How to install Snort, Barnyard2, Snorby, Passenger, and Pulled Pork

https://es.oteric.info/articles/how-to-install-snort-barnyard2-snorby-passenger-and-pulled-pork

Set up a Source directory in your home directory and then install some of the required packages that you'll need:
# mkdir ~/Source
# sudo chown -R username:usergroup ~/Source

Note: when you run the command below, apt will prompt for input; for example, MySQL will ask you to enter a "root" password for the MySQL server. Make it secure and don't forget it.
# sudo apt-get update && sudo apt-get install apache2 libapache2-mod-php5 libwww-perl mysql-server mysql-common mysql-client \
php5-mysql libnet1 libnet1-dev libpcre3 libpcre3-dev autoconf libcrypt-ssleay-perl libmysqlclient-dev php5-gd php-pear \
libphp-adodb php5-cli libtool libssl-dev gcc-4.4 g++ automake gcc make flex bison apache2-doc ca-certificates vim

Now, install the Snort pre-requisites - libpcap, libdnet, and DAQ.

Install libpcap:
# cd ~/Source
# wget http://www.tcpdump.org/release/libpcap-1.1.1.tar.gz
# tar -zxf libpcap-1.1.1.tar.gz
# cd libpcap-1.1.1
# ./configure --prefix=/usr --enable-shared
# sudo su
# make && make install
# exit

Install libdnet:
# cd ~/Source
# wget http://libdnet.googlecode.com/files/libdnet-1.12.tgz
# tar -zxf libdnet-1.12.tgz
# cd libdnet-1.12
# ./configure --prefix=/usr --enable-shared
# sudo su
# make && make install
# exit

Install DAQ:
# cd ~/Source
# wget http://www.snort.org/dl/snort-current/daq-0.5.tar.gz
# tar -zxf daq-0.5.tar.gz
# cd daq-0.5

DAQ needs to be patched to properly recognize the buffer_size parameter.
# vi ~/Source/daq-0.5/os-daq-modules/daq_pcap.c

on line 219 replace:
context->buffer_size = strtol(entry->key, NULL, 10);

with:
context->buffer_size = strtol(entry->value, NULL, 10);

Now, configure and install DAQ:
# ./configure
# sudo su
# make && make install
# exit

Update the shared library path
# sudo su
# echo /usr/lib >> /etc/ld.so.conf && ldconfig
# exit

Now, install, configure & start Snort
# cd ~/Source
# wget http://www.snort.org/dl/snort-current/snort-2.9.0.4.tar.gz
# tar -zxf snort-2.9.0.4.tar.gz && cd snort-2.9.0.4
# ./configure --with-mysql --enable-dynamicplugin --enable-perfprofiling --enable-ipv6 --enable-zlib --enable-gre --enable-reload --enable-linux-smp-stats
# sudo su
# make && make install
# exit
# sudo mkdir /etc/snort /etc/snort/rules /var/log/snort /var/log/barnyard2 /usr/local/lib/snort_dynamicrules
# sudo groupadd snort && sudo useradd -g snort snort
# sudo chown snort:snort /var/log/snort /var/log/barnyard2
# sudo cp ~/Source/snort-2.9.0.4/etc/*.conf* /etc/snort
# sudo cp ~/Source/snort-2.9.0.4/etc/*.map /etc/snort

Now, we need to make some changes to the snort configuration file:
# sudo vi /etc/snort/snort.conf

Change these lines:
Line #39 - ipvar HOME_NET 192.168.1.0/24 – make this match your internal (friendly) network 
Line #42 - ipvar EXTERNAL_NET !$HOME_NET
Line #80 - var RULE_PATH ./rules – this assumes /etc/snort/rules
Line #186-#190 comment out all of the preprocessor normalize_ lines
Line #366 - add this: output unified2: filename snort.log, limit 128
Line #395 - delete or comment out all of the “include $RULE_PATH” lines except “local.rules”

Now, enter a simple test rule that we can trigger with ping:
# sudo vi /etc/snort/rules/local.rules

Add the following rule at the bottom of the local.rules file:
alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:10000001;)

Now we can start and test snort.
# sudo /usr/local/bin/snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

Ping the management IP address from another machine; alerts should be printed to the console like this:
02/09-11:29:43.450236 [**] [1:10000001:0] ICMP test [**] [Priority: 0] {ICMP} 172.26.12.1 -> 172.26.12.2
02/09-11:29:43.450251 [**] [1:10000001:0] ICMP test [**] [Priority: 0] {ICMP} 172.26.12.2 -> 172.26.12.1
02/09-11:29:44.450949 [**] [1:10000001:0] ICMP test [**] [Priority: 0] {ICMP} 172.26.12.1 -> 172.26.12.2
02/09-11:29:44.450957 [**] [1:10000001:0] ICMP test [**] [Priority: 0] {ICMP} 172.26.12.2 -> 172.26.12.1

If you see those alerts, then you have Snort working... Use ctrl-c to kill snort.
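As an added example (not part of the original guide), here is a small Python parser for the fast-alert lines Snort prints with -A console, run over the four lines above plus a constructed TCP alert and a non-alert line; it shows which fields (gid:sid:rev, priority, protocol, endpoints and optional ports) you can key on when triaging. Everything except the four ICMP lines is constructed sample input.

```python
import re
from typing import Dict, List, Optional, Tuple

# Snort "-A console" (fast alert) line layout: timestamp, [gid:sid:rev], message,
# optional [Classification: ...], [Priority: n], {proto}, src[:port] -> dst[:port].
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

def parse_alert(line: str) -> Optional[dict]:
    """Return the alert's fields as a dict, or None if the line is not a fast alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": d["ts"], "gid": int(d["gid"]), "sid": int(d["sid"]), "rev": int(d["rev"]),
        "msg": d["msg"], "classification": d["cls"], "priority": int(d["prio"]),
        "proto": d["proto"],
        "src": d["src"], "sport": int(d["sport"]) if d["sport"] else None,
        "dst": d["dst"], "dport": int(d["dport"]) if d["dport"] else None,
    }

def summarize(lines: List[str]) -> Tuple[Dict[tuple, int], int]:
    """Count alerts per (sid, src, dst); the second value is the number of lines
    that did not parse (for example Snort's own startup chatter)."""
    counts: Dict[tuple, int] = {}
    unparsed = 0
    for line in lines:
        rec = parse_alert(line)
        if rec is None:
            unparsed += 1
            continue
        key = (rec["sid"], rec["src"], rec["dst"])
        counts[key] = counts.get(key, 0) + 1
    return counts, unparsed

# The four console lines from the ping test above, plus one constructed TCP alert
# (with ports and a classification) and one constructed non-alert line.
SAMPLE_LINES = [
    "02/09-11:29:43.450236 [**] [1:10000001:0] ICMP test [**] [Priority: 0] {ICMP} 172.26.12.1 -> 172.26.12.2",
    "02/09-11:29:43.450251 [**] [1:10000001:0] ICMP test [**] [Priority: 0] {ICMP} 172.26.12.2 -> 172.26.12.1",
    "02/09-11:29:44.450949 [**] [1:10000001:0] ICMP test [**] [Priority: 0] {ICMP} 172.26.12.1 -> 172.26.12.2",
    "02/09-11:29:44.450957 [**] [1:10000001:0] ICMP test [**] [Priority: 0] {ICMP} 172.26.12.2 -> 172.26.12.1",
    "02/09-11:30:01.000000 [**] [1:2000001:1] constructed TCP test [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.0.0.5:44321 -> 10.0.0.9:22",
    "Commencing packet processing (pid=4211)",
]

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LINES)[0].items()):
        print(key, n)
```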

You will need to set up a MySQL database for Barnyard2 to be able to log the Snort events. (Skip this step if you're installing Snorby too, because Snorby creates all the necessary Snort tables as well as the Snorby-specific tables.)

So, log into MySQL and get the snort database all set up:
# mysql -u root -p 
mysql> create database snort;
mysql> grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort.* to snort@localhost;
mysql> grant ALL on snort.* to snorby@localhost;
mysql> SET PASSWORD FOR snort@localhost=PASSWORD('password');
mysql> SET PASSWORD FOR snorby@localhost=PASSWORD('password');
mysql> exit

Now we have to import the database schema:
# mysql -u root -p < ~/Source/snort-2.9.0.4/schemas/create_mysql snort
# mysql -u root -p
mysql> use snort;
mysql> show tables; # you should see the list of new tables you just imported.
mysql> exit;

Additional MySQL configurations:
# vi /etc/mysql/my.cnf

Change the bind-address to localhost:
bind-address = localhost

Now, we have to make sure that MySQL creates a pid file to track its own process id (this is needed by the snortbarn startup script explained later in this document).

Open /etc/mysql/my.cnf again and look for the third instance of this line (under the Basic Settings area):
socket = /var/run/mysqld/mysqld.sock

Add this line below the third instance of the socket line:
pid-file = /var/run/mysqld/mysqld.pid

Save my.cnf then run these two commands:
# touch /var/run/mysqld/mysqld.pid
# chown mysql:mysql /var/run/mysqld/mysqld.pid

Now, install the Snorby prerequisites:
# sudo apt-get install gcc g++ build-essential libssl-dev libreadline5-dev zlib1g-dev linux-headers-generic libsqlite3-dev libxslt-dev libxml2-dev libyaml-0-2 libyaml-dev libtcltk-ruby

Install the latest stable release of Ruby (as of this writing):
# wget http://ftp.ruby-lang.org//pub/ruby/1.9/ruby-1.9.2-p180.tar.gz
# tar -xvzf ruby-1.9.2-p180.tar.gz && cd ruby-1.9.2-p180
# ./configure
# sudo su
# make && make install
# exit

Now, install MySQL, git support and ImageMagick:
# sudo apt-get install imagemagick git-core libmysqlclient-dev mysql-server libmagickwand-dev

Install the gems needed by Snorby:
# sudo gem install tzinfo builder memcache-client rack rack-test erubis mail text-format bundler thor i18n sqlite3-ruby
# sudo gem install rack-mount --version=0.6.0
# sudo gem install rails --version=3.0.5
# sudo gem update

Install a pre-compiled version of wkhtmltopdf:
# cd ~/Source
# wget http://dl.dropbox.com/u/38088/wkhtmltopdf
# sudo cp wkhtmltopdf /usr/bin/

Now, install and configure Snorby.

Pull down the latest version of Snorby:
# cd /var/www
# sudo mkdir -p /var/www/snorby
# sudo adduser --system --home /var/www/snorby/ --no-create-home --group --shell /bin/bash snorby
# sudo usermod -a -G snorby www-data
# sudo git clone http://github.com/Snorby/snorby.git /var/www/snorby && cd /var/www/snorby

Install all the other gems by running the following:
# sudo bundle update
# sudo bundle pack
# sudo bundle install --path vendor/cache
# sudo chown -R www-data:www-data /var/www/snorby/
# sudo apache2ctl restart
# sudo vi /var/www/snorby/config/database.yml

The database.yml file should look something like this (with the real password substituted for 'password'):
snorby: &snorby
  adapter: mysql
  username: snorby
  password: password
  host: localhost
 
development:
  database: snort
  <<: *snorby
 
test:
  database: snort
  <<: *snorby
 
production:
  database: snort
  <<: *snorby

Then, configure Snorby system mail:
# sudo vi /var/www/snorby/config/email.yml

It should look something like this:
production:
  :address: smtp.domain.com
  :port: 25
  :authentication: plain
  :user_name: user
  :password: pass

Then, configure the mail initializer:
# sudo vi /var/www/snorby/config/initializers/mail_config.rb

Add the following block of code above the perform_deliveries call (or use the other example if you're not using sendmail):
ActionMailer::Base.delivery_method = :sendmail
ActionMailer::Base.sendmail_settings = {
   :location => '/usr/sbin/sendmail',
   :arguments => '-i -t'
}

Also, don't forget to fix the /var/www/snorby/config/snorby_config.yml file:
development:
  domain: snorby.crypsoft.com
  wkhtmltopdf: /usr/bin/wkhtmltopdf
 
test:
  domain: snorby.crypsoft.com
  wkhtmltopdf: /usr/bin/wkhtmltopdf
 
production:
  domain: snorby.crypsoft.com
  wkhtmltopdf: /usr/bin/wkhtmltopdf

If this is the first time setting up Snorby, then run this command to create the database schemas according to the database.yml settings:
# rake snorby:setup RAILS_ENV=production

If this isn't the first time setting up Snorby, then run this command (ALL DATA WILL BE LOST):
# rake snorby:reset RAILS_ENV=production

Now the snort database should be set up and ready to receive events from barnyard2.

Now, install and configure barnyard2:
# cd ~/Source
# wget http://www.securixlive.com/download/barnyard2/barnyard2-1.9.tar.gz
# tar -zxf barnyard2-1.9.tar.gz && cd barnyard2-1.9
# ./configure --with-mysql
# sudo su
# make && make install
# exit
# sudo mv /usr/local/etc/barnyard2.conf /etc/snort
# sudo vi /etc/snort/barnyard2.conf

Uncomment lines 60 and 61 and set them to the appropriate values for your environment:
config hostname: uboxee
config interface: eth0

Uncomment line 65 so that the hostname and interface will be included in alerts:
config alert_with_interface_name

Change line #215 to:
output alert_fast

At the end of the file add this line (substituting the snort database user's real password for 'password'):
output database: log, mysql, user=snort password=password dbname=snort host=localhost

Now start snort and barnyard2 with these commands:
# sudo /usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth0 &
# sudo /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf \
-d /var/log/snort -f snort.log -w /etc/snort/bylog.waldo \
-G /etc/snort/gen-msg.map -S /etc/snort/sid-msg.map \
-C /etc/snort/classification.config &

To see if it's working, ping the machine to see if anything gets output to the console by barnyard.

If it's working you can go ahead and stop snort and barnyard:
# sudo pkill snort
# sudo pkill barnyard2

Now, check to see if barnyard is correctly inserting events into the database:
# mysql -u snort -p -D snort -e "select count(*) from event"

If the count returned is greater than zero, then it is working.
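To see what barnyard2 is actually consuming from the unified2 files under /var/log/snort (and what the waldo file bookmarks its position in), here is an added Python reader for unified2 records; it is not part of the original guide. The 52-byte IPv4 IDS event layout (record type 7) is assumed from the legacy unified2 struct, and the sample log is constructed here, not taken from the page.

```python
import struct
from ipaddress import IPv4Address
from typing import Iterator, List, Tuple

# Every unified2 record starts with a 4-byte type and a 4-byte body length (network byte order).
HEADER = struct.Struct("!II")
UNIFIED2_PACKET = 2        # captured packet record, skipped here
UNIFIED2_IDS_EVENT = 7     # IPv4 IDS event: what barnyard2 turns into an "event" row
# Assumed legacy layout: sensor_id, event_id, event_second, event_microsecond, signature_id,
# generator_id, signature_revision, classification_id, priority_id, ip_source, ip_destination,
# sport_itype, dport_icode, protocol, impact_flag, impact, blocked (52 bytes in total).
IDS_EVENT = struct.Struct("!IIIIIIIIIIIHHBBBB")

def iter_records(blob: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (type, body) for each complete record. A truncated tail (Snort still writing it)
    is left unread, which is the situation barnyard2 resumes from using its waldo bookmark."""
    off = 0
    while off + HEADER.size <= len(blob):
        rtype, rlen = HEADER.unpack_from(blob, off)
        if off + HEADER.size + rlen > len(blob):
            break
        yield rtype, blob[off + HEADER.size:off + HEADER.size + rlen]
        off += HEADER.size + rlen

def decode_ids_event(body: bytes) -> dict:
    """Decode one IPv4 IDS event body into named fields."""
    f = IDS_EVENT.unpack_from(body)
    return {"sensor_id": f[0], "event_id": f[1], "timestamp": f[2] + f[3] / 1e6,
            "sid": f[4], "gid": f[5], "rev": f[6], "classification_id": f[7], "priority": f[8],
            "src": str(IPv4Address(f[9])), "dst": str(IPv4Address(f[10])),
            "sport_itype": f[11], "dport_icode": f[12], "protocol": f[13], "blocked": f[16]}

def events(blob: bytes) -> List[dict]:
    """Decode only the IPv4 IDS event records; other record types are skipped."""
    return [decode_ids_event(b) for t, b in iter_records(blob)
            if t == UNIFIED2_IDS_EVENT and len(b) >= IDS_EVENT.size]

def make_sample() -> bytes:
    """Constructed log: one event for the page's ICMP test rule (sid 10000001, echo request
    172.26.12.1 -> 172.26.12.2), one packet record, and a truncated trailing record."""
    ev = IDS_EVENT.pack(1, 1, 1297250983, 450236, 10000001, 1, 0, 0, 0,
                        int(IPv4Address("172.26.12.1")), int(IPv4Address("172.26.12.2")),
                        8, 0, 1, 0, 0, 0)
    pkt = b"\x00" * 20  # placeholder packet body, not decoded by this example
    return (HEADER.pack(UNIFIED2_IDS_EVENT, len(ev)) + ev
            + HEADER.pack(UNIFIED2_PACKET, len(pkt)) + pkt
            + HEADER.pack(UNIFIED2_IDS_EVENT, IDS_EVENT.size) + b"\x00" * 10)

if __name__ == "__main__":
    for e in events(make_sample()):
        print(e)
```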

Now, to make sure that snort and barnyard2 start automatically at each reboot, do the following:
# sudo vi /etc/init.d/snortbarn

Add all of the below code to the snortbarn file:
#! /bin/sh
### BEGIN INIT INFO
# Provides:          snortbarn
# Required-Start:    $remote_fs $syslog mysql
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# X-Interactive:     true
# Short-Description: Start Snort and Barnyard
### END INIT INFO

# Source (not execute) the init helpers so their variables and functions are available here
. /lib/init/vars.sh
. /lib/lsb/init-functions

# Read one setting (e.g. pid-file) from the mysqld defaults
mysqld_get_param() {
        /usr/sbin/mysqld --print-defaults | tr " " "\n" | grep -- "--$1" | tail -n 1 | cut -d= -f2
}

do_start() {
        #log_daemon_msg "Starting Snort and Barnyard" ""

        # Make sure mysql has finished starting: wait until its pid file exists and the pid is alive
        ps_alive=0
        while [ $ps_alive -lt 1 ]
        do
                pidfile=$(mysqld_get_param pid-file)
                if [ -f "$pidfile" ] && ps $(cat "$pidfile") >/dev/null 2>&1; then ps_alive=1; fi
                #echo "sleeping" >&2
                sleep 1
        done
        /sbin/ifconfig eth0 up
        /usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth0 &
        /usr/local/bin/barnyard2 -q -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /etc/snort/bylog.waldo -G /etc/snort/gen-msg.map -S /etc/snort/sid-msg.map -C /etc/snort/classification.config 2> /dev/null &
        #log_end_msg 0

        return 0
}

do_stop() {
        #log_daemon_msg "Stopping Snort and Barnyard" ""
        kill $(pidof snort) 2> /dev/null
        kill $(pidof barnyard2) 2> /dev/null
        #log_end_msg 0

        return 0
}

case "$1" in
  start)
        do_start
        ;;
  stop)
        do_stop
        ;;
  restart)
        do_stop
        do_start
        ;;
  *)
        echo "Usage: snortbarn {start|stop|restart}" >&2
        exit 3
        ;;
esac
exit 0

Make the script executable:
# chmod 755 /etc/init.d/snortbarn

Then, make the two included scripts executable:
# chmod 755 /lib/init/vars.sh
# chmod 755 /lib/lsb/init-functions

Now, test it out to make sure it is working as it should.

Restart mysql to make sure the mysqld.pid file is getting created on startup:
# service mysql restart
# cat /var/run/mysqld/mysqld.pid

If the mysql process id displays, then it's working.

Now run the snortbarn script:
# /etc/init.d/snortbarn start

Check to see if snort and barnyard2 started successfully:
# ps -ef | grep snort

You should see output that looks something like this:
snort 4211 1 1 18:39 pts/0 00:00:00 /usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth0
root 4212 1 1 18:39 pts/0 00:00:00 /usr/local/bin/barnyard2 -q -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /etc/snort/bylog.waldo -G /etc/snort/gen-msg.map -S /etc/snort/sid-msg.map -C /etc/snort/classification.config

If so, then you're done with that step.

Now, install Passenger for running Ruby on Rails with Apache

Install one dependency for Passenger:
# sudo apt-get install libcurl4-openssl-dev

Install Passenger and any modules it needs:
# sudo su
# gem install --no-ri --no-rdoc --version 3.0.3 passenger
# /usr/local/lib/ruby/gems/1.9.1/gems/passenger-3.0.3/bin/passenger-install-apache2-module -a
# echo "LoadModule passenger_module /usr/local/lib/ruby/gems/1.9.1/gems/passenger-3.0.3/ext/apache2/mod_passenger.so" > /etc/apache2/mods-available/passenger.load
# echo "" > /etc/apache2/mods-available/passenger.conf
# echo " PassengerRoot /usr/local/lib/ruby/gems/1.9.1/gems/passenger-3.0.3" >> /etc/apache2/mods-available/passenger.conf
# echo " PassengerRuby /usr/local/bin/ruby" >> /etc/apache2/mods-available/passenger.conf
# echo "" >> /etc/apache2/mods-available/passenger.conf
# a2enmod passenger
# a2enmod rewrite
# a2enmod ssl
# exit

Restart apache to apply the changes:
# sudo apache2ctl restart

Check to make sure apache started properly:
# ps -ef | grep apache2

Now, one last step to get the Snorby bundle ready:
# cd /var/www/snorby
# sudo bundle install
# sudo bundle pack
# sudo bundle install --path vendor/cache
# sudo chown -R www-data:www-data vendor/
# sudo apache2ctl restart

Now, clean up any test-related entries that might be in the database (run these in the mysql client):
truncate snort.caches;
truncate snort.delayed_jobs;
truncate snort.data;
truncate snort.event;
truncate snort.icmphdr;
truncate snort.iphdr;
truncate snort.notes;
truncate snort.opt;
truncate snort.signature;
truncate snort.tcphdr;
truncate snort.udphdr;

Now, install pulledpork and pull down the latest rules
# cd ~/Source
# wget http://pulledpork.googlecode.com/files/pulledpork-0.5.0.tar.gz
# tar -zxf pulledpork-0.5.0.tar.gz && cd pulledpork-0.5.0
# sudo su
# cp pulledpork.pl /usr/local/bin && cp etc/*.conf /etc/snort
# vi /etc/snort/pulledpork.conf

Comment out lines 20 & 24
Line 56: change to: rule_path=/etc/snort/rules/snort.rules
Line 64: change to: rule_path=/etc/snort/rules/local.rules
Line 67: change to: sid_msg=/etc/snort/sid-msg.map
Line 90: change to: config_path=/etc/snort/snort.conf
Line 101: change to: distro=Lucid-Lynx
Line 133: Uncomment and change to: snort_version=2.9.0.4
Line 137: Uncomment and change to: /etc/snort/enablesid.conf
Line 139: Uncomment and change to: /etc/snort/disablesid.conf
Line 140: Uncomment and change to: /etc/snort/modifysid.conf

Now, disable all block (fwsam) rules
# echo pcre:fwsam >> /etc/snort/disablesid.conf

Fix an apparent typo in the modifysid.conf file:
# vi /etc/snort/modifysid.conf

change last line to:
302,429,1821 "$EXTERNAL_NET" "$HOME_NET"

Run pulledpork
# /usr/local/bin/pulledpork.pl -c /etc/snort/pulledpork.conf -T -l

You should now see local.rules and snort.rules in /etc/snort/rules.

Clean Up:
# rm /var/www/index.html
# chmod 755 /var/www/base
# pkill snort && pkill barnyard2
# rm -rf /var/log/snort/* /var/log/barnyard2/*

Don't forget to comment out the test rule and enable the newly pulled rules (snort.rules):
# vi /etc/snort/rules/local.rules – Comment out the test rule
# vi /etc/snort/snort.conf – Line 394: add: include $RULE_PATH/snort.rules
# exit


Comments

I'm getting the following error on startup:

/etc/init.d/snortbarn: 28: Syntax error: word unexpected (expecting "done")

This corresponds to "ps_live=0" line, which is in the script.

Also when I restart mysql after creating the snortbarn script, it doesn't show me the pid of mysql. Instead it shows the following:

"Checking for tables which need an upgrade, are corrupt or were not closed cleanly "

Then after running the script & checking to see if snort & barnyard2 started successfully, I don't get the output listed here.

Any ideas what the problem might be?

TIA

Followup to my earlier post:

The line to check mysql is running should be changed to : "cat /var/run/mysqld/mysqld.pid". After running that, it shows the pid.
However, the problem with starting snortbarn script persists and I still haven't found a resolution for it, even after Googling it all over!

admin:

Did you find a resolution yet?

Here are some things to try:

What is the output of this command?
/usr/sbin/mysqld --print-defaults | tr " " "\n" | grep -- "--pid-file" | tail -n 1 | cut -d= -f2

If that is not outputting the path to your pid file, then that might be part of the issue.

If it does output the path to your mysql pid file, then run this command after replacing the path to your mysql pid file:
ps `cat /path/to/mysql.pid`

That should output the process (i.e. "ps") output specific to your running mysql instance.

If all of that works, then let me know and I'll see if I can come up with any other ideas about why the script is not working for you.

By the way...what version of Linux and MySQL are you running? Did you compile MySQL from source or did you install it from a .deb file? Or, did you use apt-get or some other package manager?

After running the following command, I was expecting to see the database import, but I did not see any database. The database is empty and there are no tables.

Now we have to import the database schema:
# mysql -u root -p # mysql -u root -p
mysql> use snort;
mysql> show tables; # you should see the list of new tables you just imported.
mysql> exit;

admin:

Good catch. It seems to have been caused by some kind of bug in Drupal.

The line:
mysql -u root -p < ~/Source/snort-2.9.0.4/schemas/create_mysql snort

Was only showing up as:
mysql -u root -p

So, in my page markup, I had to html encode the < like this:
mysql -u root -p &lt; ~/Source/snort-2.9.0.4/schemas/create_mysql snort

Now, it shows up properly.

Thanks for catching that.

Hi, I just found a PDF containing a Snort on Debian Howto. It looks so much like this page that I can't help but wonder if you are the author of that pdf, or if they plagiarised you ;-)

The following is not really needed:

# chmod 755 /lib/init/vars.sh
# chmod 755 /lib/lsb/init-functions

Just source them instead of executing them by putting a dot in front of them.

Also, it's /dev/null, not /dev/nul.

hi,
i want to ask, why if i type:
"# mkdir ~/Source
# sudo chown -R username:usergroup ~/Source"

it didn't recognize "username:usergroup"?

admin:

Seriously?

