Pular para o conteúdo principal

CentOS7 with Snort Barnyard2 Snorby PulledPork SElinux

This post is about how to install Snort "stack" on CentOS7 with potentially all the latest libs an stuff.
Here I will install and configure everything to run Snort as IDS. I will write another post shortly how to run it as IPS - INLINE.
System details:
[root@nfsec-ids-01 ~]# cat /etc/redhat-release
CentOS Linux release 7.3.1611 (Core)

[root@nfsec-ids-01 ~]# uname -a
Linux nfsec-ids-01.nfsec.co.uk 3.10.0-514.2.2.el7.x86_64 #1 SMP Tue Dec 6 23:06:41 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux  

Snort 2.9.9.0

Installation of snort is very basic:
yum install https://www.snort.org/downloads/snort/daq-2.0.6-1.centos7.x86_64.rpm

yum install https://www.snort.org/downloads/snort/snort-2.9.9.0-1.centos7.x86_64.rpm  
Register at Snort and download registered rule set:
mkdir /usr/local/src/snortrules  
cd /usr/local/src/snortrules

wget https://www.snort.org/rules/snortrules-snapshot-2990.tar.gz?oinkcode=<oinkcode>

tar -zxvf snortrules-snapshot-2990.tar.gz  
I moved the rules to /etc/snort/rules/rules << this is what I will pass as a var into /etc/snort/snort.conf
What is important to change in /etc/snort/snort.conf
ipvar HOME_NET X.X.X.X/24  
var RULE_PATH /etc/snort/rules/rules  
var SO_RULE_PATH /etc/snort/rules/rules/so_rules  
var PREPROC_RULE_PATH /etc/snort/rules/rules/preproc_rules

var WHITE_LIST_PATH /etc/snort/rules/rules  
var BLACK_LIST_PATH /etc/snort/rules/rules

preprocessor reputation: \  
   memcap 500, \
   priority whitelist, \
   nested_ip inner, \
   whitelist $WHITE_LIST_PATH/white_listip.rules, \
   blacklist $BLACK_LIST_PATH/black_listip.rules


output unified2: filename snort.log, limit 128'  
include $RULE_PATH/local.rules  
The might be more or less specific VAR's to change however the snort configuration is easy.
The same in this file /etc/sysconfig/snort - VAR's here are self explanatory and most depends on your environment.
Once snort configuration is done and you chown -R snort:snort /etc/snort last thing to do is to create a service as follows:
vi /usr/lib/systemd/system/snort.service  
[Unit]
Description=Snort NIDS Daemon  
After=syslog.target network.target  
[Service]
Type=simple  
ExecStart=/usr/sbin/snort -u snort -g snort -c /etc/snort/snort.conf -i ens160  
[Install]
WantedBy=multi-user.target  
That's it:
systemctl enable snort  
systemctl start snort  

Barnyard2

Barnyard2 is the daemon which reads the output of snort unified2 file format and stores it in MySQL DB for further processing... (Snorby)
yum install wget man make flex bison zlib zlib-devel  
 libpcap libpcap-devel pcre pcre-devel tcpdump 
gcc-c++  libtool perl-libwww-perl perl-Archive-Tar  
 perl-Crypt-SSLeay git gcc libxml2 libxml2-devel 
libxslt libxslt-devel httpd curl-devel httpd-devel  
apr-devel apr-util-devel libXrender fontconfig  
 libXext ruby-devel unzip xz

yum groupinstall "Development Tools" -y

yum install openssl-devel readline-devel mariadb  
mariadb-devel mariadb-server urw-fonts libX11-devel  
 libXext-devel fontconfig-devel libXrender-devel
 xorg-x11-server-Xvfb libyaml libyaml-devel 
gdbm-devel db4-devel libffi-devel ethtool  
 ImageMagick ImageMagick-devel curl libcurl
 libcurl-devel libmnl-devel jansson-devel
 libnet-devel libnetfilter_queue-devel

yum install libdnet-devel  
I know that is a lot of dependencies but some will just exclude themselves... :)
cd /usr/local/src  
git clone https://github.com/firnsy/barnyard2.git  
cd barnyard2  
./autogen.sh
make  
make install  
cp etc/barnyard2.conf /etc/snort  
cp rpm/barnyard2 /etc/init.d  
chmod 700 /etc/init.d/barnyard2  
cp rpm/barnyard2.config /etc/sysconfig/barnyard2  
cp /etc/init.d/barnyard2 /etc/init.d/barnyard2_default

sed -i -e '/BARNYARD_OPTS=/s/$SNORTDIR\/${INT}/$SNORTDIR/' -e '/BARNYARD_OPTS=/s/-L \$SNORTDIR\/\${INT}/-l $SNORTDIR/'  
-e '/"b.*2"/s/barnyard2/\/usr\/local\/bin\/barnyard2/'
 -e '/touch \/var/s/\$prog/barnyard2/' /etc/init.d/barnyard2

sed -i 's#$SNORTDIR/${INT}#$SNORTDIR#g' /etc/init.d/barnyard2

cp /etc/sysconfig/barnyard2 /etc/sysconfig/barnyard2_default  
sed -i '/CONF=/s/barnyard.conf/barnyard2.conf/' /etc/sysconfig/barnyard2  
sed -i '/LOG_FILE=/s/"snort_unified.log"/"snort.log"/' /etc/sysconfig/barnyard2  
From the above the most important is to check your lines at /etc/init.d/barnyard2 in the following place:
PIDFILE="/var/lock/subsys/barnyard2.pid"  
ARCHIVEDIR="$SNORTDIR/$INT/archive"  
WALDO_FILE="$SNORTDIR/$INT/barnyard2.waldo"  
BARNYARD_OPTS="-D -c $CONF -d $SNORTDIR -w $WALDO_FILE -l $SNORTDIR -a $ARCHIVEDIR -f $LOG_FILE --create-pidfile $PIDFILE $EXTRA_ARGS"  
Later just create DB for barnyard2 called snort
mysql -u root -p  
mysql> create database snort;  
mysql> use snort;  
mysql> source /usr/local/src/barnyard2/schemas/create_mysql;  
mysql> CREATE USER 'snort'@'localhost'IDENTIFIED BY '**********';  
mysql> grant create, insert, select, delete, update on snort.* to 'snort'@'localhost';  
Then configure barnyard2 to log into the DB.
vi /etc/snort/barnyard2.conf  
output database: log, mysql, user=snort password=********** dbname=snort host=localhost

chmod o-r /etc/snort/barnyard2.conf  
Last thing to do is to create barnyard2 service:
vi /usr/lib/systemd/system/barnyard2.service  
[Unit]
Description=Barnyard2 Dedicated Unified2 Spooler  
After=network.target

[Service]
Type=simple  
ExecStart=/usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort/  
 -w /var/log/snort/ens160/barnyard2.waldo
 -l /var/log/snort/
 -a /var/log/snort/ens160/archive/
 -f snort.log --nolock-pidfile

[Install]
WantedBy=multi-user.target  
I used --nolock-pidfile but you can try --create-pidfile /var/lock/subsys/barnyard2.pid.

Snorby

Snorby is the GUI to display the processed Snort to Barnyard2 output files. It's a ROR application but you can read about it in more details somewhere else.
Most of the below are probably already installed by this point but some may still not be.
yum install openssl-devel readline-devel libxml2-devel libxslt-devel mariadb mariadb-devel mariadb-server  
\  urw-fonts libX11-devel libXext-devel git \
 fontconfig-devel libXrender-devel unzip wget \
 xorg-x11-server-Xvfb libyaml libyaml-devel gdbm-devel \
 db4-devel libffi-devel ethtool httpd  httpd-devel \
 ImageMagick ImageMagick-devel curl libcurl \ 
libcurl-devel libmnl-devel gcc zlib-devel \  
jansson-dev  
el libnet-devel libnetfilter_queue-devel  
yum install xorg-x11-fonts-Type1  
yum install xorg-x11-fonts-75dpi  
yum install postgresql-devel  
yum install java-1.8.0-openjdk 

wget http://download.gna.org/wkhtmltopdf/0.12/0.12.2/wkhtmltox-0.12.2_linux-centos7-amd64.rpm

rpm -ivh wkhtmltox-0.12.2_linux-centos7-amd64.rpm

curl -L get.rvm.io | bash -s stable  
gpg2 --keyserver hkp://keys.gnupg.net --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3  
curl -L get.rvm.io | bash -s stable  
source /etc/profile.d/rvm.sh  
rvm reload  
rvm requirements run  
rvm install 2.2.2  
gem install bundler  
gem install rails

cd /var/www/html  
git clone git://github.com/Snorby/snorby.git

vi /var/www/html/snorby/config/snorby_config.yml  
production:  
  baseuri: ''
  domain: 'snorby.nfsec.co.uk:8080'
  wkhtmltopdf: /usr/local/bin/wkhtmltopdf
  ssl: false
  mailer_sender: 'snorby@nfsec.com'
  geoip_uri: "http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz"
  rules:
    - ""
  authentication_mode: database
  timezone_search: true
  time_zone: 'Europe/London'

CREATE DATABASE snorby;  
GRANT ALL PRIVILEGES ON snorby.* TO snorby@'%' IDENTIFIED BY '****';  
GRANT ALL PRIVILEGES ON snorby.* TO snorby@'localhost' IDENTIFIED BY '****';  
FLUSH PRIVILEGES;

vi /var/www/html/snorby/config/database.yml  
snorby: &snorby  
  adapter: mysql
  username: snorby
  password: "*****"
  host: localhost

production:  
  database: snorby
  <<: *snorby

cd /var/www/html/snorby/  
bundle install  
bundle exec rake snorby:setup RAILS_ENV=production

gem install passenger  
passenger-install-apache2-module -a

cat /etc/httpd/conf.modules.d/passenger.conf  
LoadModule passenger_module /usr/local/rvm/gems/ruby-2.2.2/gems/passenger-5.1.1/buildout/apache2/mod_passenger.so

cat /etc/httpd/conf/httpd.conf |grep "Listen 8080"  
Listen 8080

cat /etc/httpd/conf.d/passenger.conf  
<IfModule mod_passenger.c>  
  PassengerRoot /usr/local/rvm/gems/ruby-2.2.2/gems/passenger-5.1.1
  PassengerDefaultRuby /usr/local/rvm/gems/ruby-2.2.2/wrappers/ruby
</IfModule>

cat /etc/httpd/conf.d/snorby.conf  
<VirtualHost *:8080>  
      ServerName snorby.hextrim.com
      DocumentRoot /var/www/html/snorby/public
      RailsEnv production
      <Directory /var/www/html/snorby/public>
        AllowOverride all
        Options -MultiViews
      </Directory>
        ServerSignature Off
        LogLevel info
        CustomLog /var/log/httpd/snorby.nfsec.co.uk-access.log combined
        ErrorLog /var/log/httpd/snorby.nfsec.co.uk-error.log
</VirtualHost>  
So what we just did above?
Installed dependencies, rvm and RUBY 2.2.2, wkhtmltox, gem bundler, gem rails.
We then configured snorby and created new DB called snorby.
Then we installed gem passenger and configured apache passenger module and created configuration files for apache to use it and point it to snorby HOME_DIR.
Barnyard2 with Snorby - of course - just change as below:
vim /etc/snort/barnyard2.conf  
output database: log, mysql, user=snorby password=********** dbname=snorby host=localhost sensor_name=sensor1

#output database: log, mysql, user=snort password=********** dbname=snort host=localhost

service barnyard2 restart  
Now all should work nicely - the only thing to start manually is the snorby worker which can be started from SnorbyGUI > Administration > Worker & Job Queue Start Worker.
Obviously this will fail and many other things may do if you have SElinux enabled.

Enable SElinux

I would imagine that you had SElinux disabled and you want to enable it?
Yeah I know hard work -> follow these steps:
yum install /usr/bin/audit2allow  
yum install selinux-policy-devel

# Change SElinux policy to Enforcing and reboot.

setsebool -P httpd_can_network_connect_db 1  
setsebool -P httpd_can_network_connect 1

chcon -R -t httpd_sys_rw_content_t /var/www/html/snorby/  
chcon -t httpd_sys_script_exec_t /usr/local/rvm/rubies/ruby-2.2.2/bin/ruby  
chcon -t httpd_sys_script_exec_t /usr/local/rvm/wrappers/ruby-2.2.2/ruby  
chcon -t httpd_sys_script_exec_t /usr/local/rvm/rubies/ruby-2.2.2/lib/libruby.so*  
chcon -R -t httpd_sys_script_exec_t /usr/local/rvm/gems/ruby-2.2.2/gems/  
mkdir -p /usr/src/selinux-devel  
cd /usr/src/selinux-devel/  
ln -s /usr/share/selinux/devel/Makefile .

cat passenger.te  
module passenger 1.0;  
require {  
type init_t;  
type initrc_t;  
type system_cronjob_t;  
type mysqld_t;  
type usr_t;  
type syslogd_t;  
type system_dbusd_t;  
type abrt_dump_oops_t;  
type dhcpc_t;  
type kernel_t;  
type auditd_t;  
type udev_t;  
type mysqld_safe_t;  
type postfix_pickup_t;  
type sshd_t;  
type crond_t;  
type getty_t;  
type anon_inodefs_t;  
type httpd_tmp_t;  
type devpts_t;  
type user_devpts_t;  
type httpd_sys_script_t;  
type security_t;  
type httpd_t;  
type unconfined_t;  
type selinux_config_t;  
type hi_reserved_port_t;  
type httpd_sys_content_t;  
type httpd_sys_rw_content_t;  
type var_t;  
type cert_t;  
type postfix_qmgr_t;  
type postfix_master_t;  
class file { getattr read create append write execute execute_no_trans open };  
class process { siginh signal noatsecure rlimitinh setpgid getsession };  
class unix_stream_socket { read write shutdown };  
class chr_file { read write append ioctl };  
class capability { setuid dac_override chown fsetid setgid fowner sys_nice sys_resource sys_ptrace kill };  
class fifo_file { setattr create getattr unlink };  
class sock_file { write getattr setattr create unlink };  
class lnk_file { read getattr };  
class udp_socket name_bind;  
class dir { write read search add_name getattr };  
}

#This stuff below is more of an access control list
#These are things the contexts below are requesting to be able to do in order to run properly.

 #============= httpd_sys_script_t ==============

allow httpd_sys_script_t abrt_dump_oops_t:dir { search getattr };  
allow httpd_sys_script_t abrt_dump_oops_t:file { read open };  
allow httpd_sys_script_t anon_inodefs_t:file { read write };  
allow httpd_sys_script_t auditd_t:dir { search getattr };  
allow httpd_sys_script_t auditd_t:file { read open };  
allow httpd_sys_script_t cert_t:dir { search getattr };  
allow httpd_sys_script_t cert_t:file { read getattr };  
allow httpd_sys_script_t cert_t:lnk_file read;  
allow httpd_sys_script_t crond_t:dir { search getattr };  
allow httpd_sys_script_t crond_t:file { read open };  
allow httpd_sys_script_t devpts_t:chr_file { read write };  
allow httpd_sys_script_t dhcpc_t:dir { search getattr };  
allow httpd_sys_script_t dhcpc_t:file { read open };  
allow httpd_sys_script_t getty_t:dir { search getattr };  
allow httpd_sys_script_t getty_t:file { read open };  
allow httpd_sys_script_t httpd_sys_content_t:fifo_file setattr;  
allow httpd_sys_script_t httpd_sys_content_t:sock_file { create unlink setattr };  
allow httpd_sys_script_t httpd_sys_rw_content_t:file { execute execute_no_trans };  
allow httpd_sys_script_t httpd_t:dir { search getattr };  
allow httpd_sys_script_t httpd_t:file { read open };  
allow httpd_sys_script_t httpd_t:unix_stream_socket { read write };  
allow httpd_sys_script_t httpd_tmp_t:fifo_file setattr;  
allow httpd_sys_script_t httpd_tmp_t:sock_file { write create unlink setattr };  
allow httpd_sys_script_t init_t:dir { search getattr };  
allow httpd_sys_script_t init_t:file { read open };  
allow httpd_sys_script_t initrc_t:dir { search getattr };  
allow httpd_sys_script_t initrc_t:file { read open };  
allow httpd_sys_script_t kernel_t:dir { search getattr };  
allow httpd_sys_script_t kernel_t:file { read open };  
allow httpd_sys_script_t mysqld_safe_t:dir { search getattr };  
allow httpd_sys_script_t mysqld_safe_t:file { read open };  
allow httpd_sys_script_t mysqld_t:dir { search getattr };  
allow httpd_sys_script_t mysqld_t:file { read open };  
allow httpd_sys_script_t postfix_master_t:dir { search getattr };  
allow httpd_sys_script_t postfix_master_t:file { read open };  
allow httpd_sys_script_t postfix_pickup_t:dir { search getattr };  
allow httpd_sys_script_t postfix_pickup_t:file { read open };  
allow httpd_sys_script_t postfix_qmgr_t:dir { search getattr };  
allow httpd_sys_script_t postfix_qmgr_t:file { read open };  
allow httpd_sys_script_t self:capability { setuid chown fsetid setgid fowner dac_override sys_nice sys_resource sys_ptrace kill };  
allow httpd_sys_script_t self:process { setpgid getsession };  
allow httpd_sys_script_t sshd_t:dir { search getattr };  
allow httpd_sys_script_t sshd_t:file { read open };  
allow httpd_sys_script_t syslogd_t:dir { search getattr };  
allow httpd_sys_script_t syslogd_t:file { read open };  
allow httpd_sys_script_t system_cronjob_t:dir getattr;  
allow httpd_sys_script_t system_dbusd_t:dir { search getattr };  
allow httpd_sys_script_t system_dbusd_t:file { read open };  
allow httpd_sys_script_t udev_t:dir { search getattr };  
allow httpd_sys_script_t udev_t:file { read open };  
allow httpd_sys_script_t unconfined_t:dir { search getattr };  
allow httpd_sys_script_t unconfined_t:file { read open };  
allow httpd_sys_script_t unconfined_t:process signal;  
allow httpd_sys_script_t user_devpts_t:chr_file { read write append ioctl };  
allow httpd_sys_script_t usr_t:file execute;  
allow httpd_sys_script_t var_t:dir { write read add_name };  
allow httpd_sys_script_t var_t:file { read getattr create append };

 #============= httpd_t ==============

allow httpd_t hi_reserved_port_t:udp_socket name_bind;  
allow httpd_t httpd_sys_content_t:fifo_file { create unlink getattr setattr };  
allow httpd_t httpd_sys_content_t:sock_file { getattr unlink setattr };  
allow httpd_t httpd_sys_script_t:process { siginh rlimitinh noatsecure };  
allow httpd_t httpd_sys_script_t:unix_stream_socket { read write shutdown };  
allow httpd_t httpd_tmp_t:fifo_file { create unlink getattr setattr };  
allow httpd_t httpd_tmp_t:sock_file { getattr unlink setattr };  
allow httpd_t security_t:dir search;  
allow httpd_t self:capability { fowner fsetid };  
allow httpd_t selinux_config_t:dir search;  
allow httpd_t var_t:file { read getattr };  
allow httpd_t var_t:lnk_file { read getattr };

checkmodule -M -m -o passenger.mod passenger.te  
semodule_package -o passenger.pp -m passenger.mod  
semodule -i passenger.pp  
service httpd restart  
Now your Snorby should work nicely.

PulledPork

PulledPork should keep your Snort rules up to date however for Snort 2.9.9.0 current version of pulledpork does not work:
pulledpork.pl -V PulledPork v0.7.3 - Making signature updates great again!
This due to the change of the MD5 hash files made by Snort on their website - signatures/rules directory.
So we are all waiting for someone to update pulledpork! :)

Comentários

Postagens mais visitadas deste blog

Upgrading Iomega ix2-200 to Cloud Edition

You just got your ix2-200 from eBay and there are no disks inside the NAS. Or you have a brand new ix2-200 -yet you could not afford Cloud Edition. No problem. With just a USB stick and a SATA adapter or desktop PC, you will easily upgrade your ix2-200 to ix2-200 Cloud Edition. Not only your ix2-200 will have a brand new interface and Cloud options, but also will become Mac OS X Lion compatible! What do we need? Decrypted! ix2-200 Cloud Edition Firmware 3.1.12.47838 S endSpace or RapidShare * USB Flash Drive with at least 2 GB capacity and LED indicator** SATA to USB adapter or desktop PC Toothpick or paperclip Preparing Hard Drives Preparing hard drives is the first step because you have to wipe all the data inside the hard drives and make them just like brand new. We used 2 x Seagate 2 TB 5900 RPM Drives. Backup any files if you have and then remove both disks from ix2-200 and attach them to SATA to USB adapter or your desktop PC's SATA port. Using

Cuckoo com Vmware Esxi

Cuckoo is an open-source malware analysis platform using sandboxing technology. The tool allows people like us to analyze malicious binaries in an isolated environment. Since Cuckoo is commonly used with Oracle VirtualBox as its virtualization platform, a majority of online documentation is focused on configuration using VirtualBox. PlantainStan and I decided to test running Cuckoo on ESXi and document our success. This guide will help with the basic configuration of ensuring Cuckoo properly interacts with ESXi. We will continue to update this post as we make continue to make an even more baller Cuckoo environment! Note: In order to successfully interact with vSphere's API, you will need the VMWare ESX Standard license. API functionality is required for Cuckoo to work with ESX. Configure ESX Since this guide is not a "how to" on installing ESXi, we will assume that you have successfully installed the hypervisor on your system. There