Project

General

Profile

Support #541

Updated by Daniel Curtis almost 9 years ago

{{>toc}} 

 Like many paranoid network & system administrators, I have need of more than just an antivirus and firewall on each networked device. So I have decided to install a Snort machine and log the information to a remote MariaDB server. This is a simple guide to set up a Snort machine on a FreeBSD 9.2 system. 

 h1. Prepare the system 

 * Update the system 
 <pre> 
 pkg update && pkg upgrade 
 portsnap fetch extract 
 </pre> 

 * Install portmaster: 
 <pre> 
 cd /usr/ports/ports-mgmt/portmaster 
 make install clean 
 pkg2ng 
 </pre> 

 h1. Install Snort 

 * Install Snort 
 <pre> 
 portmaster security/snort security/barnyard2 security/pulledpork 
 </pre> 
 *NOTE*: Enable [X]MYSQL during the config of security/barnyard2 

 * Create the following directories: 
 <pre> 
 mkdir -p /usr/local/etc/snort/so_rules 
 mkdir -p /usr/local/etc/snort/rules/iplists 
 mkdir -p /var/log/barnyard2 
 </pre> 

 * Then create a few blank files: 
 <pre> 
 touch /usr/local/etc/snort/rules/snort.rules 
 touch /usr/local/etc/snort/rules/local.rules 
 touch /usr/local/etc/snort/rules/white_list.rules 
 touch /usr/local/etc/snort/rules/black_list.rules 
 touch /var/log/snort/barnyard2.waldo 
 </pre> 

 h2. Configure Snort 

 * Edit the snort config file: 
 <pre> 
 vi /usr/local/etc/snort/snort.conf 
 </pre> 
 #* And modify the following parameters: 
 <pre> 
 ipvar HOME_NET 192.168.1.0/24 
 ipvar EXTERNAL_NET any 

 var RULE_PATH /usr/local/etc/snort/rules 
 var SO_RULE_PATH /usr/local/etc/snort/so_rules 
 var PREPROC_RULE_PATH /usr/local/etc/snort/preproc_rules 
 var WHITE_LIST_PATH /usr/local/etc/snort/rules 
 var BLACK_LIST_PATH /usr/local/etc/snort/rules 

 dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/ 
 dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so 
 #dynamicdetection directory /usr/local/lib/snort/dynamicrules 

 output unified2: filename snortunified2.log, limit 128 

 ## Comment out every $RULE_PATH line 
 #include $RULE_PATH 

 ## Add definition for aggregate snort.rules file 
 include $RULE_PATH/snort.rules 
 </pre> 

 * *(Optional)* Remove all commented lines from snort config: 
 <pre> 
 grep '^[^#]' /usr/local/etc/snort/snort.conf > /usr/local/etc/snort/temp.conf 
 mv -f /usr/local/etc/snort/temp.conf /usr/local/etc/snort/snort.conf 
 </pre> 

 h2. Configure Pulledpork 

 * Create and edit a Pulledpork config file: 
 <pre> 
 cp /usr/local/etc/pulledpork/pulledpork.conf.sample /usr/local/etc/pulledpork/pulledpork.conf 
 vi /usr/local/etc/pulledpork/pulledpork.conf 
 </pre> 
 #* And modify the following, making sure to replace *<oinkcode>* with your actual oinkcode. 
 <pre> 
 rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<oinkcode> 

 rule_url=https://s3.amazonaws.com/snort-org/www/rules/community/|community-rules.tar.gz|Community 

 rule_url=http://labs.snort.org/feeds/ip-filter.blf|IPBLACKLIST|open 

 rule_url=https://www.snort.org/reg-rules/|opensource.gz|<oinkcode> 

 rule_url=https://rules.emergingthreatspro.com/|emerging.rules.tar.gz|open 

 rule_path=/usr/local/etc/snort/rules/snort.rules 

 out_path=/usr/local/etc/snort/rules/ 

 sorule_path=/usr/local/etc/snort/so_rules/ 

 distro=FreeBSD-9.0 

 black_list=/usr/local/etc/snort/rules/iplists/default.blacklist 
 </pre> 

 * Update Snort rules using Pulledpork: 
 <pre> 
 pulledpork.pl -c /usr/local/etc/pulledpork/pulledpork.conf 
 </pre> 

 * If you have such an error while issuing the command with the -vv parameter: 
 <pre> 
 500 Can't connect to www.snort.org:443 (Crypt-SSLeay can't verify hostnames 
 </pre> 
 #* Then add this environment variable: 
 <pre> 
 bash 
 export HTTPS_CA_DIR=/usr/share/ca-certificates/ 
 pulledpork.pl -c /usr/local/etc/pulledpork/pulledpork.conf 
 </pre> 

 * And add following line to @/etc/crontab@ (the example automatically checks for the presence of new rules every 12 hours): 
 <pre> 
 echo '## Update Snort rules' >> /etc/crontab 
 echo '5 */12 * * * /usr/bin/perl /usr/local/bin/pulledpork.pl -c /usr/local/etc/pulledpork/pulledpork.conf' >> /etc/crontab 
 </pre> 

 * Restart cron: 
 <pre> 
 service cron restart 
 </pre> 

 h2. Configure Barnyard2 

 * Edit the barnyard2 config file: 
 <pre> 
 vi /usr/local/etc/barnyard2.conf 
 </pre> 
 #* And modify the following: 
 <pre> 
 config hostname: snort.example.com 
 output database: log, mysql, user=snorby password=SuperSecretPassword dbname=snorby host=localhost 
 </pre> 

 --- 

 h1. Install Snorby 

 Snorby is a web frontend for the Snort IDS, and this is a simple guide on installing it on FreeBSD 9.2. This guide only sets up Snorby, as my setup has the Snort agent on remote machine, sending its data to a different remote database. 

 * Install a few prerequisite packages: 
 <pre> 
 portmaster shells/bash ftp/wget textproc/flex devel/pcre net/libdnet textproc/libxml2 textproc/libxslt graphics/ImageMagick devel/lwp www/p5-LWP-UserAgent-WithCache security/p5-Crypt-SSLeay www/p5-LWP-Protocol-https lang/ruby21 devel/ruby-gems converters/wkhtmltopdf devel/readline 
 </pre> 

 * Fix Bash: 
 <pre> 
 ln -s /usr/local/bin/bash /bin/bash 
 </pre> 
 *NOTE*: This is required later by snorby, an error will occur otherwise. 

 * Install some prerequisite gems: 
 <pre> 
 portmaster print/rubygem-prawn devel/rubygem-thor devel/rubygem-i18n sysutils/rubygem-bundler devel/rubygem-tzinfo devel/rubygem-builder databases/rubygem-memcache-client www/rubygem-rack www/rubygem-rack-test www/rubygem-erubis mail/rubygem-mail textproc/rubygem-text databases/rubygem-sqlite3 devel/rubygem-rake databases/rubygem-mysql www/rubygem-rack-mount www/rubygem-rails 
 </pre> 

 * Now create a snorby user:  
 <pre> 
 pw add user -n snorby -d /usr/local/www/snorby -m -s /usr/local/bin/bash -c "Snorby" 
 </pre>  

 * Get Snorby from the download section or use the latest edge release via git. 
 <pre> 
 cd /usr/local/www 
 git clone git://github.com/Snorby/snorby.git 
 </pre> 

 * Install RVM: 
 <pre> 
 su - snorby 
 curl -L https://get.rvm.io | bash 
 source /usr/local/www/snorby/.rvm/scripts/rvm 
 </pre> 

 * Install Ruby 1.9.3 
 <pre> 
 rvm install 1.9.3 
 rvm use 1.9.3 
 </pre> 

 * Install Passenger inside the RVM environment: 
 <pre> 
 gem install passenger 
 </pre> 

 * Install bundler inside the RVM environment: 
 <pre> 
 gem install bundler 
 </pre> 

 * Create a database config file: 
 <pre> 
 cp config/database.example.yml config/database.yml 
 </pre> 
 #* Change the database, host, user, and password accordingly 

 * Create and edit the Snorby config: 
 <pre> 
 cp config/snorby_config.yml.example config/snorby_config.yml 
 vi config/snorby_config.yml 
 </pre> 
 #* And add or modify the following 
 <pre> 
 # 
 # Production 
 # 
 # Change the production configuration for your environment. 
 # 
 production: 
 domain: snorby.example.com 
 wkhtmltopdf: /usr/local/bin/wkhtmltopdf 
 mailer_sender: 'snorby@snorby.org' 
 geoip_uri: "http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz" 
 rules: 
 - "/usr/local/etc/snort/rules" 
 authentication_mode: database 
 </pre> 

 * Install Gem Dependencies 
 <pre> 
 RAILS_ENV=production bundle install --path vendor/bundle 
 </pre> 

 * Run the Snorby Setup 
 <pre> 
 RAILS_ENV=production bundle exec rake snorby:setup 
 </pre> 

 * Restart the snorby worker: 
 <pre> 
 RAILS_ENV=production bundle exec rails r Snorby::Worker.stop 
 RAILS_ENV=production bundle exec rails r Snorby::Worker.start 
 </pre> 

 * Exit the snorby user environment: 
 <pre> 
 exit 
 </pre> 

 --- 

 h1. Install Nginx 

 * Install Nginx with Passenger 
 <pre> 
 portmaster www/nginx 
 </pre> 
 *NOTE*: Make sure to enable [X]PASSENGER when running @make config@ 

 * Install the Passenger gem: 
 <pre> 
 portmaster www/rubygem-passenger 
 </pre> 
 *NOTE*: Make sure to enable (*) NGINX when running @make config@ 

 h2. Configure Nginx 

 * Create a configuration directory to make managing individual server blocks easier: 
 <pre> 
 mkdir /usr/local/etc/nginx/conf.d 
 </pre> 

 * Configuring Nginx and Passenger, edit the @/usr/local/etc/nginx/nginx.conf@ file: 
 <pre> 
 vi /usr/local/etc/nginx/nginx.conf 
 </pre> 
 #* And add/modify the following 
 <pre> 
 user    www www; 
 worker_processes    4; 
 error_log    /var/log/nginx/error.log notice; 
 pid          /var/run/nginx.pid; 

 events { 
   worker_connections    1024; 
 } 

 http { 
   passenger_root /usr/local/lib/ruby/gems/2.0/gems/passenger-4.0.58; 
   passenger_ruby /usr/local/bin/ruby; 
   passenger_max_pool_size 15; 
   passenger_pool_idle_time 300; 
   #passenger_spawn_method direct; # Uncomment on Ruby 1.8 for ENC to work 

   include         mime.types; 
   default_type    application/octet-stream; 
   sendfile        on; 
   tcp_nopush      on; 
   keepalive_timeout    65; 
   tcp_nodelay          on; 

   # Load config files from the /etc/nginx/conf.d directory 
   include /usr/local/etc/nginx/conf.d/*.conf; 
 } 
 </pre> 
 *NOTE*: The above configuration will set the ruby used by passenger to the system default ruby. 

 * And add a default site configuration in @/usr/local/etc/nginx/conf.d/default.conf@: 
 <pre> 
 server { 
   listen 80 default; 
   server_name _; 

   index index.html index.php; 
   root /usr/local/www; 

   # IP and IP ranges which should get access 
   allow 10.0.0.0/24; 
   allow 10.1.0.1; 
   # all else will be denied 
   deny all; 

   # basic HTTP auth 
   auth_basic "Restricted"; 
   auth_basic_user_file htpasswd; 

   location ~ \.cgi$ { 
     try_files $uri =404; 
     include fastcgi_params; 
     fastcgi_pass unix:/var/run/fcgiwrap/fcgiwrap.sock; 
     fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; 
     fastcgi_param REMOTE_USER $remote_user; 
   } 

   location ~ \.php$ { 
     try_files $uri =404; 
     include fastcgi_params; 
     fastcgi_pass 127.0.0.1:9000; 
     fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; 
   } 
 } 
 </pre> 

 * Find the exact ruby version that snorby will use: 
 <pre> 
 su - snorby 
 passenger-config --ruby-command 
 </pre> 
 #* Example output: 
 <pre> 
 passenger-config was invoked through the following Ruby interpreter: 
   Command: /usr/local/www/snorby/.rvm/gems/ruby-1.9.3-p551/wrappers/ruby 
   Version: ruby 1.9.3p551 (2014-11-13 revision 48407) [x86_64-freebsd9.3] 
   To use in Apache: PassengerRuby /usr/local/www/snorby/.rvm/gems/ruby-1.9.3-p551/wrappers/ruby 
   To use in Nginx : passenger_ruby /usr/local/www/snorby/.rvm/gems/ruby-1.9.3-p551/wrappers/ruby 
   To use with Standalone: /usr/local/www/snorby/.rvm/gems/ruby-1.9.3-p551/wrappers/ruby /usr/local/www/snorby/.rvm/gems/ruby-1.9.3-p551/gems/passenger-4.0.58/bin/passenger start 
 </pre> 

 * And create a server block for snorby 
 <pre> 
 vi /usr/local/etc/nginx/conf.d/snorby.conf 
 </pre> 
 #* And add the following: 
 <pre> 
 server { 
   listen         80; 
   server_name    snorby.example.com; 

   passenger_enabled on; 
   passenger_ruby /usr/local/www/snorby/.rvm/gems/ruby-1.9.3-p551/wrappers/ruby; 
   passenger_user               snorby; 
   passenger_group              snorby; 

   access_log /var/log/nginx/snorby.log; 
   root /usr/local/www/snorby/public; 
 } 
 </pre> 

 * Create the log directory to prevent issues on startup: 
 <pre> 
 mkdir /var/log/nginx 
 </pre> 

 * Restart nginx 
 <pre> 
 service nginx restart 
 </pre> 

 h2. Snorbyfix Script 

 * Create the snorbyfix script: 
 <pre> 
 vi /usr/local/bin/snorbyfix.sh 
 </pre> 
 #* And add the following: 
 <pre> 
 #!/bin/sh 
 # Snorby Worker script 
 # 
 su - snorby -c 'RAILS_ENV=production rails r Snorby::Worker.restart' 
 </pre> 

 * Create a cronjob to run the snorbyfix script every hour: 
 <pre> 
 echo '## Fix snorby worker' >> /etc/crontab 
 echo '* 1 * * * snorby /usr/local/bin/snorbyfix.sh' >> /etc/crontab  
 </pre> 

 * Restart the cron service: 
 <pre> 
 service cron restart 
 </pre> 

 h2. Log into Snorby 

 * The server name set up in this example is *http://snorby.example.com* 

 * The default username is *snorby@snorby.org* 

 * The default password is *snorby* 

 h1. Resources 

 * https://github.com/Snorby/snorby 
 * https://github.com/shirkdog/snorby-bsd/blob/master/snorbyInstall.sh 

Back