Friday, October 18, 2013

Squert 1.1.5 on OpenBSD 5.3 with Nginx

A quick and dirty update to http://tildedennis.blogspot.com/2012/09/squert-on-openbsd.html.

Nginx with SSL and PHP

Add PHP package:

$ sudo pkg_add php-fpm

Create a self-signed SSL certificate (the key is encrypted with -aes256, which is why nginx has to be started by hand below):

$ openssl genrsa -aes256 4096 > server.key
$ openssl req -sha256 -new -key server.key -out server.csr
$ openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
$ mv server.key /etc/ssl/private/
$ mv server.crt /etc/ssl/

Create a basic nginx configuration that redirects HTTP to HTTPS and has PHP support:

$ cat /etc/nginx/nginx.conf                                                           
events { }

http {

    error_log     logs/nginx_error.log;
    include       mime.types;

    server {
        listen       80;
        return 301 https://$host$request_uri;
    }

    server {
        listen       443 ssl;
        server_name  house.lifethreats.org;
        root         /var/www/htdocs;

        ssl_certificate      /etc/ssl/server.crt;
        ssl_certificate_key  /etc/ssl/private/server.key;

        location ~ \.php$ {
                # Only hand the request to PHP if the script really exists;
                # otherwise php-fpm (with cgi.fix_pathinfo) can be made to
                # treat a path such as /upload.jpg/x.php as a PHP script.
                try_files       $uri =404;
                fastcgi_pass    127.0.0.1:9000;
                fastcgi_param   SCRIPT_FILENAME $document_root$fastcgi_script_name;
                fastcgi_param   QUERY_STRING $query_string;
                include fastcgi_params;
        }
    }
}

Finishing touches (nginx stays disabled at boot because the encrypted private key prompts for its passphrase, so start it by hand; php-fpm starts from pkg_scripts):

$ egrep 'nginx|php' /etc/rc.conf.local 
#nginx_flags=""          # for normal use: ""
pkg_scripts="php_fpm"


Snort

Snort setup is similar to before. Note that the awk line passes the short hostname in with -v: inside the single-quoted awk program the backticks are not expanded by the shell and would be written literally into emerging.conf, which Snort cannot resolve.

$ sudo pkg_add snort
$ ftp http://rules.emergingthreats.net/open/snort-2.9.0/emerging.rules.tar.gz
$ tar -zxvf emerging.rules.tar.gz
$ cd rules/
$ ls emerging-*.rules | awk -v h="$(hostname -s)" '{print "include $RULE_PATH/" h "/" $1}' > emerging.conf
$ sudo mkdir /etc/snort/rules/`hostname -s`
$ sudo cp emerging-*.rules /etc/snort/rules/`hostname -s`/
$ sudo cp emerging.conf /etc/snort/
$ sudo cp sid-msg.map /etc/snort/
$ sudo cp classification.config /etc/snort/
$ sudo cp reference.config /etc/snort/
$ cd /var/snort/
$ sudo rmdir log
$ sudo mkdir `hostname -s`
$ sudo chown _snort:_snort `hostname -s`/


The following edits should be made to /etc/snort/snort.conf (replace external_ip with the sensor's own address), and the VRT rule includes should be commented out:

var HOME_NET external_ip/32
var EXTERNAL_NET !$HOME_NET
include emerging.conf


Everything can be tested with the following (add -T to only validate the configuration and exit instead of running live):

$ sudo /usr/local/bin/snort -c /etc/snort/snort.conf -u _snort -g _snort -t /var/snort -l /var/snort/`hostname -s`/


Configure Snort on boot:

$ grep snort /etc/rc.conf.local                                              
pkg_scripts="php_fpm snort"


Update /etc/rc.d/snort's daemon_flags to:

daemon_flags="-c /etc/snort/snort.conf -u _snort -g _snort -t /var/snort -l /var/snort/`hostname -s`"

Mysql

Mysql is the same.

Sguil Server

Tcl

Tcl is the same.

TclX

TclX is the same.

Mysqltcl

Mysqltcl is the same.

Tcltls

Slightly different. openssl req -x509 with no -key generates the CA key into privkey.pem (OpenSSL's default_keyfile) and prompts for a passphrase. Without -days, both the CA certificate and the signed sguild certificate default to 30 days of validity, so set it explicitly; the server key is 2048 bits rather than the 1024 bits used originally:

$ sudo pkg_add tcltls
$ openssl req -out CA.pem -new -x509 -days 3650
$ openssl genrsa -out sguild.key 2048
$ openssl req -key sguild.key -new -out sguild.req
$ echo 01 > file.sr1
$ openssl x509 -req -days 365 -in sguild.req -CA CA.pem -CAkey privkey.pem -CAserial file.sr1 -out sguild.pem
$ sudo mkdir -p /etc/sguild/certs
$ sudo mv sguild.key sguild.pem /etc/sguild/certs/
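The same CA and sguild certificate procedure as one non-interactive script, with an explicit validity period and a verify step that catches the two things that go wrong in practice: a certificate that no longer chains to CA.pem, and one about to expire. This is an added example, not code from the original post or from Sguil; the CN values, the 2048-bit keys, the -nodes (unencrypted CA key, so it runs unattended) and the function names are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): sguild CA + server cert, non-interactive,
# plus a chain/expiry check. Assumed: CN values, 2048-bit keys, -nodes on the CA key.
set -eu

# Create CA.pem/privkey.pem and a CA-signed sguild.pem/sguild.key in $1, valid $2 days.
make_sguild_certs() {
    certdir=$1
    days=${2:-365}
    mkdir -p "$certdir"
    (
        cd "$certdir"
        # CA: req -x509 writes the key to -keyout (the post relies on the default
        # privkey.pem); -nodes skips the passphrase prompt so this can run unattended.
        openssl req -new -x509 -nodes -days "$days" -subj "/CN=sguild-test-CA" \
            -keyout privkey.pem -out CA.pem 2>/dev/null
        # server key + CSR (2048 bits instead of 1024)
        openssl genrsa -out sguild.key 2048 2>/dev/null
        openssl req -new -key sguild.key -subj "/CN=sguild" -out sguild.req 2>/dev/null
        echo 01 > file.sr1
        # without -days, openssl x509 -req issues a certificate valid for only 30 days
        openssl x509 -req -days "$days" -in sguild.req -CA CA.pem -CAkey privkey.pem \
            -CAserial file.sr1 -out sguild.pem 2>/dev/null
        chmod 600 privkey.pem sguild.key
    )
}

# Check that sguild.pem chains to CA.pem and is not expiring within $2 days.
# Returns 0 = ok, 1 = expired or expiring within $2 days, 2 = does not verify against CA.pem.
check_sguild_cert() {
    certdir=$1
    min_days=${2:-30}
    openssl verify -CAfile "$certdir/CA.pem" "$certdir/sguild.pem" >/dev/null 2>&1 || return 2
    openssl x509 -in "$certdir/sguild.pem" -noout -checkend $((min_days * 86400)) >/dev/null || return 1
    return 0
}

# Stand-alone demo in a temporary directory.
demo_dir=$(mktemp -d)
make_sguild_certs "$demo_dir" 365
if check_sguild_cert "$demo_dir" 30; then
    echo "sguild.pem verifies against CA.pem and has more than 30 days left"
fi
openssl x509 -in "$demo_dir/sguild.pem" -noout -subject -enddate
rm -rf "$demo_dir"
```

Run check_sguild_cert against /etc/sguild/certs (with CA.pem alongside) from cron to get warned before the sguild agents start failing their TLS handshakes.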


Sguild

Sguild is the same, except that the earlier post left out adding a sguil user:

$ sudo sguild -adduser sguil 

Sguil Sensor

snort_agent.tcl

Snort_agent.tcl is the same.

Barnyard2

In /etc/snort/snort.conf, add a unified2 output module:

output unified2: filename snort_log, limit 128

Get barnyard2 (the master branch zip) from https://github.com/firnsy/barnyard2 and build it against the packaged Tcl:

$ sudo pkg_add libtool
$ sudo pkg_add autoconf-2.69p0
$ export AUTOCONF_VERSION=2.69
$ export AUTOMAKE_VERSION=1.9

$ unzip barnyard2-master.zip
$ cd barnyard2-master
$ ./autogen.sh
$ ./configure --with-tcl=/usr/local/lib/tcl/tcl8.5
$ make
$ sudo make install
$ sudo mkdir /var/log/barnyard2
$ sudo mkdir /etc/barnyard2
$ sudo cp /usr/local/etc/barnyard2.conf /etc/barnyard2/


Edit /etc/barnyard2/barnyard2.conf and comment out the non-sguil outputs. barnyard2 does not expand backticks, so the hostname and sniffing interface go in as literal values (here the sensor's short hostname is house; interface_name is a placeholder for the interface Snort listens on). sensor_name must match the name snort_agent registers with sguild:

config daemon
config hostname: house
config interface: interface_name
output sguil: agent_port=7735, sensor_name=house

Test like this:

$ sudo /usr/local/bin/barnyard2 -c /etc/barnyard2/barnyard2.conf -d /var/snort/house/ -f snort_log

Create /etc/rc.d/barnyard2:

#!/bin/sh
daemon="/usr/local/bin/barnyard2"

. /etc/rc.d/rc.subr

rc_cmd "$1"


Edit /etc/rc.conf.local (the -d spool directory and -f base filename must match Snort's -l directory and the unified2 filename):

barnyard2_flags="-c /etc/barnyard2/barnyard2.conf -d /var/snort/house/ -f snort_log"

pkg_scripts="php_fpm snort mysqld sguild snort_agent barnyard2"
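Most "sguild shows no alerts" problems with this chain come from the three settings above disagreeing: the unified2 filename in snort.conf versus barnyard2's -f, Snort's -l directory versus barnyard2's -d, and barnyard2's sensor_name versus the name snort_agent registers. The script below cross-checks them. It is an added example, not part of the original post or of barnyard2; the sample snort.conf and barnyard2.conf it creates are constructed to mirror the post, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): cross-check the settings that must agree
# for Snort -> unified2 spool -> barnyard2 -> sguild. Sample files below are constructed.
set -eu

# "output unified2: filename snort_log, limit 128"  ->  snort_log
unified2_filename() {
    sed -n 's/^output unified2:[[:space:]]*filename[[:space:]]*\([^,[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# Value following a flag (e.g. -f) in a barnyard2 flags string such as barnyard2_flags.
flag_value() {
    printf '%s\n' "$1" | awk -v f="$2" '{ for (i = 1; i < NF; i++) if ($i == f) { print $(i + 1); exit } }'
}

# "output sguil: agent_port=7735, sensor_name=house"  ->  house
barnyard2_sensor_name() {
    sed -n 's/^output sguil:.*sensor_name=\([^,[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# check_pipeline SNORT_CONF BARNYARD2_CONF BARNYARD2_FLAGS SNORT_LOGDIR SENSOR_NAME
# Prints each mismatch; returns 0 when everything lines up, 1 otherwise.
check_pipeline() {
    snort_conf=$1; by2_conf=$2; by2_flags=$3; snort_logdir=$4; sensor=$5
    bad=0
    want_file=$(unified2_filename "$snort_conf")
    got_file=$(flag_value "$by2_flags" -f)
    if [ -z "$want_file" ]; then
        echo "no 'output unified2' line in $snort_conf"; bad=1
    elif [ "$want_file" != "$got_file" ]; then
        echo "snort writes '$want_file' but barnyard2 -f is '$got_file'"; bad=1
    fi
    got_dir=$(flag_value "$by2_flags" -d)
    if [ "${got_dir%/}" != "${snort_logdir%/}" ]; then   # ignore a trailing slash
        echo "snort -l is '$snort_logdir' but barnyard2 -d is '$got_dir'"; bad=1
    fi
    got_sensor=$(barnyard2_sensor_name "$by2_conf")
    if [ "$got_sensor" != "$sensor" ]; then
        echo "barnyard2 sensor_name is '$got_sensor' but snort_agent registers as '$sensor'"; bad=1
    fi
    return $bad
}

# Demo with constructed files mirroring the post's values.
demo=$(mktemp -d)
printf 'output unified2: filename snort_log, limit 128\n' > "$demo/snort.conf"
printf 'config daemon\noutput sguil: agent_port=7735, sensor_name=house\n' > "$demo/barnyard2.conf"
if check_pipeline "$demo/snort.conf" "$demo/barnyard2.conf" \
      "-c /etc/barnyard2/barnyard2.conf -d /var/snort/house/ -f snort_log" /var/snort/house house; then
    echo "snort/barnyard2/sguild settings are consistent"
fi
rm -rf "$demo"
```

On the real box, feed it /etc/snort/snort.conf, /etc/barnyard2/barnyard2.conf, the barnyard2_flags value from /etc/rc.conf.local, the -l directory from /etc/rc.d/snort, and the sensor name from snort_agent.conf.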


Squert

$ sudo pkg_add php-mysql-5.3.21
$ sudo ln -sf /etc/php-5.3.sample/mysql.ini /etc/php-5.3/mysql.ini

$ unzip squert-master.zip
$ sudo mv squert-master /var/www/htdocs/squert
$ cd /var/www/htdocs/
$ sudo cp squert/.inc/config.php.sample squert/.inc/config.php


In /var/www/htdocs/squert/.inc/config.php, fill in the DB Info section (the sguildb credentials) and the Sguild Info section (sguild host and port), then set the rule path and DNS server:

// DB Info
// Sguild Info
// Where are the rules? If you have multiple dirs, separate each with: ||
$rulePath = "/etc/snort/rules";

// DNS server to query
$dns = "192.168.0.1";


Update /etc/my.cnf:

$ egrep 'group_concat|local-in' /etc/my.cnf

local-infile=1
group_concat_max_len = 100000


Add some indexes to the sguildb:

$ mysql -N -B --user=root -p sguildb -e "CREATE INDEX sid ON history (sid);"
$ mysql -N -B --user=root -p sguildb -e "CREATE INDEX cid ON history (cid);"


Add the new tables to sguildb (the mysql client's -U flag is --safe-updates, not a database selector, so name the database positionally):

$ mysql -uroot -p sguildb < squert/.scripts/squert.sql

Give the sguil user privileges on the ip2c table:

$ mysql -N -B --user=root -p -e "GRANT ALL PRIVILEGES ON sguildb.ip2c TO 'sguil'@'localhost';"

On the mappings table:

$ mysql -N -B --user=root -p -e "GRANT ALL PRIVILEGES ON sguildb.mappings TO 'sguil'@'localhost';"

On the filters table:

$ mysql -N -B --user=root -p -e "GRANT INSERT,UPDATE,DELETE ON sguildb.filters TO 'sguil'@'localhost';"

Populate the ip2c table:

$ cd squert/.scripts/
$ ./ip2c.tcl


Add an index on the comment column of the history table:

$ mysql -N -B --user=root -p -e "CREATE INDEX comment ON sguildb.history (comment(50));"

Give the sguil user delete permission on the history table (where comments live):

$ mysql -N -B --user=root -p -e "GRANT DELETE on sguildb.history to 'sguil'@'localhost';"

Add cron jobs to keep the ip2c data updated (every five minutes for new addresses, monthly for a full reload):

*/5 * * * * /usr/local/bin/php-5.3 -e /var/www/htdocs/squert/.inc/ip2c.php 1 > /dev/null 2>&1
0 0 1 * *   /var/www/htdocs/squert/.scripts/ip2c.tcl > /dev/null 2>&1