Server1 and Server2 are Ubuntu 12.04 LTS, 64-bit.
sudo apt-get install gcc g++ build-essential libssl-dev libreadline6-dev zlib1g-dev linux-headers-generic libsqlite3-dev \
libxslt-dev libxml2-dev imagemagick git-core libmysqlclient-dev mysql-server libmagickwand-dev default-jre ruby1.9.3
sudo wget http://wkhtmltopdf.googlecode.com/files/wkhtmltopdf-0.10.0_rc2-static-amd64.tar.bz2
bunzip2 wkhtmltopdf-0.10.0_rc2-static-amd64.tar.bz2
tar xvf wkhtmltopdf-0.10.0_rc2-static-amd64.tar
ls -lh
sudo cp wkhtmltopdf-amd64 /usr/bin/wkhtmltopdf
The wkhtmltopdf installation above is the one that works with Snorby (tested with 2.5.1);
do not install the wkhtmltopdf package from "apt-get".
sudo gem install thor i18n bundler tzinfo builder memcache-client rack rack-test erubis mail text-format rack-mount rails sqlite3
sudo git clone http://github.com/Snorby/snorby.git /var/www/snorby
Edit /var/www/snorby/config/database.yml: look for the "snorby" entry and enter
the MySQL root username and password here:
snorby: &snorby
  adapter: mysql
  username: root
  password: "mysqlrootpassword"
  host: localhost
Do not worry about using the root credentials here; we will change them later on.
Edit /var/www/snorby/config/snorby_config.yml and set the correct path to
wkhtmltopdf (if you need to find it, use "which wkhtmltopdf"). Make it look like
this:
development:
  domain: localhost:3000
  wkhtmltopdf: /usr/bin/wkhtmltopdf
test:
  domain: localhost:3000
  wkhtmltopdf: /usr/bin/wkhtmltopdf
production:
  domain: localhost:3000
  wkhtmltopdf: /usr/bin/wkhtmltopdf
Then
cd /var/www/snorby
sudo bundle update activesupport railties rails
sudo gem install arel ezprint && sudo bundle install
sudo bundle exec rake snorby:setup
mysql -u root -p
create user 'snorbyuser'@'localhost' IDENTIFIED BY 'PASSWORD123';
grant all privileges on snorby.* to 'snorbyuser'@'localhost' with grant option;
flush privileges;
Now edit /var/www/snorby/config/database.yml again and replace the username and
password with the newly created user:
snorby: &snorby
  adapter: mysql
  username: snorbyuser
  password: "PASSWORD123"
  host: localhost
By default, the mysql server listens on localhost only. If remote sensors must
reach the database (see the Barnyard2 section below), edit /etc/mysql/my.cnf and
change the bind-address line, then restart mysql and check with lsof which
address mysqld is listening on:
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
bind-address = 127.0.0.1
sudo service mysql restart
sudo lsof -i | grep mysqld
sudo apt-get install apache2 apache2-prefork-dev libapr1-dev libaprutil1-dev libopenssl-ruby libcurl4-openssl-dev
sudo service apache2 start
sudo gem install --no-ri --no-rdoc passenger
sudo /usr/local/bin/passenger-install-apache2-module -a
Edit /etc/apache2/mods-available/passenger.load (or create it if it does not exist).
To find the path of the module you can use:
sudo find / -name "*mod_passenger*"
/var/lib/gems/1.9.1/gems/passenger-3.0.17/ext/apache2/mod_passenger.so
Then put the following in the file (adjust the paths to what find reported):
LoadModule passenger_module /var/lib/gems/1.9.1/gems/passenger-3.0.17/ext/apache2/mod_passenger.so
<IfModule mod_passenger.c>
  PassengerRoot /var/lib/gems/1.9.1/gems/passenger-3.0.17
  PassengerRuby /usr/bin/ruby
</IfModule>
The result should look like this:
user@ubuntu64LTS:/etc/apache2/mods-available$ cat passenger.load
LoadModule passenger_module /var/lib/gems/1.9.1/gems/passenger-3.0.17/ext/apache2/mod_passenger.so
<IfModule mod_passenger.c>
PassengerRoot /var/lib/gems/1.9.1/gems/passenger-3.0.17
PassengerRuby /usr/bin/ruby
</IfModule>
user@ubuntu64LTS:/etc/apache2/mods-available$
sudo a2enmod passenger
sudo a2enmod rewrite
sudo a2enmod ssl
sudo chown www-data:www-data /var/www/snorby -R
Suppose we want the Snorby frontend to be reachable via the virtual host
snorby.Server2. Create a file "snorby" under /etc/apache2/sites-available:
<VirtualHost *:80>
  ServerAdmin webmaster@localhost
  ServerName snorby.Server2
  DocumentRoot /var/www/snorby/public
  <Directory "/var/www/snorby/public">
    AllowOverride all
    Order deny,allow
    Allow from all
    Options -MultiViews
  </Directory>
</VirtualHost>
Enable the new website :
sudo ln -s /etc/apache2/sites-available/snorby /etc/apache2/sites-enabled/snorby_config
sudo service apache2 restart
cd /var/www/snorby
sudo bundle pack && sudo bundle install --path vendor/cache
Make sure snorby.Server2 points at your local apache2 server, and navigate to that website:
user@ubuntu64LTS:/var/www/snorby$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 ubuntu64LTS
127.0.0.1 snorby.Server2
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
user@ubuntu64LTS:/var/www/snorby$
sudo service apache2 restart
Go to http://snorby.Server2 (locally) and log in with the default credentials:
user snorby@snorby.org, password snorby. Change this default password after the
first login.
ON THE REMOTE SERVER (Suricata, Barnyard2 - Server1 in this setup)
sudo apt-get -y install libpcre3 libpcre3-dbg libpcre3-dev \
build-essential autoconf automake libtool libpcap-dev libnet1-dev \
libyaml-0-2 libyaml-dev zlib1g zlib1g-dev libcap-ng-dev libcap-ng0 \
make libmagic-dev git pkg-config libnss3-dev libnspr4-dev wget
sudo git clone git://phalanx.openinfosecfoundation.org/oisf.git && cd oisf/ \
&& git clone https://github.com/ironbee/libhtp.git -b 0.5.x \
&& sudo ./autogen.sh && sudo ./configure \
--with-libnss-libraries=/usr/lib --with-libnss-includes=/usr/include/nss/ \
--with-libnspr-libraries=/usr/lib --with-libnspr-includes=/usr/include/nspr \
&& sudo make clean && sudo make && sudo make install-full && sudo ldconfig
Now get Barnyard2:
sudo apt-get install libpcre3 libpcre3-dbg libpcre3-dev \
build-essential autoconf automake libtool \
libpcap-dev libnet1-dev mysql-client libmysqlclient16-dev
cd /usr/src
sudo wget https://github.com/firnsy/barnyard2/tarball/master
sudo tar -zxf master
cd firnsy-barnyard2*
sudo autoreconf -fvi -I ./m4
sudo ./configure --with-mysql --with-mysql-libraries=/usr/lib/x86_64-linux-gnu && make && sudo make install
Configure Suricata ......
sudo cp ./etc/barnyard2.conf /etc/suricata/
Edit the barnyard2 conf file and set the following parameters:
config reference_file: /etc/suricata/reference.config
config classification_file: /etc/suricata/classification.config
config gen_file: /etc/suricata/rules/gen-msg.map
config sid_file: /etc/suricata/rules/sid-msg.map
.....
.....
output database: log, mysql, user=snorbyuser password=PASSWORD123 dbname=snorby host=192.168.1.111 sensor_name=sensor1
Here host=192.168.1.111 is the IP of Server2.
The output database directive must be on a single line; do not insert a "/" or a
line break between the password and dbname.
If you are installing remote Suricata sensors (remote from the point of view of the
mysql server / Snorby engine, as in this guide), then you will have to configure
mysql and grant the MySQL user access from the IP of the sensor. The "host" entry
in the barnyard2.conf file needs to point at the remote mysql server.
Back on Server2, grant access from the sensor's IP (192.168.1.91 is Server1 in
this setup):
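A small checker for the barnyard2.conf settings above, added here as an example; it is not part of this guide or of Barnyard2. It reads the "config <name>:" lines and the "output database:" line, splits the database parameters into key=value pairs, and reports the two mistakes the text warns about: the output directive split over two lines with a stray "/" and a missing user, password, dbname or host. The sample configuration embedded below is constructed from the values used in this guide.

```python
"""Sanity-check the Barnyard2 -> MySQL settings in a barnyard2.conf.

Added example, not part of the original guide or of Barnyard2 itself.
The sample config below is constructed from the values in the guide.
"""
import re

# Constructed sample: the config keys from the guide plus one correct output line.
SAMPLE_CONF = """\
config reference_file: /etc/suricata/reference.config
config classification_file: /etc/suricata/classification.config
config gen_file: /etc/suricata/rules/gen-msg.map
config sid_file: /etc/suricata/rules/sid-msg.map
output database: log, mysql, user=snorbyuser password=PASSWORD123 dbname=snorby host=192.168.1.111 sensor_name=sensor1
"""

# Parameters Barnyard2 needs to reach the Snorby database.
REQUIRED_DB_KEYS = ("user", "password", "dbname", "host")


def parse_barnyard2_conf(text):
    """Return (config_dict, outputs, problems) for the body of a barnyard2.conf."""
    config, outputs, problems = {}, [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("/"):
            # A trailing '/' is not a continuation character: whatever follows on
            # the next line is not part of this directive.
            problems.append("line %d ends with '/': the directive must be on one line" % lineno)
        m = re.match(r"config\s+(\w+):\s*(.*)", line)
        if m:
            config[m.group(1)] = m.group(2).strip()
            continue
        m = re.match(r"output\s+database:\s*(.*)", line)
        if m:
            parts = [p.strip() for p in m.group(1).split(",")]
            if len(parts) < 3:
                problems.append("line %d: output database needs '<facility>, <dbtype>, <params>'" % lineno)
                continue
            facility, dbtype, params = parts[0], parts[1], ",".join(parts[2:])
            # Remaining parameters are whitespace-separated key=value tokens.
            kv = dict(tok.split("=", 1) for tok in params.split() if "=" in tok)
            for key in REQUIRED_DB_KEYS:
                if key not in kv:
                    problems.append("line %d: output database is missing %s=" % (lineno, key))
            outputs.append({"facility": facility, "dbtype": dbtype, **kv})
    return config, outputs, problems


if __name__ == "__main__":
    cfg, outs, probs = parse_barnyard2_conf(SAMPLE_CONF)
    print("config keys:", sorted(cfg))
    print("database outputs:", outs)
    print("problems:", probs or "none")
```

Run it against the real file with parse_barnyard2_conf(open("/etc/suricata/barnyard2.conf").read()); an empty problems list means the directive is on one line and carries all four connection parameters.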
mysql -uroot -p
GRANT ALL ON snorby.* TO snorbyuser@'192.168.1.91' IDENTIFIED BY 'PASSWORD123';
Create the log folder for barnyard2 (on Server1):
sudo mkdir /var/log/barnyard2
Make sure you have enabled unified2 logging in the suricata yaml:
# alert output for use with Barnyard2
- unified2-alert:
    enabled: yes
    filename: unified2.alert
Start Suricata:
sudo suricata -c /etc/suricata.yaml -i eth0 -D
Start Barnyard2:
sudo barnyard2 -c /etc/suricata/barnyard2.conf -d /var/log/suricata -f unified2.alert -w /var/log/suricata/suricata.waldo -D
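Barnyard2 spools the unified2.alert file written by Suricata into the Snorby database. The following parser, added here as an example and not taken from Suricata, Barnyard2 or this guide, walks such a file and decodes what Barnyard2 would forward: it implements the unified2 framing (4-byte record type and 4-byte length, big-endian), decodes IDS event records (types 7 and 104) and packet records (type 2), skips other types by length, and stops cleanly at a partially written trailing record. The sample file is constructed in build_sample(); its addresses reuse the two hosts of this guide and the signature id is an arbitrary local sid.

```python
"""Walk a unified2 spool file and summarise the records Barnyard2 would forward.

Added example, not part of the guide, Suricata or Barnyard2.
"""
import struct

UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7          # legacy IPv4 event, 52 bytes
UNIFIED2_IDS_EVENT_VLAN = 104   # IPv4 event with MPLS label and VLAN id, 60 bytes

_HDR = struct.Struct("!II")               # record type, record length
_EVENT = struct.Struct("!11I2H4B")        # 52-byte prefix shared by types 7 and 104
_EVENT_VLAN_TAIL = struct.Struct("!IHH")  # mpls_label, vlan_id, pad
_PACKET_HDR = struct.Struct("!7I")        # 28 bytes before the captured packet bytes

EVENT_FIELDS = ("sensor_id", "event_id", "event_second", "event_microsecond",
                "signature_id", "generator_id", "signature_revision",
                "classification_id", "priority_id", "ip_source", "ip_destination",
                "sport_itype", "dport_icode", "protocol", "impact_flag", "impact", "blocked")


def _ipv4(n):
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def iter_records(data):
    """Yield (type, body) for each framed record; stop at a truncated tail."""
    off = 0
    while off + _HDR.size <= len(data):
        rtype, length = _HDR.unpack_from(data, off)
        off += _HDR.size
        if off + length > len(data):
            break  # partial record still being written by the sensor
        yield rtype, data[off:off + length]
        off += length


def decode_event(body):
    ev = dict(zip(EVENT_FIELDS, _EVENT.unpack_from(body, 0)))
    ev["ip_source"] = _ipv4(ev["ip_source"])
    ev["ip_destination"] = _ipv4(ev["ip_destination"])
    if len(body) >= _EVENT.size + _EVENT_VLAN_TAIL.size:
        ev["mpls_label"], ev["vlan_id"], _ = _EVENT_VLAN_TAIL.unpack_from(body, _EVENT.size)
    return ev


def summarise(data):
    """Return per-type record counts, the decoded events and the count of consistent packets."""
    counts, events, packets_ok = {}, [], 0
    for rtype, body in iter_records(data):
        counts[rtype] = counts.get(rtype, 0) + 1
        if rtype in (UNIFIED2_IDS_EVENT, UNIFIED2_IDS_EVENT_VLAN):
            events.append(decode_event(body))
        elif rtype == UNIFIED2_PACKET:
            hdr = _PACKET_HDR.unpack_from(body, 0)
            # hdr[6] is packet_length; it must match the bytes that follow the header.
            if hdr[6] == len(body) - _PACKET_HDR.size:
                packets_ok += 1
    return {"counts": counts, "events": events, "packets_ok": packets_ok}


def build_sample():
    """Constructed sample file: one VLAN-tagged event (local sid 1000001) plus its packet."""
    event = _EVENT.pack(1, 42, 1356998400, 0, 1000001, 1, 7, 33, 2,
                        0xC0A8015B, 0xC0A8016F,   # 192.168.1.91 -> 192.168.1.111
                        44321, 80, 6, 0, 0, 0)
    event += _EVENT_VLAN_TAIL.pack(0, 10, 0)
    payload = b"\x00" * 14 + b"\x45\x00\x00\x28"  # constructed bytes, not a real packet
    packet = _PACKET_HDR.pack(1, 42, 1356998400, 1356998400, 0, 1, len(payload)) + payload
    return (_HDR.pack(UNIFIED2_IDS_EVENT_VLAN, len(event)) + event
            + _HDR.pack(UNIFIED2_PACKET, len(packet)) + packet)


if __name__ == "__main__":
    for ev in summarise(build_sample())["events"]:
        print("sid %(signature_id)d %(ip_source)s:%(sport_itype)d -> "
              "%(ip_destination)s:%(dport_icode)d" % ev)
```

Against a live sensor, summarise(open("/var/log/suricata/unified2.alert", "rb").read()) gives a quick way to confirm that events are actually being written before suspecting the Barnyard2 or MySQL side when the Snorby dashboard stays empty.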
NOTE:
If, at any given time, the Snorby dashboard keeps showing 0 events (or an
incorrect number of events in general) while the Events view shows that all
entries are in the database, you may have to clear the caches and rebuild them
from scratch:
On Server2:
mysql -u root -p
use snorby;
truncate table caches;
exit
Now remove the two worker jobs (use the little trash can icon next to each worker
job) in Snorby's web interface.
Recreate the jobs via Worker Options, and the main dashboard should eventually
get populated again.
NOTE:
To start Barnyard2 automatically at boot, see
https://github.com/Snorby/snorby/wiki/Installing-Barnyard2
Let us look at an example with AF_PACKET on a gateway.
Here everything is simpler. The suricata.yaml configuration should look approximately like this:
af-packet:
  - interface: eth0
    threads: 1
    defrag: yes
    cluster-type: cluster_flow
    cluster-id: 98
    copy-mode: ips
    copy-iface: eth1
    buffer-size: 64535
    use-mmap: yes
  - interface: eth1
    threads: 1
    cluster-id: 97
    defrag: yes
    cluster-type: cluster_flow
    copy-mode: ips
    copy-iface: eth0
    buffer-size: 64535
    use-mmap: yes
The number of worker threads must be no more than one on kernels older than 3.6;
otherwise increasing the number of threads causes an infinite loop.
The MTU on both network interfaces must be identical.
Start: sudo suricata -c /etc/suricata/suricata-debian.yaml --af-packet -D
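A pre-flight check for the AF_PACKET IPS pair, added here as an example; it is not part of this guide or of Suricata. It verifies the two constraints stated above: on a kernel older than 3.6 an interface in copy-mode ips must use at most one thread, and the two interfaces that copy packets to each other must have identical MTUs. It also confirms that copy-iface on each side points back at the other. The interface list AF_PACKET mirrors the suricata.yaml above as plain dicts (constructed, not parsed from the file); MTUs are read from a sysfs-style directory, so the check runs against /sys/class/net on a real gateway or against the constructed tree that make_fake_sysfs() builds.

```python
"""Pre-flight checks for a Suricata AF_PACKET IPS interface pair.

Added example, not part of the guide or of Suricata. Constraints checked:
threads <= 1 per interface in IPS mode on kernels older than 3.6, copy-iface
pointing back at the peer, and identical MTUs on both interfaces.
"""
import os
import re
import tempfile

# Mirrors the af-packet section of the suricata.yaml above (constructed dicts).
AF_PACKET = [
    {"interface": "eth0", "threads": 1, "copy-mode": "ips", "copy-iface": "eth1"},
    {"interface": "eth1", "threads": 1, "copy-mode": "ips", "copy-iface": "eth0"},
]


def kernel_version(release):
    """'3.2.0-29-generic' -> (3, 2, 0); accepts the output of uname -r."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError("unrecognised kernel release: %r" % release)
    return tuple(int(x or 0) for x in m.groups())


def read_mtu(iface, sysfs="/sys/class/net"):
    """Read the MTU the way the kernel exposes it: <sysfs>/<iface>/mtu."""
    with open(os.path.join(sysfs, iface, "mtu")) as fh:
        return int(fh.read().strip())


def check_afpacket(entries, release, sysfs="/sys/class/net"):
    """Return a list of human-readable problems; an empty list means the pair looks sane."""
    problems = []
    kver = kernel_version(release)
    by_name = {e["interface"]: e for e in entries}
    seen_pairs = set()
    for e in entries:
        name, peer = e["interface"], e.get("copy-iface")
        if e.get("copy-mode") != "ips":
            continue  # IDS-only interface: nothing to pair
        if e.get("threads", 1) > 1 and kver < (3, 6):
            problems.append("%s: threads=%d with copy-mode ips on kernel %s (< 3.6) can loop packets"
                            % (name, e["threads"], release))
        if peer not in by_name or by_name[peer].get("copy-iface") != name:
            problems.append("%s: copy-iface %s does not copy back to %s" % (name, peer, name))
            continue
        pair = frozenset((name, peer))
        if pair in seen_pairs:
            continue  # MTU already compared from the other side
        seen_pairs.add(pair)
        try:
            a, b = read_mtu(name, sysfs), read_mtu(peer, sysfs)
        except OSError as exc:
            problems.append("%s/%s: cannot read MTU (%s)" % (name, peer, exc))
            continue
        if a != b:
            problems.append("%s (mtu %d) and %s (mtu %d) must have identical MTUs"
                            % (name, a, peer, b))
    return problems


def make_fake_sysfs(mtus):
    """Build a temporary <root>/<iface>/mtu tree (constructed, for offline runs)."""
    root = tempfile.mkdtemp(prefix="fake-sysfs-")
    for iface, mtu in mtus.items():
        os.makedirs(os.path.join(root, iface), exist_ok=True)
        with open(os.path.join(root, iface, "mtu"), "w") as fh:
            fh.write("%d\n" % mtu)
    return root


if __name__ == "__main__":
    release = os.uname().release
    for problem in check_afpacket(AF_PACKET, release) or ["no problems found"]:
        print(problem)
```

On the gateway itself the __main__ block uses the running kernel and /sys/class/net; the threads check is the one that matters when raising threads above 1 on an older 12.04 kernel, and the MTU check catches a mismatch before Suricata starts forwarding between the two interfaces.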
For all modes:
Blocking is performed by the operating system's standard packet filter (on Linux,
to enable IPS mode you need to install the netlink-queue and libnfnetlink
libraries).
sudo apt-get install libnetfilter-queue-dev
Check the module: sudo lsmod | grep queue
Load the module: sudo modprobe nfnetlink_queue