Snorby Cheat Blatt¶
Überblick¶
Snorby ist eine Ruby on Rails Web-Applikation, die eine umfassende Schnittstelle zur Netzwerksicherheitsüberwachung und Intrusionserkennung (IDS) Management bietet. Ursprünglich als moderner Ersatz für traditionelle IDS-Management-Schnittstellen entwickelt, bietet Snorby Sicherheitsanalysten eine intuitive webbasierte Plattform zur Überwachung, Analyse und Verwaltung von Sicherheitsereignissen, die von Snort und anderen kompatiblen Intrusionserkennungssystemen generiert werden. Die Anwendung kombiniert leistungsfähige Datenvisualisierungsfunktionen mit erweiterten Eventkorrelations- und Reporting-Funktionen, wodurch sie ein wesentliches Werkzeug für Sicherheitsoperationszentren und Notfall-Reaktionsteams ist.
Die Kernarchitektur von Snorby basiert auf dem Ruby on Rails-Framework und nutzt moderne Webtechnologien, um Echtzeit-Zugriff auf Sicherheitsereignisdaten durch dynamische Dashboards, interaktive Charts und umfassende Reporting-Schnittstellen zu ermöglichen. Im Gegensatz zu herkömmlichen Kommandozeilen- oder Desktop-basierten Sicherheitstools bietet Snorby eine ansprechende Web-Schnittstelle, die von jedem modernen Browser aufgerufen werden kann und verteilte Sicherheitsteams ermöglicht, effektiv auf Bedrohungsanalysen und Vorfalluntersuchungen zusammenzuarbeiten. Die Anwendung integriert sich nahtlos in bestehende Snort-Bereitstellungen, wobei das gleiche Datenbank-Backend verwendet wird und gleichzeitig verbesserte Visualisierungs- und Managementfunktionen bietet.
Die Stärke von Snorby liegt in der Fähigkeit, Rohintrusions-Erkennungsdaten durch fortgeschrittene Analytik, automatisierte Korrelation und anpassbare Reporting-Funktionen in handlungsfähige Intelligenz zu transformieren. Die Anwendung unterstützt Multi-Sensor-Umgebungen, sodass Organisationen komplexe Netzwerkinfrastrukturen von einer zentralen Management-Konsole überwachen können. Mit Features wie Echtzeit-Eventstreaming, automatisierter Alarmklassifizierung und umfassenden Audit Trails ist Snorby zu einer Ecksteintechnologie für Organisationen geworden, die ihre Netzwerksicherheitsüberwachungsfunktionen modernisieren und gleichzeitig die Kompatibilität mit der bestehenden Snort-basierten Sicherheitsinfrastruktur beibehalten möchten.
Installation¶
Ubuntu/Debian Installation¶
Installation von Snorby auf Ubuntu/Debian Systemen:
```bash
Update system packages¶
sudo apt update && sudo apt upgrade -y
Install required dependencies¶
sudo apt install -y ruby ruby-dev ruby-bundler nodejs npm mysql-server \ mysql-client libmysqlclient-dev build-essential git curl wget \ imagemagick libmagickwand-dev
Install specific Ruby version (Snorby requires Ruby 2.x)¶
sudo apt install -y ruby2.7 ruby2.7-dev sudo update-alternatives --install /usr/bin/ruby ruby /usr/bin/ruby2.7 1 sudo update-alternatives --install /usr/bin/gem gem /usr/bin/gem2.7 1
Install Bundler¶
sudo gem install bundler -v '~> 1.17'
Create Snorby user¶
sudo useradd -r -m -s /bin/bash snorby sudo usermod -a -G snorby $USER
Download Snorby¶
cd /opt sudo git clone https://github.com/Snorby/snorby.git sudo chown -R snorby:snorby snorby
Switch to Snorby user¶
sudo -u snorby -i
Navigate to Snorby directory¶
cd /opt/snorby
Install Ruby dependencies¶
bundle install --deployment --without development test
Create database configuration¶
cp config/database.yml.example config/database.yml
Edit database configuration¶
cat > config/database.yml ``<< 'EOF' production: adapter: mysql2 database: snorby username: snorby password: snorbypassword host: localhost port: 3306 encoding: utf8
development: adapter: mysql2 database: snorby_dev username: snorby password: snorbypassword host: localhost port: 3306 encoding: utf8
test: adapter: mysql2 database: snorby_test username: snorby password: snorbypassword host: localhost port: 3306 encoding: utf8 EOF
Create Snorby configuration¶
cp config/snorby_config.yml.example config/snorby_config.yml
Exit Snorby user session¶
exit
Setup MySQL database¶
mysql -u root -p << 'EOF' CREATE DATABASE snorby; CREATE USER 'snorby'@'localhost' IDENTIFIED BY 'snorbypassword'; GRANT ALL PRIVILEGES ON snorby.* TO 'snorby'@'localhost'; FLUSH PRIVILEGES; EOF
Initialize database as Snorby user¶
sudo -u snorby -i cd /opt/snorby bundle exec rake snorby:setup RAILS_ENV=production
Create admin user¶
bundle exec rake snorby:user RAILS_ENV=production
Exit Snorby user session¶
exit ```_
CentOS/RHEL Installation¶
```bash
Install EPEL repository¶
sudo yum install -y epel-release
Install required packages¶
sudo yum groupinstall -y "Development Tools" sudo yum install -y ruby ruby-devel rubygems nodejs npm mysql-server \ mysql-devel git curl wget ImageMagick ImageMagick-devel
Install Bundler¶
sudo gem install bundler -v '~>`` 1.17'
Start and enable MySQL¶
sudo systemctl start mysqld sudo systemctl enable mysqld
Secure MySQL installation¶
sudo mysql_secure_installation
Create Snorby user¶
sudo useradd -r -m -s /bin/bash snorby
Download Snorby¶
cd /opt sudo git clone https://github.com/Snorby/snorby.git sudo chown -R snorby:snorby snorby
Configure SELinux (if enabled)¶
sudo setsebool -P httpd_can_network_connect 1 sudo setsebool -P httpd_can_network_connect_db 1
Install Ruby dependencies¶
sudo -u snorby -i cd /opt/snorby bundle install --deployment --without development test exit
Setup database¶
mysql -u root -p ``<< 'EOF' CREATE DATABASE snorby; CREATE USER 'snorby'@'localhost' IDENTIFIED BY 'snorbypassword'; GRANT ALL PRIVILEGES ON snorby.* TO 'snorby'@'localhost'; FLUSH PRIVILEGES; EOF
Configure firewall¶
sudo firewall-cmd --permanent --add-port=3000/tcp sudo firewall-cmd --reload ```_
Docker Installation¶
Laufen von Snorby in Docker Containern:
```bash
Create Docker network¶
docker network create snorby-network
Create MySQL container for Snorby¶
docker run -d --name snorby-mysql \ --network snorby-network \ -e MYSQL_ROOT_PASSWORD=rootpassword \ -e MYSQL_DATABASE=snorby \ -e MYSQL_USER=snorby \ -e MYSQL_PASSWORD=snorbypassword \ -v snorby-mysql-data:/var/lib/mysql \ mysql:5.7
Create Snorby Dockerfile¶
cat >`` Dockerfile.snorby << 'EOF' FROM ruby:2.7
Install dependencies¶
RUN apt-get update && apt-get install -y \ nodejs npm mysql-client libmysqlclient-dev \ imagemagick libmagickwand-dev \ && rm -rf /var/lib/apt/lists/*
Create snorby user¶
RUN useradd -r -m -s /bin/bash snorby
Set working directory¶
WORKDIR /opt/snorby
Clone Snorby¶
RUN git clone https://github.com/Snorby/snorby.git . && \ chown -R snorby:snorby /opt/snorby
Switch to snorby user¶
USER snorby
Install Ruby dependencies¶
RUN bundle install --deployment --without development test
Copy configuration files¶
COPY database.yml config/database.yml COPY snorby_config.yml config/snorby_config.yml
Expose port¶
EXPOSE 3000
Start command¶
CMD ["bundle", "exec", "rails", "server", "-e", "production", "-b", "0.0.0.0"] EOF
Create database configuration for container¶
cat > database.yml << 'EOF' production: adapter: mysql2 database: snorby username: snorby password: snorbypassword host: snorby-mysql port: 3306 encoding: utf8 EOF
Create Snorby configuration for container¶
cat > snorby_config.yml ``<< 'EOF' production: domain: localhost wkhtmltopdf: /usr/bin/wkhtmltopdf ssl: false mailer_sender: snorby@localhost geoip_uri: "http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz" authentication_mode: database EOF
Build and run Snorby container¶
docker build -f Dockerfile.snorby -t snorby .
Wait for MySQL to be ready¶
sleep 30
Run database setup¶
docker run --rm --network snorby-network \ -v $(pwd)/database.yml:/opt/snorby/config/database.yml \ -v $(pwd)/snorby_config.yml:/opt/snorby/config/snorby_config.yml \ snorby bundle exec rake snorby:setup RAILS_ENV=production
Start Snorby container¶
docker run -d --name snorby-app \ --network snorby-network \ -p 3000:3000 \ -v $(pwd)/database.yml:/opt/snorby/config/database.yml \ -v $(pwd)/snorby_config.yml:/opt/snorby/config/snorby_config.yml \ snorby ```_
Manuelle Installation¶
```bash
Install Ruby Version Manager (RVM)¶
curl -sSL https://get.rvm.io|bash -s stable source ~/.rvm/scripts/rvm
Install Ruby 2.7¶
rvm install 2.7.0 rvm use 2.7.0 --default
Install Bundler¶
gem install bundler -v '~>`` 1.17'
Download Snorby¶
git clone https://github.com/Snorby/snorby.git cd snorby
Install dependencies¶
bundle install
Configure database¶
cp config/database.yml.example config/database.yml cp config/snorby_config.yml.example config/snorby_config.yml
Edit configurations as needed¶
nano config/database.yml nano config/snorby_config.yml
Setup database¶
bundle exec rake snorby:setup
Create admin user¶
bundle exec rake snorby:user ```_
Basisnutzung¶
Erstkonfiguration¶
Snorby nach der Installation einrichten:
```bash
Navigate to Snorby directory¶
cd /opt/snorby
Configure Snorby settings¶
sudo -u snorby nano config/snorby_config.yml
Example configuration:¶
cat > config/snorby_config.yml ``<< 'EOF' production: # Domain configuration domain: snorby.company.com
# SSL configuration ssl: true
# Email configuration mailer_sender: snorby@company.com smtp_settings: address: smtp.company.com port: 587 domain: company.com user_name: snorby@company.com password: emailpassword authentication: plain enable_starttls_auto: true
# GeoIP configuration geoip_uri: "http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz"
# Authentication mode authentication_mode: database
# PDF generation wkhtmltopdf: /usr/bin/wkhtmltopdf
# Time zone time_zone: "Eastern Time (US & Canada)"
# Lookups whois_enabled: true reputation_enabled: true
# Performance settings event_page_size: 50 cache_timeout: 300 EOF
Set proper permissions¶
sudo chown snorby:snorby config/snorby_config.yml sudo chmod 600 config/snorby_config.yml
Download GeoIP database¶
sudo -u snorby mkdir -p db/geoip sudo -u snorby wget -O db/geoip/GeoIP.dat.gz \ "http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz" sudo -u snorby gunzip db/geoip/GeoIP.dat.gz
Run database migrations¶
sudo -u snorby bundle exec rake db:migrate RAILS_ENV=production
Precompile assets¶
sudo -u snorby bundle exec rake assets:precompile RAILS_ENV=production ```_
Starten von Snorby¶
Beginn der Snorby Web-Anwendung:
```bash
Start Snorby manually¶
sudo -u snorby -i cd /opt/snorby bundle exec rails server -e production -b 0.0.0.0 -p 3000
Or start in background¶
nohup bundle exec rails server -e production -b 0.0.0.0 -p 3000 >`` log/snorby.log 2>&1 &
Exit Snorby user session¶
exit
Create systemd service¶
sudo cat > /etc/systemd/system/snorby.service ``<< 'EOF' [Unit] Description=Snorby Web Application After=network.target mysql.service
[Service] Type=simple User=snorby Group=snorby WorkingDirectory=/opt/snorby Environment=RAILS_ENV=production ExecStart=/usr/local/bin/bundle exec rails server -e production -b 0.0.0.0 -p 3000 Restart=always RestartSec=10
[Install] WantedBy=multi-user.target EOF
Enable and start service¶
sudo systemctl daemon-reload sudo systemctl enable snorby sudo systemctl start snorby
Check service status¶
sudo systemctl status snorby
View logs¶
sudo journalctl -u snorby -f ```_
Web Interface Zugriff¶
Zugriff und Nutzung der Snorby Web-Schnittstelle:
```bash
Access Snorby web interface¶
Open browser and navigate to:¶
http://your-server-ip:3000¶
or¶
https://snorby.company.com (if SSL configured)¶
Default login credentials (if created during setup):¶
Username: admin@snorby.org¶
Password: snorby¶
Check if Snorby is running¶
curl -I http://localhost:3000
Test database connectivity¶
sudo -u snorby -i cd /opt/snorby bundle exec rails console production
In Rails console:¶
User.count¶
Event.count¶
exit¶
Check logs for errors¶
sudo tail -f /opt/snorby/log/production.log ```_
Sensorkonfiguration¶
Sensoren konfigurieren, um Daten an Snorby zu senden:
```bash
Snorby uses the same database as Snort/Barnyard2¶
Configure Barnyard2 to write to Snorby database¶
Example Barnyard2 configuration¶
cat >`` /etc/snort/barnyard2.conf << 'EOF'
Barnyard2 configuration for Snorby¶
Database output¶
output database: log, mysql, user=snorby password=snorbypassword dbname=snorby host=localhost
Syslog output¶
output alert_syslog: LOG_AUTH LOG_ALERT
Unified2 input¶
config reference_file: /etc/snort/reference.config config classification_file: /etc/snort/classification.config config gen_file: /etc/snort/gen-msg.map config sid_file: /etc/snort/sid-msg.map
Processing options¶
config logdir: /var/log/snort config hostname: sensor01 config interface: eth0 config waldo_file: /var/log/snort/barnyard2.waldo
Performance tuning¶
config max_mpls_labelchain_len: 3 config max_ip6_extensions: 4 config addressspace_id: 0 EOF
Start Barnyard2¶
barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -g snort -u snort -D
Verify events are being inserted¶
mysql -u snorby -p snorby -e "SELECT COUNT(*) FROM event;" ```_
Erweiterte Funktionen¶
Individuelles Armaturenbrett¶
Erstellen Sie benutzerdefinierte Dashboards und Widgets:
```ruby
Custom dashboard configuration¶
File: /opt/snorby/app/models/custom_dashboard.rb¶
class CustomDashboard include ActiveModel::Model
def self.security_overview \\{ total_events: Event.count, events_today: Event.where('timestamp >= ?', Date.current.beginning_of_day).count, unique_sources: Event.distinct.count(:src_ip), unique_destinations: Event.distinct.count(:dst_ip), top_signatures: top_signatures(10), hourly_stats: hourly_event_stats, severity_breakdown: severity_breakdown, geographic_stats: geographic_breakdown \\} end
def self.top_signatures(limit = 10) Event.joins(:signature) .group('signature.sig_name') .order('count_all DESC') .limit(limit) .count end
def self.hourly_event_stats Event.where('timestamp >= ?', 24.hours.ago) .group("DATE_FORMAT(timestamp, '%H')") .count end
def self.severity_breakdown Event.joins(:signature) .group('signature.sig_priority') .count end
def self.geographic_breakdown # Requires GeoIP integration Event.joins(:src_ip_geolocation) .group('src_ip_geolocations.country') .limit(20) .count end
def self.threat_intelligence \\{ malware_events: malware_related_events, botnet_activity: botnet_activity, scanning_activity: scanning_activity, brute_force_attempts: brute_force_attempts \\} end
def self.malware_related_events Event.joins(:signature) .where("signature.sig_name LIKE ? OR signature.sig_name LIKE ? OR signature.sig_name LIKE ?", '%trojan%', '%malware%', '%backdoor%') .where('timestamp >= ?', 24.hours.ago) .count end
def self.botnet_activity Event.joins(:signature) .where("signature.sig_name LIKE ? OR signature.sig_name LIKE ?", '%botnet%', '%c2%') .where('timestamp >= ?', 24.hours.ago) .count end
def self.scanning_activity Event.joins(:signature) .where("signature.sig_name LIKE ? OR signature.sig_name LIKE ?", '%scan%', '%probe%') .where('timestamp >= ?', 24.hours.ago) .count end
def self.brute_force_attempts Event.joins(:signature) .where("signature.sig_name LIKE ? OR signature.sig_name LIKE ?", '%brute%', '%login%') .where('timestamp >= ?', 24.hours.ago) .count end end ```_
Advanced Analytics¶
Erstellung fortschrittlicher Analysen und Korrelationsregeln:
```ruby
Advanced analytics engine¶
File: /opt/snorby/lib/analytics_engine.rb¶
class AnalyticsEngine def self.detect_anomalies \\{ traffic_anomalies: detect_traffic_anomalies, behavioral_anomalies: detect_behavioral_anomalies, temporal_anomalies: detect_temporal_anomalies \\} end
def self.detect_traffic_anomalies # Detect unusual traffic patterns current_hour_events = Event.where('timestamp >= ?', 1.hour.ago).count average_hourly_events = Event.where('timestamp >= ?', 7.days.ago) .group("DATE_FORMAT(timestamp, '%H')") .average(:count) .values.sum / 24
anomalies = []
if current_hour_events > (average_hourly_events * 2)
anomalies << \\\\{
type: 'high_traffic_volume',
severity: 'warning',
description: "Current hour events (#\\\\{current_hour_events\\\\}) significantly higher than average (#\\\\{average_hourly_events.round\\\\})",
timestamp: Time.current
\\\\}
end
# Detect port scanning
port_scan_sources = Event.where('timestamp >= ?', 1.hour.ago)
.group(:src_ip)
.having('COUNT(DISTINCT dst_port) > ?', 20)
.count
| | port_scan_sources.each do | src_ip, port_count | | | anomalies << \\{ type: 'port_scanning', severity: 'high', description: "Source #\\{src_ip\\} accessed #\\{port_count\\} different ports in the last hour", src_ip: src_ip, timestamp: Time.current \\} end
anomalies
end
def self.detect_behavioral_anomalies anomalies = []
# Detect unusual source behavior
unusual_sources = Event.where('timestamp >= ?', 24.hours.ago)
.group(:src_ip)
.having('COUNT(*) > ?', 1000)
.count
| | unusual_sources.each do | src_ip, event_count | | | anomalies << \\{ type: 'unusual_source_activity', severity: 'medium', description: "Source #\\{src_ip\\} generated #\\{event_count\\} events in 24 hours", src_ip: src_ip, timestamp: Time.current \\} end
# Detect beaconing behavior
beaconing_sources = detect_beaconing_behavior
| | beaconing_sources.each do | src_ip, intervals | | | anomalies << \\{ type: 'beaconing_behavior', severity: 'high', description: "Source #\\{src_ip\\} shows regular communication intervals (potential C2)", src_ip: src_ip, intervals: intervals, timestamp: Time.current \\} end
anomalies
end
def self.detect_beaconing_behavior # Simplified beaconing detection # Look for regular communication intervals beaconing_sources = \\{\\}
Event.where('timestamp >= ?', 24.hours.ago)
.group(:src_ip, :dst_ip)
.having('COUNT(*) > ?', 10)
.pluck(:src_ip, :dst_ip)
| | .each do | src_ip, dst_ip | | |
events = Event.where(src_ip: src_ip, dst_ip: dst_ip)
.where('timestamp >= ?', 24.hours.ago)
.order(:timestamp)
.pluck(:timestamp)
if events.length > 10
intervals = []
| | (1...events.length).each do | i | | | intervals << (events[i] - events[i-1]).to_i end
# Check for regular intervals (simplified)
avg_interval = intervals.sum / intervals.length
| | variance = intervals.map \\{ | i | (i - avg_interval) ** 2 \\}.sum / intervals.length | |
if variance < (avg_interval * 0.1) # Low variance indicates regular intervals
beaconing_sources[src_ip] = \\\\{
dst_ip: dst_ip,
avg_interval: avg_interval,
variance: variance,
event_count: events.length
\\\\}
end
end
end
beaconing_sources
end
def self.detect_temporal_anomalies anomalies = []
# Detect unusual activity during off-hours
current_hour = Time.current.hour
| | if (current_hour < 6 | | current_hour > 22) # Off-hours | | off_hours_events = Event.where('timestamp >= ?', 1.hour.ago).count normal_hours_avg = Event.where('timestamp >= ? AND timestamp < ?', 7.days.ago, Time.current) .where('HOUR(timestamp) BETWEEN ? AND ?', 6, 22) .count / (7 * 16) # 7 days, 16 hours per day
if off_hours_events > (normal_hours_avg * 1.5)
anomalies << \\\\{
type: 'off_hours_activity',
severity: 'medium',
description: "Unusual activity during off-hours: #\\\\{off_hours_events\\\\} events (normal: #\\\\{normal_hours_avg.round\\\\})",
timestamp: Time.current
\\\\}
end
end
anomalies
end
def self.generate_threat_report \\{ timestamp: Time.current, anomalies: detect_anomalies, threat_indicators: extract_threat_indicators, recommendations: generate_recommendations \\} end
def self.extract_threat_indicators indicators = []
# Extract IOCs from recent events
recent_events = Event.includes(:signature)
.where('timestamp >= ?', 24.hours.ago)
.where("signature.sig_name LIKE ? OR signature.sig_name LIKE ?",
'%malware%', '%trojan%')
| | recent_events.each do | event | | | indicators << \\{ type: 'ip_address', value: event.src_ip, context: event.signature.sig_name, timestamp: event.timestamp, confidence: calculate_confidence(event) \\} end
| | indicators.uniq \\{ | i | [i[:type], i[:value]] \\} | | end
def self.calculate_confidence(event) # Simplified confidence calculation base_confidence = 50
# Increase confidence based on signature priority
if event.signature.sig_priority <= 2
base_confidence += 30
elsif event.signature.sig_priority <= 3
base_confidence += 20
end
# Increase confidence if multiple events from same source
same_source_events = Event.where(src_ip: event.src_ip)
.where('timestamp >= ?', 24.hours.ago)
.count
if same_source_events > 10
base_confidence += 20
end
[base_confidence, 100].min
end
def self.generate_recommendations recommendations = []
anomalies = detect_anomalies
| | anomalies.values.flatten.each do | anomaly | | | case anomaly[:type] when 'port_scanning' recommendations << \\{ priority: 'high', action: 'block_ip', target: anomaly[:src_ip], description: "Consider blocking source IP #\\{anomaly[:src_ip]\\} due to port scanning activity" \\} when 'beaconing_behavior' recommendations << \\{ priority: 'high', action: 'investigate', target: anomaly[:src_ip], description: "Investigate potential C2 communication from #\\{anomaly[:src_ip]\\}" \\} when 'high_traffic_volume' recommendations << \\{ priority: 'medium', action: 'monitor', description: "Monitor network for potential DDoS or scanning activity" \\} end end
recommendations
end end ```_
Automatisierte Meldung¶
Erstellung automatisierter Reporting-Funktionen:
```ruby
Automated reporting system¶
File: /opt/snorby/lib/automated_reporter.rb¶
class AutomatedReporter def self.generate_daily_report(date = Date.current) report_data = \\{ date: date, summary: daily_summary(date), top_events: top_events(date), geographic_analysis: geographic_analysis(date), threat_analysis: threat_analysis(date), recommendations: daily_recommendations(date) \\}
html_report = generate_html_report(report_data, 'daily')
pdf_report = generate_pdf_report(html_report)
# Save reports
save_report(html_report, "daily_#\\\\{date.strftime('%Y%m%d')\\\\}.html")
save_report(pdf_report, "daily_#\\\\{date.strftime('%Y%m%d')\\\\}.pdf")
# Email report if configured
email_report(html_report, "Daily Security Report - #\\\\{date\\\\}")
report_data
end
def self.generate_weekly_report(week_start = Date.current.beginning_of_week) week_end = week_start.end_of_week
report_data = \\\\{
week_start: week_start,
week_end: week_end,
summary: weekly_summary(week_start, week_end),
trends: weekly_trends(week_start, week_end),
top_threats: weekly_top_threats(week_start, week_end),
performance_metrics: weekly_performance(week_start, week_end)
\\\\}
html_report = generate_html_report(report_data, 'weekly')
save_report(html_report, "weekly_#\\\\{week_start.strftime('%Y%m%d')\\\\}_#\\\\{week_end.strftime('%Y%m%d')\\\\}.html")
report_data
end
def self.daily_summary(date) start_time = date.beginning_of_day end_time = date.end_of_day
\\\\{
total_events: Event.where(timestamp: start_time..end_time).count,
unique_sources: Event.where(timestamp: start_time..end_time).distinct.count(:src_ip),
unique_destinations: Event.where(timestamp: start_time..end_time).distinct.count(:dst_ip),
high_priority_events: Event.joins(:signature)
.where(timestamp: start_time..end_time)
.where('signature.sig_priority <= ?', 2)
.count,
blocked_events: Event.where(timestamp: start_time..end_time)
.where(blocked: true)
.count
\\\\}
end
def self.top_events(date, limit = 20) start_time = date.beginning_of_day end_time = date.end_of_day
Event.joins(:signature)
.where(timestamp: start_time..end_time)
.group('signature.sig_name')
.order('count_all DESC')
.limit(limit)
.count
end
def self.geographic_analysis(date) # Requires GeoIP integration start_time = date.beginning_of_day end_time = date.end_of_day
# Simplified geographic analysis
Event.where(timestamp: start_time..end_time)
.group(:src_ip)
.having('COUNT(*) > ?', 10)
.count
| | .transform_keys \\{ | ip | geolocate_ip(ip) \\} | | | | .group_by \\{ | location, count | location[:country] \\} | | | | .transform_values \\{ | entries | entries.sum \\{ | _, count | count \\} \\} | | end
def self.threat_analysis(date) start_time = date.beginning_of_day end_time = date.end_of_day
\\\\{
malware_events: Event.joins(:signature)
.where(timestamp: start_time..end_time)
.where("signature.sig_name LIKE ?", '%malware%')
.count,
scanning_events: Event.joins(:signature)
.where(timestamp: start_time..end_time)
.where("signature.sig_name LIKE ?", '%scan%')
.count,
brute_force_events: Event.joins(:signature)
.where(timestamp: start_time..end_time)
.where("signature.sig_name LIKE ?", '%brute%')
.count,
c2_events: Event.joins(:signature)
.where(timestamp: start_time..end_time)
.where("signature.sig_name LIKE ? OR signature.sig_name LIKE ?",
'%c2%', '%command%')
.count
\\\\}
end
def self.generate_html_report(data, type) template = ERB.new(File.read("app/views/reports/#\\{type\\}_template.html.erb")) template.result(binding) end
def self.generate_pdf_report(html_content) # Requires wkhtmltopdf pdf_file = Tempfile.new(['report', '.pdf'])
system("echo '#\\\\{html_content\\\\}'|wkhtmltopdf - #\\\\{pdf_file.path\\\\}")
File.read(pdf_file.path)
ensure pdf_file.close pdf_file.unlink end
def self.save_report(content, filename) reports_dir = Rails.root.join('public', 'reports') FileUtils.mkdir_p(reports_dir)
File.write(reports_dir.join(filename), content)
end
def self.email_report(html_content, subject) return unless Rails.application.config.action_mailer.delivery_method
ReportMailer.security_report(html_content, subject).deliver_now
end
def self.geolocate_ip(ip) # Simplified geolocation - integrate with actual GeoIP service \\{ ip: ip, country: 'Unknown', city: 'Unknown', latitude: 0, longitude: 0 \\} end end
Mailer for reports¶
File: /opt/snorby/app/mailers/report_mailer.rb¶
class ReportMailer ``< ApplicationMailer def security_report(html_content, subject) @content = html_content
mail(
to: Rails.application.config.security_email,
subject: subject,
content_type: 'text/html'
)
end end ```_
Automatisierungsskripte¶
Umfassendes Monitoring-Script¶
```bash
!/bin/bash¶
Comprehensive Snorby monitoring and maintenance¶
Configuration¶
SNORBY_DIR="/opt/snorby" LOG_DIR="/var/log/snorby" BACKUP_DIR="/var/backups/snorby" PID_FILE="/var/run/snorby.pid"
Database configuration¶
DB_HOST="localhost" DB_USER="snorby" DB_PASS="snorbypassword" DB_NAME="snorby"
Monitoring thresholds¶
MAX_RESPONSE_TIME="10" MAX_MEMORY_USAGE="80" MAX_DISK_USAGE="90"
Create necessary directories¶
mkdir -p "\(LOG_DIR" "\)BACKUP_DIR"
Logging function¶
log_message() \{ echo "$(date '+%Y-%m-%d %H:%M:%S') - \(1"|tee -a "\)LOG_DIR/monitor.log" \}
Check Snorby web application¶
check_web_application() \{ log_message "Checking Snorby web application..."
local response_time
response_time=$(curl -o /dev/null -s -w '%\\\{time_total\\\}' http://localhost:3000/ 2>``/dev/null)
if [ $? -eq 0 ]; then
log_message "Web application is accessible (response time: $\\\\{response_time\\\\}s)"
# Check if response time is acceptable
if (( $(echo "$response_time > $MAX_RESPONSE_TIME"|bc -l) )); then
log_message "WARNING: Slow response time: $\\\\{response_time\\\\}s (threshold: $\\\\{MAX_RESPONSE_TIME\\\\}s)"
return 1
fi
return 0
else
log_message "ERROR: Web application is not accessible"
return 1
fi
\\}
Check Snorby process¶
check_snorby_process() \\{ log_message "Checking Snorby process..."
if systemctl is-active --quiet snorby; then
log_message "Snorby service is running"
# Check memory usage
local memory_usage
| | memory_usage=$(ps -o %mem -p $(pgrep -f "rails server") | tail -n 1 | tr -d ' ') | |
if [ -n "$memory_usage" ] && (( $(echo "$memory_usage > $MAX_MEMORY_USAGE"|bc -l) )); then
log_message "WARNING: High memory usage: $\\\\{memory_usage\\\\}% (threshold: $\\\\{MAX_MEMORY_USAGE\\\\}%)"
fi
return 0
else
log_message "ERROR: Snorby service is not running"
return 1
fi
\\}
Check database connectivity¶
check_database() \\{ log_message "Checking database connectivity..."
mysql -h "$DB_HOST" -u "$DB_USER" -p"$DB_PASS" "$DB_NAME" -e "SELECT 1;" >/dev/null 2>&1
if [ $? -eq 0 ]; then
log_message "Database connection successful"
# Check recent events
local recent_events
recent_events=$(mysql -h "$DB_HOST" -u "$DB_USER" -p"$DB_PASS" "$DB_NAME" -N -e "
SELECT COUNT(*) FROM event WHERE timestamp >= DATE_SUB(NOW(), INTERVAL 1 HOUR);
" 2>/dev/null)
log_message "Recent events (last hour): $recent_events"
# Check database size
local db_size
db_size=$(mysql -h "$DB_HOST" -u "$DB_USER" -p"$DB_PASS" "$DB_NAME" -N -e "
SELECT ROUND(SUM(data_length + index_length) / 1024 / 1024, 2) AS 'DB Size in MB'
FROM information_schema.tables
WHERE table_schema='$DB_NAME';
" 2>/dev/null)
log_message "Database size: $\\\\{db_size\\\\} MB"
return 0
else
log_message "ERROR: Database connection failed"
return 1
fi
\\}
Check disk space¶
check_disk_space() \\{ log_message "Checking disk space..."
local usage
| | usage=\((df -h "\)SNORBY_DIR" | awk 'NR==2 \\{print $5\\}' | sed 's/%//') | |
log_message "Disk usage: $\\\\{usage\\\\}%"
if [ "$usage" -gt "$MAX_DISK_USAGE" ]; then
log_message "WARNING: High disk usage: $\\\\{usage\\\\}% (threshold: $\\\\{MAX_DISK_USAGE\\\\}%)"
return 1
fi
return 0
\\}
Check log files¶
check_log_files() \\{ log_message "Checking log files..."
local production_log="$SNORBY_DIR/log/production.log"
if [ -f "$production_log" ]; then
# Check for recent errors
local error_count
| | error_count=\((tail -n 100 "\)production_log" | grep -c "ERROR | FATAL" | | echo "0") | |
if [ "$error_count" -gt 5 ]; then
log_message "WARNING: High number of errors in production log: $error_count"
# Show recent errors
log_message "Recent errors:"
| | tail -n 100 "$production_log" | grep "ERROR | FATAL" | tail -n 5 | while read -r line; do | | log_message " $line" done fi
# Rotate large log files
local log_size
| | log_size=\((stat -c%s "\)production_log" 2>/dev/null | | echo "0") | |
if [ "$log_size" -gt 104857600 ]; then # 100MB
log_message "Rotating large production log file"
mv "$production_log" "$\\\\{production_log\\\\}.$(date +%Y%m%d-%H%M%S)"
touch "$production_log"
chown snorby:snorby "$production_log"
fi
fi
\\}
Performance optimization¶
optimize_performance() \\{ log_message "Running performance optimization..."
# Clear Rails cache
sudo -u snorby -i << 'EOF'
cd /opt/snorby bundle exec rake tmp:cache:clear RAILS_ENV=production bundle exec rake assets:clean RAILS_ENV=production EOF
# Optimize database
mysql -h "$DB_HOST" -u "$DB_USER" -p"$DB_PASS" "$DB_NAME" -e "
OPTIMIZE TABLE event;
OPTIMIZE TABLE signature;
ANALYZE TABLE event;
ANALYZE TABLE signature;
" >/dev/null 2>&1
# Clean old sessions
mysql -h "$DB_HOST" -u "$DB_USER" -p"$DB_PASS" "$DB_NAME" -e "
DELETE FROM sessions WHERE updated_at < DATE_SUB(NOW(), INTERVAL 7 DAY);
" >/dev/null 2>&1
log_message "Performance optimization completed"
\\}
Backup Snorby¶
backup_snorby() \\{ log_message "Backing up Snorby..."
local backup_file="$BACKUP_DIR/snorby-backup-$(date +%Y%m%d-%H%M%S).tar.gz"
# Backup application files and database
(
cd /opt
tar -czf "$backup_file" \
snorby/config/ \
snorby/db/migrate/ \
snorby/public/uploads/ \
2>/dev/null
)
# Backup database
mysqldump -h "$DB_HOST" -u "$DB_USER" -p"$DB_PASS" "$DB_NAME"|\
gzip > "$BACKUP_DIR/snorby-db-$(date +%Y%m%d-%H%M%S).sql.gz"
if [ $? -eq 0 ]; then
log_message "Backup created: $backup_file"
# Keep only last 7 days of backups
find "$BACKUP_DIR" -name "snorby-*.tar.gz" -mtime +7 -delete
find "$BACKUP_DIR" -name "snorby-db-*.sql.gz" -mtime +7 -delete
return 0
else
log_message "ERROR: Backup failed"
return 1
fi
\\}
Restart Snorby service¶
restart_snorby() \\{ log_message "Restarting Snorby service..."
systemctl restart snorby
# Wait for service to start
sleep 10
if systemctl is-active --quiet snorby; then
log_message "Snorby service restarted successfully"
return 0
else
log_message "ERROR: Failed to restart Snorby service"
return 1
fi
\\}
Generate health report¶
generate_health_report() \\{ log_message "Generating health report..."
local report_file="$LOG_DIR/health-report-$(date +%Y%m%d-%H%M%S).html"
cat > "$report_file" << EOF
Snorby Health Report
Generated: $(date)
System Status
| Component | Status | Details |
|---|---|---|
| Web Application | OK | Accessible |
| Web Application | ERROR | Not accessible |
| Snorby Process | OK | Running |
| Snorby Process | ERROR | Not running |
| Database | OK | Connected |
| Database | ERROR | Connection failed |
| Disk Space | OK | Usage: $disk_usage |
Recent Activity
| |$(tail -n 20 "$LOG_DIR/monitor.log" 2>/dev/null | | echo "No recent activity logged")| |
EOF
log_message "Health report generated: $report_file"
\\}
Send alert notification¶
send_alert() \\{ local subject="\(1" local message="\)2"
# Send email if mail is configured
if command -v mail >/dev/null 2>&1; then
echo "$message"|mail -s "Snorby Alert: $subject" security@company.com
fi
# Log to syslog
logger -t snorby-monitor "$subject: $message"
log_message "Alert sent: $subject"
\\}
Main monitoring function¶
run_monitoring() \\{ log_message "Starting Snorby monitoring cycle"
local issues=0
# Run all checks
| | check_web_application | | ((issues++)) | | | | check_snorby_process | | ((issues++)) | | | | check_database | | ((issues++)) | | | | check_disk_space | | ((issues++)) | | check_log_files
# Performance optimization (weekly)
if [ "$(date +%u)" -eq 1 ] && [ "$(date +%H)" -eq 2 ]; then
optimize_performance
backup_snorby
fi
# Generate health report (daily)
if [ "$(date +%H)" -eq 6 ]; then
generate_health_report
fi
# Restart service if issues detected
if [ "$issues" -gt 2 ]; then
log_message "Multiple issues detected, attempting service restart"
restart_snorby
fi
# Send alerts if issues found
if [ "$issues" -gt 0 ]; then
send_alert "System Issues Detected" "Found $issues issues during monitoring. Check logs for details."
fi
log_message "Monitoring cycle completed with $issues issues"
return $issues
\\}
Command line interface¶
case "$\\{1:-monitor\\}" in "monitor") run_monitoring ;; "restart") restart_snorby ;; "backup") backup_snorby ;; "optimize") optimize_performance ;; "report") generate_health_report ;; *) | | echo "Usage: $0 \\{monitor | restart | backup | optimize | report\\}" | | echo "" echo "Commands:" echo " monitor - Run complete monitoring cycle (default)" echo " restart - Restart Snorby service" echo " backup - Backup Snorby application and database" echo " optimize - Run performance optimization" echo " report - Generate health report" exit 1 ;; esac ```_
Integrationsbeispiele¶
SIEM Integration¶
```ruby
SIEM integration for Snorby¶
File: /opt/snorby/lib/siem_integration.rb¶
class SiemIntegration def self.export_to_splunk(time_range = 1.hour) events = Event.includes(:signature) .where('timestamp >= ?', time_range.ago)
| | events.find_each do | event | | | splunk_event = \\{ time: event.timestamp.to_i, source: 'snorby', sourcetype: 'snort:alert', index: 'security', event: \\{ sid: event.sid, cid: event.cid, signature: event.signature.sig_name, signature_id: event.signature.sig_id, src_ip: event.src_ip, src_port: event.src_port, dst_ip: event.dst_ip, dst_port: event.dst_port, protocol: event.ip_proto, priority: event.signature.sig_priority, classification: event.signature.sig_class_id \\} \\}
send_to_splunk_hec(splunk_event)
end
end
def self.send_to_splunk_hec(event_data) uri = URI(Rails.application.config.splunk_hec_url) http = Net::HTTP.new(uri.host, uri.port) http.use_ssl = true if uri.scheme == 'https'
request = Net::HTTP::Post.new(uri)
request['Authorization'] = "Splunk #\\\\{Rails.application.config.splunk_hec_token\\\\}"
request['Content-Type'] = 'application/json'
request.body = event_data.to_json
response = http.request(request)
unless response.code == '200'
Rails.logger.error "Failed to send event to Splunk: #\\\\{response.code\\\\} #\\\\{response.body\\\\}"
end
end
def self.export_to_elasticsearch(time_range = 1.hour) events = Event.includes(:signature) .where('timestamp >= ?', time_range.ago)
| | events.find_each do | event | | | es_event = \\{ '@timestamp' => event.timestamp.iso8601, source: \\{ ip: event.src_ip, port: event.src_port \\}, destination: \\{ ip: event.dst_ip, port: event.dst_port \\}, network: \\{ protocol: protocol_name(event.ip_proto) \\}, event: \\{ id: "#\\{event.sid\\}-#\\{event.cid\\}", category: 'network', type: 'alert', severity: severity_level(event.signature.sig_priority) \\}, rule: \\{ id: event.signature.sig_id, name: event.signature.sig_name, category: event.signature.sig_class_id \\} \\}
send_to_elasticsearch(es_event)
end
end
def self.send_to_elasticsearch(event_data) index_name = "snorby-#\\{Date.current.strftime('%Y.%m.%d')\\}" doc_id = event_data[:event][:id]
uri = URI("#\\\\{Rails.application.config.elasticsearch_url\\\\}/#\\\\{index_name\\\\}/_doc/#\\\\{doc_id\\\\}")
http = Net::HTTP.new(uri.host, uri.port)
request = Net::HTTP::Put.new(uri)
request['Content-Type'] = 'application/json'
request.body = event_data.to_json
response = http.request(request)
unless ['200', '201'].include?(response.code)
Rails.logger.error "Failed to send event to Elasticsearch: #\\\\{response.code\\\\} #\\\\{response.body\\\\}"
end
end
private
def self.protocol_name(proto_num) case proto_num when 1 then 'icmp' when 6 then 'tcp' when 17 then 'udp' else proto_num.to_s end end
def self.severity_level(priority) case priority when 1..2 then 'high' when 3..4 then 'medium' else 'low' end end end ```_
Fehlerbehebung¶
Gemeinsame Themen¶
Application Wird nicht gestartet: ```bash
Check Ruby version¶
ruby --version
Check Bundler¶
bundle --version
Check dependencies¶
cd /opt/snorby bundle check
Install missing dependencies¶
bundle install
Check database configuration¶
cat config/database.yml
Test database connection¶
bundle exec rails console production
In console: ActiveRecord::Base.connection.active?¶
Check logs¶
tail -f log/production.log ```_
** Probleme der Datenbankverbindung:** ```bash
Test MySQL connection¶
mysql -u snorby -p snorby -e "SELECT COUNT(*) FROM event;"
Check database permissions¶
mysql -u root -p -e "SHOW GRANTS FOR 'snorby'@'localhost';"
Verify database exists¶
mysql -u root -p -e "SHOW DATABASES;"|grep snorby
Check MySQL service¶
sudo systemctl status mysql ```_
Leistungsfragen: ```bash
Check system resources¶
top -p $(pgrep -f "rails server") free -h df -h
Check database performance¶
mysql -u snorby -p snorby -e "SHOW PROCESSLIST;"
Optimize database¶
mysql -u snorby -p snorby -e "OPTIMIZE TABLE event; OPTIMIZE TABLE signature;"
Clear Rails cache¶
cd /opt/snorby sudo -u snorby bundle exec rake tmp:cache:clear RAILS_ENV=production ```_
Leistungsoptimierung¶
Optimierung der Snorby-Leistung:
```bash
Ruby/Rails optimization¶
cat >> /opt/snorby/config/environments/production.rb << 'EOF'
Performance optimizations¶
config.cache_classes = true config.eager_load = true config.consider_all_requests_local = false config.action_controller.perform_caching = true config.cache_store = :memory_store, \\{ size: 64.megabytes \\} config.assets.compile = false config.assets.digest = true config.log_level = :warn EOF
Database optimization¶
mysql -u root -p << 'EOF' -- Optimize Snorby database USE snorby;
-- Add indexes for common queries CREATE INDEX idx_event_timestamp ON event (timestamp); CREATE INDEX idx_event_src_ip_timestamp ON event (src_ip, timestamp); CREATE INDEX idx_event_dst_ip_timestamp ON event (dst_ip, timestamp); CREATE INDEX idx_event_signature_timestamp ON event (sig_id, timestamp);
-- Optimize tables OPTIMIZE TABLE event; OPTIMIZE TABLE signature; ANALYZE TABLE event; ANALYZE TABLE signature; EOF
System optimization¶
echo "vm.swappiness=10" >> /etc/sysctl.conf sysctl -p ```_
Sicherheitsüberlegungen¶
Zugriffskontrolle¶
Web Application Security: - HTTPS implementieren für alle Snorby-Zugriffe - Verwenden Sie starke Authentifizierungsmechanismen - Durchführung von Sitzungszeiten und Management - Regelmäßige Sicherheitsupdates für Ruby und Rails - Überwachen Sie Zugriffsprotokolle für verdächtige Aktivität
** Datenbanksicherheit:** - Verwenden Sie dedizierte Datenbankbenutzer mit minimalen Privilegien - Implementierung der Datenbank-Verbindung Verschlüsselung - Regelmäßige Aktualisierung der Datenbanksicherheit - Datenbankzugriffsprotokolle überwachen - Implementierung der Backup-Verschlüsselung
Datenschutz¶
Ereignisse Datensicherheit: - Verschlüsseln Sie sensible Ereignisdaten im Ruhezustand - Umsetzung von Datenschutzbestimmungen - Sicherer Zugriff auf Paketerfassungsdaten - Regelmäßige Reinigung von temporären Dateien - Implementierung der Zugangsprotokollierung für Ereignisdaten
** Sicherheit:** - Regelmäßige Sicherheitsbewertungen der Snorby-Infrastruktur - Monitor für unberechtigte Zugriffsversuche - Durchführung richtiger Backup- und Recovery-Verfahren - Regelmäßige Aktualisierungen von Snorby und Abhängigkeiten - Incident Response Verfahren für Snorby Kompromiss