How to install Snorby for Snort

In this post I'm going to detail my experience with installing Snorby, a GUI for Snort. I first jumped into installing Snorby (having Snort installed) thinking that was it, but it turned out that several other pieces of software were required for a Snorby-Snort system to work properly. I managed to do this by following other tutorials (which can be found at the end of the post), but I have added the errors I stumbled upon along the way.

Software needed

  • Webserver related (apache2, php5, mysql-server)
  • Snort
  • Pulledpork
  • Barnyard2
  • Snorby

Operating system

I have run into several problems related to operating system version and architecture. I tried solving them, but every time something new would pop up. I managed to install everything I needed on Ubuntu Server 12.04.3 (the latest) 32-bit version on a VirtualBox machine, and everything went fine from there (after trying Debian 7 32- and 64-bit and Ubuntu desktop 64-bit, and wasting a lot of hours).

I'm going to start by showing how I installed each of them, presuming that you already have a webserver set up. If not, just run the following command to install everything that's necessary:

 apt-get install apache2 php5 php5-mysql mysql-server phpmyadmin

Installing Snort

apt-get install snort
nano /etc/snort/snort.conf

Look for the lines starting with "output" and add the following next to them (be sure to comment out any similar line, but it's probably already commented):
output unified2: filename merged.log, limit 128

Now reboot

reboot

After rebooting, verify that snort has already started (ps -ef | grep snort). If not, start it manually:

/etc/init.d/snort start

Check whether there are any merged.log files in the log directory (they will probably be named something like merged.log.13800088312, so the wildcard is needed):

ls /var/log/snort/merged.log*

If it's there, everything is ok; if not, check the latest lines in /var/log/syslog and see if you can relate them to anything or if something is "googleable".

Installing PulledPork

Install prerequisites

apt-get install libcrypt-ssleay-perl liblwp-protocol-https-perl

Get the script from the official source, place it in the proper directory and set the proper permissions so that it is executable:

cd /usr/local/bin && wget http://pulledpork.googlecode.com/svn/trunk/pulledpork.pl

chmod 755 pulledpork.pl

Generate yourself an oinkcode from the Snort website after creating an account:

https://snort.org/account/oinkcode

Create the configuration folder, then download and modify the configuration file to suit your needs. You can get my version (the first one), where you simply add your oinkcode and change the version if necessary, or you can get the default configuration file (if you want to read everything and have to add/uncomment lines yourself):

mkdir /etc/pulledpork && cd /etc/pulledpork

wget -O pulledpork.conf http://pastebin.com/raw.php?i=D0xf2SQw

wget http://pulledpork.googlecode.com/svn-history/r254/trunk/etc/pulledpork.conf

Modify the Snort configuration file

nano /etc/snort/snort.conf

Look for the line (ctrl+w and then type it) "dynamicdetection directory /usr/lib/snort_dynamicrules" (without quotes) and uncomment it. Now create the appropriate folder (mkdir /usr/lib/snort_dynamicrules). Then add the following line; it doesn't matter where, but it's best to put it between the lines starting with "portvar", after the one with HTTP_PORTS:

portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143]

Save the file (ctrl+x, enter). Now we have to remove the old "include rule" lines and add the new ones. Note the single quotes: with double quotes the shell would expand $RULE_PATH to an empty string before the line reaches snort.conf.

sed -i '/^include $RULE_PATH/d' /etc/snort/snort.conf

echo 'include $RULE_PATH/snort.rules' >> /etc/snort/snort.conf

echo 'include $RULE_PATH/local.rules' >> /etc/snort/snort.conf

Delete the current rules so that pulledpork will download the new ones. Read the paragraph after the command before issuing it.

rm /etc/snort/rules/*.rules

When I did this, barnyard2 complained about not finding the local.rules file. I just created a blank one and left it like that. You can do the same, or you can choose not to delete it in the first place.

touch /etc/snort/rules/local.rules
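The include rewrite above is easy to get wrong (a double-quoted $RULE_PATH is expanded by the shell to nothing, and running the echo lines twice leaves duplicate includes). The script below is an added example, not part of the original post: it does the same edit on whatever file path it is given, keeps a backup, is safe to re-run, and exposes a count you can check before restarting Snort. The sample snort.conf fragment it builds is constructed for a dry run.

```shell
#!/bin/sh
# Added example (not from the original post): replace the rule includes in
# snort.conf the way the post does, but with a backup, idempotently, and
# with a check afterwards. It works on whatever path it is given, so it can
# be tried on a copy before touching /etc/snort/snort.conf.

rewrite_rule_includes() {
    conf="$1"
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }
    cp "$conf" "$conf.bak"      # keep the old config in case Snort rejects the new one
    # Delete every existing "include $RULE_PATH/..." line. The pattern is in
    # single quotes, so the shell leaves $RULE_PATH alone; Snort expands it.
    sed -i '/^include \$RULE_PATH\//d' "$conf"
    # Append the two includes PulledPork needs, each exactly once
    # (-x: whole line, -F: fixed string, so the $ is not a regex anchor).
    for rules in snort.rules local.rules; do
        grep -qxF "include \$RULE_PATH/$rules" "$conf" ||
            printf 'include $RULE_PATH/%s\n' "$rules" >> "$conf"
    done
}

# Number of rule includes left in the file; should be exactly 2 afterwards.
count_rule_includes() {
    grep -cF 'include $RULE_PATH/' "$1"
}

# Constructed snort.conf fragment standing in for the real file (dry run only).
make_sample_conf() {
    f=$(mktemp)
    printf '%s\n' 'var RULE_PATH /etc/snort/rules' \
        'include $RULE_PATH/local.rules' \
        'include $RULE_PATH/web-attacks.rules' \
        'include classification.config' > "$f"
    echo "$f"
}
```

Run it as `f=$(make_sample_conf); rewrite_rule_includes "$f"; count_rule_includes "$f"` to see the result on the sample, then point it at the real file.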

Run pulledpork. I first got an error here. If you also get one, it's most likely because of the pulledpork.conf file, where the version might not be the one you are using.

pulledpork.pl -c /etc/pulledpork/pulledpork.conf

After each update like this, restart snort. If you get any errors, check /var/log/syslog to see what's happening. The first time it didn't work for me because I didn't have the local.rules file I mentioned earlier.

/etc/init.d/snort restart

Installing Barnyard2

We are going to build it from source, so we will need some tools and libraries:

apt-get install build-essential libtool autoconf git libpcap-dev libmysqld-dev libprelude-dev

Getting the latest version from git

git clone git://github.com/firnsy/barnyard2.git

Creating makefiles

cd barnyard2

./autogen.sh

./configure --with-mysql --with-mysql-libraries=/usr/lib/i386-linux-gnu --enable-prelude --prefix=$HOME/barnyard2-install

At the ./configure line I got an error saying "unable to find mysqlclient library". This is because you either don't have mysql installed or you haven't specified where to look for the library. For 64-bit servers the path would be "/usr/lib/x86_64-linux-gnu" and for 32-bit servers "/usr/lib/i386-linux-gnu". If you keep getting the same error even with the correct path, try locating where the files are with the next command. If you have LAMP installed (like I had), it would most likely find the library files from LAMP in /opt/, but I don't think that's what you really want.

 locate libmysqlclient

Start building

make

mkdir $HOME/barnyard2-install

make install

find $HOME/barnyard2-install

If you ran the command as root, the folder will be created in /root/. If you ran it as a normal user, it will be in your normal home folder (/home/user/). Now you should see several lines showing you the structure of the barnyard2-install folder. The executable can be found in barnyard2-install/bin/.

Create the database for barnyard2. I did this via phpmyadmin, but it can also be done via the command line. You can name it anything you want, but I opted for a name related to the process (snort). You can also create a new user that has all privileges over the new database. I didn't create a new one and used root. This may not be what you want in terms of security, but that is up to you.

Now get the script that will set up your database tables and run it against the newly created database. Replace <user> with your user (in my case it was root) and <DBNAME> with your newly created database (in my case, snort):

wget https://raw.github.com/firnsy/barnyard2/master/schemas/create_mysql

mysql -u <user> -p <DBNAME> < create_mysql

Create the config file for barnyard and adapt it to your installation:

cat > /etc/snort/barnyard2.conf << 'EOF'
config reference_file:      /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file:            /etc/snort/gen-msg.map
config sid_file:            /etc/snort/sid-msg.map
config logdir: /var/log/snort
config hostname:   ubuntuids
config interface:  eth0
config daemon
config waldo_file: /var/log/snort/barnyard2.waldo
input unified2
output database: log, mysql, user=<USERNAME> password=<PASSWORD> dbname=<DBNAME> host=127.0.0.1
# if you also want to forward alerts to syslog, uncomment the following 2 lines.
#output alert_syslog_full: sensor_name snortIds1-eth1, local
#output log_syslog_full: sensor_name snortIds1-eth1, local, log_priority LOG_CRIT
EOF

Run barnyard2. Remember that the executable is in the barnyard2-install/bin/ folder.

./barnyard2 -c /etc/snort/barnyard2.conf -f merged.log

At first you will see output for several seconds and then the script will exit. This is ok, because, as you can see above, it is configured to run as a daemon. Initially it worked for me: I could see the process running (ps -ef | grep barnyard2), but after a few minutes the process would disappear and I would get errors in my syslog saying that barnyard2.waldo can't be found. If this happens to you, you need to create the waldo file and adjust the run command:

touch /var/log/snort/barnyard2.waldo

chown root.root /var/log/snort/barnyard2.waldo

./barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f merged.log -w /var/log/snort/barnyard2.waldo

Installing Snorby

First get your prerequisites. Be careful with the ruby version you are installing, because that led me to countless errors. 1.9.3 is the one you want to use.

apt-get install imagemagick wkhtmltopdf ruby1.9.3 libyaml-dev libxml2-dev libxslt1-dev zlib1g-dev build-essential openssl libssl-dev libmysqlclient-dev libreadline6-dev

gem install rails --no-ri --no-rdoc && gem update

Get the latest Snorby version from git:

git clone http://github.com/Snorby/snorby.git

Install it:

cd snorby && bundle install

At this stage I encountered the errors I was talking about earlier. One example is with RedCloth. This was simply version dependent, and I barely figured it out.

After following the suggestions in the error (gem install RedCloth -v '4.2.9'), I got this:


The RedCloth issue was because I was using ruby 1.9.1.

Other errors:

  • "an error occurred while installing nokogiri 1.5.9". Solved it by installing:
    apt-get install libxslt-dev libxml2-dev
  • "an error occurred while installing do_mysql (0.10.12)". Solved it by installing:
    apt-get install libmysqlclient-dev

Create the necessary configuration files. You already have example files for them in the folder. The first one is database.yml (the example file is database.yml.example):

# Snorby Database Configuration
#
# Please set your database password/user below
# NOTE: Indentation is important.
#
snorby: &snorby
  adapter: mysql
  username: snorby
  password: "s3cr3t"
  host: 127.0.0.1 # or the IP of your database server

development:
  database: snorby
  <<: *snorby

production:  # the section "rails server -e production" reads
  database: snorby
  <<: *snorby

And the second is snorby_config.yml (the example file is snorby_config.yml.example):

production:
  domain: 'snorby.yourdomain.com' # can be changed to your domain
  wkhtmltopdf: /usr/bin/wkhtmltopdf # correct for Ubuntu 12.04
  ssl: false
  mailer_sender: 'snorby@yourdomain.com'  # can be changed 
  geoip_uri: "http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz"
  rules:
    - ""
  authentication_mode: database

As you can see in the config files, there is a new database name and a new user. Create them according to the files.
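The post runs barnyard2 as the MySQL root user (see the database section above) and then creates a separate account for Snorby here. As an added example that is not part of the original post, the script below emits the MySQL statements for one snorby database with two least-privilege accounts: one for barnyard2, assumed to need only SELECT, INSERT and UPDATE because it writes events into the schema that create_mysql already built, and one for the Snorby app, which runs migrations in rake snorby:setup and so gets all privileges, but only on that database. Database name, user names, passwords and host are placeholders passed in as arguments.

```shell
#!/bin/sh
# Added example (not from the original post): print the SQL that creates the
# Snorby database plus two separate, least-privilege accounts instead of
# handing root to barnyard2. Privilege sets are assumptions (see lead-in).
#   usage: snorby_db_sql DBNAME BY2_USER BY2_PASS SNORBY_USER SNORBY_PASS [HOST] | mysql -u root -p

# Double any single quote so a password containing ' cannot break the SQL literal.
sql_escape() {
    printf '%s' "$1" | sed "s/'/''/g"
}

snorby_db_sql() {
    db="$1"; by2_user="$2"; by2_pass=$(sql_escape "$3")
    web_user="$4"; web_pass=$(sql_escape "$5"); host="${6:-127.0.0.1}"
    cat <<EOF
CREATE DATABASE IF NOT EXISTS \`$db\` CHARACTER SET utf8;
-- barnyard2 ("output database: log, mysql ..."): stores events, never alters the schema
CREATE USER '$by2_user'@'$host' IDENTIFIED BY '$by2_pass';
GRANT SELECT, INSERT, UPDATE ON \`$db\`.* TO '$by2_user'@'$host';
-- Snorby web app: owns the schema (rake snorby:setup), but only inside its own database
CREATE USER '$web_user'@'$host' IDENTIFIED BY '$web_pass';
GRANT ALL PRIVILEGES ON \`$db\`.* TO '$web_user'@'$host';
FLUSH PRIVILEGES;
EOF
}
```

Put the barnyard2 account in the "output database:" line of barnyard2.conf and the Snorby account in database.yml; neither needs to be root.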

Finalize the installation and start the server:

bundle exec rake snorby:setup

bundle exec rails server -e production

The server should now be accessible on your machine on port 3000. The default login credentials are 'snorby@snorby.org' and 'snorby'.

localhost:3000

Now link barnyard2 with Snorby so that we can see the events and alerts in the GUI. Add the following line to your /etc/snort/barnyard2.conf file:

output database: log, mysql, user=snorby password=s3cr3t dbname=snorby host=localhost

After this I just rebooted my machine and started barnyard2 again. I logged in to Snorby (localhost:3000) and could see events popping up.


It took a while before I actually got this working and googled/solved all the errors. If it still doesn't work for you, check your log files (specifically /var/log/syslog). What you see in there is most likely going to get you started on fixing it. Anyway, I don't recommend anybody doing this. It's just too time consuming and causes too many headaches before it actually works (if it works). I recommend using an already deployed solution like EasyIDS.

Props for the base tutorial 

Resources

  • Nice tutorial. Well done…
    Interesting blog.

  • Your post was excellent.

    I initially started to deploy Snort-Snorby in CentOS and later, looking at your screenshot, I tried with Ubuntu Setup.

    It worked for me, but as everyone is aware, snorby is dead slow.

    Small fixes on your post:
    ===================

    1) While "Create the config file for barnyard and adapt it to your installation"

    -> remove EOF

    Since it showed error to me.

    2) While “apt-get install ruby1.9.3 rails imagemagick wkhtmltopdf”

    Do as follows to have a safe ruby1.9.3 installation, since while installing rails through apt-get, it installs ruby1.8 as a dependency of rails. This is ridiculous, because bundle takes ruby -v 1.8 as default.


    apt-get install imagemagick wkhtmltopdf ruby1.9.3 libyaml-dev libxml2-dev libxslt1-dev zlib1g-dev build-essential openssl libssl-dev libmysqlclient-dev libreadline6-dev

    then install rails through gem


    gem install rails --no-ri --no-rdoc && gem update

    After this start “bundle install”

    3) Some Extras:

    git proxy:
    git config --global http.proxy http://:

    gem proxy:
    gem --http-proxy=http://:

    4) I don't know why in between we have to create the snort database, at the end of the barnyard installation. It would be better to create it in the name of snorby, so that it could be used for snorby as well.