
Insta Snorby 0.8.0 Install Notes (Revised):

jbc22 edited this page Feb 25, 2012 · 22 revisions

Insta-Snorby will no longer be supported in March, 2012. We recommend using Security Onion instead.

Prerequisites

  1. Put LAN connection on eth0 (management network interface)
  2. Have SPAN connection ready (will go on eth1)
  3. Have your Oinkcode handy

Install Insta-Snorby following the Configuration Console prompts

  1. Enter your Oinkcode
  2. Install the security updates

SSH to the server and configure the following

  1. NTP – Edit /etc/ntp.conf (add your own ntp server)
  2. Apache Ports – Edit /etc/apache2/ports.conf to disable listening on port 80 (if desired): comment out (add “#” at the start of) both lines referencing port 80, then restart Apache by entering “/etc/init.d/apache2 restart” or simply wait until the reboot later
  3. Set the Snort monitoring interface to eth1 (SPAN interface) in the two files below:
  4. Set interface to eth1 in /usr/lib/inithooks/everyboot.d/88snortstart
  5. Set interface to eth1 in /etc/snort/barnyard2.conf
  6. Identify and kill snort and barnyard processes using “ps aux | grep snort”
  7. Restart snort: “/usr/local/bin/snort -g snort -u snort -c /etc/snort/snort.conf -i eth1 -D”
  8. Restart barnyard: “/usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -G /etc/snort/gen-msg.map -S /etc/sid-msg.map -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -D”
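The restart in steps 6 to 8 is easy to get half right: Snort comes up on eth1 while barnyard2 still references eth0, or the interface named in the configs does not exist on the box at all. The script below is an added example, not part of the Insta-Snorby wiki or the appliance: it checks that the interface exists and that both files from steps 4 and 5 name it before stopping and restarting the sensor with the exact command lines listed above. The check functions and the SNORT_START and BY2_CONF variable names are my own; the paths and commands are the ones in the notes.

```shell
#!/bin/sh
# Added example (not from the Insta-Snorby wiki): pre-flight checks before
# restarting Snort and Barnyard2 on the SPAN interface, then the restart.
# SNORT_START/BY2_CONF default to the files named in steps 4 and 5.

SNORT_START=${SNORT_START:-/usr/lib/inithooks/everyboot.d/88snortstart}
BY2_CONF=${BY2_CONF:-/etc/snort/barnyard2.conf}

# Does the kernel know this interface? (exit status 0 = yes)
iface_exists() {
    [ -d "/sys/class/net/$1" ]
}

# Does the file mention the interface name at all? Used for 88snortstart,
# where the interface appears on the snort command line as "-i eth1".
file_mentions_iface() {
    grep -q -F -- "$2" "$1"
}

# barnyard2.conf names the sniffing interface as "config interface: <name>";
# print the first such value, stripped of surrounding whitespace.
by2_iface() {
    sed -n 's/^config interface:[[:space:]]*//p' "$1" | head -n 1 | tr -d ' \t\r'
}

# Run all checks for one interface and report every failure, not just the first.
preflight() {
    iface="$1"
    rc=0
    iface_exists "$iface" || { echo "no such interface: $iface" >&2; rc=1; }
    file_mentions_iface "$SNORT_START" "$iface" || { echo "$SNORT_START does not reference $iface" >&2; rc=1; }
    [ "$(by2_iface "$BY2_CONF")" = "$iface" ] || { echo "$BY2_CONF interface is not $iface" >&2; rc=1; }
    return "$rc"
}

# Stop the running sensor processes by full command line (pkill -f) and give
# them a moment to exit before starting fresh ones.
stop_sensor() {
    pkill -f /usr/local/bin/snort 2>/dev/null
    pkill -f /usr/local/bin/barnyard2 2>/dev/null
    sleep 2
}

# The two command lines from steps 7 and 8, with the interface parameterised.
start_sensor() {
    iface="$1"
    /usr/local/bin/snort -g snort -u snort -c /etc/snort/snort.conf -i "$iface" -D
    /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -G /etc/snort/gen-msg.map \
        -S /etc/sid-msg.map -d /var/log/snort -f snort.u2 \
        -w /var/log/snort/barnyard2.waldo -D
}

# Usage: sh restart_sensor.sh eth1   (as root on the appliance)
if [ "$#" -eq 1 ]; then
    preflight "$1" && stop_sensor && start_sensor "$1"
fi
```

If preflight fails nothing is killed, so a mistyped interface leaves the sensor running on the old one rather than leaving the SPAN feed unmonitored.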

Edit /etc/snort/snort.conf

  1. Define “$HOME_NET” and “$EXTERNAL_NET” variables
  2. Make any other modifications with caution; see https://www.snort.org/docs
  3. Consider configuring a BPF file to ignore undesired traffic (see the “Creating BPF File” procedure below)

Pulledpork 0.6.1 Fix

This version of pulledpork contains an incorrect version reference to 0.5.0 in the following files:

  1. /usr/lib/inithooks/bin/pulledpork.py
  2. /usr/lib/inithooks/bin/oinkcode.py
  3. /usr/lib/inithooks/bin/interface_select.py
  4. /var/spool/cron/crontabs/root
  5. /root/crontmp
  6. /root/pulledpork-0.6.1/etc/pulledpork.conf (last line MUST reference “0.6.0” instead of “0.6.1”)
  7. Test pulledpork by running it manually: /root/pulledpork-0.6.1/pulledpork.pl -c /root/pulledpork-0.6.1/etc/pulledpork.conf -H -v >> /var/log/pulledpork 2>&1
  8. Check the date/time stamp on: /etc/snort/rules/snort.rules file or the log data at: /var/log/pulledpork
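Editing six files by hand for one version string is error-prone, and step 8 (checking the timestamp) is what tells you whether the cron job is actually refreshing rules. The script below is an added example, not part of the wiki or of pulledpork: it greps the files listed above for the stale “0.5.0” string, wraps the manual test run from step 7, and checks whether snort.rules was modified recently. The file paths and the pulledpork command line are those in the notes; the function names, OLD_VER, RULES, PP_LOG and the MAX_AGE_MIN threshold are my own.

```shell
#!/bin/sh
# Added example (not from the Insta-Snorby wiki): find files that still carry
# the stale pulledpork version string and check that the rule set is current.

OLD_VER="0.5.0"
RULES=${RULES:-/etc/snort/rules/snort.rules}
PP_LOG=/var/log/pulledpork
# The six files from the list above, one per line.
PP_FILES="/usr/lib/inithooks/bin/pulledpork.py
/usr/lib/inithooks/bin/oinkcode.py
/usr/lib/inithooks/bin/interface_select.py
/var/spool/cron/crontabs/root
/root/crontmp
/root/pulledpork-0.6.1/etc/pulledpork.conf"

# Print every existing file among the arguments that still contains $1.
stale_refs() {
    old="$1"; shift
    for f in "$@"; do
        [ -f "$f" ] && grep -q -F -- "$old" "$f" && echo "$f"
    done
    return 0
}

# True if file $1 was modified within the last $2 minutes.
fresh_within() {
    [ -n "$(find "$1" -maxdepth 0 -mmin "-$2" 2>/dev/null)" ]
}

# The manual test run from step 7, output appended to the pulledpork log.
run_pulledpork() {
    /root/pulledpork-0.6.1/pulledpork.pl -c /root/pulledpork-0.6.1/etc/pulledpork.conf -H -v >> "$PP_LOG" 2>&1
}

# Report stale references, then whether the rules file is recent.
# MAX_AGE_MIN defaults to 1500 minutes (25 h), one daily cron run plus slack.
report() {
    max_age=${MAX_AGE_MIN:-1500}
    stale=$(stale_refs "$OLD_VER" $PP_FILES)   # unquoted on purpose: split into paths
    if [ -n "$stale" ]; then
        echo "files still referencing $OLD_VER:"
        echo "$stale"
    else
        echo "no stale $OLD_VER references"
    fi
    if fresh_within "$RULES" "$max_age"; then
        echo "$RULES updated within the last $max_age minutes"
    else
        echo "$RULES is stale or missing; check $PP_LOG"
    fi
}

# Usage: sh pp_check.sh report      (as root on the appliance)
if [ "$1" = "report" ]; then
    report
fi
```

Run the report once after editing the files and again the day after, so you confirm both the fix and that the cron entry survived it.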

Openfpc Fix

  1. /usr/lib/inithooks/bin/interface_select.py contains a reference to version 0.4-267, which should be 0.6-314.
  2. Change interface to eth1 in /etc/openfpc/openfpc-default.conf

Upgrade Snorby

  1. cd /var/www/snorby
  2. cp config/database.yml tmp
  3. cp config/snorby_config.yml tmp
  4. git stash save
  5. git pull
  6. git stash clear
  7. cp tmp/database.yml config
  8. cp tmp/snorby_config.yml config
  9. bundle install --deployment
  10. rake snorby:setup

Snorby Configuration

  1. Edit /var/www/snorby/config/database.yml as necessary
  2. Edit /var/www/snorby/config/snorby_config.yml as necessary

Final Steps

  1. Configure network interfaces to static IPs at /etc/network/interfaces
  2. Connect SPAN cable to eth1 interface
  3. Reboot the server
  4. Login to Snorby web interface as snorby@snorby.org and configure Admin settings
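For step 1, the two interfaces need different treatment: eth0 gets the static management address, while the SPAN interface eth1 should come up in promiscuous mode with no IP configured, so the sensor neither answers on the monitored segment nor leaks management traffic into it. The script below is an added example, not from the wiki or the appliance: it generates a Debian-style /etc/network/interfaces with those two stanzas and installs it after backing up the existing file. The function names, INTERFACES_FILE and the sample addresses in the usage line are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the Insta-Snorby wiki): generate /etc/network/interfaces
# with a static management interface and an IP-less promiscuous SPAN interface.

# gen_interfaces <mgmt-if> <address> <netmask> <gateway> <span-if>
gen_interfaces() {
    mgmt="$1"; addr="$2"; mask="$3"; gw="$4"; span="$5"
    cat <<EOF
auto lo
iface lo inet loopback

# management interface: static IP, reachable for SSH and the Snorby web UI
auto $mgmt
iface $mgmt inet static
    address $addr
    netmask $mask
    gateway $gw

# SPAN/monitor interface: link up, promiscuous, nothing configured on it
auto $span
iface $span inet manual
    up ip link set $span up promisc on
    down ip link set $span promisc off
    down ip link set $span down
EOF
}

# Write the generated file, keeping a timestamped copy of the old one.
install_interfaces() {
    target=${INTERFACES_FILE:-/etc/network/interfaces}
    if [ -f "$target" ]; then
        cp "$target" "$target.bak.$(date +%Y%m%d%H%M%S)"
    fi
    gen_interfaces "$@" > "$target"
}

# Usage (constructed sample values, as root):
#   sh gen_interfaces.sh eth0 192.168.1.10 255.255.255.0 192.168.1.1 eth1
if [ "$#" -eq 5 ]; then
    install_interfaces "$@"
fi
```

Reboot afterwards as in step 3; after the reboot `ip link show eth1` should list PROMISC and `ip addr show eth1` should show no inet line.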

Other Procedures for your reference:

Creating a By-Pass File (BPF) to Ignore Specified Traffic

  1. vim /etc/snort/ignore.bpf (to create the file and insert tcpdump-style filter lines like the following)

not (src host 10.x.x.x or src host 10.x.x.x)

  2. vim /etc/snort/snort.conf (to add the following line under “Step #2”)

config bpf_file: /etc/snort/ignore.bpf
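Every host excluded this way becomes a blind spot for the sensor, so the list should be generated from a deliberate set of addresses rather than grown by hand, and the `config bpf_file:` line must appear exactly once in snort.conf. The script below is an added example, not from the wiki or from Snort: it builds the `not (src host … or src host …)` expression shown above from a list of IPv4 addresses, rejects anything that is not a dotted-quad, and adds or replaces the `config bpf_file:` line idempotently. The function names are my own; the file paths and the directive are the ones in the procedure.

```shell
#!/bin/sh
# Added example (not from the Insta-Snorby wiki): generate /etc/snort/ignore.bpf
# from a host list and wire it into snort.conf without duplicating the directive.

# make_ignore_bpf <ip> [<ip> ...]  -> prints "not (src host A or src host B ...)"
make_ignore_bpf() {
    expr=""
    for h in "$@"; do
        case "$h" in
            *[!0-9.]*|"") echo "not an IPv4 address: $h" >&2; return 1 ;;
        esac
        # "${expr:+$expr or }" expands to "<previous> or " only when expr is non-empty
        expr="${expr:+$expr or }src host $h"
    done
    [ -n "$expr" ] || return 1
    echo "not ($expr)"
}

# ensure_bpf_config <snort.conf> <bpf-file>: replace an existing
# "config bpf_file:" line or append one, so the directive is present exactly once.
ensure_bpf_config() {
    conf="$1"; bpf="$2"
    if grep -q '^config bpf_file:' "$conf"; then
        sed "s|^config bpf_file:.*|config bpf_file: $bpf|" "$conf" > "$conf.tmp" \
            && mv "$conf.tmp" "$conf"
    else
        printf 'config bpf_file: %s\n' "$bpf" >> "$conf"
    fi
}

# Usage (as root): sh make_bpf.sh 10.0.0.5 10.0.0.6
if [ "$#" -ge 1 ]; then
    make_ignore_bpf "$@" > /etc/snort/ignore.bpf \
        && ensure_bpf_config /etc/snort/snort.conf /etc/snort/ignore.bpf
fi
```

Before restarting Snort, `tcpdump -i eth1 -d -F /etc/snort/ignore.bpf` compiles the filter and exits, which catches a syntax error without touching the sensor.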

Manually Clear/Update Dashboard:

  1. cd to the main snorby directory (in my case it is /var/www/snorby) and execute these commands:
  2. rails c
  3. Snorby::Jobs.clear_cache(true)
  4. Snorby::Jobs.run_now!

Soft Reset of Snorby

  1. cd to the main snorby directory (in my case it is /var/www/snorby) and execute these commands:
  2. rails c
  3. Snorby::Jobs.reset_cache(:all, true)

Hard Reset of Snorby (WARNING - all Snorby data and admin settings will be lost!!!)

  1. cd to the main snorby directory (in my case it is /var/www/snorby) and execute the following commands:
  2. rake snorby:hard_reset
  3. rails c
  4. Snorby::Worker.restart