March 3, 2015

Install Snorby for Suricata on CentOS 7

These instructions are for setting up Snorby and processing Suricata's unified2 logs into the Snorby database.


 

Prerequisites:

A working CentOS 7 installation with Suricata.

The EPEL repository for CentOS 7.

SELinux set to permissive.

Install the CentOS development tools: yum groupinstall "Development Tools"

Install the prerequisites available via yum: yum install git ImageMagick wkhtmltopdf zlib-devel mariadb-server mariadb-devel libxml2-devel libxslt-devel libpcap-devel libdnet libdnet-devel httpd httpd-devel libcurl-devel

Install the DAQ binary from snort.org: rpm -ihv https://www.snort.org/downloads/snort/daq-2.0.4.centos7.x86_64.rpm

Optional: yum install phpmyadmin php


 

Setup MariaDB (MySQL):

systemctl enable mariadb

systemctl start mariadb

mysql_secure_installation

Create a snorby MySQL database and user.

    Log in to MySQL: mysql -u root -p

    Create the Snorby database: create database snorby;

    Create the Snorby user: create user 'snorby'@'localhost' identified by 'snorbypass';

    Grant all privileges to user snorby on database snorby: grant all privileges on snorby.* to 'snorby'@'localhost';

    Reload the privileges: flush privileges;

Setup Ruby & Rails:

The yum package for ruby is too new for Snorby. Install RVM (Ruby Version Manager) to install a previous version of ruby.

curl -sSL https://get.rvm.io | bash -s stable

Log-out and log-in to get RVM in your path.

Install required dependencies for RVM: rvm requirements

Install ruby 1.9.3: rvm install 1.9.3

Set the default Ruby version: rvm use 1.9.3 --default

Update Ruby Gems: gem update

Install Rails: gem install rails

Setup Snorby:

Change to the /srv directory and download Snorby: git clone https://github.com/Snorby/snorby.git

Change to the Snorby download directory and run: bundle install

Change to the Snorby/config directory

Copy database.yml.example to database.yml and snorby_config.yml.example to snorby_config.yml

Edit database.yml and enter your database credentials.

Edit snorby_config.yml and update the production settings to match your environment.

Set up the Snorby database: bundle exec rake snorby:setup

Test Snorby startup: bundle exec rails server -e production

If you can log in as snorby@snorby.org with password snorby at http://<snorby server ip>:3000, everything went well.

Setup Barnyard2:

Next we'll install Barnyard2 to tie Snorby and Suricata together.

Change to the /srv directory and download Barnyard2: git clone https://github.com/firnsy/barnyard2.git

Change to the /srv/barnyard2 directory and run: ./autogen.sh, then ./configure --with-mysql --with-mysql-libraries=/usr/lib64/mysql, then make && make install

Change to the /srv/barnyard2/etc directory and copy barnyard2.conf to /etc/suricata/

Modify /etc/suricata/barnyard2.conf to match your Suricata configuration.

Append the following to barnyard2.conf (the user and password must match the MySQL user created above): output database: log, mysql, user=snorby password=snorbypass dbname=snorby host=localhost

Make the barnyard2 log directory: mkdir /var/log/barnyard2

Test barnyard2 startup: barnyard2 -c /etc/suricata/barnyard2.conf -f unified2.alert

Create a service file called barnyard2.service in /usr/lib/systemd/system/ with the following contents:

[Unit]
Description=Barnyard2 Unified2 Log Processor
After=syslog.target

[Service]
ExecStart=/usr/local/bin/barnyard2 -c /etc/suricata/barnyard2.conf -f unified2.alert

[Install]
WantedBy=multi-user.target

Enable the barnyard2 service: systemctl enable barnyard2

Start the barnyard2 service: systemctl start barnyard2
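The unit above works, but it has no ordering against the database it writes to, no restart policy, and no waldo (bookmark) file, so a restart of barnyard2 either re-inserts or skips unified2 records. The script below is an added example, not from the original post, that writes a unit carrying those three things and sanity-checks it before it is enabled. Assumptions not stated on the page: barnyard2 is installed to /usr/local/bin, Suricata spools unified2 files in /var/log/suricata, the waldo file goes in /var/log/barnyard2, and the unit is written to /etc/systemd/system (which takes precedence over /usr/lib/systemd/system and is not overwritten by package updates).

```shell
#!/bin/sh
# Added example: write and check a barnyard2 systemd unit. Not from the
# original post. Paths below are assumptions; override them via environment.
BY2_BIN="${BY2_BIN:-/usr/local/bin/barnyard2}"
BY2_CONF="${BY2_CONF:-/etc/suricata/barnyard2.conf}"
BY2_SPOOL="${BY2_SPOOL:-/var/log/suricata}"
BY2_WALDO="${BY2_WALDO:-/var/log/barnyard2/barnyard2.waldo}"

# write_barnyard2_unit DEST
# Writes the unit file to DEST (normally /etc/systemd/system/barnyard2.service).
write_barnyard2_unit() {
    dest="$1"
    cat > "$dest" <<EOF
[Unit]
Description=Barnyard2 Unified2 Log Processor
# Do not start before the network and the database barnyard2 inserts into are up.
After=network.target mariadb.service
Wants=mariadb.service

[Service]
# -d: spool directory; -f: unified2 base filename; -w: waldo file recording how
# far barnyard2 has read, so a restart resumes where it left off instead of
# re-inserting or skipping events.
ExecStart=$BY2_BIN -c $BY2_CONF -d $BY2_SPOOL -f unified2.alert -w $BY2_WALDO
Restart=on-failure
RestartSec=5

[Install]
WantedBy=multi-user.target
EOF
}

# check_barnyard2_unit FILE
# Rejects a unit that lacks any of the keys the service depends on, or whose
# ExecStart line has no waldo file.
check_barnyard2_unit() {
    f="$1"
    for key in '^ExecStart=' '^Restart=' '^WantedBy=' '^After=.*mariadb'; do
        grep -q "$key" "$f" || { echo "missing: $key" >&2; return 1; }
    done
    grep -q '^ExecStart=.* -w ' "$f" || { echo "ExecStart has no -w waldo file" >&2; return 1; }
    return 0
}

# Usage (as root):
#   write_barnyard2_unit /etc/systemd/system/barnyard2.service
#   check_barnyard2_unit /etc/systemd/system/barnyard2.service \
#     && mkdir -p /var/log/barnyard2 && systemctl daemon-reload \
#     && systemctl enable --now barnyard2
```

After enabling, `journalctl -u barnyard2` shows whether the database connection succeeded; the waldo file should appear in /var/log/barnyard2 once the first unified2 file is processed.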


 

Setup Passenger:

Rails does not have its own startup script but we can start it with Apache using Passenger.

Install Passenger: gem install passenger

Install the Apache module for Passenger: passenger-install-apache2-module

Create an Apache configuration file for Snorby named snorby.conf in /etc/httpd/conf.d/ with the following contents:

<VirtualHost *:80>
    DocumentRoot /srv/snorby/public
    <Directory /srv/snorby/public>
        AllowOverride all
        Options -MultiViews
        Require all granted
    </Directory>
</VirtualHost>

LoadModule passenger_module /usr/local/rvm/gems/ruby-1.9.3-p551/gems/passenger-4.0.59/buildout/apache2/mod_passenger.so
<IfModule mod_passenger.c>
    PassengerRoot /usr/local/rvm/gems/ruby-1.9.3-p551/gems/passenger-4.0.59
    PassengerDefaultRuby /usr/local/rvm/gems/ruby-1.9.3-p551/wrappers/ruby
</IfModule>


 

Test the Apache configuration: apachectl configtest

Restart Apache to load the configuration: apachectl restart

Snorby should now be running on port 80, and all services will start automatically after a reboot.

February 24, 2015

Setting up a Suricata IDS on CentOS 7

The IDS modules in my Cisco routers are going EoL. Frankly, I haven't been that impressed with the service the IDS provided. My excellent Cisco partner will lead me over to one of two of Cisco's latest acquisitions, SourceFire or Meraki. I'm aware SourceFire is the "paid" version of Snort with a fancy UI and support, both really good reasons to purchase the product. For those of you who have never heard of Snort, it is the de facto standard in IDS software. But... I'm going to use something different: a piece of software called Suricata. Suricata is similar to Snort: it can use the same detection rules and some of the same configuration files. The main reason I'm using Suricata over Snort is that Suricata is multi-threaded by default, whereas Snort needs it compiled in. Multi-threading means more processing and faster detection. Let's move on to system requirements.

Hardware

Multi-core processor (can't have multi-threading without that)

A decent amount of RAM and hard drive space.

2 network interfaces (1 must be a dedicated physical interface; no VM switch here)

A switch capable of port mirroring.

Software

OS (CentOS 7 x64 minimal install)

Suricata (JASONISH maintains an RPM for CentOS 7)

Let's get started:

  • I have a working CentOS installation patched up (yum update). It has two NICs, eth0 and eth1. eth0 will be my passive interface for receiving traffic from the switch's port mirror and has a static address in a random subnet. eth1 will be my management interface with a static address accessible from my LAN.
  • Install some prerequisites: yum install epel-release wget perl perl-Archive-Tar perl-Crypt-SSLeay perl-libwww-perl perl-Sys-Syslog perl-LWP-Protocol-https
  • (Optional) Install some optional tools: yum install wget nano net-tools mlocate system-config-firewall-tui
  • Install Suricata from JASONISH here: http://codemonkey.net/suricata-rpms/ It will install Suricata, GeoIP, libnet, libnetfilter_queue, and libyaml
  • Navigate to /etc/suricata, back up suricata.yaml (cp suricata.yaml suricata.yaml.orig) and make sure the interface entry under pfring: (- interface:) is set to eth0 in suricata.yaml.
  • Next, we need some rules. Download the latest rules from Emerging Threats (wget https://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz) and extract them into the Suricata directory (tar -xvzf emerging.rules.tar.gz -C /etc/suricata/)
  • Let's test Suricata to make sure it runs properly (suricata -vv -c /etc/suricata/suricata.yaml -i eth0)
  • If everything works okay, enable Suricata (systemctl enable suricata) and start the service (systemctl start suricata)
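The rules step above downloads a tarball and extracts it straight into /etc/suricata, which is fine for a first install but not for the weekly updates an IDS needs: a truncated download, an archive member that escapes the rules directory, or a rule that fails to parse would each leave the sensor broken or blind. The script below is an added example, not from the original post, that performs the same update with those checks: it verifies the download against the .md5 sidecar Emerging Threats publishes next to the tarball, refuses any archive member with an absolute path or a `..` component, extracts into the live directory only after backing up the previous rules, tests the candidate ruleset with `suricata -T` against the real suricata.yaml, and restores the backup if the test fails. Assumptions not on the page: the .md5 file contains only the hex digest, suricata.yaml lives in /etc/suricata, GNU tar and coreutils are present, and Suricata is managed by systemctl.

```shell
#!/bin/sh
# Added example: checked Emerging Threats rules update for the Suricata
# install described above. Not from the original post; paths are assumptions.
RULES_URL="${RULES_URL:-https://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz}"
SURICATA_DIR="${SURICATA_DIR:-/etc/suricata}"

# tar_members_safe: read member names on stdin (one per line, as `tar -tzf`
# prints them) and fail if any is absolute or contains a `..` component, i.e.
# would be written outside the directory we extract into. An empty listing
# also fails, since an empty archive is not a ruleset.
tar_members_safe() {
    n=0
    while IFS= read -r name; do
        n=$((n + 1))
        case "$name" in
            /*|..|../*|*/..|*/../*) echo "unsafe archive member: $name" >&2; return 1 ;;
        esac
    done
    [ "$n" -gt 0 ]
}

# verify_md5 FILE DIGEST_FILE: compare FILE's MD5 with the digest in DIGEST_FILE.
# ET publishes MD5, so this is an integrity check against a corrupted or
# truncated download; authenticity comes from the TLS connection, not from MD5.
verify_md5() {
    expected=$(tr -d '[:space:]' < "$2")
    actual=$(md5sum "$1" | cut -d' ' -f1)
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# update_rules: download, verify, inspect, stage, test, then reload.
update_rules() {
    work=$(mktemp -d) || return 1
    trap 'rm -rf "$work"' EXIT
    curl -fsSL -o "$work/rules.tgz" "$RULES_URL" || return 1
    curl -fsSL -o "$work/rules.tgz.md5" "$RULES_URL.md5" || return 1
    verify_md5 "$work/rules.tgz" "$work/rules.tgz.md5" \
        || { echo "checksum mismatch, not installing" >&2; return 1; }
    tar -tzf "$work/rules.tgz" | tar_members_safe || return 1

    rules="$SURICATA_DIR/rules"
    rm -rf "$rules.bak"
    [ -d "$rules" ] && cp -a "$rules" "$rules.bak"
    tar -xzf "$work/rules.tgz" -C "$SURICATA_DIR/" || return 1

    # -T loads the config and every referenced rule file without sniffing.
    if suricata -T -c "$SURICATA_DIR/suricata.yaml" > "$work/test.log" 2>&1; then
        systemctl reload-or-restart suricata
        rm -rf "$rules.bak"
        return 0
    fi
    echo "new ruleset failed suricata -T, restoring previous rules:" >&2
    cat "$work/test.log" >&2
    rm -rf "$rules"
    [ -d "$rules.bak" ] && mv "$rules.bak" "$rules"
    return 1
}

# Usage (as root, e.g. from a daily cron job or systemd timer):
#   update_rules
```

The member check matters because `tar -C /etc/suricata/` trusts whatever paths the archive carries; GNU tar strips a leading `/` by default but does not stop a `../` component on its own, and the check costs nothing. Keeping the previous rules directory until `suricata -T` passes means a bad update never leaves the sensor without a loadable ruleset.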


 

Now that Suricata is set up, connect eth0 to your core network switch and eth1 to your management network. Configure your core switch to mirror the traffic from the router trunk port to the interface connected to eth0.

Suricata logs are located in /var/log/suricata

CentOS 6 to CentOS 7 Cheat Sheet

Since CentOS 7 switched from SysVinit to Systemd I've had a bit of a learning curve to upgrade my common command syntax when working with the new commands. Here's my cheat sheet:

Topic        CentOS 6                CentOS 7                              Description
Networking   ifconfig                ip addr                               Show Interfaces Status
Services     service (name) status   systemctl status (name)               Service Status
             service (name) stop     systemctl stop (name)                 Service Stop
             service (name) start    systemctl start (name)                Service Start
             chkconfig (name) on     systemctl enable (name)               Autostart Service on Boot
             chkconfig (name) off    systemctl disable (name)              Disable Autostart Service on Boot
             chkconfig --list        systemctl list-units --type=service   List Services

October 18, 2013

Install MailPiler 0.1.24 on CentOS 6.4 x64

Here are the instructions for installing the open source email archiving software MailPiler. MailPiler is similar to the popular email archiving software MailArchiva, but offers more features than the free version at the same price.

July 30, 2013

Useful Hyper-V Powershell Commands

Hyper-V Specific:

Get-VMSwitch – Shows Hyper-V virtual switches.

Get-VMSwitch Name | fl -Property * – Shows the details of the virtual switch.

New-VMSwitch -Name Name -NetAdapterName Name – Creates an external Hyper-V switch using the network interface name.

Networking:

Get-NetAdapter – Shows the list of network adapters.

Firewall:

Get-NetFirewallRule | ft Name, Enabled – Lists all firewall rules and whether they are enabled or not.

Set-NetFirewallRule -Name Name -Enabled True/False – Enables or disables a firewall rule.

Useful Firewall Rules to Open:

FPS-ICMP4-ERQ-In – ICMP Ping

RVM-VDS-In-TCP – Remote Volume Management / Disk Management