Snorby Installation on Ubuntu 11.04

Snorby is a Ruby application that displays and reports the detections of intrusion detection software such as Snort, Sagan, and Suricata. It has an attractive, neat layout and is easy to use, which makes it a strong option for Snort reporting alongside Aanval, BASE, and the standard snortreport. If you still need to install Snort, a previous post covers the basic installation of Snort, one of the standard and most widely used IDSs.

Because Snorby is a Ruby application, its installation process was a little new to me. Snorby installation tutorials have been written and published on the internet. One is also displayed on the main page of http://snorby.org, but that tutorial is not comprehensive enough. For a more comprehensive one, go to the snorby.org wiki pages, which include a Snorby installation on Ubuntu without RVM. That tutorial is complete enough to follow when installing Snorby on an Ubuntu machine.

Snorby installation:

1. Install dependencies
sudo apt-get install gcc g++ build-essential libssl-dev libreadline5-dev zlib1g-dev linux-headers-generic libsqlite3-dev libxslt-dev libxml2-dev imagemagick libmysqlclient-dev libmagick9-dev git-core mysql-server wkhtmltopdf

2. Download and install Ruby
sudo wget ftp://ftp.ruby-lang.org//pub/ruby/1.9/ruby-1.9.2-p0.tar.gz
tar -xvzf ruby-1.9.2-p0.tar.gz
cd ruby-1.9.2-p0/
sudo ./configure --prefix=/usr/local/ruby && sudo make && sudo make install

3. Add the Ruby bin folder to the environment
sudo nano /etc/environment
set the PATH line to
PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/ruby/bin"
then reload it
source /etc/environment

4. Add symbolic links for ruby and gem
sudo ln -s /usr/local/ruby/bin/ruby /usr/bin/ruby
sudo ln -s /usr/local/ruby/bin/gem /usr/bin/gem

5. Check the Ruby version
ruby -v
If it displays "ruby 1.9.2p0", the version is correct. If it does not, make sure the source was built and installed properly and that the symbolic links are correct.

6. Install the gem packages
sudo gem install tzinfo builder memcache-client rack rack-test erubis mail text-format bundler thor i18n sqlite3-ruby
sudo gem install rack-mount -v 0.4.0
sudo gem install rails -v 3.0.0

Add symbolic links for rails and rake:
sudo ln -s /usr/local/ruby/bin/rails /usr/bin/rails
sudo ln -s /usr/local/ruby/bin/rake /usr/bin/rake

7. Install Snorby

Download the Snorby source via git:
git clone git://github.com/Snorby/snorby.git
or, if that does not work, try
git clone http://github.com/Snorby/snorby.git

When the clone or download completes, there will be a new folder named snorby that contains the Snorby source. Change into it and configure the database:
nano config/database.yml
Fill in the username and password for root.

Edit the Snorby configuration file:
nano config/snorby_config.yml

Configure email:
nano config/initializers/mail_config.rb

Run the setup:
rake snorby:setup RAILS_ENV=production

Install a JRE if one is not installed or if you get the error "Jammit Warning: Asset compression disabled -- Java unavailable":
sudo apt-get install default-jre-headless

Install or update rake if you get the error "uninitialized constant Rake::DSL":
sudo gem update rake

8. Start the application
rails server -e production
To check whether the application has started, open
http://yourdomain.com:3000
and log in with
user email: snorby@snorby.org
pass: snorby

These step-by-step installation instructions were obtained from:
https://github.com/Snorby/snorby/wiki/Ubuntu-1.9.2-without-RVM-by-Eric-Peters
with a small change to the commands in step 7.
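
The version pins from steps 2, 5 and 6 (Ruby 1.9.2p0, rails 3.0.0, rack-mount 0.4.0) can be checked in one pass before rake snorby:setup is run. The script below is an added example, not part of the original tutorial or of Snorby; the function names are hypothetical and the sample outputs are constructed.

```sh
#!/bin/sh
# Added example: verify the version pins from steps 2, 5 and 6 before setup.

# ruby_version_ok "<ruby -v output>": succeeds only for exactly 1.9.2p0.
ruby_version_ok() {
    case "$1" in
        "ruby 1.9.2p0"|"ruby 1.9.2p0 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# gem_has_version "<gem list output>" NAME VERSION
# gem list prints lines like "rails (3.0.9, 3.0.0)"; the pinned version must
# be one of the installed versions, not merely a prefix of one.
gem_has_version() {
    printf '%s\n' "$1" | awk -v name="$2" -v want="$3" '
        $1 == name {
            line = $0
            sub(/^[^(]*\(/, "", line)
            sub(/\).*$/, "", line)
            n = split(line, v, /, */)
            for (i = 1; i <= n; i++) if (v[i] == want) found = 1
        }
        END { exit(found ? 0 : 1) }'
}

# preflight RUBY_V GEM_LIST: prints each failed pin, returns the failure count.
preflight() {
    fails=0
    ruby_version_ok "$1" || { echo "ruby: want 1.9.2p0, got '$1'"; fails=$((fails + 1)); }
    for pin in rails:3.0.0 rack-mount:0.4.0; do
        gem_has_version "$2" "${pin%%:*}" "${pin#*:}" || {
            echo "gem ${pin%%:*}: ${pin#*:} is not installed"
            fails=$((fails + 1))
        }
    done
    return "$fails"
}

# Constructed outputs: Ruby is right, rails is too new, rack-mount has the pin.
SAMPLE_RUBY='ruby 1.9.2p0 (2010-08-18 revision 29036) [x86_64-linux]'
SAMPLE_GEMS='rack-mount (0.4.8, 0.4.0)
rails (3.0.9)
rake (0.9.2.2)'

# On a real host run: preflight "$(ruby -v)" "$(gem list)"
```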

This tutorial is already quite complete, but problems sometimes arise, among others:

1. Login error

The default user and password for a standard installation of Snorby from source are
user: snorby@snorby.org
password: snorby

A message should be displayed when authentication succeeds, but sometimes after entering the credentials we just get an error message. This error is probably caused by installing the wrong software version.
Solution:
before running the setup, make sure all the software versions are right
or,
if you have already verified your software versions,
run the setup once again.

2. No logs are displayed

Once we can log in to Snorby and have started the Snorby worker, Snorby should run and begin to display logs of the packets captured on the Snort interface. An error in the database settings, however, results in Snorby not showing any logs, so make sure the database settings are correct. The standard snort/barnyard2 database settings are as follows:

database name: snort
user: snort
password: yourpassword

When we set up Snorby, however, it creates a database named snorby with the user snorby. One solution is to replace every snort database name from the previous installation with snorby and replace all the usernames with snorby. Another solution is to replace only the database name and also grant the snort user privileges on the snorby database:

mysql -u root -p
password:

grant all privileges on snorby.* to 'snort'@'localhost' identified by 'yoursnortdatabasepassword' with grant option;

The steps above should resolve these Snorby installation issues.
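
The database mismatch described in problem 2 can be detected directly from the two configuration files. The script below is an added example, not part of the original post or of Snorby or barnyard2; it assumes barnyard2's usual "output database: ... dbname=NAME" line and a "database:" key under "production:" in config/database.yml, and the sample files written by demo() are constructed.

```sh
#!/bin/sh
# Added example: compare the database barnyard2 writes to with the one Snorby reads.

# barnyard2_dbname FILE: dbname= from the first active "output database:" line.
barnyard2_dbname() {
    sed -n 's/^[[:space:]]*output[[:space:]]\{1,\}database:.*[[:space:]]dbname=\([^[:space:]]*\).*/\1/p' "$1" |
        head -n 1
}

# snorby_dbname FILE ENV: "database:" value inside the top-level ENV block.
snorby_dbname() {
    awk -v env="$2" '
        /^[^ \t#][^:]*:/ { section = $1; sub(/:.*/, "", section) }
        section == env && $1 == "database:" { print $2; exit }' "$1"
}

# check_same_db BARNYARD2_CONF DATABASE_YML: 0 = same, 1 = mismatch, 2 = not found.
check_same_db() {
    by=$(barnyard2_dbname "$1")
    sn=$(snorby_dbname "$2" production)
    if [ -z "$by" ] || [ -z "$sn" ]; then
        echo "UNKNOWN: barnyard2='$by' snorby='$sn'"; return 2
    fi
    if [ "$by" = "$sn" ]; then echo "OK: both use '$by'"; return 0; fi
    echo "MISMATCH: barnyard2 writes to '$by', Snorby reads '$sn'"; return 1
}

# Constructed sample files reproducing the mismatch described above.
demo() {
    d=$(mktemp -d)
    cat > "$d/barnyard2.conf" <<'EOF'
# output database: log, mysql, user=old dbname=old host=localhost
output database: log, mysql, user=snort password=yourpassword dbname=snort host=localhost
EOF
    cat > "$d/database.yml" <<'EOF'
snorby: &snorby
  adapter: mysql
  username: root
production:
  database: snorby
  <<: *snorby
EOF
    rc=0; check_same_db "$d/barnyard2.conf" "$d/database.yml" || rc=$?
    rm -rf "$d"; return "$rc"
}

# Real use: sh thisscript /path/to/barnyard2.conf config/database.yml
if [ "$#" -eq 2 ]; then check_same_db "$1" "$2"; fi
```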

One thought on “Snorby Installation on Ubuntu 11.04”

  1. I have a problem (((

    If I try

    rake snorby:setup

    or

    rake snorby:setup RAILS_ENV=production

    I have an error

    rake aborted!
    You have already activated rake 0.9.2.2, but your Gemfile requires rake 0.9.2. Using bundle exec may solve this.

    (See full trace by running task with --trace)

    with --trace

    You have already activated rake 0.9.2.2, but your Gemfile requires rake 0.9.2. Using bundle exec may solve this.
    /usr/local/lib/ruby/gems/1.9.1/gems/bundler-1.1.4/lib/bundler/runtime.rb:31:in `block in setup'
    /usr/local/lib/ruby/gems/1.9.1/gems/bundler-1.1.4/lib/bundler/runtime.rb:17:in `setup'
    /usr/local/lib/ruby/gems/1.9.1/gems/bundler-1.1.4/lib/bundler.rb:107:in `setup'
    /var/www/snorby/config/boot.rb:8:in `'
    /usr/local/lib/ruby/site_ruby/1.9.1/rubygems/custom_require.rb:36:in `require'
    /usr/local/lib/ruby/site_ruby/1.9.1/rubygems/custom_require.rb:36:in `require'
    /var/www/snorby/config/application.rb:1:in `'
    /usr/local/lib/ruby/site_ruby/1.9.1/rubygems/custom_require.rb:36:in `require'
    /usr/local/lib/ruby/site_ruby/1.9.1/rubygems/custom_require.rb:36:in `require'
    /var/www/snorby/Rakefile:4:in `'
    /usr/local/lib/ruby/gems/1.9.1/gems/rake-0.9.2.2/lib/rake/rake_module.rb:25:in `load'
    /usr/local/lib/ruby/gems/1.9.1/gems/rake-0.9.2.2/lib/rake/rake_module.rb:25:in `load_rakefile'
    /usr/local/lib/ruby/gems/1.9.1/gems/rake-0.9.2.2/lib/rake/application.rb:501:in `raw_load_rakefile'
    /usr/local/lib/ruby/gems/1.9.1/gems/rake-0.9.2.2/lib/rake/application.rb:82:in `block in load_rakefile'
    /usr/local/lib/ruby/gems/1.9.1/gems/rake-0.9.2.2/lib/rake/application.rb:133:in `standard_exception_handling'
    /usr/local/lib/ruby/gems/1.9.1/gems/rake-0.9.2.2/lib/rake/application.rb:81:in `load_rakefile'
    /usr/local/lib/ruby/gems/1.9.1/gems/rake-0.9.2.2/lib/rake/application.rb:65:in `block in run'
    /usr/local/lib/ruby/gems/1.9.1/gems/rake-0.9.2.2/lib/rake/application.rb:133:in `standard_exception_handling'
    /usr/local/lib/ruby/gems/1.9.1/gems/rake-0.9.2.2/lib/rake/application.rb:63:in `run'
    /usr/local/lib/ruby/gems/1.9.1/gems/rake-0.9.2.2/bin/rake:33:in `'
    /usr/local/bin/rake:23:in `load'
    /usr/local/bin/rake:23:in `'
