Wednesday, December 28, 2005

First Sguil VM Available

I am happy to announce the availability of the first public Sguil sensor, server, and database in VM format. It's about 91 MB. Once it has been shared with all of the Sourceforge mirrors, you can download it here. I built it using the script described earlier.

So how do you use this? First, you need to have something like the free VMware Player for Windows or Linux. You can also use VMware Workstation or another variant if you like. When you download sguil0-6-0p1_freebsd6-0_1024mb.zip and expand it, you will find a directory like this:

FreeBSD.nvram
FreeBSD.vmsd
FreeBSD.vmx
FreeBSD-000001-cl1.vmdk

By opening the FreeBSD.vmx file in VMware Player, you should be able to start the VM.

Here are some important details.

  • The root password is r00t.

  • The user analyst is a member of the wheel group, so it can su to root. The analyst password is analyst.

  • The user sguil is not a member of the wheel group, so it can not directly su to root. The sguil password is sguil.

  • The host's management IP is 192.168.2.121. It is assigned the lnc0 interface and it is bridged via VMware.

  • The netmask is 255.255.255.0 and the default gateway is 192.168.2.1.

  • The default nameserver is 192.168.2.1.

  • Interface lnc1 is also bridged. It is not assigned an IP because it is used for sniffing.


You will probably want to change these parameters manually to meet your own network needs. For example, as root and logged in to the terminal:

ifconfig lnc0 down
ifconfig lnc0 inet 192.168.3.3 netmask 255.255.255.0 up
route add default 192.168.3.3
echo "nameserver 192.168.3.254" > /etc/resolv.conf

Make similar changes to the values in /etc/rc.conf if you want the new network scheme to survive a reboot.

You'll probably also want to change /etc/hosts to reflect your new IPs.

Important: As soon as you have network connectivity to the Internet, you must update the system time. When my VM wakes up, it still thinks it is Wednesday night. If you try connecting to it with a Sguil client, the times will not match properly. I recommend running something simple like the following as root on the VM:

ntpdate clock.isc.org

This will validate outside Internet connectivity and update the time. You can also manually set the time with the 'date' command. Note this VM does not have any man pages installed. If you need them for FreeBSD, look here.

Account passwords, for example, should be changed if you want to hook up this VM in any place outside a lab. Once the VM boots, I recommend logging in to two terminals. In one terminal, log in as user sguil. Execute the three scripts in sguil's home directory, namely the following, in this order:

sguild_start.sh
sensor_agent_start.sh
barnyard_start.sh

This will start the Sguil server, sensor, and Barnyard.

In the second terminal, log in as root. Start the following scripts:

sancp_start.sh
snort_start.sh
/usr/local/bin/log_packets.sh restart

This will start SANCP, Snort, and log_packets.sh, which uses a second instance of Snort to log full content data.

Once all the components are running, you need to connect to the Sguil server using a Sguil client. I did not install the Sguil client on the VM in order to save space (and to simplify this first round of work).

The easiest way to get a Sguil client running is to download and install the free standard ActiveTcl distribution for Windows. (Yes, Windows has the easiest client install, thanks to ActiveTcl. Linux might be as easy, but I don't have a Linux desktop to test.)

Once ActiveTcl is installed, download the Sguil client for Windows. It is a .zip that you need to extract. Once you do, change into the sguil-0.6.0p1/client directory. You'll see sguil.conf. Make the following edits:

# set ETHEREAL_PATH /usr/sbin/ethereal
# win32 example
set ETHEREAL_PATH "c:/progra~1/ethereal/ethereal.exe"
# Where to save the temporary raw data files on the client system
# You need to remember to delete these yourself.
# set ETHEREAL_STORE_DIR /tmp
# win32 example
set ETHEREAL_STORE_DIR "c:/tmp"
# Favorite browser for looking at sig info on snort.org
# set BROWSER_PATH /usr/bin/mozilla
# win32 example (IE)
set BROWSER_PATH c:/progra~1/intern~1/iexplore.exe

Next, edit the sguil.tk file to make one change as shown next:

set VERSION "SGUIL-0.6.0"

Now create a c:\tmp directory, and make sure you have Ethereal installed if you want to look at full content data in Ethereal.

You're ready to try the client.

Start Sguil by double-clicking on the sguil.tk icon in the Windows explorer. Initially Windows will not know how to run .tk files. Associate this file and other .tk files with the C:\Tcl\bin\wish84.exe program.

The Sguil host is the IP address of the Sguil server. In my VM that is 192.168.2.121. If you leave the demo.sguil.net address, you will connect to Bamm's demo server.

The default port of 7734 is the right port. For the Sguil user and password, the VM uses user sguil, password sguil.

Do not enable OpenSSL encryption. The VM is not built to include that. Select the sensor shown (gruden in the VM), and then click Start Sguil. You should next see the client.

If you want to get Snort to trip on traffic, try using Nmap to perform an OS identification (nmap -O) on the management IP address of the VM.

If you have any questions, please post them here. Better yet, visit us at irc.freenode.net in channel #snort-gui.

My next idea is to add a Sguil client, and document and script the process. That may wait until Sguil 0.6.1 is released however.

UPDATE: For a new VM with the client, please see this post.

11 comments:

Anonymous said...

Installing the Sguil client on Linux is not easier than doing so on Windows. ActiveTCL really makes it simple.

Great work on the VM.

Beau said...

Thank you! I can't wait to try this out!

Scott said...

the /nsm is small and i don't think vmplayer expands it on the fly the way WS does.

Richard Bejtlich said...

Scott,

This is a demonstration VM. To keep the image small I built it with a 1024 MB disk. I did not allocate all of the disk up front, but I didn't want the VM to get more than 1024 MB in size. If you want to build your own sensor with a bigger /nsm, try the script I posted earlier.

geek00L said...

This is totally great as it may help to get more people to try out on sguil, may it be analyst or sguil tester, we will have more people trying out sguil and would be helpful in bug finding.

Pushing sguil to the next level :)

Thanks Richard.

Anonymous said...

Hi,
after start sguil client on W2kSP4 I have an error "Mismatched version SERVER:(SGUIL-0.6.0 OPENSSL DISABLED) CLIENT:(SGUIL-0.6.0p1 OPENSSL DISABLED).Can You give me any hints or solutilon to this problem?

Richard Bejtlich said...

Anonymous,

The answer is found in my post:

In sguil.tk, change the VERSION line to read this:

set VERSION "SGUIL-0.6.0"

When Bamm released Sguil 0.6.0p1, he forgot to bump the version line in the client (sguil.tk).

Richard Bejtlich said...

Check that, Bamm forgot to bump the version line in the server, Either way, make the version numbers match in the client (sguil.tk) and the server (sguild) and you'll be fine.

Erik Kamerling said...

In my experience, if you use the ActiveState ActiveTCL package for Linux it is in fact just about as easy as a Windows client install. Yet, when using Linux as a client I haven't strayed from Fedora so YMMV. Other distros may vary in how easily ActiveTCL integrates and automatically takes care of SGUIL requirements.

But generally, if you go with ActiveTCL for Linux it is just as easy as a Windows implementation in my opinion.

Anonymous said...

works like a charm. BTW, I am reading extrusion detection - a really great book.

mysurface said...

"If you want to get Snort to trip on traffic, try using Nmap to perform an OS identification (nmap -O) on the management IP address of the VM."

I donno why, it doesn't work, sguil doesn't get any events when I nmap the mangement IP address (lnc0). What i did is i assign an IP for lnc1 and enable back the arp, then nmap lnc1. with this, i got it.