Thursday, March 8, 2012

Barnyard2/Snort/Snorby installation/configuration with Ubuntu 11.10.

Sorry. Since I wrote this on my English blog, I have not made the Turkish version yet.
For now I have pasted it as is. I will translate it into Turkish. I have tagged the post.

First of all, we install MySQL 5.5.21 (the generic Linux binary tarball) before we start.

Extract it to /usr/local/mysql-5.5.21-linux2.6-x86_64/

Then symlink it, so an upgrade is just a matter of repointing the link:
cd /usr/local && ln -s mysql-5.5.21-linux2.6-x86_64/ mysql/
Next we edit mysql/support-files/mysql.server and change the basedir and datadir paths.
In my case /sql is the datadir and /usr/local/mysql/ is the basedir.

/sql is a NetApp volume mounted over NFS with snapshots enabled. (MySQL's documentation discourages NFS datadirs because of file locking and caching issues, so make sure only one mysqld ever opens /sql.)

Note: without libaio (the libaio1 package on Ubuntu) the mysql_install_db script will not run.

Then we run scripts/mysql_install_db --basedir=/usr/local/mysql/,
then rsync mysql/data/ to /sql, and just in case chown mysql.mysql /sql -R
so the server user owns its datadir.

Then we are all set and ready.

/usr/local/mysql/support-files/mysql.server start and our MySQL is up.

Since there will be a lot of records in Snorby and we want fast results, I use a RAM-heavy machine (64 GB) with a large InnoDB buffer pool.

The my.cnf configuration is below.

(The pasted listing had lost its my.cnf section headers; they are restored here, and the [myisamchk] block that appeared twice is kept once.)

[client]
port            = 3306
socket          = /sql/mysql.sock

[mysqld]
port            = 3306
socket          = /sql/mysql.sock
server-id       = 1140

# Slave Relay Log Files Related:

key_buffer = 8384M
max_allowed_packet = 5M
table_cache = 1024
sort_buffer_size = 2M
read_buffer_size = 2M
read_rnd_buffer_size = 8M
myisam_sort_buffer_size = 14M
thread_cache_size = 128
query_cache_size = 32M
thread_concurrency = 8
wait_timeout = 720

#log_bin_trust_function_creators = 1;

# Changing innodb_log_file_size on an existing 5.5 instance: stop mysqld cleanly
# and move the old ib_logfile* out of the datadir before starting with the new size.
innodb_log_file_size = 768M
# Crash-recovery-only setting; leave it commented out in normal operation.
#innodb_force_recovery = 4

[mysqldump]
max_allowed_packet = 16M

[myisamchk]
key_buffer = 256M
sort_buffer_size = 256M
read_buffer = 2M
write_buffer = 2M

Note that key_buffer sizes the MyISAM key cache. The listing as pasted has no innodb_buffer_pool_size line, and that is the setting that actually sizes the InnoDB pool referred to above, so add it explicitly (a large share of the 64 GB, leaving room for the OS, the key cache and the per-connection buffers).


Since I use Ubuntu, my example goes with it. We install the packages and dependencies below:

apt-get install apache2 ruby libzlib-ruby rdoc \
  irb rubygems rails eruby libapache2-mod-fcgid libfcgi-ruby1.8 \
  libmysql-ruby libdbd-mysql-ruby1.8 libapache2-mod-passenger git-core
Then we can install Snort: apt-get install snort
After that we configure Snort's database output in /etc/snort/database.conf.
The idea: Snort's logging format changed, so we use Barnyard2 to make it usable and
add it to the database. Snort writes unified2 files, Barnyard2 converts them into an
insertable form and adds them to MySQL, and Snorby then analyses the events and
shows statistics.
Because our MySQL lives under /usr/local/mysql, we point Barnyard2's configure at it for the include and library paths.
We extract Barnyard2 and install it:
./configure --with-mysql=/usr/local/mysql && make && make install
After installation we go back to Snort's database config file, comment out the old
output line and add the line below for unified2 log output. The plan: Snort writes
the output, Barnyard2 reads it and inserts it into the DB.
output unified2: filename snort.out, limit 128
Then restart the Snort service (or start it).
Then, for the Barnyard2 config, add the line below at the end of the configuration; follow the example and explanations in the config file, they are easy to find.

output database: log, mysql, user=yourusername password=yourpassword dbname=snort host=dbhost

Because that line holds the database password in clear text, keep barnyard2.conf readable only by the user Barnyard2 runs as (chmod 600), and give that MySQL account only the privileges it needs on the events database rather than a root login.
Then we start Barnyard2 too:
barnyard2 -c /usr/local/etc/barnyard2.conf -d /var/log/snort -f snort.out -D

Before adding -D you can run it without, watch the event flow on screen, and check
the events table to confirm it records into the MySQL snort database. Adding
-w /var/log/snort/barnyard2.waldo (the bookmark file) makes Barnyard2 resume where
it stopped instead of re-reading the unified2 files after a restart.

Now we have MySQL, Snort and Barnyard2 ready for Snorby.
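To see what actually travels between Snort and Barnyard2 in the pipeline above, here is a small reader for the unified2 records that "output unified2:" produces. It is an added example, not code from the original post or from the Snort/Barnyard2 projects; the record layout follows Snort's Unified2_common.h (8-byte big-endian header, then a type-specific body), and the sample stream at the bottom is constructed, not a capture. Pointing read_unified2 at a real snort.out file (open it in binary mode) lets you confirm Snort is writing events before Barnyard2 is in the picture.

```ruby
# Added example: decode the unified2 records Snort writes and Barnyard2 consumes.
require 'socket'
require 'ipaddr'
require 'stringio'

UNIFIED2_PACKET    = 2   # packet that triggered an event
UNIFIED2_IDS_EVENT = 7   # IPv4 event record (52-byte body)

# Field order of the IPv4 IDS event body: 11 x uint32, 2 x uint16, 4 x uint8, big-endian.
IDS_EVENT_FIELDS = %i[sensor_id event_id event_second event_microsecond
                      signature_id generator_id signature_revision
                      classification_id priority_id ip_source ip_destination
                      sport_itype dport_icode protocol impact_flag impact blocked].freeze
IDS_EVENT_FORMAT = 'N11n2C4'.freeze
IDS_EVENT_SIZE   = 52

def parse_ids_event(body)
  raise ArgumentError, "short IDS event body: #{body.bytesize} bytes" if body.bytesize < IDS_EVENT_SIZE
  rec = IDS_EVENT_FIELDS.zip(body.unpack(IDS_EVENT_FORMAT)).to_h
  rec[:ip_source]      = IPAddr.new(rec[:ip_source], Socket::AF_INET).to_s
  rec[:ip_destination] = IPAddr.new(rec[:ip_destination], Socket::AF_INET).to_s
  rec
end

# Packet body: 7 x uint32 header, then packet_length bytes of raw packet.
def parse_packet(body)
  fields = %i[sensor_id event_id event_second packet_second packet_microsecond linktype packet_length]
  rec = fields.zip(body.unpack('N7')).to_h
  rec[:packet_data] = body.byteslice(28, rec[:packet_length])
  rec
end

# Walk a unified2 byte stream and return [type, record] pairs. Stops cleanly at a
# truncated record, which is normal while Snort is still appending to the file.
def read_unified2(io)
  records = []
  while (hdr = io.read(8))
    break if hdr.bytesize < 8
    type, length = hdr.unpack('N2')
    body = io.read(length)
    break if body.nil? || body.bytesize < length
    rec = case type
          when UNIFIED2_IDS_EVENT then parse_ids_event(body)
          when UNIFIED2_PACKET    then parse_packet(body)
          else { raw: body }   # IPv6, VLAN and extra-data record types are not decoded here
          end
    records << [type, rec]
  end
  records
end

# Encoders used only to build the constructed sample stream below.
def build_ids_event(fields)
  body = IDS_EVENT_FIELDS.map { |k| fields.fetch(k, 0) }.pack(IDS_EVENT_FORMAT)
  [UNIFIED2_IDS_EVENT, body.bytesize].pack('N2') + body
end

def build_packet(sensor_id, event_id, event_second, packet_second, packet_usec, linktype, data)
  body = [sensor_id, event_id, event_second, packet_second, packet_usec, linktype, data.bytesize].pack('N7') + data
  [UNIFIED2_PACKET, body.bytesize].pack('N2') + body
end

# Constructed sample (not a real capture): one alert, TCP 10.0.0.5 -> 192.168.1.10:80, plus its packet.
SAMPLE_STREAM = build_ids_event(sensor_id: 1, event_id: 42, event_second: 1_331_200_000,
                                signature_id: 1_000_001, generator_id: 1, signature_revision: 1,
                                classification_id: 3, priority_id: 2,
                                ip_source: IPAddr.new('10.0.0.5').to_i,
                                ip_destination: IPAddr.new('192.168.1.10').to_i,
                                sport_itype: 51_234, dport_icode: 80, protocol: 6) +
                build_packet(1, 42, 1_331_200_000, 1_331_200_000, 17, 1, "\x45\x00\x00\x28".b)

if __FILE__ == $PROGRAM_NAME
  read_unified2(StringIO.new(SAMPLE_STREAM)).each { |type, rec| puts "type=#{type} #{rec.inspect}" }
end
```

The event and packet records share sensor_id and event_id; that pair is how Barnyard2 (and the Snorby schema behind it) ties a payload back to its alert.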

The example shows Ruby 1.9.2; as I write this, the latest stable is 1.9.3.

apt-get install git-core default-jre
apt-get install imagemagick libmagickwand-dev wkhtmltopdf
apt-get install gcc g++ build-essential libssl-dev libreadline-gplv2-dev zlib1g-dev \
  linux-headers-generic libsqlite3-dev libxslt1-dev libxml2-dev libmysqlclient-dev
cd /usr/local/src/
tar xvzf ruby-1.9.2-p290.tar.gz
ln -s ruby-1.9.2-p290 ruby
rm -f ruby-1.9.2-p290.tar.gz
chown root:root -R ruby-1.9.2-p290/
cd ruby/
./configure --prefix=/usr/local   # configure and build first; make install alone does nothing useful
make
make install
cd /usr/local/src/ruby/ext/openssl
ruby extconf.rb
make && make install
cd /usr/local/src/ruby && ruby -v
  ruby 1.9.2p290 (2011-07-09 revision 32553) [i686-linux]
So Ruby is all set.

cd /usr/local/src/ruby
gem install thor i18n bundler tzinfo builder memcache-client rack rack-test erubis mail text-format sqlite3
gem install rack-mount
gem install rails
gem install rake
# for me rails is 3.2.2
rails -v
  Rails 3.1.1
gem install rubygems-update
cd /var/www/
git clone   # clone the Snorby repository so it lands in /var/www/snorby
vi /var/www/snorby/config/database.yml   # set the MySQL user, password, host and database name
bundle install --deployment

rake snorby:setup
I got this error:
(in /var/www/snorby)
/usr/local/lib/ruby/1.9.1/yaml.rb:56:in `':
It seems your ruby installation is missing psych (for YAML output).
To eliminate this warning, please install libyaml and reinstall your ruby.
rake aborted!
You have already activated rake, but your Gemfile requires rake 0.9.2.
Using bundle exec may solve this.

(See full trace by running task with --trace)
Then run it as the message suggests:
bundle exec rake snorby:setup
Then it worked and created the snorby DB. (The psych warning is separate from the rake failure; it goes away if libyaml-dev is installed before Ruby is built.)
Also as a note: it expects the MySQL socket at '/var/run/mysqld/mysqld.sock' (you get the client's "Can't connect to local MySQL server through socket ... (2)" error otherwise). With the socket at /sql/mysql.sock as in this setup, add socket: /sql/mysql.sock to database.yml, or symlink /var/run/mysqld/mysqld.sock to it.
After the setup, check the snorby database in MySQL.

Then we start Snorby with rails s -d (daemonized), and it can be reached at http://ip:3000. That is the Rails development server, and in Rails 3 it listens on every interface; for anything beyond a first test, run Snorby in production mode behind Apache with the Passenger module installed earlier, and do not leave port 3000 reachable from untrusted networks.

If everything works fine, the worker shows as up and running on the Snorby side. Also point Barnyard2 at the new snorby database (dbname=snorby in its output database line) instead of the snort database; otherwise the worker shows red and does not work in Snorby.
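The mismatch described above (Barnyard2 still writing to the snort database while Snorby reads snorby) is easy to catch before looking for a red worker. The check below is an added example, not code from the post or from the Snorby/Barnyard2 projects: it parses the active "output database:" line out of barnyard2.conf, reads the Snorby database.yml, and reports when the two disagree; it also flags a Barnyard2 config that other users can read, since the line holds the DB password. The file names, sample configs and the "dbhost"/"s3cret" values are constructed for the demo.

```ruby
# Added example: verify Barnyard2 and Snorby are wired to the same MySQL database.
require 'yaml'
require 'tempfile'

BARNYARD2_OUTPUT_RE = /\A\s*output\s+database:\s*(?<mode>\w+)\s*,\s*(?<driver>\w+)\s*,\s*(?<params>.*)\z/

# First uncommented "output database:" line as a hash
# ({mode:, driver:, user:, password:, dbname:, host:, ...}), or nil if there is none.
def parse_barnyard2_output(conf_text)
  conf_text.each_line do |raw|
    line = raw.chomp
    next if line =~ /\A\s*#/
    m = BARNYARD2_OUTPUT_RE.match(line) or next
    pairs = m[:params].split.map { |kv| kv.split('=', 2) }.select { |pair| pair.size == 2 }
    return pairs.to_h.transform_keys(&:to_sym).merge(mode: m[:mode], driver: m[:driver])
  end
  nil
end

def snorby_db(database_yml_text, env = 'production')
  YAML.safe_load(database_yml_text).fetch(env)
end

# Returns a list of problems; an empty list means Barnyard2 and Snorby agree.
def check_wiring(barnyard2_text, database_yml_text, env = 'production')
  by = parse_barnyard2_output(barnyard2_text)
  return ['barnyard2.conf has no active "output database:" line'] if by.nil?
  db = snorby_db(database_yml_text, env)
  problems = []
  problems << "barnyard2 driver is #{by[:driver]}, Snorby expects mysql" unless by[:driver] == 'mysql'
  problems << "barnyard2 mode is #{by[:mode]}; use log so packet data is stored too" unless by[:mode] == 'log'
  unless by[:dbname] == db['database']
    problems << "barnyard2 writes to #{by[:dbname].inspect} but Snorby reads #{db['database'].inspect}"
  end
  problems
end

# True when group or others can read the file, i.e. the DB password is exposed.
def config_file_too_open?(path)
  (File.stat(path).mode & 0o077) != 0
end

# Constructed samples (not real files): a correct pairing and the snort/snorby mismatch.
SAMPLE_DATABASE_YML = <<~YAML
  production:
    adapter: mysql2
    database: snorby
    username: snorby
    password: s3cret
    host: dbhost
    socket: /sql/mysql.sock
YAML
BARNYARD2_GOOD = "output database: log, mysql, user=snorby password=s3cret dbname=snorby host=dbhost\n"
BARNYARD2_STALE = <<~CONF
  # old line left commented out
  # output database: log, mysql, user=snort password=s3cret dbname=snort host=localhost
  output database: log, mysql, user=snort password=s3cret dbname=snort host=dbhost
CONF

if __FILE__ == $PROGRAM_NAME
  [BARNYARD2_GOOD, BARNYARD2_STALE].each do |conf|
    problems = check_wiring(conf, SAMPLE_DATABASE_YML)
    puts(problems.empty? ? 'OK: barnyard2 and snorby use the same database' : problems.join("\n"))
  end
  Tempfile.create('barnyard2.conf') do |f|
    f.write(BARNYARD2_GOOD)
    f.flush
    File.chmod(0o644, f.path)
    puts "#{f.path} is world-readable: #{config_file_too_open?(f.path)}"
  end
end
```

Host names are deliberately not compared: Barnyard2 runs on the sensor and Snorby on the DB host, so "dbhost" on one side and "localhost" on the other can both be right; the database name is what has to match.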

So that's it!

Have fun customizing Snort and its setup :)

For my setup I also have ntop on the same machine.

Note: For some of this I used the Ubuntu 11.10 Snorby documentation submitted on the GitHub site.
