In this guide, I’ll go through the installation and configuration of Snorby as a front-end for Snort IDS. Before this, Snort must be installed and configured. If that’s not done yet, please follow one of the following links:
– Install and Configure Snort HIDS with Barnyard2, Base & MySQL on Ubuntu
– Installing Snort Sensor on Windows Host with Remote Snort +MySQL using WinIDS
Let us start the installation of Snorby, beginning with the prerequisites.
Prerequisites:
Update the OS first:
# apt-get update && apt-get upgrade
Installing the required prerequisites:
Install Ruby and its add-ons:
# gem install bundler
# gem install rails
# gem install rake --version=0.9.2
Install Snorby:
# git clone http://github.com/Snorby/snorby.git /var/www/snorby
# cd /var/www/snorby/config/
# cp database.yml.example database.yml
# cp snorby_config.yml.example snorby_config.yml
# sed -i 's|"/usr/local/bin/wkhtmltopdf"|"/usr/bin/wkhtmltopdf"|g' /var/www/snorby/config/snorby_config.yml
Configure the Snorby database username and password:
Edit the settings in database.yml to match your MySQL installation; the values from my network are given below as an example:
# bundle install --deployment
# rake snorby:setup
Set up Apache:
Set up Apache to work with Snorby. First we need to install the required Apache module:
# passenger-install-apache2-module
Copy the lines printed at the end of the installation script into the Apache config file (/etc/apache2/apache2.conf).
The end of the file should then look something like this:
# see README.Debian for details.
LoadModule passenger_module /var/lib/gems/1.9.1/gems/passenger-3.0.18/ext/apache2/mod_passenger.so
PassengerRoot /var/lib/gems/1.9.1/gems/passenger-3.0.18
PassengerRuby /usr/bin/ruby1.9.1
# Include generic snippets of statements
Include conf.d/
# Include the virtual host configurations:
Include sites-enabled/
Now add the website as a new site definition (the example below assumes /etc/apache2/sites-available/snorby, so that it can be enabled as “snorby” in the next step).
Add the following lines (change the ServerAdmin and ServerName to something of your choice):
<VirtualHost *:80>
ServerAdmin snorby@localhost
ServerName snorby.localnet
DocumentRoot /var/www/snorby/public
<Directory "/var/www/snorby/public">
AllowOverride all
Order deny,allow
Allow from all
Options -MultiViews
</Directory>
</VirtualHost>
Enable the new website and disable the default site:
# a2ensite snorby
# service apache2 reload
Browse to the new website at http://snorby.localnet (in my example) and log in with the following default credentials:
Note: for the hostname to resolve, add a host entry either on the DNS server (if you have access to it) or in the hosts file.
Username: snorby@snorby.org
Password: snorby
You should see a page that looks something like this:
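Before handing the console to users, here is an added post-install check that is not part of this guide or of Snorby: it inspects the database.yml and Apache site file written above and fails if the placeholder DB password, the MySQL root account, a world-readable config, or a wide-open vhost is still in place. The paths and the placeholder string are assumptions from the steps above.

```shell
#!/bin/sh
# Added post-install check for the layout used in this guide; it is not part of
# Snorby. Assumed paths: /var/www/snorby/config/database.yml and the Apache site
# file /etc/apache2/sites-available/snorby. Each check returns 0 (ok) or 1.

# database.yml: the copied example file carries a placeholder password (assumed
# here to be "Enter Password Here", as in Snorby's database.yml.example), and
# connecting as MySQL root gives the web app far more privilege than it needs.
check_db_config() {
    f="$1"
    [ -r "$f" ] || { echo "missing or unreadable: $f"; return 1; }
    if grep -q 'Enter Password Here' "$f"; then
        echo "$f: placeholder password still present"; return 1
    fi
    if grep -Eq '^[[:space:]]*username:[[:space:]]*root[[:space:]]*$' "$f"; then
        echo "$f: connects as MySQL root; create a dedicated snorby user"; return 1
    fi
    # The file holds the DB password, so it must not be world-readable.
    if [ -n "$(find "$f" -perm -004)" ]; then
        echo "$f: world-readable (chmod 640)"; return 1
    fi
    return 0
}

# Apache site: the guide's vhost uses "Allow from all" on plain HTTP. Flag a site
# that is open to every address with neither an IP restriction nor authentication.
# (Order/Allow are Apache 2.2 directives; Apache 2.4 uses Require instead.)
check_vhost() {
    f="$1"
    [ -r "$f" ] || { echo "missing or unreadable: $f"; return 1; }
    if grep -Eiq '^[[:space:]]*(Allow from all|Require all granted)' "$f" &&
       ! grep -Eiq '^[[:space:]]*(Allow from [0-9]|Require ip|AuthType)' "$f"; then
        echo "$f: console reachable from any address with no auth"; return 1
    fi
    return 0
}

# Run both checks against the guide's paths; returns 1 if either fails.
run_checks() {
    rc=0
    check_db_config /var/www/snorby/config/database.yml || rc=1
    check_vhost /etc/apache2/sites-available/snorby || rc=1
    return $rc
}
```

Source the script and call run_checks; the one thing it cannot verify is that the default snorby@snorby.org login above has been changed after the first sign-in, so do that by hand.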
sudo rake snorby:setup
Gem::LoadError: You have already activated rake 10.4.2, but your Gemfile requires rake 0.9.2. Prepending `bundle exec` to your command may solve this.
Please tell me how to solve this. I have tried bundle update and bundle exec but no luck ;/
First remove the currently installed rake version by:
# gem uninstall rake -v 10.4.2
Check if this works; if not, install rake with the command:
# gem install rake -v 0.9.2
It should fix the version issue.
I want sudo service apache2 restart
apache2: Syntax error on line 234 of /etc/apache2/apache2.conf: Cannot load /var/lib/gems/1.9.1/gems/passenger-5.0.13/ext/apache2/mod_passenger.so into server: /var/lib/gems/1.9.1/gems/passenger-5.0.13/ext/apache2/mod_passenger.so: invalid ELF header
OTL….
How can I fix it?
Try installing the perl-apache2 module by:
# sudo passenger-install-apache2-module
Then restart Apache2 again.
Thank you very, very much, it is solved. Can I ask something more?
Glad to know it helped. Yes, sure please ask…
“Submitting Credentials, Please Wait…” keeps going; how can I fix it?
Sorry, I could not understand where you are facing this error. Can you please give more details, or better, a screenshot?
rake snorby:setup generates error: “/usr/bin/env: ruby: Permission denied” . Any ideas, Muhammad? [Running Ubuntu 14.04] Thanks
Are you executing the command with “sudo” at the beginning? Normally the Permission Denied error is faced due to limited permissions of Ubuntu/Debian hosts’ users, and they need to execute every system-level command with “sudo” at the beginning.
Yes. Executing with sudo.
Execute this command first:
# chown -R apache:apache /var/www/html/snorby
Then execute:
# rake snorby:setup
Otherwise, install the Snorby bundle first:
# sudo bundle exec rake snorby:setup
Thx bro. Just wondering, after Snorby has been installed, does it need any rules or anything? I installed Snorby on my Kali machine; it does not start until I run sudo service mysql restart and sudo service apache2 restart, and when it starts all the default values are 0. I don’t know if I need to play with administration or events?
Hi, You are welcome.
No further configuration is required for auto-start of Snorby. You may need to verify that Apache and MySQL are both started and running fine on every boot by hosting a test website.
Thank you for the reply. What do you mean by hosting a test website? Do you mean I should set up a host website?
Hi,
Yes, just like you’ve hosted Snorby in Apache along with the MySQL DB, I’m asking you to host another website to test whether Apache and MySQL are working fine and the issue is with Snorby only.
Hi! Thx for this guide. I’m having problems installing rake. I get this error:
ERROR: While executing gem … (URI::InvalidURIError)
URI must be ascii only "?gems=u{2013}version=0.9.2"
I’ve been googling but can’t find any solution that works.
I tried to do the next step and then I got the following error while running:
sed -i s/"/usr/local/bin/wkhtmltopdf"/"/usr/bin/wkhtmltopdf"/g' /var/www/snorby/config/snorby_config.yml
Error:
sed: -e expression #1, char 11: unknown option to `s'
I can’t find any solutions for these problems and would appreciate it if someone knows how to fix this!
Hi,
Which version of Rake are you using/installed?
Try to uninstall Rake with the following command:
# gem uninstall rake
Now install rake with the command:
# gem install rake -v 0.9.2
It should fix the issue.