fsoderblom / backscatter

Automatically detect anomalies on a corporate internal network


Backscatter

Automatically detect anomalies on a corporate internal network

Pre-requisites

  - A Linux server running RHEL 7 (later releases should probably work fine too)
  - Two Ethernet interfaces: one for management and one that receives the traffic to be monitored
  - The default route should go out through the monitor interface
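The prerequisites above can be checked mechanically before the install starts. The script below is an added example, not code from the backscatter project: it parses `ip -o link` and `ip route` output, reports where the host deviates from the three prerequisites, and renders the ip-route style lines that go into the `route-ens192` file installed later. The interface names (ens192 as management, taken from that file name; ens224 as monitor), the management networks and the gateway are assumptions and constructed sample values, as are the embedded `ip` outputs.

```python
"""Pre-flight check for a backscatter sensor host.

Added example; it is not part of the backscatter project. It checks the three
prerequisites stated in the README against the output of `ip -o link` and
`ip route`, and renders the static-route file for the management interface.
Assumptions not stated on the page: ens192 is the management interface (the
README's route file is named route-ens192), ens224 is the monitor interface,
and the management networks/gateway below are constructed sample values.
"""
import subprocess

MGMT_IFACE = "ens192"        # assumption: management interface
MONITOR_IFACE = "ens224"     # assumption: monitor interface
MGMT_NETS = ["10.0.0.0/8"]   # constructed: networks reached via the management gateway
MGMT_GW = "192.0.2.1"        # constructed: management gateway

# Constructed sample output of `ip -o link show` on a correctly set-up host.
SAMPLE_LINKS = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
2: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
3: ens224: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
"""

# Constructed sample output of `ip route show`: the default route leaves via the
# monitor interface, the management networks are reached through the management gateway.
SAMPLE_ROUTES = """\
default via 10.99.0.1 dev ens224
10.0.0.0/8 via 192.0.2.1 dev ens192
192.0.2.0/24 dev ens192 proto kernel scope link src 192.0.2.50
10.99.0.0/24 dev ens224 proto kernel scope link src 10.99.0.50
"""


def interfaces(link_text):
    """Return the non-loopback interface names found in `ip -o link` output."""
    names = []
    for line in link_text.splitlines():
        parts = line.split(": ", 2)
        if len(parts) < 3:
            continue
        flags = parts[2].split()[0]           # e.g. <BROADCAST,MULTICAST,UP,LOWER_UP>
        if "LOOPBACK" in flags:
            continue
        names.append(parts[1].split("@")[0])  # strip "@parent" from VLAN/veth names
    return names


def parse_routes(route_text):
    """Return (destination, gateway or None, device) tuples from `ip route` output."""
    routes = []
    for line in route_text.splitlines():
        fields = line.split()
        if not fields:
            continue
        gateway = fields[fields.index("via") + 1] if "via" in fields else None
        device = fields[fields.index("dev") + 1] if "dev" in fields else None
        routes.append((fields[0], gateway, device))
    return routes


def check_prerequisites(link_text, route_text, mgmt_iface=MGMT_IFACE,
                        monitor_iface=MONITOR_IFACE, mgmt_nets=MGMT_NETS):
    """Return a list of findings; an empty list means the host matches the prerequisites."""
    findings = []
    names = interfaces(link_text)
    if len(names) < 2:
        findings.append("fewer than two Ethernet interfaces present")
    for required in (mgmt_iface, monitor_iface):
        if required not in names:
            findings.append(f"interface {required} not found")
    routes = parse_routes(route_text)
    defaults = [r for r in routes if r[0] == "default"]
    if not defaults:
        findings.append("no default route")
    elif defaults[0][2] != monitor_iface:
        findings.append(f"default route leaves via {defaults[0][2]}, expected {monitor_iface}")
    for net in mgmt_nets:
        if not any(r[0] == net and r[1] and r[2] == mgmt_iface for r in routes):
            findings.append(f"no static route for {net} via {mgmt_iface}; add it to route-{mgmt_iface}")
    return findings


def route_file_lines(mgmt_nets=MGMT_NETS, gateway=MGMT_GW, mgmt_iface=MGMT_IFACE):
    """Render /etc/sysconfig/network-scripts/route-<iface> in the ip-route syntax
    that RHEL 7 network-scripts accept, one line per management network."""
    return [f"{net} via {gateway} dev {mgmt_iface}" for net in mgmt_nets]


def live_check():
    """Run the same checks against the host this script executes on (read-only)."""
    links = subprocess.run(["ip", "-o", "link", "show"], capture_output=True, text=True, check=True).stdout
    routes = subprocess.run(["ip", "route", "show"], capture_output=True, text=True, check=True).stdout
    return check_prerequisites(links, routes)


if __name__ == "__main__":
    for finding in check_prerequisites(SAMPLE_LINKS, SAMPLE_ROUTES) or ["sample host: OK"]:
        print(finding)
    print("\n".join(route_file_lines()))
```

Run with no arguments to evaluate the embedded sample; call `live_check()` on the sensor host to evaluate its real routing table. The script only reports: a default route that leaves through the management interface shows up as a finding, nothing on the host is changed.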

Steps

  1. Add a user for backscatter

```sh
useradd -c "Backscatter user" scatter
```

  2. Download the latest version of nmap and compile it (optional)

```sh
tar zxvf nmap-X.XX.tgz
cd nmap-X.XX
./configure
make
make install
```

  3. Copy the files required for the web interface

```sh
mkdir /srv
chmod 555 /srv
cp -a <git>/root/srv/ /srv/
```

  4. Install afterglow, backscatter and fifo

```sh
cp -a <git>/root/opt/ /opt/
```

Fetch and install afterglow from https://afterglow.sourceforge.net/

  5. Ensure all necessary static routes are in place for the management interface

```sh
vi <git>/root/etc/sysconfig/network-scripts/route-ens192
cp <git>/root/etc/sysconfig/network-scripts/route-ens192 /etc/sysconfig/network-scripts/
```

  6. Install the sysctl configuration file for backscatter

```sh
cp <git>/root/etc/sysctl.d/zz-backscatter.conf /etc/sysctl.d/
sysctl -p /etc/sysctl.d/zz-backscatter.conf
```

  7. Install the required RPMs

```sh
yum -y install tcpdump lsof rcs
yum -y install pcre-tools perl-File-Tail perl-Net-CIDR perl-Text-CSV perl-Date-Manip
yum -y install nginx nginx-mod-mail nginx-mod-http-xslt-filter nginx-all-modules nginx-filesystem nginx-mod-http-image-filter nginx-mod-http-perl nginx-mod-stream mariadb mariadb-server php php-fpm php-mysql php-common php-cli php-pdo
yum -y install openssl-devel
```

  8. Install the configuration file for NGINX

```sh
cp <git>/root/etc/nginx/nginx.conf /etc/nginx/nginx.conf
```

  9. Create the necessary directories

```sh
mkdir -p /u/backscatter/ /u/offline/ /var/spool/backscatter/scan
chown -R scatter:scatter /u/backscatter/ /u/offline/ /var/spool/backscatter
```

  10. Install the sudo configuration file for backscatter

```sh
cp <git>/root/etc/sudoers.d/backscatter /etc/sudoers.d/backscatter
```

  11. Install the rsyslog configuration files and restart rsyslog

```sh
cp <git>/root/etc/rsyslog.d/backscatter.conf /etc/rsyslog.d/
cp <git>/root/etc/rsyslog.d/audispd.conf /etc/rsyslog.d/
systemctl restart rsyslog.service
```

  12. Create the MySQL database and tables needed by backscatter (run in the mysql client)

```sql
CREATE DATABASE backscatter;
USE backscatter;
CREATE TABLE `matches` (
 `id` int(11) NOT NULL AUTO_INCREMENT,
 `proto` varchar(20) COLLATE utf8_swedish_ci DEFAULT NULL,
 `srcip` varchar(100) COLLATE utf8_swedish_ci DEFAULT NULL,
 `srcport` varchar(10) COLLATE utf8_swedish_ci DEFAULT NULL,
 `dstip` varchar(100) COLLATE utf8_swedish_ci DEFAULT NULL,
 `dstport` varchar(10) COLLATE utf8_swedish_ci DEFAULT NULL,
 `reason` varchar(255) COLLATE utf8_swedish_ci DEFAULT NULL,
 `timestamp` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
 PRIMARY KEY (`id`),
 KEY `srcip` (`srcip`,`dstip`),
 KEY `dstport` (`dstport`),
 KEY `reason` (`reason`)
) ENGINE=MyISAM DEFAULT CHARSET=utf8 COLLATE=utf8_swedish_ci;
CREATE TABLE `state` (
 `srcip` varchar(100) COLLATE utf8_swedish_ci NOT NULL DEFAULT '',
 `dstip` varchar(100) COLLATE utf8_swedish_ci NOT NULL DEFAULT '',
 `hits` int(20) DEFAULT NULL,
 `comment` varchar(255) COLLATE utf8_swedish_ci DEFAULT NULL,
 `timestamp` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
 PRIMARY KEY (`srcip`,`dstip`)
) ENGINE=MyISAM DEFAULT CHARSET=utf8 COLLATE=utf8_swedish_ci;
```

  13. Grant access to backscatter (daemon, read/write) and bracksmatter (web UI, read only)

```sql
GRANT USAGE ON *.* TO 'backscatter'@'localhost' IDENTIFIED BY '<secret>';
GRANT ALL PRIVILEGES ON `backscatter`.* TO 'backscatter'@'localhost';
GRANT USAGE ON *.* TO 'bracksmatter'@'localhost' IDENTIFIED BY '<secret>';
GRANT SELECT ON `backscatter`.* TO 'bracksmatter'@'localhost';
```

  14. Install the systemd unit files and start the services

```sh
cp <git>/root/etc/systemd/system/anyip-listener.service /etc/systemd/system/
cp <git>/root/etc/systemd/system/backscatter.service /etc/systemd/system/
cp <git>/root/etc/systemd/system/report_backscatter.service /etc/systemd/system/
cp <git>/root/etc/systemd/system/feed-routes.service /etc/systemd/system/
cp <git>/root/etc/systemd/system/fifo.service /etc/systemd/system/
systemctl daemon-reload
systemctl enable anyip-listener.service backscatter.service report_backscatter.service feed-routes.service fifo.service
systemctl start anyip-listener.service backscatter.service report_backscatter.service feed-routes.service fifo.service
```
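The `matches` and `state` tables and the two GRANT statements above define what the daemon writes and what the web UI may read. The script below is an added example, not backscatter project code: it re-creates both tables in an in-memory SQLite database (the MariaDB-only parts, ENGINE, COLLATE and the AUTO_INCREMENT value, are dropped), fills them from a constructed set of observations, runs the kind of SELECT-only report the read-only web UI account would run, and shows that a write fails when the connection is switched to query-only, mirroring the SELECT grant. How the daemon relates the two tables (one `matches` row per observed connection, one `state` row per (srcip, dstip) with a hit counter) is an assumption made here, not something the README states.

```python
"""Exercise the `matches` and `state` tables from the README.

Added example, not backscatter project code. The two CREATE TABLE statements
are re-created in an in-memory SQLite database with the MariaDB-only parts
(ENGINE, COLLATE, AUTO_INCREMENT value) dropped. How the daemon fills the
tables is an assumption made here: one row per observed connection in
`matches`, and a per-(srcip, dstip) hit counter in `state`. The sample
observations are constructed.
"""
import sqlite3

SCHEMA = """
CREATE TABLE matches (
  id        INTEGER PRIMARY KEY AUTOINCREMENT,
  proto     TEXT,
  srcip     TEXT,
  srcport   TEXT,
  dstip     TEXT,
  dstport   TEXT,
  reason    TEXT,
  timestamp TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP
);
CREATE INDEX matches_srcip   ON matches (srcip, dstip);
CREATE INDEX matches_dstport ON matches (dstport);
CREATE INDEX matches_reason  ON matches (reason);
CREATE TABLE state (
  srcip     TEXT NOT NULL DEFAULT '',
  dstip     TEXT NOT NULL DEFAULT '',
  hits      INTEGER,
  comment   TEXT,
  timestamp TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
  PRIMARY KEY (srcip, dstip)
);
"""

# Constructed sample observations: (proto, srcip, srcport, dstip, dstport, reason).
# 10.20.30.40 touches three different ports on one unused address and one more on
# another; 10.20.31.7 only probes SNMP on a single address.
SAMPLE_MATCHES = [
    ("tcp", "10.20.30.40", "51001", "10.200.1.5", "22",   "unused address"),
    ("tcp", "10.20.30.40", "51002", "10.200.1.5", "445",  "unused address"),
    ("tcp", "10.20.30.40", "51003", "10.200.1.5", "3389", "unused address"),
    ("tcp", "10.20.30.40", "51004", "10.200.1.6", "22",   "unused address"),
    ("udp", "10.20.31.7",  "40000", "10.200.1.9", "161",  "unused address"),
    ("udp", "10.20.31.7",  "40001", "10.200.1.9", "161",  "unused address"),
]


def open_db():
    """Create the schema in a fresh in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def record_match(conn, proto, srcip, srcport, dstip, dstport, reason):
    """Log one observation (daemon role, the ALL PRIVILEGES grant). Parameterised
    statements keep packet-derived strings out of the SQL text."""
    with conn:
        conn.execute(
            "INSERT INTO matches (proto, srcip, srcport, dstip, dstport, reason) "
            "VALUES (?, ?, ?, ?, ?, ?)",
            (proto, srcip, srcport, dstip, dstport, reason))
        conn.execute("INSERT OR IGNORE INTO state (srcip, dstip, hits) VALUES (?, ?, 0)",
                     (srcip, dstip))
        conn.execute("UPDATE state SET hits = hits + 1, timestamp = CURRENT_TIMESTAMP "
                     "WHERE srcip = ? AND dstip = ?", (srcip, dstip))


def sources_by_distinct_ports(conn, min_ports):
    """Web-UI style report (SELECT only): sources that touched at least min_ports
    distinct destination ports, i.e. sweep-like behaviour. Rows: (srcip, ports, hits)."""
    return conn.execute(
        "SELECT srcip, COUNT(DISTINCT dstport), COUNT(*) FROM matches "
        "GROUP BY srcip HAVING COUNT(DISTINCT dstport) >= ? "
        "ORDER BY COUNT(DISTINCT dstport) DESC, srcip", (min_ports,)).fetchall()


def state_for(conn, srcip):
    """Per-destination hit counters kept in `state` for one source."""
    return conn.execute("SELECT dstip, hits FROM state WHERE srcip = ? ORDER BY dstip",
                        (srcip,)).fetchall()


def readonly_insert_rejected(conn):
    """Model the web-UI account, which the README grants SELECT only: with the
    connection switched to query-only, a write must fail."""
    conn.execute("PRAGMA query_only = 1")
    try:
        conn.execute("INSERT INTO state (srcip, dstip, hits) VALUES ('x', 'y', 1)")
        return False
    except sqlite3.OperationalError:
        return True
    finally:
        conn.execute("PRAGMA query_only = 0")


def load_sample():
    """Load the constructed observations into a fresh database."""
    conn = open_db()
    for observation in SAMPLE_MATCHES:
        record_match(conn, *observation)
    return conn


if __name__ == "__main__":
    db = load_sample()
    for srcip, ports, hits in sources_by_distinct_ports(db, 3):
        print(f"{srcip}: {ports} distinct ports, {hits} hits -> {state_for(db, srcip)}")
    print("read-only insert rejected:", readonly_insert_rejected(db))
```

The threshold in `sources_by_distinct_ports` is the knob a report would tune: with the sample data, 3 distinct ports singles out the one source that walked several services, while the SNMP-only source stays below it. The same SELECT works unchanged against the MariaDB schema under the `bracksmatter` account.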

About


License: GNU Affero General Public License v3.0


Languages

  - PHP 49.6%
  - Perl 24.1%
  - Shell 20.7%
  - CSS 3.5%
  - Python 1.2%
  - HTML 0.5%
  - Hack 0.4%