How were Richard Bejtlich's scripts changed?
In sguil_sensor_install.sh:
Uncommented the line below "# FreeBSD 6 packages".
Commented out the line after "# FreeBSD 5 packages".
Under "cd /usr/local/etc/nsm":
"fetch http://www.bejtlich.net/sensor_agent.conf.patch" changed to "cp /mnt/sensor_agent.conf.patch /usr/local/src".
"fetch http://www.bejtlich.net/snort.conf.patch" changed to "cp /mnt/snort.conf.patch /usr/local/src".
"fetch http://www.bejtlich.net/barnyard.conf.patch" changed to "cp /mnt/barnyard.conf.patch /usr/local/src".
"fetch http://www.bejtlich.net/sancp.conf.patch" changed to "cp /mnt/sancp.conf.patch /usr/local/src".
"fetch http://www.bejtlich.net/log_packets.sh.patch" changed to "cp /mnt/log_packets.sh.patch /usr/local/src".
"fetch http://www.bejtlich.net/log_packets.sh.crontab" changed to "cp /mnt/log_packets.sh.crontab /usr/local/src".
Under "cd /home/sguil":
"fetch http://www.bejtlich.net/barnyard_start.sh" changed to "cp /mnt/barnyard_start.sh /usr/local/src".
"fetch http://www.bejtlich.net/sensor_agent_start.sh" changed to "cp /mnt/sensor_agent_start.sh /usr/local/src".
Under "cd /root":
"fetch http://www.bejtlich.net/snort_start.sh" changed to "cp /mnt/snort_start.sh /usr/local/src".
"fetch http://www.bejtlich.net/sancp_start.sh" changed to "cp /mnt/sancp_start.sh /usr/local/src".
In sancp_start.sh:
Under "#!/bin/sh":
"SENSOR=gruden" changed to "SENSOR=riffraff".
"INTERFACE=lnc1" changed to "INTERFACE=xl0".
In snort_start.sh:
Under "#!/bin/sh":
"SENSOR=gruden" changed to "SENSOR=riffraff".
"INTERFACE=lnc1" changed to "INTERFACE=xl0".
In barnyard_start.sh:
Under "#!/bin/sh":
"SENSOR=gruden" changed to "SENSOR=riffraff".
In log_packets.sh.patch:
Under -HOSTNAME="myhost":
+HOSTNAME="gruden" changed to +HOSTNAME="riffraff".
Under -INTERFACE="eth0":
+INTERFACE="lnc1" changed to +INTERFACE="xl0".
In barnyard.conf.patch:
Under "-config hostname: snorthost"
"+config hostname: gruden" changed to "+config hostname: riffraff".
Under "-config interface: fxp0"
"+config interface: lnc1" changed to "+config interface: xl0".
Under the "+" line at the very bottom:
"+output sguil: sensor_name gruden" changed to "+output sguil: sensor_name riffraff".
In snort.conf.patch:
Under "-var RULE_PATH ./rules":
"+var RULE_PATH /nsm/rules/gruden" changed to "+var RULE_PATH /nsm/rules/riffraff".
In sensor_agent.conf.patch:
Under "-set HOSTNAME gateway":
"+set HOSTNAME gruden" changed to "+set HOSTNAME riffraff".
In sguil_server_install.sh:
Uncommented the line below "# FreeBSD 6 packages".
Commented out the line after "# FreeBSD 5 packages".
Commented out lines between "# Create directories" and "# Install MySQL client"; we already have the software fetched and the packages installed.
Commented out the line "pkg_add -r tcltls".
Commented out the line "pkg_add -r tclX".
"fetch http://www.bejtlich.net/sguild.conf.patch" changed to "cp /mnt/sguild.conf.patch /usr/local/etc/nsm".
"fetch http://www.bejtlich.net/sguild_start.sh" changed to "cp /mnt/sguild_start.sh /usr/local/etc/nsm".
In sguild.conf.patch:
Under -set DBPASS "sguil":
+set DBPASS "sguil" changed to +set DBPASS "otherpasswordIamnotdumbenoughtonamehere".
In sguil_database_install_pt1.sh:
Uncommented the line below "# FreeBSD 6 packages".
Commented out the line after "# FreeBSD 5 packages".
Commented out "cd /usr/local/src".
Commented out "fetch http://internap.dl.sourceforge.net/sourceforge/sguil/$SGUIL.tar.gz".
Commented out "tar -zxf $SGUIL.tar.gz".
In sguil_database_install_pt2.sh:
/usr/local/bin/mysql -e "SET password for sguil@localhost=password('sguil')" changed to /usr/local/bin/mysql -e "SET password for sguil@localhost=password('somethingsecret')".
/usr/local/bin/mysql -e "SET password for root@localhost=password('r00t')" changed to /usr/local/bin/mysql -e "SET password for root@localhost=password('somethingsupersecret')".
/usr/local/bin/mysql --password=somethingsupersecret -e "FLUSH PRIVILEGES"
echo "ifconfig_lnc1=-arp" >> /etc/rc.conf changed to echo "ifconfig_xl0=-arp" >> /etc/rc.conf.
In sguil_client_install.sh:
Uncommented the line below "# FreeBSD 6 packages".
Commented out the line after "# FreeBSD 5 packages".
Under "cd /home/analyst":
"fetch http://www.bejtlich.net/sguil_client_start.sh" changed to "cp /mnt/sguil_client_start.sh /home/analyst".
Under "cd /usr/local/src/$SGUIL/client":
"fetch http://www.bejtlich.net/sguil.conf.patch" changed to "cp /mnt/sguil.conf.patch /usr/local/src/$SGUIL/client".
This was all done with vi on the /mnt device. (cd /mnt, vi sguil.conf.patch, edit, :wq!, vi sguil_client_start.sh, etc.)
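As an added example (not the post's or Bejtlich's code), the shell below applies the same substitutions listed above to a scratch copy of the scripts and patches, then audits the copy for anything still referring to the old sensor name, the old interface or a default database password, which is the check that catches slips such as setting SENSOR twice instead of INTERFACE. It assumes files copied from /mnt land in the current directory (where fetch would have written them) and that NEW_DBPASS is supplied by the operator; CHANGE_ME_placeholder is only a placeholder.

```shell
#!/bin/sh
# Added example, not from the original post: localize Bejtlich's Sguil
# scripts/patches for sensor "riffraff" on interface xl0, then audit them.
OLD_SENSOR=gruden;  NEW_SENSOR=riffraff
OLD_IFACE=lnc1;     NEW_IFACE=xl0
# Operator-supplied value; CHANGE_ME_placeholder is a placeholder only.
NEW_DBPASS=${NEW_DBPASS:-CHANGE_ME_placeholder}

# Rewrite one script or patch in place: sensor name, interface name, each
# "fetch" of a bejtlich.net file (replaced by a copy from /mnt into the
# current directory, an assumption of this example) and the sguild DBPASS
# default. INTERFACE= stays INTERFACE=, avoiding the SENSOR=xl0 slip.
localize_file() {
    f=$1
    sed -e "s/$OLD_SENSOR/$NEW_SENSOR/g" \
        -e "s/$OLD_IFACE/$NEW_IFACE/g" \
        -e "s#^fetch http://www\.bejtlich\.net/\([^ ]*\)#cp /mnt/\1 .#" \
        -e "s/^+set DBPASS \"sguil\"/+set DBPASS \"$NEW_DBPASS\"/" \
        "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

localize_dir() {
    for f in "$1"/*; do localize_file "$f"; done
}

# Count lines that still carry the old sensor, the old interface or one of
# the default passwords. Lines starting with '-' are the patches' "before"
# context and legitimately show the defaults, so they are skipped. Prints 0
# when the directory is clean.
audit_dir() {
    grep -r -h -E "$OLD_SENSOR|$OLD_IFACE|DBPASS \"sguil\"|password\('(sguil|r00t)'\)" "$1" \
        | grep -v '^-' | wc -l | tr -d ' '
}

# Constructed sample input standing in for snort_start.sh and sguild.conf.patch.
make_sample() {
    mkdir -p "$1"
    printf '#!/bin/sh\nSENSOR=gruden\nINTERFACE=lnc1\nfetch http://www.bejtlich.net/snort_start.sh\n' \
        > "$1/snort_start.sh"
    printf -- '-set DBPASS "sguil"\n+set DBPASS "sguil"\n' > "$1/sguild.conf.patch"
}
```

Run make_sample against a scratch directory, then localize_dir and audit_dir on it; the audit should report 0 before the scripts are copied to the sensor.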