Tested On

OS: CentOS 6.2 i386
Snort Version: 2.9.2.2 IPv6 GRE (Build 121)
Hardware: VirtualBox 4.1.14

About

Snorby is a frontend application for Snort. Snorby lets you check and analyze your Snort events and alerts from a web browser.

Prerequisite

Install Snorby

  • Install apache and prerequisite packages
yum install libyaml-devel httpd git ImageMagick ImageMagick-devel libxml2-devel libxslt-devel gcc-c++ curl-devel httpd-devel apr-devel apr-util-devel readline-devel -y
  • Download and install Ruby
cd /usr/local/src/snort
wget https://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.3-p327.tar.gz
tar xvzf ruby-1*
cd ruby-1*
./configure && make && make install
  • Install openssl extension
cd ext/openssl/
ruby extconf.rb
make && make install
  • Install gem dependencies
gem install thor i18n bundler tzinfo builder memcache-client rack rack-test erubis mail rack-mount rails --no-rdoc --no-ri
gem install rake --version=0.9.2 --no-rdoc --no-ri
gem uninstall rake --version=0.9.2.2
  • Download and install wkhtmltopdf
cd /usr/local/src/snort
  • For i386:
wget https://wkhtmltopdf.googlecode.com/files/wkhtmltopdf-0.9.9-static-i386.tar.bz2
tar jxvf wkhtmltopdf-0*
mv wkhtmltopdf-i386 /usr/local/bin/wkhtmltopdf
  • For X86_64:
wget https://wkhtmltopdf.googlecode.com/files/wkhtmltopdf-0.9.9-static-amd64.tar.bz2
tar jxvf wkhtmltopdf-0*
mv wkhtmltopdf-amd64 /usr/local/bin/wkhtmltopdf
chown root:root /usr/local/bin/wkhtmltopdf
  • Download and configure snorby
cd /var/www/html/
git clone https://github.com/Snorby/snorby.git
cd /var/www/html/snorby/config/
cp database.yml.example database.yml
cp snorby_config.yml.example snorby_config.yml
chown -R apache:apache /var/www/html/snorby
  • Set mysql root password
mysqladmin password humus
  • Configure snorby database username and password
vi database.yml
...
snorby: &snorby
 adapter: mysql
 username: root
 password: humus
 host: localhost
...
  • Install Snorby
cd /var/www/html/snorby
bundle install --deployment
rake snorby:setup
  • Configure Barnyard to output alerts to snorby database
vi /etc/snort/barnyard.conf
...
output database: log, mysql, user=root password=humus dbname=snorby host=localhost
...
  • Restart Barnyard
service barnyard2 stop
service barnyard2 start
  • Install Passenger module for apache
gem install passenger
cd /usr/local/lib/ruby/gems/1.9.1/gems/passenger-3.0.19/bin
./passenger-install-apache2-module
  • Configure and restart apache
vi /etc/httpd/conf/httpd.conf
...
#<VirtualHost *:80>
#    ServerAdmin webmaster@dummy-host.example.com
#    DocumentRoot /www/docs/dummy-host.example.com
#    ServerName dummy-host.example.com
#    ErrorLog logs/dummy-host.example.com-error_log
#    CustomLog logs/dummy-host.example.com-access_log common
#</VirtualHost>

LoadModule passenger_module /usr/local/lib/ruby/gems/1.9.1/gems/passenger-3.0.19/ext/apache2/mod_passenger.so
PassengerRoot /usr/local/lib/ruby/gems/1.9.1/gems/passenger-3.0.19
PassengerRuby /usr/local/bin/ruby

<VirtualHost *:80>
        ServerAdmin admin@nachum234.com
        ServerName snorby.nachum234.com
        DocumentRoot /var/www/html/snorby/public

        <Directory "/var/www/html/snorby/public">
                AllowOverride all
                Order deny,allow
                Allow from all
                Options -MultiViews
        </Directory>
</VirtualHost>
service httpd restart
  • Configure the DNS name snorby.nachum234.com to resolve to the IP address of the Snorby server (DNS or hosts file)
  • Browse to https://snorby.nachum234.com and log in to Snorby with the default username/password snorby@snorby.org/snorby
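
The database credentials above are entered twice, once in database.yml and again in barnyard.conf; if the two disagree, barnyard2 cannot write the events Snorby reads. The Ruby script below is an added check, not part of the original post or of Snorby itself: it parses both files (the samples are constructed here and mirror the values used above), reports any difference, and flags that both sides use the MySQL root account, since a dedicated user with privileges only on the snorby database is the least-privilege choice.

```ruby
require 'yaml'

# Constructed samples (not the page's files): Snorby's config/database.yml, where
# the snorby anchor is merged into each Rails environment, and barnyard.conf.
SAMPLE_DATABASE_YML = <<YAML
snorby: &snorby
  adapter: mysql
  username: root
  password: humus
  host: localhost
production:
  database: snorby
  <<: *snorby
YAML
SAMPLE_BARNYARD_CONF = <<CONF
# other output plugins omitted
output database: log, mysql, user=root password=humus dbname=snorby host=localhost
CONF

# Parse barnyard2's active "output database:" line into a hash; nil if absent.
def parse_barnyard_output(conf_text)
  conf_text.each_line do |raw|
    m = raw.strip.match(/\Aoutput database:\s*(\w+),\s*(\w+),\s*(.+)\z/)
    next unless m
    params = { log_type: m[1], backend: m[2] }
    m[3].split.each { |kv| k, v = kv.split('=', 2); params[k.to_sym] = v }
    return params
  end
  nil
end

# Check that database.yml (one Rails environment) and barnyard2 point at the
# same MySQL database with the same credentials; flags use of the root account.
def check_snorby_db_config(database_yml, barnyard_conf, env = 'production')
  problems, warnings = [], []
  # database.yml relies on anchors/aliases, which Psych 4's YAML.load rejects.
  loaded = YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(database_yml) : YAML.load(database_yml)
  db = (loaded || {})[env]
  by = parse_barnyard_output(barnyard_conf)
  problems << "no '#{env}' section in database.yml" unless db
  problems << 'no active "output database:" line in barnyard.conf' unless by
  return { ok: false, problems: problems, warnings: warnings } unless db && by
  problems << 'barnyard output backend is not mysql' unless by[:backend] == 'mysql'
  problems << 'database.yml adapter is not mysql' unless %w[mysql mysql2].include?(db['adapter'])
  { 'username' => :user, 'password' => :password, 'database' => :dbname, 'host' => :host }.each do |yk, bk|
    next if db[yk].to_s == by[bk].to_s
    problems << "#{yk} differs: database.yml=#{db[yk].inspect} barnyard=#{by[bk].inspect}"
  end
  warnings << 'MySQL root account used on both sides; a user limited to the snorby database is safer' if db['username'] == 'root'
  { ok: problems.empty?, problems: problems, warnings: warnings }
end
```

Run it against the real files with `check_snorby_db_config(File.read('/var/www/html/snorby/config/database.yml'), File.read('/etc/snort/barnyard.conf'))`; an empty problems list means both sides agree.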

That’s all. Now you can work with your new Snorby system to analyze Snort data.

If you haven’t already configured your Snort system to get automatic rule updates, you can do it using the following guide: Configure Snort Automatic Rules Updating With Pulledpork

Please visit https://www.snorby.org/ for more information about Snorby configuration and usage.

Lahav Savir

Founder and CTO, Cloud Platforms