Snorby in CentOS 6.4

25/02/2014: Hi, I’ve created a new post for CentOS 6.5 but it may work also for CentOS 6.4, please visit this new post before. I’ll keep this article as an archived version if you need to compile wkhtmltopdf for any reason.

 

If I want to have fun with Suricata IDS I think it will be useful to have a monitoring tool to track possible alerts. I’ve chosen Snorby as it seems to have a nice and intuitive GUI. Snorby uses ruby on rails and a mysql database. After many attempts I’ve finally got it running so I want to share with you the steps I’ve followed.

According to its web page, Snorby requires:

• Ruby > 1.9.2
• ImageMagick > 6.6.4
• Rails > 3.0.0
• Wkhtmltopdf

Unfortunately, packages in CentOS 6.4 repositories have older versions, maybe you can find newer versions in other repositories but time I’ll stick with the official repositories. Compilation fun! Warning: if you use the following commands check if newer versions of downloaded packages exist and change directories and names accordingly.

1. We’ll start installing some packages using yum

   yum groupinstall "Development Tools"
   yum install openssl-devel readline-devel libxml2-devel libxslt-devel mysql mysql-devel mysql-libs mysql-server urw-fonts libX11-devel libXext-devel qconf fontconfig-devel libXrender-devel unzip wget

2. Let’s compile ImageMagick.

   cd /opt
   wget http://ftp.sunet.se/pub/multimedia/graphics/ImageMagick/ImageMagick-6.8.5-9.tar.gz

3. tar xvfz ImageMagick-6.8.5-9.tar.gz
   cd ImageMagick-6.8.5-9
   ./configure
   make
   make install
   ldconfig /usr/local/lib

4. Time for Wkhtmltopdf. I’ve downloaded the source files because I had problems with the static versions of Wkhtmltopdf. I’ve used the readme file (README_WKHTMLTOPDF) which comes with wkhtmltopdf as a guide, but notice that the gitorious repository is not found.Warning: this step is going to take a loooong time so if you don’t need pdf reporting skip it.Warning: if you see squares in your pdf report instead of text install with yum the urw-fonts package. This information is provided thanks to this stackoverflow question.

   cd /opt
   git clone git://github.com/jcsalterego/wkhtmltopdf-qt.git wkhtmltopdf-qt
   cd wkhtmltopdf-qt

5. // Edit the mkspecs/linux-g++-64/qmake.conf file and change the following lines:
   QMAKE_LIBDIR_X11 = /usr/lib64
   QMAKE_LIBDIR_OPENGL = /usr/lib64

6. ./configure -nomake tools,examples,demos,docs,translations -opensource -prefix ../wkqt
   make -j3
   make install
   
   cd /opt
   wget http://wkhtmltopdf.googlecode.com/files/wkhtmltopdf-0.11.0_rc1.tar.bz2
   tar jxvf wkhtmltopdf-0.11.0_rc1.tar.bz2
   cd wkhtmltopdf-0.11.0_rc1
   ../wkqt/bin/qmake
   make
   ldconfig
   ln -s /opt/wkhtmltopdf-0.11.0_rc1/bin/wkhtmltopdf /usr/local/bin/wkhtmltopdf
   ln -s /opt/wkhtmltopdf-0.11.0_rc1/bin/libwkhtmltox.so.0 /usr/lib64/libwkhtmltox.so.0

7. MySQL!. Start the service and if it’s the first time you install it use the mysql_secure_installation to set root’s password and remove unnecessary tables.

   service mysqld start
   mysql_secure_installation
   chkconfig mysqld on

8. And now we need Ruby and RubyGems. I’m installing ruby 1.9.3 from ruby’s webpage.

   cd /opt
   wget ftp://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.3-p448.tar.gz
   tar xvfz ruby-1.9.3-p448.tar.gz
   cd ruby-1.9.3-p448
   ./configure
   make
   make install
   
   cd /opt
   wget http://production.cf.rubygems.org/rubygems/rubygems-2.0.4.tgz
   tar xvfz rubygems-2.0.4.tgz
   cd rubygems-2.0.4
   ruby setup.rb

9. We now have gem installed and we’re going to install bundler gem which is needed by Snorby setup.

   cd /opt
   gem install bundler

10. OK. I want to use Snorby so I need to download it!. I’ve had problems with the latest git version of snorby so I had to use the zip with the stable version (which is linked from Snorby’s webpage).

    wget -O snorby.zip --no-check-certificate https://github.com/Snorby/snorby/archive/master.zip
    unzip snorby.zip
    cd snorby-master

11. Now, pay attention! I’ve found many problems trying to use bundle with ruby 9.3 and I spent several hours finding out what to do. This is what I’ve done, I can guarantee that it’ll work with a newer ruby or snorby version but at least if you find the same problem you won’t suffer. If you find any error please contact me maybe I can help you and update the post so it’s useful for other users.

    //Edit the Gemfile file and change this line: 
    //gem 'rake', '0.9.2'   to:  gem 'rake', '> 0.9.2'
    //unless you want this error to show when using bundler: "error: /usr/local/lib/ruby/gems/1.9.1/gems/bundler-1.3.1/lib/bundler/fetcher.rb:112:in `specs': undefined method `each' //for nil:NilClass (NoMethodError)"
    
    //Edit the Gemfile file and add this line: 
    //gem 'orm_adapter' after the line: gem netaddr, 
    //unless you want this error when using bundler: 'orm_adapter' file not found
    
    //Edit Gemfile.lock and change rake (0.9.2) to rake(0.9.2.2) 
    //so rake setup does not complain about a different rake version
    
    //Create a snorby_config.yml file. Edit the production section and set your domain
    cp config/snorby_config.yml.example config/snorby_config.yml
    // Create a MySQL database and a user for snorby
    mysql> create database snorby;
    Query OK, 1 row affected (0.00 sec)
    mysql> grant all privileges on snorby.* to snorby@localhost identified by 'snorby';
    
    // Create a database.yml config file. 
    // Edit the file and set the root password and MySQL server location
    cp config/database.yml.example config/database.yml

12. OK! Now let’s install Snorby. And don’t forget to read the README.md file provided by Snorby’s developers

    // We are in the snorby directory 
    bundle install
    rake snorby:setup
    
    // This is the command's output
    ERROR 1007 (HY000) at line 1: Can't create database 'snorby'; database exists
    [datamapper] Finished auto_upgrade! for :default repository 'snorby'
    [~] Adding `index_timestamp_cid_sid` index to the event table
    [~] Adding `id` to the event table
    [~] Building `aggregated_events` database view
    [~] Building `events_with_join` database view
    * Removing old jobs
    * Starting the Snorby worker process.
    * Adding jobs to the queue

13. Snorby is installed woohoo! Before launching it let’s create an iptables rule (TCP 3000 is the default port)

    iptables -I INPUT -p tcp --dport 3000 -m state --state=NEW,ESTABLISHED,RELATED -j ACCEPT

14. And now finally let’s start Snorby in my CentOS 6.4 server:

    rails server -e production
    Booting WEBrick Rails 3.1.12 application starting in production on http://0.0.0.0:300
    Call with -d to detach 
    Ctrl-C to shutdown server

15. If all is fine, open a web browser http://x.x.x.x:3000.  Here, two screenshots so you can check that I haven’t lied to you.
    

Snorby default credentials are: snorby@snorby.org and password snorby.

I’ve had several issues with QT compilation and these links helped me:

• http://qt-project.org/forums/viewthread/6476
• http://www.qtforum.org/article/27886/installing-qt4-problem-basic-xlib-functionality-test-failed.html

Enjoy!