This guide will help you with installing Snorby on a freshly installed Ubuntu 12.04 LTS server. We’ll be using the latest version from the git repository.
Install required dependencies
Snorby uses a number of libraries and tools. They should be installed before Snorby itself.
# apt-get install apache2 git imagemagick wkhtmltopdf ruby1.9.3 libyaml-dev libxml2-dev libxslt1-dev zlib1g-dev build-essential openssl libssl-dev libmysqlclient-dev libreadline6-dev
# gem install rails
# gem update
Install snorby
We’re going to fetch the latest version of Snorby from the Git tree.
git clone http://github.com/Snorby/snorby.git
Once snorby is downloaded, we proceed by installing a few dependencies.
# cd snorby && bundle install
Create 2 config files
You have to create two files in the config/ directory. The first file is called database.yml; these are its contents.
# Snorby Database Configuration
#
# Please set your database password/user below
# NOTE: Indentation is important.
#
snorby: &snorby
  adapter: mysql
  username: snorby
  password: "s3cr3t"
  host: 127.0.0.1 # or the IP of your database server

development:
  database: snorby
  <
The second file is snorby_config.yml
production:
  domain: 'snorby.yourdomain.com' # can be changed to your domain
  wkhtmltopdf: /usr/bin/wkhtmltopdf # correct for Ubuntu 12.04
  ssl: false
  mailer_sender: 'snorby@yourdomain.com' # can be changed
  geoip_uri: "http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz"
  rules:
    - ""
  authentication_mode: database
Create database account
Before proceeding you have to create a database user that can connect from the Snorby machine to your MySQL server. You also need to create a new database and give the new user full rights on it. Both the user and the database should be called “snorby”. The password should be the same password as the one used in “database.yml”.
Run the setup program for Snorby
This command finalizes the installation of Snorby on your system.
# bundle exec rake snorby:setup
Final step: run Snorby
This command will start Snorby without detaching from the console. It’s a good idea to use this the first time so you can check if any errors are reported.
bundle exec rails server -e production
If you didn’t get any errors, you should be able to access your Snorby installation using the following URL. This assumes you are running Snorby and your web browser on the same machine. Adapt to your needs if necessary.
http://localhost:3000
The default login is ‘snorby@snorby.org’. Password is ‘snorby’. You’ll notice that the database is still empty. You’ll need a tool like Barnyard2 to send events from Snort to your Snorby database.
Configuring Barnyard2 event feed
This assumes you’ve installed Barnyard2 as described in this post. Add the following line to your /etc/snort/barnyard2.conf config file.
output database: log, mysql, user=snorby password=s3cr3t dbname=snorby host=localhost
Adapt the password and the host if necessary. They should match the database name, user and password you used in the database.yml configuration file.
After restarting barnyard2, events will start to pop up in the GUI.
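As an added example (not part of the post and not Snorby’s own code), a small Python helper that ties the “Create database account” and “Configuring Barnyard2 event feed” steps together: it parses config/database.yml, emits the MySQL statements for an account limited to the snorby database, and checks the barnyard2.conf output line against the same credentials. The sample configs are constructed for the example, and <snorby-host-placeholder> stands in for the Snorby machine when the database server is remote.

```python
"""Added helper for a Snorby install (not Snorby's own code): derive the MySQL account
from config/database.yml and check barnyard2.conf's 'output database:' line against it."""
import re

# Constructed sample in the shape of Snorby's config/database.yml.
DATABASE_YML = """\
snorby: &snorby
  adapter: mysql
  username: snorby
  password: "s3cr3t"
  host: 127.0.0.1 # or the IP of your database server
production:
  database: snorby
  <<: *snorby
"""
# Constructed barnyard2.conf lines; the second one does not match database.yml.
BARNYARD2_OK = "output database: log, mysql, user=snorby password=s3cr3t dbname=snorby host=127.0.0.1\n"
BARNYARD2_BAD = "output database: log, mysql, user=snort password=s3cr3t dbname=snort host=localhost\n"

def parse_database_yml(text):
    """Parse the YAML subset in database.yml (anchors, '<<: *name' merges) into {env: {key: value}}."""
    sections, anchors, current = {}, {}, None
    for raw in text.splitlines():
        line = "" if raw.lstrip().startswith("#") else raw.split(" #", 1)[0].rstrip()
        if not line:
            continue
        if not line.startswith(" "):                 # top level: "env: [&anchor]"
            name, _, rest = line.partition(":")
            current = sections[name.strip()] = {}
            if "&" in rest:
                anchors[rest.strip().lstrip("&")] = current
            continue
        key, _, value = line.strip().partition(":")
        value = value.strip().strip("'\"")
        if key == "<<":                              # copy the anchored mapping in
            for k, v in anchors[value.lstrip("*")].items():
                current.setdefault(k, v)
        else:
            current[key] = value
    return sections

def grant_statements(db):
    """SQL for the account the post asks for: full rights on the snorby database only.
    The account host is where clients connect FROM; loopback is kept, a remote DB gets a placeholder."""
    client = db["host"] if db["host"] in ("localhost", "127.0.0.1") else "<snorby-host-placeholder>"
    return ["CREATE DATABASE IF NOT EXISTS `%s`;" % db["database"],
            "CREATE USER '%s'@'%s' IDENTIFIED BY '%s';" % (db["username"], client, db["password"]),
            "GRANT ALL PRIVILEGES ON `%s`.* TO '%s'@'%s';" % (db["database"], db["username"], client)]

def check_feed(database_yml, barnyard2_conf, env="production"):
    """Return mismatches between database.yml[env] and barnyard2's 'output database:' line(s)."""
    db = parse_database_yml(database_yml)[env]
    expected = {"user": db["username"], "password": db["password"],
                "dbname": db["database"], "host": db["host"]}
    outputs = [dict(re.findall(r"(\w+)=(\S+)", line))
               for line in barnyard2_conf.splitlines() if line.startswith("output database:")]
    problems = []
    if len(outputs) != 1:                            # one feed only; a second one splits the events
        problems.append("expected one 'output database:' line, found %d" % len(outputs))
    for out in outputs:
        for key, want in expected.items():
            if out.get(key) != want:                 # 'localhost' and '127.0.0.1' are different MySQL hosts
                problems.append("%s: barnyard2 has %r, database.yml has %r" % (key, out.get(key), want))
    return problems
```

Run check_feed against your real files before restarting barnyard2; an empty list means the feed and Snorby point at the same account and database.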
For clarification: if we have barnyard2 installed and use snorby, we should have entries in our barnyard2.conf such as:
output database: log, mysql, user=snortuser password=secretpwd dbname=snort host=127.0.0.1
***AND***
output database: log, mysql, user=snorby password=s3cr3t dbname=snorby host=localhost
Thanks.
No, you only need 1 entry if you only want to use snorby.
Best regards,
Thomas
This part is confusing. Can you elaborate on what you mean by “…if you only want to use snorby”?
Are you saying that if we want to use some other front-end in addition to Snorby, then barnyard2 should output to two databases (snort and snorby)?
If we only want to use Snorby as the front-end, then should we use only the “snort” database for all 3 programs: Snort, Barnyard2 and Snorby? I had already created the “snort” database for Snort and Barnyard2. Therefore, can we keep the following in /etc/snort/barnyard2.conf?:
output database: log, mysql, user=snort password=s3cr3t dbname=snort host=localhost
But, when I run the following, I get the following error:
# bundle exec rake snorby:setup
ERROR 1007 (HY000) at line 1: Can't create database 'snort'; database exists
rake aborted!
Incorrect table definition; there can be only one auto column and it must be defined as a key
Tasks: TOP => db:autoupgrade
(See full trace by running task with --trace)
When I go to http://sub.mydomain.com:3000, Snorby tries to read the `users` table, which does not exist in the `snort` database and therefore, it fails.
I created the “snorby” database and changed config/database.yml to reference the `snorby` database. When I ran the following, I got a different response this time. It created tables for the `snorby` database. Most of them are identical to the tables in `snort` database, but each database has a few tables that the other one does not, such as the `users` table:
# bundle exec rake snorby:setup
ERROR 1007 (HY000) at line 1: Can't create database 'snorby'; database exists
[datamapper] Finished auto_upgrade! for :default repository 'snorby'
[~] Adding `index_timestamp_cid_sid` index to the event table
[~] Adding `index_caches_ran_at` index to the caches table
[~] Adding `id` to the event table
[~] Building `aggregated_events` database view
[~] Building `events_with_join` database view
* Removing old jobs
* Starting the Snorby worker process.
Jammit Warning: Asset compression disabled -- Java unavailable.
* Adding jobs to the queue
I was able to sign in to Snorby at http://sub.mydomain.com:3000, because there is a `users` table in the `snorby` database. Does this mean, that we need two databases? `snort` and `snorby`?
If so, then I need to have both of the following in /etc/snort/barnyard2.conf:
output database: log, mysql, user=snort password=s3cr3t dbname=snort host=localhost
output database: log, mysql, user=snorby password=s3cr3t dbname=snorby host=localhost
…but I cannot restart barnyard2. I tried the following, but none of them worked:
# barnyard2 stop
# barnyard2 restart
# service barnyard2 stop
# /etc/init.d/barnyard2 stop
How do I restart barnyard2?
Hi,
After following your steps successfully I bump into the following error:
[root@imgproxy] bundle exec rake snorby:setup
rake aborted!
undefined method `symbolize_keys' for nil:NilClass
(See full trace by running task with --trace)
Is that due to a missing gem or ?
I’ve never seen that.
I tried googling the error.
https://groups.google.com/forum/#!topic/snorby/KqG7OoVRpp4
Same problem, I'm located in the snorby folder as the root user.
When I run the command bundle exec rake snorby:setup --trace...
root@sistem-H67A-USB3-B3:/snorby# bundle exec rake snorby:setup --trace
rake aborted!
undefined method `symbolize_keys' for nil:NilClass
/snorby/config/application.rb:39:in `'
/snorby/config/application.rb:14:in `'
/snorby/Rakefile:4:in `require'
/snorby/Rakefile:4:in `'
/var/lib/gems/1.9.1/gems/rake-0.9.2/lib/rake/rake_module.rb:25:in `load'
/var/lib/gems/1.9.1/gems/rake-0.9.2/lib/rake/rake_module.rb:25:in `load_rakefile'
/var/lib/gems/1.9.1/gems/rake-0.9.2/lib/rake/application.rb:495:in `raw_load_rakefile'
/var/lib/gems/1.9.1/gems/rake-0.9.2/lib/rake/application.rb:78:in `block in load_rakefile'
/var/lib/gems/1.9.1/gems/rake-0.9.2/lib/rake/application.rb:129:in `standard_exception_handling'
/var/lib/gems/1.9.1/gems/rake-0.9.2/lib/rake/application.rb:77:in `load_rakefile'
/var/lib/gems/1.9.1/gems/rake-0.9.2/lib/rake/application.rb:61:in `block in run'
/var/lib/gems/1.9.1/gems/rake-0.9.2/lib/rake/application.rb:129:in `standard_exception_handling'
/var/lib/gems/1.9.1/gems/rake-0.9.2/lib/rake/application.rb:59:in `run'
/var/lib/gems/1.9.1/gems/rake-0.9.2/bin/rake:32:in `'
/usr/local/bin/rake:23:in `load'
/usr/local/bin/rake:23:in `'
Instead of bundle install, try this: RAILS_ENV=production bundle install --deployment.
Thanks for the tip!
I’ve done a bit of searching around when this didn’t work for me on Ubuntu 14.04.
I have tried:
RAILS_ENV=production bundle install --deployment
and it seems to have worked.
For those like me who just stumbled upon this thread, that is a double dash before “deployment”
Problems installing with gem install rails:
root@Sensorstar-XPS:/tmp/ruby-2.0.0-p247# gem install rails
ERROR: Loading command: install (LoadError)
cannot load such file -- openssl
ERROR: While executing gem ... (NoMethodError)
undefined method `invoke_with_build_args' for nil:NilClass
root@Sensorstar-XPS:/tmp/ruby-2.0.0-p247# gem update
ERROR: Loading command: update (LoadError)
cannot load such file -- openssl
ERROR: While executing gem ... (NoMethodError)
undefined method `invoke_with_build_args' for nil:NilClass
Did you compile ruby yourself? If so, you have to include support for openssl. That seems to be missing. Googling the error will give you a lot of hints.
Hi, thanks for your reply. I am new to Ruby, and was following the compilation steps provided in another Snorby installation “cheat-sheet”
(https://www.corelan.be/index.php/2011/02/27/cheat-sheet-installing-snorby-2-2-with-apache2-and-suricata-with-barnyard2-on-ubuntu-10-x/).
So I was not expecting there to be missing components, and at present, am looking how to remedy this. The steps I followed in the cheat-sheet are below:
============================================
Installing Ruby 1.9.2p0
cd /tmp
wget http://ftp.ruby-lang.org//pub/ruby/1.9/ruby-1.9.2-p0.tar.gz
tar -xvzf ruby-1.9.2-p0.tar.gz
cd ruby-1.9.2-p0
./configure
make && make install
ln -s /usr/local/ruby/bin/bundle /usr/bin
Run “ruby -v” and verify that it returns the correct version:
ruby 1.9.2p0 (2010-08-18 revision 29036) [i686-linux]
Install Gems:
1. gem install thor i18n bundler
2. gem install tzinfo builder memcache-client rack rack-test erubis mail text-format
3. gem install rack-mount --version=0.4.0
4. gem install rails sqlite3-ruby
=====================================================================
Results follow:
=====================================================================
Gem component install step 2 complained it needed an earlier version of Ruby:
sudo gem install tzinfo builder memcache-client rack rack-test erubis mail text-format
ERROR: Error installing text-format:
text-hyphen requires Ruby version = 1.9.3.
Building native extensions. This could take a while...
ERROR: Error installing sqlite3-ruby:
ERROR: Failed to build gem native extension.
/usr/local/bin/ruby extconf.rb
checking for sqlite3.h... no
sqlite3.h is missing. Try 'port install sqlite3 +universal'
or 'yum install sqlite-devel' and check your shared library search path (the
location where your sqlite3 shared library is located).
====================================================================
I ignored the one needing the earlier version of Ruby but went and installed the latest Ruby-2.0.0-p247, substituting Ruby-2.0.0-p247 for ruby-1.9.2 in the above installation steps, and re-attempted to install the same gems per the same steps. After that, I got different install errors, similar to the ones I experienced in this tutorial. Then I re-installed Ruby 1.9.2 and I installed yum and attempted the ‘yum install sqlite-devel’ but got other errors shown below:
======================================================================
yum install sqlite-devel
There are no enabled repos.
Run "yum repolist all" to see the repos you have.
You can enable repos with yum-config-manager --enable
/tmp/ruby-1.9.2-p0# yum repolist all
repolist: 0
/tmp/ruby-1.9.2-p0# pcmanfm&
[1] 15046
/tmp/ruby-1.9.2-p0#
** (emacs24:15186): WARNING **: Couldn't connect to accessibility bus: Failed to connect to socket /tmp/dbus-K3OJJASHQf: Connection refused
Gtk-Message: (for origin information, set GTK_DEBUG): failed to retrieve property `GtkRange::activate-slider' of type `gboolean' from rc file value "((GString*) 0x7f3118a322c0)" of type `GString'
==========================================================================
After all that, I went looking for another install tutorial, and found yours, and attempted to follow the gem install steps having Ruby-2.0.0-p247 re-installed and got the errors I reported in my reply to this tutorial.
So, at this point, in the short term I am looking for quick tips on getting the Ruby Gems needed for installing Snorby, and in the long term I am looking to gain proficiency in Ruby programming.
Thanks
Sam
I have followed all of your posts in this series, but I still don’t see any events in Snorby.
Snort is running, I have checked its process.
I have checked the files in /var/log/snort/ and they seem to be fine, I have several merged.log files, an alert file and several tcpdump.log files.
Barnyard2 starts ok, the process is running, but after several minutes I check syslog and it says that it can’t find the barnyard2.waldo file. I create a blank one and start it again and syslog says:
Barnyard2 initialization completed successfully (pid=25211)
ignoring corrupt/truncated waldo file /var/log/snort/barnyard2.waldo
ERROR: unable to open directory '' (no such file or directory)
ERROR: unable to find the next spool file!
Then it shows a list of records, each of them with a 0 next to them.
And I can’t start barnyard2 as a normal command, I run it like a script (e.g. ./barnyard2 -c .... ) from the barnyard2-installation/bin/ folder.
I am also doing this on an Ubuntu server 12.04.
Any ideas on why this is happening?
Remove the .waldo file if you created it. Make sure the /var/log/snort is -rw by the snort user. Also make sure you only have one output in barnyard2.conf which is:
output database: log, mysql, user=yoursnorbyuser password=yoursnorbypasswod dbname=snorby host=localhost
I run barnyard2 like:
./barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f merged.log -w /var/log/snort/barnyard2.waldo.
Hi Evan,
No data appears in the Snorby Dashboard, pages or tabs for me as well.
I have the following permission for /var/log/snort
drwxr-s--- 2 snort adm 4096 Apr 4 18:02 snort
I have one output in barnyard2.conf which is:
output database: log, mysql, user=yoursnorbyuser password=yoursnorbypasswod dbname=snorby host=127.0.0.1
The size of the `snorby` database in MySQL is now 4.4 MB.
I run barnyard2 with:
barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f merged.log -w /var/log/snort/barnyard2.waldo
I have the following in /usr/src/snorby/config/database.yml:
snorby: &snorby
  adapter: mysql
  username: yoursnorbyuser
  password: yoursnorbypasswod
  host: localhost
development:
  database: snorby
  <<: *snorby
test:
  database: snorby
  <<: *snorby
production:
  database: snorby
  <<: *snorby
I have no alert file, one merged.log file and several tcpdump.log files in /var/log/snort/
What am I doing wrong?
Excellent post. Deployed this at home and the office.
Dear Thomas,
I have configured Snort, Snorby and barnyard2 in Lubuntu 12.10. I have followed all the procedures you suggested, but barnyard2 cannot send events from Snort to the Snorby database.
The author said to read the previous article for the barnyard2 setup, which states the database name is SNORT, not SNORBY, so use the previous barnyard2 article setup as he specified. On Snorby it DOES show SNORBY as the database, but he did say that it should be the SNORT database, NOT the SNORBY database, in the previous article when he said to use the previously configured setting, which is the SNORT database, NOT SNORBY.
Nothing in this article shows that you should be using the SNORBY database, but using the previous article’s settings doesn’t work correctly per the author of this article.
When you use the SNORBY database it only has three tables, which it creates on its own, so this will not function with barnyard2 as specified in the previous to current article.
With the SNORBY database and using barnyard2, the database connection using the SNORBY database is NOT functioning.
In the chapter “Configuring Barnyard2 event feed”, it’s explained how to configure barnyard2 to send an extra feed of events to the SNORBY database. If you create that extra feed and restart barnyard2, it will feed the events also to the SNORBY database. The HTTP GUI of Snorby should show them.
I bombed out on this step BIG TIME. I would get through one error and get three more. But it could just be the time that has lapsed since this was originally written, and all of the changes that have taken place since then. I was able to follow the install instructions from snorby.org (which weren’t all that different) and it went flawlessly.
When I try to run the setup I get an error with rake-0.9.2. Any ideas? I installed it.
# sudo bundle exec rake snorby:setup
No time_zone specified in snorby_config.yml; detected time_zone: US/Pacific-New
60fa58ac588cb78172318d32cda1a42cdf118edaa9ea8855ddacc57f6878a0db9264ae5d4122b52ed13292aa06dc4cb00c5fba366ca579f5f2f9ef18c88cdcec
ERROR 1007 (HY000) at line 1: Can't create database 'snorby'; database exists
[datamapper] Finished auto_upgrade! for :default repository 'snorby'
* Removing old jobs
* Starting the Snorby worker process.
/var/lib/gems/1.9.1/gems/bundler-1.6.2/lib/bundler/spec_set.rb:92:in `materialize': Could not find rake-0.9.2 in any of the sources (Bundler::GemNotFound)
from /var/lib/gems/1.9.1/gems/bundler-1.6.2/lib/bundler/spec_set.rb:85:in `map!'
from /var/lib/gems/1.9.1/gems/bundler-1.6.2/lib/bundler/spec_set.rb:85:in `materialize'
from /var/lib/gems/1.9.1/gems/bundler-1.6.2/lib/bundler/definition.rb:133:in `specs'
from /var/lib/gems/1.9.1/gems/bundler-1.6.2/lib/bundler/definition.rb:178:in `specs_for'
from /var/lib/gems/1.9.1/gems/bundler-1.6.2/lib/bundler/definition.rb:167:in `requested_specs'
from /var/lib/gems/1.9.1/gems/bundler-1.6.2/lib/bundler/environment.rb:18:in `requested_specs'
from /var/lib/gems/1.9.1/gems/bundler-1.6.2/lib/bundler/runtime.rb:13:in `setup'
from /var/lib/gems/1.9.1/gems/bundler-1.6.2/lib/bundler.rb:120:in `setup'
from /var/lib/gems/1.9.1/gems/bundler-1.6.2/lib/bundler/setup.rb:17
[X] Error: Unable to start the Snorby worker process.
hello,
I installed Snorby without problems, but when I go to the web page http://127.0.0.1:3000 it tells me there is no connection to the server and I don't see Snorby.
Can you help me?
thanks
hernani
The problem is gone, but I have another question: the console where Snorby runs shows me this warning
[2014-06-19 22:28:44] WARN Could not determine content-length of response body. Set content-length of the response or set Response#chunked = true
thanks
hernani
I found a solution for these errors on Google, but I have another error for which I found no solution on Google.
Here is the error -> Routing Error uninitialized constant BaseuriController
Can you help me with this error?
thanks
hernani
Hi! 1st. time to be here.
I have a question about exec of Snorby on this command.
> MyMachine:snorby renpoo$ sudo bundle exec rake snorby::setup --trace
> rake aborted!
> undefined method `symbolize_keys' for nil:NilClass
Traced flow is like below.
> /Users/renpoo/src/snorby/config/application.rb:39:in `'
> /Users/renpoo/src/snorby/config/application.rb:14:in `'
> /Users/renpoo/src/snorby/Rakefile:4:in `require'
> /Users/renpoo/src/snorby/Rakefile:4:in `'
> /Users/renpoo/src/snorby/vendor/bundle/ruby/1.9.1/gems/rake-0.9.2/lib/rake/rake_module.rb:25:in `load'
> /Users/renpoo/src/snorby/vendor/bundle/ruby/1.9.1/gems/rake-0.9.2/lib/rake/rake_module.rb:25:in `load_rakefile'
> /Users/renpoo/src/snorby/vendor/bundle/ruby/1.9.1/gems/rake-0.9.2/lib/rake/application.rb:495:in `raw_load_rakefile'
> /Users/renpoo/src/snorby/vendor/bundle/ruby/1.9.1/gems/rake-0.9.2/lib/rake/application.rb:78:in `block in load_rakefile'
> /Users/renpoo/src/snorby/vendor/bundle/ruby/1.9.1/gems/rake-0.9.2/lib/rake/application.rb:129:in `standard_exception_handling'
> /Users/renpoo/src/snorby/vendor/bundle/ruby/1.9.1/gems/rake-0.9.2/lib/rake/application.rb:77:in `load_rakefile'
> /Users/renpoo/src/snorby/vendor/bundle/ruby/1.9.1/gems/rake-0.9.2/lib/rake/application.rb:61:in `block in run'
> /Users/renpoo/src/snorby/vendor/bundle/ruby/1.9.1/gems/rake-0.9.2/lib/rake/application.rb:129:in `standard_exception_handling'
> /Users/renpoo/src/snorby/vendor/bundle/ruby/1.9.1/gems/rake-0.9.2/lib/rake/application.rb:59:in `run'
> /Users/renpoo/src/snorby/vendor/bundle/ruby/1.9.1/gems/rake-0.9.2/bin/rake:32:in `'
> /Users/renpoo/src/snorby/vendor/bundle/ruby/1.9.1/bin/rake:23:in `load'
> /Users/renpoo/src/snorby/vendor/bundle/ruby/1.9.1/bin/rake:23:in `'
I’ve read some of the posts above, but failed to do
> sudo RAILS_ENV=production bundle exec rake --trace snorby::setup
since it reproduced the same error, “undefined method `symbolize_keys' for nil:NilClass”.
What can I do at this kind of situation?
Could you help me?
Thanks in advance.
The Snorby worker is not currently running. I can’t start snorby worker.