These are the steps I took to install sguil on 3.7. This installation assumes server, sensor and database are on one host.

Install OpenBSD 3.7 with: 2GB swap, 2GB /var, 5GB /usr, 20GB /nsm (remainder)
System name: idssrvr
Domain: xxx.com
IP: 10.1.1.82/24
DNS Server: 68.100.16.25
GW: 10.1.1.1

Install src and ports to /usr/src and /usr respectively.
Add users sguil, mysql and a generic id (to log in with).
Add the generic user to group wheel.
Default password for all is "welcome".

mkdir /usr/local/src
cd /usr/ports/net/wget
make install
cd /usr/ports/net/libnet
make install
pkg_add ftp://ftp.openbsd.org/pub/OpenBSD/3.7/packages/i386/mysql-server-4.0.23p1.tgz
/usr/local/bin/mysql_install_db --user=mysql
/usr/local/bin/mysqld_safe --user=mysql &
/usr/local/bin/mysqladmin -u root password 'welcome'
/usr/local/bin/mysql -u root -pwelcome

mysql> CREATE DATABASE sguildb;
Query OK, 1 row affected (0.00 sec)
mysql> GRANT ALL PRIVILEGES ON *.* TO [EMAIL PROTECTED] IDENTIFIED BY 'welcome' WITH GRANT OPTION;
Query OK, 0 rows affected (0.00 sec)
mysql> GRANT ALL PRIVILEGES ON *.* TO [EMAIL PROTECTED] IDENTIFIED BY 'welcome' WITH GRANT OPTION;
Query OK, 0 rows affected (0.00 sec)
mysql> \q

cd /usr/local/src
wget http://unc.dl.sourceforge.net/sourceforge/sguil/sguil-client-0.5.3.tar.gz
wget http://unc.dl.sourceforge.net/sourceforge/sguil/sguil-server-0.5.3.tar.gz
wget http://easynews.dl.sourceforge.net/sourceforge/sguil/sguil-sensor-0.5.3.tar.gz
tar -xvzf sguil-client-0.5.3.tar.gz
tar -xvzf sguil-server-0.5.3.tar.gz
tar -xvzf sguil-sensor-0.5.3.tar.gz
mv sguil-0.5.3 sguil
cd sguil/server
/usr/local/bin/mysql -u sguil -p -D sguildb < ./sql_scripts/create_sguildb.sql
Enter Password: welcome
/usr/local/bin/mysql -u sguil -p -e "show tables" sguildb
Enter password: welcome
+-------------------+
| Tables_in_sguildb |
+-------------------+
| data              |
| event             |
| history           |
| icmphdr           |
| nessus            |
| nessus_data       |
| portscan          |
| sancp             |
| sensor            |
| sessions          |
| status            |
| tcphdr            |
| udphdr            |
| user_info         |
| version           |
+-------------------+

mkdir /etc/sguild
cd /usr/local/src/sguil/server
cp sguild.users sguild.conf sguild.queries sguild.access autocat.conf /etc/sguild

cd /usr/local/src
wget http://easynews.dl.sourceforge.net/sourceforge/tcl/tcl8.4.9-src.tar.gz
wget http://easynews.dl.sourceforge.net/sourceforge/tcl/tk8.4.9-src.tar.gz
wget http://easynews.dl.sourceforge.net/sourceforge/tcllib/tcllib-1.7.tar.gz
wget http://internap.dl.sourceforge.net/sourceforge/tclx/tclx8.3.5-src.tar.gz
wget http://www.xdobry.de/mysqltcl/mysqltcl-2.51.tar.gz
wget http://easynews.dl.sourceforge.net/sourceforge/tls/tls1.5.0-src.tar.gz
for i in *.gz; do tar xvzf $i; done
cd /usr/local/src/tcl8.4.9/unix
./configure && make && make install
cd /usr/local/src/tk8.4.9/unix
./configure && make && make install
ln -s /usr/local/bin/tclsh8.4 /usr/local/bin/tclsh
cd /usr/local/src/tcllib-1.7
./configure && make && make install
cd /usr/local/src/sancp-1.6.1
make
cp sancp /usr/local/bin
cd /usr/local/src/tclx8.3.5/unix
./configure && make && make install
cd /usr/local/src/mysqltcl-2.51
ln -s /usr/local/lib/mysql/libmysqlclient.so.12.0 /usr/local/lib/libmysqlclient.so
env CC=gcc ./configure --with-mysql-include=/usr/local/include/mysql --with-mysql-lib=/usr/local/lib
make && make install
cd /usr/local/src/tls1.5
./configure --with-tcl=/usr/local/lib --with-tcl-include=/usr/local/include --with-ssl-dir=/usr
make && make install

(For testing, to see if it works, using the tclsh symlink created above:)
/usr/local/bin/tclsh
tcl> package require Tclx 8.3
tcl> package require mysqltcl 2.51
tcl> exit

cd /usr/ports/security/p0f
make install
cd /usr/ports/net/tcpflow
make install
cd /usr/ports/devel/pcre
make install

vi /etc/sguild/sguild.conf
# DataBase Info
set DBNAME sguildb
set DBPASS welcome
set DBHOST localhost
set DBPORT 3306
set DBUSER sguil
set RULESDIR /nsm/ids/rules
set LOCAL_LOG_DIR /nsm/ids/archive
set TCPFLOW "/usr/local/bin/tcpflow"
set P0F_PATH "/usr/local/bin/p0f"

cd /usr/local/src
wget http://www.snort.org/dl/current/snort-2.3.3.tar.gz
wget http://www.snort.org/dl/barnyard/barnyard-0.2.0.tar.gz
tar -xvzf snort-2.3.3.tar.gz
mv snort-2.3.3 snort
cd /usr/local/src/snort/src/preprocessors
cp spp_portscan.c spp_portscan.c.bak
cp spp_stream4.c spp_stream4.c.bak
cp -r /usr/local/src/sguil/sensor/snort_mods/2_1/* .
patch spp_portscan.c < spp_portscan_sguil.patch
cd ../..
./configure --enable-flexresp && make && make install
mkdir /etc/snort
cp /usr/local/src/snort/etc/snort.conf /etc/snort
cp /usr/local/src/sguil/sensor/sancp/sancp.conf /usr/local/etc/snort/
cd /usr/local/etc/snort
vi sancp.conf

The only element of the sancp.conf file requiring modification is the HOME_NET variable. Change the HOME_NET variable to reflect the network you wish to monitor. Using 0.0.0.0 appears to allow monitoring any network.

In snort.conf you can disable rules (for example snmp) so that snort will not log them and the data.MYD file does not get too huge.

vi /etc/snort/snort.conf and change the following:
var RULE_PATH /nsm/ids/rules
preprocessor portscan: $HOME_NET 4 3 /nsm/ids/portscans ids
output log_unified: filename snort.log, limit 128

cd /usr/local/src/snort/etc
cp gen-msg.map classification.config reference.config sid-msg.map unicode.map /etc/snort
cd /usr/local/src/snort/rules
cp -r * /nsm/ids/rules

cd /usr/local/src/sguil/sensor
Make the following modifications to log_packets.sh:
HOSTNAME="<sensor_name>"
LOG_DIR="/nsm"
Be sure to set the proper interface for sniffing; here we use em0. Replace this with an interface appropriate for your system:
INTERFACE="em0"
Uncomment the following line to let Snort run as the unprivileged user 'sguil':
OPTIONS="-u sguil -g sguil -m 122"

The log_packets.sh shell script should be run from the root user's crontab. Make the following cron entries (using 'crontab -e') to enable log_packets.sh:
00 0-23/1 * * * /usr/local/src/sguil/sensor/log_packets.sh restart
0 23 * * * /usr/local/mysql/bin/mysqlcheck -o -a -u root -p<password> sguildb

cd /usr/local/src
tar -xvzf barnyard-0.2.0.tar.gz
cd barnyard-0.2.0
The only modification that may be necessary is the addition of '-lcrypto' to the Barnyard configure script:
LIBS="${LIBS} -lz -lssl -lcrypto -lmysqlclient"
./configure --enable-mysql
make
make install
cp /usr/local/src/barnyard-0.2.0/etc/barnyard.conf /etc/snort
vi /etc/snort/barnyard.conf
config hostname: <sensorname>
config interface: <interface>    (use ifconfig -a to see the interface name)
comment out log_dump
*** make sure your server name resolves in DNS ***
output sguil: mysql, sensor_id 0, database sguildb, server localhost, user sguil, password <sguil's_mysql_password>, sguild_host localhost, sguild_port 7736

vi /usr/local/src/sguil/sensor/sensor_agent.conf
# Name of sguild server
set SERVER_HOST <ip_of_server>
# Port sguild listens on for sensor connects
set SERVER_PORT 7736
# Local hostname - that means this machine's name
# Note: Sensors monitoring multiple interfaces need to use a unique 'hostname'
# for each interface. Make sure this name is the same in the respective
# log_packets.sh
set HOSTNAME ids
set LOG_DIR /nsm

cd /usr/local/src/sguil-0.5.3/server/
nohup ./sguild -a /etc/sguild/autocat.conf &
nohup /usr/local/bin/barnyard -c /etc/snort/barnyard.conf -d /nsm/ids -g /etc/snort/gen-msg.map -s /etc/snort/sid-msg.map -f snort.log -a /nsm/ids/archives -w /etc/snort/waldo.file &
nohup snort -u sguil -g sguil -l /nsm/ids -c /etc/snort/snort.conf -U -A none -m 122 -i xl0 &
nohup /usr/local/src/sguil-0.5.3/sensor/sensor_agent.tcl -c /usr/local/src/sguil-0.5.3/sensor/sensor_agent.conf &
(Once you run this command, it will give an error "/nsm/fedorov/snort_data/<sensor_name>: No such file or directory"; you have to go and create the directory.)
nohup /usr/local/bin/sancp -d /nsm/ids/sancp -i em0 -u sguil -g sguil -c /etc/snort/sancp.conf &

On Thu, 30 Jun 2005 20:16:18 -0400, Vivek Ayer wrote
> Hi all,
>
> Has anyone installed sguil on OpenBSD? I hear ACID development has
> stopped so it would be an opportune time to switch to sguil. If
> anyone can point me in the right direction of an install-and-configure
> guide specifically for openbsd, that would be great. I'm running
> OpenBSD 3.7-current. I need it for the firewall that I have set up to
> protect a wired and wireless network. Thanks.
>
> Vivek
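The post stresses that the sensor name must be the same in log_packets.sh, barnyard.conf and sensor_agent.conf, otherwise barnyard and sensor_agent report under a sensor that does not match the pcap logs. The following POSIX sh check is an added example, not part of the original post or the sguil project; the three config files it reads are constructed samples written to a temp dir, and the "idssrvr" mismatch is deliberately constructed.

```shell
#!/bin/sh
# Added example: cross-check the sensor name across the three sguil sensor
# config files the post says must agree. Sample files are constructed below.

# sensor_name FILE KIND -> prints the sensor name configured in FILE,
# where KIND selects the file's syntax (log_packets|barnyard|sensor_agent).
sensor_name() {
    case "$2" in
        log_packets)  sed -n 's/^HOSTNAME="\([^"]*\)".*/\1/p' "$1" ;;
        barnyard)     sed -n 's/^config hostname:[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" ;;
        sensor_agent) sed -n 's/^set HOSTNAME[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" ;;
        *)            return 2 ;;
    esac
}

# check_sensor_names LOG_PACKETS_SH BARNYARD_CONF SENSOR_AGENT_CONF
# Prints what each file says and returns 0 only when all three agree
# (and the name is non-empty); returns 1 on any mismatch or missing value.
check_sensor_names() {
    lp=$(sensor_name "$1" log_packets)
    by=$(sensor_name "$2" barnyard)
    sa=$(sensor_name "$3" sensor_agent)
    printf 'log_packets.sh=%s barnyard.conf=%s sensor_agent.conf=%s\n' \
        "$lp" "$by" "$sa"
    [ -n "$lp" ] && [ "$lp" = "$by" ] && [ "$lp" = "$sa" ]
}

# Constructed sample configs (values mirror the post; not the real files).
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
printf 'HOSTNAME="ids"\nLOG_DIR="/nsm"\nINTERFACE="em0"\n' > "$TMP/log_packets.sh"
printf 'config hostname: ids\nconfig interface: em0\n' > "$TMP/barnyard.good"
# Constructed mismatch: the machine's system name instead of the sensor name.
printf 'config hostname: idssrvr\nconfig interface: em0\n' > "$TMP/barnyard.bad"
printf 'set SERVER_HOST 10.1.1.82\nset SERVER_PORT 7736\nset HOSTNAME ids\nset LOG_DIR /nsm\n' \
    > "$TMP/sensor_agent.conf"

# Consistent set: exits 0 and prints "ids" three times.
check_sensor_names "$TMP/log_packets.sh" "$TMP/barnyard.good" "$TMP/sensor_agent.conf"
# Inconsistent set: exits 1, so the caller can refuse to start barnyard.
check_sensor_names "$TMP/log_packets.sh" "$TMP/barnyard.bad" "$TMP/sensor_agent.conf" \
    || echo "sensor name mismatch: fix the configs before starting barnyard"
```

Point the three arguments at the real files (/usr/local/src/sguil/sensor/log_packets.sh, /etc/snort/barnyard.conf, /usr/local/src/sguil/sensor/sensor_agent.conf) to run it against an actual install.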