Saturday, September 08, 2012

Network Miner Updating on Ubuntu 12.04

I keep a Ubuntu 12.04 build updated and running to stay current with Linux things. Besides a few disk and sector-editing applications, I also keep a copy of Xplico present. Now that Network Miner is supported in Mono on Linux, I run it as well in Ubuntu.

So when Network Miner was recently updated and released at version 1.4.1, I downloaded it in both the Windows binary as well as in my (VirtualBox) Ubuntu system.

After I got done updating it in Ubuntu, though, it didn’t start so well.

    Unable to start NetworkMiner
    Access to the path “/opt/NetworkMiner 1-4-1/AssembledFiles/cache” is denied.

For kicks I relaunched the version 1.3 of NetworkMiner I was previously running and it did fine.


So what the haps Ubuntu/Network Miner?

Turns out it was (again) my noobie Ubuntu skills.

Going back to the original “how-to” post from December 2011 on getting NetworkMiner to work on Linux, this is what I did originally to get NetworkMiner working.

First I copied the following text as a block-copy from the post above, making a few minor changes to reflect the new version.

    wget -O /tmp/
    sudo unzip /tmp/ -d /opt/
    cd /opt/NetworkMiner_1-4-1
    sudo chmod +x NetworkMiner.exe
    sudo chmod -R go+w AssembledFiles/
    sudo chmod -R go+w Captures/
    mono NetworkMiner.exe

Note I left off the first line of the original text since I had Mono already installed. I also modified the third line above to point to what I believed would be the correct build number, based on the NetworkMiner-1.4.1 page.

I then pasted that block text into a terminal session (which has generally worked before) and let it rip.

I thought it did everything required.

I then launched it from the terminal:

    mono /opt/NetworkMiner_1-4-1/NetworkMiner.exe

Which got me the error.


I quickly realized my mistake(s).

I was being lazy and copy/pasting the block and expecting it to execute in sequence. In this case…wrong! A review of the terminal output showed that it halted after unzipping the package.

I next needed to manually run the additional commands:

    cd /opt/NetworkMiner_1-4-1
    sudo chmod +x NetworkMiner.exe
    sudo chmod -R go+w AssembledFiles/
    sudo chmod -R go+w Captures/
    mono NetworkMiner.exe

That did the trick.


If I hadn’t been so excited about trying to get the new version running and had read the NetSec post carefully, I would have realized this bit was important:

The reason for setting write permission to the AssembledFiles folder is because this is the directory to where extracted files are written. If you prefer to instead have the files extracted to /tmp or the user's home directory, then simply move the AssembledFiles directory to your desired location and create a symlink to it in the NetworkMiner directory (hat tip to Lenny Zeltser for this idea).

Another way that seems to work, without those extra lines, is to just run this command after first unzipping to the /opt/ location:

    sudo unzip /tmp/ -d /opt/

    sudo mono /opt/NetworkMiner_1-4-1/NetworkMiner.exe

Running it in an elevated “sudo” session at first could be “risky” but seems to set the required permissions OK.

Then close it and relaunch it from then on with this command:

    mono /opt/NetworkMiner_1-4-1/NetworkMiner.exe
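As an added example (not code from the original post, NetworkMiner or NetResec), here is a small POSIX shell script that implements the symlink alternative quoted from the NetSec post above, so the directories NetworkMiner writes to never have to be world-writable under /opt and mono never has to run under sudo; it also includes a preflight check for the exact "Access to the path .../AssembledFiles/cache is denied" condition. The install layout (AssembledFiles/, Captures/) is the one from the post; the per-user data directory path and the script name nm_setup.sh are my own assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post, NetworkMiner or NetResec.
# Implements the symlink alternative quoted from the NetSec post: the two
# directories NetworkMiner writes to are moved into a per-user data directory
# and symlinks are left in the install dir, so nothing under /opt needs
# "chmod -R go+w" (world-writable) and mono never needs to run under sudo.
# Assumes the 1.4.1 zip layout (AssembledFiles/, Captures/); DATA_DIR is my choice.
set -e

# relocate_dir INSTALL_DIR NAME DATA_DIR
# Moves INSTALL_DIR/NAME into DATA_DIR/NAME (keeping anything already
# extracted) and replaces it with a symlink. Re-running is harmless. Under
# sudo, DATA_DIR is handed back to the invoking user for unprivileged runs.
relocate_dir() {
    src="$1/$2"; dst="$3/$2"
    if [ ! -L "$src" ]; then
        mkdir -p "$dst"
        if [ -d "$src" ]; then
            cp -R "$src"/. "$dst"/   # preserve earlier extractions
            rm -rf "$src"
        fi
        ln -s "$dst" "$src"
    fi
    if [ -n "${SUDO_USER:-}" ]; then
        chown -R "$SUDO_USER" "$3"
    fi
}

# preflight_check INSTALL_DIR
# Tests, as the current user and before mono starts, the condition behind
# "Access to the path .../AssembledFiles/cache is denied": every directory
# NetworkMiner writes to must be creatable and writable. Returns 0 when a
# plain "mono NetworkMiner.exe" should start cleanly, 1 otherwise.
preflight_check() {
    for d in "$1/AssembledFiles/cache" "$1/Captures"; do
        mkdir -p "$d" 2>/dev/null || return 1
        [ -w "$d" ] || return 1
    done
    return 0
}

# Once, with sudo because /opt is root-owned:
#   sudo sh nm_setup.sh /opt/NetworkMiner_1-4-1 /home/<you>/NetworkMiner
# Afterwards, launch unprivileged every time:
#   preflight_check /opt/NetworkMiner_1-4-1 && mono /opt/NetworkMiner_1-4-1/NetworkMiner.exe
if [ "$#" -eq 2 ]; then
    relocate_dir "$1" AssembledFiles "$2"
    relocate_dir "$1" Captures "$2"
    echo "NetworkMiner data dirs for $1 now live in $2"
fi
```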

Anyway, it was a noobie Ubuntu user mistake, but hopefully this post will help make future NetworkMiner updates a bit smoother. Just be sure to change the version number in the lines you use above accordingly.


--Claus V.

PS -- I just found this morning upon launching VirtualBox that yesterday Oracle released VirtualBox 4.1.22 (ChangeLog).

Go download it and the matching “Extension Pack” when you have a chance…


Doug Burks said...

Hi Claus,

I've packaged NetworkMiner for my new version of Security Onion, based on Ubuntu 12.04. Any standard Ubuntu flavor (Ubuntu, Kubuntu, Xubuntu, Lubuntu, etc.) should be able to add our PPA and install the package with the following one-liner:

    sudo add-apt-repository -y ppa:securityonion/test && sudo apt-get update && sudo apt-get -y install securityonion-networkminer

A few things to note:

- it will install to /opt/networkminer/
- I include a simple bash script that will invoke mono for you, so you can just run:
(and you can include a pcap file for NetworkMiner to open automatically)
- this allows us to do things like right-click an IDS alert in Sguil and send the entire stream to NetworkMiner for analysis :)

Please let me know what you think!

Doug Burks

Claus said...

@ Doug - Thanks for the additional feedback.

I really love NetworkMiner and though the majority of my usage is in Windows, having it side-by-side with Xplico in my Ubuntu build lets me do some comparative analysis and look at the pcap from different viewpoints in case I miss something important.

The one-liner script you have is really awesome!

It is contributions like this that make working in (and learning) Ubuntu so pleasing and encouraging!

Nothing is more frustrating than to be pretty darn good in Windows, and then transition into another OS and know what you want to do, have a general idea of how you should do it, but just seem to be missing the final bit due to a lack of experience.

It's fun learning however!

Now if we can just get Erik Hjelmvik to consider adding this great process to his Mono page for NetworkMiner so others can enjoy a more streamlined installation/updating process...or at least as an alternative method for us Ubuntu noobs!

Claus V.

Doug Burks said...

I've already been talking to Erik about that. Stay tuned! :)

Claus said...

@ Doug -- Looks like you were busy!

I just was processing through the RSS feed stack and couldn't help but grin to myself when I saw this NetResec blog post in the feed pile tonight.

Install NetworkMiner with apt-get - NETRESEC Blog

This definitely counts in my book as a Good Thing that benefits the NFAT community greatly.

It recalls a conversation thread I had with Gianluca Costa of Xplico regarding the hope of having a similar process for getting/updating Xplico in Ubuntu.

That bore fruit as well:

Install Xplico From SourceForge - Xplico Wiki

I cannot express just how much these small and well laid out "apt-get" routines mean to those like me who can and want to use the tools outside of Windows but haven't quite mastered some of the knowledge to install these programs in Ubuntu.

Well Done!

--Claus V.

Doug Burks said...

Yep, we've got Xplico in our repo as well :)

Doug Burks said...

Just in case you didn't notice, I should also mention that we now have a "stable" repo that users should use instead of the "test" repo. So the install command (as listed in Erik's blog post) is now:

    sudo add-apt-repository -y ppa:securityonion/stable && sudo apt-get update && sudo apt-get -y install securityonion-networkminer

Rob Salmond said...

Just a heads up to anyone giving this method a go: as of this post the securityonion PPA repo does not have 12.10 (quantal) packages, so this will only work with 12.04.