Terracatta's picture

EDIT **01/23/2011**: New version available (0.6.0). Changed the info below to reflect it.

Hey everyone. I am proud to announce the creation of my first turnkey-linux TKLpatch!

Insta-Snorby is a new appliance that is essentially a fully-ready snort solution out of the box. The ISO still needs some slight tweaks but I've published the source and full overlay at https://github.com/Snorby/insta-snorby under GPLv3

The ISO can be found here: 


I was new to turnkey-linux starting this week so I want to thank the core devs and this community for doing such a great job with documentation and putting up their own TKL examples.

Hopefully you guys find this useful! Don't be shy with bugs, feedback and other issues you might encounter!

The appliance is designed for users who want to test Snorby 2.2.1 (a new Snort IDS front-end) or need a quick and dirty snort sensor installed.

It comes with the following:

  • Snort - The latest version of the popular Intrusion Detection System
  • Barnyard 2.19  - An application that deciphers Snort unified2 logs and puts them into the snorby database
  • Snorby 2.2.1 - The IDS front-end
  • OpenFPC - Full packet capture monitoring
  • Pulled Pork 0.5 - IDS rule update management

The installation process will walk you through setting up the MySQL server and ask you to put in your "Oinkcode" which will automatically download the latest VRT rules (the sigs that power the IDS) from SourceFire. Emerging Threat rules (another popular rules distro) are already downloaded and enabled.

To use the appliance effectively, you can do one of the following:

  1. In a VM, bridge eth0 with the interface on the host you want to monitor
  2. Use a physical server and attach it to a network tap or a mirrored port on your switch

Once the appliance is installed you simply browse to https://<ip> and log in with the following credentials.

user: snorby@snorby.org
password: snorby

Read more at the following places

Snorby home-page - http://snorby.org

Latest Snorby Blog Post - https://lookycode.com/posts/5-New-Snorby-2-2-1-and-Insta-Snorby-0-6-0!-


New Features since 0.5.0

  • Added option to enable pulled pork to automatically update rules
  • Added setup screen to choose the interface you would like Snort, Barnyard2, and OpenFPC to run on
  • Added timezone selection screen
  • Added seamless authentication to OpenFPC installation from Snorby

Enhancements since 0.5.0

  • Upgraded Snorby from 2.1.0 to 2.2.1
  • Upgraded to Barnyard 1.9 branch 
  • Upgraded to Snort

Bug Fixes since 0.5.0

  • Fixed production log permissions issue
  • Fixed bug that did not restart Snorby workers on subsequent reboots
  • Fixed issue with ruleset that was not showing VRT alert names in Snorby
  • Changed default Snorby mail address to actual .localdomain


Joseph's picture

I just recently discovered Snorby and was configuring it.  I was trying to figure out how to use my oinkcode, and during my search found your site with "Insta-Snorby".  How does this differ from the regular Snorby at http://bailey.st/blog/smooth-sec/  ?

Dylan's picture

I think one of the most topical questions once one has a SNORT instance up and running is what to do with all the alert information. The key to a useful IDS deployment is to spend some time profiling your network traffic. The first time you fire up Snorby you are going to get shed loads of alerts. In most commercial deployments most of these alerts will be false positives, or maybe stuff you know you shouldn't be doing like SNMP public strings, but you know all this, right? What you are looking for is the really nasty stuff.

Spend some time going through the alerts and weeding out the false positives. For instance, I had a load of high alerts about p2p traffic; turned out it was our ghost server just going about its normal business. Then there was a load of SNMP public string alerts; yeah, we know that's bad, but the source was snmp_traphost.xxx.xxx. Let's park these for the moment and tune our ears. We know that sort of stuff is bad, but we can take note of these issues / risks, add them to our risk register for fixing and move on.

What you want to do is suppress all the traffic you know you shouldn't have, log it in a risk register and deal with it. By using suppression you can then have a pretty quiet system, listening only for that nasty traffic that you will get a payrise for proactively managing. So in my opinion, after you have configured snort.conf preprocessors etc., take some time to reduce the background noise with suppression. Below is an excerpt from my /etc/snort/threshold.conf

What you want to do is spend some time identifying and suppressing stuff you trust so that the static is reduced and you can see clearly.


suppress gen_id 119, sig_id 19    # stops this gen and sig ID from firing
suppress gen_id 119, sig_id 15
suppress gen_id 119, sig_id 14
suppress gen_id 122, sig_id 3, track by_dst, ip    # stops this gen and sig from firing with a dst of 10.x (address list omitted)
suppress gen_id 1, sig_id 2008597, track by_src, ip    # (address list omitted)


Hope this helps! I really can't stress enough that if you don't spend the time to tune your IDS, it will just give you a buzz for a few days and then no one, including you, will ever look at it again!
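To make the suppression mechanics in the post above concrete, here is an added Python example (not code from the post, from Snort or from Snorby) that parses threshold.conf-style suppress lines and applies them to Snort "fast" alert lines. The config text, the alert lines and the signature messages in them are constructed for the example; the 10.0.0.0/8 and 192.168.1.x addresses are placeholders standing in for the post's "10.x" and ghost server, not values from the page.

```python
"""Apply Snort threshold.conf 'suppress' entries to alert lines.

Added example; not code from the post, Snort or Snorby. The config text,
the alert lines and the signature messages below are constructed.
"""
import ipaddress
import re

# suppress gen_id <gid>, sig_id <sid>[, track by_src|by_dst, ip <addr | cidr | [list]>]
SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
    r"(?:\s*,\s*track\s+(by_src|by_dst)\s*,\s*ip\s+(\S+))?$"
)

# Snort "fast" alert format: ... [**] [gid:sid:rev] msg [**] ... {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(\d+):(\d+):\d+\]\s+(.*?)\s+\[\*\*\].*?\{[^}]+\}\s+"
    r"(\S+?)(?::\d+)?\s+->\s+(\S+?)(?::\d+)?\s*$"
)


def parse_suppress_conf(text):
    """Return [(gid, sid, track, networks)]; networks is None for an unconditional suppress."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment in threshold.conf
        if not line:
            continue
        m = SUPPRESS_RE.match(line)
        if not m:
            raise ValueError("unparseable suppress line: %r" % raw)
        gid, sid, track, ips = m.groups()
        nets = None
        if track:
            # a single address, a CIDR block, or a bracketed comma-separated list of either
            nets = [ipaddress.ip_network(x, strict=False)
                    for x in ips.strip("[]").split(",") if x]
        rules.append((int(gid), int(sid), track, nets))
    return rules


def is_suppressed(rules, gid, sid, src, dst):
    """True if any rule silences this (gid, sid) for the given endpoints."""
    for rgid, rsid, track, nets in rules:
        if (rgid, rsid) != (gid, sid):
            continue
        if track is None:          # no track clause: suppressed regardless of endpoints
            return True
        addr = ipaddress.ip_address(src if track == "by_src" else dst)
        if any(addr in net for net in nets):
            return True
    return False


def filter_alerts(conf_text, alert_lines):
    """Return the (gid, sid, msg, src, dst) tuples that survive suppression."""
    rules = parse_suppress_conf(conf_text)
    kept = []
    for line in alert_lines:
        m = ALERT_RE.search(line)
        if not m:
            continue                # not a fast-format alert line
        gid, sid, msg, src, dst = m.groups()
        if not is_suppressed(rules, int(gid), int(sid), src, dst):
            kept.append((int(gid), int(sid), msg, src, dst))
    return kept


# Constructed threshold.conf excerpt in the same shape as the post's (addresses are placeholders).
CONF = """
suppress gen_id 119, sig_id 19                                   # http_inspect noise, everywhere
suppress gen_id 122, sig_id 3, track by_dst, ip 10.0.0.0/8       # portscan alerts towards the 10/8 range
suppress gen_id 1, sig_id 2008597, track by_src, ip [192.168.1.50,192.168.1.51]   # the "ghost server" hosts
"""

# Constructed fast-format alert lines (signature messages are made up for the example).
ALERTS = [
    "01/23-14:05:12.123456  [**] [119:19:1] (http_inspect) LONG HEADER [**] [Priority: 3] {TCP} 192.168.1.5:51234 -> 10.0.0.7:80",
    "01/23-14:05:13.000001  [**] [122:3:1] (portscan) TCP Portsweep [**] [Priority: 3] {PROTO:255} 172.16.4.9 -> 10.20.30.40",
    "01/23-14:05:14.000002  [**] [122:3:1] (portscan) TCP Portsweep [**] [Priority: 3] {PROTO:255} 172.16.4.9 -> 192.168.1.7",
    "01/23-14:05:15.000003  [**] [1:2008597:5] EXAMPLE P2P signature [**] [Priority: 1] {UDP} 192.168.1.50:6881 -> 203.0.113.9:6881",
    "01/23-14:05:16.000004  [**] [1:2008597:5] EXAMPLE P2P signature [**] [Priority: 1] {UDP} 192.168.1.77:6881 -> 203.0.113.9:6881",
]

if __name__ == "__main__":
    for alert in filter_alerts(CONF, ALERTS):
        print("KEPT:", alert)
```

Run against the constructed input, only the portsweep towards 192.168.1.7 and the P2P alert from the non-ghost host 192.168.1.77 survive; the other three are silenced by the three suppress entries. The `track by_dst` / `by_src` rules are what keep the suppression narrow: the same signature still fires for any other source or destination, which is the difference between tuning and just switching a rule off.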




Saeed's picture


I just installed Snorby from the Insta-Snorby-0.8.0.iso file and now I am on the admin page and can access SSH, but there is nothing on the dashboard for the last 3 hours. I enabled the rules in /etc/snort/snort.conf but still nothing is showing.

root@Insta-Snorby ~# pico /etc/network/interfaces
auto eth0
iface eth0 inet static

auto eth1
iface eth1 inet dhcp

Can anybody help me?

Are there any good commands for how to start, stop and restart the Snorby services, and also how to download Snort rules? /etc/oinkmaster.conf



moonie's picture

I've installed the latest (0.9.0) version, when I try to add a new user there is no field for a password, and it fails saying a password is required.

Abraham Sarfo's picture

Hi Terracatta

Please I am evaluating Snorby and its features in comparison with other NSM tools.

Right now I am working on an experiment of using your insta-Snorby to monitor traffic.

I am able to run Insta-Snorby and log on but no traffic is monitored.

It only shows localhost:eth0 and there is no traffic.

Please help with how I should set up the network and configuration?

I am using just two computers (VM) and using hub and ADSL connection.

How best should I connect and configure to get it functioning?

How would I configure the ethernet to run in promi 

I am counting on your help.

I look forward to hearing from you.



DDJ 's picture

VM = bridge all adapters, don't use NAT.

Check : Barnyard.conf - Make sure the interface listed is the one you want to sniff on

Check scripts in  : /usr/lib/inithooks/everyboot.d  - Make sure you have the right interface configs

Check your logs for errors : Syslog etc

Check interfaces are up: for the sniffing interface use ifconfig eth1 [or whatever yours is] up. This will bring the sniffing interface up correctly with no IP.
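DDJ's checklist above, turned into an added Python script (not code from the post, Snorby or TurnKey) that runs the same checks against captured command output: it reads the `config interface:` line of barnyard2.conf, parses `ip -o link show` and `ip -o -4 addr show` output, and reports which checks fail for the interface you intend to sniff on. The config fragment and command output below are constructed; on a real sensor you would feed in the real file and the real command output. The PROMISC flag is only present while a capture process (Snort through libpcap) has the interface open, so that check also tells you whether the sensor is actually running.

```python
"""Sanity-check the sniffing interface of a Snort/Barnyard2 sensor.

Added example; not code from the post, Snorby or TurnKey. The barnyard2.conf
fragment and the 'ip' command output below are constructed.
"""
import re


def barnyard_interface(conf_text):
    """Return the interface named by 'config interface: <if>' in barnyard2.conf, or None."""
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"config\s+interface\s*:\s*(\S+)", line)
        if m:
            return m.group(1)
    return None


def link_flags(ip_link_output):
    """Parse 'ip -o link show' output into {ifname: set(flags)}."""
    flags = {}
    for line in ip_link_output.splitlines():
        # e.g. "2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 ..."
        m = re.match(r"\d+:\s+([^:@]+)(?:@\S+)?:\s+<([^>]*)>", line)
        if m:
            flags[m.group(1)] = set(m.group(2).split(",")) if m.group(2) else set()
    return flags


def addresses(ip_addr_output):
    """Parse 'ip -o -4 addr show' output into {ifname: [cidr, ...]}."""
    addrs = {}
    for line in ip_addr_output.splitlines():
        # e.g. "2: eth0    inet 192.168.1.10/24 brd 192.168.1.255 scope global eth0\ ..."
        m = re.match(r"\d+:\s+(\S+)\s+inet\s+(\S+)", line)
        if m:
            addrs.setdefault(m.group(1), []).append(m.group(2))
    return addrs


def sensor_checks(wanted, barnyard_conf, ip_link_output, ip_addr_output):
    """Return a list of human-readable problems; an empty list means all checks passed."""
    problems = []
    named = barnyard_interface(barnyard_conf)
    if named != wanted:
        problems.append("barnyard2.conf names %r, expected %r" % (named, wanted))
    flags = link_flags(ip_link_output)
    if wanted not in flags:
        problems.append("%s does not exist" % wanted)
    else:
        if "UP" not in flags[wanted]:
            problems.append("%s is not UP" % wanted)
        if "PROMISC" not in flags[wanted]:
            problems.append("%s is not in promiscuous mode" % wanted)
    if addresses(ip_addr_output).get(wanted):
        problems.append("%s has an IP address; a tap/span leg normally has none" % wanted)
    return problems


# Constructed inputs: eth0 is the management leg, eth1 is meant to be the sniffing leg but is down.
BARNYARD_CONF = """# constructed barnyard2.conf fragment
config interface: eth0
"""

IP_LINK = """1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000\\    link/ether 08:00:27:00:00:01 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000\\    link/ether 08:00:27:00:00:02 brd ff:ff:ff:ff:ff:ff
"""

IP_ADDR = """1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever
2: eth0    inet 192.168.1.10/24 brd 192.168.1.255 scope global eth0\\       valid_lft forever preferred_lft forever
"""

if __name__ == "__main__":
    for problem in sensor_checks("eth1", BARNYARD_CONF, IP_LINK, IP_ADDR):
        print("PROBLEM:", problem)
```

With the constructed input and eth1 as the intended sniffing interface, the script reports three problems: barnyard2.conf still points at eth0, eth1 is down, and nothing is capturing on it. Asking it about eth0 instead flags the two things DDJ warns about for a sniffing leg (no capture process on it, and it carries an IP address).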



Abraham Sarfo's picture

Many thanks DDJ.

I've got Snorby sniffing packets on eth1 now.

That's a good step towards my work so far.

Saeed's picture



This download URL is not working.

Kindly tell me where I can download the file from?



Jeremy Davis's picture

Neither the 0.8 nor the 0.9 links appear to be working...? The website is up, so I don't know what's happening?

RamonGB's picture


Any update on this? Any place I can download the iso other than www.snorby.org? 



scomagg's picture

Still no access to the 0.9.0 link... any updates on when it will be back up?


Crossthreaded's picture

It appears that this project is no longer maintained or available.

Jeremy Davis's picture

Hasn't been maintained for a long time... The upstream software isn't either...

Fred M.'s picture

This was a good idea, but has fallen silent. The Security Onion implementation requires a mirrored port on a router/switch. Are there any other Security/IPS TKL appliances with Snort / Suricata around? TIA.

Jeremy Davis's picture

But it is certainly a gap in our current line-up. If you can find some software that seems suitable I'd be happy for an appliance request. If/when you have a specific request we could put it on the issue tracker if you wanted.

Not sure how close it is to your request but I have previously come across a cool looking security related product called OSSIM... Thoughts?

Fred M.'s picture

Hi Jeremy, I found OSSIM when I was searching and thought about it too. What do you think? An OSSIM Community Appliance?

Jeremy Davis's picture

If you're interested in having a crack at it I'm more than happy to help where I can. The starting point would be to read up on TKLDev (if you haven't already)...

Any questions please do not hesitate to ask.

Jeremy Davis's picture

Due to the age of this thread, plus the fact that it seems to attract spammers, I'm going to lock it from further comments.

Legitimate users who would like to discuss the content of this thread, please start a new forum thread (starting a new thread requires logging in). Please feel free to request that your new thread be cross-linked with this one if you believe it's relevant. Assuming your request is legitimate, I'd be happy to do that.

