Suricata

Below is a script to get Suricata and Barnyard set up quickly and somewhat painlessly (Created By Nubzzz)


 * 1) !/bin/bash

if $UID -ne 0 ; then echo "$0 must be run as root" exit 1 fi echo This script is intended to be installed after Snorby has been installed echo Please see my other document regarding the installation procedure echo for Snorby on Ubuntu echo echo -n 'Have you installed Snorby yet? (y or n)' read response case $response in [nN] ) echo Please install snorby first exit 1 [yY] )

sudo apt-get update sudo apt-get -y install libpcre3 libpcre3-dbg libpcre3-dev \ build-essential autoconf automake libtool libpcap-dev libnet1-dev \ libyaml-0-2 libyaml-dev zlib1g zlib1g-dev libcap-ng-dev libcap-ng0 \ make libmagic-dev vim pkg-config build-essential cd /tmp/ wget http://www.openinfosecfoundation.org/download/suricata-1.2.1.tar.gz tar -zxvf suricata-1.2.1.tar.gz cd suricata-1.2.1/ ./configure sudo make sudo make install sudo ldconfig sudo mkdir /etc/suricata sudo mkdir /etc/suricata/rules sudo mkdir /var/log/suricata sudo cp classification.config /etc/suricata sudo cp reference.config /etc/suricata sudo cp suricata.yaml /etc/suricata cd /tmp wget http://www.securixlive.com/download/barnyard2/barnyard2-1.9.tar.gz tar -zxvf barnyard2-1.9.tar.gz cd barnyard2-1.9 ./configure --with-mysql sudo make sudo make install cp $(pwd)/etc/barnyard2.conf /etc/suricata/ sudo mkdir /var/log/barnyard2 cd /etc/suricata wget http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz tar -zxvf emerging.rules.tar.gz rm emerging.rules.tar.gz clear echo edit the classification-file and echo reference-config-file lines under the rule-files echo in the suricata.yaml file to read as follows echo echo classification-file: /etc/suricata/rules/classification.config echo reference-config-file: /etc/suricata/rules/reference.config echo echo 'COPY THEM NOW! 
(Yes....I was too lazy to script it out)' echo Press enter when you have the lines in your clipboard read sudo nano /etc/suricata/suricata.yaml clear echo echo Now we are going to edit the barnyard configuration echo '(Same deal with a different program, MAKE SURE IT MATCHES!)' echo '(This assumes you are using Snorby, make sure you have the creds right!)' echo echo config reference_file: /etc/suricata/reference.config echo config classification_file: /etc/suricata/classification.config echo config gen_file: /etc/suricata/rules/gen-msg.map echo config sid_file: /etc/suricata/rules/sid-msg.map echo echo '# This should go at the end of the config file' echo Be ABSOLUTELY sure that you change the information to match against echo your Mysql database information for the user and password echo echo output database: log, mysql, user=snorbyuser password=some_pass echo dbname=snorby host=localhost sensor_name=sensor1 echo echo READY........GO! read sudo nano /etc/suricata/barnyard2.conf clear echo echo Creating init.d script
 * 1) brief interuption to install barnyard2
 * 1) back to our regularly scheduled install

touch /etc/init.d/suricata chmod +x /etc/init.d/suricata echo "#!/bin/bash


 * 1) This script starts up suricata and barnyard2
 * 2) in Daemon Mode upon startup

case \$1 in

'start') echo 'Starting Suricata' /usr/local/bin/suricata -c /etc/suricata/suricata.yaml -i eth0 -D echo 'Starting Barnyard2' /usr/local/bin/barnyard2 -c /etc/suricata/barnyard2.conf -d /var/log/suricata -f unified2.alert -w /var/log/suricata/suricata.waldo -D 'stop') killall barnyard2 killall suricata 'restart') stop start echo 'Usage /etc/init.d/suricata {start|stop|restart}' exit 1 esac exit 0" > /etc/init.d/suricata cd /etc/init.d/ update-rc.d suricata defaults cd ~ echo echo echo THAT WAS EASY! echo echo Now start Suricata and Barnyard and up and you will be golden echo echo Use the following command to start Suricata up to check to make sure it runs echo '(replace eth0 with your listening interface)' echo echo suricata -c /etc/suricata/suricata.yaml -i eth0 echo echo Use the following command to start Barnyard up to check to make sure it runs echo echo barnyard2 -c /etc/suricata/barnyard2.conf -d /var/log/suricata -f unified2.alert -w /var/log/suricata/suricata.waldo echo echo echo Once you verify that the settings are good start up both with /etc/init.d/suricata start echo echo

echo Please install snorby first exit 1 esac