Intrusion Detection using Snort, Sguil, Barnyard and more

From Alpine Linux
This material is proposed for merging ...

It should be merged with Intrusion Detection using Snort. (Discuss)

This material is work-in-progress ...

Do not follow instructions here until this notice is removed.
(Last edited by Dubiousjim on 1 Jun 2012.)

This guide will set up (list subject to change):

  • Snort
  • Barnyard
  • Sguil

This guide will assume:

  • You know your network setup (at least which subnets exist)
  • You have Alpine 2.0.2 installed and working, with networking set up

Get Development Packages

Install Alpine and Pre-packaged components

    apk add alpine-sdk mysql-dev openssl-dev snort wireshark tcpdump tcpflow cvs


Download Non-Packaged Applications

Download the following packages using wget

   cd /usr/src
   wget itcl3.4b1.tar.gz
   wget tcl8.4.19-src.tar.gz
   wget tk8.4.19-src.tar.gz
   wget mysqltcl-3.02.tar.gz
   wget tclx8.4.tar.bz2
   wget tls1.6-src.tar.gz
   wget barnyard-0.2.0.tar.gz
   wget tcllib-1.12.tar.gz
   wget p0f.tgz
   wget iwidgets4.0.1.tar.gz

(Source locations for all the packages above still need to be added.)


sguild Configuration Steps

Configure sguild

   mkdir -p /home/sguil/sguild_data/archive
   mkdir /home/sguil/sguild_data/rules
   mkdir /home/sguil/sguild_data/load
   chown -R sguil:sguil /home/sguil/sguild_data

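Now start the MySQL client with mysql -u root -p and run the following statements:

   -- "password" is a placeholder; choose a strong password and use the same value for DBPASS in sguild.conf
   GRANT ALL PRIVILEGES ON sguildb.* TO sguil@localhost IDENTIFIED BY "password";
   -- FILE is a global privilege: it lets this account read and write files on the server host
   GRANT FILE ON *.* to sguil@localhost;
   -- OLD_PASSWORD() stores the weak pre-4.1 hash format
   UPDATE mysql.user SET Password = OLD_PASSWORD("password") WHERE User = "sguil";
   FLUSH PRIVILEGES;
   QUIT;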

From the command line:

   mysql -u sguil -p -e "CREATE DATABASE sguildb"
   mysql -u sguil -p -D sguildb < /usr/local/sguil/server/sql_scripts/create_sguildb.sql
   mysql -u sguil -p -D sguildb -e "show tables"
   mkdir /var/run/sguil
   chown sguil:sguil /var/run/sguil
   mkdir -p /etc/sguild/certs
   cp /usr/local/sguil/server/sguild.conf /etc/sguild
   cp /usr/local/sguil/server/autocat.conf /etc/sguild
   cp /usr/local/sguil/server/sguild.users /etc/sguild
   cp /usr/local/sguil/server/sguild.queries /etc/sguild
   cp /usr/local/sguil/server/sguild.access /etc/sguild
   cp /usr/local/sguil/server/sguild.email /etc/sguild
   cp /usr/local/sguil/server/sguild.reports /etc/sguild
   chown -R sguil:sguil /etc/sguild

Now edit /etc/sguild/sguild.conf and change the following lines so that they read:

   set SGUILD_LIB_PATH /usr/local/sguil/server/lib
   set DEBUG 0
   set SENSOR_AGGREGATION_ON 0
   set RULESDIR /home/sguil/sguild_data/rules
   set DBPASS "password"
   set DBUSER sguil
   set LOCAL_LOG_DIR /home/sguil/sguild_data/archive
   set TCPFLOW /usr/bin/tcpflow
   set P0F 1
   set P0F_PATH /usr/local/bin/p0f
   set TMP_LOAD_DIR /home/sguil/sguild_data/load
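
The settings above leave the database password in clear text in /etc/sguild/sguild.conf. As an added example (not part of the original guide or of Sguil), the POSIX shell functions below check a sguild.conf for the placeholder DBPASS, a world-readable file mode, and missing data directories. The function names and the make_sample helper are hypothetical, and the sample configuration it writes is constructed.

```shell
#!/bin/sh
# Added example: audit a sguild.conf made of "set KEY VALUE" lines.
# Function names and make_sample are hypothetical helpers, not part of Sguil.

# conf_get FILE KEY: print KEY's value without surrounding double quotes.
conf_get() {
    awk -v k="$2" '$1 == "set" && $2 == k {
        sub(/^[ \t]*set[ \t]+[^ \t]+[ \t]+/, "")
        sub(/[ \t]+$/, "")
        gsub(/^"|"$/, "")
        print; exit
    }' "$1"
}

# audit_sguild_conf FILE: print one line per finding; return 0 only if clean.
audit_sguild_conf() {
    conf=$1
    findings=0
    pass=$(conf_get "$conf" DBPASS)
    if [ -z "$pass" ] || [ "$pass" = "password" ]; then
        echo "DBPASS is empty or still the guide's placeholder"
        findings=$((findings + 1))
    fi
    # DBPASS is stored in clear text, so "other" must not have read access.
    if [ -n "$(find "$conf" -perm -004)" ]; then
        echo "$conf is world-readable"
        findings=$((findings + 1))
    fi
    for key in RULESDIR LOCAL_LOG_DIR TMP_LOAD_DIR; do
        dir=$(conf_get "$conf" "$key")
        if [ -z "$dir" ] || [ ! -d "$dir" ]; then
            echo "$key does not name an existing directory: $dir"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# make_sample DIR DBPASS MODE: write a constructed sguild.conf plus data dirs.
make_sample() {
    mkdir -p "$1/rules" "$1/archive" "$1/load"
    cat > "$1/sguild.conf" <<EOF
set DBUSER sguil
set DBPASS "$2"
set RULESDIR $1/rules
set LOCAL_LOG_DIR $1/archive
set TMP_LOAD_DIR $1/load
EOF
    chmod "$3" "$1/sguild.conf"
}
```

Source the file and run audit_sguild_conf /etc/sguild/sguild.conf; a file reported as world-readable can be restricted to its owner with chmod 600.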