debian, suricata, snorby, barnyard, ruby 2.x, apache

Helpful tips you may find useful after a dist-upgrade to debian 8 jessie.

Since I came from debian 7 wheezy and did the upgrade to debian 8, I had problems with snorby. Here’s the fix.

Some days ago I made the decision to upgrade from debian 7 wheezy to debian 8 jessie (apt-get dist-upgrade).
Before you do, please read the release notes carefully!

Debian 8, codename jessie, offers a version of suricata that is very close to the current upstream release. Because of this I removed the older version of suricata and then installed the current version. You can use apt or your package manager of choice.

settings files

Please make sure that the configuration files of suricata and barnyard2 stay where they are; don’t touch them! [or restore them from a backup]

snorby and ruby

At this step I ran into problems. Debian 8 jessie ships ruby 2.x, but snorby still checks for and insists on version 1.9.x.

Terminal output:

Snorby requires Ruby version 1.9.x
We suggest using Ruby Version Manager (RVM) to install the newest release

You may want or need to keep older versions of ruby, but I have no other ruby applications running on my system, so I removed all the old [wheezy] versions of ruby (1.8.1, 1.9.x), checking files and folders as I went and cleaning up what was left behind.

My system now has debian 8 jessie and ruby 2.1.5 but again, snorby won’t start.

What to do to get snorby and ruby 2.x running?

Solution: here’s the hack that I found.

1) Comment out the ruby version check

in snorby/config/application.rb

or, as I did, change the version number that is checked against:

# Check Ruby Version
# unless RUBY_VERSION.match(/^1.9/)
# Note: this pattern only accepts 2.1.x; it has to be changed again after the next ruby upgrade.
unless RUBY_VERSION.match(/^2.1/)
  # puts "Snorby requires Ruby version 1.9.x"
  puts "Snorby requires Ruby version 2.1.x"
  puts "We suggest using Ruby Version Manager (RVM) to install the newest release"
  exit 1
end

Read more:!topic/snorby/n3gKBCzPyyA

2) Edit lib/snorby/payload.rb

Surprisingly, when you then try to run snorby (rake), another error appears:

rake aborted!
SyntaxError: /var/www/snorby/lib/snorby/payload.rb:57:
invalid multibyte escape: /[\040\177-\377]/
invalid multibyte escape: /[\000-\040\177-\377]/

I’ve commented out the original lines and replaced them with those below:

if @new_lines
  string.gsub!(/[\x0a]/, ".")
  # NEW: the /n flag makes the regexp binary (ASCII-8BIT), so the octal byte
  # ranges up to \377 parse under ruby 2.x. A plain string pattern would only
  # match the literal text "[\040\177-\377]", never the bytes themselves.
  string.gsub!(/[\040\177-\377]/n, '.')
  # OLD: string.gsub!(/[\040\177-\377]/, '.')
  string.gsub!(/[\000-\040\177-\377]/n, ".")
  # OLD: string.gsub!(/[\000-\040\177-\377]/, ".")
end

read more:
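As an added example (not Snorby’s own code), here are both patched checks rewritten so they keep working on ruby 2.x without being re-patched at every upgrade: a numeric version comparison for step 1, and the payload sanitiser for step 2 using a binary (/n) regexp. The function names, the character classes (all control bytes and all bytes >= 0x7f, with \n kept only in new_lines mode) and the sample packet bytes are this example’s own choices, not Snorby’s.

```ruby
require "rubygems"  # provides Gem::Version; already loaded on ruby 1.9+

# Step 1: compare versions numerically instead of regexp-matching the version
# string, so 2.1.5, 2.2 and later pass while anything below 1.9 still fails.
MIN_RUBY = Gem::Version.new("1.9")

def ruby_version_ok?(version = RUBY_VERSION)
  Gem::Version.new(version) >= MIN_RUBY
end

# Step 2: the /n flag makes the regexp ASCII-8BIT (binary), so the octal byte
# ranges up to \377 are legal again. Without it ruby 2.x parses the literal as
# UTF-8 and raises "invalid multibyte escape" as soon as the file is loaded.
# Character classes are this example's choice (constructed, not Snorby's):
# every control byte and every byte >= 0x7f; \n (\012) survives only when
# new_lines is true.
NON_PRINTABLE_KEEP_NL = /[\000-\011\013-\037\177-\377]/n
NON_PRINTABLE         = /[\000-\037\177-\377]/n

def printable_payload(bytes, new_lines: false)
  # A binary regexp matched against a UTF-8 string that contains non-ASCII
  # characters raises Encoding::CompatibilityError, so work on a binary copy.
  string = bytes.dup.force_encoding(Encoding::BINARY)
  string.gsub(new_lines ? NON_PRINTABLE_KEEP_NL : NON_PRINTABLE, ".")
end

# Constructed sample: an HTTP request line with CRLF, a high byte and a NUL.
SAMPLE_PAYLOAD = "GET / HTTP/1.1\r\nHost: x\xff\x00".b

if __FILE__ == $0
  puts ruby_version_ok?
  puts printable_payload(SAMPLE_PAYLOAD)                   # GET / HTTP/1.1..Host: x..
  puts printable_payload(SAMPLE_PAYLOAD, new_lines: true)  # keeps the \n
end
```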

Please keep in mind that this hack changes files that are tracked in the snorby git repository!
Try using branches or whatever else suits you.