Friday, January 06, 2006

Sguil Installation Script v0.2 Available

Last week I posted news of a script called sguil_install_v0.1.sh to install all Sguil components except the client on a FreeBSD 6.0 system. Today I finished a new script, sguil_install_v0.2.sh, that installs all Sguil components -- including the client.

Here is an annotated diff of the changes.

First, version updates:

orr:/data/code/sh$ diff -u sguil_install_v0.1.sh sguil_install_v0.2.sh
--- sguil_install_v0.1.sh Wed Dec 28 21:35:06 2005
+++ sguil_install_v0.2.sh Fri Jan 6 10:40:38 2006
@@ -1,7 +1,7 @@
#!/bin/sh
#
# Sguil installation script by Richard Bejtlich (richard@taosecurity.com)
-# v0.1 28 December 2005
+# v0.2 6 January 2006
#
# Tested on FreeBSD 6.0 RELEASE
#
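Review bot: the bumped header line `+# v0.2 6 January 2006` records the new version and date but not what changed; a one-line changelog under it (sguild patch, X/Fluxbox install, client packages) would let someone reading the script tell v0.2 from v0.1 without diffing. The unchanged `# Tested on FreeBSD 6.0 RELEASE` line should also be re-confirmed, since this revision touches package fetching and the package site a few hunks down points at packages-6-stable.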
@@ -9,7 +9,7 @@
# This is not intended for production use where separate sensor, server,
# and client boxes are recommended

-echo "Sguil Installation Script"
+echo "Sguil Sensor, Server, Client Installation Script"
echo
echo "By Richard Bejtlich"
echo
@@ -33,7 +33,7 @@

# FreeBSD 6 packages

-PACKAGESITE=ftp://ftp2.freebsd.org/pub/FreeBSD/ports/i386/packages-6-stable/Latest/; export PACKAGESITE
+PACKAGESITE=ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-6-stable/Latest/; export PACKAGESITE

# Determine sensor name

Next, I decided to patch sguild, instead of telling users to patch sguil.tk. The new sguild.patch file looks like this:

orr:/home/richard$ cat sguild.patch
--- sguild Thu Dec 1 11:09:22 2005
+++ sguild.diff Thu Jan 5 20:43:14 2006
@@ -15,7 +15,7 @@

########################## GLOBALS ##################################

-set VERSION "SGUIL-0.6.0"
+set VERSION "SGUIL-0.6.0p1"
# DB Version
set DB_VERSION "0.11"
# Counter for tracking xscript transactions
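Review bot: the `+++ sguild.diff` header names a file that does not exist while `--- sguild` names the real one; `patch -p0` will fall back to the `---` name, but putting `sguild` on both header lines removes the dependence on that fallback and makes the patch self-explanatory.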

All the patch does is make the sguild version be what it should have been -- 0.6.0p1.

Returning to the installation script:

@@ -174,6 +174,12 @@
patch -p0 < log_packets.sh.patch
crontab -u root log_packets.sh.crontab

+# Retrieve, apply sguild patch for version number problem
+
+cd /usr/local/src/$SGUIL/server
+fetch http://www.bejtlich.net/sguild.patch
+patch -p0 < sguild.patch
+
# Install log_packets.sh

cp /usr/local/etc/nsm/log_packets.sh /usr/local/bin
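Review bot: `fetch http://www.bejtlich.net/sguild.patch` followed directly by `patch -p0 < sguild.patch` has no error check: if the fetch fails, patch reads a missing file and the script carries on with sguild still reporting 0.6.0 while the client expects 0.6.0p1. Chain them (`fetch ... && patch -p0 < sguild.patch || exit 1`) and, because this runs as root and modifies the server code, compare the downloaded patch against a published checksum (`md5 sguild.patch`) before applying it.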

Next come new sections to install an X server. These let users run 'startx' and land in the Fluxbox window manager.

@@ -219,20 +225,67 @@
cd /usr/local/src/$SGUIL/server
./sguild -c sguild.conf -u sguild.users -adduser sguil

+# Install X-related packages
+
+pkg_add -r xorg-server
+pkg_add -r xorg-clients
+pkg_add -r bitstream-vera
+pkg_add -r perl
+pkg_add -r xorg-fonts-100dpi
+pkg_add -r xorg-fonts-75dpi
+pkg_add -r xorg-fonts-miscbitmaps
+pkg_add -r fluxbox-devel
+
+# Configure Fluxbox
+
+echo "exec startfluxbox" > /home/analyst/.xinitrc
+chown analyst:analyst /home/analyst/.xinitrc
+
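Review bot: `echo "exec startfluxbox" > /home/analyst/.xinitrc` and the `chown analyst:analyst` below it assume the analyst account and its home directory already exist; nothing in the hunk creates or checks for them. Guard with `pw usershow analyst >/dev/null || exit 1` before writing, and add a comment on why `perl` is in the X package list, since nothing else in the hunk refers to it.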

The Sguil client needs a few new libraries. I had to build these myself, as they are not yet updated on the FreeBSD package building cluster. When the new packages are available through FreeBSD, I will edit the script.

+# Install additional packages for Sguil client
+
+cd /root
+fetch http://www.bejtlich.net/itcl-3.2.1_1.tbz
+fetch http://www.bejtlich.net/itk-3.2.1_1.tbz
+fetch http://www.bejtlich.net/iwidgets-4.0.1.tbz
+pkg_add itcl-3.2.1_1.tbz
+pkg_add itk-3.2.1_1.tbz
+pkg_add iwidgets-4.0.1.tbz
+pkg_add -r ethereal
+
+# Configure Wish
+
+mv /usr/local/bin/wish /usr/local/bin/wish.orig
+ln -s /usr/local/bin/wish8.4 /usr/local/bin/wish
+
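Review bot: `mv /usr/local/bin/wish /usr/local/bin/wish.orig` is not safe to run twice: on a second run it moves the `wish -> wish8.4` symlink over `wish.orig` and silently discards the original binary. Guard it with `[ -e /usr/local/bin/wish.orig ] || mv ...`. The three `.tbz` packages are also fetched over plain HTTP from a personal site and installed as root with no checksum; publishing `md5` sums beside them and verifying before each `pkg_add` would let users detect a corrupted or altered download.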

I create a simple startup script to facilitate starting the Sguil client. It looks like this.

#!/bin/sh
cd /usr/local/src/sguil-0.6.0p1/client
./sguil.tk

Returning to the script:

+# Fetch client startup script
+
+cd /home/analyst
+fetch http://www.bejtlich.net/sguil_client_start.sh
+chown analyst:analyst /home/analyst/sguil_client_start.sh
+chmod +x /home/analyst/sguil_client_start.sh
+
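Review bot: the fetched `sguil_client_start.sh` (shown just above) hardcodes `/usr/local/src/sguil-0.6.0p1/client`, while this script uses `$SGUIL` everywhere else; writing the two-line script locally with a heredoc built from `$SGUIL` would drop one network fetch and keep the two in sync when the Sguil version changes.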

Next I patch sguil.conf to handle locations of certain programs in FreeBSD. The patch looks like this:

orr:/data/code/sh$ cat sguil.conf.patch
--- sguil.conf Thu Oct 13 12:28:28 2005
+++ sguil.conf.diff Fri Jan 6 09:55:07 2006
@@ -35,7 +35,7 @@
# set FESTIVAL_PATH "c:\festival\bin\festival.exe"
#set WHOIS_PATH /common/bin/awhois.sh
# Path to ethereal
-set ETHEREAL_PATH /usr/sbin/ethereal
+set ETHEREAL_PATH /usr/X11R6/bin/ethereal
# win32 example
# set ETHEREAL_PATH "c:/progra~1/ethereal/ethereal.exe"
# Where to save the temporary raw data files on the client system
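Review bot: the changed line `+set ETHEREAL_PATH /usr/X11R6/bin/ethereal` deserves a comment saying it is where the FreeBSD ethereal package puts the binary, the way the win32 example just below is annotated, so someone building ethereal from ports with a different prefix knows what to edit; the `+++ sguil.conf.diff` header has the same mismatched file name as sguild.patch.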

Returning to the script:

+# Patch sguil.conf
+cd /usr/local/src/$SGUIL/client
+fetch http://www.bejtlich.net/sguil.conf.patch
+patch -p0 < sguil.conf.patch
+
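Review bot: `fetch` and `patch -p0 < sguil.conf.patch` again run without an exit-status check, so a failed download leaves the client looking for ethereal at `/usr/sbin/ethereal`, the very path this patch exists to replace; chain them with `&&` and `|| exit 1` as suggested for the sguild patch. Stylistically, the `# Patch sguil.conf` comment is not followed by a blank line like the other sections.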

Finally, I changed what users see when they finish executing the script:

# Messages to users

-echo "To start Sguil, execute the following."
+echo "To start Sguil server components, do the following."
echo
-echo "As user sguil:"
+echo "As user sguil, execute these scripts:"
echo
echo "/home/sguil/sguild_start.sh"
echo "/home/sguil/sensor_agent_start.sh"
echo "/home/sguil/barnyard_start.sh"
echo
-echo "Next, as user root:"
+echo "As user root, execute these scripts:"
echo
echo "/root/start_sancp.sh"
echo "/root/start_snort.sh"
echo "/usr/local/bin/log_packets.sh restart"
echo
-echo "You will then be able to connect using the separate Sguil client."
+echo "To start the Sguil client, do the following."
+echo
+echo "Log in as user analyst. Run startx to launch Fluxbox."
+echo "Launch a xterm, then run /home/analyst/sguil_client_start.sh."
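Review bot: `+echo "Launch a xterm, then run /home/analyst/sguil_client_start.sh."` should read "an xterm". The client instructions also never mention the sguil client password the user typed at the `-adduser sguil` prompt earlier; one more echo reminding them to log in as user sguil with that password would complete the message.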

To run this script effectively, you should use FreeBSD 6.0/i386. The minimum partitioning scheme follows. This requires a 1280 MB drive (1.25 GB). I install the "minimal" FreeBSD distribution when I use this script.

  • / 128 MB

  • Swap 256 MB

  • /usr 512 MB

  • /nsm 128 MB

  • /var 128 MB

  • /home 64 MB

  • /tmp 64 MB


You also need two users, in addition to root.

  • User analyst is a member of the wheel group and can therefore su - to root.

  • User sguil is not a member of the wheel group. However, I run as many parts of Sguil as possible using this user.
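A pre-flight check for the partition minimums and the two-user setup listed above, as an added example that is not part of the post or the install script; it assumes FreeBSD's `df -m` column layout and `id -Gn` output, and the function names are mine:

```shell
#!/bin/sh
# Pre-flight check for the prerequisites the post lists (added example,
# not part of sguil_install_v0.2.sh). Minimum sizes and the wheel rule
# come from the post; the function names are assumptions of this example.

# Minimum size in MB for a mount point, 0 if the post sets no minimum.
min_mb_for() {
    case "$1" in
        /)     echo 128 ;;
        /usr)  echo 512 ;;
        /nsm)  echo 128 ;;
        /var)  echo 128 ;;
        /home) echo 64 ;;
        /tmp)  echo 64 ;;
        *)     echo 0 ;;
    esac
}

# Reads `df -m` output on stdin, prints every mount point smaller than
# its minimum, and returns 1 if any were found.
check_partitions() {
    rc=0
    while read -r fs size used avail cap mnt; do
        [ "$fs" = "Filesystem" ] && continue   # skip the header line
        min=$(min_mb_for "$mnt")
        if [ "$min" -gt 0 ] && [ "$size" -lt "$min" ]; then
            echo "$mnt is ${size} MB, minimum is ${min} MB"
            rc=1
        fi
    done
    return $rc
}

# $1 = user, $2 = the user's groups as `id -Gn user` prints them,
# $3 = yes|no, whether the user must be in wheel. Returns 0 on a match.
check_wheel() {
    case " $2 " in
        *" wheel "*) actual=yes ;;
        *)           actual=no ;;
    esac
    [ "$actual" = "$3" ]
}

# Run this on the target host before the installer: analyst must be able
# to su - to root, sguil must not.
preflight() {
    df -m | check_partitions &&
    check_wheel analyst "$(id -Gn analyst)" yes &&
    check_wheel sguil "$(id -Gn sguil)" no
}
```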


Here is how to invoke the script:

$ su -
Password:
gruden# fetch http://www.bejtlich.net/sguil_install_v0.2.sh
gruden# chmod +x sguil_install_v0.2.sh
gruden# ./sguil_install_v0.2.sh

When the sguil client user password prompt appears, enter something like 'sguil'. This is the only pause in the script.

The end result of running this script inside a FreeBSD VM I created is a Sguil sensor, server, database, and client. I'll describe that in my next post.

5 comments:

Anonymous said...

I have been reading your blog for several months now and very much appreciate the work you put into it. It has been useful on several occasions.

I am trying to utilize your script which for the most part is working wonderfully for me. The only point I seem to be having issues with is the mysqltcl-3.01.tbz package that is downloaded from your site and then installed. The package downloads just fine, but then I get an error stating that pkg_add "could not find package ldconfig_compat-1.0_6". I tried manually adding this package but am unable to find it in the bsd port tree. Granted I am not as familiar with FreeBSD as with other operating systems, but I believe I am following the correct procedure. Any thoughts on how I can work around this would be great.

Thanks again.

Richard Bejtlich said...

Hello,

That error is associated with the newest build of mysqltcl-3.01, which I thought might work better than the old one. That does not seem to be the case. I have replaced that package with the old mysqltcl-3.01.tbz, which seems to be working. Try grabbing it again from http://www.bejtlich.net/mysqltcl-3.01.tbz and pkg_add -v.

Anonymous said...

I can't get the install scripts from your www.bejtlich.net site. I can get patches etc., but not the sguil_install.v0.2.sh or sguil_install.v0.1.sh.

I am using the wget command instead of fetch.

Richard Bejtlich said...

You are looking at an old post. Look here.