Monday, March 18, 2013

Installing CIF on a Ubuntu 12.04 VM on top of Security Onion (Part 3)

Configuring the VM Network and ufw to allow connections to the new CIF VM


Since the VM is running in NAT mode, the Security Onion host cannot reach the VM, and you cannot connect to the VM except through the VirtualBox console GUI. While perfectly acceptable, I find it slow.

So let's make some changes to the network settings of the VM and then allow the connection through the ufw firewall on Security Onion.

First, start with SSH.
Forward connections to port 2222 on your Security Onion box to port 22 on the CIF VM. The IP address will have to be changed to match the one you wrote down in Part 2. Didn't write it down? Fire up the VirtualBox GUI console, log back into your CIF VM and get the IP; write it down this time.
sudo VBoxManage modifyvm "CIF" --natpf1 "guestssh,tcp,,2222,10.0.2.15,22"
sudo ufw allow 2222/tcp
Anxious to test whether it worked? Is your CIF VM running?
sudo vboxmanage list runningvms
Is the "guestssh" rule installed in the VM?
sudo vboxmanage showvminfo CIF | grep guestssh
NIC 1 Rule(0): name = guestssh, protocol = tcp, host ip = , host port = 2222, guest ip = 10.0.2.15, guest port = 22
Is port 2222 allowed on your Security Onion server?
sudo ufw status | grep 2222
2222/tcp                   ALLOW       Anywhere
2222/tcp                   ALLOW       Anywhere (v6) 
Good news: fire up PuTTY or your favorite SSH client and connect to the IP of your Security Onion server on port 2222. You should see the login prompt for your CIF VM! If not, reread this section and make sure there are no typos.

Once you have a successful login, it is time to install CIF. I followed these instructions:

https://code.google.com/p/collective-intelligence-framework/wiki/ServerInstall_Ubuntu12_v1
then back to the section labeled BIND here:
https://code.google.com/p/collective-intelligence-framework/wiki/ServerInstall_v1


CIF installed? Great. API keys generated? Great. One last step: we need to expose port 443 to Security Onion using the same method as for the SSH port.



I used 4443 on the Security Onion box; choose what you like.
sudo ufw allow 4443/tcp
sudo VBoxManage modifyvm "CIF" --natpf1 "guestssl,tcp,,4443,10.0.2.15,443"
You should now be able to make queries to the CIF web interface with your API key.
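Here is the expose-and-verify sequence above as one script (an added example, not from the original post). It builds the natpf rule string, uses controlvm instead of modifyvm when the VM is already running (modifyvm only works on a powered-off VM), and checks the result the same way the post does with showvminfo and ufw status. It assumes you run it as root on the Security Onion host with VBoxManage and ufw on the PATH; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original post): expose one guest TCP port on the
# Security Onion host via a VirtualBox NAT port-forward plus a ufw rule, then
# verify both, as the post does by hand for 2222->22 and 4443->443.
# Assumptions: run as root; VBoxManage and ufw are on the PATH.

# Build the natpf rule spec: name,proto,hostip,hostport,guestip,guestport.
# Host IP is left empty so VirtualBox binds on all host interfaces.
natpf_rule() {  # name host_port guest_ip guest_port
    printf '%s,tcp,,%s,%s,%s' "$1" "$2" "$3" "$4"
}

# Find the "NIC 1 Rule(n): ..." line for the named rule in showvminfo output
# and print "hostport guestport"; exit non-zero (print nothing) if absent.
forward_from_showvminfo() {  # rule_name showvminfo_text
    printf '%s\n' "$2" |
      sed -n "s/.*name = $1, .*host port = \([0-9]*\), .*guest port = \([0-9]*\).*/\1 \2/p" |
      grep .
}

expose_guest_port() {  # vm_name rule_name host_port guest_ip guest_port
    vm=$1
    rule=$(natpf_rule "$2" "$3" "$4" "$5")
    # modifyvm refuses a running VM; controlvm adds the forward live.
    if VBoxManage list runningvms | grep -q "\"$vm\""; then
        VBoxManage controlvm "$vm" natpf1 "$rule"
    else
        VBoxManage modifyvm "$vm" --natpf1 "$rule"
    fi
    ufw allow "$3"/tcp
    # Verify: the forward must be present and ufw must list the host port.
    forward_from_showvminfo "$2" "$(VBoxManage showvminfo "$vm")" >/dev/null || return 1
    ufw status | grep -q "^$3/tcp" || return 1
}

# Usage matching the post:
#   expose_guest_port CIF guestssh 2222 10.0.2.15 22
#   expose_guest_port CIF guestssl 4443 10.0.2.15 443
```

If only your admin network should reach the forwarded port, replace "ufw allow 2222/tcp" with "ufw allow from <admin network> to any port 2222 proto tcp" so the rule is not open to Anywhere.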

Next, check out installing the CIF client on your Security Onion server:
https://code.google.com/p/collective-intelligence-framework/wiki/ClientInstall_v1

Stay tuned for more integration.


Friday, March 15, 2013

Installing CIF on a Ubuntu 12.04 VM on top of Security Onion (Part 2)

Let's review; so far we have:

  • Lived with Security Onion for a while and couldn't fall asleep at night because you were thinking of ways to tweak Snort (or is that just me?)
  • Installed VirtualBox
  • Downloaded Ubuntu ISO
  • Created a VM from the command line

Now comes the sticky wicket: how do we view the console of the new CIF VM so we can install Ubuntu?
(I tried running "sudo vboxheadless -s CIF" and playing with ufw rules, but couldn't get it to work; running in bridged mode might work, but I didn't want to mess with my Security Onion interfaces file.)

  • If you are on the console of your Security Onion server (lucky you)
    • launch the VirtualBox GUI, start the VM and install Ubuntu
  • If you are using ssh to get to the Security Onion server, you have a few things to configure
    • Install Xming (http://sourceforge.net/projects/xming/)
    • Change your PuTTY config to enable X11 forwarding; don't forget to save the session
    • ssh back to your Security Onion server with your saved session
    • export DISPLAY=localhost:10.0 (this might be different for you)
    • test with "xterm &"; if that works:
    • sudo VBoxManage startvm "CIF"
Run through the install. I assume you have installed Ubuntu before, since we are running on a Security Onion host...

If the "Loading Additional Components" step fails, there is something wrong with the network setup:
  • Shut down the VM, be rude, just kill it
  • load the VirtualBox Configuration GUI and check your settings, NAT should work
  • restart the install
Hint: in the Ubuntu install, at the "Software Selection" screen, only choose OpenSSH Server.

Ubuntu should finish its install and reboot. Log in, find out what your IP is and write it down:
sudo ifconfig eth0 | grep inet
Shut down the VM and, while you are at it, remove the DVD from the drive:
sudo VBoxManage storageattach "CIF" --storagectl "IDE Controller" --port 0 --device 0 --type dvddrive --medium none
Next: Configuring the VM network and ufw to allow connections to the new CIF VM (Part 3)




Thursday, March 14, 2013

Installing CIF on a Ubuntu 12.04 VM on top of Security Onion (Part 1)


Security Onion and CIF

CIF (the Collective Intelligence Framework) provides a framework for gathering open-source intelligence feeds and then lets you compare this intelligence with the data you have already been collecting with Security Onion tools.

Install the Security Onion distro
Join the Security Onion Google Group
    • Ask some newbie questions
    • Be amazed how fast Doug, Brad, Martin and others respond to your cries for help
    • Additional geek points can be gathered by joining the CIF-Framework and ELSA groups
Sit back, suck packets off the wire, drown in way too many Snort alerts, and finally, when you dream about Snort and Sguil at night, you can take the next step.

Install VirtualBox on your Security Onion server
wget -q http://download.virtualbox.org/virtualbox/debian/oracle_vbox.asc -O- | sudo apt-key add -
sudo sh -c 'echo "deb http://download.virtualbox.org/virtualbox/debian precise contrib" >> /etc/apt/sources.list'
sudo apt-get update && sudo apt-get install virtualbox-4.2
(4.2 is the latest as of this post.)

VirtualBox is now installed! Take a deep breath. We are now going to create a VM from the command line.

Download Ubuntu 12.04 (start the download in a separate window and continue on, young Jedi)
sudo mkdir -p /nsm/VM/ISO
sudo wget -O /nsm/VM/ISO/ubuntu-12.04.2-server-amd64.iso http://releases.ubuntu.com/precise/ubuntu-12.04.2-server-amd64.iso
sudo mkdir /nsm/VM/CIF/
sudo chmod 775 /nsm/VM/CIF
(A directory needs the execute bit to be traversable, hence 775 rather than 664.)
(Slow down... time to read and make some decisions! Don't just cut and paste the following commands. You need to change the number of CPUs, memory, disk space and location of your VM's HD to match your system.)
Create the VM
sudo VBoxManage createvm --name "CIF" --register
sudo VBoxManage modifyvm "CIF" --ostype Ubuntu_64 --cpus 3 --memory 8192 --usb off
sudo VBoxManage modifyvm "CIF" --ioapic on
(The settings below assume you want the HD of the VM in the /nsm/VM dir. This is where I have the most space, so choose wisely!)

sudo VBoxManage storagectl "CIF" --name "SATA Controller" --add sata --controller IntelAHCI
sudo VBoxManage createhd --filename /nsm/VM/CIF/CIF.vdi --size 204800
sudo chown root /nsm/VM/CIF/CIF.vdi
sudo chgrp root /nsm/VM/CIF/CIF.vdi
sudo VBoxManage storageattach "CIF" --storagectl "SATA Controller" --port 0 --device 0 --type hdd --medium /nsm/VM/CIF/CIF.vdi
sudo VBoxManage storagectl "CIF" --name "IDE Controller" --add ide
sudo VBoxManage storageattach "CIF" --storagectl "IDE Controller" --port 0 --device 0 --type dvddrive --medium /nsm/VM/ISO/ubuntu-12.04.2-server-amd64.iso
sudo VBoxManage modifyvm "CIF" --boot1 dvd
sudo VBoxManage modifyvm "CIF" --nic1 nat

The CIF VM is now created and ready to boot your Ubuntu ISO. You can check your settings with:
sudo vboxmanage showvminfo CIF
Next: starting up the VM and installing Ubuntu... (Part 2)
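The "choose wisely" advice above, turned into a guard (an added example, not from the original post): the script refuses to create the VM unless the requested CPUs and memory leave the Security Onion host at least half of each for its own sensors, then runs the same VBoxManage sequence as above with the values as parameters. It assumes it runs as root with VBoxManage on the PATH, that VM files live under /nsm/VM as in the post, and the "half the host" threshold and function names are mine.

```shell
#!/bin/sh
# Added example (not from the original post): size the CIF VM against what the
# Security Onion host really has, then create it with the post's VBoxManage steps.
# Assumptions: run as root; VBoxManage on the PATH; the "half the host" rule
# is a chosen threshold, not something the post prescribes.

# Return 0 if the request leaves the host at least half its CPUs and half its RAM.
sizing_ok() {  # vm_cpus vm_mem_mb host_cpus host_mem_mb
    [ "$1" -le $(( $3 / 2 )) ] && [ "$2" -le $(( $4 / 2 )) ]
}

# Host figures read from the kernel (MemTotal in /proc/meminfo is in kB).
host_cpus() { nproc; }
host_mem_mb() { awk '/^MemTotal:/ { printf "%d", $2 / 1024 }' /proc/meminfo; }

create_cif_vm() {  # name cpus mem_mb disk_mb vmdir iso
    name=$1
    vmdir=$5
    sizing_ok "$2" "$3" "$(host_cpus)" "$(host_mem_mb)" || {
        echo "refusing: $2 CPUs / $3 MB would starve the Security Onion host" >&2
        return 1
    }
    mkdir -p "$vmdir/$name"
    VBoxManage createvm --name "$name" --register
    VBoxManage modifyvm "$name" --ostype Ubuntu_64 --cpus "$2" --memory "$3" \
        --usb off --ioapic on --nic1 nat --boot1 dvd
    VBoxManage storagectl "$name" --name "SATA Controller" --add sata --controller IntelAHCI
    VBoxManage createhd --filename "$vmdir/$name/$name.vdi" --size "$4"
    VBoxManage storageattach "$name" --storagectl "SATA Controller" --port 0 --device 0 \
        --type hdd --medium "$vmdir/$name/$name.vdi"
    VBoxManage storagectl "$name" --name "IDE Controller" --add ide
    VBoxManage storageattach "$name" --storagectl "IDE Controller" --port 0 --device 0 \
        --type dvddrive --medium "$6"
}

# Usage with the post's values (3 CPUs, 8192 MB, 200 GB disk):
#   create_cif_vm CIF 3 8192 204800 /nsm/VM /nsm/VM/ISO/ubuntu-12.04.2-server-amd64.iso
```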