Snort and Snorby
This guide will help you install a Snort sensor and the Snorby web interface.
Prerequisites:
- PC Engines APU, as collection device.
- NAS for storing unified2 logs.
- Debian Wheezy (7.5) virtual machine for Snorby and MySQL.
Install PC Engines APU and start Snort
- Update APU firmware.
- Install CentOS 6.5.
- Install RPMforge repository.
- Download the snortrules snapshot and the daq and snort RPMs from snort.org.
- Install the required libdnet 1.11 package from RPMforge (not 1.12 from EPEL)
# yum -y install libdnet-1.11
- Install DAQ and Snort
# yum -y localinstall ./daq-2.0.2-1.centos6.x86_64.rpm
# yum -y localinstall ./snort-2.9.6.1-1.centos6.x86_64.rpm
- The snort user's UID and GID must match the owner of the export on the NAS, otherwise Snort cannot write to the NFS share. In this setup that meant UID 1030 and GID 100 (users):
# usermod -u 1030 -g 100 snort
- Mount the NFS share at boot.
# vi /etc/fstab
nashost:/volume1/snort /mnt/snort nfs rsize=8192,wsize=8192,timeo=14,intr 0 0
# mount -a
- Edit /etc/sysconfig/snort. Configure as needed, but point CONF at the snort.conf from the rules snapshot and LOGDIR at the NFS share, and comment out ALERTMODE and BINARY_LOG rather than setting them to 0: the init script passes -A and -b to snort whenever the variables are non-empty, and alert logging is handled by the unified2 output line in snort.conf instead.
INTERFACE=eth1
CONF=/usr/local/snort/etc/snort.conf
USER=snort
GROUP=users
PASS_FIRST=0
LOGDIR=/mnt/snort/log
#ALERTMODE=fast
DUMP_APP=1
#BINARY_LOG=0
NO_PACKET_LOG=0
PRINT_INTERFACE=0
SYSLOG=/var/log/messages
SECS=5
- Extract the snort rules snapshot first; it creates the etc/ and rules/ trees under /usr/local/snort that the next step writes into.
# mkdir -p /usr/local/snort
# tar zxf snortrules-snapshot-2961.tar.gz -C /usr/local/snort
- Create the needed directories and symlinks. The RPM installs the dynamic preprocessor and engine libraries under /usr/lib64, while the snapshot's snort.conf expects them under /usr/local/lib, hence the symlinks. The empty white_list.rules and black_list.rules files are needed because snort.conf references them for the reputation preprocessor.
# ln -s /usr/lib64/snort-2.9.6.1_dynamicpreprocessor /usr/local/lib/snort_dynamicpreprocessor
# ln -s /usr/lib64/snort-2.9.6.1_dynamicengine /usr/local/lib/snort_dynamicengine
# mkdir -p /usr/local/lib/snort_dynamicrules
# chown -R snort:users /usr/local/lib/snort_dynamicrules
# chmod -R 700 /usr/local/lib/snort_dynamicrules
# touch /usr/local/snort/rules/white_list.rules
# touch /usr/local/snort/rules/black_list.rules
- Edit /usr/local/snort/etc/snort.conf. For example enable sfportscan, the decoder rules and the dynamic library rules. Be sure to enable unified2 output: this binary format is what barnyard2 reads later, and limit 128 rolls over to a new file every 128 MB.
output unified2: filename /mnt/snort/log/snort_eth1.u2, limit 128
- Start snort.
# service snortd start
Starting snort: Spawning daemon child...
My daemon child 27345 lives...
Daemon parent exiting (0)
[ OK ]
- After a while, unified2 files named after the interface and a start timestamp appear in the log directory.
# find /mnt/snort/log/
/mnt/snort/log/
/mnt/snort/log/snort_eth1.u2.1399646156
Install and start Snorby
- On the Debian VM, install the packages and create the database:
# apt-get install git imagemagick mysql-server wkhtmltopdf curl libxslt-dev libxml2-dev libmysqld-dev
# mysql -u root -p
create database snorby;
grant all privileges on snorby.* to "snorby"@"%" identified by "snorby";
flush privileges;
The "%" host and the password "snorby" are placeholders. barnyard2 on the APU will log in with these credentials over the network, so restrict the grant to the sensor's address and choose a real password before exposing MySQL.
- Install Ruby 1.9.3 with RVM. The one-liner below pipes the installer into bash; on a box you care about, fetch the script to a file and read it first. The multi-user install lands in /usr/local/rvm, so add your username to the rvm group it creates.
# curl -L https://get.rvm.io | bash -s stable --rails
# source /usr/local/rvm/scripts/rvm
# rvm list known
# rvm install 1.9.3
# rvm use 1.9.3
- Fetch Snorby and configure it. database.yml takes the database, user and password created above.
# git clone https://github.com/Snorby/snorby.git
# cd snorby && bundle install
# cp config/database.yml.example config/database.yml
# vi config/database.yml
# cp config/snorby_config.yml.example config/snorby_config.yml
# vi config/snorby_config.yml
# bundle exec rake snorby:setup
# bundle exec rails server -e production
- Go to: http://snorby:3000/users/login
Username: snorby@snorby.org
Password: snorby
Change these default credentials immediately. The login is served over plain HTTP on port 3000, so keep the interface on a management network or put a TLS reverse proxy in front of it.
- Mount the NFS share from the NAS.
- Install barnyard2 on the APU sensor. It reads the unified2 files from the NFS share and inserts the events into the snorby database.
# yum install mysql-devel
# cd /opt
# git clone https://github.com/firnsy/barnyard2.git
# cd barnyard2
# ./autogen.sh
# ./configure --with-mysql --with-mysql-libraries=/usr/lib64/mysql --with-mysql-includes=/usr/include/
# make
# make install
- Create a configuration file, starting from the shipped etc/barnyard2.conf (barnyard2 -? lists the options), and edit /usr/local/etc/barnyard2.conf:
config reference_file: /usr/local/snort/etc/reference.config
config classification_file: /usr/local/snort/etc/classification.config
config gen_file: /usr/local/snort/etc/gen-msg.map
config sid_file: /usr/local/snort/etc/sid-msg.map
config logdir: /mnt/snort/log
config hostname: snort
config interface: eth1
config daemon
config waldo_file: /mnt/snort/bylog.waldo
config archivedir: /mnt/snort/archive
input unified2
output alert_fast: /mnt/snort/log/barnyard2.alert
output database: log, mysql, user=snorby password=snorby dbname=snorby host=snorby
The user and password in the database output line must be the ones granted in MySQL on the Snorby VM. The waldo file records how far into the unified2 spool barnyard2 has read, so a restart continues where it left off instead of re-inserting old events; keep it on persistent storage.
- Make gen-msg.map available at the path the config expects (the snort RPM installs it under /etc/snort), then start barnyard2 against the spool:
# ln -s /etc/snort/gen-msg.map /usr/local/snort/etc
# /usr/local/bin/barnyard2 -c /usr/local/etc/barnyard2.conf -d /mnt/snort/log -f snort_eth1.u2
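As an added example (not code from this guide, from Snort or from barnyard2), the Python below reads a unified2 spool like the snort_eth1.u2.* files the sensor writes and resolves each event against sid-msg.map and gen-msg.map the way barnyard2's sid_file and gen_file settings do, printing alert_fast-style lines. It assumes IPv4 events (unified2 record type 7) and packet records (type 2), the v1 sid-msg.map layout ("sid || msg || ref ..."), and a constructed spool and constructed map lines; the output layout approximates barnyard2's rather than reproducing it byte for byte.

```python
"""Read a Snort unified2 spool and render events as alert_fast-style lines.
Added example for this guide, not Snort or barnyard2 code; all sample data
below is constructed."""
import socket
import struct
from datetime import datetime, timezone

# Record types from Snort's unified2 definitions; IPv6/VLAN/extra-data
# records are kept opaque below.
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7

# Serial_Unified2_Header: type, length (length counts the body only).
REC_HDR = struct.Struct("!II")
# Unified2IDSEvent: sensor_id, event_id, event_second, event_microsecond,
# signature_id, generator_id, signature_revision, classification_id,
# priority_id, ip_source, ip_destination, sport_itype, dport_icode,
# protocol, impact_flag, impact, blocked  -> 52 bytes, big-endian.
EVENT = struct.Struct("!IIIIIIIII4s4sHHBBBB")
# Unified2Packet: sensor_id, event_id, event_second, packet_second,
# packet_microsecond, linktype, packet_length, then the raw frame.
PACKET = struct.Struct("!IIIIIII")

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def parse_unified2(data):
    """Return [(record_type, fields)] for every complete record. A partial
    record at the end is normal while Snort is still appending; like
    barnyard2 we stop there instead of raising."""
    records, off = [], 0
    while off + REC_HDR.size <= len(data):
        rtype, rlen = REC_HDR.unpack_from(data, off)
        body = data[off + REC_HDR.size:off + REC_HDR.size + rlen]
        if len(body) < rlen:
            break  # truncated tail: wait for Snort to finish the record
        off += REC_HDR.size + rlen
        if rtype == UNIFIED2_IDS_EVENT and rlen == EVENT.size:
            f = EVENT.unpack(body)
            records.append((rtype, {
                "sensor_id": f[0], "event_id": f[1], "event_second": f[2],
                "event_microsecond": f[3], "sid": f[4], "gid": f[5],
                "rev": f[6], "class_id": f[7], "priority": f[8],
                "src": socket.inet_ntoa(f[9]), "dst": socket.inet_ntoa(f[10]),
                "sport": f[11], "dport": f[12], "proto": f[13]}))
        elif rtype == UNIFIED2_PACKET and rlen >= PACKET.size:
            f = PACKET.unpack_from(body, 0)
            records.append((rtype, {"event_id": f[1], "linktype": f[5],
                                    "packet": body[PACKET.size:PACKET.size + f[6]]}))
        else:
            records.append((rtype, {"raw": body}))
    return records


def load_msg_maps(sid_msg_text, gen_msg_text):
    """Build {(gid, sid): message} from gen-msg.map ('gid || sid || msg')
    and a v1-format sid-msg.map ('sid || msg || ref ...', generator 1)."""
    msgs = {}
    for line in gen_msg_text.splitlines():
        parts = [p.strip() for p in line.split("||")]
        if len(parts) >= 3 and not line.startswith("#"):
            msgs[(int(parts[0]), int(parts[1]))] = parts[2]
    for line in sid_msg_text.splitlines():
        parts = [p.strip() for p in line.split("||")]
        if len(parts) >= 2 and not line.startswith("#"):
            msgs[(1, int(parts[0]))] = parts[1]
    return msgs


def format_alert(ev, msgs):
    """Render one event roughly in barnyard2's alert_fast layout (UTC)."""
    ts = datetime.fromtimestamp(ev["event_second"], timezone.utc)
    key = (ev["gid"], ev["sid"])
    msg = msgs.get(key, "Snort Alert [%d:%d:%d]" % (key[0], key[1], ev["rev"]))
    proto = PROTO_NAMES.get(ev["proto"], str(ev["proto"]))
    return "%s.%06d [**] [%d:%d:%d] %s [**] [Priority: %d] {%s} %s:%d -> %s:%d" % (
        ts.strftime("%m/%d-%H:%M:%S"), ev["event_microsecond"], key[0], key[1],
        ev["rev"], msg, ev["priority"], proto, ev["src"], ev["sport"],
        ev["dst"], ev["dport"])


def alerts_from_spool(data, sid_msg_text, gen_msg_text):
    msgs = load_msg_maps(sid_msg_text, gen_msg_text)
    return [format_alert(fields, msgs) for rtype, fields in parse_unified2(data)
            if rtype == UNIFIED2_IDS_EVENT]


# Constructed map excerpts (a real sid-msg.map has tens of thousands of lines).
SAMPLE_SID_MSG = "2100498 || GPL ATTACK_RESPONSE id check returned root || bugtraq,10\n"
SAMPLE_GEN_MSG = "1 || 1 || snort general alert\n122 || 1 || (portscan) TCP Portscan\n"


def build_sample_spool():
    """Constructed spool: one event, its packet record, then a cut-off record
    such as Snort leaves while it is still writing."""
    event = EVENT.pack(0, 1, 1399646156, 123456, 2100498, 1, 7, 0, 1,
                       socket.inet_aton("10.0.0.5"), socket.inet_aton("192.168.1.10"),
                       80, 40000, 6, 0, 0, 0)
    frame = b"\x00" * 14 + b"\x45" + b"\x00" * 19  # placeholder Ethernet+IP bytes
    packet = PACKET.pack(0, 1, 1399646156, 1399646156, 123456, 1, len(frame)) + frame
    return (REC_HDR.pack(UNIFIED2_IDS_EVENT, len(event)) + event +
            REC_HDR.pack(UNIFIED2_PACKET, len(packet)) + packet +
            REC_HDR.pack(UNIFIED2_IDS_EVENT, EVENT.size) + event[:20])


if __name__ == "__main__":
    for line in alerts_from_spool(build_sample_spool(), SAMPLE_SID_MSG, SAMPLE_GEN_MSG):
        print(line)
```

Run it as is to see the constructed event rendered; to read a real spool, pass open("/mnt/snort/log/snort_eth1.u2.1399646156", "rb").read() together with the map files from /usr/local/snort/etc. The stop-on-truncation behaviour is the point to notice: the waldo file barnyard2 keeps is simply the offset at which such a reader left off.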
snort_and_snorby.txt · Last modified: 2021/10/09 15:14 by 127.0.0.1