
Installing Snorby for Snort on CentOS 6.6 64-bit

We’ve already gone through installing Snort, PulledPork and Barnyard2. That is not much help if there isn’t an easy way to look at the alerts and events Snort is triggering. Snorby integrates with Snort to provide metrics and reporting; it is a Ruby on Rails application. Once it is configured properly you can classify events into pre-configured or custom classifications, and you can do so with a simple hot key.

Even a small team without a dedicated security analyst can schedule daily reports to be emailed out with a summary of events. To get a glimpse of what it’s capable of, take a look at the demo at http://demo.snorby.org. The username is snorby@snorby.org and the password is snorby.

1) Prerequisites
yum -y groupinstall "Development Tools"
yum install -y openssl-devel readline-devel libxml2-devel libxslt-devel mysql mysql-devel mysql-libs mysql-server urw-fonts libX11-devel libXext-devel qconf fontconfig-devel libXrender-devel unzip ImageMagick xz libXext libXrender gdbm-devel libffi-devel zlib-devel libyaml-devel curl-devel pcre-devel git memcached-devel valgrind-devel ImageMagick-devel
rpm -Uvh http://blog.globaldyne.co.uk/support_files/wkhtmltox-0.12.1_linux-centos6-amd64.rpm
wget http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
wget http://rpms.famillecollet.com/enterprise/remi-release-6.rpm
rpm -Uvh remi-release-6*.rpm epel-release-6*.rpm

2) Get The Code & Dependencies
git clone http://github.com/Snorby/snorby.git

cd snorby && bundle install

bundle install needs Ruby and the bundler gem already present on the box; it pulls in the gems Snorby depends on (the -devel packages from step 1 are what the native gems compile against).

3) Edit The Snorby Configurations
There are three configuration files that will need to be modified for everything to work correctly.

Snorby Database Configurations – config/database.yml

# Snorby Database Configuration
#
# Please set your database password/user below
#
snorby: &snorby
  adapter: mysql
  username: root
  password: MYSQLPASS
  host: localhost

development:
  database: snorby
  <<: *snorby

test:
  database: snorby
  <<: *snorby

production:
  database: snorby
  <<: *snorby

Snorby System Configurations – config/snorby_config.yml

development:
  domain: localhost:3000
  wkhtmltopdf: /Users/mephux/.rvm/gems/ruby-1.9.2-p0/bin/wkhtmltopdf
  mailer_sender: 'snorby@snorby.org'
  rules:
    - "/Users/mephux/.snort/rules"
    - "/Users/mephux/.snort/so_rules"

test:
  domain: localhost:3000
  wkhtmltopdf: /usr/local/bin/wkhtmltopdf
  mailer_sender: 'snorby@snorby.org'

# Change the production configuration
# for your environment.
production:
  domain: 'demo.snorby.org'
  wkhtmltopdf: /path/to/wkhtmltopdf
  mailer_sender: 'snorby@snorby.org'
  rules:
    - "/path/to/rules/folder"
    - "/path/to/so_rules/folder"

Snorby Mail Configurations – config/initializers/mail_config.rb

# Snorby Mail Configuration

# # #
# Gmail Example:
#
# ActionMailer::Base.delivery_method = :smtp
# ActionMailer::Base.smtp_settings = {
#   :address              => "smtp.gmail.com",
#   :port                 => 587,
#   :domain               => "snorby.org",
#   :user_name            => "snorby",
#   :password             => "snorby",
#   :authentication       => "plain",
#   :enable_starttls_auto => true
# }

# # #
# Sendmail Example:
#
# ActionMailer::Base.delivery_method = :sendmail
# ActionMailer::Base.sendmail_settings = {
#   :location => '/usr/sbin/sendmail',
#   :arguments => '-i -t'
# }

ActionMailer::Base.perform_deliveries = true
ActionMailer::Base.raise_delivery_errors = true

# Mail.register_interceptor(DevelopmentMailInterceptor) if Rails.env.development?
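Before running the setup in the next step it is worth checking the three edited files. The script below is an added example, not part of this post or of Snorby itself: it loads database.yml and snorby_config.yml with Ruby’s standard YAML library (resolving the &snorby anchor and the <<: *snorby merge key the same way Rails does) and reports anything still left at the placeholder values above, the root MySQL account, and a wkhtmltopdf binary or rules directory that does not exist on the sensor. The embedded YAML is a constructed copy of the production stanzas shown above, used only so the script runs stand-alone; the file name snorby_preflight.rb is my own choice. Run it from the snorby checkout with ruby snorby_preflight.rb and it will check the real config files instead.

```ruby
# Added example: preflight check for config/database.yml and
# config/snorby_config.yml. Not part of Snorby; the sample YAML below is a
# constructed copy of the production stanzas from this post.
require 'yaml'

# Values copied from the post's sample files that must be replaced before use.
PLACEHOLDER_PASSWORDS = %w[MYSQLPASS snorby].freeze

# Constructed sample of config/database.yml, as shown in the post.
SAMPLE_DATABASE_YML = <<~YAML
  snorby: &snorby
    adapter: mysql
    username: root
    password: MYSQLPASS
    host: localhost

  production:
    database: snorby
    <<: *snorby
YAML

# Constructed sample of the production stanza of config/snorby_config.yml.
SAMPLE_SNORBY_CONFIG_YML = <<~YAML
  production:
    domain: 'demo.snorby.org'
    wkhtmltopdf: /path/to/wkhtmltopdf
    mailer_sender: 'snorby@snorby.org'
    rules:
      - "/path/to/rules/folder"
      - "/path/to/so_rules/folder"
YAML

# Load one environment's stanza. aliases: true is required for the &snorby
# anchor and the <<: *snorby merge key used in database.yml.
def load_env(yaml_text, env)
  YAML.safe_load(yaml_text, aliases: true).fetch(env) { raise "no #{env} section" }
end

# Findings for database.yml: placeholder password, root account, remote host.
def database_findings(yaml_text, env = 'production')
  cfg = load_env(yaml_text, env)
  findings = []
  if PLACEHOLDER_PASSWORDS.include?(cfg['password'].to_s)
    findings << "#{env}: password '#{cfg['password']}' is the placeholder from the example file"
  end
  if cfg['username'] == 'root'
    findings << "#{env}: Snorby connects as MySQL root; use a dedicated account with rights only on the snorby database"
  end
  unless cfg['host'] == 'localhost'
    findings << "#{env}: host #{cfg['host']} is remote; make sure MySQL is not reachable beyond the sensor"
  end
  findings
end

# Findings for snorby_config.yml: the wkhtmltopdf binary and the rules
# directories must exist, or PDF reports and rule lookups fail at runtime.
def system_findings(yaml_text, env = 'production')
  cfg = load_env(yaml_text, env)
  findings = []
  unless File.executable?(cfg['wkhtmltopdf'].to_s)
    findings << "#{env}: wkhtmltopdf is not an executable at #{cfg['wkhtmltopdf']}"
  end
  rules = Array(cfg['rules'])
  findings << "#{env}: no rules directories configured" if rules.empty?
  rules.reject { |dir| File.directory?(dir) }.each do |dir|
    findings << "#{env}: rules directory #{dir} does not exist"
  end
  findings
end

# Check the real files when run from the snorby checkout; fall back to the
# constructed samples so the script also runs on its own.
db_text  = File.exist?('config/database.yml') ? File.read('config/database.yml') : SAMPLE_DATABASE_YML
sys_text = File.exist?('config/snorby_config.yml') ? File.read('config/snorby_config.yml') : SAMPLE_SNORBY_CONFIG_YML
all_findings = database_findings(db_text) + system_findings(sys_text)
puts(all_findings.empty? ? 'OK: no findings' : all_findings)
```

Against the sample stanzas the script reports five findings (the placeholder password, the root account, the missing wkhtmltopdf binary and both missing rules directories); a clean run prints OK. The root-account finding is the one to act on before rake snorby:setup: a MySQL account granted only on the snorby database keeps a compromise of the web application from turning into full control of the database server.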

4) Start Snorby
First we need to set up the database and the Snorby defaults.
bundle exec rake snorby:setup
Once this has completed you can start Snorby with the following commands.

bundle exec rails server -e production

ruby script/delayed_job start RAILS_ENV=production
It is very important that you always start Snorby in production mode.
Snorby ships with a preconfigured administrator account. The default credentials are listed below. Remember to change the password and email address, or remove this account if it’s not needed.
  • Username: snorby@snorby.org
  • Password: snorby
5) Point your browser at the Snorby installation:
http://<yourip>:3000/
You should see the following screen after you log on: