Helpful tips you may find useful, after a dist-upgrade to debian 8 jessie.
Since I came from debian 7 wheezy and did the upgrade to debian 8, I had problems with snorby. Here’s the fix.
Some days ago I made the decision to upgrade from debian 7 wheezy to debian 8 jessie (apt-get dist-upgrade).
Before you do, please read the release notes carefully!
Debian 8, codename jessie, offers a version of suricata that is very near the actual official version. As a consequence of this I have removed the older version of suricata and afterwards I installed the actual version of suricata. You can use apt or package manager.
Please make sure that you keep the settings file of suricata and barnyard2 at the right place – done’t touch! [or use backup]
snorby and ruby
At this step I got problems. Debian 8 jessie has ruby version 2.x but snorby still needs and wants version 1.9.x.
Snorby requires Ruby version 1.9.x We suggest using Ruby Version Manager (RVM) https://rvm.io/ to install the newest release root@machine:.../snorby#
You may want or you may need older versions of ruby but I have no other ruby applications running on my system. This way I removed all the old [wheezy] versions of ruby 1.8.1, 1.9.x while checking files and folders – cleaned up.
My system now has debian 8 jessie and ruby 2.1.5 but again, snorby won’t start.
What to do to get snorby and ruby 2.x running?
Solution: here’s the hack, that I’ve found.
1) Comment out the check for ruby version
in –> snorby/config/application.rb
or, that’s what I did, change the version number for checking:
# Check Ruby Version # unless RUBY_VERSION.match(/^1.9/) unless RUBY_VERSION.match(/^2.1/) # puts "Snorby requires Ruby version 1.9.x" puts "Snorby requires Ruby version 2.1.x" puts "We suggest using Ruby Version Manager (RVM) https://rvm.io/ to install the newest release" exit 1 end
2) Edit lib/snorby/payload.rb
Surprisingly, when you try to run snorby, another error appears like this:
rake aborted! SyntaxError: /var/www/snorby/lib/snorby/payload.rb:57: invalid multibyte escape: /[\040\177-\377]/ invalid multibyte escape: /[\000-\040\177-\377]/
I’ve commented and replaced the lines with those below
if @new_lines string.gsub!(/[\x0a]/, ".") string.gsub!(Regexp.new("[\040\177-\377]"), '.') # OLD: string.gsub!(/[\040\177-\377]/, '.') else string.gsub!(Regexp.new("[\000-\040\177-\377]"), ".") # OLD: string.gsub!(/[\000-\040\177-\377]/, ".") end
read more: https://github.com/Snorby/snorby/issues/318
Please keep in mind, remember, that this hack concerns some files out of the snorby git repository!
Try using branches or what ever else.