Suricata, Snorby and Barnyard2 setup guide
This is a detailed how-to guide for setting up Suricata with Snorby and Barnyard2.
In this particular setup we are using:
- Suricata from git - 1.4dev
- Snorby - http://snorby.org/
- Barnyard2 - http://www.securixlive.com/barnyard2/
The physical setup that we have is the following:

|Server1| (IP 192.168.1.91) - - - - - - - - - - - - - > |Server2| (IP 192.168.1.111)
 Suricata, Barnyard2                                     Snorby

So we have Suricata running on Server1 writing unified2 logs, which are processed by Barnyard2 and forwarded to the Snorby MySQL DB on the remote Server2.
Server1 and Server2 are Ubuntu 12.04 LTS, 64-bit.
On Server2 (Snorby, MySQL) install the dependencies:

sudo apt-get install gcc g++ build-essential libssl-dev libreadline6-dev zlib1g-dev linux-headers-generic libsqlite3-dev \
  libxslt-dev libxml2-dev imagemagick git-core libmysqlclient-dev mysql-server libmagickwand-dev default-jre ruby1.9.3

sudo wget http://wkhtmltopdf.googlecode.com/files/wkhtmltopdf-0.10.0_rc2-static-amd64.tar.bz2
bunzip2 wkhtmltopdf-0.10.0_rc2-static-amd64.tar.bz2
tar xvf wkhtmltopdf-0.10.0_rc2-static-amd64.tar
ls -lh
sudo cp wkhtmltopdf-amd64 /usr/bin/wkhtmltopdf
The above wkhtmltopdf installation is the one that works for Snorby (tested with Snorby 2.5.1) - do not install the wkhtmltopdf package from "apt-get".

sudo gem install thor i18n bundler tzinfo builder memcache-client rack rack-test erubis mail text-format rack-mount rails sqlite3
sudo git clone http://github.com/Snorby/snorby.git /var/www/snorby
Edit /var/www/snorby/config/database.yml: look for the "snorby" entry and enter the MySQL root username and password here:

snorby: &snorby
  adapter: mysql
  username: root
  password: "mysqlrootpassword"
  host: localhost

Do not worry about using the root credentials here: they are replaced with a dedicated user later on.
Edit /var/www/snorby/config/snorby_config.yml: set the correct path to wkhtmltopdf (if you need to find it, use "which wkhtmltopdf") and make it look like this:

development:
  domain: localhost:3000
  wkhtmltopdf: /usr/bin/wkhtmltopdf
test:
  domain: localhost:3000
  wkhtmltopdf: /usr/bin/wkhtmltopdf
production:
  domain: localhost:3000
  wkhtmltopdf: /usr/bin/wkhtmltopdf
Then:

cd /var/www/snorby
sudo bundle update activesupport railties rails
sudo gem install arel ezprint && sudo bundle install
sudo bundle exec rake snorby:setup

Create a dedicated MySQL user for Snorby:

mysql -u root -p
create user 'snorbyuser'@'localhost' IDENTIFIED BY 'PASSWORD123';
grant all privileges on snorby.* to 'snorbyuser'@'localhost' with grant option;
flush privileges;
Now edit /var/www/snorby/config/database.yml again and replace the username and password with the newly created user:

snorby: &snorby
  adapter: mysql
  username: snorbyuser
  password: "PASSWORD123"
  host: localhost
By default, the MySQL server listens on localhost only. Since Barnyard2 on Server1 has to reach this database, edit /etc/mysql/my.cnf and change this default behavior (the stock entry looks like this):

# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
bind-address = 127.0.0.1

Restart MySQL, verify what it is listening on, and install Apache with Passenger:

sudo service mysql restart
sudo lsof -i | grep mysqld
sudo apt-get install apache2 apache2-prefork-dev libapr1-dev libaprutil1-dev libopenssl-ruby libcurl4-openssl-dev
sudo service apache2 start
sudo gem install --no-ri --no-rdoc passenger
sudo /usr/local/bin/passenger-install-apache2-module -a
Edit /etc/apache2/mods-available/passenger.load (or create it if it does not exist).
To find the paths you need, you can use:

sudo find / -name "*mod_passenger*"
/var/lib/gems/1.9.1/gems/passenger-3.0.17/ext/apache2/mod_passenger.so

Then put that in the file:

LoadModule passenger_module /var/lib/gems/1.9.1/gems/passenger-3.0.17/ext/apache2/mod_passenger.so
<IfModule mod_passenger.c>
  PassengerRoot /var/lib/gems/1.9.1/gems/passenger-3.0.17
  PassengerRuby /usr/bin/ruby
</IfModule>
Like so:

user@ubuntu64LTS:/etc/apache2/mods-available$ cat passenger.load
LoadModule passenger_module /var/lib/gems/1.9.1/gems/passenger-3.0.17/ext/apache2/mod_passenger.so
<IfModule mod_passenger.c>
  PassengerRoot /var/lib/gems/1.9.1/gems/passenger-3.0.17
  PassengerRuby /usr/bin/ruby
</IfModule>
user@ubuntu64LTS:/etc/apache2/mods-available$

sudo a2enmod passenger
sudo a2enmod rewrite
sudo a2enmod ssl
sudo chown www-data:www-data /var/www/snorby -R
Suppose we want the Snorby frontend to be reachable using the virtual host snorby.Server2.
Create a file "snorby" under /etc/apache2/sites-available:

<VirtualHost *:80>
  ServerAdmin webmaster@localhost
  ServerName snorby.Server2
  DocumentRoot /var/www/snorby/public
  <Directory "/var/www/snorby/public">
    AllowOverride all
    Order deny,allow
    Allow from all
    Options -MultiViews
  </Directory>
</VirtualHost>
Enable the new website:

sudo ln -s /etc/apache2/sites-available/snorby /etc/apache2/sites-enabled/snorby_config
sudo service apache2 restart

cd /var/www/snorby
sudo bundle pack && sudo bundle install --path vendor/cache
Make sure snorby.Server2 points at your local apache2 server (via /etc/hosts), then restart Apache:

user@ubuntu64LTS:/var/www/snorby$ cat /etc/hosts
127.0.0.1       localhost
127.0.1.1       ubuntu64LTS
127.0.0.1       snorby.Server2

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
user@ubuntu64LTS:/var/www/snorby$

sudo service apache2 restart
Go to http://snorby.Server2 (locally) and log in with the default credentials:
user: snorby@snorby.org
password: snorby
ON THE REMOTE SERVER (Suricata, Barnyard2 - Server1 in this setup)

sudo apt-get -y install libpcre3 libpcre3-dbg libpcre3-dev \
  build-essential autoconf automake libtool libpcap-dev libnet1-dev \
  libyaml-0-2 libyaml-dev zlib1g zlib1g-dev libcap-ng-dev libcap-ng0 \
  make libmagic-dev git pkg-config libnss3-dev libnspr4-dev wget

Fetch and build Suricata (each step is chained with && so the build stops at the first failure):

sudo git clone git://phalanx.openinfosecfoundation.org/oisf.git && cd oisf/ \
  && git clone https://github.com/OISF/libhtp.git -b 0.5.x \
  && sudo ./autogen.sh && sudo ./configure \
     --with-libnss-libraries=/usr/lib --with-libnss-includes=/usr/include/nss/ \
     --with-libnspr-libraries=/usr/lib --with-libnspr-includes=/usr/include/nspr \
  && sudo make clean && sudo make && sudo make install-full && sudo ldconfig
We get Barnyard2:

sudo apt-get install libpcre3 libpcre3-dbg libpcre3-dev \
  build-essential autoconf automake libtool \
  libpcap-dev libnet1-dev mysql-client libmysqlclient16-dev

cd /tmp && sudo wget http://www.securixlive.com/download/barnyard2/barnyard2-1.9.tar.gz \
  && sudo tar xvfz barnyard2-1.9.tar.gz && cd barnyard2-1.9
sudo ./configure --with-mysql && make && sudo make install
configure Suricata ......
sudo cp /tmp/barnyard2-1.9/etc/barnyard2.conf /etc/suricata/

Edit the barnyard2 conf file and set the following parameters:

config reference_file:      /etc/suricata/reference.config
config classification_file: /etc/suricata/classification.config
config gen_file:            /etc/suricata/rules/gen-msg.map
config sid_file:            /etc/suricata/rules/sid-msg.map
.....
.....
output database: log, mysql, user=snorbyuser password=PASSWORD123 dbname=snorby host=192.168.1.111 sensor_name=sensor1

Here host=192.168.1.111 is the IP of Server2.
The whole "output database:" entry must be on a single line; do not break it (for example with a "/" between the password and dbname), or Barnyard2 will not parse it.
If you are installing remote Suricata sensors (remote from the point of view of the MySQL server / Snorby engine, as in this guide), you have to configure MySQL and grant access to the remote MySQL user from the IP of the sensor. The "host" entry in the barnyard2.conf file needs to point at the remote MySQL server.
Back on Server2 do:

mysql -uroot -p
GRANT ALL ON snorby.* TO snorbyuser@'192.168.1.91' IDENTIFIED BY 'PASSWORD123';
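The bind-address change earlier and the per-host GRANT above are the two places where the Snorby database becomes reachable from the network, so they are worth checking before the sensor goes live. The script below is an added example, not part of the original guide: it reads a my.cnf-style file and a dump of GRANT statements (the form SHOW GRANTS prints) and flags a server bound to every address or a grant on the snorby database whose host part is a wildcard rather than one sensor IP. The file names, their contents and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example (not the guide's own code): review the network exposure of the
# Snorby MySQL server on Server2. Input files are constructed below.

# Print the effective bind-address from a my.cnf-style file (commented
# "# bind-address" lines are ignored; the last uncommented entry wins).
mysql_bind_address() {
    # $1 = path to my.cnf
    sed -n 's/^[[:space:]]*bind-address[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | tail -n 1
}

# Exit 0 unless the server listens on every interface (empty, 0.0.0.0 or ::).
# A specific address (localhost, or the server's own LAN address when a remote
# sensor must reach it) passes.
bind_address_ok() {
    addr=$(mysql_bind_address "$1")
    case "$addr" in
        ""|0.0.0.0|::) return 1 ;;
        *) return 0 ;;
    esac
}

# Print every GRANT line whose host part contains a '%' wildcard.
# Assumes the quoted form SHOW GRANTS uses: TO 'user'@'host'.
wildcard_grants() {
    # $1 = file with one GRANT statement per line
    grep -i '^GRANT' "$1" | grep -E "@'[^']*%[^']*'"
}

# Exit 0 when no grant in the file uses a wildcard host.
grants_scoped_ok() {
    if wildcard_grants "$1" >/dev/null; then
        return 1
    fi
    return 0
}

# --- constructed sample input ------------------------------------------------
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/my.cnf" <<'EOF'
[mysqld]
# bind-address = 127.0.0.1
bind-address = 192.168.1.111
EOF
# The grants the guide creates: localhost plus the sensor's own IP only.
cat > "$SAMPLE_DIR/grants_good.txt" <<'EOF'
GRANT ALL PRIVILEGES ON `snorby`.* TO 'snorbyuser'@'localhost'
GRANT ALL PRIVILEGES ON `snorby`.* TO 'snorbyuser'@'192.168.1.91'
EOF
# A grant that lets any host use the sensor credentials.
cat > "$SAMPLE_DIR/grants_bad.txt" <<'EOF'
GRANT ALL PRIVILEGES ON `snorby`.* TO 'snorbyuser'@'%'
EOF

if bind_address_ok "$SAMPLE_DIR/my.cnf"; then
    echo "bind-address $(mysql_bind_address "$SAMPLE_DIR/my.cnf"): not listening on all interfaces"
fi
for f in grants_good.txt grants_bad.txt; do
    if grants_scoped_ok "$SAMPLE_DIR/$f"; then
        echo "$f: every grant is scoped to a specific host"
    else
        echo "$f: wildcard host grant found:"; wildcard_grants "$SAMPLE_DIR/$f"
    fi
done
```

On a real Server2 the same functions run against /etc/mysql/my.cnf and the output of SHOW GRANTS FOR 'snorbyuser'@'192.168.1.91' saved to a file; the guide's own grant, limited to the sensor IP, passes the wildcard check.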
Create the log folder for barnyard2 (on Server1):

sudo mkdir /var/log/barnyard2

Make sure you have enabled unified2 logging in the suricata yaml:

# alert output for use with Barnyard2
- unified2-alert:
    enabled: yes
    filename: unified2.alert
Start Suricata:

sudo suricata -c /etc/suricata.yaml -i eth0 -D

Start Barnyard2:

sudo barnyard2 -c /etc/suricata/barnyard2.conf -d /var/log/suricata -f unified2.alert -w /var/log/suricata/suricata.waldo -D
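The three things that most often keep events from reaching Snorby are covered by the steps above: unified2 output disabled in the YAML, the "output database:" entry split across lines, and a spool directory that does not match what Barnyard2 is told to read with -d. The script below is an added example, not part of the original guide or of Suricata/Barnyard2: a pre-flight check for the sensor that parses those two files and reports each problem before the daemons are started. The sample files and the function names are constructed; on a real sensor you would pass the paths from the commands above.

```shell
#!/bin/sh
# Added example (not the guide's own code): sensor pre-flight check for the
# Suricata -> unified2 -> Barnyard2 -> MySQL chain. Sample files are constructed.

# Print the value of a key ("enabled" or "filename") inside the
# "- unified2-alert:" block of the Suricata YAML outputs section.
unified2_setting() {
    # $1 = path to suricata.yaml, $2 = key name
    awk -v key="$2" '
        /^[ \t]*-[ \t]*unified2-alert:/ { in_block = 1; next }
        in_block && $1 == (key ":")    { print $2; exit }
        in_block && /^[ \t]*-[ \t]/    { exit }   # next output block: key absent
    ' "$1"
}

unified2_enabled() { [ "$(unified2_setting "$1" enabled)" = "yes" ]; }

# Print the "output database:" entry from barnyard2.conf (first match,
# trailing whitespace removed).
db_output_line() {
    grep -E '^[[:space:]]*output[[:space:]]+database:' "$1" | head -n 1 | sed 's/[[:space:]]*$//'
}

# Exit 0 only when the entry is complete on one line: it must not end in a
# stray continuation character and must carry user=, dbname= and host=.
db_output_complete() {
    line=$(db_output_line "$1")
    [ -n "$line" ] || return 1
    case "$line" in
        */|*\\) return 1 ;;
    esac
    for kv in user= dbname= host=; do
        case "$line" in
            *"$kv"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Print the MySQL host the sensor will send events to (Server2 in the guide).
db_output_host() {
    db_output_line "$1" | sed -n 's/.*host=\([^[:space:]]*\).*/\1/p'
}

# Run all checks; print each failure and return the number of failures.
sensor_preflight() {
    # $1 = suricata.yaml, $2 = barnyard2.conf, $3 = spool directory (barnyard2 -d)
    failures=0
    unified2_enabled "$1" || { echo "unified2-alert is not enabled in $1"; failures=$((failures + 1)); }
    db_output_complete "$2" || { echo "output database entry in $2 is missing or split across lines"; failures=$((failures + 1)); }
    [ -d "$3" ] || { echo "spool directory $3 does not exist"; failures=$((failures + 1)); }
    return $failures
}

# --- constructed sample input ------------------------------------------------
SAMPLE_DIR=$(mktemp -d)
mkdir -p "$SAMPLE_DIR/log"
cat > "$SAMPLE_DIR/suricata.yaml" <<'EOF'
outputs:
  - fast:
      enabled: yes
      filename: fast.log
  # alert output for use with Barnyard2
  - unified2-alert:
      enabled: yes
      filename: unified2.alert
  - http-log:
      enabled: no
EOF
sed 's/enabled: yes/enabled: no/' "$SAMPLE_DIR/suricata.yaml" > "$SAMPLE_DIR/suricata_off.yaml"
cat > "$SAMPLE_DIR/barnyard2_good.conf" <<'EOF'
config reference_file: /etc/suricata/reference.config
output database: log, mysql, user=snorbyuser password=PASSWORD123 dbname=snorby host=192.168.1.111 sensor_name=sensor1
EOF
# The same entry wrapped the way the guide warns against.
cat > "$SAMPLE_DIR/barnyard2_bad.conf" <<'EOF'
output database: log, mysql, user=snorbyuser password=PASSWORD123 /
dbname=snorby host=192.168.1.111 sensor_name=sensor1
EOF

echo "good configuration:"
sensor_preflight "$SAMPLE_DIR/suricata.yaml" "$SAMPLE_DIR/barnyard2_good.conf" "$SAMPLE_DIR/log" \
    && echo "  ok, events will go to $(db_output_host "$SAMPLE_DIR/barnyard2_good.conf")"
echo "broken configuration:"
sensor_preflight "$SAMPLE_DIR/suricata_off.yaml" "$SAMPLE_DIR/barnyard2_bad.conf" "$SAMPLE_DIR/missing" || true
```

The return value of sensor_preflight is the failure count, so it can gate a start-up script: run it with the real /etc/suricata/barnyard2.conf, the YAML passed to suricata -c and the directory passed to barnyard2 -d, and start the daemons only when it returns 0.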
NOTE:
If, at any given time, the Snorby dashboard keeps showing 0 events (or an incorrect number of events in general) while the Events view shows that all entries are in the database, you may have to clear the caches and rebuild them from scratch.
On Server2:

mysql -u root -p
use snorby;
truncate table caches;
exit

Now remove the 2 worker jobs in Snorby's web interface (use the little trash can icon next to each worker job to remove the job).
Recreate the jobs via Worker Options, and the main dashboard should eventually get populated again.
NOTE:
To start Barnyard2 automatically at boot, see:
https://github.com/Snorby/snorby/wiki/Installing-Barnyard2