FlowBAT
  • Home
  • About FlowBAT
  • Blog
  • Download
  • Installation
  • User Manual
  • Support

FlowBAT on a Box Installation

The easiest way to get started with FlowBAT is to configure a "FlowBAT On a Box" system. This is a single system (virtual or physical) that runs both FlowBAT and the SiLK database it queries. If you'd like to set up a system from scratch using this method, you can use the shell scripts we've written for you. There are two scripts to run, and both can be retrieved from our Downloads page:

  1. Install Silk on a Box
  2. Install FlowBAT

If you already have SiLK installed, you can skip to the Installing FlowBAT section.

Installing SiLK

In order for FlowBAT to function, it must have the ability to access a SiLK database and SiLK analysis tools. In this version of the installation, you can install SiLK and all of its dependencies by running the SiLK on a Box script.

Once you've downloaded the silkonabox.sh script from the Downloads page, place it in your home directory and assign execute permissions.
wget https://raw.githubusercontent.com/chrissanders/FlowBAT/master/support/silkonabox.sh
chmod +x silkonabox.sh
Next, run the script. 
./silkonabox.sh
This will take several minutes to complete, and Internet access is required to download the necessary packages and dependencies. The installation process requires administrative privileges, so the account you run the script from should be root or be able to sudo; you may be prompted for your password. Because the script runs commands as root, read through it before executing it so you know what it will change on the system. During the installation you will be prompted to confirm the installation, provide the interface you wish to monitor, and confirm whether you want to start flow collection at boot. Once the installation has finished, you should see a screen similar to the one shown here:
(Figure: Notification that SiLK and YAF were successfully installed.)
It's a good idea to write down the location of the SiLK configuration files. You will need this information to complete FlowBAT setup.

In order to ensure that SiLK is running properly, you should generate some traffic and then check to see that flow records were generated. The easiest way to do this is to ping an external host:
ping 4.2.2.1 -c4
It can take SiLK 5-10 minutes to process this traffic and write it out as queryable flow records. After that time has elapsed, you can query the data from the command line with the following command (with no date options, rwfilter searches only the current day's data):
rwfilter --proto=0-255 --type=all --pass=stdout | rwcut
You should see a series of flow records displayed, similar to the figure below.
(Figure: Getting flow records back means that installation was successful.)
If you've gotten flow records back, then SiLK is up and running. You can proceed to installing FlowBAT now, but it is a good idea to first tune SiLK's sensors.conf to your network ranges, since that is what lets SiLK classify flows as inbound or outbound. Open /data/sensors.conf in your favorite text editor and edit the ipblocks values to include your internal IP ranges. You can add multiple ipblocks lines as needed.
(Figure: The sample sensors.conf that is installed. You will want to customize this for your network.)
Once you've edited sensors.conf, you will need to restart SiLK's rwflowpack service, since it reads the file only at startup. Kill the running rwflowpack process and start it again with the rwflowpack command line found in /etc/rc.local.
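Before restarting rwflowpack it is worth confirming that every ipblocks entry you added parses as a CIDR block (a typo silently turns your internal ranges into "external" traffic), and afterwards that flows are actually arriving in the window you expect. The following is an added shell example, not part of FlowBAT or the SiLK on a Box script, that does both. The sensors.conf excerpt it validates is constructed for the example and is not the file the script installs; the rwfilter/rwcut invocation assumes the SiLK on a Box layout with the SiLK tools on PATH and GNU date; the function names valid_cidr, list_ipblocks, check_ipblocks and recent_flows are chosen here.

```shell
#!/bin/sh
# Added example, not part of FlowBAT or the SiLK on a Box script.
# 1) validate the ipblocks entries in a sensors.conf before restarting
#    rwflowpack; 2) pull the flows SiLK has packed in the last N minutes.
# Assumes the SiLK on a Box layout (/data/sensors.conf, SiLK tools on PATH).

# 0 if $1 is a well-formed IPv4 CIDR block (a.b.c.d/n with n in 0..32), else 1.
valid_cidr() {
    case "$1" in
        */*) ;;
        *)   return 1 ;;        # no prefix length at all
    esac
    addr=${1%/*}
    plen=${1#*/}
    case "$plen" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$plen" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.
    set -- $addr                # split into octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print every block listed on an "ipblocks" line of $1, one per line.
list_ipblocks() {
    awk '$1 == "ipblocks" { for (i = 2; i <= NF; i++) print $i }' "$1"
}

# Report each block as ok/BAD; non-zero exit if any block is malformed.
check_ipblocks() {
    rc=0
    for block in $(list_ipblocks "$1"); do
        if valid_cidr "$block"; then
            echo "ok   $block"
        else
            echo "BAD  $block" >&2
            rc=1
        fi
    done
    return $rc
}

# Flows packed in the last N minutes (default 15). rwfilter with no date
# option only looks at today's files, so pin the window explicitly.
recent_flows() {
    minutes=${1:-15}
    command -v rwfilter >/dev/null 2>&1 || { echo "rwfilter not on PATH" >&2; return 2; }
    start=$(date -u -d "$minutes minutes ago" '+%Y/%m/%d:%H')   # GNU date
    end=$(date -u '+%Y/%m/%d:%H')
    rwfilter --start-date="$start" --end-date="$end" \
             --type=all --proto=0-255 --pass=stdout |
        rwcut --fields=sIP,dIP,sPort,dPort,protocol,packets,bytes,sTime,type
}

# Demo on a constructed sensors.conf excerpt (not the file the script installs).
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
group my-network
    ipblocks 192.168.0.0/16 10.0.0.0/8
    ipblocks 172.16.0.0/12
end group
EOF
check_ipblocks "$SAMPLE_CONF" && echo "sensors.conf ipblocks look sane"
rm -f "$SAMPLE_CONF"
# On the SiLK host, after restarting rwflowpack:  recent_flows 15
```

Run check_ipblocks /data/sensors.conf on the SiLK host before restarting rwflowpack; once it is back up and a few minutes have passed, recent_flows should return records whose type column shows in/out rather than only ext2ext if your ipblocks cover the hosts you pinged from.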

Installing FlowBAT

With SiLK installed, you can now install FlowBAT using the installation shell script we've provided. You can obtain this script from our Downloads page. Once downloaded, assign the script execute permissions. This example uses our Ubuntu installation script; if you are using another script, substitute the appropriate file name. As with the SiLK script, review it before running it, since it installs packages and runs commands with sudo.
wget https://raw.githubusercontent.com/chrissanders/FlowBAT/master/support/install_flowbat_ubuntu.sh
chmod +x install_flowbat_ubuntu.sh
Next, place the script in the directory you wish to install FlowBAT into, and run the script: 
./install_flowbat_ubuntu.sh
Once executed, the installation script will perform the following actions:
  • Install prerequisites that are required (git, curl, openssh, sshpass, etc)
  • Install NodeJS, Meteor, and MongoDB
  • Clone the FlowBAT repository from Github
  • Configure FlowBAT, Build the Application, Deploy It, and Run It

Administrative privileges are required to complete the installation, so you might be prompted for your password in order to run commands with sudo. Once the installation is complete, you should see a screen similar to what is shown below. If installation fails, please e-mail support with a description of any error messages that are provided. 
(Figure: Notification that FlowBAT was installed successfully and is running.)

Configuring FlowBAT

After you've installed FlowBAT, you can reach it in your web browser by pointing it at port 1800 on the FlowBAT host. For instance, if you've installed FlowBAT on a device with the IP address 192.168.1.100, you can access FlowBAT at http://192.168.1.100:1800. When you access FlowBAT for the first time, you will be prompted to enter some basic configuration details. First, you will need to provide your e-mail address, name, and a password. You will use this username and password to access FlowBAT, so remember it! Note that whoever reaches the page first is the one who creates this account, and that the connection is plain HTTP, so complete this step as soon as installation finishes and keep port 1800 reachable only from networks you trust.
(Figure: Creating a FlowBAT user account.)
After creating your username and password, you will have to configure how FlowBAT accesses the SiLK database. There are two options:
  1. Local Install (Default): FlowBAT is installed directly on the system containing the SiLK database
  2. Remote Install: FlowBAT accesses a SiLK database over the network via SSH

Local Install
The local installation is the default option. In order to configure FlowBAT to access a local SiLK database, you need to provide only two pieces of information:
  • SiLK Site Configuration File: The full path to the silk.conf configuration file. This is /data/silk.conf if you've used our SiLK on a Box configuration script.
  • SiLK Root Directory: The directory containing SiLK data files. This is /data if you've used our SiLK on a Box configuration script.

(Figure: Configuring a local FlowBAT installation.)

After providing these values, click "Finish Setup." FlowBAT will test access to the SiLK database, and if everything works successfully, you will be presented with the main FlowBAT dashboard. At this point, setup is complete.

Remote Install
In most production environments, you will likely be installing FlowBAT on a system that is separate from your main SiLK database. In that case, you configure FlowBAT for a remote installation that relies on SSH to communicate with the system hosting the SiLK database. This requires that SSH keys be set up to allow that communication. To do this, complete the following steps:

Step One: Generate a new public/private key pair on the FlowBAT server (you may want to create a new user account just for this purpose, so the private key is not readable by other users of that system). Because FlowBAT uses the key unattended, it cannot have a passphrase; protect the private key file with restrictive permissions instead. The commands below name the key id_rsa_for_silk; substitute whatever name you choose.
ssh-keygen -t rsa -b 4096 -N "" -f ~/.ssh/id_rsa_for_silk
Step Two: Send the corresponding public key file to the SiLK server. You will be prompted for that user's password.
ssh-copy-id -i ~/.ssh/id_rsa_for_silk.pub Username@SilkServerIP
Step Three: Verify that you can log in to the SiLK server from the FlowBAT server without a password being required (BatchMode makes ssh fail rather than prompt if key authentication is not working).
ssh -i ~/.ssh/id_rsa_for_silk -o BatchMode=yes Username@SilkServerIP
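The three steps above, plus the hardening a practitioner would add, as an added shell example that is not part of FlowBAT: it generates the passphrase-less key, installs the public key on the SiLK server with authorized_keys options that pin it to the FlowBAT server's address and disable forwarding (ssh-copy-id would install it unrestricted), checks the private key's file mode, and verifies that a non-interactive login can reach the SiLK tools. The key path, the "flowbat-to-silk" comment, the sample public key and the function names are choices made for this example; that FlowBAT keeps working with the from= and no-*-forwarding options is an assumption to confirm against your version.

```shell
#!/bin/sh
# Added example, not FlowBAT's own tooling: create and restrict the SSH key
# that FlowBAT's remote-install mode uses to run SiLK tools over SSH.
# Assumptions: key path ~/.ssh/id_rsa_for_silk (the name the page uses), an
# account on the SiLK server that may run rwfilter, and the FlowBAT server's
# IP supplied by the caller. The authorized_keys options used are standard
# OpenSSH; confirm your FlowBAT version still works with them.

KEY=${KEY:-$HOME/.ssh/id_rsa_for_silk}

# Step one: key pair without a passphrase (FlowBAT uses it unattended).
# Refuses to overwrite an existing key.
generate_silk_key() {
    if [ -e "$KEY" ]; then
        echo "key already exists: $KEY" >&2
        return 1
    fi
    ssh-keygen -t rsa -b 4096 -N '' -C 'flowbat-to-silk' -f "$KEY"
}

# The private key is only as safe as its file mode: no group/other bits.
key_mode_is_private() {
    perms=$(ls -l "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# authorized_keys line for the SiLK server: the public key prefixed with
# options that pin it to the FlowBAT server ($1) and disable forwarding.
restricted_authorized_key() {   # $1 = FlowBAT server IP, $2 = public key text
    printf 'from="%s",no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' "$1" "$2"
}

# Step two: install the restricted line on the SiLK server. Prompts for the
# account's password once; after that, key authentication takes over.
install_silk_key() {            # $1 = FlowBAT server IP, $2 = user@SilkServerIP
    line=$(restricted_authorized_key "$1" "$(cat "$KEY.pub")")
    printf '%s\n' "$line" |
        ssh "$2" 'umask 077; mkdir -p ~/.ssh; cat >> ~/.ssh/authorized_keys'
}

# Step three: confirm a non-interactive login works and the SiLK tools are
# reachable; BatchMode makes ssh fail instead of prompting if the key is wrong.
verify_silk_ssh() {             # $1 = user@SilkServerIP
    key_mode_is_private "$KEY" || { echo "fix permissions: chmod 600 $KEY" >&2; return 1; }
    ssh -i "$KEY" -o BatchMode=yes -o PasswordAuthentication=no "$1" \
        'rwfilter --version >/dev/null 2>&1 && echo "SiLK tools reachable"'
}

# Demo with a constructed public key (not a real key). The network steps
# (generate_silk_key, install_silk_key, verify_silk_ssh) are only run when
# an operator calls them explicitly.
SAMPLE_PUB='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0example flowbat-to-silk'
restricted_authorized_key 192.168.1.100 "$SAMPLE_PUB"
```

Typical use on the FlowBAT server is generate_silk_key, then install_silk_key 192.168.1.100 Username@SilkServerIP, then verify_silk_ssh Username@SilkServerIP. If FlowBAT's SSH session stops working after the restriction is applied, remove the from= option first, since a NAT or secondary interface between the two hosts changes the source address the SiLK server sees.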
Once SSH access has been verified, select the "Use SSH for Connecting to Server" option during FlowBAT setup and provide the following information:
  • SiLK Server IP Address: The IP address of the remote SiLK server
  • SiLK Server Port: The SSH port used by the remote SiLK server. This is normally 22 unless you are using a non-standard port.
  • SiLK Server User Account: The user account you've authorized SSH access to on the SiLK server.
  • SSH Private Key: The full local system file path to the private key generated for accessing the remote SiLK server.
  • SiLK Site Configuration File: The full path to the silk.conf configuration file. 
  • SiLK Root Directory: The directory containing SiLK data files. 
(Figure: Configuring a remote FlowBAT installation.)
After providing these values, click "Finish Setup." FlowBAT will test access to the SiLK database, and if everything works successfully, you will be presented with the main FlowBAT dashboard. At this point, setup is complete. You can change configuration options inside FlowBAT by accessing the SiLK Server Configuration page (http://flowbatserver:1800/config).

Enterprise Custom Deployments

If you are looking for a deployment that is a bit more customized, or a standalone flow collection + FlowBAT appliance, please contact us.

© 2017 Applied Network Defense
