March 3, 2015

Install Snorby for Suricata on CentOS 7

These instructions are for setting up Snorby and processing Suricata's unified2 logs into the Snorby database.



A working CentOS 7 installation with Suricata.

The EPEL Repository for CentOS 7.

SELinux is set to permissive.

Install CentOS development tools: yum groupinstall "Development Tools"

Install prerequisites available via yum: yum install git ImageMagick wkhtmltopdf zlib-devel mariadb-server mariadb-devel libxml2-devel libxslt-devel libpcap-devel libdnet libdnet-devel httpd httpd-devel libcurl-devel

Install the DAQ binary from rpm -ihv

Optional: yum install phpmyadmin php


Setup MariaDB (MySQL):

systemctl enable mariadb

systemctl start mariadb


Create a snorby mysql database and user.

    Log in to MySQL: mysql -u root -p

    Create the Snorby database: create database snorby;

    Create the Snorby user: create user 'snorby'@'localhost' identified by 'snorbypass';

    Grant all privileges to user snorby on database snorby: grant all privileges on snorby.* to 'snorby'@'localhost';

    Reload the privileges: flush privileges;
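The database steps above as a runnable script, added here as an example and not part of the original post: it generates a random password instead of the literal 'snorbypass', emits the same CREATE/GRANT statements scoped to the snorby schema and to localhost, and writes the password to a root-only file (/root/snorby-db.pass is an assumed location) so it can be copied into database.yml and barnyard2.conf rather than typed on a command line where it would land in shell history.

```shell
#!/bin/sh
# Added example (not from the original post): provision the Snorby database
# and a MariaDB user limited to the snorby schema, with a generated password.
set -u

# 16 random bytes from the kernel CSPRNG, printed as 32 hex characters.
gen_password() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# Emit the SQL for the database, user and grant. The grant covers only
# snorby.* and only connections from localhost, as in the walkthrough.
snorby_sql() {
    user="$1"
    pass="$2"
    cat <<EOF
CREATE DATABASE IF NOT EXISTS snorby;
CREATE USER '${user}'@'localhost' IDENTIFIED BY '${pass}';
GRANT ALL PRIVILEGES ON snorby.* TO '${user}'@'localhost';
FLUSH PRIVILEGES;
EOF
}

# Write the password to a file created with mode 600 (umask 077) so only
# root can read it before it is pasted into the application config files.
save_password() {
    file="$1"
    pass="$2"
    (umask 077 && printf '%s\n' "$pass" > "$file")
}

main() {
    pass=$(gen_password)
    save_password /root/snorby-db.pass "$pass"      # assumed location
    # -p with no value makes mysql prompt for the root password.
    snorby_sql snorby "$pass" | mysql -u root -p
    echo "snorby DB user created; password saved in /root/snorby-db.pass"
}

# Only provision when explicitly asked (SNORBY_PROVISION=1 is an assumed
# switch), so the functions can be sourced and inspected on their own.
if [ "${SNORBY_PROVISION:-}" = "1" ]; then
    main
fi
```

Run it as root with SNORBY_PROVISION=1 sh snorby-db.sh, then put the saved password into database.yml and the barnyard2 output line in place of 'snorbypass'.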


Setup Ruby & Rails:

The yum package for ruby is too new for Snorby. Install RVM (Ruby Version Manager) to install a previous version of ruby.

curl -sSL | bash -s stable

Log out and log in again to get RVM into your path.

Install required dependencies for RVM: rvm requirements

Install ruby 1.9.3: rvm install 1.9.3

Set the default Ruby version: rvm use 1.9.3 --default

Update Ruby Gems: gem update

Install Rails: gem install rails


Setup Snorby:

Change to the /srv directory and download Snorby: git clone


Change to the Snorby download directory and run: bundle install

Change to the Snorby/config directory

Copy database.yml.example to database.yml and snorby_config.yml.example to snorby_config.yml

Edit database.yml and enter your database credentials.

Edit snorby_config.yml and update the production settings to match your environment.

Set up the Snorby database: bundle exec rake snorby:setup

Test Snorby startup: bundle exec rails server -e production

If you can log in using username with password snorby at http://<snorby server ip>:3000, everything went well.


Setup Barnyard2:

Next we'll install Barnyard2 to tie Snorby and Suricata together.

Change to the /srv directory and download Barnyard2: git clone

Change to the /srv/barnyard2 directory and run: ./ , ./configure --with-mysql --with-mysql-libraries=/usr/lib64/mysql, make && make install

Change to the /srv/barnyard2/etc directory and copy barnyard2.conf to /etc/suricata/

Modify /etc/suricata/barnyard2.conf to match your Suricata configuration.

Append the following to barnyard2.conf: output database: log, mysql, user=snorby password=snorbypass dbname=snorby host=localhost

Make the barnyard2 log directory: mkdir /var/log/barnyard2

Test barnyard2 startup: barnyard2 -c /etc/suricata/barnyard2.conf -f unified2.alert

Create a service file called barnyard2.service in /usr/lib/systemd/system/ with the following information:

[Unit]
Description=Barnyard2 Unified2 Log Processor

[Service]
ExecStart=/usr/local/bin/barnyard2 -c /etc/suricata/barnyard2.conf -f unified2.alert

[Install]
WantedBy=multi-user.target


Enable the barnyard2 service: systemctl enable barnyard2

Start the barnyard service: systemctl start barnyard2


Setup Passenger:

Rails does not have its own startup script, but we can start it with Apache using Passenger.

Install Passenger: gem install passenger

Install the Apache module for Passenger: passenger-install-apache2-module

Create an Apache configuration file for Snorby named snorby.conf in /etc/httpd/conf.d/ with the following contents:

<VirtualHost *:80>
    DocumentRoot /srv/snorby/public
    <Directory /srv/snorby/public>
        AllowOverride all
        Options -MultiViews
        Require all granted
    </Directory>
</VirtualHost>

LoadModule passenger_module /usr/local/rvm/gems/ruby-1.9.3-p551/gems/passenger-4.0.59/buildout/apache2/
<IfModule mod_passenger.c>
    PassengerRoot /usr/local/rvm/gems/ruby-1.9.3-p551/gems/passenger-4.0.59
    PassengerDefaultRuby /usr/local/rvm/gems/ruby-1.9.3-p551/wrappers/ruby
</IfModule>


Test the Apache configuration: apachectl configtest

Restart Apache to load the configuration: apachectl restart


Snorby should now be running on port 80 and all services will automatically start on a reboot.
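A post-install check script for the stack above, added here as an example (it is not from the original post, nor from the Snorby or Barnyard2 projects). It verifies that the three files holding the database password are not world-readable, that PassengerRoot in snorby.conf still points at an existing directory (the path is pinned to one gem version and silently breaks after a gem update), that the mariadb, barnyard2 and httpd units are enabled and active, that the Rails test server from the earlier smoke test is no longer listening on port 3000, and that the Apache configuration parses. All paths are the ones used in the walkthrough; SNORBY_CHECK=1 is an assumed switch that runs the whole set.

```shell
#!/bin/sh
# Added example (not part of the original post): post-install checks for
# the Snorby / Barnyard2 / Passenger setup described in the walkthrough.
set -u

# Return 0 when the "other" class has read access (octal mode ends in 4-7).
is_world_readable() {
    case "$(stat -c %a "$1")" in
        *[4567]) return 0 ;;
        *)       return 1 ;;
    esac
}

# database.yml, snorby_config.yml and barnyard2.conf all carry the MariaDB
# password; every local account should not be able to read them.
check_credential_files() {
    rc=0
    for f in "$@"; do
        if [ ! -f "$f" ]; then
            echo "MISSING         $f"; rc=1
        elif is_world_readable "$f"; then
            echo "WORLD-READABLE  $f (chmod o-r)"; rc=1
        else
            echo "ok              $f"
        fi
    done
    return $rc
}

# snorby.conf pins PassengerRoot to one gem version; once that directory is
# gone Apache starts but cannot serve Snorby.
check_passenger_root() {
    root=$(sed -n 's/^[[:space:]]*PassengerRoot[[:space:]]*//p' "$1" | head -n 1)
    if [ -z "$root" ]; then
        echo "PassengerRoot not set in $1"; return 1
    fi
    if [ ! -d "$root" ]; then
        echo "PassengerRoot $root does not exist"; return 1
    fi
    echo "ok              PassengerRoot $root"
}

# A unit must be enabled (survives reboot) and active (running now).
check_unit() {
    systemctl is-enabled --quiet "$1" && systemctl is-active --quiet "$1"
}

# 'rails server' from the smoke test listens on port 3000 on every
# interface and bypasses Apache; it must not be left running.
check_no_dev_server() {
    ! ss -ltn 2>/dev/null | grep -q ':3000 '
}

run_all() {
    status=0
    check_credential_files /srv/snorby/config/database.yml \
        /srv/snorby/config/snorby_config.yml \
        /etc/suricata/barnyard2.conf || status=1
    check_passenger_root /etc/httpd/conf.d/snorby.conf || status=1
    for u in mariadb barnyard2 httpd; do
        check_unit "$u" || { echo "unit $u is not enabled and active"; status=1; }
    done
    check_no_dev_server || { echo "rails dev server still listening on :3000"; status=1; }
    apachectl configtest || status=1
    return $status
}

# Run the full set only when asked, so the functions can be sourced alone.
if [ "${SNORBY_CHECK:-}" = "1" ]; then
    run_all
fi
```

Run it as root after the final restart with SNORBY_CHECK=1 sh snorby-check.sh; a non-zero exit means at least one line above it needs attention.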
