# OpenSIMS

## Styles

Anybody have a chance to play with this yet? http://www.opensims.org/index.html

No ebuild for it yet, and I don't have the time to play with it. Just wanted some opinions about it, if it is useful or not?

 :Rolling Eyes: 

----------

## screwloose

I also saw that today and was curious about how well it works. It looks like the only dependency this program has that isn't in portage yet is Apache Axis.

----------

## opensims

An e-build for OpenSIMS is on our project schedule but not under development at this time. However, we are currently seeking assistance from the Gentoo community in building an e-build for OpenSIMS. Both myself and Paco Nathan are available to answer any questions about the project and help get an e-build available as soon as possible with your help. You can email us directly at...

pmgmt@opensims.org

Thanks,

William Hurley and Paco Nathan

----------

## Styles

Man with all the deps in this thing an ebuild is a little over my head. Same reason why I have not installed it by hand, just no time.

One feature I can see adding / incorporating in the future would be honeyd, a snort/snarf reporting type system / Send Incident Report to the respective net admin / owners etc.... Then it would be an all encompassing network security tool errr wait just thought of another tool to add to it as well NTOP can't forget that!!! oops forgot Nessus as well, hehehe I'll quit now before the list gets too long.

----------

## opensims

Yeah, I hear ya about the dependencies.  The tarball released yesterday morning cut that list in half.  So if you already have Tomcat or some web container running (Jetty, JBoss, JRun, etc.) then we're bundling most of the rest now.  Those other deps were mostly JAR files anyway.

One question about ebuilds is still over the versions for other projects... For example, OpenSIMS uses lotsa features from Tomcat 5.x and Ant 1.6.x ... those available for Gentoo yet?  If not, what can we do to help?  We've been using src installs for those deps on our Gentoo boxes.

Send Incident Report is in the Notification part of the Java API - thanks to Jive Software's "Smack" and the Informa project on SourceForge.  See the <NOTIFY/> tags in the "webapp.xml" config file that gets generated during install -- and the related org.opensims.notify.* in our JavaDoc.  The other items are great suggestions -- hehe, you're asking about features to add that can be done now by changing a few lines of text in the XML config file.   :Twisted Evil:   Keep asking, pls

----------

## Styles

Ant is available

```
*  dev-java/ant
      Latest version available: 1.6.2-r2
      Latest version installed: 1.6.2-r2
      Size of downloaded files: 6,134 kB
      Homepage:    http://ant.apache.org/
      Description: Java-based build tool similar to 'make' that uses XML configuration files.
      License:     Apache-2.0
```

And Tomcat is as well

```
*  www-servers/tomcat
      Latest version available: 5.0.27-r3
      Latest version installed: [ Not Installed ]
      Size of downloaded files: 10,057 kB
      Homepage:    http://jakarta.apache.org/tomcat
      Description: Apache Servlet-2.4/JSP-2.0 Container
      License:     Apache-2.0
```

Man you guys Rock!!!

Man if you can implement all those tools into OpenSIMS ( there are e-builds for everything I mentioned!!! in my last post by the way ) it would make the best Network Security Monitoring Tool I have ever seen... I'm not much of a programmer, I'm just a sys admin and I dabble a little bit with php and e-builds but that's about it. If I think of anything during the course of my day of things to add to ossim I will post them here! But adding a way to configure Honeyd and to run Honeyd would be something very interesting. I'm the type of person who loves to fight back anyway!!

----------

## opensims

We are currently working with the project management for Gentoo to get some assistance in creating an e-build for OpenSIMS ahead of our previous schedule. We'll update the thread once we have a solid plan in place, and set the expectation on when the e-build will be available. Until then, we appreciate all of the feedback we're getting via email. Thanks to everyone, the Gentoo community rocks!   :Razz: 

----------

## Styles

Any updates guys?

----------

## opensims

Sorry, we're swamped. We did hear from a couple of people within the Gentoo community, but we haven't heard back. We still need help with getting an e-build up and running.

However, there has been a lot of progress made with the project overall. First, we're now at version 0.6.4b which in addition to other adds/fixes includes the following updates...

- installer - major bug fixes in the packaging of the installer, you want to upgrade now
- Torque - build scripts resolving properties correctly
- Java API - eliminated several FindBugs issues

We could really use some help with the e-build, and are currently seeking someone from the Gentoo community to help move things along. In exchange we will add them to the list of committers for the Apache Incubator project. What's a committer?

A committer is a developer that was given write access to the code repository and has a signed Contributor License Agreement <http://www.apache.org/licenses/cla.pdf> on file with the Apache Software Foundation. Not needing to depend on other people for the patches, they are actually making short-term decisions for the project. The PMC can (even tacitly) agree and approve it into permanency, or they can reject it. Remember that the PMC makes the decisions, not the individual people.

We would like to get someone from the Gentoo project involved so that we can get an e-build as quickly as possible, and more importantly have someone who can help maintain the OpenSIMS/Gentoo changes moving forward (which should be very minimal, probably just keeping the e-build up-to-date).

Thanks for your support and patience while we get this project rolling.

- The OpenSIMS project management team

----------

## opensims

We've posted a new set of docs to...

http://opensims.org/docs/manual/

However, we want to do what we can to get everyone up and running on Gentoo, so Paco and I wanted to provide the steps to getting OpenSIMS up and running without the e-build...

Gentoo

status:  stable

See the docs directory for platform-specific README files.

The following steps are required to build OpenSIMS and AgentSDK, based on using Tomcat 5.x as the servlet container.

Step 1: Distribution Tarball

Download and extract the distribution tarball to a particular directory.  For example, place it under one of /opt/, /usr/local/, /usr/share/ on Unix or Linux.  This will become the "home directory" for your OpenSIMS instance.

Step 2: System Properties

Check that some non-root user has been created for running Tomcat, such as a tomcat user.  For example:

```
/usr/sbin/groupadd tomcat
/usr/sbin/useradd -g tomcat tomcat
```

Be sure that the environment variables are set correctly in the root shell which will run the installation scripts, for PATH, JAVA_HOME, ANT_HOME, CATALINA_HOME, and CLASSPATH.  For example, you might need to append to /etc/profile with something that resembles:

```
export JAVA_HOME=/opt/j2sdk1.4.2_05
export ANT_HOME=/opt/apache-ant-1.6.1
export CATALINA_HOME=/opt/tomcat
export PATH=${ANT_HOME}/bin:${JAVA_HOME}/bin:${PATH}
export CLASSPATH=$JAVA_HOME/lib/tools.jar:$CLASSPATH
```

Edit the file build/build.properties to suit your platform's file layout and paths to executables for each named dependency.  For example, specify file locations if your installation of Snort or Tomcat has been customized.  Whatever you add to build.properties will override the default settings in default.properties, as is generally the case when working with Ant build scripts.

TROUBLESHOOT: Do not change the truststore and keystore passphrases, leave them for now.

Then select which database platform you prefer to use.  For example, here is how a typical configuration looks for PostgreSQL:

```
db.platform = postgresql
db.jdbc.driver = org.postgresql.Driver
db.jdbc.jar = /opt/postgresql-7.4.3/lib/pg74.215.jdbc3.jar
db.user = root
db.password = foo
```

The default settings pre-configured in this download are, roughly speaking, what one would use for RedHat with PostgreSQL.

TROUBLESHOOT:  You may need to edit hosts.allow on a Linux or Unix server to let JDBC connect to your database TCP listener.

Step 3: Installer Script

First, you might want to run the "preflight" checks, using the Ant build script in the base directory. That will test the versions found for each dependency, and will also attempt to connect to the database server:

```
ant
```

If all goes well, next run the same script again (as the root user), this time invoking the OpenSIMS installer:

```
ant -v install | tee install.txt
```

That will call several other installer scripts in sub-directories, following the directory structure described in the File Layout chapter.

TROUBLESHOOT:  If you get prompted about whether or not you prefer to "handle SSL keys with high security", you probably want to answer "no".  Otherwise, you must enter a private key passphrase each time your application server or agents restart.

At the end of a successful installation, the build script prompts for whether you want to send an email back to OpenSIMS.org  requesting that your SSL certificate signing request (CSR) be signed by the OpenSIMS Project.  If you agree, our repository server will email back a signed cert, so that your OpenSIMS installation may use secure web services (using mutual authentication) to obtain notifications about OpenSIMS source code upgrades and updated security data.

TROUBLESHOOT:  If you run into other troubles with the install, please send email to info@opensims.org with a copy of your install.txt log file.  We like to see those log files attached along with any installation bug reports; of course, edit the log to scrub out any details which you don't care to share.

TROUBLESHOOT:  If the KeyManager fails during the openssl calls to generate keys, it is probably because you have a version which does not support some of the command-line options being used.  The simplest fix is to go into tools/keymgr/build.xml script and comment out the two <arg/> statements for -set_serial and its parameter.

TROUBLESHOOT:  The scripts which detect the network interface configuration are expecting to have something sane come out of your ifconfig utility -- in terms of network, broadcast, mask and IP address numbers.  If, for instance, you have an ISP which sends really wacked-out numbers for DHCP (i.e., Time Warner) then the CIDRs generated by the OpenSIMS scripts may look a wee bit strange.  Choose some network/interface during the install, then go back and edit the webapp.xml config file afterwards.

We have begun to build regression testing for the various failure modes from wacky ISPs; email us a session from your ifconfig if you see troubles like that and we'll try to work that into our bug fixes and regression testing.

Step 4: Application Server

For the examples given here, we assume that you are working with Tomcat 5.x running standalone.  The SSL port (default 8443/tcp) needs to be the same as what is specified in the system properties in the OpenSIMS build.properties file.

OpenSIMS expects to have an SSL listener provided by Tomcat 5.x or a comparable web container.  The most recently updated documentation for these connector options is available online at the Jakarta Tomcat site.

Edit the Tomcat config file $CATALINA_HOME/conf/server.xml, doing a copy/paste of the SSL HTTP/1.1 connector definition listed below.  This has its port set to 8443 -- or use whatever is redefined in your build.properties file by the report.port property.  NB: we will use a similar connector definition later for the agent.port property, when mutual authentication gets enabled.

```
    <Connector
     className="org.apache.coyote.tomcat5.CoyoteConnector"
     debug="1"
     scheme="https"
     port="8443"
     acceptCount="100"
     maxThreads="150"
     minSpareThreads="25"
     maxSpareThreads="75"
     enableLookups="false"
     disableUploadTimeout="true"
     tcpNoDelay="true"
     connectionLinger="-1"
     connectionTimeout="600000"
     connectionUploadTimeout="600000"
     keepAlive="true"
     maxKeepAliveRequests="-1"
     serverSocketTimeout="0"
     secure="true"
     sslProtocol="TLS"
     algorithm="SunX509"
     truststoreFile="/var/ssl/truststore.jks"
     truststorePass="changeit"
     truststoreType="JKS"
     keystoreFile="/var/ssl/keystore.jks"
     keystorePass="symbiot"
     keystoreType="JKS"
     clientAuth="false"
     compression="off"
    />
```

In any case, be certain to enable "keep-alives" set to the maximum possible, enabling persistent connections which the agents use.  For the Tomcat 5.x example <Connector> listed above, the connectionTimeout attribute is set to -1 for this effect.

TROUBLESHOOT:  If that connectionTimeout setting gets omitted, the agents may disconnect prematurely.

Also add to the Tomcat config file $CATALINA_HOME/conf/server.xml with the following XML elements, as content inside of the existing <Host> element.  You may need to change the paths, depending on your file layout:

```
    <Context
     className="org.apache.catalina.core.StandardContext"
     debug="1"
     docBase="/opt/tomcat/webapps/opensims"
     displayName="OpenSIMS"
     path="/opensims"
     charsetMapperClass="org.apache.catalina.util.CharsetMapper"
     mapperClass="org.apache.catalina.core.StandardContextMapper"
     wrapperClass="org.apache.catalina.core.StandardWrapper"
     cachingAllowed="false"
     cookies="true"
     crossContext="false"
     privileged="false"
     reloadable="false"
     swallowOutput="false"
     useNaming="true"
    >
      <Environment
       name="client.timeout"
       description="Client Session Timeout Period in seconds"
       override="true"
       type="java.lang.Integer"
       value="300"
      />
      <Environment
       name="debug.flash"
       description="Flash Client Debug Flag (0/1)"
       override="false"
       type="java.lang.String"
       value="0"
      />
   </Context>
```

TROUBLESHOOT:  If the use of log4j in the webapp throws security exceptions (typically about ClassLoader permissions), try disabling the -security option in the Tomcat startup script, if you see those kinds of exceptions in the Tomcat logs.

TROUBLESHOOT:  Optionally, you can run through a Jk connector via Apache, if you must run Tomcat 4.x instead of the recommended version.  You'll need to grok mod_jk quite well.  Please don't bug us when it croaks  :Smile: 

Step 5: Snort Configuration

The agent that watches Snort expects to see alerts in a particular format.  The config for Snort needs to include these command line options for running the daemon:

```
-y         show year in timestamp
-I         show network interface
-A fast    fast file format
```

If your rules directory is not inside the Snort /etc/conf directory as usual, be sure to edit the build.properties file to reflect your Snort settings.

You probably will want to turn off some of the less-significant Snort rules which will cause much noise in the OpenSIMS analysis:

```
/etc/snort/bad-traffic.rules
#alert ip any any <> 127.0.0.0/8 any (msg:"BAD-TRAFFIC loopback traffic"; classtype:bad-unknown; reference:url,rr.sans.org/firewall/egress.php; sid:528; rev:4;)
#alert ip any any -> any any (msg:"BAD-TRAFFIC same SRC/DST"; sameip; reference:cve,CVE-1999-0016; reference:url,www.cert.org/advisories/CA-1997-28.html; classtype:bad-unknown; sid:527; rev:4;)
```

Note that the alert_def.xml file includes features for disabling and filtering rules from security devices, including Snort.  Those features will be supported and documented more fully in an upcoming release.

Step 6: Custom Configurations

Edit the generated config file /etc/opensims/webapp.xml as needed.  You probably won't need to do that much, except for peripheral features such as notification, or whenever your network configuration changes.

Step 7: Daemonic Invocation

Start these required services, in order, given that network and database services are already running -- and Snort plus any other security devices being correlated:

```
tomcat
symagent
```

More of the overall installation process will become automated as we get feedback about OpenSIMS on specific platforms, and as we get packaged in the distros.

TROUBLESHOOT:  You need to be sure to open ports 8443:8445 on your firewall for the OpenSIMS agents, clients, and webapp to use.

Step 8: Operation and Testing

Once you've got Tomcat running with the OpenSIMS webapp servlets and accepting input from the agents, then take a look at the diagnostics page:

```
https://YOUR_DOMAIN:8443/opensims/test
```

That should show a text dump of the internal memory structures, which we use back in the QA lab at OpenSIMS.  If you see "bogey" and "alert" entries, congrats!

At this point you'll likely see similar info showing up animated in the Flash GUI, so try pointing your browser at:

```
https://YOUR_DOMAIN:8443/opensims/
```

Then click on the Live button, and you should start to see the animation.  To verify how a running OpenSIMS looks, check our screenshots tour and animation movie.

Note that in the current correlation state machine, alerts will be displayed if they involve a host which is known by autodiscovery to be on your network; others will be ignored as false positives.

TROUBLESHOOT:  If the browser shows Server Socket Error when you click on the Live button, then the Flash XMLSocket listener (default port: 8445/tcp) is probably not running.

Sometimes, if you try to stop/start Tomcat too rapidly, the previous listener socket will not have enough time to shutdown before the new instance gets attempted.  The required wait interval depends on the operating system, but it can be up to a couple of minutes.  If that is the case, you'll probably see the following errors in the Tomcat logs:

```
java.net.BindException: Address already in use
```

The best approach is to stop the symagent service, stop the tomcat service, run kill -9 on any orphaned processes for either, then wait a couple of minutes before starting those two services again.  On a Linux/Unix system, you can use netstat -an | grep LISTEN to monitor the state of listener sockets.

TROUBLESHOOT:  Alerts disappear after a while.  Current settings will delete information about attacks and attackers from the database after 72 hours.  To modify how your attack data persists, edit the webapp.xml config file, and change the data.age_limit parameter, which is listed in milliseconds.  We've tested this successfully with high data rates, but depending on the file system, database, and processors ... your mileage may vary.

Debugging Techniques

One good practice for debugging an OpenSIMS in operation is to tail the logs together:

```
cd /var/log
tail -f opensims/* tomcat/* snort/alert
```

... or something along those lines.  We like to see those kinds of log files attached alongside any runtime bug reports, too.
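The Snort alert handling from Step 5 and the "known local host" correlation rule from Step 8, as an added example that is not OpenSIMS project code: it parses constructed Snort fast-format lines of the kind produced with -y and -I, drops the two noisy sids the post comments out, and keeps only alerts that involve a host inside the configured local networks. It assumes the interface appears as <ifname> immediately before the {PROTO} field; the sample lines and the sids 1000001/1000002 are constructed.

```python
import ipaddress
import re

# Snort "fast" alert lines as written with -y (year in timestamp), -I
# (interface) and -A fast. Assumption: the interface shows up as <ifname>
# just before the {PROTO} field; ports are absent for ICMP.
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"(?:<(?P<iface>[^>]+)>\s+)?"
    r"\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>[0-9.]+?)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[0-9.]+?)(?::(?P<dport>\d+))?\s*$"
)

# The two bad-traffic rules the post comments out in /etc/snort/bad-traffic.rules.
NOISY_SIDS = {527, 528}

# Constructed sample alerts (sids 1000001/1000002 are in the local-rule range).
SAMPLE_ALERTS = """\
01/26/05-05:25:51.123456  [**] [1:528:4] BAD-TRAFFIC loopback traffic [**] [Classification: Potentially Bad Traffic] [Priority: 2] <eth0> {TCP} 127.0.0.1:1024 -> 192.168.1.10:80
01/26/05-05:26:02.000001  [**] [1:1000001:1] LOCAL sample web probe [**] [Classification: Web Application Attack] [Priority: 1] <eth0> {TCP} 10.20.30.40:3871 -> 192.168.1.10:80
01/26/05-05:26:09.500000  [**] [1:1000002:1] LOCAL sample ICMP echo [**] [Classification: Misc activity] [Priority: 3] <eth0> {ICMP} 10.20.30.40 -> 172.16.5.5
"""


def parse_fast_alert(line):
    """Return a dict of the alert's fields, or None if the line is not fast format."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    alert = m.groupdict()
    for key in ("gid", "sid", "rev", "prio"):
        alert[key] = int(alert[key])
    return alert


def correlate(text, local_nets, noisy_sids=NOISY_SIDS):
    """Keep alerts not in noisy_sids whose source or destination is a local host.

    Mirrors the post's rule: alerts that involve no known local host are
    treated as false positives and ignored.
    """
    nets = [ipaddress.ip_network(n) for n in local_nets]
    kept = []
    for line in text.splitlines():
        alert = parse_fast_alert(line)
        if alert is None or alert["sid"] in noisy_sids:
            continue
        hosts = (ipaddress.ip_address(alert["src"]), ipaddress.ip_address(alert["dst"]))
        if any(h in net for h in hosts for net in nets):
            kept.append(alert)
    return kept


if __name__ == "__main__":
    for a in correlate(SAMPLE_ALERTS, ["192.168.1.0/24"]):
        print(a["ts"], a["iface"], a["sid"], a["msg"], a["src"], "->", a["dst"])
```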

----------

## flakzeus

Any news on how the ebuild is going? I've tried to install OpenSIMS for about 8 hours and I can't seem to get it running.. Every time I try to access the opensims/test directory I get HTTP Status 404 from tomcat... I checked the /opt/tomcat5/webapps/opensims directory and there was nothing in it which is the problem..but I do not know a lot about tomcat or ant/java so I'm lost   :Very Happy:  if anyone could help that would be great

thanks.

----------

