This post is work in progress but I never got around to finishing it. Sorry
After a first failed attempt to install Snorby on an Arch Linux server (Snorby requires Ruby 1.9.x, Arch uses 2.x and I’m not willing to use the AUR version for this) I’m doing this on a Ubuntu 14.04 Server.
Before installing Snorby we have to install snort itself. This can be done with
sudo apt-get install snort. Snort asks for a network address range to use for
HOME_NET. Since I’m not sure what to use here (the network may change), I just use standard value. This can later be changed using snort config files.
For testing purposes I add a new rule file in
/etc/snort/rules/ with a very basic rule that logs everything. You really shouldn’t do this in productive use, this will spam your snort output.
alert ip any any -> any any (msg:"Someone tried to access the server"; sid:100001; rev:1; priority:2;)
To use the new rule file you have to include it in the snort config
/etc/snort/snort.conf by adding a line
In order to inspect outgoing traffic I had to add the
-k none option to Snort in order to disable checksum tests for TCP connections (cf. serverfault). The option can be permanently added by adding it to
A common requirement for rules on a server is to inspect outgoing documents for suspicious content. Checking for example if a website contains a certain string can be done as follows:
alert tcp any 80 -> any any (file_data; content:"Placeholder"; flow:to_client,established; msg:"Detected placeholderwebsite"; sid:1000002; rev:1; priority:2;)
In order for this rule to work properly one has to make sure that
snort.conf contains at least the following elements for
server_flow_depth 0 \
Before installing snorby I need to make sure that certain software is installed.
The base system is a fresh Ubuntu 14.04 Server installation. Before installing Snorby we have to make sure that all requirements are installed. The Snorby website lists the following dependencies:
Wkhtmltopdf. But installing dependencies is not as easy as it sounds. I’m on a headless server and don’t want to install video drivers. So what to do with the strange
Wkhtmltopdf package? And why the heck does a headless application need X? But luckily there is a ruby gem of wkhtmltopdf that does not need any X component (documentation of Snorby is really bad here). So we just use
sudo gem install wkhtmltopdf and we are good (ignore the errors during installation). We also have to install
make on Ubuntu. Further we need
mysql-server installed. To get rails and bundler we have to install them with
sudo gem install bundler and
sudo gem install rails.
Now we need to get snorby sources
git clone https://github.com/Snorby/snorby
After changing to the
cd snorby directory we can install it using
Now we have to configure snorby to be able to read events from the database. To do so we copy
database.yml.example in the
config folder to
database.yml and change the database configuration to access MySQL. Further we copy
snorby_config.yml and check that
domain are correct in the
production section. It seems there are more dependencies needed (in particular
nokogiri needs more). So we have to install
Now we should be able to run
bundle exec rake snorby:setup
to set-up snorby and start it with
bundle exec rails server -e production
To get the snort output into our Snorby interface we use Barnyard2. Since there is no package for Ubuntu in the official repositories we have to build Barnyard2 from source.
git clone https://github.com/firnsy/barnyard2
To build Barnyard2 we need some developement tools
sudo apt-get install build-essential libtool autoconf libpcap-dev libmysqld-dev
After changing to the Barnyard2 directory
cd barnyard2 we run
./autogen.sh, configure it for MySQL
./configure --with-mysql --with-mysql-libraries=/usr/lib/x86_64-linux-gnu/ (the additional library and include path are necessary on Ubuntu to find MySQL) run
make. I only enable MySQL here, but other outpus are possible. To eventually install Barnyard to we use
sudo make install.
After installing Barnyard2 it needs configuration. First I copy the example config file
sudo cp etc/barnyard2.conf /etc/ before modifying it to run as a daemon and write to the database
config hostname: localhost
config interface: eth0
output database: log, mysql, user=root password=root dbname=snort host=localhost
config logdir: /var/log/barnyard2/
config waldo_file: /var/log/barnyard2/barnyard2.waldo
We have to set up the Barnyard2 database. We create a new database
create database snort;, get the Barnyard2 schema
and install it to our new database
mysql -u <user> -p snort < create_mysql.
I ran into the problem that snort had no
sid-msg.map. This can be created with
# /usr/share/oinkmaster/create-sidmap.pl rules/ > sid-msg.map
/etc/snort. I ran into some further problems and had to create the waldo file manually, i.e.
sudo touch /var/log/barnyard2/barnyard2.waldo
sudo chown snort:snort /var/log/barnyard2/barnyard2.waldo
This still throws a warning that the waldo file is corrupt, but Barnyard2 is at least running. I got a lot of warnings of the form
WARNING: Can't extract timestamp extension from '..'using base ''
from old/corrupted snort log files. So I removed all logs from `/var/log/snort/`. Note that this warning is also shown when the snort log is empty!
To start Barnyard2 now we use
sudo /usr/local/bin/barnyard2 -c /etc/barnyard2.conf -d /var/log/snort/ -f snort.out
where the first parameter sets the config file to use, the second tells barynard2 in which folder to look for snort output files and the last one gives the base-name of snort output in that folder.
Testing the setup
To test if Snorby is actually working I install and start Apache. This is not necessary since my snort rule from above is logging everything, but you may want to do this anyway to test some real rules. The Snorby web interface is located at
http://<server ip>:3000/. The default credentials are
Username: firstname.lastname@example.org, Password: snorby.