Add files via upload

scripts/Snorby/setup.sh

@@ -1,19 +1,45 @@
 #!/usr/bin/env bash
 # author: ym2011
-# date: 2016-11-21
-# version: 0.0.4
+# date: 2016-11-26
+# version: 0.8
+
 echo "it will install snorby,suricata,barnyard2 automately. so take a coffee/n"
 
-yum install epel-release
+# 0x01 OS basic environment
+# 1 os installation
+# we doing the all following steps basing on CentOS-6.8-x86_64 server.
+# therefore, we should install system using the CentOS-6.8-x86_64-bin-DVD1.iso.
+
+# 2 set the epel sources
+yum -y install epel-release
+rpm -ivh http://repo.mysql.com//mysql57-community-release-el6-9.noarch.rpm
 yum -y install yum-utils
 yum clean all
 yum-complete-transaction --cleanup-only
+sleep 30
 
-sleep 60
-# install dependences
-yum -y install gcc-c++ patch readline readline-devel zlib zlib-devel git-core libyaml-devel libffi-devel openssl-devel make libpcap-devel pcre-devel libyaml-devel file-devel jansson-devel nss-devel libcap-ng-devel libnet-devel tar libnetfilter_queue-devel lua-devel mysql-devel fontconfig-devel libX11-devel libXrender-devel libxml2-devel libxslt-devel qconf
+# 0x02 install some important dependences
+yum -y install gcc-c++ patch readline readline-devel zlib zlib-devel git-core libyaml-devel libffi-devel openssl-devel make libpcap-devel pcre-devel libyaml-devel file-devel jansson-devel nss-devel libcap-ng-devel libnet-devel tar libnetfilter_queue-devel lua-devel fontconfig-devel libX11-devel libXrender-devel libxml2-devel libxslt-devel qconf
 
-# dwonload and install ImageMagick
+# 0x03 install and configure mysql
+# yum install mysql mysql-devel mysql*
+yum -y install mysql-community-server
+service mysqld start
+chkconfig mysqld on
+# warnig：we would change the password for root and add a user for snorby in MySQL.
+# to find out the password of root, we should do the following:
+# grep 'temporary password' /var/log/mysqld.log | awk '{print $11}'
+# the result is the password for root， and then do the following:
+# note: we need to type the password the result above after we typed the following command，
+# mysql -uroot -p
+# SET PASSWORD FOR 'root'@'localhost' = "yyMM@2011";
+# create user 'snorbyroot'@'localhost' identified by 'MMyy@2011';
+# grant all privileges on snorby.* to 'snorbyroot'@'localhost' with grant option;
+# flush privileges;
+# quit
+
+# 0x04 package for IDS
+# 1 dwonload and install ImageMagick
 cd /opt/
 wget --no-check-certificate -t 50 https://www.imagemagick.org/download/ImageMagick-6.9.6-5.tar.gz
 if [ ! -f "ImageMagick-6.9.6-5.tar.gz" ]
@@ -34,7 +60,7 @@ tar zxvf ImageMagick-6.9.6-5.tar.gz && cd ImageMagick-6.9.6-5
 sleep 5
 ldconfig /usr/local/lib
 
-# dwonload and install yaml
+# 2 dwonload and install yaml
 cd /opt/
 wget --no-check-certificate -t 50 http://pyyaml.org/download/libyaml/yaml-0.1.4.tar.gz
 if [ ! -f "yaml-0.1.4.tar.gz" ]
@@ -55,7 +81,7 @@ tar zxvf yaml-0.1.4.tar.gz && cd yaml-0.1.4
 ./configure && make && make install
 sleep 5
 
-# dwonload and install libhtp
+# 3 dwonload and install libhtp
 cd /opt/
 wget --no-check-certificate -t 50 -O libhtp-0.5.20.tar.gz https://codeload.github.com/OISF/libhtp/tar.gz/0.5.20 
 tar zxvf libhtp-0.5.20.tar.gz && cd libhtp-0.5.20
@@ -63,15 +89,11 @@ tar zxvf libhtp-0.5.20.tar.gz && cd libhtp-0.5.20
 ./configure && make && make install
 sleep 10
 
-# configure mysql
-# yum install mysql mysql-devel mysql*
-service mysqld start
-chkconfig mysqld on       
-/usr/bin/mysqladmin -u root password 'yymm2011@!@'
 
-# install ruby
-cd /opt/
-curl -L get.rvm.io | bash -s stable
+# 0x05 install ruby 
+# snory needs  ruby support to run. the ruby version should be 1.9.3 or higher.
+# here we choose the version 2.0.0
+cd /opt/ && curl -L get.rvm.io | bash -s stable
 sleep 10
 command curl -sSL https://rvm.io/mpapis.asc | gpg2 --import -
 source /etc/profile.d/rvm.sh
@@ -82,33 +104,40 @@ ruby -v
 sleep 20
 gem install bundler
 sleep 20
-# dwonload and install snorby
-cd /opt/ && git clone git://github.com/Snorby/snorby.git && cd snorby
 
-# 修改文件Gemfile,把gem 'rake', '0.9.2'   改成  gem 'rake', '> 0.9.2'
+# 0x07 dwonload and install snorby
+cd /opt/ && git clone git://github.com/Snorby/snorby.git 
+cd /opt/snorby/
+
+# modify the file Gemfile,gem 'rake', '0.9.2' --->> gem 'rake', '> 0.9.2'，。
+# the step can be skipped if the ruby version is not less than 2.0.0
 # sed -i 's/0.9.2/>0.9.2.2/g' Gemfile
 
-# 修改文件Gemfile.lock,把 rake (0.9.2)  改成  rake(0.9.2.2)
+# modify Gemfile.lock, rake (0.9.2) --->> rake(0.9.2.2)
+# the step can be skipped if the ruby version is not less than 2.0.0
 # sed -i 's/\(0.9.2\)/0.9.2.2/g' Gemfile.lock
 
-# 创建snorby_config.yml和database.yml两个文件
-cp config/snorby_config.yml.example config/snorby_config.yml
-cp config/database.yml.example config/database.yml
+# create snorby_config.yml and database.yml
+cp ./config/snorby_config.yml.example ./config/snorby_config.yml
+cp ./config/database.yml.example ./config/database.yml
  
-# 修改snorby_config.yml，把time_zone前面的注释去掉，并把UTC改为Asia/Shanghai
-# 打开database.yml 把里面 mysql的账号密码修改成我们设置的账号密码（root/ ym2011@2011my)
+# modify snorby_config.yml，we can choose to delete the symbol #, 
+# which is thefront of the time_zone，and change UTC to Asia/Shanghai
+# open database.yml, change the account and password to our own. here is root/ ym2011@2011my.
 sed -i 's/root/snorbyroot/g 'config/database.yml 
-sed -i 's/Enter Password Here/ym2011@2011my/g' config/database.yml
-# 进入snorby目录，执行如下命令开始安装：
-# 因为我们不需要postgreSQL, 所以要删除该库，否则编译会出错。
+sed -i 's/Enter Password Here/MMyy@2011/g' config/database.yml
+# change into snorby，execute the following commands to startinstallation.
+# since we don't need postgreSQL, we are better to delete the library,
+# or else it would go wrong whlie installing.
 sed -i '/dm-postgres-adapter/d' Gemfile
 bundle install
 
-# 设置iptables
-# /etc/init.d/iptables stop	#关闭防火墙，其他主机可以访问http://ip:3000
+# 0x08 set iptables
+# if we can access to the http://ip:3000(the ip is the server ip) in other computer.
+# /etc/init.d/iptables stop	#we can stop the iptables( nor recommended), and then access to http://ip:3000
 iptables -I INPUT -p tcp --dport 3000 -m state --state=NEW,ESTABLISHED,RELATED -j ACCEPT
 
-# dwonload and install barnyard2
+# 0x09 dwonload and install barnyard2
 cd /opt/ && wget --no-check-certificate -t 50 -O barnyard2-2-1.13.tar.gz https://codeload.github.com/firnsy/barnyard2/tar.gz/v2-1.13
 if [ ! -f "barnyard2-2-1.13.tar.gz" ]
 then
@@ -126,10 +155,11 @@ fi
 
 tar xvfz barnyard2-2-1.13.tar.gz && cd barnyard2-2-1.13/
 ./autogen.sh
+# if the above command failed to execute, please check the  locations where mysql-libraries and mysql locate in.
 ./configure --with-mysql-libraries=/usr/lib64/mysql/ --with-mysql=/usr/bin/mysql
 make && make install
 
-# dwonload and install Suricata 
+# 0x10 dwonload and install Suricata 
 cd /opt/ && wget -t 50 http://www.openinfosecfoundation.org/download/suricata-3.1.tar.gz
 if [ ! -f "suricata-3.1.tar.gz" ]; then
 	echo "the network is unreachable.please check your network and run this script again"
@@ -149,75 +179,55 @@ echo " congratulations!, snorby、suricata、barnyard2 is fullly installed. "
 echo " we will configure the configuration files automatically."
 echo " please wait a minute"
 
-# configure Suricata、Barnyard 2
-#把Barnyard 2安装源文件中的etc/barnyard2.conf文件拷贝到Suricata的配置目录
+# 0x11  configure Suricata、Barnyard 2
+# 1 copy etc/barnyard2.con in barnyard2-2-1.13 directory to Suricata configuration directory
 cd /opt/barnyard2-2-1.13
 cp ./etc/barnyard2.conf /etc/suricata/
 
-#创建barnyard2日志目录/var/log/barnyard2
+#2 create barnyard2 log directory named /var/log/barnyard2
 mkdir /var/log/barnyard2
 
-# 修改barnyard2.conf
-# 把 默认的snort文件配置改成 suricata
+# 3 change barnyard2.conf
+# change the default snort file configuration to suricata
 sed -i 's/snort/suricata/g' /etc/suricata/barnyard2.conf
 sed -i 's/gen-msg.map/rules\/gen-msg.map/g' /etc/suricata/barnyard2.conf
 sed -i 's/sid-msg.map/rules\/sid-msg.map/g' /etc/suricata/barnyard2.conf
 
-# 把数据信息添加到barnyard2.conf  //已完成
-sed -i '$a output database: log, mysql, user=snorbroot password=ym2011@2011my dbname=snorby host=localhost' /etc/suricata/barnyard2.conf
+# 4 add the MySQL information to barnyard2.conf
+sed -i '$a output database: log, mysql, user=snorbroot password=MMyy@2011 dbname=snorby host=localhost' /etc/suricata/barnyard2.conf
 
-#找到“config hostname”和“config interface”，eth0是镜像端口所在的网卡，按照你的实际情况修改.(unfinished)
-#匹配到该字符串，在匹配行的下面添加新的一行字符串
+# 5 find out the string "config hostname" and "config interface". the later is to monitor the traffic, it can be more than one.
+# match this string and add a new line next.
 sed -i -e '/#config hostname:   thor/a\config hostname:   ym/' /etc/suricata/barnyard2.conf
 sed -i -e '/#config interface:  eth0/a\config interface:  eth0/' /etc/suricata/barnyard2.conf
 sed -i -e '/#config waldo_file/a\config waldo_file: /var/log/suricata/suricata.waldo' /etc/suricata/barnyard2.conf
 
-# 编辑suricata.yaml文件
+# 6 edit suricata.yaml
 touch /var/log/suricata/suricata.waldo
 
-# 修改日志格式文件:
-#匹配到该字符串，在匹配行的下面添加新的一行字符串
+# 7 modify log format fled:
+# match this string and add a new line next.
 sed -i -e '/default-log-format/a\  default-log-format: "[%i] %t -(%f:%l) <%d> (%n) -- "' /etc/suricata/suricata.yaml
 
-# 找到#pid-file: /var/run/suricata.pid把前面的#号去掉
-#匹配到该字符串，在匹配行的下面添加新的一行字符串
+# 8 figure out #pid-file: /var/run/suricata.pid, and drop the #
+# match this string and add a new line next.
 sed -i -e '/pid-file/a\pid-file: /var/run/suricata.pid' /etc/suricata/suricata.yaml
 
-# 启用 threshold，找到#threshold-file: /etc/suricata/threshold.config
-#匹配到该字符串threshold-file，在匹配行的下面添加新的一行字符串
+# 9 figure out #threshold-file: /etc/suricata/threshold.config,and drop the "#"
 sed -i -e '/threshold-file/a\threshold-file: /etc/suricata/threshold.config' /etc/suricata/suricata.yaml
 
-# 开启syslog 功能, 在/etc/suricata/suricata.yaml ， 找到：
-# 匹配并替换在字符串/var/log/suricata/suricata.log/，Step 4之间的内容，把enabled: no 改成 enabled: yes
+# 10 enable syslog function, in /etc/suricata/suricata.yaml ， find out 
+# match and replace the word no to yes between string"/var/log/suricata/suricata.log/" and "Step 4"
 sed -i -e '\/var\/log\/suricata\/suricata.log/,/Step 4/s/no/yes/g' /etc/suricata/suricata.yaml
 
-# 开启unified2 logging in the suricata yaml:
-# 匹配并替换在字符串unified2-alert， unified2.alert之间的内容，把enabled: no 改成 enabled: yes
+# 11 enable unified2 logging in the suricata yaml:
+# match and replace the word no to yes between string " unified2-alert " and " unified2.alert " 
 sed -i -e '/unified2-alert/,/unified2.alert/s/no/yes/g' /etc/suricata/suricata.yaml
 
+# 0x12 the complete script for this setup：
+# https://github.com/ym2011/penetration/tree/master/scripts/Snorby
+
 echo " congratulations!, all configurations is fullly finished. "
-echo " we will do modify and add a user for snorby in MySQL"
-
-TIMESTAMP=`date +%Y%m%d%H%M%S`  
-LOG=call_sql_${TIMESTAMP}.log  
-echo "Start execute sql statement at `date`." >>${LOG}  
-# execute sql stat  
-mysql -u root -p yymm2011@!@-e "  
-tee /tmp/temp.log  
-create user 'snorbyroot'@'localhost' IDENTIFIED BY 'ym2011@2011my';
-grant all privileges on snorby.* to 'snorbyroot'@'localhost' with grant option;
-flush privileges; 
-notee  
-quit"  
-
-echo -e "\n">>${LOG}  
-echo "below is output result.">>${LOG}  
-cat /tmp/temp.log>>${LOG}  
-echo "script executed successful.">>${LOG}  
-
-echo " please run the file: start-ids.sh to start the service "
+echo " script executed successful.if errors occurs, please run the command above on your own"
+echo " please run the file: start-ids.sh to start the service and do the step [3 configure mysql] on youronw"
 echo " have fun ! "
-
-
-
-