Chapter 3. NST Scripts

Table of Contents

Network Time Protocol (NTP)
RAM Disk Creation
Snort (NST v1.2.0)
Setup Snort Example: Standalone Configuration (NST v1.2.0)
Setup Snort Example: Backend MySQL Snort Database With Remote IDS Snort Probes (NST v1.2.0)
Snort (NST v1.2.1 and Above)
Setup Snort Example: Standalone Configuration
Alternate Way to Start Snort
Status Listing For Configured Snort Instances
Stopping (Killing) One or More Snort Instances
HOWTO Update a Running Snort Instance By Reloading the Snort Configuration
HOWTO Dump Statitical Information For a Running Snort Instance
Setup Snort Example: Backend MySQL Snort Database With Remote IDS Snort Probes
Nessus (NST v1.2.0)
Nessus (NST v1.2.1 and Above)
Checking sendmail Status
Becoming a SMTP Server
Enabling Smart Host

The Network Security Toolkit has many useful command line scripts that allow the network security administrator easy access to the comprehensive set of Open Source Network Security Tools found in the NST distribution. The section will explore these scripts and demonstrate their usage with NST.

It is extremely important for security related forensic analysis that all data captured or logged by network infrastructure equipment throughout the enterprise environment be time-stamped using a common reference time synchronization standard. NST uses ntp (the official reference implementation of the NTP protocol - RFC 1305 and RFC 2030) to accomplish this. Prior to running a security related application or tool, one should startup ntp. NST is configured by default to use the following time reference sources ( stratum: 1 and ( stratum: 2 to achieve ntp time synchonization. Reference clocks and other ntp configuration paramters can be changed in: /etc/ntp.conf.

The following caption shows one how to startup ntp and display useful ntp status on a NST probe.

[root@probe root]# /etc/init.d/ntpd start 1
ntpd: Synchronizing with time server:                      [  OK  ]
Starting ntpd:                                             [  OK  ]

[root@probe root]# ntpq -p 2
     remote           refid      st t when poll reach   delay   offset  jitter
* .USNO.           1 u   33   64   37  170.601   19.034   3.833 NAVOBS1.MIT.EDU  2 u   28   64   37   28.038   14.585   3.469

[root@probe root]# ntptime 3
ntp_gettime() returns code 0 (OK)
  time c486a6d7.3fd7c000  Fri, Jun 25 2004  9:27:51.249, (.249386),
  maximum error 549609 us, estimated error 15516 us
ntp_adjtime() returns code 0 (OK)
  modes 0x0 (),
  offset -208.000 us, frequency 124.953 ppm, interval 4 s,
  maximum error 549609 us, estimated error 15516 us,
  status 0x1 (PLL),
  time constant 2, precision 1.000 us, tolerance 512 ppm,
  pps frequency 0.000 ppm, stability 512.000 ppm, jitter 200.000 us,
  intervals 0, jitter exceeded 0, stability exceeded 0, errors 0.

[root@probe root]# ntpdate -dv 4
14 Jul 08:36:53 ntpdate[5436]: ntpdate 4.1.1c-rc1@1.836 Thu Feb 13 12:17:20 EST 2003 (1)
server, port 123
stratum 1, precision -19, leap 00, trust 000
refid [USNO], delay 0.26082, dispersion 0.06273
transmitted 4, in filter 4
reference time:    c49fa762.50451398  Wed, Jul 14 2004  8:36:50.313
originate timestamp: c49fa766.e083434e  Wed, Jul 14 2004  8:36:54.877
transmit timestamp:  c49fa766.bc573a79  Wed, Jul 14 2004  8:36:54.735
filter delay:  0.41434  0.32225  0.29274  0.26082
         0.00000  0.00000  0.00000  0.00000
filter offset: -0.09171 -0.05684 -0.03271 0.023662
         0.000000 0.000000 0.000000 0.000000
delay 0.26082, dispersion 0.06273
offset 0.023662

14 Jul 08:36:54 ntpdate[5436]: adjust time server offset 0.023662 sec


Start up the ntp daemon on a NST probe.


Display ntp peer status with its reference clocks.


Display time related ntp kernel values.


Display the local time offset in verbose mode from ntp server using the ntpdate utility command without any adjustments to the local NST clock.

There is also a bash shell alias to quickly start up the NTP service called: lntpd. This alias is demonstrated below:

[root@probe root]# lntpd
ntpd: Synchronizing with time server:                      [  OK  ]
Starting ntpd:                                             [  OK  ]


NST's Web User Interface found in Chapter 2, The Web User Interface (WUI) can also be used to start up ntp. Look under the "System/General" section for "Services" and one can "Start/Stop" the "ntpd" daemon. One can also check the operational state of the "ntpd" daemon using the "NTP Info" and "NTP Query" links found under the "Networking/Time" section.