├── Offline ├── create-sidmap.pl ├── dpkgorderUbuntui686.txt ├── dpkgorderUbuntux86_64.txt ├── dpkgorderDebiani686.txt ├── dpkgorderDebianx86_64.txt ├── as-offline-README.txt └── as-offline-stage1.sh ├── autosnort-vmwareplayer-guidance.pdf ├── Autosnort-CentOS ├── aanvalbpu.service ├── snortbarn.service ├── Previous_Rel │ └── previous interface install scripts │ │ ├── syslog_full-centOS.sh │ │ ├── base-centOS.sh │ │ ├── syslog_full-CentOS-10-23-2014.sh │ │ ├── aanval-centOS.sh │ │ ├── snortreport-centOS.sh │ │ ├── base-CentOS-03-07-14.sh │ │ ├── snortreport-CentOS-03-06-14.sh │ │ └── aanval-CentOS-03-07-14.sh ├── aanvalbpu ├── autosyslog_full-CentOS.sh ├── snortbarn └── PolicyModules │ └── passenger.te ├── Autosnort-Ubuntu ├── AVATAR │ ├── snortd.service │ ├── Previous_Rel │ │ └── snortd │ ├── full_autosnort.conf │ └── readme.txt ├── Previous_Rel │ └── previous interface install scripts │ │ ├── syslog_full-ubuntu.sh │ │ ├── base-ubuntu.sh │ │ ├── syslog_full-ubuntu-11-02-2014.sh │ │ ├── snortreport-ubuntu.sh │ │ ├── aanval-ubuntu.sh │ │ ├── base-ubuntu-02-01-2014.sh │ │ ├── snortreport-ubuntu-02-01-2014.sh │ │ ├── aanval-ubuntu-02-01-2014.sh │ │ ├── snorby-ubuntu.sh │ │ └── base-ubuntu-11-02-2014.sh ├── aanvalbpu ├── autosyslog_full-ubuntu.sh ├── initsguil ├── snortbarn └── autobase-ubuntu.sh ├── MIT-License.txt ├── Autosnort-Kali ├── aanvalbpu ├── autosyslog_full-kali.sh ├── snortbarn ├── autosnort-kali-readme.txt ├── autobase-kali.sh └── Previous_Rel │ └── previous interface install scripts │ └── autobase-kali.sh ├── Autosnort-Debian ├── aanvalbpu ├── Previous_Rel │ └── previous interface install scripts │ │ ├── base-debian.sh │ │ ├── syslog_full-debian-10-23-2014.sh │ │ ├── syslog_full-debian.sh │ │ ├── base-debian-02-08-2014.sh │ │ ├── snortreport-debian-02-08-2014.sh │ │ ├── snortreport-debian.sh │ │ ├── aanval-debian.sh │ │ ├── aanval-debian-02-08-2014.sh │ │ ├── base-debian-10-23-2014.sh │ │ └── snorby-debian.sh ├── autosyslog_full-debian.sh ├── snortbarn 
└── autobase-debian.sh ├── BT5r3 └── readme-bt5r3.txt └── README.txt /Offline/create-sidmap.pl: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/da667/Autosnort/HEAD/Offline/create-sidmap.pl -------------------------------------------------------------------------------- /autosnort-vmwareplayer-guidance.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/da667/Autosnort/HEAD/autosnort-vmwareplayer-guidance.pdf -------------------------------------------------------------------------------- /Autosnort-CentOS/aanvalbpu.service: -------------------------------------------------------------------------------- 1 | [Unit] 2 | Description=Aanval Background Processors 3 | After=http.service 4 | 5 | [Service] 6 | Type=forking 7 | ExecStart=/bin/bash -c "cd /var/www/html/aanval/apps;perl idsBackground.pl -start" 8 | 9 | [Install] 10 | WantedBy=multi-user.target 11 | -------------------------------------------------------------------------------- /Autosnort-CentOS/snortbarn.service: -------------------------------------------------------------------------------- 1 | [Unit] 2 | Description=Snort and Barnyard2 service start 3 | After=syslog.target network.target 4 | 5 | [Service] 6 | Type=forking 7 | ExecStart=/bin/bash -c "ip link set arp off multicast off promisc on dev ens33; /opt/snort/bin/snort -D -u snort -g snort -c /opt/snort/etc/snort.conf -i ens33; /usr/local/bin/barnyard2 -c /opt/snort/etc/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -D" 8 | 9 | [Install] 10 | WantedBy=multi-user.target 11 | -------------------------------------------------------------------------------- /Autosnort-Ubuntu/AVATAR/snortd.service: -------------------------------------------------------------------------------- 1 | [Unit] 2 | Description=Snort Daemon 3 | After=syslog.target network.target 4 | 5 | [Service] 6 | Type=simple 
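7 | 8 | ProtectHome=true 9 | ProtectKernelTunables=true 10 | ProtectKernelModules=true 11 | ProtectControlGroups=true 12 | 13 | ExecStartPre=/usr/sbin/ip link set up promisc on arp off multicast off dev snort_iface1 14 | ExecStartPre=/usr/sbin/ip link set up promisc on arp off multicast off dev snort_iface2 15 | ExecStartPre=/usr/sbin/ethtool -K snort_iface1 rx off tx off gro off lro off 16 | ExecStartPre=/usr/sbin/ethtool -K snort_iface2 rx off tx off gro off lro off 17 | 18 | ExecStart=snort_basedir/bin/snort -D -u snort -g snort -c /opt/snort/etc/snort.conf -Q --daq afpacket --daq-mode inline -i snort_iface1:snort_iface2 19 | 20 | KillMode=process 21 | 22 | Restart=on-failure 23 | RestartSec=60s 24 | 25 | [Install] 26 | WantedBy=multi-user.target -------------------------------------------------------------------------------- /Autosnort-CentOS/Previous_Rel/previous interface install scripts/syslog_full-centOS.sh: --------------------------------------------------------------------------------
#!/bin/bash
#rsyslog module
#configures barnyard2 to use syslog full logging format over udp/514
#
#Copies barnyard2.conf without its mysql output line (grep -v), asks the user
#for a sensor name and the syslog server's IPv4 address, then appends a
#log_syslog_full output line. Both answers land verbatim in barnyard2.conf, so
#they are validated before anything is written: an unchecked answer could
#otherwise break the config or send alerts to the wrong host.

set -u

readonly BY2_CONF=/usr/local/snort/etc/barnyard2.conf

#######################################
# Print a message on stderr and exit 1. The main Autosnort script checks this
# module's exit status and returns the user to the interface menu on failure.
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Return 0 when $1 is a dotted-quad IPv4 address with every octet in 0-255.
#######################################
is_ipv4() {
  local ip=$1 octet
  local -a octets
  [[ "$ip" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]] || return 1
  IFS=. read -r -a octets <<<"$ip"
  for octet in "${octets[@]}"; do
    # 10# keeps a leading zero from being read as octal
    (( 10#$octet <= 255 )) || return 1
  done
  return 0
}

[[ -r "$BY2_CONF" ]] || die "$BY2_CONF not found or not readable; is barnyard2 installed?"

#Work on a private temp copy so a failure part-way leaves the live config untouched.
tmp_conf=$(mktemp /root/barnyard2.conf.XXXXXX) || die "mktemp failed"
trap 'rm -f -- "$tmp_conf"' EXIT

#grep -v exits 1 when it selected no lines at all, which is not an error here;
#2 means the file could not be read.
grep -v mysql "$BY2_CONF" > "$tmp_conf"
(( $? <= 1 )) || die "could not read $BY2_CONF"

#Field 3 of the interface line, as before; -m1 stops a second "interface" match
#from turning sensor_iface into a multi-line value.
sensor_iface=$(grep -m1 interface "$tmp_conf" | cut -d" " -f3)
[[ -n "$sensor_iface" ]] || printf '%s\n' "warning: no interface line in $BY2_CONF; the sensor name will end in '-'" >&2

#The sensor name is a space/comma-delimited token in barnyard2.conf, so only a
#conservative character set is accepted.
while :; do
  read -r -p "What would you like the sensor's name to appear as?" sensor_name || die "no sensor name given"
  [[ "$sensor_name" =~ ^[A-Za-z0-9._-]+$ ]] && break
  printf '%s\n' "Sensor name must be non-empty and use only letters, digits, '.', '_' or '-'." >&2
done

while :; do
  read -r -p "What is the ip address of the syslog server? (in x.x.x.x format; e.g. 192.168.1.254)" syslog_server || die "no syslog server given"
  is_ipv4 "$syslog_server" && break
  printf '%s\n' "'$syslog_server' is not a valid IPv4 address." >&2
done

printf 'output log_syslog_full: sensor_name %s-%s, server %s, protocol udp, port 514, operation_mode complete\n' \
  "$sensor_name" "$sensor_iface" "$syslog_server" >> "$tmp_conf" || die "could not write $tmp_conf"

cp -- "$tmp_conf" "$BY2_CONF" || die "could not write $BY2_CONF"

exit 0
-------------------------------------------------------------------------------- /Autosnort-Ubuntu/Previous_Rel/previous interface install scripts/syslog_full-ubuntu.sh: --------------------------------------------------------------------------------
#!/bin/bash
#rsyslog module
#configures barnyard2 to use syslog full logging format over udp/514
#
#Copies barnyard2.conf without its mysql output line (grep -v), asks the user
#for a sensor name and the syslog server's IPv4 address, then appends a
#log_syslog_full output line. Both answers land verbatim in barnyard2.conf, so
#they are validated before anything is written: an unchecked answer could
#otherwise break the config or send alerts to the wrong host.

set -u

readonly BY2_CONF=/usr/local/snort/etc/barnyard2.conf

#######################################
# Print a message on stderr and exit 1. The main Autosnort script checks this
# module's exit status and returns the user to the interface menu on failure.
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Return 0 when $1 is a dotted-quad IPv4 address with every octet in 0-255.
#######################################
is_ipv4() {
  local ip=$1 octet
  local -a octets
  [[ "$ip" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]] || return 1
  IFS=. read -r -a octets <<<"$ip"
  for octet in "${octets[@]}"; do
    # 10# keeps a leading zero from being read as octal
    (( 10#$octet <= 255 )) || return 1
  done
  return 0
}

[[ -r "$BY2_CONF" ]] || die "$BY2_CONF not found or not readable; is barnyard2 installed?"

#Work on a private temp copy so a failure part-way leaves the live config untouched.
tmp_conf=$(mktemp /root/barnyard2.conf.XXXXXX) || die "mktemp failed"
trap 'rm -f -- "$tmp_conf"' EXIT

#grep -v exits 1 when it selected no lines at all, which is not an error here;
#2 means the file could not be read.
grep -v mysql "$BY2_CONF" > "$tmp_conf"
(( $? <= 1 )) || die "could not read $BY2_CONF"

#Field 3 of the interface line, as before; -m1 stops a second "interface" match
#from turning sensor_iface into a multi-line value.
sensor_iface=$(grep -m1 interface "$tmp_conf" | cut -d" " -f3)
[[ -n "$sensor_iface" ]] || printf '%s\n' "warning: no interface line in $BY2_CONF; the sensor name will end in '-'" >&2

#The sensor name is a space/comma-delimited token in barnyard2.conf, so only a
#conservative character set is accepted.
while :; do
  read -r -p "What would you like the sensor's name to appear as?" sensor_name || die "no sensor name given"
  [[ "$sensor_name" =~ ^[A-Za-z0-9._-]+$ ]] && break
  printf '%s\n' "Sensor name must be non-empty and use only letters, digits, '.', '_' or '-'." >&2
done

while :; do
  read -r -p "What is the ip address of the syslog server? (in x.x.x.x format; e.g. 192.168.1.254)" syslog_server || die "no syslog server given"
  is_ipv4 "$syslog_server" && break
  printf '%s\n' "'$syslog_server' is not a valid IPv4 address." >&2
done

printf 'output log_syslog_full: sensor_name %s-%s, server %s, protocol udp, port 514, operation_mode complete\n' \
  "$sensor_name" "$sensor_iface" "$syslog_server" >> "$tmp_conf" || die "could not write $tmp_conf"

cp -- "$tmp_conf" "$BY2_CONF" || die "could not write $BY2_CONF"

exit 0
-------------------------------------------------------------------------------- /MIT-License.txt: -------------------------------------------------------------------------------- 1 | The MIT License (MIT) 2 | 3 | Copyright (c) 2012 Tony Robinson - Triptych Security 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: 6 | 7 | The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. 8 | 9 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 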
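10 | -------------------------------------------------------------------------------- /Autosnort-Kali/aanvalbpu: --------------------------------------------------------------------------------
#!/bin/bash
### BEGIN INIT INFO
# Provides: background processors
# Required-Start: $local_fs $remote_fs $network $named $syslog $time
# Required-Stop: $local_fs $remote_fs $network $named $syslog $time
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: start and stop aanval BPUs (background processors)
# Description: Aanval is a web front-end for snort.
### END INIT INFO
#
# SysV init script for Aanval's background processors (BPUs). Each action
# changes into Aanval's apps directory and runs idsBackground.pl there. The cd
# is checked first: if the directory is missing, "perl idsBackground.pl" must
# not fall through to a file of that name in whatever directory the caller
# happened to be in. Exit status is 0 on success and non-zero on failure so the
# init system can tell the two apart.

#######################################
# Start the BPUs.
# Outputs: progress on stdout, failures on stderr, a syslog line via logger
# Returns: 0 when idsBackground.pl -start succeeds, 1 otherwise
#######################################
do_start() {
  local apps_dir=/var/www/aanval/apps
  echo "Starting Aanval BPUs"
  if ! cd -- "$apps_dir"; then
    echo "Aanval BPUs failed to start! ($apps_dir is missing)" >&2
    return 1
  fi
  if perl idsBackground.pl -start; then
    echo "Aanval BPUs successfully started."
    logger "Aanval BPUs Started!"
    return 0
  fi
  echo "Aanval BPUs failed to start!" >&2
  return 1
}

#######################################
# Stop the BPUs.
# NOTE(review): this path (/var/www/html/aanval/apps) differs from the one
# do_start uses (/var/www/aanval/apps); it is kept as it was — confirm which
# of the two is the real install location on this distribution and unify.
# Returns: 0 when idsBackground.pl -stop succeeds, 1 otherwise
#######################################
do_stop() {
  local apps_dir=/var/www/html/aanval/apps
  echo "Stopping Aanval BPUs"
  if ! cd -- "$apps_dir"; then
    echo "Aanval BPUs failed to stop! ($apps_dir is missing)" >&2
    return 1
  fi
  if perl idsBackground.pl -stop; then
    echo "Aanval BPUs successfully stopped."
    logger "Aanval BPUs Stopped!"
    return 0
  fi
  echo "Aanval BPUs failed to stop! (Permissions? Already stopped?)" >&2
  return 1
}

case "${1:-}" in
  start)
    do_start
    ;;
  stop)
    do_stop
    ;;
  restart)
    do_stop
    do_start
    ;;
  *)
    # The old message named snortbarn; this script is installed as aanvalbpu.
    echo "Usage: aanvalbpu {start|stop|restart}" >&2
    exit 3
    ;;
esac
exit $?
-------------------------------------------------------------------------------- /Autosnort-Debian/aanvalbpu: --------------------------------------------------------------------------------
#!/bin/bash
### BEGIN INIT INFO
# Provides: background processors
# Required-Start: $local_fs $remote_fs $network $named $syslog $time
# Required-Stop: $local_fs $remote_fs $network $named $syslog $time
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: start and stop aanval BPUs (background processors)
# Description: Aanval is a web front-end for snort.
### END INIT INFO
#
# SysV init script for Aanval's background processors (BPUs). Each action
# changes into Aanval's apps directory and runs idsBackground.pl there. The cd
# is checked first: if the directory is missing, "perl idsBackground.pl" must
# not fall through to a file of that name in whatever directory the caller
# happened to be in. Exit status is 0 on success and non-zero on failure so the
# init system can tell the two apart.

#######################################
# Start the BPUs.
# Outputs: progress on stdout, failures on stderr, a syslog line via logger
# Returns: 0 when idsBackground.pl -start succeeds, 1 otherwise
#######################################
do_start() {
  local apps_dir=/var/www/aanval/apps
  echo "Starting Aanval BPUs"
  if ! cd -- "$apps_dir"; then
    echo "Aanval BPUs failed to start! ($apps_dir is missing)" >&2
    return 1
  fi
  if perl idsBackground.pl -start; then
    echo "Aanval BPUs successfully started."
    logger "Aanval BPUs Started!"
    return 0
  fi
  echo "Aanval BPUs failed to start!" >&2
  return 1
}

#######################################
# Stop the BPUs.
# NOTE(review): this path (/var/www/html/aanval/apps) differs from the one
# do_start uses (/var/www/aanval/apps); it is kept as it was — confirm which
# of the two is the real install location on this distribution and unify.
# Returns: 0 when idsBackground.pl -stop succeeds, 1 otherwise
#######################################
do_stop() {
  local apps_dir=/var/www/html/aanval/apps
  echo "Stopping Aanval BPUs"
  if ! cd -- "$apps_dir"; then
    echo "Aanval BPUs failed to stop! ($apps_dir is missing)" >&2
    return 1
  fi
  if perl idsBackground.pl -stop; then
    echo "Aanval BPUs successfully stopped."
    logger "Aanval BPUs Stopped!"
    return 0
  fi
  echo "Aanval BPUs failed to stop! (Permissions? Already stopped?)" >&2
  return 1
}

case "${1:-}" in
  start)
    do_start
    ;;
  stop)
    do_stop
    ;;
  restart)
    do_stop
    do_start
    ;;
  *)
    # The old message named snortbarn; this script is installed as aanvalbpu.
    echo "Usage: aanvalbpu {start|stop|restart}" >&2
    exit 3
    ;;
esac
exit $?
-------------------------------------------------------------------------------- /Autosnort-Ubuntu/aanvalbpu: --------------------------------------------------------------------------------
#!/bin/bash
### BEGIN INIT INFO
# Provides: background processors
# Required-Start: $local_fs $remote_fs $network $named $syslog $time
# Required-Stop: $local_fs $remote_fs $network $named $syslog $time
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: start and stop aanval BPUs (background processors)
# Description: Aanval is a web front-end for snort.
### END INIT INFO
#
# SysV init script for Aanval's background processors (BPUs). Each action
# changes into Aanval's apps directory and runs idsBackground.pl there. The cd
# is checked first: if the directory is missing, "perl idsBackground.pl" must
# not fall through to a file of that name in whatever directory the caller
# happened to be in. Exit status is 0 on success and non-zero on failure so the
# init system can tell the two apart.

#######################################
# Start the BPUs.
# Outputs: progress on stdout, failures on stderr, a syslog line via logger
# Returns: 0 when idsBackground.pl -start succeeds, 1 otherwise
#######################################
do_start() {
  local apps_dir=/var/www/aanval/apps
  echo "Starting Aanval BPUs"
  if ! cd -- "$apps_dir"; then
    echo "Aanval BPUs failed to start! ($apps_dir is missing)" >&2
    return 1
  fi
  if perl idsBackground.pl -start; then
    echo "Aanval BPUs successfully started."
    logger "Aanval BPUs Started!"
    return 0
  fi
  echo "Aanval BPUs failed to start!" >&2
  return 1
}

#######################################
# Stop the BPUs.
# NOTE(review): this path (/var/www/html/aanval/apps) differs from the one
# do_start uses (/var/www/aanval/apps); it is kept as it was — confirm which
# of the two is the real install location on this distribution and unify.
# Returns: 0 when idsBackground.pl -stop succeeds, 1 otherwise
#######################################
do_stop() {
  local apps_dir=/var/www/html/aanval/apps
  echo "Stopping Aanval BPUs"
  if ! cd -- "$apps_dir"; then
    echo "Aanval BPUs failed to stop! ($apps_dir is missing)" >&2
    return 1
  fi
  if perl idsBackground.pl -stop; then
    echo "Aanval BPUs successfully stopped."
    logger "Aanval BPUs Stopped!"
    return 0
  fi
  echo "Aanval BPUs failed to stop! (Permissions? Already stopped?)" >&2
  return 1
}

case "${1:-}" in
  start)
    do_start
    ;;
  stop)
    do_stop
    ;;
  restart)
    do_stop
    do_start
    ;;
  *)
    # The old message named snortbarn; this script is installed as aanvalbpu.
    echo "Usage: aanvalbpu {start|stop|restart}" >&2
    exit 3
    ;;
esac
exit $?
-------------------------------------------------------------------------------- /Offline/dpkgorderUbuntui686.txt: -------------------------------------------------------------------------------- 1 | libc-bin*.deb 2 | libc6*.deb 3 | m4*.deb 4 | libfl-dev*.deb 5 | flex*.deb 6 | libcap2*.deb 7 | ttf-dejavu-core*.deb 8 | fontconfig-config*.deb 9 | libfontconfig1*.deb 10 | libjpeg-turbo8*.deb 11 | libjpeg8*.deb 12 | libxpm4*.deb 13 | libgd2-xpm*.deb 14 | libgomp1*.deb 15 | libltdl7*.deb 16 | liblua5.1-0*.deb 17 | libmpfr4*.deb 18 | mysql-common*.deb 19 | libmysqlclient18*.deb 20 | libpcrecpp0*.deb 21 | libquadmath0*.deb 22 | libreadline5*.deb 23 | libnet-daemon-perl*.deb 24 | libplrpc-perl*.deb 25 | libdbi-perl*.deb 26 | libdbd-mysql-perl*.deb 27 | mysql-client-core-5.5*.deb 28 | mysql-client-5.5*.deb 29 | mysql-server-core-5.5*.deb 30 | mysql-server-5.5*.deb 31 | libmpc2*.deb 32 | libapr1*.deb 33 | libaprutil1*.deb 34 | libaprutil1-dbd-sqlite3*.deb 35 | libaprutil1-ldap*.deb 36 | apache2.2-bin*.deb 37 | apache2-utils*.deb 38 | apache2.2-common*.deb 39 | apache2-mpm-prefork*.deb 40 | apache2*.deb 41 | autoconf*.deb 42 | autotools-dev*.deb 43 | automake*.deb 44 | binutils*.deb 45 | libbison-dev*.deb 46 | bison*.deb 47 | cpp-4.6*.deb 48 | cpp*.deb 49 | ethtool*.deb 50 | gcc-4.6*.deb 51 | gcc*.deb 52 | libc-dev-bin*.deb 53 | linux-libc-dev*.deb 54 | libc6-dev*.deb 55 | libstdc++6-4.6-dev*.deb 56 | g++-4.6*.deb 57 | g++*.deb 58 | php5-common*.deb 59 | libapache2-mod-php5*.deb 60 | libhtml-template-perl*.deb 61 | libltdl-dev*.deb 62 | zlib1g-dev*.deb 63 | libmysqlclient-dev*.deb 64 | libruby1.8*.deb 65 | ruby1.8*.deb 66 | ruby*.deb 67 | ruby-pcap*.deb 68 | libpcap-ruby*.deb 69 | 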
libpcap0.8-dev*.deb 70 | libpcre3-dev*.deb 71 | libt1-5*.deb 72 | libtool*.deb 73 | make*.deb 74 | manpages-dev*.deb 75 | mysql-server*.deb 76 | nbtscan*.deb 77 | php5*.deb 78 | php5-cli*.deb 79 | php5-gd*.deb 80 | php5-mysql*.deb 81 | ssl-cert*.deb 82 | nmap*.deb 83 | -------------------------------------------------------------------------------- /Offline/dpkgorderUbuntux86_64.txt: -------------------------------------------------------------------------------- 1 | libc-bin*.deb 2 | libc6*.deb 3 | m4*.deb 4 | libfl-dev*.deb 5 | flex*.deb 6 | libcap2*.deb 7 | ttf-dejavu-core*.deb 8 | fontconfig-config*.deb 9 | libfontconfig1*.deb 10 | libjpeg-turbo8*.deb 11 | libjpeg8*.deb 12 | libxpm4*.deb 13 | libgd2-xpm*.deb 14 | libgomp1*.deb 15 | libltdl7*.deb 16 | liblua5.1-0*.deb 17 | libmpfr4*.deb 18 | mysql-common*.deb 19 | libmysqlclient18*.deb 20 | libpcrecpp0*.deb 21 | libquadmath0*.deb 22 | libreadline5*.deb 23 | libnet-daemon-perl*.deb 24 | libplrpc-perl*.deb 25 | libdbi-perl*.deb 26 | libdbd-mysql-perl*.deb 27 | mysql-client-core-5.5*.deb 28 | mysql-client-5.5*.deb 29 | mysql-server-core-5.5*.deb 30 | mysql-server-5.5*.deb 31 | libmpc2*.deb 32 | libapr1*.deb 33 | libaprutil1*.deb 34 | libaprutil1-dbd-sqlite3*.deb 35 | libaprutil1-ldap*.deb 36 | apache2.2-bin*.deb 37 | apache2-utils*.deb 38 | apache2.2-common*.deb 39 | apache2-mpm-prefork*.deb 40 | apache2*.deb 41 | autoconf*.deb 42 | autotools-dev*.deb 43 | automake*.deb 44 | binutils*.deb 45 | libbison-dev*.deb 46 | bison*.deb 47 | cpp-4.6*.deb 48 | cpp*.deb 49 | ethtool*.deb 50 | gcc-4.6*.deb 51 | gcc*.deb 52 | libc-dev-bin*.deb 53 | linux-libc-dev*.deb 54 | libc6-dev*.deb 55 | libstdc++6-4.6-dev*.deb 56 | g++-4.6*.deb 57 | g++*.deb 58 | php5-common*.deb 59 | libapache2-mod-php5*.deb 60 | libhtml-template-perl*.deb 61 | libltdl-dev*.deb 62 | zlib1g-dev*.deb 63 | libmysqlclient-dev*.deb 64 | libruby1.8*.deb 65 | ruby1.8*.deb 66 | ruby*.deb 67 | ruby-pcap*.deb 68 | libpcap-ruby*.deb 69 | libpcap0.8-dev*.deb 70 | 
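libpcre3-dev*.deb 71 | libt1-5*.deb 72 | libtool*.deb 73 | make*.deb 74 | manpages-dev*.deb 75 | mysql-server*.deb 76 | nbtscan*.deb 77 | php5*.deb 78 | php5-cli*.deb 79 | php5-gd*.deb 80 | php5-mysql*.deb 81 | ssl-cert*.deb 82 | nmap*.deb 83 | -------------------------------------------------------------------------------- /Autosnort-Debian/Previous_Rel/previous interface install scripts/base-debian.sh: --------------------------------------------------------------------------------
#!/bin/bash
#BASE shell script 'module'
#Sets up BASE for Autosnort
#
#Installs BASE's package dependencies, fetches the BASE 1.4.5 tarball and
#unpacks it under the web root. Network and filesystem steps are checked and
#exit 1 on failure: the main script verifies this module's exit status and
#brings the user back to the interface selection menu when it is non-zero.

readonly WEBROOT=/var/www
readonly BASE_TARBALL=base-1.4.5.tar.gz
readonly BASE_URL="https://sourceforge.net/projects/secureideas/files/BASE/base-1.4.5/$BASE_TARBALL"
#Optional: export BASE_SHA256 (the tarball's known sha256, 64 hex chars) to have
#the download verified before it is unpacked. Left empty, it is used unverified.
BASE_SHA256=${BASE_SHA256:-}

#######################################
# Print a message on stderr and exit 1.
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

echo "grabbing packages for BASE"
#grab packages for BASE. Most of the primary required packages are pulled by the main AS script.
#A package failure is reported but not fatal, as before; BASE may still work without it.
apt-get install -y libphp-adodb ca-certificates php-pear libwww-perl php5 php5-mysql php5-gd \
  || echo "warning: apt-get could not install every BASE dependency; continuing." >&2

#These are php-pear config commands Seen in the 2.9.4.0 install guide for Debian.
pear config-set preferred_state alpha
pear channel-update pear.php.net
pear install --alldeps Image_Color Image_Canvas Image_Graph

#The BASE tarball creates a directory for us, all we need to do is move to webroot.
cd -- "$WEBROOT" || die "cannot cd to $WEBROOT"
#Have to adjust PHP logging otherwise BASE will barf on startup.
sed -i 's/error_reporting \= E_ALL \& ~E_DEPRECATED/error_reporting \= E_ALL \& ~E_NOTICE/' /etc/php5/apache2/php.ini

# We need to grab BASE from sourceforge. If this fails, we exit the script with a status of 1
# A check is built into the main script to verify this script exits cleanly. If it doesn't,
# The user should be informed and brought back to the main interface selection menu.
echo "grabbing BASE."
if ! wget "$BASE_URL" -O "$BASE_TARBALL"; then
  rm -f -- "$BASE_TARBALL"
  die "Attempt to pull down BASE failed. Please verify network connectivity and try again."
fi
echo "Successfully downloaded the BASE tarball."

#Verify the download when a reference hash was supplied; a tampered or truncated
#tarball would otherwise be unpacked straight into the web root as root.
if [[ -n "$BASE_SHA256" ]]; then
  if ! printf '%s  %s\n' "$BASE_SHA256" "$BASE_TARBALL" | sha256sum -c --status; then
    rm -f -- "$BASE_TARBALL"
    die "sha256 mismatch for $BASE_TARBALL; refusing to unpack it."
  fi
else
  echo "BASE_SHA256 not set; the BASE tarball was not integrity-checked." >&2
fi

#With an existing "base" directory, mv would nest the new tree inside it instead of renaming.
[[ -e base ]] && die "$WEBROOT/base already exists; move it aside before installing BASE."
tar -xzvf "$BASE_TARBALL" || die "could not unpack $BASE_TARBALL"
rm -f -- "$BASE_TARBALL"

#Rename the unpacked base-<version> directory to the path BASE is served from.
#Refuse if the glob is ambiguous instead of letting mv pick up unrelated base-* entries.
shopt -s nullglob
extracted=( base-*/ )
shopt -u nullglob
(( ${#extracted[@]} == 1 )) || die "expected exactly one base-*/ directory after unpacking, found ${#extracted[@]}"
mv -- "${extracted[0]%/}" base || die "could not rename ${extracted[0]%/} to base"

#BASE requires the /var/www/ directory to be owned by www-data
#NOTE(review): this gives the web server user write access to the whole web root,
#not only BASE; if BASE needs just its own tree writable, narrowing this to
#"$WEBROOT/base" would be the least-privilege choice — confirm before changing.
chown -R www-data:www-data "$WEBROOT" || die "chown of $WEBROOT failed"

exit 0
-------------------------------------------------------------------------------- /Autosnort-Ubuntu/Previous_Rel/previous interface install scripts/base-ubuntu.sh: --------------------------------------------------------------------------------
#!/bin/bash
#BASE shell script 'module'
#Sets up BASE for Autosnort
#
#Installs BASE's package dependencies, fetches the BASE 1.4.5 tarball and
#unpacks it under the web root. Network and filesystem steps are checked and
#exit 1 on failure: the main script verifies this module's exit status and
#brings the user back to the interface selection menu when it is non-zero.

readonly WEBROOT=/var/www
readonly BASE_TARBALL=base-1.4.5.tar.gz
readonly BASE_URL="https://sourceforge.net/projects/secureideas/files/BASE/base-1.4.5/$BASE_TARBALL"
#Optional: export BASE_SHA256 (the tarball's known sha256, 64 hex chars) to have
#the download verified before it is unpacked. Left empty, it is used unverified.
BASE_SHA256=${BASE_SHA256:-}

#######################################
# Print a message on stderr and exit 1.
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

echo "grabbing packages for BASE"
#grab packages for BASE. Most of the primary required packages are pulled by the main AS script.
#A package failure is reported but not fatal, as before; BASE may still work without it.
apt-get install -y libphp-adodb ca-certificates php-pear libwww-perl php5 php5-mysql php5-gd \
  || echo "warning: apt-get could not install every BASE dependency; continuing." >&2

#These are php-pear config commands Seen in the 2.9.4.0 install guide for Debian.
pear config-set preferred_state alpha
pear channel-update pear.php.net
pear install --alldeps Image_Color Image_Canvas Image_Graph

#The BASE tarball creates a directory for us, all we need to do is move to webroot.
cd -- "$WEBROOT" || die "cannot cd to $WEBROOT"
#Have to adjust PHP logging otherwise BASE will barf on startup.
sed -i 's/error_reporting \= E_ALL \& ~E_DEPRECATED/error_reporting \= E_ALL \& ~E_NOTICE/' /etc/php5/apache2/php.ini

# We need to grab BASE from sourceforge. If this fails, we exit the script with a status of 1
# A check is built into the main script to verify this script exits cleanly. If it doesn't,
# The user should be informed and brought back to the main interface selection menu.
echo "grabbing BASE."
if ! wget "$BASE_URL" -O "$BASE_TARBALL"; then
  rm -f -- "$BASE_TARBALL"
  die "Attempt to pull down BASE failed. Please verify network connectivity and try again."
fi
echo "Successfully downloaded the BASE tarball."

#Verify the download when a reference hash was supplied; a tampered or truncated
#tarball would otherwise be unpacked straight into the web root as root.
if [[ -n "$BASE_SHA256" ]]; then
  if ! printf '%s  %s\n' "$BASE_SHA256" "$BASE_TARBALL" | sha256sum -c --status; then
    rm -f -- "$BASE_TARBALL"
    die "sha256 mismatch for $BASE_TARBALL; refusing to unpack it."
  fi
else
  echo "BASE_SHA256 not set; the BASE tarball was not integrity-checked." >&2
fi

#With an existing "base" directory, mv would nest the new tree inside it instead of renaming.
[[ -e base ]] && die "$WEBROOT/base already exists; move it aside before installing BASE."
tar -xzvf "$BASE_TARBALL" || die "could not unpack $BASE_TARBALL"
rm -f -- "$BASE_TARBALL"

#Rename the unpacked base-<version> directory to the path BASE is served from.
#Refuse if the glob is ambiguous instead of letting mv pick up unrelated base-* entries.
shopt -s nullglob
extracted=( base-*/ )
shopt -u nullglob
(( ${#extracted[@]} == 1 )) || die "expected exactly one base-*/ directory after unpacking, found ${#extracted[@]}"
mv -- "${extracted[0]%/}" base || die "could not rename ${extracted[0]%/} to base"

#BASE requires the /var/www/ directory to be owned by www-data
#NOTE(review): this gives the web server user write access to the whole web root,
#not only BASE; if BASE needs just its own tree writable, narrowing this to
#"$WEBROOT/base" would be the least-privilege choice — confirm before changing.
chown -R www-data:www-data "$WEBROOT" || die "chown of $WEBROOT failed"

exit 0
-------------------------------------------------------------------------------- /Autosnort-CentOS/aanvalbpu: --------------------------------------------------------------------------------
#!/bin/bash
#
# aanvalbpu: startup script for Aanval Background Processors
# chkconfig: - 86 14
# description: This script provided by Autosnort. It is \
# Responsible for Starting/Stopping Both \
# Aanval's Background Processor Daemons
# processnames: BPU
### BEGIN INIT INFO
# Provides: background processors
# Required-Start: $local_fs $remote_fs $network $named $syslog $time $httpd
# Required-Stop: $local_fs $remote_fs $network $named $syslog $time $httpd
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: start and stop aanval BPUs (background processors)
# Description: Aanval is a web front-end for snort.
### END INIT INFO
#
# Each action changes into Aanval's apps directory and runs idsBackground.pl
# there. The cd is checked first: if the directory is missing, "perl
# idsBackground.pl" must not fall through to a file of that name in whatever
# directory the caller happened to be in. Exit status is 0 on success and
# non-zero on failure so the init system can tell the two apart.

# Source function library.
. /etc/rc.d/init.d/functions

readonly AANVAL_APPS=/var/www/html/aanval/apps

#######################################
# Start the BPUs.
# Outputs: progress on stdout, failures on stderr, a syslog line via logger
# Returns: 0 when idsBackground.pl -start succeeds, 1 otherwise
#######################################
do_start() {
  echo "Starting Aanval BPUs"
  if ! cd -- "$AANVAL_APPS"; then
    echo "Aanval BPUs failed to start! ($AANVAL_APPS is missing)" >&2
    return 1
  fi
  if perl idsBackground.pl -start; then
    echo "Aanval BPUs successfully started."
    logger "Aanval BPUs Started!"
    return 0
  fi
  echo "Aanval BPUs failed to start!" >&2
  return 1
}

#######################################
# Stop the BPUs.
# Returns: 0 when idsBackground.pl -stop succeeds, 1 otherwise
#######################################
do_stop() {
  echo "Stopping Aanval BPUs"
  if ! cd -- "$AANVAL_APPS"; then
    echo "Aanval BPUs failed to stop! ($AANVAL_APPS is missing)" >&2
    return 1
  fi
  if perl idsBackground.pl -stop; then
    echo "Aanval BPUs successfully stopped."
    logger "Aanval BPUs Stopped!"
    return 0
  fi
  echo "Aanval BPUs failed to stop! (Permissions? Already stopped?)" >&2
  return 1
}

case "${1:-}" in
  start)
    do_start
    ;;
  stop)
    do_stop
    ;;
  restart)
    do_stop
    do_start
    ;;
  *)
    # The old message named snortbarn; this script is installed as aanvalbpu.
    echo "Usage: aanvalbpu {start|stop|restart}" >&2
    exit 3
    ;;
esac
exit $?
-------------------------------------------------------------------------------- /Autosnort-CentOS/Previous_Rel/previous interface install scripts/base-centOS.sh: --------------------------------------------------------------------------------
#!/bin/bash
#BASE shell script 'module'
#Sets up BASE for Autosnort
#
#Installs BASE's package dependencies, fetches the BASE 1.4.5 tarball and
#unpacks it under the web root. Network and filesystem steps are checked and
#exit 1 on failure: the main script verifies this module's exit status and
#brings the user back to the interface selection menu when it is non-zero.

readonly WEBROOT=/var/www/html
readonly BASE_TARBALL=base-1.4.5.tar.gz
readonly BASE_URL="https://sourceforge.net/projects/secureideas/files/BASE/base-1.4.5/$BASE_TARBALL"
#Optional: export BASE_SHA256 (the tarball's known sha256, 64 hex chars) to have
#the download verified before it is unpacked. Left empty, it is used unverified.
BASE_SHA256=${BASE_SHA256:-}

#######################################
# Print a message on stderr and exit 1.
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

echo "grabbing packages for BASE"
#grab packages for BASE. Most of the primary required packages are pulled by the main AS script.
#A package failure is reported but not fatal, as before; BASE may still work without it.
yum -y install php-pear.noarch php-adodb.noarch perl-libwww-perl \
  || echo "warning: yum could not install every BASE dependency; continuing." >&2

#These are php-pear config commands Seen in the 2.9.4.0 install guide for Debian.
pear config-set preferred_state alpha
pear channel-update pear.php.net
pear install --alldeps Image_Color Image_Canvas Image_Graph

#The BASE tarball creates a directory for us, all we need to do is move to webroot.
cd -- "$WEBROOT" || die "cannot cd to $WEBROOT"
#Have to adjust PHP logging otherwise BASE will barf on startup.
sed -i 's/error_reporting \= E_ALL \& ~E_DEPRECATED/error_reporting \= E_ALL \& ~E_NOTICE/' /etc/php.ini

# We need to grab BASE from sourceforge. If this fails, we exit the script with a status of 1
# A check is built into the main script to verify this script exits cleanly. If it doesn't,
# The user should be informed and brought back to the main interface selection menu.
echo "grabbing BASE."
if ! wget "$BASE_URL" -O "$BASE_TARBALL"; then
  rm -f -- "$BASE_TARBALL"
  die "Attempt to pull down BASE failed. Please verify network connectivity and try again."
fi
echo "Successfully downloaded the BASE tarball."

#Verify the download when a reference hash was supplied; a tampered or truncated
#tarball would otherwise be unpacked straight into the web root as root.
if [[ -n "$BASE_SHA256" ]]; then
  if ! printf '%s  %s\n' "$BASE_SHA256" "$BASE_TARBALL" | sha256sum -c --status; then
    rm -f -- "$BASE_TARBALL"
    die "sha256 mismatch for $BASE_TARBALL; refusing to unpack it."
  fi
else
  echo "BASE_SHA256 not set; the BASE tarball was not integrity-checked." >&2
fi

#With an existing "base" directory, mv would nest the new tree inside it instead of renaming.
[[ -e base ]] && die "$WEBROOT/base already exists; move it aside before installing BASE."
tar -xzvf "$BASE_TARBALL" || die "could not unpack $BASE_TARBALL"
rm -f -- "$BASE_TARBALL"

#Rename the unpacked base-<version> directory to the path BASE is served from.
#Refuse if the glob is ambiguous instead of letting mv pick up unrelated base-* entries.
shopt -s nullglob
extracted=( base-*/ )
shopt -u nullglob
(( ${#extracted[@]} == 1 )) || die "expected exactly one base-*/ directory after unpacking, found ${#extracted[@]}"
mv -- "${extracted[0]%/}" base || die "could not rename ${extracted[0]%/} to base"

#BASE requires the /var/www/html directory to be owned by apache (and labelled so
#httpd may write to it under SELinux).
#NOTE(review): this gives the web server user write access to the whole web root,
#not only BASE; if BASE needs just its own tree writable, narrowing this to
#"$WEBROOT/base" would be the least-privilege choice — confirm before changing.
chown -R apache:apache "$WEBROOT" || die "chown of $WEBROOT failed"
chcon -R -t httpd_sys_rw_content_t "$WEBROOT" || echo "warning: chcon on $WEBROOT failed (SELinux disabled?)" >&2

exit 0
-------------------------------------------------------------------------------- /Autosnort-Debian/Previous_Rel/previous interface install scripts/syslog_full-debian-10-23-2014.sh: --------------------------------------------------------------------------------
#!/bin/bash
#rsyslog module
#configures barnyard2 to use syslog full logging format over udp/514
#
#Copies barnyard2.conf without its mysql output line, asks the user for a
#sensor name and the syslog server's IPv4 address, then appends a
#log_syslog_full output line. Both answers land verbatim in barnyard2.conf, so
#they are validated before anything is written.

set -u

########################################
#Metasploit-like print statements: status, good, bad and notification. Gratuitously copied from Darkoperator's metasploit install script.

function print_status ()
{
  echo -e "\x1B[01;34m[*]\x1B[0m $1"
}

function print_good ()
{
  echo -e "\x1B[01;32m[*]\x1B[0m $1"
}

function print_error ()
{
  echo -e "\x1B[01;31m[*]\x1B[0m $1"
}

function print_notification ()
{
  echo -e "\x1B[01;33m[*]\x1B[0m $1"
}

########################################

readonly BY2_CONF=/usr/local/snort/etc/barnyard2.conf

#######################################
# Report a fatal error and exit 1; the main script checks this module's status.
#######################################
die() {
  print_error "$1"
  exit 1
}

#######################################
# Return 0 when $1 is a dotted-quad IPv4 address with every octet in 0-255.
#######################################
is_ipv4() {
  local ip=$1 octet
  local -a octets
  [[ "$ip" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]] || return 1
  IFS=. read -r -a octets <<<"$ip"
  for octet in "${octets[@]}"; do
    # 10# keeps a leading zero from being read as octal
    (( 10#$octet <= 255 )) || return 1
  done
  return 0
}

print_status "Reconfiguring barnyard2.conf output plugin to syslog_full.."

[[ -r "$BY2_CONF" ]] || die "$BY2_CONF not found or not readable; is barnyard2 installed?"

#Work on a private temp copy so a failure part-way leaves the live config untouched.
tmp_conf=$(mktemp /root/barnyard2.conf.XXXXXX) || die "mktemp failed."
trap 'rm -f -- "$tmp_conf"' EXIT

#grep -v exits 1 when it selected no lines at all (not an error); 2 means unreadable.
grep -v mysql "$BY2_CONF" > "$tmp_conf"
(( $? <= 1 )) || die "Could not read $BY2_CONF."

#Field 3 of the interface line; -m1 keeps a second match from making this multi-line.
sensor_iface=$(grep -m1 interface "$tmp_conf" | cut -d" " -f3)
[[ -n "$sensor_iface" ]] || print_notification "No interface line found in $BY2_CONF; the sensor name will end in '-'."

#The sensor name is a space/comma-delimited token in barnyard2.conf, so only a
#conservative character set is accepted.
while :; do
  read -r -p "What would you like the sensor's name to appear as?" sensor_name || die "No sensor name given."
  [[ "$sensor_name" =~ ^[A-Za-z0-9._-]+$ ]] && break
  print_error "Sensor name must be non-empty and use only letters, digits, '.', '_' or '-'."
done

while :; do
  read -r -p "What is the ip address of the syslog server? (in x.x.x.x format; e.g. 192.168.1.254)" syslog_server || die "No syslog server given."
  is_ipv4 "$syslog_server" && break
  print_error "'$syslog_server' is not a valid IPv4 address."
done

printf 'output log_syslog_full: sensor_name %s-%s, server %s, protocol udp, port 514, operation_mode complete\n' \
  "$sensor_name" "$sensor_iface" "$syslog_server" >> "$tmp_conf" || die "Could not write $tmp_conf."

cp -- "$tmp_conf" "$BY2_CONF" || die "Could not write $BY2_CONF."

print_good "Successfully modified /usr/local/snort/etc/barnyard2.conf to output to syslog_full."

exit 0
-------------------------------------------------------------------------------- /Autosnort-Debian/Previous_Rel/previous interface install scripts/syslog_full-debian.sh: --------------------------------------------------------------------------------
#!/bin/bash
#rsyslog module
#configures barnyard2 to use syslog full logging format over udp/514
#
#Copies barnyard2.conf without its mysql output line, asks the user for a
#sensor name and the syslog server's IPv4 address, then appends a
#log_syslog_full output line. Both answers land verbatim in barnyard2.conf, so
#they are validated before anything is written.

set -u

########################################
#Metasploit-like print statements: status, good, bad and notification. Gratuitously copied from Darkoperator's metasploit install script.

function print_status ()
{
  echo -e "\x1B[01;34m[*]\x1B[0m $1"
}

function print_good ()
{
  echo -e "\x1B[01;32m[*]\x1B[0m $1"
}

function print_error ()
{
  echo -e "\x1B[01;31m[*]\x1B[0m $1"
}

function print_notification ()
{
  echo -e "\x1B[01;33m[*]\x1B[0m $1"
}

########################################

readonly BY2_CONF=/usr/local/snort/etc/barnyard2.conf

#######################################
# Report a fatal error and exit 1; the main script checks this module's status.
#######################################
die() {
  print_error "$1"
  exit 1
}

#######################################
# Return 0 when $1 is a dotted-quad IPv4 address with every octet in 0-255.
#######################################
is_ipv4() {
  local ip=$1 octet
  local -a octets
  [[ "$ip" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]] || return 1
  IFS=. read -r -a octets <<<"$ip"
  for octet in "${octets[@]}"; do
    # 10# keeps a leading zero from being read as octal
    (( 10#$octet <= 255 )) || return 1
  done
  return 0
}

print_status "Reconfiguring barnyard2.conf output plugin to syslog_full."

[[ -r "$BY2_CONF" ]] || die "$BY2_CONF not found or not readable; is barnyard2 installed?"

#Work on a private temp copy so a failure part-way leaves the live config untouched.
tmp_conf=$(mktemp /root/barnyard2.conf.XXXXXX) || die "mktemp failed."
trap 'rm -f -- "$tmp_conf"' EXIT

#grep -v exits 1 when it selected no lines at all (not an error); 2 means unreadable.
grep -v mysql "$BY2_CONF" > "$tmp_conf"
(( $? <= 1 )) || die "Could not read $BY2_CONF."

#Field 3 of the interface line; -m1 keeps a second match from making this multi-line.
sensor_iface=$(grep -m1 interface "$tmp_conf" | cut -d" " -f3)
[[ -n "$sensor_iface" ]] || print_notification "No interface line found in $BY2_CONF; the sensor name will end in '-'."

#The sensor name is a space/comma-delimited token in barnyard2.conf, so only a
#conservative character set is accepted.
while :; do
  read -r -p "What would you like the sensor's name to appear as?" sensor_name || die "No sensor name given."
  [[ "$sensor_name" =~ ^[A-Za-z0-9._-]+$ ]] && break
  print_error "Sensor name must be non-empty and use only letters, digits, '.', '_' or '-'."
done

while :; do
  read -r -p "What is the ip address of the syslog server? (in x.x.x.x format; e.g. 192.168.1.254)" syslog_server || die "No syslog server given."
  is_ipv4 "$syslog_server" && break
  print_error "'$syslog_server' is not a valid IPv4 address."
done

printf 'output log_syslog_full: sensor_name %s-%s, server %s, protocol udp, port 514, operation_mode complete\n' \
  "$sensor_name" "$sensor_iface" "$syslog_server" >> "$tmp_conf" || die "Could not write $tmp_conf."

cp -- "$tmp_conf" "$BY2_CONF" || die "Could not write $BY2_CONF."

print_good "Successfully modified /usr/local/snort/etc/barnyard2.conf to output to syslog_full."

exit 0
-------------------------------------------------------------------------------- /Autosnort-CentOS/Previous_Rel/previous interface install scripts/syslog_full-CentOS-10-23-2014.sh: --------------------------------------------------------------------------------
#!/bin/bash
#rsyslog module
#configures barnyard2 to use syslog full logging format over udp/514
#
#Copies barnyard2.conf without its mysql output line, asks the user for a
#sensor name and the syslog server's IPv4 address, then appends a
#log_syslog_full output line. Both answers land verbatim in barnyard2.conf, so
#they are validated before anything is written.

set -u

########################################
#Metasploit-like print statements: status, good, bad and notification. Gratuitously copied from Darkoperator's metasploit install script.

function print_status ()
{
  echo -e "\x1B[01;34m[*]\x1B[0m $1"
}

function print_good ()
{
  echo -e "\x1B[01;32m[*]\x1B[0m $1"
}

function print_error ()
{
  echo -e "\x1B[01;31m[*]\x1B[0m $1"
}

function print_notification ()
{
  echo -e "\x1B[01;33m[*]\x1B[0m $1"
}

########################################

readonly BY2_CONF=/usr/local/snort/etc/barnyard2.conf

#######################################
# Report a fatal error and exit 1; the main script checks this module's status.
#######################################
die() {
  print_error "$1"
  exit 1
}

#######################################
# Return 0 when $1 is a dotted-quad IPv4 address with every octet in 0-255.
#######################################
is_ipv4() {
  local ip=$1 octet
  local -a octets
  [[ "$ip" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]] || return 1
  IFS=. read -r -a octets <<<"$ip"
  for octet in "${octets[@]}"; do
    # 10# keeps a leading zero from being read as octal
    (( 10#$octet <= 255 )) || return 1
  done
  return 0
}

print_status "Reconfiguring barnyard2.conf output plugin to syslog_full.."

[[ -r "$BY2_CONF" ]] || die "$BY2_CONF not found or not readable; is barnyard2 installed?"

#Work on a private temp copy so a failure part-way leaves the live config untouched.
tmp_conf=$(mktemp /root/barnyard2.conf.XXXXXX) || die "mktemp failed."
trap 'rm -f -- "$tmp_conf"' EXIT

#grep -v exits 1 when it selected no lines at all (not an error); 2 means unreadable.
grep -v mysql "$BY2_CONF" > "$tmp_conf"
(( $? <= 1 )) || die "Could not read $BY2_CONF."

#Field 3 of the interface line; -m1 keeps a second match from making this multi-line.
sensor_iface=$(grep -m1 interface "$tmp_conf" | cut -d" " -f3)
[[ -n "$sensor_iface" ]] || print_notification "No interface line found in $BY2_CONF; the sensor name will end in '-'."

#The sensor name is a space/comma-delimited token in barnyard2.conf, so only a
#conservative character set is accepted.
while :; do
  read -r -p "What would you like the sensor's name to appear as?" sensor_name || die "No sensor name given."
  [[ "$sensor_name" =~ ^[A-Za-z0-9._-]+$ ]] && break
  print_error "Sensor name must be non-empty and use only letters, digits, '.', '_' or '-'."
done

while :; do
  read -r -p "What is the ip address of the syslog server? (in x.x.x.x format; e.g. 192.168.1.254)" syslog_server || die "No syslog server given."
  is_ipv4 "$syslog_server" && break
  print_error "'$syslog_server' is not a valid IPv4 address."
done

printf 'output log_syslog_full: sensor_name %s-%s, server %s, protocol udp, port 514, operation_mode complete\n' \
  "$sensor_name" "$sensor_iface" "$syslog_server" >> "$tmp_conf" || die "Could not write $tmp_conf."

cp -- "$tmp_conf" "$BY2_CONF" || die "Could not write $BY2_CONF."

print_good "Successfully modified /usr/local/snort/etc/barnyard2.conf to output to syslog_full."

exit 0
-------------------------------------------------------------------------------- /Autosnort-Ubuntu/Previous_Rel/previous interface install scripts/syslog_full-ubuntu-11-02-2014.sh: --------------------------------------------------------------------------------
#!/bin/bash
#rsyslog module
#configures barnyard2 to use syslog full logging format over udp/514
#Updated on 2/1/2014
#
#Copies barnyard2.conf without its mysql output line, asks the user for a
#sensor name and the syslog server's IPv4 address, then appends a
#log_syslog_full output line. Both answers land verbatim in barnyard2.conf, so
#they are validated before anything is written.

set -u

########################################
#Metasploit-like print statements: status, good, bad and notification. Gratuitously copied from Darkoperator's metasploit install script.

function print_status ()
{
  echo -e "\x1B[01;34m[*]\x1B[0m $1"
}

function print_good ()
{
  echo -e "\x1B[01;32m[*]\x1B[0m $1"
}

function print_error ()
{
  echo -e "\x1B[01;31m[*]\x1B[0m $1"
}

function print_notification ()
{
  echo -e "\x1B[01;33m[*]\x1B[0m $1"
}

########################################

readonly BY2_CONF=/usr/local/snort/etc/barnyard2.conf

#######################################
# Report a fatal error and exit 1; the main script checks this module's status.
#######################################
die() {
  print_error "$1"
  exit 1
}

#######################################
# Return 0 when $1 is a dotted-quad IPv4 address with every octet in 0-255.
#######################################
is_ipv4() {
  local ip=$1 octet
  local -a octets
  [[ "$ip" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]] || return 1
  IFS=. read -r -a octets <<<"$ip"
  for octet in "${octets[@]}"; do
    # 10# keeps a leading zero from being read as octal
    (( 10#$octet <= 255 )) || return 1
  done
  return 0
}

print_status "Reconfiguring barnyard2.conf output plugin to syslog_full."

[[ -r "$BY2_CONF" ]] || die "$BY2_CONF not found or not readable; is barnyard2 installed?"

#Work on a private temp copy so a failure part-way leaves the live config untouched.
tmp_conf=$(mktemp /root/barnyard2.conf.XXXXXX) || die "mktemp failed."
trap 'rm -f -- "$tmp_conf"' EXIT

#grep -v exits 1 when it selected no lines at all (not an error); 2 means unreadable.
grep -v mysql "$BY2_CONF" > "$tmp_conf"
(( $? <= 1 )) || die "Could not read $BY2_CONF."

#Field 3 of the interface line; -m1 keeps a second match from making this multi-line.
sensor_iface=$(grep -m1 interface "$tmp_conf" | cut -d" " -f3)
[[ -n "$sensor_iface" ]] || print_notification "No interface line found in $BY2_CONF; the sensor name will end in '-'."

#The sensor name is a space/comma-delimited token in barnyard2.conf, so only a
#conservative character set is accepted.
while :; do
  read -r -p "What would you like the sensor's name to appear as?" sensor_name || die "No sensor name given."
  [[ "$sensor_name" =~ ^[A-Za-z0-9._-]+$ ]] && break
  print_error "Sensor name must be non-empty and use only letters, digits, '.', '_' or '-'."
done

while :; do
  read -r -p "What is the ip address of the syslog server? (in x.x.x.x format; e.g. 192.168.1.254)" syslog_server || die "No syslog server given."
  is_ipv4 "$syslog_server" && break
  print_error "'$syslog_server' is not a valid IPv4 address."
done

printf 'output log_syslog_full: sensor_name %s-%s, server %s, protocol udp, port 514, operation_mode complete\n' \
  "$sensor_name" "$sensor_iface" "$syslog_server" >> "$tmp_conf" || die "Could not write $tmp_conf."

cp -- "$tmp_conf" "$BY2_CONF" || die "Could not write $BY2_CONF."

print_good "Successfully modified /usr/local/snort/etc/barnyard2.conf to output to syslog_full."

exit 0
-------------------------------------------------------------------------------- /Autosnort-Ubuntu/AVATAR/Previous_Rel/snortd: --------------------------------------------------------------------------------
#!/bin/bash
### BEGIN INIT INFO
# Provides: snort
# Required-Start: $local_fs $remote_fs $network $named $syslog $time
# Required-Stop: $local_fs $remote_fs $network $named $syslog $time
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: start and stop snort
# Description: Snort is a powerful open-source Intrusion Detection System.
### END INIT INFO
#
# SysV init script for an inline (afpacket) snort instance. Exit status is 0 on
# success and non-zero on failure (3 from "status" when snort is not running),
# so the init system can tell the outcomes apart.
#
# snort_basedir, snort_iface1 and snort_iface2 below look like placeholders the
# Autosnort installer fills in (the same tokens appear in snortd.service); keep
# them as bare tokens so that substitution keeps working.

#The location of the snort binary
SNORTD=snort_basedir/bin/snort
#Command line execution options for snort
OPTIONS="-D -u snort -g snort -c snort_basedir/etc/snort.conf -Q --daq afpacket --daq-mode inline -i snort_iface1:snort_iface2"

#######################################
# Bring both inline interfaces up and start snort.
# Returns: 0 when snort started, 1 otherwise
#######################################
do_start() {
  echo "Starting Snort"
  if [[ ! -x "$SNORTD" ]]; then
    echo "Snort failed to start! ($SNORTD is not executable)" >&2
    return 1
  fi
  #Interface setup failures are reported but not fatal, as before.
  /sbin/ifconfig snort_iface1 up -arp -multicast promisc || echo "warning: could not configure snort_iface1" >&2
  /sbin/ifconfig snort_iface2 up -arp -multicast promisc || echo "warning: could not configure snort_iface2" >&2
  # shellcheck disable=SC2086 -- OPTIONS is deliberately a word-split option string
  if $SNORTD $OPTIONS; then
    echo "Snort successfully started."
    logger "Snort Started!"
    return 0
  fi
  echo "Snort failed to start!" >&2
  return 1
}

#######################################
# Report whether a snort process is running.
# Returns: 0 when running, 3 (LSB "not running") otherwise
#######################################
do_status() {
  local pids
  if pids=$(pidof snort); then
    echo "Snort is running with a pid of $pids"
    return 0
  fi
  echo "Snort is not running."
  return 3
}

#######################################
# Stop snort. pidof matches every process named snort, not only the one this
# script started; a pid file would be more precise if snort is told to write one.
# Returns: 0 when the kill succeeded, 1 otherwise
#######################################
do_stop() {
  local pids
  echo "Stopping Snort"
  if ! pids=$(pidof snort); then
    echo "Snort could not be killed! (Permissions? Already dead?)" >&2
    return 1
  fi
  # shellcheck disable=SC2086 -- pidof returns a space-separated pid list
  if kill $pids 2> /dev/null; then
    echo "Snort successfully killed."
    logger "Killed Snort."
    return 0
  fi
  echo "Snort could not be killed! (Permissions? Already dead?)" >&2
  return 1
}

case "${1:-}" in
  start)
    do_start
    ;;
  stop)
    do_stop
    ;;
  restart)
    do_stop
    do_start
    ;;
  status)
    do_status
    ;;
  *)
    echo "Usage: snortd {start|stop|restart|status}" >&2
    exit 3
    ;;
esac
exit $?
-------------------------------------------------------------------------------- /Autosnort-Ubuntu/Previous_Rel/previous interface install scripts/snortreport-ubuntu.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | #Snortreport shell script 'module' 3 | #Sets up snort report for Autosnort 4 | 5 | apt-get install -y php5 php5-mysql php5-gd nmap nbtscan 6 | 7 | #Grab jpgraph and throw it in /var/www 8 | #Required to display graphs in snort report UI 9 | 10 | echo "Downloading and installing jpgraph." 11 | 12 | cd /usr/src 13 | wget http://hem.bredband.net/jpgraph/jpgraph-1.27.1.tar.gz 14 | if [ $? != 0 ];then 15 | echo "Attempt to pull down jpgraph failed. Please verify network connectivity and try again." 16 | exit 1 17 | else 18 | echo "Successfully downloaded the aanval tarball." 19 | fi 20 | mkdir /var/www/jpgraph 21 | tar -xzvf jpgraph-1.27.1.tar.gz 22 | cp -r jpgraph-1.27.1/src /var/www/jpgraph 23 | 24 | echo "jpgraph downloaded to /usr/src. installed to /var/www/jpgraph." 25 | 26 | #now to install snort report. 27 | 28 | echo "downloading and installing snort report" 29 | 30 | cd /usr/src 31 | wget http://www.symmetrixtech.com/ids/snortreport-1.3.3.tar.gz 32 | if [ $? != 0 ];then 33 | echo "Attempt to pull down snortreport failed. Please verify network connectivity and try again." 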
34 | exit 1 35 | else 36 | echo "Successfully downloaded the aanval tarball." 37 | fi 38 | 39 | tar -xzvf snortreport-1.3.3.tar.gz -C /var/www/ 40 | mv /var/www/snortreport-1.3.3 /var/www/snortreport 41 | 42 | #Decided to change the script: the main script should make the user create a snort database user and assign it password. 43 | #At this point, we should automatically drop this password into srconf.php instead of asking the user if they want to. 44 | #If the user wants this to work, they have to do it anyhow. 45 | 46 | cp /var/www/snortreport/srconf.php /root/srconf.php.tmp 47 | sed -i 's/YOURPASS/'$MYSQL_PASS_1'/' /root/srconf.php.tmp 48 | cp /root/srconf.php.tmp /var/www/snortreport/srconf.php 49 | rm /root/srconf.php.tmp 50 | echo "password insertion complete." 51 | echo "" 52 | 53 | exit 0 54 | -------------------------------------------------------------------------------- /Autosnort-CentOS/autosyslog_full-CentOS.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | #rsyslog module 3 | #configures barnyard2 to use syslog full logging format over udp/514 4 | 5 | ######################################## 6 | #Metasploit-like print statements: status, good, bad and notification. Gratouitiously copied from Darkoperator's metasploit install script. 7 | 8 | function print_status () 9 | { 10 | echo -e "\x1B[01;34m[*]\x1B[0m $1" 11 | } 12 | 13 | function print_good () 14 | { 15 | echo -e "\x1B[01;32m[*]\x1B[0m $1" 16 | } 17 | 18 | function print_error () 19 | { 20 | echo -e "\x1B[01;31m[*]\x1B[0m $1" 21 | } 22 | 23 | function print_notification () 24 | { 25 | echo -e "\x1B[01;33m[*]\x1B[0m $1" 26 | } 27 | 28 | ######################################## 29 | #The config file should be in the same directory that snorby script is exec'd from. This shouldn't fail, but if it does.. 30 | 31 | execdir=`pwd` 32 | if [ ! -f $execdir/full_autosnort.conf ]; then 33 | print_error "full_autosnort.conf was NOT found in $execdir. 
This script relies HEAVILY on this config file. The main autosnort script, full_autosnort.conf and this file should be located in the SAME directory." 34 | exit 1 35 | else 36 | source $execdir/full_autosnort.conf 37 | print_good "Found config file." 38 | fi 39 | 40 | #We take the copy barnyard2.conf and use grep -v to disable mysql by removing that line. We then ask the user what name the want the sensor appear as, and the ip address of the syslog server. 41 | 42 | print_status "Reconfiguring barnyard2.conf output plugin to syslog_full.." 43 | 44 | 45 | grep -v mysql $snort_basedir/etc/barnyard2.conf > /root/barnyard2.conf.tmp 46 | sensor_iface=`grep interface /root/barnyard2.conf.tmp | cut -d" " -f3` 47 | 48 | echo "output log_syslog_full: sensor_name $sensor_name-$snort_iface, server $syslog_server, protocol udp, port 514, operation_mode complete" >> /root/barnyard2.conf.tmp 49 | 50 | cp /root/barnyard2.conf.tmp $snort_basedir/etc/barnyard2.conf 51 | 52 | print_good "Successfully modified /usr/local/snort/etc/barnyard2.conf to output to syslog_full." 53 | 54 | exit 0 -------------------------------------------------------------------------------- /Autosnort-Debian/autosyslog_full-debian.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | #rsyslog module 3 | #configures barnyard2 to use syslog full logging format over udp/514 4 | 5 | ######################################## 6 | #Metasploit-like print statements: status, good, bad and notification. Gratouitiously copied from Darkoperator's metasploit install script. 
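# Each helper prints a coloured "[*]" tag followed by the message in $1.
# A fixed printf format is used so the message is emitted verbatim rather
# than having backslash sequences inside it interpreted (as echo -e would).

# Blue: progress / status line.
function print_status ()
{
  printf '\x1B[01;34m[*]\x1B[0m %s\n' "$1"
}

# Green: success line.
function print_good ()
{
  printf '\x1B[01;32m[*]\x1B[0m %s\n' "$1"
}

# Red: error line.
function print_error ()
{
  printf '\x1B[01;31m[*]\x1B[0m %s\n' "$1"
}

# Yellow: notification line.
function print_notification ()
{
  printf '\x1B[01;33m[*]\x1B[0m %s\n' "$1"
}

########################################
# full_autosnort.conf must sit in the directory this script is run from.
# NOTE: the file is *sourced*, i.e. executed as shell code by the (root) user
# running this script. Run it only from a directory you control and keep the
# config owned by and writable only by root.

execdir=$(pwd)
if [ ! -f "$execdir/full_autosnort.conf" ]; then
  print_error "full_autosnort.conf was NOT found in $execdir. This script relies HEAVILY on this config file. The main autosnort script, full_autosnort.conf and this file should be located in the SAME directory."
  exit 1
else
  source "$execdir/full_autosnort.conf"
  print_good "Found config file."
fi

# Every value consumed below must be set; fail early (exit 1 with a message
# on stderr) instead of appending a half-filled output line to barnyard2.conf.
: "${snort_basedir:?snort_basedir must be set in full_autosnort.conf}"
: "${snort_iface:?snort_iface must be set in full_autosnort.conf}"
: "${sensor_name:?sensor_name must be set in full_autosnort.conf}"
: "${syslog_server:?syslog_server must be set in full_autosnort.conf}"

########################################
# Rewrite barnyard2.conf: drop the mysql output line, then append a
# syslog_full output line (udp/514) built from the config values.

by2_conf="$snort_basedir/etc/barnyard2.conf"

print_status "Reconfiguring barnyard2.conf output plugin to syslog_full.."

if [ ! -f "$by2_conf" ]; then
  print_error "$by2_conf was NOT found. Has the main autosnort script been run?"
  exit 1
fi

# Edit a private temp copy and only replace the real file once the edit is
# complete; the temp copy is removed on any exit path.
by2_tmp=$(mktemp /root/barnyard2.conf.XXXXXX) || exit 1
trap 'rm -f -- "$by2_tmp"' EXIT

# NOTE: this drops every line mentioning "mysql", not only the
# "output database:" line -- same filter as before, kept for compatibility.
grep -v mysql "$by2_conf" > "$by2_tmp"

# sensor_name / syslog_server are written verbatim and unvalidated; keep
# them free of spaces and commas so the generated output line stays well-formed.
echo "output log_syslog_full: sensor_name $sensor_name-$snort_iface, server $syslog_server, protocol udp, port 514, operation_mode complete" >> "$by2_tmp"

cp "$by2_tmp" "$by2_conf" || { print_error "Failed to write $by2_conf."; exit 1; }

# Report the file actually written (the old message hard-coded /usr/local/snort).
print_good "Successfully modified $by2_conf to output to syslog_full."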
54 | 55 | exit 0 -------------------------------------------------------------------------------- /Autosnort-Kali/autosyslog_full-kali.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | #rsyslog module 3 | #configures barnyard2 to use syslog full logging format over udp/514 4 | 5 | ######################################## 6 | #Metasploit-like print statements: status, good, bad and notification. Gratouitiously copied from Darkoperator's metasploit install script. 7 | 8 | function print_status () 9 | { 10 | echo -e "\x1B[01;34m[*]\x1B[0m $1" 11 | } 12 | 13 | function print_good () 14 | { 15 | echo -e "\x1B[01;32m[*]\x1B[0m $1" 16 | } 17 | 18 | function print_error () 19 | { 20 | echo -e "\x1B[01;31m[*]\x1B[0m $1" 21 | } 22 | 23 | function print_notification () 24 | { 25 | echo -e "\x1B[01;33m[*]\x1B[0m $1" 26 | } 27 | 28 | ######################################## 29 | #The config file should be in the same directory that snorby script is exec'd from. This shouldn't fail, but if it does.. 30 | 31 | execdir=`pwd` 32 | if [ ! -f $execdir/full_autosnort.conf ]; then 33 | print_error "full_autosnort.conf was NOT found in $execdir. This script relies HEAVILY on this config file. The main autosnort script, full_autosnort.conf and this file should be located in the SAME directory." 34 | exit 1 35 | else 36 | source $execdir/full_autosnort.conf 37 | print_good "Found config file." 38 | fi 39 | 40 | ######################################## 41 | #We take the copy barnyard2.conf and use grep -v to disable mysql by removing that line. We then ask the user what name the want the sensor appear as, and the ip address of the syslog server. 42 | 43 | print_status "Reconfiguring barnyard2.conf output plugin to syslog_full.." 
44 | 45 | 46 | grep -v mysql $snort_basedir/etc/barnyard2.conf > /root/barnyard2.conf.tmp 47 | sensor_iface=`grep interface /root/barnyard2.conf.tmp | cut -d" " -f3` 48 | 49 | echo "output log_syslog_full: sensor_name $sensor_name-$snort_iface, server $syslog_server, protocol udp, port 514, operation_mode complete" >> /root/barnyard2.conf.tmp 50 | 51 | cp /root/barnyard2.conf.tmp $snort_basedir/etc/barnyard2.conf 52 | 53 | print_good "Successfully modified /usr/local/snort/etc/barnyard2.conf to output to syslog_full." 54 | 55 | exit 0 -------------------------------------------------------------------------------- /Autosnort-Ubuntu/autosyslog_full-ubuntu.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | #rsyslog module 3 | #configures barnyard2 to use syslog full logging format over udp/514 4 | 5 | ######################################## 6 | #Metasploit-like print statements: status, good, bad and notification. Gratouitiously copied from Darkoperator's metasploit install script. 7 | 8 | function print_status () 9 | { 10 | echo -e "\x1B[01;34m[*]\x1B[0m $1" 11 | } 12 | 13 | function print_good () 14 | { 15 | echo -e "\x1B[01;32m[*]\x1B[0m $1" 16 | } 17 | 18 | function print_error () 19 | { 20 | echo -e "\x1B[01;31m[*]\x1B[0m $1" 21 | } 22 | 23 | function print_notification () 24 | { 25 | echo -e "\x1B[01;33m[*]\x1B[0m $1" 26 | } 27 | 28 | ######################################## 29 | #The config file should be in the same directory that snorby script is exec'd from. This shouldn't fail, but if it does.. 30 | 31 | execdir=`pwd` 32 | if [ ! -f $execdir/full_autosnort.conf ]; then 33 | print_error "full_autosnort.conf was NOT found in $execdir. This script relies HEAVILY on this config file. The main autosnort script, full_autosnort.conf and this file should be located in the SAME directory." 34 | exit 1 35 | else 36 | source $execdir/full_autosnort.conf 37 | print_good "Found config file." 
38 | fi 39 | 40 | ######################################## 41 | #We take the copy barnyard2.conf and use grep -v to disable mysql by removing that line. We then ask the user what name the want the sensor appear as, and the ip address of the syslog server. 42 | 43 | print_status "Reconfiguring barnyard2.conf output plugin to syslog_full.." 44 | 45 | 46 | grep -v mysql $snort_basedir/etc/barnyard2.conf > /root/barnyard2.conf.tmp 47 | sensor_iface=`grep interface /root/barnyard2.conf.tmp | cut -d" " -f3` 48 | 49 | echo "output log_syslog_full: sensor_name $sensor_name-$snort_iface, server $syslog_server, protocol udp, port 514, operation_mode complete" >> /root/barnyard2.conf.tmp 50 | 51 | cp /root/barnyard2.conf.tmp $snort_basedir/etc/barnyard2.conf 52 | 53 | print_good "Successfully modified /usr/local/snort/etc/barnyard2.conf to output to syslog_full." 54 | 55 | exit 0 -------------------------------------------------------------------------------- /Offline/dpkgorderDebiani686.txt: -------------------------------------------------------------------------------- 1 | perl-base*.deb 2 | libc-bin*.deb 3 | libc6*.deb 4 | libc6-i686*.deb 5 | m4*.deb 6 | flex*.deb 7 | mysql-common*.deb 8 | libdb4.7*.deb 9 | perl*.deb perl-modules*.deb 10 | libnet-daemon-perl*.deb 11 | libplrpc-perl*.deb 12 | libdbi-perl*.deb 13 | libmysqlclient16*.deb 14 | libdbd-mysql-perl*.deb 15 | mysql-client-core-5.5*.deb 16 | mysql-client-5.5*.deb 17 | psmisc*.deb 18 | libaio1*.deb 19 | mysql-server-core-5.5*.deb 20 | mysql-server-5.5*.deb 21 | libmagic1*.deb 22 | file*.deb 23 | libcap2*.deb 24 | libgpg-error0*.deb 25 | libgcrypt11*.deb 26 | libtasn1-3*.deb 27 | libgnutls26*.deb 28 | libsasl2-2*.deb 29 | libldap-2.4-2*.deb 30 | libpcre3*.deb 31 | libxml2*.deb 32 | mime-support*.deb 33 | libapr1*.deb 34 | libexpat1*.deb 35 | libaprutil1*.deb 36 | libaprutil1-dbd-sqlite3*.deb 37 | libaprutil1-ldap*.deb 38 | apache2.2-bin*.deb 39 | apache2-utils*.deb 40 | apache2.2-common*.deb 41 | 
apache2-mpm-prefork*.deb 42 | apache2*.deb 43 | autoconf*.deb 44 | autotools-dev*.deb 45 | automake*.deb 46 | binutils*.deb 47 | bison*.deb 48 | libgmp3c2*.deb 49 | libmpfr4*.deb 50 | cpp-4.4*.deb 51 | cpp*.deb 52 | ethtool*.deb 53 | libgomp1*.deb 54 | gcc-4.4*.deb 55 | gcc*.deb 56 | libc-dev-bin*.deb 57 | linux-libc-dev*.deb 58 | libc6-dev*.deb 59 | libstdc++6-4.4-dev*.deb g++-4.4*.deb g++*.deb 60 | libonig2*.deb 61 | libqdbm14*.deb 62 | php5-common*.deb 63 | libapache2-mod-php5*.deb 64 | libhtml-template-perl*.deb 65 | libjpeg62*.deb 66 | libltdl7*.deb 67 | libltdl-dev*.deb 68 | liblua5.1-0*.deb 69 | libmysqlclient18*.deb 70 | zlib1g-dev*.deb 71 | libmysqlclient-dev*.deb 72 | libpcap0.8*.deb 73 | libreadline5*.deb 74 | libruby1.8*.deb 75 | libpcap-ruby1.8*.deb 76 | libpcap-ruby*.deb 77 | libpcap0.8-dev*.deb 78 | libpcrecpp0*.deb 79 | libpcre3-dev*.deb 80 | libpng12-0*.deb 81 | libsasl2-modules*.deb 82 | libxau6*.deb 83 | libxdmcp6*.deb 84 | libxcb1*.deb 85 | libx11-data*.deb 86 | libx11-6*.deb 87 | libt1-5*.deb 88 | libtool*.deb 89 | libxpm4*.deb 90 | make*.deb 91 | manpages-dev*.deb 92 | mysql-server*.deb 93 | nbtscan*.deb 94 | openssl*.deb 95 | php5*.deb 96 | php5-cli*.deb 97 | php5-gd*.deb 98 | php5-mysql*.deb 99 | sgml-base*.deb 100 | ssl-cert*.deb 101 | xml-core*.deb 102 | nmap*.deb 103 | -------------------------------------------------------------------------------- /Offline/dpkgorderDebianx86_64.txt: -------------------------------------------------------------------------------- 1 | perl-base*.deb 2 | libc-bin*.deb 3 | libc6*.deb 4 | libc6-i686*.deb 5 | m4*.deb 6 | flex*.deb 7 | mysql-common*.deb 8 | libdb4.7*.deb 9 | perl*.deb perl-modules*.deb 10 | libnet-daemon-perl*.deb 11 | libplrpc-perl*.deb 12 | libdbi-perl*.deb 13 | libmysqlclient16*.deb 14 | libdbd-mysql-perl*.deb 15 | mysql-client-core-5.5*.deb 16 | mysql-client-5.5*.deb 17 | psmisc*.deb 18 | libaio1*.deb 19 | mysql-server-core-5.5*.deb 20 | mysql-server-5.5*.deb 21 | libmagic1*.deb 22 | 
file*.deb 23 | libcap2*.deb 24 | libgpg-error0*.deb 25 | libgcrypt11*.deb 26 | libtasn1-3*.deb 27 | libgnutls26*.deb 28 | libsasl2-2*.deb 29 | libldap-2.4-2*.deb 30 | libpcre3*.deb 31 | libxml2*.deb 32 | mime-support*.deb 33 | libapr1*.deb 34 | libexpat1*.deb 35 | libaprutil1*.deb 36 | libaprutil1-dbd-sqlite3*.deb 37 | libaprutil1-ldap*.deb 38 | apache2.2-bin*.deb 39 | apache2-utils*.deb 40 | apache2.2-common*.deb 41 | apache2-mpm-prefork*.deb 42 | apache2*.deb 43 | autoconf*.deb 44 | autotools-dev*.deb 45 | automake*.deb 46 | binutils*.deb 47 | bison*.deb 48 | libgmp3c2*.deb 49 | libmpfr4*.deb 50 | cpp-4.4*.deb 51 | cpp*.deb 52 | ethtool*.deb 53 | libgomp1*.deb 54 | gcc-4.4*.deb 55 | gcc*.deb 56 | libc-dev-bin*.deb 57 | linux-libc-dev*.deb 58 | libc6-dev*.deb 59 | libstdc++6-4.4-dev*.deb g++-4.4*.deb g++*.deb 60 | libonig2*.deb 61 | libqdbm14*.deb 62 | php5-common*.deb 63 | libapache2-mod-php5*.deb 64 | libhtml-template-perl*.deb 65 | libjpeg62*.deb 66 | libltdl7*.deb 67 | libltdl-dev*.deb 68 | liblua5.1-0*.deb 69 | libmysqlclient18*.deb 70 | zlib1g-dev*.deb 71 | libmysqlclient-dev*.deb 72 | libpcap0.8*.deb 73 | libreadline5*.deb 74 | libruby1.8*.deb 75 | libpcap-ruby1.8*.deb 76 | libpcap-ruby*.deb 77 | libpcap0.8-dev*.deb 78 | libpcrecpp0*.deb 79 | libpcre3-dev*.deb 80 | libpng12-0*.deb 81 | libsasl2-modules*.deb 82 | libxau6*.deb 83 | libxdmcp6*.deb 84 | libxcb1*.deb 85 | libx11-data*.deb 86 | libx11-6*.deb 87 | libt1-5*.deb 88 | libtool*.deb 89 | libxpm4*.deb 90 | make*.deb 91 | manpages-dev*.deb 92 | mysql-server*.deb 93 | nbtscan*.deb 94 | openssl*.deb 95 | php5*.deb 96 | php5-cli*.deb 97 | php5-gd*.deb 98 | php5-mysql*.deb 99 | sgml-base*.deb 100 | ssl-cert*.deb 101 | xml-core*.deb 102 | nmap*.deb 103 | -------------------------------------------------------------------------------- /Autosnort-Ubuntu/AVATAR/full_autosnort.conf: -------------------------------------------------------------------------------- 1 | ##full_autosnort configuration file## 2 | # The 
options below are configuration options that need to be filled out (unless otherwise noted) for the script to run successfully. Each variable/configuration option will have an explanation as to what it is for, why it needs to be set, and valid configuration options. 3 | # After Autosnort completes and you confirm everything is running correctly, you may delete, shred, burn, or consume this file however you see fit. 4 | # But in all seriousness, after the script completes, store this file some place SAFE, or delete it. 5 | 6 | ##snort_basedir## 7 | # This option sets the directory where you would like snort to be installed. 8 | # Do not place any trailing slashes (/) at the end of the desired directory path. 9 | # See the default setting for a valid example. 10 | ##Options## 11 | # Any valid unix directory path; Autosnort will create parent directories if they do not exist. MUST BE AN ABSOLUTE PATH. 12 | #default setting: /opt/snort 13 | snort_basedir=/opt/snort 14 | 15 | ##snort_iface_1## 16 | # This is the name of the first interface you will be using snort to sniff traffic on. 17 | # This option MUST be set. 18 | # Example: 19 | # snort_iface_1=eth1 20 | #default setting: snort_iface_1=eth1 21 | snort_iface_1=eth1 22 | 23 | ##snort_iface_2## 24 | # This is the name of the second interface you will be using snort to sniff traffic on. 25 | # This option MUST be set. 26 | # Example: 27 | # snort_iface_2=eth2 28 | #default setting: snort_iface_2=eth2 29 | snort_iface_2=eth2 30 | 31 | 32 | ##o_code## 33 | # This setting is the oink code that will be used by pulled pork to download your rules. 34 | # You MUST input a valid oink code for the script to function normally. 35 | # This can be a registered user oink code or a VRT rule subscription oink code; it doesn't matter which. 
36 | # If you have no idea what an oink code is, or how to get one visit snort.org and create an account (it's free) 37 | # After registering your account, and logging in under your account settings should be the ability to check your subscriptions and oink codes. The oink code is a series of numbers and letters. 38 | # Example: 39 | # o_code=2426170067b2e110c1f3fdee444118fcc15180f0 40 | # the above is not a valid oink code; do not use it. 41 | o_code= 42 | -------------------------------------------------------------------------------- /Autosnort-Ubuntu/initsguil: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | ### BEGIN INIT INFO 3 | # Provides: snort_agent.tcl, sguild 4 | # Required-Start: $local_fs $remote_fs $network $named $syslog $time $snortbarn 5 | # Required-Stop: $local_fs $remote_fs $network $named $syslog $time $snortbarn 6 | # Default-Start: 2 3 4 5 7 | # Default-Stop: 0 1 6 8 | # Short-Description: start and stop sguild, and sguil's snort_agent.tcl 9 | # Description: Sguil is a powerful set of scripts in TCL for managing NSM events. 10 | ### END INIT INFO 11 | 12 | #Command line execution options for sguild 13 | OPTIONS="-c /opt/sguil/server/sguild.conf -C /opt/sguil/ssl" 14 | #Command line execution options for snort_agent.tcl 15 | OPTIONS2="-c /opt/sguil/sensor/snort_agent.conf" 16 | 17 | do_start() 18 | { 19 | echo "Starting sguild and snort_agent" 20 | cd /opt/sguil/server 21 | sleep 10 22 | tclsh sguild $OPTIONS 23 | if [ $? -eq 0 ]; then 24 | echo "Sguild successfully started." 25 | logger "Sguild Started!" 26 | else 27 | echo "Sguild failed to start!" 28 | fi 29 | cd /opt/sguil/sensor 30 | sleep 10 31 | tclsh snort_agent.tcl $OPTIONS2 32 | if [ $? -eq 0 ]; then 33 | echo "snort_agent successfully started." 34 | logger "snort_agent Started!" 35 | else 36 | echo "snort_agent failed to start!" 
37 | fi 38 | return 0 39 | } 40 | 41 | do_status() 42 | { 43 | echo "Listing tclsh processes:" 44 | ps -ef | grep tcl 45 | } 46 | 47 | do_stop() 48 | { 49 | echo "Stopping sguild and snort_agent" 50 | kill `ps -ef | egrep "sguild|snort_agent" | egrep -v "egrep" | awk '{print $2}'|tr '\n' ' '` 2> /dev/null 51 | if [ $? -eq 0 ]; then 52 | echo "Sguid and snort_agent processes terminated." 53 | logger "Killed sguild and snort_agent." 54 | else 55 | echo "Sguild and/or snort_agent could not be killed! (Permissions? Already dead?)" 56 | fi 57 | return 0 58 | } 59 | 60 | case "$1" in 61 | start) 62 | do_start 63 | ;; 64 | stop) 65 | do_stop 66 | ;; 67 | restart) 68 | do_stop 69 | do_start 70 | ;; 71 | status) 72 | do_status 73 | ;; 74 | *) 75 | echo "Usage: snortbarn {start|stop|restart|status}" >&2 76 | exit 3 77 | ;; 78 | esac 79 | exit 0 -------------------------------------------------------------------------------- /Autosnort-Kali/snortbarn: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | ### BEGIN INIT INFO 3 | # Provides: snort, barnyard2 4 | # Required-Start: $local_fs $remote_fs $network $named $syslog $time 5 | # Required-Stop: $local_fs $remote_fs $network $named $syslog $time 6 | # Default-Start: 2 3 4 5 7 | # Default-Stop: 0 1 6 8 | # Short-Description: start and stop snort and barnyard2 9 | # Description: Snort is a powerful open-source Intrusion Detection System. 10 | # Barnyard2 is a tool for processing snort unified2 log files. 
11 | ### END INIT INFO 12 | 13 | #The location of the snort binary 14 | SNORTD=snort_basedir/bin/snort 15 | #The location of the barnyard2 binary 16 | BY2D=/usr/local/bin/barnyard2 17 | #Command line execution options for snort 18 | OPTIONS="-D -u snort -g snort -c snort_basedir/etc/snort.conf -i snort_iface" 19 | #Command line execution options for barnyard 2 20 | OPTIONS2="-c snort_basedir/etc/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -D" 21 | 22 | do_start() 23 | { 24 | echo "Starting Snort and Barnyard" 25 | /sbin/ifconfig snort_iface up -arp -multicast promisc 26 | $SNORTD $OPTIONS 27 | if [ $? -eq 0 ]; then 28 | echo "Snort successfully started." 29 | logger "Snort Started!" 30 | else 31 | echo "Snort failed to start!" 32 | fi 33 | $BY2D $OPTIONS2 34 | if [ $? -eq 0 ]; then 35 | echo "Barnyard2 successfully started." 36 | logger "Barnyard2 Started!" 37 | else 38 | echo "Barnyard2 failed to start!" 39 | fi 40 | return 0 41 | } 42 | 43 | do_status() 44 | { 45 | pidof snort 46 | if [ $? -eq 0 ]; then 47 | echo "Snort is running with a pid of `pidof snort`" 48 | else 49 | echo "Snort is not running." 50 | fi 51 | pidof barnyard2 52 | if [ $? -eq 0 ]; then 53 | 54 | echo "Barnyard2 is running with a pid of `pidof barnyard2`" 55 | else 56 | echo "Barnyard2 is not running." 57 | fi 58 | } 59 | 60 | do_stop() 61 | { 62 | echo "Stopping Snort and Barnyard" "" 63 | kill $(pidof snort) 2> /dev/null 64 | if [ $? -eq 0 ]; then 65 | echo "Snort successfully killed." 66 | logger "Killed Snort." 67 | else 68 | echo "Snort could not be killed! (Permissions? Already dead?)" 69 | fi 70 | kill $(pidof barnyard2) 2> /dev/null 71 | if [ $? -eq 0 ]; then 72 | echo "Barnyard2 successfully killed." 73 | logger "Killed Barnyard2." 74 | else 75 | echo "Barnyard2 could not be killed! (Permissions? 
Already dead?)" 76 | fi 77 | return 0 78 | } 79 | 80 | case "$1" in 81 | start) 82 | do_start 83 | ;; 84 | stop) 85 | do_stop 86 | ;; 87 | restart) 88 | do_stop 89 | do_start 90 | ;; 91 | status) 92 | do_status 93 | ;; 94 | *) 95 | echo "Usage: snortbarn {start|stop|restart|status}" >&2 96 | exit 3 97 | ;; 98 | esac 99 | exit 0 -------------------------------------------------------------------------------- /Autosnort-Debian/snortbarn: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | ### BEGIN INIT INFO 3 | # Provides: snort, barnyard2 4 | # Required-Start: $local_fs $remote_fs $network $named $syslog $time 5 | # Required-Stop: $local_fs $remote_fs $network $named $syslog $time 6 | # Default-Start: 2 3 4 5 7 | # Default-Stop: 0 1 6 8 | # Short-Description: start and stop snort and barnyard2 9 | # Description: Snort is a powerful open-source Intrusion Detection System. 10 | # Barnyard2 is a tool for processing snort unified2 log files. 11 | ### END INIT INFO 12 | 13 | #The location of the snort binary 14 | SNORTD=snort_basedir/bin/snort 15 | #The location of the barnyard2 binary 16 | BY2D=/usr/local/bin/barnyard2 17 | #Command line execution options for snort 18 | OPTIONS="-D -u snort -g snort -c snort_basedir/etc/snort.conf -i snort_iface" 19 | #Command line execution options for barnyard 2 20 | OPTIONS2="-c snort_basedir/etc/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -D" 21 | 22 | do_start() 23 | { 24 | echo "Starting Snort and Barnyard" 25 | /sbin/ifconfig snort_iface up -arp -multicast promisc 26 | $SNORTD $OPTIONS 27 | if [ $? -eq 0 ]; then 28 | echo "Snort successfully started." 29 | logger "Snort Started!" 30 | else 31 | echo "Snort failed to start!" 32 | fi 33 | $BY2D $OPTIONS2 34 | if [ $? -eq 0 ]; then 35 | echo "Barnyard2 successfully started." 36 | logger "Barnyard2 Started!" 37 | else 38 | echo "Barnyard2 failed to start!" 
39 | fi 40 | return 0 41 | } 42 | 43 | do_status() 44 | { 45 | pidof snort 46 | if [ $? -eq 0 ]; then 47 | echo "Snort is running with a pid of `pidof snort`" 48 | else 49 | echo "Snort is not running." 50 | fi 51 | pidof barnyard2 52 | if [ $? -eq 0 ]; then 53 | 54 | echo "Barnyard2 is running with a pid of `pidof barnyard2`" 55 | else 56 | echo "Barnyard2 is not running." 57 | fi 58 | } 59 | 60 | do_stop() 61 | { 62 | echo "Stopping Snort and Barnyard" "" 63 | kill $(pidof snort) 2> /dev/null 64 | if [ $? -eq 0 ]; then 65 | echo "Snort successfully killed." 66 | logger "Killed Snort." 67 | else 68 | echo "Snort could not be killed! (Permissions? Already dead?)" 69 | fi 70 | kill $(pidof barnyard2) 2> /dev/null 71 | if [ $? -eq 0 ]; then 72 | echo "Barnyard2 successfully killed." 73 | logger "Killed Barnyard2." 74 | else 75 | echo "Barnyard2 could not be killed! (Permissions? Already dead?)" 76 | fi 77 | return 0 78 | } 79 | 80 | case "$1" in 81 | start) 82 | do_start 83 | ;; 84 | stop) 85 | do_stop 86 | ;; 87 | restart) 88 | do_stop 89 | do_start 90 | ;; 91 | status) 92 | do_status 93 | ;; 94 | *) 95 | echo "Usage: snortbarn {start|stop|restart|status}" >&2 96 | exit 3 97 | ;; 98 | esac 99 | exit 0 -------------------------------------------------------------------------------- /Autosnort-Ubuntu/snortbarn: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | ### BEGIN INIT INFO 3 | # Provides: snort, barnyard2 4 | # Required-Start: $local_fs $remote_fs $network $named $syslog $time 5 | # Required-Stop: $local_fs $remote_fs $network $named $syslog $time 6 | # Default-Start: 2 3 4 5 7 | # Default-Stop: 0 1 6 8 | # Short-Description: start and stop snort and barnyard2 9 | # Description: Snort is a powerful open-source Intrusion Detection System. 10 | # Barnyard2 is a tool for processing snort unified2 log files. 
11 | ### END INIT INFO 12 | 13 | #The location of the snort binary 14 | SNORTD=snort_basedir/bin/snort 15 | #The location of the barnyard2 binary 16 | BY2D=/usr/local/bin/barnyard2 17 | #Command line execution options for snort 18 | OPTIONS="-D -u snort -g snort -c snort_basedir/etc/snort.conf -i snort_iface" 19 | #Command line execution options for barnyard 2 20 | OPTIONS2="-c snort_basedir/etc/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -D" 21 | 22 | do_start() 23 | { 24 | echo "Starting Snort and Barnyard" 25 | /sbin/ifconfig snort_iface up -arp -multicast promisc 26 | $SNORTD $OPTIONS 27 | if [ $? -eq 0 ]; then 28 | echo "Snort successfully started." 29 | logger "Snort Started!" 30 | else 31 | echo "Snort failed to start!" 32 | fi 33 | $BY2D $OPTIONS2 34 | if [ $? -eq 0 ]; then 35 | echo "Barnyard2 successfully started." 36 | logger "Barnyard2 Started!" 37 | else 38 | echo "Barnyard2 failed to start!" 39 | fi 40 | return 0 41 | } 42 | 43 | do_status() 44 | { 45 | pidof snort 46 | if [ $? -eq 0 ]; then 47 | echo "Snort is running with a pid of `pidof snort`" 48 | else 49 | echo "Snort is not running." 50 | fi 51 | pidof barnyard2 52 | if [ $? -eq 0 ]; then 53 | 54 | echo "Barnyard2 is running with a pid of `pidof barnyard2`" 55 | else 56 | echo "Barnyard2 is not running." 57 | fi 58 | } 59 | 60 | do_stop() 61 | { 62 | echo "Stopping Snort and Barnyard" "" 63 | kill $(pidof snort) 2> /dev/null 64 | if [ $? -eq 0 ]; then 65 | echo "Snort successfully killed." 66 | logger "Killed Snort." 67 | else 68 | echo "Snort could not be killed! (Permissions? Already dead?)" 69 | fi 70 | kill $(pidof barnyard2) 2> /dev/null 71 | if [ $? -eq 0 ]; then 72 | echo "Barnyard2 successfully killed." 73 | logger "Killed Barnyard2." 74 | else 75 | echo "Barnyard2 could not be killed! (Permissions? 
Already dead?)" 76 | fi 77 | return 0 78 | } 79 | 80 | case "$1" in 81 | start) 82 | do_start 83 | ;; 84 | stop) 85 | do_stop 86 | ;; 87 | restart) 88 | do_stop 89 | do_start 90 | ;; 91 | status) 92 | do_status 93 | ;; 94 | *) 95 | echo "Usage: snortbarn {start|stop|restart|status}" >&2 96 | exit 3 97 | ;; 98 | esac 99 | exit 0 -------------------------------------------------------------------------------- /Autosnort-Ubuntu/Previous_Rel/previous interface install scripts/aanval-ubuntu.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | #Aanval shell script 'module' 3 | #Sets up Aanval for for Autosnort 4 | #WARNING: DO NOT TRY TO USE AANVAL TO MANAGE THE SENSOR! 5 | #GETTING THIS TO ACTUALLY WORK IS GOING TO TAKE A LOT OF TIME AND EFFORT 6 | #TO FIGURE OUT WHERE AANVAL IS TRYING TO LOOK FOR THINGS, NOT TO MENTION 7 | #SOME RE-WORKING OF AUTOSNORT ITSELF...THIS IS STRICTLY TO GET THE IDS 8 | #EVENT VIEW FUNCTIONALITY WORKING. 9 | 10 | echo "grabbing packages for aanval" 11 | #grab packages for aanval most of the primary required packages are pulled by the main AS script. 12 | apt-get install -y zlib1g-dev libmysqld-dev byacc libxml2-dev zlib1g php5 php5-mysql php5-gd nmap 13 | 14 | echo "making the aanval web UI directory" 15 | #Make the aanval directory under /var/www, and cd into it 16 | mkdir /var/www/aanval 17 | cd /var/www/aanval 18 | 19 | # We need to grab aanval from the aanval.com site. If this fails, we exit the script with a status of 1 20 | # A check needs to be built into the main script to verify this script exits cleanly. If it doesn't, 21 | # The user should be informed and brought back to the main interface selection menu. 22 | echo "grabbing aanval." 23 | wget https://www.aanval.com/download/pickup -O aanval.tar.gz --no-check-certificate 24 | if [ $? != 0 ];then 25 | echo "Attempt to pull down aanval console failed. Please verify network connectivity and try again." 
26 | exit 1 27 | else 28 | echo "Successfully downloaded the aanval tarball." 29 | fi 30 | tar -xzvf aanval.tar.gz 31 | rm aanval.tar.gz 32 | 33 | #Creating the database infrastructure for Aanval -- We make the database aanvaldb and give the snort user the ability to do work on it. 34 | #This database is totally separate from the snort database, BOTH must be present. 35 | 36 | while true; do 37 | echo "enter the mysql root user password to create the aanvaldb database." 38 | mysql -u root -p -e "create database aanvaldb;" 39 | if [ $? != 0 ]; then 40 | echo "the command did NOT complete successfully. (bad password?) Please try again." 41 | continue 42 | else 43 | echo "aanvaldb database created!" 44 | break 45 | fi 46 | done 47 | 48 | #note: need to pass off mysql_pass_1 as an environment variable in the main script: 49 | #code: ask for snort database password, save to var MYSQL_PASS_1 (yes, case matters) 50 | #export MYSQL_PASS_1, call it in child shell script for aanval. ($MYSQL_PASS_1) 51 | 52 | while true; do 53 | echo "you'll need to enter the mysql root user password one more time to grant the snort database user permissions to the aanvaldb database." 54 | mysql -u root -p -e "grant create, insert, select, delete, update on aanvaldb.* to snort@localhost identified by '$MYSQL_PASS_1';" 55 | if [ $? != 0 ]; then 56 | echo "the command did NOT complete successfully. (bad password?) Please try again." 57 | continue 58 | else 59 | echo "snort database schema created!" 60 | break 61 | fi 62 | done 63 | 64 | chown -R www-data:www-data /var/www/aanval 65 | 66 | exit 0 -------------------------------------------------------------------------------- /BT5r3/readme-bt5r3.txt: -------------------------------------------------------------------------------- 1 | This readme is specifically for BT5-R3 2 | 3 | 4 | If you take a look at the script, you'll notice its about as long as the scripts for CentOS and Ubuntu and 5 | operates mostly the same. 
There's less action and less checks going on with the backtrack script because 6 | backtrack is designed to be ran as the root user, and has practically all of the pre-req libraries and tools 7 | installed by default. 8 | 9 | You'll probably notice that the script runs a bit faster, doesn't install jpgraph, snortreport, or configure mysql 10 | for you -- there's a reason for this. 11 | 12 | It's been stated multiple times, even by the creators of the distro themselves, that Backtrack is a security distro, 13 | and not necessarily a secure distro. Having considered this and thinking about it, I decided to drop the installation 14 | of mysql and the web frontend. 15 | 16 | The following are NOT installed on backtrack systems: 17 | -jpgraph 18 | -mysql server (already installed, but I do not enable the mysql server or run the mysql_secure_installation script) 19 | -snortreport 20 | -barnyard 2 21 | 22 | Some may ask "Well, what's the point if you're not going to do a full sensor install?" glad you asked. The version 23 | of snort installed with BT5r3 is 2.8.5.2 -- likely whatever is in the default Ubuntu repos. 2.8.5.2 is a few years old 24 | now and has been deprecated -- meaning no new rules. There have been a number of stability fixes and functionality 25 | enhancements that have gone into snort since then (for instance the DAQ -data acquisition libraries) as well as a 26 | number of new, improved rules, new rule options and recategorizations -- that's plenty of benefit to reserachers who 27 | do malicious traffic analysis as well as hackers worldwide who have to quickly analyze traffic that is being thrown 28 | against them in CTFs around the world -- MS08-067 may still be around, by there are new threats in town and a new 29 | version of snort is simply a nice addition to backtrack. 30 | 31 | Others may ask "Well, why didn't you submit a ticket to redmine to have the distro maintainers to update snort?" 
32 | Because I'm a hacker, that's why - why make other people do something that I can do just as well myself?. Let's take 33 | a look at this seriously. Let's say I ask them to update the version of snort in the distro repos. Let's assume that 34 | they immediately do so and it becomes available in the BT5 repos. With how fast new versions of snort are released, 35 | I'd be asking them to update again eventually, taking away their attention to other, probably more important projects 36 | and issues that need to be resolved. 37 | 38 | On the other hand, I provide this script to Backtrack users, and they can download an updated version of snort for 39 | themselves. The script automatically gets the latest stable source and DAQ libs without bothering the distro maintainers. 40 | Problem solved. Forever. 41 | 42 | 43 | I think that does it. Here's contact information if you want to send love/hatemail bribes, questions, etc.: 44 | twitter: @da_667 45 | e-mail: deusexmachina667@gmail.com -------------------------------------------------------------------------------- /Autosnort-CentOS/snortbarn: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # 3 | #Snortbarn Startup script for Snort and Barnyard2 4 | # chkconfig: - 85 15 5 | # description: This script provided by Autosnort. It is \ 6 | # Responsible for Starting/Stopping Both \ 7 | # Snort and Barnyard2. 
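# processnames: snort, barnyard2
# config: snort_basedir/etc/barnyard2.conf
# config: snort_basedir/etc/snort.conf
# pidfile: /var/run/snort_snort_iface.pid
# pidfile: /var/run/barnyard2_hstnm-snort_iface.pid
### BEGIN INIT INFO
# Provides: snort, barnyard2
# Required-Start: $local_fs $remote_fs $network $named $syslog $time
# Required-Stop: $local_fs $remote_fs $network $named $syslog $time
# Default-Start: 3 4 5
# Default-Stop: 0 1 6
# Short-Description: start and stop snort and barnyard2
# Description: Snort is a powerful open-source Intrusion Detection System.
# Barnyard2 is a tool for processing snort unified2 log files.
### END INIT INFO

# NOTE(review): "snort_basedir", "snort_iface" and "hstnm" below look like
# placeholders that the Autosnort installer rewrites when it drops this script
# into place -- confirm against the installer before renaming any of them.

#The location of the snort binary
SNORTD=snort_basedir/bin/snort
#The location of the barnyard2 binary
BY2D=/usr/local/bin/barnyard2
#Command line execution options for snort. Kept as one string that is
#word-split on purpose when expanded, so paths in it must not contain spaces.
OPTIONS="-D -u snort -g snort -c snort_basedir/etc/snort.conf -i snort_iface"
#Command line execution options for barnyard 2
OPTIONS2="-c snort_basedir/etc/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -D"

# Source function library.
. /etc/rc.d/init.d/functions

#######################################
# Bring the sniffing interface up, then start snort and barnyard2.
# Globals:   SNORTD, BY2D, OPTIONS, OPTIONS2 (read)
# Outputs:   progress messages on stdout; success events via logger
# Returns:   always 0 -- a failed start is reported, not propagated,
#            which matches the original init-script behaviour
#######################################
do_start()
{
  echo "Starting Snort and Barnyard"
  # No ARP, no multicast, promiscuous: a passive sniffing interface.
  if ! /sbin/ifconfig snort_iface up -arp -multicast promisc; then
    echo "Could not configure snort_iface for sniffing!"
  fi
  # -D makes snort daemonise, so a zero status only says the parent forked
  # cleanly; a bad snort.conf can still take the child down afterwards.
  # shellcheck disable=SC2086  # OPTIONS is intentionally word-split
  if $SNORTD $OPTIONS; then
    echo "Snort successfully started."
    logger "Snort Started!"
  else
    echo "Snort failed to start!"
  fi
  # shellcheck disable=SC2086  # OPTIONS2 is intentionally word-split
  if $BY2D $OPTIONS2; then
    echo "Barnyard2 successfully started."
    logger "Barnyard2 Started!"
  else
    echo "Barnyard2 failed to start!"
  fi
  return 0
}

#######################################
# Report whether snort and barnyard2 are running, looked up by process name.
# Outputs:   one status line per daemon on stdout
# Returns:   0
#######################################
do_status()
{
  local snort_pids barnyard_pids
  # pidof is asked once per daemon; the original called it twice and let the
  # first call's raw pid list leak onto stdout before the status line.
  if snort_pids=$(pidof snort); then
    echo "Snort is running with a pid of $snort_pids"
  else
    echo "Snort is not running."
  fi
  if barnyard_pids=$(pidof barnyard2); then
    echo "Barnyard2 is running with a pid of $barnyard_pids"
  else
    echo "Barnyard2 is not running."
  fi
  return 0
}

#######################################
# Send SIGTERM to every snort and barnyard2 process.
# Outputs:   result messages on stdout; kill events via logger
# Returns:   always 0
#######################################
do_stop()
{
  local snort_pids barnyard_pids
  echo "Stopping Snort and Barnyard"
  # Resolve the pids first: "kill" with an empty argument list prints its
  # usage text and fails, which the original misreported as a permissions
  # problem whenever the daemon was simply not running.
  if ! snort_pids=$(pidof snort); then
    echo "Snort is not running."
  # shellcheck disable=SC2086  # pidof may return several pids
  elif kill $snort_pids 2> /dev/null; then
    echo "Snort successfully killed."
    logger "Killed Snort."
  else
    echo "Snort could not be killed! (Permissions? Already dead?)"
  fi
  if ! barnyard_pids=$(pidof barnyard2); then
    echo "Barnyard2 is not running."
  # shellcheck disable=SC2086  # pidof may return several pids
  elif kill $barnyard_pids 2> /dev/null; then
    echo "Barnyard2 successfully killed."
    logger "Killed Barnyard2."
  else
    echo "Barnyard2 could not be killed! (Permissions? Already dead?)"
  fi
  return 0
}

case "$1" in
  start)
    do_start
    ;;
  stop)
    do_stop
    ;;
  restart)
    # SIGTERM is asynchronous: if the old snort is slow to exit, the new one
    # may fail to attach to the interface. Kept as in the original; waiting on
    # the pid files listed in the header would be the proper fix.
    do_stop
    do_start
    ;;
  status)
    do_status
    ;;
  *)
    echo "Usage: snortbarn {start|stop|restart|status}" >&2
    exit 3
    ;;
esac
exit 0
/Autosnort-CentOS/Previous_Rel/previous interface install scripts/aanval-centOS.sh:
#!/bin/bash
#Aanval shell script 'module'
#Sets up Aanval for Autosnort
#WARNING: DO NOT TRY TO USE AANVAL TO MANAGE THE SENSOR!
#GETTING THIS TO ACTUALLY WORK IS GOING TO TAKE A LOT OF TIME AND EFFORT
#TO FIGURE OUT WHERE AANVAL IS TRYING TO LOOK FOR THINGS, NOT TO MENTION
#SOME RE-WORKING OF AUTOSNORT ITSELF...THIS IS STRICTLY TO GET THE IDS
#EVENT VIEW FUNCTIONALITY WORKING.

echo "grabbing packages for aanval"
#grab packages for aanval most of the primary required packages are pulled by the main AS script.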
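if ! yum -y install perl-Crypt-SSLeay perl-libwww-perl perl-Archive-Tar perl-IO-Socket-SSL openssl-devel; then
  echo "Failed to install the packages aanval needs. Check the yum output and try again."
  exit 1
fi

echo "making the aanval web UI directory"
#Make the aanval directory under /var/www/html, and cd into it.
#Everything below (tar, chcon) assumes the cd worked, so bail out if it did not
#instead of unpacking the console into whatever directory we were started from.
mkdir -p /var/www/html/aanval
cd /var/www/html/aanval || { echo "Could not enter /var/www/html/aanval."; exit 1; }

# We need to grab aanval from the aanval.com site. If this fails, we exit the script with a status of 1
# A check needs to be built into the main script to verify this script exits cleanly. If it doesn't,
# The user should be informed and brought back to the main interface selection menu.
# The archive is unpacked straight into the web root, so it is fetched with
# TLS verification on: the original passed --no-check-certificate, which lets
# anyone on the network path hand us an archive of their own.
echo "grabbing aanval."
if wget https://www.aanval.com/download/pickup -O aanval.tar.gz; then
  echo "Successfully downloaded the aanval tarball."
else
  echo "Attempt to pull down aanval console failed. Please verify network connectivity and try again."
  exit 1
fi
if ! tar -xzvf aanval.tar.gz; then
  echo "Could not unpack aanval.tar.gz."
  rm -f aanval.tar.gz
  exit 1
fi
rm aanval.tar.gz

#Creating the database infrastructure for Aanval -- We make the database aanvaldb and give the snort user the ability to do work on it.
#This database is totally separate from the snort database, BOTH must be present.

while true; do
  echo "enter the mysql root user password to create the aanvaldb database."
  if mysql -u root -p -e "create database aanvaldb;"; then
    echo "aanvaldb database created!"
    break
  fi
  echo "the command did NOT complete successfully. (bad password?) Please try again."
done

#note: need to pass off mysql_pass_1 as an environment variable in the main script:
#code: ask for snort database password, save to var MYSQL_PASS_1 (yes, case matters)
#export MYSQL_PASS_1, call it in child shell script for aanval. ($MYSQL_PASS_1)

# Refuse to go on with an empty password rather than creating a passwordless
# snort@localhost account.
: "${MYSQL_PASS_1:?MYSQL_PASS_1 must be exported by the main Autosnort script}"
# A single quote inside the password would end the SQL string literal early;
# MySQL accepts a doubled quote as the escape.
aanval_db_pass=${MYSQL_PASS_1//\'/\'\'}

while true; do
  echo "you'll need to enter the mysql root user password one more time to grant the snort database user permissions to the aanvaldb database."
  # The statement is fed on stdin instead of -e so the snort password does not
  # show up in the process list; -p still prompts on the terminal.
  if mysql -u root -p <<EOF
grant create, insert, select, delete, update on aanvaldb.* to snort@localhost identified by '$aanval_db_pass';
EOF
  then
    echo "database access granted!"
    break
  fi
  echo "the command did NOT complete successfully. (bad password?) Please try again."
done
echo ""
echo "modifying SELinux to allow httpd access to aanval directory and mysql database. This will take a moment or two. please be patient."
echo ""
#discovered during testing that this HAD to be set for aanval to be able to talk to the mysql database.
setsebool -P httpd_can_network_connect_db 1
#this is to ensure httpd has access to do what it needs to files in /var/www/html/aanval
cd /var/www/html || exit 1
chcon -R -t httpd_sys_rw_content_t aanval/

echo ""
echo ""
echo "SELinux reconfigured. Remember: you need to poke a hole in the firewall for port 80!"
echo ""
echo ""

exit 0
/Autosnort-CentOS/Previous_Rel/previous interface install scripts/snortreport-centOS.sh:
#!/bin/bash
#Snortreport shell script 'module'
#Sets up snort report for Autosnort

#Grab jpgraph and throw it in /var/www/html/
#Required to display graphs in snort report UI
# NOTE(review): both tarballs below arrive over plain http with no checksum or
# signature check and are unpacked into the web root as-is.

echo "Downloading and installing jpgraph."

cd /usr/src || exit 1
if wget http://hem.bredband.net/jpgraph/jpgraph-1.27.1.tar.gz; then
  echo "Successfully downloaded the jpgraph tarball."
else
  echo "Attempt to pull down jpgraph failed. Please verify network connectivity and try again."
  exit 1
fi
mkdir -p /var/www/html/jpgraph
if ! tar -xzvf jpgraph-1.27.1.tar.gz; then
  echo "Could not unpack jpgraph-1.27.1.tar.gz."
  exit 1
fi
cp -r jpgraph-1.27.1/src /var/www/html/jpgraph

echo "jpgraph downloaded to /usr/src. installed to /var/www/html/jpgraph."

#now to install snort report.

echo "downloading and installing snort report"

cd /usr/src || exit 1
if wget http://www.symmetrixtech.com/ids/snortreport-1.3.3.tar.gz; then
  echo "Successfully downloaded the snortreport tarball."
else
  echo "Attempt to pull down snortreport failed. Please verify network connectivity and try again."
  exit 1
fi

if ! tar -xzvf snortreport-1.3.3.tar.gz -C /var/www/html/; then
  echo "Could not unpack snortreport-1.3.3.tar.gz."
  exit 1
fi
mv /var/www/html/snortreport-1.3.3 /var/www/html/snortreport

#Decided to change the script: the main script should make the user create a snort database user and assign it password.
#At this point, we should automatically drop this password into srconf.php instead of asking the user if they want to.
#If the user wants this to work, they have to do it anyhow.

: "${MYSQL_PASS_1:?MYSQL_PASS_1 must be exported by the main Autosnort script}"
# The password becomes a sed replacement string. The original spliced it in
# unquoted, so a "/", "&", "\" or space in it broke the edit (or rewrote the
# wrong text); escape those characters first. Editing in place also drops the
# detour through /root/srconf.php.tmp.
sr_pass_escaped=$(printf '%s' "$MYSQL_PASS_1" | sed -e 's/[\/&\\]/\\&/g')
sed -i "s/YOURPASS/${sr_pass_escaped}/" /var/www/html/snortreport/srconf.php
echo "password insertion complete."
echo ""

#known problem with snort report 1.3.3 not playing nice on systems that have the short_open_tag directive in php.ini set to off, as well as a requirement to reconfigure SELinux to allow httpd to perform r/w operations in /var/www/html. Give the user a choice if they want the script to automatically resolve this, or if they plan on adding in proper php open tags on their own and/or reconfiguring/turning off SELinux (not recommended!)

echo ""
echo "Would you like me to to set the short_open_tag directive in php.ini to on and configure SELinux for snort report?"
echo "Please see http://autosnort.blogspot.com/2012/11/how-to-fix-problems-with-snort-report.html as to why this is important"
echo ""
while true; do
  read -r -p "
Select 1 for autosnort to enable short_open_tag and reconfigure SELinux
Select 2 to continue if you plan on reconfiguring SELinux manually and/or the php scripts with short open tags manually
" srecon
  case "$srecon" in
    1 )
      echo "Reconfiguring php.ini..."
      echo ""
      sed -i 's/short\_open\_tag \= Off/short\_open\_tag \= On/' /etc/php.ini
      echo "Reconfiguring SELinux to allow httpd r/w access to snort report directory"
      echo ""
      cd /var/www/html || exit 1
      chcon -R -t httpd_sys_rw_content_t snortreport/
      echo ""
      echo "We're all done here. Don't forget to reconfigure CentOS' firewall (system-configure-firewall-tui) to allow your web server port inbound!"
      break
      ;;
    2 )
      echo ""
      echo "Right then, moving on."
      break
      ;;
    * )
      echo ""
      echo "Invalid choice. Select 1 or 2 as your options, please."
      ;;
  esac
done


exit 0
/Autosnort-Ubuntu/Previous_Rel/previous interface install scripts/base-ubuntu-02-01-2014.sh:
#!/bin/bash
#BASE shell script 'module'
#Sets up BASE for Autosnort
#Updated on 2/1/2014

########################################
#logging setup: Stack Exchange made this.
#Everything the script prints from here on is copied to $base_logfile through a
#short-lived fifo; the fifo is unlinked as soon as exec has re-opened it.

base_logfile=/var/log/base_install.log
mkfifo "${base_logfile}.pipe"
tee < "${base_logfile}.pipe" "$base_logfile" &
exec &> "${base_logfile}.pipe"
rm "${base_logfile}.pipe"

########################################
#Metasploit-like print statements: status, good, bad and notification. Gratuitously copied from Darkoperator's metasploit install script.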
17 | 18 | function print_status () 19 | { 20 | echo -e "\x1B[01;34m[*]\x1B[0m $1" 21 | } 22 | 23 | function print_good () 24 | { 25 | echo -e "\x1B[01;32m[*]\x1B[0m $1" 26 | } 27 | 28 | function print_error () 29 | { 30 | echo -e "\x1B[01;31m[*]\x1B[0m $1" 31 | } 32 | 33 | function print_notification () 34 | { 35 | echo -e "\x1B[01;33m[*]\x1B[0m $1" 36 | } 37 | 38 | ######################################## 39 | #grab packages for BASE, and supresses the notification for libphp-adodb. Most of the primary required packages are pulled by the main AS script. 40 | 41 | print_status "Grabbing packages required for BASE.." 42 | 43 | echo libphp-adodb libphp-adodb/pathmove note | debconf-set-selections 44 | apt-get install -y libphp-adodb ca-certificates php-pear libwww-perl php5 php5-mysql php5-gd &>> $base_logfile 45 | if [ $? != 0 ];then 46 | print_error "Failed to acquire required packages for Base. See $base_logfile for details." 47 | exit 1 48 | else 49 | print_good "Successfully acquired packages." 50 | fi 51 | 52 | ######################################## 53 | 54 | #These are php-pear config commands Seen in the 2.9.4.0 install guide for Debian. 55 | 56 | print_status "Setting php-pear options.." 57 | 58 | pear config-set preferred_state alpha &>> $base_logfile 59 | pear channel-update pear.php.net &>> $base_logfile 60 | pear install --alldeps Image_Color Image_Canvas Image_Graph &>> $base_logfile 61 | 62 | print_good "Successfully configured php-pear options." 63 | 64 | #Have to adjust PHP logging otherwise BASE will barf on startup. 65 | 66 | print_status "Reconfiguring php error reporting for BASE.." 67 | sed -i 's/error_reporting \= E_ALL \& ~E_DEPRECATED/error_reporting \= E_ALL \& ~E_NOTICE/' /etc/php5/apache2/php.ini 68 | 69 | ######################################## 70 | 71 | #The BASE tarball creates a directory for us, all we need to do is move to webroot. 72 | 73 | print_status "Installing BASE.." 
74 | 75 | cd /var/www/ 76 | 77 | # We need to grab BASE from sourceforge. If this fails, we exit the script with a status of 1 78 | # A check is built into the main script to verify this script exits cleanly. If it doesn't, 79 | # The user should be informed and brought back to the main interface selection menu. 80 | 81 | print_status "Grabbing BASE via Sourceforge.." 82 | 83 | wget http://sourceforge.net/projects/secureideas/files/BASE/base-1.4.5/base-1.4.5.tar.gz -O base-1.4.5.tar.gz &>> $base_logfile 84 | 85 | if [ $? != 0 ];then 86 | print_error "Attempt to pull down BASE failed. See $base_logfile for details." 87 | exit 1 88 | else 89 | print_good "Successfully downloaded the BASE tarball." 90 | fi 91 | 92 | tar -xzvf base-1.4.5.tar.gz &>> $base_logfile 93 | if [ $? != 0 ];then 94 | print_error "Attempt to install BASE has failed. See $base_logfile for details." 95 | exit 1 96 | else 97 | print_good "Successfully installed base to /var/www/base." 98 | fi 99 | 100 | rm base-1.4.5.tar.gz 101 | mv base-* base 102 | 103 | print_status "Resetting default site DocumentRoot to /var/www/base." 104 | sed -i 's/DocumentRoot \/var\/www/DocumentRoot \/var\/www\/base/' /etc/apache2/sites-available/*default* 105 | 106 | #BASE requires the /var/www/ directory to be owned by www-data 107 | print_status "Granting ownership of /var/www to www-data user and group." 108 | chown -R www-data:www-data /var/www 109 | 110 | print_notification "The log file for this interface installation is located at: $base_logfile" 111 | 112 | exit 0 -------------------------------------------------------------------------------- /Offline/as-offline-README.txt: -------------------------------------------------------------------------------- 1 | Documentation: Autosnort offline installer. 2 | Supported Operating Systems: Ubuntu 12.04 32-bit and 64-bit, Debian 6 32-bit and 64-bit. 

Before you begin, you will need the following:
1) root access on both your online AND offline systems
2) as-offline-stage1.sh
3) as-offline-stage2.sh
4) dpkgorder$OS$arch.txt, where $OS is Ubuntu or Debian and $arch is i686 (32-bit) or x86_64 (64-bit)
5) create-sidmap.pl (special note: this script was NOT created by me. It is included as a part of the Oinkmaster suite. I am simply including it here as a part of the script as a convenience. If you wish for me to remove the create-sidmap.pl script, please contact me!)
6) VRT rules tarball
7) a system with internet access that is similar to the offline system you plan on running this script on. By similar I mean:
-Same Distro (Ubuntu 12.04)
-Same arch (x86_64 || i386)
-Same software version (e.g. 12.04)
-Either a base install of the OS, or an install that is quite literally identical, so you don't end up with missing packages. Use clonezilla/acronis/DD or whatever to clone the OS if you have to here, or just use the stage 1 script on a base install of the operating system and architecture you plan to install the stage 2 script on.

Guide:

Step 1: Drop the stage 1 shell script, dpkgorder$OS$arch.txt, and create-sidmap.pl files on to your system with internet access. Make sure they are in the same directory!

Step 2: Run the stage 1 shell script. It may take a bit of time, depending on your internet connection. The stage 1 script grabs all the packages required via apt-get,
but will NOT install them on this system, only download them for use on your offline system. Afterwards, the script will also download:

-jpgraph
-snortreport 1.3.3
-libdnet 1.12
-the latest version of snort and DAQ

Finally the script will tar it all up for you to sneakernet it to your offline system.
At this point, you should have 2 tarballs: 30 | 31 | -AS_offline_$OS$arch.tar.gz 32 | --contains the .deb packages 33 | --contains the .deb installer list file (dpkgorder$OS$arch.txt) 34 | --contains the source tarballs for snort, daq, snortreport, jpgraph and libdnet 35 | --contains create-sidmap.pl 36 | -snortrules-snapshot-[snortver].tar.gz 37 | --da rulez for snort. 38 | --a basic snort.conf 39 | 40 | note: the script only does the bare minimum to snort.conf to get it to work. modifying snort.conf is completely left to the user! 41 | 42 | Step 3: Copy these two tarballs to whatever media you plan on using to copy it to the offline system. I recommend something with a capacity of at least 256mb (shouldn't be hard to find) 43 | 44 | Step 4: Drop the stage 2 shellscript and both of the tarballs above on to your offline system, into the same directory 45 | 46 | Step 5: Run the stage 2 shellscript and follow the prompts. the script will unpack and install everything. You should have a running IDS installation by the time we're done here. 47 | 48 | Special considerations: 49 | -If you want snort and barnyard to be daemonized (that is run automatically on boot), then you MUST have at least two network interfaces, or be willing to lose network connectivity on your single interface. 50 | 51 | This is because the installer will configure the sniffing interface to come up automatically on boot -- without an ip address, in promiscuous mode and to ignore any and all arp traffic (promisc mode will 52 | pick it up, but the interface will NOT respond to any ARP requests. period.) this is per IDS best practices: Dedicate 1 interface for sniffing, and a second interface for carrying traffic to interact with the IDS. 53 | 54 | If you only have one interface on your IDS you will either need console access to the system to manage it, or select the option to NOT configure the interface on boot and/or daemonize snort/barnyard2. 
55 | 56 | Other recommendations: 57 | run iptables on the interface that will be carrying traffic to interact with the IDS. snortreport runs on port 80, and traditionally, SSH is used to get a shell session on linux systems. usually this is port 22. In the future I may provide an iptables autoconfiguration script... but for now, I leave firewall configuration as an exercise to the user. -------------------------------------------------------------------------------- /Autosnort-Debian/Previous_Rel/previous interface install scripts/base-debian-02-08-2014.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | #BASE shell script 'module' for Debian. 3 | #Sets up BASE for Autosnort 4 | 5 | ######################################## 6 | #logging setup: Stack Exchange made this. 7 | 8 | base_logfile=/var/log/base_install.log 9 | mkfifo ${base_logfile}.pipe 10 | tee < ${base_logfile}.pipe $base_logfile & 11 | exec &> ${base_logfile}.pipe 12 | rm ${base_logfile}.pipe 13 | 14 | ######################################## 15 | #Metasploit-like print statements: status, good, bad and notification. Gratuitously copied from Darkoperator's metasploit install script. 16 | 17 | function print_status () 18 | { 19 | echo -e "\x1B[01;34m[*]\x1B[0m $1" 20 | } 21 | 22 | function print_good () 23 | { 24 | echo -e "\x1B[01;32m[*]\x1B[0m $1" 25 | } 26 | 27 | function print_error () 28 | { 29 | echo -e "\x1B[01;31m[*]\x1B[0m $1" 30 | } 31 | 32 | function print_notification () 33 | { 34 | echo -e "\x1B[01;33m[*]\x1B[0m $1" 35 | } 36 | 37 | ######################################## 38 | #grab packages for BASE, and supresses the notification for libphp-adodb. Most of the primary required packages are pulled by the main AS script. 39 | 40 | print_status "Grabbing packages required for BASE." 
41 | 42 | echo libphp-adodb libphp-adodb/pathmove note | debconf-set-selections 43 | apt-get install -y libphp-adodb ca-certificates php-pear libwww-perl php5 php5-mysql php5-gd &>> $base_logfile 44 | if [ $? != 0 ];then 45 | print_error "Failed to acquire required packages for Base. See $base_logfile for details." 46 | exit 1 47 | else 48 | print_good "Successfully acquired packages." 49 | fi 50 | 51 | ######################################## 52 | 53 | #These are php-pear config commands Seen in the 2.9.4.0 install guide for Debian. 54 | 55 | print_status "Configuring php via php-pear." 56 | 57 | pear config-set preferred_state alpha &>> $base_logfile 58 | pear channel-update pear.php.net &>> $base_logfile 59 | pear install --alldeps Image_Color Image_Canvas Image_Graph &>> $base_logfile 60 | if [ $? != 0 ];then 61 | print_error "Failed to acquire required packages for Base. See $base_logfile for details." 62 | exit 1 63 | else 64 | print_good "Successfully acquired packages via pear install." 65 | fi 66 | 67 | print_good "Successfully configured php via php-pear." 68 | 69 | #Have to adjust PHP logging otherwise BASE will barf on startup. 70 | 71 | print_status "Reconfiguring php error reporting for BASE." 72 | sed -i 's/error_reporting \= E_ALL \& ~E_DEPRECATED/error_reporting \= E_ALL \& ~E_NOTICE/' /etc/php5/apache2/php.ini 73 | 74 | ######################################## 75 | 76 | #The BASE tarball creates a directory for us, all we need to do is move to webroot. 77 | 78 | print_status "Installing BASE." 79 | 80 | cd /var/www/ 81 | 82 | # We need to grab BASE from sourceforge. If this fails, we exit the script with a status of 1 83 | # A check is built into the main script to verify this script exits cleanly. If it doesn't, 84 | # The user should be informed and brought back to the main interface selection menu. 85 | 86 | print_status "Grabbing BASE via Sourceforge." 
87 | 88 | wget http://sourceforge.net/projects/secureideas/files/BASE/base-1.4.5/base-1.4.5.tar.gz -O base-1.4.5.tar.gz &>> $base_logfile 89 | 90 | if [ $? != 0 ];then 91 | print_error "Attempt to pull down BASE failed. See $base_logfile for details." 92 | exit 1 93 | else 94 | print_good "Successfully downloaded the BASE tarball." 95 | fi 96 | 97 | tar -xzvf base-1.4.5.tar.gz &>> $base_logfile 98 | if [ $? != 0 ];then 99 | print_error "Attempt to install BASE has failed. See $base_logfile for details." 100 | exit 1 101 | else 102 | print_good "Successfully installed base to /var/www/base." 103 | fi 104 | 105 | rm base-1.4.5.tar.gz 106 | mv base-* base 107 | 108 | print_status "Resetting default site DocumentRoot to /var/www/base." 109 | sed -i 's/DocumentRoot \/var\/www/DocumentRoot \/var\/www\/base/' /etc/apache2/sites-available/*default* 110 | 111 | #BASE requires the /var/www/ directory to be owned by www-data 112 | print_status "Granting ownership of /var/www to www-data user and group." 113 | chown -R www-data:www-data /var/www 114 | 115 | print_notification "The log file for this interface installation is located at: $base_logfile" 116 | 117 | exit 0 -------------------------------------------------------------------------------- /Autosnort-CentOS/Previous_Rel/previous interface install scripts/base-CentOS-03-07-14.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | #BASE shell script 'module' 3 | #Sets up BASE for for Autosnort 4 | 5 | ######################################## 6 | #logging setup: Stack Exchange made this. 7 | 8 | base_logfile=/var/log/base_install.log 9 | mkfifo ${base_logfile}.pipe 10 | tee < ${base_logfile}.pipe $base_logfile & 11 | exec &> ${base_logfile}.pipe 12 | rm ${base_logfile}.pipe 13 | 14 | ######################################## 15 | #Metasploit-like print statements: status, good, bad and notification. Gratuitously copied from Darkoperator's metasploit install script. 
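
#######################################
# Coloured "[*]" status line (blue). $1 is printed verbatim; unlike the
# original echo -e, backslash sequences inside the message are not expanded.
#######################################
print_status()
{
  printf '\x1B[01;34m[*]\x1B[0m %s\n' "$1"
}

#######################################
# Success line (green).
#######################################
print_good()
{
  printf '\x1B[01;32m[*]\x1B[0m %s\n' "$1"
}

#######################################
# Error line (red).
#######################################
print_error()
{
  printf '\x1B[01;31m[*]\x1B[0m %s\n' "$1"
}

#######################################
# Notification line (yellow).
#######################################
print_notification()
{
  printf '\x1B[01;33m[*]\x1B[0m %s\n' "$1"
}

########################################
#grab packages for BASE. Most of the other required packages are pulled by the main AS script.

print_status "Grabbing packages required for BASE.."

if yum -y install php php-common php-gd php-cli php-mysql php-pear.noarch php-adodb.noarch perl-libwww-perl openssl-devel mod_ssl &>> "$base_logfile"; then
  print_good "Successfully acquired packages."
else
  print_error "Failed to acquire required packages for Base. See $base_logfile for details."
  exit 1
fi

########################################

#These are php-pear config commands Seen in the 2.9.4.0 install guide for Debian.

print_status "Configuring php via php-pear.."

pear config-set preferred_state alpha &>> "$base_logfile"
pear channel-update pear.php.net &>> "$base_logfile"
if pear install --alldeps Image_Color Image_Canvas Image_Graph &>> "$base_logfile"; then
  print_good "Successfully configured php and acquired packages via php pear."
else
  print_error "Failed to acquire required packages for Base. See $base_logfile for details."
  exit 1
fi

#Have to adjust PHP logging otherwise BASE will barf on startup.

print_status "Reconfiguring php error reporting for BASE.."
sed -i 's#error_reporting \= E_ALL \& ~E_DEPRECATED#error_reporting \= E_ALL \& ~E_NOTICE#' /etc/php.ini

########################################

#Move to DocumentRoot, grab base, untar it and rename the directory to just 'base' for simplicity sake.

print_status "Installing BASE.."

# Everything below uses relative paths (base/), so a failed cd must not fall
# through into whatever directory the script was launched from.
cd /var/www/html || { print_error "Could not enter /var/www/html."; exit 1; }

# We need to grab BASE from sourceforge. If this fails, we exit the script with a status of 1
# A check is built into the main script to verify this script exits cleanly. If it doesn't,
# The user should be informed and brought back to the main interface selection menu.
# NOTE(review): the tarball arrives over plain http with no checksum or
# signature check and is unpacked straight into the web root.

print_status "Grabbing BASE via Sourceforge.."

if wget http://sourceforge.net/projects/secureideas/files/BASE/base-1.4.5/base-1.4.5.tar.gz -O base-1.4.5.tar.gz &>> "$base_logfile"; then
  print_good "Successfully downloaded the BASE tarball."
else
  print_error "Attempt to pull down BASE failed. See $base_logfile for details."
  exit 1
fi

if tar -xzvf base-1.4.5.tar.gz &>> "$base_logfile"; then
  print_good "Successfully installed base to /var/www/html/base."
else
  print_error "Attempt to install BASE has failed. See $base_logfile for details."
  exit 1
fi

rm base-1.4.5.tar.gz
# With the tarball gone, base-* should match only the extracted directory.
mv base-* base

########################################

#Other configuration Errata specific to CentOS to get this to work:
#Resetting DocumentRoot
#Setting ownership of all Base's stuff to be owned by apache
#Aand of course, SELinux permission changes found that BASE needs httpd_sys_rw_content_t perms to work with the database.

#making a copy of httpd.conf before we reset DocumentRoot, in case the script explodes in a fit of rage, the user has a backup httpd.conf.
if ! cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.orig; then
  print_error "Could not back up httpd.conf; leaving it untouched."
  exit 1
fi
print_status "Resetting default site DocumentRoot and Directory to /var/www/html/base."
# Global replace: every /var/www/html in httpd.conf (DocumentRoot, the matching
# <Directory> block and any other mention) becomes /var/www/html/base.
sed -i 's#/var/www/html#/var/www/html/base#g' /etc/httpd/conf/httpd.conf &>> "$base_logfile"


#BASE requires the /var/www/html directory to be owned by apache
print_status "Granting ownership of /var/www/html/base recursively to apache user and group.."
chown -R apache:apache base/ &>> "$base_logfile"

print_status "Configuring SELinux permissions for the httpd_sys_rw_content_t context recursively under /var/www/html/base.."
chcon -R -t httpd_sys_rw_content_t base/ &>> "$base_logfile"

print_notification "The log file for this interface installation is located at: $base_logfile"

exit 0

/Autosnort-Debian/Previous_Rel/previous interface install scripts/snortreport-debian-02-08-2014.sh:
#!/bin/bash
#Snortreport shell script 'module'
#Sets up snort report for Autosnort on Debian Systems

########################################
#logging setup: Stack Exchange made this.
#Everything printed from here on is also copied to $sreport_logfile through a
#short-lived fifo; the fifo is unlinked as soon as exec has re-opened it.

sreport_logfile=/var/log/sr_install.log
mkfifo "${sreport_logfile}.pipe"
tee < "${sreport_logfile}.pipe" "$sreport_logfile" &
exec &> "${sreport_logfile}.pipe"
rm "${sreport_logfile}.pipe"

########################################
#Metasploit-like print statements: status, good, bad and notification. Gratuitously copied from Darkoperator's metasploit install script.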
16 | 17 | function print_status () 18 | { 19 | echo -e "\x1B[01;34m[*]\x1B[0m $1" 20 | } 21 | 22 | function print_good () 23 | { 24 | echo -e "\x1B[01;32m[*]\x1B[0m $1" 25 | } 26 | 27 | function print_error () 28 | { 29 | echo -e "\x1B[01;31m[*]\x1B[0m $1" 30 | } 31 | 32 | function print_notification () 33 | { 34 | echo -e "\x1B[01;33m[*]\x1B[0m $1" 35 | } 36 | 37 | ######################################## 38 | 39 | print_status "Installing packages for Snort Report.." 40 | 41 | apt-get install -y php5 php5-mysql php5-gd nmap nbtscan &>> $sreport_logfile 42 | if [ $? != 0 ];then 43 | print_error "Failed to acquire required packages for Snortreport. See $sreport_logfile for details." 44 | exit 1 45 | else 46 | print_good "Successfully acquired packages." 47 | fi 48 | 49 | ######################################## 50 | 51 | #Grab jpgraph and throw it in /var/www 52 | #Required to display graphs in snort report UI 53 | 54 | print_status "Downloading and installing jpgraph.." 55 | 56 | cd /var/www 57 | 58 | wget http://jpgraph.net/download/download.php?p=5 -O jpgraph305.tar.gz &>> $sreport_logfile 59 | if [ $? != 0 ];then 60 | print_error "Attempt to pull down jpgraph failed. See $sreport_logfile for details." 61 | exit 1 62 | else 63 | print_good "Successfully downloaded jpgraph." 64 | fi 65 | 66 | print_status "Installing jpgraph.." 67 | 68 | tar -xzvf jpgraph305.tar.gz &>> $sreport_logfile 69 | if [ $? != 0 ];then 70 | print_error "Attempt to install jpgraph failed. See $sreport_logfile for details." 71 | exit 1 72 | else 73 | print_good "Successfully installed jpgraph." 74 | fi 75 | 76 | rm -rf jpgraph305.tar.gz 77 | mv jpgraph-3* jpgraph 78 | 79 | ######################################## 80 | 81 | #now to install snort report. 82 | 83 | print_status "downloading and installing Snort Report.." 84 | 85 | 86 | wget http://www.symmetrixtech.com/ids/snortreport-1.3.4.tar.gz &>> $sreport_logfile 87 | if [ $? 
!= 0 ];then 88 | print_error "Attempt to pull down Snortreport failed. See $sreport_logfile for details." 89 | exit 1 90 | else 91 | print_good "Successfully downloaded Snort Report." 92 | fi 93 | 94 | tar -xzvf snortreport-1.3.4.tar.gz &>> $sreport_logfile 95 | if [ $? != 0 ];then 96 | print_error "Attempt to install Snort Report failed. See $sreport_logfile for details." 97 | exit 1 98 | else 99 | print_good "Successfully installed Snort Report." 100 | fi 101 | 102 | rm -rf snortreport-1.3.4.tar.gz 103 | mv /var/www/snortreport-1.3.4 /var/www/snortreport 104 | 105 | ######################################## 106 | 107 | print_status "Pointing Snort Report to the mysql database.." 108 | 109 | sed -i 's/PASSWORD/'$MYSQL_PASS_1'/' /var/www/snortreport/srconf.php 110 | 111 | print_good "Snort Report successfully configured to talk to mysql database." 112 | 113 | ######################################## 114 | 115 | # Snort Report is littered with short open tags. 116 | # sed statement 1 removes all short open tags, but breaks some things. 117 | # sed statement 2 fixes some of the things that sed statement 1 mistakenly replaced 118 | # sed statement 3 fixes all instances of ${sreport_logfile}.pipe 13 | rm ${sreport_logfile}.pipe 14 | 15 | ######################################## 16 | #Metasploit-like print statements: status, good, bad and notification. Gratuitously copied from Darkoperator's metasploit install script. 17 | 18 | function print_status () 19 | { 20 | echo -e "\x1B[01;34m[*]\x1B[0m $1" 21 | } 22 | 23 | function print_good () 24 | { 25 | echo -e "\x1B[01;32m[*]\x1B[0m $1" 26 | } 27 | 28 | function print_error () 29 | { 30 | echo -e "\x1B[01;31m[*]\x1B[0m $1" 31 | } 32 | 33 | function print_notification () 34 | { 35 | echo -e "\x1B[01;33m[*]\x1B[0m $1" 36 | } 37 | 38 | ######################################## 39 | 40 | print_status "Installing packages for Snortreport.." 
41 | 42 | apt-get install -y php5 php5-mysql php5-gd nmap nbtscan &>> $sreport_logfile 43 | if [ $? != 0 ];then 44 | print_error "Failed to acquire required packages for Snortreport. See $sreport_logfile for details." 45 | exit 1 46 | else 47 | print_good "Successfully acquired packages." 48 | fi 49 | 50 | ######################################## 51 | 52 | #Grab jpgraph and throw it in /var/www 53 | #Required to display graphs in snort report UI 54 | 55 | print_status "Downloading and installing jpgraph.." 56 | 57 | cd /var/www 58 | 59 | wget http://jpgraph.net/download/download.php?p=5 -O jpgraph305.tar.gz &>> $sreport_logfile 60 | if [ $? != 0 ];then 61 | print_error "Attempt to pull down jpgraph failed. See $sreport_logfile for details." 62 | exit 1 63 | else 64 | print_good "Successfully downloaded jpgraph." 65 | fi 66 | 67 | print_status "Installing jpgraph.." 68 | 69 | tar -xzvf jpgraph305.tar.gz &>> $sreport_logfile 70 | if [ $? != 0 ];then 71 | print_error "Attempt to install jpgraph failed. See $sreport_logfile for details." 72 | exit 1 73 | else 74 | print_good "Successfully installed jpgraph." 75 | fi 76 | 77 | rm -rf jpgraph305.tar.gz 78 | mv jpgraph-3* jpgraph 79 | 80 | ######################################## 81 | 82 | #now to install snort report. 83 | 84 | print_status "downloading and installing Snort Report.." 85 | 86 | 87 | wget http://www.symmetrixtech.com/ids/snortreport-1.3.4.tar.gz &>> $sreport_logfile 88 | if [ $? != 0 ];then 89 | print_error "Attempt to pull down Snort Report failed. See $sreport_logfile for details." 90 | exit 1 91 | else 92 | print_good "Successfully downloaded Snort Report." 93 | fi 94 | 95 | tar -xzvf snortreport-1.3.4.tar.gz &>> $sreport_logfile 96 | if [ $? != 0 ];then 97 | print_error "Attempt to install Snort Report failed. See $sreport_logfile for details." 98 | exit 1 99 | else 100 | print_good "Successfully installed Snort Report." 
101 | fi 102 | 103 | rm -rf snortreport-1.3.4.tar.gz 104 | mv /var/www/snortreport-1.3.4 /var/www/snortreport 105 | 106 | ######################################## 107 | 108 | print_status "Pointing Snort Report to the mysql database.." 109 | 110 | sed -i 's/PASSWORD/'$MYSQL_PASS_1'/' /var/www/snortreport/srconf.php 111 | 112 | print_good "Snort Report successfully configured to talk to mysql database." 113 | 114 | ######################################## 115 | 116 | # Snort Report is littered with short open tags. 117 | # sed statement 1 removes all short open tags, but breaks some things. 118 | # sed statement 2 fixes some of the things that sed statement 1 mistakenly replaced 119 | # sed statement 3 fixes all instances of ${sreport_logfile}.pipe 12 | rm ${sreport_logfile}.pipe 13 | 14 | ######################################## 15 | #Metasploit-like print statements: status, good, bad and notification. Gratouitiously copied from Darkoperator's metasploit install script. 16 | 17 | function print_status () 18 | { 19 | echo -e "\x1B[01;34m[*]\x1B[0m $1" 20 | } 21 | 22 | function print_good () 23 | { 24 | echo -e "\x1B[01;32m[*]\x1B[0m $1" 25 | } 26 | 27 | function print_error () 28 | { 29 | echo -e "\x1B[01;31m[*]\x1B[0m $1" 30 | } 31 | 32 | function print_notification () 33 | { 34 | echo -e "\x1B[01;33m[*]\x1B[0m $1" 35 | } 36 | 37 | ######################################## 38 | 39 | print_status "Installing packages for Snortreport." 40 | 41 | apt-get install -y php5 php5-mysql php5-gd nmap nbtscan &>> $sreport_logfile 42 | if [ $? != 0 ];then 43 | print_error "Failed to acquire required packages for Snortreport. See $sreport_logfile for details." 44 | exit 1 45 | else 46 | print_good "Successfully acquired packages." 47 | fi 48 | 49 | ######################################## 50 | 51 | #Grab jpgraph and throw it in /var/www 52 | #Required to display graphs in snort report UI 53 | 54 | print_status "Downloading and installing jpgraph." 
55 | 56 | cd /var/www 57 | 58 | wget http://hem.bredband.net/jpgraph/jpgraph-1.27.1.tar.gz &>> $sreport_logfile 59 | if [ $? != 0 ];then 60 | print_error "Attempt to pull down jpgraph failed. See $sreport_logfile for details." 61 | exit 1 62 | else 63 | print_good "Successfully downloaded jpgraph." 64 | fi 65 | 66 | print_status "Installing jpgraph." 67 | 68 | tar -xzvf jpgraph-1.27.1.tar.gz &>> $sreport_logfile 69 | if [ $? != 0 ];then 70 | print_error "Attempt to install jpgraph failed. See $sreport_logfile for details." 71 | exit 1 72 | else 73 | print_good "Successfully installed jpgraph." 74 | fi 75 | 76 | rm -rf jpgraph-1.27.1.tar.gz 77 | mv jpgraph-1.27.1 jpgraph 78 | 79 | ######################################## 80 | 81 | #now to install snort report. 82 | 83 | print_status "downloading and installing Snortreport." 84 | 85 | 86 | wget http://www.symmetrixtech.com/ids/snortreport-1.3.3.tar.gz &>> $sreport_logfile 87 | if [ $? != 0 ];then 88 | print_error "Attempt to pull down Snortreport failed. See $sreport_logfile for details." 89 | exit 1 90 | else 91 | print_good "Successfully downloaded Snortreport." 92 | fi 93 | 94 | tar -xzvf snortreport-1.3.3.tar.gz &>> $sreport_logfile 95 | if [ $? != 0 ];then 96 | print_error "Attempt to install Snortreport failed. See $sreport_logfile for details." 97 | exit 1 98 | else 99 | print_good "Successfully installed Snortreport." 100 | fi 101 | 102 | rm -rf snortreport-1.3.3.tar.gz 103 | mv /var/www/snortreport-1.3.3 /var/www/snortreport 104 | 105 | ######################################## 106 | 107 | print_status "Pointing Snortreport to the mysql database." 108 | 109 | sed -i 's/YOURPASS/'$MYSQL_PASS_1'/' /var/www/snortreport/srconf.php 110 | 111 | print_good "Snortreport successfully configured to talk to mysql database." 
112 | 113 | ######################################## 114 | 115 | #known problem with snort report 1.3.3 not playing nice on systems that have the short_open_tag directive in php.ini set to off -- READ:Debian by default. Give the user a choice if they want the script to automatically resolve this, or if they plan on adding in proper php open tags on their own. 116 | 117 | print_notification "Would you like me to to set the short_open_tag directive in php.ini to on for snort report?" 118 | print_notification "Please see http://autosnort.blogspot.com/2012/11/how-to-fix-problems-with-snort-report.html as to why this is important" 119 | while true; do 120 | read -p " 121 | Select 1 for autosnort to enable short_open_tag 122 | Select 2 to continue if you plan on reconfiguring the php scripts with short open tags manually 123 | " srecon 124 | case $srecon in 125 | 1 ) 126 | print_status "Reconfiguring php.ini..." 127 | sed -i 's/short\_open\_tag \= Off/short\_open\_tag \= On/' /etc/php5/apache2/php.ini 128 | print_good "php.ini successfully reconfigured." 129 | break 130 | ;; 131 | 2 ) 132 | echo "" 133 | print_notification "You have chosen to not enable short open tags." 134 | print_notification "You'll need to modify the offending php pages to remove the short open tags contained on those pages in order for the web pages to render properly." 135 | break 136 | ;; 137 | * ) 138 | echo "" 139 | print_notification "Invalid choice. Please try again." 
140 | ;; 141 | esac 142 | done 143 | 144 | print_status "Resetting default site DocumentRoot to /var/www/snortreport" 145 | sed -i 's/DocumentRoot \/var\/www/DocumentRoot \/var\/www\/snortreport/' /etc/apache2/sites-available/default 146 | 147 | print_notification "The log file for this interface installation is located at: $sreport_logfile" 148 | 149 | exit 0 150 | -------------------------------------------------------------------------------- /Offline/as-offline-stage1.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | ##################################################################################################################################### 3 | ##################################################################################################################################### 4 | # Autosnort offline installer. Downloads all required packages and .tar.gz files for autosnort. As implied, this means this script # 5 | # must be ran on a system that DOES have internet access. Also, the offline and online operating system AND distro MUST match. this # 6 | # should be a given. Be forewarned, this script is VERY VERY stripped down. If you run into problems, report them! # 7 | # twitter: @da_667 # 8 | # email: deusexmachina667@gmail.com # 9 | # Shouts to UAS and Forgottensec. I'm never there, but I'm always there. # 10 | ##################################################################################################################################### 11 | ##################################################################################################################################### 12 | 13 | # determine arch. Much uglier work-around to support Debian here. 14 | arch=`uname -a | cut -d " " -f12` 15 | # determine OS. not the cleanest method... but it works. 16 | OS=`cat /etc/issue.net | cut -d " " -f1` 17 | 18 | # This exists for idiot proofing. 
The script uses wget extensively, so I want to make sure it's there. I'm not going to bother 19 | # Checking for apt-get or dpkg because it should be there. Not going to hand-hold THAT much. 20 | 21 | 22 | which wget 2>&1 >> /dev/null 23 | if [ $? -ne 0 ]; then 24 | echo "wget not found. installing wget" 25 | echo "" 26 | apt-get -y install wget 27 | else 28 | echo "wget found." 29 | echo "" 30 | fi 31 | 32 | # The portions below are pretty easy to follow. we're making directories and making them nested parents, 33 | # Then using apt-get with the -y -d and the -o options. -y is to not be prompted to accept the download confirmation -d is to 34 | # only download the packages -o sets the script's cache directory to our newly created cache directory. the subdirectories need to be 35 | # there otherwise apt will bitch and complain. 36 | 37 | mkdir -p AS_offline_$OS$arch/apt_pkgs/archives/partial 38 | 39 | # Debian needs access to particiular apt repos to pull the required packages. We're doing a check here to see if the host OS is Debian. 40 | # Then adding the repos in question and pulling the GPG key if the host OS is Debian. 41 | 42 | if [ $OS = "Debian" ]; then 43 | echo "adding deb and deb-src via http://packages.dotdeb.org to apt sources." 44 | echo "# the below lines are added via autosnort to ensure a successful snort installation." >> /etc/apt/sources.list 45 | echo "deb http://packages.dotdeb.org squeeze all" >> /etc/apt/sources.list 46 | echo "deb-src http://packages.dotdeb.org squeeze all" >> /etc/apt/sources.list 47 | echo "adding packages.dotdeb.org gpg key." 48 | wget http://www.dotdeb.org/dotdeb.gpg && cat dotdeb.gpg | apt-key add - 49 | else 50 | echo "Not Debian. Moving on." 
51 | echo "" 52 | fi 53 | apt-get update 54 | apt-get install -y -d -o dir::cache=./AS_offline_$OS$arch/apt_pkgs ethtool nmap nbtscan apache2 php5 php5-mysql php5-gd libpcap0.8-dev libpcre3-dev g++ bison flex libpcap-ruby make autoconf libtool mysql-server libmysqlclient-dev linux-libc-dev libxpm4 55 | 56 | 57 | 58 | # Next, we need to download our source packages. we drop these in a sources directory. grabs: barnyard2, snort, daq, libdnet, snortreport, and jpgraph 59 | 60 | mkdir AS_offline_$OS$arch/sources 61 | cd AS_offline_$OS$arch/sources 62 | 63 | # Handy quick and dirty way to determine the latest stable release versions of snort and daq, then download them. 64 | wget -q http://snort.org/snort-downloads -O /tmp/snort-downloads 65 | snortver=`cat /tmp/snort-downloads | grep snort-[0-9]|cut -d">" -f2 |cut -d"<" -f1 | head -1` 66 | daqver=`cat /tmp/snort-downloads | grep daq|cut -d">" -f2 |cut -d"<" -f1 | head -1` 67 | rm /tmp/snort-downloads 68 | wget http://snort.org/dl/snort-current/$snortver -O $snortver 69 | wget http://snort.org/dl/snort-current/$daqver -O $daqver 70 | 71 | wget http://libdnet.googlecode.com/files/libdnet-1.12.tgz 72 | wget http://www.symmetrixtech.com/ids/snortreport-1.3.3.tar.gz 73 | wget http://hem.bredband.net/jpgraph/jpgraph-1.27.1.tar.gz 74 | wget http://www.securixlive.com/download/barnyard2/barnyard2-1.9.tar.gz -O barnyard2.tar.gz 75 | 76 | #get out of the packages directory and tar it up for sneakernet transit to the offline system and interaction with the stage 2 script. 77 | cd ../.. 78 | # this dpkgorder script is included with the stage1 shell script. It's MANDATORY to have this file in the archives directory. these are the 79 | # packages installed via the apt-get line above. They MUST be installed in the order presented in this file. 80 | # create-sidmap.pl is not mandatory to have, but if you want to know what snort alert 23455 is named, you'll include it. 
81 | 82 | cp dpkgorder$OS$arch.txt AS_offline_$OS$arch/apt_pkgs/archives/ 83 | cp create-sidmap.pl AS_offline_$OS$arch/sources 84 | tar -cvzf AS_offline_$OS$arch.tar.gz AS_offline_$OS$arch/ 85 | 86 | # as part of snort install: 87 | # need to symlink these two libraries on ubuntu. snort doesn't know where to find them by default. 88 | # ln -s /usr/local/lib/libdnet.1.0.1 /usr/lib/libdnet.1 89 | # ln -s /usr/local/lib/libsfbpf.so.0 /usr/lib/libsfbpf.so.0 90 | -------------------------------------------------------------------------------- /Autosnort-CentOS/Previous_Rel/previous interface install scripts/snortreport-CentOS-03-06-14.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | #Snortreport shell script 'module' 3 | #Sets up snortreport for Autosnort on CentOS Systems 4 | #modified on 08/15. Not yet tested. 5 | 6 | ######################################## 7 | #logging setup: Stack Exchange made this. 8 | 9 | sreport_logfile=/var/log/sr_install.log 10 | mkfifo ${sreport_logfile}.pipe 11 | tee < ${sreport_logfile}.pipe $sreport_logfile & 12 | exec &> ${sreport_logfile}.pipe 13 | rm ${sreport_logfile}.pipe 14 | 15 | ######################################## 16 | #Metasploit-like print statements: status, good, bad and notification. Gratuitously copied from Darkoperator's metasploit install script. 17 | 18 | function print_status () 19 | { 20 | echo -e "\x1B[01;34m[*]\x1B[0m $1" 21 | } 22 | 23 | function print_good () 24 | { 25 | echo -e "\x1B[01;32m[*]\x1B[0m $1" 26 | } 27 | 28 | function print_error () 29 | { 30 | echo -e "\x1B[01;31m[*]\x1B[0m $1" 31 | } 32 | 33 | function print_notification () 34 | { 35 | echo -e "\x1B[01;33m[*]\x1B[0m $1" 36 | } 37 | 38 | ######################################## 39 | 40 | print_status "Installing packages for Snort Report.." 41 | 42 | yum -y install php php-common php-gd php-cli php-mysql &>> $sreport_logfile 43 | if [ $? 
!= 0 ];then 44 | print_error "Failed to acquire required packages for Snort Report. See $sreport_logfile for details." 45 | exit 1 46 | else 47 | print_good "Successfully acquired packages." 48 | fi 49 | 50 | ######################################## 51 | 52 | #Grab jpgraph and throw it in /var/www/html 53 | #Required to display graphs in snort report UI 54 | 55 | print_status "Downloading and installing jpgraph.." 56 | 57 | cd /var/www/html 58 | 59 | wget http://jpgraph.net/download/download.php?p=5 -O jpgraph305.tar.gz &>> $sreport_logfile 60 | if [ $? != 0 ];then 61 | print_error "Attempt to pull down jpgraph failed. See $sreport_logfile for details." 62 | exit 1 63 | else 64 | print_good "Successfully downloaded jpgraph." 65 | fi 66 | 67 | print_status "Installing jpgraph.." 68 | 69 | tar -xzvf jpgraph305.tar.gz &>> $sreport_logfile 70 | if [ $? != 0 ];then 71 | print_error "Attempt to install jpgraph failed. See $sreport_logfile for details." 72 | exit 1 73 | else 74 | print_good "Successfully installed jpgraph." 75 | fi 76 | 77 | rm -rf jpgraph305.tar.gz 78 | mv jpgraph-3* jpgraph 79 | 80 | ######################################## 81 | 82 | #now to install snort report. 83 | 84 | print_status "downloading and installing Snort Report.." 85 | 86 | 87 | wget http://www.symmetrixtech.com/ids/snortreport-1.3.4.tar.gz &>> $sreport_logfile 88 | if [ $? != 0 ];then 89 | print_error "Attempt to pull down Snortreport failed. See $sreport_logfile for details." 90 | exit 1 91 | else 92 | print_good "Successfully downloaded Snort Report." 93 | fi 94 | 95 | tar -xzvf snortreport-1.3.4.tar.gz &>> $sreport_logfile 96 | if [ $? != 0 ];then 97 | print_error "Attempt to install Snort Report failed. See $sreport_logfile for details." 98 | exit 1 99 | else 100 | print_good "Successfully installed Snort Report." 
101 | fi 102 | 103 | rm -rf snortreport-1.3.4.tar.gz 104 | mv /var/www/html/snortreport-1.3.4 /var/www/html/snortreport 105 | 106 | ######################################## 107 | 108 | print_status "Pointing Snortreport to the mysql database.." 109 | 110 | sed -i 's/PASSWORD/'$MYSQL_PASS_1'/' /var/www/html/snortreport/srconf.php 111 | 112 | print_good "Snort Report successfully configured to talk to mysql database." 113 | 114 | ######################################## 115 | 116 | # Snort Report is littered with short open tags. 117 | # As much as I really want to banish them from all OS versions FOREVER, 118 | # Until CentOS or the EPEL repos have PHP 5.4+, I can't do it and here's why: 119 | # If the programmer uses shortcuts like ${base_logfile}.pipe 12 | rm ${base_logfile}.pipe 13 | 14 | ######################################## 15 | #Metasploit-like print statements: status, good, bad and notification. Gratuitously copied from Darkoperator's metasploit install script. 16 | 17 | function print_status () 18 | { 19 | echo -e "\x1B[01;34m[*]\x1B[0m $1" 20 | } 21 | 22 | function print_good () 23 | { 24 | echo -e "\x1B[01;32m[*]\x1B[0m $1" 25 | } 26 | 27 | function print_error () 28 | { 29 | echo -e "\x1B[01;31m[*]\x1B[0m $1" 30 | } 31 | 32 | function print_notification () 33 | { 34 | echo -e "\x1B[01;33m[*]\x1B[0m $1" 35 | } 36 | 37 | ######################################## 38 | #Error Checking function. Checks for exist status of last command ran. If non-zero assumes something went wrong and bails script. 39 | 40 | function error_check 41 | { 42 | 43 | if [ $? -eq 0 ]; then 44 | print_good "$1 successfully completed." 45 | else 46 | print_error "$1 failed. Please check $logfile for more details, or contact deusexmachina667 at gmail dot com for more assistance." 47 | exit 1 48 | fi 49 | 50 | } 51 | 52 | ######################################## 53 | #Pre-setup. First, if the base directory exists, delete it. 
It causes more problems than it resolves, and usually only exists if the install failed in some way. Wipe it away, start with a clean slate. 54 | if [ -d /var/www/base ]; then 55 | print_notification "base directory exists. Deleting to prevent issues.." 56 | rm -rf /var/www/base 57 | fi 58 | 59 | execdir=`pwd` 60 | if [ ! -f $execdir/full_autosnort.conf ]; then 61 | print_error "full_autosnort.conf was NOT found in $execdir. This script relies HEAVILY on this config file. The main autosnort script, full_autosnort.conf and this file should be located in the SAME directory." 62 | exit 1 63 | else 64 | source $execdir/full_autosnort.conf 65 | print_good "Found config file." 66 | fi 67 | 68 | ######################################## 69 | #grab packages for BASE 70 | 71 | print_status "Grabbing packages required for BASE." 72 | 73 | echo libphp-adodb libphp-adodb/pathmove note | debconf-set-selections 74 | apt-get install -y libphp-adodb ca-certificates php-pear libwww-perl php5 php5-mysql php5-gd &>> $base_logfile 75 | error_check 'Package installation' 76 | 77 | ######################################## 78 | 79 | #These are php-pear config commands Seen in the 2.9.4.0 install guide for Debian. 80 | 81 | print_status "Configuring php via php-pear." 82 | 83 | pear config-set preferred_state alpha &>> $base_logfile 84 | pear channel-update pear.php.net &>> $base_logfile 85 | pear install --alldeps Image_Color Image_Canvas Image_Graph &>> $base_logfile 86 | error_check 'PHP-Pear configuration' 87 | 88 | print_good "Successfully configured php via php-pear." 89 | 90 | ######################################## 91 | #Have to adjust PHP logging otherwise BASE will barf on startup. 92 | 93 | print_status "Reconfiguring php error reporting for BASE.." 
94 | sed -i 's/error_reporting \= E_ALL \& ~E_DEPRECATED/error_reporting \= E_ALL \& ~E_NOTICE/' /etc/php5/apache2/php.ini 95 | 96 | ######################################## 97 | 98 | #The BASE tarball creates a directory for us, all we need to do is move to webroot. 99 | 100 | print_status "Installing BASE." 101 | 102 | cd /var/www/ 103 | 104 | # We need to grab BASE from sourceforge. If this fails, we exit the script with a status of 1 105 | # A check is built into the main script to verify this script exits cleanly. If it doesn't, 106 | # The user should be informed and brought back to the main interface selection menu. 107 | 108 | print_status "Grabbing BASE via Sourceforge." 109 | wget http://sourceforge.net/projects/secureideas/files/BASE/base-1.4.5/base-1.4.5.tar.gz -O base-1.4.5.tar.gz &>> $base_logfile 110 | error_check 'BASE download' 111 | 112 | tar -xzvf base-1.4.5.tar.gz &>> $base_logfile 113 | error_check 'Untar of BASE' 114 | 115 | rm base-1.4.5.tar.gz 116 | mv base-* base 117 | 118 | #BASE requires the /var/www/ directory to be owned by www-data 119 | print_status "Granting ownership of /var/www to www-data user and group." 120 | chown -R www-data:www-data /var/www 121 | 122 | ######################################## 123 | 124 | #These are virtual host settings. The default virtual host forces redirect of all traffic to https (SSL, port 443) to ensure console traffic is encrypted and secure. We then enable the new SSL site we made, and restart apache to start serving it. 125 | 126 | 127 | print_status "Configuring Virtual Host Settings for Base.." 128 | 129 | echo "#This is an SSL VHOST added by autosnort. Simply remove the file if you no longer wish to serve the web interface." > /etc/apache2/sites-available/base-ssl 130 | echo "" >> /etc/apache2/sites-available/base-ssl 131 | echo " #Turn on SSL. 
Most of the relevant settings are set in /etc/apache2/mods-available/ssl.conf" >> /etc/apache2/sites-available/base-ssl 132 | echo " SSLEngine on" >> /etc/apache2/sites-available/base-ssl 133 | echo "" >> /etc/apache2/sites-available/base-ssl 134 | echo " #Mod_Rewrite Settings. Force everything to go over SSL." >> /etc/apache2/sites-available/base-ssl 135 | echo " RewriteEngine On" >> /etc/apache2/sites-available/base-ssl 136 | echo " RewriteCond %{HTTPS} off" >> /etc/apache2/sites-available/base-ssl 137 | echo " RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}" >> /etc/apache2/sites-available/base-ssl 138 | echo "" >> /etc/apache2/sites-available/base-ssl 139 | echo " #Now, we finally get to configuring our VHOST." >> /etc/apache2/sites-available/base-ssl 140 | echo " ServerName base.localhost" >> /etc/apache2/sites-available/base-ssl 141 | echo " DocumentRoot /var/www/base" >> /etc/apache2/sites-available/base-ssl 142 | echo "" >> /etc/apache2/sites-available/base-ssl 143 | 144 | ######################################## 145 | 146 | a2ensite base-ssl &>> $base_logfile 147 | error_check 'Enable BASE vhost' 148 | 149 | service apache2 restart &>> $base_logfile 150 | error_check 'Apache restart' 151 | 152 | print_notification "The log file for this interface installation is located at: $base_logfile" 153 | 154 | exit 0 -------------------------------------------------------------------------------- /Autosnort-Kali/autobase-kali.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | #BASE shell script 'module' for Debian. 3 | #Sets up BASE for Autosnort 4 | 5 | ######################################## 6 | #logging setup: Stack Exchange made this. 
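
base_logfile=/var/log/base_install.log

# Mirror everything this script prints into $base_logfile: tee reads a named
# pipe, the script's stdout/stderr are pointed at it, and the pipe node is
# unlinked once both ends are open. A pipe left over from an interrupted run
# would make mkfifo fail, so clear it first.
rm -f "${base_logfile}.pipe"
mkfifo "${base_logfile}.pipe"
tee < "${base_logfile}.pipe" "$base_logfile" &
exec &> "${base_logfile}.pipe"
rm "${base_logfile}.pipe"

########################################
#Metasploit-like print statements: status, good, bad and notification. Gratuitously copied from Darkoperator's metasploit install script.
# printf instead of echo -e: the message itself is no longer re-interpreted for
# backslash escapes, only the colour codes in the format string are.

# Blue [*]: progress message.
print_status() {
  printf '\033[01;34m[*]\033[0m %s\n' "$1"
}

# Green [*]: a step finished.
print_good() {
  printf '\033[01;32m[*]\033[0m %s\n' "$1"
}

# Red [*]: a step failed.
print_error() {
  printf '\033[01;31m[*]\033[0m %s\n' "$1"
}

# Yellow [*]: something the user should read.
print_notification() {
  printf '\033[01;33m[*]\033[0m %s\n' "$1"
}

########################################
#Error Checking function. Checks the exit status of the last command run. If non-zero, assumes something went wrong and bails out of the script.

# error_check STEP -- must be called directly after the command it judges.
# Prints a success line, or the failure line and exits 1.
# Fix: the failure message used to name $logfile, which is never set in this
# script; the log is $base_logfile.
error_check() {
  local rc=$?
  if [ "$rc" -eq 0 ]; then
    print_good "$1 successfully completed."
  else
    print_error "$1 failed. Please check $base_logfile for more details, or contact deusexmachina667 at gmail dot com for more assistance."
    exit 1
  fi
}

########################################
#Pre-setup. First, if the base directory exists, delete it. It causes more problems than it resolves, and usually only exists if the install failed in some way. Wipe it away, start with a clean slate.
if [ -d /var/www/base ]; then
  print_notification "base directory exists. Deleting to prevent issues.."
  rm -rf /var/www/base
fi

execdir=$(pwd)
# full_autosnort.conf is sourced, i.e. executed as shell code with this
# script's (root) privileges -- treat it as code you trust, not as a data file.
if [ ! -f "$execdir/full_autosnort.conf" ]; then
  print_error "full_autosnort.conf was NOT found in $execdir. This script relies HEAVILY on this config file. The main autosnort script, full_autosnort.conf and this file should be located in the SAME directory."
  exit 1
fi
source "$execdir/full_autosnort.conf"
print_good "Found config file."

########################################
#grab packages for BASE

print_status "Grabbing packages required for BASE."

# Pre-answer the libphp-adodb debconf note so apt-get does not stop for it.
echo libphp-adodb libphp-adodb/pathmove note | debconf-set-selections
apt-get install -y libphp-adodb ca-certificates php-pear libwww-perl php5 php5-mysql php5-gd &>> "$base_logfile"
error_check 'Package installation'

########################################

#These are php-pear config commands Seen in the 2.9.4.0 install guide for Debian.

print_status "Configuring php via php-pear."

# preferred_state alpha lets pear pull pre-release Image_* packages; they are
# fetched from pear.php.net with no integrity check beyond pear's own download.
pear config-set preferred_state alpha &>> "$base_logfile"
pear channel-update pear.php.net &>> "$base_logfile"
pear install --alldeps Image_Color Image_Canvas Image_Graph &>> "$base_logfile"
error_check 'PHP-Pear configuration'

print_good "Successfully configured php via php-pear."

########################################
#Have to adjust PHP logging otherwise BASE will barf on startup.

print_status "Reconfiguring php error reporting for BASE.."
# Replaces the stock "hide deprecations" setting with "hide notices" in the
# apache2 SAPI php.ini only (the CLI php.ini is untouched).
sed -i 's/error_reporting \= E_ALL \& ~E_DEPRECATED/error_reporting \= E_ALL \& ~E_NOTICE/' /etc/php5/apache2/php.ini

########################################

#The BASE tarball creates a directory for us, all we need to do is move to webroot.

print_status "Installing BASE."

# Everything below is relative to the webroot; without this check a failed cd
# would unpack BASE into whatever directory the script was launched from.
cd /var/www/ || { print_error "Unable to change directory to /var/www."; exit 1; }

# We need to grab BASE from sourceforge. If this fails, we exit the script with a status of 1
# A check is built into the main script to verify this script exits cleanly. If it doesn't,
# The user should be informed and brought back to the main interface selection menu.

print_status "Grabbing BASE via Sourceforge."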
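# Same sourceforge path as before, fetched over https instead of plain http so
# the archive cannot be replaced in transit (the mirror redirect may still land
# on an http mirror). No checksum is published for this release to verify
# against, so the TLS check is the only integrity guarantee for code apache is
# about to serve.
wget https://sourceforge.net/projects/secureideas/files/BASE/base-1.4.5/base-1.4.5.tar.gz -O base-1.4.5.tar.gz &>> "$base_logfile"
error_check 'BASE download'

tar -xzvf base-1.4.5.tar.gz &>> "$base_logfile"
error_check 'Untar of BASE'

rm base-1.4.5.tar.gz
mv base-* base

# BASE's web setup needs to write into its own directory, which is why the
# original gave the web server ownership -- but it chowned all of /var/www,
# letting the web server rewrite every site served from it. Ownership is
# limited to the BASE tree here.
print_status "Granting ownership of /var/www/base to www-data user and group."
chown -R www-data:www-data /var/www/base

########################################

#These are virtual host settings. The default virtual host forces redirect of all traffic to https (SSL, port 443) to ensure console traffic is encrypted and secure. We then enable the new SSL site we made, and restart apache to start serving it.

print_status "Configuring Virtual Host Settings for Base.."

# Written verbatim to sites-available (quoted heredoc: nothing is expanded).
# Note the redirect reflects the client-supplied Host header (%{HTTP_HOST}),
# so an unexpected Host value is bounced back as an https URL rather than to
# this sensor's own name.
cat > /etc/apache2/sites-available/base-ssl <<'EOF'
#This is an SSL VHOST added by autosnort. Simply remove the file if you no longer wish to serve the web interface.

 #Turn on SSL. Most of the relevant settings are set in /etc/apache2/mods-available/ssl.conf
 SSLEngine on

 #Mod_Rewrite Settings. Force everything to go over SSL.
 RewriteEngine On
 RewriteCond %{HTTPS} off
 RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

 #Now, we finally get to configuring our VHOST.
 ServerName base.localhost
 DocumentRoot /var/www/base

EOF

########################################

a2ensite base-ssl &>> "$base_logfile"
error_check 'Enable BASE vhost'

service apache2 restart &>> "$base_logfile"
error_check 'Apache restart'

print_notification "The log file for this interface installation is located at: $base_logfile"

exit 0
--------------------------------------------------------------------------------
/Autosnort-CentOS/Previous_Rel/previous interface install scripts/aanval-CentOS-03-07-14.sh:
--------------------------------------------------------------------------------
#!/bin/bash
########################################
#logging setup: Stack Exchange made this.

aanval_logfile=/var/log/aanval_install.log

# Mirror all output into $aanval_logfile through a named pipe feeding tee; a
# pipe left over from an interrupted run would make mkfifo fail, so clear it.
rm -f "${aanval_logfile}.pipe"
mkfifo "${aanval_logfile}.pipe"
tee < "${aanval_logfile}.pipe" "$aanval_logfile" &
exec &> "${aanval_logfile}.pipe"
rm "${aanval_logfile}.pipe"

########################################
#Metasploit-like print statements: status, good, bad and notification. Gratuitously copied from Darkoperator's metasploit install script.
# printf instead of echo -e: the message text is not re-interpreted for escapes.

# Blue [*]: progress message.
print_status() {
  printf '\033[01;34m[*]\033[0m %s\n' "$1"
}

# Green [*]: a step finished.
print_good() {
  printf '\033[01;32m[*]\033[0m %s\n' "$1"
}

# Red [*]: a step failed.
print_error() {
  printf '\033[01;31m[*]\033[0m %s\n' "$1"
}

# Yellow [*]: something the user should read.
print_notification() {
  printf '\033[01;33m[*]\033[0m %s\n' "$1"
}

########################################

print_status "Grabbing packages for aanval.."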
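# Package list unchanged from the original.
if ! yum -y install php php-common php-gd php-cli php-mysql byacc libxslt-devel php-pear.noarch php-adodb.noarch perl-Crypt-SSLeay perl-libwww-perl perl-Archive-Tar perl-IO-Socket-SSL openssl-devel mod_ssl &>> "$aanval_logfile"; then
  print_error "Failed to acquire required packages for Aanval. See $aanval_logfile for details."
  exit 1
fi
print_good "Successfully acquired packages."

########################################

#Make the aanval directory under /var/www, and cd into it
mkdir -p /var/www/html/aanval
# Without this check a failed cd would download and unpack the console into
# whatever directory the script was launched from.
cd /var/www/html/aanval || { print_error "Unable to change directory to /var/www/html/aanval."; exit 1; }

# We need to grab aanval from the aanval.com site.
# The original passed --no-check-certificate, which turned this https download
# into an unauthenticated one -- for code that apache will serve and that the
# background processors below will execute. The certificate check stays on; if
# it fails, fix the CA bundle or the system clock rather than disabling it.
print_status "Grabbing aanval."
if ! wget https://www.aanval.com/download/pickup -O aanval.tar.gz &>> "$aanval_logfile"; then
  print_error "Attempt to pull down aanval console failed. See $aanval_logfile for details."
  exit 1
fi
print_good "Successfully downloaded Aanval."

print_status "Installing Aanval.."

if ! tar -xzvf aanval.tar.gz &>> "$aanval_logfile"; then
  print_error "Attempt to unpack Aanval failed. See $aanval_logfile for details."
  exit 1
fi
print_good "Successfully installed aanval to /var/www/html/aanval."
rm -f aanval.tar.gz

########################################

#Creating the database infrastructure for Aanval -- We make the database aanvaldb and give the snort user the ability to do work on it.
#This database is totally separate from the snort database, BOTH must be present.

# sql_escape VALUE: escape a value for use inside a single-quoted MySQL string
# literal (backslash first, then the quote). $MYSQL_PASS_1 is user-supplied
# configuration; spliced in unescaped it could break or alter the GRANT below.
sql_escape() {
  local v=$1
  v=${v//\\/\\\\}
  v=${v//\'/\\\'}
  printf '%s' "$v"
}

print_status "Configuring mysql to work with Aanval."

# MYSQL_PASS_1 is the snort database user's password, exported by the main
# autosnort script. With it unset the GRANT below would silently give
# snort@localhost an empty password, so refuse to continue instead.
if [ -z "$MYSQL_PASS_1" ]; then
  print_error "MYSQL_PASS_1 (the snort database password) is not set. Run this script from the main autosnort script."
  exit 1
fi

while true; do
  print_notification "Enter the mysql root user password to create the aanvaldb database."
  if mysql -u root -p -e "create database aanvaldb;" &>> "$aanval_logfile"; then
    print_good "aanvaldb database created!"
    break
  fi
  print_notification "the command did NOT complete successfully. (bad password?) Please try again."
done

while true; do
  print_notification "you'll need to enter the mysql root user password one more time to grant the snort database user permissions to the aanvaldb database."
  # The statement is fed on stdin rather than through -e so the snort password
  # is not visible in the process list while mysql runs; -p still prompts on
  # the terminal.
  mysql -u root -p &>> "$aanval_logfile" <<SQL
grant create, insert, select, delete, update on aanvaldb.* to snort@localhost identified by '$(sql_escape "$MYSQL_PASS_1")';
SQL
  if [ $? -eq 0 ]; then
    print_good "database access granted!"
    break
  fi
  print_notification "the command did NOT complete successfully. (bad password?) Please try again."
done

########################################

print_status "Granting ownership of /var/www/html/aanval to apache.."

chown -R apache:apache /var/www/html/aanval

cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.orig
print_status "Resetting default site DocumentRoot and Directory Permissions to /var/www/html/aanval.."
# Rewrites every occurrence of /var/www/html in httpd.conf (DocumentRoot and
# the matching <Directory> block); the pristine copy is kept as httpd.conf.orig.
sed -i 's#/var/www/html#/var/www/html/aanval#g' /etc/httpd/conf/httpd.conf &>> "$aanval_logfile"

print_status "Configuring SELinux permissions for Aanval.."
print_notification "Setsebool takes a moment or two to do its thing. Please be patient, I promise the script isn't hanging."
#discovered during testing that this HAD to be set for aanval to be able to talk to the mysql database.
setsebool -P httpd_can_network_connect_db 1
#this is to ensure httpd has access to do what it needs to files in /var/www/html/aanval
# This labels the whole console tree writable for httpd. Which subdirectories
# Aanval actually writes to is not known here, so it is left as the original
# had it. chcon labels do not survive a filesystem relabel; semanage fcontext
# plus restorecon would make them persistent.
chcon -R -t httpd_sys_rw_content_t /var/www/html/aanval

print_good "SELinux permissions successfully modified."

print_status "Starting background processors for Aanval web interface.."
# The console tree is owned and writable by apache, so the processors are
# started as apache rather than as root: code the web server can modify should
# not run with root privileges. The original started them as root; if they do
# not come up under the apache account, $aanval_logfile has the reason.
bpu_start_cmd="su -s /bin/bash apache -c 'cd /var/www/html/aanval/apps && perl idsBackground.pl -start'"
if ! su -s /bin/bash apache -c 'cd /var/www/html/aanval/apps && perl idsBackground.pl -start' &>> "$aanval_logfile"; then
  print_error "failed to start background processors. See $aanval_logfile for details."
  exit 1
fi
print_good "Successfully started background processors."

########################################

# add_to_rc_local LINE: append LINE to /etc/rc.local, ahead of a trailing
# "exit 0" when the file has one (Debian-style rc.local files end that way and
# anything appended after it never runs). --follow-symlinks keeps a symlinked
# rc.local a symlink.
add_to_rc_local() {
  local line=$1
  if grep -q '^exit 0' /etc/rc.local 2>/dev/null; then
    sed -i --follow-symlinks "/^exit 0/i $line" /etc/rc.local
  else
    printf '%s\n' "$line" >> /etc/rc.local
  fi
}

print_notification "The background processors need to run in order to export events from the snort database to aanval's database."
while true; do
  print_notification "Would you like to add commands to start the background processors on boot to rc.local?"
  read -r -p "
Select 1 if you want entries added to /etc/rc.local
Select 2 if you do not.
" bgpstart
  case $bgpstart in
    1)
      print_status "Adding job to start background processors on boot to /etc/rc.local.."
      add_to_rc_local "$bpu_start_cmd"
      print_good "Successfully added background processors to rc.local."
      break
      ;;
    2)
      print_notification "If the system reboots, the background processors will need to be started."
      print_notification "You can do this by running: $bpu_start_cmd"
      break
      ;;
    *)
      print_notification "I didn't understand your response. Please try again."
      ;;
  esac
done

print_notification "The log file for this interface installation is located at: $aanval_logfile"

exit 0
--------------------------------------------------------------------------------
/Autosnort-Ubuntu/autobase-ubuntu.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#BASE shell script 'module'
#Sets up BASE for Autosnort

########################################
#logging setup: Stack Exchange made this.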
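
base_logfile=/var/log/base_install.log

# Mirror everything this script prints into $base_logfile: tee reads a named
# pipe, the script's stdout/stderr are pointed at it, and the pipe node is
# unlinked once both ends are open. A pipe left over from an interrupted run
# would make mkfifo fail, so clear it first.
rm -f "${base_logfile}.pipe"
mkfifo "${base_logfile}.pipe"
tee < "${base_logfile}.pipe" "$base_logfile" &
exec &> "${base_logfile}.pipe"
rm "${base_logfile}.pipe"

########################################
#Metasploit-like print statements: status, good, bad and notification. Gratuitously copied from Darkoperator's metasploit install script.
# printf instead of echo -e: the message itself is no longer re-interpreted for
# backslash escapes, only the colour codes in the format string are.

# Blue [*]: progress message.
print_status() {
  printf '\033[01;34m[*]\033[0m %s\n' "$1"
}

# Green [*]: a step finished.
print_good() {
  printf '\033[01;32m[*]\033[0m %s\n' "$1"
}

# Red [*]: a step failed.
print_error() {
  printf '\033[01;31m[*]\033[0m %s\n' "$1"
}

# Yellow [*]: something the user should read.
print_notification() {
  printf '\033[01;33m[*]\033[0m %s\n' "$1"
}

########################################
#Error Checking function. Checks the exit status of the last command run. If non-zero, assumes something went wrong and bails out of the script.

# error_check STEP -- must be called directly after the command it judges.
# Prints a success line, or the failure line and exits 1.
# Fix: the failure message used to name $logfile, which is never set in this
# script; the log is $base_logfile.
error_check() {
  local rc=$?
  if [ "$rc" -eq 0 ]; then
    print_good "$1 successfully completed."
  else
    print_error "$1 failed. Please check $base_logfile for more details, or contact deusexmachina667 at gmail dot com for more assistance."
    exit 1
  fi
}

########################################
#Pre-setup. First, if the base directory exists, delete it. It causes more problems than it resolves, and usually only exists if the install failed in some way. Wipe it away, start with a clean slate.
if [ -d /var/www/base ]; then
  print_notification "base directory exists. Deleting to prevent issues.."
  rm -rf /var/www/base
fi

execdir=$(pwd)
# full_autosnort.conf is sourced, i.e. executed as shell code with this
# script's (root) privileges -- treat it as code you trust, not as a data file.
if [ ! -f "$execdir/full_autosnort.conf" ]; then
  print_error "full_autosnort.conf was NOT found in $execdir. This script relies HEAVILY on this config file. The main autosnort script, full_autosnort.conf and this file should be located in the SAME directory."
  exit 1
fi
source "$execdir/full_autosnort.conf"
print_good "Found config file."

########################################
#grab packages for BASE.

print_status "Grabbing packages required for BASE.."

# Pre-answer the libphp-adodb debconf note so apt-get does not stop for it.
echo libphp-adodb libphp-adodb/pathmove note | debconf-set-selections
apt-get install -y libphp-adodb ca-certificates php-pear libwww-perl php5 php5-mysql php5-gd &>> "$base_logfile"
error_check 'Package installation'


########################################

#These are php-pear config commands.

print_status "Configuring php via php-pear."

# preferred_state alpha lets pear pull pre-release Image_* packages; they are
# fetched from pear.php.net with no integrity check beyond pear's own download.
pear config-set preferred_state alpha &>> "$base_logfile"
pear channel-update pear.php.net &>> "$base_logfile"
pear install --alldeps Image_Color Image_Canvas Image_Graph &>> "$base_logfile"
error_check 'PHP-Pear configuration'

print_good "Successfully configured php via php-pear."

########################################
#Have to adjust PHP logging otherwise BASE will barf on startup.

print_status "Reconfiguring php error reporting for BASE.."
# Replaces the stock "hide deprecations" setting with "hide notices" in the
# apache2 SAPI php.ini only (the CLI php.ini is untouched).
sed -i 's/error_reporting \= E_ALL \& ~E_DEPRECATED/error_reporting \= E_ALL \& ~E_NOTICE/' /etc/php5/apache2/php.ini

########################################

#The BASE tarball creates a directory for us, all we need to do is move to webroot.

print_status "Installing BASE."

# Everything below is relative to the webroot; without this check a failed cd
# would unpack BASE into whatever directory the script was launched from.
cd /var/www/ || { print_error "Unable to change directory to /var/www."; exit 1; }

# We need to grab BASE from sourceforge. If this fails, we exit the script with a status of 1
# A check is built into the main script to verify this script exits cleanly. If it doesn't,
# The user should be informed and brought back to the main interface selection menu.

print_status "Grabbing BASE via Sourceforge."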
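# Same sourceforge path as before, fetched over https instead of plain http so
# the archive cannot be replaced in transit (the mirror redirect may still land
# on an http mirror). No checksum is published for this release to verify
# against, so the TLS check is the only integrity guarantee for code apache is
# about to serve.
wget https://sourceforge.net/projects/secureideas/files/BASE/base-1.4.5/base-1.4.5.tar.gz -O base-1.4.5.tar.gz &>> "$base_logfile"
error_check 'BASE download'

tar -xzvf base-1.4.5.tar.gz &>> "$base_logfile"
error_check 'Untar of BASE'

rm base-1.4.5.tar.gz
mv base-* base

# BASE's web setup needs to write into its own directory, which is why the
# original gave the web server ownership -- but it chowned all of /var/www,
# letting the web server rewrite every site served from it. Ownership is
# limited to the BASE tree here.
print_status "Granting ownership of /var/www/base to www-data user and group."
chown -R www-data:www-data /var/www/base

########################################

#These are virtual host settings. The default virtual host forces redirect of all traffic to https (SSL, port 443) to ensure console traffic is encrypted and secure. We then enable the new SSL site we made, and restart apache to start serving it.

print_status "Configuring Virtual Host Settings for Base.."

# Written verbatim to sites-available (quoted heredoc: nothing is expanded).
# Fix: two of the original echo lines went to "base-ssl" instead of
# "base-ssl.conf", leaving a stray file and a blank/comment gap in the real one.
# Note the redirect reflects the client-supplied Host header (%{HTTP_HOST}), so
# an unexpected Host value is bounced back as an https URL rather than to this
# sensor's own name.
cat > /etc/apache2/sites-available/base-ssl.conf <<'EOF'
#This is an SSL VHOST added by autosnort. Simply remove the file if you no longer wish to serve the web interface.

 #Turn on SSL. Most of the relevant settings are set in /etc/apache2/mods-available/ssl.conf
 SSLEngine on

 #Mod_Rewrite Settings. Force everything to go over SSL.
 RewriteEngine On
 RewriteCond %{HTTPS} off
 RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

 #Now, we finally get to configuring our VHOST.
 ServerName base.localhost
 DocumentRoot /var/www/base

EOF

########################################

a2ensite base-ssl.conf &>> "$base_logfile"
error_check 'Enable BASE vhost'

service apache2 restart &>> "$base_logfile"
error_check 'Apache restart'

print_notification "The log file for this interface installation is located at: $base_logfile"

exit 0
--------------------------------------------------------------------------------
/Autosnort-Debian/Previous_Rel/previous interface install scripts/aanval-debian.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#Aanval shell script 'module'
#Sets up Aanval for Autosnort
#WARNING: DO NOT TRY TO USE AANVAL TO MANAGE THE SENSOR!
#GETTING THIS TO ACTUALLY WORK IS GOING TO TAKE A LOT OF TIME AND EFFORT
#TO FIGURE OUT WHERE AANVAL IS TRYING TO LOOK FOR THINGS, NOT TO MENTION
#SOME RE-WORKING OF AUTOSNORT ITSELF...THIS IS STRICTLY TO GET THE IDS
#EVENT VIEW FUNCTIONALITY WORKING.

########################################
#logging setup: Stack Exchange made this.

# Fix: the path was assigned to $snorby_logfile (left over from the snorby
# module) while every later line reads $aanval_logfile, so the log path was
# empty and every "&>> $aanval_logfile" redirect was ambiguous.
aanval_logfile=/var/log/aanval_install.log

# Mirror all output into $aanval_logfile through a named pipe feeding tee; a
# pipe left over from an interrupted run would make mkfifo fail, so clear it.
rm -f "${aanval_logfile}.pipe"
mkfifo "${aanval_logfile}.pipe"
tee < "${aanval_logfile}.pipe" "$aanval_logfile" &
exec &> "${aanval_logfile}.pipe"
rm "${aanval_logfile}.pipe"

########################################
#Metasploit-like print statements: status, good, bad and notification. Gratuitously copied from Darkoperator's metasploit install script.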
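# printf instead of echo -e: the message text is not re-interpreted for escapes.

# Blue [*]: progress message.
print_status() {
  printf '\033[01;34m[*]\033[0m %s\n' "$1"
}

# Green [*]: a step finished.
print_good() {
  printf '\033[01;32m[*]\033[0m %s\n' "$1"
}

# Red [*]: a step failed. (The original called a print_bad that was never
# defined, so every failure path died with "command not found" instead of the
# intended message; all failure paths now use print_error.)
print_error() {
  printf '\033[01;31m[*]\033[0m %s\n' "$1"
}

# Yellow [*]: something the user should read.
print_notification() {
  printf '\033[01;33m[*]\033[0m %s\n' "$1"
}

########################################

print_status "grabbing packages for aanval"
#grab packages for aanval most of the primary required packages are pulled by the main AS script.
if ! apt-get install -y zlib1g-dev libmysqld-dev byacc libxml2-dev zlib1g php5 php5-mysql php5-gd nmap libssl-dev libcrypt-ssleay-perl libphp-adodb php-pear &>> "$aanval_logfile"; then
  print_error "Failed to acquire required packages for Aanval. See $aanval_logfile for details."
  exit 1
fi
print_good "Successfully acquired packages."

########################################

print_status "making the aanval web UI directory"

#Make the aanval directory under /var/www, and cd into it
mkdir -p /var/www/aanval
# Without this check a failed cd would download and unpack the console into
# whatever directory the script was launched from.
cd /var/www/aanval || { print_error "Unable to change directory to /var/www/aanval."; exit 1; }

# We need to grab aanval from the aanval.com site. If this fails, we exit the script with a status of 1
# A check needs to be built into the main script to verify this script exits cleanly. If it doesn't,
# The user should be informed and brought back to the main interface selection menu.
# The original passed --no-check-certificate, which turned this https download
# into an unauthenticated one -- for code that apache will serve and that the
# background processors will execute. The certificate check stays on; if it
# fails, fix the CA bundle or the system clock rather than disabling it.
print_status "Grabbing aanval."
if ! wget https://www.aanval.com/download/pickup -O aanval.tar.gz &>> "$aanval_logfile"; then
  print_error "Attempt to pull down aanval console failed. See $aanval_logfile for details."
  exit 1
fi
print_good "Successfully downloaded Aanval."

print_status "Installing Aanval."

# tar output goes to the log like every other step (the original spilled the
# file list onto the terminal).
if ! tar -xzvf aanval.tar.gz &>> "$aanval_logfile"; then
  print_error "Attempt to unpack Aanval failed. See $aanval_logfile for details."
  exit 1
fi
print_good "Successfully installed aanval to /var/www/aanval."
rm -f aanval.tar.gz

########################################

#Creating the database infrastructure for Aanval -- We make the database aanvaldb and give the snort user the ability to do work on it.
#This database is totally separate from the snort database, BOTH must be present.

# sql_escape VALUE: escape a value for use inside a single-quoted MySQL string
# literal (backslash first, then the quote). $MYSQL_PASS_1 is user-supplied
# configuration; spliced in unescaped it could break or alter the GRANT below.
sql_escape() {
  local v=$1
  v=${v//\\/\\\\}
  v=${v//\'/\\\'}
  printf '%s' "$v"
}

print_status "Configuring mysql to work with Aanval."

while true; do
  print_notification "Enter the mysql root user password to create the aanvaldb database."
  if mysql -u root -p -e "create database aanvaldb;" &>> "$aanval_logfile"; then
    print_good "aanvaldb database created!"
    break
  fi
  print_notification "the command did NOT complete successfully. (bad password?) Please try again."
done

#note: need to pass off mysql_pass_1 as an environment variable in the main script:
#code: ask for snort database password, save to var MYSQL_PASS_1 (yes, case matters)
#export MYSQL_PASS_1, call it in child shell script for aanval. ($MYSQL_PASS_1)

# With MYSQL_PASS_1 unset the GRANT below would silently give snort@localhost
# an empty password, so refuse to continue instead.
if [ -z "$MYSQL_PASS_1" ]; then
  print_error "MYSQL_PASS_1 (the snort database password) is not set. Run this script from the main autosnort script."
  exit 1
fi

while true; do
  print_notification "you'll need to enter the mysql root user password one more time to grant the snort database user permissions to the aanvaldb database."
  # The statement is fed on stdin rather than through -e so the snort password
  # is not visible in the process list while mysql runs; -p still prompts on
  # the terminal.
  mysql -u root -p &>> "$aanval_logfile" <<SQL
grant create, insert, select, delete, update on aanvaldb.* to snort@localhost identified by '$(sql_escape "$MYSQL_PASS_1")';
SQL
  if [ $? -eq 0 ]; then
    print_good "database access granted!"
    break
  fi
  print_notification "the command did NOT complete successfully. (bad password?) Please try again."
done

print_status "Granting ownership of /var/www/aanval to www-data."

chown -R www-data:www-data /var/www/aanval

print_status "Starting background processors for Aanval web interface."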
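# The console tree is owned and writable by www-data, so the processors are
# started as www-data rather than as root: code the web server can modify
# should not run with root privileges. The original started them as root; if
# they do not come up under the www-data account, $aanval_logfile has the
# reason. The same command line is what gets written to rc.local below.
bpu_start_cmd="su -s /bin/bash www-data -c 'cd /var/www/aanval/apps && perl idsBackground.pl -start'"
if ! su -s /bin/bash www-data -c 'cd /var/www/aanval/apps && perl idsBackground.pl -start' &>> "$aanval_logfile"; then
  print_error "failed to start background processors. See $aanval_logfile for details."
  exit 1
fi
print_good "Successfully started background processors."

# add_to_rc_local LINE: append LINE to /etc/rc.local, ahead of the trailing
# "exit 0" Debian's rc.local ends with. Fix: the original appended after it,
# and lines after "exit 0" never run, so the processors never started on boot.
add_to_rc_local() {
  local line=$1
  if grep -q '^exit 0' /etc/rc.local 2>/dev/null; then
    sed -i --follow-symlinks "/^exit 0/i $line" /etc/rc.local
  else
    printf '%s\n' "$line" >> /etc/rc.local
  fi
}

print_notification "The background processors need to run in order to export events from the snort database to aanval's database."
while true; do
  print_notification "Would you like to add commands to start the background processors on boot to rc.local?"
  read -r -p "
Select 1 if you want entries added to /etc/rc.local
Select 2 if you do not.
" bgpstart
  case $bgpstart in
    1)
      print_status "Adding job to start background processors on boot to /etc/rc.local."
      add_to_rc_local "$bpu_start_cmd"
      print_good "Successfully added background processors to rc.local."
      break
      ;;
    2)
      print_notification "If the system reboots, the background processors will need to be started."
      print_notification "You can do this by running: $bpu_start_cmd"
      break
      ;;
    *)
      print_notification "I didn't understand your response. Please try again."
      ;;
  esac
done

print_good "Aanval installation successful."

exit 0
--------------------------------------------------------------------------------
/Autosnort-Ubuntu/Previous_Rel/previous interface install scripts/aanval-ubuntu-02-01-2014.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#Aanval shell script 'module'
#Sets up Aanval for Autosnort
#WARNING: DO NOT TRY TO USE AANVAL TO MANAGE THE SENSOR!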
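#GETTING THIS TO ACTUALLY WORK IS GOING TO TAKE A LOT OF TIME AND EFFORT
#TO FIGURE OUT WHERE AANVAL IS TRYING TO LOOK FOR THINGS, NOT TO MENTION
#SOME RE-WORKING OF AUTOSNORT ITSELF...THIS IS STRICTLY TO GET THE IDS
#EVENT VIEW FUNCTIONALITY WORKING.
#Updated on 2/1/2014

########################################
#logging setup: Stack Exchange made this.

aanval_logfile=/var/log/aanval_install.log

# Mirror all output into $aanval_logfile through a named pipe feeding tee; a
# pipe left over from an interrupted run would make mkfifo fail, so clear it.
rm -f "${aanval_logfile}.pipe"
mkfifo "${aanval_logfile}.pipe"
tee < "${aanval_logfile}.pipe" "$aanval_logfile" &
exec &> "${aanval_logfile}.pipe"
rm "${aanval_logfile}.pipe"

########################################
#Metasploit-like print statements: status, good, bad and notification. Gratuitously copied from Darkoperator's metasploit install script.
# printf instead of echo -e: the message text is not re-interpreted for escapes.

# Blue [*]: progress message.
print_status() {
  printf '\033[01;34m[*]\033[0m %s\n' "$1"
}

# Green [*]: a step finished.
print_good() {
  printf '\033[01;32m[*]\033[0m %s\n' "$1"
}

# Red [*]: a step failed.
print_error() {
  printf '\033[01;31m[*]\033[0m %s\n' "$1"
}

# Yellow [*]: something the user should read.
print_notification() {
  printf '\033[01;33m[*]\033[0m %s\n' "$1"
}

########################################

print_status "Grabbing packages for aanval.."
#grab packages for aanval most of the primary required packages are pulled by the main AS script. Also suppressing the message for libphp-adodb
echo libphp-adodb libphp-adodb/pathmove note | debconf-set-selections
if ! apt-get install -y zlib1g-dev libmysqld-dev byacc libxml2-dev zlib1g php5 php5-mysql php5-gd nmap libssl-dev libcrypt-ssleay-perl libphp-adodb php-pear &>> "$aanval_logfile"; then
  print_error "Failed to acquire required packages for Aanval. See $aanval_logfile for details."
  exit 1
fi
print_good "Successfully acquired packages."

########################################

#Make the aanval directory under /var/www, and cd into it
mkdir -p /var/www/aanval
# Without this check a failed cd would download and unpack the console into
# whatever directory the script was launched from.
cd /var/www/aanval || { print_error "Unable to change directory to /var/www/aanval."; exit 1; }

# We need to grab aanval from the aanval.com site
# The original passed --no-check-certificate, which turned this https download
# into an unauthenticated one -- for code that apache will serve and that the
# background processors will execute. The certificate check stays on; if it
# fails, fix the CA bundle or the system clock rather than disabling it.

print_status "Grabbing aanval.."
if ! wget https://www.aanval.com/download/pickup -O aanval.tar.gz &>> "$aanval_logfile"; then
  print_error "Attempt to pull down aanval console failed. See $aanval_logfile for details."
  exit 1
fi
print_good "Successfully downloaded Aanval."

print_status "Installing Aanval."

if ! tar -xzvf aanval.tar.gz &>> "$aanval_logfile"; then
  print_error "Attempt to unpack Aanval failed. See $aanval_logfile for details."
  exit 1
fi
print_good "Successfully installed aanval to /var/www/aanval."
rm -f aanval.tar.gz

########################################

#Creating the database infrastructure for Aanval -- We make the database aanvaldb and give the snort user the ability to do work on it.
#This database is totally separate from the snort database, BOTH must be present.

# sql_escape VALUE: escape a value for use inside a single-quoted MySQL string
# literal (backslash first, then the quote). $MYSQL_PASS_1 is user-supplied
# configuration; spliced in unescaped it could break or alter the GRANT below.
sql_escape() {
  local v=$1
  v=${v//\\/\\\\}
  v=${v//\'/\\\'}
  printf '%s' "$v"
}

print_status "Configuring mysql to work with Aanval.."

while true; do
  print_notification "Enter the mysql root user password to create the aanvaldb database."
  if mysql -u root -p -e "create database aanvaldb;" &>> "$aanval_logfile"; then
    print_good "aanvaldb database created!"
    break
  fi
  print_notification "the command did NOT complete successfully. (bad password?) Please try again."
done

#Here we call the MYSQL_PASS_1 variable from the main autosnort script in order to give the snort database user access to the aanval db for maintenance.
# With MYSQL_PASS_1 unset the GRANT below would silently give snort@localhost
# an empty password, so refuse to continue instead.
if [ -z "$MYSQL_PASS_1" ]; then
  print_error "MYSQL_PASS_1 (the snort database password) is not set. Run this script from the main autosnort script."
  exit 1
fi

while true; do
  print_notification "you'll need to enter the mysql root user password one more time to grant the snort database user permissions to the aanvaldb database."
  # The statement is fed on stdin rather than through -e so the snort password
  # is not visible in the process list while mysql runs; -p still prompts on
  # the terminal.
  mysql -u root -p &>> "$aanval_logfile" <<SQL
grant create, insert, select, delete, update on aanvaldb.* to snort@localhost identified by '$(sql_escape "$MYSQL_PASS_1")';
SQL
  if [ $? -eq 0 ]; then
    print_good "database access granted!"
    break
  fi
  print_notification "the command did NOT complete successfully. (bad password?) Please try again."
done

########################################

print_status "Granting ownership of /var/www/aanval to www-data.."

chown -R www-data:www-data /var/www/aanval

print_status "Resetting DocumentRoot to /var/www/aanval"
# Applies to every sites-available file matching *default* (e.g. the plain and
# the SSL default sites); the pattern is unchanged from the original.
sed -i 's/DocumentRoot \/var\/www/DocumentRoot \/var\/www\/aanval/' /etc/apache2/sites-available/*default*

print_status "Starting background processors for Aanval web interface."
# The console tree is owned and writable by www-data, so the processors are
# started as www-data rather than as root: code the web server can modify
# should not run with root privileges. The original started them as root; if
# they do not come up under the www-data account, $aanval_logfile has the
# reason. The same command line is what gets written to rc.local below.
bpu_start_cmd="su -s /bin/bash www-data -c 'cd /var/www/aanval/apps && perl idsBackground.pl -start'"
if ! su -s /bin/bash www-data -c 'cd /var/www/aanval/apps && perl idsBackground.pl -start' &>> "$aanval_logfile"; then
  print_error "failed to start background processors. See $aanval_logfile for details."
  exit 1
fi
print_good "Successfully started background processors."

########################################

# add_to_rc_local LINE: append LINE to /etc/rc.local, ahead of the trailing
# "exit 0" Ubuntu's rc.local ends with. Fix: the original appended after it,
# and lines after "exit 0" never run, so the processors never started on boot.
add_to_rc_local() {
  local line=$1
  if grep -q '^exit 0' /etc/rc.local 2>/dev/null; then
    sed -i --follow-symlinks "/^exit 0/i $line" /etc/rc.local
  else
    printf '%s\n' "$line" >> /etc/rc.local
  fi
}

print_notification "The background processors need to run in order to export events from the snort database to aanval's database."
while true; do
  print_notification "Would you like to add commands to start the background processors on boot to rc.local?"
  read -r -p "
Select 1 if you want entries added to /etc/rc.local
Select 2 if you do not.
" bgpstart
  case $bgpstart in
    1)
      print_status "Adding job to start background processors on boot to /etc/rc.local."
      add_to_rc_local "$bpu_start_cmd"
      print_good "Successfully added background processors to rc.local."
      break
      ;;
    2)
      print_notification "If the system reboots, the background processors will need to be started."
      print_notification "You can do this by running: $bpu_start_cmd"
      break
      ;;
    *)
      print_notification "I didn't understand your response. Please try again."
      ;;
  esac
done

print_notification "The log file for this interface installation is located at: $aanval_logfile"

exit 0
--------------------------------------------------------------------------------
/README.txt:
--------------------------------------------------------------------------------
Autosnort

Tony Robinson/da_667
twitter: @da_667
email: deusexmachina667 [at] gmail [dot] com


Autosnort is a series of bash shell scripts designed to install a fully functional, fully updated stand-alone snort sensor with an IDS event review console of your choice, on a variety of Linux distributions. The script is very meticulously commented in order for users to fully understand all the changes the script performs on a given system. That way if a user wants to make their own customizations, or gain a better understanding of the install process, that information is present.

I chose to write Autosnort as an alternative to other IDS solutions and also as a way for me to learn shell scripting a bit better, while granting snort users of any proficiency the capability to install the latest and greatest version of snort and its components as soon as they become available with as little muss and fuss as possible -- with only the interfaces or features they desired, on an operating system they want to use.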
As it stands right now, Autosnort supports the following major Linux distributions: 11 | 12 | -Ubuntu 12.X and 14.x 13 | -Debian 7.x and 8.x 14 | -CentOS 6.x and 7.x 15 | -Kali Linux 16 | 17 | All this being said.. I am _NOT_ claiming that Autosnort is better than any other IDS solution. Open-source is all about freedom of choice; simply consider Autosnort another option when you need to stand up an IDS sensor quickly and easily. 18 | 19 | If you feel that this script is not as robust as it can be, is missing key features, or does not implement functionality in an intuitive manner, I welcome all criticisms, bugs, feature requests, code contributions, and/or anything else you can throw at me. Also cash. Thanks for your time! 20 | 21 | 22 | Autosnort will: 23 | 24 | 1. Install the latest versions of Snort, Barnyard2, DAQ (Data Acquisition) Libraries as well as any other required repositories and pre-reqs for all of Snort's components automatically with no user input required (beyond filling out a configuration file) 25 | 26 | 2. Automatically download PulledPork and use it to pull down the latest available rules for your version of Snort, so long as you have a valid Oink Code -- it doesn't matter if it's a registered user or VRT subscription Oink Code. Don't have or know what an oink code is? Visit snort.org, register on their website and log in. There's an option to display your oink code once you log in. 27 | 28 | 3. Automatically install a variety of IDS event consoles/output mechanisms. Autosnort handles installation of pre-req packages for the console, configuration files, as well as configuring Apache to serve Web-Based IDS event consoles over HTTPS. 
You may choose among the following: 29 | 30 | --Bammv's SGUIL project (sguild and snort_agent.tcl) 31 | --Symmetrix Technologies' SnortReport web interface 32 | --Threat Stack's Snorby web interface (NO LONGER SUPPORTED - Scripts still provided) 33 | --Tactical Flex's Aanval web interface 34 | --BASE web interface (Currently hosted by SourceForge) 35 | --syslog_full messages to port 514/udp (think: barebones sensor install or SIEM integration) 36 | --configure barnyard2 to log to a remote database (central console, distributed sensors) 37 | --install no interface at all 38 | 39 | 40 | Requirements: 41 | 42 | 1. An internet connection -- Autosnort downloads OS repo packages required to install everything over the internet as well as system updates (exception: Autosnort offline!), so internet access is a must! 43 | 44 | 2. Root/sudo access -- several system-wide changes are made by Autosnort. As such, root privileges are required. 45 | 46 | 3. A minimum of two network interfaces is recommended. Autosnort dedicates one interface solely to sniffing traffic. This interface will NOT respond to any service requests at all, but this can easily be modified if you only have a single network interface. Get a second network card, if at all possible! 47 | 48 | 4. SSH/Secure remote access to the system for remote system administration is very highly recommended, but not absolutely necessary if you have console access. 49 | 50 | Here are the instructions to run Autosnort: 51 | 52 | 1. Edit the full_autosnort.conf file to reflect your installation requirements. At a minimum you will need to provide a password for the ROOT mysql user and the SNORT mysql user and finally a valid oink code for snort.org. By default, the config file will install mysql, httpd, snorby, snort, barnyard2 and init/systemd scripts. Snort will run on eth1. If you wish to change the default settings, the configuration file has tons of comments to help you along the way. 
There is a separate full_autosnort.conf for each operating system. 53 | 2. Run the autosnort-os-mm-dd-yyyy.sh script. By default, all of the files necessary to run autosnort are in the same directory. At a minimum, the script requires full_autosnort.conf, snortbarn (init/systemd script) and the interface install script (for example, autosnorby-ubuntu) to be in the SAME directory. By default, all the files required are in the same directory. 54 | Note: If you are installing aanval, you will also need the aanvalbpu (init/systemd script) to be in the same directory as well. If you are installing sguil, the initsguil init script must also be present. 55 | 3. Run the autosnort-os-mm-dd-yyyy.sh script: 56 | as root: 57 | bash autosnort-os-mm-dd-yyyy.sh 58 | alternatively: 59 | chmod u+x autosnort-os-mm-dd-yyyy.sh;./autosnort-os-mm-dd-yyyy.sh 60 | via sudo: 61 | sudo bash autosnort-os-mm-dd-yyyy.sh 62 | 4. The script should run completely without any user input. If there are any problems, the scripts log command output in the following locations: 63 | /var/log/autosnort_install.log 64 | /var/log/base_install.log 65 | /var/log/snortreport_install.log 66 | /var/log/snorby_install.log 67 | /var/log/aanval_install.log 68 | /var/log/sguil_install.log 69 | Contact me with a copy of any of the above log files and I'll do what I can to assist you. 70 | 71 | Note: After the installation is complete, either restrict access to the full_autosnort.conf file or delete it, so that the root and/or snort database user's passwords are not left readable. 
72 | 73 | snort is installed under: /opt/snort (by default, but can be user-modified) 74 | 75 | barnyard2 is installed under: /usr/local/bin 76 | 77 | pulledpork is installed under: /usr/src 78 | 79 | snort.conf and barnyard2.conf are located under: /opt/snort/etc (by default, but is modified if snort's install directory is changed) 80 | 81 | web interfaces are installed under: /var/www (ubuntu, debian, kali) or /var/www/html (centOS/RHEL) 82 | 83 | TO-DO List: 84 | 85 | 1. More complete support for distributed installs (e.g. mysql over SSL/STUNNEL) 86 | 87 | 2. Support for inline installations (afpacket, NFQ, pf_ring) 88 | -------------------------------------------------------------------------------- /Autosnort-Debian/Previous_Rel/previous interface install scripts/aanval-debian-02-08-2014.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | #Aanval shell script 'module' 3 | #Sets up Aanval for for Autosnort 4 | #WARNING: DO NOT TRY TO USE AANVAL TO MANAGE THE SENSOR! 5 | #GETTING THIS TO ACTUALLY WORK IS GOING TO TAKE A LOT OF TIME AND EFFORT 6 | #TO FIGURE OUT WHERE AANVAL IS TRYING TO LOOK FOR THINGS, NOT TO MENTION 7 | #SOME RE-WORKING OF AUTOSNORT ITSELF...THIS IS STRICTLY TO GET THE IDS 8 | #EVENT VIEW FUNCTIONALITY WORKING. 9 | 10 | ######################################## 11 | #logging setup: Stack Exchange made this. 12 | 13 | aanval_logfile=/var/log/aanval_install.log 14 | mkfifo ${aanval_logfile}.pipe 15 | tee < ${aanval_logfile}.pipe $aanval_logfile & 16 | exec &> ${aanval_logfile}.pipe 17 | rm ${aanval_logfile}.pipe 18 | 19 | ######################################## 20 | #Metasploit-like print statements: status, good, bad and notification. Gratouitiously copied from Darkoperator's metasploit install script. 
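# Metasploit-like print helpers: status (blue), good (green), error (red) and
# notification (yellow). Each takes one message argument ($1) and writes it to
# stdout behind a coloured "[*]" marker. printf '%s' is used so that a message
# containing backslashes is printed as-is (echo -e would interpret them).
print_status() {
  printf '\033[01;34m[*]\033[0m %s\n' "$1"
}

print_good() {
  printf '\033[01;32m[*]\033[0m %s\n' "$1"
}

print_error() {
  printf '\033[01;31m[*]\033[0m %s\n' "$1"
}

print_notification() {
  printf '\033[01;33m[*]\033[0m %s\n' "$1"
}

########################################

print_status "Grabbing packages for Aanval.."
# Most of the primary required packages are pulled by the main AS script; this
# adds the PHP/MySQL bits Aanval needs. The debconf answer for libphp-adodb is
# pre-seeded so apt-get does not stop to show its "pathmove" note.
# $aanval_logfile is set by the logging setup at the top of this script.
echo libphp-adodb libphp-adodb/pathmove note | debconf-set-selections
if ! apt-get install -y zlib1g-dev libmysqld-dev byacc libxml2-dev zlib1g php5 php5-mysql php5-gd nmap libssl-dev libcrypt-ssleay-perl libphp-adodb php-pear &>> "$aanval_logfile"; then
  print_error "Failed to acquire required packages for Aanval. See $aanval_logfile for details."
  exit 1
fi
print_good "Successfully acquired packages."

########################################

# Make the aanval directory under /var/www and cd into it. The cd is checked:
# if it failed silently, the tarball below would be fetched and unpacked into
# whatever the current directory happens to be.
mkdir -p /var/www/aanval
if ! cd /var/www/aanval; then
  print_error "Could not change directory to /var/www/aanval."
  exit 1
fi

# We need to grab aanval from the aanval.com site. If this fails, we exit the
# script with a status of 1. A check needs to be built into the main script to
# verify this script exits cleanly; if it doesn't, the user should be informed
# and brought back to the main interface selection menu.
# NOTE(review): --no-check-certificate disables TLS certificate verification for
# an archive that is unpacked straight into the web root and served as the
# console; drop the flag unless the server's certificate is known to be broken.
print_status "Grabbing Aanval.."
if ! wget https://www.aanval.com/download/pickup -O aanval.tar.gz --no-check-certificate &>> "$aanval_logfile"; then
  print_error "Attempt to pull down aanval console failed. See $aanval_logfile for details."
  exit 1
fi
print_good "Successfully downloaded Aanval."

print_status "Installing Aanval.."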
77 | 78 | tar -xzvf aanval.tar.gz &>> $aanval_logfile 79 | if [ $? != 0 ];then 80 | print_error "Attempt to unpack Aanval failed. See $aanval_logfile for details." 81 | exit 1 82 | else 83 | print_good "Successfully installed aanval to /var/www/aanval." 84 | fi 85 | rm -rf aanval.tar.gz 86 | 87 | ######################################## 88 | 89 | #Creating the database infrastructure for Aanval -- We make the database aanvaldb and give the snort user the ability to do work on it. 90 | #This database is totally separate from the snort database, BOTH must be present. 91 | 92 | print_status "Configuring mysql to work with Aanval.." 93 | 94 | while true; do 95 | print_notification "Enter the mysql root user password to create the aanvaldb database." 96 | mysql -u root -p -e "create database aanvaldb;" &>> $aanval_logfile 97 | if [ $? != 0 ]; then 98 | print_notification "the command did NOT complete successfully. (bad password?) Please try again." 99 | continue 100 | else 101 | print_good "aanvaldb database created!" 102 | break 103 | fi 104 | done 105 | 106 | #note: need to pass off mysql_pass_1 as an environment variable in the main script: 107 | #code: ask for snort database password, save to var MYSQL_PASS_1 (yes, case matters) 108 | #export MYSQL_PASS_1, call it in child shell script for aanval. ($MYSQL_PASS_1) 109 | 110 | while true; do 111 | print_notification "you'll need to enter the mysql root user password one more time to grant the snort database user permissions to the aanvaldb database." 112 | mysql -u root -p -e "grant create, insert, select, delete, update on aanvaldb.* to snort@localhost identified by '$MYSQL_PASS_1';" &>> $aanval_logfile 113 | if [ $? != 0 ]; then 114 | print_notification "the command did NOT complete successfully. (bad password?) Please try again." 115 | continue 116 | else 117 | print_good "database access granted!" 
118 | break 119 | fi 120 | done 121 | 122 | ######################################## 123 | 124 | print_status "Granting ownership of /var/www/aanval to www-data.." 125 | 126 | chown -R www-data:www-data /var/www/aanval 127 | 128 | print_status "Resetting DocumentRoot to /var/www/aanval" 129 | sed -i 's/DocumentRoot \/var\/www/DocumentRoot \/var\/www\/aanval/' /etc/apache2/sites-available/*default* 130 | 131 | print_status "Starting background processors for Aanval web interface.." 132 | cd /var/www/aanval/apps 133 | perl idsBackground.pl -start &>> $aanval_logfile 134 | if [ $? != 0 ];then 135 | print_error "failed to start background processors. See $aanval_logfile for details." 136 | exit 1 137 | else 138 | print_good "Successfully started background processors." 139 | fi 140 | 141 | ######################################## 142 | 143 | print_notification "The background processors need to run in order to export events fro the snort database to aanval's database." 144 | while true; do 145 | print_notification "Would you like to add commands to start the background processors on boot to rc.local?" 146 | read -p " 147 | Select 1 if you want entries added to /etc/rc.local 148 | Select 2 if you do not. 149 | " bgpstart 150 | case $bgpstart in 151 | 1) 152 | print_status "Adding job to start background processors on boot to /etc/rc.local." 153 | echo "cd /var/www/aanval/apps" >> /etc/rc.local 154 | echo "perl idsBackground.pl -start" >> /etc/rc.local 155 | print_good "Successfully added background processors to rc.local." 156 | break 157 | ;; 158 | 2) 159 | print_notification "If the system reboots, the background processors will need to be started." 160 | print_notification "You can do this by running: cd /var/www/aanval/apps && perl idsBackground.pl -start" 161 | break 162 | ;; 163 | *) 164 | print_notification "I didn't understand your response. Please try again." 
165 | continue 166 | ;; 167 | esac 168 | done 169 | 170 | print_notification "The log file for this interface installation is located at: $aanval_logfile" 171 | 172 | exit 0 -------------------------------------------------------------------------------- /Autosnort-CentOS/PolicyModules/passenger.te: -------------------------------------------------------------------------------- 1 | #Passenger.te -- this SELinux policy module basically allows snorby to do everything it needs to in order to maintain itself and the system. 2 | #It's insane that ROR/Snorby needs all this to work, in addition to other setsebools and chcons to work... but the bottom line is: You don't have to turn off SELinux to use this rails app. 3 | #For my own notes: checkmodule -M -m -o passenger.mod passenger.te && semodule_package -o passenger.pp -m passenger.mod && semodule -i passenger.pp 4 | module passenger 1.0; 5 | 6 | # Not an expert at SELinux module building, but this is similar to library declarations in C programming -- these are things that the module needs to be able to do and contexts the module needs to be able to understand 7 | 8 | require { 9 | type init_t; 10 | type initrc_t; 11 | type system_cronjob_t; 12 | type mysqld_t; 13 | type usr_t; 14 | type syslogd_t; 15 | type system_dbusd_t; 16 | type abrt_dump_oops_t; 17 | type dhcpc_t; 18 | type kernel_t; 19 | type auditd_t; 20 | type udev_t; 21 | type mysqld_safe_t; 22 | type postfix_pickup_t; 23 | type sshd_t; 24 | type crond_t; 25 | type getty_t; 26 | type anon_inodefs_t; 27 | type httpd_tmp_t; 28 | type devpts_t; 29 | type user_devpts_t; 30 | type httpd_sys_script_t; 31 | type security_t; 32 | type httpd_t; 33 | type unconfined_t; 34 | type selinux_config_t; 35 | type hi_reserved_port_t; 36 | type httpd_sys_content_t; 37 | type httpd_sys_rw_content_t; 38 | type var_t; 39 | type cert_t; 40 | type postfix_qmgr_t; 41 | type postfix_master_t; 42 | class file { getattr read create append write execute execute_no_trans open }; 43 | 
class process { siginh signal noatsecure rlimitinh setpgid getsession }; 44 | class unix_stream_socket { read write shutdown }; 45 | class chr_file { read write append ioctl }; 46 | class capability { setuid dac_override chown fsetid setgid fowner sys_nice sys_resource sys_ptrace kill }; 47 | class fifo_file { setattr create getattr unlink }; 48 | class sock_file { write getattr setattr create unlink }; 49 | class lnk_file { read getattr }; 50 | class udp_socket name_bind; 51 | class dir { write read search add_name getattr }; 52 | } 53 | #This stuff below is more of an access control list -- these are things the contexts below are requesting to be able to do in order to run properly. 54 | #============= httpd_sys_script_t ============== 55 | allow httpd_sys_script_t abrt_dump_oops_t:dir { search getattr }; 56 | allow httpd_sys_script_t abrt_dump_oops_t:file { read open }; 57 | allow httpd_sys_script_t anon_inodefs_t:file { read write }; 58 | allow httpd_sys_script_t auditd_t:dir { search getattr }; 59 | allow httpd_sys_script_t auditd_t:file { read open }; 60 | allow httpd_sys_script_t cert_t:dir { search getattr }; 61 | allow httpd_sys_script_t cert_t:file { read getattr }; 62 | allow httpd_sys_script_t cert_t:lnk_file read; 63 | allow httpd_sys_script_t crond_t:dir { search getattr }; 64 | allow httpd_sys_script_t crond_t:file { read open }; 65 | allow httpd_sys_script_t devpts_t:chr_file { read write }; 66 | allow httpd_sys_script_t dhcpc_t:dir { search getattr }; 67 | allow httpd_sys_script_t dhcpc_t:file { read open }; 68 | allow httpd_sys_script_t getty_t:dir { search getattr }; 69 | allow httpd_sys_script_t getty_t:file { read open }; 70 | allow httpd_sys_script_t httpd_sys_content_t:fifo_file setattr; 71 | allow httpd_sys_script_t httpd_sys_content_t:sock_file { create unlink setattr }; 72 | allow httpd_sys_script_t httpd_sys_rw_content_t:file { execute execute_no_trans }; 73 | allow httpd_sys_script_t httpd_t:dir { search getattr }; 74 | allow 
httpd_sys_script_t httpd_t:file { read open }; 75 | allow httpd_sys_script_t httpd_t:unix_stream_socket { read write }; 76 | allow httpd_sys_script_t httpd_tmp_t:fifo_file setattr; 77 | allow httpd_sys_script_t httpd_tmp_t:sock_file { write create unlink setattr }; 78 | allow httpd_sys_script_t init_t:dir { search getattr }; 79 | allow httpd_sys_script_t init_t:file { read open }; 80 | allow httpd_sys_script_t initrc_t:dir { search getattr }; 81 | allow httpd_sys_script_t initrc_t:file { read open }; 82 | allow httpd_sys_script_t kernel_t:dir { search getattr }; 83 | allow httpd_sys_script_t kernel_t:file { read open }; 84 | allow httpd_sys_script_t mysqld_safe_t:dir { search getattr }; 85 | allow httpd_sys_script_t mysqld_safe_t:file { read open }; 86 | allow httpd_sys_script_t mysqld_t:dir { search getattr }; 87 | allow httpd_sys_script_t mysqld_t:file { read open }; 88 | allow httpd_sys_script_t postfix_master_t:dir { search getattr }; 89 | allow httpd_sys_script_t postfix_master_t:file { read open }; 90 | allow httpd_sys_script_t postfix_pickup_t:dir { search getattr }; 91 | allow httpd_sys_script_t postfix_pickup_t:file { read open }; 92 | allow httpd_sys_script_t postfix_qmgr_t:dir { search getattr }; 93 | allow httpd_sys_script_t postfix_qmgr_t:file { read open }; 94 | allow httpd_sys_script_t self:capability { setuid chown fsetid setgid fowner dac_override sys_nice sys_resource sys_ptrace kill }; 95 | allow httpd_sys_script_t self:process { setpgid getsession }; 96 | allow httpd_sys_script_t sshd_t:dir { search getattr }; 97 | allow httpd_sys_script_t sshd_t:file { read open }; 98 | allow httpd_sys_script_t syslogd_t:dir { search getattr }; 99 | allow httpd_sys_script_t syslogd_t:file { read open }; 100 | allow httpd_sys_script_t system_cronjob_t:dir getattr; 101 | allow httpd_sys_script_t system_dbusd_t:dir { search getattr }; 102 | allow httpd_sys_script_t system_dbusd_t:file { read open }; 103 | allow httpd_sys_script_t udev_t:dir { search getattr }; 104 
| allow httpd_sys_script_t udev_t:file { read open }; 105 | allow httpd_sys_script_t unconfined_t:dir { search getattr }; 106 | allow httpd_sys_script_t unconfined_t:file { read open }; 107 | allow httpd_sys_script_t unconfined_t:process signal; 108 | allow httpd_sys_script_t user_devpts_t:chr_file { read write append ioctl }; 109 | allow httpd_sys_script_t usr_t:file execute; 110 | allow httpd_sys_script_t var_t:dir { write read add_name }; 111 | allow httpd_sys_script_t var_t:file { read getattr create append }; 112 | #============= httpd_t ============== 113 | allow httpd_t hi_reserved_port_t:udp_socket name_bind; 114 | allow httpd_t httpd_sys_content_t:fifo_file { create unlink getattr setattr }; 115 | allow httpd_t httpd_sys_content_t:sock_file { getattr unlink setattr }; 116 | allow httpd_t httpd_sys_script_t:process { siginh rlimitinh noatsecure }; 117 | allow httpd_t httpd_sys_script_t:unix_stream_socket { read write shutdown }; 118 | allow httpd_t httpd_tmp_t:fifo_file { create unlink getattr setattr }; 119 | allow httpd_t httpd_tmp_t:sock_file { getattr unlink setattr }; 120 | allow httpd_t security_t:dir search; 121 | allow httpd_t self:capability { fowner fsetid }; 122 | allow httpd_t selinux_config_t:dir search; 123 | allow httpd_t var_t:file { read getattr }; 124 | allow httpd_t var_t:lnk_file { read getattr }; -------------------------------------------------------------------------------- /Autosnort-Debian/Previous_Rel/previous interface install scripts/base-debian-10-23-2014.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | #BASE shell script 'module' for Debian. 3 | #Sets up BASE for Autosnort 4 | 5 | ######################################## 6 | #logging setup: Stack Exchange made this. 
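# Logging setup (Stack Exchange made this): everything this script writes to
# stdout/stderr is duplicated into $base_logfile through a named pipe, so the
# user still sees the coloured status lines while the log keeps a copy.
base_logfile=/var/log/base_install.log
mkfifo "${base_logfile}.pipe"
tee < "${base_logfile}.pipe" "$base_logfile" &
exec &> "${base_logfile}.pipe"
rm "${base_logfile}.pipe"

########################################
# Metasploit-like print statements: status (blue), good (green), error (red)
# and notification (yellow). Gratuitously copied from Darkoperator's metasploit
# install script. Each takes one message argument ($1) and writes it to stdout
# behind a coloured "[*]" marker; printf '%s' keeps backslashes in the message
# literal (echo -e would interpret them).

print_status() {
  printf '\033[01;34m[*]\033[0m %s\n' "$1"
}

print_good() {
  printf '\033[01;32m[*]\033[0m %s\n' "$1"
}

print_error() {
  printf '\033[01;31m[*]\033[0m %s\n' "$1"
}

print_notification() {
  printf '\033[01;33m[*]\033[0m %s\n' "$1"
}

########################################
# Grab packages for BASE. Most of the primary required packages are pulled by
# the main AS script; the debconf answer for libphp-adodb is pre-seeded so the
# install runs without stopping to show its "pathmove" note.

print_status "Grabbing packages required for BASE."

echo libphp-adodb libphp-adodb/pathmove note | debconf-set-selections
if ! apt-get install -y libphp-adodb ca-certificates php-pear libwww-perl php5 php5-mysql php5-gd &>> "$base_logfile"; then
  print_error "Failed to acquire required packages for Base. See $base_logfile for details."
  exit 1
fi
print_good "Successfully acquired packages."

########################################

# These are php-pear config commands seen in the 2.9.4.0 install guide for
# Debian. As before, only the final 'pear install' is fatal; the two config
# steps are logged but do not stop the script.

print_status "Configuring php via php-pear."

pear config-set preferred_state alpha &>> "$base_logfile"
pear channel-update pear.php.net &>> "$base_logfile"
if ! pear install --alldeps Image_Color Image_Canvas Image_Graph &>> "$base_logfile"; then
  # This step installs pear packages, not apt packages, so say so.
  print_error "Failed to install required pear packages for Base. See $base_logfile for details."
  exit 1
fi
print_good "Successfully acquired packages via pear install."

print_good "Successfully configured php via php-pear."

# Have to adjust PHP logging otherwise BASE will barf on startup.

print_status "Reconfiguring php error reporting for BASE."
sed -i 's/error_reporting \= E_ALL \& ~E_DEPRECATED/error_reporting \= E_ALL \& ~E_NOTICE/' /etc/php5/apache2/php.ini

########################################

# The BASE tarball creates a directory for us, all we need to do is move to
# webroot. The cd is checked so the tarball is never unpacked into a stray
# current directory.

print_status "Installing BASE."

if ! cd /var/www/; then
  print_error "Could not change directory to /var/www."
  exit 1
fi

# We need to grab BASE from sourceforge. If this fails, we exit the script with
# a status of 1. A check is built into the main script to verify this script
# exits cleanly; if it doesn't, the user should be informed and brought back to
# the main interface selection menu.
# NOTE(review): the tarball is fetched over plain HTTP and unpacked into the
# web root with no checksum or signature check; prefer an HTTPS URL and verify
# the archive before trusting it.

print_status "Grabbing BASE via Sourceforge."

if ! wget http://sourceforge.net/projects/secureideas/files/BASE/base-1.4.5/base-1.4.5.tar.gz -O base-1.4.5.tar.gz &>> "$base_logfile"; then
  print_error "Attempt to pull down BASE failed. See $base_logfile for details."
  exit 1
fi
print_good "Successfully downloaded the BASE tarball."

if ! tar -xzvf base-1.4.5.tar.gz &>> "$base_logfile"; then
  print_error "Attempt to install BASE has failed. See $base_logfile for details."
  exit 1
fi
print_good "Successfully installed base to /var/www/base."

rm -f -- base-1.4.5.tar.gz
# Refuse to rename onto an existing /var/www/base: mv would otherwise nest the
# freshly unpacked tree inside it and leave a half-installed console behind.
if [ -e /var/www/base ]; then
  print_error "/var/www/base already exists; remove or rename it and re-run this script."
  exit 1
fi
mv base-* base

# BASE requires the /var/www/ directory to be owned by www-data
print_status "Granting ownership of /var/www to www-data user and group."
chown -R www-data:www-data /var/www

########################################

#These are virtual host settings.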
The default virtual host forces redirect of all traffic to https (SSL, port 443) to ensure console traffic is encrypted and secure. We then enable the new SSL site we made, and restart apache to start serving it. 115 | 116 | 117 | print_status "Configuring Virtual Host Settings for Base.." 118 | echo "#This default vhost config geneated by autosnort. To remove, run cp /etc/apache2/defaultsiteconfbak /etc/apache2/sites-available/default" > /etc/apache2/sites-available/default 119 | echo "#This VHOST exists as a catch, to redirect any requests made via HTTP to HTTPS." >> /etc/apache2/sites-available/default 120 | echo "" >> /etc/apache2/sites-available/default 121 | echo " DocumentRoot /var/www/base" >> /etc/apache2/sites-available/default 122 | echo " #Mod_Rewrite Settings. Force everything to go over SSL." >> /etc/apache2/sites-available/default 123 | echo " RewriteEngine On" >> /etc/apache2/sites-available/default 124 | echo " RewriteCond %{HTTPS} off" >> /etc/apache2/sites-available/default 125 | echo " RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}" >> /etc/apache2/sites-available/default 126 | echo "" >> /etc/apache2/sites-available/default 127 | 128 | echo "#This is an SSL VHOST added by autosnort. Simply remove the file if you no longer wish to serve the web interface." > /etc/apache2/sites-available/base-ssl 129 | echo "" >> /etc/apache2/sites-available/base-ssl 130 | echo " #Turn on SSL. Most of the relevant settings are set in /etc/apache2/mods-available/ssl.conf" >> /etc/apache2/sites-available/base-ssl 131 | echo " SSLEngine on" >> /etc/apache2/sites-available/base-ssl 132 | echo "" >> /etc/apache2/sites-available/base-ssl 133 | echo " #Mod_Rewrite Settings. Force everything to go over SSL." 
>> /etc/apache2/sites-available/base-ssl 134 | echo " RewriteEngine On" >> /etc/apache2/sites-available/base-ssl 135 | echo " RewriteCond %{HTTPS} off" >> /etc/apache2/sites-available/base-ssl 136 | echo " RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}" >> /etc/apache2/sites-available/base-ssl 137 | echo "" >> /etc/apache2/sites-available/base-ssl 138 | echo " #Now, we finally get to configuring our VHOST." >> /etc/apache2/sites-available/base-ssl 139 | echo " ServerName base.localhost" >> /etc/apache2/sites-available/base-ssl 140 | echo " DocumentRoot /var/www/base" >> /etc/apache2/sites-available/base-ssl 141 | echo "" >> /etc/apache2/sites-available/base-ssl 142 | 143 | a2ensite base-ssl &>> $base_logfile 144 | if [ $? -ne 0 ]; then 145 | print_error "Failed to enable base-ssl virtual host. See $base_logfile for details." 146 | exit 1 147 | else 148 | print_good "Successfully made virtual host changes." 149 | fi 150 | 151 | service apache2 restart &>> $base_logfile 152 | if [ $? -ne 0 ]; then 153 | print_error "Failed to restart apache2. See $base_logfile for details." 154 | exit 1 155 | else 156 | print_good "Successfully restarted apache2." 157 | fi 158 | 159 | print_notification "The log file for this interface installation is located at: $base_logfile" 160 | 161 | exit 0 -------------------------------------------------------------------------------- /Autosnort-Ubuntu/Previous_Rel/previous interface install scripts/snorby-ubuntu.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | #Snorby shell script 'module' 3 | #Sets up snorby for Autosnort 4 | 5 | #This entire first block is to: Grab pre-reqs for Snorby, rvm (to install and automatically fix dependencies for ruby), install all the gems needed for snorby, then pull down snorby via github. 
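# Grab pre-reqs for Snorby, rvm (to install and automatically fix dependencies
# for ruby), install all the gems needed for snorby, then pull down snorby via
# github. Everything below runs as root and installs software, so the steps
# whose failure would leave a broken install are checked and the script stops
# instead of ploughing on.

# die: print a message to stderr and exit with status 1.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# sed_escape_pattern: print $1 escaped so it matches itself literally in the
# pattern half of an s/.../.../ command (backslash first, then the BRE
# metacharacters and the '/' delimiter).
sed_escape_pattern() {
  printf '%s\n' "$1" | sed -e 's|\\|\\\\|g' -e 's|[]/$*.^[]|\\&|g'
}

# sed_escape_replacement: print $1 escaped for the replacement half of an
# s/.../.../ command, where '\', '&' and the '/' delimiter are special.
sed_escape_replacement() {
  printf '%s\n' "$1" | sed -e 's|[\\/&]|\\&|g'
}

apt-get install -y libyaml-dev git-core wkhtmltopdf libssl-dev libxslt1-dev libsqlite3-dev libmysql++-dev libcurl4-openssl-dev apache2-prefork-dev default-jre-headless curl sudo || die "Failed to install the packages Snorby needs."
# NOTE(review): this pipes a remote script straight into a root shell without
# any verification of what was downloaded. Consider fetching the installer to a
# file and checking its signature before running it.
\curl -\#L https://get.rvm.io | sudo bash -s stable
/usr/local/rvm/bin/rvm autolibs enable
source /etc/profile.d/rvm.sh || die "rvm did not install /etc/profile.d/rvm.sh."

# Work out the current ruby version by scraping the ruby-lang download page.
# The page goes into a mktemp file rather than a fixed name under /tmp, the
# fetch uses https, and the result is checked so that an empty version never
# reaches 'rvm install'.
downloads_page=$(mktemp) || die "mktemp failed."
wget https://www.ruby-lang.org/en/downloads/ -O "$downloads_page" || die "Could not fetch the ruby download page."
rubyver=$(grep -e "ruby-" "$downloads_page" | head -2 | tail -1 | cut -d"-" -f3,4 | cut -d"." -f1,2,3)
rm -f -- "$downloads_page"
[ -n "$rubyver" ] || die "Could not determine the ruby version to install from the download page."
rvm install "ruby-$rubyver" || die "rvm failed to install ruby-$rubyver."
gem install thor i18n bundler tzinfo builder memcache-client rack rack-test rack-mount rails rake rubygems-update erubis mail text-format sqlite3 daemon_controller passenger || die "gem install failed."
update_rubygems
cd /var/www/ || die "Could not change directory to /var/www."
# Cloned over https so the checkout cannot be altered in transit.
git clone https://github.com/Snorby/snorby.git || die "git clone of snorby failed."

# Now that we pulled down snorby, we have to modify the configuration files.
# sed is used to point snorby to the proper path for wkhtmltopdf, and we have
# the user enter the root mysql user's creds to have snorby create the snorby
# database. database.yml is world readable by default; the root credentials
# written into it here are swapped for the snort database user's at the end of
# this script.

cd /var/www/snorby/config || die "Could not change directory to /var/www/snorby/config."
cp database.yml.example database.yml              # database name, user, and password
cp snorby_config.yml.example snorby_config.yml    # change path to wkhtmltopdf to /usr/bin/wkhtmltopdf
sed -i 's|usr/local/bin|usr/bin|' snorby_config.yml

while true; do
  echo "Please enter the ROOT mysql user's password. Snorby needs it in order to create the snorby database."
  # -r keeps backslashes in the password literal; -s stops it echoing.
  read -r -s -p "Please enter the ROOT database user password:" root_pass_1
  echo ""
  read -r -s -p "Confirm:" root_pass_2
  echo ""
  if [ "$root_pass_1" == "$root_pass_2" ]; then
    echo "password confirmed."
    echo ""
    # The password is escaped before it goes into the sed replacement, so a
    # '/', '&' or '\' in it can no longer corrupt (or end) the s/// command.
    root_pass_repl=$(sed_escape_replacement "$root_pass_1")
    sed -i "s/password: \"Enter Password Here\" # Example: password: \"s3cr3tsauce\"/password: ${root_pass_repl}/" database.yml
    break
  fi
  echo ""
  echo "Passwords do not match. Please try again."
done
unset root_pass_2

# This entire block and all the echo statements below are to install the
# passenger apache module. I don't know much about rails or ruby, other than
# passenger is considered vital to getting everything to work. This compiles
# passenger, adds it to apache2.conf and creates a new default site for snorby.

# Find the installed passenger gem version from its directory name instead of
# parsing ls output; stop if no passenger gem is there.
passengerver=
for gemdir in /usr/local/rvm/gems/ruby-"$rubyver"/gems/passenger-*/; do
  [ -d "$gemdir" ] || continue
  gemdir=${gemdir%/}
  passengerver=${gemdir##*/passenger-}
done
[ -n "$passengerver" ] || die "Could not find the passenger gem under /usr/local/rvm/gems/ruby-$rubyver/gems/."
passenger-install-apache2-module --auto   # takes a long time to compile the .so
# add to apache2.conf:
cat >> /etc/apache2/apache2.conf <<EOF

# This stuff is to make Snorby work properly mod_passenger is required for snorby to work.

LoadModule passenger_module /usr/local/rvm/gems/ruby-$rubyver/gems/passenger-$passengerver/libout/apache2/mod_passenger.so
PassengerRoot /usr/local/rvm/gems/ruby-$rubyver/gems/passenger-$passengerver
PassengerDefaultRuby /usr/local/rvm/wrappers/ruby-$rubyver/ruby
EOF

# add to sites-available/snorby, disable default site. wonder if maybe I should
# try doing this for the other web interfaces?
# NOTE(review): these lines are reproduced as they appear in this copy of the
# script; the enclosing VirtualHost/Directory directives one would expect
# around them are not visible here — confirm against the original file.
{
  echo ""
  echo " ServerName snorby.localhost"
  echo " # !!! Be sure to point DocumentRoot to 'public'!"
  echo " DocumentRoot /var/www/snorby/public"
  echo " "
  echo " # This relaxes Apache security settings."
  echo " AllowOverride all"
  echo " # MultiViews must be turned off."
  echo " Options -MultiViews"
  echo " "
  echo ""
} >> /etc/apache2/sites-available/snorby

# The below portion are the final steps. The first thing we do is make a copy
# of the Gemfile.lock, and using grep -v, remove all references to
# psych_shield in the Gemfile.lock file. Reason for this is that bundler will
# bomb out because it sees an inconsistency with the Gemfile.lock and Gemfile.
# Grepping out psych_shield fixes that.

# The rest is to perform the final installation steps for snorby: use bundler
# to grab the remaining gems needed and configure everything, then rake to make
# it run. The a2dis/ensite are to disable the default apache site and enable
# snorby, setting it as the default site.
# TODO: https

cd /var/www/snorby || die "Could not change directory to /var/www/snorby."
cp Gemfile.lock Gemfile.lock.bak
grep -v psych_shield Gemfile.lock.bak > Gemfile.lock
bundle install --deployment || die "bundle install failed."

rake snorby:setup || die "rake snorby:setup failed."

# The commands below are to drop privileges: We want to have the snort user
# manage the snorby database. This is done for security purposes. I'm not
# comfortable with the root database user's creds being in a world-readable
# file.
# MYSQL_PASS_1 is exported by the main script; without it the grant would
# silently give the snort user an empty password.
[ -n "$MYSQL_PASS_1" ] || die "MYSQL_PASS_1 is not set; the main script must export the snort database user's password."
# Single quotes in the password are doubled so they cannot break out of the
# SQL string literal (backslashes are still subject to MySQL's own escaping).
snort_pass_sql=${MYSQL_PASS_1//"'"/"''"}
# The root password goes in via MYSQL_PWD rather than -p<password>, which would
# expose it to every local user through the process list.
MYSQL_PWD="$root_pass_1" mysql -uroot -e "grant create, insert, select, delete, update on snorby.* to snort@localhost identified by '${snort_pass_sql}';" || die "Failed to grant the snort database user rights on the snorby database."
sed -i 's/username: root/username: snort/' /var/www/snorby/config/database.yml
# Both passwords are escaped: the root one is used as a sed pattern, the snort
# one as a replacement.
root_pass_pat=$(sed_escape_pattern "$root_pass_1")
snort_pass_repl=$(sed_escape_replacement "$MYSQL_PASS_1")
sed -i "s/password: ${root_pass_pat}/password: ${snort_pass_repl}/" /var/www/snorby/config/database.yml
sed -i 's/dbname=snort/dbname=snorby/' /usr/local/snort/etc/barnyard2.conf

#give www-data access to snorby's files, enable the snort site, disable the default, restart apache.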
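
# Hand the checkout to the web server account. Passenger runs the application
# as the owner of config.ru, so www-data must own the tree. database.yml now
# carries the snort mysql user's credentials; after the chown it was still
# world-readable (the author's own concern above), so restrict it to the
# owning account.
chown -R www-data:www-data /var/www/snorby/
chmod 640 /var/www/snorby/config/database.yml

# Swap the stock default site for the snorby vhost and reload apache so the
# LoadModule/PassengerRoot lines appended to apache2.conf take effect. Failing
# to enable the site or reload leaves the console unreachable, so those two
# are fatal; a2dissite is only a warning because on newer apache the stock
# site is named differently (the 11-02-2014 base script uses 000-default.conf).
a2dissite default || echo "warning: could not disable the default site" >&2
a2ensite snorby || { echo "error: a2ensite snorby failed" >&2; exit 1; }
service apache2 reload || { echo "error: apache2 reload failed" >&2; exit 1; }

# barnyard2.conf has already been pointed at the snorby database and the snort
# mysql user has been granted rights on it (the grant/sed steps above), so the
# root database credentials no longer sit in database.yml.

# Starting delayed_job and the cache jobs from rc.local does not work at boot
# (running the same commands by hand as root does), so they stay disabled
# until a reliable boot-time method is found:
#echo "cd /var/www/snorby && ruby script/delayed_job start" >> /etc/rc.local
#echo "cd /var/www/snorby && rails runner 'Snorby::Jobs::SensorCacheJob.new(false).perform; Snorby::Jobs::DailyCacheJob.new(false).perform'" >> /etc/rc.local

# TODO: SSL config. Until this is done the console is served over plain HTTP,
# so logins and alert data cross the network unencrypted.
#a2enmod ssl
#a2enmod rewrite
#more to come here...
--------------------------------------------------------------------------------
/Autosnort-Debian/Previous_Rel/previous interface install scripts/snorby-debian.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#Snorby shell script 'module'
#Sets up snorby for Autosnort

#This entire first block is to: grab pre-reqs for Snorby, rvm (to install and automatically fix dependencies for ruby), install all the gems needed for snorby, then pull down snorby via github.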
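
# MYSQL_PASS_1 (the snort mysql user's password) is expected from the calling
# script. Check it before the long install: left unset, the grant at the end
# would create snort@localhost with an EMPTY password.
: "${MYSQL_PASS_1:?MYSQL_PASS_1 (snort mysql user password) must be set by the calling script}"

# Pre-reqs for snorby: build deps, rvm (to install ruby and sort out its
# dependencies), the gems snorby needs, then the snorby checkout itself.
apt-get install -y libyaml-dev git-core wkhtmltopdf libssl-dev libxslt1-dev libsqlite3-dev libmysql++-dev libcurl4-openssl-dev apache2-prefork-dev default-jre-headless curl sudo || { echo "error: apt-get install of snorby pre-reqs failed" >&2; exit 1; }

# The rvm installer is remote code that runs as root. It is fetched with TLS
# certificate verification ON (the old -k switch let anyone on the path
# substitute the script) into a private temp file rather than piped straight
# into bash, so a truncated download is not half-executed. It is still
# unsigned remote code: trust rests on the TLS connection to get.rvm.io.
rvm_installer=$(mktemp) || exit 1
if ! curl --fail --progress-bar --location https://get.rvm.io -o "$rvm_installer"; then
    echo "error: could not download the rvm installer" >&2
    rm -f "$rvm_installer"
    exit 1
fi
if ! sudo bash "$rvm_installer" stable; then
    rm -f "$rvm_installer"
    echo "error: rvm install failed" >&2
    exit 1
fi
rm -f "$rvm_installer"
/usr/local/rvm/bin/rvm autolibs enable
source /etc/profile.d/rvm.sh

# Work out the current ruby release by scraping the downloads page (second
# "ruby-" hit, e.g. ruby-2.1.2.tar.gz -> 2.1.2) over HTTPS, into a throw-away
# temp file instead of a fixed name under /tmp. The scrape is fragile, so an
# empty or non-numeric result is an error rather than a request to install
# "ruby-".
downloads_html=$(mktemp) || exit 1
wget https://www.ruby-lang.org/en/downloads/ -O "$downloads_html"
rubyver=$(grep -e "ruby-" "$downloads_html" | head -2 | tail -1 | cut -d"-" -f3,4 | cut -d"." -f1,2,3)
rm -f "$downloads_html"
if [[ ! "$rubyver" =~ ^[0-9]+\.[0-9]+ ]]; then
    echo "error: could not determine the current ruby version from the downloads page (got '$rubyver')" >&2
    exit 1
fi
rvm install "ruby-$rubyver" || { echo "error: rvm install ruby-$rubyver failed" >&2; exit 1; }
gem install thor i18n bundler tzinfo builder memcache-client rack rack-test rack-mount rails rake rubygems-update erubis mail text-format sqlite3 daemon_controller passenger
update_rubygems
cd /var/www/ || exit 1
# https: a plain-http clone can be altered in transit.
git clone https://github.com/Snorby/snorby.git || { echo "error: git clone of snorby failed" >&2; exit 1; }

# Helpers so that passwords containing sed, SQL or YAML metacharacters neither
# corrupt the files they are written into nor break the statements they are
# embedded in. Each reads its single argument and prints the escaped form.

# sed_repl: escape for the replacement side of s/// with the / delimiter
# (backslash, slash, ampersand).
sed_repl() {
    printf '%s' "$1" | sed -e 's/[\/&]/\\&/g'
}
# sed_pat: escape for use as a literal BRE pattern with the / delimiter.
sed_pat() {
    printf '%s' "$1" | sed -e 's/[][\/.*^$]/\\&/g'
}
# yaml_sq: the value as a single-quoted YAML scalar (only ' needs doubling).
yaml_sq() {
    printf "'%s'" "$(printf '%s' "$1" | sed -e "s/'/''/g")"
}
# sql_str: escape backslash and single quote for a single-quoted MySQL literal.
sql_str() {
    printf '%s' "$1" | sed -e 's/[\\'"'"']/\\&/g'
}

# Snorby config: point it at the distro wkhtmltopdf, and have the user supply
# the ROOT mysql password so snorby can create its database. The root
# credentials live in database.yml only until the privilege drop below, and
# the file is made unreadable to other local accounts right away (ownership is
# handed to www-data later, which keeps the mode).
cd /var/www/snorby/config || exit 1
cp database.yml.example database.yml #database name, user, and password
chmod 640 database.yml
cp snorby_config.yml.example snorby_config.yml #change path to wkhtmltopdf to /usr/bin/wkhtmltopdf
sed -i 's|usr/local/bin|usr/bin|' snorby_config.yml

while true; do
    echo "Please enter the ROOT mysql user's password. Snorby needs it in order to create the snorby database."
    read -r -s -p "Please enter the ROOT database user password:" root_pass_1
    echo ""
    read -r -s -p "Confirm:" root_pass_2
    echo ""
    if [ "$root_pass_1" == "$root_pass_2" ]; then
        echo "password confirmed."
        echo ""
        # Written as a single-quoted YAML scalar and escaped for sed, so a
        # password containing / & # : or quotes neither breaks the edit
        # (the old unquoted expansion also word-split on spaces) nor the YAML.
        sed -i 's/password: "Enter Password Here" # Example: password: "s3cr3tsauce"/password: '"$(sed_repl "$(yaml_sq "$root_pass_1")")"'/' database.yml
        break
    else
        echo ""
        echo -e "Passwords do not match. Please try again."
        continue
    fi
done

# Passenger: compile the apache module (slow) and register it in apache2.conf.
# passengerver is taken from the gem directory name; bail out if that lookup
# came back empty instead of writing a LoadModule line for a missing .so.
passengerver=$(ls "/usr/local/rvm/gems/ruby-$rubyver/gems/" | grep passenger | cut -d"-" -f2,3)
if [ -z "$passengerver" ]; then
    echo "error: could not find the passenger gem under /usr/local/rvm/gems/ruby-$rubyver/gems/" >&2
    exit 1
fi
passenger-install-apache2-module --auto #takes a long time to compile the .so
cat >> /etc/apache2/apache2.conf <<EOF

# This stuff is to make Snorby work properly mod_passenger is required for snorby to work.

LoadModule passenger_module /usr/local/rvm/gems/ruby-$rubyver/gems/passenger-$passengerver/libout/apache2/mod_passenger.so
PassengerRoot /usr/local/rvm/gems/ruby-$rubyver/gems/passenger-$passengerver
PassengerDefaultRuby /usr/local/rvm/wrappers/ruby-$rubyver/ruby
EOF

# Snorby site definition (sites-available/snorby; the default site is disabled
# and this one enabled at the end of the script).
# NOTE(review): this listing appears to have lost the container directives of
# the vhost (the blank lines below are where they would sit), so the file as
# written here is not a complete apache config; compare with the upstream
# file before relying on it. "AllowOverride all" lets .htaccess files under
# the DocumentRoot override server settings, which is what the comment means
# by relaxing security; tighten it if the app does not need .htaccess.
cat >> /etc/apache2/sites-available/snorby <<'EOF'

 ServerName snorby.localhost
 # !!! Be sure to point DocumentRoot to 'public'!
 DocumentRoot /var/www/snorby/public
 
 # This relaxes Apache security settings.
 AllowOverride all
 # MultiViews must be turned off.
 Options -MultiViews
 

EOF

# Final install: bundler bombs out because Gemfile.lock references
# psych_shield while the Gemfile does not, so that entry is filtered out of a
# backup copy; then bundler pulls the remaining gems and rake sets snorby up.
# TODO: https
cd /var/www/snorby || exit 1
cp Gemfile.lock Gemfile.lock.bak
grep -v psych_shield Gemfile.lock.bak > Gemfile.lock
bundle install --deployment || { echo "error: bundle install failed" >&2; exit 1; }

rake snorby:setup || { echo "error: rake snorby:setup failed" >&2; exit 1; }

# Privilege drop: the snorby database is handed to the snort mysql user so the
# root database credentials do not stay in database.yml.
#
# The root password goes to the mysql client through a mode-0600 defaults
# file instead of -p<password> on the command line, where every local user
# could read it from the process list. Backslash and double quote are
# backslash-escaped for the option-file parser; verify with a password
# containing quotes before relying on it.
mysql_defaults=$(mktemp) || exit 1
chmod 600 "$mysql_defaults"
printf '[client]\nuser=root\npassword="%s"\n' "$(printf '%s' "$root_pass_1" | sed -e 's/[\\"]/\\&/g')" > "$mysql_defaults"
mysql --defaults-extra-file="$mysql_defaults" -e "grant create, insert, select, delete, update on snorby.* to snort@localhost identified by '$(sql_str "$MYSQL_PASS_1")';"
grant_rc=$?
rm -f "$mysql_defaults"
if [ "$grant_rc" -ne 0 ]; then
    echo "error: could not grant the snort mysql user rights on the snorby database" >&2
    exit 1
fi
sed -i 's/username: root/username: snort/' /var/www/snorby/config/database.yml
# The root password is matched as a literal (escaped BRE), not as a regex.
sed -i 's/password: '"$(sed_pat "$(yaml_sq "$root_pass_1")")"'/password: '"$(sed_repl "$(yaml_sq "$MYSQL_PASS_1")")"'/' /var/www/snorby/config/database.yml
sed -i 's/dbname=snort/dbname=snorby/' /usr/local/snort/etc/barnyard2.conf

#give www-data access to snorby's files, enable the snort site, disable the default, restart apache.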
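
# Hand the checkout to the web server account. Passenger runs the application
# as the owner of config.ru, so www-data must own the tree. database.yml now
# carries the snort mysql user's credentials; after the chown it was still
# world-readable (the author's own concern above), so restrict it to the
# owning account.
chown -R www-data:www-data /var/www/snorby/
chmod 640 /var/www/snorby/config/database.yml

# Swap the stock default site for the snorby vhost and reload apache so the
# LoadModule/PassengerRoot lines appended to apache2.conf take effect. Failing
# to enable the site or reload leaves the console unreachable, so those two
# are fatal; a2dissite is only a warning because on newer apache the stock
# site is named differently (the 11-02-2014 base script uses 000-default.conf).
a2dissite default || echo "warning: could not disable the default site" >&2
a2ensite snorby || { echo "error: a2ensite snorby failed" >&2; exit 1; }
service apache2 reload || { echo "error: apache2 reload failed" >&2; exit 1; }

# barnyard2.conf has already been pointed at the snorby database and the snort
# mysql user has been granted rights on it (the grant/sed steps above), so the
# root database credentials no longer sit in database.yml.

# Starting delayed_job and the cache jobs from rc.local does not work at boot
# (running the same commands by hand as root does), so they stay disabled
# until a reliable boot-time method is found:
#echo "cd /var/www/snorby && ruby script/delayed_job start" >> /etc/rc.local
#echo "cd /var/www/snorby && rails runner 'Snorby::Jobs::SensorCacheJob.new(false).perform; Snorby::Jobs::DailyCacheJob.new(false).perform'" >> /etc/rc.local

# TODO: SSL config. Until this is done the console is served over plain HTTP,
# so logins and alert data cross the network unencrypted.
#a2enmod ssl
#a2enmod rewrite
#more to come here...
--------------------------------------------------------------------------------
/Autosnort-Kali/Previous_Rel/previous interface install scripts/autobase-kali.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#BASE shell script 'module' for Debian.
#Sets up BASE for Autosnort

########################################
#logging setup: Stack Exchange made this.
# Everything this script prints (stdout and stderr) is copied to the log file
# as well as the terminal: a named pipe feeds tee, the script's output is
# redirected into the pipe, and the pipe node is unlinked straight away (the
# open descriptors keep it alive). A stale pipe left by an interrupted run
# would make mkfifo fail, so it is removed first. /var/log is root-only, so
# the fixed pipe name is not exposed to other users.

base_logfile=/var/log/base_install.log
rm -f "${base_logfile}.pipe"
mkfifo "${base_logfile}.pipe"
tee < "${base_logfile}.pipe" "$base_logfile" &
exec &> "${base_logfile}.pipe"
rm "${base_logfile}.pipe"

########################################
#Metasploit-like print statements: status, good, bad and notification. Gratuitously copied from Darkoperator's metasploit install script.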
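
# Coloured "[*]" status line followed by the message in $1. All four print to
# stdout, which the logging setup above also copies into the log file.
function print_status () {
    echo -e "\x1B[01;34m[*]\x1B[0m $1"
}

function print_good () {
    echo -e "\x1B[01;32m[*]\x1B[0m $1"
}

function print_error () {
    echo -e "\x1B[01;31m[*]\x1B[0m $1"
}

function print_notification () {
    echo -e "\x1B[01;33m[*]\x1B[0m $1"
}

########################################
# Grab packages for BASE, and suppress the libphp-adodb pathmove notice.
# Most of the primary required packages are pulled by the main AS script.
#
# full_autosnort.conf is sourced from the directory this module was launched
# in, i.e. executed as root, so it has to come from the trusted Autosnort
# checkout. A missing file is reported and fatal here instead of bash's
# non-fatal "No such file" followed by a run with no settings.

execdir=$(pwd)
if [ ! -r "$execdir/full_autosnort.conf" ]; then
    print_error "full_autosnort.conf was not found in $execdir. Run this module from the Autosnort directory that contains it."
    exit 1
fi
source "$execdir/full_autosnort.conf"

print_status "Grabbing packages required for BASE."

echo libphp-adodb libphp-adodb/pathmove note | debconf-set-selections
if ! apt-get install -y libphp-adodb ca-certificates php-pear libwww-perl php5 php5-mysql php5-gd &>> "$base_logfile"; then
    print_error "Failed to acquire required packages for Base. See $base_logfile for details."
    exit 1
else
    print_good "Successfully acquired packages."
fi

########################################

# php-pear setup, as seen in the snort 2.9.4.0 install guide for Debian.
# preferred_state=alpha lets pear install packages that only have alpha
# releases (presumably the Image_* packages below -- verify); note it also
# applies to anything installed through pear afterwards on this host.

print_status "Configuring php via php-pear."

pear config-set preferred_state alpha &>> "$base_logfile"
pear channel-update pear.php.net &>> "$base_logfile"
if ! pear install --alldeps Image_Color Image_Canvas Image_Graph &>> "$base_logfile"; then
    print_error "Failed to acquire required packages for Base. See $base_logfile for details."
    exit 1
else
    print_good "Successfully acquired packages via pear install."
fi

print_good "Successfully configured php via php-pear."

#Have to adjust PHP logging otherwise BASE will barf on startup.

print_status "Reconfiguring php error reporting for BASE."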
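sed -i 's/error_reporting \= E_ALL \& ~E_DEPRECATED/error_reporting \= E_ALL \& ~E_NOTICE/' /etc/php5/apache2/php.ini

########################################

# The BASE tarball unpacks into its own directory, so it is fetched and
# extracted straight into the webroot and then renamed.

print_status "Installing BASE."

cd /var/www/ || { print_error "Could not change to /var/www."; exit 1; }

# BASE comes from sourceforge. If this fails, we exit the script with a status of 1:
# a check is built into the main script to verify this script exits cleanly. If it doesn't,
# the user should be informed and brought back to the main interface selection menu.
#
# The download is now over HTTPS (it was plain HTTP, so anyone on the path
# could have swapped the archive that ends up in the webroot). There is still
# no integrity check, because no checksum for base-1.4.5.tar.gz is recorded
# here. TODO: pin the SHA-256 of the known-good tarball and verify it before
# extracting.

base_tarball=base-1.4.5.tar.gz
print_status "Grabbing BASE via Sourceforge."

if ! wget "https://sourceforge.net/projects/secureideas/files/BASE/base-1.4.5/$base_tarball" -O "$base_tarball" &>> "$base_logfile"; then
    print_error "Attempt to pull down BASE failed. See $base_logfile for details."
    exit 1
else
    print_good "Successfully downloaded the BASE tarball."
fi

if ! tar -xzvf "$base_tarball" &>> "$base_logfile"; then
    print_error "Attempt to install BASE has failed. See $base_logfile for details."
    exit 1
else
    print_good "Successfully installed base to /var/www/base."
fi

rm "$base_tarball"
mv base-* base

#BASE requires the /var/www/ directory to be owned by www-data.
# NOTE(review): this hands the entire webroot, not just /var/www/base, to the
# web server account, so a code-execution bug in any served page can rewrite
# every file under /var/www. Scoping the chown to /var/www/base is worth
# testing against BASE's setup page.
print_status "Granting ownership of /var/www to www-data user and group."
chown -R www-data:www-data /var/www

########################################

# Virtual hosts. The default vhost catches plain-HTTP requests and redirects
# them to https so console logins and alert data are never sent in the clear;
# base-ssl serves the console. The rewrite needs mod_rewrite, and the TLS
# settings come from mod_ssl's ssl.conf; neither module is enabled by this
# module (no a2enmod here), so that is assumed to happen in the main script.
#
# The generated comment tells the admin to restore the old default site from
# /etc/apache2/defaultsiteconfbak, so that backup is taken here before the
# file is overwritten (-n keeps one an earlier run already left behind; the
# error is silenced because a missing default site is not a problem).
#
# NOTE(review): the container directives of both vhosts appear to have been
# stripped from this listing (the blank lines below), so the files as written
# here are not complete apache config; compare with the upstream file.

print_status "Configuring Virtual Host Settings for Base.."
cp -n /etc/apache2/sites-available/default /etc/apache2/defaultsiteconfbak 2>/dev/null
cat > /etc/apache2/sites-available/default <<'EOF'
#This default vhost config geneated by autosnort. To remove, run cp /etc/apache2/defaultsiteconfbak /etc/apache2/sites-available/default
#This VHOST exists as a catch, to redirect any requests made via HTTP to HTTPS.

 DocumentRoot /var/www/base
 #Mod_Rewrite Settings. Force everything to go over SSL.
 RewriteEngine On
 RewriteCond %{HTTPS} off
 RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

EOF

cat > /etc/apache2/sites-available/base-ssl <<'EOF'
#This is an SSL VHOST added by autosnort. Simply remove the file if you no longer wish to serve the web interface.

 #Turn on SSL. Most of the relevant settings are set in /etc/apache2/mods-available/ssl.conf
 SSLEngine on

 #Mod_Rewrite Settings. Force everything to go over SSL.
 RewriteEngine On
 RewriteCond %{HTTPS} off
 RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

 #Now, we finally get to configuring our VHOST.
 ServerName base.localhost
 DocumentRoot /var/www/base

EOF

if ! a2ensite base-ssl &>> "$base_logfile"; then
    print_error "Failed to enable base-ssl virtual host. See $base_logfile for details."
    exit 1
else
    print_good "Successfully made virtual host changes."
fi

if ! service apache2 restart &>> "$base_logfile"; then
    print_error "Failed to restart apache2. See $base_logfile for details."
    exit 1
else
    print_good "Successfully restarted apache2."
fi

print_notification "The log file for this interface installation is located at: $base_logfile"

exit 0
--------------------------------------------------------------------------------
/Autosnort-Ubuntu/AVATAR/readme.txt:
--------------------------------------------------------------------------------
This is a special release of autosnort meant to be used for students in the Building Virtual Labs class and/or readers of Building Virtual Machine Labs: A Hands-On Guide book. This script performs the following tasks:

-Downloads required pre-reqs to run and compile snort
-Compiles snort with the --enable-sourcefire config option. Snort is installed to /opt/snort/bin/snort, while snort's supporting files are installed to /opt/snort/etc
-Downloads pulledpork.pl to /usr/src/pulledpork, and creates a stripped-down pulledpork.conf in /usr/src/pulledpork/etc.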
This is used to download the latest TALOS rules (with a valid register/subscriber oinkcode) 6 | -Configures snort for inline mode operation via af-packet bridging 7 | -Installs the "snortd" systemd service script for service persistence and control 8 | -Very stripped-down: This installer does NOT install barnyard2, or include any options to install an interface of any sort. This installs pulledpork, and snort with some persistence, and that's it. 9 | -Inline mode operation: This installer requires a minimum of 3 network interfaces to work properly. Two interfaces will be placed into inline mode via the AFPACKET DAQ. ARP will be disabled on these interfaces, meaning that your system will NOT respond to any traffic sent to these interfaces. By default, the script will attempt to bridge the eth1 and eth2 interfaces. You can specify different interface names to be bridged in the full_autosnort.conf file 10 | -Pulledpork.pl is installed and used to download the initial ruleset for snort. You will need to register a free account on snort.org (or pay for a rule subscription), and copy your oinkcode into the full_autosnort.conf file for this script to work properly. The oinkcode is tied to your snort.org account, so treat full_autosnort.conf as a credential file and keep it readable only by root. 11 | 12 | 1. pull https://github.com/da667/Autosnort 13 | 2. cd Autosnort/Autosnort-Ubuntu/AVATAR 14 | 3. modify full_autosnort.conf (e.g. interface names, base installation directory, etc.). At an absolute minimum you MUST input a valid snort.org Oink Code 15 | 4. As root, (or via "sudo") run autosnort-ubuntu-AVATAR.sh 16 | 5. On successful reboot, snort should be running (try ps -ef | grep snort to check) 17 | 6. snortd.service should be registered, you can use 'service snortd (start|stop|status|restart)' to control the snort process, and/or use systemd systemctl commands to control the snort service as well. 18 | 7. Errors? Problems? Check the file /var/log/autosnort_install.log for troubleshooting. 19 | 20 | Thanks, 21 | 22 | da_667 23 | 24 | -Patch Notes- 25 | 26 | 4-23-20 27 | -Ubuntu 20.04 is out. 
In preparation for a second edition of Building Virtual Machine Labs, support for ubuntu 16.04 has been removed from this release. Out with the old, in with the new. 28 | --As always previous releases are in the previous released directory if you have an ubuntu 16.04 server you can't upgrade, and you need to have a Snort instance for. Don't sweat it. 29 | -Fixed a problem with compiling libDAQ in which you need to run autoreconf before the configure/make/make install song and dance 30 | -The ifconfig command has been phased out and replaced with ip link set to configure interface flags now. 31 | -Replaced the old snortd init script with a systemd snortd.service file. 32 | --Why? Because it takes advantage of the only good thing systemd has to offer: service watchdog/service persistence. Additionally there is some light sandboxing that systemd affords to services. This is literally the only time you'll hear me saying anything positive about systemd. I hope you enjoy it 33 | 5-27-19 34 | -the rule_url for the 'opensource.gz' file that pulledpork downloads has changed, and either it changed a while ago and the redirects are broken, or it changed recently and they broke the redirects. This was another single-line fix. 35 | 5-21-19 36 | -Discovered a bug where Shared Object rules were no longer being used/installed. Why? As it turns out, snort doesn't ship precompiled rules for Ubuntu 12.04 anymore. Which makes sense. Single line change in the script fixed the issue. 37 | 1-3-19 38 | -A user reported an issue where autosnort is failing to download the latest ".conf" files from snort.org/configurations. Apparently at some point, the reference snort conf files started getting posted to snort.org/documents instead. The script has been changed to wget snort.org/documents, egrep for "snort-20*-conf" to get a list of snort 2.x reference conf files available for download, and attempts to download the latest one, and if that fails (for some odd reason) the second latest one. 
For example, currently snort 2.9.12 is out. The conf file for snort 2.9.11.1 is the latest config file, while 2.9.11 is the second latest available. The script will try to pull the config file for 2.9.11.1, then if that fails revert to trying to pull the config file for 2.9.11. Some of you might be worried, thinking the 2.9.11.1 config file might not be compatible with 2.9.12, but 99% of the time, this is NEVER an issue. But if you insist on having a matching reference config file for the latest version of snort, then I highly suggest hitting the snort mailing list and bothering Joel Esler or whoever is in charge of this process. Usually someone pings him on the mailing list and they upload a new reference config file a few hours later. 39 | 12-29-18 40 | -Users reported users that the script no longer works, complaining about a libluajit dependency. apparently the Snort team has opted to included openappID as a part of the --enable-sourcefire compile option that the autosnort script has used for years now. 41 | --Script has been updated to download a couple of dependencies in order to be able to run openappID -- libnghttp2, libluajit, libssl-dev, pkg-config and a few others. All you need to know is that Snort should configure and compile with no errors, at least as of 2.9.12 42 | ---please note that this script doesn't download fingerprints for openappID, nor does it enable the openappId preprocessor in snort.conf. If you're interested in learning how to do that, that is an exercise that will be left to you to try out. Have fun storming the castle! 43 | --Had to write in a config change very similar to the autosuricata config change we wrote for ubuntu 18.04 users recently: backing up the apt sources.list file, clobber the existing sources.list, and regenerate a new sources.list file that enables the universe repos for ubuntu 18.04. This is because 18.04 doesn't enable universe by default, and libluajit is a universe repo package. 
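-discovered an issue where pulledpork was not actually dropping any rules into the /opt/snort/rules/snort.rules file, claiming 0 new rules. Added the "-P" option to pulledpork execution, to force pulledpork to process rules, even if it /thinks/ there are no new rules.
8-3-18
-This script is now compatible with Ubuntu 18.04, in addition to Ubuntu 16.04
-Fixed the pulledpork.conf this script generates. It now reflects the current version of pulledpork.pl (0.7.4)
10-18-2017
- Fixed a bug in the "snorttar" variable regex. To make a long story short, Cisco changed filename version formats for the Snort tarball on their site, and that broke various things in the script, like downloading the latest Snort tarball, and downloading the right rules for the current snort version via pulledpork. This should be un-borked now.
- Removed attempts to download older snort rule tarballs via pulledpork. Cisco now allows Registered Snort users (e.g. the free rule users) to download a rule tarball compatible with the latest snort release (that means compatible Shared Object rules). The only difference is that the rules are /still/ 30 days behind the subscribed users. Such is life.
--------------------------------------------------------------------------------
/Autosnort-Ubuntu/Previous_Rel/previous interface install scripts/base-ubuntu-11-02-2014.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#BASE shell script 'module'
#Sets up BASE for Autosnort
#Updated on 2/1/2014

########################################
#logging setup: Stack Exchange made this.
# Everything this script prints (stdout and stderr) is copied to the log file
# as well as the terminal: a named pipe feeds tee, the script's output is
# redirected into the pipe, and the pipe node is unlinked straight away (the
# open descriptors keep it alive). A stale pipe left by an interrupted run
# would make mkfifo fail, so it is removed first. /var/log is root-only, so
# the fixed pipe name is not exposed to other users.

base_logfile=/var/log/base_install.log
rm -f "${base_logfile}.pipe"
mkfifo "${base_logfile}.pipe"
tee < "${base_logfile}.pipe" "$base_logfile" &
exec &> "${base_logfile}.pipe"
rm "${base_logfile}.pipe"

########################################
#Metasploit-like print statements: status, good, bad and notification. Gratuitously copied from Darkoperator's metasploit install script.
# Coloured "[*]" status line followed by the message in $1; all print to
# stdout, which the logging setup above also copies into the log file.

function print_status () {
    echo -e "\x1B[01;34m[*]\x1B[0m $1"
}

function print_good () {
    echo -e "\x1B[01;32m[*]\x1B[0m $1"
}

function print_error () {
    echo -e "\x1B[01;31m[*]\x1B[0m $1"
}

function print_notification () {
    echo -e "\x1B[01;33m[*]\x1B[0m $1"
}

########################################
# Grab packages for BASE, and suppress the libphp-adodb pathmove notice.
# Most of the primary required packages are pulled by the main AS script.

print_status "Grabbing packages required for BASE.."

echo libphp-adodb libphp-adodb/pathmove note | debconf-set-selections
if ! apt-get install -y libphp-adodb ca-certificates php-pear libwww-perl php5 php5-mysql php5-gd &>> "$base_logfile"; then
    print_error "Failed to acquire required packages for Base. See $base_logfile for details."
    exit 1
else
    print_good "Successfully acquired packages."
fi

########################################

# php-pear setup, as seen in the snort 2.9.4.0 install guide for Debian.
# preferred_state=alpha lets pear install packages that only have alpha
# releases (presumably the Image_* packages below -- verify); it also applies
# to anything installed through pear afterwards on this host. The pear
# install result was previously unchecked; like the Debian/Kali modules it
# is now fatal, since BASE's graphs depend on these packages.

print_status "Setting php-pear options.."

pear config-set preferred_state alpha &>> "$base_logfile"
pear channel-update pear.php.net &>> "$base_logfile"
if ! pear install --alldeps Image_Color Image_Canvas Image_Graph &>> "$base_logfile"; then
    print_error "Failed to install the Image_* pear packages for Base. See $base_logfile for details."
    exit 1
fi

print_good "Successfully configured php-pear options."

#Have to adjust PHP logging otherwise BASE will barf on startup.

print_status "Reconfiguring php error reporting for BASE.."
sed -i 's/error_reporting \= E_ALL \& ~E_DEPRECATED/error_reporting \= E_ALL \& ~E_NOTICE/' /etc/php5/apache2/php.ini

########################################

# The BASE tarball unpacks into its own directory, so it is fetched and
# extracted straight into the webroot and then renamed.

print_status "Installing BASE.."

cd /var/www/ || { print_error "Could not change to /var/www."; exit 1; }

# BASE comes from sourceforge. If this fails, we exit the script with a status of 1:
# a check is built into the main script to verify this script exits cleanly. If it doesn't,
# the user should be informed and brought back to the main interface selection menu.
#
# The download is now over HTTPS (it was plain HTTP, so anyone on the path
# could have swapped the archive that ends up in the webroot). There is still
# no integrity check, because no checksum for base-1.4.5.tar.gz is recorded
# here. TODO: pin the SHA-256 of the known-good tarball and verify it before
# extracting.

base_tarball=base-1.4.5.tar.gz
print_status "Grabbing BASE via Sourceforge.."

if ! wget "https://sourceforge.net/projects/secureideas/files/BASE/base-1.4.5/$base_tarball" -O "$base_tarball" &>> "$base_logfile"; then
    print_error "Attempt to pull down BASE failed. See $base_logfile for details."
    exit 1
else
    print_good "Successfully downloaded the BASE tarball."
fi

if ! tar -xzvf "$base_tarball" &>> "$base_logfile"; then
    print_error "Attempt to install BASE has failed. See $base_logfile for details."
    exit 1
else
    print_good "Successfully installed base to /var/www/base."
fi

rm "$base_tarball"
mv base-* base

#BASE requires the /var/www/ directory to be owned by www-data.
# NOTE(review): this hands the entire webroot, not just /var/www/base, to the
# web server account, so a code-execution bug in any served page can rewrite
# every file under /var/www. Scoping the chown to /var/www/base is worth
# testing against BASE's setup page.
print_status "Granting ownership of /var/www to www-data user and group."
chown -R www-data:www-data /var/www

########################################

# Virtual hosts. 000-default.conf catches plain-HTTP requests and redirects
# them to https so console logins and alert data are never sent in the clear;
# base-ssl.conf serves the console. The rewrite needs mod_rewrite, and the
# TLS settings come from mod_ssl's ssl.conf; neither module is enabled by
# this module (no a2enmod here), so that is assumed to happen in the main
# script.
#
# The generated comment tells the admin to restore the old default site from
# /etc/apache2/000-default.confsiteconfbak, so that backup is taken here
# before the file is overwritten (-n keeps one an earlier run already left
# behind; the error is silenced because a missing default site is fine).
#
# NOTE(review): the container directives of both vhosts appear to have been
# stripped from this listing (the blank lines below), so the files as written
# here are not complete apache config; compare with the upstream file.

print_status "Configuring Virtual Host Settings for Base.."
cp -n /etc/apache2/sites-available/000-default.conf /etc/apache2/000-default.confsiteconfbak 2>/dev/null
cat > /etc/apache2/sites-available/000-default.conf <<'EOF'
#This 000-default.conf vhost config geneated by autosnort. To remove, run cp /etc/apache2/000-default.confsiteconfbak /etc/apache2/sites-available/000-default.conf
#This VHOST exists as a catch, to redirect any requests made via HTTP to HTTPS.

 DocumentRoot /var/www/base
 #Mod_Rewrite Settings. Force everything to go over SSL.
 RewriteEngine On
 RewriteCond %{HTTPS} off
 RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

EOF

cat > /etc/apache2/sites-available/base-ssl.conf <<'EOF'
#This is an SSL VHOST added by autosnort. Simply remove the file if you no longer wish to serve the web interface.

 #Turn on SSL. Most of the relevant settings are set in /etc/apache2/mods-available/ssl.conf
 SSLEngine on

 #Mod_Rewrite Settings. Force everything to go over SSL.
 RewriteEngine On
 RewriteCond %{HTTPS} off
 RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

 #Now, we finally get to configuring our VHOST.
 ServerName base.localhost
 DocumentRoot /var/www/base

EOF

########################################

# Enable both vhosts and restart apache to serve them. Output of a2ensite goes
# to the log so "See $base_logfile" on failure is actually true.

if ! a2ensite 000-default.conf &>> "$base_logfile"; then
    print_error "Failed to enable default virtual host. See $base_logfile for details."
    exit 1
else
    print_good "Successfully made virtual host changes."
fi

if ! a2ensite base-ssl.conf &>> "$base_logfile"; then
    print_error "Failed to enable base-ssl.conf virtual host. See $base_logfile for details."
    exit 1
else
    print_good "Successfully made virtual host changes."
fi

if ! service apache2 restart &>> "$base_logfile"; then
    print_error "Failed to restart apache2. See $base_logfile for details."
    exit 1
else
    print_good "Successfully restarted apache2."
fi
print_notification "The log file for this interface installation is located at: $base_logfile"

exit 0
--------------------------------------------------------------------------------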