Quick NSM-lab setup (amme)
//My personal lab notes//
SGUIL NSM Sensor
FreeBSD 6.1
Dell GX150, 933 MHz, 512 MB RAM, 20 GB HDD, 2 NICs
Install (CD1)
Partitions
/
/boot
swap
/usr
/var
/nsm
Selections
Minimal +
man
catman
NICs
ifconfig=
xl0
xl1
xl1 = dhcp
xl0 = -arp promisc up
Users
analyst (+sudo)
sguil
Software
http://taosecurity.blogspot.com/2006/09/latest-sguil-scripts.html
OpenBSD Bridge, with SPAN (crossover to sensor)
OpenBSD 4.0
Compaq DPENS, 800 MHz, 384 MB RAM, 80 GB HDD, 4 NICs
ifconfig =
xl0
xl1
fxp0
dc0
# Set up a transparent bridge with pf enabled but an allow-all ruleset
/etc/sysctl.conf
net.inet.ip.forwarding=1
/etc/rc.conf
pf=YES
/etc/hostname.xl0
up
/etc/hostname.xl1
up
/etc/bridgename.bridge0
add xl0
add xl1
addspan dc0
up
(Add/remove a SPAN port: # brconfig bridge0 addspan/delspan dc0)
(Test blocknonip: # brconfig bridge0 blocknonip xl1)
/etc/pf.conf
int_nic="xl0"
ext_nic="xl1"
pass in on $int_nic all
pass out on $int_nic all
pass in on $ext_nic all
pass out on $ext_nic all
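A consistency check for the bridge host's files, added here as an example and not part of the original notes: it assumes the /etc layout used above (bridgename.bridge0, hostname.<if>, rc.conf) and writes constructed sample files to a temp directory so it runs offline; point check_bridge_config at /etc on the real bridge.

```shell
#!/bin/sh
# Added example, not from the original notes: sanity-check an OpenBSD bridge
# configuration laid out like /etc (bridgename.bridge0, hostname.<if>, rc.conf).
# Constructed sample files are written to a temp dir so this runs offline;
# point check_bridge_config at /etc on a real bridge host.

check_bridge_config() {
    dir="$1"; brfile="$dir/bridgename.bridge0"; rc=0
    [ -f "$brfile" ] || { echo "missing $brfile"; return 1; }
    members=$(awk '$1=="add"{print $2}' "$brfile")
    # every "add <if>" member needs a hostname.<if> that brings the link up
    for ifn in $members; do
        grep -qx 'up' "$dir/hostname.$ifn" 2>/dev/null ||
            { echo "member $ifn: hostname.$ifn missing or lacks 'up'"; rc=1; }
    done
    # the SPAN port feeding the sensor should be a dedicated NIC, not a member
    for spn in $(awk '$1=="addspan"{print $2}' "$brfile"); do
        echo "$members" | grep -qx "$spn" &&
            { echo "span port $spn is also a bridge member"; rc=1; }
    done
    # the bridge must be brought up, and pf must be enabled at boot
    grep -qx 'up' "$brfile" || { echo "bridge0 lacks 'up'"; rc=1; }
    grep -qx 'pf=YES' "$dir/rc.conf" 2>/dev/null || { echo "pf not enabled"; rc=1; }
    return $rc
}

# build a constructed /etc-style directory matching the notes above
make_sample_conf() {
    d=$(mktemp -d)
    printf 'up\n' > "$d/hostname.xl0"
    printf 'up\n' > "$d/hostname.xl1"
    printf 'add xl0\nadd xl1\naddspan dc0\nup\n' > "$d/bridgename.bridge0"
    printf 'pf=YES\n' > "$d/rc.conf"
    echo "$d"
}

demo=$(make_sample_conf) && check_bridge_config "$demo" && echo "bridge config OK"
```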
Software
Trafshow
http://soft.risp.ru/trafshow/index_en.shtml
Argus
http://www.qosient.com/argus/
tethereal
http://www.ethereal.com/docs/man-pages/tethereal.1.html
2 Comments:
Niklas,
Check out the latest scripts here:
http://taosecurity.cvs.sourceforge.net/taosecurity/taosecurity_sguil_scripts/.
Thanks, "cvs checkout" is on the way.. :)