Support #541
Updated by Daniel Curtis almost 10 years ago
{{>toc}}
Like many paranoid network and system administrators, I need more than just antivirus and a firewall on each networked device, so I have decided to set up a Snort sensor and log its alerts to a remote MariaDB server. This is a simple guide to setting up a Snort machine on FreeBSD 9.2.
* Update the system
<pre>
pkg update && pkg upgrade
portsnap fetch extract
</pre>
h2. Install Snort
* Install Snort
<pre>
pkg install snort barnyard2 pulledpork
</pre>
* Create the following directories:
<pre>
mkdir -p /usr/local/etc/snort/so_rules
mkdir -p /usr/local/etc/snort/rules/iplists
mkdir -p /var/log/barnyard2
</pre>
* Then create a few blank files:
<pre>
touch /usr/local/etc/snort/rules/snort.rules
touch /usr/local/etc/snort/rules/local.rules
touch /usr/local/etc/snort/rules/white_list.rules
touch /usr/local/etc/snort/rules/black_list.rules
touch /var/log/snort/barnyard2.waldo
</pre>
h3. Configure and update Pulledpork
* Create and edit a Pulledpork config file:
<pre>
cp /usr/local/etc/pulledpork/pulledpork.conf.sample /usr/local/etc/pulledpork/pulledpork.conf
vi /usr/local/etc/pulledpork/pulledpork.conf
</pre>
#* And modify the following, replacing *<oinkcode>* with your actual oinkcode. The oinkcode is a credential tied to your snort.org account, so keep @pulledpork.conf@ readable by root only. The @distro@ value must be one of the names listed in the comments of @pulledpork.conf.sample@ (they are hyphenated, e.g. @FreeBSD-9-0@), and @snort_path@ must point at the FreeBSD binary rather than the Linux default; otherwise Pulledpork cannot determine the Snort version and fetch the matching precompiled @so_rules@.
<pre>
rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<oinkcode>
rule_url=https://s3.amazonaws.com/snort-org/www/rules/community/|community-rules.tar.gz|Community
rule_url=http://labs.snort.org/feeds/ip-filter.blf|IPBLACKLIST|open
rule_url=https://www.snort.org/reg-rules/|opensource.gz|<oinkcode>
rule_url=https://rules.emergingthreatspro.com/|emerging.rules.tar.gz|open
rule_path=/usr/local/etc/snort/rules/snort.rules
out_path=/usr/local/etc/snort/rules/
sorule_path=/usr/local/etc/snort/so_rules/
distro=FreeBSD-9-0
snort_path=/usr/local/bin/snort
black_list=/usr/local/etc/snort/rules/iplists/default.blacklist
</pre>
* Update Snort rules using Pulledpork:
<pre>
pulledpork.pl -c /usr/local/etc/pulledpork/pulledpork.conf
</pre>
h3. Configure Snort
* Edit the snort config file:
<pre>
vi /usr/local/etc/snort/snort.conf
</pre>
#* And modify the following parameters:
<pre>
ipvar HOME_NET 192.168.1.0/24
ipvar EXTERNAL_NET any
var RULE_PATH /usr/local/etc/snort/rules
var SO_RULE_PATH /usr/local/etc/snort/so_rules
var PREPROC_RULE_PATH /usr/local/etc/snort/preproc_rules
var WHITE_LIST_PATH /usr/local/etc/snort/rules
var BLACK_LIST_PATH /usr/local/etc/snort/rules
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
#dynamicdetection directory /usr/local/lib/snort/dynamicrules
output unified2: filename snortunified2.log, limit 128
## Comment out every $RULE_PATH line
#include $RULE_PATH
## Add definition for aggregate snort.rules file
include $RULE_PATH/snort.rules
</pre>
* *(Optional)* Remove all commented lines from the Snort config. Note that @grep '^[^#]'@ keeps only lines whose first character is not @#@, so it also drops blank lines, and the stripped copy loses the documentation of the defaults; keep a copy of the original before doing this:
<pre>
grep '^[^#]' /usr/local/etc/snort/snort.conf > /usr/local/etc/snort/temp.conf
mv -f /usr/local/etc/snort/temp.conf /usr/local/etc/snort/snort.conf
</pre>
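The snort.conf edits from this section as a non-interactive script, with a sanity check afterwards. This is an added example, not the guide's own commands: it assumes the FreeBSD layout used on this page (the aggregate @$RULE_PATH/snort.rules@ written by Pulledpork), takes the config path and HOME_NET as arguments, and runs its demo on a constructed miniature snort.conf rather than the real file.

```shell
#!/bin/sh
# Added example, not from the original guide: the snort.conf edits from the
# steps above done non-interactively, followed by a sanity check. Assumes the
# FreeBSD layout used on this page ($RULE_PATH/snort.rules is the aggregate
# file Pulledpork writes); the conf path and HOME_NET are arguments.

# configure_snort_conf CONF HOME_NET
#   - sets "ipvar HOME_NET" to HOME_NET
#   - comments out every per-file "include $RULE_PATH/..." line
#   - leaves exactly one active include, $RULE_PATH/snort.rules, appending
#     it if the file had none
# Running it twice is harmless: lines that are already comments are skipped.
configure_snort_conf() {
    conf=$1
    home_net=$2
    tmp="$conf.tmp.$$"
    sed -e "s|^ipvar HOME_NET .*|ipvar HOME_NET $home_net|" \
        -e 's|^include \$RULE_PATH/|#include $RULE_PATH/|' \
        -e 's|^#include \$RULE_PATH/snort\.rules$|include $RULE_PATH/snort.rules|' \
        "$conf" > "$tmp"
    if ! grep -q '^include \$RULE_PATH/snort\.rules$' "$tmp"; then
        printf '%s\n' '# aggregate rules file written by Pulledpork' \
                      'include $RULE_PATH/snort.rules' >> "$tmp"
    fi
    mv -f "$tmp" "$conf"
}

# check_snort_conf CONF
#   Returns 0 when the file has exactly one active rule include (the
#   aggregate), HOME_NET is not "any" (which loses the inside/outside
#   distinction the rules rely on) and unified2 output for Barnyard2 is
#   present; otherwise says what is wrong and returns 1. If the snort binary
#   is installed, snort itself is also asked to validate the file (-T).
check_snort_conf() {
    conf=$1
    rc=0
    n=$(grep -c '^include \$RULE_PATH/' "$conf" || true)
    if [ "$n" -ne 1 ] || ! grep -q '^include \$RULE_PATH/snort\.rules$' "$conf"; then
        echo "expected exactly one active include (snort.rules), found $n" >&2
        rc=1
    fi
    if grep -q '^ipvar HOME_NET any$' "$conf"; then
        echo 'HOME_NET is "any": rules can no longer tell inside from outside' >&2
        rc=1
    fi
    grep -q '^output unified2:' "$conf" || { echo 'no unified2 output for Barnyard2' >&2; rc=1; }
    if command -v snort >/dev/null 2>&1; then
        snort -T -q -c "$conf" >/dev/null 2>&1 || { echo 'snort -T rejected the config' >&2; rc=1; }
    fi
    return $rc
}

# write_sample_conf PATH: a constructed miniature snort.conf for the demo
# only; it is not the file the snort package installs.
write_sample_conf() {
    cat > "$1" <<'EOF'
ipvar HOME_NET any
ipvar EXTERNAL_NET any
var RULE_PATH /usr/local/etc/snort/rules
output unified2: filename snortunified2.log, limit 128
include $RULE_PATH/local.rules
include $RULE_PATH/web-attacks.rules
EOF
}

# Demo on the constructed sample (point it at /usr/local/etc/snort/snort.conf
# and your real HOME_NET on a sensor).
demo=$(mktemp)
write_sample_conf "$demo"
configure_snort_conf "$demo" 192.168.1.0/24
check_snort_conf "$demo" && echo "snort.conf OK: $demo"
rm -f "$demo"
```

Run @check_snort_conf@ again after every Pulledpork run: a rules update that leaves @snort.rules@ unreadable or a stray hand edit that re-enables a per-file include will be caught before Snort is restarted.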
h3. Configure Barnyard2
* Edit the barnyard2 config file:
<pre>
vi /usr/local/etc/barnyard2.conf
</pre>
#* And modify the following. @host@ is where Barnyard2 writes alerts: @localhost@ only fits an all-in-one box, so for the remote MariaDB server described above use its address. The password sits in this file in the clear, so keep @barnyard2.conf@ readable by root only, and give the @snorby@ database account rights on the @snorby@ database alone.
<pre>
config hostname: snort.example.com
output database: log, mysql, user=snorby password=SuperSecretPassword dbname=snorby host=localhost
</pre>
h2. Install Snorby
Snorby is a web front end for the Snort IDS, and this is a simple guide to installing it on FreeBSD 9.2. This section only sets up Snorby: in my setup the Snort sensor is on a remote machine, sending its data to a separate remote database, so Snorby only needs to reach that database.
* Now create a snorby user by running:
<pre>
adduser
</pre>
#* Name: *snorby*
#* Homedir: */usr/local/www/snorby*
* Install a few prerequisite packages:
<pre>
pkg install bash wget flex pcre libdnet libxml2 libxslt ImageMagick lwp p5-LWP-UserAgent-WithCache p5-Crypt-SSLeay p5-LWP-Protocol-https ruby ruby20-gems wkhtmltopdf
</pre>
* Install some prerequisite gems:
<pre>
pkg install rubygem-prawn rubygem-thor rubygem-i18n rubygem-bundler rubygem-tzinfo rubygem-builder rubygem-memcache-client rubygem-rack rubygem-rack-test rubygem-erubis rubygem-mail rubygem-text rubygem-sqlite3 rubygem-rake rubygem-mysql rubygem-rack-mount rubygem-rails
</pre>
* Install RVM as the snorby user. Piping an installer from the network straight into bash runs whatever the server sends, so download the script first and read it, or verify it against the signing key published on rvm.io, before running it:
<pre>
su - snorby
curl -L https://get.rvm.io | bash
source /usr/local/www/snorby/.rvm/scripts/rvm
</pre>
* Install Ruby 1.9.3 under RVM:
<pre>
rvm install 1.9.3
</pre>
* Get Snorby from the download section or use the latest edge release via git. Clone over HTTPS: the @git://@ protocol is unauthenticated and unencrypted, so anyone on the path could hand you a tampered tree (GitHub has since withdrawn @git://@ entirely).
<pre>
git clone https://github.com/Snorby/snorby.git
</pre>
* Move into the Snorby directory
<pre>
cd snorby
</pre>
* Create a database config file:
<pre>
cp config/database.example.yml config/database.yml
</pre>
#* Change the database, host, user, and password to match the database that Barnyard2 writes to. This file holds the password in the clear, so keep it owned by @snorby@ and readable by that user only.
* Create and edit the Snorby config:
<pre>
cp config/snorby_config.yml.example config/snorby_config.yml
vi config/snorby_config.yml
</pre>
#* And add or modify the following:
<pre>
#
# Production
#
# Change the production configuration for your environment.
#
production:
  domain: snorby.example.com
  wkhtmltopdf: /usr/local/bin/wkhtmltopdf
  mailer_sender: 'snorby@snorby.org'
  geoip_uri: "http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz"
  rules:
    - "/usr/local/etc/snort/rules"
  authentication_mode: database
</pre>
* Install Gem Dependencies
<pre>
bundle install
</pre>
#* *NOTE*: If you get missing gem issues in production use:
<pre>
bundle install --path vendor/cache
</pre>
#* If your system gems are newer than what @Gemfile.lock@ pins, run the rake tasks through Bundler so the locked versions are used, for example:
<pre>
bundle exec rake snorby:setup
</pre>
#* If running @bundle exec {app}@ is painful you can safely install binstubs by:
<pre>
bundle install --binstubs
</pre>
* Run the Snorby setup. It creates the schema and seeds a default administrator account; log in and change that account's password before exposing the web UI:
<pre>
rake snorby:setup
</pre>
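Three files on this page carry credentials in the clear: @pulledpork.conf@ (the oinkcode), @barnyard2.conf@ (the database password) and Snorby's @config/database.yml@ (the same password). The script below, an added example that is not from the guide or from Pulledpork, Barnyard2 or Snorby, fills the @<oinkcode>@ placeholder from a root-only file instead of editing it in by hand, and audits and locks down the credential-bearing files. The secret-file location (@/usr/local/etc/snort/oinkcode@) and the file paths are assumptions; the demo uses constructed files in a scratch directory.

```shell
#!/bin/sh
# Added example, not from the original guide or from Pulledpork, Barnyard2 or
# Snorby: handling the secrets the configs above contain. Assumptions: the
# oinkcode lives in a root-only file such as /usr/local/etc/snort/oinkcode
# (a path chosen here, not by the guide); file paths are arguments. POSIX sh.

# file_mode PATH: permission string such as "-rw-r--r--"; ls is used because
# the stat(1) flags differ between FreeBSD and GNU.
file_mode() { ls -ld "$1" | cut -c1-10; }

# render_oinkcode TEMPLATE OUT SECRET_FILE
#   Replaces the <oinkcode> placeholder in TEMPLATE with the code stored in
#   SECRET_FILE and writes OUT with mode 600, so the oinkcode is never typed
#   on a command line (visible in shell history and ps) and never ends up in
#   a 644 config. Refuses a secret file that others can read, an empty file,
#   and a code containing anything but letters and digits.
render_oinkcode() {
    template=$1
    out=$2
    secret=$3
    case $(file_mode "$secret") in
        ?rw-------|?r--------) ;;
        *) echo "refusing: $secret must be readable by its owner only" >&2; return 1 ;;
    esac
    code=$(head -n 1 "$secret" | tr -d '[:space:]')
    case $code in
        '') echo "refusing: $secret is empty" >&2; return 1 ;;
        *[!A-Za-z0-9]*) echo "refusing: oinkcode contains unexpected characters" >&2; return 1 ;;
    esac
    # Subshell so the restrictive umask does not leak into the caller.
    ( umask 077 && sed "s|<oinkcode>|$code|g" "$template" > "$out" ) || return 1
    chmod 600 "$out"   # in case OUT already existed with a wider mode
}

# audit_secret_files FILE...
#   Reports every listed file that exists and is readable by its group or by
#   everyone; returns 1 if any was found. Worth running from periodic(8) so a
#   later edit with a permissive umask does not silently re-expose a password.
audit_secret_files() {
    bad=0
    for f in "$@"; do
        [ -e "$f" ] || continue
        mode=$(file_mode "$f")
        case $mode in
            ????r*|???????r*)
                echo "$f is $mode: readable beyond its owner" >&2
                bad=1 ;;
        esac
    done
    return $bad
}

# lock_down FILE...: chmod 600 each listed file that exists. Ownership is
# left alone: barnyard2.conf and pulledpork.conf belong to root, Snorby's
# config/database.yml to the snorby user, since each must still read its own.
lock_down() {
    for f in "$@"; do
        if [ -e "$f" ]; then chmod 600 "$f"; fi
    done
}

# Demo on constructed files in a scratch directory (no real system paths).
d=$(mktemp -d)
printf 'rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<oinkcode>\n' > "$d/pulledpork.conf.sample"
( umask 077 && printf 'replaceme0123456789\n' > "$d/oinkcode" )
render_oinkcode "$d/pulledpork.conf.sample" "$d/pulledpork.conf" "$d/oinkcode"
printf 'output database: log, mysql, user=snorby password=SuperSecretPassword dbname=snorby host=localhost\n' > "$d/barnyard2.conf"
lock_down "$d/barnyard2.conf"
audit_secret_files "$d/pulledpork.conf" "$d/barnyard2.conf" && echo "no exposed credentials under $d"
rm -rf "$d"
```

On a real sensor run @render_oinkcode@ against @pulledpork.conf.sample@ as root, then @lock_down@ and @audit_secret_files@ over @/usr/local/etc/pulledpork/pulledpork.conf@, @/usr/local/etc/barnyard2.conf@ and @/usr/local/www/snorby/snorby/config/database.yml@; the audit checks mode bits only, so filesystem ACLs still need a separate look.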
h2. Resources
* https://github.com/Snorby/snorby
* https://github.com/shirkdog/snorby-bsd/blob/master/snorbyInstall.sh