OpenFPC

From aldeid
DRAFT
This page is still a draft. Thank you for your understanding.

Description

This tutorial explains how to install OpenFPC on a Debian Squeeze (version 6) box.

Prerequisites

Packages

# apt-get install apache2 tcpdump tshark libarchive-zip-perl \
  libfilesys-df-perl libapache2-mod-php5 mysql-server php5-mysql \
  libdatetime-perl libdbi-perl libdate-simple-perl \
  libterm-readkey-perl libtimedate-perl \
  build-essential libpcap-dev

LibDNet

# cd /usr/local/src/
# wget http://transact.dl.sourceforge.net/project/libdnet/libdnet/libdnet-1.11/libdnet-1.11.tar.gz
# tar xvzf libdnet-1.11.tar.gz
# cd libdnet-1.11/
# ./configure
# make
# make install

Daemonlogger

# cd /usr/local/src/
# wget http://www.snort.org/users/roesch/code/daemonlogger-1.2.1.tar.gz
# tar xzvf daemonlogger-1.2.1.tar.gz
# cd daemonlogger-1.2.1/
# ./configure
# make
# make install

CXTracker

# cd /usr/local/src/
# wget http://github.com/downloads/gamelinux/cxtracker/cxtracker_0.9.5-1_i386.deb --no-check-certificate
# dpkg -i cxtracker_0.9.5-1_i386.deb

Install OpenFPC

# cd /usr/local/src/
# wget http://openfpc.googlecode.com/files/openfpc-0.6-314.tgz
# tar xzvf openfpc-0.6-314.tgz
# cd openfpc-0.6-314/

Then edit openfpc-install.sh and remove daemonlogger from the list of dependencies, since it has already been installed from source (the Debian package would otherwise be pulled in by the installer).

function checkdeps()
{
    if [ "$DISTRO" == "DEBIAN" ]
    then
        DEPS="apache2 daemonlogger tcpdump tshark libarchive-zip-perl \
libfilesys-df-perl libapache2-mod-php5 mysql-server php5-mysql libdatetime-perl \
libdbi-perl libdate-simple-perl php5-mysql libterm-readkey-perl libdate-simple-perl "
...

Then install OpenFPC as follows:

# ./openfpc-install.sh install

Configuration

Basic configuration

Edit OpenFPC configuration file:

# vim /etc/openfpc/openfpc-default.conf

Adapt the configuration file to your needs; in particular set the capture interface and the OpenFPC user account (the USER line has the form USER=<username>=<password>):

INTERFACE=eth1
USER=openfpcuser=openfpcpassword

Review your configuration by issuing:

# openfpc -a status

Enabling sessions

By default, OpenFPC does not track sessions; only raw packets are stored. If you want to be able to analyze session flows, configure OpenFPC as follows.

Edit OpenFPC configuration file:

# vim /etc/openfpc/openfpc-default.conf

And uncomment the following line:

ENABLE_SESSION=1

Then create the database:

# openfpc-dbmaint create session /etc/openfpc/openfpc-default.conf

When prompted, enter your MySQL root credentials so that the script can create the database and its tables.

You can then check that the database has been successfully installed by issuing:

# mysql -u root -p -D openfpc -e 'select count(*) from session' 
Enter password: <<Password>>
+----------+
| count(*) |
+----------+
|    65212 |
+----------+

Using OpenFPC

Start and stop OpenFPC

To start OpenFPC:

# openfpc -a start

To stop OpenFPC:

# openfpc -a stop

Manually requesting from CLI

You can request packet captures from the command line with openfpc-client. Here is an example that fetches all traffic from a given source address into a pcap file:

# openfpc-client \
  --server 127.0.0.1 \
  --user openfpc \
  --password openfpc \
  --action fetch \
  --write ~/openfpc.pcap \
  --src-addr 192.168.100.10

For a complete list of available options, use:

# openfpc-client --help

Using external tools to request

Tools like Snorby can query OpenFPC via a URL like:

http://<host>/openfpc/cgi-bin/extract.cgi?sip=1.1.1.1&spt=31337&dip=2.2.2.2&dpt=80&proto=tcp&timestamp=1299421428

Where:

  • sip: source IP address
  • spt: source port
  • dip: destination IP address
  • dpt: destination port
  • proto: protocol
  • timestamp: Unix epoch timestamp in seconds (you can use online services to convert to and from human-readable dates)
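The following Python script is an added example (it is not part of the OpenFPC project or of the original page) showing how an external tool would build such an extract.cgi URL from the fields of an alert, and how an operator can parse a URL seen in the Apache access log back into the flow tuple it requests. The query parameter names are the ones listed above; the host name, the sample flow and the accepted protocol names are assumptions made for the example. Every field is validated before it is placed in the query string, and the timestamp is converted between ISO-8601 and epoch seconds, so no online converter is needed.

```python
"""Build and audit OpenFPC extract.cgi request URLs.

Added example, not OpenFPC code. The parameter names (sip, spt, dip, dpt,
proto, timestamp) are those documented for extract.cgi; the host name and
the sample flow are constructed values, and VALID_PROTOS is an assumption.
"""
import ipaddress
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse

VALID_PROTOS = {"tcp", "udp", "icmp"}  # assumption: protocols we let through


def to_epoch(when):
    """Return Unix epoch seconds (UTC) from an int, ISO-8601 string or datetime."""
    if isinstance(when, int):
        return when
    if isinstance(when, str):
        when = datetime.fromisoformat(when.replace("Z", "+00:00"))
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    return int(when.timestamp())


def from_epoch(ts):
    """Render epoch seconds as an ISO-8601 UTC string for human review."""
    return datetime.fromtimestamp(int(ts), tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def _port(value):
    port = int(value)
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {value}")
    return port


def _proto(value):
    proto = str(value).lower()
    if proto not in VALID_PROTOS:
        raise ValueError(f"unsupported proto: {value}")
    return proto


def build_extract_url(host, sip, spt, dip, dpt, proto, when, scheme="http"):
    """Build the extract.cgi URL for one flow, validating every field first.

    ipaddress.ip_address() raises ValueError on anything that is not an IP
    literal, so hostnames or injected text never reach the query string.
    """
    params = {
        "sip": str(ipaddress.ip_address(sip)),
        "spt": _port(spt),
        "dip": str(ipaddress.ip_address(dip)),
        "dpt": _port(dpt),
        "proto": _proto(proto),
        "timestamp": to_epoch(when),
    }
    return f"{scheme}://{host}/openfpc/cgi-bin/extract.cgi?" + urlencode(params)


def parse_extract_url(url):
    """Inverse operation: recover the requested flow from an extract.cgi URL
    (for example one copied from the Apache access log) and re-validate it."""
    fields = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    return {
        "sip": str(ipaddress.ip_address(fields["sip"])),
        "spt": _port(fields["spt"]),
        "dip": str(ipaddress.ip_address(fields["dip"])),
        "dpt": _port(fields["dpt"]),
        "proto": _proto(fields["proto"]),
        "timestamp": int(fields["timestamp"]),
        "time_utc": from_epoch(fields["timestamp"]),
    }


if __name__ == "__main__":
    # Constructed sample flow; "openfpc.example.lan" is a placeholder host.
    url = build_extract_url("openfpc.example.lan", "1.1.1.1", 31337,
                            "2.2.2.2", 80, "tcp", 1299421428)
    print(url)
    print(parse_extract_url(url))
```

Run it to print the URL for the sample flow and the decoded tuple, including the timestamp rendered as a UTC date; feed the same function a URL from your web server log to check what a client actually asked OpenFPC to extract.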