Installing and Configuring Snorby on CentOS 7

Snorby is a Ruby on Rails web application for network security monitoring that interfaces with the currently popular intrusion detection systems (Snort, Suricata and Sagan). The fundamental concepts behind Snorby are simplicity, organization and power. The project's goal is to create a free, open source and highly competitive application for network monitoring, for both private and enterprise use.

Set up your system with the following script to ensure that nothing is missing: http://wiki.douglasqsantos.com.br/doku.php/confinicialcentos7_en

  • Snorby will use the following IP: 192.168.1.251

Let's install the development tools.

yum groupinstall "Development Tools" -y

Let's install the dependencies for Snorby.

yum install openssl-devel readline-devel libxml2-devel libxslt-devel mariadb mariadb-devel mariadb-server urw-fonts libX11-devel libXext-devel git \
fontconfig-devel libXrender-devel unzip wget xorg-x11-server-Xvfb libyaml libyaml-devel gdbm-devel db4-devel libffi-devel ethtool httpd httpd-devel \
ImageMagick ImageMagick-devel curl libcurl libcurl-devel libmnl-devel gcc zlib-devel jansson-devel libnet-devel libnetfilter_queue-devel java-1.8.0-openjdk -y

Now we need to compile Ruby, so let's get the tarball.

cd /usr/src && wget -c http://wiki.douglasqsantos.com.br/Downloads/ips/ruby-1.9.3-p551.tar.xz

Now we need to decompress the file.

tar -xvf ruby-1.9.3-p551.tar.xz && cd /usr/src/ruby-1.9.3-p551

Now we need to configure the package.

./configure --prefix=/usr

Now we need to compile and install the package.

make && make install

Now let's check the Ruby version.

ruby -v
ruby 1.9.3p551 (2014-11-13 revision 48407) [x86_64-linux]

Let's enable httpd.

systemctl enable httpd

Let's enable mariadb.

systemctl enable mariadb

We need to get another dependency and install it manually with the following commands.

cd /usr/src
wget -c http://wiki.douglasqsantos.com.br/Downloads/ips/wkhtmltox-0.12.2_linux-centos7-amd64.rpm
yum install wkhtmltox-0.12.2_linux-centos7-amd64.rpm -y

Now we need to install Rails and Rake.

gem install bundler rails
gem install rake --version=0.9.2

Now we need to get the Snorby sources with the following command.

cd /var/www/html && wget -c http://wiki.douglasqsantos.com.br/Downloads/ips/snorby.tar.gz

We need to decompress Snorby.

tar -xvf snorby.tar.gz

Now we need to copy some files.

cd /var/www/html/snorby/config/
cp database.yml.example database.yml
cp snorby_config.yml.example snorby_config.yml

Now we need to configure the Snorby main file as follows.

vim /var/www/html/snorby/config/snorby_config.yml
# /var/www/html/snorby/config/snorby_config.yml
production:
  baseuri: ''
  domain: 'snorby.douglasqsantos.com.br'
  wkhtmltopdf: /usr/local/bin/wkhtmltopdf
  ssl: false
  mailer_sender: 'douglas.q.santos@gmail.com'
  geoip_uri: "http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz"
  rules:
    - ""
  authentication_mode: database
  timezone_search: true
  time_zone: 'America/Sao_Paulo'

Now we need to enable remote access, because Suricata or Snort will need to write to this database.

vim /etc/my.cnf
[mysqld]
[...]
bind-address            = 0.0.0.0

Now we need to start the mariadb service.

systemctl start mariadb

Now we need to set the root password like this.

mysqladmin -u root password 'password'

Now we need to create the database for Snorby.

mysql -u root -p
CREATE DATABASE snorby;
GRANT ALL PRIVILEGES ON snorby.* TO snorby@'%' IDENTIFIED BY 'senha';
GRANT ALL PRIVILEGES ON snorby.* TO snorby@'localhost' IDENTIFIED BY 'senha';
FLUSH PRIVILEGES;
exit

Now we need to configure the database connection file.

vim /var/www/html/snorby/config/database.yml
# /var/www/html/snorby/config/database.yml
snorby: &snorby
  adapter: mysql
  username: snorby
  password: "senha"
  host: localhost

production:
  database: snorby
  <<: *snorby

Now we need to deploy Snorby like this.

cd /var/www/html/snorby/
bundle install
bundle exec rake snorby:setup RAILS_ENV=production
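Both YAML files edited above carry settings worth checking before the box goes live. The following Ruby script is an added example (not part of Snorby or of this page): it loads constructed copies of snorby_config.yml and database.yml, resolves the &snorby / *snorby merge that database.yml relies on, and reports the weak settings this walkthrough leaves in place (ssl: false and the placeholder database password).

```ruby
require 'yaml'

# Constructed copies of the two Snorby config files, trimmed to the keys the
# audit looks at (sample values only, not real hosts or secrets).
SNORBY_CONFIG_YML = <<~YML
  production:
    baseuri: ''
    domain: 'snorby.example.com'
    ssl: false
    authentication_mode: database
YML

DATABASE_YML = <<~YML
  snorby: &snorby
    adapter: mysql
    username: snorby
    password: "senha"
    host: localhost

  production:
    database: snorby
    <<: *snorby
YML

# database.yml depends on a YAML anchor and the "<<" merge key. Psych 4
# (Ruby 3.1+) rejects aliases in YAML.load, so use unsafe_load where it exists.
def load_yaml_with_aliases(text)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(text) : YAML.load(text)
end

# Placeholder passwords that tend to survive from tutorials into production.
WEAK_PASSWORDS = %w[senha password snorby changeme].freeze

# Returns an array of finding strings for the production environment.
def audit_snorby_config(snorby_yml, database_yml)
  app = load_yaml_with_aliases(snorby_yml).fetch('production')
  db  = load_yaml_with_aliases(database_yml).fetch('production')
  findings = []
  findings << 'ssl disabled: login form and session cookie travel in cleartext' unless app['ssl']
  findings << 'database.yml uses a well-known placeholder password' if WEAK_PASSWORDS.include?(db['password'].to_s)
  findings << "database host #{db['host']} is remote: use TLS or a private network" unless %w[localhost 127.0.0.1].include?(db['host'])
  findings
end

if __FILE__ == $PROGRAM_NAME
  puts audit_snorby_config(SNORBY_CONFIG_YML, DATABASE_YML)
end
```

Run it against the real files by reading them with File.read instead of the constructed strings; an empty result means the three checks passed.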

Let's install the Passenger Ruby gem.

gem install passenger

Now let's install the Passenger module for Apache.

passenger-install-apache2-module -a

Now we need to create the module configuration for Apache.

vim /etc/httpd/conf.modules.d/passenger.conf
LoadModule passenger_module /usr/lib/ruby/gems/1.9.1/gems/passenger-5.0.6/buildout/apache2/mod_passenger.so

Now we need to create the configuration file for the Passenger module.

vim /etc/httpd/conf.d/passenger.conf
<IfModule mod_passenger.c>
    PassengerRoot /usr/lib/ruby/gems/1.9.1/gems/passenger-5.0.6
    PassengerDefaultRuby /usr/bin/ruby
</IfModule>

Now we need to create the virtual host that Snorby will use.

vim /etc/httpd/conf.d/snorby.conf
<VirtualHost *:80>
      ServerName snorby.douglasqsantos.com.br
      DocumentRoot /var/www/html/snorby/public
      RailsEnv production
      <Directory /var/www/html/snorby/public>
        AllowOverride all
        Options -MultiViews
      </Directory>
      ServerSignature Off
      LogLevel info
      CustomLog /var/log/httpd/snorby.douglasqsantos.com.br-access.log combined
      ErrorLog /var/log/httpd/snorby.douglasqsantos.com.br-error.log
</VirtualHost>

Now we need to set the permissions on the Snorby directory.

chown -R apache:apache /var/www/html/snorby

Now we can restart the Apache server.

systemctl restart httpd

Now we can check the log files as follows.

tail -f /var/log/httpd/snorby.douglasqsantos.com.br-*

Now we need to create a service to start and stop Snorby.

vim /usr/lib/systemd/system/snorby.service
[Unit]
Description=Snorby ConfiServ
After=syslog.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/etc/snorby/snorby-start
ExecStop=/etc/snorby/snorby-stop

[Install]
WantedBy=multi-user.target

Now we need to enable the new service like this.

systemctl enable snorby

Now we need to create the directory that will store the script files.

mkdir /etc/snorby

Now we need to create the start script file.

vim /etc/snorby/snorby-start
#!/bin/bash

cd /var/www/html/snorby; RAILS_ENV=production /usr/bin/rails runner 'Snorby::Worker.start'

Now we need to create the stop script file.

vim /etc/snorby/snorby-stop
#!/bin/bash

cd /var/www/html/snorby; RAILS_ENV=production /usr/bin/rails runner 'Snorby::Worker.stop'

Now we need to give the scripts execute permission.

chmod +x /etc/snorby/snorby-*

Now we need to start Snorby.

systemctl start snorby

Now we can access Snorby at http://192.168.1.251 with user: snorby@snorby.org and password: snorby

We will get something like this.

After we configure Barnyard2 to populate the Snorby database, we will start to get information like the following.

We will be able to see information like this as well.

Email Configuration

If you need to enable email alerts, configure the following file.

vim /var/www/html/snorby/config/initializers/mail_config.rb
# Snorby Mail Configuration

# #
# Gmail Example:
#
ActionMailer::Base.delivery_method = :smtp
ActionMailer::Base.smtp_settings = {
  :address              => "mail.douglasqsantos.com.br",
  :port                 => 587,
  :domain               => "douglasqsantos.com.br",
  :user_name            => "snorby-monitor@douglasqsantos.com.br",
  :password             => "pzv3d7JERDPsW4d",
  :authentication       => "plain",
  :enable_starttls_auto => true
}

# #
# Sendmail Example:
#
# ActionMailer::Base.delivery_method = :sendmail
# ActionMailer::Base.sendmail_settings = {
#   :location => '/usr/sbin/sendmail',
#   :arguments => '-i -t'
# }

ActionMailer::Base.perform_deliveries = true
ActionMailer::Base.raise_delivery_errors = true

# Mail.register_interceptor(DevelopmentMailInterceptor) if Rails.env.development?

After that we need to update the Snorby configuration like this.

We need to go to the Snorby directory.

cd /var/www/html/snorby/

Now we need to update the configuration.

bundle exec rake snorby:update RAILS_ENV=production

Now we need to configure the email in: Administration/General settings.

  • Company name: DOUGLASQSANTOS
  • Company email: snorby-monitor@douglasqsantos.com.br
  • Save Settings.

Now we need to configure the administrator email in: Settings

  • Email: snorby@douglasqsantos.com.br
  • Enter the password, confirm it and click Update settings.

Note: the email snorby@douglasqsantos.com.br is usually an alias for other mailboxes.
