This repository has been archived by the owner on Apr 16, 2021. It is now read-only.

Snorby #51

Closed
GoogleCodeExporter opened this issue Mar 24, 2015 · 13 comments
Comments

@GoogleCodeExporter

https://github.com/Snorby/snorby

Original issue reported on code.google.com by doug.bu...@gmail.com on 9 Dec 2010 at 12:36

@GoogleCodeExporter

[deleted comment]

@GoogleCodeExporter

Any thoughts or concerns on integrating snorby into the build?

Original comment by liam.ran...@gmail.com on 13 Jul 2011 at 4:28


@GoogleCodeExporter

@vivekrj created a tarball:
http://t.co/HUvKmTbe

need to change database name

For SSL:
try "thin start --ssl"; if that doesn't work we need to check if rack-ssl is 
set up ...@mephux

Original comment by doug.bu...@gmail.com on 6 Nov 2011 at 6:14


@GoogleCodeExporter

Doug,

Let me know what I can do to help. I will be looking into the rack-ssl 
requirement this weekend to make sure everything is ready to rock.

- Dustin

Original comment by Dustin.W...@gmail.com on 18 Nov 2011 at 3:07


@GoogleCodeExporter

Hi Dustin,

I just pushed out a new version of Barnyard2 and my next step is to update 
Suricata to the new 1.1.  After that, I should be ready to focus on getting 
Snorby integrated.  Let me know what you find out about rack-ssl.  Any and all 
assistance would be appreciated!

Thanks,
Doug

Original comment by doug.bu...@gmail.com on 18 Nov 2011 at 3:20


@GoogleCodeExporter

Followed Vivek's instructions here to install Rails and Snorby using rbenv:
http://www.unleashnetworks.com/blog/?p=356

Updated Vivek's snorby_start script as follows:
#!/bin/bash
# Originally written by Vivek Rajagopalan
# http://www.unleashnetworks.com/blog/?p=356
# Revised by Doug Burks for Security Onion.
#
# Version:
# 20111222
#
# Changelog:
# 20111222 - Initial release for Security Onion
# root area
SNORBYHOME=/usr/local/share/snorby
# from rbenv
export RBENV_ROOT=$SNORBYHOME/.rbenv
export PATH=$RBENV_ROOT/bin:$PATH
eval "$(rbenv init -)"
if ! test -e $SNORBYHOME/db/first; then
    cd $SNORBYHOME
    echo "Running first-time Snorby setup"
    bundle exec rake snorby:setup | grep "datamapper"
    touch $SNORBYHOME/db/first
    echo "Done initializing snorby"
fi
# start the webserver
cd $SNORBYHOME
echo "Starting thin web server"
bundle exec thin start --ssl -e production -d
echo "Running Snorby jobs"
bundle exec script/delayed_job start
bundle exec rails runner 'Snorby::Jobs::SensorCacheJob.new(false).perform; Snorby::Jobs::DailyCacheJob.new(false).perform'

Packaged Snorby:
/usr/local/lib/ruby/gems/1.9.1/gems/fpm-0.3.11/bin/fpm -s dir -t deb -n securityonion-snorby -v 20111222 /usr/local/share/snorby

Original comment by doug.bu...@gmail.com on 23 Dec 2011 at 6:15


@GoogleCodeExporter

Created Snorby desktop shortcut and built new menu package:
/usr/local/lib/ruby/gems/1.9.1/gems/fpm-0.3.11/bin/fpm -s dir -t deb -n securityonion-menu -v 20111222 \
    /etc/xdg/xdg-xubuntu/menus/xfce-applications.menu \
    /usr/share/desktop-directories/securityonion* \
    /usr/share/applications/securityonion* /etc/skel/Desktop/*.desktop

Original comment by doug.bu...@gmail.com on 23 Dec 2011 at 6:15


@GoogleCodeExporter

Updated /etc/init/securityonion.conf as follows:
script
    sleep 5
    # If this is a SLAVE, stop MySQL and start SSH tunnel
    SSH_DIR="/root/.ssh"
    SSH_CONF="$SSH_DIR/securityonion_ssh.conf"
    if [ -f $SSH_CONF ]
    then
        # We are a SLAVE
        # Stop MySQL
        service mysql stop
        # Establish persistent SSH tunnel to MASTER.
        KEY="$SSH_DIR/securityonion"
        # Upstart uses sh instead of bash so we can't use "source"
        SSH_USERNAME=`grep SSH_USERNAME $SSH_CONF | cut -d\= -f2`
        SERVERNAME=`grep SERVERNAME $SSH_CONF | cut -d\= -f2`
        /usr/bin/autossh -f -M 61234 -i "$KEY" -N -L 3306:127.0.0.1:3306 $SSH_USERNAME@$SERVERNAME
    fi
    # Both SLAVES and MASTERS need to start NSM services
    service nsm start
    /etc/nsm/ossec/ossec_agent.tcl -o -f /var/ossec/logs/alerts/alerts.log -i 127.0.0.1 -p 5 -c /etc/nsm/ossec/ossec_agent.conf
    # If this is a MASTER, then start Snorby
    [ -d /var/lib/mysql/securityonion_db/ ] && /usr/local/share/snorby/snorby_start
end script

Built new nsm package:
/usr/local/lib/ruby/gems/1.9.1/gems/fpm-0.3.11/bin/fpm -s dir -t deb -n securityonion-nsmnow-admin-scripts -v 20111222 \
    /etc/init.d/nsm* /usr/share/nsmnow/ /usr/local/sbin/nsm* /usr/local/lib/nsmnow/ \
    /etc/cron.d/sensor-* /etc/init/securityonion.conf

Original comment by doug.bu...@gmail.com on 23 Dec 2011 at 6:16


@GoogleCodeExporter

Added email address to /usr/local/bin/setup:
    # Ask for email address for Snorby
    TITLE="Email address"
    TEXT="What is your email address?\r\n\r\nThis will be used when logging into Snorby."
    SNORBY_EMAIL=`zenity --title="$TITLE" --text="$TEXT" --entry`
    # Quoted so that an empty or unexpected value cannot break the test; abort setup if nothing was entered
    [ "x$SNORBY_EMAIL" = "x" ] && exit

Added autossh (for slaves) and snorby DB initialization (for masters) to 
/usr/local/bin/setup process:
SSH_DIR="/root/.ssh"
SSH_CONF="$SSH_DIR/securityonion_ssh.conf"
if [ -f $SSH_CONF ]
then
    # We are a SENSOR
    echo "70"
    echo "# Starting SSH tunnel to MASTER." | tee -a $LOG
    # Stop MySQL
    service mysql stop | tee -a $LOG
    # Establish persistent SSH tunnel to MASTER (xargs -r: no kill call when nothing is running)
    ps aux |grep "autoss[h]" |awk '{print $2}' |xargs -r kill
    KEY="$SSH_DIR/securityonion"
    source $SSH_CONF
    /usr/bin/autossh -f -M 61234 -i "$KEY" -N -L 3306:127.0.0.1:3306 $SSH_USERNAME@$SERVERNAME
else
    # We are the MASTER.
    echo "70"
    echo "# Initializing Snorby database." | tee -a $LOG
    # Kill any existing Snorby processes.
    ps aux |grep "thi[n]" |awk '{print $2}' |xargs -r kill
    ps aux |grep "dela[y]" |awk '{print $2}' |xargs -r kill
    # Delete any existing Snorby data (no error on a fresh install).
    mysql -e "drop database if exists snorby"
    # Remove the first flag
    rm -f /usr/local/share/snorby/db/first
    # Set email and password
    cp /usr/local/share/snorby/db/seeds.rb.securityonion /usr/local/share/snorby/db/seeds.rb
    sed -i "s|ReplaceWithDesiredEmail|$SNORBY_EMAIL|g" /usr/local/share/snorby/db/seeds.rb
    sed -i "s|ReplaceWithDesiredPassword|$SGUIL_CLIENT_PASSWORD_1|g" /usr/local/share/snorby/db/seeds.rb
    # Initialize Snorby DB
    SNORBYHOME=/usr/local/share/snorby
    export RBENV_ROOT=$SNORBYHOME/.rbenv
    export PATH=$RBENV_ROOT/bin:$PATH
    eval "$(rbenv init -)"
    cd $SNORBYHOME
    bundle exec rake snorby:setup | grep "datamapper"
    touch $SNORBYHOME/db/first
    # Open port 3000 for Snorby web interface
    ufw allow 3000/tcp
    # Shred the password!
    shred -u /usr/local/share/snorby/db/seeds.rb
fi
echo "85"
echo "# Starting all NSM services." | tee -a $LOG
service nsm start | tee -a $LOG

Added snorby_start to /usr/local/bin/setup:
if [ -d /var/lib/mysql/securityonion_db/ ]
then
    /usr/local/bin/sguild-add-user "$SGUIL_CLIENT_USERNAME" "$SGUIL_CLIENT_PASSWORD_1"
    /usr/local/share/snorby/snorby_start &
    cd /var/www/squert/.scripts/Ip2c/
    ./ip2c.tcl &
    cd -
fi

Packaged /usr/local/bin/setup as follows:
/usr/local/lib/ruby/gems/1.9.1/gems/fpm-0.3.11/bin/fpm -s dir -t deb -n securityonion-setup -v 20111222 /usr/local/bin/setup

Original comment by doug.bu...@gmail.com on 23 Dec 2011 at 6:16

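
The two scripts above read the slave's securityonion_ssh.conf in different ways: the upstart stanza pulls SSH_USERNAME and SERVERNAME out with grep and cut, while the setup script sources the file, which runs whatever the file contains as shell. The following is an added example, not Security Onion's own code, showing a reader that treats the file purely as data and refuses any value that could not be a plain user name or host name before it reaches the autossh command line. The function names, the demo_conf helper and the config file contents are constructed for this example; the autossh arguments are the ones used in the thread.

```shell
#!/bin/sh
# Added example (not Security Onion's own code): read KEY=value settings from
# securityonion_ssh.conf without sourcing it, and validate them before they
# are spliced into the autossh command line.

# conf_get FILE KEY: print the value of KEY, or return 1 if the key is
# missing, duplicated, empty, or its value contains characters outside
# [A-Za-z0-9._@-] (anything else cannot be a plain user name or host name).
conf_get() {
    file=$1
    key=$2
    # Lines must be exactly KEY=value, with no spaces around '='.
    count=$(grep -c -- "^${key}=" "$file" 2>/dev/null || true)
    [ "$count" = "1" ] || return 1
    value=$(grep -- "^${key}=" "$file")
    value=${value#*=}
    case $value in
        ''|*[!A-Za-z0-9._@-]*) return 1 ;;
    esac
    printf '%s\n' "$value"
}

# tunnel_cmd FILE: build the autossh command line the page's scripts use,
# from validated settings only; returns 1 (and prints nothing) if either
# setting is missing or rejected.
tunnel_cmd() {
    user=$(conf_get "$1" SSH_USERNAME) || return 1
    host=$(conf_get "$1" SERVERNAME) || return 1
    printf '/usr/bin/autossh -f -M 61234 -i /root/.ssh/securityonion -N -L 3306:127.0.0.1:3306 %s@%s\n' "$user" "$host"
}

# demo_conf DIR: write two constructed config files into DIR, one well-formed
# and one whose SERVERNAME carries a stray ';' and extra text.
demo_conf() {
    printf 'SSH_USERNAME=sensor1\nSERVERNAME=master.example.invalid\n' > "$1/good.conf"
    printf 'SSH_USERNAME=sensor1\nSERVERNAME=master.example.invalid;extra\n' > "$1/bad.conf"
}

# Stand-alone run: show the accepted command line and the rejection.
demo() {
    dir=$(mktemp -d)
    demo_conf "$dir"
    echo "good.conf ->"
    tunnel_cmd "$dir/good.conf"
    echo "bad.conf ->"
    tunnel_cmd "$dir/bad.conf" || echo "rejected: SERVERNAME is not a plain host name"
    rm -rf "$dir"
}
demo
```

The same check covers the sourced variant in the setup script: replacing `source $SSH_CONF` with two `conf_get` calls means a config file that has been edited by hand, or copied from a master with stray content, produces a refusal in the log rather than a tunnel to an unexpected host.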

@GoogleCodeExporter

Added the following to security-onion-upgrade.sh:
sed -i 's| |=|g' $CONF
source $CONF
if [ "$VERSION" = "20111214" ]; then
    NEW="20111222"
    echo "**********************************************" | $LOGGER
    echo "* Upgrading from $VERSION to $NEW."             | $LOGGER
    echo "**********************************************" | $LOGGER
    DIR="/nsm/backup/$NEW"
    mkdir -p $DIR | $LOGGER
    cd $DIR

    echo "* Installing new Setup script" | $LOGGER
    FILE=securityonion-setup_"$NEW"_i386.deb
    wget -q http://sourceforge.net/projects/security-onion/files/$NEW/$FILE -O $FILE | $LOGGER
    dpkg -i $FILE | $LOGGER

    echo "* Installing new NSM scripts" | $LOGGER
    FILE=securityonion-nsmnow-admin-scripts_"$NEW"_i386.deb
    wget -q http://sourceforge.net/projects/security-onion/files/$NEW/$FILE -O $FILE | $LOGGER
    dpkg -i $FILE | $LOGGER
    service cron restart

    echo "* Installing Snorby" | $LOGGER
    FILE=securityonion-snorby_"$NEW"_i386.deb
    wget -q http://sourceforge.net/projects/security-onion/files/$NEW/$FILE -O $FILE | $LOGGER
    dpkg -i $FILE | $LOGGER

    FILE=securityonion-menu_"$NEW"_i386.deb
    echo "* Installing $FILE" | $LOGGER
    wget -q http://sourceforge.net/projects/security-onion/files/$NEW/$FILE -O $FILE | $LOGGER
    dpkg -i --force-overwrite $FILE | $LOGGER
    # One cp per home directory: with several users, a single cp would treat
    # all but the last Desktop directory as sources and fail.
    for DESKTOP in /home/*/Desktop/
    do
        cp /etc/skel/Desktop/securityonion-snorby.desktop "$DESKTOP"
    done

    echo "* Installing wkhtmltopdf and autossh" | $LOGGER
    apt-get update >/dev/null
    apt-get -y install wkhtmltopdf autossh | $LOGGER

    # Are we a MASTER?
    if [ -d /var/lib/mysql/securityonion_db/ ]
    then
        # Start Snorby
        IP=`ifconfig |grep "inet addr" | awk '{print $2}' |cut -d\: -f2 |grep -v "127.0.0.1" |head -1`
        PASSWORD=`cat /dev/urandom| tr -dc 'a-zA-Z0-9' | fold -w 10| head -n 1`
        cp /usr/local/share/snorby/db/seeds.rb.securityonion /usr/local/share/snorby/db/seeds.rb
        sed -i "s|ReplaceWithDesiredEmail|snorby@securityonion.local|g" /usr/local/share/snorby/db/seeds.rb
        sed -i "s|ReplaceWithDesiredPassword|$PASSWORD|g" /usr/local/share/snorby/db/seeds.rb
        /usr/local/share/snorby/snorby_start
        ufw allow 3000/tcp
        shred -u /usr/local/share/snorby/db/seeds.rb
        echo "***************************************************************"
        echo "An initial password has been randomly generated for you."
        echo "Please login to Snorby and change this initial password now!"
        echo "Address: https://$IP:3000"
        echo "Username: snorby@securityonion.local"
        echo "Password: $PASSWORD"
        echo "***************************************************************"
    fi

    # Are we a SLAVE?
    SSH_DIR="/root/.ssh"
    SSH_CONF="$SSH_DIR/securityonion_ssh.conf"
    if [ -f $SSH_CONF ]
    then
        # Stop MySQL and establish persistent SSH tunnel to MASTER
        KEY="$SSH_DIR/securityonion"
        source $SSH_CONF
        service mysql stop
        /usr/bin/autossh -M 61234 -i "$KEY" -N -L 3306:127.0.0.1:3306 $SSH_USERNAME@$SERVERNAME &
        sleep 5
    fi

    # Update Barnyard2 config to send alerts to snorby DB
    for i in /etc/nsm/*/barnyard2.conf
    do
        echo "output database: alert, mysql, user=root dbname=snorby host=127.0.0.1" >> $i
    done
    /usr/local/sbin/nsm_sensor_ps-restart --only-barnyard2

    sed -i "s|VERSION=$VERSION|VERSION=$NEW|g" $CONF | $LOGGER
    echo "* Upgrade to $NEW complete." | $LOGGER
    echo
fi

Original comment by doug.bu...@gmail.com on 23 Dec 2011 at 6:17

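
Both the setup script earlier in this thread and the upgrade step above splice the email and password into seeds.rb with sed "s|marker|$VALUE|g". The password generated here is alphanumeric, so that form is safe on the upgrade path, but the setup path substitutes the user-chosen SGUIL_CLIENT_PASSWORD_1, and a |, & or \ in it would be interpreted by sed rather than written literally. The following is an added example, not Security Onion's or Snorby's own code: it escapes those characters, creates the rendered file with mode 0600 (it holds a cleartext password until the script shreds it) and refuses empty values. The template line, the sed_escape/render_seeds names and the demo password are constructed; only the two placeholder markers come from the page.

```shell
#!/bin/sh
# Added example (not Security Onion's or Snorby's own code): render the Snorby
# seeds file from a template so that any email/password value is written
# literally, whatever characters it contains.

# sed_escape STRING: escape the characters that are special in the
# replacement part of "s|...|...|": backslash, ampersand and the | delimiter.
sed_escape() {
    printf '%s' "$1" | sed -e 's/[\\&|]/\\&/g'
}

# render_seeds TEMPLATE OUTPUT EMAIL PASSWORD
# Writes OUTPUT with the two markers replaced. The file is created under
# umask 077 (mode 0600) because it holds a cleartext password until shredded.
render_seeds() {
    template=$1
    out=$2
    if [ -z "$3" ] || [ -z "$4" ]; then
        echo "render_seeds: email and password must be non-empty" >&2
        return 1
    fi
    email=$(sed_escape "$3")
    password=$(sed_escape "$4")
    ( umask 077
      sed -e "s|ReplaceWithDesiredEmail|$email|g" \
          -e "s|ReplaceWithDesiredPassword|$password|g" "$template" > "$out" )
}

# Stand-alone run with a constructed template (the real seeds.rb.securityonion
# is not on the page) and a password containing every character the naive
# "s|...|$PASSWORD|g" form would mishandle. Prints the rendered line.
demo() {
    dir=$(mktemp -d)
    printf '%s\n' 'User.create(:email => "ReplaceWithDesiredEmail", :password => "ReplaceWithDesiredPassword")' > "$dir/seeds.rb.template"
    render_seeds "$dir/seeds.rb.template" "$dir/seeds.rb" 'admin@example.invalid' 'p&ss|w\rd'
    cat "$dir/seeds.rb"
    rm -rf "$dir"
}
demo
```

With the naive form, a password such as the demo's p&ss|w\rd would terminate the sed expression at the first |, so the script would either abort or write a wrong password into the seed; either way the account created by rake snorby:setup would not match what the user typed. Escaping first keeps the two sed -i lines in the setup and upgrade scripts otherwise unchanged.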

@GoogleCodeExporter

Published:
http://securityonion.blogspot.com/2011/12/security-onion-20111222-now-available.html

Original comment by doug.bu...@gmail.com on 23 Dec 2011 at 7:56

  • Changed state: Verified

@GoogleCodeExporter

Went through the build but the dashboard doesn't update for me. I double 
checked and the OS timezone was UTC. How do you run the rails console on 
securityonion? 

I believe I need to run Snorby::Jobs.clear_cache(true) after I change 
application.rb to EST and the OS to EST, and restart snorby. 

Original comment by mattlehm...@gmail.com on 10 Jan 2012 at 5:11


@GoogleCodeExporter

Hi mattlehman84,

This issue is closed.  I've created a new issue for your question here:
http://code.google.com/p/security-onion/issues/detail?id=186

Original comment by doug.bu...@gmail.com on 10 Jan 2012 at 6:29

