Wednesday, 28 December 2005

First Sguil VM Available

I am happy to announce the availability of the first public Sguil sensor, server, and database in VM format. It's about 91 MB. Once it has been shared with all of the Sourceforge mirrors, you can download it here. I built it using the script described earlier.

So how do you use this? First, you need to have something like the free VMware Player for Windows or Linux. You can also use VMware Workstation or another variant if you like. When you download sguil0-6-0p1_freebsd6-0_1024mb.zip and expand it, you will find a directory like this:

FreeBSD.nvram
FreeBSD.vmsd
FreeBSD.vmx
FreeBSD-000001-cl1.vmdk

By opening the FreeBSD.vmx file in VMware Player, you should be able to start the VM.

Here are some important details.

  • The root password is r00t.

  • The user analyst is a member of the wheel group, so it can su to root. The analyst password is analyst.

  • The user sguil is not a member of the wheel group, so it can not directly su to root. The sguil password is sguil.

  • The host's management IP is 192.168.2.121. It is assigned the lnc0 interface and it is bridged via VMware.

  • The netmask is 255.255.255.0 and the default gateway is 192.168.2.1.

  • The default nameserver is 192.168.2.1.

  • Interface lnc1 is also bridged. It is not assigned an IP because it is used for sniffing.


You will probably want to change these parameters manually to meet your own network needs. For example, as root and logged in to the terminal:

ifconfig lnc0 down
ifconfig lnc0 inet 192.168.3.3 netmask 255.255.255.0 up
# Remove the old default route first, then point the new one at the gateway,
# not at the host's own address (192.168.3.254 is an assumed gateway here).
route delete default
route add default 192.168.3.254
echo "nameserver 192.168.3.254" > /etc/resolv.conf

Make similar changes to the values in /etc/rc.conf if you want the new network scheme to survive a reboot.

You'll probably also want to change /etc/hosts to reflect your new IPs.

Important: As soon as you have network connectivity to the Internet, you must update the system time. When my VM wakes up, it still thinks it is Wednesday night. If you try connecting to it with a Sguil client, the times will not match properly. I recommend running something simple like the following as root on the VM:

ntpdate clock.isc.org

This will validate outside Internet connectivity and update the time. You can also manually set the time with the 'date' command. Note this VM does not have any man pages installed. If you need them for FreeBSD, look here.

Account passwords in particular should be changed if you want to connect this VM anywhere outside a lab. Once the VM boots, I recommend logging in to two terminals. In one terminal, log in as user sguil. Execute the three scripts in sguil's home directory, namely the following, in this order:

sguild_start.sh
sensor_agent_start.sh
barnyard_start.sh

This will start the Sguil server, sensor, and Barnyard.

In the second terminal, log in as root. Start the following scripts:

sancp_start.sh
snort_start.sh
/usr/local/bin/log_packets.sh restart

This will start SANCP, Snort, and log_packets.sh, which uses a second instance of Snort to log full content data.

Once all the components are running, you need to connect to the Sguil server using a Sguil client. I did not install the Sguil client on the VM in order to save space (and to simplify this first round of work).

The easiest way to get a Sguil client running is to download and install the free standard ActiveTcl distribution for Windows. (Yes, Windows has the easiest client install, thanks to ActiveTcl. Linux might be as easy, but I don't have a Linux desktop to test.)

Once ActiveTcl is installed, download the Sguil client for Windows. It is a .zip that you need to extract. Once you do, change into the sguil-0.6.0p1/client directory. You'll see sguil.conf. Make the following edits:

# set ETHEREAL_PATH /usr/sbin/ethereal
# win32 example
set ETHEREAL_PATH "c:/progra~1/ethereal/ethereal.exe"
# Where to save the temporary raw data files on the client system
# You need to remember to delete these yourself.
# set ETHEREAL_STORE_DIR /tmp
# win32 example
set ETHEREAL_STORE_DIR "c:/tmp"
# Favorite browser for looking at sig info on snort.org
# set BROWSER_PATH /usr/bin/mozilla
# win32 example (IE)
set BROWSER_PATH c:/progra~1/intern~1/iexplore.exe

Next, edit the sguil.tk file and make the one change shown below:

set VERSION "SGUIL-0.6.0"

Now create a c:\tmp directory, and make sure you have Ethereal installed if you want to look at full content data in Ethereal.

You're ready to try the client.

Start Sguil by double-clicking the sguil.tk icon in Windows Explorer. Initially Windows will not know how to run .tk files. Associate this file and other .tk files with the C:\Tcl\bin\wish84.exe program.

The Sguil host is the IP address of the Sguil server. In my VM that is 192.168.2.121. If you leave the demo.sguil.net address, you will connect to Bamm's demo server.

The default port of 7734 is the right port. For the Sguil user and password, the VM uses user sguil, password sguil.

Do not enable OpenSSL encryption. The VM is not built to include that. Select the sensor shown (gruden in the VM), and then click Start Sguil. You should next see the client.

If you want to get Snort to trip on traffic, try using Nmap to perform an OS identification (nmap -O) on the management IP address of the VM.

If you have any questions, please post them here. Better yet, visit us at irc.freenode.net in channel #snort-gui.

My next idea is to add a Sguil client, and document and script the process. That may wait until Sguil 0.6.1 is released however.

UPDATE: For a new VM with the client, please see this post.
