Snort, Barnyard2 & Snorby

This post is a work in progress, but I never got around to finishing it. Sorry.

After a first failed attempt to install Snorby on an Arch Linux server (Snorby requires Ruby 1.9.x, Arch uses 2.x, and I am not willing to use the AUR version for this), I am doing this on an Ubuntu 14.04 server.

Snort

Before installing Snorby we have to install Snort itself with sudo apt-get install snort. During installation the package asks for the network address range to use as HOME_NET. Since I am not sure what to use here (the network may change), I just accept the default; it can be changed later in the Snort config files under /etc/snort/.

For testing purposes I add a new rule file in /etc/snort/rules/ with a very basic rule that alerts on every IP packet. Do not do this in production: it will flood your Snort output and, later, the Snorby database. Local rules should use SIDs of 1000000 and above; lower numbers are reserved for the official rule set.

file: /etc/snort/rules/test.rules
# test only: fires on every IP packet in either direction
alert ip any any -> any any (msg:"Someone tried to access the server"; sid:1000001; rev:1; priority:2;)

To use the new rule file, include it in /etc/snort/snort.conf by adding the line include $RULE_PATH/test.rules next to the existing include lines. Run Snort once in test mode (-T with the same -c config) before restarting the service, so that a syntax error or a duplicate SID shows up immediately instead of in the init script's log.

Configuration

In order to inspect outgoing traffic I had to add the -k none option to Snort, which disables all checksum verification (cf. serverfault; -k notcp would limit this to TCP). The reason is checksum offloading: locally generated packets are captured before the NIC fills in the TCP/UDP checksum, so Snort sees them as corrupt and drops them from inspection. The option can be made permanent by adding it to PARAMS in /etc/default/snort. Be aware that with -k none Snort also inspects, and may alert on, packets with genuinely bad checksums that the receiving host will discard, which is a known IDS evasion technique; disabling TX checksum offloading on the capture interface with ethtool instead keeps verification on.

Rules

A common requirement for rules on a server is to inspect outgoing responses for suspicious content. Checking, for example, whether a served web page contains a certain string can be done as follows:

alert tcp any 80 -> any any (file_data; content:"Placeholder"; flow:to_client,established; msg:"Detected placeholderwebsite"; sid:1000002; rev:1; priority:2;)

For this rule to work, the http_inspect_server configuration in snort.conf (the server default block, with the usual continuation backslashes) has to contain at least the following options. file_data points the content match at the normalized HTTP response body, which only exists if responses are inspected at all (extended_response_inspection), compressed bodies are inflated (inspect_gzip) and the whole response rather than only its first bytes is handed to the rule engine (server_flow_depth 0):

extended_response_inspection \
inspect_gzip \
normalize_utf \
server_flow_depth 0 \
normalize_javascript

Snorby

Before installing snorby I need to make sure that certain software is installed.

Prerequisites

The base system is a fresh Ubuntu 14.04 Server installation. The Snorby website lists the following dependencies: git, ruby, ImageMagick and wkhtmltopdf. But installing them is not as easy as it sounds. The wkhtmltopdf package wants X, and I am on a headless server and do not want to install video drivers; why a headless application needs X at all is a mystery. Luckily there is a Ruby gem of wkhtmltopdf that does not need any X component (the Snorby documentation is really bad here), so sudo gem install wkhtmltopdf does the job (ignore the errors during installation). On Ubuntu we also have to install ruby-dev and make, and we need mysql-server. Rails and bundler come from RubyGems: sudo gem install bundler and sudo gem install rails.

Installing Snorby

Now we need to get the Snorby sources:

git clone https://github.com/Snorby/snorby

After changing into the directory with cd snorby we install the Ruby dependencies with bundle install.

Now we configure Snorby to read events from the database. Copy config/database.yml.example to config/database.yml and enter the MySQL credentials; Snorby has to point at the same database that Barnyard2 writes to (snort below), otherwise the interface stays empty. Then copy snorby_config.yml.example to snorby_config.yml and check that wkhtmltopdf and domain are correct in the production section. Some gems need native libraries to build (nokogiri needs libxml2-dev and libxslt-dev, the MySQL adapter needs libmysqlclient-dev, and both need g++), so install those packages before bundle install, or rerun it afterwards.

Now we should be able to run

bundle exec rake snorby:setup

to set up Snorby and then start it with

bundle exec rails server -e production

This starts the application on port 3000 without TLS and with nothing but its own login in front of it, so for anything beyond a test put it behind a reverse proxy and restrict who can reach the port.

Installing Barnyard2

To get the Snort output into our Snorby interface we use Barnyard2. Since there is no package for Ubuntu 14.04 in the official repositories, we have to build Barnyard2 from source:

git clone https://github.com/firnsy/barnyard2

To build Barnyard2 we need some development tools:

sudo apt-get install build-essential libtool autoconf libpcap-dev libmysqld-dev

After changing into the directory with cd barnyard2 we run ./autogen.sh, then configure it for MySQL with ./configure --with-mysql --with-mysql-libraries=/usr/lib/x86_64-linux-gnu/ (the extra library path is needed on Ubuntu for configure to find the MySQL client library), and run make. I only enable MySQL here, but other outputs are possible. Finally, install Barnyard2 with sudo make install.

After installing Barnyard2 it needs configuration. First I copy the example config file with sudo cp etc/barnyard2.conf /etc/ and then modify it to run as a daemon and write to the database. The interface has to be the one Snort captures on, and the defaults that stay untouched point at /etc/snort/ for the classification, reference and sid-msg.map files. Using the MySQL root account with a trivial password is only acceptable for a throwaway test; for anything else create a dedicated database user with rights on the snort database only, and since the file now holds that password, keep it readable by root alone.

config daemon
config hostname: localhost
config interface: eth0
output database: log, mysql, user=root password=root dbname=snort host=localhost
config logdir: /var/log/barnyard2/
config waldo_file: /var/log/barnyard2/barnyard2.waldo

Database Setup

We have to set up the database Barnyard2 writes to. In the MySQL client we create it with create database snort;, then fetch the Barnyard2 schema

wget https://raw.github.com/firnsy/barnyard2/master/schemas/create_mysql

and load it into the new database with mysql -u <user> -p snort < create_mysql.

Troubleshooting

I ran into the problem that snort had no sid-msg.map. Barnyard2 needs this file (config sid_file in barnyard2.conf) to attach rule messages to the events it stores. It can be generated with the create-sidmap.pl script from the oinkmaster package, run as root in /etc/snort:

# /usr/share/oinkmaster/create-sidmap.pl rules/ > sid-msg.map

I ran into some further problems and had to create the waldo file manually, i.e.

sudo touch /var/log/barnyard2/barnyard2.waldo
sudo chown snort:snort /var/log/barnyard2/barnyard2.waldo

This still throws a warning that the waldo file is corrupt, but Barnyard2 is at least running. I also got a lot of warnings of the form

WARNING: Can't extract timestamp extension from '..'using base ''

from old or corrupted snort log files, so I removed all logs from /var/log/snort/. Note that this warning is also shown when the snort log is empty!
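The sid-msg.map step above depends on oinkmaster being installed. As an added example (written for this page, not taken from the post or from Snort/Barnyard2), the following shell script produces the same file with awk and first applies the two checks a local rules file should pass before Snort is restarted: every SID unique, and none below 1000000, the range reserved for the official rule set. The rules and paths in its demo() are constructed for the example; on a real host the output would go to /etc/snort/sid-msg.map.

```shell
#!/bin/sh
# Added example, not part of the original post or of Snort/Barnyard2:
# build a v1 sid-msg.map ("sid || msg") from local rule files and refuse
# when SIDs collide or fall into the range reserved for official rules.
# Barnyard2 reads this file through "config sid_file" to put rule
# messages next to the unified2 events it stores for Snorby.

# gen_sidmap FILE...  -> one "sid || msg" line per active rule, sorted by sid.
gen_sidmap() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments and blank lines
        match($0, /sid:[ \t]*[0-9]+/) {
            sid = substr($0, RSTART, RLENGTH)
            sub(/sid:[ \t]*/, "", sid)
            msg = ""
            if (match($0, /msg:[ \t]*"[^"]*"/)) {   # msg text between the quotes
                msg = substr($0, RSTART, RLENGTH)
                sub(/^msg:[ \t]*"/, "", msg)
                sub(/"$/, "", msg)
            }
            print sid " || " msg
        }
    ' "$@" | sort -n
}

# check_sids FILE...  -> exit 0 only if every SID is unique and >= 1000000.
# SIDs below 1000000 belong to the official rule set, and a duplicate SID
# makes Snort refuse to start.
check_sids() {
    gen_sidmap "$@" | awk '
        $1 < 1000000    { print "reserved-range sid " $1; bad = 1 }
        seen[$1]++ == 1 { print "duplicate sid " $1;      bad = 1 }
        END             { exit bad }
    '
}

# Demo on a constructed rules file in a temp dir (assumed layout, removed afterwards).
demo() {
    dir=$(mktemp -d)
    printf '%s\n' \
        '# constructed sample rules for the demo' \
        'alert ip any any -> any any (msg:"Someone tried to access the server"; sid:1000001; rev:1; priority:2;)' \
        'alert tcp any 80 -> any any (file_data; content:"Placeholder"; flow:to_client,established; msg:"Detected placeholderwebsite"; sid:1000002; rev:1; priority:2;)' \
        > "$dir/test.rules"
    if check_sids "$dir/test.rules"; then
        gen_sidmap "$dir/test.rules" > "$dir/sid-msg.map"   # would be /etc/snort/sid-msg.map
        cat "$dir/sid-msg.map"
    fi
    rm -rf "$dir"
}
demo
```

Run it against the real rules directory with check_sids /etc/snort/rules/*.rules before restarting Snort; a non-zero exit names the offending SIDs.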

To start Barnyard2 now we use

sudo /usr/local/bin/barnyard2 -c /etc/barnyard2.conf -d /var/log/snort/ -f snort.out

where -c sets the config file, -d tells Barnyard2 in which folder to look for Snort's unified2 spool files and -f gives the base name of those files. Snort has to be writing unified2 output with the same base name into that folder (the files then appear as snort.out.<timestamp>), otherwise Barnyard2 runs but never sees an event.
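Most of the troubleshooting above comes down to Barnyard2 not finding what it expects in the spool directory. The following added example (written for this page, not part of the post or of Barnyard2) is a preflight check for that start command: it reads the unified2 base name out of snort.conf, compares it with the -f argument, checks the waldo directory, and flags files in the spool directory that do not follow the BASE.<timestamp> naming Barnyard2 uses to pick up spool files. The snort.conf line and the paths in demo() are constructed.

```shell
#!/bin/sh
# Added example, not part of the original post or of Barnyard2: sanity
# checks for "barnyard2 -c CONF -d SPOOL_DIR -f BASE" before starting it.
# The snort.conf content and the paths in demo() are constructed.

# unified2_base SNORT_CONF -> the filename from Snort's
# "output unified2: filename <name>, limit <n>" line, empty if absent.
unified2_base() {
    sed -n 's/^[[:space:]]*output unified2:[[:space:]]*filename[[:space:]]*\([^[:space:],]*\).*/\1/p' "$1" | head -n 1
}

# barnyard_preflight SNORT_CONF SPOOL_DIR BASE WALDO -> 0 if Barnyard2 can
# work with these arguments, 1 otherwise (every problem found is printed).
barnyard_preflight() {
    conf=$1 spool=$2 base=$3 waldo=$4
    rc=0
    have=$(unified2_base "$conf")
    if [ -z "$have" ]; then
        echo "$conf has no 'output unified2:' line; Barnyard2 will never see an event"
        rc=1
    elif [ "$have" != "$base" ]; then
        echo "Snort writes $have.<timestamp> but Barnyard2 is told -f $base"
        rc=1
    fi
    [ -d "$spool" ] || { echo "spool dir $spool does not exist"; rc=1; }
    # Barnyard2 keeps its read position in the waldo file, so its directory
    # has to exist and be writable for the user Barnyard2 runs as.
    wdir=$(dirname "$waldo")
    [ -d "$wdir" ] && [ -w "$wdir" ] || { echo "waldo dir $wdir missing or not writable"; rc=1; }
    # Barnyard2 selects spool files by the BASE.<digits> naming; anything
    # else in the directory (old alert files, stray logs) is flagged.
    for f in "$spool"/*; do
        [ -e "$f" ] || continue
        case "$(basename "$f")" in
            "$base".[0-9]*) ;;
            *) echo "unexpected file in spool dir: $f"; rc=1 ;;
        esac
    done
    return $rc
}

# Demo: the layout the post ends up with, rebuilt under a temp dir.
demo() {
    dir=$(mktemp -d)
    mkdir "$dir/snort" "$dir/barnyard2"
    printf '%s\n' 'output unified2: filename snort.out, limit 128' > "$dir/snort.conf"
    : > "$dir/snort/snort.out.1400000000"           # what Snort would have written
    barnyard_preflight "$dir/snort.conf" "$dir/snort" snort.out "$dir/barnyard2/barnyard2.waldo" \
        && echo "ok: barnyard2 -c $dir/snort.conf -d $dir/snort -f snort.out"
    : > "$dir/snort/alert"                          # leftover from an alert_fast run
    barnyard_preflight "$dir/snort.conf" "$dir/snort" snort.out "$dir/barnyard2/barnyard2.waldo" \
        || echo "fix the above before starting Barnyard2"
    rm -rf "$dir"
}
demo
```

On the real host the call is barnyard_preflight /etc/snort/snort.conf /var/log/snort snort.out /var/log/barnyard2/barnyard2.waldo, matching the start command above.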

Testing the setup

To test whether Snorby is actually working I install and start Apache. This is not strictly necessary, since my Snort rule from above alerts on everything, but you may want to do it anyway to exercise the content rule above against real HTTP traffic. The Snorby web interface is located at http://<server ip>:3000/. The default credentials are Username: snorby@snorby.org, Password: snorby; change them right after the first login.
