Support #541
Updated by Daniel Curtis over 9 years ago
Like many paranoid network and system administrators, I need more than just an antivirus and a firewall on each networked device, so I have decided to set up a Snort machine that logs its alerts to a remote MariaDB server. This is a simple guide to setting up a Snort machine on a FreeBSD 9.2 system.
h1. Prepare the system
* Update the system
<pre>
pkg update && pkg upgrade
portsnap fetch extract
</pre>
* Install portmaster:
<pre>
cd /usr/ports/ports-mgmt/portmaster
make install clean
pkg2ng
</pre>
h1. Install Snort
* Install Snort
<pre>
portmaster security/snort security/barnyard2 security/pulledpork
</pre>
*NOTE*: Enable [X]MYSQL during the config of security/barnyard2
* Create the following directories:
<pre>
mkdir -p /usr/local/etc/snort/so_rules
mkdir -p /usr/local/etc/snort/rules/iplists
mkdir -p /var/log/barnyard2
</pre>
* Then create a few blank files:
<pre>
touch /usr/local/etc/snort/rules/snort.rules
touch /usr/local/etc/snort/rules/local.rules
touch /usr/local/etc/snort/rules/white_list.rules
touch /usr/local/etc/snort/rules/black_list.rules
touch /var/log/snort/barnyard2.waldo
</pre>
h2. Configure Snort
* Edit the snort config file:
<pre>
vi /usr/local/etc/snort/snort.conf
</pre>
#* And modify the following parameters:
<pre>
ipvar HOME_NET 192.168.1.0/24
ipvar EXTERNAL_NET any
var RULE_PATH /usr/local/etc/snort/rules
var SO_RULE_PATH /usr/local/etc/snort/so_rules
var PREPROC_RULE_PATH /usr/local/etc/snort/preproc_rules
var WHITE_LIST_PATH /usr/local/etc/snort/rules
var BLACK_LIST_PATH /usr/local/etc/snort/rules
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
#dynamicdetection directory /usr/local/lib/snort/dynamicrules
output unified2: filename snortunified2.log, limit 128
## Comment out every $RULE_PATH line
#include $RULE_PATH
## Add definition for aggregate snort.rules file
include $RULE_PATH/snort.rules
</pre>
* *(Optional)* Remove all commented and blank lines from the snort config:
<pre>
grep '^[^#]' /usr/local/etc/snort/snort.conf > /usr/local/etc/snort/temp.conf
mv -f /usr/local/etc/snort/temp.conf /usr/local/etc/snort/snort.conf
</pre>
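The rule-include change above is easy to get wrong by hand (one forgotten @include $RULE_PATH/...@ line and Snort fails to start after Pulledpork has moved everything into @snort.rules@). The following POSIX sh script is an added example, not part of the original page: it comments out every @$RULE_PATH@ include except the aggregate one, appends that include if it is missing, and then parse-tests the result with @snort -T@. The paths are the ones used in this guide; the sample config fragment inside the script is constructed for the demo and is not a real @snort.conf@.

```sh
#!/bin/sh
# Added example, not from the original page: apply the "comment out every
# $RULE_PATH include, add the aggregate snort.rules include" step from the
# guide to a snort.conf, idempotently, and test the result with `snort -T`.
# Paths follow the guide (assumption: same layout on the target box).

# fix_rule_includes FILE
# Comments out every `include $RULE_PATH/...` line except the aggregate
# `include $RULE_PATH/snort.rules`, and appends that include if absent.
# Safe to run repeatedly; a FILE.bak copy is left behind.
fix_rule_includes() {
    f=$1
    cp "$f" "$f.bak"
    sed -e '/^include \$RULE_PATH\/snort\.rules$/!s/^include \$RULE_PATH\//#include $RULE_PATH\//' \
        "$f.bak" > "$f"
    if ! grep -q '^include \$RULE_PATH/snort\.rules$' "$f"; then
        printf '## Aggregate rules file written by Pulledpork\ninclude $RULE_PATH/snort.rules\n' >> "$f"
    fi
}

# active_includes FILE: number of uncommented $RULE_PATH includes (should be 1)
active_includes() {
    grep -c '^include \$RULE_PATH/' "$1" || true
}

# check_snort_conf FILE [IFACE]: parse-test the config without sniffing;
# Snort exits non-zero if a rule, variable or preprocessor line is broken.
check_snort_conf() {
    snort -T -c "$1" -i "${2:-em0}"
}

# write_sample_conf PATH: a constructed snort.conf fragment for the demo
write_sample_conf() {
    cat > "$1" <<'EOF'
ipvar HOME_NET 192.168.1.0/24
var RULE_PATH /usr/local/etc/snort/rules
include $RULE_PATH/local.rules
include $RULE_PATH/dos.rules
#include $RULE_PATH/exploit.rules
EOF
}

# demo: run the fix on a temporary copy of the constructed sample and show it
demo() {
    t=$(mktemp)
    write_sample_conf "$t"
    fix_rule_includes "$t"
    echo "active \$RULE_PATH includes after fix: $(active_includes "$t")"
    cat "$t"
    rm -f "$t" "$t.bak"
}

# No argument: demo only. With a config path: edit it in place and run snort -T.
case "${1:-}" in
    "") demo ;;
    *)  fix_rule_includes "$1" && check_snort_conf "$1" "${2:-em0}" ;;
esac
```

Run it as @sh snort-includes.sh /usr/local/etc/snort/snort.conf em0@ on the sensor; a non-zero exit from @snort -T@ means the config must be fixed before the real Snort is (re)started.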
h2. Configure Pulledpork
* Create and edit a Pulledpork config file:
<pre>
cp /usr/local/etc/pulledpork/pulledpork.conf.sample /usr/local/etc/pulledpork/pulledpork.conf
vi /usr/local/etc/pulledpork/pulledpork.conf
</pre>
#* And modify the following, making sure to replace *<oinkcode>* with your actual oinkcode.
<pre>
rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<oinkcode>
rule_url=https://s3.amazonaws.com/snort-org/www/rules/community/|community-rules.tar.gz|Community
rule_url=http://labs.snort.org/feeds/ip-filter.blf|IPBLACKLIST|open
rule_url=https://www.snort.org/reg-rules/|opensource.gz|<oinkcode>
rule_url=https://rules.emergingthreatspro.com/|emerging.rules.tar.gz|open
rule_path=/usr/local/etc/snort/rules/snort.rules
out_path=/usr/local/etc/snort/rules/
sorule_path=/usr/local/etc/snort/so_rules/
distro=FreeBSD-9.0
black_list=/usr/local/etc/snort/rules/iplists/default.blacklist
</pre>
* Update Snort rules using Pulledpork:
<pre>
pulledpork.pl -c /usr/local/etc/pulledpork/pulledpork.conf
</pre>
* If running the command with the @-vv@ parameter gives an error like this:
<pre>
500 Can't connect to www.snort.org:443 (Crypt-SSLeay can't verify hostnames
</pre>
#* Then point Perl's HTTPS client at the CA directory and run it again (the @export@ syntax needs a Bourne-style shell, hence @bash@ first; root's default shell on FreeBSD is csh):
<pre>
bash
export HTTPS_CA_DIR=/usr/share/ca-certificates/
pulledpork.pl -c /usr/local/etc/pulledpork/pulledpork.conf
</pre>
* Then add the following lines to @/etc/crontab@ (this example checks for new rules every 12 hours; the system crontab needs the user field, here @root@, between the schedule and the command):
<pre>
echo '## Update Snort rules' >> /etc/crontab
echo '5 */12 * * * root /usr/bin/perl /usr/local/bin/pulledpork.pl -c /usr/local/etc/pulledpork/pulledpork.conf' >> /etc/crontab
</pre>
* Restart cron:
<pre>
service cron restart
</pre>
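Running Pulledpork straight from cron means a bad rule download can leave Snort with a config it cannot load. The wrapper below is an added example (not from the original page or from Pulledpork): it runs Pulledpork, compares a digest of @snort.rules@ before and after, and only when the file actually changed and @snort -T@ accepts the new config does it signal the running Snort to reload. The paths follow this guide; the command strings and the pid-file location are assumptions and can be overridden from the environment, which is also how the logic can be exercised without Snort installed.

```sh
#!/bin/sh
# Added example, not from the original page: a wrapper for the Pulledpork cron
# job above. It runs Pulledpork, and only when the aggregate rule file actually
# changed AND `snort -T` accepts the new config does it signal Snort to reload,
# so a broken rule download never takes the sensor down.
# Paths follow the guide; the command variables and PIDFILE are assumptions
# and can be overridden from the environment (the tests substitute stubs).

SNORT_CONF=${SNORT_CONF:-/usr/local/etc/snort/snort.conf}
RULES=${RULES:-/usr/local/etc/snort/rules/snort.rules}
PP_CONF=${PP_CONF:-/usr/local/etc/pulledpork/pulledpork.conf}
IFACE=${IFACE:-em0}
PIDFILE=${PIDFILE:-/var/run/snort_$IFACE.pid}

# Commands are word-split when run; override them to test without Snort.
PULLEDPORK=${PULLEDPORK:-"/usr/bin/perl /usr/local/bin/pulledpork.pl -c $PP_CONF"}
SNORT_TEST=${SNORT_TEST:-"snort -T -c $SNORT_CONF -i $IFACE"}
RELOAD=${RELOAD:-reload_snort}

# file_digest FILE: sha256 of FILE (FreeBSD `sha256 -q`, else `sha256sum`),
# or the word "missing" if the file does not exist.
file_digest() {
    if [ -f "$1" ]; then
        sha256 -q "$1" 2>/dev/null || sha256sum "$1" | cut -d' ' -f1
    else
        echo missing
    fi
}

# reload_snort: SIGHUP the running Snort so it re-reads snort.conf and the
# rules; fall back to the rc script if no pid file is found.
reload_snort() {
    if [ -r "$PIDFILE" ]; then
        kill -HUP "$(cat "$PIDFILE")"
    else
        service snort restart
    fi
}

# update_rules: exit status 0 = reloaded, 1 = rules unchanged,
# 2 = new rules failed the config test (running Snort left untouched),
# 3 = Pulledpork itself failed.
update_rules() {
    before=$(file_digest "$RULES")
    $PULLEDPORK || { echo "pulledpork failed; rules untouched" >&2; return 3; }
    after=$(file_digest "$RULES")
    if [ "$before" = "$after" ]; then
        echo "snort.rules unchanged ($after); nothing to reload"
        return 1
    fi
    if ! $SNORT_TEST; then
        echo "new snort.rules fail 'snort -T'; NOT reloading (fix or restore $RULES)" >&2
        return 2
    fi
    echo "snort.rules changed ($before -> $after); reloading"
    $RELOAD
}

# Do the update only when invoked with "run", e.g. from /etc/crontab:
#   5 */12 * * * root /usr/local/bin/snort-rule-update.sh run
if [ "${1:-}" = "run" ]; then
    update_rules
fi
```

With this in place the crontab line calls the wrapper instead of @pulledpork.pl@ directly, and the exit status (0, 1, 2 or 3) in the cron mail tells you at a glance whether a rule update was applied, skipped or rejected.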
h2. Configure Barnyard2
* Edit the barnyard2 config file:
<pre>
vi /usr/local/etc/barnyard2.conf
</pre>
#* And modify the following:
<pre>
config hostname: snort.example.com
output database: log, mysql, user=snorby password=SuperSecretPassword dbname=snorby host=localhost
</pre>
*NOTE*: @barnyard2.conf@ now contains the database password, so keep it readable only by root (@chmod 600@).
---
h1. Install Snorby
Snorby is a web frontend for the Snort IDS, and this is a simple guide to installing it on FreeBSD 9.2. This guide only sets up Snorby, as my setup has the Snort agent on a remote machine, sending its data to a different remote database.
* Install a few prerequisite packages:
<pre>
portmaster shells/bash ftp/wget textproc/flex devel/pcre net/libdnet textproc/libxml2 textproc/libxslt graphics/ImageMagick devel/lwp www/p5-LWP-UserAgent-WithCache security/p5-Crypt-SSLeay www/p5-LWP-Protocol-https lang/ruby21 devel/ruby-gems converters/wkhtmltopdf devel/readline
</pre>
* Fix Bash:
<pre>
ln -s /usr/local/bin/bash /bin/bash
</pre>
*NOTE*: Snorby requires this later; an error will occur otherwise.
* Install some prerequisite gems:
<pre>
portmaster print/rubygem-prawn devel/rubygem-thor devel/rubygem-i18n sysutils/rubygem-bundler devel/rubygem-tzinfo devel/rubygem-builder databases/rubygem-memcache-client www/rubygem-rack www/rubygem-rack-test www/rubygem-erubis mail/rubygem-mail textproc/rubygem-text databases/rubygem-sqlite3 devel/rubygem-rake databases/rubygem-mysql www/rubygem-rack-mount www/rubygem-rails
</pre>
* Now create a snorby user:
<pre>
pw add user -n snorby -d /usr/local/www/snorby -m -s /usr/local/bin/bash -c "Snorby"
</pre>
* Get Snorby from the download section or use the latest edge release via git.
<pre>
cd /usr/local/www
git clone git://github.com/Snorby/snorby.git
</pre>
* Install RVM:
<pre>
su - snorby
curl -L https://get.rvm.io | bash
source /usr/local/www/snorby/.rvm/scripts/rvm
</pre>
* Install Ruby 1.9.3
<pre>
rvm install 1.9.3
rvm use 1.9.3
</pre>
* Install Passenger inside the RVM environment:
<pre>
gem install passenger
</pre>
* Install bundler inside the RVM environment:
<pre>
gem install bundler
</pre>
* Create a database config file:
<pre>
cp config/database.example.yml config/database.yml
</pre>
#* Change the database, host, user, and password accordingly
* Create and edit the Snorby config:
<pre>
cp config/snorby_config.yml.example config/snorby_config.yml
vi config/snorby_config.yml
</pre>
#* And add or modify the following
<pre>
#
# Production
#
# Change the production configuration for your environment.
#
production:
  domain: snorby.example.com
  wkhtmltopdf: /usr/local/bin/wkhtmltopdf
  mailer_sender: 'snorby@snorby.org'
  geoip_uri: "http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz"
  rules:
    - "/usr/local/etc/snort/rules"
  authentication_mode: database
</pre>
* Install Gem Dependencies
<pre>
RAILS_ENV=production bundle install --path vendor/bundle
</pre>
* Run the Snorby Setup
<pre>
RAILS_ENV=production bundle exec rake snorby:setup
</pre>
* Restart the snorby worker:
<pre>
RAILS_ENV=production bundle exec rails r Snorby::Worker.stop
RAILS_ENV=production bundle exec rails r Snorby::Worker.start
</pre>
* Exit the snorby user environment:
<pre>
exit
</pre>
---
h1. Install Nginx
* Install Nginx with Passenger
<pre>
portmaster www/nginx
</pre>
*NOTE*: Make sure to enable [X]PASSENGER when running @make config@
* Install the Passenger gem:
<pre>
portmaster www/rubygem-passenger
</pre>
*NOTE*: Make sure to enable (*) NGINX when running @make config@
h2. Configure Nginx
* Create a configuration directory to make managing individual server blocks easier:
<pre>
mkdir /usr/local/etc/nginx/conf.d
</pre>
* To configure Nginx and Passenger, edit the @/usr/local/etc/nginx/nginx.conf@ file:
<pre>
vi /usr/local/etc/nginx/nginx.conf
</pre>
#* And add/modify the following
<pre>
user www www;
worker_processes 4;
error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    passenger_root /usr/local/lib/ruby/gems/2.0/gems/passenger-4.0.58;
    passenger_ruby /usr/local/bin/ruby;
    passenger_max_pool_size 15;
    passenger_pool_idle_time 300;
    #passenger_spawn_method direct; # Uncomment on Ruby 1.8 for ENC to work

    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    tcp_nopush on;
    keepalive_timeout 65;
    tcp_nodelay on;

    # Load the server blocks from the /usr/local/etc/nginx/conf.d directory
    include /usr/local/etc/nginx/conf.d/*.conf;
}
</pre>
*NOTE*: The above configuration will set the ruby used by passenger to the system default ruby.
* And add a default site configuration in @/usr/local/etc/nginx/conf.d/default.conf@:
<pre>
server {
    listen 80 default;
    server_name _;
    index index.html index.php;
    root /usr/local/www;

    # IP addresses and ranges which should get access
    allow 10.0.0.0/24;
    allow 10.1.0.1;
    # all else will be denied
    deny all;

    # basic HTTP auth
    auth_basic "Restricted";
    auth_basic_user_file htpasswd;

    location ~ \.cgi$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_pass unix:/var/run/fcgiwrap/fcgiwrap.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param REMOTE_USER $remote_user;
    }

    location ~ \.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}
</pre>
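The default site above restricts access by source address and by HTTP basic auth, but the @htpasswd@ file that @auth_basic_user_file@ points at has to be created separately. The script below is an added example, not part of the original page or of nginx: it adds or replaces a user in that file with an @apr1@ hash generated by @openssl passwd@ (a scheme nginx accepts), can verify a password against the stored entry by re-hashing with the stored salt, and reloads nginx only after @nginx -t@ has accepted the configuration. The file location (@/usr/local/etc/nginx/htpasswd@, i.e. relative to the nginx config directory as in the server block above) is an assumption.

```sh
#!/bin/sh
# Added example, not from the original page: manage the `htpasswd` file used
# by `auth_basic_user_file htpasswd;` in the default site above, and reload
# nginx only after `nginx -t` accepts the configuration.
# Uses `openssl passwd -apr1` (Apache MD5 scheme, accepted by nginx).
# HTPASSWD location is an assumption (the nginx config directory).

HTPASSWD=${HTPASSWD:-/usr/local/etc/nginx/htpasswd}

# add_htpasswd_user FILE USER PASSWORD
# Adds USER, replacing any existing entry for the same name. The password is
# handed to openssl on stdin rather than argv so it does not show up in `ps`.
add_htpasswd_user() {
    file=$1 user=$2 pass=$3
    digest=$(printf '%s\n' "$pass" | openssl passwd -apr1 -stdin)
    tmp="$file.tmp.$$"
    {
        if [ -f "$file" ]; then awk -F: -v u="$user" '$1 != u' "$file"; fi
        printf '%s:%s\n' "$user" "$digest"
    } > "$tmp"
    mv "$tmp" "$file"
    chmod 640 "$file"    # nginx worker (group) may read it, nobody else
}

# count_htpasswd_users FILE: number of user:hash entries (0 if no file)
count_htpasswd_users() {
    if [ -f "$1" ]; then awk -F: 'NF >= 2 {n++} END {print n+0}' "$1"; else echo 0; fi
}

# check_htpasswd_user FILE USER PASSWORD
# Exit 0 if PASSWORD matches the stored apr1 hash; the stored hash has the
# form $apr1$<salt>$<hash>, so re-hashing with the same salt must reproduce it.
check_htpasswd_user() {
    file=$1 user=$2 pass=$3
    stored=$(awk -F: -v u="$user" '$1 == u {print $2; exit}' "$file")
    [ -n "$stored" ] || return 1
    salt=$(printf '%s' "$stored" | cut -d'$' -f3)
    calc=$(printf '%s\n' "$pass" | openssl passwd -apr1 -stdin -salt "$salt")
    [ "$calc" = "$stored" ]
}

# nginx_reload_if_valid: never reload into a config that nginx's own parser rejects
nginx_reload_if_valid() {
    nginx -t && service nginx reload
}

# Usage: htpasswd.sh add USER   (password is read from the terminal, not argv)
if [ "${1:-}" = "add" ] && [ -n "${2:-}" ]; then
    printf 'Password for %s: ' "$2"
    stty -echo; read -r pw; stty echo; echo
    add_htpasswd_user "$HTPASSWD" "$2" "$pw" && nginx_reload_if_valid
fi
```

Because the basic-auth credential only protects the default site, the same @allow@/@deny@ block (or a copy of the @auth_basic@ lines) is what you would add to the Snorby server block further down if that host is reachable from more than the management network.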
* Find the exact ruby version that snorby will use:
<pre>
su - snorby
passenger-config --ruby-command
</pre>
#* Example output:
<pre>
passenger-config was invoked through the following Ruby interpreter:
Command: /usr/local/www/snorby/.rvm/gems/ruby-1.9.3-p551/wrappers/ruby
Version: ruby 1.9.3p551 (2014-11-13 revision 48407) [x86_64-freebsd9.3]
To use in Apache: PassengerRuby /usr/local/www/snorby/.rvm/gems/ruby-1.9.3-p551/wrappers/ruby
To use in Nginx : passenger_ruby /usr/local/www/snorby/.rvm/gems/ruby-1.9.3-p551/wrappers/ruby
To use with Standalone: /usr/local/www/snorby/.rvm/gems/ruby-1.9.3-p551/wrappers/ruby /usr/local/www/snorby/.rvm/gems/ruby-1.9.3-p551/gems/passenger-4.0.58/bin/passenger start
</pre>
* And create a server block for snorby
<pre>
vi /usr/local/etc/nginx/conf.d/snorby.conf
</pre>
#* And add the following:
<pre>
server {
    listen 80;
    server_name snorby.example.com;
    passenger_enabled on;
    passenger_ruby /usr/local/www/snorby/.rvm/gems/ruby-1.9.3-p551/wrappers/ruby;
    passenger_user snorby;
    passenger_group snorby;
    access_log /var/log/nginx/snorby.log;
    root /usr/local/www/snorby/public;
}
</pre>
* Create the log directory to prevent issues on startup:
<pre>
mkdir /var/log/nginx
</pre>
* Restart nginx
<pre>
service nginx restart
</pre>
h2. Snorbyfix Script
* Create the snorbyfix script:
<pre>
vi /usr/local/bin/snorbyfix.sh
</pre>
#* And add the following:
<pre>
#!/bin/sh
# Snorby Worker restart script
#
# Runs in the snorby user's login shell (so RVM is loaded), from the
# application directory, through bundler so the gems installed into
# vendor/bundle are found.
su - snorby -c 'cd /usr/local/www/snorby && RAILS_ENV=production bundle exec rails r Snorby::Worker.restart'
</pre>
* Create a cronjob to run the snorbyfix script every hour (on the hour; @* 1 * * *@ would instead run it every minute between 01:00 and 02:00):
<pre>
echo '## Fix snorby worker' >> /etc/crontab
echo '0 * * * * snorby /usr/local/bin/snorbyfix.sh' >> /etc/crontab
</pre>
* Make the script executable:
<pre>
chmod +x /usr/local/bin/snorbyfix.sh
</pre>
* Restart the cron service:
<pre>
service cron restart
</pre>
h2. Log into Snorby
* The server name set up in this example is *http://snorby.example.com*
* The default username is *snorby@snorby.org*
* The default password is *snorby*
*NOTE*: Change the default password right after the first login; it is the same on every Snorby install.
h1. Resources
* https://github.com/Snorby/snorby
* https://github.com/shirkdog/snorby-bsd/blob/master/snorbyInstall.sh