Snorby Spsa
(SPSA) Snorby Preconfigured Security Application.
Spsa is a turnkey application for intrusion detection that makes it effortless for anyone to deploy and use Snorby, the new and modern Snort IDS front-end. With the Spsa iso image it is possible to get Snorby and Snort up and running out of the box within a few minutes. All comments, feedback and suggestions are welcome on this page.
Download the Spsa Users Manual
Iso Image
Download: spsa.1.5.iso.
Size Compressed: 446 MB
MD5: e72bff5a6f8124407c3bc4fc4e15776e
Snorby interface: https://ipaddress:8080
Username: Snorby
Password: admin
Ssh login:
Username: root
Password: the password you have chosen during the installation
Snorby official web site: http://snorby.org
Snorby Issues: http://github.com/mephux/Snorby/issues
Snorby GoogleGroups: http://groups.google.com/group/snorby
IRC: #snorby – irc.freenode.net
Credits:
(SPSA) Snorby Preconfigured Security Application is developed by Phillip Bailey.
Snorby is developed by Dustin Webber.
Thanks to:
The TurnKey crew www.turnkeylinux.org. The Snorby community.
Changelog
30-08-2010 – Spsa 1.5 Released
[*] Improvements and fixes
* Email reporting support enabled (Postfix Gmail relay or Snorby standalone mode)
* New snort start/stop script
* Added snort 2.8.6.1-1
* oinkmaster ssl certificates fixed
* emerging threats rules fixed
Testimonials
The main reason for us posting about Snorby in addition to it being a great tool, is the Snorby Virtual Appliance by Mr. Phillip Bailey. He has developed the Snorby virtual appliance and the ISO solution, to provide a pre-configured out of the box Snorby front-end for Snort. – pentestit.com
Now the easiest way to get Snorby up and running is to actually download the pre-made VMware image from here http://www.cryptolife.org/index.php/Snorby you can of course build your own on a VPS or whatever else you fancy but I have a dedicated VMware server to use that I run images off “an excellent practice I might add” so I'll be doing it this way. – securityjokes.com
After downloading a recently created VMware appliance with a configured version of Snort, Barnyard, Apache (or maybe webrick I can’t quite remember) and Snorby all ready to go, I was eager to get it running and hammer it with some traffic. – red-7.co.uk
30/06/2010 at 9:17 am
Hi Phillip,
Great work! The iso installation was very straightforward, looking forward to new releases and features.
Jack the j.
07/07/2010 at 10:38 pm
So what is the username/password?
08/07/2010 at 2:21 am
Snorby interface: https://ipaddress:8080
Username: Snorby
Password: admin
Ssh login:
Username: root
Password: the password you have chosen during the installation
13/07/2010 at 11:59 pm
Hi, like a manual on how to set up Snorby?
14/07/2010 at 6:51 am
Hello, I’m on vacation. In a few weeks the manual will be ready, for the moment you can take a look here, http://www.cryptolife.org/index.php/Install_snorby_from_the_iso
http://www.cryptolife.org/index.php/Snorby_virtual_appliance
regards,
phillip
30/07/2010 at 1:58 am
Can I monitor two snort installations (redundant ISPs) from one GUI console? Or can I set up one Snorby installation to monitor two incoming ISP connections?
Thanks for the work.
30/07/2010 at 4:25 am
Hello,
you can install as many snort sensors as you want and tunnel them
via ssh/vpn/stunnel to the snorby database. This is a useful example:
http://blog.bodhizazen.net/linux/snort-ssh/
04/08/2010 at 5:43 pm
Thanks for the quick reply pbailey. I’ll try that out.
13/08/2010 at 6:17 pm
Is the snort version still 2.2? If so, you can’t use oinkmaster codes anymore. Is it safe to upgrade snort to the latest version without breaking snorby?
13/08/2010 at 7:12 pm
Snort 2.8.6 is installed.
24/08/2010 at 2:55 pm
Tell me more about the rules and updates? You have configured
url = http://www.emergingthreats.net/rules/emerging.rules.tar.gz
When I run /usr/local/bin/updatesnortrules to update the rules, it looks like a ton of rules are added named emerging-rulename.rule.
I don’t see these referenced in the snort.conf file. Do we need to manually add them to get the latest rules running? Or is there some reference I missed in your config?
Thanks.
24/08/2010 at 3:25 pm
Oh.. never mind, I see you added
include $RULE_PATH/emerging.conf
to the snort.conf file.
Cool, thanks for the work.
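The question raised in the two comments above, whether the emerging-*.rules files written by the rule updater are really referenced from snort.conf, comes down to following Snort's include chain: snort.conf defines `var RULE_PATH`, includes `$RULE_PATH/emerging.conf`, and that file in turn includes the individual rule files. The script below is an added example, not code from the page or from the SPSA image: it resolves that chain over an in-memory set of files and reports rule files that are included but absent, and files present in the rules directory that nothing includes. The sample snort.conf, emerging.conf, rule files and directory listing are constructed here; the real paths and contents of the SPSA image are not on the page.

```python
"""Resolve a snort.conf include chain and flag rule files it never loads.

Snort's ``include`` directive accepts ``$VAR`` substitutions (``var RULE_PATH
/etc/snort/rules`` followed by ``include $RULE_PATH/emerging.conf``), and an
included file may itself include further files.  After a rule update drops
new emerging-*.rules files into $RULE_PATH, this answers: are they actually
referenced, directly or via emerging.conf?  Files come from a dict so the
example runs offline; point it at real files by reading them into that dict.
"""
import re
from typing import Dict, List, Optional, Set

VAR_RE = re.compile(r"^\s*(?:var|ipvar|portvar)\s+(\w+)\s+(\S+)")
INCLUDE_RE = re.compile(r"^\s*include\s+(\S+)")
SUBST_RE = re.compile(r"\$(\w+)")


def substitute(value: str, variables: Dict[str, str]) -> str:
    """Expand $NAME references; names that were never defined stay as written."""
    return SUBST_RE.sub(lambda m: variables.get(m.group(1), m.group(0)), value)


def resolve_includes(path: str, files: Dict[str, str],
                     variables: Optional[Dict[str, str]] = None,
                     seen: Optional[Set[str]] = None) -> List[str]:
    """Return every file referenced from `path`, recursively, in load order.

    Variables are shared across the whole chain, as Snort treats them.  A path
    is descended into only once, so an accidental include loop terminates.
    Referenced files that are absent from `files` are still listed, so the
    caller can report them as missing.
    """
    variables = {} if variables is None else variables
    seen = set() if seen is None else seen
    if path in seen or path not in files:
        return []
    seen.add(path)
    loaded: List[str] = []
    for raw in files[path].splitlines():
        line = raw.split("#", 1)[0]          # drop trailing comments
        m = VAR_RE.match(line)
        if m:
            variables[m.group(1)] = substitute(m.group(2), variables)
            continue
        m = INCLUDE_RE.match(line)
        if m:
            target = substitute(m.group(1), variables)
            loaded.append(target)
            loaded.extend(resolve_includes(target, files, variables, seen))
    return loaded


def check_config(conf_path: str, files: Dict[str, str],
                 rule_dir: str, listing: List[str]) -> Dict[str, List[str]]:
    """Compare what snort.conf loads against what sits in the rules directory."""
    loaded = resolve_includes(conf_path, files)
    return {
        "loaded": loaded,
        "missing": sorted(p for p in loaded if p not in files),
        "unreferenced": sorted(f for f in listing
                               if rule_dir + "/" + f not in loaded),
    }


# Constructed sample, not the SPSA image's real configuration.
SAMPLE_FILES = {
    "/etc/snort/snort.conf": (
        "# constructed snort.conf\n"
        "var HOME_NET 192.168.1.0/24\n"
        "var RULE_PATH /etc/snort/rules\n"
        "include $RULE_PATH/local.rules\n"
        "include $RULE_PATH/emerging.conf   # one include per ET category\n"
    ),
    "/etc/snort/rules/emerging.conf": (
        "include $RULE_PATH/emerging-scan.rules\n"
        "include $RULE_PATH/emerging-malware.rules\n"
        "include $RULE_PATH/emerging-dos.rules\n"   # referenced but not present
    ),
    "/etc/snort/rules/local.rules":
        'alert tcp any any -> $HOME_NET 22 (msg:"constructed sample"; sid:1000001; rev:1;)\n',
    "/etc/snort/rules/emerging-scan.rules": "# constructed placeholder\n",
    "/etc/snort/rules/emerging-malware.rules": "# constructed placeholder\n",
}
# Constructed directory listing of $RULE_PATH after a rule update.
SAMPLE_LISTING = ["local.rules", "emerging.conf", "emerging-scan.rules",
                  "emerging-malware.rules", "emerging-web.rules"]

if __name__ == "__main__":
    report = check_config("/etc/snort/snort.conf", SAMPLE_FILES,
                          "/etc/snort/rules", SAMPLE_LISTING)
    for key in ("loaded", "missing", "unreferenced"):
        print(f"{key}:")
        for item in report[key]:
            print("   ", item)
```

On the sample, emerging-dos.rules is reported as missing (included by emerging.conf but absent) and emerging-web.rules as unreferenced (present in the directory but loaded by nothing), which is exactly the situation to check for after running a rule updater.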
25/08/2010 at 12:47 pm
Hi Phillip,
Can you add the updated ca-certificates package (apt-get install ca-certificates) to the ISO? I’m trying to set up Oinkmaster for the Snort signatures, and ran into a problem with SSL because the certs weren’t installed. I’m sure others will run into this too.
Here’s a link for more details:
http://marc.info/?l=snort-users&m=127791856110280&w=2
Thanks!
Rob
25/08/2010 at 1:38 pm
Hi Rob, thanks very much for your feedback. This weekend I will work on fixing the CA and the emerging rules problem along with some other small problems.
Feedback and comments are an invaluable source of information for the future development, please everyone keep posting bugs, comments and ideas. Thanks, phillip
27/08/2010 at 2:37 am
Awesome, thanks for the updates. One other thing I just noticed, sendmail or postfix isn’t installed.. or maybe there is a way to specify an SMTP server in Snorby for sending emails out? It doesn’t seem to work from the ISO. Not seeing anything in mail.log either.
Not a huge deal, but just something I noticed.
Thanks for all the time you put into this. It’s really nice to get snort off the ground in a couple of minutes.
Best Regards,
Rob
27/08/2010 at 6:10 am
Hi Rob,
thanks for the update. I’m going to install postfix with a Gmail relay.
http://ubuntu-tutorials.com/2008/11/11/relaying-postfix-smtp-via-smtpgmailcom/
TO DO in the next release:
Certification Authority
Emerging rules
postfix relay
Thanks very much.
31/08/2010 at 6:04 pm
Thanks Phillip!!
After spending about 12 hours or so chasing the differences in another web how-to on setting up Snort with Barnyard & Base, I reached the bottom of the page & saw a link to your site…
Thanks to VBox & your help I now have a working IDS system on my home network.. So far, no unexplained packets.. (I do have a number of false positives but nothing real as of yet…)
Maybe one day I’ll pass the CISSP exam too… (like the 11th of this month..)
Again, thanks for the working ISO..
31/08/2010 at 6:38 pm
Hi Mike,
for more details please grab the spsa manual http://bailey.st/spsa/spsa1.5manual.pdf. Right now I’m working on an IPS implementation of the iso. All the best for your CISSP.
Phillip
01/09/2010 at 5:17 pm
Hey Phillip,
If I wanted to provide some patches/feedback/changes to SPSA, what works best?
Drop me a mail and we can talk off-line. I would like to integrate OpenFPC into Snorby’s GUI / SPSA.
-Leon
03/09/2010 at 9:10 pm
Is there an easy way to clear all events in Snorby version 1.1.3? I saw there was a clear all events command but wasn’t sure how or where to use that command. Do you use the command within mysql or on the console. Please be specific if possible. Any help is appreciated. Thanks
03/09/2010 at 9:24 pm
Hi! I was able to get this up and running on a dedicated box, but I am not able to get it running on Virtual Box, the wiki page that probably described that now just points back to this website.
Anyone have any information on how to configure this iso in some of the popular VMs?
03/09/2010 at 9:29 pm
Hi John,
Log in to the Snorby console and go to Settings -> Sensor settings. You will see a red button “Remove Events”, just press it. Go back to the dashboard and update the cache, no more events.
Phillip
03/09/2010 at 9:50 pm
@WereTaco
Hello, can you be more specific about your problem with VirtualBox?
03/09/2010 at 9:59 pm
Phillip you rock man, solved my issue!