Snorby / snorby

Ruby On Rails Application For Network Security Monitoring

Feature request: Snorby as a Rails engine #327

Open frankie-loves-jesus opened 11 years ago

frankie-loves-jesus commented 11 years ago

Convert Snorby into a Rails engine so it can be plugged into existing Rails apps.

http://railscasts.com/episodes/277-mountable-engines?view=comments

frankie-loves-jesus commented 10 years ago

@mephux any word on this?

akshatpradhan commented 10 years ago

Hi @frankie-loves-jesus, would you mind sharing your use case for this? I assume you have an existing Rails app, but I guess I don't see the benefits yet.

frankie-loves-jesus commented 10 years ago

It just makes little sense to run something like this as a stand-alone Rails app. If it's first going to be a Rails app, it might as well help protect other Rails apps. In huge networks it's often the apps and websites that garner the most attention from hackers (i.e. making money by stealing user info, credit cards, redirecting traffic, etc.).

Hoping to one day run Snorby with https://github.com/kickstarter/rack-attack, http://d3js.org/ and my own custom layout.

By reorganizing Snorby into a simplified Rails engine, we'd also get closer to Snorby's fundamental concepts:

The basic fundamental concepts behind Snorby are simplicity, organization and power.

akshatpradhan commented 10 years ago

Thank you for articulating your response! You mentioned that if it's going to be a rails app, it might as well help protect other rails apps. What would Django sites or CakePHP sites use?

frankie-loves-jesus commented 10 years ago

I reckon they would have to generate an empty Rails app and then just include the Snorby gem in order to have a fully working app. I think it's a win-win either way.

If it's an empty Rails app, Snorby should serve front-end views as well to guide the user to the admin UI. If an admin UI already exists, there should be a Rake task to copy Snorby's views into the app's existing views folder so the owner can do his or her customizing.

See https://github.com/radar/forem and https://github.com/spree/spree for perhaps the best examples of Rails engines to date. And of course http://edgeguides.rubyonrails.org/engines.html.

akshatpradhan commented 10 years ago

I reckon they would have to generate an empty Rails app and then just include the Snorby gem

This is interesting. I guess other security engineers would have to be ok with this process, right?

Would you be able to find a few fellow security engineers to give us a simple :+1: for this feature request?

akshatpradhan commented 10 years ago

Hi @frankie-loves-jesus, I was curious if you had an update on any other fellow security engineers having a need to turn this into a Rails Engine?

frankie-loves-jesus commented 10 years ago

I think Threat Stack is currently putting all their efforts into releasing Cloud Sight. But after that, from what I hear, we'll have lots to look forward to.

My guess is that if Snorby were to become a Rails engine, it would become a must for all the millions of Rails apps out there, and Threat Stack's popularity would skyrocket.

akshatpradhan commented 10 years ago

@frankie-loves-jesus I really feel like you're confused. Snorby is a web gui to interface with Snort IDS, very much like Webistrano is a web gui to interface with Capistrano. Snorby only provides a dashboard allowing for monitoring of security events that Snort IDS detects.

It's important to stress that Snorby doesn't provide any actual protection for Rails applications. If you're looking to protect your Rails applications, you should be using a web app firewall.

As someone who's worked with both Snort and Rails, I would never have installed Snorby as an engine into our Rails App. Why?

Because

  1. Snorby doesn't provide any actual security to the Rails framework.
  2. I don't want my security events publicly available in the DMZ! I want that shit locked down on a separate private host for only my internal tech team to handle.

Please do correct me if you think I'm wrong! I'm enjoying this very much!

frankie-loves-jesus commented 10 years ago

Not everybody has the luxury of separate private hosts or internal tech teams. If your admin area is already compromised, the fact that you show security stats through it should be the least of your concerns. Especially if you, like me, have lots of other stuff in your admin area like users, activities, financial progress and so on. I'm always on the move as well so logging onto my admin from the airport to get all the latest news is something I find quite convenient.

Thanks for introducing me to ModSecurity. Never heard of that one.

akshatpradhan commented 10 years ago

@frankie-loves-jesus You're saying you want to run your Snort IDS, your web app, and snorby all on the same machine?

frankie-loves-jesus commented 10 years ago

Yeah. Well, not Snort but Suricata.

akshatpradhan commented 10 years ago

I'm quite sure you're doing something wrong if you have Suricata, Web App, and Snorby all on one server, even if you're a 1 person company. That kind of setup really goes against cybersecurity 101 standards.

Here's a basic security standard that says just that: "The Organization (i) allocates publicly accessible information system components to separate subnetworks; (ii) prevents public access into the organization's sensitive internal networks except as appropriately mediated; (iii) limits the number of access points to and from the sensitive information system."

Security events are considered sensitive information because they could contain personally identifiable information or credit card data. Security Events (e.g. metrics/pcaps in Snorby) should not live on the same host as your company's web application.

What's your background if you don't mind me asking? Your public activity mostly shows you contributing to front end development stuff. You seem interesting!

frankie-loves-jesus commented 10 years ago

Yeah, you're right. Maybe I should start migrating as much sensitive info as I can off my PostgreSQL into some local medium. But I'd still like (carefully chosen) Snorby and Suricata info available through my admin dashboard -- so in that sense -- we're back at the main topic of this discussion which is requesting Snorby as a Rails engine.

miketanderson commented 10 years ago

@frankie-loves-jesus I'm afraid I also don't understand your intent with this request. As @akshatpradhan stated: Snorby doesn't provide any actual security to the Rails framework.

And I'll add: Snorby doesn't provide security to anything - Snorby provides visibility into the security provider. Snorby is the interface to the protection engine, either Snort or Suricata.

I'm only guessing here, but it looks like your request boils down to one of two possibilities:

  - you are looking for something to provide protection to your existing Rails apps
  - you are looking for an interface to another Rails app / to logs & events from another Rails app

Neither of which seem to me to be a good use case for Snorby.

frankie-loves-jesus commented 10 years ago

you are looking for something to provide protection to your existing Rails apps

No I'm not.

you are looking for an interface to another Rails app / to logs & events from another Rails app

No. Let me be clear. What I'm looking to do is: