
SNORBY INSTALLATION GUIDE

1/ Prerequisites
_ Snort Installation
_ Barnyard Installation

2/ Install SNORBY: (32bit OS)

Install apache and prerequisite packages


yum install libyaml-devel httpd git ImageMagick ImageMagick-devel libxml2-devel libxslt-devel gcc-c++ curl-devel httpd-devel apr-devel apr-util-devel readline-devel -y

Download and install Ruby


cd /usr/local/src/snort
wget http://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.3-p327.tar.gz
tar xvzf ruby-1*
cd ruby-1*
./configure && make && make install

Install openssl extension


cd ext/openssl/
ruby extconf.rb
make && make install

Install gem dependencies


gem install thor i18n bundler tzinfo builder memcache-client rack rack-test erubis mail rack-mount rails --no-rdoc --no-ri
Note: at this step the output should end with "33 gems installed"; do not proceed until you get that.
gem install rake --version=0.9.2 --no-rdoc --no-ri
gem uninstall rake --version=0.9.2.2

Download and install wkhtmltopdf


cd /usr/local/src/snort
wget http://wkhtmltopdf.googlecode.com/files/wkhtmltopdf-0.9.9-static-i386.tar.bz2
tar jxvf wkhtmltopdf-0*
mv wkhtmltopdf-i386 /usr/local/bin/wkhtmltopdf
chown root:root /usr/local/bin/wkhtmltopdf

Download and configure snorby


cd /var/www/html/
git clone http://github.com/Snorby/snorby.git
cd /var/www/html/snorby/config/
cp database.yml.example database.yml
cp snorby_config.yml.example snorby_config.yml
chown -R apache:apache /var/www/html/snorby

Set mysql root password


service mysqld start
chkconfig mysqld on
mysqladmin password yourpassword

Configure snorby database username and password


vi database.yml
...
snorby: &snorby
  adapter: mysql
  username: root
  password: "yourpassword"
  host: localhost
...

Install Snorby
cd /var/www/html/snorby
bundle install --deployment
rake snorby:setup

Configure Barnyard to output alerts to snorby database


vi /etc/snort/barnyard.conf
...
output database: log, mysql, user=root password=yourpassword dbname=snorby host=localhost
...
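The guide hands the MySQL root password to both Snorby (database.yml) and Barnyard (barnyard.conf). The script below is an added example, not part of the original guide: it prints the SQL for a dedicated database user restricted to the snorby schema and writes both config fragments from one set of credentials so the two files cannot drift apart. The user name, password and the use of bash are assumptions.

```shell
#!/bin/bash
# Added example: derive a least-privilege DB user and both config fragments
# from a single set of credentials. Nothing here touches MySQL; the SQL is
# printed so it can be reviewed and then fed to `mysql -u root -p`.

DB_NAME="snorby"

# SQL for a user who can only use the snorby database (the guide uses root
# for both Snorby and Barnyard, which is more than either needs).
snorby_grant_sql() {
    local user="$1" pass="$2" host="${3:-localhost}"
    printf "CREATE USER '%s'@'%s' IDENTIFIED BY '%s';\n" "$user" "$host" "$pass"
    printf "GRANT ALL PRIVILEGES ON %s.* TO '%s'@'%s';\n" "$DB_NAME" "$user" "$host"
    printf "FLUSH PRIVILEGES;\n"
}

# The database.yml stanza Snorby reads (indentation is significant in YAML).
snorby_database_yml() {
    local user="$1" pass="$2" host="${3:-localhost}"
    printf 'snorby: &snorby\n'
    printf '  adapter: mysql\n'
    printf '  username: %s\n' "$user"
    printf '  password: "%s"\n' "$pass"
    printf '  host: %s\n' "$host"
}

# The barnyard2 output line; there must be no space after 'password='.
barnyard_output_line() {
    local user="$1" pass="$2" host="${3:-localhost}"
    printf 'output database: log, mysql, user=%s password=%s dbname=%s host=%s\n' \
        "$user" "$pass" "$DB_NAME" "$host"
}

# Consistency check: both fragments carry the same password.
creds_match() {
    local yml_pw by_pw
    yml_pw=$(printf '%s' "$1" | sed -n 's/^  password: "\(.*\)"$/\1/p')
    by_pw=$(printf '%s' "$2" | sed -n 's/.* password=\([^ ]*\) .*/\1/p')
    [ -n "$yml_pw" ] && [ "$yml_pw" = "$by_pw" ]
}
```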

Restart Barnyard
service barnyard2 stop
service barnyard2 start

Install Passenger module for apache


gem install passenger

Output
[root@IDS snorby]# gem install passenger
Fetching: daemon_controller-1.1.5.gem (100%)
Fetching: passenger-4.0.10.gem (100%)
Successfully installed daemon_controller-1.1.5
Successfully installed passenger-4.0.10
2 gems installed
Installing ri documentation for daemon_controller-1.1.5...
Installing ri documentation for passenger-4.0.10...
Installing RDoc documentation for daemon_controller-1.1.5...
Installing RDoc documentation for passenger-4.0.10...

Replace the passenger version in the command below with the one shown in the output above (4.0.10 here)


cd /usr/local/lib/ruby/gems/1.9.1/gems/passenger-4.0.10/bin
./passenger-install-apache2-module

Output
[root@IDS bin]# ./passenger-install-apache2-module
Welcome to the Phusion Passenger Apache 2 module installer, v4.0.10.
This installer will guide you through the entire installation process. It
shouldn't take more than 3 minutes in total.

Here's what you can expect from the installation process:


1. The Apache 2 module will be installed for you.
2. You'll learn how to configure Apache.
3. You'll learn how to deploy a Ruby on Rails application.
Don't worry if anything goes wrong. This installer will advise you on how to
solve any problems.
Press Enter to continue, or Ctrl-C to abort.

Output
-------------------------------------------
The Apache 2 module was successfully installed.
Please edit your Apache configuration file, and add these lines:
LoadModule passenger_module /usr/local/lib/ruby/gems/1.9.1/gems/passenger-4.0.10/buildout/apache2/mod_passenger.so
PassengerRoot /usr/local/lib/ruby/gems/1.9.1/gems/passenger-4.0.10
PassengerDefaultRuby /usr/local/bin/ruby
After you restart Apache, you are ready to deploy any number of Ruby on Rails
applications on Apache, without any further Ruby on Rails-specific
configuration!
Press ENTER to continue.

Output
-------------------------------------------
Deploying a Ruby on Rails application: an example
Suppose you have a Rails application in /somewhere. Add a virtual host to your
Apache configuration file and set its DocumentRoot to /somewhere/public:
<VirtualHost *:80>
ServerName www.yourhost.com
# !!! Be sure to point DocumentRoot to 'public'!
DocumentRoot /somewhere/public
<Directory /somewhere/public>
# This relaxes Apache security settings.
AllowOverride all
# MultiViews must be turned off.
Options -MultiViews
</Directory>
</VirtualHost>
And that's it! You may also want to check the Users Guide for security and
optimization tips, troubleshooting and other useful information:
/usr/local/lib/ruby/gems/1.9.1/gems/passenger-4.0.10/doc/Users guide Apache.html
Enjoy Phusion Passenger, a product of Phusion (www.phusion.nl) :-)
https://www.phusionpassenger.com
Phusion Passenger is a trademark of Hongli Lai & Ninh Bui.

Config Apache
mkdir /etc/httpd/sites-available
mkdir /etc/httpd/sites-enabled

Create VirtualHost folders


mkdir /var/log/httpd/snorby

Create Passenger config file


vi /etc/httpd/conf.d/passenger.conf

Enter the following and then save the file


LoadModule passenger_module /usr/local/lib/ruby/gems/1.9.1/gems/passenger-4.0.10/buildout/apache2/mod_passenger.so
PassengerRoot /usr/local/lib/ruby/gems/1.9.1/gems/passenger-4.0.10
PassengerDefaultRuby /usr/local/bin/ruby

Set up the virtual host


vi /etc/httpd/sites-available/snorby.conf

Enter the following and then save the file


<VirtualHost *:80>
ServerAdmin newlife439@me.com
DocumentRoot /var/www/html/snorby/public
ServerName www.vuhoang.com
ErrorLog /var/log/httpd/snorby/error.log
CustomLog /var/log/httpd/snorby/access.log common
</VirtualHost>

Config Apache to look for the virtual host definition


vi /etc/httpd/conf/httpd.conf

Towards the bottom add


Include sites-enabled/*.conf

Link the virtual host definition to site-enabled


ln -s /etc/httpd/sites-available/snorby.conf /etc/httpd/sites-enabled/snorby.conf

Check that all the services are running


service snortd status
service barnyard2 status
service httpd status
service mysqld status

The result should be something as below


[root@IDS ~]# service snortd status
snort (pid 16844) is running...
[root@IDS ~]# service barnyard2 status
barnyard2 (pid 2096) is running...
[root@IDS ~]# service httpd status
httpd (pid 2211) is running...
[root@IDS ~]# service mysqld status
mysqld (pid 2073) is running...

Config Passenger to run with SELinux


yum provides \*/audit2allow
yum install policycoreutils-python -y

Enable the policy


1. setenforce 0
2. service httpd restart
3. Use Snorby in the browser for a while so that the audit log has enough data.
4. grep httpd /var/log/audit/audit.log | audit2allow -M passenger
5. If step 4 gives an error, try this one instead:
   grep httpd /var/log/messages | audit2allow -M passenger
6. semodule -i passenger.pp
7. setenforce 1
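As an added example that is not part of the original guide, the script below runs steps 1-7 with the checks a practitioner would want before loading a generated SELinux module: it picks whichever log actually contains httpd denials, refuses to load an empty module, and returns to enforcing mode when done. Log paths and the module name are assumptions.

```shell
#!/bin/bash
# Added example (not from the guide): steps 1-7 above as one script with
# checks added. Paths and the module name are assumptions.

MODULE="passenger"

# Count AVC denials for httpd in a log file; 0 when the file is unreadable.
count_httpd_denials() {
    local n
    [ -r "$1" ] || { echo 0; return; }
    n=$(grep -c 'avc:  denied .*comm="httpd"' "$1") || true
    echo "${n:-0}"
}

# Step 4 reads audit.log; step 5 falls back to /var/log/messages. Choose
# whichever one actually contains httpd denials instead of guessing.
pick_audit_source() {
    local audit="${1:-/var/log/audit/audit.log}" msgs="${2:-/var/log/messages}"
    if [ "$(count_httpd_denials "$audit")" -gt 0 ]; then
        echo "$audit"
    elif [ "$(count_httpd_denials "$msgs")" -gt 0 ]; then
        echo "$msgs"
    else
        return 1
    fi
}

# Steps 1-7 with the checks added. Runs as root on the IDS host.
build_and_load_policy() {
    local src
    setenforce 0                      # step 1: permissive, denials are only logged
    service httpd restart             # step 2
    echo "Use Snorby in the browser for a while, then press Enter"   # step 3
    read -r _
    src=$(pick_audit_source) || { echo "no httpd denials logged" >&2; setenforce 1; return 1; }
    grep httpd "$src" | audit2allow -M "$MODULE"                    # steps 4/5
    [ -s "$MODULE.pp" ] || { echo "audit2allow built no module" >&2; setenforce 1; return 1; }
    # Read $MODULE.te first: every allow line widens what httpd may do.
    semodule -i "$MODULE.pp"          # step 6
    setenforce 1                      # step 7: back to enforcing
}

# The privileged steps only run when asked for explicitly, so the file can
# also be sourced just to use the helper functions.
if [ "${RUN_SELINUX_FIX:-0}" = 1 ]; then
    build_and_load_policy
fi
```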

Start Snorby Worker on startup


vi /etc/rc.local
....
touch /var/lock/subsys/local
cd /var/www/html/snorby && /usr/local/bin/ruby script/delayed_job start
cd /var/www/html/snorby && /usr/local/bin/rails runner 'Snorby::Jobs::SensorCacheJob.new(false).perform; Snorby::Jobs::DailyCacheJob.new(false).perform'

Restart PC
reboot

Open Web Browser and type


www.vuhoang.com

or
localhost

You should see the Snorby login screen; log in with the following credentials

Email: snorby@snorby.org
PW: snorby
Note: sometimes the status bar warns that the Snorby worker is not running. In that case repeat
steps 1-7 above and restart the PC; keep doing that until the warning is gone.

Do not proceed until you completely get rid of the Snorby Worker warning!!!

Edit IPTables to allow inbound TCP80


vi /etc/sysconfig/iptables
------------------------------------------------------------------------------------
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
------------------------------------------------------------------------------------
Check the saved file with:
cat /etc/sysconfig/iptables

Config HOME_NET for snort.conf


vi /usr/local/snort/etc/snort.conf
....
# Setup the network addresses you are protecting
ipvar HOME_NET 10.3.63.0/24
....

Restart Snort and PC


service snortd restart
reboot

Edit the host file (optional)


vi /etc/hosts

Add the last line


127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
10.3.63.124 www.vuhoang.com

Add the test rule for snort


vi /usr/local/snort/rules/local.rules
....
#------------
# LOCAL RULES
#------------
alert icmp any any -> $HOME_NET any (msg:"ICMP Check Rule"; sid:10000001; rev:1;)

From another PC on the same network, ping the IP of the Snort PC and leave the ping running
continuously. Then go back to the Snorby web interface and click on the Events tab: events
carrying the "ICMP Check Rule" message from the rule above should be listed there.
