Insta Snorby 0.8.0 Install Notes (Revised): - Snorby/snorby GitHub Wiki

1. Put LAN connection on eth0 (management network interface)
2. Have SPAN connection ready (will go on eth1)
3. Have your Oinkcode handy

1. Enter your Oinkcode
2. Install the security updates

1. NTP – Edit /etc/ntp.conf (add your own ntp server)
2. Apache Ports – Edit /etc/apache2/ports.conf to disable listening on port 80 (if desired) comment out (add “#”) at the start of both lines referencing port 80 and restart by entering: “/etc/init.d/apache2 restart” or simply wait until reboot later
3. Set Snort monitoring port to eth1 (SPAN interface)
4. Set interface to eth1 in /usr/lib/inithooks/everyboot.d/88snortstart
5. Set interface to eth1 in /etc/snort/barnyard2.conf
6. Identify and kill snort and barnyard processes using “ps aux | grep snort”
7. Restart snort: “/usr/local/bin/snort -g snort -u snort -c /etc/snort/snort.conf -i eth1 -D
8. Restart barnyard: /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -G /etc/snort/gen-msg.map -S /etc/sid-msg.map -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -D”

1. Define “$HOME_NET” and “$EXTERNAL_NET” variables
2. Consider and edit all other modifications with caution. https://www.snort.org/docs
3. Consider configuring a BPF file to dump undesired traffic (See ”Creating BPF File” procedure below…)

1. /usr/lib/inithooks/bin/pulledpork.py
2. /usr/lib/inithooks/bin/oinkcode.py
3. /usr/lib/inithooks/bin/interface_select.py
4. /var/spool/cron/crontabs/root
5. /root/crontmp
6. /root/pulledpork-0.6.1/etc/pulledpork.conf (last line MUST reference “0.6.0” instead of “0.6.1”)
7. Test pulledpork by running it manually: /root/pulledpork-0.6.1/pulledpork.pl -c /root/pulledpork-0.6.1/etc/pulledpork.conf -H -v >> /var/log/pulledpork 2>&1
8. Check the date/time stamp on: /etc/snort/rules/snort.rules file or the log data at: /var/log/pulledpork

1. /usr/lib/inithooks/bin/interface_select.py contains a reference to version 0.4-267, which should be 0.6-314.
2. Change interface to eth1 in /etc/openfpc/openfpc-default.conf

1. cd /var/www/snorby
2. cp config/database.yml tmp
3. cp config/snorby_config.yml tmp
4. git stash save
5. git pull
6. git stash clear
7. cp tmp/database.yml config
8. cp tmp/snorby_config.yml config
9. bundle install - -deployment
10. rake snorby:setup

1. Edit /var/www/snorby/config/database.yml as necessary
2. Edit /var/www/snorby/config/snorby_config.yml as necessary

1. Configure network interfaces to static IPs at /etc/network/interfaces
2. Connect SPAN cable to eth1 interface
3. Reboot the server
4. Login to Snorby web interface as [email protected] and configure Admin settings

1. vim /etc/snort/ignore.bpf (to create file and insert tcpdump lines like the following)

not (src host 10.x.x.x or src host 10.x.x.x)

1. vim snort.conf (to add the following lines under “Step #2”)

Config bpf_file: /etc/snort/ignore.bpf

1. Cd to the main snorby directory (in my case it is /var/www/snorby) and execute these commands:
2. rails c
3. Snorby::Jobs.clear_cache(true)
4. Snorby::Jobs.run_now!

1. Cd to the main snorby directory (in my case it is /var/www/snorby) and execute these commands:
2. rails c
3. Snorby::Jobs.reset_cache(:all, true)

1. Cd to the main snorby directory (in my case it is /var/www/snorby) and execute the following commands:
2. rake snorby:hard_reset
3. rails c
4. Snorby::Worker.restart