Installation Help
Install Steps:
- Put the LAN connection on eth0 (management interface). NOTE: More than one NIC may result in no NICs being initialized due to an Ubuntu 10.04 LTS bug.
- Install Insta-Snorby by following the Insta-Snorby Configuration Console:
  a. Set eth0 as the Snort monitoring port
  b. Choose to enter your Oinkcode
  c. Choose to install the security updates
- SSH to the server and configure the following:
  a. NTP – Edit /etc/ntp.conf (add ntp.hs.uab.edu or 10.20.60.11)
  b. Apache Ports – Edit /etc/apache2/ports.conf to disable listening on port 80 (if desired)
     i. Comment out (add “#” at the start of) both lines referencing port 80
     ii. Restart with “/etc/init.d/apache2 restart”, or wait until reboot
  c. Change the Snort monitoring port to eth1 (SPAN interface)
     i. Change the interface to eth1 in /usr/lib/inithooks/everyboot.d/88snortstart
     ii. Change the interface to eth1 in /etc/snort/barnyard2.conf
     iii. Identify and kill the snort and barnyard processes: ps aux | grep snort
     iv. Restart snort: /usr/local/bin/snort -g snort -u snort -c /etc/snort/snort.conf -i eth1 -D
     v. Restart barnyard: /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -G /etc/snort/gen-msg.map -S /etc/sid-msg.map -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -D
  d. Snort Config – Edit /etc/snort/snort.conf
     i. Define the “$HOME_NET” and “$EXTERNAL_NET” variables
     ii. Consider and edit all other lines with caution. Reference: https://www.snort.org/docs
     iii. Consider configuring a BPF file to filter out undesired traffic
  e. Pulledpork 0.6.1 Fix – This version of pulledpork contains an incorrect version reference to 0.5.0. Files containing the reference:
     i. /usr/lib/inithooks/bin/pulledpork.py
     ii. /usr/lib/inithooks/bin/oinkcode.py
     iii. /root/crontmp
     iv. /usr/lib/inithooks/bin/interface_select.py
  f. Openfpc – /usr/lib/inithooks/bin/interface_select.py contains a reference to version 0.4-267, which should be 0.6-314. Reference: http://www.openfpc.org/home
     i. Change the interface to eth1 in /etc/openfpc/openfpc-default.conf
  g. Add the desired Linux user accounts
  h. Log out of SSH
- Connect the SPAN cable to the eth1 interface
- Configure the network interfaces with static IPs. NOTE: I’ve experienced some odd DNS behavior and have had to reboot or restart the network interfaces twice before I was able to reach it. There may be an Ubuntu bug associated with this behavior.
- Reboot the server using the Insta-Snorby configuration console
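As an added example (not part of the Insta-Snorby wiki page), a POSIX shell check for the eth1 move above: it verifies that 88snortstart, barnyard2.conf and openfpc-default.conf all name the same monitoring interface before snort and barnyard are restarted. The line syntax it expects in 88snortstart ("-i ethN") and openfpc-default.conf ("INTERFACE=ethN") is an assumption, and the sample files it reads are constructed.

```shell
#!/bin/sh
# Added example (not from the Insta-Snorby page): after moving the SPAN feed to
# eth1, confirm every config that names the monitoring interface agrees, before
# restarting snort and barnyard. Line syntax per file is an assumption, noted
# inline; the sample files are constructed so the check runs offline.

# Print the interface named in a config file of the given kind (or nothing).
monitor_iface() {
    case "$1" in
        # 88snortstart: assumes the snort command line carries "-i ethN"
        snortstart) sed -n 's/.*-i[[:space:]][[:space:]]*\([a-z0-9][a-z0-9]*\).*/\1/p' "$2" | head -n 1 ;;
        # barnyard2.conf: "config interface: ethN"
        barnyard)   sed -n 's/^config interface:[[:space:]]*\([a-z0-9][a-z0-9]*\).*/\1/p' "$2" | head -n 1 ;;
        # openfpc-default.conf: assumes "INTERFACE=ethN"
        openfpc)    sed -n 's/^INTERFACE=\([a-z0-9][a-z0-9]*\).*/\1/p' "$2" | head -n 1 ;;
    esac
}

# Return 0 when all three files name $1, 1 when any differs or is missing.
check_ifaces() {
    expected=$1; rc=0
    for spec in "snortstart:$2" "barnyard:$3" "openfpc:$4"; do
        kind=${spec%%:*}; file=${spec#*:}
        got=$(monitor_iface "$kind" "$file")
        if [ "$got" = "$expected" ]; then
            echo "ok    $file -> $got"
        else
            echo "FAIL  $file -> '${got:-none}' (expected $expected)"; rc=1
        fi
    done
    return $rc
}

# Constructed sample files: barnyard2.conf still points at eth0, the step most
# easily forgotten when only the snort command line is updated.
make_samples() {
    printf '#!/bin/sh\n/usr/local/bin/snort -g snort -u snort -c /etc/snort/snort.conf -i eth1 -D\n' > "$1/88snortstart"
    printf 'config interface: eth0\n' > "$1/barnyard2.conf"
    printf 'INTERFACE=eth1\n' > "$1/openfpc-default.conf"
}

d=$(mktemp -d)
make_samples "$d"
check_ifaces eth1 "$d/88snortstart" "$d/barnyard2.conf" "$d/openfpc-default.conf" \
    || echo "interface mismatch: fix the FAIL lines before restarting snort/barnyard"
rm -r "$d"
```

Run it against the real paths once the edits in step c and step f are done; a clean run prints three "ok" lines and exits 0.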
Manually Clear/Update Dashboard: go to the main snorby directory (in my case it is /var/www/snorby), then execute:
sudo rails c
and then use these commands:
Snorby::Jobs.clear_cache(true)
Snorby::Jobs.run_now!

Run Pulledpork Manually:
/root/pulledpork-0.6.1/pulledpork.pl -c /root/pulledpork-0.6.1/etc/pulledpork.conf -H -v >> /var/log/pulledpork 2>&1
Snorby 2.0.0 Dependency Help. A few suggestions & tips in case you have installation issues.
- libxml
- libxslt
gem install pdfkit
pdfkit --install-wkhtmltopdf
Edit snorby/config/application.rb line #23 and add the following line:
/usr/local/bin/wkhtmltopdf
Here are my notes from a fresh CentOS 5.5 Install:
Install CentOS 5.5, then:
yum update
yum install ncurses-devel readline-devel gcc-c++ httpd-devel mysql-server openssl-devel mysql-devel curl-devel zlib-devel gcc libxml2-devel libxslt-devel
Be sure to install all needed deps.
Change the mysqld root password:
/usr/bin/mysqladmin -u root password 'new-password'
Download ruby from http://www.ruby-lang.org/en/downloads/
Untar and cd into the ruby source dir. Compile ruby with:
./configure
make
make install
cd ext/openssl
ruby extconf.rb
make
make install
gem install rails
Download and compile git from: http://www.kernel.org/pub/software/scm/git/ (current ver = 1.7.3)
Untar and cd into the git dir:
./configure
make
make install
Download ImageMagick from source:
wget ftp://ftp.imagemagick.org/pub/ImageMagick/ImageMagick.tar.gz
Untar the tarball, cd to the ImageMagick dir:
./configure
make
make install
Execute:
gem install rmagick
gem install passenger
Execute: /usr/local/lib/ruby/gems/1.9.1/gems/passenger-3.0.2/bin/passenger-install-apache2-module
(above version # may change)
Edit Apache conf:
DocumentRoot "/var/www/html/snorby/public/"
RailsBaseURI /var/www/html
cd to your apache document root directory, then:
git clone http://github.com/Snorby/snorby.git
(or git://github.com/Snorby/snorby.git)
cd snorby (the dir that was created in the doc root) and edit config/database.yml for the db user account
Back in the document root snorby dir:
bundle install
rake snorby:setup
Disable selinux: echo 0 >/selinux/enforce (Be sure to re-enable after everything is working)
Start Apache: service httpd start
Allow access through iptables: -A RH-Firewall-1-INPUT -s x.x.x.x -m tcp -p tcp --dport 443 -j ACCEPT (or port 80)
If any errors reference ezprint, from /var/www/html/snorby (or whatever your doc root is):
bundle pack
bundle install --path vendor/cache
If any readline problems:
cd /ruby-source-dir/ext/readline
ruby extconf.rb
make install
Add to rc.local:
cd /var/www/snorby && /usr/local/bin/ruby script/delayed_job start
cd /var/www/snorby && /usr/local/bin/rails runner 'Snorby::Jobs::SensorCacheJob.new(false).perform; Snorby::Jobs::DailyCacheJob.new(false).perform'