amd64architectures are available from the following location: https://dl.farsightsecurity.com/dist/sie-dns-sensor/0.7.3-1/. These packages are compatible with Debian 7 and newer releases, as well as Ubuntu systems. After downloading the appropriate binary package, it may be installed with the package manager. For example on Debian (
amd64) systems and clones:
dpkg -i sie-dns-sensor_0.7.3-1_amd64.deb
amd64architectures and compiled separately for the EL5 and EL6 releases available from the following location: https://dl.farsightsecurity.com/dist/sie-dns-sensor/0.7.3-1/. These packages are compatible with RHEL clones such as Scientific Linux and CentOS. After downloading the appropriate binary package, it may be installed with the package manager. For example on Red Hat EL6 (
x86_64) systems and clones:
rpm -i sie-dns-sensor-0.7.3-1.el6.x86_64.rpm
pkg install nmsg wrapsrv bash rsync
sie-scriptstarball from the following location: https://dl.farsightsecurity.com/dist/sie-scripts/. Extract the tarball and change into the top-level directory of the extracted tarball and then perform the following steps:
make -f Makefile.freebsd install
cp examples/dns-cache /usr/local/etc/sie/dns-cache
cp initscripts/freebsd/sie_dns_sensor.sh /usr/local/etc/rc.d/sie_dns_sensor
chmod +x /usr/local/etc/rc.d/sie_dns_sensor
sie-dns-sensorrequires further configuration after installation.
/usr/local/etc/sie/dns-cacheon FreeBSD). If necessary, edit the interface variable, which specifies the network interface on which to monitor DNS traffic. By default the "promiscuous" capture mode is not enabled. Append a "+" character to the interface name to enable promiscuous mode. Promiscuous mode is required when monitoring a network tap.
DNSQR_RES_ADDRSvariable must also be set to a list of one or more comma-separated IP addresses or network prefixes to be monitored. Some example values for this variable are:
DNSQR_RES_ADDRSvariable is new in
sie-dns-sensor0.6.16 and later and replaces the
bpfpat_dstvariables in previous versions. The config file must be updated to use the new syntax when upgrading from a previous version.
sie-dns-sensorpackage has a built-in uploader that will send captured data to the Farsight Passive DNS project. The uploader uses an SSH encrypted connection on port
49222to transfer data. Make sure that no firewall rules prevent outbound connections on this port to Farsight's servers. The upload keypair is stored in the
/var/spool/sie/keysdirectory in the files
upload(private key) and
upload.pub(public key). Run the
sie-gen-keycommand to generate a keypair. If
sie-dns-sensoris installed on multiple servers, please copy the same keypair to each server instead of creating a separate keypair for each server.
/var/spool/sie/keys/upload.pubfile) as an attachment to firstname.lastname@example.org and include the IPv4 and/or IPv6 addresses that your sensor(s) will inititiate data uploads from. A username will be assigned and the login variable in the
/etc/default/sie-dns-sensorconfig file must be set to this value.
/etc/default/sie-dns-sensorconfig file. Additionally, data files can be saved to disk by setting
archive="yes", in which case the rotated data files will be saved to the
sie:prefix upon upload success or failure. The syslog priority can be configured by setting the
sie-dns-sensoruses the standard init system on Linux and FreeBSD, and will be configured automatically to start at boot and stop at shutdown.
service sie-dns-sensor start
service sie-dns-sensor stop
service sie-dns-sensor restart
dpkg -P sie-dns-sensor
rpm -e sie-dns-sensor rm -f /etc/default/sie-dns-sensor.rpmsave
pkg deleteto remove any of the prerequisite packages that were installed and which are not needed for other purposes on the machine.
rm -r /usr/local/etc/sie rm /usr/local/etc/rc.d/sie_dns_sensor rm -r /usr/local/lib/sie
/var/spool/siedirectory will need to be removed manually.
sie-dns-sensorbinary packages for Debian and Red Hat include a stripped down version of the
nmsgtoolutility specially tailored for the passive DNS sensor software role. As of
sie-dns-sensorversion 0.7.3-1, these components are installed in a dedicated path, either
/usr/lib64/sie-dns-sensordepending on platform, and will not conflict with an installation of
nmsgon the same system.
nmsgtool, and related components, see the Security Information Exchange (SIE) on Debian, Security Information Exchange (SIE) on CentOS / RHEL, and Security Information Exchange (SIE) on FreeBSD pages.