The key difference between the "vanilla" Snorby installation and this procedure is that I want to use Ubuntu's packaged versions of as many things as possible. I love the way Ruby bundles dependencies and compiles a standalone environment. Any sane admin would sacrifice disk space to reduce system interdependencies. I'm just seeing what I can get away with.
You must have gcc and a supporting build environment installed. I don't show that here. You install the Ruby components with:
$ sudo apt-get install ruby1.9.3 rails bundler rake wkhtmltopdf
Now you need dev packages for the gems that have C/C++ source that needs to be built:
$ sudo apt-get install mysql-server git-core libxml++2.6-dev libxslt1-dev libmysqlclient-dev
Now build. This process can be done entirely as a non-root user, therefore it should be. No excuses.
$ sudo mkdir /opt/snorby
$ sudo chown me:me /opt/snorby
$ cd /opt/snorby
$ wget https://github.com/Snorby/snorby/archive/v2.6.2.tar.gz
$ tar -xvf v2.6.2.tar.gz
$ cd snorby-2.6.2
$ bundle install
$ bundle exec rake snorby:setup
During setup I see this warning:
"Jammit Warning: Asset compression disabled -- Java unavailable."
I'm ignoring it based on reading this thread.
Add a snorby user to the database. Be sure to change the username and password from the values shown here.
mysql> grant all on snorby.* to 'snorby'@'localhost' identified by 'snorby';
Use the default configurations as a template:
cp config/snorby_config.yml.example config/snorby_config.yml
cp config/database.yml.example config/database.yml
Customize those files to match your needs. Snorby's instructions have the best information. Here's what I changed in my configuration:
- Basic configuration: domain, email.
- The location of wkhtmltopdf is /usr/bin/wkhtmltopdf
- Database username and password.
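The two places where the credential is typed (the MySQL grant above and config/database.yml) are where a copy-pasted 'snorby' password tends to survive. The script below is an added example, not part of the original post or of Snorby: it generates a random password, emits the matching GRANT, writes a database.yml with mode 600, and provides a check that flags the example password. The YAML keys are a constructed illustration; take the real ones from config/database.yml.example.

```shell
# Added example: keep the default 'snorby' password out of the running config.

gen_password() {
  # 18 random bytes -> 24 base64 characters; '+' and '/' are swapped for '-' and '_'
  # so the value is safe inside single quotes, double quotes and YAML.
  head -c 18 /dev/urandom | base64 | tr '+/' '-_' | tr -d '\n'
}

grant_sql() {
  # $1 = password. Same scope as the post: the snorby schema only, localhost only.
  printf "grant all on snorby.* to 'snorby'@'localhost' identified by '%s';\n" "$1"
}

write_database_yml() {
  # $1 = output path, $2 = password. umask 077 in a subshell so the file is created
  # 0600 without changing the caller's umask. Layout is constructed for illustration.
  ( umask 077; cat > "$1" <<EOF
production:
  adapter: mysql
  username: snorby
  password: "$2"
  database: snorby
  host: localhost
EOF
  )
}

has_default_password() {
  # $1 = yml path. Returns 0 (true) if any password: line still holds the example
  # value 'snorby', quoted or unquoted; run this before deploying the config.
  grep -Eq "^[[:space:]]*password:[[:space:]]*['\"]?snorby['\"]?[[:space:]]*$" "$1"
}

# Usage (writes a fresh config and prints the GRANT to paste into the mysql shell):
#   pw=$(gen_password); write_database_yml config/database.yml "$pw"; grant_sql "$pw"
```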
What's next? Snorby's site has instructions on how to start it. After that you have to integrate the output of Suricata.