File: sagan_freebsd.howto.md

package: sagan 1.2.0-1
  • area: main
  • in suites: buster
  • size: 6,564 kB
  • sloc: ansic: 21,146; sh: 4,499; asm: 1,002; perl: 282; makefile: 143
  • file: 393 lines, 12,372 bytes
Building & Installing SAGAN For FreeBSD
===============================

Goal => **Configure Sagan with liblognorm to log to unified2 snort logging format, using barnyard2 for output plugins** 

This guide outlines best practices for decoupling the Sagan processor from output handling, giving the fastest possible logging and alerting chain.

## Install these Dependencies from Ports Tree:

*Note: Although explicit versions are listed here, you may want or need to build the latest from the ports tree.*

Ports: 
```shell
pcre-8.30_2         Perl Compatible Regular Expressions library
perl-5.12.4_4       Practical Extraction and Report Language
libdnet-1.11_3      A simple interface to low level networking routines
libee-0.3.2         An event expression library inspired by CEE
libestr-0.1.2       A library for some string essentials
autoconf-2.68       Automatically configure source code on many Un*x platforms 
automake-1.11.1     GNU Standards-compliant Makefile generator (1.11)
pulledpork-0.6.1_2  Script to update snort-2.8+ rules
syslog-ng-3.3.5     A powerful syslogd replacement
```

Example: 

Build these FreeBSD packages from '/usr/ports', or install them with 'pkg_add -r' or 'portmaster -n'.

```shell
[user@sensor /usr/ports/devel/libee]# sudo make clean install 
```

### Barnyard2 Output Plugins:

Barnyard2 output plugins such as 'mysql' require additional dependencies to be prebuilt.

Example: 
```shell
barnyard2-1.9_2     An output system for Snort or Suricata that parses unified2
mysql-client-5.5.23 Multithreaded SQL database (client) (can be added for barnyard2 sql logging)
```

## Switch FreeBSD syslog to syslog-ng using FIFO

Modify your '/etc/rc.conf' 

```shell 
syslog_ng_enable="YES"
syslogd_enable="NO"
syslog_ng_config="-u root"
syslog_ng_pid="/var/run/syslog-ng.pid"
```

Add a new syslog-ng destination and log statement to `/usr/local/etc/syslog-ng.conf`:

```shell
destination sagan {
    pipe(
        "/var/run/sagan.fifo"
        template("$SOURCEIP|$FACILITY|$PRIORITY|$LEVEL|$TAG|$YEAR-$MONTH-$DAY|$HOUR:$MIN:$SEC|$PROGRAM| $MSG\n")
        template-escape(no)
    );
};

log {
    source(s_local);
    # uncomment this line to open port 514 to receive messages
    #source(s_network);

    destination(d_local);
    destination(sagan);
};
```

Note: on FreeBSD the existing /etc/syslog.conf is imported into syslog-ng as a module, so the local destinations referenced above already exist.

Stop old Syslog & Start syslog-ng

```shell
[user@sensor ~/sagan-0.2.1]# sudo mkfifo /var/run/sagan.fifo

[user@sensor ~/]# sudo /etc/rc.d/syslog stop
[user@sensor ~/]# sudo /usr/local/etc/rc.d/syslog-ng start
```
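
As an added check that is not part of the original howto, the following validates that lines match the nine-field record the syslog-ng template above produces; the sample records are constructed.

```shell
#!/bin/sh
# Added example (not from the howto): validate records produced by the
# syslog-ng template
#   $SOURCEIP|$FACILITY|$PRIORITY|$LEVEL|$TAG|$YEAR-$MONTH-$DAY|$HOUR:$MIN:$SEC|$PROGRAM| $MSG
# A correct record has exactly nine '|'-separated fields, an ISO date in
# field 6 and HH:MM:SS in field 7. Because template-escape(no) leaves '|'
# in $MSG unescaped, a message containing '|' shows up here as a
# field-count error.

# Check one record; prints the problem and returns 1 when it is malformed.
check_sagan_record() {
    printf '%s\n' "$1" | awk -F'|' '
        NF != 9 { printf "bad field count %d: %s\n", NF, $0; exit 1 }
        $6 !~ /^[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]$/ { print "bad date: " $6; exit 1 }
        $7 !~ /^[0-9][0-9]:[0-9][0-9]:[0-9][0-9]$/ { print "bad time: " $7; exit 1 }
        { exit 0 }'
}

# Check every record on stdin; returns 0 only if all of them pass.
check_sagan_stream() {
    bad=0
    while IFS= read -r line; do
        check_sagan_record "$line" || bad=$((bad + 1))
    done
    echo "malformed records: $bad"
    [ "$bad" -eq 0 ]
}

# Constructed sample records in the template's layout.
SAMPLE_RECORDS='192.168.0.1|auth|info|info|auth.info|2012-05-10|17:25:39|sshd| Accepted publickey for shadowbq from 1.2.5.6 port 59625 ssh2
192.168.0.1|authpriv|notice|notice|authpriv.notice|2012-05-10|17:26:01|sudo| shadowbq : TTY=pts/0 ; PWD=/home/shadowbq ; USER=root ; COMMAND=/usr/local/etc/rc.d/sagan start'

printf '%s\n' "$SAMPLE_RECORDS" | check_sagan_stream
```

Against real output, run `head -n 5 /var/run/sagan.fifo | check_sagan_stream` only before Sagan is started, since records read this way are consumed and never reach Sagan.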

The remaining components are installed from source (at this time Sagan and liblognorm are not in the FreeBSD ports tree).

## Liblognorm

### Option 1. Fetch Nightly

GIT REPO for liblognorm
http://git.adiscon.com/?p=liblognorm.git;a=summary

```shell
[user@sensor ~/]# wget -O liblognorm.0.3.4.tar.gz "http://git.adiscon.com/?p=liblognorm.git;a=snapshot;h=f4b985047cd23be087aa93632acdd7ef7ea8ec70;sf=tgz"
# - or -
[user@sensor ~/]# git clone git://git.adiscon.com/git/liblognorm.git
```

The nightly snapshot requires the autotools to generate your ./configure script:

```shell
[user@sensor ~/]# cd liblognorm*
[user@sensor ~/liblognorm]# aclocal
[user@sensor ~/liblognorm]# autoconf
[user@sensor ~/liblognorm]# autoreconf -f -i -Wall,no-obsolete
```

### Option 2. Fetch a tag/snapshot

Tagged releases should ship with ready-made configure scripts, e.g. *liblognorm.0.3.4.tar.gz*:

http://git.adiscon.com/?p=liblognorm.git;a=snapshot;h=f4b985047cd23be087aa93632acdd7ef7ea8ec70;sf=tgz

```shell 
[user@sensor ~/]# fetch http://www.liblognorm.com/files/download/liblognorm-0.3.4.tar.gz
[user@sensor ~/]# tar -zxvf liblognorm-*
```

### Continue to Compile liblognorm

```shell
[user@sensor ~/]# cd liblognorm*

[user@sensor ~/liblognorm]# LDFLAGS=-L/usr/local/lib CFLAGS=-I/usr/local/include ./configure
[user@sensor ~/liblognorm]# make 
[user@sensor ~/liblognorm]# sudo make install
```

You should see
```shell
----------------------------------------------------------------------
Libraries have been installed in:
   /usr/local/lib
```

### Normalizer

The normalizer binary has been installed with liblognorm, and can assist you in testing your *.rulebase files.

https://github.com/shadowbq/sagan-extras/blob/master/samples/README.normalizer.md

```shell
$ normalizer -r ./example.rulebase -e json < ./example.log
{"src-port": "14121", "src-ip": "192.168.0.1", "username": "bobuser"}
```

## Sagan

Download and Decompress Sagan

```shell
[user@sensor ~/]# fetch http://sagan.softwink.com/download/sagan-0.2.1.tar.gz

[user@sensor ~/]# tar zxvf sagan-*

[user@sensor ~/]# cd sagan-*
```

Configure Sagan to log in the unified2 (Snort) format. This is the best way to decouple the processor and allow for the fastest logging; barnyard2 then provides the output plugins.

```shell
[user@sensor ~/sagan-0.2.1]# LDFLAGS=-L/usr/local/lib CFLAGS=-I/usr/local/include ./configure --disable-mysql --disable-postgresql --disable-esmtp --disable-prelude --enable-lognorm --enable-libdnet --disable-snortsam
[user@sensor ~/sagan-0.2.1]# make 
[user@sensor ~/sagan-0.2.1]# sudo make install
```

At the end of the install you should see

```shell
------------------------------------------------------------------------------

/usr/bin/install -c -d "/usr/local/share/man/man8"
/usr/bin/install -c -m 644 etc/sagan.8 "/usr/local/share/man/man8"
/usr/bin/install -c -m 755 src/sagan "/usr/local/sbin/sagan"
/usr/bin/install -c -d "/var/log/sagan"
/usr/bin/install -c -d "/var/run/sagan"

------------------------------------------------------------------------------
Sagan has been installed! You still need to do a few more things before your
up and running. See https://wiki.quadrantsec.com/bin/view/Main/SaganHOWTO for
more information.
------------------------------------------------------------------------------
```

Ensure the binary is properly linked and will run without a segfault:
 - `ldd` shows that libee, libestr, liblognorm, libpcap, libdnet, threading (libthr) and pcre are all linked in, confirming those features were compiled in.

```shell
[user@sensor ~/sagan-0.2.1]# sudo ldd /usr/local/sbin/sagan 
/usr/local/sbin/sagan:
	libdnet.so => /usr/local/lib/libdnet.so (0x80085e000)
	libpcap.so.8 => /lib/libpcap.so.8 (0x800a6c000)
	liblognorm.so.0 => /usr/local/lib/liblognorm.so.0 (0x800c9f000)
	libee.so.0 => /usr/local/lib/libee.so.0 (0x800ea7000)
	libestr.so.0 => /usr/local/lib/libestr.so.0 (0x8010ae000)
	libm.so.5 => /lib/libm.so.5 (0x8012b0000)
	libthr.so.3 => /lib/libthr.so.3 (0x8014d1000)
	libpcre.so.1 => /usr/local/lib/libpcre.so.1 (0x8016f4000)
	libc.so.7 => /lib/libc.so.7 (0x80194a000)

```
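
The ldd listing above can be checked mechanically. This added script (not from the howto) asserts that every expected library appears and that none resolves to "not found"; the sample listing is constructed from the one above with two defects introduced.

```shell
#!/bin/sh
# Added example (not from the howto): verify that the sagan binary links every
# library this build is supposed to enable and that nothing is "not found".
# The names come from the ldd listing above; libthr is the threading library.
SAGAN_REQUIRED_LIBS="libdnet libpcap liblognorm libee libestr libthr libpcre"

# Reads ldd output on stdin, prints one line per problem, returns 0 if clean.
verify_ldd_output() {
    out=$(cat)
    rc=0
    for lib in $SAGAN_REQUIRED_LIBS; do
        if ! printf '%s\n' "$out" | grep -q "^[[:space:]]*$lib\.so"; then
            echo "missing: $lib (feature not compiled in, or library not linked)"
            rc=1
        fi
    done
    # A library that was linked but cannot be resolved at run time is what
    # actually stops the binary from starting.
    if printf '%s\n' "$out" | grep -q 'not found'; then
        printf '%s\n' "$out" | grep 'not found' | sed 's/^[[:space:]]*/unresolved: /'
        rc=1
    fi
    return $rc
}

# Run the check against an installed binary (default path from the howto).
check_sagan_links() {
    ldd "${1:-/usr/local/sbin/sagan}" | verify_ldd_output
}

# Constructed sample: the howto's listing with liblognorm broken and pcre absent.
SAMPLE_LDD_BAD='/usr/local/sbin/sagan:
    libdnet.so => /usr/local/lib/libdnet.so (0x80085e000)
    libpcap.so.8 => /lib/libpcap.so.8 (0x800a6c000)
    liblognorm.so.0 => not found
    libee.so.0 => /usr/local/lib/libee.so.0 (0x800ea7000)
    libestr.so.0 => /usr/local/lib/libestr.so.0 (0x8010ae000)
    libm.so.5 => /lib/libm.so.5 (0x8012b0000)
    libthr.so.3 => /lib/libthr.so.3 (0x8014d1000)
    libc.so.7 => /lib/libc.so.7 (0x80194a000)'

printf '%s\n' "$SAMPLE_LDD_BAD" | verify_ldd_output || echo "sample binary would not be usable"
```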

Create a FreeBSD Sagan Service Script

```shell
[user@sensor ~/sagan-0.2.1]# fetch https://raw.github.com/shadowbq/sagan-extras/master/etc/rc.d/sagan -o /usr/local/etc/rc.d/sagan

[user@sensor ~/sagan-0.2.1]# sudo chmod a+x /usr/local/etc/rc.d/sagan 
```

Modify your '/etc/rc.conf' to enable this new sagan rc.d startup script.

```shell
sagan_enable="YES"
sagan_user="root"
```

## Pulledpork

Download rules via PulledPork (rule set manager).
Note: PulledPork does not at this time support classification.config, reference.config, or any *.rulebase files, so those are fetched separately below.

```shell
[user@sensor ~/sagan-0.2.1]# fetch https://raw.github.com/shadowbq/sagan-extras/master/etc/pulledpork.sagan.conf -o /usr/local/etc/pulledpork/pulledpork.sagan.conf

[user@sensor ~/sagan-0.2.1]# fetch https://raw.github.com/beave/sagan-rules/master/classification.config -o /usr/local/etc/sagan-rules/classification.config

[user@sensor ~/sagan-0.2.1]# fetch https://raw.github.com/beave/sagan-rules/master/reference.config -o /usr/local/etc/sagan-rules/reference.config

[user@sensor ~/sagan-0.2.1]# pulledpork.pl -d -T -vv -c /usr/local/etc/pulledpork/pulledpork.sagan.conf
```

You should see PulledPork run:

```shell
----------------------------------
Writing /var/log/sid_changes.log....
	Done
Rule Stats....
	New:-------0
	Deleted:---0
	Enabled Rules:----1538
	Dropped Rules:----6
	Disabled Rules:---1
	Total Rules:------1545
	Done
Please review /var/log/sid_changes.log for additional details
Fly Piggy Fly!
```

Modify the Sagan config '/usr/local/etc/sagan.conf' to comment out (#) all the individual rule file includes and use only:

```shell
include $RULE_PATH/sagan.rules
```
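
One way to make that edit mechanically, as an added example that is not from the howto: comment out every other `include $RULE_PATH/*.rules` line but leave the `sagan.rules` include alone. The sample config is constructed.

```shell
#!/bin/sh
# Added example (not from the howto): comment out every
# 'include $RULE_PATH/<name>.rules' line in sagan.conf except the
# sagan.rules include the page tells you to keep. Other directives and
# lines that are already commented are left exactly as they are.

# $1: path to a sagan.conf; the rewritten config is printed to stdout.
keep_only_sagan_rules() {
    awk '
        /^[ \t]*include[ \t]+\$RULE_PATH\/[^ \t]*\.rules[ \t]*$/ &&
        $0 !~ /\/sagan\.rules[ \t]*$/ { print "#" $0; next }
        { print }' "$1"
}

# Rewrite in place, keeping a .bak copy; default path is the one in the howto.
apply_sagan_rules_only() {
    conf=${1:-/usr/local/etc/sagan.conf}
    cp "$conf" "$conf.bak" && keep_only_sagan_rules "$conf.bak" > "$conf"
}

# Constructed sample of the include section of a sagan.conf.
SAMPLE_CONF='var RULE_PATH /usr/local/etc/sagan-rules
include $RULE_PATH/openssh.rules
include $RULE_PATH/sudo.rules
#include $RULE_PATH/windows.rules
include $RULE_PATH/sagan.rules'

# Number of .rules includes still active after the rewrite (expected: 1).
count_active_rule_includes() {
    tmp=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_CONF" > "$tmp"
    keep_only_sagan_rules "$tmp" | grep -c '^include .*\.rules'
    rm -f "$tmp"
}

count_active_rule_includes
```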

## FetchCarl

Download and install 'fetchcarl' 

```shell
[user@sensor ~/sagan-0.2.1]# fetch https://raw.github.com/shadowbq/sagan-extras/master/bin/fetchcarl.sh -o /usr/local/bin/fetchcarl

[user@sensor ~/sagan-0.2.1]# chmod +x /usr/local/bin/fetchcarl

[user@sensor ~]# fetchcarl --help
usage: fetchcarl options

This command will assist in downloading and updating sagan-rules rulebase, and map files. 

OPTIONS:
   -f, --file		Sagan configuration file location	
		  	  default: /usr/local/etc/sagan.conf  	
   -u, --url		Sagan-rule git repo url 
		  	  default: https://github.com/beave/sagan-rules.git  	

GENERIC:
   -v, --verbose  	Verbose
   -h, --help		Show this message

[user@sensor ~]# fetchcarl --verbose
the folder (/tmp/sagan_rules) you specified does not exist or doesn't contain a git repo.. fetching
/tmp/sagan_rules
Cloning into '/tmp/sagan_rules'...
remote: Counting objects: 549, done.
remote: Compressing objects: 100% (255/255), done.
remote: Total 549 (delta 462), reused 368 (delta 292)
Receiving objects: 100% (549/549), 275.21 KiB, done.
Resolving deltas: 100% (462/462), done.
Finished pulling sagan rules.
Sagan rulebase and config update complete. 
 (Note: Sagan *.rules were not updated. Use pulledpork for this process.)
```

## Running Sagan

Run Sagan for the first time.

```shell
[user@sensor ~]# /usr/local/etc/rc.d/sagan start
```
... wait, then generate some log events (e.g. failed ssh logins and sudo commands) ...

```shell
[user@sensor ~]# ls -la /var/log/sagan/sagan*

-rw-r--r--  1 root   sagan   4785 May 10 18:20 sagan.u2.1336685484
```

## Barnyard2 

### Configuration

Create barnyard2.conf files 

```shell
[user@sensor ~]# sudo fetch https://raw.github.com/shadowbq/sagan-extras/master/etc/barnyard2.cli.conf -o /usr/local/etc/barnyard2.cli.conf
[user@sensor ~]# cat /usr/local/etc/barnyard2.cli.conf

# this is not hard, only unified2 is supported ;)
input unified2

# Step 3: setup the output plugins

output alert_fast: stdout
```

### Run Barnyard2 

Collect the unified2 data and print it to stdout to double-check that the alert chain is working.

```shell
[user@sensor ~]# sudo mkdir /var/log/barnyard2  # Barnyard complains when this directory doesn't exist, although it is not used.

[user@sensor ~]# barnyard2 -c /usr/local/etc/barnyard2.cli.conf -C /usr/local/etc/sagan-rules/classification.config -S /usr/local/etc/sagan-rules/sagan-sid-msg.map -R /usr/local/etc/sagan-rules/reference.config -f sagan.u2 -d /var/log/sagan/ --nolock-pidfile

[user@sensor ~]# cat alert 

[**] [5000075] [OPENSSH] Authentication success [shadowbq] [**]
[Classification: successful-user] [Priority: 1]
2012-05-10 17:25:39 1.2.5.6:59625 -> 1.2.3.32:22 auth info
Message:  Accepted publickey for shadowbq from 1.2.5.6 port 59625 ssh2
[Xref => http://wiki.quadrantsec.com/bin/view/Main/5000075]

[**] [5000406] [OPENSSH] Accepted publickey [**]
[Classification: successful-user] [Priority: 1]
2012-05-10 17:25:39 1.2.5.3:59625 -> 1.2.5.3:22 auth info
Message:  Accepted publickey for shadowbq from 1.2.5.6 port 59625 ssh2
[Xref => http://wiki.quadrantsec.com/bin/view/Main/5000406]
```

### YEA! 

Working.. Moving ON!

### Barnyard Production Service

Set up barnyard2 to run via rc.d.

Modify your '/etc/rc.conf' to enable the barnyard2 rc.d startup script.

```shell
barnyard2_enable="YES"
barnyard2_flags="-D -f sagan.u2 -d /var/log/sagan"
```

### Optional. Barnyard2 and Existing Snorby/Base/DB

Set up barnyard2 to log to a remote Snorby MySQL database
(skip this if you are not running Snorby or a remote database).

```shell
[user@sensor ~]# sudo fetch https://raw.github.com/shadowbq/sagan-extras/master/etc/barnyard2.sagan.conf -o /usr/local/etc/barnyard2.conf
[user@sensor ~]# sudo cat /usr/local/etc/barnyard2.conf 

config reference_file:      /usr/local/etc/sagan-rules/reference.config
config classification_file: /usr/local/etc/sagan-rules/classification.config
config sid_file:            /usr/local/etc/sagan-rules/sagan-sid-msg.map
config hostname:            sagan
config interface:           misc
config waldo_file:          /var/log/sagan/barnyard2.waldo
input unified2
output database: log, mysql, user=snorby password=s3cr3tsauce dbname=snorby host=snorby
```

### Start Barnyard2

```shell
[user@sensor ~]# sudo /usr/local/etc/rc.d/barnyard2 start
```