Friday, March 24, 2006

New Sguil VM Available for Testing

Using the scripts I described yesterday, I built a new Sguil VM. It is available here:

freebsd54-sguil-24mar06-pub1.tar.bz2 (310 MB)

SHA256 (freebsd54-sguil-24mar06-pub1.tar.bz2) =
a18bcd8114c4f40e43f777dc3f34ca917a44093e16f72a720f1ff6183e66f434

The VM is in bzip2 format. Windows users can extract it with bsdtar for Windows.

The OS is FreeBSD 5.4 with the latest security patches. Sguil 0.6.1 is set up with all components on the same system. This VM is similar to my two old VMs using FreeBSD 6.0 and Sguil 0.6.0p1.

I tried to address issues people discussed. I could not build the disks using SCSI because FreeBSD did not recognize them. I know the VM works in VMware Workstation and VMware Server Beta. I did not yet test it in VMware Player. VMware ESX Server probably doesn't work because it doesn't like IDE disks. This VM uses a 6 GB virtual disk. I gave the /nsm partition 2 GB space so you can try collecting more traffic.

I built the VM with two interfaces. As configured they are both bridging vmnet0 (the default interface). I personally change this before running the VM "in production," such that lnc0 bridges to a management interface (vmnet0 and eth0) and lnc1 bridges to a sniffing interface (vmnet2 and eth1). Yes, I am running this VM on Linux and VMware Server Beta.

Here are the accounts on the VM in (system) name: password; comment format.

  • (FreeBSD) sguil: sguil; not in wheel group

  • (FreeBSD) analyst: analyst; in wheel group

  • (FreeBSD) root: r00t

  • (MySQL) sguil: sguil

  • (MySQL) root: r00t

  • (Sguil) sguil: sguil


To get everything running:

  1. Boot the VM. Log in as user analyst. Run 'startx' to open an X session.

  2. Open an xterm. su - root. Run 'sancp_start.sh', 'snort_start.sh', '/usr/local/bin/log_packets.sh restart'.

  3. Open a second xterm. su - sguil. Run 'sguild_start.sh', 'sensor_agent_start.sh', 'barnyard_start.sh'.

  4. Open a third xterm. Run 'sguil_client_start.sh'.

  5. The Sguil client window will appear. Use server 'localhost', port '7734', user 'sguil', password 'sguil'.

  6. Select sensor 'taosecurity' when given the option.

  7. Congratulations. You are running Sguil!


When all components are running, 'sockstat -4' output will look something like this:

sguil barnyard 4502 11 tcp4 127.0.0.1:53438 127.0.0.1:7735
sguil tclsh8.4 4464 3 tcp4 127.0.0.1:50811 127.0.0.1:7736
sguil tclsh8.4 4464 4 tcp4 127.0.0.1:7735 *:*
sguil tclsh8.4 4464 5 tcp4 127.0.0.1:7735 127.0.0.1:53438
sguil tclsh8.4 4429 11 tcp4 *:7734 *:*
sguil tclsh8.4 4429 12 tcp4 127.0.0.1:7736 *:*
sguil tclsh8.4 4429 13 tcp4 127.0.0.1:7736 127.0.0.1:50811
mysql mysqld 1845 10 tcp4 127.0.0.1:3306 *:*


The Sguil client connects to port 7734 TCP, where the server is listening. Barnyard connects to port 7735 TCP. The sguild server listens on port 7736 TCP for connections from sensor_agent.tcl. MySQL listens on port 3306 TCP. Note in this deployment everything is listening on localhost except for MySQL. I usually don't have port 7734 TCP listening on public IPs. I instead use SSH port forwarding to tunnel the client communications:

ssh -L 7734:localhost:7734 analyst@sensor_mgt_ip

When I start my client I then connect to localhost, port 7734.

The easiest way to test the whole setup is to netcat to port 22 TCP on a system watched by the sensor. Enter the text 'GOBBLES' when connected to port 22 TCP. There is a Snort rule that fires when Snort sees this text on port 22 TCP.

You should see an alert appear in the Sguil console.

If you have any questions, please post them here as comments. You may also get help posting them via email to sguil-users at lists dot sourceforge dot net.

6 comments:

zooz said...

I ran netcat on localhost where sguil is installed and wasn't able to detect anything on the sguil client. what am i missing? what parameters did you use w/ nc?

thx

ps: huge difference from snort/base combo... really cool

Richard Bejtlich said...

zooz, visit us in #snort-gui on irc.freenode.net and chat.

zooz said...

thx;
i'm trying to get to demo.sguil.net through the sguil client but it's haulting...

is it not up?

thx again for the tip on #snort-gui

zooz

justin81 said...

Hi, I have started up the VM, right-clicked and chosen XTerm. I am presented with the following prompt in Xterm:
Taosecurity:/home/analyst$
I enter
su - root.
It asks for a password so I reply with
r00t.
The system prompts me with
Taosecurity:/root# so I respond with
sancp_start.sh
and it responds with
sancp_start.sh: Command not found and puts me back at the root command. I have tried the rest of the commands
snort_start.sh and
/usr/local/bin/log_packets.sh restart and in both cases it again, tells me the command is not recognised.
Can you tell me what I'm doing wrong, please?
Many thanks
Justin Forde.

Richard Bejtlich said...

justin81: This post and VM are almost 6 years old. Forget about it. Try securityonion.blogspot.com instead!

justin81 said...

Cheers Richard, will do.