Support #541

Updated by Daniel Curtis about 9 years ago


 Like many paranoid network and system administrators, I need more than an antivirus and a firewall on each networked device, so I decided to set up a Snort sensor that logs its alerts to a remote MariaDB server. This is a simple guide to setting up a Snort sensor on a FreeBSD 9.2 system. 

 * Update the system 
 <pre> 
 pkg update && pkg upgrade 
 portsnap fetch extract 
 </pre> 

 h2. Install Snort 

 * Install Snort 
 <pre> 
 pkg install snort barnyard2 pulledpork 
 </pre> 

 * Create the following directories: 
 <pre> 
 mkdir -p /usr/local/etc/snort/so_rules 
 mkdir -p /usr/local/etc/snort/rules/iplists 
 mkdir -p /var/log/barnyard2 
 </pre> 

 * Then create a few blank files: 
 <pre> 
 touch /usr/local/etc/snort/rules/snort.rules 
 touch /usr/local/etc/snort/rules/local.rules 
 touch /usr/local/etc/snort/rules/white_list.rules 
 touch /usr/local/etc/snort/rules/black_list.rules 
 touch /var/log/snort/barnyard2.waldo 
 </pre> 

 h3. Configure and update Pulledpork 

 * Create and edit a Pulledpork config file: 
 <pre> 
 cp /usr/local/etc/pulledpork/pulledpork.conf.sample /usr/local/etc/pulledpork/pulledpork.conf 
 vi /usr/local/etc/pulledpork/pulledpork.conf 
 </pre> 
 #* And modify the following, making sure to replace *<oinkcode>* with your actual oinkcode. The oinkcode authenticates you to snort.org, so keep @pulledpork.conf@ readable by root only. 
 <pre> 
 rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<oinkcode> 

 rule_url=https://s3.amazonaws.com/snort-org/www/rules/community/|community-rules.tar.gz|Community 

 rule_url=http://labs.snort.org/feeds/ip-filter.blf|IPBLACKLIST|open 

 rule_url=https://www.snort.org/reg-rules/|opensource.gz|<oinkcode> 

 rule_url=https://rules.emergingthreatspro.com/|emerging.rules.tar.gz|open 

 rule_path=/usr/local/etc/snort/rules/snort.rules 

 out_path=/usr/local/etc/snort/rules/ 

 sorule_path=/usr/local/etc/snort/so_rules/ 

 distro=FreeBSD-9.0 

 black_list=/usr/local/etc/snort/rules/iplists/default.blacklist 
 </pre> 

 * Update Snort rules using Pulledpork: 
 <pre> 
 pulledpork.pl -c /usr/local/etc/pulledpork/pulledpork.conf 
 </pre> 

 h3. Configure Snort 

 * Edit the snort config file: 
 <pre> 
 vi /usr/local/etc/snort/snort.conf 
 </pre> 
 #* And modify the following parameters. @HOME_NET@ is the network the sensor protects; 192.168.1.0/24 is only a placeholder: 
 <pre> 
 ipvar HOME_NET 192.168.1.0/24 
 ipvar EXTERNAL_NET any 

 var RULE_PATH /usr/local/etc/snort/rules 
 var SO_RULE_PATH /usr/local/etc/snort/so_rules 
 var PREPROC_RULE_PATH /usr/local/etc/snort/preproc_rules 
 var WHITE_LIST_PATH /usr/local/etc/snort/rules 
 var BLACK_LIST_PATH /usr/local/etc/snort/rules 

 dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/ 
 dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so 
 #dynamicdetection directory /usr/local/lib/snort/dynamicrules 

 output unified2: filename snortunified2.log, limit 128 

 ## Comment out every existing "include $RULE_PATH/..." line; Pulledpork 
 ## merges all of those rule files into the single snort.rules below 
 #include $RULE_PATH 

 ## Add the include for the aggregate snort.rules file 
 include $RULE_PATH/snort.rules 
 </pre> 

 * *(Optional)* Remove all commented lines from the snort config (this also drops blank lines, so keep a backup of the original first): 
 <pre> 
 grep '^[^#]' /usr/local/etc/snort/snort.conf > /usr/local/etc/snort/temp.conf 
 mv -f /usr/local/etc/snort/temp.conf /usr/local/etc/snort/snort.conf 
 </pre> 

 h3. Configure Barnyard2 

 * Edit the barnyard2 config file: 
 <pre> 
 vi /usr/local/etc/barnyard2.conf 
 </pre> 
 #* And modify the following, pointing @host@ at the MariaDB/MySQL server that holds the Snorby database (@localhost@ only if the database runs on the sensor itself): 
 <pre> 
 config hostname: snort.example.com 
 output database: log, mysql, user=snorby password=SuperSecretPassword dbname=snorby host=localhost 
 </pre> 
 #* This file now contains the database password, so make it readable by root only (@chmod 600 /usr/local/etc/barnyard2.conf@). Barnyard2 verifies the Snorby schema when it starts, so start it only after @rake snorby:setup@ (below) has created the database. 
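 Snort writes alerts to the unified2 spool named in @snort.conf@ above; Barnyard2 reads that spool, remembers how far it got in @barnyard2.waldo@, and inserts the events into the Snorby database. The Python reader below is an added example, not code from this page, from Snort or from Barnyard2. It parses the two record types every Snort sensor emits, the legacy IPv4 IDS event (type 7) and the packet record (type 2), and returns the byte offset of the last complete record so that a restart resumes without re-inserting events, which is the job of the waldo bookmark (the real waldo is a binary file; the plain offset here only illustrates the idea). The sample spool bytes, the addresses, and SIDs 1000001/1000002 are constructed inline, so it runs offline. 

```python
"""Minimal reader for Snort unified2 spool files, with a waldo-style bookmark.

Added example; not code from the original page, from Snort or from Barnyard2.
It parses the legacy IPv4 IDS event (type 7) and packet (type 2) records and
returns the offset of the last complete record so a consumer can resume.  The
sample spool below is constructed in this file; nothing is read from disk.
"""
import socket
import struct
from dataclasses import dataclass
from typing import List, Tuple, Union

UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7  # IPv4 event without the VLAN/MPLS extension fields

RECORD_HDR = struct.Struct("!II")          # type, length; network byte order
EVENT_FMT = struct.Struct("!9I4s4s2H4B")   # 52-byte Unified2IDSEvent_legacy
PACKET_FMT = struct.Struct("!7I")          # 28-byte header before packet bytes


@dataclass
class IdsEvent:
    sensor_id: int
    event_id: int
    event_second: int
    event_microsecond: int
    signature_id: int
    generator_id: int
    signature_revision: int
    classification_id: int
    priority_id: int
    src_ip: str
    dst_ip: str
    sport_itype: int
    dport_icode: int
    protocol: int
    impact_flag: int
    impact: int
    blocked: int


@dataclass
class PacketRecord:
    sensor_id: int
    event_id: int
    event_second: int
    packet_second: int
    packet_microsecond: int
    linktype: int
    packet_data: bytes


@dataclass
class UnknownRecord:
    rec_type: int
    payload: bytes


Record = Union[IdsEvent, PacketRecord, UnknownRecord]


def parse_event(payload: bytes) -> IdsEvent:
    if len(payload) < EVENT_FMT.size:
        raise ValueError("short IDS event record")
    f = EVENT_FMT.unpack_from(payload)
    # ip_source / ip_destination are raw network-order addresses
    return IdsEvent(*f[:9], socket.inet_ntoa(f[9]), socket.inet_ntoa(f[10]), *f[11:])


def parse_packet(payload: bytes) -> PacketRecord:
    if len(payload) < PACKET_FMT.size:
        raise ValueError("short packet record")
    fields = PACKET_FMT.unpack_from(payload)
    pkt_len = fields[6]
    data = payload[PACKET_FMT.size:PACKET_FMT.size + pkt_len]
    if len(data) != pkt_len:
        # the length field comes from the file; never trust it past the buffer
        raise ValueError("packet_length exceeds record length")
    return PacketRecord(*fields[:6], data)


def read_records(spool: bytes, offset: int = 0) -> Tuple[List[Record], int]:
    """Parse complete records from `offset`; return them and the new bookmark.

    A trailing record whose bytes have not all been flushed yet is left
    unconsumed, so the bookmark never points into the middle of a record.
    """
    records: List[Record] = []
    while offset + RECORD_HDR.size <= len(spool):
        rec_type, length = RECORD_HDR.unpack_from(spool, offset)
        end = offset + RECORD_HDR.size + length
        if end > len(spool):
            break
        payload = spool[offset + RECORD_HDR.size:end]
        if rec_type == UNIFIED2_IDS_EVENT:
            records.append(parse_event(payload))
        elif rec_type == UNIFIED2_PACKET:
            records.append(parse_packet(payload))
        else:
            records.append(UnknownRecord(rec_type, payload))
        offset = end
    return records, offset


def build_event(sid: int, src: str, dst: str, sport: int, dport: int, proto: int,
                event_id: int = 1, second: int = 1_700_000_000) -> bytes:
    """Serialise one legacy IDS event record (used only to construct sample data)."""
    body = EVENT_FMT.pack(1, event_id, second, 0, sid, 1, 1, 0, 2,
                          socket.inet_aton(src), socket.inet_aton(dst),
                          sport, dport, proto, 0, 0, 0)
    return RECORD_HDR.pack(UNIFIED2_IDS_EVENT, len(body)) + body


def build_packet(event_id: int, data: bytes, second: int = 1_700_000_000) -> bytes:
    body = PACKET_FMT.pack(1, event_id, second, second, 0, 1, len(data)) + data
    return RECORD_HDR.pack(UNIFIED2_PACKET, len(body)) + body


# Constructed sample: one alert with its packet, followed by the first 10 bytes
# of a second event that the sensor has not finished writing yet.
SAMPLE_DATA = b"SSH-2.0-OpenSSH\r\n"
PENDING_EVENT = build_event(1000002, "10.0.0.6", "192.168.1.10", 50000, 22, 6, event_id=2)
SAMPLE_SPOOL = (build_event(1000001, "10.0.0.5", "192.168.1.10", 44321, 22, 6)
                + build_packet(1, SAMPLE_DATA)
                + PENDING_EVENT[:10])


def demo() -> Tuple[List[Record], int]:
    records, bookmark = read_records(SAMPLE_SPOOL)
    for rec in records:
        print(rec)
    print("bookmark offset:", bookmark)
    return records, bookmark


if __name__ == "__main__":
    demo()
```

 Run it directly to print the decoded records; @read_records(open(path, "rb").read())@ on a real spool behaves the same way because Snort writes these records in network byte order. The length checks matter: the spool is written by the sensor but parsed by a consumer that may run on another host, so a truncated or corrupt length field must never be used to slice beyond the buffer, and a partial trailing record must stay unconsumed until the rest arrives. 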

 h2. Install Snorby 

 Snorby is a web front end for the Snort IDS, and this is a simple guide to installing it on FreeBSD 9.2. This guide only sets up Snorby, as my setup has the Snort agent on a remote machine sending its data to a different remote database. 

 * Now create a snorby user by running:  
 <pre> 
 adduser 
 </pre> 
 #* Name: *snorby* 
 #* Homedir: */usr/local/www/snorby* 

 * Install a few prerequisite packages: 
 <pre> 
 pkg install bash wget flex pcre libdnet libxml2 libxslt ImageMagick lwp p5-LWP-UserAgent-WithCache p5-Crypt-SSLeay p5-LWP-Protocol-https ruby ruby20-gems wkhtmltopdf 
 </pre> 

 * Install some prerequisite gems: 
 <pre> 
 pkg install rubygem-prawn rubygem-thor rubygem-i18n rubygem-bundler rubygem-tzinfo rubygem-builder rubygem-memcache-client rubygem-rack rubygem-rack-test rubygem-erubis rubygem-mail rubygem-text rubygem-sqlite3 rubygem-rake rubygem-mysql rubygem-rack-mount rubygem-rails 
 </pre> 

 * Install RVM as the snorby user. The installer is fetched over HTTPS and piped straight into bash; RVM publishes GPG signatures for it, so downloading it and verifying the signature before running it is the safer route: 
 <pre> 
 su - snorby 
 curl -L https://get.rvm.io | bash 
 source /usr/local/www/snorby/.rvm/scripts/rvm 
 </pre> 

 * Install Ruby 1.9.3 with RVM: 
 <pre> 
 rvm install 1.9.3 
 </pre> 

 * Get Snorby from the download section or use the latest edge release via git. GitHub no longer serves the unauthenticated @git://@ transport, and HTTPS also gives the checkout transport integrity: 
 <pre> 
 cd /usr/local/www 
 git clone https://github.com/Snorby/snorby.git 
 </pre> 

 * Move into the Snorby directory 
 <pre> 
 cd snorby 
 </pre> 

 * Create a database config file: 
 <pre> 
 cp config/database.example.yml config/database.yml 
 </pre> 
 #* Change the database, host, user, and password accordingly. This file holds the database credentials, so keep it owned by the snorby user with mode 600. 

 * Create and edit the Snorby config: 
 <pre> 
 cp config/snorby_config.yml.example config/snorby_config.yml 
 vi config/snorby_config.yml 
 </pre> 
 #* And add or modify the following 
 <pre> 
 # 
 # Production 
 # 
 # Change the production configuration for your environment. 
 # 
 production: 
   domain: snorby.example.com 
   wkhtmltopdf: /usr/local/bin/wkhtmltopdf 
   mailer_sender: 'snorby@snorby.org' 
   geoip_uri: "http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz" 
   rules: 
     - "/usr/local/etc/snort/rules" 
   authentication_mode: database 
 </pre> 

 * Install Gem Dependencies 
 <pre> 
 RAILS_ENV=production bundle install --binstubs 
 </pre> 

 * Run the Snorby Setup 
 <pre> 
 RAILS_ENV=production bundle exec rake snorby:setup 
 </pre> 

 h2. Install Nginx 

 * Install Nginx with Passenger 
 <pre> 
 cd /usr/ports/www/nginx 
 make config 
 make install clean 
 </pre> 
 #* *NOTE*: Make sure to enable [X]PASSENGER when running @make config@ 

 * Install the Passenger gem: 
 <pre> 
 cd /usr/ports/www/rubygem-passenger 
 make config 
 make install clean 
 </pre> 
 *NOTE*: Make sure to enable (*) NGINX when running @make config@ 

 * Create a configuration directory to make managing individual server blocks easier 
 <pre> 
 mkdir /usr/local/etc/nginx/conf.d 
 </pre> 

 * Configure Nginx and Passenger by editing the @/usr/local/etc/nginx/nginx.conf@ file: 
 <pre> 
 vi /usr/local/etc/nginx/nginx.conf 
 </pre> 
 #* And add/modify the following: 
 <pre> 
 user    www www; 
 worker_processes    4; 
 error_log    /var/log/nginx/error.log notice; 
 pid          /var/run/nginx.pid; 

 events { 
     worker_connections    1024; 
 } 

 http { 
     passenger_root /usr/local/lib/ruby/gems/2.0/gems/passenger-4.0.58; 
     passenger_ruby /usr/local/bin/ruby; 
     passenger_max_pool_size 15; 
     passenger_pool_idle_time 300; 
     #passenger_spawn_method direct; # Uncomment on Ruby 1.8 for ENC to work 

     include         mime.types; 
     default_type    application/octet-stream; 
     sendfile        on; 
     tcp_nopush      on; 
     keepalive_timeout    65; 
     tcp_nodelay          on; 

     # Load config files from the /etc/nginx/conf.d directory 
     include /usr/local/etc/nginx/conf.d/*.conf; 
 } 
 </pre> 
 *NOTE*: The above sets the Ruby used by Passenger to the system default Ruby; the Snorby server block below overrides it with the RVM Ruby. @passenger_root@ must match the Passenger version actually installed; @passenger-config --root@ prints the correct path. 

 * And create a server block for Snorby 
 <pre> 
 vi /usr/local/etc/nginx/conf.d/snorby.conf 
 </pre> 
 #* And add the following: 
 <pre> 
 server { 
   listen         80; 
   server_name    snorby.example.com; 

   passenger_enabled on; 
   passenger_ruby /usr/local/www/snorby/.rvm/wrappers/ruby-1.9.3-p551/ruby; 
   passenger_user               snorby; 
   passenger_group              snorby; 

   access_log /var/log/nginx-snorby.log; 
   root /usr/local/www/snorby/public; 
 } 
 </pre> 
 *NOTE*: This block listens on plain port 80, so Snorby logins and session cookies cross the network in the clear. For anything beyond a lab, terminate TLS in this server block (@listen 443 ssl;@ with a certificate) or at least restrict it by source address the way the default site below does. 

 * And add a default site configuration in /usr/local/etc/nginx/conf.d/default.conf: 
 <pre> 
 server { 
   listen 80 default; 
   server_name _; 

   index index.html index.php; 
   root /usr/local/www; 

   # IP and IP ranges which should get access 
   allow 10.0.0.0/24; 
   allow 10.1.0.1; 
   # all else will be denied 
   deny all; 

   # basic HTTP auth 
   auth_basic "Restricted"; 
   auth_basic_user_file htpasswd; 

   location ~ \.cgi$ { 
     try_files $uri =404; 
     include fastcgi_params; 
     fastcgi_pass unix:/var/run/fcgiwrap/fcgiwrap.sock; 
     fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; 
     fastcgi_param REMOTE_USER $remote_user; 
   } 

   location ~ \.php$ { 
     try_files $uri =404; 
     include fastcgi_params; 
     fastcgi_pass 127.0.0.1:9000; 
     fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; 
   } 
 } 
 </pre> 
 *NOTE*: The default site's @root /usr/local/www@ is the parent of the Snorby checkout, so for any client that passes the @allow@ list and the basic-auth prompt it will also serve files such as @/snorby/config/database.yml@ as static content. Keep the allow list tight, or point the default site's root at an empty directory. 

 * Create the log directory to prevent issues on startup: 
 <pre> 
 mkdir /var/log/nginx 
 </pre> 

 h2. Resources 

 * https://github.com/Snorby/snorby 
 * https://github.com/shirkdog/snorby-bsd/blob/master/snorbyInstall.sh 
