Install and configure Snort in Ubuntu 16.04 (Xenial Xerus) with Barnyard2, PulledPork and Snorby

We are going to use Ubuntu 16.04 (Xenial Xerus) due to a bug in Ubuntu 14.04 LTS regarding Ruby. You can read more about this bug here.

And we are going to host Snort in VMware as a virtual machine:

  • Make sure to select the VMXNET 3 network adapter type when creating the guest system.
  • Install VMware Tools in the guest system.

1 – Configure Ubuntu

Reboot the system

1.1 – Configure Network

Since Ubuntu 15.10, network interfaces follow the Predictable Network Interface Names scheme (for example ens160 rather than eth0). Check the interface name with ifconfig.

We have to disable LRO (Large Receive Offload) and GRO (Generic Receive Offload) on every interface that Snort listens on; otherwise the NIC hands Snort coalesced packets that interfere with stream reassembly. See section 1.5, Packet Acquisition, of the Snort manual for details.

Add the following lines to /etc/network/interfaces for each network interface.

We are using the ens160 interface.

Restart the system and verify that LRO and GRO are disabled.

The output should look like this:
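The following script is an added example and not part of the original post: it checks, after the reboot, that the two offloads are really reported as off by parsing the feature list that ethtool prints. It assumes ethtool is installed and uses the guide's interface name ens160 as the default; the ethtool output embedded in it is a constructed, abridged sample for the offline self-test.

```sh
#!/bin/sh
# Added example (not the post's own configuration): verify that LRO and GRO are
# off on the sniffing interface by parsing "ethtool -k" output.
# Assumes ethtool is installed; ens160 is the interface name used in the guide.
# The interfaces-file lines the guide adds run the equivalent of:
#   ethtool -K ens160 gro off lro off

# Constructed sample of "ethtool -k ens160" output (abridged), used for the
# offline demonstration below.
SAMPLE_FEATURES='Features for ens160:
rx-checksumming: on
generic-receive-offload: off
large-receive-offload: off [fixed]
tcp-segmentation-offload: on'

# offload_check FEATURES_TEXT
#   prints "ok" when both generic-receive-offload and large-receive-offload are
#   reported as "off"; otherwise "still enabled:" followed by the offenders.
#   A feature that is missing from the list is treated as not confirmed off.
offload_check() {
    bad=""
    for feat in generic-receive-offload large-receive-offload; do
        state=$(printf '%s\n' "$1" | awk -v f="$feat" '$1 == (f ":") { print $2 }')
        [ "$state" = "off" ] || bad="$bad $feat"
    done
    if [ -z "$bad" ]; then
        echo ok
    else
        echo "still enabled:$bad"
    fi
}

# live_check [IFACE]
#   runs offload_check against the real interface when ethtool and the
#   interface are present (what you would run after the reboot in step 1.1)
live_check() {
    iface="${1:-ens160}"
    if command -v ethtool >/dev/null 2>&1 && ip link show "$iface" >/dev/null 2>&1; then
        offload_check "$(ethtool -k "$iface")"
    else
        echo "skipped: ethtool or $iface not available"
    fi
}

# Offline demonstration on the constructed sample; call live_check on a real host
offload_check "$SAMPLE_FEATURES"
```

Run `live_check ens160` on the sensor itself; anything other than `ok` means the post-up lines did not take effect and Snort will see merged segments instead of the packets that crossed the wire.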

2 – Install Snort

2.1 – Install Snort prerequisites

And now let’s download, compile and install Snort:

Update the shared libraries, otherwise you will get an error when you try to run Snort:

Create a symlink to the Snort binary:

Now run Snort as a normal user and verify the installation and the configuration:

With the exception of the version numbers, the output should look similar to this:

3 – Configure Snort

Snort should not run as root, so we create an unprivileged user and group for the Snort daemon:

3.1 – Create necessary files and folders

Create files and directories required by Snort:

3.2 – Set permissions in the necessary files and folders

Adjust permissions on files and folders:

3.3 – Copy configuration files

Copy the configuration files and the dynamic preprocessors:

This is our directory layout and file locations:

Description                   Path
Snort log data directory      /var/log/snort
Snort rules directories       /etc/snort/rules
                              /etc/snort/so_rules
                              /etc/snort/preproc_rules
                              /usr/local/lib/snort_dynamicrules
Snort IP list directory       /etc/snort/rules/iplists
Snort dynamic preprocessors   /usr/local/lib/snort_dynamicpreprocessor/

And this is how the directory tree should look:
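The script below is an added example, not the post's own commands: it recreates the step 3 account and the directory layout from the table above, optionally under a prefix so the result can be inspected in a scratch directory without root. The file names black_list.rules and white_list.rules are an assumption (they are the IP-list files the default snort.conf reputation preprocessor expects); the permission values are a sane choice, not a claim about what the post used.

```sh
#!/bin/sh
# Added example (not the post's own commands): recreate the step 3 account and
# directory layout. PREFIX="" applies to the real root; any other prefix is a
# dry run. The black_list/white_list file names are assumed.

SNORT_DIRS="etc/snort etc/snort/rules etc/snort/rules/iplists etc/snort/so_rules
etc/snort/preproc_rules var/log/snort usr/local/lib/snort_dynamicrules
usr/local/lib/snort_dynamicpreprocessor"
SNORT_FILES="etc/snort/rules/iplists/black_list.rules etc/snort/rules/iplists/white_list.rules
etc/snort/rules/local.rules etc/snort/sid-msg.map"
# trees whose ownership and permissions step 3.2 adjusts
SNORT_TOPS="etc/snort var/log/snort usr/local/lib/snort_dynamicrules"

# create_snort_account: system user with no login shell (root only)
create_snort_account() {
    [ "$(id -u)" -eq 0 ] || { echo "skipped: not root"; return 0; }
    getent group snort >/dev/null || groupadd snort
    id snort >/dev/null 2>&1 || useradd -r -s /usr/sbin/nologin -g snort -c SNORT_IDS snort
}

# setup_snort_tree [PREFIX]: directories, empty files, permissions, ownership
setup_snort_tree() {
    prefix="${1:-}"
    for d in $SNORT_DIRS; do mkdir -p "$prefix/$d"; done
    for f in $SNORT_FILES; do [ -e "$prefix/$f" ] || : > "$prefix/$f"; done
    for d in $SNORT_TOPS; do
        # directories: setgid + group-writable so root and snort share them;
        # files: group-writable, never executable
        find "$prefix/$d" -type d -exec chmod 2775 {} +
        find "$prefix/$d" -type f -exec chmod 664 {} +
        # ownership only when the account exists and we may change it
        if id snort >/dev/null 2>&1; then
            chown -R snort:snort "$prefix/$d" 2>/dev/null || echo "ownership skipped (not root)"
        fi
    done
}

# tree_ok [PREFIX] -> "ok" when every expected path exists, else the first missing one
tree_ok() {
    prefix="${1:-}"
    for p in $SNORT_DIRS $SNORT_FILES; do
        [ -e "$prefix/$p" ] || { echo "missing $prefix/$p"; return 1; }
    done
    echo ok
}

# Dry run into a scratch directory; call setup_snort_tree with no argument
# (as root, after create_snort_account) to apply it to the real system.
scratch=$(mktemp -d)
setup_snort_tree "$scratch"
tree_ok "$scratch"
rm -rf "$scratch"
```

The setgid bit on the directories keeps new files group-owned by snort, so rule files that PulledPork later writes as root stay readable by the daemon running as the snort user.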

3.4 – Edit Snort’s configuration file

Snort can run as one of two types of intrusion detection system:

  • Network-based intrusion detection system (NIDS)
  • Host-based intrusion detection system (HIDS)

We are going to run Snort in NIDS mode.

snort.conf references several rule files, and since we are going to use PulledPork to manage the rule sets (PulledPork combines all rules into a single file) we need to comment out those references.

Run the following command to comment out all rulesets:

Now edit the file manually:

Go to line 45 and change:

to

Some guides recommend setting EXTERNAL_NET to !$HOME_NET. Do not do that; it can cause Snort to miss alerts.

Go to line 104

And change the following values:

to

Go to line 545

Uncomment the line:

to enable the local rules and test Snort.

Test the configuration file:

The last two lines of the output should look like this:
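As an added example, not the post's own edits, the script below makes the step 3.4 changes to a copy of snort.conf with sed and then verifies them with grep, so the edit can be repeated on a rebuilt sensor without counting line numbers. The paths are the ones from step 3.3; the HOME_NET value 192.168.1.0/24 is an assumed example and the miniature snort.conf in the script is constructed, containing only the kinds of lines the guide touches. EXTERNAL_NET is left as any, as the guide advises.

```sh
#!/bin/sh
# Added example (not the post's own edits): apply the step 3.4 changes to a
# snort.conf with sed and verify them. Paths match step 3.3; the HOME_NET value
# is whatever network the sensor protects (192.168.1.0/24 is an assumed example).

# Constructed miniature snort.conf with only the lines the guide edits.
SAMPLE_CONF='ipvar HOME_NET any
ipvar EXTERNAL_NET any
var RULE_PATH ../rules
var SO_RULE_PATH ../so_rules
var PREPROC_RULE_PATH ../preproc_rules
var WHITE_LIST_PATH ../rules
var BLACK_LIST_PATH ../rules
include $RULE_PATH/local.rules
include $RULE_PATH/app-detect.rules
include $RULE_PATH/attack-responses.rules'

# configure_snort_conf FILE HOME_NET: edit FILE in place
configure_snort_conf() {
    conf="$1"; home_net="$2"
    # 1. comment out every ruleset include (PulledPork will supply one file)...
    sed -i 's|^include \$RULE_PATH|#include $RULE_PATH|' "$conf"
    # 2. ...then re-enable local.rules only, for the test in step 4
    sed -i 's|^#include \$RULE_PATH/local.rules|include $RULE_PATH/local.rules|' "$conf"
    # 3. the network Snort protects; EXTERNAL_NET deliberately stays "any"
    sed -i "s|^ipvar HOME_NET .*|ipvar HOME_NET $home_net|" "$conf"
    # 4. rule and IP-list locations from step 3.3
    sed -i 's|^var RULE_PATH .*|var RULE_PATH /etc/snort/rules|' "$conf"
    sed -i 's|^var SO_RULE_PATH .*|var SO_RULE_PATH /etc/snort/so_rules|' "$conf"
    sed -i 's|^var PREPROC_RULE_PATH .*|var PREPROC_RULE_PATH /etc/snort/preproc_rules|' "$conf"
    sed -i 's|^var WHITE_LIST_PATH .*|var WHITE_LIST_PATH /etc/snort/rules/iplists|' "$conf"
    sed -i 's|^var BLACK_LIST_PATH .*|var BLACK_LIST_PATH /etc/snort/rules/iplists|' "$conf"
}

# active_includes FILE -> number of uncommented "include $RULE_PATH" lines
active_includes() {
    grep -c '^include \$RULE_PATH' "$1" || true
}

# home_net_of FILE -> the configured HOME_NET value
home_net_of() {
    sed -n 's/^ipvar HOME_NET //p' "$1"
}

# test_snort_conf FILE [IFACE]: Snort's own self-test, when the binary exists
test_snort_conf() {
    command -v snort >/dev/null 2>&1 || { echo "skipped: snort not installed"; return 0; }
    snort -T -c "$1" -i "${2:-ens160}"
}

# Dry run on the sample (use /etc/snort/snort.conf for the real thing)
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_CONF" > "$tmp"
configure_snort_conf "$tmp" 192.168.1.0/24
echo "HOME_NET=$(home_net_of "$tmp") active_includes=$(active_includes "$tmp")"
rm -f "$tmp"
```

After editing the real file, `test_snort_conf /etc/snort/snort.conf` runs the same `snort -T` check the guide describes; `active_includes` should report exactly 1 at this point (local.rules) until the PulledPork output file is added in step 6.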

4 – Test Snort

Since we commented out all rule file references in /etc/snort/snort.conf, no rules are loaded.

You can see that in the output from the last command:

So let’s create a rule to test Snort.

Edit the local.rules file:

Add the line:

Edit the sid-msg.map file:

Add the line:

In this test Snort will generate an alert when it sees an ICMP “Echo request” or “Echo reply” (ping).

Since we modified Snort’s configuration file, let’s test it again:

This time if you look at the output you should see something like this:

Now we can start Snort in NIDS mode from the command line and tell it to print every alert to the console.

We will use the following options:

Option                    Description
-A console                Print fast-mode alerts to stdout
-q                        Quiet mode: do not show the banner and status report
-u snort                  Run Snort as this user
-g snort                  Run Snort as this group
-c /etc/snort/snort.conf  Path to our snort.conf file
-i ens160                 Interface to listen on

Now that Snort is running and listening on ens160, let’s make a ping from another computer.

And the output should be something like this:

Now we know that Snort is running and generating alerts in NIDS mode.

Stop Snort (Ctrl+c).

A copy of this information is now saved in /var/log/snort/snort.log.xxxxxxxxxx
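The script below is an added example, not code from the post: it writes the step 4 test rule and its sid-msg.map entry, and then parses Snort's fast-alert lines (the `-A console` format) to confirm which rule fired and between which hosts. The rule text is an assumption that reproduces the message and classification visible in the alert output quoted later on this page; the sid-msg.map entry uses the one-line v1 format. The first sample alert line is quoted from the page, the other two are constructed.

```sh
#!/bin/sh
# Added example (not from the post): write the step 4 test rule, then parse
# Snort fast-alert lines. Rule body and the v1 sid-msg.map format are assumed.

TEST_SID=10000001
TEST_RULE="alert icmp any any -> \$HOME_NET any (msg:\"ICMP test detected\"; GID:1; sid:$TEST_SID; rev:001; classtype:icmp-event;)"

# write_test_rule RULES_FILE SIDMAP_FILE: append rule and map entry, once only
write_test_rule() {
    grep -q "sid:$TEST_SID;" "$1" 2>/dev/null || printf '%s\n' "$TEST_RULE" >> "$1"
    grep -q "^$TEST_SID ||" "$2" 2>/dev/null || printf '%s || ICMP test detected\n' "$TEST_SID" >> "$2"
}

# snort_console [IFACE]: the step 4 command line (needs root to open the interface)
snort_console() {
    snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i "${1:-ens160}"
}

# Sample alert lines: the first is quoted from this page, the rest are constructed.
PAGE_ALERT='11/27-18:40:56.352141 [**] [1:10000001:1] ICMP test detected [**] [Classification: Generic ICMP event] [Priority: 3] {ICMP} 192.168.100.120 -> 192.168.100.163'
SAMPLE_ALERTS="$PAGE_ALERT
11/27-18:40:57.352900 [**] [1:10000001:1] ICMP test detected [**] [Classification: Generic ICMP event] [Priority: 3] {ICMP} 192.168.100.163 -> 192.168.100.120
11/27-18:41:02.000001 [**] [1:10000002:1] Second local test rule [**] [Classification: Generic ICMP event] [Priority: 3] {TCP} 192.168.100.120:80 -> 192.168.100.163:52144"

# parse_fast_alert LINE -> "gid sid rev src dst"; prints nothing if LINE is not an alert
parse_fast_alert() {
    printf '%s\n' "$1" | sed -n \
        's/^.*\[\([0-9]*\):\([0-9]*\):\([0-9]*\)\] .*{[A-Z]*} \([^ ]*\) -> \([^ ]*\)$/\1 \2 \3 \4 \5/p'
}

# count_sid SID TEXT -> number of alert lines raised by generator 1, rule SID
count_sid() {
    printf '%s\n' "$2" | grep -c "\[1:$1:" || true
}

# Demonstration on the samples
parse_fast_alert "$PAGE_ALERT"
echo "alerts for sid $TEST_SID: $(count_sid "$TEST_SID" "$SAMPLE_ALERTS")"
```

`count_sid` is the check to run against the console output after the pings: a count of zero with traffic flowing means the rule, the HOME_NET value or the interface is wrong, not Snort itself.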

5 – Install Barnyard2

Barnyard2 is an open source interpreter for Snort’s binary output files.

Snort will output events in binary form to a folder, then Barnyard2 will read those files and write them into a MySQL database. This way we can view, search and profile events.

5.1 – Install Barnyard2 prerequisites

Tell Snort to output alerts in binary (unified2) format:

Go to line 521

Change:

to

5.2 – Download and install Barnyard2

5.3 – Create necessary files and folders

5.4 – Create the MySQL database

5.5 – Configure Barnyard2 to use the MySQL database

Add the following line at the end of the file:

Change the permissions on the file so that other users cannot read it (it holds the database credentials):

Test the configuration

We are going to test 3 things here:

  • Snort is writing events to the correct binary log file
  • Barnyard is reading those logs
  • Barnyard is writing the events to the MySQL database

Run Snort in alert mode:

Here we do not have the -A console flag, so you will not see any output in the terminal.

Ping Snort’s ens160 interface from another computer a few times, then press Ctrl+c to stop Snort.

There should be a snort.u2.xxxxxxxxxx file in /var/log/snort

Run Barnyard, tell it to read the events in snort.u2.xxxxxxxxxx and load them into the database.

We are going to use the following options:

Option                              Description
-c /etc/snort/barnyard2.conf        Path to the barnyard2.conf file
-d /var/log/snort                   Folder to look for Snort output files in
-f snort.u2                         Filename prefix to look for in that folder (snort.u2.nnnnnnnnnn)
-w /var/log/snort/barnyard2.waldo   Location of the waldo file (bookmark file)
-u snort                            Run Barnyard2 as this user
-g snort                            Run Barnyard2 as this group

Run the command:

And you should get an output similar to this:

After pressing Ctrl+c to stop Barnyard2, you will see information about the records it processed.

Let’s check now if Barnyard2 wrote the events into the database:

The output should look similar to this:

If the count is greater than 0, Snort and Barnyard2 are properly installed and configured.
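As an added example, not the post's own commands, the script below checks the three things this step tests: that a unified2 spool file exists, that barnyard2.conf (which carries the MySQL password) is not readable by other users, and that events are arriving in the database. The paths and option values are the guide's; the database name snort, the user snort and the `event` table are assumptions (the table name is the one in Barnyard2's MySQL schema), and the spool file names and configuration line used in the dry run are constructed.

```sh
#!/bin/sh
# Added example (not the post's own commands): verify the Snort -> unified2 ->
# Barnyard2 -> MySQL pipeline. Database/user names are assumed; the password
# is never put on the command line (use ~/.my.cnf or the MYSQL_PWD variable).

SPOOL_DIR=/var/log/snort
BY2_CONF=/etc/snort/barnyard2.conf

# latest_spool_file DIR -> newest snort.u2.<timestamp> file, empty if none
latest_spool_file() {
    ls -1 "$1"/snort.u2.* 2>/dev/null | sort | tail -n 1
}

# secret_config_ok FILE -> "ok", or why the file is unsafe/incomplete:
#   it must contain the "output database:" line with a password and must not
#   be readable by "other" (mode bit 004)
secret_config_ok() {
    [ -f "$1" ] || { echo "missing"; return 0; }
    grep -q '^output database:.*password=' "$1" || { echo "no output database line"; return 0; }
    [ -z "$(find "$1" -prune -perm -004)" ] || { echo "world-readable"; return 0; }
    echo ok
}

# event_count -> rows in Barnyard2's event table; "skipped" when mysql is absent
event_count() {
    command -v mysql >/dev/null 2>&1 || { echo skipped; return 0; }
    mysql -u snort -D snort -N -s -e 'SELECT COUNT(*) FROM event;'
}

# barnyard2_read: the step 5 command line with the options from the table above
barnyard2_read() {
    barnyard2 -c "$BY2_CONF" -d "$SPOOL_DIR" -f snort.u2 \
        -w "$SPOOL_DIR/barnyard2.waldo" -u snort -g snort
}

# pipeline_report [DIR] [CONF]: one line per check (defaults are the real paths)
pipeline_report() {
    dir="${1:-$SPOOL_DIR}"; conf="${2:-$BY2_CONF}"
    spool=$(latest_spool_file "$dir")
    echo "spool file: ${spool:-none found in $dir}"
    echo "barnyard2.conf: $(secret_config_ok "$conf")"
    echo "events in database: $(event_count)"
}

# Dry run on a constructed spool directory and configuration file
demo=$(mktemp -d)
touch "$demo/snort.u2.1480270000" "$demo/snort.u2.1480279062"
printf 'output database: log, mysql, user=snort password=CHANGEME dbname=snort host=localhost\n' > "$demo/barnyard2.conf"
chmod 640 "$demo/barnyard2.conf"
pipeline_report "$demo" "$demo/barnyard2.conf"
rm -rf "$demo"
```

On the sensor, `pipeline_report` with no arguments uses the real paths; a spool file that never changes while `event_count` stays at 0 points at Barnyard2 (waldo file, credentials) rather than at Snort.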

6 – Install PulledPork

PulledPork is a helper script written in Perl that automatically downloads, combines and installs or updates the latest rules for you.

6.1 – Install PulledPork prerequisites

6.2 – Download and install PulledPork

Check that PulledPork runs:

The output should look like this:

6.3 – Configure PulledPork

First we need to create an account at https://www.snort.org in order to get an Oinkcode, which allows us to download the registered rule set and documentation. The Oinkcode must be kept secret; treat it like a password.

Once we have the Oinkcode we can start configuring PulledPork.

Replace every instance of <oinkcode> with the Oinkcode you got (lines 19 and 26).

Uncomment line 29

Change line 74

from

to

Change line 89

from

to

Change line 92

from

to

Change line 96

from

to

Change line 119

from

to

Change line 133

from

to

Yes, we are using Ubuntu 16.04, but change the line like I did.

Change line 141

from

to

Change line 150

from

to

6.4 – Test the configuration

We are going to test that it works using the following flags:

Option                          Description
-l                              Write detailed logs to /var/log
-c /etc/snort/pulledpork.conf   Path to our pulledpork.conf file

Run the command:

The end of the output should look similar to this:

Here we see that PulledPork downloaded 49580 rules.

After this, the file snort.rules was created in /etc/snort/rules/ and PulledPork combined all the rules into that file.

Now let’s include that file into the Snort configuration.

Around line 539 you will find the Step #7: Customize your rule set section, followed by all the rule files that we commented out previously.

There you can add the line:

Once again, since we modified Snort’s configuration file, let’s test it to make sure everything is in order:

The last two lines of the output should look like this:

Ignore warnings about flowbits not being checked and about duplicate GIDs.

Configure crontab for PulledPork

We want PulledPork to run daily.

Add the lines:
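The script below is an added example and not the post's own configuration. It does two things for this step: it sanity-checks pulledpork.conf before the first run (placeholder Oinkcode left in place, the four path settings this guide expects, and file permissions, since the Oinkcode is a credential), and it wraps the daily job so the new rule set is only put into service after `snort -T` accepts it. The setting names are PulledPork's; the install path /usr/local/bin/pulledpork.pl and the service names snort and barnyard2 are assumptions, and the sample configuration is constructed with a placeholder Oinkcode.

```sh
#!/bin/sh
# Added example (not the post's own configuration): check pulledpork.conf and
# wrap the cron job. pulledpork.pl path and service names are assumed.

PP_CONF=/etc/snort/pulledpork.conf

# Constructed sample with the settings this guide changes; <oinkcode> is the
# placeholder shipped in the stock file.
SAMPLE_PP_CONF='rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<oinkcode>
rule_path=/etc/snort/rules/snort.rules
local_rules=/etc/snort/rules/local.rules
sid_msg=/etc/snort/sid-msg.map
config_path=/etc/snort/snort.conf'

# pulledpork_conf_ok FILE -> "ok" or the first problem found
pulledpork_conf_ok() {
    conf="$1"
    [ -f "$conf" ] || { echo "missing $conf"; return 0; }
    if grep -q '<oinkcode>' "$conf"; then echo "oinkcode placeholder still present"; return 0; fi
    for kv in rule_path=/etc/snort/rules/snort.rules \
              local_rules=/etc/snort/rules/local.rules \
              sid_msg=/etc/snort/sid-msg.map \
              config_path=/etc/snort/snort.conf; do
        grep -q "^$kv\$" "$conf" || { echo "expected $kv"; return 0; }
    done
    # the Oinkcode is a credential: no read access for "other"
    [ -z "$(find "$conf" -prune -perm -004)" ] || { echo "world-readable (oinkcode exposed)"; return 0; }
    echo ok
}

# update_rules: what the daily cron entry should call. Fetches rules, then
# restarts Snort only if the new rule set passes the configuration test, and
# Barnyard2 so it picks up the regenerated sid-msg.map.
update_rules() {
    /usr/local/bin/pulledpork.pl -c "$PP_CONF" -l || return 1
    if snort -T -q -u snort -g snort -c /etc/snort/snort.conf -i ens160; then
        systemctl restart snort barnyard2
    else
        echo "new rules failed snort -T; services not restarted" >&2
        return 1
    fi
}

# Demonstration on the constructed sample (use $PP_CONF for the real file)
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_PP_CONF" > "$tmp"; chmod 640 "$tmp"
pulledpork_conf_ok "$tmp"
rm -f "$tmp"
```

Pointing the crontab line at `update_rules` (saved as a script) instead of at pulledpork.pl directly means a broken rule download is reported in the cron mail instead of taking the sensor down at the next restart.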

7 – Startup Scripts

We are going to create scripts to run Snort and Barnyard2 on system startup.

Remember that this is Ubuntu 16.04, so we use systemd instead of upstart.

7.1 – Snort startup script

Add the code:

Enable the script at boot time:

Start the service:

Check that the service is running:

The output should look similar to this:

7.2 – Barnyard2 startup script

Add the code:

Enable the script at boot time:

Start the service:

Check that the service is running:

The output should look similar to this:

Reboot and verify that both services started with the system.
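The following is an added example, not the post's own unit files: it builds systemd units for Snort and Barnyard2 from the command-line options used in steps 4 and 5. The unit names snort.service and barnyard2.service, the binary path /usr/local/bin and the Restart= policy are assumptions. Both programs are run in the foreground because with Type=simple systemd tracks the process itself, so nothing has to write or delete a pid file under /var/run as the unprivileged snort user.

```sh
#!/bin/sh
# Added example (not the post's own unit files): systemd units for Snort and
# Barnyard2 built from the options used earlier in the guide. Unit names,
# binary path and Restart= policy are assumptions.

# snort_unit [IFACE] -> unit text on stdout
snort_unit() {
    iface="${1:-ens160}"
    cat <<EOF
[Unit]
Description=Snort NIDS daemon
After=network.target

[Service]
Type=simple
ExecStart=/usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i $iface
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF
}

# barnyard2_unit -> unit text on stdout; ordered after MySQL and Snort
barnyard2_unit() {
    cat <<'EOF'
[Unit]
Description=Barnyard2 unified2 spooler
After=network.target mysql.service snort.service
Wants=snort.service

[Service]
Type=simple
ExecStart=/usr/local/bin/barnyard2 -q -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -u snort -g snort
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF
}

# install_units [IFACE]: write, enable and start both units (root only)
install_units() {
    [ "$(id -u)" -eq 0 ] || { echo "skipped: not root"; return 0; }
    snort_unit "$1" > /etc/systemd/system/snort.service
    barnyard2_unit > /etc/systemd/system/barnyard2.service
    systemctl daemon-reload
    systemctl enable snort barnyard2
    systemctl start snort barnyard2
    systemctl --no-pager status snort barnyard2
}

# unit_listens_on UNIT_TEXT -> the interface named in ExecStart, so the switch
# to the promiscuous interface in step 9 can be verified
unit_listens_on() {
    printf '%s\n' "$1" | sed -n 's/^ExecStart=.* -i \([^ ]*\)$/\1/p'
}

echo "snort unit listens on: $(unit_listens_on "$(snort_unit)")"
```

Ordering Barnyard2 after snort.service and mysql.service avoids the spooler starting before there is a spool directory entry to read or a database to write to; Restart=on-failure brings either service back if it dies on a bad packet or a lost database connection.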

8 – Web GUI for Snort

We are going to install Snorby. Snorby is a Ruby on Rails web application for network security monitoring that interfaces with Snort.

8.1 – Install Snorby prerequisites

8.2 – Install Ruby Gems prerequisites

Snorby uses Ruby and it will require several gems to be installed. Since we do not want the documentation to be installed alongside the gems, we run the following commands:

8.3 – Download and install Ruby

8.4 – Install required gems

8.5 – Download Snorby

8.6 – Create Snorby’s web folder

Ignore warnings about running bundle as root.

8.7 – Configure Snorby’s MySQL connection

Here we need to use the root password for the MySQL server so Snorby can create its database. Later we will reconfigure this file to use a dedicated user with low privileges.

Create the configuration file:

Edit it to point to the correct version of wkhtmltopdf.

8.8 – Install Snorby

UPDATE!!!

Due to changes in MySQL 5.7, the do_mysql 0.10.16 gem no longer works, so we have to edit the Gemfile.lock file.

Search for do_mysql (~> 0.10.6) and do_mysql (0.10.16) and replace both with do_mysql (0.10.17).

8.9 – Configure Snorby’s MySQL database

Log into MySQL:

Create a user for Snorby:

Grant Snorby’s user permissions on Snorby’s database only:

Flush privileges:

Exit MySQL.

8.10 – Reconfigure Snorby’s MySQL connection

Edit the username and password. The file should look like this:

8.11 – Test Snorby

This will start Snorby on port 3000. You can visit the server URL but do not log in, we are just testing that it works.

Press Ctrl+c to stop Snorby.

8.12 – Install Phusion Passenger

Phusion Passenger is an application server module for Apache that will serve Snorby.

8.12.1 – Install Phusion Passenger prerequisites

8.12.2 – Install the Passenger gem and the Apache module

This last command will start the Phusion Passenger install wizard.

Press Enter

Using the arrow keys, go to Python.

Press the Space bar to deselect Python

Press Enter

This will start compiling the software and it is going to take a while.

When it finishes compiling, it will tell you to write some lines to the Apache configuration file.

Do not do that; we are going to use a different approach. But copy the lines, because we need them.

Press Enter twice to exit the wizard.

8.12.3 – Configure Apache to use Phusion Passenger

Copy the first line into the file:

Copy the lines:

Enable the passenger module:

Verify that the module is loaded:

Make sure the passenger module is in the output.

8.13 – Create Snorby’s virtualhost

Add the code:

Enable the virtualhost:

Disable the default virtualhost:

8.14 – Integrate Barnyard2 with Snorby

Append to the end of the file:

Disable the previously configured output database:

Restart Barnyard2:

8.15 – Create a daemon for Snorby

Add the code:

Make the script start at system startup:

Check that the script was loaded:

Restart the system, go to the server’s URL and log in with the following info:

Email               Password
snorby@example.com  snorby

8.16 – Verify that alerts are being written into Snorby’s database

Wait a few minutes and check that the events are being written to Snorby’s database:

You can also log into Snorby’s web interface and check for events there.

9 – Snort in promiscuous mode

We are going to tell the ESXi server to mirror all traffic to a specific interface of our IDS server.

9.1 – Create the virtual switch

We need to create a vSwitch in ESXi and configure it:

  • Log into the vCenter server.
  • Select the ESXi host.
  • Click the Configuration tab.
  • On the left, under Hardware, select Networking.
  • Click Properties on the vSwitch that will carry Snort’s listening interface.
  • Under the Ports tab, double-click the virtual switch or port group you want to modify.
  • Under the Security tab, tick the Promiscuous Mode checkbox and select Accept from the drop-down menu.
  • Click OK, then Close.

9.2 – Create a new interface

We need to add a new interface to the IDS server:

  • Log into the vCenter server.
  • Right-click the IDS server and select Edit Settings…
  • Under the Hardware tab, click the Add button.
  • Select Ethernet Adapter and click Next >
  • Select VMXNET 3 as the Adapter Type.
  • Under Named network with specified label:, select the vSwitch with promiscuous mode enabled.
  • Click Next > and then Finish.
  • Click the new network adapter and note its MAC address; we will need it later.
  • Click OK to close the virtual machine properties window.

9.3 – Configure the interface

Remember that interfaces use Predictable Network Interface Names, so we need to find out the name of the new one.

Check the output and look for the MAC address of the new interface to get its name.

In my case it was ens192.

Configure the new interface in promiscuous mode.

Add the following lines:

This is how my interfaces file looks now:

9.4 – Reconfigure Snort

Now we have to tell Snort to listen on the interface with promiscuous mode enabled:

Replace ens160 with ens192.
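The script below is an added example, not the post's own commands: it maps the MAC address noted in step 9.2 to its Predictable Network Interface name by parsing `ip -o link`, generates the interfaces-file stanza for a listening-only interface (link up, promiscuous, no IP address, LRO and GRO off as in step 1.1), and checks the live link flags after the reboot. The `ip -o link` text embedded in it is a constructed sample with placeholder MAC addresses.

```sh
#!/bin/sh
# Added example (not the post's own commands): find the new interface by MAC
# address, generate its /etc/network/interfaces stanza, verify promiscuous mode.

# Constructed sample of "ip -o link" output; the MAC addresses are placeholders.
SAMPLE_LINKS='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000\    link/ether 00:50:56:aa:bb:01 brd ff:ff:ff:ff:ff:ff
3: ens192: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000\    link/ether 00:50:56:aa:bb:02 brd ff:ff:ff:ff:ff:ff'

# iface_by_mac MAC [LINK_TEXT] -> interface name, or nothing if not found.
# Without LINK_TEXT it queries the live system with "ip -o link".
iface_by_mac() {
    mac=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    links="${2:-$(ip -o link)}"
    printf '%s\n' "$links" | awk -v m="$mac" '
        { for (i = 1; i <= NF; i++)
              if ($i == "link/ether" && tolower($(i+1)) == m) { sub(/:$/, "", $2); print $2 } }'
}

# promisc_stanza IFACE -> interfaces(5) stanza for a sniffing-only interface:
# no address, link up and promiscuous, offloads off as in step 1.1
promisc_stanza() {
    cat <<EOF
auto $1
iface $1 inet manual
    up ip link set $1 up promisc on
    post-up ethtool -K $1 gro off lro off
    down ip link set $1 promisc off
    down ip link set $1 down
EOF
}

# is_promisc IFACE -> "yes"/"no" from the live link flags (run after the reboot)
is_promisc() {
    if ip link show "$1" 2>/dev/null | grep -q 'PROMISC'; then echo yes; else echo no; fi
}

# Demonstration on the constructed sample
new_if=$(iface_by_mac 00:50:56:aa:bb:02 "$SAMPLE_LINKS")
echo "new interface: $new_if"
promisc_stanza "$new_if"
```

Giving the sniffing interface no IP address (inet manual) keeps the sensor invisible on the mirrored segment: it receives everything the vSwitch passes in promiscuous mode but cannot be addressed on that network, while management stays on ens160.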

And that’s all. Now you have Snort, Barnyard2, PulledPork and Snorby all working together.

38 thoughts on “Install and configure Snort in Ubuntu 16.04 (Xenial Xerus) with Barnyard2, PulledPork and Snorby”

  1. Hello,

    Great guide and was able to complete it. Am just facing one issue at the moment.
    I made this in a virtual environment with 16.04 Ubuntu machines where one of them is the snort/snorby IDS.

    The problem is with Barnyard2. I was able to create the startup script and currently it’s running fine. But once I load pulledpork to update its rules (which runs fine) I need to restart the Barnyard2 service to make them active. This is where it goes wrong. It’s not able to restart the Barnyard2 service. It gets stuck on a permission error in /var/run/ where the .pid files are located. These seem to be created by root but when restarting barnyard2 it’s creating these files, then writing to them and when those files need to be deleted to end the startup process of the service, it degrades to the username and group we defined in the startup script, namely -u snort and -g snort; these obviously don’t have permissions to remove the .pid files that are in /var/run created by root. Same thing happens when using the manual command to start barnyard2, so it’s not just the startup script.

    Please see the following website where they describe the same thing: http://seclists.org/snort/2014/q4/227

    Do you have any idea how I would fix this?

    1. Hello, I am going to replicate the process again and check if I get the same error. But I do not remember having any problem. I will reply when I finish testing.

      Best regards

    2. Ok two things:

      One – There was an error in step 6.3. In the “Change line 89” I had “rule_path=/etc/snort/rules/snort.rules” but it should be “local_rules=/etc/snort/rules/local.rules” I already fixed that

      Two – In step “8.8 – Install Snorby” I updated the info because there was an Update for MySQL.

      I will post a video doing everything from scratch, just have to compress it.

      Hope this solves your problem.

      Best regards

      1. Hello,

        Sorry for the delayed reply.
        I appreciate the fact that you checked for the issue and attempted to resolve it.
        For now I will have to trust your word on the fact that it solved the issue as for the moment I tried a workaround that currently works for me, but it’s not pretty at all.

        So just for anyone else reading this.
        I changed my credentials to root in the barnyard2.service so that it would run with superuser at any time and not face the permission error. That’s not what fixed it by the way because I faced another MySQL error which told me it was having duplicate entries in the database. So what I did was, went into the database, searched for all entries of which the ref_sig was higher than 1 and deleted those. Basically removing all my previous detection messages. (It was a test environment anyway so it didn’t matter).

        @Uhtdi, I will try your adjusted guide anyway and see if that fixes it the way it should be done. Thanks for everything.

      2. Now having read your changes (should have done that first) I noticed you added a piece of information on the gemlock file. This is an issue I also faced and fixed after a long time of using Google. Glad you found it as well and added it to the guide.

        Thanks again.

  2. Hello,
    I have got some errors.

    ————————
    8.8 – Install Snorby
    ————————
    $ sudo bundle exec rake snorby:setup
    Jammit Warning: Asset compression disabled — Java unavailable.
    No time_zone specified in snorby_config.yml; detected time_zone: Asia/Novosibirsk
    2b487ce1f5811926270e01b1cd7c93c906c21b54a8ce3133d406039592630b8707bd52196ebfe42281cbc49e612fe470739bcff15bdd2c16a985fd649b1e9b41
    mysql: [Warning] Using a password on the command line interface can be insecure.
    [datamapper] Created database ‘snorby’
    rake aborted!
    You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1

    Tasks: TOP => db:autoupgrade
    (See full trace by running task with –trace)

    ———————-
    8.11 – Test Snorby
    ———————-
    $ sudo bundle exec rails server -e production
    Could not find do_mysql-0.10.17 in any of the sources
    Run bundle install to install missing gems.

    What could be the reason for the problem?

    1. Hi. No idea; that error could be something in Ruby or in MySQL.

      You cannot get to step 8.11 if you are getting errors in step 8.8

      Are you using Ubuntu 16.04? Because if not, you do not have to change the do_mysql version in step 8.8.

      Best regards

  3. Great build. Getting syntax error for line 140 passenger.load in apache2.conf with apache refusing to start. Noticed the first config line in 8.12.2 that the phusion passenger install wizard wants you copy is different from the one you provided and I entered in 8.12.3. Entered both ways but same error.

    Suggestions? Thanks!

    1. Not really, don’t know what the problem could be. Maybe another package changed. I already made the video where I follow all these steps, just have to edit it but right now I am very busy at work.

      The 8.12.2 step is correct; I do not copy those lines into the Apache configuration file because I use a different method. But the error you get sounds more like a Ruby problem.

      I will post the video as soon as I can.

      Best regards

    2. Hi there.
      If you started with a fresh install of 16.04, rvm is not installed, so /usr/local/rvm does not exist.
      Try searching mod_passenger

      sudo find /usr -name mod_passenger.so

      Mine is at:
      /usr/local/lib/ruby/gems/2.3.0/gems/passenger-5.0.30/buildout/apache2/mod_passenger.so

      And write that path to
      /etc/apache2/mods-available/passenger.load :
      LoadModule passenger_module /usr/local/lib/ruby/gems/2.3.0/gems/passenger-5.0.30/buildout/apache2/mod_passenger.so

      Best,
      Leo.

  4. So when I log in the first time to the web site I receive:

    We’re sorry, but something went wrong.

    We’ve been notified about this issue and we’ll take a look at it shortly.

    After looking at the apache2 error.log I see the user doesn’t exist…

    App 3505 stderr: DataObjects::SyntaxError (Table 'snorby.users' doesn't exist):
    App 3505 stderr: app/controllers/application_controller.rb:37:in `user_setup'
    App 3505 stderr:
    App 3505 stderr:
    App 3505 stderr: Table 'snorby.users' doesn't exist (code: 1146, sql state: 42S02, query: SELECT id, email, encrypted_password, remember_token, remember_created_at, reset_password_token, sign_in_count, current_sign_in_at, last_sign_in_at, current_sign_in_ip, last_sign_in_ip, favorites_count, accept_notes, notes_count, per_page_count, admin, enabled, gravatar, created_at, updated_at, online, last_daily_report_at, last_weekly_report_at, last_monthly_report_at, last_email_report_at, email_reports FROM users WHERE email = 'snorby@example.com' LIMIT 1, uri: mysql:snorby@localhostsnorby?database=snorby&path=snorby&adapter=mysql&username=snorby&password=jd5t258x3Y&host=localhost)
    App 3505 stderr:
    App 3505 stderr: DataObjects::SyntaxError (Table 'snorby.users' doesn't exist):
    App 3505 stderr: app/controllers/application_controller.rb:37:in `user_setup'
    App 3505 stderr:
    App 3505 stderr:

    Can you point me to where I need to add this user?

    Thank you,
    A

  5. Hi, this user is created by default. From your log output, what I can see is that maybe you missed something while configuring MySQL.

    Did you skip Step 8.8?

    Because you are getting:

    App 3505 stderr: DataObjects::SyntaxError (Table ‘snorby.users’ doesn’t exist):

    And that table should be created when you run:

    :~$ sudo bundle exec rake snorby:setup

    1. Thank you for the reply, yes, the user was created and I’ve verified this by querying the list of users.

      I’ve even deleted the account and recreated it. Very odd…

      At this point I will just start from scratch since this is a new install…

  6. Ok so I’ve gotten as far as 8.8, sudo bundle exec rake snorby:setup, and it’s thrown the following error:

    infra@snort01a:/var/www/html/snorby$ sudo bundle exec rake snorby:setup
    Jammit Warning: Asset compression disabled — Java unavailable.
    No time_zone specified in snorby_config.yml; detected time_zone: US/Central
    10a441230171e67d0a0c42c65f6605d51e6014176aa4b839173d3b99b4ee841a77322d8192c1f085c016dd7e4e2e7769aac532e1c17665abf3a295e368b76cc3
    mysql: [Warning] Using a password on the command line interface can be insecure.
    [datamapper] Created database ‘snorby’
    rake aborted!
    You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1

    Tasks: TOP => db:autoupgrade
    (See full trace by running task with –trace)

    infra@snort01a:/var/www/html/snorby$ sudo bundle exec rake snorby:setup –trace
    Jammit Warning: Asset compression disabled — Java unavailable.
    No time_zone specified in snorby_config.yml; detected time_zone: US/Central
    ** Invoke snorby:setup (first_time)
    ** Invoke environment (first_time)
    ** Execute environment
    ** Execute snorby:setup
    ** Invoke secret (first_time)
    ** Execute secret
    d617957c141574101eb5d74a4fa9165c63ca463913e8cd44c34cabdf6c32b842d4d94163e3b8b93e1058331cddfb0f27ed8270df7e31e4f3c22051ade228043d
    ** Invoke db:create (first_time)
    ** Invoke environment
    ** Execute db:create
    mysql: [Warning] Using a password on the command line interface can be insecure.
    ERROR 1007 (HY000) at line 1: Can’t create database ‘snorby’; database exists
    ** Invoke snorby:update (first_time)
    ** Invoke environment
    ** Execute snorby:update
    ** Invoke db:autoupgrade (first_time)
    ** Invoke environment
    ** Execute db:autoupgrade
    rake aborted!
    You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1
    /usr/local/lib/ruby/gems/2.3.0/gems/dm-do-adapter-1.2.0/lib/dm-do-adapter/adapter.rb:34:in `execute_reader'
    /usr/local/lib/ruby/gems/2.3.0/gems/dm-do-adapter-1.2.0/lib/dm-do-adapter/adapter.rb:34:in `block in select'
    /usr/local/lib/ruby/gems/2.3.0/gems/dm-do-adapter-1.2.0/lib/dm-do-adapter/adapter.rb:276:in `with_connection'
    /usr/local/lib/ruby/gems/2.3.0/gems/dm-do-adapter-1.2.0/lib/dm-do-adapter/adapter.rb:33:in `select'
    /usr/local/lib/ruby/gems/2.3.0/gems/dm-migrations-1.2.0/lib/dm-migrations/adapters/dm-mysql-adapter.rb:22:in `storage_exists?'
    /usr/local/lib/ruby/gems/2.3.0/gems/dm-migrations-1.2.0/lib/dm-migrations/adapters/dm-do-adapter.rb:90:in `create_model_storage'
    /usr/local/lib/ruby/gems/2.3.0/gems/dm-migrations-1.2.0/lib/dm-migrations/adapters/dm-do-adapter.rb:57:in `upgrade_model_storage'
    /usr/local/lib/ruby/gems/2.3.0/gems/dm-migrations-1.2.0/lib/dm-migrations/auto_migration.rb:73:in `upgrade_model_storage'
    /usr/local/lib/ruby/gems/2.3.0/gems/dm-migrations-1.2.0/lib/dm-migrations/auto_migration.rb:145:in `auto_upgrade!'
    /usr/local/lib/ruby/gems/2.3.0/gems/dm-migrations-1.2.0/lib/dm-migrations/auto_migration.rb:47:in `block in repository_execute'
    /usr/local/lib/ruby/gems/2.3.0/gems/dm-migrations-1.2.0/lib/dm-migrations/auto_migration.rb:46:in `each'
    /usr/local/lib/ruby/gems/2.3.0/gems/dm-migrations-1.2.0/lib/dm-migrations/auto_migration.rb:46:in `repository_execute'
    /usr/local/lib/ruby/gems/2.3.0/gems/dm-migrations-1.2.0/lib/dm-migrations/auto_migration.rb:27:in `auto_upgrade!'
    /usr/local/lib/ruby/gems/2.3.0/gems/dm-rails-1.2.1/lib/dm-rails/railties/database.rake:47:in `block (3 levels) in '
    /usr/local/lib/ruby/gems/2.3.0/gems/dm-rails-1.2.1/lib/dm-rails/railties/database.rake:46:in `each'
    /usr/local/lib/ruby/gems/2.3.0/gems/dm-rails-1.2.1/lib/dm-rails/railties/database.rake:46:in `block (2 levels) in '
    /usr/local/lib/ruby/gems/2.3.0/gems/rake-0.9.2/lib/rake/task.rb:205:in `block in execute'
    /usr/local/lib/ruby/gems/2.3.0/gems/rake-0.9.2/lib/rake/task.rb:200:in `each'
    /usr/local/lib/ruby/gems/2.3.0/gems/rake-0.9.2/lib/rake/task.rb:200:in `execute'
    /usr/local/lib/ruby/gems/2.3.0/gems/rake-0.9.2/lib/rake/task.rb:158:in `block in invoke_with_call_chain'
    /usr/local/lib/ruby/2.3.0/monitor.rb:214:in `mon_synchronize'
    /usr/local/lib/ruby/gems/2.3.0/gems/rake-0.9.2/lib/rake/task.rb:151:in `invoke_with_call_chain'
    /usr/local/lib/ruby/gems/2.3.0/gems/rake-0.9.2/lib/rake/task.rb:144:in `invoke'
    /var/www/html/snorby/lib/tasks/snorby.rake:40:in `block (2 levels) in '
    /usr/local/lib/ruby/gems/2.3.0/gems/rake-0.9.2/lib/rake/task.rb:205:in `block in execute'
    /usr/local/lib/ruby/gems/2.3.0/gems/rake-0.9.2/lib/rake/task.rb:200:in `each'
    /usr/local/lib/ruby/gems/2.3.0/gems/rake-0.9.2/lib/rake/task.rb:200:in `execute'
    /usr/local/lib/ruby/gems/2.3.0/gems/rake-0.9.2/lib/rake/task.rb:158:in `block in invoke_with_call_chain'
    /usr/local/lib/ruby/2.3.0/monitor.rb:214:in `mon_synchronize'
    /usr/local/lib/ruby/gems/2.3.0/gems/rake-0.9.2/lib/rake/task.rb:151:in `invoke_with_call_chain'
    /usr/local/lib/ruby/gems/2.3.0/gems/rake-0.9.2/lib/rake/task.rb:144:in `invoke'
    /var/www/html/snorby/lib/tasks/snorby.rake:33:in `block (2 levels) in '
    /usr/local/lib/ruby/gems/2.3.0/gems/rake-0.9.2/lib/rake/task.rb:205:in `block in execute'
    /usr/local/lib/ruby/gems/2.3.0/gems/rake-0.9.2/lib/rake/task.rb:200:in `each'
    /usr/local/lib/ruby/gems/2.3.0/gems/rake-0.9.2/lib/rake/task.rb:200:in `execute'
    /usr/local/lib/ruby/gems/2.3.0/gems/rake-0.9.2/lib/rake/task.rb:158:in `block in invoke_with_call_chain'
    /usr/local/lib/ruby/2.3.0/monitor.rb:214:in `mon_synchronize'
    /usr/local/lib/ruby/gems/2.3.0/gems/rake-0.9.2/lib/rake/task.rb:151:in `invoke_with_call_chain'
    /usr/local/lib/ruby/gems/2.3.0/gems/rake-0.9.2/lib/rake/task.rb:144:in `invoke'
    /usr/local/lib/ruby/gems/2.3.0/gems/rake-0.9.2/lib/rake/application.rb:112:in `invoke_task'
    /usr/local/lib/ruby/gems/2.3.0/gems/rake-0.9.2/lib/rake/application.rb:90:in `block (2 levels) in top_level'
    /usr/local/lib/ruby/gems/2.3.0/gems/rake-0.9.2/lib/rake/application.rb:90:in `each'
    /usr/local/lib/ruby/gems/2.3.0/gems/rake-0.9.2/lib/rake/application.rb:90:in `block in top_level'
    /usr/local/lib/ruby/gems/2.3.0/gems/rake-0.9.2/lib/rake/application.rb:129:in `standard_exception_handling'
    /usr/local/lib/ruby/gems/2.3.0/gems/rake-0.9.2/lib/rake/application.rb:84:in `top_level'
    /usr/local/lib/ruby/gems/2.3.0/gems/rake-0.9.2/lib/rake/application.rb:62:in `block in run'
    /usr/local/lib/ruby/gems/2.3.0/gems/rake-0.9.2/lib/rake/application.rb:129:in `standard_exception_handling'
    /usr/local/lib/ruby/gems/2.3.0/gems/rake-0.9.2/lib/rake/application.rb:59:in `run'
    /usr/local/lib/ruby/gems/2.3.0/gems/rake-0.9.2/bin/rake:32:in `'
    /usr/local/bin/rake:23:in `load'
    /usr/local/bin/rake:23:in `'
    /usr/local/lib/ruby/gems/2.3.0/gems/bundler-1.12.5/lib/bundler/cli/exec.rb:63:in `load'
    /usr/local/lib/ruby/gems/2.3.0/gems/bundler-1.12.5/lib/bundler/cli/exec.rb:63:in `kernel_load'
    /usr/local/lib/ruby/gems/2.3.0/gems/bundler-1.12.5/lib/bundler/cli/exec.rb:24:in `run'
    /usr/local/lib/ruby/gems/2.3.0/gems/bundler-1.12.5/lib/bundler/cli.rb:304:in `exec'
    /usr/local/lib/ruby/gems/2.3.0/gems/bundler-1.12.5/lib/bundler/vendor/thor/lib/thor/command.rb:27:in `run'
    /usr/local/lib/ruby/gems/2.3.0/gems/bundler-1.12.5/lib/bundler/vendor/thor/lib/thor/invocation.rb:126:in `invoke_command'
    /usr/local/lib/ruby/gems/2.3.0/gems/bundler-1.12.5/lib/bundler/vendor/thor/lib/thor.rb:359:in `dispatch'
    /usr/local/lib/ruby/gems/2.3.0/gems/bundler-1.12.5/lib/bundler/vendor/thor/lib/thor/base.rb:440:in `start'
    /usr/local/lib/ruby/gems/2.3.0/gems/bundler-1.12.5/lib/bundler/cli.rb:11:in `start'
    /usr/local/lib/ruby/gems/2.3.0/gems/bundler-1.12.5/exe/bundle:27:in `block in '
    /usr/local/lib/ruby/gems/2.3.0/gems/bundler-1.12.5/lib/bundler/friendly_errors.rb:98:in `with_friendly_errors'
    /usr/local/lib/ruby/gems/2.3.0/gems/bundler-1.12.5/exe/bundle:19:in `'
    /usr/local/bin/bundle:23:in `load'
    /usr/local/bin/bundle:23:in `'
    Tasks: TOP => db:autoupgrade
    infra@snort01a:/var/www/html/snorby$

    The snorby db was created in 8.7 if I’m not mistaken, so I’m not sure why it is complaining.

    Let me know what you think.

    Thank you!

  7. Update—

    Ah, you have to edit the Gemfile.lock before running:

    sudo bundle exec rake snorby:setup

    Now I’m presented with the following:

    Could not find do_mysql-0.10.17 in any of the sources
    Run bundle install to install missing gems.

    So I will re-run the bundle install, hopefully this will correct the issues.

  8. Thanks for the detailed post! I signed up for your site because you are actively writing detailed how-to guides for Ubuntu. I realized I probably should have made sure you’re not releasing any email addresses to other parties? 🙂

    My question is on the topic of rolling your own vs the pre-compiled snort packages available through Ubuntu. Did you compile yourself because that is your personal SOP, or did you find something not to your liking with the precompiled snort packages? (I have not looked for the others yet).

    Cheers, Tim

    1. Hi there. I compiled it myself because I wanted to install the latest version and also to have a bit more of control over the configuration (files and folders location). Glad you find my posts useful.

      Regards

  9. Hello, thank you for the post.
    I have followed your tutorial but I have a problem installing snorby.
    The error message I got is:
    “An error occurred while installing do_postgres (0.10.16) and Bundler cannot continue. Make sure that ‘gem install do_postgres -v ‘0.10.16” succeeds before bundling.
    The log says it is missing postgres.h. I have installed libpq, still it’s not bundling. I have also tried to install the gem without success. Rather it seems to install do_postgres version 0.10.19.
    Please I need help.
    Thank you.

      1. No. I’m using MySQL too. I don’t know why it is asking for gem install do_postgres -v ‘0.10.16’ after the “bundle install” command.

        I followed this tutorial step by step.

        Regards

      2. Hi, I’m getting the same error when running sudo bundle install, please help me, it’s urgent. I’m doing my final year project with this. If you can provide a complete video for this tutorial it will be great.

  10. Hi, I have a problem logging in to snorby: when I enter the URL or 127.0.0.1 it displays the index of the path folder in the browser. Please help, I need to demo tomorrow :(. What am I doing wrong??

    Index of /
    [ICO] Name Last modified Size Description
    [TXT] 404.html 2016-11-22 09:01 728
    [TXT] 422.html 2016-11-22 09:01 711
    [TXT] 500.html 2016-11-22 09:01 728
    [DIR] assets/ 2016-11-22 09:01 –
    [IMG] favicon.ico 2016-11-22 09:01 0
    [IMG] favicon.png 2016-11-22 09:01 1.2K
    [DIR] flash/ 2016-11-22 09:01 –
    [DIR] images/ 2016-11-22 09:01 –
    [DIR] javascripts/ 2016-11-22 09:01 –
    [TXT] robots.txt 2016-11-22 09:01 204
    [DIR] stylesheets/ 2016-11-22 09:01 –
    Apache/2.4.18 (Ubuntu) Server at 127.0.0.1 Port 80

  11. Hi… barnyard2 has a problem writing SQL data

    Using waldo file ‘/var/log/snort/barnyard2.waldo’:
    spool directory = /var/log/snort
    spool filebase = snort.u2
    time_stamp = 1480279062
    record_idx = 221
    Opened spool file ‘/var/log/snort/snort.u2.1480279062’
    11/27-18:40:56.352141 [**] [1:10000001:1] ICMP test detected [**] [Classification: Generic ICMP event] [Priority: 3] {ICMP} 192.168.100.120 -> 192.168.100.163
    ERROR: database mysql_error: Data too long for column ‘data_payload’ at row 1
    SQL=[INSERT INTO data (sid,cid,data_payload) VALUES (1,128,’… Error, Quitting..
    Barnyard2 exiting
    database: Closing connection to database “snorby”

  12. Hi Dear,
    When I execute the 7.1 step to enable snort at startup I get this error:

    Synchronizing state of snort.service with SysV init with /lib/systemd/systemd-sysv-install…
    Executing /lib/systemd/systemd-sysv-install enable snort
    insserv: snort: Not a directory
    update-rc.d: error: insserv rejected the script header
    .

  13. Followed all the procedures and everything works fine, except it seems to generate alerts that match ‘local.rules’ only.
    I made sure I commented out “include $RULE_PATH/snort.rules” in the snort.conf file and “rule_path=/etc/snort/rules/snort.rules” in pulledpork.conf, but still no success.

    I ran an nmap scan & some ping flooding commands but nothing was recorded in the snorby database, which shows only items matching local.rules.

    Any help would be greatly appreciated.

  14. Great guide! Lengthy and in depth!
    I’m having some problems though.

    After having pulledpork update my rules, Barnyard2 won’t write to the SQL.
    At first it worked out pretty well, with Barnyard just writing that ICMP rule to its own Snort SQL. Then, after having PulledPork run as well as setting up Snorby and switching Barnyard to the Snorby DB, it did not work anymore.

    I’ve tried to launch Barnyard with the “old” DB config to have it write to the Snort DB but no go.
    My unified2 binaries are being updated so Snort works.

    Here’s my systemctl status of Barnyard2.

    $ systemctl status barnyard2
    * barnyard2.service – Barnyard2 Daemon
    Loaded: loaded (/lib/systemd/system/barnyard2.service; enabled; vendor preset: enabled)
    Active: inactive (dead) since Mon 2017-03-13 14:59:51 CET; 17h ago
    Process: 1364 ExecStart=/usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -q -w /var/log/snort/barnyard2.waldo -g snort -u snort -D -a /var/log/snort/archived_logs (code=exited, status=0/SUCCESS)
    Main PID: 1364 (code=exited, status=0/SUCCESS)

    Mar 13 14:42:49 localhost barnyard2[1364]: Log directory = /var/log/barnyard2
    Mar 13 14:42:49 localhost barnyard2[1364]: INFO database: Defaulting Reconnect/Transaction Error limit to 10
    Mar 13 14:42:49 localhost barnyard2[1364]: INFO database: Defaulting Reconnect sleep time to 5 second
    Mar 13 14:42:49 localhost barnyard2[1364]: Initializing daemon mode
    Mar 13 14:42:49 localhost barnyard2[1364]: Daemon initialized, signaled parent pid: 1
    Mar 13 14:42:49 localhost barnyard2[1364]: PID path stat checked out ok, PID path set to /var/run/
    Mar 13 14:42:49 localhost barnyard2[1364]: Writing PID “1364” to file “/var/run//barnyard2_NULL.pid”
    Mar 13 14:47:10 localhost barnyard2[1364]: [SignaturePullDataStore()]: No signature found in database …

  15. Hello,

    I did the steps as you mentioned but I do not understand the area promiscuously, I create another physical interface, I put another vswitch, but it does not retrieve any information from the network.

    Thanks in advance.

  16. Great guide!! Especially in snorby installation section…
    But I have a question: do you know which password I must use when I want to export to PDF?
    Because when it is downloaded I have to enter a username and password…..
    Thank you…

  17. Hello,

    My first post, and I have a problem 🙂

    I am stuck at step 5.5. Barnyard doesn’t read the log files well, I think…

    Example:

    root@SRV-SNORT:/home/bogdan# sudo /usr/local/bin/snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0
    04/24-20:04:22.808300 [**] [1:10000001:1] ICMP test detected [**] [Classification: Generic ICMP event] [Priority: 3] {ICMP} 192.168.200.10 -> 192.168.200.3
    04/24-20:04:22.808324 [**] [1:10000001:1] ICMP test detected [**] [Classification: Generic ICMP event] [Priority: 3] {ICMP} 192.168.200.3 -> 192.168.200.10
    04/24-20:04:23.820871 [**] [1:10000001:1] ICMP test detected [**] [Classification: Generic ICMP event] [Priority: 3] {ICMP} 192.168.200.10 -> 192.168.200.3
    04/24-20:04:23.820886 [**] [1:10000001:1] ICMP test detected [**] [Classification: Generic ICMP event] [Priority: 3] {ICMP} 192.168.200.3 -> 192.168.200.10
    04/24-20:04:24.836488 [**] [1:10000001:1] ICMP test detected [**] [Classification: Generic ICMP event] [Priority: 3] {ICMP} 192.168.200.10 -> 192.168.200.3
    04/24-20:04:24.836508 [**] [1:10000001:1] ICMP test detected [**] [Classification: Generic ICMP event] [Priority: 3] {ICMP} 192.168.200.3 -> 192.168.200.10
    04/24-20:04:25.852951 [**] [1:10000001:1] ICMP test detected [**] [Classification: Generic ICMP event] [Priority: 3] {ICMP} 192.168.200.10 -> 192.168.200.3
    04/24-20:04:25.852963 [**] [1:10000001:1] ICMP test detected [**] [Classification: Generic ICMP event] [Priority: 3] {ICMP} 192.168.200.3 -> 192.168.200.10

    Snort is working. But if I run the command for testing from step 5.5 it doesn’t show the output from your example and there are some WARNINGS at the beginning.

    Ex:

    root@SRV-SNORT:/home/bogdan# sudo /usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth0
    ^C*** Caught Int-Signal
    root@SRV-SNORT:/home/bogdan# sudo barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -g snort -u snort
    Running in Continuous mode

    –== Initializing Barnyard2 ==–
    Initializing Input Plugins!
    Initializing Output Plugins!
    Parsing config file “/etc/snort/barnyard2.conf”

    +[ Signature Suppress list ]+
    —————————-
    +[No entry in Signature Suppress List]+
    —————————-
    +[ Signature Suppress list ]+

    WARNING: invalid Reference spec ‘001’. Ignored
    WARNING: invalid Reference spec ‘icmp-event’. Ignored
    WARNING: invalid Reference spec ‘0’. Ignored
    WARNING: invalid Reference spec ‘ICMP Test detected’. Ignored
    Barnyard2 spooler: Event cache size set to [2048]
    Log directory = /var/log/barnyard2
    INFO database: Defaulting Reconnect/Transaction Error limit to 10
    INFO database: Defaulting Reconnect sleep time to 5 second
    [SignatureReferencePullDataStore()]: No Reference found in database …
    database: compiled support for (mysql)
    database: configured to use mysql
    database: schema version = 107
    database: host = localhost
    database: user = snort
    database: database name = snort
    database: sensor name = SRV-SNORT:NULL
    database: sensor id = 1
    database: sensor cid = 1
    database: data encoding = hex
    database: detail level = full
    database: ignore_bpf = no
    database: using the “log” facility

    –== Initialization Complete ==–

    ______ -*> Barnyard2 <*-
    / ,,_ \ Version 2.1.14 (Build 337)
    |o" )~| By Ian Firns (SecurixLive): http://www.securixlive.com/
    + '''' + (C) Copyright 2008-2013 Ian Firns

    Using waldo file ‘/var/log/snort/barnyard2.waldo’:
    spool directory = /var/log/snort
    spool filebase = snort.log
    time_stamp = 1493046730
    record_idx = 0
    Opened spool file ‘/var/log/snort/snort.log.1493053458’
    Waiting for new data

    Why do I have these problems? The only different thing I did from the tutorial was to install Snort 2.9.9.0 instead of 2.9.8.x.

    Please help me 🙂

    Thank you!
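The four “invalid Reference spec” warnings quoted above are consistent with Barnyard2 reading a v2-layout sid-msg.map (the layout PulledPork writes) whose leading `#v2` line is missing, which makes it fall back to the v1 parser. The following checker is an added example, not code from the post or from Barnyard2: it parses a map in both layouts and flags reference specs that do not have the required `system,id` form, reproducing those warnings on a constructed headerless map.

```python
# Sanity-check a Barnyard2 sid-msg.map before starting the daemon.
# Barnyard2 reads the file in two layouts and only uses the second when the
# first line is exactly "#v2":
#   v1:  sid || msg || ref || ref ...
#   v2:  gid || sid || rev || classification || priority || msg || ref ...
# A v2 file that lost its header is read as v1, so rev, classification,
# priority and msg fall into the reference slots and get rejected as
# "invalid Reference spec".  Added example, not Barnyard2's own code.

def parse_sid_msg_map(text):
    """Return (entries, warnings) as a v1/v2-aware reader would produce."""
    lines = text.splitlines()
    is_v2 = bool(lines) and lines[0].strip() == "#v2"
    entries, warnings = [], []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split("||")]
        if is_v2:
            if len(fields) < 6:
                warnings.append(f"short v2 line: {line!r}")
                continue
            gid, sid, rev, _cls, _prio, msg = fields[:6]
            refs = fields[6:]
        else:
            gid, rev = "1", ""
            sid = fields[0]
            msg = fields[1] if len(fields) > 1 else ""
            refs = fields[2:]
        # A reference spec must look like "system,id"; anything else is
        # what Barnyard2 logs as "invalid Reference spec '...'. Ignored".
        for ref in refs:
            if "," not in ref:
                warnings.append(f"invalid Reference spec {ref!r}. Ignored")
        entries.append({"gid": gid, "sid": sid, "rev": rev, "msg": msg,
                        "refs": [r for r in refs if "," in r]})
    return entries, warnings

# Constructed sample: the tutorial's local ICMP rule in v2 layout, with and
# without the header line that selects the v2 parser.
GOOD_MAP = "#v2\n1 || 10000001 || 001 || icmp-event || 0 || ICMP Test detected\n"
HEADERLESS_MAP = GOOD_MAP.split("\n", 1)[1]

if __name__ == "__main__":
    for label, text in (("with #v2", GOOD_MAP), ("without #v2", HEADERLESS_MAP)):
        entries, warnings = parse_sid_msg_map(text)
        print(label, "->", entries[0]["sid"], entries[0]["msg"], warnings)
```

Run it against /etc/snort/sid-msg.map before restarting Barnyard2; a clean map yields an empty warning list.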

  18. Dear good afternoon

    I am not registering events in snorby, I have the following error in barnyard2

    ——————————————————————————————————

    ● barnyard2.service – Barnyard2 Daemon
    Loaded: loaded (/lib/systemd/system/barnyard2.service; enabled; vendor preset: enabled)
    Active: active (running) since dom 2017-10-01 20:11:19 CLST; 1min 39s ago
    Main PID: 2264 (barnyard2)
    CGroup: /system.slice/barnyard2.service
    └─2264 /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -q -w /var/log/snort/ba

    oct 01 20:11:19 svsnort-H81M-DS2 barnyard2[2264]: +[No entry in Signature Suppress List]+
    oct 01 20:11:19 svsnort-H81M-DS2 barnyard2[2264]: —————————-
    +[ Signature Suppress list ]+
    oct 01 20:12:58 svsnort-H81M-DS2 barnyard2[2264]: Barnyard2 spooler: Event cache size set to [2048]
    oct 01 20:12:58 svsnort-H81M-DS2 barnyard2[2264]: Log directory = /var/log/barnyard2
    oct 01 20:12:58 svsnort-H81M-DS2 barnyard2[2264]: INFO database: Defaulting Reconnect/Transaction Error limit to 10
    oct 01 20:12:58 svsnort-H81M-DS2 barnyard2[2264]: INFO database: Defaulting Reconnect sleep time to 5 second
    oct 01 20:12:58 svsnort-H81M-DS2 barnyard2[2264]: Initializing daemon mode
    oct 01 20:12:58 svsnort-H81M-DS2 barnyard2[2264]: Daemon initialized, signaled parent pid: 1
    oct 01 20:12:58 svsnort-H81M-DS2 barnyard2[2264]: PID path stat checked out ok, PID path set to /var/run/
    oct 01 20:12:58 svsnort-H81M-DS2 barnyard2[2264]: Writing PID “2264” to file “/var/run//barnyard2_NULL.pid”
    —————————————————————————————————

    Please help.
