UPDATE: Snort 2.9.9.x has been released. Please see the updated series of articles here or my quick install guide here.

I am leaving this older guide online for anyone who wants to install this older version of Snort on Ubuntu, but you really should be using the updated guide for the 2.9.9.x version of Snort, since support for older versions of Snort are set to expire, and the updated guide is kept more up to date and includes BASE instead of Snorby for a Web GUI.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1. Installing Snort
2. Configure Snort to Run as a NIDS
3. Writing and Testing a Single Rule With Snort
4. Installing Barnyard2
5. Installing PulledPork
6. Creating Upstart Scripts for Snort
7. Creating systemD Scripts for Snort
8. Installing Snorby on Ubuntu 12
9. Installing Snorby on Ubuntu 14
10. Installing Snorby on Ubuntu 15
11. Conclusion

Installing Snorby On Ubuntu 15

Snorby is a web GUI for managing your Snort system. The Snort daemon created in the last section will write all alerts to a Unified2 file, and Barnyard2 will process those alerts into a MySQL database. Snorby will let you browse, search, and profile those alerts from the database in a easy to view way. Snorby is a ruby on rails application, which we will launch with Phusion Passenger on Apache server. An alternative to Snorby is BASE, which is a simpler (less web-2.0) interface that still has a lot of popularity. You can read my article on BASE here (note that that guide hasn’t been updated in a few months, so you should be able to find newer versions of some of the supporting software, like ADOdb).

The bad news is that neither Snorby or BASE are still actively developed. They will work just fine for a hobby or small business setup, but you may want to look at other alternatives if you have more stringent requirements, or need to be able to view more complex visualizations of your data. One option is sguil, and another popular one is Splunk Enterprise (a commercial product, but free for up to 500 MB of log data per day). Splunk has a great interface for Snort alert data. An example of this can be seen in this video from DerbyCon starting at the 43:40 minute mark (this video is also an excellent overview of OpenAppID).

Installation

On Ubuntu 15, ruby 1.9 is not available in the repositories, so we need to download and install from source. We need some pre-requisites for Ruby 1.9:

sudo apt-get install -y libgdbm-dev libncurses5-dev git-core curl zlib1g-dev build-essential \
libssl-dev libreadline-dev libyaml-dev libsqlite3-dev sqlite3 libxml2-dev libxslt1-dev \
libcurl4-openssl-dev python-software-properties libffi-dev

Next, let’s install the Ruby Gem pre-requisites:

sudo apt-get install -y imagemagick apache2 libyaml-dev libxml2-dev libxslt-dev git libssl-dev

Snorby installs a number of Ruby gems. To speed up their installation, run the following two commands to prevent the install of documentation when gems are installed:

echo "gem: --no-rdoc --no-ri" > ~/.gemrc
sudo sh -c "echo gem: --no-rdoc --no-ri > /etc/gemrc"

Download the ruby 1.9.3 source and install:

cd ~/snort_src/
wget https://cache.ruby-lang.org/pub/ruby/1.9/ruby-1.9.3-p551.tar.gz
tar -xvzf ruby-1.9.3-p551.tar.gz
cd ruby-1.9.3-p551
./configure
make
sudo make install

Install the gems required for management and installation:

# These gems will also install other required gems
sudo gem install wkhtmltopdf
sudo gem install bundler
sudo gem install rails
sudo gem install rake --version=0.9.2

Download the 2.6.2 version of Snorby and move it to your web root directory:

cd ~/snort_src/
wget https://github.com/Snorby/snorby/archive/v2.6.2.tar.gz -O snorby-2.6.2.tar.gz
tar xzvf snorby-2.6.2.tar.gz
sudo cp -r ./snorby-2.6.2/ /var/www/html/snorby/

Install all of the Snorby pre-requisites. Ignore warnings about running bundle as root. If you get connection errors when trying to download gems, just re-run the command until it succeeds.

cd /var/www/html/snorby
sudo bundle install

Snorby uses database.yml to tell it how to connect to the MySQL server. We will copy the example file to the correct location and edit it with our MySQL root credentials (Snorby will need to create a database):

sudo cp /var/www/html/snorby/config/database.yml.example /var/www/html/snorby/config/database.yml
sudo vi /var/www/html/snorby/config/database.yml

You need to change the password field in this database.yml file to reflect the MySQL root password you set when installing MySQL (MySqlROOTpassword if you are following this guide exactly). Note that we will change this later after Snorby has setup the database it needs to use a lower-priviledged MySQL account. The beginning of the file should look like this after editing:

# Snorby Database Configuration
#
# Please set your database password/user below
# NOTE: Indentation is important.
#
snorby: &snorby
     adapter: mysql
     username: root
     password: "MySqlROOTpassword" # Example: password: "s3cr3tsauce"
     host: localhost

... and so on

Now we need to create the Snorby configuration file (copied from it’s example file), and update it to point to the correct version of wkhtmlpdf (we use sed to make this change):

sudo cp /var/www/html/snorby/config/snorby_config.yml.example /var/www/html/snorby/config/snorby_config.yml
sudo sed -i s/"\/usr\/local\/bin\/wkhtmltopdf"/"\/usr\/bin\/wkhtmltopdf"/g /var/www/html/snorby/config/snorby_config.yml

Now we want to install Snorby. The below command will download the necessary gems and will create a new database called Snorby for use. This can take some time to complete. You can ignore errors about ”Jammit Warning: Asset compression disabled – Java unavailable.”.

cd /var/www/html/snorby
sudo bundle exec rake snorby:setup

Now we want to edit the MySQL Snorby database to grant access to a lower privilidged user (we don’t want the Snorby application using the root password to interface with the database). Run the following commands to create a new MySQL user named snorby with password PASSWORD123. You will be prompted for your MySQL root password (MySqlROOTpassword) after the first command:

$ mysql -u root -p
myslq> create user 'snorby'@'localhost' IDENTIFIED BY 'PASSWORD123';
myslq> grant all privileges on snorby.* to 'snorby'@'localhost' with grant option;
myslq> flush privileges;
myslq> exit

Now that we’ve created a new MySQL snorby user and password, edit Snorby’s database.yml to tell Snorby to use the new account rather than the root MySQL account:

sudo vi /var/www/html/snorby/config/database.yml

The file should now look like this (note the changes to lines 8 and 9):

# Snorby Database Configuration
#
# Please set your database password/user below
# NOTE: Indentation is important.
#
snorby: &snorby
   adapter: mysql
   username: snorby
   password: "PASSWORD123" # Example: password: "s3cr3tsauce"
   host: localhost

development:
   database: snorby
   <<: *snorby

test:
   database: snorby
   <<: *snorby

production:
   database: snorby
   <<: *snorby

Now we are ready to test Snorby. Run Snorby with:

cd /var/www/html/snorby/
sudo bundle exec rails server -e production

This will start Snorby listening on port 3000. Navigate to http://ip_of_snorby_server:3000 and you should see the logon screen. Don’t log in at this time as we are only testing that the software runs. Use ctrl-c at the command prompt to stop the Snorby server.

Installing Phusion Passenger

We will use Phusion Passenger, an application server module for Apache to launch Snorby. First install pre-requisites:

sudo apt-get install -y libcurl4-openssl-dev apache2-threaded-dev libaprutil1-dev libapr1-dev

Next, install the Passenger gem and the Apache module (we don’t install the Ubuntu repository version of Phusion Passenger because it doesn’t work well).

sudo gem install passenger
sudo passenger-install-apache2-module

The Phusion Passenger install wizard will start. Un-check the Python language support (we only need Ruby support) using the arrows and space bar, then use enter to continue through the menu options. After compiling software, the wizard will finally tell you to copy some text to your Apache configuration file. We don’t want to copy the entire output to the Apache configuration file, because Apache now uses separate files for modules (one for the path to the .so file for the module, and one for configuration for the module). We do want the information that is printed, we will just use it slightly differently. Copy the five lines of text that are shown on the screen, as you’ll need them. Hit enter twice to exit the wizard.

My install showed the following 5 lines of text that are needed (yours may be different):

  LoadModule passenger_module /usr/local/lib/ruby/gems/1.9.1/gems/passenger-5.0.21/buildout/apache2/mod_passenger.so
  <IfModule mod_passenger.c>
    PassengerRoot /usr/local/lib/ruby/gems/1.9.1/gems/passenger-5.0.21
    PassengerDefaultRuby /usr/local/bin/ruby
  </IfModule>

The first line tells Apache the path to the shared object library to load the Phusion passenger module. We want to create a new file for this line. Create this file:

sudo vi /etc/apache2/mods-available/passenger.load

And paste the first line into that file. In my case, I pasted:

LoadModule passenger_module /usr/local/lib/ruby/gems/1.9.1/gems/passenger-5.0.21/buildout/apache2/mod_passenger.so

The final 4 lines specify the configuration for Phusion Passenger. Create the configuration file as follows:

sudo vi /etc/apache2/mods-available/passenger.conf

And paste the two content lines in. You do not need the <ifmodule> tags In my case, I pasted:

PassengerRoot /usr/local/lib/ruby/gems/1.9.1/gems/passenger-5.0.21
PassengerDefaultRuby /usr/local/bin/ruby

Note: yes, the lines above say ruby1.9.1, and we did install ruby 1.9.3. Ubuntu 12 does some file system redirection that makes this happen, but it doesn’t cause any issues.

Next, enable the Passenger module:

sudo a2enmod passenger
sudo service apache2 restart

and then verify that it loaded by running the following command (look for Passenger in the output):

apache2ctl -t -D DUMP_MODULES

Now we need to create an Apache website for Snorby:

sudo vi /etc/apache2/sites-available/snorby.conf

with the following content:

<virtualhost *:80>
     ServerAdmin webmaster@localhost
     ServerName snorby.sublimerobots.com
     DocumentRoot /var/www/html/snorby/public
     <directory "/var/www/html/snorby/public">
          AllowOverride all
          Order deny,allow
          Allow from all
          Options -MultiViews
          </directory>
</virtualhost>

Now enable the new site, disable the default site, and reload Apache to see the new configurations:

cd /etc/apache2/sites-available/
sudo a2ensite snorby.conf
sudo service apache2 reload

cd /etc/apache2/sites-enabled
sudo a2dissite 000-default
sudo service apache2 reload

Now we need to tell Barnyard2 to output events to the Snorby database that we created above.

sudo vi /etc/snort/barnyard2.conf

Append at the end off the file:

output database: log, mysql, user=snorby password=PASSWORD123 dbname=snorby host=localhost sensor_name=sensor1

We can disable the other output file that you created during the Barnyard2 testing by deleting the previous line (or putting a hash in front of it to disable it), so that it looks like the following:

# output database: log, mysql, user=snort password=MySqlSNORTpassword dbname=snort host=localhost)

Restart Barnyard2 to load the new configuration:

sudo service barnyard2 restart

Creating a systemD daemon for the Snorby worker process

Snorby needs one service running for database maintenance (a Snorby worker daemon). We will create an systemD daemon for this task. First we need to create the daemon service file:

sudo vi /lib/systemd/system/snorby_worker.service

with the following content:

[Unit]
Description=Snorby Worker Daemon
Requires=apache2.service
After=syslog.target network.target apache2.service

[Service]
Type=forking
WorkingDirectory=/var/www/html/snorby
ExecStart=/usr/local/bin/ruby script/delayed_job start

[Install]
WantedBy=multi-user.target

Now tell systemD that the script exists, and then verify that it installed correctly:

sudo systemctl enable snorby_worker
systemctl status snorby_worker.service

Note that this daemon will often list as stop/waiting, and that is ok, because of how it works. You can check the worker job status use the web interface (look under Administration –> Worker and Job Queue). You may need to restart the server once at this stage because a differernt version of the worker service may be running from earlier testing. Verify that the worker process is running from the web interface after a reboot.

To log into the web interface: open a web browser and navigate to http://ip_of_snorby_server. You don’t need to enter the port number, as it is listening on port 80 now. The default login information is:
E-mail: snorby@snorby.org
Password: snorby

(current Snorby documentation lists the email as example.com, not snorby.org. That is incorrect for the 2.6.2 version of Snorby, where the username remains snorby@snorby.org)

If you are logged into the Snorby web interface, then congratulations, your system is fully setup. Continue on to the last part of this guide to see where to go from here: Conclusion.