Snorby Repo Has Moved: github.com/Snorby/snorby
djcas9 / legacy-snorby
!! DO NOT USE THIS - THIS REPO HAS MOVED - https://github.com/Snorby/snorby !!
Home Page: http://www.snorby.org
Although the config/database.yml file supports remote MySQL servers (and part of the installation does too), lib/tasks/install_snorby.rake contains a hardcoded system call to mysql which assumes a local database:
13: system("mysql -u #{@dbconfig['production']['username']} --password=#{@dbconfig['production']['password']} #{@dbconfig['production']['database']} < #{RAILS_ROOT}/db/create_mysql")
...
25: system("mysql -u #{@dbconfig['production']['username']} --password=#{@dbconfig['production']['password']} #{@dbconfig['production']['database']} < #{RAILS_ROOT}/db/create_mysql")
Replacing these lines with:
13: system("mysql -u #{@dbconfig['production']['username']} --password=#{@dbconfig['production']['password']} --host=#{@dbconfig['production']['host']} #{@dbconfig['production']['database']} < #{RAILS_ROOT}/db/create_mysql")
...
25: system("mysql -u #{@dbconfig['production']['username']} --password=#{@dbconfig['production']['password']} --host=#{@dbconfig['production']['host']} #{@dbconfig['production']['database']} < #{RAILS_ROOT}/db/create_mysql")
fixed the issue in my case, but somebody with more knowledge of Ruby should make this conditional so the '--host' part only gets added when the user defines a host in the database.yml file.
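One way to make the host flag conditional, as an added example that is not Snorby's own code: it builds the mysql command from the same @dbconfig['production'] hash, but as a word list for Kernel#system (so no /bin/sh ever parses the interpolated username, host or password) and hands the password over through the MYSQL_PWD environment variable instead of --password= on the command line, where `ps` would show it. The two database.yml-style configs are constructed for the example.

```ruby
require 'yaml'

# Constructed sample configs standing in for config/database.yml:
# one without a host (local socket), one with a remote host and port.
LOCAL_CONFIG = YAML.safe_load(<<~YAML)
  production:
    adapter: mysql
    database: snorby
    username: snorby
    password: 's3c;ret'
YAML

REMOTE_CONFIG = YAML.safe_load(<<~YAML)
  production:
    adapter: mysql
    database: snorby
    username: snorby
    password: s3cret
    host: db.internal.example
    port: 3307
YAML

# Returns [env, argv]. env carries the password via MYSQL_PWD so it never
# shows up in the process list or shell history; argv is the command as a
# list of words, one value per element, exactly as mysql will receive them.
def mysql_import_command(dbconfig, env_name = 'production')
  cfg  = dbconfig.fetch(env_name)
  argv = ['mysql', '--user', cfg.fetch('username')]

  # Only add --host / --port when the operator defined them in database.yml;
  # leaving them out keeps the original local-socket behaviour.
  host = cfg['host'].to_s
  argv += ['--host', host] unless host.empty?
  argv += ['--port', cfg['port'].to_s] if cfg['port']

  argv << cfg.fetch('database')

  env = {}
  env['MYSQL_PWD'] = cfg['password'].to_s if cfg['password']
  [env, argv]
end

# Runs the import with stdin redirected from the SQL file (the rake task's
# "< db/create_mysql"). Because argv is a list, a ';' or '$' inside the
# password or host name is passed literally rather than interpreted by a shell.
def run_mysql_import(dbconfig, sql_path, env_name = 'production')
  env, argv = mysql_import_command(dbconfig, env_name)
  system(env, *argv, in: sql_path) or raise "mysql import of #{sql_path} failed"
end
```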
Is 2.3.12 available as an .iso file, and where is the URL for the download?
Also, is the setup the same as for the previous version that I installed?
Also, is 2.3.12 IDS only, or IDS/IPS?
Please provide me the download .iso file.
Also, can I run the latest .iso file on Hyper-V?
Saeed
Ubuntu 9.10 server. Everything works great except for reports. Reports are not being generated because the crons have not been set up. To try to get the crons installed I did the following:
$ gem sources -a http://gems.github.com
$ gem install javan-whenever
$ rake whenever --update-crontab snorby --set environment=production
which produces no output and does not add the crons.
exec $ ./runner -e production "Event.run_daily_report" throws the following errors:
/var/lib/gems/1.8/gems/rails-2.3.5/lib/commands/runner.rb:48: /usr/lib/ruby/1.8/rubygems/custom_require.rb:31:in `gem_original_require': no such file to load -- prawn/format (MissingSourceFile)
    from /usr/lib/ruby/1.8/rubygems/custom_require.rb:31:in `require'
    from /var/lib/gems/1.8/gems/activesupport-2.3.5/lib/active_support/dependencies.rb:158:in `require'
    from /root/Snorby/lib/pdf_for_email.rb:3
    from /usr/lib/ruby/1.8/rubygems/custom_require.rb:31:in `gem_original_require'
    from /usr/lib/ruby/1.8/rubygems/custom_require.rb:31:in `require'
    from /var/lib/gems/1.8/gems/activesupport-2.3.5/lib/active_support/dependencies.rb:158:in `require'
    from /var/lib/gems/1.8/gems/activesupport-2.3.5/lib/active_support/dependencies.rb:265:in `require_or_load'
    from /var/lib/gems/1.8/gems/activesupport-2.3.5/lib/active_support/dependencies.rb:425:in `load_missing_constant'
    from /var/lib/gems/1.8/gems/activesupport-2.3.5/lib/active_support/dependencies.rb:80:in `const_missing'
    from /var/lib/gems/1.8/gems/activesupport-2.3.5/lib/active_support/dependencies.rb:92:in `const_missing'
    from /var/lib/gems/1.8/gems/activesupport-2.3.5/lib/active_support/dependencies.rb:437:in `load_missing_constant'
    from /var/lib/gems/1.8/gems/activesupport-2.3.5/lib/active_support/dependencies.rb:96:in `const_missing'
    from /root/Snorby/app/models/event.rb:54:in `run_daily_report'
    from (eval):1
    from /usr/lib/ruby/1.8/rubygems/custom_require.rb:31:in `eval'
    from /var/lib/gems/1.8/gems/rails-2.3.5/lib/commands/runner.rb:48
    from /usr/lib/ruby/1.8/rubygems/custom_require.rb:31:in `gem_original_require'
    from /usr/lib/ruby/1.8/rubygems/custom_require.rb:31:in `require'
    from ./runner:3
Did I miss a step? I'm pretty new to ruby stuff so any help would be great.
Cheers,
Eric
The search panel in Snorby is great I think. Is it possible to support wildcards in some of the fields? For example, I'd like to search for any host on the 192.168.1.0 network (192.168.1.0/24 or 192.168.1.5-10 or 192.168.1.*).
Is it possible to have a drill-down option to list the "Unique Event Types" shown on the Dashboard screen? As it stands presently, under Snorby v1.1.3, I am not able to see a list that shows all unique event types.
Unable to log in. Started up snorby, DB access, etc. ... I get to the login screen at http://address:port, use snorby:admin, then a 500 error; see the output below.
=> Booting WEBrick
=> Rails 2.3.2 application starting on http://192.168.1.7:3000
=> Call with -d to detach
=> Ctrl-C to shutdown server
[2009-07-09 11:11:51] INFO WEBrick 1.3.1
[2009-07-09 11:11:51] INFO ruby 1.8.6 (2008-08-11) [i386-freebsd7]
[2009-07-09 11:11:51] INFO WEBrick::HTTPServer#start: pid=91400 port=3000
Processing PagesController#dashboard (for 192.168.1.107 at 2009-07-09 11:12:01) [GET]
Parameters: {"action"=>"dashboard", "controller"=>"pages"}
Rendering template within layouts/application
Rendering pages/dashboard
ActionView::TemplateError (NaN) on line #116 of app/views/pages/dashboard.html.erb:
113:
114:
115:
116: <%= horizontal_bar_graph [["Event Percentage", ((0 + Event.find(:all, :include => :sig, :conditions => ['signature.sig_class_id = 0']).size/Event.all.size.to_f) * 100).round(2)]] %>
117:
118: <%- for c in @categories -%>
119:
app/views/pages/dashboard.html.erb:116
/usr/local/lib/ruby/1.8/webrick/httpserver.rb:104:in `service'
/usr/local/lib/ruby/1.8/webrick/httpserver.rb:65:in `run'
/usr/local/lib/ruby/1.8/webrick/server.rb:173:in `start_thread'
/usr/local/lib/ruby/1.8/webrick/server.rb:162:in `start'
/usr/local/lib/ruby/1.8/webrick/server.rb:162:in `start_thread'
/usr/local/lib/ruby/1.8/webrick/server.rb:95:in `start'
/usr/local/lib/ruby/1.8/webrick/server.rb:92:in `each'
/usr/local/lib/ruby/1.8/webrick/server.rb:92:in `start'
/usr/local/lib/ruby/1.8/webrick/server.rb:23:in `start'
/usr/local/lib/ruby/1.8/webrick/server.rb:82:in `start'
Rendering /usr/home/jj/Snorby/public/500.html (500 Internal Server Error)
Processing ApplicationController#index (for 192.168.1.107 at 2009-07-09 11:12:05) [GET]
ActionController::RoutingError (No route matches "/%5C" with {:method=>:get}):
/usr/local/lib/ruby/1.8/webrick/httpserver.rb:104:in `service'
/usr/local/lib/ruby/1.8/webrick/httpserver.rb:65:in `run'
/usr/local/lib/ruby/1.8/webrick/server.rb:173:in `start_thread'
/usr/local/lib/ruby/1.8/webrick/server.rb:162:in `start'
/usr/local/lib/ruby/1.8/webrick/server.rb:162:in `start_thread'
/usr/local/lib/ruby/1.8/webrick/server.rb:95:in `start'
/usr/local/lib/ruby/1.8/webrick/server.rb:92:in `each'
/usr/local/lib/ruby/1.8/webrick/server.rb:92:in `start'
/usr/local/lib/ruby/1.8/webrick/server.rb:23:in `start'
/usr/local/lib/ruby/1.8/webrick/server.rb:82:in `start'
Rendering /usr/home/jj/Snorby/public/404.html (404 Not Found)
Processing PagesController#dashboard (for 192.168.1.107 at 2009-07-09 11:12:08) [GET]
Parameters: {"action"=>"dashboard", "controller"=>"pages"}
Rendering template within layouts/application
Rendering pages/dashboard
ActionView::TemplateError (NaN) on line #116 of app/views/pages/dashboard.html.erb:
113:
114:
115:
116: <%= horizontal_bar_graph [["Event Percentage", ((0 + Event.find(:all, :include => :sig, :conditions => ['signature.sig_class_id = 0']).size/Event.all.size.to_f) * 100).round(2)]] %>
117:
118: <%- for c in @categories -%>
119:
app/views/pages/dashboard.html.erb:116
/usr/local/lib/ruby/1.8/webrick/httpserver.rb:104:in `service'
/usr/local/lib/ruby/1.8/webrick/httpserver.rb:65:in `run'
/usr/local/lib/ruby/1.8/webrick/server.rb:173:in `start_thread'
/usr/local/lib/ruby/1.8/webrick/server.rb:162:in `start'
/usr/local/lib/ruby/1.8/webrick/server.rb:162:in `start_thread'
/usr/local/lib/ruby/1.8/webrick/server.rb:95:in `start'
/usr/local/lib/ruby/1.8/webrick/server.rb:92:in `each'
/usr/local/lib/ruby/1.8/webrick/server.rb:92:in `start'
/usr/local/lib/ruby/1.8/webrick/server.rb:23:in `start'
/usr/local/lib/ruby/1.8/webrick/server.rb:82:in `start'
Rendering /usr/home/jj/Snorby/public/500.html (500 Internal Server Error)
Processing PagesController#dashboard (for 192.168.1.107 at 2009-07-09 11:12:13) [GET]
Parameters: {"action"=>"dashboard", "controller"=>"pages"}
Rendering template within layouts/application
Rendering pages/dashboard
ActionView::TemplateError (NaN) on line #116 of app/views/pages/dashboard.html.erb:
113:
114:
115:
116: <%= horizontal_bar_graph [["Event Percentage", ((0 + Event.find(:all, :include => :sig, :conditions => ['signature.sig_class_id = 0']).size/Event.all.size.to_f) * 100).round(2)]] %>
117:
118: <%- for c in @categories -%>
119:
app/views/pages/dashboard.html.erb:116
/usr/local/lib/ruby/1.8/webrick/httpserver.rb:104:in `service'
/usr/local/lib/ruby/1.8/webrick/httpserver.rb:65:in `run'
/usr/local/lib/ruby/1.8/webrick/server.rb:173:in `start_thread'
/usr/local/lib/ruby/1.8/webrick/server.rb:162:in `start'
/usr/local/lib/ruby/1.8/webrick/server.rb:162:in `start_thread'
/usr/local/lib/ruby/1.8/webrick/server.rb:95:in `start'
/usr/local/lib/ruby/1.8/webrick/server.rb:92:in `each'
/usr/local/lib/ruby/1.8/webrick/server.rb:92:in `start'
/usr/local/lib/ruby/1.8/webrick/server.rb:23:in `start'
/usr/local/lib/ruby/1.8/webrick/server.rb:82:in `start'
Rendering /usr/home/jj/Snorby/public/500.html (500 Internal Server Error)
Processing PagesController#dashboard (for 192.168.1.107 at 2009-07-09 11:16:14) [GET]
Parameters: {"action"=>"dashboard", "controller"=>"pages"}
Rendering template within layouts/application
Rendering pages/dashboard
ActionView::TemplateError (NaN) on line #116 of app/views/pages/dashboard.html.erb:
113:
114:
115:
116: <%= horizontal_bar_graph [["Event Percentage", ((0 + Event.find(:all, :include => :sig, :conditions => ['signature.sig_class_id = 0']).size/Event.all.size.to_f) * 100).round(2)]] %>
117:
118: <%- for c in @categories -%>
119:
app/views/pages/dashboard.html.erb:116
/usr/local/lib/ruby/1.8/webrick/httpserver.rb:104:in `service'
/usr/local/lib/ruby/1.8/webrick/httpserver.rb:65:in `run'
/usr/local/lib/ruby/1.8/webrick/server.rb:173:in `start_thread'
/usr/local/lib/ruby/1.8/webrick/server.rb:162:in `start'
/usr/local/lib/ruby/1.8/webrick/server.rb:162:in `start_thread'
/usr/local/lib/ruby/1.8/webrick/server.rb:95:in `start'
/usr/local/lib/ruby/1.8/webrick/server.rb:92:in `each'
/usr/local/lib/ruby/1.8/webrick/server.rb:92:in `start'
/usr/local/lib/ruby/1.8/webrick/server.rb:23:in `start'
/usr/local/lib/ruby/1.8/webrick/server.rb:82:in `start'
Rendering /usr/home/jj/Snorby/public/500.html (500 Internal Server Error)
Processing PagesController#dashboard (for 192.168.1.107 at 2009-07-09 11:19:37) [GET]
Parameters: {"action"=>"dashboard", "controller"=>"pages"}
Rendering template within layouts/application
Rendering pages/dashboard
ActionView::TemplateError (NaN) on line #116 of app/views/pages/dashboard.html.erb:
113:
114:
115:
116: <%= horizontal_bar_graph [["Event Percentage", ((0 + Event.find(:all, :include => :sig, :conditions => ['signature.sig_class_id = 0']).size/Event.all.size.to_f) * 100).round(2)]] %>
117:
118: <%- for c in @categories -%>
119:
app/views/pages/dashboard.html.erb:116
/usr/local/lib/ruby/1.8/webrick/httpserver.rb:104:in `service'
/usr/local/lib/ruby/1.8/webrick/httpserver.rb:65:in `run'
/usr/local/lib/ruby/1.8/webrick/server.rb:173:in `start_thread'
/usr/local/lib/ruby/1.8/webrick/server.rb:162:in `start'
/usr/local/lib/ruby/1.8/webrick/server.rb:162:in `start_thread'
/usr/local/lib/ruby/1.8/webrick/server.rb:95:in `start'
/usr/local/lib/ruby/1.8/webrick/server.rb:92:in `each'
/usr/local/lib/ruby/1.8/webrick/server.rb:92:in `start'
/usr/local/lib/ruby/1.8/webrick/server.rb:23:in `start'
/usr/local/lib/ruby/1.8/webrick/server.rb:82:in `start'
Rendering /usr/home/jj/Snorby/public/500.html (500 Internal Server Error)
Processing PagesController#dashboard (for 192.168.1.107 at 2009-07-09 19:17:42) [GET]
Parameters: {"action"=>"dashboard", "controller"=>"pages"}
Redirected to http://192.168.1.7:3000/login
Filter chain halted as [:require_user] rendered_or_redirected.
Completed in 3ms (DB: 0) | 302 Found [http://192.168.1.7/]
Processing UserSessionsController#new (for 192.168.1.107 at 2009-07-09 19:17:42) [GET]
Parameters: {"action"=>"new", "controller"=>"user_sessions"}
Rendering template within layouts/application
Rendering user_sessions/new
Completed in 70ms (View: 41, DB: 24) | 200 OK [http://192.168.1.7/login]
Processing UserSessionsController#create (for 192.168.1.107 at 2009-07-09 19:17:51) [POST]
Parameters: {"commit"=>"Login", "user_session"=>{"password"=>"[FILTERED]", "login"=>"snorby", "remember_me"=>"1"}, "action"=>"create", "authenticity_token"=>"jW1QRYoVgxGjue53dsIjivfI7xH4aHNnr0TBc0c3FgE=", "controller"=>"user_sessions"}
Redirected to http://192.168.1.7:3000/
Completed in 368ms (DB: 3) | 302 Found [http://192.168.1.7/user_session]
Processing PagesController#dashboard (for 192.168.1.107 at 2009-07-09 19:17:52) [GET]
Parameters: {"action"=>"dashboard", "controller"=>"pages"}
Rendering template within layouts/application
Rendering pages/dashboard
ActionView::TemplateError (NaN) on line #116 of app/views/pages/dashboard.html.erb:
113:
114:
115:
116: <%= horizontal_bar_graph [["Event Percentage", ((0 + Event.find(:all, :include => :sig, :conditions => ['signature.sig_class_id = 0']).size/Event.all.size.to_f) * 100).round(2)]] %>
117:
118: <%- for c in @categories -%>
119:
app/views/pages/dashboard.html.erb:116
/usr/local/lib/ruby/1.8/webrick/httpserver.rb:104:in `service'
/usr/local/lib/ruby/1.8/webrick/httpserver.rb:65:in `run'
/usr/local/lib/ruby/1.8/webrick/server.rb:173:in `start_thread'
/usr/local/lib/ruby/1.8/webrick/server.rb:162:in `start'
/usr/local/lib/ruby/1.8/webrick/server.rb:162:in `start_thread'
/usr/local/lib/ruby/1.8/webrick/server.rb:95:in `start'
/usr/local/lib/ruby/1.8/webrick/server.rb:92:in `each'
/usr/local/lib/ruby/1.8/webrick/server.rb:92:in `start'
/usr/local/lib/ruby/1.8/webrick/server.rb:23:in `start'
/usr/local/lib/ruby/1.8/webrick/server.rb:82:in `start'
Rendering /usr/home/jj/Snorby/public/500.html (500 Internal Server Error)
Processing PagesController#dashboard (for 192.168.1.107 at 2009-07-09 19:23:21) [GET]
Parameters: {"action"=>"dashboard", "controller"=>"pages"}
Rendering template within layouts/application
Rendering pages/dashboard
ActionView::TemplateError (NaN) on line #116 of app/views/pages/dashboard.html.erb:
113:
114:
115:
116: <%= horizontal_bar_graph [["Event Percentage", ((0 + Event.find(:all, :include => :sig, :conditions => ['signature.sig_class_id = 0']).size/Event.all.size.to_f) * 100).round(2)]] %>
117:
118: <%- for c in @categories -%>
119:
app/views/pages/dashboard.html.erb:116
/usr/local/lib/ruby/1.8/webrick/httpserver.rb:104:in `service'
/usr/local/lib/ruby/1.8/webrick/httpserver.rb:65:in `run'
/usr/local/lib/ruby/1.8/webrick/server.rb:173:in `start_thread'
/usr/local/lib/ruby/1.8/webrick/server.rb:162:in `start'
/usr/local/lib/ruby/1.8/webrick/server.rb:162:in `start_thread'
/usr/local/lib/ruby/1.8/webrick/server.rb:95:in `start'
/usr/local/lib/ruby/1.8/webrick/server.rb:92:in `each'
/usr/local/lib/ruby/1.8/webrick/server.rb:92:in `start'
/usr/local/lib/ruby/1.8/webrick/server.rb:23:in `start'
/usr/local/lib/ruby/1.8/webrick/server.rb:82:in `start'
Rendering /usr/home/jj/Snorby/public/500.html (500 Internal Server Error)
Processing UserSessionsController#new (for 192.168.1.107 at 2009-07-09 19:23:40) [GET]
Parameters: {"action"=>"new", "controller"=>"user_sessions"}
Redirected to http://192.168.1.7:3000/account
Filter chain halted as [:require_no_user] rendered_or_redirected.
Completed in 10ms (DB: 3) | 302 Found [http://192.168.1.7/login]
Processing UsersController#show (for 192.168.1.107 at 2009-07-09 19:23:40) [GET]
Parameters: {"action"=>"show", "controller"=>"users"}
Rendering template within layouts/application
Rendering users/show
ActionView::TemplateError (undefined method `login' for nil:NilClass) on line #3 of app/views/users/show.html.erb:
1:
2: Login:
3: <%=h @user.login %>
4:
app/views/users/show.html.erb:3
/usr/local/lib/ruby/1.8/webrick/httpserver.rb:104:in `service'
/usr/local/lib/ruby/1.8/webrick/httpserver.rb:65:in `run'
/usr/local/lib/ruby/1.8/webrick/server.rb:173:in `start_thread'
/usr/local/lib/ruby/1.8/webrick/server.rb:162:in `start'
/usr/local/lib/ruby/1.8/webrick/server.rb:162:in `start_thread'
/usr/local/lib/ruby/1.8/webrick/server.rb:95:in `start'
/usr/local/lib/ruby/1.8/webrick/server.rb:92:in `each'
/usr/local/lib/ruby/1.8/webrick/server.rb:92:in `start'
/usr/local/lib/ruby/1.8/webrick/server.rb:23:in `start'
/usr/local/lib/ruby/1.8/webrick/server.rb:82:in `start'
Rendering /usr/home/jj/Snorby/public/500.html (500 Internal Server Error)
Processing UsersController#show (for 192.168.1.107 at 2009-07-09 19:23:43) [GET]
Parameters: {"action"=>"show", "controller"=>"users"}
Rendering template within layouts/application
Rendering users/show
ActionView::TemplateError (undefined method `login' for nil:NilClass) on line #3 of app/views/users/show.html.erb:
1:
2: Login:
3: <%=h @user.login %>
4:
app/views/users/show.html.erb:3
/usr/local/lib/ruby/1.8/webrick/httpserver.rb:104:in `service'
/usr/local/lib/ruby/1.8/webrick/httpserver.rb:65:in `run'
/usr/local/lib/ruby/1.8/webrick/server.rb:173:in `start_thread'
/usr/local/lib/ruby/1.8/webrick/server.rb:162:in `start'
/usr/local/lib/ruby/1.8/webrick/server.rb:162:in `start_thread'
/usr/local/lib/ruby/1.8/webrick/server.rb:95:in `start'
/usr/local/lib/ruby/1.8/webrick/server.rb:92:in `each'
/usr/local/lib/ruby/1.8/webrick/server.rb:92:in `start'
/usr/local/lib/ruby/1.8/webrick/server.rb:23:in `start'
/usr/local/lib/ruby/1.8/webrick/server.rb:82:in `start'
Rendering /usr/home/jj/Snorby/public/500.html (500 Internal Server Error)
Not sure I missed some configuration settings, but is it possible to disable the flash graphs on the Dashboard so they don't get loaded every time?
When I try to send a report from Snorby's reports by pressing the envelope icon (email PDF), it does not send it to the SMTP server (I don't see it in the mail server logs), while sending an event report by email works fine. So my question is: where do I have to dig into this issue? Any commands to execute from a console to see its output?
Please advise
Regards,
Mike
By the way - Snorby is very impressive tool!
Not sure if I'm missing something. In email.yml, I've tried "authentication: none" and "authentication: plain". My SMTP server does not require any authentication; it doesn't relay non-local addresses.
with ":authentication: plain" set:
/usr/src/Snorby/script/runner -e production "Event.run_daily_report"
output:
/usr/lib/ruby/gems/1.8/gems/rails-2.3.2/lib/commands/runner.rb:48: /usr/lib/ruby/1.8/net/smtp.rb:577:in `auth_plain': 504 5.7.4 Unrecognized authentication type. (Net::SMTPAuthenticationError)
    from /usr/lib/ruby/1.8/net/smtp.rb:571:in `send'
    from /usr/lib/ruby/1.8/net/smtp.rb:571:in `authenticate'
    from /usr/lib/ruby/gems/1.8/gems/ambethia-smtp-tls-1.1.2/lib/smtp-tls.rb:32:in `do_start'
    from /usr/lib/ruby/1.8/net/smtp.rb:378:in `start'
    from /usr/lib/ruby/gems/1.8/gems/actionmailer-2.3.2/lib/action_mailer/base.rb:681:in `perform_delivery_smtp'
    from /usr/lib/ruby/gems/1.8/gems/actionmailer-2.3.2/lib/action_mailer/base.rb:523:in `__send__'
    from /usr/lib/ruby/gems/1.8/gems/actionmailer-2.3.2/lib/action_mailer/base.rb:523:in `deliver!'
    from /usr/lib/ruby/gems/1.8/gems/actionmailer-2.3.2/lib/action_mailer/base.rb:395:in `method_missing'
    from /usr/src/Snorby/app/models/event.rb:37:in `run_daily_report'
    from (eval):1
    from /usr/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:31:in `eval'
    from /usr/lib/ruby/gems/1.8/gems/rails-2.3.2/lib/commands/runner.rb:48
    from /usr/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:31:in `gem_original_require'
    from /usr/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:31:in `require'
    from /usr/src/Snorby/script/runner:3
with "authentication: none" set:
/usr/src/Snorby/script/runner -e production "Event.run_daily_report"
output:
/usr/lib/ruby/gems/1.8/gems/rails-2.3.2/lib/commands/runner.rb:48: /usr/lib/ruby/1.8/net/smtp.rb:566:in `check_auth_args': wrong auth type none (ArgumentError)
    from /usr/lib/ruby/gems/1.8/gems/ambethia-smtp-tls-1.1.2/lib/smtp-tls.rb:12:in `do_start'
    from /usr/lib/ruby/1.8/net/smtp.rb:378:in `start'
    from /usr/lib/ruby/gems/1.8/gems/actionmailer-2.3.2/lib/action_mailer/base.rb:681:in `perform_delivery_smtp'
    from /usr/lib/ruby/gems/1.8/gems/actionmailer-2.3.2/lib/action_mailer/base.rb:523:in `__send__'
    from /usr/lib/ruby/gems/1.8/gems/actionmailer-2.3.2/lib/action_mailer/base.rb:523:in `deliver!'
    from /usr/lib/ruby/gems/1.8/gems/actionmailer-2.3.2/lib/action_mailer/base.rb:395:in `method_missing'
    from /usr/src/Snorby/app/models/event.rb:37:in `run_daily_report'
    from (eval):1
    from /usr/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:31:in `eval'
    from /usr/lib/ruby/gems/1.8/gems/rails-2.3.2/lib/commands/runner.rb:48
    from /usr/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:31:in `gem_original_require'
    from /usr/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:31:in `require'
    from /usr/src/Snorby/script/runner:3
Dear All,
I've installed Snorby on Ubuntu server 10.04 and after the successful login I get back:
"500 Internal Server Error If you are the administrator of this website, then please read this web application's log file to find out what went wrong.2"
I've installed Snorby hundred times and I never had such error.
Below you can find the gem list and the production.log
Thanks and best regards.
Phillip
gem list
*** LOCAL GEMS ***
actionmailer (2.3.8)
actionpack (2.3.8)
activerecord (2.3.8)
activeresource (2.3.8)
activesupport (2.3.8)
chronic (0.2.3)
hoe (2.6.1)
javan-whenever (0.3.7)
json_pure (1.4.3)
mysql (2.8.1)
prawn (0.8.4)
prawn-core (0.8.4)
prawn-layout (0.8.4)
prawn-security (0.8.4)
rack (1.2.1, 1.1.0)
rails (2.3.8)
rake (0.8.7)
rubyforge (2.0.4)
production log
Processing UserSessionsController#new (for 188.129.64.98 at 2010-06-25 13:05:40) [GET]
Parameters: {"action"=>"new", "controller"=>"user_sessions"}
Rendering template within layouts/application
Rendering user_sessions/new
Completed in 114ms (View: 62, DB: 25) | 200 OK [http://193.198.207.6/]
Processing UserSessionsController#create (for 188.129.64.98 at 2010-06-25 13:05:48) [POST]
Parameters: {"commit"=>"Login \302\273", "user_session"=>{"remember_me"=>"0", "password"=>"[FILTERED]", "login"=>"Snorby"}, "action"=>"create", "authenticity_token"=>"HasBIGltolIeqXO27mXRcksifyTS2N/jVp53XPCqwfM=", "controller"=>"user_sessions"}
Redirected to http://193.198.207.6:8080/dashboard
Completed in 317ms (DB: 60) | 302 Found [http://193.198.207.6/user_session]
Processing PagesController#dashboard (for 188.129.64.98 at 2010-06-25 13:05:48) [GET]
Parameters: {"action"=>"dashboard", "controller"=>"pages"}
ActiveRecord::StatementInvalid (Mysql::Error: MySQL server has gone away: SELECT * FROM `calc_caches` LIMIT 1):
app/controllers/pages_controller.rb:26:in `dashboard'
/usr/lib/ruby/1.8/webrick/httpserver.rb:104:in `service'
/usr/lib/ruby/1.8/webrick/httpserver.rb:65:in `run'
/usr/lib/ruby/1.8/webrick/server.rb:173:in `start_thread'
/usr/lib/ruby/1.8/webrick/server.rb:162:in `start'
/usr/lib/ruby/1.8/webrick/server.rb:162:in `start_thread'
/usr/lib/ruby/1.8/webrick/server.rb:95:in `start'
/usr/lib/ruby/1.8/webrick/server.rb:92:in `each'
/usr/lib/ruby/1.8/webrick/server.rb:92:in `start'
/usr/lib/ruby/1.8/webrick/server.rb:23:in `start'
/usr/lib/ruby/1.8/webrick/server.rb:82:in `start'
Rendering template within layouts/application
Rendering /errors/500.html.erb (500 Internal Server Error)
Processing ApplicationController#dashboard (for 188.129.64.98 at 2010-06-25 13:05:49) [GET]
Parameters: {"action"=>"dashboard", "controller"=>"pages"}
ActionView::TemplateError (Mysql::Error: MySQL server has gone away: SELECT count(*) AS count_all FROM `users` WHERE (last_request_at > '2010-06-25 10:55:49') ) on line #3 of app/views/layouts/_footer.html.erb:
1:
app/views/layouts/_footer.html.erb:3
app/views/layouts/application.html.erb:45
app/controllers/application_controller.rb:71:in `render_optional_error_file'
/usr/lib/ruby/1.8/webrick/httpserver.rb:104:in `service'
/usr/lib/ruby/1.8/webrick/httpserver.rb:65:in `run'
/usr/lib/ruby/1.8/webrick/server.rb:173:in `start_thread'
/usr/lib/ruby/1.8/webrick/server.rb:162:in `start'
/usr/lib/ruby/1.8/webrick/server.rb:162:in `start_thread'
/usr/lib/ruby/1.8/webrick/server.rb:95:in `start'
/usr/lib/ruby/1.8/webrick/server.rb:92:in `each'
/usr/lib/ruby/1.8/webrick/server.rb:92:in `start'
/usr/lib/ruby/1.8/webrick/server.rb:23:in `start'
/usr/lib/ruby/1.8/webrick/server.rb:82:in `start'
Rendering template within layouts/application
Rendering /errors/500.html.erb (500 Internal Server Error)
/!\ FAILSAFE /!\ Fri Jun 25 13:05:49 +0200 2010
Status: 500 Internal Server Error
ActionView::TemplateError (Mysql::Error: MySQL server has gone away: SELECT * FROM `users` WHERE (`users`.`id` = '1') LIMIT 1) on line #2 of app/views/layouts/_header.html.erb:
1:
Filterable live event viewer, i.e. by IP, by sensor, by event
Ability to assign specific sensors and reports to specific users, i.e. user A gets access to sensors 2 & 5 and daily/weekly/monthly reports on those only.
I'm using Snorby 2.0.1 installed from Insta-Snorby. The link at the bottom says that to reset all data we need to run 'rake snorby:reset RAILS_ENV=production', but the output I got is 'rake aborted. Don't know how to build task'. Can someone tell me how to reset the snorby database, so I get a fresh install with no events at all?
https://lswiki.byu.edu/index.php?title=Snort,_Barnyard2,_and_Snorby&diff=11344&oldid=11343
Error Message:
ActionView::TemplateError ( not found) on line #23 of app/views/events/show.pdf.prawn:
20: ### Start Of Cover
21:
22: pdf.move_down(90)
23: pdf.image snorby_logo, :scale => 0.7, :position => :center
24: pdf.move_down(15)
25: pdf.text "#{@event.sig.sig_name}", :size => 15, :style => :bold, :align => :center
26: pdf.text "This report was generated: #{Time.now.strftime('%A, %B %d, %Y')}", :size => 12, :align => :center
Processing EventsController#index (for x.x.x.x at 2009-09-30 12:20:55) [GET]
Parameters: {"action"=>"index", "controller"=>"events"}
Rendering template within layouts/application
Rendering events/index
Completed in 347ms (View: 283, DB: 17) | 200 OK [http://x.x.x.x/events]
/root/Snorby/app/views/events/event.html.erb:53: warning: Object#id will be deprecated; use Object#object_id
Hi Folks,
It is my first post here and I just installed Snorby on a physical machine from the .iso file.
Now it's working fine, but how do I create/define the category under the Event Category Information?
Regards,
Saeed
Search doesn't work when I try to filter by a criterion. I receive a 500 error
"Premature end of script headers: searches" from apache
The Source IP address column on the daily/weekly/monthly PDF reports that are sent by email, is truncating the last digits of the IP address. (Ex: 192.168.102.53 is displaying as 192.168.102.5)
I've noticed that this is worse for the "Low Severity" table than the others. "Medium Severity" seems to be okay, but "High Severity" cells will slightly cut off the last digit in a very long address such as 192.168.100.254.
Viewing in Adobe Reader 9.3
Hi! When I try to export reports to PDF, I can't do it.
I'm not sure if I need any gem to do it or it's a bug.
And I noticed when I do the search, the PDF icon is not displayed as in the flash tutorial.
I installed CentOS v5.4, mysql 5.0.77-4.el5_4.1, ruby 1.8.5
Thanks for all.
I am testing Snorby for the first time. So far I am really impressed. Love the clean feel to things.
The only problem I can find so far is the reports do not seem to be generated. I noticed on this install doc page it mentions running rake snorby:setup RAILS_ENV=production to setup the DBs and cron tab. The DB seemed to be created but I do not have any cron jobs setup. Can you provide me what should be in my cron tab?
Again, you have done a great job. Please keep up the good work. I'll try not to post too many feature requests :)
Hi, I'm getting the following trace from the event drill down page:
Processing EventsController#show (for 10.0.0.1 at 2010-08-26 14:47:22) [GET]
Parameters: {"action"=>"show", "id"=>"1,17819", "controller"=>"events"}
Rendering template within layouts/application
Rendering events/show
ActionView::TemplateError (undefined method `interface' for nil:NilClass) on line #16 of app/views/events/_summary.html.erb:
13: </tr>
14: <tr>
15: <td><%= @event.sensor.id %></td>
16: <td><%= @event.sensor.interface %></td>
17: <td><%= @event.sensor.hostname %></td>
18: <%- if @event.sig.sig_gid == 1 -%>
19: <td><%= link_to "#{@event.sig.sig_gid}:#{@event.sig.sig_sid}", "http://rootedyour.com/snortsid?sid=#{@event.sig.sig_sid}", :target => '_blank', :title => 'More Information', :class => 'add_tipsy' %></td>
app/views/events/_summary.html.erb:16
app/views/events/show.html.erb:27
app/controllers/events_controller.rb:16:in `show'
thin (1.2.5) lib/thin/connection.rb:76:in `pre_process'
thin (1.2.5) lib/thin/connection.rb:74:in `catch'
thin (1.2.5) lib/thin/connection.rb:74:in `pre_process'
thin (1.2.5) lib/thin/connection.rb:57:in `process'
thin (1.2.5) lib/thin/connection.rb:42:in `receive_data'
eventmachine (0.12.10) lib/eventmachine.rb:256:in `run_machine'
eventmachine (0.12.10) lib/eventmachine.rb:256:in `run'
thin (1.2.5) lib/thin/backends/base.rb:57:in `start'
thin (1.2.5) lib/thin/server.rb:156:in `start'
thin (1.2.5) lib/thin/controllers/controller.rb:80:in `start'
thin (1.2.5) lib/thin/runner.rb:177:in `send'
thin (1.2.5) lib/thin/runner.rb:177:in `run_command'
thin (1.2.5) lib/thin/runner.rb:143:in `run!'
thin (1.2.5) bin/thin:6
/usr/bin/thin:19:in `load'
/usr/bin/thin:19
Rendering template within layouts/application
Rendering /errors/500.html.erb (500 Internal Server Error)
I tried running both stable and master, but got the same thing. Any ideas?
Hi, I recently upgraded my Snorby IDS box OS to Ubuntu 10.10 Server. Reports never worked for me, but I noticed that now, while actively capturing alerts, Snorby reports an error (We're Sorry but something went wrong) when an alert message is selected. Any suggestions? After captures are complete you are able to display the alert details. Thanks.
I can't log in to snorby -- I get invalid username/password. I think it has something to do with the error I get when I set up the database etc. through rake. FYI, rake is new to me. There aren't any rows in the user table. This is on Fedora 10.
Here is the trace output:
[root@snorby]# rake snorby:setup RAILS_ENV=production --trace
(in /var/www/html/snorby)
** Invoke snorby:setup (first_time)
** Invoke environment (first_time)
** Execute environment
** Execute snorby:setup
[~] Setting Up Snorby Database.
** Invoke db:drop (first_time)
** Invoke db:load_config (first_time)
** Invoke rails_env (first_time)
** Execute rails_env
** Execute db:load_config
** Execute db:drop
** Invoke db:create (first_time)
** Invoke db:load_config
** Execute db:create
** Invoke db:migrate (first_time)
** Invoke environment
** Execute db:migrate
== CreateSessions: migrating =================================================
-- create_table(:sessions)
-> 0.0024s
-- add_index(:sessions, :session_id)
-> 0.0131s
-- add_index(:sessions, :updated_at)
-> 0.0036s
== CreateSessions: migrated (0.0199s) ========================================
== CreateSettings: migrating =================================================
-- create_table(:settings)
-> 0.0029s
-- execute("Insert into settings (app_name, app_dev, app_website, device_name, events_per_page) Values ('Snorby', 'Dustin Willis Webber', 'http://www.snorby.org', 'Snorby', '20')")
-> 0.0005s
== CreateSettings: migrated (0.0038s) ========================================
== CreateSearches: migrating =================================================
-- create_table(:searches)
-> 0.0036s
-- add_index(:searches, :sid)
-> 0.0036s
-- add_index(:searches, :sid_class_id)
-> 0.0081s
-- add_index(:searches, :ip_src)
-> 0.0039s
-- add_index(:searches, :ip_dst)
-> 0.0122s
-- add_index(:searches, :sport)
-> 0.0047s
-- add_index(:searches, :dport)
-> 0.0117s
-- add_index(:searches, :sig_priority)
-> 0.0102s
== CreateSearches: migrated (0.0601s) ========================================
== CreateUsers: migrating ====================================================
-- create_table(:users)
-> 0.0124s
-- add_column(:users, :avatar_file_name, :string)
-> 0.0181s
-- add_column(:users, :avatar_content_type, :string)
-> 0.0046s
-- add_column(:users, :avatar_file_size, :integer)
-> 0.0119s
-- add_column(:users, :avatar_updated_at, :datetime)
-> 0.0041s
-- add_index(:users, :name)
-> 0.0041s
-- add_index(:users, :email)
-> 0.0184s
-- add_index(:users, :persistence_token)
-> 0.0067s
-- add_index(:users, :last_request_at)
-> 0.0047s
== CreateUsers: migrated (0.0872s) ===========================================
== CreateReports: migrating ==================================================
-- create_table(:reports)
-> 0.0030s
== CreateReports: migrated (0.0032s) =========================================
== CreateCalcCaches: migrating ===============================================
-- create_table(:calc_caches)
-> 0.0140s
== CreateCalcCaches: migrated (0.0143s) ======================================
== CreateImportances: migrating ==============================================
-- create_table(:importances)
-> 0.0025s
-- add_index(:importances, :sid)
-> 0.0035s
-- add_index(:importances, :cid)
-> 0.0036s
-- add_index(:importances, :user_id)
-> 0.0151s
== CreateImportances: migrated (0.0256s) =====================================
== CreateComments: migrating =================================================
-- create_table(:comments)
-> 0.0025s
-- add_index(:comments, :sid)
-> 0.0040s
-- add_index(:comments, :cid)
-> 0.0036s
-- add_index(:comments, :user_id)
-> 0.0130s
== CreateComments: migrated (0.0240s) ========================================
** Invoke db:schema:dump (first_time)
** Invoke environment
** Execute db:schema:dump
[~] Importing snort DB schema...
** Invoke snorby:cache (first_time)
** Invoke environment
** Execute snorby:cache
[~] Cache Built Successfully.
rake aborted!
undefined method `cid' for nil:NilClass
/var/www/html/snorby/app/models/calc_cache.rb:28:in `build_cache'
/var/www/html/snorby/lib/tasks/install_snorby.rake:110
/usr/lib/ruby/gems/1.8/gems/rake-0.8.7/lib/rake.rb:636:in `call'
/usr/lib/ruby/gems/1.8/gems/rake-0.8.7/lib/rake.rb:636:in `execute'
/usr/lib/ruby/gems/1.8/gems/rake-0.8.7/lib/rake.rb:631:in `each'
/usr/lib/ruby/gems/1.8/gems/rake-0.8.7/lib/rake.rb:631:in `execute'
/usr/lib/ruby/gems/1.8/gems/rake-0.8.7/lib/rake.rb:597:in `invoke_with_call_chain'
/usr/lib/ruby/1.8/monitor.rb:242:in `synchronize'
/usr/lib/ruby/gems/1.8/gems/rake-0.8.7/lib/rake.rb:590:in `invoke_with_call_chain'
/usr/lib/ruby/gems/1.8/gems/rake-0.8.7/lib/rake.rb:583:in `invoke'
/var/www/html/snorby/lib/tasks/install_snorby.rake:14
/usr/lib/ruby/gems/1.8/gems/rake-0.8.7/lib/rake.rb:636:in `call'
/usr/lib/ruby/gems/1.8/gems/rake-0.8.7/lib/rake.rb:636:in `execute'
/usr/lib/ruby/gems/1.8/gems/rake-0.8.7/lib/rake.rb:631:in `each'
/usr/lib/ruby/gems/1.8/gems/rake-0.8.7/lib/rake.rb:631:in `execute'
/usr/lib/ruby/gems/1.8/gems/rake-0.8.7/lib/rake.rb:597:in `invoke_with_call_chain'
/usr/lib/ruby/1.8/monitor.rb:242:in `synchronize'
/usr/lib/ruby/gems/1.8/gems/rake-0.8.7/lib/rake.rb:590:in `invoke_with_call_chain'
/usr/lib/ruby/gems/1.8/gems/rake-0.8.7/lib/rake.rb:583:in `invoke'
/usr/lib/ruby/gems/1.8/gems/rake-0.8.7/lib/rake.rb:2051:in `invoke_task'
/usr/lib/ruby/gems/1.8/gems/rake-0.8.7/lib/rake.rb:2029:in `top_level'
/usr/lib/ruby/gems/1.8/gems/rake-0.8.7/lib/rake.rb:2029:in `each'
/usr/lib/ruby/gems/1.8/gems/rake-0.8.7/lib/rake.rb:2029:in `top_level'
/usr/lib/ruby/gems/1.8/gems/rake-0.8.7/lib/rake.rb:2068:in `standard_exception_handling'
/usr/lib/ruby/gems/1.8/gems/rake-0.8.7/lib/rake.rb:2023:in `top_level'
/usr/lib/ruby/gems/1.8/gems/rake-0.8.7/lib/rake.rb:2001:in `run'
/usr/lib/ruby/gems/1.8/gems/rake-0.8.7/lib/rake.rb:2068:in `standard_exception_handling'
/usr/lib/ruby/gems/1.8/gems/rake-0.8.7/lib/rake.rb:1998:in `run'
/usr/lib/ruby/gems/1.8/gems/rake-0.8.7/bin/rake:31
/usr/bin/rake:19:in `load'
/usr/bin/rake:19
[root@snorby]# rake snorby:cache RAILS_ENV=production
(in /var/www/html/snorby)
[~] Cache Built Successfully.
Snorby Cache Complete!
Snorby will cache every hour and clicking the refresh icon on the dashboard will force cache updates.
Some cache updates may take awhile before data changes can be observed.
Here are the versions:
[root@snorby]# gem list -l
*** LOCAL GEMS ***
actionmailer (2.3.4, 2.1.1)
actionpack (2.3.4, 2.1.1)
activeldap (1.2.0, 1.0.9)
activerecord (2.3.4, 2.1.1)
activeresource (2.3.4, 2.1.1)
activesupport (2.3.4, 2.1.1)
arrayfields (4.7.4, 4.5.0)
attributes (5.0.1)
builder (2.1.2)
cgi_multipart_eof_fix (2.5.0, 2.3)
cobbler (1.6.0)
daemons (1.0.10, 1.0.7)
dbd-mysql (0.4.3)
dbi (0.4.3)
deprecated (2.0.1)
facets (2.7.0, 2.5.0)
fastthread (1.0.7, 1.0.1)
fattr (2.1.0)
ferret (0.11.6)
gem2rpm (0.6.0)
gem_plugin (0.2.3)
gettext (2.0.4, 1.93.0)
gettext_activerecord (2.0.4)
git (1.2.5, 1.0.7)
gruff (0.3.6, 0.3.4)
highline (1.5.1, 1.4.0)
hoe (2.3.3, 2.0.0)
hpricot (0.8.1)
htmlentities (4.2.0, 4.0.0)
json_pure (1.1.9)
krb5-auth (0.7)
locale (2.0.4)
main (4.2.0, 2.8.2)
markaby (0.5)
mechanize (0.9.3, 0.9.2)
mongrel (1.1.5, 1.0.1)
mysql (2.8.1)
nokogiri (1.4.0, 1.2.3)
passenger (2.2.5)
pervasives (1.1.0)
picnic (0.8.1.1, 0.6.5)
prawn (0.5.1)
prawn-core (0.5.1)
prawn-format (0.2.1)
prawn-layout (0.2.1)
rack (1.0.1, 0.4.0)
rails (2.3.4, 2.1.1)
rake (0.8.7, 0.8.4)
restr (0.5.2, 0.4.0)
reststop (0.4.1, 0.3.0)
rspec (1.2.9, 1.1.11)
rubyforge (2.0.3, 1.0.3)
rubygems-update (1.3.5, 1.3.4)
sqlite3-ruby (1.2.5, 1.2.4)
tlsmail (0.0.1)
zoom (0.4.1)
[root@snorby]# rake -V
rake, version 0.8.7
[root@snorby]# ruby -v
ruby 1.8.6 (2008-08-11 patchlevel 287) [i386-linux]
[root@snorby]# rails -v
Rails 2.3.4
/usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -f snort.u2 -d /data/snortlogs/ -L /data/snortlogs/ -w /data/snortlogs/barnyard2.waldo -D
/usr/bin/ruby /var/www/html/snorby/script/server -e production -p 48620 -d
Hi,
I haven't tested the new version yet, but if it is not already the case, could you add postgres database support as a database backend? Also, remote database backup support would be nice to have in case the postgres database is not local.
Thanks
The report is only counting 1 session for every alert. Many of the alerts I've had have multiple sessions and multiple src/dest.
POLICY GoToMyPC local service running
Report:
POLICY GoToMyPC local service running 1 10.43.137.48 216.115.208.199 1 (1 session)
Search for event:
Successfully submitted search and found 6 results.
I started Snorby and snort in a terminal on Fedora 11. I was provided a link to where Snorby is functioning correctly, but I get no interface. What have I forgotten?
After Settings->Sensor settings->Remove events for 1 sensor (sensor 5; I had 5 before doing so), the "Sensor information" on the Dashboard shows wrong statistics. And there is a duplicate of sensor 5 everywhere, sensor 6.
1- In Settings->Sensor settings, there is now sensor 6 duplicate of sensor 5
2- In Dashboard/Sensor information:
a. the duplicate sensor 6 is at the top of the sensor list (order: 6,1,2,3,4,5), duplicate to 5
b. "Last Event" column still shows data for sensor 5.
c. "Last Event" for sensor 6 not updating.
Workaround would probably be to remove sensor 5 as now all events come to the sensor 6. I have screenshots and can provide access to the web interface as well.
Snorby 1.1.3 Spsa, modified the system a little bit (remote sensor -> MySQL, time zone, new user etc. unrelated stuff).
I have tested the Snorby setup with a postgres DB backend, but with no luck until now. I plan to test with mysql, but can you tell me if postgres is a supported DB backend with Snorby? Or give some requirements? There's definitely a lack of documentation here.
Thanks
UPDATED Didn't have time to write up full documentation yet. But here is what you will need to get Snort 2.8.6 compiled with mysql support and dynamic plugins, along with what Snorby needs in Ubuntu 10.4.
UPDATED Get your dependencies: Some of these might not be needed, but all of these are required if you plan to compile snort and ntop. If you don't plan on rolling those two packages by hand into your system (not recommended by me), these are still good packages to have installed, just in case you do need to compile something in the future and need the libraries to do so.
apt-get install build-essential libpcap-dev libmysqlclient-dev mysql-client mysql-server bison flex apache2 libapache2-mod-php5 php5-gd php5-mysql libphp-adodb php-pear libc6-dev g++ gcc pcregrep libpcre3-dev rubygems libopenssl-ruby ruby1.8-dev rake libtool automake autoconf libgdbm-dev librrd-dev python-dev geoip-bin libgeoip-dev php5-geoip python-geoip git-core
UPDATED Download the latest source of snort and untar it. I used the ./configure below. Reason: I use preprocessor rules, and if you want to use them as well, you'll have to make sure to tell snort to compile that in. The default preprocessor rules are located in the snort src directory, i.e. snort-2.8.6/preproc_rules/preprocessor.rules; just copy that file to the /etc/snort dir and reference that file in snort.conf.
./configure --enable-dynamicplugin --with-mysql --enable-decoder-preprocessor-rules
make
make install
Keep your snort src directory handy for uninstalling, i.e. make uninstall
UPDATED Now let's get Snorby going; we need some gems installed. We have to install a certain version of Prawn to get PDFs to work, and we also need another version of rails installed as well. NOTE: go grab a cup of coffee, this one might take a little bit!
gem install -v=2.3.2 rails
gem install -v=0.6.2 prawn
gem install -v=0.6.2 prawn-core
gem install -v=0.2.3 prawn-format
gem install -v=0.3.2 prawn-layout
gem install -v=0.1.1 prawn-security
gem install mysql
You can do this all on one line i.e. gem install -v=2.3.2 rails; gem install -v=0.6.2 prawn; gem install -v=0.6.2 prawn-core; gem install -v=0.2.3 prawn-format; gem install -v=0.3.2 prawn-layout; gem install -v=0.1.1 prawn-security; gem install mysql
Compiling ntop should work as per their instructions; it's out of scope for this short, incomplete document, since Snorby doesn't depend on it.
You should now be able to go into the Snorby directory and install with rake (NEW INSTALL ONLY):
rake snorby:setup RAILS_ENV=production
This is very high level, to the point, short n sweet. This is a work in progress please let me know if you have any questions or add/edit to this document.
Cheers,
Eric
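Eric's notes above pin exact gem versions, and `rake snorby:setup` is only expected to work once all of them are present for the Ruby that will serve Snorby. One way a `require 'prawn/format'` ends up failing with MissingSourceFile, as in a traceback further down this thread, is that the gem is simply not installed for that Ruby. The script below is an added example, not Eric's code and not part of the Snorby project: it parses `gem list` output, reports which pinned versions are absent, and prints (rather than runs) the matching `gem install -v=...` commands so they can be reviewed first. The pinned versions are taken from the post above; the sample `gem list` text embedded in it is constructed so the script can run offline, and the `--live` flag is an option of this script only, not of Snorby or of `gem`.

```shell
#!/bin/sh
# Added example, not part of Snorby or of the post above: compare the gem
# versions the post pins against what `gem list` reports, and print the
# `gem install -v=...` commands for anything missing instead of running them.
# Run it with the same Ruby/gem that will serve Snorby; a gem installed for a
# different Ruby is invisible to the one that needs it.

# Exact versions pinned in the post above, as "name version" lines.
PINNED='rails 2.3.2
prawn 0.6.2
prawn-core 0.6.2
prawn-format 0.2.3
prawn-layout 0.3.2
prawn-security 0.1.1'

# Constructed sample of `gem list` output for running offline. It lacks
# prawn-format entirely and has prawn-layout only at a newer version, so two
# of the pinned gems are reported as missing.
SAMPLE_GEM_LIST='*** LOCAL GEMS ***

mysql (2.8.1)
prawn (0.8.4, 0.6.2)
prawn-core (0.8.4, 0.6.3, 0.6.2)
prawn-layout (0.8.4)
prawn-security (0.8.4, 0.1.1)
rails (2.3.8, 2.3.2)
rake (0.8.7)'

# have_gem_version LIST NAME VERSION
# Succeeds only if NAME appears in LIST with exactly VERSION among its
# installed versions. `gem list` prints "name (v1, v2, ...)"; the name is
# compared as a whole field and each version as a whole token, so "prawn"
# does not match "prawn-core" and "0.6.2" does not match "0.6.23".
have_gem_version() {
    printf '%s\n' "$1" | awk -v name="$2" -v want="$3" '
        $1 == name {
            line = $0
            sub(/^[^(]*\(/, "", line)   # drop the name and the opening "("
            sub(/\).*$/, "", line)      # drop the closing ")" and anything after
            n = split(line, vers, /, */)
            for (i = 1; i <= n; i++) if (vers[i] == want) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# missing_gems LIST -> "name version" lines for pinned gems absent from LIST
missing_gems() {
    printf '%s\n' "$PINNED" | while read -r name ver; do
        [ -n "$name" ] || continue
        have_gem_version "$1" "$name" "$ver" || printf '%s %s\n' "$name" "$ver"
    done
}

# install_commands LIST -> one install command per missing gem, in the
# -v=VERSION form the post uses, so the output can be reviewed then pasted.
install_commands() {
    missing_gems "$1" | while read -r name ver; do
        printf 'gem install -v=%s %s\n' "$ver" "$name"
    done
}

# --live (an option of this script, not of Snorby) checks the real `gem list`;
# the default run uses the constructed sample above.
if [ "${1:-}" = "--live" ]; then
    GEM_LIST=$(gem list)
else
    GEM_LIST=$SAMPLE_GEM_LIST
fi

if [ -z "$(missing_gems "$GEM_LIST")" ]; then
    echo "all pinned gem versions present; safe to run: rake snorby:setup RAILS_ENV=production"
else
    echo "missing pinned gem versions; install with:"
    install_commands "$GEM_LIST"
fi
```

Run it as `sh check_gems.sh --live` on the box before `rake snorby:setup`; with no argument it exercises the constructed sample and reports prawn-format 0.2.3 and prawn-layout 0.3.2 as missing. Matching whole version tokens rather than substrings matters because several of the gem lists posted in this thread carry two or three versions of the same prawn gem side by side.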
Hi,
I've just installed Snorby 2.2.5 and I have a problem. The Dashboard always shows no events, but when I click the Events tab, the events are there. I tried everything I found here, but it still doesn't work. The next problem is that SensorCacheJob automatically shuts down after 30 minutes and I have to start it again and again manually.
Please help.
Thanks.
Martin
Hi,
It would be great if you can create a button to go to the next/previous event while you are viewing a specific event.
Regards,
Francois
Hi y'all
I have this one and only one problem: when I search for a specific event,
for example, I have a rule set for Facebook activity; it will monitor everything regarding Facebook, because I have to show the company's activity over the month. And where it is supposed to ask you for the PDF option, it's not asking me at all.
And if I do one individual event it will ask me, but it gives me the error "can't find file etc...".
here are gems that i have installed:
[root@localhost snort]# gem list
*** LOCAL GEMS ***
abstract (1.0.0)
actionmailer (3.0.1, 2.3.2)
actionpack (3.0.1, 2.3.2)
activemodel (3.0.1)
activerecord (3.0.1, 2.3.2)
activeresource (3.0.1, 2.3.2)
activesupport (3.0.1, 2.3.2)
arel (1.0.1)
builder (2.1.2)
bundler (1.0.3)
daemon_controller (0.2.5)
erubis (2.6.6)
fastthread (1.0.7)
file-tail (1.0.5)
i18n (0.4.1)
mail (2.2.7)
mime-types (1.16)
mysql (2.8.1)
passenger (3.0.0)
polyglot (0.3.1)
prawn (0.6.2)
prawn-core (0.6.3, 0.6.2)
prawn-format (0.2.3)
prawn-layout (0.8.4, 0.3.2)
prawn-security (0.8.4, 0.1.1)
rack (1.2.1)
rack-mount (0.6.13)
rack-test (0.5.6)
rails (3.0.1, 2.3.2)
railties (3.0.1)
rake (0.8.7)
rubygems-update (1.3.7)
sinatra (1.0)
spruz (0.1.5)
thor (0.14.3)
treetop (1.4.8)
tzinfo (0.3.23)
Please, if someone can point me in the right direction for this. I've been trying to get this issue fixed so I can move on to the next and last step of my project, which would be customizing all the rules and eliminating what is not needed.
Thanks
while running this:
/var/www/Snorby/script/runner -e production "Event.run_daily_report" >> /var/www/Snorby/log/snorby_reports.log
I get this:
/usr/local/lib/ruby/gems/1.8/gems/rails-2.3.2/lib/rails/gem_dependency.rb:99:Warning: Gem::Dependency#version_requirements is deprecated and will be removed on or after August 2010. Use #requirement
/usr/local/lib/ruby/gems/1.8/gems/rails-2.3.2/lib/commands/runner.rb:48: /usr/local/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:31:in `gem_original_require': no such file to load -- prawn/format (MissingSourceFile)
    from /usr/local/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:31:in `require'
    from /usr/local/lib/ruby/gems/1.8/gems/activesupport-2.3.2/lib/active_support/dependencies.rb:158:in `require'
    from /var/www/Snorby/lib/pdf_for_email.rb:3
    from /usr/local/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:31:in `gem_original_require'
    from /usr/local/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:31:in `require'
    from /usr/local/lib/ruby/gems/1.8/gems/activesupport-2.3.2/lib/active_support/dependencies.rb:158:in `require'
    from /usr/local/lib/ruby/gems/1.8/gems/activesupport-2.3.2/lib/active_support/dependencies.rb:265:in `require_or_load'
    from /usr/local/lib/ruby/gems/1.8/gems/activesupport-2.3.2/lib/active_support/dependencies.rb:425:in `load_missing_constant'
    from /usr/local/lib/ruby/gems/1.8/gems/activesupport-2.3.2/lib/active_support/dependencies.rb:80:in `const_missing'
    from /usr/local/lib/ruby/gems/1.8/gems/activesupport-2.3.2/lib/active_support/dependencies.rb:92:in `const_missing'
    from /usr/local/lib/ruby/gems/1.8/gems/activesupport-2.3.2/lib/active_support/dependencies.rb:437:in `load_missing_constant'
    from /usr/local/lib/ruby/gems/1.8/gems/activesupport-2.3.2/lib/active_support/dependencies.rb:96:in `const_missing'
    from /var/www/Snorby/app/models/event.rb:54:in `run_daily_report'
    from (eval):1
    from /usr/local/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:31:in `eval'
    from /usr/local/lib/ruby/gems/1.8/gems/rails-2.3.2/lib/commands/runner.rb:48
    from /usr/local/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:31:in `gem_original_require'
    from /usr/local/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:31:in `require'
    from /var/www/Snorby/script/runner:3
Hello
I have just finished the installation of Snorby 2.0 using the following manuals:
http://www.catapult-creative.com/2009/2/4/installing-rails-on-centos-5/
and
http://wiki.github.com/mephux/Snorby/migrating-from-acid-base-to-snorby-on-ubuntu-904-amd64-jaunty
Everything went OK, but now when I try to log on with the default user/pass, which is snorby/admin, I get the following:
"Incorrect User and/or Password. "
Any idea how to fix it?
Please advise.
Thanks
root@Snorby:/var/www/Snorby# rake snorby:setup RAILS_ENV=production --trace
(in /var/www/Snorby)
rake aborted!
no such file to load -- initializer
/usr/local/lib/site_ruby/1.8/rubygems/custom_require.rb:31:in `gem_original_require'
/usr/local/lib/site_ruby/1.8/rubygems/custom_require.rb:31:in `require'
/var/www/Snorby/config/boot.rb:55:in `load_initializer'
/var/www/Snorby/config/boot.rb:38:in `run'
/var/www/Snorby/config/boot.rb:11:in `boot!'
/var/www/Snorby/config/boot.rb:110
/usr/local/lib/site_ruby/1.8/rubygems/custom_require.rb:31:in `gem_original_require'
/usr/local/lib/site_ruby/1.8/rubygems/custom_require.rb:31:in `require'
/var/www/Snorby/Rakefile:4
/usr/lib/ruby/gems/1.8/gems/rake-0.8.7/lib/rake.rb:2383:in `load'
/usr/lib/ruby/gems/1.8/gems/rake-0.8.7/lib/rake.rb:2383:in `raw_load_rakefile'
/usr/lib/ruby/gems/1.8/gems/rake-0.8.7/lib/rake.rb:2017:in `load_rakefile'
/usr/lib/ruby/gems/1.8/gems/rake-0.8.7/lib/rake.rb:2068:in `standard_exception_handling'
/usr/lib/ruby/gems/1.8/gems/rake-0.8.7/lib/rake.rb:2016:in `load_rakefile'
/usr/lib/ruby/gems/1.8/gems/rake-0.8.7/lib/rake.rb:2000:in `run'
/usr/lib/ruby/gems/1.8/gems/rake-0.8.7/lib/rake.rb:2068:in `standard_exception_handling'
/usr/lib/ruby/gems/1.8/gems/rake-0.8.7/lib/rake.rb:1998:in `run'
/usr/lib/ruby/gems/1.8/gems/rake-0.8.7/bin/rake:31
/usr/bin/rake:19:in `load'
/usr/bin/rake:19
root@Snorby:/var/www/Snorby#
Hi, I installed all the required Ruby & gems. When I run "ruby server -e production -p 3000 -d", I get an error: Rails requires RubyGems >= . Please install RubyGems and try again: http://rubygems.rubyforge.org
But I have RubyGems installed:
[root@SNORT script]# gem list
*** LOCAL GEMS ***
actionmailer (2.3.2)
actionpack (2.3.2)
activerecord (2.3.2)
activeresource (2.3.2)
activesupport (2.3.2)
mysql (2.8.1)
prawn (0.8.4)
prawn-core (0.8.4)
prawn-layout (0.8.4)
prawn-security (0.8.4)
rails (2.3.2)
rake (0.8.7)
rubygems-update (1.3.7)
Can anyone help me to solve this issue?
Thanks
Hello,
Is it possible to search for an alert by subnet?
I use Snorby daily and some colleagues want to know if an alert was detected on a certain subnet.
Thanks a lot, and sorry for my bad English.
I have followed all the install steps and the front page shows version 1.1.3 instead of 2. Is this normal behaviour?
Hi,
I just installed Snorby from the Insta-Snorby-0.8.0.iso file. I am now on the admin page and can access SSH, but there has been nothing on the dashboard for the last 3 hours. I enabled the rules in /etc/snort/snort.conf, but still nothing is showing.
root@Insta-Snorby ~# pico /etc/network/interfaces
auto eth0
iface eth0 inet static
address 172.16.1.9
netmask 255.255.255.0
gateway 172.16.1.1
dns-nameservers 172.20.4.10
auto eth1
iface eth1 inet dhcp
Can anybody help me?
Are there any good commands for how to start, stop and restart the Snorby services, and also for how to download Snort rules (/etc/oinkmaster.conf)?
Regards,
Saeed
Hello all,
I've got it working well enough to display snort events in Dashboard and Events, but when I tried to drill down into any event I got error:
ActionView::TemplateError (undefined method `interface' for nil:NilClass) on line #16 of app/views/events/_summary.html.erb:
13:
14:
15: <%= @event.sensor.id %>
16: <%= @event.sensor.interface %>
17: <%= @event.sensor.hostname %>
18: <%- if @event.sig.sig_gid == 1 -%>
19: <%= link_to "#{@event.sig.sig_gid}:#{@event.sig.sig_sid}", "http://rootedyour.com/snortsid?sid=#{@event.sig.sig_sid}", :target => '_blank', :title => 'More Information', :class => 'add_tipsy' %>
app/views/events/_summary.html.erb:16
app/views/events/show.html.erb:27
app/controllers/events_controller.rb:16:in `show'
/usr/local/lib/ruby/1.8/webrick/httpserver.rb:104:in `service'
/usr/local/lib/ruby/1.8/webrick/httpserver.rb:65:in `run'
/usr/local/lib/ruby/1.8/webrick/server.rb:173:in `start_thread'
/usr/local/lib/ruby/1.8/webrick/server.rb:162:in `start'
/usr/local/lib/ruby/1.8/webrick/server.rb:162:in `start_thread'
/usr/local/lib/ruby/1.8/webrick/server.rb:95:in `start'
/usr/local/lib/ruby/1.8/webrick/server.rb:92:in `each'
/usr/local/lib/ruby/1.8/webrick/server.rb:92:in `start'
/usr/local/lib/ruby/1.8/webrick/server.rb:23:in `start'
/usr/local/lib/ruby/1.8/webrick/server.rb:82:in `start'
Rendering template within layouts/application
Rendering /errors/500.html.erb (500 Internal Server Error)
Hello,
I would like to know how to shorten the dashboard update interval; I think 30 minutes is too long.
Thanks.
When I go to look at the dashboard, it says
" We're sorry, but something went wrong.
We've been notified about this issue and we'll take a look at it shortly."
I am running the webrick in non-daemon mode -- errors go to stdout -- and it says this:
Processing PagesController#dashboard (for 10.10.117.9 at 2009-08-14 15:43:58) [GET]
Parameters: {"action"=>"dashboard", "controller"=>"pages"}
NoMethodError (undefined method `high_severity' for nil:NilClass):
    app/controllers/pages_controller.rb:27:in `dashboard'
    /usr/local/lib/ruby/1.8/webrick/httpserver.rb:104:in `service'
    /usr/local/lib/ruby/1.8/webrick/httpserver.rb:65:in `run'
    /usr/local/lib/ruby/1.8/webrick/server.rb:173:in `start_thread'
    /usr/local/lib/ruby/1.8/webrick/server.rb:162:in `start'
    /usr/local/lib/ruby/1.8/webrick/server.rb:162:in `start_thread'
    /usr/local/lib/ruby/1.8/webrick/server.rb:95:in `start'
    /usr/local/lib/ruby/1.8/webrick/server.rb:92:in `each'
    /usr/local/lib/ruby/1.8/webrick/server.rb:92:in `start'
    /usr/local/lib/ruby/1.8/webrick/server.rb:23:in `start'
    /usr/local/lib/ruby/1.8/webrick/server.rb:82:in `start'
Rendering template within layouts/application
Rendering /errors/500.html.erb (500 Internal Server Error)
I am running into issues when deleting large numbers of events (45,000); I have yet to have the operation complete even after waiting for several hours. Eventually the process either just hangs or crashes.
The server is a 2.8 GHz Xeon with 2 GB of RAM.
I'm trying to run snorby using apache on a different web root (e.g. I want to be able to access https://myserver/snorby). Unfortunately I couldn't make this work so I started snorby using:
/www-ssl/server/bin/ruby script/server -e production -b 127.0.0.1 -p 8081 -P /snorby -d
and then use a reverse proxy in apache so that when I go to https://myserver/snorby, apache fetches http://127.0.0.1:8081/snorby in the background. Unfortunately the open-flash-chart*.swf graphs seem to be hardcoded to be at /... which makes this setup fail. I tried copying the swf files to the root of the apache server, but then they seem to make a back connection to http://myserver/snorby/graph/pie_event_severity?high=0&low=0&medium=46 (note the http instead of https at the front).
Is it possible to make snorby use only relative links to reference itself, that would make it a lot easier to relocate it?
Processing PagesController#events_for_sensor (for ::ffff:192.168.5.136 at 2010-07-20 16:44:13) [GET]
Parameters: {"sensor"=>"2", "controller"=>"pages", "action"=>"events_for_sensor"}
Rendering template within layouts/application
Rendering pages/events_for_sensor
ActionView::TemplateError (undefined method `in_time_zone' for nil:NilClass) on line #5 of app/views/events/_event.html.erb:
2:
app/views/events/_event.html.erb:5
app/views/pages/events_for_sensor.html.erb:4
<internal:prelude>:8:in `synchronize'
/apps/IPsoft/ruby191/lib/ruby/1.9.1/webrick/httpserver.rb:111:in `service'
/apps/IPsoft/ruby191/lib/ruby/1.9.1/webrick/httpserver.rb:70:in `run'
/apps/IPsoft/ruby191/lib/ruby/1.9.1/webrick/server.rb:183:in `block in start_thread'
Rendering template within layouts/application
Rendering /errors/500.html.erb (500 Internal Server Error)
When I try to read/access one item of events I get the message: "We're sorry, but something went wrong."
the url (example) -> http://x.x.x.x:3000/events/1,19
And there is the log generate:
"ActionView::TemplateError (undefined method `interface' for nil:NilClass) on line #16 of app/views/events/_summary.html.erb:
13:
14:
15: <%= @event.sensor.id %>
16: <%= @event.sensor.interface %>
17: <%= @event.sensor.hostname %>
18: <%- if @event.sig.sig_gid == 1 -%>
19: <%= link_to "#{@event.sig.sig_gid}:#{@event.sig.sig_sid}", "http://rootedyour.com/snortsid?sid=#{@event.sig.sig_sid}", :target => '_blank', :title => 'More Information', :class => 'add_tipsy' %>
app/views/events/_summary.html.erb:16
app/views/events/show.html.erb:27
app/controllers/events_controller.rb:16:in `show'"
I'm using Fedora 10 Linux, rubygems 1.3.1, ruby 1.8.6 (2008-08-11 patchlevel 287) [i386-linux], Rails 2.3.2.
Rendering pages/dashboard
ActionView::TemplateError (Mysql::Error: MySQL server has gone away: SELECT count(*) AS count_all FROM users
WHERE (last_request_at > '2010-07-20 19:23:23') ) on line #3 of app/views/layouts/_footer.html.erb:
1:
app/views/layouts/_footer.html.erb:3
app/views/layouts/application.html.erb:45
<internal:prelude>:8:in `synchronize'
/apps/IPsoft/ruby191/lib/ruby/1.9.1/webrick/httpserver.rb:111:in `service'
/apps/IPsoft/ruby191/lib/ruby/1.9.1/webrick/httpserver.rb:70:in `run'
/apps/IPsoft/ruby191/lib/ruby/1.9.1/webrick/server.rb:183:in `block in start_thread'
Rendering template within layouts/application
Rendering /errors/500.html.erb (500 Internal Server Error)
*** LOCAL GEMS ***
actionmailer (2.3.8, 2.3.2)
actionpack (2.3.8, 2.3.2)
activerecord (2.3.8, 2.3.2)
activeresource (2.3.8, 2.3.2)
activesupport (2.3.8, 2.3.2)
Ascii85 (1.0.0)
chronic (0.2.3)
color (1.4.1)
hoe (2.6.1)
json_pure (1.4.3)
mysql (2.8.1)
pdf-reader (0.8.5)
pdf-writer (1.1.8)
prawn (0.8.4, 0.6.2)
prawn-core (0.8.4, 0.6.3, 0.6.2)
prawn-format (0.2.3)
prawn-layout (0.8.4, 0.3.2)
prawn-security (0.8.4, 0.1.1)
rack (1.2.1, 1.1.0)
rails (2.3.8, 2.3.2)
rake (0.8.7)
rubyforge (2.0.4)
transaction-simple (1.4.0)
whenever (0.5.0)
Post login, post redirection to /dashboard, if I go to /events, the pages render.
ruby 1.9.1p378 (2010-01-10 revision 26273) [i686-linux]
]# gem -v
1.3.5