Tested On
OS: CentOS 6.2 i386
Snort Version: 2.9.2.2 IPv6 GRE (Build 121)
Hardware: VirtualBox 4.1.14
About
Snorby is a web front end for Snort: it lets you browse, search, and classify your Snort events and alerts from a browser.
Prerequisite
This guide assumes a working Snort sensor with Barnyard2 and MySQL already installed: the steps below edit /etc/snort/barnyard.conf, restart the barnyard2 service, and build under /usr/local/src/snort.
Install Snorby
- Install apache and prerequisite packages
yum install libyaml-devel httpd git ImageMagick ImageMagick-devel libxml2-devel libxslt-devel gcc-c++ curl-devel httpd-devel apr-devel apr-util-devel readline-devel -y
- Download and build Ruby
cd /usr/local/src/snort
wget https://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.3-p327.tar.gz
tar xvzf ruby-1*
cd ruby-1*
./configure && make && make install
Ruby 1.9.3 is end of life (no security fixes since February 2015), which is one more reason to keep this console off untrusted networks.
- Build the openssl extension (from inside the Ruby source tree)
cd ext/openssl/
ruby extconf.rb
make && make install
- Install gem dependencies
gem install thor i18n bundler tzinfo builder memcache-client rack rack-test erubis mail rack-mount rails --no-rdoc --no-ri
gem install rake --version=0.9.2 --no-rdoc --no-ri
gem uninstall rake --version=0.9.2.2
(rails pulls in rake 0.9.2.2; the Snorby bundle expects 0.9.2, so the newer one is removed.)
- Download and install wkhtmltopdf (Snorby uses it to export PDF reports)
cd /usr/local/src/snort
- For i386:
wget https://wkhtmltopdf.googlecode.com/files/wkhtmltopdf-0.9.9-static-i386.tar.bz2
tar jxvf wkhtmltopdf-0*
mv wkhtmltopdf-i386 /usr/local/bin/wkhtmltopdf
- For x86_64:
wget https://wkhtmltopdf.googlecode.com/files/wkhtmltopdf-0.9.9-static-amd64.tar.bz2
tar jxvf wkhtmltopdf-0*
mv wkhtmltopdf-amd64 /usr/local/bin/wkhtmltopdf
chown root:root /usr/local/bin/wkhtmltopdf
Google Code has since shut down, so the googlecode.com URLs above no longer serve files; fetch the same 0.9.9 static build from the wkhtmltopdf project's current download page and check its published checksum before installing it.
- Download and configure Snorby
cd /var/www/html/
git clone https://github.com/Snorby/snorby.git
cd /var/www/html/snorby/config/
cp database.yml.example database.yml
cp snorby_config.yml.example snorby_config.yml
chown -R apache:apache /var/www/html/snorby
- Set the MySQL root password
mysqladmin password humus
The guide uses "humus" as a throwaway example; pick your own. A password given on the command line is written to the shell history and is visible to other local users in the process list while the command runs, so set it from an interactive mysql session instead, or clear the history afterwards.
- Configure the Snorby database username and password
vi database.yml
....
snorby: &snorby
  adapter: mysql
  username: root
  password: humus
  host: localhost
...
Running Snorby (and, below, Barnyard2) as the MySQL root user means a compromised web application has full control of every database on the server; a dedicated MySQL user with rights on the snorby schema only is the safer choice.
- Install Snorby
cd /var/www/html/snorby
bundle install --deployment
rake snorby:setup
- Configure Barnyard2 to write alerts to the snorby database
vi /etc/snort/barnyard.conf
...
output database: log, mysql, user=root password=humus dbname=snorby host=localhost
...
This file now carries a database password, so keep it owned by root with mode 0600.
- Restart Barnyard2
service barnyard2 stop
service barnyard2 start
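The database steps above share the MySQL root password between the web application and Barnyard2. The script below is an added example, not part of the original guide or of Snorby itself: it creates two dedicated MySQL accounts with the minimum rights each needs, generates their passwords from the kernel RNG, and writes the matching database.yml and barnyard.conf lines with restrictive file modes. It assumes MySQL runs on the Snorby host, the checkout is /var/www/html/snorby and Barnyard2 reads /etc/snort/barnyard.conf, as in the guide; the CONF_ROOT prefix and the SNORBY_APPLY switch are assumptions of this example, and the barnyard2 grant set is an assumption to widen only if Barnyard2 logs a permission error.

```shell
#!/bin/sh
# Added example, not part of the original guide: give Snorby and Barnyard2
# their own MySQL accounts instead of sharing the MySQL root password, and
# write the matching database.yml and barnyard.conf lines. Assumptions:
# MySQL runs on the Snorby host, the Snorby checkout is /var/www/html/snorby
# and Barnyard2 reads /etc/snort/barnyard.conf, as in the guide. CONF_ROOT is
# only a prefix for rendering the files elsewhere (review, tests); leave it
# empty on the real system.
set -eu
CONF_ROOT="${CONF_ROOT:-}"

# 24 random alphanumerics from the kernel RNG: never typed, never in history.
random_secret() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 24
}

# SQL for two accounts. snorby owns the schema (rake snorby:setup creates and
# migrates it); barnyard2 only reads reference tables and inserts events.
# Assumption: widen barnyard2's grants only if it logs a permission error.
render_grants() {   # $1 = snorby password, $2 = barnyard2 password
    cat <<EOF
CREATE USER 'snorby'@'localhost' IDENTIFIED BY '$1';
GRANT ALL PRIVILEGES ON snorby.* TO 'snorby'@'localhost';
CREATE USER 'barnyard2'@'localhost' IDENTIFIED BY '$2';
GRANT SELECT, INSERT, UPDATE ON snorby.* TO 'barnyard2'@'localhost';
FLUSH PRIVILEGES;
EOF
}

# database.yml in the layout of Snorby's database.yml.example. Passenger runs
# the app as apache (the guide chowns the tree to apache), so apache may read
# the file but must not be able to rewrite it.
write_database_yml() {   # $1 = snorby password
    dir="$CONF_ROOT/var/www/html/snorby/config"
    mkdir -p "$dir"
    cat >"$dir/database.yml" <<EOF
snorby: &snorby
  adapter: mysql
  username: snorby
  password: $1
  host: localhost

development:
  database: snorby
  <<: *snorby

test:
  database: snorby
  <<: *snorby

production:
  database: snorby
  <<: *snorby
EOF
    chmod 0640 "$dir/database.yml"
    if [ "$(id -u)" -eq 0 ] && id apache >/dev/null 2>&1; then
        chown root:apache "$dir/database.yml"
    fi
}

# Replace (or add) the single "output database:" line in barnyard.conf and
# make the file root-only, since it now carries a database password.
set_barnyard_output() {   # $1 = barnyard2 password
    f="$CONF_ROOT/etc/snort/barnyard.conf"
    [ -f "$f" ] || { echo "missing $f" >&2; return 1; }
    {
        grep -v '^output database:' "$f" || true
        printf 'output database: log, mysql, user=barnyard2 password=%s dbname=snorby host=localhost\n' "$1"
    } >"$f.tmp"
    chmod 0600 "$f.tmp"
    mv "$f.tmp" "$f"
}

# Assumption: run as root on the database host; mysql prompts for its root
# password rather than taking it on the command line.
provision_db_credentials() {
    snorby_pw=$(random_secret)
    barnyard_pw=$(random_secret)
    render_grants "$snorby_pw" "$barnyard_pw" | mysql -u root -p
    write_database_yml "$snorby_pw"
    set_barnyard_output "$barnyard_pw"
}

# Apply only on request, so sourcing the file for review changes nothing.
if [ "${SNORBY_APPLY:-0}" = 1 ]; then provision_db_credentials; fi
```

Run it as root with SNORBY_APPLY=1 before `bundle install --deployment` and `rake snorby:setup`, then restart barnyard2; neither password is ever shown on a terminal, and the MySQL root account is used only once, interactively, to create the two users.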
- Install the Passenger module for apache
gem install passenger
cd /usr/local/lib/ruby/gems/1.9.1/gems/passenger-3.0.19/bin
./passenger-install-apache2-module
The path contains the Passenger version; if gem install fetched a different release, `passenger-config --root` prints the right directory, and the same path goes into the httpd.conf lines below.
- Configure and restart apache
vi /etc/httpd/conf/httpd.conf
...
#<VirtualHost *:80>
#    ServerAdmin webmaster@dummy-host.example.com
#    DocumentRoot /www/docs/dummy-host.example.com
#    ServerName dummy-host.example.com
#    ErrorLog logs/dummy-host.example.com-error_log
#    CustomLog logs/dummy-host.example.com-access_log common
#</VirtualHost>

LoadModule passenger_module /usr/local/lib/ruby/gems/1.9.1/gems/passenger-3.0.19/ext/apache2/mod_passenger.so
PassengerRoot /usr/local/lib/ruby/gems/1.9.1/gems/passenger-3.0.19
PassengerRuby /usr/local/bin/ruby

<VirtualHost *:80>
    ServerAdmin admin@nachum234.com
    ServerName snorby.nachum234.com
    DocumentRoot /var/www/html/snorby/public
    <Directory "/var/www/html/snorby/public">
        AllowOverride all
        Order deny,allow
        Allow from all
        Options -MultiViews
    </Directory>
</VirtualHost>
service httpd restart
This VirtualHost serves Snorby over plain HTTP on port 80, and "Allow from all" opens it to every address that can reach the server. Before exposing it beyond a lab, terminate TLS with mod_ssl and restrict who may reach the console.
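A TLS-only version of the VirtualHost, as an added example that is not part of the original guide or of Snorby: it renders a drop-in /etc/httpd/conf.d/snorby.conf (use it instead of editing httpd.conf) with a port-80 redirect and a port-443 host. It assumes mod_ssl is installed (yum install mod_ssl; its ssl.conf supplies Listen 443), that a certificate and key already exist at the paths passed in, that PASSENGER_ROOT is what `passenger-config --root` prints, and that ALLOW_FROM is an Apache 2.2 access expression ("all" keeps the guide's behaviour, a range such as 10.0.0.0/8 limits the console to the analyst network). CONF_ROOT, SNORBY_APPLY, SERVER_NAME, CERT_FILE and KEY_FILE are variables of this example only.

```shell
#!/bin/sh
# Added example, not part of the original guide: serve Snorby only over TLS.
# The guide's VirtualHost listens on *:80, so the login form and the session
# cookie cross the network in clear text. This renders a drop-in
# /etc/httpd/conf.d/snorby.conf with a port-80 redirect and a port-443 host.
# Assumptions: mod_ssl is installed (its ssl.conf supplies Listen 443), the
# certificate and key exist at the paths passed in, PASSENGER_ROOT is what
# "passenger-config --root" prints, ALLOW_FROM is an Apache 2.2 access
# expression. CONF_ROOT is only a prefix for rendering the file elsewhere;
# leave it empty on the real system.
set -eu
CONF_ROOT="${CONF_ROOT:-}"
PASSENGER_ROOT="${PASSENGER_ROOT:-/usr/local/lib/ruby/gems/1.9.1/gems/passenger-3.0.19}"
ALLOW_FROM="${ALLOW_FROM:-all}"

write_snorby_vhost() {   # $1 = server name, $2 = certificate path, $3 = key path
    dir="$CONF_ROOT/etc/httpd/conf.d"
    mkdir -p "$dir"
    cat >"$dir/snorby.conf" <<EOF
LoadModule passenger_module $PASSENGER_ROOT/ext/apache2/mod_passenger.so
PassengerRoot $PASSENGER_ROOT
PassengerRuby /usr/local/bin/ruby

# Port 80 only redirects; nothing is served in clear text.
<VirtualHost *:80>
    ServerName $1
    Redirect permanent / https://$1/
</VirtualHost>

<VirtualHost *:443>
    ServerName $1
    DocumentRoot /var/www/html/snorby/public

    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCertificateFile $2
    SSLCertificateKeyFile $3
    <IfModule mod_headers.c>
        Header always set Strict-Transport-Security "max-age=31536000"
    </IfModule>

    <Directory "/var/www/html/snorby/public">
        AllowOverride all
        Order deny,allow
        Allow from $ALLOW_FROM
        Options -MultiViews
    </Directory>
</VirtualHost>
EOF
    chmod 0644 "$dir/snorby.conf"
}

# Apply only on request; afterwards check the syntax and reload:
#   apachectl configtest && service httpd restart
if [ "${SNORBY_APPLY:-0}" = 1 ]; then
    write_snorby_vhost "${SERVER_NAME:-snorby.nachum234.com}" \
        "${CERT_FILE:-/etc/pki/tls/certs/snorby.crt}" \
        "${KEY_FILE:-/etc/pki/tls/private/snorby.key}"
fi
```

If the LoadModule and Passenger lines were already added to httpd.conf as the guide shows, remove them there so the module is declared once; Apache 2.2 only warns about a duplicate LoadModule, but two PassengerRoot settings are confusing to maintain.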
- Make the DNS name snorby.nachum234.com resolve to the IP address of the Snorby server (DNS or hosts file)
- Browse to http://snorby.nachum234.com (the VirtualHost above listens on port 80 only, so without a TLS vhost the login crosses the wire in clear text) and log in with the default username/password snorby@snorby.org / snorby. Change that password right away; every Snorby install starts with it.
That’s all. Now you can work with your new Snorby system to analyze Snort data.
If you have not already configured your Snort system to update its rules automatically, see: Configure Snort Automatic Rules Updating With Pulledpork
Please visit https://www.snorby.org/ for more information about Snorby configuration and usage.