-
Assumes Bosh2 is installed with binary named
bosh. -
Setup a local BOSH2 environment with VBOX: https://github.com/cloudfoundry/bosh-deployment. Tip: use
export BOSH_ENVIRONMENT=vboxto avoid needing to pass-e vboxto all subsequentboshcommands. -
Remember to apply the provided BOSH cloud-config: https://github.com/cloudfoundry/bosh-deployment/blob/master/warden/cloud-config.yml
bosh update-cloud-config ./warden/cloud-config.yml- fetch a stemcell from bosh.io
bosh upload stemcell https://bosh.io/d/stemcells/bosh-warden-boshlite-ubuntu-trusty-go_agentThe base manifest manifests/snort.yml should "Just Work".
It uses default for vm_type, stemcell, persistent_disk_type, and networks as setup in the cloud-config above.
Snort is configured to log alerts with the alert_fast output module
The snort configuration and rules are packaged in the snort-conf.tar.gz bosh blob.
These rules are kept up to date with a concourse CI pipeline which periodically downloads the latest community rules from snort.org.
The pipeline periodically:
- Fetches the current community rules using pulledpork
- Compares the downloaded snort.rules with the version in the snort-conf.tar.gz blob, and creates a new version of the blob if it has changed.
- The new blob is added and uploaded using
bosh add-blobandbosh upload-blobs, and the new config/blobs.yml is checked into this repository.
A release must then be manually created with the latest blob version.
BOSH2 operator files allow you to extend/replace parts of the default deployment manifest.
This operator allows you to add filebeat to the snort instance. Filebeat is a logshipper from elastic (elastic.co).
For example:
bosh deploy -d snort manifests/snort.yml \
-o manifests/operators/filebeat.yml \
-v central-logging-listener=10.244.0.7:5044This operator allows you to deploy to a cloud-config network that isn't default and set a static ip.
For example:
bosh deploy -d snort manifests/snort.yml \
-o manifests/operators/networking.yml \
-v network-name=foo
-v static-ip=10.244.0.8By default snort uses the default vm_type. This ops file allows you to change this.
For example:
bosh deploy -d snort manifests/snort.yml \
-o manifests/operators/vm-type.yml \
-v vm-type=fooThis operator allows you to add a snort rule which will match all packets. This is useful for debugging.
For example:
bosh deploy -d snort manifests/snort.yml \
-o manifests/operators/log-all-packets.ymlBy default snort will listen to lo and eth0. Use this file to change from eth0 to another interface. This is useful when testing on bosh-lite, as it seems to assign a random name to the network interface.
For ex
bosh deploy -d snort manifests/snort.yml \
-o manifests/operators/interface-name.yml \
-v interface-name=wn7v8a123uqr-1You can make changes and create local dev releases. These can then be deployed locally with the latest-release.yml operator file.
bosh create-release --force --name snort
bosh upload-release
bosh deploy -d snort manifests/snort.yml \
-o manifests/operators/latest-release.yml- create bosh final release (requires s3 credentials in
config/final.yml)
export VERSION=x.y.z
bosh create-release --final --version=$VERSION --name=snort --tarball=releases/snort/snort-$VERSION.tgz
- determine sha1 of tarball blob and update the
version,urlandshadetails of the snort release in themanifests/snort.ymlfile
shasum releases/snort/snort-$VERSION.tgz
- commit and push changes
git add releases .final_builds/ manifests/snort.yml
git commit -m"BOSH release $VERSION"
git tag v$VERSION
git push origin master
git push --tags
- Create a release from the new tag and upload the tarball
releases/snort/snort-$VERSION.tgz