Documentation

Manual Configuration

If you are happy using all the default setting then you do not need read this section, it is only relevant if you are going to customise your installation or want to know more about the config files and options.

There are a number of configuration files you need to be aware of if you want to customise Knoppix-NSM for your network/deployment. In this section we will discuss where each file can be found, what options you may need to change and what its function is.

This section is only designed to dicsuss the options that you may want to change when rolling out multiple sensors/servers. It is not a howto on the advanced options of any of the packages discussed, there are are books available and you can also visit the developers website for detailed documentation on their tools, see tools page for links. Everything discussed here can be controlled through the configuration wizards and is only provided as information for advanced users who like to make their own changes.

4. Table of Contents
   1. Sensor
      1. Sensor interfaces
      2. Sensor List
      3. Snort
      4. Barnyard
      5. sancp
      6. Sguil Sensor
      7. ntop
      8. Log Files
      9. ntp
   2. Server
      1. Sguil Server
      2. BASE
      3. MySQL
      4. Log Files
      5. Ntp
   3. Console
   4. Network options
      1. Management Network
      2. Firewall

a. SENSOR

If you are not interested in setting things up the easy way, or you want to know what is going on under the hood, then you have come to the right place. It is important to read all of this section before you decide to make changes otherwise you could be chasing you tail trying to find out what went wrong if you missed something.

Where you see default in the filename replace with your sensor name.

This section will describe all the components necessary to change the default configuration settings for a sensor. I have used the defaults as an example throughout this section to highlight the current configuration.

i. Sensor Interfaces

One of the objectives of Knoppix-NSM is to make things easy so we have also provided the tools necessary to monitor bonded interfaces. This is very useful if you are going to monitor span ports or output from passive taps (that do not aggregate data).

You must add the interface you plan on monitoring here before you start the sensor otherwise it will fail when it trys to bring it up, using the sif script.

/etc/sensorinterfaces

This file controls the configuration details for sensor interfaces, most importantly it tracks the details for a bonded interface. By default the file will only contain eth0, the following is the format for adding a bonded interface manually, (eample syntax for a bonded interface provided)

Because of the way bonded interfaces and the kernal module act it is important that the bonded interfaces are started in the order in which you name them. This is, if you want to use bond1 you must ensure bond0 kernal module has been loaded. Failure to do this will result in a bond1 kernal module but the interface name reported by /proc/net/dev will be bond0. Fortunately all the guess work has been taken into consideration and it is recommended that you use the sensor interface wizards to add remove and start bonded interfaces.

Sensor interfaces are automatically started by the sensor.

ii. Sensor List

The sensor list file tracks which sensors are configured on the system, what ports they are using for ntop and barnyard and what interface it is monitoring.

/etc/sensors

The default sensor settings, order is important,

If a sensor has been created manually and not added to this file, then when you subsequently use the sifadd scripts you may end up with a conflict in your barnyard and ntop ports.

iii. Snort

Read the snort manual and website for detailed explanations of settings not discussed here.

/etc/snort/snort.basedb.conf (deprecated)

Configuration file for /etc/init.d/snortd startup script, controls the output to the BASE (snort) database when snort is being used for base output only. This file contains the defaults as shipped with snort, with the esception of all rules enable and the following.

Location of the snort *.rules files, path is relative to this configuration file,

The configuration of the output logging plugin is controlled through the following option,

Note: This configuration file is only provided as legacy is not required when using sguil, unless you want to avoid having a single snort process logging to two different outputs, i.e base and sguil. When working with multiple sensors on the one box this script is not considered when adding sensors.

When making changes in the conf file you can use the init script to verify the new database settings and rules path/files:

/etc/snort/snort.sguil.default.conf

Configuration file for /etc/init.d/snortu.default startup script, this is the main script of interest when using sguil. From here you can modify the output directories, log filenames and the base output option. Other than the changes highlighted below the rest are the defaults as shipped with snort.

Location of the snort *.rules files, path is relative to this conf file,

The configuration of the output logging plugin is controlled through the following option. # this line out if you do not want to use snort db output (for BASE console),

Enable fast binary alert output for parsing by barnyard, data is then passed to sguil-sensor-agent for input to sguil db,

The following enables the snort stream4 preprocessor for logging session data,

The following enables the portscan preprocessor to track portscans, the output is parsed by sguil-sensor-agent for input to sguil db.

When making changes in the conf file you can use the init script to verify the new database settings and rules path/files:

/etc/snort/rules/default

Location of the snort rules files.

/etc/init.d/snortd (deprecated)

This is the init script for snort if you only want to use the output logging to snort db (BASE console) and corresponds to /etc/snort/snort.basedb.conf configuration file as detailed above. The following is an explanation of the options that are, be default, controlled in this script.

Note: This configuration file is only provided as legacy is not required when using sguil, unless you want to avoid having a single snort process logging to two different outputs, i.e base and sguil. When working with multiple sensors on the one box this script is not considered when adding sensors.

The sensor name is controlled by the sensor variable. It is not mandatory that it match the actual sensor name as you want it reported in BASE, that is controlled in the snort.conf file, but it is used to track pid and log files.

Set the configuration file for snort plugins and rulesi,

Set the interface that is to be monitored,

/etc/init.d/snortu.default

This is the init script for snort, and provides the alert data for sguil. By default it will log output to both snort db (BASE console) and sguil and corresponds to /etc/snort/snort.sguil.default.conf configuration file as detailed above. The following is an explanation of the options that are, by default, controlled in this script.

The sensor name is controlled by the sensor variable and needs to be consistant with what is defined in the conf file. This script will check to make sure the outptut data directories as defined in the conf file exist, if not they are created,

Set the configuration file for snort plugins and rules,

Path to output data directories for alert (LOG), seesion (SSN) and portscan (PS), if they do not exist they are created,

The INTERFACE is controlled through the /etc/sensors file and should not be modified.

/etc/init.d/snortl.default

This script is a modification of the logpackets script as provided with sguil. It was modified for consistancy with syntax and output logging, no major changes with the exception of the bond information.

The sguil script does not have a corresponding config file, but options in here need to be consisteant with other files as highlighted.

The sensor name is controlled by the sensor variable, this needs to match,

Set the the output log directories, this is where all the full content packet logs are stored. This needs to match what is configured for the sguil-sensor-agent below and what is in the /etc/snort/snort.sguil.default.conf as defined above. If directories do not exist they are created,

You can define the maximum disk space allowed for dailylogs, when it reaches/exceeds this limit the script will clean up old logs. The maximum space is a percentage of total partition and is controlled by,

You can define a filter so that not everything passing by the interface is being logged. Snort is compatible with the Berkely Packet Filter (BPF) syntax, to enable filter remove the # and format as required.

The last thing to mention is the path to the cronjob that will restart this script at the beginning of new day. This script checks to see if it has been enabled (disabled by default) and reports to the user if not configured. Note: sguil client will not be able to access packet logs if you do not enable daily restarts as this script creates a new daily directly to help keep track of data.

The INTERFACE is controlled through the /etc/sensors file and should not be modified.

/etc/cron.daily/snortl-newday.default

Cron job to restart snortl at the beginning of each day, to enable remove the #,

iv. Barnyard

So you want to configure barnyard the hard way, or just decided to see what options you need to worry about? Barnyard is pretty straight forward to configure so read on to find out more.

/etc/snort/barnyard.sguil.default.conf

This is the main configuration file for barnyard, in this file you can control the hostname which is in effect the sensor name it reports to sguil-sensor-agent and the port on which to connect to the sensor_agent and must be unique for each sensor,

The only other option of interest is to set the output, this tells barnyard to send data to sguil-sensor-agent,

/etc/init.d/barnyard.default

The sensor name is controlled by the sensor variable, it needs to match what is defined in /etc/snort/snort.sguil.conf as it looks for the snort alert files in a path defined by the sensor name.

Set the configuration file for barnyard,

Set the the path and filename to the snort output data,

v. Sancp

This section will explain the most common options for configuring sancp and the default settings used in Knoppix-NSM.

/etc/init.d/sancpd.default

The sensor name is used to define the output data logging directory so it needs to match the sguil sensor configuration file below.

Set the configuration file for more options,

The INTERFACE is controlled through the /etc/sensors file and should not be modified.

Set the the output log directories, this is where all the session data logs are stored. This needs to match what is configured for the sguil-sensor-agent. If directories do not exist they are created,

vi. sguil sensor agent

The sguil-sensor-agent is only 1/3 of the sguil equation and is responsible for collecting all the data and passing it accross to the server for logging to the database. This is the configuration file for /etc/init.d/sguil-sensor-agent start up script.

/etc/snort/sensor_agent.default.conf

By default the sensor agent will log verbosely, this is very useful when diognosing problems. Once you are a happy that everything is working it is a good idea to disable this option otherwise you are wasting disk space with logs. To eneable/disable verbose/debug logging set the following to 0,

The sensor agent will connect to the sguil server as defined by,

Next you will want to set the sensor name, this is reported in the sguil client and needs to be unique for each instance of the sensor_agent in use,

The following options tell the sensor agent where to find all the output data from snort and sancp,

The port to listen to for barnyard connections, it must be unique for each instance of the sensor_agent,

The last two options of interest control whether you want to enable or disable ssn_logs or sancp logs,

Disabling these two options will make things run faster but you will not be able to see session data, an important piece in the NSM framework. Of course you can always play around with one or the other to see which one provides the best results as both are capturing session stats.

/etc/init.d/sguil-sensor-agent.default

The sensor name is controlled by the sensor variable, it needs to match what is defined in /etc/snort/sensor_agent.conf as it looks for the snort alert files in a path defined by the sensor name.

Set the configuration file for the sensor_agent init script,

Set the the path and filename to the snort output data,

vii. ntop

ntop is pretty straight forward to configure, all you need to define is the interface to monitor and the port to bind the mini webserver to, this must be unique for each instance/sensor you are running. If running multiple instances of ntop you will also need to change the location for the config files.

/etc/init.d/ntop.default

The sensor name is controlled by the sensor variable, for consistancy with the other scripts the sensor name is also defined to track log files.

The http and https setting, the number defines the port to listen on (0 is disabled), by default ntop is configured for https only.

The INTERFACE is controlled through the /etc/sensors file and should not be modified.

The location of the config files is controlled through the $HOMEDIR directive. It is automatically onfigured by the sensoradd script, and a set of default files are copied here.

viii. Sensor log files

The following log files can be used to check on the status if any problems occur when running these scripts.

• /var/log/snort_packetlogging_default_eth0.log output from the /etc/init.d/snortl.default script
• /var/log/snort_unified_default_eth0.log output from the /etc/init.d/snortu.default script
• /var/log/snort_basedb_default_eth0.log output from the /etc/init.d/snortd.default script
• /var/log/barnyard_default.log output from the /etc/init.d/barnyard.default script
• /var/log/sguil_sensor_agent_default.log output from the /etc/init.d/sguil-sensor-agent.default script
• /var/log/sancpd_default_eth0.log output from the /etc/init.d/sancpd.default script
• /var/log/ntop_default_eth0.log output from the /etc/init.d/ntop.default script

ix. ntp

It is important that all clocks be synchronised on you system to help when analysing problems. If you plan on using Knoppix-NSM in an out of band management network then you will not need to change anything, unless you want to use a different time source.

/etc/cron.hourly/ntp-sync

Synchronise time with sersen1, change the name here if you want to use something else,

/etc/cron.daily/set-hwclock

Sync the hardware clock daily, # this out if you want to disable

b. SERVER

This section will describe the components necessary to change the default configuration settings for a server. I have used the defaults as an example throughout this section to highlight the current configuration.

i. sguil server

The second part of the sguil equation is the server, it listens to connections from the sensor-agent and stores data to the database, or retrieves data for the client.

/etc/sguild/sguil.conf

By default the server will log everything (2), this is very useful when diognosing problems. Once you are a happy that everything is working it is a good idea to change it to either important (1) or nothing (0) otherwise you are just wasting space and cpu time. To eneable/disable verbose/debug logging adjust the following,

Define the path to parent tree for the snort rules files, the sensor name is automatically appended so it is important it matches the sguil-sensor-agent. The server uses the files located here to retrieve rules information for display in the client. For accuracy when updateing sensor sginatures it is a good idea to change them on the server too.

The last bit to worry about is the MySQL database details, set these to whatever you want to use. This is for the sguil output databse, remember to change them in MySQL as well.

/etc/init.d/sguild

There really isn't anything in this file that you need to worry about unless you want to disable TLS which is enabled by default. To disable just # it out.

/usr/local/lib/sguil

This is the location of the sguild library files.

ii. BASE

If you are going to use BASE as well as sguil you may want to amend the database details in the BASE configuration file.

/var/www/base/base_conf.php

By default BASE has been configured with an archive database, if you wish to use it than update all of the following options, by default base will connect on the default mysql port 3306

iii. MySQL

The are two things of interest with mysql that you may need to manage, passwords/user accounts and databases.

User Accounts

The following commands can be executed in mysql to change the default passwords (change localhost if using remote sensor and/or server):

You can also change the debian-sys-maint password but that is not covered here, if you do you will also need to update the debian package that is using it.

Don't forget the root password, will need to update this in phpmyadmin if you want to use it,

New remote sensor account

If you are creating new accounts for access by snort, remote sensor, and you want to use ssl connections to the mysql database you need to ensure the REQUIRE SSL option is included. This is only required when using snort db output (BASE console).

phpMyAdmin

If you prefer to do things through a gui then phpmyadmin is also provided to facilitate database adminstration. Using firefox enter the following url: https://localhost/phpmyadmin/ (replace loaclhost with servername if managing remotely)

iv. Server log files

The following log files can be used to check on the status if any problems occur when running these scripts.

• /var/log/sguild.log output from the /etc/init.d/sguild script
• /var/log/mysql.err, /var/log/mysql.log status reporting for MySQL
• /var/log/ntp.log status reporting from ntp daemon

v. ntp

It is important that all clocks be synchronised on you system to help when analysing problems. If you plan on using Knoppix-NSM in an out of band management network then you will not need to change anything, unless you want to use a different time source.

The ntp server is controlled through the standard debian ntp script /etc/init.d/ntpd.

/etc/ntp.conf

By default sersen1 is set up as a time server that can be used as a master time server in your out of band management network. If you want to use a different time server change it here and # out the fudge statement.

If you prefer you can disable ntp and use the ntp-sync cron job to syncronise the server time with another source. In that case remove the ntp script from runlevels 3 and 5 and enable the following two options.

/etc/cron.hourly/ntp-sync

Synchronise time with your time_server,

/etc/cron.daily/set-hwclock

Sync the hardware clock daily, # this out if you want to disable

c. CONSOLE

The console is pretty straigh forward, all you need to do is run the apps you want to use. The sguil client has been modified to provide a button to link to signatures stored on the management net web server.

sguil

Configuration file: /etc/sguil/sguil.conf
Application file: /usr/local/bin/sguilc
Library files: /usr/local/lib/sguil

d. NETWORK OPTIONS

Depending on how you plan to impliment Knoppix-NSM you may need to adjust the management network or firewall settings.

Management Network

Controlling the management network is no different to how it is done on any debian installation. If you intend on using the netowrk setup script, as describded in configuraion wizards than you can only provide one set of ethernet network settings here. Knoppix-NSM is only intended to be used with one management network interface.

A summary of the debian scripts and config files:

• /etc/network/interfaces, configuration file for the management network
• ifup, script to bring up a network interface (read setting from conf file above
• ifdown, scring to take down an interface
• pump, used to update the ip with dhcp

If you intend on using dhcp you will need to update the firewall to allow dhcp in and out

Firewall

A detailed description of the default firewall policies can be found in the software architecture section of the documentation.

The firewall is dynamically controlled by the system type and through the rc.firewall script.

/etc/systemtype

This file just store the system type and is read by the rc.firewall script at startup to set the firewall policies. It should only be one of the following:

• console, sets default policies for the console
• server, sets default policies for the server
• sensor, sets default policies for the sensor
• sersen, sets default policies for a combined server/sensor

/etc/init.d/rc.firewall

This script is automatically run when the system starts, defining the firewall policies as soon as networking is enabled. If you want to make changes to the default policies for a particular systemtype you can modify the default policies found in /etc/default/firewall/{system_type}, an example

The syntax for the above lines is:

protocol port io
---------------------------
protocol - tcp/udp
port - any tcp/udp port you want to allow
i - allow inbound connections only
o - allow outbound connections only
io - allow both inbound and outbound connections

Copyright © www.securixlive.com 2005-2008