installing_and_configuring_snorby_on_centos7_en [2017/09/05 12:18] (current)

====== Installing and Configuring Snorby on CentOS 7 ======

Snorby is a Ruby on Rails web application for network security monitoring that interfaces with the current popular intrusion detection systems (Snort, Suricata and Sagan). The basic concepts behind Snorby are simplicity, organization and power. The project's goal is to create a free, open-source and highly competitive network monitoring application for both private and enterprise use.

Set up your system with the following script to ensure that nothing is missing: http://wiki.douglasqsantos.com.br/doku.php/confinicialcentos7_en

  * Snorby will use the following IP address: 192.168.1.251

Let's install the development tools:

<sxh bash>
yum groupinstall "Development Tools" -y
</sxh>

Let's install the dependencies for Snorby:

<sxh bash>
yum install openssl-devel readline-devel libxml2-devel libxslt-devel mariadb mariadb-devel mariadb-server urw-fonts libX11-devel libXext-devel git \
fontconfig-devel libXrender-devel unzip wget xorg-x11-server-Xvfb libyaml libyaml-devel gdbm-devel db4-devel libffi-devel ethtool httpd httpd-devel \
ImageMagick ImageMagick-devel curl libcurl libcurl-devel libmnl-devel gcc zlib-devel jansson-devel libnet-devel libnetfilter_queue-devel java-1.8.0-openjdk -y
</sxh>

Now we need to compile Ruby. Let's get the tarball:

<sxh bash>
cd /usr/src && wget -c http://wiki.douglasqsantos.com.br/Downloads/ips/ruby-1.9.3-p551.tar.xz
</sxh>

Now we need to decompress the file:

<sxh bash>
tar -xvf ruby-1.9.3-p551.tar.xz && cd /usr/src/ruby-1.9.3-p551
</sxh>

Now we need to configure the package:

<sxh bash>
./configure --prefix=/usr
</sxh>

Now we need to compile and install the package:

<sxh bash>
make && make install
</sxh>

Now let's check the Ruby version:

<sxh bash>
ruby -v
ruby 1.9.3p551 (2014-11-13 revision 48407) [x86_64-linux]
</sxh>

Let's enable httpd:

<sxh bash>
systemctl enable httpd
</sxh>

Let's enable MariaDB:

<sxh bash>
systemctl enable mariadb
</sxh>

We need to get another dependency (wkhtmltox, which provides the wkhtmltopdf binary referenced later in snorby_config.yml) and install it manually with the following commands:

<sxh bash>
cd /usr/src
wget -c http://wiki.douglasqsantos.com.br/Downloads/ips/wkhtmltox-0.12.2_linux-centos7-amd64.rpm
yum install wkhtmltox-0.12.2_linux-centos7-amd64.rpm -y
</sxh>

Now we need to install Rails and Rake:

<sxh bash>
gem install bundler rails
gem install rake --version=0.9.2
</sxh>

Now we need to get the Snorby sources with the following command:

<sxh bash>
cd /var/www/html && wget -c http://wiki.douglasqsantos.com.br/Downloads/ips/snorby.tar.gz
</sxh>

We need to decompress Snorby:

<sxh bash>
tar -xvf snorby.tar.gz
</sxh>

Now we need to copy the example configuration files:

<sxh bash>
cd /var/www/html/snorby/config/
cp database.yml.example database.yml
cp snorby_config.yml.example snorby_config.yml
</sxh>

Now we need to configure the Snorby main file as follows:

<sxh yaml>
vim /var/www/html/snorby/config/snorby_config.yml
# /var/www/html/snorby/config/snorby_config.yml
production:
  baseuri: ''
  domain: 'snorby.douglasqsantos.com.br'
  wkhtmltopdf: /usr/local/bin/wkhtmltopdf
  ssl: false
  mailer_sender: 'douglas.q.santos@gmail.com'
  geoip_uri: "http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz"
  rules:
    - ""
  authentication_mode: database
  timezone_search: true
  time_zone: 'America/Sao_Paulo'
</sxh>

Now we need to enable remote access to MariaDB, because Suricata or Snort (through Barnyard2 on the sensor) will need to write to this database:

<sxh bash>
vim /etc/my.cnf
[mysqld]
[...]
bind-address            = 0.0.0.0
</sxh>

Now we need to start the MariaDB service:

<sxh bash>
systemctl start mariadb
</sxh>

Now we need to set the MariaDB root password like this:

<sxh bash>
mysqladmin -u root password 'password'
</sxh>

Now we need to create the database for Snorby:

<sxh sql>
mysql -u root -p
CREATE DATABASE snorby;
GRANT ALL PRIVILEGES ON snorby.* TO snorby@'%' IDENTIFIED BY 'senha';
GRANT ALL PRIVILEGES ON snorby.* TO snorby@'localhost' IDENTIFIED BY 'senha';
FLUSH PRIVILEGES;
exit
</sxh>
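The MariaDB change above binds the server to every interface and the first GRANT admits the snorby user from any host (`'%'`), so the Snorby database password is usable from anywhere that can reach port 3306. The following shell script is an added example, not part of the original page: it reads a my.cnf-style file and reports how MariaDB is bound, counts any-host grants in an SQL file, and prints equivalent GRANT statements scoped to a single sensor address. The sensor address (192.0.2.10 in the demo) is a placeholder; the page only names the Snorby host 192.168.1.251.

```shell
#!/bin/sh
# Added example, not from the original page: report how MariaDB is bound and
# print GRANTs scoped to one sensor host instead of the '%' wildcard.

# Print the bind scope found in a my.cnf-style file:
#   wildcard  bind-address is 0.0.0.0, :: or * (every interface)
#   local     bound to a loopback address only
#   specific  bound to one particular address
#   unset     no bind-address line; MariaDB then listens on all interfaces
mariadb_bind_scope() {
    addr=$(sed -n 's/^[[:space:]]*bind[-_]address[[:space:]]*=[[:space:]]*//p' "$1" \
           | tail -n 1 | tr -d '[:space:]')
    case "$addr" in
        '')                      echo unset ;;
        0.0.0.0|::|'*')          echo wildcard ;;
        127.0.0.1|::1|localhost) echo local ;;
        *)                       echo specific ;;
    esac
}

# Count GRANT statements in an SQL file that use the any-host wildcard '%'.
wildcard_grants() {
    grep -ci "GRANT.*@'%'" "$1" || true
}

# Print GRANTs that admit the snorby user from one sensor address and from
# localhost (for the web UI), plus FLUSH PRIVILEGES. Args: sensor address, password.
snorby_grant_sql() {
    printf "GRANT ALL PRIVILEGES ON snorby.* TO 'snorby'@'%s' IDENTIFIED BY '%s';\n" "$1" "$2"
    printf "GRANT ALL PRIVILEGES ON snorby.* TO 'snorby'@'localhost' IDENTIFIED BY '%s';\n" "$2"
    printf 'FLUSH PRIVILEGES;\n'
}

# Demo on constructed input (not a real /etc/my.cnf): the setting used above.
demo_cnf=$(mktemp)
printf '[mysqld]\ndatadir=/var/lib/mysql\nbind-address            = 0.0.0.0\n' > "$demo_cnf"
echo "bind scope: $(mariadb_bind_scope "$demo_cnf")"                      # wildcard
snorby_grant_sql 192.0.2.10 'senha' > "$demo_cnf.sql"                      # 192.0.2.10: placeholder sensor
echo "any-host grants in generated SQL: $(wildcard_grants "$demo_cnf.sql")" # 0
cat "$demo_cnf.sql"
rm -f "$demo_cnf" "$demo_cnf.sql"
```

The script only reports on files and prints SQL; it does not touch the running server. If the sensor is the only remote client, pair the narrowed grant with a host firewall rule that admits only the sensor on 3306/tcp, and keep the `'localhost'` grant for the web application.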

Now we need to configure the database connection file:

<sxh yaml>
vim /var/www/html/snorby/config/database.yml
# /var/www/html/snorby/config/database.yml
snorby: &snorby
  adapter: mysql
  username: snorby
  password: "senha"
  host: localhost

production:
  database: snorby
  <<: *snorby
</sxh>

Now we need to deploy Snorby like this:

<sxh bash>
cd /var/www/html/snorby/
bundle install
bundle exec rake snorby:setup RAILS_ENV=production
</sxh>

Let's install the Passenger Ruby gem:

<sxh bash>
gem install passenger
</sxh>

Now let's install the Passenger module for Apache:

<sxh bash>
passenger-install-apache2-module -a
</sxh>

Now we need to create the module configuration for Apache. The installer prints the exact path of mod_passenger.so; the one below is for Passenger 5.0.6 on this Ruby:

<sxh bash>
vim /etc/httpd/conf.modules.d/passenger.conf
LoadModule passenger_module /usr/lib/ruby/gems/1.9.1/gems/passenger-5.0.6/buildout/apache2/mod_passenger.so
</sxh>

Now we need to create the configuration file for the Passenger module:

<sxh apache>
vim /etc/httpd/conf.d/passenger.conf
<IfModule mod_passenger.c>
    PassengerRoot /usr/lib/ruby/gems/1.9.1/gems/passenger-5.0.6
    PassengerDefaultRuby /usr/bin/ruby
</IfModule>
</sxh>

Now we need to create the virtual host that Snorby will use:

<sxh apache>
vim /etc/httpd/conf.d/snorby.conf
<VirtualHost *:80>
    ServerName snorby.douglasqsantos.com.br
    DocumentRoot /var/www/html/snorby/public
    RailsEnv production
    <Directory /var/www/html/snorby/public>
        AllowOverride all
        Options -MultiViews
    </Directory>
    ServerSignature Off
    LogLevel info
    CustomLog /var/log/httpd/snorby.douglasqsantos.com.br-access.log combined
    ErrorLog /var/log/httpd/snorby.douglasqsantos.com.br-error.log
</VirtualHost>
</sxh>
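The virtual host above serves Snorby over plain HTTP on port 80 and snorby_config.yml sets `ssl: false`, so the login credentials (including the default snorby@snorby.org account used below) and the session cookie travel in clear text between the browser and the server. The shell function below is an added example, not from the page or the Snorby project: it lints an httpd vhost file for the settings that matter here, namely a port-80 vhost with neither TLS nor a redirect to https, a missing `ServerSignature Off`, and a missing explicit `RailsEnv production`. The demo feeds it a copy of the page's own vhost, constructed inline, and then the same vhost with a redirect added.

```shell
#!/bin/sh
# Added example, not from the page or the Snorby project: lint an httpd vhost
# file for the transport and information-disclosure settings relevant to Snorby.

# Print one finding per line; return the number of findings (0 = clean).
audit_snorby_vhost() {
    conf="$1"
    findings=0
    # A vhost on *:80 with neither TLS nor a redirect to https sends the Snorby
    # login form and session cookie in clear text.
    if grep -qiE '<VirtualHost[^>]*:80>' "$conf" \
       && ! grep -qiE '^[[:space:]]*(SSLEngine[[:space:]]+on|Redirect(Permanent|Match)?[[:space:]]|RewriteRule[[:space:]].*https://)' "$conf"; then
        echo "plain-http: port 80 vhost without TLS or a redirect to https"
        findings=$((findings + 1))
    fi
    # ServerSignature Off keeps the httpd version out of server-generated pages.
    if ! grep -qiE '^[[:space:]]*ServerSignature[[:space:]]+Off' "$conf"; then
        echo "server-signature: ServerSignature Off is missing"
        findings=$((findings + 1))
    fi
    # An explicit RailsEnv production avoids running the app in development
    # mode, which renders debug pages with stack traces to the browser.
    if ! grep -qiE '^[[:space:]]*RailsEnv[[:space:]]+production' "$conf"; then
        echo "rails-env: RailsEnv production is missing"
        findings=$((findings + 1))
    fi
    return $findings
}

# Demo 1: the vhost from this page, constructed inline.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
<VirtualHost *:80>
    ServerName snorby.douglasqsantos.com.br
    DocumentRoot /var/www/html/snorby/public
    RailsEnv production
    ServerSignature Off
</VirtualHost>
EOF
audit_snorby_vhost "$demo_conf" || echo "findings: $?"        # 1 finding: plain-http

# Demo 2: the same vhost redirecting to https (the TLS vhost itself would be
# a separate *:443 block with SSLEngine on).
cat > "$demo_conf" <<'EOF'
<VirtualHost *:80>
    ServerName snorby.douglasqsantos.com.br
    Redirect permanent / https://snorby.douglasqsantos.com.br/
    RailsEnv production
    ServerSignature Off
</VirtualHost>
EOF
audit_snorby_vhost "$demo_conf" && echo "clean"               # 0 findings
rm -f "$demo_conf"
```

Run it against /etc/httpd/conf.d/snorby.conf after each edit; a non-zero exit status is the number of findings, so it fits a deployment check. Adding a redirect also means setting `ssl: true` in snorby_config.yml so Snorby generates https links.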

Now we need to set the ownership of the Snorby directory so that Apache (Passenger) can read and write it:

<sxh bash>
chown -R apache:apache /var/www/html/snorby
</sxh>

Now we can restart the Apache server:

<sxh bash>
systemctl restart httpd
</sxh>

Now we can check the log files as follows:

<sxh bash>
tail -f /var/log/httpd/snorby.douglasqsantos.com.br-*
</sxh>

Now we need to create a systemd service to start and stop the Snorby background worker (Snorby::Worker). The worker needs the database, so the unit is ordered after MariaDB:

<sxh bash>
vim /usr/lib/systemd/system/snorby.service
[Unit]
Description=Snorby ConfiServ
After=network.target mariadb.service

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/etc/snorby/snorby-start
ExecStop=/etc/snorby/snorby-stop

[Install]
WantedBy=multi-user.target
</sxh>

Now we need to enable the new service like this:

<sxh bash>
systemctl enable snorby
</sxh>

Now we need to create the directory that will store the script files:

<sxh bash>
mkdir /etc/snorby
</sxh>

Now we need to create the start script:

<sxh bash>
vim /etc/snorby/snorby-start
#!/bin/bash
# Start the Snorby background worker in the production environment.
# "&&" makes sure rails is not run from the wrong directory if the cd fails.
cd /var/www/html/snorby && RAILS_ENV=production /usr/bin/rails runner 'Snorby::Worker.start'
</sxh>

Now we need to create the stop script:

<sxh bash>
vim /etc/snorby/snorby-stop
#!/bin/bash
# Stop the Snorby background worker.
cd /var/www/html/snorby && RAILS_ENV=production /usr/bin/rails runner 'Snorby::Worker.stop'
</sxh>

Now we need to make the scripts executable:

<sxh bash>
chmod +x /etc/snorby/snorby-*
</sxh>

Now we need to start Snorby:

<sxh bash>
systemctl start snorby
</sxh>

Now we can access Snorby at [[http://192.168.1.251|http://192.168.1.251]] with user snorby@snorby.org and password snorby.

We will get something like this:

{{:snorby-01.png?600}}

After we configure Barnyard2 to populate the Snorby database, we will start to get information like the screenshot below:

{{:snorby-02.png?600}}

We will be able to see the information like this as well:

{{:snorby-03.png?600}}

====== Email Configuration ======

If you need to enable email alerts, configure the following file:

<sxh ruby>
vim /var/www/html/snorby/config/initializers/mail_config.rb
# Snorby Mail Configuration

# #
# Gmail Example:
#
ActionMailer::Base.delivery_method = :smtp
ActionMailer::Base.smtp_settings = {
  :address              => "mail.douglasqsantos.com.br",
  :port                 => 587,
  :domain               => "douglasqsantos.com.br",
  :user_name            => "snorby-monitor@douglasqsantos.com.br",
  :password             => "pzv3d7JERDPsW4d",
  :authentication       => "plain",
  :enable_starttls_auto => true
}

# #
# Sendmail Example:
#
# ActionMailer::Base.delivery_method = :sendmail
# ActionMailer::Base.sendmail_settings = {
#   :location => '/usr/sbin/sendmail',
#   :arguments => '-i -t'
# }

ActionMailer::Base.perform_deliveries = true
ActionMailer::Base.raise_delivery_errors = true

# Mail.register_interceptor(DevelopmentMailInterceptor) if Rails.env.development?

</sxh>
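Both database.yml (from the deployment steps above) and mail_config.rb hold plaintext passwords, and after `cp` from the example files and `chown -R apache:apache` they typically keep a 644 mode, readable by every local account on the box. The shell script below is an added example, not part of the page or the Snorby project: it audits the three credential-bearing Snorby files for any "other" permission bits and tightens them to 640 (owner and group apache). The staging directory in the demo is constructed; /var/www/html/snorby is the page's real path.

```shell
#!/bin/sh
# Added example, not from the page or the Snorby project: find and fix
# world-readable Snorby files that contain credentials.

SNORBY_SECRET_FILES="config/database.yml config/snorby_config.yml config/initializers/mail_config.rb"

# Octal permission bits of a file (GNU stat, with BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Print "<relative path> (<mode>)" for each secret-bearing file under the Snorby
# root $1 whose "other" bits are non-zero. Returns 1 if any was found, else 0.
audit_snorby_secrets() {
    root="$1"
    found=0
    for rel in $SNORBY_SECRET_FILES; do
        f="$root/$rel"
        [ -f "$f" ] || continue            # mail_config.rb exists only once alerts are set up
        mode=$(file_mode "$f")
        other=${mode#"${mode%?}"}          # last octal digit = permissions for "other"
        if [ "$other" -ne 0 ]; then
            echo "$rel ($mode)"
            found=1
        fi
    done
    return $found
}

# Restrict the same files to owner and group (apache:apache after the chown step):
# the Passenger-run application can still read them, other local accounts cannot.
lock_snorby_secrets() {
    root="$1"
    for rel in $SNORBY_SECRET_FILES; do
        [ -f "$root/$rel" ] && chmod 640 "$root/$rel"
    done
    return 0
}

# Demo on a constructed staging tree (not the real /var/www/html/snorby).
demo=$(mktemp -d)
mkdir -p "$demo/config/initializers"
printf 'snorby:\n  password: "placeholder"\n' > "$demo/config/database.yml"
chmod 644 "$demo/config/database.yml"            # what a default umask leaves behind
printf 'production:\n  ssl: false\n' > "$demo/config/snorby_config.yml"
chmod 640 "$demo/config/snorby_config.yml"
audit_snorby_secrets "$demo" || echo "world-readable secret files found"   # config/database.yml (644)
lock_snorby_secrets "$demo"
audit_snorby_secrets "$demo" && echo "all secret files are now mode 640 or tighter"
rm -rf "$demo"
```

On the live host run it as root after the chown step and again after creating mail_config.rb. Passenger starts the application as the owner of the Snorby directory (apache here), so 640 with apache:apache ownership keeps the application working while removing read access for everyone else.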

After that we need to update the Snorby configuration like this.

We need to go to the Snorby directory:

<sxh bash>
cd /var/www/html/snorby/
</sxh>

Now we need to update the configuration:

<sxh bash>
bundle exec rake snorby:update RAILS_ENV=production
</sxh>

Now we need to configure the email in Administration / General settings:
  * Company name: DOUGLASQSANTOS
  * Company email: snorby-monitor@douglasqsantos.com.br
  * Save Settings.

Now we need to configure the administrator email in Settings:
  * Email: snorby@douglasqsantos.com.br
  * Enter the password, confirm it and click Update settings.

**Note:** The address snorby@douglasqsantos.com.br is usually an alias that forwards to other mailboxes.

====== References ======
  - https://www.snorby.org/
  - http://springdale.math.ias.edu/data/puias/7.1/x86_64/os/RPM-GPG-KEY-puias