Intrusion Detection using Snort, Sguil, Barnyard and more: Difference between revisions
Revision as of 11:33, 1 October 2010
This material is work-in-progress ... Do not follow instructions here until this notice is removed.
This guide will set up (list subject to change):
- Snort
- Barnyard
- Sguil
This guide will assume:
- You have a knowledge of your network setup (at least know which subnets exist)
- You have Alpine 2.0.2 installed and working with networking setup
Get Development Packages
Install Alpine and Pre-packaged components
apk add alpine-sdk mysql-dev openssl-dev snort wireshark tcpdump tcpflow cvs
Download Non-Packaged Applications
Download the following packages using wget
cd /usr/src
wget itcl3.4b1.tar.gz
wget tcl8.4.19-src.tar.gz
wget tk8.4.19-src.tar.gz
wget mysqltcl-3.02.tar.gz
wget tclx8.4.tar.bz2
wget tls1.6-src.tar.gz
wget barnyard-0.2.0.tar.gz
wget tcllib-1.12.tar.gz
wget p0f.tgz
wget iwidgets4.0.1.tar.gz
(need to add source locations for all the packages above)
sguild Configuration Steps
Configure sguild
mkdir -p /home/sguil/sguild_data/archive
mkdir /home/sguil/sguild_data/rules
mkdir /home/sguil/sguild_data/load
chown -R sguil.sguil /home/sguil/sguild_data
Now, start mysql using: mysql -u root -p
GRANT ALL PRIVILEGES ON sguildb.* TO sguil@localhost IDENTIFIED BY "password";
GRANT FILE ON *.* TO sguil@localhost;
-- The GRANT above already sets the password; this rewrites it in the pre-4.1 hash
-- format for older clients. mysql.user is named explicitly so the UPDATE works
-- without first switching to the mysql database.
UPDATE mysql.user SET Password = OLD_PASSWORD("password") WHERE User = "sguil";
FLUSH PRIVILEGES;
QUIT;
From the command line:
mysql -u sguil -p -e "CREATE DATABASE sguildb"
mysql -u sguil -p -D sguildb < /usr/local/sguil/server/sql_scripts/create_sguildb.sql
mysql -u sguil -p -D sguildb -e "show tables"
mkdir /var/run/sguil
chown sguil.sguil /var/run/sguil
mkdir -p /etc/sguild/certs
cp /usr/local/sguil/server/sguild.conf /etc/sguild
cp /usr/local/sguil/server/autocat.conf /etc/sguild
cp /usr/local/sguil/server/sguild.users /etc/sguild
cp /usr/local/sguil/server/sguild.queries /etc/sguild
cp /usr/local/sguil/server/sguild.access /etc/sguild
cp /usr/local/sguil/server/sguild.email /etc/sguild
cp /usr/local/sguil/server/sguild.reports /etc/sguild
chown -R sguil.sguil /etc/sguild
Now edit /etc/sguild/sguild.conf and change the following lines to match the below:
set SGUILD_LIB_PATH /usr/local/sguil/server/lib
set DEBUG 0
set SENSOR_AGGREGATION_ON 0
set RULESDIR /home/sguil/sguild_data/rules
# DBPASS must be the password given to sguil@localhost in the GRANT statement above
set DBPASS "867s309"
set DBUSER sguil
set LOCAL_LOG_DIR /home/sguil/sguild_data/archive
set TCPFLOW /usr/bin/tcpflow
set P0F 1
set P0F_PATH /usr/local/bin/p0f
set TMP_LOAD_DIR /home/sguil/sguild_data/load
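As an added example (not from this wiki page or the Sguil project), a POSIX shell script that applies the sguild.conf directives above to a config file and checks that each directive is present exactly once; it takes the database password as an argument so DBPASS cannot drift from the password granted in MySQL. The function names and the idea of rewriting the file with awk are my assumptions; the paths and keys are the page's.

```shell
#!/bin/sh
# Added example: apply and verify the sguild.conf settings from the guide.

# sguild_set FILE KEY VALUE: rewrite an existing "set KEY ..." line, or append
# one, so that the directive ends up in the file exactly once.
sguild_set() {
    file=$1; key=$2; value=$3
    if grep -q "^set ${key}[[:space:]]" "$file"; then
        awk -v k="$key" -v v="$value" \
            '$1=="set" && $2==k {print "set " k " " v; next} {print}' \
            "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf 'set %s %s\n' "$key" "$value" >> "$file"
    fi
}

# sguild_configure FILE DBPASS: apply every directive listed in the guide.
# DBPASS is passed in so it matches the password used in the MySQL GRANT.
sguild_configure() {
    f=$1; dbpass=$2
    sguild_set "$f" SGUILD_LIB_PATH /usr/local/sguil/server/lib
    sguild_set "$f" DEBUG 0
    sguild_set "$f" SENSOR_AGGREGATION_ON 0
    sguild_set "$f" RULESDIR /home/sguil/sguild_data/rules
    sguild_set "$f" DBPASS "\"$dbpass\""
    sguild_set "$f" DBUSER sguil
    sguild_set "$f" LOCAL_LOG_DIR /home/sguil/sguild_data/archive
    sguild_set "$f" TCPFLOW /usr/bin/tcpflow
    sguild_set "$f" P0F 1
    sguild_set "$f" P0F_PATH /usr/local/bin/p0f
    sguild_set "$f" TMP_LOAD_DIR /home/sguil/sguild_data/load
}

# sguild_check FILE: succeed only if every required directive appears exactly
# once and DBPASS is not empty (a common way for sguild to fail to reach MySQL).
sguild_check() {
    f=$1
    for k in SGUILD_LIB_PATH DEBUG SENSOR_AGGREGATION_ON RULESDIR DBPASS DBUSER \
             LOCAL_LOG_DIR TCPFLOW P0F P0F_PATH TMP_LOAD_DIR; do
        n=$(grep -c "^set ${k}[[:space:]]" "$f" || true)
        [ "$n" -eq 1 ] || { echo "sguild.conf: $k appears $n times" >&2; return 1; }
    done
    grep -q '^set DBPASS ""' "$f" && { echo "sguild.conf: DBPASS is empty" >&2; return 1; }
    return 0
}
```

Run it as `sguild_configure /etc/sguild/sguild.conf 'password' && sguild_check /etc/sguild/sguild.conf` after copying the stock sguild.conf into /etc/sguild.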