IDS: YaF SiLK catatan dari CERT NetSA: Difference between revisions

Created page with " ==Referensi== * https://tools.netsa.cert.org/silk/silk-on-box-deb.html"
 
 
(8 intermediate revisions by the same user not shown)
=Building the tools=


==Install Prerequisites==


apt -y install build-essential
apt -y install libglib2.0-dev liblzo2-dev zlib1g-dev libgnutls28-dev libpcap-dev python3.8-dev
apt -y install libmaxminddb-dev


==Download Software==
cd /tmp
wget https://tools.netsa.cert.org/releases/silk-3.19.1.tar.gz
wget https://tools.netsa.cert.org/releases/libfixbuf-2.4.1.tar.gz
wget https://tools.netsa.cert.org/releases/yaf-2.12.2.tar.gz
==Install libfixbuf==
cd /tmp
tar -zxf /tmp/libfixbuf-2.4.1.tar.gz
cd libfixbuf-2.4.1
./configure              \
    --prefix=/usr/local  \
    --enable-silent-rules
make
make install
==Install SiLK==
cd /tmp
tar -zxf /tmp/silk-3.19.1.tar.gz
cd silk-3.19.1
./configure                              \
    --prefix=/usr/local                  \
    --enable-silent-rules                \
    --enable-data-rootdir=/var/silk/data \
    --enable-ipv6                        \
    --enable-ipset-compatibility=3.14.0  \
    --enable-output-compression          \
    --with-python                        \
    --with-python-prefix
make
make install
==Install YAF==
cd /tmp
tar -zxf /tmp/yaf-2.12.2.tar.gz
cd yaf-2.12.2
./configure                \
    --prefix=/usr/local    \
    --enable-silent-rules  \
    --enable-applabel      \
    --enable-metadata      \
    --enable-plugins
make
make install
cp /tmp/yaf-2.12.2/etc/init.d/yaf /etc/init.d/yaf
chmod a+x /etc/init.d/yaf
==Update Dynamic Linker==
$ grep local /etc/ld.so.conf.d/*
(debian)
/etc/ld.so.conf.d/libc.conf:/usr/local/lib
(ubuntu)
/etc/ld.so.conf.d/x86_64-linux-gnu.conf:/usr/local/lib/x86_64-linux-gnu
ldconfig
Optional,
(debian)
mv silk.conf /etc/ld.so.conf.d/.
(ubuntu)
mv silk.conf /etc/ld.so.conf.d/x86_64-linux-gnu.conf/.
ldconfig
=Configuring the tools=
==Configure SiLK==
mkdir -p /var/silk/data
chmod go+rx /var/silk /var/silk/data
cp /usr/local/share/silk/twoway-silk.conf /var/silk/data/silk.conf
==Configure rwflowpack==
Next create the sensors.conf file that is used by rwflowpack for collecting data from yaf.
cd /usr/local/etc
vi sensors.conf
probe S0 ipfix
  listen-on-port 18001
  protocol tcp
  listen-as-host 127.0.0.1
end probe
group my-network
  ipblocks 192.168.0.0/24  # address of ethernet interface. CHANGE THIS.
  ipblocks 10.0.0.0/8      # other blocks considered internal. OPTIONAL.
end group
sensor S0
  ipfix-probes S0
  internal-ipblocks @my-network
  external-ipblocks remainder
end sensor
(Once the entire system is running, if you discover that all your records show up as type ext2ext, it means you did not configure your internal netblocks correctly.)
mv sensors.conf /var/silk/sensors.conf
Copy rwflowpack untuk init.d
cd /usr/local
cp share/silk/etc/init.d/rwflowpack /etc/init.d/rwflowpack
cp share/silk/etc/rwflowpack.conf /usr/local/etc/rwflowpack.conf
Edit
vi /usr/local/etc/rwflowpack.conf
ENABLED=1
statedirectory=/var/silk
SENSOR_CONFIG=/var/silk/sensors.conf
ARCHIVE_DIR=  # empty
LOG_TYPE=legacy
LOG_DIR=/var/log
PID_DIR=/var/run
Start rwflowpack (a message about "contains no runlevels, aborting" is non-fatal):
systemctl enable rwflowpack
systemctl start rwflowpack.service
atau
/etc/init.d/rwflowpack start
Look at the rwflowpack log file, /var/log/rwflowpack-YYYYYMMDD.log to ensure that it is running.
cat /var/log/rwflowpack-YYYYYMMDD.log
==Start YAF==
Edit
vi /usr/local/etc/yaf.conf
ENABLED=1
YAF_CAP_IF=enp0s3      # Ensure this is correct for your machine
YAF_IPFIX_PORT=18001  # Must match value in sensors.conf
YAF_EXTRAFLAGS="--silk --applabel --max-payload=512"
Restart (contains no runlevels, aborting tidak apa2)
systemctl enable yaf
systemctl start yaf.service
atau
/etc/init.d/yaf start
Look at the yaf log file, /var/log/yaf.log to ensure that it is running.
cat /var/log/yaf.log
Check the rwflowpack log file again to ensure that it received a connection from yaf. There should be a message similar to the following (the port number will likely differ):
'S0': accepted connection from 127.0.0.1:36734
If nothing is happening, it could be that yaf is waiting for network traffic. Follow the steps in the next section to generate some.
==Generate traffic==
ping -c 4 8.8.8.8
You may have to wait 5 or 10 minutes for the first records to be flushed, but you should see messages in the rwflowpack log file that it is creating files. You may check the status of YAF and rwflowpack with the following commands:
systemctl status yaf.service
systemctl status rwflowpack.service
(You may need to include the --no-pager and -l switches to get useful information from systemctl.)
==Run a test query==
/usr/local/bin/rwfilter --sensor=S0 --type=all --all=stdout \
| rwcut --tail-recs=10


==Referensi==
==Referensi==


* https://tools.netsa.cert.org/silk/silk-on-box-deb.html
* https://tools.netsa.cert.org/silk/silk-on-box-deb.html
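Review bot: The optional step at the end of the "Update Dynamic Linker" section moves `silk.conf` into /etc/ld.so.conf.d, but the only silk.conf this revision defines is the SiLK site configuration copied to /var/silk/data/silk.conf, which has nothing to do with the dynamic linker, and the Ubuntu target `/etc/ld.so.conf.d/x86_64-linux-gnu.conf/.` is a regular file according to the grep output two lines above, so that `mv` cannot succeed. The surrounding text suggests the intent is to make sure /usr/local/lib is searched when the grep prints nothing; that would be `echo /usr/local/lib > /etc/ld.so.conf.d/silk.conf` followed by `ldconfig`. Separately, the "Download Software" step fetches the three tarballs into the world-writable /tmp and unpacks them without checking them against the checksums or signatures published for the release; a sentence telling the reader to verify the archives before `tar -zxf` would be worth adding.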

Latest revision as of 00:23, 21 April 2022

Building the tools

Install Prerequisites

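# Build dependencies for libfixbuf, SiLK and YAF on Debian/Ubuntu.
# Refresh the package index first so the -dev packages resolve, and stop on
# the first failure instead of continuing with half the toolchain missing.
# apt-get has a stable command-line interface for scripted use; plain `apt`
# warns that its interface may change.
# python3.8-dev is release-specific: on a release whose default Python is not
# 3.8, use the python3-dev metapackage instead (it is needed for --with-python
# in the SiLK build below).
apt-get update || exit 1
apt-get -y install build-essential \
    libglib2.0-dev liblzo2-dev zlib1g-dev libgnutls28-dev libpcap-dev \
    python3.8-dev libmaxminddb-dev || exit 1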

Download Software

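# Fetch the pinned upstream releases over HTTPS only.
# NOTE: /tmp is world-writable. If other local users exist on this host, use a
# private directory instead (e.g. `cd "$(mktemp -d)"`) so nobody can replace a
# tarball between download and build, and adjust the paths in the build steps
# accordingly. Before unpacking, compare each archive against the checksum or
# signature published on the NetSA release page; a bare wget verifies nothing
# beyond the TLS connection.
cd /tmp || exit 1
for tarball in silk-3.19.1.tar.gz libfixbuf-2.4.1.tar.gz yaf-2.12.2.tar.gz; do
  wget --https-only "https://tools.netsa.cert.org/releases/${tarball}" || exit 1
done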


Install libfixbuf

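# Build and install libfixbuf, the IPFIX library both SiLK and YAF link against.
# Every step is guarded: without the guards a failed unpack or configure falls
# straight through to `make install` running as root in whatever directory the
# shell happens to be in.
cd /tmp || exit 1
tar -zxf /tmp/libfixbuf-2.4.1.tar.gz || exit 1
cd libfixbuf-2.4.1 || exit 1
./configure              \
    --prefix=/usr/local  \
    --enable-silent-rules || exit 1
make || exit 1
make install || exit 1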


Install SiLK

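# Build and install SiLK against the libfixbuf installed above.
# --enable-data-rootdir must agree with the directory created in the
# "Configure SiLK" step (/var/silk/data). --with-python builds the Python
# bindings, which is why python3.8-dev was installed as a prerequisite.
# Each step is guarded so a failure does not fall through to `make install`.
cd /tmp || exit 1
tar -zxf /tmp/silk-3.19.1.tar.gz || exit 1
cd silk-3.19.1 || exit 1
./configure                              \
    --prefix=/usr/local                  \
    --enable-silent-rules                \
    --enable-data-rootdir=/var/silk/data \
    --enable-ipv6                        \
    --enable-ipset-compatibility=3.14.0  \
    --enable-output-compression          \
    --with-python                        \
    --with-python-prefix || exit 1
make || exit 1
make install || exit 1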


Install YAF

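# Build and install YAF (the flow sensor) with application labelling,
# metadata export and plugin support, then install its SysV init script.
# Each step is guarded so a failure does not fall through to `make install`.
cd /tmp || exit 1
tar -zxf /tmp/yaf-2.12.2.tar.gz || exit 1
cd yaf-2.12.2 || exit 1
./configure                 \
    --prefix=/usr/local     \
    --enable-silent-rules   \
    --enable-applabel       \
    --enable-metadata       \
    --enable-plugins || exit 1
make || exit 1
make install || exit 1
# The init script comes straight from the unpacked source tree, so the
# executable bit may not be set; without it the service cannot be started.
cp /tmp/yaf-2.12.2/etc/init.d/yaf /etc/init.d/yaf || exit 1
chmod a+x /etc/init.d/yaf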


Update Dynamic Linker

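# Make sure the dynamic linker searches /usr/local/lib, where libfixbuf and
# the SiLK libraries were just installed. Expected output of the grep:
#   (debian) /etc/ld.so.conf.d/libc.conf:/usr/local/lib
#   (ubuntu) /etc/ld.so.conf.d/x86_64-linux-gnu.conf:/usr/local/lib/x86_64-linux-gnu
grep local /etc/ld.so.conf.d/*

# Optional: if no file lists /usr/local/lib exactly, add it via a drop-in.
# The earlier revision of this page moved "silk.conf" into /etc/ld.so.conf.d
# instead -- do NOT do that: the only silk.conf defined on this page is the
# SiLK site configuration (/var/silk/data/silk.conf), which is unrelated to
# the linker, and /etc/ld.so.conf.d/x86_64-linux-gnu.conf is a file (see the
# grep output), not a directory, so `mv ... x86_64-linux-gnu.conf/.` fails.
# The intent appears to be the drop-in below; confirm against the upstream
# silk-on-box document referenced at the end of the page.
if ! grep -qsx /usr/local/lib /etc/ld.so.conf.d/*; then
  echo /usr/local/lib > /etc/ld.so.conf.d/silk.conf || exit 1
fi
ldconfig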

Configuring the tools

Configure SiLK

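# Create the flow-data root chosen at build time (--enable-data-rootdir) and
# install the site configuration (flow classes/types and sensor names) that
# rwflowpack and the rw* query tools read from it.
# go+rx lets non-root analysts run rwfilter against the data. Flow records
# expose who talked to whom, so on a shared host consider granting read access
# to a dedicated analyst group rather than to every local user.
mkdir -p /var/silk/data || exit 1
chmod go+rx /var/silk /var/silk/data || exit 1
cp /usr/local/share/silk/twoway-silk.conf /var/silk/data/silk.conf || exit 1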


Configure rwflowpack

Next create the sensors.conf file, which tells rwflowpack where to listen for IPFIX records from yaf and which address blocks count as internal when flows are classified.

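# Write sensors.conf in the install's etc directory with the contents shown
# next; it is moved to /var/silk below. Guard the cd so the editor does not
# silently create the file somewhere else if the directory is missing.
cd /usr/local/etc || exit 1
vi sensors.conf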


# rwflowpack sensor configuration: a single IPFIX probe fed by yaf on this host.
probe S0 ipfix
 listen-on-port 18001          # must match YAF_IPFIX_PORT in yaf.conf
 protocol tcp                  # plain TCP: nothing here encrypts or authenticates the feed
 listen-as-host 127.0.0.1      # bind to loopback only; yaf runs on the same machine
end probe

# Address space treated as internal when rwflowpack classifies each flow
# (the ext2ext note below depends on this being correct).
group my-network
 ipblocks 192.168.0.0/24  # address of ethernet interface. CHANGE THIS.
 ipblocks 10.0.0.0/8      # other blocks considered internal. OPTIONAL.
end group

# Sensor S0 takes records from probe S0; anything not in @my-network is external.
sensor S0
 ipfix-probes S0
 internal-ipblocks @my-network
 external-ipblocks remainder
end sensor

(Once the entire system is running, if you discover that all your records show up as type ext2ext, it means you did not configure your internal netblocks correctly.)

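# Move the sensor configuration to the path rwflowpack.conf points at
# (SENSOR_CONFIG below). Use the absolute source path so this step does not
# depend on the shell still being in /usr/local/etc.
mv /usr/local/etc/sensors.conf /var/silk/sensors.conf || exit 1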

Salin skrip init.d rwflowpack beserta berkas konfigurasinya:

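# Install the SysV-style init script shipped with SiLK and its defaults file.
# cp keeps the mode of the source file, which may not be executable, so set
# the executable bit explicitly (the yaf step above does the same).
# On a systemd host, systemctl runs this script through its SysV compatibility
# layer; the "contains no runlevels, aborting" message seen later most likely
# comes from that layer and is non-fatal.
cd /usr/local || exit 1
cp share/silk/etc/init.d/rwflowpack /etc/init.d/rwflowpack || exit 1
chmod a+x /etc/init.d/rwflowpack
cp share/silk/etc/rwflowpack.conf /usr/local/etc/rwflowpack.conf || exit 1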

Edit

vi /usr/local/etc/rwflowpack.conf
# Values to set in the defaults file. The file is read by the init script as
# shell assignments, so keep the KEY=VALUE form with no spaces around '='.
ENABLED=1                              # turn the service on
statedirectory=/var/silk               # working directory for rwflowpack's state
SENSOR_CONFIG=/var/silk/sensors.conf   # the file written and moved above
ARCHIVE_DIR=  # empty: processed incoming files are not kept
LOG_TYPE=legacy                        # log to dated files (rwflowpack-YYYYMMDD.log) under LOG_DIR
LOG_DIR=/var/log
PID_DIR=/var/run

Start rwflowpack (a message about "contains no runlevels, aborting" is non-fatal):

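# Start rwflowpack and enable it at boot. On a systemd host `systemctl enable`
# may print "contains no runlevels, aborting" for this SysV-style script; that
# message is non-fatal. Hosts without systemd use the init script directly.
if command -v systemctl >/dev/null 2>&1; then
  systemctl enable rwflowpack
  systemctl start rwflowpack.service
else
  /etc/init.d/rwflowpack start
fi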

Look at the rwflowpack log file, /var/log/rwflowpack-YYYYMMDD.log (one file per day, named by date), to ensure that it is running.

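# Show today's rwflowpack log. LOG_TYPE=legacy writes one file per day under
# LOG_DIR, so build the name from today's date instead of a placeholder that
# cannot be pasted as-is.
cat /var/log/rwflowpack-"$(date +%Y%m%d)".log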

Start YAF

Edit

vi /usr/local/etc/yaf.conf
# Values to set in yaf's defaults file (read by /etc/init.d/yaf as shell
# assignments; keep the KEY=VALUE form).
ENABLED=1
YAF_CAP_IF=enp0s3      # Ensure this is correct for your machine
YAF_IPFIX_PORT=18001   # Must match value in sensors.conf
# --silk: export in the form rwflowpack expects; --applabel: label flows by
# application (needs the --enable-applabel build above); --max-payload=512:
# bytes of payload yaf inspects per flow for labelling. None of these flags
# exports payload, but review yaf's manual before adding export options on a
# sensor that sees sensitive traffic. The connection to rwflowpack is plain
# TCP to 127.0.0.1, so keep both daemons on the same host.
YAF_EXTRAFLAGS="--silk --applabel --max-payload=512"


Start YAF (pesan "contains no runlevels, aborting" tidak apa-apa dan bisa diabaikan):

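# Start yaf and enable it at boot. On a systemd host `systemctl enable` may
# print "contains no runlevels, aborting" for this SysV-style script; that
# message is non-fatal. Hosts without systemd use the init script directly.
if command -v systemctl >/dev/null 2>&1; then
  systemctl enable yaf
  systemctl start yaf.service
else
  /etc/init.d/yaf start
fi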

Look at the yaf log file, /var/log/yaf.log to ensure that it is running.


# Print yaf's log to confirm it started and is capturing on YAF_CAP_IF.
cat -- /var/log/yaf.log

Check the rwflowpack log file again to ensure that it received a connection from yaf. There should be a message similar to the following (the port number will likely differ):

'S0': accepted connection from 127.0.0.1:36734

If nothing is happening, it could be that yaf is waiting for network traffic. Follow the steps in the next section to generate some.

Generate traffic

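# Generate a few flows so yaf has something to export. Any external address
# reachable via YAF_CAP_IF works; 8.8.8.8 is just a convenient one. -W 2 caps
# the wait per reply (Linux iputils) so the command returns even when ICMP is
# filtered.
ping -c 4 -W 2 8.8.8.8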

You may have to wait 5 or 10 minutes for the first records to be flushed, but you should see messages in the rwflowpack log file that it is creating files. You may check the status of YAF and rwflowpack with the following commands:

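# Service health for both daemons. --no-pager -l prints the full, unpaged
# output so the last log lines are visible in one screen.
systemctl status --no-pager -l yaf.service rwflowpack.service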

(You may need to include the --no-pager and -l switches to get useful information from systemctl.)


Run a test query

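# Sanity query: select every record packed for sensor S0 and print the last
# ten. Both tools are given by full path because /usr/local/bin may not be on
# root's PATH yet. Without --start-date/--end-date rwfilter looks only at the
# current day's files (see rwfilter --help), so an empty result right after
# setup usually means no flows have been flushed yet, not a broken install.
/usr/local/bin/rwfilter --sensor=S0 --type=all --all=stdout \
  | /usr/local/bin/rwcut --tail-recs=10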

Referensi