# Building & Installing SAGAN For FreeBSD 8 & liblognorm < 0.3.9
Goal => **Configure Sagan with liblognorm to log to unified2 snort logging format, using barnyard2 for output plugins**
This guide outlines the best practice of decoupling Sagan's processing from output handling, giving the fastest possible logging and alerting chain.
## Install these Dependencies from Ports Tree:
*Note: Although the versions are listed here explicitly, you may want or need to build the latest from the ports tree.*

```
pcre-8.30_2          Perl Compatible Regular Expressions library
perl-5.12.4_4        Practical Extraction and Report Language
libdnet-1.11_3       A simple interface to low level networking routines
libee-0.3.2          An event expression library inspired by CEE
libestr-0.1.2        A library for some string essentials
autoconf-2.68        Automatically configure source code on many Un*x platforms
automake-1.11.1      GNU Standards-compliant Makefile generator (1.11)
pulledpork-0.6.1_2   Script to update snort-2.8+ rules
syslog-ng-3.3.5      A powerful syslogd replacement
```

Build these FreeBSD packages from '/usr/ports', with 'pkg_add -r', or with 'portmaster -n', for example:

```
[user@sensor /usr/ports/devel/libee]# sudo make clean install
```
### Barnyard2 Output Plugins:
Barnyard2 output plugins such as 'mysql' require additional dependencies to be prebuilt.

```
barnyard2-1.9_2        An output system for Snort or Suricata that parses unified2
mysql-client-5.5.23    Multithreaded SQL database (client) (can be added for barnyard2 sql logging)
```
## Switch FreeBSD syslog to syslog-ng using FIFO
Modify your '/etc/rc.conf' to enable syslog-ng running as root (it must be able to open the FIFO created below); disable the base syslogd there as well (`syslogd_enable="NO"`) so the two do not run at the same time.

```
syslog_ng_enable="YES"
syslog_ng_config="-u root"
```

Add new syslog-ng outputs to `/usr/local/etc/syslog-ng.conf`: a destination that writes into the FIFO Sagan reads, and a log path that feeds it from the local source

```
destination sagan { pipe("/var/run/sagan.fifo"); };  # the FIFO created with mkfifo below
log { source(src); destination(sagan); };            # 'src' is the local source in the default FreeBSD syslog-ng.conf; adjust if yours is named differently
# uncomment this line (inside your source definition) to open port 514 to receive messages
# udp(ip("0.0.0.0") port(514));
```

Note: FreeBSD imports /etc/syslog.conf into syslog-ng as a module.

Create the FIFO, stop the old syslogd and start syslog-ng

```
[user@sensor ~/sagan-0.2.1]# sudo mkfifo /var/run/sagan.fifo
[user@sensor ~/]# sudo /etc/rc.d/syslog stop
[user@sensor ~/]# sudo /usr/local/etc/rc.d/syslog-ng start
```
## Installing the rest from source

(At this time Sagan and liblognorm are not in the FreeBSD ports tree.)
## Liblognorm
### Option 1. Fetch Nightly
Git repo for liblognorm: ;a=summary

```
[user@sensor ~/]# wget -O liblognorm.0.3.4.tar.gz ";a=snapshot;h=f4b985047cd23be087aa93632acdd7ef7ea8ec70;sf=tgz"
```

- or -

```
[user@sensor ~/]# git clone git://
```

A nightly checkout has no generated ./configure script, so run the autotools first

```
[user@sensor ~/]# cd liblognorm*
[user@sensor ~/liblognorm]# aclocal
[user@sensor ~/liblognorm]# autoconf
[user@sensor ~/liblognorm]# autoreconf -f -i -Wall,no-obsolete
```
### Option 2. Fetch a tag/snapshot
Tagged snapshots should be release-ready and ship with the configure script, e.g. *liblognorm.0.3.4.tar.gz* (;a=snapshot;h=f4b985047cd23be087aa93632acdd7ef7ea8ec70;sf=tgz)

```
[user@sensor ~/]# fetch
[user@sensor ~/]# tar -zxvf liblognorm-*
```
### Continue to Compile liblognorm
```
[user@sensor ~/]# cd liblognorm*
[user@sensor ~/liblognorm]# LDFLAGS=-L/usr/local/lib CFLAGS=-I/usr/local/include ./configure
[user@sensor ~/liblognorm]# make
[user@sensor ~/liblognorm]# sudo make install
```

You should see

```
Libraries have been installed in:
```
### Normalizer
The normalizer binary is installed with liblognorm and can assist you in testing your *.rulebase files.

```
$ normalizer -r ./example.rulebase -e json < ./example.log
{"src-port": "14121", "src-ip": "", "username": "bobuser"}
```
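To see what the normalizer does with a `*.rulebase` file, here is an added example in Python (not part of liblognorm or Sagan): a small matcher for the liblognorm v1 `rule=` format that handles the `word`, `number`, `ipv4` and `rest` field types and yields the same kind of field set as the JSON above. The rulebase and log line are constructed, 192.0.2.10 is a documentation address, and compiling each rule to a regular expression is a simplification of liblognorm's parse tree.

```python
import re

FIELD_RE = re.compile(r"%([^:%]+):([^%]+)%")   # one v1 field: %name:type%
TYPES = {                                       # field types supported here
    "word": r"\S+",                             # (assumption: enough for the
    "number": r"\d+",                           # sagan rulebases; real
    "ipv4": r"\d{1,3}(?:\.\d{1,3}){3}",         # liblognorm has many more)
    "rest": r".*",
}

def compile_rule(sample):
    """Turn the sample text of one rule into (compiled regex, field names)."""
    names, pattern, pos = [], "", 0
    for m in FIELD_RE.finditer(sample):
        pattern += re.escape(sample[pos:m.start()])          # literal text
        pattern += "(%s)" % TYPES.get(m.group(2), "(?!)")    # unknown type never matches
        names.append(m.group(1))
        pos = m.end()
    return re.compile(pattern + re.escape(sample[pos:])), names

def parse_rulebase(text):
    """Compile every 'rule=[tags]:sample' line; comments, blank and prefix= lines are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("rule="):
            _tags, _, sample = line[len("rule="):].partition(":")
            rules.append(compile_rule(sample))
    return rules

def normalize(rules, line):
    """Fields from the first rule matching the whole line, or None if unparsed.
    A field named '-' is matched but discarded, as in liblognorm."""
    for regex, names in rules:
        m = regex.fullmatch(line)
        if m:
            return {n: v for n, v in zip(names, m.groups()) if n != "-"}
    return None

# Constructed rulebase and log line (192.0.2.10 is a documentation address, not from the page)
SAMPLE_RULEBASE = """\
# OpenSSH public-key login, the kind of line Sagan's openssh rules look at
rule=:Accepted publickey for %username:word% from %src-ip:ipv4% port %src-port:number% ssh2
"""
SAMPLE_LOG = "Accepted publickey for bobuser from 192.0.2.10 port 14121 ssh2"

def demo():
    # -> {'username': 'bobuser', 'src-ip': '192.0.2.10', 'src-port': '14121'}
    return normalize(parse_rulebase(SAMPLE_RULEBASE), SAMPLE_LOG)
```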
## Sagan
Download and decompress Sagan

```
[user@sensor ~/]# fetch
[user@sensor ~/]# tar zxvf sagan-*
[user@sensor ~/]# cd sagan*
```
Configure Sagan to log in the unified2 Snort logging format. This is the best way to decouple the processor and allows the fastest logging; barnyard2 then provides the output plugins.

```
[user@sensor ~/sagan-0.2.1]# LDFLAGS=-L/usr/local/lib CFLAGS=-I/usr/local/include ./configure --disable-mysql --disable-postgresql --disable-esmtp --disable-prelude --enable-lognorm --enable-libdnet --disable-snortsam
[user@sensor ~/sagan-0.2.1]# make
[user@sensor ~/sagan-0.2.1]# sudo make install
```

At the end of the install you should see

```
/usr/bin/install -c -d "/usr/local/share/man/man8"
/usr/bin/install -c -m 644 etc/sagan.8 "/usr/local/share/man/man8"
/usr/bin/install -c -m 755 src/sagan "/usr/local/sbin/sagan"
/usr/bin/install -c -d "/var/log/sagan"
/usr/bin/install -c -d "/var/run/sagan"
Sagan has been installed! You still need to do a few more things before your
up and running. See for
more information.
```
Ensure the binary is properly linked and will run without segfaulting:

- ldd should show that libee, libestr, liblognorm, libpcap, libdnet, the threading library and pcre are all linked in.

```
[user@sensor ~/sagan-0.2.1]# sudo ldd /usr/local/sbin/sagan
/usr/local/sbin/sagan:
    => /usr/local/lib/ (0x80085e000)
    => /lib/ (0x800a6c000)
    => /usr/local/lib/ (0x800c9f000)
    => /usr/local/lib/ (0x800ea7000)
    => /usr/local/lib/ (0x8010ae000)
    => /lib/ (0x8012b0000)
    => /lib/ (0x8014d1000)
    => /usr/local/lib/ (0x8016f4000)
    => /lib/ (0x80194a000)
```
Create a FreeBSD Sagan Service Script
```
[user@sensor ~/sagan-0.2.1]# fetch -o /usr/local/etc/rc.d/sagan
[user@sensor ~/sagan-0.2.1]# sudo chmod a+x /usr/local/etc/rc.d/sagan
```

Modify your '/etc/rc.conf' to enable this new sagan rc.d startup script (by FreeBSD rc.d convention the variable is `sagan_enable="YES"`; check the script's header for the name it actually uses).
## Pulledpork
Download rules via pulledpork (rule set manager)

Note: pulledpork does not at this time support the classification.config, reference.config, or any *.rulebase files, so those are fetched by hand here.

```
[user@sensor ~/sagan-0.2.1]# fetch -o /usr/local/etc/pulledpork/pulledpork.sagan.conf
[user@sensor ~/sagan-0.2.1]# fetch -o /usr/local/etc/sagan-rules/classification.config
[user@sensor ~/sagan-0.2.1]# fetch -o /usr/local/etc/sagan-rules/reference.config
[user@sensor ~/sagan-0.2.1]# pulledpork.pl -d -T -vv -c /usr/local/etc/pulledpork/pulledpork.sagan.conf
```

You should see pulledpork run.

```
Writing /var/log/sid_changes.log....
Rule Stats....
Enabled Rules:----1538
Dropped Rules:----6
Disabled Rules:---1
Total Rules:------1545
Please review /var/log/sid_changes.log for additional details
Fly Piggy Fly!
```

Modify the Sagan config '/usr/local/etc/sagan.conf' to comment out (#) all the individual rules file names and include only

```
include $RULE_PATH/sagan.rules
```
## FetchCarl
Download and install 'fetchcarl'

```
[user@sensor ~/sagan-0.2.1]# fetch -o /usr/local/bin/fetchcarl
[user@sensor ~/sagan-0.2.1]# chmod +x /usr/local/bin/fetchcarl
[user@sensor ~]# fetchcarl --help
usage: fetchcarl options
This command will assist in downloading and updating sagan-rules rulebase, and map files.
  -f, --file     Sagan configuration file location
                 default: /usr/local/etc/sagan.conf
  -u, --url      Sagan-rule git repo url
  -v, --verbose  Verbose
  -h, --help     Show this message
```

```
[user@sensor ~]# fetchcarl --verbose
the folder (/tmp/sagan_rules) you specified does not exist or doesn't contain a git repo.. fetching
Cloning into '/tmp/sagan_rules'...
remote: Counting objects: 549, done.
remote: Compressing objects: 100% (255/255), done.
remote: Total 549 (delta 462), reused 368 (delta 292)
Receiving objects: 100% (549/549), 275.21 KiB, done.
Resolving deltas: 100% (462/462), done.
Finished pulling sagan rules.
Sagan rulebase and config update complete.
(Note: Sagan *.rules were not updated. Use pulledpork for this process.)
```
## Running Sagan
Run Sagan for the first time.

```
[user@sensor ~]# /usr/local/etc/rc.d/sagan start
... wait -- do stuff like fail ssh logins, and sudo cmds ...
[user@sensor ~]# ls -la /var/log/sagan/sagan*
-rw-r--r-- 1 root sagan 4785 May 10 18:20 sagan.u2.1336685484
```
## Barnyard2
### Configuration
Create a minimal barnyard2.conf that only prints alerts, for testing the chain

```
[user@sensor ~]# sudo fetch -o /usr/local/etc/barnyard2.cli.conf
[user@sensor ~]# cat /usr/local/etc/barnyard2.cli.conf
# this is not hard, only unified2 is supported ;)
input unified2
# Step 3: setup the output plugins
output alert_fast: stdout
```
### Run Barnyard2
Read the unified2 data and print it, to double-check that the alert chain is working.

```
[user@sensor ~]# sudo mkdir /var/log/barnyard2 # barnyard2 complains when this directory doesn't exist, although it is not used.
[user@sensor ~]# barnyard2 -c /usr/local/etc/barnyard2.cli.conf -C /usr/local/etc/sagan-rules/classification.config -S /usr/local/etc/sagan-rules/ -R /usr/local/etc/sagan-rules/reference.config -f sagan.u2 -d /var/log/sagan/ --nolock-pidfile
[user@sensor ~]# cat alert
[**] [5000075] [OPENSSH] Authentication success [shadowbq] [**]
[Classification: successful-user] [Priority: 1]
2012-05-10 17:25:39 -> auth info
Message: Accepted publickey for shadowbq from port 59625 ssh2
[Xref =>]
[**] [5000406] [OPENSSH] Accepted publickey [**]
[Classification: successful-user] [Priority: 1]
2012-05-10 17:25:39 -> auth info
Message: Accepted publickey for shadowbq from port 59625 ssh2
[Xref =>]
```
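To check the chain beyond eyeballing the file, the added Python below (not part of Sagan or barnyard2) parses alert records in the layout shown above into dicts and counts how often each sid fired, which is the quick test that rules are actually reaching the output side. The sample records are constructed from the two alerts above plus a third, with documentation IP addresses filled in.

```python
import re
from collections import Counter

# Record layout shown above: a "[**] [sid] msg [**]" header (gid:sid:rev is also
# accepted), a classification/priority line, a "time -> facility level" line and
# a "Message:" line; anything else (Xref, blanks) is skipped.
HEADER_RE = re.compile(r"^\[\*\*\] \[(?:\d+:)?(\d+)(?::\d+)?\] (.*?) \[\*\*\]$")
CLASS_RE = re.compile(r"^\[Classification: ([^\]]*)\] \[Priority: (\d+)\]$")
TIME_RE = re.compile(r"^(\S+ \S+) -> (\S+) (\S+)$")

def parse_alerts(text):
    """Return one dict per alert record, in file order."""
    alerts, cur = [], None
    for line in text.splitlines():
        h, c, t = HEADER_RE.match(line), CLASS_RE.match(line), TIME_RE.match(line)
        if h:
            cur = {"sid": int(h.group(1)), "msg": h.group(2)}
            alerts.append(cur)
        elif cur is None:
            continue                       # noise before the first header
        elif c:
            cur["class"], cur["priority"] = c.group(1), int(c.group(2))
        elif t:
            cur["time"], cur["facility"], cur["level"] = t.groups()
        elif line.startswith("Message: "):
            cur["message"] = line[len("Message: "):]
    return alerts

def count_by_sid(alerts):
    """How often each rule fired: the quick check that the chain delivers alerts."""
    return Counter(a["sid"] for a in alerts)

# Constructed sample (sids and messages follow the page; IPs are documentation addresses)
SAMPLE_ALERTS = """\
[**] [5000075] [OPENSSH] Authentication success [shadowbq] [**]
[Classification: successful-user] [Priority: 1]
2012-05-10 17:25:39 -> auth info
Message: Accepted publickey for shadowbq from 192.0.2.10 port 59625 ssh2

[**] [5000406] [OPENSSH] Accepted publickey [**]
[Classification: successful-user] [Priority: 1]
2012-05-10 17:25:39 -> auth info
Message: Accepted publickey for shadowbq from 192.0.2.10 port 59625 ssh2

[**] [5000075] [OPENSSH] Authentication success [alice] [**]
[Classification: successful-user] [Priority: 1]
2012-05-10 17:31:02 -> auth info
Message: Accepted publickey for alice from 198.51.100.7 port 40112 ssh2
"""
```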
### YEA!
Working.. Moving ON!
### Barnyard Production Service
Set up barnyard2 to run as a service via rc.d

Modify your '/etc/rc.conf' to enable the barnyard2 rc.d startup script and pass it the Sagan unified2 location

```
barnyard2_flags="-D -f sagan.u2 -d /var/log/sagan"
```
### Optional. Barnyard2 and Existing Snorby/Base/DB
Set up barnyard2 to log to a remote Snorby MySQL database
(this can be skipped if you are not running Snorby or a remote DB)

```
[user@sensor ~]# sudo fetch -o /usr/local/etc/barnyard2.conf
[user@sensor ~]# sudo cat /usr/local/etc/barnyard2.conf
config reference_file: /usr/local/etc/sagan-rules/reference.config
config classification_file: /usr/local/etc/sagan-rules/classification.config
config sid_file: /usr/local/etc/sagan-rules/
config hostname: sagan
config interface: misc
config waldo_file: /var/log/sagan/barnyard2.waldo
input unified2
output database: log, mysql, user=snorby password=s3cr3tsauce dbname=snorby host=snorby
```
### Start Barnyard2
```
[user@sensor ~]# sudo /usr/local/etc/rc.d/barnyard2 start
```