The key difference between the "vanilla" Snorby installation and this procedure is that I want to use Ubuntu's packaged versions of as many things as possible. I love the way Ruby bundles dependencies and compiles a standalone environment. Any sane admin would sacrifice disk space to reduce system interdependencies. I'm just seeing what I can get away with.
You must have gcc and a supporting build environment installed. I don't show that here. You install the Ruby components with:
$ sudo apt-get install ruby1.9.3 rails bundler rake wkhtmltopdf
Now you need dev packages for the gems that have C/C++ source that needs to be built:
$ sudo apt-get install mysql-server git-core libxml++2.6-dev libxslt1-dev libmysqlclient-dev
Now build. This process can be done entirely as a non-root user, therefore it should be. No excuses.
$ sudo mkdir /opt/snorby
$ sudo chown me:me /opt/snorby
$ cd /opt/snorby
$ wget https://github.com/Snorby/snorby/archive/v2.6.2.tar.gz
$ tar -xvf v2.6.2.tar.gz
$ cd snorby-2.6.2
$ bundle install
$ bundle exec rake snorby:setup
During setup I see this warning:
"Jammit Warning: Asset compression disabled -- Java unavailable."
I'm ignoring it based on reading this thread.
Add a snorby user to the database. Don't fail to change the name and password.
mysql> grant all on snorby.* to 'snorby'@'localhost' identified by 'snorby';
Use the default configurations as a template:
$ cp config/snorby_config.yml.example config/snorby_config.yml
$ cp config/database.yml.example config/database.yml
Customize those files to match your needs. Snorby's instructions have the best information. Here's what I changed in my configuration:
- Basic configuration: domain, email.
- The location of wkhtmltopdf is /usr/bin/wkhtmltopdf
- Database username and password.
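Because the grant statement above uses the literal password 'snorby', it is easy to forget to replace it in config/database.yml, and that file also ends up readable by every local user when it is copied from the example. The script below is an added example, not part of the original post or of Snorby itself: a small POSIX sh check that refuses a database.yml which is group/world-readable or still carries the default or an empty password. It assumes the standard Rails database.yml layout (a `password:` key under the environment block); the two sample files it creates are constructed for the demo and are not real Snorby configuration.

```shell
#!/bin/sh
# Added example (not from the original post or from Snorby): sanity-check a
# Snorby config/database.yml before starting the service.
# Assumes the usual Rails layout with a "password:" key; the sample files
# written further down are constructed for this demo.

# check_db_config FILE
# Returns 0 when FILE is owner-readable only (mode 600 or 400) and its
# password is neither empty nor the default 'snorby' from the grant line;
# otherwise prints one line per finding and returns 1.
check_db_config() {
    file="$1"
    rc=0
    if [ ! -f "$file" ]; then
        echo "missing: $file"
        return 1
    fi

    # Permission check: DB credentials should not be readable by other
    # local users. GNU stat first, BSD stat as a fallback.
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
    case "$mode" in
        600|400) ;;
        *) echo "finding: $file is mode $mode (expected 600)"; rc=1 ;;
    esac

    # Credential check: take the first "password:" value, strip quotes and
    # spaces, and reject the empty string and the default 'snorby'.
    pw=$(sed -n 's/^[[:space:]]*password:[[:space:]]*//p' "$file" | head -n 1 | tr -d "\"' ")
    case "$pw" in
        "")     echo "finding: empty or missing password in $file"; rc=1 ;;
        snorby) echo "finding: default password 'snorby' still set in $file"; rc=1 ;;
    esac

    return $rc
}

# Constructed sample files for the demo (not real Snorby configuration).
demo_dir=$(mktemp -d)

# Copied straight from the example: default credentials, world-readable.
cat > "$demo_dir/bad.yml" <<'EOF'
snorby: &snorby
  adapter: mysql
  username: snorby
  password: snorby
  host: localhost
EOF
chmod 644 "$demo_dir/bad.yml"

# Customized: distinct user, generated secret, owner-only permissions.
cat > "$demo_dir/good.yml" <<'EOF'
snorby: &snorby
  adapter: mysql
  username: snorby_app
  password: "replace-me-with-a-generated-secret"
  host: localhost
EOF
chmod 600 "$demo_dir/good.yml"

# Demo run; wrapped in "if" so a failing check does not abort the script.
if check_db_config "$demo_dir/bad.yml"; then
    echo "bad.yml passed (unexpected)"
else
    echo "bad.yml rejected"
fi
if check_db_config "$demo_dir/good.yml"; then
    echo "good.yml accepted"
fi
```

Run it against the real file with `check_db_config /opt/snorby/snorby-2.6.2/config/database.yml` (path from the build steps above) before `rake snorby:setup` or the first service start; the same two checks apply to /etc/barnyard2.conf once it carries the same credentials.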
What's next? Snorby's site has instructions on how to start it. After that you have to integrate the output of Suricata.
Hello Mike,
Do I need to load the Barnyard schema into the Snorby database? Is that even necessary? I am using Snort with Pfsense and it comes with Barnyard2.
Thanks,
Ken
Hi Ken,
I don't remember exactly. But, I'm using Barnyard2 from the Ubuntu repository and I don't see any installed SQL files. Therefore, I wouldn't have manually loaded the schema. I think Barnyard2 must be initializing the schema if it sees that its tables don't exist.
You have to punch in your DB user and password in both /etc/barnyard2.conf and in your /config/database.yml files.
Cheers
./m