Wednesday, December 27, 2006

Quick NSM-lab setup (amme)

//My personal lab notes//


SGUIL NSM Sensor

FreeBSD 6.1

Dell GX150, 933 MHz, 512 MB RAM, 20 GB HDD, 2 NICs

Install (CD1)

Partitions
/
/boot
swap
/usr
/var
/nsm

Selections
Minimal +
man
catman

NICs (ifconfig shows)
xl0
xl1

xl1 = DHCP (management interface, talks to the Sguil server)
xl0 = -arp promisc up (sniffing interface: no IP address, no ARP, promiscuous; cabled to the bridge's SPAN port)

Users
analyst (+sudo)
sguil

Software
http://taosecurity.blogspot.com/2006/09/latest-sguil-scripts.html


OpenBSD Bridge, with SPAN (crossover to sensor)

OpenBSD 4.0


Compaq DPENS 800 MHz, 384 MB RAM, 80 GB HDD, 4 NICs

NICs (ifconfig shows)
xl0
xl1
fxp0
dc0

# Setup transparent bridge, with pf enabled but allow all rule

/etc/sysctl.conf
net.inet.ip.forwarding=1
(Not needed for a pure layer-2 bridge: bridge(4) forwards frames and pf filters on the member interfaces without it. Only set it if the box should also route.)

/etc/rc.conf
pf=YES
(Put the override in /etc/rc.conf.local rather than editing /etc/rc.conf, which is replaced on upgrade.)

/etc/hostname.xl0
up

/etc/hostname.xl1
up

/etc/bridgename.bridge0
add xl0
add xl1
addspan dc0
up

(Add/remove a SPAN port at runtime: # brconfig bridge0 addspan dc0 / # brconfig bridge0 delspan dc0)
(Test blocknonip: # brconfig bridge0 blocknonip xl1 ; only IPv4/IPv6, ARP and RARP frames are then forwarded on that member)

/etc/pf.conf
int_nic="xl0"
ext_nic="xl1"

pass in on $int_nic all
pass out on $int_nic all
pass in on $ext_nic all
pass out on $ext_nic all
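The whole bridge procedure above as one parameterized POSIX shell script, added here as an example (it is not part of the original notes and not OpenBSD tooling). It renders the boot-time files into a staging directory so they can be reviewed and diffed before being copied into /etc, checks that the SPAN port is in the bridge definition and that every pf rule uses a defined macro, and prints the brconfig/ifconfig/pfctl commands that would apply the same setup without a reboot. Interface roles (xl0 inside, xl1 outside, dc0 SPAN) follow the notes; the staging directory name and the extra hostname.dc0 file (so the SPAN port comes up at boot) are assumptions.

```shell
#!/bin/sh
# Added example, not from the original notes or from OpenBSD: render the
# bridge + SPAN configuration into a staging directory, sanity-check it, and
# print the runtime commands. Nothing here touches /etc or a live interface.
# Assumptions: interface roles follow the notes; the staging directory and
# the hostname.dc0 file for the SPAN port are this example's choices.

INT_NIC=${INT_NIC:-xl0}            # inside member of the bridge
EXT_NIC=${EXT_NIC:-xl1}            # outside member of the bridge
SPAN_NIC=${SPAN_NIC:-dc0}          # SPAN port, crossover cable to the sensor
STAGE=${STAGE:-./nsm-bridge-etc}   # stands in for /etc

# Write the boot-time files: hostname.<if> per member, bridgename.bridge0
# for the bridge, and an allow-all pf.conf that uses its own macros.
render_bridge_config() {
    dir=$1
    mkdir -p "$dir" || return 1

    # bridge members and the SPAN port carry no IP address; "up" is enough
    for nic in "$INT_NIC" "$EXT_NIC" "$SPAN_NIC"; do
        printf 'up\n' > "$dir/hostname.$nic"
    done

    {
        printf 'add %s\n' "$INT_NIC"
        printf 'add %s\n' "$EXT_NIC"
        printf 'addspan %s\n' "$SPAN_NIC"
        printf 'up\n'
    } > "$dir/bridgename.bridge0"

    {
        printf 'int_nic="%s"\n' "$INT_NIC"
        printf 'ext_nic="%s"\n\n' "$EXT_NIC"
        for macro in '$int_nic' '$ext_nic'; do
            printf 'pass in on %s all\n' "$macro"
            printf 'pass out on %s all\n' "$macro"
        done
    } > "$dir/pf.conf"
}

# Returns 0 only if the SPAN port is in the bridge definition, both macros
# are defined, and every pass rule refers to one of them (a rule naming a
# raw interface is the classic typo that silently filters the wrong side).
check_bridge_config() {
    dir=$1
    grep -q "^addspan $SPAN_NIC\$" "$dir/bridgename.bridge0" || return 1
    grep -q '^int_nic=' "$dir/pf.conf" || return 1
    grep -q '^ext_nic=' "$dir/pf.conf" || return 1
    if grep '^pass' "$dir/pf.conf" \
        | grep -v -e 'on \$int_nic ' -e 'on \$ext_nic ' \
        | grep -q .; then
        return 1
    fi
    return 0
}

# The same configuration as one-off runtime commands (printed, not run).
runtime_commands() {
    cat <<EOF
ifconfig $INT_NIC up
ifconfig $EXT_NIC up
ifconfig $SPAN_NIC up
brconfig bridge0 add $INT_NIC add $EXT_NIC addspan $SPAN_NIC up
pfctl -nf $STAGE/pf.conf
pfctl -ef $STAGE/pf.conf
EOF
}

render_bridge_config "$STAGE" && check_bridge_config "$STAGE" && runtime_commands
```

Run it once with the defaults, read the files under the staging directory, then copy them into /etc on the bridge (or paste the printed commands for an immediate change). The `pfctl -nf` line parses the ruleset without loading it, which is the check worth doing before `pfctl -ef` on a box you only reach over the network.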

Software
Trafshow
http://soft.risp.ru/trafshow/index_en.shtml
Argus
http://www.qosient.com/argus/
tethereal
http://www.ethereal.com/docs/man-pages/tethereal.1.html