Prerequisites:
This guide assumes you have set up a clean Ubuntu Server 12.04 image with only SSH installed.
Let's get started:
# sudo su -
# apt-get update
# apt-get upgrade
# apt-get install mysql-server
# apt-get install apache2
# apt-get install libyaml-dev git-core default-jre imagemagick libmagickwand-dev wkhtmltopdf gcc g++ build-essential libssl-dev libreadline-gplv2-dev zlib1g-dev linux-headers-generic libsqlite3-dev libxslt1-dev libxml2-dev libmysqlclient-dev libmysql++-dev apache2-prefork-dev libcurl4-openssl-dev -y
Install Ruby & Friends
# apt-get install ruby1.9.3 ruby-text-format
# gem install bundler
# gem install rails
# gem install rake --version=0.9.2
Install Snorby
# cd /var/www/
# git clone http://github.com/Snorby/snorby.git
# cd /var/www/snorby/config/
# cp database.yml.example database.yml
# cp snorby_config.yml.example snorby_config.yml
# sed -i s/"\/usr\/local\/bin\/wkhtmltopdf"/"\/usr\/bin\/wkhtmltopdf"/g /var/www/snorby/config/snorby_config.yml
Configure snorby database username and password
# vi database.yml
Edit the settings to match your MySQL installation
# cd /var/www/snorby/
# bundle install --deployment
# rake snorby:setup
Setup Apache
# gem install passenger
# passenger-install-apache2-module
Copy the lines provided at the end of the installation script
# vi /etc/apache2/apache2.conf
The lines should look something like this at the end of the file
# Include of directories ignores editors' and dpkg's backup files,
# see README.Debian for details.
LoadModule passenger_module /var/lib/gems/1.9.1/gems/passenger-3.0.18/ext/apache2/mod_passenger.so
PassengerRoot /var/lib/gems/1.9.1/gems/passenger-3.0.18
PassengerRuby /usr/bin/ruby1.9.1
# Include generic snippets of statements
Include conf.d/
# Include the virtual host configurations:
Include sites-enabled/
Now add the website as follows:
# vi /etc/apache2/sites-available/snorby
Add the following lines (change the ServerAdmin and Servername to something of your choice)
<VirtualHost *:80>
ServerAdmin admin@localhost
ServerName snorby.localhost
DocumentRoot /var/www/snorby/public
<Directory "/var/www/snorby/public">
AllowOverride all
Order deny,allow
Allow from all
Options -MultiViews
</Directory>
</VirtualHost>
Enable the new website and disable the default site
# a2dissite default
# a2ensite snorby
# service apache2 reload
Browse to the new website and login with the following default credentials:
Username: snorby@snorby.org
Password: snorby
Be sure to change the default credentials after your first login
You should see a page that looks something like this
Be sure to start the Snorby worker in the interface by clicking on Administration -> Worker Options -> Start Worker
Mysql and Snort Sensor Setup
Unfortunately our work is not done. Depending on your setup, you still need to get the Snort sensors to log to your Snorby server. In my case I have separate, remote Snort sensors, so to get them to log to Snorby I have to do the following:
We first need to get MySQL to listen for remote connections, as this is turned off by default these days
# vi /etc/mysql/my.cnf
Comment out the bind-address line like so
#bind-address = 127.0.0.1
Restart MySQL
# service mysql restart
Now we need to create users for the various Snort sensors like so. The below assumes your Snort sensor is running on 10.0.0.10, so adjust accordingly
# mysql
mysql> CREATE USER 'snort'@'10.0.0.10' IDENTIFIED BY 'snortsnort';
mysql> GRANT ALL PRIVILEGES ON snorby.* TO 'snort'@'10.0.0.10';
mysql> FLUSH PRIVILEGES;
Now on your Snort sensor, either in your snort.conf or barnyard.conf file, whichever you are using, you need a line that looks something like this (again, change it to match your situation)
output database: log, mysql, user=snort password=snortsnort dbname=snorby host=10.0.0.11
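As an added post-install check that is not part of the original guide: commenting out bind-address makes mysqld accept connections on every interface, not just from the sensor, so the script below reports the effective listen address from a my.cnf file and prints the iptables rules (an assumed host-firewall approach, to be reviewed before running as root) that would limit port 3306 to the sensor at 10.0.0.10.

```bash
#!/bin/sh
# Added check for the MySQL remote-access step (not from the original guide).

# Print the effective bind address from a my.cnf file: the first uncommented
# bind-address line wins; none at all (or only commented-out ones, as in the
# guide) means mysqld listens on all interfaces, reported here as 0.0.0.0.
effective_bind_address() {
    addr=$(grep -E '^[[:space:]]*bind-address[[:space:]]*=' "$1" \
           | head -n 1 | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//')
    if [ -z "$addr" ]; then
        echo "0.0.0.0"
    else
        echo "$addr"
    fi
}

# Print (do not execute) iptables rules that accept TCP/3306 only from the
# given sensor IPs and drop every other connection to the MySQL port.
mysql_firewall_rules() {
    for ip in "$@"; do
        echo "iptables -A INPUT -p tcp --dport 3306 -s $ip -j ACCEPT"
    done
    echo "iptables -A INPUT -p tcp --dport 3306 -j DROP"
}

# Demo on a constructed my.cnf that mirrors the guide's commented-out line.
demo_cnf=$(mktemp)
printf '[mysqld]\n#bind-address = 127.0.0.1\n' > "$demo_cnf"
echo "mysqld listens on: $(effective_bind_address "$demo_cnf")"
mysql_firewall_rules 10.0.0.10
rm -f "$demo_cnf"
```

Run it against /etc/mysql/my.cnf instead of the constructed file to see what your own server exposes after the edit above.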
Troubleshooting
After installation my Snorby worker did not want to start through the web interface, so I started it manually like so
# rails c production
Loading production environment (Rails 3.1.0)
irb(main):001:0> Snorby::Worker.stop
=> ""
irb(main):002:0> Snorby::Jobs.clear_cache
=> nil
irb(main):003:0> Snorby::Worker.start
=> ""
irb(main):004:0> exit
Fine Tuning Snorby
Once the events start rolling in, you will probably see a lot of events classified as High that you would like to change to Medium or Low.
I normally do this by getting the signature id from the interface first and then changing the severity directly in the database like so
# mysql snorby
mysql> select * from signature where sig_sid = "100000230";
+--------+--------------+---------------------------------------------------+--------------+---------+-----------+---------+--------------+
| sig_id | sig_class_id | sig_name | sig_priority | sig_rev | sig_sid | sig_gid | events_count |
+--------+--------------+---------------------------------------------------+--------------+---------+-----------+---------+--------------+
| 6 | 1 | GPL CHAT MISC Jabber/Google Talk Outgoing Traffic | 1 | 2 | 100000230 | 1 | 2667 |
+--------+--------------+---------------------------------------------------+--------------+---------+-----------+---------+--------------+
1 row in set (0.00 sec)
mysql> update signature set sig_priority = 3 where sig_sid = "100000230";
Query OK, 1 row affected (0.00 sec)
Rows matched: 1 Changed: 1 Warnings: 0
Feature Request! It would be nice to be able to do this directly from the interface