My Sguil debs howto

Ubuntu Hardy (8.04 LTS) my sguil dot debs howto
I build my dot debs with the main goal of having them work on Ubuntu Hardy (LTS). If they also work on other Debian-based systems, that's great! I have nothing against working towards getting them to run on as many Debian systems as possible, but my main goal for now is Ubuntu Hardy (LTS). (My focus will stay on the latest Ubuntu LTS.)

Sguil Client:
WORK IN PROGRESS
Preferably not to be installed on the sensors or server.
# dpkg -i sguil-client_0.7.0-X_all.deb
# apt-get install -f
# dpkg -i sguil-client_0.7.0-X_all.deb

# sguil.tk

Sguil Sensor:
WORK IN PROGRESS
# dpkg -i barnyard_0.2.0-X_ARCH.deb sancp_1.6.1-X_ARCH.deb sguil-sensor_0.7.0-X_all.deb pads_1.2-1_xxx_xxx.deb
# apt-get install -f
# dpkg -i barnyard_0.2.0-X_ARCH.deb sancp_1.6.1-X_ARCH.deb sguil-sensor_0.7.0-X_all.deb pads_1.2-1_xxx_xxx.deb

Edit all your /etc/sguil-sensor/XXXX_agent.conf files and, at a minimum, set the sguild server name:
-------------------8<--------------------
# Name of sguild server
set SERVER_HOST
-------------------8<--------------------

Make sure that your SANCP_INTERFACE variable is correct in /etc/default/sancp.
I will not try to educate you in snort, my time is too sparse for that, but try dpkg-reconfigure snort
and have a look at /etc/snort/snort.debian.conf.

For barnyard, the statistics and the portscan logfile to work properly, your snort.conf needs these lines:
-------------------8<--------------------
output log_unified: filename snort.log, limit 128
preprocessor perfmonitor: time 300 file /nsm_data/*sensor hostname*/snort.stats pktcnt 10000
preprocessor sfportscan: proto { all } \
memcap { 30000000 } \
logfile { /nsm_data/*sensor hostname*/portscans } \
sense_level { low }
-------------------8<--------------------

You also need to edit /usr/sbin/log_packets.sh and set the INTERFACE variable to the interface you want to collect packets from.

Your pads config file should look something like this (edit it for your needs!!):
-------------------8<--------------------
#daemon 1
pid_file /var/run/pads-sensor.pid
interface eth1
network 10.10.10.0/24
-------------------8<--------------------

Start the sensor services (one init script per service, since /etc/init.d/$SERVICES would only run the first one with the rest as arguments):
SERVICES="snort pads barnyard sancp sguil-sensor-sancp sguil-sensor-snort sguil-sensor-pcap sguil-sensor-pads"
for s in $SERVICES; do /etc/init.d/$s start; done
/usr/sbin/log_packets.sh start
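Before starting the services, a quick pre-flight check of the sensor settings listed above, as an added example that is not part of the original howto or of the sguil packages. It greps the files the howto names (under an /etc-like root you pass in); the sample tree it can write is constructed only for the demonstration.

```sh
#!/bin/sh
# Added example, not part of the original howto: a pre-flight check for the
# sensor settings this page says must be edited before starting the services.
# Paths mirror the howto under an /etc-like root; sample files are constructed.

# *_agent.conf: "set SERVER_HOST" must be followed by the sguild host.
check_agent_conf() {
    grep -Eq '^[[:space:]]*set[[:space:]]+SERVER_HOST[[:space:]]+[^[:space:]]+' "$1"
}

# snort.conf: unified output, perfmonitor stats file and a portscan logfile.
check_snort_conf() {
    grep -Eq '^output[[:space:]]+log_unified:' "$1" &&
    grep -Eq '^preprocessor[[:space:]]+perfmonitor:.*[[:space:]]file[[:space:]]+/' "$1" &&
    grep -Eq '^preprocessor[[:space:]]+sfportscan:' "$1" &&
    grep -Eq 'logfile[[:space:]]*[{][[:space:]]*/' "$1"
}

# Shell-style VAR=value (SANCP_INTERFACE, INTERFACE) must name an interface.
check_var() {
    grep -Eq '^[[:space:]]*'"$2"'="?[A-Za-z0-9.:-]+"?[[:space:]]*$' "$1"
}

# Run all checks against ROOT; print each failure, return the failure count.
check_sensor_tree() {
    root=$1; fails=0
    for f in "$root"/sguil-sensor/*_agent.conf; do
        check_agent_conf "$f" || { echo "SERVER_HOST not set in $f"; fails=$((fails+1)); }
    done
    check_snort_conf "$root/snort/snort.conf" || { echo "snort.conf lacks required barnyard/stats/portscan lines"; fails=$((fails+1)); }
    check_var "$root/default/sancp" SANCP_INTERFACE || { echo "SANCP_INTERFACE not set"; fails=$((fails+1)); }
    check_var "$root/log_packets.sh" INTERFACE || { echo "INTERFACE not set in log_packets.sh"; fails=$((fails+1)); }
    return $fails
}

# Constructed sample tree: MODE "ok" is fully edited, "unedited" is as shipped.
write_sample_tree() {
    mkdir -p "$1/sguil-sensor" "$1/snort" "$1/default"
    if [ "$2" = ok ]; then host=sguild.example.internal; iface=eth1; else host=; iface=; fi
    printf '# Name of sguild server\nset SERVER_HOST %s\n' "$host" > "$1/sguil-sensor/snort_agent.conf"
    if [ "$2" = ok ]; then
        printf 'output log_unified: filename snort.log, limit 128\npreprocessor perfmonitor: time 300 file /nsm_data/sensor1/snort.stats pktcnt 10000\npreprocessor sfportscan: proto { all } \\\n    memcap { 30000000 } \\\n    logfile { /nsm_data/sensor1/portscans } \\\n    sense_level { low }\n' > "$1/snort/snort.conf"
    else
        printf 'output alert_fast: alert\n' > "$1/snort/snort.conf"
    fi
    printf 'SANCP_INTERFACE=%s\n' "$iface" > "$1/default/sancp"
    printf '#!/bin/sh\nINTERFACE=%s\n' "$iface" > "$1/log_packets.sh"
}
```

On a real sensor, run check_sensor_tree /etc (with log_packets.sh at /etc/log_packets.sh or a symlink to /usr/sbin/log_packets.sh); the exit status is the number of problems found.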

Sguil Server:
# dpkg -i sguil-doc_0.7.0-X_all.deb sguil-server_0.7.0-X_all.deb
# apt-get install -f
# dpkg -i sguil-doc_0.7.0-X_all.deb sguil-server_0.7.0-X_all.deb

# gunzip /usr/share/doc/sguil-server/sql_scripts/create_sguildb.sql.gz

mysql> CREATE DATABASE sguildb;
mysql> GRANT USAGE ON *.* TO 'sguil'@'localhost' IDENTIFIED BY 'yourl33tpasswd';
mysql> GRANT SELECT,INSERT,UPDATE,DELETE,CREATE,DROP ON sguildb.* TO 'sguil'@'localhost';
mysql> GRANT FILE ON *.* TO 'sguil'@'localhost';
mysql> \u sguildb
mysql> SOURCE /usr/share/doc/sguil-server/sql_scripts/create_sguildb.sql

# openssl req -new -x509 -nodes -out /etc/sguild/certs/sguild.pem -keyout /etc/sguild/certs/sguild.key -days 3650

# vim /etc/sguild/sguild.conf
-------------------8<--------------------
# DataBase Info
set DBNAME sguildb
set DBPASS "yourl33tpasswd"
set DBHOST localhost
set DBPORT 3306
set DBUSER sguil
-------------------8<--------------------

Append these rules to the mysqld AppArmor profile (sguild imports sensor data into MySQL with LOAD DATA INFILE from /sguild_data/load, which is also why the sguil user needs the FILE privilege above, so mysqld itself must be allowed to read that directory):
# vim /etc/apparmor.d/usr.sbin.mysqld
-------------------8<--------------------
/sguild_data/load/ r,
/sguild_data/load/* r,
/sguild_data/load/** r,
-------------------8<--------------------

Get a hold of your snort-rules and place them in: /sguild_data/rules/default/

# ln -s /sguild_data/rules/default/ /sguild_data/rules/YOURsensorXhostname

Start your sguild server:
# /etc/init.d/sguil-server start

Add a user for yourself (you will be prompted for a password):
# sguild -adduser Monkey1

Fire up sguil-client on your favourite (Ubuntu) desktop and get connected!

Extra:
# dpkg-reconfigure tzdata
Current default timezone: 'Etc/GMT'