Installing Sagan Intrusion Detection System On CentOS RHEL 5 Or 6

01.12.2014 18:12:13



Overview

Sagan is a multi-threaded, real-time system and event log monitoring system, but with a twist. Sagan uses a “Snort”-like rule set for detecting bad things happening on your network and/or computer systems. If Sagan detects a “bad thing” happening, that event can be stored to a Snort database (MySQL/PostgreSQL) and Sagan will attempt to correlate the event with your Snort Intrusion Detection/Intrusion Prevention (IDS/IPS) system. Sagan is basically a SIEM (Security Information & Log Management) system. (Source: http://sagan.quadrantsec.com/)

Installing Sagan Intrusion Detection System on CentOS RHEL 5 or 6

This guide was tested on CentOS 5 and 6.

Enable the EPEL repository by following the instructions here.

Install the prerequisites


# yum install pcre libesmtp mysql-devel flex bison gcc gcc-c++ pcre-devel libesmtp-devel libdnet libnet-devel

Depending on the CentOS release you may not find libdnet through yum; if it is not available, download and build it from source:


# wget http://libdnet.googlecode.com/files/libdnet-1.12.tgz
# tar zxvf libdnet-1.12.tgz
# cd libdnet-1.12
# ./configure
# make
# make install

Another dependency is libpcap, which you have to install from source:


# wget http://www.tcpdump.org/release/libpcap-1.3.0.tar.gz
# tar zxvf libpcap-1.3.0.tar.gz
# cd libpcap-1.3.0
# ./configure
# make
# make install

Download and compile Sagan. The configure script offers the following optional components (descriptions from the Sagan documentation):

Installation of liblognorm (OPTIONAL, BUT SUGGESTED)
“liblognorm” allows Sagan to gather useful information from events. While it’s not required by Sagan, it’s highly suggested. “liblognorm” works in conjunction with the Sagan engine to gather data for better correlation of events.

Installation of libesmtp (OPTIONAL)
If you need Sagan to e-mail alerts, then you’ll want this functionality. Sagan uses libesmtp for this purpose.

Installation of libdnet libraries (OPTIONAL)
If you want Sagan to log events to a Unified2 output format, you’ll want this. Libdnet basically allows Sagan to “build” event “packets” so they can be stored to a Unified2 format. External processes, like Barnyard2 can be used to read in the Sagan Unified2 output.

Installation of the Prelude framework (OPTIONAL)

Installation of MySQL libraries (OPTIONAL)
If you need to log Sagan information to a MySQL database then you’ll need this option. This option is used to log to Snort databases and/or other MySQL databases.

Installation of PostgreSQL libraries (OPTIONAL)
If you need to log Sagan information to a PostgreSQL database then you’ll need this option. This option is used to log to Snort databases and/or other PostgreSQL databases.

I am compiling it with MySQL support; you can also use PostgreSQL with it. I am not going to use Prelude and am also disabling lognorm: I tried compiling the lognorm library but could not get it to work on CentOS. To see all the options available, try ./configure --help


# wget http://sagan.quadrantsec.com/download/sagan-0.3.0.tar.gz
# tar zxvf sagan-0.3.0.tar.gz
# cd sagan-0.3.0
# ./configure --with-mysql-libraries=/usr/lib64/mysql/ --disable-postgresql --disable-prelude --disable-lognorm --with-libpcap-libraries=/usr/lib64/ --build=x86_64-unknown-linux
# make
# make install


Now you have to edit the rsyslog.conf file and add the following two lines to the configuration:


# vi /etc/rsyslog.conf

(Make sure you add the template as a single line: everything from $template up to and including \n" must be on one line.)

$template sagan,"%fromhost-ip%|%syslogfacility-text%|%syslogpriority-text%|%syslogseverity-text%|%syslogtag%|%timegenerated:1:10:date-rfc3339%|%timegenerated:12:19:date-rfc3339%|%programname%|%msg%\n"

*.* |/var/run/sagan.fifo;sagan

Create the FIFO from which Sagan will read, then restart rsyslog:


# mkfifo /var/run/sagan.fifo
# /etc/init.d/rsyslog restart

If everything went right you should be able to cat the FIFO we just created and see the received logs written to stdout:


# cat /var/run/sagan.fifo

Next, add the sagan user, create the log and run directories for Sagan, and set their ownership:


# useradd sagan -s /sbin/nologin
# chown sagan:sagan /var/run/sagan.fifo
# mkdir /var/log/sagan
# mkdir /var/run/sagan
# chown -R sagan:sagan /var/log/sagan
# chown -R sagan:sagan /var/run/sagan
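The two steps above (the single-line rsyslog template and the FIFO ownership) are where this setup most often goes wrong, so here is an added check script, not part of the original article, that verifies both. It assumes the paths used in this guide; the conf path, FIFO path and expected owner are passed as arguments so it can be pointed at other locations.

```shell
#!/bin/sh
# Added example (not from the original article): verify the rsyslog -> Sagan
# plumbing. Usage: check_sagan_syslog /etc/rsyslog.conf /var/run/sagan.fifo sagan
check_sagan_syslog() {
    conf=$1; fifo=$2; owner=$3

    # 1. The template must be one line: it has to end with %msg%\n"
    line=$(grep '^\$template sagan,' "$conf") || { printf 'no $template sagan line in %s\n' "$conf"; return 1; }
    case "$line" in
        *'%msg%\n"') ;;
        *) printf 'template does not end with the msg field: it is probably wrapped onto two lines\n'; return 1 ;;
    esac

    # 2. Exactly 8 "|" separators give the 9 fields Sagan expects from this template
    nsep=$(printf '%s\n' "$line" | awk -F'|' 'NR==1 {print NF-1}')
    [ "$nsep" -eq 8 ] || { printf 'expected 8 field separators, found %s\n' "$nsep"; return 1; }

    # 3. rsyslog must forward *.* into the FIFO using that template
    grep -qF -- "|$fifo;sagan" "$conf" || { printf 'no forwarding rule for %s in %s\n' "$fifo" "$conf"; return 1; }

    # 4. The FIFO must exist, be a named pipe, and belong to the sagan user
    [ -p "$fifo" ] || { printf '%s is missing or not a named pipe\n' "$fifo"; return 1; }
    [ -n "$(find "$fifo" -prune -user "$owner" 2>/dev/null)" ] \
        || { printf '%s is not owned by %s\n' "$fifo" "$owner"; return 1; }

    printf 'rsyslog -> Sagan FIFO wiring looks correct\n'
    return 0
}
```

Run it as root after the rsyslog restart: `check_sagan_syslog /etc/rsyslog.conf /var/run/sagan.fifo sagan`.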

Sagan saves all the alerts in a log file. I personally would use an interface such as Snorby to view the generated alerts and would recommend you do the same. The Snorby installation guide can be found here. As I believe you would surely use Snorby, I will only cover the database part here.

Open the Sagan configuration file and apply these changes so that Sagan writes every alert to the database. Add or modify the following lines, setting the username, password and database name to match yours:


# vi /usr/local/etc/sagan.conf

sagan_hostname sagan
sagan_interface syslog
sagan_filter none
sagan_detail 1

output database: log, mysql, user=snort password=snort dbname=snort host=127.0.0.1

Next we have to install the Sagan rule set:


# cd /opt
# wget http://sagan.quadrantsec.com/rules/sagan-rules-current.tar.gz
# tar zxvf sagan-rules-current.tar.gz
# cd /usr/local/etc
# mkdir sagan-rules
# cd sagan-rules
# cp /opt/rules/* .

Let's start Sagan. By default it runs in the foreground in debug mode, printing everything to the screen. Press the Enter key a couple of times and check that the total number of events processed is greater than 0.


# sagan


Once confirmed, you can exit debug mode by hitting Ctrl-C. To start Sagan as a daemon, enter:


# sagan -D