openfpc_debian_squeeze_pt_br [2019/08/08 15:24] (current)
====== OpenFPC + Debian Squeeze ======


<nowiki>OpenFPC</nowiki> is designed to let a network traffic capture tool scale both horizontally and vertically. It is a distributed system tied together through communication paths and proxies so that it can be integrated into a SOC (Security Operations Center). To help explain the deployment method and architecture further, we cover a few common tasks and see how they are carried out while looking at a simple diagram.

** Terminology **

** Client Device **

A computer used by the analyst. A Perl environment is required; the tested operating systems are Linux and OSX. This client device runs the ofpc-client.pl program.

** OFPC - Slave **

This is a system that captures network traffic (via daemonlogger). In some environments only one Slave is used, but depending on the structure we can have several Slaves linked together with a Master.

** OFPC - Master **

A "proxy" system that forwards a traffic request to any Slave device, or to another intermediate OFPC Master device. It does not capture traffic; it only forwards PCAP requests and returns the results to the client.

On to the <nowiki>OpenFPC</nowiki> installation.

Prepare your system with the following script http://wiki.douglasqsantos.com.br/doku.php/confinicialsqueeze_en so that no package or configuration is missing.


Let's update the repositories and upgrade the system

<sxh bash>
aptitude update && aptitude dist-upgrade -y
</sxh>

Now let's install the dependencies

<sxh bash>
apt-get install apache2 tcpdump tshark libarchive-zip-perl \
  libfilesys-df-perl libapache2-mod-php5 mysql-server php5-mysql \
  libdatetime-perl libdbi-perl libdate-simple-perl \
  libterm-readkey-perl libtimedate-perl \
  build-essential libpcap-dev libcap-dev daemonlogger -y
</sxh>

During the <nowiki>MySQL</nowiki> installation you will be asked for a password; this is the password for the MySQL root user.

Now let's obtain the source packages needed for openfpc

All sources will be placed in the /usr/local/src directory

Let's change into this directory before continuing

<sxh bash>
cd /usr/local/src
</sxh>
 +
Now let's obtain libdnet and install it

<sxh bash>
cd /usr/local/src
wget -c http://wiki.douglasqsantos.com.br/Downloads/ips/libdnet-1.12.tgz
tar -zxf libdnet-1.12.tgz && cd libdnet-1.12
./configure --prefix=/usr --enable-shared
make && make install
</sxh>

Now let's obtain cxtracker and install it

<sxh bash>
cd /usr/local/src/
wget -c http://wiki.douglasqsantos.com.br/Downloads/ips/cxtracker_0.9.5-1_amd64.deb
dpkg -i cxtracker_0.9.5-1_amd64.deb
</sxh>

Now let's obtain and unpack openfpc

<sxh bash>
cd /usr/local/src/
wget -c http://wiki.douglasqsantos.com.br/Downloads/ips/openfpc-0.6-314.tgz
tar xzvf openfpc-0.6-314.tgz
cd openfpc-0.6-314/
</sxh>

Let's install it

<sxh bash>
./openfpc-install.sh install

**************************************************************************
  <nowiki>OpenFPC</nowiki> installer - Leon Ward (leon@openfpc.org) v0.6
    A set if scripts to help manage and find data in a large network traffic
    archive. 

    - http://www.openfpc.org 

[*] Detected distribution as DEBIAN

[-] Checking for apache2 ...
    apache2 Okay
[-] Checking for daemonlogger ...
    daemonlogger Okay
[-] Checking for tcpdump ...
    tcpdump Okay
[-] Checking for tshark ...
    tshark Okay
[-] Checking for libarchive-zip-perl ...
    libarchive-zip-perl Okay
[-] Checking for libfilesys-df-perl ...
    libfilesys-df-perl Okay
[-] Checking for libapache2-mod-php5 ...
    libapache2-mod-php5 Okay
[-] Checking for mysql-server ...
    mysql-server Okay
[-] Checking for php5-mysql ...
    php5-mysql Okay
[-] Checking for libdatetime-perl ...
    libdatetime-perl Okay
[-] Checking for libdbi-perl ...
    libdbi-perl Okay
[-] Checking for libdate-simple-perl ...
    libdate-simple-perl Okay
[-] Checking for php5-mysql ...
    php5-mysql Okay
[-] Checking for libterm-readkey-perl ...
    libterm-readkey-perl Okay
[-] Checking for libdate-simple-perl ...
    libdate-simple-perl Okay
/usr/bin/cxtracker
* Found cxtracker in your $PATH (good)
  Installing modules to /usr/local/lib/site_perl
  Installing PERL module Parse.pm
  Installing PERL module Request.pm
  Installing PERL module CXDB.pm
  Installing PERL module Common.pm
  Installing PERL module Config.pm
  Installing <nowiki>OpenFPC</nowiki> prog: openfpc-client
  Installing <nowiki>OpenFPC</nowiki> prog: openfpc-queued
  Installing <nowiki>OpenFPC</nowiki> prog: openfpc-cx2db
  Installing <nowiki>OpenFPC</nowiki> prog: openfpc
  Installing <nowiki>OpenFPC</nowiki> prog: openfpc-dbmaint
  Installing <nowiki>OpenFPC</nowiki> conf: etc/openfpc-default.conf
  Installing <nowiki>OpenFPC</nowiki> conf: etc/openfpc-example-proxy.conf
  Installing <nowiki>OpenFPC</nowiki> conf: etc/routes.ofpc
  Installing css
  Installing images
  Installing includes
  Installing index.php
  Installing javascript
  Installing login.php
  Installing useradd.php
  Installing extract.cgi
  Installing /etc/init.d//openfpc-daemonlogger
  Installing /etc/init.d//openfpc-cx2db
  Installing /etc/init.d//openfpc-cxtracker
  Installing /etc/init.d//openfpc-queued
[*] Enabling and restarting Apache2
Enabling site openfpc.apache2.site.
Run '/etc/init.d/apache2 reload' to activate new configuration!
Reloading web server config: apache2.
[*] Updating init config with update-rc.d
update-rc.d: using dependency based boot sequencing
[*] Adding user openfpc
update-rc.d: using dependency based boot sequencing
update-rc.d: using dependency based boot sequencing
update-rc.d: using dependency based boot sequencing

**************************************************************************
[*] Installation Complete 

    <nowiki>OpenFPC</nowiki> should now be installed and ready for *configuration*.
   
    1) Go configure /etc/openfpc/openfpc-default.conf
       (Make sure you change the usernames and passwords!)
    2) Start <nowiki>OpenFPC</nowiki>
       $ sudo openfpc --action start
    3) If you want to use the <nowiki>OpenFPC</nowiki> GUI, you MUST create the GUI database
       - Install Mysql
       - Create the DB with the command...
         sudo ./openfpc-dbmaint create gui /etc/openfpc/openfpc-default.conf
    4) Decide if you want to enable session searching
       See -> http://www.openfpc.org/documentation/enabling-session-capture
</sxh>
 +
Now let's edit openfpc-default.conf and replace a few values (the installer reminds you to change the default usernames and passwords; "senha" below is the placeholder used in this guide)

<sxh bash>
vim /etc/openfpc/openfpc-default.conf
# Node name
NODENAME=IDS
[...]
# Node description
DESCRIPTION="IDS <nowiki>OpenFPC</nowiki> node"
[...]
# Capture interface
INTERFACE=eth0
[...]
# Enable session capture
ENABLE_SESSION=1
[...]
# Session database settings
SESSION_DB_NAME=openfpc
SESSION_DB_USER=openfpc
SESSION_DB_PASS=senha
SESSION_DB_HOST=127.0.0.1
[...]
# GUI (client) database settings
GUI_DB_NAME=openfpcgui
GUI_DB_PASS=senha
GUI_DB_USER=openfpcgui
[...]
# Web access user (format USER=<name>=<password>)
USER=admin=senha
</sxh>
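As an added check (not part of the original page or of OpenFPC itself), the script below parses the key=value file edited above, including the USER=name=password form, and counts credentials that are still set to a placeholder such as "senha", which is exactly what the installer's "change the usernames and passwords" reminder is about. The sample configuration is constructed inline from the values used in this guide.

```shell
#!/bin/sh
# Constructed sample of /etc/openfpc/openfpc-default.conf, written to a
# temp file so the check can run offline. Values mirror the guide above.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
NODENAME=IDS
DESCRIPTION="IDS OpenFPC node"
INTERFACE=eth0
ENABLE_SESSION=1
SESSION_DB_NAME=openfpc
SESSION_DB_USER=openfpc
SESSION_DB_PASS=senha
SESSION_DB_HOST=127.0.0.1
GUI_DB_NAME=openfpcgui
GUI_DB_PASS=senha
GUI_DB_USER=openfpcgui
USER=admin=senha
EOF

# conf_get FILE KEY: print the value of the first KEY= line, quotes stripped.
conf_get() {
    sed -n "s/^$2=//p" "$1" | head -n 1 | sed 's/^"\(.*\)"$/\1/'
}

# count_weak_passwords FILE: number of credentials left at a placeholder.
# Looks at SESSION_DB_PASS, GUI_DB_PASS and every USER=<name>=<password>
# line (the GUI user format shown in the guide). Passwords containing '='
# are not handled by this simple '=' split; that is a limitation of the
# example, not of OpenFPC.
count_weak_passwords() {
    awk -F= '
        /^(SESSION_DB_PASS|GUI_DB_PASS)=/ { pw = $2 }
        /^USER=/                           { pw = $3 }
        /^(SESSION_DB_PASS|GUI_DB_PASS|USER)=/ {
            gsub(/^"|"$/, "", pw)
            if (pw == "" || pw == "senha" || pw == "password" || pw == "openfpc")
                weak++
        }
        END { print weak + 0 }' "$1"
}

# session_enabled FILE: succeeds (exit 0) only when ENABLE_SESSION=1.
session_enabled() {
    [ "$(conf_get "$1" ENABLE_SESSION)" = "1" ]
}

# Example run: the sample above still carries three placeholder passwords.
echo "weak credentials: $(count_weak_passwords "$SAMPLE_CONF")"
```

Point the functions at the real /etc/openfpc/openfpc-default.conf after editing it; a non-zero count means the config still carries a password the installer told you to replace.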
 +
Now let's create the session database

<sxh bash>
openfpc-dbmaint create session /etc/openfpc/openfpc-default.conf
[*] Enter mysql "root" credentials to connect to your local mysql server in order to create the databases
    DB root Username: root
    DB root Password: #senha
[*] Working on Instance /etc/openfpc/openfpc-default.conf .
    Would you like session capture ENABLED on IDS? (y/n)y
[-] Enabling session capture in IDS config
    Done.
[-] Found cxtracker.
CREATING DATABASE
---------------------------
Session DB Created.
Adding function INET_ATON6... to DB openfpc
[*] Restarting <nowiki>OpenFPC</nowiki>

###############################################################################
[*] <nowiki>OpenFPC</nowiki> instance openfpc-default.conf
  NODENAME:              IDS 
  DESCRIPTION:           "IDS <nowiki>OpenFPC</nowiki> node." 
  STATUS :               ENABLED
  PORT:                  4242
  INTERFACE:             eth0
  FULL PACKET CAPTURE:   ENABLED
  PACKET STORE:          /var/tmp/openfpc/pcap
  SESSION DATA SEARCH:   ENABLED
  SESSION DATABASE NAME: openfpc
Stopping Daemonlogger...                                              Not running
Stopping <nowiki>OpenFPC</nowiki> Queue Daemon (IDS)...                                Not running
Stopping <nowiki>OpenFPC</nowiki> cxtracker (IDS)...                                   Not running
Stopping <nowiki>OpenFPC</nowiki> Connection Uploader (IDS)...                         Not running
###############################################################################
[*] <nowiki>OpenFPC</nowiki> instance openfpc-example-proxy.conf
  NODENAME:              Example_Proxy 
  DESCRIPTION:           "An example <nowiki>OpenFPC</nowiki> Proxy config. www.openfpc.org" 
  STATUS :               DISABLED
  PORT:                  4243
###############################################################################
[*] <nowiki>OpenFPC</nowiki> instance openfpc-default.conf
  NODENAME:              IDS 
  DESCRIPTION:           "IDS <nowiki>OpenFPC</nowiki> node." 
  STATUS :               ENABLED
  PORT:                  4242
  INTERFACE:             eth0
  FULL PACKET CAPTURE:   ENABLED
  PACKET STORE:          /var/tmp/openfpc/pcap
  SESSION DATA SEARCH:   ENABLED
  SESSION DATABASE NAME: openfpc
Starting Daemonlogger (IDS)...                                             Done
Starting <nowiki>OpenFPC</nowiki> Queue Daemon (IDS)...                                     Done
Starting <nowiki>OpenFPC</nowiki> cxtracker (IDS)...                                        Done
Starting <nowiki>OpenFPC</nowiki> Connection Uploader (IDS) ...                             Done
###############################################################################
[*] <nowiki>OpenFPC</nowiki> instance openfpc-example-proxy.conf
  NODENAME:              Example_Proxy 
  DESCRIPTION:           "An example <nowiki>OpenFPC</nowiki> Proxy config. www.openfpc.org" 
  STATUS :               DISABLED
  PORT:                  4243
</sxh>
 +
Now let's create the GUI database and the user for web access

<sxh bash>
openfpc-dbmaint create gui /etc/openfpc/openfpc-default.conf
[*] Enter mysql "root" credentials to connect to your local mysql server in order to create the databases
    DB root Username: root
    DB root Password: #senha
[*] Enter an initial username for the first <nowiki>OpenFPC</nowiki> GUI user
    GUI Username: admin
    GUI Password: #senha
    Email address: douglas@douglas.wiki.br
    Real Name: Douglas
USER=admin=senha
FOUND USER admin IN /etc/openfpc/openfpc-default.conf
CREATING GUI DATABASE
---------------------------
GUI DB Created.
New user admin added.
[*] Restarting <nowiki>OpenFPC</nowiki>

###############################################################################
[*] <nowiki>OpenFPC</nowiki> instance openfpc-default.conf
  NODENAME:              IDS 
  DESCRIPTION:           "IDS <nowiki>OpenFPC</nowiki> node." 
  STATUS :               ENABLED
  PORT:                  4242
  INTERFACE:             eth0
  FULL PACKET CAPTURE:   ENABLED
  PACKET STORE:          /var/tmp/openfpc/pcap
  SESSION DATA SEARCH:   ENABLED
  SESSION DATABASE NAME: openfpc
  SESSION LAG:           0
Stopping Daemonlogger...                                              Not running
Stopping <nowiki>OpenFPC</nowiki> Queue Daemon (IDS)...                                     Done
Stopping <nowiki>OpenFPC</nowiki> cxtracker (IDS)...                                        Done
Stopping <nowiki>OpenFPC</nowiki> Connection Uploader (IDS)...                              Done
###############################################################################
[*] <nowiki>OpenFPC</nowiki> instance openfpc-example-proxy.conf
  NODENAME:              Example_Proxy 
  DESCRIPTION:           "An example <nowiki>OpenFPC</nowiki> Proxy config. www.openfpc.org" 
  STATUS :               DISABLED
  PORT:                  4243
###############################################################################
[*] <nowiki>OpenFPC</nowiki> instance openfpc-default.conf
  NODENAME:              IDS 
  DESCRIPTION:           "IDS <nowiki>OpenFPC</nowiki> node." 
  STATUS :               ENABLED
  PORT:                  4242
  INTERFACE:             eth0
  FULL PACKET CAPTURE:   ENABLED
  PACKET STORE:          /var/tmp/openfpc/pcap
  SESSION DATA SEARCH:   ENABLED
  SESSION DATABASE NAME: openfpc
  SESSION LAG:           1
Starting Daemonlogger (IDS)...                                             Done
Starting <nowiki>OpenFPC</nowiki> Queue Daemon (IDS)...                                     Done
Starting <nowiki>OpenFPC</nowiki> cxtracker (IDS)...                                        Done
Starting <nowiki>OpenFPC</nowiki> Connection Uploader (IDS) ...                             Done
###############################################################################
[*] <nowiki>OpenFPC</nowiki> instance openfpc-example-proxy.conf
  NODENAME:              Example_Proxy 
  DESCRIPTION:           "An example <nowiki>OpenFPC</nowiki> Proxy config. www.openfpc.org" 
  STATUS :               DISABLED
  PORT:                  4243
[*] DB Configured and admin user added. Now navigate to http://<ip.add.re.ss>/openfpc/
</sxh>
 +
Now just browse to http://ip_servidor/openfpc and log in with user admin and password senha.

Now let's confirm that traffic is being captured by counting the sessions recorded in the database

<sxh bash>
mysql -u root -p -D openfpc -e 'select count(*) from session'
Enter password: 
+----------+
| count(*) |
+----------+
|      830 |
+----------+
</sxh>



===== References =====
  - http://www.openfpc.org/
  - http://www.openfpc.org/documentation/
  - http://www.openfpc.org/documentation/openfpc-on-debian-lenny