Snorby tarball install for Security Onion – alpha

A couple of days ago I exchanged a volley of tweets with the author of Snorby  @Mephux about including Snorby in Security Onion. Doug Burks chimed in later and said he preferred a tarball or a DEB.

I thought I could help here because this is how we package Web Trisul , also a Ruby on Rails app. The end user does not have to install Ruby, Bundler, Rails, and the app. Everything including Ruby is packaged in a single tar.gz file. All the user does it unzip it and start the app. The downside is that this is platform dependent.

So here is a first attempt at tarballing Snorby for the Security Onion platform. I want the folks involved with the two projects to check it out.

Step 1 : Download the tarball from here (UPDATE: no longer available, follow instructions in this blog post and create your own tarball with the latest snorby sources)

Step 2 : Login to security onion and type

Step 3 : Start Snorby

Step 4 : Login

Point browser to http://<host>:3000

Thats it !


The setup is very simple.

  1. Used the excellent rbenv with RBENV_ROOT redefined to /usr/local/share/snorby/.rbenv
  2. Used ruby-build to install Ruby with prefix pointing to above
  3. Wrote a script called thind which will setup the paths and shims normally done by rbenv and invoke thin
  4. bundle exec – is the magic command that enables this
  5. Changed database.yml to point to securityonion-db
  6. Tarred the whole thing

Wait for the next blog post for instructions on how to make this tarball.

Here’s a screenshot – we tried on a brand new SO install.snorby on seco





Author: Vivek Rajagopalan

Vivek Rajagopalan is the a lead developer for Trisul Network Analytics. Prior products were Unsniff Network Analyzer and Unbrowse SNMP. Loves working with packets , very high speed networks, and helping track down the bad guys on the internet.