dkindlund / honeyclient

MITRE HoneyClient Project
http://www.honeyclient.org
GNU General Public License v2.0

Firewall VM HoneyClient::FW Does not start #200

Open dkindlund opened 14 years ago

dkindlund commented 14 years ago

Hi,

I've been trying to get the HoneyClient setup to run based on the user guide: http://www.honeyclient.org/trac/wiki/UserGuide

Unfortunately the Firewall VM that I pulled and unzipped does not initialize the daemon for the HoneyClient as the guide says it should. Instead it fails giving this warning:

{{{
not ok 1 - use HoneyClient::Util::Config;
Failed test 'use HoneyClient::Util::Config;'
in /hc/startFWListener.pl at line 19.
Tried to use 'HoneyClient::Util::Config'.
Error: Can't locate HoneyClient/Util/Config.pm in @INC (@INC contains: /usr... at /hc/startFWListener/pl line 19.
BEGIN failed--compilation aborted at /hc/startFWListener.pl line 19.
Can't load HoneyClient::Util::Config package. Check to make sure the package library is correctly listed within the path.
Can't locate HoneyClient/Util/Config.pm in @INC (@INC contains: /usr... at /hc/startFWListener/pl line 21.
BEGIN failed--compilation aborted at /hc/startFWListener.pl line 21.
1..1
Looks like you failed 1 test of 1.
Looks like your test died just after 1.
}}}

Please advise.

dkindlund commented 14 years ago

Author: kindlund

You're using the latest firewall VM (v3), correct?

Basically, the code isn't running because it can't find the 'HoneyClient/Util/Config.pm' package, which should be located inside '/usr/src/honeyclient../lib' directory.

Once you've located that directory, you can start the code manually using:

/usr/bin/perl -I/usr/src/honeyclient.../lib /hc/startFWListener.pl

The start-up script should be in /etc/rc.local, I believe.

Regards,

-- Darien

dkindlund commented 14 years ago

Author: aaron.blum@gmail.com

Yes, I'm using Version 3.

When I point it at the lib directory as you indicate it now gives a warning "unable to locate specified value in variable 'log_config' using namespace HoneyClient::Util::Config' within the global configuration file (/etc/honeyclient.xml!)"

This is followed by an error stating that it cannot open the config file for log4perl/Config.pm

Later in the output it states that it can't load HoneyClient::Manager::FW.

Did I miss something or is the Firewall VM misbehaving out of the box?

dkindlund commented 14 years ago

Author: kindlund

The Firewall VM really shouldn't be faulty out of the box.

I assume you downloaded v3 from: http://honeyclient.mitre.org/firewall-3.tar.gz

Can you confirm that your checksums match the following?

{{{
$ md5sum firewall-3.tar.gz
8e67f4361e145ff1839e8e89e9d02f40  firewall-3.tar.gz
$ sha1sum firewall-3.tar.gz
67fb3f060dfa5aef926d23beb42fdbf16fa037d3  firewall-3.tar.gz
}}}

Regards,

-- Darien
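Darien's request above is the integrity check every downloaded VM image should get before it is unpacked or booted. The following is an added shell example, not part of the HoneyClient project or this thread: it compares both digests of a file against the published values and refuses with a distinct exit code on a missing file, an md5 mismatch, or a sha1 mismatch. The two expected digests in the usage line are the ones Darien posted for firewall-3.tar.gz; everything else (function names, exit codes) is this example's own choice.

```shell
#!/bin/sh
# Added example (not HoneyClient project code): verify a downloaded image
# against its published md5 and sha1 digests before trusting it.

# Print only the hex digest, dropping the file name that md5sum/sha1sum append.
md5_of()  { md5sum  "$1" | awk '{print $1}'; }
sha1_of() { sha1sum "$1" | awk '{print $1}'; }

# lower STRING: normalise a digest so that upper-case published values still match.
lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# verify_image FILE EXPECTED_MD5 EXPECTED_SHA1
# Exit status: 0 both digests match, 1 file unreadable,
#              2 md5 mismatch, 3 sha1 mismatch.
verify_image() {
    file=$1
    want_md5=$(lower "$2")
    want_sha1=$(lower "$3")

    if [ ! -r "$file" ]; then
        echo "verify_image: cannot read $file" >&2
        return 1
    fi

    got_md5=$(md5_of "$file")
    if [ "$got_md5" != "$want_md5" ]; then
        echo "verify_image: md5 mismatch for $file (got $got_md5, want $want_md5)" >&2
        return 2
    fi

    got_sha1=$(sha1_of "$file")
    if [ "$got_sha1" != "$want_sha1" ]; then
        echo "verify_image: sha1 mismatch for $file (got $got_sha1, want $want_sha1)" >&2
        return 3
    fi

    echo "verify_image: $file matches both published digests"
    return 0
}

# Usage: sh verify_image.sh /path/to/firewall-3.tar.gz
# The digests below are the values posted for firewall-3.tar.gz in this thread.
if [ "$#" -eq 1 ]; then
    verify_image "$1" \
        8e67f4361e145ff1839e8e89e9d02f40 \
        67fb3f060dfa5aef926d23beb42fdbf16fa037d3
fi
```

Checking both digests rather than one costs nothing here and means a single weak hash never has to be trusted alone; the non-zero exit codes let an unpack-and-boot script stop before the image is ever started.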

dkindlund commented 14 years ago

Author: aaron.blum@gmail.com

The checksums do indeed match. I'm using VMware Server 1.0.8 on Ubuntu 7.10 if that helps.

dkindlund commented 14 years ago

Author: aaron.blum@gmail.com

Here is the full output from the suggested command:

{{{
[root@HcHWALL roo]# /usr/bin/perl -I/usr/src/honeyclient-trunk/lib /hc/startFWListener.pl
2009-02-12 05:58:34 WARN HoneyClient::Util::Config::getVar - Warning: Unable to locate specified value in variable 'log_config' using namespace 'HoneyClient::Util::Config' within the global configuration file (/etc/honeyclient.xml)!
Use of uninitialized value in pattern match (m//) at /usr/lib/perl5/site_perl/5.8.5/Log/Log4perl/Config.pm line 536.
Use of uninitialized value in pattern match (m//) at /usr/lib/perl5/site_perl/5.8.5/Log/Log4perl/Config.pm line 567.
Use of uninitialized value in concatenation (.) or string at /usr/lib/perl5/site_perl/5.8.5/Log/Log4perl/Config.pm line 594.
Use of uninitialized value in concatenation (.) or string at /usr/lib/perl5/site_perl/5.8.5/Log/Log4perl/Config.pm line 594.
not ok 1 - use HoneyClient::Util::Config;

Failed test 'use HoneyClient::Util::Config;'

in /hc/startFWListener.pl at line 19.

Tried to use 'HoneyClient::Util::Config'.

Error: Cannot open config file '' at /usr/lib/perl5/site_perl/5.8.5/Log/Log4perl/Config.pm line 594.

Compilation failed in require at (eval 3) line 2.

BEGIN failed--compilation aborted at /hc/startFWListener.pl line 19.

Can't load HoneyClient::Util::Config package. Check to make sure the package library is correctly listed within the path.

ok 2 - use IPTables::IPv4;
not ok 3 - use HoneyClient::Manager::FW;

Failed test 'use HoneyClient::Manager::FW;'

in /hc/startFWListener.pl at line 29.

Tried to use 'HoneyClient::Manager::FW'.

Error: Can't locate HoneyClient/Manager/FW.pm in @INC (@INC contains: /usr/src/honeyclient-trunk/lib /usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi/5.8.5/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi/5.8.5 /usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi/5.8.4 /usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi/5.8.3 /usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi/5.8.2 /usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi/5.8.1 /usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi/5.8.0 /usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.5/5.8.5/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.5/5.8.5 /usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.5/5.8.4 /usr/lib/perl5/site_perl/5.8.5/5.8.3 /usr/lib/perl5/site_perl/5.8.5/5.8.2 /usr/lib/perl5/site_perl/5.8.5/5.8.1 /usr/lib/perl5/site_perl/5.8.5/5.8.0 /usr/lib/perl5/site_perl/5.8.5 /usr/lib/perl5/5.8.5/i386-linux-thread-multi /usr/lib/perl5/5.8.5 /usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.4/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.3/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.2/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.5 /usr/lib/perl5/site_perl/5.8.4 /usr/lib/perl5/site_perl/5.8.3 /usr/lib/perl5/site_perl/5.8.2 /usr/lib/perl5/site_perl/5.8.1 /usr/lib/perl5/site_perl/5.8.0 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.8.5/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.4/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.3/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.2/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.1/i386-linux-thread-multi 
/usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.5 /usr/lib/perl5/vendor_perl/5.8.4 /usr/lib/perl5/vendor_perl/5.8.3 /usr/lib/perl5/vendor_perl/5.8.2 /usr/lib/perl5/vendor_perl/5.8.1 /usr/lib/perl5/vendor_perl/5.8.0 /usr/lib/perl5/vendor_perl .) at (eval 28) line 2.

BEGIN failed--compilation aborted at /hc/startFWListener.pl line 29.

Can't load HoneyClient::Manager::FW package. Check to make sure the package library is correctly listed within the path.

Can't locate HoneyClient/Manager/FW.pm in @INC (@INC contains: /usr/src/honeyclient-trunk/lib /usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi/5.8.5/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi/5.8.5 /usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi/5.8.4 /usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi/5.8.3 /usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi/5.8.2 /usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi/5.8.1 /usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi/5.8.0 /usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.5/5.8.5/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.5/5.8.5 /usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.5/5.8.4 /usr/lib/perl5/site_perl/5.8.5/5.8.3 /usr/lib/perl5/site_perl/5.8.5/5.8.2 /usr/lib/perl5/site_perl/5.8.5/5.8.1 /usr/lib/perl5/site_perl/5.8.5/5.8.0 /usr/lib/perl5/site_perl/5.8.5 /usr/lib/perl5/5.8.5/i386-linux-thread-multi /usr/lib/perl5/5.8.5 /usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.4/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.3/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.2/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.5 /usr/lib/perl5/site_perl/5.8.4 /usr/lib/perl5/site_perl/5.8.3 /usr/lib/perl5/site_perl/5.8.2 /usr/lib/perl5/site_perl/5.8.1 /usr/lib/perl5/site_perl/5.8.0 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.8.5/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.4/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.3/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.2/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.1/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi 
/usr/lib/perl5/vendor_perl/5.8.5 /usr/lib/perl5/vendor_perl/5.8.4 /usr/lib/perl5/vendor_perl/5.8.3 /usr/lib/perl5/vendor_perl/5.8.2 /usr/lib/perl5/vendor_perl/5.8.1 /usr/lib/perl5/vendor_perl/5.8.0 /usr/lib/perl5/vendor_perl .) at /hc/startFWListener.pl line 31.
BEGIN failed--compilation aborted at /hc/startFWListener.pl line 31.
1..3

Looks like you failed 2 tests of 3.

Looks like your test died just after 3.

[root@HcHWALL roo]#
}}}

Here are the checksums for the image:

{{{
root@ubuntu:~# md5sum /opt/firewall-3.tar.gz
8e67f4361e145ff1839e8e89e9d02f40  /opt/firewall-3.tar.gz
root@ubuntu:~# sha1sum /opt/firewall-3.tar.gz
67fb3f060dfa5aef926d23beb42fdbf16fa037d3  /opt/firewall-3.tar.gz
root@ubuntu:~#
}}}

Is there some configuration of the VM that I might have missed?

dkindlund commented 14 years ago

Author: kindlund

The script should have loaded upon start up, automatically. As a quick solution, try this:

{{{
cd /usr/src/honeyclient-trunk/
/usr/bin/perl -Ilib /hc/startFWListener.pl
}}}

If that doesn't work, and you get the same error message as before, verify that (/usr/src/honeyclient-trunk/etc/honeyclient.xml) file exists and is not empty.

Regards,

-- Darien
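The two checks Darien asks for in this reply (is the module tree actually under the `-I` directory, and does honeyclient.xml exist with content) are worth scripting as a pre-flight step so the listener is only launched when they pass. This is an added shell example, not the project's own start-up script: the module names are the ones from the failing `use` lines in the thread and the launch command is Darien's, while the function names, the exit-code convention and the config path passed on the command line are this example's assumptions.

```shell
#!/bin/sh
# Added example (not HoneyClient project code): pre-flight checks before
# starting /hc/startFWListener.pl.

# module_path LIBDIR Module::Name
# Print the file that "perl -I LIBDIR" must be able to find for that module,
# i.e. LIBDIR/Module/Name.pm ("::" becomes a directory separator).
module_path() {
    printf '%s/%s.pm\n' "$1" "$(printf '%s' "$2" | sed 's#::#/#g')"
}

# preflight LIBDIR CONFIG MODULE...
# Report every module missing under LIBDIR and a missing or empty CONFIG.
# Returns the number of problems found, so 0 means "ready to start".
preflight() {
    lib=$1
    cfg=$2
    shift 2
    problems=0

    for mod in "$@"; do
        path=$(module_path "$lib" "$mod")
        if [ ! -f "$path" ]; then
            echo "preflight: missing module $mod (expected at $path)"
            problems=$((problems + 1))
        fi
    done

    # test -s is true only for an existing file whose size is greater than zero,
    # which is exactly the "exists and is not empty" condition.
    if [ ! -s "$cfg" ]; then
        echo "preflight: config file missing or empty: $cfg"
        problems=$((problems + 1))
    fi

    return "$problems"
}

# Usage (paths as used in this thread):
#   sh preflight.sh /usr/src/honeyclient-trunk/lib /usr/src/honeyclient-trunk/etc/honeyclient.xml
# The listener is only exec'ed when every check passes.
if [ "$#" -eq 2 ]; then
    preflight "$1" "$2" HoneyClient::Util::Config HoneyClient::Manager::FW \
        && exec /usr/bin/perl -I"$1" /hc/startFWListener.pl
fi
```

Running the file checks first turns the long `@INC` dump in the thread into a one-line "missing module X (expected at PATH)" message, which points directly at the directory that needs fixing.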

dkindlund commented 14 years ago

Author: aaron.blum@gmail.com

Identical output as before when running the command. The file honeyclient.xml does exist and is not empty:

{{{
[root@HcHWALL honeyclient-trunk]# ls -l /usr/src/honeyclient-trunk/etc/honeyclient.xml
-rw-r----- 1 root root 31185 Feb 12 05:47 /usr/src/honeyclient-trunk/etc/honeyclient.xml
}}}

dkindlund commented 14 years ago

Author: kindlund

Okay, I need a little more information; do the following:

{{{
cd /usr/src/honeyclient-trunk/
svn info
svn status
}}}

And paste the output of those commands. That will tell me if the codebase has changed from the default at all.

Regards,

-- Darien

dkindlund commented 14 years ago

Author: aaron.blum@gmail.com

Output below (the svn status command had no output):

{{{
[root@HcHWALL honeyclient-trunk]# cd /usr/src/honeyclient-trunk/
[root@HcHWALL honeyclient-trunk]# svn info
Path: .
URL: svn://svn.honeyclient.org/honeyclient/trunk
Repository UUID: 143ac459-0e48-db11-92d1-000d614347cd
Revision: 2024
Node Kind: directory
Schedule: normal
Last Changed Author: kindlund
Last Changed Rev: 2022
Last Changed Date: 2009-02-04 14:46:41 -0500 (Wed, 04 Feb 2009)
Properties Last Updated: 2007-11-29 10:03:54 -0500 (Thu, 29 Nov 2007)

[root@HcHWALL honeyclient-trunk]# svn status
[root@HcHWALL honeyclient-trunk]#
}}}

dkindlund commented 14 years ago

Author: kindlund

Okay, that's the problem. By default, if the firewall VM is connected to the internet, it would perform an 'svn update' of the codebase. I thought this capability was disabled, but I guess it was still present in v3.

Here's the fix:

  1. Revert back to your original firewall-3.tar.gz VM
  2. Disconnect the firewall VM from the network
  3. Start up the VM
  4. When the VM starts, it will try to do an SVN update and timeout
  5. Then you can edit the /hc/startFWListener.sh script and comment out the 'svn update' call so that future reboots do not affect it

-- Darien

dkindlund commented 14 years ago

Author: aaron.blum@gmail.com

Thank you, that did it. :)

dkindlund commented 14 years ago

Author: kindlund

Okay; glad that worked.

-- Darien

dkindlund commented 14 years ago

Author: ahall@westcoast.com

I've tried the aforementioned solution in starting startFWListener.pl but the issue appears to reoccur at every restart of the firewall. I've reverted to the firewall-3 tar - disconnecting my system from the internet and after the firewall VM starts I'm able to see the FWListener running and I have commented out the svn update entry in the /hc/startFWListener script. When I reconnect my system to the Internet and start the firewall it's as if I've made no changes as the firewall VM continues to perform the svn updates and my changes to the script no longer exist. What could possibly be causing this to happen?

dkindlund commented 14 years ago

Author: aaron.blum@gmail.com

Sounds like your VM image is set to non-persistent. Make sure that the image is in persistent state when you make these changes otherwise vmware will simply discard them when you shut down the firewall.

dkindlund commented 14 years ago

Author: kindlund

Aaron is correct; it sounds like your firewall VM is currently marked as non-persistent, which causes all changes to be discarded. If you're confident that this is not the problem, then please paste or attach the corresponding firewall .cfg or .vmx configuration file for further troubleshooting.

Replying to [comment:13 ahall@westcoast.com]:

> I've tried the aforementioned solution in starting startFWListener.pl but the issue appears to reoccur at every restart of the firewall. I've reverted to the firewall-3 tar - disconnecting my system from the internet and after the firewall VM starts I'm able to see the FWListener running and I have commented out the svn update entry in the /hc/startFWListener script. When I reconnect my system to the Internet and start the firewall it's as if I've made no changes as the firewall VM continues to perform the svn updates and my changes to the script no longer exist. What could possibly be causing this to happen?
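The non-persistent disk mode Aaron and Darien suspect above can be confirmed from the .vmx file without booting the VM. The following is an added shell example, not part of the HoneyClient project or this thread: it scans a VMware .vmx for disk entries whose mode discards writes at power-off and can rewrite them to a persistent mode. It assumes VMware's .vmx key convention, where a disk's mode is a line such as `scsi0:0.mode = "independent-nonpersistent"`; the sample file embedded in the script is constructed for the example and is not a real firewall VM configuration.

```shell
#!/bin/sh
# Added example (not HoneyClient project code): detect VMware disks whose
# "nonpersistent" mode silently throws away every change (including an edit to
# /hc/startFWListener.sh) when the VM is powered off.
# Assumption: .vmx keys follow VMware's format, e.g.
#   scsi0:0.mode = "independent-nonpersistent"

# Constructed sample .vmx content for the example, not a real configuration.
SAMPLE_VMX='config.version = "8"
displayName = "honeyclient-firewall"
scsi0:0.present = "TRUE"
scsi0:0.fileName = "firewall-3.vmdk"
scsi0:0.mode = "independent-nonpersistent"
ide1:0.present = "TRUE"
ide1:0.deviceType = "cdrom-image"
ethernet0.present = "TRUE"'

# nonpersistent_disks VMXFILE
# Print the device name (e.g. scsi0:0) of every disk whose mode ends in
# "nonpersistent". Returns 1 if any such disk exists, 0 if every disk keeps
# its changes across a reboot.
nonpersistent_disks() {
    found=$(sed -n 's/^\([A-Za-z0-9:]*\)\.mode[[:space:]]*=[[:space:]]*"[a-z-]*nonpersistent".*/\1/p' "$1")
    if [ -n "$found" ]; then
        echo "$found"
        return 1
    fi
    return 0
}

# make_persistent VMXFILE
# Rewrite "independent-nonpersistent" to "independent-persistent" (and plain
# "nonpersistent" to "persistent") in place. Only do this with the VM powered
# off, since VMware rewrites the .vmx itself at shutdown.
make_persistent() {
    sed 's/"\([a-z-]*\)nonpersistent"/"\1persistent"/' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Usage: sh check_vmx.sh /path/to/firewall.vmx
if [ "$#" -eq 1 ]; then
    if nonpersistent_disks "$1"; then
        echo "$1: all disks persistent; edits will survive a reboot"
    else
        echo "$1: the disks listed above are nonpersistent; edits are discarded at power-off" >&2
    fi
fi
```

A disk in a nonpersistent mode is exactly what makes a VM "reset" to the shipped image on every boot, so when a fix such as commenting out the `svn update` line keeps disappearing, this check is the first thing to run before suspecting the script itself.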