Powered by Blogger.

Snort+barnyard2+Snorby CentOS 6.5_64 Installation

#download packages:


#install yum package
rpm -ivh epel-release-6-8.noarch.rpm
yum install gcc-c++ patch readline readline-devel zlib zlib-devel flex git
yum install libyaml-devel libffi-devel openssl-devel make 
yum install bzip2 autoconf automake libtool bison iconv-devel libxml2-devel libxslt 
yum install gcc g++ build-essential libssl-devel libreadline5-devel zlib1g-devel linux-headers-generic libsqlite3-devel libxslt-devel curl-devel sqlite-devel
yum --enablerepo=epel install jasper jasper-libs jasper-devel

#Mysql install
yum remove mysql mysql-libs
rpm -ivh MySQL-server-5.5.40-1.rhel5.x86_64.rpm
rpm -ivh MySQL-client-5.6.21-1.rhel5.x86_64.rpm
rpm -ivh MySQL-devel-5.6.21-1.rhel5.x86_64.rpm
rpm -ivh MySQL-shared-5.6.21-1.rhel5.x86_64.rpm

#Mysql config
service mysql start
mysqladmin -u root password
"input password"

#snort install
libpcap:  yum install libpcap*
pcre: yum install pcre*
libdnet: yum install libdnet*
daq: ./configure ; make ; make install
snort: ./configure --enable-sourcefire ; make ; make install

#snort config
mkdir /etc/snort/etc
cd /tmp/snort-
cp *.* /etc/snort/etc
tar xvf snortrules-snapshot-2962.tar.gz 
cp -R rules/ /etc/snort/
cp -R so_rules/ /etc/snort/ 

#snort create config file for snort (when you update the rule, you need to re-run the script)
tar xvf oinkmaster-2.tar.gz
cd /tmp/oinkmaster-2.0/contrib
./create-sidmap.pl /etc/snort/rules > /etc/snort/etc/sid-msg.map
cat /etc/snort/etc/sid-msg.map | awk -F '|' '{print "1 || "$1" || "$3}' > /etc/snort/etc/gen-msg.map

#snort make test rules 
mkdir /var/log/snort
cd rules
touch black_list.rules
touch white_list.rules
vi local.rules 
"alert icmp any any -> $HOME_NET any (msg: "ICMP test"; sid: 1; rev: 1;)"

#barnyard2 install
tar xvf barnyard2-2.1.13
cd /tmp/barnyard2-2.1.13/
./configure --with-mysql --with-mysql-libraries=/usr/lib64 ; make ; make install

#barnyard2 config
mkdir /var/log/barnyard2
touch /var/log/barnyard2/barnyard2.waldo 
cd /tmp/barnyard2-2.1.13/etc 
cp barnyard2.conf /etc

#install snorby request
ImageMagick: ./configure ; make ; make install
ldconfig /usr/local/lib

Wkhtmltopdf: rpm -ivh wkhtmltox-0.12.1_linux-centos5-amd64.rpm

#in order to ignore the ssl error
export GIT_SSL_NO_VERIFY=true
echo insecure >> ~/.curlrc

#install ruby
cd /tmp
tar xvf ruby-1.9.3-p547.tar.gz
cd ruby-1.9.3-p547
./configure ; make ; make install
curl -L get.rvm.io | bash -s stable
source /etc/profile.d/rvm.sh
rvm install 1.9.3

#install sornby
export GIT_SSL_NO_VERIFY=true
git clone https://github.com/Snorby/snorby.git /var/www/snorby
gem install tzinfo builder memcache-client rack rack-test erubis mail text-format bundler thor i18n sqlite3-ruby rdoc sqlite3 rails rack-mount
bundle install

cp database.yml.example database.yml
cp snorby.yml.example snorby.yml
vi database.yml
vi snorby.yml
vi /script/rails

bundle exec rake snorby:setup

#start the system
service iptables stop
snort -c /etc/snort/etc/snort.conf -i eth0
/usr/local/bin/barnyard2 -c /etc/barnyard2.conf -d /var/log/snort/ -f snort.log
cd /var/www/snorby
bundle exec rails server -e production

username: snorby@snorby.org
password: snorby
    Blogger Comment
    Facebook Comment