Intrusion Detection using Snort, Sguil, Barnyard and more: Difference between revisions

From Alpine Linux
No edit summary
Line 42: Line 42:

Previous revision:

'''Configure sguild'''

mkdir -p /home/sguil/sguild_data/archive
mkdir /home/sguil/sguild_data/rules
mkdir /home/sguil/sguild_data/load
chown -R sguil.sguil /home/sguil/sguild_data

GRANT ALL PRIVILEGES ON sguildb.* TO sguil@localhost IDENTIFIED BY "867s309";
GRANT FILE ON *.* to sguil@localhost;
update user set Password = OLD_PASSWORD("867s309") where User = "sguil";
FLUSH PRIVILEGES;

mysql -u sguil -p -e "CREATE DATABASE sguildb"
mysql -u sguil -p -D sguildb < /usr/local/sguil/server/sql_scripts/create_sguildb.sql
mysql -u sguil -p -D sguildb -e "show tables"

mkdir /var/run/sguil
chown sguil.sguil /var/run/sguil

mkdir -p /etc/sguild/certs
cp /usr/local/sguil/server/sguild.conf /etc/sguild
cp /usr/local/sguil/server/autocat.conf /etc/sguild
cp /usr/local/sguil/server/sguild.users /etc/sguild
cp /usr/local/sguil/server/sguild.queries /etc/sguild
cp /usr/local/sguil/server/sguild.access /etc/sguild
cp /usr/local/sguil/server/sguild.email /etc/sguild
cp /usr/local/sguil/server/sguild.reports /etc/sguild
chown -R sguil.sguil /etc/sguild

vi /etc/sguild/sguild.conf
set SGUILD_LIB_PATH /usr/local/sguil/server/lib
set DEBUG 0
set SENSOR_AGGREGATION_ON 0
set RULESDIR /home/sguil/sguild_data/rules
set DBPASS "867s309"
set DBUSER sguil
set LOCAL_LOG_DIR /home/sguil/sguild_data/archive
set TCPFLOW /usr/bin/tcpflow
set P0F 1
set P0F_PATH /usr/local/bin/p0f
set TMP_LOAD_DIR /home/sguil/sguild_data/load

Current revision:

'''Configure sguild'''

    mkdir -p /home/sguil/sguild_data/archive
    mkdir /home/sguil/sguild_data/rules
    mkdir /home/sguil/sguild_data/load
    chown -R sguil.sguil /home/sguil/sguild_data

Now, start mysql using: mysql -u root -p

    GRANT ALL PRIVILEGES ON sguildb.* TO sguil@localhost IDENTIFIED BY "password";
    GRANT FILE ON *.* to sguil@localhost;
    update user set Password = OLD_PASSWORD("password") where User = "sguil";
    FLUSH PRIVILEGES;
    QUIT;

From the command line:

    mysql -u sguil -p -e "CREATE DATABASE sguildb"
    mysql -u sguil -p -D sguildb < /usr/local/sguil/server/sql_scripts/create_sguildb.sql
    mysql -u sguil -p -D sguildb -e "show tables"
    mkdir /var/run/sguil
    chown sguil.sguil /var/run/sguil
    mkdir -p /etc/sguild/certs
    cp /usr/local/sguil/server/sguild.conf /etc/sguild
    cp /usr/local/sguil/server/autocat.conf /etc/sguild
    cp /usr/local/sguil/server/sguild.users /etc/sguild
    cp /usr/local/sguil/server/sguild.queries /etc/sguild
    cp /usr/local/sguil/server/sguild.access /etc/sguild
    cp /usr/local/sguil/server/sguild.email /etc/sguild
    cp /usr/local/sguil/server/sguild.reports /etc/sguild
    chown -R sguil.sguil /etc/sguild

Now edit /etc/sguild/sguild.conf and change the following lines to match the below:

    set SGUILD_LIB_PATH /usr/local/sguil/server/lib
    set DEBUG 0
    set SENSOR_AGGREGATION_ON 0
    set RULESDIR /home/sguil/sguild_data/rules
    set DBPASS "867s309"
    set DBUSER sguil
    set LOCAL_LOG_DIR /home/sguil/sguild_data/archive
    set TCPFLOW /usr/bin/tcpflow
    set P0F 1
    set P0F_PATH /usr/local/bin/p0f
    set TMP_LOAD_DIR /home/sguil/sguild_data/load

Revision as of 11:33, 1 October 2010


This material is work-in-progress ...

Do not follow instructions here until this notice is removed.
(Last edited by Myoung on 1 Oct 2010.)

This guide will set up (list subject to change):

  • Snort
  • Barnyard
  • Sguil

This guide will assume:

  • You have a knowledge of your network setup (at least know which subnets exist)
  • You have Alpine 2.0.2 installed and working, with networking set up

Get Development Packages

Install Alpine and Pre-packaged components

    apk add alpine-sdk mysql-dev openssl-dev snort wireshark tcpdump tcpflow cvs


Download Non-Packaged Applications

Download the following packages using wget

   cd /usr/src
   wget itcl3.4b1.tar.gz
   wget tcl8.4.19-src.tar.gz
   wget tk8.4.19-src.tar.gz
   wget mysqltcl-3.02.tar.gz
   wget tclx8.4.tar.bz2
   wget tls1.6-src.tar.gz
   wget barnyard-0.2.0.tar.gz
   wget tcllib-1.12.tar.gz
   wget p0f.tgz
   wget iwidgets4.0.1.tar.gz

(need to add source locations for all the packages above)


sguild Configuration Steps

Configure sguild

These commands assume a sguil system user and group already exist, since the data directories are chowned to them.

   mkdir -p /home/sguil/sguild_data/archive
   mkdir /home/sguil/sguild_data/rules
   mkdir /home/sguil/sguild_data/load
   chown -R sguil.sguil /home/sguil/sguild_data

Now, start mysql using: mysql -u root -p and run the following. Replace "password" with the password you want for the sguil database account; DBPASS in sguild.conf has to be set to the same value. The UPDATE is qualified with the mysql database name because the root session is not connected to any database at this point.

   GRANT ALL PRIVILEGES ON sguildb.* TO sguil@localhost IDENTIFIED BY "password";
   GRANT FILE ON *.* TO sguil@localhost;
   UPDATE mysql.user SET Password = OLD_PASSWORD("password") WHERE User = "sguil";
   FLUSH PRIVILEGES;
   QUIT;

From the command line:

   mysql -u sguil -p -e "CREATE DATABASE sguildb"
   mysql -u sguil -p -D sguildb < /usr/local/sguil/server/sql_scripts/create_sguildb.sql
   mysql -u sguil -p -D sguildb -e "show tables"
   mkdir /var/run/sguil
   chown sguil.sguil /var/run/sguil
   mkdir -p /etc/sguild/certs
   cp /usr/local/sguil/server/sguild.conf /etc/sguild
   cp /usr/local/sguil/server/autocat.conf /etc/sguild
   cp /usr/local/sguil/server/sguild.users /etc/sguild
   cp /usr/local/sguil/server/sguild.queries /etc/sguild
   cp /usr/local/sguil/server/sguild.access /etc/sguild
   cp /usr/local/sguil/server/sguild.email /etc/sguild
   cp /usr/local/sguil/server/sguild.reports /etc/sguild
   chown -R sguil.sguil /etc/sguild

Now edit /etc/sguild/sguild.conf and change the following lines to match the below. DBPASS must be the same password you used in the GRANT ... IDENTIFIED BY statement when creating the sguil MySQL account, and P0F_PATH must point at the p0f binary you built from the p0f.tgz downloaded earlier:

   set SGUILD_LIB_PATH /usr/local/sguil/server/lib
   set DEBUG 0
   set SENSOR_AGGREGATION_ON 0
   set RULESDIR /home/sguil/sguild_data/rules
   set DBPASS "password"
   set DBUSER sguil
   set LOCAL_LOG_DIR /home/sguil/sguild_data/archive
   set TCPFLOW /usr/bin/tcpflow
   set P0F 1
   set P0F_PATH /usr/local/bin/p0f
   set TMP_LOAD_DIR /home/sguil/sguild_data/load
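As an added check, not part of this wiki page or of the sguil project, the POSIX shell functions below read the "set KEY VALUE" lines from a sguild.conf and flag the mistakes that most often stop sguild from starting: a DBUSER/DBPASS pair that does not match the MySQL account created in the GRANT step above, data directories (RULESDIR, LOCAL_LOG_DIR, TMP_LOAD_DIR) that do not exist, and P0F enabled with a P0F_PATH that is not executable. The function names and the argument order are my own; the configuration keys are the ones from the excerpt above. It works for any sguild.conf, not only the values shown on this page.

```sh
#!/bin/sh
# Added example (not from the Alpine wiki page): sanity-check a sguild.conf
# against the MySQL credentials granted to the sguil account before starting
# sguild. Assumes the "set KEY VALUE" layout of sguild.conf.

# Print the value of "set KEY VALUE" from the file CONF ($1) for KEY ($2),
# with surrounding double quotes removed. A later "set" of the same key
# overrides an earlier one, which is how Tcl evaluates the file.
sguild_conf_get() {
    awk -v k="$2" '
        $1 == "set" && $2 == k {
            v = $3
            for (i = 4; i <= NF; i++) v = v " " $i
        }
        END { gsub(/^"|"$/, "", v); print v }
    ' "$1"
}

# Check CONF ($1) against the MySQL user ($2) and password ($3) used in the
# GRANT statement. Prints one line per problem found and returns 1 if there
# was any, 0 if the file is consistent.
sguild_conf_check() {
    conf="$1"; want_user="$2"; want_pass="$3"
    rc=0

    got_user=$(sguild_conf_get "$conf" DBUSER)
    got_pass=$(sguild_conf_get "$conf" DBPASS)
    if [ "$got_user" != "$want_user" ]; then
        echo "DBUSER is '$got_user' but the MySQL account is '$want_user'"; rc=1
    fi
    if [ "$got_pass" != "$want_pass" ]; then
        echo "DBPASS does not match the password given in the GRANT statement"; rc=1
    fi

    # sguild writes archives, rules and load files here; they must exist.
    for key in RULESDIR LOCAL_LOG_DIR TMP_LOAD_DIR; do
        dir=$(sguild_conf_get "$conf" "$key")
        if [ -z "$dir" ]; then
            echo "$key is not set"; rc=1
        elif [ ! -d "$dir" ]; then
            echo "$key points to '$dir', which is not a directory"; rc=1
        fi
    done

    # With P0F set to 1 sguild will exec P0F_PATH, so it must be executable.
    if [ "$(sguild_conf_get "$conf" P0F)" = "1" ]; then
        p0f=$(sguild_conf_get "$conf" P0F_PATH)
        if [ ! -x "$p0f" ]; then
            echo "P0F is 1 but P0F_PATH '$p0f' is not executable"; rc=1
        fi
    fi
    return $rc
}

# Usage, with the password you used in GRANT ... IDENTIFIED BY:
#   sguild_conf_check /etc/sguild/sguild.conf sguil 'password' || echo "fix sguild.conf first"
```

Run it as the last step before starting sguild; a non-zero exit means at least one of the listed problems is present, and the messages say which line of sguild.conf to fix.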