A Sagan port for OpenBSD is also available.
Install the git package:

```sh
# pkg_add git
```

Fetch the ports tree (OpenBSD Ports: Fetching the Ports Tree):

```sh
$ cd /tmp
$ ftp https://cdn.openbsd.org/pub/OpenBSD/$(uname -r)/{ports.tar.gz,SHA256.sig}
$ signify -Cp /etc/signify/openbsd-$(uname -r | cut -c 1,3)-base.pub -x SHA256.sig ports.tar.gz
```

Unpack the ports archive:

```sh
$ cd /usr
# tar xzf /tmp/ports.tar.gz
```

TODO: build as regular user

I know it's a bad idea to compile sources as root, but this is a test build machine so I don't care for now:

```sh
# cd /usr/ports/PORT/PATH && make && make install
```
| Dependency name | Path for BSD in Sagan documentation | Path in OpenBSD 6.6 ports tree |
|---|---|---|
| libpcre | /usr/ports/devel/pcre | /usr/ports/devel/pcre |
| libyaml | /usr/ports/textproc/libyaml | /usr/ports/devel/libyaml |
| liblognorm | (missing) | /usr/ports/devel/liblognorm |
| libfastjson | (missing) | /usr/ports/devel/libfastjson |
| libesmtp | /usr/ports/mail/libesmtp | (missing) |
| libmaxminddb | (missing) | /usr/ports/net/libmaxminddb |
| libhiredis | (missing) | /usr/ports/databases/libhiredis |
| libpcap | (missing) | Already installed as part of the base system |
| Steps in Sagan documentation | Steps in OpenBSD 6.6 |
|---|---|
| `$ git clone https://github.com/beave/sagan` | `$ git clone https://github.com/beave/sagan` |
| `$ ./autogen.sh` | Installing liblognorm from the previous chapter will also install autoconf-2.69 and automake-1.15 as dependencies. At this step we have 2 installed versions of autoconf and 2 versions of automake, so we must choose which one to use; otherwise I'm getting the following messages: |
| `$ ./configure` | Using clang instead of gcc since it is the default compiler in OpenBSD for amd64/i386. |
| `$ make` | DIRTYHACK: hardcoded the PageSupportsRWX macro to 0 (W^X is enabled by default in OpenBSD); otherwise I'm getting these errors: |
| `$ sudo make install` | Not sure if I should use /usr/local/etc instead of /etc for storing the sagan configuration (see OpenBSD Porting Policy). |
Create a “sagan” user and related directories:
| Sagan documentation | OpenBSD 6.6 |
|---|---|
| `sudo useradd --system -d /var/sagan -s /bin/false sagan` | `doas useradd -L daemon -d /var/sagan -s /bin/false sagan` |
Checkout the “sagan-rules” repository
```sh
$ cd /usr/local/etc
$ doas git clone https://github.com/beave/sagan-rules
```
Run sagan as the root user.
```text
# sagan --debug syslog,engine
[W] The operating system doens't allow RWX pages. Disabling PCRE JIT.
[...]
[*] Loading /usr/local/etc/sagan-rules/* rule file.
[...]
[E] [rules.c, line 2879] Invalid threshold time 'seconds' at line 31 in /usr/local/etc/sagan-rules/honeyd.rules. Abort.
```
Disabled honeyd.rules in /usr/local/etc/sagan.yaml
Let’s try again:
```text
# sagan --debug syslog,engine
[...]
[E] [rules.c, line 2823] Invalid threshold type ' type threshold' at line 93 in /usr/local/etc/sagan-rules/palo-alto.rules. Threshold type must be 'limit' or 'suppress'. Abort.
```
Disabled palo-alto.rules in /usr/local/etc/sagan.yaml as well.
Another try:
```text
# sagan --debug syslog,engine
[...]
[*] ---------------------------------------------------------------------------
[*] Initializing shared memory objects.
[*] ---------------------------------------------------------------------------
[E] [ipc.c, line 488] Cannot open() for counters. [/dev/shm/sagan-counters.shared:No such file or directory]
```
Not sure if it's right: I've created the /var/sagan/ipc directory and mounted it as a memory-based file system with mount_mfs:
```sh
# mkdir /var/sagan/ipc
# chown sagan:sagan /var/sagan/ipc
# mount_mfs -s 32m swap /var/sagan/ipc
```
Change the ipc-directory option in /usr/local/etc/sagan.yaml:

```yaml
ipc-directory: /var/sagan/ipc
```
One more time:
```text
# sagan --debug syslog,engine
[...]
[*] Spawning 100 Processor Threads.
[*]
[*] Attempting to open syslog FIFO (/var/sagan/fifo/sagan.fifo).
```
```text
# ls -la /var/sagan/ipc
total 200
drwxr-xr-x  2 sagan  sagan        512 Jan 26 21:58 .
drwxr-xr-x  4 sagan  sagan        512 Jan 26 21:54 ..
-rw-------  1 sagan  sagan  660480000 Jan 26 21:58 sagan-after2.shared
-rw-------  1 sagan  sagan         40 Jan 26 21:59 sagan-counters.shared
-rw-------  1 sagan  sagan  660000000 Jan 26 21:58 sagan-flexbits.shared
-rw-------  1 sagan  sagan  660480000 Jan 26 21:58 sagan-threshold2.shared
-rw-------  1 sagan  sagan  658880000 Jan 26 21:58 sagan-xbits.shared
```
Manually generate a test syslog message in “pipe” format:
```sh
echo "192.0.2.1|local0|info|info|sshd|2001-01-01|00:00:00|sshd| User ubuntu not allowed because shell /etc/passwd is not executable" | doas tee /var/sagan/fifo/sagan.fifo
```
sagan output:
```text
[*] Successfully opened FIFO (/var/sagan/fifo/sagan.fifo).
[D] [sagan.c, line 1181] [batch position 0] Raw log: 192.0.2.1|local0|info|info|sshd|2001-01-01|00:00:00|sshd| User ubuntu not allowed because shell /etc/passwd is not executable
[W] FIFO writer closed. Waiting for FIFO writer to restart....
[D] [processor.c, line 136] [batch position 0] Raw log: 192.0.2.1|local0|info|info|sshd|2001-01-01|00:00:00|sshd| User ubuntu not allowed because shell /etc/passwd is not executable
[D] [processor.c, line 165] **[Parsed Syslog]*********************************
[D] [processor.c, line 166] Host: 192.0.2.1 | Program: sshd | Facility: local0 | Priority: info | Level: info | Tag: sshd | Date: 2001-01-01 | Time: 00:00:00 | Event ID:
[D] [processor.c, line 167] Parsed message: User ubuntu not allowed because shell /etc/passwd is not executable
[D] [processors/engine.c, line 1336] **[Trigger]*********************************
[D] [processors/engine.c, line 1337] Program: sshd | Facility: local0 | Priority: info | Level: info | Tag: sshd
[D] [processors/engine.c, line 1338] Threshold flag: 0 | After flag: 0 | Flexbit Flag: 0 | Flexbit status: 0
[D] [processors/engine.c, line 1339] Triggering Message: User ubuntu not allowed because shell /etc/passwd is not executable
[D] [processors/engine.c, line 1336] **[Trigger]*********************************
[D] [processors/engine.c, line 1337] Program: sshd | Facility: local0 | Priority: info | Level: info | Tag: sshd
[D] [processors/engine.c, line 1338] Threshold flag: 0 | After flag: 0 | Flexbit Flag: 0 | Flexbit status: 0
[D] [processors/engine.c, line 1339] Triggering Message: User ubuntu not allowed because shell /etc/passwd is not executable
```
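The test line and the "[Parsed Syslog]" output above are the clearest description of the pipe format this page gives. The following is an added Python example (mine, not Sagan's code) that builds and parses such records before they go into the FIFO. It assumes the field order host|facility|priority|level|tag|date|time|program|message, read off the sample line and the parsed output; the facility and level keyword sets are the standard syslog names, and `PipeRecord`, `format_pipe` and `parse_pipe` are names chosen here.

```python
"""Build and parse records in Sagan's "pipe" input format (added example).

Field order, assumed from the test line written into the FIFO on this page
and from the "[Parsed Syslog]" debug output Sagan printed for it:

    host|facility|priority|level|tag|date|time|program|message
"""
from dataclasses import dataclass

FIELDS = ("host", "facility", "priority", "level", "tag",
          "date", "time", "program", "message")

# Standard syslog facility and severity keywords (the syslog.conf names),
# used here to catch typos before a record is written into the FIFO.
FACILITIES = {"kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp"} | {f"local{i}" for i in range(8)}
LEVELS = {"emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"}


@dataclass
class PipeRecord:
    host: str
    facility: str
    priority: str   # "info" in the sample, same as level; passed through unchecked
    level: str
    tag: str
    date: str       # YYYY-MM-DD, as in the sample line
    time: str       # HH:MM:SS
    program: str
    message: str


def format_pipe(rec: PipeRecord) -> str:
    """Serialise a record as one FIFO line (without the trailing newline).

    Rejects input that would corrupt the record rather than merely mis-tag it:
    a line break in any field would split the record in two inside the FIFO,
    and a '|' in any of the eight header fields would shift every field after
    it. The message is the last field, so '|' is accepted there; parse_pipe()
    splits at most eight times for the same reason. Whether Sagan itself keeps
    a '|' inside the message is not shown on this page.
    """
    for name in FIELDS:
        value = getattr(rec, name)
        if "\n" in value or "\r" in value:
            raise ValueError(f"{name}: line break not allowed in a pipe record")
        if name != "message" and "|" in value:
            raise ValueError(f"{name}: '|' not allowed in a header field")
    if rec.facility not in FACILITIES:
        raise ValueError(f"unknown syslog facility {rec.facility!r}")
    if rec.level not in LEVELS:
        raise ValueError(f"unknown syslog level {rec.level!r}")
    return "|".join(getattr(rec, name) for name in FIELDS)


def parse_pipe(line: str) -> PipeRecord:
    """Parse one FIFO line back into a PipeRecord (inverse of format_pipe)."""
    parts = line.rstrip("\r\n").split("|", len(FIELDS) - 1)
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    # Sagan's "Parsed message:" output drops the blank after the last '|'.
    parts[-1] = parts[-1].strip()
    return PipeRecord(*parts)


# Constructed sample: the exact test line fed into the FIFO on this page.
SAMPLE_LINE = ("192.0.2.1|local0|info|info|sshd|2001-01-01|00:00:00|sshd|"
               " User ubuntu not allowed because shell /etc/passwd is not executable")

if __name__ == "__main__":
    rec = parse_pipe(SAMPLE_LINE)
    print(rec)
    print(format_pipe(rec))
```

A writer feeding the FIFO from a script would call `format_pipe()` and append a newline per record; the checks in it matter because the FIFO carries no framing other than the newline, so one stray line break or pipe in a field silently misaligns everything Sagan parses after it.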
```text
# cat /var/log/sagan/alert.log
[**] [1:5000020:4] [OPENSSH] Not executable shell - login attempt [**]
[Classification: unsuccessful-user] [Priority: 1] [192.0.2.1]
[Alert Time: 01-26-2020 22:08:30.071085]
2001-01-01 00:00:00 192.0.2.1:514 -> 192.0.2.1:22 local0 info sshd
Message: User ubuntu not allowed because shell /etc/passwd is not executable
[Xref => http://wiki.quadrantsec.com/bin/view/Main/5000020]

[**] [1:5000077:3] [OPENSSH] Attempt to login using a denied user [**]
[Classification: unsuccessful-user] [Priority: 1] [192.0.2.1]
[Alert Time: 01-26-2020 22:08:30.071085]
2001-01-01 00:00:00 192.0.2.1:514 -> 192.0.2.1:22 local0 info sshd
Message: User ubuntu not allowed because shell /etc/passwd is not executable
[Xref => http://wiki.quadrantsec.com/bin/view/Main/5000077]
```
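The two alert.log entries above are what a collector would have to pick up from this box. Here is an added Python example (mine, not Sagan's code) that parses that alert format into dictionaries and does the two things a SOC usually wants first: count alerts per signature and filter on priority. The regular expression is written against the layout shown above; the field names are chosen here, and labelling the middle word of the `local0 info sshd` line as "level" is an assumption, since the debug output prints both Priority and Level as "info".

```python
"""Parse Sagan's alert.log entries (the Snort-style alert format shown above)
into dictionaries, so they can be counted, filtered or shipped elsewhere.
Added example, not Sagan's own code; field names are chosen here.
"""
import re
from collections import Counter

# One entry, after the file's line breaks have been collapsed to single spaces.
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<name>.*?) \[\*\*\] "
    r"\[Classification: (?P<classification>[^\]]+)\] "
    r"\[Priority: (?P<priority>\d+)\] "
    r"\[(?P<host>[^\]]+)\] "
    r"\[Alert Time: (?P<alert_time>[^\]]+)\] "
    r"(?P<date>\S+) (?P<time>\S+) (?P<src>\S+) -> (?P<dst>\S+) "
    # The sample shows "local0 info sshd"; the debug output above prints both
    # Priority and Level as "info", so the middle word is labelled "level"
    # here as an assumption.
    r"(?P<facility>\S+) (?P<level>\S+) (?P<program>\S+) "
    r"Message: (?P<message>.*?)"
    r"(?: \[Xref => (?P<xref>[^\]]+)\])?"   # Xref is optional
    r"(?= \[\*\*\]|$)"                       # stop at the next entry or the end
)


def parse_alert_log(text: str) -> list:
    """Return one dict per alert. Entries span several lines in the file, so
    whitespace is collapsed first and the pattern only sees single spaces."""
    flat = " ".join(text.split())
    alerts = []
    for m in ALERT_RE.finditer(flat):
        a = m.groupdict()
        for key in ("gid", "sid", "rev", "priority"):
            a[key] = int(a[key])
        alerts.append(a)
    return alerts


def count_by_signature(alerts) -> Counter:
    """Alerts per (sid, name): the first view to check when alert.log fills
    up, to tell a noisy rule from a genuine burst of events."""
    return Counter((a["sid"], a["name"]) for a in alerts)


def at_least_priority(alerts, threshold=1) -> list:
    """Keep alerts whose numeric priority is threshold or lower. This follows
    the Snort classification convention Sagan uses, where 1 is the most urgent."""
    return [a for a in alerts if a["priority"] <= threshold]


# Constructed sample: the two alert.log entries shown above, as cat prints them.
SAMPLE_ALERT_LOG = """\
[**] [1:5000020:4] [OPENSSH] Not executable shell - login attempt [**]
[Classification: unsuccessful-user] [Priority: 1] [192.0.2.1]
[Alert Time: 01-26-2020 22:08:30.071085]
2001-01-01 00:00:00 192.0.2.1:514 -> 192.0.2.1:22 local0 info sshd
Message: User ubuntu not allowed because shell /etc/passwd is not executable
[Xref => http://wiki.quadrantsec.com/bin/view/Main/5000020]

[**] [1:5000077:3] [OPENSSH] Attempt to login using a denied user [**]
[Classification: unsuccessful-user] [Priority: 1] [192.0.2.1]
[Alert Time: 01-26-2020 22:08:30.071085]
2001-01-01 00:00:00 192.0.2.1:514 -> 192.0.2.1:22 local0 info sshd
Message: User ubuntu not allowed because shell /etc/passwd is not executable
[Xref => http://wiki.quadrantsec.com/bin/view/Main/5000077]
"""

if __name__ == "__main__":
    found = parse_alert_log(SAMPLE_ALERT_LOG)
    for a in found:
        print(a["sid"], a["priority"], a["name"], "<-", a["host"])
    print(count_by_signature(found))
```

Note that one injected test line produced two alerts with different sids but the same message; the per-signature count is what shows that, and it is also the quickest way to spot a rule that fires on every line after a rules update.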