
Installing and Configuring Snorby on CentOS 7

Snorby is a Ruby on Rails web application for network security monitoring that interfaces with the current popular intrusion detection systems (Snort, Suricata and Sagan). The fundamental concepts behind Snorby are simplicity, organization and power. The project goal is to create a free, open source and highly competitive application for network monitoring, for both private and enterprise use.
Set up your system with the following script to ensure that nothing is missing: http://wiki.douglasqsantos.com.br/doku.php/confinicialcentos7_en
  • Snorby will use the following IP: 192.168.1.251
Let's install the development tools
yum groupinstall "Development Tools" -y
Let's install the dependencies for Snorby.
yum install openssl-devel readline-devel libxml2-devel libxslt-devel mariadb mariadb-devel mariadb-server  urw-fonts libX11-devel libXext-devel git   \
fontconfig-devel libXrender-devel unzip wget xorg-x11-server-Xvfb libyaml libyaml-devel gdbm-devel db4-devel libffi-devel ethtool httpd  httpd-devel \
ImageMagick ImageMagick-devel curl libcurl libcurl-devel libmnl-devel gcc zlib-devel jansson-devel libnet-devel libnetfilter_queue-devel  java-1.8.0-openjdk -y
Now we need to compile Ruby, so let's get the tarball
cd /usr/src && wget -c http://wiki.douglasqsantos.com.br/Downloads/ips/ruby-1.9.3-p551.tar.xz
Now we need to decompress the file
tar -xvf ruby-1.9.3-p551.tar.xz && cd /usr/src/ruby-1.9.3-p551
Now we need to configure the package
./configure --prefix=/usr
Now we need to compile and install the package.
make && make install
Now let's check the ruby version
ruby -v
ruby 1.9.3p551 (2014-11-13 revision 48407) [x86_64-linux]
Let's enable the httpd
systemctl enable httpd
Let's enable the mariadb
systemctl enable mariadb
We need to get another dependency and install it manually with the following commands
cd /usr/src
wget -c http://wiki.douglasqsantos.com.br/Downloads/ips/wkhtmltox-0.12.2_linux-centos7-amd64.rpm
yum install wkhtmltox-0.12.2_linux-centos7-amd64.rpm -y
Now we need to install Rails and Rake
gem install bundler rails
gem install rake --version=0.9.2
Now we need to get the Snorby sources with the following command
cd /var/www/html && wget -c http://wiki.douglasqsantos.com.br/Downloads/ips/snorby.tar.gz
Now we need to decompress Snorby
tar -xvf snorby.tar.gz
Now we need to copy some files
cd /var/www/html/snorby/config/
cp database.yml.example database.yml
cp snorby_config.yml.example snorby_config.yml
Now we need to configure the Snorby main file as follows
vim /var/www/html/snorby/config/snorby_config.yml
# /var/www/html/snorby/config/snorby_config.yml
production:
  baseuri: ''
  domain: 'snorby.douglasqsantos.com.br'
  wkhtmltopdf: /usr/local/bin/wkhtmltopdf
  ssl: false
  mailer_sender: 'douglas.q.santos@gmail.com'
  geoip_uri: "http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz"
  rules:
    - ""
  authentication_mode: database
  timezone_search: true
  time_zone: 'America/Sao_Paulo'
Now we need to enable remote access, because Suricata or Snort will need to write to this database.
vim /etc/my.cnf
[mysqld]
[...]
bind-address            = 0.0.0.0
Now we need to start the mariadb service
systemctl start mariadb
Now we need to set the MariaDB root password like this
mysqladmin -u root password 'password'
Now we need to create the database for Snorby
mysql -u root -p
CREATE DATABASE snorby;
GRANT ALL PRIVILEGES ON snorby.* TO snorby@'%' IDENTIFIED BY 'senha';
GRANT ALL PRIVILEGES ON snorby.* TO snorby@'localhost' IDENTIFIED BY 'senha';
FLUSH PRIVILEGES;
exit
Now we need to configure the database connection file
vim /var/www/html/snorby/config/database.yml
# /var/www/html/snorby/config/database.yml
snorby: &snorby
  adapter: mysql
  username: snorby
  password: "senha"
  host: localhost

production:
  database: snorby
  <<: *snorby
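The GRANT statements above allow the snorby user to connect from any host ('%') with the fixed password 'senha', and that same value is then written into database.yml. The following shell script is an added example, not part of the original post or of the Snorby project: it generates a random password, renders the same grants restricted to a single sensor address plus localhost, and writes a matching database.yml readable only by the apache user. The sensor address 192.168.1.10 and the SNORBY_DB_SETUP_APPLY environment variable are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original post): provision the Snorby database
# user for one sensor host instead of GRANT ... TO snorby@'%', with a generated
# password instead of the walkthrough's fixed 'senha'.
# Assumption: the sensor address (192.168.1.10 below) is wherever Barnyard2
# runs; the database name 'snorby' matches the how-to.

# Generate a random alphanumeric password of the requested length (default 24).
# Alphanumeric only, so the value can be interpolated into the SQL safely.
gen_password() {
    len="${1:-24}"
    head -c 1024 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9' | head -c "$len"
}

# Render the GRANT statements scoped to one sensor host plus localhost.
# Usage: render_grants <sensor_ip> <password>
render_grants() {
    sensor="$1"
    pass="$2"
    printf '%s\n' \
        "CREATE DATABASE IF NOT EXISTS snorby;" \
        "GRANT ALL PRIVILEGES ON snorby.* TO 'snorby'@'${sensor}' IDENTIFIED BY '${pass}';" \
        "GRANT ALL PRIVILEGES ON snorby.* TO 'snorby'@'localhost' IDENTIFIED BY '${pass}';" \
        "FLUSH PRIVILEGES;"
}

# Render config/database.yml in the same layout the how-to uses.
# Usage: render_database_yml <password>
render_database_yml() {
    pass="$1"
    printf '%s\n' \
        "snorby: &snorby" \
        "  adapter: mysql" \
        "  username: snorby" \
        "  password: \"${pass}\"" \
        "  host: localhost" \
        "" \
        "production:" \
        "  database: snorby" \
        "  <<: *snorby"
}

# Apply: run the SQL as root (prompts for the root password) and write
# database.yml so that only root and the apache user can read it.
main() {
    sensor_ip="${1:?usage: $0 <sensor_ip>}"
    pass="$(gen_password 24)"
    render_grants "$sensor_ip" "$pass" | mysql -u root -p
    render_database_yml "$pass" > /var/www/html/snorby/config/database.yml
    chown apache:apache /var/www/html/snorby/config/database.yml
    chmod 0640 /var/www/html/snorby/config/database.yml
}

# Only applied when explicitly requested (assumed variable name), so the file
# can be sourced to reuse the functions without touching the database.
if [ "${SNORBY_DB_SETUP_APPLY:-0}" = 1 ]; then
    main "$@"
fi
```

Run it as SNORBY_DB_SETUP_APPLY=1 sh snorby-db-setup.sh 192.168.1.10 on the Snorby host; the password never has to be typed or pasted, and the database.yml permissions stop other local users from reading it.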
Now we need to deploy Snorby like this
cd /var/www/html/snorby/
bundle install
bundle exec rake snorby:setup RAILS_ENV=production
Let's install the Passenger Ruby gem
gem install passenger
Now let's install the passenger module for apache
passenger-install-apache2-module -a
Now we need to create the modules configuration for apache.
vim /etc/httpd/conf.modules.d/passenger.conf
LoadModule passenger_module /usr/lib/ruby/gems/1.9.1/gems/passenger-5.0.6/buildout/apache2/mod_passenger.so
Now we need to create the configuration file for passenger module
vim /etc/httpd/conf.d/passenger.conf
<IfModule mod_passenger.c>
    PassengerRoot /usr/lib/ruby/gems/1.9.1/gems/passenger-5.0.6
    PassengerDefaultRuby /usr/bin/ruby
</IfModule>
Now we need to create the virtual host that Snorby will use
vim /etc/httpd/conf.d/snorby.conf
<VirtualHost *:80>
      ServerName snorby.douglasqsantos.com.br
      DocumentRoot /var/www/html/snorby/public
      RailsEnv production
      <Directory /var/www/html/snorby/public>
        AllowOverride all
        Options -MultiViews
      </Directory>
        ServerSignature Off
        LogLevel info
        CustomLog /var/log/httpd/snorby.douglasqsantos.com.br-access.log combined
        ErrorLog /var/log/httpd/snorby.douglasqsantos.com.br-error.log
</VirtualHost>
Now we need to set the permissions on the Snorby directory
chown -R apache:apache /var/www/html/snorby
Now we can restart the Apache server
systemctl restart httpd
Now we can check the log files as follows
tail -f /var/log/httpd/snorby.douglasqsantos.com.br-*
Now we need to create a service to start and stop the Snorby worker
vim /usr/lib/systemd/system/snorby.service
[Unit]
Description=Snorby ConfiServ
After=syslog.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/etc/snorby/snorby-start
ExecStop=/etc/snorby/snorby-stop

[Install]
WantedBy=multi-user.target
Now we need to enable the new service like this
systemctl enable snorby
Now we need to create the directory that will store the script files
mkdir /etc/snorby
Now we need to create the start script file
vim /etc/snorby/snorby-start
#!/bin/bash

cd /var/www/html/snorby || exit 1
RAILS_ENV=production /usr/bin/rails runner 'Snorby::Worker.start'
Now we need to create the stop script file
vim /etc/snorby/snorby-stop
#!/bin/bash

cd /var/www/html/snorby || exit 1
RAILS_ENV=production /usr/bin/rails runner 'Snorby::Worker.stop'
Now we need to give the execution permission
chmod +x /etc/snorby/snorby-*
Now we need to start the snorby
systemctl start snorby
Now we can access Snorby at http://192.168.1.251 with user snorby@snorby.org and password snorby
We will get something like this.

After we configure Barnyard2 to populate the Snorby database, we will start to see information like the screenshot below.

We will also be able to see information like this.

Email Configuration

If you need to enable email alerts, configure the following file
vim /var/www/html/snorby/config/initializers/mail_config.rb
# Snorby Mail Configuration

# #
# Gmail Example:
#
 ActionMailer::Base.delivery_method = :smtp
 ActionMailer::Base.smtp_settings = {
   :address              => "mail.douglasqsantos.com.br",
   :port                 => 587,
   :domain               => "douglasqsantos.com.br",
   :user_name            => "snorby-monitor@douglasqsantos.com.br",
   :password             => "pzv3d7JERDPsW4d",
   :authentication       => "plain",
   :enable_starttls_auto => true
 }

# #
# Sendmail Example:
#
# ActionMailer::Base.delivery_method = :sendmail
# ActionMailer::Base.sendmail_settings = {
#   :location => '/usr/sbin/sendmail',
#   :arguments => '-i -t'
# }

ActionMailer::Base.perform_deliveries = true
ActionMailer::Base.raise_delivery_errors = true

# Mail.register_interceptor(DevelopmentMailInterceptor) if Rails.env.development?
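The walkthrough leaves several settings wide open: MariaDB bound to 0.0.0.0, the example database password 'senha' in database.yml, ssl: false in snorby_config.yml, and the SMTP password written as a literal into mail_config.rb. The following shell script is an added example (not from the original post or the Snorby project) that audits the deployed files for exactly those values, covering both the database section above and this mail configuration. File paths default to the locations used in this how-to; the ENV variable name SNORBY_SMTP_PASSWORD suggested in one finding is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): audit the deployed Snorby
# configuration for the wide-open settings used in the walkthrough.
# Each check reads one file, prints a finding and returns 1 if it fires,
# or returns 0 if the file is clean. Paths default to this how-to's locations.

# my.cnf: bind-address = 0.0.0.0 listens on every interface. The sensor only
# needs the Snorby host's own address (192.168.1.251 in this how-to).
check_bind_address() {
    f="${1:-/etc/my.cnf}"
    if grep -Eq '^[[:space:]]*bind-address[[:space:]]*=[[:space:]]*0\.0\.0\.0' "$f"; then
        echo "FINDING $f: MariaDB bound to 0.0.0.0; bind to the sensor-facing IP and firewall port 3306"
        return 1
    fi
    return 0
}

# database.yml: the walkthrough's example password must not survive into production.
check_db_password() {
    f="${1:-/var/www/html/snorby/config/database.yml}"
    if grep -Eq '^[[:space:]]*password:[[:space:]]*"?(senha|password|snorby)"?[[:space:]]*$' "$f"; then
        echo "FINDING $f: database password is a default/example value"
        return 1
    fi
    return 0
}

# mail_config.rb: an active (uncommented) :password => "literal" line keeps the
# SMTP secret in the initializer; read it from the environment instead.
check_smtp_secret() {
    f="${1:-/var/www/html/snorby/config/initializers/mail_config.rb}"
    if grep -Eq '^[[:space:]]*:password[[:space:]]*=>[[:space:]]*"[^"]+"' "$f"; then
        echo "FINDING $f: SMTP password hard-coded; use ENV['SNORBY_SMTP_PASSWORD'] (assumed name)"
        return 1
    fi
    return 0
}

# snorby_config.yml: ssl: false serves the Snorby login over plain HTTP.
check_ssl() {
    f="${1:-/var/www/html/snorby/config/snorby_config.yml}"
    if grep -Eq '^[[:space:]]*ssl:[[:space:]]*false' "$f"; then
        echo "FINDING $f: ssl is false; terminate TLS on httpd and set ssl: true"
        return 1
    fi
    return 0
}

# Run every check (arguments override the default paths, empty means default)
# and return the number of findings, so it can gate a deployment step.
audit_snorby() {
    findings=0
    check_bind_address "$1" || findings=$((findings + 1))
    check_db_password "$2" || findings=$((findings + 1))
    check_smtp_secret "$3" || findings=$((findings + 1))
    check_ssl "$4" || findings=$((findings + 1))
    echo "findings: $findings"
    return "$findings"
}
```

Calling audit_snorby with no arguments on the Snorby host checks the files this how-to creates; a non-zero exit status means at least one of the weak settings is still in place.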

After that we need to update the Snorby configuration like this
We need to enter the Snorby directory
cd /var/www/html/snorby/
Now we need to update the configuration
bundle exec rake snorby:update RAILS_ENV=production
Now we need to configure the email in: Administration/General settings.
  • Company name: DOUGLASQSANTOS
  • Company email: snorby-monitor@douglasqsantos.com.br
  • Save Settings.
Now we need to configure the administrator email in: Settings
  • Email: snorby@douglasqsantos.com.br
  • Put the password and confirm it and Update settings.
Note: The email snorby@douglasqsantos.com.br is usually an alias for other addresses.

Comments

  1. I managed to follow your instructions even though many links are dead; I still downloaded files from other places, but this one just killed me. You made us install Ruby 1.9, yet:

    [root@localhost ~]# gem install bundler rails
    Fetching: bundler-2.0.2.gem (100%)
    ERROR: Error installing bundler:
    bundler requires Ruby version >= 2.3.0.

  2. This version is old. There is a new manual on the site. However, I will test this how-to and correct it. Thanks for the support.

