Support #541
Install Snort, Barnyard2, PulledPork, and Snorby With Nginx on FreeBSD
Status:
Closed
Priority:
Normal
Assignee:
Category:
Intrusion Detection/Prevention
Target version:
Description
- Table of contents
- Prepare the system
- Install Snort
- Install Snorby
- Install Nginx
- Resources
Like many paranoid network & system administrators, I have need of more than just an antivirus and firewall on each networked device. So I have decided to install a Snort machine and log the information to a remote MariaDB server. This is a simple guide to set up a Snort machine on a FreeBSD 9.2 system.
Prepare the system¶
- Update the system
pkg update && pkg upgrade portsnap fetch extract
- Install portmaster:
cd /usr/ports/ports-mgmt/portmaster make install clean pkg2ng
Install Snort¶
- Install Snort
portmaster security/snort security/barnyard2 security/pulledpork
NOTE: Enable [X]MYSQL during the config of security/barnyard2
- Create the following directories:
mkdir -p /usr/local/etc/snort/so_rules mkdir -p /usr/local/etc/snort/rules/iplists mkdir -p /var/log/barnyard2
- Then create a few blank files:
touch /usr/local/etc/snort/rules/snort.rules touch /usr/local/etc/snort/rules/local.rules touch /usr/local/etc/snort/rules/white_list.rules touch /usr/local/etc/snort/rules/black_list.rules touch /var/log/snort/barnyard2.waldo
Configure Snort¶
- Edit the snort config file:
vi /usr/local/etc/snort/snort.conf
- And modify the following parameters:
ipvar HOME_NET 192.168.1.0/24 ipvar EXTERNAL_NET any var RULE_PATH /usr/local/etc/snort/rules var SO_RULE_PATH /usr/local/etc/snort/so_rules var PREPROC_RULE_PATH /usr/local/etc/snort/preproc_rules var WHITE_LIST_PATH /usr/local/etc/snort/rules var BLACK_LIST_PATH /usr/local/etc/snort/rules dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/ dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so #dynamicdetection directory /usr/local/lib/snort/dynamicrules output unified2: filename snortunified2.log, limit 128 ## Comment out every $RULE_PATH line #include $RULE_PATH ## Add definition for aggregate snort.rules file include $RULE_PATH/snort.rules
- And modify the following parameters:
- (Optional) Remove all commented lines from snort config:
grep '^[^#]' /usr/local/etc/snort/snort.conf > /usr/local/etc/snort/temp.conf mv -f /usr/local/etc/snort/temp.conf /usr/local/etc/snort/snort.conf
Configure Pulledpork¶
- Create and edit a Pulledpork config file:
cp /usr/local/etc/pulledpork/pulledpork.conf.sample /usr/local/etc/pulledpork/pulledpork.conf vi /usr/local/etc/pulledpork/pulledpork.conf
- And modify the following, making sure to replace <oinkcode> with your actual oinkcode.
rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<oinkcode> rule_url=https://s3.amazonaws.com/snort-org/www/rules/community/|community-rules.tar.gz|Community rule_url=http://labs.snort.org/feeds/ip-filter.blf|IPBLACKLIST|open rule_url=https://www.snort.org/reg-rules/|opensource.gz|<oinkcode> rule_url=https://rules.emergingthreatspro.com/|emerging.rules.tar.gz|open rule_path=/usr/local/etc/snort/rules/snort.rules out_path=/usr/local/etc/snort/rules/ sorule_path=/usr/local/etc/snort/so_rules/ distro=FreeBSD-9.0 black_list=/usr/local/etc/snort/rules/iplists/default.blacklist
- And modify the following, making sure to replace <oinkcode> with your actual oinkcode.
- Update Snort rules using Pulledpork:
pulledpork.pl -c /usr/local/etc/pulledpork/pulledpork.conf
- If you have such an error while issuing the command with the -vv parameter:
500 Can't connect to www.snort.org:443 (Crypt-SSLeay can't verify hostnames
- Then add this environment variable:
bash export HTTPS_CA_DIR=/usr/share/ca-certificates/ pulledpork.pl -c /usr/local/etc/pulledpork/pulledpork.conf
- Then add this environment variable:
- And add following line to
/etc/crontab
(the example automatically checks for the presence of new rules every 12 hours):echo '## Update Snort rules' >> /etc/crontab echo '5 */12 * * * /usr/bin/perl /usr/local/bin/pulledpork.pl -c /usr/local/etc/pulledpork/pulledpork.conf' >> /etc/crontab
- Restart cron:
service cron restart
Configure Barnyard2¶
- Edit the barnyard2 config file:
vi /usr/local/etc/barnyard2.conf
- And modify the following:
config hostname: snort.example.com output database: log, mysql, user=snorby password=SuperSecretPassword dbname=snorby host=localhost
- And modify the following:
Install Snorby¶
Snorby is a web frontend for the Snort IDS, and this is a simple guide on installing it on FreeBSD 9.2. This guide only sets up Snorby, as my setup has the Snort agent on remote machine, sending its data to a different remote database.
- Install a few prerequisite packages:
portmaster shells/bash ftp/wget textproc/flex devel/pcre net/libdnet textproc/libxml2 textproc/libxslt graphics/ImageMagick devel/lwp www/p5-LWP-UserAgent-WithCache security/p5-Crypt-SSLeay www/p5-LWP-Protocol-https lang/ruby21 devel/ruby-gems converters/wkhtmltopdf devel/readline
- Fix Bash:
ln -s /usr/local/bin/bash /bin/bash
NOTE: This is required later by snorby, an error will occur otherwise.
- Install some prerequisite gems:
portmaster print/rubygem-prawn devel/rubygem-thor devel/rubygem-i18n sysutils/rubygem-bundler devel/rubygem-tzinfo devel/rubygem-builder databases/rubygem-memcache-client www/rubygem-rack www/rubygem-rack-test www/rubygem-erubis mail/rubygem-mail textproc/rubygem-text databases/rubygem-sqlite3 devel/rubygem-rake databases/rubygem-mysql www/rubygem-rack-mount www/rubygem-rails
- Now create a snorby user:
pw add user -n snorby -d /usr/local/www/snorby -m -s /usr/local/bin/bash -c "Snorby"
- Get Snorby from the download section or use the latest edge release via git.
cd /usr/local/www git clone git://github.com/Snorby/snorby.git
- Install RVM:
su - snorby curl -L https://get.rvm.io | bash source /usr/local/www/snorby/.rvm/scripts/rvm
- Install Ruby 1.9.3
rvm install 1.9.3 rvm use 1.9.3
- Install Passenger inside the RVM environment:
gem install passenger
- Install bundler inside the RVM environment:
gem install bundler
- Create a database config file:
cp config/database.example.yml config/database.yml
- Change the database, host, user, and password accordingly
- Create and edit the Snorby config:
cp config/snorby_config.yml.example config/snorby_config.yml vi config/snorby_config.yml
- And add or modify the following
# Change the production configuration for your environment. production: domain: snorby.example.com wkhtmltopdf: /usr/local/bin/wkhtmltopdf mailer_sender: 'snorby@snorby.org' geoip_uri: "http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz" rules: - "/usr/local/etc/snort/rules" authentication_mode: database
- And add or modify the following
- Install Gem Dependencies
RAILS_ENV=production bundle install --path vendor/bundle
- Install the railties gem using the system libraries:
gem install railties -- --use-system-libraries
- Run the Snorby Setup
RAILS_ENV=production bundle exec rake snorby:setup
- Restart the snorby worker:
RAILS_ENV=production bundle exec rails r Snorby::Worker.stop RAILS_ENV=production bundle exec rails r Snorby::Worker.start
- Exit the snorby user environment:
exit
Snorbyfix Script¶
- Create the snorbyfix script:
vi /usr/local/bin/snorbyfix.sh
- And add the following:
#!/bin/sh # Snorby Worker script su - snorby -c 'RAILS_ENV=production rails r Snorby::Worker.restart'
- And add the following:
- Create a cronjob to run the snorbyfix script every hour:
echo '## Fix snorby worker' >> /etc/crontab echo '* 1 * * * snorby /usr/local/bin/snorbyfix.sh' >> /etc/crontab
- Make the script executable:
chmod +x /usr/local/bin/snorbyfix.sh
- Restart the cron service:
service cron restart
Install Nginx¶
- Install Nginx with Passenger
portmaster www/nginx
NOTE: Make sure to enable [X]PASSENGER when runningmake config
- Install the Passenger gem:
portmaster www/rubygem-passenger
NOTE: Make sure to enable (*) NGINX when runningmake config
Configure Nginx¶
- Create a configuration directory to make managing individual server blocks easier:
mkdir /usr/local/etc/nginx/conf.d
- Configuring Nginx and Passenger, edit the
/usr/local/etc/nginx/nginx.conf
file:vi /usr/local/etc/nginx/nginx.conf
- And add/modify the following
user www www; worker_processes 4; error_log /var/log/nginx/error.log notice; pid /var/run/nginx.pid; events { worker_connections 1024; } http { passenger_root /usr/local/lib/ruby/gems/2.0/gems/passenger-4.0.58; passenger_ruby /usr/local/bin/ruby; passenger_max_pool_size 15; passenger_pool_idle_time 300; #passenger_spawn_method direct; # Uncomment on Ruby 1.8 for ENC to work include mime.types; default_type application/octet-stream; sendfile on; tcp_nopush on; keepalive_timeout 65; tcp_nodelay on; # Load config files from the /etc/nginx/conf.d directory include /usr/local/etc/nginx/conf.d/*.conf; }
NOTE: The above configuration will set the ruby used by passenger to the system default ruby.
- And add/modify the following
- And add a default site configuration in
/usr/local/etc/nginx/conf.d/default.conf
:server { listen 80 default; server_name _; index index.html index.php; root /usr/local/www; # IP and IP ranges which should get access allow 10.0.0.0/24; allow 10.1.0.1; # all else will be denied deny all; # basic HTTP auth auth_basic "Restricted"; auth_basic_user_file htpasswd; location ~ \.cgi$ { try_files $uri =404; include fastcgi_params; fastcgi_pass unix:/var/run/fcgiwrap/fcgiwrap.sock; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param REMOTE_USER $remote_user; } location ~ \.php$ { try_files $uri =404; include fastcgi_params; fastcgi_pass 127.0.0.1:9000; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; } }
- Find the exact ruby version that snorby will use:
su - snorby passenger-config --ruby-command
- Example output:
passenger-config was invoked through the following Ruby interpreter: Command: /usr/local/www/snorby/.rvm/gems/ruby-1.9.3-p551/wrappers/ruby Version: ruby 1.9.3p551 (2014-11-13 revision 48407) [x86_64-freebsd9.3] To use in Apache: PassengerRuby /usr/local/www/snorby/.rvm/gems/ruby-1.9.3-p551/wrappers/ruby To use in Nginx : passenger_ruby /usr/local/www/snorby/.rvm/gems/ruby-1.9.3-p551/wrappers/ruby To use with Standalone: /usr/local/www/snorby/.rvm/gems/ruby-1.9.3-p551/wrappers/ruby /usr/local/www/snorby/.rvm/gems/ruby-1.9.3-p551/gems/passenger-4.0.58/bin/passenger start
- Example output:
- And create a server block for snorby
vi /usr/local/etc/nginx/conf.d/snorby.conf
- And add the following:
server { listen 80; server_name snorby.example.com; passenger_enabled on; passenger_ruby /usr/local/www/snorby/.rvm/gems/ruby-1.9.3-p551/wrappers/ruby; passenger_user snorby; passenger_group snorby; access_log /var/log/nginx/snorby.log; root /usr/local/www/snorby/public; }
- And add the following:
- Create the log directory to prevent issues on startup:
mkdir /var/log/nginx
- Restart nginx
service nginx restart
Log into Snorby¶
- The server name set up in this example is http://snorby.example.com
- The default username is snorby@snorby.org
- The default password is snorby