Thursday, October 18 2018

Installing Snorby on Ubuntu for Snort with Barnyard2

In this guide, I'll go through the installation and configuration of Snorby as a front-end for the Snort IDS. Before this, Snort must be installed and configured. If that's not done yet, please follow one of the following guides:

– Install and Configure Snort HIDS with Barnyard2, Base & MySQL on Ubuntu

– Installing Snort Sensor on Windows Host with Remote Snort + MySQL using WinIDS

Let us start the installation of Snorby, beginning with the prerequisites.

Prerequisites:

Update the OS first:

# apt-get update
# apt-get upgrade

Install the required packages:

# apt-get install mysql-server apache2 libyaml-dev git-core default-jre imagemagick libmagickwand-dev wkhtmltopdf gcc g++ build-essential libssl-dev libreadline-gplv2-dev zlib1g-dev linux-headers-generic libsqlite3-dev libxslt1-dev libxml2-dev libmysqlclient-dev libmysql++-dev apache2-prefork-dev libcurl4-openssl-dev -y

Install Ruby and its add-ons:

# apt-get install ruby1.9.3 ruby-text-format
# gem install bundler
# gem install rails
# gem install rake --version=0.9.2

Install Snorby:

# cd /var/www/
# git clone http://github.com/Snorby/snorby.git
# cd /var/www/snorby/config/
# cp database.yml.example database.yml
# cp snorby_config.yml.example snorby_config.yml
# sed -i 's|/usr/local/bin/wkhtmltopdf|/usr/bin/wkhtmltopdf|g' /var/www/snorby/config/snorby_config.yml

Configure snorby database username and password:

# vim /var/www/snorby/config/database.yml

Edit the settings to match your MySQL installation. As an example, the values used in my network are shown in the screenshot below:

[Screenshot: SnorbyConfig (database.yml settings)]

# cd /var/www/snorby/
# bundle install --deployment
# rake snorby:setup

Set up Apache:

Set up Apache to work with Snorby. First we need to install the required Apache module (Passenger):

# gem install passenger
# passenger-install-apache2-module

[Screenshot: InstallPessenger]

[Screenshot: InstallPessengerApache2Module]

Copy the lines provided at the end of the installation script into the Apache config file.

# vim /etc/apache2/apache2.conf

The lines should look something like this at the end of the file:

# Include of directories ignores editors' and dpkg's backup files,
# see README.Debian for details.
LoadModule passenger_module /var/lib/gems/1.9.1/gems/passenger-3.0.18/ext/apache2/mod_passenger.so
PassengerRoot /var/lib/gems/1.9.1/gems/passenger-3.0.18
PassengerRuby /usr/bin/ruby1.9.1

# Include generic snippets of statements
Include conf.d/

# Include the virtual host configurations:
Include sites-enabled/

Now add the website as follows:

# vim /etc/apache2/sites-available/snorby

Add the following lines (change the ServerAdmin and ServerName to something of your choice):

<VirtualHost *:80>
ServerAdmin snorby@localhost
ServerName snorby.localnet
DocumentRoot /var/www/snorby/public

<Directory "/var/www/snorby/public">
AllowOverride all
Order deny,allow
Allow from all
Options -MultiViews
</Directory>
</VirtualHost>

[Screenshot: ApacheConfigSnorby]

Enable the new website and disable the default site:

# a2dissite default
# a2ensite snorby
# service apache2 reload

Browse to the new website at http://snorby.localnet (in my example) and log in with the default credentials listed below.

Note: for the name to resolve, add a host entry for it either on your DNS server (if you have access to one) or in the hosts file.

Credentials:

Username:      snorby@snorby.org
Password:       snorby

You should see a page that looks something like this:

[Screenshot: Snorby Frontend]
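As an added pre-flight check (example code written for this page, not from the original post or the Snorby project), the script below verifies the two files the guide edits before you run rake snorby:setup: that the wkhtmltopdf path in snorby_config.yml points at a real executable, and that database.yml does not still use the MySQL root account or the example file's placeholder password. It assumes the guide's /var/www/snorby/config layout and Snorby's flat YAML key names (wkhtmltopdf, username, password).

```shell
#!/bin/bash
# Pre-flight checks for the Snorby config files this guide edits. Added example, not
# code from the original post or Snorby; assumes the guide's /var/www/snorby/config layout.

# Value of the first "KEY: value" line in FILE, with quotes and a trailing
# "# comment" removed. Enough for Snorby's flat YAML; a value containing '#' is cut.
yaml_value() {  # yaml_value KEY FILE
  sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" "$2" | head -n 1 \
    | sed -e 's/[[:space:]]*#.*$//' -e "s/^[\"']//" -e "s/[\"']\$//"
}
# 0 if the wkhtmltopdf path in snorby_config.yml is an executable file, else 1
# (the guide's sed rewrites /usr/local/bin/wkhtmltopdf to /usr/bin/wkhtmltopdf).
check_wkhtmltopdf() {  # check_wkhtmltopdf SNORBY_CONFIG_YML
  local path
  path=$(yaml_value wkhtmltopdf "$1")
  [ -n "$path" ] && [ -x "$path" ] && { echo "ok: wkhtmltopdf at $path"; return 0; }
  echo "FAIL: wkhtmltopdf path '$path' in $1 is missing or not executable"
  return 1
}
# 0 if database.yml avoids the MySQL root account and a blank or placeholder
# password ("Enter Password Here" is the text shipped in database.yml.example).
check_database_yml() {  # check_database_yml DATABASE_YML
  local user pass rc=0
  user=$(yaml_value username "$1")
  pass=$(yaml_value password "$1")
  [ "$user" != root ] || { echo "FAIL: $1 uses MySQL root; use a user limited to the snorby database"; rc=1; }
  case "$pass" in
    ""|"Enter Password Here") echo "FAIL: $1 password is blank or the example placeholder"; rc=1 ;;
  esac
  [ "$rc" -ne 0 ] || echo "ok: $1 uses dedicated user '$user' with a password set"
  return "$rc"
}
# Run both checks on a config directory; non-zero if anything failed.
snorby_preflight() {  # snorby_preflight CONFIG_DIR
  local rc=0
  check_wkhtmltopdf "$1/snorby_config.yml" || rc=1
  check_database_yml "$1/database.yml" || rc=1
  return "$rc"
}

# Demo on constructed copies of the example files (not a real install).
demo() {
  local d; d=$(mktemp -d)
  printf 'production:\n  wkhtmltopdf: /usr/local/bin/wkhtmltopdf\n' > "$d/snorby_config.yml"
  printf 'snorby: &snorby\n  username: root\n  password: "Enter Password Here" # Example\n' > "$d/database.yml"
  snorby_preflight "$d" || echo "preflight failed: fix the configs before running rake snorby:setup"
  rm -rf "$d"
}
demo
```

Call snorby_preflight /var/www/snorby/config on a real install; the demo at the bottom only runs against constructed copies of the example files.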

About Muhammad Attique


18 comments

  1. sudo rake snorby:setup
    Gem::LoadError: You have already activated rake 10.4.2, but your Gemfile requires rake 0.9.2. Prepending `bundle exec` to your command may solve this.

    Please tell me how to solve this. I have tried bundle update and bundle exec but no luck ;/

    • Muhammad Attique

      First remove the currently installed rake version by:

      # gem uninstall rake -v 10.4.2

      Check if this works; if not, install rake with the command:

      # gem install rake -v 0.9.2

      It should fix the version issue.

  2. I want sudo service apache2 restart

    apache2: Syntax error on line 234 of /etc/apache2/apache2.conf: Cannot load /var/lib/gems/1.9.1/gems/passenger-5.0.13/ext/apache2/mod_passenger.so into server: /var/lib/gems/1.9.1/gems/passenger-5.0.13/ext/apache2/mod_passenger.so: invalid ELF header

    OTL….

    How can I fix it

  3. "Submitting Credentials, Please Wait…" just continues; how can I fix it?

    • Muhammad Attique

      Sorry, I could not understand where you are facing this error. Can you please give more details, or better, a screenshot?

  4. rake snorby:setup generates error: “/usr/bin/env: ruby: Permission denied” . Any ideas, Muhammad? [Running Ubuntu 14.04] Thanks

    • Are you executing the command with "sudo" at the beginning? Normally a Permission Denied error is faced due to limited permissions of users on Ubuntu/Debian hosts, and they need to execute every system-level command with "sudo" at the beginning.

  5. Thx bro just wondering after snorby been installed does it need any rules or any thing? I installed snorby in my Kali machine it does not start until I run sudo service mysql restart and sudo service apache2 restart and when it start all the default values are 0. I don’t know if I need to play with administration or events?

    • Hi, You are welcome.
      No further configuration is required for auto-start of Snorby. You may need to verify that Apache and MySQL are both started and executed fine on every start by hosting a test website.

      • Thank you for reply, what do u mean by hosting a test website? Do you mean I should set up a host website?

        • Hi,
          Yes, just like you’ve hosted Snorby in Apache along with MySQL DB, I’m asking you to host another website to test if Apache & MySQL are working fine and issue is with Snorby only.

  6. Hi! Thx for this guide. I’m having problems installing rake. I get this error:
    ERROR: While executing gem … (URI::InvalidURIError)
    URI must be ascii only “?gems=u{2013}version=0.9.2”

    I’ve been googling but can’t find any solution that works.

    I tried to do the next step and then I got the following error while running:
    sed -i s/”/usr/local/bin/wkhtmltopdf”/”/usr/bin/wkhtmltopdf”/g’ /var/www/snorby/config/snorby_config.yml

    Error:
    sed: -e expression #1, char 11: unknown option to `s’

    I can't find any solutions for these problems and would appreciate it if someone knows how to fix this!

    • Muhammad Attique

      Hi,
      Which version of Rake are you using/installed?

      Try to uninstall Rake with following command:

      # gem uninstall rake

      Now install rake with command:

      # gem install rake -v 0.9.2

      It should fix the issue.
