Installing Snort + Barnyard + Pulledpork + Snorby on CentOS 6.6 (2)

2019-02-15 13:45

sudo chmod -R 700 snort*
sudo chmod -R 700 pkgconfig
cd /usr/local/bin
sudo chown -R snort:snort daq-modules-config
sudo chown -R snort:snort u2*
sudo chmod -R 700 daq-modules-config
sudo chmod 700 u2*
cd /etc
sudo chown -R snort:snort snort
sudo chmod -R 700 snort

At this point we are ready to see if Snort starts up and reads the rules.

cd /usr/local/bin

./snort -T -i eth0 -u snort -g snort -c /etc/snort/snort.conf

Check /var/log/messages to catch any fatal errors or crashes.

Before installing Barnyard2 we have to set the MySQL root password. Issue the following command:

mysqladmin -u root password NEWPASSWORD

where NEWPASSWORD is whatever you want. Next step is to install Barnyard2.

Give the following commands in order to install and configure Barnyard2:

cd /usr/local/src
git clone https://github.com/firnsy/barnyard2.git
cd barnyard2
./autogen.sh
./configure --with-mysql --with-mysql-libraries=/usr/lib64/mysql
make
sudo make install
sudo cp etc/barnyard2.conf /etc/snort
sudo cp rpm/barnyard2 /etc/init.d
sudo chmod 700 /etc/init.d/barnyard2
sudo cp rpm/barnyard2.config /etc/sysconfig/barnyard2
sudo cp /etc/init.d/barnyard2 /etc/init.d/barnyard2_default
sudo sed -i -e '/BARNYARD_OPTS=/s/$SNORTDIR\/${INT}/$SNORTDIR/' -e '/BARNYARD_OPTS=/s/-L \$SNORTDIR\/\${INT}/-l $SNORTDIR/' -e '/\/var/s/\$prog/barnyard2/' /etc/init.d/barnyard2
sudo sed -i 's#$SNORTDIR/${INT}#$SNORTDIR#g' /etc/init.d/barnyard2
sudo cp /etc/sysconfig/barnyard2 /etc/sysconfig/barnyard2_default
sudo sed -i '/CONF=/s/barnyard.conf/barnyard2.conf/' /etc/sysconfig/barnyard2
sudo sed -i '/LOG_FILE=/s/\/etc/sysconfig/barnyard2

Now at the end of /etc/snort/barnyard2.conf file put the following config:

output database: log, mysql, user=root password=NEWPASSWORD dbname=snorby host=localhost

where NEWPASSWORD is your mysql root password. Time to install Pulledpork.

cd /usr/local/src
wget https://pulledpork.googlecode.com/files/pulledpork-0.7.0.tar.gz
tar -zxvf pulledpork-0.7.0.tar.gz
cd pulledpork-0.7.0
sudo cp pulledpork.pl /usr/local/bin/pulledpork
sudo chmod 700 /usr/local/bin/pulledpork
sudo cp etc/* /etc/snort
sudo cp /etc/snort/pulledpork.conf /etc/snort/pulledpork.conf_default
sudo sed -i -e '/^local_rules=/s/\/usr.*/\/etc\/snort\/rules\/local.rules/' \
  -e '/^rule_path/s/\/usr.*/\/etc\/snort\/rules\/snort.rules/' \
  -e '/sid_msg=/s/\/usr.*/\/etc\/snort\/sid-msg.map/' \
  -e '/config_path=/s/\/usr.*/\/etc\/snort\/snort.conf/' \
  -e '/black_list=/s/\/usr.*/\/etc\/snort\/rules\/iplists\/default.blacklist/' \
  -e '/IPRV/s/\/usr.*/\/etc\/snort\/rules\/iplists/' /etc/snort/pulledpork.conf

One more thing to set up for Pulledpork is the oinkcode. The oinkcode is a unique key associated with a user account on snort.org. If you have a subscription you will get the latest rules, otherwise you will receive the free rule package. Once you have created an account on snort.org, copy your oinkcode and append it after the trailing | in the following lines of the /etc/snort/pulledpork.conf file:

rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|

rule_url=https://www.snort.org/reg-rules/|opensource.gz|
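As an added example that is not part of the original guide, the following POSIX shell script applies the same path rewrite as the sed command above to a constructed sample of pulledpork.conf and then checks that every managed key points under /etc/snort while the rule_url line is left untouched. The sample file, the function names and the <oinkcode> placeholder are assumptions; none of this is Pulledpork's own code.

```shell
#!/bin/sh
# Added example, not from the original guide: rewrite the Pulledpork paths on a
# constructed sample config and verify the result. Needs only sh, sed, grep, mktemp.

# Print config file $1 with the rule/config paths rewritten from the /usr/local
# defaults to /etc/snort, using the same sed expressions as the guide.
rewrite_pulledpork_conf() {
    sed -e '/^local_rules=/s/\/usr.*/\/etc\/snort\/rules\/local.rules/' \
        -e '/^rule_path/s/\/usr.*/\/etc\/snort\/rules\/snort.rules/' \
        -e '/sid_msg=/s/\/usr.*/\/etc\/snort\/sid-msg.map/' \
        -e '/config_path=/s/\/usr.*/\/etc\/snort\/snort.conf/' \
        -e '/black_list=/s/\/usr.*/\/etc\/snort\/rules\/iplists\/default.blacklist/' \
        -e '/IPRV/s/\/usr.*/\/etc\/snort\/rules\/iplists/' "$1"
}

# Return 0 only if all six managed keys in config file $1 point at the
# /etc/snort locations used throughout this guide, 1 otherwise.
check_pulledpork_conf() {
    grep -q '^local_rules=/etc/snort/rules/local.rules$' "$1" &&
    grep -q '^rule_path=/etc/snort/rules/snort.rules$' "$1" &&
    grep -q '^sid_msg=/etc/snort/sid-msg.map$' "$1" &&
    grep -q '^config_path=/etc/snort/snort.conf$' "$1" &&
    grep -q '^black_list=/etc/snort/rules/iplists/default.blacklist$' "$1" &&
    grep -q '^IPRVersion=/etc/snort/rules/iplists$' "$1"
}

# Constructed sample (assumption: mirrors the 0.7.0 default paths); <oinkcode>
# is a placeholder, not a real key.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<oinkcode>
local_rules=/usr/local/etc/snort/rules/local.rules
rule_path=/usr/local/etc/snort/rules/snort.rules
sid_msg=/usr/local/etc/snort/sid-msg.map
config_path=/usr/local/etc/snort/snort.conf
black_list=/usr/local/etc/snort/rules/iplists/default.blacklist
IPRVersion=/usr/local/etc/snort/rules/iplists
EOF

REWRITTEN_CONF=$(mktemp)
rewrite_pulledpork_conf "$SAMPLE_CONF" > "$REWRITTEN_CONF"
if check_pulledpork_conf "$REWRITTEN_CONF"; then
    echo "pulledpork.conf paths OK"
else
    echo "pulledpork.conf still points outside /etc/snort" >&2
fi
```

Running check_pulledpork_conf against the real /etc/snort/pulledpork.conf after the sed step is a quick way to confirm the rewrite took effect before the first rule download.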

Next step is to install Snorby.

Before installing Snorby we have to install five prerequisite packages:

yaml
ruby 1.9.x
rails
imagemagick
wkhtmltopdf

cd /usr/local/src
wget pyyaml.org/download/libyaml/yaml-0.1.6.zip
unzip yaml-0.1.6.zip
cd yaml-0.1.6
./configure
make
sudo make install
cd /usr/local/src
wget cache.ruby-lang.org/pub/ruby/1.9/ruby-1.9.3-p547.tar.gz
tar -zxvf ruby-1.9.3-p547.tar.gz
cd ruby-1.9.3-p547
./configure
make
sudo make install
sudo gem install rails
sudo gem install nokogiri -- --use-system-libraries
sudo gem install bundler
cd /usr/local/src
wget www.imagemagick.org/download/ImageMagick.tar.gz
tar -zxvf ImageMagick.tar.gz
cd ImageMagick-*
./configure
make
sudo make install
cd /usr/local/src
wget sourceforge.net/projects/wkhtmltopdf/files/archive/0.12.0/wkhtmltox-linux-amd64_0.12.0-03c001d.tar.xz
tar xJf wkhtmltox-linux-amd64_0.12.0-03c001d.tar.xz
cd wkhtmltox
sudo mv bin/wkhtmltopdf /usr/local/bin

Finally it’s time to install and configure Snorby.

cd /usr/local/src
git clone https://github.com/Snorby/snorby.git
cd snorby
sudo bundle install --deployment
sudo cp /usr/local/src/snorby/config/database.yml.example /usr/local/src/snorby/config/database.yml
sudo cp /usr/local/src/snorby/config/snorby_config.yml.example /usr/local/src/snorby/config/snorby_config.yml

Open the /usr/local/src/snorby/config/database.yml file and change

password: "Password Here"

to

password: "NEWPASSWORD"

where NEWPASSWORD is your MySQL root password. Now issue the following commands:

cd /usr/local/src/snorby
bundle exec rake snorby:setup

In order to have access to Snorby front-end from anywhere we will install Phusion Passenger. Phusion Passenger is a free web server and application server with support for Ruby, Python and Node.js. It is designed to integrate into the Apache HTTP Server or the nginx web server, but also has a mode for running standalone without an external web server. Installing Phusion Passenger:

gem install passenger

passenger-install-apache2-module --auto

At the end of the installation, Passenger will show us some lines to add to the /etc/httpd/conf/httpd.conf file. We copy-paste them at the end of /etc/httpd/conf/httpd.conf and change DocumentRoot to point at the /usr/local/src/snorby/public directory. Similarly we change to . One last thing is to modify iptables in order to allow traffic to port 80.

sudo cp /etc/sysconfig/iptables /etc/sysconfig/iptables_default
sudo sed -i '/22/a -A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT' /etc/sysconfig/iptables
sudo /etc/init.d/iptables restart

Now we can download new rules with pulledpork:

/usr/local/bin/pulledpork -c /etc/snort/pulledpork.conf -C /etc/snort/snort.conf -P -I security -e /etc/snort/enablesid.conf -i /etc/snort/disablesid.conf -M /etc/snort/modifysid.conf -v

Finally start all the necessary services:

/etc/init.d/mysqld restart
/etc/init.d/httpd restart
/etc/init.d/snort start
/etc/init.d/barnyard2 start

In case you have problems with the snorby worker you can run the following commands:

cd /usr/local/src/snorby

sudo RAILS_ENV=production script/rails r
sudo RAILS_ENV=production script/rails r
sudo RAILS_ENV=production script/rails r
sudo RAILS_ENV=production script/rails r
sudo RAILS_ENV=production script/rails r
sudo RAILS_ENV=production script/rails r
sudo RAILS_ENV=production script/rails r
sudo RAILS_ENV=production script/rails r

