
5. Sensor Installation

5.1 Quick install

To rapidly install a sensor, these steps should do the trick, assuming all dependencies are satisfied.

  1. $ su -
  2. # cd /tmp
  3. # tar -zxvf sensor-1.0.tar.gz
  4. # cd ./sensor-1.0
  5. # ./install_sensor
  6. Read any errors reported, adjust as necessary, then repeat 4. If you are running some form of Linux, the sensor should now be monitoring interface eth0, and ps -ef should show that tcpdump is running. Other operating system/hardware combinations need a different interface name in sensor.conf.

    Have a look at /var/log/idabench/site0. It should look like:

    [root@sensorbox7 log]# ls -la /var/log/idabench/site0/
    total 36
    drwxrws---    2 root     idabench       4096 Mar 20 13:28 .
    drwxrws---    3 idabench idabench       4096 Mar 20 13:28 ..
    -rw-rw----    1 root     idabench         14 Mar 20 13:28 sensor.date
    -rw-rw----    1 root     idabench          6 Mar 20 13:28 site0.pid
    -rw-rw----    1 idabench idabench      16384 Mar 20 13:29 tcp.2003032013.gz
    -rw-rw----    1 root     idabench         51 Mar 20 13:28 tcpdump.err
    

    On the analyzer:

  7. Add a <this site> directory and <this site>/site0.ph to <idabenchroot>/etc/sites/ if it doesn't exist yet.
  8. Securely copy the analyzer idabench user's ssh public key to the sensor.
  9. Create a <this site> directory in <idabenchroot>/etc/sites/ and configure the site.ph and plugin filters appropriately.
See the Analyzer config section for additional details.
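Step 6 above asks you to confirm that the capture is running and that the site directory looks right. The following shell function is an added example, not part of the IDABench distribution: it checks one site's log directory against the listing shown above (sensor.date, a <site>.pid file, tcpdump.err, hourly tcp.<timestamp>.gz files), verifies that the recorded capture process is alive, and confirms that the directory is not readable by "other", since it holds raw traffic. The file names and the pid-file format are assumptions taken from that listing.

```sh
#!/bin/sh
# Added example (not IDABench's own code): sanity check for a sensor site's
# log directory after a quick install. Assumed layout, from the listing
# above: sensor.date, <site>.pid holding the capture pid, tcpdump.err, and
# tcp.<timestamp>.gz dump files.

# check_site_logs DIR SITE
#   Returns 0 when DIR holds the expected files, the recorded capture
#   process is alive and the directory is not world-accessible.
#   tcpdump normally writes its "listening on ..." banner to tcpdump.err,
#   so that file is shown for review rather than treated as an error.
check_site_logs() {
    dir=$1; site=$2; rc=0

    [ -d "$dir" ] || { echo "missing log directory: $dir"; return 1; }

    for f in sensor.date "$site.pid" tcpdump.err; do
        [ -f "$dir/$f" ] || { echo "missing $dir/$f"; rc=1; }
    done

    # Columns 8-10 of ls -ld are the "other" bits; raw captures must not
    # be readable by every local user (the listing shows drwxrws---).
    others=$(ls -ld "$dir" | cut -c8-10)
    [ "$others" = "---" ] || { echo "$dir is accessible by others ($others)"; rc=1; }

    # The pid file must name a live process.
    if [ -f "$dir/$site.pid" ]; then
        pid=$(tr -dc '0-9' < "$dir/$site.pid")
        if [ -z "$pid" ] || ! kill -0 "$pid" 2>/dev/null; then
            echo "capture process for $site (pid '$pid') is not running"; rc=1
        fi
    fi

    # Whatever tcpdump wrote to stderr is worth reading before trusting the sensor.
    if [ -s "$dir/tcpdump.err" ]; then
        echo "tcpdump reported:"; sed 's/^/    /' "$dir/tcpdump.err"
    fi

    # At least one compressed dump should appear within the first hour.
    ls "$dir"/tcp.*.gz >/dev/null 2>&1 || echo "note: no tcp.*.gz yet in $dir"

    return $rc
}

# Usage: check_site_logs /var/log/idabench/site0 site0
if [ $# -ge 2 ]; then
    check_site_logs "$@"
fi
```

Run it as root (or as a member of the idabench group) so that the pid check is not defeated by permissions; a non-zero exit means one of the listed conditions failed and the message says which.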

5.2 More detailed sensor installation

For the best understanding of what goes into an IDABench sensor, we recommend reading the scripts and their inline comments. Here is an overview of the scripts and of what the installer does:

sensor.conf

This file is read by both the install_sensor and sensor_driver scripts. It contains locations of preferred binaries, sensor-wide parameters, and definitions of each sensor "site". Jump to Sensor config for a field-by-field description.

sensor_driver.in

Here's the meat and potatoes of an IDABench sensor: the wrapper that starts and stops the actual packet capture process and manages the resulting dumpfiles in preparation for their retrieval by the analyzer(s). The .in version of sensor_driver is a template used to create the .pl version during install. sensor_driver.pl is called by the init.d script to start the sensor, and by crond(8) to restart it hourly.

sensor_driver.pl requires two command-line parameters: stop/start/restart and <sitename(s)>/ALL. For most installations, sensor_driver.pl start ALL is what should be in the crontab. Start and restart are synonymous: in both cases, any existing packet capture processes for the specified "site" are stopped and a new one is started. In earlier versions of IDABench, sensor_driver.pl would call stop_logger, then start_logger, to accomplish this task. To remove the latency incurred by Perl's runtime compilation of start_logger, and the packet loss it could cause, these have been incorporated into sensor_driver.pl as subroutines.

sensor_init.in

This is a template used to create the system startup script. The only change made to it during install is the SENSOR_PATH line. On Linux and Solaris the init.d script sensor is placed in the appropriate location for your system by install_sensor, and a symbolic link is created in the rc.X directories. On FreeBSD, the script is created as /usr/local/etc/rc.d/idabench.sh.

site0.filter

See SITEx_FILTER in the Sensor config section.

install_sensor

The installation script. It has been tested on various Linux distributions, FreeBSD 5.0, and Solaris 8. Here's a summary of its actions:

  1. Read current PATH and extend it to include other likely program locations.
  2. Use which(1) to locate executable dependencies in the extended path.
  3. Use uname(1) to identify OS.
  4. Read settings from sensor.conf, possibly overriding defaults and 'which'ed paths.
  5. Validate program locations.
  6. Create installation target location.
  7. Create user account that will own the packet capture files.
  8. Confirm user home directory. (Solaris users, see the discussion of SENSOR_USER_HOME, in Sensor config)
  9. Create a .ssh directory that will ultimately receive the analyzer user's key, and set its mode (permissions) to 0700.
  10. Create log directory into which all site specific directories will be placed.
  11. Create and/or update root's crontab to restart the packet capture hourly, if needed.
  12. Copy sensor_init.in to appropriate startup script location, editing SENSOR_PATH to reflect the actual installation path.
  13. Run chkconfig on Linux, or create the symbolic link /etc/rc2.d -> sensor on Solaris. This step isn't necessary on FreeBSD.
  14. Copy all of the files in the current directory to the installation path, if not currently there.
  15. Set permissions on scripts to 0755.
  16. Run the init script.
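Steps 1 through 5 of the installer summary (extend PATH, locate the dependencies, identify the OS, let sensor.conf override the located paths, validate the result) are the part most worth understanding when an install fails with a "program not found" message. The script below is an added example of that logic, not the real install_sensor. It assumes, for illustration, that sensor.conf can override a program with a line of the form NAME=/full/path (the real keys are described in the Sensor config section), and it uses the POSIX command -v where install_sensor uses which(1).

```sh
#!/bin/sh
# Added example (not IDABench's install_sensor): dependency resolution
# corresponding to installer steps 1-5. Assumed, for illustration only:
# sensor.conf may contain NAME=/full/path lines that override the path
# located on the search path.

# Step 1: extend PATH with other likely program locations, once each.
extend_path() {
    for d in /sbin /usr/sbin /usr/local/sbin /usr/local/bin /opt/sfw/bin; do
        case ":$PATH:" in
            *":$d:"*) ;;                 # already present
            *)        PATH="$PATH:$d" ;;
        esac
    done
    export PATH
    echo "$PATH"
}

# Step 3: identify the OS with uname(1); the installer uses this to decide
# between chkconfig, an rc2.d symlink, or the FreeBSD rc.d script.
detect_os() {
    case "$(uname -s)" in
        Linux)   echo linux ;;
        FreeBSD) echo freebsd ;;
        SunOS)   echo solaris ;;
        *)       echo unknown ;;
    esac
}

# Steps 2, 4 and 5: for each program name, take the path from CONF if one
# is given there, otherwise search PATH (command -v stands in for which(1)),
# then insist that the result is an existing executable file rather than
# a directory or a shell builtin. Prints name=path lines; returns 1 if any
# program failed validation, so the caller can stop before installing.
resolve_programs() {
    conf=$1; shift; rc=0
    for name in "$@"; do
        key=$(echo "$name" | tr 'a-z' 'A-Z')
        path=$(sed -n "s/^$key=//p" "$conf" 2>/dev/null | tail -n 1)
        if [ -z "$path" ]; then
            path=$(command -v "$name" 2>/dev/null)
        fi
        if [ -n "$path" ] && [ -f "$path" ] && [ -x "$path" ]; then
            echo "$name=$path"
        else
            echo "$name: not found or not executable (${path:-no candidate})" >&2
            rc=1
        fi
    done
    return $rc
}

# Usage: resolve_programs /path/to/sensor.conf tcpdump gzip perl
if [ $# -ge 2 ]; then
    extend_path >/dev/null
    echo "os=$(detect_os)"
    resolve_programs "$@"
fi
```

A validation step like this is also where an installer should refuse a path that is writable by unprivileged users, since whatever it finds will later run as root from cron and the init script.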

5.3 Uninstalling

Stopping the sensor is relatively simple; removing it is a bit more involved, as there are a fair number of moving pieces.

Stopping

The startup script (possibly installed as /etc/init.d/sensor, /usr/local/etc/rc.d/idabench.sh, /sbin/init.d/sensor, etc.) accepts a command-line parameter "stop", which kills the site-specific tcpdump and gzip processes and merges any partial logs, if merging is available.

    # <path to startup scripts>/sensor stop

On many Linux distributions, you can use the /sbin/service script:

    # service sensor stop

To keep the sensor from restarting, you can either remove that script, or on systems that use symbolic links in rc.X directories (Linux, Solaris), remove that link.

On most Linuxes, this is fairly straightforward with chkconfig(8):

    # chkconfig --del sensor

Otherwise, you will need to:

    # rm /etc/rc*.d/S99sensor

BSD variants do not use these symlinks, and require that the script be removed, or the execute permission on that script be removed:

    # chmod -x /usr/local/etc/rc.d/idabench.sh
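The "stop" action described above kills the site's capture process by the pid recorded in the site directory. The function below is an added example, not code from IDABench's startup script or sensor_driver.pl, of doing that carefully: a pid file written hours ago may name a process id that has since been reused, so the process name is checked before anything is signalled, and a zombie (which still answers kill -0) is not mistaken for a running capture. The <site>.pid file name comes from the listing in the quick install; the default expected process name tcpdump and the /proc fallback to ps(1) are assumptions.

```sh
#!/bin/sh
# Added example (not IDABench's own code): stop one site's capture process
# using its pid file, refusing to signal a pid that no longer belongs to
# the expected program. Assumes <site>.pid holds the capture pid.

# proc_name PID: the short command name of a process ("" if unknown).
proc_name() {
    if [ -r "/proc/$1/comm" ]; then
        cat "/proc/$1/comm"
    else
        ps -o comm= -p "$1" 2>/dev/null | sed 's#.*/##'
    fi
}

# is_alive PID: true if PID exists and is not a zombie. A zombie still
# answers kill -0, so on Linux the State line of /proc/PID/status is checked.
is_alive() {
    kill -0 "$1" 2>/dev/null || return 1
    if [ -r "/proc/$1/status" ] && grep -q '^State:.*Z' "/proc/$1/status"; then
        return 1
    fi
    return 0
}

# stop_site PIDFILE [EXPECTED_NAME]
#   Sends SIGTERM to the pid in PIDFILE if that pid is alive and runs
#   EXPECTED_NAME (default tcpdump), waits up to 10 s for it to exit, and
#   removes the pid file. A stale pid file is removed without signalling.
#   Returns 1 if the pid belongs to some other program or will not exit.
stop_site() {
    pidfile=$1; expect=${2:-tcpdump}
    [ -f "$pidfile" ] || { echo "no pid file $pidfile; nothing to stop"; return 0; }
    pid=$(tr -dc '0-9' < "$pidfile")
    [ -n "$pid" ] || { echo "$pidfile is empty or malformed" >&2; return 1; }

    if ! is_alive "$pid"; then
        echo "pid $pid is not running; removing stale $pidfile"
        rm -f "$pidfile"
        return 0
    fi

    name=$(proc_name "$pid")
    if [ "$name" != "$expect" ]; then
        echo "refusing to signal pid $pid: it is '$name', not '$expect'" >&2
        return 1
    fi

    kill -TERM "$pid"
    i=0
    while is_alive "$pid" && [ "$i" -lt 10 ]; do
        sleep 1; i=$((i + 1))
    done
    if is_alive "$pid"; then
        echo "pid $pid did not exit after SIGTERM" >&2
        return 1
    fi
    rm -f "$pidfile"
    echo "stopped $expect (pid $pid)"
}

# Usage: stop_site /var/log/idabench/site0/site0.pid
if [ $# -ge 1 ]; then
    stop_site "$@"
fi
```

Because the pid file is written by root and read back by a root cron job, the name check is what keeps an edited or stale pid file from turning "restart the sensor" into "terminate an arbitrary process".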

Removing

  1. Stop the sensor and remove the startup scripts as described above.
  2. Delete the sensor scripts directory and its contents; the default location is /usr/local/idabench/sensor/.
  3. Delete the log directories, archiving their contents first if desired. The default location is /var/log/idabench.
  4. Edit the root user's crontab (crontab -e), removing the lines inserted by the installer. They are commented to ease identification.
  5. Remove the SENSOR_USER and their home directory. userdel -r should do the trick.

