EDIT **01/23/2011** New Version Available (0.6.0) Changed info below to reflect
Hey everyone. I am proud to announce the creation of my first turnkey-linux TKLpatch!
Insta-Snorby is a new appliance that is essentially a fully-ready snort solution out of the box. The ISO still needs some slight tweaks but I've published the source and full overlay at https://github.com/Snorby/insta-snorby under GPLv3
The ISO can be found here:
I was new to turnkey-linux starting this week so I want to thank the core devs and this community for doing such a great job with documentation and putting up their own TKL examples.
Hopefully you guys find this useful! Don't be shy with bugs, feedback and other issues you might encounter!
The appliance is designed for users who want to test Snorby 2.2.1 (a new Snort IDS front-end) or need a quick and dirty snort sensor installed.
It comes with the following:
- Snort 188.8.131.52 - The latest version of the popular Intrusion Detection System
- Barnyard 2.19 - An application that deciphers Snort unified2 logs and puts them into the snorby database
- Snorby 2.2.1 - The IDS front-end
- OpenFPC - Full packet capture monitoring
- Pulled Pork 0.5 - IDS rule update management
The installation process will walk you through setting up the MySQL server and ask you to put in your "Oinkcode" which will automatically download the latest VRT rules (the sigs that power the IDS) from SourceFire. Emerging Threat rules (another popular rules distro) are already downloaded and enabled.
To use the appliance effectively, you can do one of the following:
- In a VM bridge eth0 with the interface on the host you want to monitor
- Use a physical server and attach it to a network tap or a mirrored port on your switch
Once the appliance is installed you simply browse you https://<ip> and login with the following credentials.
Read more at the following places
Snorby home-page - http://snorby.org
Latest Snorby Blog Post - https://lookycode.com/posts/5-New-Snorby-2-2-1-and-Insta-Snorby-0-6-0!-
New Features since 0.5.0
- Added option to enable pulled pork to automatically update rules
- Added setup screen to choose interface you would like Snort,Barnyard2, and OpenFPC to run on
- Added timezone selection screen
- Added seamless authentication to OpenFPC installation from Snorby
Enhancements since 0.5.0
- Upgraded Snorby from 2.1.0 to 2.2.1
- Upgraded to Barnyard 1.9 branch
- Upgraded to Snort 184.108.40.206
Bug Fixes since 0.5.0
- Fixed production log permissions issue
- Fixed bug that did not restart Snorby workers on subsequent reboots
- Fixed issue with ruleset that was not showing VRT alert names in Snorby
- Changed default Snorby mail address to actual .localdomain