Snorby Spsa
(SSD) Snorby Security Distribution.
Snorby SSD is an open source IDS (Intrusion Detection System) Linux distribution based on Snort and Snorby. It is built on Ubuntu 8.04 LTS (TurnKey Linux) and managed from the Snorby web interface. With the Snorby Spsa ISO image a complete Intrusion Detection System can be up and running out of the box within a few minutes. All comments, feedback and suggestions are welcome on this page.
ISO Image
Download: spsa.1.5.iso.
Size Compressed: 446 MB
MD5: e72bff5a6f8124407c3bc4fc4e15776e
Snorby interface: https://ipaddress:8080
Username: Snorby
Password: admin
SSH login:
Username: root
Password: the password you have chosen during the installation
Snorby official web site: http://snorby.org
Snorby Issues: http://github.com/mephux/Snorby/issues
Snorby GoogleGroups: http://groups.google.com/group/snorby
IRC: #snorby – irc.freenode.net
Credits:
(SSD) Snorby Security Distribution is developed by Phillip Bailey.
Snorby is developed by Dustin Webber.
Thanks to:
The TurnKey crew (www.turnkeylinux.org) and the Snorby community.
Changelog
30-08-2010 – Spsa 1.5 released
Improvements and fixes:
* Email reporting support enabled (Postfix Gmail relay or Snorby standalone mode)
* New snort start/stop script
* Added snort 2.8.6.1-1
* oinkmaster SSL certificates fixed
* Emerging Threats rules fixed
Testimonials
The main reason for us posting about Snorby, in addition to it being a great tool, is the Snorby Virtual Appliance by Mr. Phillip Bailey. He has developed the Snorby virtual appliance and the ISO solution to provide a pre-configured, out of the box Snorby front-end for Snort. – pentestit.com
Now the easiest way to get Snorby up and running is to actually download the pre-made VMware image from here http://www.cryptolife.org/index.php/Snorby. You can of course build your own on a VPS or whatever else you fancy, but I have a dedicated VMware server to use that I run images off ("an excellent practice I might add"), so I'll be doing it this way. – securityjokes.com
After downloading a recently created VMware appliance with a configured version of Snort, Barnyard, Apache (or maybe webrick I can’t quite remember) and Snorby all ready to go, I was eager to get it running and hammer it with some traffic. -red-7.co.uk
Deploying & Utilizing Intrusion Detection Using Snorby – Snorby Preconfigured Security Application (SPSA) is developed by Phillip Bailey and is an ISO disc image solution based on Ubuntu server 8.4 LTS. SPSA makes installation of Snort effortless for anyone with minimal knowledge of configuring or deploying Snort.- Hakin9
30/06/2010 at 9:17 am
Hi Phillip,
Great work! The ISO installation was very straightforward, looking forward to new releases and features.
Jack the j.
07/07/2010 at 10:38 pm
So what is the username/password?
08/07/2010 at 2:21 am
Snorby interface: https://ipaddress:8080
Username: Snorby
Password: admin
Ssh login:
Username: root
Password: the password you have chosen during the installation
13/07/2010 at 11:59 pm
Hi, I'd like a manual on how to set up Snorby.
14/07/2010 at 6:51 am
Hello, I'm on vacation. In a few weeks the manual will be ready; for the moment you can take a look here: http://www.cryptolife.org/index.php/Install_snorby_from_the_iso
http://www.cryptolife.org/index.php/Snorby_virtual_appliance
regards,
phillip
30/07/2010 at 1:58 am
Can I monitor two snort installations (redundant ISPs) from one GUI console? Or can I set up one Snorby installation to monitor two incoming ISP connections?
Thanks for the work.
30/07/2010 at 4:25 am
Hello,
you can install as many snort sensors as you want and tunnel them
via ssh/vpn/stunnel to the snorby database. This is a useful example:
http://blog.bodhizazen.net/linux/snort-ssh/
04/08/2010 at 5:43 pm
Thanks for the quick reply pbailey. I'll try that out.
13/08/2010 at 6:17 pm
Is the snort version still 2.2? If so, you can’t use oinkmaster codes anymore. Is it safe to upgrade snort to the latest version without breaking snorby?
13/08/2010 at 7:12 pm
Snort 2.8.6 is installed.
24/08/2010 at 2:55 pm
Can you tell me more about the rules and updates? You have configured
url = http://www.emergingthreats.net/rules/emerging.rules.tar.gz
When I run /usr/local/bin/updatesnortrules to update the rules, it looks like a ton of rules are added named emerging-rulename.rule.
I don't see these referenced in the snort.conf file. Do we need to manually add them to get the latest rules running? Or is there some reference I missed in your config?
Thanks.
24/08/2010 at 3:25 pm
Oh.. never mind, I see you added
include $RULE_PATH/emerging.conf
to the snort.conf file.
Cool, thanks for the work.
25/08/2010 at 12:47 pm
Hi Phillip,
Can you add the updated ca-certificates package (apt-get install ca-certificates) to the ISO? I'm trying to set up Oinkmaster for the Snort signatures, and ran into a problem with SSL because the certs weren't installed. I'm sure others will run into this too.
Here’s a link for more details:
http://marc.info/?l=snort-users&m=127791856110280&w=2
Thanks!
Rob
25/08/2010 at 1:38 pm
Hi Rob, thanks very much for your feedback. This weekend I will work on fixing the CA and the emerging rules problem along with some other small problems.
Feedback and comments are an invaluable source of information for future development; please everyone keep posting bugs, comments and ideas. Thanks, phillip
27/08/2010 at 2:37 am
Awesome, thanks for the updates. One other thing I just noticed: sendmail or postfix isn't installed. Or maybe there is a way to specify an SMTP server in Snorby for sending emails out? It doesn't seem to work from the ISO. Not seeing anything in mail.log either.
Not a huge deal, but just something I noticed.
Thanks for all the time you put into this. It’s really nice to get snort off the ground in a couple of minutes.
Best Regards,
Rob
27/08/2010 at 6:10 am
Hi Rob,
thanks for the update. I'm going to install postfix with a gmail relay.
http://ubuntu-tutorials.com/2008/11/11/relaying-postfix-smtp-via-smtpgmailcom/
TO DO in the next release:
Certification Authority
Emerging rules
postfix relay
Thanks very much.
31/08/2010 at 6:04 pm
Thanks Phillip!!
After spending about 12 hours or so chasing the differences in another web how-to on setting up Snort with Barnyard & Base, I reached the bottom of the page & saw a link to your site…
Thanks to VBox & your help I now have a working IDS system on my home network.. So far, no unexplained packets.. (I do have a number of false positives but nothing real as of yet…)
Maybe one day I’ll pass the CISSP exam too… (like the 11th of this month..)
Again, thanks for the working ISO..
31/08/2010 at 6:38 pm
Hi Mike,
for more details please grab the spsa manual http://bailey.st/spsa/spsa1.5manual.pdf. Right now I'm working on an IPS implementation of the ISO. All the best for your CISSP.
Phillip
01/09/2010 at 5:17 pm
Hey Phillip,
If I wanted to provide some patches/feedback/changes to SPSA, what works best?
Drop me a mail and we can talk off-line. I would like to integrate OpenFPC into Snorby’s GUI / SPSA.
-Leon
03/09/2010 at 9:10 pm
Is there an easy way to clear all events in Snorby version 1.1.3? I saw there was a clear all events command but wasn't sure how or where to use that command. Do you use the command within mysql or on the console? Please be specific if possible. Any help is appreciated. Thanks
03/09/2010 at 9:24 pm
Hi! I was able to get this up and running on a dedicated box, but I am not able to get it running on VirtualBox; the wiki page that probably described that now just points back to this website.
Anyone have any information on how to configure this iso in some of the popular VMs?
03/09/2010 at 9:29 pm
Hi John,
Log in to the Snorby console and go to Settings -> Sensor settings. You will see a red button "Remove Events", just press it. Go back to the dashboard and update the cache, no more events.
Phillip
03/09/2010 at 9:50 pm
@WereTaco
Hello, can you be more specific about your problem with VirtualBox?
03/09/2010 at 9:59 pm
Phillip you rock man, solved my issue!
09/09/2010 at 1:28 pm
This is going to sound like a basic question but I have searched all over and am not finding it. How do you add sensors or can you point me to the documentation that explains it?
09/09/2010 at 2:14 pm
@Ross,
Hello,
thanks for the question. If you mean to add a new external sensor, the job can be done with an SSH tunnel/OpenVPN or stunnel solution from the sensor to the Snorby box.
This can be the starting point:
http://blog.bodhizazen.net/linux/snort-ssh/
http://www.forteach.net/os/sysadmin/35475.html
Phillip
09/09/2010 at 7:00 pm
@Phillip
Thanks for the prompt reply. Actually I was looking more at Snorby: where does Snorby pull its list of sensors from?
09/09/2010 at 9:12 pm
@Ross
Hello,
Everything you need is inside the /etc/snort/snort.conf file.
Take a look here, Snort users manual:
http://www.snort.org/assets/140/snort_manual_2_8_6.pdf
Best,
Phillip
15/09/2010 at 8:30 pm
Sorry about the question but, is this a bootable .iso? If so, which distro is it based on? Thanks!
15/09/2010 at 8:33 pm
@Jose
Hello,
Snorby-psa is a full bootable Linux distro based on TurnKey Linux (http://www.turnkeylinux.org, Ubuntu 8.4 LTS).
Phillip
16/09/2010 at 5:36 pm
I have run into an issue where, when uncommenting any of the "Custom rule sets" in the snort.conf file, I don't get any events. I'm not even sure snort is running; it doesn't show up when I run
ps aux | grep snort. When I comment them out, I see a lot of "unclassified" hits.
Thoughts?
16/09/2010 at 6:13 pm
@mbower
Hello,
/var/log/syslog is your friend, take a look there.
Phillip
01/10/2010 at 6:23 pm
Hello Pbailey
I installed the snorby 1.5 in 2 diff. VMs (XenServer / VMWare ESXi).
On both, my sensor isn't receiving any events, not even low events.
In 1.4 I was able to. Is there any config that I must do in those cases?
Ty
04/10/2010 at 11:41 am
@Marcel Tavares
Hello Marcel,
please check the /var/log/syslog file for any errors.
Phillip
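The two replies above point the reporter at /var/log/syslog to find out why a sensor that "doesn't show up in ps aux" is silent. The added example below (not part of the SPSA distribution) does that check with a few shell functions; the syslog excerpt it runs on is constructed, modelled on the missing-rule-file symptom reported on 16/09/2010, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the SPSA project): pull Snort's start-up errors out of
# a syslog file so a silent sensor can be diagnosed quickly. The log lines in
# demo_log are constructed; point the functions at /var/log/syslog for real use.
set -eu

# snort_errors LOGFILE
# Prints Snort's ERROR/FATAL lines and returns 0 if any were found, 1 otherwise.
snort_errors() {
    grep -E ' snort\[[0-9]+\]: .*(FATAL ERROR|ERROR:)' "$1" && return 0
    return 1
}

# snort_started LOGFILE
# Returns 0 when the last Snort line in the log is the "Commencing packet
# processing" message, i.e. the most recent start actually reached sniffing.
snort_started() {
    last=$(grep -E ' snort\[[0-9]+\]: ' "$1" | tail -n 1)
    case $last in
        *"Commencing packet processing"*) return 0 ;;
        *) return 1 ;;
    esac
}

# last_snort_error LOGFILE
# Prints the final Snort error message without the syslog prefix, or nothing.
last_snort_error() {
    grep -E ' snort\[[0-9]+\]: .*(FATAL ERROR|ERROR:)' "$1" | tail -n 1 \
        | sed 's/.*snort\[[0-9]*\]: //'
}

# Constructed syslog excerpt: a start that dies on an uncommented rule file
# that does not exist on disk, then a successful restart after the fix.
demo_log() {
    cat <<'EOF'
Sep 16 17:20:01 snorby snort[2105]: Initializing rule chains...
Sep 16 17:20:01 snorby snort[2105]: FATAL ERROR: Unable to open rules file "/etc/snort/rules/local-custom.rules": No such file or directory.
Sep 16 17:20:02 snorby kernel: [  812.001] eth1: link up
Sep 16 17:25:10 snorby snort[2190]: Initializing rule chains...
Sep 16 17:25:11 snorby snort[2190]: Commencing packet processing (pid=2190)
EOF
}

# demo runs the checks against the constructed excerpt.
demo() {
    tmp=$(mktemp)
    demo_log > "$tmp"
    echo "last error: $(last_snort_error "$tmp")"
    if snort_started "$tmp"; then echo "snort is running"; else echo "snort did not start"; fi
    rm -f "$tmp"
}
```

Source the file and call `demo`, or run `snort_errors /var/log/syslog` on the appliance after a restart.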
13/10/2010 at 5:20 pm
Hi Phillip;
Your current release has snort 2.8.6.3. Is it possible to add Snort 2.9.0 to SPSA without screwing things up? Or are you going to be releasing an SPSA ver 1.6 that will include 2.9.0?
Also is there a way to upgrade the rules automatically if you have an oink code?
Not sure how to do that with SPSA.
I see Rob talked about it just below but I don't follow.
BTW…GREAT job on the project…look forward to future releases!!
Thanks
14/10/2010 at 11:22 am
@Snort Fan
I’m working on the snort update from 2.8.6.3 to 2.9.0
14/10/2010 at 4:39 pm
Hey, is there a way to install the Snorby ISO (whole environment) to a hard disk?
Thanks,
15/10/2010 at 6:00 am
@Sean
please download the Spsa manual and follow the installation instructions.
Phillip
04/11/2010 at 3:44 am
I can see I can't add any other snort sensors in this. I mean, like BASE, can we pull events from the MySQL database, with the schema given by the snort installation?
I think that would be an awesome feature, where you can directly pull all the events from the MySQL database.
08/11/2010 at 7:05 pm
Hi,
Maybe this is a weird question but I am very damn new to snort. I had configured snort in Redhat Linux from snort.org, and even BASE. I did not understand BASE, so I thought of looking for a Snort front end tool and finally found Snorby. I have downloaded the snorby-spsa. Now my question is: if I install snorby-spsa from the CD or ISO, is the main snort which I configured in Redhat Linux still required, or can I directly use the snorby-spsa as a Snort IDS? Please reply, I am fully confused about how to use Snort. Can you also please tell me the difference between Snorby-spsa and the main Snort configuration which I configure in Redhat.
08/11/2010 at 10:08 pm
@Sai
Hello,
you can tunnel the snort alerts from a remote sensor to the Snorby machine via ssh.
09/11/2010 at 1:26 pm
@pbailey,
Thanks for the quick response. Can you please tell me how to tunnel the snort alerts from a remote sensor to the Snorby machine?
I had successfully configured snorby on my virtual box.
Thanks
Sai
@Sai, google it: ssh mysql tunnel snort
09/11/2010 at 3:16 pm
I was wondering if there is a way to monitor alarms from OSSEC on Snorby. OSSEC can parse, correlate and generate alarms for Snort, and since the OSSEC GUI is not very usable it would be awesome to get Snort and OSSEC alarms on Snorby.
Any thoughts or suggestions?
@Jay, a good starting point http://www.ossec.net/wiki/OSSEC_&_BASE
10/11/2010 at 6:09 am
@pbailey
After installing Snorby, do we need to change some settings? I am not able to get reports; I get the error "you not have currently reports".
Please help me
Thanks
Sai
11/11/2010 at 2:18 pm
Hello,
First I want to say thank you very much for creating the awesome appliance.
Next, my question: I have 2 NICs installed on the box, with the first NIC set up with an IP for management and the 2nd NIC without an IP and connected to a spanned/mirrored port.
However, I am not seeing any alerts on the 2nd NIC. Please note that ifconfig does show traffic hitting the interface. Is this not a supported way of installing Snorby? I mean with a 2nd NIC acting as a sensor and the first NIC as the management interface?
Looking forward to a quick response.
@Zee
Hello, thanks for the compliments.
For example, you have two network cards: eth0 is the management/GUI interface and eth1 is the interface connected to the spanned/mirrored port. In order to fix this problem you need to set the correct interface in the snort start-up script located in /etc/init.d/snort.
You need to change this, snort -D -i eth0 -u snorby -c /etc/snort/snort.conf -v to
snort -D -i [spanned interface, ex eth1] -u snorby -c /etc/snort/snort.conf -v
And of course restart snort.
Phillip
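The reply above changes the `-i eth0` argument in /etc/init.d/snort by hand. The added example below (not part of the SPSA distribution) does the same edit with a small shell function that validates the interface name, keeps a backup and touches only the interface argument; the init-script excerpt it rewrites in `demo` is constructed, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the SPSA project): point the Snort start line in a
# copy of /etc/init.d/snort at the mirrored interface instead of the management
# one. Nothing touches the live system unless you pass the real init script.
set -eu

# set_snort_iface FILE NEWIFACE
# Rewrites "snort -D -i <old> ..." to use NEWIFACE, keeps FILE.bak, and refuses
# anything that is not a plain kernel interface name (eth1, bond0, ...).
set_snort_iface() {
    file=$1
    iface=$2
    case $iface in
        ""|*[!a-zA-Z0-9_.-]*)
            echo "invalid interface name: '$iface'" >&2
            return 1 ;;
    esac
    if ! grep -q 'snort -D -i ' "$file"; then
        echo "no 'snort -D -i' start line found in $file" >&2
        return 1
    fi
    cp "$file" "$file.bak"
    # Replace only the interface argument; -u snorby -c ... -v are untouched.
    sed -i "s/\(snort -D -i \)[^ ]*/\1$iface/" "$file"
}

# snort_iface FILE
# Prints the interface currently configured on the start line.
snort_iface() {
    sed -n 's/.*snort -D -i \([^ ]*\).*/\1/p' "$1" | head -n 1
}

# demo runs the rewrite on a constructed stand-in for the SPSA init script.
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
#!/bin/sh
# constructed excerpt of /etc/init.d/snort
start() {
    snort -D -i eth0 -u snorby -c /etc/snort/snort.conf -v
}
EOF
    echo "before: $(snort_iface "$tmp")"
    set_snort_iface "$tmp" eth1
    echo "after:  $(snort_iface "$tmp")"
    rm -f "$tmp" "$tmp.bak"
}
```

Source the file and call `demo`, or run `set_snort_iface /etc/init.d/snort eth1` on the appliance and then restart snort.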
11/11/2010 at 4:54 pm
Does Snorby SPSA use Barnyard?
@Nick
no, this version of SPSA is not using Barnyard, will start from the next.
Phillip
11/11/2010 at 8:40 pm
Great, thanks for the quick response!
12/11/2010 at 2:08 pm
Good link, the Ossec2Base. Been thinking about it and I'm thinking of deploying Sagan (http://sagan.softwink.com/) and sending all the OSSEC alerts and other correlated info to Snorby via syslog.
@Jay, please let me know about it.
16/11/2010 at 5:26 am
Hi,
Thanks for this front end, appreciate it.
Ok, so now I have a VPN network between my snort and Snorby spsa. How do I add more sensors?
@teedeer Take a look at this blog post, you will find a very detailed example – http://www.securityjokes.com/2010/04/pfsense-remote-logging-and-snorby.html
23/11/2010 at 2:04 am
Could you tell me the password for the database? I am trying to install Cacti alongside Snorby so that I can monitor network performance. Thank you for such a great product. This is such a great way to get your IDS giving you data quickly.
thank you for your help
@Phillip
Hi,
as the database doesn't accept external connections, there's no password for the mysql root user. You can type mysql -u root and you are in.
thanks for your praises
Phillip Bailey
30/11/2010 at 6:36 pm
Any updates on a 1.6 release ??
@Dentifrice: You can expect a new release around January 2011
30/11/2010 at 7:19 pm
I haven't had any luck with the gmail relay. Can you cover what needs to be configured? I was getting a certificate error as well in syslog when it was trying to send.
@Rob
Hello, please check if you have any firewall/gateway that is blocking port 587 toward
Google. You can download the Ssd Users Manual and check the Mail notification section.
Phillip
02/12/2010 at 7:46 am
hi phillip,
nice work; it would be fine to include a "how to set up this with an existing snort/acid-database" section into your manual, for those of us who have not much to do with rails applications. And you might want to update your ISO to the latest emerging rulesets http://rules.emergingthreats.net/
http://www.emergingthreats.net/index.php/home-mainmenu-1/17-sigs/226-the-new-rulesets-are-ready.html
mex
@mex,
hi mex,
1) emergingthreats rules: the distribution comes with oinkmaster already configured for downloading the latest rules from ET. Here you can find a post regarding the last snort upgrade; please read the README
file where you can find the information to configure oinkmaster according to the latest rules http://bailey.st/blog/2010/11/11/snort-upgrade-from-2-8-6-1-1-to-2-9-0-1-on-snorby-spsa
2) Base and Howtos: about this I'm thinking to open a wiki in order to have some sort of collaboration about the documentation.
I'm trying to do my best, this project started as a joke.
Phillip
03/12/2010 at 7:24 am
Hi Phillip,
I've tried to install SPSA. You've done a great work. All services are ok but I have a little problem during report generation. I've modified the postfix configuration to use an internal mail relay. I've tried to use script/runner -e production "Event.run_daily_report" in the /var/Snorby directory and the script makes the report and sends it as a PDF attachment in email (when the Snorby db is empty).
So, I've tried to do a vulnerability scan on the SPSA appliance and, when I've tried to generate a new report, the report is ok in Snorby but is not sent via email.
Also from Snorby I can't send reports via email.
Any suggestions?
Thanks in advance and... I'm sorry for my English
Stefano
05/01/2011 at 1:34 pm
Hello,
How to add a new external sensor to the Snorby sensors listing?
Best Regards,
PS: I'm sorry for my English.
17/01/2011 at 3:26 am
Hello Phillip.
The link to the Ssd Users Manual doesn’t seem to work. When I attempt to download it I only get a 295 byte file. Is the manual still available at the link listed above? Thanks.
Hi Scott, the manual has been restored.
24/01/2011 at 5:40 am
Hi Phillip,
Thanks for releasing the spsa. All works fine and working. Great stuff.
Can I know, if I upgrade my current Snorby 1.1.3 (the one that came with snorby spsa 1.5) to Snorby 2.2.1 or later, is there going to be any problem? Or any easier workaround? Thanks
cheers,
salawank
Hi salawank,
In order to upgrade to Snorby 2 you need to remove all the old ruby stuff and delete the old Snorby database.
regards,
Phillip
07/02/2011 at 6:32 pm
I was wondering if there is a way to use this ISO to make a bootable usb stick. The computer I am going to install this to does not have a CD drive.
Hi Nick,
you can use UNetbootin to create a bootable USB drive (pen or HD).
http://unetbootin.sourceforge.net/
Phillip
17/03/2011 at 2:37 pm
There does not appear to be any way to add new Snort sensors (or change the default one) in the Snorby web interface.
Do I need to edit a config file somewhere?
@Stephen
yes, you need to log in with ssh and tweak the snort.conf file and the startup scripts.
best,
phillip
02/04/2011 at 9:07 pm
Hey man, great idea. I'm sure you're slammed with work. I've been looking at setting up snort as an IPS with snort inline or SnortSam. I understand your current ISO won't do that, but any idea which way you're heading, so once your ISO does head to IPS I will be used to the tools?
21/04/2011 at 1:43 pm
Many thanks. These are the tools I've been looking for!!
@ivan
Hello,
Please check our latest project http://bailey.st/blog/smooth-sec/
regards,
phillip
06/08/2011 at 9:09 am
Hi Phillip,
I have a few questions:
1. What's the difference between Snorby Spsa and SmoothSec?
2. Any steps on how to update Snorby on both distros?
3. As Spsa is quite old, any steps on how to install and configure Snort on SmoothSec?
Regards,
Tom
06/08/2011 at 3:37 pm
@TomAng
Hi Tom,
thanks for your comment.
1) Snorby Spsa was the first ready-to-go intrusion detection distribution based on Snorby (first generation) and Snort. Smooth-Sec is a new distribution equipped with the Suricata IDS and Snorby 2.0. Suricata is a new multithreaded IDS/IPS engine, which means that if you have a multi-core monster machine it allows you to use all the cores available.
2) If you want to use snort I recommend you to use InstaSnorby directly http://snorby.org/ – I don't recommend you to upgrade Snorby-Spsa.
3) If you want to use snort I recommend you to use InstaSnorby directly http://snorby.org/
Thanks again for your feedback.
Phillip
23/09/2011 at 2:30 pm
If you have idiotically locked yourself out by changing the password and not noting it down, how can I reset the Snorby password via the command line?
Hello,
If you are using Smooth-Sec you can run this script /root/script.utils/CleanAllEvents.sh. Be careful that
this will erase all your events but will also reset the login credentials.
Best.
11/10/2011 at 11:58 pm
Let me know if you need any help with Sagan in Snorby-SPSA. It's pretty straightforward, but you can always catch me on freenode #sagan or via e-mail.
13/10/2011 at 12:38 pm
Hello,
Snorby-SPSA is no longer developed, I've moved to another project called smooth-sec
http://bailey.st/blog/smooth-sec. Stay in touch.
Phillip
24/10/2011 at 11:30 pm
Hi Philip,
Please, how can I switch from console to GUI?
I have used "startx" and "sudo startx" but it is not working.
Thank you.
30/12/2011 at 6:10 pm
Hi Philip,
Many thanks and congratulations for the SmoothSec project. I am currently using SmoothSec 1.3 version and I was wondering whether a newer version will be available.
Regards,
Marios
05/01/2012 at 5:27 am
Hi Guys,
Thanks for the very wonderful tool.
I would like to ask: if we compare this IDS with any hardware based solution, what is the difference between them?
Is this tool beneficial for us to configure on our network?
Regards,
Saeed
07/01/2012 at 12:50 pm
Hi,
How can I install this .iso file on a Hyper-V machine? I am going to try installing it, but the manual mentions this .iso file is only for physical machines, not VMs.
I just tried on a virtual machine but after rebooting it asks for an IP address.
So can anybody tell me how I resolve this issue?
Regards,
Saeed