Ben's notes

Linux, Unix, network, radio...

User Tools

Site Tools

Trace: snort_and_snorby
snort_and_snorby

Table of Contents

,

Snort and Snorby

This guide will help you install a Snort sensor and the Snorby web interface.

Prerequisites:

  • PC Engines APU, as collection device.
  • NAS for storing unified2 logs.
  • Debian Wheezy (7.5) Virtual machine for Snorby & MySQL.

Install PC Engines APU and start Snort

  • Update APU firmware.
  • Install CentOS 6.5.
  • Install RPMforge repository.
  • Download snortrules, the daq and snort RPM from Snort.
  • Install the required libdnet 1.11 package from RPMforge (not 1.12 from EPEL) 
    # yum -y install libdnet-1.11
  • Install DAQ and Snort 
    # yum -y localinstall ./daq-2.0.2-1.centos6.x86_64.rpm
# yum -y localinstall ./snort-2.9.6.1-1.centos6.x86_64.rpm
  • In my case i had to change the snort userid to match the snort user on the NAS, to be able to write to the NFS share 
    # usermod -u 1030 -g 100 snort
  • Mount the NFS share at boot. 
    # vi /etc/fstab

nashost:/volume1/snort /mnt/snort nfs rsize=8192,wsize=8192,timeo=14,intr 0 0

# mount -a
  • Edit /etc/sysconfig/snort. Configure as needed, but change CONF and LOGDIR, disable ALERTMODE and BINARY_LOG. 
    INTERFACE=eth1
CONF=/usr/local/snort/etc/snort.conf
USER=snort
GROUP=users
PASS_FIRST=0
LOGDIR=/mnt/snort/log
#ALERTMODE=fast
DUMP_APP=1
#BINARY_LOG=0
NO_PACKET_LOG=0
PRINT_INTERFACE=0
SYSLOG=/var/log/messages
SECS=5
  • Create the needed directories and symlinks. 
    # ln -s /usr/lib64/snort-2.9.6.1_dynamicpreprocessor /usr/local/lib/snort_dynamicpreprocessor
# ln -s /usr/lib64/snort-2.9.6.1_dynamicengine /usr/local/lib/snort_dynamicengine
# mkdir -p /usr/local/lib/snort_dynamicrules
# chown -R snort:users /usr/local/lib/snort_dynamicrules
# chmod -R 700 /usr/local/lib/snort_dynamicrules
# touch /usr/local/snort/etc/../rules/white_list.rules
# touch /usr/local/snort/etc/../rules/black_list.rules
  • Extract snort rules. 
    # mkdir -p /usr/local/snort
# tar zxf snortrules-snapshot-2961.tar.gz -C /usr/local/snort
  • Edit /usr/local/snort/etc/snort.conf. For exmaple enable sfportscan, decoder rules, dynamic library rules. Be sure to enable unified2 output. 
    output unified2: filename /mnt/snort/log/snort_eth1.u2, limit 128
  • Start snort. 
    # service snortd start

Starting snort: Spawning daemon child...
My daemon child 27345 lives...
Daemon parent exiting (0)
                                                           [  OK  ]
  • After a while logs will be created. 
    # find /mnt/snort/log/

/mnt/snort/log/
/mnt/snort/log/snort_eth1.u2.1399646156

Install and start Snorby

apt-get install git imagemagick mysql-server wkhtmltopdf curl libxslt-dev libxml2-dev libmysqld-dev

mysql -u root -p
create database snorby;
grant all privileges on snorby.* to "snorby"@"%" identified by "snorby";
flush privileges;

curl -L https://get.rvm.io | bash -s stable --rails

# add your username to the rails group
source /usr/local/rvm/scripts/rvm

rvm list known
rvm install 1.9.3
rvm use 1.9.3
(bundle install)

git clone http://github.com/Snorby/snorby.git

cd snorby && bundle install

cp config/database.yml.example config/database.yml
vi config/database.yml

cp config/snorby_config.yml.example  config/snorby_config.yml
vi config/snorby_config.yml

bundle exec rake snorby:setup
bundle exec rails server -e production

Go to: http://snorby:3000/users/login
Username: snorby@snorby.org
Password: snorby

Change credentials

Mount NFS share from NAS

#Install barnyard2 on APU sensor
yum install mysql-devel
cd /opt
git clone https://github.com/firnsy/barnyard2.git
cd barnyard2
./autogen.sh
./configure --with-mysql --with-mysql-libraries=/usr/lib64/mysql --with-mysql-includes=/usr/include/
make
make install
Create a sample rules file (eg. look at etc/barnyard2.conf)
barnyard2 -?

edit /usr/local/etc/barnyard2.conf

config reference_file:      /usr/local/snort/etc/reference.config
config classification_file: /usr/local/snort/etc/classification.config
config gen_file:            /usr/local/snort/etc/gen-msg.map
config sid_file:            /usr/local/snort/etc/sid-msg.map
config logdir: /mnt/snort/log
config hostname:   snort
config interface:  eth1
config daemon
config waldo_file: /mnt/snort/bylog.waldo
config archivedir: /mnt/snort/archive
input unified2
output alert_fast: /mnt/snort/log/barnyard2.alert
output database: log, mysql, user=snort password=snortpass dbname=snorby host=snorby


ln -s /etc/snort/gen-msg.map /usr/local/snort/etc
/usr/local/bin/barnyard2 -c /usr/local/etc/barnyard2.conf -d /mnt/snort/log -f snort_eth1.u2
snort_and_snorby.txt · Last modified: 2021/10/09 15:14 by 127.0.0.1