Support #541
Updated by Daniel Curtis almost 10 years ago
{{>toc}}
Like many paranoid network & system administrators, I have need of more than just an antivirus and firewall on each networked device. So I have decided to install a Snort machine and log the information to a remote MariaDB server. This is a simple guide to set up a Snort machine on a FreeBSD 9.2 system.
* Update the system
<pre>
pkg update && pkg upgrade
portsnap fetch extract
</pre>
h1. Install Snort
* Install Snort
<pre>
pkg install snort barnyard2 pulledpork
</pre>
* Create the following directories:
<pre>
mkdir -p /usr/local/etc/snort/so_rules
mkdir -p /usr/local/etc/snort/rules/iplists
mkdir -p /var/log/barnyard2
</pre>
* Then create a few blank files:
<pre>
touch /usr/local/etc/snort/rules/snort.rules
touch /usr/local/etc/snort/rules/local.rules
touch /usr/local/etc/snort/rules/white_list.rules
touch /usr/local/etc/snort/rules/black_list.rules
touch /var/log/snort/barnyard2.waldo
</pre>
h2. Configure Snort
* Edit the snort config file:
<pre>
vi /usr/local/etc/snort/snort.conf
</pre>
#* And modify the following parameters:
<pre>
ipvar HOME_NET 192.168.1.0/24
ipvar EXTERNAL_NET any
var RULE_PATH /usr/local/etc/snort/rules
var SO_RULE_PATH /usr/local/etc/snort/so_rules
var PREPROC_RULE_PATH /usr/local/etc/snort/preproc_rules
var WHITE_LIST_PATH /usr/local/etc/snort/rules
var BLACK_LIST_PATH /usr/local/etc/snort/rules
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
#dynamicdetection directory /usr/local/lib/snort/dynamicrules
output unified2: filename snortunified2.log, limit 128
## Comment out every $RULE_PATH line
#include $RULE_PATH
## Add definition for aggregate snort.rules file
include $RULE_PATH/snort.rules
</pre>
* *(Optional)* Remove all commented lines from snort config:
<pre>
grep '^[^#]' /usr/local/etc/snort/snort.conf > /usr/local/etc/snort/temp.conf
mv -f /usr/local/etc/snort/temp.conf /usr/local/etc/snort/snort.conf
</pre>
h2. Configure Pulledpork
* Create and edit a Pulledpork config file:
<pre>
cp /usr/local/etc/pulledpork/pulledpork.conf.sample /usr/local/etc/pulledpork/pulledpork.conf
vi /usr/local/etc/pulledpork/pulledpork.conf
</pre>
#* And modify the following, making sure to replace *<oinkcode>* with your actual oinkcode.
<pre>
rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<oinkcode>
rule_url=https://s3.amazonaws.com/snort-org/www/rules/community/|community-rules.tar.gz|Community
rule_url=http://labs.snort.org/feeds/ip-filter.blf|IPBLACKLIST|open
rule_url=https://www.snort.org/reg-rules/|opensource.gz|<oinkcode>
rule_url=https://rules.emergingthreatspro.com/|emerging.rules.tar.gz|open
rule_path=/usr/local/etc/snort/rules/snort.rules
out_path=/usr/local/etc/snort/rules/
sorule_path=/usr/local/etc/snort/so_rules/
distro=FreeBSD-9.0
black_list=/usr/local/etc/snort/rules/iplists/default.blacklist
</pre>
* Update Snort rules using Pulledpork:
<pre>
pulledpork.pl -c /usr/local/etc/pulledpork/pulledpork.conf
</pre>
h2. Configure Barnyard2
* Edit the barnyard2 config file:
<pre>
vi /usr/local/etc/barnyard2.conf
</pre>
#* And modify the following:
<pre>
config hostname: snort.example.com
output database: log, mysql, user=snorby password=SuperSecretPassword dbname=snorby host=localhost
</pre>
---
h1. Install Snorby
Snorby is a web frontend for the Snort IDS, and this is a simple guide on installing it on FreeBSD 9.2. This guide only sets up Snorby, as my setup has the Snort agent on remote machine, sending its data to a different remote database.
* Install a few prerequisite packages:
<pre>
pkg install bash wget flex pcre libdnet libxml2 libxslt ImageMagick lwp p5-LWP-UserAgent-WithCache p5-Crypt-SSLeay p5-LWP-Protocol-https ruby ruby20-gems wkhtmltopdf
</pre>
* Fix Bash:
<pre>
ln -s /usr/local/bin/bash /bin/bash
</pre>
*NOTE*: This is required later by snorby, an error will occur otherwise.
* Install some prerequisite gems:
<pre>
pkg install rubygem-prawn rubygem-thor rubygem-i18n rubygem-bundler rubygem-tzinfo rubygem-builder rubygem-memcache-client rubygem-rack rubygem-rack-test rubygem-erubis rubygem-mail rubygem-text rubygem-sqlite3 rubygem-rake rubygem-mysql rubygem-rack-mount rubygem-rails
</pre>
* Now create a snorby user:
<pre>
pw add user -n snorby -d /usr/local/www/snorby -m -s /usr/local/bin/bash -c "Snorby"
</pre>
* Get Snorby from the download section or use the latest edge release via git.
<pre>
cd /usr/local/www
git clone git://github.com/Snorby/snorby.git
</pre>
* Install RVM:
<pre>
su - snorby
curl -L https://get.rvm.io | bash
source /usr/local/www/snorby/.rvm/scripts/rvm
</pre>
* Install Ruby 1.9.3
<pre>
rvm install 1.9.3
rvm use 1.9.3
</pre>
* Install Passenger inside the RVM environment:
<pre>
gem install passenger
</pre>
* Create a database config file:
<pre>
cp config/database.example.yml config/database.yml
</pre>
#* Change the database, host, user, and password accordingly
* Create and edit the Snorby config:
<pre>
cp config/snorby_config.yml.example config/snorby_config.yml
vi config/snorby_config.yml
</pre>
#* And add or modify the following
<pre>
#
# Production
#
# Change the production configuration for your environment.
#
production:
domain: snorby.example.com
wkhtmltopdf: /usr/local/bin/wkhtmltopdf
mailer_sender: 'snorby@snorby.org'
geoip_uri: "http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz"
rules:
- "/usr/local/etc/snort/rules"
authentication_mode: database
</pre>
* Install Gem Dependencies
<pre>
RAILS_ENV=production bundle install --path vendor/cache
</pre>
* Run the Snorby Setup
<pre>
RAILS_ENV=production bundle exec rake snorby:setup
</pre>
* Restart the snorby worker:
<pre>
RAILS_ENV=production bundle exec rails c
Snorby::Worker.stop
Snorby::Worker.start
</pre>
* Exit the snorby user environment:
<pre>
exit
</pre>
---
h1. Install Nginx
* Install Nginx with Passenger
<pre>
cd /usr/ports/www/nginx
make config
make install clean
</pre>
*NOTE*: Make sure to enable [X]PASSENGER when running @make config@
* Install the Passenger gem:
<pre>
cd /usr/ports/www/rubygem-passenger
make config
make install clean
</pre>
*NOTE*: Make sure to enable (*) NGINX when running @make config@
h3. Configure Nginx
* Create a configuration directory to make managing individual server blocks easier:
<pre>
mkdir /usr/local/etc/nginx/conf.d
</pre>
* Configuring Nginx and Passenger, edit the @/usr/local/etc/nginx/nginx.conf@ file:
<pre>
vi /usr/local/etc/nginx/nginx.conf
</pre>
#* And add/modify the following
<pre>
user www www;
worker_processes 4;
error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
passenger_root /usr/local/lib/ruby/gems/2.0/gems/passenger-4.0.58;
passenger_ruby /usr/local/bin/ruby;
passenger_max_pool_size 15;
passenger_pool_idle_time 300;
#passenger_spawn_method direct; # Uncomment on Ruby 1.8 for ENC to work
include mime.types;
default_type application/octet-stream;
sendfile on;
tcp_nopush on;
keepalive_timeout 65;
tcp_nodelay on;
# Load config files from the /etc/nginx/conf.d directory
include /usr/local/etc/nginx/conf.d/*.conf;
}
</pre>
*NOTE*: The above configuration will set the ruby used by passenger to the system default ruby.
* And add a default site configuration in @/usr/local/etc/nginx/conf.d/default.conf@:
<pre>
server {
listen 80 default;
server_name _;
index index.html index.php;
root /usr/local/www;
# IP and IP ranges which should get access
allow 10.0.0.0/24;
allow 10.1.0.1;
# all else will be denied
deny all;
# basic HTTP auth
auth_basic "Restricted";
auth_basic_user_file htpasswd;
location ~ \.cgi$ {
try_files $uri =404;
include fastcgi_params;
fastcgi_pass unix:/var/run/fcgiwrap/fcgiwrap.sock;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param REMOTE_USER $remote_user;
}
location ~ \.php$ {
try_files $uri =404;
include fastcgi_params;
fastcgi_pass 127.0.0.1:9000;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
}
}
</pre>
* Find the exact ruby version that snorby will use:
<pre>
su - snorby
passenger-config --ruby-command
</pre>
#* Example output:
<pre>
passenger-config was invoked through the following Ruby interpreter:
Command: /usr/local/www/snorby/.rvm/gems/ruby-1.9.3-p551/wrappers/ruby
Version: ruby 1.9.3p551 (2014-11-13 revision 48407) [x86_64-freebsd9.3]
To use in Apache: PassengerRuby /usr/local/www/snorby/.rvm/gems/ruby-1.9.3-p551/wrappers/ruby
To use in Nginx : passenger_ruby /usr/local/www/snorby/.rvm/gems/ruby-1.9.3-p551/wrappers/ruby
To use with Standalone: /usr/local/www/snorby/.rvm/gems/ruby-1.9.3-p551/wrappers/ruby /usr/local/www/snorby/.rvm/gems/ruby-1.9.3-p551/gems/passenger-4.0.58/bin/passenger start
</pre>
* And create a server block for snorby
<pre>
vi /usr/local/etc/nagios/conf.d/snorby.conf
</pre>
#* And add the following:
<pre>
server {
listen 80;
server_name snorby.example.com;
passenger_enabled on;
passenger_ruby /usr/local/www/snorby/.rvm/gems/ruby-1.9.3-p551/wrappers/ruby;
passenger_user snorby;
passenger_group snorby;
access_log /var/log/nginx/snorby.log;
root /usr/local/www/snorby/public;
}
</pre>
* Create the log directory to prevent issues on startup:
<pre>
mkdir /var/log/nginx
</pre>
* Restart nginx
<pre>
service nginx restart
</pre>
h3. Snorby Worker Script
* Create the snorby worker init script:
<pre>
vi /usr/local/etc/rc.d/snorby_workers
</pre>
#* And add the following:
<pre>
#!/bin/sh
# PROVIDE: snorby_workers
# REQUIRE: LOGIN
# KEYWORD: shutdown
# By default snorby_workers uses flags '-n 1' for 1 worker. This should be
# adjusted to the number of CPU cores.
snorby_workers_enable=${snorby_workers_enable:-"NO"}
snorby_workers_flags=${snorby_workers_flags:-"-n 1"}
# The default rails environment is set to production
snorby_workers_env=${snorby_workers_env:-"/usr/bin/env PATH=${PATH}:/usr/local/bin RAILS_ENV=production"}
# The default user is set to snorby and install location is set to
# /usr/local/www/snorby.
snorby_workers_user=${snorby_workers_user:-"snorby"}
snorby_workers_chdir=${snorby_workers_chdir:-"/usr/local/www/snorby"}
# Since Snorby is setup using RVM, the path to the bundler wrapper needs to be
# specified as a variable to easier manage.
snorby_workers_bundler=${snorby_workers_bundler:-"/usr/local/www/snorby/.rvm/gems/ruby-1.9.3-p551/wrappers/bundle"}
. /etc/rc.subr
name="snorby_workers"
rcvar="snorby_workers_enable"
load_rc_config $name
extra_commands="reload run zap status"
# All commands call the same function and strip the fast|one|quiet prefix
# to deliver to the bundler.
reload_cmd="f_snorby_workers reload"
restart_cmd="f_snorby_workers restart"
run_cmd="f_snorby_workers run"
start_cmd="f_snorby_workers start"
status_cmd="f_snorby_workers status"
stop_cmd="f_snorby_workers stop"
zap_cmd="f_snorby_workers zap"
# Use the function's ARVG $1 as the bundler program's '-m' flag
f_snorby_workers() {
cd $snorby_workers_chdir && \
su -l -m "$snorby_workers_user" \
-c "${snorby_workers_env} ${snorby_workers_bundler} bundle exec script/delayed_job ${rc_flags} -m $1" || \
echo "Failed to $1 snorby_workers"
}
run_rc_command "$1"
</pre>
#* Make it executable:
<pre>
chmod +x /usr/local/etc/rc.d/snorby_workers
</pre>
* With that in place, we need to override the defaults and enable the script along with setting '-n 4' workers to match the number of processor cores and ensure it's ready for a production workload.
<pre>
echo 'snorby_workers_enable="YES"' >> /etc/rc.conf
echo 'snorby_workers_flags="-n 4"' >> /etc/rc.conf
service snorby_workers start
</pre>
h2. Log into Snorby
* The server name set up in this example is *http://snorby.example.com*
* The default username is *snorby@snorby.org*
* The default password is *snorby*
h2. Resources
* https://github.com/Snorby/snorby
* https://github.com/shirkdog/snorby-bsd/blob/master/snorbyInstall.sh