TurnKey Linux Virtual Appliance Library

Insta-Snorby, the Official Snort + Snorby Turn-Key Solution!

EDIT **01/23/2011** New Version Available (0.6.0) Changed info below to reflect

Hey everyone. I am proud to announce the creation of my first turnkey-linux TKLpatch!

Insta-Snorby is a new appliance that is essentially a fully-ready snort solution out of the box. The ISO still needs some slight tweaks but I've published the source and full overlay at https://github.com/Snorby/insta-snorby under GPLv3

The ISO can be found here: 

http://www.snorby.org/Insta-Snorby-0.6.0.iso

I was new to turnkey-linux starting this week so I want to thank the core devs and this community for doing such a great job with documentation and putting up their own TKL examples.

Hopefully you guys find this useful! Don't be shy with bugs, feedback and other issues you might encounter!

The appliance is designed for users who want to test Snorby 2.2.1 (a new Snort IDS front-end) or need a quick and dirty snort sensor installed.

It comes with the following:

  • Snort 2.9.0.3 - The latest version of the popular Intrusion Detection System
  • Barnyard 2.19  - An application that deciphers Snort unified2 logs and puts them into the snorby database
  • Snorby 2.2.1 - The IDS front-end
  • OpenFPC - Full packet capture monitoring
  • Pulled Pork 0.5 - IDS rule update management

The installation process will walk you through setting up the MySQL server and ask you to put in your "Oinkcode" which will automatically download the latest VRT rules (the sigs that power the IDS) from SourceFire. Emerging Threat rules (another popular rules distro) are already downloaded and enabled.

To use the appliance effectively, you can do one of the following:

  1. In a VM bridge eth0 with the interface on the host you want to monitor
  2. Use a physical server and attach it to a network tap or a mirrored port on your switch

Once the appliance is installed you simply browse to https://<ip> and log in with the following credentials:

user: snorby@snorby.org
password: snorby

Read more at the following places

Snorby home-page - http://snorby.org

Latest Snorby Blog Post - https://lookycode.com/posts/5-New-Snorby-2-2-1-and-Insta-Snorby-0-6-0!-

 

New Features since 0.5.0

  • Added option to enable pulled pork to automatically update rules
  • Added setup screen to choose the interface you would like Snort, Barnyard2, and OpenFPC to run on
  • Added timezone selection screen
  • Added seamless authentication to OpenFPC installation from Snorby

Enhancements since 0.5.0

  • Upgraded Snorby from 2.1.0 to 2.2.1
  • Upgraded to Barnyard 1.9 branch 
  • Upgraded to Snort 2.9.0.3

Bug Fixes since 0.5.0

  • Fixed production log permissions issue
  • Fixed bug that did not restart Snorby workers on subsequent reboots
  • Fixed issue with ruleset that was not showing VRT alert names in Snorby
  • Changed default Snorby mail address to actual .localdomain

Snorby vs Insta-Snorby?

I just recently discovered Snorby and was configuring it.  I was trying to figure out how to use my oinkcode, and during my search found your site with "Insta-Snorby".  How does this differ from the regular Snorby at http://bailey.st/blog/smooth-sec/  ?

Suppression is your friend - The wood for the trees!

I think one of the most topical questions once one has a Snort instance up and running is what to do with all the alert information. The key to a useful IDS deployment is to spend some time profiling your network traffic. The first time you fire up Snorby you are going to get shed loads of alerts. In most commercial deployments most of these alerts will be false positives, or maybe stuff you know you shouldn't be doing, like SNMP public strings, but you know all this, right? What you are looking for is the really nasty stuff.

Spend some time going through the alerts and weeding out the false positives. For instance, I had a load of high alerts about p2p traffic; it turned out it was our Ghost server just going about its normal business. Then there was a load of SNMP public string alerts; yeah, we know that's bad, but the source was snmp_traphost.xxx.xxx. Let's park these for the moment and tune our ears. We know that sort of stuff is bad, but we can take note of these issues / risks, add them to our risk register for fixing and move on.

What you want to do is suppress all the traffic you know you shouldn't have, log it in a risk register and deal with it. By using suppression you can then have a pretty quiet system, listening only for that nasty traffic that you will get a pay rise for proactively managing. So in my opinion, after you have configured snort.conf, preprocessors etc., take some time to reduce the background noise with suppression. Below is an excerpt from my /etc/snort/threshold.conf.

What you want to do is spend some time identifying and suppressing stuff you trust so that the static is reduced and you can see clearly.

 

# stops this gen/sig ID from firing anywhere (comments in threshold.conf start with '#')
suppress gen_id 119, sig_id 19
suppress gen_id 119, sig_id 15
suppress gen_id 119, sig_id 14
# stops this gen/sig ID from firing only when the destination is 10.1.1.94
suppress gen_id 122, sig_id 3, track by_dst, ip 10.1.1.94
# stops this gen/sig ID from firing only when the source is 10.203.5.139
suppress gen_id 1, sig_id 2008597, track by_src, ip 10.203.5.139

 

Hope this helps! I really can't stress enough that if you don't spend the time to tune your IDS it will just give you a buzz for a few days and then no one, including you, will ever look at it again!

Regards

 

Dylan
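The post above suppresses by gid/sid, optionally restricted to a source or destination address. The Python below is an added example (not code from the post, nor from Snort or Snorby) that re-implements those suppress semantics so a proposed threshold.conf change can be dry-run against a batch of alerts before it is pushed to the sensor. The rule text and the alert records are constructed for illustration; the address-list form `ip [a, b]` is included to show the general case beyond the single addresses in the excerpt.

```python
"""Apply Snort threshold.conf 'suppress' rules to a batch of alerts.

Added example: this is not code from the original post or from Snort/Snorby.
It re-implements the suppress semantics (gid/sid match, optionally restricted
to a source or destination address list) so that a tuning change can be
tried against alerts before touching the sensor. The rule text and the alert
records below are constructed for illustration.
"""
import ipaddress
import re

# suppress gen_id <gid>, sig_id <sid>[, track by_src|by_dst, ip <addr|cidr|[list]>]
SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
    r"(?:\s*,\s*track\s+(by_src|by_dst)\s*,\s*ip\s+(\[[^\]]*\]|\S+))?$"
)

# Constructed: mirrors the excerpt in the post, plus an address-list form.
SAMPLE_CONF = """\
# quiet noisy http_inspect events everywhere
suppress gen_id 119, sig_id 19
suppress gen_id 119, sig_id 15
# only when the destination is the trap host
suppress gen_id 122, sig_id 3, track by_dst, ip 10.1.1.94
# only when the source is inside the listed networks
suppress gen_id 1, sig_id 2008597, track by_src, ip [10.203.5.0/24, 192.168.1.10]
"""

# Constructed alerts: gid/sid plus the addresses the sensor saw.
SAMPLE_ALERTS = [
    {"gid": 119, "sid": 19, "src": "10.0.0.7", "dst": "10.1.1.20"},
    {"gid": 119, "sid": 14, "src": "10.0.0.7", "dst": "10.1.1.20"},
    {"gid": 122, "sid": 3, "src": "10.1.1.94", "dst": "10.1.1.5"},
    {"gid": 122, "sid": 3, "src": "10.1.1.5", "dst": "10.1.1.94"},
    {"gid": 1, "sid": 2008597, "src": "10.203.5.139", "dst": "203.0.113.9"},
    {"gid": 1, "sid": 2008597, "src": "10.204.5.139", "dst": "203.0.113.9"},
]


def parse_suppressions(text):
    """Return a list of (gid, sid, track, networks) from threshold.conf text.

    Comments run from '#' to end of line. Lines that are not 'suppress'
    lines (e.g. event_filter) are skipped; a malformed suppress line is an
    error, because Snort would refuse to start on it.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or not line.startswith("suppress"):
            continue
        m = SUPPRESS_RE.match(line)
        if not m:
            raise ValueError(f"malformed suppress line: {raw!r}")
        gid, sid, track, ips = m.groups()
        nets = None
        if track:
            # single address, CIDR, or a bracketed comma-separated list
            nets = [ipaddress.ip_network(x.strip(), strict=False)
                    for x in ips.strip("[]").split(",")]
        rules.append((int(gid), int(sid), track, nets))
    return rules


def is_suppressed(alert, rules):
    """True if a rule matches the alert's gid/sid and, when tracked, its address."""
    for gid, sid, track, nets in rules:
        if (gid, sid) != (alert["gid"], alert["sid"]):
            continue
        if track is None:
            return True  # unconditional suppression of this gid/sid
        key = "src" if track == "by_src" else "dst"
        addr = ipaddress.ip_address(alert[key])
        if any(addr in net for net in nets):
            return True
    return False


def filter_alerts(alerts, rules):
    """Alerts that would still reach the console after suppression."""
    return [a for a in alerts if not is_suppressed(a, rules)]


if __name__ == "__main__":
    rules = parse_suppressions(SAMPLE_CONF)
    for a in filter_alerts(SAMPLE_ALERTS, rules):
        print(f"still alerting: gid={a['gid']} sid={a['sid']} {a['src']} -> {a['dst']}")
```

Of the six constructed alerts, three survive: the 119:14 event (never suppressed in the sample config), the 122:3 event whose destination is not the trap host, and the 2008597 event whose source falls outside the listed networks. Note that `track by_dst` only looks at the destination, so a noisy host that is the source of the same signature is still reported; pick the tracking side deliberately rather than copying an existing line.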

Snorby Issue 0.8

Hi,

I just installed Snorby from the Insta-Snorby-0.8.0.iso file, and now I am on the admin page and can access SSH, but there has been nothing on the dashboard for the last 3 hours. I enabled the rules in /etc/snort/snort.conf but still nothing is showing.

root@Insta-Snorby ~# pico /etc/network/interfaces
auto eth0
iface eth0 inet static
address 172.16.1.9
netmask 255.255.255.0
gateway 172.16.1.1
dns-nameservers 172.20.4.10

auto eth1
iface eth1 inet dhcp

Can anybody help me?

Are there any good commands to start, stop and restart the Snorby services, and also how do I download Snort rules? /etc/oinkmaster.conf

Regards,

Saeed

insta-snorby 0.9.0

I've installed the latest (0.9.0) version, when I try to add a new user there is no field for a password, and it fails saying a password is required.

HELP HELP with Insta-Snorby Installation!!!!

Hi Terracatta

Please I am evaluating Snorby and its features in comparison with other NSM tools.

Right now I am working on an experiment of using your insta-Snorby to monitor traffic.

I am able to run Insta-Snorby and log on but no traffic is monitored.

It only show localhost:eth0 and there is no traffic.

Please help with how I should set up the network and configuration?

I am using just two computers (VM) and using hub and ADSL connection.

how best should l connect and configure to get it functioning?

How would I configure the Ethernet interface to run in promiscuous mode?

I am counting on your help.

I look forward to hearing from you.

 

Regards

Interfaces / config

VM = Bridge all adapters, don't use NAT.

Check: Barnyard.conf - Make sure the interface listed is the one you want to sniff on

Check scripts in: /usr/lib/inithooks/everyboot.d - Make sure you have the right interface configs

Check your logs for errors: Syslog etc.

Check interfaces are up: for the sniffing interface use ifconfig eth1 [or whatever your instance is] up. This will bring the sniffing interface up correctly with no IP.

 

DDJ
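The checklist above comes down to one property: the sniffing interface must be up, with no address, in promiscuous mode, and must stay that way across reboots. The Python below is an added example (not code from the thread or from the Insta-Snorby project) that checks a Debian-style /etc/network/interfaces file for exactly that and emits the stanza a passive capture port should have. The sample file is constructed to mirror the one posted earlier in the thread, eth1 is assumed to be the sniffing interface, and the recommended stanza uses `ip link` together with ifupdown's `$IFACE` variable.

```python
"""Check whether a Debian /etc/network/interfaces file configures the
sensor's sniffing port the way a passive tap/SPAN port should be set up:
no address, brought up in promiscuous mode, and marked auto.

Added example: not code from the thread or from Insta-Snorby. The sample
file below is constructed to mirror the one posted above; eth1 is assumed
to be the sniffing interface. The recommended stanza uses 'ip link' and
ifupdown's $IFACE variable, which ifupdown exports to up/down commands.
"""

# Constructed: eth0 is the management interface, eth1 the intended sniffer.
SAMPLE_INTERFACES = """\
auto eth0
iface eth0 inet static
address 172.16.1.9
netmask 255.255.255.0
gateway 172.16.1.1
dns-nameservers 172.20.4.10

auto eth1
iface eth1 inet dhcp
"""


def parse_interfaces(text):
    """Return {name: {"method": str, "auto": bool, "options": [(key, value), ...]}}.

    'options' keeps repeated keys (several 'up' lines) in file order.
    """
    ifaces, auto, current = {}, set(), None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] in ("auto", "allow-hotplug"):
            auto.update(parts[1:])
        elif parts[0] == "iface" and len(parts) >= 4:
            current = parts[1]
            ifaces[current] = {"method": parts[3], "auto": False, "options": []}
        elif current is not None:
            ifaces[current]["options"].append((parts[0], " ".join(parts[1:])))
    for name in auto:
        if name in ifaces:
            ifaces[name]["auto"] = True
    return ifaces


def sniff_interface_problems(text, sniff_iface):
    """List what is wrong with sniff_iface for use as a passive capture port."""
    cfg = parse_interfaces(text).get(sniff_iface)
    if cfg is None:
        return [f"{sniff_iface}: no iface stanza, so it is never brought up"]
    problems = []
    if cfg["method"] != "manual":
        problems.append(f"{sniff_iface}: 'inet {cfg['method']}' assigns an address; "
                        "a tap/SPAN port should be 'inet manual'")
    if any(key == "address" for key, _ in cfg["options"]):
        problems.append(f"{sniff_iface}: static address configured on the capture port")
    ups = [val for key, val in cfg["options"] if key == "up"]
    if not any("promisc" in val for val in ups):
        problems.append(f"{sniff_iface}: no 'up' command enables promiscuous mode")
    if not cfg["auto"]:
        problems.append(f"{sniff_iface}: not marked 'auto', so it stays down after reboot")
    return problems


def recommended_stanza(sniff_iface):
    """ifupdown stanza for a capture-only interface: up, promiscuous, no IP."""
    return (
        f"auto {sniff_iface}\n"
        f"iface {sniff_iface} inet manual\n"
        f"    up ip link set $IFACE up promisc on\n"
        f"    down ip link set $IFACE down promisc off\n"
    )


if __name__ == "__main__":
    for problem in sniff_interface_problems(SAMPLE_INTERFACES, "eth1"):
        print("problem:", problem)
    print("suggested stanza:\n" + recommended_stanza("eth1"))
```

Run against the sample file this reports two problems for eth1: it is configured for DHCP (a capture port that requests a lease is both visible on the monitored segment and at the mercy of the DHCP server), and nothing puts it into promiscuous mode, so Snort only sees frames addressed to the sensor's own MAC. Swapping the eth1 stanza for the recommended one clears both. Bringing the interface up by hand with ifconfig, as described above, works until the next reboot; the stanza makes it persistent.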

Many thanks DDJ

Many thanks DDJ.

I've got Snorby sniffing packet on eth1 now.

That's a good step towards my work so far.

0.9 .iso File Corrupted

Hi,

http://www.snorby.org/Insta-Snorby-0.9.0.iso

This download URL is not working.

Kindly tell me where from i download the file?

Regards,

Saeed


I can confirm that it's not just you...

Neither the 0.8 nor the 0.9 link appears to be working...? The website is up, so I don't know what's happening.

Insta-Snorby 0.9.0 links broken

Hi, 

Any update on this? Any place I can download the iso other than www.snorby.org? 

Regards, 

Ramongb

download...

Still no access to the 0.9.0 link... any updates on when it will be back up?

 
