For my research project, I needed to set up a Network Intrusion Detection System, or NIDS, on a lab network. Having been on the attacker side for a few years, I had heard a lot about Snort as the industry leader in open source rule-based NIDS, so I chose it. I followed a great guide about its configuration, but I ran into a problem while trying to configure one of the Snort web UIs, Snorby. This post is about fixing that specific problem, for the Linux-savvy who do not know the Ruby web development stack well.
My network lab is pretty standard: a pfSense managing 3 subnets. I dedicated one virtual machine to Snort and started following the guide for the configuration. The guide is pretty detailed and, for the most part, up to date. I had no trouble installing the first three of the four components the guide describes:
- Snort itself, the network IDS analyzing the traffic
- Barnyard2, which processes Snort's output and persists the alert data
- PulledPork, which enables periodic updates of the Snort rules
- Snorby, which offers a web UI for Snort alerts.
I am not a big fan of UIs, since pretty much everything can be achieved from the command line, but in this case I thought one was needed. I compare my experience with a NIDS to manually sniffing packets for network analysis: either in the console with tcpdump, or with the desktop application Wireshark. I can still read sniffed packets with the former tool, but given the choice I will go with Wireshark without a doubt.
Snorby is a Ruby on Rails application running on Ruby 1.9.3. I knew nothing about this web framework or about Ruby's module management, where modules are called gems.
At the beginning of the Snorby section of the guide, we need to install modules with the gem utility. One of them is rails, installed with # gem install rails. I encountered a bug during the installation of the gem and, not being in an environment I am familiar with, I had trouble dealing with it.
Error: mime-types-data requires Ruby version >= 2.0
Basically, the bug is documented. One of the first fixes suggested on the GitHub issue page was to install a specific version of the module: gem install mime-types -v 2.6.2. Although it seemed to work for some people, it did not for me. Another answer to the issue was to install a specific version of the module, but with another utility, rvm.
I looked into this utility: it is a version manager for dealing with different Ruby environments. I installed it with the quick and easy guide, and I was ready to install my troublesome module with the fix posted on GitHub.
Strangely, I did not have the right version, and the Ubuntu repositories did not have it either. Nevertheless, I downloaded it through rvm, and I was able to install the specific version of mime-types, followed by a successful installation of rails.
Hurray! I was able to continue the setup as intended, and with no further errors I got it working.
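To make the fix above repeatable, here is an added example (not from the original post and not from the Snorby guide): a small POSIX shell script that asks the Ruby currently selected by rvm for its version and pins mime-types to 2.6.2 only when that Ruby is below 2.0, which is the threshold the "mime-types-data requires Ruby version >= 2.0" error names. The 2.6.2 pin and the 2.0 threshold are taken from the post; the function names and the 1.9.3 fallback are my own assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post or the Snorby guide.
# Chooses the mime-types pin for the Ruby version in use: the error in the
# post says mime-types-data needs Ruby >= 2.0, and the fix that worked
# was "gem install mime-types -v 2.6.2" under a Ruby selected with rvm.

# Split a version string like "1.9.3" into major and minor numbers.
# A missing minor part counts as 0, so "2" compares like "2.0".
version_major() { echo "${1%%.*}"; }
version_minor() {
    case "$1" in
        *.*) rest="${1#*.}"; echo "${rest%%.*}" ;;
        *)   echo 0 ;;
    esac
}

# Return success (0) when version $1 sorts strictly below version $2.
version_below() {
    a_maj=$(version_major "$1"); a_min=$(version_minor "$1")
    b_maj=$(version_major "$2"); b_min=$(version_minor "$2")
    if [ "$a_maj" -lt "$b_maj" ]; then return 0; fi
    if [ "$a_maj" -eq "$b_maj" ] && [ "$a_min" -lt "$b_min" ]; then return 0; fi
    return 1
}

# Ruby below 2.0 cannot take the mime-types releases that pull in
# mime-types-data, so pin 2.6.2 (the version that worked in the post).
# Newer Rubies need no pin; print an empty string for them.
mime_types_pin_for() {
    if version_below "$1" 2.0; then echo 2.6.2; else echo ""; fi
}

# Build the exact gem command for a given Ruby version.
gem_install_command() {
    pin=$(mime_types_pin_for "$1")
    if [ -n "$pin" ]; then
        echo "gem install mime-types -v $pin"
    else
        echo "gem install mime-types"
    fi
}

# Ask the Ruby that rvm has put first on PATH for its version; fall back to
# the 1.9.3 that Snorby targets when no ruby is installed at all (assumed).
current_ruby_version() {
    ruby -e 'print RUBY_VERSION' 2>/dev/null || echo 1.9.3
}

# Print the planned command; set APPLY=1 in the environment to run it.
main() {
    ver=$(current_ruby_version)
    cmd=$(gem_install_command "$ver")
    echo "Ruby $ver -> $cmd"
    if [ "${APPLY:-0}" = 1 ]; then
        $cmd
    fi
}

main
```

Run it after rvm use has selected the Ruby that Snorby will run under, so that the ruby and gem binaries on PATH belong to the same installation; without APPLY=1 it only prints the command it would run, which is handy for checking the decision before touching the gem set.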
I intend to use it to see the traces of my attacks. For example, I can see the heartbeat request and response from a Heartbleed exploitation, as shown on the next screen.
Hope this helps one of you in the same situation.