01.12.2014 18:12:13
Installing Sagan Intrusion Detection System On CentOS RHEL 5 Or 6
Overview
Sagan is a multi-threaded, real-time system and event log monitoring system, but with a twist. Sagan uses a “Snort” like rule set for detecting bad things happening on your network and/or computer systems. If Sagan detects a “bad thing” happening, that event can be stored to a Snort database (MySQL/PostgreSQL) and Sagan will attempt to correlate the event with your Snort Intrusion Detection/Intrusion Prevention (IDS/IPS) system. Sagan is basically a SIEM (Security Information & Log Management) system. (Source: http://sagan.quadrantsec.com/)
Installing Sagan Intrusion Detection System on CentOS RHEL 5 or 6
This guide was tested on CentOS 5 and 6.
Enable the EPEL repository by following the instructions here.
Install the prerequisites (the list below is the original one with the duplicated mysql-devel entry removed):
# yum install pcre pcre-devel libesmtp libesmtp-devel mysql-devel flex bison gcc gcc-c++ libdnet libnet-devel
Depending on the CentOS version you may not find libdnet through yum; if it is not available, download and build it from source:
# wget http://libdnet.googlecode.com/files/libdnet-1.12.tgz
# tar zxvf libdnet-1.12.tgz
# cd libdnet-1.12
# ./configure
# make
# make install
libpcap is another dependency; this guide builds it from source as well. Note that make install places the library under /usr/local/lib by default, so if you want Sagan to link against this build rather than the system copy in /usr/lib64, pass that path to --with-libpcap-libraries in the Sagan configure step below and run ldconfig afterwards.
# wget http://www.tcpdump.org/release/libpcap-1.3.0.tar.gz
# tar zxvf libpcap-1.3.0.tar.gz
# cd libpcap-1.3.0
# ./configure
# make
# make install
Download and compile Sagan. Before building, note the optional dependencies that Sagan's configure script can use:
Installation of liblognorm (OPTIONAL, BUT SUGGESTED)
“liblognorm” allows Sagan to gather useful information from events. While it’s not required by Sagan, it’s highly suggested. “liblognorm” works in conjunction with the Sagan engine to gather data for better correlation of events.
Installation of libesmtp (OPTIONAL)
If you need Sagan to e-mail alerts, then you’ll want this functionality. Sagan uses libesmtp for this purpose.
Installation of libdnet libraries (OPTIONAL)
If you want Sagan to log events in the Unified2 output format, you’ll want this. libdnet basically allows Sagan to “build” event “packets” so they can be stored in Unified2 format. External processes such as Barnyard2 can then read the Sagan Unified2 output.
Installation of the Prelude framework (OPTIONAL)
Installation of MySQL libraries (OPTIONAL)
If you need to log Sagan information to a MySQL database then you’ll need this option. This option is used to log to Snort databases and/or other MySQL databases.
Installation of PostgreSQL libraries (OPTIONAL)
If you need to log Sagan information to a PostgreSQL database then you’ll need this option. This option is used to log to Snort databases and/or other PostgreSQL databases.
I am compiling it with MySQL support; you can also use PostgreSQL with it. I am also not going to use Prelude and am disabling lognorm. I tried compiling the lognorm library but could not get it to work on CentOS. To see all the options available, try ./configure --help
# wget http://sagan.quadrantsec.com/download/sagan-0.3.0.tar.gz
# tar zxvf sagan-0.3.0.tar.gz
# cd sagan-0.3.0
# ./configure --with-mysql-libraries=/usr/lib64/mysql/ --disable-postgresql \
    --disable-prelude --disable-lognorm --with-libpcap-libraries=/usr/lib64/ \
    --build=x86_64-unknown-linux
# make
# make install
Now edit /etc/rsyslog.conf and add the following two lines to the configuration file.
# vi /etc/rsyslog.conf
(The $template line must be entered as one single line, from $template through the closing \n". If it is split across two lines, the template is not defined and the pipe line that references it as ;sagan will not deliver anything to the FIFO.)
$template sagan,"%fromhost-ip%|%syslogfacility-text%|%syslogpriority-text%|%syslogseverity-text%|%syslogtag%|%timegenerated:1:10:date-rfc3339%|%timegenerated:12:19:date-rfc3339%|%programname%|%msg%\n"
*.* |/var/run/sagan.fifo;sagan
Create the FIFO that Sagan will read from, then restart rsyslog:
# mkfifo /var/run/sagan.fifo
# /etc/init.d/rsyslog restart
If everything went right, reading the FIFO shows the log lines, one per event in the pipe-delimited template format above, being written to stdout:
# cat /var/run/sagan.fifo
Stop cat with Ctrl-C before starting Sagan: a FIFO should have a single reader, and any line that cat consumes is one Sagan never sees.
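Two things go wrong most often in this step: the template gets wrapped onto two lines when pasted, and the output is pipe-delimited while %msg% may itself contain pipes, so a naive split on | truncates the message. The script below checks both. It is an added example written for this page, not code from the original article or from the Sagan project; it assumes only POSIX sh and awk, the template text shown above, and the constructed sample lines embedded in it (the IP addresses, tags and messages are invented).

```shell
#!/bin/sh
# Added example for this guide, not code from the original article or from
# the Sagan project. Assumes only POSIX sh and awk plus the rsyslog template
# shown above. Two checks:
#   rsyslog_template_ok FILE  - the sagan template in FILE is one complete line
#   sagan_field N LINE        - field N (1-9) of a line in the template's format

# The template exactly as the article gives it, kept on one line.
SAGAN_TEMPLATE='$template sagan,"%fromhost-ip%|%syslogfacility-text%|%syslogpriority-text%|%syslogseverity-text%|%syslogtag%|%timegenerated:1:10:date-rfc3339%|%timegenerated:12:19:date-rfc3339%|%programname%|%msg%\n"'

# Exit 0 only when exactly one line starts with '$template sagan,"' and that
# same line ends with \n" (backslash, n, double quote). A template wrapped
# onto two lines leaves '$template' alone on its line and fails this check.
rsyslog_template_ok() {
    awk '
        /^[$]template sagan,"/ { n++; if ($0 ~ /\\n"$/) ok++ }
        END { exit !(n == 1 && ok == 1) }
    ' "$1"
}

# Print field N of one line produced by the template. Fields 1-8 are split
# on "|"; field 9 (%msg%) is everything after the eighth "|", because a
# syslog message may itself contain pipes and must not be truncated.
# Exits 1 if the line has fewer than nine fields.
sagan_field() {
    n=$1
    shift
    printf '%s\n' "$*" | awk -F'|' -v n="$n" '
        NF < 9  { exit 1 }
        n <= 8  { print $n; exit }
        {
            msg = $9
            for (i = 10; i <= NF; i++) msg = msg "|" $i
            print msg
        }
    '
}

# Write good.conf (template intact, plus the pipe line) and bad.conf (the
# same template wrapped after '$template', as a pasted copy often ends up).
write_sample_configs() {
    printf '%s\n*.* |/var/run/sagan.fifo;sagan\n' "$SAGAN_TEMPLATE" > "$1/good.conf"
    printf '%s\n' "$SAGAN_TEMPLATE" |
        awk '{ sub(/^[$]template /, "$template\n"); print }' > "$1/bad.conf"
}

# Constructed sample lines in the template's format (not real captures).
# rsyslog usually leaves the leading space of %msg% in place, as shown.
SAMPLE_SSH='10.0.0.5|authpriv|info|info|sshd[2211]:|2014-12-01|18:12:13|sshd| Failed password for invalid user admin from 203.0.113.7 port 4022 ssh2'
SAMPLE_PIPE='10.0.0.9|daemon|warning|warning|app[77]:|2014-12-01|18:12:14|app| job=backup|status=failed|rc=2'

# Demo: check an intact and a wrapped template, then pull out a few fields.
demo() {
    dir=$(mktemp -d)
    write_sample_configs "$dir"
    rsyslog_template_ok "$dir/good.conf" && echo "good.conf: template is one line"
    rsyslog_template_ok "$dir/bad.conf"  || echo "bad.conf: template split, rsyslog would not load it"
    rm -rf "$dir"
    echo "program : $(sagan_field 8 "$SAMPLE_SSH")"
    echo "message : $(sagan_field 9 "$SAMPLE_PIPE")"
}

demo
```

Run rsyslog_template_ok against the real /etc/rsyslog.conf after editing it; the field splitter is what any downstream parser of the FIFO output has to do if it is not to lose the tail of messages that contain a pipe.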
Next, add the sagan user and the log and run directories for Sagan, and hand them over to that user:
# useradd sagan -s /sbin/nologin
# mkdir /var/log/sagan
# mkdir /var/run/sagan
# chown -R sagan:sagan /var/log/sagan
# chown -R sagan:sagan /var/run/sagan
# chown sagan:sagan /var/run/sagan.fifo
Sagan writes all alerts to a log file. I would personally use an interface such as Snorby to view the generated alerts and recommend you do the same; the Snorby installation guide can be found here. Since I assume you will use Snorby, I only cover the database output part here.
Open the Sagan configuration file and apply these changes so that Sagan writes every alert to the database. Add or modify the following lines to set the database user, password and database name:
# vi /usr/local/etc/sagan.conf
sagan_hostname sagan
sagan_interface syslog
sagan_filter none
sagan_detail 1
output database: log, mysql, user=snort password=snort dbname=snort host=127.0.0.1
The user=snort password=snort values are placeholders: give Sagan a dedicated database account with a password of its own, and since that password sits in clear text in sagan.conf, restrict the file's permissions so that only root and the account Sagan runs as can read it.
Next, install the Sagan rule set:
# cd /opt
# wget http://sagan.quadrantsec.com/rules/sagan-rules-current.tar.gz
# tar zxvf sagan-rules-current.tar.gz
# cd /usr/local/etc
# mkdir sagan-rules
# cd sagan-rules
# cp /opt/rules/* .
Let's start Sagan. By default it runs in the foreground in debug mode, printing everything to the screen. Press Enter a couple of times and check that "Total number of events processed" is greater than 0.
# sagan
Once that is confirmed, exit debug mode with Ctrl-C. To start Sagan as a daemon, enter:
# sagan -D