Sguil Installation Script v0.2 Available

Last week I posted news of a script called sguil_install_v0.1.sh to install all Sguil components except the client on a FreeBSD 6.0 system. Today I finished a new script, sguil_install_v0.2.sh, that installs all Sguil components -- including the client.

Here is an annotated diff of the changes.

First, version updates:

orr:/data/code/sh$ diff -u sguil_install_v0.1.sh sguil_install_v0.2.sh
--- sguil_install_v0.1.sh Wed Dec 28 21:35:06 2005
+++ sguil_install_v0.2.sh Fri Jan 6 10:40:38 2006
@@ -1,7 +1,7 @@
#!/bin/sh
#
# Sguil installation script by Richard Bejtlich (richard@taosecurity.com)
-# v0.1 28 December 2005
+# v0.2 6 January 2006
#
# Tested on FreeBSD 6.0 RELEASE
#
@@ -9,7 +9,7 @@
# This is not intended for production use where separate sensor, server,
# and client boxes are recommended

-echo "Sguil Installation Script"
+echo "Sguil Sensor, Server, Client Installation Script"
echo
echo "By Richard Bejtlich"
echo
@@ -33,7 +33,7 @@

# FreeBSD 6 packages

-PACKAGESITE=ftp://ftp2.freebsd.org/pub/FreeBSD/ports/i386/packages-6-stable/Latest/; export PACKAGESITE
+PACKAGESITE=ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-6-stable/Latest/; export PACKAGESITE

# Determine sensor name

Next, I decided to patch sguild, instead of telling users to patch sguil.tk. The new sguild.patch file looks like this:

orr:/home/richard$ cat sguild.patch
--- sguild Thu Dec 1 11:09:22 2005
+++ sguild.diff Thu Jan 5 20:43:14 2006
@@ -15,7 +15,7 @@

########################## GLOBALS ##################################

-set VERSION "SGUIL-0.6.0"
+set VERSION "SGUIL-0.6.0p1"
# DB Version
set DB_VERSION "0.11"
# Counter for tracking xscript transactions
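Review bot: the '+++' header names the new file sguild.diff while the file that 'patch -p0' has to modify is sguild; patch(1) still applies it to sguild because that is the name that exists on disk, but naming both header lines sguild (or sguild.orig and sguild) would make the intent obvious. The hunk itself only changes the VERSION string, so no other behaviour of sguild is touched.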

All the patch does is make the sguild version be what it should have been -- 0.6.0p1.

Returning to the installation script:

@@ -174,6 +174,12 @@
patch -p0 < log_packets.sh.patch
crontab -u root log_packets.sh.crontab

+# Retrieve, apply sguild patch for version number problem
+
+cd /usr/local/src/$SGUIL/server
+fetch http://www.bejtlich.net/sguild.patch
+patch -p0 < sguild.patch
+
# Install log_packets.sh

cp /usr/local/etc/nsm/log_packets.sh /usr/local/bin
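Review bot: the new sguild patch lines fetch over plain HTTP and feed the result straight into patch without checking either exit status. If the fetch fails, 'patch -p0 < sguild.patch' errors on a missing file and, unless the script sets -e somewhere this diff does not show, execution continues with an unpatched sguild. Suggest 'fetch http://www.bejtlich.net/sguild.patch || exit 1' and 'patch -p0 < sguild.patch || exit 1', and ideally a digest comparison on the downloaded patch before it is applied.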

Next come new sections to install an X server. These allow users to run 'startx' and find themselves inside the Fluxbox window manager.

@@ -219,20 +225,67 @@
cd /usr/local/src/$SGUIL/server
./sguild -c sguild.conf -u sguild.users -adduser sguil

+# Install X-related packages
+
+pkg_add -r xorg-server
+pkg_add -r xorg-clients
+pkg_add -r bitstream-vera
+pkg_add -r perl
+pkg_add -r xorg-fonts-100dpi
+pkg_add -r xorg-fonts-75dpi
+pkg_add -r xorg-fonts-miscbitmaps
+pkg_add -r fluxbox-devel
+
+# Configure Fluxbox
+
+echo "exec startfluxbox" > /home/analyst/.xinitrc
+chown analyst:analyst /home/analyst/.xinitrc
+

The Sguil client needs a few new libraries. I had to build these myself as they are not yet updated on the FreeBSD package building cluster. When the new packages are available through FreeBSD, I will edit the script.

+# Install additional packages for Sguil client
+
+cd /root
+fetch http://www.bejtlich.net/itcl-3.2.1_1.tbz
+fetch http://www.bejtlich.net/itk-3.2.1_1.tbz
+fetch http://www.bejtlich.net/iwidgets-4.0.1.tbz
+pkg_add itcl-3.2.1_1.tbz
+pkg_add itk-3.2.1_1.tbz
+pkg_add iwidgets-4.0.1.tbz
+pkg_add -r ethereal
+
+# Configure Wish
+
+mv /usr/local/bin/wish /usr/local/bin/wish.orig
+ln -s /usr/local/bin/wish8.4 /usr/local/bin/wish
+

I create a simple startup script to facilitate starting the Sguil client. It looks like this.

#!/bin/sh
# Start the Sguil client from its install directory; stop if the directory is missing
cd /usr/local/src/sguil-0.6.0p1/client || exit 1
./sguil.tk

Returning to the script:

+# Fetch client startup script
+
+cd /home/analyst
+fetch http://www.bejtlich.net/sguil_client_start.sh
+chown analyst:analyst /home/analyst/sguil_client_start.sh
+chmod +x /home/analyst/sguil_client_start.sh
+

Next I patch sguil.conf to handle locations of certain programs in FreeBSD. The patch looks like this:

orr:/data/code/sh$ cat sguil.conf.patch
--- sguil.conf Thu Oct 13 12:28:28 2005
+++ sguil.conf.diff Fri Jan 6 09:55:07 2006
@@ -35,7 +35,7 @@
# set FESTIVAL_PATH "c:\festival\bin\festival.exe"
#set WHOIS_PATH /common/bin/awhois.sh
# Path to ethereal
-set ETHEREAL_PATH /usr/sbin/ethereal
+set ETHEREAL_PATH /usr/X11R6/bin/ethereal
# win32 example
# set ETHEREAL_PATH "c:/progra~1/ethereal/ethereal.exe"
# Where to save the temporary raw data files on the client system
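Review bot: same header naming as sguild.patch, with '+++ sguil.conf.diff' standing in for the real target sguil.conf; patch(1) copes, but matching names read better. The new ETHEREAL_PATH of /usr/X11R6/bin/ethereal does match where 'pkg_add -r ethereal' puts the binary on FreeBSD 6, since X11 ports installed under /usr/X11R6 on that release, so the value is correct for the tested platform but will need revisiting if the X11 prefix changes.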

Returning to the script:

+# Patch sguil.conf
+cd /usr/local/src/$SGUIL/client
+fetch http://www.bejtlich.net/sguil.conf.patch
+patch -p0 < sguil.conf.patch
+

Finally, I changed what users see when they finish executing the script:

# Messages to users

-echo "To start Sguil, execute the following."
+echo "To start Sguil server components, do the following."
echo
-echo "As user sguil:"
+echo "As user sguil, execute these scripts:"
echo
echo "/home/sguil/sguild_start.sh"
echo "/home/sguil/sensor_agent_start.sh"
echo "/home/sguil/barnyard_start.sh"
echo
-echo "Next, as user root:"
+echo "As user root, execute these scripts:"
echo
echo "/root/start_sancp.sh"
echo "/root/start_snort.sh"
echo "/usr/local/bin/log_packets.sh restart"
echo
-echo "You will then be able to connect using the separate Sguil client."
+echo "To start the Sguil client, do the following."
+echo
+echo "Log in as user analyst. Run startx to launch Fluxbox."
+echo "Launch a xterm, then run /home/analyst/sguil_client_start.sh."
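Review bot: typo in the last added echo line: "Launch a xterm" should read "Launch an xterm". The rest of the message correctly directs the client to run as the unprivileged analyst user rather than root, which is worth keeping as the documented way to start it.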

To run this script effectively, you should use FreeBSD 6.0/i386. The minimum partitioning scheme follows. This requires a 1280 MB drive (1.25 GB). I install the "minimal" FreeBSD distribution when I use this script.

  • / 128 MB

  • Swap 256 MB

  • /usr 512 MB

  • /nsm 128 MB

  • /var 128 MB

  • /home 64 MB

  • /tmp 64 MB


You also need two users, in addition to root.

  • User analyst is a member of the wheel group and can therefore su - to root.

  • User sguil is not a member of the wheel group. However, I run as many parts of Sguil as possible using this user.
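Before running the installer on a box you believe matches this layout, it is worth checking the assumptions mechanically. The preflight script below is an added example, not part of the original post or of sguil_install_v0.2.sh. It verifies the mount points and minimum sizes listed above (allowing for the few MB that UFS metadata removes from what df reports) and confirms that the analyst and sguil accounts exist with the right wheel membership. The df, passwd and group text embedded in it is constructed sample data so it runs offline; on a real host you would pass it the output of 'df -m' and the contents of /etc/passwd and /etc/group instead.

```shell
#!/bin/sh
# Preflight check for the Sguil installer (added example, not from the original
# post). Checks the minimum partitioning scheme and the two non-root accounts.
# The df(1), /etc/passwd and /etc/group text below is CONSTRUCTED sample data;
# on the real host use: df -m, cat /etc/passwd, cat /etc/group.

SAMPLE_DF='Filesystem 1M-blocks Used Avail Capacity  Mounted on
/dev/ad0s1a        126   40    76    35%    /
devfs                0    0     0   100%    /dev
/dev/ad0s1d         62    1    56     2%    /home
/dev/ad0s1e        126    1   115     1%    /nsm
/dev/ad0s1f         62    1    56     2%    /tmp
/dev/ad0s1g        507  300   167    64%    /usr
/dev/ad0s1h        126   10   106     9%    /var'

SAMPLE_PASSWD='root:*:0:0:Charlie &:/root:/bin/csh
analyst:*:1001:1001:Analyst:/home/analyst:/bin/sh
sguil:*:1002:1002:Sguil:/home/sguil:/bin/sh'

SAMPLE_GROUP='wheel:*:0:root,analyst
analyst:*:1001:
sguil:*:1002:'

# check_mounts DF_TEXT: every required mount point must exist and be large
# enough. UFS metadata makes df report a few MB less than the partition size,
# so 5% slack is allowed. Prints each problem; returns 0 only if all pass.
check_mounts() {
    rc=0
    for spec in /:128 /usr:512 /nsm:128 /var:128 /home:64 /tmp:64; do
        mp=${spec%%:*}
        need=${spec##*:}
        floor=$(( need * 95 / 100 ))
        # df -m: column 2 is the size in MB, column 6 the mount point
        size=$(printf '%s\n' "$1" | awk -v mp="$mp" '$6 == mp { print $2 }')
        if [ -z "$size" ]; then
            echo "missing mount point $mp (need ${need} MB)"
            rc=1
        elif [ "$size" -lt "$floor" ]; then
            echo "$mp is ${size} MB, need about ${need} MB"
            rc=1
        fi
    done
    return $rc
}

# check_users PASSWD_TEXT GROUP_TEXT: both accounts must exist, analyst must be
# a wheel member (so it can su - to root) and sguil must not be. Only the
# member list of the wheel line is consulted, which is where adduser(8) records
# supplementary group membership.
check_users() {
    rc=0
    for u in analyst sguil; do
        if ! printf '%s\n' "$1" | awk -F: -v u="$u" '$1 == u { f=1 } END { exit !f }'; then
            echo "user $u does not exist"
            rc=1
        fi
    done
    wheel=$(printf '%s\n' "$2" | awk -F: '$1 == "wheel" { print $4 }')
    case ",$wheel," in
        *,analyst,*) ;;
        *) echo "analyst is not in wheel and cannot su - to root"; rc=1 ;;
    esac
    case ",$wheel," in
        *,sguil,*) echo "sguil should not be in wheel"; rc=1 ;;
    esac
    return $rc
}

# preflight DF_TEXT PASSWD_TEXT GROUP_TEXT: run both checks; 0 means go ahead.
preflight() {
    ok=0
    check_mounts "$1" || ok=1
    check_users "$2" "$3" || ok=1
    return $ok
}

preflight "$SAMPLE_DF" "$SAMPLE_PASSWD" "$SAMPLE_GROUP" && echo "preflight OK, safe to run sguil_install_v0.2.sh"
```

On the target host, replace the three SAMPLE_ variables with "$(df -m)", "$(cat /etc/passwd)" and "$(cat /etc/group)"; each failed requirement prints one line, so the output doubles as the to-do list before the installer is started.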


Here is how to invoke the script:

$ su -
Password:
gruden# fetch http://www.bejtlich.net/sguil_install_v0.2.sh
gruden# chmod +x sguil_install_v0.2.sh
gruden# ./sguil_install_v0.2.sh

When the sguil client user password prompt appears, enter something like 'sguil'. This is the only pause in the script.
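The three commands above download a script over plain HTTP and run it as root. The wrapper below is an added example, not part of the original post or of the installer; it downloads a file with fetch(1), refuses to mark it executable unless its SHA-256 matches a value obtained separately, and deletes it on a mismatch. The post publishes no checksum, so EXPECTED_SHA256_PLACEHOLDER in the usage comment is exactly that, a placeholder to be replaced with a digest obtained from the author out of band. The offline demonstration hashes a constructed six-byte file whose SHA-256 is well known, so the block runs without network access.

```shell
#!/bin/sh
# Verify a downloaded installer before making it executable (added example, not
# from the original post). The expected digest must come from a trusted
# out-of-band source; the post itself publishes none.

# digest_of FILE: print the SHA-256 of FILE using whichever tool the host has
# (sha256(1) on FreeBSD, sha256sum(1) on Linux).
digest_of() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | awk '{ print $1 }'
    fi
}

# verify_digest FILE EXPECTED: return 0 only if FILE hashes to EXPECTED.
verify_digest() {
    actual=$(digest_of "$1") || return 1
    [ "$actual" = "$2" ]
}

# fetch_verified URL EXPECTED: download URL into the current directory with
# fetch(1), mark it executable only if the digest matches, and remove it on a
# mismatch so a stale or altered copy cannot be run by accident.
fetch_verified() {
    url=$1
    expected=$2
    file=${url##*/}
    fetch "$url" || return 1
    if verify_digest "$file" "$expected"; then
        chmod +x "$file"
        echo "$file verified"
    else
        echo "digest mismatch for $file, not installing" >&2
        rm -f "$file"
        return 1
    fi
}

# demo_verify: offline check on a CONSTRUCTED file containing "hello\n", whose
# SHA-256 is the well-known value below. Returns 0 when verification works.
demo_verify() {
    tmp=$(mktemp "${TMPDIR:-/tmp}/verify.XXXXXX") || return 1
    printf 'hello\n' > "$tmp"
    verify_digest "$tmp" 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
    rc=$?
    rm -f "$tmp"
    return $rc
}

demo_verify && echo "digest check works"

# Usage on the FreeBSD host, as root, once a trusted digest is in hand:
#   fetch_verified http://www.bejtlich.net/sguil_install_v0.2.sh EXPECTED_SHA256_PLACEHOLDER \
#       && ./sguil_install_v0.2.sh
```

The same wrapper suits the patches and .tbz packages the installer fetches from the same site; the value of the check is only as good as the channel the expected digest arrives over, so it should not be read from the same web server as the file it protects.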

The end result of running this script inside a FreeBSD VM I created is a Sguil sensor, server, database, and client. I'll describe that in my next post.

Comments

Anonymous said…
I have been reading your blog for several months now and very much appreciate the work you put into it. It has been useful on several occasions.

I am trying to utilize your script which for the most part is working wonderfully for me. The only point I seem to be having issues with is the mysqltcl-3.01.tbz package that is downloaded from your site and then installed. The package downloads just fine, but then I get an error stating that pkg_add "could not find package ldconfig_compat-1.0_6". I tried manually adding this package but am unable to find it in the bsd port tree. Granted I am not as familiar with FreeBSD as with other operating systems, but I believe I am following the correct procedure. Any thoughts on how I can work around this would be great.

Thanks again.
Hello,

That error is associated with the newest build of mysqltcl-3.01, which I thought might work better than the old one. That does not seem to be the case. I have replaced that package with the old mysqltcl-3.01.tbz, which seems to be working. Try grabbing it again from http://www.bejtlich.net/mysqltcl-3.01.tbz and pkg_add -v.
Anonymous said…
This comment has been removed by a blog administrator.
Anonymous said…
I can't get the install scripts from your
www.bejtlich.net site. I can get patches etc., but not the sguil_install.v0.2.sh or sguil_install.v0.1.sh.

I am using the wget command instead of fetch.
You are looking at an old post. Look here.
