Snorby installation on debian/ubuntu/linux

23.12.2014 14:50:06

Install Java
apt-get install default-jre

Install the required packages

apt-get install git imagemagick wkhtmltopdf

apt-get install openssl libmysqlclient-dev libreadline6-dev


Install Ruby
sudo apt-get update
sudo apt-get install git-core curl zlib1g-dev build-essential libssl-dev libreadline-dev libyaml-dev libsqlite3-dev sqlite3 libxml2-dev libxslt1-dev libcurl4-openssl-dev python-software-properties
Install rvm
sudo apt-get install libgdbm-dev libncurses5-dev automake libtool bison libffi-dev
curl -L | bash -s stable
source ~/.rvm/scripts/rvm
echo "source ~/.rvm/scripts/rvm" >> ~/.bashrc
rvm install 1.9.3
rvm use 1.9.3 --default
ruby -v

Tell rubygems not to install documentation:
echo "gem: --no-ri --no-rdoc" > ~/.gemrc
Installing Snorby itself

#sudo apt-get install ruby-dev

sudo gem install thor i18n bundler tzinfo builder memcache-client rack rack-test erubis mail  rack-mount rails sqlite3

sudo git clone /var/www/html/snorby
# cd /var/www/html/snorby/config
# cp database.yml.example database.yml
# cp snorby_config.yml.example snorby_config.yml

Edit /var/www/html/snorby/config/database.yml: look for the "snorby" entry and enter the MySQL root username and password here:

snorby: &snorby
  adapter: mysql
  username: root
  password: 'mysqlrootpassword'
  host: localhost


Edit /var/www/html/snorby/config/snorby_config.yml: check the path to wkhtmltopdf (if you need to find it, use `which wkhtmltopdf`) and make each section of the file look like this:

  domain: localhost:3000
  wkhtmltopdf: /usr/bin/wkhtmltopdf


cd /var/www/html/snorby/
bundle install --deployment
bundle install --path vendor/cache
rake snorby:setup --trace

Start it: bundle exec rails server -e production -d

Log in through the browser:

password: snorby
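The two config files above are edited by hand, and two of the values matter for more than getting the app to start: database.yml holds a MySQL login (the post uses root), and snorby_config.yml names the wkhtmltopdf binary that report generation shells out to. The script below is an added example, not part of the original post or of Snorby itself; it runs pre-flight checks on a checkout before `rake snorby:setup`. It assumes the layout cloned above (config/database.yml with a top-level `snorby:` section, config/snorby_config.yml with a `wkhtmltopdf:` key) and parses the flat YAML shown in the post with a small awk scan; the function names and the sample files in the comments are mine.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks on Snorby's
# config directory before `rake snorby:setup` / `rails server`.
# Assumed layout: $SNORBY_DIR/config/database.yml and
# $SNORBY_DIR/config/snorby_config.yml, as in the checkout above. The YAML
# handling is an awk scan that is enough for the flat key/value files shown.

# Print the value of KEY inside the top-level section SECTION of a YAML file.
# Usage: yaml_section_value FILE SECTION KEY
yaml_section_value() {
    awk -v sect="$2:" -v key="$3:" '
        $1 == sect          { insect = 1; next }   # e.g. "snorby: &snorby" opens the section
        insect && /^[^ \t]/ { insect = 0 }         # next unindented line closes it
        insect && $1 == key { print $2; exit }
    ' "$1"
}

# 0 if the database user configured for SECTION is not MySQL root, 1 otherwise.
# Snorby only needs rights on its own database; a dedicated user limits the
# damage if database.yml leaks.
db_user_not_root() {
    user=$(yaml_section_value "$1" "$2" username)
    [ -n "$user" ] && [ "$user" != "root" ]
}

# 0 if FILE is not readable by other users (database.yml contains the DB password).
not_world_readable() {
    perm=$(ls -l "$1" | cut -c8-10)   # the "others" rwx triplet
    [ "$perm" = "---" ]
}

# 0 if the wkhtmltopdf path in snorby_config.yml exists and is executable.
wkhtmltopdf_ok() {
    path=$(awk '$1 == "wkhtmltopdf:" { print $2; exit }' "$1")
    [ -n "$path" ] && [ -x "$path" ]
}

# Run all checks against a Snorby checkout; one line per failed check,
# non-zero exit status if anything failed.
preflight() {
    cfg="$1/config"
    rc=0
    db_user_not_root "$cfg/database.yml" snorby \
        || { echo "database.yml: 'snorby' section logs in as root"; rc=1; }
    not_world_readable "$cfg/database.yml" \
        || { echo "database.yml: readable by other users (chmod o-r)"; rc=1; }
    wkhtmltopdf_ok "$cfg/snorby_config.yml" \
        || { echo "snorby_config.yml: wkhtmltopdf path missing or not executable"; rc=1; }
    return $rc
}

# Usage: sh preflight.sh /var/www/html/snorby
if [ "$#" -ge 1 ]; then
    preflight "$1"
fi
```

Run it once after editing the two files and again after any `git pull`; a clean run prints nothing and exits 0.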


Update Snorby:
# cd /var/www/html/snorby
# git pull origin master
# rake snorby:update

If there are problems starting delayed_job (the web interface shows the warning "The Snorby worker is not currently running. It's imperative you start the worker immediately! All backend calculations are performed asynchronously using the Snorby Worker."), run:
# cd /var/www/html/snorby/
# ruby script/delayed_job start RAILS_ENV=production

Additionally, if it still does not start, you may have to run:

rails runner ';'



INSTALLING barnyard2

apt-get install libpcre3 libpcre3-dbg libpcre3-dev \
    build-essential autoconf automake libtool \
    libpcap-dev libnet1-dev mysql-client libdaq-dev libdnet libdumbnet-dev libdnet-dev libmysqld-dev git-core
apt-get install dh-autoreconf libpcap-dev
  1. On Ubuntu: cd /usr/include && ln -s dumbnet.h dnet.h
  2. cd /usr/lib &&
cd /usr/src
git clone

cd barnyard2
sudo autoreconf -fvi -I ./m4
sudo ./configure --with-mysql --with-mysql-libraries=/usr/lib/x86_64-linux-gnu && make && sudo make install

configure Suricata ......

cp ./etc/barnyard2.conf /etc/suricata/

Edit the barnyard2 conf file and set the following parameters:

config reference_file:      /etc/suricata/reference.config
config classification_file: /etc/suricata/classification.config
config gen_file:            /etc/suricata/rules/
config sid_file:            /etc/suricata/rules/
output database: log, mysql, user=snorbyuser password=PASSWORD123 \
   dbname=snorby host= sensor_name=sensor1




Sometimes the alert counters on the dashboard stop updating.

Solution: clear the caches table (mysql -p, then: use snorby; truncate table caches; exit) and then restart the worker with Restart Worker in the Administration -> Worker & Job Queue menu.

Issue 1:
# rake snorby:setup
(in /var/www/snorby)
rake aborted!
You have already activated rake 10.0.3, but your Gemfile requires rake 0.9.2. Using bundle exec may solve this.
(See full trace by running task with --trace)

Solution 1:

# gem uninstall rake –version 10.0.3
Select gem to uninstall:
1. rake-0.9.2
2. rake-10.0.3
3. All versions
> 2
Successfully uninstalled rake-10.0.3
INFO:  gem "342200223version" is not installed
INFO:  gem "10.0.3" is not installed

# rake snorby:setup
(in /var/www/snorby)
Snorby requires Ruby version 1.9.x
We suggest using Ruby Version Manager (RVM) to install the newest release


# ruby -v
ruby 1.8.7 (2011-06-30 patchlevel 352) [x86_64-linux]
Install RVM with ruby:
# curl -L | bash -s stable --ruby
Additionally with rails:
# curl -L | bash -s stable --rails
# /usr/local/rvm/bin/rvm list known
# /usr/local/rvm/bin/rvm install 1.9.3
Already installed ruby-1.9.3-p362.
To reinstall use:
    rvm reinstall 1.9.3
# /usr/local/rvm/bin/rvm reinstall 1.9.3
# /usr/local/rvm/bin/rvm use 1.9.3
RVM is not a function, selecting rubies with 'rvm use ...' will not work.
You need to change your terminal emulator preferences to allow login shell.
Sometimes it is required to use `/bin/bash --login` as the command.
Please visit for a projectz
# /bin/bash --login
# rvm use 1.9.3
Using /usr/local/rvm/gems/ruby-1.9.3-p362
# ruby -v
ruby 1.9.3p362 (2012-12-25 revision 38607) [x86_64-linux]
# which ruby

Run the following commands in the /var/www/snorby folder

# rake snorby:setup
(in /var/www/snorby)
Could not find rake-0.9.2 in any of the sources
Try running `bundle install`.
# bundle install
# gem list | grep rake
rake (10.0.3, 0.9.2)
Run the following commands in the /var/www/snorby folder
# rake snorby:setup
(in /var/www/snorby)
[datamapper] Created database 'snorby'
[datamapper] Finished auto_upgrade! for :default repository 'snorby'
[~] Adding `index_timestamp_cid_sid` index to the event table
[~] Adding `id` to the event table
[~] Building `aggregated_events` database view
[~] Building `events_with_join` database view
* Removing old jobs
* Starting the Snorby worker process.
* Adding jobs to the queue

Updating Snorby

# cd /var/www/snorby
# git pull origin master
# rake snorby:update