# Mind Candy

Thursday, April 20, 2006

Seminars and group meets and systems down, oh my.

The Sourcefire seminar was fantastic. Marty presented the "why" of Snort as opposed to the "how" of Snort. It was awesome. I felt bad for the demonstration presenter who showed us the cool new product afterward. The guy had a very tough crowd to deal with.

Cute foam pigs with the Snort mascot branded onto them were handed out. I accidentally kidnapped Robert's pig. (Sorry, Robert. I'll keep taking it to meetings I get a chance to attend so you can reclaim it! Otherwise, email me and we'll figure something out--there's always the post office!) How embarrassing. One minute, he's there saying he has to go, the next he's on his cell phone and wandering off sans squishy foam Snorty. Oops...I'll just babysit it for now.

I'll try and post pictures of my cute foam pig, but I don't have a digital camera, so it may take a bit.

After that, I spent a lot of time in Barnes and Noble reading 2600 and a vegetarian crock pot recipe book. Ended up buying both. (That was my "fun" spending for the month.)

My partner and I went out for a meal and still got to the SeaSnUG meeting a few hours early, so we weren't sure where we were going. There were signs...after we got there and were there a while, attempting to nap in the car. Definitely my fault for being too early and not having printed out the information on the meeting time/place/et cetera. It's not recommended to try to nap in a car in the parking lot of a community college, BTW.

I won a prize at the meeting, but I didn't want a T-shirt or Marty's signature. He may be the father of Snort, but Jennifer Steffens is Snort's fairy godmother. I got her signature instead. :)

The meeting's presentation was actually a great overview of some of the topics presented in the seminar, but with some audience participation twists. My partner even asked a lot of questions I thought were great for someone who's not had much exposure to Snort. I tend to work with the rules every day, which means sometimes I forget that not everyone else has the same exposure.
Oh, well.

I was so glad to meet everyone. David, Robert, Lawrence, Anthony, James--and everyone else whose names aren't burned into my brain by exhaustion and repetition. Between this wonderful set of folks and the wonderful set of folks on #snort-gui on IRC, there's just such a wonderful community to celebrate. It's wonderful.

Unfortunately, the dreamy day had a dark side: I got to work and one of our major systems was in the throes of experiencing unscheduled maintenance. This means tomorrow should be a long day. Thankfully it's also Casual Friday.

Wednesday, April 19, 2006

How to get the Sguil components to start on Riffraff

1. log in as root
2. issue mysqld_safe --bind_address=127.0.0.1 --user=mysql &
3. Hit enter
4. exit root
5. log in as sguil user
6. issue ./sguild_start.sh
7. issue ./sensor_agent_start.sh
8. issue ./barnyard_start.sh
9. exit sguil user
10. log in as root
11. issue ./sancp_start.sh
12. issue ./snort_start.sh
13. /usr/local/bin/log_packets.sh restart

(To view the output on Magenta:
1. log in as analyst
2. issue startx
3. right-click, select xterm
4. ./sguil_client_start.sh)

There has GOT to be a way to have mysql start up without having to type in the command on #2 each time. There has also got to be a way to make a script so that you log in the once as sguil, run one script to kick off the others under sguil, then exit and log in the once as root, and run another script to kick off the scripts under root.

Must learn to write useful scripts...will make life easier.
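One way to collapse the thirteen steps above into a single root-run script, added here as an example; it is not one of Bejtlich's scripts and not part of Sguil. It assumes the sguil account's start scripts live in /home/sguil and root's in /root (the post runs them from the two home directories but never names the paths), and that sockstat(1) or netstat(1) is on the box to confirm a listener. The two things worth keeping from the hand procedure are the order (mysqld before sguild, sguild before the sensor agent and barnyard, the root-owned capture tools last) and the split of privilege: only snort, sancp and log_packets.sh run as root, everything else is handed to the sguil user with su(1), and mysqld stays bound to 127.0.0.1 because the only things that talk to it are on the same box. As for never typing the mysqld_safe line again: the FreeBSD mysql-server port installs an rc script that is enabled with mysql_enable="YES" in /etc/rc.conf, and bind-address=127.0.0.1 in the [mysqld] section of my.cnf makes the loopback binding permanent; the script below still starts mysqld itself so that it matches the steps above.

```shell
#!/bin/sh
# nsm_start.sh: bring up the Sguil pieces on one box in dependency order
# (mysqld, then sguild, sensor agent and barnyard as the sguil user, then the
# root-owned capture tools), replacing the log-in/log-out sequence above.
# Added example, not one of Bejtlich's scripts. Assumed paths: the sguil
# account's start scripts in /home/sguil, root's in /root.

SGUIL_USER=${SGUIL_USER:-sguil}
SGUIL_HOME=${SGUIL_HOME:-/home/sguil}
ROOT_HOME=${ROOT_HOME:-/root}
MYSQL_PORT=${MYSQL_PORT:-3306}
SGUILD_PORT=${SGUILD_PORT:-7734}
DRYRUN=${DRYRUN:-0}   # DRYRUN=1 prints the plan instead of executing it

# run_cmd CMD...: execute one command line, or print it when DRYRUN=1.
run_cmd() {
    if [ "$DRYRUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        sh -c "$*"
    fi
}

# run_as USER CMD...: run a command as an unprivileged account from root's
# session. su(1) -l gives a real login (cd to the user's home, the user's
# environment), -c passes the command; root is not prompted for a password.
run_as() {
    user=$1
    shift
    run_cmd "su -l $user -c '$*'"
}

# wait_for_port PORT [TRIES]: wait until something listens on tcp/PORT, so
# sguild is not started before mysqld, nor the agent before sguild.
# Tries sockstat(1) (FreeBSD) and falls back to netstat(1); the listener
# formats it expects, "127.0.0.1:3306" and "127.0.0.1.3306 ... LISTEN",
# are an assumption of this script.
wait_for_port() {
    port=$1
    tries=${2:-30}
    if [ "$DRYRUN" = 1 ]; then
        printf 'wait for tcp/%s\n' "$port"
        return 0
    fi
    while [ "$tries" -gt 0 ]; do
        if sockstat -4l 2>/dev/null | grep -q "[.:]$port[[:space:]]" \
            || netstat -an 2>/dev/null | grep -q "[.:]$port[[:space:]].*LISTEN"; then
            return 0
        fi
        sleep 1
        tries=$((tries - 1))
    done
    echo "tcp/$port did not come up" >&2
    return 1
}

# start_all: the whole sequence. Only the capture tools run as root; the
# database is bound to loopback because everything that talks to it
# (sguild, the sensor agent) runs on this same host.
start_all() {
    if [ "$DRYRUN" != 1 ] && [ "$(id -u)" -ne 0 ]; then
        echo "start_all must run as root (it su's to $SGUIL_USER and starts snort)" >&2
        return 1
    fi
    # mysqld accepts --bind-address and --bind_address interchangeably.
    run_cmd "mysqld_safe --bind-address=127.0.0.1 --user=mysql &"
    wait_for_port "$MYSQL_PORT" || return 1
    run_as "$SGUIL_USER" "$SGUIL_HOME/sguild_start.sh"
    wait_for_port "$SGUILD_PORT" || return 1
    run_as "$SGUIL_USER" "$SGUIL_HOME/sensor_agent_start.sh"
    run_as "$SGUIL_USER" "$SGUIL_HOME/barnyard_start.sh"
    run_cmd "$ROOT_HOME/sancp_start.sh"
    run_cmd "$ROOT_HOME/snort_start.sh"
    run_cmd "/usr/local/bin/log_packets.sh restart"
}

case "${1:-}" in
    start) start_all ;;
    plan)  DRYRUN=1 start_all ;;
esac
```

Run it as root with `start` to bring everything up; `plan` prints the command sequence without touching anything, which is a cheap way to review it before trusting it on the sensor.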

It WORKS!

For some reason, the Sguil user wasn't added after all. (Wow, Hanashi's a genius! ^_^)

How to fix, if your Sguil user wasn't added and you have the same user/pass on another test machine:
1. procure floppy disk
2. on other test machine-->mount /dev/fd0 /mnt
3. cp /usr/local/src/sguil-0.6.1/server/sguild.users /mnt
4. umount /mnt
5. take floppy from other test machine, and place in regular test machine
6. on regular test machine-->mount /dev/fd0 /mnt
7. cp /mnt/sguild.users /usr/local/src/sguil-0.6.1/server
8. Try to log in to your sensor/db/etc. from your client machine
9. *jump up and down with glee when it all works! promise self to buy genius a drink.*

Honestly, I thought I'd just forgotten to add the proper scoundrels to the mysql database stuff. It didn't even occur to me that the user might have vanished during the installation process.

Living and learning--YAY!

On another interesting note, I heard that the SeaSnUG group was going to try to get the Sourcefire folks to host a happy hour post-meeting at the Gameworks downtown. I mentioned my schedule to the bossman, who generously granted that I don't have to run all the way back to Tacoma and then back to Seattle. I didn't even tell him about the Gameworks post-meet and he said jokingly: "Well, just don't go to Gameworks between meetings--oh, wait, you're going to be doing something that's just as much fun for you as Gameworks for other geeks." ROTFL!

I like my boss. He's so cool. :) He lets me learn and train and have all sorts of intellectual adventures...doesn't yell at me when I absentmindedly save a draft instead of send the first-shift Op the information about a problem with one of our distributors...lets me play with FreeBSD and our current Linux-based IDS...lets me take neat Ethical Hacking classes...and on top of that, has the patience to explain obscure system stuff to me when I'm frustrated and confused about the users' requests.

At this rate, we'll be talking about future career development opportunities in a few weeks! WOOHOO!

Thanks again to #snort-gui for their patience with a randomly curious newbie's questions.

something to check

Hanashi at #snort-gui recommended checking /etc/sguild.users to see if there's a sguil account on RiffRaff. I do suppose not having an account there would make a difference.

It was mentioned that to add a user, you type
sguild -adduser +username


In the old notes, I found
./sguild -c sguild.conf -u sguild.users -adduser sguil

Tuesday, April 18, 2006

Riffraff and Magenta won't talk to one another

Reinstalled the Sguil client this morning on Magenta. Both boxes were up and running when I attempted to test communication between the two.

I'm getting "invalid USERNAME or PASSWORD" when I try putting RiffRaff's address in the Sguild Host field and 7734 in the Sguild Port field. I'm entering the sguil user's correct username and correct password for Riffraff.

After thinking about it for a while, I remembered that the old, old instructions Richard Bejtlich had placed out on the internet for our benefit mentioned that we had to add other accounts to the database if we had more than one system. ("You must also set permissions for the sensor and sguild server to connect to the database.") So I tried to add everything I could think of...

# These grants govern what sguild (and, per Bejtlich's note, the sensor) may do
# in sguildb; they are not what the Sguil client authenticates against. The
# client on Magenta only ever talks to sguild on tcp/7734, and sguild checks the
# client's username and password against its sguild.users file, not the MySQL
# user table. Also, --password=... on the command line is visible to every local
# user in ps(1) and lands in the shell history; -p (prompt) or a mode-600
# ~/.my.cnf with a [client] section keeps it out of both.
/usr/local/bin/mysql --password=r00tpass -e "GRANT ALL on sguildb.* to sguil@localhost"
/usr/local/bin/mysql --password=r00tpass -e "GRANT ALL on sguildb.* to sguil@magenta"
/usr/local/bin/mysql --password=r00tpass -e "GRANT ALL on sguildb.* to sguil@magenta.company.com"
/usr/local/bin/mysql --password=r00tpass -e "GRANT FILE on *.* to sguil@localhost"
/usr/local/bin/mysql --password=r00tpass -e "GRANT FILE on *.* to sguil@magenta"
/usr/local/bin/mysql --password=r00tpass -e "GRANT FILE on *.* to sguil@magenta.company.com"
/usr/local/bin/mysql --password=r00tpass -e "SET password for sguil@localhost=password('somepass')"
/usr/local/bin/mysql --password=r00tpass -e "SET password for sguil@magenta=password('somepass')"
/usr/local/bin/mysql --password=r00tpass -e "SET password for sguil@magenta.company.com=password('somepass')"


MySQLd was stopped and restarted. I tried to log in again to view Riffraff's Sguil data from Magenta's Sguil client interface.

"invalid USERNAME and/or PASSWORD"

Still trying to figure this one out on my own, but I'm not sure I understand enough about MySQL and the way Sguil communicates between components/systems to figure it out totally on my own. If I can't figure it out by tomorrow at 1:00 p. m., I might just ask the nice folks at #snort-gui if they can provide a hint as to what the problem might be.

libexpat.so.6 found

All it took was a reinstall, manually downloading the ports tree, uncompressing it in the right folder, cvsup-without-gui, portupgrade on the few out-of-date packages, and a rerun of the script(s).

Magenta no longer segmentation faults when the .sh to start running the Sguil client begins.

Tonight: testing Riffraff and Magenta in the same physical network.

Monday, April 17, 2006

Most strange.

Riffraff doesn't have libexpat.so.6 either. Toybox, however, does. I've updated them both using the same method, so I'm wondering if maybe something else didn't change.

Strange

Toybox, the old project box with the all-in-one install script, has libexpat.so.6. It doesn't give any errors. I *must* have missed a step or done something odd with Magenta.

I know Richard Bejtlich noted that the scripts weren't pretty or guaranteed to work. I just wonder if maybe the step I missed is covered in a different script? Maybe one from earlier in the install process?

I wonder what would happen if the Sguil client install script were run on Riffraff?

Hmm...

Magenta may start fluxbox alright, but she gives a segmentation fault when the sguil_client_start.sh script is run. With the thought that maybe, just maybe, I needed to run portupgrade before running any of the other scripts, I took Magenta home, reinstalled FreeBSD 6 on her, and ran the portupgrade again. Then I rebooted the system, ran the sguil client install script, logged in as analyst, and tried to run the script again from fluxbox.

"libexpat.so.6 not found".

That's odd. I figured running the portupgrade BEFORE installing things would have helped. So currently Magenta is once again getting the "portupgrade -rf textproc/expat2" treatment. With any luck, work will be very quiet so I can concentrate on the issue; but this is not likely. I've got until the 30th to get Magenta and Riffraff both working.

Friday, April 14, 2006

Double YES!

I'm going to try to attend the Sourcefire seminar "Redefining Network Security - Protecting Against Threats, From All Vectors, at all Times" on the 20th. It's at 09:00, though, and I usually don't get to sleep until 02:00 or so...should make for an interesting day, though. Hope I can stay awake, but this is good day-shift practice. Besides, that's what Mountain Dew is for.

Also, I GOT MAGENTA TO WORK! Or at least, not to die when "startx" is run. All it took was ten seconds of Googling, about fifteen seconds of typing, and about 10 hours of waiting for things to update.

The command was: "portupgrade -rf textproc/expat2".

Thursday, April 13, 2006

YES!

I'm going to the SeaSnUG meeting! Woohoo!
http://blowfish.southseattle.edu/SeaSnUG/

Wednesday, April 12, 2006

A spot of trouble

Today a spot of trouble was encountered. Magenta can't seem to find libexpat.so.6. I can find libexpat.so.5, but no such luck on libexpat.so.6.

There's got to be a way to get libexpat.so.6 onto Magenta without having to nuke and pave the box again, but I'm not quite sure what it got installed with. Right now I'm doing a 'find / -name "*libexpat*" >> somefile' to see where it is from and maybe it will give a clue as to what it was installed with.

Hopefully RiffRaff will not have any major issues.

Tuesday, April 11, 2006

How were Richard Bejtlich's scripts changed?

In sguil_sensor_install.sh:

Uncommented the line below "# FreeBSD 6 packages".
Commented out the line after "# FreeBSD 5 packages".

Under "cd /usr/local/etc/nsm":
"fetch http://www.bejtlich.net/sensor_agent.conf.patch" changed to "cp /mnt/sensor_agent.conf.patch /usr/local/src".
"fetch http://www.bejtlich.net/snort.conf.patch" changed to "cp /mnt/snort.conf.patch /usr/local/src ".
"fetch http://www.bejtlich.net/barnyard.conf.patch" changed to "cp /mnt/barnyard.conf.patch /usr/local/src ".
"fetch http://www.bejtlich.net/sancp.conf.patch" changed to "cp /mnt/sancp.conf.patch /usr/local/src ".
"fetch http://www.bejtlich.net/log_packets.sh.patch" changed to "cp /mnt/log_packets.sh.patch /usr/local/src ".
"fetch http://www.bejtlich.net/log_packets.sh.crontab" changed to "cp /mnt/log_packets.sh.crontab /usr/local/src ".

Under "cd /home/sguil":
"fetch http://www.bejtlich.net/barnyard_start.sh" changed to "cp /mnt/barnyard_start.sh /usr/local/src ".
"fetch http://www.bejtlich.net/sensor_agent_start.sh" changed to "cp /mnt/sensor_agent_start.sh /usr/local/src ".

Under "cd /root":
"fetch http://www.bejtlich.net/snort_start.sh" changed to "cp /mnt/snort_start.sh /usr/local/src ".
"fetch http://www.bejtlich.net/sancp_start.sh" changed to "cp /mnt/sancp_start.sh /usr/local/src ".

In sancp_start.sh:

Under "#!/bin/sh":
"SENSOR=gruden" changed to "SENSOR=riffraff".
"INTERFACE=lnc1" changed to "INTERFACE=xl0".

In snort_start.sh:

Under "#!/bin/sh":
"SENSOR=gruden" changed to "SENSOR=riffraff".
"INTERFACE=lnc1" changed to "INTERFACE=xl0".


In barnyard_start.sh:

Under "#!/bin/sh":
"SENSOR=gruden" changed to "SENSOR=riffraff".

In log_packets.sh.patch:

Under "-HOSTNAME="myhost" ":
"+HOSTNAME="gruden" " changed to "+HOSTNAME="riffraff" ".

Under "-INTERFACE="eth0" ":
"+INTERFACE="lnc1" " changed to "+INTERFACE="xl0" ".

In barnyard.conf.patch:

Under "-config hostname: snorthost"
"+config hostname: gruden" changed to "+config hostname: riffraff".

Under "-config interface: fxp0"
"+config interface: lnc1" changed to "+config interface: xl0".

Under + (at very bottom):
"+output sguil: sensor_name gruden" changed to "+output sguil: sensor_name riffraff"

In snort.conf.patch:

Under "-var RULE_PATH ./rules":
"+var RULE_PATH /nsm/rules/gruden" changed to "+var RULE_PATH /nsm/rules/riffraff".

In sensor_agent.conf.patch:

Under "-set HOSTNAME gateway":
"+set HOSTNAME gruden" changed to "+set HOSTNAME riffraff".

In sguil_server_install.sh:

Uncommented the line below "# FreeBSD 6 packages".
Commented out the line after "# FreeBSD 5 packages".

Commented out lines between "# Create directories" and "# Install MySQL client"; we already have the software fetched and the packages installed.
Commented out line "pkg_add -r tcltls"
Commented out line "pkg_add -r tclX"

"fetch http://www.bejtlich.net/sguild.conf.patch" changed to "cp /mnt/sguild.conf.patch /usr/local/etc/nsm"
"fetch http://www.bejtlich.net/sguild_start.sh" changed to "cp /mnt/sguild_start.sh /usr/local/etc/nsm"

In sguild.conf.patch:

Under "-set DBPASS "sguil" ":
"+set DBPASS "sguil" " changed to "+set DBPASS "otherpasswordIamnotdumbenoughtonamehere" ".

In sguil_database_install_pt1.sh:

Uncommented the line below "# FreeBSD 6 packages".
Commented out the line after "# FreeBSD 5 packages".

Commented out "cd /usr/local/src"
Commented out "fetch http://internap.dl.sourceforge.net/sourceforge/sguil/$SGUIL.tar.gz"
Commented out "tar -zxf $SGUIL.tar.gz"

In sguil_database_install_pt2.sh:

"/usr/local/bin/mysql -e "SET password for sguil@localhost=password('sguil')" " changed to "/usr/local/bin/mysql -e "SET password for sguil@localhost=password('somethingsecret')" "
"/usr/local/bin/mysql -e "SET password for root@localhost=password('r00t')" " changed to "/usr/local/bin/mysql -e "SET password for root@localhost=password('somethingsupersecret')" "
"/usr/local/bin/mysql --password=somethingsupersecret -e "FLUSH PRIVILEGES"

"echo "ifconfig_lnc1=-arp" >> /etc/rc.conf" changed to "echo "ifconfig_xl0=-arp" >> /etc/rc.conf"

In sguil_client_install.sh:

Uncommented the line below "# FreeBSD 6 packages".
Commented out the line after "# FreeBSD 5 packages".

Under "cd /home/analyst":
"fetch http://www.bejtlich.net/sguil_client_start.sh" changed to "cp /mnt/sguil_client_start.sh /home/analyst"

Under "cd /usr/local/src/$SGUIL/client":
"fetch http://www.bejtlich.net/sguil.conf.patch" changed to "cp /mnt/sguil.conf.patch /usr/local/src/$SGUIL/client"

This was all done with vi on the /mnt device. (cd /mnt, vi sguil.conf.patch, edit, :wq!, vi sguil_client_start.sh, etc.)

Project: Build Sguil boxen--one to collect/store data, one to call the data for review/analysis.

Goals of blog: To give back (at least a little) to the open source community. To outline the steps I took to implement this project (in case I should die an untimely death while shuttling backup tapes across the scary-busy Tacoma thoroughfare just outside our company doors).

The boss has granted the use of two refurbed computers from Boeing Surplus. I'm not fully sure how to communicate hardware specs, so I won't try yet. I know they're leftover Dell GX-150 somethings. They came with Windows licenses, for the day when they are not test machines for this project.

Currently the Dells are named "RiffRaff" and "Magenta". Magenta will be the Sguil client, and RiffRaff will serve as the Snort/Barnyard/Sguil sensor, server, and database. In short, Magenta should let us analyze the packets RiffRaff has captured, if I'm understanding the division of labour correctly.

There are online resources to help with this task: http://news.gmane.org/gmane.comp.security.sguil.general, and an IRC channel on freenode.net called #snort-gui. (I still need to learn IRC, as my free time lately is about as existent as fluffy lavender unicorns. Wonder if it's got a nifty web browser interface I can use in the meantime...)


First: Install FreeBSD

That's the easy part. I'm using FreeBSD 6 STABLE. I set up my partitions like this due to space restrictions on the hard drives:


/ 512MB
swap 512MB
/usr 5000MB
/home 1000MB
/var 1500MB
/tmp 1000MB
/nsm 5000MB

I only installed packages for CVSup-without-gui, and a few other items like tar programs and port audit programs and such. Then I added two accounts: sguil and analyst. I set my root password to something that I can almost guarantee won't be in any rainbow table, and printed Richard Bejtlich's post on the TaoSecurity Blog for March 23rd, 2006.

Second: Download and extract scripts

Next the scripts were downloaded from Mr. Bejtlich's site.

cd /usr/local
mkdir /usr/local/src
fetch -r http://www.bejtlich.net/sguil_install_scripts.tar.gz
tar -xzvf sguil_install_scripts.tar.gz


In order to compare the newer scripts to the earlier, all-in-one script Mr. Bejtlich had granted to the public, I realized I'd need to print out each script and label it. When I thought about it more, I also realized I'd be implementing these scripts on over a dozen machines. Potentially, downloading the scripts to each machine, uncompressing them, running them, and testing them could take a long time. The Dells are old enough to have floppy drives attached, so a floppy disk was located and inserted into the drive. (It was blank.)

FreeBSD, you may be shocked to know if you're coming from a Windows background, doesn't automatically mount a diskette. The drive shows up as /dev/fd0, but you have to put a file system on the diskette and mount it yourself. First we format the diskette and create a file system on it (newfs makes a UFS file system, which the FreeBSD boxes will read but Windows won't):

fdformat /dev/fd0
newfs /dev/fd0

Then we mount it, which is what makes its contents visible, here under /mnt:

mount /dev/fd0 /mnt

When we want to shut down our machine, we should unmount the floppy first. But you have to make sure your shell isn't sitting inside the mounted directory, or umount will tell you the device is busy. I like to do a "pwd" to figure out where I am, then change directories if needed, then unmount, like so:

cd /usr/local
umount /mnt

We could fetch the following into /mnt:
  • http://www.bejtlich.net/sguil_sensor_install.sh
  • http://www.bejtlich.net/sancp_start.sh
  • http://www.bejtlich.net/snort_start.sh
  • http://www.bejtlich.net/sensor_agent_start.sh
  • http://www.bejtlich.net/barnyard_start.sh
  • http://www.bejtlich.net/log_packets.sh.crontab
  • http://www.bejtlich.net/log_packets.sh.patch
  • http://www.bejtlich.net/sancp.conf.patch
  • http://www.bejtlich.net/barnyard.conf.patch
  • http://www.bejtlich.net/snort.conf.patch
  • http://www.bejtlich.net/sensor_agent.conf.patch
  • http://www.bejtlich.net/sguil_sensor_install_patch.sh
  • http://www.bejtlich.net/sguil_server_install.sh
  • http://www.bejtlich.net/sguild.conf.patch
  • http://www.bejtlich.net/sguil_database_install_pt1.sh
  • http://www.bejtlich.net/sguil_database_install_pt2.sh
  • http://www.bejtlich.net/sguil_client_install.sh
  • http://www.bejtlich.net/sguil_client_start.sh
  • http://www.bejtlich.net/sguil.conf.patch


Or we could just do a copy from /usr/local/src to /mnt.

  • cp /usr/local/src/sguil_sensor_install.sh /mnt
  • cp /usr/local/src/sancp_start.sh /mnt
  • cp /usr/local/src/snort_start.sh /mnt
  • cp /usr/local/src/sensor_agent_start.sh /mnt
  • cp /usr/local/src/barnyard_start.sh /mnt
  • cp /usr/local/src/log_packets.sh.crontab /mnt
  • cp /usr/local/src/log_packets.sh.patch /mnt
  • cp /usr/local/src/sancp.conf.patch /mnt
  • cp /usr/local/src/barnyard.conf.patch /mnt
  • cp /usr/local/src/snort.conf.patch /mnt
  • cp /usr/local/src/sensor_agent.conf.patch /mnt
  • cp /usr/local/src/sguil_sensor_install_patch.sh /mnt
  • cp /usr/local/src/sguil_server_install.sh /mnt
  • cp /usr/local/src/sguild.conf.patch /mnt
  • cp /usr/local/src/sguil_database_install_pt1.sh /mnt
  • cp /usr/local/src/sguil_database_install_pt2.sh /mnt
  • cp /usr/local/src/sguil_client_install.sh /mnt
  • cp /usr/local/src/sguil_client_start.sh /mnt
  • cp /usr/local/src/sguil.conf.patch /mnt
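Added example, not part of Bejtlich's scripts: a small shell script that stages the same file set onto the mounted floppy and records what was copied. The reason to bother: everything on that diskette is either run as root (the install and start scripts) or patched into root-owned configs on every box it visits, so a truncated copy, or a diskette that was edited on another machine, should be caught before the scripts run rather than after. The MANIFEST.md5 name, the SCRIPT_SET list (taken from the fetch list above), and the use of md5(1) on FreeBSD with GNU md5sum as a fallback are assumptions of this example.

```shell
#!/bin/sh
# stage_scripts.sh: copy the Sguil install scripts and patches to the floppy,
# verify each copy, and write a manifest that can be re-checked on the target.
# Added example; MANIFEST.md5 and the helper names are this script's own.

# The file set the install scripts expect (names from the fetch list above).
SCRIPT_SET="sguil_sensor_install.sh sancp_start.sh snort_start.sh
sensor_agent_start.sh barnyard_start.sh log_packets.sh.crontab
log_packets.sh.patch sancp.conf.patch barnyard.conf.patch snort.conf.patch
sensor_agent.conf.patch sguil_sensor_install_patch.sh sguil_server_install.sh
sguild.conf.patch sguil_database_install_pt1.sh sguil_database_install_pt2.sh
sguil_client_install.sh sguil_client_start.sh sguil.conf.patch"
MANIFEST=MANIFEST.md5

# checksum FILE: print only the MD5 hex digest. FreeBSD's md5(1) -q already
# does that; GNU md5sum prints "digest  name", so keep the first field.
checksum() {
    if command -v md5 >/dev/null 2>&1; then
        md5 -q "$1"
    else
        md5sum "$1" | cut -d' ' -f1
    fi
}

# stage_scripts SRC DST: refuse to copy anything if a file is missing (a
# half-populated floppy is worse than none), then copy each file, compare
# source and destination digests, and record the digest in DST/MANIFEST.md5.
# Returns 0 on success, 2 if the set is incomplete, 1 on a copy failure.
stage_scripts() {
    src=$1
    dst=$2
    missing=0
    for f in $SCRIPT_SET; do
        if [ ! -f "$src/$f" ]; then
            echo "missing: $src/$f" >&2
            missing=1
        fi
    done
    [ "$missing" -eq 0 ] || return 2
    : > "$dst/$MANIFEST"
    for f in $SCRIPT_SET; do
        cp "$src/$f" "$dst/$f" || return 1
        sum=$(checksum "$src/$f")
        if [ "$sum" != "$(checksum "$dst/$f")" ]; then
            echo "copy mismatch: $f" >&2
            return 1
        fi
        printf '%s  %s\n' "$sum" "$f" >> "$dst/$MANIFEST"
    done
    # Nothing here should be world-writable: root will run or apply it.
    chmod go-w "$dst"/*
    return 0
}

# verify_manifest DIR: re-check every file in DIR against its manifest, e.g.
# right after mounting the floppy on the target box. Returns 1 if any file
# is missing or its digest differs from the recorded one.
verify_manifest() {
    dir=$1
    bad=0
    while read -r sum f; do
        if [ ! -f "$dir/$f" ] || [ "$(checksum "$dir/$f")" != "$sum" ]; then
            echo "altered or missing: $f" >&2
            bad=1
        fi
    done < "$dir/$MANIFEST"
    return $bad
}
```

Usage: after mounting the floppy, `stage_scripts /usr/local/src /mnt` on the build box; on each target, mount it and run `verify_manifest /mnt` before running anything from it. Keep a copy of the manifest on the build box as well, since a manifest that travels with the files it describes only catches accidents, not someone who edits both.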