Ben's notes

Linux, Unix, network, radio...

User Tools

Site Tools


Snort and Snorby

This guide will help you install a Snort sensor and the Snorby web interface.


  • PC Engines APU, as collection device.
  • NAS for storing unified2 logs.
  • Debian Wheezy (7.5) Virtual machine for Snorby & MySQL.

Install PC Engines APU and start Snort

  • Update APU firmware.
  • Install CentOS 6.5.
  • Install RPMforge repository.
  • Download snortrules, the daq and snort RPM from Snort.
  • Install the required libdnet 1.11 package from RPMforge (not 1.12 from EPEL)
    # yum -y install libdnet-1.11
  • Install DAQ and Snort
    # yum -y localinstall ./daq-2.0.2-1.centos6.x86_64.rpm
    # yum -y localinstall ./snort-
  • In my case i had to change the snort userid to match the snort user on the NAS, to be able to write to the NFS share
    # usermod -u 1030 -g 100 snort
  • Mount the NFS share at boot.
    # vi /etc/fstab
    nashost:/volume1/snort /mnt/snort nfs rsize=8192,wsize=8192,timeo=14,intr 0 0
    # mount -a
  • Edit /etc/sysconfig/snort. Configure as needed, but change CONF and LOGDIR, disable ALERTMODE and BINARY_LOG.
  • Create the needed directories and symlinks.
    # ln -s /usr/lib64/snort- /usr/local/lib/snort_dynamicpreprocessor
    # ln -s /usr/lib64/snort- /usr/local/lib/snort_dynamicengine
    # mkdir -p /usr/local/lib/snort_dynamicrules
    # chown -R snort:users /usr/local/lib/snort_dynamicrules
    # chmod -R 700 /usr/local/lib/snort_dynamicrules
    # touch /usr/local/snort/etc/../rules/white_list.rules
    # touch /usr/local/snort/etc/../rules/black_list.rules
  • Extract snort rules.
    # mkdir -p /usr/local/snort
    # tar zxf snortrules-snapshot-2961.tar.gz -C /usr/local/snort
  • Edit /usr/local/snort/etc/snort.conf. For exmaple enable sfportscan, decoder rules, dynamic library rules. Be sure to enable unified2 output.
    output unified2: filename /mnt/snort/log/snort_eth1.u2, limit 128
  • Start snort.
    # service snortd start
    Starting snort: Spawning daemon child...
    My daemon child 27345 lives...
    Daemon parent exiting (0)
                                                               [  OK  ]
  • After a while logs will be created.
    # find /mnt/snort/log/

Install and start Snorby

apt-get install git imagemagick mysql-server wkhtmltopdf curl libxslt-dev libxml2-dev libmysqld-dev

mysql -u root -p
create database snorby;
grant all privileges on snorby.* to "snorby"@"%" identified by "snorby";
flush privileges;

curl -L | bash -s stable --rails

# add your username to the rails group
source /usr/local/rvm/scripts/rvm

rvm list known
rvm install 1.9.3
rvm use 1.9.3
(bundle install)

git clone

cd snorby && bundle install

cp config/database.yml.example config/database.yml
vi config/database.yml

cp config/snorby_config.yml.example  config/snorby_config.yml
vi config/snorby_config.yml

bundle exec rake snorby:setup
bundle exec rails server -e production

Go to: http://snorby:3000/users/login
Password: snorby

Change credentials

Mount NFS share from NAS

#Install barnyard2 on APU sensor
yum install mysql-devel
cd /opt
git clone
cd barnyard2
./configure --with-mysql --with-mysql-libraries=/usr/lib64/mysql --with-mysql-includes=/usr/include/
make install
Create a sample rules file (eg. look at etc/barnyard2.conf)
barnyard2 -?

edit /usr/local/etc/barnyard2.conf

config reference_file:      /usr/local/snort/etc/reference.config
config classification_file: /usr/local/snort/etc/classification.config
config gen_file:            /usr/local/snort/etc/
config sid_file:            /usr/local/snort/etc/
config logdir: /mnt/snort/log
config hostname:   snort
config interface:  eth1
config daemon
config waldo_file: /mnt/snort/bylog.waldo
config archivedir: /mnt/snort/archive
input unified2
output alert_fast: /mnt/snort/log/barnyard2.alert
output database: log, mysql, user=snort password=snortpass dbname=snorby host=snorby

ln -s /etc/snort/ /usr/local/snort/etc
/usr/local/bin/barnyard2 -c /usr/local/etc/barnyard2.conf -d /mnt/snort/log -f snort_eth1.u2
snort_and_snorby.txt · Last modified: 2021/10/09 15:14 by