Terracatta's picture

EDIT **01/23/2011** New Version Available (0.6.0) Changed info below to reflect

Hey everyone. I am proud to announce the creation of my first turnkey-linux TKLpatch!

Insta-Snorby is a new appliance that is essentially a fully-ready snort solution out of the box. The ISO still needs some slight tweaks but I've published the source and full overlay at https://github.com/Snorby/insta-snorby under GPLv3

The ISO can be found here: 

http://www.snorby.org/Insta-Snorby-0.6.0.iso

I was new to turnkey-linux starting this week so I want to thank the core devs and this community for doing such a great job with documentation and putting up their own TKL examples.

Hopefully you guys find this useful! Don't be shy with bugs, feedback and other issues you might encounter!

The appliance is designed for users who want to test Snorby 2.2.1 (a new Snort IDS front-end) or need a quick and dirty snort sensor installed.

It comes with the following:

  • Snort 2.9.0.3 - The latest version of the popular Intrusion Detection System
  • Barnyard 2.19  - An application that deciphers Snort unified2 logs and puts them into the snorby database
  • Snorby 2.2.1 - The IDS front-end
  • OpenFPC - Full packet capture monitoring
  • Pulled Pork 0.5 - IDS rule update management

The installation process will walk you through setting up the MySQL server and ask you to put in your "Oinkcode" which will automatically download the latest VRT rules (the sigs that power the IDS) from SourceFire. Emerging Threat rules (another popular rules distro) are already downloaded and enabled.

To use the appliance effectively, you can do one of the following:

  1. In a VM bridge eth0 with the interface on the host you want to monitor
  2. Use a physical server and attach it to a network tap or a mirrored port on your switch

Once the appliance is installed you simply browse to https://<ip> and login with the following credentials. 

user: snorby@snorby.org
password: snorby

Read more at the following places

Snorby home-page - http://snorby.org

Latest Snorby Blog Post - https://lookycode.com/posts/5-New-Snorby-2-2-1-and-Insta-Snorby-0-6-0!-


New Features since 0.5.0

  • Added option to enable pulled pork to automatically update rules
  • Added setup screen to choose interface you would like Snort,Barnyard2, and OpenFPC to run on
  • Added timezone selection screen
  • Added seamless authentication to OpenFPC installation from Snorby

Enhancements since 0.5.0

  • Upgraded Snorby from 2.1.0 to 2.2.1
  • Upgraded to Barnyard 1.9 branch 
  • Upgraded to Snort 2.9.0.3

Bug Fixes since 0.5.0

  • Fixed production log permissions issue
  • Fixed bug that did not restart Snorby workers on subsequent reboots
  • Fixed issue with ruleset that was not showing VRT alert names in Snorby
  • Changed default Snorby mail address to actual .localdomain

sbscherer's picture

First, I am really looking forward to testing out your appliance.  I am struggling with a snort install at the moment.  Thank you for sharing this with the community.  

Second, what can you tell us about this appliance?  What would a security novice need to know to get this thing deployed.  For example:

  • Is it designed for a mirror port with a LAN sensor?
  • Is it configured with multiple network interfaces for the sensor(s) and web-interface?
  • What mode is it set up in?
  • Any special administrative notes?

You might be able to leverage the Dev Wiki as well as this forum for info.

http://wiki.turnkeylinux.org/

http://wiki.turnkeylinux.org/TKLPatch/Patches

*On a side note, your ISO download link doesn't appear to be working at the moment.

Terracatta's picture

Thanks for the heads up on the download link. Looks like github only lets the downloads work when you click the link on their site.

Here is a mirror http://rootedyour.com/enhanced/Insta-Snorby-0.4.iso

To answer your questions.

The appliance is designed for users who want to test Snorby 2.0 (a new Snort IDS front-end) or need a quick and dirty snort sensor installed.

It comes with the following:

  • Snort 2.9.0.2 - The latest version of the popular Intrusion Detection System
  • Barnyard 2.18  - An application that deciphers Snort unified2 logs and puts them into the snorby database
  • Snorby 2.0.0 - The IDS front-end

The installation process will walk you through setting up the MySQL server and ask you to put in your "Oinkcode" which will automatically download the latest VRT rules (the sigs that power the IDS) from SourceFire. Emerging Threat rules (another popular rules distro) are already downloaded and enabled.

To use the appliance effectively, you can do one of the following:

  1. In a VM bridge eth0 with the interface on the host you want to monitor
  2. Install a network tap on eth0 on the server you want to monitor (you can change the default interface in /usr/lib/inithooks/everyboot.d/88snortstart)

Once the appliance is installed you simply browse to https://<ip> and login with the following credentials. 

user: snorby@snorby.org
password: snorby

You can read more about the new snorby at https://lookycode.com/posts/2-Bye,-Bye-BASE--Sup-Snorby----2-0!

I hope this answers your questions!

sbscherer's picture

Snorby 2.0 is very intuitive, it is nice work.

I am having some trouble setting up the Snorby appliance with the bond between eth0 (LAN) and eth1 (SPAN/mirror port). Snort only logs the events specific to the appliance, rather than for all traffic events traversing the network when testing with NMAP.  I may be going about this all wrong or misunderstood directions.  

Assuming most people have devices with port mirroring, what is the ideal way to deploy this VM to monitor LAN events?

Terracatta's picture

Alright so if I understand you correctly, you have two interfaces on turnkey, eth0 (default LAN) and eth1 (which is traffic coming from a mirrored port on the switch).  You say you want snort to monitor all traffic from eth1.

If the above is correct all you need to do is specify -i eth1 as an option to snort's startup. The startup script is located at /usr/lib/inithooks/everyboot.d/88snortstart

Change

/usr/local/bin/snort -g snort -u snort -c /etc/snort/snort.conf -D

to

/usr/local/bin/snort -g snort -u snort -c /etc/snort/snort.conf -i eth1 -D

sbscherer's picture

I removed the VM bond and changed the snort configuration file as you suggested above.  However, I still have the same problem where snort/snorby are only monitoring eth0 instead of eth1.

I did some additional research and modified the Ubuntu /etc/network/interfaces configuration file from DHCP to the following:

auto eth1
iface eth1 inet manual

After running "ifconfig" in the terminal, I can see a massive number of RX and TX packets on eth1, so I believe the eth1 network interface settings are correct. Then, I ran "snort -i eth1 -v" and received all the packets traversing eth1 in the terminal.

However, for some reason, the change to the startup script you recommended above isn't getting picked up by Snorby (or isn't holding in Snort). The sensor still shows "localhost:eth0" in Snorby.  I ran a couple NMAP scans on different IP addresses and can verify Snorby is only monitoring eth0. 

I know I am getting close.  Am I missing a simple snort/snorby modification?

Terracatta's picture

Oh I forgot one last thing. In the Barnyard config /etc/snort/barnyard2.conf change the interface listed there from eth0 to eth1. Restart barnyard and it will show the correct config in Snorby.

I hope that helps!

sbscherer's picture

There may be an easier way to do this, but below are the steps I followed to configure Snorby 0.6 on a Citrix XenServer.  You will need a server with at least a dual-NIC.

  • Configure SPAN/Mirror port on switch
  • Plug SPAN/Mirror connection into Eth1 on XenServer
  • On Xen Hypervisor console type:
brctl setageing xenbr1 0
  • Install Snorby 0.6 from ISO on XenServer using "Other Install Media" template
  • Configure accordingly and choose to monitor Eth0 (the Snorby VM can't see the bridge yet on Eth1 from XenServer)
  • After completing the installation of the Snorby VM, update configuration files using the commands below, changing "eth0" to "eth1"
nano -w /etc/snort/barnyard2.conf
nano -w /usr/lib/inithooks/everyboot.d/88snortstart

Now XenServer will make all the mirror port traffic available to guests and the Snorby VM will be monitoring it over Eth1.  Visit the Snorby web interface and you should start seeing it populate with events.  

Directions were adapted from the link below:

http://support.citrix.com/article/CTX116204
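The two posts above (Terracatta's "-i eth1" edit of 88snortstart plus the barnyard2.conf interface change, and sbscherer's XenServer steps that edit the same two files and give eth1 an address-less stanza) amount to one procedure. The script below is an added example, not code from the thread or from Insta-Snorby, that performs it in one go and reads the result back so you can check it. It assumes only the paths the thread names (/usr/lib/inithooks/everyboot.d/88snortstart, /etc/snort/barnyard2.conf, /etc/network/interfaces); the sample file contents it builds for a rehearsal run are constructed from the defaults quoted in the thread, and the ROOT and SENSOR_IFACE variables are conveniences of this example. The promiscuous-mode stanza is an assumption on my part: Snort itself puts its interface into promiscuous mode via libpcap, but leaving the SPAN leg with no address and bringing it up at boot keeps the sensor passive and avoids the DHCP interface the appliance configures by default.

```shell
#!/bin/sh
# Added example (not from the thread or Insta-Snorby): point Snort and
# Barnyard2 at a dedicated sniffing interface and give that interface an
# address-less, promiscuous stanza. ROOT lets you rehearse on a copy of the
# tree first; ROOT=/ applies it to the real appliance.
set -eu
ROOT="${ROOT:-}"

# Print the -i value from the snort command line in the everyboot hook
# (prints nothing if no -i option is present).
snort_iface() {
    sed -n 's#.*/usr/local/bin/snort .*-i \([^ ]*\).*#\1#p' \
        "$ROOT/usr/lib/inithooks/everyboot.d/88snortstart"
}

# Print the interface named by "config interface:" in the Barnyard2 config.
barnyard_iface() {
    sed -n 's/^config interface:[[:space:]]*\([^[:space:]]*\).*/\1/p' \
        "$ROOT/etc/snort/barnyard2.conf"
}

# Rewrite the snort line: strip any existing -i option, then append the new one
# (snort accepts its options in any order). Returns 1 if no snort line exists.
set_snort_iface() {
    hook="$ROOT/usr/lib/inithooks/everyboot.d/88snortstart"
    grep -q '/usr/local/bin/snort ' "$hook" || return 1
    sed -e '\#/usr/local/bin/snort #s/ -i [^ ]*//g' \
        -e '\#/usr/local/bin/snort #s/$/ -i '"$1"'/' "$hook" > "$hook.new" \
        && mv "$hook.new" "$hook"
}

# Point Barnyard2 at the same interface so Snorby labels the sensor correctly.
set_barnyard_iface() {
    conf="$ROOT/etc/snort/barnyard2.conf"
    grep -q '^config interface:' "$conf" || return 1
    sed -e 's/^config interface:.*/config interface: '"$1"'/' "$conf" > "$conf.new" \
        && mv "$conf.new" "$conf"
}

# Append a stanza that brings the sniffing interface up with no address and in
# promiscuous mode at boot. Skipped if the interface already has a stanza.
add_sniffer_stanza() {
    ifaces="$ROOT/etc/network/interfaces"
    grep -q "^iface $1 " "$ifaces" && return 0
    cat >> "$ifaces" <<EOF

auto $1
iface $1 inet manual
    up ip link set dev $1 up
    up ip link set dev $1 promisc on
    down ip link set dev $1 down
EOF
}

# Constructed rehearsal tree: copies of the three files with the eth0 defaults
# quoted in the thread, so the script can be tried without touching a sensor.
make_rehearsal_tree() {
    ROOT=$(mktemp -d)
    mkdir -p "$ROOT/usr/lib/inithooks/everyboot.d" "$ROOT/etc/snort" "$ROOT/etc/network"
    printf '%s\n' '#!/bin/sh' \
        '/usr/local/bin/snort -g snort -u snort -c /etc/snort/snort.conf -D' \
        > "$ROOT/usr/lib/inithooks/everyboot.d/88snortstart"
    printf '%s\n' 'config logdir: /var/log/snort' 'config interface: eth0' \
        > "$ROOT/etc/snort/barnyard2.conf"
    printf '%s\n' 'auto lo' 'iface lo inet loopback' '' 'auto eth0' 'iface eth0 inet dhcp' \
        > "$ROOT/etc/network/interfaces"
}

SENSOR_IFACE="${SENSOR_IFACE:-eth1}"
[ -n "$ROOT" ] || make_rehearsal_tree
set_snort_iface "$SENSOR_IFACE"
set_barnyard_iface "$SENSOR_IFACE"
add_sniffer_stanza "$SENSOR_IFACE"
echo "snort sniffs $(snort_iface); barnyard2 reports $(barnyard_iface)"
```

Run it once with no ROOT to see it operate on the throwaway tree, then `ROOT=/ SENSOR_IFACE=eth1 sh thisscript.sh` on the appliance, restart barnyard2 and snort (or reboot, since the hook runs every boot), and confirm with `ps` that the running snort carries `-i eth1` and that Snorby now lists the sensor as localhost:eth1 rather than localhost:eth0. Both edit functions are idempotent, so re-running after a rules update or a rebuild of the hook is safe.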

Liraz Siri's picture

Many thanks for taking the effort to put this together and sharing the TKLPatch with the community. This kind of cross project open source collaboration is our dream come true for TurnKey.

On a personal note, Alon and I come from a security background so we have a soft spot for security related applications. We look forward to adding Snorby officially to the TurnKey library.

DervMan's picture

Hi there,

Great distro can't believe how easy it was to get a full IDS up and working. Nice work.

I need to specify a SMTP host for sending email, can you provide a little information on how the mail side of things is configured. I can see the four mail files in /var/log/ but they are empty.

Thanks in advance

Steve

Terracatta's picture

Dervman,

Snorby uses sendmail to send mail reports which I believe can be configured as an SMTP server or you can relay it to an existing one.

version 0.5 of the ISO comes with sendmail preconfigured which can be found at http://www.snorby.org/Insta-Snorby-0.5.iso

I tried to use this latest InstaSnorby and I am getting Kernel Panic.

I am using ESX 4.1. I tried swapping the various HD Controllers, but that doesn't seem to resolve the issue. Doesn't look like I can upload images, so I will type out what my screen shot shows.


udevadm[512]: segfault at 2 ip 00000002 sp bfe55a74 error 4 in ld-linux.so.2[460000+1b000]

squashfs: version 4.0 (2009/01/31) Phillip Lougher

init[1]: segfault at 5 ip 00000005 sp bfe6e944 error 4 in libnih.so.1.0.0[38e000+12000]

Kernel panic - not syncing: Attempted to kill init!

Pid: 1, comm: init Not tainted 2.6.32-25-generic #44-Ubuntu


There is more, but I don't know if it is relevant, this seemed to be the most relevant. Any ideas?

Works with ESXi 4.1 just fine ironically enough.


Jeremy Davis's picture

But for some it is fine. Strange that it works for you on ESXi but not ESX! The thread I am referring to is here. The workaround that worked for the poster there was to disable 'acceleration' during boot and reenable it afterwards see if that works.

Alon Swartz's picture

TurnKey 11.1 VMDK and OVF builds have been optimized for virtualization (linux-virtual kernel, vmware-tools), for more information see build types

Please note that we re-built and re-uploaded new 11.1 images after a bug was reported. The updated 11.1 are now reported to work without issue on ESX 4.1, and other platforms.

Regarding TKLPatch'ed ISOs, you might want to swap out the generic kernel for linux-virtual instead if the workaround JedMeister mentioned doesn't work for you. BTW, Snorby will most likely make it into Part II of 11.1, which will come with VM optimized images.

Jeremy Davis's picture

It's a bug that occurs with the combination of the Ubuntu 10.04/Lucid (basis of TKL) kernel, VMware ESX/ESXi v4.1 and certain hardware. As the source of the problem is out of the control of TKL (upstream Ubuntu kernel, 3rd party proprietary OS and 3rd party hardware) the timeframe of this problem being properly fixed is completely unknown. In the meantime your choices are fairly simple:

  • Get a different Hypervisor OS (ie ditch ESXi - or at least go back to v4.0/v3.x - assuming it's stable and secure). My personal recommendation is ProxmoxVE (free and open source). IMO this is the best solution.
  • Replace the Lucid kernel (there is a backported 10.10/Maverick one available in the repos). This is probably the easiest workaround in the short-term, although it is possible that support for this kernel will end (~04/2012) prior to an updated TKL release (complete guess but possibly late 2012).
  • Replace your hardware. This is obviously the least favourable option and you will need to be careful to make sure that your new hardware will not reproduce this bug - no idea how you do that without testing it first though.

Terracatta's picture

Hi guys,

I wanted to let everyone know I did a quick Insta-Snorby update (now at version 0.7.0) a few days ago to include the latest version of Snorby which contains a ton of app-level bug fixes and feature enhancements. While I was in the source I also updated ruby 1.9.2's patch-level, rubygems, snort, pulled-pork, and open-fpc to their latest versions.

You can download it at http://snorby.org/

Mephux is planning a big feature release at some point early next week which could introduce more dependencies and I will release another minor update to accommodate it as well.

Unfortunately none of the bugs and issues you've all reported here were fixed in 0.7.0 and won't be fixed for next release. I am planning on starting work on a more sophisticated Insta-Snorby that handles much of the setup process through an easy to use web interface and take a lot of the feedback from this thread and elsewhere to implement in the new version. 

Insta-Snorby's goal is to greatly simplify and streamline a quick and dirty IDS installation and the new interface should help us achieve that better than the current setup. Hopefully one day we can graduate from it being a test platform to something people would be comfortable running and tweaking in production!

Thanks for supporting the project. If you guys have any success stories to share using Snorby or Insta-Snorby in your environments/networks let me know as Mephux and I would love to chat about what works and what doesn't!

Terracatta's picture

I don't have official documentation, but you can read more about OpenFPC here... (http://www.openfpc.org/)

In Insta-Snorby OpenFPC should be installed and configured correctly right out of the box (if you enabled it during installation). To pull a PCAP for an event simply open the event in snorby, click "packet capture options" and then click the desired time range in the dropdown. A PCAP should begin downloading which you can view in an application like wireshark.

Hope that helps!

wardrivn's picture

Does anyone know how to disable the advanced menu? 

TIA

Jeremy Davis's picture

But as the patch source is available on Github (see original post for link) you could have a look at that and pick out the relevant parts.

JetreL's picture

I was noticing that the web application was taking up 100% of cpu with Ruby when viewing the website. After looking at the configuration I noticed that the memcache gem is installed. Looking at the system I then noticed that memcache was not installed. From the cli I used:

apt-get install memcached

And the interface became almost instantly fast as well as the server load went down considerably. Just a heads up if you want a faster interface and lower server load for the next release.


carlos's picture

1) every time I boot the box, it tries to do the initial setup, is there a file/flag that I can put somewhere to prevent this

2) how can I verify/proof that pulledpork updates daily (if its daily or whatever)

3) I imagine I can set snort to send the logs to a syslog on real time , simply by working with the snort.conf?


Thank you all in advance

Jeremy Davis's picture

But I can answer question 1 somewhat. TBH I'm not sure what's going on there as if the firstboot scripts are completed properly then it should automatically be set to not run again (unless you manually invoke them or reset the flag). These first boot scripts are controlled by inithooks, see the documentation here.

carlos's picture

Jeremy, awesome thanks, it worked perfectly, for some reason didn't notice it was not the first boot, I set that manually and voila

any idea how to disable the advanced menu after the boot?

Jeremy Davis's picture

Unless you have a specific reason you don't need to disable that. It is designed to run on boot and causes no issues. If you wish to use the commandline you can just exit out of it. The only thing of any consequence it allows access to is networking config, and realistically if a user has physical access to your machine then they could simply upset networking by unplugging the cord anyway!

Having said all that it is possible to disable it. IIRC, confconsole uses the old sysv way of running services (as opposed to the newer Upstart way which many services in Ubuntu 10.04 use).

carlos's picture

and another one, how can I update the pw or even better, create a new user? we were looking into it but my programming guy doesn't know very much about ruby, apparently all the mysql sentences are encapsulated (looks good for security but I can't even change the password of the user!)

Abraham Sarfo's picture

Hi Terracatta

Please I am evaluating Snorby and its features in comparison with other NSM tools.

Right now I am working on an experiment of using your insta-Snorby to monitor traffic.

I am able to run Insta-Snorby and log on but no traffic is monitored.

It only show localhost:eth0 and there is no traffic.

Please help with how I should set up the network and configuration?

I am using just two computers (VM) and using hub and ADSL connection.

how best should l connect and configure to get it functioning?

How would I configure the ethernet to run in promi 

I am counting on your help.

I look forward to hearing from you.


Regards

Abraham Sarfo's picture

Many thanks DDJ.

I've got Snorby sniffing packet on eth1 now.

That's a good step towards my work so far.

Jeremy Davis's picture

Neither the 0.8 or 0.9 links appear to be working...? The website is up, so don't know what's happening?

Jeremy Davis's picture

Hasn't been maintained for a long time... The upstream software isn't either...

Fred M.'s picture

This was a good idea, but has fallen silent. The Security Onion implementation requires a mirrored port on a router/switch. Are there any other Security/IPS TKL appliances with Snort / Suricata around? TIA.

Jeremy Davis's picture

But it is certainly a gap in our current line-up. If you can find some software that seems suitable I'd be happy for an appliance request. If/when you have a specific request we could put it on the issue tracker if you wanted.

Not sure how close it is to your request but I have previously come across a cool looking security related product called OSSIM... Thoughts?

Fred M.'s picture

Hi Jeremy, I found OSSIM when I was searching and thought about too. What do you think? an OSSIM Community Appliance?

Jeremy Davis's picture

If you're interested in having a crack at it I'm more than happy to help where I can. The starting point would be to read up on TKLDev (if you haven't already)...

Any questions please do not hesitate to ask.

Jeremy Davis's picture

Due to the age of this thread, plus the fact that it seems to attract spammers, I'm going to lock it from further comments.

Legitimate users who would like to discuss the content of this thread, please start a new forum thread (starting a new thread requires log in). Please feel free to request that your new thread be cross linked with this one if you believe it's relevant. Assuming your request is legitimate, I'd be happy to do that.