Snort on Ubuntu 11.04
Previously I had been running insta-snorby, but after the 100th time of either ruby, ruby on rails, snorby's job or some other failure, it was decided to build a new system, this time where all the parts were easily supported and UP-TO-DATE!
The final result was Ubuntu Server 11.04, with the latest versions of Snort, Barnyard2, PulledPork and SnortReport.
I tried very, very, very hard to also add in Snorby to the mix, and I managed to get its cache jobs to run for a few hours, then they would die with no useful error messages. It doesn't help that some of the official documentation points you to an old repository, it also does help that the GEMs it makes use of are highly unstable.
I also looked at Sguil and its framework, its nice but i dislike the need to install a client, and massively change the effiency of this Snort deployment.
It should also be added that both Snorby and Sguil fail at one thing, having documentation. You need accurate documentation, and also need documentation that isn't 5 years old. SnortReport is old, but the documentation was perfect, not that i needed it.
Anyway, here is how I did it.
1) Follow the Installing Snort on Ubuntu 10.04 guide at http://www.snort.org/docs.
I didn't install Snort to /usr/local/snort, I instead put everything in the default paths, its just a lot less work.
2) Installed PulledPork according to the documentation
3) To start snort and barnyard2:
sudo ifconfig eth1 up
sudo snort -D -u snort -g snort -c /etc/snort/snort.conf -i eth1 --pid-path /var/run/snort
sudo barnyard2 -c /etc/snort/barnyard2.conf -G /etc/snort/gen-msg.map -S /etc/snort/sid-msg.map -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.wald -D --pid-path /var/run/barnyard2
4) To update rules:
sudo perl /usr/local/pulledpork/pulledpork.pl -c /etc/snort/pulledpork.conf
There really isn't anything else you need to do.
I have included various config files in the brain samples section: