Snorby installation on Debian/Ubuntu/Linux

23.12.2014 14:50:06



Install Java
apt-get install default-jre

Install the required packages

apt-get install git imagemagick wkhtmltopdf

apt-get install openssl libmysqlclient-dev libreadline6-dev

 

Install Ruby
sudo apt-get update
sudo apt-get install git-core curl zlib1g-dev build-essential libssl-dev libreadline-dev libyaml-dev libsqlite3-dev sqlite3 libxml2-dev libxslt1-dev libcurl4-openssl-dev python-software-properties
Install rvm
sudo apt-get install libgdbm-dev libncurses5-dev automake libtool bison libffi-dev
curl -L https://get.rvm.io | bash -s stable
source ~/.rvm/scripts/rvm
echo "source ~/.rvm/scripts/rvm" >> ~/.bashrc
rvm install 1.9.3
rvm use 1.9.3 --default
ruby -v


Tell rubygems not to install documentation:
echo "gem: --no-ri --no-rdoc" > ~/.gemrc
Installing Snorby itself

#sudo apt-get install ruby-dev

sudo gem install thor i18n bundler tzinfo builder memcache-client rack rack-test erubis mail rack-mount rails sqlite3

sudo git clone http://github.com/snorby/snorby.git /var/www/html/snorby
# cd /var/www/html/snorby/config
# cp database.yml.example database.yml
# cp snorby_config.yml.example snorby_config.yml

Edit /var/www/html/snorby/config/database.yml: look for the "snorby" entry and enter the MySQL root username and password there:

snorby: &snorby
  adapter: mysql
  username: root
  password: 'mysqlrootpassword' 
  host: localhost

 

Edit /var/www/html/snorby/config/snorby_config.yml: check the path to wkhtmltopdf (if you need to find it, use `which wkhtmltopdf`) and make it look like this:

development:
  domain: localhost:3000
  wkhtmltopdf: /usr/bin/wkhtmltopdf

test:
  domain: localhost:3000
  wkhtmltopdf: /usr/bin/wkhtmltopdf

production:
  domain: localhost:3000
  wkhtmltopdf: /usr/bin/wkhtmltopdf

Build

cd /var/www/html/snorby/
bundle install --deployment
bundle install --path vendor/cache
rake snorby:setup --trace

Start the server: bundle exec rails server -e production -d

Log in from a browser:

http://your-server:3000
username: snorby@snorby.org
password: snorby

 


UPDATING:
# cd /var/www/html/snorby
# git pull origin master
# rake snorby:update

If there are problems starting delayed_job (the web interface shows the warning "The Snorby worker is not currently running. It's imperative you start the worker immediately! All backend calculations are performed asynchronously using the Snorby Worker."), run:
# cd /var/www/html/snorby/
# ruby script/delayed_job start RAILS_ENV=production

Also, if the worker still does not start, you may need to run:

rails runner 'Snorby::Jobs::SensorCacheJob.new(false).perform; Snorby::Jobs::DailyCacheJob.new(false).perform'

 

++++++++++++++++++++++++++++++++++++++

INSTALLING barnyard2

apt-get install libpcre3 libpcre3-dbg libpcre3-dev build-essential autoconf automake libtool libpcap-dev libnet1-dev mysql-client libdaq-dev libdnet libdumbnet-dev libdnet-dev libmysqld-dev git-core
apt-get install dh-autoreconf libpcap-dev
  1. On Ubuntu: cd /usr/include && ln -s dumbnet.h dnet.h
  2. cd /usr/lib && ln -s libdumbnet.so libdnet.so
cd /usr/src
git clone https://github.com/firnsy/barnyard2.git

cd barnyard2
sudo autoreconf -fvi -I ./m4
sudo ./configure --with-mysql --with-mysql-libraries=/usr/lib/x86_64-linux-gnu && make && sudo make install

Configuring barnyard2 for Suricata:

cp ./etc/barnyard2.conf /etc/suricata/

Edit the barnyard2 conf file and set the following parameters :

config reference_file:      /etc/suricata/reference.config
config classification_file: /etc/suricata/classification.config
config gen_file:            /etc/suricata/rules/gen-msg.map
config sid_file:            /etc/suricata/rules/sid-msg.map
.....
.....
output database: log, mysql, user=snorbyuser password=PASSWORD123 \
   dbname=snorby host=192.168.1.111 sensor_name=sensor1
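An added sanity check for the barnyard2 database directive above (example script written for this page, not part of the article or of barnyard2): it joins continuation lines the way the barnyard2 parser does (a trailing backslash), pulls out the key=value fields, and refuses the article's PASSWORD123 placeholder. Function names, the key list and the "dbname must be snorby" rule are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the article: sanity-check the barnyard2
# "output database:" directive before pointing the sensor at the Snorby DB.
# Assumes the directive is written as key=value pairs and that any line
# continuation uses a trailing backslash, as the barnyard2 parser expects.

# Print the (continuation-joined) "output database:" line of a barnyard2.conf.
by2_db_directive() {
    # lines ending in "\" lose the backslash and are glued to the next line
    awk '/\\$/ { sub(/\\$/, ""); line = line $0; next }
         { print line $0; line = "" }' "$1" |
        grep '^output database:' | head -n 1
}

# Print the value of one key (user, password, dbname, host, sensor_name).
by2_db_value() {
    by2_db_directive "$1" | tr ' ' '\n' | sed -n "s/^$2=//p"
}

# Return 0 when the directive is usable for Snorby, 1 otherwise; reasons go to stderr.
by2_db_check() {
    conf="$1"; rc=0
    dir=$(by2_db_directive "$conf")
    if [ -z "$dir" ]; then
        echo "no 'output database:' directive found" >&2
        return 1
    fi
    case "$dir" in
        *mysql*) ;;
        *) echo "output plugin is not mysql" >&2; rc=1 ;;
    esac
    # a "/" instead of "\" leaves the second line unjoined, so these show up as missing
    for key in user password dbname host sensor_name; do
        [ -n "$(by2_db_value "$conf" "$key")" ] || { echo "missing $key=" >&2; rc=1; }
    done
    [ "$(by2_db_value "$conf" dbname)" = "snorby" ] || { echo "dbname is not snorby" >&2; rc=1; }
    # the article's PASSWORD123 placeholder must not survive into a running sensor
    [ "$(by2_db_value "$conf" password)" != "PASSWORD123" ] || { echo "placeholder password still set" >&2; rc=1; }
    return "$rc"
}

# Usage: sh check_by2.sh /etc/suricata/barnyard2.conf
if [ $# -eq 1 ]; then
    by2_db_check "$1"
fi
```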

 

++++++++++++++++++++++++++++++++++++++

TROUBLESHOOTING

Sometimes the number of recorded alerts shown on the dashboard stops updating.

Solution: clear the caches table (mysql -p, then: use snorby; truncate table caches; exit) and restart the worker
via Administration -> Worker & Job Queue -> Restart Worker.

Issue 1:
# rake snorby:setup
(in /var/www/snorby)
rake aborted!
You have already activated rake 10.0.3, but your Gemfile requires rake 0.9.2. Using bundle exec may solve this.
/var/www/snorby/config/boot.rb:8
/var/www/snorby/config/application.rb:1
/var/www/snorby/Rakefile:4
(See full trace by running task with --trace)

Solution 1:

# gem uninstall rake –version 10.0.3
 
Select gem to uninstall:
1. rake-0.9.2
2. rake-10.0.3
3. All versions
> 2
Successfully uninstalled rake-10.0.3
INFO:  gem "342200223version" is not installed
INFO:  gem "10.0.3" is not installed

Issue 2:
# rake snorby:setup
(in /var/www/snorby)
Snorby requires Ruby version 1.9.x
We suggest using Ruby Version Manager (RVM) https://rvm.io/ to install the newest release

Solution 2:

# ruby -v
ruby 1.8.7 (2011-06-30 patchlevel 352) [x86_64-linux]
 
Install RVM with ruby:
# curl -L https://get.rvm.io | bash -s stable --ruby
 
Additionally with rails:
# curl -L https://get.rvm.io | bash -s stable --rails
 
# /usr/local/rvm/bin/rvm list known
 
# /usr/local/rvm/bin/rvm install 1.9.3
Already installed ruby-1.9.3-p362.
To reinstall use:
 
    rvm reinstall 1.9.3
 
# /usr/local/rvm/bin/rvm reinstall 1.9.3
 
 
# /usr/local/rvm/bin/rvm use 1.9.3
 
RVM is not a function, selecting rubies with 'rvm use ...' will not work.
 
You need to change your terminal emulator preferences to allow login shell.
Sometimes it is required to use `/bin/bash --login` as the command.
Please visit https://rvm.io/integration/gnome-terminal/ for an example.
 
# /bin/bash --login
 
# rvm use 1.9.3
Using /usr/local/rvm/gems/ruby-1.9.3-p362
 
# ruby -v
ruby 1.9.3p362 (2012-12-25 revision 38607) [x86_64-linux]
# which ruby
/usr/local/rvm/rubies/ruby-1.9.3-p362/bin/ruby

Run the following commands in the /var/www/snorby folder

# rake snorby:setup
(in /var/www/snorby)
Could not find rake-0.9.2 in any of the sources
Try running `bundle install`.
 
# bundle install
 
# gem list | grep rake
rake (10.0.3, 0.9.2)
 
Run the following commands in the /var/www/snorby folder
# rake snorby:setup
(in /var/www/snorby)
1296b52b8ef69eebdfe675a79b3df1240ea6335b42e476cf33915a31a0870d579a4e3bd165d3669a5802593d26de8c9b11ddf26d6cc8e1a1c9c04f450450a193
[datamapper] Created database 'snorby'
[datamapper] Finished auto_upgrade! for :default repository 'snorby'
[~] Adding `index_timestamp_cid_sid` index to the event table
[~] Adding `id` to the event table
[~] Building `aggregated_events` database view
[~] Building `events_with_join` database view
* Removing old jobs
* Starting the Snorby worker process.
* Adding jobs to the queue

Updating Snorby

# cd /var/www/snorby
# git pull origin master
# rake snorby:update