CERT

As a thank you for attending FloCon 2010, each attendee will receive a LiveUSB distribution that boots a Linux system running SiLK and YAF. This LiveUSB performs NetFlow collection and enables analysis without installing anything on your host machine.


Using the LiveUSB

With your host machine turned off, insert the USB stick and power on the machine. With some BIOSes you may need to hit F12/F2/ESC to select booting from USB. Some machines are unable to boot from USB; if yours cannot, you can still run this image within VirtualBox or VMware.

Booting

After the splash screen, the screen should change to a progress bar.

A login screen will appear; you can select login, or it will automatically log you in.


Using the System

Open the Terminal application by going to Applications -> System Tools -> Terminal.

You may want to generate some traffic by surfing the web with Firefox before running rwfilter.

You can see your flows by running "rwfilter --proto=0- --type=all --pass=stdout | rwcut | head".


Troubleshooting

If no flows are being generated, first check whether YAF and rwflowpack are running.

Do this by switching to root with "su -".

Then running "service yaf status" and "service rwflowpack status".

By default this image captures on eth0; run "ifconfig" to see which interfaces your machine actually has.

If the interface is not eth0, edit /etc/init.d/yaf and change the interface.

After the change, restart yaf with "service yaf restart".

If that does not fix the issue, you can run "tail /var/log/messages".

From these log messages you should see yaf sending flow records to rwflowpack, and rwflowpack storing them under /data/localhost/.
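The troubleshooting steps above (confirm the capture interface exists, confirm flow files are actually being written) can be scripted. The following is an added example, not part of the LiveUSB image; it assumes the interface is set by a line of the form IFACE=eth0 in /etc/init.d/yaf (the real variable name in that script may differ) and that rwflowpack writes its files beneath /data/localhost/.

```shell
#!/bin/sh
# Sanity check for the SiLK/YAF LiveUSB collection pipeline (example code).
# Assumption: /etc/init.d/yaf contains a line like "IFACE=eth0" (hypothetical
# variable name). Flow files are expected under the rwflowpack data root.

# Print the interface named in the yaf init script ($1); empty if none found.
yaf_interface() {
    sed -n 's/^[[:space:]]*IFACE=\([A-Za-z0-9_.:-]*\).*/\1/p' "$1" | head -n 1
}

# Succeed if interface $1 exists on this host (sysfs view, same info as ifconfig).
iface_exists() {
    [ -d "/sys/class/net/$1" ]
}

# Count files written under data root $1 within the last $2 minutes.
recent_flow_files() {
    find "$1" -type f -mmin "-$2" 2>/dev/null | wc -l | tr -d ' '
}

# Walk the page's troubleshooting steps; exit codes distinguish the failure.
#   2: no interface setting found    3: configured interface does not exist
#   4: no recent flow files          0: everything looks healthy
flow_sanity_check() {
    init_script=$1; data_root=$2; window=${3:-15}
    iface=$(yaf_interface "$init_script")
    if [ -z "$iface" ]; then
        echo "no interface setting found in $init_script"; return 2
    fi
    if ! iface_exists "$iface"; then
        echo "yaf is set to capture on $iface but that interface does not exist;" \
             "compare with ifconfig, edit $init_script, then 'service yaf restart'"
        return 3
    fi
    n=$(recent_flow_files "$data_root" "$window")
    if [ "$n" -eq 0 ]; then
        echo "no flow files under $data_root in the last $window minutes;" \
             "check 'service yaf status', 'service rwflowpack status', /var/log/messages"
        return 4
    fi
    echo "ok: yaf on $iface, $n flow file(s) written under $data_root recently"
}

# Stand-alone use on the LiveUSB (as root): defaults to the paths the page names.
if [ "${0##*/}" = "flowcheck.sh" ]; then
    flow_sanity_check /etc/init.d/yaf /data/localhost 15
fi
```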


No DHCP Server

If your environment does not have a DHCP server you will have to enter the IP information manually.

To do that, go to System -> Preferences -> Network Connections.

Select your interface and choose Edit.

Select IPv4 and edit your settings here.


Installing to Hard Drive

If you wish to use this LiveUSB to build more permanent sensors, you can boot from the USB image and, upon login, select the "Install To Hard Drive" icon on your desktop.

After doing this, it is best to run "yum update" to install any newer software.


Obtaining the ISO Image to create additional copies

You can download the ISO image here.

Insert your new USB stick into a Fedora box and run "dmesg | tail".

You should see a new USB device added as /dev/sdX.

You need to run fdisk on that device to create a single bootable FAT16 partition.

Roughly, the fdisk keystrokes are:

d (delete the existing partitions)
1 (partition 1)
n (new partition)
p (primary)
1 (partition 1)
^M (hit return for default)
^M (hit return for default)
t (define type)
6 (specify fat16)
a (make bootable)
1 (select partition 1)
w (write to disk)

Format the filesystem: "/sbin/mkdosfs -F 16 -n usbdisk /dev/sdX1".

Burn the image to disk: "livecd-iso-to-disk --overlay-size-mb 1024 livecd-silk-flocon2010.iso /dev/sdX1".
