Snort-Sguil IDS

How to Build Sguil 0.8 on RHEL 6

http://jamieyu.com/snort-sguil-ids/          
Created: 20120204    Updated: 20120221

I recently built Sguil 0.8 on RHEL 6 64-bit servers. This is a nice upgrade for my IDS systems from the good old Sguil 0.7 on RHEL 5 32-bit systems I built back in 2008. There are a few build guides available for Sguil, but I haven’t found one that addresses this specific environment. I’m publishing the steps I took to build my IDS systems here, in the hope that they give some guidance to others who intend to do the same.

There are many ways to build IDS systems. Snort-Sguil IDS is my favorite and has been in my production environment for years. Snort does the monitoring and alerting, while Sguil provides the GUI for the IDS. Other components running on the sensor feed additional information to the GUI. All software components are available free of charge, except the OS. I haven’t tried it, but you should be able to apply the same setup to a CentOS box, which is almost a Red Hat without the logo.

I won’t go into details about what each software component is for. There are many good descriptions on the Internet.

1. A few words to new Sguil users

If this is the first time you are building Sguil, I suggest that you take a look at this page first. It’s a nice howto guide for Sguil 0.7, which I referred to when I built my old IDS systems. I like the way the author approached building versatile and secure IDS systems, and I have followed many of the good ideas in that guide. You should also be familiar with the architecture of Sguil. As far as I know, the basic data flow stayed the same from 0.7 to 0.8.

2. Hardware

To build and run Sguil, you need:

  • Sguil Server
  • Sguil Sensor (with Snort)
  • Source Compiler to compile source code

You can use 3 different machines, or you can combine server and compiler on the same machine. You should not put the compiler and the sensor on the same box. You can add more sensors as needed.

Additionally, you’ll run the Sguil Client on a workstation with a GUI desktop.

Hardware spec depends on the amount of network traffic that your IDS sensor is going to monitor. I’d recommend at least 2GB of memory and 300GB of hard drive space in RAID 1 or 5. If you can afford more, add more memory and hard drive space. As long as your hardware is no more than 4 years old, CPU speed should be sufficient. Multi-core CPUs enhance performance, of course.

3. OS

To install the RHEL 6 64-bit OS, first consider how you want to partition the hard drive. In my case, I used separate partitions for the following mount points:

  • /boot
  • /
  • swap
  • /usr
  • /tmp
  • /var
  • /nsm

Notice that /nsm is the largest partition; it holds all Snort and Sguil data. I configured it as a logical volume on a separate disk array so that I can add more hard drives to the volume group later on.

Install RHEL 6 64-bit with core and base packages.

Register your new server with RHN. Run “yum update” to get the latest software updates.

Add the “RHEL Server Optional” channel for the system on the RHN website. This gives access to the packages needed to compile code and run the software. This is needed for the compiler, server and sensor.

4. Compile Software

This section describes how to compile software on your compiler.

Add more packages:

# yum install gcc gcc-c++ make flex bison 
# yum install pcre-devel zlib-devel libpcap-devel
# yum install tcl-devel automake libtool

Tcl should already be installed. The package from Red Hat is not threaded, so you will not have the multi-thread issue seen on RHEL 5. If tcl is not installed, add the tcl package:

# yum install tcl

Create a folder /usr/src/nsm and place all your source packages in it. The sources are compiled in the particular order shown below, because some are prerequisites for others.

As a general rule, all compiled software will be located under /usr/local/. You will need to copy the software from your compiler to the server/sensor/client later (hint: tar and scp).

Symbolic links are created to remove version numbers. There are multiple advantages to creating version-less symbolic links, as you’ll see in the commands and configurations below. It also makes it easier to upgrade individual packages without breaking the other components.

4.1 libdnet – for sensor

Download libdnet-1.12.tgz from http://libdnet.googlecode.com/files/libdnet-1.12.tgz

# cd /usr/src/nsm
# tar zxvf libdnet-1.12.tgz
# rm libdnet-1.12.tgz
# cd libdnet-1.12
# ./configure --prefix=/usr/local/libdnet-1.12
# make
# make install
# ln -s /usr/local/libdnet-1.12 /usr/local/libdnet

4.2 DAQ – for sensor

Download daq-0.6.2.tar.gz from http://www.snort.org/downloads/1098

# cd /usr/src/nsm
# tar zxvf daq-0.6.2.tar.gz
# rm daq-0.6.2.tar.gz
# cd daq-0.6.2
# ./configure --prefix=/usr/local/daq-0.6.2 --with-dnet-includes=/usr/local/libdnet/include --with-dnet-libraries=/usr/local/libdnet/lib
# make 
# make install
# ln -s /usr/local/daq-0.6.2 /usr/local/daq
# PATH=/usr/local/daq/bin:$PATH

Note: the PATH change is needed for compiling Snort in the next step.

4.3 Snort – for sensor

Download snort-2.9.1.2.tar.gz from http://www.snort.org/downloads/1107

# cd /usr/src/nsm
# tar zxvf snort-2.9.1.2.tar.gz
# rm snort-2.9.1.2.tar.gz 
# cd snort-2.9.1.2
# ./configure --prefix=/usr/local/snort-2.9.1.2 --with-dnet-includes=/usr/local/libdnet/include --with-dnet-libraries=/usr/local/libdnet/lib --with-daq-includes=/usr/local/daq/include --with-daq-libraries=/usr/local/daq/lib
# make
# make install

It’s likely that by the time you read this guide, the Snort team has released a newer version of Snort. You should be able to compile and run the newer version the same way as shown here.

4.4 InstantNSM – for server/sensor

Download instantnsm-20080613.tar.gz from http://nsmwiki.org/InstantNSM

# cd /usr/src/nsm
# tar xzvf instantnsm-20080613.tar.gz
# rm instantnsm-20080613.tar.gz

There is no need to compile. The files will be used on the server and the sensor.

4.5 Sguil – for server/sensor/client

Download sguil-0.8.0.tar.gz from http://sourceforge.net/projects/sguil/files/sguil/sguil-0.8.0/

# cd /usr/src/nsm
# tar xzvf sguil-0.8.0.tar.gz
# rm sguil-0.8.0.tar.gz

There is no need to compile. The files will be used on the server, sensor and client.

4.6 PADS – for sensor

Download gamelinux-pads-1.3.0-0-g16b16b0.tar.gz from https://github.com/gamelinux/pads/tags

# cd /usr/src/nsm
# tar xzvf gamelinux-pads-1.3.0-0-g16b16b0.tar.gz
# rm gamelinux-pads-1.3.0-0-g16b16b0.tar.gz
# cd gamelinux-pads-31bb095/
# ./configure --prefix=/usr/local/pads-1.3
# make
# make install

4.7 SANCP – for sensor

Download sancp-1.6.1-stable.tar.gz from http://sourceforge.net/projects/sancp/

# cd /usr/src/nsm
# tar xzvf sancp-1.6.1-stable.tar.gz
# rm sancp-1.6.1-stable.tar.gz
# cd sancp-1.6.1-stable/

Modify the following lines in the Makefile:

# LINUX and BSD CFLAGS
CFLAGS = -O3 -I/usr/include/pcap -L/usr/lib64  -I./ -L/usr/lib/libsocket.so  -g -L/opt/csw/lib -ggdb
# LINUX  LFLAGS
LFLAGS = -lresolv -lnsl -lpcap -L/usr/lib64/libpcap.so

Continue:

# make linux
# mkdir -p /usr/local/sancp-1.6.1-stable/bin
# cp sancp /usr/local/sancp-1.6.1-stable/bin

4.8 mysqltcl – for server

Download mysqltcl-3.05.tar.gz from http://www.xdobry.de/mysqltcl/

# yum install mysql-devel
# cd /usr/src/nsm
# tar xzvf mysqltcl-3.05.tar.gz
# rm mysqltcl-3.05.tar.gz
# cd mysqltcl-3.05/
# ./configure --prefix=/usr/local/mysqltcl-3.05 --exec-prefix=/usr/local/mysqltcl-3.05 --with-tcl=/usr/lib64 --with-mysql-lib=/usr/lib64/mysql
# make
# make install

Note: the --enable-64bit option is currently not working.

4.9 Barnyard2 – for sensor

Download barnyard2-1.9.tar.gz from http://www.securixlive.com/barnyard2/download.php

# cd /usr/src/nsm
# tar xzvf barnyard2-1.9.tar.gz
# rm barnyard2-1.9.tar.gz
# cd barnyard2-1.9/
# autoconf
# ./configure --prefix=/usr/local/barnyard2-1.9 --with-tcl=/usr/lib64
# make
# make install

4.10 tls – for server/client

Download tls1.6-src.tar.gz from http://tls.sourceforge.net/

# cd /usr/src/nsm
# tar xzvf tls1.6-src.tar.gz
# rm tls1.6-src.tar.gz
# cd tls1.6/
# ./configure --prefix=/usr/local/tls1.6 --exec-prefix=/usr/local/tls1.6 --enable-64bit --with-tcl=/usr/lib64 --with-ssl-dir=/usr
# make
# make install

4.11 tcllib – for server

Download tcllib-1.13.tar.gz from http://sourceforge.net/projects/tcllib/files/tcllib/1.13/

# cd /usr/src/nsm
# tar xzvf tcllib-1.13.tar.gz
# rm tcllib-1.13.tar.gz
# cd tcllib-1.13/
# ./configure --prefix=/usr/local/tcllib-1.13
# make
# make install

4.12 p0f – for server

Download p0f.tgz from http://www.net-security.org/gotogo.php?cat=2&id=164

# cd /usr/src/nsm
# tar xzvf p0f.tgz
# rm p0f.tgz
# cd p0f/

Edit the mk/Linux file as follows:

LIBS    = -lpcap -I/usr/include -L/usr/lib64

Continue:

# make
# mkdir -p /usr/local/p0f-2.0.8/sbin
# cp p0f p0frep /usr/local/p0f-2.0.8/sbin

4.13 tcpflow – for server

Download tcpflow-1.0.2.tar.gz from http://freshmeat.net/projects/tcpflow

# cd /usr/src/nsm
# tar xzvf tcpflow-1.0.2.tar.gz
# rm tcpflow-1.0.2.tar.gz
# cd tcpflow-1.0.2/
# ./configure --prefix=/usr/local/tcpflow-1.0.2
# make
# make install

At this point, you should have all software ready under folder /usr/local/.

5. Set up Sguil Server

This section describes how to set up sguil server.

5.1 Prepare System

The following packages should already be installed on the server:

  • tcl
  • mysql
  • openssl

If a package is not installed, use “yum install xxx” to install it.
Install additional packages:

# yum install tclx mysql-server

Copy the following software from your compiler (under /usr/local/) to the server under /usr/local/:

  • mysqltcl
  • tcllib
  • tls
  • tcpflow
  • p0f

Copy the following software from your compiler (under /usr/src/nsm/) to the server under /usr/local/:

  • sguil
  • InstantNSM

Create version-less symbolic links:

# ln -s /usr/local/mysqltcl-3.05 /usr/local/mysqltcl
# ln -s /usr/local/tls1.6 /usr/local/tls
# ln -s /usr/local/tcllib-1.13 /usr/local/tcllib
# ln -s /usr/local/sguil-0.8.0 /usr/local/sguil
# ln -s /usr/local/p0f-2.0.8 /usr/local/p0f
# ln -s /usr/local/tcpflow-1.0.2 /usr/local/tcpflow

Add required packages in tcl:

# cp -rp /usr/local/mysqltcl/lib/mysqltcl-3.05 /usr/lib64/tcl8.5/
# cp -rp /usr/local/tcllib/lib/tcllib1.13 /usr/lib64/tcl8.5/
# cp -rp /usr/local/tls/lib/tls1.6 /usr/lib64/tcl8.5/

Verify packages in tcl:

# tclsh
% package require Tclx
8.4
% package require mysqltcl
3.05
% package require sha1
2.0.3
% exit

Note: You should see the package versions as shown above. If not, go back to “Add required packages in tcl” and copy the files again.

Add sguil user and folders:

# useradd -u 400 -d /home/sguil -c "SGUIL User" sguil
# passwd sguil
# mkdir -p /nsm/sguild_data/archive
# mkdir -p /nsm/sguild_data/rules
# mkdir -p /nsm/sguild_data/load
# chown -R sguil.sguil /nsm/sguild_data

5.2 Set up Database

Configure MySQL database server:

# useradd -u 27 -d /var/lib/mysql -s /bin/bash -c "MySQL Server" mysql
# mkdir /nsm/mysql
# chown -R mysql.mysql /nsm/mysql
# chmod 755 /nsm/mysql
# rm -rf /var/lib/mysql
# ln -s /nsm/mysql /var/lib/mysql

Start mysqld:

# chkconfig --level 345 mysqld on
# /usr/bin/mysql_install_db --user=mysql
# service mysqld start
Starting MySQL:                                            [  OK  ]

Verify mysqld is working:

# mysqladmin ping
mysqld is alive

Create database users (replace “password” and “sguil_password” with your own passwords):

# mysql -u root mysql
mysql> update user set Password = PASSWORD("password") where User = "root";
mysql> flush privileges;
mysql> exit
# mysql -u root -p mysql
mysql> GRANT ALL PRIVILEGES ON sguildb.* TO sguil@localhost IDENTIFIED BY "sguil_password";
mysql> GRANT FILE ON *.* to sguil@localhost;
mysql> update user set Password = PASSWORD("sguil_password") where User = "sguil";
mysql> FLUSH PRIVILEGES;
mysql> exit

Create Sguil database:

# mysql -u sguil -p -e "CREATE DATABASE sguildb"
# mysql -u sguil -p -D sguildb < /usr/local/sguil/server/sql_scripts/create_sguildb.sql

Verify Sguil database:

# mysql -u sguil -p -D sguildb -e "show tables"
Enter password: sguil_password
+-------------------+
| Tables_in_sguildb |
+-------------------+
| history           |
| nessus            |
| nessus_data       |
| pads              |
| portscan          |
| sensor            |
| status            |
| user_info         |
| version           |
+-------------------+

5.3 Configure Sguil Server

Copy files:

# mkdir /var/run/sguil
# chown sguil.sguil /var/run/sguil
# mkdir -p /etc/sguild/certs
# cp /usr/local/sguil/server/sguild.conf /etc/sguild
# cp /usr/local/sguil/server/autocat.conf /etc/sguild
# cp /usr/local/sguil/server/sguild.users /etc/sguild
# cp /usr/local/sguil/server/sguild.queries /etc/sguild
# cp /usr/local/sguil/server/sguild.access /etc/sguild
# cp /usr/local/sguil/server/sguild.email /etc/sguild
# cp /usr/local/sguil/server/sguild.reports /etc/sguild
# chown -R sguil.sguil /etc/sguild

Modify /etc/sguild/sguild.conf file:

set USER sguil
set GROUP sguil
set SGUILD_LIB_PATH /usr/local/sguil/server/lib
set DEBUG 0
set SENSOR_AGGREGATION_ON 0
set RULESDIR /nsm/sguild_data/rules
set DBPASS "sguil_password"
set DBUSER sguil
set LOCAL_LOG_DIR /nsm/sguild_data/archive
set TMP_LOAD_DIR /nsm/sguild_data/load
set TCPFLOW "/usr/local/tcpflow/bin/tcpflow"
set P0F 1
set P0F_PATH "/usr/local/p0f/sbin/p0f"

Set up certificates so that the Sguil components can communicate with each other:

# cd /etc/pki/tls/certs
# make sguild.pem

View the content of /etc/pki/tls/certs/sguild.pem. Copy everything from the “BEGIN RSA PRIVATE KEY” line to the “END RSA PRIVATE KEY” line (including these two lines) to a new file called sguild.key under /etc/sguild/certs/. Next, copy everything from the “BEGIN CERTIFICATE” line to the “END CERTIFICATE” line (including these two lines) to a new file called sguild.pem under /etc/sguild/certs/.
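The manual copy-and-paste above can be scripted, which also lets you leave the private key readable only by its owner (something a hand-made copy with the default umask does not guarantee). This is an added example, not part of the original guide or of Sguil itself; it assumes the combined file holds one private key block (labelled either “RSA PRIVATE KEY” or, as newer openssl writes, “PRIVATE KEY”) and one certificate block, and that the destination directory already exists.

```shell
#!/bin/sh
# Split the combined PEM written by "make sguild.pem" into the key and
# certificate files sguild expects, and restrict the key to its owner.
# Added example, not from the original guide. Assumes one private key block
# (label "RSA PRIVATE KEY" or "PRIVATE KEY") and one certificate block.

# extract_pem_block FILE LABEL_REGEX
# Print the first block whose BEGIN/END lines match LABEL_REGEX, including
# both boundary lines. The anchors make sure "CERTIFICATE" never matches a
# "CERTIFICATE REQUEST" block.
extract_pem_block() {
    awk -v label="$2" '
        $0 ~ ("^-----BEGIN " label "-----$") { inblock = 1 }
        inblock                              { print }
        $0 ~ ("^-----END " label "-----$")   { if (inblock) exit }
    ' "$1"
}

# split_sguild_pem COMBINED_PEM DEST_DIR [OWNER]
# Writes DEST_DIR/sguild.key (mode 0600) and DEST_DIR/sguild.pem (0644).
# Returns 1 without writing anything if either block is missing, so a
# truncated or wrong input file is noticed instead of producing half a setup.
split_sguild_pem() {
    src="$1"; dst="$2"; owner="${3:-sguil}"
    key="$(extract_pem_block "$src" "(RSA )?PRIVATE KEY")"
    crt="$(extract_pem_block "$src" "CERTIFICATE")"
    if [ -z "$key" ] || [ -z "$crt" ]; then
        echo "split_sguild_pem: $src lacks a private key or certificate block" >&2
        return 1
    fi
    # Create the key file under a restrictive umask so it is never, even
    # briefly, group- or world-readable; the certificate is public data.
    ( umask 077; printf '%s\n' "$key" > "$dst/sguild.key" ) || return 1
    printf '%s\n' "$crt" > "$dst/sguild.pem" || return 1
    chmod 600 "$dst/sguild.key"
    chmod 644 "$dst/sguild.pem"
    # sguild runs as the sguil user (set USER sguil above), so that user must
    # own the key. chown needs root; when run unprivileged, just say so.
    chown "$owner" "$dst/sguild.key" "$dst/sguild.pem" 2>/dev/null \
        || echo "split_sguild_pem: run as root to chown the files to $owner" >&2
    return 0
}

# Real usage on the Sguil server (as root):
#   split_sguild_pem /etc/pki/tls/certs/sguild.pem /etc/sguild/certs sguil
if [ $# -eq 2 ] || [ $# -eq 3 ]; then
    split_sguild_pem "$@"
fi
```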

Set log permission:

# mkdir -p /var/log/sguild
# chown -R sguil.sguil /var/log/sguild

Configure analyst accounts:

# /usr/local/sguil/server/sguild -adduser sguiluser

Note: “sguiluser” is the user account you will use in Sguil Client later.

Now start sguild:

# /usr/local/sguil/server/sguild -P /var/run/sguil/sguild.pid -D

5.4 Verify Server

Verify your server is working properly:

# ps -aef | grep sguil | grep -v grep
sguil     1928     1  0 10:00 ?        00:00:00 tclsh /usr/local/sguil/server/sguild -P /var/run/sguil/sguild.pid -D
sguil     1932  1928  0 10:00 ?        00:00:00 tclsh /usr/local/sguil/server/sguild -P /var/run/sguil/sguild.pid -D
sguil     1932  1928  0 10:00 ?        00:00:00 tclsh /usr/local/sguil/server/sguild -P /var/run/sguil/sguild.pid -D

Note: You should see 3 processes above.

6. Set up Sguil Sensor

This section describes how to set up Sguil sensor.

Your sensor should have two NICs, one for the management interface (eth0) and the other for listening to network traffic (eth1). There’s no need to configure an IP address on eth1.

In this guide the sensor is named “MYSENSOR”. This name has to be used consistently across all configuration files for the software to run correctly. If you have more than one sensor, each sensor should use a different name.

6.1 Prepare System

The following packages should already be installed on the sensor:

  • tcl
  • openssl
  • tcpdump

If not installed, use command “yum install xxx” to install.

Install additional packages:

# yum install pcre-devel zlib-devel libpcap-devel tclx

Copy the following software from your compiler (under /usr/local/) to the sensor under /usr/local/:

  • barnyard2
  • DAQ
  • libdnet
  • PADS
  • sancp
  • snort
  • tls

Copy the following software from your compiler (under /usr/src/nsm/) to the sensor under /usr/local/:

  • sguil
  • InstantNSM

Create version-less symbolic links:

# ln -s /usr/local/barnyard2-1.9 /usr/local/barnyard2
# ln -s /usr/local/daq-0.6.2 /usr/local/daq
# ln -s /usr/local/libdnet-1.12 /usr/local/libdnet
# ln -s /usr/local/pads-1.3 /usr/local/pads
# ln -s /usr/local/sancp-1.6.1-stable /usr/local/sancp
# ln -s /usr/local/sguil-0.8.0 /usr/local/sguil
# ln -s /usr/local/snort-2.9.1.2 /usr/local/snort
# ln -s /usr/local/tls1.6 /usr/local/tls

Create more symbolic links:

# ln -s /usr/local/barnyard2/bin/barnyard2 /usr/local/bin/
# ln -s /usr/local/sancp/bin/sancp /usr/local/bin/
# ln -s /usr/local/snort/bin/snort /usr/local/bin/
# ln -s /usr/local/pads/bin/pads /usr/local/bin/

Add required packages in tcl:

# cp -rp /usr/local/tls/lib/tls1.6 /usr/lib64/tcl8.5/

Verify packages in tcl:

# tclsh
% package require Tclx
8.4
% exit

Note: You should see the package version as shown above. If not, go back to “Add required packages in tcl” and copy the files again.

Add sguil user and folders:

# useradd -u 400 -d /home/sguil -c "SGUIL User" sguil
# mkdir -p /nsm/snort-logs/MYSENSOR/OLD
# mkdir -p /nsm/snort_data/MYSENSOR/dailylogs
# mkdir -p /nsm/snort_data/MYSENSOR/sancp
# chown -R sguil.sguil /nsm/snort-logs /nsm/snort_data
# ln -s /nsm/snort-logs/MYSENSOR /var/log/snort-MYSENSOR
# mkdir /var/run/sguil
# chown sguil.sguil /var/run/sguil

6.2 Configure Sensor Software

Configuration files are located in /etc/sguil/. This guide only shows the settings that need to be changed. Leave everything else in each file as is, even if it is not shown here.

Copy configuration files:

# mkdir /etc/sguil
# cp /usr/local/barnyard2/etc/barnyard2.conf /etc/sguil/
# cp /usr/local/pads/etc/pads.conf /etc/sguil/
# cp /usr/local/sguil/sensor/pads_agent.conf /etc/sguil/
# cp /usr/local/sguil/sensor/pcap_agent.conf /etc/sguil/
# cp /usr/local/sguil/sensor/sancp/sancp.conf /etc/sguil/
# cp /usr/local/sguil/sensor/sancp_agent.conf /etc/sguil/
# cp /usr/local/sguil/sensor/snort_agent.conf /etc/sguil/

Configure Barnyard2 by editing /etc/sguil/barnyard2.conf:

config reference_file: /usr/local/snortrules/etc/reference.config
config classification_file: /usr/local/snortrules/etc/classification.config
config gen_file: /usr/local/snortrules/etc/gen-msg.map
config sid_file: /usr/local/snortrules/etc/sid-msg.map
config hostname: MYSENSOR
config interface: eth1
#output alert_fast
output alert_syslog: LOG_AUTH LOG_ALERT
output sguil: sensor_name=MYSENSOR

Configure PADS by editing /etc/sguil/pads.conf:

daemon 1
pid_file /var/run/sguil/pads.pid
interface eth1
network 192.168.1.0/24
output fifo: /nsm/snort_data/MYSENSOR/pads.fifo

Note: Replace 192.168.1.0/24 with the network address that your sensor is monitoring.

Configure PADS_agent by editing /etc/sguil/pads_agent.conf:

set DEBUG 0
set DAEMON 0
set PID_FILE /var/run/sguil/pads_agent.pid
set SERVER_HOST 172.17.0.200
set HOSTNAME MYSENSOR
set NET_GROUP MYSENSOR
set LOG_DIR /nsm/snort_data

Note: Replace 172.17.0.200 with your Sguil server address.

Configure SANCP_agent by editing /etc/sguil/sancp_agent.conf:

set DEBUG 0
set DAEMON 0
set PID_FILE /var/run/sguil/sancp_agent.pid
set SERVER_HOST 172.17.0.200
set HOSTNAME MYSENSOR
set NET_GROUP MYSENSOR
set LOG_DIR /nsm/snort_data

Note: Replace 172.17.0.200 with your Sguil server address.

For Snort, we will use the /usr/local/snortrules/ folder to hold the rules:

# mkdir /usr/local/snortrules/

Download the Snort rules *.tar.gz file, place it in the /usr/local/snortrules folder and extract it there:

# cd /usr/local/snortrules
# tar xzvf snortrules-snapshot-2912.tar.gz
# touch /usr/local/snortrules/rules/white_list.rules
# touch /usr/local/snortrules/rules/black_list.rules
# mkdir /usr/local/snort/lib/snort_dynamicrules
# cp /usr/local/snortrules/so_rules/precompiled/RHEL-6-0/x86-64/2.9.1.2/* /usr/local/snort/lib/snort_dynamicrules/
# cd /usr/local/snortrules/etc/

Configure Snort by editing the /usr/local/snortrules/etc/snort.conf file. This can be tweaked to suit your needs. Here are the lines you must modify to run Snort properly:

###################################################
# Step #1: Set the network variables. 
###################################################
ipvar HOME_NET 192.168.1.0/24
var WHITE_LIST_PATH /usr/local/snortrules/rules
var BLACK_LIST_PATH /usr/local/snortrules/rules
 
###################################################
# Step #4: Configure dynamic loaded libraries.
###################################################
dynamicpreprocessor directory /usr/local/snort/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/snort/lib/snort_dynamicengine/libsf_engine.so
dynamicdetection directory /usr/local/snort/lib/snort_dynamicrules
 
###################################################
# Step #5: Configure preprocessors
###################################################
preprocessor perfmonitor: time 300 file /nsm/snort_data/MYSENSOR/snort.stats pktcnt 10000
 
###################################################
# Step #6: Configure output plugins
###################################################
#unified2
# the file name must match the -f argument barnyard2 is started with (merged.log)
output unified2: filename merged.log, limit 128

Once you are done with the rule set, copy the *.rules files to your IDS server under /nsm/sguild_data/rules/MYSENSOR/. This allows you to see the rules in the Sguil client console.

Note: Snort rule updates are not addressed here. This guide just provides a basic, manual way to set up Snort rules. There are tools available to automate the process, such as PulledPork or Oinkmaster. You could also write your own scripts.

Configure snort_agent by editing /etc/sguil/snort_agent.conf:

set DEBUG 0
set DAEMON 0
set PID_FILE /var/run/sguil/snort_agent.pid
set SERVER_HOST 172.17.0.200
set HOSTNAME MYSENSOR
set NET_GROUP MYSENSOR
set LOG_DIR /nsm/snort_data
set PORTSCAN 0
set PORTSCAN_DIR ${LOG_DIR}/${HOSTNAME}/portscans
set SNORT_PERF_STATS 1
set SNORT_PERF_FILE "${LOG_DIR}/${HOSTNAME}/snort.stats"

Note: Replace 172.17.0.200 with your Sguil server address.

Copy shell script to run Snort full packet capture:

# cp /usr/local/sguil/sensor/log_packets.sh /etc/sguil/

Modify /etc/sguil/log_packets.sh file:

HOSTNAME="MYSENSOR"
SNORT_PATH="/usr/local/bin/snort"
LOG_DIR="/nsm/snort_data"
MAX_DISK_USE=90
INTERFACE="eth1"
OPTIONS="-u sguil -g sguil -m 122"
PIDFILE="/var/run/sguil/snort_log.pid"
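The sensor name, server address and log directory have to agree across the three agent configuration files, barnyard2.conf and pads.conf, and the unified2 file name in snort.conf has to be the one barnyard2 is started with. The following script checks all of that in one pass. It is an added example, not part of the original guide or of Sguil, and assumes the file names and configuration keys exactly as shown in this guide.

```shell
#!/bin/sh
# Cross-check the sensor configuration files edited above for the values that
# have to agree with each other. Added example, not part of the original guide
# or of Sguil; it assumes the file names and keys exactly as shown in the guide.

# tcl_var FILE NAME : value of the line "set NAME value" (quotes stripped)
tcl_var() {
    awk -v name="$2" '$1 == "set" && $2 == name { gsub(/"/, "", $3); print $3; exit }' "$1"
}

# barnyard2_sensor_name FILE : X from "output sguil: sensor_name=X"
barnyard2_sensor_name() {
    awk '$1 == "output" && $2 == "sguil:" {
             for (i = 3; i <= NF; i++)
                 if (sub(/^sensor_name=/, "", $i)) { sub(/,$/, "", $i); print $i; exit }
         }' "$1"
}

# unified2_filename FILE : F from "output unified2: filename F, limit N"
unified2_filename() {
    awk '$1 == "output" && $2 == "unified2:" && $3 == "filename" { sub(/,$/, "", $4); print $4; exit }' "$1"
}

# check_value FILE WHAT GOT WANTED : report one inconsistency and count it
check_value() {
    [ "$3" = "$4" ] && return 0
    echo "$1: $2 is '$3', expected '$4'"
    problems=$((problems + 1))
}

# check_sensor_configs ETC_SGUIL_DIR SNORT_CONF BARNYARD2_INPUT
# BARNYARD2_INPUT is the file barnyard2 is started with (-f ...).
# Prints one line per inconsistency; returns the number found (0 = consistent).
check_sensor_configs() {
    etc="$1"; snortconf="$2"; by2file="$3"; problems=0
    # snort_agent.conf is taken as the reference the other files must match
    ref="$etc/snort_agent.conf"
    host="$(tcl_var "$ref" HOSTNAME)"
    server="$(tcl_var "$ref" SERVER_HOST)"
    logdir="$(tcl_var "$ref" LOG_DIR)"
    for agent in pads_agent sancp_agent snort_agent; do
        f="$etc/$agent.conf"
        check_value "$f" HOSTNAME    "$(tcl_var "$f" HOSTNAME)"    "$host"
        check_value "$f" NET_GROUP   "$(tcl_var "$f" NET_GROUP)"   "$host"
        check_value "$f" SERVER_HOST "$(tcl_var "$f" SERVER_HOST)" "$server"
        check_value "$f" LOG_DIR     "$(tcl_var "$f" LOG_DIR)"     "$logdir"
    done
    # barnyard2 must report its alerts under the same sensor name
    f="$etc/barnyard2.conf"
    check_value "$f" hostname "$(awk '$1 == "config" && $2 == "hostname:" { print $3; exit }' "$f")" "$host"
    check_value "$f" sensor_name "$(barnyard2_sensor_name "$f")" "$host"
    # the unified2 file Snort writes must be the one barnyard2 reads
    check_value "$snortconf" "unified2 filename" "$(unified2_filename "$snortconf")" "$by2file"
    # PADS must write its FIFO where pads_agent reads it (the "cat" process in 6.4)
    f="$etc/pads.conf"
    check_value "$f" fifo "$(awk '$1 == "output" && $2 == "fifo:" { print $3; exit }' "$f")" "$logdir/$host/pads.fifo"
    return "$problems"
}

# Real usage on the sensor:
#   check_sensor_configs /etc/sguil /usr/local/snortrules/etc/snort.conf merged.log
```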

6.3 Run Sensor Software

Note: If you prefer, you can jump ahead to Section 8 “Startup Scripts” instead of running the commands manually. The startup scripts do the same thing as described below. After you are done with the startup scripts, come back to Section 6.4 to verify.

Start Barnyard2:

# /usr/local/bin/barnyard2 -c /etc/sguil/barnyard2.conf -f merged.log --pid-path /var/run/sguil -w /var/log/snort-MYSENSOR/waldo2.file -l /var/log/snort-MYSENSOR -a /var/log/snort-MYSENSOR/OLD -d /var/log/snort-MYSENSOR -D

Start Sancp:

# /usr/local/bin/sancp -d /nsm/snort_data/MYSENSOR/sancp -i eth1 -u sguil -g sguil -c /etc/sguil/sancp.conf -D

Start Sancp_agent:

# tclsh /usr/local/sguil/sensor/sancp_agent.tcl -D -c /etc/sguil/sancp_agent.conf

Start PADS:

# /usr/local/bin/pads -c /etc/sguil/pads.conf -u sguil -g sguil

Start PADS_agent:

# tclsh /usr/local/sguil/sensor/pads_agent.tcl -D -c /etc/sguil/pads_agent.conf

Start pcap_agent:

# tclsh /usr/local/sguil/sensor/pcap_agent.tcl -D -c /etc/sguil/pcap_agent.conf

Start Snort:

# /usr/local/bin/snort -u sguil -g sguil -m 122 -l /var/log/snort-MYSENSOR -c /usr/local/snortrules/etc/snort.conf -D -i eth1 -q -A none -U --pid-path /var/run/sguil

Start Snort_agent:

# tclsh /usr/local/sguil/sensor/snort_agent.tcl -D -c /etc/sguil/snort_agent.conf

Start Snort full packet capture:

# /etc/sguil/log_packets.sh

6.4 Verify Sensor

Verify your sensor is working properly:

# ps -aef | grep sguil | grep -v grep
sguil     1901     1  0 10:00 ?        00:00:00 tclsh /usr/local/sguil/sensor/pads_agent.tcl -D -c /etc/sguil/pads_agent.conf
sguil     1903  1901  0 10:00 ?        00:00:00 cat /nsm/snort_data/MYSENSOR/pads.fifo
sguil     1911     1  0 10:00 ?        00:00:00 tclsh /usr/local/sguil/sensor/pcap_agent.tcl -D -c /etc/sguil/pcap_agent.conf
sguil     1920     1  0 10:00 ?        00:00:00 tclsh /usr/local/sguil/sensor/sancp_agent.tcl -D -c /etc/sguil/sancp_agent.conf
sguil     1945     1  0 10:00 ?        00:00:00 tclsh /usr/local/sguil/sensor/snort_agent.tcl -D -c /etc/sguil/snort_agent.conf
sguil     1949  1945  0 10:00 ?        00:00:00 tail -n 1 -f /nsm/snort_data/MYSENSOR/snort.stats
sguil     1954     1  0 10:00 ?        00:00:00 /usr/local/bin/barnyard2 -c /etc/sguil/barnyard2.conf -f merged.log --pid-path /var/run/sguil -w /var/log/snort-MYSENSOR/waldo2.file -l /var/log/snort-MYSENSOR -a /var/log/snort-MYSENSOR/OLD -d /var/log/snort-MYSENSOR-D
sguil     1961     1  1 10:00 ?        00:00:00 /usr/local/bin/sancp -d /nsm/snort_data/MYSENSOR/sancp -i eth1 -u sguil -g sguil -c /etc/sguil/sancp.conf -D
sguil     1914     1  1 10:00 ?        00:00:00 /usr/local/bin/pads -c /etc/sguil/pads.conf -u sguil -g sguil
sguil     1934     1  2 10:00 ?        00:00:00 /usr/local/bin/snort -u sguil -g sguil -m 122 -l /var/log/snort-MYSENSOR -c /usr/local/snortrules/etc/snort.conf -D -i eth1 -q -A none -U --pid-path /var/run/sguil
sguil     1958     1  7 10:00 ?        00:00:00 /usr/local/bin/snort -u sguil -g sguil -m 122 -l /nsm/snort_data/MYSENSOR/dailylogs/2011-12-01 -b -i eth1

Note: You should see 11 processes above.
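A reusable form of the check above, suitable for running from cron and alerting on non-empty output, that names each expected sensor process that is not running. Added example, not from the original guide; it assumes the command lines exactly as started in Section 6.3 (paths under /etc/sguil, /nsm/snort_data and /var/log/snort-SENSOR).

```shell
#!/bin/sh
# Report which of the eleven sensor processes listed above are missing.
# Added example, not part of the original guide. Reads "ps" command lines
# from stdin so it can be fed either live output or a saved copy.

# missing_sensor_procs SENSOR < ps_output
# Prints the name of each expected component that has no matching process
# and returns the number missing (0 = everything from 6.3 is running).
missing_sensor_procs() {
    sensor="$1"
    ps_out="$(cat)"
    missing=0
    # name|fixed-string pattern, one per expected process (see the 6.4 listing)
    for spec in \
        "pads_agent|pads_agent.tcl -D -c /etc/sguil/pads_agent.conf" \
        "pads_fifo_reader|cat /nsm/snort_data/$sensor/pads.fifo" \
        "pcap_agent|pcap_agent.tcl -D -c /etc/sguil/pcap_agent.conf" \
        "sancp_agent|sancp_agent.tcl -D -c /etc/sguil/sancp_agent.conf" \
        "snort_agent|snort_agent.tcl -D -c /etc/sguil/snort_agent.conf" \
        "snort_stats_tail|tail -n 1 -f /nsm/snort_data/$sensor/snort.stats" \
        "barnyard2|barnyard2 -c /etc/sguil/barnyard2.conf" \
        "sancp|sancp -d /nsm/snort_data/$sensor/sancp -i" \
        "pads|pads -c /etc/sguil/pads.conf" \
        "snort_ids|snort -u sguil -g sguil -m 122 -l /var/log/snort-$sensor -c" \
        "snort_logger|snort -u sguil -g sguil -m 122 -l /nsm/snort_data/$sensor/dailylogs/"
    do
        name="${spec%%|*}"
        pattern="${spec#*|}"
        # -F: match the pattern literally, never as a regular expression
        if ! printf '%s\n' "$ps_out" | grep -F -q -- "$pattern"; then
            echo "$name"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Real usage on the sensor, e.g. hourly from cron:
#   ps -eo args= | missing_sensor_procs MYSENSOR
```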

7. Set up Sguil Client

Sguil client can run on many systems. I have Sguil client 0.8 installed on an OpenSuse 64-bit system with Gnome desktop.

Install the following packages:

  • wireshark
  • tls
  • tclx
  • tcllib
  • itcl
  • iwidgets

Download the sguil-client-0.8.0.tar.gz file from http://sourceforge.net/projects/sguil/files/sguil/sguil-0.8.0/ and place it under /usr/local/.

# cd /usr/local/
# tar xzvf sguil-client-0.8.0.tar.gz
# rm sguil-client-0.8.0.tar.gz
# ln -s /usr/local/sguil-0.8.0 /usr/local/sguil
# ln -s /usr/local/sguil/client/sguil.tk /usr/local/bin
# cp /usr/local/sguil/client/sguil.conf /root/sguil.conf

Modify a few lines in /root/sguil.conf:

set SERVERHOST 172.17.0.200
set SGUILLIB /usr/local/sguil/client/lib
set TLS_PATH "/usr/lib64/tcl/tls1.6/libtls16.so"
set DEBUG 0
set EXT_DNS_SERVER 8.8.8.8
set HOME_NET "192.168.1.0/24"
set WIRESHARK_PATH /usr/bin/wireshark

Note: Change the IP addresses to suit your own needs. SERVERHOST should be your Sguil server IP.

Run Sguil client:

# /usr/local/bin/sguil.tk

Log in with the ‘sguiluser’ credentials. Check the sensor you want to monitor. Click “Start Sguil” to enter the console. You should see Snort alerts and PADS alerts in the console.

8. Startup Scripts

Once everything is working, it’s time to get the startup scripts ready so that the services start automatically upon system reboot.

8.1 Sguil Server Startup Scripts

This script runs on the Sguil server only. Copy the startup script:

# cp /usr/local/instantnsm-20080613/startup_files/rhel/sguild /etc/init.d

Modify /etc/init.d/sguild file:

sguild="/usr/local/sguil/server/sguild"
prog="sguild"
#sguil_user="sguil"
start() {
    echo -n $"Starting $prog: "
    RETVAL=0
    daemon $sguild -P /var/run/sguil/sguild.pid -D

Configure service:

# chkconfig --add sguild
# chkconfig --level 345 sguild on

Reboot the server and verify that mysqld and the Sguil server both start properly.

Note: The mysqld service was already configured when you installed the package earlier.

8.2 Sguil Sensor Startup Scripts

These scripts run on the Sguil sensor only. Copy the startup scripts:

# cp /usr/local/instantnsm-20080613/startup_files/rhel/barnyard-sensor /etc/init.d/barnyard2
# cp /usr/local/instantnsm-20080613/startup_files/rhel/sancp-sensor /etc/init.d/sancp
# cp /usr/local/instantnsm-20080613/startup_files/rhel/sancp_agent-sensor /etc/init.d/sancp_agent
# cp /usr/local/instantnsm-20080613/startup_files/rhel/pads_agent-sensor /etc/init.d/pads_agent
# cp /usr/local/instantnsm-20080613/startup_files/rhel/pcap_agent-sensor /etc/init.d/pcap_agent
# cp /usr/local/instantnsm-20080613/startup_files/rhel/snort_agent-sensor /etc/init.d/snort_agent
# cp /usr/local/instantnsm-20080613/startup_files/rhel/sguil_logger-sensor /etc/init.d/sguil_logger
# cp /usr/local/instantnsm-20080613/startup_files/rhel/snort-sensor /etc/init.d/snort
# cp /usr/local/instantnsm-20080613/startup_files/rhel/pads-sensor /etc/init.d/pads

Modify /etc/init.d/barnyard2 file:

SENSOR=MYSENSOR
SNORTLOG=/var/log/snort-$SENSOR
BARNYARD2BIN=/usr/local/bin/barnyard2
[ "${NETWORKING}" = "no" ] && exit 0
barnyard2="$BARNYARD2BIN -f merged.log -w $SNORTLOG/waldo2.file -l $SNORTLOG -a $SNORTLOG/OLD -d $SNORTLOG -D"
prog="barnyard2"
sguil_user="sguil"
start() {
    echo -n $"Starting $prog: "
    RETVAL=0
    daemon --user $sguil_user $barnyard2
    RETVAL=$?
    echo
}
stop() {
    echo -n $"Shutting down $prog: "
    kill -9 `ps auxww | grep -i barnyard2.conf | grep -v grep | awk '{print $2}'`
    echo
}
status() {
    PID=`ps auxww | grep -i barnyard2.conf | grep -v grep | awk '{print $2}'`

Modify /etc/init.d/pads file:

SENSOR=MYSENSOR
NSMDIR=/nsm/snort_data
RETVAL=0
PADSBIN=/usr/local/bin/pads
PADS="$PADSBIN -c /etc/sguil/pads.conf -u sguil -g sguil"
start(){
   echo -n "Starting PADS: "
    daemon $PADS
    RETVAL=$?
    echo
    chown -R  sguil.sguil $NSMDIR/$SENSOR/pads.fifo
    return $RETVAL
}
stop(){
    echo -n "Stopping PADS: "
    kill -9 `ps auxww | grep pads | grep pads.conf | grep -v grep | awk '{print $2}'`
    RETVAL=$?
    echo
    return $RETVAL
}
restart(){
    stop
    start
}
status() {
    PID=`ps auxww | grep pads | grep pads.conf | grep -v grep | awk '{print $2}'`

Modify /etc/init.d/pads_agent file:

SENSOR=MYSENSOR
PADS_AGENT_TCL=/usr/local/sguil/sensor/pads_agent.tcl
sensor_agent="$PADS_AGENT_TCL -D -c /etc/sguil/pads_agent.conf"
prog="pads_agent"
start() {
    echo -n $"Starting $prog: "
    RETVAL=0
    daemon --user sguil $sensor_agent
    RETVAL=$?
    echo
}
stop() {
    echo -n $"Shutting down $prog: "
    kill -9 `ps auxww | grep tclsh | grep pads_agent.tcl | grep pads_agent.conf | grep -v grep | awk '{print $2}'`
    echo
}
status() {
    PID=`ps auxww | grep tclsh | grep pads_agent.tcl | grep pads_agent.conf | grep -v grep | awk '{print $2}'`

Modify /etc/init.d/pcap_agent file:

SENSOR=MYSENSOR
PCAP_AGENT_TCL=/usr/local/sguil/sensor/pcap_agent.tcl
sensor_agent="$PCAP_AGENT_TCL -D -c /etc/sguil/pcap_agent.conf"
prog="pcap_agent"
start() {
    echo -n $"Starting $prog: "
    RETVAL=0
    daemon --user sguil $sensor_agent
    RETVAL=$?
    echo
}
stop() {
    echo -n $"Shutting down $prog: "
    kill -9 `ps auxww | grep tclsh | grep pcap_agent.tcl | grep pcap_agent.conf | grep -v grep | awk '{print $2}'`
    echo
}
status() {
    PID=`ps auxww | grep tclsh | grep pcap_agent.tcl | grep pcap_agent.conf | grep -v grep | awk '{print $2}'`

Modify /etc/init.d/sancp file:

SENSOR=MYSENSOR
IFACE=eth1
NSMDIR=/nsm/snort_data
SANCPBIN=/usr/local/bin/sancp
sancp="$SANCPBIN -d $NSMDIR/$SENSOR/sancp -i $IFACE -u sguil -g sguil -c /etc/sguil/sancp.conf -D $VLAN"
prog="sancp"
start() {
    echo -n $"Starting $prog: "
    RETVAL=0
    daemon $sancp
    RETVAL=$?
    echo
}
stop() {
    echo -n $"Shutting down $prog: "
    kill -9 `ps auxww | grep $SANCPBIN | grep $SENSOR | grep -v grep | awk '{print $2}'`
    echo
}
status() {
    PID=`ps auxww | grep $SANCPBIN | grep $SENSOR | grep -v grep | awk '{print $2}'`

Modify /etc/init.d/sancp_agent file:

SENSOR=MYSENSOR
SANCP_AGENT_TCL=/usr/local/sguil/sensor/sancp_agent.tcl
sensor_agent="$SANCP_AGENT_TCL -D -c /etc/sguil/sancp_agent.conf"
prog="sancp_agent"
start() {
    echo -n $"Starting $prog: "
    RETVAL=0
    daemon --user sguil $sensor_agent
    RETVAL=$?
    echo
}
stop() {
    echo -n $"Shutting down $prog: "
    kill -9 `ps auxww | grep tclsh | grep sancp_agent.tcl | grep sancp_agent.conf | grep -v grep | awk '{print $2}'`
    echo
}
status() {
    PID=`ps auxww | grep tclsh | grep sancp_agent.tcl | grep sancp_agent.conf | grep -v grep | awk '{print $2}'`

Modify /etc/init.d/snort file:

SENSOR=MYSENSOR
NSMDIR=/nsm/snort_data
IFACE=eth1
RETVAL=0
SNORTLOG=/var/log/snort-$SENSOR
SNORTBIN=/usr/local/bin/snort
PIDDIR=/var/run/sguil
SNORT="$SNORTBIN -u sguil -g sguil -m 122 -l $SNORTLOG -c /usr/local/snortrules/etc/snort.conf -D -i $IFACE -q -A none -U --pid-path $PIDDIR"

Modify /etc/init.d/snort_agent file:

SENSOR=MYSENSOR
SNORT_AGENT_TCL=/usr/local/sguil/sensor/snort_agent.tcl
sensor_agent="$SNORT_AGENT_TCL -D -c /etc/sguil/snort_agent.conf"
prog="snort_agent"
start() {
    echo -n $"Starting $prog: "
    RETVAL=0
    daemon --user sguil $sensor_agent
    RETVAL=$?
    echo
}
stop() {
    echo -n $"Shutting down $prog: "
    kill -9 `ps auxww | grep tclsh | grep snort_agent.tcl | grep snort_agent.conf | grep -v grep | awk '{print $2}'`
    echo
}
status() {
    PID=`ps auxww | grep tclsh | grep snort_agent.tcl | grep snort_agent.conf | grep -v grep | awk '{print $2}'`

Modify /etc/init.d/sguil_logger file:

SENSOR=MYSENSOR
sguil_logger="/etc/sguil/log_packets.sh"
prog="log_packets.sh"
PIDFILE=/var/run/sguil/snort_log.pid

Configure services:

# chkconfig --add barnyard2
# chkconfig --add sancp
# chkconfig --add sancp_agent
# chkconfig --add pads_agent
# chkconfig --add pcap_agent
# chkconfig --add snort_agent
# chkconfig --add sguil_logger
# chkconfig --add snort
# chkconfig --add pads
# chkconfig --level 345 barnyard2 on
# chkconfig --level 345 sancp on
# chkconfig --level 345 sancp_agent on
# chkconfig --level 345 pads_agent on
# chkconfig --level 345 pcap_agent on
# chkconfig --level 345 snort_agent on
# chkconfig --level 345 sguil_logger on
# chkconfig --level 345 snort on
# chkconfig --level 345 pads on

Schedule the Sguil packet logger to restart hourly so that the Snort logs rotate:

# crontab -e
# Restart the sguil packet logger on a regular basis
0 * * * * /etc/init.d/sguil_logger restart

Reboot the sensor and verify that all services start properly.

9. Get Help

Things don’t always work the way we intended. If you can’t get it to work, check your files and folders to make sure you’ve made the correct modifications. You can also run the software in the foreground (without daemon mode) and turn on verbose logging, where available, to troubleshoot. Check the logs.

If you do get stuck, I’d suggest a few places that you could get some help:

For Snort-specific questions:

Most of the software mentioned here is created and maintained by volunteers. It’s a good idea to contribute back to the community if you can.
