Netgate Discussion Forum

Snorby / Barnyard2 Install with PfSense

IDS/IPS
  • P
    ProxyMoron
    last edited by Nov 1, 2015, 5:14 PM Nov 1, 2015, 5:11 PM

    Hi All,
      Can somebody point me to an up-to-date guide or instructions on how to install Barnyard2 and ultimately Snorby to use with Snort on PfSense?

    I've looked about but find the following issues:-

    They also install snort - but with PfSense snort is already installed
    They are way out of date
    Not specific to PfSense

    I've seen that barnyard2 can be installed on the same box as PfSense but it seems that Snorby cannot.
    I have an Ubuntu VM spun up whereby I intended to install Barnyard2 and Snorby and point snort on PfSense to that, but nearly every guide I look at assumes that snort is on the same box as Barnyard2, which in this case it's not.

    Any help would be appreciated here.

    • B
      bmeeks
      last edited by Nov 2, 2015, 1:18 PM

      I've never found a guide either.  What I did was install Snorby (on Ubuntu in my case).  Then you just enable Barnyard2 in the Snort setup on pfSense (provide the DB credentials and DB host).  It should work, but expect periodic problems.  Barnyard2 took a wrong turn (my opinion only!) with the 2.1.3 release in terms of how it interacts with a MySQL database.  I had so many irritating issues on my personal firewall with Barnyard2 that I just disabled it for now.

      Bill

      • P
        ProxyMoron
        last edited by Nov 2, 2015, 1:57 PM

        Ah,
          Thanks Bill, so am I right in saying that you don't actually have to install Barnyard2 then?  You just install Snorby on Ubuntu then point your PfSense to the Ubuntu box with Snorby running by clicking the Barnyard2 box in PfSense and filling in the details there?

        Thanks

        • B
          bmeeks
          last edited by Nov 2, 2015, 11:57 PM

          Yes, that is correct.  Barnyard2 comes as part of the Snort package on pfSense. Click the Barnyard tab for the Snort interface(s) you wish to use Barnyard for logging.

          Bill

          • P
            ProxyMoron
            last edited by Nov 4, 2015, 3:05 PM Nov 3, 2015, 3:28 PM

            Well, based on your advice I managed to get Snorby up and running, although I haven't started to connect Snort yet from PfSense.

            Here is what I did so far in case it helps. Your mileage may (and probably will) vary.

            cd /usr/local/bin

            $ sudo apt-get install curl
            $ \curl -L https://get.rvm.io | bash -s stable --ruby
            source /usr/local/rvm/scripts/rvm
            $ rvm get stable --autolibs=enable
            $ rvm install ruby-1.9.3-p551
            $ rvm --default use ruby-1.9.3

            apt-get install imagemagick

            gem install wkhtmltopdf

            gem install bundler

            #apt-get install libxml2-dev
            #apt-get install libxslt-dev

            #mysql -u root -p
            create database snorby;
            create user 'snorby'@'localhost' IDENTIFIED BY 'XXXXXXXXX';
            grant all privileges on snorby.* to 'snorby'@'localhost' with grant option;
            FLUSH PRIVILEGES;
            quit

            :/usr/local/bin/snorby# cd config
            :/usr/local/bin/snorby/config# cp database.yml.example ./database.yml
            :/usr/local/bin/snorby/config# cp snorby_config.yml.example ./snorby_config.yml
            <edited database.yml, changing username to snortuser, password to snortuser's pw>
            <edited snorby_config.yml, changing domain to localhost:3000>
            #nano Gemfile

            REMOVE LINE - gem 'devise_cas_authenticatable', :git => 'https://github.com/Snorby/snorby_cas_authenticatable.git'
            ADD LINE - gem 'devise_cas_authenticatable', '~> 1.5'

            #bundle install
            #bundle exec rake snorby:setup
            #bundle exec rails server -e production

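Added example, not part of any post in this thread: the account created in the notes above is bound to `localhost`, so Barnyard2 on pfSense, which connects to the Snorby database over the network, needs an account of its own. The sketch below gives it one with row-level privileges only and then audits the result. The address `192.0.2.10`, the account name `barnyard2_sensor`, the password `CHANGE_ME` and the privilege list are assumptions.

```sql
-- Added example: constructed values, not taken from the thread.
--   192.0.2.10        placeholder for the pfSense address Barnyard2 connects from
--   barnyard2_sensor  hypothetical account name
--   CHANGE_ME         placeholder password

-- 1. Separate account for the sensor, tied to one source address (no '%' wildcard).
CREATE USER 'barnyard2_sensor'@'192.0.2.10' IDENTIFIED BY 'CHANGE_ME';

-- 2. Data privileges only: no ALL PRIVILEGES, no WITH GRANT OPTION, no schema changes.
--    Assumption: Barnyard2 only reads and writes rows in the existing snorby schema.
GRANT SELECT, INSERT, UPDATE, DELETE ON snorby.* TO 'barnyard2_sensor'@'192.0.2.10';
FLUSH PRIVILEGES;

-- 3. Confirm what the account can do.
SHOW GRANTS FOR 'barnyard2_sensor'@'192.0.2.10';

-- 4. Audit: accounts reachable from any host, or holding the global grant right.
SELECT user, host, Grant_priv
FROM mysql.user
WHERE host = '%' OR Grant_priv = 'Y';

-- 5. Audit: accounts holding the database-level grant right on snorby.
SELECT user, host, Grant_priv
FROM mysql.db
WHERE db = 'snorby';
```

MySQL on Ubuntu listens on 127.0.0.1 by default, so `bind-address` in the server configuration has to be changed before a remote sensor can connect; restrict port 3306 on the Ubuntu host to the pfSense address when doing so.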
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.