
This is a guide to installing Snorby on an Ubuntu Server machine, for integration with a Snort instance on pfSense. This howto should also work on Debian and other Debian-based distributions; however, I HIGHLY recommend NOT using Debian itself in any production environment, due to the distribution's lack of compile-time security options in its packages (blog post about this to come).

Furthermore, this how-to guide should also work just fine (with minor tweaks) for installing Snorby on a separate machine to integrate with a standalone Snort instance.

I highly recommend purchasing the premium rules subscription from Sourcefire, which carries an annual cost of $29.95 so that your system has the most current rules.

Let’s get started

Software Installation and MySQL Setup

pfSense Configuration

For the sake of brevity, I will not cover the installation and initial interface configuration of Snort on pfSense. Please refer to the Setup Snort Package page in the pfSense docs to do this.

  1. From the pfSense web GUI, navigate to the Snort service menu: Services » Snort
  2. Edit the interface (repeat for each interface you wish to use with Snorby) and navigate to the Barnyard2 tab
  3. Check the Enable Barnyard2 on this Interface checkbox
  4. In the Log to a Mysql Database dialog, use the following format (change the values appropriately):
  5. In the If Settings tab, check the box for Log Alerts to a snort unified2 file.
  6. Save the configuration and restart the Snort service on pfSense.
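The pfSense steps above leave the MySQL side to the reader: the account that Barnyard2 connects with from the firewall. The following is an added example (not from the original guide), assuming the database is named snorby, MySQL runs on the Ubuntu server, and pfSense connects from 192.0.2.1 (a placeholder address); it shows the over-broad grant many guides use alongside a scoped one.

```sql
-- Added example, not from the original guide: scoping the MySQL account
-- that Barnyard2 on pfSense uses to write into Snorby's database.
-- Assumptions: database "snorby", writer account "barnyard2",
-- pfSense reaching the Ubuntu server from 192.0.2.1 (placeholder address).

-- Weak setting: one all-powerful account reachable from any host.
-- If the pfSense config (which stores this password) leaks, so does
-- full control of the database server.
-- CREATE USER 'snorby'@'%' IDENTIFIED BY 'changeme';
-- GRANT ALL PRIVILEGES ON *.* TO 'snorby'@'%';

-- Corrected: one database, one writer account, one allowed source host.
CREATE DATABASE IF NOT EXISTS snorby;

-- Barnyard2's MySQL output inserts events and updates sensor
-- bookkeeping, so SELECT/INSERT/UPDATE on the Snorby schema is assumed
-- sufficient here; widen only if barnyard2 logs a denied query.
CREATE USER 'barnyard2'@'192.0.2.1' IDENTIFIED BY 'REPLACE-WITH-STRONG-PASSWORD';
GRANT SELECT, INSERT, UPDATE ON snorby.* TO 'barnyard2'@'192.0.2.1';

-- The Snorby web app runs its own migrations, so it gets full rights on
-- its database only, and only from the local machine.
CREATE USER 'snorby'@'localhost' IDENTIFIED BY 'REPLACE-WITH-ANOTHER-PASSWORD';
GRANT ALL PRIVILEGES ON snorby.* TO 'snorby'@'localhost';
FLUSH PRIVILEGES;

-- Check: confirm only these two accounts exist and note their hosts.
SELECT user, host FROM mysql.user WHERE user IN ('barnyard2', 'snorby');
```

The pfSense Barnyard2 settings then use the barnyard2 account, and the Snorby database.yml uses the local snorby account.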

Snorby Web UI

Navigate to the following URL to access the Snorby web UI: