Support #541

Updated by Daniel Curtis about 9 years ago

 Like many paranoid network and system administrators, I need more than just an antivirus and a firewall on each networked device. So I have decided to set up a Snort machine and log its alerts to a remote MariaDB server. This is a simple guide to setting up a Snort sensor on a FreeBSD 9.2 system. 

 * Update the system 
 <pre> 
 pkg update && pkg upgrade 
 portsnap fetch extract 
 </pre> 

 h2. Install Snort 

 * Install Snort 
 <pre> 
 pkg install snort barnyard2 pulledpork 
 </pre> 

 * Create the following directories: 
 <pre> 
 mkdir -p /usr/local/etc/snort/so_rules 
 mkdir -p /usr/local/etc/snort/rules/iplists 
 mkdir -p /var/log/barnyard2 
 </pre> 

 * Then create a few blank files: 
 <pre> 
 touch /usr/local/etc/snort/rules/snort.rules 
 touch /usr/local/etc/snort/rules/local.rules 
 touch /usr/local/etc/snort/rules/white_list.rules 
 touch /usr/local/etc/snort/rules/black_list.rules 
 touch /var/log/snort/barnyard2.waldo 
 </pre> 

 h3. Configure and update Pulledpork 

 * Create and edit a Pulledpork config file: 
 <pre> 
 cp /usr/local/etc/pulledpork/pulledpork.conf.sample /usr/local/etc/pulledpork/pulledpork.conf 
 vi /usr/local/etc/pulledpork/pulledpork.conf 
 </pre> 
 #* And modify the following, making sure to replace *<oinkcode>* with your actual oinkcode. 
 <pre> 
 rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<oinkcode> 

 rule_url=https://s3.amazonaws.com/snort-org/www/rules/community/|community-rules.tar.gz|Community 

 rule_url=http://labs.snort.org/feeds/ip-filter.blf|IPBLACKLIST|open 

 rule_url=https://www.snort.org/reg-rules/|opensource.gz|<oinkcode> 

 rule_url=https://rules.emergingthreatspro.com/|emerging.rules.tar.gz|open 

 rule_path=/usr/local/etc/snort/rules/snort.rules 

 out_path=/usr/local/etc/snort/rules/ 

 sorule_path=/usr/local/etc/snort/so_rules/ 

 distro=FreeBSD-9.0 

 black_list=/usr/local/etc/snort/rules/iplists/default.blacklist 
 </pre> 

 * Update Snort rules using Pulledpork: 
 <pre> 
 pulledpork.pl -c /usr/local/etc/pulledpork/pulledpork.conf 
 </pre> 

 h3. Configure Snort 

 * Edit the snort config file: 
 <pre> 
 vi /usr/local/etc/snort/snort.conf 
 </pre> 
 #* And modify the following parameters: 
 <pre> 
 ipvar HOME_NET 192.168.1.0/24 
 ipvar EXTERNAL_NET any 

 var RULE_PATH /usr/local/etc/snort/rules 
 var SO_RULE_PATH /usr/local/etc/snort/so_rules 
 var PREPROC_RULE_PATH /usr/local/etc/snort/preproc_rules 
 var WHITE_LIST_PATH /usr/local/etc/snort/rules 
 var BLACK_LIST_PATH /usr/local/etc/snort/rules 

 dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/ 
 dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so 
 #dynamicdetection directory /usr/local/lib/snort/dynamicrules 

 output unified2: filename snortunified2.log, limit 128 

 ## Comment out every $RULE_PATH line 
 #include $RULE_PATH 

 ## Add definition for aggregate snort.rules file 
 include $RULE_PATH/snort.rules 
 </pre> 

 * *(Optional)* Remove all commented lines from snort config: 
 <pre> 
 grep '^[^#]' /usr/local/etc/snort/snort.conf > /usr/local/etc/snort/temp.conf 
 mv -f /usr/local/etc/snort/temp.conf /usr/local/etc/snort/snort.conf 
 </pre> 
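 Commenting out every per-file include in a stock snort.conf by hand is tedious and error-prone, so here is an added Python helper (not part of this guide or of Snort) that performs the two edits above: it comments out each @include $RULE_PATH/...@ line, appends the aggregate @include $RULE_PATH/snort.rules@ exactly once, and mirrors the optional comment-stripping grep. It deliberately leaves the @var RULE_PATH@ line alone, since the aggregate include resolves through it; the sample config is a constructed excerpt.

```python
import re

INCLUDE_RE = re.compile(r"^\s*include\s+\$RULE_PATH/")
AGGREGATE = "include $RULE_PATH/snort.rules"

def rewrite_includes(conf_text):
    """Comment out every per-file $RULE_PATH include and add the aggregate once.

    Only 'include' lines are touched; 'var RULE_PATH ...' is left alone because
    the aggregate include resolves through it. Running this twice is a no-op.
    """
    out = []
    for line in conf_text.splitlines():
        if INCLUDE_RE.match(line) and line.strip() != AGGREGATE:
            line = "#" + line
        out.append(line)
    if AGGREGATE not in (l.strip() for l in out):
        out.append("## Pulledpork writes every downloaded rule into this one file")
        out.append(AGGREGATE)
    return "\n".join(out) + "\n"

def strip_comments(conf_text):
    """Same effect as grep '^[^#]': drop comment lines and empty lines."""
    kept = [l for l in conf_text.splitlines() if l and not l.startswith("#")]
    return "\n".join(kept) + "\n"

# Constructed excerpt of a stock snort.conf; real files have many more includes.
SAMPLE_CONF = """\
var RULE_PATH /usr/local/etc/snort/rules
# site specific rules
include $RULE_PATH/app-detect.rules
include $RULE_PATH/attack-responses.rules

output unified2: filename snortunified2.log, limit 128
"""

if __name__ == "__main__":
    print(strip_comments(rewrite_includes(SAMPLE_CONF)))
```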

 h3. Configure Barnyard2 

 * Edit the barnyard2 config file: 
 <pre> 
 vi /usr/local/etc/barnyard2.conf 
 </pre> 
 #* And modify the following: 
 <pre> 
 config hostname: snort.example.com 
 output database: log, mysql, user=snorby password=SuperSecretPassword dbname=snorby host=localhost 
 </pre> 
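 The @output unified2@ line in snort.conf makes Snort write binary records that Barnyard2 reads back, recording how far it has got in the waldo file before inserting events into the database. As an added example, not from this guide or the Snort project, here is a minimal Python decoder for those records using the legacy IPv4 event layout (record type 7); the sample log is constructed and ends in a partial record, which is exactly the state a reader sees while Snort is mid-write.

```python
import socket
import struct
_HDR = struct.Struct(">II")  # every record: big-endian (type, length) header
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7  # legacy IPv4 event: 11 x uint32, 2 x uint16, 4 x uint8
_EVENT = struct.Struct(">11I2H4B")
_EVENT_FIELDS = ("sensor_id", "event_id", "event_second", "event_microsecond",
                 "signature_id", "generator_id", "signature_revision",
                 "classification_id", "priority_id", "ip_source", "ip_destination",
                 "sport_itype", "dport_icode", "protocol", "impact_flag", "impact", "blocked")

def iter_records(data):
    """Yield (type, body) for each complete record; stop at a partial tail."""
    off = 0
    while off + _HDR.size <= len(data):
        rtype, length = _HDR.unpack_from(data, off)
        if off + _HDR.size + length > len(data):
            break  # record still being written; barnyard2's waldo bookmark resumes here later
        off += _HDR.size
        yield rtype, data[off:off + length]
        off += length

def parse_event(body):
    """Decode a legacy IPv4 IDS event into a dict with dotted-quad addresses."""
    if len(body) != _EVENT.size:
        raise ValueError("event body is %d bytes, expected %d" % (len(body), _EVENT.size))
    ev = dict(zip(_EVENT_FIELDS, _EVENT.unpack(body)))
    for key in ("ip_source", "ip_destination"):
        ev[key] = socket.inet_ntoa(struct.pack(">I", ev[key]))
    return ev

def events(data):
    """Return the decoded IDS events in a unified2 byte string, in file order."""
    return [parse_event(body) for rtype, body in iter_records(data)
            if rtype == UNIFIED2_IDS_EVENT]

# Constructed sample log: one complete event (a local-rule sid) followed by a
# packet record whose header claims 200 bytes but only 20 are present.
SAMPLE_EVENT = _EVENT.pack(
    1, 42, 1400000000, 123456, 1000001, 1, 3, 3, 2,
    int.from_bytes(socket.inet_aton("10.0.0.5"), "big"),
    int.from_bytes(socket.inet_aton("192.168.1.20"), "big"),
    51234, 80, 6, 0, 0, 0)
SAMPLE_LOG = (_HDR.pack(UNIFIED2_IDS_EVENT, len(SAMPLE_EVENT)) + SAMPLE_EVENT
              + _HDR.pack(UNIFIED2_PACKET, 200) + b"\x00" * 20)

if __name__ == "__main__":
    print(*events(SAMPLE_LOG), sep="\n")
```

 The truncated trailing record is skipped rather than treated as corruption; a real reader (as Barnyard2 does) keeps its offset and retries once Snort has finished the write.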

 h2. Install Snorby 

 Snorby is a web frontend for the Snort IDS, and this is a simple guide to installing it on FreeBSD 9.2. This section only sets up Snorby, as my setup has the Snort agent on a remote machine, sending its data to a separate remote database. 

 * Now create a snorby user by running:  
 <pre> 
 adduser 
 </pre> 
 #* Name: *snorby* 
 #* Homedir: */usr/local/www/snorby* 

 * Install a few prerequisite packages: 
 <pre> 
 pkg install bash wget flex pcre libdnet libxml2 libxslt ImageMagick lwp p5-LWP-UserAgent-WithCache p5-Crypt-SSLeay p5-LWP-Protocol-https ruby ruby20-gems wkhtmltopdf 
 </pre> 

 * Install some prerequisite gems: 
 <pre> 
 pkg install rubygem-prawn rubygem-thor rubygem-i18n rubygem-bundler rubygem-tzinfo rubygem-builder rubygem-memcache-client rubygem-rack rubygem-rack-test rubygem-erubis rubygem-mail rubygem-text rubygem-sqlite3 rubygem-rake rubygem-mysql rubygem-rack-mount rubygem-rails 
 </pre> 

 * Install RVM: 
 <pre> 
 su - snorby 
 curl -L https://get.rvm.io | bash 
 source /usr/local/www/snorby/.rvm/scripts/rvm 
 </pre> 

 * Install Ruby 1.9.3 with RVM: 
 <pre> 
 rvm install 1.9.3 
 </pre> 

 * Get Snorby from the download section or use the latest edge release via git. 
 <pre> 
 git clone git://github.com/Snorby/snorby.git 
 </pre> 

 * Move into the Snorby directory 
 <pre> 
 cd snorby 
 </pre> 

 * Create a database config file: 
 <pre> 
 cp config/database.example.yml config/database.yml 
 </pre> 
 #* Change the database, host, user, and password accordingly. 

 * Create and edit the Snorby config: 
 <pre> 
 cp config/snorby_config.yml.example config/snorby_config.yml 
 vi config/snorby_config.yml 
 </pre> 
 #* And add or modify the following: 
 <pre> 
 # 
 # Production 
 # 
 # Change the production configuration for your environment. 
 # 
 production: 
   domain: snorby.example.com 
   wkhtmltopdf: /usr/local/bin/wkhtmltopdf 
   mailer_sender: 'snorby@snorby.org' 
   geoip_uri: "http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz" 
   rules: 
     - "/usr/local/etc/snort/rules" 
   authentication_mode: database 
 </pre> 

 * Install the gem dependencies: 
 <pre> 
 bundle install 
 </pre> 
 #* *NOTE*: If you get missing-gem errors in production, use: 
 <pre> 
 bundle install --path vendor/cache 
 </pre> 
 #* If your system gems are newer than the versions pinned in Gemfile.lock, run the setup through bundler instead, for example: 
 <pre> 
 bundle exec rake snorby:setup 
 </pre> 
 #* If prefixing every command with @bundle exec {app}@ is tedious, you can safely install binstubs with: 
 <pre> 
 bundle install --binstubs 
 </pre> 

 * Run the Snorby setup: 
 <pre> 
 rake snorby:setup 
 </pre> 

 h2. Resources 

 * https://github.com/Snorby/snorby 
 * https://github.com/shirkdog/snorby-bsd/blob/master/snorbyInstall.sh 