TaoSecurity Tools Git
Status: Alpha
Brought to you by: taosecurity
# $Id: README,v 1.5 2009/02/05 04:35:20 taosecurity Exp $
#
# WARNING: Calling these files "scripts" does injury to the word. These are
# more like "commands run in order that help me install Sguil in a certain
# configuration that I like, and which probably won't meet your needs."
# Still, I put them here in the event someone else might find them useful.
# They are totally unsupported. If you have questions I recommend using the
# NSMNow distribution for Debian/Ubuntu at http://www.securixlive.com/nsmnow/ .

Hints from Richard Bejtlich (taosecurity@gmail.com)

The scripts are hard-coded to use Snort 2.9.0.1. This requires explicit
modifications if you want to use a different version. The scripts also use a
version of Sguil from CVS checked out on 02 Feb 09, posted at bejtlich.net.

You must have a /nsm partition ready for NSM data and rules!

Recommended run order:

Register with Sourcefire and download snortrules-snapshot-2900.tar.gz to /tmp .

Run prep_platform.sh, which adds the Bash package, adds the users sguil and
analyst, and modifies /etc/hosts.

Run sguil_sensor_install.sh to create certain directories and install the
Sguil sensor code.

Run snort_src_install.sh

Modify the following to match your environment. You may want to replace
ExtNet with the name you want for the sensor group.

  snort.conf.patch        -- usually no changes
  barnyard2.conf.patch    -- replace vm with your hostname, em0 with your NIC
  snort_agent.conf.patch  -- replace vm with your hostname
  pcap_agent.conf.patch   -- replace vm with your hostname
  sancp_agent.conf.patch  -- replace vm with your hostname
  sancp.conf.patch        -- usually no changes
  log_packets.sh.patch    -- replace vm with your hostname, em0 with your NIC

Run sguil_sensor_install_patch.sh

Edit snort.conf to set your HOME_NET and enable the rules you want. Disable
local.rules if you do not have it! Remember to enable the Emerging Threats
rules by editing /nsm/rules/emerging.conf.
Run, in order:

  sguil_server_install.sh
  sguil_database_install_pt1.sh
  sguil_database_install_pt2.sh

To add support for /usr/local/etc/rc.d/snort, /usr/local/etc/rc.d/sancp and
/usr/local/etc/rc.d/barnyard, edit rc-adds.txt (replace vm and em0 with your
hostname and interface, respectively) and then run rc-conf.sh

Start the following as root:

  /usr/local/bin/log_packets.sh restart

Use the /usr/local/etc/rc.d/ system to start snort, sancp and barnyard.

Add a Sguil client user by running sguild_adduser.sh

You may want to configure sguild to listen on specific interfaces, like

  set BIND_SENSOR_IP_ADDR 127.0.0.1
  set BIND_CLIENT_IP_ADDR 172.16.2.1

Set those values in /usr/local/etc/nsm/sguild.conf if so desired.

Start the following as user sguil. I recommend running each via screen(1).

  cd /usr/local/src/sguil-0.7.0/server/
  ./sguild -c /usr/local/etc/nsm/sguild.conf -u /usr/local/etc/nsm/sguild.users -C /usr/local/etc/nsm/certs

  cd /usr/local/src/sguil-0.7.0/sensor/
  ./snort_agent.tcl -c /usr/local/etc/nsm/snort_agent.conf

  cd /usr/local/src/sguil-0.7.0/sensor/
  ./sancp_agent.tcl -c /usr/local/etc/nsm/sancp_agent.conf

  cd /usr/local/src/sguil-0.7.0/sensor/
  ./pcap_agent.tcl -c /usr/local/etc/nsm/pcap_agent.conf

Before logging into the Sguil server, from another system run

  nmap -O TARGET

where TARGET is an IP watched by the sensor. This will create a few alerts to
review. Note that it takes a few minutes before the first SANCP entries are
loaded into the database.
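The "replace vm with your hostname, em0 with your NIC" edits above recur across the sensor *.patch files and again in rc-adds.txt, and a careless search-and-replace will also hit "vm" inside an unrelated word (a comment mentioning vmware, say) or "em0" inside "em01". The following POSIX sh script is an added example, not part of the TaoSecurity scripts: it localizes a file with whole-word matches only, fails loudly if a bare token survives, and checks that /nsm really is its own partition as the README requires. The only assumptions are the two token names the README gives, vm and em0; the patch-file content it feeds itself in the demo is constructed, not the real snort_agent.conf.patch.

```shell
#!/bin/sh
# Added example, not part of the TaoSecurity scripts: localize the Sguil
# sensor *.patch files and rc-adds.txt for one host before running
# sguil_sensor_install_patch.sh / rc-conf.sh, and check the /nsm partition.
# Assumed from the README: the hard-coded tokens are the whole words
# "vm" (hostname) and "em0" (sniffing NIC).

set -u

# Word-boundary syntax differs between sed implementations: GNU sed
# understands \b, FreeBSD (BSD) sed uses [[:<:]] and [[:>:]]. Probe once.
if [ "$(printf 'x\n' | sed 's/\bx\b/y/')" = y ]; then
    WB_L='\b';      WB_R='\b'
else
    WB_L='[[:<:]]'; WB_R='[[:>:]]'
fi

# nsm_localize_text FROM TO: stdin -> stdout, whole-word replacement only,
# so "vm" inside "vmware" or "em0" inside "em01" is left untouched.
nsm_localize_text() {
    sed -e "s|${WB_L}$1${WB_R}|$2|g"
}

# nsm_leftover_tokens FILE: return 0 when no bare vm/em0 token remains,
# 1 when the file still needs editing (offending lines are printed).
nsm_leftover_tokens() {
    if grep -n -E '(^|[^[:alnum:]_])(vm|em0)([^[:alnum:]_]|$)' "$1"; then
        return 1
    fi
    return 0
}

# nsm_localize_file FILE HOSTNAME NIC: rewrite FILE in place, keeping a
# .orig copy, then verify nothing was missed.
nsm_localize_file() {
    cp "$1" "$1.orig" || return 1
    nsm_localize_text vm "$2" < "$1.orig" | nsm_localize_text em0 "$3" > "$1" || return 1
    nsm_leftover_tokens "$1"
}

# nsm_is_mountpoint DIR: 0 when DIR is the root of its own filesystem
# (a dedicated /nsm partition), 1 when it is only a directory.
nsm_is_mountpoint() {
    [ -d "$1" ] || return 1
    [ "$(df -P "$1" | awk 'NR == 2 { print $NF }')" = "$1" ]
}

# Demo on a constructed stand-in for snort_agent.conf.patch (made-up lines,
# not the real patch): prints the localized file, returns the check result.
nsm_demo() {
    tmp=$(mktemp) || return 1
    printf '%s\n' \
        '+set HOSTNAME vm' \
        '+set NET_GROUP ExtNet' \
        '+set SENSOR_ID vm-em0' \
        '# built on a vmware guest; em01 is not the sniffing NIC' > "$tmp"
    nsm_localize_file "$tmp" sensor1 bge0
    rc=$?
    cat "$tmp"
    rm -f "$tmp" "$tmp.orig"
    return $rc
}

nsm_is_mountpoint /nsm || echo "warning: /nsm is not a separate partition" >&2
nsm_demo
```

Source the file and call nsm_localize_file once per patch file and once for rc-adds.txt, e.g. nsm_localize_file barnyard2.conf.patch sensor1 bge0. The .orig copy lets you diff what changed before running sguil_sensor_install_patch.sh, and the leftover check is what catches a token written in a form the substitution did not expect.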