This guide will help you with installing Snorby on a freshly installed Ubuntu 12.04 LTS server. We’ll be using the latest version from the git repository.
Install required dependencies
Snorby depends on a number of libraries and tools, which should be installed before Snorby itself.
# apt-get install apache2 git imagemagick wkhtmltopdf ruby1.9.3 libyaml-dev libxml2-dev libxslt1-dev zlib1g-dev build-essential openssl libssl-dev libmysqlclient-dev libreadline6-dev
# gem install rails
# gem update
We’re going to fetch the latest version of Snorby from its Git repository.
git clone http://github.com/Snorby/snorby.git
Once snorby is downloaded, we proceed by installing a few dependencies.
# cd snorby && bundle install
Create two config files
You have to create two files in the config/ directory. The first is called database.yml; these are its contents.
# Snorby Database Configuration
#
# Please set your database password/user below
# NOTE: Indentation is important.
#
snorby: &snorby
  adapter: mysql
  username: snorby
  password: "s3cr3t"
  host: 127.0.0.1 # or the IP of your database server

development:
  database: snorby
  <<: *snorby
The second file is snorby_config.yml:
production:
  domain: 'snorby.yourdomain.com' # can be changed to your domain
  wkhtmltopdf: /usr/bin/wkhtmltopdf # correct for Ubuntu 12.04
  ssl: false
  mailer_sender: 'firstname.lastname@example.org' # can be changed
  geoip_uri: "http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz"
  rules:
    - ""
  authentication_mode: database
Create database account
Before proceeding you have to create a database user that can connect from the Snorby machine to your MySQL server. You also need to create a new database and give the new user full rights on that database only. Both the user and the database should be called “snorby”, and the password should be the same as the one used in “database.yml”.
Run the setup program for Snorby
This command finalizes the installation of Snorby on your system.
# bundle exec rake snorby:setup
Final step: run Snorby
This command will start Snorby without detaching from the console. It’s a good idea to use this the first time so you can check if any errors are reported.
bundle exec rails server -e production
If you didn’t get any errors, you should be able to access your Snorby installation at the following URL. This assumes you are running Snorby and your web browser on the same machine; adapt it to your setup if necessary.
The default login is ‘email@example.com’. Password is ‘snorby’. You’ll notice that the database is still empty. You’ll need a tool like Barnyard2 to send events from Snort to your Snorby database.
Configuring Barnyard2 event feed
This assumes you’ve installed Barnyard2 as described in this post. Add the following line to your /etc/snort/barnyard2.conf config file.
output database: log, mysql, user=snorby password=s3cr3t dbname=snorby host=localhost
Adapt the user, password and host if necessary. They should match the database name, user and password you used in the database.yml configuration file.
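The database-account step above gives no SQL, and the Barnyard2 line has to be kept in sync with database.yml by hand. The following script is an added example, not part of the original post or of Snorby itself: it reads the credentials from config/database.yml once and derives from them both the MySQL statements for a user whose rights are limited to the snorby database (and to the host the Snorby machine connects from), and a check that the "output database:" line in barnyard2.conf names the same user, password, database and host. It assumes the flat "key: value" layout shown above, values without a "#" character, and the hypothetical "sql" / "check" sub-commands and client-host argument are this script's own. One caveat it makes visible: to MySQL, "localhost" (Unix socket) and "127.0.0.1" (TCP) are different client hosts, so a GRANT for one does not cover the other and the two files must use the same spelling.

```shell
#!/bin/sh
# Added example (not from the original post or from Snorby): derive the MySQL
# account statements and a barnyard2.conf consistency check from database.yml.
# Assumptions: flat "key: value" YAML as in the post, values contain no '#',
# and the client host argument is the host Snorby/Barnyard2 connects from.

# Return one value from database.yml, without quotes or trailing comments.
# Usage: dbyml_value <database.yml> <key>
dbyml_value() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" \
        | sed -e 's/[[:space:]]*#.*$//' -e "s/^[\"']//" -e "s/[\"']\$//" \
        | head -n 1
}

# Print SQL for a least-privilege Snorby account: rights only on the snorby
# database, and only for the client host that will actually connect.
# Usage: snorby_db_sql <database.yml> [client_host]   (default: localhost)
snorby_db_sql() {
    user=$(dbyml_value "$1" username)
    pass=$(dbyml_value "$1" password | sed "s/'/''/g")  # escape quotes for SQL
    db=$(dbyml_value "$1" database)
    client=${2:-localhost}
    cat <<EOF
CREATE DATABASE IF NOT EXISTS \`$db\`;
CREATE USER '$user'@'$client' IDENTIFIED BY '$pass';
GRANT ALL PRIVILEGES ON \`$db\`.* TO '$user'@'$client';
FLUSH PRIVILEGES;
EOF
}

# Return one key=value field from the barnyard2 "output database:" line.
# Usage: barnyard_value <barnyard2.conf> <field>
barnyard_value() {
    grep '^output database:' "$1" | head -n 1 \
        | tr ',' ' ' | tr -s ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# Return 0 when barnyard2.conf and database.yml agree on every field, 1
# otherwise, naming each mismatch on stderr. "localhost" and "127.0.0.1" are
# deliberately treated as different, because MySQL grants treat them so.
# Usage: check_barnyard_matches <database.yml> <barnyard2.conf>
check_barnyard_matches() {
    status=0
    for pair in username:user password:password database:dbname host:host; do
        ykey=${pair%%:*}; bkey=${pair#*:}
        yval=$(dbyml_value "$1" "$ykey")
        bval=$(barnyard_value "$2" "$bkey")
        if [ "$yval" != "$bval" ]; then
            echo "mismatch: database.yml $ykey='$yval' vs barnyard2.conf $bkey='$bval'" >&2
            status=1
        fi
    done
    return $status
}

# Usage from the snorby checkout, e.g.:
#   sh snorby_db.sh sql config/database.yml 127.0.0.1 | mysql -u root -p
#   sh snorby_db.sh check config/database.yml /etc/snort/barnyard2.conf
case "${1:-}" in
    sql)   snorby_db_sql "$2" "$3" ;;
    check) check_barnyard_matches "$2" "$3" ;;
esac
```

Run the "sql" form once as a MySQL administrator before "rake snorby:setup", and the "check" form after editing barnyard2.conf; a non-zero exit with a "mismatch:" line on stderr tells you which field to fix before restarting Barnyard2.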
After restarting barnyard2, events will start to pop up in the GUI.