Snorby #51

Closed
GoogleCodeExporter opened this issue Mar 24, 2015 · 13 comments

Comments

@GoogleCodeExporter commented Mar 24, 2015

https://github.com/Snorby/snorby

Original issue reported on code.google.com by doug.bu...@gmail.com on 9 Dec 2010 at 12:36

@GoogleCodeExporter commented Mar 24, 2015

[deleted comment]

@GoogleCodeExporter commented Mar 24, 2015

Any thoughts or concerns on integrating snorby into the build?

Original comment by liam.ran...@gmail.com on 13 Jul 2011 at 4:28

@GoogleCodeExporter commented Mar 24, 2015

@vivekrj created a tarball:
http://t.co/HUvKmTbe

Need to change database name.

For SSL:
try "thin start --ssl"; if that doesn't work we need to check if rack-ssl is set up ...@mephux

Original comment by doug.bu...@gmail.com on 6 Nov 2011 at 6:14

@GoogleCodeExporter commented Mar 24, 2015

Doug,

Let me know what I can do to help. I will be looking into the rack-ssl requirement this weekend to make sure everything is ready to rock.

- Dustin

Original comment by Dustin.W...@gmail.com on 18 Nov 2011 at 3:07

@GoogleCodeExporter commented Mar 24, 2015

Hi Dustin,

I just pushed out a new version of Barnyard2 and my next step is to update Suricata to the new 1.1. After that, I should be ready to focus on getting Snorby integrated. Let me know what you find out about rack-ssl. Any and all assistance would be appreciated!

Thanks,
Doug

Original comment by doug.bu...@gmail.com on 18 Nov 2011 at 3:20

@GoogleCodeExporter commented Mar 24, 2015

Followed Vivek's instructions here to install Rails and Snorby using rbenv:
http://www.unleashnetworks.com/blog/?p=356

Updated Vivek's snorby_start script as follows:
#!/bin/bash
# Originally written by Vivek Rajagopalan
# http://www.unleashnetworks.com/blog/?p=356
# Revised by Doug Burks for Security Onion.
#
# Version:
# 20111222
#
# Changelog:
# 20111222 - Initial release for Security Onion
# root area
SNORBYHOME=/usr/local/share/snorby
# from rbenv
export RBENV_ROOT="$SNORBYHOME/.rbenv"
export PATH="$RBENV_ROOT/bin:$PATH"
eval "$(rbenv init -)"
# First run only: create and seed the Snorby database, then leave a flag file
if ! test -e "$SNORBYHOME/db/first"; then
    cd "$SNORBYHOME" || exit 1
    echo "Running first-time Snorby setup"
    bundle exec rake snorby:setup | grep "datamapper"
    touch "$SNORBYHOME/db/first"
    echo "Done initializing snorby"
fi
# start the webserver (daemonized, production environment, SSL handled by thin)
cd "$SNORBYHOME" || exit 1
echo "Starting thin web server"
bundle exec thin start --ssl -e production -d
echo "Running Snorby jobs"
bundle exec script/delayed_job start
bundle exec rails runner 'Snorby::Jobs::SensorCacheJob.new(false).perform; Snorby::Jobs::DailyCacheJob.new(false).perform'

Packaged Snorby:
/usr/local/lib/ruby/gems/1.9.1/gems/fpm-0.3.11/bin/fpm -s dir -t deb -n securityonion-snorby -v 20111222 /usr/local/share/snorby

Original comment by doug.bu...@gmail.com on 23 Dec 2011 at 6:15

@GoogleCodeExporter commented Mar 24, 2015

Created Snorby desktop shortcut and built new menu package:
/usr/local/lib/ruby/gems/1.9.1/gems/fpm-0.3.11/bin/fpm -s dir -t deb -n securityonion-menu -v 20111222 /etc/xdg/xdg-xubuntu/menus/xfce-applications.menu /usr/share/desktop-directories/securityonion* /usr/share/applications/securityonion* /etc/skel/Desktop/*.desktop

Original comment by doug.bu...@gmail.com on 23 Dec 2011 at 6:15

@GoogleCodeExporter commented Mar 24, 2015

Updated /etc/init/securityonion.conf as follows:
script
    sleep 5
    # If this is a SLAVE, stop MySQL and start SSH tunnel
    SSH_DIR="/root/.ssh"
    SSH_CONF="$SSH_DIR/securityonion_ssh.conf"
    if [ -f $SSH_CONF ]
    then
        # We are a SLAVE
        # Stop MySQL
        service mysql stop
        # Establish persistent SSH tunnel to MASTER.
        KEY="$SSH_DIR/securityonion"
        # Upstart uses sh instead of bash so we can't use "source"
        SSH_USERNAME=`grep SSH_USERNAME $SSH_CONF | cut -d\= -f2`
        SERVERNAME=`grep SERVERNAME $SSH_CONF | cut -d\= -f2`
        /usr/bin/autossh -f -M 61234 -i "$KEY" -N -L 3306:127.0.0.1:3306 $SSH_USERNAME@$SERVERNAME
    fi
    # Both SLAVES and MASTERS need to start NSM services
    service nsm start
    /etc/nsm/ossec/ossec_agent.tcl -o -f /var/ossec/logs/alerts/alerts.log -i 127.0.0.1 -p 5 -c /etc/nsm/ossec/ossec_agent.conf
    # If this is a MASTER, then start Snorby
    [ -d /var/lib/mysql/securityonion_db/ ] && /usr/local/share/snorby/snorby_start
end script

Built new nsm package:
/usr/local/lib/ruby/gems/1.9.1/gems/fpm-0.3.11/bin/fpm -s dir -t deb -n securityonion-nsmnow-admin-scripts -v 20111222 /etc/init.d/nsm* /usr/share/nsmnow/ /usr/local/sbin/nsm* /usr/local/lib/nsmnow/ /etc/cron.d/sensor-* /etc/init/securityonion.conf

Original comment by doug.bu...@gmail.com on 23 Dec 2011 at 6:16

@GoogleCodeExporter commented Mar 24, 2015

Added email address to /usr/local/bin/setup:
    # Ask for email address for Snorby
    TITLE="Email address"
    TEXT="What is your email address?\r\n\r\nThis will be used when logging into Snorby."
    SNORBY_EMAIL=`zenity --title="$TITLE" --text="$TEXT" --entry`
    # Abort setup if the dialog was cancelled or the field left empty
    [ -z "$SNORBY_EMAIL" ] && exit

Added autossh (for slaves) and snorby DB initialization (for masters) to 
/usr/local/bin/setup process:
SSH_DIR="/root/.ssh"
SSH_CONF="$SSH_DIR/securityonion_ssh.conf"
if [ -f $SSH_CONF ]
then
    # We are a SENSOR
    echo "70"
    echo "# Starting SSH tunnel to MASTER." | tee -a $LOG
    # Stop MySQL
    service mysql stop | tee -a $LOG
    # Establish persistent SSH tunnel to MASTER
    ps aux |grep "autoss[h]" |awk '{print $2}' |xargs -r kill
    KEY="$SSH_DIR/securityonion"
    source $SSH_CONF
    /usr/bin/autossh -f -M 61234 -i "$KEY" -N -L 3306:127.0.0.1:3306 $SSH_USERNAME@$SERVERNAME
else
    # We are the MASTER.
    echo "70"
    echo "# Initializing Snorby database." | tee -a $LOG
    # Kill any existing Snorby processes.
    ps aux |grep "thi[n]" |awk '{print $2}' |xargs -r kill
    ps aux |grep "dela[y]" |awk '{print $2}' |xargs -r kill
    # Delete any existing Snorby data.
    mysql -e "drop database snorby"
    # Remove the first flag
    rm -f /usr/local/share/snorby/db/first
    # Set email and password
    # NOTE: both values are spliced into the sed expression unescaped, so a
    # '|', '&' or '\' in the email or password breaks the substitution.
    cp /usr/local/share/snorby/db/seeds.rb.securityonion /usr/local/share/snorby/db/seeds.rb
    sed -i "s|ReplaceWithDesiredEmail|$SNORBY_EMAIL|g" /usr/local/share/snorby/db/seeds.rb
    sed -i "s|ReplaceWithDesiredPassword|$SGUIL_CLIENT_PASSWORD_1|g" /usr/local/share/snorby/db/seeds.rb
    # Initialize Snorby DB
    SNORBYHOME=/usr/local/share/snorby
    export RBENV_ROOT=$SNORBYHOME/.rbenv
    export PATH=$RBENV_ROOT/bin:$PATH
    eval "$(rbenv init -)"
    cd $SNORBYHOME
    bundle exec rake snorby:setup | grep "datamapper"
    touch $SNORBYHOME/db/first
    # Open port 3000 for Snorby web interface
    ufw allow 3000/tcp
    # Shred the password!
    shred -u /usr/local/share/snorby/db/seeds.rb
fi
echo "85"
echo "# Starting all NSM services." | tee -a $LOG
service nsm start | tee -a $LOG

Added snorby_start to /usr/local/bin/setup:
if [ -d /var/lib/mysql/securityonion_db/ ]
then
    /usr/local/bin/sguild-add-user "$SGUIL_CLIENT_USERNAME" "$SGUIL_CLIENT_PASSWORD_1"
    /usr/local/share/snorby/snorby_start &
    cd /var/www/squert/.scripts/Ip2c/
    ./ip2c.tcl &
    cd -
fi

Packaged /usr/local/bin/setup as follows:
/usr/local/lib/ruby/gems/1.9.1/gems/fpm-0.3.11/bin/fpm -s dir -t deb -n securityonion-setup -v 20111222 /usr/local/bin/setup

Original comment by doug.bu...@gmail.com on 23 Dec 2011 at 6:16

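The setup script above seeds Snorby's first user by copying seeds.rb.securityonion and running two sed -i substitutions with the email and the Sguil password spliced straight into the expression. The following is an added example, not code from this thread or from Security Onion: the same templating step written so that a value containing '|', '&' or '\' cannot break or alter the substitution. The placeholder names ReplaceWithDesiredEmail and ReplaceWithDesiredPassword are the ones the setup script uses; the template text itself is constructed here, since seeds.rb.securityonion is not shown in the thread.

```shell
#!/bin/sh
# Added example, not from the Security Onion setup script: render seeds.rb
# from a template so the email/password cannot break the sed expression.
# Placeholders ReplaceWithDesiredEmail / ReplaceWithDesiredPassword are the
# ones the setup script uses; the template text itself is constructed here.

# A literal newline, for the newline check below (POSIX sh has no $'\n').
NL=$(printf '\nx'); NL=${NL%x}

# Escape a value for the replacement side of  s|pattern|value|g :
# backslash, '&' (stands for the whole match) and '|' (the delimiter)
# each get a leading backslash.
sed_escape_replacement() {
    printf '%s' "$1" | sed -e 's/[\\&|]/\\&/g'
}

# render_seeds TEMPLATE EMAIL PASSWORD OUTPUT
# Refuses a password containing a newline (sed works line by line, so it
# could not be escaped) and writes the rendered file to OUTPUT.
render_seeds() {
    template="$1" email="$2" password="$3" out="$4"
    case "$password" in
        *"$NL"*) echo "render_seeds: password may not contain a newline" >&2; return 1 ;;
    esac
    e_email=$(sed_escape_replacement "$email")
    e_pass=$(sed_escape_replacement "$password")
    sed -e "s|ReplaceWithDesiredEmail|$e_email|g" \
        -e "s|ReplaceWithDesiredPassword|$e_pass|g" "$template" > "$out"
}

# Demo on a constructed two-line template with a password full of sed
# metacharacters; prints the rendered file.
demo_render() {
    tmpl=$(mktemp) out=$(mktemp)
    printf 'email: "ReplaceWithDesiredEmail"\npassword: "ReplaceWithDesiredPassword"\n' > "$tmpl"
    render_seeds "$tmpl" 'snorby@securityonion.local' 'p|a&s\w0rd' "$out" || return 1
    cat "$out"
    rm -f "$tmpl" "$out"
}
```

The randomly generated password in the upgrade script is alphanumeric only, so it is safe to splice as-is; the user-chosen Sguil password taken by setup is not, which is where the escaping matters.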
@GoogleCodeExporter commented Mar 24, 2015

Added the following to security-onion-upgrade.sh:
sed -i 's| |=|g' $CONF
source $CONF
if [ "$VERSION" = "20111214" ]; then
    NEW="20111222"
    echo "**********************************************"   | $LOGGER
    echo "* Upgrading from $VERSION to $NEW."               | $LOGGER
    echo "**********************************************"   | $LOGGER
    DIR="/nsm/backup/$NEW"
    mkdir -p $DIR                                           | $LOGGER
    cd $DIR

    # NOTE: the packages below are fetched over plain HTTP and installed as
    # root without any checksum or signature verification.
    echo "* Installing new Setup script"                    | $LOGGER
    FILE=securityonion-setup_"$NEW"_i386.deb
    wget -q http://sourceforge.net/projects/security-onion/files/$NEW/$FILE -O $FILE | $LOGGER
    dpkg -i $FILE                                           | $LOGGER

    echo "* Installing new NSM scripts"                     | $LOGGER
    FILE=securityonion-nsmnow-admin-scripts_"$NEW"_i386.deb
    wget -q http://sourceforge.net/projects/security-onion/files/$NEW/$FILE -O $FILE | $LOGGER
    dpkg -i $FILE                                           | $LOGGER
    service cron restart

    echo "* Installing Snorby"                              | $LOGGER
    FILE=securityonion-snorby_"$NEW"_i386.deb
    wget -q http://sourceforge.net/projects/security-onion/files/$NEW/$FILE -O $FILE | $LOGGER
    dpkg -i $FILE                                           | $LOGGER

    FILE=securityonion-menu_"$NEW"_i386.deb
    echo "* Installing $FILE"                               | $LOGGER
    wget -q http://sourceforge.net/projects/security-onion/files/$NEW/$FILE -O $FILE | $LOGGER
    dpkg -i --force-overwrite $FILE                         | $LOGGER
    cp /etc/skel/Desktop/securityonion-snorby.desktop /home/*/Desktop/

    echo "* Installing wkhtmltopdf and autossh"             | $LOGGER
    apt-get update >/dev/null
    apt-get -y install wkhtmltopdf autossh                  | $LOGGER

    # Are we a MASTER?
    if [ -d /var/lib/mysql/securityonion_db/ ]
    then
        # Start Snorby
        IP=`ifconfig |grep "inet addr" | awk '{print $2}' |cut -d\: -f2 |grep -v "127.0.0.1" |head -1`
        # Random 10-character alphanumeric initial password (safe to splice
        # into the sed expression below: it contains no sed metacharacters)
        PASSWORD=`cat /dev/urandom| tr -dc 'a-zA-Z0-9' | fold -w 10| head -n 1`
        cp /usr/local/share/snorby/db/seeds.rb.securityonion /usr/local/share/snorby/db/seeds.rb
        sed -i "s|ReplaceWithDesiredEmail|snorby@securityonion.local|g" /usr/local/share/snorby/db/seeds.rb
        sed -i "s|ReplaceWithDesiredPassword|$PASSWORD|g" /usr/local/share/snorby/db/seeds.rb
        /usr/local/share/snorby/snorby_start
        ufw allow 3000/tcp
        shred -u /usr/local/share/snorby/db/seeds.rb
        echo "***************************************************************"
        echo "An initial password has been randomly generated for you."
        echo "Please login to Snorby and change this initial password now!"
        echo "Address: https://$IP:3000"
        echo "Username: snorby@securityonion.local"
        echo "Password: $PASSWORD"
        echo "***************************************************************"
    fi

    # Are we a SLAVE?
    SSH_DIR="/root/.ssh"
    SSH_CONF="$SSH_DIR/securityonion_ssh.conf"
    if [ -f $SSH_CONF ]
    then
        # Stop MySQL and establish persistent SSH tunnel to MASTER
        KEY="$SSH_DIR/securityonion"
        source $SSH_CONF
        service mysql stop
        /usr/bin/autossh -M 61234 -i "$KEY" -N -L 3306:127.0.0.1:3306 $SSH_USERNAME@$SERVERNAME &
        sleep 5
    fi

    # Update Barnyard2 config to send alerts to snorby DB
    for i in /etc/nsm/*/barnyard2.conf
    do
        echo "output database: alert, mysql, user=root dbname=snorby host=127.0.0.1" >> $i
    done
    /usr/local/sbin/nsm_sensor_ps-restart --only-barnyard2

    sed -i "s|VERSION=$VERSION|VERSION=$NEW|g" $CONF        | $LOGGER
    echo "* Upgrade to $NEW complete."                      | $LOGGER
    echo
fi

Original comment by doug.bu...@gmail.com on 23 Dec 2011 at 6:17

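The upgrade above fetches each .deb with wget over plain HTTP and hands it straight to dpkg -i as root, so nothing confirms that the file installed is the one that was published. The following is an added example, not code from this thread or from Security Onion: a small wrapper that refuses to install a package unless its SHA-256 matches an expected digest. It assumes the digests travel with the upgrade script (how they are distributed is not shown here; the EXPECTED_SHA256 argument and the INSTALL_CMD override are hypothetical), and the demo verifies a constructed file rather than a real package.

```shell
#!/bin/sh
# Added example, not from the Security Onion upgrade script: install a
# downloaded .deb only if its SHA-256 matches a digest that travels with the
# upgrade script (how the digests are distributed is assumed, not shown).

# Installer command; overridable so the logic can be exercised without dpkg.
INSTALL_CMD="${INSTALL_CMD:-dpkg -i}"

# sha256_of FILE -> prints the hex digest (sha256sum prints "<hex>  <name>")
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# verify_sha256 FILE EXPECTED_HEX -> 0 if the digests match, 1 otherwise
verify_sha256() {
    [ "$(sha256_of "$1")" = "$2" ]
}

# install_verified FILE EXPECTED_HEX
# On a mismatch the file is deleted so a later unguarded 'dpkg -i' cannot
# pick it up; on a match the installer runs.
install_verified() {
    file="$1" expected="$2"
    if ! verify_sha256 "$file" "$expected"; then
        echo "install_verified: checksum mismatch for $file, refusing to install" >&2
        rm -f "$file"
        return 1
    fi
    $INSTALL_CMD "$file"
}

# fetch_and_install URL EXPECTED_HEX: download, then install_verified.
# Prefer an https:// URL; the digest check still catches a corrupted or
# substituted file either way.
fetch_and_install() {
    url="$1" expected="$2" file="${1##*/}"
    wget -q "$url" -O "$file" || { rm -f "$file"; return 1; }
    install_verified "$file" "$expected"
}

# Demo on a constructed file: the six bytes "hello\n" and their SHA-256.
demo_verify() {
    f=$(mktemp)
    printf 'hello\n' > "$f"
    verify_sha256 "$f" 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
    rc=$?
    rm -f "$f"
    return $rc
}
```

In the upgrade script each wget/dpkg pair would become a single fetch_and_install call with the package's digest as the second argument.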
@GoogleCodeExporter commented Mar 24, 2015

Published:
http://securityonion.blogspot.com/2011/12/security-onion-20111222-now-available.html

Original comment by doug.bu...@gmail.com on 23 Dec 2011 at 7:56

  • Changed state: Verified

@GoogleCodeExporter commented Mar 24, 2015

Went through the build but the dashboard doesn't update for me. I double-checked and the OS timezone was UTC. How do you run the rails console on securityonion?

I believe I need to run Snorby::Jobs.clear_cache(true) after I change application.rb to EST and the OS to EST, and restart Snorby.

Original comment by mattlehm...@gmail.com on 10 Jan 2012 at 5:11

@GoogleCodeExporter commented Mar 24, 2015

Hi mattlehman84,

This issue is closed.  I've created a new issue for your question here:
http://code.google.com/p/security-onion/issues/detail?id=186

Original comment by doug.bu...@gmail.com on 10 Jan 2012 at 6:29
