Installing and Configuring Snorby on Debian Wheezy

Snorby is a Ruby on Rails web application for network security monitoring that interfaces with the currently popular intrusion detection systems (Snort, Suricata and Sagan). The fundamental concepts behind Snorby are simplicity, organization and power. The project goal is to create a free, open source and highly competitive application for network monitoring, for both private and enterprise use.

Set up your system with the following script to ensure that nothing will be missing: http://wiki.douglasqsantos.com.br/doku.php/confinicialwheezy_en

  • Snorby will use the following IP: 192.168.1.251

Let's install the dependencies for Snorby.

aptitude install bison autoconf automake ca-certificates ethtool flex g++ gcc gcc-4.4 make zlib1g-dev pkg-config checkinstall mysql-server default-jdk \
mysql-common mysql-client libmysqlclient-dev libyaml-dev git-core imagemagick libmagickwand-dev build-essential libssl-dev libreadline-gplv2-dev \
linux-headers-$(uname -r) libsqlite3-dev libxslt1-dev libxml2-dev libapache2-mod-passenger libmysql++-dev apache2-prefork-dev libtool \
apache2-mpm-worker libcurl4-openssl-dev ruby ruby-dev curl libmnl-dev libnfnetlink-dev libnetfilter-queue-dev -y

We need to get another dependency and install it manually with the following commands

cd /usr/src
wget -c http://wiki.douglasqsantos.com.br/Downloads/ips/wkhtmltox-0.12.2_linux-wheezy-amd64.deb
dpkg -i wkhtmltox-0.12.2_linux-wheezy-amd64.deb
apt-get install -f -y

Now we need to install Rails and Rake

gem install bundler rails
gem install rake --version=0.9.2

Now we need to get the Snorby sources with the following command

cd /var/www && wget -c http://wiki.douglasqsantos.com.br/Downloads/ips/snorby.tar.gz

We need to decompress the Snorby archive

tar -xvf snorby.tar.gz

Now we need to copy some files

cd /var/www/snorby/config/
cp database.yml.example database.yml
cp snorby_config.yml.example snorby_config.yml

Now we need to configure the Snorby main file as follows

vim /var/www/snorby/config/snorby_config.yml
#/var/www/snorby/config/snorby_config.yml
production:
  baseuri: ''
  domain: 'snorby.douglasqsantos.com.br'
  wkhtmltopdf: /usr/local/bin/wkhtmltopdf
  ssl: false
  mailer_sender: 'douglas.q.santos@gmail.com'
  geoip_uri: "http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz"
  rules:
    - ""
  authentication_mode: database
  timezone_search: true
  time_zone: 'America/Sao_Paulo'

Now we need to create the database for Snorby

mysql -u root -p
CREATE DATABASE snorby;
GRANT ALL PRIVILEGES ON snorby.* TO snorby@'%' IDENTIFIED BY 'senha';
FLUSH PRIVILEGES;
exit

Now we need to enable remote access, because Suricata or Snort will need to write to this database from the sensor.

vim /etc/mysql/my.cnf
[...]
bind-address            = 0.0.0.0

Now we need to restart the MySQL server as follows

/etc/init.d/mysql restart

Now we need to configure the database connection file

vim /var/www/snorby/config/database.yml
# /var/www/snorby/config/database.yml
snorby: &snorby
  adapter: mysql
  username: snorby
  password: "senha"
  host: localhost

production:
  database: snorby
  <<: *snorby

Now we need to deploy Snorby as follows

cd /var/www/snorby/
bundle install
bundle exec rake snorby:setup RAILS_ENV=production

Now we need to create the virtual host that Snorby will use

vim /etc/apache2/sites-available/snorby.conf
<VirtualHost *:80>
    ServerName snorby.douglasqsantos.com.br
    DocumentRoot /var/www/snorby/public
    RailsEnv production
    <Directory /var/www/snorby/public>
        AllowOverride all
        Options -MultiViews
    </Directory>
    ServerSignature Off
    LogLevel info
    CustomLog /var/log/apache2/snorby.douglasqsantos.com.br-access.log combined
    ErrorLog /var/log/apache2/snorby.douglasqsantos.com.br-error.log
</VirtualHost>

Now we need to set the permissions on the Snorby directory

chown -R www-data:www-data /var/www/snorby

Now let's disable the default virtual host and enable the Snorby one

a2dissite default
a2ensite snorby.conf

Now we can restart the Apache server

/etc/init.d/apache2 restart

Now we can check the log files as follows

tail -f /var/log/apache2/snorby.douglasqsantos.com.br-*

To launch Snorby at boot time we need to create a startup script.

We need to create the directory to store the scripts

mkdir /etc/snorby

We need to create the script that will start Snorby

vim /etc/snorby/snorby-start
#!/bin/bash

cd /var/www/snorby; RAILS_ENV=production /usr/local/bin/rails runner 'Snorby::Worker.start'

We need to create the script that will stop Snorby

vim /etc/snorby/snorby-stop
#!/bin/bash

cd /var/www/snorby; RAILS_ENV=production /usr/local/bin/rails runner 'Snorby::Worker.stop'

Now we need to create the System V init script

vim /etc/init.d/rc.snorby
#!/bin/sh
#-------------------------------------------------#
# Author: Douglas Quintiliano dos Santos
# Date: 14/04/2015
#-------------------------------------------------#
### BEGIN INIT INFO
# Provides:             rc.snorby
# Required-Start:       $remote_fs $syslog
# Required-Stop:        $remote_fs $syslog
# Default-Start:        2 3 4 5
# Default-Stop:
# Short-Description:    Snorby
### END INIT INFO

# Terminal colours for the status messages (printf expands the octal escapes,
# so this works with dash's echo as well as bash's)
GREEN=$(printf '\033[1;32m')
RED=$(printf '\033[1;31m')
CLOSE=$(printf '\033[0m')

case $1 in
  start)
    echo "${GREEN}[         Starting Snorby          ]${CLOSE}"
    . /etc/snorby/snorby-start
    echo "${GREEN}[         Started Snorby           ]${CLOSE}"
  ;;
  stop)
    echo "${RED}[         Stopping Snorby ...      ]${CLOSE}"
    . /etc/snorby/snorby-stop
    echo "${RED}[         Stopped Snorby           ]${CLOSE}"
  ;;
  restart)
    $0 stop
    $0 start
  ;;
  *)
    echo "${RED}Valid Options: (start|stop|restart)${CLOSE}"
  ;;
esac

We need to make the script executable

chmod +x /etc/init.d/rc.snorby

We need to register it to run at boot time

insserv -f -v rc.snorby

Now we need to start Snorby

/etc/init.d/rc.snorby start

Now we can access Snorby at http://192.168.1.190 with user snorby@snorby.org and password snorby

We will see a login page like this.

After we configure Barnyard2 to populate the Snorby database, we will start to see information like the screenshot below.

We will also be able to see information like this.

Email Configuration

If you need to enable email alerts, configure the following file

vim /var/www/snorby/config/initializers/mail_config.rb
# Snorby Mail Configuration

# #
# Gmail Example:
#
ActionMailer::Base.delivery_method = :smtp
ActionMailer::Base.smtp_settings = {
  :address              => "mail.douglasqsantos.com.br",
  :port                 => 587,
  :domain               => "douglasqsantos.com.br",
  :user_name            => "snorby-monitor@douglasqsantos.com.br",
  :password             => "pzv3d7JERDPsW4d",
  :authentication       => "plain",
  :enable_starttls_auto => true
}

# #
# Sendmail Example:
#
# ActionMailer::Base.delivery_method = :sendmail
# ActionMailer::Base.sendmail_settings = {
#   :location => '/usr/sbin/sendmail',
#   :arguments => '-i -t'
# }

ActionMailer::Base.perform_deliveries = true
ActionMailer::Base.raise_delivery_errors = true

# Mail.register_interceptor(DevelopmentMailInterceptor) if Rails.env.development?

After that we need to update the Snorby configuration as follows

We need to go to the Snorby directory

cd /var/www/snorby/

Now we need to update the configuration

bundle exec rake snorby:update RAILS_ENV=production

Now we need to configure the email in Administration / General Settings.

  • Company name: DOUGLASQSANTOS
  • Company email: snorby-monitor@douglasqsantos.com.br
  • Save Settings.

Now we need to configure the administrator email in Settings

  • Email: snorby@douglasqsantos.com.br
  • Enter the password, confirm it and click Update settings.

Note: The email snorby@douglasqsantos.com.br is usually an alias for other email addresses.
