Gentoo Wiki

HOWTO_Setup_SGUIL_with_Snort

Introduction

SGUIL is an open-source suite for Network Security Monitoring (NSM). It combines alert data from Snort, session data from sancp, OS fingerprint data from p0f and full-content packet captures to give the analyst a fast and thorough overview of what is happening on the network. It was written, and is still maintained, by Robert "Bamm" Visscher in Tcl/Tk, which gives it cross-platform clients with real-time analysis.

There is an enormous variety of ways to set up SGUIL for your environment, and it is almost guaranteed that each person's setup will differ from the next, so please treat this HOWTO as a basic installation guideline. It was written for a single Gentoo system with two 100Mb/s NICs, 2GB of RAM and a 2GHz Pentium-M processor. That works reasonably well for a small network (20-50 nodes). If you are going to deploy snort/sguil on a larger network, you are advised to separate the SGUIL sensors from the rest of the system.


Abstract

SGUIL can be thought of as a management console for snort. Among its key features are:

1. Automatic alert categorization
2. Event correlation
3. TCP stream examination, including replays and dumping a stream into Ethereal

and many more; check out this post for a nice overview.

SGUIL is made up of 3 key components:

Sensor - The sensor runs snort, sancp, barnyard, the sguil sensor agent and a script that logs full-content packets. The sensor's role is to gather the information that the server will process and act on: barnyard reads snort's unified output and forwards the events to the sguild server, which stores them in the database for later reference. The packet-logging script stores all traffic (and therefore the TCP streams the analyst can later pull up), which means it can use up a lot of space (as much space as the traffic you push around), so it is important to crontab the script to restart regularly: on each restart it cleans out older files and keeps disk usage at a defined level. It is also important to give the sensor's log directory a partition of its own, so that a full log partition cannot take down the rest of the system.

Server - The server runs the sguild process that acts as a "GUI" server for the SGUIL client.

Client - The client is the GUI front end to the SGUIL server. It exposes all the functionality SGUIL offers, mostly through right-click menus on the displayed columns.

For best performance and scalability it is recommended that you run the sensor and server on separate machines but in the interests of getting something up and running this HOWTO will assume that the sensor and server will be installed on the same machine. The aim of this HOWTO is for the user to have a working SGUIL installation up and running and accessible by the client.

This tutorial was written in August, 2007, with the following packages: sguil-server 0.6.1 sguil-client 0.6.1 sguil-sensor 0.6.1 oinkmaster 2.0 snort 2.6.1.4 barnyard 0.2.0-r2 sancp 1.6.1-r2

Software Installation

1. First, unmask the packages for SGUIL. (Here we also unmask the packages SGUIL depends on, so as to stay with the most up-to-date software. The exception is snort: we do not unmask it, because the unstable snort is prone to die. Use at your own risk!)

Code: Unmask Packages

echo -e "net-analyzer/sguil-server ~x86\nnet-analyzer/sguil-client ~x86\nnet-analyzer/sguil-sensor ~x86\nnet-analyzer/oinkmaster ~x86\nnet-analyzer/sancp ~x86\nnet-analyzer/barnyard ~x86" >> /etc/portage/package.keywords

2. Add "sguil" to your USE flags in /etc/make.conf.

3. Specify the snort USE flags. "dynamicplugin" is needed for dynamically loading preprocessors. (In this case we disable mysql support, since snort hands its output to barnyard rather than writing to the database itself.)

Code: Set snort USE flags

echo "net-analyzer/snort dynamicplugin -mysql" >> /etc/portage/package.use

4. Disable thread support in Tcl, as SGUIL will not run with a threaded Tcl. (A threaded build can be recognised by the tcl_platform(threaded) entry that tclsh reports; if your tclsh has it, re-emerge tcl after setting the flag below, before emerging SGUIL.)

Code: Disable thread support in Tcl

echo "dev-lang/tcl -threads" >> /etc/portage/package.use

5. Emerge SGUIL

Code: Emerge SGUIL

emerge -av sguil-client sguil-server sguil-sensor oinkmaster

Setup Snort

Edit Snort Config File

Edit /etc/snort/snort.conf to fit your needs.

Code: Copy the snort sample file to /etc/snort/snort.conf (applies to the unstable version only)

cp /etc/snort/snort.conf.distrib /etc/snort/snort.conf

Code: Edit snort.conf

nano /etc/snort/snort.conf

For now it is enough to change "var HOME_NET any" to your local network, e.g. "var HOME_NET 192.168.0.0/24". Rules that refer to $HOME_NET then only fire on traffic involving your own addresses, which cuts down the noise considerably. More advanced users can customise the rest of the snort settings now or later.

Setup Oinkmaster

What is Oinkmaster?

Oinkmaster is a Perl script that keeps your Snort rules up to date and comments out unwanted rules. It is optional but recommended. Its use is free, but the official snort rules require you to register at snort.org. After registering, generate your "oink code".

Specify what rules to auto-update

If you wish to use the official snort rules, all you need to do is uncomment the appropriate url line and insert your oink code:

File: /etc/oinkmaster.conf

url = http://www.snort.org/pub-bin/oinkmaster.cgi/<oinkcode>/snortrules-snapshot-CURRENT.tar.gz

You may add multiple rule sources, such as the Community rules or the Bleeding Snort rules. Do whatever is appropriate for your environment. Note that the oink code is tied to your snort.org account, so treat /etc/oinkmaster.conf as a credential file: it needs to be readable by the sguil user that runs the update, but not by everyone.

Update the Rules

After setting the rule sources, download the rules with the following commands (as root):

Code:

touch /etc/snort/rules/local.rules
mkdir /etc/snort/rules-backup
chown -R sguil:sguil /etc/snort/rules*
sudo -u sguil oinkmaster.pl -o /etc/snort/rules/ -b /etc/snort/rules-backup

(Note: the -b flag tars up your current rules and saves the archive in rules-backup before anything is overwritten.)

Add Oinkmaster to Crontab

Add the following line to /etc/crontab to have oinkmaster update the rules every morning at 4:20 a.m. Remember that snort only reads its rules at start-up, so updated rules take effect at the next snort restart.

File: /etc/crontab

20 4 * * * sguil oinkmaster.pl -o /etc/snort/rules/ -b /etc/snort/rules-backup 2>&1 | logger -t oinkmaster
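The cron line above updates the rule files but never restarts snort, and a broken rule file would only be noticed the next time snort fails to start. The wrapper below is an added example written for this HOWTO, not part of oinkmaster, snort or SGUIL: it runs oinkmaster as the sguil user, compares a checksum of the rule directory before and after the update, and only restarts snort when the rules actually changed and snort's configuration test mode (snort -T) accepts the new set. The paths RULES_DIR, BACKUP_DIR, SNORT_CONF and SNORT_INIT are assumptions that match the commands earlier in this section; adjust them to your install.

```shell
#!/bin/sh
# update-snort-rules.sh: added example for this HOWTO (not oinkmaster/SGUIL code).
# Run oinkmaster, then restart snort only if the rules changed AND snort's
# self-test accepts them, so a bad rule download cannot take the sensor down.
# The four paths below are assumptions matching the HOWTO; override via env.

RULES_DIR=${RULES_DIR:-/etc/snort/rules}
BACKUP_DIR=${BACKUP_DIR:-/etc/snort/rules-backup}
SNORT_CONF=${SNORT_CONF:-/etc/snort/snort.conf}
SNORT_INIT=${SNORT_INIT:-/etc/init.d/snort}

# rules_digest DIR: one checksum over every *.rules file in DIR.  The per-file
# "crc size name" lines are sorted first, so the result does not depend on the
# order in which the directory happens to be listed.
rules_digest() {
    dir=$1
    ( cd "$dir" && for f in *.rules; do [ -f "$f" ] && cksum "$f"; done ) \
        | sort | cksum | cut -d' ' -f1
}

# rules_changed OLD NEW: true when two digests differ.
rules_changed() {
    [ "$1" != "$2" ]
}

# snort_config_ok CONF: have snort parse the configuration and all rule files
# in test mode (-T) without starting detection; non-zero means a broken rule.
snort_config_ok() {
    snort -T -c "$1" >/dev/null 2>&1
}

update_rules() {
    before=$(rules_digest "$RULES_DIR")
    sudo -u sguil oinkmaster.pl -o "$RULES_DIR" -b "$BACKUP_DIR" 2>&1 | logger -t oinkmaster
    after=$(rules_digest "$RULES_DIR")

    if ! rules_changed "$before" "$after"; then
        logger -t oinkmaster "rules unchanged, snort not restarted"
        return 0
    fi
    if snort_config_ok "$SNORT_CONF"; then
        "$SNORT_INIT" restart
        logger -t oinkmaster "rules updated, snort restarted"
        return 0
    fi
    # Keep the running snort (old rules still loaded in memory); the previous
    # rule set is in the tar archive oinkmaster -b wrote to BACKUP_DIR.
    logger -t oinkmaster "new rules FAIL snort -T, snort not restarted; restore from $BACKUP_DIR"
    return 1
}

# Only perform the update when invoked as "update-snort-rules.sh run", so the
# functions above can also be sourced on their own.
if [ "${1:-}" = run ]; then
    update_rules
fi
```

To use it, replace the command part of the crontab line with the path you install the script at followed by `run` (the path is up to you; the script must run as root because of sudo and the init script). If `snort -T` rejects the update, the log message tells you to look in rules-backup, which holds the tar archive of the previous, known-good rules.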

Setup Barnyard

What is Barnyard?

Barnyard is an output processor for snort. It was created to separate the job of detecting attacks from the job of generating alert output; this improves snort's performance by letting it concentrate on detection instead of slow output operations. When employing barnyard, you first tell snort to write everything in "unified output format". Barnyard reads those files and writes the data to syslog, mysql, postgres, sguil, etc. In this case we use it to feed SGUIL. Another benefit of barnyard is privilege separation: unlike snort, which needs root privileges to sniff network traffic promiscuously, barnyard only needs read access to the unified files, so the code that parses alerts and talks to sguild can run as an unprivileged user.

Fix Snort's output style

First, tell snort to log alerts in unified format for barnyard to read later. To do this, edit /etc/snort/snort.conf and uncomment the following line:

File: /etc/snort/snort.conf

output log_unified: filename snort.log, limit 128

This makes snort write its unified output to /var/log/snort/snort.log. (Note: you will see a 10-digit number, the UNIX time_t at which the file was opened, appended to the filename, e.g. snort.log.1188000000; a fresh file with a new timestamp is started when the 128MB limit is reached.) The timestamp suffix lets barnyard tell the files apart and, together with its own bookmark of how far it has read, resume after a restart without reprocessing old archives.
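Snort starts a new unified file at every rollover but never removes the old ones, so, like the full-content captures mentioned in the sensor description, they grow until something prunes them. The script below is an added example for this HOWTO, not code from snort, barnyard or SGUIL: it lists the snort.log.<time_t> files ordered by the embedded timestamp rather than by mtime, and removes all but the KEEP newest, never touching the newest one, which snort is still writing and barnyard still reading. LOG_DIR, KEEP and the DO_DELETE switch are assumptions; by default it is a dry run that only prints what it would remove.

```shell
#!/bin/sh
# prune-unified.sh: added example for this HOWTO (not snort/barnyard/SGUIL code).
# Bound the disk used by snort's unified output files "snort.log.<time_t>".
# LOG_DIR, KEEP and DO_DELETE are assumed names; override them via env.

LOG_DIR=${LOG_DIR:-/var/log/snort}
KEEP=${KEEP:-5}   # how many of the newest files to keep

# unified_files DIR BASE: print DIR/BASE.<epoch> paths, newest first, ordered by
# the 10-digit time_t suffix snort appends (not by mtime, which rsync or a
# restore can change).  Files with any other suffix are ignored.
unified_files() {
    dir=$1
    base=$2
    for f in "$dir/$base".*; do
        [ -f "$f" ] || continue
        suffix=${f##*.}
        case $suffix in
            [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9])
                printf '%s %s\n' "$suffix" "$f" ;;
        esac
    done | sort -rn | cut -d' ' -f2-
}

# prune_unified DIR BASE KEEP: print every file except the KEEP newest and,
# only when DO_DELETE=1, remove them.  KEEP is forced to at least 1 so the
# file snort is currently appending to (and barnyard is tailing) is never removed.
prune_unified() {
    dir=$1
    base=$2
    keep=$3
    [ "$keep" -ge 1 ] 2>/dev/null || keep=1
    unified_files "$dir" "$base" | tail -n +"$((keep + 1))" | while read -r f; do
        printf '%s\n' "$f"
        if [ "${DO_DELETE:-0}" = 1 ]; then
            rm -f -- "$f"
        fi
    done
}

# Only act when invoked as "prune-unified.sh run"; otherwise just define functions.
if [ "${1:-}" = run ]; then
    prune_unified "$LOG_DIR" snort.log "$KEEP"
fi
```

Run it first without DO_DELETE to see what would go, then add it to the crontab as root with DO_DELETE=1 once you are happy. Size KEEP so that it covers any backlog: if barnyard has fallen behind or was stopped for a while, files older than the newest may still be unread, and removing them loses those alerts for good.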

Configure Barnyard

Troubleshooting

If snort or any other program does not start successfully via its /etc/init.d script, run it by hand from the command line with the same parameters as in /etc/conf.d to see what is wrong: a foreground run prints to the terminal the errors that a daemonized start only writes to the logs.

References

SGUIL Homepage

SGUIL Setup under Gentoo

SGUIL on RedHat

Snort Howto

Retrieved from "http://www.gentoo-wiki.info/HOWTO_Setup_SGUIL_with_Snort"

Last modified: Fri, 05 Sep 2008 22:53:00 +0000