
Virtual Machine

Introduction

The virtual machine provides an easy-to-use installation of Razorback. The system comes pre-configured with all of the sub-components required for Razorback to run: memcached, MySQL and ActiveMQ. In addition, it provides the following nuggets: Yara, OfficeCat, ClamAV, Archive Inflate, Scripting, File Inject and a Snort-as-a-Collector nugget. If you have an API key you can also enable the Virus Total nugget, and if you have a license you can activate the PDF Dissector nugget.

Installation

The virtual machine is provided as an Open Virtual Appliance (OVA) file. If you do not intend to use the Snort-as-a-Collector (SAAC) nugget, no additional modifications are necessary. To support the SAAC, an additional network interface in promiscuous mode must be added.

ESXi

Make sure you have downloaded the OVA file to somewhere you can access with your vSphere client.

Select File->Deploy OVF Template from the menu.

To support Snort capturing and submitting data blocks, go to the network configuration, select Properties for the virtual switch and, under the Security tab, set Promiscuous Mode to "Accept". Do the same for the VM network.

VirtualBox

Select File->Import Appliance

VMware Workstation 8

Select File->Open then browse to the OVA file and open it.

In order to support Snort capturing and submitting data blocks, an interface in promiscuous mode is required. To enable promiscuous mode, follow the instructions at http://www.vmware.com/support/ws55/doc/ws_net_advanced_linux_vadapter_promiscuous.html (this is only available on Linux hosts).

All Platforms

Once the machine has booted, navigate to the admin interface. Add a new network interface to manage by selecting "Network" -> "Interfaces" -> "Add Interface" and configure the interface as needed. If you intend to use the Snort-As-A-Collector, shut down the virtual machine and follow the directions below. Otherwise, reboot the virtual machine.

Admin Interface and Configuring Nuggets

To administer the machine, an admin interface is provided at http://<machine ip>:8080. From here you can manage the operating system as well as the components of the Razorback system. Clicking "Razorback" -> "Control Nuggets" brings up a screen where you can turn individual nuggets on and off.

Virus Total

To activate the Virus Total nugget, you must provide an API key. To do this, click the wrench next to "VirusTotal" in the admin interface. Then click the wrench next to "Razorback API Key" and enter your API key next to "Value". Finally, click the "OFF" button next to "Virus Total" to activate the nugget.

PDF Dissector

To activate the PDF Dissector nugget, you must have a licensed copy of Zynamics' PDF Dissector. Unpack your copy into /opt/zynamics in the VM (assuming your zip file is in /tmp and your current directory is /opt/zynamics; the file name below is an example, yours will differ):

tar -xf /tmp/PDFDissector_1_7_0-user-name-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.zip

Next, in the admin interface, go to "Services" -> "Control Services" and click the "OFF" button next to "PDF Dissector Backend". Finally, in the admin interface, click the "OFF" button next to "PDF Dissector" to activate the nugget.

Snort-As-A-Collector

Note: Due to limitations with VM Workstation for Windows, the SAAC is not supported on that platform.

Shut down the virtual machine if it is running. Using the hypervisor management software, add a second network interface to the machine, connecting it to the network you wish to monitor with Snort.

After booting the machine, log into the admin interface and, under "Services" -> "Control Services", click the switch to turn Snort on.

Razorback User Interface

The Razorback GUI is on port 80 of the virtual machine. There are several tabs that allow you to interact with the system. The most important are Status, Events and Submit Data Block.

Status

The Status tab shows you the overall status of the system. This includes which sub-systems are up (MySQL, memcached, ActiveMQ, Razorback Dispatcher and Razorback MasterNugget), which nuggets are active, and the Routing Table. For this release, the Routing Statistics table is not populated.
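The Status tab reports the same sub-systems from inside the VM. The following script is an added example, not part of the Razorback manual or project, for checking the deployment from another host: it probes the TCP ports of those sub-systems and reports which answer. Ports 80 and 8080 are the ones this manual documents; 3306, 11211 and 61616 are the stock default ports of MySQL, memcached and ActiveMQ (OpenWire) and are assumptions about the appliance, as is the host name used in the usage line.

```python
"""Post-deployment reachability check for the Razorback VM (added example).

Ports 80 and 8080 come from the manual; 3306, 11211 and 61616 are the stock
defaults for MySQL, memcached and ActiveMQ and are assumptions.
"""
import socket
import sys

RAZORBACK_SERVICES = {
    "Razorback GUI": 80,           # documented in the manual
    "Admin interface": 8080,       # documented in the manual
    "MySQL": 3306,                 # assumed default port
    "memcached": 11211,            # assumed default port
    "ActiveMQ (OpenWire)": 61616,  # assumed default port
}

# Stores and brokers that only the VM itself needs to talk to.
BACKENDS = {"MySQL", "memcached", "ActiveMQ (OpenWire)"}


def tcp_reachable(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable, or name lookup failed
        return False


def check_services(host, services=None, probe=tcp_reachable):
    """Probe every service and return {name: reachable}.

    `probe` is injectable so the reporting logic can be exercised without a
    live appliance.
    """
    services = RAZORBACK_SERVICES if services is None else services
    return {name: probe(host, port) for name, port in services.items()}


def exposed_backends(results):
    """Backend services that answered.

    When the check is run from a host other than the VM, this list should be
    empty: only the GUI (80) and admin interface (8080) need to be reachable
    over the network, and the manual ships a default MySQL root password.
    """
    return sorted(name for name, up in results.items() if up and name in BACKENDS)


def format_report(results):
    """Render one line per service plus a summary of exposed backends."""
    lines = [f"{'UP  ' if up else 'DOWN'}  {name}" for name, up in results.items()]
    exposed = exposed_backends(results)
    if exposed:
        lines.append("Backend ports reachable from this host: " + ", ".join(exposed))
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python3 rb_check.py <machine ip>   (defaults to the local host)
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(format_report(check_services(target)))
```

Run it once from inside the VM, where every line should read UP, and once from your workstation, where the backend ports should read DOWN; a backend that answers from the network is worth closing off before the default credentials listed under Authentication below are left in place.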

Events

The Events table can be viewed either in the "All" view or in the "Bad" view. Not surprisingly, the "Bad" view shows you any blocks that the system has determined to be bad. In either view, you can click on the entry under the "Hash digest" column to be taken to the data block page. You can also click on the numbers under the Alerts and Metadata columns to view additional data about the block without leaving the Events view.

Submit Data Block

The "Submit Data Block" view allows you to submit files for review directly from the web interface. Files uploaded have their data type determined by an implementation of file magic, or you can click the "Advanced" button to select the data type manually. Once you have submitted the block, you can click the hash provided to see the results of the analysis.

Data Block View

On the left of the view, you can see a tree that shows the current data block and any child blocks associated with it. You can download the data block by clicking "Download" in the data block information table. Additional information about the data block can be found under "Alerts", "Events", "Known Filenames" and "Detection Engines". The Detection Engines page displays either "pending" or "done" for each engine, depending on what detection remains to be completed.

Authentication

MySQL:
Username: root
Password: razorback

Changing Passwords

Before you can access the Razorback interface you will need to set up an account in the system management interface.

Both the SSH and Admin Interface passwords can be changed at the console. You can also change the passwords in the admin interface by going to "Account" -> "My Account" -> "Change Password".