https://es.oteric.info/articles/how-to-install-snort-barnyard2-snorby-passenger-and-pulled-pork
Set up a Source directory in your home directory and then install some of the required packages that you'll need:
# mkdir ~/Source
# sudo chown -R username:usergroup ~/Source
note: when you run the below command, Apt will require input – for example MySQL will ask for you to enter a “root” password for the MySQL server. Make it secure and don’t forget it.
# sudo apt-get update && sudo apt-get install apache2 libapache2-mod-php5 libwww-perl mysql-server mysql-common mysql-client \
    php5-mysql libnet1 libnet1-dev libpcre3 libpcre3-dev autoconf libcrypt-ssleay-perl libmysqlclient-dev php5-gd php-pear \
    libphp-adodb php5-cli libtool libssl-dev gcc-4.4 g++ automake gcc make flex bison apache2-doc ca-certificates vim
Now, install the Snort prerequisites: libpcap, libdnet, and DAQ.
Install libpcap:
# cd ~/Source
# wget http://www.tcpdump.org/release/libpcap-1.1.1.tar.gz
# tar -zxf libpcap-1.1.1.tar.gz
# cd libpcap-1.1.1
# ./configure --prefix=/usr --enable-shared
# sudo su
# make && make install
# exit
Install libdnet:
# cd ~/Source
# wget http://libdnet.googlecode.com/files/libdnet-1.12.tgz
# tar -zxf libdnet-1.12.tgz
# cd libdnet-1.12
# ./configure --prefix=/usr --enable-shared
# sudo su
# make && make install
# exit
Install DAQ:
# cd ~/Source
# wget http://www.snort.org/dl/snort-current/daq-0.5.tar.gz
# tar -zxf daq-0.5.tar.gz
# cd daq-0.5
DAQ needs to be patched to properly recognize the buffer_size parameter.
# vi ~/Source/daq-0.5/os-daq-modules/daq_pcap.c
on line 219 replace:
context->buffer_size = strtol(entry->key, NULL, 10);
with:
context->buffer_size = strtol(entry->value, NULL, 10);
Now, configure and install DAQ:
# ./configure
# sudo su
# make && make install
# exit
Update the shared library path:
# sudo su
# echo /usr/lib >> /etc/ld.so.conf && ldconfig
# exit
Now, install, configure & start Snort:
# cd ~/Source
# wget http://www.snort.org/dl/snort-current/snort-2.9.0.4.tar.gz
# tar -zxf snort-2.9.0.4.tar.gz && cd snort-2.9.0.4
# ./configure --with-mysql --enable-dynamicplugin --enable-perfprofiling --enable-ipv6 --enable-zlib --enable-gre --enable-reload --enable-linux-smp-stats
# sudo su
# make && make install
# exit
# sudo mkdir /etc/snort /etc/snort/rules /var/log/snort /var/log/barnyard2 /usr/local/lib/snort_dynamicrules
# sudo groupadd snort && sudo useradd -g snort snort
# sudo chown snort:snort /var/log/snort /var/log/barnyard2
# sudo cp ~/Source/snort-2.9.0.4/etc/*.conf* /etc/snort
# sudo cp ~/Source/snort-2.9.0.4/etc/*.map /etc/snort
Now, we need to make some changes to the snort configuration file:
# sudo vi /etc/snort/snort.conf
Change these lines:
Line #39 - ipvar HOME_NET 192.168.1.0/24 – make this match your internal (friendly) network
Line #42 - ipvar EXTERNAL_NET !$HOME_NET
Line #80 - var RULE_PATH ./rules – this assumes /etc/snort/rules
Line #186-#190 - comment out all of the preprocessor normalize_ lines
Line #366 - add this: output unified2: filename snort.log, limit 128
Line #395 - delete or comment out all of the “include $RULE_PATH” lines except “local.rules”
Now, enter a simple test rule that we can trigger with ping:
# sudo vi /etc/snort/rules/local.rules
Add the following rule at the bottom of the local.rules file:
alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:10000001;)
Now we can start and test snort.
# sudo /usr/local/bin/snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0
Ping the management IP address from another machine, and alerts should be printed to the console like this:
02/09-11:29:43.450236 [**] [1:10000001:0] ICMP test [**] [Priority: 0] {ICMP} 172.26.12.1 -> 172.26.12.2
02/09-11:29:43.450251 [**] [1:10000001:0] ICMP test [**] [Priority: 0] {ICMP} 172.26.12.2 -> 172.26.12.1
02/09-11:29:44.450949 [**] [1:10000001:0] ICMP test [**] [Priority: 0] {ICMP} 172.26.12.1 -> 172.26.12.2
02/09-11:29:44.450957 [**] [1:10000001:0] ICMP test [**] [Priority: 0] {ICMP} 172.26.12.2 -> 172.26.12.1
If you see those alerts, then you have Snort working... Use ctrl-c to kill snort.
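As an added example (not from the original article), here is a small shell summariser for the console alert format shown above: it counts alerts per signature, source and destination, and flags sources that reach a threshold. The sample lines are constructed to match the page's output; the function names are my own.

```shell
#!/bin/sh
# Added example: summarise Snort "-A console" alert lines per signature/source
# and flag chatty sources. Not part of the original article.

# Constructed sample in the format Snort prints with -A console.
SAMPLE_ALERTS='02/09-11:29:43.450236 [**] [1:10000001:0] ICMP test [**] [Priority: 0] {ICMP} 172.26.12.1 -> 172.26.12.2
02/09-11:29:43.450251 [**] [1:10000001:0] ICMP test [**] [Priority: 0] {ICMP} 172.26.12.2 -> 172.26.12.1
02/09-11:29:44.450949 [**] [1:10000001:0] ICMP test [**] [Priority: 0] {ICMP} 172.26.12.1 -> 172.26.12.2
02/09-11:29:44.450957 [**] [1:10000001:0] ICMP test [**] [Priority: 0] {ICMP} 172.26.12.2 -> 172.26.12.1
02/09-11:29:45.000001 [**] [1:10000001:0] ICMP test [**] [Priority: 0] {ICMP} 172.26.12.1 -> 172.26.12.2'

# summarize_alerts: reads alert lines on stdin and prints "count sid proto src dst",
# one line per distinct (sid, src, dst), highest count first. The message text may
# contain spaces, so the tail of the line ({PROTO} src -> dst) is read from the end;
# lines without the "[**]" markers (banner, blank lines) are skipped.
summarize_alerts() {
  awk '
    $2 == "[**]" && NF >= 11 {
      sid = $3                                   # "[1:10000001:0]" -> gid:sid:rev
      sub(/^\[[0-9]+:/, "", sid); sub(/:[0-9]+\]$/, "", sid)   # keep only the sid
      proto = $(NF-3); gsub(/[{}]/, "", proto)   # "{ICMP}" -> ICMP
      key = sid " " proto " " $(NF-2) " " $NF    # sid proto src dst
      n[key]++
    }
    END { for (k in n) print n[k], k }
  ' | sort -rn
}

# noisy_sources THRESHOLD: prints every source address whose total alert count
# (any signature) reaches THRESHOLD, a crude "one host is tripping the sensor" check.
noisy_sources() {
  awk -v t="$1" '
    $2 == "[**]" && NF >= 11 { n[$(NF-2)]++ }
    END { for (s in n) if (n[s] >= t) print s }
  ' | sort
}

# Stand-alone run on the constructed sample.
printf '%s\n' "$SAMPLE_ALERTS" | summarize_alerts
printf '%s\n' "$SAMPLE_ALERTS" | noisy_sources 3
```

For TCP/UDP alerts the address tokens carry a port (ip:port), so the summary then keys on address and port rather than on the bare host.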
You will need to set up a MySQL database for Barnyard2 to be able to log the Snort events. (You'll want to skip this step if you're installing Snorby too, because Snorby creates all the necessary Snort tables as well as the Snorby-specific tables.)
So, log into MySQL and get the snort database all set up:
# mysql -u root -p
mysql> create database snort;
mysql> grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort.* to snort@localhost;
mysql> grant ALL on snort.* to snorby@localhost;
mysql> SET PASSWORD FOR snort@localhost=PASSWORD('password');
mysql> SET PASSWORD FOR snorby@localhost=PASSWORD('password');
mysql> exit
Now we have to import the database schema:
# mysql -u root -p
mysql> use snort;
mysql> show tables; # you should see the list of new tables you just imported.
mysql> exit;
Additional MySQL configurations:
# vi /etc/mysql/my.cnf
Change the bind-address to localhost:
bind-address = localhost
Now, we have to make sure that MySQL creates a pid file to track its own process id (this is needed by the snortbarn startup script explained later in this document).
Open /etc/mysql/my.cnf again and look for the third instance of this line (under the Basic Settings area):
socket = /var/run/mysqld/mysqld.sock
Add this line below the third instance of the socket line:
pid-file = /var/run/mysqld/mysqld.pid
Save my.cnf then run these two commands:
# touch /var/run/mysqld/mysqld.pid
# chown mysql:mysql /var/run/mysqld/mysqld.pid
Now, install the Snorby prerequisites:
# sudo apt-get install gcc g++ build-essential libssl-dev libreadline5-dev zlib1g-dev linux-headers-generic libsqlite3-dev \
    libxslt-dev libxml2-dev libyaml-0-2 libyaml-dev libtcltk-ruby
Install the latest stable release of Ruby (as of this writing):
# wget http://ftp.ruby-lang.org//pub/ruby/1.9/ruby-1.9.2-p180.tar.gz
# tar -xvzf ruby-1.9.2-p180.tar.gz && cd ruby-1.9.2-p180
# ./configure
# sudo su
# make && make install
# exit
Now, install MySQL, git support and ImageMagick:
# sudo apt-get install imagemagick git-core libmysqlclient-dev mysql-server libmagickwand-dev
Install the gems needed by Snorby:
# sudo gem install tzinfo builder memcache-client rack rack-test erubis mail text-format bundler thor i18n sqlite3-ruby
# sudo gem install rack-mount --version=0.6.0
# sudo gem install rails --version=3.0.5
# sudo gem update
Install a pre-compiled version of wkhtmltopdf:
# cd ~/Source
# wget http://dl.dropbox.com/u/38088/wkhtmltopdf
# sudo cp wkhtmltopdf /usr/bin/
Now, install and configure Snorby.
Pull down the latest version of Snorby:
# cd /var/www
# sudo mkdir -p /var/www/snorby
# sudo adduser --system --home /var/www/snorby/ --no-create-home --group --shell /bin/bash snorby
# sudo usermod -a -G snorby www-data
# sudo git clone http://github.com/Snorby/snorby.git /var/www/snorby && cd /var/www/snorby
Install all the other gems by running the following:
# sudo bundle update
# sudo bundle pack
# sudo bundle install --path vendor/cache
# sudo chown -R www-data:www-data /var/www/snorby/
# sudo apache2ctl restart
# sudo vi /var/www/snorby/config/database.yml
The database.yml file should look something like this (with the real password substituted for 'password'; the three environments merge the shared snorby block via the YAML anchor):
snorby: &snorby
  adapter: mysql
  username: snorby
  password: password
  host: localhost

development:
  database: snort
  <<: *snorby

test:
  database: snort
  <<: *snorby

production:
  database: snort
  <<: *snorby
Then, configure Snorby system mail:
# sudo vi /var/www/snorby/config/email.yml
It should look something like this:
production:
  :address: smtp.domain.com
  :port: 25
  :authentication: plain
  :user_name: user
  :password: pass
Then, configure the mail initializer:
# sudo vi /var/www/snorby/config/initializers/mail_config.rb
Add the following block of code above the perform_deliveries call (or use the other example if you're not using sendmail):
ActionMailer::Base.delivery_method = :sendmail
ActionMailer::Base.sendmail_settings = {
  :location => '/usr/sbin/sendmail',
  :arguments => '-i -t'
}
Also, don't forget to fix the /var/www/snorby/config/snorby_config.yml file:
development:
  domain: snorby.crypsoft.com
  wkhtmltopdf: /usr/bin/wkhtmltopdf

test:
  domain: snorby.crypsoft.com
  wkhtmltopdf: /usr/bin/wkhtmltopdf

production:
  domain: snorby.crypsoft.com
  wkhtmltopdf: /usr/bin/wkhtmltopdf
If this is the first time setting up Snorby, then run this command to create the database schemas according to the database.yml settings:
# rake snorby:setup RAILS_ENV=production
If this isn't the first time setting up Snorby, then run this command (ALL DATA WILL BE LOST):
# rake snorby:reset RAILS_ENV=production
Now the snort table should be set up and ready to receive events from barnyard2.
Now, install and configure barnyard2:
# cd ~/Source
# wget http://www.securixlive.com/download/barnyard2/barnyard2-1.9.tar.gz
# tar -zxf barnyard2-1.9.tar.gz && cd barnyard2-1.9
# ./configure --with-mysql
# sudo su
# make && make install
# exit
# sudo mv /usr/local/etc/barnyard2.conf /etc/snort
# sudo vi /etc/snort/barnyard2.conf
Uncomment lines 60 and 61 and set them to the appropriate values for your environment:
config hostname: uboxee
config interface: eth0
Uncomment line 65 so that the hostname and interface will be included in alerts:
config alert_with_interface_name
Change line #215 to:
output alert_fast
At the end of the file add this line, filling in the MySQL password you set for the snort user after password=:
output database: log, mysql, user=snort password= dbname=snort host=localhost
Now start snort and barnyard2 with these commands:
# sudo /usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth0 &
# sudo /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf \
    -d /var/log/snort -f snort.log -w /etc/snort/bylog.waldo \
    -G /etc/snort/gen-msg.map -S /etc/snort/sid-msg.map \
    -C /etc/snort/classification.config &
To see if it's working, ping the machine to see if anything gets output to the console by barnyard.
If it's working you can go ahead and stop snort and barnyard:
# sudo pkill snort
# sudo pkill barnyard2
Now, check to see if barnyard is correctly inserting events into the database:
# mysql -u snort -p -D snort -e "select count(*) from event"
If the count returned a number greater than zero, then it must be working.
Now, to make sure that snort and barnyard2 start automatically at each reboot, do the following:
# sudo vi /etc/init.d/snortbarn
Add all of the below code to the snortbarn file:
#! /bin/sh
#
### BEGIN INIT INFO
# Provides:          snortbarn
# Required-Start:    $remote_fs $syslog mysql
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# X-Interactive:     true
# Short-Description: Start Snort and Barnyard
### END INIT INFO

# Source (rather than execute) the LSB helper scripts so their functions
# are defined in this shell
. /lib/init/vars.sh
. /lib/lsb/init-functions

# Print the value mysqld will use for the option named in $1 (e.g. pid-file)
mysqld_get_param() {
    /usr/sbin/mysqld --print-defaults | tr " " "\n" | grep -- "--$1" | tail -n 1 | cut -d= -f2
}

do_start() {
    #log_daemon_msg "Starting Snort and Barnyard" ""

    # Make sure mysql has finished starting: wait until its pid file exists
    # and the process it names is alive (note: this loop has no timeout)
    ps_alive=0
    while [ $ps_alive -lt 1 ];
    do
        pidfile=`mysqld_get_param pid-file`
        if [ -f "$pidfile" ] && ps `cat $pidfile` >/dev/null 2>&1; then ps_alive=1; fi
        #echo "sleeping" >&2
        sleep 1
    done
    /sbin/ifconfig eth0 up
    /usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth0 &
    /usr/local/bin/barnyard2 -q -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /etc/snort/bylog.waldo -G /etc/snort/gen-msg.map -S /etc/snort/sid-msg.map -C /etc/snort/classification.config 2> /dev/null &
    #log_end_msg 0

    return 0
}

do_stop() {
    #log_daemon_msg "Stopping Snort and Barnyard" ""
    kill $(pidof snort) 2> /dev/null
    kill $(pidof barnyard2) 2> /dev/null
    #log_end_msg 0

    return 0
}

case "$1" in
    start)
        do_start
        ;;
    stop)
        do_stop
        ;;
    restart)
        do_stop
        do_start
        ;;
    *)
        echo "Usage: snortbarn {start|stop|restart}" >&2
        exit 3
        ;;
esac
exit 0
Make the script executable:
# chmod 755 /etc/init.d/snortbarn
Then, make the two included scripts executable:
# chmod 755 /lib/init/vars.sh
# chmod 755 /lib/lsb/init-functions
Now, test it out to make sure it is working as it should.
Restart mysql to make sure the mysqld.pid file is getting created on startup:
# service mysql restart
# cat /var/run/mysqld/mysqld.pid
If the mysql process id is displayed, then it's working.
Now run the snortbarn script:
# /etc/init.d/snortbarn start
Check to see if snort and barnyard2 started successfully:
# ps -ef | grep snort
You should see output that looks something like this:
snort 4211 1 1 18:39 pts/0 00:00:00 /usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth0
root 4212 1 1 18:39 pts/0 00:00:00 /usr/local/bin/barnyard2 -q -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /etc/snort/bylog.waldo -G /etc/snort/gen-msg.map -S /etc/snort/sid-msg.map -C /etc/snort/classification.config
If so, then you're done with that step.
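The snortbarn script above waits for mysqld by polling its pid file with no upper bound, so a MySQL that never comes up would stall the boot sequence. As an added example (not from the original article), here is the same readiness check as a reusable function with a timeout; the mysqld_get_param call in the trailing comment refers to the helper defined in the snortbarn script and is not repeated here.

```shell
#!/bin/sh
# Added example: bounded "wait for a daemon's pid file" check, a drop-in for the
# unbounded loop in do_start of the snortbarn init script. Not part of the article.

# wait_for_pidfile PIDFILE TIMEOUT_SECONDS
# Returns 0 as soon as PIDFILE exists and the PID it holds is a live process,
# 1 if that has not happened after TIMEOUT_SECONDS. "kill -0" sends no signal,
# it only checks that the process exists (as root, as an init script runs, it
# succeeds for any live PID; as an unprivileged user it fails for other users' PIDs).
wait_for_pidfile() {
    pidfile="$1"; timeout="$2"; waited=0
    while [ "$waited" -lt "$timeout" ]; do
        if [ -f "$pidfile" ]; then
            pid=$(tr -d '[:space:]' < "$pidfile")
            case "$pid" in
                ''|*[!0-9]*) ;;                                  # empty or garbage pid file: keep waiting
                *) kill -0 "$pid" 2>/dev/null && return 0 ;;    # live process: ready
            esac
        fi
        sleep 1
        waited=$((waited + 1))
    done
    return 1
}

# How do_start would use it in place of the while loop (assumed usage):
#   pidfile=$(mysqld_get_param pid-file)
#   wait_for_pidfile "$pidfile" 60 || { echo "mysqld did not come up, not starting snort" >&2; return 1; }

# Stand-alone demo on a constructed pid file holding this shell's own PID.
demo=$(mktemp); echo $$ > "$demo"
wait_for_pidfile "$demo" 5 && echo "pid file $demo points at a live process"
rm -f "$demo"
```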
Now, install Passenger for running Ruby on Rails with Apache
Install one dependency for Passenger:
# sudo apt-get install libcurl4-openssl-dev
Install Passenger and any modules it needs:
# sudo su
# gem install --no-ri --no-rdoc --version 3.0.3 passenger
# /usr/local/lib/ruby/gems/1.9.1/gems/passenger-3.0.3/bin/passenger-install-apache2-module -a
# echo "LoadModule passenger_module /usr/local/lib/ruby/gems/1.9.1/gems/passenger-3.0.3/ext/apache2/mod_passenger.so" > /etc/apache2/mods-available/passenger.load
# echo "<IfModule mod_passenger.c>" > /etc/apache2/mods-available/passenger.conf
# echo "   PassengerRoot /usr/local/lib/ruby/gems/1.9.1/gems/passenger-3.0.3" >> /etc/apache2/mods-available/passenger.conf
# echo "   PassengerRuby /usr/local/bin/ruby" >> /etc/apache2/mods-available/passenger.conf
# echo "</IfModule>" >> /etc/apache2/mods-available/passenger.conf
# a2enmod passenger
# a2enmod rewrite
# a2enmod ssl
# exit
Restart apache to apply the changes:
# sudo apache2ctl restart
Check to make sure apache started properly:
# ps -ef | grep apache2
Now, one last step to get the Snorby bundle ready:
# cd /var/www/snorby
# sudo bundle install
# sudo bundle pack
# sudo bundle install --path vendor/cache
# sudo chown -R www-data:www-data vendor/
# sudo apache2ctl restart
Now, clean up any of the test related entries that might be in the database now:
truncate snort.caches;
truncate snort.delayed_jobs;
truncate snort.data;
truncate snort.event;
truncate snort.icmphdr;
truncate snort.iphdr;
truncate snort.notes;
truncate snort.opt;
truncate snort.signature;
truncate snort.tcphdr;
truncate snort.udphdr;
Now, install pulledpork and pull down the latest rules
# cd ~/Source
# wget http://pulledpork.googlecode.com/files/pulledpork-0.5.0.tar.gz
# tar -zxf pulledpork-0.5.0.tar.gz && cd pulledpork-0.5.0
# sudo su
# cp pulledpork.pl /usr/local/bin && cp etc/*.conf /etc/snort
# vi /etc/snort/pulledpork.conf
Comment out lines 20 & 24.
Line 56: change to: rule_path=/etc/snort/rules/snort.rules
Line 64: change to: rule_path=/etc/snort/rules/local.rules
Line 67: change to: sid_msg=/etc/snort/sid-msg.map
Line 90: change to: config_path=/etc/snort/snort.conf
Line 101: change to: distro=Lucid-Lynx
Line 133: Uncomment and change to: snort_version=2.9.0.4
Line 137: Uncomment and change to: /etc/snort/enablesid.conf
Line 139: Uncomment and change to: /etc/snort/disablesid.conf
Line 140: Uncomment and change to: /etc/snort/modifysid.conf
Now, disable all block (fwsam) rules
# echo pcre:fwsam >> /etc/snort/disablesid.conf
Fix an apparent typo in the modifysid.conf file:
# vi /etc/snort/modifysid.conf
change last line to:
302,429,1821 "$EXTERNAL_NET" "$HOME_NET"
Run pulledpork
# /usr/local/bin/pulledpork.pl -c /etc/snort/pulledpork.conf -T -l
You should now see local.rules and snort.rules in /etc/snort/rules.
Clean Up:
# rm /var/www/index.html
# chmod 755 /var/www/base
# pkill snort && pkill barnyard2
# rm -rf /var/log/snort/* /var/log/barnyard2/*
Don't forget to comment out the test rule and enable the rules file that pulledpork just pulled down (snort.rules):
# vi /etc/snort/rules/local.rules – Comment out the test rule
# vi /etc/snort/snort.conf – Line 394: add: include $RULE_PATH/snort.rules
# exit