Upgrade sguil from 0.6.0p1 to 0.6.1
This guide describes everything you need to know to upgrade the sguil installation provided on Knoppix-NSM from 0.6.0p1 to 0.6.1. The upgrade adds a few features, the most notable being snort performance statistics.
This guide is intended for upgrading Knoppix-NSM 1.0 with the latest sguil build.
The following is a list of the software that I have used to test these procedures:
- sguil 0.6.1 download
- sguil Knoppix-NSM patch - md5sum: 9bf379046db3b81158fa3fa386ec00be (this adds a button to connect to the sguil server for signatures rather than the web)
- NSM scripts - md5sum: af88ed7c4a827f117156e9af7dd3e6d1
This howto assumes the source code is in /usr/local/src.
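The md5sums listed above are only useful if they are actually checked before anything is extracted or patched in. The following helper is an added example (not part of the original howto or the sguil project): it compares a downloaded file against its published sum and refuses a mismatch, and check_downloads runs that check over the two files whose sums the howto gives. The download directory is a parameter; the file names sguil-0.6.1.nsmpatch and nsmscripts.tar.gz are the ones used in the commands later in this howto.

```shell
# Added example: verify the published md5sums before using a download.
# Not part of the original howto; the download directory is supplied
# by the caller and the file names follow the commands used below.

# verify_md5 FILE EXPECTED_SUM
# Returns 0 when FILE's md5sum equals EXPECTED_SUM (case-insensitive),
# 1 if the file is missing or the sum differs. Uses md5sum where it
# exists (GNU/BusyBox) and falls back to "md5 -q" (BSD/macOS).
verify_md5() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    if command -v md5sum >/dev/null 2>&1; then
        actual=$(md5sum "$file" | awk '{print $1}')
    else
        actual=$(md5 -q "$file")
    fi
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "md5 mismatch for $file: got $actual, expected $expected" >&2
    return 1
}

# check_downloads DOWNLOAD_DIR
# Checks every file the howto publishes a sum for. Returns 0 only if all
# of them verify, so a single bad download stops the upgrade.
check_downloads() {
    dir=$1
    status=0
    verify_md5 "$dir/sguil-0.6.1.nsmpatch" 9bf379046db3b81158fa3fa386ec00be || status=1
    verify_md5 "$dir/nsmscripts.tar.gz" af88ed7c4a827f117156e9af7dd3e6d1 || status=1
    return $status
}

# Usage: check_downloads /path/to/downloads && echo "downloads verified"
```

Run check_downloads against the directory you downloaded into and only continue with the steps below when it returns 0.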
sguil
Make sure that all sensors, clients and the server have been stopped
# /etc/init.d/sguild stop
# sensor sensorname stop
Untar the sguil source to /usr/local/src:
# tar -zxvf download_dir/sguil-0.6.1.tar.gz -C /usr/local/src
Server upgrade
Update server components:
# cd /usr/local/src/sguil-0.6.1/server
# cp sguild /usr/local/bin/
# cp lib/* /usr/local/lib/sguil/
You do not need to modify the sguild.conf file, as no changes have been made to it in this release. You may want to copy the archive script and contrib/incident_report to /usr/local/bin, as they were overlooked in the Knoppix-NSM 1.0 release.
Sensor Upgrade
Update sensor components:
# cd /usr/local/src/sguil-0.6.1/sensor
# cp sensor_agent.tcl /usr/local/bin/
# cp sensor_agent.conf /usr/local/sensor-defaults/sensor_agent.default.conf
Update the default configuration options and customise them for your environment. Common ones include:
File: /etc/sensor-defaults.default.conf
set SERVER_HOST localhost
set HOSTNAME default
It is important that HOSTNAME is set to default in this file, as the nsmadmin scripts require it.
Now you need to replace the conf file for each of your configured sensors. Replace /etc/snort/snort.sguil.your-sensor-name.conf with the new file and reapply any custom changes. The most common changes required are setting HOSTNAME to your-sensor-name, and setting the barnyard port if it is non-standard or you are running multiple sensors.
File:/etc/snort/snort.sguil.your-sensor-name.conf
set HOSTNAME your-sensor-name
set BY_PORT 7735
client
Apply the Knoppix-NSM patch. This is only required if you want to take advantage of the Knoppix-NSM signatures on your sguil server:
# cd /usr/local/src/
# patch -p0 < download-path/sguil-0.6.1.nsmpatch
Update client components:
# cd sguil-0.6.1/client
# cp sguil.tk /usr/local/bin/sguilc
# cp -R lib/* /usr/local/lib/sguil/
You can update the sguil.conf file in /etc/sguil/ if you like, but the only change is to the colour schemes.
Snort
The only update for snort is to enable the performance monitor preprocessor, if it is not already enabled; update the path and tune as required. Edit /etc/snort/snort.sguil.your-sensor-name.conf (replacing default with your-sensor-name) and also edit the default file /usr/local/sensor-defaults/snort.sguil.default.conf with the following:
File:/usr/local/sensor-defaults/snort.sguil.default.conf
preprocessor perfmonitor: time 300 file /snort_data/default/snort.stats pktcnt 1000
Before you restart your sensor, make sure the snort.stats file exists, otherwise stats may not show up correctly:
# touch /snort_data/your-sensor-name/snort.stats
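Two things go wrong at this step in practice: the perfmonitor line is added twice (or not at all) to a conf that already had one, and the stats file path in the conf does not match the one that was touched. The functions below are an added example (not part of the original howto or the snort project) that add the howto's perfmonitor line only when no perfmonitor preprocessor is configured, read the file argument back out of the conf, and create exactly that file. The conf path and a root prefix are parameters so the check can be rehearsed against a scratch directory.

```shell
# Added example: idempotently enable the perfmonitor preprocessor and make
# sure the stats file it names exists. Not part of the original howto.

# perfmonitor_line SENSOR_NAME
# Prints the preprocessor line from the howto with the sensor name filled
# in place of "default".
perfmonitor_line() {
    printf 'preprocessor perfmonitor: time 300 file /snort_data/%s/snort.stats pktcnt 1000\n' "$1"
}

# ensure_perfmonitor CONF SENSOR_NAME
# Appends the perfmonitor line to CONF if no perfmonitor preprocessor is
# configured yet; an existing (possibly tuned) line is left alone.
# Prints "added" or "present".
ensure_perfmonitor() {
    conf=$1
    sensor=$2
    [ -f "$conf" ] || { echo "conf missing: $conf" >&2; return 1; }
    if grep -q '^preprocessor[[:space:]]*perfmonitor' "$conf"; then
        echo present
    else
        perfmonitor_line "$sensor" >> "$conf"
        echo added
    fi
}

# perfmonitor_stats_file CONF
# Prints the "file" argument of the active perfmonitor line (empty if
# there is none); commented-out lines are ignored.
perfmonitor_stats_file() {
    awk '/^preprocessor[[:space:]]*perfmonitor/ {
             for (i = 1; i <= NF; i++) if ($i == "file") { print $(i + 1); exit }
         }' "$1"
}

# ensure_stats_file CONF [ROOT]
# Creates the stats file named in CONF, under ROOT (default: the real
# filesystem), creating its directory too. Returns 1 if CONF is missing
# or has no perfmonitor file argument, so a sensor is not restarted with
# stats pointing nowhere.
ensure_stats_file() {
    conf=$1
    root=${2:-}
    [ -f "$conf" ] || { echo "conf missing: $conf" >&2; return 1; }
    f=$(perfmonitor_stats_file "$conf")
    [ -n "$f" ] || { echo "no perfmonitor file in $conf" >&2; return 1; }
    mkdir -p "$(dirname "$root$f")" && touch "$root$f"
}

# Usage (real path from the howto):
#   ensure_perfmonitor /etc/snort/snort.sguil.sensor1.conf sensor1
#   ensure_stats_file  /etc/snort/snort.sguil.sensor1.conf
```

Running ensure_perfmonitor a second time reports "present" and changes nothing, and ensure_stats_file uses whatever path the conf actually contains rather than a path typed a second time by hand.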
Scripts
To support the new snort preprocessor when adding or moving sensors, you will need to upgrade the sensoradd and sensormv scripts:
# cd /usr/local/src
# tar -zxvf download-path/nsmscripts.tar.gz
# cp sensoradd sensormv sensoredit /usr/local/bin/
The new scripts also provide a fix for the cron job bug; see the FAQ for full details. You do not need to edit the sensoredit, sensoradd or sensormv scripts, but you do need to follow the rest of the instructions.
Test
That's it! All that's left to do is to test it all out; hope it works!