Ourmon 2.8 on FreeBSD 7.0-RELEASE

The FreeBSD team recently announced the release of FreeBSD 7.0-REL, which introduces many new features and improvements. Performance on multi-core systems is significantly better; the project's own benchmarks put it about 15% ahead of the best-performing Linux kernel. I can't wait to move all my NSM sensors, which are running on FreeBSD 6.2-REL, to 7.0-REL.

Before that, Ourmon, the network monitoring and anomaly detection system, released version 2.8, which introduces a few exciting features as well. The feature I most wanted, a threaded probe, is now supported. Although it is still experimental and only an x86 (AMD-compatible) primitive is used for the spinlocks, I will definitely try it on the quad-core AMD64 NSM sensor on which I have Ourmon disabled because of massive packet drops during peak hours.

Installation is straightforward: you just run configure.pl and change the home network address. Some people may want to change the network interface and the web directory during installation, but the remaining settings are defaults or are auto-detected.

This is my installation of Ourmon 2.8 on FreeBSD 7.0-REL.
1. Install libpcre from ports. (/usr/ports/devel/pcre)
2. Install libpcap from ports. (/usr/ports/net/libpcap)
3. Install rrdtool from ports (/usr/ports/databases/rrdtool)
4. Install apache from ports. (/usr/ports/www/apache13, 20, or 22)
5. Run ourmon’s configure.pl.

Here is the output.

# ./configure.pl
configuration script to install ourmon.
note: default is suggested like so: [default]
note: just hit carriage-return for default actions
Would you like to install the ourmon probe? [y]
Front-end configuration phase started ####################
pcap in general needs to be reinstalled from www.tcpdump.org before ourmon install
found pcap lib in /usr/local/lib/libpcap.a - which is a good thing
hit CR to continue:

Would you like to compile/install ourmon? [y]
ourmon build: using make -f Makefile.bsd LIBS=/usr/local/lib/libpcre.a /usr/local/lib/libpcap.a
`ourmon' is up to date.

Next we determine the ourmon config/filter file to use.
By default, we use the local /usr/local/mrourmon/etc/ourmon.conf to provide input filters to ourmon.
WARNING: you should read/edit/understand ourmon.conf!
Do you want to use another ourmon.conf file in some other directory than /usr/local/mrourmon/etc? [n]

Next we suggest one modification to the ourmon.conf file.

If this is a default install, you should change the following config directive:

        topn_syn_homeip network/netmask

and set it to your home network and mask (A.B.C.D/maskbits style)
Do you want to change the topn_syn home network address? [y]
note: the home net address may be a subnet or host address (/32).
enter a home net address and mask. []

Do you want to install the ourmon startup script in the ourmon bin? [y]
WARNING: the default for the interface may not be what you want.
WARNING: use #ifconfig -a to determine interfaces.
Please enter the input interface name to sniff from: [le0]
input interface is le0

Please enter directory for probe output files (mon.lite, etc.): [/usr/local/mrourmon/tmp]
probe output directory name is: /usr/local/mrourmon/tmp

Creating bin/ourmon.sh driver for startup of ourmon.
ourmon.sh placed in ourmon bin for ourmon front-end/probe startup
./ourmon.sh start

copy the startup script (bin/ourmon.sh) to /usr/local/etc/rc.d for boot startup? [y]
ourmon front-end install complete
ourmon front-end build worked

You should now run /usr/local/mrourmon/bin/ourmon.sh to start ourmon

e.g., # /usr/local/mrourmon/bin/ourmon.sh start

You can use ourmon.sh stop to stop ourmon

part 2: install the back-end, omupdate.pl, etc. (web part)? [y]
Back-end configuration phase started ######################################
We need a local web directory for generated web output.
hint: the webpath given here is a guess: give the CORRECT base web directory with /ourmon at the end
enter absolute web server web path directory: [/usr/local/www/data/ourmon] /usr/local/www/ourmon
your output web path is: /usr/local/www/ourmon

Do you want to create the web directory for ourmon?
HINT: good idea if it doesn't exist. [y]
mkdir: /usr/local/www/ourmon: File exists
ln: web.pages: File exists
cp bard/* /usr/local/www/ourmon/bard
cp batchip.sh batchipall.sh omupdate.sh /usr/local/mrourmon/bin
cp ombatch*.pl wormtolog.pl daily.pl monbackup.pl /usr/local/mrourmon/bin
cp omupdate.pl tcpworm.pl irc.pl /usr/local/mrourmon/bin
cp mklogdir.sh /usr/local/mrourmon/bin
chmod +x /usr/local/mrourmon/bin/*.sh
chmod +x /usr/local/mrourmon/bin/*.pl

INFO only: also setting up logging directory (if needed)
creating log rrddata tmp dirs, if necessary, in /usr/local/mrourmon
hit CR to continue:

If different, enter front-end output file directory absolute path: [/usr/local/mrourmon/tmp]
probe output file path (back-end input/s) is /usr/local/mrourmon/tmp

Now we copy supplied .html files to the web directory for later editing
do you want to copy base web files to the web directory? [y]

INFO only: setting up local rrdbase directory at /usr/local/mrourmon/rrddata
your runtime rrds get stored in this directory, along with the rrd error log file
if you create new BPF filters, check rrdbase/ourmon.log for errors.
hit CR to continue:

We need a UDP weight threshold for UDP scan alerts
what should the weight be (default is given): [10000000]

Install backend crontab commands in /etc/crontab (default answer y)?: [y]

ourmon system config complete
see INSTALL for post-config sanity checking

This is the error I got when I tried to start ourmon:

[root@ /usr/local/etc/rc.d]# ./ourmon.sh start
sysctl: unknown oid 'debug.bpf_bufsize'
sysctl: unknown oid 'debug.bpf_maxbufsize'

When I opened ourmon.sh, I found these lines under start_om():

sysctl -w debug.bpf_bufsize=8388608
sysctl -w debug.bpf_maxbufsize=8388608

On FreeBSD 7.0 these OIDs live under net.bpf and are called net.bpf.bufsize and net.bpf.maxbufsize (the debug.bpf_* names are the ones older FreeBSD releases used). Changing the two lines to the following fixes it. Keep maxbufsize at least as large as bufsize: the buffer length a BPF descriptor may request is capped at net.bpf.maxbufsize, so raising bufsize alone does not give the probe a larger capture buffer.

sysctl -w net.bpf.bufsize=8388608
sysctl -w net.bpf.maxbufsize=8388608

If you have already set your own values in /etc/sysctl.conf, just comment out these two lines so the startup script does not overwrite them.
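As an added example (not code from Ourmon or its ourmon.sh), here is how I would replace the two hard-coded sysctl lines in start_om(): use the net.bpf OIDs, raise maxbufsize before bufsize, and skip any value that is already large enough so a setting in /etc/sysctl.conf is left alone. The function names, the OM_BPF_BUFSIZE variable and the "stock default" values 524288/4096 used in the demonstration are my own assumptions, not Ourmon's.

```shell
#!/bin/sh
# Added example, not part of Ourmon's ourmon.sh: a replacement for the two
# hard-coded sysctl lines in start_om() that uses the FreeBSD net.bpf OIDs,
# raises maxbufsize before bufsize, and leaves larger values from
# /etc/sysctl.conf alone. Target size defaults to the 8 MiB ourmon.sh uses.
OM_BPF_BUFSIZE=${OM_BPF_BUFSIZE:-8388608}

# bpf_sysctl_plan DESIRED CUR_MAXBUFSIZE CUR_BUFSIZE
# Prints the sysctl assignments needed, one per line, in the order they must
# be applied. net.bpf.maxbufsize comes first: the buffer length a BPF
# descriptor may request (what libpcap does on behalf of the ourmon probe)
# is capped at maxbufsize, so bufsize alone cannot exceed it. Prints nothing
# for a value that is already at least DESIRED, so an operator's larger
# setting in /etc/sysctl.conf is not clobbered and repeated starts are no-ops.
bpf_sysctl_plan() {
    desired=$1
    cur_max=$2
    cur_buf=$3
    if [ "$cur_max" -lt "$desired" ]; then
        echo "net.bpf.maxbufsize=$desired"
    fi
    if [ "$cur_buf" -lt "$desired" ]; then
        echo "net.bpf.bufsize=$desired"
    fi
}

# bpf_tune: read the live kernel values and apply the plan with sysctl -w.
# A missing OID (not a FreeBSD host, or the names differ again) is reported
# and fails the start instead of only printing "unknown oid".
bpf_tune() {
    cur_max=$(sysctl -n net.bpf.maxbufsize 2>/dev/null) || {
        echo "bpf_tune: net.bpf.maxbufsize not found; is this FreeBSD?" >&2
        return 1
    }
    cur_buf=$(sysctl -n net.bpf.bufsize 2>/dev/null) || {
        echo "bpf_tune: net.bpf.bufsize not found" >&2
        return 1
    }
    # Assignments contain no whitespace, so word splitting here is safe.
    for kv in $(bpf_sysctl_plan "$OM_BPF_BUFSIZE" "$cur_max" "$cur_buf"); do
        sysctl -w "$kv" || return 1
    done
}

# Demonstration on constructed values (assumed stock defaults of
# maxbufsize=524288 and bufsize=4096): both OIDs need raising, max first.
echo "plan for assumed stock defaults:"
bpf_sysctl_plan "$OM_BPF_BUFSIZE" 524288 4096
```

In start_om() you would call bpf_tune and bail out if it fails, rather than letting the probe start with whatever buffer the kernel defaulted to; the plan function is separated out so the ordering and skip logic can be checked without touching a live kernel.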

I will post up as soon as Ourmon with threaded support is successfully setup on AMD64 system.

  5. GuTi Says:

    wujike, I have emailed you about the problem; I hope to get your reply soon. :)

    nawuza, yes, you could use it to monitor your network traffic.
    I see the Dell switch allows port mirroring, so you could just mirror the traffic to a Gigabit port, connect it to another network interface of your Fedora server, and receive the traffic by running ‘ifconfig #interface -arp promisc up’.

  6. nawuza Says:

    OK, I tried to install ourmon on my Linux, which is running under VMware. I already get the page "Ourmon: Network Monitoring and Anomaly Detection System", but it does not display any data. I already set ifconfig eth1 -arp promisc up. Can you give me more detail on installing it on FC8? Thanks.

  7. nawuza Says:

    And also, when I run ./ourmon.sh start, I get this error: ./ourmon.sh: line 11: /home/mrourmon/bin/ourmon: No such file or directory

  8. GuTi Says:

    nawuza, on which interface would you like to monitor your traffic? Does your eth1 receive traffic? You could run tcpdump to check whether traffic is arriving on eth1.

    For the "no such file or directory" error, you have to check where Ourmon is installed. For example, if you extracted the mrourmon package in /usr/local, you could run the command below after the installation has completed successfully.

    # /usr/local/mrourmon/bin/ourmon.sh start

    For more info about the Ourmon installation

