Archive for November, 2011

After successfully installing Suricata and Snorby, I’m going to use Barnyard2 to read the alerts and send them to Snorby’s database. Barnyard2 understands the unified2 binary format. If you get lost, don’t worry, because I’m going to update the Snorby how-to. If you can’t wait, these are the steps I followed:

  1. Download Barnyard2
    wget http://www.securixlive.com/download/barnyard2/barnyard2-1.9.tar.gz
  2. tar xvfz barnyard2-1.9.tar.gz
  3. cd barnyard2-1.9/
  4. You’ll need the MySQL client libraries if you want to store Suricata’s events in the database:
    apt-get install mysql-client libmysqlclient-dev
  5. I’m going to compile barnyard2 with PF_RING and libpcap support. If you followed my how-to, the include files and libraries are inside /opt/PF_RING:
    ./configure --with-mysql --with-libpcap-includes=/opt/PF_RING/include --with-libpcap-libraries=/opt/PF_RING/lib --with-libpfring-includes=/opt/PF_RING/include --with-libpfring-libraries=/opt/PF_RING/lib
  6. make && make install
  7. Let’s check if barnyard2 is ready. If you see a pig, all is good 😀
    barnyard2 --help
    / ,,_  \  Version 2.1.9 (Build 263)
    |o"  )~|  By the SecurixLive.com Team: http://www.securixlive.com/about.php
    + '''' +  (C) Copyright 2008-2010 SecurixLive.
  8. If barnyard complains about libpcap.so.1 not being found, use this:
    ln -s /opt/PF_RING/lib/libpcap.so.1 /usr/lib/libpcap.so.1
  9. Now, you will need a barnyard2 config file:
    cp etc/barnyard2.conf /etc/barnyard2.conf
  10. Edit /etc/barnyard2.conf and add the following line (replace dbuser, dbpass, database and x.x.x.x with the right values for your Snorby MySQL database):
    output database: alert, mysql, user=dbuser password=dbpass dbname=database host=x.x.x.x
  11. Barnyard2’s config file needs to know where your config and map files are so it can identify the rules. I’m using the Emerging Threats rules in my /etc/suricata directory:
    # set the appropriate paths to the file(s) your Suricata process is using.
    config reference_file:      /etc/suricata/reference.config
    config classification_file: /etc/suricata/classification.config
    config gen_file:            /etc/suricata/gen-msg.map
    config sid_file:            /etc/suricata/sid-msg.map
  12. Check that you find these lines in /etc/suricata/suricata.yaml (the unified2-alert output must be enabled, or there is nothing for barnyard2 to read):
    - unified2-alert:
        enabled: yes
        filename: unified2.alert
  13. Ok. I have Suricata running. With this command the unified2 binary files will be read and new events will be sent to Snorby:
    barnyard2 -c /etc/barnyard2.conf -d /var/log/suricata -f unified2.alert
  14. All seems to work fine. Snorby is starting to show events.

  15. Snorby is awesome. More info soon!
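To make clearer what happens between step 12 and step 14, here is an added example (my own illustration, not Barnyard2 or Snorby code) that reads the unified2 records Suricata writes and resolves them against sid-msg.map and classification.config the way Barnyard2 does before inserting into Snorby's database. Only the IPv4 event (type 7) and packet (type 2) record layouts are decoded; the sid, map file contents and spool bytes are constructed, and the assumption that classification ids are numbered in file order from 1 (as Snort assigns them) is marked in the code.

```python
"""Added example, not Barnyard2 or Snorby code: a minimal reader for the unified2
records that Suricata's unified2-alert output writes and Barnyard2 consumes, plus
parsers for the sid-msg.map and classification.config files Barnyard2 uses to turn
numeric ids into the rule message and classification Snorby shows.  Only IPv4 event
(type 7) and packet (type 2) records are decoded; all sample values are constructed."""
import socket
import struct

UNIFIED2_PACKET = 2      # Serial_Unified2Packet
UNIFIED2_IDS_EVENT = 7   # Unified2IDSEvent_legacy (IPv4)

HDR = struct.Struct("!II")                   # record type, record length (network order)
EVENT = struct.Struct("!IIIIIIIIIIIHHBBBB")  # 52-byte IPv4 event record
PACKET = struct.Struct("!IIIIIII")           # 28-byte fixed part, then the packet bytes
EVENT_FIELDS = ("sensor_id", "event_id", "event_second", "event_microsecond",
                "signature_id", "generator_id", "signature_revision", "classification_id",
                "priority_id", "ip_source", "ip_destination", "sport_itype", "dport_icode",
                "protocol", "impact_flag", "impact", "blocked")
PACKET_FIELDS = ("sensor_id", "event_id", "event_second", "packet_second",
                 "packet_microsecond", "linktype", "packet_length")


def parse_sid_msg_map(text):
    """sid-msg.map lines: sid || msg || reference || reference ..."""
    sids = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parts = [p.strip() for p in line.split("||")]
            sids[int(parts[0])] = parts[1]
    return sids


def parse_classification_config(text):
    """classification.config lines: config classification: name,description,priority
    Ids are numbered in file order from 1, as Snort assigns them (assumption: the
    unified2 classification_id field carries that same numbering)."""
    classes = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("config classification:"):
            name, desc, prio = [p.strip() for p in line.split(":", 1)[1].split(",")]
            classes[len(classes) + 1] = (name, desc, int(prio))
    return classes


def read_unified2(data):
    """Yield (record_type, fields) for every complete record in a unified2 byte string.
    A truncated final record is left alone: Suricata may still be writing the spool."""
    off = 0
    while off + HDR.size <= len(data):
        rtype, rlen = HDR.unpack_from(data, off)
        body = data[off + HDR.size:off + HDR.size + rlen]
        if len(body) < rlen:
            break
        off += HDR.size + rlen
        if rtype == UNIFIED2_IDS_EVENT and rlen == EVENT.size:
            rec = dict(zip(EVENT_FIELDS, EVENT.unpack(body)))
            rec["ip_source"] = socket.inet_ntoa(body[36:40])      # dotted quad, not uint32
            rec["ip_destination"] = socket.inet_ntoa(body[40:44])
            yield rtype, rec
        elif rtype == UNIFIED2_PACKET and rlen >= PACKET.size:
            rec = dict(zip(PACKET_FIELDS, PACKET.unpack_from(body)))
            rec["packet_data"] = body[PACKET.size:PACKET.size + rec["packet_length"]]
            yield rtype, rec
        else:
            yield rtype, {"raw": body}  # IPv6, VLAN and extra-data records: not decoded here


def describe_events(data, sid_map, classes):
    """Render each IPv4 event as an alert line, resolving sid and classification ids."""
    lines = []
    for rtype, rec in read_unified2(data):
        if rtype != UNIFIED2_IDS_EVENT:
            continue
        msg = sid_map.get(rec["signature_id"], "unknown sid %d" % rec["signature_id"])
        desc = classes.get(rec["classification_id"], ("unknown", "unknown", 0))[1]
        lines.append("[%d:%d:%d] %s [Classification: %s] [Priority: %d] %s:%d -> %s:%d proto=%d"
                     % (rec["generator_id"], rec["signature_id"], rec["signature_revision"],
                        msg, desc, rec["priority_id"], rec["ip_source"], rec["sport_itype"],
                        rec["ip_destination"], rec["dport_icode"], rec["protocol"]))
    return lines


# Constructed map files: a local-rules sid, not an Emerging Threats one
SID_MSG_MAP = "# constructed\n1000001 || LOCAL TEST example alert || url,example.invalid/1000001\n"
CLASSIFICATION = ("config classification: not-suspicious,Not Suspicious Traffic,3\n"
                  "config classification: unknown,Unknown Traffic,3\n"
                  "config classification: bad-unknown,Potentially Bad Traffic,2\n")


def build_sample():
    """Constructed spool: one IPv4 event (class 3, priority 2) followed by its packet."""
    src = int.from_bytes(socket.inet_aton("10.0.0.5"), "big")
    dst = int.from_bytes(socket.inet_aton("192.0.2.10"), "big")
    ev = EVENT.pack(1, 7, 1320000000, 123456, 1000001, 1, 2, 3, 2, src, dst, 49152, 80, 6, 0, 0, 0)
    payload = b"GET /example HTTP/1.0\r\n\r\n"
    pk = PACKET.pack(1, 7, 1320000000, 1320000000, 123456, 1, len(payload)) + payload
    return HDR.pack(UNIFIED2_IDS_EVENT, len(ev)) + ev + HDR.pack(UNIFIED2_PACKET, len(pk)) + pk
```

Running describe_events(build_sample(), parse_sid_msg_map(SID_MSG_MAP), parse_classification_config(CLASSIFICATION)) yields one alert line in the familiar [gid:sid:rev] form. The truncation check in read_unified2 matters in practice: barnyard2 tails a spool file that Suricata is still appending to, so a reader that treated a half-written record as corrupt would lose or mis-parse events.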


According to snorby.org, Snorby is a Ruby on Rails web application for network security monitoring that interfaces with current popular intrusion detection systems (Snort, Suricata and Sagan). The project goal is to create a free, open source and highly competitive application for network monitoring for both private and enterprise use.

Today I’m going to show you how to install Snorby on Debian 6. This is the first time I use Snorby and I want to use it to monitor my Suricata IDS. In the following weeks I’ll post my first impressions.

Download the pdf and contact me for any comments, errors or suggestions.
