Installing Snorby

This guide walks through installing Snorby on a freshly installed Ubuntu 12.04 LTS server, using the latest version from the Git repository. The `#` prompt on the commands below means they are run as root; for anything beyond a first test, clone and run Snorby as a dedicated unprivileged user instead.

Install required dependencies

Snorby depends on a number of libraries and tools; install them before installing Snorby itself.

# apt-get install apache2 git imagemagick wkhtmltopdf ruby1.9.3 libyaml-dev libxml2-dev libxslt1-dev zlib1g-dev build-essential openssl libssl-dev libmysqlclient-dev libreadline6-dev
# gem install rails
# gem update

Note that gem update upgrades every installed gem to its latest version. The gem versions Snorby itself needs are resolved from its Gemfile by bundle install in the next step, so you may skip the update if you want a predictable set of gems.

Install Snorby

Fetch the latest version of Snorby from the Git tree. Clone over HTTPS so the checkout cannot be altered in transit:

# git clone https://github.com/Snorby/snorby.git

Once Snorby is downloaded, install the Ruby gems it depends on:

# cd snorby && bundle install

Create two config files

You have to create two files in the config/ directory. The first is called database.yml; this is its content (the test and production sections repeat the development one, so all three environments use the same database):

# Snorby Database Configuration
#
# Please set your database password/user below
# NOTE: Indentation is important.
#
snorby: &snorby
  adapter: mysql
  username: snorby
  password: "s3cr3t"
  host: 127.0.0.1 # or the IP of your database server

development:
  database: snorby
  <<: *snorby

test:
  database: snorby
  <<: *snorby

production:
  database: snorby
  <<: *snorby

The <<: *snorby lines merge the shared settings from the snorby anchor into each environment. This file holds the database password in clear text, so make it readable only by the user Snorby runs as (mode 600).

The second file is snorby_config.yml:

production:
  domain: 'snorby.yourdomain.com' # can be changed to your domain
  wkhtmltopdf: /usr/bin/wkhtmltopdf # correct for Ubuntu 12.04
  ssl: false
  mailer_sender: 'snorby@yourdomain.com'  # can be changed
  geoip_uri: "http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz"
  rules:
    - ""
  authentication_mode: database

Snorby reads the section of this file named after the current Rails environment. Only production is defined here, so every rake and rails command below has to run in the production environment (RAILS_ENV=production or -e production); a command run in the default development environment finds no section and aborts with undefined method `symbolize_keys' for nil:NilClass. ssl: false matches the plain-HTTP setup used for the first start below.

Create database account

Before proceeding, create a MySQL user that can connect from the Snorby machine to your MySQL server, create a new database, and give the user full rights on that database. Both the user and the database should be called "snorby", and the password must be the same as the one in database.yml. MySQL matches an account by user name and connecting host: with host: 127.0.0.1 in database.yml Snorby connects over TCP, while a client configured with host=localhost (as barnyard2 is below) connects over the Unix socket and is matched by 'snorby'@'localhost'. A TCP connection from 127.0.0.1 only matches that same account when the server resolves the address back to localhost, which it does not under skip-name-resolve, so grant the account for both 'localhost' and '127.0.0.1'. Grant rights on the snorby database only, not globally.
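The statements for this step, as an added example (a shell script written for this guide, not Snorby's or Barnyard2's own code): it prints the MySQL commands that create the database and the account, taking the privilege set and the list of client hosts as parameters, and refuses values that would break out of the SQL quoting. The function name and its argument order are this example's own. Pass both localhost and 127.0.0.1 when, as in this guide, database.yml uses 127.0.0.1 and barnyard2.conf uses localhost.

```shell
#!/bin/sh
# Added example, not part of the original post: print the MySQL statements
# that create the "snorby" database and an account limited to that database,
# for piping into "mysql -u root -p".
# MySQL matches an account by user AND client host: 'snorby'@'localhost'
# covers Unix-socket connections (host=localhost), while a TCP connection to
# 127.0.0.1 only matches it when the server resolves the address back to
# "localhost" (it does not under skip-name-resolve). Passing both hosts
# produces a grant for each.

# snorby_grant_sql DB USER PASSWORD PRIVILEGES HOST [HOST...]
snorby_grant_sql() {
  if [ "$#" -lt 5 ]; then
    echo "usage: snorby_grant_sql DB USER PASSWORD PRIVILEGES HOST..." >&2
    return 2
  fi
  db=$1; user=$2; pass=$3; privs=$4; shift 4
  # The values are interpolated into SQL strings: refuse characters that
  # would break out of the quoting instead of trying to escape them.
  case "$db$user$pass" in
    *"'"*|*'"'*|*'\'*|*';'*|*'`'*)
      echo "refusing to embed quotes, backslashes, backticks or ';' in SQL" >&2
      return 2 ;;
  esac
  # Validate every host before printing anything, so a bad argument
  # never yields a half-finished script on stdout.
  for h in "$@"; do
    case "$h" in
      *[!A-Za-z0-9._%-]*) echo "invalid host pattern: $h" >&2; return 2 ;;
      %) echo "warning: host '%' lets any host log in as $user" >&2 ;;
    esac
  done
  printf '%s\n' "CREATE DATABASE IF NOT EXISTS \`$db\`;"
  for h in "$@"; do
    # On MySQL 5.5 (Ubuntu 12.04) GRANT ... IDENTIFIED BY creates the account
    # when it does not exist yet, and sets the password when it does.
    # Privileges are limited to the snorby database, never granted globally.
    printf '%s\n' "GRANT $privs ON \`$db\`.* TO '$user'@'$h' IDENTIFIED BY '$pass';"
  done
  printf '%s\n' "FLUSH PRIVILEGES;"
}

# Stand-alone usage, e.g.:
#   sh snorby_grant.sh snorby snorby s3cr3t 'ALL PRIVILEGES' localhost 127.0.0.1 | mysql -u root -p
if [ "$#" -ge 5 ]; then
  snorby_grant_sql "$@"
fi
```

The privilege set is a parameter because the Snorby account needs schema rights for rake snorby:setup (it creates tables, indexes and views), whereas an event feed only writes rows; if you would rather not give barnyard2 schema-changing rights, run the function a second time for a separate account with a narrower privilege list and use that account in barnyard2.conf.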

Run the setup program for Snorby

This command finalizes the installation: it creates the tables, indexes and views in the snorby database and starts the Snorby worker process. Run it in the production environment, since that is the only one defined in snorby_config.yml.

# RAILS_ENV=production bundle exec rake snorby:setup

Final step: run Snorby

This command starts Snorby without detaching from the console. It is a good idea to use it the first time so you can check whether any errors are reported.

# bundle exec rails server -e production

If you did not get any errors, you should be able to access your Snorby installation at the following URL. This assumes you are running Snorby and your web browser on the same machine; adapt to your needs if necessary.

http://localhost:3000

The default login is 'snorby@snorby.org' with password 'snorby'; change it as soon as you log in. Note that rails server listens on all interfaces and, with ssl: false, serves plain HTTP, so the login travels in the clear: for anything beyond this first test, bind it to loopback with -b 127.0.0.1 and put a TLS-terminating reverse proxy (the apache2 package installed above will do) in front of it. You will notice that the database is still empty. You need a tool like Barnyard2 to feed the events Snort produces into the Snorby database.

Configuring Barnyard2 event feed

This assumes you have installed Barnyard2 as described in the previous post of this series. Add the following line to your /etc/snort/barnyard2.conf config file:

output database: log, mysql, user=snorby password=s3cr3t dbname=snorby host=localhost

Adapt the user, password, database name and host if necessary; they should match what you put in database.yml. Note that this example uses host=localhost (a Unix-socket connection) whereas database.yml above uses 127.0.0.1, which is why the database account step grants both hosts; using the same value in both files is simpler. If barnyard2.conf already has an output database: line for another database (for example the snort database from the previous post), leave it in place: barnyard2 accepts several output lines and writes every event to each of them, so this line adds an extra feed rather than replacing the existing one. The line contains the database password in clear text, so restrict the permissions of barnyard2.conf as well.
After restarting barnyard2, events will start to pop up in the GUI.
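A check for the mismatch that is easy to make at this point, as an added example (a script written for this guide, not from the post, Snorby or Barnyard2): it reads the account details from config/database.yml and from the output database: line in barnyard2.conf and reports every field that differs, so the comparison is done before barnyard2 is restarted. It assumes the file layouts shown in this guide; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original post: check that the barnyard2
# "output database:" line and Snorby's config/database.yml name the same
# MySQL account, database and host before restarting barnyard2.
# Assumes the layouts shown in this post: one "snorby: &snorby" anchor
# holding username/password/host, a "database:" key per environment, and a
# single "output database: log, mysql, key=value ..." line in barnyard2.conf.

# yml_value KEY FILE: first "KEY: value" in FILE, with a trailing "# comment"
# and surrounding quotes removed (values containing '#' or quotes are not
# handled by this simple parser).
yml_value() {
  sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" "$2" | head -n 1 \
    | sed -e 's/[[:space:]]*#.*$//' -e 's/^["'"'"']//' -e 's/["'"'"']$//'
}

# by2_value KEY FILE: value of KEY=value on the first "output database:" line.
by2_value() {
  grep '^output database:' "$2" | head -n 1 | tr ' ,' '\n\n' \
    | sed -n "s/^$1=//p" | head -n 1
}

# check_feed DATABASE_YML BARNYARD2_CONF: return 0 when user, password,
# database and host agree; otherwise print each mismatch and return 1.
check_feed() {
  rc=0
  for pair in username=user password=password database=dbname host=host; do
    ykey=${pair%%=*}   # key name in database.yml
    bkey=${pair#*=}    # key name on the barnyard2 output line
    yv=$(yml_value "$ykey" "$1")
    bv=$(by2_value "$bkey" "$2")
    if [ "$yv" != "$bv" ]; then
      echo "mismatch: $ykey in database.yml is '$yv', $bkey in barnyard2.conf is '$bv'"
      if [ "$ykey" = host ]; then
        echo "  (MySQL matches grants per client host: 'localhost' is the Unix socket," \
             "127.0.0.1 is TCP; grant both hosts or use the same value in both files)"
      fi
      rc=1
    fi
  done
  return $rc
}

# Stand-alone usage: sh check_feed.sh snorby/config/database.yml /etc/snort/barnyard2.conf
if [ "$#" -eq 2 ]; then
  check_feed "$1" "$2"
fi
```

Run against the two files exactly as shown in this guide, the script reports the host difference (127.0.0.1 versus localhost) and exits non-zero; once the two files agree, or the grants cover both hosts and you accept the difference, it exits 0.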

Snorby screenshot

27 thoughts on “Installing Snorby”

  1. Johnny Venter

    For clarification, if we have barnyard2 installed and use snorby, we should have entries in our barnyard2.conf such as:

    output database: log, mysql, user=snortuser password=secretpwd dbname=snort host=127.0.0.1

    ***AND***

    output database: log, mysql, user=snorby password=s3cr3t dbname=snorby host=localhost

    Thanks.

      1. Juan

        This part is confusing. Can you elaborate on what you mean by “…if you only want to use snorby”?

        Are you saying that if we want to use some other front-end in addition to Snorby, then barnyard2 should output to two databases (snort and snorby)?

        If we only want to use Snorby as the front-end, then should we use only the “snort” database for all 3 programs: Snort, Barnyard2 and Snorby? I had already created the “snort” database for Snort and Barnyard2. Therefore, can we keep the following in /etc/snort/barnyard2.conf?:

        output database: log, mysql, user=snort password=s3cr3t dbname=snort host=localhost

        But, when I run the following, I get the following error:

        # bundle exec rake snorby:setup
        ERROR 1007 (HY000) at line 1: Can’t create database ‘snort’; database exists
        rake aborted!
        Incorrect table definition; there can be only one auto column and it must be defined as a key
        Tasks: TOP => db:autoupgrade
        (See full trace by running task with --trace)

        When I go to http://sub.mydomain.com:3000, Snorby tries to read the `users` table, which does not exist in the `snort` database and therefore, it fails.

        I created the “snorby” database and changed config/database.yml to reference the `snorby` database. When I ran the following, I got a different response this time. It created tables for the `snorby` database. Most of them are identical to the tables in `snort` database, but each database has a few tables that the other one does not, such as the `users` table:

        # bundle exec rake snorby:setup
        ERROR 1007 (HY000) at line 1: Can’t create database ‘snorby’; database exists
        [datamapper] Finished auto_upgrade! for :default repository ‘snorby’
        [~] Adding `index_timestamp_cid_sid` index to the event table
        [~] Adding `index_caches_ran_at` index to the caches table
        [~] Adding `id` to the event table
        [~] Building `aggregated_events` database view
        [~] Building `events_with_join` database view
        * Removing old jobs
        * Starting the Snorby worker process.
        Jammit Warning: Asset compression disabled — Java unavailable.
        * Adding jobs to the queue

        I was able to sign in to Snorby at http://sub.mydomain.com:3000, because there is a `users` table in the `snorby` database. Does this mean, that we need two databases? `snort` and `snorby`?

        If so, then I need to have both of the following in /etc/snort/barnyard2.conf:

        output database: log, mysql, user=snort password=s3cr3t dbname=snort host=localhost
        output database: log, mysql, user=snorby password=s3cr3t dbname=snorby host=localhost

        …but I cannot restart barnyard2. I tried the following, but none of them worked:

        # barnyard2 stop
        # barnyard2 restart
        # service barnyard2 stop
        # /etc/init.d/barnyard2 stop

        How do I restart barnyard2?

  2. Roel

    Hi,

    After following your steps successfully I bump against the following error :

    [root@imgproxy] bundle exec rake snorby:setup
    rake aborted!
    undefined method `symbolize_keys' for nil:NilClass

    (See full trace by running task with --trace)

    Is that due to a missing gem or ?

  3. Gojko

    Same problem; I'm in the snorby folder as the root user.

    When I run the command bundle exec rake snorby:setup --trace...

    root@sistem-H67A-USB3-B3:/snorby# bundle exec rake snorby:setup --trace
    rake aborted!
    undefined method `symbolize_keys' for nil:NilClass
    /snorby/config/application.rb:39:in `'
    /snorby/config/application.rb:14:in `'
    /snorby/Rakefile:4:in `require'
    /snorby/Rakefile:4:in `'
    /var/lib/gems/1.9.1/gems/rake-0.9.2/lib/rake/rake_module.rb:25:in `load'
    /var/lib/gems/1.9.1/gems/rake-0.9.2/lib/rake/rake_module.rb:25:in `load_rakefile'
    /var/lib/gems/1.9.1/gems/rake-0.9.2/lib/rake/application.rb:495:in `raw_load_rakefile'
    /var/lib/gems/1.9.1/gems/rake-0.9.2/lib/rake/application.rb:78:in `block in load_rakefile'
    /var/lib/gems/1.9.1/gems/rake-0.9.2/lib/rake/application.rb:129:in `standard_exception_handling'
    /var/lib/gems/1.9.1/gems/rake-0.9.2/lib/rake/application.rb:77:in `load_rakefile'
    /var/lib/gems/1.9.1/gems/rake-0.9.2/lib/rake/application.rb:61:in `block in run'
    /var/lib/gems/1.9.1/gems/rake-0.9.2/lib/rake/application.rb:129:in `standard_exception_handling'
    /var/lib/gems/1.9.1/gems/rake-0.9.2/lib/rake/application.rb:59:in `run'
    /var/lib/gems/1.9.1/gems/rake-0.9.2/bin/rake:32:in `'
    /usr/local/bin/rake:23:in `load'
    /usr/local/bin/rake:23:in `'

  4. Sam

    Problems installing gem install rails:
    root@Sensorstar-XPS:/tmp/ruby-2.0.0-p247# gem install rails
    ERROR: Loading command: install (LoadError)
    cannot load such file -- openssl
    ERROR: While executing gem ... (NoMethodError)
    undefined method `invoke_with_build_args' for nil:NilClass
    root@Sensorstar-XPS:/tmp/ruby-2.0.0-p247# gem update
    ERROR: Loading command: update (LoadError)
    cannot load such file -- openssl
    ERROR: While executing gem ... (NoMethodError)
    undefined method `invoke_with_build_args' for nil:NilClass

      1. Sam

        Hi, thanks for your reply. I am new to Ruby, and was following the compilation steps provided in another Snorby installation “cheat-sheet”
        (https://www.corelan.be/index.php/2011/02/27/cheat-sheet-installing-snorby-2-2-with-apache2-and-suricata-with-barnyard2-on-ubuntu-10-x/).

        So I was not expecting there to be missing components, and at present, am looking how to remedy this. The steps I followed in the cheat-sheet are below:
        ============================================
        Installing Ruby 1.9.2p0
        cd /tmp
        wget http://ftp.ruby-lang.org//pub/ruby/1.9/ruby-1.9.2-p0.tar.gz
        tar -xvzf ruby-1.9.2-p0.tar.gz
        cd ruby-1.9.2-p0
        ./configure
        make && make install
        ln -s /usr/local/ruby/bin/bundle /usr/bin
        Run “ruby -v” and verify that it returns the correct version:
        ruby 1.9.2p0 (2010-08-18 revision 29036) [i686-linux]
        Install Gems:
        1. gem install thor i18n bundler
        2. gem install tzinfo builder memcache-client rack rack-test erubis mail text-format
        3. gem install rack-mount --version=0.4.0
        4. gem install rails sqlite3-ruby
        =====================================================================
        Results follow:
        =====================================================================
        Gem component install step 2 complained it needed an earlier version of Ruby:
        sudo gem install tzinfo builder memcache-client rack rack-test erubis mail text-format
        ERROR: Error installing text-format:
        text-hyphen requires Ruby version = 1.9.3.
        Building native extensions. This could take a while…
        ERROR: Error installing sqlite3-ruby:
        ERROR: Failed to build gem native extension.
        /usr/local/bin/ruby extconf.rb
        checking for sqlite3.h… no
        sqlite3.h is missing. Try ‘port install sqlite3 +universal’
        or ‘yum install sqlite-devel’ and check your shared library search path (the
        location where your sqlite3 shared library is located).
        ====================================================================
        I ignored the one needing the earlier version of Ruby but went and installed the latest Ruby-2.0.0-p247, substituting Ruby-2.0.0-p247 for ruby-1.9.2 in the above installation steps, and re-attempted to install the same gems per the same steps. After that, I got different install errors, similar to the ones I experienced in this tutorial. Then I re-installed Ruby 1.9.2 and I installed yum and attempted the ‘yum install sqlite-devel’ but got other errors shown below:
        ======================================================================
        yum install sqlite-devel
        There are no enabled repos.
        Run “yum repolist all” to see the repos you have.
        You can enable repos with yum-config-manager --enable
        /tmp/ruby-1.9.2-p0# yum repolist all
        repolist: 0
        /tmp/ruby-1.9.2-p0# pcmanfm&
        [1] 15046
        /tmp/ruby-1.9.2-p0#
        ** (emacs24:15186): WARNING **: Couldn’t connect to accessibility bus: Failed to connect to socket /tmp/dbus-K3OJJASHQf: Connection refused
        Gtk-Message: (for origin information, set GTK_DEBUG): failed to retrieve property `GtkRange::activate-slider’ of type `gboolean’ from rc file value “((GString*) 0x7f3118a322c0)” of type `GString’
        ==========================================================================
        After all that, I went looking for another install tutorial, and found yours, and attempted to follow the gem install steps having Ruby-2.0.0-p247 re-installed, and got the errors I reported in my reply to this tutorial.
        So, at this point, in the short term I am looking for quick tips on getting the Ruby gems needed for installing Snorby, and in the long term I am looking to gain proficiency in Ruby programming.

        Thanks
        Sam

  5. Victor

    I have followed all of your posts in this series, but I still don't see any events in Snorby.

    Snort is running; I have checked its process.

    I have checked the files in /var/log/snort/ and they seem to be fine: I have several merged.log files, an alert file and several tcpdump.log files.

    Barnyard2 starts OK, the process is running, but after several minutes I check syslog and it says that it can't find the barnyard2.waldo file. I create a blank one and start it again, and syslog says:

    Barnyard2 initialization completed successfully (pid=25211)
    ignoring corrupt/truncated waldo file /var/log/snort/barnyard2.waldo
    ERROR: unable to open directory ” (no such file or directory)
    ERROR: unable to find the next spool file!

    Then it shows a list of records, each of them with a 0 next to them.

    And I can't start barnyard2 as a normal command; I run it like a script (e.g. ./barnyard2 -c ....) from the barnyard2-installation/bin/ folder.

    I am also doing this on an Ubuntu Server 12.04.

    Any ideas on why this is happening?

    1. Evan

      Remove the .waldo file if you created it. Make sure the /var/log/snort is -rw by the snort user. Also make sure you only have one output in barnyard2.conf which is:

      output database: log, mysql, user=yoursnorbyuser password=yoursnorbypasswod dbname=snorby host=localhost

      I run barnyard2 like:
      ./barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f merged.log -w /var/log/snort/barnyard2.waldo.

      1. Juan

        Hi Evan,

        No data appears in the Snorby Dashboard, pages or tabs for me as well.

        I have the following permission for /var/log/snort

        drwxr-s--- 2 snort adm 4096 Apr 4 18:02 snort

        I have one output in barnyard2.conf which is:

        output database: log, mysql, user=yoursnorbyuser password=yoursnorbypasswod dbname=snorby host=127.0.0.1

        The size of the `snorby` database in MySQL is now 4.4 MB.

        I run barnyard2 with:
        barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f merged.log -w /var/log/snort/barnyard2.waldo

        I have the following in /usr/src/snorby/config/database.yml:

        snorby: &snorby
          adapter: mysql
          username: yoursnorbyuser
          password: yoursnorbypasswod
          host: localhost

        development:
          database: snorby
          <<: *snorby

        test:
          database: snorby
          <<: *snorby

        production:
          database: snorby
          <<: *snorby

        I have no alert file, one merged.log file and several tcpdump.log files in /var/log/snort/

        What am I doing wrong?

  6. aziz

    Dear Thomas,
    I have configured Snort, Snorby and Barnyard2 on Lubuntu 12.10. I have followed all the procedures you suggested, but Barnyard2 cannot send events from Snort to the Snorby database.

  7. Nauseous

    The author said to read the previous article for the barnyard2 setup, which states the database name is SNORT, not SNORBY, so use the previous barnyard2 article's setup as he specified. On Snorby it DOES show SNORBY as the database, but he did say that it should be the SNORT database, NOT the SNORBY database, in the previous article when he said to use the previously configured setting, which is the SNORT database, NOT SNORBY.

    Nothing in this article shows that you should be using the SNORBY database, but using the previous article's settings doesn't work correctly per the author of this article.

    When you use the SNORBY database it only has three tables, which it creates on its own, so this will not function with barnyard2 as specified in the previous to current article.

    With the SNORBY database and using barnyard2, the database connection using the SNORBY database is NOT functioning.

    1. Thomas Elsen Post author

      In the chapter “Configuring Barnyard2 event feed” it's explained how to configure barnyard2 to send an extra feed of events to the SNORBY database. If you create that extra feed and restart barnyard2, it will feed the events to the SNORBY database as well. The HTTP GUI of Snorby should show them.

  8. Ray Dios Haque

    I bombed out on this step BIG TIME. I would get through one error and get three more. But it could just be the time that has lapsed since this was originally written, and all of the changes that have taken place since then. I was able to follow the install instructions from snorby.org (which weren’t all that different) and it went flawlessly.

  9. Avi

    When I try to run the setup I get an error with rake-0.9.2. Any ideas? I installed it.

    # sudo bundle exec rake snorby:setup
    No time_zone specified in snorby_config.yml; detected time_zone: US/Pacific-New
    60fa58ac588cb78172318d32cda1a42cdf118edaa9ea8855ddacc57f6878a0db9264ae5d4122b52ed13292aa06dc4cb00c5fba366ca579f5f2f9ef18c88cdcec
    ERROR 1007 (HY000) at line 1: Can’t create database ‘snorby’; database exists
    [datamapper] Finished auto_upgrade! for :default repository ‘snorby’
    * Removing old jobs
    * Starting the Snorby worker process.
    /var/lib/gems/1.9.1/gems/bundler-1.6.2/lib/bundler/spec_set.rb:92:in `materialize': Could not find rake-0.9.2 in any of the sources (Bundler::GemNotFound)
    from /var/lib/gems/1.9.1/gems/bundler-1.6.2/lib/bundler/spec_set.rb:85:in `map!’
    from /var/lib/gems/1.9.1/gems/bundler-1.6.2/lib/bundler/spec_set.rb:85:in `materialize’
    from /var/lib/gems/1.9.1/gems/bundler-1.6.2/lib/bundler/definition.rb:133:in `specs’
    from /var/lib/gems/1.9.1/gems/bundler-1.6.2/lib/bundler/definition.rb:178:in `specs_for’
    from /var/lib/gems/1.9.1/gems/bundler-1.6.2/lib/bundler/definition.rb:167:in `requested_specs’
    from /var/lib/gems/1.9.1/gems/bundler-1.6.2/lib/bundler/environment.rb:18:in `requested_specs’
    from /var/lib/gems/1.9.1/gems/bundler-1.6.2/lib/bundler/runtime.rb:13:in `setup’
    from /var/lib/gems/1.9.1/gems/bundler-1.6.2/lib/bundler.rb:120:in `setup’
    from /var/lib/gems/1.9.1/gems/bundler-1.6.2/lib/bundler/setup.rb:17
    [X] Error: Unable to start the Snorby worker process.

    1. hernani

      The problem is gone, but I have another question: the console where I run Snorby shows me this warning

      [2014-06-19 22:28:44] WARN Could not determine content-length of response body. Set content-length of the response or set Response#chunked = true

      thanks

      hernani

  10. hernani

    I found a solution for these errors on Google, but I have another error for which I found no solution on Google.

    Here is the error --> Routing Error: uninitialized constant BaseuriController

    can you help me with this error??

    thanks
    hernani

  11. renpoo

    Hi! First time here.
    I have a question about executing Snorby with this command.
    > MyMachine:snorby renpoo$ sudo bundle exec rake snorby::setup --trace
    > rake aborted!
    > undefined method `symbolize_keys' for nil:NilClass

    Traced flow is like below.
    > /Users/renpoo/src/snorby/config/application.rb:39:in `'
    > /Users/renpoo/src/snorby/config/application.rb:14:in `'
    > /Users/renpoo/src/snorby/Rakefile:4:in `require'
    > /Users/renpoo/src/snorby/Rakefile:4:in `'
    > /Users/renpoo/src/snorby/vendor/bundle/ruby/1.9.1/gems/rake-0.9.2/lib/rake/rake_module.rb:25:in `load'
    > /Users/renpoo/src/snorby/vendor/bundle/ruby/1.9.1/gems/rake-0.9.2/lib/rake/rake_module.rb:25:in `load_rakefile'
    > /Users/renpoo/src/snorby/vendor/bundle/ruby/1.9.1/gems/rake-0.9.2/lib/rake/application.rb:495:in `raw_load_rakefile'
    > /Users/renpoo/src/snorby/vendor/bundle/ruby/1.9.1/gems/rake-0.9.2/lib/rake/application.rb:78:in `block in load_rakefile'
    > /Users/renpoo/src/snorby/vendor/bundle/ruby/1.9.1/gems/rake-0.9.2/lib/rake/application.rb:129:in `standard_exception_handling'
    > /Users/renpoo/src/snorby/vendor/bundle/ruby/1.9.1/gems/rake-0.9.2/lib/rake/application.rb:77:in `load_rakefile'
    > /Users/renpoo/src/snorby/vendor/bundle/ruby/1.9.1/gems/rake-0.9.2/lib/rake/application.rb:61:in `block in run'
    > /Users/renpoo/src/snorby/vendor/bundle/ruby/1.9.1/gems/rake-0.9.2/lib/rake/application.rb:129:in `standard_exception_handling'
    > /Users/renpoo/src/snorby/vendor/bundle/ruby/1.9.1/gems/rake-0.9.2/lib/rake/application.rb:59:in `run'
    > /Users/renpoo/src/snorby/vendor/bundle/ruby/1.9.1/gems/rake-0.9.2/bin/rake:32:in `'
    > /Users/renpoo/src/snorby/vendor/bundle/ruby/1.9.1/bin/rake:23:in `load'
    > /Users/renpoo/src/snorby/vendor/bundle/ruby/1.9.1/bin/rake:23:in `'

    I've read some of the posts above, but failed with
    > sudo RAILS_ENV=production bundle exec rake --trace snorby::setup
    since it reproduced the same error, “undefined method `symbolize_keys' for nil:NilClass”.

    What can I do at this kind of situation?
    Could you help me?
    Thanks in advance.

