IDS: YaF SiLK catatan dari CERT NetSA

From OnnoWiki
Revision as of 06:50, 21 April 2022 by Onnowpurbo (talk | contribs)
Jump to navigation Jump to search

Building the tools

Install Prerequisites

apt -y install build-essential
apt -y install libglib2.0-dev liblzo2-dev zlib1g-dev libgnutls28-dev libpcap-dev python3.8-dev
apt -y install libmaxminddb-dev

Download Software

cd /tmp
wget https://tools.netsa.cert.org/releases/silk-3.19.1.tar.gz
wget https://tools.netsa.cert.org/releases/libfixbuf-2.4.1.tar.gz
wget https://tools.netsa.cert.org/releases/yaf-2.12.2.tar.gz


Install libfixbuf

cd /tmp
tar -zxf /tmp/libfixbuf-2.4.1.tar.gz
cd libfixbuf-2.4.1
./configure               \
    --prefix=/usr/local   \
    --enable-silent-rules
make
make install


Install SiLK

cd /tmp
tar -zxf /tmp/silk-3.19.1.tar.gz
cd silk-3.19.1
./configure                              \
    --prefix=/usr/local                  \
    --enable-silent-rules                \
    --enable-data-rootdir=/var/silk/data \
    --enable-ipv6                        \
    --enable-ipset-compatibility=3.14.0  \
    --enable-output-compression          \
    --with-python                        \
    --with-python-prefix
make
make install


Install YAF

cd /tmp
tar -zxf /tmp/yaf-2.12.2.tar.gz
cd yaf-2.12.2
./configure                 \
    --prefix=/usr/local     \
    --enable-silent-rules   \
    --enable-applabel       \
    --enable-metadata       \
    --enable-plugins
make
make install
cp /tmp/yaf-2.12.2/etc/init.d/yaf /etc/init.d/yaf
chmod a+x /etc/init.d/yaf


Update Dynamic Linker

$ grep local /etc/ld.so.conf.d/*
/etc/ld.so.conf.d/libc.conf:/usr/local/lib
mv silk.conf /etc/ld.so.conf.d/.
ldconfig


Configuring the tools

Configure SiLK

mkdir -p /var/silk/data
chmod go+rx /var/silk /var/silk/data
cp /usr/local/share/silk/twoway-silk.conf /var/silk/data/silk.conf 


Configure rwflowpack

Next create the sensors.conf file that is used by rwflowpack for collecting data from yaf.

probe S0 ipfix
 listen-on-port 18001
 protocol tcp
 listen-as-host 127.0.0.1
end probe

group my-network
 ipblocks 192.168.1.0/24  # address of ethernet interface. CHANGE THIS.
 ipblocks 10.0.0.0/8      # other blocks considered internal. OPTIONAL.
end group

sensor S0
 ipfix-probes S0
 internal-ipblocks @my-network
 external-ipblocks remainder
end sensor

(Once the entire system is running, if you discover that all your records show up as type ext2ext, it means you did not configure your internal netblocks correctly.)

mv sensors.conf /var/silk/sensors.conf




Referensi