CERT

NOTE: See SiLK on a Box - Ubuntu 12.04 - Standalone Flow Collection & Analysis for a more recent version of these instructions.

Introduction

This Tooltip will show you how to install SiLK and YAF on a single machine for standalone flow collection and analysis: YAF reads packets from an interface and exports IPFIX flow records, and SiLK's rwflowpack receives them and packs them into the repository that the analysis tools query.

You do not need multiple NICs for this to work. A dedicated capture interface works fine too, but this Tooltip uses a single interface.

As of YAF v1.0 the libairframe library is packaged with YAF, so you do not need to perform a separate install of it.

Prerequisites

You should have a fully functional Linux distribution installed. For this example we will use Fedora Core 9.

You will need gcc, gcc-c++, glib2, glib2-devel, libpcap, libpcap-devel, python and python-devel (the last two are only needed for the PySiLK bindings enabled below).

Download NetSA Software

Downloads of NetSA software can be found on our website: http://tools.netsa.cert.org/

Install fixbuf

[root@silk tmp]# tar -zxvf libfixbuf-0.8.0.tar.gz
[root@silk tmp]# cd libfixbuf-0.8.0
[root@silk libfixbuf-0.8.0]# ./configure && make && make install

Install YAF

[root@silk tmp]# tar -zxvf yaf-1.0.0.tar.gz
[root@silk tmp]# cd yaf-1.0.0
[root@silk yaf-1.0.0]# export PKG_CONFIG_PATH=/usr/local/lib/pkgconfig
[root@silk yaf-1.0.0]# ./configure
[root@silk yaf-1.0.0]# make
[root@silk yaf-1.0.0]# make install

Install SiLK

We will use /data as the place to store our flow data (it is also SiLK's default data root), so create it first:

[root@silk tmp]# mkdir /data

Build and install SiLK

Unpack the SiLK tarball and build it, pointing configure at the directory that holds libfixbuf's pkg-config file and enabling the Python bindings (this is what python-devel was for):

[root@silk tmp]# tar -zxvf silk-1.1.3.tar.gz
[root@silk tmp]# cd silk-1.1.3
[root@silk silk-1.1.3]# ./configure \
  --with-libfixbuf=/usr/local/lib/pkgconfig/ \
  --with-python
[root@silk silk-1.1.3]# make && make install

Instead of exporting LD_LIBRARY_PATH each time you use SiLK, it is easier to add the library directories to ld.so.conf once:

[joe@build tmp]$ sudo vi /etc/ld.so.conf

Add these lines:

/usr/local/lib
/usr/local/lib/silk

And run ldconfig so the dynamic linker picks them up:

[joe@build tmp]$ sudo ldconfig

Configure the firewall

Let's allow YAF to talk to rwflowpack by accepting TCP port 18001, but only from the local host. Both processes run on this machine, so nothing else needs to reach the collector port, and limiting the source address keeps a remote host from pushing forged flow records at it (sensors.conf below enforces the same restriction with accept-from-host):

[joe@build tmp]$ sudo iptables -I INPUT -s 127.0.0.1 -p tcp -m tcp --dport 18001 -j ACCEPT

[joe@build tmp]$ sudo service iptables save

Configure SiLK

You will have to edit the two SiLK configuration files: silk.conf (the site configuration: sensors, classes and flow types) and sensors.conf (how rwflowpack receives flows and which sensor they belong to).

[joe@build tmp]$ sudo vi /data/silk.conf

Use the text below to set up localhost as a sensor. Only the first block (the sensor line and its class membership) is specific to this setup; everything from "version 1" onward is SiLK's standard two-way site configuration and should be left alone:

sensor 0 localhost

class all
    sensors localhost
end class

# Be sure you understand the workings of the packing system before
# editing the class and type definitions below.  Editing above this
# line is sufficient for sensor definition.

version 1

class all
    type  0 in      in
    type  1 out     out
    type  2 inweb   iw
    type  3 outweb  ow
    type  4 innull  innull
    type  5 outnull outnull
    type  6 int2int int2int
    type  7 ext2ext ext2ext
    type  8 inicmp  inicmp
    type  9 outicmp outicmp
    type 10 other   other

    default-types in inweb inicmp
end class

default-class all

# The default path format from SILK_DATA_ROOTDIR
path-format "%N/%T/%Y/%m/%d/%x"

# The plug-in to load to get the packing logic to use in rwflowpack.
# The --packing-logic switch to rwflowpack will override this value.
# If SiLK was configured with hard-coded packing logic, this value is
# ignored.
packing-logic "packlogic-twoway.so"

Next create the sensors.conf file. The probe block tells rwflowpack where to listen for YAF's IPFIX stream and which host may connect; the sensor block maps that probe to the sensor declared in silk.conf and tells the two-way packing logic which addresses count as internal, so replace 192.168.1.0/24 with the network you are monitoring.

[joe@build tmp]$ sudo vi /data/sensors.conf

Add the following lines:

probe localhost ipfix
    listen-on-port 18001
    protocol tcp
    accept-from-host 127.0.0.1
end probe

sensor localhost
    ipfix-probes localhost
    internal-ipblock 192.168.1.0/24
    external-ipblock remainder
end sensor
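A common reason rwflowpack refuses to start is a mismatch between these two files: a sensor name in sensors.conf that is not declared in silk.conf, or an ipfix-probes line naming a probe that was never defined. A probe that listens on a port without accept-from-host is also worth catching, because any host that can reach the port can then inject flow records. The validator below is an added example written for this Tooltip; it is not part of SiLK and does not use PySiLK. It understands only the statements used above (plus poll-directory), and the two files it checks are embedded as constructed samples: the page's own configuration and a deliberately broken variant of sensors.conf.

```python
"""Cross-check silk.conf against sensors.conf before starting rwflowpack.

Added example for this Tooltip; not part of SiLK and independent of PySiLK.
Only the statements used on this page (plus poll-directory) are understood.
"""

# Constructed sample: the silk.conf sensor declaration from this page.
SILK_CONF = """\
sensor 0 localhost

class all
    sensors localhost
end class

version 1
"""

# Constructed sample: the sensors.conf from this page.
GOOD_SENSORS_CONF = """\
probe localhost ipfix
    listen-on-port 18001
    protocol tcp
    accept-from-host 127.0.0.1
end probe

sensor localhost
    ipfix-probes localhost
    internal-ipblock 192.168.1.0/24
    external-ipblock remainder
end sensor
"""

# Constructed sample with mistakes: a listener without accept-from-host, a
# typo in the sensor name, a reference to an undefined probe, and no
# internal address block.
BAD_SENSORS_CONF = """\
probe localhost ipfix
    listen-on-port 18001
    protocol tcp
end probe

sensor localhsot
    ipfix-probes localhost yaf2
    external-ipblock remainder
end sensor
"""


def _statements(text):
    """Yield the whitespace-split tokens of each non-empty line, comments removed."""
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if tokens:
            yield tokens


def site_sensors(silk_conf):
    """Sensor names declared in silk.conf with 'sensor <id> <name>'."""
    return {t[2] for t in _statements(silk_conf) if t[0] == "sensor" and len(t) >= 3}


def parse_sensors_conf(text):
    """Return (probes, sensors), each mapping a block name to {statement: [values]}."""
    probes, sensors, block = {}, {}, None
    for t in _statements(text):
        if t[0] == "probe" and len(t) >= 3:
            block = probes.setdefault(t[1], {"type": [t[2]]})
        elif t[0] == "sensor" and len(t) >= 2:
            block = sensors.setdefault(t[1], {})
        elif t[0] == "end":
            block = None
        elif block is not None:
            block.setdefault(t[0], []).extend(t[1:])
    return probes, sensors


def check_configs(silk_conf, sensors_conf):
    """Return a list of problems; an empty list means the two files agree."""
    problems = []
    declared = site_sensors(silk_conf)
    probes, sensors = parse_sensors_conf(sensors_conf)

    for name, body in probes.items():
        if "listen-on-port" in body:
            if "protocol" not in body:
                problems.append(f"probe {name}: listen-on-port without protocol")
            if "accept-from-host" not in body:
                # Without it, any host that can reach the port can push flow records in.
                problems.append(f"probe {name}: no accept-from-host, flows accepted from any host")
        elif "poll-directory" not in body:
            problems.append(f"probe {name}: neither listen-on-port nor poll-directory")

    for name, body in sensors.items():
        if name not in declared:
            problems.append(f"sensor {name}: not declared in silk.conf")
        # Any '*-probes' statement (ipfix-probes here) assigns probes to the sensor.
        referenced = [p for key, vals in body.items() if key.endswith("-probes") for p in vals]
        if not referenced:
            problems.append(f"sensor {name}: no probes assigned")
        for p in referenced:
            if p not in probes:
                problems.append(f"sensor {name}: references undefined probe {p}")
        if not any(key.startswith("internal-") for key in body):
            problems.append(f"sensor {name}: no internal-ipblock or internal-interface, "
                            "so the two-way packing logic cannot tell in from out")

    return problems


if __name__ == "__main__":
    for label, conf in (("good", GOOD_SENSORS_CONF), ("bad", BAD_SENSORS_CONF)):
        found = check_configs(SILK_CONF, conf)
        print(f"{label}: {len(found)} problem(s)")
        for line in found:
            print("  " + line)
```

To check the real files, call check_configs with the contents of /data/silk.conf and /data/sensors.conf; an empty list is the goal. The check is deliberately conservative: it knows nothing about interface-based sensors beyond the internal- prefix and recognises probe assignments only by the -probes suffix, so a clean result does not replace reading rwflowpack's log on first start.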

Configure rwflowpack

We will configure rwflowpack to listen for flows from YAF.

[joe@build tmp]$ sudo  cp /usr/local/share/silk/etc/rwflowpack.conf /usr/local/etc/.
[joe@build tmp]$ sudo vi /usr/local/etc/rwflowpack.conf

Change the following values (DATA_ROOTDIR should already point at /data, the directory created above):

ENABLED=yes
SENSOR_CONFIG=/data/sensors.conf
SITE_CONFIG=/data/silk.conf
LOG_TYPE=legacy
LOG_DIR=/var/log
CREATE_DIRECTORIES=yes

Next copy the start up script into /etc/init.d and set it to start on boot.

[joe@build tmp]$ sudo cp /usr/local/share/silk/etc/init.d/rwflowpack /etc/init.d

[joe@build tmp]$ sudo chkconfig rwflowpack on
[joe@build tmp]$ sudo service rwflowpack start

Start YAF

Start YAF on the interface you want to monitor (eth0 here; substitute your own capture interface) and have it export IPFIX to rwflowpack over the loopback. The --silk switch makes YAF export in the mode rwflowpack expects, and the trailing & with nohup leaves it running after you log out:

[joe@build tmp]$ sudo nohup /usr/local/bin/yaf --silk --ipfix=tcp --live=pcap --in=eth0 --out=127.0.0.1 --ipfix-port=18001 &

Run a test query

The first records can take a few minutes to show up: YAF only exports a flow once it has ended or timed out, and rwflowpack writes records to the hourly files under /data on a timer. The query selects today's records of every type from the localhost sensor and prints the last few:

[joe@build tmp]$ /usr/local/bin/rwfilter --sensor=localhost --proto=0-255 --pass=stdout --type=all | rwcut | tail

You now have a standalone flow collection and analysis machine. Please look at some of the Tooltips under Analysis for help with the tools.
