PenetrationTestingScripts/scripts/Snorby/setup.sh

#!/usr/bin/env bash
# author: ym2011
# date: 2016-11-21
# version: 0.0.4
echo "it will install snorby,suricata,barnyard2 automately. so take a coffee/n"

yum install epel-release
yum -y install yum-utils
yum clean all
yum-complete-transaction --cleanup-only

sleep 60
# install dependences
yum -y install gcc-c++ patch readline readline-devel zlib zlib-devel git-core libyaml-devel libffi-devel openssl-devel make libpcap-devel pcre-devel libyaml-devel file-devel jansson-devel nss-devel libcap-ng-devel libnet-devel tar libnetfilter_queue-devel lua-devel mysql-devel fontconfig-devel libX11-devel libXrender-devel libxml2-devel libxslt-devel qconf

# dwonload and install ImageMagick
cd /opt/
wget --no-check-certificate -t 50 https://www.imagemagick.org/download/ImageMagick-6.9.6-5.tar.gz
if [ ! -f "ImageMagick-6.9.6-5.tar.gz" ]
then
	echo "the network is unreachable.please check your network and run this script again"
else
	fs="`du -B 1M ImageMagick-6.9.6-5.tar.gz | awk '{print $1}'`"
	while [ $fs -lt 12 ];
	do
		rm -rf ImageMagick-6.9.6-5.tar.gz && echo "the network is unstable.please check your network and run this script again"
		wget --no-check-certificate -t 50 https://www.imagemagick.org/download/ImageMagick-6.9.6-5.tar.gz
		break
	done

fi
tar zxvf ImageMagick-6.9.6-5.tar.gz && cd ImageMagick-6.9.6-5
./configure && make && make install
sleep 5
ldconfig /usr/local/lib

# dwonload and install yaml
cd /opt/
wget --no-check-certificate -t 50 http://pyyaml.org/download/libyaml/yaml-0.1.4.tar.gz
if [ ! -f "yaml-0.1.4.tar.gz" ]
then
	echo "the network is unreachable.please check your network and run this script again"
else
	fs="`du -B 1k yaml-0.1.4.tar.gz | awk '{print $1}'`"
	while [ $fs -lt 450 ];
	do
		rm -rf yaml-0.1.4.tar.gz && echo "the network is unstable.please check your network and run this script again"
		wget --no-check-certificate -t 50 http://pyyaml.org/download/libyaml/yaml-0.1.4.tar.gz
		break
	done

fi

tar zxvf yaml-0.1.4.tar.gz && cd yaml-0.1.4
./configure && make && make install
sleep 5

# dwonload and install libhtp
cd /opt/
wget --no-check-certificate -t 50 -O libhtp-0.5.20.tar.gz https://codeload.github.com/OISF/libhtp/tar.gz/0.5.20 
tar zxvf libhtp-0.5.20.tar.gz && cd libhtp-0.5.20
./autogen.sh
./configure && make && make install
sleep 10

# configure mysql
# yum install mysql mysql-devel mysql*
service mysqld start
chkconfig mysqld on       
/usr/bin/mysqladmin -u root password 'yymm2011@!@'

# install ruby
cd /opt/
curl -L get.rvm.io | bash -s stable
sleep 10
command curl -sSL https://rvm.io/mpapis.asc | gpg2 --import -
source /etc/profile.d/rvm.sh
sleep 10
rvm install 2.0.0
sleep 20
ruby -v
sleep 20
gem install bundler
sleep 20
# dwonload and install snorby
cd /opt/ && git clone git://github.com/Snorby/snorby.git && cd snorby

# 修改文件Gemfile,把gem 'rake', '0.9.2'   改成  gem 'rake', '> 0.9.2'
# sed -i 's/0.9.2/>0.9.2.2/g' Gemfile

# 修改文件Gemfile.lock,把 rake (0.9.2)  改成  rake(0.9.2.2)
# sed -i 's/\(0.9.2\)/0.9.2.2/g' Gemfile.lock

# 创建snorby_config.yml和database.yml两个文件
cp config/snorby_config.yml.example config/snorby_config.yml
cp config/database.yml.example config/database.yml
 
# 修改snorby_config.yml，把time_zone前面的注释去掉，并把UTC改为Asia/Shanghai
# 打开database.yml 把里面 mysql的账号密码修改成我们设置的账号密码（root/ ym2011@2011my)
sed -i 's/root/snorbyroot/g 'config/database.yml 
sed -i 's/Enter Password Here/ym2011@2011my/g' config/database.yml
# 进入snorby目录，执行如下命令开始安装：
# 因为我们不需要postgreSQL, 所以要删除该库，否则编译会出错。
sed -i '/dm-postgres-adapter/d' Gemfile
bundle install

# 设置iptables
# /etc/init.d/iptables stop	#关闭防火墙，其他主机可以访问http://ip:3000
iptables -I INPUT -p tcp --dport 3000 -m state --state=NEW,ESTABLISHED,RELATED -j ACCEPT

# dwonload and install barnyard2
cd /opt/ && wget --no-check-certificate -t 50 -O barnyard2-2-1.13.tar.gz https://codeload.github.com/firnsy/barnyard2/tar.gz/v2-1.13
if [ ! -f "barnyard2-2-1.13.tar.gz" ]
then
	echo "the network is unreachable.please check your network and run this script again"
else
	fs="`du -B 1k barnyard2-2-1.13.tar.gz | awk '{print $1}'`"
	while [ $fs -lt 400 ];
	do
		rm -rf barnyard2-2-1.13.tar.gz && echo "the network is unstable.please check your network and run this script again"
		wget --no-check-certificate -t 50 -O barnyard2-2-1.13.tar.gz https://codeload.github.com/firnsy/barnyard2/tar.gz/v2-1.13
		break
	done

fi

tar xvfz barnyard2-2-1.13.tar.gz && cd barnyard2-2-1.13/
./autogen.sh
./configure --with-mysql-libraries=/usr/lib64/mysql/ --with-mysql=/usr/bin/mysql
make && make install

# dwonload and install Suricata 
cd /opt/ && wget -t 50 http://www.openinfosecfoundation.org/download/suricata-3.1.tar.gz
if [ ! -f "suricata-3.1.tar.gz" ]; then
	echo "the network is unreachable.please check your network and run this script again"
else
	fs1="`du -B 1M suricata-3.1.tar.gz | awk '{print $1}'`"
	if [ $fs1 -lt 3 ]; then
			rm -rf suricata-3.1.tar.gz && echo "the network is unstable.please check your network and run this script again"
			
	fi

fi
tar -xvzf suricata-3.1.tar.gz && cd suricata-3.1
./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var --enable-nfqueue --enable-lua
make && make install-full

echo " congratulations!, snorby、suricata、barnyard2 is fullly installed. "
echo " we will configure the configuration files automatically."
echo " please wait a minute"

# configure Suricata、Barnyard 2
#把Barnyard 2安装源文件中的etc/barnyard2.conf文件拷贝到Suricata的配置目录
cd /opt/barnyard2-2-1.13
cp ./etc/barnyard2.conf /etc/suricata/

#创建barnyard2日志目录/var/log/barnyard2
mkdir /var/log/barnyard2

# 修改barnyard2.conf
# 把 默认的snort文件配置改成 suricata
sed -i 's/snort/suricata/g' /etc/suricata/barnyard2.conf
sed -i 's/gen-msg.map/rules\/gen-msg.map/g' /etc/suricata/barnyard2.conf
sed -i 's/sid-msg.map/rules\/sid-msg.map/g' /etc/suricata/barnyard2.conf

# 把数据信息添加到barnyard2.conf  //已完成
sed -i '$a output database: log, mysql, user=snorbroot password=ym2011@2011my dbname=snorby host=localhost' /etc/suricata/barnyard2.conf

#找到“config hostname”和“config interface”，eth0是镜像端口所在的网卡，按照你的实际情况修改.(unfinished)
#匹配到该字符串，在匹配行的下面添加新的一行字符串
sed -i -e '/#config hostname:   thor/a\config hostname:   ym/' /etc/suricata/barnyard2.conf
sed -i -e '/#config interface:  eth0/a\config interface:  eth0/' /etc/suricata/barnyard2.conf
sed -i -e '/#config waldo_file/a\config waldo_file: /var/log/suricata/suricata.waldo' /etc/suricata/barnyard2.conf

# 编辑suricata.yaml文件
touch /var/log/suricata/suricata.waldo

# 修改日志格式文件:
#匹配到该字符串，在匹配行的下面添加新的一行字符串
sed -i -e '/default-log-format/a\  default-log-format: "[%i] %t -(%f:%l) <%d> (%n) -- "' /etc/suricata/suricata.yaml

# 找到#pid-file: /var/run/suricata.pid把前面的#号去掉
#匹配到该字符串，在匹配行的下面添加新的一行字符串
sed -i -e '/pid-file/a\pid-file: /var/run/suricata.pid' /etc/suricata/suricata.yaml

# 启用 threshold，找到#threshold-file: /etc/suricata/threshold.config
#匹配到该字符串threshold-file，在匹配行的下面添加新的一行字符串
sed -i -e '/threshold-file/a\threshold-file: /etc/suricata/threshold.config' /etc/suricata/suricata.yaml

# 开启syslog 功能, 在/etc/suricata/suricata.yaml ， 找到：
# 匹配并替换在字符串/var/log/suricata/suricata.log/，Step 4之间的内容，把enabled: no 改成 enabled: yes
sed -i -e '\/var\/log\/suricata\/suricata.log/,/Step 4/s/no/yes/g' /etc/suricata/suricata.yaml

# 开启unified2 logging in the suricata yaml:
# 匹配并替换在字符串unified2-alert， unified2.alert之间的内容，把enabled: no 改成 enabled: yes
sed -i -e '/unified2-alert/,/unified2.alert/s/no/yes/g' /etc/suricata/suricata.yaml

echo " congratulations!, all configurations is fullly finished. "
echo " we will do modify and add a user for snorby in MySQL"

TIMESTAMP=`date +%Y%m%d%H%M%S`  
LOG=call_sql_${TIMESTAMP}.log  
echo "Start execute sql statement at `date`." >>${LOG}  
# execute sql stat  
mysql -u root -p yymm2011@!@-e "  
tee /tmp/temp.log  
create user 'snorbyroot'@'localhost' IDENTIFIED BY 'ym2011@2011my';
grant all privileges on snorby.* to 'snorbyroot'@'localhost' with grant option;
flush privileges; 
notee  
quit"  

echo -e "\n">>${LOG}  
echo "below is output result.">>${LOG}  
cat /tmp/temp.log>>${LOG}  
echo "script executed successful.">>${LOG}  

echo " please run the file: start-ids.sh to start the service "
echo " have fun ! "