MISTERY

OS used/tested for this tutorial: Debian Wheezy and/or Ubuntu 12.04 LTS,
with 3.2.0 and 3.5.0 kernel levels respectively, with Suricata 2.0dev at the time of this writing.



This article consists of the following three major sections:
  • Network card drivers and tuning
  • Kernel specific tuning
  • Suricata.yaml configuration (file extraction specific)

Network and system tools:
apt-get install ethtool bwm-ng iptraf htop

Network card drivers and tuning

Our card is Intel 82599EB 10-Gigabit SFI/SFP+


rmmod ixgbe
sudo modprobe ixgbe FdirPballoc=3
ifconfig eth3 up
Then we disable irqbalance and make sure it does not re-enable itself on reboot:
 killall irqbalance
 service irqbalance stop

 apt-get install chkconfig
 chkconfig irqbalance off
Get the Intel network driver from here (we will use it in a second): https://downloadcenter.intel.com/default.aspx

 Download to your directory of choice, then unzip, compile and install:
 tar -zxf ixgbe-3.18.7.tar.gz
 cd /home/pevman/ixgbe-3.18.7/src
 make clean && make && make install
Set IRQ affinity. Do not forget to replace eth3 below with the name of the network interface you are using:
 cd ../scripts/
 ./set_irq_affinity  eth3


 You should see something like this:
root@suricata:/home/pevman/ixgbe-3.18.7/scripts# ./set_irq_affinity  eth3
no rx vectors found on eth3
no tx vectors found on eth3
eth3 mask=1 for /proc/irq/101/smp_affinity
eth3 mask=2 for /proc/irq/102/smp_affinity
eth3 mask=4 for /proc/irq/103/smp_affinity
eth3 mask=8 for /proc/irq/104/smp_affinity
eth3 mask=10 for /proc/irq/105/smp_affinity
eth3 mask=20 for /proc/irq/106/smp_affinity
eth3 mask=40 for /proc/irq/107/smp_affinity
eth3 mask=80 for /proc/irq/108/smp_affinity
eth3 mask=100 for /proc/irq/109/smp_affinity
eth3 mask=200 for /proc/irq/110/smp_affinity
eth3 mask=400 for /proc/irq/111/smp_affinity
eth3 mask=800 for /proc/irq/112/smp_affinity
eth3 mask=1000 for /proc/irq/113/smp_affinity
eth3 mask=2000 for /proc/irq/114/smp_affinity
eth3 mask=4000 for /proc/irq/115/smp_affinity
eth3 mask=8000 for /proc/irq/116/smp_affinity
root@suricata:/home/pevman/ixgbe-3.18.7/scripts#
Now we have the latest drivers installed (at the time of this writing) and we have run the affinity script:
   *-network:1
       description: Ethernet interface
       product: 82599EB 10-Gigabit SFI/SFP+ Network Connection
       vendor: Intel Corporation
       physical id: 0.1
       bus info: pci@0000:04:00.1
       logical name: eth3
       version: 01
       serial: 00:e0:ed:19:e3:e1
       width: 64 bits
       clock: 33MHz
       capabilities: pm msi msix pciexpress vpd bus_master cap_list ethernet physical fibre
       configuration: autonegotiation=off broadcast=yes driver=ixgbe driverversion=3.18.7 duplex=full firmware=0x800000cb latency=0 link=yes multicast=yes port=fibre promiscuous=yes
       resources: irq:37 memory:fbc00000-fbc1ffff ioport:e000(size=32) memory:fbc40000-fbc43fff memory:fa700000-fa7fffff memory:fa600000-fa6fffff



We need to disable all offloading on the network card in order for the IDS to see the traffic as it actually appears on the wire (no checksum offloading, no TCP segmentation offloading and the like). Otherwise your IDPS will not see all "natural" network traffic the way it is supposed to and will not inspect it properly.

This would influence the correctness of ALL outputs, including file extraction. So make sure all offloading features are OFF !!!

When you first install the drivers and card your offloading settings might look like this:
root@suricata:/home/pevman/ixgbe-3.18.7/scripts# ethtool -k eth3
Offload parameters for eth3:
rx-checksumming: on
tx-checksumming: on
scatter-gather: on
tcp-segmentation-offload: on
udp-fragmentation-offload: off
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: on
rx-vlan-offload: on
tx-vlan-offload: on
ntuple-filters: off
receive-hashing: on
root@suricata:/home/pevman/ixgbe-3.18.7/scripts#

So we disable all of them, like so (and we load balance the UDP flows for that particular network card):

ethtool -K eth3 tso off
ethtool -K eth3 gro off
ethtool -K eth3 lro off
ethtool -K eth3 gso off
ethtool -K eth3 rx off
ethtool -K eth3 tx off
ethtool -K eth3 sg off
ethtool -K eth3 rxvlan off
ethtool -K eth3 txvlan off
ethtool -N eth3 rx-flow-hash udp4 sdfn
ethtool -N eth3 rx-flow-hash udp6 sdfn
ethtool -n eth3 rx-flow-hash udp6 
ethtool -n eth3 rx-flow-hash udp4
ethtool -C eth3 rx-usecs 0 rx-frames 0
ethtool -C eth3 adaptive-rx off

Your output should look something like this:
root@suricata:/home/pevman/ixgbe-3.18.7/scripts# ethtool -K eth3 tso off
root@suricata:/home/pevman/ixgbe-3.18.7/scripts# ethtool -K eth3 gro off
root@suricata:/home/pevman/ixgbe-3.18.7/scripts# ethtool -K eth3 lro off
root@suricata:/home/pevman/ixgbe-3.18.7/scripts# ethtool -K eth3 gso off
root@suricata:/home/pevman/ixgbe-3.18.7/scripts# ethtool -K eth3 rx off
root@suricata:/home/pevman/ixgbe-3.18.7/scripts# ethtool -K eth3 tx off
root@suricata:/home/pevman/ixgbe-3.18.7/scripts# ethtool -K eth3 sg off
root@suricata:/home/pevman/ixgbe-3.18.7/scripts# ethtool -K eth3 rxvlan off
root@suricata:/home/pevman/ixgbe-3.18.7/scripts# ethtool -K eth3 txvlan off
root@suricata:/home/pevman/ixgbe-3.18.7/scripts# ethtool -N eth3 rx-flow-hash udp4 sdfn
root@suricata:/home/pevman/ixgbe-3.18.7/scripts# ethtool -N eth3 rx-flow-hash udp6 sdfn
root@suricata:/home/pevman/ixgbe-3.18.7/scripts# ethtool -n eth3 rx-flow-hash udp6
UDP over IPV6 flows use these fields for computing Hash flow key:
IP SA
IP DA
L4 bytes 0 & 1 [TCP/UDP src port]
L4 bytes 2 & 3 [TCP/UDP dst port]

root@suricata:/home/pevman/ixgbe-3.18.7/scripts# ethtool -n eth3 rx-flow-hash udp4
UDP over IPV4 flows use these fields for computing Hash flow key:
IP SA
IP DA
L4 bytes 0 & 1 [TCP/UDP src port]
L4 bytes 2 & 3 [TCP/UDP dst port]

root@suricata:/home/pevman/ixgbe-3.18.7/scripts# ethtool -C eth3 rx-usecs 0 rx-frames 0 
root@suricata:/home/pevman/ixgbe-3.18.7/scripts# ethtool -C eth3 adaptive-rx off

Now we double-check and run ethtool again to verify that the offloading is OFF:
root@suricata:/home/pevman/ixgbe-3.18.7/scripts# ethtool -k eth3
Offload parameters for eth3: 
rx-checksumming: off
tx-checksumming: off
scatter-gather: off
tcp-segmentation-offload: off
udp-fragmentation-offload: off
generic-segmentation-offload: off
generic-receive-offload: off
large-receive-offload: off
rx-vlan-offload: off
tx-vlan-offload: off
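
As an added check that is not part of the original post, the following script parses ethtool -k output and lists any of the nine offload features turned off above that is still on. It assumes the "name: state" output format shown in the listings above and takes the interface name as its argument.

```shell
#!/bin/bash
# Added example (not from the original post): report any offload feature
# that is still enabled, so the check above can be scripted instead of
# read by eye. Assumes the "name: on|off" format ethtool -k prints here.

# The nine features the ethtool -K commands above turn off.
REQUIRED_OFF="rx-checksumming tx-checksumming scatter-gather
tcp-segmentation-offload generic-segmentation-offload
generic-receive-offload large-receive-offload rx-vlan-offload tx-vlan-offload"

# offloads_still_on: read ethtool -k output on stdin and print one line per
# required feature that is not reported "off". Returns 0 only if all are off.
offloads_still_on() {
    local output feat state bad=0
    output=$(cat)
    for feat in $REQUIRED_OFF; do
        # match the top-level "feat: state" line; sub-features on newer
        # ethtool versions carry different names, so they never match
        state=$(printf '%s\n' "$output" | awk -v f="$feat:" '$1 == f { print $2 }')
        if [ -z "$state" ]; then
            echo "$feat: not reported by ethtool"; bad=1
        elif [ "$state" != "off" ]; then
            echo "$feat: $state"; bad=1
        fi
    done
    return $bad
}

# check_offloads IFACE: run the live check against a real interface.
check_offloads() {
    local dev="$1"
    if ethtool -k "$dev" | offloads_still_on; then
        echo "$dev: all capture-relevant offloads are off"
    else
        echo "$dev: offloads still enabled; re-run disable-network-offload.sh" >&2
        return 1
    fi
}

# Constructed samples copied from the two ethtool -k listings above.
SAMPLE_BEFORE='Offload parameters for eth3:
rx-checksumming: on
tx-checksumming: on
scatter-gather: on
tcp-segmentation-offload: on
udp-fragmentation-offload: off
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: on
rx-vlan-offload: on
tx-vlan-offload: on
ntuple-filters: off
receive-hashing: on'

SAMPLE_AFTER='Offload parameters for eth3:
rx-checksumming: off
tx-checksumming: off
scatter-gather: off
tcp-segmentation-offload: off
udp-fragmentation-offload: off
generic-segmentation-offload: off
generic-receive-offload: off
large-receive-offload: off
rx-vlan-offload: off
tx-vlan-offload: off'

# With an interface name as argument, check that interface live.
if [ $# -gt 0 ]; then
    check_offloads "$1"
fi
```

Running it as ./check-offload.sh eth3 from the @reboot cron job after disable-network-offload.sh gives a log line if a reboot or driver reload silently turned a feature back on.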

Ring parameters on the network card:

root@suricata:~# ethtool -g eth3
Ring parameters for eth3:
Pre-set maximums:
RX:             4096
RX Mini:        0
RX Jumbo:       0
TX:            4096
Current hardware settings:
RX:             512
RX Mini:        0
RX Jumbo:       0
TX:             512


We can increase that to the max Pre-set RX:

root@suricata:~# ethtool -G eth3 rx 4096

Then we have a look again:

root@suricata:~# ethtool -g eth3
Ring parameters for eth3:
Pre-set maximums:
RX:             4096
RX Mini:        0
RX Jumbo:       0
TX:             4096
Current hardware settings:
RX:             4096
RX Mini:        0
RX Jumbo:       0
TX:             512

Making network changes permanent across reboots


On Ubuntu for example you can do:
root@suricata:~# crontab -e

Add the following: 
# add cronjob at reboot - disable network offload
@reboot /opt/tmp/disable-network-offload.sh

and your disable-network-offload.sh script (in this case under /opt/tmp/) will contain the following:
#!/bin/bash
ethtool -K eth3 tso off
ethtool -K eth3 gro off
ethtool -K eth3 lro off
ethtool -K eth3 gso off
ethtool -K eth3 rx off
ethtool -K eth3 tx off
ethtool -K eth3 sg off
ethtool -K eth3 rxvlan off
ethtool -K eth3 txvlan off
ethtool -N eth3 rx-flow-hash udp4 sdfn
ethtool -N eth3 rx-flow-hash udp6 sdfn
ethtool -C eth3 rx-usecs 0 rx-frames 0
ethtool -C eth3 adaptive-rx off
Make it executable with:
chmod 755 /opt/tmp/disable-network-offload.sh



Kernel specific tuning


Certain adjustments to kernel parameters can help as well (note that sysctl -w takes key=value with no spaces around the "="):

sysctl -w net.core.netdev_max_backlog=250000
sysctl -w net.core.rmem_max=16777216
sysctl -w net.core.rmem_default=16777216
sysctl -w net.core.optmem_max=16777216


Making kernel changes permanent across reboots


For example:
echo 'net.core.netdev_max_backlog = 250000' >> /etc/sysctl.conf

Reload the changes:
sysctl -p

OR, for all the above adjustments at once:

echo 'net.core.netdev_max_backlog = 250000' >> /etc/sysctl.conf
echo 'net.core.rmem_max = 16777216' >> /etc/sysctl.conf
echo 'net.core.rmem_default = 16777216' >> /etc/sysctl.conf
echo 'net.core.optmem_max = 16777216' >> /etc/sysctl.conf
sysctl -p
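
The echo >> /etc/sysctl.conf approach above appends a fresh copy of each line every time it is run, so after a few re-runs the file carries stale duplicates and only the last one wins. The helper below, added here and not part of the original post, replaces an existing line for a key or appends one if it is absent; the config file path is a parameter (defaulting to /etc/sysctl.conf) so it can be exercised on a scratch file.

```shell
#!/bin/bash
# Added example, not from the original post: idempotent persistence of the
# sysctl settings from the kernel section above.

# set_sysctl_persistent KEY VALUE [CONF]
# Rewrite the line for KEY in CONF (any spacing around "=") as "KEY = VALUE",
# or append that line if KEY is not present yet. Comment lines are left alone.
set_sysctl_persistent() {
    local key="$1" value="$2" conf="${3:-/etc/sysctl.conf}" tmp
    [ -f "$conf" ] || : > "$conf"
    tmp="$conf.tmp.$$"
    # awk splits each line on "=", trims the key part and compares it to KEY;
    # a match is rewritten, everything else passes through, and if no line
    # matched the new setting is appended at the end.
    awk -v k="$key" -v v="$value" -F= '
        { name = $1; gsub(/^[ \t]+|[ \t]+$/, "", name) }
        name == k { print k " = " v; found = 1; next }
        { print }
        END { if (!found) print k " = " v }
    ' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# apply_kernel_tuning [CONF]: persist the four settings from the section
# above. Reload them afterwards with "sysctl -p" (the file edits are kept
# separate from the reload so this can be tested on a scratch file).
apply_kernel_tuning() {
    local conf="${1:-/etc/sysctl.conf}"
    set_sysctl_persistent net.core.netdev_max_backlog 250000 "$conf"
    set_sysctl_persistent net.core.rmem_max 16777216 "$conf"
    set_sysctl_persistent net.core.rmem_default 16777216 "$conf"
    set_sysctl_persistent net.core.optmem_max 16777216 "$conf"
}
```

On the sensor itself: apply_kernel_tuning && sysctl -p, which can be run as often as you like without growing the file.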


Suricata.yaml configuration  (file extraction specific)

As of Suricata 1.2, it is possible to detect and extract/store over 5000 types of files from HTTP sessions.

Specific file extraction instructions can also be found in the official documentation.

The following libraries are needed on the system running Suricata:
apt-get install libnss3-dev libnspr4-dev

Suricata also needs to be compiled with file extraction enabled (not covered here).

In short, these are the sections of suricata.yaml that can be tuned/configured and that affect file extraction and logging
(the bigger the mem values, the better on a busy link):


  - eve-log:
      enabled: yes
      type: file #file|syslog|unix_dgram|unix_stream
      filename: eve.json
      # the following are valid when type: syslog above
      #identity: "suricata"
      #facility: local5
      #level: Info ## possible levels: Emergency, Alert, Critical,
                   ## Error, Warning, Notice, Info, Debug
      types:
        - alert
        - http:
            extended: yes     # enable this for extended logging information
        - dns
        - tls:
            extended: yes     # enable this for extended logging information
        - files:
            force-magic: yes   # force logging magic on all logged files
            force-md5: yes     # force logging of md5 checksums
        #- drop
        - ssh


For file store to disk (extraction):
  - file-store:
      enabled: yes       # set to yes to enable
      log-dir: files     # directory to store the files
      force-magic: yes   # force logging magic on all stored files
      force-md5: yes     # force logging of md5 checksums
      #waldo: file.waldo # waldo file to store the file_id across runs


 stream:
  memcap: 32mb
  checksum-validation: no      # reject wrong csums
  inline: auto                  # auto will use inline mode in IPS mode, yes or no set it statically
  reassembly:
    memcap: 128mb
    depth: 1mb                  # reassemble 1mb into a stream

depth: 1mb would mean that in one reassembled TCP flow, the maximum size of file that can be extracted is only about 1mb.

Both stream.memcap and reassembly.memcap (if reassembly is needed) must be big enough to hold the whole file to be extracted in flight, PLUS whatever other stream and reassembly work the engine has to do while inspecting the traffic on that link.

 app-layer:
  protocols:
....
....
     http:
      enabled: yes
      # memcap: 64mb

The default memory limit for HTTP is 64mb. It can be increased (for example memcap: 4GB), since HTTP is present everywhere and a low memcap on a busy HTTP link would limit how much can be inspected and extracted.

       libhtp:

         default-config:
           personality: IDS

           # Can be specified in kb, mb, gb.  Just a number indicates
           # it's in bytes.
           request-body-limit: 3072
           response-body-limit: 3072

The default values above control how far into the HTTP request and response bodies the engine tracks, and therefore also limit file inspection. They should be set to a much higher value:

        libhtp:

         default-config:
           personality: IDS

           # Can be specified in kb, mb, gb.  Just a number indicates
           # it's in bytes.
           request-body-limit: 1gb
           response-body-limit: 1gb

 or to 0, which means unlimited:

       libhtp:

         default-config:
           personality: IDS

           # Can be specified in kb, mb, gb.  Just a number indicates
           # it's in bytes.
           request-body-limit: 0
           response-body-limit: 0

and then of course you need a rule loaded, for example:
alert http any any -> any any (msg:"PDF file Extracted"; filemagic:"PDF document"; filestore; sid:11; rev:11;)



That's it.


Source: http://pevma.blogspot.kr/2014/03/suricata-prepearing-10gbps-network.html


Reference 1: https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricata_Snorby_and_Barnyard2_set_up_guide

Reference 2: http://www.aldeid.com/wiki/Suricata/Setting-up-rules

Reference 3: https://www.corelan.be/index.php/2011/02/27/cheat-sheet-installing-snorby-2-2-with-apache2-and-suricata-with-barnyard2-on-ubuntu-10-x/

Reference 4: https://github.com/Snorby/snorby/issues/102#issuecomment-1704653

Reference 5: http://www.aldeid.com/wiki/Snorby

Disclaimer
I claim no credit for this post; it is for my own personal reference while installing the components onto Ubuntu Server 12.04 LTS. No plagiarism is intended! All setup credit goes to the References above. Please follow the steps from the references to set up an IDS yourself.

Software needed for the setup

1. Suricata, the IDS engine.

2. Apache2, the webserver.

3. MySQL, the database server.

4. Barnyard2, the parser which reads the unified2 format from Suricata and writes the events to the MySQL database.

5. Snorby, the web interface frontend for managing IDS alerts.

6. Ruby 1.9.3; at least version 1.9.2 is needed to support Snorby.

7. wkhtmltopdf, for export to PDF.

8. Ubuntu Server 12.04 LTS 32-bit, the base Linux OS.

9. Passenger.

Pre-requisite programs
1. gcc – GNU compiler frontend; it invokes the appropriate compiler for your source code. If your source code is C++, GCC uses g++.
2. g++ – C++ compiler.
3. build-essential – An informational list of the packages needed to build Debian packages.
4. libssl-dev – Source code for SSL.
5. libreadline6-dev – Source code for the readline library. Readline is a GNU software library for line editing in a CLI; it allows the user to move the text cursor and do tab completion.
6. zlib1g-dev – Source code for the zlib library. Zlib contains a library for data compression.
7. linux-headers-generic – Linux header files that are required to compile Linux.
8. libsqlite3-dev – SQLite library source code.
9. libxslt-dev – Source code for the XSLT library.
10. libxml2-dev – Source code for the XML library.
11. imagemagick – For displaying and converting image formats.
12. git-core – For downloading software and source code. This is needed for downloading Snorby.
13. libmysqlclient-dev – SQL client library source code.
14. mysql-server – MySQL server.
15. libmagickwand-dev – Source code for the ImageMagick library.
16. default-jre – Java runtime environment for Linux.
17. ruby1.9.3 – Ruby version 1.9.3.

SSH onto the installed Ubuntu server, then copy and paste the package list from this guide into apt-get install.

During installation you will be asked to provide a root password for MySQL.

wkhtmltopdf

You can obtain the program from https://code.google.com/p/wkhtmltopdf/

cyruslab@localhost:/tmp$ mkdir wkhtmlpdf
cyruslab@localhost:/tmp$ cd wkhtmlpdf
 
Resolving wkhtmltopdf.googlecode.com (wkhtmltopdf.googlecode.com)... 173.194.72.82, 2404:6800:4008:c00::52
Connecting to wkhtmltopdf.googlecode.com (wkhtmltopdf.googlecode.com)|173.194.72.82|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 11393207 (11M) [application/octet-stream]
Saving to: `wkhtmltoimage-0.11.0_rc1-static-i386.tar.bz2'
 
100%[======================================>] 11,393,207  1.94M/s   in 7.3s
 
2012-10-12 17:01:55 (1.49 MB/s) - `wkhtmltoimage-0.11.0_rc1-static-i386.tar.bz2' saved [11393207/11393207]
 
cyruslab@localhost:/tmp/wkhtmlpdf$ tar -jxvf wkhtmltoimage-0.11.0_rc1-static-i386.tar.bz2
wkhtmltoimage-i386
cyruslab@localhost:/tmp/wkhtmlpdf$ sudo cp wkhtmltoimage-i386 /usr/bin/wkhtmltopdf

Installing and configuring snorby

Ruby Gems required:
1. thor
2. i18n
3. bundler
4. tzinfo
5. builder
6. memcache-client
7. rack
8. rack-test
9. erubis
10. mail
11. text-format
12. rack-mount
13. rails
14. sqlite3

You will see an error when installing the text-format gem, because the Ruby I installed is higher than the expected version.
Reference output from the installation:

cyruslab@localhost:/tmp/wkhtmlpdf$ sudo gem install thor i18n bundler tzinfo builder memcache-client rack rack-test erubis mail text-format rack-mount rails sqlite3
Fetching: thor-0.16.0.gem (100%)
Successfully installed thor-0.16.0
Fetching: i18n-0.6.1.gem (100%)
Successfully installed i18n-0.6.1
Fetching: bundler-1.2.1.gem (100%)
Successfully installed bundler-1.2.1
Fetching: tzinfo-0.3.33.gem (100%)
Successfully installed tzinfo-0.3.33
Fetching: builder-3.1.3.gem (100%)
Successfully installed builder-3.1.3
Fetching: memcache-client-1.8.5.gem (100%)
Successfully installed memcache-client-1.8.5
Fetching: rack-1.4.1.gem (100%)
Successfully installed rack-1.4.1
Fetching: rack-test-0.6.2.gem (100%)
Successfully installed rack-test-0.6.2
Fetching: erubis-2.7.0.gem (100%)
Successfully installed erubis-2.7.0
Fetching: mime-types-1.19.gem (100%)
Fetching: polyglot-0.3.3.gem (100%)
Fetching: treetop-1.4.11.gem (100%)
Fetching: mail-2.4.4.gem (100%)
Successfully installed mime-types-1.19
Successfully installed polyglot-0.3.3
Successfully installed treetop-1.4.11
Successfully installed mail-2.4.4
Fetching: text-hyphen-1.0.2.gem (100%)
ERROR:  Error installing text-format:
        text-hyphen requires Ruby version < 1.9.
Fetching: rack-mount-0.8.3.gem (100%)
Successfully installed rack-mount-0.8.3
Fetching: multi_json-1.3.6.gem (100%)
Fetching: activesupport-3.2.8.gem (100%)
Fetching: builder-3.0.3.gem (100%)
Fetching: activemodel-3.2.8.gem (100%)
Fetching: rack-cache-1.2.gem (100%)
Fetching: journey-1.0.4.gem (100%)
Fetching: hike-1.2.1.gem (100%)
Fetching: tilt-1.3.3.gem (100%)
Fetching: sprockets-2.1.3.gem (100%)
Fetching: actionpack-3.2.8.gem (100%)
Fetching: arel-3.0.2.gem (100%)
Fetching: activerecord-3.2.8.gem (100%)
Fetching: activeresource-3.2.8.gem (100%)
Fetching: actionmailer-3.2.8.gem (100%)
Fetching: rake-0.9.2.2.gem (100%)
Fetching: rack-ssl-1.3.2.gem (100%)
Fetching: json-1.7.5.gem (100%)
Building native extensions.  This could take a while...
Fetching: rdoc-3.12.gem (100%)
Depending on your version of ruby, you may need to install ruby rdoc/ri data:
 
<= 1.8.6 : unsupported
 = 1.8.7 : gem install rdoc-data; rdoc-data --install
 = 1.9.1 : gem install rdoc-data; rdoc-data --install
>= 1.9.2 : nothing to do! Yay!
Fetching: railties-3.2.8.gem (100%)
Fetching: rails-3.2.8.gem (100%)
Successfully installed multi_json-1.3.6
Successfully installed activesupport-3.2.8
Successfully installed builder-3.0.3
Successfully installed activemodel-3.2.8
Successfully installed rack-cache-1.2
Successfully installed journey-1.0.4
Successfully installed hike-1.2.1
Successfully installed tilt-1.3.3
Successfully installed sprockets-2.1.3
Successfully installed actionpack-3.2.8
Successfully installed arel-3.0.2
Successfully installed activerecord-3.2.8
Successfully installed activeresource-3.2.8
Successfully installed actionmailer-3.2.8
Successfully installed rake-0.9.2.2
Successfully installed rack-ssl-1.3.2
Successfully installed json-1.7.5
Successfully installed rdoc-3.12
Successfully installed railties-3.2.8
Successfully installed rails-3.2.8
Fetching: sqlite3-1.3.6.gem (100%)
Building native extensions.  This could take a while...
Successfully installed sqlite3-1.3.6
35 gems installed
Installing ri documentation for thor-0.16.0...
Installing ri documentation for i18n-0.6.1...
Installing ri documentation for bundler-1.2.1...
Installing ri documentation for tzinfo-0.3.33...
Installing ri documentation for builder-3.1.3...
Installing ri documentation for memcache-client-1.8.5...
Installing ri documentation for rack-1.4.1...
Installing ri documentation for rack-test-0.6.2...
Installing ri documentation for erubis-2.7.0...
Installing ri documentation for mime-types-1.19...
Installing ri documentation for polyglot-0.3.3...
Installing ri documentation for treetop-1.4.11...
Installing ri documentation for mail-2.4.4...
Installing ri documentation for rack-mount-0.8.3...
Installing ri documentation for multi_json-1.3.6...
Installing ri documentation for activesupport-3.2.8...
Installing ri documentation for builder-3.0.3...
Installing ri documentation for activemodel-3.2.8...
Installing ri documentation for rack-cache-1.2...
Installing ri documentation for journey-1.0.4...
Installing ri documentation for hike-1.2.1...
Installing ri documentation for tilt-1.3.3...
Installing ri documentation for sprockets-2.1.3...
Installing ri documentation for actionpack-3.2.8...
Installing ri documentation for arel-3.0.2...
Installing ri documentation for activerecord-3.2.8...
Installing ri documentation for activeresource-3.2.8...
Installing ri documentation for actionmailer-3.2.8...
Installing ri documentation for rake-0.9.2.2...
Installing ri documentation for rack-ssl-1.3.2...
Installing ri documentation for json-1.7.5...
Installing ri documentation for rdoc-3.12...
Installing ri documentation for railties-3.2.8...
Installing ri documentation for rails-3.2.8...
Installing ri documentation for sqlite3-1.3.6...
Installing RDoc documentation for thor-0.16.0...
Installing RDoc documentation for i18n-0.6.1...
Installing RDoc documentation for bundler-1.2.1...
Installing RDoc documentation for tzinfo-0.3.33...
Installing RDoc documentation for builder-3.1.3...
Installing RDoc documentation for memcache-client-1.8.5...
Installing RDoc documentation for rack-1.4.1...
Installing RDoc documentation for rack-test-0.6.2...
Installing RDoc documentation for erubis-2.7.0...
Installing RDoc documentation for mime-types-1.19...
Installing RDoc documentation for polyglot-0.3.3...
Installing RDoc documentation for treetop-1.4.11...
Installing RDoc documentation for mail-2.4.4...
Installing RDoc documentation for rack-mount-0.8.3...
Installing RDoc documentation for multi_json-1.3.6...
Installing RDoc documentation for activesupport-3.2.8...
Installing RDoc documentation for builder-3.0.3...
Installing RDoc documentation for activemodel-3.2.8...
Installing RDoc documentation for rack-cache-1.2...
Installing RDoc documentation for journey-1.0.4...
Installing RDoc documentation for hike-1.2.1...
Installing RDoc documentation for tilt-1.3.3...
Installing RDoc documentation for sprockets-2.1.3...
Installing RDoc documentation for actionpack-3.2.8...
Installing RDoc documentation for arel-3.0.2...
Installing RDoc documentation for activerecord-3.2.8...
Installing RDoc documentation for activeresource-3.2.8...
Installing RDoc documentation for actionmailer-3.2.8...
Installing RDoc documentation for rake-0.9.2.2...
Installing RDoc documentation for rack-ssl-1.3.2...
Installing RDoc documentation for json-1.7.5...
Installing RDoc documentation for rdoc-3.12...
Installing RDoc documentation for railties-3.2.8...
Installing RDoc documentation for rails-3.2.8...
Installing RDoc documentation for sqlite3-1.3.6...
cyruslab@localhost:/tmp/wkhtmlpdf$

This reference output records what to expect during installation; if you get a different output and are unsure whether it is right or wrong, you can compare it against this reference for details.

Download Snorby with git
Git is a very cool program for downloading packages; it clones whatever path is defined on GitHub. Use sudo git clone http://github.com/Snorby/snorby.git /var/www/snorby to download Snorby into /var/www/snorby; you do not need to create the snorby subdirectory, git will do it for you. :)

Reference output is below:

Cloning into '/var/www/snorby'...
remote: Counting objects: 9659, done.
remote: Compressing objects: 100% (3362/3362), done.
remote: Total 9659 (delta 6478), reused 9265 (delta 6134)
Receiving objects: 100% (9659/9659), 7.51 MiB | 247 KiB/s, done.
Resolving deltas: 100% (6478/6478), done.
cyruslab@localhost:/tmp/wkhtmlpdf$ ls -lah /var/www/snorby/
total 100K
drwxr-xr-x 14 root root 4.0K Oct 12 17:12 .
drwxr-xr-x  3 root root 4.0K Oct 12 17:11 ..
drwxr-xr-x  7 root root 4.0K Oct 12 17:12 app
-rw-r--r--  1 root root 7.9K Oct 12 17:12 ChangeLog.md
drwxr-xr-x  5 root root 4.0K Oct 12 17:12 config
-rw-r--r--  1 root root  156 Oct 12 17:12 config.ru
drwxr-xr-x  2 root root 4.0K Oct 12 17:12 db
-rw-r--r--  1 root root 3.5K Oct 12 17:12 Gemfile
-rw-r--r--  1 root root 8.8K Oct 12 17:12 Gemfile.lock
drwxr-xr-x  8 root root 4.0K Oct 12 17:12 .git
-rw-r--r--  1 root root  458 Oct 12 17:12 .gitignore
drwxr-xr-x  4 root root 4.0K Oct 12 17:12 lib
-rw-r--r--  1 root root 1.7K Oct 12 17:12 LICENSE
drwxr-xr-x  2 root root 4.0K Oct 12 17:12 log
drwxr-xr-x  7 root root 4.0K Oct 12 17:12 public
-rw-r--r--  1 root root  307 Oct 12 17:12 Rakefile
-rw-r--r--  1 root root 3.9K Oct 12 17:12 README.md
drwxr-xr-x  2 root root 4.0K Oct 12 17:12 script
drwxr-xr-x  8 root root 4.0K Oct 12 17:12 spec
drwxr-xr-x  6 root root 4.0K Oct 12 17:12 test
drwxr-xr-x  2 root root 4.0K Oct 12 17:12 tmp
drwxr-xr-x  3 root root 4.0K Oct 12 17:12 vendor
cyruslab@localhost:/tmp/wkhtmlpdf$

Configuring database.yml
Make a copy of the example database.yml.

cyruslab@localhost:/$ cd /var/www/snorby/config/ && sudo cp database.yml.example database.yml

Put in your MySQL password so that Snorby can connect to MySQL and read the database it tabulates on its dashboard.

snorby: &snorby
  adapter: mysql
  username: root
  password: "your_sql_passwd" # Example: password: "s3cr3tsauce"
  host: localhost

Make a copy of snorby_config.yml

cyruslab@localhost:/var/www/snorby/config$ sudo cp snorby_config.yml.example snorby_config.yml

Modify the wkhtmltopdf file path:

#
# Production
#
# Change the production configuration for your environment.
#
# USE THIS!
#