An alchemist's view from the bar

Network Security Alchemy

OpenFPC on Security Onion

I've been asked a couple of times whether OFPC can be installed on Security Onion, and I'm happy to say that it can (as of the time of writing at least, rev 335 in SVN). While poking about with it I spotted a small but critical bug that I had to squish in 334. Here is what you have to do:

1) Download and install Security Onion

You can download it from here -> http://sourceforge.net/projects/security-onion/files/

2) Grab OpenFPC from SVN

$ svn checkout http://openfpc.googlecode.com/svn/trunk/ openfpc-read-only
A openfpc-read-only/tools
A openfpc-read-only/tools/ofpc-cxsearch.pl
A openfpc-read-only/tools/mk_release.sh
A openfpc-read-only/tools/testParse.pl
<snip>

2b) Install some extra packages

Get and install cxtracker and a few Perl modules that OpenFPC needs:

$ wget http://github.com/downloads/gamelinux/cxtracker/cxtracker_0.9.5-1_i386.deb

$ sudo dpkg -i ./cxtracker_0.9.5-1_i386.deb

$ sudo apt-get install libarchive-zip-perl libfilesys-df-perl libdate-simple-perl libdatetime-perl

3) Run the installer

OpenFPC checks for some dependencies during install, and these checks fail on Onion even after installing the packages above. One reason is that it checks for Apache 2, whereas what Onion has installed is Apache 2.2. Use the forceinstall option instead to continue.

$ sudo ./openfpc-install.sh forceinstall

4) Create the GUI DB

Security Onion doesn't set a password for the root mysql user, which doesn't sit well with the OpenFPC install scripts, as they expect there to be one. Whenever a password is prompted for, simply hit the Enter key. This looks a little confusing, so here is an exact copy/paste of what to expect. You could of course set a password for root, but I don't know what else on the platform that might break (if anything).

$ sudo openfpc-dbmaint create gui /etc/openfpc/openfpc-default.conf
[*] Enter mysql "root" credentials to connect to your local mysql server in order to create the databases
DB root Username: root
DB root Password: <Enter> Enter password: <Enter> 

[*] Enter an initial username for the first OpenFPC GUI user.
GUI Username: admin
GUI Password: <a password>
Email address: admin@admin.com
Real Name: My real name
grep: /etc/openfpc/openfpc.passwd: No such file or directory
USER NOT FOUND. Adding admin.
Creating new user file /etc/openfpc/openfpc.passwd...
Adding user admin
Done.
CREATING GUI DATABASE
---------------------
Enter password: <Enter> 
Enter password: <Enter> 
Enter password: <Enter> 
Enter password: <Enter> 
GUI DB Created.
Enter password: <Enter> 
Enter password: <Enter> 
New user admin added.
[*] Restarting OpenFPC

<SNIP>

5) Create the session DB. This also looks a little odd when the mysql 'root' user has a blank password.

$ sudo openfpc-dbmaint create session /etc/openfpc/openfpc-default.conf
[*] Enter mysql "root" credentials to connect to your local mysql server in order to create the databases
DB root Username: root
DB root Password: <Enter> Enter password:
---------------------------------------------
[*] Working on Instance /etc/openfpc/openfpc-default.conf .
Would you like session capture ENABLED on Default_Node? (y/n)y
[-] Enabling session capture in Default_Node config
Done.
[-] Found cxtracker.
CREATING DATABASE
---------------------
Enter password: <Enter>
Enter password: <Enter>
Enter password: <Enter>
Enter password: <Enter>
Enter password: <Enter>
Session DB Created.
Adding function INET_ATON6... to DB openfpc
Enter password: <Enter>
[*] Restarting OpenFPC <SNIP>

6) Try it out.

The command line should be functional now, as should the GUI, which is accessible at https://localhost/openfpc/

$ sudo openfpc-client -a status

* openfpc-client 0.7 *
Part of the OpenFPC project

Username: admin
Password for user admin : <My Password>
####################################
OpenFPC Node name : Default_Node
OpenFPC Node Type : NODE
OpenFPC Version : 0.6
Oldest Packet : 1347467610 (Wed Sep 12 16:33:30 2012)
Oldest Session : 1347479998 (Wed Sep 12 19:59:58 2012)
Packet utilization : 25%
Session utilization : 25%
Session DB Size : 8 rows
Session lag : 0 files
Storage utilization : 25%
Packet space used : 4726172 (4.73 GB)
Session space used : 4726172 (4.73 GB)
Storage used : 4726172 (4.73 GB)
Load avg 1 : 1.54
Load avg 5 : 1.34
Load avg 15 : 1.16
Errors : 0

You should now be able to configure Snorby to extract data from OpenFPC when alerts fire on the Security Onion.
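Once the node answers `openfpc-client -a status`, that output is also the easiest thing to watch to make sure capture keeps running after the install. The following is an added example, not code from the post or from the OpenFPC project: a small POSIX sh check that parses the status fields shown above (the embedded sample is constructed from that output) and exits non-zero when storage utilization, session lag or the error count cross thresholds, which are assumed defaults you can override as arguments. The client's username/password prompts stay interactive, so run it from a shell session or feed it saved status output.

```shell
#!/bin/sh
# Health check for an OpenFPC node based on `openfpc-client -a status` output.
# Usage:  . ./ofpc-health.sh; ofpc_health "$(sudo openfpc-client -a status)"
# or, offline: ofpc_health "$SAMPLE_STATUS"

# Constructed sample, copied from the status output of a fresh install above.
SAMPLE_STATUS='OpenFPC Node name : Default_Node
OpenFPC Node Type : NODE
OpenFPC Version : 0.6
Packet utilization : 25%
Session utilization : 25%
Session DB Size : 8 rows
Session lag : 0 files
Storage utilization : 25%
Errors : 0'

# ofpc_field STATUS_TEXT FIELD_NAME
# Prints the numeric part of the named "Field : value" line (25% -> 25,
# "0 files" -> 0); prints nothing if the field is absent.
ofpc_field() {
    printf '%s\n' "$1" | awk -F' : ' -v key="$2" \
        '$1 == key { v = $2; gsub(/[^0-9]/, "", v); print v; exit }'
}

# ofpc_health STATUS_TEXT [STORAGE_MAX_PCT] [LAG_MAX_FILES]
# Returns 0 when every checked field is present and within its threshold,
# 1 otherwise, with one warning per problem on stderr. Thresholds are
# assumptions: 90% storage and zero files of session lag by default.
ofpc_health() {
    status=$1; storage_max=${2:-90}; lag_max=${3:-0}
    rc=0
    storage=$(ofpc_field "$status" "Storage utilization")
    lag=$(ofpc_field "$status" "Session lag")
    errors=$(ofpc_field "$status" "Errors")
    for v in "$storage" "$lag" "$errors"; do
        # A missing field usually means the node did not answer at all.
        [ -n "$v" ] || { echo "ofpc: status output incomplete" >&2; return 1; }
    done
    [ "$storage" -le "$storage_max" ] || {
        echo "ofpc: storage at ${storage}% (limit ${storage_max}%)" >&2; rc=1; }
    [ "$lag" -le "$lag_max" ] || {
        echo "ofpc: session loader is ${lag} file(s) behind" >&2; rc=1; }
    [ "$errors" -eq 0 ] || {
        echo "ofpc: node reports ${errors} error(s)" >&2; rc=1; }
    return $rc
}
```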

Written by leonward

September 19, 2012 at 3:40 pm

Posted in OpenFPC, Security