
Installing and Configuring Snorby on CentOS 7

Snorby is a Ruby on Rails web application for network security monitoring that interfaces with the current popular intrusion detection systems (Snort, Suricata and Sagan). The fundamental concepts behind Snorby are simplicity, organization and power. The project goal is to create a free, open source and highly competitive application for network monitoring, for both private and enterprise use.
Set up your system with the following script so that nothing is missing: http://wiki.douglasqsantos.com.br/doku.php/confinicialcentos7_en
  • Snorby will use the following IP address: 192.168.1.251
Let's install the development tools
yum groupinstall "Development Tools" -y
Let's install the dependencies for Snorby.
yum install openssl-devel readline-devel libxml2-devel libxslt-devel mariadb mariadb-devel mariadb-server  urw-fonts libX11-devel libXext-devel git   \
fontconfig-devel libXrender-devel unzip wget xorg-x11-server-Xvfb libyaml libyaml-devel gdbm-devel db4-devel libffi-devel ethtool httpd  httpd-devel \
ImageMagick ImageMagick-devel curl libcurl libcurl-devel libmnl-devel gcc zlib-devel jansson-devel libnet-devel libnetfilter_queue-devel  java-1.8.0-openjdk -y
Now we need to compile Ruby, so let's get the tarball
cd /usr/src && wget -c http://wiki.douglasqsantos.com.br/Downloads/ips/ruby-1.9.3-p551.tar.xz
Now we need to decompress the file
tar -xvf ruby-1.9.3-p551.tar.xz && cd /usr/src/ruby-1.9.3-p551
Now we need to configure the package
./configure --prefix=/usr
Now we need to compile and install the package.
make && make install
Now let's check the ruby version
ruby -v
ruby 1.9.3p551 (2014-11-13 revision 48407) [x86_64-linux]
Let's enable httpd
systemctl enable httpd
Let's enable MariaDB
systemctl enable mariadb
We need to get another dependency and install it manually with the following commands
cd /usr/src
wget -c http://wiki.douglasqsantos.com.br/Downloads/ips/wkhtmltox-0.12.2_linux-centos7-amd64.rpm
yum install wkhtmltox-0.12.2_linux-centos7-amd64.rpm -y
Now we need to install Rails and Rake
gem install bundler rails
gem install rake --version=0.9.2
Now we need to get the Snorby sources with the following command
cd /var/www/html && wget -c http://wiki.douglasqsantos.com.br/Downloads/ips/snorby.tar.gz
We need to decompress Snorby
tar -xvf snorby.tar.gz
Now we need to copy some files
cd /var/www/html/snorby/config/
cp database.yml.example database.yml
cp snorby_config.yml.example snorby_config.yml
Now we need to configure the Snorby main file as follows
vim /var/www/html/snorby/config/snorby_config.yml
# /var/www/html/snorby/config/snorby_config.yml
production:
  baseuri: ''
  domain: 'snorby.douglasqsantos.com.br'
  wkhtmltopdf: /usr/local/bin/wkhtmltopdf
  ssl: false
  mailer_sender: 'douglas.q.santos@gmail.com'
  geoip_uri: "http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz"
  rules:
    - ""
  authentication_mode: database
  timezone_search: true
  time_zone: 'America/Sao_Paulo'
Now we need to enable remote access to MariaDB, because Suricata or Snort will need to write to this database.
vim /etc/my.cnf
[mysqld]
[...]
bind-address            = 0.0.0.0
Now we need to start the mariadb service
systemctl start mariadb
Now we need to set the root password like this
mysqladmin -u root password 'password'
Now we need to create the database for Snorby
mysql -u root -p
CREATE DATABASE snorby;
GRANT ALL PRIVILEGES ON snorby.* TO snorby@'%' IDENTIFIED BY 'senha';
GRANT ALL PRIVILEGES ON snorby.* TO snorby@'localhost' IDENTIFIED BY 'senha';
FLUSH PRIVILEGES;
exit
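The grants above let the snorby user connect from any host ('%'), and my.cnf now binds MariaDB to every interface. The following added example (not part of the original post) builds the same grants for one named sensor and prints the firewalld rich rule that lets only that sensor reach TCP/3306. The sensor address 192.168.1.250 is constructed for the example, firewalld is assumed to be active on the Snorby host, and the database and user are both called snorby as in the post.

```bash
#!/bin/bash
# Added example (not part of the original post): generate the Snorby MariaDB
# grants for one named sensor instead of the wildcard host '%' used above,
# plus the firewalld rich rule that lets only that sensor reach TCP/3306.
# Assumptions: the sensor address (192.168.1.250 here) is constructed for
# the example, firewalld is active on the Snorby host, and the database and
# user are both called "snorby" as in the post.

# is_ipv4 ADDR: return 0 when ADDR is a dotted-quad IPv4 address, else 1.
# This keeps a '%' or a hostname pattern from slipping into the grant.
is_ipv4() {
  local ip="$1" oct IFS=.
  case "$ip" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  set -- $ip                          # split on '.' (IFS is local)
  [ $# -eq 4 ] || return 1
  for oct in "$@"; do
    [ "$oct" -le 255 ] || return 1
  done
  return 0
}

# snorby_grants SENSOR PASSWORD: print the SQL to run in "mysql -u root -p".
# localhost is kept for the web application; the sensor host replaces '%'.
snorby_grants() {
  local sensor="$1" pass="$2"
  is_ipv4 "$sensor" || { echo "snorby_grants: not an IPv4 address: $sensor" >&2; return 1; }
  printf "CREATE DATABASE IF NOT EXISTS snorby;\n"
  printf "GRANT ALL PRIVILEGES ON snorby.* TO 'snorby'@'localhost' IDENTIFIED BY '%s';\n" "$pass"
  printf "GRANT ALL PRIVILEGES ON snorby.* TO 'snorby'@'%s' IDENTIFIED BY '%s';\n" "$sensor" "$pass"
  printf "FLUSH PRIVILEGES;\n"
}

# mariadb_rich_rule SENSOR: print the firewalld rich rule for TCP/3306.
mariadb_rich_rule() {
  is_ipv4 "$1" || return 1
  printf 'rule family="ipv4" source address="%s/32" port port="3306" protocol="tcp" accept\n' "$1"
}

# Usage once MariaDB is running (the password is the one in database.yml):
#   snorby_grants 192.168.1.250 'senha' | mysql -u root -p
#   firewall-cmd --permanent --add-rich-rule="$(mariadb_rich_rule 192.168.1.250)"
#   firewall-cmd --reload
```

Source the file and pipe the output of snorby_grants into the mysql client in place of the interactive GRANT statements; the address check makes the function refuse anything that is not a plain IPv4 address, so the wildcard cannot come back by accident.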
Now we need to configure the database connection file
vim /var/www/html/snorby/config/database.yml
# /var/www/html/snorby/config/database.yml
snorby: &snorby
  adapter: mysql
  username: snorby
  password: "senha"
  host: localhost

production:
  database: snorby
  <<: *snorby
Now we need to deploy Snorby like this
cd /var/www/html/snorby/
bundle install
bundle exec rake snorby:setup RAILS_ENV=production
Let's install the Passenger Ruby gem
gem install passenger
Now let's install the Passenger module for Apache
passenger-install-apache2-module -a
Now we need to create the module configuration for Apache.
vim /etc/httpd/conf.modules.d/passenger.conf
LoadModule passenger_module /usr/lib/ruby/gems/1.9.1/gems/passenger-5.0.6/buildout/apache2/mod_passenger.so
Now we need to create the configuration file for the Passenger module
vim /etc/httpd/conf.d/passenger.conf
<IfModule mod_passenger.c>
    PassengerRoot /usr/lib/ruby/gems/1.9.1/gems/passenger-5.0.6
    PassengerDefaultRuby /usr/bin/ruby
</IfModule>
Now we need to create the virtual host that Snorby will use
vim /etc/httpd/conf.d/snorby.conf
<VirtualHost *:80>
    ServerName snorby.douglasqsantos.com.br
    DocumentRoot /var/www/html/snorby/public
    RailsEnv production
    <Directory /var/www/html/snorby/public>
        AllowOverride all
        Options -MultiViews
    </Directory>
    ServerSignature Off
    LogLevel info
    CustomLog /var/log/httpd/snorby.douglasqsantos.com.br-access.log combined
    ErrorLog /var/log/httpd/snorby.douglasqsantos.com.br-error.log
</VirtualHost>
Now we need to set the permissions on the Snorby directory
chown -R apache:apache /var/www/html/snorby
Now we can restart the Apache server
systemctl restart httpd
Now we can check the log files as follows
tail -f /var/log/httpd/snorby.douglasqsantos.com.br-*
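At this point every file the post creates is in place, so it is a good moment to check what the host exposes. The following added audit script (example code, not part of the original post) reads those files and flags the settings that expose the database or credentials: MariaDB bound to 0.0.0.0, ssl: false in snorby_config.yml, the virtual host on plain port 80, and the password-bearing files (database.yml and the mail_config.rb created later in the post) being readable by every local user. The optional ROOT argument prefixes every path so that a copied tree can be audited offline; the default paths are the ones used in the post.

```bash
#!/bin/bash
# Added post-install audit for the Snorby host built in this post (example
# code, not part of the original post). It reads the files created above and
# flags the settings that expose credentials or the database: MariaDB bound
# to 0.0.0.0, "ssl: false" in snorby_config.yml, the vhost on plain port 80,
# and password-bearing files readable by every local user. The optional
# ROOT argument prefixes every path, so a copied tree can be audited offline.

# flag_if_matches FILE REGEX MESSAGE
# Prints WARN and returns 1 if the extended regex matches a line in FILE;
# prints OK and returns 0 otherwise. A missing file is reported and skipped.
flag_if_matches() {
  local file="$1" regex="$2" msg="$3"
  if [ ! -r "$file" ]; then
    echo "SKIP  $file: not found"
    return 0
  fi
  if grep -Eq "$regex" "$file"; then
    echo "WARN  $file: $msg"
    return 1
  fi
  echo "OK    $file"
  return 0
}

# flag_if_world_readable FILE
# Returns 1 if the "other" permission bits grant read access to FILE.
flag_if_world_readable() {
  local file="$1" others
  if [ ! -e "$file" ]; then
    echo "SKIP  $file: not found"
    return 0
  fi
  others=$(ls -ld "$file" | cut -c8-10)   # rwx triplet for "other"
  case "$others" in
    *r*) echo "WARN  $file: readable by all local users (other=$others)"; return 1 ;;
    *)   echo "OK    $file: other=$others"; return 0 ;;
  esac
}

# audit_snorby [ROOT]
# Runs every check; returns 0 only when nothing was flagged.
audit_snorby() {
  local root="${1:-}" rc=0 f
  flag_if_matches "$root/etc/my.cnf" \
    '^[[:space:]]*bind-address[[:space:]]*=[[:space:]]*0\.0\.0\.0' \
    'MariaDB listens on every interface; bind it to the address the sensor uses and filter TCP/3306' || rc=1
  flag_if_matches "$root/var/www/html/snorby/config/snorby_config.yml" \
    '^[[:space:]]*ssl:[[:space:]]*false' \
    'ssl: false, so Snorby logins and session cookies travel in clear text' || rc=1
  flag_if_matches "$root/etc/httpd/conf.d/snorby.conf" \
    '<VirtualHost[^>]*:80>' \
    'virtual host serves Snorby over plain HTTP' || rc=1
  for f in "$root/var/www/html/snorby/config/database.yml" \
           "$root/var/www/html/snorby/config/initializers/mail_config.rb"; do
    flag_if_world_readable "$f" || rc=1
  done
  return $rc
}

# Usage on the live host (run as root):  audit_snorby
# Usage on a copied tree:                audit_snorby /path/to/copy
```

Run it as root after the chown step above; the exit status is non-zero whenever a WARN line was printed, so it can be dropped into a cron job or a configuration-management check. The two config files are owned by apache after the chown, so mode 640 keeps the passwords readable by the web server and nobody else.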
Now we need to create a service to start and stop the Snorby worker
vim /usr/lib/systemd/system/snorby.service
[Unit]
Description=Snorby ConfiServ
After=syslog.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/etc/snorby/snorby-start
ExecStop=/etc/snorby/snorby-stop

[Install]
WantedBy=multi-user.target
Now we need to enable the new service like this
systemctl enable snorby
Now we need to create the directory that will store the script files
mkdir /etc/snorby
Now we need to create the start script file
vim /etc/snorby/snorby-start
#!/bin/bash

cd /var/www/html/snorby; RAILS_ENV=production /usr/bin/rails runner 'Snorby::Worker.start'
Now we need to create the stop script file
vim /etc/snorby/snorby-stop
#!/bin/bash

cd /var/www/html/snorby; RAILS_ENV=production /usr/bin/rails runner 'Snorby::Worker.stop'
Now we need to make the scripts executable
chmod +x /etc/snorby/snorby-*
Now we need to start Snorby
systemctl start snorby
Now we can access Snorby at http://192.168.1.251 with user snorby@snorby.org and password snorby
We will get something like this.

After we configure Barnyard2 to populate the Snorby database, we will start to see information like the following.

We will also be able to see information like this.

Email Configuration

If you need to enable email alerts, configure the following file
vim /var/www/html/snorby/config/initializers/mail_config.rb
# Snorby Mail Configuration

# #
# Gmail Example:
#
 ActionMailer::Base.delivery_method = :smtp
 ActionMailer::Base.smtp_settings = {
   :address              => "mail.douglasqsantos.com.br",
   :port                 => 587,
   :domain               => "douglasqsantos.com.br",
   :user_name            => "snorby-monitor@douglasqsantos.com.br",
   :password             => "pzv3d7JERDPsW4d",
   :authentication       => "plain",
   :enable_starttls_auto => true
 }

# #
# Sendmail Example:
#
# ActionMailer::Base.delivery_method = :sendmail
# ActionMailer::Base.sendmail_settings = {
#   :location => '/usr/sbin/sendmail',
#   :arguments => '-i -t'
# }

ActionMailer::Base.perform_deliveries = true
ActionMailer::Base.raise_delivery_errors = true

# Mail.register_interceptor(DevelopmentMailInterceptor) if Rails.env.development?

After that we need to update the Snorby configuration like this
We need to enter the Snorby directory
cd /var/www/html/snorby/
Now we need to update the configuration
bundle exec rake snorby:update RAILS_ENV=production
Now we need to configure the email in: Administration/General settings.
  • Company name: DOUGLASQSANTOS
  • Company email: snorby-monitor@douglasqsantos.com.br
  • Save Settings.
Now we need to configure the administrator email in: Settings
  • Email: snorby@douglasqsantos.com.br
  • Enter the password, confirm it and click Update settings.
Note: the address snorby@douglasqsantos.com.br is usually an alias for other addresses.

Comments

  1. Managed to follow your instructions even though many links are dead, still downloaded files from other places, but this one just killed me, you made us install Ruby 1.9 yet:

    [root@localhost ~]# gem install bundler rails
    Fetching: bundler-2.0.2.gem (100%)
    ERROR: Error installing bundler:
    bundler requires Ruby version >= 2.3.0.

  2. This version is old. There is a new manual on the site. However, I am going to test this how-to and correct it. Thanks for the support

