OURMON Installation and Configuration on FreeBSD 7 with Multi-threading Support

OURMON is an open source network monitoring and anomaly detection system. It is very useful for a web hosting provider or Internet Service Provider to study the behaviour of their network and to detect network attacks such as DoS or DDoS.

Besides studying your network behaviour, it can also analyze protocol activity, TCP worm activity, P2P activity and so on.

Here is the step-by-step OURMON installation and configuration on FreeBSD with multi-threading support.

The OURMON source package can be downloaded from the official SourceForge download page. I strongly suggest not installing OURMON from the ports tree (the port lags well behind upstream releases). Before proceeding with the source install, several dependencies need to be installed from ports;

PCRE

cd /usr/ports/devel/pcre && make install clean distclean

libpcap

cd /usr/ports/net/libpcap && make install clean distclean

RRDTool

cd /usr/ports/databases/rrdtool && make install clean distclean

Apache Web Server

cd /usr/ports/www/apache20 && make install clean distclean

OURMON Installation and Configuration

After the above dependencies have been installed, we proceed with the OURMON installation and configuration;

Untar your ourmon package and you will see a folder named mrourmon. Copy the folder to /usr/local;

cp -rf mrourmon /usr/local/

To enable multi-threading support, a few changes need to be made to OURMON's Makefile.

cd /usr/local/mrourmon/src/ourmon
vi Makefile.bsd

On lines 27 and 30, uncomment the lines that look like the ones below (the line numbers refer to the Makefile.bsd shipped at the time of writing and may differ in other releases);

CFLAGS=-O4 -DBSD -DTHREAD
LFLAGS=-O4 -static -DTHREAD

Also on line 18, change BINDIR to the directory where we are going to install ourmon;

BINDIR=/usr/local/mrourmon/bin

After that, save the file and we are ready to roll: go to the OURMON root directory and run configure.pl for the installation;

cd /usr/local/mrourmon
./configure.pl

Follow the on-screen guide through the installation. Once ourmon is installed we are ready to fire it up, but one more small change is needed for the daemon to actually use multiple threads. Open the ourmon startup script and make the change below;

vi /usr/local/etc/rc.d/ourmon.sh

On line 11, add the extra argument -T 2 to the ourmon launch command so that it looks like this (bce1 is the interface being monitored here; use your own);

/usr/local/mrourmon/bin/ourmon -T 2 -a 30 -s 256 -f /usr/local/mrourmon/etc/ourmon.conf -i bce1 -D /usr/local/mrourmon/tmp &

The -T 2 argument tells the -DTHREAD build to run two ourmon worker threads; if your server has more processors you may want to raise it. After restarting, keep an eye on the server load and make sure it does not bring the box down 😉

Run top and monitor your server load.
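Rather than editing Makefile.bsd and ourmon.sh by line number, the same edits can be applied and checked with sed. The script below is an added example written for this walkthrough and is not part of the OURMON distribution. It assumes that the threaded CFLAGS/LFLAGS lines exist commented out next to the non-threaded ones in Makefile.bsd, that ourmon.sh launches the daemon on one line beginning with /usr/local/mrourmon/bin/ourmon as shown above, and that hw.ncpu gives the CPU count to use for -T; the OURMON_ROOT and OURMON_APPLY variables and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of OURMON or the original post: apply the
# Makefile.bsd and ourmon.sh edits from the walkthrough with sed and verify
# them, instead of hand-editing line numbers that shift between releases.
# Assumed layout: Makefile.bsd ships the threaded CFLAGS/LFLAGS lines
# commented out next to the non-threaded ones, and ourmon.sh starts the
# daemon on one line beginning with /usr/local/mrourmon/bin/ourmon.

OURMON_ROOT=${OURMON_ROOT:-/usr/local/mrourmon}

# enable_threads MAKEFILE
#  1. uncomment CFLAGS=/LFLAGS= lines that carry -DTHREAD
#  2. comment out any still-active CFLAGS=/LFLAGS= line without -DTHREAD
#  3. point BINDIR at our install directory
# The pristine file is kept as MAKEFILE.orig and is always the input, so
# running this twice gives the same result.
enable_threads() {
    mf=$1
    [ -f "$mf.orig" ] || cp "$mf" "$mf.orig"
    sed -e 's/^#[[:space:]]*\([CL]FLAGS=.*-DTHREAD\)/\1/' \
        -e '/-DTHREAD/!s/^[CL]FLAGS=/#&/' \
        -e "s|^BINDIR=.*|BINDIR=$OURMON_ROOT/bin|" \
        "$mf.orig" > "$mf"
}

# check_threads MAKEFILE: true only when exactly one CFLAGS and one LFLAGS
# line are active, both carry -DTHREAD, and BINDIR points at $OURMON_ROOT/bin
check_threads() {
    mf=$1
    [ "$(grep -c '^CFLAGS=' "$mf")" -eq 1 ] &&
    [ "$(grep -c '^LFLAGS=' "$mf")" -eq 1 ] &&
    grep -q '^CFLAGS=.*-DTHREAD' "$mf" &&
    grep -q '^LFLAGS=.*-DTHREAD' "$mf" &&
    grep -q "^BINDIR=$OURMON_ROOT/bin\$" "$mf"
}

# set_threads RCSCRIPT N: put "-T N" right after the ourmon binary on its
# launch line, replacing any -T that is already there
set_threads() {
    rc=$1; n=$2
    [ -f "$rc.orig" ] || cp "$rc" "$rc.orig"
    sed -e '/\/bin\/ourmon /{s/ -T [0-9][0-9]* / /;s|\(/bin/ourmon\) |\1 -T '"$n"' |;}' \
        "$rc.orig" > "$rc"
}

# thread_count: one ourmon thread per CPU, as the post suggests for boxes
# with more processors; falls back to the post's -T 2 if hw.ncpu is unreadable
thread_count() {
    n=$(sysctl -n hw.ncpu 2>/dev/null) || n=2
    case $n in
        ''|*[!0-9]*) n=2 ;;
    esac
    echo "$n"
}

# Apply for real only when asked:
#   OURMON_APPLY=makefile sh ourmon-threads.sh   (before ./configure.pl)
#   OURMON_APPLY=rc       sh ourmon-threads.sh   (after it installed ourmon.sh)
case ${OURMON_APPLY:-} in
    makefile)
        mf=$OURMON_ROOT/src/ourmon/Makefile.bsd
        enable_threads "$mf"
        check_threads "$mf" || { echo "$mf: threaded flags not active, compare with $mf.orig" >&2; exit 1; }
        ;;
    rc)
        rc=/usr/local/etc/rc.d/ourmon.sh
        set_threads "$rc" "$(thread_count)"
        grep '/bin/ourmon ' "$rc"
        ;;
esac
```

Run the makefile mode before ./configure.pl and the rc mode after it has installed /usr/local/etc/rc.d/ourmon.sh, then restart ourmon from that script. Both modes keep a .orig copy of the untouched file, so a botched edit can be diffed against it.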


Apache Configuration

By default the OURMON HTML files are installed under /usr/local/www/data/ourmon (DocumentRoot below must point at wherever the web pages ended up on your system). We suggest setting up a virtual host to reach OURMON from your browser, restricted to the addresses that are allowed to see it;

NameVirtualHost *:80

<VirtualHost *:80>
    ServerAdmin sysadm@systems.takizo.com
    ServerName ourmon.systems.takizo.com

    DocumentRoot /usr/local/mrourmon/web.pages

    <Directory "/usr/local/mrourmon/web.pages">
        AllowOverride All
        # only allow authorized IP addresses to access your OURMON
        # (Apache does not accept a comment after a directive, so keep it on its own line)
        Order Deny,Allow
        Deny from all
        Allow from 202.188.1.5
    </Directory>

    ErrorLog /var/log/ourmon-error_log
    CustomLog /var/log/ourmon-access_log common
</VirtualHost>

The <VirtualHost> and <Directory> tags are required: Order, Deny and Allow only work inside a <Directory> (or <Location>) block, and this is Apache 2.0/2.2 syntax (Apache 2.4 uses Require ip instead). Run apachectl configtest before restarting. The IP allow list is the only access control on these pages, so keep it tight.

You might also like to change the look of the OURMON site to your own taste by editing /usr/local/www/data/ourmon/index.html (or the index.html under whatever directory your DocumentRoot points at); remember to make a copy before you change anything.

Below are some of the graphs shown on our OURMON page;

Updated: 19/10/2008

1. Starting ourmon with "/usr/local/etc/rc.d/ourmon.sh start" returns the errors:

sysctl: unknown oid 'debug.bpf_bufsize'
sysctl: unknown oid 'debug.bpf_maxbufsize'

FreeBSD 7 renamed these OIDs, so change "sysctl -w debug.bpf_bufsize=8388608" and "sysctl -w debug.bpf_maxbufsize=8388608" in /usr/local/etc/rc.d/ourmon.sh to "sysctl -w net.bpf.bufsize=8388608" and "sysctl -w net.bpf.maxbufsize=8388608" to solve the error. You can confirm the new names on your kernel with "sysctl net.bpf".

2. If the promiscuous interface is not picking up any traffic, bringing it down (e.g. ifconfig rl0 down) and back up (ifconfig rl0 up) should do the trick. Use tcpdump -i rl0 to check whether it sees any traffic.
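The two fixes from the update, as an added example script that is not from OURMON or the original post: it rewrites the old debug.bpf_* sysctl names in ourmon.sh only when the running kernel really has the net.bpf.* ones, checks the capture interface's flags, and bounces the interface only if tcpdump sees no packets on it. The interface name is taken from the first argument (the post used rl0 and bce1); the OURMON_APPLY guard and the helper names are this example's own.

```shell
#!/bin/sh
# Added example, not part of OURMON or the original post: the sysctl rename
# and the interface bounce from the update, with checks around each step.
# Assumes ourmon.sh still carries the "sysctl -w debug.bpf_*" lines quoted
# above and that the capture interface is given as $1.

# bpf_prefix: print the bufsize sysctl prefix this kernel actually has
# (net.bpf. on FreeBSD 7, debug.bpf_ on older releases), or nothing
bpf_prefix() {
    if sysctl -n net.bpf.maxbufsize >/dev/null 2>&1; then
        echo net.bpf.
    elif sysctl -n debug.bpf_maxbufsize >/dev/null 2>&1; then
        echo debug.bpf_
    fi
}

# rewrite_bpf_oids IN OUT: rename the old OIDs to the FreeBSD 7 names
rewrite_bpf_oids() {
    sed -e 's/debug\.bpf_bufsize/net.bpf.bufsize/g' \
        -e 's/debug\.bpf_maxbufsize/net.bpf.maxbufsize/g' "$1" > "$2"
}

# iface_ready FLAGSLINE: true if the first line of ifconfig output
# (e.g. "bce1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,...> ...")
# shows the interface UP, RUNNING and in promiscuous mode
iface_ready() {
    f=${1#*<}; f=${f%%>*}      # keep only the text between < and >
    f=",$f,"
    case $f in *,UP,*) : ;; *) return 1 ;; esac
    case $f in *,RUNNING,*) : ;; *) return 1 ;; esac
    case $f in *,PROMISC,*) : ;; *) return 1 ;; esac
    return 0
}

# sees_traffic IFACE [SECS]: run tcpdump for a few seconds, true if any
# packet was printed (-l so partial output survives the kill)
sees_traffic() {
    out=$(mktemp /tmp/ourmon-chk.XXXXXX)
    tcpdump -l -n -i "$1" -c 5 > "$out" 2>/dev/null &
    pid=$!
    sleep "${2:-5}"
    kill "$pid" 2>/dev/null || true
    if [ -s "$out" ]; then r=0; else r=1; fi
    rm -f "$out"
    return "$r"
}

# bounce_iface IFACE: the down/up trick from the update
bounce_iface() {
    ifconfig "$1" down && ifconfig "$1" up && sleep 2
}

# Apply for real only when asked:  OURMON_APPLY=1 sh ourmon-fix.sh bce1
if [ "${OURMON_APPLY:-0}" = 1 ]; then
    rc=/usr/local/etc/rc.d/ourmon.sh
    iface=${1:?usage: OURMON_APPLY=1 $0 interface}
    case $(bpf_prefix) in
        net.bpf.) rewrite_bpf_oids "$rc" "$rc.new" && mv "$rc.new" "$rc" ;;
        '')       echo "no bpf bufsize sysctl on this kernel; leaving $rc alone" >&2 ;;
    esac
    iface_ready "$(ifconfig "$iface" | head -1)" ||
        echo "warning: $iface is not UP, RUNNING and PROMISC" >&2
    if ! sees_traffic "$iface"; then
        echo "no traffic on $iface, bouncing it" >&2
        bounce_iface "$iface"
        sees_traffic "$iface" || { echo "still nothing on $iface" >&2; exit 1; }
    fi
    echo "$iface ok"
fi
```

Bouncing the interface drops everything using it for a moment, so do not run the apply mode over an SSH session that comes in on the same interface; a second management interface or the console is the safe place to do it from.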