Thursday, March 8, 2012

Barnyard2/Snort/Snorby installation/configuration with Ubuntu 11.10.

Sorry; since I wrote this on my English blog, I have not made the Turkish version yet.
For now I pasted it like this. I will translate it into Turkish. I tagged the post.

First of all, we install MySQL 5.5.21 before we start.

Extract it to /usr/local/mysql-5.5.21-linux2.6-x86_64/

Then symlink it, for easier upgrades:
ln -s mysql-5.5.21-linux2.6-x86_64/ mysql/
Then we open mysql/support-files/mysql.server, edit it and change the basedir and datadir paths.
In my case /sql is the data path and /usr/local/mysql/ is the base path.

/sql is also a NetApp volume over NFS with snapshot capabilities enabled.

Note: without libaio you cannot run the mysql_install_db script.

Then we run the mysql_install_db script with /usr/local/mysql/ as the basedir.
Then we rsync mysql/data/ to /sql, and just in case: chown mysql.mysql /sql -R

Then we are all set.

/usr/local/mysql/support-files/mysql.server start, and our MySQL is up.
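The tarball steps above as one script, added here as an example (it is not from the original post). Paths follow the post (/usr/local/mysql as base, /sql as data); the only thing done differently is that the basedir/datadir lines of mysql.server are rewritten with sed instead of by hand, and the libaio requirement from the note is checked before mysql_install_db is run.

```shell
#!/bin/sh
# Added example, not from the original post: the MySQL tarball setup as a
# script. Paths are the post's; run as root after extracting the tarball
# and creating the mysql/ symlink.

MYSQL_BASE=/usr/local/mysql
MYSQL_DATA=/sql

# mysql_install_db will not run without libaio. Return 0 when the dynamic
# loader knows libaio.so.1 (or it sits in a standard lib directory).
have_libaio() {
    ldconfig -p 2>/dev/null | grep -q 'libaio\.so\.1' \
        || ls /lib*/libaio.so.1 /usr/lib*/libaio.so.1 >/dev/null 2>&1
}

# Rewrite the (empty) "basedir=" and "datadir=" lines of a mysql.server copy.
# Usage: set_mysql_server_paths FILE BASEDIR DATADIR
set_mysql_server_paths() {
    tmp=$(mktemp) || return 1
    sed -e "s|^basedir=.*|basedir=$2|" \
        -e "s|^datadir=.*|datadir=$3|" "$1" > "$tmp" \
        && cat "$tmp" > "$1"        # cat, not mv: keeps the script's mode bits
    rc=$?
    rm -f "$tmp"
    return $rc
}

# The whole procedure from the post, in order.
install_mysql_tarball() {
    have_libaio || { echo "libaio missing: mysql_install_db will not run" >&2; return 1; }
    set_mysql_server_paths "$MYSQL_BASE/support-files/mysql.server" "$MYSQL_BASE" "$MYSQL_DATA" || return 1
    # Initialise the system tables under basedir/data ...
    (cd "$MYSQL_BASE" && scripts/mysql_install_db --user=mysql --basedir="$MYSQL_BASE") || return 1
    # ... then resync that data directory to /sql and fix ownership, just in case.
    mkdir -p "$MYSQL_DATA"
    rsync -a "$MYSQL_BASE/data/" "$MYSQL_DATA/" || return 1
    chown -R mysql:mysql "$MYSQL_DATA"
    "$MYSQL_BASE/support-files/mysql.server" start
}

# Usage: sh install-mysql.sh install
if [ "${1:-}" = "install" ]; then install_mysql_tarball; fi
```

The rsync step mirrors the post; passing --datadir=/sql to mysql_install_db directly would skip it, but then the post's "resync and chown" note would not apply.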

Since there will likely be a lot of records in Snorby and we want fast results, I use a RAM-heavy machine (64 GB) with a big InnoDB buffer pool size.

The configuration is below.

/etc/my.cnf
----------------------
[client]
port            = 3306
socket          = /sql/mysql.sock
default-character-set=latin5

[mysqld]
port            = 3306
socket          = /sql/mysql.sock
server-id       = 1140

skip-name-resolve
skip-slave

log-error=/sql/mysqld.log
pid-file=/sql/mysqld.pid
log-slow-queries=/sql/mysqld-slow.log
long_query_time=7

# Slave Relay Log Files Related:
relay-log=/sql/mysqld-relay-bin
relay-log-index=/sql/mysqld-relay-bin.index
relay-log-info-file=/sql/relay-log.info

expire_logs_days=15
#skip-locking
key_buffer = 8384M
max_allowed_packet = 5M
table_cache = 1024
sort_buffer_size = 2M
read_buffer_size = 2M
read_rnd_buffer_size = 8M
myisam_sort_buffer_size = 14M
thread_cache_size = 128
query_cache_size = 32M
thread_concurrency = 8
wait_timeout = 720

character-set-server=latin5

#binlog-do-db=mydating
#binlog-do-db=search
#log_bin_trust_function_creators = 1;

log-bin=mysql-bin
innodb_file_per_table

max_heap_table_size=512M
max_connect_errors=10000
max_connections=512

#default-character-set=latin5

default-storage-engine=INNODB
max_relay_log_size=100000000
innodb_buffer_pool_size=38000M
innodb_additional_mem_pool_size=25M
innodb_log_file_size = 768M
old_password=1
#innodb_force_recovery = 4

[mysqldump]
quick
max_allowed_packet = 16M

[mysql]
no-auto-rehash

[isamchk]
key_buffer = 256M
sort_buffer_size = 256M
read_buffer = 2M
write_buffer = 2M

[myisamchk]
key_buffer = 256M
sort_buffer_size = 256M
read_buffer = 2M
write_buffer = 2M

[mysqlhotcopy]
interactive-timeout
-------------------
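Before the database gets reached over the network by Barnyard2 and Snorby, it is worth a quick look at the settings in a my.cnf like the one above. The script below is an added example (not from the original post) that reads such a file and prints the findings a defender would want to revisit: old_password=1 (the post's spelling is an accepted prefix of old_passwords, and it makes new accounts get the pre-4.1 16-byte password hash), no bind-address or skip-networking (mysqld then listens on every interface on its port), and a missing skip-name-resolve (host-based grants are then matched against reverse DNS). It assumes the "key = value" / bare-flag syntax shown above and does not handle values containing '#'.

```shell
#!/bin/sh
# Added example, not part of the original post: audit a my.cnf for settings
# to revisit before exposing the Snort/Snorby database. Assumes the
# "key = value" / bare-flag syntax of the configuration above.

# Print the option lines of FILE with comments and blanks dropped, spaces
# around '=' removed and '-' turned into '_' (mysqld accepts both spellings
# of an option name, so the audit normalises to one).
mycnf_options() {
    sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e '/^$/d' -e 's/[[:space:]]*=[[:space:]]*/=/' "$1" \
    | awk -F= '{ k = $1; gsub(/-/, "_", k);
                 if (NF > 1) print k "=" $2; else print k }'
}

# Print one finding per line for FILE; return 0 only when there is none.
mycnf_audit() {
    opts=$(mycnf_options "$1")
    findings=0
    # old_passwords=1 ("old_password=1" above is an accepted prefix of it)
    # makes new accounts get the pre-4.1 16-byte password hash.
    if printf '%s\n' "$opts" | grep -Eq '^old_passwords?=1$'; then
        echo "old_passwords=1: pre-4.1 16-byte password hashes; remove it and use 41-byte hashes"
        findings=$((findings + 1))
    fi
    # Without bind_address or skip_networking mysqld listens on every
    # interface on its port (3306 in the configuration above).
    if ! printf '%s\n' "$opts" | grep -Eq '^(bind_address=|skip_networking$)'; then
        echo "no bind_address/skip_networking: mysqld listens on all interfaces"
        findings=$((findings + 1))
    fi
    # With name resolution on, host-based grants are matched against
    # reverse DNS answers, so access control depends on DNS.
    if ! printf '%s\n' "$opts" | grep -q '^skip_name_resolve$'; then
        echo "no skip_name_resolve: host-based grants depend on reverse DNS"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Usage: sh mycnf-audit.sh /etc/my.cnf
if [ -n "${1:-}" ]; then mycnf_audit "$1"; fi
```

Run against the configuration above it reports two findings (old_password=1 and the missing bind-address); skip-name-resolve is already set there.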

Since I use Ubuntu, my example follows it. We install the packages and dependencies below:

apt-get install apache2 ruby libzlib-ruby rdoc \
  irb rubygems rails eruby libapache2-mod-fcgid libfcgi-ruby1.8 \
  libmysql-ruby libdbd-mysql-ruby1.8 libapache2-mod-passenger git-core
 
Then we can install Snort: apt-get install snort
 
After this we configure Snort in /etc/snort/database.conf.
 
The idea is this: Snort's logging format changed, so we have to use Barnyard2 to
make it usable and add it to the DB. Barnyard2 converts the output into a suitable format
and inserts it into MySQL. Then Snorby analyzes it and shows the statistics.
 
In our case the MySQL path for the includes is /usr/local/mysql, so we pass that to configure.
We extract Barnyard2 and start the install:
./configure --with-mysql=/usr/local/mysql ; make ; make install
After installation we go to Snort's database config file, comment out the old line
and add the line below for unified2 log output. The plan is: Snort writes the output, Barnyard2
reads this output and inserts it into the DB.
 
output unified2: filename snort.out, limit 128
 
Restart the Snort service (or start it).
 
Then, for the Barnyard2 config, add the line below to the configuration; follow the example and explanations in the config file, it is easy to find.

output database: log, mysql, user=yourusername password=yourpassword dbname=snort host=dbhost
Then we start Barnyard2 too:
barnyard2 -c /usr/local/etc/barnyard2.conf -d /var/log/snort -f snort.out -D

Before adding -D you can run it without it, watch the event flow on screen and check the event table to confirm it is recording into the MySQL snort DB.
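Checking the flow by eye works once; for a sensor that should keep running, the checks below are an added example (not from the original post) of the same verification as a script: is Snort still writing unified2 files into /var/log/snort (the snort.out.<timestamp> files from the output line above), is barnyard2 running, is the barnyard2.conf that now holds the DB password in its "output database:" line kept unreadable for group and others, and how many rows the event table has. Paths are the ones used in the post's start command; the 10-minute freshness window is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post: health checks for the
# snort -> unified2 spool -> barnyard2 -> MySQL path configured above.
# Paths follow the post's barnyard2 command line; adjust to your setup.

SPOOL_DIR=/var/log/snort
SPOOL_BASE=snort.out
BY2_CONF=/usr/local/etc/barnyard2.conf

# Return 0 if a unified2 file (BASENAME.<timestamp>) in DIR was modified
# within the last MAX_MIN minutes, i.e. the sensor is still producing.
spool_fresh() {
    dir=$1; base=$2; max_min=$3
    find "$dir" -maxdepth 1 -name "$base.*" -mmin "-$max_min" 2>/dev/null | grep -q .
}

# The "output database:" line carries the DB password in clear text, so the
# file must not be readable by group or others. Return 0 when that holds,
# or when the file carries no password at all.
conf_secret_protected() {
    f=$1
    grep -q 'password=' "$f" || return 0
    go_bits=$(ls -ld "$f" | cut -c5-10)   # group+other part of the mode string
    case "$go_bits" in
        *r*|*w*) return 1 ;;
    esac
    return 0
}

# Run every check, print one line per result, return 0 only if all pass.
check_pipeline() {
    rc=0
    if spool_fresh "$SPOOL_DIR" "$SPOOL_BASE" 10; then
        echo "ok   spool: $SPOOL_DIR/$SPOOL_BASE.* updated within 10 min"
    else
        echo "FAIL spool: no recent unified2 file, is snort running?"; rc=1
    fi
    if pgrep -x barnyard2 >/dev/null 2>&1; then
        echo "ok   barnyard2 process running"
    else
        echo "FAIL barnyard2 not running"; rc=1
    fi
    if conf_secret_protected "$BY2_CONF"; then
        echo "ok   $BY2_CONF not group/world readable"
    else
        echo "FAIL $BY2_CONF holds the DB password but is group/world readable"; rc=1
    fi
    # Row count of the table barnyard2 inserts into; credentials are assumed
    # to come from ~/.my.cnf so no password appears on the command line.
    if command -v mysql >/dev/null 2>&1; then
        echo "events in snort DB: $(mysql -N -e 'SELECT COUNT(*) FROM event' snort 2>/dev/null || echo 'query failed')"
    fi
    return $rc
}

# Usage: sh by2-check.sh check
if [ "${1:-}" = "check" ]; then check_pipeline; fi
```

Once Snorby is in place and Barnyard2 writes to its database instead, change the dbname in the mysql call accordingly.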

Now we have MySQL/Snort/Barnyard2 ready for Snorby.

The example shows Ruby 1.9.2; as I write this, the latest stable is 1.9.3.

apt-get install git-core default-jre
 
apt-get install imagemagick libmagickwand-dev wkhtmltopdf 
 
apt-get install gcc g++ build-essential libssl-dev libreadline-gplv2-dev zlib1g-dev \
  linux-headers-generic libsqlite3-dev libxslt1-dev libxml2-dev libmysqlclient-dev \
  libmysql++-dev
 
 
cd /usr/local/src/ 
 
wget http://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.2-p290.tar.gz 
 
tar xvzf ruby-1.9.2-p290.tar.gz 
 
ln -s ruby-1.9.2-p290 ruby 
 
rm -rf ruby-1.9.2-p290.tar.gz 
 
chown root:root -R ruby-1.9.2-p290/ 
 
cd ruby/ 
 
./configure 
 
make 
 
make install 
 
cd /usr/local/src/ruby/ext/openssl 
 
ruby extconf.rb 
 
make && make install
 
cd /usr/local/src/ruby && ruby -v
  ruby 1.9.2p290 (2011-07-09 revision 32553) [i686-linux]
 
So Ruby is all set.

cd /usr/local/src/ruby
 
gem install thor i18n bundler tzinfo builder memcache-client rack rack-test erubis mail text-format sqlite3 
 
gem install rack-mount 
 
gem install rails 
 
gem install rake
 
 
#for me rails is 3.2.2 
rails -v
  Rails 3.1.1 
 
gem install rubygems-update
 
update_rubygems
 
cd /var/www/ 
 
git clone http://github.com/Snorby/snorby.git
 
vi /var/www/snorby/config/database.yml
 
bundle install --deployment 

rake snorby:setup
 
I got this error:
 
(in /var/www/snorby)
/usr/local/lib/ruby/1.9.1/yaml.rb:56:in `':
It seems your ruby installation is missing psych (for YAML output).
To eliminate this warning, please install libyaml and reinstall your ruby.
rake aborted!
You have already activated rake 0.9.2.2, but your Gemfile requires rake 0.9.2. 
Using bundle exec may solve this.

(See full trace by running task with --trace)
 
Then run it as the message suggests:
 
bundle exec rake snorby:setup
 
Then it worked and created the Snorby DB.
 
Also, as a note: the setup requires the MySQL socket to be located at '/var/run/mysqld/mysqld.sock' (our my.cnf puts it at /sql/mysql.sock, so the (2) in the error means it was not found there).
After setting up Snorby and checking the DB in MySQL, we go on.

Then we start Snorby with rails s -d (daemon mode), and Snorby can be reached at ip:3000.

If everything works fine, your worker is up and running. Also point your Barnyard2 at the new snorby DB rather than the snort DB; otherwise the worker shows red and does not work in Snorby.

So that's it!

Have fun customizing Snort and the rest :)
 


For my setup I also have ntop on the same machine.

Note: for some of the info I used the Ubuntu 11.10 Snorby documentation submitted on the GitHub site.


