SNORT: Installing SNORT, Barnyard & Snorby GUI
Snort, Barnyard2 & Snorby 05 Oct 2014 , tagged on Network Security, IDS 4 min read
THIS POST IS WORK IN PROGRESS AND MAY BE UPDATED OVER THE NEXT DAYS
After a first failed attempt to install Snorby on an Arch Linux server (Snorby requires Ruby 1.9.x, Arch uses 2.x and I'm not willing to use the AUR version for this) I'm doing this on an Ubuntu 14.04 Server.
Snort
Before installing Snorby we have to install Snort itself. This can be done with sudo apt-get install snort. The installer asks for a network address range to use for HOME_NET. Since I'm not sure what to use here (the network may change), I just keep the default value. This can later be changed in the Snort config files.
For testing purposes I add a new rule file in /etc/snort/rules/ with a very basic rule that logs everything. You really shouldn't do this in production use, as it will flood your Snort output.
file: test.rules
alert ip any any -> any any (msg:"Someone tried to access the server"; sid:100001; rev:1; priority:2;)
To use the new rule file you have to include it in the Snort config /etc/snort/snort.conf by adding the line include $RULE_PATH/test.rules.
Configuration
To inspect outgoing traffic I had to add the -k none option to Snort to disable checksum verification for TCP connections (cf. serverfault): with checksum offloading the kernel has not yet computed the checksum when Snort captures an outgoing packet, so Snort would otherwise discard it as corrupt. The option can be made permanent by adding it to PARAMS in /etc/default/snort.
Rules
A common requirement for rules on a server is to inspect outgoing documents for suspicious content. Checking, for example, whether a served web page contains a certain string can be done as follows:
alert tcp any 80 -> any any (file_data; content:"Placeholder"; flow:to_client,established; msg:"Detected placeholder website"; sid:1000002; rev:1; priority:2;)
For this rule to work properly one has to make sure that snort.conf contains at least the following options in the http_inspect_server preprocessor line:
    extended_response_inspection \
    inspect_gzip \
    normalize_utf \
    server_flow_depth 0 \
    normalize_javascript
Snorby
Before installing Snorby I need to make sure that certain software is installed.
Prerequisites
The base system is a fresh Ubuntu 14.04 Server installation. Before installing Snorby we have to make sure that all requirements are installed. The Snorby website lists the following dependencies: git, ruby, ImageMagick and wkhtmltopdf. But installing the dependencies is not as easy as it sounds. I'm on a headless server and don't want to install video drivers. So what to do with the strange wkhtmltopdf package? And why the heck does a headless application need X? Luckily there is a Ruby gem of wkhtmltopdf that does not need any X component (the Snorby documentation is really bad here). So we just use sudo gem install wkhtmltopdf and we are good (ignore the errors during installation).
We also have to install ruby-dev and make on Ubuntu. Further we need mysql-server installed. To get Rails and Bundler we install them with sudo gem install bundler and sudo gem install rails.
Installing Snorby
Now we need to get the Snorby sources:
git clone https://github.com/Snorby/snorby
After changing into the snorby directory (cd snorby) we can install it using bundle install.
Now we have to configure Snorby so that it can read events from the database. To do so we copy database.yml.example in the config folder to database.yml and change the database configuration to access MySQL. Further we copy snorby_config.yml.example to snorby_config.yml and check that wkhtmltopdf and domain are correct in the production section. It turns out more dependencies are needed (in particular nokogiri needs more), so we also have to install libxml2-dev, libxslt-dev, libmysqlclient-dev and g++.
Now we should be able to run
bundle exec rake snorby:setup
to set up Snorby and start it with
bundle exec rails server -e production
Installing Barnyard2
To get the Snort output into our Snorby interface we use Barnyard2. Since there is no package for Ubuntu in the official repositories we have to build Barnyard2 from source:
git clone https://github.com/firnsy/barnyard2
To build Barnyard2 we need some development tools:
sudo apt-get install build-essential libtool autoconf libpcap-dev libmysqld-dev
After changing into the Barnyard2 directory (cd barnyard2) we run ./autogen.sh, configure it for MySQL with ./configure --with-mysql --with-mysql-libraries=/usr/lib/x86_64-linux-gnu/ (the additional library and include path are necessary on Ubuntu to find MySQL) and run make. I only enable MySQL here, but other outputs are possible. Finally, to install Barnyard2 we use sudo make install.
After installing Barnyard2 it needs configuration. First I copy the example config file with sudo cp etc/barnyard2.conf /etc/ before modifying it to run as a daemon and write to the database:
config daemon
config hostname: localhost
config interface: eth0
output database: log, mysql, user=root password=root dbname=snort host=localhost
config logdir: /var/log/barnyard2/
config waldo_file: /var/log/barnyard2/barnyard2.waldo
Database Setup
We have to set up the Barnyard2 database. We create a new database with create database snort;, get the Barnyard2 schema
wget https://raw.github.com/firnsy/barnyard2/master/schemas/create_mysql
and load it into our new database with mysql -u <user> -p snort < create_mysql.
Troubleshooting
I ran into the problem that Snort had no sid-msg.map. This can be created by running the following in /etc/snort:
/usr/share/oinkmaster/create-sidmap.pl rules/ > sid-msg.map
I ran into some further problems and had to create the waldo file manually, i.e.
sudo touch /var/log/barnyard2/barnyard2.waldo
sudo chown snort:snort /var/log/barnyard2/barnyard2.waldo
This still throws a warning that the waldo file is corrupt, but Barnyard2 is at least running. I got a lot of warnings of the form
WARNING: Can't extract timestamp extension from '..'using base
from old/corrupted snort log files. So I removed all logs from /var/log/snort/. Note that this warning is also shown when the snort log is empty!
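The sid-msg.map step above is where Barnyard2 learns which message belongs to a SID, so a rule without a map entry shows up in Snorby with no description. As an added example that is not part of the original post (and not code from Snort, Barnyard2 or oinkmaster), the script below does what the create-sidmap.pl invocation does, using the rule syntax from the Rules section: it parses each rule's header and its option list (splitting on semicolons while respecting quotes and backslash escapes), rejects rules with a missing or duplicate sid, and writes the v1 map layout, sid || msg || reference. The rule text at the bottom is constructed and consists of the two rules from this post plus a disabled (commented-out) one.

```python
"""Parse Snort rule files and build the sid-msg.map that Barnyard2 needs to map
an event's SID back to its alert message.

Added example for this post; it is not code from Snort, Barnyard2, oinkmaster
or the post's author. It writes the v1 layout ('sid || msg || reference ...');
the rule text at the bottom is constructed.
"""
import re
import sys
from pathlib import Path

HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>\w+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


def split_options(body):
    """Split the option body on ';', honouring quotes and backslash escapes."""
    parts, buf, quoted, i = [], [], False, 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):   # keep an escaped char verbatim
            buf.append(body[i:i + 2])
            i += 2
            continue
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf).strip())
    return [p for p in parts if p]


def parse_rule(line):
    """Return the header fields plus 'options': a list of (keyword, value)."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a rule: {line!r}")
    rule = m.groupdict()
    options = []
    for opt in split_options(rule.pop("opts")):
        key, _, value = opt.partition(":")
        options.append((key.strip(), value.strip().strip('"')))
    rule["options"] = options
    return rule


def iter_rules(text):
    """Yield rule lines: join backslash continuations, skip blanks and comments."""
    for line in re.sub(r"\\\s*\n", " ", text).splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line


def sid_msg_entries(text):
    """Return {sid: (msg, [references])}; missing or duplicate SIDs are errors."""
    entries = {}
    for line in iter_rules(text):
        opts = parse_rule(line)["options"]
        sids = [v for k, v in opts if k == "sid"]
        if len(sids) != 1:
            raise ValueError(f"rule without exactly one sid: {line!r}")
        sid = int(sids[0])
        if sid in entries:
            raise ValueError(f"duplicate sid {sid}")
        msg = next((v for k, v in opts if k == "msg"), "")
        entries[sid] = (msg, [v for k, v in opts if k == "reference"])
    return entries


def render_sid_msg_map(entries):
    """Serialise to the sid-msg.map v1 layout, one 'sid || msg || ref' line per rule."""
    return "".join(" || ".join([str(sid), msg, *refs]) + "\n"
                   for sid, (msg, refs) in sorted(entries.items()))


def sid_msg_map_for_dir(rules_dir):
    """Build the map for every *.rules file in a directory (e.g. /etc/snort/rules)."""
    text = "\n".join(p.read_text() for p in sorted(Path(rules_dir).glob("*.rules")))
    return render_sid_msg_map(sid_msg_entries(text))


# Constructed rules: the two rules from this post plus a commented-out (disabled) one.
SAMPLE_RULES = """\
alert ip any any -> any any (msg:"Someone tried to access the server"; sid:100001; rev:1; priority:2;)
alert tcp any 80 -> any any (file_data; content:"Placeholder"; \\
    flow:to_client,established; msg:"Detected placeholder website"; \\
    reference:url,example.com/placeholder; sid:1000002; rev:1; priority:2;)
# alert tcp any any -> any any (msg:"disabled rule"; sid:1000003; rev:1;)
"""

if __name__ == "__main__":
    # With a rules directory as argument the map goes to stdout, so it can be
    # redirected to sid-msg.map just like the create-sidmap.pl call in the post.
    print(sid_msg_map_for_dir(sys.argv[1]) if len(sys.argv) > 1
          else render_sid_msg_map(sid_msg_entries(SAMPLE_RULES)), end="")
```

Without arguments it prints the map for the constructed rules; the disabled rule is skipped, which matches what Barnyard2 needs, since events for it can never be generated.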
To start Barnyard2 now we use
sudo /usr/local/bin/barnyard2 -c /etc/barnyard2.conf -d /var/log/snort/ -f snort.out
where the first parameter sets the config file to use, the second tells Barnyard2 in which folder to look for Snort output files and the last one gives the base name of the Snort output files in that folder.
Testing the setup
To test whether Snorby is actually working I install and start Apache. This is not strictly necessary since my Snort rule from above is logging everything, but you may want to do this anyway to test some real rules. The Snorby web interface is located at http://<server ip>:3000/. The default credentials are
Username: snorby@snorby.org
Password: snorby