IDS: YAF and SiLK notes from CERT NetSA

From OnnoWiki
Revision as of 07:23, 21 April 2022 by Onnowpurbo

Building the tools

Install Prerequisites

apt -y install build-essential
apt -y install libglib2.0-dev liblzo2-dev zlib1g-dev libgnutls28-dev libpcap-dev python3.8-dev
apt -y install libmaxminddb-dev

Download Software

cd /tmp
wget https://tools.netsa.cert.org/releases/silk-3.19.1.tar.gz
wget https://tools.netsa.cert.org/releases/libfixbuf-2.4.1.tar.gz
wget https://tools.netsa.cert.org/releases/yaf-2.12.2.tar.gz


Install libfixbuf

cd /tmp
tar -zxf /tmp/libfixbuf-2.4.1.tar.gz
cd libfixbuf-2.4.1
./configure               \
    --prefix=/usr/local   \
    --enable-silent-rules
make
make install


Install SiLK

cd /tmp
tar -zxf /tmp/silk-3.19.1.tar.gz
cd silk-3.19.1
./configure                              \
    --prefix=/usr/local                  \
    --enable-silent-rules                \
    --enable-data-rootdir=/var/silk/data \
    --enable-ipv6                        \
    --enable-ipset-compatibility=3.14.0  \
    --enable-output-compression          \
    --with-python                        \
    --with-python-prefix
make
make install


Install YAF

cd /tmp
tar -zxf /tmp/yaf-2.12.2.tar.gz
cd yaf-2.12.2
./configure                 \
    --prefix=/usr/local     \
    --enable-silent-rules   \
    --enable-applabel       \
    --enable-metadata       \
    --enable-plugins
make
make install
cp /tmp/yaf-2.12.2/etc/init.d/yaf /etc/init.d/yaf
chmod a+x /etc/init.d/yaf


Update Dynamic Linker

Check whether /usr/local/lib (where libfixbuf, SiLK and YAF install their shared libraries) is on the dynamic linker search path:

grep local /etc/ld.so.conf.d/*

Typical output:

(debian)
/etc/ld.so.conf.d/libc.conf:/usr/local/lib
(ubuntu)
/etc/ld.so.conf.d/x86_64-linux-gnu.conf:/usr/local/lib/x86_64-linux-gnu

ldconfig

Optional: if /usr/local/lib itself is missing from the output (the Ubuntu line above lists only the multiarch subdirectory), create a file silk.conf containing the single line /usr/local/lib, drop it into the ld.so.conf.d directory and run ldconfig again:

mv silk.conf /etc/ld.so.conf.d/silk.conf
ldconfig

Configuring the tools

Configure SiLK

mkdir -p /var/silk/data
chmod go+rx /var/silk /var/silk/data
cp /usr/local/share/silk/twoway-silk.conf /var/silk/data/silk.conf


Configure rwflowpack

Next create the sensors.conf file that is used by rwflowpack for collecting data from yaf.

cd /usr/local/etc
vi sensors.conf


probe S0 ipfix
 listen-on-port 18001
 protocol tcp
 listen-as-host 127.0.0.1
end probe

group my-network
 ipblocks 192.168.0.0/24  # address of ethernet interface. CHANGE THIS.
 ipblocks 10.0.0.0/8      # other blocks considered internal. OPTIONAL.
end group

sensor S0
 ipfix-probes S0
 internal-ipblocks @my-network
 external-ipblocks remainder
end sensor

(Once the entire system is running, if you discover that all your records show up as type ext2ext, it means you did not configure your internal netblocks correctly.)

mv sensors.conf /var/silk/sensors.conf
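The ext2ext symptom in the note above comes from how rwflowpack labels each flow: both endpoints are tested against the group's ipblocks, and a flow whose source and destination are both outside them is ext2ext. The script below is an added example, not code from the page or from the SiLK distribution; it re-implements that decision in POSIX shell for the sensors.conf text shown above (embedded inline as a constructed sample) so you can see which addresses a given ipblocks list treats as internal. The helper names (ip4_to_int, group_blocks, in_cidr, classify, flow_type) are my own, and the model is simplified: real SiLK also distinguishes web and null subtypes.

```shell
#!/bin/sh
# Added example, not part of SiLK or the wiki page: classify IPv4 addresses
# against the "group" ipblocks of a sensors.conf, the way rwflowpack decides
# between in / out / int2int / ext2ext. Simplified: no web/null subtypes.

# Constructed sample: the sensors.conf from the page.
SENSORS_CONF_SAMPLE='probe S0 ipfix
 listen-on-port 18001
 protocol tcp
 listen-as-host 127.0.0.1
end probe

group my-network
 ipblocks 192.168.0.0/24  # address of ethernet interface. CHANGE THIS.
 ipblocks 10.0.0.0/8      # other blocks considered internal. OPTIONAL.
end group

sensor S0
 ipfix-probes S0
 internal-ipblocks @my-network
 external-ipblocks remainder
end sensor'

# ip4_to_int A.B.C.D -> 32-bit integer
ip4_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# group_blocks GROUP: print the ipblocks CIDRs of that group (stdin = sensors.conf text)
group_blocks() {
    awk -v g="$1" '
        $1 == "group" && $2 == g     { ingrp = 1; next }
        $1 == "end" && $2 == "group" { ingrp = 0 }
        ingrp && $1 == "ipblocks"    { print $2 }'
}

# in_cidr IP CIDR: succeed when IP lies inside CIDR
in_cidr() {
    ip=$(ip4_to_int "$1")
    net=$(ip4_to_int "${2%/*}")
    bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# classify IP GROUP CONF_TEXT: print "int" if IP is in any ipblocks of GROUP, else "ext"
classify() {
    for cidr in $(printf '%s\n' "$3" | group_blocks "$2"); do
        if in_cidr "$1" "$cidr"; then
            echo int
            return 0
        fi
    done
    echo ext
}

# flow_type SRC DST: SiLK-style type name for a flow between the two addresses
flow_type() {
    s=$(classify "$1" my-network "$SENSORS_CONF_SAMPLE")
    d=$(classify "$2" my-network "$SENSORS_CONF_SAMPLE")
    echo "${s}2${d}" | sed -e 's/^ext2int$/in/' -e 's/^int2ext$/out/'
}

# A LAN that really uses 172.16.0.0/16 but is not listed in the group is
# classified external on both ends, which is exactly the all-ext2ext symptom.
flow_type 192.168.0.5 8.8.8.8   # out
flow_type 8.8.8.8 192.168.0.5   # in
flow_type 172.16.0.5 8.8.8.8    # ext2ext
```

To check your own file, replace SENSORS_CONF_SAMPLE with `$(cat /var/silk/sensors.conf)` and feed flow_type a source and destination taken from a flow that rwcut reported as ext2ext.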

Copy rwflowpack to init.d

cd /usr/local
cp share/silk/etc/init.d/rwflowpack /etc/init.d/rwflowpack
cp share/silk/etc/rwflowpack.conf /usr/local/etc/rwflowpack.conf

Edit

vi /usr/local/etc/rwflowpack.conf
ENABLED=1
statedirectory=/var/silk
SENSOR_CONFIG=/var/silk/sensors.conf
ARCHIVE_DIR=  # empty
LOG_TYPE=legacy
LOG_DIR=/var/log
PID_DIR=/var/run

Start rwflowpack (a message about "contains no runlevels, aborting" is non-fatal):

systemctl enable rwflowpack
systemctl start rwflowpack.service

or

/etc/init.d/rwflowpack start

Look at the rwflowpack log file, /var/log/rwflowpack-YYYYMMDD.log, to ensure that it is running.

cat /var/log/rwflowpack-YYYYMMDD.log

Start YAF

Edit

vi /usr/local/etc/yaf.conf
ENABLED=1
YAF_CAP_IF=enp0s3      # Ensure this is correct for your machine
YAF_IPFIX_PORT=18001   # Must match value in sensors.conf
YAF_EXTRAFLAGS="--silk --applabel --max-payload=512"


Start YAF (again, a message about "contains no runlevels, aborting" is non-fatal):

systemctl enable yaf
systemctl start yaf.service

or

/etc/init.d/yaf start

Look at the yaf log file, /var/log/yaf.log, to ensure that it is running.


cat /var/log/yaf.log

Check the rwflowpack log file again to ensure that it received a connection from yaf. There should be a message similar to the following (the port number will likely differ):

'S0': accepted connection from 127.0.0.1:36734

If nothing is happening, it could be that yaf is waiting for network traffic. Follow the steps in the next section to generate some.

Generate traffic

ping -c 4 8.8.8.8

You may have to wait 5 or 10 minutes for the first records to be flushed, but you should see messages in the rwflowpack log file that it is creating files. You may check the status of YAF and rwflowpack with the following commands:

systemctl status yaf.service
systemctl status rwflowpack.service

(You may need to include the --no-pager and -l switches to get useful information from systemctl.)
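The hand-off between the two daemons depends on three things the text above asks you to verify by hand: YAF_IPFIX_PORT in yaf.conf equals the probe's listen-on-port in sensors.conf, the rwflowpack log shows the accepted connection, and later shows files being created. The script below is an added example (not code from the page or from the NetSA tools) that performs those checks; the yaf.conf and sensors.conf content is copied from the page, the log lines are constructed to carry the quoted phrases, and the function names are my own. Point health at the real files on a live sensor.

```shell
#!/bin/sh
# Added example, not part of the NetSA tools or the wiki page: a post-start
# sanity check of the yaf -> rwflowpack hand-off. Sample files are constructed
# in a temp dir so the script runs without the daemons.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

cat >"$WORK/yaf.conf" <<'EOF'
ENABLED=1
YAF_CAP_IF=enp0s3      # Ensure this is correct for your machine
YAF_IPFIX_PORT=18001   # Must match value in sensors.conf
YAF_EXTRAFLAGS="--silk --applabel --max-payload=512"
EOF

cat >"$WORK/sensors.conf" <<'EOF'
probe S0 ipfix
 listen-on-port 18001
 protocol tcp
 listen-as-host 127.0.0.1
end probe
EOF

# Constructed log lines; only the quoted phrases come from the page.
cat >"$WORK/rwflowpack.log" <<'EOF'
Apr 21 07:20:01 rwflowpack[1234]: 'S0': accepted connection from 127.0.0.1:36734
Apr 21 07:30:05 rwflowpack[1234]: Creating file /var/silk/data/out/2022/04/21/out-S0_20220421.07
EOF

# yaf_port FILE: numeric YAF_IPFIX_PORT value, trailing comment ignored
yaf_port() {
    sed -n 's/^YAF_IPFIX_PORT=\([0-9][0-9]*\).*/\1/p' "$1"
}

# probe_port PROBE FILE: listen-on-port inside the named probe block
probe_port() {
    awk -v p="$1" '
        $1 == "probe" && $2 == p     { inp = 1; next }
        $1 == "end" && $2 == "probe" { inp = 0 }
        inp && $1 == "listen-on-port" { print $2 }' "$2"
}

# ports_match PROBE YAF_CONF SENSORS_CONF: succeed when both sides use the same port
ports_match() {
    y=$(yaf_port "$2")
    s=$(probe_port "$1" "$3")
    [ -n "$y" ] && [ "$y" = "$s" ]
}

# yaf_connected PROBE LOG: succeed once rwflowpack accepted a connection for PROBE
yaf_connected() {
    grep -q "'$1': accepted connection from" "$2"
}

# files_created LOG: succeed once rwflowpack reports creating output files
files_created() {
    grep -qi 'creating' "$1"
}

# health PROBE YAF_CONF SENSORS_CONF LOG: one-line summary of the three checks
health() {
    if ports_match "$1" "$2" "$3"; then r="ports=ok"; else r="ports=MISMATCH"; fi
    if yaf_connected "$1" "$4"; then r="$r conn=ok"; else r="$r conn=none"; fi
    if files_created "$4"; then r="$r files=ok"; else r="$r files=none"; fi
    echo "$r"
}

health S0 "$WORK/yaf.conf" "$WORK/sensors.conf" "$WORK/rwflowpack.log"
# Live system: health S0 /usr/local/etc/yaf.conf /var/silk/sensors.conf /var/log/rwflowpack-YYYYMMDD.log
```

A "ports=MISMATCH" result explains a yaf that starts cleanly but never appears in the rwflowpack log; "conn=ok files=none" usually just means the first flush interval has not passed yet.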


Run a test query

/usr/local/bin/rwfilter --sensor=S0 --type=all --all=stdout \
| rwcut --tail-recs=10
