I recently had a problem with a broken Snorby database that was jamming barnyard2 and thus breaking pretty much anything Suricata-alert related in my SO system. My final solution was to completely wipe out the Snorby application along with its data and start fresh. I did not want to rebuild SO. This is the method that worked well for me, and since I seem to remember someone asking a while back about resetting Snorby while leaving SO intact, I offer it here to the wider group. Refinements are welcome.

The following procedure will completely wipe out all of your Snorby data and any custom configurations you have made to Snorby, restoring Snorby to like-new condition while leaving the rest of SO alone. I have only tested this on a standalone install of SO.
sudo su -
# shut down NSM services
service nsm stop
# adapt these two lines to reflect your existing local snorby credentials and then run them
SNORBY_EMAIL="***EMAIL ADDR HERE***"
SGUIL_CLIENT_PASSWORD_1="***PASSWORD HERE***"
# these are needed by the script below
LOG=log.txt
ELSA=YES
# run this code section which was lifted directly from sosetup
# Kill any existing Snorby processes.
pkill delayed_job
# Delete any existing Snorby data.
if [ -d /var/lib/mysql/snorby ]; then
mysql -e "drop database snorby" >> $LOG 2>&1
fi
# Set email and password
cp /opt/snorby/db/seeds.rb.securityonion /opt/snorby/db/seeds.rb
sed -i "s|ReplaceWithDesiredEmail|$SNORBY_EMAIL|g" /opt/snorby/db/seeds.rb
sed -i "s|ReplaceWithDesiredPassword|$SGUIL_CLIENT_PASSWORD_1|g" /opt/snorby/db/seeds.rb
# Set FPC options
IP=`ifconfig |grep "inet addr" | awk '{print $2}' |cut -d\: -f2 |grep -v "127.0.0.1" |head -1`
sed -i "s|packet_capture_url, nil|packet_capture_url, 'https://$IP/capme/'|g" /opt/snorby/db/seeds.rb
sed -i "s|packet_capture, nil|packet_capture, 1|g" /opt/snorby/db/seeds.rb
sed -i "s|packet_capture_auto_auth, 1|packet_capture_auto_auth, nil|g" /opt/snorby/db/seeds.rb
# Initialize Snorby DB
su www-data -c "cd /opt/snorby; bundle exec rake snorby:setup RAILS_ENV=production" >> $LOG 2>&1
# Shred the Snorby password
shred -u /opt/snorby/db/seeds.rb >> $LOG 2>&1
# Pivot from Snorby to ELSA
[ "$ELSA" = "YES" ] && mysql -uroot -Dsnorby -e "INSERT INTO lookups (title,value) VALUES('ELSA Search By IP Address','https://$IP:3154/?query_string=\"\${ip}\"%20groupby:program')"
# review the log if you wish
less log.txt
# get a fresh start
shutdown -r now
Please advise
#!/bin/bash
# shut down NSM services and Snorby
service nsm stop
# purge all unified2 files since otherwise they tend to get reloaded into Snorby by barnyard2
rm -f /nsm/sensor_data/*-*/snort.unified2.*
# backup snorby's config-related db tables
mysqldump snorby settings users lookups sensor > /tmp/snorby-config-backup.sql
# Kill any existing Snorby processes.
pkill delayed_job
# Delete any existing Snorby data.
if [ -d /var/lib/mysql/snorby ]; then
mysql -e "drop database snorby"
fi
# Set a dummy email and password to facilitate initialization (will be replaced by db table restore)
cp /opt/snorby/db/seeds.rb.securityonion /opt/snorby/db/seeds.rb
sed -i "s|ReplaceWithDesiredEmail|du...@dummy.com|g" /opt/snorby/db/seeds.rb
sed -i "s|ReplaceWithDesiredPassword|dummy_password|g" /opt/snorby/db/seeds.rb
# Set FPC options
IP=`ifconfig |grep "inet addr" | awk '{print $2}' |cut -d\: -f2 |grep -v "127.0.0.1" |head -1`
sed -i "s|packet_capture_url, nil|packet_capture_url, 'https://$IP/capme/'|g" /opt/snorby/db/seeds.rb
sed -i "s|packet_capture, nil|packet_capture, 1|g" /opt/snorby/db/seeds.rb
sed -i "s|packet_capture_auto_auth, 1|packet_capture_auto_auth, nil|g" /opt/snorby/db/seeds.rb
# Initialize Snorby DB - will take a while
su www-data -c "cd /opt/snorby; bundle exec rake snorby:setup RAILS_ENV=production"
# Shred the Snorby password
shred -u /opt/snorby/db/seeds.rb
# restore config tables
mysql snorby < /tmp/snorby-config-backup.sql
# update Snorby's reference tables
rule-update
# restart all SO services
service nsm stop
service nsm start
Writing v1 /etc/nsm/rules/sid-msg.map....
Done
WARNING: Ignoring bad line in SID file: 'v1'
______ -*> Barnyard2 <*-
/ ,,_ \ Version 2.1.13 (Build 333) TCL
|o" )~| By Ian Firns (SecurixLive): http://www.securixlive.com/
+ '''' + (C) Copyright 2008-2013 Ian Firns <fir...@securixlive.com>
Before Stopping and Start Section:
ERROR: Unable to open directory '' (No such file or directory)
ERROR: Unable to find the next spool file!
Bottom line, I was able to log in to Snorby; but I did not see some test snort alerts I created, but which showed up in Sguil.
Thank you!
Steve
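One refinement to the backup-and-restore variant of the script above, added here as an example and not part of either poster's script: both versions run "drop database snorby" right after mysqldump without checking that the dump actually succeeded, so a failed dump (wrong credentials, missing table, full /tmp) loses the settings, users, lookups and sensor tables for good. The verify_dump and make_sample_dumps functions and the sample dump files below are constructed for this example.

```shell
#!/bin/bash
# Added example, not from the post: verify the mysqldump of Snorby's config
# tables before "drop database snorby". If mysqldump failed (bad credentials,
# missing table, disk full) the file is empty or truncated and the later
# "mysql snorby < backup" silently restores nothing.

# verify_dump DUMPFILE TABLE...
# Returns 0 only if the dump is non-empty, ends with mysqldump's completion
# marker, and contains a CREATE TABLE statement for every named table.
verify_dump() {
    dump="$1"; shift
    [ -s "$dump" ] || { echo "dump missing or empty: $dump" >&2; return 1; }
    # mysqldump appends this line only when it finished without error
    grep -q '^-- Dump completed' "$dump" || { echo "dump truncated: $dump" >&2; return 1; }
    for t in "$@"; do
        grep -q "^CREATE TABLE \`$t\`" "$dump" || { echo "table $t not in dump" >&2; return 1; }
    done
    return 0
}

# How it slots into the post's procedure (hypothetical wrapper; needs a live MySQL):
#   mysqldump snorby settings users lookups sensor > /tmp/snorby-config-backup.sql
#   verify_dump /tmp/snorby-config-backup.sql settings users lookups sensor \
#     || { echo "refusing to drop the snorby database" >&2; exit 1; }

# Constructed sample dumps so the check can be exercised without a MySQL server:
# "good" mimics a complete dump of the four tables, "bad" a dump that died
# after two tables. Prints both paths on one line.
make_sample_dumps() {
    good=$(mktemp); bad=$(mktemp)
    for t in settings users lookups sensor; do
        printf 'DROP TABLE IF EXISTS `%s`;\nCREATE TABLE `%s` (\n  `id` int NOT NULL\n);\n' "$t" "$t" >> "$good"
    done
    echo '-- Dump completed on 2013-01-01  0:00:00' >> "$good"
    head -n 8 "$good" > "$bad"   # two tables, no completion marker
    echo "$good $bad"
}
```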