Update: 02/06/2013. I’ve created a new post for CentOS 6.4; if you have problems with CentOS 6.3, try checking that post first.
If I want to have fun with Suricata IDS I think it will be useful to have a monitoring tool to track possible alerts. I’ve chosen Snorby as it seems to have a nice and intuitive GUI. Snorby uses Ruby on Rails and a MySQL database. After many attempts I’ve finally got it running, so I want to share with you the steps I’ve followed.
According to its web page, Snorby requires:
- Ruby > 0.9.2
- ImageMagick > 6.6.4
- Rails > 3.0.0
Unfortunately, the packages in the CentOS 6.3 repositories are older versions. You may find newer versions in other repositories, but for now I’ll stick with the official repositories. Compilation fun! Warning: if you use the following commands, check whether newer versions of the downloaded packages exist and change directories and names accordingly.
- We’ll start by installing some packages with yum:
yum groupinstall "Development Tools"
yum install openssl-devel readline-devel libxml2-devel libxslt-devel mysql mysql-devel mysql-libs mysql-server urw-fonts
- Let’s compile ImageMagick (the tarball has to be extracted before changing into its directory):
cd /opt
wget ftp://ftp.sunet.se/pub/multimedia/graphics/ImageMagick/ImageMagick-6.8.3-7.tar.gz
tar xvfz ImageMagick-6.8.3-7.tar.gz
cd ImageMagick-6.8.3-7
./configure
make
make install
ldconfig /usr/local/lib
- Time for wkhtmltopdf. I’ve downloaded the source files because I had problems with the static versions of wkhtmltopdf. I’ve used the readme file (README_WKHTMLTOPDF) that comes with wkhtmltopdf as a guide, but notice that the gitorious repository is not found. Warning: this step is going to take a long time, so if you don’t need PDF reporting skip it.
Warning: if you see squares in your PDF report instead of text, install the urw-fonts package with yum. This information is provided thanks to this stackoverflow question.
cd /opt
git clone git://github.com/jcsalterego/wkhtmltopdf-qt.git wkhtmltopdf-qt
cd wkhtmltopdf-qt
./configure -nomake tools,examples,demos,docs,translations -opensource -prefix ../wkqt
make -j3
make install
cd /opt
wget http://wkhtmltopdf.googlecode.com/files/wkhtmltopdf-0.11.0_rc1.tar.bz2
tar jxvf wkhtmltopdf-0.11.0_rc1.tar.bz2
cd wkhtmltopdf-0.11.0_rc1
../wkqt/bin/qmake
make
ldconfig
ln -s /opt/wkhtmltopdf-0.11.0_rc1/bin/wkhtmltopdf /usr/local/bin/wkhtmltopdf
- MySQL! Start the service and, if it’s the first time you install it, use mysql_secure_installation to set root’s password and remove the unnecessary tables and anonymous accounts.
service mysqld start
mysql_secure_installation
chkconfig mysqld on
- And now we need Ruby and RubyGems. I’m installing Ruby 1.9.3 from Ruby’s webpage.
cd /opt
wget http://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.3-p392.tar.gz
tar xvfz ruby-1.9.3-p392.tar.gz
cd ruby-1.9.3-p392
./configure
make
make install
cd /opt
wget http://production.cf.rubygems.org/rubygems/rubygems-2.0.2.tgz
tar xvfz rubygems-2.0.2.tgz
cd rubygems-2.0.2
ruby setup.rb
- We now have gem installed, and we’re going to install the bundler gem, which is needed by the Snorby setup.
cd /opt
gem install bundler
- OK. I want to use Snorby, so I need to download it! I’ve had problems with the latest git version of Snorby, so I had to use the zip with the stable version (which is linked from Snorby’s webpage).
wget -O snorby.zip https://github.com/Snorby/snorby/zipball/v2.5.6
unzip snorby.zip
cd Snorby-snorby-42dd6d5
- Now, pay attention! I’ve found many problems trying to use bundle with Ruby 1.9.3 and I spent several hours finding out what to do. This is what I’ve done. I can’t guarantee that it’ll work with a newer Ruby or Snorby version, but at least if you find the same problem you won’t suffer. If you find any error please contact me; maybe I can help you and update the post so it’s useful for other users.
Edit the Gemfile and change this line:
gem 'rake', '0.9.2'
to:
gem 'rake', '> 0.9.2'
unless you want this error to show when using bundler:
"error: /usr/local/lib/ruby/gems/1.9.1/gems/bundler-1.3.1/lib/bundler/fetcher.rb:112:in `specs': undefined method `each' for nil:NilClass (NoMethodError)"
Edit the Gemfile and add this line:
gem 'orm_adapter'
after the line:
gem netaddr
unless you want this error when using bundler:
'orm_adapter' file not found
Edit Gemfile.lock and change rake (0.9.2) to rake (0.9.2.2) so rake setup does not complain about a different rake version.
// Create a snorby_config.yml file. Edit the production section and set your domain
cp config/snorby_config.yml.example config/snorby_config.yml
// Create a database.yml config file. Edit the file and set the root password and MySQL server location
cp config/database.yml.example config/database.yml
- OK! Now let’s install Snorby. And don’t forget to read the README.md file provided by Snorby’s developers.
// We are in the snorby directory
bundle install
rake snorby:setup
// This is the command's output
[datamapper] Created database 'snorby'
[datamapper] Finished auto_upgrade! for :default repository 'snorby'
[~] Adding `index_timestamp_cid_sid` index to the event table
[~] Adding `id` to the event table
[~] Building `aggregated_events` database view
[~] Building `events_with_join` database view
* Removing old jobs
* Starting the Snorby worker process.
* Adding jobs to the queue
- Snorby is installed, woohoo! Before launching it, let’s create an iptables rule (TCP 3000 is the default port; note that this rule accepts connections from any source address):
iptables -I INPUT -p tcp --dport 3000 -m state --state=NEW,ESTABLISHED,RELATED -j ACCEPT
- And now, finally, let’s start Snorby on my CentOS 6.3 server:
rails server -e production
Booting WEBrick
=> Rails 3.1.10 application starting in production on http://0.0.0.0:3000
=> Call with -d to detach
=> Ctrl-C to shutdown server
[2013-03-08 19:01:18] INFO  WEBrick 1.3.1
[2013-03-08 19:01:18] INFO  ruby 1.9.3 (2013-02-22) [x86_64-linux]
[2013-03-08 19:01:18] INFO  WEBrick::HTTPServer#start: pid=1347 port=3000
- If all is fine, open a web browser at http://x.x.x.x:3000 and use the default user/password: firstname.lastname@example.org / snorby (change it right after the first login). Here are two screenshots so you can check that I haven’t lied to you.
OK. Soon I’ll update this post or create another one explaining how to configure other important things (mail, sensors…).
P.S.: You should create a snorby user in your MySQL server and use it in the database.yml config file so the root user is not used, e.g.: grant all privileges on snorby.* to snorby@localhost identified by 'password';
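To make the P.S. above less error-prone, here is an added helper script (mine, not from the post or the Snorby project) that renders the GRANT statement for a dedicated MySQL user, renders the matching production section of config/database.yml, and checks an existing database.yml for the two weak settings the post warns about: logging in as root, or an empty password. The user name, host and password used are constructed sample values; the YAML layout emitted is an assumption, and the check deliberately looks at every username/password line in the file so it also works when the file uses YAML anchors.

```shell
#!/bin/sh
# Added example, not part of the original post or of Snorby.
# Sample values (snorby / localhost / change-me) are constructed.

# Print the GRANT statement for a dedicated Snorby user.
# Usage: snorby_grant_sql USER HOST PASSWORD
snorby_grant_sql() {
  printf "grant all privileges on snorby.* to %s@%s identified by '%s';\n" "$1" "$2" "$3"
}

# Print a production section for config/database.yml that uses that user
# instead of root (layout is an assumption, adjust to your database.yml).
# Usage: snorby_database_yml USER PASSWORD DBHOST
snorby_database_yml() {
  cat <<EOF
production:
  adapter: mysql
  username: $1
  password: "$2"
  host: $3
  database: snorby
EOF
}

# Exit 0 (weak) when any username line in FILE is root or any password line
# is empty, exit 1 (ok) otherwise. Checks every such line, so anchored
# layouts like "snorby: &snorby" are covered as well as plain sections.
# Usage: database_yml_weak FILE
database_yml_weak() {
  awk '
    $1 == "username:" { u = $2; gsub(/"/, "", u); if (u == "root") weak = 1 }
    $1 == "password:" { p = $2; gsub(/"/, "", p); if (p == "") weak = 1 }
    END { if (weak) exit 0; exit 1 }
  ' "$1"
}

# Demo with the constructed sample values when run directly.
snorby_grant_sql snorby localhost change-me
snorby_database_yml snorby change-me localhost
```

Run `database_yml_weak config/database.yml && echo "still using root or an empty password"` after editing the file; feed the output of `snorby_grant_sql` to the mysql client as the root user you set with mysql_secure_installation.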
P.S. 2 (2013-03-10): The PDF reporting problem with wkhtmltopdf has been solved after compiling wkhtmltopdf and Qt (be patient, you’ll need time). This is a Snorby report sample.