Integrating Argos

Prerequisites

  • Debian stable/testing system
  • Argos 0.4.2-1
  • Cargos-lib 0.1.4
  • QEMU 0.9.1
  • Argos Scripts
  • Openports (if a Windows 2000 guest OS will be installed)
  • Perl (for Windows, ActivePerl is available)
  • Up to 3 GB of free disk space, depending on the operating system you are trying to install.
  • A CD/DVD or a CD/DVD ISO image including the OS you want to install.
  • You might need network connectivity if you are attempting to install an OS from the network.
  • The SDL development libraries and headers. Binary packages are available for most Linux distributions. If one is not available for your system, you can download and build the library yourself (http://www.libsdl.org).

Preparations

Install a Debian stable/testing system (with an X desktop environment) and install the following packages:

bridge-utils libsdl1.2-dev zlib1g-dev libdbd-pg-perl librrds-perl libdbi-perl gcc-3.4 gcc subversion make

Disable IPv6. Edit /etc/modprobe.d/blacklist and add the following line:

blacklist ipv6

For Argos to work there needs to be a network bridge, because the host OS needs to be bridged with the guest OS.

Edit /etc/network/interfaces and configure the bridge. The gateway is the IP address of the Ethernet device directly connected to the Argos server.

auto eth0
iface eth0 inet manual

auto br0
iface br0 inet static
        address ip address
        netmask netmask
        gateway gateway
        bridge_ports eth0 
        bridge_fd 1
        bridge_stp off
        bridge_hello 1

Important!! Set the gateway to the IP address of the eth1 device of the tunnel server.

Install

Install QEMU

  • Extract the source code package qemu-0.9.1.tar.gz:
/download/directory$ tar zxvf qemu-0.9.1.tar.gz
  • Configure Qemu: it will be installed in /opt/argos, and because of known compile errors with gcc versions higher than 3.x the option --cc is set to gcc-3.4:
/download/directory/qemu-0.9.1$ ./configure --target-list="i386-softmmu" --prefix=/opt/argos --cc=gcc-3.4
  • Build Qemu by running `make':
/download/directory/qemu-0.9.1$ make
  • Become root and install QEMU:
/download/directory/qemu-0.9.1$ make install

  • [OPTIONAL] Configure the kernel accelerator by installing the kqemu package from source. The kernel accelerator needs the kernel sources: check your kernel version with uname, then install the corresponding kernel headers.

uname -a
apt-get install linux-headers-2.6.x-x-xxx
apt-get install kqemu-source kqemu-common

Run “module-assistant” to compile and install the kernel module. In the ncurses wizard first choose “PREPARE” to prepare your system with all the required dependencies. Then choose “SELECT” and pick the “kqemu” module from the list. Then run the following steps one after the other: “GET”, “BUILD” and “INSTALL”. When everything is done choose “BACK” and “EXIT”.

To test the kqemu module, try loading it with modprobe:

modprobe kqemu

If that succeeds without an error add “kqemu” to /etc/modules to load it at boot.

Install Argos

  • Extract the source code package argos-0.4.2-1.tar.gz:
/download/directory$ tar zxvf argos-0.4.2-1.tar.gz
  • Configure Argos: it will be installed in /opt/argos and the net-tracker module will be enabled:
/download/directory/argos-0.4.2-1$ ./configure --enable-system --prefix=/opt/argos --cc=gcc-3.4 --enable-net-tracker --enable-lowmem
  • Build and install Argos by running `make' and `make install':
/download/directory/argos-0.4.2-1$ make && make install

Create a virtual hard disk image

Qemu provides the utility `qemu-img' for this purpose. The following example creates a 3 gigabyte hard disk image named `IMAGE.img' using Qemu's copy-on-write format:

mkdir /opt/argos/images
cd /opt/argos/images
/opt/argos/images$ ../bin/qemu-img create -f qcow IMAGE.img 3G

Always give an image the extension .img; the Argos scripts need this.

We also need a hard disk that will operate as a file exchanger between the guest OS and the host OS. We call it hddshare.img:

/opt/argos/images$ ../bin/qemu-img create -f raw hddshare.img 100M

For more information on how to create a disk image consult Qemu's documentation on disk images.

Installing a guest OS

In the following examples `NNN' corresponds to the amount of virtual RAM (in megabytes) that Qemu will be run with. Also `-localtime' is optional. It sets Qemu's clock to local time instead of UTC.

  • From a CD/DVD ROM

Assuming that the CD-ROM device at the host can be found under `/dev/cdrom', and `IMAGE.img' is a disk image created using qemu-img, run Qemu as such:

qemu -cdrom /dev/cdrom -hda IMAGE.img -boot d -m NNN -localtime

Make sure that you have permissions to read `/dev/cdrom' before trying to run the above command.

  • From an ISO image

Similarly, if `ISOIMAGE.iso' is the ISO image containing the OS you wish to install and `IMAGE.img' is a disk image created using qemu-img, run Qemu as such:

qemu -cdrom /path/to/iso/images/ISOIMAGE.iso -hda IMAGE.img -boot d -m NNN -localtime

OS specifics

  • All OSes

Argos works with physical addresses. Unfortunately, this means that it cannot track virtual memory, and that you will have to disable virtual memory in the guest OS. In Linux, do not create (or activate) a swap partition during installation. In Windows you can disable paging after the installation completes.

  • All Windows OSes

A Windows operating system installed using a previous version of Argos (earlier than 0.2.0) cannot be booted using the latest version (0.2.0). The reason is that versions 0.2.0 and later emulate a different IDE driver, and as a result Windows installations based on older versions do not contain the appropriate driver.

  • Windows 2000

When installing Windows 2000 you will have to enable the option `-win2k-hack'. This works around a Windows 2000 bug during installation which causes a "disk full" problem. When the installation completes you do not need this option any more.

  • Windows XP

Some Windows XP versions install correctly but show a security error when booting:

    A problem is preventing Windows from accurately checking the
    license for this computer. Error code: 0x800703e6.

The only solution for now is to install Windows XP Service Pack 2. It is also possible that the installation procedure might freeze, so we strongly recommend that you also use the `-win2k-hack' even when installing Windows XP.

Installing Windows 2000

Start qemu in X!! Otherwise you will get the error “Could not initialize SDL - exiting”. Sometimes the mouse does not work; execute the following command to fix this:

export SDL_VIDEO_X11_DGAMOUSE=0

Insert the Windows 2000 CD-ROM in the CD-ROM drive.

Installing Windows 2000 from CD-ROM on the qemu image “IMAGE.img” with 512 MB of RAM:

/opt/argos/images$ ../bin/qemu -cdrom /dev/cdrom -hda IMAGE.img -hdb hddshare.img -boot d -m 512 -localtime -win2k-hack

Partition the hddshare drive in the setup process because of an error with the disk manager.

Configuring Guest OS

Once the guest OS is installed it is wise to make a copy of the image, so there is a clean image to fall back on.

The guest OS can be configured to your liking, but some configuration steps are necessary.

  • Start up qemu:
/opt/argos/images$ ../bin/qemu -hda IMAGE.img -hdb hddshare.img -m 512 -localtime
  • Partition & Format the hddshare.img

Partition and Format (FAT) the exchange drive when you are in the guest OS.

  • No Network configuration

The network configuration will be set through a script, so leave the network configuration at its defaults.

  • Disable Paging!!!

Argos works with physical addresses. Unfortunately, this means that it cannot track virtual memory, and that you will have to disable virtual memory in the guest OS.

  • Format the exchange drive as FAT32 (hddshare.img)

Format the exchange drive so that files can be placed on it.

  • Installing Perl & Configure startup scripts

For Windows OSes there is a free Perl distribution available, ActivePerl; when downloading, select the AS install package. Because you don't have network connectivity in the guest OS, you can use the formatted hddshare drive for the exchange.

To install ActivePerl, mount the exchange drive on the host and copy the files (the offset skips to the first partition, which starts at sector 63 of 512 bytes):

mount -o loop,offset=$((63*512)) hddshare.img /mntpoint
unzip activePerl***.zip -d /mntpoint
touch netconf.bat
cp netconf.bat /mntpoint
touch snitch.pl
cp snitch.pl /mntpoint
umount /mntpoint
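
The offset 63*512 in the mount line above assumes the first partition starts at sector 63. The following added example (not part of the Argos page or the Argos project) reads the start sector from the image's MBR instead and wraps the mount in a function; it assumes an MBR-partitioned raw image and an x86 host, and make_fake_mbr_image is a constructed test helper.

```shell
#!/bin/sh
# Added example, not from the Argos page: derive the loop-mount offset of the first
# partition of a raw image (hddshare.img) from its MBR instead of hard-coding 63*512.
# Assumes an MBR-partitioned image and a little-endian (x86) host; POSIX dd/od/printf only.

# Print the byte offset of the first MBR partition; fail if there is no valid MBR.
mbr_first_partition_offset() {
    img=$1
    # Bytes 510-511 must hold the 0x55 0xAA boot signature.
    sig=$(od -An -tx1 -j 510 -N 2 "$img" | tr -d ' \n')
    [ "$sig" = "55aa" ] || { echo "$img: no MBR boot signature" >&2; return 1; }
    # Partition entry 1 starts at byte 446; its starting LBA is the 32-bit
    # little-endian field at bytes 454-457 (od -tu4 uses host order, x86 here).
    lba=$(od -An -tu4 -j 454 -N 4 "$img" | tr -d ' \n')
    [ -n "$lba" ] && [ "$lba" -gt 0 ] || { echo "$img: empty partition entry" >&2; return 1; }
    echo $((lba * 512))
}

# Loop-mount the first partition of image $1 on directory $2 (the page's mount
# line, with the offset computed rather than assumed).
mount_share() {
    off=$(mbr_first_partition_offset "$1") || return 1
    mount -o loop,offset="$off" "$1" "$2"
}

# Test helper: build a constructed 1 MiB zero-filled image whose MBR says the
# first partition starts at sector $2 (63 is the classic DOS/Windows 2000 layout).
make_fake_mbr_image() {
    dd if=/dev/zero of="$1" bs=1024 count=1024 2>/dev/null
    lba=$2; i=0
    while [ "$i" -lt 4 ]; do            # write the LBA as 4 little-endian bytes
        byte=$(( (lba >> (8 * i)) & 255 ))
        printf "$(printf '\\%03o' "$byte")" |
            dd of="$1" bs=1 seek=$((454 + i)) conv=notrunc 2>/dev/null
        i=$((i + 1))
    done
    printf '\125\252' | dd of="$1" bs=1 seek=510 conv=notrunc 2>/dev/null   # 0x55 0xAA
}
```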

Start qemu again to have the files available.

/opt/argos/images$ ../bin/qemu -hda IMAGE.img -hdb hddshare.img -m 512 -localtime

Install ActivePerl with the default settings. After the installation delete the installation files on the exchange drive.

Create shortcuts to the snitch.pl and netconf.bat files on the hddshare drive and place them in the Startup directory of the Start menu. These scripts will now run at boot the next time Argos starts.

If you want to test the guest OS without corrupting the disk image we recommend that you use the `-snapshot' option. This forces Qemu and Argos to open the disk image as read-only, writing all changes to temporary files. This way you do not risk corrupting the disk image.

Configuring Host OS

After installing the guest OS, the Argos scripts are needed.

Check out the Argos subversion trunk tree into the install dir:

svn checkout http://svn.ids.surfnet.nl/surfids/argos/trunk/ /opt/argos

Extract the Cargos library source files.

/download/directory$ tar zxvf cargos-lib-0.1.1.tar.gz

Configure and compile.

./configure --prefix=/opt/argos
make && make install

Sometimes you need to set the CC environment variable to gcc-3.x before configuring:

export CC=gcc-3.4

Unpack Openports (needed for Windows 2000 guests) and copy it to the install dir:

/download/directory$ unzip openports.zip
/download/directory$ cp openports.exe /opt/argos/

Move the argos-ifup script to /etc:

mv /opt/argos/argos-ifup /etc/argos-ifup

Argos-ifup should look like:

#!/bin/sh
# $1 is the tap interface Qemu hands to this script: attach it to the bridge
brctl addif br0 $1
ifconfig $1 0.0.0.0 promisc up

Enable IP forwarding on the host:

echo 1 > /proc/sys/net/ipv4/ip_forward

Copy argos.conf.dist to argos.conf.

/opt/argos$ cp argos.conf.dist argos.conf

Edit argos.conf and change the following values:

$pgsql_pass = 'enter_password';
$pgsql_host = "enter_ipaddress";
$listenip = "enter_ipaddress";
$gw = "enter_ipaddress";

Set $pgsql_host to the IP address of the logserver where the DB is. Set $gw and $listenip to the IP of the br0 device that is connected directly to the tunnel server.

Edit snitch.pl and enter the IP address (the same as $listenip in argos.conf) in the $hostip variable:

my $hostip = "enter_ipaddress";

Add to /etc/crontab:

*/5 *   * * *   root   /opt/argos/rrd_serverinfo.pl 

Restart the cron daemon:

/etc/init.d/cron restart

Create the run and log directories:

mkdir /var/run/argos
mkdir /opt/argos/logs

Configure tunnel server

NOTE: You will have to patch the kernel on your tunnel server as well, see Kernel Upgrade/Patch.

The Argos server needs to have access to the DB. Edit pg_hba.conf and add the IP of the Argos server. Bear in mind that this IP address is different from the IP on the br0 interface on the host OS:

host    all         all         enter_ipaddress     md5

Log on to the web interface as an administrator. Install the new image on the “argos template” page:

  • Name: Enter a name. Example: Win2000withSP4andIIS
  • Server IP: The IP address of the br0 interface on the host OS.
  • Imagename on Server: Name of the image. Example: IMAGE.img
  • OS: Choose win2k/winxp/linux.
  • OS Language: Choose between English and Dutch.
  • Mac address: This MAC address will be set on the guest OS.
  • Organisation: Set to all organisations or to one organisation. If set to one organisation, the image will only be selectable by this organisation.

After adding the image it will be selectable on the Argos page. Add a sensor and select the Argos image:

  • Sensor: Select a sensor.
  • Imagename: Select the image you just added.
  • Template: Select between:
      • all traffic: This will redirect all traffic directed to the selected sensor.
      • top100 of all your sensors: This will select all IPs that attacked all of your sensors (organisation wide) and were rated as possible, not confirmed malicious, attacks.
      • top100 of all sensors: This will select all IPs that attacked all the sensors and were rated as possible, not confirmed malicious, attacks.
      • top100 sensors: This will select all IPs that attacked the selected sensor and were rated as possible, not confirmed malicious, attacks.
  • Timespan: This will select the timespan of the selected template.

To actually redirect IPs to the Argos server the redirect_argos script needs to be run. Edit the crontab:

*/5 * * * * root /opt/surfnetids/scripts/redirect_argos.pl >/dev/null

Restart cron:

/etc/init.d/cron restart

Configure IP Virtual Server

IP Virtual Server is needed to redirect IPs to the honeypot(s).

Add an entry to the IPVS configuration for each server. In this example nepenthes and Argos are used, so we need to add two real servers. The services also need to be added: use firewall mark 1 for nepenthes and 2 for Argos. If nepenthes stays on the tunnel server, just use 127.0.0.1 for ipaddress_nepenthes.

Edit the ipvsadm.rules script and add:

-A -f 1 -s wlc -p 120
-a -f 1 -r ipaddress_nepenthes:0 -g -w 1
-A -f 2 -s wlc -p 120
-a -f 2 -r ipaddress_argos:0 -g -w 1

Edit /etc/default/ipvsadm:

AUTO="true"
DAEMON="none"

Now run the ipvsadm daemon.

/etc/init.d/ipvsadm start

To check that it is configured correctly, run:

ipvsadm -L

It should output something like:

IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
FWM  1 wlc persistent 100
  -> ipaddress_nepenthes:0                  Local   1      1          7         
FWM  2 wlc persistent 100
  -> ipaddress_argos:0                    Route   1      0          1         
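
As an added example (not from the page or the SURFids project), the following shell functions check an `ipvsadm -L' listing for the two firewall-mark services configured above; SAMPLE_LISTING is a constructed copy of the page's output with made-up addresses.

```shell
#!/bin/sh
# Added example, not from the Argos page: check that `ipvsadm -L` shows the two
# firewall-mark services configured above, each with exactly one real server of
# weight 1. The functions read the listing from stdin, so both a live
# `ipvsadm -L | ipvs_check 2 ipaddress_argos:0` and a saved copy work.

# Constructed listing in the format the page shows (addresses made up for the test).
SAMPLE_LISTING='IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
FWM  1 wlc persistent 100
  -> 127.0.0.1:0                  Local   1      1          7
FWM  2 wlc persistent 100
  -> 192.0.2.10:0                 Route   1      0          1'

# Print one "<fwm> <realserver> <forward> <weight>" line per real server.
# The header "-> RemoteAddress:Port" line is skipped because no FWM precedes it.
ipvs_realservers() {
    awk '$1 == "FWM" { fwm = $2; next }
         $1 == "->" && fwm != "" { print fwm, $2, $3, $4 }'
}

# ipvs_check <fwm> <realserver:port>: succeed only if that mark has exactly
# one real server, it is the expected one, and its weight is 1.
ipvs_check() {
    want_fwm=$1; want_rs=$2
    lines=$(ipvs_realservers | awk -v f="$want_fwm" '$1 == f')
    [ -n "$lines" ] || { echo "FWM $want_fwm: service or real server missing" >&2; return 1; }
    n=$(printf '%s\n' "$lines" | wc -l | tr -d ' ')
    [ "$n" -eq 1 ] || { echo "FWM $want_fwm: expected 1 real server, found $n" >&2; return 1; }
    set -- $lines
    [ "$2" = "$want_rs" ] || { echo "FWM $want_fwm: real server is $2, not $want_rs" >&2; return 1; }
    [ "$4" = "1" ] || { echo "FWM $want_fwm: weight is $4, not 1" >&2; return 1; }
}

# Stand-alone demo against the constructed listing (nepenthes on the tunnel server itself).
ipvs_demo() {
    printf '%s\n' "$SAMPLE_LISTING" | ipvs_check 1 127.0.0.1:0 &&
    printf '%s\n' "$SAMPLE_LISTING" | ipvs_check 2 192.0.2.10:0
}
```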

Starting Argos

To start Argos, run start.pl:

/opt/argos/start.pl

Check if all your network settings are correct!!!
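
An added example, not part of the Argos scripts, that automates the network-settings check for the host before start.pl is run. It assumes the paths used on this page and that iproute2's `ip' command is available for reading the br0 address; every check takes its input file as an argument so it can be run against test copies.

```shell
#!/bin/sh
# Added example, not from the Argos page: pre-flight checks for the Argos host before
# start.pl runs. Each check takes the file to inspect as an argument so it can be pointed
# at a test copy; argos_preflight applies them to the real paths used on this page.

# /etc/modprobe.d/blacklist must contain an uncommented "blacklist ipv6" line.
check_ipv6_blacklisted() {
    grep -Eq '^[[:space:]]*blacklist[[:space:]]+ipv6[[:space:]]*$' "$1"
}

# argos-ifup must be executable and enslave the tap interface it gets as $1 to br0.
check_argos_ifup() {
    [ -x "$1" ] && grep -q '^brctl addif br0 \$1' "$1"
}

# argos.conf and snitch.pl must not still carry the enter_* placeholders.
check_no_placeholders() {
    ! grep -Eq 'enter_(password|ipaddress)' "$1"
}

# $listenip and $gw in argos.conf ($1) must both equal the br0 address ($2).
check_listenip_matches_bridge() {
    for var in listenip gw; do
        v=$(grep "^\\\$$var[[:space:]]*=" "$1" | head -n 1 |
            sed "s/.*=[[:space:]]*[\"']//; s/[\"'].*//")
        [ "$v" = "$2" ] || return 1
    done
}

# Disk images must end in .img; the file holding the ip_forward sysctl must read 1.
check_image_name() { case "$1" in *.img) return 0 ;; *) return 1 ;; esac; }
check_ip_forward() { [ "$(cat "$1")" = "1" ]; }

# Run every check against the live system; print each failure, exit non-zero on any.
argos_preflight() {
    rc=0
    check_ipv6_blacklisted /etc/modprobe.d/blacklist || { echo "FAIL: ipv6 not blacklisted"; rc=1; }
    check_argos_ifup /etc/argos-ifup || { echo "FAIL: /etc/argos-ifup missing or wrong"; rc=1; }
    check_ip_forward /proc/sys/net/ipv4/ip_forward || { echo "FAIL: ip_forward is not 1"; rc=1; }
    for f in /opt/argos/argos.conf /opt/argos/snitch.pl; do
        check_no_placeholders "$f" || { echo "FAIL: placeholders left in $f"; rc=1; }
    done
    bridge_ip=$(ip -4 -o addr show br0 2>/dev/null | awk '{ sub("/.*", "", $4); print $4 }')  # iproute2 (assumed)
    check_listenip_matches_bridge /opt/argos/argos.conf "$bridge_ip" ||
        { echo "FAIL: \$listenip/\$gw differ from br0 address '$bridge_ip'"; rc=1; }
    for img in /opt/argos/images/*; do
        check_image_name "$img" || echo "WARN: $img lacks the .img extension"
    done
    return $rc
}
```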

 
kb/installing_argos.txt · Last modified: 2012/07/12 11:27 (external edit)