This page will describe how you can get started with a demo yourself. Downloadable here is a VMware image with the tunnel and logging server pre-installed. This image will enable you to start using and testing the SURFids system within a few minutes.
Image: SURFids_2.0-v4.zip
MD5sum: f020bc3fb5ce61f5105751910544a425
PDF Manual for the image can be found here.
NOTICE: This image is not intended for live production environments. This image is provided as-is and intended for testing and demo purposes only.
First download and unzip the demo file:
# unzip SURFids_2.0-v4.zip
Load up the VMware image into either your VMware Workstation 6.0+ or your VMware player and boot up the image. The image sets itself up almost entirely. The only thing needed to get you started is adding the local interface of the guest OS as a sensor.
Once the image has been started you will be presented with a login prompt.
SURFids login: _
We log in using the username “surfids” and the password “surfids2.0”.
SURFids login: surfids
Password: surfids2.0
We switch to the root user:
su
Password: surfids2.0
For security reasons we should now change the password of both users to something safer:
passwd surfids
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
We do the same for the root user:
passwd
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Now we need to add our local interface as a sensor to the database. First we need to determine the main interface:
ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0C:29:45:C7:FC
          inet addr:10.0.0.23  Bcast:10.0.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:688 errors:0 dropped:0 overruns:0 frame:0
          TX packets:30 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:48015 (46.8 KiB)  TX bytes:2870 (2.8 KiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:1046 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1046 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:630210 (615.4 KiB)  TX bytes:630210 (615.4 KiB)
The interface that has an IP address should be the main interface. In this example we will assume eth0 is the main interface (ignore the lo loopback interface).
Now we will add the eth0 interface as a sensor to the database:
cd /opt/surfnetids/tntools/
./localsensor.pl eth0
[02-11-2007 17:34:38] Connecting to idsserver with DSN: DBI:Pg:dbname=idsserver;host=localhost;port=5432
[02-11-2007 17:34:38] Connect result: Ok
[02-11-2007 17:34:38] Local interface added as sensor!
That's it. Your web interface is now available at:
http://<ip number>:8080/.
In our example that would be:
http://10.0.0.23:8080/
Login info for the web interface:
username: admin
password: admin
Enjoy!
To enable the use of tunneled sensors, you will need to edit the xinetd config file for openvpn:
/etc/xinetd.d/openvpn
service openvpn
{
        disable         = no
        type            = UNLISTED
        port            = 1194
        socket_type     = stream
        protocol        = tcp
        wait            = no
        bind            = 10.0.0.23
        user            = root
        server          = /usr/sbin/openvpn
        cps             = 1 5
        log_on_success  = USERID PID HOST EXIT
        server_args     = --config /etc/openvpn/server.conf
}
In the bind line, replace <ip number> with the actual IP address of the main interface (10.0.0.23 in our example).
You will also have to put the actual IP address of the server into the sensor config files: the “remote” option in the two client config files and the $server variable in sensor.conf:
/opt/surfnetids/updates/client.conf
/opt/surfnetids/updates/client.conf.temp
remote 10.0.0.23
# tls-remote 127.0.0.1
/opt/surfnetids/updates/sensor.conf
$server = "10.0.0.23";
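As an added example, not part of the SURFids image or its tntools scripts, the shell snippet below does the two address-related steps from this page in one go: it picks the main interface's IPv4 address out of ifconfig output (skipping lo, as the text says) and writes that address into the bind line of the xinetd openvpn file, the remote lines of client.conf and client.conf.temp, and the $server line of sensor.conf. It works on constructed copies of those four files in a temporary directory rather than on /etc/xinetd.d and /opt/surfnetids/updates, so it can be tried before touching the image; the sample file contents, the function names and the "<ip number>" placeholder in the copies are assumptions.

```shell
#!/bin/sh
# Added example (not part of the SURFids image or its tools): find the main
# interface's address and put it into the tunnel config files named on this page.

# Constructed sample, copied from the ifconfig output shown in the walkthrough.
SAMPLE_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 00:0C:29:45:C7:FC
          inet addr:10.0.0.23  Bcast:10.0.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1'

# Print the IPv4 address of the first interface that has one, skipping lo.
# Interface names start in column 1; their "inet addr:" lines are indented.
main_ip_from_ifconfig() {
    printf '%s\n' "$1" | awk '
        /^[^[:space:]]/ { iface = $1 }
        /inet addr:/ && iface != "lo" {
            sub(/.*inet addr:/, ""); sub(/ .*/, ""); print; exit
        }'
}

# Write constructed copies of the four files into directory $1 (assumed layout,
# with "<ip number>" where the server address belongs) so the rewrite can be tried safely.
write_sample_configs() {
    dir="$1"
    printf 'service openvpn\n{\n\tdisable = no\n\tport = 1194\n\tbind = <ip number>\n}\n' > "$dir/openvpn"
    printf 'client\nremote <ip number>\n# tls-remote 127.0.0.1\n' > "$dir/client.conf"
    cp "$dir/client.conf" "$dir/client.conf.temp"
    printf '$server = "<ip number>";\n' > "$dir/sensor.conf"
}

# Edit a file in place without relying on GNU "sed -i": write a new copy, then move it over.
rewrite() {
    sed "$2" "$1" > "$1.new" && mv "$1.new" "$1"
}

# Replace whatever follows "bind =", "remote " and '$server = "..."' with address $1
# in the four files found in directory $2. Other lines (e.g. "# tls-remote") are untouched.
apply_server_ip() {
    addr="$1"; dir="$2"
    rewrite "$dir/openvpn" "s/^\([[:space:]]*bind[[:space:]]*=[[:space:]]*\).*/\1$addr/"
    for f in client.conf client.conf.temp; do
        rewrite "$dir/$f" "s/^remote[[:space:]][[:space:]]*.*/remote $addr/"
    done
    rewrite "$dir/sensor.conf" "s/^\([$]server[[:space:]]*=[[:space:]]*\)\"[^\"]*\";/\1\"$addr\";/"
}

# Stand-alone run: detect the address, rewrite the constructed copies, show the result.
ip=$(main_ip_from_ifconfig "$SAMPLE_IFCONFIG")
work=$(mktemp -d)
write_sample_configs "$work"
apply_server_ip "$ip" "$work"
echo "main interface address: $ip"
grep -e 'bind' -e '^remote' -e 'server' "$work/openvpn" "$work/client.conf" "$work/client.conf.temp" "$work/sensor.conf"
rm -rf "$work"
```

On the image itself you would feed the real output, main_ip_from_ifconfig "$(ifconfig)", and point apply_server_ip at a directory holding the four real files (or adjust the paths inside it, since the xinetd file and the sensor files live in different directories). After changing the bind address, restart xinetd so it listens on the new address.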