Linux VM

Our first dev VM is a Linux VM, which we use for building and playing with two of the tools we are going to introduce in this part: Suricata and APIMiner. We are going to target building Suricata so that we can run it on Linux and rightly, so we have a Linux distribution to compile it on. For APIMiner, the compiled binary is intended to run on Windows, but using the mingw64 packages on Linux, you can cross-compile APIMiner window source code on Linux to build executables that can run on Windows.

Both tools can be built on Linux, and for our purpose, you can use any Linux distribution if you install the tools mentioned in this section. For our setup, we use Ubuntu 16.04. You can also use Ubuntu 18.04 or any other recent version, if the packages install cleanly and the compilation steps work.

To install Ubuntu 16.04, you can create a VM like the way we did in Chapter 2 for the analysis VM. Let’s call this the Linux dev VM from here on. The hardware settings we used for our Linux dev VM is shown in Figure 21-1. You can either mimic the settings or play around with it to suit you based on how much resources you must spare on your physical host machine.

Do note that we have used VMWare Workstation as the hypervisor for all our VMs, both the analysis VM from Chapter 2 and the Linux dev VM here in this chapter. You can use the hypervisor of your choice for the purpose, including VirtualBox. Do note that the hypervisor/emulator tool you use should have the capability to create and restore snapshots, which not all of them provide. Snapshots come in handy, not only when analyzing malware but also in development when we play around with new development packages and tools. And should any of them break our dev setup, we want to move back to the clean development snapshot state that we saved earlier.

We won’t go through the full VM installation process for the Linux dev VM since that’s outside the scope of this book. You can refer to various resources on the web for creating a new VM using your hypervisor. Just make sure you use the right VM hardware settings, like the one we used in Figure 21-1. The next sections are written with the expectation that this Linux dev VM is installed by you. You might also want to test and see if your Linux VM can connect to the Internet. After the installation, you can create a snapshot just in case you want to come back to it later.

Suricata Setup

Suricata is a next-gen intrusion detection and prevention system. We talk more about Suricata in Chapter 23, where we talk about IDS/IPS and how they work internally. Here we install the various packages that are needed to build Suricata. Let’s now compile, build, and install Suricata.

The packages we are installing here work for the latest known stable release of Suricata at the time of writing this book, which is version 5.0.2. You can extend the setup to any future newer version of Suricata if you install any packages it depends on. The rest of the steps remain largely the same. You can also carry out the Suricata setup using the development source code repository of Suricata available via their official GitHub repository at https://github.com/OISF/suricata.

Before we can download and compile Suricata, let’s install its dependencies. You can open the terminal in your Ubuntu Linux dev VM and run the command shown in Listing 21-1.

$ sudo apt install -y emacs git automake autoconf libtool pkg-config libpcre3-dev libyaml-dev libjansson-dev libpcap0.8-dev libmagic-dev libcap-ng-dev libnspr4-dev libnss3-dev liblz4-dev rustc cargo libz-dev gcc

Listing 21-1

Command to Install Dependency Packages Needed Next to Build Suricata-5.0.2

Figure 21-2 shows you what running the command should look like. Do note that there is a fair bit of packages to install and the command might take quite a bit of time to run based on your Internet speed and the load on the servers from which you are downloading the packages. Sometimes the command might fail, which might be due to package information not downloaded on your system. In such cases , you can first run the command sudo apt update and then re-run the command in the listing.

Now that the packages are installed, we can now download, build, and install Suricata. You can download Suricata version 5.0.2 available at www.openinfosecfoundation.org/download/suricata-5.0.2.tar.gz and then unzip it using the two commands in Listing 21-2. Do note that the link is working at the time of writing this book. If the suricata-5.0.2.tar.gz package has been moved to a different URL location, you can use Google to search for the download link from their website.

$ wget https://www.openinfosecfoundation.org/download/suricata-5.0.2.tar.gz

$ tar -xvzf suricata-5.0.2.tar.gz

Listing 21-2

Commands to Download and Unzip Suricata 5.0.2

You can cd into the unzipped Suricata-5.0.2 folder and build Suricata and install it using the commands in Listing 21-3.

$ cd suricata-5.0.2

$ ./configure

$ make -j

$ sudo make install

$ sudo ldconfig

Listing 21-3

Commands to Unzip, Build and Install Suricata

That is it. You can verify it Suricata is correctly installed by trying to run the command from the terminal, which should output the help for the tool, as seen in Figure 21-3.

That’s pretty much it. We make some other minor tweaks to its config file, suricata.yaml, when we run it in Chapter 23. In the next section, we set up the packages needed to build APIMiner and Cuckoo Monitor.

Windows VM

In this section, we set up our Windows dev VM, which we use to build various other tools that we introduce in this part of the book, including building ones that use Binary Instrumentation (see Chapter 25).

First, we need to create a new VM with Windows, for which we use Windows 7 32bit as the OS. Let’s call this VM Windows dev VM. While creating the VM, you can use the same hardware settings from Figure 21-1. Installation of the VM with Windows 7 32-bit OS doesn’t require any special steps other than the standard procedures we used while creating our analysis VM from Chapter 2. After installation of the OS, update the OS to the latest update provided by Microsoft.

With the Windows dev VM now ready, the first part of our setup requires Visual Studio (VS) Compiler and its SDK. Notice that we mentioned VS Compiler and not the IDE itself. To be honest, as a beginner a lot of times, it is preferable not to use an IDE since they abstract and hide away the details on how to build and link the source code files of your project. With an IDE, it is Button! Click! Magic!—not something that is recommended while learning. Instead, using a regular text editor to write source code and then using the command line compiler cl.exe, is a much better way to learn all the inner details of various library dependencies, the linking process, and so forth.

In combination with the, you can also use a Windows command line environment like Cygwin, which makes available other small utilities like the make command that help you automate your source code building process using makefiles.

Visual Studio Installation

Visual Studio comes in both paid and community versions. You can download the installer for VS Studio Community straight from https://visualstudio.microsoft.com. For our setup in our exercises and the readers of this book, we install VS Community 2019 edition, but feel free to use other versions, paid or community.

Running the VS Community 2019 installer should take you through the installation process, where you can select the various components to install. In the installation window, the component that you need to select for installation is Desktop development with C++, as seen in Figure 21-4.

The installation, once done, might need you to restart the computer. You can then test if the tool is successfully installed by opening the Developer Command Prompt for VS 2019, as seen in Figure 21-5.

Opening the Developer Command Prompt from Figure 21-5 should open the command prompt where you can test if the VS Compiler cl.exe is installed and runs as expected, as shown in Figure 21-6.

Cygwin Installation

Cygwin is a POSIX-compatible tool that provides various Unix-like applications on Windows via a console application. It has been a personal favorite of ours since it allows us to build projects on Windows and use the ever famous Makefiles to automate building the source code from these large projects.

Now the important part is to combine Cygwin with Visual Studio from the previous section so that the VS environment, including the VS Compiler cl.exe, is available inside Cygwin’s console. Before we can do that, you need to install Cygwin.

To install Cygwin, you can download and run its installer from https://cygwin.com. Make sure you download the installer for 32 bits Windows. The installer should provide you the packages list, which you can either select/deselect for installation. For our purposes, we only want to install the packages in Table 21-1.

Table 21-1

List of Cygwin Packages That We Should Only Install/Uninstall

Top Level Package List Name	Packages to Install
Shells	all packages
Base	all packages
Devel	make
Archive	unzip
All Others	don’t install (select uninstall)

To selectively install the packages mentioned in the table, first deselect all the packages by selecting Uninstall for All and then selectively enabling (Install option) for the packages mentioned in the table, as seen in Figure 21-7. For specific packages like make and unzip only, search by those names in the Search text box at the top and select a specific version of those packages/tools to install. Post selecting the packages, you are good to go, and you can start the installation. It might take some time for it to be all downloaded and installed.

Cygwin + Visual Studio

Now that you’ve installed Cygwin, you want to make the Visual Studio toolchain available from within the Cygwin console. To do this, you must enable/set Visual Studio’s environment inside Cygwin. To help us with this, Visual Studio provides its environment via a batch file, which, up to and including VS 2015, was named vsvars32.bat, and since VS 2015, it is named VsDevCmd.bat. Since we installed VS 2019 Community, the batch file is located at C:Program FilesMicrosoft Visual Studio2019CommunityCommon7Tools folder.

With this full path in our hands, locate the Cygwin installation bin folder, which on our system is C:cygwinin and create a new file in this directory called cygwin.bat with contents from Listing 21-6.

@echo off

@REM Select the latest VS Tools

# Below is one full long line. Might look folded here due to

# length. Unfold when you type it into your cygwin.bat

CALL "C:Program FilesMicrosoft Visual Studio2019CommunityCommon7ToolsVsDevCmd.bat"

C:

chdir C:cygwinin

START mintty.exe -i /Cygwin-Terminal.ico -

Listing 21-6

Contents of Our New Cygwin.Bat That Integrates VS Environment into Cygwin

You might want to add this new cygwin.bat file as a desktop shortcut for easy access. This file is now what you are going to use to access Cygwin here on in this book. As a test, you can run it by double-clicking it and then try out the Visual Studio compiler cl.exe, which should now be accessible, as seen in Figure 21-8.

Summary

The first step in detection engineering is to make sure you have the right development environment and setup that can help you modify and build these detection tools of yours. This chapter helps us achieve this by helping us set up two new development VMs, one for Linux and another for Windows. In this chapter, you learned how to install and configure various development tools on both new dev VMs, that help us build various detection tools that we are going to talk about in the subsequent chapters.