
This post is a guide on how to install Snort, an intrusion detection system, together with Barnyard2 and Snorby on Ubuntu 12.04.

Install snort:
  sudo apt-get install snort

Make some changes to snort.conf (the sed below comments out every 'include $RULE_PATH' line so Snort starts without the full rule sets):
  sudo sed -i 's/include \$RULE\_PATH/#include \$RULE\_PATH/' /etc/snort/snort.conf

Check the settings:
  sudo /usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

More information on snort:
https://s3.amazonaws.com/snort-org-site/production/document_files/files/000/000/090/original/Snort_2.9.8.x_on_Ubuntu_12-14-15.pdf

Snort writes its alerts to log files; Barnyard2 reads those logs and writes the events into a database.
This guide assumes that you have already installed MySQL.
Create a MySQL database and load the Barnyard2 schema into it:
  echo "create database snort;" | mysql -u root -p
  mysql -u root -p -D snort < ~/snort_src/barnyard2-master/schemas/create_mysql

Create a MySQL user for Snort (replace MYSQLSNORTPASSWORD with your own password):
  echo "grant create, insert, select, delete, update on snort.* to \
  snort@localhost identified by 'MYSQLSNORTPASSWORD'" | mysql -u root -p

Download and build Barnyard2, which converts Snort's output:
  wget http://download.aanval.com/barnyard2-1.9.tar.gz
  tar -xvzf barnyard2-1.9.tar.gz
  cd barnyard2-1.9
  autoreconf -fvi -I ./m4
  ./configure --with-mysql --with-mysql-libraries=/usr/lib/i386-linux-gnu

Edit barnyard2.conf and set the output line to match the database user and password created above:
  sudo vi /etc/snort/barnyard2.conf
  output database: log, mysql, user=snort password=snort123 dbname=snort host=localhost

Check the settings by running Barnyard2 once in the foreground:
  sudo barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo \
  -g snort -u snort

Create a test rule in /etc/snort/rules/local.rules (this one alerts on any ICMP packet sent to $HOME_NET):
  alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:10000001; rev:001;)
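Before restarting Snort it is worth sanity-checking local.rules. The POSIX shell linter below is an added example, not part of the original post: it checks each rule's seven-field header, requires the msg, sid and rev options, and rejects SIDs below 1000000, the range reserved for Snort's own rule sets (the page's sid 10000001 passes).

```shell
# Lint a Snort rules file: one rule per line, comments and blank lines skipped.
lint_rule() {
    local rule header opts sid action proto src sport dir dst dport extra
    rule="$1"
    header="${rule%%\(*}"          # everything before the option block
    # Split the header into its seven fields; an 8th field means it is malformed.
    read -r action proto src sport dir dst dport extra <<EOF
$header
EOF
    [ -n "$dport" ] && [ -z "$extra" ] || { echo "malformed header: $rule"; return 1; }
    case "$action" in alert|log|pass|drop|reject|sdrop) ;;
        *) echo "unknown action '$action': $rule"; return 1 ;; esac
    case "$proto" in tcp|udp|icmp|ip) ;;
        *) echo "unknown protocol '$proto': $rule"; return 1 ;; esac
    case "$dir" in '->'|'<>') ;;
        *) echo "bad direction '$dir': $rule"; return 1 ;; esac
    # Option block: text between the first '(' and the last ')'
    opts="${rule#*\(}"
    opts="${opts%\)*}"
    printf '%s\n' "$opts" | grep -q 'msg:[[:space:]]*"' || { echo "missing msg: $rule"; return 1; }
    sid=$(printf '%s\n' "$opts" | sed -n 's/.*sid:[[:space:]]*\([0-9][0-9]*\).*/\1/p')
    [ -n "$sid" ] || { echo "missing sid: $rule"; return 1; }
    # SIDs below 1000000 are reserved for Snort's official rules; local rules start at 1000000.
    [ "$sid" -ge 1000000 ] || { echo "sid $sid is in the reserved range: $rule"; return 1; }
    printf '%s\n' "$opts" | grep -q 'rev:[[:space:]]*[0-9]' || { echo "missing rev: $rule"; return 1; }
    return 0
}

# Lint every rule in a file; the return value is the number of bad rules (0 = all good).
lint_rules_file() {
    local file bad line
    file="$1"; bad=0
    while IFS= read -r line || [ -n "$line" ]; do   # also handle a missing final newline
        case "$line" in ''|'#'*) continue ;; esac
        lint_rule "$line" || bad=$((bad + 1))
    done < "$file"
    return "$bad"
}

# Usage: lint_rules_file /etc/snort/rules/local.rules
```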

Create a Barnyard2 Upstart job so that it runs at startup (/etc/init/barnyard2.conf):
  description "Barnyard2 service"
  stop on runlevel [!2345]
  start on runlevel [2345]
  script
  exec /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -g snort -u snort -D
  end script

Make the job file executable and confirm that Upstart knows about it:
user@snortserver:~$ sudo chmod +x /etc/init/barnyard2.conf
user@snortserver:~$ initctl list | grep barnyard
barnyard2 stop/waiting
user@snortserver:~$

Check that both services are running:
user@snortserver:~$ service snort status
snort start/running, process 1116
user@snortserver:~$ service barnyard2 status
barnyard2 start/running, process 1109
user@snortserver:~$

Download and install Snorby, a Ruby application that displays the events Barnyard2 writes to the database.
Snorby requires its own database.
Create a user and grant it rights on the 'snorby' database:
  echo "grant create, insert, select, delete, update on snorby.* to \
  snorby@localhost identified by 'snorby123'" | mysql -u root -p

Snorby requirements:
snort
git
ruby 1.9.2
rails 3.0.0
imagemagick 6.6.4
wkhtmltopdf

Snorby is a Ruby on Rails application, so install rbenv and use it to upgrade Ruby:
user@snortserver:~$ git clone https://github.com/sstephenson/rbenv.git ~/.rbenv
Cloning into '/home/user/.rbenv'...
remote: Counting objects: 2057, done.
remote: Total 2057 (delta 0), reused 0 (delta 0), pack-reused 2057
Receiving objects: 100% (2057/2057), 344.17 KiB | 166 KiB/s, done.
Resolving deltas: 100% (1272/1272), done.
user@snortserver:~$ echo 'export PATH="$HOME/.rbenv/bin:$PATH"' >> ~/.bashrc
user@snortserver:~$ echo 'eval "$(rbenv init -)"' >> ~/.bashrc

user@snortserver:~$ type rbenv
rbenv is a function
rbenv ()
{
    local command;
    command="$1";
    if [ "$#" -gt 0 ]; then
        shift;
    fi;
    case "$command" in
        rehash | shell)
            eval "`rbenv "sh-$command" "$@"`"
        ;;
        *)
            command rbenv "$command" "$@"
        ;;
    esac
}

  rbenv install 2.2.0
  rbenv global 2.2.0
  gem install rake
  gem update --system
  gem install rubygems-update
  update_rubygems
  gem install rails

Download Snorby:
  git clone https://github.com/Snorby/snorby

Edit the Snorby config (config/snorby_config.yml inside the checkout):
  vi config/snorby_config.yml
  # If timezone_search is undefined or false, searching based on time will
  # use UTC times (historical behavior). If timezone_search is true
  # searching will use local time.
  timezone_search: true
  # uncomment to set time zone to time zone of box from /usr/share/zoneinfo, e.g. "America/Cancun"
  # time_zone: 'UTC'

Install Snorby:
  cd snorby
  bundle install

If bundle install fails building the json gem with an error like this:
In file included from generator.c:1:0:
../fbuffer/fbuffer.h: In function ‘fbuffer_to_s’:
../fbuffer/fbuffer.h:175:47: error: macro "rb_str_new" requires 2 arguments, but only 1 given
../fbuffer/fbuffer.h:175:20: warning: initialization makes integer from pointer without a cast [enabled by default]
make: *** [generator.o] Error 1

make failed, exit code 2

then install the latest json gem and update the bundle:
  gem install json
  bundle update json

If it fails building eventmachine with an error like this:
em.cpp: In member function ‘void EventMachine_t::_RunEpollOnce()’:
em.cpp:574:37: error: ‘rb_thread_select’ was not declared in this scope
em.cpp: In member function ‘int SelectData_t::_Select()’:
em.cpp:827:67: error: ‘rb_thread_select’ was not declared in this scope
em.cpp: In member function ‘void EventMachine_t::_RunSelectOnce()’:
em.cpp:946:40: error: ‘rb_thread_select’ was not declared in this scope
make: *** [em.o] Error 1

make failed, exit code 2

then update to the latest eventmachine:
  bundle update eventmachine

Once bundle install passes, set up the database and start the Rails server in production mode:
  rake snorby:setup
  rails server -e production

Now you can access Snorby in your browser with the default credentials:
http://localhost/snorby
user: snorby@example.com
pass: snorby
NB! Change your password!

You can run Snorby as a standalone application, or use Passenger with Apache to start it with the web server (not covered in this guide).