Installing Snorby, Barnyard and Snort on Debian Squeeze
Footnote: It is important that you use the latest version of Snort, since older versions (including the version currently in Debian's repository, as I found out the hard way!) do not support the unified2 log file format, which is essential for this tutorial.
The following tutorial is based on the following articles:
http://www.snort.org/assets/167/deb_snort_howto.pdf
http://www.corelan.be/index.php/2011/02/27/cheat-sheet-installing-snorby-2-2-with-apache2-and-suricata-with-barnyard2-on-ubuntu-10-x/
Step 1: Installing Snort
We will firstly install the required prerequisites:
apt-get install build-essential default-jre unzip ruby1.9.1 ruby1.9.1-dev libxslt1-dev libpng12-dev libjpeg62-dev ttf-dejavu libtiff4-dev libjasper-dev libfontconfig1-dev libxml2-dev ghostscript libopenexr-dev libwmf-dev librsvg2-dev libfftw3-dev liblzma-dev liblcms1-dev graphviz-dev libdjvulibre-dev openssl xorg libssl-dev mysql-server mysql-client libmysqlclient-dev flex bison libpcre3-dev
Install libpcap:
cd /usr/src
wget http://www.tcpdump.org/release/libpcap-1.1.1.tar.gz
tar -zxf libpcap-1.1.1.tar.gz && cd libpcap-1.1.1
./configure --prefix=/usr --enable-shared
make && make install
Install libdnet:
cd /usr/src
wget http://libdnet.googlecode.com/files/libdnet-1.12.tgz
tar -zxf libdnet-1.12.tgz && cd libdnet-1.12
./configure --prefix=/usr --enable-shared
make && make install
Install DAQ:
cd /usr/src
wget http://www.snort.org/dl/snort-current/daq-0.5.tar.gz
tar -zxf daq-0.5.tar.gz && cd daq-0.5
DAQ needs to be patched so that it reads the buffer_size parameter from the entry's value rather than its key.
nano /usr/src/daq-0.5/os-daq-modules/daq_pcap.c
On line 219 replace:
context->buffer_size = strtol(entry->key, NULL, 10);
with:
context->buffer_size = strtol(entry->value, NULL, 10);
Now run:
./configure
make && make install
Update the shared library path:
echo /usr/lib >> /etc/ld.so.conf && ldconfig
Now we will compile and install Snort:
cd /usr/src
wget http://www.snort.org/dl/snort-current/snort-2.9.0.5.tar.gz -O snort-2.9.0.5.tar.gz
tar -zxf snort-2.9.0.5.tar.gz && cd snort-2.9.0.5
./configure --with-mysql --enable-dynamicplugin --enable-perfprofiling --enable-ipv6 --enable-zlib --enable-reload
make && make install
And create the directories and set the permissions that we will need for our setup:
mkdir /etc/snort /etc/snort/rules /var/log/snort /var/log/barnyard2 /usr/local/lib/snort_dynamicrules
groupadd snort && useradd -g snort snort
chown snort:snort /var/log/snort /var/log/barnyard2
cp /usr/src/snort-2.9.0.5/etc/*.conf* /etc/snort
cp /usr/src/snort-2.9.0.5/etc/*.map /etc/snort
We now need to change some settings in the Snort config:
nano /etc/snort/snort.conf
Change the following lines:
Line #39 - ipvar HOME_NET 192.168.1.0/24 (make this match your internal, friendly, network)
Line #42 - ipvar EXTERNAL_NET !$HOME_NET
Line #80 - var RULE_PATH ./rules (this assumes /etc/snort/rules)
Line #186-#190 - comment out all of the preprocessor normalize_ lines
Line #366 - add this: output unified2: filename snort.log, limit 128
Line #395 - delete or comment out all of the "include $RULE_PATH" lines except "local.rules"
And we will create a simple rule:
nano /etc/snort/rules/local.rules
Enter a simple rule like this for testing:
alert icmp any any -> !$HOME_NET any (msg:"ICMP test"; sid:10000001;)
Now we can start and test Snort:
/usr/local/bin/snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0
Then ping the external interface from another machine and you should see something like the following:
02/09-11:29:43.450236 [**] [1:10000001:0] ICMP test [**] [Priority: 0] {ICMP} 172.5.5.1 -> 172.5.5.2
02/09-11:29:43.450251 [**] [1:10000001:0] ICMP test [**] [Priority: 0] {ICMP} 172.5.5.2 -> 172.5.5.1
Step 2: Installing Snorby
We will install the prerequisites:
apt-get install gcc g++ build-essential libssl-dev libreadline5-dev zlib1g-dev linux-headers-generic libsqlite3-dev libxslt-dev libxml2-dev imagemagick git-core libmysqlclient-dev mysql-server libmagickwand-dev
Install WKHTMLTOPDF:
cd /tmp
wget http://wkhtmltopdf.googlecode.com/files/wkhtmltopdf-0.10.0_rc2-static-i386.tar.bz2
bunzip2 wkhtmltopdf-0.10.0_rc2-static-i386.tar.bz2
tar xvf wkhtmltopdf-0.10.0_rc2-static-i386.tar
cp wkhtmltopdf-i386 /usr/bin/wkhtmltopdf
Install Ruby:
cd /tmp
wget http://ftp.ruby-lang.org//pub/ruby/1.9/ruby-1.9.2-p0.tar.gz
tar -xvzf ruby-1.9.2-p0.tar.gz
cd ruby-1.9.2-p0
./configure
make && make install
ln -s /usr/local/ruby/bin/bundle /usr/bin
Install the required gems:
gem install thor i18n bundler
gem install tzinfo builder memcache-client rack rack-test erubis mail text-format
gem install rack-mount --version=0.4.0
gem install rails sqlite3-ruby
And download the latest version of Snorby using git:
git clone http://github.com/Snorby/snorby.git /usr/local/snorby
Snorby Configuration:
nano /usr/local/snorby/config/database.yml
adapter: mysql
username: root
password: "your_password"
host: localhost
NOTE: Make sure that you use the root account. Why, you ask? Simply put, Snorby creates the database rather than you, so you will need to use the root account or a MySQL user that has the privileges to control all databases. After the installer script has created the database you can create a limited MySQL user, as you will see later on in the tutorial.
We will continue by editing the main config:
nano /usr/local/snorby/config/snorby_config.yml
Add or change the variables in this file as follows, but leave any additional variables already in the file in place:
development:
  domain: localhost:3000
  wkhtmltopdf: /usr/bin/wkhtmltopdf
test:
  domain: localhost:3000
  wkhtmltopdf: /usr/bin/wkhtmltopdf
production:
  domain: localhost:3000
  wkhtmltopdf: /usr/bin/wkhtmltopdf
We will now prepare to run the installer script:
cd /usr/local/snorby
gem install arel
gem install ezprint
bundle install
Before we run the setup we need to patch the Rakefile, changing:
require File.expand_path('../config/application', __FILE__)
require 'rake'
include Rake::DSL if defined?(Rake::DSL)
Snorby::Application.load_tasks
to:
require File.expand_path('../config/application', __FILE__)
require 'rake/dsl_definition'
require 'rake'
Snorby::Application.load_tasks
Launch the Snorby setup:
rake snorby:setup
If you get an error such as the following:
You have already activated rake 0.9.2.2, but your Gemfile requires rake 0.9.2.
You can do the following:
gem uninstall rake -v 0.9.2.2 # Uninstall version 0.9.2.2
gem install rake -v 0.9.2 # Install the correct version - 0.9.2
Output similar to the following should be presented:
[datamapper] Created database 'snorby'
[datamapper] Finished auto_upgrade! for :default repository 'snorby'
We can now create a MySQL user specifically for Snorby:
mysql -u root -p
create user 'snorby'@'localhost' IDENTIFIED BY 'your_password';
grant all privileges on snorby.* to 'snorby'@'localhost' with grant option;
flush privileges;
Now we can edit the Snorby database config again and replace the MySQL root credentials we entered with our new user:
nano /usr/local/snorby/config/database.yml
adapter: mysql
username: snorby
password: "your_password"
host: localhost
Finally we can run the Snorby server:
rails server -e test
You can now go to the server in your web browser:
http://<your-ip-or-hostname>:3000
Default login:
Username:
snorby@snorby.org
Password:
snorby
Upon logging in you should be presented with the user dashboard, although at the top right of the screen you will see a message complaining that the "Snorby worker" has not been started, as seen below:

Go to Administration > General > Worker Options > Start Worker
It might take a minute or so to start the worker; when it has started you should be presented with the following screen:

We will lastly set up Barnyard, which, simply put, parses Snort's unified2 log output and writes it to a database. In our case it will be writing it into Snorby's database.
Step 3: Installing Barnyard2
cd /usr/src
wget http://www.securixlive.com/download/barnyard2/barnyard2-1.9.tar.gz
tar -zxf barnyard2-1.9.tar.gz && cd barnyard2-1.9
./configure --with-mysql
make && make install
mv /usr/local/etc/barnyard2.conf /etc/snort
We also need to make a few minor tweaks to the Barnyard2 config file:
nano /etc/snort/barnyard2.conf
Change Line #215 to:
output alert_fast
and add the following line at the end of the file (modify as appropriate):
output database: log, mysql, user=snorby password=<your_password> dbname=snorby host=localhost sensor_name=sensor1
And finally we will start Snort and Barnyard2 using the following (make sure no existing instances are running!):
/usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth0 &
/usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /etc/snort/bylog.waldo -G /etc/snort/gen-msg.map -S /etc/snort/sid-msg.map -C /etc/snort/classification.config &
Now launch Snorby (if it's not already running!):
cd /usr/local/snorby
rails server -e test
Send some pings to the external interface and then check Snorby's web interface:
http://<your-ip-or-hostname>:3000
Log in, click on the Sensors tab and you should see that the sensor is visible and events are being recorded, as follows:

If events don't seem to be displayed in Snorby, you can check the "snorby" database to make sure that Barnyard2 is writing them to the event table properly by running:
mysql -uroot -p -D snorby -e "select count(*) from event"
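If the event count stays at zero, it helps to know whether Snort wrote anything to the unified2 file at all before suspecting Barnyard2 or MySQL. The following reader is an added example, not part of this tutorial or of Barnyard2; parse_unified2, count_alerts_for_sid and the two build_* helpers are hypothetical names, and the sample bytes are constructed here to mirror the ICMP test alerts (sid 10000001) shown earlier.

```python
import socket
import struct

# Added example (hypothetical helper): decodes Snort's unified2 records, the format
# Barnyard2 consumes. Each record is an 8-byte big-endian header (type, length)
# followed by the body; the IPv4 event body (type 7) is a fixed 52 bytes.
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7

def parse_unified2(data):
    """Return one dict per record; stops cleanly at a truncated trailing record."""
    records, off = [], 0
    while off + 8 <= len(data):
        rtype, rlen = struct.unpack_from(">II", data, off)
        body = data[off + 8:off + 8 + rlen]
        if len(body) < rlen:
            break  # Snort may still be writing this record; do not parse half of it
        if rtype == UNIFIED2_IDS_EVENT:
            f = struct.unpack(">IIIIIIIIIIIHHBBBB", body[:52])
            records.append({"type": "event", "sensor_id": f[0], "event_id": f[1],
                            "timestamp": f[2], "sid": f[4], "gid": f[5], "rev": f[6],
                            "priority": f[8], "src": socket.inet_ntoa(body[36:40]),
                            "dst": socket.inet_ntoa(body[40:44]), "protocol": f[13]})
        elif rtype == UNIFIED2_PACKET:
            _, event_id, _, _, _, linktype, plen = struct.unpack(">IIIIIII", body[:28])
            records.append({"type": "packet", "event_id": event_id,
                            "linktype": linktype, "payload": body[28:28 + plen]})
        else:
            records.append({"type": "other", "record_type": rtype})
        off += 8 + rlen
    return records

def count_alerts_for_sid(data, sid):
    return sum(1 for r in parse_unified2(data) if r["type"] == "event" and r["sid"] == sid)

# --- constructed sample input, mirroring the "ICMP test" alerts from the tutorial ---
def build_event(sid, gid, src, dst, proto, event_id):
    body = struct.pack(">IIIIIIIII4s4sHHBBBB", 1, event_id, 1328786983, 450236, sid, gid,
                       0, 0, 0, socket.inet_aton(src), socket.inet_aton(dst), 8, 0, proto, 0, 0, 0)
    return struct.pack(">II", UNIFIED2_IDS_EVENT, len(body)) + body

def build_packet(event_id, payload, linktype=1):  # linktype 1 = Ethernet
    body = struct.pack(">IIIIIII", 1, event_id, 1328786983, 1328786983, 450236, linktype, len(payload))
    return struct.pack(">II", UNIFIED2_PACKET, len(body) + len(payload)) + body + payload

SAMPLE_LOG = (build_event(10000001, 1, "172.5.5.1", "172.5.5.2", 1, 1)
              + build_packet(1, b"\x08\x00" + b"\x00" * 6)       # constructed ICMP echo bytes
              + build_event(10000001, 1, "172.5.5.2", "172.5.5.1", 1, 2))

if __name__ == "__main__":
    for rec in parse_unified2(SAMPLE_LOG):
        print(rec)
```

Against a live sensor, read the bytes of the current /var/log/snort/snort.log.<timestamp> file (the name set by the output unified2 line in snort.conf) and pass them to parse_unified2.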
You forget the “_” between buffer and size in daq patch section.
@Aurélien Hi there, sorry but it looks like the “_” is present :/
Ok, I should have a display problem:
http://img573.imageshack.us/img573/3482/20111201143010.th.png
Thanks
PS: in step 1, I had to install the flex, bison and libpcre3-dev packages.
Cheers Aurélien, I have updated the tutorial accordingly