Support #541
Updated by Daniel Curtis almost 10 years ago
{{>toc}} Like many paranoid network & system administrators, I have need of more than just an antivirus and firewall on each networked device. So I have decided to install a Snort machine and log the information to a remote MariaDB server. This is a simple guide to set up a Snort machine on a FreeBSD 9.2 system. * Update the system <pre> pkg update && pkg upgrade portsnap fetch extract </pre> h2. Install Snort * Install Snort <pre> pkg install snort barnyard2 pulledpork </pre> * Create the following directories: <pre> mkdir -p /usr/local/etc/snort/so_rules mkdir -p /usr/local/etc/snort/rules/iplists mkdir -p /var/log/barnyard2 </pre> * Then create a few blank files: <pre> touch /usr/local/etc/snort/rules/snort.rules touch /usr/local/etc/snort/rules/local.rules touch /usr/local/etc/snort/rules/white_list.rules touch /usr/local/etc/snort/rules/black_list.rules touch /var/log/snort/barnyard2.waldo </pre> h3. Configure and update Pulledpork * Create and edit a Pulledpork config file: <pre> cp /usr/local/etc/pulledpork/pulledpork.conf.sample /usr/local/etc/pulledpork/pulledpork.conf vi /usr/local/etc/pulledpork/pulledpork.conf </pre> #* And modify the following, making sure to replace *<oinkcode>* with your actual oinkcode. <pre> rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<oinkcode> rule_url=https://s3.amazonaws.com/snort-org/www/rules/community/|community-rules.tar.gz|Community rule_url=http://labs.snort.org/feeds/ip-filter.blf|IPBLACKLIST|open rule_url=https://www.snort.org/reg-rules/|opensource.gz|<oinkcode> rule_url=https://rules.emergingthreatspro.com/|emerging.rules.tar.gz|open rule_path=/usr/local/etc/snort/rules/snort.rules out_path=/usr/local/etc/snort/rules/ sorule_path=/usr/local/etc/snort/so_rules/ distro=FreeBSD-9.0 black_list=/usr/local/etc/snort/rules/iplists/default.blacklist </pre> * Update Snort rules using Pulledpork: <pre> pulledpork.pl -c /usr/local/etc/pulledpork/pulledpork.conf </pre> h3. Configure Snort * Edit the snort config file: <pre> vi /usr/local/etc/snort/snort.conf </pre> #* And modify the following parameters: <pre> ipvar HOME_NET 192.168.1.0/24 ipvar EXTERNAL_NET any var RULE_PATH /usr/local/etc/snort/rules var SO_RULE_PATH /usr/local/etc/snort/so_rules var PREPROC_RULE_PATH /usr/local/etc/snort/preproc_rules var WHITE_LIST_PATH /usr/local/etc/snort/rules var BLACK_LIST_PATH /usr/local/etc/snort/rules dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/ dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so #dynamicdetection directory /usr/local/lib/snort/dynamicrules output unified2: filename snortunified2.log, limit 128 ## Comment out every $RULE_PATH line #include $RULE_PATH ## Add definition for aggregate snort.rules file include $RULE_PATH/snort.rules </pre> * *(Optional)* Remove all commented lines from snort config: <pre> grep '^[^#]' /usr/local/etc/snort/snort.conf > /usr/local/etc/snort/temp.conf mv -f /usr/local/etc/snort/temp.conf /usr/local/etc/snort/snort.conf </pre> h3. Configure Barnyard2 * Edit the barnyard2 config file: <pre> vi /usr/local/etc/barnyard2.conf </pre> #* And modify the following: <pre> config hostname: snort.example.com output database: log, mysql, user=snorby password=SuperSecretPassword dbname=snorby host=localhost </pre> h2. Install Snorby Snorby is a web frontend for the Snort IDS, and this is a simple guide on installing it on FreeBSD 9.2. This guide only sets up Snorby, as my setup has the Snort agent on remote machine, sending its data to a different remote database. * Now create a snorby user by running: <pre> adduser </pre> #* Name: *snorby* #* Homedir: */usr/local/www/snorby* * Install a few prerequisite packages: <pre> pkg install bash wget flex pcre libdnet libxml2 libxslt ImageMagick lwp p5-LWP-UserAgent-WithCache p5-Crypt-SSLeay p5-LWP-Protocol-https ruby ruby20-gems wkhtmltopdf </pre> * Install some prerequisite gems: <pre> pkg install rubygem-prawn rubygem-thor rubygem-i18n rubygem-bundler rubygem-tzinfo rubygem-builder rubygem-memcache-client rubygem-rack rubygem-rack-test rubygem-erubis rubygem-mail rubygem-text rubygem-sqlite3 rubygem-rake rubygem-mysql rubygem-rack-mount rubygem-rails </pre> * Install RVM: <pre> su - snorby curl -L https://get.rvm.io | bash source /usr/local/www/snorby/.rvm/scripts/rvm </pre> * Install <pre> rvm install 1.9.3 </pre> * Get Snorby from the download section or use the latest edge release via git. <pre> cd /usr/local/www git clone git://github.com/Snorby/snorby.git </pre> * Install RVM: Move into the Snorby directory <pre> su - cd snorby curl -L https://get.rvm.io | bash source /usr/local/www/snorby/.rvm/scripts/rvm </pre> * Install <pre> rvm install 1.9.3 </pre> * Create a database config file: <pre> cp config/database.example.yml config/database.yml </pre> #* Change the database, host, user, and password accordingly * Create and edit the Snorby config: <pre> cp config/snorby_config.yml.example config/snorby_config.yml vi config/snorby_config.yml </pre> #* And add or modify the following <pre> # # Production # # Change the production configuration for your environment. # production: domain: snorby.example.com wkhtmltopdf: /usr/local/bin/wkhtmltopdf mailer_sender: 'snorby@snorby.org' geoip_uri: "http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz" rules: - "/usr/local/etc/snort/rules" authentication_mode: database </pre> * Install Gem Dependencies <pre> RAILS_ENV=production bundle install --binstubs </pre> * Run the Snorby Setup <pre> RAILS_ENV=production bundle exec rake snorby:setup </pre> h2. Install Nginx * Install Nginx with Passenger <pre> cd /usr/ports/www/nginx make config make install clean mkdir /usr/local/etc/nginx/conf.d </pre> #* *NOTE*: Make sure to enable [X]PASSENGER when running @make config@ * Install the Passenger gem: If you get missing gem issues in production use: <pre> cd /usr/ports/www/rubygem-passenger make config make bundle install clean --path vendor/cache </pre> *NOTE*: Make sure to enable (*) NGINX when running @make config@ * Create a configuration directory to make managing individual server blocks easier <pre> mkdir /usr/local/etc/nginx/conf.d </pre> * Configuring Nginx and Passenger, edit the @/usr/local/etc/nginx/nginx.conf@ file: <pre> vi /usr/local/etc/nginx/nginx.conf </pre> #* And add/modify If your system gems are updated beyond the following gemfile.lock you should use this as an example <pre> user www www; bundle exec rake snorby:setup worker_processes 4; error_log /var/log/nginx/error.log notice; pid /var/run/nginx.pid; events { worker_connections 1024; } http { passenger_root /usr/local/lib/ruby/gems/2.0/gems/passenger-4.0.58; passenger_ruby /usr/local/bin/ruby; passenger_max_pool_size 15; passenger_pool_idle_time 300; #passenger_spawn_method direct; # Uncomment on Ruby 1.8 for ENC to work include mime.types; default_type application/octet-stream; sendfile on; tcp_nopush on; keepalive_timeout 65; tcp_nodelay on; # Load config files from the /etc/nginx/conf.d directory include /usr/local/etc/nginx/conf.d/*.conf; } </pre> *NOTE*: The above configuration will set the ruby used by passenger to the system default ruby. * And create a server block for snorby <pre> vi /usr/local/etc/nagios/conf.d/snorby.conf </pre> #* And add the following: If running @bundle exec {app}@ is painful you can safely install binstubs by: <pre> server { listen 80; server_name snorby.example.com; passenger_enabled on; passenger_ruby /usr/local/www/snorby/.rvm/wrappers/ruby-1.9.3-p551/ruby; passenger_user snorby; passenger_group snorby; access_log /var/log/nginx-snorby.log; root /usr/local/www/snorby/public; bundle install --binstubs } </pre> * And add a default site configuration in /usr/local/etc/nginx/conf.d/default.conf: <pre> server { listen 80 default; server_name _; index index.html index.php; root /usr/local/www; # IP and IP ranges which should get access allow 10.0.0.0/24; allow 10.1.0.1; # all else will be denied deny all; # basic HTTP auth auth_basic "Restricted"; auth_basic_user_file htpasswd; location ~ \.cgi$ { try_files $uri =404; include fastcgi_params; fastcgi_pass unix:/var/run/fcgiwrap/fcgiwrap.sock; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param REMOTE_USER $remote_user; } location ~ \.php$ { try_files $uri =404; include fastcgi_params; fastcgi_pass 127.0.0.1:9000; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; } } </pre> * Create Run the log directory to prevent issues on startup: Snorby Setup <pre> mkdir /var/log/nginx rake snorby:setup </pre> h2. Resources * https://github.com/Snorby/snorby * https://github.com/shirkdog/snorby-bsd/blob/master/snorbyInstall.sh