Setup a multi sensor transparent bridging snort box with SGUIL
By: Jayson Cofell

If you wish to link to this, please contact me first.

Based off of the FreeBSD tutorials at http://sguil.sourceforge.net/index.php?page=latest_docs
This is set up on Slackware Linux.

The machine:
  Pentium 3 800 MHz
  512 MB of RAM
  10 GB of HDD space
  5 NICs

- Standard Tools:
  -- Bridge-utils
  -- Iptables
- Sensor:
  -- MySQL client libraries
  -- PCRE
  -- Snort
  -- Barnyard
  -- Tcl
  -- SANCP
  -- sguil sensor 0.5.3
- Database:
  -- MySQL server
- Sguild Server:
  -- MySQL client libraries
  -- Tcl
  -- Tcltls (only needed if using SSL with MySQL/sguil)
  -- Tcllib
  -- TclX
  -- MySQLTcl
  -- P0f
  -- Libpcap
  -- Tcpflow
  -- sguil server 0.5.3
- Sguil Client:
  -- Tcl
  -- Tcltls
  -- Tcllib
  -- TclX
  -- Incrtcl
  -- Iwidgets
  -- Tk
  -- sguil client 0.5.3

///////////////////////////////////////////////////////////////////////////////

Required Kernel Options:
  * Networking Options ---> 802.1d Bridging Support (required for bridging adapters)
  * Networking Options ---> Packet Filtering (replaces ipchains) ---> Iptables (required for forwarding)
    Turn on the forwarding options for Iptables (within Iptables --->).

I download all of these source packages into /usr/src and extract them there. Therefore, I will always refer to a base source directory within /usr/src whenever copying or installing.

Create the user and group sguil:

  groupadd sguil
  useradd -g sguil -c "Sguil user" -d /dev/null -s /bin/false sguil
  passwd -l sguil

///////////////////////////////////////////////////////////////////////////////

1. Directories

Every name that is in between < > symbols is a variable. Fill these in with your own names. You can even do a find/replace for the variables to make this guide easier to follow. (Note: the bracketed names have been lost from this copy of the guide; wherever a path below has an empty component, such as "//", one of those variables belongs there.)

Create a directory to hold the sensors on the root file system, with the following folders inside:

  Sensor names for the bridged adapters:
    (perhaps sensorone, for br0)
      /dailylogs
      /portscans
      /sancp
    (perhaps sensortwo, for br1)
      /dailylogs
      /portscans
      /sancp
  rules
  archive

Create one for the snort logs:
  /var/log/snort

Create a folder to hold config files:
  /usr/local/etc/

If you want to use Stream4, create these directories:
  ///ssn_logs
  ///ssn_logs

Set the ownership as shown (the sensor base directory variable belongs after the first slash; do not run the chown against / itself):
  chown -R sguil:sguil /
  chown -R sguil:sguil /var/log/snort
  chown -R sguil:sguil /usr/local/etc/

///////////////////////////////////////////////////////////////////////////////

2. Install MySQL

  ./configure --with-vio

If your MySQL server is on another machine you will probably want to set it up with OpenSSL support; add the --with-openssl configure option.

///////////////////////////////////////////////////////////////////////////////

3. Sensor Agent

Get the sguil source (http://sguil.sourceforge.net).

  cd /usr/src/sguil-0.5.3/sensor/

sensor_agent.tcl: make two conf files.

  cp /usr/src/sguil-0.5.3/sensor/sensor_agent.conf /usr/local/etc//sensor_agent1.conf
  cp /usr/src/sguil-0.5.3/sensor/sensor_agent.conf /usr/local/etc//sensor_agent2.conf

In both files change these entries to the respective values:

  set SERVER_HOST     (i.e. the name of the server the SGUIL daemon is going to run on)
  set LOG_DIR /

If using Stream4, set S4_KEEP_STATS 1; otherwise keep it off.
If using SANCP, set SANCP 1; otherwise set it to 0.

For sensor_agent1.conf set HOSTNAME
For sensor_agent2.conf set HOSTNAME

///////////////////////////////////////////////////////////////////////////////
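The directory layout from section 1 for any number of sensors, as an added example (not part of the original guide): the base directory, the sensor names, and the snort log and config paths are assumptions passed in as arguments, so nothing touches / by accident, and a check function reports whether the tree is complete.

```shell
#!/bin/sh
# Added example, not from the original guide: build the per-sensor tree from
# section 1 for any number of sensors and hand it to the sguil user. The base
# directory (e.g. /nsm), sensor names, snort log dir and config dir are all
# assumptions supplied as arguments.

# Directories every sensor gets (ssn_logs only matters if Stream4 is on).
SENSOR_SUBDIRS="dailylogs portscans sancp ssn_logs"

# make_sensor_tree BASE SNORTLOG CONFDIR SENSOR...
make_sensor_tree() {
    base=$1; snortlog=$2; confdir=$3; shift 3
    case $base in
        /|"") echo "refusing to use '$base' as the sensor base" >&2; return 1 ;;
    esac
    for s in "$@"; do
        for d in $SENSOR_SUBDIRS; do
            mkdir -p "$base/$s/$d" || return 1
        done
    done
    mkdir -p "$base/rules" "$base/archive" "$snortlog" "$confdir" || return 1
    # Only chown when the sguil account exists (it is created earlier in the guide).
    if id sguil >/dev/null 2>&1; then
        chown -R sguil:sguil "$base" "$snortlog" "$confdir"
    else
        echo "user sguil does not exist yet; skipping chown" >&2
    fi
}

# check_sensor_tree BASE SENSOR...  -> 0 when every expected directory exists
check_sensor_tree() {
    base=$1; shift
    for d in rules archive; do
        [ -d "$base/$d" ] || return 1
    done
    for s in "$@"; do
        for d in $SENSOR_SUBDIRS; do
            [ -d "$base/$s/$d" ] || return 1
        done
    done
    return 0
}

# Usage on the sensor, as root (paths are the assumed ones):
#   make_sensor_tree /nsm /var/log/snort /usr/local/etc/nsm sensorone sensortwo
#   check_sensor_tree /nsm sensorone sensortwo && echo "tree complete"
```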
4. Libnet 1.0.2a

http://www.packetfactory.net/projects/libnet

Due to a problem in the libnet.h file, edit the file in the include directory: on lines 87 and 88 add a \ to the end of both lines.

As soon as Libnet is installed you can run the Snort configuration.

///////////////////////////////////////////////////////////////////////////////

5. Snort

Patch the portscan preprocessor with the sguil version, then build:

  cd /usr/src/snort/src/preprocessors
  cp spp_portscan.c spp_portscan.c.bak
  cp /usr/src/sguil-0.5.3/sensor/snort_mods/2_1/spp_portscan_sguil.patch .
  patch spp_portscan.c < spp_portscan_sguil.patch
  cd /usr/src/snort
  ./configure --enable-flexresp
  make
  make install

///////////////////////////////////////////////////////////////////////////////

6. Snort Configuration

Set your rule path to:
  var RULE_PATH //rules

Enable log_unified output:
  //////// make sure that this isn't causing problems with multiple sensors
  output log_unified: filename snort.log, limit 128

Sguil does not currently support complete rendering of portscan alerts from Snort's new sfPortscan system.
If you prefer not to deal with alerts from this system, you can disable sfPortscan by commenting out the following lines as shown:

  #preprocessor sfportscan: proto { all } \
  #    memcap { 10000000 } \
  #    sense_level { low }

Make any other modifications you may want Snort to follow and save.

Copy the snort.conf file to snort2.conf for the second sensor:
  cp snort.conf snort2.conf

In snort.conf:
  Enable the preprocessor portscan (add this line):
    preprocessor portscan: $HOME_NET 4 3 ///portscans
  If you want stream4 to capture session data, make this change to the stream4 entry:
    preprocessor stream4: detect_scans, disable_evasion_alerts, keepstats db \
        ///ssn_logs

In snort2.conf:
  Enable the preprocessor portscan (add this line):
    preprocessor portscan: $HOME_NET 4 3 ///portscans
  If you want stream4 to capture session data, make this change to the stream4 entry:
    preprocessor stream4: detect_scans, disable_evasion_alerts, keepstats db \
        ///ssn_logs

RULES

Personally, I am using the same rules for both sensors, therefore they should be copied into this folder:
  cp /usr/src/snort/rules/*.rules //rules

Snort and Barnyard use several other files that should be copied from the snort etc folder to the //rules folder:
  classification.config
  gen-msg.map
  reference.config
  sid-msg.map
  threshold.conf
  unicode.map

All of these files should have symlinks in the /usr/local/etc folder:
  ln -s //rules/classification.config \
      /usr/local/etc/snort/classification.config
  and so on.

These three files also require symlinks in the /usr/local/etc/ folder:
  classification.config
  reference.config
  unicode.map

I used Oinkmaster to update the Snort rules by following this blog entry:
  taosecurity.blogspot.com/2004/07/using-oinkmaster-to-update-snort-rules.html

As of late Sourcefire has required registration to acquire rules newer than the major release. Just go to the snort.org site and acquire an Oinkcode,
then replace the URL with
  http://www.snort.org/pub-bin/oinkmaster.cgi//
where the last component is the update file respective of your version. Check out A28 in the Oinkmaster FAQ if you have any questions:
  http://cvs.sourceforge.net/viewcvs.py/oinkmaster/oinkmaster/FAQ?view=markup

///////////////////////////////////////////////////////////////////////////////

7. Barnyard

When compiling Barnyard 0.2.0 you may have to edit the configure file and replace
  LIBS="${LIBS} -lz -lssl -lmysqlclient"
with
  # for those without ssl
  LIBS="${LIBS} -lz -lmysqlclient"
  # for those using ssl
  LIBS="${LIBS} -lz -lssl -lcrypto -lmysqlclient"

Then run:
  ./configure --enable-mysql
  make
  make install

///////////////////////////////////////////////////////////////////////////////

Barnyard.conf

Copy the file /usr/src/barnyard-0.2.0/etc/barnyard.conf to /usr/local/etc/.

Change the output line in barnyard.conf to:
  output sguil: mysql, sensor_id 1, database sguildb, server , \
      user sguil, password sguil, sguild_host , sguild_port 7736

Using a password of 'sguil' for user 'sguil' is an example only; changing it is highly recommended.

Copy barnyard.conf to barnyard2.conf:
  cp barnyard.conf barnyard2.conf

In barnyard.conf change:   config hostname:
In barnyard2.conf change:  config hostname:

Give the second sensor its own sensor_id in barnyard2.conf; it must match the sid you insert for that hostname in the sensor table during testing below.

///////////////////////////////////////////////////////////////////////////////

8. SANCP

Acquire SANCP at http://www.metre.net, unpack it and run make in the directory, then move the sancp binary to /usr/local/bin.

Copy the sancp conf file that comes WITH SGUIL:
  cp /usr/src/sguil-0.5.3/sensor/sancp/sancp.conf /usr/local/etc//

Nothing really needs to be changed in this config file. HOME_NET will reflect the network to monitor, but 0.0.0.0 will work on any network.

///////////////////////////////////////////////////////////////////////////////

9. log_packets.sh

This script ships in /usr/src/sguil-0.5.3/sensor/; the cron entries below expect it in /usr/local/bin. You will want to edit this file and change the following entries:
  HOSTNAME=""
  LOG_DIR="/"

Be sure to set the proper interface for sniffing; I am using the 1st bridge here.
  INTERFACE="br0"

Uncomment the following line to let Snort run as unprivileged user 'sguil':
  OPTIONS="-u sguil -g sguil -m 122"

You may also want to apply a Berkeley Packet Filter to limit the amount of pcap data collected. Use the sample FILTER as an example.

///////////////////////////////////////////////////////////////////////////////

10. log_packets2.sh

Copy log_packets.sh to log_packets2.sh:
  cp log_packets.sh log_packets2.sh

You will want to edit this file and change the following entries:
  HOSTNAME=""

Be sure to set the proper interface for sniffing; I am using the 2nd bridge here.
  INTERFACE="br1"

///////////////////////////////////////////////////////////////////////////////

11. cron

Next you want to run 'crontab -e' and add the lines:
  00 0-23/1 * * * /usr/local/bin/log_packets.sh restart
  00 0-23/1 * * * /usr/local/bin/log_packets2.sh restart

Also, you may want to add the line
  MAILTO=""
above the previous entries to prevent the system from emailing the root user every hour or so.

///////////////////////////////////////////////////////////////////////////////

12. P0f

Acquire and install this from lcamtuf.coredump.cx/p0f.shtml.

If there is a problem with bpf.h and you have already installed the latest release of libpcap, try this:
  ln -s /usr/local/include/pcap-bpf.h /usr/include/net/bpf.h
with the include directories respective of where your package is installed.

///////////////////////////////////////////////////////////////////////////////

13. Sguild Server

Change the ownership so sguil can use the folder that we set up for it (the folder variable belongs after the slash; do not run this against / itself):
  chown -R sguil:sguil /

I decided not to install MySQL with any TLS support because mine is on the same machine. If the sguil server and the MySQL server are separate machines it is highly recommended to use TLS/SSL. After all, it wouldn't be too humorous if the last bit your IDS picked up was an attack on either machine.

sguild.conf

Copy /usr/src/sguil-0.5.3/server/sguild.conf to /usr/local/etc/, then make these changes:
  set SGUILD_LIB_PATH /usr/src/sguil-0.5.3/server/lib
  set RULESDIR //rules
  set DBPASS sguil
  set DBUSER sguil

The xscriptd functions are now configured within sguild.conf.
Set these variables:
  set LOCAL_LOG_DIR //archive
  set TCPFLOW "/usr/local/bin/tcpflow"
  set P0F_PATH "/usr/local/bin/p0f"

Change to the /usr/src/sguil-0.5.3/server directory and create a 'sguil' user who will access the sguild server:
  ./sguild -c sguild.conf -u sguild.users -adduser sguil

If you are using encryption, refer to the encryption section of the sguild.conf file at http://sguil.sourceforge.net/index.php?page=latest_docs

Sguil Client

I set up the sguil client on Windows; if you are setting it up on Linux, refer to the sguil client docs here: http://sguil.sourceforge.net/index.php?page=latest_docs

On Windows all you need to do is set up ActiveState Tcl (www.activestate.com), then download the sguil client on your machine and browse to the sguil.tk file. Associate the .tk extension with the wish84 binary, which you can find wherever you installed Tcl. Then create a shortcut from the client sguil.tk file to your desktop or wherever is most convenient.

Sguil.conf

In your sguil client directory open your sguil.conf file and make changes to the lines:
  set SERVERHOST

You can change the amount and priority level of the window panes as well. They are the lines with RTPANE; feel free to try a different setup.

If you are using TLS/SSL then you will have to turn it on and install tcltls support in Tcl.

Some changes I made, since I had the programs installed, were to set the path to Ethereal and set a path for my web browser.

TIME TO TEST!!!!

Now comes the part I enjoy (AKA 9 ssh sessions open at once).

SGUILD SERVER
*************

Sguild

Run the following. The -O and -C switches enable encryption.
  cd /usr/src/sguil-0.5.3/server

I am not using encryption, so if you are, the commands will be a bit different.

  /usr/src/sguil-0.5.3/server/sguild \
      -a /usr/src/sguil-0.5.3/server/autocat.conf \
      -g /usr/src/sguil-0.5.3/server/sguild.queries \
      -c /usr/local/etc/nsm/sguild.conf \
      -u /usr/src/sguil-0.5.3/server/sguild.users \
      -l /usr/src/sguil-0.5.3/server/lib \
      -A /usr/src/sguil-0.5.3/server/sguild.access

If no database has been created yet, be sure that DAEMON is set to 0 (set DAEMON 0) in the sguild.conf file; otherwise sguild will get upset when it tries to create the database.

In MySQL run these commands to use multiple sensors:
  INSERT into sensor set sid='1', hostname='';
  INSERT into sensor set sid='2', hostname='';
  and so on...

SENSOR
******

Barnyard
--------
Start Barnyard as user 'sguil'.

  cd /usr/local/etc/
  barnyard -c barnyard.conf -d // -g gen-msg.map -s sid-msg.map \
      -f snort.log -w -waldo.file
  barnyard -c barnyard2.conf -d // -g gen-msg.map -s sid-msg.map \
      -f snort.log -w -waldo.file

Snort
-----
As user 'root', run the following. The '-m 122' option sets a umask allowing Barnyard to read Snort's output.

  ifconfig br0 -arp up
  ifconfig br1 -arp up
  snort -u sguil -g sguil -c /usr/local/etc//snort.conf \
      -U -l // -m 122 -A none -i br0
  snort -u sguil -g sguil -c /usr/local/etc//snort2.conf \
      -U -l // -m 122 -A none -i br1

SANCP
-----
As user 'root', run the following. Replace br0 and br1 with the names of your interfaces if they differ.

  sancp -d ///sancp -i br0 -u sguil -g sguil \
      -c /usr/local/etc//sancp.conf > /var/log/sancp.log
  sancp -d ///sancp -i br1 -u sguil -g sguil \
      -c /usr/local/etc//sancp.conf > /var/log/sancp.log

These commands tell SANCP to run as user 'sguil'. Note that both instances redirect to the same /var/log/sancp.log; give the second its own log file so the two do not overwrite each other.

sensor_agent.tcl
----------------
As user 'sguil', start one sensor_agent.tcl per sensor, using the two conf files made in section 3.

  cd /usr/src/sguil-0.5.3/sensor
  ./sensor_agent.tcl -c /usr/local/etc//sensor_agent1.conf
  ./sensor_agent.tcl -c /usr/local/etc//sensor_agent2.conf

log_packets.sh
--------------
As user 'root', start log_packets.sh.

  log_packets.sh start
  log_packets2.sh start

Congratulations!
All of the server and sensor components are running. At this point, connection via the Sguil client is possible.
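The guide brings br0 and br1 up with 'ifconfig brX -arp up' before starting Snort and SANCP on them, but never shows the bridges being created. As an added example (not from the original guide), here is a script that builds the two transparent bridges with bridge-utils; the member NIC names eth1 to eth4 are assumptions (four sniffing NICs out of the five in the box, the fifth left for management), and DRY_RUN=1 is an assumed option that prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not part of the original guide: create the two transparent
# bridges (br0, br1) that the snort and sancp commands listen on. Member NIC
# names (eth1..eth4) are assumptions. With DRY_RUN=1 the commands are printed
# instead of executed, so the plan can be checked before touching a live link.

# bridge_cmds BRIDGE NIC...  -> prints the commands needed for one bridge
bridge_cmds() {
    br=$1; shift
    echo "brctl addbr $br"
    for nic in "$@"; do
        # A bridge member carries no address and answers no ARP: frames pass
        # through at layer 2 and nothing on the wire identifies the sensor.
        echo "ifconfig $nic 0.0.0.0 -arp promisc up"
        echo "brctl addif $br $nic"
    done
    # Same for the bridge interface itself, matching the guide's
    # 'ifconfig br0 -arp up' before snort is started on it.
    echo "ifconfig $br 0.0.0.0 -arp up"
}

# run_cmds: execute (or, with DRY_RUN=1, echo) each line on stdin; stop on error
run_cmds() {
    while read -r cmd; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "$cmd"
        else
            $cmd || { echo "failed: $cmd" >&2; return 1; }
        fi
    done
}

# setup_bridges: br0 and br1, each spanning one pair of NICs
setup_bridges() {
    bridge_cmds br0 eth1 eth2 | run_cmds &&
    bridge_cmds br1 eth3 eth4 | run_cmds
}

# Run as root on the sensor:   setup_bridges
# Preview only:                DRY_RUN=1 setup_bridges
```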