
snorby's Introduction

Snorby

Description

Snorby is a Ruby on Rails web application for network security monitoring that interfaces with currently popular intrusion detection systems (Snort, Suricata and Sagan). The fundamental concepts behind Snorby are simplicity, organization and power. The project goal is to create a free, open source and highly competitive application for network monitoring, for both private and enterprise use.

Requirements

  • Snort
  • Ruby >= 2.5
  • Rails >= 3.0.0

Install

  • Get Snorby from the download section or use the latest edge release via git.

    git clone git://github.com/Snorby/snorby.git

  • Move into the Snorby directory

    cd snorby

  • Install Gem Dependencies (make sure you have bundler installed: gem install bundler)

    On Ubuntu 18.04 and later, the packaged tooling can be installed first:

    apt-get install ruby-graphviz ruby-dev ruby ruby-bundler rake ruby-rails
    gem install rubygems-bundler
    gem install rbundler -v 1.16.1
    gem install bundler -v 1.16.1

    Then, from the Snorby directory:

    bundle install

    • NOTE: If you get missing gem issues in production, use `bundle install --path vendor/cache`
    • If your system gems are updated beyond the Gemfile.lock, run the tasks through bundler, for example `bundle exec rake snorby:setup`
    • If running `bundle exec {app}` is painful, you can safely install binstubs with `bundle install --binstubs`

  • Install wkhtmltopdf

    pdfkit --install-wkhtmltopdf

  • Edit the Snorby configuration files

    • config/snorby_config.yml

    • config/database.yml

    • config/initializers/mail_config.rb

    • Templates can be found in config/snorby_config.yml.example, config/database.yml.example and config/initializers/mail_config.example.rb respectively.

  • Run the Snorby setup

    rake snorby:setup

    • NOTE: If you get a warning such as "already initialized constant PDF", you can fix it by running these commands:
     sed -i 's/\(^.*\)\(Mime::Type.register.*application\/pdf.*$\)/\1if Mime::Type.lookup_by_extension(:pdf) != "application\/pdf"\n\1  \2\n\1end/' vendor/cache/ruby/*.*.*/bundler/gems/ezprint-*/lib/ezprint/railtie.rb
     sed -i 's/\(^.*\)\(Mime::Type.register.*application\/pdf.*$\)/\1if Mime::Type.lookup_by_extension(:pdf) != "application\/pdf"\n\1  \2\n\1end/' vendor/cache/ruby/*.*.*/gems/actionpack-*/lib/action_dispatch/http/mime_types.rb
     sed -i 's/\(^.*\)\(Mime::Type.register.*application\/pdf.*$\)/\1if Mime::Type.lookup_by_extension(:pdf) != "application\/pdf"\n\1  \2\n\1end/' vendor/cache/ruby/*.*.*/gems/railties-*/guides/source/action_controller_overview.textile

  • Start Rails

    For instance with rails server or bundle exec rails server, then point a browser to localhost:3000 or whatever host and port you put in config/snorby_config.yml.

  • Log in and create new user

    If you selected authentication_mode: database in config/snorby_config.yml the default user credentials are:

    After logging in go to Administration / Users, click Add user and fill out the form to create a personal account with administrator privileges before you delete the default user.

  • Once all options have been configured and Snorby is up and running

    • Make sure you start the Snorby Worker from the Administration page.
    • Make sure that both the DailyCache and SensorCache jobs are running.
  • NOTE: If you do not run Snorby with Passenger (http://www.modrails.com), remember to start Rails in production mode:

    rails server -e production

Updating Snorby

In the root Snorby directory type the following command:

`git pull origin master`

Once the pull has completed successfully, run the Snorby update rake task:

`rake snorby:update`

Helpful Commands

You can open the rails console at anytime and interact with the Snorby environment. Below are a few helpful commands that may be useful:

  • Open the rails console by typing rails c in the Snorby root directory
  • You should never really need to run the below commands. They are all available within the Snorby interface but documented here just in case.

Snorby Worker

Snorby::Worker.stop      # Stop The Snorby Worker
Snorby::Worker.start     # Start The Snorby Worker
Snorby::Worker.restart   # Restart The Snorby Worker

Snorby Cache Jobs

# This will manually run the sensor cache job - pass true or false for verbose output
Snorby::Jobs::SensorCacheJob.new(true).perform

# This will manually run the daily cache job - once again passing true or false for verbose output
Snorby::Jobs::DailyCacheJob.new(true).perform

# Clear All Snorby Cache - You must pass true to this method call for confirmation.
Snorby::Jobs.clear_cache(true)

# If the Snorby worker is running this will start the cache jobs and set the run_at time for the current time.
Snorby::Jobs.run_now!

License

Please refer to the LICENSE file found in the root of the snorby project.

snorby's People

Contributors

acmarques, asunc, cjp, creased, dependabot[bot], djcas9, dougburks, emilecantin, erichmenge, gehrhorn, giovanigenerali, jandre, lgirvin, mcmahoniel, miketanderson, notnyt, orsoone, ovargas27, pikislabis, qha, rossmairm, shadowbq, sonnens, splashx, stamfest, terracatta, ursinho, varp, vix, wayfairmike

snorby's Issues

Issue with "locked_by"

Hi. It seems like there is an issue with the locked_by column in delayed_jobs that makes the worker fail.

Error message: Data too long for column 'locked_by' at row 1.
Result: Kills the worker.

I quick-fixed the problem by extending the current column to a varchar(255).

Auto populate of Events requires a page refresh.

I'm new to Snorby and I am going to demo it at work some time this week (with Solera). I've noticed that the Events do not auto populate (realtime) and that I have to refresh the page (or click the "New Events Available" button) if I want to see the latest alerts. Is there a way to get Snorby to pull/refresh every ~10sec? I thought I read that it uses Ajax for the pull request, is there a parameter that I can modify to get the desired results?
On another note, does anyone know the "Packet capture extract url" for Solera? (IE X.X.X.X/Solera/TheFileYourLookingFor)

asset:packager

Hi, yesterday I installed your snorby, and everything was fine. Today I reinstalled snorby with new source (uploaded 12h ago) and have that problem:

rake snorby:setup
(in /var/www/html/snorby)
rake aborted!
Don't know how to build task 'asset:packager:build_all'

(See full trace by running task with --trace)

See alerts by clicking on graphs

Hello,

I have a suggestion : It maybe interesting to look alerts by clicking on graphs from the dashboard. For example, I look the signature's graph : I am tempted to click on the utmost signature to view all alerts... But it's not possible.

Do you think that is possible ?

Thanks a lot !

Destination IP Addresses over 127.255.255.255

Hi,
I have been testing over the past few days and things are looking great! Really good job so far!

One thing that I have noticed though is that any IP addresses (Destination at least but likely source as well) that are over 127.255.255.255 are displayed as 127.255.255.255.

I have tested snort logging to a DB on the same system created with the snort create_mysql.gz script and it works just fine.

Does that make any sense? or am I missing something that would prevent this from logging correctly like a mysql plugin or something?

Thanks in advance for any input!

Ian Dawson
Ubuntu 10.04 server
MySql 5.1.41

Feature Request: Display References

When an alert is expanded the references for that rule should be included in the interface. They should be clickable and open in a new tab/window.

Event Classification History

It would be nice to see a history of who classified the event. Currently I can see the classification if I hover over the title, but it does not tell me who classified it. Maybe a section below the Notes showing who did what?

Git Block Outbound :(

Any ideas how I can install Snorby with outbound TCP/9418 (git) blocked at our firewall? Looks like the bundle install is waiting for:

Fetching git://github.com/mephux/delayed_job.git

Thanks for any ideas.

Can't access Snorby after a successful installation

I completed the installation and tried to access the page but got the following error:

We’re sorry, but something went wrong.

We’ve been notified about this issue and we’ll take a look at it shortly.

Any idea what might be the reason?

thanks,

Feature Request: Razorback Support

Kind of a big thing to ask, but I'd really like to see this project provide support for viewing Razorback events. Would be a pretty big win to say you are the first Snort event GUI to do so... :)

Row layout problems in events view

I have just installed to Snorby 2.0.1 (actually edge version from git), and everything seems to be working well (hooray!)... except there's some kind of layout issue with the layout of all the events view pages. How to describe it? It's like instead of starting each row on the left side, there's a big gap, then the first row starts and wraps its content onto the next row, which starts after a small gap and wraps onto the next row, ad infinitum.

Interestingly, if I click one of the events to see the details, then all the rows beneath the detail-view panel line up correctly, but all the ones above it continue to look borked as described above.

My browser is the latest stable Firefox 3.6.13 on Windows, and I've flushed the cache in case there was some old CSS in there. Any suggestions for me? Thanks!

ezprint.git (at rails3) is not checked out

I have installed Snorby2 and received the "Your bundle is complete!" message from the snorby dir. When I hit the snorby page in the browser I am getting:

http://github.com/mephux/ezprint.git (at rails3) is not checked out. Please run bundle install (Bundler::GitError)

I installed ezprint by: gem install ezprint

If I issue: bundle show

I see:
Gems included by the bundle: (others removed)
ezprint (0.2.0 c231df7)

Any ideas? Thanks again.

Filter sensors visibility per user

I first wanted to say thank you for all of your hard work! The new version of Snorby is awesome!

I wanted to request the ability to filter or limit the ability of specific users to specific sensors. To hopefully further clarify, I want to roll the new version of Snorby out to our techs and I would like to limit each tech to the ability to see specific sensors. For instance Tech A has access to sensors A, B, D. Tech B has access to sensors C, E, Q. Tech C has access to F, G, H. And the Administrators can still see all sensors.

The ability to automatically send alert emails.

I cannot find anywhere to setup email alerts using the insta-snorby install. I see it installs sendmail but I do not see anywhere to add email addresses or setup email alerts. Am I just overlooking something?

Snorby interface does not show events after Dec 31, 2010

I installed Snorby last week, and everything was working fine. It was collecting and displaying events just fine. During the course of the holidays the emails that I was receiving showed that there are no events (0), which is impossible.

I checked if snort is running and it was, and it was able to capture events as expected. But the Snorby interface does not show anything. Only the events that it captured up until Dec 31, 2010. It did not display anything that was captured on Jan 1, 2011 up until today.

Any idea what may have caused this?

show timestamp in Event list

The Event listings page(s) show date, but not time-of-day.

This makes it difficult to manually correlate a specific event with logs from other monitoring tools (eg firewall logs, ipflow records, etc).

HTTPS Connection

Hello,

My question is so simple :
How to configure a https connection to the Snorby interface ?

Thanks a lot

Can you start the worker via startup script?

Is there any way the snorby worker can be started via an init/startup script? I haven't been able to get the script to start other than running rails c. I don't want to give other users shell access to the box. Thanks again.

Search by subnet

Hello,

I want to search alert on snorby by subnet. For example, in destination IP :
192.168.1.0/24
This request return all alerts for 192.168.1.0/24 subnet.

That is possible ?

Thanks a lot for this good work !
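Two of the reports above, addresses above 127.255.255.255 being displayed as 127.255.255.255 and the request to search by subnet, both come down to how IPv4 addresses are kept as integers in the Snort event tables Snorby reads. The following is an added Ruby example, not Snorby's own code; it assumes the standard Snort database schema, where iphdr.ip_src and iphdr.ip_dst hold addresses as 32-bit integers (an assumption about the schema, not something the issues state). It shows that 127.255.255.255 is exactly 2^31 - 1, the largest value a signed 32-bit integer column can hold, which is the first thing to check when every address caps at that value, and it converts a CIDR such as 192.168.1.0/24 into the inclusive integer range a parameterised BETWEEN query needs.

```ruby
require "ipaddr"
require "socket"

# Added example (not Snorby code). Assumes the Snort DB schema Snorby reads,
# where iphdr.ip_src / iphdr.ip_dst hold IPv4 addresses as 32-bit integers.

SIGNED32_MAX = 2**31 - 1            # 2147483647 == 127.255.255.255

# Dotted-quad IPv4 string -> unsigned 32-bit integer (how the DB stores it).
def ip_to_int(addr)
  ip = IPAddr.new(addr)
  raise ArgumentError, "IPv4 only: #{addr}" unless ip.ipv4?
  ip.to_i
end

# Unsigned 32-bit integer -> dotted-quad string (how the UI should display it).
def int_to_ip(n)
  raise ArgumentError, "out of IPv4 range: #{n}" unless (0..0xFFFFFFFF).cover?(n)
  IPAddr.new(n, Socket::AF_INET).to_s
end

# Models a store that clamps out-of-range values at the signed 32-bit maximum.
# Every address from 128.0.0.0 upward collapses to 127.255.255.255, which is the
# symptom reported above; an unsigned 32-bit (or wider) column avoids it.
def clamp_signed32(n)
  [n, SIGNED32_MAX].min
end

# CIDR -> inclusive [first, last] integer range covering the whole subnet.
# Host bits in the input are masked off, so "192.168.1.5/24" == "192.168.1.0/24".
def cidr_to_range(cidr)
  net = IPAddr.new(cidr)
  raise ArgumentError, "IPv4 only: #{cidr}" unless net.ipv4?
  r = net.to_range
  [r.begin.to_i, r.end.to_i]
end

# Builds a parameterised SQL condition for a subnet search. The column name is
# checked against a fixed allow-list and the bounds are passed as bind values,
# so user-supplied CIDR text never reaches the SQL string itself.
SEARCHABLE_IP_COLUMNS = %w[ip_src ip_dst].freeze

def subnet_condition(column, cidr)
  raise ArgumentError, "unknown column: #{column}" unless SEARCHABLE_IP_COLUMNS.include?(column)
  first, last = cidr_to_range(cidr)
  ["#{column} BETWEEN ? AND ?", first, last]
end

# Constructed usage: a search for destination IPs inside 10.0.0.0/8.
# subnet_condition("ip_dst", "10.0.0.0/8")
# => ["ip_dst BETWEEN ? AND ?", 167772160, 184549375]
```

The condition array is in the shape most Ruby ORMs accept for a where clause with bind values; the CIDR text itself is only ever parsed by IPAddr, which rejects anything that is not an address, so a malformed search string raises instead of reaching the database.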

Snorby tries to use localhost for MySQL when an external host is specified

When I do a rake snorby:setup in the snorby directory Datamapper always attempts to connect to localhost despite me specifying an external MySQL server. Here's the error:

    snorby $ rake snorby:setup
    (in /web/sites/home/snorby)
    ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (2)
    rake aborted!
    Incorrect table definition; there can be only one auto column and it must be defined as a key
    /web/sites/home/snorby/vendor/cache/ruby/1.9.1/gems/dm-migrations-1.0.2/lib/dm-migrations/adapters/dm-do-adapter.rb:70:in `execute_non_query'
    /web/sites/home/snorby/vendor/cache/ruby/1.9.1/gems/dm-migrations-1.0.2/lib/dm-migrations/adapters/dm-do-adapter.rb:70:in `block (2 levels) in upgrade_model_storage'
    /web/sites/home/snorby/vendor/cache/ruby/1.9.1/gems/dm-migrations-1.0.2/lib/dm-migrations/adapters/dm-do-adapter.rb:64:in `map'
    /web/sites/home/snorby/vendor/cache/ruby/1.9.1/gems/dm-migrations-1.0.2/lib/dm-migrations/adapters/dm-do-adapter.rb:64:in `block in upgrade_model_storage'
    /web/sites/home/snorby/vendor/cache/ruby/1.9.1/gems/dm-do-adapter-1.0.2/lib/dm-do-adapter/adapter.rb:260:in `with_connection'
    /web/sites/home/snorby/vendor/cache/ruby/1.9.1/gems/dm-migrations-1.0.2/lib/dm-migrations/adapters/dm-do-adapter.rb:63:in `upgrade_model_storage'
    /web/sites/home/snorby/vendor/cache/ruby/1.9.1/gems/dm-migrations-1.0.2/lib/dm-migrations/auto_migration.rb:71:in `upgrade_model_storage'
    /web/sites/home/snorby/vendor/cache/ruby/1.9.1/gems/dm-migrations-1.0.2/lib/dm-migrations/auto_migration.rb:143:in `auto_upgrade!'
    /web/sites/home/snorby/vendor/cache/ruby/1.9.1/gems/dm-migrations-1.0.2/lib/dm-migrations/auto_migration.rb:45:in `block in repository_execute'
    /web/sites/home/snorby/vendor/cache/ruby/1.9.1/gems/dm-core-1.0.2/lib/dm-core/support/descendant_set.rb:68:in `block in each'
    /web/sites/home/snorby/vendor/cache/ruby/1.9.1/gems/dm-core-1.0.2/lib/dm-core/support/descendant_set.rb:67:in `each'
    /web/sites/home/snorby/vendor/cache/ruby/1.9.1/gems/dm-core-1.0.2/lib/dm-core/support/descendant_set.rb:67:in `each'
    /web/sites/home/snorby/vendor/cache/ruby/1.9.1/gems/dm-migrations-1.0.2/lib/dm-migrations/auto_migration.rb:44:in `repository_execute'
    /web/sites/home/snorby/vendor/cache/ruby/1.9.1/gems/dm-migrations-1.0.2/lib/dm-migrations/auto_migration.rb:27:in `auto_upgrade!'
    /web/sites/home/snorby/vendor/cache/ruby/1.9.1/gems/dm-rails-1.0.4/lib/dm-rails/railties/database.rake:47:in `block (3 levels) in <top (required)>'
    /web/sites/home/snorby/vendor/cache/ruby/1.9.1/gems/dm-rails-1.0.4/lib/dm-rails/railties/database.rake:46:in `each'
    /web/sites/home/snorby/vendor/cache/ruby/1.9.1/gems/dm-rails-1.0.4/lib/dm-rails/railties/database.rake:46:in `block (2 levels) in <top (required)>'
    /usr/local/lib/ruby/1.9.1/rake.rb:634:in `call'
    /usr/local/lib/ruby/1.9.1/rake.rb:634:in `block in execute'
    /usr/local/lib/ruby/1.9.1/rake.rb:629:in `each'
    /usr/local/lib/ruby/1.9.1/rake.rb:629:in `execute'
    /usr/local/lib/ruby/1.9.1/rake.rb:595:in `block in invoke_with_call_chain'
    /usr/local/lib/ruby/1.9.1/monitor.rb:201:in `mon_synchronize'
    /usr/local/lib/ruby/1.9.1/rake.rb:588:in `invoke_with_call_chain'
    /usr/local/lib/ruby/1.9.1/rake.rb:581:in `invoke'
    /web/sites/home/snorby/lib/tasks/snorby.rake:28:in `block (2 levels) in <top (required)>'
    /usr/local/lib/ruby/1.9.1/rake.rb:634:in `call'
    /usr/local/lib/ruby/1.9.1/rake.rb:634:in `block in execute'
    /usr/local/lib/ruby/1.9.1/rake.rb:629:in `each'
    /usr/local/lib/ruby/1.9.1/rake.rb:629:in `execute'
    /usr/local/lib/ruby/1.9.1/rake.rb:595:in `block in invoke_with_call_chain'
    /usr/local/lib/ruby/1.9.1/monitor.rb:201:in `mon_synchronize'
    /usr/local/lib/ruby/1.9.1/rake.rb:588:in `invoke_with_call_chain'
    /usr/local/lib/ruby/1.9.1/rake.rb:581:in `invoke'
    /usr/local/lib/ruby/1.9.1/rake.rb:2041:in `invoke_task'
    /usr/local/lib/ruby/1.9.1/rake.rb:2019:in `block (2 levels) in top_level'
    /usr/local/lib/ruby/1.9.1/rake.rb:2019:in `each'
    /usr/local/lib/ruby/1.9.1/rake.rb:2019:in `block in top_level'
    /usr/local/lib/ruby/1.9.1/rake.rb:2058:in `standard_exception_handling'
    /usr/local/lib/ruby/1.9.1/rake.rb:2013:in `top_level'
    /usr/local/lib/ruby/1.9.1/rake.rb:1992:in `run'
    /usr/local/bin/rake:31:in `<main>'

Here is my database.yml (hostname and password changed of course):

    # Snorby Database Configuration
    #
    # Please set your database password/user below
    #
    snorby: &snorby
      adapter: mysql
      database: snorby
      username: snorby
      password: PASSWORD
      host: mysql.example.com

    development:
      database: snorby
      <<: *snorby

    test:
      database: snorby
      <<: *snorby

    production:
      database: snorby
      <<: *snorby

Severity indicators do not show up or work

Ever since I installed snorby a month ago the Severity Indicators do not work. On the dashboard they show 0, 0, 0 and in the search page the severity menu is broken. I have ~30000 events so I would assume that something would have tripped it by now.

Is there something I did wrong? Why aren't the severity indicators showing up or working?

Grouping, customized row display and tuning

On high volume sensors a lot of alarms are continuously triggered. This makes the current view a little inefficient, for me anyway. It would have been great if we would have the ability to group the alarms, especially on IPs, ports and the sids. This would speed up alarm handling quite much.

It would also have been quite nice if Snorby had the ability to customize the columns to display, like on src and dst ports.

Preferably the two above would be customizable user options. We are all different, right?

By the way, I bugged you on the IRC channel a year ago about the tuning feature you mentioned back then. One of you mentioned you were looking into pulled pork, how is that coming? It sure would have been nice to get rid of the false positives from the GUI. And when it comes to the classifications, why isn't Snorby auto-tuning future alarms?

Those are my first observations. Congrats on a great release. I am truly impressed.

// Tommy

Unable to click "star" or create notes

I have Snorby 2.2.5 running on RHEL 5 and all seems to be working except for adding notes to events or clicking certain locations in the interface. What happens is an "Authentication Required" login window pops up and no credentials work. Initial login to Snorby works fine.

Deleting Alert

Hello,

Perhaps I'm an idiot... But how to delete an alert on Snorby 2.0.0 ?

I put alerts on false positive, but I really want to delete alerts...

Thanks a lot.

Does Snorby require Snort to be installed or just its log files?

I am attempting to get Snorby up and running on a RPM based OS, with CentOS being upstream. However it's been a painful process and after almost a week I have yet to get ruby working. However I've installed Ruby on an Ubuntu box before flawlessly, and since I have a server that runs Ubuntu Server, it would be nice to put Snorby on there.

I would assume that Snorby parses the log files of Snort. So can Snorby operate with just the log files (linked directory on the Ubuntu box pointing to the RPM box) or does it require Snort to actually be installed and working on the machine that it's on?

Snorby worker would not start

My Snorby2.0 box suffered a power outage.

On boot, the Snorby worker would not start from 'Worker & Job Queue' menu, additionally no jobs were listed. Reboot did not help.

I could manually run SensorCache and DailyCache jobs from Rails console. But attempting to start/restart worker gave me :

irb(main):006:0> Snorby::Worker.restart
Terminated

Solution was to delete the delayed_pid file (I'm assuming left over from the time of my power outage) :

/var/www/snorby/tmp/pids# rm delayed_job.pid

then start worker from Rails console :

irb(main):002:0> Snorby::Worker.start
=> "delayed_job: process with pid 3472 started.\n"

Hope this helps,
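The report above (a worker that will not start because a delayed_job.pid file survived a power outage) and the earlier question about starting the worker from an init script point at the same check: decide whether the pid file names a live process before starting anything. The following is an added Ruby example, not Snorby's or delayed_job's own code; it assumes a delayed_job-style pid file such as tmp/pids/delayed_job.pid holding the worker's process id as text, and takes the actual start action as a callable so the check itself runs without a Rails environment.

```ruby
require "tmpdir"

# Added example (not Snorby code). Assumes a delayed_job-style pid file such as
# tmp/pids/delayed_job.pid that holds the worker's process id as text.

# True if a process with this pid exists. Signal 0 performs only the existence
# check; EPERM means it exists but belongs to another user, so it still counts.
def process_alive?(pid)
  Process.kill(0, pid)
  true
rescue Errno::ESRCH
  false
rescue Errno::EPERM
  true
end

# Classifies the pid file: :absent (no file), :running (file names a live
# process and is left untouched) or :stale (file present but no such process;
# the leftover is removed so a fresh start is not blocked by it).
def pid_file_state(path)
  return :absent unless File.exist?(path)
  pid = File.read(path).strip.to_i
  return :running if pid > 0 && process_alive?(pid)
  File.delete(path)
  :stale
end

# Starts the worker via the supplied callable only when no live worker owns the
# pid file. Returns [state, start_result]; start_result is nil when skipped.
def ensure_worker(path, starter)
  state = pid_file_state(path)
  return [state, nil] if state == :running
  [state, starter.call]
end

# Constructed usage with a dummy starter, so it runs outside Rails:
#   ensure_worker("tmp/pids/delayed_job.pid", -> { "started" })
# Inside the Snorby environment the starter would be the console command
# documented in this README (assumption: -> { Snorby::Worker.start }).
```

Run from a boot script with rails runner in production mode, a file that loads this check and calls ensure_worker gives the behaviour the reporter wanted (start only when nothing is running, clean up the leftover pid file otherwise) without handing other users shell access to the box.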

Feature Request: snort stats

Would it be possible to create a new section where snort perfstats can be viewed? --Just configured a subdirectory within Snorby to display graphs created by pmgraph, but it would be nice if could be integrated.

THANKS!

jpv

No more data displayed on Snorby interface

Snorby interface stopped displaying any info since Jan 1, 2011. I'm not sure what happened/caused this. I know for sure that prior to that date everything was working normally.

This is what I get when I try to update:

git pull
-bash: Already: command not found

rake snorby:update
-bash: (in: command not found

The first time I ran git pull I got the following:

git pull
remote: Counting objects: 262, done.
remote: Compressing objects: 100% (200/200), done.
remote: Total 204 (delta 116), reused 0 (delta 0)
Receiving objects: 100% (204/204), 155.69 KiB | 83 KiB/s, done.
Resolving deltas: 100% (116/116), completed with 46 local objects.
From http://github.com/Snorby/snorby
9d8dcc7..a76b875 demo -> origin/demo
f78372a..3287e6b master -> origin/master

Any idea what the reason might be for this #error #bug

worker is not currently running

I had Snorby up and running. I did a fresh re-install now I am unable to start the worker. Last time I started it via command line but can't remember how I did it.

If I click start worker from the admin menu nothing seems to happen, I get the below in the production log:

Started GET "/jobs" for (MY IP ADDY) at 2010-12-13 10:44:30 -0500
Processing by JobsController#index as HTML
Rendered settings/_menu.html.erb (5.1ms)
Rendered jobs/_job.html.erb (18.6ms)
Rendered jobs/_jobs.html.erb (21.9ms)
Rendered layouts/_version.html.erb (0.1ms)
Rendered layouts/_header.html.erb (12.4ms)
Rendered layouts/_content.html.erb (0.1ms)
Rendered layouts/_footer.html.erb (0.2ms)
Rendered jobs/index.html.erb within layouts/application (50.9ms)
Completed 200 OK in 107ms (Views: 49.7ms | Models: 4.522ms)

Any ideas, how do you start from the command line? I did it last time but can't seem to this time. Thanks again.

No report on the Dashboard

Hello,

I installed Snorby 2.0.0. It works fine, I see alerts on the event menu.

But the Dashboard is not working... There is 0 high, 0 medium and 0 low... And there is no information on the graph...

Did I miss a step during installation?

Thanks !

Add seconds to the timestamp

Snorby 2.0 is wonderful. Hats off to all involved. I have a feature request. It would be helpful (for me anyway) to see the seconds on the timestamp for an alert. Maybe just add it to the time when you hover the mouse over it to see the seconds. This will make it easier for log correlation to other log sources.

Thanks again for great release.

Snorby Interface unavailable due to SystemStackError (stack level too deep):

Hi everyone,

I've installed a fresh machine with Ubuntu 10.04 following the official step by step procedure, and the machine worked for a week. Today I tried to log in and got this error from the apache web server "We're sorry, but something went wrong. We've been notified about this issue and we'll take a look at it shortly." - I've checked also in the production logs and I found this:

Started GET "/" for 188.129.104.72 at 2010-12-28 08:03:04 +0100
Processing by PageController#dashboard as HTML
Rendered page/_severity_dashboard.html.erb (3.3ms)
Rendered page/_graph_event.html.erb (1.0ms)
Rendered page/_graph_severity.html.erb (0.3ms)
Rendered page/_graph_protocol.html.erb (0.3ms)
Rendered page/_graph_signature.html.erb (0.2ms)
Rendered page/_graph_source_ips.html.erb (0.3ms)
Rendered page/_graph_destination_ips.html.erb (0.2ms)
Rendered page/_graph_dashboard.html.erb (4.6ms)
Rendered layouts/_version.html.erb (0.1ms)
Rendered layouts/_header.html.erb (57.9ms)
Rendered layouts/_content.html.erb (0.2ms)
Rendered layouts/_footer.html.erb (0.3ms)
Rendered page/dashboard.html.erb within layouts/application (212.9ms)
Completed 200 OK in 617ms (Views: 211.8ms | Models: 51.548ms)

SystemStackError (stack level too deep):

Any idea about this problem ?

Best regards,

Alex

Cannot Create Rules in Insta-Snorby 0.6.0

Hi,
Thanks for snorby, its great.

I tried to enable blacklist.rules. I uncommented the rules, and tried to wget domain.com/ok.exe (line 168); no alert was generated.

Also emerging-voip.rules is enabled by default yet when I scan my range with sipvicious no alerts are generated.

What must I do to enable rules in snorby?

Thanks
Bryan

Dashboard Issues

I set up my Snorby 2 box after the start of the year and had some issues with the dashboard not displaying information. After running the cache jobs manually I ended up getting alerts to appear on the dashboard again. This month however I've noticed that I do not have anything showing up on the dashboard for the "This Week" and "This Month" selections. However my "Today" and "Yesterday" displays are showing my correct alert data, graphs, etc.. "This Quarter" and "This Year" contain data, but do not seem to update with the data from February.

Also when I select "More Options>Last Month" and then export to PDF the date shows as December 1, 2010 - December 31, 2010 with data from January 1, 2011 - January 31, 2010. I had no actual events prior to the start of the year as I had not setup Snorby prior to that point. Selecting "More Options>Last Week" and then export to PDF shows correct dates, but does not contain any data on either the PDF or the dashboard.

Any ideas on what is causing this or how I can troubleshoot it?

Mail report doesn't work...

Hello,

I'm using Snorby 2 and it's very great.

How to configure the mail report ? I indicate my mail address in general settings and installed sendmail on my machine, but nothing happens...

Thanks for your help.

Delete Events

Why can't we delete events? The new classification system is nice but I test new rules that generate noise that I would like to delete. It is a required feature in my opinion.

Insta-Snorby .6 interface setup

When running off the insta snorby CD Ethernet interface setup is near the end after entering your oinkcode, and selecting the interface to monitor. This causes me to be unable to download rules as well as selecting any interface other than localhost to monitor.

Grouping

It would be great to have the option to group events together as in Sguil / Squert. This could possibly be done as an alternate view. All alerts with the same IP addresses and signatures could be grouped together with a count. Other possible forms of grouping: group together a summary of all alerts based off just one IP (source or destination), make a list of all source/destination IPs based off a signature, etc. This would be very useful in investigations.

dashboard views customization/changes

I currently have the dashboard view displayed on a large monitor on the wall in our office. I set up Firefox to reload the page every 30m in sync with the dashboard updates, but it keeps going back to the default tab, which is Sensors. I only have one sensor, as I am only monitoring one network, so that graph is not extremely useful. It would be nice if we could change the default tab to be the Severities tab, as that one is the most useful to our current usage.

It would also be nice if we could easily modify the color of the severity lines to match the colors of the giant buttons at the top of the page. Red for High, Yellow for Medium, and Green for Low. I imagine I can go in somewhere and tweak the colors in HTML or javascript, but I think that would be a useful feature for the admin account to be able to set in General Settings.

Severity with custom rules

Hello,

How to configure severity for custom rules ?

For example, I have a very simple rule like :
alert tcp $HOME_NET any <> 74.208.64.145 any (msg:"Conficker Detect"; sid:2140001;)

Thanks a lot.
