Archive for the ‘Snort / Snorby / Barnyard2’ Category

Snorby: debugging the mailing feature and creating a cron job

November 4, 2013

Do not run the following commands unless you really need to:

cd /path/to/snorby

bundle exec rails c production
Snorby::Jobs::SensorCacheJob.new(true).perform
Snorby::Jobs::DailyCacheJob.new(true).perform   # this command is invalid in version 2.6.2

I tried a few things. From the shell of my CentOS 6.4 box everything works fine, but I can't make it send me the reports automatically, so I didn't bother digging through the source and just added this simple file (named snorby_report.cron) in /etc/cron.daily:

#!/bin/sh
cd /path/to/snorby || exit 1
RAILS_ENV=production /usr/bin/rails r 'Snorby::Jobs::SensorCacheJob.new(true).perform'
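A more defensive version of that cron file, written here as an added example and not the post's own script: it exports the production environment, sets the PATH that cron does not provide, logs every run together with its exit status, and uses a directory as a lock so two runs cannot overlap. The Snorby directory, log path and lock path are placeholders to adjust.

```shell
#!/bin/sh
# Added example (not from the original post): cron wrapper for the Snorby
# SensorCacheJob with logging and a simple lock.
# Placeholders: SNORBY_DIR, LOG and LOCK; the rails command is the one from the post.

SNORBY_DIR=${SNORBY_DIR:-/path/to/snorby}        # placeholder, as in the post
LOG=${LOG:-/var/log/snorby_report.log}           # assumed log location
LOCK=${LOCK:-/var/run/snorby_report.lock}        # assumed lock directory
export RAILS_ENV=production

# run_logged <logfile> <command...>
# Runs the command with its output appended to the log, then appends a line
# "timestamp status=N cmd=..." and returns the command's own exit status so
# the caller (and cron) can see failures.
run_logged() {
    log=$1; shift
    "$@" >>"$log" 2>&1
    status=$?
    printf '%s status=%d cmd=%s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$status" "$*" >>"$log"
    return "$status"
}

main() {
    # cron starts with a near-empty PATH; give it the usual system directories
    PATH=/usr/local/bin:/usr/bin:/bin; export PATH
    cd "$SNORBY_DIR" || { echo "cannot cd to $SNORBY_DIR" >&2; return 1; }
    # mkdir is atomic, so it serves as a lock without extra tools
    if ! mkdir "$LOCK" 2>/dev/null; then
        echo "previous run still active ($LOCK exists)" >&2
        return 1
    fi
    trap 'rmdir "$LOCK"' EXIT
    run_logged "$LOG" /usr/bin/rails r 'Snorby::Jobs::SensorCacheJob.new(true).perform'
}

# Anything printed to stderr here is mailed to the crontab owner by cron itself.
main "$@" || echo "Snorby report job failed or was skipped; see $LOG" >&2
```

Drop the file in /etc/cron.daily as the post does, or point a crontab line at it; the log shows at a glance whether the job ran and with which status, which is exactly the information missing when reports silently stop arriving.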

Installing Snort on CentOS 6.4

November 2, 2013

My guide is simple: just the commands you need to run. Please read before you copy and paste. It requires a clean minimal installation of CentOS 6.4 and Internet connectivity:

yum install wget
wget http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
wget http://rpms.famillecollet.com/enterprise/remi-release-6.rpm
rpm -Uvh remi-release-6.rpm epel-release-6-8.noarch.rpm

vi /etc/yum.repos.d/remi.repo   (set enabled=1 in these two sections)

        [remi]
        enabled=1

        [remi-php55]
        enabled=1

yum install autoconf automake bison flex gcc glibc libdnet libdnet-devel libpcap libpcap-devel make mlocate pcre-devel rpm-build zlib zlib-devel

Download the snort and daq source RPMs (daq-2.0.1-1.src.rpm and snort-2.9.5.5-1.src.rpm) from snort.org with wget, then rebuild and install them:

rpmbuild --rebuild daq-2.0.1-1.src.rpm
yum localinstall rpmbuild/RPMS/x86_64/daq-2.0.1-1.x86_64.rpm
rpmbuild --rebuild snort-2.9.5.5-1.src.rpm
yum localinstall rpmbuild/RPMS/x86_64/snort-2.9.5.5-1.x86_64.rpm
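Before handing the downloaded .src.rpm files to rpmbuild it is worth confirming that they are the files snort.org published. The helper below is an added example and not part of the original guide: it compares a file's SHA-256 digest with an expected value and only builds when both source RPMs match. DAQ_SHA256 and SNORT_SHA256 are placeholders to be replaced with the digests taken from the download page, not from the mirror the files came from.

```shell
#!/bin/sh
# Added example (not part of the original guide): verify downloaded source RPMs
# against published SHA-256 digests before running rpmbuild.
# DAQ_SHA256 / SNORT_SHA256 are placeholders; fill in the published values.

DAQ_SHA256=${DAQ_SHA256:-REPLACE_WITH_PUBLISHED_DIGEST}
SNORT_SHA256=${SNORT_SHA256:-REPLACE_WITH_PUBLISHED_DIGEST}

# sha256_of <file>: prints the hex digest using whichever tool is available
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_sha256 <file> <expected hex digest>: returns 0 on match, 1 otherwise.
# The expected value is lower-cased so a digest copied in upper case still works.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK   $file"
        return 0
    fi
    echo "FAIL $file (got $actual, expected $expected)" >&2
    return 1
}

# build_if_verified: rebuild the two source RPMs only when both digests match.
build_if_verified() {
    verify_sha256 daq-2.0.1-1.src.rpm "$DAQ_SHA256" &&
    verify_sha256 snort-2.9.5.5-1.src.rpm "$SNORT_SHA256" &&
    rpmbuild --rebuild daq-2.0.1-1.src.rpm &&
    rpmbuild --rebuild snort-2.9.5.5-1.src.rpm
}

case "${1:-}" in
    build) build_if_verified ;;
    *)     echo "usage: $0 build   (run in the directory holding the .src.rpm files)" >&2 ;;
esac
```

Run it as `sh verify_and_build.sh build` in the directory that holds the two files. If the packages are also GPG-signed and you have imported the signing key with `rpm --import`, `rpm -K file.src.rpm` checks the embedded signature as well; the digest check above needs no key and catches truncated or tampered downloads on its own.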

yum install mysql-server
chkconfig --add mysqld
chkconfig mysqld on
service mysqld start
mysql_secure_installation

Checking that all barnyard2 processes are running

November 2, 2013

I am running "snort" with two sensors. Occasionally one of my "barnyard2" processes dies, and unless I check the processes on the shell there is no way I'd know. So I wrote a one-line perl script and put it in a cron job that runs every five minutes. If there are not exactly two barnyard2 processes running, I get an e-mail. It's that simple.

if(`ps -aef |grep barnyard2 |grep -v grep |wc -l`!=2) {`mail -s BY2DOWN me\@email.edu</dev/null`;};

Of course, the whole procedure could be automated: if the script detects the issue it could restart my init.d script controlling barnyard2 (in my case it controls snortd and barnyard2 at the same time), but why would I do that... Just logging in and starting the process is enough in my case.

So I just decided to share. Put #!/bin/perl at the top of the line above, chmod it +x (or 755), and the cron entry should be */5 * * * * /full/path/by2.check, or something like that. That should be enough for beginners, if any.
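The same watchdog as a plain shell script, added here as an example and not the script from the post: it counts the barnyard2 entries in a ps listing, compares the count with the number of sensors (assumed to be two), and mails an alert when they differ, distinguishing a dead process from a stale extra one. The SAMPLE_PS listing is constructed for the demonstration and the alert address is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original post): barnyard2 process watchdog.
# Assumptions: two sensors (EXPECTED=2), barnyard2 shows up as "barnyard2" in the
# ps command column, and ALERT_TO is a placeholder address.
# Do not name this script anything containing "barnyard2", or it counts itself.

EXPECTED=${EXPECTED:-2}
ALERT_TO=${ALERT_TO:-me@example.edu}
PATTERN='[b]arnyard2'   # the [b] keeps the grep command itself out of the count

# count_matches: reads a ps listing on stdin and prints how many lines match
# PATTERN. grep -c prints 0 when nothing matches but exits 1, so force exit 0.
count_matches() {
    grep -c "$PATTERN" || true
}

# by2_status <running> <expected>: prints OK, DOWN or EXTRA and returns 0 only
# when the counts agree. EXTRA usually means a stale process left after a restart.
by2_status() {
    if [ "$1" -eq "$2" ]; then
        echo OK; return 0
    elif [ "$1" -lt "$2" ]; then
        echo DOWN; return 1
    else
        echo EXTRA; return 1
    fi
}

# Constructed ps -aef output for the demonstration: one of the two barnyard2
# instances has died, and the grep line must not be counted.
SAMPLE_PS='root   1234     1  0 10:00 ?      00:00:01 /usr/bin/snort -c /etc/snort/snort.conf -i eth0
root   1235     1  0 10:00 ?      00:00:01 /usr/bin/snort -c /etc/snort/snort.conf -i eth1
root   1300     1  0 10:00 ?      00:00:00 /usr/bin/barnyard2 -c /etc/snort/barnyard2-eth0.conf
me     2000  1999  0 10:05 pts/0  00:00:00 grep -c [b]arnyard2'

# check_live: runs the real check against ps and alerts when something is off.
check_live() {
    running=$(ps -aef 2>/dev/null | count_matches)
    state=$(by2_status "$running" "$EXPECTED" || true)
    [ "$state" = OK ] && return 0
    msg="$state: $running of $EXPECTED barnyard2 processes running on $(hostname)"
    if command -v mail >/dev/null 2>&1; then
        printf '%s\n' "$msg" | mail -s "BY2DOWN $(hostname)" "$ALERT_TO"
    else
        echo "$msg" >&2     # cron mails stderr to the crontab owner anyway
    fi
    return 1
}

case "${1:-}" in
    live) check_live ;;
    *)    running=$(printf '%s\n' "$SAMPLE_PS" | count_matches)
          echo "demo: $running of $EXPECTED running -> $(by2_status "$running" "$EXPECTED" || true)" ;;
esac
```

Run it without arguments to see the check applied to the constructed listing; from cron use the `live` mode, e.g. `*/5 * * * * /full/path/by2check.sh live`. The EXTRA case is the one the original one-liner silently misses: `!= 2` fires for it too, but the mail does not say which way the count is off.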

Snorby: "No time_zone specified in snorby_config.yml; detected time_zone:"

November 2, 2013

When I installed Snorby 2.6.2 and started it, everything looked good and worked, but I kept getting the warning below all the time:

No time_zone specified in snorby_config.yml; detected time_zone: America/Los_Angeles

Regardless of the fact that I had already put it in the config file snorby_config.yml:

  # If timezone_search is undefined or false, searching based on time will
  # use UTC times (historical behavior). If timezone_search is true
  # searching will use local time.
  timezone_search: true
  # uncomment to set time zone to time zone of box from /usr/share/zoneinfo, e.g. "America/Cancun"
  time_zone: 'America/Los_Angeles'

So how did I fix it? Pretty simple actually, but it took me a lot of digging. Edit application.rb, which is in the config directory, this way:

## time_zone = CONFIG[:time_zone] # set your local time zone here. use rake time:zones:local to choose a value, or use UTC.
    time_zone = "America/Los_Angeles"

That's it. Search for the string "Central Time"; it is right after it, on line 77.