Friday, February 24, 2012

Razorback Appliance - Getting Started

With the recent release of Razorback 0.4.1 we decided to update the Virtual Appliance image to this release. The target audience for the appliance is people who want to test drive the system without going through the process of installing the system and its dependencies.

You can download the appliance from SourceForge here: http://sfi.re/xTH1nH

The virtual appliance is based on FreeBSD 9.0 (i386) and requires 4GB of RAM on your host and 20-30GB of hard disk space. We build the VM in VMWare ESXi, but it should run on any hypervisor that can import an Open Virtualization Format archive (OVA) virtual machine; in this guide I will be using VirtualBox.

The appliance ships with the following components:
  • Razorback Dispatcher
  • Razorback Master Nugget
    • Archive Inflate Nugget
    • ClamAV Nugget
    • File Log Nugget (disabled by default, test/sample nugget)
    • Flash Inspector Nugget
    • OfficeCat Nugget - More info: http://sfi.re/yYHpRs
    • PDF Dissector Nugget (disabled by default, requires additional installation steps)
    • PDF Fox (disabled by default, beta release)
    • Script Nugget
    • Syslog Output Nugget
    • Virus Total Nugget (disabled by default, requires API key)
    • Yara Nugget - More info: http://sfi.re/zkPxcl
  • Razorback Web Interface
  • File Inject
  • File System Walk
  • Snort 2.9.1.1 with Razorback Collection
  • Systems Management Web Interface (Based on FreeNAS interface)
  • MySQL Server
  • Memcached Server
  • ActiveMQ Server

Importing the appliance

Select the following menu option based on your hypervisor:
  • VMWare Workstation - File->Open
  • VMWare vCenter (ESXi) - File->Deploy OVF Template
  • VirtualBox - File->Import Appliance
Select the OVA file that you have downloaded and follow the prompts to deploy the machine; if you are asked if you would like to reset the VM's network cards' MAC addresses at any point you should select yes (or tick the box in the case of VirtualBox).

After you have installed the appliance you can start it up and you should be presented with a screen like this:


If you see a bunch of output related to masterNugget or dispatcher, just hit return and the menu should present itself.

Now we need to set up a username and password to access the system. Open your browser and enter the address of the management web interface (in this case http://10.7.1.56:8080). You should be presented with the following screen:


Now click the large account button in the top right, and select change password from the tabs in the window that opens:


Enter your new password and confirmation, leaving the old password blank. Make sure that "Change root password as well" is selected and click the "Change Admin Password" button. The Alert button in the top right should now be solid green rather than flashing red.

Next we need to configure the network interface of the VM. Expand the network item in the tree on the left, and then the Interfaces sub item and select "Add Interface":


Configure the interface to fit your environment (I'm using DHCP in the example) and click OK. If you are moving to a static IP configuration you will need to go to the "Global Configuration" item under Network and set your default gateway and name servers.

Now we need to add a user to the system to allow access to the Razorback web interface. To do this, expand the Account item in the tree on the left, then the Users item, and select "Add User":


In this example we are adding a user that can only access the web interface so we select the following options:
  • Primary Group - nogroup
  • Home Directory - /nonexistent
  • Shell - nologin
Now you should reboot the appliance to make sure that the network configuration changes take effect. Select "Reboot" from the menu.

Once the machine has rebooted you should be able to log into the Razorback web interface by browsing to the URL listed on the boot menu (in this case, http://10.7.1.56/).

You should be presented with a screen like so:



Changing active inspection nuggets:

Log into the system web interface with the admin user (whose password we set earlier). Expand the Razorback element in the tree and select "Control Nuggets".


To change the configuration items for a nugget click the spanner icon next to the on/off switch.

To turn a nugget on or off just click the on/off button; your changes should be reflected on the Razorback interface under Nugget Status.

Enabling Snort for traffic capture:

To do this we need to add a capture interface to the appliance, making sure that you enable promiscuous mode for the interface.




You will need to make the following changes based on your hypervisor:
  • VMWare ESXi - Change the configuration of the vSwitch and the port to allow promiscuous mode for the interface.
  • VMWare Workstation - Follow this guide to enable promiscuous mode for a guest: http://sfi.re/whE6dR
  • VirtualBox - Select "Allow All" under Advanced->Promiscuous Mode as shown above.
After you have added the interface, start the virtual machine and log into the admin interface.  Expand the Services item in the navigation tree and select "Control Services", then click on the on/off switch next to Snort to enable the service:


The appliance also supports inline traffic capture. Follow these steps to enable it:
  1. Add a third interface to the appliance connected to your second virtual network.
  2. Select Shell from the system console.
  3. Edit /etc/rc.conf:
    1. Comment out the lines starting with ifconfig_em1 and snort_interface under the heading "TAP/Span interface on em1".
    2. Un-comment the lines under "Inline configuration em1+em2".
  4. Reboot the appliance.
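The rc.conf edit in step 3 can be scripted so it is repeatable and easy to diff before rebooting. The following is an added example, not code from the original post or the Razorback project; it assumes the two comment headings named above mark the sections and that each section ends at the next blank line, and the sample rc.conf it generates is constructed (the appliance's real lines are not shown on this page).

```shell
#!/bin/sh
# Added example, not code from the original post or the Razorback project.
# Automates step 3 of the inline-capture procedure: comment out the
# ifconfig_em1/snort_interface lines under "TAP/Span interface on em1" and
# un-comment the settings under "Inline configuration em1+em2". Assumed (the
# page does not show the real file): sections end at the next blank line.

# switch_to_inline SRC DST : write the edited copy of SRC to DST
switch_to_inline() {
    awk '
        /TAP\/Span interface on em1/    { mode = "tap";    print; next }
        /Inline configuration em1\+em2/ { mode = "inline"; print; next }
        /^[ \t]*$/                      { mode = "";       print; next }
        # TAP section: disable the interface and snort lines
        mode == "tap" && /^(ifconfig_em1|snort_interface)=/ { print "#" $0; next }
        # Inline section: enable commented-out key=value settings only
        mode == "inline" && /^#[ \t]*[A-Za-z_][A-Za-z0-9_]*=/ {
            sub(/^#[ \t]*/, ""); print; next
        }
        { print }
    ' "$1" > "$2"
}

# make_sample_rc_conf DST : constructed sample standing in for /etc/rc.conf
# (the values are placeholders, not the appliance's real settings)
make_sample_rc_conf() {
    cat > "$1" <<'EOF'
hostname="razorback"

# TAP/Span interface on em1
ifconfig_em1="up"
snort_interface="em1"

# Inline configuration em1+em2
#ifconfig_em1="up"
#ifconfig_em2="up"
#snort_interface="em1:em2"
EOF
}

# count_active FILE KEY : number of un-commented lines starting with KEY=
count_active() {
    grep -c "^$2=" "$1" || true
}

main() {
    make_sample_rc_conf /tmp/rc.conf.sample
    switch_to_inline /tmp/rc.conf.sample /tmp/rc.conf.inline
    diff -u /tmp/rc.conf.sample /tmp/rc.conf.inline || true   # show toggled lines
}
```

On the appliance you would point switch_to_inline at /etc/rc.conf and a scratch file, review the diff, and only then copy the result into place before rebooting.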

More information about the appliance can be found here: http://sfi.re/ws6diq

1 comment:

  1. Can you please post an MD5 and SHA hash for the Razorback-0.4.1.ova file? (And please copy it into a text file and post it to SourceForge in the same directory/folder as the OVA file.) I tried to download the .OVA file 4 times already, and I keep getting errors when I try to import the file into VMware Workstation 8.0. All four times that I've downloaded the file, the file sizes seem to be different, and there is no way of telling which file is correct (if any) without a hash. Thank you.