{{tag>[security snort]}}

=====Snort and Snorby=====

This guide will help you install a Snort sensor and the Snorby web interface.

Prerequisites:
  * [[http://www.pcengines.ch/apu.htm|PC Engines APU]], as collection device.
  * NAS for storing unified2 logs.
  * Debian Wheezy (7.5) virtual machine for Snorby and MySQL.

====Install PC Engines APU and start Snort====

  * Update APU [[Firmware update PC Engines APU|firmware]].
  * Install [[CentOS 6.5 on APU - KickStart file|CentOS 6.5]].
  * Install the [[http://wiki.centos.org/AdditionalResources/Repositories/RPMForge|RPMforge]] repository.
  * Download the snortrules snapshot and the daq and snort RPMs from [[http://snort.org|Snort]].
  * Install the required libdnet 1.11 package from RPMforge (not 1.12 from EPEL).
<code>
# yum -y install libdnet-1.11
</code>
  * Install DAQ and Snort.
<code>
# yum -y localinstall ./daq-2.0.2-1.centos6.x86_64.rpm
# yum -y localinstall ./snort-2.9.6.1-1.centos6.x86_64.rpm
</code>
  * In my case I had to change the snort userid to match the snort user on the NAS, to be able to write to the NFS share.
<code>
# usermod -u 1030 -g 100 snort
</code>
  * Mount the NFS share at boot.
<code>
# vi /etc/fstab
nashost:/volume1/snort /mnt/snort nfs rsize=8192,wsize=8192,timeo=14,intr 0 0
# mount -a
</code>
  * Edit **/etc/sysconfig/snort**. Configure as needed, but change CONF and LOGDIR, and disable ALERTMODE and BINARY_LOG.
<code>
INTERFACE=eth1
CONF=/usr/local/snort/etc/snort.conf
USER=snort
GROUP=users
PASS_FIRST=0
LOGDIR=/mnt/snort/log
#ALERTMODE=fast
DUMP_APP=1
#BINARY_LOG=0
NO_PACKET_LOG=0
PRINT_INTERFACE=0
SYSLOG=/var/log/messages
SECS=5
</code>
  * Create the needed directories and symlinks.
<code>
# ln -s /usr/lib64/snort-2.9.6.1_dynamicpreprocessor /usr/local/lib/snort_dynamicpreprocessor
# ln -s /usr/lib64/snort-2.9.6.1_dynamicengine /usr/local/lib/snort_dynamicengine
# mkdir -p /usr/local/lib/snort_dynamicrules
# chown -R snort:users /usr/local/lib/snort_dynamicrules
# chmod -R 700 /usr/local/lib/snort_dynamicrules
# touch /usr/local/snort/etc/../rules/white_list.rules
# touch /usr/local/snort/etc/../rules/black_list.rules
</code>
  * Extract the snort rules.
<code>
# mkdir -p /usr/local/snort
# tar zxf snortrules-snapshot-2961.tar.gz -C /usr/local/snort
</code>
  * Edit **/usr/local/snort/etc/snort.conf**. For example, enable sfportscan, the decoder rules and the dynamic library rules. Be sure to enable unified2 output.
<code>
output unified2: filename /mnt/snort/log/snort_eth1.u2, limit 128
</code>
  * Start snort.
<code>
# service snortd start
Starting snort: Spawning daemon child...
My daemon child 27345 lives...
Daemon parent exiting (0)
                                                           [  OK  ]
</code>
  * After a while logs will be created.
<code>
# find /mnt/snort/log/
/mnt/snort/log/
/mnt/snort/log/snort_eth1.u2.1399646156
</code>

====Install and start Snorby====

On the Debian virtual machine:
<code>
apt-get install git imagemagick mysql-server wkhtmltopdf curl libxslt-dev libxml2-dev libmysqld-dev
mysql -u root -p
create database snorby;
grant all privileges on snorby.* to "snorby"@"%" identified by "snorby";
flush privileges;
curl -L https://get.rvm.io | bash -s stable --rails
# add your username to the rails group
source /usr/local/rvm/scripts/rvm
rvm list known
rvm install 1.9.3
rvm use 1.9.3
(bundle install)
git clone http://github.com/Snorby/snorby.git
cd snorby && bundle install
cp config/database.yml.example config/database.yml
vi config/database.yml
cp config/snorby_config.yml.example config/snorby_config.yml
vi config/snorby_config.yml
bundle exec rake snorby:setup
bundle exec rails server -e production
</code>
Go to: http://snorby:3000/users/login
  * Username: snorby@snorby.org
  * Password: snorby

Change the credentials.

Mount the NFS share from the NAS.

Install barnyard2 on the APU sensor:
<code>
# Install barnyard2 on APU sensor
yum install mysql-devel
cd /opt
git clone https://github.com/firnsy/barnyard2.git
cd barnyard2
./autogen.sh
./configure --with-mysql --with-mysql-libraries=/usr/lib64/mysql --with-mysql-includes=/usr/include/
make
make install
</code>
Create a configuration file (e.g. based on etc/barnyard2.conf). The option summary is shown with:
<code>
barnyard2 -?
</code>
Edit **/usr/local/etc/barnyard2.conf**:
<code>
config reference_file: /usr/local/snort/etc/reference.config
config classification_file: /usr/local/snort/etc/classification.config
config gen_file: /usr/local/snort/etc/gen-msg.map
config sid_file: /usr/local/snort/etc/sid-msg.map
config logdir: /mnt/snort/log
config hostname: snort
config interface: eth1
config daemon
config waldo_file: /mnt/snort/bylog.waldo
config archivedir: /mnt/snort/archive
input unified2
output alert_fast: /mnt/snort/log/barnyard2.alert
output database: log, mysql, user=snort password=snortpass dbname=snorby host=snorby
</code>
Link the gen-msg.map and start barnyard2 on the unified2 files Snort writes:
<code>
ln -s /etc/snort/gen-msg.map /usr/local/snort/etc
/usr/local/bin/barnyard2 -c /usr/local/etc/barnyard2.conf -d /mnt/snort/log -f snort_eth1.u2
</code>
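To see what barnyard2 is actually consuming from ''/mnt/snort/log'' with ''-d /mnt/snort/log -f snort_eth1.u2'', here is a small reader for the unified2 format, added as an example for this page; it is not code from the page, from Snort or from barnyard2. It decodes the two record types that matter for the setup above, IDS events (type 7) and packet records (type 2), using the field layout from Snort's Unified2_common.h (all fields big-endian), walks a log directory the same way barnyard2's ''-d''/''-f'' pair does (oldest timestamp suffix first), and prints events in a format resembling the ''alert_fast'' output. The bytes in ''build_sample()'' are constructed inline so the script runs offline; the helper names are this example's own.

```python
"""Minimal reader for Snort unified2 files, the format written by
``output unified2: filename ...`` and read by barnyard2's ``input unified2``.

Added example for this wiki page; not code from the page, from Snort or
from barnyard2. Record layouts follow Snort's Unified2_common.h (all
fields big-endian). The bytes in build_sample() are constructed here.
"""
import os
import socket
import struct
import sys
from datetime import datetime, timezone

UNIFIED2_PACKET = 2      # Serial_Unified2Packet
UNIFIED2_IDS_EVENT = 7   # Unified2IDSEvent (IPv4)

HDR = struct.Struct("!II")  # record header: type, length
# sensor_id event_id event_sec event_usec sid gid rev class prio src dst
# sport_itype dport_icode protocol impact_flag impact blocked (52 bytes)
IDS_EVENT = struct.Struct("!11I2H4B")
# sensor_id event_id event_sec pkt_sec pkt_usec linktype packet_length (28 bytes)
PACKET_HDR = struct.Struct("!7I")


def parse_unified2(data):
    """Yield one dict per record; raise ValueError on a truncated file."""
    off = 0
    while off + HDR.size <= len(data):
        rec_type, rec_len = HDR.unpack_from(data, off)
        off += HDR.size
        body = data[off:off + rec_len]
        if len(body) < rec_len:
            raise ValueError("truncated record at offset %d" % off)
        off += rec_len
        if rec_type == UNIFIED2_IDS_EVENT:
            f = IDS_EVENT.unpack_from(body)
            yield {
                "type": "event", "sensor_id": f[0], "event_id": f[1],
                "event_second": f[2],
                "timestamp": datetime.fromtimestamp(f[2], tz=timezone.utc)
                                     .replace(microsecond=f[3]),
                "sid": f[4], "gid": f[5], "rev": f[6],
                "classification": f[7], "priority": f[8],
                "src": socket.inet_ntoa(struct.pack("!I", f[9])),
                "dst": socket.inet_ntoa(struct.pack("!I", f[10])),
                "sport": f[11], "dport": f[12], "proto": f[13],
                "blocked": f[16],
            }
        elif rec_type == UNIFIED2_PACKET:
            f = PACKET_HDR.unpack_from(body)
            yield {"type": "packet", "event_id": f[1], "linktype": f[5],
                   "packet": body[PACKET_HDR.size:PACKET_HDR.size + f[6]]}
        else:
            # IPv6 events, extra data etc. are skipped but counted.
            yield {"type": "unknown", "record_type": rec_type, "length": rec_len}


def iter_log_files(logdir, prefix):
    """Files barnyard2 would process for -d logdir -f prefix, oldest first
    (Snort appends a Unix timestamp to the configured filename)."""
    names = [n for n in os.listdir(logdir)
             if n.startswith(prefix + ".") and n.rsplit(".", 1)[1].isdigit()]
    return sorted(names, key=lambda n: int(n.rsplit(".", 1)[1]))


def fast_line(rec):
    """Render an event roughly like barnyard2's alert_fast output."""
    proto = {1: "ICMP", 6: "TCP", 17: "UDP"}.get(rec["proto"], str(rec["proto"]))
    return "%s [**] [%d:%d:%d] [Priority: %d] {%s} %s:%d -> %s:%d" % (
        rec["timestamp"].strftime("%m/%d-%H:%M:%S.%f"),
        rec["gid"], rec["sid"], rec["rev"], rec["priority"], proto,
        rec["src"], rec["sport"], rec["dst"], rec["dport"])


def ip2int(dotted):
    return struct.unpack("!I", socket.inet_aton(dotted))[0]


def build_sample():
    """Constructed two-record file: one TCP IDS event plus its packet record."""
    ev = IDS_EVENT.pack(0, 1, 1399646156, 0, 2000, 1, 3, 30, 2,
                        ip2int("192.0.2.10"), ip2int("198.51.100.5"),
                        44321, 80, 6, 0, 0, 0)
    payload = b"\xde\xad\xbe\xef"  # stand-in for the captured frame
    pkt = PACKET_HDR.pack(0, 1, 1399646156, 1399646156, 0, 1, len(payload)) + payload
    return (HDR.pack(UNIFIED2_IDS_EVENT, len(ev)) + ev +
            HDR.pack(UNIFIED2_PACKET, len(pkt)) + pkt)


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: unified2_read.py /mnt/snort/log snort_eth1.u2
        logdir, prefix = sys.argv[1], sys.argv[2]
        blobs = [open(os.path.join(logdir, n), "rb").read()
                 for n in iter_log_files(logdir, prefix)]
    else:
        blobs = [build_sample()]
    for blob in blobs:
        for rec in parse_unified2(blob):
            print(fast_line(rec) if rec["type"] == "event" else rec)
```

Run it without arguments to decode the constructed sample, or with the log directory and filename prefix from the barnyard2 command above to read real files on the sensor. A ''ValueError'' on the last file usually just means Snort is still writing it; barnyard2 handles the same situation by waiting for more data rather than failing.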