installing_and_configuring_snorty_on_debian_wheezy_en [2017/09/05 12:18] (current)
====== Installing and Configuring Snorby on Debian Wheezy ======

Snorby is a Ruby on Rails web application for network security monitoring that interfaces with the current popular intrusion detection systems (Snort, Suricata and Sagan). The basic concepts behind Snorby are simplicity, organization and power. The project goal is to create a free, open source and highly competitive application for network monitoring, for both private and enterprise use.

Set up your system with the following script to ensure that nothing will be missing: http://wiki.dksh.com.br/doku.php/confinicialwheezy_en

  * Snorby will use the following IP: 192.168.1.251

Let's install the dependencies for Snorby.
 +
<sxh bash;>
aptitude install -y bison autoconf automake ca-certificates ethtool flex g++ gcc gcc-4.4 make zlib1g-dev pkg-config checkinstall mysql-server default-jdk \
mysql-common mysql-client libmysqlclient-dev libyaml-dev git-core imagemagick libmagickwand-dev build-essential libssl-dev libreadline-gplv2-dev \
linux-headers-$(uname -r) libsqlite3-dev libxslt1-dev libxml2-dev libapache2-mod-passenger libmysql++-dev apache2-prefork-dev libtool \
apache2-mpm-worker libcurl4-openssl-dev ruby ruby-dev curl libmnl-dev libnfnetlink-dev libnetfilter-queue-dev
</sxh>
 +
We need to fetch one more dependency (wkhtmltox, which provides the wkhtmltopdf binary referenced in the Snorby configuration below) and install it manually with the following commands:

<sxh bash;>
cd /usr/src
wget -c http://wiki.dksh.com.br/Downloads/ips/wkhtmltox-0.12.2_linux-wheezy-amd64.deb
dpkg -i wkhtmltox-0.12.2_linux-wheezy-amd64.deb
apt-get install -f -y
</sxh>

Now we need to install Rails and Rake:

<sxh bash;>
gem install bundler rails
gem install rake --version=0.9.2
</sxh>

Now we need to get the Snorby sources with the following command:

<sxh bash;>
cd /var/www && wget -c http://wiki.dksh.com.br/Downloads/ips/snorby.tar.gz
</sxh>
 +
Now we need to unpack Snorby:

<sxh bash;>
tar -xvf snorby.tar.gz
</sxh>

Now we need to create the configuration files from the shipped examples:

<sxh bash;>
cd /var/www/snorby/config/
cp database.yml.example database.yml
cp snorby_config.yml.example snorby_config.yml
</sxh>

Now we need to configure the Snorby main file as follows:
 +
<sxh bash;>
vim /var/www/snorby/config/snorby_config.yml
# /var/www/snorby/config/snorby_config.yml
production:
  baseuri: ''
  domain: 'snorby.dksh.com.br'
  wkhtmltopdf: /usr/local/bin/wkhtmltopdf
  ssl: false
  mailer_sender: 'douglas.dksh@gmail.com'
  geoip_uri: "http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz"
  rules:
    - ""
  authentication_mode: database
  timezone_search: true
  time_zone: 'America/Sao_Paulo'
</sxh>
 +
Now we need to create the database for Snorby (senha is the placeholder password used on this page; choose your own):

<code mysql>
mysql -u root -p
CREATE DATABASE snorby;
GRANT ALL PRIVILEGES ON snorby.* TO snorby@'%' IDENTIFIED BY 'senha';
FLUSH PRIVILEGES;
exit
</code>

Now we need to enable remote access to MySQL, because the Suricata or Snort sensor (through Barnyard2) will need to write to this database. Note that bind-address = 0.0.0.0 makes MySQL listen on every interface, so restrict TCP port 3306 with a firewall to the sensor addresses that actually need it.

<sxh bash;>
vim /etc/mysql/my.cnf
[...]
bind-address            = 0.0.0.0
</sxh>

Now we need to restart the MySQL server as follows:

<sxh bash;>
/etc/init.d/mysql restart
</sxh>
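The following check is added here as an example; it is not part of the original page or of the Snorby project. It reads the bind-address from the my.cnf layout shown above and the grant line for the snorby account (for instance the output of SHOW GRANTS saved to a file), reports when the database is reachable from any host, and prints the iptables rules that limit port 3306 to the sensor. The sensor address, the file name snorby-db-check.sh and the function names are assumptions.

```shell
#!/bin/bash
# snorby-db-check.sh: report whether the Snorby MySQL server is exposed to
# every host and print the firewall rules that limit it to the sensor.
# Added example; assumes the /etc/mysql/my.cnf layout used on this page.

# Print the bind-address from the [mysqld] section of a my.cnf file.
# mysqld listens on all interfaces when the setting is absent.
mysql_bind_address() {
    awk -F= '
        /^\[/ { in_mysqld = ($0 == "[mysqld]") }
        in_mysqld && $1 ~ /^[[:space:]]*bind-address[[:space:]]*$/ {
            gsub(/[[:space:]]/, "", $2); print $2; found = 1; exit
        }
        END { if (!found) print "0.0.0.0" }
    ' "$1"
}

# Return 0 when the address means "every interface".
bind_is_public() {
    case "$1" in
        0.0.0.0|::|'*') return 0 ;;
        *)              return 1 ;;
    esac
}

# Return 0 when a GRANT statement or SHOW GRANTS line lets the account
# connect from any host, i.e. the host part is '%'.
grant_host_is_wildcard() {
    case "$1" in
        *"@'%'"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Print (do not run) iptables rules that allow TCP/3306 only from the sensor.
sensor_firewall_rules() {
    sensor=$1
    printf 'iptables -A INPUT -p tcp --dport 3306 -s %s -j ACCEPT\n' "$sensor"
    printf 'iptables -A INPUT -p tcp --dport 3306 -j DROP\n'
}

# Full report for one my.cnf file and one file holding the grant text.
# Returns 1 when anything is exposed, 0 otherwise.
snorby_db_report() {
    cnf=$1; grants=$(cat "$2"); sensor=${3:-SENSOR_IP_PLACEHOLDER}
    addr=$(mysql_bind_address "$cnf")
    status=0
    if bind_is_public "$addr"; then
        echo "mysqld binds to $addr: reachable from every interface"
        status=1
    fi
    if grant_host_is_wildcard "$grants"; then
        echo "snorby account may connect from any host (@'%')"
        status=1
    fi
    if [ "$status" -ne 0 ]; then
        echo "Suggested rules (replace the sensor address as needed):"
        sensor_firewall_rules "$sensor"
    fi
    return "$status"
}

# Run the report only when executed directly as snorby-db-check.sh:
#   ./snorby-db-check.sh /etc/mysql/my.cnf grants.txt 192.168.1.250
if [ "$(basename -- "$0")" = "snorby-db-check.sh" ]; then
    snorby_db_report "${1:-/etc/mysql/my.cnf}" "$2" "$3"
fi
```

The grant check is deliberately a substring match on @'%', so it works both on the GRANT statement typed above and on SHOW GRANTS output, which quotes the user name. The DROP rule only narrows port 3306; it does not change the default INPUT policy.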
 +
Now we need to configure the database connection file:

<sxh bash;>
vim /var/www/snorby/config/database.yml
# /var/www/snorby/config/database.yml
snorby: &snorby
  adapter: mysql
  username: snorby
  password: "senha"
  host: localhost

production:
  database: snorby
  <<: *snorby
</sxh>

Now we need to deploy Snorby like this:

<sxh bash;>
cd /var/www/snorby/
bundle install
bundle exec rake snorby:setup RAILS_ENV=production
</sxh>
 +
Now we need to create the virtual host that Snorby will use:

<sxh bash;>
vim /etc/apache2/sites-available/snorby.conf
<VirtualHost *:80>
    ServerName snorby.dksh.com.br
    DocumentRoot /var/www/snorby/public
    RailsEnv production
    <Directory /var/www/snorby/public>
        AllowOverride all
        Options -MultiViews
    </Directory>
    ServerSignature Off
    LogLevel info
    CustomLog /var/log/apache2/snorby.dksh.com.br-access.log combined
    ErrorLog /var/log/apache2/snorby.dksh.com.br-error.log
</VirtualHost>
</sxh>

Now we need to give the Apache user ownership of the Snorby directory:

<sxh bash;>
chown -R www-data:www-data /var/www/snorby
</sxh>

Now let's disable the default virtual host and enable the Snorby one:

<sxh bash;>
a2dissite default
a2ensite snorby.conf
</sxh>

Now we can restart the Apache server:

<sxh bash;>
/etc/init.d/apache2 restart
</sxh>

Now we can watch the log files as follows:

<sxh bash;>
tail -f /var/log/apache2/snorby.dksh.com.br-*
</sxh>
 +
To launch Snorby at boot time we need to create a startup script.

We need to create the directory to store the scripts:

<sxh bash;>
mkdir /etc/snorby
</sxh>

We need to create the script that will start the Snorby worker:

<sxh bash;>
vim /etc/snorby/snorby-start
#!/bin/bash

cd /var/www/snorby; RAILS_ENV=production /usr/local/bin/rails runner 'Snorby::Worker.start'
</sxh>

We need to create the script that will stop the Snorby worker (note the file name: the init script below sources /etc/snorby/snorby-stop):

<sxh bash;>
vim /etc/snorby/snorby-stop
#!/bin/bash

cd /var/www/snorby; RAILS_ENV=production /usr/local/bin/rails runner 'Snorby::Worker.stop'
</sxh>
 +
Now we need to create the System V init script:

<sxh bash;>
vim /etc/init.d/rc.snorby
#!/bin/sh
#-------------------------------------------------#
# Author: Douglas Quintiliano dos Santos
# Date: 14/04/2015
#-------------------------------------------------#
### BEGIN INIT INFO
# Provides:             rc.snorby
# Required-Start:       $remote_fs $syslog
# Required-Stop:        $remote_fs $syslog
# Default-Start:        2 3 4 5
# Default-Stop:
# Short-Description:    Snorby
### END INIT INFO

# Terminal colours used in the messages below
GREEN=$(printf '\033[1;32m')
RED=$(printf '\033[1;31m')
CLOSE=$(printf '\033[0m')

case $1 in
  start)
    echo "${GREEN}[         Starting Snorby          ]${CLOSE}"
    . /etc/snorby/snorby-start
    echo "${GREEN}[         Started Snorby           ]${CLOSE}"
  ;;
  stop)
    echo "${RED}[         Stopping Snorby ...      ]${CLOSE}"
    . /etc/snorby/snorby-stop
    echo "${RED}[         Stopped Snorby           ]${CLOSE}"
  ;;
  restart)
    $0 stop
    $0 start
  ;;
  *)
    echo "${RED}Valid options: (start|stop|restart)${CLOSE}"
  ;;
esac
</sxh>
 +
Make the script executable:

<sxh bash;>
chmod +x /etc/init.d/rc.snorby
</sxh>

Register it to run at boot time:

<sxh bash;>
insserv -f -v rc.snorby
</sxh>

Now we need to start Snorby:

<sxh bash;>
/etc/init.d/rc.snorby start
</sxh>

Now we can access Snorby at [[http://192.168.1.190|http://192.168.1.190]] with user: snorby@snorby.org password: snorby. These are the default credentials, so change the password right after the first login.
 +
We will get something like this.

{{:snorby-01.png?600}}

After Barnyard2 is configured to populate the Snorby database, we will start to get information like below.

{{:snorby-02.png?600}}

We will also be able to see information like this.

{{:snorby-03.png?600}}

====== Email Configuration ======

If you need to enable the email alerts, configure the following file:
<sxh bash;>
vim /var/www/snorby/config/initializers/mail_config.rb
# Snorby Mail Configuration

# #
# Gmail Example:
#
ActionMailer::Base.delivery_method = :smtp
ActionMailer::Base.smtp_settings = {
  :address              => "mail.dksh.com.br",
  :port                 => 587,
  :domain               => "dksh.com.br",
  :user_name            => "snorby-monitor@dksh.com.br",
  :password             => "pzv3d7JERDPsW4d",
  :authentication       => "plain",
  :enable_starttls_auto => true
}

# #
# Sendmail Example:
#
# ActionMailer::Base.delivery_method = :sendmail
# ActionMailer::Base.sendmail_settings = {
#   :location => '/usr/sbin/sendmail',
#   :arguments => '-i -t'
# }

ActionMailer::Base.perform_deliveries = true
ActionMailer::Base.raise_delivery_errors = true

# Mail.register_interceptor(DevelopmentMailInterceptor) if Rails.env.development?
</sxh>
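Both database.yml and mail_config.rb hold a password in clear text, and the chown -R earlier keeps whatever file modes the tarball shipped. The following check is added here as an example; it is not part of the original page or of the Snorby project. It flags either file when it is readable by group or others and tightens it to owner-only. The paths assume the /var/www/snorby layout used on this page, the file name snorby-secrets-check.sh and the function names are assumptions, and it relies on GNU stat as shipped with Debian.

```shell
#!/bin/bash
# snorby-secrets-check.sh: make sure the Snorby files that hold credentials
# are readable only by their owner (www-data after the chown -R above).
# Added example; assumes the /var/www/snorby layout from this page and
# GNU stat (Debian coreutils).

SNORBY_ROOT=${SNORBY_ROOT:-/var/www/snorby}

# Files from this page that contain a password in clear text.
secret_files() {
    printf '%s\n' \
        "$SNORBY_ROOT/config/database.yml" \
        "$SNORBY_ROOT/config/initializers/mail_config.rb"
}

# Permission bits of a file in octal, e.g. 644.
file_mode() {
    stat -c '%a' "$1"
}

# Return 0 when no group or other bit is set (600, 400, ...), 1 otherwise.
mode_is_private() {
    case "$1" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Check one file: print a finding and return 1 when it is missing or too open.
check_secret_file() {
    f=$1
    if [ ! -e "$f" ]; then
        echo "missing: $f"
        return 1
    fi
    m=$(file_mode "$f")
    if mode_is_private "$m"; then
        return 0
    fi
    echo "too open: $f (mode $m, expected 600)"
    return 1
}

# Tighten one file to owner read/write and re-check it.
fix_secret_file() {
    chmod 600 "$1" && check_secret_file "$1"
}

# Check every secret file; return 1 if any finding was printed.
check_all_secret_files() {
    rc=0
    for f in $(secret_files); do
        check_secret_file "$f" || rc=1
    done
    return "$rc"
}

# Run only when executed directly as snorby-secrets-check.sh.
if [ "$(basename -- "$0")" = "snorby-secrets-check.sh" ]; then
    check_all_secret_files
fi
```

Mode 600 is enough here because Passenger runs the application as www-data, the owner set by the chown -R step; if a separate user needs to read the files, use 640 with that user's group and adjust mode_is_private accordingly.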
 +
After that we need to update the Snorby configuration like this.

We need to access the Snorby directory:
<sxh bash;>
cd /var/www/snorby/
</sxh>

Now we need to update the configuration:
<sxh bash;>
bundle exec rake snorby:update RAILS_ENV=production
</sxh>

Now we need to configure the email in: Administration / General settings.
  * Company name: DKSH
  * Company email: snorby-monitor@dksh.com.br
  * Save Settings.

Now we need to configure the administrator email in: Settings
  * Email: snorby@dksh.com.br
  * Enter the password, confirm it and click Update settings.


**Note:** The email snorby@dksh.com.br is usually an alias for other addresses.