Snort on CentOS 6 with redBorder Live - Part II

Installing the redBorder package

Once Snort is properly installed and running (or if you already had it running), you need to install the redBorder-IPS-generic package. This package binds the Snort instance to the redBorder Live service, enables rule management, and configures barnyard2 to send the events securely to the cloud.

redBorder-IPS-generic requires the following additional packages in order to work:

  • ruby
  • GeoIP
  • net-snmp
  • sharutils
  • Additional gems installed as part of the dependencies

[root@snortstd-centos6 ~]# yum install redBorder-IPS-generic

As part of the installation process, a message appears asking you to include some lines in the snmpd.conf file of the net-snmp package:

...
INFO: Please, add these lines to your snmpd.conf file in order to allow get basic statistics:
>>> /etc/snmp/snmpd.conf
disk /
com2sec redBorderUser localhost redBorder
group redBorderGroup v1 redBorderUser
group redBorderGroup v2c redBorderUser
view all included .1 80
access redBorderGroup "" any noauth exact all none none

These lines allow the installed redBorder agent to obtain basic system information through local SNMP queries using the redBorder community string and to send it to the redBorder Live service. Note that the com2sec line limits that community to localhost, so the read-only view of the .1 tree is not exposed to other hosts.

Another two messages appear that you need to consider:

...
INFO: You must enable perfmonitor preprocessor to enable statistics. To enable it add the folowing line: preprocessor perfmonitor: time 300 file /var/log/snort/snort.stats pktcnt 10000

This first message refers to the configuration of the Snort perfmonitor preprocessor.

...
Claim this IPS with the UUID: bd93699b-ff15-4d07-a0f2-f07da1a9ca81
...

The second message reports the UUID reserved for this installation, which will be used to identify the system in the redBorder Live environment.

You will be asked to enter this UUID when registering the system in redBorder Live, and you can view it at any time in the /opt/rb/etc/rb-uuid file:

[root@snortstd-centos6 ~]# cat /opt/rb/etc/rb-uuid 
bd93699b-ff15-4d07-a0f2-f07da1a9ca81

Now we add the proposed changes into the snmpd.conf file:

[root@snortstd-centos6 ~]# cat >> /etc/snmp/snmpd.conf <<EOF
com2sec redBorderUser localhost redBorder
group redBorderGroup v1 redBorderUser
group redBorderGroup v2c redBorderUser
view all included .1 80
access redBorderGroup "" any noauth exact all none none
EOF

To monitor the file system (status, usage, mount point, etc.), add the following line:

[root@snortstd-centos6 ~]# cat >> /etc/snmp/snmpd.conf <<EOF
disk /
EOF

Finally, restart the snmpd service:

[root@snortstd-centos6 ~]# /etc/init.d/snmpd restart
Stopping snmpd:                                            [  OK  ]
Starting snmpd:                                            [  OK  ]

Check that the configuration is correct by executing the following basic queries:

[root@snortstd-centos6 ~]# snmpwalk -v2c -c redBorder localhost \
UCD-SNMP-MIB::systemStats

UCD-SNMP-MIB::ssIndex.0 = INTEGER: 1
UCD-SNMP-MIB::ssErrorName.0 = STRING: systemStats
UCD-SNMP-MIB::ssSwapIn.0 = INTEGER: 0 kB
UCD-SNMP-MIB::ssSwapOut.0 = INTEGER: 0 kB
UCD-SNMP-MIB::ssIOSent.0 = INTEGER: 4 blocks/s
UCD-SNMP-MIB::ssIOReceive.0 = INTEGER: 0 blocks/s
UCD-SNMP-MIB::ssSysInterrupts.0 = INTEGER: 17 interrupts/s
UCD-SNMP-MIB::ssSysContext.0 = INTEGER: 58 switches/s
UCD-SNMP-MIB::ssCpuUser.0 = INTEGER: 0
UCD-SNMP-MIB::ssCpuSystem.0 = INTEGER: 0
UCD-SNMP-MIB::ssCpuIdle.0 = INTEGER: 99
UCD-SNMP-MIB::ssCpuRawUser.0 = Counter32: 6379
UCD-SNMP-MIB::ssCpuRawNice.0 = Counter32: 1545
UCD-SNMP-MIB::ssCpuRawSystem.0 = Counter32: 4131
UCD-SNMP-MIB::ssCpuRawIdle.0 = Counter32: 8684393
UCD-SNMP-MIB::ssCpuRawWait.0 = Counter32: 27199
UCD-SNMP-MIB::ssCpuRawKernel.0 = Counter32: 0
UCD-SNMP-MIB::ssCpuRawInterrupt.0 = Counter32: 1
UCD-SNMP-MIB::ssIORawSent.0 = Counter32: 1720732
UCD-SNMP-MIB::ssIORawReceived.0 = Counter32: 770644
UCD-SNMP-MIB::ssRawInterrupts.0 = Counter32: 625495
UCD-SNMP-MIB::ssRawContexts.0 = Counter32: 875982
UCD-SNMP-MIB::ssCpuRawSoftIRQ.0 = Counter32: 73
UCD-SNMP-MIB::ssRawSwapIn.0 = Counter32: 0
UCD-SNMP-MIB::ssRawSwapOut.0 = Counter32: 0


[root@snortstd-centos6 ~]# snmpwalk -v2c -c redBorder localhost \
UCD-SNMP-MIB::dskEntry

UCD-SNMP-MIB::dskIndex.1 = INTEGER: 1
UCD-SNMP-MIB::dskPath.1 = STRING: /
UCD-SNMP-MIB::dskDevice.1 = STRING: /dev/mapper/vg_snortstd-lv_root
UCD-SNMP-MIB::dskMinimum.1 = INTEGER: 100000
UCD-SNMP-MIB::dskMinPercent.1 = INTEGER: -1
UCD-SNMP-MIB::dskTotal.1 = INTEGER: 14225776
UCD-SNMP-MIB::dskAvail.1 = INTEGER: 11303996
UCD-SNMP-MIB::dskUsed.1 = INTEGER: 2192488
UCD-SNMP-MIB::dskPercent.1 = INTEGER: 16
UCD-SNMP-MIB::dskPercentNode.1 = INTEGER: 6
UCD-SNMP-MIB::dskTotalLow.1 = Gauge32: 14225776
UCD-SNMP-MIB::dskTotalHigh.1 = Gauge32: 0
UCD-SNMP-MIB::dskAvailLow.1 = Gauge32: 11303996
UCD-SNMP-MIB::dskAvailHigh.1 = Gauge32: 0
UCD-SNMP-MIB::dskUsedLow.1 = Gauge32: 2192488
UCD-SNMP-MIB::dskUsedHigh.1 = Gauge32: 0
UCD-SNMP-MIB::dskErrorFlag.1 = INTEGER: noError(0)
UCD-SNMP-MIB::dskErrorMsg.1 = STRING:
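The steps above (append the directives, restart snmpd, verify with snmpwalk) collected into one script, as an added example that is not part of the original article or the redBorder package. It assumes the target file is given by SNMPD_CONF (defaulting to /etc/snmp/snmpd.conf); unlike a plain cat >>, it does not duplicate lines when re-run, and it refuses to proceed if the redBorder community is granted to anything other than localhost.

```shell
#!/bin/sh
# Added example, not from the redBorder article. SNMPD_CONF is an assumed
# override for testing; the real file is /etc/snmp/snmpd.conf.
SNMPD_CONF="${SNMPD_CONF:-/etc/snmp/snmpd.conf}"

# append_line FILE LINE: append LINE only if an identical line is not already
# present, so running the setup twice does not duplicate directives.
append_line() {
    grep -qxF -- "$2" "$1" 2>/dev/null || printf '%s\n' "$2" >> "$1"
}

# add_redborder_snmp FILE: the directives the package installer asks for.
add_redborder_snmp() {
    append_line "$1" 'disk /'
    append_line "$1" 'com2sec redBorderUser localhost redBorder'
    append_line "$1" 'group redBorderGroup v1 redBorderUser'
    append_line "$1" 'group redBorderGroup v2c redBorderUser'
    append_line "$1" 'view all included .1 80'
    append_line "$1" 'access redBorderGroup "" any noauth exact all none none'
}

# community_is_local FILE: succeed only if every com2sec line that maps the
# redBorder community restricts its source to localhost. v1/v2c send the
# community string in cleartext, so a wider source (e.g. "default") would
# hand read access to the whole .1 tree to any host that can reach snmpd.
community_is_local() {
    # com2sec fields: $2 = security name, $3 = source, $4 = community
    awk '$1=="com2sec" && $4=="redBorder" && $3!="localhost" && $3!="127.0.0.1" { bad=1 }
         END { exit bad }' "$1"
}

# verify_snmp: the same read-only queries the article runs by hand; non-zero
# if snmpd does not answer the redBorder community on localhost.
verify_snmp() {
    snmpwalk -v2c -c redBorder localhost UCD-SNMP-MIB::systemStats >/dev/null &&
    snmpwalk -v2c -c redBorder localhost UCD-SNMP-MIB::dskEntry >/dev/null
}

# Usage: sh setup-rb-snmp.sh apply   (run as root on the sensor)
if [ "${1:-}" = "apply" ]; then
    add_redborder_snmp "$SNMPD_CONF"
    community_is_local "$SNMPD_CONF" || {
        echo "refusing: redBorder community is not limited to localhost" >&2
        exit 1
    }
    /etc/init.d/snmpd restart && verify_snmp
fi
```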

From here, you can continue with the registration and configuration process.