Quick Start

If you're like us and don't always want to RTFM and would rather get running straight away, then this is the place to start. In this section you will find the basics to get the live CD up and running in no time.

Note: By default all database accounts, system login details and tools are preconfigured and ready to go; all you need to do is start things up and log in. Additionally, if you run this in a noisy network environment you will fill up your RAM/swap very quickly.


For reasons of stability, and to make the live CD suit the widest audience possible, no NSM-style services are started when you boot the CD. However, it will only take a couple of commands at the console and you will be on your way. So, no more wasting time with the preamble, let's get straight into it. The quick start will address the following topics:

  1. System Defaults
  2. Boot Options
  3. Sguil
  4. BASE
  5. Ntop
  6. Testing It


System Defaults

  • Hostname: sxl
  • Network: DHCP
  • Sensor Name: sensor1
  • Server Name: server1
  • Firewall: NONE


Boot Options

When you are greeted with the boot screen you have two options:

  1. Hit enter and boot with the system defaults (no NSM services are started),

    boot:
  2. or customise the services that start up when booting the live CD, for example:

    boot: live services=mysql,apache2,ntop


Sguil

Step 1 - Start System Processes

Note: Before you proceed with the following instructions ensure you have the network configured for your environment. By default the network is configured for DHCP and there is no firewall configured on Securix-NSM.

There are two ways in which to start the sguil NSM processes, via the desktop or the command-line.

Desktop

  1. Double click the NSM icon on the desktop (left button to start, right button to stop)

Command-line

  1. Open a terminal window, from either the desktop or menu (for those new to fluxbox, right clicking the desktop will bring up the menu),
  2. Start all the NSM processes for sguil in order. For a server:
    $ sudo nsm_server --start
    For a sensor:
    $ sudo nsm_sensor --start
  3. Alternatively, the NSM administration scripts are able to start all the processes necessary for both a sguil server and sensor in one go:
    $ sudo nsm --all --start

Note: Starting and stopping processes must be done as root, either using sudo as a normal user or as the root user.

If all went well you should see each process report as started.

[Screenshot: All processes]


Step 2 - Start the sguil client

Once the processes are started you can start the sguil client (as a normal user). Similarly this too can be achieved from the desktop or the command-line.

Desktop

  1. Double click the sguil client icon on the desktop

Command-line

  1. Start the sguil client,
    $ sguil.tk


Once the logon window appears, enter the following details:

  • host: localhost (default)
  • port: 7734 (default)
  • username: sguil
  • password: password

These are the live CD defaults; since no firewall is configured, change the password before leaving the box on a network you do not trust.

You should now be looking at the sguil console and ready to start your journey into the world of NSM and sguil.


BASE

Start BASE system processes

By default, no processes are started at boot time. To view NSM data with BASE you will need to start mysql, apache2 and the snort process (the one configured for mysql output). Execute the following in a terminal window.

mysql must be started before snortb, otherwise snortb will fail to start as it needs to connect to the mysql database.

$ sudo /etc/init.d/mysql start
$ sudo /etc/init.d/snortb start
$ sudo /etc/init.d/apache2 start
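The three commands above only work if mysql is actually accepting connections by the time snortb starts; an init script returning does not guarantee that. The following is an added example, not one of the Securix-NSM scripts, that wraps the same three init scripts in a dependency-ordered start with a readiness wait. It assumes the init script names from this page (mysql, snortb, apache2) and that mysqladmin is installed so "mysqladmin ping" can be used as the readiness check; the script directory, check command, sudo wrapper, retry count and delay are parameters so the ordering logic can be exercised without real services.

```shell
#!/bin/sh
# Added example (not part of Securix-NSM): start the BASE stack in dependency
# order, waiting for MySQL to answer before snortb is launched.
# Assumptions: init scripts /etc/init.d/{mysql,snortb,apache2} as on this page,
# and mysqladmin available for the readiness check.

# wait_for CHECK TRIES DELAY
# Run CHECK (a shell command string) up to TRIES times, sleeping DELAY seconds
# between attempts. Returns 0 as soon as CHECK succeeds, 1 if it never does.
wait_for() {
    wf_check=$1; wf_tries=$2; wf_delay=$3
    wf_i=0
    while [ "$wf_i" -lt "$wf_tries" ]; do
        if sh -c "$wf_check" >/dev/null 2>&1; then
            return 0
        fi
        wf_i=$((wf_i + 1))
        sleep "$wf_delay"
    done
    return 1
}

# start_base_stack [INITD] [READY_CHECK] [SUDO] [TRIES] [DELAY]
# Starts mysql, waits until READY_CHECK succeeds, then starts snortb and
# apache2. Return codes: 1 mysql failed, 2 mysql never became ready (snortb is
# not started), 3 snortb failed, 4 apache2 failed, 0 all started.
start_base_stack() {
    initd=${1:-/etc/init.d}
    ready_check=${2:-"mysqladmin ping"}
    sudo_cmd=${3-sudo}          # pass "" to run without sudo (e.g. already root)
    tries=${4:-30}
    delay=${5:-1}

    $sudo_cmd "$initd/mysql" start || return 1
    # snortb connects to MySQL on startup; do not launch it until the DB answers.
    wait_for "$ready_check" "$tries" "$delay" || {
        echo "mysql did not become ready, not starting snortb" >&2
        return 2
    }
    $sudo_cmd "$initd/snortb" start || return 3
    $sudo_cmd "$initd/apache2" start || return 4
    return 0
}

# Typical use on the live CD (as a normal user, sudo will prompt):
#   start_base_stack
```

Because a failed readiness wait returns 2 before snortb is touched, you get a clear error instead of a snort process that died silently while trying to reach the database.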

View NSM data in the BASE client

The BASE client is the Iceweasel web browser,

  1. Start Iceweasel (right click for the menu, under Network), or use the desktop icon,
  2. click the base option on the bookmark toolbar or enter the following url,
    http://localhost/base/

You can now begin to navigate around and view events with base.


Ntop

Start Ntop,

$ sudo /etc/init.d/ntop start

Ntop collects network statistics that can be used to establish what is normal for your network and to spot anomalous activity. That extra context also helps when deciding whether an alert is a false positive.

  1. Start Iceweasel (right click for the menu, under Utilities), or use the desktop icon,
  2. click the ntop option in the bookmark toolbar or enter the following url (take note of the URL scheme; ntop is also configured with SSL),
    http://localhost:3000/

Caution: Starting Ntop with everything else already running may cause the system to slow to a standstill. If you experience a system slowdown and want to test Ntop, stop the NSM processes first.


Testing It

To test that everything works you will need to generate an alert. This is easy to do, as all the snort rules are enabled by default, so a ping will do. You can do this in one of two ways:

  1. Ping from this box to another host on the network, assuming you have the network configured properly, or
  2. Ping between two hosts on the segment you are monitoring (this assumes you are not on a switch; there is no point being there anyway, as you will only see broadcast traffic).

If you were able to send or receive pings then you should now see alerts in the sguil and BASE consoles along with traffic in ntop.


Where to from here?

You should now be up and running and having fun. We'll have more documentation to follow shortly.

BYE!
