Install Snorby for snort and sagan CentOS/RHEL 5 or 6

Overview

Snorby is a Ruby on Rails application for network security monitoring that interfaces with popular intrusion detection systems (Snort, Sagan and Suricata). If you are looking for a cool, simple yet powerful IDS monitoring interface, Snorby is perfect for you.

Install Snorby for snort and sagan CentOS 5 or 6

Install some dependencies


# yum install -y gcc ruby-devel libxml2 libxml2-devel libxslt libxslt-devel ImageMagick* readline-devel

Install libyaml, which is not available in the base CentOS repos, and also install wkhtmltopdf (Snorby uses it to generate PDF reports).


# wget http://pyyaml.org/download/libyaml/yaml-0.1.4.tar.gz
# tar zxvf yaml-0.1.4.tar.gz
# cd yaml-0.1.4
# ./configure
# make
# make install
# wget http://wkhtmltopdf.googlecode.com/files/wkhtmltopdf-0.9.9-static-amd64.tar.bz2
# bunzip2 wkhtmltopdf-0.9.9-static-amd64.tar.bz2
# tar xvf wkhtmltopdf-0.9.9-static-amd64.tar
# cp wkhtmltopdf-amd64 /usr/local/bin/wkhtmltopdf

Now let's install Ruby.


# wget http://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.3-p194.tar.gz
# tar zxvf ruby-1.9.3-p194.tar.gz
# cd ruby-1.9.3-p194
# ./configure
# make
# make install

Install Bundler


# gem install bundle

Pull the Snorby code from the git repo. Snorby needs to live under /var/www/.


# cd /var/www/
# git clone http://github.com/Snorby/snorby.git

Install all Ruby dependencies


# cd snorby
# bundle install
# bundle install --path vendor/cache


Edit the configuration files according to your environment. Copy the sample file and edit it with a text editor.


# cd /var/www/snorby/config/
# cp snorby_config.yml.example snorby_config.yml
# vi /var/www/snorby/config/snorby_config.yml
(Make sure your domain and wkhtmltopdf path are set properly)
development:
  domain: snorby.linuxdrops.com
  wkhtmltopdf: /usr/local/bin/wkhtmltopdf

test:
  domain: snorby.linuxdrops.com
  wkhtmltopdf: /usr/local/bin/wkhtmltopdf

production:
  domain: snorby.linuxdrops.com
  wkhtmltopdf: /usr/local/bin/wkhtmltopdf

Edit mail_config.rb to enable mail notifications.


# vi /var/www/snorby/config/initializers/mail_config.rb

(Uncomment the following lines)
ActionMailer::Base.delivery_method = :sendmail
ActionMailer::Base.sendmail_settings = {
  :location  => '/usr/sbin/sendmail',
  :arguments => '-i -t'
}


Copy the sample database.yml and fill in the DB username and password. For Snorby to be able to create the database, put in the MySQL root username and password for now; we will switch to a dedicated user right after the installation.


# cd /var/www/snorby/config/
# cp database.yml.example database.yml
# vi /var/www/snorby/config/database.yml
(Put in the MySQL root username and password; don't worry, we will change it later)
snorby: &snorby
  adapter: mysql
  username: root
  password: root
  host: localhost

development:
  database: snort
  <<: *snorby

test:
  database: snort
  <<: *snorby

production:
  database: snort
  <<: *snorby

Start the Snorby installation.


# cd /var/www/snorby
# rake snorby:setup

Snorby will create a database named snort. Once that is done, create a dedicated DB user with full access on that database only, then update database.yml to use it instead of root.


# mysql -uroot -proot
mysql> grant all privileges on snort.* to 'snort'@'localhost' identified by 'snort';
mysql> flush privileges;
mysql> exit;

# vi /var/www/snorby/config/database.yml
snorby: &snorby
  adapter: mysql
  username: snort
  password: snort
  host: localhost

development:
  database: snort
  <<: *snorby

test:
  database: snort
  <<: *snorby

production:
  database: snort
  <<: *snorby
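The grant and database.yml rewrite above, as one script added here (not part of the original guide) that uses a random password instead of snort/snort and writes the file with restrictive permissions. It assumes the /var/www/snorby checkout from the guide, a local mysql client, and the user name snorby, which is a chosen placeholder.

```bash
#!/bin/bash
# Added example, not from the original guide: replace the root/root and
# snort/snort credentials with a dedicated MySQL user and a random password,
# and regenerate database.yml to match. Assumes the /var/www/snorby checkout
# from the guide, a mysql client on PATH, and the MySQL root password at hand.
set -eu

DB_NAME=snort                               # database that rake snorby:setup created
DB_USER=snorby                              # dedicated application user (chosen name)
DB_YML=/var/www/snorby/config/database.yml

# 24 random alphanumerics: hard to guess and safe inside YAML double quotes.
gen_password() {
  LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 24
}

# Privileges scoped to the snort schema only, in the GRANT form the guide uses.
grant_sql() {
  printf "GRANT ALL PRIVILEGES ON %s.* TO '%s'@'localhost' IDENTIFIED BY '%s';\n" \
    "$DB_NAME" "$1" "$2"
  printf "FLUSH PRIVILEGES;\n"
}

# Same layout as the guide's database.yml, with the new credentials filled in.
render_database_yml() {
  cat <<EOF
snorby: &snorby
  adapter: mysql
  username: $1
  password: "$2"
  host: localhost
development:
  database: $DB_NAME
  <<: *snorby
test:
  database: $DB_NAME
  <<: *snorby
production:
  database: $DB_NAME
  <<: *snorby
EOF
}
# Only touch the system when run as "./snorby_db_user.sh apply"; otherwise only define functions.
if [ "${1:-}" = "apply" ]; then
  PASS=$(gen_password)
  grant_sql "$DB_USER" "$PASS" | mysql -uroot -p   # prompts for the MySQL root password
  umask 077                                       # database.yml now holds a secret
  render_database_yml "$DB_USER" "$PASS" > "$DB_YML"
fi
```

After running it with apply, restart Apache so Passenger picks up the new database.yml.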

Install the Apache Passenger module


# passenger-install-apache2-module

The installer will show you the lines you need to add to the Apache configuration (refer to the screenshot below).
[Screenshot: output of passenger-install-apache2-module]

Create a configuration file to load the Passenger module at Apache startup


# vi /etc/httpd/conf.d/passenger.conf

Append the following to it


LoadModule passenger_module /usr/local/lib/ruby/gems/1.9.1/gems/passenger-3.0.17/ext/apache2/mod_passenger.so
PassengerRoot /usr/local/lib/ruby/gems/1.9.1/gems/passenger-3.0.17
PassengerRuby /usr/local/bin/ruby

Create a virtual host for Snorby


# vi /etc/httpd/conf/httpd.conf

Append the following to it (the log-format nickname custom must already be defined with a LogFormat directive in httpd.conf; use combined if it is not):


<VirtualHost *:80>
  ServerAdmin root@localhost
  ServerName snorby.linuxdrops.com
  RailsEnv production
  ServerAlias localhost.localdomain
  DocumentRoot /var/www/snorby/public
  ErrorLog logs/snorby-error_log
  CustomLog logs/snorby-access_log custom
  <Directory /var/www/snorby/public>
    Allow from all
    Options -MultiViews
  </Directory>
</VirtualHost>

Finally, restart Apache


# /etc/init.d/httpd restart

Point your browser to http://ip-address-or-domain to reach the Snorby login page.