
Snort, Barnyard2, Snorby and PulledPork Install on CentOS 6.

Overview
This is a complete installation guide for building a
Snort/Barnyard/Snorby/PulledPork server on CentOS 6.5.

Snort is the IDS/IPS. The below configuration is to put snort in inline mode as an
IPS. As such, you can write rules to block traffic. The Snort sensor in this case acts
as a router or firewall (if iptables is used).
Barnyard2 handles the snort logs thereby alleviating the logging process for snort.
Barnyard2 takes logs from snort and moves them into a mysql database so Snorby can
monitor them. This is also great for setting up remote snort/barnyard IDS/IPS
sensors. It allows the remote sensors to send logs to the central mysql database.
Snorby is the IDS/IPS monitoring system. It acts like a SIEM for the IDS/IPS sensors
and has a nice dashboard to view events.
PulledPork connects to www.snort.org and pulls down new signature files. You use a
cron job to determine how often this is performed.
Before installing
Ensure that both interfaces are set for promiscuous mode. My two interfaces are eth2
and eth3. You can use the following commands:
ifconfig eth2 promisc
ifconfig eth3 promisc
To make the change permanent, add the following to each interface configuration file
(ifcfg-eth2 and ifcfg-eth3):
cd /etc/sysconfig/network-scripts/
vi ifcfg-eth2
.
PROMISC=yes
.

SNORT Installation and Configuration
Snort can sniff your network and alert the IPS administrator, log and/or block traffic
based on the rule database if there is an attack on your network. It is an open-source
system built on libpcap, the library also used by tcpdump and Wireshark.
This installation guide can be used for installing inline Snort only, or as part of a series
for installing Snort, Barnyard, Snorby and PulledPork.

Prerequisite

If you are sitting behind a proxy, make sure you enter the following at a command
line:

export http_proxy=http://username:password@proxy_ip:port
export https_proxy=http://username:password@proxy_ip:port
export ftp_proxy=http://username:password@proxy_ip:port

Update your system using yum update and reboot

yum update -y
reboot

Download the necessary libdnet and libdnet-devel files from the pages below and install them via rpm.

http://www.rpmfind.net/linux/rpm2html/search.php?query=libdnet-devel
http://rpmfind.net/linux/rpm2html/search.php?query=libdnet

rpm -i libdnet-1.12-9mgc30.x86_64.rpm
rpm -i libdnet-devel-1.12-9mgc26.i686.rpm

Install PCRE (perl compatible regular expression files) and more prerequisite packages

yum install pcre pcre-devel gcc make flex byacc bison kernel-devel libxml2-devel wget -y

Create dir for Snort prerequisite sources.

mkdir /usr/local/src/snort
cd /usr/local/src/snort

Download and install libpcap.

wget http://www.tcpdump.org/release/libpcap-1.3.0.tar.gz -O libpcap.tar.gz
tar zxvf libpcap.tar.gz
cd libpcap-*
./configure && make && make install
echo /usr/local/lib >> /etc/ld.so.conf
ldconfig -v

Download and install DAQ

cd /usr/local/src/snort
wget http://www.snort.org/dl/snort-current/daq-2.0.0.tar.gz -O daq.tar.gz
tar zxvf daq.tar.gz
cd daq-*
./configure && make && make install
ldconfig -v

Create snort user and group

groupadd snort
useradd -g snort snort

Install Snort

Download and install Snort

cd /usr/local/src/snort
wget http://www.snort.org/dl/snort-current/snort-2.9.4.6.tar.gz -O snort.tar.gz
tar zxvf snort.tar.gz
cd snort-2*
./configure --prefix=/usr/local/snort --enable-sourcefire && make && make install

Create links for Snort files

ln -s /usr/local/snort/bin/snort /usr/sbin/snort
ln -s /usr/local/snort/etc /etc/snort

Configure Snort startup script to run at startup

cp rpm/snortd /etc/init.d/
chmod +x /etc/init.d/snortd
cp rpm/snort.sysconfig /etc/sysconfig/snort
chkconfig --add snortd

Delete everything between the following two lines in the snort startup file

vi /etc/init.d/snortd
cd $LOGDIR

touch /var/lock/subsys/snort

Add the following line below cd $LOGDIR

# Next line for inline mode
daemon /usr/sbin/snort -D -Q --daq afpacket -c /etc/snort/snort.conf -i eth2:eth3

Change the following variables in /etc/sysconfig/snort, comment out ALERTMODE and
BINARY_LOG, and add a trailing / to the LOGDIR variable

vi /etc/sysconfig/snort
INTERFACE=eth2:eth3
LOGDIR=/var/log/snort/
#ALERTMODE=fast
#BINARY_LOG=1

Download the Snort rules files from http://www.snort.org/snort-rules to /usr/local/src/snort

You have to register on the site in order to get the free Registered User rules,
or you can pay and get the most up-to-date rules as a Subscriber.

Extract the rules file into the newly created directory

cd /usr/local/snort
tar zxvf /usr/local/src/snort/snortrules-snapshot-2*

Create directory for snort logging

mkdir -p /usr/local/snort/var/log
chown snort:snort /usr/local/snort/var/log
ln -s /usr/local/snort/var/log /var/log/snort

Create links for dynamic rules files and directories

ln -s /usr/local/snort/lib/snort_dynamicpreprocessor /usr/local/lib/snort_dynamicpreprocessor
ln -s /usr/local/snort/lib/snort_dynamicengine /usr/local/lib/snort_dynamicengine
ln -s /usr/local/snort/lib/snort_dynamicrules /usr/local/lib/snort_dynamicrules

Set snort permissions

chown -R snort:snort /usr/local/snort

Comment out or delete all reputation preprocessor configuration lines from snort.conf
and configure the output plugin

vi /usr/local/snort/etc/snort.conf
config daq: afpacket
config daq_dir: /usr/local/lib/daq
config daq_mode: inline
config policy_mode: inline

#preprocessor reputation: \
#   memcap 500, \
#   priority whitelist, \
#   nested_ip inner, \
#   whitelist $WHITE_LIST_PATH/white_list.rules, \
#   blacklist $BLACK_LIST_PATH/black_list.rules

output unified2: filename snort.u2, limit 128

Create Dynamicrules directory

mkdir /usr/local/snort/lib/snort_dynamicrules

Copy dynamicrules files

o On i386 system
cp /usr/local/snort/so_rules/precompiled/RHEL-6-0/i386/2.9*/*so /usr/local/snort/lib/snort_dynamicrules/
o On x86_64 system
cp /usr/local/snort/so_rules/precompiled/RHEL-6-0/x86-64/2.9*/*so /usr/local/snort/lib/snort_dynamicrules/

Dump the stub rules

snort -c /usr/local/snort/etc/snort.conf --dump-dynamic-rules=/usr/local/snort/so_rules

Enable the snort dynamic rules configuration at the end of the snort.conf file

vi /usr/local/snort/etc/snort.conf

# dynamic library rules
include $SO_RULE_PATH/bad-traffic.rules
include $SO_RULE_PATH/chat.rules
include $SO_RULE_PATH/dos.rules
include $SO_RULE_PATH/exploit.rules
include $SO_RULE_PATH/icmp.rules
include $SO_RULE_PATH/imap.rules
include $SO_RULE_PATH/misc.rules
include $SO_RULE_PATH/multimedia.rules
include $SO_RULE_PATH/netbios.rules
include $SO_RULE_PATH/nntp.rules
include $SO_RULE_PATH/p2p.rules
include $SO_RULE_PATH/smtp.rules
include $SO_RULE_PATH/snmp.rules
include $SO_RULE_PATH/specific-threats.rules
include $SO_RULE_PATH/web-activex.rules
include $SO_RULE_PATH/web-client.rules
include $SO_RULE_PATH/web-iis.rules
include $SO_RULE_PATH/web-misc.rules

Test Snort configuration

snort -i eth2:eth3 -c /usr/local/snort/etc/snort.conf -T

Install Barnyard

Install MySQL (the server package is needed as well, since the mysqld service is started later for Snorby)

yum install mysql mysql-server mysql-devel git libtool -y

Download Barnyard and run autogen

cd /usr/local/src/snort
git clone https://github.com/firnsy/barnyard2.git barnyard2

cd barnyard2
./autogen.sh

Configure Barnyard
o On i386 system
./configure --with-mysql
o On x86_64 system
./configure --with-mysql --with-mysql-libraries=/usr/lib64/mysql

Install Barnyard

make && make install

Configure Barnyard start script to run at startup

cp rpm/barnyard2 /etc/init.d/
chmod +x /etc/init.d/barnyard2
cp rpm/barnyard2.config /etc/sysconfig/barnyard2
chkconfig --add barnyard2

Create links for Barnyard files and create archive directory

ln -s /usr/local/etc/barnyard2.conf /etc/snort/barnyard.conf
ln -s /usr/local/bin/barnyard2 /usr/bin/
mkdir -p /var/log/snort/eth2/archive/

Change the barnyard start order (the chkconfig line) and change -L to -l in the barnyard2
startup script on the BARNYARD_OPTS= line

vi /etc/init.d/barnyard2

# chkconfig: 2345 70 60

BARNYARD_OPTS="-D -c $CONF -d $SNORTDIR/${INT} -w $WALDO_FILE -l $SNORTDIR/${INT} -a $ARCHIVEDIR -f $LOG_FILE -X $PIDFILE $EXTRA_ARGS"

chkconfig barnyard2 reset

Edit LOG_FILE variable in Barnyard sysconfig file

vi /etc/sysconfig/barnyard2

LOG_FILE=snort.u2

Start Snort and Barnyard

chkconfig snortd on
chkconfig barnyard2 on
service snortd start
service barnyard2 start

Barnyard installation completed. Now that we have the Snort server and Barnyard writing
Snort logs, we can install our Snort monitoring application, Snorby, to see and
analyze Snort data in a convenient web application.

Install Snorby

Install apache and prerequisite packages

yum install libyaml-devel httpd git ImageMagick ImageMagick-devel libxml2-devel libxslt-devel gcc-c++ curl-devel httpd-devel apr-devel apr-util-devel readline-devel -y

If there are issues with libyaml-devel, go to pkgs.repoforge.org/libyaml and download the latest
libyaml and libyaml-devel rpm packages. Make sure the versions match. Install the libyaml package
first.

Because the ruby package fails on CentOS 4+, you will need to install Ruby via RVM

\curl -L https://get.rvm.io | bash -s head
/usr/local/rvm/bin/rvm get head
/usr/local/rvm/bin/rvm install 1.9.3
cd /usr/local/rvm/src/ruby-1.9.3-p194
./configure && make && make install

Install openssl extension

cd ext/openssl/
ruby extconf.rb
make && make install

Install gem dependencies

gem install thor i18n bundler tzinfo builder memcache-client rack rack-test erubis mail rack-mount rails --no-rdoc --no-ri
gem install rake --version=0.9.2 --no-rdoc --no-ri
gem uninstall rake --version=0.9.2.2

Download and install wkhtmltopdf

cd /usr/local/src/snort

For i386:

wget http://wkhtmltopdf.googlecode.com/files/wkhtmltopdf-0.9.9-static-i386.tar.bz2
tar jxvf wkhtmltopdf-0*
mv wkhtmltopdf-i386 /usr/local/bin/wkhtmltopdf

For x86_64:

wget http://wkhtmltopdf.googlecode.com/files/wkhtmltopdf-0.9.9-static-amd64.tar.bz2
tar jxvf wkhtmltopdf-0*

mv wkhtmltopdf-amd64 /usr/local/bin/wkhtmltopdf
chown root:root /usr/local/bin/wkhtmltopdf

Download and configure Snorby

cd /var/www/html
git clone https://github.com/Snorby/snorby.git
cd /var/www/html/snorby/config
bundle install

Configure the Snorby database and Snorby configuration files. Note that this example points
Snorby at the MySQL root account; a dedicated MySQL user limited to the snorby database is the
safer choice.

cd /var/www/html/snorby/config/
mv database.yml.example database.yml
mv snorby_config.yml.example snorby_config.yml
vim database.yml

.
snorby: &snorby
  adapter: mysql
  username: root
  password: humus
  host: localhost
.
vim snorby_config.yml
.
production:
  domain: demo.snorby.org
  wkhtmltopdf: /usr/local/bin/wkhtmltopdf
  ssl: false
  mail_sender: snorby@snorby.org
  geoip_uri: http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz
  rules:
    - /usr/local/snort/rules
    - /usr/local/snort/so_rules
  authentication_mode: database
.

Complete the Snorby installation and setup

cd /var/www/html/snorby
rake snorby:setup
chown -R apache:apache /var/www/html/snorby

Set the MySQL root password

chkconfig --add mysqld
chkconfig mysqld on
service mysqld start
mysqladmin password humus

Configure Barnyard to output alerts to snorby database

vi /etc/snort/barnyard.conf

output database: log, mysql, user=root password=humus dbname=snorby host=localhost

Restart Barnyard

service barnyard2 stop
service barnyard2 start

Install the Passenger module for apache

gem install passenger
cd /usr/local/lib/ruby/gems/1.9.1/gems/passenger-4.0.35/bin
./passenger-install-apache2-module

Configure and restart apache

vi /etc/httpd/conf/httpd.conf

#<VirtualHost *:80>
#    ServerAdmin webmaster@dummy-host.example.com
#    DocumentRoot /www/docs/dummy-host.example.com
#    ServerName dummy-host.example.com
#    ErrorLog logs/dummy-host.example.com-error_log
#    CustomLog logs/dummy-host.example.com-access_log common
#</VirtualHost>

LoadModule passenger_module /usr/local/lib/ruby/gems/1.9.1/gems/passenger-4.0.35/buildout/apache2/mod_passenger.so

<IfModule mod_passenger.c>
    PassengerRoot /usr/local/lib/ruby/gems/1.9.1/gems/passenger-4.0.35
    PassengerDefaultRuby /usr/local/bin/ruby
</IfModule>

<VirtualHost *:80>
    ServerAdmin admin@demo.com
    ServerName snorby.demo.com
    DocumentRoot /var/www/html/snorby/public
    <Directory /var/www/html/snorby/public>
        AllowOverride all
        Order deny,allow
        Allow from all
        Options -MultiViews
    </Directory>
</VirtualHost>

service httpd restart
chkconfig httpd on

Browse to http://<ip_address> and log in to Snorby with the default username/password

snorby@snorby.org/snorby

Change this default password after the first login.

If you get an error, run bundle install and bundle exec rake snorby:setup again
from the /var/www/html/snorby directory.

Also, if the Snorby worker is not running, run:

cd /var/www/html/snorby
ruby script/delayed_job start RAILS_ENV=production

Pulled Pork
About

PulledPork is an open-source Perl script that can automatically update Snort rules.
PulledPork downloads signature files based on the cron job. It should be noted that all
rules are placed in a single snort.rules file. This can be overwhelming if you like keeping
your Snort rules split based on the type of signature. You cannot mix the snort.rules
file in the same directory with the Snort rules installed earlier because you will end up
with duplicate signatures and SIDs.
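The duplicate-SID problem described above can be checked for before Snort is restarted. The shell function below is an added example, not part of this guide: it scans every .rules file under the directories passed as arguments, prints each SID that appears more than once together with the files it lives in, and returns non-zero when a duplicate exists. It assumes nothing about the layout beyond the .rules suffix.

```shell
#!/bin/sh
# Added example, not from the guide. Report Snort SIDs that occur more than once
# across the .rules files under the given directories (e.g. PulledPork's
# snort.rules mixed with the per-category files). Commented-out rules are ignored.
# Usage: find_duplicate_sids DIR [DIR...]
# Output: one line per duplicate, "SID: file1 file2 ..."; non-zero exit if any found.
find_duplicate_sids() {
    find "$@" -type f -name '*.rules' -print0 2>/dev/null |
    xargs -0 awk '
        # skip comments and blank lines: only active rules can collide
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        match($0, /sid:[[:space:]]*[0-9]+/) {
            sid = substr($0, RSTART + 4, RLENGTH - 4)
            gsub(/[[:space:]]/, "", sid)
            seen[sid]++
            # remember each file a SID lives in, once per file
            if (!((sid, FILENAME) in listed)) {
                listed[sid, FILENAME] = 1
                files[sid] = files[sid] " " FILENAME
            }
        }
        END {
            dup = 0
            for (sid in seen)
                if (seen[sid] > 1) { dup = 1; print sid ":" files[sid] }
            exit dup
        }'
}
```

Run it against the old rules directory and the PulledPork rules directory together; a clean result means the two sets can coexist in snort.conf without SID collisions.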

Prerequisite

Snort installation

Install perl modules

yum install perl-Crypt-SSLeay perl-libwww-perl perl-Archive-Tar -y

Install PulledPork

Download and extract PulledPork

cd /usr/local/src/snort
wget http://pulledpork.googlecode.com/files/pulledpork-0.6.1.tar.gz -O pulledpork.tar.gz
cd /usr/local/snort
tar zxvf /usr/local/src/snort/pulledpork.tar.gz
mv pulledpork-0.6.1 pulledpork

Generate an Oinkcode at the Snort web site

o If you are not already registered on the Snort web site, do so now
at https://www.snort.org/signup
o Log in to the Snort web site
o Go to the Snort home page and click on Get Snort Oinkcode at the bottom in the
Snort Links section
o Click Generate Code and copy your new Oinkcode

Change the following in the PulledPork configuration file

vi /usr/local/snort/pulledpork/etc/pulledpork.conf

rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<paste your Oinkcode here>

# get the rule docs!
#rule_url=https://www.snort.org/reg-rules/|opensource.gz|
#rule_url=https://rules.emergingthreats.net/|emerging.rules.tar.gz|open
# THE FOLLOWING URL is for etpro downloads, note the tarball name change!
# and the et oinkcode requirement!
#rule_url=https://rules.emergingthreats.net/|etpro.rules.tar.gz|

rule_path=/usr/local/snort/etc/rules/snort.rules

local_rules=/usr/local/snort/etc/rules/local.rules

# Where should I put the sid-msg.map file?
sid_msg=/usr/local/snort/etc/sid-msg.map

# Path to the snort binary, we need this to generate the stub files
snort_path=/usr/local/snort/bin/snort

# We need to know where your snort.conf file lives so that we can
# generate the stub files
config_path=/usr/local/snort/etc/snort.conf

# This is the file that contains all of the shared object rules that pulledpork
# has processed, note that this has changed as of 0.4.0 just like the rules_path!
sostub_path=/usr/local/snort/etc/rules/so_rules.rules

# For CentOS 6.x you can use RHEL-6-0
distro=Ubuntu-10.04

# Must match the PID file your snort instance writes (snort_<interface>.pid)
pid_path=/var/run/snort_eth0.pid

Change the RULE_PATH variable in the snort configuration file

vi /usr/local/snort/etc/snort.conf

var RULE_PATH /usr/local/snort/etc/rules

Remove all snort include rules lines (the pattern is quoted so the shell does not expand $RULE_PATH)

sed -i '/^include \$RULE_PATH/d' /usr/local/snort/etc/snort.conf

Add the following include files to the snort configuration file

echo include \$RULE_PATH/snort.rules >> /usr/local/snort/etc/snort.conf
echo include \$RULE_PATH/local.rules >> /usr/local/snort/etc/snort.conf
echo include \$RULE_PATH/so_rules.rules >> /usr/local/snort/etc/snort.conf
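The three edits above (RULE_PATH change, removing the per-category includes, adding the PulledPork includes) can be applied as one idempotent step that keeps a backup and verifies the result. This is an added example, not the guide's own commands; the snort.conf path and the rules directory are passed as arguments, with the guide's /usr/local/snort/etc/rules as the default.

```shell
#!/bin/sh
# Added example, not from the guide. $1 = path to snort.conf,
# $2 = PulledPork rules directory (default: the guide's /usr/local/snort/etc/rules).
switch_to_pulledpork_includes() {
    conf=$1
    rule_dir=${2:-/usr/local/snort/etc/rules}
    cp "$conf" "$conf.bak.$(date +%Y%m%d%H%M%S)"   # keep a backup before editing
    # Point RULE_PATH at the directory PulledPork writes into.
    sed -i "s|^var RULE_PATH .*|var RULE_PATH $rule_dir|" "$conf"
    # Remove every per-category include. Single quotes matter: unquoted, the
    # shell would expand $RULE_PATH to nothing and the pattern would then
    # match every include line, the $SO_RULE_PATH ones included.
    sed -i '/^include \$RULE_PATH\//d' "$conf"
    # Re-add the three files PulledPork maintains. Safe to re-run: the deletion
    # above already removed any copies from a previous run.
    for f in snort.rules local.rules so_rules.rules; do
        printf 'include $RULE_PATH/%s\n' "$f" >> "$conf"
    done
}

# Sanity check after the rewrite: prints the number of $RULE_PATH includes,
# which should be exactly 3 (snort.rules, local.rules, so_rules.rules).
count_rule_includes() {
    grep -c '^include \$RULE_PATH/' "$1"
}
```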

Create rules directory

mkdir /usr/local/snort/etc/rules

Create your local rules file


o If you have one, copy it

cp /usr/local/snort/rules/local.rules /usr/local/snort/etc/rules/
o If you don't have a local rules file then create an empty one
touch /usr/local/snort/etc/rules/local.rules

Run PulledPork for the first time

/usr/local/snort/pulledpork/pulledpork.pl -c /usr/local/snort/pulledpork/etc/pulledpork.conf

Schedule PulledPork to run every day. Add the following line to the end of the crontab file

vi /etc/crontab

0 0 * * * root /usr/local/snort/pulledpork/pulledpork.pl -c /usr/local/snort/pulledpork/etc/pulledpork.conf

You will also need to change your snorby_config.yml file

cd /var/www/html/snorby/config
vim snorby_config.yml
.
production:
  domain: demo.snorby.org
  wkhtmltopdf: /usr/local/bin/wkhtmltopdf
  ssl: false
  mail_sender: snorby@snorby.org
  geoip_uri: http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz
  rules:
    - /usr/local/snort/etc/rules
    - /usr/local/snort/so_rules
  authentication_mode: database
.

PulledPork installation completed. Now every day PulledPork will run and update
your rules files from Snort site.
