Thursday, April 16, 2009

Argus 3.x On Linksys WRT54GL

I bought two Linksys WRT54GL wireless routers a while ago so that I could run Linux on them and get network security monitoring tools running on them as well. This little device has very limited storage, but you can't beat Linux as a router OS. One of the units currently lives at spoonfork's place serving that Darth Vader, and the other one is with me.
Since Carter has argus supported on OpenWRT, I have been thinking of getting argus installed on it (MIPS platform). After some tinkering, I have successfully got argus running on it and exporting network flows to another box on the network. Here's the complete howto that you can follow exactly to get argus compiled for OpenWRT Kamikaze 8.09 (MIPS platform) using Ubuntu Linux.

Prepare the environment; my main directory for this build is /home/geek00l/i-Projects -

shell>sudo apt-get install gcc g++ patch binutils \
flex bison make pkg-config unzip zlib1g zlib1g-dev \
libc6 libc6-dev gawk autoconf upslug2 libncurses5-dev


To build OpenWRT Kamikaze 8.09, check out the source from svn first -

shell>svn co https://svn.openwrt.org/openwrt/branches/8.09 kamikaze-8.09

shell>cd kamikaze-8.09


Start the building process -

shell>make defconfig


shell>make package/symlinks


shell>make menuconfig


shell>make


Take a coffee break when you run make .....

Install libpcap; this is the only dependency we need to get argus 3 compiled -

shell>make package/libpcap-compile V=99

shell>make package/libpcap-install V=99


Check the cross-compiler gcc that we need to use -

shell>/home/geek00l/i-Projects/kamikaze-8.09/staging_dir/toolchain-mipsel_gcc3.4.6/mipsel-linux-uclibc/bin/gcc --version
gcc (GCC) 3.4.6 (OpenWrt-2.0)
Copyright (C) 2006 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Now we need to set the environment variables for this build -

shell>export PATH=/home/geek00l/i-Projects/kamikaze-8.09/staging_dir/toolchain-mipsel_gcc3.4.6/mipsel-linux-uclibc/bin:/home/geek00l/i-Projects/kamikaze-8.09/staging_dir/toolchain-mipsel_gcc3.4.6/bin:$PATH

shell>export AR=/home/geek00l/i-Projects/kamikaze-8.09/staging_dir/toolchain-mipsel_gcc3.4.6/mipsel-linux-uclibc/bin/ar


shell>export AS=/home/geek00l/i-Projects/kamikaze-8.09/staging_dir/toolchain-mipsel_gcc3.4.6/mipsel-linux-uclibc/bin/as


shell>export LD=/home/geek00l/i-Projects/kamikaze-8.09/staging_dir/toolchain-mipsel_gcc3.4.6/mipsel-linux-uclibc/bin/ld


shell>export NM=/home/geek00l/i-Projects/kamikaze-8.09/staging_dir/toolchain-mipsel_gcc3.4.6/mipsel-linux-uclibc/bin/nm


shell>export CC=/home/geek00l/i-Projects/kamikaze-8.09/staging_dir/toolchain-mipsel_gcc3.4.6/mipsel-linux-uclibc/bin/gcc


shell>export CPP=/home/geek00l/i-Projects/kamikaze-8.09/build_dir/toolchain-mipsel_gcc3.4.6/gcc-3.4.6-initial/gcc/cpp


shell>export GCC=/home/geek00l/i-Projects/kamikaze-8.09/staging_dir/toolchain-mipsel_gcc3.4.6/mipsel-linux-uclibc/bin/gcc


shell>export CXX=/home/geek00l/i-Projects/kamikaze-8.09/staging_dir/toolchain-mipsel_gcc3.4.6/mipsel-linux-uclibc/bin/g++

shell>export RANLIB=/home/geek00l/i-Projects/kamikaze-8.09/staging_dir/toolchain-mipsel_gcc3.4.6/mipsel-linux-uclibc/bin/ranlib


shell>export ac_cv_linux_vers=2.4.35


shell>export LDFLAGS="-static"


shell>export CFLAGS="-Os -s"


Time to have fun: cross-compile argus so it works on the MIPS platform. Because of LDFLAGS="-static" above, the resulting binary carries libpcap inside it, so nothing extra needs to be installed on the router -

shell>cd /home/geek00l/i-Projects/argus-3.0.1.beta.2


shell>./configure --host=mipsel-linux \
--with-openwrt=/home/geek00l/i-Projects/kamikaze-8.09/staging_dir \
--with-libpcap=/home/geek00l/i-Projects/kamikaze-8.09/build_dir/mipsel/libpcap-0.9.8


shell>make


shell>file bin/argus

bin/argus: ELF 32-bit LSB executable, MIPS, version 1 (SYSV), statically linked, stripped
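As an added example (not from the original post and not part of the argus project), here is a small POSIX sh script that does the same sanity check as the file command above by reading the ELF header directly: it refuses a binary that is not a 32-bit little-endian MIPS executable, which is what the WRT54GL expects. The write_fake_header helper builds a constructed 20-byte header purely to exercise the check; the script name check_mipsel.sh is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): verify that a cross-compiled
# binary really is a 32-bit little-endian MIPS executable before copying it
# to the router. It reads the ELF header fields with od(1), so it works on a
# build host without file(1). A wrong-architecture binary only fails on the
# device with "Exec format error", so it is cheaper to catch it here.
#
# ELF32 header fields used below (offsets in bytes):
#   0-3   magic 0x7f 'E' 'L' 'F'       4     EI_CLASS  (1 = ELFCLASS32)
#   5     EI_DATA (1 = little-endian)  16-17 e_type    (2 = ET_EXEC)
#   18-19 e_machine (8 = EM_MIPS)

elf_byte() {    # elf_byte FILE OFFSET -> decimal value of one byte
    od -An -t u1 -j "$2" -N 1 "$1" | tr -d ' \n'
}

elf_u16_le() {  # elf_u16_le FILE OFFSET -> little-endian 16-bit field
    lo=$(elf_byte "$1" "$2")
    hi=$(elf_byte "$1" $(( $2 + 1 )))
    echo $(( hi * 256 + lo ))
}

# check_mipsel_exec FILE -> 0 if FILE is an ELF32 LSB MIPS executable,
# otherwise a non-zero code with the reason on stderr.
check_mipsel_exec() {
    f=$1
    [ "$(wc -c < "$f" | tr -d ' ')" -ge 20 ] || { echo "$f: too short for an ELF header" >&2; return 1; }
    set -- $(od -An -t u1 -N 4 "$f")
    [ "$1.$2.$3.$4" = "127.69.76.70" ] || { echo "$f: not an ELF file" >&2; return 2; }
    [ "$(elf_byte "$f" 4)" -eq 1 ]    || { echo "$f: not ELFCLASS32" >&2; return 3; }
    [ "$(elf_byte "$f" 5)" -eq 1 ]    || { echo "$f: not little-endian" >&2; return 4; }
    [ "$(elf_u16_le "$f" 16)" -eq 2 ] || { echo "$f: not ET_EXEC" >&2; return 5; }
    [ "$(elf_u16_le "$f" 18)" -eq 8 ] || { echo "$f: e_machine is not EM_MIPS (8)" >&2; return 6; }
    echo "$f: ELF 32-bit LSB MIPS executable, OK to scp to the router"
    return 0
}

# write_fake_header FILE E_MACHINE_OCTAL
# Constructed 20-byte ELF32 LSB ET_EXEC header for exercising the check;
# it is not a runnable program, only the fields read above are meaningful.
write_fake_header() {
    printf '\177ELF\001\001\001\000\000\000\000\000\000\000\000\000\002\000' > "$1"
    printf "\\$2\\000" >> "$1"
}

# Usage: ./check_mipsel.sh bin/argus   (exits non-zero on a mismatch)
if [ $# -eq 1 ]; then
    check_mipsel_exec "$1"
fi
```

Run it against bin/argus before the scp step. It does not check for static linking; keep an eye on the "statically linked" in the file output for that, since the binary will not find a libpcap.so on the router unless you also install the libpcap package there.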

Transfer it to my OpenWRT (note that /tmp on OpenWRT is RAM-backed, so the binary is gone after a reboot; put it on flash only if you have the space) -

shell>scp -P 55555 bin/argus root@192.168.1.1:/tmp

To export argus network flows from the ppp0 interface: -B is the address the flow server binds to, -P is the listening port (561 is the argus default) and -d runs it as a daemon -

shell>argus -i ppp0 -B 192.168.1.1 -P 561 -d

Anything that can reach 192.168.1.1:561 can read the flow stream, since argus only authenticates clients when it is built and configured with SASL support, so restrict that port with the router's firewall to the box that runs the collector.

To read the exported flows from another box, point ra at the probe (the trailing "- ip" is a filter expression that keeps only IP flows) -

shell>ra -S 192.168.1.1:561 - ip

I found some good references that got me going, and I would like to thank David Watson (UK Honeynet) for his guide on building nepenthes on OpenWRT too.

Reference:
http://www.frontiernet.net/~beakmyn/CrossCompile.htm
http://www.ukhoneynet.org/research/building-nepenthes-on-the-openwrt-embedded-platform/
http://forum.openwrt.org/viewtopic.php?pid=31794
http://gargoyle-router.com/openwrt-coding.php

Since this embedded device has very limited storage, there's no point running a packet logger locally; the other tools I would like to run on it, so that I can export pcap to another system, are something like packetforward or rpcap. If anyone has experience getting any of these tools installed on OpenWRT, please do share!

Enjoy (;])

9 comments:

Anonymous said...

Thanks Geekool for this great tutorial! It would be very interesting if you could post some more information on how to deploy multiple argus probes and have them send their logs to a central collector.
Also it seems argus can be used to receive netflow v5 from cisco routers and convert it to argus flows but I haven't found much information on how to do it...
Cheers!

/JMC

C.S.Lee said...

JMC,

I have written about Cisco Netflow to Argus Probe here -

http://geek00l.blogspot.com/2007/05/argus-30-cisco-netflow.html

For mass deployment, I think I can write about how to set it up if people want to know more about it.

Cheers ;]

Anonymous said...

That would be great if you could write something about mass deployment (multiple probes sending to one collector).
Detailed information on argus deployment is not easy to find!
We tried with nfsen / nfdump for cisco netflow but we are thinking about using argus instead.
Your blog is a great resource btw!!

toxicle said...

WRT54GL is sweet. Where did you get it from? We should meet up soon.
