Suricata + Snorby on Debian Linux
About
Suricata is an open-source intrusion detection system (IDS) developed by the Open Information Security Foundation (OISF). A beta version was released in December 2009, with the first standard release following in July 2010.

Installation with rules
apt-get install suricata
apt-get install oinkmaster
Edit /etc/oinkmaster.conf and add the line:
url = http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz
Download the rules
oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules

Edit /etc/suricata/suricata-debian.yaml and change
classification-file: /etc/suricata/rules/classification.config
reference-config-file: /etc/suricata/rules/reference.config

Edit /etc/default/suricata and change
RUN=yes
SURCONF=/etc/suricata/suricata-debian.yaml
LISTENMODE=pcap
IFACE=eth0
NFQUEUE=0
TCMALLOC="YES"
PIDFILE=/var/run/suricata.pid

Edit /etc/suricata/suricata-debian.yaml to suit this configuration
# in the existing top-level outputs: section of suricata-debian.yaml
# alert output for use with Barnyard2
  - unified2-alert:
      enabled: yes
      filename: unified2.alert
      # File size limit. Can be specified in kb, mb, gb. Just a number
      # is parsed as bytes.
      limit: 100mb

logging:
  default-log-level: notice
  default-output-filter:
  outputs:
  - console:
      enabled: no
  - file:
      enabled: yes
      filename: /var/log/suricata.log
  - syslog:
      enabled: no
      facility: local5
      format: "[%i] <%d> -- "
Edit logrotate config /etc/logrotate.d/suricata
/var/log/suricata/*.log /var/log/suricata/*.json
{
    rotate 3
    missingok
    nocompress
    create
    sharedscripts
    postrotate
        /bin/kill -HUP $(cat /var/run/suricata.pid)
    endscript
}
Barnyard + Snorby (Graphical statistics)
apt-get install build-essential zlib1g-dev mysql-client libmysql++-dev comerr-dev dctrl-tools krb5-multidev \
    libgssrpc4 libkadm5clnt-mit9 libkadm5srv-mit9 libkdb5-8 libpq-dev libpq5 libssl-dev libssl-doc \
    postgresql-client-common postgresql-common postgresql-server-dev-9.5 postgresql-server-dev-all ssl-cert \
    git-core default-jre imagemagick libmagickwand-dev wkhtmltopdf libreadline-gplv2-dev libsqlite3-dev \
    libtinfo-dev libxslt1-dev libtool libyaml-dev libffi-dev postgresql-client postgresql postgresql-contrib

wget http://cache.ruby-lang.org/pub/ruby/2.3/ruby-2.3.4.tar.gz && tar xzf ruby-2.3.4.tar.gz && cd ruby-2.3.4
./configure && make && make install
gem install wkhtmltopdf bundler rails rake
/usr/local/bin/gem install thor i18n bundler tzinfo builder memcache-client rack rack-test erubis mail text-format sqlite3 bundler rack-mount rails rake debugger

cd to the Snorby source directory (/var/www/snorby in the service file below) and run
bundle install
RAILS_ENV=production bundle exec rake snorby:setup

Create new systemd service /lib/systemd/system/snorby_worker.service
[Unit]
Description=Snorby Worker Daemon
After=syslog.target network.target

[Service]
WorkingDirectory=/var/www/snorby
ExecStart=/usr/local/bin/bundle exec rails server -e production

[Install]
WantedBy=multi-user.target

Start services
systemctl enable snorby_worker
systemctl start snorby_worker
/etc/init.d/postgresql restart
barnyard2
apt-get install libdaq-dev libdnet-dev git autoconf libtool libpcap0.8-dev libdumbnet-dev
# barnyard2's build looks for dnet.h; Debian ships the header as dumbnet.h
ln -s /usr/include/dumbnet.h /usr/include/dnet.h
ldconfig
mkdir -p /root/sources && cd /root/sources
git clone https://github.com/firnsy/barnyard2.git
cd barnyard2
./autogen.sh
./configure --with-postgresql
make && make install
ln -s /usr/local/etc/barnyard2.conf /etc/barnyard2.conf
# log directory referenced by logdir and waldo_file in barnyard2.conf
mkdir -p /var/log/barnyard2

Edit config file /etc/barnyard2.conf
config daemon
config hostname: localhost
config interface: eth0
output database: log, postgresql, user=postgres password=password dbname=suricata host=localhost
config logdir: /var/log/barnyard2/
config waldo_file: /var/log/barnyard2/barnyard2.waldo

Create the init service file /etc/init.d/barnyard2 with contents
#!/bin/sh
### BEGIN INIT INFO
# Provides:          barnyard2
# Required-Start:    $local_fs $remote_fs $network postgresql
# Required-Stop:     $local_fs $remote_fs $network
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: barnyard2 unified2 spooler
### END INIT INFO
# Spools Suricata's unified2 alerts into the database configured in /etc/barnyard2.conf.
case $1 in
start)
    echo "starting $0..."
    # -d: spool directory, -f: spool file prefix, -D: daemonize
    /usr/local/bin/barnyard2 -c /etc/barnyard2.conf -d /var/log/suricata -f unified2.alert -D
    echo 'done.'
    ;;
stop)
    echo "stopping $0..."
    killall barnyard2
    echo 'done.'
    ;;
restart)
    $0 stop
    $0 start
    ;;
*)
    echo "usage: $0 (start|stop|restart)"
    ;;
esac
chmod +x /etc/init.d/barnyard2
update-rc.d barnyard2 defaults 21 00

Restart suricata
/etc/init.d/suricata restart
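Before blaming Snorby for an empty dashboard it is worth confirming that the unified2-alert output above is really writing records for barnyard2 to spool. The decoder below is an added example, not code from the original post or from Suricata or barnyard2; it reads the Snort unified2 format, handles the IPv4 event (type 7) and packet (type 2) records and passes any other record type through as raw bytes, and builds its own constructed sample spool instead of reading real traffic.

```python
import socket
import struct

# Record types Suricata's unified2-alert output writes (the Snort unified2 format).
# Other types (e.g. IPv6 events) are passed through as raw bytes below.
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7
EVENT_FMT = "!11I2H4B"   # 52-byte IPv4 event body, network byte order
PACKET_FMT = "!7I"       # 28-byte packet header, followed by the raw frame

def parse_unified2(data):
    """Yield (record_type, fields) from a unified2 spool buffer; stop at a
    truncated trailing record, as barnyard2 does while Suricata is still writing."""
    off = 0
    while off + 8 <= len(data):
        rtype, rlen = struct.unpack_from("!II", data, off)
        body = data[off + 8:off + 8 + rlen]
        if len(body) < rlen:
            break
        if rtype == UNIFIED2_IDS_EVENT and rlen == struct.calcsize(EVENT_FMT):
            f = struct.unpack(EVENT_FMT, body)
            yield rtype, {"sensor_id": f[0], "event_id": f[1], "event_second": f[2],
                          "sid": f[4], "gid": f[5], "rev": f[6], "priority": f[8],
                          "src": socket.inet_ntoa(struct.pack("!I", f[9])),
                          "dst": socket.inet_ntoa(struct.pack("!I", f[10])),
                          "sport": f[11], "dport": f[12], "proto": f[13], "blocked": f[16]}
        elif rtype == UNIFIED2_PACKET:
            h = struct.unpack_from(PACKET_FMT, body)
            yield rtype, {"event_id": h[1], "linktype": h[5], "packet": body[28:28 + h[6]]}
        else:
            yield rtype, {"raw": body}
        off += 8 + rlen

def build_sample_spool():
    """Constructed sample: one IPv4 alert plus its packet record (not real traffic)."""
    ip = lambda a: struct.unpack("!I", socket.inet_aton(a))[0]
    event = struct.pack(EVENT_FMT, 1, 42, 1500000000, 0,   # sensor, event id, sec, usec
                        1000001, 1, 3, 9, 2,                # sid, gid, rev, class, prio
                        ip("10.0.0.5"), ip("192.0.2.10"),
                        44512, 80, 6, 0, 0, 0)              # ports, tcp, impact, blocked
    frame = bytes(54)                                       # placeholder Ethernet/IP/TCP frame
    packet = struct.pack(PACKET_FMT, 1, 42, 1500000000, 1500000000, 0, 1, len(frame)) + frame
    return (struct.pack("!II", UNIFIED2_IDS_EVENT, len(event)) + event
            + struct.pack("!II", UNIFIED2_PACKET, len(packet)) + packet)

def spool_summary(data):
    """List of (type, sid or None) pairs, a quick sanity check for a live spool file."""
    return [(t, f.get("sid")) for t, f in parse_unified2(data)]
```

On a live sensor, pass the bytes of the newest /var/log/suricata/unified2.alert.* file to spool_summary; if events decode there but never reach Snorby, the problem lies with barnyard2 or the database rather than with Suricata.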
Snorby's statistics should now be available on the local host at http://localhost:3000/.