Intrusion Detection using Snort, Sguil, Barnyard and more

From Alpine Linux
Jump to: navigation, search
Tango-two-arrows.png
This material is proposed for merging ...

It should be merged with Intrusion Detection using Snort. (Discuss)

Underconstruction clock icon gray.svg
This material is work-in-progress ...

Do not follow instructions here until this notice is removed.
(Last edited by Dubiousjim on 1 Jun 2012.)

This guide will set up (list subject to change):

  • Snort
  • Barnyard
  • Sguil

This guide will assume:

  • You have a knowledge of your network setup (at least know which subnets exist)
  • You have Alpine 2.0.2 installed and working with networking setup

Get Development Packages

Install Alpine and Pre-packaged components

    apk add alpine-sdk mysql-dev openssl-dev snort wireshark tcpdump tcpflow cvs


Download Non-Packaged Applications

Download the following packages using wget

   cd /usr/src
   wget itcl3.4b1.tar.gz
   wget tcl8.4.19-src.tar.gz
   wget tk8.4.19-src.tar.gz
   wget mysqltcl-3.02.tar.gz
   wget tclx8.4.tar.bz2
   wget tls1.6-src.tar.gz
   wget barnyard-0.2.0.tar.gz
   wget tcllib-1.12.tar.gz
   wget p0f.tgz
   wget iwidgets4.0.1.tar.gz

(need to add source locations for all the packages above)


sguild Configuration Steps

Configure sguild

   mkdir -p /home/sguil/sguild_data/archive
   mkdir /home/sguil/sguild_data/rules
   mkdir /home/sguil/sguild_data/load
   chown -R sguil.sguil /home/sguil/sguild_data

Now, start mysql using: mysql -u root -p

   GRANT ALL PRIVILEGES ON sguildb.* TO sguil@localhost IDENTIFIED BY "password";
   GRANT FILE ON *.* to sguil@localhost;
   update user set Password = OLD_PASSWORD("password") where User = "sguil";
   FLUSH PRIVILEGES;
   QUIT;

From the command line:

   mysql -u sguil -p -e "CREATE DATABASE sguildb"
   mysql -u sguil -p -D sguildb < /usr/local/sguil/server/sql_scripts/create_sguildb.sql
   mysql -u sguil -p -D sguildb -e "show tables"
   mkdir /var/run/sguil
   chown sguil.sguil /var/run/sguil
   mkdir -p /etc/sguild/certs
   cp /usr/local/sguil/server/sguild.conf /etc/sguild
   cp /usr/local/sguil/server/autocat.conf /etc/sguild
   cp /usr/local/sguil/server/sguild.users /etc/sguild
   cp /usr/local/sguil/server/sguild.queries /etc/sguild
   cp /usr/local/sguil/server/sguild.access /etc/sguild
   cp /usr/local/sguil/server/sguild.email /etc/sguild
   cp /usr/local/sguil/server/sguild.reports /etc/sguild
   chown -R sguil.sguil /etc/sguild

Now edit /etc/sguild/sguild.conf and change the following lines to match the below:

   set SGUILD_LIB_PATH /usr/local/sguil/server/lib
   set DEBUG 0
   set SENSOR_AGGREGATION_ON 0
   set RULESDIR /home/sguil/sguild_data/rules
   set DBPASS "password"
   set DBUSER sguil
   set LOCAL_LOG_DIR /home/sguil/sguild_data/archive
   set TCPFLOW /usr/bin/tcpflow
   set P0F 1
   set P0F_PATH /usr/local/bin/p0f
   set TMP_LOAD_DIR /home/sguil/sguild_data/load