March 3, 2015

Install Snorby for Suricata on CentOS 7

These instructions are for setting up Snorby and processing Suricata's unified2 logs into the Snorby database.

Prerequisites:

A working CentOS 7 installation with Suricata.

The EPEL Repository for CentOS 7.

SELinux is set to permissive.

Install CentOS development tools: yum groupinstall "Development Tools"

Install prerequisites available via yum: yum install git ImageMagick wkhtmltopdf zlib-devel mariadb-server mariadb-devel libxml2-devel libxslt-devel libpcap-devel libdnet libdnet-devel httpd httpd-devel libcurl-devel

Install the DAQ binary from snort.org: rpm -ihv https://www.snort.org/downloads/snort/daq-2.0.4.centos7.x86_64.rpm

Optional: yum install phpmyadmin php

Setup MariaDB (MySQL):

systemctl enable mariadb

systemctl start mariadb

mysql_secure_installation

Create a snorby mysql database and user.

    Log in to MySQL: mysql -u root -p

    Create the Snorby database: create database snorby;

    Create the Snorby user: create user 'snorby'@'localhost' identified by 'snorbypass';

    Grant all privileges to user snorby on database snorby: grant all privileges on snorby.* to 'snorby'@'localhost';

    Reload the privileges: flush privileges;

Setup Ruby & Rails:

The yum package for ruby is too new for Snorby. Install RVM (Ruby Version Manager) to install a previous version of ruby.

curl -sSL https://get.rvm.io | bash -s stable

Log out and log back in so that RVM is in your PATH.

Install required dependencies for RVM: rvm requirements

Install ruby 1.9.3: rvm install 1.9.3

Set the default Ruby version: rvm use 1.9.3 --default

Update Ruby Gems: gem update

Install Rails: gem install rails

Setup Snorby:

Change to the /srv directory and download Snorby: git clone http://github.com/Snorby/snorby.git

Change to the Snorby download directory and run: bundle install

Change to the /srv/snorby/config directory

Copy database.yml.example to database.yml and snorby_config.yml.example to snorby_config.yml

Edit database.yml and enter your database credentials.

Edit snorby_config.yml and update the production settings to match your environment.

Set up the Snorby database: bundle exec rake snorby:setup

Test Snorby startup: bundle exec rails server -e production

If you can log in using username snorby@snorby.org with password snorby at http://<snorby server ip>:3000, everything went well.

Setup Barnyard2:

Next we'll install Barnyard2 to tie Snorby and Suricata together.

Change to the /srv directory and download Barnyard2: git clone https://github.com/firnsy/barnyard2.git

Change to the /srv/barnyard2 directory and run: ./autogen.sh , ./configure --with-mysql --with-mysql-libraries=/usr/lib64/mysql , make && make install

Change to the /srv/barnyard2/etc directory and copy barnyard2.conf to /etc/suricata/

Modify /etc/suricata/barnyard2.conf to match your Suricata configuration.

Append the following to barnyard2.conf (the user, password and dbname must match the MySQL account and database created above): output database: log, mysql, user=snorby password=snorbypass dbname=snorby host=localhost

Make the barnyard2 log directory: mkdir /var/log/barnyard2

Test barnyard2 startup: barnyard2 -c /etc/suricata/barnyard2.conf -f unified2.alert
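Before handing barnyard2 over to systemd, it helps to see what it is actually consuming. The script below is an added example, not code from this post, from barnyard2 or from Snorby: it walks a unified2 stream the way barnyard2 does, decoding the two record types Suricata's unified2-alert output writes for an alert (the IPv4 IDS event, type 7, and the packet record, type 2) and pairing them by sensor and event id, which is the grouping barnyard2 relies on when it inserts into the Snorby database. The record layouts are the legacy unified2 structures; other record types (IPv6 events, extra data) are skipped by length. The sample stream is constructed inline, not captured from a sensor.

```python
"""Walk a unified2 stream the way barnyard2 does before writing to Snorby.

Added example (not from the original post, barnyard2 or Snorby). Decodes
type-7 IDS events and type-2 packet records and groups them per event.
The sample data at the bottom is constructed, not captured from a sensor.
"""
import socket
import struct

UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7

RECORD_HDR = struct.Struct("!II")       # record type, record length (big-endian)
IDS_EVENT = struct.Struct("!11I2H4B")   # Unified2IDSEvent_legacy: 52 bytes
PACKET_HDR = struct.Struct("!7I")       # Serial_Unified2Packet header: 28 bytes

EVENT_FIELDS = ("sensor_id", "event_id", "event_second", "event_microsecond",
                "signature_id", "generator_id", "signature_revision",
                "classification_id", "priority_id", "src_ip", "dst_ip",
                "src_port", "dst_port", "protocol", "impact_flag", "impact", "blocked")
PACKET_FIELDS = ("sensor_id", "event_id", "event_second", "packet_second",
                 "packet_microsecond", "linktype", "packet_length")


def parse_ids_event(payload):
    """Decode a type-7 record; addresses come back dotted, the rest as ints."""
    ev = dict(zip(EVENT_FIELDS, IDS_EVENT.unpack_from(payload)))
    for key in ("src_ip", "dst_ip"):
        ev[key] = socket.inet_ntoa(struct.pack("!I", ev[key]))
    return ev


def parse_packet(payload):
    """Decode a type-2 record; the raw frame follows the 28-byte header."""
    pk = dict(zip(PACKET_FIELDS, PACKET_HDR.unpack_from(payload)))
    start = PACKET_HDR.size
    pk["packet"] = payload[start:start + pk["packet_length"]]
    return pk


def iter_records(data):
    """Yield (type, body) per record; stop on a short header or short body.

    A short tail is normal while Suricata is still appending, so it is
    left for the next pass rather than being parsed as garbage.
    """
    off = 0
    while off + RECORD_HDR.size <= len(data):
        rtype, rlen = RECORD_HDR.unpack_from(data, off)
        body = data[off + RECORD_HDR.size:off + RECORD_HDR.size + rlen]
        if len(body) < rlen:
            break
        yield rtype, body
        off += RECORD_HDR.size + rlen


def load_events(data):
    """Group records into events keyed by (sensor_id, event_id).

    Record types this example does not decode are skipped safely because
    every record carries its own length in the header.
    """
    events = {}
    for rtype, body in iter_records(data):
        if rtype == UNIFIED2_IDS_EVENT:
            ev = parse_ids_event(body)
            events.setdefault((ev["sensor_id"], ev["event_id"]), {})["event"] = ev
        elif rtype == UNIFIED2_PACKET:
            pk = parse_packet(body)
            slot = events.setdefault((pk["sensor_id"], pk["event_id"]), {})
            slot.setdefault("packets", []).append(pk)
    return events


def build_sample():
    """Constructed stream: one IDS event followed by its packet record."""
    def ip(addr):
        return struct.unpack("!I", socket.inet_aton(addr))[0]
    event = IDS_EVENT.pack(
        1, 42, 1425340800, 123456,          # sensor_id, event_id, second, usec
        2100498, 1, 7, 3, 2,                # sid, gid, rev, classification, priority
        ip("192.0.2.10"), ip("198.51.100.20"),
        51234, 80, 6, 0, 0, 0)              # sport, dport, proto TCP, impact, blocked
    frame = b"\x45\x00" + b"\x00" * 18      # placeholder 20-byte IPv4 header (constructed)
    packet = PACKET_HDR.pack(1, 42, 1425340800, 1425340800, 123456, 1, len(frame)) + frame
    return (RECORD_HDR.pack(UNIFIED2_IDS_EVENT, len(event)) + event
            + RECORD_HDR.pack(UNIFIED2_PACKET, len(packet)) + packet)


def summarize(events):
    """One line per event, roughly what barnyard2 logs before the DB insert."""
    lines = []
    for (sensor, eid), rec in sorted(events.items()):
        ev = rec.get("event")
        if ev is None:
            continue  # packet without its event record: nothing to insert yet
        lines.append("sensor %d event %d [%d:%d:%d] %s:%d -> %s:%d proto %d packets %d" % (
            sensor, eid, ev["generator_id"], ev["signature_id"], ev["signature_revision"],
            ev["src_ip"], ev["src_port"], ev["dst_ip"], ev["dst_port"], ev["protocol"],
            len(rec.get("packets", []))))
    return lines


if __name__ == "__main__":
    for line in summarize(load_events(build_sample())):
        print(line)
```

Point load_events at the bytes of a real unified2.alert.<timestamp> file from /var/log/suricata to confirm that sensor ids, signature ids and addresses decode as expected; if they do not, barnyard2's database rows will be wrong too, and that is easier to catch here than in the Snorby UI.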

Create a service file called barnyard2.service in /usr/lib/systemd/system/ with the following information:

[Unit]
Description=Barnyard2 Unified2 Log Processor
After=syslog.target

[Service]
ExecStart=/usr/local/bin/barnyard2 -c /etc/suricata/barnyard2.conf -f unified2.alert

[Install]
WantedBy=multi-user.target

Enable the barnyard2 service: systemctl enable barnyard2

Start the barnyard2 service: systemctl start barnyard2

Setup Passenger:

Rails does not have its own startup script but we can start it with Apache using Passenger.

Install Passenger: gem install passenger

Install the Apache module for Passenger: passenger-install-apache2-module

Create an Apache configuration file for Snorby named snorby.conf in /etc/httpd/conf.d/ with the following contents (the LoadModule and Passenger paths are specific to the installed Ruby and Passenger versions; passenger-install-apache2-module prints the correct ones for your install at the end of its run, so use those if they differ):

<VirtualHost *:80>
DocumentRoot /srv/snorby/public
<Directory /srv/snorby/public>
AllowOverride all
Options -MultiViews
Require all granted
</Directory>
</VirtualHost>

LoadModule passenger_module /usr/local/rvm/gems/ruby-1.9.3-p551/gems/passenger-4.0.59/buildout/apache2/mod_passenger.so
<IfModule mod_passenger.c>
PassengerRoot /usr/local/rvm/gems/ruby-1.9.3-p551/gems/passenger-4.0.59
PassengerDefaultRuby /usr/local/rvm/gems/ruby-1.9.3-p551/wrappers/ruby
</IfModule>


Test the Apache configuration: apachectl configtest

Restart Apache to load the configuration: apachectl restart

Snorby should now be running on port 80, and all services will start automatically on reboot.