NfQuery Plugin Installation How-to
Table of Contents
1. Installation of NfSen
2. Installation of NfQuery plugin dependencies
3. Obtaining NfQuery plugin
   3.1 Github
   3.2 NfQuery website
4. Installation of NfQuery plugin
5. Register NfQuery plugin
6. Configure NfSen for NfQuery plugin

Ubuntu Server 12.10 (Quantal), with the latest updates as of February 2014, is used for the installation and configuration described here.

1. Installation of NfSen

NfQuery is an NfSen-based framework for multi-domain environments. It uses NetFlow data to analyse threats and boosts the use of data that is already available from various sources, such as online repositories and the local security tools of each domain (honeypots, IDS, etc.).
Therefore, before the NfQuery plugin, NfSen and its dependencies must be installed:

  # apt-get update
  # apt-get install build-essential
  # apt-get install apache2
  # apt-get install php5 php5-cli
  # apt-get install rrdtool
  # apt-get install librrds-perl
  # apt-get install libpng12-dev libfreetype6-dev libart-2.0-dev bison flex
  # apt-get install nfdump
  # perl -MCPAN -eshell
  cpan> install Mail::Header
  cpan> install Socket6
  # wget http://downloads.sourceforge.net/project/nfsen/stable/nfsen1.3.6p1/nfsen-1.3.6p1.tar.gz
  # tar zxvf nfsen-1.3.6p1.tar.gz
  # cd nfsen-1.3.6p1/
  # cp etc/nfsen-dist.conf etc/nfsen.conf
  # mkdir /data

The NfSen configuration file must be updated to add the NetFlow sources and define the working directories. Each %sources entry gives the port the collector listens on for that source, the colour used in the graphs and the flow type (the source names kaynak1 to kaynak5 are this setup's own):

  # vi etc/nfsen.conf
  $BASEDIR = "/data/nfsen";
  $HTMLDIR = "/var/www/nfsen/";
  $PREFIX = "/usr/bin";
  $USER = "www-data";
  $WWWUSER = "www-data";
  $WWWGROUP = "www-data";
  %sources = (
      'kaynak1' => { 'port' => '9995', 'col' => '#0000ff', 'type' => 'netflow' },
      'kaynak2' => { 'port' => '9996', 'col' => '#ff00ff', 'type' => 'netflow' },
      'kaynak3' => { 'port' => '9997', 'col' => '#ffff00', 'type' => 'netflow' },
      'kaynak4' => { 'port' => '9998', 'col' => '#00ff00', 'type' => 'netflow' },
      'kaynak5' => { 'port' => '9999', 'col' => '#00ffff', 'type' => 'netflow' },
  );

NfSen installation and start of the service:

  # ./install.pl etc/nfsen.conf
  # ls -la /data/nfsen/etc/nfsen.conf
  -rw-r--r-- 1 root www-data 9335 2011-03-25 14:27 /data/nfsen/etc/nfsen.conf
  # ln -s /var/www/nfsen/nfsen.php /var/www/nfsen/index.php
  # /data/nfsen/bin/nfsen start

The following commands can be used to check whether NetFlow data is arriving from a source. nfcapd.current is the file the collector is currently writing for that source, so its timestamp should keep advancing while flows arrive:

  # cd /data/nfsen/profiles-data/live/kaynak1/
  # ls -la nfcapd.current
  -rw-r--r-- 1 www-data www-data 276 2011-03-31 10:25 nfcapd.current

2. Installation of NfQuery plugin dependencies

The first package that must be installed is libssl-dev; it is required by the Net::SSL Perl module.
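Before installing that package and the Perl modules below, it is worth turning the single-source check from section 1 into a pre-flight script that covers every source at once and also confirms the modules load. The script below is an added example, not part of the NfQuery how-to or the NfQuery project; the function names check_sources and check_perl_modules are this example's own, and it assumes NfSen's $BASEDIR is /data/nfsen with one directory per source under profiles-data/live, as in the configuration above.

```shell
#!/bin/sh
# Added example (not the how-to's own code): pre-flight check run after
# NfSen is up and before the NfQuery plugin is installed.
# Assumptions: $BASEDIR is /data/nfsen and the live profile keeps one
# directory per %sources entry under profiles-data/live.

# check_sources BASEDIR [MAX_AGE_MIN]
# Prints one line per source and returns 1 if any source has no
# nfcapd.current or one older than MAX_AGE_MIN minutes (default 10).
# nfcapd rotates the file every 5 minutes, so a stale file means the
# exporter stopped sending or is pointed at the wrong port.
check_sources() {
    base="$1"; max_age="${2:-10}"; rc=0
    for dir in "$base"/profiles-data/live/*/; do
        [ -d "$dir" ] || continue          # glob matched nothing
        src=$(basename "$dir")
        if [ ! -f "$dir/nfcapd.current" ]; then
            echo "$src: MISSING nfcapd.current"; rc=1
        elif [ -n "$(find "$dir" -maxdepth 1 -name nfcapd.current -mmin "-$max_age")" ]; then
            echo "$src: ok"
        else
            echo "$src: STALE (older than ${max_age} min)"; rc=1
        fi
    done
    return $rc
}

# check_perl_modules MODULE...
# Tries to load each module with perl -M; returns 1 if any is missing.
check_perl_modules() {
    rc=0
    for m in "$@"; do
        if perl -M"$m" -e 1 2>/dev/null; then
            echo "$m: ok"
        else
            echo "$m: NOT INSTALLED"; rc=1
        fi
    done
    return $rc
}

# Usage with the how-to's paths and module list:
#   check_sources /data/nfsen 10
#   check_perl_modules JSON JSON::RPC::LWP NetAddr::IP Net::SSL \
#       Parallel::ForkManager DBM::Deep LWP::UserAgent
```

A source reported as STALE with an nfcapd.current that never grows usually means the exporter sends to a different UDP port than the one in %sources; a MISSING entry means nfcapd never started for that source.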
  # apt-get install libssl-dev

Seven Perl modules are mandatory for the NfQuery plugin. They can be built from CPAN with the cpan shell as shown below, or installed with the operating system's package manager.

  # perl -MCPAN -eshell
  cpan> install JSON
  cpan> install JSON::RPC::LWP
  cpan> install NetAddr::IP
  cpan> install Net::SSL
  cpan> install Parallel::ForkManager
  cpan> install DBM::Deep
  cpan> install LWP::UserAgent

3. Obtaining NfQuery plugin

There are two ways to obtain the NfQuery plugin.

3.1 Github

The first way is to clone the master branch of the NfQuery plugin from Github. git must be installed first.

  # git clone https://github.com/ULAKBIM/NfQuery.git NfQuery

3.2 NfQuery website

The second way is to download the plugin's tar.gz file from the NfQuery website. The latest release of the plugin is located at http://nfquery.ulakbim.gov.tr/download/.

  # wget http://nfquery.ulakbim.gov.tr/wp/wp-content/uploads/2014/01/NfQueryplugin-v0.2.0.tar.gz
  # tar zxvf NfQueryplugin-v0.2.0.tar.gz

4. Installation of NfQuery plugin

The installation script is in the directory "NfQuery/plugin". It searches some known paths to locate NfSen, so it is recommended to pass the path to NfSen (its $BASEDIR, /data/nfsen in this setup) as an optional parameter when running install.pl from that directory:

  # ./install.pl /data/nfsen

5. Register NfQuery plugin

Authentication between the NfQuery plugin and the NfQuery Server is certificate based, so each plugin must have a digital certificate signed by the NfQuery Server Certificate Authority (CA). Follow the steps below to create a Certificate Signing Request (CSR), which is an unsigned copy of your digital certificate. Your CSR contains the following information:

1. Information about your organization (organization name, country, etc.)
2. Your server's public key
3. A signature made with your server's private key, which ties the request to the key matching that public key
  root@ubuntu:~/NfQuery-plugin-v0.2.0/certs# openssl req -days 730 -new -nodes -out plugin-csr.pem -keyout plugin-key.pem
  Generating a 2048 bit RSA private key
  ....................................+++
  .............................................+++
  writing new private key to 'plugin-key.pem'
  -----
  You are about to be asked to enter information that will be incorporated
  into your certificate request.
  What you are about to enter is what is called a Distinguished Name or a DN.
  There are quite a few fields but you can leave some blank
  For some fields there will be a default value,
  If you enter '.', the field will be left blank.
  -----
  Country Name (2 letter code) [AU]:TR
  State or Province Name (full name) [Some-State]:
  Locality Name (eg, city) []:Ankara
  Organization Name (eg, company) [Internet Widgits Pty Ltd]:TUBITAK ULAKBIM
  Organizational Unit Name (eg, section) []:ATB
  Common Name (e.g. server FQDN or YOUR name) []:nfsen.ulakbim.gov.tr
  Email Address []:noc@ulakbim.gov.tr

  Please enter the following 'extra' attributes
  to be sent with your certificate request
  A challenge password []:dem2rg2b2kollar1m
  An optional company name []:

The -nodes option leaves the private key unencrypted on disk. If you want to encrypt the key instead, run:

  # openssl rsa -des3 -in plugin-key.pem -out plugin_encrypted-key.pem
  # mv plugin_encrypted-key.pem plugin-key.pem

The CSR must then be sent to the NfQuery Operation Team (nfquery@ulakbim.gov.tr) to be signed. The signing request must be e-mailed from the institution's domain and must include the following information:

  Admin name
  Admin e-mail
  Admin phone
  Prefix list (comma-separated CIDRs)
  Your plugin's IP address
  CSR (as an attachment)

After signing your request, the NfQuery Operation Team will return your certificate file (e.g. plugin-crt.pem) and the NfQuery Server's CA certificate (e.g. cacert.pem). A PKCS#12 (.p12, also called PFX) keystore file can then be generated from your certificate file and your private key. openssl prompts for an export password when creating the keystore; that password protects the bundle and is the value that goes into https_pkcs12_password in the next section (it is unrelated to the CSR challenge password entered above).

  # openssl pkcs12 -export -in plugin-crt.pem -inkey plugin-key.pem -out plugin-crt.p12

6. Configure NfSen for NfQuery plugin

The NfSen configuration file must be updated as follows:

  # mv certs/ /data/nfsen/
  # vi /data/nfsen/etc/nfsen.conf
  @plugins = (
      [ '*', 'nfquery' ],
  );
  %PluginConf = (
      # For plugin nfquery
      nfquery => {
          # Certificates
          https_ca_file         => '/data/nfsen/certs/cacert.pem',
          https_pkcs12_file     => '/data/nfsen/certs/plugin-crt.p12',
          https_pkcs12_password => 'dem2rg2b2kollar1m',
          plugin_ip             => '193.140.98.153',
          queryserver_ip        => '193.140.98.187',
          queryserver_port      => '7777',
      },
  );

Finally, restart the NfSen service. If the installation was successful, NfQuery appears under the NfSen Plugins tab.

  # /data/nfsen/bin/nfsen stop
  # /data/nfsen/bin/nfsen start
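Before the restart, it saves a round of log reading to confirm that the three pieces of certificate material %PluginConf points at actually fit together: that plugin-crt.pem chains to cacert.pem, that plugin-key.pem is the key the certificate was issued for, and that the .p12 bundle opens with the password written into https_pkcs12_password. The script below is an added example, not code from the NfQuery how-to or the NfQuery project; the function name check_plugin_certs is this example's own, the file names are the how-to's, and the key-match step assumes the private key was left unencrypted (the -nodes default above).

```shell
#!/bin/sh
# Added example (not the how-to's own code): verify the certificate material
# referenced by %PluginConf before restarting NfSen.
#
# check_plugin_certs CA_FILE CERT_FILE KEY_FILE P12_FILE P12_PASSWORD
# Returns 0 only if all of the following hold:
#   1. the plugin certificate verifies against the NfQuery CA certificate
#   2. the private key matches the certificate's public key
#   3. the PKCS#12 bundle opens with the password destined for
#      https_pkcs12_password (the export password, not the CSR challenge)
check_plugin_certs() {
    ca="$1"; crt="$2"; key="$3"; p12="$4"; pw="$5"

    # 1. chain validation against the CA certificate the operation team returned
    if ! openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1; then
        echo "certificate $crt does not verify against $ca"; return 1
    fi

    # 2. key/cert match: derive the public key from each side and compare
    #    (assumes an unencrypted key; an encrypted one would prompt and fail here)
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null || true)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null || true)
    if [ -z "$crt_pub" ] || [ "$crt_pub" != "$key_pub" ]; then
        echo "private key $key does not match certificate $crt"; return 1
    fi

    # 3. the bundle must open with the configured password; a wrong password
    #    fails the PKCS#12 MAC check, which is what the plugin would hit at runtime
    if ! openssl pkcs12 -in "$p12" -noout -passin "pass:$pw" >/dev/null 2>&1; then
        echo "PKCS#12 bundle $p12 does not open with the configured password"; return 1
    fi

    # both files carry the private key: warn if anyone but the owner can read them
    for f in "$key" "$p12"; do
        if [ -n "$(find "$f" -perm /077 2>/dev/null)" ]; then
            echo "warning: $f is readable by group/others (chmod 600 recommended)"
        fi
    done
    echo "certificate material OK"
    return 0
}

# Usage with the how-to's paths (run as root or as the NfSen user):
#   check_plugin_certs /data/nfsen/certs/cacert.pem /data/nfsen/certs/plugin-crt.pem \
#       /data/nfsen/certs/plugin-key.pem /data/nfsen/certs/plugin-crt.p12 'dem2rg2b2kollar1m'
```

The key and the .p12 must still be readable by the user nfsend runs as ($USER in nfsen.conf, www-data here), so the usual fix for the permission warning is to make that user the owner and then restrict the mode to 600; nfsen.conf itself holds the password in clear text and deserves the same treatment.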