Snorby on CentOS 6.3

Update: 02/06/2013. I’ve created a new post for CentOS 6.4; if you have problems with CentOS 6.3, try checking that post first.

Since I want to have fun with the Suricata IDS, I think it will be useful to have a monitoring tool to track its alerts. I’ve chosen Snorby as it seems to have a nice and intuitive GUI. Snorby uses Ruby on Rails and a MySQL database. After many attempts I’ve finally got it running, so I want to share with you the steps I’ve followed.

According to its web page, Snorby requires:

  • Ruby > 0.9.2
  • ImageMagick > 6.6.4
  • Rails > 3.0.0
  • Wkhtmltopdf

Unfortunately, the packages in the CentOS 6.3 repositories are older versions; maybe you can find newer versions in other repositories, but for now I’ll stick with the official repositories. Compilation fun! Warning: if you use the following commands, check whether newer versions of the downloaded packages exist and change directories and names accordingly.

  1. We’ll start by installing some packages using yum 
    yum groupinstall "Development Tools"
    yum install openssl-devel readline-devel libxml2-devel libxslt-devel mysql mysql-devel mysql-libs mysql-server urw-fonts
    
  2. Let’s compile ImageMagick (the tarball has to be extracted before changing into its directory).
    cd /opt
    wget ftp://ftp.sunet.se/pub/multimedia/graphics/ImageMagick/ImageMagick-6.8.3-7.tar.gz
    tar xvfz ImageMagick-6.8.3-7.tar.gz
    cd ImageMagick-6.8.3-7
    ./configure
    make
    make install
    ldconfig /usr/local/lib
    
  3. Time for Wkhtmltopdf. I’ve downloaded the source files because I had problems with the static builds of Wkhtmltopdf. I’ve used the readme file (README_WKHTMLTOPDF) which comes with wkhtmltopdf as a guide, but notice that the gitorious repository is no longer found. Warning: this step is going to take a very long time, so if you don’t need PDF reporting skip it.

    Warning: if you see squares in your PDF report instead of text, install the urw-fonts package with yum. This information is provided thanks to this stackoverflow question.

    cd /opt
    git clone git://github.com/jcsalterego/wkhtmltopdf-qt.git wkhtmltopdf-qt
    cd wkhtmltopdf-qt
    ./configure -nomake tools,examples,demos,docs,translations -opensource -prefix ../wkqt
    make -j3
    make install
    
    cd /opt
    wget http://wkhtmltopdf.googlecode.com/files/wkhtmltopdf-0.11.0_rc1.tar.bz2
    tar jxvf wkhtmltopdf-0.11.0_rc1.tar.bz2
    cd wkhtmltopdf-0.11.0_rc1
    ../wkqt/bin/qmake
    make
    ldconfig
    ln -s /opt/wkhtmltopdf-0.11.0_rc1/bin/wkhtmltopdf /usr/local/bin/wkhtmltopdf
    
  4. MySQL! Start the service and, if it’s the first time you install it, use mysql_secure_installation to set root’s password and remove the test database and anonymous users.
    service mysqld start
    mysql_secure_installation
    chkconfig mysqld on
    
  5. And now we need Ruby and RubyGems. I’m installing Ruby 1.9.3 from Ruby’s webpage.
    cd /opt
    wget http://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.3-p392.tar.gz
    tar xvfz ruby-1.9.3-p392.tar.gz
    cd ruby-1.9.3-p392
    ./configure
    make
    make install
    
    cd /opt
    wget http://production.cf.rubygems.org/rubygems/rubygems-2.0.2.tgz
    tar xvfz rubygems-2.0.2.tgz
    cd rubygems-2.0.2
    ruby setup.rb
    
  6. We now have gem installed, and we’re going to install the bundler gem, which is needed by the Snorby setup.
    cd /opt
    gem install bundler
    
  7. OK. I want to use Snorby, so I need to download it! I’ve had problems with the latest git version of Snorby, so I had to use the zip with the stable version (which is linked from Snorby’s webpage).
    wget -O snorby.zip https://github.com/Snorby/snorby/zipball/v2.5.6
    unzip snorby.zip
    cd Snorby-snorby-42dd6d5
    
  8. Now, pay attention! I’ve found many problems trying to use bundle with Ruby 1.9.3 and I spent several hours finding out what to do. This is what I’ve done; I can’t guarantee that it’ll work with a newer Ruby or Snorby version, but at least if you find the same problem you won’t suffer. If you find any error please contact me; maybe I can help you and update the post so it’s useful for other users.
    Edit the Gemfile and change this line: gem 'rake', '0.9.2'   to:  gem 'rake', '> 0.9.2' unless you want this error to show when using bundler: "error: /usr/local/lib/ruby/gems/1.9.1/gems/bundler-1.3.1/lib/bundler/fetcher.rb:112:in `specs': undefined method `each' for nil:NilClass (NoMethodError)"
    
    Edit the Gemfile and add this line: gem 'orm_adapter' after the line: gem 'netaddr', unless you want this error when using bundler: 'orm_adapter' file not found
    
    Edit Gemfile.lock and change rake (0.9.2) to rake (0.9.2.2) so rake setup does not complain about a different rake version.
    
    // Create a snorby_config.yml file. Edit the production section and set your domain
    cp config/snorby_config.yml.example config/snorby_config.yml
    
    // Create a database.yml config file. Edit the file and set the root password and MySQL server location
    cp config/database.yml.example config/database.yml
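    The three Gemfile edits of step 8 can also be applied with sed and verified afterwards, which is handy when you rebuild the box more than once. The script below is an added example, not code from the original post or from the Snorby project; it assumes the Snorby v2.5.6 tree, where the Gemfile contains the lines gem 'rake', '0.9.2' and gem 'netaddr' and Gemfile.lock lists rake (0.9.2). It needs GNU sed (the one CentOS ships) for -i and the one-line a command.

```shell
#!/bin/sh
# Added example (not from the original post or the Snorby project): the three
# step-8 edits applied with sed, each one checked afterwards. Assumes GNU sed
# and the Snorby v2.5.6 Gemfile/Gemfile.lock layout described in the lead-in.

# Relax the rake pin so bundler can pick a newer rake.
patch_gemfile_rake() {
    sed -i "s/^gem 'rake', '0\.9\.2'\$/gem 'rake', '> 0.9.2'/" "$1"
    grep -q "^gem 'rake', '> 0.9.2'\$" "$1"
}

# Insert gem 'orm_adapter' directly after the netaddr line (idempotent:
# running it twice does not add a second copy).
patch_gemfile_orm_adapter() {
    if ! grep -q "^gem 'orm_adapter'" "$1"; then
        sed -i "/^gem 'netaddr'/a gem 'orm_adapter'" "$1"
    fi
    grep -q "^gem 'orm_adapter'" "$1"
}

# Bump the locked rake version so rake setup stops complaining.
patch_gemfile_lock_rake() {
    sed -i 's/^\( *\)rake (0\.9\.2)$/\1rake (0.9.2.2)/' "$1"
    grep -q '^ *rake (0\.9\.2\.2)$' "$1"
}

# Apply all three inside a Snorby checkout; non-zero if any edit did not take.
patch_snorby_gemfiles() {
    dir="$1"
    patch_gemfile_rake "$dir/Gemfile" &&
    patch_gemfile_orm_adapter "$dir/Gemfile" &&
    patch_gemfile_lock_rake "$dir/Gemfile.lock"
}

# Dry run on a constructed miniature Gemfile/Gemfile.lock (not Snorby's real
# files) so the edits can be eyeballed before touching the checkout.
demo_patch() {
    tmp=$(mktemp -d)
    printf "source 'https://rubygems.org'\ngem 'rake', '0.9.2'\ngem 'netaddr'\n" > "$tmp/Gemfile"
    printf "GEM\n  specs:\n    rake (0.9.2)\n" > "$tmp/Gemfile.lock"
    patch_snorby_gemfiles "$tmp" && cat "$tmp/Gemfile" "$tmp/Gemfile.lock"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

demo_patch
```

    In a real checkout run patch_snorby_gemfiles /opt/Snorby-snorby-42dd6d5 (or whatever directory the zip unpacked to) before bundle install; a non-zero exit means one of the expected lines was not found, so look at the file by hand instead of assuming the edit happened.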
    
  9. OK! Now let’s install Snorby. And don’t forget to read the README.md file provided by Snorby’s developers.
    // We are in the snorby directory //
    bundle install
    rake snorby:setup
    
    // This is the command's output //
    [datamapper] Created database 'snorby'
    [datamapper] Finished auto_upgrade! for :default repository 'snorby'
    [~] Adding `index_timestamp_cid_sid` index to the event table
    [~] Adding `id` to the event table
    [~] Building `aggregated_events` database view
    [~] Building `events_with_join` database view
    * Removing old jobs
    * Starting the Snorby worker process.
    * Adding jobs to the queue
    
  10. Snorby is installed, woohoo! Before launching it, let’s create an iptables rule (TCP 3000 is the default port). Keep in mind that a rule added this way lives only until the next reboot unless you save it.
    iptables -I INPUT -p tcp --dport 3000 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    
  11. And now, finally, let’s start Snorby on my CentOS 6.3 server:
    rails server -e production
    
    Booting WEBrick
    => Rails 3.1.10 application starting in production on http://0.0.0.0:3000
    => Call with -d to detach
    => Ctrl-C to shutdown server
    [2013-03-08 19:01:18] INFO WEBrick 1.3.1
    [2013-03-08 19:01:18] INFO ruby 1.9.3 (2013-02-22) [x86_64-linux]
    [2013-03-08 19:01:18] INFO WEBrick::HTTPServer#start: pid=1347 port=3000
    
  12. If all is fine, open a web browser at http://x.x.x.x:3000 and use the default user/password: snorby@snorby.org / snorby. Here are two screenshots so you can check that I haven’t lied to you.
    [screenshots: snorby_login, snorby_administrator]

Ok. Soon I’ll update this post or create another one explaining how to configure other important things (mail, sensors…).

P.S.: You should create a snorby user in your MySQL server and use it in the database.yml config file so the root user is not used, e.g.: grant all privileges on snorby.* to snorby@localhost identified by 'password';
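The P.S. above and step 10 are the two places where the install touches security: the database user Snorby runs as, and the port it listens on. The script below is an added example, not code from the original post or from the Snorby project. It creates the least-privilege MySQL user from the P.S. with a random password, writes it into config/database.yml with owner-only permissions, checks that the file no longer authenticates as root, and narrows the step-10 iptables rule to an admin network and saves it. Assumptions: the mysql client and iptables from CentOS 6, a plain Rails-style database.yml whose production section has the keys shown (compare it with config/database.yml.example before use), the Snorby directory from step 7, and an admin network such as 10.0.0.0/24.

```shell
#!/bin/sh
# Added example, not code from the original post or the Snorby project.
# Post-install hardening for the P.S. (dedicated MySQL user instead of root)
# and step 10 (iptables rule for TCP 3000). The database.yml layout, the
# Snorby directory and the admin network are assumptions.

# 20-character random password from /dev/urandom (URL-safe characters only).
gen_password() {
    head -c 32 /dev/urandom | base64 | tr -d '/+=\n' | cut -c1-20
}

# SQL for a least-privilege user: rights on the snorby schema only, and only
# from localhost, where the Rails process runs.
snorby_grant_sql() {
    printf "GRANT ALL PRIVILEGES ON snorby.* TO '%s'@'localhost' IDENTIFIED BY '%s';\nFLUSH PRIVILEGES;\n" "$1" "$2"
}

# Write the production section of database.yml for that user; the file holds
# the password, so it is created readable by its owner only.
write_db_config() {
    file="$1"; user="$2"; pass="$3"; host="${4:-localhost}"
    ( umask 077; cat > "$file" <<EOF
production:
  adapter: mysql
  database: snorby
  username: $user
  password: "$pass"
  host: $host
EOF
    )
    chmod 600 "$file"
}

# Returns 0 only if the config no longer uses root and is not readable by
# group or others; the reason is printed on stderr otherwise.
db_config_is_hardened() {
    if grep -q '^ *username: *root *$' "$1"; then
        echo "$1: still authenticates as root" >&2; return 1
    fi
    case "$(ls -l "$1" | cut -c5-10)" in
        ------) return 0 ;;
        *) echo "$1: readable by group or others" >&2; return 1 ;;
    esac
}

# Step 10's rule, limited to the admin network instead of any source.
snorby_fw_rule() {
    printf 'INPUT -p tcp -s %s --dport %s -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT' "$1" "${2:-3000}"
}

# Insert the rule and save it so the CentOS 6 iptables init script restores
# it at boot (otherwise it is gone after a reboot).
apply_fw_rule() {
    iptables -I $(snorby_fw_rule "$1" "${2:-3000}") && service iptables save
}

# Run on the Snorby host as root after rake snorby:setup, e.g.
#   harden_snorby /opt/Snorby-snorby-42dd6d5 10.0.0.0/24
# The mysql call prompts for the MySQL root password set in step 4.
harden_snorby() {
    dir="$1"; net="$2"; pass="$(gen_password)"
    snorby_grant_sql snorby "$pass" | mysql -u root -p &&
    write_db_config "$dir/config/database.yml" snorby "$pass" &&
    db_config_is_hardened "$dir/config/database.yml" &&
    apply_fw_rule "$net"
}
```

Restart the rails server after running it so the new credentials are picked up; db_config_is_hardened can also be run on its own as a quick audit of an existing install.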

P.S. 2 (2013-03-10): The PDF reporting problem with wkhtmltopdf has been solved after compiling wkhtmltopdf and Qt (be patient, you’ll need time). This is a Snorby Report sample.


13 thoughts on “Snorby on CentOS 6.3”

  1. Bui says:

    hello,
    I have a problem on step 3:
    You might need to modify the include and library search paths by editing
    QMAKE_INCDIR_X11 and QMAKE_LIBDIR_X11 in /opt/wkhtmltopdf-qt/mkspecs/linux-g++.
    How do I do ?

    Thank you.


    • n40lab says:

      I don’t remember having to modify QMAKE_INCDIR_X11 and QMAKE_LIBDIR_X11. Is there any error when executing the commands in step 3? If so, could you please post it so I can have more information?

      Regards,

      Miguel


  2. Bui says:

    Hello,
    I have a problem on step 9. When I run the command rake snorby:setup, this is the problem:
    rake snorby:setup
    /usr/local/bin/rake:23:in `load': cannot load such file -- /usr/local/lib/ruby/gems/1.9.1/gems/rake-0.9.2.2/bin/rake (LoadError)
    from /usr/local/bin/rake:23:in `'
    Can you help me?

    Thank you.


    • n40lab says:

      Hi,
      tomorrow I’ll try to follow the steps in this post again to check if I have to update it.

      Have you compiled the Ruby version (step 5) and, if so, what version have you downloaded? I think there’s a ruby/rake version problem and the change in the Gemfile.lock (step 8) is not working.


  3. morteza says:

    Hello
    I have a problem on step 9.
    When I run rake snorby:setup I see this error:
    [root@localhost Snorby-snorby-42dd6d5]# rake snorby:setup
    /usr/local/lib/ruby/1.9.1/yaml.rb:56:in `':
    It seems your ruby installation is missing psych (for YAML output).
    To eliminate this warning, please install libyaml and reinstall your ruby.
    Jammit Warning: Asset compression disabled -- Java unavailable.
    72175bf265eb88c9a72e0ecaa2b4fc8bedc93138cec4fb874ae55502410504623412acf5694df43e5ab973cac84fdbf2bb3da4c86884ef351a925845db3c3e46
    ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)
    rake aborted!
    Access denied for user 'root'@'localhost' (using password: YES)

    Tasks: TOP => db:autoupgrade
    (See full trace by running task with --trace)
    And I have one request:
    please upload a Snort installation on CentOS.
    Thanks.


    • n40lab says:

      Hi,
      you have a MySQL error. You have to edit the config/database.yml file (see step 8 of this article) and set the user and password for your MySQL database; then Snorby will be able to connect to the database and create the tables needed.

      If you need more help let me know.

      Cheers!


  4. Antony says:

    {"email"=>"snorby@snorby.org", "password"=>"[FILTERED]", "remember_me"=>"1"}}
    Completed 401 Unauthorized in 2ms

    default user does not work
    user:snorby@snorby.org
    pass:snorby

