcreateserial -CAserial file.srl -out sguild.pem
($:~)=> openssl verify -CAfile CA.pem sguild.pem
[/code:1:65c8e327aa]
Now you should have a brand new cert for sguild signed by your own CA. Congratulations. Two things
to keep in mind: both openssl req -x509 and openssl x509 -req default to a 30 day lifetime, so add
-days to each if you don't want to redo this monthly, and CA.pem's key (privkey.pem) and sguild.key
should be readable only by the user sguild runs as (chmod 600). Also keep ports 7734-7736
firewalled from untrusted networks; a remote client only needs 7734 and 7735, and those can ride the
SSH tunnel from the introduction. All the config files should be done editing and now you're ready
to play with your new toy. So let's start up these services, shall we.
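Before starting anything it is worth checking that the ports and names scattered across the five config files actually agree, since a port or sensor-name typo is the usual reason the client connects fine but never shows an alert. The script below is an added example for this page, not part of sguil: it reads the set NAME VALUE lines that sguild.conf, sensor_agent.tcl, xscriptd and sguil.conf all use, plus the config and output sguil: lines from barnyard.conf, and reports every disagreement. The config fragments embedded in it are constructed to mirror this guide, with a deliberately wrong second sensor_agent.tcl to show what a finding looks like. One check is based on an assumption the howto itself doesn't spell out: that barnyard's config hostname and sensor_agent's HOSTNAME must be the same sensor name, since that name is how sguild ties barnyard's alerts and the agent's portscan/session data to one sensor row in the database.

```python
"""Cross-check the ports and names sguil's pieces must agree on (added example
for this page, not part of sguil; the config text below is constructed)."""
import re

SGUILD_CONF = """
set DEBUG 1
set DAEMON 0
set SERVERPORT 7734
set SENSORPORT 7736
set DBNAME sguildb
set DBUSER sguil
set DBPASS s3cret
"""
SENSOR_AGENT_TCL = """
set SERVER_HOST localhost
set SERVER_PORT 7736
set HOSTNAME dominion
"""
XSCRIPTD = "set SERVERPORT 7735\nset LOCALSENSOR 1\n"
SGUIL_CONF = "set SERVERPORT 7734\nset XSCRIPT_SERVER_PORT 7735\nset SERVERHOST localhost\n"
BARNYARD_CONF = """
output sguil: mysql, sensor_id 0, database sguildb, server localhost, user sguil, password s3cret, sguild_host localhost, sguild_port 7736
config hostname: dominion
config interface: xl0
"""
# Deliberately broken agent: pointed at the client port, and registering under
# a different sensor name than barnyard reports (both are common mistakes).
SENSOR_AGENT_BAD = "set SERVER_HOST localhost\nset SERVER_PORT 7734\nset HOSTNAME localhost\n"

SET_RE = re.compile(r"^\s*set\s+(\w+)\s+(.+?)\s*$", re.M)

def tcl_sets(text):
    """Collect the 'set NAME VALUE' lines the sguil Tcl configs are made of."""
    return {k: v.strip('"') for k, v in SET_RE.findall(text)}

def barnyard_settings(text):
    """'config key: value' lines plus the fields of the 'output sguil:' line."""
    out = dict(re.findall(r"^\s*config\s+(\w+):\s*(.+?)\s*$", text, re.M))
    m = re.search(r"^\s*output\s+sguil:\s*(.+?)\s*$", text, re.M)
    if m:
        for field in m.group(1).split(","):
            parts = field.strip().split(None, 1)  # "sguild_port 7736" -> key, value
            if len(parts) == 2:
                out["sguil_" + parts[0]] = parts[1]
    return out

def check(sguild, agent, xscriptd, client, barnyard):
    """Return a list of mismatches; an empty list means the pieces agree."""
    problems = []

    def expect(cond, msg):
        if not cond:
            problems.append(msg)

    expect(agent.get("SERVER_PORT") == sguild.get("SENSORPORT"),
           "sensor_agent SERVER_PORT must equal sguild SENSORPORT")
    expect(barnyard.get("sguil_sguild_port") == sguild.get("SENSORPORT"),
           "barnyard sguild_port must equal sguild SENSORPORT")
    expect(client.get("SERVERPORT") == sguild.get("SERVERPORT"),
           "sguil.conf SERVERPORT must equal sguild SERVERPORT")
    expect(client.get("XSCRIPT_SERVER_PORT") == xscriptd.get("SERVERPORT"),
           "sguil.conf XSCRIPT_SERVER_PORT must equal xscriptd SERVERPORT")
    expect(len({sguild.get("SERVERPORT"), sguild.get("SENSORPORT"),
                xscriptd.get("SERVERPORT")}) == 3,
           "sguild client port, sguild sensor port and xscriptd port must all differ")
    # Assumption (see lead-in): sguild files both data sources under one sensor name.
    expect(barnyard.get("hostname") == agent.get("HOSTNAME"),
           "barnyard 'config hostname' and sensor_agent HOSTNAME must be the same sensor name")
    expect(barnyard.get("sguil_database") == sguild.get("DBNAME")
           and barnyard.get("sguil_user") == sguild.get("DBUSER")
           and barnyard.get("sguil_password") == sguild.get("DBPASS"),
           "barnyard and sguild must use the same database, user and password")
    expect(not (sguild.get("DAEMON") == "1" and sguild.get("DEBUG") == "1"),
           "turn sguild DEBUG off before enabling DAEMON")
    return problems

def check_texts(sguild_txt, agent_txt, xscriptd_txt, client_txt, barnyard_txt):
    """Convenience wrapper taking the raw file contents."""
    return check(tcl_sets(sguild_txt), tcl_sets(agent_txt), tcl_sets(xscriptd_txt),
                 tcl_sets(client_txt), barnyard_settings(barnyard_txt))

if __name__ == "__main__":
    for label, agent in (("good", SENSOR_AGENT_TCL), ("bad", SENSOR_AGENT_BAD)):
        print(label, check_texts(SGUILD_CONF, agent, XSCRIPTD, SGUIL_CONF, BARNYARD_CONF))
```

To use it on a real install, replace the embedded strings with `open(path).read()` of the five files; the good set above returns an empty list, and the broken agent produces two findings, one for the port and one for the sensor name.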
Starting Sguild (Server)
[code:1:65c8e327aa]
($:~)=> /usr/local/src/sguil/server/sguild -o -c /usr/local/src/sguil/server/sguild.conf -u /usr/local/src/sguil/server/sguild.users -D
[/code:1:65c8e327aa]
Side note: the -o option is for OpenSSL support and -D is to daemonize the process.
Start Log_Packets.sh
[code:1:65c8e327aa]
($:~)=> /usr/local/bin/log_packets.sh start
[/code:1:65c8e327aa]
Start Barnyard
[code:1:65c8e327aa]
($:~)=> /usr/local/bin/barnyard -c /usr/local/etc/snort/barnyard.conf -d /var/log/snort -g /usr/local/etc/snort/gen-msg.map -s /usr/local/etc/snort/sid-msg.map -f snort.log -w /usr/local/etc/snort/waldo.file
[/code:1:65c8e327aa]
The -f argument must match the filename in snort's output log_unified line, and -w is the waldo
(bookmark) file, so barnyard picks up where it left off in the unified log after a restart instead
of re-inserting old alerts.
Start Snort
[code:1:65c8e327aa]
($:~)=> /usr/local/bin/snort -c /usr/local/etc/snort/snort.conf -l /var/log/snort -D
[/code:1:65c8e327aa]
Starting Sensor_agent.tcl
[code:1:65c8e327aa]
($:~)=> /usr/local/src/sguil/sensor/sensor_agent.tcl
[/code:1:65c8e327aa]
Starting xscriptd
[code:1:65c8e327aa]
($:~)=> /usr/local/src/sguil/server/xscriptd
[/code:1:65c8e327aa]
Starting Sguil (Client)
[code:1:65c8e327aa]
($:~)=> /usr/local/src/sguil/client/sguil.tk
[/code:1:65c8e327aa]
Congratulations, Sguil should be up and running. Enjoy playing with your new toy.
If you have any problems installing this, you can either post your problems in the forum topic on
this at BSDHound's Forums
(http://bsdhound.dnsalias.net:81/modules.php?name=Forums&file=viewtopic&p=1991#1991) or the nice
guys over at irc.freenode.net will help you out. They can be found in #snort-gui. Enjoy and good luck.
References used:
Sguil Install guide - http://sguil.sourceforge.net/install.txt
Richard Bejtlich's Red Hat 7.3 install guide - http://sguil.sourceforge.net/sguil_install_v1-0.pdf
My Brain
The great guys over at #snort-gui on irc.freenode.net
Special thanks to those who helped out in this article:
Strog (http://bsdhound.com/modules.php?name=Forums&file=profile&mode=viewprofile&u=27&sid=96066b5b77029d66419d3aa3eb6ba993),
Kernel_Killer (http://bsdhound.com/modules.php?name=Your_Account&op=userinfo&uname=Kernel_Killer), Bamm
Original Article Source:
http://bsdhound.dnsalias.net:81/modules.php?name=News&file=print&sid=234
Prerequisites
There are some required packages that you're going to need to install in order to get this to work.
But have no fear, the ports are here.
Festival:
Let's start off with /usr/ports/audio/festival. You can try installing this port, but when I tried,
the port was broken. That's no big deal; it just means you're not going to get any sound. But you
can try; who knows, perhaps today is the lucky day a new Makefile enters the ports tree.
festival-devel:
Yet another broken port, but no big deal... Let's move on down the line.
Itcl:
/usr/ports/lang/itcl. [incr Tcl] is an object oriented extension to Tcl. The [incr Tcl] language
is also known as "itcl". Just a standard install of the port will be fine.
Tclx:
/usr/ports/lang/tclX. Extended Tcl (TclX) is a set of extensions to Tcl, the Tool Command
Language invented by Dr. John Ousterhout of the University of California at Berkeley. Tcl is a
powerful, yet simple embeddable programming language. Extended Tcl is oriented towards Unix system
programming tasks, with many additional interfaces to the Unix operating system. It is upwardly
compatible with Tcl. You take the Extended Tcl package, add it to Tcl, and from that you get
Extended Tcl. Normal install from the ports tree on this one also.
MySQL-server:
/usr/ports/databases/mysqlxxx-server. There is a trick to this one. See, I recently upgraded to
FreeBSD 5.1 and I was using mysql323, but without the new GCC or EGCS you're not going to be able to
install it from the ports tree. You're going to have to use mysql40. However, the way we're going to
install MySQL is going to be a little different than usual. MySQL by default disables local infile,
so edit the Makefile and do what you gotta do to get it to pass the argument --enable-local-infile. The
best way that comes to my mind is to edit the Makefile inside your ports directory and look for a
statement like below:
[code:1:65c8e327aa]
.if ${MACHINE_ARCH} == "i386"
CONFIGURE_ARGS+=--enable-assembler --with-berkeley-db
.endif
[/code:1:65c8e327aa]
And change it to below: (Make sure you pick your correct architecture)
[code:1:65c8e327aa]
.if ${MACHINE_ARCH} == "i386"
CONFIGURE_ARGS+=--enable-assembler --with-berkeley-db --enable-local-infile
.endif
[/code:1:65c8e327aa]
Mysqltcl:
/usr/ports/databases/mysqltcl. MySQLTcl is a collection of Tcl commands and a Tcl global array that
provide access to one or more mysql database servers. A standard install will be fine.
tcpflow:
/usr/ports/net/tcpflow/. tcpflow is a program that captures data transmitted as part of TCP
connections (flows), and stores it in a way that is convenient for protocol analysis or debugging. A
program like 'tcpdump' only shows a summary of packets seen on the wire, but usually doesn't store
the data that's actually being transmitted. In contrast, tcpflow reconstructs the actual data
streams and stores each flow in a separate file for later analysis. Another normal install here too.
See Sguil in action.
Below are a couple of screen shots I decided to take to show you what you're going to be working for.
It's well worth it, and I'm more than sure you will enjoy it as much as I do.
Login Screen (http://bsdhound.com/images/stories/july_03/sguil2.png)
Sguil is set up so no ordinary user can log in and read through your logs, which we all would come to
expect. It offers a secure SSL layer from the client to the server and encrypted passwords, whereas
in acid all you needed to know was the address it was on (that's if the admin was dumb and
didn't secure it properly).
Sensors (http://bsdhound.com/images/stories/july_03/sguil1.png)
Sguil will not only watch your server; you can set up other sensors to monitor more than one
workstation at a time, by going through SSH. However, we will not be covering this in this document.
Perhaps in the future.
Realtime Monitoring (http://bsdhound.com/images/stories/july_03/sguil3.png)
Just sit back, grab a beer and watch. No need for refreshes or anything. You can even perform SQL
queries to search for specific events. Since the application runs in real time, that means you can
easily see what's happening before and after the attack.
Information (http://bsdhound.com/images/stories/july_03/sguil4.png)
Sguil gives a nice clean layout while giving all the information you should need: a great whois
interface, packet information, good portscan data, DNS lookups, sources, etc. You catch the idea.
So how do things work?
Below is a diagram of how the scripts work together. Study it for a bit before reading on.
http://bsdhound.dnsalias.net:81/images/stories/july_03/sguil5.png
There are 3 parts to sguil: the server, client, and sensors.
Client:
Sguil.tk - Analysis GUI client.
Sensors:
sensor_agent.tcl - a script that runs on the sensor that loads portscan, session, and sensor
statistics to the sguild server.
log_packets.sh - a shell script that runs a second instance of snort to log all packets for
correlation. Meant to be installed in a crontab.
Servers:
sguild - The Sguil server (again a TCL script). This is the brains behind this whole mess. This
stuff gets installed on the database server.
xscriptd - A TCL script that takes requests from the client for correlation data, goes and gets the
packets off of the sensor, and then sends them to the client.
Misc:
Barnyard - barnyard takes the task of processing alerts away from snort, so snort can log alerts
faster, among other things. Snort isn't threaded. That means any time you add load with an expensive
output plugin (like inserting into a DB), you can cause snort to 'block' and drop packets.
Installing Sguil
Obtaining SGUIL:
Getting your copy of sguil is easy thanks to sourceforge and their almighty network.
[code:1:65c8e327aa]
($:~)=> cd /usr/local/src
($:~)=> cvs -d:pserver:anonymous@cvs.sourceforge.net:/cvsroot/sguil login
[/code:1:65c8e327aa]
Hit Enter when prompted for a password, then check out the tree using the same host you logged in to:
[code:1:65c8e327aa]
($:~)=> cvs -z3 -d:pserver:anonymous@cvs.sourceforge.net:/cvsroot/sguil checkout sguil
($:~)=> cvs -d:pserver:anonymous@cvs.sourceforge.net:/cvsroot/sguil logout
[/code:1:65c8e327aa]
Installing Snort:
[code:1:65c8e327aa]
($:~)=> mkdir /usr/local/etc/snort
($:~)=> mkdir /usr/local/etc/snort/rules
($:~)=> mkdir /var/log/snort
($:~)=> mkdir /var/log/snort/portscans
($:~)=> mkdir /var/log/snort/ssn_logs
($:~)=> mkdir /var/log/snort/dailylogs
($:~)=> mkdir /var/log/snort/archive
($:~)=> cd /usr/ports/security/snort
($:~)=> make extract
($:~)=> cd work/snort-2.0.0/src/preprocessors/
[/code:1:65c8e327aa]
Now what we're doing here is we need to patch 2 files before we begin our compile. So remember,
whenever you do a portupgrade and you see snort on the list, remember to patch it again.
[code:1:65c8e327aa]
($:~)=> patch -p0 spp_portscan.c < /usr/local/src/sguil/sensor/snort_mods/2_0/spp_portscan_sguil.patch
[/code:1:65c8e327aa]
You should be presented with an output like below:
[code:1:65c8e327aa]
Hmm... Looks like a new-style context diff to me...
The text leading up to this was:
--------------------------
|Index: spp_portscan.c
|===================================================================
|RCS file: /cvsroot/snort/snort/src/preprocessors/spp_portscan.c,v
|retrieving revision 1.45
|diff -c -r1.45 spp_portscan.c
|*** spp_portscan.c 26 Mar 2003 21:59:48 -0000 1.45
|--- spp_portscan.c 1 May 2003 15:02:50 -0000
--------------------------
Patching file spp_portscan.c using Plan A...
Reversed (or previously applied) patch detected! Assume -R? [y]
Hunk #1 succeeded at 22.
Hunk #2 succeeded at 234.
Hunk #3 succeeded at 981.
Hunk #4 succeeded at 1233.
Hunk #5 succeeded at 1241.
Hunk #6 succeeded at 1263.
Hunk #7 succeeded at 1382.
Hunk #8 succeeded at 1406.
Hunk #9 succeeded at 1507.
Done
[/code:1:65c8e327aa]
Congrats, you patched 1 file. Now we need to do the same to another file, then build and install the
patched snort. Do not include clean in the make target.
[code:1:65c8e327aa]
($:~)=> patch -p0 spp_stream4.c < /usr/local/src/sguil/sensor/snort_mods/2_0/spp_stream4_sguil.patch
($:~)=> cd ../../..
($:~)=> make -DWITH_MYSQL=yes install
($:~)=> mkdir /usr/local/etc/snort
($:~)=> cd /usr/ports/security/snort/work/snort-2.0.0/etc
($:~)=> cp gen-msg.map snort.conf reference.config snort.conf.orig sid classification.config sid-msg.map /usr/local/etc/snort/
($:~)=> cd /usr/local/etc/snort
($:~)=> vi snort.conf
[/code:1:65c8e327aa]
OK, here we will be making some changes to snort's configuration file so it knows how to function with
sguil. The first thing we're going to change here is HOME_NET. Please remember this is a very basic
configuration of snort. I'm leaving it up to you to configure snort the way you like it.
SNORT.CONF
HOME_NET
This option tells snort the IP address range associated with your external interface. An example would be
var HOME_NET 10.1.1.0/24. If you have multiple interfaces on which snort is going to be listening,
you would make it look like var HOME_NET [10.1.1.0/24,192.168.1.0/24].
EXTERNAL_NET
Same as HOME_NET except this is an external net; you get the idea: var EXTERNAL_NET any
DNS_SERVERS
These are the DNS servers on your network. So you could have something like: var DNS_SERVERS
[68.100.16.30/32,68.100.25/32,10.52.1.1/32]
RULE_PATH
This is where your snort rules are located. Pretty self explanatory. We're going to use var
RULE_PATH /usr/local/etc/snort/rules since that's the directory we made for it above.
PREPROCESSOR STREAM4
This option sets how you want snort to inspect your TCP streams. We're going to set it up like:
preprocessor stream4: detect_scans, disable_evasion_alerts, keepstats db /var/log/snort/ssn_logs
PREPROCESSOR PORTSCAN
preprocessor portscan: $HOME_NET 4 3 /var/log/snort/portscans dominion (replace dominion
with your system hostname)
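The two numbers after $HOME_NET are the preprocessor's threshold: how many distinct ports one source may hit within how many seconds before a scan is logged (4 ports in 3 seconds here, the same values the stock snort.conf ships with), and the trailing hostname is what the sguil patch adds so sguild can tell sensors apart. As an added illustration, not Snort's own code, here is a small Python model of that sliding-window check run over a few constructed connection attempts; the network, hostname and sample traffic are assumptions taken from the howto's own examples, and Snort's stealth-scan detection by TCP flag combination is left out.

```python
"""Sliding-window model of the 'preprocessor portscan' threshold:
report a source once it touches N distinct (host, port) targets inside the
monitored network within W seconds.  Added example, not Snort's own code;
Snort's real preprocessor additionally flags stealth scans by TCP flags."""
from collections import defaultdict, deque
import ipaddress

# Constructed sample of TCP connection attempts: (timestamp, src, dst, dport).
SAMPLE_EVENTS = [
    (100.0, "203.0.113.7", "10.1.1.5", 21),
    (100.5, "203.0.113.7", "10.1.1.5", 22),
    (101.0, "203.0.113.7", "10.1.1.5", 23),
    (101.5, "203.0.113.7", "10.1.1.5", 25),    # 4th distinct port within 3 s
    (102.0, "203.0.113.7", "10.1.1.5", 80),    # same scan, already reported
    (110.0, "198.51.100.9", "10.1.1.5", 80),   # busy but legitimate web client
    (110.5, "198.51.100.9", "10.1.1.5", 80),
    (111.0, "198.51.100.9", "10.1.1.5", 80),
    (111.5, "198.51.100.9", "10.1.1.5", 80),
    (200.0, "203.0.113.7", "10.1.1.5", 443),   # slow probe: one port per 10 s,
    (210.0, "203.0.113.7", "10.1.1.5", 8080),  # never reaches 4 ports in 3 s
    (220.0, "203.0.113.7", "10.1.1.5", 3306),
    (230.0, "203.0.113.7", "10.1.1.5", 5432),
    (240.0, "203.0.113.7", "172.16.0.1", 22),  # outside $HOME_NET, ignored
]


class PortscanDetector:
    # Defaults mirror the howto's line: $HOME_NET 4 3 ... dominion (assumed values).
    def __init__(self, monitor_net="10.1.1.0/24", ports=4, seconds=3, sensor="dominion"):
        self.net = ipaddress.ip_network(monitor_net)   # $HOME_NET
        self.ports = ports                            # "4": distinct targets needed
        self.seconds = seconds                        # "3": detection period
        self.sensor = sensor                          # hostname the sguil patch adds
        self.window = defaultdict(deque)              # src -> deque of (ts, dst, dport)
        self.open_scans = set()                       # sources already reported

    def feed(self, ts, src, dst, dport):
        """Process one event; return an alert tuple or None."""
        if ipaddress.ip_address(dst) not in self.net:
            return None
        q = self.window[src]
        q.append((ts, dst, dport))
        # Drop everything older than the detection period.
        while ts - q[0][0] > self.seconds:
            q.popleft()
        targets = {(d, p) for _, d, p in q}
        if len(targets) >= self.ports:
            if src in self.open_scans:
                return None                           # continuing scan: one report
            self.open_scans.add(src)
            return (self.sensor, src, sorted(p for _, p in targets), ts)
        self.open_scans.discard(src)                  # window went quiet: scan ended
        return None


def run(events, **kw):
    """Feed every event through one detector and collect the alerts."""
    det = PortscanDetector(**kw)
    return [a for a in (det.feed(*e) for e in events) if a is not None]
```

run(SAMPLE_EVENTS) reports one scan from 203.0.113.7 at t=101.5 and nothing for the slow probe that spaces its connections ten seconds apart; widening the window (run(SAMPLE_EVENTS, seconds=60)) catches that one too. That is the trade-off the two numbers let you tune: a longer window or lower port count sees slower scans but also starts flagging busy legitimate clients.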
OUTPUT LOG_UNIFIED
The unified output plugin provides two new formats for logging and generating alerts from Snort, the
"unified" format. The unified format is a straight binary format for logging data out of Snort that
is designed to be fast and efficient: output log_unified: filename snort.log, limit 128
Now go ahead and do further configuration of snort, then save and exit. The next thing we need to do is
update our snort rules. It's best to have the latest rules to play with.
[code:1:65c8e327aa]
($:~)=> cd /tmp ; fetch http://www.snort.org/downloads/snortrules.tar.gz
($:~)=> cd /usr/local/etc/snort/rules
($:~)=> tar -xzf /tmp/snortrules.tar.gz
[/code:1:65c8e327aa]
Congratulations, you now have snort installed. Since we got some rules installed, Kernel_Killer
(http://bsdhound.com/modules.php?name=Your_Account&op=userinfo&uname=Kernel_Killer) was nice enough to give us some documentation on editing your rules.
SNORT RULES
To change rule arguments, you need to change the snort.conf file to point to your desired set of
rules in the /usr/local/etc/snort/rules directory. Remember, adding several rules can slow your
system down, and cause several problems for slower systems.
In the snort.conf file, add something like this:
include $RULE_PATH/test.rules
You should add this in the area with the other rulesets. You can also change the ruleset local.rules
since it is empty.
Let's look at how rules are fragmented.
alert tcp 192.168.1.0/24,!192.168.2.0/24 any -> 192.168.0.0/24 80 (msg:"HTTP attempt";
content:"EXECUTE_SYSTEM"; nocase; classtype:system-call-detect; sid:1673; rev:3;)
That should cover most of the possible arguments.
First look at "alert". This first part can be a variation of settings. Alert uses the alert method,
and logs the packets. Log will just log the packets. Pass will ignore the packets. Active will alert
and start another dynamic rule. Dynamic will only be triggered by an active rule.
The second part, "tcp", is what protocol. Choose between tcp, udp, icmp, and ip.
The third, "192.168.1.0/24,!192.168.2.0/24 any", deals with source IP. Let's look at the first IP
network. 192.168.1.0/24 shows the first group of IPs, 192.168.1.0-192.168.1.255. The second IP
network, "!192.168.2.0/24", separated by a comma, is the second group of IPs to monitor for this rule.
The exclamation point makes snort watch all IPs except the one defined after. You can also list IPs
in brackets.
... tcp ![192.168.1.0/24,192.168.2.0/24] any
You can set specific IPs by using a /32 subnet, instead of the common /8,/16,/24.
Let's look at the next fragment, "-> 192.168.0.0/24 80". This is more than obvious. You can see,
since there is an arrow pointing from the source, that the next IP set is the destination. Just like
the source, you can set your destination the same way.
The last number, "80", is the port to watch. You can set the source port the same way with the source
address in place of the "any". If you need to set a range, set a range of ports with a colon.
-> 192.168.0.0/24 80:1024
To make a wildcard range you can set "80: " which will scan all incoming going to port 80 and
greater. You can also reverse this to do less than like ":80". If you want to log all but a range of
ports, use the exclamation point.
!80:84
There are a few things that can be changed in these past few sections. First off, the IPs and ports
can be set to "any". You can also replace the "->" with "<>", which allows both IP sets to be either
source or destination.
The last part of the rule shows various options. If you look you will see "msg", "content",
"nocase", "sid", and "rev". Msg prints a message in the logs and alerts. Content searches for a
specific command in the packet payload. Nocase makes sure that the content is not case sensitive
when matching. Sid says what rule number it is, and rev tells what rule revision number it is. Let's
look at a list of other rule options.
(list provided by snort.org)
logto: log packet to specific filename
ttl: test the IP header's ttl value
tos: test the IP header's TOS value
id: test Ip header frag ID for specific value
ipoption: watch for specific codes in the IP option fields
fragbits: test frag bits of the IP header
dsize: test the packet's payload size compared to a value
flags: watch TCP flags for certain values
seq: watch TCP sequence for specific value
ack: watch TCP acknowledgement for specific value
itype: watch ICMP type for specific value
icode: watch ICMP code for specific value
icmp_id: compare ICMP ECHO ID for specific value
icmp_seq: compare ICMP ECHO sequence for specific value
content-list: watch for specific pattern in payload
offset: mod for content option, sets offset to attempt a pattern match
depth: mod for content option, sets max search depth for pattern
session: dumps app layer info for session
rpc: watch for RPC services for specific calls
resp: active response, helps close connections to stop attempts
react: active response, block sites
reference: external attack reference IDS
classtype: rule class identification
priority: rule severity identification
uricontent: search for pattern in URI part of packet
tag: advanced logging actions for rules
ip_proto: IP header protocol value
sameip: watch to see if destination IP = source IP
stateless: ignore stream state
regex: wildcard pattern matching
byte_test: numerical evaluation
distance: pattern matching to skip space
within: pattern matching within a count
byte_test: pattern testing by numbers
byte_jump: numerical pattern testing and offset adjust
If you look in your rule files, you might notice some variables like $EXTERNAL_NET, $HOME_NET, etc.
These can be set within the snort.conf file. Looking in there some variables are set to "any", and
some are commented out. Setting these can make setting rules a lot easier, and take a lot less time.
By setting these variables, you can then set your rules like so.
alert tcp $EXTERNAL_NET any -> $HOME_NET any
More on: http://www.snort.org/docs/writing_rules/chap2.html#sample%20snort%20rule
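As an added example (not Snort's code and not part of Kernel_Killer's notes), here is a small Python parser for the rule header grammar just described, together with the `var` lines from the SNORT.CONF section above. The config fragment, the one-line copy of the sample rule and the traffic tuples are constructed for illustration; `check_vars` shows why each list item needs to be a full dotted quad with a mask (it flags the three-octet entry in the DNS_SERVERS example), and `rule_matches` evaluates only the header, not payload options such as content.

```python
"""Parser and header matcher for Snort 2.0 rules plus snort.conf 'var' lines.
Added example, not Snort's own code; config fragment and traffic are constructed."""
import ipaddress
import re

# Constructed snort.conf fragment using the values from the howto.
SNORT_CONF = """\
var HOME_NET [10.1.1.0/24,192.168.1.0/24]
var EXTERNAL_NET any
var DNS_SERVERS [68.100.16.30/32,68.100.25/32,10.52.1.1/32]
var RULE_PATH /usr/local/etc/snort/rules
"""

# The rule dissected above, on one line.
SAMPLE_RULE = ('alert tcp 192.168.1.0/24,!192.168.2.0/24 any -> 192.168.0.0/24 80 '
               '(msg:"HTTP attempt"; content:"EXECUTE_SYSTEM"; nocase; '
               'classtype:system-call-detect; sid:1673; rev:3;)')


def parse_vars(conf):
    """'var NAME VALUE' lines -> {NAME: VALUE} (values kept as written)."""
    return dict(re.findall(r"^\s*var\s+(\w+)\s+(\S+)", conf, re.M))


def check_vars(vars_, names=("HOME_NET", "EXTERNAL_NET", "DNS_SERVERS")):
    """Return [(name, item)] for address-list items that are not well-formed
    CIDR networks, such as an address with only three octets."""
    bad = []
    for name in names:
        raw = vars_.get(name, "any")
        for item in ([] if raw == "any" else raw.strip("[]").split(",")):
            try:
                ipaddress.ip_network(item.lstrip("!"), strict=False)
            except ValueError:
                bad.append((name, item))
    return bad


def parse_addr(spec, vars_):
    """any | $VAR | net | !net | [net,!net,..] | ![..] -> (whole_neg, [(neg, net)])"""
    if spec.startswith("$"):
        spec = vars_[spec[1:]]
    if spec == "any":
        return (False, [])
    whole_neg = spec.startswith("!")
    items = spec.lstrip("!").strip("[]").split(",")
    return (whole_neg, [(i.startswith("!"),
                         ipaddress.ip_network(i.lstrip("!"), strict=False)) for i in items])


def addr_matches(parsed, ip):
    whole_neg, items = parsed
    if not items:                       # 'any'
        return True
    ip = ipaddress.ip_address(ip)
    excluded = any(ip in n for neg, n in items if neg)
    positive = [n for neg, n in items if not neg]
    hit = not excluded and (not positive or any(ip in n for n in positive))
    return hit != whole_neg             # a leading '!' inverts the whole list


def parse_port(spec):
    """any | 80 | 80:1024 | 80: | :80 | !80:84 -> (neg, low, high)"""
    if spec == "any":
        return (False, 0, 65535)
    neg = spec.startswith("!")
    low, sep, high = spec.lstrip("!").partition(":")
    if not sep:
        high = low                      # single port
    return (neg, int(low or 0), int(high or 65535))


def port_matches(parsed, port):
    neg, low, high = parsed
    return (low <= port <= high) != neg


HEADER = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)"
                    r"\s*(?:\((.*)\))?\s*$")
OPTION = re.compile(r'(\w+)(?::\s*("[^"]*"|[^;]*))?;')


def parse_rule(text, vars_):
    """Split a rule into its header fields and (key, value) option pairs."""
    m = HEADER.match(text.strip())
    if not m:
        raise ValueError("not a rule header: " + text)
    action, proto, src, sport, direction, dst, dport, opts = m.groups()
    options = [(k, v.strip('"') if v else None) for k, v in OPTION.findall(opts or "")]
    return {"action": action, "proto": proto, "dir": direction,
            "src": parse_addr(src, vars_), "sport": parse_port(sport),
            "dst": parse_addr(dst, vars_), "dport": parse_port(dport),
            "options": options}


def rule_matches(rule, proto, src, sport, dst, dport):
    """Header-only match; payload options such as content: are not evaluated."""
    if rule["proto"] not in ("ip", proto):
        return False

    def one_way(a, ap, b, bp):
        return (addr_matches(rule["src"], a) and port_matches(rule["sport"], ap)
                and addr_matches(rule["dst"], b) and port_matches(rule["dport"], bp))

    return one_way(src, sport, dst, dport) or (
        rule["dir"] == "<>" and one_way(dst, dport, src, sport))
```

Parsing SAMPLE_RULE with the vars from SNORT_CONF and feeding it a TCP connection from 192.168.1.50 to 192.168.0.10:80 matches, while one from 192.168.2.5 (the negated network) or to port 443 does not; a "<>" rule matches in both orientations. Note that parse_addr("$DNS_SERVERS", ...) raises on the malformed entry, which is exactly what check_vars is there to catch before the rules that use the variable are loaded.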
Now onto barnyard.
Installing Barnyard
First let's get a copy of barnyard.
[code:1:65c8e327aa]
($:~)=> cd /tmp ; fetch http://snort.org/dll/barnyard/barnyard-0.1.0.tar.gz
($:~)=> cd /usr/local/src
($:~)=> tar -xzvf /tmp/barnyard-0.1.0.tar.gz
[/code:1:65c8e327aa]
Now we need to do a little patching to barnyard so it recognizes sguil.
[code:1:65c8e327aa]
($:~)=> cd barnyard-0.1.0/src/output-plugins
($:~)=> cp /usr/local/src/sguil/sensor/barnyard_mods/op_sguil* .
($:~)=> cd ../..
($:~)=> ./configure --enable-mysql --with-mysqlincludes=/usr/local/include/mysql --with-mysql-libraries=/usr/local/lib/mysql
[/code:1:65c8e327aa]
Now, I promised patching, so here it is. We're going to edit the generated Makefile and build the new object
files. This will prevent our Makefile from being over-written during compiling.
[code:1:65c8e327aa]
($:~)=> cd src/output-plugins
($:~)=> vi Makefile
[/code:1:65c8e327aa]
Now let's search for the variable libop_a_SOURCES and change it accordingly:
[code:1:65c8e327aa]
libop_a_SOURCES = op_decode.c op_fast.c op_plugbase.c op_logdump.c op_decode.h op_fast.h \
op_plugbase.h op_logdump.h op_alert_syslog.c op_alert_syslog.h op_log_pcap.c op_log_pcap.h \
op_acid_db.c op_acid_db.h op_alert_csv.c op_alert_csv.h op_sguil.c op_sguil.h
[/code:1:65c8e327aa]
Next, search for libop_a_OBJECTS and change it to below:
[code:1:65c8e327aa]
libop_a_OBJECTS = op_decode.o op_fast.o op_plugbase.o op_logdump.o op_alert_syslog.o \
op_log_pcap.o op_acid_db.o op_alert_csv.o op_sguil.o
[/code:1:65c8e327aa]
Save the file and exit. Now let's edit the next file.
[code:1:65c8e327aa]
($:~)=> vi op_plugbase.c
[/code:1:65c8e327aa]
Around line 27 you should see the area below. Go ahead and edit it like so:
[code:1:65c8e327aa]
#ifdef ENABLE_MYSQL
#include "op_acid_db.h"
#include "op_sguil.h"
#endif
[/code:1:65c8e327aa]
Then again, around line 47:
[code:1:65c8e327aa]
#ifdef ENABLE_MYSQL
    AcidDbOpInit();
    SguilOpInit();
#endif
[/code:1:65c8e327aa]
Save and exit, then build the plugins and the rest of barnyard:
[code:1:65c8e327aa]
($:~)=> make
($:~)=> cd ../.. ; make
($:~)=> make install
[/code:1:65c8e327aa]
Congratulations. Barnyard is now built and installed. Before configuring barnyard, let's go ahead and
create our sguil database.
[code:1:65c8e327aa]
($:~)=> mysql -u USERNAME -p
mysql> create database sguildb;
Query OK, 1 row affected (0.05 sec)
mysql> quit;
($:~)=> mysql -u USERNAME -p sguildb < /usr/local/src/sguil/server/sql_scripts/create_sguildb.sql
[/code:1:65c8e327aa]
OK, now you have the sguil tables created. Make sure you give mysql a user, password and correct
permissions to your new database. Now let's get into configuring your barnyard conf.
[code:1:65c8e327aa]
($:~)=> cp /usr/local/src/barnyard-0.1.0/etc/barnyard.conf /usr/local/etc/snort/
($:~)=> vi /usr/local/etc/snort/barnyard.conf
[/code:1:65c8e327aa]
BARNYARD.CONF
OUTPUT SGUIL
Now add the line below somewhere in the configuration file. Remember to replace MYSQLUSER and
MYSQLPASS with your mysql database user and password for the sguildb:
output sguil: mysql, sensor_id 0, database sguildb, server localhost, user MYSQLUSER, password MYSQLPASS, sguild_host localhost, sguild_port 7736
CONFIG HOSTNAME
Search for the config hostname field. This is where we define the hostname of our PC. Don't forget
to change dominion to yours.
config hostname: dominion
CONFIG INTERFACE
The interface snort is attached to:
config interface: xl0
You may want to read through the rest of the conf file to do further tweaking, like setting it to be
a daemon or other options. OK, we're coming close to finishing here soon. Next we need to modify some
of the other sensor, server and client scripts.
[code:1:65c8e327aa]
($:~)=> cd /usr/local/src/sguil
($:~)=> vi sguild
[/code:1:65c8e327aa]
Now we need to change the command interpreter to the correct location:
#!/usr/local/bin/tcl
Save and exit. Now let's edit its configuration file.
SGUILD.CONF
DEBUG is useful for when you're installing and configuring sguil, to ensure that things are
communicating properly with one another. Once you get it working you should set this to off and
use the daemon mode.
set DEBUG 1
DAEMON is for using daemon mode: 1 is on and 0 is off. You could also give sguild the switch
-D to do the same thing.
[code:1:65c8e327aa]
set DAEMON 0
set SERVERPORT 7734
set SENSORPORT 7736
[/code:1:65c8e327aa]
RULESDIR is where we are keeping our snort rules. Pretty easy to follow conf file.
set RULESDIR /snort_data/rules
TMPDATADIR is where we are going to temporarily store the portscan and session data.
set TMPDATADIR /tmp
Now we need our sguildb database information (the same user and password you gave mysql above):
set DBNAME sguildb
set DBPASS MYSQLPASS
set DBHOST localhost
set DBPORT 3306
set DBUSER MYSQLUSER
Now we're going to make a few symbolic links so sguild can find the correct rules and the log
directories we created under /var/log/snort:
[code:1:65c8e327aa]
($:~)=> ln -s /var/log/snort/ /snort_data
($:~)=> ln -s /usr/local/etc/snort/rules/ /snort_data/rules
($:~)=> ln -s /usr/local/etc/snort/rules/ /snort_data/rules/sguil
[/code:1:65c8e327aa]
Now we need to add a user to sguild. This is pretty simple:
[code:1:65c8e327aa]
($:~)=> cd /usr/local/src/sguil/server/ ; ./sguild -adduser
[/code:1:65c8e327aa]
You would alternatively run -deluser to delete a user.
OK, let's move on to the next script to modify.
SENSOR_AGENT.TCL
[code:1:65c8e327aa]
($:~)=> vi /usr/local/src/sguil/sensor/sensor_agent.tcl
[/code:1:65c8e327aa]
Edit the shell interpreter to reflect the correct location. No explanation should be required.
#!/usr/local/bin/tcl
Config options in this file are simple:
set SERVER_HOST localhost
set SERVER_PORT 7736
set HOSTNAME localhost
set PORTSCAN_DIR /snort_data/portscans
set SSN_DIR /snort_data/ssn_logs
set WATCH_DIR /snort_data
set PS_CHECK_DELAY_IN_MSECS 10000
set SSN_CHECK_DELAY_IN_MSECS 10000
set DISK_CHECK_DELAY_IN_MSECS 1800000
set PING_DELAY 300000
set DEBUG 0
Save and exit. Now let's move on to xscriptd.
XSCRIPTD
[code:1:65c8e327aa]
($:~)=> vi /usr/local/src/sguil/server/xscriptd
[/code:1:65c8e327aa]
Edit the shell interpreter to reflect the correct location.
#!/usr/local/bin/tcl
If you've been reading the other configuration files, then this one should be a breeze.
set SERVERPORT 7735
Since in this document we're going to be using sguil on the same box as our xscriptd, the option
below gets set to 1. If you set this to use a remote box, I suggest you read through the install
manual and read up on setting it up using ssh keys.
set LOCALSENSOR 1
Debug. Once again, it's good to enable for initial testing, but later on you might wish to turn this
off.
set DEBUG 1
The next option is where you want to archive raw files locally when xscripts are requested.
set LOCAL_LOG_DIR /snort_data/archive
Where xscriptd can find the remote raw files:
set REMOTE_LOG_DIR /snort_data/dailylogs
If LOCALSENSOR is set to 0, then TCPDUMP needs to be the path to tcpdump on the sensor.
set TCPDUMP "/usr/sbin/tcpdump"
The next option is where tcpflow is located. You did remember to install this from the ports,
didn't you?
set TCPFLOW "/usr/local/bin/tcpflow -c"
Save and exit. Now we're on to the next file.
LOG_PACKETS.SH
[code:1:65c8e327aa]
($:~)=> vi /usr/local/src/sguil/sensor/log_packets.sh
[/code:1:65c8e327aa]
Config options here are pretty simple if you've been following along.
SNORT_PATH="/usr/local/bin/snort"
LOG_DIR="/snort_data/dailylogs"
INTERFACE="xl0"
PIDFILE="/var/run/snort_log.pid"
PRIORITY="local4.alert"
Save and exit. Next, make a link to /usr/local/bin:
[code:1:65c8e327aa]
($:~)=> ln -s /usr/local/src/sguil/sensor/log_packets.sh /usr/local/bin/
[/code:1:65c8e327aa]
Next we're going to make a cron job that restarts log_packets.sh at the top of every hour.
[code:1:65c8e327aa]
($:~)=> echo "00 0-23/1 * * * root /usr/local/bin/log_packets.sh restart 1>/dev/null 2>&1" >> /etc/crontab
[/code:1:65c8e327aa]
We're almost done here. Let's edit the sguil client now.
SGUIL.TK
[code:1:65c8e327aa]
($:~)=> vi /usr/local/src/sguil/client/sguil.tk
[/code:1:65c8e327aa]
The only thing we need to modify here is our wish version. Change the wish statement to yours.
exec wish8.3 -f "$0" ${1+"$@"}
Moving on down the line of files, let's go ahead and edit the sguil.conf file.
SGUIL.CONF
[code:1:65c8e327aa]
($:~)=> vi /usr/local/src/sguil/client/sguil.conf
[/code:1:65c8e327aa]
This configuration file pretty much follows the other ones. Not too hard if you read it as you're
going along.
set SERVERPORT 7734
set XSCRIPT_SERVER_PORT 7735
set SERVERHOST localhost
Remember, once you're done with testing, to turn debug off.
set DEBUG 1
We plan on using OpenSSL between the client and server, so set this to 1 (1 = on, 0 = off).
set OPENSSL 1
The next line is where our SSL/TLS lib is located:
set TLS_PATH /usr/lib/tls1.4/libtls1.4.so
Now we're going to use an enhanced version of whois; this is the location where it will be placed:
set WHOIS_PATH /common/bin/awhois.sh
Where ethereal is located:
set ETHEREAL_PATH /usr/X11R6/bin/ethereal
You probably want at some point to view certain rules on snort.org, so we need to specify our web
browser in this field:
set BROWSER_PATH /usr/local/bin/konqueror
Now let's jump down to changing our mailserver settings:
set MAILSERVER mail.yourdomain.com
set HOSTNAME yourdomain.com
set EMAIL_FROM Abuse@yourdomain.com
set EMAIL_CC ""
set EMAIL_SUBJECT "Incident Report"
Save and exit. Now let's get the awhois.sh script that we specified above.
[code:1:65c8e327aa]
($:~)=> mkdir /common
($:~)=> mkdir /common/bin
($:~)=> cd /common/bin
($:~)=> fetch ftp://ftp.weird.com/pub/local/awhois.sh
($:~)=> chmod 555 awhois.sh
[/code:1:65c8e327aa]
OK, now that that's taken care of, let's set up OpenSSL support for this. First we need to download and
install the TCL OpenSSL extensions. Lucky for us, they're in the ports tree.
[code:1:65c8e327aa]
($:~)=> cd /usr/ports/devel/tcltls ; make install clean
[/code:1:65c8e327aa]
Now we need to generate an SSL cert. The first openssl command below creates a self-signed CA
certificate (CA.pem); since no -keyout is given, openssl writes the CA's private key to privkey.pem in
the current directory, which the signing step further down relies on.
[code:1:65c8e327aa]
($:~)=> mkdir -p /etc/sguild/certs
($:~)=> cd /etc/sguild/certs
($:~)=> openssl req -out CA.pem -new -x509
[/code:1:65c8e327aa]
Now generate your key, make a certificate request for it, and sign the request with the CA you just made:
[code:1:65c8e327aa]
($:~)=> openssl genrsa -out sguild.key 1024
($:~)=> openssl req -key sguild.key -new -out sguild.req
($:~)=> openssl x509 -req -in sguild.req -CA CA.pem -CAkey privkey.pem -CAcreateserial -CAserial file.sr1 -out sguild.pem
[/code:1:65c8e327aa]
Now you should have a brand new trusted OpenSSL cert. Congratulations. All the config files should
be done editing and now you're ready to play with your new toy. So let's start up these services, shall
we?
Starting Sguild (Server)
[code:1:65c8e327aa]
($:~)=> /usr/local/src/sguil/server/sguild -o -c /usr/local/src/sguil/server/sguild.conf -u /usr/local/src/sguil/server/sguild.users -D
[/code:1:65c8e327aa]
Side note: the '-o' option is for OpenSSL support and the '-D' is to daemonize the process.
Start Log_Packets.sh
[code:1:65c8e327aa]
($:~)=> /usr/local/bin/log_packets.sh start
[/code:1:65c8e327aa]
Start Barnyard
[code:1:65c8e327aa]
($:~)=> /usr/local/bin/barnyard -c /usr/local/etc/snort/barnyard.conf -d /var/log/snort -g /usr/local/etc/snort/gen-msg.map -s /usr/local/etc/snort/sid-msg.map -f snort.log -w /usr/local/etc/snort/waldo.file
[/code:1:65c8e327aa]
Start Snort
[code:1:65c8e327aa]
($:~)=> /usr/local/bin/snort -c /usr/local/etc/snort/snort.conf -l /var/log/snort -D
[/code:1:65c8e327aa]
Starting Sensor_agent.tcl
[code:1:65c8e327aa]
($:~)=> /usr/local/src/sguil/sensor/sensor_agent.tcl
[/code:1:65c8e327aa]
Starting xscriptd
[code:1:65c8e327aa]
($:~)=> /usr/local/src/sguil/server/xscriptd
[/code:1:65c8e327aa]
Starting Sguil (Client)
[code:1:65c8e327aa]
($:~)=> /usr/local/src/sguil/client/sguil.tk
[/code:1:65c8e327aa]
Congratulations, Sguil should be up and running. Enjoy playing with your new toy.
If you should have any problems with installing this, you can either post your problems on the forum
topic on this at BSDHound's Forums (http://bsdhound.dnsalias.net:81/modules.php?name=Forums&file=viewtopic&p=1991#1991) or the nice guys over at irc.freenode.net will help you out. They can be located in
#snort-gui. Enjoy and good luck.
References used:
Sguil Install guide - http://sguil.sourceforge.net/install.txt
Richard Bejtlich Redhat 7.3 Install guide - http://sguil.sourceforge.net/sguil_install_v1-0.pdf
My Brain
The great guys over at #snort-gui on irc.freenode.net
Special thanks to those who helped out in this article:
Strog (http://bsdhound.com/modules.php?name=Forums&file=profile&mode=viewprofile&u=27&sid=96066b5b77029d66419d3aa3eb6ba993),
Kernel_Killer (http://bsdhound.com/modules.php?name=Your_Account&op=userinfo&uname=Kernel_Killer), Bamm
Original Article Source:
http://bsdhound.dnsalias.net:81/modules.php?name=News&file=print&sid=234