How to install Snort, Barnyard2, Snorby, Passenger, and Pull
https://es.oteric.info/articles/how-to-install-snort-barnyard2-snorby-passenger-and-pulled-pork Set up a Source directory in your home directory and then install some of the required packages that you'll need: # mkdir ~/Source # sudo chown
https://es.oteric.info/articles/how-to-install-snort-barnyard2-snorby-passenger-and-pulled-pork
Set up a Source directory in your home directory and then install some of the required packages that you'll need:# mkdir ~/Source
# sudo chown -R username:usergroup ~/Source
note: when you run the below command, Apt will require input – for example MySQL will ask for you to enter a “root” password for the MySQL server. Make it secure and don’t forget it.# sudo apt-get update && apt-get install apache2 libapache2-mod-php5 libwww-perl mysql-server mysql-common mysql-client
\
php5-mysql libnet1 libnet1-dev libpcre3 libpcre3-dev autoconf libcrypt-ssleay-perl libmysqlclient-dev php5-gd php-pear \
libphp-adodb php5-cli libtool libssl-dev gcc-4.4 g++ automake gcc make flex bison apache2-doc ca-certificates vim
Now, install the Snort pre-requisites - libpcap, libdnet, and DAQ.
Install libpcap:# cd ~/Source
# wget http://www.tcpdump.org/release/libpcap-1.1.1.tar.gz
# tar -zxf libpcap-1.1.1.tar.gz
# cd libpcap-1.1.1
# ./configure --prefix=/usr --enable-shared
# sudo su
# make && make install
# exit
Install libdnet:# cd ~/Source
# wget http://libdnet.googlecode.com/files/libdnet-1.12.tgz
# tar -zxf libdnet-1.12.tgz
# cd libdnet-1.12
# ./configure --prefix=/usr --enable-shared
# sudo su
# make && make install
# exit
Install DAQ:# cd ~/Source
# wget http://www.snort.org/dl/snort-current/daq-0.5.tar.gz
# tar -zxf daq-0.5.tar.gz
# cd daq-0.5
DAQ needs to be patched to properly recognize the buffer_size parameter.# vi ~/Source/daq-0.5/os-daq-modules/daq_pcap.c
on line 219 replace:context->buffer_size = strtol(entry->key, NULL, 10);
with:context->buffer_size = strtol(entry->value, NULL, 10);
Now, configure and install DAQ:# ./configure
# sudo su
# make && make install
# exit
Update the shared library path# sudo su
# echo >> /etc/ld.so.conf /usr/lib && ldconfig
# exit
Now, install, configure & start Snort# cd ~/Source
# wget http://www.snort.org/dl/snort-current/snort-2.9.0.4.tar.gz
# tar -zxf snort-2.9.0.4.tar.gz && cd snort-2.9.0.4
# ./configure --with-mysql --enable-dynamicplugin --enable-perfprofiling --enable-ipv6 --enable-zlib --enable-gre --enable-reload --enable-linux-smp-stats
# sudo su
# make && make install
# exit
# sudo mkdir /etc/snort /etc/snort/rules /var/log/snort /var/log/barnyard2 /usr/local/lib/snort_dynamicrules
# sudo groupadd snort && useradd -g snort snort
# sudo chown snort:snort /var/log/snort /var/log/barnyard2
# sudo cp ~/Source/snort-2.9.0.4/etc/*.conf* /etc/snort
# sudo cp ~/Source/snort-2.9.0.4/etc/*.map /etc/snort
Now, we need to make some changes to the snort configuration file:# sudo vi /etc/snort/snort.conf
Change these lines:Line #39 - ipvar HOME_NET 192.168.1.0/24 – make this match your internal (friendly) network
Line #42 - ipvar EXTERNAL_NET !$HOME_NET
Line #80 - var RULE_PATH ./rules – this assumes /etc/snort/rules
Line #186-#190 comment out all of the preprocessor normalize_ lines
Line #366 - add this: output unified2: filename snort.log, limit 128
Line #395 - delete or comment out all of the “include $RULE_PATH” lines except “local.rules”
Now, enter a simple test rule that we can trigger with ping:# sudo vi /etc/snort/rules/local.rules
Add the following rule at the bottom of the local.rules file:alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:10000001;)
Now we can start and test snort.# sudo /usr/local/bin/snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0
Ping the management IP address from another machine, alerts should be printed to the console like this:02/09-11:29:43.450236 [**] [1:10000001:0] ICMP test [**] [Priority: 0] {ICMP} 172.26.12.1 -> 172.26.12.2
02/09-11:29:43.450251 [**] [1:10000001:0] ICMP test [**] [Priority: 0] {ICMP} 172.26.12.2 -> 172.26.12.1
02/09-11:29:44.450949 [**] [1:10000001:0] ICMP test [**] [Priority: 0] {ICMP} 172.26.12.1 -> 172.26.12.2
02/09-11:29:44.450957 [**] [1:10000001:0] ICMP test [**] [Priority: 0] {ICMP} 172.26.12.2 -> 172.26.12.1
If you see those alerts, then you have Snort working... Use ctrl-c to kill snort.
You will need to setup a MySQL database for Barnyard2 to be able to log the Snort events (You'll want to skip this step if you're installing Snorby too because Snoby creats all the necessary Snort tables as well as the Snorby specific tables)
So, log into MySQL and get the snort database all set up:# mysql -u root -p
mysql> create database snort;
mysql> grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort.* to snort@localhost;
mysql> grant ALL on snort.* to snorby@localhost;
mysql> SET PASSWORD FOR snort@localhost=PASSWORD('password');
mysql> SET PASSWORD FOR snorby@localhost=PASSWORD('password');
mysql> exit
Now we have to import the database schema:# mysql -u root -p
# mysql -u root -p
mysql> use snort;
mysql> show tables; # you should see the list of new tables you just imported.
mysql> exit;
Additional MySQL configurations:# vi /etc/mysql/my.cnf
Change the bind-address to localhost:bind-address = localhost
Now, we have to make sure that MySQL creates a pid file to track it's own process id (this is needed by the snortbarn startup script explained later in this document)
Open /etc/mysql/my.cnf again and look for the third instance of this line (under the Basic Settings area):socket = /var/run/mysqld/mysqld.sock
Add this line below the third instance of the socket line:pid-file = /var/run/mysqld/mysqld.pid
Save my.cnf then run these two commands:# touch /var/run/mysqld/mysql.pid
# chown mysql:mysql /var/run/mysqld/mysqld.pid
Now, install the Snorby prerequisites:# sudo apt-get install gcc g++ build-essential libssl-dev libreadline5-dev zlib1g-dev linux-headers-generic libsqlite3-dev
libxslt-dev libxml2-dev libyaml-0-2 libyaml-dev libtcltk-ruby
Install the latest stable release of Ruby (as of this writing):# wget http://ftp.ruby-lang.org//pub/ruby/1.9/ruby-1.9.2-p180.tar.gz
# tar -xvzf ruby-1.9.2-p180.tar.gz && cd ruby-1.9.2-p180
# ./configure
# sudo su
# make && make install
# exit
Now, install MySQL, git support and ImageMagick:# sudo apt-get install imagemagick git-core libmysqlclient-dev mysql-server libmagickwand-dev
Install the gems needed by Snorby:# sudo gem install tzinfo builder memcache-client rack rack-test erubis mail text-format bundler thor i18n sqlite3-ruby
# sudo gem install rack-mount --version=0.6.0
# sudo gem install rails --version=3.0.5
# sudo gem update
Install a pre-compiled version of wkhtmltopdf:# cd ~/Source
# wget http://dl.dropbox.com/u/38088/wkhtmltopdf
# sudo cp wkhtmltopdf /usr/bin/
Now, install and configure Snorby.
Pull down the latest version of Snorby:# cd /var/www
# sudo mkdir -p /var/www/snorby
# sudo adduser --system --home /var/www/snorby/ --no-create-home --group --shell /bin/bash snorby
# sudo usermod -a -G snorby www-data
# sudo git clone http://github.com/Snorby/snorby.git /var/www/snorby && cd /var/www/snorby
Install all the other gems by running the following:# sudo bundle update
# sudo bundle pack
# sudo bundle install --path vendor/cache
# sudo chown -R www-data:www-data /var/www/snorby/
# sudo apache2ctl restart
# sudo vi /var/www/snorby/config/database.yml
The database.yml file should look something like this (with the real password substituted for 'password'):snorby: &snorby
adapter: mysql
username: snorby
password: password
host: localhost
development:
database: snort
test:
database: snort
production:
database: snort
Then, configure Snorby system mail:# sudo vi /var/www/snorby/config/email.yml
It should look something like this: production:
:address: smtp.domain.com
:port: 25
:authentication: plain
:user_name: user
:password: pass
Then, configure the mail initializer:# sudo vi /var/www/snorby/config/initializers/mail_config.rb
Add the following block of code above the perform_deliveries call (or use the other example if you're not using sendmail):ActionMailer::Base.delivery_method = :sendmail
ActionMailer::Base.sendmail_settings = {
:location => '/usr/sbin/sendmail',
:arguments => '-i -t'
}
Also, don't forget to fix the /var/www/snorby/config/snorby_config.yml file:development:
domain: snorby.crypsoft.com
wkhtmltopdf: /usr/bin/wkhtmltopdf
test:
domain: snorby.crypsoft.com
wkhtmltopdf: /usr/bin/wkhtmltopdf
production:
domain: snorby.crypsoft.com
wkhtmltopdf: /usr/bin/wkhtmltopdf
If this is the first time setting up Snorby, then run this command to create the database schemas according to the database.yml settings:# rake snorby:setup RAILS_ENV=production
If this isn't the first time setting up Snorby, then run this command (ALL DATA WILL BE LOST):# rake snorby:reset RAILS_ENV=production
Now the snort table should be set up and ready to receive events from barnyard2.
Now, install and configure barnyard2:# cd ~/Source
# wget http://www.securixlive.com/download/barnyard2/barnyard2-1.9.tar.gz
# tar -zxf barnyard2-1.9.tar.gz && cd barnyard2-1.9
# ./configure --with-mysql
# sudo su
# make && make install
# exit
# sudo mv /usr/local/etc/barnyard2.conf /etc/snort
# sudo vi /etc/snort/barnyard2.conf
Uncomment lines 60 and 61 and set the to the appropriate values for your environment:config hostname: uboxee
config interface: eth0
Uncomment line 65 so that the hostname and interface will be included in alerts:config alert_with_interface_name
Change line #215 to:output alert_fast
At the end of the file add this line:output database: log, mysql, user=snort password= dbname=snort host=localhost
Now start snort and barnyard2 with these commands:# sudo /usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth0 &
# sudo /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf \
-d /var/log/snort -f snort.log -w /etc/snort/bylog.waldo \
-G /etc/snort/gen-msg.map -S /etc/snort/sid-msg.map \
-C /etc/snort/classification.config &
To see if it's working, ping the machine to see if anything gets output to the console by barnyard.
If it's working you can go ahead and stop snort and barnyard:# sudo pkill snort
# sudo pkill barnyard2
Now, check to see if barnyard is correctly inserting events into the database:# mysql -u snort -p -D snort -e "select count(*) from event"
If the count returned a number greater than zero, then it must be working.
Now, to make sure that snort and barnyard2 start automatically at each reboot, do the following:# sudo vi /etc/init.d/snortbarn
Add all of the below code to the snortbarn file (omitting the dashes):#! /bin/sh
#
### BEGIN INIT INFO
# Provides: snortbarn
# Required-Start: $remote_fs $syslog mysql
# Required-Stop: $remote_fs $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# X-Interactive: true
# Short-Description: Start Snort and Barnyard
### END INIT INFO
/lib/init/vars.sh
/lib/lsb/init-functions
mysqld_get_param() {
/usr/sbin/mysqld --print-defaults | tr " " "\n" | grep -- "--$1" | tail -n 1 | cut -d= -f2
}
do_start() {
#log_daemon_msg "Starting Snort and Barnyard" ""
# Make sure mysql has finished starting
ps_alive=0
while [ $ps_alive -lt 1 ];
do
pidfile=`mysqld_get_param pid-file`
if [ -f "$pidfile" ] && ps `cat $pidfile` >/dev/null 2>&1; then ps_alive=1; fi
#echo "sleeping" >&2
sleep 1
done
/sbin/ifconfig eth0 up
/usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth0 &
/usr/local/bin/barnyard2 -q -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /etc/snort/bylog.waldo -G /etc/snort/gen-msg.map -S /etc/snort/sid-msg.map -C /etc/snort/classification.config 2> /dev/nul &
#log_end_msg 0
return 0
}
do_stop() {
#log_daemon_msg "Stopping Snort and Barnyard" ""
kill $(pidof snort) 2> /dev/nul
kill $(pidof barnyard2) 2> /dev/nul
#log_end_msg 0
return 0
}
case "$1" in
start)
do_start
;;
stop)
do_stop
;;
restart)
do_stop
do_start
;;
*)
echo "Usage: snort-barn {start|stop|restart}" >&2
exit 3
;;
esac
exit 0
Make the script executable:# chmod 755 /etc/init.d/snortbarn
Then, make the two included scripts executable:# chmod 755 /lib/init/vars.sh
# chmod 755 /lib/lsb/init-functions
Now, test it out to make sure it is working as it should.
Restart mysql to make sure the mysqld.pid file is getting created on startup:# service mysql restart
# cat /var/run/mysql/mysqld.pid
If the mysql process id displays, then it's working.
Now run the snortbarn script:# /etc/init.d/snortbarn start
Check to see if snort and barnyard2 started successfully:# ps -ef | grep snort
You should output that looks something like this:snort 4211 1 1 18:39 pts/0 00:00:00 /usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth0
root 4212 1 1 18:39 pts/0 00:00:00 /usr/local/bin/barnyard2 -q -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /etc/snort/bylog.waldo -G /etc/snort/gen-msg.map -S /etc/snort/sid-msg.map -C /etc/snort/classification.config
If so, then you're done with that step.
Now, install Passenger for running Ruby on Rails with Apache
Install one dependency for Passenger:# sudo apt-get install libcurl4-openssl-dev
Install Passenger and any modules it needs:# sudo su
# gem install --no-ri --no-rdoc --version 3.0.3 passenger
# /usr/local/lib/ruby/gems/1.9.1/gems/passenger-3.0.3/bin/passenger-install-apache2-module -a
# echo "LoadModule passenger_module /usr/local/lib/ruby/gems/1.9.1/gems/passenger-3.0.3/ext/apache2/mod_passenger.so" > /etc/apache2/mods-available/passenger.load
# echo "" > /etc/apache2/mods-available/passenger.conf
# echo " PassengerRoot /usr/local/lib/ruby/gems/1.9.1/gems/passenger-3.0.3" >> /etc/apache2/mods-available/passenger.conf
# echo " PassengerRuby /usr/local/bin/ruby" >> /etc/apache2/mods-available/passenger.conf
# echo "" >> /etc/apache2/mods-available/passenger.conf
# a2enmod passenger
# a2enmod rewrite
# a2enmod ssl
# exit
Restart apache to apply the changes:# sudo apache2ctl restart
Check to make sure apache started properly:# ps -ef | grep apache2
Now, one last step to get the Snorby bundle ready:# cd /var/www/snorby
# sudo bundle install
# sudo bundle pack
# sudo bundle install --path vendor/cache
# sudo chown -R www-data:www-data vendor/
# sudo apache2ctl restart
Now, clean up any of the test related entries that might be in the database now:truncate snort.caches;
truncate snort.delayed_jobs;
truncate snort.data;
truncate snort.event;
truncate snort.icmphdr;
truncate snort.iphdr;
truncate snort.notes;
truncate snort.opt;
truncate snort.signature;
truncate snort.tcphdr;
truncate snort.udphdr;
Now, install pulledpork and pull down the latest rules# cd ~/Source
# wget http://pulledpork.googlecode.com/files/pulledpork-0.5.0.tar.gz
# tar -zxf pulledpork-0.5.0.tar.gz && cd pulledpork-0.5.0
# sudo su
# cp pulledpork.pl /usr/local/bin && cp etc/*.conf /etc/snort
# vi /etc/snort/pulledpork.conf
Comment out line 20 & 24Line 56: change to: rule_path=/etc/snort/rules/snort.rules
Line 64: change to: rule_path=/etc/snort/rules/local.rules
Line 67: change to: sid_msg=/etc/snort/sid-msg.map
Line 90: change to: config_path=/etc/snort/snort.conf
Line 101: change to: distro=Lucid-Lynx
Line 133: Uncomment and change to: snort_version=2.9.0.4
Line 137: Uncomment and change to: /etc/snort/enablesid.conf
Line 139: Uncomment and change to: /etc/snort/disablesid.conf
Line 140: Uncomment and change to: /etc/snort/modifysid.conf
Now, disable all block (fwsam) rules# echo pcre:fwsam >> /etc/snort/disablesid.conf
Fix an apparent typo in the modifysid.conf file:# vi /etc/snort/modifysid.conf
change last line to:302,429,1821 "$EXTERNAL_NET" "$HOME_NET"
Run pulledpork# /usr/local/bin/pulledpork.pl -c /etc/snort/pulledpork.conf -T -l
You should now see local.rules and snort.rules in /etc/snort/rules.
Clean Up:# rm /var/www/index.html
# chmod 755 /var/www/base
# pkill snort && pkill barnyard2
# rm -rf /var/log/snort/* /var/log/barnyard2/*
Don't forget to comment out the test rule and enable the newly pulledpork (snort.rules)# vi /etc/snort/rules/local.rules – Comment out the test rule
# vi /etc/snort/snort.conf – Line 394: add: include $RULE_PATH/snort.rules
# exit