apt-get install build-essential module-assistant
36 m-a prepare
37 sh ./VBoxLinuxAdditions.run
—
Installing Suricata, Snorby and Banyard2 on Debian
I have used Snort quite extensively in the past and was curious about toying with Suricata which is similar to Snort but nicer in my view. It has been a few years since I looked at it. I can see the project seems to have evolved quite a lot. One functionality that I will be using down the line will be PF Ring.
On a lazy Sunday afternoon, I thought this was the perfect time to take a look at what it can do in its current form. I used Debian 7.3 for my tests. Everything is packaged which is quite nice though the version of suricata is a bit old on this (1.2.1 vs 1.4.7 on the website). I am very likely to make packages for this later in order to have more functionality.
NIC
auto eth1
iface eth1 inet manual
up ifconfig $IFACE up
#post-up ethtool -K eth1 gro off
#post-up ethtool -K eth1 lro off
Pre-installation requirements¶
apt-get -y install libpcre3 libpcre3-dbg libpcre3-dev build-essential autoconf automake libtool libpcap-dev libnet1-dev libyaml-0-2 libyaml-dev zlib1g zlib1g-dev libmagic-dev libcap-ng-dev libjansson-dev pkg-config apache2 apache2-dev libapr1-dev libaprutil1-dev libcurl4-openssl-dev openssl libssl-dev
IPS
By default, Suricata works as an IDS. If you want to use it as a IDS and IPS program, enter:
apt-get -y install libnetfilter-queue-dev
Once you have done the traditional apt-get install suricata
#apt-get install suricata mysql-server postgresql-server-dev-9.4
#mysql_secure_installation
There is not much to do to get it running, mostly edit: /etc/default/suricata and change this line depending on your network interface, and also allow it to run:
# set to yes to start the server in the init.d script
RUN=yes
# Interface to listen on (for pcap mode)
IFACE=br0
You then should grab the rules to get it all going and monitoring, check out the official page to set this up. I edited /etc/oinkmaster.conf to add the rules I wanted:
1
url = http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz
You now need to grab the rules, a quick mkdir /etc/suricata/rules && oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules should fix this, and give you something like this:
# oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules
Loading /etc/oinkmaster.conf
Downloading file from http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz… done.
Archive successfully downloaded, unpacking… done.
Setting up rules structures… done.
Processing downloaded rules… disablesid 0, enablesid 0, modifysid 0, localsid 0, total rules 18195
Setting up rules structures… done.
Comparing new files to the old ones… done.
Updating local rules files… done.
[***] Results from Oinkmaster started 20140119 18:15:26 [***]
[*] Rules modifications: [*]
None.
[*] Non-rule line modifications: [*]
None.
[+] Added files (consider updating your snort.conf to include them if needed): [+]
-> botcc.rules
…snip…
-> unicode.map
Restart the thing with a simple service suricata restart and there you are, you can leave it running on your system to learn what kind of traffic is happening. It is worth noting that default rules are set to PASS to avoid messing your traffic up. It is up to you to tune this the right way(tm).
— ??
Configure Suricata and download the rules
___ ??
Create user for snorby
Login to MySQL server with mysql -u root -p
mysql> create user 'admin'@'localhost' identified by 'admin_password';
Query OK, 0 rows affected (0.00 sec)
mysql> grant all privileges on snorby.* to 'admin'@'localhost' with grant option;
Query OK, 0 rows affected (0.02 sec)
mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)
mysql>
Modify MySQL config file my.cnf
By default MySQL only listens to localhost (127.0.0.1), however I want MySQL to listen to from all source addresses.
#nano /etc/mysql/my.cnf
Comment the bind-address line. Then restart mysqld service.
#
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address = 127.0.0.1
service mysql restart
lsof -i | grep mysqld
Snorby is a web interface that allows you see events in a nice web inteface. It will require a few things to work nicely, which you can install prior by doing:
#apt-get install bundler libxml2-dev libxslt-dev libmysqlclient-dev graphviz-dev libgv-ruby wkhtmltopdf
Before you execute the next commands, be careful with your snorby_config.yml file and set your domain to a secure domain and random port, since this is a ruby on rails application, unless you plan on proxying it behind a http server. My 2 cents, opinions my own, etc…
cd /var/www/
git clone http://github.com/Snorby/snorby.git
cd snorby
bundle install
cd ../snorby/config
cp database.yml.example database.yml
vi database.yml ( with the newly created snorby username and password)
cp snorby_config.yml.example snorby_config.yml
vi snorby_config.yml
And paste these lines:
—
production:
domain: localhost:3000
wkhtmltopdf: /usr/bin/wkhtmltopdf
—
cd initializers/
vi mail_config.rb
bundle exec rake snorby:setup
bundle exec rails server -e production
Passanger
cd /var/www/snorby
gem install rails bundler –no-ri –no-rdoc passenger
passenger-install-apache2-module -a
Now you need to set up a parser between the suricata logs and the snorby interface, this is where banyard2 comes in. The new version is hosted on github. You will need a few things to get it compiled right.
apt-get install flex bison
cd /opt
git clone https://github.com/jncornett/libdnet.git
cd libdnet
./configure && make && make install
wget https://www.snort.org/downloads/snort/daq-2.0.6.tar.gz
tar xvfz daq-2.0.6.tar.gz
cd daq-2.0.6
./configure && make && make install
cd /opt
git clone https://github.com/firnsy/barnyard2.git
cd /opt/barnyard2/
apt-get install dh-autoreconf libpcap-dev
autoreconf –install
# check out where your MySQL libs are before specifying the same folder
./configure –with-mysql-libraries=/usr/lib/x86_64-linux-gnu/
make && make install
If there were no errors, you should have a nice running setup, time to configure it to send stuff to MySQL. Edit /usr/local/etc/barnyard2.conf and change the following:
# set the appropriate paths to the file(s) your Snort process is using.
# cat /usr/local/etc/barnyard2.conf | grep -n <text>
config reference_file: /etc/suricata/reference.config
config classification_file: /etc/suricata/classification.config
config gen_file: /etc/suricata/rules/gen-msg.map
config sid_file: /etc/suricata/rules/sid-msg.map
Enable the interface in barnyard2.conf by Remove the comment # from config interface: line. Which looks like this:
config interface: eth0
# define the full waldo filepath.
config waldo_file: /var/log/suricata/suricata.waldo
# database: log to a variety of databases
output database: log, mysql, user=snorbydbuser password=snorbydbpassword dbname=snorbydbname host=localhost <??sensor_name=sensor1??>
Create the log folder for barnyard2
#mkdir /var/log/barnyard2
Create suricata.waldo and create the subdirectories:
#mkdir /var/log/barnyard2
#mkdir /var/log/suricata/ && touch /var/log/suricata/suricata.waldo
Copy the barnyard2.conf
#cp /usr/local/etc/barnyard2.conf /etc/suricata/
You should then be able to start it and check that it works, if it does, then you can use -D to run as a daemon.
touch /var/log/suricata/suricata.waldo
1234 barnyard2 -c /etc/suricata/barnyard2.conf -d /var/log/suricata/ -f unified2.alert -w /var/log/suricata/suricata.waldo -d
1234 barnyard2 -c /usr/local/etc/barnyard2.conf -d /var/log/suricata/ -f unified2.alert -w /var/log/suricata/suricata.waldo -d
barnyard2 -c /etc/suricata/barnyard2.conf -d /var/log/suricata -f unified2.alert -w /var/log/suricata/suricata.waldo -D
barnyard2 -c /usr/local/etc/barnyard2.conf -d /var/log/suricata/ -f unified2.alert -w /var/log/suricata/suricata.waldo -D
SystemD Startup Scrip
nano /lib/systemd/system/barnyard2.service
With the following content.
—
[Unit]
Description=Barnyard NIDS Daemon
After=syslog.target network.target
[Service]
Type=simple
ExecStart=/usr/local/bin/barnyard2 -c /etc/suricata/barnyard2.conf -d /var/log/suricata/ -f unified2.alert -w /var/log/suricata/suricata.waldo -D
[Install]
WantedBy=multi-user.target
—
systemctl enable barnyard2
Reboot the computer and check that both services are started: service barnyard2 status
More on this when I have time 🙂
Note:
Default User Credentials for Snorby
E-mail: [email protected]
Password: snorby
https://www.frlinux.eu/?p=351
https://www.aldeid.com/wiki/Snorby
https://cyruslab.net/2012/10/18/building-an-ids-part-1-installing-pre-requisites-and-snorby/