dlgardner edited this page Sep 9, 2011 · 54 revisions

Insta-Snorby 0.8.0 Install Notes (Very Rough Draft):

  1. Put LAN connection on eth0 (management interface). NOTE: More than one NIC may result in no NICs being initialized due to an Ubuntu 10.04 LTS bug.
  2. Install Insta-Snorby by following the Insta-Snorby Configuration Console
    a. Set eth0 as the Snort monitoring port
    b. Enter your Oinkcode
    c. Install the security updates
  3. SSH to the server and configure the following:
    a. NTP – Edit /etc/ntp.conf (add your own ntp server)
    b. Apache Ports – Edit /etc/apache2/ports.conf to disable listening on port 80 (if desired)
    i. Comment out both lines referencing port 80 (add “#” at the start of each)
    ii. Restart command is “/etc/init.d/apache2 restart” or wait until reboot
    c. Change Snort monitoring port to eth1 (SPAN interface)
    i. Change interface to eth1 in /usr/lib/inithooks/everyboot.d/88snortstart
    ii. Change interface to eth1 in /etc/snort/barnyard2.conf
    iii. Identify and kill the snort and barnyard processes: ps aux | grep snort
    iv. Restart snort: /usr/local/bin/snort -g snort -u snort -c /etc/snort/snort.conf -i eth1 -D
    v. Restart barnyard: /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -G /etc/snort/gen-msg.map -S /etc/sid-msg.map -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -D
    d. Snort Config – Edit /etc/snort/snort.conf
    i. Define the “$HOME_NET” and “$EXTERNAL_NET” variables
    ii. Consider and edit all other lines with caution. Reference: https://www.snort.org/docs
    iii. Consider configuring a BPF file to drop undesired traffic
    e. Pulledpork 0.6.1 Fix – This version contains an incorrect pulledpork version reference to 0.5.0 in the following files; update it to 0.6.1 in each:
    i. /usr/lib/inithooks/bin/pulledpork.py
    ii. /usr/lib/inithooks/bin/oinkcode.py
    iii. /root/crontmp
    iv. /usr/lib/inithooks/bin/interface_select.py
    f. Openfpc - /usr/lib/inithooks/bin/interface_select.py contains a reference to version 0.4-267, which should be 0.6-314. Reference: http://www.openfpc.org/home
    i. Change interface to eth1 in /etc/openfpc/openfpc-default.conf
    g. Add desired linux user accounts
    h. Logout of SSH
  4. Connect SPAN cable to eth1 interface
  5. Configure network interfaces to static IPs. NOTE: I’ve experienced some odd DNS behavior and have had to reboot or restart the network interfaces twice before I was able to reach it. There may be an Ubuntu bug associated with this behavior.
  6. Reboot the server using the Insta-Snorby configuration console

Manually Clear/Update Dashboard:
Go to the main snorby directory (in my case it is /var/www/snorby) and start a Rails console:

    sudo rails c

Then run these commands:

    Snorby::Jobs.clear_cache(true)
    Snorby::Jobs.run_now!

Run Pulledpork Manually:

    /root/pulledpork-0.6.1/pulledpork.pl -c /root/pulledpork-0.6.1/etc/pulledpork.conf -H -v >> /var/log/pulledpork 2>&1

Nokogiri

  • libxml
  • libxslt

PDFkit & wkhtmltopdf

    gem install pdfkit
    pdfkit --install-wkhtmltopdf

Edit snorby/config/application.rb line #23 and add the following line:

    /usr/local/bin/wkhtmltopdf

ImageMagick & rmagick

Snort

Barnyard

Installing on CentOS 5.5

Here are my notes from a fresh CentOS 5.5 Install:

Install CentOS 5.5, then:

    yum update
    yum install ncurses-devel readline-devel gcc-c++ httpd-devel mysql-server openssl-devel mysql-devel curl-devel zlib-devel gcc libxml2-devel libxslt-devel

Be sure to install all needed deps

Change the mysqld root password

    /usr/bin/mysqladmin -u root password 'new-password'

Download ruby from http://www.ruby-lang.org/en/downloads/

Untar and cd into the ruby source dir

Compile ruby with

    ./configure
    make
    make install

    cd ext/openssl
    ruby extconf.rb
    make
    make install

    gem install rails

Download and compile git from: http://www.kernel.org/pub/software/scm/git/ current ver = 1.7.3

Untar and cd into the git dir

    ./configure
    make
    make install

Download ImageMagick from source:

    wget ftp://ftp.imagemagick.org/pub/ImageMagick/ImageMagick.tar.gz

Untar the tarball and cd into the ImageMagick dir, then:

    ./configure
    make
    make install

execute

    gem install rmagick
    gem install passenger

execute:

    /usr/local/lib/ruby/gems/1.9.1/gems/passenger-3.0.2/bin/passenger-install-apache2-module

(the version number above may change)

Edit the Apache conf:

    DocumentRoot "/var/www/html/snorby/public/"
    RailsBaseURI /var/www/html

cd to your Apache document root directory and clone Snorby:

    git clone http://github.com/Snorby/snorby.git

or

    git clone git://github.com/Snorby/snorby.git

cd into snorby (the dir that was created in the doc root) and edit config/database.yml for the db user account.

Back in the document root snorby dir:

    bundle install
    rake snorby:setup

Disable SELinux (be sure to re-enable it after everything is working):

    echo 0 >/selinux/enforce

Start Apache:

    service httpd start

Allow access through iptables (or port 80):

    -A RH-Firewall-1-INPUT -s x.x.x.x -m tcp -p tcp --dport 443 -j ACCEPT

If any errors reference ezprint, from /var/www/html/snorby (or whatever your doc root is):

    bundle pack
    bundle install --path vendor/cache

If there are any readline problems:

            cd /ruby-source-dir/ext/readline
            ruby extconf.rb
            make install

Add to rc.local:

            cd /var/www/snorby && /usr/local/bin/ruby script/delayed_job start
            cd /var/www/snorby && /usr/local/bin/rails runner 'Snorby::Jobs::SensorCacheJob.new(false).perform; Snorby::Jobs::DailyCacheJob.new(false).perform'