{{tag>[security snort]}}
=====Snort and Snorby=====
This guide will help you install a Snort sensor and the Snorby web interface.
Prerequisites:
* [[http://www.pcengines.ch/apu.htm|PC Engines APU]], as collection device.
* NAS for storing unified2 logs.
* Debian Wheezy (7.5) virtual machine for Snorby & MySQL.
====Install PC Engines APU and start Snort====
* Update APU [[Firmware update PC Engines APU|firmware]].
* Install [[CentOS 6.5 on APU - KickStart file|CentOS 6.5]].
* Install [[http://wiki.centos.org/AdditionalResources/Repositories/RPMForge|RPMforge]] repository.
* Download the snortrules snapshot and the daq and snort RPMs from [[http://snort.org|Snort]].
* Install the required libdnet 1.11 package from RPMforge (not 1.12 from EPEL).
<code>
# yum -y install libdnet-1.11
</code>
* Install DAQ and Snort.
<code>
# yum -y localinstall ./daq-2.0.2-1.centos6.x86_64.rpm
# yum -y localinstall ./snort-2.9.6.1-1.centos6.x86_64.rpm
</code>
* In my case I had to change the snort user id to match the snort user on the NAS, to be able to write to the NFS share.
<code>
# usermod -u 1030 -g 100 snort
</code>
* Mount the NFS share at boot.
<code>
# vi /etc/fstab
nashost:/volume1/snort /mnt/snort nfs rsize=8192,wsize=8192,timeo=14,intr 0 0
# mount -a
</code>
* Edit **/etc/sysconfig/snort**. Configure as needed, but change CONF and LOGDIR, and disable ALERTMODE and BINARY_LOG.
<code>
INTERFACE=eth1
CONF=/usr/local/snort/etc/snort.conf
USER=snort
GROUP=users
PASS_FIRST=0
LOGDIR=/mnt/snort/log
#ALERTMODE=fast
DUMP_APP=1
#BINARY_LOG=0
NO_PACKET_LOG=0
PRINT_INTERFACE=0
SYSLOG=/var/log/messages
SECS=5
</code>
* Create the needed directories and symlinks.
<code>
# ln -s /usr/lib64/snort-2.9.6.1_dynamicpreprocessor /usr/local/lib/snort_dynamicpreprocessor
# ln -s /usr/lib64/snort-2.9.6.1_dynamicengine /usr/local/lib/snort_dynamicengine
# mkdir -p /usr/local/lib/snort_dynamicrules
# chown -R snort:users /usr/local/lib/snort_dynamicrules
# chmod -R 700 /usr/local/lib/snort_dynamicrules
# touch /usr/local/snort/etc/../rules/white_list.rules
# touch /usr/local/snort/etc/../rules/black_list.rules
</code>
* Extract the snort rules.
<code>
# mkdir -p /usr/local/snort
# tar zxf snortrules-snapshot-2961.tar.gz -C /usr/local/snort
</code>
* Edit **/usr/local/snort/etc/snort.conf**. For example, enable sfportscan, the decoder rules and the dynamic library rules. Be sure to enable unified2 output, since that is what barnyard2 and Snorby consume.
<code>
output unified2: filename /mnt/snort/log/snort_eth1.u2, limit 128
</code>
* Start snort.
<code>
# service snortd start
Starting snort: Spawning daemon child...
My daemon child 27345 lives...
Daemon parent exiting (0)
[ OK ]
</code>
* After a while, logs will be created.
<code>
# find /mnt/snort/log/
/mnt/snort/log/
/mnt/snort/log/snort_eth1.u2.1399646156
</code>
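To see what the sensor is actually writing into those ''snort_eth1.u2.*'' files (and what barnyard2 will later tail from the NFS share), here is an added Python reader for the unified2 record format. It is example code written for this page, not part of Snort, barnyard2 or Snorby; the record layout follows Snort's unified2.h (an 8-byte big-endian type/length header per record, with type 7 being the 52-byte IPv4 IDS event), and the sample spool it parses is constructed inline so it runs offline. Point it at a real file with ''python u2read.py /mnt/snort/log/snort_eth1.u2.1399646156'' to sanity-check a fresh spool.

```python
"""Minimal reader for Snort unified2 spool files (added example, not Snort or
barnyard2 code).  A spool is a stream of records: a big-endian (type, length)
header followed by `length` bytes of payload.  Type 7 is the classic IPv4 IDS
event (Unified2IDSEvent_legacy, 52 bytes).  Layout taken from unified2.h."""
import socket
import struct
import sys
from typing import Iterator, Tuple

UNIFIED2_HDR = struct.Struct("!II")   # record type, record length (network order)
UNIFIED2_PACKET = 2                   # packet record; payload not decoded here
UNIFIED2_IDS_EVENT = 7                # IPv4 IDS event, legacy layout
# Unified2IDSEvent_legacy: 11 x uint32, 2 x uint16, 4 x uint8 = 52 bytes
IDS_EVENT = struct.Struct("!IIIIIIIIIIIHHBBBB")
IDS_EVENT_FIELDS = (
    "sensor_id", "event_id", "event_second", "event_microsecond",
    "signature_id", "generator_id", "signature_revision",
    "classification_id", "priority_id", "ip_source", "ip_destination",
    "sport_itype", "dport_icode", "protocol", "impact_flag", "impact", "blocked",
)


def iter_records(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (type, payload) for each complete record in `data`.

    Snort appends to the spool while it runs, so the last record may be
    partial.  As with barnyard2's tailing, an incomplete trailing record is
    not an error: stop and leave it for the next read.
    """
    offset = 0
    while offset + UNIFIED2_HDR.size <= len(data):
        rtype, length = UNIFIED2_HDR.unpack_from(data, offset)
        start = offset + UNIFIED2_HDR.size
        if start + length > len(data):
            break  # truncated tail: Snort has not finished writing it
        yield rtype, data[start:start + length]
        offset = start + length


def decode_ids_event(payload: bytes) -> dict:
    """Decode a type-7 payload into a dict with dotted addresses and gid:sid:rev."""
    if len(payload) < IDS_EVENT.size:
        raise ValueError("short IDS event: %d bytes" % len(payload))
    ev = dict(zip(IDS_EVENT_FIELDS, IDS_EVENT.unpack_from(payload)))
    ev["ip_source"] = socket.inet_ntoa(struct.pack("!I", ev["ip_source"]))
    ev["ip_destination"] = socket.inet_ntoa(struct.pack("!I", ev["ip_destination"]))
    ev["sid"] = "%d:%d:%d" % (ev["generator_id"], ev["signature_id"], ev["signature_revision"])
    return ev


def summarize(data: bytes) -> dict:
    """Count records by type and decode every IDS event in the spool."""
    counts, events = {}, []
    for rtype, payload in iter_records(data):
        counts[rtype] = counts.get(rtype, 0) + 1
        if rtype == UNIFIED2_IDS_EVENT:
            events.append(decode_ids_event(payload))
    return {"counts": counts, "events": events}


def ip_to_int(dotted: str) -> int:
    return struct.unpack("!I", socket.inet_aton(dotted))[0]


def build_ids_event(**fields) -> bytes:
    """Build a type-7 record; used only to construct the inline sample spool."""
    payload = IDS_EVENT.pack(*[fields.get(name, 0) for name in IDS_EVENT_FIELDS])
    return UNIFIED2_HDR.pack(UNIFIED2_IDS_EVENT, len(payload)) + payload


# Constructed sample spool (values made up for illustration): one IDS event,
# one packet record, then a truncated event that Snort is still writing.
SAMPLE_SPOOL = (
    build_ids_event(sensor_id=0, event_id=1, event_second=1399646156,
                    signature_id=2000001, generator_id=1, signature_revision=3,
                    classification_id=20, priority_id=2,
                    ip_source=ip_to_int("10.0.0.5"),
                    ip_destination=ip_to_int("192.168.1.10"),
                    sport_itype=44321, dport_icode=22, protocol=6)
    + UNIFIED2_HDR.pack(UNIFIED2_PACKET, 4) + b"\xde\xad\xbe\xef"
    + UNIFIED2_HDR.pack(UNIFIED2_IDS_EVENT, IDS_EVENT.size) + b"\x00" * 10
)

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_SPOOL
    result = summarize(blob)
    print("record counts by type:", result["counts"])
    for ev in result["events"]:
        print("%(sid)s %(ip_source)s:%(sport_itype)d -> "
              "%(ip_destination)s:%(dport_icode)d proto=%(protocol)d" % ev)
```

A spool that contains packet records but no type-7 events usually means the rules fired nothing yet; a spool where the reader stops early with a partial record is normal on a live file and is exactly why barnyard2 keeps its position in the waldo file rather than re-reading from the start.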
====Install and start Snorby====
* Install the packages and create the database on the Debian VM.
<code>
apt-get install git imagemagick mysql-server wkhtmltopdf curl libxslt-dev libxml2-dev libmysqld-dev
mysql -u root -p
</code>
<code sql>
create database snorby;
grant all privileges on snorby.* to "snorby"@"%" identified by "snorby";
flush privileges;
</code>
* Install RVM with Rails, then Ruby 1.9.3.
<code>
curl -L https://get.rvm.io | bash -s stable --rails
# add your username to the rails group
source /usr/local/rvm/scripts/rvm
rvm list known
rvm install 1.9.3
rvm use 1.9.3
(bundle install)
</code>
* Clone Snorby, configure it and start the server.
<code>
git clone http://github.com/Snorby/snorby.git
cd snorby && bundle install
cp config/database.yml.example config/database.yml
vi config/database.yml
cp config/snorby_config.yml.example config/snorby_config.yml
vi config/snorby_config.yml
bundle exec rake snorby:setup
bundle exec rails server -e production
</code>
* Go to http://snorby:3000/users/login and log in with the default account (username ''snorby@snorby.org'', password ''snorby''), then change the credentials.
* Mount the NFS share from the NAS.
====Install barnyard2 on APU sensor====
* Build barnyard2 from source on the sensor.
<code>
yum install mysql-devel
cd /opt
git clone https://github.com/firnsy/barnyard2.git
cd barnyard2
./autogen.sh
./configure --with-mysql --with-mysql-libraries=/usr/lib64/mysql --with-mysql-includes=/usr/include/
make
make install
</code>
* Create a sample configuration file (e.g. start from ''etc/barnyard2.conf'' in the source tree; ''barnyard2 -?'' lists the options), then edit **/usr/local/etc/barnyard2.conf**:
<code>
config reference_file: /usr/local/snort/etc/reference.config
config classification_file: /usr/local/snort/etc/classification.config
config gen_file: /usr/local/snort/etc/gen-msg.map
config sid_file: /usr/local/snort/etc/sid-msg.map
config logdir: /mnt/snort/log
config hostname: snort
config interface: eth1
config daemon
config waldo_file: /mnt/snort/bylog.waldo
config archivedir: /mnt/snort/archive
input unified2
output alert_fast: /mnt/snort/log/barnyard2.alert
output database: log, mysql, user=snort password=snortpass dbname=snorby host=snorby
</code>
* Symlink gen-msg.map from /etc/snort to where the config expects it, then start barnyard2 with the spool directory and the base filename from the unified2 output line in snort.conf.
<code>
ln -s /etc/snort/gen-msg.map /usr/local/snort/etc
/usr/local/bin/barnyard2 -c /usr/local/etc/barnyard2.conf -d /mnt/snort/log -f snort_eth1.u2
</code>