debian, suricata, snorby, barnyard, ruby 2.x, apache

Some tips you may find useful after a dist-upgrade to debian 8 jessie.

After upgrading from debian 7 wheezy to debian 8 jessie, I had problems with snorby. Here is the fix.

Some days ago I made the decision to upgrade from debian 7 wheezy to debian 8 jessie (apt-get dist-upgrade).
Before you do, please read the release notes carefully!

  • https://www.debian.org/releases/jessie/releasenotes
  • https://www.debian.org/releases/jessie/i386/release-notes/ch-upgrading.de.html
  • https://www.debian.org/releases/jessie/i386/release-notes/ch-upgrading.en.html
  • https://www.debian.org/releases/jessie/amd64/release-notes/ch-upgrading.de.html
  • https://www.debian.org/releases/jessie/amd64/release-notes/ch-upgrading.en.html

suricata

Debian 8, codename jessie, ships a version of suricata that is close to the current upstream release. Because of that I removed the old (wheezy) suricata package and then installed the jessie version; apt or any other package manager will do.
https://packages.debian.org/jessie/suricata

settings files

Make sure the configuration files of suricata and barnyard2 stay where they are; do not touch them, or restore them from a backup. A dist-upgrade may ask whether to replace a locally modified configuration file with the package maintainer's version: keep your own, and check afterwards for *.dpkg-dist or *.dpkg-old files that dpkg leaves next to the originals.

snorby and ruby

This is where I ran into problems: debian 8 jessie ships ruby 2.x, but snorby still insists on version 1.9.x.
https://packages.debian.org/jessie/ruby

Terminal output:

Snorby requires Ruby version 1.9.x
We suggest using Ruby Version Manager (RVM) https://rvm.io/ to install the newest release
root@machine:.../snorby#

You may want or need to keep older ruby versions around, but I have no other ruby applications on this system, so I removed all the old (wheezy) ruby 1.8.1 and 1.9.x packages and cleaned up the leftover files and directories.

My system now runs debian 8 jessie with ruby 2.1.5, but snorby still won't start.

What do you do to get snorby running on ruby 2.x?

Solution: here is the hack I found.

1) Comment out the ruby version check in snorby/config/application.rb, or (what I did) change the version number it checks for. Note that pinning the check to 2.1 only postpones the problem: the next ruby release (2.2 and later) fails it again, so comment the whole block out, or compare against a minimum version instead of a fixed prefix, if you want the change to survive the next upgrade.

# Check Ruby Version
# unless RUBY_VERSION.match(/^1.9/)
unless RUBY_VERSION.match(/^2.1/)
# puts "Snorby requires Ruby version 1.9.x"
puts "Snorby requires Ruby version 2.1.x"
puts "We suggest using Ruby Version Manager (RVM) https://rvm.io/ to install the newest release"
exit 1
end

Read more: https://groups.google.com/forum/#!topic/snorby/n3gKBCzPyyA

2) Edit lib/snorby/payload.rb

Surprisingly, when you then try to run snorby, another error appears:

rake aborted!
SyntaxError: /var/www/snorby/lib/snorby/payload.rb:57:
invalid multibyte escape: /[\040\177-\377]/
invalid multibyte escape: /[\000-\040\177-\377]/

I commented out the original lines and replaced them with the ones below. The cause is that ruby 2.x treats source files as UTF-8 by default, and the bytes \177 to \377 inside a regexp literal are not valid UTF-8, which is what the SyntaxError complains about. Be aware that Regexp.new only moves the compilation of the pattern from load time to run time: the string still contains those bytes, and ruby raises a RegexpError the first time this code runs unless the pattern string is marked binary first (String#b or force_encoding) or the literal is written with the n flag.

if @new_lines
string.gsub!(/[\x0a]/, ".")
string.gsub!(Regexp.new("[\040\177-\377]"), '.')
# OLD: string.gsub!(/[\040\177-\377]/, '.')
else
string.gsub!(Regexp.new("[\000-\040\177-\377]"), ".")
# OLD: string.gsub!(/[\000-\040\177-\377]/, ".")
end

read more: https://github.com/Snorby/snorby/issues/318
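The two steps above as one stand-alone example, added here; this is not Snorby's code and not the author's patch. It shows a version gate that compares against a minimum instead of a fixed prefix, the Regexp.new workaround compiled under a UTF-8 source default so you can see that it still raises, and a binary-safe payload sanitiser built with the n flag. The names ruby_version_ok?, legacy_pattern_error, render_payload and SAMPLE_PAYLOAD are invented for this example, and SAMPLE_PAYLOAD is constructed data.

```ruby
# Added example; not Snorby's code. Function names and SAMPLE_PAYLOAD are
# assumptions made for this illustration.
require "rubygems" # Gem::Version; loaded by default on Ruby 1.9+, listed for clarity

# Step 1: instead of pinning a prefix such as /^2.1/, which fails again on the
# next Ruby release, accept anything at or above a minimum version.
def ruby_version_ok?(version = RUBY_VERSION, minimum: "1.9")
  Gem::Version.new(version) >= Gem::Version.new(minimum)
end

# Step 2: under Ruby 2.x a source file is UTF-8 by default, so a regexp literal
# may not contain the raw bytes \177..\377 (the "invalid multibyte escape"
# SyntaxError). Regexp.new("[\000-\040\177-\377]") only defers the failure:
# the String still holds bytes that are not valid UTF-8, and compiling it
# raises at run time. Returns the exception class name, or nil if it compiled.
def legacy_pattern_error
  Regexp.new("[\000-\040\177-\377]")
  nil
rescue StandardError => e
  e.class.name
end

# The fix: compile the pattern with the /n flag (ASCII-8BIT), where every byte
# is one character and byte ranges are legal. \x20, \x7F and \xFF are the
# octal \040, \177 and \377 from the original file.
NON_PRINTABLE = /[\x00-\x20\x7F-\xFF]/n

# Render a raw payload for display: every byte outside printable ASCII becomes
# '.', as in Snorby's payload view. With new_lines: true, line feeds survive so
# the output can wrap. The payload is copied as binary (String#b) first, so an
# ASCII-8BIT regexp is never matched against a UTF-8 tagged string, which would
# raise Encoding::CompatibilityError on non-ASCII input.
def render_payload(payload, new_lines: false)
  payload.b.gsub(NON_PRINTABLE) { |byte| new_lines && byte == "\n" ? "\n" : "." }
end

# Constructed sample: a small HTTP request followed by a NUL, 0xFF and DEL byte.
SAMPLE_PAYLOAD = "GET / HTTP/1.1\r\nHost: x\r\n\r\n\x00\xFF\x7Fdata".b

if __FILE__ == $0
  puts "ruby #{RUBY_VERSION} acceptable: #{ruby_version_ok?}"
  puts "Regexp.new workaround: #{legacy_pattern_error || 'compiled'}"
  puts render_payload(SAMPLE_PAYLOAD)
  puts render_payload(SAMPLE_PAYLOAD, new_lines: true)
end
```

Run the file directly to see the three results. Before dropping the n-flag pattern and String#b into your own payload.rb, check what encoding the packet string Snorby hands to this code actually carries: an ASCII-8BIT regexp cannot be matched against a UTF-8 string that contains non-ASCII characters, which is why the sanitiser converts its input to binary first.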

Keep in mind that this hack changes files that are tracked in the snorby git repository, so the next update of the checkout will collide with them. Keep the changes on a branch, or as a patch you can re-apply after pulling.