This is a guide to installing Snorby on an Ubuntu Server machine, for integration with a Snort instance on pfSense. This howto should also work on Debian and other Debian-based distributions; however, I HIGHLY recommend NOT using Debian itself in any production environment, due to the distribution's lack of compile-time security options in its packages (blog about this to come).
Furthermore, this how-to guide should also work just fine (with minor tweaks) for installing Snorby on a separate machine to integrate with a standalone Snort instance.
I highly recommend purchasing the premium rules subscription from Sourcefire, which carries an annual cost of $29.95 so that your system has the most current rules.
Let’s get started
Software Installation and MySQL Setup
# Get packages (presuming you already have MySQL installed):
sudo apt-get install git-core ruby ruby1.8-dev rake rubygems rails
# Install rails:
gem install rails -v=2.3.2 --no-rdoc --no-ri
# Install other needed gems:
gem install rake prawn mysql --no-rdoc --no-ri
# Create a database for Snorby and Snort:
mysqladmin -uroot create snorbydb -p
mysql -uroot -p
CREATE USER 'snorby'@'localhost' IDENTIFIED BY 'pass';
CREATE USER 'snorby'@'pfSense IP' IDENTIFIED BY 'pass';
CREATE USER 'snorby'@'pfsense.host.name' IDENTIFIED BY 'pass';
GRANT ALL PRIVILEGES ON snorbydb.* TO 'snorby'@'localhost';
GRANT ALL PRIVILEGES ON snorbydb.* TO 'snorby'@'pfSense IP';
GRANT ALL PRIVILEGES ON snorbydb.* TO 'snorby'@'pfsense.host.name';
FLUSH PRIVILEGES;
exit
# Grab the Snort source:
cd /usr/local/src/
sudo apt-get source snort
# Load the Snort MySQL database schema:
cat snort-2.x.x.x/schemas/create_mysql | mysql -usnorby snorbydb -p
# Now grab the Snorby source from Github:
git clone git://github.com/mephux/Snorby.git
# While your pwd is /usr/local/src/ .. copy the configuration files:
cp Snorby/config/database.yml.example Snorby/config/database.yml
cp Snorby/config/email.yml.example Snorby/config/email.yml
# Edit the database YAML config file to reflect your snorby database info (production stanza):
vi Snorby/config/database.yml
# Edit the email YAML config file to reflect your email server info (production stanza):
vi Snorby/config/email.yml
# Setup Snorby for production (the rake task and the server must be run from inside the Snorby directory):
cd Snorby
rake snorby:setup RAILS_ENV=production
# Start Snorby!
ruby script/server -e production -b 0.0.0.0 -p 8080 -d
pfSense Configuration
For the sake of brevity, I will not cover the installation and initial interface configuration of Snort on pfSense. Please refer to the Setup Snort Package page in the pfSense docs to do this.
- From the pfSense web GUI, navigate to the Snort service menu: Services » Snort
- Edit the interface (repeat for each interface you wish to use with Snorby) and navigate to the Barnyard2 tab
- Check the Enable Barnyard2 on this Interface checkbox
- In the Log to a Mysql Database dialog, use the following format (change the values appropriately):
output database: alert, mysql, user=user password=pass dbname=snorby host=IP
- In the If Settings tab, check the box for Log Alerts to a snort unified2 file.
- Save the configuration and restart the Snort service on pfSense.
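The database details have to agree in three places (the MySQL grants, the production stanza of Snorby's database.yml, and the Barnyard2 output line on pfSense), and a mismatch in any one of them leaves Snorby with an empty event list. The following added example is my own Python, not code from the Snorby project or from the original post: it parses a Barnyard2 output line and a database.yml stanza and reports the mismatches. The sample line and stanza are constructed, and 192.0.2.10 is a placeholder for the Snorby server's address.

```python
import re

# Constructed sample inputs, modelled on the formats this howto uses (not taken from the post).
BARNYARD2_LINE = "output database: alert, mysql, user=snorby password=pass dbname=snorbydb host=192.0.2.10"
DATABASE_YML = """\
production:
  adapter: mysql
  database: snorbydb
  username: snorby
  password: pass
  host: localhost
"""

def parse_barnyard2_output(line):
    """Parse 'output database: <alert|log>, <dbtype>, key=value ...' into a dict."""
    m = re.match(r"^\s*output\s+database:\s*(\w+)\s*,\s*(\w+)\s*,\s*(.*)$", line)
    if not m:
        raise ValueError("not a Barnyard2 'output database' line")
    mode, dbtype, params = m.groups()
    cfg = {"mode": mode, "dbtype": dbtype}
    cfg.update(re.findall(r"(\w+)=(\S+)", params))
    return cfg

def parse_database_yml(text, env="production"):
    """Read one flat 'key: value' stanza of Snorby's database.yml without needing PyYAML."""
    stanza, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if not raw[0].isspace():            # an unindented line names the environment
            current = raw.strip().rstrip(":")
            continue
        if current == env:
            key, _, value = raw.strip().partition(":")
            stanza[key.strip()] = value.strip()
    return stanza

def check_consistency(by2, yml):
    """Return the mismatches that would make Barnyard2 write where Snorby does not read."""
    problems = []
    if by2.get("dbtype") != "mysql" or yml.get("adapter") not in ("mysql", "mysql2"):
        problems.append("database type is not MySQL on both sides")
    for by2_key, yml_key in (("user", "username"), ("password", "password"), ("dbname", "database")):
        if by2.get(by2_key) != yml.get(yml_key):
            problems.append(f"barnyard2 {by2_key}={by2.get(by2_key)!r} != database.yml {yml_key}={yml.get(yml_key)!r}")
    # Barnyard2 runs on pfSense, so host= must be the Snorby/MySQL box as seen from pfSense.
    if by2.get("host") in ("localhost", "127.0.0.1"):
        problems.append("barnyard2 host= points at pfSense itself; use the Snorby server's IP")
    return problems
```

An empty list from check_consistency means the Barnyard2 line and Snorby's stanza name the same user, password and database; the MySQL user then still needs a grant for the host pfSense connects from, as shown in the setup section above.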
Snorby Web UI
Navigate to the following URL to access the Snorby web UI:
http://snorby_ip_or_hostname:8080/
User: Snorby (case sensitive)
Pass: admin