Overview
This is a complete installation guide for building a
Snort/Barnyard/Snorby/PulledPork server on CentOS 6.5.
Snort is the IDS/IPS. The below configuration is to put snort in inline mode as an
IPS. As such, you can write rules to block traffic. The Snort sensor in this case acts
as a router or firewall (if iptables is used).
Barnyard2 handles the Snort logs, taking the logging work off Snort itself.
Barnyard2 reads the logs Snort writes and moves them into a MySQL database so Snorby can
monitor them. This is also great for setting up remote Snort/Barnyard IDS/IPS
sensors: it allows the remote sensors to send their logs to the central MySQL database.
Snorby is the IDS/IPS monitoring system. It acts like a SIEM for the IDS/IPS sensors
and has a nice dashboard to view events.
PulledPork connects to www.snort.org and pulls down new signature files. You use a
cron job to determine how often this is performed.
Before installing
Ensure that both interfaces are set for promiscuous mode. My two interfaces are eth2
and eth3. You can use the following command (repeat it for eth3):
ifconfig eth2 promisc
To make the change permanent, add the following to each interface configuration file:
cd /etc/sysconfig/network-scripts/
vi ifcfg-eth2
...
PROMISC=yes
...
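A check for this step, added here and not part of the original guide: it verifies that an interface is promiscuous right now (the IFF_PROMISC bit, 0x100, in the flags word the kernel exposes under /sys/class/net) and that PROMISC=yes is persisted in its ifcfg file so the setting survives a reboot. The interface names eth2 and eth3 are the guide's.

```shell
#!/bin/sh
# Added example, not part of the guide: confirm that each sensor interface is in
# promiscuous mode now and that PROMISC=yes is persisted in its ifcfg file.
# IFF_PROMISC is bit 0x100 of the flags word in /sys/class/net/<iface>/flags.

# $1 = flags word as read from sysfs (hex, e.g. 0x1103). Returns 0 if IFF_PROMISC is set.
flags_have_promisc() {
    [ $(( $1 & 0x100 )) -ne 0 ]
}

# $1 = path to an ifcfg-<iface> file. Returns 0 if it contains PROMISC=yes (quotes allowed),
# which is what makes the setting come back after a reboot.
ifcfg_persists_promisc() {
    grep -qiE '^[[:space:]]*PROMISC="?yes"?[[:space:]]*$' "$1"
}

# $@ = interface names (the guide uses eth2 eth3). Reports every interface that is
# not promiscuous now or whose ifcfg file would not restore it; returns 1 if any.
check_promisc() {
    rc=0
    for ifc in "$@"; do
        cfg="/etc/sysconfig/network-scripts/ifcfg-$ifc"
        if ! flags=$(cat "/sys/class/net/$ifc/flags" 2>/dev/null); then
            echo "$ifc: no such interface" >&2; rc=1; continue
        fi
        flags_have_promisc "$flags" || { echo "$ifc: not promiscuous now (flags $flags)" >&2; rc=1; }
        ifcfg_persists_promisc "$cfg" || { echo "$ifc: PROMISC=yes missing from $cfg" >&2; rc=1; }
    done
    return $rc
}

# Typical use on the sensor, after the ifconfig and ifcfg changes above:
#   check_promisc eth2 eth3
```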
Prerequisite
If you are sitting behind a proxy, make sure you enter the following at a command line:
export http_proxy=http://username:password@proxy_ip:port
export https_proxy=http://username:password@proxy_ip:port
export ftp_proxy=http://username:password@proxy_ip:port
yum update -y
reboot
Download the necessary libdnet files from a browser and install them via rpm.
http://www.rpmfind.net/linux/rpm2html/search.php?query=libdnet-devel
http://rpmfind.net/linux/rpm2html/search.php?query=libdnet
rpm -i libdnet-1.12-9mgc30.x86_64.rpm
rpm -i libdnet-devel-1.12-9mgc26.i686.rpm
Install PCRE (Perl Compatible Regular Expressions) and the remaining prerequisite packages:
yum install pcre pcre-devel gcc make flex byacc bison kernel-devel libxml2-devel wget -y
mkdir /usr/local/src/snort
cd /usr/local/src/snort
wget http://www.snort.org/dl/snort-current/daq-2.0.0.tar.gz -O daq.tar.gz
tar zxvf daq.tar.gz
cd daq-*
./configure && make && make install
ldconfig -v
groupadd snort
useradd -g snort snort
Install Snort
cd /usr/local/src/snort
wget http://www.snort.org/dl/snort-current/snort-2.9.4.6.tar.gz -O snort.tar.gz
tar zxvf snort.tar.gz
cd snort-2*
./configure --prefix=/usr/local/snort --enable-sourcefire && make && make install
ln -s /usr/local/snort/bin/snort /usr/sbin/snort
ln -s /usr/local/snort/etc /etc/snort
cp rpm/snortd /etc/init.d/
chmod +x /etc/init.d/snortd
cp rpm/snort.sysconfig /etc/sysconfig/snort
chkconfig --add snortd
Delete everything between the following lines in the snort startup file
vi /etc/init.d/snortd
cd $LOGDIR
touch /var/lock/subsys/snort
Change and comment out the following variables in /etc/sysconfig/snort, and add a trailing / to the
LOGDIR variable:
vi /etc/sysconfig/snort
INTERFACE=eth2:eth3
LOGDIR=/var/log/snort/
#ALERTMODE=fast
#BINARY_LOG=1
You have to register on the Snort site to get the free Registered User rules,
or you can pay and get the most up-to-date rules as a Subscriber.
cd /usr/local/snort
tar zxvf /usr/local/src/snort/snortrules-snapshot-2*
mkdir -p /usr/local/snort/var/log
chown snort:snort /usr/local/snort/var/log
ln -s /usr/local/snort/var/log /var/log/snort
ln -s /usr/local/snort/lib/snort_dynamicpreprocessor /usr/local/lib/snort_dynamicpreprocessor
ln -s /usr/local/snort/lib/snort_dynamicengine /usr/local/lib/snort_dynamicengine
ln -s /usr/local/snort/lib/snort_dynamicrules /usr/local/lib/snort_dynamicrules
Comment out or delete all reputation preprocessor configuration lines from snort.conf
and configure the output plugin:
vi /usr/local/snort/etc/snort.conf
config daq: afpacket
config daq_dir: /usr/local/lib/daq
config daq_mode: inline
config policy_mode: inline
#preprocessor reputation: \
#   memcap 500, \
#   priority whitelist, \
#   nested_ip inner, \
#   whitelist $WHITE_LIST_PATH/white_list.rules, \
#   blacklist $BLACK_LIST_PATH/black_list.rules
mkdir /usr/local/snort/lib/snort_dynamicrules
On i386 system:
cp /usr/local/snort/so_rules/precompiled/RHEL-6-0/i386/2.9*/*so /usr/local/snort/lib/snort_dynamicrules/
On x86_64 system:
cp /usr/local/snort/so_rules/precompiled/RHEL-6-0/x86-64/2.9*/*so /usr/local/snort/lib/snort_dynamicrules/
vi /usr/local/snort/etc/snort.conf
include $SO_RULE_PATH/imap.rules
include $SO_RULE_PATH/misc.rules
include $SO_RULE_PATH/multimedia.rules
include $SO_RULE_PATH/netbios.rules
include $SO_RULE_PATH/nntp.rules
include $SO_RULE_PATH/p2p.rules
include $SO_RULE_PATH/smtp.rules
include $SO_RULE_PATH/snmp.rules
include $SO_RULE_PATH/specific-threats.rules
include $SO_RULE_PATH/web-activex.rules
include $SO_RULE_PATH/web-client.rules
include $SO_RULE_PATH/web-iis.rules
include $SO_RULE_PATH/web-misc.rules
Install Barnyard
Install MySQL
cd /usr/local/src/snort
git clone https://github.com/firnsy/barnyard2.git barnyard2
cd barnyard2
./autogen.sh
Configure Barnyard
On i386 system:
./configure --with-mysql
On x86_64 system:
./configure --with-mysql --with-mysql-libraries=/usr/lib64/mysql
Install Barnyard
cp rpm/barnyard2 /etc/init.d/
chmod +x /etc/init.d/barnyard2
cp rpm/barnyard2.config /etc/sysconfig/barnyard2
chkconfig --add barnyard2
ln -s /usr/local/etc/barnyard2.conf /etc/snort/barnyard.conf
ln -s /usr/local/bin/barnyard2 /usr/bin/
mkdir -p /var/log/snort/eth2/archive/
vi /etc/init.d/barnyard2
# chkconfig: 2345 70 60
BARNYARD_OPTS="-D -c $CONF -d $SNORTDIR/${INT} -w $WALDO_FILE -l $SNORTDIR/${INT} -a $ARCHIVEDIR -f $LOG_FILE -X $PIDFILE $EXTRA_ARGS"
vi /etc/sysconfig/barnyard2
LOG_FILE=snort.u2
chkconfig snortd on
chkconfig barnyard2 on
service snortd start
service barnyard2 start
Barnyard installation completed. Now that we have the Snort server running and Barnyard writing
Snort logs, we can install our Snort monitoring application, Snorby, to see and
analyze Snort data in a convenient web application.
Install Snorby
yum install libyaml-devel httpd git ImageMagick ImageMagick-devel libxml2-devel libxslt-devel gcc-c++ curl-devel httpd-devel apr-devel apr-util-devel readline-devel -y
If there are issues with libyaml-devel, go to pkgs.repoforge.org/libyaml and download the latest
libyaml and libyaml-devel rpm packages. Make sure the versions match. Install the libyaml package
first.
Because the ruby package fails on CentOS 4+, you will need to install Ruby via RVM.
cd ext/openssl/
ruby extconf.rb
make && make install
gem install thor i18n bundler tzinfo builder memcache-client rack rack-test erubis mail rack-mount rails --no-rdoc --no-ri
gem install rake --version=0.9.2 --no-rdoc --no-ri
gem uninstall rake --version=0.9.2.2
cd /usr/local/src/snort
For i386:
wget http://wkhtmltopdf.googlecode.com/files/wkhtmltopdf-0.9.9-static-i386.tar.bz2
tar jxvf wkhtmltopdf-0*
mv wkhtmltopdf-i386 /usr/local/bin/wkhtmltopdf
For x86_64:
wget http://wkhtmltopdf.googlecode.com/files/wkhtmltopdf-0.9.9-static-amd64.tar.bz2
tar jxvf wkhtmltopdf-0*
mv wkhtmltopdf-amd64 /usr/local/bin/wkhtmltopdf
chown root:root /usr/local/bin/wkhtmltopdf
cd /var/www/html/snorby/config/
mv database.yml.example database.yml
mv snorby_config.yml.example snorby_config.yml
vim database.yml
...
snorby: &snorby
  adapter: mysql
  username: root
  password: humus
  host: localhost
...
vim snorby_config.yml
...
production:
  domain: demo.snorby.org
  wkhtmltopdf: /usr/local/bin/wkhtmltopdf
  ssl: false
  mail_sender: snorby@snorby.org
  geoip_uri: http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz
  rules:
    - /usr/local/snort/rules
    - /usr/local/snort/so_rules
  authentication_mode: database
...
rake snorby:setup
Set the MySQL root password, then:
chkconfig --add mysqld
chkconfig mysqld on
service mysqld start
vi /etc/snort/barnyard.conf
Restart Barnyard
vi /etc/httpd/conf/httpd.conf
#<VirtualHost *:80>
#    ServerAdmin webmaster@dummy-host.example.com
#    DocumentRoot /www/docs/dummy-host.example.com
#    ServerName dummy-host.example.com
#    ErrorLog logs/dummy-host.example.com-error_log
#</VirtualHost>
<VirtualHost *:80>
    ServerAdmin admin@demo.com
    ServerName snorby.demo.com
    DocumentRoot /var/www/html/snorby/public
    <Directory /var/www/html/snorby/public>
        AllowOverride all
        Order deny,allow
        Allow from all
        Options -MultiViews
    </Directory>
</VirtualHost>
service httpd restart
chkconfig httpd on
If you get an error, run bundle install and bundle exec rake snorby:setup again
from the /var/www/html/snorby directory.
Pulled Pork
About
PulledPork is an open-source Perl script that can automatically update Snort rules.
PulledPork downloads signature files on the schedule set by the cron job. It should be noted that all
downloaded rules are placed in a single snort.rules file. This can be overwhelming if you like keeping
your Snort rules split by signature type. You cannot mix the snort.rules
file in the same directory with the Snort rules installed earlier, because you will end up
with duplicate signatures and SIDs.
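The duplicate-SID problem described above is easy to catch before Snort is reloaded. The following check is added here and is not part of the guide or of PulledPork: it finds SIDs defined by more than one active (uncommented) rule across the rule locations it is given, lists the offending files, and returns non-zero so it can gate a reload. The directories are arguments; on this build they would be /usr/local/snort/etc/rules and /usr/local/snort/so_rules. The rule files at the bottom are constructed demo input.

```shell
#!/bin/sh
# Added example, not part of the guide: report SIDs that appear in more than one
# active rule across the given rule files or directories.

# Print every SID defined by more than one active (uncommented) rule, one per line.
find_duplicate_sids() {
    grep -rhE '^[[:space:]]*(alert|log|pass|drop|reject|sdrop|activate|dynamic)[[:space:]]' "$@" 2>/dev/null \
        | grep -oE 'sid:[[:space:]]*[0-9]+' \
        | sed 's/sid:[[:space:]]*//' \
        | sort -n | uniq -d
}

# Return 0 when no SID is duplicated; otherwise list each duplicate with the
# files that define it and return 1, so a reload script can stop here.
check_rule_dirs() {
    dups=$(find_duplicate_sids "$@")
    [ -z "$dups" ] && return 0
    for sid in $dups; do
        echo "duplicate sid $sid defined in:" >&2
        grep -rlE "sid:[[:space:]]*$sid[[:space:]]*;" "$@" 2>/dev/null | sed 's/^/    /' >&2
    done
    return 1
}

# Constructed demo input: a local rule and a PulledPork snort.rules that reuse SID 1000001.
# A commented-out copy does not count, since Snort never loads it.
demo=$(mktemp -d)
printf 'alert tcp any any -> any 80 (msg:"local test"; sid:1000001; rev:1;)\n' > "$demo/local.rules"
printf 'alert tcp any any -> any 80 (msg:"pulled copy"; sid:1000001; rev:2;)\n' > "$demo/snort.rules"
printf '# alert tcp any any -> any 80 (msg:"disabled"; sid:1000002; rev:1;)\n' >> "$demo/snort.rules"
if check_rule_dirs "$demo"; then
    echo "rules are consistent; safe to reload snort"
else
    echo "fix duplicates before reloading snort" >&2
fi
rm -rf "$demo"
```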
Prerequisite
Snort installation
Install PulledPork
cd /usr/local/src/snort
wget http://pulledpork.googlecode.com/files/pulledpork-0.6.1.tar.gz -O pulledpork.tar.gz
cd /usr/local/snort
tar zxvf /usr/local/src/snort/pulledpork.tar.gz
mv pulledpork-0.6.1 pulledpork
vi /usr/local/snort/pulledpork/etc/pulledpork.conf
rule_path=/usr/local/snort/etc/rules/snort.rules
local_rules=/usr/local/snort/etc/rules/local.rules
# Path to the snort binary, we need this to generate the stub files
snort_path=/usr/local/snort/bin/snort
config_path=/usr/local/snort/etc/snort.conf
# This is the file that contains all of the shared object rules that pulledpork
# has processed, note that this has changed as of 0.4.0 just like the rules_path!
sostub_path=/usr/local/snort/etc/rules/so_rules.rules
pid_path=/var/run/snort_eth0.pid
vi /usr/local/snort/etc/snort.conf
mkdir /usr/local/snort/etc/rules
cp /usr/local/snort/rules/local.rules /usr/local/snort/etc/rules/
If you don't have a local rules file, create an empty one:
touch /usr/local/snort/etc/rules/local.rules
/usr/local/snort/pulledpork/pulledpork.pl -c /usr/local/snort/pulledpork/etc/pulledpork.conf
Schedule PulledPork to run every day. Add the following line to the end of the crontab file:
vi /etc/crontab
0 0 * * * root /usr/local/snort/pulledpork/pulledpork.pl -c /usr/local/snort/pulledpork/etc/pulledpork.conf
cd /var/www/html/snorby/config
vim snorby_config.yml
...
production:
  domain: demo.snorby.org
  wkhtmltopdf: /usr/local/bin/wkhtmltopdf
  ssl: false
  mail_sender: snorby@snorby.org
  geoip_uri: http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz
  rules:
    - /usr/local/snort/etc/rules
    - /usr/local/snort/so_rules
  authentication_mode: database
...
PulledPork installation completed. PulledPork will now run every day and update
your rules files from the Snort site.