{"id":173,"date":"2016-12-20T15:22:59","date_gmt":"2016-12-20T15:22:59","guid":{"rendered":"http:\/\/info.ffteixeira.net\/2016\/12\/20\/suricata-teste\/"},"modified":"2016-12-20T15:22:59","modified_gmt":"2016-12-20T15:22:59","slug":"suricata-teste","status":"publish","type":"post","link":"https:\/\/blog.ffteixeira.net\/?p=173","title":{"rendered":"suricata *teste*"},"content":{"rendered":"
apt-get install build-essential module-assistant<\/div>\n
   36  m-a prepare<\/div>\n
   37  sh .\/VBoxLinuxAdditions.run<\/div>\n
 <\/div>\n
—<\/div>\n
Installing Suricata, Snorby and Banyard2 on Debian<\/div>\n
 <\/div>\n
I have used Snort quite extensively in the past and was curious about toying with Suricata which is similar to Snort but nicer in my view. It has been a few years since I looked at it. I can see the project seems to have evolved quite a lot. One functionality that I will be using down the line will be PF Ring.<\/div>\n
 <\/div>\n
On a lazy Sunday afternoon, I thought this was the perfect time to take a look at what it can do in its current form. I used Debian 7.3 for my tests. Everything is packaged which is quite nice though the version of suricata is a bit old on this (1.2.1 vs 1.4.7 on the website). I am very likely to make packages for this later in order to have more functionality.<\/div>\n
 <\/div>\n
NIC<\/div>\n
auto eth1<\/div>\n
iface eth1 inet manual<\/div>\n
up ifconfig $IFACE up<\/div>\n
#post-up ethtool -K eth1 gro off<\/div>\n
#post-up ethtool -K eth1 lro off<\/div>\n
 <\/div>\n
Pre-installation requirements¶<\/div>\n
 <\/div>\n
apt-get -y install libpcre3 libpcre3-dbg libpcre3-dev build-essential autoconf automake libtool libpcap-dev libnet1-dev libyaml-0-2 libyaml-dev zlib1g zlib1g-dev libmagic-dev libcap-ng-dev libjansson-dev pkg-config apache2 apache2-dev libapr1-dev libaprutil1-dev libcurl4-openssl-dev openssl libssl-dev<\/div>\n
 <\/div>\n
IPS<\/div>\n
By default, Suricata works as an IDS. If you want to use it as a IDS and IPS program, enter:<\/div>\n
 <\/div>\n
apt-get -y install libnetfilter-queue-dev<\/div>\n
 <\/div>\n
 <\/div>\n
 <\/div>\n
Once you have done the traditional apt-get install suricata<\/div>\n
 <\/div>\n
#apt-get install suricata mysql-server postgresql-server-dev-9.4<\/div>\n
#mysql_secure_installation<\/div>\n
 <\/div>\n
 <\/div>\n
There is not much to do to get it running, mostly edit: \/etc\/default\/suricata and change this line depending on your network interface, and also allow it to run:<\/div>\n
 <\/div>\n
# set to yes to start the server in the init.d script<\/div>\n
RUN=yes<\/div>\n
# Interface to listen on (for pcap mode)<\/div>\n
IFACE=br0<\/div>\n
 <\/div>\n
You then should grab the rules to get it all going and monitoring, check out the official page to set this up. I edited \/etc\/oinkmaster.conf to add the rules I wanted:<\/div>\n
1<\/div>\n
 <\/div>\n
url = http:\/\/rules.emergingthreats.net\/open\/suricata\/emerging.rules.tar.gz<\/div>\n
 <\/div>\n
You now need to grab the rules, a quick mkdir \/etc\/suricata\/rules && oinkmaster -C \/etc\/oinkmaster.conf -o \/etc\/suricata\/rules should fix this, and give you something like this:<\/div>\n
 <\/div>\n
# oinkmaster -C \/etc\/oinkmaster.conf -o \/etc\/suricata\/rules<\/div>\n
Loading \/etc\/oinkmaster.conf<\/div>\n
Downloading file from http:\/\/rules.emergingthreats.net\/open\/suricata\/emerging.rules.tar.gz… done.<\/div>\n
Archive successfully downloaded, unpacking… done.<\/div>\n
Setting up rules structures… done.<\/div>\n
Processing downloaded rules… disablesid 0, enablesid 0, modifysid 0, localsid 0, total rules 18195<\/div>\n
Setting up rules structures… done.<\/div>\n
Comparing new files to the old ones… done.<\/div>\n
Updating local rules files… done.<\/div>\n
[***] Results from Oinkmaster started 20140119 18:15:26 [***]<\/div>\n
[*] Rules modifications: [*]<\/div>\n
    None.<\/div>\n
[*] Non-rule line modifications: [*]<\/div>\n
    None.<\/div>\n
[+] Added files (consider updating your snort.conf to include them if needed): [+]<\/div>\n
 <\/div>\n
    -> botcc.rules<\/div>\n
…snip…<\/div>\n
    -> unicode.map<\/div>\n
 <\/div>\n
Restart the thing with a simple service suricata restart and there you are, you can leave it running on your system to learn what kind of traffic is happening. It is worth noting that default rules are set to PASS to avoid messing your traffic up. It is up to you to tune this the right way(tm).<\/div>\n
 <\/div>\n
 <\/div>\n
 <\/div>\n
— ??<\/div>\n
Configure Suricata and download the rules<\/div>\n
___ ??<\/div>\n
 <\/div>\n
 <\/div>\n
Create user for snorby<\/div>\n
 <\/div>\n
Login to MySQL server with mysql -u root -p<\/div>\n
 <\/div>\n
mysql> create user 'admin'@'localhost' identified by 'admin_password';<\/div>\n
Query OK, 0 rows affected (0.00 sec)<\/div>\n
 <\/div>\n
mysql> grant all privileges on snorby.* to 'admin'@'localhost' with grant option;<\/div>\n
Query OK, 0 rows affected (0.02 sec)<\/div>\n
 <\/div>\n
mysql> flush privileges;<\/div>\n
Query OK, 0 rows affected (0.00 sec)<\/div>\n
 <\/div>\n
mysql><\/div>\n
 <\/div>\n
 <\/div>\n
Modify MySQL config file my.cnf<\/div>\n
By default MySQL only listens to localhost (127.0.0.1), however I want MySQL to listen to from all source addresses.<\/div>\n
 <\/div>\n
#nano \/etc\/mysql\/my.cnf<\/div>\n
 <\/div>\n
Comment the bind-address line. Then restart mysqld service. <\/span><\/div>\n
#<\/div>\n
# Instead of skip-networking the default is now to listen only on<\/div>\n
# localhost which is more compatible and is not less secure.<\/div>\n
#bind-address           = 127.0.0.1<\/div>\n
 <\/div>\n
 <\/div>\n
service mysql restart<\/div>\n
lsof -i | grep mysqld<\/div>\n
 <\/div>\n
 <\/div>\n
 <\/div>\n
 <\/div>\n
 <\/div>\n
 <\/div>\n
Snorby is a web interface that allows you see events in a nice web inteface. It will require a few things to work nicely, which you can install prior by doing: <\/div>\n
 <\/div>\n
#apt-get install bundler libxml2-dev libxslt-dev libmysqlclient-dev graphviz-dev libgv-ruby wkhtmltopdf<\/div>\n
 <\/div>\n
Before you execute the next commands, be careful with your snorby_config.yml file and set your domain to a secure domain and random port, since this is a ruby on rails application, unless you plan on proxying it behind a http server. My 2 cents, opinions my own, etc…<\/div>\n
 <\/div>\n
cd \/var\/www\/<\/div>\n
git clone http:\/\/github.com\/Snorby\/snorby.git<\/div>\n
cd snorby<\/div>\n
bundle install<\/div>\n
cd ..\/snorby\/config <\/div>\n
cp database.yml.example database.yml<\/div>\n
vi database.yml ( with the newly created snorby username and password)<\/div>\n
cp snorby_config.yml.example snorby_config.yml<\/div>\n
vi snorby_config.yml<\/div>\n
 <\/div>\n
 <\/div>\n
 <\/div>\n
And paste these lines:<\/div>\n
—<\/div>\n
production:<\/div>\n
  domain: localhost:3000<\/div>\n
  wkhtmltopdf: \/usr\/bin\/wkhtmltopdf<\/div>\n
—<\/div>\n
 <\/div>\n
cd initializers\/<\/div>\n
vi mail_config.rb<\/div>\n
bundle exec rake snorby:setup<\/div>\n
bundle exec rails server -e production<\/div>\n
 <\/div>\n
 <\/div>\n
 <\/div>\n
 <\/div>\n
Passanger<\/div>\n
cd \/var\/www\/snorby<\/div>\n
gem install rails bundler –no-ri –no-rdoc passenger<\/div>\n
passenger-install-apache2-module -a<\/div>\n
 <\/div>\n
 <\/div>\n
 <\/div>\n
 <\/div>\n
 <\/div>\n
 <\/div>\n
 <\/div>\n
 <\/div>\n
 <\/div>\n
 <\/div>\n
Now you need to set up a parser between the suricata logs and the snorby interface, this is where banyard2 comes in. The new version is hosted on github. You will need a few things to get it compiled right.<\/div>\n
 <\/div>\n
apt-get install flex bison<\/div>\n
 <\/div>\n
 <\/div>\n
cd \/opt<\/div>\n
git clone https:\/\/github.com\/jncornett\/libdnet.git<\/div>\n
cd libdnet<\/div>\n
.\/configure && make && make install<\/div>\n
 <\/div>\n
 <\/div>\n
wget https:\/\/www.snort.org\/downloads\/snort\/daq-2.0.6.tar.gz<\/div>\n
tar xvfz daq-2.0.6.tar.gz                   <\/div>\n
cd daq-2.0.6<\/div>\n
.\/configure && make && make install<\/div>\n
 <\/div>\n
 <\/div>\n
cd \/opt<\/div>\n
git clone https:\/\/github.com\/firnsy\/barnyard2.git<\/div>\n
cd \/opt\/barnyard2\/<\/div>\n
apt-get install dh-autoreconf libpcap-dev<\/div>\n
autoreconf –install<\/div>\n
# check out where your MySQL libs are before specifying the same folder<\/div>\n
.\/configure –with-mysql-libraries=\/usr\/lib\/x86_64-linux-gnu\/<\/div>\n
make && make install<\/div>\n
 <\/div>\n
 <\/div>\n
 <\/div>\n
 <\/div>\n
 <\/div>\n
 <\/div>\n
If there were no errors, you should have a nice running setup, time to configure it to send stuff to MySQL. Edit \/usr\/local\/etc\/barnyard2.conf and change the following:<\/div>\n
 <\/div>\n
# set the appropriate paths to the file(s) your Snort process is using.<\/div>\n
# cat \/usr\/local\/etc\/barnyard2.conf  | grep -n <text><\/div>\n
 <\/div>\n
config reference_file:      \/etc\/suricata\/reference.config<\/div>\n
config classification_file: \/etc\/suricata\/classification.config<\/div>\n
config gen_file:            \/etc\/suricata\/rules\/gen-msg.map<\/div>\n
config sid_file:            \/etc\/suricata\/rules\/sid-msg.map<\/div>\n
 <\/div>\n
Enable the interface in barnyard2.conf by Remove the comment # from config interface: line. Which looks like this:<\/div>\n
config interface:       eth0<\/div>\n
 <\/div>\n
# define the full waldo filepath.<\/div>\n
config waldo_file: \/var\/log\/suricata\/suricata.waldo<\/div>\n
 <\/div>\n
# database: log to a variety of databases<\/div>\n
output database: log, mysql, user=snorbydbuser password=snorbydbpassword dbname=snorbydbname host=localhost  <??sensor_name=sensor1??><\/div>\n
 <\/div>\n
 <\/div>\n
Create the log folder for barnyard2<\/div>\n
#mkdir \/var\/log\/barnyard2<\/div>\n
 <\/div>\n
Create suricata.waldo and create the subdirectories:<\/div>\n
 <\/div>\n
#mkdir \/var\/log\/barnyard2<\/div>\n
#mkdir \/var\/log\/suricata\/ && touch \/var\/log\/suricata\/suricata.waldo<\/div>\n
 <\/div>\n
 <\/div>\n
Copy the barnyard2.conf <\/div>\n
#cp \/usr\/local\/etc\/barnyard2.conf \/etc\/suricata\/<\/div>\n
 <\/div>\n
 <\/div>\n
You should then be able to start it and check that it works, if it does, then you can use -D to run as a daemon.<\/div>\n
 <\/div>\n
touch \/var\/log\/suricata\/suricata.waldo<\/div>\n
 1234  barnyard2 -c \/etc\/suricata\/barnyard2.conf -d \/var\/log\/suricata\/ -f unified2.alert -w \/var\/log\/suricata\/suricata.waldo -d<\/div>\n
 <\/div>\n
 1234  barnyard2 -c \/usr\/local\/etc\/barnyard2.conf  -d \/var\/log\/suricata\/ -f unified2.alert -w \/var\/log\/suricata\/suricata.waldo -d<\/div>\n
 <\/div>\n
 <\/div>\n
 <\/div>\n
barnyard2 -c \/etc\/suricata\/barnyard2.conf -d \/var\/log\/suricata -f unified2.alert -w \/var\/log\/suricata\/suricata.waldo -D<\/div>\n
 <\/div>\n
barnyard2 -c \/usr\/local\/etc\/barnyard2.conf -d \/var\/log\/suricata\/ -f unified2.alert -w \/var\/log\/suricata\/suricata.waldo -D<\/div>\n
 <\/div>\n
 <\/div>\n
 <\/div>\n
 <\/div>\n
 <\/div>\n
 <\/div>\n
SystemD Startup Scrip<\/div>\n
 <\/div>\n
nano \/lib\/systemd\/system\/barnyard2.service<\/div>\n
 <\/div>\n
With the following content. <\/div>\n
—<\/div>\n
[Unit]<\/div>\n
Description=Barnyard NIDS Daemon<\/div>\n
After=syslog.target network.target<\/div>\n
 <\/div>\n
[Service]<\/div>\n
Type=simple<\/div>\n
ExecStart=\/usr\/local\/bin\/barnyard2 -c \/etc\/suricata\/barnyard2.conf -d \/var\/log\/suricata\/ -f unified2.alert -w \/var\/log\/suricata\/suricata.waldo -D<\/div>\n
 <\/div>\n
[Install]<\/div>\n
WantedBy=multi-user.target<\/div>\n
—<\/div>\n
systemctl enable barnyard2<\/div>\n
 <\/div>\n
Reboot the computer and check that both services are started: service barnyard2 status<\/div>\n
 <\/div>\n
 <\/div>\n
More on this when I have time \ud83d\ude42<\/div>\n
 <\/div>\n
 <\/div>\n
Note:<\/div>\n
Default User Credentials for Snorby<\/div>\n
 <\/div>\n
    E-mail: snorby@example.com<\/div>\n
    Password: snorby<\/div>\n
 <\/div>\n
 <\/div>\n
https:\/\/www.frlinux.eu\/?p=351<\/div>\n
https:\/\/www.aldeid.com\/wiki\/Snorby<\/div>\n
https:\/\/cyruslab.net\/2012\/10\/18\/building-an-ids-part-1-installing-pre-requisites-and-snorby\/<\/div>\n","protected":false},"excerpt":{"rendered":"

apt-get install build-essential module-assistant    36  m-a prepare    37  sh .\/VBoxLinuxAdditions.run   — Installing Suricata, Snorby and Banyard2 on Debian   I have used Snort quite extensively in the past and was curious about toying with Suricata which is … Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-173","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/blog.ffteixeira.net\/index.php?rest_route=\/wp\/v2\/posts\/173","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.ffteixeira.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.ffteixeira.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.ffteixeira.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.ffteixeira.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=173"}],"version-history":[{"count":0,"href":"https:\/\/blog.ffteixeira.net\/index.php?rest_route=\/wp\/v2\/posts\/173\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.ffteixeira.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=173"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.ffteixeira.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=173"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.ffteixeira.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=173"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}