Project

General

Profile

Support #541

Install Snort, Barnyard2, PulledPork, and Snorby With Nginx on FreeBSD

Added by Daniel Curtis almost 10 years ago. Updated over 9 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
Intrusion Detection/Prevention
Target version:
Start date:
01/24/2015
Due date:
% Done:

100%

Estimated time:
1.50 h
Spent time:

Description

Like many paranoid network & system administrators, I have need of more than just an antivirus and firewall on each networked device. So I have decided to install a Snort machine and log the information to a remote MariaDB server. This is a simple guide to set up a Snort machine on a FreeBSD 9.2 system.

Prepare the system

  • Update the system
    pkg update && pkg upgrade
    portsnap fetch extract
    
  • Install portmaster:
    cd /usr/ports/ports-mgmt/portmaster
    make install clean
    pkg2ng
    

Install Snort

  • Install Snort
    portmaster security/snort security/barnyard2 security/pulledpork
    

    NOTE: Enable [X]MYSQL during the config of security/barnyard2
  • Create the following directories:
    mkdir -p /usr/local/etc/snort/so_rules
    mkdir -p /usr/local/etc/snort/rules/iplists
    mkdir -p /var/log/barnyard2
    
  • Then create a few blank files:
    touch /usr/local/etc/snort/rules/snort.rules
    touch /usr/local/etc/snort/rules/local.rules
    touch /usr/local/etc/snort/rules/white_list.rules
    touch /usr/local/etc/snort/rules/black_list.rules
    touch /var/log/snort/barnyard2.waldo
    

Configure Snort

  • Edit the snort config file:
    vi /usr/local/etc/snort/snort.conf
    
    • And modify the following parameters:
      ipvar HOME_NET 192.168.1.0/24
      ipvar EXTERNAL_NET any
      
      var RULE_PATH /usr/local/etc/snort/rules
      var SO_RULE_PATH /usr/local/etc/snort/so_rules
      var PREPROC_RULE_PATH /usr/local/etc/snort/preproc_rules
      var WHITE_LIST_PATH /usr/local/etc/snort/rules
      var BLACK_LIST_PATH /usr/local/etc/snort/rules
      
      dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
      dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
      #dynamicdetection directory /usr/local/lib/snort/dynamicrules
      
      output unified2: filename snortunified2.log, limit 128
      
      ## Comment out every $RULE_PATH line
      #include $RULE_PATH
      
      ## Add definition for aggregate snort.rules file
      include $RULE_PATH/snort.rules
      
  • (Optional) Remove all commented lines from snort config:
    grep '^[^#]' /usr/local/etc/snort/snort.conf > /usr/local/etc/snort/temp.conf
    mv -f /usr/local/etc/snort/temp.conf /usr/local/etc/snort/snort.conf
    

Configure Pulledpork

  • Create and edit a Pulledpork config file:
    cp /usr/local/etc/pulledpork/pulledpork.conf.sample /usr/local/etc/pulledpork/pulledpork.conf
    vi /usr/local/etc/pulledpork/pulledpork.conf
    
    • And modify the following, making sure to replace <oinkcode> with your actual oinkcode.
      rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<oinkcode>
      
      rule_url=https://s3.amazonaws.com/snort-org/www/rules/community/|community-rules.tar.gz|Community
      
      rule_url=http://labs.snort.org/feeds/ip-filter.blf|IPBLACKLIST|open
      
      rule_url=https://www.snort.org/reg-rules/|opensource.gz|<oinkcode>
      
      rule_url=https://rules.emergingthreatspro.com/|emerging.rules.tar.gz|open
      
      rule_path=/usr/local/etc/snort/rules/snort.rules
      
      out_path=/usr/local/etc/snort/rules/
      
      sorule_path=/usr/local/etc/snort/so_rules/
      
      distro=FreeBSD-9.0
      
      black_list=/usr/local/etc/snort/rules/iplists/default.blacklist
      
  • Update Snort rules using Pulledpork:
    pulledpork.pl -c /usr/local/etc/pulledpork/pulledpork.conf
    
  • If you have such an error while issuing the command with the -vv parameter:
    500 Can't connect to www.snort.org:443 (Crypt-SSLeay can't verify hostnames
    
    • Then add this environment variable:
      bash
      export HTTPS_CA_DIR=/usr/share/ca-certificates/
      pulledpork.pl -c /usr/local/etc/pulledpork/pulledpork.conf
      
  • And add following line to /etc/crontab (the example automatically checks for the presence of new rules every 12 hours):
    echo '## Update Snort rules' >> /etc/crontab
    echo '5 */12 * * * /usr/bin/perl /usr/local/bin/pulledpork.pl -c /usr/local/etc/pulledpork/pulledpork.conf' >> /etc/crontab
    
  • Restart cron:
    service cron restart
    

Configure Barnyard2

  • Edit the barnyard2 config file:
    vi /usr/local/etc/barnyard2.conf
    
    • And modify the following:
      config hostname: snort.example.com
      output database: log, mysql, user=snorby password=SuperSecretPassword dbname=snorby host=localhost
      

Install Snorby

Snorby is a web frontend for the Snort IDS, and this is a simple guide on installing it on FreeBSD 9.2. This guide only sets up Snorby, as my setup has the Snort agent on remote machine, sending its data to a different remote database.

  • Install a few prerequisite packages:
    portmaster shells/bash ftp/wget textproc/flex devel/pcre net/libdnet textproc/libxml2 textproc/libxslt graphics/ImageMagick devel/lwp www/p5-LWP-UserAgent-WithCache security/p5-Crypt-SSLeay www/p5-LWP-Protocol-https lang/ruby21 devel/ruby-gems converters/wkhtmltopdf devel/readline
    
  • Fix Bash:
    ln -s /usr/local/bin/bash /bin/bash
    

    NOTE: This is required later by snorby, an error will occur otherwise.
  • Install some prerequisite gems:
    portmaster print/rubygem-prawn devel/rubygem-thor devel/rubygem-i18n sysutils/rubygem-bundler devel/rubygem-tzinfo devel/rubygem-builder databases/rubygem-memcache-client www/rubygem-rack www/rubygem-rack-test www/rubygem-erubis mail/rubygem-mail textproc/rubygem-text databases/rubygem-sqlite3 devel/rubygem-rake databases/rubygem-mysql www/rubygem-rack-mount www/rubygem-rails
    
  • Now create a snorby user:
    pw add user -n snorby -d /usr/local/www/snorby -m -s /usr/local/bin/bash -c "Snorby" 
    
  • Get Snorby from the download section or use the latest edge release via git.
    cd /usr/local/www
    git clone git://github.com/Snorby/snorby.git
    
  • Install RVM:
    su - snorby
    curl -L https://get.rvm.io | bash
    source /usr/local/www/snorby/.rvm/scripts/rvm
    
  • Install Ruby 1.9.3
    rvm install 1.9.3
    rvm use 1.9.3
    
  • Install Passenger inside the RVM environment:
    gem install passenger
    
  • Install bundler inside the RVM environment:
    gem install bundler
    
  • Create a database config file:
    cp config/database.example.yml config/database.yml
    
    • Change the database, host, user, and password accordingly
  • Create and edit the Snorby config:
    cp config/snorby_config.yml.example config/snorby_config.yml
    vi config/snorby_config.yml
    
    • And add or modify the following
      # Change the production configuration for your environment.
      production:
      domain: snorby.example.com
      wkhtmltopdf: /usr/local/bin/wkhtmltopdf
      mailer_sender: 'snorby@snorby.org'
      geoip_uri: "http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz" 
      rules:
      - "/usr/local/etc/snort/rules" 
      authentication_mode: database
      
  • Install Gem Dependencies
    RAILS_ENV=production bundle install --path vendor/bundle
    
  • Install the railties gem using the system libraries:
    gem install railties -- --use-system-libraries
    
  • Run the Snorby Setup
    RAILS_ENV=production bundle exec rake snorby:setup
    
  • Restart the snorby worker:
    RAILS_ENV=production bundle exec rails r Snorby::Worker.stop
    RAILS_ENV=production bundle exec rails r Snorby::Worker.start
    
  • Exit the snorby user environment:
    exit
    

Snorbyfix Script

  • Create the snorbyfix script:
    vi /usr/local/bin/snorbyfix.sh
    
    • And add the following:
      #!/bin/sh
      # Snorby Worker script
      su - snorby -c 'RAILS_ENV=production rails r Snorby::Worker.restart'
      
  • Create a cronjob to run the snorbyfix script every hour:
    echo '## Fix snorby worker' >> /etc/crontab
    echo '* 1 * * * snorby /usr/local/bin/snorbyfix.sh' >> /etc/crontab 
    
  • Make the script executable:
    chmod +x /usr/local/bin/snorbyfix.sh
    
  • Restart the cron service:
    service cron restart
    

Install Nginx

  • Install Nginx with Passenger
    portmaster www/nginx
    

    NOTE: Make sure to enable [X]PASSENGER when running make config
  • Install the Passenger gem:
    portmaster www/rubygem-passenger
    

    NOTE: Make sure to enable (*) NGINX when running make config

Configure Nginx

  • Create a configuration directory to make managing individual server blocks easier:
    mkdir /usr/local/etc/nginx/conf.d
    
  • Configuring Nginx and Passenger, edit the /usr/local/etc/nginx/nginx.conf file:
    vi /usr/local/etc/nginx/nginx.conf
    
    • And add/modify the following
      user  www www;
      worker_processes  4;
      error_log  /var/log/nginx/error.log notice;
      pid        /var/run/nginx.pid;
      
      events {
        worker_connections  1024;
      }
      
      http {
        passenger_root /usr/local/lib/ruby/gems/2.0/gems/passenger-4.0.58;
        passenger_ruby /usr/local/bin/ruby;
        passenger_max_pool_size 15;
        passenger_pool_idle_time 300;
        #passenger_spawn_method direct; # Uncomment on Ruby 1.8 for ENC to work
      
        include       mime.types;
        default_type  application/octet-stream;
        sendfile      on;
        tcp_nopush    on;
        keepalive_timeout  65;
        tcp_nodelay        on;
      
        # Load config files from the /etc/nginx/conf.d directory
        include /usr/local/etc/nginx/conf.d/*.conf;
      }
      

      NOTE: The above configuration will set the ruby used by passenger to the system default ruby.
  • And add a default site configuration in /usr/local/etc/nginx/conf.d/default.conf:
    server {
      listen 80 default;
      server_name _;
    
      index index.html index.php;
      root /usr/local/www;
    
      # IP and IP ranges which should get access
      allow 10.0.0.0/24;
      allow 10.1.0.1;
      # all else will be denied
      deny all;
    
      # basic HTTP auth
      auth_basic "Restricted";
      auth_basic_user_file htpasswd;
    
      location ~ \.cgi$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_pass unix:/var/run/fcgiwrap/fcgiwrap.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param REMOTE_USER $remote_user;
      }
    
      location ~ \.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
      }
    }
    
  • Find the exact ruby version that snorby will use:
    su - snorby
    passenger-config --ruby-command
    
    • Example output:
      passenger-config was invoked through the following Ruby interpreter:
        Command: /usr/local/www/snorby/.rvm/gems/ruby-1.9.3-p551/wrappers/ruby
        Version: ruby 1.9.3p551 (2014-11-13 revision 48407) [x86_64-freebsd9.3]
        To use in Apache: PassengerRuby /usr/local/www/snorby/.rvm/gems/ruby-1.9.3-p551/wrappers/ruby
        To use in Nginx : passenger_ruby /usr/local/www/snorby/.rvm/gems/ruby-1.9.3-p551/wrappers/ruby
        To use with Standalone: /usr/local/www/snorby/.rvm/gems/ruby-1.9.3-p551/wrappers/ruby /usr/local/www/snorby/.rvm/gems/ruby-1.9.3-p551/gems/passenger-4.0.58/bin/passenger start
      
  • And create a server block for snorby
    vi /usr/local/etc/nginx/conf.d/snorby.conf
    
    • And add the following:
      server {
        listen       80;
        server_name  snorby.example.com;
      
        passenger_enabled on;
        passenger_ruby /usr/local/www/snorby/.rvm/gems/ruby-1.9.3-p551/wrappers/ruby;
        passenger_user             snorby;
        passenger_group            snorby;
      
        access_log /var/log/nginx/snorby.log;
        root /usr/local/www/snorby/public;
      }
      
  • Create the log directory to prevent issues on startup:
    mkdir /var/log/nginx
    
  • Restart nginx
    service nginx restart
    

Log into Snorby

  • The default password is snorby

Resources

Also available in: Atom PDF