Goals of blog: To give back (at least a little) to the open source community. To outline the steps I took to implement this project (in case I should die an untimely death while shuttling backup tapes across the scary-busy Tacoma thoroughfare just outside our company doors).
The boss has granted the use of two refurbed computers from Boeing Surplus. I'm not fully sure how to communicate hardware specs, so I won't try yet. I know they're leftover Dell GX-150 somethings. They came with Windows licenses, for the day when they are not test machines for this project.
Currently the Dells are named "RiffRaff" and "Magenta". Magenta will be the Sguil client, and RiffRaff will serve as the Snort/Barnyard/Sguil sensor, server, and database. In short, Magenta should let us analyze the packets RiffRaff has captured, if I'm understanding the division of labour correctly.
There are online resources to help with this task: http://news.gmane.org/gmane.comp.security.sguil.general, and an IRC channel on freenode.net called #snort-gui. (I still need to learn IRC, as my free time lately is about as existent as fluffy lavender unicorns. Wonder if it's got a nifty web browser interface I can use in the meantime...)
First: Install FreeBSD
That's the easy part. I'm using FreeBSD 6 STABLE. I set up my partitions like this due to space restrictions on the hard drives:
/ 512MB
swap 512MB
/usr 5000MB
/home 1000MB
/var 1500MB
/tmp 1000MB
/nsm 5000MB
I only installed packages for CVSup-without-gui, and a few other items like tar programs and port audit programs and such. Then I added two accounts: sguil and analyst. I set my root password to something that I can almost guarantee won't be in any rainbow table, and printed Richard Bejtlich's post on the TaoSecurity Blog for March 23rd, 2006.
Second: Download and extract scripts
Next the scripts were downloaded from Mr. Bejtlich's site.
cd /usr/local
mkdir /usr/local/src
fetch -r http://www.bejtlich.net/sguil_install_scripts.tar.gz
tar -xzvf sguil_install_scripts.tar.gz
In order to compare the newer scripts to the earlier, all-in-one script Mr. Bejtlich had granted to the public, I realized I'd need to print out each script and label it. When I thought about it more, I also realized I'd be implementing these scripts on over a dozen machines. Potentially, downloading the scripts to each machine, uncompressing them, running them, and testing them could take a long time. The Dells are old enough to have floppy drives attached, so a floppy disk was located and inserted into the drive. (It was blank.)
FreeBSD, you may be shocked to know if you're coming from a Windows background, doesn't automatically "see" the floppy drive or the diskette. In fact, you have to tell it that it has a floppy drive and that the diskette exists. First we format the diskette and tell it we want it to have a file system:
fdformat /dev/fd0
newfs /dev/fd0
Then we mount the diskette so the system can read and write it under /mnt:
mount /dev/fd0 /mnt
When we want to shut down our machine, we should unmount the floppy drive. But you have to make sure your current directory isn't under /mnt, or it will tell you the device is busy. I like to do a "pwd" to figure out where I am, then change directories if needed, then unmount, like so:
cd /usr/local
umount /mnt
We could fetch the following into /mnt:
- http://www.bejtlich.net/sguil_sensor_install.sh
- http://www.bejtlich.net/sancp_start.sh
- http://www.bejtlich.net/snort_start.sh
- http://www.bejtlich.net/sensor_agent_start.sh
- http://www.bejtlich.net/barnyard_start.sh
- http://www.bejtlich.net/log_packets.sh.crontab
- http://www.bejtlich.net/log_packets.sh.patch
- http://www.bejtlich.net/sancp.conf.patch
- http://www.bejtlich.net/barnyard.conf.patch
- http://www.bejtlich.net/snort.conf.patch
- http://www.bejtlich.net/sensor_agent.conf.patch
- http://www.bejtlich.net/sguil_sensor_install_patch.sh
- http://www.bejtlich.net/sguil_server_install.sh
- http://www.bejtlich.net/sguild.conf.patch
- http://www.bejtlich.net/sguil_database_install_pt1.sh
- http://www.bejtlich.net/sguil_database_install_pt2.sh
- http://www.bejtlich.net/sguil_client_install.sh
- http://www.bejtlich.net/sguil_client_start.sh
- http://www.bejtlich.net/sguil.conf.patch
Or we could just do a copy from /usr/local/src to /mnt.
- cp /usr/local/src/sguil_sensor_install.sh /mnt
- cp /usr/local/src/sancp_start.sh /mnt
- cp /usr/local/src/snort_start.sh /mnt
- cp /usr/local/src/sensor_agent_start.sh /mnt
- cp /usr/local/src/barnyard_start.sh /mnt
- cp /usr/local/src/log_packets.sh.crontab /mnt
- cp /usr/local/src/log_packets.sh.patch /mnt
- cp /usr/local/src/sancp.conf.patch /mnt
- cp /usr/local/src/barnyard.conf.patch /mnt
- cp /usr/local/src/snort.conf.patch /mnt
- cp /usr/local/src/sensor_agent.conf.patch /mnt
- cp /usr/local/src/sguil_sensor_install_patch.sh /mnt
- cp /usr/local/src/sguil_server_install.sh /mnt
- cp /usr/local/src/sguild.conf.patch /mnt
- cp /usr/local/src/sguil_database_install_pt1.sh /mnt
- cp /usr/local/src/sguil_database_install_pt2.sh /mnt
- cp /usr/local/src/sguil_client_install.sh /mnt
- cp /usr/local/src/sguil_client_start.sh /mnt
- cp /usr/local/src/sguil.conf.patch /mnt
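As an added example (not from the original post or from Mr. Bejtlich's scripts), here is the diskette workflow above as one shell script: it copies the same list of scripts from /usr/local/src onto the mount point, verifies each copy with cmp, and checks that the current directory is not under the mount point before unmounting, which is what produces the "device is busy" error. The device and mount point (/dev/fd0 and /mnt, overridable via FLOPPY_DEV and FLOPPY_MNT) are assumptions taken from the post.

```shell
#!/bin/sh
# Added example: stage the Sguil install scripts onto a diskette and
# unmount it safely. Assumes /usr/local/src holds the extracted scripts.

# The scripts the post copies to the diskette.
SGUIL_SCRIPTS="sguil_sensor_install.sh sancp_start.sh snort_start.sh
sensor_agent_start.sh barnyard_start.sh log_packets.sh.crontab
log_packets.sh.patch sancp.conf.patch barnyard.conf.patch snort.conf.patch
sensor_agent.conf.patch sguil_sensor_install_patch.sh sguil_server_install.sh
sguild.conf.patch sguil_database_install_pt1.sh sguil_database_install_pt2.sh
sguil_client_install.sh sguil_client_start.sh sguil.conf.patch"

# Copy every script from $1 to $2 and verify each copy byte-for-byte.
# Returns 0 only when every file was present, copied and matched.
stage_scripts() {
    src=$1; dst=$2; failed=0
    for f in $SGUIL_SCRIPTS; do
        if [ ! -f "$src/$f" ]; then
            echo "missing: $src/$f" >&2; failed=1; continue
        fi
        cp "$src/$f" "$dst/$f" && cmp -s "$src/$f" "$dst/$f" || {
            echo "copy failed: $f" >&2; failed=1
        }
    done
    return $failed
}

# Return 0 if directory $1 is the mount point $2 or lies under it; that is
# the situation in which umount reports the device as busy.
inside_mount() {
    case "$1" in
        "$2"|"$2"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# The post's sequence: format, newfs, mount, stage, leave the mount point,
# unmount. Only runs when the script is invoked with the argument "run".
floppy_workflow() {
    dev=${FLOPPY_DEV:-/dev/fd0}; mnt=${FLOPPY_MNT:-/mnt}
    fdformat "$dev" && newfs "$dev" && mount "$dev" "$mnt" || return 1
    stage_scripts /usr/local/src "$mnt" || { umount "$mnt"; return 1; }
    if inside_mount "$(pwd)" "$mnt"; then cd /usr/local; fi
    umount "$mnt"
}

if [ "${1:-}" = "run" ]; then floppy_workflow; fi
```

Running it with no argument only defines the functions, so stage_scripts and inside_mount can be tried against ordinary directories before a real diskette is involved.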