Snort


Snort, Barnyard2, Snorby and PulledPork Install on CentOS 6.5

Overview

This is a complete installation guide for building a Snort/Barnyard2/Snorby/PulledPork server on CentOS 6.5.

Snort is the IDS/IPS. The configuration below puts Snort in inline mode as an IPS, so you can write rules that block traffic. The Snort sensor in this case acts as a router, or as a firewall if iptables is used.

Barnyard2 handles the Snort logs, which takes the logging work off Snort itself. Barnyard2 takes the logs from Snort and moves them into a MySQL database so Snorby can monitor them. This is also great for setting up remote Snort/Barnyard2 IDS/IPS sensors: it lets the remote sensors send their logs to the central MySQL database.

Snorby is the IDS/IPS monitoring system. It acts like a SIEM for the IDS/IPS sensors and has a nice dashboard for viewing events.

PulledPork connects to www.snort.org and pulls down new signature files. A cron job determines how often this is performed.

Before installing

Ensure that both interfaces are set to promiscuous mode. My two interfaces are eth2 and eth3. You can use the following command (repeat it for eth3):

    ifconfig eth2 promisc

To make the change permanent, add the following to the interface configuration file:

    cd /etc/sysconfig/network-scripts/
    vi ifcfg-eth2

    PROMISC=yes

Snort Installation and Configuration

Snort can sniff your network and, if there is an attack on it, alert the IPS administrator, log and/or block the traffic based on the rule database. It is an open-source system built on libpcap, the library also used by tcpdump and Wireshark.

This installation guide can be used for installing inline Snort only, or as part of the series for installing Snort, Barnyard2, Snorby and PulledPork.

Prerequisites

If you are sitting behind a proxy, enter the following at a command line:

    export http_proxy=http://username:password@proxy_ip:port
    export https_proxy=http://username:password@proxy_ip:port
    export ftp_proxy=http://username:password@proxy_ip:port

Update your system using yum update and reboot:

    yum update -y
    reboot

Download the necessary libdnet files from a browser and install them via rpm:

    http://www.rpmfind.net/linux/rpm2html/search.php?query=libdnet-devel
    http://rpmfind.net/linux/rpm2html/search.php?query=libdnet

    rpm -i libdnet-1.12-9mgc30.x86_64.rpm
    rpm -i libdnet-devel-1.12-9mgc26.i686.rpm

Install PCRE (Perl-compatible regular expressions) and the remaining prerequisite packages:

    yum install pcre pcre-devel gcc make flex byacc bison kernel-devel libxml2-devel wget -y

Create a directory for the Snort prerequisite sources:

    mkdir /usr/local/src/snort
    cd /usr/local/src/snort

Download and install libpcap:

    wget http://www.tcpdump.org/release/libpcap-1.3.0.tar.gz -O libpcap.tar.gz
    tar zxvf libpcap.tar.gz
    cd libpcap-*
    ./configure && make && make install
    echo /usr/local/lib >> /etc/ld.so.conf
    ldconfig -v

Download and install DAQ:

    cd /usr/local/src/snort
    wget http://www.snort.org/dl/snort-current/daq-2.0.0.tar.gz -O daq.tar.gz
    tar zxvf daq.tar.gz
    cd daq-*
    ./configure && make && make install
    ldconfig -v

Create the snort user and group:

    groupadd snort
    useradd -g snort snort

Install Snort

Download and install Snort:

    cd /usr/local/src/snort
    wget http://www.snort.org/dl/snort-current/snort-2.9.4.6.tar.gz -O snort.tar.gz
    tar zxvf snort.tar.gz
    cd snort-2*
    ./configure --prefix=/usr/local/snort --enable-sourcefire && make && make install

Create links for the Snort files:

    ln -s /usr/local/snort/bin/snort /usr/sbin/snort
    ln -s /usr/local/snort/etc /etc/snort

Configure the Snort startup script to run at boot:

    cp rpm/snortd /etc/init.d/
    chmod +x /etc/init.d/snortd
    cp rpm/snort.sysconfig /etc/sysconfig/snort
    chkconfig --add snortd

Delete everything between the following two lines in the Snort startup script:

    vi /etc/init.d/snortd

    cd $LOGDIR
    ...
    touch /var/lock/subsys/snort

Add the following lines below cd $LOGDIR:

    # Next line for inline mode
    daemon /usr/sbin/snort -D -Q --daq afpacket -c /etc/snort/snort.conf -i eth2:eth3

Change and comment out the following variables in /etc/sysconfig/snort, and add a trailing / to the LOGDIR variable:

    vi /etc/sysconfig/snort

    INTERFACE=eth2:eth3
    LOGDIR=/var/log/snort/
    #ALERTMODE=fast
    #BINARY_LOG=1

Download the Snort rules file from http://www.snort.org/snort-rules to /usr/local/src/snort. You have to register on the site to get the free registered-user rules, or you can pay and get the most up-to-date rules as a subscriber.

Extract the rules file in the newly created directory:

    cd /usr/local/snort
    tar zxvf /usr/local/src/snort/snortrules-snapshot-2*

Create the directory for Snort logging:

    mkdir -p /usr/local/snort/var/log
    chown snort:snort /usr/local/snort/var/log
    ln -s /usr/local/snort/var/log /var/log/snort

Create links for the dynamic rules files and directories:

    ln -s /usr/local/snort/lib/snort_dynamicpreprocessor /usr/local/lib/snort_dynamicpreprocessor
    ln -s /usr/local/snort/lib/snort_dynamicengine /usr/local/lib/snort_dynamicengine
    ln -s /usr/local/snort/lib/snort_dynamicrules /usr/local/lib/snort_dynamicrules

Set Snort permissions:

    chown -R snort:snort /usr/local/snort

Comment out or delete all reputation preprocessor configuration lines in snort.conf, set the DAQ to inline mode, and configure the output plugin:

    vi /usr/local/snort/etc/snort.conf

    config daq: afpacket
    config daq_dir: /usr/local/lib/daq
    config daq_mode: inline
    config policy_mode: inline

    #preprocessor reputation: \
    #    memcap 500, \
    #    priority whitelist, \
    #    nested_ip inner, \
    #    whitelist $WHITE_LIST_PATH/white_list.rules, \
    #    blacklist $BLACK_LIST_PATH/black_list.rules

    output unified2: filename snort.u2, limit 128

Create the dynamic rules directory:

    mkdir /usr/local/snort/lib/snort_dynamicrules

Copy the dynamic rules files. On an i386 system:

    cp /usr/local/snort/so_rules/precompiled/RHEL-6-0/i386/2.9*/*so /usr/local/snort/lib/snort_dynamicrules/

On an x86_64 system:

    cp /usr/local/snort/so_rules/precompiled/RHEL-6-0/x86-64/2.9*/*so /usr/local/snort/lib/snort_dynamicrules/

Dump the stub rules:

    snort -c /usr/local/snort/etc/snort.conf --dump-dynamic-rules=/usr/local/snort/so_rules

Enable the Snort dynamic rules configuration at the end of the snort.conf file:

    vi /usr/local/snort/etc/snort.conf

    # dynamic library rules
    include $SO_RULE_PATH/bad-traffic.rules
    include $SO_RULE_PATH/chat.rules
    include $SO_RULE_PATH/dos.rules
    include $SO_RULE_PATH/exploit.rules
    include $SO_RULE_PATH/icmp.rules
    include $SO_RULE_PATH/imap.rules
    include $SO_RULE_PATH/misc.rules
    include $SO_RULE_PATH/multimedia.rules
    include $SO_RULE_PATH/netbios.rules
    include $SO_RULE_PATH/nntp.rules
    include $SO_RULE_PATH/p2p.rules
    include $SO_RULE_PATH/smtp.rules
    include $SO_RULE_PATH/snmp.rules
    include $SO_RULE_PATH/specific-threats.rules
    include $SO_RULE_PATH/web-activex.rules
    include $SO_RULE_PATH/web-client.rules
    include $SO_RULE_PATH/web-iis.rules
    include $SO_RULE_PATH/web-misc.rules

Test the Snort configuration:

    snort -i eth2:eth3 -c /usr/local/snort/etc/snort.conf -T

Install Barnyard2

Install MySQL:

    yum install mysql mysql-devel git libtool -y

Download Barnyard2 and run autogen:

    cd /usr/local/src/snort
    git clone https://github.com/firnsy/barnyard2.git barnyard2
    cd barnyard2
    ./autogen.sh

Configure Barnyard2. On an i386 system:

    ./configure --with-mysql

On an x86_64 system:

    ./configure --with-mysql --with-mysql-libraries=/usr/lib64/mysql

Install Barnyard2:

    make && make install

Configure the Barnyard2 start script to run at boot:

    cp rpm/barnyard2 /etc/init.d/
    chmod +x /etc/init.d/barnyard2
    cp rpm/barnyard2.config /etc/sysconfig/barnyard2
    chkconfig --add barnyard2

Create links for the Barnyard2 files and create the archive directory:

    ln -s /usr/local/etc/barnyard2.conf /etc/snort/barnyard.conf
    ln -s /usr/local/bin/barnyard2 /usr/bin/
    mkdir -p /var/log/snort/eth2/archive/

Change the Barnyard2 chkconfig start/stop priorities, and change -L to -l on the BARNYARD_OPTS= line of the Barnyard2 startup script:

    vi /etc/init.d/barnyard2

    # chkconfig: 2345 70 60
    BARNYARD_OPTS="-D -c $CONF -d $SNORTDIR/${INT} -w $WALDO_FILE -l $SNORTDIR/${INT} -a $ARCHIVEDIR -f $LOG_FILE -X $PIDFILE $EXTRA_ARGS"

    chkconfig barnyard2 reset

Edit the LOG_FILE variable in the Barnyard2 sysconfig file:

    vi /etc/sysconfig/barnyard2

    LOG_FILE=snort.u2

Start Snort and Barnyard2:

    chkconfig snortd on
    chkconfig barnyard2 on
    service snortd start
    service barnyard2 start

Barnyard2 installation completed. Now that we have the Snort server running and Barnyard2 writing the Snort logs, we can install our Snort monitoring application, Snorby, to see and analyze the Snort data in a convenient web application.

Install Snorby

Install Apache and the prerequisite packages:

    yum install libyaml-devel httpd git ImageMagick ImageMagick-devel libxml2-devel libxslt-devel gcc-c++ curl-devel httpd-devel apr-devel apr-util-devel readline-devel -y

If there are issues with libyaml-devel, go to pkgs.repoforge.org/libyaml and download the latest libyaml and libyaml-devel rpm packages. Make sure the versions match, and install the libyaml package first.

Because the ruby package fails with CentOS 4+, you will need to install Ruby via RVM:

    \curl -L https://get.rvm.io | bash -s head
    /usr/local/rvm/bin/rvm get head
    /usr/local/rvm/bin/rvm install 1.9.3
    cd /usr/local/rvm/src/ruby-1.9.3-p194
    ./configure && make && make install

Install the openssl extension:

    cd ext/openssl
    ruby extconf.rb
    make && make install

Install the gem dependencies:

    gem install thor i18n bundler tzinfo builder memcache-client rack rack-test erubis mail rack-mount rails --no-rdoc --no-ri
    gem install rake --version=0.9.2 --no-rdoc --no-ri
    gem uninstall rake --version=0.9.2.2

Download and install wkhtmltopdf:

    cd /usr/local/src/snort

For i386:

    wget http://wkhtmltopdf.googlecode.com/files/wkhtmltopdf-0.9.9-static-i386.tar.bz2
    tar jxvf wkhtmltopdf-0*
    mv wkhtmltopdf-i386 /usr/local/bin/wkhtmltopdf

For x86_64:

    wget http://wkhtmltopdf.googlecode.com/files/wkhtmltopdf-0.9.9-static-amd64.tar.bz2
    tar jxvf wkhtmltopdf-0*
    mv wkhtmltopdf-amd64 /usr/local/bin/wkhtmltopdf

Then, for either architecture:

    chown root:root /usr/local/bin/wkhtmltopdf

Download and configure Snorby:

    cd /var/www/html
    git clone https://github.com/Snorby/snorby.git
    cd /var/www/html/snorby/config
    bundle install

Configure the Snorby database and Snorby configuration files:

    cd /var/www/html/snorby/config/
    mv database.yml.example database.yml
    mv snorby_config.yml.example snorby_config.yml
    vim database.yml

    snorby: &snorby
      adapter: mysql
      username: root
      password: humus
      host: localhost

    vim snorby_config.yml

    production:
      domain: demo.snorby.org
      wkhtmltopdf: /usr/local/bin/wkhtmltopdf
      ssl: false
      mail_sender: [email protected]
      geoip_uri: http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz
      rules:
        - /usr/local/snort/rules
        - /usr/local/snort/so_rules
      authentication_mode: database

Complete the Snorby installation and setup:

    cd /var/www/html/snorby
    rake snorby:setup
    chown -R apache:apache /var/www/html/snorby

Set the MySQL root password:

    chkconfig --add mysqld
    chkconfig mysqld on
    service mysqld start
    mysqladmin password humus

Configure Barnyard2 to output alerts to the Snorby database:

    vi /etc/snort/barnyard.conf

    output database: log, mysql, user=root password=humus dbname=snorby host=localhost

Restart Barnyard2:

    service barnyard2 stop
    service barnyard2 start

Install the Passenger module for Apache:

    gem install passenger
    cd /usr/local/lib/ruby/gems/1.9.1/gems/passenger-4.0.35/bin
    ./passenger-install-apache2-module

Configure and restart Apache. Below the commented-out example virtual host at the end of httpd.conf, add the Passenger directives and a virtual host for Snorby:

    vi /etc/httpd/conf/httpd.conf

    ## ServerAdmin [email protected]
    # DocumentRoot /www/docs/dummy-host.example.com
    # ServerName dummy-host.example.com
    # ErrorLog logs/dummy-host.example.com-error_log
    # CustomLog logs/dummy-host.example.com-access_log common
    #

    LoadModule passenger_module /usr/local/lib/ruby/gems/1.9.1/gems/passenger-4.0.35/buildout/apache2/mod_passenger.so
    PassengerRoot /usr/local/lib/ruby/gems/1.9.1/gems/passenger-4.0.35
    PassengerDefaultRuby /usr/local/bin/ruby

    <VirtualHost *:80>
        ServerAdmin [email protected]
        ServerName snorby.demo.com
        DocumentRoot /var/www/html/snorby/public
        <Directory /var/www/html/snorby/public>
            AllowOverride all
            Order deny,allow
            Allow from all
            Options -MultiViews
        </Directory>
    </VirtualHost>

Then restart Apache and enable it at boot:

    service httpd restart
    chkconfig httpd on

Browse to http://<snorby-server> (the address of the server you just configured) and log in to Snorby with the default username/password [email protected]/snorby.

If you get an error, run bundle install and bundle exec rake snorby:setup again from the /var/www/html/snorby directory. Also, if the Snorby worker is not running, run:

    cd /var/www/html/snorby
    ruby script/delayed_job start RAILS_ENV=production

PulledPork

About

PulledPork is an open-source Perl script that can automatically update Snort rules. PulledPork downloads the signature files on the schedule set by the cron job. Note that all rules end up in the single snort.rules file; this can be overwhelming if you like keeping your Snort rules split by signature type. You cannot mix the snort.rules file in the same directory with the Snort rules installed earlier, because you will end up with duplicate signatures and SIDs.

Prerequisite: a working Snort installation.

Install the Perl modules:

    yum install perl-Crypt-SSLeay perl-libwww-perl perl-Archive-Tar -y

Install PulledPork

Download and extract PulledPork:

    cd /usr/local/src/snort
    wget http://pulledpork.googlecode.com/files/pulledpork-0.6.1.tar.gz -O pulledpork.tar.gz
    cd /usr/local/snort
    tar zxvf /usr/local/src/snort/pulledpork.tar.gz
    mv pulledpork-0.6.1 pulledpork

Generate an Oinkcode at the Snort web site. If you are not already registered on the Snort web site, do it now at https://www.snort.org/signup. Then log in, go to the Snort home page, click "Get Snort Oinkcode" at the bottom in the Snort Links section, click "Generate Code" and copy your new Oinkcode.

Change the following in the PulledPork configuration file:

    vi /usr/local/snort/pulledpork/etc/pulledpork.conf

    rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<paste your Oinkcode here>
    # get the rule docs!
    #rule_url=https://www.snort.org/reg-rules/|opensource.gz|
    #rule_url=https://rules.emergingthreats.net/|emerging.rules.tar.gz|open
    # THE FOLLOWING URL is for etpro downloads, note the tarball name change!
    # and the et oinkcode requirement!
    #rule_url=https://rules.emergingthreats.net/|etpro.rules.tar.gz|
    rule_path=/usr/local/snort/etc/rules/snort.rules
    local_rules=/usr/local/snort/etc/rules/local.rules
    # Where should I put the sid-msg.map file?
    sid_msg=/usr/local/snort/etc/sid-msg.map
    # Path to the snort binary, we need this to generate the stub files
    snort_path=/usr/local/snort/bin/snort
    # We need to know where your snort.conf file lives so that we can
    # generate the stub files
    config_path=/usr/local/snort/etc/snort.conf
    # This is the file that contains all of the shared object rules that pulledpork
    # has processed, note that this has changed as of 0.4.0 just like the rules_path!
    sostub_path=/usr/local/snort/etc/rules/so_rules.rules
    # For CentOS 6.x you can use RHEL-6-0
    distro=Ubuntu-10.04
    pid_path=/var/run/snort_eth0.pid

Change the RULE_PATH variable in the Snort configuration file:

    vi /usr/local/snort/etc/snort.conf

    var RULE_PATH /usr/local/snort/etc/rules

Remove all of the existing Snort rules include lines (the pattern must be single-quoted so the shell does not expand $RULE_PATH):

    sed -i '/^include \$RULE_PATH/d' /usr/local/snort/etc/snort.conf

Add the following include files to the Snort configuration file:

    echo include \$RULE_PATH/snort.rules >> /usr/local/snort/etc/snort.conf
    echo include \$RULE_PATH/local.rules >> /usr/local/snort/etc/snort.conf
    echo include \$RULE_PATH/so_rules.rules >> /usr/local/snort/etc/snort.conf

Create the rules directory:

    mkdir /usr/local/snort/etc/rules

Create your local rules file. If you already have one, copy it:

    cp /usr/local/snort/rules/local.rules /usr/local/snort/etc/rules/

If you don't have a local rules file, create an empty one:

    touch /usr/local/snort/etc/rules/local.rules

Run PulledPork for the first time:

    /usr/local/snort/pulledpork/pulledpork.pl -c /usr/local/snort/pulledpork/etc/pulledpork.conf

Schedule PulledPork to run every day by adding the following line to the end of the crontab file:

    vi /etc/crontab

    0 0 * * * root /usr/local/snort/pulledpork/pulledpork.pl -c /usr/local/snort/pulledpork/etc/pulledpork.conf

You will also need to change your snorby_config.yml file so that the rules paths point at the PulledPork rules directory:

    cd /var/www/html/snorby/config
    vim snorby_config.yml

    production:
      domain: demo.snorby.org
      wkhtmltopdf: /usr/local/bin/wkhtmltopdf
      ssl: false
      mail_sender: [email protected]
      geoip_uri: http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz
      rules:
        - /usr/local/snort/etc/rules
        - /usr/local/snort/so_rules
      authentication_mode: database

PulledPork installation completed. Every day PulledPork will now run and update your rules files from the Snort site.
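The duplicate-SID problem that the PulledPork section warns about (the combined snort.rules sitting next to the per-category rules files that snort.conf still includes) can be caught before Snort complains at startup. The checker below is an added example, not part of the original guide or of PulledPork: it resolves the include lines of a snort.conf the way Snort does and reports every SID that is loaded from more than one file. SNORT_CONF and RULE_FILES are constructed stand-ins for the real files on disk.

```python
import re
from collections import defaultdict
# Constructed snort.conf fragment: RULE_PATH as set in the PulledPork section, the
# PulledPork includes, plus one stale per-category include left from the earlier layout.
SNORT_CONF = """
var RULE_PATH /usr/local/snort/etc/rules
var SO_RULE_PATH /usr/local/snort/so_rules
include $RULE_PATH/snort.rules
include $RULE_PATH/local.rules
include $SO_RULE_PATH/exploit.rules
"""
# Constructed rule files keyed by resolved path (stand-ins for the files on disk).
RULE_FILES = {
    "/usr/local/snort/etc/rules/snort.rules": (
        'alert tcp any any -> any 80 (msg:"demo http"; sid:1000001; rev:1;)\n'
        'drop tcp any any -> any 23 (msg:"demo telnet"; sid:1000002; rev:1;)\n'
    ),
    "/usr/local/snort/etc/rules/local.rules": (
        '# alert icmp any any -> any any (msg:"disabled"; sid:1000002; rev:1;)\n'
        'alert icmp any any -> any any (msg:"demo icmp"; sid:1000003; rev:1;)\n'
    ),
    "/usr/local/snort/so_rules/exploit.rules": (
        'alert tcp any any -> any 80 (msg:"demo http"; sid:1000001; rev:1;)\n'
    ),
}
VAR_RE = re.compile(r"^\s*var\s+(\w+)\s+(\S+)")
INCLUDE_RE = re.compile(r"^\s*include\s+(\S+)")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

def included_rule_files(conf_text):
    """Return the include paths in conf_text with $VAR references resolved."""
    variables, paths = {}, []
    for line in conf_text.splitlines():
        m = VAR_RE.match(line)
        if m:
            variables[m.group(1)] = m.group(2)
            continue
        m = INCLUDE_RE.match(line)
        if m:  # expand $NAME with the var lines seen so far, as snort.conf does
            paths.append(re.sub(r"\$(\w+)", lambda v: variables.get(v.group(1), v.group(0)),
                                m.group(1)))
    return paths

def duplicate_sids(conf_text, rule_files):
    """Map each SID loaded from more than one included file to the files it appears in."""
    seen = defaultdict(list)
    for path in included_rule_files(conf_text):
        for line in rule_files.get(path, "").splitlines():
            if line.lstrip().startswith("#"):
                continue  # commented-out rules are not loaded by Snort
            m = SID_RE.search(line)
            if m:
                seen[int(m.group(1))].append(path)
    return {sid: files for sid, files in seen.items() if len(files) > 1}
```

To run it against a real sensor, read snort.conf and each resolved include path from disk and pass the contents in place of the constructed SNORT_CONF and RULE_FILES.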
