In this post i’m going to detail my experience with installing Snorby , a GUI for Snort. I first hopped into installing Snorby (having Snort installed) and thinking that’s it, but it turned out that several other software are were required for a Snorby-Snort system to work properly. I managed to do this relating to other tutorials (which can be found at the end of the post) but i have added what kind of errors i stumbled upon.
- Webserver related (apache2, php5, mysql-server)
I have ran into several problems related to operating system version and architecture. I have tried solving them, but everytime something new would pop-up. I managed to install everything i needed on Ubuntu Server 12.04.3 (the latest) 32bit version on a VirtualBox machine and everything went ok from here. (after trying Debian 7 32 and 64bit, Ubuntu desktop 64bits and wastubg a lot of hours).
I’m going to start showing how i installed each of them, presuming that you already have an webserver set up. If not just run the following command to install all that’s necesary:
apt-get install apache2 php5 php5-mysql mysql-server phpmyadmin
apt-get install snort
output unified2: filename merged.log, limit 128
After rebooting verify if snort has already started ( ps -ef | grep snort ) . If not, just start it manually
Check if there are any merged.log files (they will probably be something like merged.log.13800088312) in the log files
If it’s there, everythig is ok, if not check the latest lines in /var/log/syslog and see if you can relate to anything or if something is “googleable”.
apt-get install libcrypt-ssleay-perl liblwp-protocol-https-perl
Get the script from the official source, place it in the proper directory and set the proper permision so that it will be executable
cd /usr/local/bin && wget http://pulledpork.googlecode.com/svn/trunk/pulledpork.pl
chmod 755 pulledpork.pl
Generate yourself an oinkcode from the Snort website, after creating an account
Create configuration folder, download and modify configuration file to suit your needs. You can get my version (the 1st one) where you simply add your oinkcode and change (if necesary) the version, or you can get the default configuration file (if you want to read everything and have to add/uncomment lines)
mkdir /etc/pulledpork && cd /etc/pulledpork
wget -O pulledpork.conf http://pastebin.com/raw.php?i=D0xf2SQw
Modify the Snort configuration file
Look for the line ( ctrl+w and then type: ) “dynamicdetection directory /usr/lib/snort_dynamicrules” (without quotations) and uncomment it. Now create the appropiate folder (mkdir /usr/lib/snort_dynamicrules). Now add the following line, doesn’t matter where but better put it between the lines starting with “portvar” , after the one with HTTP_PORTS:
portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143]
Save the file (ctrl+x , enter). Now, we have to remove the old “include rule” lines and add the new ones:
sed -i ‘/^include $RULE_PATH/d’ /etc/snort/snort.conf
echo “include $RULE_PATH/snort.rules” >> /etc/snort/snort.conf
echo “include $RULE_PATH/local.rules” >> /etc/snort/snort.conf
Delete the current rules so that pulledpork will download the new ones. Read the next line after the command before issuing the command.
When i did this, barnyard2 complained about not finding the local.rules file. I just created a blank one and left it like that. You can also do that, or you can choose not to delete it in the first place.
Run pulledpork. I first got an error here. If you also get one it’s most likely because of the pulledpork.conf file, where the version might not be the one your are using.
pulledpork.pl -c /etc/pulledpork/pulledpork.conf
After each update like this, restart snort. If you get any errors check /var/log/syslog to see what’s happening. The first time it didn’t work for me because i didn’t had the local.rules file i mentioned earlier.
We are going to build it from source so we will need some software and libraries
apt-get install build-essential libtool autoconf git libpcap-dev libmysqld-dev libprelude-dev
Getting the latest version from git
git clone git://github.com/firnsy/barnyard2.git
./configure –with-mysql –with-mysql-libraries=/usr/lib/i386-linux-gnu –enable-prelude –prefix=$HOME/barnyard2-install
At the ./configure line i got an error saying ” unable to find mysqlclient library” . This is because you either don’t have mysql installed or you haven’t specified where to look for the library. For 64 bit servers the path would be “/usr/lib/x86_64-linux-gnu” and for 32 bit servers “/usr/lib/i386-linux-gnu”. If you keep getting the same error even if you tried the correct path, try locating where would they be by issuing the next command. If you have LAMP installed (like i had) it would most likely detect the library files from LAMP in /opt/ but i don’t think that’s what you really want.
If you ran the command as root, the folder will be created in /root/ . If you ran it as a normal user it will be in your normal home folder (/home/user/)/ Now you should see several lines showing you the structure of the barnyard2-install folder. The executable can be found in barnyard2-install/bin/
Create the database for barnyard2. I did this via phpmyadmin but it also can be done via the command line. You can name it anyway you want, but i opted for a name related to the process (snort). You can also create a new user that will have all the privileges over the new database. I didn’t create a new and i used root. This may not be what you want in terms of security, but this is up to you.
Now get the script that will set up your database tables and run it against the newly created database. Replace <user> with your user (in my case , it was root) and the <DBNAME> with your newly created database (my case – snort)
mysql -u <user> -p <DBNAME> < create_mysql
Create the config file for barnyard and adapt it to your instalation
cat > /etc/snort/barnyard2.conf << config reference_file: /etc/snort/reference.config config classification_file: /etc/snort/classification.config config gen_file: /etc/snort/gen-msg.map config sid_file: /etc/snort/sid-msg.map config logdir: /var/log/snort config hostname: ubuntuids config interface: eth0 config daemon config waldo_file: /var/log/snort/barnyard2.waldo input unified2 output database: log, mysql, user=<USERNAME> password=<PASSWORD> dbname=<DBNAME> host=127.0.0.1 # if you want to have to forward alerts also to syslog, uncomment the following 2 lines. #output alert_syslog_full: sensor_name snortIds1-eth1, local #output log_syslog_full: sensor_name snortIds1-eth1, local, log_priority LOG_CRIT EOF
Run barnyard2. Remember that the executable is in the barnyard2-install/bin/ folder.
./barnyard2 -c /etc/snort/barnyard2.conf -f merged.log
At first, you will see an output for several seconds and then the script will exit. This is ok, because as you can see above, it is configured to run as a daemon. Initially, it worked for me, i could see the process running (ps -ef | grep barnyard2) but after a few minutes the process would disappear and i would get some errors in my syslog, saying that the barnyard2.waldo can’t be found. If this happens to you, you need to create the waldo file and adjust the run command:
chown root.root /var/log/snort/barnyard2.waldo
./barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f merged.log -w /var/log/snort/barnyard2.waldo
First get your prerequisites. Be carefull with the ruby version you are installing because that led me to countless errors. 1.9.3 is the one you want to use.
apt-get install imagemagick wkhtmltopdf ruby1.9.3 libyaml-dev libxml2-dev libxslt1-dev zlib1g-dev build-essential openssl libssl-dev libmysqlclient-dev libreadline6-dev
gem install rails –no-ri –no-rdoc && gem update
Get the latest Snorby version from git
git clone http://github.com/Snorby/snorby.git
cd snorby && bundle install
At this stage i’ve encountered those errors i was talking about earlier. One example is with RedCloth. This was simply version dependent and i barely figured it out.
The Redcloth issue was because i was using the 1.9.1 version.
- ” an error occurred while installing nokogiri 1.5.9″ . Solved it by installing:
apt-get install libxslt-dev libxml2-dev
- “an error occurred while installing do_mysql (0.10.12)” . Solved it by installing:
apt-get install libmysqlclient-dev
Create the necesary configuration files. You already have example of them in the folder. The first one is database.yml (and the example file is database.yml.example) :
# Snorby Database Configuration # # Please set your database password/user below # NOTE: Indentation is important. # snorby: &snorby adapter: mysql username: snorby password: "s3cr3t" host: 127.0.0.1 # or the IP of your database server development: database: snorby <
And the second is snorby_config.yml (and the example file is snorby_config.yml.example) :
production: domain: 'snorby.yourdomain.com' # can be changed to your domain wkhtmltopdf: /usr/bin/wkhtmltopdf # correct for Ubuntu 12.04 ssl: false mailer_sender: '[email protected]' # can be changed geoip_uri: "http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz" rules: - "" authentication_mode: database
As you can see in the config files, there is a new database name and a new user. Create them accordingly to the files.
Finalize instalation and start server
bundle exec rake snorby:setup
bundle exec rails server -e production
The server should now be accesible on your machine on port 3000. The default login credentials are ‘[email protected]’ and ‘snorby’ .
Linking barnyard2 with Snorby so that we can see the events and alerts in the GUI. Add the following line to your /etc/snort/barnyard2.conf file:
output database: log, mysql, user=snorby password=s3cr3t dbname=snorby host=localhost
After this i just rebooted my machine and started barnyard2 again. I logged in Snorby (localhost:3000) and i could see events popping up.
It took a while before i actually got this working and googled/solved all the errors. If it still doesn’t work for you check your log files (specifically /var/log/syslog) . What you see in there is most likely going to get you starting in fixing it. Anyway, i don’t recommend anybody doing this. It’s just too time consuming and its causing too many headaches before it actually works (if it works). I recommend using an already deployed solution like EasyIDS.
Props for the base tutorial