Tuesday, June 06, 2006

Multipurposes post :]

I have been out of posting due to some serious matters, anyway I think I should be writing some stuffs to keep me going. First of all, I'm pretty satisfied and happy that I have reached 200 blog posts where I never think of writing so much. Thanks for the comments and feedbacks along.

Few things I want to blog about are I will no longer be supporter of IBM ThinkPad after Lenovo bought over it's brand name, the bad design and idea that put the Thinkpad to the dead, what can I say, Lnv you sux big time - check the link below.


I guess my main choices would be either Toshiba or HP now, seriously Lnv is a real ass hole. Bye beloved IBM ThinkPad. For people who haven't have chance to look at the new Z series, the design is utterly ugly.

I have fun playing with Bro-IDS under FreeBSD, it is installed fine on FreeBSD 6.1R, here's are the note when I install it. You need to install the package below first

shell>pkg_add -vr p5-Config-General adns

Then just run the usual configure, make and make install, since I'm not integrating bro as the tool to provide alert data, I prefer it to be on /nsm for management wise, so that's what I do, again I use stow for source installation management. I untar the bro-1.1 and start my installation process with

shell>mkdir /nsm/stow

shell>./configure --prefix=/nsm/stow/bro-1.1

shell>make && make install

shell>make install-brolite

It will ask you a series of questions for configuration settings.

shell>cd /nsm/stow && stow bro-1.1

Installation are done now and you can start bro with

[root@trinity /nsm/stow]# /nsm/stow/bro-1.1/etc/bro.rc --start
bro.rc: Running as non-root user bro
bro.rc: Starting ..........bro.rc: Failed to start Bro
/usr/local/stow/bro-1.1/bin/bro: problem with interface bge0 - pcap_open_live: (no devices found) /dev/bpf0: Permission denied

Since I get permission denied, I change the permission setting of bpf0

[root@trinity /nsm/stow]# ls -la /dev/bpf0
crw------- 1 root wheel 0, 115 Jun 6 07:28 /dev/bpf0
[root@trinity /nsm/stow]# chmod 604 /dev/bpf0
[root@trinity /nsm/stow]# /nsm/stow/bro-1.1/etc/bro.rc --start
bro.rc: Running as non-root user bro
bro.rc: Starting ............. SUCCESS

To check if it is running,

[root@trinity /nsm/stow]# ps auxww | grep bro
bro 17459 0.0 0.1 1760 1104 p3 I 10:29AM 0:00.03 /bin/sh /usr/local/stow/bro-1.1/etc/bro.rc --start
bro 17464 0.0 1.1 12716 11512 p3 R 10:29AM 0:04.76 /usr/local/stow/bro-1.1/bin/bro -W -i bge0 trinity.dissectible.org.bro
bro 17510 0.0 0.1 1760 1104 p3 I 10:29AM 0:00.00 /bin/sh /usr/local/stow/bro-1.1/etc/bro.rc --start
bro 17512 0.0 0.5 6836 5584 p3 S 10:29AM 0:00.12 /usr/local/stow/bro-1.1/bin/bro -W -i bge0 trinity.dissectible.org.bro print-filter.bro

Check if it adds the cron entry correctly,

[root@trinity /nsm/stow]# crontab -e
# checkpoint Bro once a week
0 0 * * 1 /nsm/stow/bro-1.1/etc/bro.rc --checkpoint
10 00 * * * ( nice -n 19 /nsm/stow/bro-1.1/scripts/site-report.pl )
10 3 * * * (/nsm/stow/bro-1.1/scripts/mail_reports.sh /usr/local/stow/bro-1.1
0 3 * * * (/nsm/stow/bro-1.1/scripts/bro_log_compress.sh)
# If you are process logs on a front end host, add this:
#10 3 * * * (/nsm/stow/bro-1.1/scripts/push_logs.sh FrontendHost)

Bro suggests tweaking bpf buffer size and its max value, I tweak it manually, I'm thinking of testing this sysctl settings for my sguil sensor as well and guess it should be applicable.

shell>sysctl net.bpf.maxbufsize=8388608

shell>sysctl net.bpf.bufsize=4194304

To uninstall it cleanly, again we will make use of stow,

shell>cd /nsm/stow && stow -D bro-1.1

Go to the bro source directory and run

shell>make uninstall

shell>rm -rf /nsm/stow/bro-1.1

shell>make distclean

Now everything back to the previous state where you haven't installed bro-ids. Since bro-1.1 is installed cleanly, I supposed it should be easy to make into port/package, the FreeBSD package which is version which is version 0.8 is kinda dated, may need to email the porter for updates.

For sleuthkit on FreeBSD, you need to install the package below or else mactime won't work,

shell>pkg_add -vr p5-Date-Manip

Autopsy is not working when install via package, as it can't find Main.pm. Thus I install using port and it works now.

shell>cd /usr/ports/sysutils/autopsy && make && make install

Now what?!!! Of course snort, snort-2.6 Final is released, you may find out all interesting features and updates in the link below, go go snorting .....


Hopefully I can make to 300 blog posts !

Cheers (:])

No comments: