snort-installation

# Increase swap file from 100MB to 2048MB. 
# Change the size in /etc/dphys-swapfile:
# CONF_SWAPFILE=2048
sudo nano /etc/dphys-swapfile

# Installing the Snort Pre-Requisites
# Snort has four main pre-requisites:
# pcap (libpcap-dev) available from the Ubuntu repository
# PCRE (libpcre3-dev) available from the Ubuntu repository
# Libdnet (libdumbnet-dev) available from the Ubuntu repository
# DAQ (http://www.snort.org/downloads/) compiled from source	
sudo apt-get install -y libpcap-dev libpcre3-dev libdumbnet-dev supervisor sysstat

# In this guide, we will be downloading a number of tarbals for various software packages. We will create a 
# folder called snort src to keep them all in one place:
mkdir ~/snort_src
cd ~/snort_src

# The Snort DAQ (Data AcQuisition library)has a few pre-requisites that need to be installed:
sudo apt-get install -y bison flex

# Download and install the latest version of DAQ from the Snort website. The steps below use wget to
# download version 2.0.6 of DAQ, which is the latest version at the time of writing this guide.
cd ~/snort_src
wget https://www.snort.org/downloads/snort/daq-2.0.6.tar.gz
tar -xvzf daq-2.0.6.tar.gz
cd daq-2.0.6
./configure
make
sudo make install


#Installing Snort
				
# To install Snort on Ubuntu, there are additional required pre-requisite that needs to be installed that is
# not mentioned in the documentation:
# zlibg which is a compression library.
# liblzma-dev which provides decompression of swf files (adobe flasash)
# openssl, and libssl-dev which both provide SHA and MD5 file signatures:
sudo apt-get install -y zlib1g-dev liblzma-dev openssl libssl-dev
				
# We are now ready to download the Snort source tarball, compile, and then install. The --enable-sourcefire
# option gives Packet Performance Monitoring (PPM)4 5, which lets us do performance monitoring for rules
# and pre-processors, and builds Snort the same way that the Snort team does:
cd ~/snort_src
wget https://snort.org/downloads/snort/snort-2.9.9.0.tar.gz
tar -xvzf snort-2.9.9.0.tar.gz
cd snort-2.9.9.0
./configure --enable-sourcefire
make
sudo make install

# Run the following command to update shared libraries (you'll get an error when you try to run Snort if you skip this step):
sudo ldconfig
				
# Place a symlink to the Snort binary in /usr/sbin:
sudo ln -s /usr/local/bin/snort /usr/sbin/snort
				
# Test Snort by running the binary as a regular user, passing it the -V flag (which tells Snort to verify itself
# and any configuration files passed to it).
snort -V

# Configuring Snort to Run in NIDS Mode
				
# Since we don't want Snort to run as root, we need to create an unprivileged account and group for the
# daemon to run under (snort:snort). We will also create a number of files and directories required by
# Snort, and set permissions on those files. Snort will have the following directories:
# Configurations and rule files in /etc/snort
# Alerts will be written to /var/log/snort
# Compiled rules (.so rules) will be stored in /usr/local/lib/snort_dynamicrules
				
# Create the snort user and group:
cd ~
sudo groupadd snort
sudo useradd snort -r -s /sbin/nologin -c SNORT_IDS -g snort
				
# Create the Snort directories:
sudo mkdir /etc/snort
sudo mkdir /etc/snort/rules
sudo mkdir /etc/snort/rules/iplists
sudo mkdir /etc/snort/preproc_rules
sudo mkdir /usr/local/lib/snort_dynamicrules
sudo mkdir /etc/snort/so_rules

# Create some files that stores rules and ip lists
sudo touch /etc/snort/rules/iplists/black_list.rules
sudo touch /etc/snort/rules/iplists/white_list.rules
sudo touch /etc/snort/rules/local.rules
sudo touch /etc/snort/sid-msg.map
				
# Create our logging directories:
sudo mkdir /var/log/snort
sudo mkdir /var/log/snort/archived_logs
				
# Adjust permissions:
sudo chmod -R 0775 /etc/snort
sudo chmod -R 0775 /var/log/snort
sudo chmod -R 0775 /var/log/snort/archived_logs
sudo chmod -R 0775 /etc/snort/so_rules
sudo chmod -R 0775 /usr/local/lib/snort_dynamicrules

# Change Ownership on folders:
sudo chown -R snort:snort /etc/snort
sudo chown -R snort:snort /var/log/snort
sudo chown -R snort:snort /usr/local/lib/snort_dynamicrules

# Snort needs some configuration files and the dynamic preprocessors copied from the Snort source tarball into 
# the /etc/snort folder.
# The configuration files are:
# classification.config
# file_magic.conf
# reference.config
# snort.conf
# threshold.conf
# attribute_table.dtd
# gen-msg.map
# unicode.map
# To copy the configuration files and the dynamic preprocessors, run the following commands:
cd ~/snort_src/snort-2.9.9.0/etc/
sudo cp *.conf* /etc/snort
sudo cp *.map /etc/snort
sudo cp *.dtd /etc/snort
cd ~/snort_src/snort-2.9.9.0/src/dynamic-preprocessors/build/usr/local/lib/snort_dynamicpreprocessor/
sudo cp * /usr/local/lib/snort_dynamicpreprocessor/

# We now have the following directory layout and file locations:
# Snort binary file: /usr/local/bin/snort
# Snort configuration file: /etc/snort/snort.conf
# Snort log data directory: /var/log/snort
# Snort rules directories: /etc/snort/rules
#							/etc/snort/so rules
#							/etc/snort/preproc rules
#							/usr/local/lib/snort dynamicrules
# Snort IP list directories: /etc/snort/rules/iplists
# Snort dynamic preprocessors: /usr/local/lib/snort dynamicpreprocessor/

# We now need to edit Snort's main configuration file, /etc/snort/snort.conf. When we run Snort with
# this file as an argument, it tells Snort to run in NIDS mode.
# We need to comment out all of the individual rule files that are referenced in the Snort configuration file,
# since instead of downloading each file individually, we will use PulledPork to manage our rulesets, which
# combines all the rules into a single file. The following line will comment out all rulesets in our snort.conf file:
sudo sed -i "s/include \$RULE\_PATH/#include \$RULE\_PATH/" /etc/snort/snort.conf

# We will now manually change some settings in the snort.conf file, using your favourite editor:
sudo nano /etc/snort/snort.conf

# Change the following lines to meet your environment:
# Line 45, HOME NET should match your internal (friendly) network.
# ipvar HOME_NET 192.168.10.0/24
# Note: You should not set EXTERNAL NET to !$HOME NET as recommended in some guides, since it can cause Snort to miss alerts.
# Set the following file paths in snort.conf, beginning at line 104:
# var RULE_PATH /etc/snort/rules
# var SO_RULE_PATH /etc/snort/so_rules
# var PREPROC_RULE_PATH /etc/snort/preproc_rules
# var WHITE_LIST_PATH /etc/snort/rules/iplists
# var BLACK_LIST_PATH /etc/snort/rules/iplists
# In order to make testing Snort easy, we want to enable the local.rules file, where we can add rules that
# Snort can alert on. Un-comment (remove the hash symbol) from line 546 so it looks like this:
# include $RULE_PATH/local.rules

# Once the configuration file is ready, we will have Snort verify that it is a valid file, and all necessary files
# it references are correct. We use the -T flag to test the configuration file, the -c flag to tell Snort which
# configuration file to use, and -i to specify the interface that Snort will listen on (this is a new requirement
# for the 2.9.9.x version of snort).
sudo snort -T -c /etc/snort/snort.conf -i eth0

# Writing a Simple Rule to Test Snort Detection
				
# Paste the following single line into the empty local rules file: /etc/snort/rules/local.rules:
# alert icmp any any -> $HOME_NET any (msg:"ICMP test detected"; GID:1; sid:10000001; rev:001; classtype:icmp-event;)
sudo nano /etc/snort/rules/local.rules

# Barnyard2 doesn't read meta-information about alerts from the local.rules file.
# To make sure that barnyard2 knows that the rule we created with unique identifier 10000001 has the 
# message "ICMP Test Detected", as well as
# some other information. We add the following line to the /etc/snort/sid-msg.map file:
# 1 || 10000001 || 001 || icmp-event || 0 || ICMP Test detected || url,tools.ietf.org/html/rfc792
sudo nano /etc/snort/sid-msg.map

# Since we made changes to the Snort configuration, we should test the configuration file again:
sudo snort -T -c /etc/snort/snort.conf -i eth0

# Now that we know that Snort correctly loads our rule and our configuration, we can start snort in NIDS
# mode, and tell it to output any alerts right to the console. We will run Snort from the command line, 
#using the following flags:
# -A console The `console' option prints fast mode alerts to stdout
# -q Quiet mode. Don't show banner and status report.
# -u snort Run Snort as the following user after startup
# -g snort Run Snort as the following group after startup
# -c /etc/snort/snort.conf The path to our snort.conf file
# -i eth0 The interface to listen on (change to your interface if different)
sudo /usr/local/bin/snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0
				
# Use ctrl-c to stop Snort from running. Note that Snort has saved a copy of this information in /var/log/snort,
# with the name snort.log.nnnnnnnnn (the numbers may be different). At this point Snort is running correctly in 
# NIDS mode and generating alerts.


# Installing Barnyard2
				
# First install the Barnyard2 pre-requisites:
sudo apt-get install -y mysql-server libmysqlclient-dev mysql-client autoconf libtool
				
# After Installin MySQL. First, you'll want to run the included security script. 
# This changes some of the less secure default options for things like remote root logins and sample users.
sudo mysql_secure_installation

# We need to tell snort that it should output it's alerts in a binary format (to a file) that Barnyard2 can
# process. To do that, edit the /etc/snort/snort.conf file, and after line 521 (the commented line starting
# with the hash sign) add the following line:
# output unified2: filename snort.u2, limit 128
sudo nano /etc/snort/snort.conf

# Now download and install Barnyard2 2.1.14 release 336:
cd ~/snort_src
wget https://github.com/firnsy/barnyard2/archive/7254c24702392288fe6be948f88afb74040f6dc9.tar.gz -O barnyard2-2-1.14-336.tar.gz
tar zxvf barnyard2-2-1.14-336.tar.gz
mv barnyard2-7254c24702392288fe6be948f88afb74040f6dc9 barnyard2-2-1.14-336
cd barnyard2-2-1.14-336
autoreconf -fvi -I ./m4

# Barnyard2 needs access to the dnet.h library, which we installed with the Ubuntu libdumbnet package earlier.
# However, Barnyard2 expects a different file name for this library. Create a soft link from dnet.h to dubmnet.h
# so there are no issues:
sudo ln -s /usr/include/dumbnet.h /usr/include/dnet.h
sudo ldconfig
./configure --with-mysql --with-mysql-libraries=/usr/lib/arm-linux-gnueabihf
make
sudo make install

# Once Barnyard2 is installed, the next step is to copy and create some files that Barnyard2 requires to run:
cd ~/snort_src/barnyard2-2-1.14-336
sudo cp etc/barnyard2.conf /etc/snort
# the /var/log/barnyard2 folder is never used or referenced
# but barnyard2 will error without it existing
sudo mkdir /var/log/barnyard2
sudo chown snort.snort /var/log/barnyard2
sudo touch /var/log/snort/barnyard2.waldo
sudo chown snort:snort /var/log/snort/barnyard2.waldo

# Since Barnyard2 saves alerts to our MySQL database, we need to create that database, as well as a `snort'
# MySQL user to access that database.
mysql -u root -p
create database snort;
use snort;
source ~/snort_src/barnyard2-2-1.14-336/schemas/create_mysql
show tables;
CREATE USER 'snort'@'localhost' IDENTIFIED BY 'snortpass';
grant create, insert, select, delete, update on snort.* to 'snort'@'localhost';
exit

# We need to tell Barnyard2 how to connect to the MySQL database. Edit /etc/snort/barnyard2.conf,
# and at the end of the file add this line: 
# output database: log, mysql, user=snort password=snortpass dbname=snort host=localhost
# also on line 70 change config hostname to snort-ids to uniquely identify sensor in the database and uncomment 
# config interface: eth0
sudo nano /etc/snort/barnyard2.conf

# Since the password is stored in cleartext in the barnyard2.conf file, we should prevent other users from reading it:
sudo chmod o-r /etc/snort/barnyard2.conf

# Run Snort in alert mode
sudo /usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

# Ping the interface eth0 from another computer, you won't see any output on the screen because Snort wasn't 
# started with the -A console 
# flag like before. Once the ping stops, type ctrl-c to stop Snort. you should
# see a new file in the /var/log/snort directory with following name: snort.u2.nnnnnnnnnn
cd /var/log/snort
ls -l

# We now run Barnyard2 and tell it to process the events in snort.u2.nnnnnnnnnn and load them into the Snort database. 
# We use the following 
# flags with Barnyard2:
# -c /etc/snort/barnyard2.conf The path to the barnyard2.conf file
# -d /var/log/snort The folder to look for Snort output files
# -f snort.u2 The Filename to look for in the above directory (snort.u2.nnnnnnnnnn)
# -w /var/log/snort/barnyard2.waldo The location of the waldo file (bookmark file)
# -u snort Run Barnyard2 as the following user after startup
# -g snort Run Barnyard2 as the following group after startup
# Run Barnyard2 with the following command:
sudo barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -g snort -u snort

# use Ctrl-c to stop the process.
				
# We now want to check the MySQL database to see if Barnyard2 wrote the events. If you have 8 you are OK.
mysql -u snort -p -D snort -e "select count(*) from event"


# Installing PulledPork
				
# Install the PulledPork pre-requisites:
sudo apt-get install -y libcrypt-ssleay-perl liblwp-useragent-determined-perl
				
# Download and install the PulledPork perl script and configuration files:
cd ~/snort_src
wget https://github.com/finchy/pulledpork/archive/8b9441aeeb7e1477e5be415f27dbc4eb25dd9d59.tar.gz -O pulledpork-0.7.2-196.tar.gz
tar xvfvz pulledpork-0.7.2-196.tar.gz
mv pulledpork-8b9441aeeb7e1477e5be415f27dbc4eb25dd9d59 pulledpork-0.7.2-196
cd pulledpork-0.7.2-196/
sudo cp pulledpork.pl /usr/local/bin
sudo chmod +x /usr/local/bin/pulledpork.pl
sudo cp etc/*.conf /etc/snort

# Check that PulledPork runs by checking the version, using the -V flag:
/usr/local/bin/pulledpork.pl -V
				
# Configure PulledPork by editing /etc/snort/pulledpork.conf with the following command:
sudo nano /etc/snort/pulledpork.conf

# Anywhere you see <oinkcode>enter the oinkcode you received from snort.org
# Line 19 & 26: enter your oinkcode where appropriate (or comment out if no oinkcode)
# Line 29: Un-comment for Emerging threats ruleset (not tested with this guide)
# Line 74: change to: rule_path=/etc/snort/rules/snort.rules
# Line 89: change to: local_rules=/etc/snort/rules/local.rules
# Line 92: change to: sid_msg=/etc/snort/sid-msg.map
# Line 96: change to: sid_msg_version=2
# Line 119: change to: config_path=/etc/snort/snort.conf
# Line 133: change to: distro=Debian-6-0
# Line 141: change to: black_list=/etc/snort/rules/iplists/black_list.rules
# Line 150: change to: IPRVersion=/etc/snort/rules/iplists

# We want to run PulledPork manually this one time to make sure it works. The following flags are used with PulledPork:
# -l Write detailed logs to /var/log
# -c /etc/snort/snort.conf The path to our pulledpork.conf file
# Run the following command:
sudo /usr/local/bin/pulledpork.pl -c /etc/snort/pulledpork.conf -l

# Edit /etc/snort/snort.conf, and add at line 548 the above:
# include $RULE_PATH/snort.rules
sudo nano /etc/snort/snort.conf

# Since we've modified the Snort configuration file (via the loaded rules file), we should test the Snort configuration file.
# This will also check the new snort.rules file that PulledPork created:
sudo snort -T -c /etc/snort/snort.conf -i eth0

# You can ignore warnings about flowbits not being checked, as well GID duplicate warnings.
				
# Once that is successful, we want to set PulledPork to run daily. To do this, we add the PulledPork script to root's crontab:
sudo crontab -e
				
# Append the follwoing line in crontab:
01 04 * * * /usr/local/bin/pulledpork.pl -c /etc/snort/pulledpork.conf -l


# Creating Startup Scripts
cd ~
				
# To create the Snort systemD service, use an editor to create a service file:
sudo nano /lib/systemd/system/snort.service
				
# with the following content (change eth0 if different on your system):
[Unit]
Description=Snort NIDS Daemon
After=syslog.target network.target
[Service]
Type=simple
ExecStart=/usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth0 -D
[Install]
WantedBy=multi-user.target

# Now we tell systemD that the service should be started at boot:
sudo systemctl enable snort
				
# Finally, we want to start the service:
sudo systemctl start snort
				
# to check that the service is running:
systemctl status snort

# Next, create the Barnyard2 systemd service. We will add two flags here: -D to run as a daemon, and
# -a /var/log/snort/archived logs, this will move logs that Barnyard2 has processed to the
# /var/log/snort/archived/ folder. Use an editor to create a service file:
sudo nano /lib/systemd/system/barnyard2.service

# with the following content ( the exec content line should be one line, through ...archived logs):
[Unit]
Description=Barnyard2 Daemon
After=syslog.target network.target
[Service]
Type=simple
ExecStart=/usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -q -w /var/log/snort/barnyard2.waldo -g snort -u snort -D -a /var/log/snort/archived_logs
[Install]
WantedBy=multi-user.target

# Now we tell systemD that the service should be started at boot:
sudo systemctl enable barnyard2
				
# Finally, we want to start the service:
sudo systemctl start barnyard2
				
# to check that the service is running:
systemctl status barnyard2
				
# Reboot and verify that both services start correctly.


# Install Snorby 2.6.2 with extra tips from http://install-snorby-raspberry-pi-2.blogspot.gr/2015/04/snorby-complete-installation-guide.html
				
# Install the Snorby Pre-requisites:
sudo apt-get install -y imagemagick apache2 libyaml-dev libxml2-dev libxslt-dev git build-essential postgresql postgresql-server-dev-9.4 libreadline-dev libgdbm3 libgdbm-dev
				
cd /usr/local/src/
sudo wget https://cache.ruby-lang.org/pub/ruby/2.3/ruby-2.3.3.tar.gz
sudo tar xvfvz ruby-2.3.3.tar.gz
sudo rm -rf ruby-2.3.3.tar.gz
cd ruby-2.3.3
sudo ./configure
sudo make
sudo make install
				
# Run "ruby – v" and verify that it returns the correct version :
ruby -v

sudo echo "gem: --no-rdoc --no-ri" > ~/.gemrc
sudo sh -c "echo gem: --no-rdoc --no-ri > /etc/gemrc"
				
# Install the gems required for management and installation:
sudo gem update --system
sudo gem install wkhtmltopdf
sudo gem install bundler
sudo gem install bcrypt
sudo gem install nokogiri -v '1.6.6.2'
sudo gem install do_postgres
sudo gem install rails
sudo gem install rake

# Run "rails – v" and verify that it returns the correct version :
rails -v
				
# Download Snorby source files:
cd /var/www/html/
sudo git clone https://github.com/Snorby/snorby.git
cd snorby
sudo bundle install
				
# Then edit database information and change the password to access your mysql server:
sudo cp /var/www/html/snorby/config/database.yml.example /var/www/html/snorby/config/database.yml
sudo nano /var/www/html/snorby/config/database.yml

# Edit the snorby configuration file: /var/www/html/snorby/config/snorby_config.yml and change the path of the wkhtmktopdf script:
sudo cp /var/www/html/snorby/config/snorby_config.yml.example /var/www/html/snorby/config/snorby_config.yml
sudo sed -i s/"\/usr\/local\/bin\/wkhtmltopdf"/"\/usr\/bin\/wkhtmltopdf"/g /var/www/html/snorby/config/snorby_config.yml
				
# Then install Snorby by issuing:
# You can ignore errors about "Jammit Warning: Asset compression disabled { Java unavailable."
sudo bundle exec rake snorby:setup

# Now we want to edit the MySQL Snorby database to grant access to a lower privilidged user
mysql -u root -p
create user 'snorby'@'localhost' IDENTIFIED BY 'snorbypass';
grant all privileges on snorby.* to 'snorby'@'localhost' with grant option;
flush privileges;
exit

# Now that we've created a new MySQL snorby user and password, edit Snorby's database.yml to use the new account:
sudo nano /var/www/html/snorby/config/database.yml
				
# Now we are ready to test Snorby.
cd /var/www/html/snorby/
sudo bundle exec rails server -e production

# This will start Snorby and will be available on port 3000. Navigate to http://<ip_of_snorby_server>:3000 and you 
# should see the logon screen.
# Don't log in at this time as we are only testing that the software runs. Use ctrl-c to stop the Snorby server.
				
# We will use Phusion Passenger, an application server module for Apache to launch Snorby. First install pre-requisites:
sudo apt-get install -y libcurl4-openssl-dev apache2-threaded-dev libaprutil1-dev libapr1-dev
				
# Install the Passenger gem and the apache module
# cd /usr/local/src/ruby-2.3.3
sudo gem install passenger
sudo passenger-install-apache2-module

# The Phusion Passenger install wizard will start. Un-check the Python language support (we only need Ruby
# support) using the arrows and space bar, then use enter to continue through the menu options.
# After compiling software, the wizard will finally tell you to copy some text to your Apache configuration file.
# We don't want to do that because Apache now uses separate files for modules. We do want the information
# that is printed, we will just use it slightly differently. Copy the six lines of text that are shown, as you'll need
# them. Hit enter twice to exit the wizard.
# Mine looks like that:
# LoadModule passenger_module /usr/local/lib/ruby/gems/2.3.0/gems/passenger-5.1.1/buildout/apache2/mod_passenger.so
# <IfModule mod_passenger.c>
# 	PassengerRoot /usr/local/lib/ruby/gems/2.3.0/gems/passenger-5.1.1
# 	PassengerDefaultRuby /usr/local/bin/ruby
# </IfModule>

# Create this file:
sudo nano /etc/apache2/mods-available/passenger.load
				
# And paste the first line into that file.
LoadModule passenger_module /usr/local/lib/ruby/gems/2.3.0/gems/passenger-5.1.1/buildout/apache2/mod_passenger.so
				
# The final 4 lines specify the configuration for Phusion Passenger. Create the correct file as follows:
sudo nano /etc/apache2/mods-available/passenger.conf
				
# And paste the two content lines in. You do not need the <IfModule>tags
PassengerRoot /usr/local/lib/ruby/gems/2.3.0/gems/passenger-5.1.1
PassengerDefaultRuby /usr/local/bin/ruby

# Enable the Passenger module:
sudo a2enmod passenger
sudo service apache2 restart
				
# and then verify that it loaded (look for Passenger in the output):
apache2ctl -t -D DUMP_MODULES

# Now we need to create a website for Snorby:
sudo nano /etc/apache2/sites-available/snorby.conf
				
# Input the following into that file:
<VirtualHost *:80>
	ServerAdmin webmaster@localhost
	ServerName snorby.sublimerobots.com
	DocumentRoot /var/www/html/snorby/public
	<Directory "/var/www/html/snorby/public">
		AllowOverride all
		Order deny,allow
		Allow from all
		Options -MultiViews
	</Directory>
</VirtualHost>

# Now enable the new site, disable the default site, and reload Apache to see the new configurations:
cd /etc/apache2/sites-available/
sudo a2ensite snorby.conf
sudo service apache2 reload
				
cd /etc/apache2/sites-enabled
sudo a2dissite 000-default
sudo service apache2 reload

# Now we need to tell Barnyard2 to output events to the Snorby database that we created above.
# Append at the end of the file:
# output database: log, mysql, user=snorby password=snorbypass dbname=snorby host=localhost sensor_name=snort-ids
sudo nano /etc/snort/barnyard2.conf

# We can disable the other output file that you created during the Barnyard2 testing by deleting the previous
# line (or putting a hash in front of it to disable it).
# output database: log, mysql, user=snort password=snortpass dbname=snort host=localhost

# Restart Barnyard2 to load the new configuration:
sudo service barnyard2 restart

# Snorby needs one service running for database maintenance (a Snorby worker daemon). We will create a systemD daemon 
# for this task.
# First we need to create the service file:
sudo nano /lib/systemd/system/snorby_worker.service

# with the following content:
[Unit]
Description=Snorby Worker Daemon
Requires=apache2.service
After=syslog.target network.target apache2.service
[Service]
Type=forking
WorkingDirectory=/var/www/html/snorby
ExecStart=/usr/local/bin/ruby script/delayed_job start
[Install]
WantedBy=multi-user.target

# Now make the script executable, and tell systemD that the script exists, and then verify that it installed correctly:
sudo systemctl enable snorby_worker
systemctl status snorby_worker.service

# We do not want to start the Snorby worker daemon at this time because an instance of the worker is already
# running (from when you installed Snorby). You can verify this by logging into the web interface using the
# instructions below. In the Snorby web interface, look for the snorby worker status under Administration {>Worker and Job Queue).

# To log into the web interface: open a web browser and navigate to http://<ip_of_snorby_server>. you
# don't need to enter the port number, as it is listening on port 80 now.
# The default login information is:
# E-mail: snorby@example.com
# Password: snorby