openfpc_debian_squeeze_pt_br [2017/09/05 12:18] (current)
====== OpenFPC + Debian Squeeze ======


<nowiki>OpenFPC</nowiki> is designed to let a network traffic capture tool scale both horizontally and vertically. It is a distributed system tied together by communication paths and proxies so that it can be integrated into a SOC (Security Operations Center). To help explain the deployment method and architecture, let's cover a few common tasks and see how they are carried out while looking at a simple diagram.

** Terminology **

** Client device **

A computer used by the analyst. A Perl environment is required; the tested OSes are Linux and OS X. This client device runs the ofpc-client.pl program.

** OFPC - Slave **

This is a system that captures network traffic (through daemonlogger). In some environments only one Slave is used, but depending on the infrastructure we can have several Slaves tied together by a Master.

** OFPC - Master **

A "proxy" system that forwards a traffic request to any Slave device, or to another intermediate ofpc Master device. It does not capture traffic; it only forwards PCAP requests and returns the results to the client.

Let's move on to the <nowiki>OpenFPC</nowiki> installation.

Prepare your system with the following script http://wiki.douglasqsantos.com.br/doku.php/confinicialsqueeze_en so that no package or configuration is missing.


Let's update the repositories and upgrade the system
 +
<sxh bash>

aptitude update && aptitude dist-upgrade -y
</sxh>
 +
Now let's install the dependencies

<sxh bash>

apt-get install apache2 tcpdump tshark libarchive-zip-perl \
  libfilesys-df-perl libapache2-mod-php5 mysql-server php5-mysql \
  libdatetime-perl libdbi-perl libdate-simple-perl \
  libterm-readkey-perl libtimedate-perl \
  build-essential libpcap-dev libcap-dev daemonlogger -y
</sxh>
 +
During the <nowiki>MySQL</nowiki> installation you will be asked for a password; this is the password of the MySQL root user.

Now let's fetch the source packages that openfpc needs

All the source code will be placed in the /usr/local/src directory

Let's change into this directory before continuing
 +
<sxh bash>

cd /usr/local/src
</sxh>
 +
Now let's fetch and install libdnet

<sxh bash>

cd /usr/local/src
wget -c http://wiki.douglasqsantos.com.br/Downloads/ips/libdnet-1.12.tgz
tar -zxf libdnet-1.12.tgz && cd libdnet-1.12
./configure --prefix=/usr --enable-shared
make && make install
</sxh>
 +
Now let's fetch and install cxtracker

<sxh bash>

cd /usr/local/src/
wget -c http://wiki.douglasqsantos.com.br/Downloads/ips/cxtracker_0.9.5-1_amd64.deb
dpkg -i cxtracker_0.9.5-1_amd64.deb
</sxh>
 +
Now let's fetch and unpack openfpc

<sxh bash>

cd /usr/local/src/
wget -c http://wiki.douglasqsantos.com.br/Downloads/ips/openfpc-0.6-314.tgz
tar xzvf openfpc-0.6-314.tgz
cd openfpc-0.6-314/
</sxh>
 +
Let's install it

<sxh bash>

./openfpc-install.sh install

**************************************************************************
 *  OpenFPC installer - Leon Ward (leon@openfpc.org) v0.6
    A set if scripts to help manage and find data in a large network traffic
    archive.

    - http://www.openfpc.org

[*] Detected distribution as DEBIAN

[-] Checking for apache2 ...
    apache2 Okay
[-] Checking for daemonlogger ...
    daemonlogger Okay
[-] Checking for tcpdump ...
    tcpdump Okay
[-] Checking for tshark ...
    tshark Okay
[-] Checking for libarchive-zip-perl ...
    libarchive-zip-perl Okay
[-] Checking for libfilesys-df-perl ...
    libfilesys-df-perl Okay
[-] Checking for libapache2-mod-php5 ...
    libapache2-mod-php5 Okay
[-] Checking for mysql-server ...
    mysql-server Okay
[-] Checking for php5-mysql ...
    php5-mysql Okay
[-] Checking for libdatetime-perl ...
    libdatetime-perl Okay
[-] Checking for libdbi-perl ...
    libdbi-perl Okay
[-] Checking for libdate-simple-perl ...
    libdate-simple-perl Okay
[-] Checking for php5-mysql ...
    php5-mysql Okay
[-] Checking for libterm-readkey-perl ...
    libterm-readkey-perl Okay
[-] Checking for libdate-simple-perl ...
    libdate-simple-perl Okay
/usr/bin/cxtracker
* Found cxtracker in your $PATH (good)
 -  Installing modules to /usr/local/lib/site_perl
 -  Installing PERL module Parse.pm
 -  Installing PERL module Request.pm
 -  Installing PERL module CXDB.pm
 -  Installing PERL module Common.pm
 -  Installing PERL module Config.pm
 -  Installing OpenFPC prog: openfpc-client
 -  Installing OpenFPC prog: openfpc-queued
 -  Installing OpenFPC prog: openfpc-cx2db
 -  Installing OpenFPC prog: openfpc
 -  Installing OpenFPC prog: openfpc-dbmaint
 -  Installing OpenFPC conf: etc/openfpc-default.conf
 -  Installing OpenFPC conf: etc/openfpc-example-proxy.conf
 -  Installing OpenFPC conf: etc/routes.ofpc
 -  Installing css
 -  Installing images
 -  Installing includes
 -  Installing index.php
 -  Installing javascript
 -  Installing login.php
 -  Installing useradd.php
 -  Installing extract.cgi
 -  Installing /etc/init.d//openfpc-daemonlogger
 -  Installing /etc/init.d//openfpc-cx2db
 -  Installing /etc/init.d//openfpc-cxtracker
 -  Installing /etc/init.d//openfpc-queued
[*] Enabling and restarting Apache2
Enabling site openfpc.apache2.site.
Run '/etc/init.d/apache2 reload' to activate new configuration!
Reloading web server config: apache2.
[*] Updating init config with update-rc.d
update-rc.d: using dependency based boot sequencing
[*] Adding user openfpc
update-rc.d: using dependency based boot sequencing
update-rc.d: using dependency based boot sequencing
update-rc.d: using dependency based boot sequencing

**************************************************************************
[*] Installation Complete

    OpenFPC should now be installed and ready for *configuration*.

    1) Go configure /etc/openfpc/openfpc-default.conf
       (Make sure you change the usernames and passwords!)
    2) Start OpenFPC
       $ sudo openfpc --action start
    3) If you want to use the OpenFPC GUI, you MUST create the GUI database
       - Install Mysql
       - Create the DB with the command...
         sudo ./openfpc-dbmaint create gui /etc/openfpc/openfpc-default.conf
    4) Decide if you want to enable session searching
       See -> http://www.openfpc.org/documentation/enabling-session-capture
</sxh>
 +
Now let's open openfpc-default.conf and replace a few values (the "senha" values below are placeholders; use real passwords)

<sxh bash>

vim /etc/openfpc/openfpc-default.conf
# Node name
NODENAME=IDS
[...]
# Node description
DESCRIPTION="IDS OpenFPC node"
[...]
# Choose the capture interface
INTERFACE=eth0
[...]
# Enable session capture
ENABLE_SESSION=1
[...]
# Session database settings
SESSION_DB_NAME=openfpc
SESSION_DB_USER=openfpc
SESSION_DB_PASS=senha
SESSION_DB_HOST=127.0.0.1
[...]
# GUI database settings
GUI_DB_NAME=openfpcgui
GUI_DB_PASS=senha
GUI_DB_USER=openfpcgui
[...]
# User for web access (format USER=username=password)
USER=admin=senha
</sxh>
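The installer warns you to change the usernames and passwords before starting the node, and a config left with placeholder values is the most common mistake at this step. The checker below is an added example, not part of OpenFPC; it assumes only the KEY=VALUE and USER=name=password line formats shown above, and the sample config text it parses is constructed here.

```python
# Constructed sample (not from the project) mirroring the edits made above;
# "senha" is the page's placeholder password and must not ship unchanged.
SAMPLE_CONF = """\
NODENAME=IDS
ENABLE_SESSION=1
SESSION_DB_NAME=openfpc
SESSION_DB_USER=openfpc
SESSION_DB_PASS=senha
SESSION_DB_HOST=127.0.0.1
GUI_DB_NAME=openfpcgui
GUI_DB_PASS=senha
GUI_DB_USER=openfpcgui
USER=admin=senha
"""

PLACEHOLDERS = {"senha", "password", "changeme", ""}


def parse_conf(text):
    """Parse KEY=VALUE lines into (settings, users); USER=name=pass lines,
    OpenFPC's GUI/API user format, may repeat and go into their own dict."""
    settings, users = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue  # skip comments and blank lines
        key, _, value = line.partition("=")
        value = value.strip().strip('"')
        if key.strip() == "USER":
            name, _, pw = value.partition("=")
            users[name] = pw
        else:
            settings[key.strip()] = value
    return settings, users


def lint_conf(text):
    """Return findings to fix before 'openfpc --action start' (empty = OK)."""
    settings, users = parse_conf(text)
    findings = []
    for key in ("SESSION_DB_PASS", "GUI_DB_PASS"):
        if settings.get(key, "").lower() in PLACEHOLDERS:
            findings.append(f"{key} is a placeholder password")
    for name, pw in users.items():
        if pw.lower() in PLACEHOLDERS:
            findings.append(f"GUI user {name} has a placeholder password")
    if settings.get("ENABLE_SESSION") == "1":
        for key in ("SESSION_DB_NAME", "SESSION_DB_USER", "SESSION_DB_HOST"):
            if not settings.get(key):
                findings.append(f"ENABLE_SESSION=1 but {key} is unset")
    return findings
```

Run `lint_conf(open("/etc/openfpc/openfpc-default.conf").read())` on the real file; an empty list means every password was changed and the session database settings are complete.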
 +
Now let's create the session database

<sxh bash>

openfpc-dbmaint create session /etc/openfpc/openfpc-default.conf
[*] Enter mysql "root" credentials to connect to your local mysql server in order to create the databases
    DB root Username: root
    DB root Password: #senha
[*] Working on Instance /etc/openfpc/openfpc-default.conf .
    Would you like session capture ENABLED on IDS? (y/n)y
[-] Enabling session capture in IDS config
    Done.
[-] Found cxtracker.
CREATING DATABASE
---------------------------
Session DB Created.
Adding function INET_ATON6... to DB openfpc
[*] Restarting OpenFPC

###############################################################################
[*] OpenFPC instance openfpc-default.conf
 -  NODENAME:              IDS
 -  DESCRIPTION:           "IDS OpenFPC node."
 -  STATUS :               ENABLED
 -  PORT:                  4242
 -  INTERFACE:             eth0
 -  FULL PACKET CAPTURE:   ENABLED
 -  PACKET STORE:          /var/tmp/openfpc/pcap
 -  SESSION DATA SEARCH:   ENABLED
 -  SESSION DATABASE NAME: openfpc
Stopping Daemonlogger...                                              Not running
Stopping OpenFPC Queue Daemon (IDS)...                                Not running
Stopping OpenFPC cxtracker (IDS)...                                   Not running
Stopping OpenFPC Connection Uploader (IDS)...                         Not running
###############################################################################
[*] OpenFPC instance openfpc-example-proxy.conf
 -  NODENAME:              Example_Proxy
 -  DESCRIPTION:           "An example OpenFPC Proxy config. www.openfpc.org"
 -  STATUS :               DISABLED
 -  PORT:                  4243
###############################################################################
[*] OpenFPC instance openfpc-default.conf
 -  NODENAME:              IDS
 -  DESCRIPTION:           "IDS OpenFPC node."
 -  STATUS :               ENABLED
 -  PORT:                  4242
 -  INTERFACE:             eth0
 -  FULL PACKET CAPTURE:   ENABLED
 -  PACKET STORE:          /var/tmp/openfpc/pcap
 -  SESSION DATA SEARCH:   ENABLED
 -  SESSION DATABASE NAME: openfpc
Starting Daemonlogger (IDS)...                                             Done
Starting OpenFPC Queue Daemon (IDS)...                                     Done
Starting OpenFPC cxtracker (IDS)...                                        Done
Starting OpenFPC Connection Uploader (IDS) ...                             Done
###############################################################################
[*] OpenFPC instance openfpc-example-proxy.conf
 -  NODENAME:              Example_Proxy
 -  DESCRIPTION:           "An example OpenFPC Proxy config. www.openfpc.org"
 -  STATUS :               DISABLED
 -  PORT:                  4243
</sxh>
 +
Now let's create the GUI database and the user for web access

<sxh bash>

openfpc-dbmaint create gui /etc/openfpc/openfpc-default.conf
[*] Enter mysql "root" credentials to connect to your local mysql server in order to create the databases
    DB root Username: root
    DB root Password: #senha
[*] Enter an initial username for the first OpenFPC GUI user
    GUI Username: admin
    GUI Password: #senha
    Email address: douglas@douglas.wiki.br
    Real Name: Douglas
USER=admin=senha
FOUND USER admin IN /etc/openfpc/openfpc-default.conf
CREATING GUI DATABASE
---------------------------
GUI DB Created.
New user admin added.
[*] Restarting OpenFPC

###############################################################################
[*] OpenFPC instance openfpc-default.conf
 -  NODENAME:              IDS
 -  DESCRIPTION:           "IDS OpenFPC node."
 -  STATUS :               ENABLED
 -  PORT:                  4242
 -  INTERFACE:             eth0
 -  FULL PACKET CAPTURE:   ENABLED
 -  PACKET STORE:          /var/tmp/openfpc/pcap
 -  SESSION DATA SEARCH:   ENABLED
 -  SESSION DATABASE NAME: openfpc
 -  SESSION LAG:           0
Stopping Daemonlogger...                                              Not running
Stopping OpenFPC Queue Daemon (IDS)...                                     Done
Stopping OpenFPC cxtracker (IDS)...                                        Done
Stopping OpenFPC Connection Uploader (IDS)...                              Done
###############################################################################
[*] OpenFPC instance openfpc-example-proxy.conf
 -  NODENAME:              Example_Proxy
 -  DESCRIPTION:           "An example OpenFPC Proxy config. www.openfpc.org"
 -  STATUS :               DISABLED
 -  PORT:                  4243
###############################################################################
[*] OpenFPC instance openfpc-default.conf
 -  NODENAME:              IDS
 -  DESCRIPTION:           "IDS OpenFPC node."
 -  STATUS :               ENABLED
 -  PORT:                  4242
 -  INTERFACE:             eth0
 -  FULL PACKET CAPTURE:   ENABLED
 -  PACKET STORE:          /var/tmp/openfpc/pcap
 -  SESSION DATA SEARCH:   ENABLED
 -  SESSION DATABASE NAME: openfpc
 -  SESSION LAG:           1
Starting Daemonlogger (IDS)...                                             Done
Starting OpenFPC Queue Daemon (IDS)...                                     Done
Starting OpenFPC cxtracker (IDS)...                                        Done
Starting OpenFPC Connection Uploader (IDS) ...                             Done
###############################################################################
[*] OpenFPC instance openfpc-example-proxy.conf
 -  NODENAME:              Example_Proxy
 -  DESCRIPTION:           "An example OpenFPC Proxy config. www.openfpc.org"
 -  STATUS :               DISABLED
 -  PORT:                  4243
[*] DB Configured and admin user added. Now navigate to http://<ip.add.re.ss>/openfpc/
</sxh>
 +
Now just browse to http://ip_servidor/openfpc with user: admin, password: senha

Now let's check the sessions captured so far

<sxh bash>
mysql -u root -p -D openfpc -e 'select count(*) from session'
Enter password:
+----------+
| count(*) |
+----------+
|      830 |
+----------+
</sxh>
 +