Friday, 06 January 2006

New Sguil VM with Client

Hot on the heels of last week's news about the first Sguil VM, I am pleased to announce the release of a new Sguil VM. This new image is a complete self-contained Sguil deployment, with sensor, server, database, and client. The screenshot above shows the Sguil client and Ethereal. Again, you need something like VMware Player or better, and a program to unzip the archive.

The new file is being shared on the Sourceforge mirrors as sguil0-6-0p1_freebsd6-0_1280_06jan06.zip. I noticed this OSDN mirror already has it. The new .zip is 218 MB, and it expands to about 700 MB. The VM disk is 1280 MB (1.25 GB) and it is built with 128 MB RAM.

The new VM is nearly identical to the previous VM. Use the same user accounts, network settings, etc., as previously described. There are two exceptions:

  1. I have added the Sguil client components. This means you can either connect to the server using your own Sguil client, or log into the new VM as user analyst, run 'startx', and find yourself in a graphical Fluxbox environment.

  2. I have added tools used in my Network Security Operations class, mentioned in this post.


I built the VM using my new installation script described here.

For those who wish to build their own VM, I made the following additions beyond what the script does.

When I first boot the machine, I enter single user mode and create a /boot/loader.conf file with the line 'hint.apic.0.disabled=1'. I still seem to have troubles with time in the VM, although this post seems to indicate the latest VMware combined with 6-STABLE might improve the situation.

I next install VMware Tools for FreeBSD. This allows a large display at 1024x768. Inside VMware, I follow VM -> Install VMware Tools -> Install. Next, on a local console as root:

mount /cdrom
cd /tmp
tar -xzvpf /cdrom/vmware-freebsd-tools.tar.gz
cd vmware-tools-distrib
./vmware-install.pl

If I need to re-run the configuration, I can try /usr/local/bin/vmware-config-tools.pl.

I also edit /etc/motd so the users see the following at login.

Welcome to the Sguil Virtual Machine!

Richard Bejtlich (richard@taosecurity.com) created this VM to
help those new to Sguil (www.sguil.net) become familiar with
Sguil components and operation.

To start Sguil server components, do the following.

As user sguil, execute these scripts:

/home/sguil/sguild_start.sh
/home/sguil/sensor_agent_start.sh
/home/sguil/barnyard_start.sh

As user root, execute these scripts:

/root/sancp_start.sh
/root/snort_start.sh
/usr/local/bin/log_packets.sh restart

To start the Sguil client, do the following.

Log in as user analyst. Run startx to launch Fluxbox.
Launch a xterm, then run /home/analyst/sguil_client_start.sh.

Note: Thanks to transltr for pointing out that the motd as installed in the VM says to run /root/start_sancp.sh and /root/strt_snort.sh. That will be fixed in the next release.

The VM as provided uses space as follows:

$ df -h
Filesystem     Size    Used   Avail Capacity  Mounted on
/dev/ad0s1a    124M     56M     58M    49%    /
devfs          1.0K    1.0K      0B   100%    /dev
/dev/ad0s1g     62M     76K     57M     0%    /home
/dev/ad0s1f    124M     16M     98M    14%    /nsm
/dev/ad0s1h     61M     17M     40M    30%    /tmp
/dev/ad0s1d    496M    441M     15M    97%    /usr
/dev/ad0s1e    124M     24M     90M    21%    /var
/dev/acd0      6.9M    6.9M      0B   100%    /cdrom

Notice /usr is pretty tight. /nsm is small too. This is a demonstration VM, not a production version. Following my scripts, you can easily create your own VM, though.
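As an added example that is not part of the original post: a small sh function that parses df -h output (the listing above, embedded here as a constructed sample) and reports the disk slices at or above a chosen capacity, which is the check worth running on a sensor VM where /usr and /nsm are this tight. The function name and the 90% default threshold are my own choices.

```shell
#!/bin/sh
# Added example, not from the original post: report filesystems that are
# nearly full, so a tight /usr or /nsm is noticed before Snort or sancp
# run out of room to write. Usage:  df -h | check_capacity 90

check_capacity() {
    limit="${1:-90}"
    # Skip the header line; $5 is Capacity, $6 is the mount point.
    # Only real disk slices (ad*/da*) count; devfs and the mounted
    # ISO image always show 100% and are not a problem.
    awk -v limit="$limit" '
        NR > 1 && $1 ~ /^\/dev\/(ad|da)[0-9]/ {
            pct = $5
            sub(/%/, "", pct)
            if (pct + 0 >= limit + 0) {
                print $6, pct "%"
                found = 1
            }
        }
        END { exit(found ? 0 : 1) }
    '
}

# Constructed sample: the df -h listing from the VM as shown in the post.
SAMPLE_DF='Filesystem Size Used Avail Capacity Mounted on
/dev/ad0s1a 124M 56M 58M 49% /
devfs 1.0K 1.0K 0B 100% /dev
/dev/ad0s1g 62M 76K 57M 0% /home
/dev/ad0s1f 124M 16M 98M 14% /nsm
/dev/ad0s1h 61M 17M 40M 30% /tmp
/dev/ad0s1d 496M 441M 15M 97% /usr
/dev/ad0s1e 124M 24M 90M 21% /var
/dev/acd0 6.9M 6.9M 0B 100% /cdrom'

# Stand-alone run: prints "/usr 97%" and exits 0 (exit 1 if nothing is tight).
printf '%s\n' "$SAMPLE_DF" | check_capacity 90
```

Run it on the live VM as `df -h | check_capacity 90` from cron or before starting the sensor scripts; a non-zero exit means every slice is below the threshold.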

These packages are installed:

$ pkg_info
adns-1.1 Easy to use, asynchronous-capable DNS client library and ut
argus-2.0.6 A generic IP network transaction auditing tool
argus-clients-2.0.6 Client programs for the argus IP network transaction auditi
atk-1.10.3 A GNOME accessibility toolkit (ATK)
barnyard-0.2.0 An output system for Snort
bitstream-vera-1.10_2 Bitstream Vera TrueType font collection
cairo-1.0.2_1 Vector graphics library with cross-device output support
ethereal-0.10.13_3 A powerful network analyzer/capture tool
expat-1.95.8_3 XML 1.0 parser written in C
flow-tools-0.68_1 Suite of tools and library to work with netflow data
flowgrep-0.8a TCP stream/UDP/IP payload 'grep' utility
fluxbox-devel-0.9.14 A small and fast window manager based on BlackBox
fontconfig-2.3.2,1 An XML-based font configuration API for X Windows
fprobe-1.1 Tool that collects network traffic data
freetype2-2.1.10_2 A free and portable TrueType font rendering engine
gettext-0.14.5 GNU gettext package
glib-1.2.10_11 Some useful routines of C programming (previous stable vers
glib-2.8.4 Some useful routines of C programming (current stable versi
gtk-1.2.10_13 Gimp Toolkit for X11 GUI (previous stable version)
gtk-2.8.9 Gimp Toolkit for X11 GUI (current stable version)
hicolor-icon-theme-0.5 A high-color icon theme shell from the FreeDesktop project
ipcad-3.7 IP accounting daemon with Cisco-like RSH and NetFlow export
itcl-3.2.1_1 [incr Tcl] (A.K.A. "itcl")
itk-3.2.1_1 [incr Tk] (A.K.A. "itk")
iwidgets-4.0.1 Iwidgets - [incr Widgets]
jpeg-6b_3 IJG's jpeg compression utilities
libXft-2.1.7 A client-sided font API for X applications
libiconv-1.9.2_1 A character set conversion library
libltdl-1.5.22 System independent dlopen wrapper
libnetdude-0.6 A library for manipulating libpcap/tcpdump trace files
libpcapnav-0.5 A libpcap wrapper library
libxml2-2.6.22 XML parser library for GNOME
mysql-client-5.0.17 Multithreaded SQL database (client)
mysql-server-5.0.17 Multithreaded SQL database (server)
mysqltcl-3.01 TCL module for accessing MySQL databases based on msqltcl
net-snmp-5.2.2 An extendable SNMP implementation
netdude-0.4.5 NETwork DUmp data Displayer and Editor for tcpdump tracefil
ngrep-1.44 Network grep
p0f-2.0.3_1 Passive OS fingerprinting tool
pango-1.10.2 An open-source framework for the layout and rendering of i1
pcre-6.4 Perl Compatible Regular Expressions library
perl-5.8.7 Practical Extraction and Report Language
pkgconfig-0.20 A utility to retrieve information about installed libraries
png-1.2.8_2 Library for manipulating PNG images
py24-pynids-0.5_1 Python interface to libnids
python-2.4.2 An interpreted object-oriented programming language
sancp-1.6.1_1 A network connection profiler
shared-mime-info-0.16_2 A MIME type database from the FreeDesktop project
snort-2.4.3_1 Lightweight network intrusion detection system
tcl-8.4.11,1 Tool Command Language
tclX-8.3.5_2 Extended TCL
tcllib-1.7_1 A collection of utility modules for Tcl
tcltls-1.5.0 SSL extensions for TCL; dynamicly loadable
tcpdstat-0.9 A tool for generating statistics from tcpdump (libpcap) fil
tcpflow-0.21_1 A tool for capturing data transmitted as part of TCP connec
tcpreplay-2.3.5 A tool to replay saved packet capture files
tiff-3.7.4 Tools and library routines for working with TIFF images
tk-8.4.11,2 Graphical toolkit for TCL
trafshow-5.2.1_1,1 Full screen visualization of network traffic
xorg-clients-6.8.2_1 X client programs and related files from X.Org
xorg-fonts-100dpi-6.8.2 X.Org 100dpi bitmap fonts
xorg-fonts-75dpi-6.8.2 X.Org 75dpi bitmap fonts
xorg-fonts-encodings-6.8.2 X.Org font encoding files
xorg-fonts-miscbitmaps-6.8.2 X.Org miscellaneous bitmap fonts
xorg-fonts-truetype-6.8.2 X.Org TrueType fonts
xorg-libraries-6.8.2 X11 libraries and headers from X.Org
xorg-server-6.8.2_7 X.Org X server and related programs
xterm-206_1 Terminal emulator for the X Window System

If you can wait to download the client from Sourceforge, that will make life easier for my hosting company.

If you have comments, please post them here. Thank you!
