Insta Snorby 0.8.0 Install Notes - Snorby/snorby GitHub Wiki
DRAFT Insta-Snorby 0.8.0 Install Notes

Install Steps:

- Put the LAN connection on eth0 (management interface). NOTE: More than one NIC may result in no NICs being initialized due to an Ubuntu 10.04 LTS bug.
- Install Insta-Snorby by following the Insta-Snorby Configuration Console:
  a. Set eth0 as the Snort monitoring port
  b. Choose to enter your Oinkcode
  c. Choose to install the security updates
- SSH to the server and configure the following:
  a. NTP – Edit /etc/ntp.conf (add your NTP server)
  b. Apache Ports – Edit /etc/apache2/ports.conf to disable listening on port 80 (if desired)
     i. Comment out (add "#" at the start of) both lines referencing port 80
     ii. Restart Apache with `/etc/init.d/apache2 restart`, or wait until reboot
  c. Change the Snort monitoring port to eth1 (SPAN interface)
     i. Change the interface to eth1 in /usr/lib/inithooks/everyboot.d/88snortstart
     ii. Change the interface to eth1 in /etc/snort/barnyard2.conf
     iii. Identify and kill the snort and barnyard2 processes: `ps aux | grep snort`
     iv. Restart snort: `/usr/local/bin/snort -g snort -u snort -c /etc/snort/snort.conf -i eth1 -D`
     v. Restart barnyard2: `/usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -G /etc/snort/gen-msg.map -S /etc/sid-msg.map -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -D`
  d. Snort Config – Edit /etc/snort/snort.conf
     i. Define the `$HOME_NET` and `$EXTERNAL_NET` variables
     ii. Consider and edit all other lines with caution. Reference: https://www.snort.org/docs
     iii. Consider configuring a BPF file to filter out (drop) undesired traffic
  e. Pulledpork 0.6.1 Fix – This version of pulledpork contains an incorrect version reference to 0.5.0 in the following files:
     i. /usr/lib/inithooks/bin/pulledpork.py
     ii. /usr/lib/inithooks/bin/oinkcode.py
     iii. /root/crontmp
     iv. /usr/lib/inithooks/bin/interface_select.py
  f. OpenFPC – /usr/lib/inithooks/bin/interface_select.py contains a reference to version 0.4-267, which should be 0.6-314. Reference: http://www.openfpc.org/home
     i. Change the interface to eth1 in /etc/openfpc/openfpc-default.conf
  g. Add the desired Linux user accounts
  h. Log out of SSH
- Connect the SPAN cable to the eth1 interface
- Configure the network interfaces with static IPs. NOTE: I've experienced some odd DNS behavior and have had to reboot or restart the network interfaces twice before I was able to reach it. There may be an Ubuntu bug associated with this behavior.
- Reboot the server using the Insta-Snorby configuration console
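The script below is an added check, not part of the Insta-Snorby wiki or project: it verifies the edits from step 3 b, c and d (port 80 commented out in ports.conf, barnyard2.conf moved to eth1, HOME_NET and EXTERNAL_NET defined and HOME_NET not left at `any`) against the files named above, and carries constructed sample files for a dry run. The file paths, the `ipvar`/`var` and `config interface:` syntax it greps for, and the sample contents are assumptions; the same `iface_switched` check can be pointed at 88snortstart and openfpc-default.conf.

```bash
#!/bin/bash
# Added example (not part of the Insta-Snorby wiki): verifies the edits from step 3 b, c and d.
# Sample files below are constructed for a dry run; real paths are the ones named in the notes.

# 0 if FILE mentions interface NEW as a whole word and no longer mentions OLD.
iface_switched() {
  local file="$1" old="$2" new="$3"
  grep -Eq "(^|[^A-Za-z0-9_])${new}([^A-Za-z0-9_]|$)" "$file" || return 1
  ! grep -Eq "(^|[^A-Za-z0-9_])${old}([^A-Za-z0-9_]|$)" "$file"
}

# 0 if snort.conf defines both HOME_NET and EXTERNAL_NET and HOME_NET is not the stock "any".
net_vars_defined() {
  local conf="$1" var
  for var in HOME_NET EXTERNAL_NET; do
    grep -Eq "^[[:space:]]*(ipvar|var)[[:space:]]+${var}[[:space:]]+[^[:space:]]" "$conf" || return 1
  done
  ! grep -Eq "^[[:space:]]*(ipvar|var)[[:space:]]+HOME_NET[[:space:]]+any[[:space:]]*$" "$conf"
}

# 0 if no active (uncommented) Listen/NameVirtualHost line in ports.conf still names port 80.
port80_disabled() {
  ! grep -Eq "^[[:space:]]*(Listen|NameVirtualHost)[[:space:]]+([^[:space:]]*:)?80([[:space:]]|$)" "$1"
}

# Run all three checks, print a one-line verdict each, return 1 if any failed.
run_checks() {
  local by2="$1" snort="$2" ports="$3" rc=0
  if iface_switched "$by2" eth0 eth1; then echo "ok   barnyard2.conf uses eth1"; else echo "FAIL barnyard2.conf still references eth0"; rc=1; fi
  if net_vars_defined "$snort"; then echo "ok   HOME_NET/EXTERNAL_NET defined"; else echo "FAIL HOME_NET/EXTERNAL_NET missing or HOME_NET is any"; rc=1; fi
  if port80_disabled "$ports"; then echo "ok   Apache no longer listens on port 80"; else echo "FAIL Apache still listens on port 80"; rc=1; fi
  return "$rc"
}

# Constructed sample files (not real Insta-Snorby files) showing the desired post-edit state.
write_samples() {
  printf 'config interface: eth1\nconfig logdir: /var/log/snort\n' > "$1/barnyard2.conf"
  printf 'ipvar HOME_NET 192.168.1.0/24\nipvar EXTERNAL_NET !$HOME_NET\n' > "$1/snort.conf"
  printf '#NameVirtualHost *:80\n#Listen 80\n<IfModule mod_ssl.c>\n    Listen 443\n</IfModule>\n' > "$1/ports.conf"
}

# Usage: ./check.sh --demo   (dry run on the samples)
#        ./check.sh /etc/snort/barnyard2.conf /etc/snort/snort.conf /etc/apache2/ports.conf
case "${1:-}" in
  --demo) tmp=$(mktemp -d); write_samples "$tmp"; run_checks "$tmp/barnyard2.conf" "$tmp/snort.conf" "$tmp/ports.conf"; rm -rf "$tmp" ;;
  "") ;;
  *) run_checks "$1" "$2" "$3" ;;
esac
```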
Manually Clear/Update Dashboard: go to the main Snorby directory (in my case it is /var/www/snorby), start a Rails console with `sudo rails c`, and then run these two commands in it:

    Snorby::Jobs.clear_cache(true)
    Snorby::Jobs.run_now!
Run Pulledpork Manually:

    /root/pulledpork-0.6.1/pulledpork.pl -c /root/pulledpork-0.6.1/etc/pulledpork.conf -H -v >> /var/log/pulledpork 2>&1