Recently in Operating Systems Category

Author: JD Durick

Problem

This recipe demonstrates how to configure Snort/ACID on Solaris (8 on the console, 9 on the sensor), using nemesis.XXXXX.org as our test ACID console and washint1.XXXXX.org as our test remote sensor. It also shows how to configure snort so that alerts from the sensor are logged remotely to the mysql database on nemesis.XXXXX.org.


Requirements

1. Solaris 8 should be installed on nemesis.XXXXX.org.
2. Solaris 9 should be installed on washint1.XXXXX.org.
3. Compilation and configuration of the following packages/binaries is required:
a. snort 2.3.0
b. mysql 4.0.23 is necessary for nemesis and mysql client libraries are needed for all remote sensors. Mysql will (by default) be installed in the /usr/local/mysql directory.
c. libpcap is needed for snort to sniff the network.
d. libnet
e. apache 1.3.
f. openssl 0.9.
g. mod_ssl
h. php
i. jpgraph
j. adodb
k. acid
l. pcre


Solution

Installing and configuring Snort/ACID goes as follows:

1. Become root.

# su - root

Set your shell, path and environment variables so the mysql client libraries are found:

# bash
# export LD_LIBRARY_PATH=/usr/local/lib:/usr/local/mysql/lib/mysql

2. Install mysql-4.0.23 on nemesis (version 4).

# gunzip -d mysql-4.0.23-sol8-sparc-local.gz
# pkgadd -d mysql-4.0.23-sol8-sparc-local

If you want a more recent mysql, download a source distribution and compile it:
http://www.mysql.com/downloads

Compilation instructions can be found at:
http://www.mysql.com/doc/en/Solaris.html

3. Configuration of Mysql-4.0.23

# mysql -u root -p

Set a password for root's local access (a fresh install has none):

mysql> set password for 'root'@'localhost' = password('your_password');

Drop the test database, which any account can write to:

mysql> drop database test;

Delete the anonymous accounts (the direct table edits only take effect after flush privileges):

mysql> connect mysql
mysql> delete from user where user='';
mysql> delete from db where user='';
mysql> flush privileges;
mysql> exit

Make soft link to mysql binary

# ln -s /usr/local/mysql/bin/mysql /usr/bin/mysql

4. Installation of snort-2.3.0

# gunzip -c snort-2.3.0.tar.gz | tar xvf -
# cd snort-2.3.0
# ./configure --with-mysql=/usr/local/mysql --host=sparc-sun-solaris2.9
# make; make install

If you don't have pcre installed, build it from source before building snort-2.3.0, and make sure your LD_LIBRARY_PATH is set correctly afterwards. Only the mysql client libraries are needed for snort-2.3.0 to log to mysql, but they have to be installed on the remote sensor before snort is compiled, because configure links against them.

To send alerts to the remote database, add the following output line to snort.conf on the sensor:

output database: log, mysql, user=snort password=your_snort_password dbname=snort host=128.29.210.16

128.29.210.16 is nemesis.XXXXX.org, or whichever host runs the database; the password is the one given to the snort mysql user in step 5. Note that snort's mysql connection is not encrypted: the credentials and every alert cross the network in the clear between sensor and console, so restrict the snort user's grant to the sensor's address and keep port 3306 on the console reachable only from the sensors.

5. Create database for snort

# mysql -u root -p
mysql> create database snort;

Install the tables using create_mysql and snortdb-extra.gz from the snort source tree. In our case these files had to be copied from the remote sensor, washint1.XXXXX.org, over to nemesis.XXXXX.org. Put them in the /tmp directory, unpack the extra file from the shell, then source both from the mysql prompt with the snort database selected:

# gunzip /tmp/snortdb-extra.gz
# mysql -u root -p snort
mysql> source /tmp/create_mysql
mysql> source /tmp/snortdb-extra

This will create the necessary tables and data for the snort database within mysql. One interesting problem I found, snortdb-extra.gz does not come with some snort-2.3.0 builds. To get around this, you might have to go down one level to snort-2.2.0, then get the snortdb-extra.gz file from there.

Create the snort user and give it only the rights it needs on the snort database (set password on its own fails when the user row does not exist yet):

mysql> connect mysql
mysql> grant insert, select, update on snort.* to 'snort'@'localhost' identified by 'your_password';
mysql> grant insert, select, update on snort.* to 'snort'@'%' identified by 'your_password';
mysql> flush privileges;

'%' lets any host that can reach the database log in with these credentials; on a production console replace it with the sensor's name or address, e.g. 'snort'@'washint1.XXXXX.org'. Add delete to the localhost grant only if ACID is to purge alerts.


6. Test whether or not the tables were created.

# mysql -u root -p
mysql> connect snort
mysql> show tables;

+------------------+
| Tables_in_snort |
+------------------+
| acid_ag |
| acid_ag_alert |
| acid_event |
| acid_ip_cache |
| data |
| detail |
| encoding |
| event |
| flags |
| icmphdr |
| iphdr |
| opt |
| protocols |
| reference |
| reference_system |
| schema |
| sensor |
| services |
| sig_class |
| sig_reference |
| signature |
| tcphdr |
| udphdr |
+------------------+
23 rows in set (0.02 sec)

mysql> exit

7. Installation of Apache & mod_ssl

Get a copy of openssl, mod_ssl, and apache from the following locations:

http://www.openssl.org/source/openssl-0.9.7e.tar.gz
http://www.modssl.org/source/mod_ssl-2.8.22-1.3.33.tar.gz
http://www.apache.org/dist/httpd/apache_1.3.33.tar.gz

bash-2.05# gunzip -c openssl-0.9.7e.tar.gz | tar xvf -
bash-2.05# gunzip -c mod_ssl-2.8.22-1.3.33.tar.gz | tar xvf -
bash-2.05# gunzip -c apache_1.3.33.tar.gz | tar xvf -
bash-2.05# cd openssl-0.9.7e
bash-2.05# sh config -fPIC
bash-2.05# make
bash-2.05# make test (optional)
bash-2.05# make install (optional)

bash-2.05# cd ../mod_ssl-2.8.22-1.3.33
bash-2.05# ./configure --with-apache=../apache_1.3.33 --with-ssl=../openssl-0.9.7e --prefix=/usr/local/apache --enable-shared=ssl
bash-2.05# cd ../apache_1.3.33
bash-2.05# make
bash-2.05# make certificate TYPE=custom
bash-2.05# make install

Configure the httpd.conf file, I am assuming you know how to configure this configuration file.
I will use the path "/web" for the DocumentRoot in Apache for the rest of installation.

Test your configuration:

bash-2.05# ln -s /usr/local/apache/bin/apachectl /usr/local/bin/apache
bash-2.05# apache start

http://your_acid_computer/

bash-2.05# apache stop
bash-2.05# apache startssl

https://your_acid_computer/

8. PHP & Apache/mod_ssl configuration

Download php from: http://www.php.net/
bash-2.05# wget http://us2.php.net/get/php-4.3.10.tar.gz/from/this/mirror
bash-2.05# gunzip -c php-4.3.10.tar.gz | tar xvf -
bash-2.05# cd php-4.3.10
bash-2.05# CFLAGS='-DEAPI' ./configure --with-apxs=/usr/local/apache/bin/apxs --with-mysql=/usr/local/mysql --with-zlib=/usr/local --with-gd
bash-2.05# make
bash-2.05# make install

Verify that all these lines have been added in your "httpd.conf" in "/usr/local/apache/conf" :

LoadModule php4_module libexec/libphp4.so
AddModule mod_php4.c
AddType application/x-httpd-php .php
You can add "index.php" in the DirectoryIndex property too.

Restart apache :
bash-2.05# apache stop
bash-2.05# apache startssl

Test your php configuration

Create a file "test.php" containing a single line of PHP that prints the date, for example <?php echo date("r"); ?>, and place it in your DocumentRoot, here "/web".
Open your browser and see the result:
https://your_acid_computer/test.php
If you see the date, it's OK. Remove test.php afterwards rather than leaving test scripts in the DocumentRoot.

9. ACID installation and corresponding packages. We assume the Apache DocumentRoot is /web, so everything below is copied there. ACID has no login of its own and acid_conf.php holds the database password, so protect /web/acid with Apache authentication (a <Directory "/web/acid"> block with AuthType Basic, served only over the SSL virtual host) before exposing the console to the network.

bash-2.05# gunzip -c jpgraph-1.12.1.tar.gz | tar xvf -
bash-2.05# gunzip -c adodb340.tgz | tar xvf -
bash-2.05# gunzip -c acid-0.9.6b23.tar.gz | tar xvf -
bash-2.05# cp -R jpgraph-1.12.1 /web/jpgraph
bash-2.05# cp -R adodb /web/
bash-2.05# cp -R acid /web/
bash-2.05# vi /web/acid/acid_conf.php

Configuration of Acid and corresponding packages
$DBlib_path = "../adodb";
$DBtype = "mysql";
$alert_dbname = "snort";
$alert_host = "localhost";
$alert_port = "";
$alert_user = "snort";
$alert_password = "your_snort_password";
$ChartLib_path = "../jpgraph/src";

You can verify your setup, this time as the snort user, in the following way:
bash-2.05# mysql -u snort -p
mysql> connect snort
mysql> show tables;
+------------------+
| Tables_in_snort |
+------------------+
| acid_ag |
| acid_ag_alert |
| acid_event |
| acid_ip_cache |
| data |
| detail |
| encoding |
| event |
| icmphdr |
| iphdr |
| opt |
| reference |
| reference_system |
| schema |
| sensor |
| sig_class |
| sig_reference |
| signature |
| tcphdr |
| udphdr |
+------------------+
20 rows in set (0.00 sec)
mysql> exit

Final step: start snort on the sensor and open the ACID console.

bash-2.05# snort -devyq -c /usr/local/snort/etc/snort.conf -l /var/snort/log -D

https://your_acid_computer/acid/acid_main.php

You should now see alerts arriving in your mysql database. You might want to nmap your sensor, or write a custom rule that matches traffic you can generate on demand, to verify that it is actually working correctly.
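The two places this recipe most often goes wrong are the "output database:" line in snort.conf (a missing password= makes snort log in with an empty password) and the snort account's grants on the console. The script below is an added example, not part of the original recipe: it checks a snort.conf for a complete output line and prints grants scoped to the snort database and to one named sensor host instead of '%'. The sample snort.conf is constructed, washint1.XXXXX.org is the sensor from this page, and the exact privilege set (insert/select/update for the sensor, plus delete for the local ACID console) is an assumption you may trim further.

```shell
#!/bin/sh
# snort_db_check.sh: sanity-check the "output database:" line of a sensor's
# snort.conf and print the MySQL grants the console should carry for it.
# Added example, not part of the original recipe; the sample config below is
# constructed and the privilege set is an assumption.

# db_field LINE KEY: print the value of KEY=value on an "output database:" line,
# empty if the key is absent. Fields are space separated, so split on spaces.
db_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# output_db_line CONF: print the first uncommented "output database:" line.
output_db_line() {
    grep -v '^[[:space:]]*#' "$1" | grep 'output database:' | head -n 1
}

# check_output_db CONF: 0 if the line carries host, user, dbname and password,
# 1 (with a reason on stderr) otherwise.
check_output_db() {
    line=$(output_db_line "$1")
    if [ -z "$line" ]; then
        echo "no output database line in $1" >&2
        return 1
    fi
    for key in host user dbname password; do
        if [ -z "$(db_field "$line" "$key")" ]; then
            echo "missing $key= in: $line" >&2
            return 1
        fi
    done
    return 0
}

# grants_for_sensor CONF SENSOR_HOST: emit GRANT statements scoped to the
# database named in snort.conf, for the sensor host only (not '%') plus the
# local ACID console, which additionally gets DELETE so it can purge alerts.
grants_for_sensor() {
    line=$(output_db_line "$1")
    db=$(db_field "$line" dbname)
    user=$(db_field "$line" user)
    pw=$(db_field "$line" password)
    printf "GRANT INSERT, SELECT, UPDATE ON %s.* TO '%s'@'%s' IDENTIFIED BY '%s';\n" \
        "$db" "$user" "$2" "$pw"
    printf "GRANT INSERT, SELECT, UPDATE, DELETE ON %s.* TO '%s'@'localhost' IDENTIFIED BY '%s';\n" \
        "$db" "$user" "$pw"
    printf 'FLUSH PRIVILEGES;\n'
}

# Constructed sample snort.conf fragment for an offline run. The first line is
# commented out and must be ignored; the password is a placeholder.
SAMPLE_CONF='# output database: log, mysql, user=root dbname=snort host=128.29.210.16
output database: log, mysql, user=snort password=your_password dbname=snort host=128.29.210.16
output alert_fast: alert'

# Usage: sh snort_db_check.sh /usr/local/snort/etc/snort.conf washint1.XXXXX.org
# With no arguments the constructed sample above is checked instead.
if [ $# -eq 2 ]; then
    check_output_db "$1" && grants_for_sensor "$1" "$2"
elif [ $# -eq 0 ]; then
    tmp=${TMPDIR:-/tmp}/snort_db_check.$$
    printf '%s\n' "$SAMPLE_CONF" > "$tmp"
    check_output_db "$tmp" && grants_for_sensor "$tmp" washint1.XXXXX.org
    rm -f "$tmp"
fi
```

Pipe the printed statements into mysql as root on the console; a password containing a single quote would need escaping before that.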

Problem

This recipe demonstrates how to install and configure a SILC server on the XXXXX network.

Motivation

The main motivation for this recipe is the desire to communicate effectively with other IDS members, as well as to notify staff of possible virus infections or compromises that may occur during an analyst's rotation.

Assumptions

A server has been designated to serve as the silc server for all silc traffic. For the IDS team, the infosec-scan2.XXXXX.org box has been designated for this use. Currently, we are in the process of moving this over to its final home, nemesis.XXXXX.org.

Requirements

The SILC server (silcd) binds to TCP port 706 (default), which requires root privileges. Additionally, the server requires development tools such as gcc or g++. Platforms that silcd may be installed on are:

- Linux, RedHat 9.0 or newer
- Linux, Mandrake 9.0 or newer
- Linux, Debian 3.0 or newer
- Linux, Slackware 8.1 or newer
- NetBSD 1.6
- FreeBSD 4.7
- OpenBSD 3.2
- Mac OS X 10.2
- HP-UX
- Solaris 8, 9
- IRIX
- AIX

Solution

The following steps implement this solution (which was done on INFOSEC-SCAN2):

The following steps install the silcd server: (Make sure you have installed the silc client on the same machine)
1. cd to the /tmp directory

2. Login as root via "su -"

3. Download the latest silc-server from http://www.silcnet.org (i.e. wget http://www.silcnet.org/download/server/sources/silc-server-0.9.18.tar.gz). The latest version as of this writing is 0.9.18.

4. Unzip and untar the silc-server-0.9.18.tar.gz file

5. gunzip silc-server-0.9.18.tar.gz

6. tar xvf silc-server-0.9.18.tar

7. cd silc-server-0.9.18

8. ./configure;make;make install - for a default installation (this actually creates silc in the /usr/local/silc directory)

9. groupadd silcd

10. useradd -g silcd -s /bin/sh -d /usr/local/silc silcd

11. Create the SILC keypair
/usr/local/silc/sbin/silcd -C /usr/local/silc/etc --identifier="UN=, HN=labgeek.net, RN=JD, E=jd@labgeek.net,C=US"

12. mkdir /etc/silc

13. mkdir /etc/silc/adminkeys

14. Since you have installed the client on the same machine, your personal public key should be found under:
/home//.silc/public_key.pub

15. cp /home//.silc/public_key.pub /etc/silc/adminkeys/admin.pub

16. You may have to copy over the silcd.conf file over to the /etc/silc directory. I am pretty sure it is located in the /usr/local/silc directory.

17. vi /etc/silc/silcd.conf
Change the following:
key_exchange_pfs = true;
detach_timeout=2160; # 36 hours

18. Set your server's information in place
hostname = "[your server's FQDN]";
ip = "[your server's IP address]";
Few lines down there are four lines more that you need to change:
ServerType = "[Purpose of your server]";
Location = "[geographic location of server]";
Admin = "[SILC server administrator's full name, ie. your's]";
AdminEmail = "[SILC server administrator's email address]";

19. Change to server's user account
User = "silcd";
Group = "silcd";

20. Run silcd

/usr/local/silc/sbin/silcd &

You should come up with no errors when executed. Fire up your trusty silc client and start chatting over the silc protocol. More information can be found on silcnet.org.

Closing remarks:
The instructions above allow you to install silcd on a number of systems. However, I have found (on the silcnet mailing lists) that most people have had issues installing silcd on Solaris servers (either 8 or 9). The installation above was done on a Red Hat 9.0 server; future tests will be done on both BSD and Sun servers.

Credits

This recipe was brought to you by JD Durick – 11/17/2004

References

(1) http://www.silcnet.org
(2) https://lists.silcnet.org/mailman/listinfo
(3) http://www.silcnet.org/support/documentation/manual/helps.php


You do not mount a partition of type "Linux LVM" the same way you mount a partition using a standard Linux file system (e.g. ext2, ext3).

# fdisk -l /dev/hda

Disk /dev/hda: 160.0 GB, 160041885696 bytes
255 heads, 63 sectors/track, 19457 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

Device Boot Start End Blocks Id System
/dev/hda1 * 1 13 104391 83 Linux
/dev/hda2 14 19457 156183930 8e Linux LVM

# mount /dev/hda2 /tmp/mnt
mount: /dev/hda2 already mounted or /tmp/mnt busy

First, let's determine the volume group containing the physical volume /dev/hda2.

# pvs
PV VG Fmt Attr PSize PFree
/dev/hda2 VolGroup01 lvm2 a- 148.94G 32.00M
/dev/hdb2 VolGroup00 lvm2 a- 114.94G 96.00M

Next, let's list the logical volumes in VolGroup01.

# lvdisplay /dev/VolGroup01
--- Logical volume ---
LV Name /dev/VolGroup01/LogVol00
VG Name VolGroup01
LV UUID zOQogm-G8I7-a4WC-T7KI-AhWe-Ex3Y-JVzFcR
LV Write Access read/write
LV Status available
# open 0
LV Size 146.97 GB
Current LE 4703
Segments 1
Allocation inherit
Read ahead sectors 0
Block device 253:2

--- Logical volume ---
LV Name /dev/VolGroup01/LogVol01
VG Name VolGroup01
LV UUID araUBI-4eer-uh5L-Dvnr-3bI6-4gYg-APgYy2
LV Write Access read/write
LV Status available
# open 0
LV Size 1.94 GB
Current LE 62
Segments 1
Allocation inherit
Read ahead sectors 0
Block device 253:3

The logical volume I would like to "mount" (in purely the computing-related sense) is /dev/VolGroup01/LogVol00. The other logical volume is a swap partition.

# mount /dev/VolGroup01/LogVol00 /tmp/mnt
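Two things the steps above leave implicit are worth automating when the disk comes from another machine, for example one you are examining after an incident: the volume group has to be activated before /dev/VolGroup01/LogVol00 exists at all (mount otherwise fails with "No such file or directory"), and the volume should be mounted read-only, with noexec/nosuid/nodev, so nothing on it is modified or run. The script below is an added example and not part of the original post. It parses pvs and lvdisplay output (the post's own output is embedded so it runs offline), skips the swap volume you name, and prints the commands rather than running them; /mnt/evidence is an assumed mount point.

```shell
#!/bin/sh
# lvm_mount_plan.sh: find which volume group a physical volume belongs to,
# list the logical volumes in it, and print the commands that activate the
# group and mount each volume read-only for inspection. Added example, not
# from the original post; the pvs/lvdisplay text below is the post's own
# output, embedded so the script runs offline, and /mnt/evidence is assumed.

# vg_of_pv PV: read `pvs` output on stdin, print the VG column for PV.
# The header line is skipped because its first field is "PV", not a device.
vg_of_pv() {
    awk -v pv="$1" '$1 == pv { print $2 }'
}

# lv_paths: read `lvdisplay /dev/VG` output on stdin, print each "LV Name".
lv_paths() {
    awk '$1 == "LV" && $2 == "Name" { print $3 }'
}

# mount_plan VG BASE [LV_TO_SKIP ...]: read lvdisplay output on stdin and
# print the commands. The group is activated first, then each volume is
# mounted ro,noexec,nosuid,nodev so nothing on the disk can be written or
# executed while it is examined. Swap volumes have no file system and are
# passed in as LV_TO_SKIP.
mount_plan() {
    vg=$1; base=$2; shift 2
    skip=" $* "
    echo "vgchange -a y $vg"
    lv_paths | while read -r lv; do
        case "$skip" in *" $lv "*) continue ;; esac
        name=${lv##*/}
        echo "mkdir -p $base/$name"
        echo "mount -o ro,noexec,nosuid,nodev $lv $base/$name"
    done
}

# Output captured from the post, used as offline input below.
PVS_OUT='PV         VG         Fmt  Attr PSize   PFree
/dev/hda2  VolGroup01 lvm2 a-   148.94G 32.00M
/dev/hdb2  VolGroup00 lvm2 a-   114.94G 96.00M'
LVDISPLAY_OUT='--- Logical volume ---
LV Name                /dev/VolGroup01/LogVol00
VG Name                VolGroup01
LV Status              available
LV Size                146.97 GB
--- Logical volume ---
LV Name                /dev/VolGroup01/LogVol01
VG Name                VolGroup01
LV Status              available
LV Size                1.94 GB'

# Usage on a live system:
#   pvs | vg_of_pv /dev/hda2
#   lvdisplay /dev/VolGroup01 | mount_plan VolGroup01 /mnt/evidence /dev/VolGroup01/LogVol01
# With no arguments the embedded output from the post is used instead.
if [ $# -eq 0 ]; then
    vg=$(printf '%s\n' "$PVS_OUT" | vg_of_pv /dev/hda2)
    printf '%s\n' "$LVDISPLAY_OUT" | mount_plan "$vg" /mnt/evidence /dev/VolGroup01/LogVol01
fi
```

Run the printed commands as root once you have checked them; on an ext3 volume, adding noload to the mount options also prevents the journal from being replayed onto the disk.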

Reverse ssh tunnel to use SVN from my NAT'd honeywall behind HC3
Notes for me:

To use the svn client from my honeywall, which is NAT'd behind HC3:
1. login to HC2
2. ssh -R 8080:prxyaddress.mitre.org:80 honeyclient3-adm.mitre.org (that should open up port 8080 on HC3; sshd binds a -R listener to HC3's loopback only unless GatewayPorts is enabled there, so for the honeywall to reach it on 192.168.0.1 set GatewayPorts yes, or clientspecified together with an explicit -R 192.168.0.1:8080:prxyaddress.mitre.org:80)
3. enter password for HC3
3a. Log in either via putty/ssh command line
ssh tunnel: L127.0.0.1:902 127.0.0.1:902 (PuTTY local forward; the ssh equivalent is -L 902:127.0.0.1:902)
Login to the VMware remote console with localhost now.
4. you can specify 192.168.0.1:8080 as your proxy
5. On Honeywall: export http_proxy="http://192.168.0.1:8080"
6. On Honeywall: edit the ~/.subversion/servers file, [global] settings:
http-proxy-host = 192.168.0.1
http-proxy-port = 8080

Make sure servers configuration file is properly formatted (meaning no spaces before configuration settings)

7. test by doing wget http://www.google.com
8. svn co http://scm.developer.mitre.org/svn/honeyclient --username jdurick

Steps to install Mysql 5.0 on OpenBSD 3.9:

1. wget ftp://ftp.openbsd.org/pub/OpenBSD/3.9/packages/i386/mysql-server-5.0.18.tgz
2. wget ftp://ftp.openbsd.org/pub/OpenBSD/3.9/packages/i386/p5-DBD-mysql-3.0002.tgz
3. wget ftp://ftp.openbsd.org/pub/OpenBSD/3.9/packages/i386/p5-DBI-1.45p1.tgz
4. wget ftp://ftp.openbsd.org/pub/OpenBSD/3.9/packages/i386/p5-PlRPC-0.2018.tgz
5. wget ftp://ftp.openbsd.org/pub/OpenBSD/3.9/packages/i386/p5-Net-Daemon-0.38.tgz
6. pkg_add -v mysql-server-5.0.18.tgz p5-DBD-mysql-3.0002.tgz (the other p5-* packages downloaded above are its dependencies; list them too if pkg_add cannot find them on its own)
7. /usr/local/bin/mysql_install_db if the data directory is still empty, then start the server as the unprivileged account the package creates rather than as root: /usr/local/bin/mysqld_safe --user=_mysql &
8. /usr/local/bin/mysqladmin -u root password 'your_password'
9. mysql -u root -p
10. Save the following as testDBI.pl and run it to confirm that the DBD::mysql driver is installed:

#!/usr/bin/perl

# Use what needs to be used.
use strict;
use warnings;
use DBI;

# Ask DBI which DBD drivers it can load; "mysql" must be among them.
my @drivers = DBI->available_drivers();

# Print each driver.
foreach my $driver (@drivers) {
    print "$driver\n";
}

This should yield:
bash-3.1# perl testDBI.pl
DBM
ExampleP
File
Proxy
Sponge
mysql ---->this is what we are looking for

done.

Mass commenting in VIM


CTRL-v (enter visual block mode)
select the lines you want to comment
press I (capital i: insert at the start of every selected line)
enter //
press ESC

Installing JDK on OpenBSD is a little different than other platforms. Since proprietary packages cannot be included with OpenBSD, you'll have to use the Ports tree to install the JDK. There is currently no option to install a standalone Java Runtime Environment without the development kit.

To install the JDK, you are going to have to download (manually, that is) the JDK binaries, source code, and BSD patch sets from a few web sites, then compile from source via the ports tree. It takes forever and then some, but it's the only way I know, and these instructions are based on a few other web sites. Additionally, this process requires a ton of space, so make sure your /usr and /tmp are big enough to handle it. To find out which files you need, first go into /usr/ports/devel/jdk/1.5 and type make; it will bomb out, but it is nice enough to tell you what you need and from which web sites. My install is based on OpenBSD 3.9 as of 07/08/06. Here were the files I needed:

1. j2sdk-1_3_1_16-linux-i586.bin from http://java.sun.com/j2se/1.3/download.html
2. j2sdk-1_4_2-linux-i586.bin from http://java.sun.com/products/archive/j2se/1.4.2/
3. j2sdk-1_4_2-src-scsl.zip, j2sdk-1_4_2-bin-scsl.zip, j2sdk-1_5_0-bin-scsl.zip, and j2sdk-1_5_0-src-scsl.zip from http://wwws.sun.com/software/communitysource/j2se/java2/download.html
4. bsd-jdk14-patches-7.tar.gz and bsd-jdk15-patches-2.tar.bz2 from http://www.eyesbeyond.com/freebsddom/java/jdk14.html
5. I also needed xalan-j_2_7_0-bin.tar.gz and jdk-1_5_0-solaris-i586.tar.Z
xalan can be found at: http://www.apache.org/dist/xml/xalan-j

Additionally, you will need to point JAVA_HOME at the install and add its bin directory to your path:

export JAVA_HOME=/usr/local/jdk-1.5.0
export PATH=$JAVA_HOME/bin:$PATH

References:
1. http://www.thejemreport.com/mambo/content/view/246/1
2. http://www.weblog.nohair.net/archives/000698.html
3. http://intricatesoftware.com:81/OpenBSD/java/jdk14.html
4. http://bsdgangster.org/modules.php?name=Content&file=viewarticle&id=11

Note: To install eclipse on OpenBSD 3.9, you can now go to: /usr/ports/devel/eclipse and type make install - all should work fine as it did for me. Subversion should compile ok too.

I found a xorg.conf file that works with my Dell 800, running OpenBSD 3.9 it can be found at this site.

I am sure most people know how to do this, but I thought I would document my steps in case I ever have to do this again. You can install OpenBSD in other ways, but having a bootable CD-ROM makes things quite easy; I can't even remember when I last used a floppy.

Anyway, this example was done for OpenBSD 3.9, architecture i386.

1. To start you will need to have the mkisofs binary on your system.
2. Next we need to make a few directories which will be the file system hierarchy. The top directory will be called "OpenBSD". The next directory down will be the version number of the OpenBSD release (3.9). The next directory down from that will be the architecture type (i386). In the architecture directory is where the install files will be going. Here is a quick example of making the hierarchy in the /tmp directory. Please switch to the root account to perform any steps if necessary.

/tmp> mkdir -p OpenBSD/3.9/i386
/tmp> cd OpenBSD/3.9/i386
3. Now stay in the "i386" directory. This is where we are going to put our install binaries. Find a mirror and download the following binaries (below) from the i386 architecture directory like ftp://ftp3.usa.openbsd.org/pub/OpenBSD/3.9/i386. The following commands will download the entire remote directory to the current local directory if you have the program ncftp or wget installed.

/tmp/OpenBSD/3.9/i386>

wget --passive-ftp ftp://ftp3.usa.openbsd.org/pub/OpenBSD/3.9/i386/*

CKSUM          02-Mar-2006   562
INSTALL.i386   02-Mar-2006   92K
INSTALL.linux  02-Mar-2006   22K
MD5            02-Mar-2006   1.0K
base39.tgz     02-Mar-2006   39M
bsd            02-Mar-2006   5.2M
bsd.mp         02-Mar-2006   5.2M
bsd.rd         02-Mar-2006   4.5M
cd39.iso       02-Mar-2006   4.6M
cdboot         02-Mar-2006   41K
cdbr           02-Mar-2006   2.0K
cdemu39.iso    02-Mar-2006   2.9M
cdrom39.fs     02-Mar-2006   2.8M
comp39.tgz     02-Mar-2006   72M
etc39.tgz      02-Mar-2006   1.1M
floppy39.fs    02-Mar-2006   1.4M
floppyB39.fs   02-Mar-2006   1.4M
floppyC39.fs   02-Mar-2006   1.4M
game39.tgz     02-Mar-2006   2.5M
index.txt      20-Jan-2006   269
man39.tgz      02-Mar-2006   7.1M
misc39.tgz     02-Mar-2006   2.2M
pxeboot        02-Mar-2006   50K
xbase39.tgz    10-Mar-2006   10M
xetc39.tgz     10-Mar-2006   88K
xfont39.tgz    10-Mar-2006   32M
xserv39.tgz    10-Mar-2006   19M
xshare39.tgz   10-Mar-2006   2.0M

4. Now we will make the ISO image. Go back up to the "OpenBSD" directory and run "mkisofs" with the options below. cdrom39.fs is the boot image for the CD; if it has boot problems on your computer, try floppy39.fs as the boot image instead. See the mkisofs man page for what the options do. Note that the output file is written inside /tmp/OpenBSD, the very tree being imaged: if OpenBSD39.iso is already there from an earlier run, mkisofs packs the old image into the new one, roughly doubling its size and leaving an ISO inside your ISO. Delete the old image first (or write the new one outside the tree):

/tmp/OpenBSD/3.9/i386> cd ../../
/tmp/OpenBSD> rm -f OpenBSD39.iso
/tmp/OpenBSD> mkisofs -vrTJV "OpenBSD39" -b 3.9/i386/cdrom39.fs -c boot.catalog -o OpenBSD39.iso /tmp/OpenBSD/
5. Now you should have an ISO image named "OpenBSD39.iso" in the /tmp/OpenBSD directory. Check the downloaded sets against the MD5 file from the same directory before burning it with something like xcdroast.
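Since the sets were pulled from a mirror over plain FTP, it is worth checking them against the MD5 file in the same directory (lines of the form "MD5 (base39.tgz) = <hex>") before the image is burned and booted. The script below is an added example, not part of the original post. It only proves the files match the MD5 file you downloaded with them: to rule out a tampered mirror, compare that MD5 file against the copy on the official site or the CD. The sample files it creates when run without arguments are constructed, not real OpenBSD sets.

```shell
#!/bin/sh
# verify_sets.sh: check downloaded OpenBSD install sets against the MD5 file
# from the same mirror directory, whose lines look like
#   MD5 (base39.tgz) = 5d41402abc4b2a76b9719d911017c592
# Added example, not from the original post; the files written by the
# no-argument demo are constructed, not real sets.

# md5_of FILE: print the hex digest with whichever tool the host provides
# (md5sum on Linux, md5 on OpenBSD).
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# verify_md5_file MD5FILE DIR: compare every file listed in MD5FILE that exists
# in DIR. Returns 0 only if at least one file was checked and none mismatched;
# files that were not downloaded are reported as SKIP so a partial download
# is visible but does not mask a corrupted or altered set.
verify_md5_file() {
    bad=0
    ok=0
    while IFS= read -r line; do
        case "$line" in
            "MD5 ("*") = "*) ;;
            *) continue ;;            # ignore anything not in BSD digest format
        esac
        name=${line#"MD5 ("}
        name=${name%%")"*}
        want=${line##*"= "}
        f="$2/$name"
        if [ ! -f "$f" ]; then
            echo "SKIP $name (not present)"
            continue
        fi
        got=$(md5_of "$f")
        if [ "$got" = "$want" ]; then
            ok=$((ok + 1))
            echo "OK   $name"
        else
            bad=$((bad + 1))
            echo "FAIL $name: expected $want, got $got"
        fi
    done < "$1"
    [ "$bad" -eq 0 ] && [ "$ok" -gt 0 ]
}

# Usage: sh verify_sets.sh /tmp/OpenBSD/3.9/i386/MD5 /tmp/OpenBSD/3.9/i386
# Without arguments a constructed set is checked, then tampered with and rechecked.
if [ $# -eq 2 ]; then
    verify_md5_file "$1" "$2"
elif [ $# -eq 0 ]; then
    d=${TMPDIR:-/tmp}/verify_sets.$$
    mkdir -p "$d"
    printf 'constructed, not a real set\n' > "$d/base39.tgz"
    printf 'MD5 (base39.tgz) = %s\nMD5 (comp39.tgz) = 00000000000000000000000000000000\n' \
        "$(md5_of "$d/base39.tgz")" > "$d/MD5"
    verify_md5_file "$d/MD5" "$d" && echo "clean download: pass"
    printf 'x' >> "$d/base39.tgz"
    verify_md5_file "$d/MD5" "$d" || echo "tampered set: fail (as expected)"
    rm -rf "$d"
fi
```

The exit status is what a burn script should branch on; the OK/SKIP/FAIL lines are there for a human reading the log.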

Other resources: http://www.pantz.org/os/openbsd/makingaopenbsdcd.html

Below are some quick startup notes for me:
I was root when I did this, yes, I know.

1. cd /
2. svnadmin create svn
3. svn mkdir file:///svn/trunk file:///svn/branches file:///svn/tags -m "creating initial repository layout"
4. Now lets import our project files.
cd /projects
svn import PING file:///svn/trunk -m "Importing my project files"
5. Now after we imported them, lets check them out
6. cd /data
7. svn co file:///svn/trunk PING
8. Now the project files have been checked out to /data/PING

Ok, so now we have the files we want; how do we get them up on our Apache web server? Here are the directions I followed:

This is straight from the INSTALL doc, read it below...Additional information can be found here:
http://www.unix-tutorials.com/go.php?id=533
