Project

General

Profile

Support #541

Updated by Daniel Curtis about 9 years ago

{{>toc}} 

 Like many paranoid network & system administrators, I have need of more than just an antivirus and firewall on each networked device. So I have decided to install a Snort machine and log the information to a remote MariaDB server. This is a simple guide to set up a Snort machine on a FreeBSD 9.2 system. 

 * Update the system 
 <pre> 
 pkg update && pkg upgrade 
 portsnap fetch extract 
 </pre> 

 h1. Install Snort 

 * Install Snort 
 <pre> 
 pkg install snort barnyard2 pulledpork 
 </pre> 

 * Create the following directories: 
 <pre> 
 mkdir -p /usr/local/etc/snort/so_rules 
 mkdir -p /usr/local/etc/snort/rules/iplists 
 mkdir -p /var/log/barnyard2 
 </pre> 

 * Then create a few blank files: 
 <pre> 
 touch /usr/local/etc/snort/rules/snort.rules 
 touch /usr/local/etc/snort/rules/local.rules 
 touch /usr/local/etc/snort/rules/white_list.rules 
 touch /usr/local/etc/snort/rules/black_list.rules 
 touch /var/log/snort/barnyard2.waldo 
 </pre> 

 h2. Configure Snort 

 * Edit the snort config file: 
 <pre> 
 vi /usr/local/etc/snort/snort.conf 
 </pre> 
 #* And modify the following parameters: 
 <pre> 
 ipvar HOME_NET 192.168.1.0/24 
 ipvar EXTERNAL_NET any 

 var RULE_PATH /usr/local/etc/snort/rules 
 var SO_RULE_PATH /usr/local/etc/snort/so_rules 
 var PREPROC_RULE_PATH /usr/local/etc/snort/preproc_rules 
 var WHITE_LIST_PATH /usr/local/etc/snort/rules 
 var BLACK_LIST_PATH /usr/local/etc/snort/rules 

 dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/ 
 dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so 
 #dynamicdetection directory /usr/local/lib/snort/dynamicrules 

 output unified2: filename snortunified2.log, limit 128 

 ## Comment out every $RULE_PATH line 
 #include $RULE_PATH 

 ## Add definition for aggregate snort.rules file 
 include $RULE_PATH/snort.rules 
 </pre> 

 * *(Optional)* Remove all commented lines from snort config: 
 <pre> 
 grep '^[^#]' /usr/local/etc/snort/snort.conf > /usr/local/etc/snort/temp.conf 
 mv -f /usr/local/etc/snort/temp.conf /usr/local/etc/snort/snort.conf 
 </pre> 

 h2. Configure Pulledpork 

 * Create and edit a Pulledpork config file: 
 <pre> 
 cp /usr/local/etc/pulledpork/pulledpork.conf.sample /usr/local/etc/pulledpork/pulledpork.conf 
 vi /usr/local/etc/pulledpork/pulledpork.conf 
 </pre> 
 #* And modify the following, making sure to replace *<oinkcode>* with your actual oinkcode. 
 <pre> 
 rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<oinkcode> 

 rule_url=https://s3.amazonaws.com/snort-org/www/rules/community/|community-rules.tar.gz|Community 

 rule_url=http://labs.snort.org/feeds/ip-filter.blf|IPBLACKLIST|open 

 rule_url=https://www.snort.org/reg-rules/|opensource.gz|<oinkcode> 

 rule_url=https://rules.emergingthreatspro.com/|emerging.rules.tar.gz|open 

 rule_path=/usr/local/etc/snort/rules/snort.rules 

 out_path=/usr/local/etc/snort/rules/ 

 sorule_path=/usr/local/etc/snort/so_rules/ 

 distro=FreeBSD-9.0 

 black_list=/usr/local/etc/snort/rules/iplists/default.blacklist 
 </pre> 

 * Update Snort rules using Pulledpork: 
 <pre> 
 pulledpork.pl -c /usr/local/etc/pulledpork/pulledpork.conf 
 </pre> 

 h2. Configure Barnyard2 

 * Edit the barnyard2 config file: 
 <pre> 
 vi /usr/local/etc/barnyard2.conf 
 </pre> 
 #* And modify the following: 
 <pre> 
 config hostname: snort.example.com 
 output database: log, mysql, user=snorby password=SuperSecretPassword dbname=snorby host=localhost 
 </pre> 

 --- 

 h1. Install Snorby 

 Snorby is a web frontend for the Snort IDS, and this is a simple guide on installing it on FreeBSD 9.2. This guide only sets up Snorby, as my setup has the Snort agent on remote machine, sending its data to a different remote database. 

 * Install a few prerequisite packages: 
 <pre> 
 pkg install bash wget flex pcre libdnet libxml2 libxslt ImageMagick lwp p5-LWP-UserAgent-WithCache p5-Crypt-SSLeay p5-LWP-Protocol-https ruby ruby20-gems wkhtmltopdf 
 </pre> 

 * Fix Bash: 
 <pre> 
 ln -s /usr/local/bin/bash /bin/bash 
 </pre> 
 *NOTE*: This is required later by snorby, an error will occur otherwise. 

 * Install some prerequisite gems: 
 <pre> 
 pkg install rubygem-prawn rubygem-thor rubygem-i18n rubygem-bundler rubygem-tzinfo rubygem-builder rubygem-memcache-client rubygem-rack rubygem-rack-test rubygem-erubis rubygem-mail rubygem-text rubygem-sqlite3 rubygem-rake rubygem-mysql rubygem-rack-mount rubygem-rails 
 </pre> 

 * Now create a snorby user:  
 <pre> 
 pw add user -n snorby -d /usr/local/www/snorby -m -s /usr/local/bin/bash -c "Snorby" 
 </pre>  

 * Get Snorby from the download section or use the latest edge release via git. 
 <pre> 
 cd /usr/local/www 
 git clone git://github.com/Snorby/snorby.git 
 </pre> 

 * Install RVM: 
 <pre> 
 su - snorby 
 curl -L https://get.rvm.io | bash 
 source /usr/local/www/snorby/.rvm/scripts/rvm 
 </pre> 

 * Install Ruby 1.9.3 
 <pre> 
 rvm install 1.9.3 
 rvm use 1.9.3 
 </pre> 

 * Install Passenger inside the RVM environment: 
 <pre> 
 gem install passenger 
 </pre> 

 * Create a database config file: 
 <pre> 
 cp config/database.example.yml config/database.yml 
 </pre> 
 #* Change the database, host, user, and password accordingly 

 * Create and edit the Snorby config: 
 <pre> 
 cp config/snorby_config.yml.example config/snorby_config.yml 
 vi config/snorby_config.yml 
 </pre> 
 #* And add or modify the following 
 <pre> 
 # 
 # Production 
 # 
 # Change the production configuration for your environment. 
 # 
 production: 
 domain: snorby.example.com 
 wkhtmltopdf: /usr/local/bin/wkhtmltopdf 
 mailer_sender: 'snorby@snorby.org' 
 geoip_uri: "http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz" 
 rules: 
 - "/usr/local/etc/snort/rules" 
 authentication_mode: database 
 </pre> 

 * Install Gem Dependencies 
 <pre> 
 RAILS_ENV=production bundle install --path vendor/cache 
 </pre> 

 * Run the Snorby Setup 
 <pre> 
 RAILS_ENV=production bundle exec rake snorby:setup 
 </pre> 

 * Restart the snorby worker: 
 <pre> 
 RAILS_ENV=production bundle exec rails r Snorby::Worker.stop 
 RAILS_ENV=production bundle exec rails r Snorby::Worker.start 
 </pre> 

 * Exit the snorby user environment: 
 <pre> 
 exit 
 </pre> 

 --- 

 h1. Install Nginx 

 * Install Nginx with Passenger 
 <pre> 
 cd /usr/ports/www/nginx 
 make config 
 make install clean 
 </pre> 
 *NOTE*: Make sure to enable [X]PASSENGER when running @make config@ 

 * Install the Passenger gem: 
 <pre> 
 cd /usr/ports/www/rubygem-passenger 
 make config 
 make install clean 
 </pre> 
 *NOTE*: Make sure to enable (*) NGINX when running @make config@ 

 h3. Configure Nginx 

 * Create a configuration directory to make managing individual server blocks easier: 
 <pre> 
 mkdir /usr/local/etc/nginx/conf.d 
 </pre> 

 * Configuring Nginx and Passenger, edit the @/usr/local/etc/nginx/nginx.conf@ file: 
 <pre> 
 vi /usr/local/etc/nginx/nginx.conf 
 </pre> 
 #* And add/modify the following 
 <pre> 
 user    www www; 
 worker_processes    4; 
 error_log    /var/log/nginx/error.log notice; 
 pid          /var/run/nginx.pid; 

 events { 
   worker_connections    1024; 
 } 

 http { 
   passenger_root /usr/local/lib/ruby/gems/2.0/gems/passenger-4.0.58; 
   passenger_ruby /usr/local/bin/ruby; 
   passenger_max_pool_size 15; 
   passenger_pool_idle_time 300; 
   #passenger_spawn_method direct; # Uncomment on Ruby 1.8 for ENC to work 

   include         mime.types; 
   default_type    application/octet-stream; 
   sendfile        on; 
   tcp_nopush      on; 
   keepalive_timeout    65; 
   tcp_nodelay          on; 

   # Load config files from the /etc/nginx/conf.d directory 
   include /usr/local/etc/nginx/conf.d/*.conf; 
 } 
 </pre> 
 *NOTE*: The above configuration will set the ruby used by passenger to the system default ruby. 

 * And add a default site configuration in @/usr/local/etc/nginx/conf.d/default.conf@: 
 <pre> 
 server { 
   listen 80 default; 
   server_name _; 

   index index.html index.php; 
   root /usr/local/www; 

   # IP and IP ranges which should get access 
   allow 10.0.0.0/24; 
   allow 10.1.0.1; 
   # all else will be denied 
   deny all; 

   # basic HTTP auth 
   auth_basic "Restricted"; 
   auth_basic_user_file htpasswd; 

   location ~ \.cgi$ { 
     try_files $uri =404; 
     include fastcgi_params; 
     fastcgi_pass unix:/var/run/fcgiwrap/fcgiwrap.sock; 
     fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; 
     fastcgi_param REMOTE_USER $remote_user; 
   } 

   location ~ \.php$ { 
     try_files $uri =404; 
     include fastcgi_params; 
     fastcgi_pass 127.0.0.1:9000; 
     fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; 
   } 
 } 
 </pre> 

 * Find the exact ruby version that snorby will use: 
 <pre> 
 su - snorby 
 passenger-config --ruby-command 
 </pre> 
 #* Example output: 
 <pre> 
 passenger-config was invoked through the following Ruby interpreter: 
   Command: /usr/local/www/snorby/.rvm/gems/ruby-1.9.3-p551/wrappers/ruby 
   Version: ruby 1.9.3p551 (2014-11-13 revision 48407) [x86_64-freebsd9.3] 
   To use in Apache: PassengerRuby /usr/local/www/snorby/.rvm/gems/ruby-1.9.3-p551/wrappers/ruby 
   To use in Nginx : passenger_ruby /usr/local/www/snorby/.rvm/gems/ruby-1.9.3-p551/wrappers/ruby 
   To use with Standalone: /usr/local/www/snorby/.rvm/gems/ruby-1.9.3-p551/wrappers/ruby /usr/local/www/snorby/.rvm/gems/ruby-1.9.3-p551/gems/passenger-4.0.58/bin/passenger start 
 </pre> 

 * And create a server block for snorby 
 <pre> 
 vi /usr/local/etc/nagios/conf.d/snorby.conf 
 </pre> 
 #* And add the following: 
 <pre> 
 server { 
   listen         80; 
   server_name    snorby.example.com; 

   passenger_enabled on; 
   passenger_ruby /usr/local/www/snorby/.rvm/gems/ruby-1.9.3-p551/wrappers/ruby; 
   passenger_user               snorby; 
   passenger_group              snorby; 

   access_log /var/log/nginx/snorby.log; 
   root /usr/local/www/snorby/public; 
 } 
 </pre> 

 * Create the log directory to prevent issues on startup: 
 <pre> 
 mkdir /var/log/nginx 
 </pre> 

 * Restart nginx 
 <pre> 
 service nginx restart 
 </pre> 

 h3. Snorby Worker Script 

 * Install the rails gem inside the RVM environment: 
 su - snorby 
 gem install rails 

 * Create the snorby worker init script: 
 <pre> 
 vi /usr/local/etc/rc.d/snorby_workers 
 </pre> 
 #* And add the following: 
 <pre> 
 #!/bin/sh 

 # PROVIDE: snorby_workers 
 # REQUIRE: LOGIN 
 # KEYWORD: shutdown 

 # By default snorby_workers uses flags '-n 1' for 1 worker.    This should be 
 # adjusted to the number of CPU cores. 
 snorby_workers_enable=${snorby_workers_enable:-"NO"} 
 snorby_workers_flags=${snorby_workers_flags:-""} snorby_workers_flags=${snorby_workers_flags:-"-n 1"} 
 # The default rails environment is set to production 
 snorby_workers_env=${snorby_workers_env:-"/usr/bin/env PATH=${PATH}:/usr/local/bin RAILS_ENV=production"} 
 # The default user is set to snorby and install location is set to 
 # /usr/local/www/snorby. 
 snorby_workers_user=${snorby_workers_user:-"snorby"} 
 snorby_workers_chdir=${snorby_workers_chdir:-"/usr/local/www/snorby"} 
 # Since Snorby is setup using RVM, the path to the bundler wrapper needs to be 
 # specified as a variable to easier manage. 
 snorby_workers_rails=${snorby_workers_rails:-"/usr/local/www/snorby/.rvm/gems/ruby-1.9.3-p551/wrappers/rails"} 

 . /etc/rc.subr 

 name="snorby_workers"  
 rcvar="snorby_workers_enable"  
 load_rc_config $name 
 extra_commands="reload run zap status"  

 # All commands call the same function and strip the fast|one|quiet prefix 
 # to deliver to the bundler. 
 reload_cmd="f_snorby_workers reload"  
 restart_cmd="f_snorby_workers restart"  
 run_cmd="f_snorby_workers run"  
 start_cmd="f_snorby_workers start"  
 status_cmd="f_snorby_workers status"  
 stop_cmd="f_snorby_workers stop"  
 zap_cmd="f_snorby_workers zap"  

 # Use the function's ARVG $1 as the bundler program's '-m' flag 
 f_snorby_workers() { 
     cd $snorby_workers_chdir && \ 
     su -l "$snorby_workers_user" \ 
         -c "${snorby_workers_env} ${snorby_workers_rails} r Snorby::Worker.${rc_flags} -m $1" || \ 
     echo "Failed to $1 snorby_workers"  
 } 

 run_rc_command "$1"  
 </pre> 
 #* Make it executable: 
 <pre> 
 chmod +x /usr/local/etc/rc.d/snorby_workers 
 </pre> 

 * With that in place, we need to override the defaults and enable the script along with setting '-n 4' workers to match the number of processor cores and ensure it's ready for a production workload. 
 <pre> 
 echo 'snorby_workers_enable="YES"' >> /etc/rc.conf 
 echo 'snorby_workers_flags=""' >> /etc/rc.conf 
 service snorby_workers stop 
 service snorby_workers start 
 </pre> 

 h2. Log into Snorby 

 * The server name set up in this example is *http://snorby.example.com* 

 * The default username is *snorby@snorby.org* 

 * The default password is *snorby* 

 h2. Resources 

 * https://github.com/Snorby/snorby 
 * https://github.com/shirkdog/snorby-bsd/blob/master/snorbyInstall.sh 

Back