Support #541
Updated by Daniel Curtis almost 10 years ago
* Update the system:
<pre>
pkg update && pkg upgrade
portsnap fetch extract
</pre>

h2. Install Snort

* Install Snort:
<pre>
pkg install snort barnyard2 pulledpork
</pre>
* Create the following directories:
<pre>
mkdir -p /usr/local/etc/snort/so_rules
mkdir -p /usr/local/etc/snort/rules/iplists
</pre>
* Then create a few blank files:
<pre>
touch /usr/local/etc/snort/rules/snort.rules
touch /usr/local/etc/snort/rules/local.rules
touch /usr/local/etc/snort/rules/white_list.rules
touch /usr/local/etc/snort/rules/black_list.rules
touch /var/log/snort/barnyard2.waldo
</pre>

h3. Configure and update PulledPork

* Create and edit a PulledPork config file:
<pre>
cp /usr/local/etc/pulledpork/pulledpork.conf.sample /usr/local/etc/pulledpork/pulledpork.conf
vi /usr/local/etc/pulledpork/pulledpork.conf
</pre>
#* And modify the following, making sure to replace *<oinkcode>* with your actual oinkcode:
<pre>
rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<oinkcode>
rule_url=https://s3.amazonaws.com/snort-org/www/rules/community/|community-rules.tar.gz|Community
rule_url=http://labs.snort.org/feeds/ip-filter.blf|IPBLACKLIST|open
rule_url=https://www.snort.org/reg-rules/|opensource.gz|<oinkcode>
rule_url=https://rules.emergingthreatspro.com/|emerging.rules.tar.gz|open
rule_path=/usr/local/etc/snort/rules/snort.rules
out_path=/usr/local/etc/snort/rules/
sorule_path=/usr/local/etc/snort/so_rules/
distro=FreeBSD-9.0
black_list=/usr/local/etc/snort/rules/iplists/default.blacklist
</pre>
* Update the Snort rules using PulledPork:
<pre>
pulledpork.pl -c /usr/local/etc/pulledpork/pulledpork.conf
</pre>

h3. Configure Snort

* Edit the Snort config file:
<pre>
vi /usr/local/etc/snort/snort.conf
</pre>
#* And modify the following parameters:
<pre>
ipvar HOME_NET 192.168.1.0/24
ipvar EXTERNAL_NET any
var RULE_PATH /usr/local/etc/snort/rules
var SO_RULE_PATH /usr/local/etc/snort/so_rules
var PREPROC_RULE_PATH /usr/local/etc/snort/preproc_rules
var WHITE_LIST_PATH /usr/local/etc/snort/rules
var BLACK_LIST_PATH /usr/local/etc/snort/rules
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
#dynamicdetection directory /usr/local/lib/snort/dynamicrules
output unified2: filename snortunified2.log, limit 128
## Comment out every $RULE_PATH line
#include $RULE_PATH
## Add definition for aggregate snort.rules file
include $RULE_PATH/snort.rules
</pre>
* *(Optional)* Remove all commented lines from the Snort config:
<pre>
grep '^[^#]' /usr/local/etc/snort/snort.conf > /usr/local/etc/snort/temp.conf
mv -f /usr/local/etc/snort/temp.conf /usr/local/etc/snort/snort.conf
</pre>

h3. Configure Barnyard2

* Edit the Barnyard2 config file:
<pre>
vi /usr/local/etc/barnyard2.conf
</pre>
#* And modify the following:
<pre>
config hostname: snort.example.com
output database: log, mysql, user=snorby password=SuperSecretPassword dbname=snorby host=localhost
</pre>

h2. Install Snorby

Snorby is a web frontend for the Snort IDS, and this is a simple guide on installing it on FreeBSD 9.2. This guide only sets up Snorby, as my setup has the Snort agent on a remote machine, sending its data to a different remote database.
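Before the Snorby steps, a preflight for the sensor side, as an added example that is not part of the original ticket: it checks that the snort.conf edits above took effect (HOME_NET set to a network, the unified2 output active, only $RULE_PATH/snort.rules included), checks that barnyard2.conf, which carries the database password in clear text, is owner-only and no longer holds the example password, and lets snort parse the config with snort -T when the binary is installed. The sample config files it writes are constructed for the demo; the real paths are the ones used in this ticket.

```shell
#!/bin/sh
# Sensor-side preflight for this guide (added example, not part of the
# original ticket). It lints the snort.conf edits above, checks the
# barnyard2.conf file that carries the clear-text database password, and
# lets snort parse the config itself (snort -T) when the binary is present.
# Usage on the sensor:
#   sh preflight.sh /usr/local/etc/snort/snort.conf /usr/local/etc/barnyard2.conf

# Lint snort.conf against the edits in the guide. Returns 0 when every
# check passes, 1 otherwise; each failed check prints one line.
check_snort_conf() {
    sconf=$1
    s_rc=0
    # HOME_NET must be a real network: with "any", every $HOME_NET rule
    # matches in both directions and the alerts turn into noise.
    grep -Eq '^ipvar[[:space:]]+HOME_NET[[:space:]]+[0-9]' "$sconf" \
        || { echo "snort.conf: HOME_NET is not set to a network"; s_rc=1; }
    # Barnyard2 reads unified2, so that output line must be uncommented.
    grep -Eq '^output[[:space:]]+unified2:' "$sconf" \
        || { echo "snort.conf: no active 'output unified2' line"; s_rc=1; }
    # Only PulledPork's aggregate snort.rules should be included; the
    # per-file $RULE_PATH includes it replaces are empty or duplicates.
    grep -Eq '^include[[:space:]]+\$RULE_PATH/snort\.rules[[:space:]]*$' "$sconf" \
        || { echo "snort.conf: include \$RULE_PATH/snort.rules is missing"; s_rc=1; }
    extra=$(grep -E '^include[[:space:]]+\$RULE_PATH/' "$sconf" \
            | grep -vc 'snort\.rules[[:space:]]*$' || true)
    [ "$extra" -eq 0 ] \
        || { echo "snort.conf: $extra other \$RULE_PATH include(s) still active"; s_rc=1; }
    return $s_rc
}

# Check barnyard2.conf: the "output database" line holds the DB password in
# clear text, so the file must be owner-only and the example password from
# the guide must have been replaced.
check_barnyard2_conf() {
    bconf=$1
    b_rc=0
    grep -Eq '^output[[:space:]]+database:.*password=' "$bconf" \
        || { echo "barnyard2.conf: no 'output database' line with a password"; b_rc=1; }
    grep -q 'password=SuperSecretPassword' "$bconf" \
        && { echo "barnyard2.conf: example password still in place"; b_rc=1; }
    # Columns 5-10 of "ls -l" are the group and other permission bits.
    gobits=$(ls -ld "$bconf" | cut -c5-10)
    case $gobits in
        *r*) echo "barnyard2.conf: readable by group/other ($gobits); chmod 600 it"; b_rc=1 ;;
    esac
    return $b_rc
}

# Run both checks and, if snort is installed, let it parse the config too.
run_preflight() {
    p_rc=0
    check_snort_conf "$1" || p_rc=1
    check_barnyard2_conf "$2" || p_rc=1
    if command -v snort >/dev/null 2>&1; then
        snort -T -c "$1" >/dev/null || { echo "snort -T rejected $1"; p_rc=1; }
    fi
    [ $p_rc -eq 0 ] && echo "preflight OK"
    return $p_rc
}

# Build a constructed good/bad pair of configs in a scratch directory so the
# checks can be exercised without a sensor; prints the directory path.
make_samples() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/snortpre.XXXXXX")
    cat > "$d/good.conf" <<'EOF'
ipvar HOME_NET 192.168.1.0/24
ipvar EXTERNAL_NET any
var RULE_PATH /usr/local/etc/snort/rules
output unified2: filename snortunified2.log, limit 128
#include $RULE_PATH/local.rules
include $RULE_PATH/snort.rules
EOF
    cat > "$d/bad.conf" <<'EOF'
ipvar HOME_NET any
var RULE_PATH /usr/local/etc/snort/rules
#output unified2: filename snortunified2.log, limit 128
include $RULE_PATH/local.rules
include $RULE_PATH/snort.rules
EOF
    # Constructed credentials: the good copy has its own password and mode 600,
    # the bad copy keeps the guide's example password and is world-readable.
    cat > "$d/by2_good.conf" <<'EOF'
config hostname: snort.example.com
output database: log, mysql, user=snorby password=constructed-demo-secret dbname=snorby host=localhost
EOF
    chmod 600 "$d/by2_good.conf"
    cat > "$d/by2_bad.conf" <<'EOF'
config hostname: snort.example.com
output database: log, mysql, user=snorby password=SuperSecretPassword dbname=snorby host=localhost
EOF
    chmod 644 "$d/by2_bad.conf"
    echo "$d"
}

# With two arguments check real files; with none, exercise the samples.
if [ $# -eq 2 ]; then
    run_preflight "$1" "$2"
else
    samples=$(make_samples)
    run_preflight "$samples/good.conf" "$samples/by2_good.conf"
    echo "--- expected failures on the bad pair ---"
    run_preflight "$samples/bad.conf" "$samples/by2_bad.conf"
    rm -rf "$samples"
fi
```

Run it without arguments to see the checks fire on the constructed pair, or with the two real paths on the sensor; a non-zero exit from run_preflight means at least one check (or snort -T) failed, so it can sit in front of a service restart.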
* Now create a snorby user by running:
<pre>
adduser
</pre>
#* Name: *snorby*
#* Homedir: /usr/local/www/snorby
* Install a few prerequisite packages:
<pre>
pkg install bash wget flex pcre libdnet libxml2 libxslt ImageMagick lwp p5-LWP-UserAgent-WithCache p5-Crypt-SSLeay p5-LWP-Protocol-https ruby ruby20-gems wkhtmltopdf
</pre>
* Install some prerequisite gems:
<pre>
pkg install rubygem-prawn rubygem-thor rubygem-i18n rubygem-bundler rubygem-tzinfo rubygem-builder rubygem-memcache-client rubygem-rack rubygem-rack-test rubygem-erubis rubygem-mail rubygem-text rubygem-sqlite3 rubygem-rake rubygem-mysql rubygem-rack-mount rubygem-rails
</pre>
* Install RVM:
<pre>
su - snorby
curl -L https://get.rvm.io | bash
source /usr/local/www/snorby/.rvm/scripts/rvm
</pre>
* Install Ruby 1.9.3 with RVM:
<pre>
rvm install 1.9.3
</pre>
* Get Snorby from the download section or use the latest edge release via git:
<pre>
git clone git://github.com/Snorby/snorby.git
</pre>
* Move into the Snorby directory:
<pre>
cd snorby
</pre>
* Create a database config file:
<pre>
cp config/database.example.yml config/database.yml
</pre>
#* Change the database, host, user, and password accordingly.
* Create and edit the Snorby config:
<pre>
cp config/snorby_config.yml.example config/snorby_config.yml
vi config/snorby_config.yml
</pre>
#* And add or modify the following:
<pre>
#
# Production
#
# Change the production configuration for your environment.
#
production:
  domain: snorby.example.com
  wkhtmltopdf: /usr/local/bin/wkhtmltopdf
  mailer_sender: 'snorby@snorby.org'
  geoip_uri: "http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz"
  rules:
    - "/usr/local/etc/snort/rules"
  authentication_mode: database
</pre>
* Install the gem dependencies:
<pre>
bundle install
</pre>
#* *NOTE*: If you get missing gem issues in production, use:
<pre>
bundle install --path vendor/cache
</pre>
#* If your system gems are updated beyond the Gemfile.lock, you should use this as an example:
<pre>
bundle exec rake snorby:setup
</pre>
#* If running @bundle exec {app}@ is painful, you can safely install binstubs by:
<pre>
bundle install --binstubs
</pre>
* Run the Snorby setup:
<pre>
rake snorby:setup
</pre>

h2. Resources

* https://github.com/Snorby/snorby
* https://github.com/shirkdog/snorby-bsd/blob/master/snorbyInstall.sh