Documentation
Quickstart
If you're a bit like me and want to get up and running straight away, then this is the place to start. In this section you will find everything you need to know to get the live CD up and running in no time.
By default all database accounts, system login details and tools are preconfigured and ready to go; all you need to do is start things up and log in.
For reasons of stability, and to fit the distro to the widest audience possible, not all the required services are started when you boot the CD. However, it will only take a couple of commands at the console and you will be on your way. So, no more wasting time with the preamble, let's get straight into it.
- Table of Contents
- all-in-one server/sensor/console
- Network Setup
- Bonded Interfaces
- Firewall/Network
- Hard drive install
a. ALL-IN-ONE
For people new to Knoppix-NSM this is the best place to start. Here you can be up and running in minutes with a complete server/sensor/console environment.
Note: If you run this in a noisy network environment you will fill up your RAM/swap very quickly.
Step 1 - Boot
When you are greeted with the boot screen you have two options:
- Hit enter and boot with the system defaults
boot>
- or you can customise the IP address (the class C network address is set automatically), system type (systemtype) and hostname when booting the live CD:
boot> linux ip=192.168.77.1 systemtype=console hostname=securix
The default settings:
- systemtype: sersen (server/sensor) this is used to define default firewall policies
- IP: 192.168.100.1.
- network: 192.168.100.0
Step 2 - Start System Processes
Note: Before you proceed with the following instructions ensure you have the network configured for your environment; by default you will only be able to access resources on the 192.168.100.0 network. The default firewall on a sersen will be blocking all new outbound connections except ICMP. See the Network Setup quick guide if you want to make changes; for more details on the firewall and the default policies see the firewall section of the Architecture page.
Successfully booted?
You should now be looking at the default fluxbox environment. By default the all-in-one server/sensor configuration will log output to both the snort db (for BASE) and the sguild db, and monitor on eth0.
- Open a root console (right click for menu),
- Start MySQL,
/etc/init.d/mysql start
- Start Apache web server,
/etc/init.d/apache2 start
- Start the Sguil server,
/etc/init.d/sguild start
- Start the Sguil sensor. The following script will start all the processes required for a sensor, in the right sequence. If you want to start individual processes manually see the Architecture page for details on which scripts to use and the best sequence to start them in to minimise problems.
sensor default start
- Start ntop. Caution: Live CD - by default the previous step will not start ntop on the live CD. Starting ntop with everything else already running may cause the system to slow to a standstill. The following will start ntop; if you experience system slowdown and want to test ntop, stop the sensor first.
/etc/init.d/ntop start
If all went well you should have seen the following results.
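The sequence above works, but on a box that has just booted it is easy to move on before a service is actually listening, and the next step then fails for no obvious reason. The script below is an added example, not part of Knoppix-NSM: it runs the same init scripts in the same order and, after each one, polls netstat until the service's port is open before continuing. The port numbers are assumptions on my part: 3306 for MySQL and 443 for Apache (the guide uses https), 7734 for the sguild client port (Sguil's default) and 3000 for ntop (the port in the ntop URL further down). ntop is left out unless you ask for it, for the reason given in the caution above.

```shell
#!/bin/sh
# Added example, not one of the Knoppix-NSM scripts: start the all-in-one
# services in the documented order and confirm each is listening before
# moving on. Port numbers are assumed defaults: 3306 MySQL, 443 Apache
# (https), 7734 sguild client port, 3000 ntop (https).

# port_listening PORT NETSTAT_TEXT
# Returns 0 if NETSTAT_TEXT (the output of `netstat -ltn`) shows a TCP
# socket in LISTEN state on PORT, 1 otherwise.
port_listening() {
    printf '%s\n' "$2" | grep -Eq "[:.]$1[[:space:]].*LISTEN"
}

# wait_for_port PORT [TRIES]
# Polls `netstat -ltn` once a second until PORT is listening; gives up
# after TRIES attempts (default 15).
wait_for_port() {
    port=$1
    tries=${2:-15}
    while [ "$tries" -gt 0 ]; do
        if port_listening "$port" "$(netstat -ltn 2>/dev/null)"; then
            return 0
        fi
        tries=$((tries - 1))
        sleep 1
    done
    echo "port $port never came up" >&2
    return 1
}

# start_checked INIT_SCRIPT PORT: run the init script, then wait for its port.
start_checked() {
    "$1" start && wait_for_port "$2"
}

# start_all [ntop]: the documented sequence; ntop only on request.
start_all() {
    start_checked /etc/init.d/mysql   3306 || return 1
    start_checked /etc/init.d/apache2 443  || return 1
    start_checked /etc/init.d/sguild  7734 || return 1
    sensor default start                   || return 1
    if [ "${1:-}" = "ntop" ]; then
        start_checked /etc/init.d/ntop 3000 || return 1
    fi
    echo "all services up"
}

# Only act when explicitly asked, e.g.  sh start-nsm.sh run   or   sh start-nsm.sh run ntop
if [ "${1:-}" = "run" ]; then
    start_all "${2:-}"
fi
```

Run it as root with the argument run (and ntop as a second argument if you want ntop too); without arguments it only defines the functions, so you can source it and call wait_for_port by hand to check a single service.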
Step 3 - Start Sguil client
Now we want to start looking at events.
- This can be done in one of three ways: using the desktop icon, opening a console (non-root) and entering
sguilc
- or via the right-click menu -> NSM -> Sguil Client
- Log in with the following details (take note of the SSL option; all connections are SSL encrypted)
You should now be looking at the sguil console and ready to start your journey into the world of NSM and sguil.
Step 4 - Start BASE client
By default, Knoppix-NSM also logs data for viewing with BASE, i.e. to a snort-compatible database. Although this is not recommended, as it can slow snort down by having to log two different types of output, it is great for demonstration purposes.
- Start firefox (right click for menu, under the NSM submenu),
- click the BASE option on the bookmark toolbar or enter the following URL (take note of https; all web connections are SSL encrypted)
https://localhost/base/
- Log in,
username: admin
password: password
You can now begin to navigate around and view events with base.
Step 5 - View Statistical data with Ntop
Ntop is busy collecting network statistical data for us that can be used to help identify network normalcy patterns and anomalous activities. Ntop gives us a little bit more to help in the identification of false positives.
- click the ntop option in the bookmark toolbar or enter the following URL (take note of https; even ntop is configured with SSL)
https://localhost:3000/
Step 6 - Test it
To test that everything works you will need to generate an alert. This is easy to do, as all the snort alerts are enabled by default, so a ping will do. You can do this in one of two ways:
- Ping from this box to another host on the network, assuming you have the network configured properly, or
- Ping between two hosts on the segment you are monitoring (assumes you are not on a switch, no point being there anyway as you will only see broadcast traffic).
If you were able to send/receive pings then you should now see alerts in the sguil and BASE consoles along with traffic in ntop.
Step 7 - Where to from here?
You should now be up and running and having fun. If you want to take things to the next level then take a look at the documentation pages for details on how to run multiple sensors on the one box, customising a sensor and detailed explanations of the configuration files and options. You could also check out the howto pages for some examples, or you could do a hard drive install and deploy Knoppix-NSM on your network for real-time monitoring.
b. NETWORK SETUP
There are really only two things I can think of that you may want to change/test; in this section you will find the quick steps needed to make the modifications. If you require more than what is discussed here, see the configuration sections in the documentation for more options.
i. Bonded Interfaces
Knoppix-NSM includes support for bonded interfaces, useful when using taps that do not aggregate the Tx and Rx data streams. Once again there is a simple script to set things up for you, and it is console based to allow access over ssh. By default Knoppix-NSM is configured to monitor eth0 (the management interface); if you want to test the bond configuration you will need at least 2 NICs, and you will also need to run the sensor configuration wizard and change the interface to bond0. But first let's add a new sensor interface:
- Add a bonded sensor interface; this can be done through the nsmsensoradmin menu or directly as below
sifadd bond0
- Configure it (if you answered no in the previous step)
sifedit bond0
- Start it (if you said no in the previous steps),
sif bond0 up
- If you want to check its status,
sif bond0 status
Now you will need to configure the default sensor to use the bond0 interface; make sure the sensor has been stopped before editing:
sensoredit default
- select the interface type as bond
- select the bond0 interface
- accept the rest, unless you want to change the defaults
- commit changes and start the sensor as above
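To go a step beyond sif bond0 status, here is an added example (my own script, not one of the Knoppix-NSM tools) that reads the kernel's bonding report from /proc/net/bonding/bond0 and checks that every tap leg is attached and has link, which is exactly what you want to know before pointing the sensor at bond0. The field names it parses (Slave Interface, MII Status) are the ones the Linux bonding driver prints; the report it is tested against is a constructed sample.

```shell
#!/bin/sh
# Added example, not Knoppix-NSM code: summarise a bonded sensor interface
# from the kernel's /proc/net/bonding/<bond> report. A tap feeds Tx and Rx
# into separate NICs, so a bond with a slave down is silently seeing only
# half of every conversation.

# bond_report BOND_TEXT
# Prints one line per slave: "IFACE STATUS", taken from the Slave Interface
# and the MII Status line that follows it. The bond's own MII Status line
# (which comes before any slave) is skipped.
bond_report() {
    printf '%s\n' "$1" | awk '
        /^Slave Interface:/           { iface = $3 }
        /^MII Status:/ && iface != "" { print iface, $3; iface = "" }
    '
}

# bond_healthy BOND_TEXT MIN_SLAVES
# Returns 0 only if at least MIN_SLAVES slaves are present and all have link.
bond_healthy() {
    bond_report "$1" | awk -v min="$2" '
        { total++; if ($2 != "up") down++ }
        END { exit !(total >= min && down == 0) }
    '
}

# Report on the bond named on the command line (default bond0) if the
# kernel exposes it; a tap needs both legs, so insist on two slaves.
bond=${1:-bond0}
if [ -r "/proc/net/bonding/$bond" ]; then
    report=$(cat "/proc/net/bonding/$bond")
    bond_report "$report"
    if bond_healthy "$report" 2; then
        echo "$bond: OK"
    else
        echo "$bond: degraded, check cabling on the listed slaves" >&2
    fi
fi
```

Run it after sif bond0 up; if it reports degraded, fix the link before running sensoredit, otherwise the sensor will start cleanly on a half-blind interface.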
ii. Firewall/Network
If you plan on accessing network resources, or generating alert traffic from this host, you may need to adjust the network settings and firewall. If you are running from the live CD or are just interested in testing/demonstrating NSM, then all you need to do is disable the firewall and configure the network interface.
- Disable the firewall,
/etc/init.d/iptables clear
- IP from DHCP, for the management interface,
pump -i eth0
- Static IP, run the network setup script,
network-setup
- Check IP settings are ok,
ifconfig
- Enable DNS: add the following line to /etc/default/sersen,
UDP 53 o
- Apply the updated firewall policies,
/etc/init.d/rc.firewall
- Ping a hostname, or www.google.com (the latter will test all network settings).
ping www.google.com
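Editing /etc/default/sersen by hand a second time leaves duplicate rule lines, and a bare ping tells you little about which layer is broken when it fails. This added example (not part of Knoppix-NSM) adds the DNS rule only if it is missing and then checks the path out in stages: default route, gateway, name resolution, remote host, so the error message points at the step above that needs redoing. It assumes the rule line is written exactly as shown above, UDP 53 o, that "o" means outbound (the page does not spell out the field meanings), and that ip, getent and ping -W are available; POLICY_FILE can be pointed at a scratch file to try it without touching the real policy.

```shell
#!/bin/sh
# Added example, not Knoppix-NSM code: open outbound DNS in the sersen
# policy idempotently, re-apply the firewall, and test connectivity one
# layer at a time. Assumptions: policy file /etc/default/sersen, one rule
# per line in the form "UDP 53 o" ("o" read as outbound).

POLICY_FILE=${POLICY_FILE:-/etc/default/sersen}

# add_rule RULE [FILE]
# Appends RULE unless an identical line is already present.
# Prints "added" or "present" so callers can tell what happened.
add_rule() {
    rule=$1
    file=${2:-$POLICY_FILE}
    if grep -Fxq -- "$rule" "$file" 2>/dev/null; then
        echo present
    else
        printf '%s\n' "$rule" >> "$file"
        echo added
    fi
}

# check_net HOST
# Tests reachability in stages and stops at the first failure; the return
# code says which stage failed (1 route, 2 gateway, 3 DNS, 4 remote host).
check_net() {
    host=$1
    gw=$(ip route 2>/dev/null | awk '/^default/ { print $3; exit }')
    [ -n "$gw" ] || { echo "no default route: run network-setup or pump -i eth0" >&2; return 1; }
    ping -c1 -W2 "$gw" >/dev/null 2>&1 \
        || { echo "gateway $gw unreachable: check IP/netmask with ifconfig" >&2; return 2; }
    ip=$(getent hosts "$host" | awk '{ print $1; exit }')
    [ -n "$ip" ] || { echo "cannot resolve $host: is 'UDP 53 o' in $POLICY_FILE and rc.firewall re-run?" >&2; return 3; }
    ping -c1 -W2 "$ip" >/dev/null 2>&1 \
        || { echo "$host ($ip) unreachable: firewall policy or routing" >&2; return 4; }
    echo "$host reachable via $gw"
}

# Only act when explicitly asked:  sh nsm-dns.sh apply [HOST]
if [ "${1:-}" = "apply" ]; then
    add_rule "UDP 53 o"
    /etc/init.d/rc.firewall
    check_net "${2:-www.google.com}"
fi
```

With the argument apply it does the three documented steps in one go; add_rule on its own is also handy for any further rules you add later, since running it twice never duplicates a line.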
This section covered the basics very quickly; for more advanced network information see the configuration sections of the documentation.
c. HARDDRIVE INSTALL
CAUTION: this quick guide assumes you are using a dedicated box that you want to turn into an NSM sensor/server/console. The hard disk will be automatically partitioned and formatted, losing all existing information.
This guide also assumes that you have not made any modifications to the live CD, e.g. added a new sensor or deleted the default, as some of the settings may be lost when installed to the hard drive. Best practice is to install from a clean session.
The quick install guide is for an all-in-one box with no special network access requirements. See the Network section for some customisation tips.
Step 1 - Harddisk Partition
There are three ways to partition the harddrive:
- Manually using the partition options in the knoppix-installer,
- Manually using fdisk, and
- Automatically using the Knoppix-NSM partition script, which creates the following:
Swap space = 2xRAM
root (/) = remainder
The rest of this step is based on the last option. If you're still reading then you want to use the Knoppix-NSM partition script.
- Open a root console (right click menu root-console)
- Run the partition script with the HD you want to use
partition /dev/hda
- You do get one more chance to stop: read the output and confirm the changes.
Step 2 - knoppix-installer
Most of this is the good old knoppix-installer, but there are a few extras that you will need to add to set up Knoppix-NSM. Let's continue.
- Run the knoppix installer,
knoppix-installer
- Main menu option 1,
- select system type (this will set default startup process and firewall policies)
- select partition for installation (X)
- select filesystem (ext3 default and works well)
- input real name
- input login name
- your password (and confirm)
- root password (and confirm)
- input hostname (anything you like)
- input management net ip address (assumes class C)
- select grub install path (mbr default)
- Main menu option 2, review options and start installation,
- Boot Floppy only required for emergencies,
- Be patient this may take a while, when finished exit.
Step 3 - Reboot
Once the installer has finished it is now time to reboot and start becoming familiar with Knoppix-NSM.
- At the root prompt,
init 6
- When the system reboots you can go to the Quick start Guide to test everything installed ok.
Step 4 - Post install
The following is a quick list of things you may want to do post install.
- modify database passwords
- check system status
If you are using Knoppix-NSM v1.0rc1 and running X on either a server, sensor or sersen, then you will need to manually start the sguild server and/or sguil-sensor-agent, as they die when the X server starts. This is a known bug and has been fixed in version 1.2; see the FAQ for the latest details.
Step 5 - ENJOY!
BYE!