Chris Smith edited this page Nov 8, 2013 · 161 revisions

osProtect

Application Overview

This is a Ruby on Rails application offering a modern interface for network security IDS/IPS management and reporting.

The app features notification via email of any alerts/events matching criteria established by users.

Also, reports can be sent via email, in PDF format, on a daily, weekly, or monthly basis detailing all of the alerts/events for the sensors being monitored. Immediate online reports, in HTML or PDF formats, are also possible.

Further, users may be placed into groups restricting them to particular sensors. However, any user with the role of admin may view all event data as well as create groups and users.


Installation Overview

  • Prerequisites for the rails app:
    • a rails app user account, such as osprotect
    • add packages, libraries, and build tools needed by other software installations
    • MySQL Ver 14.14 Distrib 5.1.41 +
    • Snort and Barnyard2 (or another IDS that supports the default Snort database schema)
    • Ruby 2 +
    • JavaScript runtime
    • Rails 4 +
    • A web and/or application server, such as Apache/Passenger, Nginx/Thin, or Nginx/Unicorn, and so on
  • Configure the server so emails may be sent from the rails app; installing Postfix is a good solution
  • Install Redis, which is used by Resque and Resque Scheduler for background processing
  • Procfile, Foreman, and Resque workers for background processing
  • Install this Rails application

Add a rails user *nix account

sudo adduser osprotect

This will be the account that executes/runs this rails application, and if configured as a sudo user it may be used to install most of the software. Note that rails-app-user is just an example user account; it is probably more appropriate to use osprotect as the user account.

Add packages, libraries, and build tools needed by other software installations

Logged in as root or a sudo user do:

sudo aptitude -y install curl wget nmap nbtscan
sudo aptitude -y install autoconf automake bison build-essential flex git-core libapr1-dev libaprutil1-dev libc6-dev libcurl4-openssl-dev libexpat1 libffi-dev libpcap-ruby libpcap0.8-dev libpcre3-dev libreadline6 libreadline6-dev libssl-dev libtool libxml2 libxml2-dev libxslt-dev libxslt1-dev libxslt1.1 libyaml-dev ncurses-dev openssl ssl-cert subversion zlib1g zlib1g-dev

MySQL Ver 14.14 Distrib 5.1.41 +

Please consult the MySQL site for the latest installation instructions, but typically on Ubuntu these are the installation instructions.

You may have MySQL up and running on another accessible server, in which case you can point Barnyard2 and this rails app (in config/database.yml) to the database on that server.

Snort and Barnyard2

Please consult the Snort docs and Barnyard2 site for the latest installation instructions, but the following are typical installation instructions:

  1. To install Snort

  2. To install Barnyard2

  3. Configure rc.local to start Snort and Barnyard2 during system boot

Ruby 2 +

Installing Ruby using RVM is an excellent way to manage different versions of Ruby, as well as to create a gemset for each application. Here is how to install and use it.

JavaScript runtime

Installing Node.js provides a JavaScript runtime.

Rails 4 +

See step (6) under Install this Rails application later on this page. As each app on a system may use a different version of rails and depend on different gems, it is best to let Bundler manage all of the gems and their dependencies.

Web and Application Servers

  • To use Apache as the web server and Passenger as the rails app server, see these install instructions.

  • To use Nginx as the web server and Thin as the rails app server, see these install instructions.

Emails

See these instructions to allow this rails app to send emails.

Redis

Redis is used by the gems Resque, Resque Scheduler, and Resque Mailer for background processing. It is only needed if you want background emailing, Notifications, or Reports/PDFs, which are all optional features in osProtect.

Be sure to check the Redis site for the latest installation instructions, but these instructions are typical for installing Redis.

Also, see the instructions to set up Redis as an Upstart service.

Install this Rails application

(1) log in as the osprotect user (not root) ... this is the user under which the rails app will execute/run

(2) cd /home/osprotect/app ... or your preferred installation directory

(3) git clone git://github.com/clonesec/osProtect.git ... to download and create the osProtect folder

(4) cd osProtect

(5) As a safeguard for any PDF documents created by users, ensure that the shared folder is located outside of the app folder, so any future releases/deployments will not delete any existing PDF documents:

  • pwd ... should display for example /home/osprotect/app/osProtect, or your installation directory
  • mkdir -p /home/osprotect/apps/osProtect/shared/reports ... i.e. this is outside of the osProtect folder
  • edit config/app_config.yml to set reports folder:
  • reports_path: /home/osprotect/apps/osProtect/shared/reports

(6) To avoid re-installing every gem on each release/deployment when the Gemfile has not changed (usually the case), do the following:

  • The best practice is to use a deployment tool such as Capistrano, and the osProtect repository on Github includes both a Capfile and config/deploy.rb files to help you get started.

Now run Bundler to install rails and all of the gems in the Gemfile:

bundle install --deployment --without assets development test

(7) to enable background processing (notifications and PDF creation) perform these instructions

(8) to enable rules management perform these instructions

(9) a Snort database must already be installed

  • another MySQL user should be created for this rails app to use when accessing the existing Snort database ... details here
  • this MySQL user name does not have to be the same as the osprotect (rails app user) account name

(10) edit config/database.yml ... edit as appropriate for your installation of MySQL and the Snort database

(11) bundle exec rake db:migrate ... add osProtect tables to the Snort schema (note: the Snort tables/data are not altered by this app)

(12) bundle exec rake db:seed ... create the initial admin user; edit this file to change the admin password and email

(13) edit config/resque.yml ... edit this file if you are not using the default IP/Port for Redis

(14) edit config/app_config.yml ... edit as appropriate for your installation ... details here

(15) bundle exec rake assets:precompile ... compress/prepare assets to be served by a web server (optional if not using a web server)

(16) visit http://osprotect.example.com/ (use your domain) in a web browser
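The following preflight script is an added example, not part of the osProtect project, that checks two of the settings above before deploying: step (5), that reports_path lies outside the app folder so a release cannot delete existing PDFs, and steps (9)/(10), that config/database.yml uses a dedicated, password-protected MySQL account rather than root or the account Barnyard2 writes with. The YAML samples, the app root and the Barnyard2 user name are constructed for the example.

```ruby
require "yaml"

# Constructed sample of the two config files edited in steps (5) and (10);
# the values are illustrative and not taken from the project.
APP_CONFIG_YAML = <<~YAML
  reports_path: /home/osprotect/apps/osProtect/shared/reports
YAML

DATABASE_YAML = <<~YAML
  production:
    adapter: mysql2
    database: snort
    username: osprotect_app
    password: change-me
    host: 127.0.0.1
YAML

# True when +path+ is +root+ itself or anything beneath it, after resolving
# "..", "." and trailing slashes; purely lexical, so it runs offline.
def inside?(root, path)
  root = File.expand_path(root)
  path = File.expand_path(path, root) # a relative path resolves against root
  path == root || path.start_with?(root + File::SEPARATOR)
end

# Step (5): the release folder is replaced on deploy, so it must not hold the PDFs.
def reports_path_problems(app_root, app_config)
  rp = app_config["reports_path"].to_s
  return ["reports_path is not set"] if rp.empty?
  problems = []
  problems << "reports_path should be absolute" unless rp.start_with?("/")
  problems << "reports_path is inside the app folder; a deployment could delete PDFs" if inside?(app_root, rp)
  problems
end

# Steps (9)/(10): use a dedicated MySQL account with a password, not root and
# not the account Barnyard2 writes with (its name here is an assumption).
def database_problems(db_config, barnyard_user = "barnyard2")
  prod = db_config.fetch("production", {})
  problems = []
  problems << "production.username is root; create a dedicated user" if prod["username"] == "root"
  problems << "production.username is the Barnyard2 account; use a separate user" if prod["username"] == barnyard_user
  problems << "production.password is empty" if prod["password"].to_s.empty?
  problems
end

# Returns an empty array when both files pass; otherwise the list of findings.
def preflight(app_root, app_config_yaml, database_yaml)
  reports_path_problems(app_root, YAML.safe_load(app_config_yaml)) +
    database_problems(YAML.safe_load(database_yaml))
end
```

Run it from the osProtect folder with the real files read in via File.read("config/app_config.yml") and File.read("config/database.yml") in place of the sample strings.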