Install Snort, Barnyard2, PulledPork, and Snorby With Nginx on FreeBSD

Prepare the system

  • Update the system
    pkg update && pkg upgrade
    portsnap fetch extract
  • Install portmaster:
    cd /usr/ports/ports-mgmt/portmaster
    make install clean

Install Snort

  • Install Snort
    portmaster security/snort security/barnyard2 security/pulledpork

    NOTE: Enable [X]MYSQL during the config of security/barnyard2

  • Create the following directories:
    mkdir -p /usr/local/etc/snort/so_rules
    mkdir -p /usr/local/etc/snort/rules/iplists
    mkdir -p /var/log/barnyard2
  • Then create a few blank files:
    touch /usr/local/etc/snort/rules/snort.rules
    touch /usr/local/etc/snort/rules/local.rules
    touch /usr/local/etc/snort/rules/white_list.rules
    touch /usr/local/etc/snort/rules/black_list.rules
    touch /var/log/snort/barnyard2.waldo

Configure Snort

  • Edit the snort config file:
    vi /usr/local/etc/snort/snort.conf
    • And modify the following parameters:
      ipvar HOME_NET
      ipvar EXTERNAL_NET any
      var RULE_PATH /usr/local/etc/snort/rules
      var SO_RULE_PATH /usr/local/etc/snort/so_rules
      var PREPROC_RULE_PATH /usr/local/etc/snort/preproc_rules
      var WHITE_LIST_PATH /usr/local/etc/snort/rules
      var BLACK_LIST_PATH /usr/local/etc/snort/rules
      dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
      dynamicengine /usr/local/lib/snort_dynamicengine/
      #dynamicdetection directory /usr/local/lib/snort/dynamicrules
      output unified2: filename snortunified2.log, limit 128
      ## Comment out every $RULE_PATH line
      #include $RULE_PATH
      ## Add definition for aggregate snort.rules file
      include $RULE_PATH/snort.rules
  • (Optional) Remove all commented lines from the snort config (the grep keeps only lines that do not start with #, so blank lines are dropped as well):
    grep '^[^#]' /usr/local/etc/snort/snort.conf > /usr/local/etc/snort/temp.conf
    mv -f /usr/local/etc/snort/temp.conf /usr/local/etc/snort/snort.conf
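The snort.conf edits above, scripted so they can be repeated and checked (an added example, not code from the original post): it sets HOME_NET and the rule paths, comments out the per-category $RULE_PATH includes, adds the single aggregate snort.rules include, and provides a helper for the optional comment-stripping step. The HOME_NET value is a constructed example; the stock snort.conf line layout is assumed.

```shell
#!/bin/sh
# Added example: applies the snort.conf changes from this guide with sed so the
# step is repeatable and can be verified. Assumes the stock snort.conf layout
# ("ipvar HOME_NET ...", "var RULE_PATH ...", "include $RULE_PATH/x.rules").
# Writes to a temp file and renames it, which works with both BSD and GNU sed.

configure_snort_conf() {
    conf="$1"      # path to snort.conf
    home_net="$2"  # e.g. 192.168.1.0/24 (constructed value, use your own network)
    tmp="$conf.tmp.$$"

    sed \
        -e "s|^ipvar HOME_NET .*|ipvar HOME_NET $home_net|" \
        -e 's|^ipvar EXTERNAL_NET .*|ipvar EXTERNAL_NET any|' \
        -e 's|^var RULE_PATH .*|var RULE_PATH /usr/local/etc/snort/rules|' \
        -e 's|^var SO_RULE_PATH .*|var SO_RULE_PATH /usr/local/etc/snort/so_rules|' \
        -e 's|^var PREPROC_RULE_PATH .*|var PREPROC_RULE_PATH /usr/local/etc/snort/preproc_rules|' \
        -e 's|^var WHITE_LIST_PATH .*|var WHITE_LIST_PATH /usr/local/etc/snort/rules|' \
        -e 's|^var BLACK_LIST_PATH .*|var BLACK_LIST_PATH /usr/local/etc/snort/rules|' \
        -e '/^include \$RULE_PATH\/snort\.rules$/!s|^include \$RULE_PATH/|#include $RULE_PATH/|' \
        "$conf" > "$tmp"

    # PulledPork writes one aggregate file; add its include once (idempotent).
    if ! grep -q '^include \$RULE_PATH/snort\.rules$' "$tmp"; then
        printf '%s\n' '## Aggregate rules file written by PulledPork' \
            'include $RULE_PATH/snort.rules' >> "$tmp"
    fi
    mv -f "$tmp" "$conf"
}

# Optional step from the guide: keep only lines that do not start with '#'
# (this also drops blank lines).
strip_comments() {
    grep '^[^#]' "$1" > "$1.tmp.$$" && mv -f "$1.tmp.$$" "$1"
}

# Sanity check before starting Snort: the number of active $RULE_PATH includes
# should be exactly 1 (the aggregate file).
active_rule_includes() {
    grep -c '^include \$RULE_PATH/' "$1" || true
}
```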

Configure Pulledpork

  • Create and edit a Pulledpork config file:
    cp /usr/local/etc/pulledpork/pulledpork.conf.sample /usr/local/etc/pulledpork/pulledpork.conf
    vi /usr/local/etc/pulledpork/pulledpork.conf
    • And modify the following, making sure to replace <oinkcode> with your actual oinkcode.
  • Update Snort rules using Pulledpork: -c /usr/local/etc/pulledpork/pulledpork.conf
  • If you get the following error when running the command with the -vv parameter:
    500 Can't connect to (Crypt-SSLeay can't verify hostnames
    • Then set this environment variable and run the update again:
      export HTTPS_CA_DIR=/usr/share/ca-certificates/ -c /usr/local/etc/pulledpork/pulledpork.conf
  • And add the following lines to /etc/crontab (the example checks for new rules every 12 hours; unlike a per-user crontab, /etc/crontab needs a user field between the schedule and the command):
    echo '## Update Snort rules' >> /etc/crontab
    echo '5 */12 * * * root /usr/bin/perl /usr/local/bin/ -c /usr/local/etc/pulledpork/pulledpork.conf' >> /etc/crontab
  • Restart cron:
    service cron restart
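An added wrapper for the PulledPork cron job (example code, not from the original post): downloading rules does not change the rule set a running Snort loaded at start-up, so the wrapper fingerprints snort.rules before and after the update, validates the result with "snort -T" and only then sends Snort a SIGHUP to reload. The PulledPork script path and the Snort pid file are placeholders (PULLEDPORK and SNORT_PID); the rule lines in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): a wrapper for the PulledPork cron
# job. Downloading rules does not change the rule set a running Snort loaded at
# start-up, so after the update this script checks whether snort.rules actually
# changed, validates the new configuration with "snort -T" and only then asks
# Snort to reload with SIGHUP. PULLEDPORK and SNORT_PID are placeholders.
PULLEDPORK="${PULLEDPORK:-/usr/local/bin/PLACEHOLDER-pulledpork-script}"
PP_CONF=/usr/local/etc/pulledpork/pulledpork.conf
SNORT_CONF=/usr/local/etc/snort/snort.conf
RULES=/usr/local/etc/snort/rules/snort.rules
SNORT_PID="${SNORT_PID:-/var/run/PLACEHOLDER-snort.pid}"

# Prints a checksum of a file (cksum is POSIX, so it works on FreeBSD and
# Linux alike), or "missing" if the file does not exist yet.
rules_fingerprint() {
    if [ -f "$1" ]; then cksum "$1" | cut -d' ' -f1; else echo missing; fi
}

# True (exit 0) when the two fingerprints differ, i.e. the rules changed.
rules_changed() { [ "$1" != "$2" ]; }

update_and_reload() {
    before=$(rules_fingerprint "$RULES")
    /usr/bin/perl "$PULLEDPORK" -c "$PP_CONF" || return 1
    after=$(rules_fingerprint "$RULES")
    if ! rules_changed "$before" "$after"; then
        echo "snort.rules unchanged, nothing to reload"
        return 0
    fi
    # Never hand Snort a rule set it cannot parse: -T only tests the config.
    if ! snort -T -c "$SNORT_CONF"; then
        echo "new rules fail 'snort -T', the running process keeps its old rule set" >&2
        return 1
    fi
    if [ -r "$SNORT_PID" ]; then kill -HUP "$(cat "$SNORT_PID")"; fi
}

# Only perform the full update when invoked as: <script> run
if [ "${1:-}" = run ]; then update_and_reload; fi
```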

Configure Barnyard2

  • Edit the barnyard2 config file:
    vi /usr/local/etc/barnyard2.conf
    • And modify the following:
      config hostname:
      output database: log, mysql, user=snorby password=SuperSecretPassword dbname=snorby host=localhost

Install Snorby

Snorby is a web frontend for the Snort IDS, and this is a simple guide on installing it on FreeBSD 9.2. This guide only sets up Snorby, as my setup has the Snort agent on a remote machine, sending its data to a different remote database.

  • Install a few prerequisite packages:
    portmaster shells/bash ftp/wget textproc/flex devel/pcre net/libdnet textproc/libxml2 textproc/libxslt graphics/ImageMagick devel/lwp www/p5-LWP-UserAgent-WithCache security/p5-Crypt-SSLeay www/p5-LWP-Protocol-https lang/ruby21 devel/ruby-gems converters/wkhtmltopdf devel/readline
  • Fix Bash:
    ln -s /usr/local/bin/bash /bin/bash

    NOTE: Snorby requires this later; an error will occur otherwise.

  • Install some prerequisite gems:
    portmaster print/rubygem-prawn devel/rubygem-thor devel/rubygem-i18n sysutils/rubygem-bundler devel/rubygem-tzinfo devel/rubygem-builder databases/rubygem-memcache-client www/rubygem-rack www/rubygem-rack-test www/rubygem-erubis mail/rubygem-mail textproc/rubygem-text databases/rubygem-sqlite3 devel/rubygem-rake databases/rubygem-mysql www/rubygem-rack-mount www/rubygem-rails
  • Now create a snorby user:
    pw add user -n snorby -d /usr/local/www/snorby -m -s /usr/local/bin/bash -c "Snorby" 
  • Get Snorby from the download section or use the latest edge release via git.
    cd /usr/local/www
    git clone git://
  • Install RVM:
    su - snorby
    curl -L | bash
    source /usr/local/www/snorby/.rvm/scripts/rvm
  • Install Ruby 1.9.3
    rvm install 1.9.3
    rvm use 1.9.3
  • Install Passenger inside the RVM environment:
    gem install passenger
  • Install bundler inside the RVM environment:
    gem install bundler
  • Create a database config file:
    cp config/database.example.yml config/database.yml
    • Change the database, host, user, and password accordingly
  • Create and edit the Snorby config:
    cp config/snorby_config.yml.example config/snorby_config.yml
    vi config/snorby_config.yml
    • And add or modify the following
      # Change the production configuration for your environment.
      wkhtmltopdf: /usr/local/bin/wkhtmltopdf
      mailer_sender: ''
      geoip_uri: "" 
      - "/usr/local/etc/snort/rules" 
      authentication_mode: database
  • Install Gem Dependencies
    RAILS_ENV=production bundle install --path vendor/bundle
  • Install the railties gem using the system libraries:
    gem install railties -- --use-system-libraries
  • Run the Snorby Setup
    RAILS_ENV=production bundle exec rake snorby:setup
  • Restart the snorby worker:
    RAILS_ENV=production bundle exec rails r Snorby::Worker.stop
    RAILS_ENV=production bundle exec rails r Snorby::Worker.start
  • Exit the snorby user environment:
    exit

Snorbyfix Script

  • Create the snorbyfix script:
    vi /usr/local/bin/
    • And add the following:
      #!/bin/sh
      # Snorby Worker script: restart the worker as the snorby user
      su - snorby -c 'RAILS_ENV=production rails r Snorby::Worker.restart'
  • Create a cronjob to run the snorbyfix script every hour (the entry runs as root, since the script itself switches to the snorby user with su; note that "* 1 * * *" would run it every minute during the 1 o'clock hour, not hourly):
    echo '## Fix snorby worker' >> /etc/crontab
    echo '0 * * * * root /usr/local/bin/' >> /etc/crontab
  • Make the script executable:
    chmod +x /usr/local/bin/
  • Restart the cron service:
    service cron restart

Install Nginx

  • Install Nginx with Passenger
    portmaster www/nginx

    NOTE: Make sure to enable [X]PASSENGER when running make config

  • Install the Passenger gem:
    portmaster www/rubygem-passenger

    NOTE: Make sure to enable (*) NGINX when running make config

Configure Nginx

  • Create a configuration directory to make managing individual server blocks easier:
    mkdir /usr/local/etc/nginx/conf.d
  • To configure Nginx and Passenger, edit the /usr/local/etc/nginx/nginx.conf file:
    vi /usr/local/etc/nginx/nginx.conf
    • And add/modify the following
      user  www www;
      worker_processes  4;
      error_log  /var/log/nginx/error.log notice;
      pid        /var/run/;
      events {
        worker_connections  1024;
      }
      http {
        passenger_root /usr/local/lib/ruby/gems/2.0/gems/passenger-4.0.58;
        passenger_ruby /usr/local/bin/ruby;
        passenger_max_pool_size 15;
        passenger_pool_idle_time 300;
        #passenger_spawn_method direct; # Uncomment on Ruby 1.8 for ENC to work
        include       mime.types;
        default_type  application/octet-stream;
        sendfile      on;
        tcp_nopush    on;
        keepalive_timeout  65;
        tcp_nodelay        on;
        # Load config files from the /usr/local/etc/nginx/conf.d directory
        include /usr/local/etc/nginx/conf.d/*.conf;
      }

      NOTE: The above configuration will set the ruby used by passenger to the system default ruby.

  • And add a default site configuration in /usr/local/etc/nginx/conf.d/default.conf (put the allow directives for the addresses that may reach it above the deny all line):
    server {
      listen 80 default;
      server_name _;
      index index.html index.php;
      root /usr/local/www;
      # IP and IP ranges which should get access
      # all else will be denied
      deny all;
      # basic HTTP auth
      auth_basic "Restricted";
      auth_basic_user_file htpasswd;
      location ~ \.cgi$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_pass unix:/var/run/fcgiwrap/fcgiwrap.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param REMOTE_USER $remote_user;
      }
      location ~ \.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
      }
    }
  • Find the exact ruby version that snorby will use:
    su - snorby
    passenger-config --ruby-command
    • Example output:
      passenger-config was invoked through the following Ruby interpreter:
        Command: /usr/local/www/snorby/.rvm/gems/ruby-1.9.3-p551/wrappers/ruby
        Version: ruby 1.9.3p551 (2014-11-13 revision 48407) [x86_64-freebsd9.3]
        To use in Apache: PassengerRuby /usr/local/www/snorby/.rvm/gems/ruby-1.9.3-p551/wrappers/ruby
        To use in Nginx : passenger_ruby /usr/local/www/snorby/.rvm/gems/ruby-1.9.3-p551/wrappers/ruby
        To use with Standalone: /usr/local/www/snorby/.rvm/gems/ruby-1.9.3-p551/wrappers/ruby /usr/local/www/snorby/.rvm/gems/ruby-1.9.3-p551/gems/passenger-4.0.58/bin/passenger start
  • And create a server block for snorby (unlike the default site above, this block has no allow/deny list or basic auth, so Snorby's own login is the only access control on it):
    vi /usr/local/etc/nginx/conf.d/snorby.conf
    • And add the following:
      server {
        listen       80;
        passenger_enabled on;
        passenger_ruby /usr/local/www/snorby/.rvm/gems/ruby-1.9.3-p551/wrappers/ruby;
        passenger_user             snorby;
        passenger_group            snorby;
        access_log /var/log/nginx/snorby.log;
        root /usr/local/www/snorby/public;
      }
  • Create the log directory to prevent issues on startup:
    mkdir /var/log/nginx
  • Restart nginx
    service nginx restart

Posted on: October 17, 2017