
Snort on CentOS 6 with redBorder Live - Part III

Registering the sensor in redBorder Live

First, verify that the rb_register service is stopped:

[root@snortstd-centos6 ~]# /etc/init.d/rb-register status
rb_register is stopped

Next, start the service to trigger the first stage of the registration process:

[root@snortstd-centos6 ~]# /etc/init.d/rb-register start
Starting rb_register:                                      [  OK  ]
Domain to connect: live.redorder.com
Verify remote certificate: enabled
Sensor UUID to claim: bd93699b-ff15-4d07-a0f2-f07da1a9ca81

The system has registered the unique UUID and will wait until it is claimed by you. You can verify that the process has been carried out successfully by checking the system logs:

[root@snortstd-centos6 ~]# tail -f /var/log/rb-register/current
time="2016-05-10T11:06:38+02:00" level=info msg="Stored UUID on DB: 369516204340538230" 
time="2016-05-10T11:06:38+02:00" level=info msg="Registered!"
time="2016-05-10T11:06:38+02:00" level=info msg="Requesting certificate"
time="2016-05-10T11:07:39+02:00" level=info msg="Claimed!"
time="2016-05-10T11:07:39+02:00" level=info msg="Chef called"
time="2016-05-10T11:07:39+02:00" level=info msg=Done

You can force the creation of a new UUID at any time by unbinding the sensor from redBorder Live using the following command:

[root@snortstd-centos6 ~]# /opt/rb/bin/rb_disassociate_sensor.sh 
Are you sure you want to disassociate this sensor from the manager? (y/N) y
Stopping rb_register:                                      [  OK  ]
Deleting /opt/rb/etc/chef/client.pem
Deleting /opt/rb/etc/chef/client.rb
Deleting /etc/cron.d/redborder
Deleting /opt/rb/etc/sysconfig/barnyard2
Deleting /opt/rb/etc/sid-msg.map
Deleting /opt/rb/etc/barnyard2.conf
Deleting /opt/rb/etc/rb-conf
Deleting /opt/rb/etc/rb-conf-final.sh
Starting rb_register:                                      [  OK  ]
Sensor UUID to claim: 28e4df0f-4fd5-4fe2-9142-d4b92ea96e9d

This script unbinds the sensor, stops the rb_register service, creates a new UUID, and starts the rb_register service.

You should use it only if one of the following occurs:

  • There was an error in the prior registration process and you can't claim the sensor for whatever reason
  • You want to have a new UUID

To claim the new sensor, log in to redBorder Live with your username and password, open the Sensors section, and select Claim sensor. You have one week to do so; after that the UUID expires in the system and you will have to create a new one.

Enter a descriptive name for the sensor and the UUID that identifies it in redBorder Live. Be careful when entering the UUID, as you only have three attempts. If you enter it incorrectly three times, the UUID will be removed and you will have to create a new one. If this happens too many times, your account may be blocked.

When you save the data, the sensor is bound to redBorder Live under the current account.

Sensor registered in redBorder Live

The user can verify that the sensor has been properly bound to redBorder Live by reviewing the system logs:

[root@snortstd-centos6 ~]# tail -f /var/log/messages 
Feb  2 16:43:51 snortstd rb_register[32025]: STATUS: VERIFYING
Feb  2 16:44:51 snortstd rb_register[32025]: STATUS: VERIFYING
Feb  2 16:45:51 snortstd rb_register[32025]: STATUS: CLAIMED
Feb  2 16:45:51 snortstd rb_register[32025]: Saved certificate in: /opt/rb/etc/chef/client.pem

The rb_register service goes from VERIFYING to CLAIMED and stores the certificate that will authorize the communications with redBorder Live.
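To confirm this transition without watching the log by hand, the following added example (not part of the redBorder article or its tooling) parses rb_register STATUS lines in the syslog format shown above and checks that the certificate file exists and is not readable by other users. The log path and certificate path are passed as arguments, and the sample log in rb_demo is constructed for illustration.

```shell
#!/bin/sh
# Added example: verify sensor registration from rb_register syslog lines
# and the stored chef client certificate.

# Print the most recent rb_register STATUS value in a syslog file,
# or UNKNOWN when no such line exists.
rb_last_status() {
  status=$(sed -n 's/.*rb_register\[[0-9]*\]: STATUS: \([A-Z]*\).*/\1/p' "$1" | tail -n 1)
  if [ -n "$status" ]; then printf '%s\n' "$status"; else printf 'UNKNOWN\n'; fi
}

# $1: syslog path, $2: client.pem path.
# Exit codes: 0 registered, 1 not yet CLAIMED, 2 CLAIMED but certificate
# missing, 3 certificate world-readable (added hardening check).
rb_check_registration() {
  log="$1"; pem="$2"
  status=$(rb_last_status "$log")
  if [ "$status" != "CLAIMED" ]; then
    echo "registration not complete: status=$status"; return 1
  fi
  if [ ! -s "$pem" ]; then
    echo "CLAIMED but certificate missing: $pem"; return 2
  fi
  # client.pem authorizes communication with the manager; other users
  # on the sensor should not be able to read it.
  if [ -n "$(find "$pem" -perm -004 2>/dev/null)" ]; then
    echo "certificate $pem is world-readable; tighten its permissions"; return 3
  fi
  echo "sensor registered; certificate present at $pem"; return 0
}

# Constructed sample data mirroring the log format shown in the article.
rb_demo() {
  dir=$(mktemp -d)
  cat > "$dir/messages" <<'EOF'
Feb  2 16:43:51 snortstd rb_register[32025]: STATUS: VERIFYING
Feb  2 16:44:51 snortstd rb_register[32025]: STATUS: VERIFYING
Feb  2 16:45:51 snortstd rb_register[32025]: STATUS: CLAIMED
Feb  2 16:45:51 snortstd rb_register[32025]: Saved certificate in: /opt/rb/etc/chef/client.pem
EOF
  printf 'constructed-pem-placeholder\n' > "$dir/client.pem"
  chmod 600 "$dir/client.pem"
  rb_check_registration "$dir/messages" "$dir/client.pem"
  rc=$?
  rm -rf "$dir"
  return $rc
}
```

On a live sensor, call rb_check_registration with /var/log/messages and /opt/rb/etc/chef/client.pem.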

In redBorder Live the user can see a green circle in the Last Checked column of the Sensors section: this means that the sensor has been properly registered.

This column also indicates the time elapsed since the last sensor check.

From this point, you can configure your Snort sensor and assign its policies.

Basic Configuration

To edit the configuration of the sensor, you need to click on the Configuration icon, to the right of the row, and select Edit from the given options.

This opens a basic configuration form for your Snort sensor. It exposes far fewer options than we enable when the sensor runs our own Snort version, but it covers the essential working parameters without interfering with your existing configuration.

The form proposes default values that are valid and consistent with this guide, so you are not required to change them.

If your environment differs in any way, enter the relevant values in the form.

The last step is to configure the security policies for the Snort sensor. To do so, return to the Sensors menu, click on Configure and select the Signature Policies submenu.

Select the security policy you want to apply by clicking the Assign icon. Finally, to apply that policy to the sensor, click on the Apply Conf option that appears in the top right corner. The policy applied will be marked in green.

A more detailed guide for policy management will be available soon.
