December 5, 2018
March 3, 2015
These instructions are for setting up Snorby and processing Suricata's unified2 logs into the Snorby database.
A working CentOS 7 installation with Suricata.
The EPEL Repository for CentOS 7.
SELinux is set to permissive.
Install CentOS development tools: yum groupinstall "Development Tools"
Install prerequisites available via yum: yum install git ImageMagick wkhtmltopdf zlib-devel mariadb-server mariadb-devel libxml2-devel libxslt-devel libpcap-devel libdnet libdnet-devel httpd httpd-devel libcurl-devel
Install the DAQ binary from snort.org: rpm -ihv https://www.snort.org/downloads/snort/daq-2.0.4.centos7.x86_64.rpm
Optional: yum install phpmyadmin php
Setup MariaDB (MySQL):
systemctl enable mariadb
systemctl start mariadb
Create a snorby mysql database and user.
Log in to MySQL: mysql -u root -p
Create the Snorby database: create database snorby;
Create the Snorby user: create user 'snorby'@'localhost' identified by 'snorbypass';
Grant all privileges to user snorby on database snorby: grant all privileges on snorby.* to 'snorby'@'localhost';
Reload the privileges: flush privileges;
Setup Ruby & Rails:
The yum package for ruby is too new for Snorby. Install RVM (Ruby Version Manager) to install a previous version of ruby.
curl -sSL https://get.rvm.io | bash -s stable
Log out and log back in to get RVM in your path.
Install required dependencies for RVM: rvm requirements
Install ruby 1.9.3: rvm install 1.9.3
Set the default Ruby version: rvm use 1.9.3 --default
Update Ruby Gems: gem update
Install Rails: gem install rails
Change to the /srv directory and download Snorby: git clone http://github.com/Snorby/snorby.git
Change to the Snorby download directory and run: bundle install
Change to the Snorby/config directory
Copy database.yml.example to database.yml and snorby_config.yml.example to snorby_config.yml
Edit database.yml and enter your database credentials.
Edit snorby_config.yml and update the production settings to match your environment.
Let's set up the Snorby database: bundle exec rake snorby:setup
Test Snorby startup: bundle exec rails server -e production
If you can log in with username snorby@example.com and password snorby at http://<snorby server ip>:3000, everything went well.
Next we'll install Barnyard2 to tie Snorby and Suricata together.
Change to the /srv directory and download Barnyard2: git clone https://github.com/firnsy/barnyard2.git
Change to the /srv/barnyard2 directory and run: ./autogen.sh, then ./configure --with-mysql --with-mysql-libraries=/usr/lib64/mysql, then make && make install
Change to the /srv/barnyard2/etc directory and copy barnyard2.conf to /etc/suricata/
Modify /etc/suricata/barnyard2.conf to match your Suricata configuration.
Append the following to barnyard2.conf, using the database user and password created earlier: output database: log, mysql, user=snorby password=snorbypass dbname=snorby host=localhost
Make the barnyard2 log directory: mkdir /var/log/barnyard2
Test barnyard2 startup: barnyard2 -c /etc/suricata/barnyard2.conf -f unified2.alert
Create a service file called barnyard2.service in /usr/lib/systemd/system/ with the following contents (the [Install] section is what lets systemctl enable work, and starting after MariaDB avoids a failed database connection at boot):
[Unit]
Description=Barnyard2 Unified2 Log Processor
After=network.target mariadb.service

[Service]
ExecStart=/usr/local/bin/barnyard2 -c /etc/suricata/barnyard2.conf -f unified2.alert

[Install]
WantedBy=multi-user.target
Enable the barnyard2 service: systemctl enable barnyard2
Start the barnyard service: systemctl start barnyard2
Rails does not have its own startup script, but we can start it with Apache using Passenger.
Install Passenger: gem install passenger
Install the Apache module for Passenger: passenger-install-apache2-module
Create an Apache configuration file for Snorby named snorby.conf in /etc/httpd/conf.d/ with the following contents. The LoadModule, PassengerRoot and PassengerDefaultRuby lines are printed by passenger-install-apache2-module at the end of its run; adjust the paths to the Ruby and Passenger versions it reports. The DocumentRoot is the public directory of the Snorby checkout from /srv, and "Require all granted" must sit inside that Directory block for Apache 2.4 to serve it:
LoadModule passenger_module /usr/local/rvm/gems/ruby-1.9.3-p551/gems/passenger-4.0.59/buildout/apache2/mod_passenger.so
PassengerRoot /usr/local/rvm/gems/ruby-1.9.3-p551/gems/passenger-4.0.59
PassengerDefaultRuby /usr/local/rvm/gems/ruby-1.9.3-p551/wrappers/ruby
<VirtualHost *:80>
    DocumentRoot /srv/snorby/public
    RailsEnv production
    <Directory /srv/snorby/public>
        Require all granted
    </Directory>
</VirtualHost>
Test the Apache configuration: apachectl configtest
Restart Apache to load the configuration: apachectl restart
Snorby should now be running on port 80 and all services will automatically start on a reboot.
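As an added example (not part of the original post, and not Barnyard2's own code), here is a small Python reader for the unified2.alert spool that Barnyard2 consumes: it walks the record headers, decodes UNIFIED2_IDS_EVENT (type 7) records into the fields that become Snorby event rows, and stops cleanly at a record Suricata has not finished writing. The spool bytes are constructed inline; the timestamp, event id and signature values are made up.

```python
import socket
import struct

# Every unified2 record starts with a big-endian header: record type, then payload length.
U2_HEADER = struct.Struct(">II")
# UNIFIED2_IDS_EVENT (type 7): the 52-byte IPv4 event record Barnyard2 turns into a Snorby event row.
U2_IDS_EVENT = 7
U2_IDS_EVENT_STRUCT = struct.Struct(">IIIIIIIII4s4sHHBBBB")
U2_IDS_EVENT_FIELDS = (
    "sensor_id", "event_id", "event_second", "event_microsecond", "signature_id",
    "generator_id", "signature_revision", "classification_id", "priority_id",
    "ip_source", "ip_destination", "sport_itype", "dport_icode",
    "protocol", "impact_flag", "impact", "blocked",
)

def parse_unified2(data):
    """Yield (record_type, payload) pairs; stop cleanly at a truncated record."""
    offset = 0
    while offset + U2_HEADER.size <= len(data):
        rec_type, length = U2_HEADER.unpack_from(data, offset)
        offset += U2_HEADER.size
        if offset + length > len(data):
            break  # Suricata is still writing this record; re-read the spool later
        yield rec_type, data[offset:offset + length]
        offset += length

def decode_ids_event(payload):
    """Decode a type-7 payload into the fields Snorby displays."""
    ev = dict(zip(U2_IDS_EVENT_FIELDS, U2_IDS_EVENT_STRUCT.unpack(payload)))
    ev["ip_source"] = socket.inet_ntoa(ev["ip_source"])
    ev["ip_destination"] = socket.inet_ntoa(ev["ip_destination"])
    ev["sid"] = "%d:%d:%d" % (ev["generator_id"], ev["signature_id"], ev["signature_revision"])
    return ev

def events_from_spool(data):
    """All IDS events in a spool; packet and other record types are skipped."""
    return [decode_ids_event(p) for t, p in parse_unified2(data) if t == U2_IDS_EVENT]

# Constructed spool: one event (gid 1, sid 2100498 rev 7, priority 2, TCP 10.0.0.5:80 -> 192.168.1.20:51234), then 9 bytes of a record cut off mid-write.
_body = U2_IDS_EVENT_STRUCT.pack(
    1, 42, 1424779200, 123456, 2100498, 1, 7, 33, 2,
    socket.inet_aton("10.0.0.5"), socket.inet_aton("192.168.1.20"),
    80, 51234, 6, 0, 0, 0,
)
SAMPLE_UNIFIED2 = U2_HEADER.pack(U2_IDS_EVENT, len(_body)) + _body + U2_HEADER.pack(U2_IDS_EVENT, 52) + b"\x01"

if __name__ == "__main__":
    for ev in events_from_spool(SAMPLE_UNIFIED2):
        print(ev["sid"], ev["ip_source"], "->", ev["ip_destination"], "priority", ev["priority_id"])
```

Point events_from_spool at the bytes of a real /var/log/suricata/unified2.alert.* file to compare what Barnyard2 should have inserted against what Snorby shows.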
February 24, 2015
The IDS modules in my Cisco routers are going EoL. Frankly, I haven't been that impressed with the service the IDS provided. My excellent Cisco Partner will lead me over to one of two of Cisco's latest acquisitions, SourceFire or Meraki. I'm aware SourceFire is the "paid" version of Snort with a fancy UI and support. Both are really good reasons to purchase the product. For those of you who have never heard of Snort, it is the de facto standard in IDS software. But... I'm going to use something different: a piece of software called Suricata. Suricata is similar to Snort. It can use the same detection rules and some of the same configuration files. The main reason I'm using Suricata over Snort is that Suricata is multi-threaded by default, while Snort needs it to be compiled in. Multi-threading equals more processing and faster detection. Let's move on to system requirements.
- Multi-core processor (can't have multi-threading without that)
- A decent amount of RAM and hard drive space
- 2 network interfaces (1 must be a dedicated physical interface; no VM switch here)
- A switch capable of port mirroring
- OS: CentOS 7 x64 minimal install
- Suricata (JASONISH maintains an RPM for CentOS 7)
Let's get started:
- I have a working CentOS installation patched up (yum update). It has two NICs, eth0 and eth1. eth0 will be my passive interface for receiving traffic from the switch's port mirror and has a static address for a random subnet. eth1 will be my management interface with a static address accessible from my LAN.
- Install some prerequisites: yum install epel-release wget perl perl-Archive-Tar perl-Crypt-SSLeay perl-libwww-perl perl-Sys-Syslog perl-LWP-Protocol-https
- (Optional) Install some optional tools: yum install wget nano net-tools mlocate system-config-firewall-tui
- Install Suricata from JASONISH here: http://codemonkey.net/suricata-rpms/. It will install Suricata, GeoIP, libnet, libnetfilter_queue, and libyaml.
- Navigate to /etc/suricata, back up suricata.yaml (cp suricata.yaml suricata.yaml.orig) and make sure the interface under the pfring: section (pfring: - interface:) is set to eth0 in suricata.yaml.
- Next, we need some rules. Download the latest rules from Emerging Threats (wget https://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz) and extract them to our Suricata directory (tar -xvzf emerging.rules.tar.gz -C /etc/suricata/)
- Let's test Suricata to make sure it runs properly. (suricata -vv -c /etc/suricata/suricata.yaml -i eth0)
- If everything works okay, enable Suricata (systemctl enable suricata), and start the service (systemctl start suricata)
Now that Suricata is set up, connect eth0 to your core network switch and eth1 to your management network. Configure your core switch to mirror the traffic from the router trunk port to the interface connected to eth0.
Suricata logs are located in /var/log/suricata
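As an added example (not from the original post), here is a Python triage helper for the fast.log alert file in that directory: it parses each alert line, handles alerts without ports (ICMP), counts rather than crashes on non-alert lines, and tallies hits per signature and per source so priority-1 alerts stand out. The sample lines are constructed in fast.log format and describe made-up traffic.

```python
import re
from collections import Counter

# One alert per line in /var/log/suricata/fast.log (Suricata's default alert log).
FAST_LINE = re.compile(
    r"^(?P<ts>\d\d/\d\d/\d{4}-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]*)\]\s+)?\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+(?P<src>\S+?)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>\S+?)(?::(?P<dport>\d+))?$"
)

def parse_fast_line(line):
    """Return the alert fields as a dict, or None for a line that is not a fast.log alert."""
    m = FAST_LINE.match(line.strip())
    if not m:
        return None
    alert = m.groupdict()
    for key in ("gid", "sid", "rev", "prio"):
        alert[key] = int(alert[key])
    return alert

def triage(lines):
    """Count alerts per signature and per source, and collect priority-1 alerts for review."""
    report = {"alerts": 0, "unparsed": 0, "by_signature": Counter(), "by_source": Counter(), "priority1": []}
    for line in lines:
        alert = parse_fast_line(line)
        if alert is None:
            if line.strip():
                report["unparsed"] += 1  # a non-alert or damaged line: count it, don't crash
            continue
        report["alerts"] += 1
        report["by_signature"][(alert["sid"], alert["msg"])] += 1
        report["by_source"][alert["src"]] += 1
        if alert["prio"] == 1:
            report["priority1"].append(alert)
    return report

# Constructed sample in fast.log format (made-up traffic, not a real capture).
SAMPLE_FAST_LOG = """\
02/24/2015-10:15:23.123456  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:80 -> 192.168.1.20:51234
02/24/2015-10:16:02.555555  [**] [1:2010937:2] ET POLICY Suspicious inbound to mySQL port 3306 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.9:44321 -> 192.168.1.10:3306
02/24/2015-10:17:45.000000  [**] [1:2100366:8] GPL ICMP_INFO PING *NIX [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.33 -> 192.168.1.1
02/24/2015-10:18:10.777777  [**] [1:2008578:5] ET SCAN Sipvicious Scan [**] [Classification: Attempted Information Leak] [Priority: 1] {UDP} 198.51.100.7:5060 -> 192.168.1.10:5060
this line is not an alert
"""

if __name__ == "__main__":
    r = triage(SAMPLE_FAST_LOG.splitlines())
    print(r["alerts"], "alerts,", r["unparsed"], "unparsed,", len(r["priority1"]), "priority-1")
```

Feed it open("/var/log/suricata/fast.log") instead of the sample to get the same report for the sensor you just built.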
Since CentOS 7 switched from SysVinit to systemd, I've had a bit of a learning curve updating my usual command syntax to the new commands. Here's my cheat sheet:
Task                          SysVinit                 systemd
Show service status           service (name) status    systemctl status (name)
Stop a service                service (name) stop      systemctl stop (name)
Start a service               service (name) start     systemctl start (name)
Autostart service on boot     chkconfig (name) on      systemctl enable (name)
Disable autostart on boot     chkconfig (name) off     systemctl disable (name)
List services                 -                        systemctl list-units --type=service
October 18, 2013
Here are the instructions for installing the open source email archiving software MailPiler. MailPiler is similar to the popular email archiving software MailArchiva, but offers more features than the free version at the same price.