Feature #269

Updated by Daniel Curtis almost 11 years ago

I have set up Snort on my router, but because its OS lives on flash-based media there are constraints on log file size. The snort package on pfSense supports Barnyard2, a MySQL interface that lets logs and alerts be stored in a MySQL database, which is where Snorby comes in.
 > Snorby brings your existing and new network security monitoring data to life with a suite of beautiful, relevant, and, most importantly, actionable metrics. Share data like sensor activity comparisons or your most active signatures directly with your constituents with daily, weekly, monthly, and ad-hoc PDF reports.

Snorby requires a LAMP stack with Ruby and Passenger installed. I already have the LAMP stack installed, but I will include those packages in this tutorial to be comprehensive.

As a first step we’re going to install Snort. Luckily it’s in the repos, so we’re just going to apt-get it. I’m going to go with the @snort-mysql@ package, as it gives Snort MySQL DB support, which is a good thing.

 First let’s get a mysql server up and running: 
 <pre> 
 apt-get update 
 apt-get upgrade 
 apt-get install mysql-server mysql-client 
 </pre> 

Then install Snort with MySQL support:
 <pre>
 apt-get install snort-mysql
 </pre>
This package is needed for its SQL schema file.

 This will ask a few questions and it doesn’t matter what you answer as we’ll have to reconfigure it after Snorby has been installed anyway. 

 Moving on to installing the Snorby prerequisites: 
 <pre> 
 apt-get install libyaml-dev git-core default-jre imagemagick libmagickwand-dev wkhtmltopdf build-essential libssl-dev libreadline-gplv2-dev zlib1g-dev <linux-headers-686-pae> libsqlite3-dev libxslt1-dev libxml2-dev libmysqlclient-dev libmysql++-dev apache2-prefork-dev libcurl4-openssl-dev ruby ruby-dev 
 </pre> 

 Don’t forget to use the linux headers +for your kernel’s architecture+… 

Install a few prerequisite gems:
 <pre> 
 gem install bundler rails  
 gem install rake --version=0.9.2 
 </pre> 

 Switch to the web directory: 
 <pre> 
 cd /var/www/ 
 </pre> 

 Download the source for the application. 
 <pre> 
 git clone http://github.com/Snorby/snorby.git 
 </pre> 

 Change to the Snorby config directory: 
 <pre> 
 cd /var/www/snorby/config/ 
 </pre> 

 Set up configuration files: 
 <pre> 
 cp database.yml.example database.yml 
 cp snorby_config.yml.example snorby_config.yml 
 sed -i 's#/usr/local/bin/wkhtmltopdf#/usr/bin/wkhtmltopdf#g' snorby_config.yml
 </pre> 

Create the snort database and a user that is allowed to use only that database:
 <pre>
 mysql -u root -p

 CREATE DATABASE snort;
 -- GRANT needs an ON clause; scope the privileges to the snort database only
 GRANT ALL PRIVILEGES ON snort.* TO 'snort'@'localhost' IDENTIFIED BY 'SuperSecretPassword';
 EXIT
 </pre>

 Tell snorby the mysql database name, user and password that it should use. 
 <pre> 
 nano database.yml 
 </pre> 

If you have not already done so, create the user and the database now.

 Change into the Snorby directory: 
 <pre> 
 cd /var/www/snorby/ 
 </pre> 

 Let’s install it: 
 <pre> 
 bundle install --deployment 
 bundle exec rake snorby:setup 
 </pre> 

I encountered an error during this part. After googling a bit I found that a stale Gemfile.lock was the culprit; to solve it I needed to remove the @.bundle@ directory and then run @bundle install@:
 <pre> 
 cd /var/www/snorby 
 rm -rf .bundle 
 bundle install 
 bundle exec rake snorby:setup 
 </pre> 

I also encountered a problem where I had to set the time in @config/snorby_config.yml@.

A third error was a dependency problem: bundler needed a version of @activesupport@ that was not installed. To fix this I ran:
 <pre> 
 bundle update activesupport railties rails 
 gem install arel 
 gem install ezprint 
 bundle install 
 bundle exec rake snorby:setup 
 </pre> 

Yet another problem was encountered during the installation:
 > rake aborted! 
 > uninitialized constant Syck::Syck 
 >  
 > Tasks: TOP => snorby:setup => environment 
 The fix was actually simple as well. +Make sure the database in the database.yml file matches the database created earlier+. 
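A quick consistency check for the database.yml step above and for this gotcha, as an added example that is not part of the original write-up: it parses Snorby’s database.yml (the sample below is constructed after the layout of Snorby’s database.yml.example, whose default database name is @snorby@) and compares the production section with the @snort@ database and @'snort'@'localhost'@ user created earlier. The expected names come from that step; the placeholder-password text is an assumption about the example file’s default.

```ruby
require 'yaml'

# Constructed sample in the shape of Snorby's database.yml.example: a shared
# &snorby block merged into each Rails environment. Its default database name
# is "snorby", while this tutorial creates a database called "snort".
SAMPLE_DATABASE_YML = <<~YAML
  snorby: &snorby
    adapter: mysql
    username: snort
    password: "Enter Password Here"
    host: localhost

  development:
    database: snorby
    <<: *snorby

  production:
    database: snorby
    <<: *snorby
YAML

# Compare one environment of database.yml with the MySQL objects created
# earlier (CREATE DATABASE snort; GRANT ... TO 'snort'@'localhost').
# Returns a list of human-readable problems; an empty list means consistent.
def check_database_yml(yaml_text, env: 'production', expected_db: 'snort', expected_user: 'snort')
  cfg = YAML.safe_load(yaml_text, aliases: true) || {}   # aliases: the &snorby merge
  section = cfg[env]
  return ["no '#{env}' section in database.yml"] unless section.is_a?(Hash)

  problems = []
  unless section['database'] == expected_db
    problems << "database is '#{section['database']}', but privileges were granted on '#{expected_db}'"
  end
  unless section['username'] == expected_user
    problems << "username is '#{section['username']}', expected '#{expected_user}'"
  end
  password = section['password'].to_s
  if password.empty? || password =~ /enter password here/i   # assumed placeholder text
    problems << 'password is empty or still the example placeholder'
  end
  unless %w[mysql mysql2].include?(section['adapter'])
    problems << "adapter '#{section['adapter']}' is not a MySQL adapter"
  end
  unless section['host'].to_s == 'localhost'
    problems << "host is '#{section['host']}', but the user exists only for 'localhost'"
  end
  problems
end

# Pass a path (e.g. /var/www/snorby/config/database.yml) to check a real file.
text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_DATABASE_YML
check_database_yml(text).each { |p| puts "database.yml: #{p}" }
```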

 At this point Snorby should start when you type: 
 <pre> 
 bundle exec rails server -e production -b 127.0.0.1 
 </pre> 

 If you point your browser to 
 http://localhost:3000/ 
 the Snorby WebUI should pop up.  
 You can access it with the default credentials: 
 * snorby@snorby.org 
 * snorby 

Don’t be stupid, +change the *email* and the *password* after logging in+.

 Now if you look around the site you’ll notice that Snorby isn’t getting any data just yet. So we’ll have to configure Snort! 

 h3. ALT VPS Method 

Since ALT uses a pfSense firewall, Snort is installed there (at a cost to performance), and so Snort and Barnyard2 must be configured on the pfSense firewall under +Service -> Snort -> Edit Interface -> barnyard2+.

 h3. Original method 

Otherwise, reconfigure Snort so that it logs to the Snorby database:
 <pre> 
 dpkg-reconfigure snort-mysql 
 </pre> 

Answer the questions, set up all the interfaces you need for sniffing network traffic, and enter Snorby’s MySQL database name, username and password when prompted. Now that the database is configured we just need to move a lock file out of the way so that Snort can start up.
 <pre> 
 mv /etc/snort/db-pending-config /etc/snort/db-pending-config_no_more 
 </pre> 

 At this point we’re ready to launch snort: 
 <pre> 
 service snort start 
 </pre> 

 h2. Let’s test it! 

 Snort should alert for nmap scans so on another box just type: 
 <pre>
 nmap -A -T5 yourhost.org
 </pre>

 Let it run, then check Snorby. You should see something similar to the picture below. 

 Now there’s really only one thing left before we’re done. 

 h2. Make Snorby autostart rails web server on boot 

 <pre> 
 cd /etc/init.d/ 
 nano snorby 
 </pre> 

 A simple script like this should do the trick: 

 <pre> 
 #!/bin/bash 

 cd /var/www/snorby && bundle exec rails server -e production & 
 </pre> 

Let’s put it to start in runlevel 2 (update-rc.d wants a sequence number, the runlevel list and a terminating dot):
 <pre>
 chmod +x snorby
 update-rc.d -f snorby start 99 2 .
 </pre>

 And now Snorby will start whenever the system enters runlevel 2 and we’re done.
