Support #541
Updated by Daniel Curtis over 9 years ago
{{>toc}} Like many paranoid network & system administrators, I have need of more than just an antivirus and firewall on each networked device. So I have decided to install a Snort machine and log the information to a remote MariaDB server. This is a simple guide to set up a Snort machine on a FreeBSD 9.2 system. * Update the system <pre> pkg update && pkg upgrade portsnap fetch extract </pre> * Install portmaster: <pre> cd /usr/ports/ports-mgmt/portmaster make install clean </pre> h1. Install Snort * Install Snort <pre> portmaster security/snort security/barnyard2 security/pulledpork </pre> *NOTE*: Enable [X]MYSQL during the config of security/barnyard2 * Create the following directories: <pre> mkdir -p /usr/local/etc/snort/so_rules mkdir -p /usr/local/etc/snort/rules/iplists mkdir -p /var/log/barnyard2 </pre> * Then create a few blank files: <pre> touch /usr/local/etc/snort/rules/snort.rules touch /usr/local/etc/snort/rules/local.rules touch /usr/local/etc/snort/rules/white_list.rules touch /usr/local/etc/snort/rules/black_list.rules touch /var/log/snort/barnyard2.waldo </pre> h2. Configure Snort * Edit the snort config file: <pre> vi /usr/local/etc/snort/snort.conf </pre> #* And modify the following parameters: <pre> ipvar HOME_NET 192.168.1.0/24 ipvar EXTERNAL_NET any var RULE_PATH /usr/local/etc/snort/rules var SO_RULE_PATH /usr/local/etc/snort/so_rules var PREPROC_RULE_PATH /usr/local/etc/snort/preproc_rules var WHITE_LIST_PATH /usr/local/etc/snort/rules var BLACK_LIST_PATH /usr/local/etc/snort/rules dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/ dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so #dynamicdetection directory /usr/local/lib/snort/dynamicrules output unified2: filename snortunified2.log, limit 128 ## Comment out every $RULE_PATH line #include $RULE_PATH ## Add definition for aggregate snort.rules file include $RULE_PATH/snort.rules </pre> * *(Optional)* Remove all commented lines from snort config: <pre> grep '^[^#]' /usr/local/etc/snort/snort.conf > /usr/local/etc/snort/temp.conf mv -f /usr/local/etc/snort/temp.conf /usr/local/etc/snort/snort.conf </pre> h2. Configure Pulledpork * Create and edit a Pulledpork config file: <pre> cp /usr/local/etc/pulledpork/pulledpork.conf.sample /usr/local/etc/pulledpork/pulledpork.conf vi /usr/local/etc/pulledpork/pulledpork.conf </pre> #* And modify the following, making sure to replace *<oinkcode>* with your actual oinkcode. <pre> rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<oinkcode> rule_url=https://s3.amazonaws.com/snort-org/www/rules/community/|community-rules.tar.gz|Community rule_url=http://labs.snort.org/feeds/ip-filter.blf|IPBLACKLIST|open rule_url=https://www.snort.org/reg-rules/|opensource.gz|<oinkcode> rule_url=https://rules.emergingthreatspro.com/|emerging.rules.tar.gz|open rule_path=/usr/local/etc/snort/rules/snort.rules out_path=/usr/local/etc/snort/rules/ sorule_path=/usr/local/etc/snort/so_rules/ distro=FreeBSD-9.0 black_list=/usr/local/etc/snort/rules/iplists/default.blacklist </pre> * Update Snort rules using Pulledpork: <pre> pulledpork.pl -c /usr/local/etc/pulledpork/pulledpork.conf </pre> * And add following line to @/etc/crontab@ (the example automatically checks for the presence of new rules every 12 hours): <pre> echo '## Update Snort rules' >> /etc/crontab echo '5 */12 * * * /usr/bin/perl /usr/local/bin/pulledpork.pl -c /usr/local/etc/pulledpork/pulledpork.conf' >> /etc/crontab </pre> * Restart cron: <pre> service cron restart </pre> h2. Configure Barnyard2 * Edit the barnyard2 config file: <pre> vi /usr/local/etc/barnyard2.conf </pre> #* And modify the following: <pre> config hostname: snort.example.com output database: log, mysql, user=snorby password=SuperSecretPassword dbname=snorby host=localhost </pre> --- h1. Install Snorby Snorby is a web frontend for the Snort IDS, and this is a simple guide on installing it on FreeBSD 9.2. This guide only sets up Snorby, as my setup has the Snort agent on remote machine, sending its data to a different remote database. * Install a few prerequisite packages: <pre> portmaster shells/bash ftp/wget textproc/flex devel/pcre net/libdnet textproc/libxml2 textproc/libxslt graphics/ImageMagick devel/lwp www/p5-LWP-UserAgent-WithCache security/p5-Crypt-SSLeay www/p5-LWP-Protocol-https lang/ruby21 devel/ruby-gems converters/wkhtmltopdf </pre> * Fix Bash: <pre> ln -s /usr/local/bin/bash /bin/bash </pre> *NOTE*: This is required later by snorby, an error will occur otherwise. * Install some prerequisite gems: <pre> portmaster print/rubygem-prawn devel/rubygem-thor devel/rubygem-i18n sysutils/rubygem-bundler devel/rubygem-tzinfo devel/rubygem-builder databases/rubygem-memcache-client ww/rubygem-rack www/rubygem-rack-test www/rubygem-erubis mail/rubygem-mail textproc/rubygem-text databases/rubygem-sqlite3 devel/rubygem-rake databases/rubygem-mysql www/rubygem-rack-mount www/rubygem-rails </pre> * Now create a snorby user: <pre> pw add user -n snorby -d /usr/local/www/snorby -m -s /usr/local/bin/bash -c "Snorby" </pre> * Get Snorby from the download section or use the latest edge release via git. <pre> cd /usr/local/www git clone git://github.com/Snorby/snorby.git </pre> * Install RVM: <pre> su - snorby curl -L https://get.rvm.io | bash source /usr/local/www/snorby/.rvm/scripts/rvm </pre> * Install Ruby 1.9.3 <pre> rvm install 1.9.3 rvm use 1.9.3 </pre> * Install Passenger inside the RVM environment: <pre> gem install passenger </pre> * Create a database config file: <pre> cp config/database.example.yml config/database.yml </pre> #* Change the database, host, user, and password accordingly * Create and edit the Snorby config: <pre> cp config/snorby_config.yml.example config/snorby_config.yml vi config/snorby_config.yml </pre> #* And add or modify the following <pre> # # Production # # Change the production configuration for your environment. # production: domain: snorby.example.com wkhtmltopdf: /usr/local/bin/wkhtmltopdf mailer_sender: 'snorby@snorby.org' geoip_uri: "http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz" rules: - "/usr/local/etc/snort/rules" authentication_mode: database </pre> * Install Gem Dependencies <pre> RAILS_ENV=production bundle install --path vendor/cache </pre> * Run the Snorby Setup <pre> RAILS_ENV=production bundle exec rake snorby:setup </pre> * Restart the snorby worker: <pre> RAILS_ENV=production bundle exec rails r Snorby::Worker.stop RAILS_ENV=production bundle exec rails r Snorby::Worker.start </pre> * Exit the snorby user environment: <pre> exit </pre> --- h1. Install Nginx * Install Nginx with Passenger <pre> portmaster www/nginx </pre> *NOTE*: Make sure to enable [X]PASSENGER when running @make config@ * Install the Passenger gem: <pre> portmaster www/rubygem-passenger </pre> *NOTE*: Make sure to enable (*) NGINX when running @make config@ h2. Configure Nginx * Create a configuration directory to make managing individual server blocks easier: <pre> mkdir /usr/local/etc/nginx/conf.d </pre> * Configuring Nginx and Passenger, edit the @/usr/local/etc/nginx/nginx.conf@ file: <pre> vi /usr/local/etc/nginx/nginx.conf </pre> #* And add/modify the following <pre> user www www; worker_processes 4; error_log /var/log/nginx/error.log notice; pid /var/run/nginx.pid; events { worker_connections 1024; } http { passenger_root /usr/local/lib/ruby/gems/2.0/gems/passenger-4.0.58; passenger_ruby /usr/local/bin/ruby; passenger_max_pool_size 15; passenger_pool_idle_time 300; #passenger_spawn_method direct; # Uncomment on Ruby 1.8 for ENC to work include mime.types; default_type application/octet-stream; sendfile on; tcp_nopush on; keepalive_timeout 65; tcp_nodelay on; # Load config files from the /etc/nginx/conf.d directory include /usr/local/etc/nginx/conf.d/*.conf; } </pre> *NOTE*: The above configuration will set the ruby used by passenger to the system default ruby. * And add a default site configuration in @/usr/local/etc/nginx/conf.d/default.conf@: <pre> server { listen 80 default; server_name _; index index.html index.php; root /usr/local/www; # IP and IP ranges which should get access allow 10.0.0.0/24; allow 10.1.0.1; # all else will be denied deny all; # basic HTTP auth auth_basic "Restricted"; auth_basic_user_file htpasswd; location ~ \.cgi$ { try_files $uri =404; include fastcgi_params; fastcgi_pass unix:/var/run/fcgiwrap/fcgiwrap.sock; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param REMOTE_USER $remote_user; } location ~ \.php$ { try_files $uri =404; include fastcgi_params; fastcgi_pass 127.0.0.1:9000; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; } } </pre> * Find the exact ruby version that snorby will use: <pre> su - snorby passenger-config --ruby-command </pre> #* Example output: <pre> passenger-config was invoked through the following Ruby interpreter: Command: /usr/local/www/snorby/.rvm/gems/ruby-1.9.3-p551/wrappers/ruby Version: ruby 1.9.3p551 (2014-11-13 revision 48407) [x86_64-freebsd9.3] To use in Apache: PassengerRuby /usr/local/www/snorby/.rvm/gems/ruby-1.9.3-p551/wrappers/ruby To use in Nginx : passenger_ruby /usr/local/www/snorby/.rvm/gems/ruby-1.9.3-p551/wrappers/ruby To use with Standalone: /usr/local/www/snorby/.rvm/gems/ruby-1.9.3-p551/wrappers/ruby /usr/local/www/snorby/.rvm/gems/ruby-1.9.3-p551/gems/passenger-4.0.58/bin/passenger start </pre> * And create a server block for snorby <pre> vi /usr/local/etc/nginx/conf.d/snorby.conf </pre> #* And add the following: <pre> server { listen 80; server_name snorby.example.com; passenger_enabled on; passenger_ruby /usr/local/www/snorby/.rvm/gems/ruby-1.9.3-p551/wrappers/ruby; passenger_user snorby; passenger_group snorby; access_log /var/log/nginx/snorby.log; root /usr/local/www/snorby/public; } </pre> * Create the log directory to prevent issues on startup: <pre> mkdir /var/log/nginx </pre> * Restart nginx <pre> service nginx restart </pre> h2. Snorbyfix Script * Create the snorbyfix script: <pre> vi /usr/local/bin/snorbyfix.sh </pre> #* And add the following: <pre> #!/bin/sh # Snorby Worker script # su - snorby -c 'RAILS_ENV=production rails r Snorby::Worker.restart' </pre> * Create a cronjob to run the snorbyfix script every hour: <pre> echo '## Fix snorby worker' >> /etc/crontab echo '* 1 * * * snorby /usr/local/bin/snorbyfix.sh' >> /etc/crontab </pre> * Restart the cron service: <pre> service cron restart </pre> h2. Log into Snorby * The server name set up in this example is *http://snorby.example.com* * The default username is *snorby@snorby.org* * The default password is *snorby* h1. h2. Resources * https://github.com/Snorby/snorby * https://github.com/shirkdog/snorby-bsd/blob/master/snorbyInstall.sh