Thursday, May 30, 2013

Install nfsight plugin for nfsen on CentOS 6


Install nfsight plugin for nfsen netflow/sflow collector/analyser on CentOS 6 (and probably RedHat 6)

This was done with nfsen 1.3.6p1 and nfdump 1.6.6 -- i have not yet upgraded to any newer versions which may may be different.

This was one of the most difficult installations I've done to date.  I had attempted to do so at least twice if not thrice without success.  The key was to know about the chgrp command which I had not used before.  Also mysql was not something I was overly familiar with.  I attempted this task knowing I had failed in the past, but I also knew I had gained more Linux experience since those attempts.  I was very excited to succeed this time.

Here are my notes, because quite frankly I have not found any hints online other than the official installation guide which is bare minimum.

Please comment, especially if you find errors or know better solutions.  Enjoy.

Edit: newer nfsight version available: nfsight-beta-20140905.tgz ; just replace references.

######################################################
### Install nfsight plugin for nfsen on CentOS 6.4 ###
### http://sourceforge.net/p/nfsight/home/Nfsight/ ###
### Prerequisite: nfsen/nfdump already operational ###
######################################################

#################################################################
### Your nfsen and webserver directories may indeed be different.
### Apply settings as they pertain to your directory structure.
###
### My server's configuration:
### nfsen installed to /usr/local/nfsen
### nfsen website installed to /var/www/html/nfsen
### website owner=root, group=apache
###
### All commands performed as root.
#################################################################

### install prerequisites
yum install mysql mysql-server perl-DBI perl-DBD-MySQL php-mysql

### download and untar nfsight v.20130323
cd ~
wget http://sourceforge.net/projects/nfsight/files/nfsight-beta-20130323.tgz/download
tar xvfz nfsight-beta-20130323.tgz
cd ~/nfsight-beta-20130323

### following http://sourceforge.net/p/nfsight/wiki/Installation/

### copy nfsight.pm to plugins directory
cp ~/nfsight-beta-20130323/backend/nfsight.pm /usr/local/nfsen/plugins/

### make nfsight data directory and set rights
mkdir /var/www/html/nfsen/plugins/nfsight
chgrp -R apache /var/www/html/nfsen/plugins/nfsight

### make nfsight website directory
mkdir /var/www/html/nfsen/nfsight

### copy frontend to nfsight website directory
cp -R ~/nfsight-beta-20130323/frontend/* /var/www/html/nfsen/nfsight/

### set rights to nfsight website
chgrp -R apache /var/www/html/nfsen/nfsight/

### unsure if necessary - set write permissions for apache
chmod g+w /var/www/html/nfsen/nfsight/
chmod g+w /var/www/html/nfsen/plugins/nfsight
### if nothing else apache must write config.php
### touch /var/www/html/nfsen/nfsight/config.php
### chmod g+w /var/www/html/nfsen/nfsight/config.php

### install mysql service and start it 
yum install chkconfig 
chkconfig mysqld on
service mysqld start

### first time setup of mysql
/usr/bin/mysql_secure_installation


#################################################################
### create nfsight database -- probably overkill but this worked
#################################################################
mysql -u root -p 
Enter password: 

mysql> CREATE DATABASE nfsight

mysql> GRANT ALL PRIVILEGES ON nfsight.* TO root@'%' IDENTIFIED BY 'password';
Query OK, 0 rows affected (0.00 sec)

mysql> grant all privileges on nfsight.* TO root@localhost IDENTIFIED BY 'password';
Query OK, 0 rows affected (0.00 sec)

mysql> GRANT ALL PRIVILEGES ON nfsight.* TO 'root'@'%' WITH GRANT OPTION;
Query OK, 0 rows affected (0.00 sec)

mysql> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.00 sec)

mysql> quit
Bye

#################################################################
### launch http://yourserver/nfsight/installer.php
### 
### setup as you desire including proper paths:
### URL = /nfsight/
### Path to data files = /var/www/html/nfsen/plugins/nfsight
#################################################################

#################################################################
### settings can be edited later without installer.php: 
### nano /var/www/html/nfsen/nfsight/config.php
### nano /var/www/html/nfsen/nfsight/detail.php
#################################################################

#################################################################
### edit detail.php to include proper paths:
### /bin/grep
### /bin/cat
### /usr/bin/pcv
#################################################################
nano /var/www/html/nfsen/nfsight/detail.php


#################################################################
### edit /usr/local/nfsen/etc/nfsen.conf
### add settings as output by installer.php
### 
### your setting may vary:
#################################################################
@plugins = (
[ '*', 'nfsight' ],
);

%PluginConf = (\
nfsight => {
            path => "/var/www/html/nfsen/plugins/nfsight",
                expiration => "180",
                processing_timer => "",
                network => {
                        "10.0.0.0" => "8",
                },
                scanner_limit => "5",
                bidirectional_via_nfdump => "",
                print_int_scanner => "1",
                print_ext_scanner => "1",
                print_int_client => "0",
                print_ext_client => "0",
                print_int_server => "1",
                print_ext_server => "0",
                print_int_invalid => "0",
                print_ext_invalid => "0",
                sql_host => "localhost",
                sql_port => "3306",
                sql_user => "root",
                sql_pass => "password",
                sql_db => "nfsight",
        },

);
#################################################################

### restart nfsen
/usr/local/nfsen/bin/nfsen stop
/usr/local/nfsen/bin/nfsen start
/usr/local/nfsen/bin/nfsen status

### edit cron jobs as decribed from installer.php
crontab -e
06 * * * *  /usr/bin/wget --no-check-certificate -q -O - http://management:aggregate@127.0.0.1/nfsight/aggregate.php


#################################################################
### optional: install picviz
#################################################################
### picviz 0.6-8 has only one dependency issue in CentOS 6.4
### picviz 0.6-8 requires libev available in the EPEL repository
### What is EPEL?: https://fedoraproject.org/wiki/EPEL
#################################################################

### Install the EPEL repository 
### This is the 64-bit version, you may need to locate the 32-bit version
rpm -Uvh http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm

### install picviz prerequisite libev from EPEL
yum install libev

### install picviz 0.6-8 64-bit
wget https://depots.global-sp.net/CentOS/6/x86_64/picviz-0.6-8.el6.x86_64.rpm
rpm -i picviz-0.6-8.el6.x86_64.rpm 
wget https://depots.global-sp.net/CentOS/6/x86_64/picviz-plugin-pngcairo-0.6-8.el6.x86_64.rpm
rpm -i picviz-plugin-pngcairo-0.6-8.el6.x86_64.rpm 

### fix errors decribed by nfsight regarding picviz
chmod g+w /var/www/html/nfsen/nfsight/cache
chmod g+x /var/www/html/nfsen/nfsight/bin/biflow2picviz.pl

---------------

2 comments:

  1. I'm "published" lmao, well I'm "mentioned" :) :
    http://holisticinfosec.blogspot.com/2013/08/toolsmith-c3cm-part-1-nfsight-with.html
    http://holisticinfosec.org/toolsmith/pdf/august2013.pdf

    ReplyDelete
  2. New version of nfsight available: v 20140905
    http://sourceforge.net/projects/nfsight/files/nfsight-beta-20140905.tgz/download

    ReplyDelete

Comments, Suggestions or "Thank you's" Invited!