snort, barnyard2 and snorby: an open-source IDS/SIEM stack

Snorby

Snorby is a web front end for Snort. It lets you browse, search and classify the events and alerts that Snort produces (and that Barnyard2 loads into MySQL) from a browser.

Prerequisites
Snort installation
Barnyard installation

Snort Installation

# wget http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
# rpm -ivh epel-release-6-8.noarch.rpm

# wget http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm
# rpm -ivh rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm
# yum update -y

# yum -y groupinstall 'Development Tools'

# yum install wget make httpd gcc gcc-c++ nmap nbtscan mysql mysql-bench mysql-server mysql-devel php php-pear php-common php-gd gd php-cli php-mysql php-pear-Numbers-Roman php-pear-Numbers-Words php-pear-Image-Color php-pear-Image-Canvas php-pear-Image-Graph pcre pcre-devel mod_ssl libxml2 libxml2-devel glib2-devel libpcap libpcap-devel libdnet libdnet-devel yum-utils tcpdump flex bison byacc zlib zlib-devel libtool -y

Installing libpcap from source:

# wget http://www.tcpdump.org/release/libpcap-1.3.0.tar.gz
# tar -xvzf libpcap-1.3.0.tar.gz
# cd libpcap-1.3.0
# ./configure && make && make install
# ldconfig -v

Download and install DAQ (the data acquisition library Snort 2.9 requires). snort.org serves these downloads under numeric IDs, and wget saves the file under that ID unless told otherwise, hence the -O:

# wget http://www.snort.org/downloads/2103 -O daq-2.0.0.tar.gz
# tar -xvzf daq-2.0.0.tar.gz
# cd daq-2.0.0
# ./configure && make && make install
# ldconfig -v

Create snort user and group

# groupadd snort
# useradd -g snort snort -d /var/log/snort -s /sbin/nologin -c "SNORT_USER"

Download and install Snort:

# wget http://www.snort.org/downloads/2112 -O snort-2.9.4.tar.gz
# tar -xvzf snort-2.9.4.tar.gz
# cd snort-2.9.4
# ./configure --prefix=/usr/local/snort && make && make install

To make the symbolic link (symlink) for snort

# ln -s /usr/local/snort/bin/snort /usr/sbin/

You need to register before downloading snortrules:

https://www.snort.org/login

Once you have downloaded the rules snapshot (assuming it went to /downloads), extract it to /usr/local/src/snort:

# mkdir /usr/local/src/snort

# cd /downloads
# tar -xvzf snortrules-snapshot-2940.tar.gz -C /usr/local/src/snort/
# ls /usr/local/src/snort/
etc preproc_rules rules so_rules

Create the directory Snort logs to, and the symlinks that put it and the dynamic libraries where the rest of this guide expects them:

# mkdir -p /usr/local/snort/var/log
# chown snort:snort /usr/local/snort/var/log/

# ln -s /usr/local/snort/var/log /var/log/snort
# ln -s /usr/local/snort/lib/snort_dynamicpreprocessor /usr/local/lib/snort_dynamicpreprocessor
# ln -s /usr/local/snort/lib/snort_dynamicengine /usr/local/lib/snort_dynamicengine

Check that /var/log/snort really is the symlink. useradd above was given -d /var/log/snort, and on RHEL 6 it creates that home directory, in which case ln -s lands the link inside it as /var/log/snort/log. If that happened, remove the empty directory (rmdir /var/log/snort) and repeat the ln -s.

Create /usr/local/snort/etc and copy the configuration files shipped in the rules snapshot's etc/ directory (snort.conf, classification.config, reference.config, gen-msg.map, sid-msg.map and friends) into it:

# mkdir -p /usr/local/snort/etc
# cd /usr/local/src/snort
# cp etc/* /usr/local/snort/etc/
# chown -R snort:snort /usr/local/snort
# ln -s /usr/local/snort/etc /etc/snort

Troubleshooting:
Snort 2.9.4 MySQL schema missing?

Snort dropped its direct-to-database output in 2.9.3, so the schema files are no longer in the Snort tarball; Barnyard2 ships its own copy (schemas/create_mysql). We will not use that either: Snorby creates and manages its own database, and Barnyard2 writes into it.
Barnyard2 is a separate process that reads Snort's unified2 binary output and writes the events to MySQL, where a web front end can query them.

=======================================
Either comment out (or delete) the reputation preprocessor block in snort.conf, or keep it and create the (empty) white/black list files it references, as shown in the next step. Then configure the unified2 output plugin. The base filename you choose here is the one Barnyard2 must be told to read later (its -f option, LOG_FILE in /etc/sysconfig/barnyard2), so keep it consistent.

# vi /usr/local/snort/etc/snort.conf
preprocessor reputation: \
   memcap 500, \
   priority whitelist, \
   nested_ip inner, \
   whitelist $WHITE_LIST_PATH/white_list.rules, \
   blacklist $BLACK_LIST_PATH/black_list.rules

# Add this line
output unified2: filename snort.log, limit 128

=======================================

=======================================

# touch /usr/local/src/snort/rules/black_list.rules
# touch /usr/local/src/snort/rules/white_list.rules

Set Path to your rules files (this can be a relative path)
# vi /usr/local/snort/etc/snort.conf
# such as: c:\snort\rules
#var RULE_PATH ../rules
#var SO_RULE_PATH ../so_rules
#var PREPROC_RULE_PATH ../preproc_rules

var RULE_PATH /usr/local/src/snort/rules
var SO_RULE_PATH /usr/local/src/snort/so_rules
var PREPROC_RULE_PATH /usr/local/src/snort/preproc_rules
var WHITE_LIST_PATH /usr/local/src/snort/rules
var BLACK_LIST_PATH /usr/local/src/snort/rules
=======================================

Create Dynamicrules directory

# mkdir /usr/local/snort/lib/snort_dynamicrules
# ln -s /usr/local/snort/lib/snort_dynamicrules /usr/local/lib/snort_dynamicrules

Copy the precompiled shared-object rules that match your distribution, architecture and Snort version (here RHEL 6, x86_64, Snort 2.9.4.0). Check the architecture first:

# uname -a
Linux csbug 2.6.32-279.19.1.el6.x86_64 #1 SMP Wed Dec 19 07:05:20 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux

The x86_64 in the output means a 64-bit kernel, so use the x86-64 directory; the version directory must match snort -V exactly, or Snort refuses to load the libraries (see Troubleshooting 1 below):

# cp /usr/local/src/snort/so_rules/precompiled/RHEL-6-0/x86-64/2.9.4.0/* /usr/local/lib/snort_dynamicrules

Install the init script and sysconfig file shipped in the Snort source tree so Snort starts at boot (run this from the snort-2.9.4 source directory you built in):

# cp rpm/snortd /etc/init.d/
# chmod +x /etc/init.d/snortd
# chkconfig snortd on

# cp rpm/snort.sysconfig /etc/sysconfig/snort
# chown snort:snort /etc/sysconfig/snort

=======================================

# vi /etc/sysconfig/snort
# /etc/sysconfig/snort
# $Id: snort.sysconfig,v 1.8 2003/09/19 05:18:12 dwittenb Exp $

#### General Configuration

INTERFACE=eth0
CONF=/etc/snort/snort.conf
USER=snort
GROUP=snort
PASS_FIRST=0

#### Logging & Alerting

LOGDIR=/var/log/snort
ALERTMODE=fast
DUMP_APP=1
BINARY_LOG=1
NO_PACKET_LOG=0
PRINT_INTERFACE=0
=======================================

If the directory /var/log/snort does not exist on your system (it should, from the symlink above), create it as root with mode 700, so that only the snort user can read the captured packets and alerts:

# cd /var/log
# mkdir snort
# chmod 700 snort
# chown -R snort:snort snort*
# chmod -R 700 snort*

Add a few simple rules for testing. Use sids of 1000000 and above (the range reserved for local rules), give each one a rev, and make sure snort.conf still has its include $RULE_PATH/local.rules line, otherwise the file is never loaded. The UDP rule and the second ICMP rule fire on practically every packet, so remove them once the test is done:

# vi /usr/local/src/snort/rules/local.rules
alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:10000001; rev:1;)
alert tcp any any -> any 80 (msg:"TCP Check Rule"; sid:1000002; rev:1;)
alert udp any any -> any any (msg:"UDP Check Rule"; sid:1000003; rev:1;)
alert icmp any any <> any any (msg:"ICMP"; sid:1000004; rev:1;)
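Snort will load a local.rules file with duplicate or low-numbered sids without complaint, and the mistakes only surface later as colliding signature names in Snorby. The following checker is added here as an example and is not part of Snort or of the original post; it is a POSIX shell/awk linter that flags missing sids, sids below the local range (1000000 and up), duplicate sids, and rules without rev or msg. The rules at the end are constructed sample input, not a file from the page.

```sh
#!/bin/sh
# check_local_rules: lint a Snort local.rules file before loading it.
# Added example for this page (not Snort's own tooling). It flags rules with
# no sid, sids below 1000000 (the range reserved for local rules), duplicate
# sids, and rules without rev or msg. One finding per line; exit status 0 only
# when the file is clean.
check_local_rules() {
    awk '
        BEGIN { bad = 0 }
        /^[[:space:]]*#/ { next }        # comment line
        /^[[:space:]]*$/ { next }        # blank line
        {
            sid = ""; rev = ""; msg = ""
            if (match($0, /sid:[[:space:]]*[0-9]+/)) {
                sid = substr($0, RSTART, RLENGTH)
                sub(/sid:[[:space:]]*/, "", sid)
            }
            if (match($0, /rev:[[:space:]]*[0-9]+/)) rev = "y"
            if (match($0, /msg:[[:space:]]*"[^"]*"/)) msg = "y"
            if (sid == "") { print NR ": missing sid"; bad = 1; next }
            if (sid + 0 < 1000000) {
                print NR ": sid " sid " is below the local range (1000000+)"; bad = 1
            }
            if (sid in seen) {
                print NR ": duplicate sid " sid " (first seen on line " seen[sid] ")"; bad = 1
            } else {
                seen[sid] = NR
            }
            if (rev == "") { print NR ": sid " sid " has no rev"; bad = 1 }
            if (msg == "") { print NR ": sid " sid " has no msg"; bad = 1 }
        }
        END { exit bad }
    ' "$1"
}

# Constructed sample (not from the page): one clean rule, then three faulty ones.
sample=$(mktemp)
printf '%s\n' \
    '# test rules' \
    'alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:1000001; rev:1;)' \
    'alert tcp any any -> any 80 (msg:"TCP test"; sid:1000001; rev:1;)' \
    'alert udp any any -> any 53 (msg:"DNS"; sid:1000003;)' \
    'alert tcp any any -> any 22 (sid:22; rev:1;)' > "$sample"
check_local_rules "$sample" || echo "fix local.rules before restarting snort"
rm -f "$sample"
```

Run it as check_local_rules /usr/local/src/snort/rules/local.rules before every snort -T; a non-zero exit means the file needs fixing, and the line numbers refer to the file as written (comments and blank lines included).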

Validate the configuration (-T parses everything and exits):

# snort -T -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort

The last lines should read "Snort successfully validated the configuration!". Note that -T only validates; nothing is left running afterwards:

# ps aux | grep -i "snort"
root 480 0.0 0.0 103244 812 pts/1 S+ 16:05 0:00 grep -i snort
root 32128 0.0 0.1 119240 1740 pts/0 S+ 12:29 0:00 vi /usr/local/snort/etc/snort.conf

To see the test rules fire, run Snort in the foreground with alerts on the console (same command without -T):

# snort -c /etc/snort/snort.conf -A console -q -i eth0 -u snort -g snort -l /var/log/snort

Ping the sensor's management IP address from another machine. Alerts should be printed to the console like this:
01/04-15:16:40.016554 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.208.120 -> 192.168.208.124
01/04-15:16:40.016561 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.208.124 -> 192.168.208.120
01/04-15:16:40.542349 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {IPV6-ICMP} fe80::84d2:9d77:3872:3f10 -> ff02::1:ff48:5d5b
01/04-15:16:40.542654 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {IPV6-ICMP} fe80::c809:97e1:148:5d5b -> ff02::1:ff72:3f10
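Before Barnyard2 and Snorby are in place, the console output above is all you have, and on a busy interface it scrolls past too fast to read. The script below is an added example (not part of Snort or of the original post) that summarises fast-format alert lines of exactly this shape: it assumes "[**]" is the second whitespace-separated field, the "[gid:sid:rev]" triple the third, and "{PROTO} src -> dst" the last four fields, which is what Snort's fast/console alert mode prints. The sample lines at the end are constructed from the ICMP output above plus two TCP hits.

```sh
#!/bin/sh
# Summarise Snort fast/console alert lines of the form
#   <date>-<time> [**] [gid:sid:rev] <msg> [**] [Priority: n] {PROTO} src -> dst
# Added example for this page, not part of Snort. Assumes exactly that layout:
# "[**]" as the 2nd field, the signature id as the 3rd, and
# "{PROTO} src -> dst" as the last four fields.

# Hits per signature: "gid:sid:rev<TAB>msg<TAB>count", most frequent first.
alerts_by_sig() {
    awk '
        $2 == "[**]" && $3 ~ /^\[[0-9]+:[0-9]+:[0-9]+\]$/ {
            sig = substr($3, 2, length($3) - 2)
            msg = ""
            # the message is every field between the two "[**]" markers
            for (i = 4; i <= NF && $i != "[**]"; i++)
                msg = msg (msg == "" ? "" : " ") $i
            n[sig "\t" msg]++
        }
        END { for (k in n) printf "%s\t%d\n", k, n[k] }
    ' "$1" | sort -t "$(printf '\t')" -k3,3nr
}

# Hits per source host: "src<TAB>count", most frequent first. TCP/UDP alerts
# carry a ":port" suffix on the address; it is stripped so counts group by host.
alerts_by_src() {
    awk '
        $2 == "[**]" && $(NF-1) == "->" {
            src = $(NF-2); proto = $(NF-3)
            if (proto == "{TCP}" || proto == "{UDP}") sub(/:[0-9]+$/, "", src)
            n[src]++
        }
        END { for (s in n) printf "%s\t%d\n", s, n[s] }
    ' "$1" | sort -t "$(printf '\t')" -k2,2nr
}

# Constructed sample: the four ICMP alerts from the test above plus two TCP hits.
sample=$(mktemp)
cat > "$sample" <<'EOF'
01/04-15:16:40.016554 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.208.120 -> 192.168.208.124
01/04-15:16:40.016561 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.208.124 -> 192.168.208.120
01/04-15:16:40.542349 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {IPV6-ICMP} fe80::84d2:9d77:3872:3f10 -> ff02::1:ff48:5d5b
01/04-15:16:40.542654 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {IPV6-ICMP} fe80::c809:97e1:148:5d5b -> ff02::1:ff72:3f10
01/04-15:17:02.100000 [**] [1:1000002:1] TCP Check Rule [**] [Priority: 0] {TCP} 192.168.208.120:51234 -> 192.168.208.124:80
01/04-15:17:02.200000 [**] [1:1000002:1] TCP Check Rule [**] [Priority: 0] {TCP} 192.168.208.120:51235 -> 192.168.208.124:80
EOF
alerts_by_sig "$sample"
alerts_by_src "$sample"
rm -f "$sample"
```

Point either function at /var/log/snort/alert when Snort runs with -A fast, or at a file you captured from the console. Grouping by source host rather than by socket is what makes a single noisy scanner stand out from the port churn it generates.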

Dump the stub rules. Run Snort with the --dump-dynamic-rules option to generate the stub rule files for the shared-object rules:

# snort -c /usr/local/snort/etc/snort.conf --dump-dynamic-rules=/usr/local/src/snort/so_rules

You should see a message at the end of the Snort output that says "Finished dumping dynamic rules."
At this point /usr/local/src/snort/so_rules should contain a set of .rules files, verifying that the stubs were generated:

# ls -al /usr/local/src/snort/so_rules/

=======================================
Now enable all the dynamic, decoder and preprocessor rules in /usr/local/snort/etc/snort.conf :

# vi /usr/local/snort/etc/snort.conf

# decoder and preprocessor event rules
include $PREPROC_RULE_PATH/preprocessor.rules
include $PREPROC_RULE_PATH/decoder.rules
include $PREPROC_RULE_PATH/sensitive-data.rules

# dynamic library rules
include $SO_RULE_PATH/bad-traffic.rules
include $SO_RULE_PATH/chat.rules
include $SO_RULE_PATH/dos.rules
include $SO_RULE_PATH/exploit.rules
include $SO_RULE_PATH/icmp.rules
include $SO_RULE_PATH/imap.rules
include $SO_RULE_PATH/misc.rules
include $SO_RULE_PATH/multimedia.rules
include $SO_RULE_PATH/netbios.rules
include $SO_RULE_PATH/nntp.rules
include $SO_RULE_PATH/p2p.rules
include $SO_RULE_PATH/smtp.rules
include $SO_RULE_PATH/snmp.rules
include $SO_RULE_PATH/specific-threats.rules
include $SO_RULE_PATH/web-activex.rules
include $SO_RULE_PATH/web-client.rules
include $SO_RULE_PATH/web-iis.rules
include $SO_RULE_PATH/web-misc.rules

===================================================================================================
Once dynamic rules are enabled Output should be similar to:

# snort -c /usr/local/snort/etc/snort.conf --dump-dynamic-rules=/usr/local/src/snort/so_rules/
Running in Rule Dump mode

--== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file “/usr/local/snort/etc/snort.conf”
Finished dumping dynamic rules.
Snort exiting

===================================================================================================

Test the snort configuration to ensure no errors

# snort -c /etc/snort/snort.conf -A console -T -i eth0 -u snort -g snort -l /var/log/snort

Last lines should be similar to:
Snort successfully validated the configuration!
Snort exiting

Now we can start Snort for eth0:

# snort -c /usr/local/snort/etc/snort.conf -A console -q -u snort -g snort -i eth0

Start Snort as daemon

# snort -c /usr/local/snort/etc/snort.conf -i eth0 -D

============================
The rpm/snortd copied earlier is the full-featured script. If you prefer a minimal one, create the following as /etc/init.d/snortd instead; it runs Snort as a daemon on the interface set in INTERFACE:

# vi /etc/init.d/snortd
#!/bin/sh
#
# snortd Start/Stop the snort IDS daemon.
#
# chkconfig: 2345 40 60
# description: snort is a lightweight network intrusion detection tool that
# currently detects more than 1100 host and network
# vulnerabilities, portscans, backdoors, and more.
#
# June 10, 2000 - Dave Wreski
# - initial version
#
# July 08, 2000 Dave Wreski
# - added snort user/group
# - support for 1.6.2

# Source function library.
. /etc/rc.d/init.d/functions

# Specify your network interface here
INTERFACE=eth0

# See how we were called.
case "$1" in
start)
    echo -n "Starting snort: "
    /usr/sbin/snort -q -u snort -g snort -c /usr/local/snort/etc/snort.conf -i $INTERFACE -D
    touch /var/lock/subsys/snort
    echo
    ;;
stop)
    echo -n "Stopping snort: "
    killproc snort
    rm -f /var/lock/subsys/snort
    echo
    ;;
restart)
    $0 stop
    $0 start
    ;;
status)
    status snort
    ;;
*)
    echo "Usage: $0 {start|stop|restart|status}"
    exit 1
esac

exit 0

========================================

Make sure the variables in /etc/sysconfig/snort match this layout:

# vi /etc/sysconfig/snort
### General Configuration

INTERFACE=eth0
CONF=/usr/local/snort/etc/snort.conf
USER=snort
GROUP=snort
PASS_FIRST=0

#### Logging & Alerting
LOGDIR=/var/log/snort/

ALERTMODE=fast
DUMP_APP=1
BINARY_LOG=1
NO_PACKET_LOG=0
PRINT_INTERFACE=0
========================================

Snort installation completed. Now that Snort writes its events in unified2 binary format, we need Barnyard2: a separate process that reads those files and loads the events into MySQL, where a web front end such as Snorby can query them. Check the build first:

# snort -V

,,_ -*> Snort! < *-
o" )~ Version 2.9.4 GRE (Build 40)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
Copyright (C) 1998-2012 Sourcefire, Inc., et al.
Using libpcap version 1.0.0
Using PCRE version: 7.8 2008-09-05
Using ZLIB version: 1.2.3

Note the libpcap line: this binary linked against the distribution's libpcap 1.0.0, not the 1.3.0 built from source into /usr/local/lib. Snort works either way, but if you built the newer library on purpose, re-run ./configure with --with-libpcap-includes=/usr/local/include --with-libpcap-libraries=/usr/local/lib (and make sure ldconfig knows /usr/local/lib) so that snort -V reports it.

Troubleshooting 1:
# snort -c /usr/local/snort/etc/snort.conf --dump-dynamic-rules=/usr/local/src/snort/so_rules
ERROR: The dynamic detection library "/usr/local/lib/snort_dynamicrules/chat.so" version 1.0 compiled with dynamic engine library version 1.15 isn't compatible with the current dynamic engine library "/usr/local/lib/snort_dynamicengine/libsf_engine.so" version 1.17.
Fatal Error, Quitting..

Solution 1:
The precompiled .so files in /usr/local/lib/snort_dynamicrules were built for a different Snort release than the one running. The proper fix is to copy the precompiled set whose directory matches snort -V exactly (here so_rules/precompiled/RHEL-6-0/x86-64/2.9.4.0/) and dump the stubs again. If you do not need the shared-object rules at all, you can instead comment out the line similar to the following in snort.conf, which disables them entirely:
# path to dynamic rules libraries
#dynamicdetection directory /usr/local/lib/snort_dynamicrules

=============================================================================================
Barnyard Installation

# cd /usr/local/src/snort
# git clone https://github.com/firnsy/barnyard2.git barnyard2
# cd barnyard2/
# ./autogen.sh
# ./configure --with-mysql --with-mysql-libraries=/usr/lib64/mysql
# make && make install

OPTIONAL:

Creating the tables in a Snort database

Because Snorby is the front end here, and rake snorby:setup creates the snorby database itself, Barnyard2's own MySQL schema is not needed. If you are going to use another front end such as BASE, Aanval or Sguil instead, create the database and load Barnyard2's schema as follows.

The file schemas/create_mysql in the Barnyard2 source tree is a listing of the SQL statements that create the tables. Using the shell's "<" redirection we can tell the mysql client to read and run the statements in that file.

# ls /usr/local/src/snort/barnyard2/schemas/create_mysql

So, to create the Snort database and its tables (the database must exist before -D can select it):

# mysql -u root -p -e "CREATE DATABASE snort"
# mysql -D snort -u root -p < /usr/local/src/snort/barnyard2/schemas/create_mysql
Enter the root password when prompted.
Now if you log in to MySQL you can look at the tables to check that everything worked.

# mysql -u root -p
mysql> use snort;
mysql> show tables;
mysql> exit

=============================================================================================

# cp rpm/barnyard2 /etc/init.d/
# chmod +x /etc/init.d/barnyard2
# cp rpm/barnyard2.config /etc/sysconfig/barnyard2
# chkconfig barnyard2 on

# mkdir /var/log/barnyard2
# chown snort:snort /var/log/barnyard2
# chmod 750 /var/log/barnyard2
# touch /var/log/snort/barnyard2.waldo
# chown snort:snort /var/log/snort/barnyard2.waldo

(A mode of 666 is sometimes suggested for /var/log/barnyard2; it is wrong for a directory, since without the execute bit nothing can be created inside it, and a world-writable alert log directory is not something a sensor should have. Give the directory to the account Barnyard2 runs as and keep it unreadable to others.)

Interface snort should listen on:

# ifconfig -a | grep encap |grep -v lo
eth0 Link encap:Ethernet HWaddr 8C:89:A5:F4:26:BF

===============================

Adjust the chkconfig priorities so barnyard2 starts after snortd (snortd uses 40 60 above), and change -L to -l on the BARNYARD_OPTS= line of the barnyard2 startup script:

# vi /etc/init.d/barnyard2

# chkconfig: 2345 70 60

BARNYARD_OPTS="-D -c $CONF -d $SNORTDIR/${INT} -w $WALDO_FILE -l $SNORTDIR/${INT} -a $ARCHIVEDIR -f $LOG_FILE -X $PIDFILE $EXTRA_ARGS"

Note that this script expects the spool directory to be $SNORTDIR/$INT, i.e. /var/log/snort/eth0, whereas Snort as started above writes straight into /var/log/snort (its -l). Either give Snort -l /var/log/snort/eth0 or change both $SNORTDIR/${INT} here to $SNORTDIR; Barnyard2 waits silently on a spool directory that never receives a file.

===============================


# vi /etc/sysconfig/barnyard2
# Config file for /etc/init.d/barnyard2
# Must match the "filename" of the unified2 output line in snort.conf
LOG_FILE="snort.log"

# You probably don't want to change this, but in case you do
SNORTDIR="/var/log/snort"
INTERFACES="eth0"

# Probably not this either
CONF=/usr/local/etc/barnyard2.conf

EXTRA_ARGS=""
===============================

Although Snort no longer uses the signature ID mapping file sid-msg.map, Barnyard2 does use it, and references it in the Barnyard2 configuration file.

# cp /usr/local/src/snort/etc/sid-msg.map /usr/local/snort/etc/

===============================

make install puts Barnyard2's configuration at /usr/local/etc/barnyard2.conf, the path the init script and the commands below use. Edit it:

# vi /usr/local/etc/barnyard2.conf
# set the appropriate paths to the file(s) your Snort process is using.
config reference_file: /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file: /etc/snort/gen-msg.map
config sid_file: /etc/snort/sid-msg.map

config logdir: /var/log/barnyard2

config hostname: localhost
config interface: eth0
# define the full waldo filepath.

config waldo_file: /var/log/snort/barnyard2.waldo

output database: log, mysql, user=root password=redhat dbname=snorby host=localhost

Two things about that last line. The snorby database does not exist until rake snorby:setup (in the Snorby section) has been run, so start Barnyard2 only after that. And the line holds a database password in clear text: do not use the MySQL root account for it, create a dedicated account that can only touch the snorby database, and keep the file readable by root and the account Barnyard2 runs as only (chmod 640).
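Added here as an example, not part of Snort, Barnyard2 or the original post: a small POSIX shell pre-flight that catches the two mistakes this hand-off invites, a unified2 base name in snort.conf that differs from LOG_FILE in /etc/sysconfig/barnyard2 (Barnyard2 then polls for a spool file that never appears), and a configuration file holding the database password that everyone on the box can read. File paths are parameters; the files created at the end are constructed stand-ins for the real ones.

```sh
#!/bin/sh
# Pre-flight checks for the Snort -> unified2 -> Barnyard2 hand-off.
# Added example for this page, not part of Snort or Barnyard2. It reads the
# two files that must agree (snort.conf and /etc/sysconfig/barnyard2) and
# the config that holds the database password; all paths are arguments.

# Base filename from the line "output unified2: filename snort.log, limit 128".
unified2_filename() {
    awk '
        /^[[:space:]]*output[[:space:]]+unified2:/ {
            if (match($0, /filename[[:space:]]+[^,[:space:]]+/)) {
                f = substr($0, RSTART, RLENGTH)
                sub(/filename[[:space:]]+/, "", f)
                print f
                exit
            }
        }
    ' "$1"
}

# LOG_FILE from /etc/sysconfig/barnyard2, with or without quotes, ignoring
# a trailing shell comment.
sysconfig_log_file() {
    awk -F= '/^[[:space:]]*LOG_FILE=/ {
        v = $2; sub(/#.*/, "", v); sub(/[[:space:]]+$/, "", v); print v; exit
    }' "$1" | tr -d '"' | tr -d "'"
}

# Barnyard2 polls <spool dir>/<-f name>.<timestamp>; if -f does not match what
# Snort writes it waits forever on a file that never appears. 0 = match.
check_spool_name() {
    s=$(unified2_filename "$1")
    b=$(sysconfig_log_file "$2")
    [ -n "$s" ] && [ "$s" = "$b" ]
}

# barnyard2.conf (and Snorby's database.yml) hold the database password:
# refuse any mode where "other" can read. 0 = acceptable.
check_not_world_readable() {
    mode=$(stat -c '%a' "$1") || return 1
    other=$(( mode % 10 ))          # last octal digit = permissions for "other"
    [ $(( other & 4 )) -eq 0 ]
}

# Constructed files standing in for the real ones (not from the page).
conf=$(mktemp); sysc=$(mktemp)
printf 'output unified2: filename snort.log, limit 128\n' > "$conf"
printf 'LOG_FILE="snort_unified.log"\nSNORTDIR="/var/log/snort"\n' > "$sysc"
s=$(unified2_filename "$conf"); b=$(sysconfig_log_file "$sysc")
check_spool_name "$conf" "$sysc" || echo "mismatch: snort writes $s, barnyard2 reads $b"
chmod 644 "$conf"
check_not_world_readable "$conf" || echo "$conf is world-readable; chmod 640 it"
rm -f "$conf" "$sysc"
```

On the real sensor run check_spool_name /etc/snort/snort.conf /etc/sysconfig/barnyard2 and check_not_world_readable /usr/local/etc/barnyard2.conf (and the same for /var/www/snorby/config/database.yml once it exists); a non-zero exit from either is something to fix before starting the daemons.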

===============================

Test the Snort configuration once more

# snort -c /etc/snort/snort.conf -A console -T -i eth0 -u snort -g snort -l /var/log/snort

Then run Snort in daemon mode, either directly (give -i explicitly rather than leaving the interface to the capture library's default) or through the init script:

# /usr/local/snort/bin/snort -c /usr/local/snort/etc/snort.conf -i eth0 -u snort -g snort -l /var/log/snort -D

# /etc/init.d/snortd restart

To stop snort and barnyard2:
# pkill snort
# pkill barnyard2

Once Barnyard2 is running (next step), check that it is inserting events into the database. With the optional Barnyard2 schema the database is snort; with Snorby it is snorby (that check is repeated in the Snorby section):

# mysql -u snort -p -D snort -e "select count(*) from event"

If the count returned is greater than zero, events are flowing.

Launch Barnyard2 as a daemon with one of the following command strings. -D daemonizes; the -G, -S and -C options override the map and classification paths set in barnyard2.conf and are only needed if you did not set them there; -f must match the unified2 filename in snort.conf.

# barnyard2 -c /usr/local/etc/barnyard2.conf -d /var/log/snort -f snort.log -w /var/log/snort/barnyard2.waldo -D
or
# /usr/local/bin/barnyard2 -c /usr/local/etc/barnyard2.conf -G /usr/local/snort/etc/gen-msg.map -S /usr/local/snort/etc/sid-msg.map -C /usr/local/snort/etc/classification.config -d /var/log/snort -f snort.log -w /var/log/snort/barnyard2.waldo -D
or
# /usr/local/bin/barnyard2 -c /usr/local/etc/barnyard2.conf -G /usr/local/snort/etc/gen-msg.map -S /usr/local/snort/etc/sid-msg.map -d /var/log/snort -f snort.log -w /var/log/snort/barnyard2.waldo -D

If Barnyard2 does not appear to be working, omit the -D parameter and you will see on the terminal any error that prevents it from running.
When Barnyard2 is running, you should see a new sensor in Snorby. If you do not like the display name of the sensor, you can change it under Administration Menu > Sensors.

Barnyard2 installation completed. Snort is now writing unified2 files and Barnyard2 is loading them into MySQL, so we can install a front end such as BASE or Snorby to view and analyze the data in a web application.

=================================================
PulledPork Installation
PulledPork is an open-source Perl script that downloads and updates Snort rule sets automatically (it needs your snort.org oinkcode for the registered rules).

# yum install perl-Crypt-SSLeay perl-libwww-perl perl-Archive-Tar -y
# cd /usr/local/src/snort
# wget https://pulledpork.googlecode.com/files/pulledpork-0.6.1.tar.gz -O pulledpork.tar.gz
# tar zxvf pulledpork.tar.gz
# mv pulledpork-0.6.1/ pulledpork
# cp -r pulledpork /usr/local/snort/

The project has since moved off Google Code to GitHub (shirkdog/pulledpork); fetch current releases from there.

The registered rule snapshot is fetched from a URL of the form below, where the trailing hex string is your oinkcode. Treat the oinkcode as a credential: it belongs in the rule_url line of pulledpork.conf, not in a web page or a shared script.

http://www.snort.org/reg-rules/snortrules-snapshot-2940.tar.gz/<oinkcode>

# vi /usr/local/snort/pulledpork/etc/pulledpork.conf

rule_path=/usr/local/src/snort/rules/snort.rules
local_rules=/usr/local/src/snort/rules/local.rules
sid_msg=/usr/local/snort/etc/sid-msg.map
snort_path=/usr/local/snort/bin/snort
config_path=/etc/snort/snort.conf
sostub_path=/usr/local/src/snort/so_rules/
pid_path=/var/run/snort_eth0.pid

rule_path is where PulledPork writes the merged rule set; add include $RULE_PATH/snort.rules to snort.conf so Snort loads it, and keep the paths in line with the rule directories used earlier in this guide.

=================================================

Snorby Installation

# yum install -y gcc make automake autoconf curl-devel openssl-devel zlib-devel httpd-devel apr-devel apr-util-devel mysql-server mysql-devel
# yum install -y libxml2 libxml2-devel libxslt libxslt-devel ImageMagick* git-core
# yum search openjdk
# yum install java-1.7.0-openjdk -y

===============================

Install RVM with Ruby. The RVM installer is a script fetched over the network and run as root: on a sensor you care about, download it first, read it and verify its GPG signature as rvm.io documents, rather than piping curl straight into bash. The one-liner the project publishes is:

# \curl -L https://get.rvm.io | bash -s stable --ruby

or, to pull in Rails as well:
# \curl -L https://get.rvm.io | bash -s stable --rails

A system-wide install as root lands in /usr/local/rvm. The rvm command is a shell function, so it only works from a login shell; start one, then install and select Ruby 1.9.3 (Snorby requires 1.9.x):

# /bin/bash --login
# rvm list known
# rvm install 1.9.3
# rvm use 1.9.3 --default
Using /usr/local/rvm/gems/ruby-1.9.3-p362

# ruby -v
ruby 1.9.3p362 (2012-12-25 revision 38607) [x86_64-linux]
# which ruby
/usr/local/rvm/rubies/ruby-1.9.3-p362/bin/ruby

If you run /usr/local/rvm/bin/rvm use 1.9.3 from a non-login shell instead, RVM answers "RVM is not a function, selecting rubies with 'rvm use ...' will not work." and points you at https://rvm.io/integration/gnome-terminal/; the login shell above is the fix.
===============================
wkhtmltopdf Installation

# wget https://wkhtmltopdf.googlecode.com/files/wkhtmltopdf-0.10.0_rc2-static-amd64.tar.bz2
# tar -xvf wkhtmltopdf-0.10.0_rc2-static-amd64.tar.bz2 -C /opt
# cd /opt/
# mv wkhtmltopdf-amd64 wkhtmltopdf
# mv wkhtmltopdf /usr/local/bin/
# wkhtmltopdf

===============================

# Snorby Setup from git
# cd /var/www/
# git clone https://github.com/Snorby/snorby.git

(Clone over https rather than the unauthenticated, unencrypted git:// protocol, so the code you are about to run as a web application is at least fetched over TLS from GitHub.)

# cd /var/www/snorby/config
# cp database.yml.example database.yml
# cp snorby_config.yml.example snorby_config.yml
# chown -R root:apache /var/www/snorby/

===============================

# vi /var/www/snorby/config/database.yml

# Snorby Database Configuration
#
# Please set your database password/user below
# NOTE: Indentation is important.
#
snorby: &snorby
  adapter: mysql
  username: root
  password: "redhat" # Example: password: "s3cr3tsauce"
  host: localhost

development:
  database: snorby
  <<: *snorby

test:
  database: snorby
  <<: *snorby

production:
  database: snorby
  <<: *snorby

This file, like barnyard2.conf, contains a database password. Use a dedicated MySQL account limited to the snorby database rather than root (it needs CREATE as well, since rake snorby:setup creates the database), and restrict the file: root:apache with mode 640 is enough for Passenger to read it.

===============================

# vi /var/www/snorby/config/snorby_config.yml

#
# Production
#
# Change the production configuration for your environment.
#
# USE THIS!
#
production:
  domain: localhost:3000
  wkhtmltopdf: /usr/local/bin/wkhtmltopdf
  ssl: false
  mailer_sender: 'snorby@snorby.org'
  geoip_uri: "http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz"
  rules:
    - "/usr/local/src/snort/rules"
    - "/usr/local/src/snort/so_rules"
  authentication_mode: database

The rules list tells Snorby where the rule files live so it can show the signature text next to an event; the example ships with an empty entry, so point it at the rule directories used above.

#
# Only Use For Development
#
development:
  domain: localhost:3000
  wkhtmltopdf: /Users/mephux/.rvm/gems/ruby-1.9.2-p0/bin/wkhtmltopdf
  ssl: false
  mailer_sender: 'snorby@snorby.org'
  geoip_uri: "http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz"
  rules:
    - "/Users/mephux/.snort/rules"
    - "/Users/mephux/.snort/so_rules"
  authentication_mode: database
  # authentication_mode: cas
  # cas_config:
  #   base_url: https://auth.server.com.br/
  #   login_url: https://auth.server.com.br/login?domain=server
  #   logout_url: https://auth.server.com.br/logout?domain=server

#
# Only Use For Testing
#
test:
  domain: localhost:3000
  wkhtmltopdf: /usr/local/bin/wkhtmltopdf
  mailer_sender: 'snorby@snorby.org'
  geoip_uri: "http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz"
  authentication_mode: database

===============================

# mysql -u root -p
mysql> show databases;
+——————–+
| Database |
+——————–+
| information_schema |
| bugs |
| mysql |
+——————–+
3 rows in set (0.02 sec)

mysql> exit

# /etc/init.d/mysqld restart

Check what MySQL is listening on. "*:mysql (LISTEN)" means it accepts connections on every address, which this single-box setup does not need:
# lsof -i | grep mysqld
mysqld 21656 mysql 11u IPv4 534153 0t0 TCP *:mysql (LISTEN)

Since Snort, Barnyard2 and Snorby all run on this host and connect to localhost, add bind-address=127.0.0.1 under [mysqld] in /etc/my.cnf and restart mysqld, or block 3306 with iptables, so the alert database is not reachable from the network being monitored.

# cd /var/www/snorby

# bundle install --deployment
# bundle exec rake snorby:setup

--deployment installs the gems pinned in Gemfile.lock under vendor/bundle, and bundle exec runs rake with exactly that gem set, which sidesteps the rake version clash described under Issue 1 below. Add --trace to the rake command to see the full stack of a failure.

Output of the setup task, run in /var/www/snorby:
# bundle exec rake snorby:setup
(in /var/www/snorby)
1296b52b8ef69eebdfe675a79b3df1240ea6335b42e476cf33915a31a0870d579a4e3bd165d3669a5802593d26de8c9b11ddf26d6cc8e1a1c9c04f450450a193
[datamapper] Created database 'snorby'
[datamapper] Finished auto_upgrade! for :default repository 'snorby'
[~] Adding `index_timestamp_cid_sid` index to the event table
[~] Adding `id` to the event table
[~] Building `aggregated_events` database view
[~] Building `events_with_join` database view
* Removing old jobs
* Starting the Snorby worker process.
* Adding jobs to the queue

Finally start Snorby; add -d to run it as a daemon. WEBrick binds to every address (0.0.0.0:3000): for anything beyond a first test, bind it to the loopback interface with -b 127.0.0.1 and put Apache/Passenger (below) in front of it, or firewall port 3000.

# cd /var/www/snorby/

# bundle exec rails server -e production -d
=> Booting WEBrick
=> Rails 3.1.0 application starting in production on http://0.0.0.0:3000

Log in at

http://localhost:3000

username: snorby@snorby.org
password: snorby

These are Snorby's well-known default credentials; change the password (and ideally the address) right after the first login, before the console is reachable from any network you do not trust.

# mysql -u root -p
mysql> show databases;
+——————–+
| Database |
+——————–+
| information_schema |
| bugs |
| mysql |
| snorby |
+——————–+
4 rows in set (0.03 sec)

Run Snort in daemon mode if it is not running:

# /usr/sbin/snort -u snort -g snort -c /etc/snort/snort.conf -i eth0 -D

Now run Barnyard2. The -f argument must match the filename on the output unified2 line in snort.conf; the second form is only for a sensor whose snort.conf names the file unified2.alert:

# /usr/local/bin/barnyard2 -c /usr/local/etc/barnyard2.conf -G /usr/local/snort/etc/gen-msg.map -S /usr/local/snort/etc/sid-msg.map -d /var/log/snort -f snort.log -w /var/log/snort/barnyard2.waldo -D

# /usr/local/bin/barnyard2 -c /usr/local/etc/barnyard2.conf -G /usr/local/snort/etc/gen-msg.map -S /usr/local/snort/etc/sid-msg.map -d /var/log/snort -f unified2.alert -w /var/log/snort/barnyard2.waldo -D


# ps ax | grep snort
6076 ? Ssl 0:00 /usr/sbin/snort -u snort -g snort -c /etc/snort/snort.conf -D
6080 ? Rs 0:12 /usr/local/bin/barnyard2 -c /usr/local/etc/barnyard2.conf -G /usr/local/snort/etc/gen-msg.map -S /usr/local/snort/etc/sid-msg.map -d /var/log/snort -f snort.log -w /var/log/snort/barnyard2.waldo -D
6083 pts/2 S+ 0:00 grep snort

Now, check to see if barnyard is correctly inserting events into the database:

# mysql -u root -p -D snorby -e "select count(*) from event"
Enter password:
+———-+
| count(*) |
+———-+
| 21738 |
+———-+

If the count returned a number greater than zero, then it must be working.

===============================
Issue 1:

# rake snorby:setup
(in /var/www/snorby)
rake aborted!
You have already activated rake 10.0.3, but your Gemfile requires rake 0.9.2. Using bundle exec may solve this.
/var/www/snorby/config/boot.rb:8
/var/www/snorby/config/application.rb:1
/var/www/snorby/Rakefile:4
(See full trace by running task with --trace)

Solution 1:

The message says it: run the task through Bundler so it loads the rake version pinned in Gemfile.lock:

# bundle exec rake snorby:setup

Alternatively remove the newer system-wide rake. Note the double hyphen: if it is pasted as a single dash character, gem treats the option and the version as gem names, reports them as "not installed" and prompts for which rake to remove.

# gem uninstall rake --version 10.0.3
Successfully uninstalled rake-10.0.3

===============================

Issue 2:

# rake snorby:setup
(in /var/www/snorby)
Snorby requires Ruby version 1.9.x
We suggest using Ruby Version Manager (RVM) https://rvm.io/ to install the newest release

Solution 2:

# ruby -v
ruby 1.8.7 (2011-06-30 patchlevel 352) [x86_64-linux]

The system Ruby on RHEL/CentOS 6 is 1.8.7. Install Ruby 1.9.3 through RVM exactly as in the Snorby Installation section above, then open a login shell (/bin/bash --login), select it with rvm use 1.9.3, and confirm with ruby -v and which ruby that /usr/local/rvm/rubies/ruby-1.9.3-p362/bin/ruby is now first in the path.

Run the following commands in the /var/www/snorby folder
# rake snorby:setup
(in /var/www/snorby)
Could not find rake-0.9.2 in any of the sources
Try running `bundle install`.

# bundle install

# gem list | grep rake
rake (10.0.3, 0.9.2)

Then run the setup task again in /var/www/snorby; it should complete with the "[datamapper] Created database 'snorby'" output shown in the installation section, after which Snorby starts with bundle exec rails server -e production -d as described there.

===============================
Troubleshooting Error:
Issue:
WARN TCPServer Error: Address already in use - bind(2)
Exiting

Solution:
Find what already owns port 3000 (an earlier Snorby started with -d is the usual culprit):
# lsof -i :3000
# netstat -nltpu | grep 3000
tcp 0 0 0.0.0.0:3000 0.0.0.0:* LISTEN 24443/ruby

Either stop that process, or start this instance on another port:
# bundle exec rails server -e production -p 3001

and log in at

http://localhost:3001

===============================
Issue 3:

Jammit Warning: Asset compression disabled — Java unavailable.

# rake snorby:setup
Jammit Warning: Asset compression disabled — Java unavailable.
47b4f5d4d24b0c3e3fbc3ed6bf499caab089b27b973a2a04c0a078930507ac88aabcf81b1b3e59fa4f6887b36e6ea2a35ad4a09a3177f2dcf2f9fb359d43a8dd
[datamapper] Created database ‘snorby’
[datamapper] Finished auto_upgrade! for :default repository ‘snorby’
[~] Adding `index_timestamp_cid_sid` index to the event table
[~] Adding `id` to the event table
[~] Building `aggregated_events` database view
[~] Building `events_with_join` database view
* Removing old jobs
* Starting the Snorby worker process.
Jammit Warning: Asset compression disabled — Java unavailable.
* Adding jobs to the queue

Solution 3:

# yum search openjdk
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: virror.hanoilug.org
* epel: mirror.neu.edu.cn
* extras: virror.hanoilug.org
* rpmforge: archive.cs.uu.nl
* updates: virror.hanoilug.org
epel/pkgtags | 327 B 00:00
============================= N/S Matched: openjdk =============================
java-1.6.0-openjdk.x86_64 : OpenJDK Runtime Environment
java-1.6.0-openjdk-demo.x86_64 : OpenJDK Demos
java-1.6.0-openjdk-devel.x86_64 : OpenJDK Development Environment
java-1.6.0-openjdk-javadoc.x86_64 : OpenJDK API Documentation
java-1.6.0-openjdk-src.x86_64 : OpenJDK Source Bundle
java-1.7.0-openjdk.x86_64 : OpenJDK Runtime Environment
java-1.7.0-openjdk-demo.x86_64 : OpenJDK Demos
java-1.7.0-openjdk-devel.x86_64 : OpenJDK Development Environment
java-1.7.0-openjdk-javadoc.noarch : OpenJDK API Documentation
java-1.7.0-openjdk-src.x86_64 : OpenJDK Source Bundle
icedtea-web.x86_64 : Additional Java components for OpenJDK

Name and summary matches only, use “search all” for everything.

# yum install java-1.7.0-openjdk -y

===============================
Updating Snorby

Updating snorby is as easy as running the following commands :

# cd /var/www/snorby
# git pull origin master
# rake snorby:update

===============================
Install Passenger module for apache

# gem install passenger

# gem update
# gem list

# which ruby
/usr/local/rvm/rubies/ruby-1.9.3-p362/bin/ruby

# cd /usr/local/rvm/gems/ruby-1.9.3-p362/bin/
# ./passenger-install-apache2-module

===============================
Configure and restart Apache

passenger-install-apache2-module prints the three Passenger lines for your install; paste them into httpd.conf and add a virtual host for Snorby. PassengerRuby must be the RVM ruby that Snorby's gems were installed for (/usr/local/rvm/rubies/ruby-1.9.3-p362/bin/ruby, as shown by which ruby above), not the 1.8.7 system ruby at /usr/bin/ruby, or the application will fail to boot under Passenger.

# vi /etc/httpd/conf/httpd.conf

LoadModule passenger_module /usr/local/rvm/gems/ruby-1.9.3-p362/gems/passenger-3.0.18/ext/apache2/mod_passenger.so
PassengerRoot /usr/local/rvm/gems/ruby-1.9.3-p362/gems/passenger-3.0.18
PassengerRuby /usr/local/rvm/rubies/ruby-1.9.3-p362/bin/ruby

<VirtualHost *:80>
    # ServerAdmin admin@nachum234.com
    # ServerName snorby.nachum234.com
    DocumentRoot /var/www/snorby/public/
    <Directory /var/www/snorby/public>
        AllowOverride all
        Order deny,allow
        Allow from all
        Options -MultiViews
    </Directory>
</VirtualHost>

# /etc/init.d/httpd restart

Serving the console over plain HTTP exposes the Snorby login and every alert it displays to anyone on the path. mod_ssl was installed in the first yum line above, so move this into a *:443 virtual host with SSLEngine on and a certificate, and flip ssl: false to true in snorby_config.yml to match.

===============================


'Network error: Connection reset by peer' or 'Network error: Connection refused'

If an idle SSH session to a remote Linux box keeps being dropped after a while, with messages such as:

'Network error: Connection reset by peer' or 'Network error: Connection refused'

the usual cause is a NAT device or firewall expiring the idle connection. Uncomment ClientAliveInterval 60 in /etc/ssh/sshd_config on the server and restart sshd.
This makes sshd send a keep-alive probe to the client every 60 seconds, which keeps the connection's state entry alive in the middlebox. (A 'Connection refused' at the initial connect is a different problem: nothing is listening on that port, or a firewall rejects it, and no keep-alive setting will help.)

# /etc/ssh/sshd_config
ClientAliveInterval 60


How to change the time zone on a Red Hat system

Run the graphical utility to select the city of your zone:

# system-config-date

Command-line method:

To find the time zone for your region, list the zoneinfo tree:

# ls /usr/share/zoneinfo/
Africa/ Cuba GMT0 Japan Poland Universal
America/ EET GMT-0 Kwajalein Portugal US/
Antarctica/ Egypt GMT+0 Libya posix/ UTC
Arctic/ Eire Greenwich MET posixrules WET
Asia/ EST Hongkong Mexico/ PRC W-SU
Atlantic/ EST5EDT HST Mideast/ PST8PDT zone.tab
Australia/ Etc/ Iceland MST right/ Zulu
Brazil/ Europe/ Indian/ MST7MDT ROC
Canada/ Factory Iran Navajo ROK
CET GB iso3166.tab NZ Singapore
Chile/ GB-Eire Israel NZ-CHAT Turkey
CST6CDT GMT Jamaica Pacific/ UCT

# ls /usr/share/zoneinfo/Asia/
Aden Baku Dacca Hong_Kong Kashgar Magadan Pontianak Sakhalin Thimbu Yekaterinburg
Almaty Bangkok Damascus Hovd Kathmandu Makassar Pyongyang Samarkand Thimphu Yerevan
Amman Beirut Dhaka Irkutsk Katmandu Manila Qatar Seoul Tokyo
Anadyr Bishkek Dili Istanbul Kolkata Muscat Qyzylorda Shanghai Ujung_Pandang
Aqtau Brunei Dubai Jakarta Krasnoyarsk Nicosia Rangoon Singapore Ulaanbaatar
Aqtobe Calcutta Dushanbe Jayapura Kuala_Lumpur Novokuznetsk Riyadh Taipei Ulan_Bator
Ashgabat Choibalsan Gaza Jerusalem Kuching Novosibirsk Riyadh87 Tashkent Urumqi
Ashkhabad Chongqing Harbin Kabul Kuwait Omsk Riyadh88 Tbilisi Vientiane
Baghdad Chungking Hebron Kamchatka Macao Oral Riyadh89 Tehran Vladivostok
Bahrain Colombo Ho_Chi_Minh Karachi Macau Phnom_Penh Saigon Tel_Aviv Yakutsk

To set the time zone to Asia/Kolkata:

# vi /etc/sysconfig/clock
# The time zone of the system is defined by the contents of /etc/localtime.
# This file is only for evaluation by system-config-date, do not rely on its
# contents elsewhere.
ZONE="Asia/Kolkata"

# ln -sf /usr/share/zoneinfo/Asia/Kolkata /etc/localtime

# ls -l /etc/localtime
lrwxrwxrwx 1 root root 32 Jul 26 15:47 /etc/localtime -> /usr/share/zoneinfo/Asia/Kolkata

Daemons that have already read the zone keep the old one until restarted. Check that ntpd is still running and keeping the clock synchronised, since alert timestamps in Snort and Snorby are only comparable across sensors when the time is right:

# /etc/init.d/ntpd status
ntpd (pid 15248) is running...
