Installing Snort and Snorby on Debian

In this post I’m going to walk you through on how-to install Snort and the Snorby web UI on a freshly installed Debian Wheezy box.

As a first step we’re going to install Snort. Luckily it’s up in the repos, so we’re just going to apt-get it. I’m going to go with the snort-mysql package, as it gives a mysql DB support to snort which is a good thing. So first let’s get a mysql server up and running

get update && apt-get upgrade -y && apt-get install mysql-server mysql-client

Then we can get snorby up:

apt-get install snort-mysql

This will ask a few questions and it doesn’t matter what you answer as we’ll have to reconfigure it after Snorby has been installed anyway.

Moving on to installing Snorby. Prerequisites:

apt-get install libyaml-dev git-core default-jre imagemagick libmagickwand-dev wkhtmltopdf build-essential libssl-dev libreadline-gplv2-dev zlib1g-dev <linux-headers-686-pae> libsqlite3-dev libxslt1-dev libxml2-dev libmysqlclient-dev libmysql++-dev apache2-prefork-dev libcurl4-openssl-dev ruby ruby-dev

 
apt-cache search linux-headers

linux-headers-3.2.0-4-all - All header files for Linux 3.2 (meta-package)
linux-headers-3.2.0-4-all-amd64 - All header files for Linux 3.2 (meta-package)
linux-headers-3.2.0-4-amd64 - Header files for Linux 3.2.0-4-amd64
linux-headers-3.2.0-4-common - Common header files for Linux 3.2.0-4
linux-headers-3.2.0-4-common-rt - Common header files for Linux 3.2.0-4-rt
linux-headers-3.2.0-4-rt-amd64 - Header files for Linux 3.2.0-4-rt-amd64
linux-headers-2.6-amd64 - Header files for Linux amd64 configuration (dummy package)
linux-headers-amd64 - Header files for Linux amd64 configuration (meta-package)
linux-headers-rt-amd64 - Header files for Linux rt-amd64 configuration (meta-package

apt-get install libyaml-dev git-core default-jre imagemagick libmagickwand-dev wkhtmltopdf build-essential libssl-dev libreadline-gplv2-dev zlib1g-dev libsqlite3-dev libxslt1-dev libxml2-dev libmysqlclient-dev libmysql++-dev apache2-prefork-dev libcurl4-openssl-dev ruby ruby-dev linux-headers-3.2.0-4-all

Don’t forget to use the linux headers for your kernel’s architecture

gem install bundler rails 

gem install rake --version=0.9.2

cd /var/www/

Download the source for the application.

git clone http://github.com/Snorby/snorby.git

cd /var/www/snorby/config/

Set up configuration files.

cp database.yml.example database.yml

cp snorby_config.yml.example snorby_config.yml

sed -i s/"\/usr\/local\/bin\/wkhtmltopdf"/"\/usr\/bin\/wkhtmltopdf"/g snorby_config.yml

Tell snorby the mysql database name, user and password that it should use.

nano database.yml

At this point you should also create the user and the database. I just used phpmyadmin, but it shouldn’t be too hard to create a new user from the command line.

cd /var/www/snorby/

Let’s install it.

bundle install --deployment

bundle exec rake snorby:setup

At this point Snorby should start when you type:

bundle exec rails server -e production -b 127.0.0.1

If you point your browser to

http://localhost:3000

the Snorby WebUI should pop up. You can access it with the default credentials:

snorby@snorby.org
snorby

Don’t be stupid, change the email and the password after logging in.

Now if you look around the site you’ll notice that Snorby isn’t getting any data just yet. So we’ll have to configure Snort!

dpkg-reconfigure snort-mysql

Answer the questions, set up all the interface you need for sniffing network traffic and enter Snorby’s mysql database and the username and password for it when prompted. Now that the database is configured we’ll just need to move away a lock file, so that Snort can start up.

mv /etc/snort/db-pending-config /etc/snort/db-pending-config_no_more

At this point we’re ready to launch snort:

service snort start

Let’s test it!

Snort should alert for nmap scans so on another box just type:

nmap -A -T5 yourhost.org

Let it run, then check Snorby. You should see something similar to the picture below.

Now there’s really only one thing left before we’re done: Make Snorby autostart on boot.

cd /etc/init.d/

nano snorby

A simple script like this should do the trick:

#!/bin/bash

cd /var/www/snorby && bundle exec rails server -e production &

Let’s put it to start in runlevel 2:

chmod +x snorby

update-rc.d -f snorby start 2

And now Snorby will start whenever the system enters runlevel 2 and we’re done.

Last updated on