NfQuery Plugin Installation How-to

Table of Contents
1. Installation of NfSen (page 1)
2. Installation of NfQuery plugin dependencies (page 2)
3. Obtaining NfQuery plugin (page 3)
3.1 Github (page 3)
3.2 NfQuery website (page 3)
4. Installation of NfQuery plugin (page 3)
5. Register NfQuery plugin (page 4)
6. Configure NfSen for NfQuery plugin (page 5)
Ubuntu Server 12.10 (Quantal), with the latest updates as of February 2014, is used for the installation and configuration below.
1. Installation of NfSen
NfQuery is an NfSen-based framework for multi-domain environments. It uses NetFlow data for
threat analysis and makes further use of data already available from various sources, such as
on-line repositories and each domain's local security tools (honeypots, IDS, etc.). Therefore,
before the NfQuery plugin, NfSen and its dependencies should be installed:
# apt-get update
# apt-get install build-essential
# apt-get install apache2
# apt-get install php5 php5-cli
# apt-get install rrdtool
# apt-get install librrds-perl
# apt-get install libpng12-dev libfreetype6-dev libart-2.0-dev bison flex
# apt-get install nfdump
# perl -MCPAN -eshell
cpan> install Mail::Header
cpan> install Socket6
# wget http://downloads.sourceforge.net/project/nfsen/stable/nfsen1.3.6p1/nfsen-1.3.6p1.tar.gz
# tar zxvf nfsen-1.3.6p1.tar.gz
# cd nfsen-1.3.6p1/
# cp etc/nfsen-dist.conf etc/nfsen.conf
# mkdir /data
The NfSen configuration file should be updated to add the NetFlow sources and define the working directories.
# vi etc/nfsen.conf
$BASEDIR = "/data/nfsen";
$HTMLDIR = "/var/www/nfsen/";
$PREFIX = "/usr/bin";
$USER = "www-data";
$WWWUSER = "www-data";
$WWWGROUP = "www-data";
%sources = (
    'kaynak1' => { 'port' => '9995', 'col' => '#0000ff', 'type' => 'netflow' },
    'kaynak2' => { 'port' => '9996', 'col' => '#ff00ff', 'type' => 'netflow' },
    'kaynak3' => { 'port' => '9997', 'col' => '#ffff00', 'type' => 'netflow' },
    'kaynak4' => { 'port' => '9998', 'col' => '#00ff00', 'type' => 'netflow' },
    'kaynak5' => { 'port' => '9999', 'col' => '#00ffff', 'type' => 'netflow' },
);
Install NfSen and start the service:
# ./install.pl etc/nfsen.conf
# ls -la /data/nfsen/etc/nfsen.conf
-rw-r--r-- 1 root www-data 9335 2011-03-25 14:27 /data/nfsen/etc/nfsen.conf
# ln -s /var/www/nfsen/nfsen.php /var/www/nfsen/index.php
# /data/nfsen/bin/nfsen start
The following commands may be used to check whether NetFlow data is being received from a source:
# cd /data/nfsen/profiles-data/live/kaynak1/
# ls -la nfcapd.current
-rw-r--r-- 1 www-data www-data 276 2011-03-31 10:25 nfcapd.current
2. Installation of NfQuery plugin dependencies
The first package to install is libssl-dev; it is required by the Net::SSL Perl module.
# apt-get install libssl-dev
Seven Perl modules are mandatory for the NfQuery plugin. They can be built from CPAN with the
cpan shell as shown below, or installed with the operating system's package manager.
# perl -MCPAN -eshell
cpan> install JSON
cpan> install JSON::RPC::LWP
cpan> install NetAddr::IP
cpan> install Net::SSL
cpan> install Parallel::ForkManager
cpan> install DBM::Deep
cpan> install LWP::UserAgent
3. Obtaining NfQuery plugin
There are two ways to obtain the NfQuery plugin.
3.1 Github
The first way is to obtain the master branch of the NfQuery plugin from GitHub. To do so,
you have to install git first.
# git clone https://github.com/ULAKBIM/NfQuery.git NfQuery
3.2 NfQuery website
The second way is to obtain the tar.gz file of the plugin from the NfQuery website. The latest
release of the plugin is located at
http://nfquery.ulakbim.gov.tr/download/.
# wget http://nfquery.ulakbim.gov.tr/wp/wp-content/uploads/2014/01/NfQueryplugin-v0.2.0.tar.gz
# tar zxvf NfQueryplugin-v0.2.0.tar.gz
4. Installation of NfQuery plugin
The installation script is in the directory "NfQuery/plugin". The script searches some
known paths to locate NfSen; nevertheless, it is recommended to pass the path to NfSen as an
optional parameter to install.pl:
# ./install.pl [path to nfsen]    (e.g. # ./install.pl /data/nfsen)
5. Register NfQuery plugin
Authentication between the NfQuery plugin and the NfQuery Server is certificate based. Therefore
each plugin must have a digital certificate signed by the NfQuery Server Certificate Authority (CA).
Follow the steps below to create a Certificate Signing Request (CSR), which is an unsigned
copy of your digital certificate. Your CSR should contain the following information:
1. Information about your organization (organization name, country, etc.)
2. Your web server's public key
3. A unique mathematical match to your server's private key
root@ubuntu:~/NfQuery-plugin-v0.2.0/certs# openssl req -days 730 -new -nodes -out plugin-csr.pem -keyout plugin-key.pem
Generating a 2048 bit RSA private key
....................................+++
.............................................+++
writing new private key to 'plugin-key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:TR
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:Ankara
Organization Name (eg, company) [Internet Widgits Pty Ltd]:TUBITAK ULAKBIM
Organizational Unit Name (eg, section) []:ATB
Common Name (e.g. server FQDN or YOUR name) []:nfsen.ulakbim.gov.tr
Email Address []:noc@ulakbim.gov.tr
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:dem2rg2b2kollar1m
An optional company name []:
Optionally, if you want to encrypt your private key, you can do:
# openssl rsa -des3 -in plugin-key.pem -out plugin_encrypted-key.pem
# mv plugin_encrypted-key.pem plugin-key.pem
The CSR should then be sent to the NfQuery Operation Team (nfquery@ulakbim.gov.tr) to be
signed. The CSR signing request should be e-mailed from the institution's domain and should include
the following information:
Admin Name
Admin E-Mail
Admin Phone
Prefix list (comma-separated CIDR)
Your Plugin IP address
CSR (as attached)
After signing your request, the NfQuery Operation Team will return your certificate file
(e.g. plugin-crt.pem) and the public certificate of the NfQuery Server CA (e.g. cacert.pem). A
PKCS#12 (.p12, also called PFX) keystore file can then be generated from your certificate file and
your private key; the file name must match the https_pkcs12_file setting used in nfsen.conf below:
# openssl pkcs12 -export -in plugin-crt.pem -inkey plugin-key.pem -out plugin-crt.p12
6. Configure NfSen for NfQuery plugin
The NfSen configuration file should be updated as follows:
# mv certs/ /data/nfsen/
# vi /data/nfsen/etc/nfsen.conf
@plugins = (
    [ '*', 'nfquery' ],
);
%PluginConf = (
    # For plugin nfquery
    nfquery => {
        # Certificates
        https_ca_file         => '/data/nfsen/certs/cacert.pem',
        https_pkcs12_file     => '/data/nfsen/certs/plugin-crt.p12',
        https_pkcs12_password => 'dem2rg2b2kollar1m',
        plugin_ip             => '193.140.98.153',
        queryserver_ip        => '193.140.98.187',
        queryserver_port      => '7777',
    },
);
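Before restarting NfSen, a check like the one below catches the usual mistakes in the settings above: a PKCS#12 password that does not open the keystore, a certificate not signed by the CA in cacert.pem, a certificate close to expiry, and key material or the nfsen.conf password left world-readable. This is an added example, not part of the NfQuery project; the function name check_plugin_certs, its three arguments and the file layout under the certs directory are assumptions.

```shell
#!/bin/sh
# Pre-flight check of the NfQuery plugin certificate material (added example, not NfQuery code).
# Assumed layout: $certdir/plugin-crt.p12 and $certdir/cacert.pem, as referenced in nfsen.conf;
# the PKCS#12 password and the nfsen.conf path are passed in by the caller.
check_plugin_certs() {
  certdir=$1; password=$2; conf=$3
  p12="$certdir/plugin-crt.p12"; ca="$certdir/cacert.pem"
  tmpcert="$certdir/.plugin-cert-check.pem"
  # 1. The keystore must open with the password that goes into https_pkcs12_password.
  if ! openssl pkcs12 -in "$p12" -passin "pass:$password" -nokeys -clcerts \
         -out "$tmpcert" >/dev/null 2>&1; then
    echo "FAIL: cannot open $p12 with the configured password"; return 1
  fi
  # 2. The plugin certificate must chain to the CA in cacert.pem, otherwise the
  #    TLS handshake with the query server is rejected.
  if ! openssl verify -CAfile "$ca" "$tmpcert" >/dev/null 2>&1; then
    echo "FAIL: certificate in $p12 is not signed by the CA in $ca"; rm -f "$tmpcert"; return 2
  fi
  # 3. Warn well before expiry (the CSR above asks for 730 days): 30 days = 2592000 s.
  if ! openssl x509 -in "$tmpcert" -noout -checkend 2592000 >/dev/null 2>&1; then
    echo "FAIL: plugin certificate expires within 30 days"; rm -f "$tmpcert"; return 3
  fi
  rm -f "$tmpcert"
  # 4. The keystore holds the private key and nfsen.conf holds its password in clear text;
  #    neither may be readable by users other than the NfSen user and group.
  for f in "$p12" "$conf"; do
    if [ -n "$(find "$f" -prune -perm -004 2>/dev/null)" ]; then
      echo "FAIL: $f is world-readable"; return 4
    fi
  done
  echo "OK: plugin certificate material is consistent with nfsen.conf"
  return 0
}
```

Run it as `check_plugin_certs /data/nfsen/certs 'dem2rg2b2kollar1m' /data/nfsen/etc/nfsen.conf` on the host; a non-zero exit code names the first failed check.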
Finally, the NfSen service should be restarted; if the installation was successful, NfQuery
should appear under the NfSen Plugins tab.
# /data/nfsen/bin/nfsen stop
# /data/nfsen/bin/nfsen start