This guide will help you install a Snort sensor and the Snorby web interface.
Prerequisites:
# yum -y install libdnet-1.11
# yum -y localinstall ./daq-2.0.2-1.centos6.x86_64.rpm
# yum -y localinstall ./snort-2.9.6.1-1.centos6.x86_64.rpm
# usermod -u 1030 -g 100 snort
# vi /etc/fstab
nashost:/volume1/snort /mnt/snort nfs rsize=8192,wsize=8192,timeo=14,intr 0 0
# mount -a
INTERFACE=eth1
CONF=/usr/local/snort/etc/snort.conf
USER=snort
GROUP=users
PASS_FIRST=0
LOGDIR=/mnt/snort/log
#ALERTMODE=fast
DUMP_APP=1
#BINARY_LOG=0
NO_PACKET_LOG=0
PRINT_INTERFACE=0
SYSLOG=/var/log/messages
SECS=5
# ln -s /usr/lib64/snort-2.9.6.1_dynamicpreprocessor /usr/local/lib/snort_dynamicpreprocessor
# ln -s /usr/lib64/snort-2.9.6.1_dynamicengine /usr/local/lib/snort_dynamicengine
# mkdir -p /usr/local/lib/snort_dynamicrules
# chown -R snort:users /usr/local/lib/snort_dynamicrules
# chmod -R 700 /usr/local/lib/snort_dynamicrules
# touch /usr/local/snort/etc/../rules/white_list.rules
# touch /usr/local/snort/etc/../rules/black_list.rules
# mkdir -p /usr/local/snort
# tar zxf snortrules-snapshot-2961.tar.gz -C /usr/local/snort
output unified2: filename /mnt/snort/log/snort_eth1.u2, limit 128
# service snortd start
Starting snort: Spawning daemon child...
My daemon child 27345 lives...
Daemon parent exiting (0)
[ OK ]
# find /mnt/snort/log/
/mnt/snort/log/
/mnt/snort/log/snort_eth1.u2.1399646156
apt-get install git imagemagick mysql-server wkhtmltopdf curl libxslt-dev libxml2-dev libmysqld-dev
mysql -u root -p
create database snorby;
grant all privileges on snorby.* to "snorby"@"%" identified by "snorby";
flush privileges;
Note: the "%" host part lets this account connect from any address and "snorby" is only a placeholder password; restrict the host to the sensor's address and choose a real password before the database is reachable from the network. The barnyard2 output database line further below must use this same account.
curl -L https://get.rvm.io | bash -s stable --rails
This runs a remote script unverified as the current user; download it first and inspect it (or verify its signature) before executing it.
# add your username to the rails group
source /usr/local/rvm/scripts/rvm
rvm list known
rvm install 1.9.3
rvm use 1.9.3
(bundle install)
git clone http://github.com/Snorby/snorby.git
cd snorby && bundle install
cp config/database.yml.example config/database.yml
vi config/database.yml
cp config/snorby_config.yml.example config/snorby_config.yml
vi config/snorby_config.yml
bundle exec rake snorby:setup
bundle exec rails server -e production
Go to: http://snorby:3000/users/login
Username: snorby@snorby.org
Password: snorby
Change credentials
Mount NFS share from NAS
#Install barnyard2 on APU sensor
yum install mysql-devel
cd /opt
git clone https://github.com/firnsy/barnyard2.git
cd barnyard2
./autogen.sh
./configure --with-mysql --with-mysql-libraries=/usr/lib64/mysql --with-mysql-includes=/usr/include/
make
make install
Create a sample rules file (e.g. look at etc/barnyard2.conf)
barnyard2 -?
edit /usr/local/etc/barnyard2.conf
config reference_file: /usr/local/snort/etc/reference.config
config classification_file: /usr/local/snort/etc/classification.config
config gen_file: /usr/local/snort/etc/gen-msg.map
config sid_file: /usr/local/snort/etc/sid-msg.map
config logdir: /mnt/snort/log
config hostname: snort
config interface: eth1
config daemon
config waldo_file: /mnt/snort/bylog.waldo
config archivedir: /mnt/snort/archive
input unified2
output alert_fast: /mnt/snort/log/barnyard2.alert
output database: log, mysql, user=snort password=snortpass dbname=snorby host=snorby
Note: the user and password here must match the account granted on the Snorby database above (the grant creates "snorby", this line uses "snort"), and because this file holds the database password it should be readable only by the user barnyard2 runs as.
ln -s /etc/snort/gen-msg.map /usr/local/snort/etc
/usr/local/bin/barnyard2 -c /usr/local/etc/barnyard2.conf -d /mnt/snort/log -f snort_eth1.u2