CERT
Software Assurance Secure Systems Organizational Security Coordinating Response Training
Skip to end of metadata
Go to start of metadata

Introduction

This Tooltip will show you how to install SiLK and YAF on a single machine for standalone Flow collection and Analysis.

You do not need to have multiple network interface cards for flow collection to work properly. Although multiple NICs will work fine,
this tool tip describes installation with a single NIC.

As of YAF v1.0 the libairframe libraries come packaged with YAF and you do not need to perform a separate install of the library.

Prerequisites

You should have a fully functional copy of  Ubuntu 12.04 installed. (We have no reason to believe these instructions will not work on other Ubuntu releases, but we have not tested the instructions on those systems directly. See SiLK on a Box - Standalone Flow Collection & Analysis for instructions that install on a Fedora system.)

We assume the system has been fully updated.

If you are behind a proxy, set the system wide proxy via System Settings->Network->Network Proxy.

Open a terminal window and type the following commands to install the necessary prerequisite packages.

You will need gcc , gcc-c++, glib2, glib2-dev, libpcap, libpcap-dev, python and python-dev.

sudo apt-get -y install libglib2.0-dev
sudo apt-get -y install libpcap-dev
sudo apt-get -y install python-dev

Download NetSA Software

Downloads of NetSA software can be found on our website: http://tools.netsa.cert.org/. (The versions shown here are current as of this writing.)

 

Install fixbuf

cd ~/tmp
tar -zxvf libfixbuf-1.7.1.tar.gz
cd libfixbuf-1.7.1
./configure && make
sudo make install

Install YAF

cd ~/tmp
tar -zxvf yaf-2.7.1.tar.gz
cd yaf-2.7.1
export PKG_CONFIG_PATH=/usr/local/lib/pkgconfig
./configure --enable-applabel
make
sudo make install

Install SiLK

We will use /data as the place to store our data; let's make this first:

sudo mkdir /data

Build and install SiLK. You may leave off the --enable-ipv6 switch from the ./configure command if you do not plan to capture IPv6 data.

cd ~/tmp
tar -xvzf silk-3.11.0.1.tar.gz
cd silk-3.11.0.1
./configure \
--with-libfixbuf=/usr/local/lib/pkgconfig/ \
--with-python \
--enable-ipv6
make
sudo make install

Instead of exporting LD_LIBRARY_PATH each time you use SiLK it is easier to add the following paths to ld.so.conf:

cat <<EOF >>silk.conf
/usr/local/lib
/usr/local/lib/silk
EOF
sudo mv silk.conf /etc/ld.so.conf.d/

 

And run ldconfig

sudo ldconfig

Configure the firewall 

Let's allow YAF to talk to rwflowpack by allowing port 18001 in. 

# on Ubuntu using ufw localhost is not generally blocked.

Configure Silk

Use the default silk.conf file. Edit sensor descriptions if desired.

 

cd ~/tmp/silk-3.11.0.1
sudo cp site/twoway/silk.conf /data

 

Next create the sensors.conf file. Add the following lines.

IMPORTANT: Make sure the ipblocks below match your "internal" network blocks.

cat <<EOF >sensors.conf
probe S0 ipfix
listen-on-port 18001
protocol tcp
listen-as-host 127.0.0.1
end probe
group my-network
ipblocks 192.168.1.0/24 # address of eth0. CHANGE THIS.
ipblocks 10.0.0.0/8 # other blocks you consider internal
end group
sensor S0
ipfix-probes S0
internal-ipblocks @my-network
external-ipblocks remainder
end sensor
EOF
sudo mv sensors.conf /data

if all your records show up as type ext2ext it means you did not configure your internal netblocks correctly.

 

Configure rwflowpack

 We will configure rwflowpack to listen for flows from YAF. We copy the default rwflowpack.conf, changing some values.

 

cat /usr/local/share/silk/etc/rwflowpack.conf | \
sed 's/ENABLED=/ENABLED=yes/;' | \
sed 's/SENSOR_CONFIG=/SENSOR_CONFIG=\/data\/sensors.conf/;' | \
sed 's/SITE_CONFIG=/SITE_CONFIG=\/data\/silk.conf/' | \
sed 's/LOG_TYPE=syslog/LOG_TYPE=legacy/' | \
sed 's/LOG_DIR=.*/LOG_DIR=\/var\/log/' | \
sed 's/CREATE_DIRECTORIES=.*/CREATE_DIRECTORIES=yes/' \
>> rwflowpack.conf
sudo mv rwflowpack.conf /usr/local/etc/

 

Next copy the start up script into /etc/init.d and set it to start on boot. 

sudo cp /usr/local/share/silk/etc/init.d/rwflowpack /etc/init.d
sudo sudo update-rc.d rwflowpack start 20 3 4 5 .
sudo service rwflowpack start

Start YAF

IMPORTANT: Make sure the interface (eth0 below) matches the interface on which you want to capture.

sudo nohup /usr/local/bin/yaf --silk --ipfix=tcp --live=pcap  --out=127.0.0.1 \
  --ipfix-port=18001 --in=eth0 --applabel --max-payload=384 &

Generate some traffic and wait records to be flushed

Generate some traffic

ping -c 4 8.8.8.8

You may have to wait 10 or 15 minutes for the first records to be flushed.  You can check the status of YAF, rwflowpack watch the logs with the following commands

sudo ps -auxww | grep yaf
sh /etc/init.d/rwflowpack status
cat /var/log/rwflowpack-*.log

Run a test query 

/usr/local/bin/rwfilter --sensor=S0 --proto=0-255 --pass=stdout --type=all | rwcut | tail

You now have a standalone flow collection and analysis machine.

See the  SiLK Installation Handbook for more information on installing SiLK.   The Analysts' Handbook: Using SiLK for Network Traffic Analysis contains more examples of the use of SiLK for analysis.

 

  • No labels