Installing Hogzilla + Snort Module

Note 1: The Snort module is still under development.

Note 2: You should install it in a segregated network. By default, the services are available without authentication.

Note 3: This guide is for Debian Linux


  1. Preparing installation
  2. Installing Snort
  3. Installing Barnyard2-hz
  4. Installing Snorby
  5. Installing Java
  6. Installing Hadoop/HBase
  7. Installing Apache Spark
  8. Installing Hogzilla
  9. Installing Pigtail
  10. Running and Testing
  11. Configure rc.local
  12. It doesn’t work. How to get help?

1. Preparing installation

The number of servers and the hardware configuration depend on your environment. If you have a relative large traffic to be analysed (we still don’t have benchmark to precise it), you shall consider:

  • n Snort sensors with Barnyard2-hz (collect and sending)
  • m Servers for Hadoop/HBase/Apache Spark (processing and NoSQL DB)
  • 1 Server for MySQL DB (used for Snorby)
  • 1 Server for Snorby (monitoring user interface)

Define your sensors and certify that they are connected in span ports. You can have more than one, but we recommend to test first with just one.

In this guide we are assuming:

  • 1 server for Snort/Snorby/MySQL/Barnyard2 (we refer to it by Server A in this guide)
  • 1 server for Hadoop/HBase/Apache Spark (we refer to it by Server B in this guide)

Install your favorite Linux distribution (I personally suggest Debian), or maybe some *BSD. Yes! You can use Virtual Machines in all servers, even in Snort. But remember that you can lose some performance in capturing data and in some cases it can be relevant.

Install some important dependencies

apt-get install vim vim-scripts

Add Hogzilla user and create the data directory

Just in Server B

adduser hogzilla
mkdir /data
chown hogzilla /data

Generate RSA key for SSH authentication

Just in Server B

su - hogzilla
ssh-keygen -t rsa
<press enter 3 times>
cat ~/.ssh/ >> ~/.ssh/authorized_keys
chmod 0600 ~/.ssh/authorized_keys

Server A

Install some important dependencies

apt-get install vim vim-scripts

2. Installing Snort

Install dependencies for Snort compilation

apt-get install flex bison libpcap-dev libdnet-dev libdumbnet-dev rsync

Download DAQ and Snort


Compile and install DAQ

tar xvzf daq-2.0.6.tar.gz
cd daq-2.0.6
./configure --prefix=/usr/local/snort
mkdir /usr/local/snort
make install
ln -s /usr/local/snort/bin/daq-modules-config /usr/bin/

Compile and install Snort

tar xvzf snort-
cd snort-
./configure --prefix=/usr/local/snort --with-daq-includes=/usr/local/snort/include --with-daq-libraries=/usr/local/snort/lib --enable-sourcefire
make install

Copy configuration templates

mkdir /usr/local/snort/etc
rsync -avzP etc/*.conf* /usr/local/snort/etc/.
rsync -avzP etc/*.map /usr/local/snort/etc/.

Copy configuration templates

vim /usr/local/snort/etc/snort.conf

The main change is add/change the lines

include $RULE_PATH/snort.rules
var WHITE_LIST_PATH /usr/local/snort/etc/rules
var BLACK_LIST_PATH /usr/local/snort/etc/rules

and comment all lines like


Maybe you will need more adjusts to fit you environment. Check the Snort documentation (references below).

Create snort user

groupadd snort
useradd -g snort snort

Adjust paths

mkdir /usr/local/snort/etc/rules
mkdir /usr/local/snort/lib/snort_dynamicrules
mkdir /usr/local/snort/etc/rules/iplists
mkdir -p /usr/local/snort/var/log
touch /usr/local/snort/etc/rules/local.rules
touch /usr/local/snort/etc/rules/white_list.rules
touch /usr/local/snort/etc/rules/black_list.rules
Install PulledPork

PulledPork is a script to download and update the Snort’s rules. We recommend you to create an account at and generate you Oik Code.

You also can subscribe for the paid rules.

Install dependencies

apt-get install libcrypt-ssleay-perl liblwp-protocol-https-perl subversion

Download source files

svn checkout pulledpork-read-only

Create directories and copy files

mkdir /usr/local/pp
mkdir /usr/local/pp/etc
mkdir /usr/local/pp/bin
rsync -avzP pulledpork-read-only/etc/.  /usr/local/pp/etc/.
rsync -avzP pulledpork-read-only/ /usr/local/pp/bin/.

Run PulledPork

/usr/local/pp/bin/ -c /usr/local/pp/etc/pulledpork.conf -l

Maybe you will need to specify the rules version.

/usr/local/pp/bin/ -S -c /usr/local/pp/etc/pulledpork.conf -l

Configure RSyslog to log Snort

vim /etc/rsyslog.d/snort.conf

Add lines

if $programname == 'snort' then /var/log/snort.log
& ~

Restart RSyslog

service rsyslog restart

Run Snort

/usr/local/snort/bin/snort -c /usr/local/snort/etc/snort.conf -T


If you prefer other Linux distribution, I recommend the official Setup Guides at


3. Installing Barnyard2-hz

Install dependencies

apt-get install libboost-dev libboost-test-dev libboost-program-options-dev libboost-system-dev libboost-filesystem-dev libevent-dev automake libtool flex bison pkg-config g++ libssl-dev ant automake php5-dev php5-cli phpunit libglib2.0-dev libtool libtool-bin libpcap-dev libmysqld-dev git

Install lib nDPI

git clone
cd nDPI
make install

Install thrift

tar xzvf thrift-0.9.3.tar.gz
cd thrift-0.9.3
make install

Install Barnyard2-hz

git clone
cd barnyard2
./configure --with-mysql --prefix=/usr/local/by --with-mysql-libraries=/usr/lib/x86_64-linux-gnu
make install

Configure rsyslogd

Add the content below into /etc/rsyslog.d/by.conf

if $programname == 'barnyard2' then /var/log/barnyard.log
& ~

Restart RSyslogd

service rsyslogd restart

Start Barnyard2-hz

/usr/local/by/bin/barnyard2 -c /usr/local/by/etc/barnyard2.conf -a /usr/local/snort/var/log/archive -f merged.log -d /usr/local/snort/var/log &

4. Installing Snorby

Snorby requires Ruby 1.9.x! It really does not run if you don’t use it! (Believe, I tried.)

Install dependencies

apt-get install libyaml-dev git-core default-jre imagemagick libmagickwand-dev wkhtmltopdf build-essential libssl-dev zlib1g-dev linux-headers-amd64 libsqlite3-dev libxslt1-dev libxml2-dev libmysqlclient-dev libmysql++-dev apache2-prefork-dev libcurl4-openssl-dev libreadline6-dev

Remove ruby

apt-get purge ruby ruby-dev ruby-build

Install RVM

gpg --keyserver hkp:// --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3
curl -sSL | bash -s stable --quiet-curl --ruby=1.9.3
source /usr/local/rvm/scripts/rvm
rvm requirements

Download Snorby

cd /var/www
git clone

Configure Snorby

cd /var/www/snorby/config
cp database.yml.example database.yml
cp snorby_config.yml.example snorby_config.yml
sed -i s/"\/usr\/local\/bin\/wkhtmltopdf"/"\/usr\/bin\/wkhtmltopdf"/g snorby_config.yml

Patch Snorby

BUG described at:

In file “Gemfile”, change

gem 'devise_cas_authenticatable',  :git => ''


gem 'devise_cas_authenticatable', '~> 1.5'

Install more dependencies

gem install net-ssh -v '2.9.2'
gem install rake --version=0.9.2

Create database

Access mysql CLI.

mysql -uroot -p

Create database and grant access.

create database snorby;
grant all on snorby.* to snorby@localhost identified by 'snorby123'; -- Choose your password here

Configure Snorby

Change database, mailing and other data in files above.

vim /var/www/snorby/config/database.yml
vim /var/www/snorby/config/snorby_config.yml
vim /var/www/snorby/config/initializers/mail_config.rb

Setup Snorby and run it

cd /var/www/snorby
bundle install
bundle exec rake snorby:setup
bundle exec rails server -e production -b

Access Snorby interface


Default user and password are

PASS: snorby


Server B

5. Installing Java

Download JRE


accept the terms and click on jdk-7u79-linux-x64.tar.gz .

Uncompress it in /usr/java/

tar xzvf jdk-7u79-linux-x64.tar.gz
mkdir /usr/java
mv jdk1.7.0_79/ /usr/java

Change the paths and binary links. In Debian you can use update-alternatives

update-alternatives --install /usr/bin/java java    /usr/java/jdk1.7.0_79/bin/java  2
update-alternatives --install /usr/bin/javac javac  /usr/java/jdk1.7.0_79/bin/javac 2
update-alternatives --install /usr/bin/jar jar      /usr/java/jdk1.7.0_79/bin/jar   2
update-alternatives --set java  /usr/java/jdk1.7.0_79/bin/java
update-alternatives --set javac /usr/java/jdk1.7.0_79/bin/javac
update-alternatives --set jar   /usr/java/jdk1.7.0_79/bin/jar

Add variables to profile

echo 'export JAVA_HOME="/usr/java/jdk1.7.0_79"' >> /etc/profile
echo 'export PATH="$PATH:$JAVA_HOME/bin"' >> /etc/profile

6. Installing Hadoop/HBase

Through this step you should use user hogzilla

Download Hadoop and HBase

mkdir /home/hogzilla/app
cd /home/hogzilla/app
wget ''
tar xzvf hadoop-2.7.1.tar.gz
mv hadoop-2.7.1 /home/hogzilla/hadoop

wget -c ''
tar xzvf hbase-1.1.2-bin.tar.gz
mv hbase-1.1.2 /home/hogzilla/hbase

Add some variables in ~/.bashrc

echo 'export HADOOP_HOME=/home/hogzilla/hadoop' >> ~/.bashrc
echo 'export HADOOP_MAPRED_HOME=$HADOOP_HOME' >> ~/.bashrc
echo 'export HADOOP_COMMON_HOME=$HADOOP_HOME' >> ~/.bashrc
echo 'export HADOOP_HDFS_HOME=$HADOOP_HOME' >> ~/.bashrc
echo 'export YARN_HOME=$HADOOP_HOME' >> ~/.bashrc
echo 'export HADOOP_COMMON_LIB_NATIVE_DIR=$HADOOP_HOME/lib/native' >> ~/.bashrc
echo 'export PATH=$PATH:$HADOOP_HOME/sbin:$HADOOP_HOME/bin' >> ~/.bashrc
echo 'export HADOOP_INSTALL=$HADOOP_HOME' >> ~/.bashrc
echo 'export HADOOP_OPTS="-Djava.library.path=$HADOOP_HOME/lib"' >> ~/.bashrc
echo 'export HADOOP_CONF_DIR=$HADOOP_HOME/etc/hadoop' >> ~/.bashrc
source ~/.bashrc

Configure Hadoop

cd $HADOOP_HOME/etc/hadoop
echo 'export JAVA_HOME=/usr/java/jdk1.7.0_79/' >>

cp -i core-site.xml core-site.xml-original
cp -i hdfs-site.xml hdfs-site.xml-original
cp -i yarn-site.xml yarn-site.xml-original
cp -i mapred-site.xml.template mapred-site.xml

Put the lines below inside “configuration” tags in core-site.xml


Put the lines below inside “configuration” tags in hdfs-site.xml

      <name>dfs.replication</name >

Put the lines below inside “configuration” tags in yarn-site.xml


Put the lines below inside “configuration” tags in mapred-site.xml


Initiate HDFS and Start Hadoop

hdfs namenode -format

Configure HBase

cd /home/hogzilla/hbase/conf
cp -i
cp -i hbase-site.xml hbase-site.xml-original
echo 'export JAVA_HOME=/usr/java/jdk1.7.0_79/' >>

Put the lines below inside “configuration” tags in hbase-site.xml

    <!-- <name></name> -->
    <value>900000</value> <!-- 900 000, 15 minutes -->
    <value>900000</value> <!-- 15 minutes -->

Start HBase

cd /home/hogzilla/hbase
./bin/ start thrift

Create Hogzilla tables in HBase

./bin/hbase shell

Inside HBase Shell

create 'hogzilla_flows','flow','event'
create 'hogzilla_events','event'
create 'hogzilla_sensor','sensor'
create 'hogzilla_signatures','signature'

More variables in ./.bashrc

echo 'export CLASSPATH=$CLASSPATH:/home/hogzilla/hbase/lib/*' >> ~/.bashrc
source ~/.bashrc

7. Installing Apache Spark

Through this step you should use user hogzilla

Download Apache Spark

Take a look at to see if you are downloading the latest version.

cd /home/hogzilla/app
tar xzvf spark-1.6.0-bin-hadoop2.6.tgz
mv spark-1.6.0-bin-hadoop2.6 /home/hogzilla/spark

Configure Apache Spark

cd /home/hogzilla/spark/conf

Start Apache Spark

cd /home/hogzilla


8. Installing Hogzilla

Through this step you should use user hogzilla

Download Hogzilla

cd /home/hogzilla
mv Hogzilla-v0.5.1-alpha.jar Hogzilla.jar

Create and run a script

Put the content below in /home/hogzilla/



# You can change the values of --num-executors, --driver-memory, --executor-memory, --executor-cores according to your resources.
while : ; do 
     ./spark/bin/spark-submit \
     --master yarn-cluster \
         --num-executors 2 \
         --driver-memory 712m \
         --executor-memory 712m \
         --executor-cores 2 \
     --jars $HBASE_PATH/lib/hbase-annotations-$HBASE_VERSION.jar,$HBASE_PATH/lib/hbase-annotations-$HBASE_VERSION-tests.jar,$HBASE_PATH/lib/hbase-client-$HBASE_VERSION.jar,$HBASE_PATH/lib/hbase-common-$HBASE_VERSION.jar,$HBASE_PATH/lib/hbase-common-$HBASE_VERSION-tests.jar,$HBASE_PATH/lib/hbase-examples-$HBASE_VERSION.jar,$HBASE_PATH/lib/hbase-hadoop2-compat-$HBASE_VERSION.jar,$HBASE_PATH/lib/hbase-hadoop-compat-$HBASE_VERSION.jar,$HBASE_PATH/lib/hbase-it-$HBASE_VERSION.jar,$HBASE_PATH/lib/hbase-it-$HBASE_VERSION-tests.jar,$HBASE_PATH/lib/hbase-prefix-tree-$HBASE_VERSION.jar,$HBASE_PATH/lib/hbase-procedure-$HBASE_VERSION.jar,$HBASE_PATH/lib/hbase-protocol-$HBASE_VERSION.jar,$HBASE_PATH/lib/hbase-rest-$HBASE_VERSION.jar,$HBASE_PATH/lib/hbase-server-$HBASE_VERSION.jar,$HBASE_PATH/lib/hbase-server-$HBASE_VERSION-tests.jar,$HBASE_PATH/lib/hbase-shell-$HBASE_VERSION.jar,$HBASE_PATH/lib/hbase-thrift-$HBASE_VERSION.jar,$HBASE_PATH/lib/htrace-core-3.1.0-incubating.jar,$HBASE_PATH/lib/guava-12.0.1.jar --driver-class-path ./$HBASE_PATH/conf/ --class Hogzilla  /home/hogzilla/Hogzilla.jar  &> /tmp/hogzilla.log

sleep 600

rm -rf /tmp/hadoop-hogzilla*


Run it

chmod 755
./ &

9. Installing Pigtail

As user root.

Certify that Thrift is installed. See above.

Download Pigtail

mkdir /root/app
cd /root/app
apt-get install git
git clone
mv pigtail/pigtail.php /root
mkdir /usr/lib/php/Thrift/Packages/
mv pigtail/gen-php/Hbase/  /usr/lib/php/Thrift/Packages/

apt-get install php5-mysql
cd /root

Change configuration

Change MySQL db-name, host, user and password.

vim pigtail.php

Certify the MySQL Access

In MySQL, you need to to execute the following command as user root. (Change SERVER and PASSWORD)

grant all privileges on snorby.* to 'snorby'@'SERVER' identified by 'PASSWORD';

In /etc/mysql/my.cnf, you must have

bind-address            = *

You will need to restart MySQL if you change my.cnf

service mysql restart

Run Pigtail

php ./pigtail.php >&/dev/null&

10. Running and Testing

[to be completed]

  • Snort

-> Run

/usr/local/snort/bin/snort -U -D -i eth1 -u snort -g snort -c /usr/local/snort/etc/snort.conf -l /usr/local/snort/var/log/  &

-> Wait some minutes

-> Check logs

less /var/log/snort.log

-> Check the Unified2 file

ls -la /usr/local/snort/var/log/merged*
  • Barnyard2-hz

-> Run

/usr/local/by-hz/bin/barnyard2 -c /usr/local/by-hz/etc/barnyard2.conf -a /usr/local/snort/var/log/archive -f merged.log -d /usr/local/snort/var/log &

-> Check /var/log/barnyard2.log

less /var/log/barnyard2.log
  • Java

-> Run

java -v
  • Hadoop

-> Run

-> List directory

hadoop fs -ls /hbase

-> Check GUI

Services at URL http://serverIP:50070
Cluster Applications at URL http://serverIP:8088
  • HBase

-> Check GUI

Check URL http://serverIP:16010
  • Apache Spark -> Try the standalone mode

    su - hogzilla
  • Hogzilla

-> Check process execution and logs into Hadoop interface (above)

-> Check generated events into HBase

su - hogzilla
./hbase/bin/hbase shell
count 'hogzilla_events'
  • Pigtail -> Activate the DEBUG variable inside the PHP script and run it if you need!

11. Configure rc.local

To run after reboot, put the following lines in your /etc/rc.local:

In Server A

/usr/local/snort/bin/snort -U -D -i eth1 -u snort -g snort -c /usr/local/snort/etc/snort.conf -l /usr/local/snort/var/log/  &
/usr/local/by-hz/bin/barnyard2 -c /usr/local/by-hz/etc/barnyard2.conf -a /usr/local/snort/var/log/archive -f merged.log -d /usr/local/snort/var/log &
( cd /usr/local/snorby/ ; bundle exec rails server -e production -b >&/dev/null ) &

In Server B

# Start hadoop
su hogzilla -c "/home/hogzilla/hadoop/sbin/"
su hogzilla -c "/home/hogzilla/hadoop/sbin/"
# Start HBase
su hogzilla -c "/home/hogzilla/hbase/bin/"
su hogzilla -c "/home/hogzilla/hbase/bin/ start thrift"
# Start Apache Spark
su hogzilla -c "/home/hogzilla/spark/sbin/"
su hogzilla -c "/home/hogzilla/spark/sbin/"

12. It doesn’t work. How can I get help?

Please, help us improve this guide. Submit your troubles in our Mailing list.