TurnKey Linux Virtual Appliance Library

Insta-Snorby, the Official Snort + Snorby Turn-Key Solution!

EDIT **01/23/2011**: New version available (0.6.0). Changed the info below to reflect it.

Hey everyone. I am proud to announce the creation of my first turnkey-linux TKLpatch!

Insta-Snorby is a new appliance that is essentially a fully-ready snort solution out of the box. The ISO still needs some slight tweaks but I've published the source and full overlay at https://github.com/Snorby/insta-snorby under GPLv3.

The ISO can be found here: 

http://www.snorby.org/Insta-Snorby-0.6.0.iso

I was new to turnkey-linux starting this week so I want to thank the core devs and this community for doing such a great job with documentation and putting up their own TKL examples.

Hopefully you guys find this useful! Don't be shy with bugs, feedback and other issues you might encounter!

The appliance is designed for users who want to test Snorby 2.2.1 (a new Snort IDS front-end) or need a quick and dirty snort sensor installed.

It comes with the following:

  • Snort 2.9.0.3 - The latest version of the popular Intrusion Detection System
  • Barnyard 2.19  - An application that deciphers Snort unified2 logs and puts them into the snorby database
  • Snorby 2.2.1 - The IDS front-end
  • OpenFPC - Full packet capture monitoring
  • Pulled Pork 0.5 - IDS rule update management

The installation process will walk you through setting up the MySQL server and ask you to put in your "Oinkcode" which will automatically download the latest VRT rules (the sigs that power the IDS) from SourceFire. Emerging Threat rules (another popular rules distro) are already downloaded and enabled.

To use the appliance effectively, you can do one of the following:

  1. In a VM bridge eth0 with the interface on the host you want to monitor
  2. Use a physical server and attach it to a network tap or a mirrored port on your switch

Once the appliance is installed you simply browse to https://<ip> and log in with the following credentials.

user: snorby@snorby.org
password: snorby

Read more at the following places

Snorby home-page - http://snorby.org

Latest Snorby Blog Post - https://lookycode.com/posts/5-New-Snorby-2-2-1-and-Insta-Snorby-0-6-0!-

New Features since 0.5.0

  • Added option to enable pulled pork to automatically update rules
  • Added setup screen to choose interface you would like Snort, Barnyard2, and OpenFPC to run on
  • Added timezone selection screen
  • Added seamless authentication to OpenFPC installation from Snorby

Enhancements since 0.5.0

  • Upgraded Snorby from 2.1.0 to 2.2.1
  • Upgraded to Barnyard 1.9 branch
  • Upgraded to Snort 2.9.0.3

Bug Fixes since 0.5.0

  • Fixed production log permissions issue
  • Fixed bug that did not restart Snorby workers on subsequent reboots
  • Fixed issue with ruleset that was not showing VRT alert names in Snorby
  • Changed default Snorby mail address to actual .localdomain

Comments and Questions

First, I am really looking forward to testing out your appliance.  I am struggling with a snort install at the moment.  Thank you for sharing this with the community.  

Second, what can you tell us about this appliance?  What would a security novice need to know to get this thing deployed.  For example:

  • Is it designed for a mirror port with a LAN sensor?
  • Is it configured with multiple network interfaces for the sensor(s) and web-interface?
  • What mode is it set up in?
  • Any special administrative notes?

You might be able to leverage the Dev Wiki as well as this forum for info.

http://wiki.turnkeylinux.org/

http://wiki.turnkeylinux.org/TKLPatch/Patches

*On a side note, your ISO download link doesn't appear to be working at the moment.

Answers

Thanks for the heads up on the download link. Looks like github only lets the downloads work when you click the link on their site.

Here is a mirror http://rootedyour.com/enhanced/Insta-Snorby-0.4.iso

To answer your questions.

The appliance is designed for users who want to test Snorby 2.0 (a new Snort IDS front-end) or need a quick and dirty snort sensor installed.

It comes with the following:

  • Snort 2.9.0.2 - The latest version of the popular Intrusion Detection System
  • Barnyard 2.18  - An application that deciphers Snort unified2 logs and puts them into the snorby database
  • Snorby 2.0.0 - The IDS front-end

The installation process will walk you through setting up the MySQL server and ask you to put in your "Oinkcode" which will automatically download the latest VRT rules (the sigs that power the IDS) from SourceFire. Emerging Threat rules (another popular rules distro) are already downloaded and enabled.

To use the appliance effectively, you can do one of the following:

  1. In a VM bridge eth0 with the interface on the host you want to monitor
  2. Install a network tap on eth0 on the server you want to monitor (you can change the default interface in /usr/lib/inithooks/everyboot.d/88snortstart)

Once the appliance is installed you simply browse to https://<ip> and log in with the following credentials.

user: snorby@snorby.org
password: snorby

You can read more about the new snorby at https://lookycode.com/posts/2-Bye,-Bye-BASE--Sup-Snorby----2-0!

I hope this answers your questions!

Thanks! Another Deployment Question.

Snorby 2.0 is very intuitive, it is nice work.

I am having some trouble setting up the Snorby appliance with the bond between eth0 (LAN) and eth1 (SPAN/mirror port). Snort only logs the events specific to the appliance, rather than for all traffic events traversing the network when testing with NMAP.  I may be going about this all wrong or misunderstood directions.  

Assuming most people have devices with port mirroring, what is the ideal way to deploy this VM to monitor LAN events?

Monitor eth1

Alright so if I understand you correctly, you have two interfaces on turnkey, eth0 (default LAN) and eth1 (which is traffic coming from a mirrored port on the switch).  You say you want snort to monitor all traffic from eth1.

If the above is correct all you need to do is specify -i eth1 as an option to snort's startup. The startup script is located at /usr/lib/inithooks/everyboot.d/88snortstart

Change

/usr/local/bin/snort -g snort -u snort -c /etc/snort/snort.conf -D

to

/usr/local/bin/snort -g snort -u snort -c /etc/snort/snort.conf -i eth1 -D

Problems Changing Sensor to Eth1

I removed the VM bond and changed the snort configuration file as you suggested above.  However, I still have the same problem where snort/snorby are only monitoring eth0 instead of eth1.

I did some additional research and modified the Ubuntu /etc/network/interfaces configuration file from DHCP to the following:

auto eth1
iface eth1 inet manual

After running "ifconfig" in the terminal, I can see a massive number of RX and TX packets on eth1, so I believe the eth1 network interface settings are correct. Then, I ran "snort -i eth1 -v" and received all the packets traversing eth1 in the terminal.

However, for some reason, the change to the startup script you recommended above isn't getting picked up by Snorby (or isn't holding in Snort). The sensor still shows "localhost:eth0" in Snorby.  I ran a couple NMAP scans on different IP addresses and can verify Snorby is only monitoring eth0. 

I know I am getting close.  Am I missing a simple snort/snorby modification?

Oh I forgot one last thing.

Oh I forgot one last thing. In the Barnyard config /etc/snort/barnyard2.conf change the interface listed there from eth0 to eth1. Restart barnyard and it will show the correct config in Snorby.

I hope that helps!

Is it required that a sensor

Is it required that a sensor have an IP?

I have Snorby installed in ESXi 4.1 with eth0 as part of the vlan 4095 on my WAN vSwitch, which from what I understand is just like having a mirrored port. Since my ISP gives me 1 dhcp IP I have not assigned the Snorby eth0 an IP in fear of breaking my connection. Will not having an IP stop me from utilizing Snorby?

Directions for XenServer

There may be an easier way to do this, but below are the steps I followed to configure Snorby 0.6 on a Citrix XenServer.  You will need a server with at least a dual-NIC.

  • Configure SPAN/Mirror port on switch
  • Plug SPAN/Mirror connection into Eth1 on XenServer
  • On Xen Hypervisor console type:
brctl setageing xenbr1 0
  • Install Snorby 0.6 from ISO on XenServer using "Other Install Media" template
  • Configure accordingly and choose to monitor Eth0 (the Snorby VM can't see the bridge yet on Eth1 from XenServer)
  • After completing the installation of the Snorby VM, update configuration files using the commands below, changing "eth0" to "eth1"
nano -w /etc/snort/barnyard2.conf
nano -w /usr/lib/inithooks/everyboot.d/88snortstart

Now XenServer will make all the mirror port traffic available to guests and the Snorby VM will be monitoring it over Eth1.  Visit the Snorby web interface and you should start seeing it populate with events.  

Directions were adapted from the link below:

http://support.citrix.com/article/CTX116204

Snorby Logon Problem

Hi, I installed insta-snorby successfully; this is the information:
SSH/SFTP: root@192.168.0.155 (port 22)
Snorby (IP): https://192.168.0.155
Default User: snorby@snorby.org
Default Password: snorby

So when I want to log on with Firefox, the default login and password do not seem to be accepted.
This is the message: the request failed to complete successfully

How can this problem be solved?!

Snorby Logon Problem

I too am having the same issue. Installed it and on login I get the same issue.

Anyone seen this before?

Liraz Siri

Delightful! This will make a great addition to the library

Many thanks for taking the effort to put this together and sharing the TKLPatch with the community. This kind of cross project open source collaboration is our dream come true for TurnKey.

On a personal note, Alon and I come from a security background so we have a soft spot for security related applications. We look forward to adding Snorby officially to the TurnKey library.

It helped me identify an infected PC today...

Set it up yesterday on old spare laptop, connected it to the mirror port on my switch, and the first severe alert was a PC infected with a rootkit.

Quick and easy to install, and results just as fast.

Thank you.

working well for me under ESXi

Thank you.

what adapter type are you using for your esxi setup?

Trying to get this to work in our ESXi environment, I think I'm pretty close, what adapter type are you using, flexible?

Thanks, Brian

changing smtp config

Hi there,

Great distro, can't believe how easy it was to get a full IDS up and working. Nice work.

I need to specify an SMTP host for sending email; can you provide a little information on how the mail side of things is configured? I can see the four mail files in /var/log/ but they are empty.

Thanks in advance

Steve

Dervman, Snorby uses

Dervman,

Snorby uses sendmail to send mail reports which I believe can be configured as an SMTP server or you can relay it to an existing one.

Version 0.5 of the ISO comes with sendmail preconfigured; it can be found at http://www.snorby.org/Insta-Snorby-0.5.iso

Props and question

Wicked cool turnkey distro, this is exactly what I needed to test and get versed enough to drop in a solution. I think the automation scripts are quite nice and I have to admit this is the easiest system to setup yet. I have been able to figure what I needed to do in order to get two sensors going on the system (five nics - one management, two bridges *passive - w00t!*). I have a tricky environment where I have to pretend I'm not dropping a sniffer in place, stupid I know but hey that's the way it is.

It was weird that I had to change the barnyard2.conf config interface three times and reboot after each change to get each nic to show up (eth0, br0, br1) but they all now show and work properly. That might be something to look at.

My question is specifically about the rules updates, are those automated? I know the security updates can be set to be automatic. I've already entered my oinkcode and got the initial update.

Thanks and nice work!

Zuasive, Thanks for the

Zuasive,

Thanks for the comments and props! 0.5 was released a little while ago, so if you are using 0.4 please check out http://www.snorby.org/Insta-Snorby-0.5.iso which features some minor bug fixes and OpenFPC support. Read more here (https://lookycode.com/posts/3-Snorby-2-0-1-&-Insta-Snorby-0-5-Released)

Regarding the interface stuff, my next version of the ISO is going to have an interface picker and allow you to either install snorby, the IDS, or both. If you install just the IDS it will ask where your Snorby install is and DB credentials. 

Additionally the version of Barnyard sometimes hiccups on Snort 2.9 unified logs so the next version will feature Barnyard2's 1.9 stable branch which should fix that as well.

Regarding rule updates, there isn't anything in there yet that does this automatically but the next release will feature Pulled Pork, which will automatically download the latest ET and VRT rules with your oinkcode.

Mephux and I are hoping to release by the end of the month. I'll post on this board when that happens.

Thanks for the support!

Multiple interfaces no longer monitored

Cool, I just now feel like I'm cutting my teeth when it comes to open source and Linux (I've only been working with it for about two years now). Projects like yours just make it all the easier to learn and understand.

Now to the problem; I followed your suggestion and downloaded the latest install 0.5 and ran into a problem with the interfaces this time. Now it doesn't seem to watch both of my bridge interfaces.

I modified the /usr/lib/inithooks/everyboot.d/88snortstart and changed the startup code to look like this.

/usr/local/bin/snort -g snort -u snort -c /etc/snort/snort.conf -i any -D

That's what worked in the previous version along with the strange barnyard2.conf changes. If you want to know my entire process you can see it here.

I posted it on my blog so hopefully it's cool. http://use.theknack.net/?page_id=59

0.6.0 is out!

Hey I released 0.6.0 (get it at http://snorby.org/), here's the changelog from 0.5.0

New Features since 0.5.0

  • Added option to enable pulled pork to automatically update rules
  • Added setup screen to choose interface you would like Snort, Barnyard2, and OpenFPC to run on
  • Added timezone selection screen
  • Added seamless authentication to OpenFPC installation from Snorby

Enhancements since 0.5.0

  • Upgraded Snorby from 2.1.0 to 2.2.1
  • Upgraded to Barnyard 1.9 branch
  • Upgraded to Snort 2.9.0.3

Bug Fixes since 0.5.0

  • Fixed production log permissions issue
  • Fixed bug that did not restart Snorby workers on subsequent reboots
  • Fixed issue with ruleset that was not showing VRT alert names in Snorby
  • Changed default Snorby mail address to actual .localdomain

RE - 0.6.0

Yep, I checked back frequently looking forward to all of the additions. Setup worked well although I had to make a manual change to the timezone since I'm on EST. All the additions are awesome, I checked your scripts to see what files were being modified for the interfaces as well so I could do my custom setup.

I think my usage is unique though since I'm using multiple interfaces. Snorby and Barnyard still end up going pear shaped on me and not updating properly after a day's worth of use. I can get it to detect my devices and it appears that the -i any switch does work in the 88snortstart. I actually created two other snort folders for the barnyard2.conf file so I could setup each interface due to many instructions suggesting that. It works alright after modifying the 88snortstart script for a short while and then just stops for some odd reason.

Are there any logs you can suggest I check into?

Snorby Server Error

After a couple days of running the Snorby appliance, the web interface stops working, generating a server error. I have had this happen in VirtualBox and XenServer on four total occasions using 0.6, but not the 0.5 or 0.4 versions. Rebooting doesn't correct it. My only modifications to the appliance were to change the username/password of the default administrator and company name. The appliance still sends daily reports and Snort appears to be working properly.

Has anyone else experienced this?  Is there a solution or a trigger?

Snorby errors

I get them after updating the system. Must be a package update that's causing this. I'm just not going to update until I can figure out what package it is.

Insta snorby tweaking

Alright so I've been tweaking with the configs for well all day now and I believe I have a setup that works for me. First it appears that I cannot get more than two interfaces monitored (which is cool, I only have two bridges anyway). Basically that took some manipulation of your already existing 88snortstart script as well as copying the snort directory over into a new snortbr0 directory. It appears to be running on both bridged interfaces now and I'm waiting to see if it actually updates the web interface.

Okay, verified it is working again, though only monitoring two interfaces; a third doesn't want to spawn no matter what. Also, when I changed the barnyard2 config file I can now tell that it kept the old label. Next I'll change the sensors being displayed.

Almost forgot: the timezone configuration was my fault, I selected etc at the initial setup.

Kernel Panic

I tried to use this latest InstaSnorby and I am getting Kernel Panic.

I am using ESX 4.1. I tried swapping the various HD Controllers, but that doesn't seem to resolve the issue. Doesn't look like I can upload images, so I will type out what my screen shot shows.

udevadm[512]: segfault at 2 ip 00000002 sp bfe55a74 error 4 in ld-linux.so.2[460000+1b000]

squashfs: version 4.0 (2009/01/31) Phillip Lougher

init[1]: segfault at 5 ip 00000005 sp bfe6e944 error 4 in libnih.so.1.0.0[38e000+12000]

Kernel panic - not syncing: Attempted to kill init!

Pid: 1, comm: init Not tainted 2.6.32-25-generic #44-Ubuntu

There is more, but I don't know if it is relevant, this seemed to be the most relevant. Any ideas?

Works with ESXi 4.1 just fine ironically enough.
Jeremy

Some others have reported issues with TKL v11.x & ESX/ESXi 4.1

But for some it is fine. Strange that it works for you on ESXi but not ESX! The thread I am referring to is here. The workaround that worked for the poster there was to disable 'acceleration' during boot and re-enable it afterwards; see if that works.

Alon Swartz

TurnKey 11.1 is optimized for VM happiness

TurnKey 11.1 VMDK and OVF builds have been optimized for virtualization (linux-virtual kernel, vmware-tools); for more information see build types.

Please note that we re-built and re-uploaded new 11.1 images after a bug was reported. The updated 11.1 images are now reported to work without issue on ESX 4.1 and other platforms.

Regarding TKLPatch'ed ISOs, you might want to swap out the generic kernel for linux-virtual instead if the workaround JedMeister mentioned doesn't work for you. BTW, Snorby will most likely make it into Part II of 11.1, which will come with VM optimized images.

Bitness?

I realize that it's probably a bit late for any help, but just to help anyone else googling for this: it could be a matter of the bitness of the OS. I've just had a similar problem on a 64 bit ESXi (not ESX) server where Ubuntu 10.04 32 bit refused to install at all. Changing to a 64 bit version resolved the problem. HTH.

Dashboard numbers not updating

The numbers on the Dashboard page are not updating but events are coming in. Please help.

Hmmm

Are the jobs running in the admin job queue? To check follow these steps:

  1. Click on the big red "administration" menu in the top left corner
  2. Once the next page loads click the "Administration Menu" and select "Worker & Job Queue" 
  3. Verify there is a green "OK" under status
  4. If so, restart both workers. If not, re-add both workers to the job queue.

If the above doesn't work, can you give me more information? Has the dashboard ever updated or is this a recent problem?

Workers

This is a brand new install it updated page once and then nothing after that. How do you restart the workers?

There is a button next to the

There is a button next to the administration menu that says "restart workers" with a blue arrow.

Try that.

I restarted the Workers

I have tried, and the dashboard still shows the original numbers even though when I drill down in the categories there are way more than the dashboard indicates.

Dashboard refreshes every 30

Dashboard refreshes every 30 min or so, so there is always a slight discrepancy.

Still not working

The dashboard still isn't updating, and I noticed that all new events have yesterday's date and a time in the middle of the day yesterday, even though the system time and date are correct. Please help :(

Time

I also notice the hardware clock of the machine is correct but time on events in Snorby is like an hour off...

Jeffrey, Is your timezone

Jeffrey,

Is your timezone configured correctly? Does the output of the `date` command match the local time AND the local timezone?

I have solved this issue

I believe the issue is I had it monitoring an entire vlan's traffic, which was choking it since it would see all traffic between machines as well as incoming and outgoing traffic. Once I had it only see traffic leaving and coming in my network all seems to be well with this.

md5

Could I get the md5 for the insta-snorby 0.6.0

af48d237ec03a905a0154c1128d27

af48d237ec03a905a0154c1128d27536

Thanks So Much

I just wanted to verify I got a good download since the file is smaller than it says it should be on the site.

Events

I have it setup and monitoring incoming and outgoing traffic and events it sees are really high and when I drill down most of them are false positive. Is there a way to have it mark these type of event going forwards or not show them all?

Not yet. Tuning rulesets for

Not yet. Tuning rulesets for your environment is an entirely different subject matter in itself. If you find a rule to be noisy the best is to comment it out in the local.rules file by its unique ID.

Snorby reads from the Snort DB after Snort has already written there so auto-classification of rules is not available until we can come up with solution.

Where would you go to comment it out?

Sorry I am new to this and trying to learn how to work with what I find to be a very nice app. Just need to tune it down some since some of the alerts are very noisy. I got over 16k hits on the noop rule which is killing me.....among a few others.

Tuning Question

Also, what if I didn't want to comment out the rule but just change it so that it reports at a lower severity? Is that possible?

Rules

I can't seem to find where the Low Severity rules

http_inspect: LONG HEADER

stream5: TCP window closed before receiving data

are defined, and these are hammering my server. Any ideas? I tried grep for the ID and got nothing, but they must be defined somewhere.
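An added example (not from this thread or the Snorby project) of the two tuning edits the replies above describe: commenting out a rule in local.rules by its SID, and, instead of silencing it, lowering its severity by setting the `priority:` rule option (1 is highest), which Snort carries in the event record and front-ends such as Snorby use for the severity label. The sample rules are constructed, and the location of local.rules on the appliance is not given on this page, so the functions take and return rule text and leave reading and writing the file to the caller. The helpers key on `sid:`, so they cover rules that carry one; the http_inspect and stream5 alerts asked about in the post above come from the preprocessors configured in snort.conf (with decoder/preprocessor rules enabled they are listed with a gid in preprocessor.rules), not from local.rules.

```python
import re

# Constructed sample rules in Snort syntax (not from the appliance's rule set).
SAMPLE_RULES = """\
alert tcp any any -> any 80 (msg:"CONSTRUCTED web probe"; content:"probe"; sid:1000001; rev:1;)
# alert udp any any -> any 53 (msg:"CONSTRUCTED already disabled"; sid:1000002; rev:1;)
alert ip any any -> any any (msg:"CONSTRUCTED nop sled"; content:"|90 90 90 90|"; classtype:shellcode-detect; sid:1000003; rev:2;)
alert tcp any any -> any 22 (msg:"CONSTRUCTED ssh probe"; priority:1; sid:1000004; rev:1;)
"""

SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
PRIORITY_RE = re.compile(r'\bpriority\s*:\s*\d+\s*;')


def rule_sid(line):
    """SID of an active rule line; None for blank lines, comments and lines without sid:."""
    stripped = line.strip()
    if not stripped or stripped.startswith('#'):
        return None
    m = SID_RE.search(stripped)
    return int(m.group(1)) if m else None


def disable_rules(text, sids):
    """Comment out every active rule whose SID is in `sids`; everything else is kept verbatim."""
    out = []
    for line in text.splitlines():
        out.append('# ' + line if rule_sid(line) in sids else line)
    return '\n'.join(out) + '\n'


def set_priority(text, sids, priority):
    """Set priority:<n> (1 = highest) on the active rules whose SID is in `sids`.
    An existing priority option is rewritten; otherwise one is inserted before sid:."""
    out = []
    for line in text.splitlines():
        if rule_sid(line) in sids:
            if PRIORITY_RE.search(line):
                line = PRIORITY_RE.sub('priority:%d;' % priority, line)
            else:
                line = SID_RE.sub(lambda m: 'priority:%d; %s' % (priority, m.group(0)), line, count=1)
        out.append(line)
    return '\n'.join(out) + '\n'


def active_sids(text):
    """SIDs of the rules still enabled in `text`, useful to confirm an edit took."""
    return sorted(s for s in (rule_sid(l) for l in text.splitlines()) if s is not None)


if __name__ == '__main__':
    quieter = disable_rules(SAMPLE_RULES, {1000003})   # silence the noisy nop rule
    quieter = set_priority(quieter, {1000004}, 3)      # demote the ssh probe to low severity
    print(quieter)
    print('still active:', active_sids(quieter))       # [1000001, 1000004]
```

Keep a copy of the original file before writing the result back, and restart Snort afterwards so the edited rule set is loaded; `active_sids` on the written file is a quick way to confirm the intended SIDs are the ones that went quiet.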

local.rules Location?

Where is the local.rules file?

Dashboard question

Today and Yesterday show stats but none of the rest do is there a reason this would happen?

Best way to handle DB size

First thanks for the insta-snorby build! I was wondering what the best way for managing DB size/disk usage is. I created a 30GB VM, which after about 4 days is just about full. Any suggestions on the best way to prune events from the DB(s) after X days? Also, what's the best way to dump the DBs and start with some nice clean slates?

Thanks!

Daily Emails

Is it possible to change the time the emails are sent out each day? If so how?

motd

Is there any way to remove the standard MOTD you get when you login? i.e. remove and prevent:

Linux xxx 2.6.32-28-generic #55-Ubuntu SMP Mon Jan 10 21:21:01 UTC 2011 i686 GNU/Linux
Ubuntu 10.04.2 LTS
Welcome to Ss01, TurnKey Linux 11.0rc / Ubuntu 10.04 Lucid LTS

  System information (as of Wed Feb 09 11:29:11 2011)
 
    System load:  0.00              Memory usage:  10%
    Processes:    115               Swap usage:    0%
    Usage of /:   4.0% of 63.91GB   IP address for eth0:  xxxxxxxxxx
 
  TKLBAM (Backup and Migration):  NOT INITIALIZED
 
    To initialize TKLBAM, run the "tklbam-init" command to link this
    system to your TurnKey Hub account. For details see the man page or
    go to:
 
        http://www.turnkeylinux.org/tklbam


Welcome to Ubuntu!
 * Documentation:  https://help.ubuntu.com/

I've tried deleting /etc/motd without success.

Jeremy

A quick google turned this up

Here, which should solve your issue hopefully (TKL v11.x is based on Ubuntu 10.04).

Yes, that worked. Thank you

Yes, that worked. Thank you very much.

Another with dashboard issues

Installed Insta Snorby .6 without issue yesterday. It was successfully monitoring and updating the dashboard. However after switching the monitoring interface from eth0 to eth1, it has stopped updating, but the events are still listed under the events list. I've tried deleting the workers and re-adding them as well as simply restarting. Any ideas?

Another issue is with the time. It seems that snorby time is stuck at +6 hours ahead of actual local server time.

Both of these are with the stock Insta Snorby .6.

Exactly the same problem.

I have the exact same problem/scenario going on with mine as well.

Did you solve the dashboard issue?

I have the same issue right now, I spent the last 3 days troubleshooting the stunnel... after upgrading barny2 to 1.9 everything worked pretty good, but now events are going in and the dashboard hangs around in the future...

greets

mike

Possible Cause

I am not sure this is the issue, but I think restarting snort without a full reboot was the trigger that caused my dashboard to stop populating.

Question

I have a question, how hard would it be to add Hogwash? I'd really like to turn this into an IPS if at all possible. I have the IDS working great, now I wonder if I can take it a step further.

Thanks

Cool .iso, very helpful for

Cool .iso, very helpful for me in evaluating how snorby will do in my environment.  I have one bug report:

The setup script tries to do rule updates before it lets you configure interfaces. Since the only interface that's up before I statically configure eth1 is lo, this is worse than useless.

old records??!!

Hi,

thanks for this wonderful product -- only one question I have: how to clean-up after a while?

I have more than 4 million records as alerts, 99.99% are false positives anyway, how can I get rid of those?

Thanks!

SSH and Snorby Management Port

The Install of this set of software is great - thanks.

Have set up an eth0 nic as the management port, and set up an eth1 nic as the sensor, and the splash screen on the server screen confirms this.

However, can only connect via ssh or view snorby on the sensor card eth1, and these both fail when I direct a lot of traffic to the sensor nic.

Can you tell me where the config file for Snorby/SSH is so I can force it to eth0?

Thanks

sshd config

located at:

/etc/ssh/sshd_config

RE: SSH and Snorby Management Port

Having the same issue as Paul R.

eth0 picks up an IP from DHCP, but I can't reach it via SSH. It should be set up as the management port and eth1 as the sensor, but http://eth0IP goes nowhere while http://eth1IP takes me to the management page. The management page indicates that eth1 is the sensor.

Any idea how to fix this?

SSH and Snorby Management Port

Well, for starters I'd make sure you only have one IP address to deal with.

I setup my second interface in a promiscuous mode and used for monitoring traffic by snort... Here's what I put in my /etc/network/interfaces:

# Second interface that snort is going to monitor
auto eth1
iface eth1 inet manual
        up ifconfig eth1 0.0.0.0 up
        up ip link set eth1 promisc on
        down ip link set eth1 promisc off
        down ifconfig eth1 down

Then, to make sure snort is listening on eth1...

(check by issuing the following:  #ps -ef | grep snort  )

If it needs to be changed... There's a python script called /usr/lib/inithooks/bin/interface_select.py that might let you choose which interface you want to monitor.  There's also a /usr/lib/inithooks/everyboot.d/88snortstart that makes a call to start snort with a switch for the interface you want to monitor (it may be that the python script edits the 88snortstart file or something).

In my install, once I only had one IP address for the box (the second interface running in promiscuous mode w/no ip addy), there was no confusion about what address to ssh to (or access the web interface).

I'm pretty new to snorby.. so if any of this is wrong I hope someone chimes in with more accurate info.

Hope that helps.

SSH and Snorby Management Port

Hmmmm... just noticed that when I put my second interface in promiscuous mode and ran the interface_select.py script it didn't give me an option to select it. So take my advice above with a grain of salt... not sure it's the correct way to set this thing up. I suppose you could still do it that way and simply edit the ./everyboot.d/88snortstart manually.

SSH and Snorby Management Port

Last thing...  That python script modifies four files (see below):

system("sed -i 's/eth0/%s/g' /etc/snort/barnyard2.conf" % interface)
system("sed -i 's/eth0/%s/g' /usr/lib/inithooks/everyboot.d/88snortstart" % interface)
system("sed -i 's/eth0/%s/g' /root/pulledpork-0.5.0/etc/pulledpork.conf" % interface)
system("sed -i 's/eth0/%s/g' /root/openfpc-0.4-267/etc/openfpc-default.conf" % interface)

So if you're going to manually edit one of them I suppose it makes sense to change them all appropriately.
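An added example (not from this thread or the appliance's interface_select.py) of an interface switch that can be repeated on a box that has already been changed once. The four `sed` calls quoted above only ever replace the literal `eth0`, so after a first switch to eth1 a later switch to eth2 finds nothing to replace. The helper below instead reads the name currently set in barnyard2.conf's `config interface:` directive and in the `-i` switch of 88snortstart (both named in this thread), rewrites whichever name is there, and for files without a dedicated pattern falls back to a whole-word replacement of the name barnyard2.conf currently holds. The file contents are constructed; the `INTERFACE=` line standing in for openfpc-default.conf is an assumption, and no sample is given for pulledpork.conf.

```python
import re

# Paths named in this thread (three of the four files interface_select.py edits).
BARNYARD = '/etc/snort/barnyard2.conf'
SNORTSTART = '/usr/lib/inithooks/everyboot.d/88snortstart'
OPENFPC = '/root/openfpc-0.4-267/etc/openfpc-default.conf'

# File-specific patterns: group 1 is everything up to the interface name, group 2
# the name itself. barnyard2's "config interface:" directive and the "-i <iface>"
# switch on snort's command line are the two edits the thread describes.
PATTERNS = {
    BARNYARD: re.compile(r'^(\s*config\s+interface\s*:\s*)(\S+)', re.M),
    SNORTSTART: re.compile(r'(\s-i\s+)(\S+)'),
}


def current_interface(path, text):
    """Interface name currently set in `text`, or None if the file has no known pattern."""
    pat = PATTERNS.get(path)
    m = pat.search(text) if pat else None
    return m.group(2) if m else None


def set_interface(path, text, new_iface, old_iface='eth0'):
    """Return (new_text, replacements). Files with a known pattern get their current
    value rewritten whatever it is; other files get a whole-word swap of old_iface."""
    pat = PATTERNS.get(path)
    if pat:
        return pat.subn(lambda m: m.group(1) + new_iface, text)
    return re.subn(r'\b%s\b' % re.escape(old_iface), new_iface, text)


def sed_style(text, new_iface):
    """What the appliance's sed -i 's/eth0/<iface>/g' does: only a literal eth0 changes."""
    return text.replace('eth0', new_iface)


def update_all(files, new_iface):
    """Rewrite every file body in `files` (path -> text) to new_iface. The name found
    in barnyard2.conf is treated as the current one for files without a pattern."""
    old = current_interface(BARNYARD, files.get(BARNYARD, '')) or 'eth0'
    return {path: set_interface(path, text, new_iface, old)[0] for path, text in files.items()}


# Constructed file contents standing in for a freshly installed appliance; the
# INTERFACE= key for openfpc-default.conf is an assumption.
SAMPLE_FILES = {
    BARNYARD: 'config hostname: localhost\nconfig interface: eth0\n',
    SNORTSTART: '#!/bin/sh\n/usr/local/bin/snort -g snort -u snort -c /etc/snort/snort.conf -i eth0 -D\n',
    OPENFPC: 'INTERFACE=eth0\n',
}

if __name__ == '__main__':
    first = update_all(SAMPLE_FILES, 'eth1')   # initial switch, as the setup script would do
    second = update_all(first, 'eth2')         # later switch, which a literal eth0 replace misses
    for path in SAMPLE_FILES:
        print(path, '->', current_interface(path, second[path]) or second[path].strip())
```

In practice, read each of the four paths into the dict, call `update_all`, write the results back and restart snort, barnyard2 and openfpc (or reboot); comparing `current_interface` on barnyard2.conf with the sensor label Snorby shows is the quickest check that the change was picked up.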

Awesome Job

Excellent job! Keep up the great work!

-arcy24

Mention in publication

Heya,

Just saw that your appliance was mentioned in one of the top IT publications in the Netherlands (http://webwereld.nl/tips---tools/106404/analyseer-aanvallen-op-je-netwer...).

Congrats on that! I'm sure it'll result in a lot of downloads.

Sven

Please Help

I have forgotten my password and can't log in. How can I reset my password?

What webserver insta-snorby use?

I would like to install Cacti on the box I have running Insta-Snorby... Is it possible to do that? What webserver does Insta-Snorby use?

Insta-Snorby uses Apache with

Insta-Snorby uses Apache with the Phusion Passenger plugin to serve the rails application.

re-run config

Hey, I needed to make some changes to run in host-only network for a vm-lab, so during install it was not able to access the network, is there a reconfig script I can run to take me through the setup again now that I have the environment set correctly ?

There is not :( I am working

There is not :( I am working on a way to do this for the next major release 

Pcap trouble

Whenever I try to open a pcap it will download through a browser but when I open it with wireshark it is blank?

The files are always 24 byte and named similar to this _tmp_u8oBqUaXGl_snorby-1678382983093961410.pcap

When I installed I had to choose lo as my interface because I am running in a VM and it did not see eth1 during setup. I went in afterwards and changed the interface to eth1 on barnyard2.conf, 88snortstart.conf, and openfpc-default.conf

Snort and snorby see the traffic I am just having trouble pulling pcaps, any idea where I went wrong?

openfpc issues

Mate I'm having the exact same problem you are.  I've verified that daemonlogger is writing pcaps to /var/tmp/openfpc/pcap, but when I download a pcap from Snorby's webUI it's always empty.

Did you ever find a fix?

openfpc issues

I figured it out.  The timezone was set wrong in the openfpc-default.conf file, which led to searches being executed for periods for which there was no data.

new version Insta-Snorby

Hi.

The way you look at the proposal:

upgrade snort to 2.9.5 , upgrade snorby , upgrade Pulled Pork.

add daq-0.5 pfring module

https://svn.ntop.org/svn/ntop/trunk/PF_RING/userland/snort/daq-0.5/README

http://www.ntop.org/blog/pf_ring/using-pf_ring-with-snort-and-suricata-f...

Problems after installing Insta-Snorby

After installing Insta-Snorby 0.6.0 on an ESXi VM (and rerunning the firstboot scripts, since the network needed to be configured before most of them could run), all I get is a 500 error from the web. I checked syslog, messages, and the snorby logs under /var/www/snorby/log, and the only two errors I see are these:

/var/log/syslog:  Insta-Snorby barnyard2[1011]: FATAL ERROR: database: mysql_error: Unknown database 'snorby'

/var/www/snorby/log/snorby_error.log:  [warn] RSA server certificate CommonName (CN) `Snorby' does NOT match server name!?

Any ideas what might have happened to keep it from configuring and running properly?

Did you create a root

Did you create a root password for the system that does not contain alpha characters? There is a known issue with passwords that are strictly numeric.

Root created with alpha and non-alpha chars

The root password I created has alpha chars, and symbols

Can you help

Hi.
I downloaded daq from "https://svn.ntop.org/svn/ntop/trunk/PF_RING/"
and configured daq with

snort/daq-0.5# ./configure  --enable-pfring-module=yes

Build AFPacket DAQ module.. : yes
Build Dump DAQ module...... : yes
Build IPFW DAQ module...... : yes
Build IPQ DAQ module....... : no
Build NFQ DAQ module....... : yes
Build PCAP DAQ module...... : yes
Build PF_RING DAQ module... : yes

snort/daq-0.5# make && make install

Configured and installed snort:

~/snort-2.9.0.5# ./configure --with-mysql --enable-ipv6 --enable-gre --enable-mpls --enable-targetbased --enable-decoder-preprocessor-rules --enable-ppm --enable-perfprofiling --enable-zlib --enable-active-response --enable-normalizer --enable-reload --enable-react --enable-flexresp3 --enable-linux-smp-stats --with-libpfring-libraries=/usr/local/lib --with-daq-includes=/usr/local/include -with-daq-libraries=/usr/local/lib/daq/ --with-libpcap-includes=/usr/local/include --with-libpcap-libraries=/usr/local/lib/ && make && make install

/snort-2.9.0.5# snort -V

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.0.5 IPv6 GRE (Build 135)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2011 Sourcefire, Inc., et al.
           Using libpcap version 1.1.1
           Using PCRE version: 7.8 2008-09-05
           Using ZLIB version: 1.2.3.3

~/snort-2.9.0.5# snort --daq-list
Available DAQ modules:
pcap(v3): readback live multi unpriv
nfq(v4): live inline multi
ipfw(v2): live inline multi unpriv
dump(v1): readback live inline multi unpriv
afpacket(v4): live inline multi unpriv

Trying to run snort with pfring:
~/snort-2.9.0.5# snort --daq-dir /usr/local/lib/daq/ --daq pfring --daq-var clusterid=44 --daq-var bindcpu=4 eth1 -c /etc/snort/snort.conf

[ Port Based Pattern Matching Memory ]
+- [ Aho-Corasick Summary ] -------------------------------------
| Storage Format    : Full-Q
| Finite Automaton  : DFA
| Alphabet Size     : 256 Chars
| Sizeof State      : Variable (1,2,4 bytes)
| Instances         : 353
|     1 byte states : 345
|     2 byte states : 8
|     4 byte states : 0
| Characters        : 45040
| States            : 33187
| Transitions       : 1620534
| State Density     : 19.1%
| Patterns          : 3317
| Match States      : 2919
| Memory (MB)       : 15.64
|   Patterns        : 0.24
|   Match Lists     : 0.34
|   DFA
|     1 byte states : 1.78
|     2 byte states : 12.93
|     4 byte states : 0.00
+----------------------------------------------------------------
[ Number of patterns truncated to 20 bytes: 593 ]
/usr/local/lib/daq//daq_pfring.so: dlopen: /usr/local/lib/daq//daq_pfring.so: undefined symbol: pfring_read
ERROR: Can't find pfring DAQ!
Fatal Error, Quitting..

And trying to run without --daq-dir:
~/snort-2.9.0.5# snort --daq pfring --daq-var clusterid=44 --daq-var bindcpu=4 eth1 -c /etc/snort/snort.conf

[ Port Based Pattern Matching Memory ]
+- [ Aho-Corasick Summary ] -------------------------------------
| Storage Format    : Full-Q
| Finite Automaton  : DFA
| Alphabet Size     : 256 Chars
| Sizeof State      : Variable (1,2,4 bytes)
| Instances         : 353
|     1 byte states : 345
|     2 byte states : 8
|     4 byte states : 0
| Characters        : 45040
| States            : 33187
| Transitions       : 1620534
| State Density     : 19.1%
| Patterns          : 3317
| Match States      : 2919
| Memory (MB)       : 15.64
|   Patterns        : 0.24
|   Match Lists     : 0.34
|   DFA
|     1 byte states : 1.78
|     2 byte states : 12.93
|     4 byte states : 0.00
+----------------------------------------------------------------
[ Number of patterns truncated to 20 bytes: 593 ]
ERROR: Can't find pfring DAQ!
Fatal Error, Quitting..

Tell me what I'm doing wrong or how to solve this problem.
I would be grateful for any help.

Problem with Snorby and esxi4.1

Hi,

Whenever I try to run Snorby on esxi4.1 it CRASHES. I tried the above solution to disable acceleration, however it SLOWS things down to a HALT. Any chance of seeing an update soon?

BTW:  Awesome work on the project. thx.

Thanks

Known bug. This is nothing to do with Snorby.

It's a bug that occurs with the combination of the Ubuntu 10.04/Lucid (basis of TKL) kernel, VMware ESX/ESXi v4.1 and certain hardware. As the source of the problem is out of the control of TKL (upstream Ubuntu kernel, 3rd party proprietary OS and 3rd party hardware) the timeframe of this problem being properly fixed is completely unknown. In the meantime your choices are fairly simple:

  • Get a different Hypervisor OS (ie ditch ESXi - or at least go back to v4.0/v3.x - assuming it's stable and secure). My personal recommendation is ProxmoxVE (free and open source). IMO this is the best solution.
  • Replace the Lucid kernel (there is a backported 10.10/Maverick one available in the repos). This is probably the easiest workaround in the short-term, although it is possible that support for this kernel will end (~04/2012) prior to an updated TKL release (complete guess but possibly late 2012).
  • Replace your hardware. This is obviously the least favourable option and you will need to be careful to make sure that your new hardware will not reproduce this bug - no idea how you do that without testing it first though.

Problem with Snorby and esxi4.1

Hi,

I have Insta-Snorby 0.6.0 installed and running in VMWare ESXi4.1u1 (Build 4.1.0 348481). No problems.

VM Specs are Guest OS is Ubuntu Linux (32bit) and the defaults it chooses for this Guest OS - VM Version 7, 1 vCPU, Memory 512MB, NIC is Flexible, SCSI Controller LSI Logic Parallel.

Recommend that DesiDaku upgrades the ESXi box to Update 1. Don't forget the vSphere Client.

Cheers

Thanks Jeremy :)

Thanks Jeremy for clear explanation into the bug.  Would give Proxmox a shot.

Cheers!

New sensor, how?

I installed the Insta-Snorby (newest) with one sensor, working properly.

How can I add another interface (ex. eth2) as a new sensor to the system? Which files should I modify and how?

Just as above: Dashboard not updating, but events are viewable

Hi Jason,

I hope that you are still monitoring this thread. Just like the posters above, I have the problem that the dashboard is not updating even though the events are there. I can click on the "0 low severity events" button and will be shown a continuously updated list of all low severity events.

This is a fresh install of insta-snorby 0.6.

My "Worker & Job Queue" says "OK" and "Restart Worker" doesn't change the situation. On the Dashboard it says "Last Updated: 06/30/11 12:00:00 AM" even though the system time is "Wed Jun 29 22:01:15 CEST 2011". I have now added "config.time_zone = 'Amsterdam'" to /var/www/snorby/config/application.rb since this was the only file mentioning timezones. I rebooted but the dashboard is still not updating. I hope that it will start updating after the time in "Last Updated" has passed.

Is there any hope for my situation? ;-)

Cheers,

       Marcus

A small aside if others are looking for this information (and maybe I'm wrong about the following):

All interfaces in insta-snorby 0.6 have to have an IP address for them to be shown during the insta-snorby setup. If there is no DHCP server providing addresses, just change to a console after entering the new root password in the insta-snorby setup dialog, log in as root, and give the interface an IP address with ifconfig.

If you do not want to supply an IP address for the interface that snort is listening on you have to modify the configuration file /etc/network/interfaces and set the interface option to "manual" (iface eth0 inet manual). Somehow snort is not happy with this and won't start during reboot. Just add "ifconfig eth0 up" (if eth0 is your IP-less interface) before the snort line in /usr/lib/inithooks/everyboot.d/88snortstart and everything (but the dashboard in my case) will work fine.

Problem openfpc / insta-snorby

Hi all,

When trying to access the link, this message appears.
I already redid the openfpc installation, but it is not fixed.
Can anyone help me?

https://myip.com/openfpc/cgi-bin/extract.cgi

"Error, Check server logs for more data No user specifie"

Thanks a lot.

No user specified

Hi,

If you're trying to link into openfpc via Snorby, you need to enter a username/password into "API User" in Snorby under the  Administration page. This user needs to be contained in the openfpc config file. Look for a line that looks a little like...

USER=username=somepass

... in /etc/openfpc/openfpc-default.conf

-L

Problem openfpc / insta-snorby

Hi Leon,

Thanks for help.

But it did not work,

I did several installations of insta-snorby urges ... but it still fails,

I use eth0 manager 10.x.x.x and eth1 promisc mode, 

unfortunately not successfully monitor my network. I'll try another way to do this ..  or installing each application manually.

No success with this version of insta-snorby 0.6 :-(

Thanks.

Error Ruby!

Is this error common for you?

Job Last Error
{stack level too deep
/var/www/snorby/vender/cache/ruby/1.9.1/gems/delayed_job-2.1.4/lib/delayed/backend/base.rb:91

As I see it, this is a Ruby "stack overflow" error. How could I solve this case, in order that the amount of warnings can come to 1,000,000 daily?

Insta-Snorby with Snort on a different machine

I have pfsense installed on a machine with snort integrated into that. Is there a way that I can have Snorby show the events from that instance of snort instead of the one bundled with insta-snorby? I tried setting up the barnyard interface on pfsense and I'm not getting any errors, but yet it's still not being shown in snorby. Has anyone else been successful in getting this to work?

Dashboard not updated

Hi,

This weekend I installed Insta-Snorby on a XEN VM, but I have the issue that my dashboard is not updated after setting the sniff interface to eth0.

I have changed the following files

/usr/lib/inithooks/everyboot.d/88snortstart
/etc/snort/barnyard2.conf
/root/pulledpork-0.5.0/etc/pulledpork.conf
/root/openfpc-0.4-267/etc/openfpc-default.conf

But the dashboard states:

  • Last Updated: 07/18/11 12:00:00 PM but the current time is 07/18/11 10:20

When I click the eth1 interface all data seems to be there, so the sniffing is fine.

I now want to remove sensor eth0 from the dashboard and use eth1 for all sniffing.

Restart process script

Thanks again for this great package - 0.7.0 seems to be working great on my production IDS.

For all of you who change your threshold.conf or other snort settings regularly but don't want to reboot, here's a quick way to restart:

killall snort
killall barnyard2
/usr/lib/inithooks/everyboot.d/88snortstart

Hope that helps someone!

Email updates from Pulled Pork

If you would like to get email updates from pulled pork, here's a quick example of how:  http://normesysadmin.blogspot.com/2011/07/pulled-pork-email-updates-for-insta.html

0.7.0 is out and the future...

Hi guys,

I wanted to let everyone know I did a quick Insta-Snorby update (now at version 0.7.0) a few days ago to include the latest version of Snorby which contains a ton of app-level bug fixes and feature enhancements. While I was in the source I also updated ruby 1.9.2's patch-level, rubygems, snort, pulled-pork, and open-fpc to their latest versions.

You can download it at http://snorby.org/

Mephux is planning a big feature release at some point early next week which could introduce more dependencies and I will release another minor update to accommodate it as well.

Unfortunately none of the bugs and issues you've all reported here were fixed in 0.7.0 and won't be fixed for the next release. I am planning on starting work on a more sophisticated Insta-Snorby that handles much of the setup process through an easy to use web interface and takes a lot of the feedback from this thread and elsewhere to implement in the new version.

Insta-Snorby's goal is to greatly simplify and streamline a quick and dirty IDS installation and the new interface should help us achieve that better than the current setup. Hopefully one day we can graduate from it being a test platform to something people would be comfortable running and tweaking in production!

Thanks for supporting the project. If you guys have any success stories to share using Snorby or Insta-Snorby in your environments/networks let me know as Mephux and I would love to chat about what works and what doesn't!

I've been using Insta-Snorby

I've been using Insta-Snorby 0.7.0 for about 48 hours now, and it's working great.  Do you have any documentation on getting OpenFPC working?  Thanks for all your work!

I don't have official

I don't have official documentation, but you can read more about OpenFPC here... (http://www.openfpc.org/)

In Insta-Snorby OpenFPC should be installed and configured correctly right out of the box (if you enabled it during installation). To pull a PCAP for an event simply open the event in snorby, click "packet capture options" and then click the desired time range in the dropdown. A PCAP should begin downloading which you can view in an application like wireshark.

Hope that helps!

I'm sure I flagged OpenFPC to

I'm sure I flagged OpenFPC to install, but I don't see it in the process list.  Is it possible to manually run the install script for openfpc after the fact?

FYI - running

FYI - running /usr/lib/inithooks/firstboot.d/88openfpc will restart the openfpc configuration.  I did have to manually configure /etc/openfpc/openfpc-default.conf to point the interface at bond0, but I had to do this with snort also.

OpenFPC has its own control

OpenFPC has its own control tool.

openfpc -a stop && openfpc -a start will do the trick!

openfpc --help for more info

Need to skip or disable the Advanced Menu after every reboot

Does anyone know how to disable the advanced menu?

TIA

Insta Snorby 0.7 fresh install error

Insta Snorby 0.6 works fine on this test box but when I installed 0.7 I get the following error

We're sorry, but something went wrong.

We've been notified about this issue and we'll take a look at it shortly.

I've seen this problem linked to numeric passwords but mine is all alpha, any ideas?

Sensor only seeing itself

Posting because this may help others -

Had the Snorby VM running nicely using ETH0 for LAN/Mgmt and ETH1 for the sensor interface external.

Things were working nicely, but I was only capturing data on a single IP on the external (no SPAN/Mirror on the switch).  Finally put in a Cisco switch with SPAN and I was STILL only getting single interface information.  SO

If you are running this on an ESX host, you need to also be sure you enable promiscuous mode on the  vSwitch so it acts like a semi-hub.  Otherwise the virtual switch acts like a layer 2 switch and isolates the traffic.   After enabling promiscuous mode, all is well.   Be sure this is a DEDICATED vSwitch for this IDS interface!

Similar setup but no success

I am struggling to get a near identical setup working (see a previous post by me titled daemonlogger configuration) but to no avail. I do have promiscuous mode on a dedicated vSwitch, which I assigned as eth1 while eth0 is the standard management port.

During the install, the sensor port isn't available for selection, it only displays lo and eth0 as choices to monitor. I cancelled the configuration at this point and proceeded with the rest of the configuration. When the TKL config console was displayed, I went back to the networking and both eth0 (configured) and eth1 (unconfigured) were displayed. I left it this way and edited the snort startup script and barnyard2 config files to use eth1 instead of eth0 and restarted the VM.

tcpdump -i eth1 shows some activity on eth1, but not what I would expect from a mirrored port on the switch considering the traffic through this setup. The output shows lots of line similar to:

STP 802.1w, Rapid STP, Flags [Proposal, Learn, Forward, Agreement], bridge-id 8000.00:25:64:13:4d:f1.800f, length 47

I don't know if the unconfigured eth1 is problem or not, as a number of posts suggest this is the "proper" way to configure the sensor interface (i.e. with no IP address), but I was curious to know how you setup and configured your system.

If you read further down I

If you read further down I had the same setup, initially with two nics. I was unable to get the dashboard to report properly in this configuration so I scrapped it and simply used a single nic. The only reason I wanted to use two was in order to avoid having the management interface traffic throw alerts but I simply created a few rules in threshold.conf to eliminate this instead. It sounds as though you have everything configured correctly on the ESX side of things so I would keep things simple and double check your switch config and make sure you are patching your promiscuous nic into the "mirror" switchport and not the "monitor" switchport (I'm assuming you have a cisco or hp switch). After confirming this if you still have problems I would verify you are monitoring the correct port by using wireshark or tcpdump on a separate physical box to see what traffic if any is coming off that mirror port.

Changelog

Is there a changelog anywhere for Insta-Snorby?  Just noticed ver 0.8.0 is out!

no events, no capture - how to start?

hey guys,

I'm quite new at Snort and especially at Snorby. And sorry for my bad english.

First: i think you did a really great job, thanks so far!

I'm not able to get an event at snorby. First I installed the insta version on a physical machine. No problem at this point, eth0 is the device where I get access to snorby. Web interface works! Should Snorby show something at this time? There is no event. After that I added a second nic, changed the files like I found here http://www.turnkeylinux.org/forum/general/20101206/insta-snorby-official... and plugged in my mirror port. But nothing!

I see a second sensor (localhost:eth1), everything looks fine! But I'm searching the START button ;)

Thank you!

Dashboard Not Reporting But Events Present

Ok, first off - beautiful work, I love it! After muddling through several different snort installations with BASE it's a relief. However, the only caveat I have found, as other posters have mentioned, is my dashboard does not report despite events being present. The only common factor between the reports above is having snort configured for monitoring on eth1. I have confirmed a clean install without dashboard reporting problems when this is left at eth0. I could be way off but that's as far as I have narrowed it down. The only other problem I encounter is frequent latency issues with the web interface loading.

Dashboard Not Reporting

Well after more searching I found this: http://groups.google.com/group/snorby/browse_thread/thread/b10ed817f27f43c1 But when attempting to run the job immediately it still sits and says it is set to run at a later time. I know next to nothing about rails so any insight is much appreciated.

irb(main):007:0> Snorby::Jobs.clear_cache
=> nil
irb(main):008:0> Snorby::Jobs::SensorCacheJob.new(true).perform
Sensor 1: Looking for events...
=> #
irb(main):009:0> Snorby::Jobs.run_now!
=> true
irb(main):010:0>

My snorby eventually "catches up"

Might it be the case that the timezone of the system gets set after snorby starts? (It is as if snorby gets the wrong time during the boot process and its database entries are out of sync with the system.)

At first my snorby did not update the dashboard either but eventually it caught up after a few hours. Today I rebooted the system and my local (and system) time is "09/13/11 11:00 PM". Snorby says "Last updated: 09/14/11 12:00:00 AM". Just like the first boot after the initial installation, snorby is living in the future and I expect to see the dashboard working again just as before, when system time and snorby time are in sync eventually. (Restarting the workers did not speed up this process for me the first time around either.)

This was supposed to be a reply to "Dashboard Not Reporting"

<euphemism>Dang it!</euphemism>

RE

Yes, the time in the dashboard is a half hour ahead. How do we fix this?

Dashboard is working again

Sometime between yesterday evening and today, snorby finally went into sync with the system time and the dashboard started working again. (Poor little computer with a slow processor and a single small hard drive. Two network interfaces with snort, openfpc and snorby are definitely too much. Load average is about 2.2, dashboard response time is glacial ;-) )

Waiting for it to resolve

Waiting for it to resolve itself isn't much of a solution, the box I'm running it on is more than sufficient for the system requirements. I guess I'll wait and see if it is ever addressed and be glad I can at least see the alerts at all.

Snorby 0.8 is updating fine

I reinstalled snorby on better hardware. This time I used Insta-Snorby 0.8. (OpenFPC didn't install at first, but I simply followed the script in /usr/lib/inithooks/bin/openfpc.py... I messed around on a console during the installation dialogs, so this was probably my fault.)

At the end of this guide: https://github.com/Snorby/snorby/wiki/Insta-Snorby-0.8.0-Install-Notes-%28Rough-Draft%29 , there are some interesting commands that I entered the following way:

cd /var/www/snorby
/usr/local/bin/rails runner 'Snorby::Jobs.clear_cache(true)'
/usr/local/bin/rails runner 'Snorby::Jobs.run_now!'

This time the dashboard worked immediately. 

Maybe it helps you, too.

Nope, still didn't work for

Nope, still didn't work for me and now my box has a hellacious load on it sometimes up to 5.3!  Dashboard still blank and it appears to be ruby rails kicking my boxes butt.  Any ideas on performance tweaks?  

Deleting Alerts?

Ok, so it's finally working! I rebooted the Snorby box and manually restarted the cache worker and it's suddenly reporting with minimal to no system load; I'm not sure what was happening before but it appeared that there were several instances of a ruby process running that were killing my system load. I'll call it a fluke till I load my next sensor. Anyway, is there any way to delete individual alerts once I get my rules tweaked?

Well I thought it was working

Well I thought it was working but after playing with this for a few weeks now I have come to a determination; don't use two nics.  After so much trial and error it is so much simpler to only use one nic and you will avoid the dashboard reporting problems.  

Snorby only appliance

Hi,

Just wondered if you had any plans to make a Snorby-only appliance (without Snort etc) for people that want to use external sensors?

If not, would you be willing to post or email your precise step-by-step setup process as the various Ubuntu 10.04 howtos that I've followed don't work due to Ruby/Gem problems.

Thanks,
Stuart

No idea what the devs plan

But as the patch source is available on Github (see original post for link) you could have a look at that and pick out the relevant parts.

how block any attack

i want to know how block an ip with snorby

IP Blocking solution

I'm doing it this way: I wrote a script that collects severity 1 IPs from the SQL database and inserts them into a Quagga BGP router. This in turn advertises a null route to our gateways and effectively blackholes the attack source IPs. A script could be created to do the same with IPTables.

Also; the download location for 0.6 has gone.
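As an added example (not the poster's script and not part of Snorby), this pulls the source addresses of severity-1 events out of the Snort-schema database that Barnyard2 writes and Snorby reads, and turns them into blackhole/drop commands for a gateway. It assumes the classic Snort DB tables (`event`, `signature` with `sig_priority`, `iphdr` with `ip_src` stored as a 32-bit integer), uses a constructed in-memory SQLite copy so it runs offline, and adds the two guards a practitioner needs before automating this: a minimum event count (alert sources can be spoofed, so one event is weak evidence) and a HOME_NET exclusion so you never null-route your own hosts.

```python
"""Added example: severity-1 source IPs from a Snort/Snorby database -> blocklist.

Assumptions (labelled): the classic Snort DB schema used by Barnyard2/Snorby,
where signature.sig_priority holds the severity (1 = high), iphdr.ip_src stores
the source IP as an unsigned 32-bit integer, and event joins both on (sid, cid).
The sample database below is constructed; against the real MySQL 'snorby'
database the same SQL applies through MySQLdb/PyMySQL."""
import ipaddress
import sqlite3

# Constructed sample value; use the HOME_NET from your own snort.conf.
HOME_NETS = ["10.3.133.0/24"]

SEVERITY1_SOURCES_SQL = """
SELECT iphdr.ip_src, COUNT(*) AS hits
FROM event
JOIN signature ON signature.sig_id = event.signature
JOIN iphdr ON iphdr.sid = event.sid AND iphdr.cid = event.cid
WHERE signature.sig_priority = 1
GROUP BY iphdr.ip_src
HAVING COUNT(*) >= ?
"""


def severity1_sources(conn, home_nets=HOME_NETS, min_events=2):
    """Return sorted dotted-quad source IPs with at least min_events
    severity-1 events, excluding any address inside home_nets.

    The threshold matters: the source of a UDP/ICMP alert can be spoofed, so
    auto-blocking on a single event lets an attacker make you drop traffic
    from an address of their choosing. The home-net exclusion keeps the
    script from blackholing your own servers."""
    nets = [ipaddress.ip_network(n) for n in home_nets]
    found = []
    for ip_int, _hits in conn.execute(SEVERITY1_SOURCES_SQL, (min_events,)):
        addr = ipaddress.IPv4Address(ip_int)  # schema stores the IP as an int
        if any(addr in net for net in nets):
            continue
        found.append(addr)
    return [str(a) for a in sorted(found)]


def blackhole_commands(ips):
    """Commands a gateway operator would run: an iproute2 blackhole route
    (what the BGP null route achieves) plus an iptables DROP as the poster's
    alternative. Nothing is executed here; review the list before applying."""
    cmds = []
    for ip in ips:
        cmds.append(f"ip route add blackhole {ip}/32")
        cmds.append(f"iptables -I FORWARD -s {ip} -j DROP")
    return cmds


def build_sample_db():
    """Constructed sample data in the three Snort-schema tables this needs."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT, sig_priority INTEGER);
        CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT);
        CREATE TABLE iphdr (sid INTEGER, cid INTEGER, ip_src INTEGER, ip_dst INTEGER);
    """)
    conn.executemany("INSERT INTO signature VALUES (?, ?, ?)", [
        (1, "SAMPLE high severity signature", 1),
        (2, "SAMPLE low severity signature", 3),
    ])

    def ip(s):
        return int(ipaddress.IPv4Address(s))

    dst = ip("10.3.133.20")
    rows = [  # (sid, cid, signature id, source) - one sensor (sid 1) throughout
        (1, 1, 1, "203.0.113.10"),  # three severity-1 hits: blocked
        (1, 2, 1, "203.0.113.10"),
        (1, 3, 1, "203.0.113.10"),
        (1, 4, 1, "198.51.100.7"),  # one hit: below the threshold
        (1, 5, 1, "10.3.133.5"),    # inside HOME_NET: never blocked
        (1, 6, 1, "10.3.133.5"),
        (1, 7, 2, "192.0.2.44"),    # severity 3: ignored
        (1, 8, 2, "192.0.2.44"),
    ]
    for sid, cid, sig, src in rows:
        conn.execute("INSERT INTO event VALUES (?, ?, ?, ?)",
                     (sid, cid, sig, "2011-09-14 00:00:00"))
        conn.execute("INSERT INTO iphdr VALUES (?, ?, ?, ?)", (sid, cid, ip(src), dst))
    conn.commit()
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    for cmd in blackhole_commands(severity1_sources(db)):
        print(cmd)
```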

Memcache missing from install

I was noticing that the web application was taking up 100% of cpu with Ruby when viewing the website. After looking at the configuration I noticed that the memcache gem is installed. Looking at the system  I then noticed that memcache was not installed. From the cli I used:

apt-get install memcached

And the interface became almost instantly fast as well as the server load went down considerably. Just a heads up if you want a faster interface and lower server load for the next release.


Memcache

Thanks for the post.  I was trying to figure out why my snorby box was always maxed out on the proc.  Read this post, copied and pasted the apt-get install memcached line in a ssh session, voila, the web interface is quick.

Thanks again for taking the time to post that!

iptables and Snorby

Newby here looking for some help.  

Thanks for all this great work btw!!  

Well, I have an ASUS RT-N16 (192.168.1.1) router running Tomato and I found information about using iptables to forward the router's traffic to the IP I tell it to.  So I SSH to my router and I type the following two lines:

iptables -A PREROUTING -t mangle -j ROUTE --gw 192.168.1.254 --tee
iptables -A POSTROUTING -t mangle -j ROUTE --gw 192.168.1.254 --tee

So 192.168.1.254 is a VM running Snorby which, by using the command, should receive a copy of all the traffic going through the router. When you run iptables -t mangle -L you can see that it's doing just what it is supposed to do. That's where I'm stuck, I don't see anything in snorby.

Hope those are enough details to get some help, if not please let me know what else you need.  Thanks!

~T

total newbie to snort with 3 questions

1) every time I boot the box, it tries to do the initial setup, is there a file/flag that I can put somewhere to prevent this?

2) how can I verify/prove that pulledpork updates daily (if it's daily or whatever)?

3) I imagine I can set snort to send the logs to a syslog on real time , simply by working with the snort.conf?

Thank you all in advance

I can't help you with Snorby related stuff

But I can answer question 1 somewhat. TBH I'm not sure what's going on there as if the firstboot scripts are completed properly then it should automatically be set to not run again (unless you manually invoke them or reset the flag). These first boot scripts are controlled by inithooks, see the documentation here.

Snort to Syslog

Yes, setting up syslogging is as simple as finding syslog in snort.conf and adding 'alert_syslog: host=x.x.x.x:port, LOG_AUTH LOG_ALERT' then add '*.*          @x.x.x.x:port' to the /etc/syslog.conf file where x.x.x.x:port is the same ip and port you used in snort.conf. Lastly, restart the syslog daemon '/etc/init.d/rsyslog restart'.  This should get you up and running assuming you have your syslog server good to go.

Jeremy, awesome thanks , it

Jeremy, awesome, thanks, it worked perfectly. For some reason I didn't notice it was not the first boot; I set that manually and voila.

any idea how to disable the advanced menu after the boot?

That's called the confconsole.

Unless you have a specific reason you don't need to disable that. It is designed to run on boot and causes no issues. If you wish to use the commandline you can just exit out of it. The only thing of any consequence it allows access to is networking config, and realistically if a user has physical access to your machine then they could simply upset networking by unplugging the cord anyway!

Having said all that it is possible to disable it. IIRC confconsole uses the old sysv way of running services (as opposed to the newer Upstart way which many services in Ubuntu 10.04 use).

and another one, how can I

and another one, how can I update the pw or even better, create a new user? We were looking into it but my programming guy doesn't know very much about ruby; apparently all the mysql statements are encapsulated (looks good for security but I can't even change the password of the user!)

HOME_NET variable not taken into account

Hello,

Great job on the iso, eases up the install of snort !

But! I have an issue: my variable HOME_NET is not taken into account on my install. I put a range of my internal network in it, but I still get alerts from and to hosts that are not in the subnet I defined.

I double checked the conf and can't find what is wrong:

[snort.conf]

# Setup the network addresses you are protecting
var HOME_NET 10.3.133.0/24
 
# Set up the external network addresses. Leave as "any" in most situations
var EXTERNAL_NET !$HOME_NET
 
The rules are the stock one ...

Is someone else experiencing this issue ?

Solved: it was pre-processors

Solved: it was pre-processor alerts and not actual rule alerts ...

daemonlogger configuration

I have insta-Snorby running on a vm hosted by ESX 4.

The VM has 2 physical NICs, and I am still having problems getting any data (it is a feast or famine situation at times), but I noted in the output from "ps -ef" that daemonlogger has been started with (amongst others) -i eth0, while I have snort and barnyard set up to monitor eth1.

Where is the daemonlogger configuration or startup command located ?

I have the same setup except

I have the same setup except for one important variable, I only use one nic and this has solved hours of muddling around with dashboard reporting problems. Also, I'm assuming you have one of your esx nics isolated on a vswitch that is connected to a mirror port on a switch. If this is the setup you have be sure that you have the nic set to accept Promiscuous Mode under Policy Exceptions for the vSwitch properties (it is under the security tab). A good way to test if you have any traffic or not is to SSH into the snorby vm and run 'tcpdump -i eth0' and see if you have packets flying across the interface from other hosts on the network. But, as I mentioned, eliminating the second nic resolved a plethora of headaches I was having.

Newbie trying to create Snort rules

Hope you can help.

I have installed insta-snorby as a vm in vmware. I would like to add my own custom rule to the box.

I have modified the snort.conf file and added just my test.rules to step 7

include $RULE_PATH/test.rules

I have confirmed the rule path /etc/snort/rules exists.

I have hashed out include $RULE_PATH/emerging.conf.

The test rule i have added is:

alert any any any <> any any (msg:"This will alert on all detected traffic!";)

I have tried a number of other rules but none seem to work.

I have restarted the box and then tried pinging different machines on the same network as the insta-snorby box but no alerts are generated.

Thanks in advance.
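Added example, not from the thread and not part of Snort: a small lint for the header and options of a Snort 2.x rule such as the test rule posted above. It flags the things newcomers most often get wrong: the protocol field must be tcp, udp, icmp or ip (`any` is not a protocol), the direction must be `->` or `<>`, every option must end with `;`, and the rule should carry a `sid` (Barnyard2 and Snorby identify an alert by its sid; local rules use 1000000 and above). It is only a pre-check; `snort -T -c /etc/snort/snort.conf` remains the authoritative test.

```python
"""Added example: a sanity check for Snort 2.x rule syntax (not Snort's parser).

The rule grammar checked here is the documented one:
    action proto src_ip src_port direction dst_ip dst_port (option; option; ...)
Only the fields a newcomer typically gets wrong are validated."""
import re

ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}
LOCAL_SID_MIN = 1_000_000  # range reserved for locally written rules
HEADER = re.compile(
    r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$",
    re.S,
)


def split_options(body):
    """Split 'msg:"a;b"; sid:1;' into (['msg:"a;b"', 'sid:1'], '').

    Semicolons inside double quotes do not terminate an option. Any text left
    after the last ';' is returned separately: it is an option that is
    missing its terminator, which Snort rejects."""
    opts, cur, quoted = [], [], False
    for ch in body:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            opts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    return opts, "".join(cur).strip()


def check_rule(rule):
    """Return a list of problems; an empty list means the checks passed."""
    m = HEADER.match(rule.strip())
    if not m:
        return ["header must be: action proto src sport -> dst dport (options)"]
    action, proto, _src, _sport, _dir, _dst, _dport, body = m.groups()
    problems = []
    if action not in ACTIONS:
        problems.append(f"unknown action '{action}'")
    if proto not in PROTOCOLS:
        problems.append(f"protocol must be one of {sorted(PROTOCOLS)}, not '{proto}'")
    opts, tail = split_options(body)
    if tail:
        problems.append("every option must end with ';'")
        opts.append(tail)
    sid = next((int(o[4:].strip()) for o in opts if o.startswith("sid:")), None)
    if sid is None:
        problems.append("no sid; Barnyard2/Snorby cannot label the alert")
    elif sid < LOCAL_SID_MIN:
        problems.append(f"local rules should use sid >= {LOCAL_SID_MIN}")
    return problems


if __name__ == "__main__":
    # The rule from the post above, and a corrected local rule for comparison.
    for r in (
        'alert any any any <> any any (msg:"This will alert on all detected traffic!";)',
        'alert icmp any any -> $HOME_NET any (msg:"LOCAL icmp seen"; sid:1000001; rev:1;)',
    ):
        print(r, "->", check_rule(r) or "ok")
```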

I would advise you to

I would advise you to research this on the snort.org forums, there is an especially helpful section in the snort manual specifically about writing custom rules and even more information simply by googling custom snort rules.

I got ahead of myself when

I got ahead of myself when reading your post, look farther up in regards to running snorby in a vm.  You will need to make sure you have your vswitch and nic configured correctly on esx. 

Extra Info

Happy new year to all!

The way I have setup the network cards on VMWare Player is as follows:

eth0 is host-only, eth1 is bridged.

eth0 is the sensor.

If I run an intense nmap scan the snort logs populate and I can see these in the web console. I have not changed any rules at this time and the system uses emerging.conf.

If I change the rules and hash out emerging.conf and add my custom created test.rules, no snort logs are populated.

Thanks in advance.

Insta-Snorby with three NICs, two of them as sensors.

Since my snorby installation is now working just as I like it, I wanted to give something back.

Here's a quick writeup of my working insta-snorby setup: two network cards as sensors on SPANs, plus an additional card for administration. (OpenFPC works for both interfaces too; I can post the config files if needed.)
I hope this is not considered too long for posting. These changes can be made from the command line after the initial snorby installation has been completed.

- Additions to /etc/network/interfaces (eth0 and eth1 are the sensors, they don't have IPs; eth2 is the admin interface and not shown)

auto eth0
iface eth0 inet manual
auto eth1
iface eth1 inet manual

- Edit as appropriate after copying:
cp /etc/snort/snort.conf /etc/snort/snort_eth0.conf
cp /etc/snort/snort.conf /etc/snort/snort_eth1.conf

- Change the interface name in the files after copying:

cp /etc/snort/barnyard2.conf  /etc/snort/barnyard2_eth0.conf
cp /etc/snort/barnyard2.conf  /etc/snort/barnyard2_eth1.conf

- Edit /usr/lib/inithooks/everyboot.d/88snortstart

# The interfaces need to be up
/sbin/ifconfig eth0 up
/sbin/ifconfig eth1 up

# Start snort
/usr/local/bin/snort -g snort -u snort -c /etc/snort/snort_eth0.conf -i eth0 -D
/usr/local/bin/snort -g snort -u snort -c /etc/snort/snort_eth1.conf -i eth1 -D

# Start barnyard
/usr/local/bin/barnyard2 -c /etc/snort/barnyard2_eth0.conf \
        -G /etc/snort/gen-msg.map \
        -S /etc/sid-msg.map \
        -d /var/log/snort \
        -f snort_eth0.u2 \
        -w /var/log/snort/barnyard2_eth0.waldo \
        -D

/usr/local/bin/barnyard2 -c /etc/snort/barnyard2_eth1.conf \
        -G /etc/snort/gen-msg.map \
        -S /etc/sid-msg.map \
        -d /var/log/snort \
        -f snort_eth1.u2 \
        -w /var/log/snort/barnyard2_eth1.waldo \
        -D

- Edit the snorby mailerconfig (yours will be different) /var/www/snorby/config/initializers/mail_config.rb

ActionMailer::Base.delivery_method = :smtp
ActionMailer::Base.smtp_settings = {
  :address              => "192.168.xx.yy",
  :port                 => 25,
}
ActionMailer::Base.perform_deliveries = true
ActionMailer::Base.raise_delivery_errors = true

- You need to tell pulledpork that there are two sensors now: /root/pulledpork-0.6.1/etc/pulledpork.conf

pid_path=/var/run/snort_eth0.pid,/var/run/barnyard2_eth0.pid,/var/run/snort_eth1.pid,/var/run/barnyard2_eth1.pid

- Have a look at /var/www/snorby/db/seeds.rb if you want to reset snorby so that the default values are already as you like them.

- Reset the snorby configuration (filched from the insta-snorby setup scripts) so that you get a clean dashboard and get rid of the initial setup with just one interface. You need to prepend sudo if you are not root.

#Stop Snorby, Snort and Barnyard
killall /usr/local/bin/snort
killall /usr/local/bin/barnyard2
#Killall rails/snorby? Workers?
 
#Delete Database
echo "drop database snorby;"|mysql --user=root --password=....
 
#Reconfigure Snorby
cp /root/snorby_config.yml /var/www/snorby/config/snorby_config.yml
cd /var/www/snorby && /usr/local/bin/rake -f /var/www/snorby/Rakefile snorby:setup RAILS_ENV=production
cd /var/www/snorby && /usr/local/bin/rails runner 'Setting.set(:email, "snorby@yoursite")'
cd /var/www/snorby && /usr/local/bin/rails runner 'Setting.set(:autodrop, true)'
cd /var/www/snorby && /usr/local/bin/rails runner 'Setting.set(:autodrop_count, 500000)'
# /var/www/snorby/db/seeds.rb -> initial passwd
#openfpc
cd /var/www/snorby && /usr/local/bin/rails runner 'Setting.set(:packet_capture, 1)'
cd /var/www/snorby && /usr/local/bin/rails runner "Setting.set(:packet_capture_url, 'https://<insta-snorby IP>/openfpc/cgi-bin/extract.cgi')"
cd /var/www/snorby && /usr/local/bin/rails runner "Setting.set(:packet_capture_type, 'openfpc')"
cd /var/www/snorby && /usr/local/bin/rails runner 'Setting.set(:packet_capture_auto_auth, 1)'
cd /var/www/snorby && /usr/local/bin/rails runner "Setting.set(:packet_capture_user, 'openfpc')"
#Password from your openfpc config files
cd /var/www/snorby && /usr/local/bin/rails runner "Setting.set(:packet_capture_password, '.....')"
# Start Snorby
/usr/lib/inithooks/everyboot.d/87snorbywork
/usr/lib/inithooks/everyboot.d/88snortstart


- Manually clear the Dashboard if you get no updates.
https://github.com/Snorby/snorby/wiki/Insta-Snorby-0.8.0-Install-Notes-%...

cd /var/www/snorby
/usr/local/bin/rails runner 'Snorby::Jobs.clear_cache(true)'
/usr/local/bin/rails runner 'Snorby::Jobs.run_now!'

- Do you have problems with the daily cache job? Do:
https://github.com/Snorby/snorby/issues/109

- The web said that this was missing from early insta-snorbys and speeds up the dashboard interaction. I think it's included now.
apt-get install memcached

- Here's a very quick, very dirty and unsafe shell script that sends you an email whenever a new high severity alert occurs. It just writes the current alarm count into a temporary file and compares the numbers the next time around. Run it periodically via cron (crontab -e) if you like. (And clean up the code, for heaven's sake.)
#!/bin/bash
# Mails you when the Snorby "High Severity" counter has grown since the last run.
# Still quick and dirty: the MySQL password sits in the script (a root-only
# ~/.my.cnf would be better) and the state file lives in world-writable /tmp.
STATE=/tmp/snortalerts.txt

ALERTS=$(/usr/bin/mysql --user=root \
               --password=.... \
               --database=snorby \
               --execute="select events_count from severities where name='High Severity';" \
               --skip-column-names --batch) || { echo "mysql query failed"; exit 1; }
# Refuse to go on with a non-numeric count (e.g. the severity row is missing)
case $ALERTS in
  ''|*[!0-9]*) echo "unexpected alert count '$ALERTS'"; exit 1 ;;
esac
# First run: no state file yet, so compare against 0 instead of an empty string
OLDALERTS=$(cat "$STATE" 2>/dev/null)
OLDALERTS=${OLDALERTS:-0}

echo "Checking Snort high severity alert status:"
echo "Alerts:    $ALERTS"
echo "Oldalerts: $OLDALERTS"

if [ "$ALERTS" -gt "$OLDALERTS" ]; then
  (
   echo "From: snorby@yourdomain"
   echo "To: you@yourdomain"
   echo "Subject: Snort High Severity Alert!"
   echo                       # blank line separates headers from body
   echo "Sqeeeeeek! Squeeeeeek! Squeeeek! SNORT ALARM"
   echo
   echo "http://<insta-snorby IP>/dashboard?range=today"
   echo
  ) | /usr/sbin/sendmail -f snorby@yourdomain you@yourdomain
  echo "$ALERTS > $OLDALERTS Alarm mail sent."
else
  echo "$ALERTS is not greater than $OLDALERTS Doing nothing."
fi

echo "$ALERTS" > "$STATE"
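The write-up above says to copy snort.conf and barnyard2.conf per interface and "edit as appropriate" without showing the edit. The script below is an added example (not from the post) that derives the per-interface files. It assumes the stock snort.conf carries an "output unified2: filename <name>.u2, ..." line and the stock barnyard2.conf a "config interface: <if>" line: the spool name is what each barnyard2 instance is pointed at with -f, and the interface name, together with config hostname, is how Snorby tells the two sensors apart. The demo at the bottom runs on constructed stand-ins for the two files so it works anywhere; on the appliance you would call it against /etc/snort.

```shell
#!/bin/sh
# Added example, not from the original post: derive per-interface snort and
# barnyard2 configs from the stock insta-snorby ones.
# Assumptions: snort.conf has "output unified2: filename <x>.u2, ..." and
# barnyard2.conf has "config interface: <if>".

# mk_sensor_confs SRCDIR DSTDIR IFACE
#   SRCDIR holds snort.conf and barnyard2.conf (normally /etc/snort)
#   DSTDIR receives snort_IFACE.conf and barnyard2_IFACE.conf
mk_sensor_confs() {
    src=$1 dst=$2 ifc=$3
    [ -r "$src/snort.conf" ] && [ -r "$src/barnyard2.conf" ] || return 1
    # unique unified2 spool name per sensor, e.g. snort_eth1.u2 (matches barnyard2 -f)
    sed "s|^\(output unified2: *filename \)[^,]*|\1snort_${ifc}.u2|" \
        "$src/snort.conf" > "$dst/snort_${ifc}.conf"
    # sensor identity reported to Snorby: hostname plus this interface
    sed "s|^config interface:.*|config interface: ${ifc}|" \
        "$src/barnyard2.conf" > "$dst/barnyard2_${ifc}.conf"
}

# unified2_name CONF -> the spool filename a derived snort conf writes to
unified2_name() {
    sed -n 's|^output unified2: *filename \([^,]*\).*|\1|p' "$1"
}

# by2_interface CONF -> the interface a derived barnyard2 conf reports
by2_interface() {
    sed -n 's|^config interface: *\(.*\)|\1|p' "$1"
}

# Demo on constructed stand-ins for the stock files.
# On the appliance: mk_sensor_confs /etc/snort /etc/snort eth0 (and eth1).
demo_dir=$(mktemp -d)
printf 'output unified2: filename snort.u2, limit 128\n' > "$demo_dir/snort.conf"
printf 'config hostname: insta-snorby\nconfig interface: eth0\n' > "$demo_dir/barnyard2.conf"
for i in eth0 eth1; do
    mk_sensor_confs "$demo_dir" "$demo_dir" "$i"
    echo "$i: spool=$(unified2_name "$demo_dir/snort_$i.conf") interface=$(by2_interface "$demo_dir/barnyard2_$i.conf")"
done
rm -rf "$demo_dir"
```

After generating the files, check each with `snort -T -c /etc/snort/snort_eth0.conf -i eth0` before wiring them into 88snortstart; the waldo files and pid paths in the hook and in pulledpork.conf must use the same per-interface names.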

Why are all the links to insta-snorby dead ?

What's happened? Why are all the links to insta-snorby dead?

 


Because they are communicating poorly?

Maybe I am a bit mean in saying that, because I do not follow Snorby on Twitter (or whatever other hellish fragmented social network communications outlet is en vogue today; yes, get off my lawn :-) ).

You can still get the patches to TurnKey Linux on GitHub, I think: https://github.com/Snorby/insta-snorby. But the official Snorby demo install seems to be Security Onion now, http://securityonion.blogspot.com/, as you can see on the Snorby homepage. There is no mention of the change on the homepage http://www.snorby.org but the button that used to say insta-snorby is now labeled Security Onion.

Security Onion is a nice distribution. I liked the small, compartmentalized insta-snorby better for learning what makes a working snort/snorby/openfpc system run, but Security Onion offers much, much more.

Insta-Snorby

You can still download Insta-Snorby at the following location.

http://www.snorby.org/Insta-Snorby-0.8.0.iso

Thanks

Many thanks :)

why not download

why not download Insta-Snorby-0.9.0.iso
