Documentation
Deploying an NSM sguil sensor on debian
This guide describes everything you need to know to install an NSM sguil sensor onto an existing Debian workstation or server. This lets you extend NSM into areas of the network where you cannot place an out-of-band sensor fed by a tap or SPAN port. You also have the option of installing a second interface so that management and IDS data travel on a network segment separate from the one carrying normal traffic.
These procedures were tested with the software versions named in the commands below (sguil 0.6.0p1, barnyard 0.2.0, snort 2.4.5 source with the updated stream4 patch, sancp 1.6.1).
You will also need to download the following from this site, and check each file against its MD5 sum before unpacking it:
- Sguil 0.6.0p1 (only 0.6.1 is available from the developers' site; the agent version must match the server version) - md5: ab75eacbeb45f43f469729da4575d4eb
- NSM sensor-tools - md5: 9f4557a99d67193462da19bd1c83d423
- snort patch (updated stream4 patch, compatible with snort 2.4.5 src) - md5: 5d1b7dfc75892757df73fcd852953fab
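The guide lists an MD5 sum for each download but never says to check it. The following POSIX shell snippet is an added example, not part of the original guide or of the sguil project: it compares a downloaded file against the published sum and refuses to continue on a mismatch. The file names in the manifest are assumptions (substitute whatever the downloads are actually called); the sums are the ones listed above. Because the sums are published on the same site as the files, a match only rules out a corrupt or mismatched download, not a compromised mirror.

```shell
#!/bin/sh
# Added example: verify downloaded NSM files against the MD5 sums published
# on the download page before unpacking them. Not part of the original guide.

# verify_md5 FILE EXPECTED_MD5 -> 0 on match, 1 on mismatch or missing file
verify_md5() {
    file=$1
    expected=$2
    if [ ! -f "$file" ]; then
        echo "MISSING  $file" >&2
        return 1
    fi
    # md5sum prints "<hash>  <file>"; keep only the hash
    actual=$(md5sum "$file" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        echo "OK       $file"
        return 0
    fi
    echo "MISMATCH $file (got $actual, expected $expected)" >&2
    return 1
}

# verify_all SRCDIR -> checks every download in the manifest below and
# returns 1 if any check fails, so it can gate the rest of the build.
verify_all() {
    srcdir=${1:-/usr/local/src}
    failed=0
    # File names are assumptions; the MD5 values are the ones the guide lists.
    while read -r name sum; do
        verify_md5 "$srcdir/$name" "$sum" || failed=1
    done <<EOF
sguil-0.6.0p1.tar.gz ab75eacbeb45f43f469729da4575d4eb
sensor-tools.tar.gz 9f4557a99d67193462da19bd1c83d423
spp_stream4.patch 5d1b7dfc75892757df73fcd852953fab
EOF
    return $failed
}

# Run only when asked explicitly, e.g.  NSM_VERIFY=1 sh verify.sh
if [ "${NSM_VERIFY:-0}" = 1 ]; then
    verify_all /usr/local/src || { echo "checksum failure, stopping" >&2; exit 1; }
fi
```

Run it from /usr/local/src before the `tar` and `patch` steps that follow; a non-zero exit means at least one file should be downloaded again rather than unpacked.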
The following is a list of the debian packages required:
- tcl8.3 (unthreaded tcl required by sguil)
- itcl3 (for sguil)
- tcltls (for sguil)
- tcllib (for sguil)
- tcl8.3-dev (for sguil)
- tclx8.3 (for sguil)
- tcpdump (for sguil)
- tcpflow (for sguil)
- libpcap0.8-dev (for snort)
- libpcre3-dev (for snort)
- dialog (required for the NSM scripts)
- automake1.9 (required for barnyard)
Package Installation
This howto assumes that the source trees have been unpacked under /usr/local/src.
The version of the sguil sensor agent must match that of the server.
sguil dependencies
tcl/tk is required for the sguil sensor_agent. Do not use tcl8.4: the tcl8.4 deb package has been compiled with thread support, and sguil does not currently support threaded tcl and will not function properly with it.
# apt-get install tcl8.3 itcl3 tcltls tcllib tcl8.3-dev tclx8.3
Install other deb packages for sguil sensor_agent:
# apt-get install tcpdump tcpflow
deb packages and dependencies
Install other deb packages for barnyard and snort:
# apt-get install automake1.9 libpcap0.8-dev libpcre3-dev
Barnyard
Patch barnyard to work with sguil (overwrite the existing files if prompted):
# cd /usr/local/src/barnyard-0.2.0
# cp ../sguil-0.6.0p1/sensor/barnyard_mods/configure.in .
# cp ../sguil-0.6.0p1/sensor/barnyard_mods/op_sguil.c src/output-plugins/
# cp ../sguil-0.6.0p1/sensor/barnyard_mods/op_sguil.h src/output-plugins/
# cp ../sguil-0.6.0p1/sensor/barnyard_mods/op_plugbase.c.patch src/output-plugins/
# cd src/output-plugins/
# patch op_plugbase.c < op_plugbase.c.patch
# cd ../../
# ./autojunk.sh
# ./configure --enable-tcl --with-tcl=/usr/lib/tcl8.3
# make && make install
Snort
Snort 2.6.2 is available, but at this stage I have not tested its compatibility with the sguil patches.
If you plan on using the preprocessors and stream4 options of snort with sguil, you need to patch the snort src.
# cd /usr/local/src/snort/src/preprocessors
# cp /usr/local/src/sguil-0.6.0p1/sensor/snort_mods/2_1/spp_portscan_sguil.patch ./
# cp path-to-securix-stream4patch/spp_stream4.patch ./   #(use this updated patch, not the one shipped with sguil, otherwise you will need to apply some chunks by hand)
# patch spp_portscan.c < spp_portscan_sguil.patch
# patch spp_stream4.c < spp_stream4.patch
# cd ../../
# ./configure --with-mysql   # not needed for sguil operation; I keep it for the BASE db
# make && make install
Sancp
Apply the sancp patches a, bd and c:
cd sancp-1.6.1
patch < sancp-1.6.1.fix200511.a.patch
patch < sancp-1.6.1.fix200606.bd.patch
patch < sancp-1.6.1.fix200601.c.patch
make
cp sancp /usr/local/bin
Sguil
You can only use the 0.6.0p1 sensor agent with the current release of Knoppix-NSM, as the agent version must match the server version. Alternatively you can upgrade the server, agent and client to 0.6.1.
Install the sguil sensor agent:
cd sguil-0.6.0p1/sensor
cp sensor_agent.tcl /usr/local/bin
Set up directories and NSM scripts
The sensor-tools package includes all the nsmsensor admin scripts needed to manage the sensor. It also includes all the default init scripts, conf files (barnyard, snort, sguil) and snort rules files, which are copied into place by the sensoradmin scripts.
cd sensor-tools
cp -a bin/* /usr/local/bin/
cp -a etc/* /etc/
cp -a sensor-defaults /usr/local/
Create the sguil data directories and users
mkdir /snort_data
mkdir /snort_data/archive
adduser --group --system sguil --no-create-home --disable-password
chown -R sguil:sguil /snort_data
tcl/tk
Ensure that tclsh points to 8.3 (the unthreaded tcl version). By default the tcl8.4 package creates the /usr/bin/tclsh link. You need to delete this link and create one pointing to tclsh8.3.
rm -f /usr/bin/tclsh
ln -s /usr/bin/tclsh8.3 /usr/bin/tclsh
rm -f /usr/bin/wish
ln -s /usr/bin/wish8.4 /usr/bin/wish
Confirm that all tcl dependencies have been met:
# tclsh
% package require Tclx
8.3
% package require tls
1.5
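The interactive check above only confirms that the two packages load; it does not confirm that the interpreter behind /usr/bin/tclsh is the unthreaded build the guide insists on. The shell script below is an added example (not from the original guide or the sguil project) that checks all three points in one go: the version tclsh reports, whether it was built with thread support, and whether Tclx and tls load. It relies on the documented Tcl behaviour that `tcl_platform(threaded)` exists only in threaded builds. The interpreter path is passed in; the /usr/bin/tclsh default is an assumption.

```shell
#!/bin/sh
# Added example: preflight check of the tcl interpreter the sensor_agent will
# run under. Not part of the original guide.

# tcl_build_is_unthreaded TCLSH -> 0 when the interpreter was built without
# thread support. Tcl sets tcl_platform(threaded) only in threaded builds.
tcl_build_is_unthreaded() {
    interp=$1
    out=$(printf '%s\n' 'if {[info exists tcl_platform(threaded)]} {puts threaded} else {puts unthreaded}' | "$interp" 2>/dev/null)
    [ "$out" = "unthreaded" ]
}

# tcl_has_package TCLSH PKG -> 0 when `package require PKG` succeeds
tcl_has_package() {
    interp=$1
    pkg=$2
    # exit 1 from inside Tcl if the package is missing; plain EOF exits 0
    printf 'if {[catch {package require %s}]} {exit 1}\n' "$pkg" | "$interp" >/dev/null 2>&1
}

# tcl_preflight TCLSH -> 0 only when every check passes; prints one line per check
tcl_preflight() {
    interp=${1:-/usr/bin/tclsh}
    rc=0
    # The guide wants /usr/bin/tclsh to resolve to the 8.3 interpreter
    ver=$(printf 'puts [info tclversion]\n' | "$interp" 2>/dev/null)
    if [ "$ver" = "8.3" ]; then
        echo "OK   tclsh is $ver"
    else
        echo "FAIL tclsh is '$ver', expected 8.3" >&2; rc=1
    fi
    if tcl_build_is_unthreaded "$interp"; then
        echo "OK   unthreaded build"
    else
        echo "FAIL threaded build (sguil needs an unthreaded tcl)" >&2; rc=1
    fi
    for pkg in Tclx tls; do
        if tcl_has_package "$interp" "$pkg"; then
            echo "OK   package $pkg loads"
        else
            echo "FAIL package $pkg missing" >&2; rc=1
        fi
    done
    return $rc
}

# Run only when an interpreter is named, e.g.  NSM_TCLSH=/usr/bin/tclsh sh tclcheck.sh
if [ -n "${NSM_TCLSH:-}" ]; then
    tcl_preflight "$NSM_TCLSH"
fi
```

Run it against /usr/bin/tclsh after fixing the symlinks above; if the first check reports 8.4, the tclsh link still points at the threaded package and the sensor_agent should not be started until that is corrected.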
Ntop
All that is needed is to install ntop; init scripts are already provided in sensor-tools (details to come). For now just ensure that the ntop binary is in /usr/local/bin/ntop and its lib in /usr/local/lib/ntop/.
Configuration
If everything above went smoothly, all that remains is to run the nsmsensoradmin script to install a new sensor, remove the default sensor (it must be removed, as no files are installed for it) and test the configuration against the sguil server.
The NSM admin scripts will copy all the necessary conf files into the correct place and add the basic settings. More details can be found in the documentation (wizards) section.
Firewall
Customise your firewall to allow outbound TCP port 7736 to the sguil server, plus the ntop ports in use (typically TCP 3000 with one instance running). The ntop web interface should only be reachable from the management segment, and nothing on the sensor needs to accept connections arriving on the sniffing interface.
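As an added example (not from the original guide or the sguil project), the shell function below expresses that policy as an iptables rule set: default deny, nothing accepted or sent on the sniffing interface, the sensor_agent allowed out to the sguil server on TCP 7736, and ntop's TCP 3000 open only to the management segment. The interface names (eth0 for management, eth1 for sniffing, which carries no IP address), the server address and the management network are assumptions passed in as parameters. Setting IPT=echo prints the rules instead of applying them, which is how to review the result before running it as root.

```shell
#!/bin/sh
# Added example: minimal host firewall for the sensor. Not part of the
# original guide. Set IPT=echo to print the rules instead of applying them.

IPT=${IPT:-iptables}

# sensor_firewall SGUIL_SERVER MGMT_NET MGMT_IF SNIFF_IF
sensor_firewall() {
    server=$1; mgmt_net=$2; mgmt_if=$3; sniff_if=$4

    # Default deny in every direction; each allowed flow is listed explicitly.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP
    $IPT -F

    # The sniffing interface only ever receives traffic for snort/sancp/ntop to
    # read; never accept or emit anything on it, so the sensor cannot be
    # reached from the monitored segment even if it is given an address later.
    $IPT -A INPUT  -i "$sniff_if" -j DROP
    $IPT -A OUTPUT -o "$sniff_if" -j DROP

    # Loopback and replies to flows that were already permitted
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # sensor_agent -> sguil server on TCP 7736, management interface only
    $IPT -A OUTPUT -o "$mgmt_if" -p tcp -d "$server" --dport 7736 -j ACCEPT

    # ntop web interface (TCP 3000, one instance) from the management segment only
    $IPT -A INPUT -i "$mgmt_if" -p tcp -s "$mgmt_net" --dport 3000 -j ACCEPT
}

# Apply only when asked explicitly, e.g.
#   NSM_APPLY_FW=1 SGUIL_SERVER=192.0.2.10 MGMT_NET=10.0.0.0/24 sh sensor-fw.sh
if [ "${NSM_APPLY_FW:-0}" = 1 ]; then
    sensor_firewall "$SGUIL_SERVER" "$MGMT_NET" "${MGMT_IF:-eth0}" "${SNIFF_IF:-eth1}"
fi
```

Whatever else the host needs for administration (ssh, DNS, apt) is outside the scope of the guide and has to be added per site; with OUTPUT defaulting to DROP, nothing beyond the sguil connection leaves the sensor until it is.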