Difference between revisions of "IDS: YaF SiLK catatan dari CERT NetSA"
Jump to navigation
Jump to search
Onnowpurbo (talk | contribs) |
Onnowpurbo (talk | contribs) |
||
| Line 45: | Line 45: | ||
| + | ==Install YAF== | ||
| + | cd /tmp | ||
| + | tar -zxf /tmp/yaf-2.12.2.tar.gz | ||
| + | cd yaf-2.12.2 | ||
| + | ./configure \ | ||
| + | --prefix=/usr/local \ | ||
| + | --enable-silent-rules \ | ||
| + | --enable-applabel \ | ||
| + | --enable-metadata \ | ||
| + | --enable-plugins | ||
| + | make | ||
| + | make install | ||
| + | cp /tmp/yaf-2.12.2/etc/init.d/yaf /etc/init.d/yaf | ||
| + | chmod a+x /etc/init.d/yaf | ||
| + | ==Update Dynamic Linker== | ||
| + | $ grep local /etc/ld.so.conf.d/* | ||
| + | /etc/ld.so.conf.d/libc.conf:/usr/local/lib | ||
| + | |||
| + | mv silk.conf /etc/ld.so.conf.d/. | ||
| + | ldconfig | ||
| + | |||
| + | |||
| + | =Configuring the tools= | ||
| + | |||
| + | ==Configure SiLK== | ||
| + | |||
| + | mkdir -p /var/silk/data | ||
| + | chmod go+rx /var/silk /var/silk/data | ||
| + | cp /usr/local/share/silk/twoway-silk.conf /var/silk/data/silk.conf | ||
| + | |||
| + | |||
| + | ==Configure rwflowpack== | ||
| + | |||
| + | Next create the sensors.conf file that is used by rwflowpack for collecting data from yaf. | ||
| + | |||
| + | probe S0 ipfix | ||
| + | listen-on-port 18001 | ||
| + | protocol tcp | ||
| + | listen-as-host 127.0.0.1 | ||
| + | end probe | ||
| + | |||
| + | group my-network | ||
| + | ipblocks 192.168.1.0/24 # address of ethernet interface. CHANGE THIS. | ||
| + | ipblocks 10.0.0.0/8 # other blocks considered internal. OPTIONAL. | ||
| + | end group | ||
| + | |||
| + | sensor S0 | ||
| + | ipfix-probes S0 | ||
| + | internal-ipblocks @my-network | ||
| + | external-ipblocks remainder | ||
| + | end sensor | ||
| + | |||
| + | (Once the entire system is running, if you discover that all your records show up as type ext2ext, it means you did not configure your internal netblocks correctly.) | ||
| + | |||
| + | mv sensors.conf /var/silk/sensors.conf | ||
Revision as of 06:50, 21 April 2022
Building the tools
Install Prerequisites
apt -y install build-essential apt -y install libglib2.0-dev liblzo2-dev zlib1g-dev libgnutls28-dev libpcap-dev python3.8-dev apt -y install libmaxminddb-dev
Download Software
cd /tmp wget https://tools.netsa.cert.org/releases/silk-3.19.1.tar.gz wget https://tools.netsa.cert.org/releases/libfixbuf-2.4.1.tar.gz wget https://tools.netsa.cert.org/releases/yaf-2.12.2.tar.gz
Install libfixbuf
cd /tmp
tar -zxf /tmp/libfixbuf-2.4.1.tar.gz
cd libfixbuf-2.4.1
./configure \
--prefix=/usr/local \
--enable-silent-rules
make
make install
Install SiLK
cd /tmp
tar -zxf /tmp/silk-3.19.1.tar.gz
cd silk-3.19.1
./configure \
--prefix=/usr/local \
--enable-silent-rules \
--enable-data-rootdir=/var/silk/data \
--enable-ipv6 \
--enable-ipset-compatibility=3.14.0 \
--enable-output-compression \
--with-python \
--with-python-prefix
make
make install
Install YAF
cd /tmp
tar -zxf /tmp/yaf-2.12.2.tar.gz
cd yaf-2.12.2
./configure \
--prefix=/usr/local \
--enable-silent-rules \
--enable-applabel \
--enable-metadata \
--enable-plugins
make
make install
cp /tmp/yaf-2.12.2/etc/init.d/yaf /etc/init.d/yaf chmod a+x /etc/init.d/yaf
Update Dynamic Linker
$ grep local /etc/ld.so.conf.d/*
/etc/ld.so.conf.d/libc.conf:/usr/local/lib
mv silk.conf /etc/ld.so.conf.d/. ldconfig
Configuring the tools
Configure SiLK
mkdir -p /var/silk/data chmod go+rx /var/silk /var/silk/data cp /usr/local/share/silk/twoway-silk.conf /var/silk/data/silk.conf
Configure rwflowpack
Next create the sensors.conf file that is used by rwflowpack for collecting data from yaf.
probe S0 ipfix listen-on-port 18001 protocol tcp listen-as-host 127.0.0.1 end probe group my-network ipblocks 192.168.1.0/24 # address of ethernet interface. CHANGE THIS. ipblocks 10.0.0.0/8 # other blocks considered internal. OPTIONAL. end group sensor S0 ipfix-probes S0 internal-ipblocks @my-network external-ipblocks remainder end sensor
(Once the entire system is running, if you discover that all your records show up as type ext2ext, it means you did not configure your internal netblocks correctly.)
mv sensors.conf /var/silk/sensors.conf