Difference between revisions of "IDS: YaF SiLK catatan dari CERT NetSA"

(2 intermediate revisions by the same user not shown)

Latest revision as of 07:23, 21 April 2022

Building the tools

Install Prerequisites

apt -y install build-essential
apt -y install libglib2.0-dev liblzo2-dev zlib1g-dev libgnutls28-dev libpcap-dev python3.8-dev
apt -y install libmaxminddb-dev

Download Software

cd /tmp
wget https://tools.netsa.cert.org/releases/silk-3.19.1.tar.gz
wget https://tools.netsa.cert.org/releases/libfixbuf-2.4.1.tar.gz
wget https://tools.netsa.cert.org/releases/yaf-2.12.2.tar.gz


Install libfixbuf

cd /tmp
tar -zxf /tmp/libfixbuf-2.4.1.tar.gz
cd libfixbuf-2.4.1
./configure               \
    --prefix=/usr/local   \
    --enable-silent-rules
make
make install


Install SiLK

cd /tmp
tar -zxf /tmp/silk-3.19.1.tar.gz
cd silk-3.19.1
./configure                              \
    --prefix=/usr/local                  \
    --enable-silent-rules                \
    --enable-data-rootdir=/var/silk/data \
    --enable-ipv6                        \
    --enable-ipset-compatibility=3.14.0  \
    --enable-output-compression          \
    --with-python                        \
    --with-python-prefix
make
make install


Install YAF

cd /tmp
tar -zxf /tmp/yaf-2.12.2.tar.gz
cd yaf-2.12.2
./configure                 \
    --prefix=/usr/local     \
    --enable-silent-rules   \
    --enable-applabel       \
    --enable-metadata       \
    --enable-plugins
make
make install
cp /tmp/yaf-2.12.2/etc/init.d/yaf /etc/init.d/yaf
chmod a+x /etc/init.d/yaf


Update Dynamic Linker

$ grep local /etc/ld.so.conf.d/*
(debian)
/etc/ld.so.conf.d/libc.conf:/usr/local/lib
(ubuntu)
/etc/ld.so.conf.d/x86_64-linux-gnu.conf:/usr/local/lib/x86_64-linux-gnu
ldconfig

Optional:

(debian)
mv silk.conf /etc/ld.so.conf.d/.
(ubuntu)
mv silk.conf /etc/ld.so.conf.d/x86_64-linux-gnu.conf/.
ldconfig

Configuring the tools

Configure SiLK

mkdir -p /var/silk/data
chmod go+rx /var/silk /var/silk/data
cp /usr/local/share/silk/twoway-silk.conf /var/silk/data/silk.conf 


Configure rwflowpack

Next create the sensors.conf file that is used by rwflowpack for collecting data from yaf.

cd /usr/local/etc
vi sensors.conf


probe S0 ipfix
 listen-on-port 18001
 protocol tcp
 listen-as-host 127.0.0.1
end probe

group my-network
 ipblocks 192.168.0.0/24  # address of ethernet interface. CHANGE THIS.
 ipblocks 10.0.0.0/8      # other blocks considered internal. OPTIONAL.
end group

sensor S0
 ipfix-probes S0
 internal-ipblocks @my-network
 external-ipblocks remainder
end sensor

(Once the entire system is running, if you discover that all your records show up as type ext2ext, it means you did not configure your internal netblocks correctly.)

mv sensors.conf /var/silk/sensors.conf

Copy rwflowpack to init.d

cd /usr/local
cp share/silk/etc/init.d/rwflowpack /etc/init.d/rwflowpack
cp share/silk/etc/rwflowpack.conf /usr/local/etc/rwflowpack.conf

Edit

vi /usr/local/etc/rwflowpack.conf
ENABLED=1
statedirectory=/var/silk
SENSOR_CONFIG=/var/silk/sensors.conf
ARCHIVE_DIR=  # empty
LOG_TYPE=legacy
LOG_DIR=/var/log
PID_DIR=/var/run

Start rwflowpack (a message about "contains no runlevels, aborting" is non-fatal):

systemctl enable rwflowpack
systemctl start rwflowpack.service

or

/etc/init.d/rwflowpack start

Look at the rwflowpack log file, /var/log/rwflowpack-YYYYMMDD.log, to ensure that it is running.

cat /var/log/rwflowpack-YYYYMMDD.log

Start YAF

Edit

vi /usr/local/etc/yaf.conf
ENABLED=1
YAF_CAP_IF=enp0s3      # Ensure this is correct for your machine
YAF_IPFIX_PORT=18001   # Must match value in sensors.conf
YAF_EXTRAFLAGS="--silk --applabel --max-payload=512"
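The two files edited above have to agree with each other: YAF_IPFIX_PORT in yaf.conf must equal the probe's listen-on-port in sensors.conf, and the address of the capture interface must fall inside the sensor's internal-ipblocks, otherwise every record is typed ext2ext (the symptom noted after the sensors.conf listing). The following Python script is an added example, not part of this guide or of the SiLK/YAF distributions; it parses constructed copies of the two fragments shown on this page (the function names, the minimal parser and the interface address 192.168.0.10 are assumptions) and reports any mismatch before the services are started.

```python
import ipaddress

# Constructed copies of the two configuration fragments from this guide; they
# stand in for /var/silk/sensors.conf and /usr/local/etc/yaf.conf.
SENSORS_CONF = """\
probe S0 ipfix
 listen-on-port 18001
 protocol tcp
 listen-as-host 127.0.0.1
end probe

group my-network
 ipblocks 192.168.0.0/24  # address of ethernet interface. CHANGE THIS.
 ipblocks 10.0.0.0/8      # other blocks considered internal. OPTIONAL.
end group

sensor S0
 ipfix-probes S0
 internal-ipblocks @my-network
 external-ipblocks remainder
end sensor
"""

YAF_CONF = """\
ENABLED=1
YAF_CAP_IF=enp0s3      # Ensure this is correct for your machine
YAF_IPFIX_PORT=18001   # Must match value in sensors.conf
YAF_EXTRAFLAGS="--silk --applabel --max-payload=512"
"""


def _strip_comment(raw):
    # Drop a trailing "# ..." comment and surrounding whitespace.
    return raw.split("#", 1)[0].strip()


def parse_sensors_conf(text):
    # Minimal reader for probe/group/sensor blocks (an assumption, not the
    # real rwflowpack parser): only the directives the checks below need are
    # kept, other directives inside a block are ignored.
    probes, groups, sensors = {}, {}, {}
    block = None  # (kind, name) of the block currently being read
    for raw in text.splitlines():
        words = _strip_comment(raw).split()
        if not words:
            continue
        key, vals = words[0], words[1:]
        if key == "probe":
            block = ("probe", vals[0])
            probes[vals[0]] = {"port": None}
        elif key == "group":
            block = ("group", vals[0])
            groups[vals[0]] = []
        elif key == "sensor":
            block = ("sensor", vals[0])
            sensors[vals[0]] = {"probes": [], "internal": []}
        elif key == "end":
            block = None
        elif block is None:
            raise ValueError("directive outside a block: " + " ".join(words))
        else:
            kind, name = block
            if kind == "probe" and key == "listen-on-port":
                probes[name]["port"] = int(vals[0])
            elif kind == "group" and key == "ipblocks":
                groups[name].extend(ipaddress.ip_network(v, strict=False) for v in vals)
            elif kind == "sensor" and key == "ipfix-probes":
                sensors[name]["probes"].extend(vals)
            elif kind == "sensor" and key == "internal-ipblocks":
                sensors[name]["internal"].extend(vals)
    for s in sensors.values():  # resolve @group references into networks
        s["internal"] = [net for v in s["internal"] for net in
                         (groups[v[1:]] if v.startswith("@")
                          else [ipaddress.ip_network(v, strict=False)])]
    return probes, groups, sensors


def parse_yaf_conf(text):
    # Read KEY=value lines from a yaf.conf-style file.
    conf = {}
    for raw in text.splitlines():
        line = _strip_comment(raw)
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip().strip('"')
    return conf


def check_config(sensors_text, yaf_text, interface_addr):
    # Return a list of problems; an empty list means the two files agree.
    problems = []
    probes, _groups, sensors = parse_sensors_conf(sensors_text)
    yaf_port = int(parse_yaf_conf(yaf_text).get("YAF_IPFIX_PORT", 0))
    if yaf_port not in {p["port"] for p in probes.values()}:
        problems.append("YAF_IPFIX_PORT %d matches no probe listen-on-port" % yaf_port)
    addr = ipaddress.ip_address(interface_addr)
    for name, s in sensors.items():
        if not any(addr in net for net in s["internal"]):
            problems.append("sensor %s: %s is outside internal-ipblocks, so every "
                            "record would be typed ext2ext" % (name, interface_addr))
    return problems


if __name__ == "__main__":
    # 192.168.0.10 is a hypothetical address of YAF_CAP_IF; substitute yours.
    print(check_config(SENSORS_CONF, YAF_CONF, "192.168.0.10") or "configuration is consistent")
```

Run it with the real files by reading them into sensors_text and yaf_text and passing the address assigned to YAF_CAP_IF; a non-empty list is the misconfiguration that would otherwise only show up after the first records are flushed.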


Restart (a message about "contains no runlevels, aborting" is harmless):

systemctl enable yaf
systemctl start yaf.service

or

/etc/init.d/yaf start

Look at the yaf log file, /var/log/yaf.log, to ensure that it is running.

cat /var/log/yaf.log

Check the rwflowpack log file again to ensure that it received a connection from yaf. There should be a message similar to the following (the port number will likely differ):

'S0': accepted connection from 127.0.0.1:36734

If nothing is happening, it could be that yaf is waiting for network traffic. Follow the steps in the next section to generate some.

Generate traffic

ping -c 4 8.8.8.8

You may have to wait 5 or 10 minutes for the first records to be flushed, but you should see messages in the rwflowpack log file that it is creating files. You may check the status of YAF and rwflowpack with the following commands:

systemctl status yaf.service
systemctl status rwflowpack.service

(You may need to include the --no-pager and -l switches to get useful information from systemctl.)


Run a test query

/usr/local/bin/rwfilter --sensor=S0 --type=all --all=stdout \
| rwcut --tail-recs=10
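The checks above (the "accepted connection" line in the rwflowpack log and the test query) can be turned into a small post-deployment health check. The Python script below is an added example, not part of this guide or of SiLK; it works on constructed inputs: a made-up rwflowpack log excerpt containing the message quoted above (the timestamp prefix is invented), and made-up rows in the shape of comma-delimited rwcut output with the fields sensor,type,sIP,dIP (assumed to come from the test query piped through rwcut --fields=sensor,type,sIP,dIP --delimited=,). It confirms that yaf connected from the expected host and flags the all-ext2ext symptom described in the rwflowpack section.

```python
import re
from collections import Counter

# Constructed rwflowpack log excerpt; the prefix is made up, the
# "accepted connection" message is the one this guide says to look for.
RWFLOWPACK_LOG = """\
Apr 21 07:20:01 sensor rwflowpack[1234]: Starting rwflowpack
Apr 21 07:20:05 sensor rwflowpack[1234]: 'S0': accepted connection from 127.0.0.1:36734
"""

# Constructed rows in the shape of comma-delimited rwcut output with
# --fields=sensor,type,sIP,dIP. Addresses are invented.
RWCUT_OK = """\
sensor,type,sIP,dIP
S0,out,192.168.0.10,8.8.8.8
S0,in,8.8.8.8,192.168.0.10
S0,ext2ext,203.0.113.5,198.51.100.7
"""

# Same shape, but every record is ext2ext: the internal-ipblocks symptom.
RWCUT_MISCONFIGURED = """\
sensor,type,sIP,dIP
S0,ext2ext,192.168.1.10,8.8.8.8
S0,ext2ext,8.8.8.8,192.168.1.10
"""

CONNECTION_RE = re.compile(
    r"'(?P<sensor>\w+)': accepted connection from (?P<host>[\d.]+):(?P<port>\d+)")


def accepted_connections(log_text):
    # Return (sensor, host, port) for every accepted-connection message.
    found = []
    for line in log_text.splitlines():
        m = CONNECTION_RE.search(line)
        if m:
            found.append((m.group("sensor"), m.group("host"), int(m.group("port"))))
    return found


def type_counts(rwcut_text):
    # Count records per SiLK flow type in delimited rwcut output with a title row.
    lines = [l for l in rwcut_text.splitlines() if l.strip()]
    if not lines:
        return {}
    type_col = lines[0].split(",").index("type")
    return dict(Counter(line.split(",")[type_col] for line in lines[1:]))


def diagnose(log_text, rwcut_text, expected_host="127.0.0.1"):
    # List problems with the yaf -> rwflowpack pipeline; empty means healthy.
    # expected_host is the listen-as-host from sensors.conf.
    problems = []
    conns = accepted_connections(log_text)
    if not conns:
        problems.append("rwflowpack never logged an accepted connection from yaf")
    for sensor, host, port in conns:
        if host != expected_host:
            problems.append("sensor %s accepted a connection from %s:%d, not %s"
                            % (sensor, host, port, expected_host))
    counts = type_counts(rwcut_text)
    total = sum(counts.values())
    if total and counts.get("ext2ext", 0) == total:
        problems.append("all %d records are ext2ext: internal-ipblocks does not "
                        "cover the monitored network" % total)
    return problems


if __name__ == "__main__":
    print(type_counts(RWCUT_OK))
    print(diagnose(RWFLOWPACK_LOG, RWCUT_OK) or "pipeline healthy")
    print(diagnose(RWFLOWPACK_LOG, RWCUT_MISCONFIGURED))
```

With live data, feed it the current /var/log/rwflowpack-YYYYMMDD.log and the captured output of the test query; a connection from anything other than the listen-as-host address, or a result set made up entirely of ext2ext records, is worth fixing before trusting the in/out traffic split in later analysis.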

References