Today I spent the majority of the day installing and configuring a new Snorby frontend server for testing. I am documenting the process here and will be submitting it to Snorby.org to add to the wiki. I will be making some initial assumptions that you are comfortable using the command line and have some experience with SQL and Apache. Although pretty much anyone should be able to follow this guide through with no prior knowledge, it is useful to have the background knowledge so that you “understand” what it is you are typing! It’s worth noting I won’t be installing Snort, or detailing any of its configuration at this point; I am building a bare frontend with the intention that data will be fed into the database from elsewhere, as building a sensor, DB server and frontend onto a single box is a bad idea, and pretty unrealistic tbh! With that over, let’s begin!
Updated 03/03/10 to include Apache configuration
First, configure your server hardware. I went with a nice beefy Poweredge 2970 with 8x146Gb SAS Drives, Dual AMD Opteron 6Core Processors and 64Gb RAM – I think that should be plenty
RAID configuration consisted of 2 drives in RAID 1 containing the / and swap partitions using EXT4 – the rest was configured in RAID 5 and was for the database etc. The server also has a PERC SAS Direct Attached Storage card for future expansion. Once the base hardware is configured it’s time to install the OS – I went with Ubuntu Server 9.04 as I don’t trust 9.10 and there are a few improvements over 8.04; however, it doesn’t make much difference in this regard, so go with whatever suits you. The OS was a fairly standard install; I installed LAMP, OpenSSH and MySQL at build time to speed up the process. Once the OS is installed it’s time to get some dependencies!
First things first, you will probably want to install GIT to simplify the process of obtaining the Snorby components.
$sudo apt-get install git git-core
When trying to run the Apache/Ruby configuration script it threw a few errors about missing dependencies. I have listed them here, you may/may not need them but it wouldn’t harm either way:
$sudo apt-get install apache2-prefork-dev
$sudo apt-get install libapr1-dev
$sudo apt-get install libaprutil1-dev
$sudo apt-get install libopenssl-ruby
After grabbing a copy of git, we should now move on to getting Ruby/Rake/Rails set up and configured. In addition to the binaries you will need a few gems; follow the instructions carefully, as the Ubuntu repositories don’t include the correct version of Rake for whatever reason…
$sudo apt-get install ruby ruby1.8-dev rubygems
I will install Rake & Rails via Rubygems, as this seems to fix a few issues with wrong/incompatible versions that come from the repositories:
$sudo gem install rake
$sudo gem install rails
Add symlinks to ruby gems from your bin directory:
$sudo ln -s /var/lib/gems/1.8/bin/rake /usr/bin
$sudo ln -s /var/lib/gems/1.8/bin/rails /usr/bin
Few more gems are now needed:
$sudo gem install prawn
$sudo gem install mysql
$sudo gem install passenger
We need to symlink the passenger binaries (hence the asterisk) just as we did earlier for Rails/Rake.
$sudo ln -s /var/lib/gems/1.8/bin/pass* /usr/bin
Installing the gems as root means we don’t need to add any local paths to our .profile and makes sure any user on the box can use them. Next we need to create a database for Snorby, from a command line:
$mysqladmin -u root -p{root password} create snorby
(or whatever you want to call the database)
$mysql -u root -p{root password}
mysql> CREATE USER '{username}'@'localhost' IDENTIFIED BY '{password}';
mysql> GRANT ALL PRIVILEGES ON snorby.* TO '{username}'@'localhost' WITH GRANT OPTION;
At this point you may want to use the create_mysql script bundled with Snorby/Snort to create the DB table structure, although Snorby seems to do it when you run the configuration script (or maybe it was just me….):
$sudo mysql -u root -p{root password} snorby < {path to script directory}/create_mysql
Next, grab Snorby itself from GitHub:
$git clone git://github.com/mephux/Snorby.git
We need to edit Snorby’s database config file to reflect the changes we made above:
$cd ~/Snorby
~/Snorby$cp config/database.yml.example config/database.yml
~/Snorby$nano config/database.yml
The configuration is simple: change the database, username & password fields as appropriate. You only need to change the host if you have your DB on another server somewhere; in this case we don’t, so the default is fine:
production:
  adapter: mysql
  database: name_of_snort_database_here
  username: my_user
  password: my_password
  host: localhost
We need to comment out the RAILS_GEM_VERSION line in config/environment.rb, otherwise it will throw an error when configuring:
$nano config/environment.rb
Now we should move the Snorby folder to /var/www so that Apache can use the files.
$sudo mv ~/Snorby/ /var/www
Almost done, we just need to run the rails setup and let it do its thing, creating the table structure and setting up all the required bits and pieces:
$cd /var/www/Snorby
/var/www/Snorby$rake snorby:setup RAILS_ENV=production
Now let’s quickly set up the apache2 Ruby module. Follow the prompts and make a note of the lines you need to add to the apache2.conf file:
$sudo passenger-install-apache2-module
In my case (it will differ depending on your apache version so make a note of what the script says) I was asked to add the following:
LoadModule passenger_module /var/lib/gems/1.8/gems/passenger-2.2.10/ext/apache2/mod_passenger.so
PassengerRoot /var/lib/gems/1.8/gems/passenger-2.2.10
PassengerRuby /usr/bin/ruby1.8
to the main Apache config file:
$sudo nano /etc/apache2/apache2.conf
Next thing to do is either modify the default apache vhost to use Snorby as its document root, or create a new one (beyond the scope of this article):
$sudo nano /etc/apache2/sites-available/default
My default vhost file now contains the following:
<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/Snorby/public
    RailsBaseURI /
    <Directory /var/www/Snorby/public>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride all
        Order deny,allow
        allow from all
    </Directory>
    ErrorLog /var/log/apache2/error.log
</VirtualHost>
ErrorLog /var/log/apache2/error.log
Restart Apache and, all being well, you should be good to go. Try connecting to your server from a web browser; you should hopefully see the Snorby login page. Default credentials are – Snorby/admin
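Since database.yml now holds the MySQL password and the vhost decides what Apache serves, here is a small post-install check script for the layout built above. It is an added example, not part of the original post; the paths, the fixture contents and the exact directives it looks for are assumptions constructed for illustration.

```shell
#!/bin/sh
# Post-install checks for the Snorby/Apache layout built in this post.
# Added example, not from the original post; paths and the fixture
# contents below are assumptions constructed for illustration.

# DocumentRoot must be <app>/public, never the app root itself, otherwise
# config/database.yml (which holds the MySQL password) is reachable over HTTP.
check_docroot() {   # $1 = vhost file, $2 = Snorby app root
    docroot=$(sed -n 's/^[[:space:]]*DocumentRoot[[:space:]]*//p' "$1" | head -n 1)
    [ "$docroot" = "$2/public" ]
}

# "Options Indexes" enables directory listings of public/; it should be absent.
check_no_indexes() {   # $1 = vhost file
    if grep -Eq '^[[:space:]]*Options[[:space:]].*Indexes' "$1"; then return 1; fi
}

# database.yml must not be world-readable: the "others" permission digit is 0.
check_dbyml_mode() {   # $1 = Snorby app root
    f="$1/config/database.yml"
    [ -f "$f" ] || return 1
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    case "$mode" in *0) return 0 ;; *) return 1 ;; esac
}

# Constructed fixture: a scratch app root plus a one-file vhost. "weak" keeps
# Indexes on as in the post's vhost and adds two common slips (world-readable
# database.yml, app root used as DocumentRoot); "hard" is the tightened variant.
make_fixture() {   # $1 = weak | hard; prints the fixture directory
    d=$(mktemp -d); mkdir -p "$d/app/public" "$d/app/config"
    printf 'production:\n  adapter: mysql\n  password: secret\n' > "$d/app/config/database.yml"
    if [ "$1" = weak ]; then
        chmod 644 "$d/app/config/database.yml"
        printf 'DocumentRoot %s/app\nOptions Indexes FollowSymLinks MultiViews\n' "$d" > "$d/vhost"
    else
        chmod 640 "$d/app/config/database.yml"
        printf 'DocumentRoot %s/app/public\nOptions FollowSymLinks\n' "$d" > "$d/vhost"
    fi
    echo "$d"
}

# Run every check against a layout; prints PASS/FAIL per check, non-zero on any FAIL.
run_checks() {   # $1 = fixture directory (vhost at $1/vhost, app at $1/app)
    rc=0
    check_docroot "$1/vhost" "$1/app" && echo "PASS docroot" || { echo "FAIL docroot"; rc=1; }
    check_no_indexes "$1/vhost"       && echo "PASS indexes" || { echo "FAIL indexes"; rc=1; }
    check_dbyml_mode "$1/app"         && echo "PASS dbyml"   || { echo "FAIL dbyml";   rc=1; }
    return $rc
}
```

On a real box, point the three check functions at /etc/apache2/sites-available/default and /var/www/Snorby instead of a fixture.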




Hi,
I’ve been using Snort with its own mysql database configured via phpmyadmin, which works fine. I wanted to have a look at Snorby and all of the instructions have worked fine up to:
rake snorby:setup RAILS_ENV=production
Where it errors saying that the mysql gem is required. Can you confirm I need to gem install mysql?
Will this install another instance of mysql in addition to the existing one or just the extensions required? I’ve shown the full error message below:
thanks
Doug
ERROR MESSAGE:
root@lab05:/var/www/Snorby# rake snorby:setup RAILS_ENV=production
(in /var/www/Snorby)
[~] Setting Up Snorby Database.
!!! The bundled mysql.rb driver has been removed from Rails 2.2. Please install the mysql gem and try again: gem install mysql.
Couldn’t drop snort : #
!!! The bundled mysql.rb driver has been removed from Rails 2.2. Please install the mysql gem and try again: gem install mysql.
rake aborted!
no such file to load — mysql
Doug, the mysql gem is merely a plugin for ruby to allow it to talk to a mysql db so installing it shouldn’t be a problem. Try installing the extension (remember to sudo) and see if that works.
Matt
Thanks for sharing your tips, I was struggling getting snorby and apache working together (absolutely no skill in Ruby & co.). Your apache vhost setup allowed me to get it aside with Base on a CentOS.
@elgo No problem, I’m glad I was of help.
Enjoy playing around with Snorby.
Matt
Hi, Thanks for your tips.
rake snorby:setup RAILS_ENV=production
I have everything installed and configured without barnyard at the moment. I can work with base with no problem. I have configured a vhost on apache with rewrite allowed and options and all. When I go with my browser to my virtual host that contains Snorby nothing comes and I don’t find an error log.
I’m on freebsd 7.3…
Thanks for sharing your tips for resolving my problem…