Monday, September 18, 2006

Latest Sguil Scripts

I last talked about installing Sguil in March 2006. Over the last few weeks I've worked on the scripts I use for FreeBSD platforms, mainly as a response to changes in the various libraries and components. For example, Snort 2.6.0.2 is now available, replacing the Snort 2.4.x line.

The idea behind these scripts is to replace an English-text description of what to install where with a computer syntax version. If properly configured, these commands can set up everything you need for Sguil -- sensor, database, server, and client.

One of the major problems I've encountered is making good choices about libraries and components. The various Tcl libraries are on the fringes of support, compared to more popular packages. This makes it difficult to provide scripts that work without any real user modification. I decided the best I can do for the "run-it-without-looking" crowd is to let the scripts install (by default) packages shipped with FreeBSD 6.1 RELEASE, assuming you're running 6.1. If you know how to install using newer packages, you're free to set the right environment variable in the script and deal with the consequences.

The scripts I finished today are available at www.bejtlich.net/sguil_scripts_18sep06b.tar.gz.

They include:

  • sguil_sensor_install.sh: Set up Sguil sensor components.

  • snort_pkg_install.sh or snort_src_install.sh: Run one or the other. These set up Snort and Barnyard.

  • sguil_sensor_install_patch.sh: This patches configuration files that you should modify as listed in the README, namely sensor_agent.conf.patch, snort.conf.patch, barnyard.conf.patch, sancp.conf.patch, and log_packets.sh.patch.

  • sguil_database_install_pt1.sh: Set up MySQL database, part 1.

  • sguil_database_install_pt2.sh: Set up MySQL database, part 2.

  • sguil_server_install.sh: Set up Sguil server.

  • sguil_client_install.sh: Set up Sguil client.


If you are careful you can choose which scripts to run in order to have an all-in-one distribution or a separate box for every component (sensor, database, server, and client).

These are the prerequisites for the sensor and server.

  • Register at Snort.org to download snortrules-snapshot-CURRENT.tar.gz and put them in /tmp on your sensor.

The client box should be installed with the X packages. Otherwise, you can add the following manually:

# pkg_add -r xorg-server
# pkg_add -r xorg-clients
# pkg_add -r bitstream-vera
# pkg_add -r perl
# pkg_add -r xorg-fonts-100dpi
# pkg_add -r xorg-fonts-75dpi
# pkg_add -r xorg-fonts-miscbitmaps

All systems should have a user sguil and a user analyst to support the components.

The smoothest use of the scripts involves the following.

  • FreeBSD 6.1 RELEASE or SECURITY.

  • Sensor name is taosecurity.

  • Sensor is a VMware image with lnc0 interface for management and monitoring.

  • Avoid the snort_pkg_install.sh, since the Snort package with FreeBSD 6.1 RELEASE is Snort 2.4.x. That will not work as I have written the scripts. Use snort_src_install.sh instead.


Those suggestions will require the least number of modifications.

There is still a problem with this setup, however. The mysqltcl package shipped with FreeBSD 6.1 RELEASE requires mysql40-client as a dependency. I install mysql50-client prior, which conflicts with mysql40-client. This means the addition of mysqltcl as a package fails while running the sguil_server_install.sh script. Without mysqltcl, you can't start sguild, which means you can't add a sguil client user and thereby can't access Sguil.

You can work around this problem by retrieving the package from my Web server www.bejtlich.net/mysqltcl-3.01.tbz and adding it manually as root:

# pkg_add -v mysqltcl-3.01.tbz

You'll then need to add a sguil client user manually.

# cd /usr/local/src/sguil-0.6.1/server
# ./sguild -c sguild.conf -u sguild.users -adduser sguil
# cp sguild.users /usr/local/etc/nsm/
# chown sguil:sguil /usr/local/etc/nsm/sguild.users

You could also use the sguild_adduser.sh script, which contains basically the same commands, including an LD_LIBRARY_PATH setting in the event you have trouble creating the sguil client user manually.

#!/bin/sh -x
# Sguil version whose source tree holds sguild
SGUIL=sguil-0.6.1
# Let the Tcl MySQL binding find the MySQL client library
LD_LIBRARY_PATH=/usr/local/lib/mysql
export LD_LIBRARY_PATH
cd /usr/local/src/$SGUIL/server/
# Create the sguil client user; sguild prompts for the password
./sguild -c sguild.conf -u sguild.users -adduser sguil
# Install the users file where sguild reads it, owned by the sguil user
cp sguild.users /usr/local/etc/nsm/
chown sguil:sguil /usr/local/etc/nsm/sguild.users

Note that as an example of grappling with problems with the FreeBSD ports tree, the current databases/mysqltcl port is broken.

I recommend viewing the included README to see what you should run in order to get Sguil installed with all components on a single box.

If you have questions I strongly recommend posting them to sguil-users [at] lists.sourceforge.net. Any question I receive I usually send to the list. You may also find faq.sguil.net helpful.

It is important to realize that these scripts do not check to see what is installed prior to acting. Parts may fail if something is missing. If something is already installed (say, Tcl) then the pkg_add for a second instance of Tcl will fail -- but that won't cause any problems.
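Since the scripts do not check what is already installed, a small pre-flight script can catch the pitfalls described above (the 6.1 release assumption, the sguil and analyst users, the rules snapshot in /tmp, and the mysqltcl versus mysql50-client conflict) before a script fails halfway through. This is an added example, not one of the scripts in the tarball; it assumes pkg_info lists the mysql50-client package as mysql-client-5.0.x, and each check takes its input as an argument so it can be exercised against constructed data.

```shell
#!/bin/sh
# Pre-flight check for the Sguil install scripts (added example, not part of
# the tarball). main() feeds live values to the checks; the checks themselves
# only inspect their arguments. Package name mysql-client-5.0.x is assumed.

# 0 if the uname -r string is the 6.1 line the scripts default to, else 1.
release_check() {
    case "$1" in
        6.1-RELEASE*|6.1-SECURITY*) return 0 ;;
        *) echo "release $1 is not 6.1: set the package variable yourself"
           return 1 ;;
    esac
}

# 0 if the mysqltcl package can be added; 1 if pkg_add will fail because a
# mysql-client-5.x package is installed, which conflicts with the
# mysql40-client dependency of the 6.1 RELEASE mysqltcl package.
mysqltcl_check() {
    if printf '%s\n' "$1" | grep -q '^mysql-client-5\.'; then
        echo "mysql-client-5.x installed: add mysqltcl-3.01.tbz by hand"
        return 1
    fi
    return 0
}

# 0 if users sguil and analyst exist in the given passwd text and the rules
# snapshot exists at the given path; otherwise report what is missing, return 1.
prereq_check() {
    passwd="$1" rules="$2" rc=0
    for u in sguil analyst; do
        printf '%s\n' "$passwd" | grep -q "^$u:" || { echo "missing user: $u"; rc=1; }
    done
    [ -f "$rules" ] || { echo "missing rules snapshot: $rules"; rc=1; }
    return $rc
}

# Gather the live values; exit status 0 only when every check passes.
main() {
    rc=0
    release_check "$(uname -r)" || rc=1
    mysqltcl_check "$(pkg_info 2>/dev/null)" || rc=1
    prereq_check "$(cat /etc/passwd)" /tmp/snortrules-snapshot-CURRENT.tar.gz || rc=1
    return $rc
}

# Run against the live system with: RUN_PREFLIGHT=1 sh sguil_preflight.sh
if [ "${RUN_PREFLIGHT:-0}" = 1 ]; then main; fi
```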

Please consider all Sguil installation guidance prior to this to be obsolete. This post and the scripts are probably not as clear as I would like, but this is free work and the time I have allocated for it is done!

5 comments:

Joe said...

In

Line 16 reads: fetch http://www.snort.org/dl/current/$SNORT.tar.gz

Line 16 should read: fetch http://www.snort.org/dl/current/snort-$SNORT.tar.gz

Joe said...

Oops. Forgot to mention the file was snort_src_install.sh

Richard Bejtlich said...

Joe, thanks for your comment! I fixed the script and renamed the download.

Anonymous said...

What will the password be for the new user 'sguil' that the sguild_adduser.sh script creates?

Richard Bejtlich said...

Anonymous,

The password is whatever you enter when you run the script.