Cheat sheet : Installing Snorby 2.2 with Apache2 and Suricata with Barnyard2 on Ubuntu 10.x
https://www.corelan.be/index.php/2011/02/27/che...
Published February 27, 2011 | By Corelan Team (corelanc0d3r)

Introduction
After spending a few hours fighting a battle against Snorby and Apache2 + Passenger, I finally managed to get it to run properly on my Ubuntu 10.x box (32bit). Looking back, I figured I might not be the only one who is having issues with this. So I decided to publish the notes I took while setting everything up, and as a little bonus, explain how to install and configure Suricata as well (configured in combination with barnyard2, which will pick up local logs and send them to the remote MySQL server). These are the components that will be installed :
Snorby 2.x (latest revision from git)
MySql 5
Ruby 1.9.2p0
Apache2
Passenger 3
Barnyard 2
Suricata 1.1beta1 with emerging-threat ruleset

Install dependencies / prerequisites for Snorby
Packages
First, make sure your system is up to date :
aptitude update
apt-get update
apt-get upgrade
apt-get dist-upgrade

Then install new packages :
apt-get install gcc g++ build-essential libssl-dev libreadline5-dev \
  zlib1g-dev linux-headers-generic libsqlite3-dev libxslt-dev libxml2-dev \
  imagemagick git-core libmysqlclient-dev mysql-server libmagickwand-dev \
  default-jre



wkhtmltopdf with QT patch
cd /tmp
wget http://wkhtmltopdf.googlecode.com/files/wkhtmltopdf-0.10.0_rc2-static-i386.tar.bz2
bunzip2 wkhtmltopdf-0.10.0_rc2-static-i386.tar.bz2
tar xvf wkhtmltopdf-0.10.0_rc2-static-i386.tar
cp wkhtmltopdf-i386 /usr/bin/wkhtmltopdf

Ruby 1.9.2p0
cd /tmp
wget http://ftp.ruby-lang.org//pub/ruby/1.9/ruby-1.9.2-p0.tar.gz
tar -xvzf ruby-1.9.2-p0.tar.gz
cd ruby-1.9.2-p0
./configure
make && make install
ln -s /usr/local/ruby/bin/bundle /usr/bin

Run "ruby -v" and verify that it returns the correct version :
ruby 1.9.2p0 (2010-08-18 revision 29036) [i686-linux]
(If this shows a different version, then verify that /usr/local/ruby/bin/ruby -v is version 1.9.2p0)

gems
gem install thor i18n bundler tzinfo builder memcache-client
gem install rack rack-test erubis mail text-format
gem install rack-mount --version=0.4.0
gem install rails sqlite3-ruby

Installing Snorby
git clone http://github.com/Snorby/snorby.git /var/www/snorby

Edit configuration files :
Edit /var/www/snorby/config/database.yml : look for the "snorby" entry and enter the mysql root username & password here :
snorby: &snorby
  adapter: mysql
  username: root
  password: <enter the mysql root password here>
  host: localhost
(don't worry, we'll get rid of the root username/password later on)

Edit /var/www/snorby/config/snorby_config.yml : set the correct path to wkhtmltopdf
development:
  domain: localhost:3000
  wkhtmltopdf: /usr/bin/wkhtmltopdf
test:
  domain: localhost:3000
  wkhtmltopdf: /usr/bin/wkhtmltopdf
production:
  domain: localhost:3000
  wkhtmltopdf: /usr/bin/wkhtmltopdf

Run Snorby setup :
cd /var/www/snorby
rake snorby:setup

It is very likely that you will get the following error :
(in /var/www/snorby)
You have requested:
  activesupport = 3.0.3
The bundle currently has activesupport locked at 3.0.4.
Try running `bundle update activesupport`
Try running `bundle install`.

Fix : run the following commands in the /var/www/snorby folder :
bundle update activesupport railties rails
gem install arel
gem install ezprint
bundle install

Run the setup again :
cd /var/www/snorby
rake snorby:setup
If all goes well, the snorby database should get created/populated now, and the necessary database and tables should be created successfully.
root@server:/var/www/snorby# rake snorby:setup
(in /var/www/snorby)
<...>
[datamapper] Created database 'snorby'
[datamapper] Finished auto_upgrade! for :default repository 'snorby'

If you get an error about ezprint:
(in /var/www/snorby)
rake aborted!
http://github.com/mephux/ezprint.git (at rails3) is not checked out. Please run `bundle install`
/var/www/snorby/Rakefile:4
(See full trace by running task with --trace)
Solution : run this from /var/www/snorby
bundle pack
bundle install --path vendor/cache
then run the rake snorby:setup command again

Configure mysql
We used the root user / password to allow snorby to create the necessary tables. Since we used the mysql root username/password in the database.yml configuration file, it is better to switch to a mysql user account that has less privileges. You can add a new mysql user, grant privileges, and edit the snorby configuration again :
mysql -u root -p
create user 'snorbyuser'@'localhost' IDENTIFIED BY 'some_pass';
grant all privileges on snorby.* to 'snorbyuser'@'localhost' with grant option;
flush privileges;

Now edit /var/www/snorby/config/database.yml again and replace the username and password with the newly created user :
snorby: &snorby
  adapter: mysql
  username: snorbyuser
  password: some_pass
  host: localhost

You will need to create a user account for your (remote) suricata/snorby sensors too. The procedure is exactly the same as indicated above, but you will have to replace 'localhost' with the IP address of the remote sensor. If the sensor is local, you can use the snorbyuser@localhost mysql user account as well.

By default, the mysql server listens on localhost only. Edit /etc/mysql/my.cnf to change the default behaviour :
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
bind-address = 127.0.0.1
Comment the bind-address statement (add a # in front of the line) and restart mysql :
service mysql restart
Verify that the server is now listening on all ip addresses :
root@server:/# lsof -i | grep mysqld
mysqld 21309 mysql 10u IPv4 16405476 0t0 TCP *:mysql (LISTEN)
TCP *:mysql => listening on all interfaces
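Once bind-address is commented out, mysqld accepts connections on every interface, so the lsof check above is worth scripting for the sensor rollout. The function below is an added example and not part of the original cheat sheet: it reads `lsof -i` style lines on stdin and reports whether mysqld is bound to all addresses, to loopback only, or to a specific address. It assumes the column layout shown above (TCP, address:port, "(LISTEN)" as the last three fields); the function name and the sample lines are constructed here.

```shell
#!/bin/sh
# Added example (not from the original cheat sheet): classify how mysqld is
# bound, from `lsof -i` style output read on stdin.
# Prints one of:
#   all       wildcard bind, reachable on every interface (the cheat sheet's end state)
#   localhost loopback only (the Ubuntu default before editing my.cnf)
#   specific  bound to one particular address
#   none      no mysqld LISTEN line seen
mysql_bind_scope() {
    awk '
        $1 == "mysqld" && $NF == "(LISTEN)" && $(NF-2) == "TCP" {
            n = $(NF-1)               # e.g. "*:mysql", "localhost:mysql", "[::]:mysql"
            sub(/:[^:]*$/, "", n)     # strip the trailing ":port" part
            if (n == "*" || n == "0.0.0.0" || n == "[::]") all = 1
            else if (n == "localhost" || n == "127.0.0.1") local = 1
            else other = 1
        }
        END {
            if (all) print "all"
            else if (other) print "specific"
            else if (local) print "localhost"
            else print "none"
        }'
}

# Constructed sample lines in the shape of `lsof -i | grep mysqld` output:
# before and after commenting out bind-address.
SAMPLE_BEFORE='mysqld  21309  mysql  10u  IPv4  16405476  0t0  TCP localhost:mysql (LISTEN)'
SAMPLE_AFTER='mysqld  21309  mysql  10u  IPv4  16405476  0t0  TCP *:mysql (LISTEN)'

# Live check on this host (needs lsof installed and root for other users' sockets).
live_mysql_bind_scope() {
    lsof -i 2>/dev/null | mysql_bind_scope
}

# Run as `sh thisfile.sh --live` to check the local server; otherwise show the samples.
if [ "${1:-}" = "--live" ]; then
    live_mysql_bind_scope
else
    printf 'before: %s\n' "$(printf '%s\n' "$SAMPLE_BEFORE" | mysql_bind_scope)"
    printf 'after:  %s\n' "$(printf '%s\n' "$SAMPLE_AFTER"  | mysql_bind_scope)"
fi
```

Only open the server up like this if you actually have remote sensors; with local sensors only, snorbyuser@localhost over loopback is enough and bind-address can stay. When the server is reachable on all interfaces, the per-sensor mysql accounts scoped to the sensor IP (as described above) are what limit who can authenticate, and a host firewall rule restricting port 3306 to those sensor addresses limits who can even connect.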

Apache2 & Passenger
Install packages & dependencies
apt-get install apache2 apache2-prefork-dev libapr1-dev libaprutil1-dev libopenssl-ruby
apt-get install libcurl4-openssl-dev
Start apache2 and make sure the default webpage loads :
service apache2 start
Install passenger :
gem install --no-ri --no-rdoc --version 3.0.3 passenger
Install passenger module for apache2 :
/usr/local/ruby/lib/ruby/gems/1.9.1/gems/passenger-3.0.3/bin/passenger-install-apache2-module -a
Edit /etc/apache2/mods-available/passenger.load (or create it if it does not exist) :
LoadModule passenger_module /usr/local/ruby/lib/ruby/gems/1.9.1/gems/passenger-3.0.3/ext/apache2/mod_pass
Edit /etc/apache2/mods-available/passenger.conf :
<IfModule mod_passenger.c>
  PassengerRoot /usr/local/ruby/lib/ruby/gems/1.9.1/gems/passenger-3.0.3
  PassengerRuby /usr/local/ruby/bin/ruby
</IfModule>
Enable the module (and some other modules you might need) :
a2enmod passenger
a2enmod rewrite
a2enmod ssl

Set file/folder permissions on the snorby folder :
chown www-data:www-data /var/www/snorby -R

Integrate Snorby with Apache2
Suppose we want the snorby frontend to be reachable using virtualhost snorby.corelan.be :
Create a file "snorby" under /etc/apache2/sites-available :
<VirtualHost *:80>
  ServerAdmin webmaster@localhost
  ServerName snorby.corelan.be
  DocumentRoot /var/www/snorby/public
  <Directory "/var/www/snorby/public">
    AllowOverride all
    Order deny,allow
    Allow from all
    Options -MultiViews
  </Directory>
</VirtualHost>
Enable the new website :
ln -s /etc/apache2/sites-available/snorby /etc/apache2/sites-enabled/snorby
Restart apache2 :
service apache2 restart
Make sure snorby.corelan.be points at your local apache2 server, and navigate to that website :

If you get an error page instead of the login page, complaining about ezprint.git not being installed, then go to the /var/www/snorby folder and run the following 2 commands :
bundle pack
bundle install --path vendor/cache
Wait until the process has finished. Restart apache2, and then try to access the website again. You should now be able to log on (log in with user snorby@snorby.org and password snorby; change this default password after your first login).

If you get a message about the "worker" not being started :
Solution : click "Administration", open "Worker Options" and select "Start worker". Now click on "Worker Options" again and start the 2 jobs. If you go back to the main page now, you may see "Currently caching" for a brief moment (depending on the number of events already in the database) :

Tip : if, at any given time, the dashboard continues to show 0 events (or an incorrect number of events in general), but the Events view shows that all entries are inside the database, then you may have to clear the caches and rebuild it from scratch :
mysql -u root -p
use snorby;
truncate table caches;
exit
Now remove the 2 worker jobs (use the little trash can icon next to each worker job to remove the job). Recreate the jobs via Worker Options, and the main dashboard should eventually get populated again.

Okay, the server is now ready to receive data from local/remote sensors (Snort, Suricata, …).

Updating Snorby
Updating snorby is as easy as running the following commands :
cd /var/www/snorby
git pull origin master
rake snorby:update

Installing Suricata & Barnyard2
Dependencies
apt-get install libpcre3 libpcre3-dbg libpcre3-dev \
  build-essential autoconf automake libtool \
  libpcap-dev libnet1-dev mysql-client libmysqlclient16-dev

Set up yaml :
cd /tmp
wget http://pyyaml.org/download/libyaml/yaml-0.1.3.tar.gz
tar xvfz yaml-0.1.3.tar.gz
cd yaml-0.1.3
./configure && make && make install

Install suricata :
cd /tmp
wget http://www.openinfosecfoundation.org/download/suricata-1.1beta1.tar.gz
tar xvfz suricata-1.1beta1.tar.gz
cd suricata-1.1beta1
mkdir /var/log/suricata
./configure && make && make install
Do NOT remove the /tmp/suricata-1.1beta1 folder yet, we need some files from this folder later on.

Install barnyard2 :
cd /tmp
wget http://www.securixlive.com/download/barnyard2/barnyard2-1.9.tar.gz
tar xvfz barnyard2-1.9.tar.gz
cd barnyard2-1.9
./configure --with-mysql && make && make install
Do NOT delete the /tmp/barnyard2-1.9 folder yet.

Try to run suricata :
suricata
If you get the following message :
suricata: error while loading shared libraries: libhtp-0.2.so.1: cannot open shared object file: No such
then add "/usr/local/lib" to /etc/ld.so.conf and run ldconfig.
root@server:/# cat /etc/ld.so.conf
include /etc/ld.so.conf.d/*.conf
/usr/local/lib
root@server:/# ldconfig

Run "suricata" again :
suricata
[14005] 27/2/2011 -- 22:08:28 - (suricata.c:440) <Info> (main) -- This is Suricata version 1.1beta1
[14005] 27/2/2011 -- 22:08:28 - (util-cpu.c:171) <Info> (UtilCpuPrintSummary) -- CPUs/cores online: 2
[14005] 27/2/2011 -- 22:08:28 - (suricata.c:765) <Error> (main) -- [ERRCODE: SC_ERR_OPENING_FILE(40)] - Configuration file has not been provided
Suricata 1.1beta1
USAGE: suricata
  -c <path>            : path to configuration file
  -i <dev or ip>       : run in pcap live mode
  -r <path>            : run in pcap file/offline mode
  -s <path>            : path to signature file (optional)
  -l <dir>             : default log directory
  -D                   : run as daemon
  --engine-analysis    : print reports on analysis of different sections in the engine and
                         Please have a look at the conf parameter engine-analysis on what r can be printed
  --pidfile <file>     : write pid to this file (only for daemon mode)
  --init-errors-fatal  : enable fatal failure on signature init error
  --dump-config        : show the running configuration
  --pcap-buffer-size   : size of the pcap buffer value from 0 - 2147483647
  --user <user>        : run suricata as this user after init
  --group <group>      : run suricata as this group after init
  --erf-in <path>      : process an ERF file

To run the engine with default configuration on interface eth0 with signature file "signatures.rules", run the command as:
suricata -c suricata.yaml -s signatures.rules -i eth0

Get suricata rules (emerging-threats) :
mkdir /etc/suricata
cd /etc/suricata
wget http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz
tar xvfz emerging.rules.tar.gz

Configure suricata :
cd /tmp/suricata-1.1beta1
cp suricata.yaml /etc/suricata/
cp classification.config /etc/suricata/
cp reference.config /etc/suricata/
(note : After copying those files, you can remove the installation folder from /tmp)

Edit /etc/suricata/suricata.yaml
Make sure alert output for barnyard2 is enabled (it is enabled by default) :
# alert output for use with Barnyard2
- unified2-alert:
    enabled: yes
    filename: unified2.alert
    # Limit in MB.
    #limit: 32
Scroll down until you reach "default-rule-path:" and enable/put the emerging threat rules files that are relevant to your system under "rule-files:". (You can find the list with rules under /etc/suricata/rules). Example :
default-rule-path: /etc/suricata/rules/
rule-files:
 - emerging-attack_response.rules
 - emerging-current_events.rules
 - emerging-dos.rules
 - emerging-exploit.rules
 - emerging-games.rules
 - emerging-inappropriate.rules
 - emerging-malware.rules
 - emerging-p2p.rules
 - emerging-policy.rules
 - emerging-scada.rules
 - emerging-smtp.rules
 - emerging-user_agents.rules
 - emerging-virus.rules
 - emerging-voip.rules
 - emerging-web_client.rules
 - emerging-web_server.rules
 - emerging-web_specific_apps.rules
 - emerging-worm.rules
Next, edit the HOME_NET variable and set it to your local IP or IP subnet. Example :
HOME_NET: "[192.168.0.0/24]"
That's the basic config.
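The rule-files list has to match what is actually unpacked under /etc/suricata/rules, and a typo there is only reported when suricata starts. The helper below is an added example, not part of the original cheat sheet: it generates the default-rule-path / rule-files block from the .rules files present in a directory, with an optional regular expression to leave out categories you do not want (the cheat sheet's advice is to pick the files relevant to your system). The function names and the sample directory layout are constructed here.

```shell
#!/bin/sh
# Added example (not from the original cheat sheet): emit the rule-files
# block for suricata.yaml from the .rules files present on disk, so the YAML
# never names a file that does not exist.
# Usage: gen_rule_files /etc/suricata/rules [exclude-regex]
gen_rule_files() {
    dir=$1
    exclude=${2:-}
    printf 'default-rule-path: %s/\n' "$dir"
    printf 'rule-files:\n'
    for f in "$dir"/*.rules; do
        [ -e "$f" ] || continue                  # no .rules files: the glob stays literal
        name=$(basename "$f")
        if [ -n "$exclude" ] && printf '%s\n' "$name" | grep -Eq "$exclude"; then
            continue                             # skipped on request (e.g. 'games|p2p')
        fi
        printf ' - %s\n' "$name"                 # same indentation as suricata.yaml uses
    done
}

# Number of rule files that would be listed (handy as a sanity check).
count_rule_files() {
    gen_rule_files "$@" | grep -c '^ - '
}

# Demonstration on a constructed directory; on a real sensor run
#   gen_rule_files /etc/suricata/rules 'games|inappropriate'
# and paste the output over the rule-files block in suricata.yaml.
demo_dir=$(mktemp -d)
: > "$demo_dir/emerging-attack_response.rules"
: > "$demo_dir/emerging-games.rules"
: > "$demo_dir/emerging-malware.rules"
: > "$demo_dir/README.txt"                      # not a rules file, must be ignored
gen_rule_files "$demo_dir" 'games'
rm -rf "$demo_dir"
```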

Keeping suricata up to date
You can use this optional simple script to grab a copy of the git master and update the suricata binaries :
#!/bin/bash
cd /tmp
rm -rf /tmp/suricata
mkdir suricata
cd suricata
/usr/bin/git clone git://phalanx.openinfosecfoundation.org/oisf.git
cd oisf
./autogen.sh
./configure && make && make install

Configure barnyard2 :
Get the sample config file from the installation folder :
cp /tmp/barnyard2-1.9/etc/barnyard2.conf /etc/suricata/
(note : After copying the file, you can remove the installation folder from /tmp)
Edit the conf file and set the following parameters : (we'll assume you are installing suricata on the same box as the snorby engine)
config reference_file:      /etc/suricata/reference.config
config classification_file: /etc/suricata/classification.config
config gen_file:            /etc/suricata/rules/gen-msg.map
config sid_file:            /etc/suricata/rules/sid-msg.map
output database: log, mysql, user=snorbyuser password=some_pass dbname=snorby host=localhost sensor_name=sensor1
(obviously the output database configuration must be placed on one line; if your copy shows a / between the password and dbname, that is a line-wrap marker and must be removed.)
If you are installing remote suricata sensors (remote from the mysql server / snorby engine point of view), then you will have to configure mysql and grant access to the remote mysql user, from the IP of the sensor. The "host" entry in the barnyard2.conf file needs to point at the remote mysql server.
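The one-line requirement for "output database:" is the part of this file that is easiest to get wrong when copying from a wrapped rendering, and barnyard2 only complains at start-up. The check below is an added example, not from the original cheat sheet: it reads a barnyard2.conf (file argument or stdin) and reports a missing key, a duplicated output line, or a stray "/" token on the database line. The function name and the two sample configurations are constructed here; the required keys are the ones the cheat sheet sets.

```shell
#!/bin/sh
# Added example (not from the original cheat sheet): sanity-check the
# "output database:" line of a barnyard2.conf before starting barnyard2.
# Checks: exactly one such line; user, password, dbname, host and sensor_name
# all present on that same line; no stray "/" token left over from a wrapped
# copy. Prints each problem found; returns 0 when the line looks sane, 1 otherwise.
check_barnyard2_output() {
    awk '
        BEGIN { split("user password dbname host sensor_name", keys, " ") }
        /^[ \t]*output[ \t]+database:/ {
            n++
            line = $0
            for (k = 1; k <= 5; k++)
                if (line !~ ("(^|[ ,])" keys[k] "=")) { print "missing " keys[k]; bad = 1 }
            if (line ~ /(^|[ \t])\/([ \t]|$)/) { print "stray / token"; bad = 1 }
        }
        END {
            if (n == 0) { print "no output database line"; bad = 1 }
            if (n > 1)  { print "output database given " n " times"; bad = 1 }
            exit bad ? 1 : 0
        }' "${1:--}"
}

# Constructed samples: the line as it must be typed, and the same line split
# at the "/" the way a wrapped copy of the cheat sheet would paste it.
GOOD_CONF='config sid_file: /etc/suricata/rules/sid-msg.map
output database: log, mysql, user=snorbyuser password=some_pass dbname=snorby host=localhost sensor_name=sensor1'
BAD_CONF='config sid_file: /etc/suricata/rules/sid-msg.map
output database: log, mysql, user=snorbyuser password=some_pass / dbname=snorby
host=localhost sensor_name=sensor1'

# Run as `sh thisfile.sh /etc/suricata/barnyard2.conf` to check a real file;
# with no argument it shows the two samples.
if [ -n "${1:-}" ]; then
    check_barnyard2_output "$1" && echo "output database line OK"
else
    echo "good sample:"; printf '%s\n' "$GOOD_CONF" | check_barnyard2_output && echo "  OK"
    echo "bad sample:";  printf '%s\n' "$BAD_CONF"  | check_barnyard2_output || echo "  FAILED"
fi
```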

Finally, create the log folder for barnyard2 :
mkdir /var/log/barnyard2
Run barnyard2 :
barnyard2 -c /etc/suricata/barnyard2.conf -d /var/log/suricata -f unified2.alert -w /var/log/suricata/sur
This will run barnyard2 in daemon mode. If barnyard2 does not appear to be working, omit the -D parameter and you will be able to see any errors that might prevent barnyard2 from running.
When barnyard2 is running, you should see a new sensor in Snorby. If you don't like the display name of the sensor, you can change the name via Administration Menu - Sensors.

When barnyard2 is running, you can launch suricata too :
Run suricata :
suricata -c /etc/suricata/suricata.yaml -i eth0 -D
(change the interface accordingly, -D will make suricata run in daemon mode)
As soon as suricata starts generating alerts, barnyard2 should pick them up, process them, and use the mysql connector to write them into the events table of the snorby database. You should be able to see these new events in the "events" view of Snorby. In the background (every 30 mins), the snorby worker jobs will pick up the events, add them to the caches table, and show them on the dashboard too.

Test IDS
If you want to test your setup, then run :
lynx www.testmyids.com
(if lynx was not installed, run apt-get install lynx and try again)
Watch the /var/log/suricata folder. You should see something similar to this :

root@server:/var/log/suricata# ls -al
(directory listing with 6 files: fast.log, http.log, stats.log, suricata.waldo, unified2.alert.1298867650, unified2.alert.1298867720)
If the fast.log and unified2.alert files are growing, then the IDS is picking up the test alerts from www.testmyids.com.
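Growing files tell you the engine is alerting; what it is alerting on is in fast.log, one line per alert. The summariser below is an added example, not part of the original cheat sheet: it reads fast.log lines on stdin and prints a count per signature (gid:sid:rev, priority, message) with the noisiest first, which is the quickest way to confirm the test alert arrived and to spot a rule category that floods the sensor before those events reach the snorby database. It assumes the fast.log line layout of Suricata 1.x (`[gid:sid:rev] msg [**] [Classification: ...] [Priority: n]`); the function names and the sample lines, with their sids, messages and addresses, are constructed here.

```shell
#!/bin/sh
# Added example (not from the original cheat sheet): count alerts per
# signature in Suricata fast.log lines read on stdin.
# Output: count<TAB>gid:sid:rev<TAB>priority<TAB>msg, highest count first.
summarize_fast_log() {
    awk '
        {
            # "[1:1000001:2] EXAMPLE msg [**] ..." -> id = "1:1000001:2", msg = "EXAMPLE msg"
            if (match($0, /\[[0-9]+:[0-9]+:[0-9]+\] /)) {
                id   = substr($0, RSTART + 1, RLENGTH - 3)
                msg  = substr($0, RSTART + RLENGTH)
                sub(/ \[\*\*\].*$/, "", msg)
            } else next                       # not an alert line (e.g. blank)
            prio = "?"
            if (match($0, /Priority: [0-9]+/)) prio = substr($0, RSTART + 10, RLENGTH - 10)
            count[id "\t" prio "\t" msg]++
        }
        END { for (k in count) print count[k] "\t" k }' | sort -rn
}

# The single most frequent signature, as "count<TAB>gid:sid:rev<TAB>priority<TAB>msg".
top_alert() {
    summarize_fast_log | head -n 1
}

# Constructed sample in Suricata 1.x fast.log format (placeholder sids, messages
# and documentation-range addresses; not real alerts).
SAMPLE_FAST_LOG='02/28/2011-05:38:12.000001  [**] [1:1000001:2] EXAMPLE test alert one [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.10:80 -> 192.0.2.20:40211
02/28/2011-05:38:13.000002  [**] [1:1000001:2] EXAMPLE test alert one [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.10:80 -> 192.0.2.20:40212
02/28/2011-05:38:14.000003  [**] [1:1000002:1] EXAMPLE test alert two [**] [Classification: Misc activity] [Priority: 3] {UDP} 192.0.2.20:5353 -> 192.0.2.1:53'

# Run as `sh thisfile.sh /var/log/suricata/fast.log` on a sensor; with no
# argument it summarises the constructed sample.
if [ -n "${1:-}" ]; then
    summarize_fast_log < "$1"
else
    printf '%s\n' "$SAMPLE_FAST_LOG" | summarize_fast_log
fi
```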