Documentation

Configuration Wizards

If you are happy using all the default settings then you do not need to read this section; it is only relevant if you are going to customise your installation.

  1. Table of Contents
    1. Introduction
    2. Sensor
      1. Start/Stop Sensor
      2. Sensor Interfaces
      3. Customising
      4. Multiple Sensors on one box
    3. Server
      1. Sensor Management
      2. User Management
    4. Network
      1. Management Network
      2. Firewall
    5. Summary

a. INTRODUCTION

Keeping with the theme of this distribution 'get up and running quickly and spend more time doing analysis' there are automated scripts to help in configuring a sensor or server. If you really want to get in and make the changes yourself then you will be more interested in the Manual Configuration section.

Management of a server or sensor is designed to be carried out from a console either locally or remotely, no GUI - it just wastes resources. A user can interact with the scripts in one of two ways:

  • from the admin menus, or
  • directly by calling the appropriate scripts

Each of the following sections will briefly discuss the appropriate menu, while the actual details will be given for direct access from the scripts. Overall there is one menu you can use to control everything and the details of each function will be discussed below. To access the main NSM menu:

nsmadmin

Where practical you will be presented with a summary allowing you to review before committing changes to system files.



b. SENSOR

There are a number of things you may need to do when managing a sensor, including: (script name in brackets)

  • start/stop a sensor, (sensor sensor_name start|stop|status)
  • add/del a sensor, (sensoradd sensor_name or sensordel sensor_name)
  • rename a sensor, (sensormv oldname newname)
  • start/stop a sensor interface, (sif int_name start|stop|status)
  • add/del a sensor interface, (sifadd int_name or sifdel int_name)
  • list sensors, (cat /etc/sensors) and
  • list sensor interfaces (cat /etc/sensorinterfaces)

All of the above options, with the exception of the start/stop processes, can be accessed from the nsmsensoradmin menu:

# nsmsensoradmin

i. Start/Stop Sensor

Not much explanation needed here really; the sensor script is used to start/stop and report the status of a sensor and its modules. Script syntax:

sensor sensor_name start|stop|status

The sensor script should be used whenever you plan on starting and stopping a sensor as it ensures processes are started up in the right sequence to avoid errors.

ii. Sensor Interfaces

A number of scripts are included to help with the management and configuration of sensor interfaces. These scripts play an important role in keeping the bonded interfaces in order, as misconfiguration will result in sensors monitoring the wrong interface and mismatched names.

Add a sensor interface

The add sensor interface script is pretty straightforward but does play an important part when adding bonded interfaces. The main function of the add script is to manage the configuration of bonded interfaces; for details on the issues see sensor interfaces in the manual configuration section.

Script syntax:

sifadd interface_name

When adding a bonded interface you will be prompted to select two ethernet interfaces from the list of those available on the system.

Delete a sensor interface

The delete sensor interface script is pretty self-explanatory with the exception of deleting bonded interfaces. Because of the way bonded interfaces are created and initiated by the system the order/name is important. When deleting a bonded interface the script will attempt to re-order the naming. You will get an error if you attempt to delete a bonded interface when a higher interface is in use, e.g. deleting bond0 when bond1 is in use. For more details see sensor interface in the manual configuration section.

Script syntax:

sifdel interface_name
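The ordering rule described above (a lower bond cannot be removed while a higher one is listed), as an added example that is not the Knoppix-NSM sifdel script. The layout of /etc/sensorinterfaces is not shown on this page, so the one-interface-per-line "bondN:ethA,ethB" format used here is an assumption, and the sample list is constructed:

```shell
#!/bin/sh
# Added example; this is not the Knoppix-NSM sifdel script. It reproduces the
# ordering rule described above: bondN may only be deleted when no bond with a
# higher number is still listed, so bond0 cannot go while bond1 is in use.
# ASSUMED layout of the interfaces file (the real one is not on this page):
# one interface per line, bonded ones as "bondN:ethA,ethB".
IFACES_FILE="${IFACES_FILE:-/etc/sensorinterfaces}"

# Constructed sample used when running this outside a Knoppix-NSM box.
sample_interfaces() {
    printf '%s\n' 'eth1' 'bond0:eth2,eth3' 'bond1:eth4,eth5'
}

# highest_bond: print the largest bond index listed, or -1 if there is none.
highest_bond() {
    awk -F: 'BEGIN { hi = -1 }
             /^bond[0-9]+/ { n = substr($1, 5) + 0; if (n > hi) hi = n }
             END { print hi }' "$IFACES_FILE"
}

# can_delete_bond N: succeed only if no higher-numbered bond is in use,
# which is the check to run before letting sifdel touch bondN.
can_delete_bond() {
    hi=$(highest_bond)
    if [ "$hi" -gt "$1" ]; then
        echo "bond$1: bond$hi is still in use, delete it first" >&2
        return 1
    fi
    return 0
}
```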

Start/Stop a sensor interface

This is pretty straightforward, and typically not really used; it will bring an interface up/down and report the status of an interface. The sensor interface is controlled/checked when a sensor is started.

Script syntax:

sif interface up|down|status

Edit a bonded sensor interface

Once again pretty self-explanatory with no special requirements. The script will prompt you for the two interfaces you want to bond together and update the details in the sensor interfaces file.

Script syntax:

sifedit bond_number

List Sensor Interfaces

To view the list of sensor interfaces you can do it through the nsmsensoradmin menu or by the following:

cat /etc/sensorinterfaces

iii. Customising a Sensor

The sensoredit script will allow you to make the following changes:

  • change the sensor interface
  • change the server it connects to
  • enable/disable output to snort db (BASE)
  • enable/disable daily logging restart
  • enable/disable autostart at boot

If you plan on monitoring a bonded interface, you will need to make sure that you have first created it; see the sensor interface section for details.

To edit a sensor run the following:

sensoredit sensorname

The script uses dialogue boxes/forms and will prompt you for the following:

  • sguil server name
  • interface type (will prompt for additional details if using a bonded interface)
  • enable snort logging to restart each day
  • enable simultaneous output to snort db, for BASE console, if yes you will be prompted to provide:
    • MySQL server name
    • MySQL database name
    • MySQL user name
    • MySQL password
  • enable autostart at boot

If you have enabled the snort db output then you will also need to create the MySQL database account, if not already done, and/or change the database name if not using the default 'snort'.

Files modified

The script, /usr/local/bin/sensoredit, will make modifications to the following files:

Init scripts:
  /etc/init.d/snortu.{sensor_name}
  /etc/init.d/snortl.{sensor_name}
  /etc/init.d/sancpd.{sensor_name}
  /etc/init.d/sguil-sensor-agent.{sensor_name}
  /etc/init.d/barnyard.{sensor_name}
  /etc/init.d/ntop.{sensor_name}

Conf files:
  /etc/snort/snort.sguil.{sensor_name}.conf
  /etc/snort/barnyard.sguil.{sensor_name}.conf
  /etc/snort/sensor_agent.{sensor_name}.conf
  /etc/cron.daily/snortl-newday.{sensor_name}
  /etc/sensors

Directories:
  /etc/snort/rules/{sensor-name}
  /snort_data/{sensor-name}
  /snort_data/{sensor-name}/dailylogs
  /snort_data/{sensor-name}/portscans
  /snort_data/{sensor-name}/sancp
  /snort_data/{sensor-name}/ssn_logs

For more information on any of these files read the Manual Configuration section.

iv. Multiple Sensors on one box

While it is useful to have one sensor per box it could result in a lot of hardware. If you are interested in monitoring multiple network segments or critical servers you can do it with one box. Because of the way the sensor tools work you will need to run multiple instances of processes to monitor each interface. Fortunately the hard work has been built into scripts to automate the process.

Sensor List

The list of sensors and critical settings are managed through the /etc/sensors file. This file tracks the following information:

  • sensor name,
  • sensor interface,
  • sguil/barnyard port,
  • ntop port, important when connecting to ntop to view data, and
  • start at boot

To view the list of sensors you can do it through the nsmsensoradmin menu or by the following:

cat /etc/sensors

Adding a Sensor

The sensor add script will perform the following actions automatically:

  • create init scripts with default settings,
  • create conf files with default settings,
  • create the data directory structure,
  • set up the default snort rules,
  • add the sensor to the sensor list, and
  • automatically deconflict sguil, barnyard and ntop ports based on existing configured sensors.

Script syntax:

sensoradd sensor_name

When running multiple sensors/interfaces you will need to list the sensors to determine which port to connect to so you can view ntop data for that sensor/interface.
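An added example (not a Knoppix-NSM script) of the two things the text above relies on: looking up the ntop port of one sensor from the sensor list, and the port deconfliction that sensoradd does automatically, here written as a check you can run by hand. The field layout of /etc/sensors is not shown on this page, so the colon-separated format below is an assumption, and the sample list is constructed:

```shell
#!/bin/sh
# Added example; this is not a Knoppix-NSM script. It shows the kind of
# port check that sensoradd performs when it deconflicts sguil/barnyard and
# ntop ports, and how to look up the ntop port of one sensor from the list.
# ASSUMED layout of the sensors file (the real one is not shown on this page):
#   name:interface:sguil_barnyard_port:ntop_port:start_at_boot
SENSORS_FILE="${SENSORS_FILE:-/etc/sensors}"

# Constructed sample list, used here only so the functions can be exercised
# on a machine that is not a Knoppix-NSM box.
sample_sensors() {
    printf '%s\n' \
        'dmz:eth1:7735:3000:yes' \
        'lan:bond0:7736:3001:yes' \
        'srv:eth2:7736:3002:no'
}

# ntop_port NAME: print the ntop port recorded for sensor NAME, fail if absent.
ntop_port() {
    awk -F: -v n="$1" '$1 == n { print $4; found = 1 }
                       END { if (!found) exit 1 }' "$SENSORS_FILE"
}

# port_conflicts: print "sguil PORT" / "ntop PORT" for every port that more
# than one sensor has been given (an empty result means the list is clean).
port_conflicts() {
    awk -F: '{ sg[$3]++; nt[$4]++ }
             END { for (p in sg) if (sg[p] > 1) print "sguil", p
                   for (p in nt) if (nt[p] > 1) print "ntop", p }' "$SENSORS_FILE" | sort
}

# next_free_port COLUMN START: lowest port >= START not already used in
# COLUMN (3 = sguil/barnyard, 4 = ntop); this is the deconfliction step.
next_free_port() {
    awk -F: -v c="$1" -v p="$2" '{ used[$c] = 1 }
                                 END { while (p in used) p++; print p }' "$SENSORS_FILE"
}
```

Run port_conflicts after editing the sensor list by hand; sensoradd keeps the list clean on its own, but a manual edit can reintroduce a clash that only shows up as one sensor's ntop or barnyard failing to bind.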

Deleting a Sensor

The sensor delete script will perform the following actions:

  • delete init scripts,
  • delete conf files,
  • prompt the user to delete data files,
  • prompt to delete snort rules, and
  • remove the sensor from the sensor list.

Script syntax:

sensordel sensor_name

Files and Directories added/deleted

The scripts, /usr/local/bin/sensoradd and /usr/local/bin/sensordel, will create or delete the following:

Init scripts:
  /etc/init.d/snortu.{sensor_name}
  /etc/init.d/snortl.{sensor_name}
  /etc/init.d/sancpd.{sensor_name}
  /etc/init.d/sguil-sensor-agent.{sensor_name}
  /etc/init.d/barnyard.{sensor_name}
  /etc/init.d/ntop.{sensor_name}

Conf files:
  /etc/snort/snort.sguil.{sensor_name}.conf
  /etc/snort/barnyard.sguil.{sensor_name}.conf
  /etc/snort/sensor_agent.{sensor_name}.conf
  /etc/cron.daily/snortl-newday.{sensor_name}
  /etc/sensors

Directories:
  /etc/snort/rules/{sensor-name}
  /snort_data/{sensor-name}
  /snort_data/{sensor-name}/dailylogs
  /snort_data/{sensor-name}/portscans
  /snort_data/{sensor-name}/sancp
  /snort_data/{sensor-name}/ssn_logs

For more information on any of these files read the Manual Configuration section.



c. SERVER

There are a number of things you may need to do when managing a server, including: (script name in brackets)

  • Start/Stop a server, (/etc/init.d/sguild start|stop|status)
  • Add/Del sensor rules, (serveradd-sensor sensor_name or serverdel-sensor sensor_name)
  • Add/Del sguil users, (sguild -adduser user_name or sguild -deluser user_name) and
  • Activate/Deactivate a sensor (sensoractive sensor_name or sensorinactive sensor_name).

All of the above options are available through the nsmserveradmin menu:

nsmserveradmin

i. Sensor Management

When adding or removing sensors from the NSM network you will also need to tell the server about the changes. There are two things that you may need to do:

  • add/remove the sensor rules so they are available to the sguil client, or
  • activate/deactivate a sensor to allow its selection when logging into the sguil client

Add/Remove Sensor

These scripts simply copy/delete a default set of snort rules to the directory where the server can access them. This is to allow for viewing of the rules within the sguil console when this option is enabled. Script syntax:

serveradd-sensor sensor_name
serverdel-sensor sensor_name

Activate/Deactivate a Sensor

The activate function will mark a sensor active in the database so that it will appear in the sensor list when you log in with the sguil client. Conversely the deactivate function marks the sensor as inactive so that it no longer appears in the sensor list.

Script syntax:

sensoractive sensor_name
sensorinactive sensor_name

The scripts will prompt you for the following information:

  • sguil database username
  • sguil database password
  • sguil database name

ii. User Management

The user management functions are self-explanatory: they add and remove users for client access. The add/remove user functions are the standard functions provided by the sguild software. Check the sguil documentation for more information than is provided here. Script syntax:

sguild -adduser new_user
sguild -deluser existing_user



d. NETWORK

Knoppix-NSM has been designed to have one management network interface, that is one interface assigned an IP. If you plan on using more than one interface with an IP you will need to look at the manual configuration section for more details.

i. Management Network

The network-setup script will ask for all the details necessary, through a console based form, to update the network settings. You will also be given the opportunity to make a minor firewall configuration change if you wish to use a DNS server. When the script has finished it will apply the new settings to the management net interface and the firewall automatically.

The network script only supports static IP assignment; if you want to use DHCP, see the quickstart guide or manual configuration section for details.

The network-setup script will prompt you for the following:

  • IP settings
    • IP address,
    • Gateway address,
    • Netmask,
    • Network ID,
    • Broadcast address,
  • set the DNS server, and
  • you will need to modify the firewall policies and restart for DNS to be enabled.

ii. Firewall

There are no automated scripts for customising the firewall, see the firewall section in the manual configuration documentation for more details.



e. SUMMARY

The scripts/admin menus available:

System Type  Admin Script      Purpose
Console      network-setup     adjust management net settings
Sensor       nsmsensoradmin    sensor admin menu
             network-setup     adjust management net settings
             sensor            start/stop/status of a sensor
             sensoradd         add sensor
             sensordel         delete sensor
             sensoredit        edit a sensor configuration
             sif               start/stop/status of an interface
             sifadd            add sensor interface
             sifdel            delete sensor interface
             sifedit           edit bond interface settings
Server       nsmserveradmin    server admin menu
             network-setup     adjust management net settings
             sguild            start/stop/status sguil server
             serveradd-sensor  add sensor rules to server
             serverdel-sensor  delete sensor rules from server
             sensoractive      mark sensor active in sguildb
             sensorinactive    mark sensor inactive in sguildb
ALL          nsmadmin          NSM main admin menu