- Firewall - A device or application that analyzes packet headers and enforces policy based on protocol type, source address, destination address, source port, and/or destination port. Packets that do not match policy are rejected.
- Intrusion Detection System - A device or application that analyzes whole packets, both header and payload, looking for known events. When a known event is detected a log message is generated detailing the event.
- Intrusion Prevention System - A device or application that analyzes whole packets, both header and payload, looking for known events. When a known event is detected the packet is rejected.
So we're going to implement a Unix-based IDS. The requirements are as follows.
- A Unix-based server. Any Unix or Linux will do; the configuration is roughly the same on all of them, except for package installation and the package configuration directories. We're going to use FreeBSD for this demonstration.
- A Snort.org account (free for up to one sensor at the basic level) to get an Oinkcode, which is needed to fetch the Snort rules.
- Perform all operations as root; otherwise you will run into problems with the Snorby configuration.
Package Installation:
1- #pkg install snort
Output:
root@thenabx:~ # pkg install snort
Updating FreeBSD repository catalogue...
Fetching meta.txz: 100% 944 B 0.9kB/s 00:01
Fetching packagesite.txz: 100% 5 MiB 440.7kB/s 00:13
Processing entries: 100%
FreeBSD repository update completed. 25285 packages processed.
Updating database digests format: 100%
The following 30 package(s) will be affected (of 0 checked):
New packages to be INSTALLED:
snort: 2.9.8.3
pulledpork: 0.7.0_3
p5-Crypt-SSLeay: 0.72_2
p5-LWP-Protocol-https: 6.06_1
p5-Net-HTTP: 6.09
p5-URI: 1.71
p5-IO-Socket-SSL: 2.038
p5-Net-SSLeay: 1.78
p5-IO-Socket-IP: 0.37_1
p5-Socket: 2.021
p5-Mozilla-CA: 20160104
p5-libwww: 6.15
p5-HTTP-Negotiate: 6.01_1
p5-HTTP-Message: 6.11
p5-Encode-Locale: 1.05
p5-IO-HTML: 1.001_1
p5-HTTP-Date: 6.02_1
p5-LWP-MediaTypes: 6.02_1
p5-HTTP-Daemon: 6.01_1
p5-WWW-RobotRules: 6.02_1
p5-HTTP-Cookies: 6.01_1
p5-HTML-Parser: 3.72
p5-HTML-Tagset: 3.20_1
p5-Authen-NTLM: 1.09_1
p5-Digest-HMAC: 1.03_1
p5-File-Listing: 6.04_1
barnyard2: 1.13_1
libdnet: 1.12_1
daq: 2.0.6_1
libpcap: 1.8.0_1
Number of packages to be installed: 30
The process will require 13 MiB more space.
5 MiB to be downloaded.
Proceed with this action? [y/N]:
2- #pkg install mysql56-server
3- Now we need to rebuild the barnyard2 package. The binary package that comes in as a dependency of snort is built without the MySQL output plugin, so deinstall it, build it from ports with the MYSQL option ticked in the config menu, and then lock the package so a later pkg upgrade does not replace it with the binary build again.
# cd /usr/ports/security/barnyard2 && make deinstall
# make config    (enable the MYSQL option)
# make install clean
# pkg lock barnyard2
Configurations:
After Snort is installed, let's configure it. First let's remove all the per-file rule includes (PulledPork will merge everything into a single snort.rules later):
root@thenabx# sed -i '' '/^include \$RULE_PATH\/.*.rules$/d' /usr/local/etc/snort/snort.conf
Then edit /usr/local/etc/snort/snort.conf and make the following changes (- is the shipped line, + is the replacement):
- ipvar HOME_NET [YOU_NEED_TO_SET_HOME_NET_IN_snort.conf]
- ipvar EXTERNAL_NET any
+ ipvar HOME_NET [192.168.0.0/16,10.0.0.0/8]
+ ipvar EXTERNAL_NET !$HOME_NET
- var WHITE_LIST_PATH ../rules
- var BLACK_LIST_PATH ../rules
+ var WHITE_LIST_PATH rules
+ var BLACK_LIST_PATH rules
- # output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
+ output unified2: filename merged.log, limit 128, mpls_event_types, vlan_event_types
+ include $RULE_PATH/local.rules
+ include $RULE_PATH/snort.rules
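To make the snort.conf edits above repeatable, and to check them, here is an added example script that is not part of the original post. It applies the same changes to a copy of the file with portable grep/sed (the `sed -i ''` form used above is BSD-specific; GNU sed wants `sed -i` with no empty argument) and then verifies the result. It runs against a constructed excerpt standing in for a stock snort.conf so it can be tried anywhere; the HOME_NET value and the paths are the ones used in this walkthrough.

```shell
#!/bin/sh
# Added example, not from the original post: apply the snort.conf edits from
# the walkthrough to a copy of the file, portably, and verify them.
# Assumptions: stock Snort 2.9 snort.conf layout; HOME_NET and paths as used
# in this walkthrough.
set -eu

# configure_snort_conf SRC DST : write an edited copy of SRC to DST
configure_snort_conf() {
    src=$1; dst=$2
    # 1. drop every per-file 'include $RULE_PATH/...rules' line
    # 2. set HOME_NET / EXTERNAL_NET
    # 3. point the white/black list paths at the rules directory
    # 4. enable unified2 output, without nostamp (files get a timestamp suffix)
    grep -v '^include \$RULE_PATH/.*\.rules$' "$src" \
    | sed -e 's|^ipvar HOME_NET .*|ipvar HOME_NET [192.168.0.0/16,10.0.0.0/8]|' \
          -e 's|^ipvar EXTERNAL_NET .*|ipvar EXTERNAL_NET !$HOME_NET|' \
          -e 's|^var WHITE_LIST_PATH .*|var WHITE_LIST_PATH rules|' \
          -e 's|^var BLACK_LIST_PATH .*|var BLACK_LIST_PATH rules|' \
          -e 's|^# output unified2: filename merged.log, limit 128, nostamp, \(.*\)|output unified2: filename merged.log, limit 128, \1|' \
      > "$dst"
    # 5. re-add only the two rule files PulledPork maintains
    printf 'include $RULE_PATH/local.rules\ninclude $RULE_PATH/snort.rules\n' >> "$dst"
}

# check_snort_conf FILE : 0 if every expected setting is present exactly once
# and no stale per-file include survived, 1 otherwise
check_snort_conf() {
    f=$1
    for want in \
        'ipvar HOME_NET [192.168.0.0/16,10.0.0.0/8]' \
        'ipvar EXTERNAL_NET !$HOME_NET' \
        'var WHITE_LIST_PATH rules' \
        'var BLACK_LIST_PATH rules' \
        'output unified2: filename merged.log, limit 128, mpls_event_types, vlan_event_types' \
        'include $RULE_PATH/local.rules' \
        'include $RULE_PATH/snort.rules'
    do
        n=$(grep -cxF -- "$want" "$f") || true
        [ "$n" -eq 1 ] || { echo "missing or duplicated: $want" >&2; return 1; }
    done
    # exactly the two includes above, nothing else under $RULE_PATH
    [ "$(grep -c '^include \$RULE_PATH/' "$f")" -eq 2 ] || return 1
}

# sample_snort_conf DST : constructed excerpt standing in for the stock file
sample_snort_conf() {
    cat > "$1" <<'EOF'
# constructed excerpt standing in for a stock Snort 2.9 snort.conf
ipvar HOME_NET [YOU_NEED_TO_SET_HOME_NET_IN_snort.conf]
ipvar EXTERNAL_NET any
var WHITE_LIST_PATH ../rules
var BLACK_LIST_PATH ../rules
# output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
include $RULE_PATH/local.rules
include $RULE_PATH/app-detect.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/web-misc.rules
EOF
}

# run_demo : edit the constructed sample in a scratch directory and check it
run_demo() {
    tmp=${TMPDIR:-/tmp}/snortconf.$$
    mkdir -p "$tmp"
    sample_snort_conf "$tmp/snort.conf.orig"
    configure_snort_conf "$tmp/snort.conf.orig" "$tmp/snort.conf"
    if check_snort_conf "$tmp/snort.conf"; then rc=0; else rc=1; fi
    rm -rf "$tmp"
    return $rc
}

run_demo && echo "snort.conf edits verified on the constructed sample"
```

Against the real file, run `configure_snort_conf /usr/local/etc/snort/snort.conf /tmp/snort.conf.new`, diff it against the original, copy it into place, and then let Snort itself validate the result: `snort -T -c /usr/local/etc/snort/snort.conf -i em0` parses the configuration and exits without sniffing.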
That should be enough; now let's fetch the rules with PulledPork.
Configure PulledPork
First let’s copy the template into place:
root@thenabx#cp /usr/local/etc/pulledpork/pulledpork.conf.sample /usr/local/etc/pulledpork/pulledpork.conf
Then create the missing directories and files (we are root already, so no sudo is needed):
root@thenabx# mkdir -p /usr/local/etc/snort/so_rules /usr/local/etc/snort/rules/iplists
root@thenabx# touch /usr/local/etc/snort/rules/local.rules
root@thenabx# cp /usr/local/etc/snort/preproc_rules/sensitive-data.rules-sample /usr/local/etc/snort/preproc_rules/sensitive-data.rules
root@thenabx# touch /usr/local/etc/snort/rules/white_list.rules
root@thenabx# touch /usr/local/etc/snort/rules/black_list.rules
Then configure PulledPork like so (comments and blank lines stripped from the file; <oinkcode> stands for the code from your snort.org account):
root@thenabx#grep -Ev '^$|^#' /usr/local/etc/pulledpork/pulledpork.conf
rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<oinkcode>
rule_url=https://s3.amazonaws.com/snort-org/www/rules/community/|community-rules.tar.gz|Community
rule_url=http://labs.snort.org/feeds/ip-filter.blf|IPBLACKLIST|open
rule_url=https://www.snort.org/reg-rules/|opensource.gz|<oinkcode>
ignore=deleted.rules,experimental.rules,local.rules
temp_path=/tmp
rule_path=/usr/local/etc/snort/rules/snort.rules
local_rules=/usr/local/etc/snort/rules/local.rules
sid_msg=/usr/local/etc/snort/sid-msg.map
sid_msg_version=1
sid_changelog=/var/log/snort/sid_changes.log
sorule_path=/usr/local/etc/snort/so_rules/
snort_path=/usr/local/bin/snort
config_path=/usr/local/etc/snort/snort.conf
distro=FreeBSD-9-0
black_list=/usr/local/etc/snort/rules/iplists/default.blacklist
IPRVersion=/usr/local/etc/snort/rules/iplists
snort_control=/usr/local/bin/snort_control
version=0.7.2
If you get an error, cross-check this line: regenerate your Oinkcode at snort.org and paste it after the '.gz|' of each rule_url that needs one, like this (code masked):
rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|55f491f03xxxfd9b8791c02fbf2b5b3061b5c1xxx
Now pull and process the rules (-l logs to syslog):
root@thenabx# pulledpork.pl -c /usr/local/etc/pulledpork/pulledpork.conf -l
Then go ahead and run snort to test it out:
root@thenabx#snort -A console -q -c /usr/local/etc/snort/snort.conf -i em0
12/14-13:09:48.032632 [**] [119:31:1] (http_inspect) UNKNOWN METHOD [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 10.0.0.2:50051 -> 10.0.0.3:8000
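The console line above is Snort's text alert format: the `[gid:sid:rev]` triple, the message, classification, priority, protocol and the two endpoints. When testing with -A console it is handy to aggregate those lines, so here is an added example that is not part of the original post or of Snort: it parses the lines into tab-separated fields with awk, counts alerts per rule and filters by priority. It runs on a constructed sample made of the line above plus two made-up alerts; the ICMP one has no ports, which the parser has to handle, and its sid 1000001 and addresses are invented.

```shell
#!/bin/sh
# Added example, not from the original post: parse Snort '-A console' alert
# lines into TSV, count them per rule and filter by priority.
set -eu

# Constructed sample input: the line from the test run above plus two
# made-up alerts (sid 1000001 and the 203.0.113.7 address are invented).
SAMPLE_ALERTS='12/14-13:09:48.032632 [**] [119:31:1] (http_inspect) UNKNOWN METHOD [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 10.0.0.2:50051 -> 10.0.0.3:8000
12/14-13:10:02.118204 [**] [119:31:1] (http_inspect) UNKNOWN METHOD [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 10.0.0.2:50052 -> 10.0.0.3:8000
12/14-13:11:45.000317 [**] [1:1000001:1] LOCAL ping from outside [**] [Priority: 1] {ICMP} 203.0.113.7 -> 10.0.0.3'

# parse_alerts : stdin = console alert lines; stdout = one TSV row per alert:
#   gid sid rev priority proto src sport dst dport msg   ("-" where absent)
parse_alerts() {
    awk '
    /\[\*\*\] \[[0-9]+:[0-9]+:[0-9]+\]/ {
        # [gid:sid:rev] is the bracketed triple right after the opening [**]
        match($0, /\[[0-9]+:[0-9]+:[0-9]+\]/)
        split(substr($0, RSTART + 1, RLENGTH - 2), id, ":")
        # the message sits between the triple and the closing [**]
        msg = substr($0, RSTART + RLENGTH + 1)
        sub(/ \[\*\*\].*$/, "", msg)
        prio = "-"
        if (match($0, /\[Priority: [0-9]+\]/))
            prio = substr($0, RSTART + 11, RLENGTH - 12)
        # the tail is always: {PROTO} src[:port] -> dst[:port]
        n = split($0, w, " ")
        proto = w[n-3]; gsub(/[{}]/, "", proto)
        split(w[n-2], s, ":"); split(w[n], d, ":")
        printf "%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n",
            id[1], id[2], id[3], prio, proto,
            s[1], (s[2] == "" ? "-" : s[2]),
            d[1], (d[2] == "" ? "-" : d[2]), msg
    }'
}

# count_by_sid : TSV from parse_alerts on stdin -> "count<TAB>gid:sid<TAB>msg",
# most frequent first
count_by_sid() {
    awk -F'\t' '{ k = $1 ":" $2; c[k]++; m[k] = $10 }
                END { for (k in c) printf "%d\t%s\t%s\n", c[k], k, m[k] }' \
    | sort -rn
}

# high_priority MAX : keep TSV rows whose priority is <= MAX (1 is most severe)
high_priority() {
    awk -F'\t' -v max="$1" '$4 != "-" && $4 + 0 <= max + 0'
}

# demo : summarise the constructed sample
demo() {
    echo "alerts per rule:"
    printf '%s\n' "$SAMPLE_ALERTS" | parse_alerts | count_by_sid
    echo "priority 1 alerts:"
    printf '%s\n' "$SAMPLE_ALERTS" | parse_alerts | high_priority 1
}

demo
```

For a live run, replace the sample with `snort -A console -q -c /usr/local/etc/snort/snort.conf -i em0 | parse_alerts`; the TSV output pipes straight into `count_by_sid` or `high_priority` to see what is actually firing before the rules go into production.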
At this point we can enable the services by adding the following to /etc/rc.conf:
snort_enable="YES"
snort_interface="em0"
and then starting the service:
root@thenabx# service snort start
Starting snort.
Spawning daemon child...
My daemon child 50740 lives...
Daemon parent exiting (0)
root@thenabx#ps auwx | grep snort
root 50740 0.0 10.1 557360 210080 - Ss 1:20PM 0:00.02 /usr/local/bin/snort -D -q -i em0 -c /usr/local/etc/snort/snort
And at this point you should see a merged.log under /var/log/snort (it carries a timestamp suffix because we removed nostamp from the unified2 output line):
root@thenabx# ls -l /var/log/snort/merged.log*
-rw------- 1 root wheel 181 Dec 14 13:23 /var/log/snort/merged.log.1418767402
We can set up a cron job to pull the rules nightly:
root@thenabx# crontab -l
# get snort rules
0 6 * * * /usr/local/bin/pulledpork.pl -c /usr/local/etc/pulledpork/pulledpork.conf -l > /dev/null
Setting up the MySQL DB
We already have the MySQL server installed:
root@thenabx:~ # pkg info |grep mysql
mysql56-client-5.6.33 Multithreaded SQL database (client)
mysql56-server-5.6.33 Multithreaded SQL database (server)
php56-mysql-5.6.26 The mysql shared extension for php
php56-mysqli-5.6.26 The mysqli shared extension for php
Make sure the service is enabled:
root@thenabx:~# grep mysql /etc/rc.conf
mysql_enable="YES"
Then go ahead and start the service:
root@thenabx:~# service mysql-server start
Starting mysql.
If this is a brand-new installation, run mysql_secure_installation to set the root password and lock down the defaults. Then log in as root and create the snorby database and user:
root@thenabx:~$mysql -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 13
Server version: 5.6.22 Source distribution
Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> create database snorby;
Query OK, 1 row affected (0.00 sec)
mysql> grant ALL on snorby.* to snorby@localhost identified by 'snorby';
Query OK, 0 rows affected (0.00 sec)
mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)
mysql> exit
Bye
That should be it. Note that the password you set in the GRANT has to be repeated in barnyard2.conf and in Snorby's database.yml below; 'snorby' is only a placeholder, so pick a strong one.
Configure Barnyard2
Since we already rebuilt barnyard2 with MySQL support, we can go straight to its configuration. Edit /usr/local/etc/barnyard2.conf and make the following changes:
- # config hostname: thor
- # config interface: eth0
+ config hostname: thenabx
+ config interface: em0
- #config daemon
+ config daemon
- #config waldo_file: /tmp/waldo
+ config waldo_file: /var/log/snort/barnyard2.waldo
+ output database: log, mysql, user=snorby password=snorby dbname=snorby host=localhost
em0 is your Ethernet interface name and thenabx is your server's hostname; the output database line uses the user and password created in MySQL above.
Then enable the service to start on boot:
root@thenabx:~#grep barn /etc/rc.conf
barnyard2_enable="YES"
barnyard2_flags="-f merged.log -d /var/log/snort -a /var/log/snort/archive -D"
Before starting the service, create the missing archive directory and waldo file:
root@thenabx:~# mkdir /var/log/snort/archive
root@thenabx:~# touch /var/log/snort/barnyard2.waldo
Then start the service:
root@thenabx:~# service barnyard2 start
After some time you should see the event table in the snorby database being populated:
mysql> select * from event;
+-----+-----+-----------+-------------------+-------------+---------+-------------+------+------------------+---------------------+----+
| sid | cid | signature | classification_id | users_count | user_id | notes_count | type | number_of_events | timestamp | id |
+-----+-----+-----------+-------------------+-------------+---------+-------------+------+------------------+---------------------+----+
| 1 | 4 | 129 | NULL | 0 | NULL | 0 | 1 | 0 | 2014-12-16 15:14:04 | 1 |
| 1 | 5 | 129 | NULL | 0 | NULL | 0 | 1 | 0 | 2014-12-16 15:14:04 | 2 |
| 1 | 6 | 129 | NULL | 0 | NULL | 0 | 1 | 0 | 2014-12-16 15:14:04 | 3 |
| 1 | 7 | 129 | NULL | 0 | NULL | 0 | 1 | 0 | 2014-12-16 15:17:50 | 4 |
| 1 | 8 | 129 | NULL | 0 | NULL | 0 | 1 | 0 | 2014-12-16 15:17:50 | 5 |
| 1 | 9 | 129 | NULL | 0 | NULL | 0 | 1 | 0 | 2014-12-16 15:23:34 | 6 |
| 1 | 10 | 129 | NULL | 0 | NULL | 0 | 1 | 0 | 2014-12-16 15:23:34 | 7 |
| 1 | 11 | 129 | NULL | 0 | NULL | 0 | 1 | 0 | 2014-12-16 15:23:34 | 8 |
| 1 | 12 | 129 | NULL | 0 | NULL | 0 | 1 | 0 | 2014-12-16 15:27:51 | 9 |
| 1 | 13 | 152 | NULL | 0 | NULL | 0 | 1 | 0 | 2014-12-16 15:27:51 | 10 |
Lastly, if you want snort's and barnyard2's syslog messages in a file of their own (so they don't clutter /var/log/messages), add the following program blocks at the top of /etc/syslog.conf (only the beginning of the file is shown):
root@thenabx:~# cat /etc/syslog.conf
# $FreeBSD: release/10.0.0/etc/syslog.conf 252481 2013-07-01 21:20:17Z asomers $
#
# Spaces ARE valid field separators in this file. However,
# other *nix-like systems still insist on using tabs as field
# separators. If you are sharing this file between systems, you
# may want to use only tabs as field separators here.
# Consult the syslog.conf(5) manpage.
!snort,barnyard2
*.* /var/log/snort/snort.log
!-snort,barnyard2
And then restart the syslogd service:
root@thenabx:~# service syslogd restart
Then add the following to /etc/newsyslog.conf to rotate the log (mode 644, keep 3 rotations, rotate at 100 KB, J = bzip2-compress, C = create the file if it is missing):
root@thenabx:~#grep snort /etc/newsyslog.conf
/var/log/snort/snort.log 644 3 100 * JC
We can also add the following cron job to clean up the old archived merged.log files under /var/log/snort/archive (barnyard2 moves processed spool files there), so they don't keep piling up:
root@thenabx:~# crontab -l
# clean up snort files
0 5 * * * /usr/bin/find /var/log/snort/archive -mtime +7 -type f -delete
Installing and Configuring Snorby
Snorby is a Rails application, and I wanted to see how the Passenger module for Apache would work out, so that is how we'll serve it. The rest of this walkthrough uses Ruby 2.2, so install that version:
root@thenabx:~# pkg install ruby22
Now let’s get the root-ssl-CA certs so that the gem install command can use ssl to download the necessary packages:
root@thenabx:~# pkg install ca_root_nss
root@thenabx:~# ln -s /usr/local/share/certs/ca-root-nss.crt /etc/ssl/cert.pem
Now let's install the bundler gem (gem22 is the gem command that belongs to the ruby22 package):
root@thenabx:~# gem22 install rdoc bundler
Now let's get the Passenger gem:
root@thenabx:~# gem22 install passenger
Now before we install the apache module let’s install apache first:
root@thenabx:~# pkg install apache24
After we can install the apache module:
root@thenabx:~# /usr/local/bin/passenger-install-apache2-module -a
For a quick test, create the following configuration file to load the Passenger module and serve Snorby on port 3000:
root@thenabx:~#cat /usr/local/etc/apache24/Includes/passenger.conf
LoadModule passenger_module /usr/local/lib/ruby/gems/2.2/gems/passenger-5.0.30/buildout/apache2/mod_passenger.so
<IfModule mod_passenger.c>
PassengerRoot /usr/local/lib/ruby/gems/2.2/gems/passenger-5.0.30/
PassengerDefaultRuby /usr/local/bin/ruby22
</IfModule>
Listen 3000
<VirtualHost *:3000>
DocumentRoot "/snorby/snorby/public/"
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /snorby/snorby/public/>
#Options Indexes FollowSymLinks MultiViews
Options -MultiViews
AllowOverride all
Require all granted
#Order allow,deny
#allow from all
</Directory>
ErrorLog /var/log/snort/snorby_error.log
CustomLog /var/log/snort/snorby_access.log combined
</VirtualHost>
The DocumentRoot and Directory paths must point at the public/ directory of the Snorby checkout; we clone it under /snorby below, so adjust them if you put it somewhere else. Then make sure apache is enabled:
root@thenabx:~#grep apache /etc/rc.conf
apache24_enable="YES"
And now let’s make sure the configuration for apache is okay:
root@thenabx:~# apachectl -t
Syntax OK
Now let's get the source (clone over https, not plain http, so the checkout comes from GitHub over an authenticated channel):
root@thenabx:~# mkdir /snorby
root@thenabx:~# cd /snorby
root@thenabx:~# pkg install git
root@thenabx:~# git clone https://github.com/Snorby/snorby.git
Cloning into 'snorby'...
remote: Counting objects: 10589, done.
remote: Total 10589 (delta 0), reused 0 (delta 0)
Receiving objects: 100% (10589/10589), 10.08 MiB | 432.00 KiB/s, done.
Resolving deltas: 100% (4847/4847), done.
Checking connectivity... done.
Now let's get the remaining prerequisite, wkhtmltopdf (Snorby uses it for PDF reports):
root@thenabx:~# pkg install wkhtmltopdf
Let’s configure the MySQL connection settings:
root@thenabx:~#cp snorby/config/database.yml.example snorby/config/database.yml
Now edit snorby/config/database.yml so the connection block looks like this (the password is the one you set in the GRANT above; indentation matters in YAML):
snorby: &snorby
  adapter: mysql
  username: snorby
  password: "snorby"
  host: localhost
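The database password now has to agree in three places: the GRANT in MySQL, the `output database:` line in barnyard2.conf, and this database.yml. The walkthrough uses the literal 'snorby' in all three, which is a placeholder, not a password. The script below is an added example, not part of the original post or of Snorby: it draws one random password, writes all three fragments into a scratch directory with owner-only permissions (each file holds the secret), and checks that they agree. It assumes the database and user are both named snorby on localhost; the environment sections of the YAML follow the shape of Snorby's database.yml.example and are an assumption here.

```shell
#!/bin/sh
# Added example, not from the original post: generate one strong Snorby DB
# password and write the three fragments that must carry it, then verify them.
# Assumptions: DB and user both named 'snorby', MySQL on localhost; the YAML
# environment sections mirror the shape of Snorby's database.yml.example.
set -eu

# random_password : 32 hex characters (128 bits) from the kernel RNG.
# Hex only, so the value needs no quoting in SQL, barnyard2.conf or YAML.
random_password() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# write_snorby_credentials OUTDIR PASSWORD : emit the three fragments, mode 0600
write_snorby_credentials() {
    out=$1; pw=$2
    mkdir -p "$out"
    old_umask=$(umask)
    umask 077    # the files hold the password: owner read/write only

    # 1. MySQL: feed with  mysql -u root -p < snorby.sql
    cat > "$out/snorby.sql" <<EOF
CREATE DATABASE IF NOT EXISTS snorby;
GRANT ALL ON snorby.* TO 'snorby'@'localhost' IDENTIFIED BY '$pw';
FLUSH PRIVILEGES;
EOF

    # 2. barnyard2.conf: the output line to add to /usr/local/etc/barnyard2.conf
    printf 'output database: log, mysql, user=snorby password=%s dbname=snorby host=localhost\n' "$pw" \
        > "$out/barnyard2-output.conf"

    # 3. Snorby config/database.yml (environment sections are an assumption)
    cat > "$out/database.yml" <<EOF
snorby: &snorby
  adapter: mysql
  username: snorby
  password: "$pw"
  host: localhost

development:
  database: snorby
  <<: *snorby

test:
  database: snorby
  <<: *snorby

production:
  database: snorby
  <<: *snorby
EOF
    umask "$old_umask"
}

# check_consistent OUTDIR : 0 if all three files carry the same non-empty
# password and none is readable by group or others, 1 otherwise
check_consistent() {
    out=$1
    a=$(sed -n "s/.*IDENTIFIED BY '\([^']*\)'.*/\1/p" "$out/snorby.sql")
    b=$(sed -n 's/.*password=\([^ ]*\).*/\1/p' "$out/barnyard2-output.conf")
    c=$(sed -n 's/^  password: "\(.*\)"$/\1/p' "$out/database.yml")
    [ -n "$a" ] && [ "$a" = "$b" ] && [ "$a" = "$c" ] || return 1
    for f in snorby.sql barnyard2-output.conf database.yml; do
        # ls -l columns 5-10 are the group/other permission bits
        case $(ls -l "$out/$f" | cut -c5-10) in ------) ;; *) return 1 ;; esac
    done
}

# Dry run into a scratch directory; copy each fragment into place afterwards.
demo_dir=$(mktemp -d "${TMPDIR:-/tmp}/snorby-creds.XXXXXX")
write_snorby_credentials "$demo_dir" "$(random_password)"
check_consistent "$demo_dir" && echo "fragments written to $demo_dir"
```

Keeping the password to hex is deliberate: the same secret is parsed by three different config readers (the MySQL client, barnyard2 and Ruby's YAML loader), and a character that is harmless in one of them can break quoting in another.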
Now let’s configure the production configuration of snorby:
root@thenabx:~#cp snorby/config/snorby_config.yml.example snorby/config/snorby_config.yml
Then modify /snorby/snorby/config/snorby_config.yml so it contains the following (indentation matters in YAML):
development:
  domain: localhost:3000
  wkhtmltopdf: /usr/local/bin/wkhtmltopdf
  mailer_sender: 'snorby@snorby.org'
  rules:
    - ""
test:
  domain: localhost:3000
  wkhtmltopdf: /usr/local/bin/wkhtmltopdf
  mailer_sender: 'snorby@snorby.org'
# Change the production configuration
# for your environment.
production:
  domain: 'localhost:3000'
  wkhtmltopdf: /usr/local/bin/wkhtmltopdf
  mailer_sender: 'snorby@snorby.org'
  rules:
    - ""
Now let's set up the Snorby install from the checkout directory:
root@thenabx:~# cd /snorby/snorby
root@thenabx:/snorby/snorby # bundle pack
root@thenabx:/snorby/snorby # bundle install --path vendor/cache
Then run the Snorby setup task for the Rails app:
root@thenabx:~# bundle exec rake snorby:setup
Jammit Warning: Asset compression disabled -- Java unavailable.
[~] Adding `index_timestamp_cid_sid` index to the event table
[~] Adding `index_caches_ran_at` index to the caches table
[~] Adding `id` to the event table
[~] Building `aggregated_events` database view
[~] Building `events_with_join` database view
* Removing old jobs
* Starting the Snorby worker process.
* Adding jobs to the queue
If you get an error here, it is usually one of two things: a mistake in snorby_config.yml (cross-check that file), or the Ruby version, which must be 2.2 for the Rails version Snorby uses.
Now, for a quick test with Snorby's built-in server, launch the app and you will see the following. Note that -b 0.0.0.0 binds it on every interface, and it uses the same port 3000 as the Passenger vhost above, so apache must not be running yet (or pick another port); for day-to-day use go through Passenger instead:
root@thenabx:/snorby/snorby # bundle exec rails server -e production -b 0.0.0.0
Jammit Warning: Asset compression disabled -- Java unavailable.
No time_zone specified in snorby_config.yml; detected time_zone: Asia/Riyadh
=> Booting Thin
=> Rails 3.2.22 application starting in production on http://0.0.0.0:3000
=> Call with -d to detach
=> Ctrl-C to shutdown server
/usr/home/snort/snorby/vendor/cache/ruby/2.2/gems/actionpack-3.2.22/lib/action_dispatch/http/mime_type.rb:102: warning: already initialized constant Mime::PDF
/usr/home/snort/snorby/vendor/cache/ruby/2.2/gems/actionpack-3.2.22/lib/action_dispatch/http/mime_type.rb:102: warning: previous definition of PDF was here
Thin web server (v1.7.0 codename Dunder Mifflin)
Maximum connections set to 1024
Listening on 0.0.0.0:3000, CTRL+C to stop
Log in with the default account, snorby@example.com / snorby, and change that password right away.
That's it. Let me know in the comments section below if you run into any problems.