Support #541

Install Snort, Barnyard2, PulledPork, and Snorby With Nginx on FreeBSD

Added by Daniel Curtis about 9 years ago. Updated about 9 years ago.

Status: Closed
Priority: Normal
Category: Intrusion Detection/Prevention
Start date: 01/24/2015
% Done: 100%
Estimated time: 1.50 h

Description

Like many paranoid network & system administrators, I have need of more than just an antivirus and firewall on each networked device. So I have decided to install a Snort machine and log the information to a remote MariaDB server. This is a simple guide to set up a Snort machine on a FreeBSD 9.2 system.

Prepare the system

  • Update the system
    pkg update && pkg upgrade
    portsnap fetch extract
    
  • Install portmaster:
    cd /usr/ports/ports-mgmt/portmaster
    make install clean
    pkg2ng
    

Install Snort

  • Install Snort
    portmaster security/snort security/barnyard2 security/pulledpork
    

    NOTE: Enable [X]MYSQL during the config of security/barnyard2
  • Create the following directories:
    mkdir -p /usr/local/etc/snort/so_rules
    mkdir -p /usr/local/etc/snort/rules/iplists
    mkdir -p /var/log/barnyard2
    
  • Then create a few blank files:
    touch /usr/local/etc/snort/rules/snort.rules
    touch /usr/local/etc/snort/rules/local.rules
    touch /usr/local/etc/snort/rules/white_list.rules
    touch /usr/local/etc/snort/rules/black_list.rules
    touch /var/log/snort/barnyard2.waldo
    

Configure Snort

  • Edit the snort config file:
    vi /usr/local/etc/snort/snort.conf
    
    • And modify the following parameters:
      ipvar HOME_NET 192.168.1.0/24
      ipvar EXTERNAL_NET any
      
      var RULE_PATH /usr/local/etc/snort/rules
      var SO_RULE_PATH /usr/local/etc/snort/so_rules
      var PREPROC_RULE_PATH /usr/local/etc/snort/preproc_rules
      var WHITE_LIST_PATH /usr/local/etc/snort/rules
      var BLACK_LIST_PATH /usr/local/etc/snort/rules
      
      dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
      dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
      #dynamicdetection directory /usr/local/lib/snort/dynamicrules
      
      output unified2: filename snortunified2.log, limit 128
      
      ## Comment out every $RULE_PATH line
      #include $RULE_PATH
      
      ## Add definition for aggregate snort.rules file
      include $RULE_PATH/snort.rules
      
  • (Optional) Strip all comment and blank lines from the snort config (the grep keeps only lines that start with a non-# character):
    grep '^[^#]' /usr/local/etc/snort/snort.conf > /usr/local/etc/snort/temp.conf
    mv -f /usr/local/etc/snort/temp.conf /usr/local/etc/snort/snort.conf
    

Configure Pulledpork

  • Create and edit a Pulledpork config file:
    cp /usr/local/etc/pulledpork/pulledpork.conf.sample /usr/local/etc/pulledpork/pulledpork.conf
    vi /usr/local/etc/pulledpork/pulledpork.conf
    
    • And modify the following, making sure to replace <oinkcode> with your actual oinkcode.
      rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<oinkcode>
      
      rule_url=https://s3.amazonaws.com/snort-org/www/rules/community/|community-rules.tar.gz|Community
      
      rule_url=http://labs.snort.org/feeds/ip-filter.blf|IPBLACKLIST|open
      
      rule_url=https://www.snort.org/reg-rules/|opensource.gz|<oinkcode>
      
      rule_url=https://rules.emergingthreatspro.com/|emerging.rules.tar.gz|open
      
      rule_path=/usr/local/etc/snort/rules/snort.rules
      
      out_path=/usr/local/etc/snort/rules/
      
      sorule_path=/usr/local/etc/snort/so_rules/
      
      distro=FreeBSD-9.0
      
      black_list=/usr/local/etc/snort/rules/iplists/default.blacklist
      
  • Update Snort rules using Pulledpork:
    pulledpork.pl -c /usr/local/etc/pulledpork/pulledpork.conf
    
  • If you see an error like the following when running the command with the -vv parameter:
    500 Can't connect to www.snort.org:443 (Crypt-SSLeay can't verify hostnames
    
    • Then set this environment variable and run PulledPork again:
      export HTTPS_CA_DIR=/usr/share/ca-certificates/
      pulledpork.pl -c /usr/local/etc/pulledpork/pulledpork.conf
      
  • And add the following lines to /etc/crontab (this example checks for new rules every 12 hours; entries in the system crontab need the user field before the command):
    echo '## Update Snort rules' >> /etc/crontab
    echo '5 */12 * * * root /usr/bin/perl /usr/local/bin/pulledpork.pl -c /usr/local/etc/pulledpork/pulledpork.conf' >> /etc/crontab
    
  • Restart cron:
    service cron restart
    

Configure Barnyard2

  • Edit the barnyard2 config file:
    vi /usr/local/etc/barnyard2.conf
    
    • And modify the following:
      config hostname: snort.example.com
      output database: log, mysql, user=snorby password=SuperSecretPassword dbname=snorby host=localhost
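
Added example (not part of the original guide or of barnyard2): a small Python reader for the unified2 records that the `output unified2:` line in snort.conf makes Snort write and that barnyard2 reads from the position recorded in its waldo file. It parses the IPv4 IDS event (type 7) and packet (type 2) records and pairs them by event_id, which is how barnyard2 relates an alert to its captured packet. Record layouts follow Snort's Unified2_common.h; the sample log bytes are constructed inline.

```python
import struct
import ipaddress
UNIFIED2_PACKET, UNIFIED2_IDS_EVENT = 2, 7      # record types from Unified2_common.h
HDR = struct.Struct("!II")                      # every record: big-endian (type, length)
IDS_EVENT = struct.Struct("!11IHH4B")           # type 7 body: 52 bytes (IPv4 event)
PACKET = struct.Struct("!7I")                   # type 2 header: 28 bytes, then raw packet

def parse_unified2(data):
    """Return a list of (record_type, fields) for every record in a unified2 byte string."""
    off, out = 0, []
    while off + HDR.size <= len(data):
        rtype, rlen = HDR.unpack_from(data, off)
        body = data[off + HDR.size:off + HDR.size + rlen]
        if len(body) != rlen:
            raise ValueError("truncated unified2 record at offset %d" % off)
        if rtype == UNIFIED2_IDS_EVENT and rlen == IDS_EVENT.size:
            f = IDS_EVENT.unpack(body)
            out.append((rtype, {"event_id": f[1], "sid": f[4], "gid": f[5], "rev": f[6],
                                "priority": f[8], "src": str(ipaddress.IPv4Address(f[9])),
                                "dst": str(ipaddress.IPv4Address(f[10])),
                                "sport": f[11], "dport": f[12], "proto": f[13]}))
        elif rtype == UNIFIED2_PACKET:
            f = PACKET.unpack_from(body)   # f[5] = linktype, f[6] = packet length
            out.append((rtype, {"event_id": f[1], "linktype": f[5],
                                "packet": body[PACKET.size:PACKET.size + f[6]]}))
        else:
            out.append((rtype, {"raw": body}))   # IPv6 events, extra data, etc.
        off += HDR.size + rlen
    return out

def summarize(data):
    """Pair each event with its packet by event_id, as barnyard2 does; one line per alert."""
    events, packets = {}, {}
    for rtype, rec in parse_unified2(data):
        if rtype in (UNIFIED2_IDS_EVENT, UNIFIED2_PACKET):
            (events if rtype == UNIFIED2_IDS_EVENT else packets)[rec["event_id"]] = rec
    return ["[%d:%d:%d] %s:%d -> %s:%d proto %d prio %d (%d packet bytes)" % (
                e["gid"], e["sid"], e["rev"], e["src"], e["sport"], e["dst"], e["dport"],
                e["proto"], e["priority"], len(packets.get(eid, {"packet": b""})["packet"]))
            for eid, e in sorted(events.items())]

def build_sample():
    """Constructed sample log: one IDS event plus its packet record (not a real capture)."""
    src, dst = int(ipaddress.IPv4Address("192.168.1.10")), int(ipaddress.IPv4Address("10.0.0.5"))
    event = IDS_EVENT.pack(1, 42, 1422057600, 0, 1000001, 1, 1, 3, 2, src, dst, 51515, 80, 6, 0, 0, 0)
    pkt = b"\x45\x00" + b"\x00" * 18   # 20 constructed placeholder bytes, not a real packet
    packet = PACKET.pack(1, 42, 1422057600, 1422057600, 0, 1, len(pkt)) + pkt
    return HDR.pack(UNIFIED2_IDS_EVENT, len(event)) + event + HDR.pack(UNIFIED2_PACKET, len(packet)) + packet
```

Run `summarize(open("/var/log/snort/snortunified2.log.<timestamp>", "rb").read())` against a real spool file to spot-check what barnyard2 will insert into the snorby database.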
      

Install Snorby

Snorby is a web frontend for the Snort IDS, and this is a simple guide to installing it on FreeBSD 9.2. This guide only sets up Snorby, as my setup has the Snort agent on a remote machine, sending its data to a different remote database.

  • Install a few prerequisite packages:
    portmaster shells/bash ftp/wget textproc/flex devel/pcre net/libdnet textproc/libxml2 textproc/libxslt graphics/ImageMagick devel/lwp www/p5-LWP-UserAgent-WithCache security/p5-Crypt-SSLeay www/p5-LWP-Protocol-https lang/ruby21 devel/ruby-gems converters/wkhtmltopdf devel/readline
    
  • Fix Bash:
    ln -s /usr/local/bin/bash /bin/bash
    

    NOTE: Snorby requires this later; an error will occur otherwise.
  • Install some prerequisite gems:
    portmaster print/rubygem-prawn devel/rubygem-thor devel/rubygem-i18n sysutils/rubygem-bundler devel/rubygem-tzinfo devel/rubygem-builder databases/rubygem-memcache-client www/rubygem-rack www/rubygem-rack-test www/rubygem-erubis mail/rubygem-mail textproc/rubygem-text databases/rubygem-sqlite3 devel/rubygem-rake databases/rubygem-mysql www/rubygem-rack-mount www/rubygem-rails
    
  • Now create a snorby user (without -m: the home directory is created by the git clone in the next step, and git refuses to clone into a non-empty directory):
    pw add user -n snorby -d /usr/local/www/snorby -s /usr/local/bin/bash -c "Snorby"
    
  • Get Snorby from the download section or use the latest edge release via git, then give the snorby user ownership of the checkout:
    cd /usr/local/www
    git clone git://github.com/Snorby/snorby.git
    chown -R snorby:snorby /usr/local/www/snorby
    
  • Install RVM:
    su - snorby
    curl -L https://get.rvm.io | bash
    source /usr/local/www/snorby/.rvm/scripts/rvm
    
  • Install Ruby 1.9.3
    rvm install 1.9.3
    rvm use 1.9.3
    
  • Install Passenger inside the RVM environment:
    gem install passenger
    
  • Install bundler inside the RVM environment:
    gem install bundler
    
  • Create a database config file:
    cp config/database.example.yml config/database.yml
    
    • Change the database, host, user, and password accordingly
  • Create and edit the Snorby config:
    cp config/snorby_config.yml.example config/snorby_config.yml
    vi config/snorby_config.yml
    
    • And add or modify the following (the keys under production: must be indented, as YAML requires):
      # Change the production configuration for your environment.
      production:
        domain: snorby.example.com
        wkhtmltopdf: /usr/local/bin/wkhtmltopdf
        mailer_sender: 'snorby@snorby.org'
        geoip_uri: "http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz"
        rules:
          - "/usr/local/etc/snort/rules"
        authentication_mode: database
      
  • Install Gem Dependencies
    RAILS_ENV=production bundle install --path vendor/bundle
    
  • Install the railties gem using the system libraries:
    gem install railties -- --use-system-libraries
    
  • Run the Snorby Setup
    RAILS_ENV=production bundle exec rake snorby:setup
    
  • Restart the snorby worker:
    RAILS_ENV=production bundle exec rails r Snorby::Worker.stop
    RAILS_ENV=production bundle exec rails r Snorby::Worker.start
    
  • Exit the snorby user environment:
    exit
    

Snorbyfix Script

  • Create the snorbyfix script:
    vi /usr/local/bin/snorbyfix.sh
    
    • And add the following:
      #!/bin/sh
      # Snorby Worker script
      su - snorby -c 'RAILS_ENV=production rails r Snorby::Worker.restart'
      
  • Create a cronjob to run the snorbyfix script every hour (at minute 0 of each hour; the field after the schedule is the user the job runs as):
    echo '## Fix snorby worker' >> /etc/crontab
    echo '0 * * * * snorby /usr/local/bin/snorbyfix.sh' >> /etc/crontab
    
  • Make the script executable:
    chmod +x /usr/local/bin/snorbyfix.sh
    
  • Restart the cron service:
    service cron restart
    

Install Nginx

  • Install Nginx with Passenger
    portmaster www/nginx
    

    NOTE: Make sure to enable [X]PASSENGER when running make config
  • Install the Passenger gem:
    portmaster www/rubygem-passenger
    

    NOTE: Make sure to enable (*) NGINX when running make config

Configure Nginx

  • Create a configuration directory to make managing individual server blocks easier:
    mkdir /usr/local/etc/nginx/conf.d
    
  • To configure Nginx and Passenger, edit the /usr/local/etc/nginx/nginx.conf file:
    vi /usr/local/etc/nginx/nginx.conf
    
    • And add/modify the following
      user  www www;
      worker_processes  4;
      error_log  /var/log/nginx/error.log notice;
      pid        /var/run/nginx.pid;
      
      events {
        worker_connections  1024;
      }
      
      http {
        passenger_root /usr/local/lib/ruby/gems/2.0/gems/passenger-4.0.58;
        passenger_ruby /usr/local/bin/ruby;
        passenger_max_pool_size 15;
        passenger_pool_idle_time 300;
        #passenger_spawn_method direct; # Uncomment on Ruby 1.8 for ENC to work
      
        include       mime.types;
        default_type  application/octet-stream;
        sendfile      on;
        tcp_nopush    on;
        keepalive_timeout  65;
        tcp_nodelay        on;
      
        # Load the individual server blocks from /usr/local/etc/nginx/conf.d
        include /usr/local/etc/nginx/conf.d/*.conf;
      }
      

      NOTE: The above configuration will set the ruby used by passenger to the system default ruby.
  • And add a default site configuration in /usr/local/etc/nginx/conf.d/default.conf:
    server {
      listen 80 default;
      server_name _;
    
      index index.html index.php;
      root /usr/local/www;
    
      # IP and IP ranges which should get access
      allow 10.0.0.0/24;
      allow 10.1.0.1;
      # all else will be denied
      deny all;
    
      # basic HTTP auth
      auth_basic "Restricted";
      auth_basic_user_file htpasswd;
    
      location ~ \.cgi$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_pass unix:/var/run/fcgiwrap/fcgiwrap.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param REMOTE_USER $remote_user;
      }
    
      location ~ \.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
      }
    }
    
  • Find the exact ruby version that snorby will use:
    su - snorby
    passenger-config --ruby-command
    
    • Example output:
      passenger-config was invoked through the following Ruby interpreter:
        Command: /usr/local/www/snorby/.rvm/gems/ruby-1.9.3-p551/wrappers/ruby
        Version: ruby 1.9.3p551 (2014-11-13 revision 48407) [x86_64-freebsd9.3]
        To use in Apache: PassengerRuby /usr/local/www/snorby/.rvm/gems/ruby-1.9.3-p551/wrappers/ruby
        To use in Nginx : passenger_ruby /usr/local/www/snorby/.rvm/gems/ruby-1.9.3-p551/wrappers/ruby
        To use with Standalone: /usr/local/www/snorby/.rvm/gems/ruby-1.9.3-p551/wrappers/ruby /usr/local/www/snorby/.rvm/gems/ruby-1.9.3-p551/gems/passenger-4.0.58/bin/passenger start
      
  • And create a server block for snorby
    vi /usr/local/etc/nginx/conf.d/snorby.conf
    
    • And add the following:
      server {
        listen       80;
        server_name  snorby.example.com;
      
        passenger_enabled on;
        passenger_ruby /usr/local/www/snorby/.rvm/gems/ruby-1.9.3-p551/wrappers/ruby;
        passenger_user             snorby;
        passenger_group            snorby;
      
        access_log /var/log/nginx/snorby.log;
        root /usr/local/www/snorby/public;
      }
      
  • Create the log directory to prevent issues on startup:
    mkdir /var/log/nginx
    
  • Restart nginx
    service nginx restart
    

Log into Snorby

  • The default password is snorby
