An alchemists view from the bar

Network Security Alchemy

OpenFPC on Security Onion

with 7 comments

I’ve been asked a couple of times if OpenFPC (OFPC) can be installed on Security Onion, and I’m happy to say yes it can (as of the time of writing anyway, rev 335 in SVN). While poking about with it I spotted a small yet critical bug that I had to squish with rev 334. Here is what you have to do:

1) Download and install Security Onion

You can download it from here -> http://sourceforge.net/projects/security-onion/files/

2) Grab OpenFPC from SVN

$ svn checkout http://openfpc.googlecode.com/svn/trunk/ openfpc-read-only
A openfpc-read-only/tools
A openfpc-read-only/tools/ofpc-cxsearch.pl
A openfpc-read-only/tools/mk_release.sh
A openfpc-read-only/tools/testParse.pl
<snip>

2) Install some extra packages

Get and install cxtracker and the Perl modules OpenFPC needs

$ wget http://github.com/downloads/gamelinux/cxtracker/cxtracker_0.9.5-1_i386.deb

$ sudo dpkg -i ./cxtracker_0.9.5-1_i386.deb

$ sudo apt-get install libarchive-zip-perl libfilesys-df-perl libdate-simple-perl libdatetime-perl

3) Run the installer

OpenFPC checks for some dependencies during install, and these checks will fail on Onion even after installing the packages above. One reason is that it checks for Apache 2 while Onion has Apache 2.2 installed. Use the forceinstall option instead to continue.

$ sudo ./openfpc-install.sh forceinstall
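Because forceinstall skips the installer's own dependency checks, it is worth re-doing them yourself before running it. The script below is an added example, not part of OpenFPC or Security Onion: it checks the Perl modules behind the packages from step 2 (plus Term::ReadKey, which a comment below reports as missing), looks for cxtracker and mergecap in the usual directories (a comment below shows mergecap living in /usr/bin while the node expected /usr/sbin), and confirms the capture directory is writable. The default capture directory /var/tmp/openfpc is an assumption; use the buffer path from your node config.

```shell
#!/bin/sh
# Added pre-flight check for installing OpenFPC on Security Onion. Not part of
# OpenFPC or Security Onion; it re-does the dependency checks that forceinstall bypasses.

# have_perl_module MODULE : succeed if perl can load MODULE. The packages from step 2
# provide Archive::Zip, Filesys::Df, Date::Simple and DateTime; Term::ReadKey comes
# from libterm-readkey-perl, which a commenter found was also needed.
have_perl_module() {
  perl -M"$1" -e 1 >/dev/null 2>&1
}

# find_executable NAME DIR... : print the first DIR/NAME that is executable, else fail.
find_executable() {
  name=$1
  shift
  for d in "$@"; do
    if [ -x "$d/$name" ]; then
      printf '%s\n' "$d/$name"
      return 0
    fi
  done
  return 1
}

# dir_writable DIR : succeed if DIR exists and the current user can write to it.
dir_writable() {
  [ -d "$1" ] && [ -w "$1" ]
}

# run_preflight [CAPTURE_DIR] : run every check, print one line per item and return
# the number of failures. CAPTURE_DIR defaults to an assumed /var/tmp/openfpc; pass the
# buffer path from your node config instead.
run_preflight() {
  capture_dir=${1:-/var/tmp/openfpc}
  fails=0
  for m in Archive::Zip Filesys::Df Date::Simple DateTime Term::ReadKey; do
    if have_perl_module "$m"; then
      echo "ok   perl module $m"
    else
      echo "FAIL perl module $m (install the matching lib*-perl package)"
      fails=$((fails + 1))
    fi
  done
  # cxtracker comes from the .deb above; mergecap ships with Wireshark. OpenFPC must be
  # pointed at wherever mergecap actually is, so report the path that was found.
  for tool in cxtracker mergecap; do
    if p=$(find_executable "$tool" /usr/sbin /usr/bin /usr/local/bin); then
      echo "ok   $tool at $p"
    else
      echo "FAIL $tool not found in /usr/sbin, /usr/bin or /usr/local/bin"
      fails=$((fails + 1))
    fi
  done
  if dir_writable "$capture_dir"; then
    echo "ok   capture directory $capture_dir is writable"
  else
    echo "FAIL capture directory $capture_dir is missing or not writable"
    fails=$((fails + 1))
  fi
  return $fails
}

# Stand-alone run; a non-zero count means fix the listed items before forceinstall.
run_preflight || echo "preflight: $? check(s) failed"
```

Run it as the user OpenFPC will run as, since the writable-directory check is about that user's permissions, not root's.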

4) Create the GUI and Session DBs

Security Onion doesn’t set a password for the MySQL root user, which doesn’t sit well with the OpenFPC install scripts because they expect one. When a password is prompted for, simply hit the Enter key. This looks a little confusing, so below is an exact copy/paste of what to expect. You could of course set a password for root, but I don’t know what else on the platform this may break (if anything).

$ sudo openfpc-dbmaint create gui /etc/openfpc/openfpc-default.conf
[*] Enter mysql “root” credentials to connect to your local mysql server in order to create the databases
DB root Username: root
DB root Password: <Enter> Enter password: <Enter> 

[*] Enter an initial username for the first OpenFPC GUI user.
GUI Username: admin
GUI Password: <a password>
Email address: admin@admin.com
Real Name: My real name
grep: /etc/openfpc/openfpc.passwd: No such file or directory
USER NOT FOUND. Adding admin.
Creating new user file /etc/openfpc/openfpc.passwd…
Adding user admin
Done.
CREATING GUI DATABASE
—————————
Enter password: <Enter> 
Enter password: <Enter> 
Enter password: <Enter> 
Enter password: <Enter> 
GUI DB Created.
Enter password: <Enter> 
Enter password: <Enter> 
New user admin added.
[*] Restarting OpenFPC

<SNIP>

5) Create the session DB

This also looks a little weird when the MySQL ‘root’ user has a blank password.

$ sudo openfpc-dbmaint create session /etc/openfpc/openfpc-default.conf
[*] Enter mysql “root” credentials to connect to your local mysql server in order to create the databases
DB root Username: root
DB root Password: <Enter> Enter password:
———————————————————
[*] Working on Instance /etc/openfpc/openfpc-default.conf .
Would you like session capture ENABLED on Default_Node? (y/n)y
[-] Enabling session capture in Default_Node config
Done.
[-] Found cxtracker.
CREATING DATABASE
—————————
Enter password: <Enter>
Enter password: <Enter>
Enter password: <Enter>
Enter password: <Enter>
Enter password: <Enter>
Session DB Created.
Adding function INET_ATON6… to DB openfpc
Enter password: <Enter>
[*] Restarting OpenFPC <SNIP>

6) Try it out.

The command line should be functional now, as should the GUI, which is accessible at https://localhost/openfpc/

$ sudo openfpc-client -a status

* openfpc-client 0.7 *
Part of the OpenFPC project

Username: admin
Password for user admin : <My Password>
####################################
OpenFPC Node name : Default_Node
OpenFPC Node Type : NODE
OpenFPC Version : 0.6
Oldest Packet : 1347467610 (Wed Sep 12 16:33:30 2012)
Oldest Session : 1347479998 (Wed Sep 12 19:59:58 2012)
Packet utilization : 25%
Session utilization : 25%
Session DB Size : 8 rows
Session lag : 0 files
Storage utilization : 25%
Packet space used : 4726172 (4.73 GB)
Session space used : 4726172 (4.73 GB)
Storage used : 4726172 (4.73 GB)
Load avg 1 : 1.54
Load avg 5 : 1.34
Load avg 15 : 1.16
Errors : 0
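The status report above is the quickest way to tell whether full packet capture is actually running, and a node that has quietly stopped capturing is a forensic blind spot. The script below is an added example, not OpenFPC code: it parses a report in the shape shown above (a constructed copy is embedded) and returns a distinct exit code for node errors, session lag, storage near its limit, or packet retention shorter than you need. The thresholds and the saved-report workflow are my own choices, not anything OpenFPC provides.

```shell
#!/bin/sh
# Added example (not OpenFPC code): turn the `openfpc-client -a status` report into a
# pass/fail health check so a stalled or full capture node is noticed early.

# Constructed sample report, shaped like the output shown in the post.
SAMPLE_STATUS='OpenFPC Node name : Default_Node
OpenFPC Node Type : NODE
OpenFPC Version : 0.6
Oldest Packet : 1347467610 (Wed Sep 12 16:33:30 2012)
Oldest Session : 1347479998 (Wed Sep 12 19:59:58 2012)
Packet utilization : 25%
Session utilization : 25%
Session DB Size : 8 rows
Session lag : 0 files
Storage utilization : 25%
Packet space used : 4726172 (4.73 GB)
Session space used : 4726172 (4.73 GB)
Storage used : 4726172 (4.73 GB)
Load avg 1 : 1.54
Load avg 5 : 1.34
Load avg 15 : 1.16
Errors : 0'

# status_field NAME : read a report on stdin and print the value of the "NAME : value" line.
status_field() {
  awk -F' : ' -v key="$1" '$1 == key { print $2; exit }'
}

# check_status [MAX_UTIL] [MIN_RETENTION_SECS] [NOW] : read a report on stdin.
# Exit codes: 0 healthy, 1 node errors, 2 session lag, 3 storage at/over MAX_UTIL,
# 4 packet retention shorter than MIN_RETENTION_SECS, 5 report unparseable.
# NOW (epoch seconds) defaults to the current time; pass it explicitly for saved reports.
check_status() {
  max_util=${1:-90}
  min_retention=${2:-0}
  now=${3:-$(date +%s)}
  report=$(cat)
  errors=$(printf '%s\n' "$report" | status_field 'Errors')
  lag=$(printf '%s\n' "$report" | status_field 'Session lag' | awk '{ print $1 }')
  util=$(printf '%s\n' "$report" | status_field 'Storage utilization' | tr -d '%')
  oldest=$(printf '%s\n' "$report" | status_field 'Oldest Packet' | awk '{ print $1 }')
  if [ -z "$errors" ] || [ -z "$util" ] || [ -z "$oldest" ]; then
    echo "UNKNOWN: report is missing expected fields"
    return 5
  fi
  if [ "$errors" -ne 0 ]; then
    echo "CRITICAL: node reports $errors error(s)"
    return 1
  fi
  if [ "${lag:-0}" -ne 0 ]; then
    echo "WARNING: $lag session file(s) not yet loaded into the session DB"
    return 2
  fi
  if [ "$util" -ge "$max_util" ]; then
    echo "WARNING: storage ${util}% used (limit ${max_util}%)"
    return 3
  fi
  retention=$((now - oldest))
  if [ "$retention" -lt "$min_retention" ]; then
    echo "WARNING: only ${retention}s of packets retained (want ${min_retention}s)"
    return 4
  fi
  echo "OK: ${util}% storage used, ${retention}s of packets retained, no errors"
  return 0
}

# Stand-alone demo against the constructed sample, with NOW fixed just after the
# sample's oldest session. In practice save the real report and feed it in:
#   sudo openfpc-client -a status > /tmp/ofpc-status.txt
#   check_status 90 86400 < /tmp/ofpc-status.txt
printf '%s\n' "$SAMPLE_STATUS" | check_status 90 3600 1347480000
```

The retention check is the one worth tuning: the sample node holds only about three and a half hours of packets, so an alert that fires a day after the fact would find nothing to extract.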

You should now be able to configure Snorby to extract data from OpenFPC when alerts fire on the Security Onion.


Written by leonward

September 19, 2012 at 3:40 pm

Posted in OpenFPC, Security

7 Responses


  1. Great work, Leon! Thanks!

    Doug Burks

    September 19, 2012 at 4:18 pm

  2. Thank you so much for the security onion instructions! I couldn’t find any documentation on setting up proxy sensors. How would you set up a system where you have two security onion sensors, one as a server/sensor configuration and one as a sensor only? I’ve got openfpc running on the sensor/server now but am not sure how to integrate my slave sensor.

    Mike

    September 28, 2012 at 3:34 am

    • Thanks,
      I really need to go back and re-do a lot of documentation, things have both changed and improved in recent versions – I just haven’t got around to rolling another release tarball. It’s on the todo list for a couple of weeks.

      leonward

      August 15, 2014 at 9:21 am

  3. thanks for the help.. one thing – you also will need to install libterm-readkey-perl or you get errors during “openfpc-dbmaint create gui /etc/openfpc/openfpc-default.conf”

    cw

    October 31, 2012 at 5:27 pm

    • Thanks, correct. This has been added to the dependencies in the installer now.
      Sorry for the late reply.

      leonward

      August 15, 2014 at 9:20 am

  4. Hi, thx for this nice illustration on installing openfpc on security onion. I am running it in a test net and got a problem while exporting the pcap from the webgui. Every time I click on a specific session data or try to export I get error 0 and nothing happens. Got this error reported in syslog:

    seconion OpenfpcQ[9502]: Test_LAN ERROR: Unable to merge pcap files. Verify that merge command exists at /usr/sbin/mergecap
    Nov 9 12:40:58 seconion OpenfpcQ[9502]: Test_LAN NODE: Request: 4 User: openfpc Result: Problem performing doExtract 0, 0, 0

    I checked mergecap; it is at /usr/bin/ and should work.

    Maybe you got some advice for me, and sorry that I am posting this in the reply section.

    Lukas Branigan (@2hizzo)

    November 9, 2012 at 11:47 am

    • There could be a few things going on there. Make sure you have permission to read/write files in the path where it is being performed. Apparmor likes to break some things. You should find detailed errors in syslog if you’re running the latest version of OpenFPC from googlecode (now moving to github).

      leonward

      August 15, 2014 at 9:16 am

